feat: add governance files, CI/CD workflows, and enhanced agent guidance

Add .cursorrules, CLAUDE.md, CONTRIBUTING.md, CODE_OF_CONDUCT.md, and
SECURITY.md for community governance. Add 6 new GitHub Actions workflows:
stale, label-sync, codeql, dependency-review, release, and release-drafter.
Upgrade AGENTS.md with detailed per-section editing guidance matching
CFX/Unity depth. Update README with new project structure and links.

Made-with: Cursor

Author: TMHSDigital

.cursorrules

@@ -0,0 +1,78 @@
+You are working on Developer Tools Directory, a meta-repository that catalogs, standardizes, and scaffolds TMHSDigital Cursor IDE plugins and MCP servers.
+
+## Repo structure
+
+- `registry.json` -- single source of truth for all 9 tool repos (name, type, counts, links, status)
+- `standards/` -- 9 Markdown docs defining conventions (folder structure, CI/CD, manifests, pages, commits, README, AGENTS.md, versioning)
+- `scaffold/create-tool.py` -- Python repo generator using Jinja2 templates
+- `scaffold/templates/` -- 18 Jinja2 templates producing a standards-compliant repo
+- `docs/` -- static GitHub Pages catalog site (index.html, style.css, script.js)
+- `assets/` -- logo image
+- `.github/workflows/` -- CI/CD for this repo (validate, pages, stale, codeql, dependency-review, release, release-drafter, label-sync)
+- `AGENTS.md` -- AI agent guidance for this repo
+- `CLAUDE.md` -- Claude Code project documentation
+
+## Commit conventions
+
+Use conventional commits. Prefix determines changelog category:
+- `feat:` -- new tool in registry, new standard doc, new scaffold template
+- `fix:` -- corrections to existing content
+- `chore:` -- dependency updates, CI changes, maintenance
+- `docs:` -- documentation-only changes
+
+## Hard rules
+
+- No em dashes or en dashes anywhere. Use hyphens or rewrite.
+- No hardcoded credentials, tokens, API keys, or passwords.
+- No binary files except images in `assets/`.
+- `registry.json` must be valid JSON at all times -- CI enforces schema.
+- The catalog site uses no external CDN dependencies -- everything is self-contained.
+- Standards docs are written for public readership -- no internal references.
+- All content is CC-BY-NC-ND-4.0 licensed.
+
+## When editing registry.json
+
+- Every entry needs all required fields: name, repo, slug, description, type, homepage, skills, rules, mcpTools, extras, topics, status, version, language, license, pagesType, hasCI.
+- `type` must be `cursor-plugin` or `mcp-server`.
+- `skills`, `rules`, `mcpTools` must be integers.
+- After editing registry.json, also update:
+  1. The embedded registry in `docs/index.html` (inside `<script type="application/json" id="registry-data">`)
+  2. The tools table and aggregate stats line in `README.md`
+
+## When editing standards/
+
+- Standards are pure Markdown documentation -- no executable code.
+- If adding a new standard, also add a row to `standards/README.md` and the standards table in `README.md`.
+- If the standard changes scaffold output expectations, update the corresponding `.j2` template in `scaffold/templates/`.
+- Use `docs:` commit prefix for edits, `feat:` for new standards.
+
+## When editing scaffold/
+
+- Templates are Jinja2 (`.j2` extension) in `scaffold/templates/`.
+- The generator script is `scaffold/create-tool.py`. It accepts CLI args: --name, --slug, --description, --type, --mcp-server, --skills, --rules, --license, --output, --author-name, --author-email.
+- If adding a new template file, update `create-tool.py` to render it.
+- Test locally: `python scaffold/create-tool.py --name "Test" --description "Test" --mcp-server --skills 2 --rules 1 --output /tmp/test`
+- CI runs a dry-run test on every push.
+
+## When editing docs/
+
+- `docs/index.html` is the catalog site entry point.
+- `docs/script.js` fetches `registry.json` at runtime and renders tool cards. It also has an embedded fallback copy.
+- `docs/style.css` is the full stylesheet -- dark theme, responsive, card layout.
+- No external dependencies (CDNs, frameworks). Vanilla HTML/CSS/JS only.
+- The `pages.yml` workflow copies `registry.json` and `assets/` into `docs/` at deploy time.
+
+## When editing workflows
+
+- `validate.yml` runs on PR and push to main. Keep checks fast.
+- `pages.yml` deploys to GitHub Pages. It copies registry.json into docs/ during build.
+- `release.yml` auto-creates releases on push to main.
+- `release-drafter.yml` auto-drafts release notes from merged PR titles and labels.
+- `stale.yml` runs weekly. Issues: 60-day stale / 14-day close. PRs: 30-day stale / 14-day close.
+- `codeql.yml` scans Python code for security issues weekly and on push/PR.
+- `dependency-review.yml` audits new dependencies in PRs.
+- `label-sync.yml` auto-labels PRs based on changed file paths.
+
+## Dependencies
+
+One Python dependency: `Jinja2` (in `requirements.txt`). The docs site has zero dependencies.

.github/release-drafter.yml

@@ -0,0 +1,73 @@
+name-template: "v$RESOLVED_VERSION"
+tag-template: "v$RESOLVED_VERSION"
+template: |
+  ## What's Changed
+
+  $CHANGES
+
+  **Full Changelog**: https://github.com/$OWNER/$REPOSITORY/compare/$PREVIOUS_TAG...v$RESOLVED_VERSION
+categories:
+  - title: "Features"
+    labels:
+      - "feature"
+      - "registry"
+  - title: "Standards"
+    labels:
+      - "standards"
+  - title: "Scaffold"
+    labels:
+      - "scaffold"
+  - title: "Bug Fixes"
+    labels:
+      - "bug"
+      - "fix"
+  - title: "Documentation"
+    labels:
+      - "documentation"
+      - "docs"
+  - title: "CI / Infrastructure"
+    labels:
+      - "ci"
+      - "infrastructure"
+      - "dependencies"
+  - title: "Other Changes"
+    labels:
+      - "*"
+change-template: "- $TITLE (#$NUMBER) @$AUTHOR"
+change-title-escapes: '\<*_&'
+version-resolver:
+  major:
+    labels:
+      - "major"
+      - "breaking"
+  minor:
+    labels:
+      - "minor"
+      - "feature"
+      - "registry"
+  patch:
+    labels:
+      - "patch"
+      - "bug"
+      - "fix"
+      - "docs"
+  default: patch
+exclude-labels:
+  - "skip-changelog"
+autolabeler:
+  - label: "documentation"
+    files:
+      - "*.md"
+      - "docs/**"
+  - label: "ci"
+    files:
+      - ".github/**"
+  - label: "standards"
+    files:
+      - "standards/**"
+  - label: "scaffold"
+    files:
+      - "scaffold/**"
+  - label: "registry"
+    files:
+      - "registry.json"

.github/workflows/codeql.yml

@@ -0,0 +1,38 @@
+name: CodeQL
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    - cron: "0 6 * * 1"
+
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+
+jobs:
+  analyze:
+    name: Analyze Python
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [python]
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: ${{ matrix.language }}
+
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v3
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: "/language:${{ matrix.language }}"

.github/workflows/dependency-review.yml

@@ -0,0 +1,20 @@
+name: Dependency Review
+
+on:
+  pull_request:
+    branches: [main]
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  dependency-review:
+    name: Audit dependencies
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/dependency-review-action@v4
+        with:
+          fail-on-severity: high
+          comment-summary-in-pr: always

.github/workflows/label-sync.yml

@@ -0,0 +1,59 @@
+name: Label PRs
+
+on:
+  pull_request:
+    types: [opened, synchronize]
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  label:
+    name: Auto-label by path
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Get changed files
+        id: changed
+        run: |
+          FILES=$(gh pr diff ${{ github.event.pull_request.number }} --name-only)
+          echo "files<<EOF" >> "$GITHUB_OUTPUT"
+          echo "$FILES" >> "$GITHUB_OUTPUT"
+          echo "EOF" >> "$GITHUB_OUTPUT"
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Apply labels
+        run: |
+          LABELS=""
+
+          if echo "$FILES" | grep -q "^standards/"; then
+            LABELS="$LABELS,standards"
+          fi
+
+          if echo "$FILES" | grep -q "^scaffold/"; then
+            LABELS="$LABELS,scaffold"
+          fi
+
+          if echo "$FILES" | grep -q "^docs/"; then
+            LABELS="$LABELS,documentation"
+          fi
+
+          if echo "$FILES" | grep -q "^registry.json"; then
+            LABELS="$LABELS,registry"
+          fi
+
+          if echo "$FILES" | grep -q "^\.github/"; then
+            LABELS="$LABELS,ci"
+          fi
+
+          LABELS="${LABELS#,}"
+
+          if [ -n "$LABELS" ]; then
+            gh pr edit ${{ github.event.pull_request.number }} --add-label "$LABELS"
+          fi
+        env:
+          FILES: ${{ steps.changed.outputs.files }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/release-drafter.yml

@@ -0,0 +1,20 @@
+name: Release Drafter
+
+on:
+  push:
+    branches: [main]
+  pull_request_target:
+    types: [opened, reopened, synchronize]
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  update-release-draft:
+    name: Draft release notes
+    runs-on: ubuntu-latest
+    steps:
+      - uses: release-drafter/release-drafter@v6
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/release.yml

@@ -0,0 +1,73 @@
+name: Release
+
+on:
+  push:
+    branches: [main]
+    paths-ignore:
+      - "*.md"
+      - "docs/**"
+      - "standards/**"
+      - "LICENSE"
+      - ".github/release-drafter.yml"
+
+permissions:
+  contents: write
+
+concurrency:
+  group: release
+  cancel-in-progress: false
+
+jobs:
+  release:
+    name: Create release
+    runs-on: ubuntu-latest
+    if: "!contains(github.event.head_commit.message, '[skip ci]')"
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Get latest tag
+        id: tag
+        run: |
+          TAG=$(git describe --tags --abbrev=0 2>/dev/null || echo "v0.0.0")
+          echo "current=$TAG" >> "$GITHUB_OUTPUT"
+
+      - name: Determine version bump
+        id: bump
+        run: |
+          CURRENT="${{ steps.tag.outputs.current }}"
+          CURRENT="${CURRENT#v}"
+          IFS='.' read -r MAJOR MINOR PATCH <<< "$CURRENT"
+
+          COMMITS=$(git log "${{ steps.tag.outputs.current }}..HEAD" --pretty=format:"%s" 2>/dev/null || git log --pretty=format:"%s")
+
+          if echo "$COMMITS" | grep -qE "^feat!:|BREAKING CHANGE"; then
+            MAJOR=$((MAJOR + 1))
+            MINOR=0
+            PATCH=0
+          elif echo "$COMMITS" | grep -qE "^feat(\(.*\))?:"; then
+            MINOR=$((MINOR + 1))
+            PATCH=0
+          else
+            PATCH=$((PATCH + 1))
+          fi
+
+          NEW="$MAJOR.$MINOR.$PATCH"
+          echo "version=$NEW" >> "$GITHUB_OUTPUT"
+          echo "tag=v$NEW" >> "$GITHUB_OUTPUT"
+
+      - name: Create tag
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+          git tag -a "${{ steps.bump.outputs.tag }}" -m "Release ${{ steps.bump.outputs.tag }}"
+          git push origin "${{ steps.bump.outputs.tag }}"
+
+      - name: Create GitHub Release
+        run: |
+          gh release create "${{ steps.bump.outputs.tag }}" \
+            --title "${{ steps.bump.outputs.tag }}" \
+            --generate-notes
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}