chore: harden repo maturity baseline

.github/dependabot.yml

@@ -0,0 +1,19 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 5
+    labels:
+      - "dependencies"
+      - "github-actions"
+
+  - package-ecosystem: "pip"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 5
+    labels:
+      - "dependencies"
+      - "python"

.github/workflows/ci.yml

@@ -16,8 +16,15 @@ concurrency:
 
 jobs:
   test:
+    name: test (python-${{ matrix.python-version }})
     runs-on: ubuntu-24.04
-    timeout-minutes: 15
+    timeout-minutes: 20
+    strategy:
+      fail-fast: false
+      matrix:
+        python-version:
+          - "3.11"
+          - "3.13"
     env:
       FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
 
@@ -28,7 +35,7 @@ jobs:
       - name: Set up Python
         uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
         with:
-          python-version: "3.13"
+          python-version: ${{ matrix.python-version }}
           cache: pip
 
       - name: Install project
@@ -42,6 +49,11 @@ jobs:
       - name: Run mypy
         run: python -m mypy src
 
+      - name: Run Bandit
+        run: >-
+          python -m bandit -q --severity-level medium --confidence-level medium
+          -c pyproject.toml -r src scripts
+
       - name: Run unit tests
         run: PYTHONPATH=src python -m unittest discover -s tests
 
@@ -60,6 +72,9 @@ jobs:
       - name: Compile source tree
         run: python -m compileall src
 
+      - name: Build wheel
+        run: python -m pip wheel . --no-deps -w "${RUNNER_TEMP}/dist"
+
       - name: Smoke doctor
         run: MC_PROVIDER=auto PYTHONPATH=src python -m master_control --json doctor
 

.gitignore

@@ -11,6 +11,7 @@ __pycache__/
 .coverage
 build/
 dist/
+artifacts/
 logs/
 *.sqlite3
 *.db

.pre-commit-config.yaml

@@ -6,17 +6,28 @@ repos:
       - id: end-of-file-fixer
       - id: trailing-whitespace
 
-  - repo: https://github.com/astral-sh/ruff-pre-commit
-    rev: v0.15.6
+  - repo: local
     hooks:
       - id: ruff-check
-        args: ["--fix"]
+        name: ruff check --fix
+        entry: python3 -m ruff check --fix .
+        language: system
+        pass_filenames: false
+
       - id: ruff-format
+        name: ruff format
+        entry: python3 -m ruff format .
+        language: system
+        pass_filenames: false
 
-  - repo: local
-    hooks:
       - id: mypy
-        name: mypy
+        name: mypy src
         entry: python3 -m mypy src
         language: system
         pass_filenames: false
+
+      - id: bandit
+        name: bandit src scripts
+        entry: python3 -m bandit -q --severity-level medium --confidence-level medium -c pyproject.toml -r src scripts
+        language: system
+        pass_filenames: false

CHANGELOG.md

@@ -4,6 +4,13 @@
 
 ### Added
 
+- product maturity assessment document for evaluating MC as a real public product
+- real `.pre-commit-config.yaml` so contributor setup matches the documented local workflow
+- Apache-2.0 `LICENSE`
+- `SUPPORT.md` for public support scope and compatibility expectations
+- `SECURITY.md` for vulnerability reporting and supported-version policy
+- `CODE_OF_CONDUCT.md` for public collaboration expectations
+- `dependabot` automation for Python and GitHub Actions updates
 - structured `SessionContext` for the core high-risk planner and recommendation paths
 - extracted session-analysis seam for summary -> context -> insight assembly outside the central app orchestrator
 - repeatable host-profile validation harness and guide for collecting multi-host workflow evidence
@@ -38,6 +45,14 @@
 
 ### Changed
 
+- interface-owned planning, rendering, session-summary, and tool-result helpers now live under `master_control.interfaces.agent.*`, while `master_control.agent.*` remains a compatibility namespace
+- CI now runs Bandit and a wheel-build smoke in addition to lint, typecheck, tests, and runtime validation
+- Python support floor is now `3.11+` instead of `3.13+`
+- README now leads with the operator journey and repository policy instead of only architectural posture
+- host validation baseline commands now execute without `shell=True`
+- provider endpoints now require `http` or `https` before any network call is attempted
+- production tool paths no longer rely on `assert` for runtime argument guarantees
+- generated `artifacts/` output is now ignored by git
 - the narrow local CLI MVP closeout is now complete for the alpha baseline
 - slow-host diagnosis can now chain memory, processes, process correlation, and service status when correlation evidence exists
 - hot-process follow-up logic no longer relies on guessed service identity and can use typed correlation evidence instead

CODE_OF_CONDUCT.md

@@ -0,0 +1,44 @@
+# Code Of Conduct
+
+## Our Standard
+
+This project expects respectful, technically serious collaboration.
+
+Examples of expected behavior:
+
+- discuss ideas and code directly, without personal attacks
+- assume good faith while still being precise about bugs, risks, and tradeoffs
+- keep security, privacy, and safety concerns responsible and non-performative
+- accept correction when evidence shows a claim is wrong
+- keep review feedback concrete and actionable
+
+Examples of unacceptable behavior:
+
+- harassment, insults, threats, or intimidation
+- doxxing or publication of private information
+- bad-faith security disclosure
+- discriminatory language or exclusionary behavior
+- intentionally disruptive issue, PR, or review behavior
+
+## Scope
+
+This code of conduct applies in:
+
+- issues
+- pull requests
+- discussions
+- code review
+- project chat spaces linked from the repository
+
+## Enforcement
+
+Project maintainers may remove, edit, or reject contributions and interactions that violate this policy.
+Repeated or severe violations can lead to temporary or permanent exclusion from the project spaces.
+
+## Reporting
+
+If you experience or witness unacceptable behavior, report it privately to the maintainer instead of escalating it in public threads.
+
+## Attribution
+
+This document is adapted from the Contributor Covenant and shortened for this repository.

CONTRIBUTING.md

@@ -8,6 +8,13 @@ This project is still in an early local-first stage. Contributions should preser
 - interfaces sit on top of the runtime instead of owning business logic
 - typed tools remain the default execution surface
 
+Repository policy references:
+
+- `LICENSE`
+- `SUPPORT.md`
+- `SECURITY.md`
+- `CODE_OF_CONDUCT.md`
+
 ## Local setup
 
 ```bash
@@ -24,10 +31,12 @@ Run these before considering a change complete:
 ```bash
 python3 -m ruff check .
 python3 -m mypy src
+python3 -m bandit -q --severity-level medium --confidence-level medium -c pyproject.toml -r src scripts
 PYTHONPATH=src python3 -m unittest discover -s tests
 PYTHONPATH=src python3 -m pytest -q
 python3 -m compileall src
 PYTHONPATH=src python3 -m master_control --json doctor
+python3 -m pip wheel . --no-deps -w /tmp/mc-dist
 ```
 
 The repository also has a matching GitHub Actions baseline in `.github/workflows/ci.yml`. Keep local checks and CI checks aligned.
@@ -38,6 +47,7 @@ If you use `pre-commit`, the repository will run:
 - `ruff check --fix`
 - `ruff format`
 - `mypy src`
+- `bandit -q --severity-level medium --confidence-level medium -c pyproject.toml -r src scripts`
 
 ## Engineering guardrails
 
@@ -49,6 +59,7 @@ If you use `pre-commit`, the repository will run:
 - do not let providers execute host actions directly
 - use structured plans instead of free-form action text
 - keep compatibility facades thin when moving public entry points
+- prefer `master_control.interfaces.*` imports for interface-owned helpers; treat `master_control.agent.*` as compatibility-facing unless a module is explicitly owned there
 - document architectural changes with an ADR when they change core system contracts
 
 ### Security
@@ -99,6 +110,10 @@ Recommended examples:
 - `feat(app): execute accepted recommendation actions`
 - `test(chat): cover service recommendation flow`
 
+## License
+
+Unless explicitly stated otherwise, contributions are made under the repository license in `LICENSE`.
+
 ## Change checklist
 
 Before closing a change, verify: