chore: improve OSS readiness

.editorconfig

@@ -0,0 +1,20 @@
+root = true
+
+[*]
+charset = utf-8
+end_of_line = lf
+insert_final_newline = true
+trim_trailing_whitespace = true
+
+[*.md]
+indent_style = space
+indent_size = 2
+trim_trailing_whitespace = false
+
+[*.ps1]
+indent_style = space
+indent_size = 4
+
+[*.yml]
+indent_style = space
+indent_size = 2

.github/workflows/ci.yml

@@ -0,0 +1,27 @@
+name: CI
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+
+permissions:
+  contents: read
+
+jobs:
+  quality-gate:
+    name: Quality gate
+    runs-on: windows-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Run scanner tests
+        shell: pwsh
+        run: .\tests\scan-private-markers.Tests.ps1
+
+      - name: Run private marker scan
+        shell: pwsh
+        run: .\scripts\scan-private-markers.ps1

CHANGELOG.md

@@ -0,0 +1,15 @@
+# Changelog
+
+All notable changes to this project should be documented in this file.
+
+This project follows a lightweight, human-readable changelog format. Add entries under `Unreleased` before cutting any release tag.
+
+## Unreleased
+
+- Added a GitHub Actions quality gate for scanner tests and private marker scanning.
+- Added scanner regression tests that verify redacted findings and script-path coverage.
+- Added contribution and security reporting guidance for public-safe OSS collaboration.
+
+## 0.1.0
+
+- Initial public skill, examples, README, license, and private marker scan script.

CONTRIBUTING.md

@@ -0,0 +1,29 @@
+# Contributing
+
+Thanks for improving `agentic-coding-security-gate`. Keep contributions small, public-safe, and evidence-backed.
+
+## Local Checks
+
+Run these commands from the repository root before opening a pull request:
+
+```powershell
+pwsh -NoProfile -ExecutionPolicy Bypass -File .\tests\scan-private-markers.Tests.ps1
+pwsh -NoProfile -ExecutionPolicy Bypass -File .\scripts\scan-private-markers.ps1
+```
+
+If a check fails, fix the finding instead of hiding it. Scanner output intentionally redacts values; do not replay protected values in issues, commits, or pull request comments.
+
+## Pull Request Guidelines
+
+- Keep examples synthetic and minimal.
+- Avoid private repository names, local machine paths, raw logs, screenshots, customer data, OAuth values, tokens, private keys, and production identifiers.
+- Update `README.md`, `SKILL.md`, examples, or tests when behavior or guidance changes.
+- Report only checks that actually ran. Mark skipped checks as not checked.
+- Prefer one coherent change per pull request.
+
+## Documentation Style
+
+- Write for agents and reviewers who need a quick safety decision.
+- Use direct language and concrete steps.
+- Make unsafe examples synthetic and clearly labeled.
+- Keep the skill compact enough to load into an agent workflow.

HANDOFF.md

@@ -0,0 +1,81 @@
+# HANDOFF
+
+作成日時: 2026/06/12 22:35:33 JST
+
+## リポジトリの目的
+
+このリポジトリは、AI coding agent が Git / GitHub / browser / MCP / CLI / cloud / API などの境界を越える前に、secret・private context・real data・paid operation の漏えいや誤実行を防ぐための Codex-style skill を提供する。現時点の理解では、公開配布向けの `SKILL.md`、合成例、ローカル marker scan、回帰テスト、CI を含む軽量な OSS-ready skill repository である。
+
+## 現状サマリ
+
+- 現在の作業ブランチは `chore/oss-readiness`。
+- `main` は `118fba3 feat: add agentic coding security gate skill` を指している。
+- `chore/oss-readiness` は OSS readiness 系の変更、backlog、scanner test 修正、handoff 文書を含む未mergeブランチ。
+- `TASKS_BACKLOG.md` に doing タスクはない。
+- open GitHub issues は 0 件。
+- TODO / FIXME コメントは見つかっていない。
+- この締め作業では新機能実装・リファクタ・依存追加は行っていない。
+- lint / 型チェック / build は該当する設定ファイルがないため未実施扱い。
+
+## 完了タスクと commit
+
+| タスク | commit | 内容 |
+| --- | --- | --- |
+| OSS readiness 改善 | `19f5e50` | CI、scanner regression tests、contribution/security docs を追加 |
+| backlog 棚卸し | `955eff8` | `TASKS_BACKLOG.md` を追加し、残タスクを整理 |
+| scanner test 成功終了コード明示 | `4aa3564` | `tests/scan-private-markers.Tests.ps1` の成功時に `exit 0` を追加 |
+
+## 未完了 / skip タスク
+
+- skip タスクはなし。
+- 未完了候補は `TASKS_BACKLOG.md` の T-002 から T-004 を参照。
+
+## 既知の問題・残懸念
+
+- `chore/oss-readiness` は未merge。Claude Code 側では、push済みブランチのCI結果と差分を確認して main へ取り込むか判断する。
+- 通常の sandbox 経路では `gh issue list` が proxy/network 制約で失敗することがある。権限付き読み取り経路では 2026/06/12 時点で open issues 0 件を確認済み。
+- README は `pwsh` を前提としている。今回のローカル検証は Windows PowerShell の `powershell.exe` で実行したため、引き継ぎ先環境で `pwsh` availability を確認する。
+- Markdown lint、Skill validator、Gitleaks/Semgrep のリモートCI相当は未追加。必要なら T-004 として検討する。
+
+## 最終検証結果
+
+実行日時: 2026/06/12 22:35 JST
+
+| 種別 | コマンド | 結果 |
+| --- | --- | --- |
+| scanner tests | `powershell.exe -NoProfile -ExecutionPolicy Bypass -File .\tests\scan-private-markers.Tests.ps1` | pass。3 tests passed |
+| private marker scan | `powershell.exe -NoProfile -ExecutionPolicy Bypass -File .\scripts\scan-private-markers.ps1` | pass |
+| lint | 該当なし | `package.json` 等の lint 設定なし |
+| 型チェック | 該当なし | `tsconfig.json` / `pyproject.toml` 等なし |
+| build | 該当なし | build 設定なし |
+| GitHub issues | `gh issue list --limit 50 --state open --json number,title,labels,url` | pass。0件 |
+
+## セットアップ・テスト・ビルド手順
+
+README 記載の推奨環境:
+
+```powershell
+pwsh -NoProfile -ExecutionPolicy Bypass -File .\tests\scan-private-markers.Tests.ps1
+pwsh -NoProfile -ExecutionPolicy Bypass -File .\scripts\scan-private-markers.ps1
+```
+
+この Windows host で確認した代替コマンド:
+
+```powershell
+powershell.exe -NoProfile -ExecutionPolicy Bypass -File .\tests\scan-private-markers.Tests.ps1
+powershell.exe -NoProfile -ExecutionPolicy Bypass -File .\scripts\scan-private-markers.ps1
+```
+
+build コマンドは未定義。
+
+## ブランチ状況
+
+- `main`: `118fba3`、`origin/main` と一致。
+- `chore/oss-readiness`: 未merge作業ブランチ。`19f5e50`、`955eff8`、`4aa3564` と handoff / backlog closeout commit を含む。この文書が origin 上に存在する場合、その時点で push 済み。
+- 未mergeブランチの merge は実施していない。
+
+## 次にやるべき候補
+
+1. `origin/chore/oss-readiness` のCIと差分を確認し、main へ merge するか判断する。
+2. 引き継ぎ先環境で `pwsh` と README 記載コマンドがそのまま動くか確認する。
+3. 公開配布前に markdown lint または Codex-style skill validator を追加する価値があるか判断する。

README.md

@@ -1,5 +1,7 @@
 # agentic-coding-security-gate
 
+[![CI](https://github.com/h8nc4y/agentic-coding-security-gate/actions/workflows/ci.yml/badge.svg)](https://github.com/h8nc4y/agentic-coding-security-gate/actions/workflows/ci.yml)
+
 A Codex-style skill for adding a security gate to agentic coding workflows before an agent publishes, transmits, stores, or executes sensitive or cost-bearing work.
 
 ## What It Solves
@@ -15,6 +17,12 @@ This skill gives agents a compact gate for those moments. It focuses on workflow
 - Reviewers who need public-safe security summaries without leaking private material.
 - Teams that want a reusable checklist for agentic coding safety.
 
+## Prerequisites
+
+- Git for cloning the repository.
+- PowerShell 7+ (`pwsh`) for the bundled marker scan and tests.
+- A Codex-style skills directory such as `~/.agents/skills` for manual installation.
+
 ## Install
 
 Clone the repository:
@@ -49,6 +57,16 @@ Copy-Item -LiteralPath .\SKILL.md -Destination (Join-Path $dest 'SKILL.md')
 
 The overwrite guard is intentional. If a local skill already exists, review it before replacing it.
 
+## Repository Layout
+
+```text
+SKILL.md                         Skill instructions loaded by an agent.
+examples/                        Synthetic examples and templates.
+scripts/scan-private-markers.ps1 Local public-safety marker scan.
+tests/                           Dependency-free scanner regression tests.
+.github/workflows/ci.yml         Pull request and main-branch quality gate.
+```
+
 ## Manual Use
 
 Use the skill before an agent:
@@ -79,7 +97,13 @@ The examples are synthetic. Do not replace placeholders with real secrets, raw l
 
 ## Validation And Scan
 
-Run the bundled marker scan from the repository root:
+Run the dependency-free scanner tests from the repository root:
+
+```powershell
+pwsh -NoProfile -ExecutionPolicy Bypass -File .\tests\scan-private-markers.Tests.ps1
+```
+
+Run the bundled marker scan:
 
 ```powershell
 pwsh -NoProfile -ExecutionPolicy Bypass -File .\scripts\scan-private-markers.ps1
@@ -93,6 +117,15 @@ python path/to/quick_validate.py .
 
 Optional local checks can include Gitleaks, Semgrep, markdown linting, or a manual review. Report only the checks that actually ran. If a check is unavailable, say it was not checked.
 
+Pull requests run the same bundled scanner tests and marker scan in GitHub Actions.
+
+## Contributing And Security
+
+- Read [CONTRIBUTING.md](CONTRIBUTING.md) before opening issues or pull requests.
+- Read [SECURITY.md](SECURITY.md) before reporting security-sensitive behavior.
+- Keep public reports synthetic and redact protected values.
+- Do not claim a validation passed unless the exact command ran successfully.
+
 ## Limitations
 
 - This skill is a workflow gate, not a legal, compliance, or incident-response program.

SECURITY.md

@@ -0,0 +1,28 @@
+# Security Policy
+
+## Supported Versions
+
+The `main` branch is the supported development line.
+
+## Reporting Security Issues
+
+Do not include secrets, credential-bearing output, raw logs, private repository names, screenshots, customer data, or production identifiers in public issues or pull requests.
+
+Preferred reporting path:
+
+1. Use GitHub private vulnerability reporting for this repository if it is available.
+2. If private reporting is unavailable, open a public issue with a minimal synthetic summary only.
+3. State that sensitive details were removed and ask the maintainer for a private channel.
+
+Safe public issue content may include:
+
+- A short description of the affected behavior.
+- Synthetic reproduction steps.
+- The relative file path and rule name when a scanner finding is involved.
+- Confirmation that protected values were redacted.
+
+Unsafe public issue content includes credential values, raw authentication output, production logs, screenshots with private data, customer or tenant identifiers, and local absolute paths.
+
+## Maintainer Handling
+
+Maintainers should reproduce with synthetic fixtures when possible, avoid requesting protected values in public, and document which checks actually ran before closing a report.

TASKS_BACKLOG.md

@@ -0,0 +1,23 @@
+# Tasks Backlog
+
+棚卸し日時: 2026/06/11 20:53:09 JST
+最終更新: 2026/06/12 22:35:33 JST
+
+## Sources
+
+- 既存タスク管理ファイル: 該当なし (`TASKS_BACKLOG.md` / `TODO.md` / `TASKS.md` は未存在)
+- README / docs: 明示的な未完了要件は該当なし
+- AGENTS.md / `.codex`: リポジトリ内には該当なし
+- TODO / FIXME: 該当なし (`rg -n "TODO|FIXME"` で一致なし)
+- テスト / lint / 型チェック: `powershell.exe -NoProfile -ExecutionPolicy Bypass -File .\tests\scan-private-markers.Tests.ps1` は成功、`powershell.exe -NoProfile -ExecutionPolicy Bypass -File .\scripts\scan-private-markers.ps1` は成功。lint / 型チェック / build は該当する設定ファイルなし。
+- git status: `chore/oss-readiness` 上の未コミット変更は backlog / handoff の締めcommitへ整理。
+- GitHub open issues: 0件 (`gh issue list --limit 50 --state open --json number,title,labels,url`)
+
+## Tasks
+
+| ID | タスク名 | 出典 | 優先度 | 規模 | 状態 |
+| --- | --- | --- | --- | --- | --- |
+| T-001 | scanner regression test の成功終了コードを明示して WIP 差分を完了する | git status / `tests/scan-private-markers.Tests.ps1` 未コミット差分 | 高 | S | done |
+| T-002 | `chore/oss-readiness` をリモートCIで確認し main への取り込み方針を決める | 未mergeブランチ / 引き継ぎ準備 | 中 | S | todo |
+| T-003 | 引き継ぎ先環境で `pwsh` と README 記載の検証コマンドを確認する | README prerequisite / 引き継ぎ準備 | 低 | S | todo |
+| T-004 | 必要なら markdown lint または skill validator の導入要否を検討する | README optional validation / 引き継ぎ準備 | 低 | S | todo |

scripts/scan-private-markers.ps1

@@ -36,14 +36,6 @@ $rules = @(
 $githubUrlPattern = 'https://github\.com/[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+(?:\.git)?'
 $findings = New-Object System.Collections.Generic.List[object]
 
-function Test-SelfReferenceLine {
-    param(
-        [string]$RelativePath
-    )
-
-    return $RelativePath -eq 'scripts/scan-private-markers.ps1'
-}
-
 $files = Get-ChildItem -LiteralPath $root -Recurse -File | Where-Object {
     $_.FullName -notmatch '\\.git(\\|$)' -and
     $_.FullName -notmatch '\\node_modules(\\|$)' -and
@@ -62,10 +54,8 @@ foreach ($file in $files) {
 
     foreach ($line in Get-Content -LiteralPath $file.FullName) {
         $lineNumber++
-        $isSelfReference = Test-SelfReferenceLine -RelativePath $relative
-
         foreach ($match in [regex]::Matches($line, $githubUrlPattern)) {
-            if ($match.Value -notmatch $ownRepoUrlPattern -and -not $isSelfReference) {
+            if ($match.Value -notmatch $ownRepoUrlPattern) {
                 $findings.Add([pscustomobject]@{
                     File = $relative
                     Line = $lineNumber
@@ -83,7 +73,7 @@ foreach ($file in $files) {
                 $matched = [regex]::IsMatch($line, $rule.Pattern, 'IgnoreCase')
             }
 
-            if ($matched -and -not $isSelfReference) {
+            if ($matched) {
                 $findings.Add([pscustomobject]@{
                     File = $relative
                     Line = $lineNumber