Add governance framework for bot collaboration and security enforcement#4

Draft
Copilot wants to merge 4 commits into main from copilot/integrate-kairos-copilot

Conversation


Copilot AI commented Feb 22, 2026

Establishes infrastructure for Kairos bot and GitHub Copilot to collaborate on code review while enforcing security policies and preventing secret commits.

Governance & Security Policies

  • POLICY.md: Key management rules, mandatory PR submission for all changes, bot audit requirements before merge
  • OWNERSHIP.md: Maintainer structure, review requirements (1 human + bots), decision-making process
  • SECURITY.md: Private vulnerability disclosure process, security best practices
  • LICENSE: MIT with explicit terms for upgrade configuration

Automation

  • GitHub Actions workflow (code-review.yml):

    • Dependency vulnerability scanning (fails on high/critical)
    • Secret detection in code (regex-based + pattern matching)
    • Policy compliance checks (required files, .gitignore patterns)
    • JSON/YAML validation
    • Explicit job permissions (CodeQL-validated)
  • CODEOWNERS: Auto-assigns Yaketh (@Kushmanmb) to all sensitive files

Branch Protection

  • branch-protection.md: Documents required settings for main, production, release/*
    • Minimum 1 approval required
    • All status checks must pass
    • No force pushes, linear history only
    • Includes Terraform/CLI examples for automation

Security Hardening

  • .gitignore: Added patterns for *secret*, *private*, *.pem, *.key, API key variations
  • Templates: Standardized PR template with security checklist, issue templates for bugs/features/security

Documentation

  • README.md: Added governance section with bot collaboration flow diagram, security features, contribution process
  • CONTRIBUTING.md: Complete contributor guide with code style, security requirements, review process

Review Flow

PR Created
  ↓
Automated Checks (CI/CD, tests, security)
  ↓
Bot Review (Kairos + Copilot analysis)
  ↓
Human Review (maintainer approval)
  ↓
Merge

All dependency updates now require PR submission + bot audit + human approval per POLICY.md §3.

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • api.etherscan.io
    • Triggering command: /opt/hostedtoolcache/node/24.13.0/x64/bin/node /opt/hostedtoolcache/node/24.13.0/x64/bin/node test.js (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

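The description above lists three automated gates (regex-based secret detection, required-file policy compliance, and .gitignore pattern coverage) without showing how they work. The following is an added illustration, not the workflow code from this PR: the secret regexes, the required-file list and the sample inputs are assumptions constructed for the example, and a production gate would use a maintained scanner rather than hand-written patterns.

```python
import re

# Added example, not the PR's own code-review.yml. Regexes are assumptions
# chosen to catch the patterns the PR's .gitignore bullet names (keys, secrets).
SECRET_PATTERNS = {
    "private-key-block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "github-token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "aws-access-key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic-api-key": re.compile(r"(?i)(?:api[_-]?key|secret|token)\b\s*[:=]\s*['\"][^'\"]{16,}['\"]"),
}

# Governance files and ignore patterns taken from the PR description.
REQUIRED_FILES = ["POLICY.md", "OWNERSHIP.md", "SECURITY.md", "LICENSE", "CODEOWNERS"]
REQUIRED_IGNORE = ["*secret*", "*private*", "*.pem", "*.key"]


def scan_for_secrets(text):
    """Return (line_number, pattern_name) for every line matching a secret regex."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, rx in SECRET_PATTERNS.items():
            if rx.search(line):
                findings.append((lineno, name))
    return findings


def missing_required_files(present):
    """Policy compliance: which governance files are absent from the tree."""
    return [f for f in REQUIRED_FILES if f not in present]


def missing_ignore_patterns(gitignore_text):
    """Which of the required ignore rules are not present verbatim in .gitignore."""
    rules = {l.strip() for l in gitignore_text.splitlines() if l.strip() and not l.startswith("#")}
    return [p for p in REQUIRED_IGNORE if p not in rules]


def gate(text, present, gitignore_text):
    """The CI gate fails (False) if any check reports a finding."""
    return not (scan_for_secrets(text) or missing_required_files(present)
                or missing_ignore_patterns(gitignore_text))


# Constructed sample inputs: a source file with a hard-coded key and a
# pasted PEM header, and a .gitignore that forgot the *.key rule.
SAMPLE_FILE = 'import os\nDB_HOST = os.environ["DB_HOST"]\n' \
    'API_KEY = "abcdefghijklmnopqrstuvwxyz012345"\n-----BEGIN RSA PRIVATE KEY-----\n'
SAMPLE_GITIGNORE = "# constructed\nnode_modules/\n*secret*\n*private*\n*.pem\n"
SAMPLE_TREE = {"POLICY.md", "SECURITY.md", "LICENSE", "CODEOWNERS", "README.md"}
```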

Copilot AI and others added 3 commits February 22, 2026 02:28
…ecurity workflows

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>
Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>
Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>
Copilot AI changed the title [WIP] Enable simultaneous operation of Kairos bot and Copilot Add governance framework for bot collaboration and security enforcement Feb 22, 2026
