Chore/add GitHub config

.githooks/pre-commit

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+if command -v gitleaks >/dev/null 2>&1; then
+  gitleaks protect --staged --redact
+else
+  echo "warning: gitleaks not found; skipping staged secret scan" >&2
+fi

.githooks/pre-push

@@ -0,0 +1,53 @@
+#!/usr/bin/env bash
+#
+# pre-push hook — runs fmt, clippy, and tests before every push.
+# Install:  git config core.hooksPath .githooks
+# Skip:     git push --no-verify
+
+set -euo pipefail
+
+echo "==> pre-push: running rust quality gate..."
+./scripts/ci/rust_quality_gate.sh || {
+    echo "FAIL: rust quality gate failed."
+    exit 1
+}
+
+if [ "${ZEROCLAW_STRICT_LINT:-0}" = "1" ]; then
+    echo "==> pre-push: running strict clippy warnings gate (ZEROCLAW_STRICT_LINT=1)..."
+    ./scripts/ci/rust_quality_gate.sh --strict || {
+        echo "FAIL: strict clippy warnings gate reported issues."
+        exit 1
+    }
+fi
+
+if [ "${ZEROCLAW_STRICT_DELTA_LINT:-0}" = "1" ]; then
+    echo "==> pre-push: running strict delta lint gate (ZEROCLAW_STRICT_DELTA_LINT=1)..."
+    ./scripts/ci/rust_strict_delta_gate.sh || {
+        echo "FAIL: strict delta lint gate reported issues."
+        exit 1
+    }
+fi
+
+if [ "${ZEROCLAW_DOCS_LINT:-0}" = "1" ]; then
+    echo "==> pre-push: running docs quality gate (ZEROCLAW_DOCS_LINT=1)..."
+    ./scripts/ci/docs_quality_gate.sh || {
+        echo "FAIL: docs quality gate reported issues."
+        exit 1
+    }
+fi
+
+if [ "${ZEROCLAW_DOCS_LINKS:-0}" = "1" ]; then
+    echo "==> pre-push: running docs links gate (ZEROCLAW_DOCS_LINKS=1)..."
+    ./scripts/ci/docs_links_gate.sh || {
+        echo "FAIL: docs links gate reported issues."
+        exit 1
+    }
+fi
+
+echo "==> pre-push: running tests..."
+cargo test --locked || {
+    echo "FAIL: some tests did not pass."
+    exit 1
+}
+
+echo "==> pre-push: all checks passed."

.github/CODEOWNERS

@@ -0,0 +1,32 @@
+# Default owner for all files
+* @louisdevzz
+
+# Important functional modules
+/src/agent/** @louisdevzz
+/src/providers/** @louisdevzz
+/src/channels/** @louisdevzz
+/src/tools/** @louisdevzz
+/src/gateway/** @louisdevzz
+/src/runtime/** @louisdevzz
+/src/memory/** @louisdevzz
+/Cargo.toml @louisdevzz
+/Cargo.lock @louisdevzz
+
+# Security / tests / CI-CD ownership
+/src/security/** @louisdevzz
+/tests/** @louisdevzz
+/.github/** @louisdevzz
+/.github/workflows/** @louisdevzz
+/.github/codeql/** @louisdevzz
+/.github/dependabot.yml @louisdevzz
+/SECURITY.md @louisdevzz
+/docs/actions-source-policy.md @louisdevzz
+/docs/ci-map.md @louisdevzz
+
+# Docs & governance
+/docs/** @louisdevzz
+/AGENTS.md @louisdevzz
+/CLAUDE.md @louisdevzz
+/CONTRIBUTING.md @louisdevzz
+/docs/pr-workflow.md @louisdevzz
+/docs/reviewer-playbook.md @louisdevzz

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -0,0 +1,148 @@
+name: Bug Report
+description: Report a reproducible defect in ZeroClaw
+title: "[Bug]: "
+labels:
+  - bug
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for taking the time to report a bug.
+        Please provide a minimal reproducible case so maintainers can triage quickly.
+        Do not include personal/sensitive data; redact and anonymize all logs/payloads.
+
+  - type: input
+    id: summary
+    attributes:
+      label: Summary
+      description: One-line description of the problem.
+      placeholder: zeroclaw daemon exits immediately when ...
+    validations:
+      required: true
+
+  - type: dropdown
+    id: component
+    attributes:
+      label: Affected component
+      options:
+        - runtime/daemon
+        - provider
+        - channel
+        - memory
+        - security/sandbox
+        - tooling/ci
+        - docs
+        - unknown
+    validations:
+      required: true
+
+  - type: dropdown
+    id: severity
+    attributes:
+      label: Severity
+      options:
+        - S0 - data loss / security risk
+        - S1 - workflow blocked
+        - S2 - degraded behavior
+        - S3 - minor issue
+    validations:
+      required: true
+
+  - type: textarea
+    id: current
+    attributes:
+      label: Current behavior
+      description: What is happening now?
+      placeholder: The process exits with ...
+    validations:
+      required: true
+
+  - type: textarea
+    id: expected
+    attributes:
+      label: Expected behavior
+      description: What should happen instead?
+      placeholder: The daemon should stay alive and ...
+    validations:
+      required: true
+
+  - type: textarea
+    id: reproduce
+    attributes:
+      label: Steps to reproduce
+      description: Please provide exact commands/config.
+      placeholder: |
+        1. zeroclaw onboard --interactive
+        2. zeroclaw daemon
+        3. Observe crash in logs
+      render: bash
+    validations:
+      required: true
+
+  - type: textarea
+    id: impact
+    attributes:
+      label: Impact
+      description: Who is affected, how often, and practical consequences.
+      placeholder: |
+        Affected users: ...
+        Frequency: always/intermittent
+        Consequence: ...
+    validations:
+      required: true
+
+  - type: textarea
+    id: logs
+    attributes:
+      label: Logs / stack traces
+      description: Paste relevant logs (redact secrets, personal identifiers, and sensitive data).
+      render: text
+    validations:
+      required: false
+
+  - type: input
+    id: version
+    attributes:
+      label: ZeroClaw version
+      placeholder: v0.1.0 / commit SHA
+    validations:
+      required: true
+
+  - type: input
+    id: rust
+    attributes:
+      label: Rust version
+      placeholder: rustc 1.xx.x
+    validations:
+      required: true
+
+  - type: input
+    id: os
+    attributes:
+      label: Operating system
+      placeholder: Ubuntu 24.04 / macOS 15 / Windows 11
+    validations:
+      required: true
+
+  - type: dropdown
+    id: regression
+    attributes:
+      label: Regression?
+      options:
+        - Unknown
+        - Yes, it worked before
+        - No, first-time setup
+    validations:
+      required: true
+
+  - type: checkboxes
+    id: checks
+    attributes:
+      label: Pre-flight checks
+      options:
+        - label: I reproduced this on the latest main branch or latest release.
+          required: true
+        - label: I redacted secrets/tokens from logs.
+          required: true
+        - label: I removed personal identifiers and replaced identity-specific data with neutral placeholders.
+          required: true

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,17 @@
+blank_issues_enabled: false
+contact_links:
+  - name: Security vulnerability report
+    url: https://github.com/zeroclaw-labs/zeroclaw/security/policy
+    about: Please report security vulnerabilities privately via SECURITY.md policy.
+  - name: Private vulnerability report template
+    url: https://github.com/zeroclaw-labs/zeroclaw/blob/main/docs/security/private-vulnerability-report-template.md
+    about: Use this template when filing a private vulnerability report in Security Advisories.
+  - name: 私密漏洞报告模板（中文）
+    url: https://github.com/zeroclaw-labs/zeroclaw/blob/main/docs/security/private-vulnerability-report-template.zh-CN.md
+    about: 使用该中文模板通过 Security Advisories 进行私密漏洞提交。
+  - name: Contribution guide
+    url: https://github.com/zeroclaw-labs/zeroclaw/blob/main/CONTRIBUTING.md
+    about: Please read contribution and PR requirements before opening an issue.
+  - name: PR workflow & reviewer expectations
+    url: https://github.com/zeroclaw-labs/zeroclaw/blob/main/docs/pr-workflow.md
+    about: Read risk-based PR tracks, CI gates, and merge criteria before filing feature requests.

.github/ISSUE_TEMPLATE/feature_request.yml

@@ -0,0 +1,107 @@
+name: Feature Request
+description: Propose an improvement or new capability
+title: "[Feature]: "
+labels:
+  - enhancement
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for sharing your idea.
+        Please focus on user value, constraints, and rollout safety.
+        Do not include personal/sensitive data; use neutral project-scoped placeholders.
+
+  - type: input
+    id: summary
+    attributes:
+      label: Summary
+      description: One-line statement of the requested capability.
+      placeholder: Add a provider-level retry budget override for long-running channels.
+    validations:
+      required: true
+
+  - type: textarea
+    id: problem
+    attributes:
+      label: Problem statement
+      description: What user pain does this solve and why is current behavior insufficient?
+      placeholder: Teams operating in unstable networks cannot tune retries per provider...
+    validations:
+      required: true
+
+  - type: textarea
+    id: proposal
+    attributes:
+      label: Proposed solution
+      description: Describe preferred behavior and interfaces.
+      placeholder: Add `[provider.retry]` config and enforce bounds in config validation.
+    validations:
+      required: true
+
+  - type: textarea
+    id: non_goals
+    attributes:
+      label: Non-goals / out of scope
+      description: Clarify what should not be included in the first iteration.
+      placeholder: No UI changes, no cross-provider dynamic adaptation in v1.
+    validations:
+      required: true
+
+  - type: textarea
+    id: alternatives
+    attributes:
+      label: Alternatives considered
+      description: What alternatives did you evaluate?
+      placeholder: Keep current behavior, use wrapper scripts, etc.
+    validations:
+      required: false
+
+  - type: textarea
+    id: acceptance
+    attributes:
+      label: Acceptance criteria
+      description: What outcomes would make this request complete?
+      placeholder: |
+        - Config key is documented and validated
+        - Runtime path uses configured retry budget
+        - Regression tests cover fallback and invalid config
+    validations:
+      required: true
+
+  - type: textarea
+    id: architecture
+    attributes:
+      label: Architecture impact
+      description: Which subsystem(s) are affected?
+      placeholder: providers/, channels/, memory/, runtime/, security/, docs/ ...
+    validations:
+      required: true
+
+  - type: textarea
+    id: risk
+    attributes:
+      label: Risk and rollback
+      description: Main risk + how to disable/revert quickly.
+      placeholder: Risk is ... rollback is ...
+    validations:
+      required: true
+
+  - type: dropdown
+    id: breaking
+    attributes:
+      label: Breaking change?
+      options:
+        - "No"
+        - "Yes"
+    validations:
+      required: true
+
+  - type: checkboxes
+    id: hygiene
+    attributes:
+      label: Data hygiene checks
+      options:
+        - label: I removed personal/sensitive data from examples, payloads, and logs.
+          required: true
+        - label: I used neutral, project-focused wording and placeholders.
+          required: true

.github/actionlint.yaml

@@ -0,0 +1,7 @@
+self-hosted-runner:
+    labels:
+        - blacksmith-2vcpu-ubuntu-2404
+        - aws-india
+        - hetzner
+        - Linux
+        - X64

.github/codeql/codeql-config.yml

@@ -0,0 +1,8 @@
+# CodeQL configuration for ZeroClaw
+#
+# We intentionally ignore integration tests under `tests/` because they often
+# contain security-focused fixtures (example secrets, malformed payloads, etc.)
+# that can trigger false positives in security queries.
+
+paths-ignore:
+    - tests/**