Document lifecycle-aware continuity controls in README

.env.example

@@ -0,0 +1,46 @@
+APP_ENV=development
+APP_HOST=127.0.0.1
+APP_PORT=8000
+# Development-only local credentials. Override for any shared or remote environment.
+DATABASE_URL=postgresql://alicebot_app:alicebot_app@localhost:5432/alicebot
+DATABASE_ADMIN_URL=postgresql://alicebot_admin:alicebot_admin@localhost:5432/alicebot
+REDIS_URL=redis://localhost:6379/0
+S3_ENDPOINT_URL=http://localhost:9000
+S3_ACCESS_KEY=alicebot
+S3_SECRET_KEY=alicebot-secret
+S3_BUCKET=alicebot-local
+HEALTHCHECK_TIMEOUT_SECONDS=2
+TASK_WORKSPACE_ROOT=/tmp/alicebot/task-workspaces
+# Server-side authenticated user binding for /v0 requests.
+ALICEBOT_AUTH_USER_ID=00000000-0000-0000-0000-000000000001
+# Default sample-data fixture consumed by ./scripts/load_sample_data.sh.
+PUBLIC_SAMPLE_DATA_PATH=fixtures/public_sample_data/continuity_v1.json
+# Per-user response generation throttle (POST /v0/responses).
+RESPONSE_RATE_LIMIT_WINDOW_SECONDS=60
+RESPONSE_RATE_LIMIT_MAX_REQUESTS=20
+# Hosted auth and webhook ingress throttles.
+MAGIC_LINK_START_RATE_LIMIT_WINDOW_SECONDS=300
+MAGIC_LINK_START_RATE_LIMIT_MAX_REQUESTS=5
+MAGIC_LINK_VERIFY_RATE_LIMIT_WINDOW_SECONDS=300
+MAGIC_LINK_VERIFY_RATE_LIMIT_MAX_REQUESTS=10
+TELEGRAM_WEBHOOK_RATE_LIMIT_WINDOW_SECONDS=60
+TELEGRAM_WEBHOOK_RATE_LIMIT_MAX_REQUESTS=120
+# Telegram transport defaults.
+TELEGRAM_LINK_TTL_SECONDS=600
+TELEGRAM_BOT_USERNAME=alicebot
+TELEGRAM_WEBHOOK_SECRET=
+TELEGRAM_BOT_TOKEN=
+# Browser security posture.
+CORS_ALLOWED_ORIGINS=http://localhost:3000,http://127.0.0.1:3000
+CORS_ALLOWED_METHODS=GET,POST,PUT,PATCH,DELETE,OPTIONS
+CORS_ALLOWED_HEADERS=Authorization,Content-Type,X-AliceBot-User-Id,X-Telegram-Bot-Api-Secret-Token
+CORS_ALLOW_CREDENTIALS=false
+CORS_PREFLIGHT_MAX_AGE_SECONDS=600
+SECURITY_HEADERS_ENABLED=true
+SECURITY_HEADERS_HSTS_MAX_AGE_SECONDS=31536000
+SECURITY_HEADERS_HSTS_INCLUDE_SUBDOMAINS=true
+# Proxy and ingress trust boundaries.
+TRUST_PROXY_HEADERS=false
+TRUSTED_PROXY_IPS=
+# Entrypoint abuse-control backend.
+ENTRYPOINT_RATE_LIMIT_BACKEND=redis

.github/dependabot.yml

@@ -0,0 +1,21 @@
+version: 2
+updates:
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: weekly
+
+  - package-ecosystem: pip
+    directory: /
+    schedule:
+      interval: weekly
+
+  - package-ecosystem: npm
+    directory: /packages/alice-core
+    schedule:
+      interval: weekly
+
+  - package-ecosystem: npm
+    directory: /packages/alice-cli
+    schedule:
+      interval: weekly

.github/workflows/publish-npm.yml

@@ -0,0 +1,113 @@
+name: Publish NPM Packages
+
+on:
+  push:
+    tags:
+      - "v*"
+
+permissions:
+  contents: read
+
+concurrency:
+  group: publish-npm-${{ github.ref }}
+  cancel-in-progress: false
+
+jobs:
+  publish-core:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: 20
+          registry-url: https://registry.npmjs.org
+
+      - name: Resolve core version
+        id: core_meta
+        working-directory: packages/alice-core
+        run: |
+          version=$(npm pkg get version --json | tr -d '"' | tr -d '\n')
+          echo "version=$version" >> "$GITHUB_OUTPUT"
+
+      - name: Validate core version output
+        run: |
+          if [ -z "${{ steps.core_meta.outputs.version }}" ]; then
+            echo "Core version output is empty."
+            exit 1
+          fi
+
+      - name: Check if core version is already published
+        id: core_exists
+        run: |
+          if npm view @aliceos/alice-core@${{ steps.core_meta.outputs.version }} version >/dev/null 2>&1; then
+            echo "exists=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "exists=false" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Publish @aliceos/alice-core
+        if: steps.core_exists.outputs.exists == 'false'
+        working-directory: packages/alice-core
+        run: npm publish --access public --provenance
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+
+      - name: Skip core publish (already exists)
+        if: steps.core_exists.outputs.exists == 'true'
+        run: echo "@aliceos/alice-core@${{ steps.core_meta.outputs.version }} already published; skipping."
+
+  publish-cli:
+    runs-on: ubuntu-latest
+    needs: publish-core
+    permissions:
+      contents: read
+      id-token: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: 20
+          registry-url: https://registry.npmjs.org
+
+      - name: Resolve cli version
+        id: cli_meta
+        working-directory: packages/alice-cli
+        run: |
+          version=$(npm pkg get version --json | tr -d '"' | tr -d '\n')
+          echo "version=$version" >> "$GITHUB_OUTPUT"
+
+      - name: Validate cli version output
+        run: |
+          if [ -z "${{ steps.cli_meta.outputs.version }}" ]; then
+            echo "CLI version output is empty."
+            exit 1
+          fi
+
+      - name: Check if cli version is already published
+        id: cli_exists
+        run: |
+          if npm view @aliceos/alice-cli@${{ steps.cli_meta.outputs.version }} version >/dev/null 2>&1; then
+            echo "exists=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "exists=false" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Publish @aliceos/alice-cli
+        if: steps.cli_exists.outputs.exists == 'false'
+        working-directory: packages/alice-cli
+        run: npm publish --access public --provenance
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+
+      - name: Skip cli publish (already exists)
+        if: steps.cli_exists.outputs.exists == 'true'
+        run: echo "@aliceos/alice-cli@${{ steps.cli_meta.outputs.version }} already published; skipping."

.github/workflows/security-scans.yml

@@ -0,0 +1,57 @@
+name: Security Scans
+
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+  schedule:
+    - cron: "23 3 * * 1"
+
+permissions:
+  contents: read
+
+jobs:
+  secrets:
+    name: Secrets Scan (Gitleaks)
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Run gitleaks
+        uses: gitleaks/gitleaks-action@v2
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+  codeql:
+    name: CodeQL (${{ matrix.language }})
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    strategy:
+      fail-fast: false
+      matrix:
+        language:
+          - python
+          - javascript
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: ${{ matrix.language }}
+
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v3
+
+      - name: Analyze
+        uses: github/codeql-action/analyze@v3

.gitignore

@@ -0,0 +1,23 @@
+.DS_Store
+.env
+.pytest_cache/
+.venv/
+*.egg-info/
+__pycache__/
+*.pyc
+apps/web/.next/
+apps/web/node_modules/
+artifacts/
+
+# Internal operating docs (keep local, exclude from public repo)
+.ai/
+BUILD_REPORT.md
+REVIEW_REPORT.md
+ARCHIVE_RECOMMENDATIONS.md
+RECOMMENDED_ADRS.md
+
+# Internal planning/process docs (keep local, exclude from public repo)
+docs/archive/planning/
+docs/archive/sprints/
+docs/phase5-sprint-17-20-plan.md
+docs/phase8-sprint-29-32-plan.md