chore: add dev tooling — hooks, skills, agents, codecov, dependabot

- Add .git-hooks/ (pre-commit, commit-msg, prepare-commit-msg, post-checkout, post-merge, pre-push)
  with resq-cli delegation, OSV scan, secrets scan, and dotnet format check
- Add scripts/setup.sh with core.hooksPath wiring and Nix bootstrap
- Add bootstrap.sh root alias for scripts/setup.sh
- Add flake.nix devShell with osv-scanner and dotnet-sdk_9
- Add .github/skills/ (feynman-auditor, nemesis-auditor, state-inconsistency-auditor)
- Add .github/agents/, .github/commands/, .github/rules/ for .NET context
- Add .github/dependabot.yml with nuget + github-actions and minor/patch grouping
- Add .github/workflows/auto-merge.yml for Dependabot PRs
- Update .github/workflows/ci.yml with XPlat Code Coverage and Codecov upload
- Add CLAUDE.md + AGENTS.md agent guide
- Add agent-sync.sh to keep AGENTS.md and CLAUDE.md in sync

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: WomB0ComB0

.claude/agents

@@ -0,0 +1 @@
+../.github/agents

.claude/commands

@@ -0,0 +1 @@
+../.github/commands

.claude/rules

@@ -0,0 +1 @@
+../.github/rules

.claude/skills

@@ -0,0 +1 @@
+../.github/skills

.dockerignore

@@ -0,0 +1,7 @@
+**/bin/
+**/obj/
+**/TestResults/
+**/.vs/
+.git/
+**/*.md
+artifacts/

.git-hooks/README.md

@@ -0,0 +1,52 @@
+# Git Hooks — ResQ .NET SDK
+
+This directory contains the project's git hooks. They enforce code quality, security, and workflow conventions for the ResQ .NET SDK (C#/.NET 9).
+
+## Installation
+
+```bash
+# Configure git to use these hooks
+git config core.hooksPath .git-hooks
+
+# Or run the setup script (recommended)
+./scripts/setup.sh
+```
+
+The setup script sets `core.hooksPath` to `.git-hooks` and makes all hooks executable.
+
+## Active Hooks
+
+| Hook | Purpose |
+|------|---------|
+| `pre-commit` | Large file guard (1 MB limit), secrets scan (gitleaks / grep fallback), C# formatting verification (`dotnet format --verify-no-changes`) |
+| `commit-msg` | Conventional Commits format validation; blocks `fixup!`/`squash!`/WIP on `main` |
+| `prepare-commit-msg` | Prepends ticket reference (e.g., `[PROJ-123]`) extracted from branch name |
+| `pre-push` | Force-push guard on `main`, branch naming convention, `dotnet build` check on changed `.cs` files |
+| `post-checkout` | Auto `dotnet restore` when `packages.lock.json` changes between branches |
+| `post-merge` | Auto `dotnet restore` when `packages.lock.json` changes after a merge |
+
+## Bypassing Hooks
+
+Use `--no-verify` to skip `pre-commit` and `commit-msg` hooks:
+
+```bash
+git commit --no-verify -m "wip: quick save"
+git push --no-verify
+```
+
+> **Note:** `post-checkout`, `post-merge`, and `prepare-commit-msg` cannot be bypassed with `--no-verify`.
+> Set `GIT_HOOKS_SKIP=1` to skip all custom hook logic.
+
+## Environment Variables
+
+| Variable | Effect | Scope |
+|----------|--------|-------|
+| `GIT_HOOKS_SKIP=1` | Skip all custom hook logic | `pre-commit`, `commit-msg`, `pre-push`, `post-checkout`, `post-merge` |
+
+## Adding a New Hook
+
+1. Create the hook file in `.git-hooks/` (no extension).
+2. Start with `#!/usr/bin/env bash` and add the Apache-2.0 license header.
+3. Make it executable: `chmod +x .git-hooks/<hook-name>`
+4. Test with: `bash -n .git-hooks/<hook-name>`
+5. Update this README with the new hook's purpose.

.git-hooks/commit-msg

@@ -0,0 +1,62 @@
+#!/usr/bin/env bash
+set -euo pipefail
+#
+# Copyright 2026 ResQ
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# commit-msg
+#
+# Validates the commit message format.
+# Ensures the subject line follows the Conventional Commits specification.
+#
+# Usage:
+#   .git-hooks/commit-msg COMMIT_MSG_FILE
+#
+# Arguments:
+#   $1 - Path to the file containing the commit message.
+#
+# Exit codes:
+#   0  Commit message is valid.
+#   1  Commit message is invalid.
+
+[ -n "${GIT_HOOKS_SKIP:-}" ] && exit 0
+
+# INPUT_FILE stores the path to the commit message file.
+INPUT_FILE=${1:-}
+# PATTERN is the regular expression for a valid Conventional Commit message.
+PATTERN="^(feat|fix|docs|style|refactor|perf|test|build|ci|chore|revert)(\(.+\))?(!)?: .+$"
+
+# Validate only the first line (subject). Strip an optional [TICKET-123] prefix
+# inserted by prepare-commit-msg so the two hooks don't conflict.
+FIRST_LINE=$(head -1 "$INPUT_FILE")
+SUBJECT=$(echo "$FIRST_LINE" | sed 's/^\[[A-Z][A-Z]*-[0-9]*\] //')
+
+if ! echo "$SUBJECT" | grep -qE "$PATTERN"; then
+    echo "Error: Invalid commit message format."
+    echo "Expected format: type(scope): subject"
+    echo "Examples:"
+    echo "  feat(core): add new feature"
+    echo "  fix(ui): fix button color"
+    exit 1
+fi
+
+# Block fixup!/WIP commits on main
+BRANCH=$(git symbolic-ref --short HEAD 2>/dev/null || echo "")
+if [ "$BRANCH" = "main" ]; then
+    if echo "$FIRST_LINE" | grep -qiE "^(\[[A-Z]+-[0-9]+\] )?(fixup!|squash!|wip[: ])"; then
+        echo "Error: fixup!/squash!/WIP commits are not allowed on main."
+        echo "Create a feature branch instead."
+        exit 1
+    fi
+fi

.git-hooks/post-checkout

@@ -0,0 +1,64 @@
+#!/usr/bin/env bash
+set -euo pipefail
+#
+# Copyright 2026 ResQ
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# post-checkout
+#
+# Automatically installs dependencies when lock files change during branch checkout.
+#
+# Usage:
+#   .git-hooks/post-checkout PREV_HEAD NEW_HEAD IS_BRANCH_CHECKOUT
+#
+# Arguments:
+#   $1 - Previous HEAD commit hash.
+#   $2 - New HEAD commit hash.
+#   $3 - Flag indicating if it's a branch checkout (1) or file checkout (0).
+#
+# Exit codes:
+#   0  Always.
+
+[ -n "${GIT_HOOKS_SKIP:-}" ] && exit 0
+
+# PREV_HEAD stores the commit hash before checkout.
+PREV_HEAD="${1:-}"
+# NEW_HEAD stores the commit hash after checkout.
+NEW_HEAD="${2:-}"
+# IS_BRANCH_CHECKOUT is "1" if a branch was checked out, "0" otherwise.
+IS_BRANCH_CHECKOUT="${3:-}"
+
+# Only run on branch checkouts, not file checkouts
+if [ "$IS_BRANCH_CHECKOUT" != "1" ]; then
+    exit 0
+fi
+
+# Skip if both heads are the same (no actual branch change)
+if [ "$PREV_HEAD" = "$NEW_HEAD" ]; then
+    exit 0
+fi
+
+# CHANGED stores the list of files that differ between the two heads.
+CHANGED=$(git diff --name-only "$PREV_HEAD" "$NEW_HEAD" 2>/dev/null)
+
+# Check if packages.lock.json changed (NuGet lock file)
+if echo "$CHANGED" | grep -q "packages\.lock\.json"; then
+    if command -v dotnet >/dev/null 2>&1; then
+        echo "📦 packages.lock.json changed — running dotnet restore..."
+        dotnet restore 2>/dev/null || true
+        echo "✅ Dependencies restored"
+    else
+        echo "⚠️  dotnet not found — run 'dotnet restore' manually"
+    fi
+fi

.git-hooks/post-merge

@@ -0,0 +1,42 @@
+#!/usr/bin/env bash
+set -euo pipefail
+#
+# Copyright 2026 ResQ
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# post-merge
+#
+# Automatically installs dependencies when lock files change after a merge.
+#
+# Usage:
+#   .git-hooks/post-merge
+#
+# Exit codes:
+#   0  Always.
+
+[ -n "${GIT_HOOKS_SKIP:-}" ] && exit 0
+
+# CHANGED_FILES stores the list of files changed in the merge.
+CHANGED_FILES=$(git diff-tree -r --name-only --no-commit-id ORIG_HEAD HEAD 2>/dev/null)
+
+# Check if packages.lock.json changed (NuGet lock file)
+if echo "$CHANGED_FILES" | grep -q "packages\.lock\.json"; then
+    if command -v dotnet >/dev/null 2>&1; then
+        echo "📦 packages.lock.json changed after merge — running dotnet restore..."
+        dotnet restore 2>/dev/null || true
+        echo "✅ Dependencies restored"
+    else
+        echo "⚠️  dotnet not found — run 'dotnet restore' manually"
+    fi
+fi

.git-hooks/pre-commit

@@ -0,0 +1,122 @@
+#!/usr/bin/env bash
+set -euo pipefail
+#
+# Copyright 2026 ResQ
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# pre-commit
+#
+# Runs checks before allowing a commit:
+#   resq CLI (if installed) → secrets scan → OSV vuln scan → C# format check
+#
+# Install resq CLI: cargo install resq-cli
+#
+# Exit codes:
+#   0  All checks passed.
+#   1  Blocking check failed.
+
+# ── Path resolution ───────────────────────────────────────────────────────────
+if [ ${#BASH_SOURCE[@]} -gt 0 ] && [ -n "${BASH_SOURCE[0]:-}" ]; then
+    HOOK_PATH="${BASH_SOURCE[0]}"
+else
+    HOOK_PATH="$0"
+fi
+HOOK_PATH=$(readlink -f "$HOOK_PATH")
+SCRIPT_DIR=$(dirname "$HOOK_PATH")
+PROJECT_ROOT=$(cd "$SCRIPT_DIR/.." && pwd)
+
+# ── Nix environment entry (if osv-scanner or dotnet missing) ──────────────────
+if [[ -z "${IN_NIX_SHELL:-}" ]] && [[ -z "${RESQ_NIX_GUARD:-}" ]]; then
+    NEED_NIX=0
+    for _tool in osv-scanner dotnet; do
+        if ! command -v "$_tool" >/dev/null 2>&1; then NEED_NIX=1; break; fi
+    done
+    if [[ "$NEED_NIX" -eq 1 ]] && command -v nix >/dev/null 2>&1 && [ -f "$PROJECT_ROOT/flake.nix" ]; then
+        echo "❄️  Entering Nix environment for pre-commit checks..."
+        export RESQ_NIX_GUARD=1
+        exec nix develop "$PROJECT_ROOT" --command bash "$HOOK_PATH" "$@"
+    fi
+fi
+
+# Source shared utilities if available
+if [ -f "$PROJECT_ROOT/scripts/lib/shell-utils.sh" ]; then
+    source "$PROJECT_ROOT/scripts/lib/shell-utils.sh"
+fi
+
+[ -n "${GIT_HOOKS_SKIP:-}" ] && exit 0
+
+# ── Try resq CLI (handles all checks including OSV, secrets, formatting) ──────
+if command -v resq >/dev/null 2>&1; then
+    exec resq pre-commit --root "$PROJECT_ROOT" "$@"
+fi
+echo "ℹ️  resq CLI not found — running inline checks. Install: cargo install resq-cli"
+
+# ── Large file check ──────────────────────────────────────────────────────────
+echo "🔍 Checking staged file sizes..."
+STAGED_FILES=$(git diff --cached --name-only --diff-filter=ACM)
+for f in $STAGED_FILES; do
+    if [ -f "$f" ]; then
+        SIZE=$(wc -c < "$f")
+        if [ "$SIZE" -gt 1048576 ]; then
+            echo "❌ '$f' exceeds 1 MB. Large files must not be committed."
+            exit 1
+        fi
+    fi
+done
+echo "✅ File sizes OK"
+
+# ── Secrets scan ──────────────────────────────────────────────────────────────
+echo "🔍 Scanning for secrets..."
+if command -v gitleaks >/dev/null 2>&1; then
+    if ! gitleaks protect --staged --redact -v 2>/dev/null; then
+        echo "❌ Potential secrets detected. Remove them before committing."
+        exit 1
+    fi
+else
+    STAGED_CONTENT=$(git diff --cached --unified=0 2>/dev/null || true)
+    echo "$STAGED_CONTENT" | grep -qE 'AKIA[0-9A-Z]{16}'                          && { echo "❌ AWS key detected.";      exit 1; } || true
+    echo "$STAGED_CONTENT" | grep -qE '(ghp_|ghs_|gho_)[A-Za-z0-9_]{36,}'        && { echo "❌ GitHub token detected."; exit 1; } || true
+    echo "$STAGED_CONTENT" | grep -qF 'BEGIN PRIVATE KEY'                         && { echo "❌ Private key detected.";  exit 1; } || true
+    echo "$STAGED_CONTENT" | grep -qiE 'api[_-]?key\s*=\s*"[A-Za-z0-9_\-]{16,}"' && { echo "❌ API key detected.";     exit 1; } || true
+    echo "$STAGED_CONTENT" | grep -qiE 'password\s*=\s*"[^"]{4,}"'               && { echo "❌ Password detected.";    exit 1; } || true
+fi
+echo "✅ Secrets scan OK"
+
+# ── OSV vulnerability scan ────────────────────────────────────────────────────
+if command -v osv-scanner >/dev/null 2>&1; then
+    echo "🔍 Running OSV vulnerability scan..."
+    OSV_ARGS=()
+    [ -f "$PROJECT_ROOT/packages.lock.json" ] && OSV_ARGS+=(--lockfile "$PROJECT_ROOT/packages.lock.json")
+    if [ ${#OSV_ARGS[@]} -gt 0 ]; then
+        if ! osv-scanner scan "${OSV_ARGS[@]}" 2>/dev/null; then
+            echo "❌ OSV scan found vulnerabilities. Run: osv-scanner scan --lockfile packages.lock.json"
+            echo "   To skip: GIT_HOOKS_SKIP=1 git commit"
+            exit 1
+        fi
+        echo "✅ OSV scan OK"
+    fi
+fi
+
+# ── C# formatting check ───────────────────────────────────────────────────────
+STAGED_CS=$(git diff --cached --name-only --diff-filter=ACM | grep '\.cs$' || true)
+if [ -n "$STAGED_CS" ] && command -v dotnet >/dev/null 2>&1; then
+    echo "🔍 Checking C# formatting..."
+    if ! dotnet format --verify-no-changes --no-restore 2>/dev/null; then
+        echo "❌ C# formatting issues. Run: dotnet format"
+        exit 1
+    fi
+    echo "✅ C# formatting OK"
+fi
+
+echo "✅ Pre-commit checks passed"