chore: phase 0 — repo bootstrap with secrets hygiene and CI

Initial scaffold for yc-ai-pulse, an open-source YC batch analyzer.

Phase 0 establishes the safety floor before any LLM code lands:
- MIT license, README with anti-hallucination contract, CONTRIBUTING,
  SECURITY policy, CHANGELOG, BACKLOG, .env.example
- pyproject.toml (ruff/mypy/pytest config), package.json placeholder
- pre-commit with detect-secrets, gitleaks, ruff, custom Anthropic/
  OpenAI/GitHub key regex, large-file guard
- scripts/secret_scan.sh + scripts/publish_check.sh for the
  pre-publish PII/credential gate
- .github/workflows/ci.yml: ruff, mypy, pytest, secret-scan,
  publish-check on every PR
- Issue and PR templates referencing the anti-hallucination
  invariants in CONTRIBUTING.md
- ADR 0001 (yc-oss/api as primary data source) and ADR 0002
  (localhost FastAPI over native messaging) so future-me has the why
- src/ycai package skeleton with version + CLI shim, tests/test_smoke.py

Subsequent phases land in their own PRs against milestone v0.1.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: RyanAlberts

.env.example

@@ -0,0 +1,14 @@
+# Copy to .env and fill in. Never commit .env.
+
+# Optional: only set if you want to pay-per-run via the Anthropic API.
+# Leave unset to use the Claude Agent SDK against your Claude Max subscription.
+# ANTHROPIC_API_KEY=sk-ant-...
+
+# Local backend port (default 8787).
+# YCAI_PORT=8787
+
+# Default model. Override only if you know why.
+# YCAI_MODEL=claude-sonnet-4-6
+
+# Concurrency for the per-company research sweep.
+# YCAI_CONCURRENCY=8

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,22 @@
+---
+name: Bug report
+about: Something doesn't work
+labels: bug
+---
+
+## What happened
+
+<!-- Concrete, reproducible. Include the exact command. -->
+
+## What you expected
+
+## Environment
+
+- OS:
+- Python version:
+- `yc-ai-pulse` version (`pip show yc-ai-pulse`):
+- Browser (if extension):
+
+## Logs
+
+<!-- Redact any API keys before pasting. -->

.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,17 @@
+---
+name: Feature request
+about: Propose a change
+labels: enhancement
+---
+
+## Problem
+
+<!-- What can't a user do today? -->
+
+## Proposed solution
+
+## Alternatives considered
+
+## Phase
+
+<!-- Which milestone does this belong to? v0.1 / v0.2 / v1.0 / unsure -->

.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,24 @@
+## What
+
+<!-- One sentence on what changes for the user. -->
+
+## Why
+
+<!-- The motivation. Link the issue if there is one. -->
+
+## How
+
+<!-- Brief implementation notes. Diagrams encouraged for non-trivial changes. -->
+
+## Acceptance
+
+- [ ] `make validate-p0` (or current phase) green locally
+- [ ] `make publish-check` green
+- [ ] Pre-commit hooks all pass
+- [ ] No new lines in `BACKLOG.md` deferred without a reason
+- [ ] If this PR touches the LLM path: anti-hallucination invariants preserved (see [CONTRIBUTING.md](../CONTRIBUTING.md))
+- [ ] If this PR touches the extension: Playwright suite passes
+
+## Test plan
+
+<!-- How did you verify this? Include any manual smoke steps. -->

.github/workflows/ci.yml

@@ -0,0 +1,78 @@
+name: CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ci-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  python:
+    name: lint / type / test
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+          cache: pip
+
+      - name: Install dev dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install -e ".[dev]"
+
+      - name: ruff
+        run: ruff check .
+
+      - name: mypy (best-effort during phase 0)
+        run: |
+          if [ -d src/ycai ] && [ -n "$(find src/ycai -name '*.py' -not -empty)" ]; then
+            mypy src/ycai
+          else
+            echo "no source yet — phase 0"
+          fi
+
+      - name: pytest
+        run: pytest -q
+
+  secret-scan:
+    name: secret scan
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Set up Python (for detect-secrets)
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+
+      - name: Install detect-secrets
+        run: pip install detect-secrets
+
+      - name: Custom regex sweep
+        run: bash scripts/secret_scan.sh
+
+      - name: gitleaks
+        uses: gitleaks/gitleaks-action@v2
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+  publish-check:
+    name: publish hygiene
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: publish-check
+        run: bash scripts/publish_check.sh

.gitignore

@@ -0,0 +1,50 @@
+# Secrets — never check these in
+.env
+.env.*
+!.env.example
+*.key
+*.pem
+secrets/
+~/.ycai/
+
+# Run artifacts (timestamped output directories)
+runs/
+cache/
+
+# Python
+__pycache__/
+*.py[cod]
+*$py.class
+*.so
+.Python
+build/
+dist/
+*.egg-info/
+.eggs/
+.pytest_cache/
+.mypy_cache/
+.ruff_cache/
+.coverage
+htmlcov/
+.tox/
+.venv/
+venv/
+env/
+
+# Node / extension build
+node_modules/
+extension/dist/
+extension/.env.local
+*.tsbuildinfo
+
+# Editor / OS
+.DS_Store
+.idea/
+.vscode/
+*.swp
+*~
+
+# DBs / large files we don't want shipped
+*.sqlite
+*.sqlite3
+*.db

.pre-commit-config.yaml

@@ -0,0 +1,46 @@
+# Pre-commit hooks. Install with: pre-commit install --install-hooks
+# CI re-runs the same checks on every PR.
+
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.6.0
+    hooks:
+      - id: trailing-whitespace
+      - id: end-of-file-fixer
+      - id: check-yaml
+      - id: check-toml
+      - id: check-json
+      - id: check-merge-conflict
+      - id: check-added-large-files
+        args: ["--maxkb=500"]
+      - id: detect-private-key
+      - id: mixed-line-ending
+        args: ["--fix=lf"]
+
+  - repo: https://github.com/Yelp/detect-secrets
+    rev: v1.5.0
+    hooks:
+      - id: detect-secrets
+        args: ["--baseline", ".secrets.baseline"]
+        exclude: \.secrets\.baseline$
+
+  - repo: https://github.com/gitleaks/gitleaks
+    rev: v8.21.2
+    hooks:
+      - id: gitleaks
+
+  - repo: https://github.com/astral-sh/ruff-pre-commit
+    rev: v0.6.9
+    hooks:
+      - id: ruff
+        args: [--fix]
+      - id: ruff-format
+
+  - repo: local
+    hooks:
+      - id: anthropic-key-regex
+        name: block Anthropic / OpenAI / GitHub credentials
+        entry: bash scripts/secret_scan.sh
+        language: system
+        pass_filenames: false
+        stages: [pre-commit]

.secrets.baseline

@@ -0,0 +1,131 @@
+{
+  "version": "1.5.0",
+  "plugins_used": [
+    {
+      "name": "ArtifactoryDetector"
+    },
+    {
+      "name": "AWSKeyDetector"
+    },
+    {
+      "name": "AzureStorageKeyDetector"
+    },
+    {
+      "name": "Base64HighEntropyString",
+      "limit": 4.5
+    },
+    {
+      "name": "BasicAuthDetector"
+    },
+    {
+      "name": "CloudantDetector"
+    },
+    {
+      "name": "DiscordBotTokenDetector"
+    },
+    {
+      "name": "GitHubTokenDetector"
+    },
+    {
+      "name": "GitLabTokenDetector"
+    },
+    {
+      "name": "HexHighEntropyString",
+      "limit": 3.0
+    },
+    {
+      "name": "IbmCloudIamDetector"
+    },
+    {
+      "name": "IbmCosHmacDetector"
+    },
+    {
+      "name": "IPPublicDetector"
+    },
+    {
+      "name": "JwtTokenDetector"
+    },
+    {
+      "name": "KeywordDetector",
+      "keyword_exclude": ""
+    },
+    {
+      "name": "MailchimpDetector"
+    },
+    {
+      "name": "NpmDetector"
+    },
+    {
+      "name": "OpenAIDetector"
+    },
+    {
+      "name": "PrivateKeyDetector"
+    },
+    {
+      "name": "PypiTokenDetector"
+    },
+    {
+      "name": "SendGridDetector"
+    },
+    {
+      "name": "SlackDetector"
+    },
+    {
+      "name": "SoftlayerDetector"
+    },
+    {
+      "name": "SquareOAuthDetector"
+    },
+    {
+      "name": "StripeDetector"
+    },
+    {
+      "name": "TelegramBotTokenDetector"
+    },
+    {
+      "name": "TwilioKeyDetector"
+    }
+  ],
+  "filters_used": [
+    {
+      "path": "detect_secrets.filters.allowlist.is_line_allowlisted"
+    },
+    {
+      "path": "detect_secrets.filters.common.is_baseline_file",
+      "filename": ".secrets.baseline"
+    },
+    {
+      "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies",
+      "min_level": 2
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_indirect_reference"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_likely_id_string"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_lock_file"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_not_alphanumeric_string"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_potential_uuid"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_prefixed_with_dollar_sign"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_sequential_string"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_swagger_file"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_templated_secret"
+    }
+  ],
+  "results": {},
+  "generated_at": "2026-05-01T17:09:18Z"
+}