
chore(devops): add CI/security/release workflows, dev tooling, and reference implementations#2

Merged
Shards-inc merged 1 commit into main from codex/analyze-shards-foundation-kernels-repository-cpk7vt
Mar 7, 2026

Conversation

@Shards-inc
Member

Motivation

  • The repository lacked production-oriented CI, security scanning, release automation, developer tooling, and reference implementations for thread-safe nonce handling and persistent audit storage.

Description

  • Replace and expand the CI workflow with a Python matrix (3.9–3.12) that runs Ruff lint/format checks, mypy type checks, bandit security scans, and pytest with coverage gating (80%).
  • Add a security.yml workflow with CodeQL analysis, PR dependency review, and safety vulnerability checking, and add a release.yml workflow to build and publish on v* tags.
  • Add developer tooling files including Makefile, .pre-commit-config.yaml, and pyproject-additions.toml with baseline configs for Ruff, mypy, pytest, and coverage.
  • Add reference implementation scaffolds implementations/permits_threadsafe.py (a ThreadSafeNonceRegistry using RLock with optional TTL cleanup) and implementations/storage.py (an SQLiteAuditStorage for persisting audit entries).

Testing

  • Ran python -m pytest, which executed 132 tests and all tests passed.
  • Compiled the new reference modules with python -m compileall implementations, which succeeded.

Codex Task
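The thread-safe nonce registry named in the fourth Description bullet (RLock-guarded state with optional TTL cleanup) is the replay-protection piece of this PR. The following is an added illustration of that design and is not the repository's implementations/permits_threadsafe.py; the class name, the `consume` method, the injectable `clock`, and the `race_same_nonce` / `ttl_demo` helpers are assumptions made for this example, and the timeline in `ttl_demo` is constructed.

```python
import threading
import time
from typing import Callable, Dict, List, Optional


class ThreadSafeNonceRegistry:
    """Replay protection: a nonce is accepted the first time it is presented and
    rejected on every later presentation.

    Hypothetical example class; it is not the repository's
    implementations/permits_threadsafe.py, only an illustration of the design
    that bullet describes (RLock-guarded state plus optional TTL cleanup).
    """

    def __init__(self, ttl_seconds: Optional[float] = None,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._lock = threading.RLock()          # reentrant: helpers may run while held
        self._seen: Dict[str, float] = {}       # nonce -> time first seen
        self._ttl = ttl_seconds                 # None means nonces never expire
        self._clock = clock                     # injectable so tests are deterministic

    def _purge_expired(self, now: float) -> int:
        """Drop nonces older than the TTL; returns how many were dropped.
        Caller must already hold self._lock."""
        if self._ttl is None:
            return 0
        cutoff = now - self._ttl
        expired = [n for n, first_seen in self._seen.items() if first_seen <= cutoff]
        for n in expired:
            del self._seen[n]
        return len(expired)

    def consume(self, nonce: str) -> bool:
        """Return True on first use of `nonce`, False on any replay.

        The check and the insert happen under a single lock acquisition, so two
        threads racing on the same nonce cannot both be told it is fresh.
        """
        with self._lock:
            now = self._clock()
            self._purge_expired(now)            # opportunistic cleanup keeps memory bounded
            if nonce in self._seen:
                return False
            self._seen[nonce] = now
            return True

    def __len__(self) -> int:
        with self._lock:
            return len(self._seen)


def race_same_nonce(registry: ThreadSafeNonceRegistry, nonce: str, n_threads: int = 16) -> int:
    """Let n_threads present the same nonce at once; returns how many were accepted.
    A correct registry accepts exactly one."""
    barrier = threading.Barrier(n_threads)      # release all workers together
    results: List[bool] = []
    results_lock = threading.Lock()

    def worker() -> None:
        barrier.wait()
        accepted = registry.consume(nonce)
        with results_lock:
            results.append(accepted)

    threads = [threading.Thread(target=worker) for _ in range(n_threads)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)


def ttl_demo() -> List[bool]:
    """Walk a registry with a 10 s TTL through a constructed timeline on a fake clock.
    Returns the acceptance decisions in order."""
    fake_now = [0.0]
    reg = ThreadSafeNonceRegistry(ttl_seconds=10.0, clock=lambda: fake_now[0])
    decisions = [reg.consume("permit-A")]       # t=0: fresh -> True
    fake_now[0] = 5.0
    decisions.append(reg.consume("permit-A"))   # t=5: replay inside TTL -> False
    fake_now[0] = 11.0
    decisions.append(reg.consume("permit-B"))   # t=11: fresh; purges permit-A -> True
    decisions.append(len(reg) == 1)             # only permit-B remains
    return decisions


if __name__ == "__main__":
    print("accepted under contention:", race_same_nonce(ThreadSafeNonceRegistry(), "shared-nonce"))
    print("TTL timeline:", ttl_demo())
```

Two design points a reviewer would check in the real module: the TTL must be no shorter than the window in which a signed permit is still considered valid, otherwise a nonce can be purged and then presented again while its permit is still live; and an in-process registry only protects one process, so a multi-instance deployment needs the seen-nonce set in shared storage (for instance alongside the SQLite audit entries the same PR introduces).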

@Shards-inc Shards-inc marked this pull request as ready for review March 7, 2026 22:52
@Shards-inc Shards-inc merged commit c420163 into main Mar 7, 2026
3 of 7 checks passed
@github-advanced-security

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.
