merging from main

Author: leandrodamascena

.bandit

@@ -0,0 +1,11 @@
+# Bandit configuration (YAML format, bandit 1.9+)
+# https://bandit.readthedocs.io/en/latest/config.html
+#
+# NOTE: scan targets must be passed via -r on the CLI; the YAML config
+# does not support a "targets" key.  Edit the workflow's bandit command
+# to add new directories.
+
+# Exclude test directories (test code often has intentional patterns
+# that trigger false positives like assert, subprocess in fixtures)
+exclude_dirs:
+  - "*/tests/*"

.checkov.yaml

@@ -0,0 +1,28 @@
+# Checkov configuration
+# https://www.checkov.io/2.Basics/CLI%20Command%20Reference.html
+
+# Scan GitHub Actions workflows and Dockerfiles
+framework:
+  - github_actions
+  - dockerfile
+
+# Skip checks that conflict with this repo's patterns.
+#
+# Repo-wide suppressions go here. For file-level suppressions, use inline
+# comments in the source file:
+#
+#   Dockerfile:
+#     # checkov:skip=CKV_DOCKER_2:healthcheck not needed for build-only image
+#     FROM python:3.12-slim
+#
+#   GitHub Actions YAML:
+#     # checkov:skip=CKV_GHA_7:buildspec-override requires user parameters
+#     - uses: aws-actions/aws-codebuild-run-build@v1
+#
+# Multiple skips on one line:
+#     # checkov:skip=CKV_DOCKER_2,CKV_DOCKER_3:reason for both
+skip-check:
+  # CKV_GHA_7: "The build output cannot be affected by user parameters other
+  # than the build entry point and the top-level source location"
+  # — conflicts with inline buildspec-override in codebuild.yml
+  - CKV_GHA_7

.github/labeler.yml

@@ -0,0 +1,16 @@
+# Auto-label configuration for actions/labeler
+# See https://github.com/actions/labeler#match-object for syntax
+
+rules:
+- changed-files:
+  - any-glob-to-any-file: 'aidlc-rules/**'
+
+documentation:
+- changed-files:
+  - all-globs-to-any-file:
+    - '**/*.md'
+    - '!aidlc-rules/**'
+
+github:
+- changed-files:
+  - any-glob-to-any-file: '.github/**'

.github/workflows/ci.yml

@@ -0,0 +1,26 @@
+name: CI
+
+on:
+  pull_request:
+    branches: [ "main" ]
+  push:
+    branches: [ "main" ]
+  workflow_dispatch:
+
+permissions: {}
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  markdownlint:
+    name: Markdown Lint
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1
+      - uses: DavidAnson/markdownlint-cli2-action@ce4853d43830c74c1753b39f3cf40f71c2031eb9 #v23.0.0
+        with:
+          globs: "**/*.md"