feat: Phase 0+1 — Infrastructure, GHAS, GitHub Flow + SDK features

* ci: add CodeQL scanning workflow and secret scanning setup script

- Create .github/workflows/codeql.yml (JS/TS analysis, weekly + PR triggers)
- Create scripts/setup-security.sh for enabling secret scanning + push protection
- Update SECURITY.md with secret scanning documentation

Closes #78
Closes #79

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* ci: add branch protection script and release-please workflow

- Create scripts/setup-branch-protection.sh (gh api, requires admin)
- Create .github/workflows/release.yml (release-please for semver + changelog)
- Create release-please-config.json and .release-please-manifest.json

Closes #75
Closes #80

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* ci: enhance CI with Playwright E2E, conventional commit check, caching

- Add e2e job with Playwright desktop tests and artifact upload on failure
- Add commit-lint job checking PR title against conventional commits pattern
- Add concurrency group to cancel redundant runs
- Add npm cache via setup-node

Closes #70

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* docs: enhance PR template, YAML issue forms, and CODEOWNERS

- Upgrade PR template with GitHub Flow + security checklist
- Convert issue templates from Markdown to YAML forms
- Add SDK feature issue template
- Add security advisory contact link
- Create CODEOWNERS with path-based ownership

Closes #73
Closes #74
Closes #77

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* ci: add PR auto-labeler and stale issues/PR management

- Create labeler config with 10 path-based labels (backend, frontend, sdk, etc.)
- Create labeler.yml workflow using actions/labeler@v5
- Create stale.yml workflow (30-day stale, 7-day close, exempt security/killer-feature)

Closes #71
Closes #72

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* docs: add Copilot prompt files and rewrite copilot-instructions.md

- Create 4 prompt files: generate-test, review-security, add-feature, fix-bug
- Rewrite copilot-instructions.md with accurate counts (20 components, 78 message types)
- Add skills system, testing sections, updated project structure

Closes #76

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* feat: adopt awesome-copilot skills, agents, instructions, and workflows

Skills added (4): github-issues, doublecheck, copilot-spaces, automate-this
Agents added (6): 4.1-Beast, critical-thinking, implementation-plan, refine-issue, polyglot-test-generator, adr-generator
Instructions added (2): code-review-generic, performance-optimization
Workflows added (2): codespell, check-pr-target

Closes #86
Closes #87
Closes #88
Closes #69

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* feat: add SDK SessionHooks support (#49)

Wire all six SDK session hooks (onPreToolUse, onPostToolUse,
onSessionStart, onSessionEnd, onErrorOccurred) to forward events
over WebSocket as new message types.

Changes:
- Add HookPreToolMessage, HookPostToolMessage, HookSessionStartMessage,
  HookSessionEndMessage, HookErrorMessage types to ServerMessage union
- Add HookEventCallback type and buildSessionHooks() factory to session.ts
- Add onHookEvent option to CreateSessionOptions
- Wire hooks in both session creation paths in handler.ts
- Add 7 unit tests covering all hook types and wiring

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: validate attachment paths to prevent arbitrary file reads (#52)

- Add isValidAttachmentPath() to ensure attachment paths are inside the
  upload directory (tmpdir/copilot-uploads/), preventing malicious
  WebSocket clients from reading arbitrary server files via the SDK
- Log rejected paths via security logger at warn level
- Add unit tests for path validation (8 tests covering traversal,
  relative paths, prefix spoofing, etc.)
- Add image-specific upload tests verifying all 5 image types (jpg,
  jpeg, png, gif, webp) are accepted with correct MIME types
- Add test verifying upload returns absolute server-side paths

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: complete MCP server integration (#51)

- Extract parseMcpServers() helper with defense-in-depth enabled filtering
- Pass MCP servers (GitHub + user) on resume_session (SDK + fallback)
- Update ResumeSessionMessage type to include mcpServers
- Client sends enabled MCP servers when resuming sessions
- Add unit tests for MCP parser (9 tests) and session config (3 tests)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: add path traversal protection to session persistence (#55)

- Add isValidSessionId() UUID validation for getSessionDetail/buildSessionContext
- Reset isProcessing flag on resume to prevent stale state
- Add 4 unit tests for UUID validation and path traversal rejection

Closes #55

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: devartifex

.codespellrc

@@ -0,0 +1,3 @@
+[codespell]
+skip = node_modules,build,dist,coverage,playwright-report,package-lock.json,.svelte-kit,bundled-sessions,bundled-session-store.db
+ignore-words-list = crate,ot

.github/CODEOWNERS

@@ -0,0 +1,30 @@
+# Default owner for all files
+* @devartifex
+
+# Backend / SDK integration
+/src/lib/server/ @devartifex
+/server.js @devartifex
+
+# Frontend components & stores
+/src/lib/components/ @devartifex
+/src/lib/stores/ @devartifex
+
+# Infrastructure & deployment
+/Dockerfile @devartifex
+/docker-compose.yml @devartifex
+/infra/ @devartifex
+
+# CI/CD & GitHub config
+/.github/workflows/ @devartifex
+/.github/agents/ @devartifex
+/.github/instructions/ @devartifex
+
+# Documentation
+/docs/ @devartifex
+
+# Tests
+/tests/ @devartifex
+/playwright.config.ts @devartifex
+
+# Skills
+/skills/ @devartifex

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,64 @@
+name: 🐛 Bug Report
+description: Report a bug or unexpected behavior
+labels: ["bug"]
+body:
+  - type: markdown
+    attributes:
+      value: "Thanks for reporting a bug! Please fill out the form below."
+  - type: textarea
+    id: description
+    attributes:
+      label: Describe the bug
+      description: A clear description of what the bug is.
+    validations:
+      required: true
+  - type: textarea
+    id: steps
+    attributes:
+      label: Steps to reproduce
+      description: Steps to reproduce the behavior.
+      placeholder: |
+        1. Go to '...'
+        2. Click on '...'
+        3. See error
+    validations:
+      required: true
+  - type: textarea
+    id: expected
+    attributes:
+      label: Expected behavior
+      description: What you expected to happen.
+    validations:
+      required: true
+  - type: textarea
+    id: screenshots
+    attributes:
+      label: Screenshots / Recordings
+      description: If applicable, add screenshots or screen recordings.
+  - type: dropdown
+    id: browser
+    attributes:
+      label: Browser
+      options:
+        - Chrome
+        - Firefox
+        - Safari
+        - Edge
+        - Other
+    validations:
+      required: true
+  - type: dropdown
+    id: device
+    attributes:
+      label: Device
+      options:
+        - Desktop
+        - Tablet
+        - Phone
+    validations:
+      required: true
+  - type: input
+    id: deployment
+    attributes:
+      label: Deployment type
+      placeholder: "Docker, Azure, Local dev"

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -1 +1,5 @@
 blank_issues_enabled: true
+contact_links:
+  - name: 🔒 Security Vulnerability
+    url: https://github.com/devartifex/copilot-unleashed/security/advisories/new
+    about: Report security vulnerabilities privately

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,42 @@
+name: ✨ Feature Request
+description: Suggest a new feature or improvement
+labels: ["enhancement"]
+body:
+  - type: markdown
+    attributes:
+      value: "Thanks for suggesting a feature!"
+  - type: textarea
+    id: problem
+    attributes:
+      label: Is your feature request related to a problem?
+      description: A clear description of the problem.
+  - type: textarea
+    id: solution
+    attributes:
+      label: Describe the solution you'd like
+      description: What you want to happen.
+    validations:
+      required: true
+  - type: textarea
+    id: alternatives
+    attributes:
+      label: Alternatives considered
+      description: Any alternative solutions or features you've considered.
+  - type: dropdown
+    id: area
+    attributes:
+      label: Area
+      options:
+        - UI/UX
+        - Backend/SDK
+        - CI/CD
+        - Security
+        - Documentation
+        - Other
+    validations:
+      required: true
+  - type: textarea
+    id: context
+    attributes:
+      label: Additional context
+      description: Any other context or screenshots.

.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,41 @@
+name: 🔌 SDK Feature
+description: Track a Copilot SDK feature implementation or verification
+labels: ["enhancement"]
+body:
+  - type: markdown
+    attributes:
+      value: "Track implementation/verification of a @github/copilot-sdk feature."
+  - type: input
+    id: sdk_feature
+    attributes:
+      label: SDK Feature Name
+      placeholder: "e.g., Hooks, MCP Servers, Image Input"
+    validations:
+      required: true
+  - type: input
+    id: sdk_doc
+    attributes:
+      label: SDK Documentation Link
+      placeholder: "https://github.com/github/copilot-sdk/blob/main/docs/features/..."
+  - type: dropdown
+    id: status
+    attributes:
+      label: Current Implementation Status
+      options:
+        - Not implemented
+        - Partially implemented
+        - Implemented but needs verification
+    validations:
+      required: true
+  - type: textarea
+    id: tasks
+    attributes:
+      label: Implementation Tasks
+      description: What needs to be done to complete this feature.
+    validations:
+      required: true
+  - type: textarea
+    id: affected_files
+    attributes:
+      label: Affected Files
+      description: Which files need to be created or modified.