chore(ai): migrate .ai/ AICaC context to the v2.0 schema

[eFAILution]

Description

Completes the AICaC v1.x → v2.0 migration. aicac-adoption@0.6.0 stages this migration on every default-branch run but can't open the PR itself (GitHub Actions isn't permitted to create PRs in this repo), so this is the hand-finished, schema-clean version of that work.

Changes Made

• Migrated .ai/ AICaC context to the v2.0 schema
• Updated documentation (the .ai/ context is the docs)

Details

The auto-migrator did the bulk list→dict conversion; this PR fixes the schema violations it flagged for manual cleanup (and re-validates the whole set):

• decisions.yaml / errors.yaml — list → dict keyed by id. Plus: ADR date values coerced to strings, string rationale → arrays, flat consequences lists → {positive: [...]}.
• context.yaml — entrypoints flattened to a string→string map (v2 requires it); project.type → cli (was the non-enum security-pipeline); added required project.description.
• workflows.yaml — merged user_workflows/contributor_workflows into the required workflows: key; string steps → {action: …}; sdk_command → the canonical command.
• architecture.yaml — data_flow reshaped to the v2 object-of-arrays form (lossless — prose values wrapped as single-item arrays).
• index.yaml — added by the migrator.

Testing

• Manual testing performed

Test Results

Validated every file against the AICaC spec/v2/*.schema.json (jsonschema):

✅ context.yaml   ✅ architecture.yaml   ✅ workflows.yaml
✅ decisions.yaml ✅ errors.yaml         ✅ index.yaml
TOTAL_ERRORS=0

Content integrity verified (nothing dropped): components 9, decisions 29 (ADR-001…029), errors 16, workflows 21. This PR's own "AICaC Adoption" check (pull_request, maintain mode) should pass now that .ai/ is valid v2.

Security Considerations

• No security impact — documentation/context only.

AI Context Updates (.ai/)

• This PR is the .ai/ update (v2 schema migration).

Reviewer notes

• The re-dump reformats YAML (large diff) but content is preserved — review the rendered values, not byte-diffs.
• 7 older ADRs stored consequences as uncategorized flat lists; I defaulted them to positive. Re-split any you consider negative.

Checklist

• Code follows project style guidelines
• All tests pass (v2 schema validation clean)
• Reviewed by at least one maintainer
• Reviewed CONTRIBUTING.md guidelines

Related Issues

Supersedes #225 — once this merges, .ai/ is v2 and the AICaC Adoption workflow stops attempting the migration, so disabling auto-migrate is no longer needed. (The aicac/** ruleset bypass and the "Allow Actions to create PRs" setting are then moot for this purpose too.)

[github-actions]

🚀 Release Preview

📦 Version Update

Current: 1.2.1 → New: 1.3.0

📋 Changelog

1.3.0 (2026-06-02)

Features

• lint-shell: add shellcheck linter (closes #191) (#206) (ca60c2b)
• scanner-gosec: add gosec Go SAST scanner (#207) (17d6f2d), closes #189
• scanner-kics: add KICS IaC scanner (closes #188) (#205) (0d021a0)
• scanner-promptfoo: add promptfoo LLM-security scanner (#208) (4185c38), closes #89
• validate: add --deep flag for live config validation (#204) (a23e07e), closes 186/#187 #198

Bug Fixes

• actions: v1.2.x reusable-workflow regressions — install argus + invalid needs context (#211, #212) (#214) (09d1771)
• container: make smoke fixture world-readable for non-root scanner containers (#210) (2b57be6)

Security Tools

• deps: Update dependency opengrep to v1.22.0 (#216) (5da035c)

Dependencies

• deps: bump node (#221) (9cbe4ed)
• deps: Update github-actions-major (#223) (9cab1dd)
• deps: Update github-actions-minor-patch (#222) (0c2fed7)
• deps: Update hashicorp/terraform Docker tag to v1.15.4 (#215) (171fa0e)

Maintenance

• ai: migrate .ai/ AICaC context to the v2.0 schema (c76bd86), closes #225

Tests

• container: registry-parametrized container-invocation smoke harness + PR gate (#209) (4a8a9e3)

Continuous Integration

• add Python 3.14 to the test/publish matrix and trove classifiers (#224) (9085cd6), closes #222
• deps: move github-actions updates from Dependabot to Renovate (#220) (1d34ef9), closes #196 #11645 #13691 #196
• release: make the publishing release manual-only (workflow_dispatch) (#219) (63b875e)
• remove obsolete update-pinned-tools workflow + unblock Dependabot github-actions (#217, #196) (#218) (c295dc4), closes #216

🔍 Version Reference Coverage

✅ Version refs found: 349 across 115 files

All covered by release-it config.

✅ Actions that would be performed

• 📝 Update CHANGELOG.md with new entries
• 🏷️ Create git tag 1.3.0
• 📤 Push changes and tag to repository
• 📦 Create GitHub release

---

This preview is generated by running release-it --dry-run

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!