chore: cleanup gitignored files and group project subfolders under src

.github/.gitignore

@@ -1,7 +1,10 @@
-# Allow yml templates
-!**/*_TEMPLATE.yml
-!**/*_TEMPLATE.yaml
-!**/*_TEMPLATE.md
+## Allow workflows
+!workflows/
+!workflows/*.yaml
 
-# Allow workflows
-!workflows/*.yml
+## Allow renovate config
+!renovate.config.js
+!renovate.json
+
+## Allow github config files
+!CODEOWNERS

.github/CODEOWNERS

@@ -0,0 +1 @@
+@pfouilloux

.github/renovate.config.js

@@ -0,0 +1,42 @@
+module.exports = {
+  branchPrefix: "renovate-bot/",
+  username: "hibiscus-collective-renovate",
+  gitAuthor: "Renovate Bot <[email protected]>",
+  onboarding: false,
+  requireConfig: "optional",
+  platform: "github",
+  forkProcessing: "enabled",
+  repositories: ["HibiscusCollective/project-template"],
+  packageRules: [
+    {
+      description: "lockFileMaintenance",
+      matchUpdateTypes: [
+        "pin",
+        "digest",
+        "patch",
+        "minor",
+        "major",
+        "lockFileMaintenance",
+      ],
+      dependencyDashboardApproval: false,
+      minimumReleaseAge: "7 days",
+    },
+    {
+      matchUpdateTypes: [
+        "minor",
+        "patch",
+        "pin",
+        "pinDigest",
+        "digest",
+        "lockFileMaintenance",
+      ],
+      groupName: "minor-updates",
+      minimumReleaseAge: "7 days",
+    },
+    {
+      matchUpdateTypes: ["major"],
+      labels: ["Major Release"],
+      minimumReleaseAge: "7 days",
+    },
+  ],
+};

.github/renovate.json

@@ -0,0 +1,4 @@
+{
+    "extends": ["config:best-practices", ":disableDependencyDashboard"]
+}
+

.github/workflows/renovate.yaml

@@ -0,0 +1,27 @@
+name: Renovate Dependency Updates
+on:
+  schedule:
+    - cron: "0 6 * * 1,3,5" # 14:00 AWST on Mondays, Wednesdays, Fridays
+  workflow_dispatch: # Allow manual triggering
+
+jobs:
+  renovate:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Get token
+        id: get_token
+        uses: actions/create-github-app-token@0d564482f06ca65fa9e77e2510873638c82206f2
+        with:
+          app-id: ${{ secrets.RENOVATE_APP_ID }}
+          private-key: ${{ secrets.RENOVATE_PRIVATE_KEY }}
+
+      - name: Checkout repository
+        uses: actions/checkout@85e6279cec87321a52edac9c87bce653a07cf6c2
+
+      - name: Run Renovate
+        uses: renovatebot/github-action@35e307a0597c5bef8476daffc1e1000107c49a14
+        with:
+          configurationFile: .github/renovate.config.js
+          token: ${{ steps.get_token.outputs.token }}
+        env:
+          RENOVATE_PLATFORM_COMMIT: true

.github/workflows/scorecard.yaml

@@ -0,0 +1,45 @@
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: Scorecard supply-chain security
+on:
+  schedule:
+    - cron: "0 9 * * 1,3,5"
+  push:
+    branches: ["main"]
+
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      id-token: write
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@85e6279cec87321a52edac9c87bce653a07cf6c2
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@ae7548a0ff1b94dda3a89eeda8f59c031874f035
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          publish_results: true
+
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@1c15a48f3fb49ce535e9ee4e57e127315f669361
+        with:
+          sarif_file: results.sarif

.gitignore

@@ -1,58 +1,61 @@
-# Deny all
+## Ignore all by default
 *
 
-# Allowed
+## Allow project modules
+!src
+!src/cli
+!src/lib
+!src/os
+!src/ui
 
-## Subfolders
+## Allow config
 !.github/
-!.mise/
-!docs/
-!branding/
+!.vscode/
 
-## Git
 !.gitignore
 !.gitattributes
 
-## Workspace config
-!mise.toml
-!lefthook.yml
-!renovate.json
+!.windsurfrules
+!.editorconfig
 
-## Linter configs
-### Commits
 !.czrc
 !commitlint.config.mjs
 
-### Markdown
 !.markdownlint.yaml
 !.markdownlint-cli2.yaml
 !.markdown-link-check.json
 
-### Rust
 !.clippy.toml
 !.rustfmt.toml
 
-## Documentation
-!README.md
-!CONTRIBUTING.md
+!.cspell.json
+
+## Allow package management
+!mise.toml
+!Cargo.toml
+!Cargo.lock
+
+## Allow documentation
+!docs/
+!docs/**/
+!docs/**/*.md
+
+!licenses/
+!licenses/*.txt
+!licenses/*.md
+
 !LICENSE
-!SECURITY
+!README.md
 !PRIVACY
 
-## Branding
+## Allow branding and icons
+!branding/
 !branding/*.svg
 !branding/*.png
 
-## Rust
-!Cargo.toml
-!Cargo.lock
-
-## Docker
-!Dockerfile
-
-## AI Config
-!.windsurfrules
+!icons/
+!icons/*.svg
+!icons/*.png
+!icons/*.ico
+!icons/*.icns
 
-# Explicitly ignored local files
-.history
-node_modules