Clarethium · dependabot · May 5, 2026 · May 5, 2026 · May 5, 2026 · May 5, 2026
diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -0,0 +1,46 @@
+---
+name: Bug report
+about: Something cma-mcp does that does not match the documented behavior
+title: '[bug] '
+labels: bug
+---
+
+## Expected behavior
+
+<!-- What you expected to happen, with reference to README, docs/MCP_SERVER.md, or a specific tool/resource description. -->
+
+## Actual behavior
+
+<!-- What happened instead. Quote any error message verbatim. -->
+
+## Reproduction
+
+<!-- Minimum steps to reproduce. Specific MCP client and version helps. -->
+
+## Install fingerprint
+
+```
+$ cma-mcp --version
+<paste output here>
+```
+
+## bash cma version
+
+```
+$ cma --version
+<paste output here, or note "cma not installed">
+```
+
+## Environment
+
+- OS:
+- Python version:
+- MCP client (Claude Desktop / Cursor / Cline / etc.) and version:
+
+## Logs
+
+<!--
+cma-mcp logs to stderr. If your MCP client surfaces server stderr,
+paste the relevant lines here. If not, run with `CMA_MCP_LOG_LEVEL=DEBUG`
+and capture stderr separately.
+-->
diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml
@@ -0,0 +1,11 @@
+blank_issues_enabled: false
+contact_links:
+  - name: Security issue
+    url: mailto:lovro.lucic@gmail.com?subject=%5Bcma-mcp%20security%5D
+    about: Email security issues directly per SECURITY.md. Do NOT open public issues for vulnerabilities.
+  - name: bash cma issue (the wrapped binary)
+    url: https://github.com/Clarethium/cma/issues
+    about: Issues with cma's seven primitives, hooks, or shell wrappers belong in the cma repo, not here.
+  - name: Lodestone methodology question
+    url: https://github.com/Clarethium/lodestone/issues
+    about: Methodology canon questions (FM catalog, surface protocols, compound practice) live with Lodestone, not cma-mcp.
diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md
@@ -0,0 +1,45 @@
+---
+name: Feature request
+about: A capability cma-mcp could expose
+title: '[feature] '
+labels: enhancement
+---
+
+## What you want cma-mcp to do
+
+<!-- The capability, named in operator-facing terms. -->
+
+## Why it matters
+
+<!--
+What does this enable that's not currently possible?
+- Is the capability already available in bash cma but not exposed
+  through cma-mcp? (Most likely answer: yes; cma-mcp is a thin
+  wrapper.)
+- Is the capability NOT in bash cma either? (If so, this is a cma
+  feature request, not a cma-mcp one. Open at
+  https://github.com/Clarethium/cma/issues instead.)
+-->
+
+## Proposed shape
+
+<!--
+Tool / resource name, parameters, returned payload shape. Mirror
+existing cma-mcp patterns where possible (three-section payload,
+snake_case fields, optional surface label).
+-->
+
+## STRATEGY check
+
+<!--
+Does this change touch a STRATEGY.md §6 durable decision? If yes,
+note which one. If no, write "none".
+-->
+
+## Companion impact
+
+<!--
+Does this require a parallel change in cma (the bash binary), in
+docs/MCP_SERVER.md, or in any other Clarethium companion? If yes,
+name what.
+-->
diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md
@@ -0,0 +1,50 @@
+<!--
+Thanks for contributing to cma-mcp. Read CONTRIBUTING.md and
+GOVERNANCE.md before opening a substantial change. Especially:
+
+- Sign every commit with DCO: `git commit -s`
+- Run pytest before pushing: `python3 -m pytest -q`
+- Check whether your change touches a STRATEGY.md durable decision;
+  if so, the PR description must include the overturn rationale.
+-->
+
+## Summary
+
+<!-- One short paragraph: what changed, why. -->
+
+## Type
+
+<!-- Check one. -->
+
+- [ ] Bug fix (no schema change)
+- [ ] New tool, resource, or schema field (additive; minor SERVER_VERSION bump)
+- [ ] Schema-breaking change (major SERVER_VERSION bump; STRATEGY review required)
+- [ ] Documentation only
+- [ ] Test addition / refactor
+- [ ] Architectural decision (DECISIONS.md entry added)
+- [ ] Durable decision change (STRATEGY.md §6; rationale below)
+
+## Reviewer checklist
+
+- [ ] DCO sign-off on every commit (`git log` shows `Signed-off-by:` trailer)
+- [ ] `python3 -m pytest -q` passes locally
+- [ ] If surface changed: `mcp_schema.py`, `mcp_server.py`, the relevant test, and `docs/MCP_SERVER.md` all updated together
+- [ ] If payload shape changed: `tests/test_payload_determinism.py` updated
+- [ ] If runtime behavior changed: `CHANGELOG.md` `[Unreleased]` updated
+- [ ] No new runtime dependency added (cma-mcp's runtime stays stdlib-only unless STRATEGY says otherwise)
+
+## Companion-link impact
+
+<!--
+Does this change affect references to cma, Lodestone, Touchstone,
+or frame-check-mcp? If yes, name what coordinates with each
+companion repo. If no, write "none".
+-->
+
+## STRATEGY / DECISIONS
+
+<!--
+If this PR adds a DECISIONS.md entry, paste the AD-NNN block here.
+If this PR changes a STRATEGY.md durable decision, paste the
+overturn rationale here.
+-->
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,55 @@
+# Dependabot configuration for the cma project.
+#
+# Two ecosystems are tracked:
+#
+# - GitHub Actions (workflow YAML): floating action versions
+#   (`actions/checkout@v4`, `actions/setup-python@v5`, etc.) get
+#   weekly major/minor PRs so security advisories land without
+#   manual chasing.
+# - Python (cma-mcp): runtime deps are intentionally empty
+#   (DECISIONS AD-001) so the dev-deps block (`pytest`,
+#   `pytest-timeout`, `pytest-cov`) is the only watched surface.
+#   Scoped to `cma-mcp/pyproject.toml` per the AD-008 monorepo
+#   layout.
+#
+# bash cma has no package dependencies (Python stdlib only for JSON
+# escape) so it does not need a Dependabot ecosystem.
+
+version: 2
+updates:
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: weekly
+      day: monday
+    open-pull-requests-limit: 5
+    commit-message:
+      prefix: "ci"
+      include: scope
+    labels:
+      - dependencies
+      - github-actions
+    reviewers:
+      - llucic
+
+  - package-ecosystem: pip
+    directory: /cma-mcp
+    schedule:
+      interval: weekly
+      day: monday
+    open-pull-requests-limit: 5
+    commit-message:
+      prefix: "deps(cma-mcp)"
+      include: scope
+    labels:
+      - dependencies
+      - cma-mcp
+    reviewers:
+      - llucic
+    # Only test-time dependencies exist; group their updates so a
+    # pytest minor bump and a pytest-cov minor bump arrive as one
+    # PR rather than two.
+    groups:
+      test-deps:
+        patterns:
+          - "pytest*"
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -0,0 +1,32 @@
+name: codeql
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    # Weekly CodeQL re-scan on Mondays so a vulnerability landing
+    # in a transitive dependency surfaces even when the repo is idle.
+    - cron: "17 6 * * 1"
+
+permissions:
+  contents: read
+  security-events: write
+  actions: read
+
+jobs:
+  analyze:
+    name: CodeQL (python)
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: python
+          queries: security-and-quality
+      - name: Perform CodeQL analysis
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: "/language:python"
diff --git a/.github/workflows/dco-check.yml b/.github/workflows/dco-check.yml
@@ -0,0 +1,41 @@
+name: dco-check
+
+# Enforce Developer Certificate of Origin sign-off on every commit
+# in a pull request. Per CONTRIBUTING.md: contributors must sign off
+# every commit with `git commit -s`, certifying the contribution
+# under https://developercertificate.org/.
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened]
+
+permissions:
+  contents: read
+  pull-requests: read
+
+jobs:
+  dco:
+    name: Verify DCO sign-off
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Check Signed-off-by trailer on every PR commit
+        run: |
+          base="${{ github.event.pull_request.base.sha }}"
+          head="${{ github.event.pull_request.head.sha }}"
+          missing=0
+          for commit in $(git rev-list "$base..$head"); do
+            if ! git log -1 --format='%B' "$commit" | grep -qE '^Signed-off-by: .+ <.+@.+>$'; then
+              echo "::error::Commit $commit missing Signed-off-by trailer (DCO)"
+              missing=$((missing + 1))
+            fi
+          done
+          if [ "$missing" -gt 0 ]; then
+            echo ""
+            echo "Add the trailer with: git commit -s --amend (or rebase + sign-off-by-each-commit)"
+            echo "Background: https://developercertificate.org/"
+            exit 1
+          fi
+          echo "All commits carry Signed-off-by."