chore: add security gates and smoke tests

.github/CODEOWNERS

@@ -0,0 +1 @@
+* @jb-thery

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -0,0 +1,33 @@
+name: Bug report
+description: Report a reproducible Mimir bug
+title: "bug: "
+labels: ["bug"]
+body:
+  - type: textarea
+    id: summary
+    attributes:
+      label: Summary
+      description: What happened?
+    validations:
+      required: true
+  - type: textarea
+    id: reproduce
+    attributes:
+      label: Reproduction
+      description: Provide commands and minimal sample files. Do not include private documents or secrets.
+      render: bash
+    validations:
+      required: true
+  - type: input
+    id: version
+    attributes:
+      label: Mimir version
+      placeholder: "pnpm exec kb --version"
+    validations:
+      required: true
+  - type: textarea
+    id: expected
+    attributes:
+      label: Expected behavior
+    validations:
+      required: true

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,5 @@
+blank_issues_enabled: false
+contact_links:
+  - name: Security vulnerability
+    url: mailto:contact@jcode.works
+    about: Please report vulnerabilities privately by email.

.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,12 @@
+## Summary
+
+## Validation
+
+- [ ] `pnpm check`
+- [ ] `pnpm test`
+- [ ] `pnpm build`
+
+## Security
+
+- [ ] No secrets, private documents, `.env` files, or generated `.kb/storage` files are included.
+- [ ] Public documentation does not expose private project details.

.github/dependabot.yml

@@ -0,0 +1,38 @@
+version: 2
+updates:
+  - package-ecosystem: npm
+    directory: /
+    schedule:
+      interval: weekly
+      day: monday
+      time: "08:00"
+      timezone: Asia/Bangkok
+    assignees:
+      - jb-thery
+    labels:
+      - dependencies
+    open-pull-requests-limit: 5
+    commit-message:
+      prefix: chore
+      include: scope
+    groups:
+      npm-minor-and-patch:
+        update-types:
+          - minor
+          - patch
+
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: weekly
+      day: monday
+      time: "08:30"
+      timezone: Asia/Bangkok
+    assignees:
+      - jb-thery
+    labels:
+      - dependencies
+    open-pull-requests-limit: 5
+    commit-message:
+      prefix: chore
+      include: scope

.github/workflows/ci.yml

@@ -0,0 +1,83 @@
+name: CI
+
+on:
+  pull_request:
+    branches: [main]
+  push:
+    branches: [main]
+  merge_group:
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ci-${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  quality:
+    name: Quality gate
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Set up Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: 22
+
+      - name: Set up pnpm
+        run: |
+          corepack enable
+          corepack prepare pnpm@11.9.0 --activate
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Lint and format check
+        run: pnpm lint
+
+      - name: Typecheck
+        run: pnpm check
+
+      - name: Test
+        run: pnpm test
+
+      - name: Build
+        run: pnpm build
+
+      - name: Smoke test production CLI and MCP
+        run: pnpm smoke
+
+      - name: Verify generated dist is committed
+        run: git diff --exit-code -- dist
+
+      - name: Verify npm package metadata
+        run: pnpm package:check
+
+  commitlint:
+    name: Commitlint
+    if: github.event_name == 'pull_request'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+
+      - name: Set up Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: 22
+
+      - name: Set up pnpm
+        run: |
+          corepack enable
+          corepack prepare pnpm@11.9.0 --activate
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Lint commit messages
+        run: pnpm exec commitlint --from "${{ github.event.pull_request.base.sha }}" --to "${{ github.event.pull_request.head.sha }}" --verbose

.github/workflows/codeql.yml

@@ -0,0 +1,31 @@
+name: CodeQL
+
+on:
+  pull_request:
+  push:
+    branches: [main]
+  schedule:
+    - cron: "27 4 * * 1"
+
+permissions:
+  contents: read
+  security-events: write
+
+jobs:
+  analyze:
+    name: Analyze TypeScript
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v4
+        with:
+          languages: javascript-typescript
+
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v4
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v4

.github/workflows/npm-publish.yml

@@ -0,0 +1,79 @@
+name: Publish npm
+
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: "Version already committed in package.json"
+        required: true
+        type: string
+
+permissions:
+  actions: read
+  contents: read
+  id-token: write
+
+jobs:
+  publish:
+    name: Publish to npm
+    runs-on: ubuntu-latest
+    environment:
+      name: npm-publish
+      url: https://www.npmjs.com/package/@jcode.labs/mimir
+    steps:
+      - name: Verify main branch
+        run: test "${GITHUB_REF}" = "refs/heads/main"
+
+      - name: Verify CI passed for this commit
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          conclusion="$(gh run list --workflow ci.yml --branch main --commit "$GITHUB_SHA" --json conclusion --jq '.[0].conclusion')"
+          test "$conclusion" = "success"
+
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Set up Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: 22
+          registry-url: https://registry.npmjs.org
+
+      - name: Set up pnpm
+        run: |
+          corepack enable
+          corepack prepare pnpm@11.9.0 --activate
+
+      - name: Verify version input
+        run: |
+          test "$(node -p "require('./package.json').version")" = "${{ inputs.version }}"
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Lint and format check
+        run: pnpm lint
+
+      - name: Typecheck
+        run: pnpm check
+
+      - name: Test
+        run: pnpm test
+
+      - name: Build
+        run: pnpm build
+
+      - name: Smoke test production CLI and MCP
+        run: pnpm smoke
+
+      - name: Verify generated dist is committed
+        run: git diff --exit-code -- dist
+
+      - name: Verify npm package metadata
+        run: pnpm package:check
+
+      - name: Publish
+        run: npm publish --access public --provenance
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

AGENTS.md

@@ -1,18 +1,22 @@
-# JCode Mimir
+# Mimir
 
 ## Working Rules
 
 - Speak with the user in French.
 - Write code, identifiers, commit messages, filenames, and technical comments in English.
 - Keep this repository free of private user documents, scans, tax identifiers, API keys,
   environment files, or generated vector stores.
-- Keep public branding centered on `JCode Mimir`, JCode Labs, and Jean-Baptiste Thery.
+- Keep public branding centered on `Mimir`. Use JCode Labs and Jean-Baptiste Thery for
+  package scope, repository ownership, and copyright, not as the product name.
 - The package is open source under the MIT License unless the user explicitly changes it.
 - This package must stay reusable across repositories. Resolve project data from the
   caller's working directory or explicit config, not from the package installation path.
 - Use Context7 before changing dependencies or public APIs that rely on external libraries.
-- Run the smallest relevant validation before publishing changes: `pnpm check`,
-  `pnpm test`, and `pnpm build` when TypeScript code changes.
+- Run `pnpm validate` before opening a release pull request or publishing. It covers
+  Biome, TypeScript, Vitest, build output, production CLI/MCP smoke tests, and npm package
+  metadata.
+- Do not publish from a local machine or direct push to `main`. npm releases must go through
+  the protected manual `Publish npm` GitHub Actions workflow after `main` has green CI.
 
 ## Architecture
 
@@ -21,4 +25,6 @@
 - `src/ingest.ts` parses supported files, chunks text, embeds chunks, and rebuilds the
   local LanceDB table.
 - `src/query.ts` performs vector search and local Ollama answer synthesis.
+- `src/mcp.ts` exposes Mimir as an MCP stdio server for agents.
+- `skills/mimir/SKILL.md` is the bundled portable agent skill.
 - `.kb/storage/` and project `private/` folders are user data and must not be committed.

CONTRIBUTING.md

@@ -0,0 +1,28 @@
+# Contributing
+
+Mimir is an open-source project under the MIT License. Issues and pull requests are welcome.
+
+## Development
+
+Use Node.js 20+ and pnpm:
+
+```bash
+pnpm install
+pnpm validate
+```
+
+`pnpm validate` runs Biome, TypeScript, Vitest, the production CLI/MCP smoke test, and npm
+package metadata checks.
+
+## Pull Requests
+
+- Open pull requests against `main`.
+- Keep changes focused and include tests or smoke coverage for behavior changes.
+- Do not commit private documents, generated vector stores, environment files, tokens, or
+  credentials.
+- Use conventional commit messages such as `feat: add source parser` or
+  `fix: handle empty index`.
+
+## Security
+
+Do not report vulnerabilities through public issues. Follow [`SECURITY.md`](./SECURITY.md).

LICENSE

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2026 Jean-Baptiste Thery
+Copyright (c) 2026 Jean-Baptiste Thery and JCode Labs
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal