Bootstrap repo setup

.devcontainer/devcontainer-lock.json

@@ -0,0 +1,29 @@
+{
+  "features": {
+    "ghcr.io/devcontainers/features/common-utils:2": {
+      "version": "2.5.7",
+      "resolved": "ghcr.io/devcontainers/features/common-utils@sha256:dbf431d6b42d55cde50fa1df75c7f7c3999a90cde6d73f7a7071174b3c3d0cc4",
+      "integrity": "sha256:dbf431d6b42d55cde50fa1df75c7f7c3999a90cde6d73f7a7071174b3c3d0cc4"
+    },
+    "ghcr.io/devcontainers/features/git-lfs:1": {
+      "version": "1.2.5",
+      "resolved": "ghcr.io/devcontainers/features/git-lfs@sha256:71c2b371cf12ab7fcec47cf17369c6f59156100dad9abf9e4c593049d789de72",
+      "integrity": "sha256:71c2b371cf12ab7fcec47cf17369c6f59156100dad9abf9e4c593049d789de72"
+    },
+    "ghcr.io/devcontainers/features/node:1": {
+      "version": "1.7.1",
+      "resolved": "ghcr.io/devcontainers/features/node@sha256:8c0de46939b61958041700ee89e3493f3b2e4131a06dc46b4d9423427d06e5f6",
+      "integrity": "sha256:8c0de46939b61958041700ee89e3493f3b2e4131a06dc46b4d9423427d06e5f6"
+    },
+    "ghcr.io/devcontainers/features/powershell:1": {
+      "version": "1.5.1",
+      "resolved": "ghcr.io/devcontainers/features/powershell@sha256:df7baa89598c93bfd15808641d9ec9eb03e0ccdf52e5de4cbbce9ab2d9755d18",
+      "integrity": "sha256:df7baa89598c93bfd15808641d9ec9eb03e0ccdf52e5de4cbbce9ab2d9755d18"
+    },
+    "ghcr.io/devcontainers/features/python:1": {
+      "version": "1.8.0",
+      "resolved": "ghcr.io/devcontainers/features/python@sha256:fbcad6955caeecc5ad3f7886baf652e25cba5225a6c4c2287c536de2e5607511",
+      "integrity": "sha256:fbcad6955caeecc5ad3f7886baf652e25cba5225a6c4c2287c536de2e5607511"
+    }
+  }
+}

.devcontainer/post-create.sh

@@ -7,14 +7,26 @@ elif [ -f package.json ]; then
   npm install
 fi
 
-sudo npm install -g "@openai/codex@latest"
+# `sudo` resets PATH via secure_path, which drops the Node feature's bin
+# directory and causes `sudo npm` to fail with "command not found". Resolve
+# npm in the calling shell and invoke it through `sudo` while preserving PATH.
+# `-H` resets HOME so package postinstall scripts (notably @openai/codex) do
+# not write into the calling user's home directory as root.
+NPM_BIN="$(command -v npm)"
+sudo -H env "PATH=$PATH" "$NPM_BIN" install -g npm@latest
+sudo -H env "PATH=$PATH" "$NPM_BIN" install -g "@openai/codex@latest"
 
 python -m venv .venv
 . .venv/bin/activate
 python -m pip install --upgrade pip
-python -m pip install -e ".[dev]" pre-commit
+python -m pip install pre-commit
 pre-commit install
 
+# Reclaim ownership in case a prior run created ~/.codex as root before the
+# `sudo -H` fix above was in place.
+if [ -e "${HOME}/.codex" ] && [ ! -O "${HOME}/.codex" ]; then
+  sudo chown -R "$(id -u):$(id -g)" "${HOME}/.codex"
+fi
 mkdir -p "${HOME}/.codex"
 cat > "${HOME}/.codex/config.toml" <<'EOF'
 approval_policy = "never"

.gitattributes

@@ -1,86 +1,92 @@
-# ---------------------------------------------------------------------------
-# Byte-exact text artifact protection
-# ---------------------------------------------------------------------------
-# The rules below pin committed text fixtures to LF line endings so that
-# checkouts on Windows hosts with `core.autocrlf=true` do not silently
-# rewrite the on-disk bytes. Any test or tool that performs byte-exact
-# comparison (hash equality, signature verification, snapshot diffing)
-# depends on this stability.
-#
-# The directory-level rules below are broad on purpose: they catch text
-# fixtures regardless of extension (including ad-hoc names like `expected`
-# or `baseline`). Binary file types commonly stored alongside text
-# fixtures (images, archives, media, fonts, compiled artifacts) are
-# declassified further down with Git's built-in `binary` macro so
-# Git does not apply line-ending conversion to them. Later patterns win
-# per-attribute in `.gitattributes`, so the binary overrides take
-# precedence over the directory-wide `text eol=lf` pins.
-#
-# DO NOT DELETE these rules when customizing this template unless you are
-# certain no byte-exact comparison exists in your repository. See
-# .github/instructions/gitattributes.instructions.md for the normative rule
-# and guidance on adding project-specific entries (including how to
-# declassify additional binary types).
-# ---------------------------------------------------------------------------
-
-# Text fixtures: pin LF line endings on checkout.
-tests/**/golden/**            text eol=lf
-tests/**/goldens/**           text eol=lf
-tests/**/snapshots/**         text eol=lf
-tests/**/__snapshots__/**     text eol=lf
-tests/**/fixtures/**          text eol=lf
-testdata/**                   text eol=lf
-
-# Binary overrides: prevent the broad rules above (or any default
-# text-detection) from treating these common binary file types as text.
-# The `binary` macro expands to `-text -diff`.
-
-# Images
-*.png                         binary
-*.jpg                         binary
-*.jpeg                        binary
-*.gif                         binary
-*.webp                        binary
-*.bmp                         binary
-*.ico                         binary
-*.tif                         binary
-*.tiff                        binary
-
-# Documents and archives
-*.pdf                         binary
-*.zip                         binary
-*.tar                         binary
-*.gz                          binary
-*.tgz                         binary
-*.bz2                         binary
-*.xz                          binary
-*.7z                          binary
-*.rar                         binary
-
-# Compiled and packaged artifacts
-*.exe                         binary
-*.dll                         binary
-*.so                          binary
-*.dylib                       binary
-*.class                       binary
-*.jar                         binary
-*.wasm                        binary
-*.pyc                         binary
-
-# Audio and video
-*.mp3                         binary
-*.mp4                         binary
-*.mov                         binary
-*.wav                         binary
-*.ogg                         binary
-*.webm                        binary
-*.mkv                         binary
-*.avi                         binary
-*.flac                        binary
-
-# Fonts
-*.ttf                         binary
-*.otf                         binary
-*.woff                        binary
-*.woff2                       binary
-*.eot                         binary
+# ---------------------------------------------------------------------------
+# Byte-exact text artifact protection
+# ---------------------------------------------------------------------------
+# The rules below pin committed text fixtures to LF line endings so that
+# checkouts on Windows hosts with `core.autocrlf=true` do not silently
+# rewrite the on-disk bytes. Any test or tool that performs byte-exact
+# comparison (hash equality, signature verification, snapshot diffing)
+# depends on this stability.
+#
+# The directory-level rules below are broad on purpose: they catch text
+# fixtures regardless of extension (including ad-hoc names like `expected`
+# or `baseline`). Binary file types commonly stored alongside text
+# fixtures (images, archives, media, fonts, compiled artifacts) are
+# declassified further down with Git's built-in `binary` macro so
+# Git does not apply line-ending conversion to them. Later patterns win
+# per-attribute in `.gitattributes`, so the binary overrides take
+# precedence over the directory-wide `text eol=lf` pins.
+#
+# DO NOT DELETE these rules when customizing this template unless you are
+# certain no byte-exact comparison exists in your repository. See
+# .github/instructions/gitattributes.instructions.md for the normative rule
+# and guidance on adding project-specific entries (including how to
+# declassify additional binary types).
+# ---------------------------------------------------------------------------
+
+# Text fixtures: pin LF line endings on checkout.
+tests/**/golden/**            text eol=lf
+tests/**/goldens/**           text eol=lf
+tests/**/snapshots/**         text eol=lf
+tests/**/__snapshots__/**     text eol=lf
+tests/**/fixtures/**          text eol=lf
+testdata/**                   text eol=lf
+
+# Shell scripts must use LF: CRLF breaks shebang resolution and option
+# parsing (e.g. `set -euo pipefail\r` is rejected by bash) when the script
+# is checked out on Windows with `core.autocrlf=true` and then executed
+# inside a Linux container, such as the devcontainer post-create hook.
+*.sh                          text eol=lf
+
+# Binary overrides: prevent the broad rules above (or any default
+# text-detection) from treating these common binary file types as text.
+# The `binary` macro expands to `-text -diff`.
+
+# Images
+*.png                         binary
+*.jpg                         binary
+*.jpeg                        binary
+*.gif                         binary
+*.webp                        binary
+*.bmp                         binary
+*.ico                         binary
+*.tif                         binary
+*.tiff                        binary
+
+# Documents and archives
+*.pdf                         binary
+*.zip                         binary
+*.tar                         binary
+*.gz                          binary
+*.tgz                         binary
+*.bz2                         binary
+*.xz                          binary
+*.7z                          binary
+*.rar                         binary
+
+# Compiled and packaged artifacts
+*.exe                         binary
+*.dll                         binary
+*.so                          binary
+*.dylib                       binary
+*.class                       binary
+*.jar                         binary
+*.wasm                        binary
+*.pyc                         binary
+
+# Audio and video
+*.mp3                         binary
+*.mp4                         binary
+*.mov                         binary
+*.wav                         binary
+*.ogg                         binary
+*.webm                        binary
+*.mkv                         binary
+*.avi                         binary
+*.flac                        binary
+
+# Fonts
+*.ttf                         binary
+*.otf                         binary
+*.woff                        binary
+*.woff2                       binary
+*.eot                         binary

.github/CODEOWNERS

@@ -1,22 +1,17 @@
 # CODEOWNERS file - Defines code ownership for pull request reviews
 #
-# TEMPLATE NOTE: Replace @OWNER with your GitHub username or team.
+# Phase 0 bootstrap note: Frank Lesniak is the launch code owner.
 # See: https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners
 #
-# EXPECTED WARNINGS: GitHub will show "Unknown owner" errors for @OWNER in
-# the template repository. This is expected and intentional - the placeholder
-# must be replaced after cloning. The check-placeholders.yml workflow enforces
-# this replacement.
-#
 # After customizing, this file ensures the right people are automatically
 # requested to review pull requests.
 
 # Default owners for everything in the repo
-* @OWNER
+* @franklesniak
 
 # Workflow files require maintainer review
-.github/workflows/ @OWNER
+.github/workflows/ @franklesniak
 
 # Copilot instructions require maintainer review
-.github/copilot-instructions.md @OWNER
-.github/instructions/ @OWNER
+.github/copilot-instructions.md @franklesniak
+.github/instructions/ @franklesniak