Initial generalized template scaffold

Author: tinmanworks

.editorconfig

@@ -0,0 +1,21 @@
+root = true
+
+[*]
+end_of_line = lf
+insert_final_newline = true
+charset = utf-8
+indent_style = space
+indent_size = 2
+trim_trailing_whitespace = true
+
+[*.md]
+trim_trailing_whitespace = false
+
+[*.{c,cc,cpp,h,hpp}]
+indent_size = 2
+
+[*.py]
+indent_size = 4
+
+[*.{yml,yaml}]
+indent_size = 2

.env.example

@@ -0,0 +1,3 @@
+NEXT_PUBLIC_APP_NAME=Modular Web App
+FEATURE_FLAG_EXAMPLE=true
+NEXT_PUBLIC_API_BASE_URL=http://localhost:4000

.eslintrc.json

@@ -0,0 +1,3 @@
+{
+  "extends": ["next/core-web-vitals", "next/typescript"]
+}

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,34 @@
+---
+about: Report something not working correctly
+labels: bug
+name: Bug report
+title: \[BUG\]
+---
+
+## Description
+
+Clear description of the problem.
+
+## Steps To Reproduce
+
+1.  
+2.  
+3.  
+
+## Expected Behavior
+
+What should have happened.
+
+## Actual Behavior
+
+What actually happened.
+
+## Environment
+
+-   OS:
+-   Version:
+-   Runtime/Compiler (if relevant):
+
+## Additional Context
+
+Anything else that helps diagnose.

.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,26 @@
+---
+about: Suggest an improvement or new capability
+labels: enhancement
+name: Feature request
+title: \[FEATURE\]
+---
+
+## Problem
+
+What problem does this solve?
+
+## Proposed Solution
+
+Describe the solution you'd like.
+
+## Alternatives Considered
+
+Other approaches you've considered.
+
+## Impact
+
+Who benefits and how?
+
+## Additional Context
+
+Anything else relevant.

.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,23 @@
+## Summary
+
+Describe what changed.
+
+## Motivation
+
+Why is this change needed?
+
+## Changes
+
+-   Item 1
+-   Item 2
+
+## Testing
+
+Describe how this was tested.
+
+## Checklist
+
+-   [ ] Code builds
+-   [ ] Tests pass (if applicable)
+-   [ ] Documentation updated (if needed)
+-   [ ] No unrelated changes included

.github/workflows/ci-base.yml

@@ -0,0 +1,34 @@
+name: CI (Template Base)
+
+on:
+  push:
+  pull_request:
+  workflow_dispatch:
+  schedule:
+    - cron: "0 3 * * 1"
+
+jobs:
+  core-validation:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install ripgrep
+        run: sudo apt-get update && sudo apt-get install -y ripgrep
+
+      - name: Run core template validation
+        run: bash tools/validate-template.sh core
+
+  advisory-validation:
+    runs-on: ubuntu-latest
+    continue-on-error: true
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install ripgrep
+        run: sudo apt-get update && sudo apt-get install -y ripgrep
+
+      - name: Run advisory template validation
+        run: bash tools/validate-template.sh advisory

.github/workflows/ci-pr-title.yml

@@ -0,0 +1,22 @@
+name: CI (PR Title)
+
+on:
+  pull_request_target:
+    types: [opened, edited, synchronize, reopened]
+
+jobs:
+  pr-title:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Validate PR title
+        env:
+          PR_TITLE: ${{ github.event.pull_request.title }}
+        run: |
+          set -euo pipefail
+          regex='^(feat|fix|docs|chore|refactor|test|ci|build|perf|revert)(\([a-z0-9._/-]+\))?!?: .+$'
+          if [[ ! "$PR_TITLE" =~ $regex ]]; then
+            echo "Invalid PR title: $PR_TITLE"
+            echo "Expected format: <type>(<scope>): <summary>"
+            echo "Allowed types: feat|fix|docs|chore|refactor|test|ci|build|perf|revert"
+            exit 1
+          fi

.github/workflows/release-tag.yml

@@ -0,0 +1,147 @@
+name: Release (Tag)
+
+on:
+  push:
+    tags:
+      - "v*"
+
+permissions:
+  contents: write
+
+jobs:
+  release-guard:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Release guard checks
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          REPO_NAME: ${{ github.event.repository.name }}
+          REPO_FULL: ${{ github.repository }}
+          TAG_NAME: ${{ github.ref_name }}
+        run: |
+          set -euo pipefail
+
+          fail() {
+            echo "::error::$1"
+            exit 1
+          }
+
+          warn() {
+            echo "::warning::$1"
+          }
+
+          api_get() {
+            local endpoint="$1"
+            curl -fsSL \
+              -H "Authorization: Bearer $GITHUB_TOKEN" \
+              -H "Accept: application/vnd.github+json" \
+              "https://api.github.com/repos/${REPO_FULL}${endpoint}"
+          }
+
+          api_get_best_effort() {
+            local endpoint="$1"
+            local out_file="$2"
+            local code
+            code=$(curl -sS -o "$out_file" -w "%{http_code}" \
+              -H "Authorization: Bearer $GITHUB_TOKEN" \
+              -H "Accept: application/vnd.github+json" \
+              "https://api.github.com/repos/${REPO_FULL}${endpoint}")
+            echo "$code"
+          }
+
+          expected_checks_for_repo() {
+            case "$REPO_NAME" in
+              repo-template-base)
+                printf '%s\n' "core-validation" "pr-title"
+                ;;
+              repo-template-python)
+                printf '%s\n' "core-gated (3.10)" "core-gated (3.11)" "core-gated (3.12)" "pr-title"
+                ;;
+              repo-template-flutter)
+                printf '%s\n' "core-gated" "pr-title"
+                ;;
+              repo-template-cpp-cmake)
+                printf '%s\n' "build" "pr-title"
+                ;;
+              repo-template-cpp-family)
+                printf '%s\n' "smoke" "pr-title"
+                ;;
+              *)
+                printf '%s\n' "pr-title"
+                ;;
+            esac
+          }
+
+          check_branch_protection() {
+            local branch="$1"
+            local expected
+            expected="$(expected_checks_for_repo)"
+
+            local prot_file sig_file
+            prot_file="$(mktemp)"
+            sig_file="$(mktemp)"
+            trap 'rm -f "$prot_file" "$sig_file"' EXIT
+
+            local prot_code
+            prot_code="$(api_get_best_effort "/branches/${branch}/protection" "$prot_file")"
+            if [ "$prot_code" != "200" ]; then
+              warn "Best-effort protection check skipped for ${branch}: HTTP ${prot_code}"
+              return 0
+            fi
+
+            jq -e '.required_status_checks != null' "$prot_file" >/dev/null || fail "Missing required status checks protection on ${branch}"
+            jq -e '.required_pull_request_reviews != null' "$prot_file" >/dev/null || fail "Missing required PR reviews protection on ${branch}"
+            jq -e '.allow_force_pushes.enabled == false' "$prot_file" >/dev/null || fail "Force-push must be blocked on ${branch}"
+            jq -e '.allow_deletions.enabled == false' "$prot_file" >/dev/null || fail "Branch deletion must be blocked on ${branch}"
+
+            local contexts
+            contexts="$(jq -r '.required_status_checks.contexts[]?' "$prot_file")"
+            while IFS= read -r check; do
+              [ -n "$check" ] || continue
+              echo "$contexts" | grep -Fx "$check" >/dev/null || fail "Required check '${check}' missing on ${branch}"
+            done <<< "$expected"
+
+            local sig_code
+            sig_code="$(api_get_best_effort "/branches/${branch}/protection/required_signatures" "$sig_file")"
+            if [ "$sig_code" != "200" ]; then
+              warn "Best-effort signature check skipped for ${branch}: HTTP ${sig_code}"
+              return 0
+            fi
+            jq -e '.enabled == true' "$sig_file" >/dev/null || fail "Signed commits must be required on ${branch}"
+
+            echo "Protection check passed for ${branch}"
+          }
+
+          echo "Checking working tree cleanliness"
+          [ -z "$(git status --porcelain)" ] || fail "Repository is not clean at release time"
+
+          echo "Checking tag signature verification for ${TAG_NAME}"
+          ref_json="$(api_get "/git/ref/tags/${TAG_NAME}")"
+          ref_type="$(echo "$ref_json" | jq -r '.object.type')"
+          ref_sha="$(echo "$ref_json" | jq -r '.object.sha')"
+
+          [ "$ref_type" = "tag" ] || fail "Tag ${TAG_NAME} is lightweight; signed annotated tags are required"
+
+          tag_json="$(api_get "/git/tags/${ref_sha}")"
+          verified="$(echo "$tag_json" | jq -r '.verification.verified')"
+          reason="$(echo "$tag_json" | jq -r '.verification.reason')"
+          [ "$verified" = "true" ] || fail "Tag ${TAG_NAME} is not verified (reason: ${reason})"
+
+          echo "Checking required branch protections (best-effort via API)"
+          check_branch_protection master
+
+  draft-release:
+    runs-on: ubuntu-latest
+    needs: release-guard
+    steps:
+      - name: Create or update draft release
+        uses: ncipollo/release-action@v1
+        with:
+          tag: ${{ github.ref_name }}
+          draft: true
+          generateReleaseNotes: true
+          allowUpdates: true

.gitignore

@@ -0,0 +1,7 @@
+node_modules
+.next
+out
+coverage
+.env
+.env.local
+pnpm-lock.yaml