Ch 00001 standardize dev setup

.github/pull_request_template.md

@@ -0,0 +1,96 @@
+## Ticket
+
+- Ticket ID: <!-- FR-NNNNN / BG-NNNNN / CH-NNNNN -->
+- [ ] User Story / Bug Report / Chore Description exists and is complete
+- [ ] Technical Document exists and is complete
+
+---
+
+## Description
+
+<!-- Brief description of changes (2-3 sentences) -->
+
+## Type of Change
+
+- [ ] Feature (new functionality)
+- [ ] Bug fix (fixes an issue)
+- [ ] Documentation (docs only)
+- [ ] Refactor (code improvement, no behavior change)
+- [ ] Performance improvement
+- [ ] Hotfix (critical production issue)
+- [ ] Infrastructure/tooling
+
+## Related Issues
+
+Closes #
+Related to #
+
+---
+
+## Design Compliance Checklist
+
+### Testing
+
+- [ ] Coverage ≥ 95% (verify: `make test-all`)
+- [ ] Unit tests for new/modified code
+- [ ] Integration tests for end-to-end flows (if applicable)
+- [ ] All tests pass locally (`make test-all`)
+- [ ] No flaky tests introduced
+
+### Documentation
+
+- [ ] CHANGELOG.md updated with user-facing changes
+- [ ] Public APIs have docstrings
+- [ ] User documentation updated (if user-facing change)
+- [ ] Development docs updated (if process changed)
+
+### Git Workflow
+
+- [ ] Branch name follows convention (feature/*, bugfix/*, docs/*, etc.)
+- [ ] Commits follow Conventional Commits format
+- [ ] No merge commits (rebased on target branch)
+
+### Code Quality
+
+- [ ] Code follows existing patterns and conventions
+- [ ] No commented-out code or debug statements
+- [ ] No TODO comments (convert to issues instead)
+- [ ] Error messages are clear and actionable
+
+### CI/CD
+
+- [ ] All CI checks passing
+- [ ] Linting passes: `make lint`
+- [ ] Security scan clean: `make security`
+- [ ] Tests pass with ≥95% coverage: `make test-all`
+
+### Security
+
+- [ ] No hardcoded secrets or credentials
+- [ ] Input validation for user-provided data
+- [ ] No command injection vulnerabilities
+- [ ] External dependencies reviewed
+
+---
+
+## Verification Commands
+
+```bash
+make lint
+make test-all
+make pipeline
+```
+
+## Breaking Changes
+
+- [ ] No breaking changes
+- [ ] Breaking changes documented with migration guide
+
+---
+
+## Self-Review Checklist
+
+- [ ] I have reviewed my own code
+- [ ] I have tested this thoroughly
+- [ ] I have updated CHANGELOG.md
+- [ ] This PR is ready for review

.github/workflows/ci-cache.yml

@@ -0,0 +1,122 @@
+name: cache Package CI
+
+on:
+  push:
+    branches: ["**"]
+    paths:
+      - "packages/cache/**"
+      - ".github/workflows/ci-cache.yml"
+  pull_request:
+    branches: [main, master, develop]
+    paths:
+      - "packages/cache/**"
+
+jobs:
+  lint:
+    name: Lint (cache)
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+
+      - name: Install uv
+        run: pip install uv
+
+      - name: Install dependencies
+        run: uv sync --dev --all-packages
+
+      - name: Ruff check
+        run: |
+          cd packages/cache
+          uv run ruff check --line-length 88 .
+
+      - name: Black check
+        run: |
+          cd packages/cache
+          uv run black --check --line-length=88 .
+
+      - name: isort check
+        run: |
+          cd packages/cache
+          uv run isort --check --line-length=88 .
+
+      # Add mypy step for packages with complex logic (core, orchestrator):
+      # - name: mypy type check
+      #   run: |
+      #     cd packages/cache
+      #     uv run mypy src/
+
+  security:
+    name: Security Scan (cache)
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+
+      - name: Install uv
+        run: pip install uv
+
+      - name: Install dependencies
+        run: uv sync --dev --all-packages
+
+      - name: Bandit security scan
+        run: |
+          cd packages/cache
+          uv run bandit -r src/ -ll -f json -o bandit-report.json
+
+      - name: Upload security report
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: bandit-report-cache
+          path: packages/cache/bandit-report.json
+
+  test:
+    name: Test (cache)
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        os: [ubuntu-latest, macos-latest]
+        python-version: ["3.12", "3.13"]
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.python-version }}
+
+      - name: Install uv
+        run: pip install uv
+
+      - name: Install dependencies
+        run: uv sync --dev --all-packages
+
+      - name: Run tests with coverage
+        run: |
+          cd packages/cache
+          uv run pytest -n auto --cov=src --cov-report=xml --cov-report=term
+
+      - name: Check coverage threshold
+        run: |
+          cd packages/cache
+          uv run coverage report --fail-under=95
+
+      - name: Upload coverage to Codecov
+        uses: codecov/codecov-action@v4
+        with:
+          file: packages/cache/coverage.xml
+          flags: cache
+          token: ${{ secrets.CODECOV_TOKEN }}
+          fail_ci_if_error: false

.github/workflows/ci-container-manager.yml

@@ -0,0 +1,122 @@
+name: container-manager Package CI
+
+on:
+  push:
+    branches: ["**"]
+    paths:
+      - "packages/container-manager/**"
+      - ".github/workflows/ci-container-manager.yml"
+  pull_request:
+    branches: [main, master, develop]
+    paths:
+      - "packages/container-manager/**"
+
+jobs:
+  lint:
+    name: Lint (container-manager)
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+
+      - name: Install uv
+        run: pip install uv
+
+      - name: Install dependencies
+        run: uv sync --dev --all-packages
+
+      - name: Ruff check
+        run: |
+          cd packages/container-manager
+          uv run ruff check --line-length 88 .
+
+      - name: Black check
+        run: |
+          cd packages/container-manager
+          uv run black --check --line-length=88 .
+
+      - name: isort check
+        run: |
+          cd packages/container-manager
+          uv run isort --check --line-length=88 .
+
+      # Add mypy step for packages with complex logic (core, orchestrator):
+      # - name: mypy type check
+      #   run: |
+      #     cd packages/container-manager
+      #     uv run mypy src/
+
+  security:
+    name: Security Scan (container-manager)
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+
+      - name: Install uv
+        run: pip install uv
+
+      - name: Install dependencies
+        run: uv sync --dev --all-packages
+
+      - name: Bandit security scan
+        run: |
+          cd packages/container-manager
+          uv run bandit -r src/ -ll -f json -o bandit-report.json
+
+      - name: Upload security report
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: bandit-report-container-manager
+          path: packages/container-manager/bandit-report.json
+
+  test:
+    name: Test (container-manager)
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        os: [ubuntu-latest]
+        python-version: ["3.12", "3.13"]
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.python-version }}
+
+      - name: Install uv
+        run: pip install uv
+
+      - name: Install dependencies
+        run: uv sync --dev --all-packages
+
+      - name: Run tests with coverage
+        run: |
+          cd packages/container-manager
+          uv run pytest -n auto --cov=src --cov-report=xml --cov-report=term
+
+      - name: Check coverage threshold
+        run: |
+          cd packages/container-manager
+          uv run coverage report --fail-under=95
+
+      - name: Upload coverage to Codecov
+        uses: codecov/codecov-action@v4
+        with:
+          file: packages/container-manager/coverage.xml
+          flags: container-manager
+          token: ${{ secrets.CODECOV_TOKEN }}
+          fail_ci_if_error: false