
[EVI-12]: prepare public repo hygiene #42

Merged: sunnypurewal merged 1 commit into main from claude/evi-12-public-repo-hygiene on May 19, 2026

Conversation

riddim-developer-bot (Contributor) wrote:

Summary

  • Adds MIT license, contribution guidance, repository metadata guidance, and a public-reader README refresh.
  • Moves active PR workflows to GitHub-hosted runners and removes the internal automerge bot workflow.
  • Updates launch docs, examples, CLI help examples, and test fixtures to avoid stale command claims and private repo references.
  • Adds workflow safety regression tests for public pull request runner safety, internal automerge coupling, and unsupported Action subcommands.

Verification

  • Workflow verification: actionlint .github/workflows/*.yml Examples/workflows/*.yml passed.
  • Swift tests: swift test passed: 126 tests executed, 2 skipped, 0 failures.
  • CLI help check: swift run evidence -- --help passed and lists capture-screenshots, resize, render-marketing, record-preview, capture-evidence, upload-screenshots, capture-web, and capture-pr.
  • CLI command help check: swift run evidence -- capture-pr --help passed and matches the README/launch demo references.
  • Whitespace check: git diff --check passed.
  • Local operational-file check: test ! -e WORKFLOW.md passed.

Hygiene scan

Exact internal-signal scan command:

```shell
pattern="AKIA|SECRET|PASSWORD|PRIVATE KEY|aws_access_key|aws_secret|self-hosted|/Users/|riddim-agent|RIDDIM_RELEASE_TOKEN|DEV_BOT|RiddimSoftware/(?!evidence)|arn:aws|AWS_ACCOUNT|BEGIN [A-Z ]*PRIVATE KEY"
git ls-files -z | xargs -0 rg -n --pcre2 "$pattern"
```

Result: no matches after staging the deletion of .github/workflows/set-automerge.yml.

Canonical token-name audit:

```shell
git ls-files -z | xargs -0 rg -n "GITHUB_TOKEN|GH_TOKEN"
```

Result: 28 references, all expected GitHub Actions token wiring, examples, docs, or validator tests. No private token values are present.

External validation gates

  • GitHub repository visibility remains a maintainer action after merge.
  • GitHub repository description, topics, homepage, and license badge should be verified in the GitHub UI after visibility changes.
  • Maintainer should spot-check public docs do not overclaim maturity or imply automatic production release.

Fixes EVI-12.
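The PR description above documents the internal-signal scan only as an `rg --pcre2` one-liner. The following is an added example (not code from the Evidence project or this PR) that implements the same scan in Python so it runs without ripgrep, reports `path:line` findings, and separates the canonical-token audit from the internal-signal scan exactly as the description does. The sample file contents are constructed for the example; `RiddimSoftware/internal-tool` and the `/Users/<maintainer>` path are placeholders, not real references. It also checks one edge case of the page's own pattern: `RiddimSoftware/(?!evidence)` suppresses any repo name that merely starts with `evidence`, so a tightened variant is included alongside it.

```python
import os
import re
import subprocess
from typing import Dict, List, Pattern, Tuple

# The internal-signal pattern from the PR description, verbatim. The negative
# lookahead `(?!evidence)` lets the public repo's own name through while any
# other RiddimSoftware/<repo> reference is flagged.
INTERNAL_SIGNAL_PATTERN = re.compile(
    r"AKIA|SECRET|PASSWORD|PRIVATE KEY|aws_access_key|aws_secret|self-hosted|/Users/"
    r"|riddim-agent|RIDDIM_RELEASE_TOKEN|DEV_BOT|RiddimSoftware/(?!evidence)"
    r"|arn:aws|AWS_ACCOUNT|BEGIN [A-Z ]*PRIVATE KEY"
)

# Tightened variant (an addition, not from the page): only allow `evidence`
# when it is the complete repo name, so `RiddimSoftware/evidence-private`
# is still flagged while `RiddimSoftware/evidence`, `.../evidence.git` and
# `.../evidence/issues` remain allowed.
TIGHTENED_PATTERN = re.compile(
    INTERNAL_SIGNAL_PATTERN.pattern.replace("(?!evidence)", r"(?!evidence(?![\w-]))")
)

# Canonical token names: expected GitHub Actions wiring, reported separately so a
# reviewer can confirm each hit is a name reference, not a value.
CANONICAL_TOKEN_PATTERN = re.compile(r"GITHUB_TOKEN|GH_TOKEN")

Hit = Tuple[str, int, str]  # (relative path, 1-based line number, stripped line)


def scan_files(files: Dict[str, str], pattern: Pattern[str] = INTERNAL_SIGNAL_PATTERN) -> List[Hit]:
    """Return every line of every file that matches `pattern`, in file order."""
    hits: List[Hit] = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            if pattern.search(line):
                hits.append((path, lineno, line.strip()))
    return hits


def load_tracked_files(repo_root: str = ".") -> Dict[str, str]:
    """Read every git-tracked file (the `git ls-files -z` set) as text."""
    out = subprocess.run(["git", "-C", repo_root, "ls-files", "-z"],
                         check=True, capture_output=True)
    files: Dict[str, str] = {}
    for rel in out.stdout.decode().split("\0"):
        if rel:
            with open(os.path.join(repo_root, rel), encoding="utf-8", errors="ignore") as fh:
                files[rel] = fh.read()
    return files


# Constructed sample tree: one allowed self-reference, one self-hosted runner
# label, one personal path and one placeholder private repo name.
SAMPLE_FILES = {
    "README.md": (
        "# Evidence\n\n"
        "Source: https://github.com/RiddimSoftware/evidence\n"
        "Uses ${{ secrets.GITHUB_TOKEN }} in CI.\n"
    ),
    ".github/workflows/ci.yml": (
        "on: pull_request\njobs:\n  test:\n"
        "    runs-on: [self-hosted, macOS]\n    steps:\n      - run: swift test\n"
    ),
    "docs/launch/demo.md": (
        "Canonical checkout: /Users/<maintainer>/code/evidence\n"
        "See RiddimSoftware/internal-tool for setup.\n"
    ),
}


if __name__ == "__main__":
    for path, lineno, line in scan_files(load_tracked_files()):
        print(f"{path}:{lineno}: {line}")
```

Run from the repository root it prints the same `path:line` findings the `rg` one-liner would; pass `TIGHTENED_PATTERN` to `scan_files` to close the `evidence-*` gap. Expected documentation hits (the canonical-token wiring, or an example that is clearly a placeholder) are left in place, as the issue's guidance says.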

riddim-developer-bot added the autonomous (Autonomous agent PR) label, May 19, 2026

linear-code (Bot) commented May 19, 2026:

EVI-12 Prepare evidence for impeccable public repo hygiene

Context / background

The RiddimSoftware/evidence repository is intended to become part of the public surface for the AI Tinkerers demo. It is the tooling proof point for verifying app changes with generated artifacts rather than asking people to trust a black-box autonomous coding loop. Before the repository can be made public, its hygiene needs to be release-grade: licensing, CI safety, documentation accuracy, example workflows, and secret/internal-context sanitation all need to be clean.

This issue prepares the repository for public visibility. The actual GitHub visibility flip is a human gate and is not part of the implementation PR.

Acceptance criteria

  • Add a valid LICENSE file that matches the README's stated license, or update the README if the intended license is different.
  • Audit every workflow under .github/workflows/ and remove public-PR use of self-hosted runners.
  • Any workflow triggered by pull_request uses GitHub-hosted runners or is disabled/rewritten so forked PRs cannot execute code on Riddim self-hosted infrastructure.
  • Remove, disable, or rewrite internal automerge/developer-bot workflow coupling so public contributors are not required to have Riddim-only secrets or bot infrastructure.
  • Run actionlint .github/workflows/*.yml Examples/workflows/*.yml after workflow changes and fix all reported issues.
  • Review Examples/workflows and ensure examples use public-safe defaults, GitHub-hosted runners by default, and canonical optional secret names where secrets are needed.
  • Update the README for a public reader: what Evidence does today, prerequisites, quickstart, where app-specific plans live, current CLI commands, privacy/security posture, and realistic limitations.
  • Remove or rewrite stale docs/launch/* content that contains placeholders, internal-only assumptions, or claims about commands/features that do not match current CLI behavior.
  • Ensure no untracked local/internal operational file is accidentally included in the PR, especially WORKFLOW.md unless it has been intentionally rewritten as public documentation.
  • Run a tracked-file hygiene scan for secrets, private credentials, private URLs, AWS account IDs, internal runner labels, personal machine paths, and private repo names.
  • Document the exact hygiene scan command(s) and result in the PR description.
  • Run swift test and fix regressions.
  • Run swift run evidence -- --help and ensure README/docs command references match the exposed CLI.
  • Update repo-facing metadata docs where applicable: badges, description guidance, topics guidance, and homepage guidance. Metadata changes that require GitHub settings UI should be listed under external validation gates, not treated as code AC.
  • Add a short public-facing section explaining how Evidence fits into the Riddim Software Factory narrative: generated artifacts verify that autonomous app changes satisfy requirements.
  • PR description includes the workflow verification result, Swift test result, CLI help check result, and hygiene scan result.

External validation gates

  • GitHub repository visibility changed from private to public after the PR merges. Owner: Sunny.
  • GitHub repository description, topics, homepage, and license badge verified in the GitHub UI after visibility changes. Owner: Sunny.
  • Human maintainer spot-checks that public docs do not overclaim maturity or imply fully automatic production release. Owner: Sunny.

Out of scope

  • Implementing new Evidence features.
  • Changing Evidence capture behavior, plan schema, upload behavior, or generated artifact formats except where needed to correct public docs.
  • Publishing app-specific private evidence bundles.
  • Adding TestFlight/App Store automation.
  • Creating the separate public symphonyd extension spec repository.
  • Changing the GitHub repository visibility inside the implementation PR.

Inputs / dependencies

Target repository: RiddimSoftware/evidence.
Canonical local checkout: /Users/sunny/code/evidence.

Known audit findings to address:

  • README currently states MIT licensing, but the repository has no tracked LICENSE file.
  • Some workflows use [self-hosted, macOS]; public PR workflows must not execute untrusted fork code on self-hosted runners.
  • .github/workflows/set-automerge.yml references internal loop/developer-bot behavior and should be removed, disabled, or made public-safe.
  • docs/launch/* contains stale placeholders and claims that need verification against current CLI help.
  • An untracked WORKFLOW.md exists locally and should not be accidentally committed unless intentionally sanitized.

Required verification commands:

```shell
actionlint .github/workflows/*.yml Examples/workflows/*.yml
swift test
swift run evidence -- --help
```

Suggested hygiene scan approaches:

```shell
git ls-files | xargs rg -n "AKIA|SECRET|TOKEN|PASSWORD|PRIVATE KEY|aws_access_key|aws_secret|self-hosted|/Users/|riddim-agent|RIDDIM_RELEASE_TOKEN"
```

Add or refine patterns as needed. If a match is expected documentation, leave it only when the surrounding text makes clear it is an example or placeholder.

Risks / notes for implementer

Treat public repo safety as the product. The goal is not merely to avoid leaking secrets; the repo should look intentional, trustworthy, and easy for another builder to clone, test, and understand. Do not remove useful docs just to reduce work unless they are stale enough to mislead users. Prefer small, accurate public docs over broad claims.

Workflow safety is the highest-risk area. Public repositories must not run untrusted fork PR code on Riddim self-hosted runners. If a workflow requires credentials or internal infrastructure, make it workflow_dispatch, document required setup, or move it to an example that is not active by default.

Definition of Done

Done when the repo has license hygiene, public-safe workflows, accurate public documentation, reviewed examples, no accidental internal operational files, documented secret/internal-context scan results, passing workflow lint, passing Swift tests, and CLI docs aligned with swift run evidence -- --help. The repository is ready for a human maintainer to make public without additional code cleanup.

Architecture Impact

Docs, CI, and repository hygiene only. No intended changes to Evidence domain behavior or artifact semantics. Workflow changes affect public contributor safety and CI trust boundaries.

Clean Architecture Shape

N/A — this issue prepares repository hygiene and public documentation; it does not change application behavior.

Mergeability / change ownership

Single reason to change: make RiddimSoftware/evidence safe and credible for public visibility.
Primary owner: Evidence repository hygiene/documentation/CI surface.
Expected hot files/modules: LICENSE, README.md, .github/workflows/*, Examples/workflows/*, docs/launch/*.
Sibling issues likely to touch same area: none known.
Conflict risk: medium — workflows and README are common hot files if other public-release work starts concurrently.
Sequencing lane: foundation; complete before flipping repository visibility to public.
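The acceptance criteria and risk notes above describe the CI trust boundary in words: any `pull_request`-triggered job must not land on a self-hosted runner, credentialed work belongs behind `workflow_dispatch`, and public contributors must not depend on Riddim-only secrets. The following is an added example (not the project's own `WorkflowSafetyTests` or any code from this PR) of a checker that enforces those three rules over parsed workflow files. It takes workflows as the mappings `yaml.safe_load` returns, so it has no dependency for the constructed samples; `load_workflow` imports PyYAML lazily for real repositories. The job names, secret references and runner labels in `SAMPLES` are constructed for the example, and the "hosted label" heuristic (`ubuntu-`, `macos-`, `windows-` prefixes) is an assumption, not a GitHub API.

```python
import json
import re
import sys
from typing import Any, Dict, List, Set

# Trigger the issue treats as untrusted: forks can open it.
UNTRUSTED_TRIGGERS = {"pull_request"}
# Secret names the issue calls canonical; any other reference is internal coupling.
CANONICAL_SECRETS = {"GITHUB_TOKEN", "GH_TOKEN"}
# Assumed heuristic for GitHub-hosted runner labels.
HOSTED_LABEL = re.compile(r"^(ubuntu|macos|windows)-", re.IGNORECASE)
SECRET_REF = re.compile(r"secrets\.([A-Za-z_][A-Za-z0-9_]*)")


def workflow_triggers(workflow: Dict[str, Any]) -> Set[str]:
    """Normalise the `on:` block (string, list or mapping) to a set of event names.
    PyYAML reads the bare key `on` as boolean True (YAML 1.1), so check both keys."""
    on = workflow.get("on", workflow.get(True))
    if isinstance(on, str):
        return {on}
    if isinstance(on, list):
        return set(on)
    if isinstance(on, dict):
        return set(on.keys())
    return set()


def runner_labels(runs_on: Any) -> List[str]:
    """Normalise `runs-on` (string, list, or {group, labels} mapping) to a label list."""
    if isinstance(runs_on, str):
        return [runs_on]
    if isinstance(runs_on, list):
        return [str(x) for x in runs_on]
    if isinstance(runs_on, dict):
        labels = runs_on.get("labels", [])
        labels = [labels] if isinstance(labels, str) else list(labels)
        if "group" in runs_on:
            labels.append("group:" + str(runs_on["group"]))
        return labels
    return []


def audit_workflow(name: str, workflow: Dict[str, Any]) -> List[str]:
    """Return findings for one workflow; an empty list means it is public-PR safe."""
    findings: List[str] = []
    if not (workflow_triggers(workflow) & UNTRUSTED_TRIGGERS):
        return findings  # push / workflow_dispatch only: fork code never runs here
    for job_name, job in (workflow.get("jobs") or {}).items():
        labels = runner_labels(job.get("runs-on"))
        if any(l.lower() == "self-hosted" or l.startswith("group:") for l in labels):
            findings.append(f"{name}: job '{job_name}' runs fork PR code on self-hosted runner {labels}")
        elif not labels or not all(HOSTED_LABEL.match(l) for l in labels):
            findings.append(f"{name}: job '{job_name}' has non-standard runs-on {labels}; verify it is GitHub-hosted")
        # Serialising the job catches secret references in run:, env:, with: and if:.
        for secret in sorted(set(SECRET_REF.findall(json.dumps(job))) - CANONICAL_SECRETS):
            findings.append(f"{name}: job '{job_name}' references secrets.{secret}, which a fork PR cannot supply")
    return findings


def audit_all(workflows: Dict[str, Dict[str, Any]]) -> Dict[str, List[str]]:
    return {name: audit_workflow(name, wf) for name, wf in workflows.items()}


def load_workflow(path: str) -> Dict[str, Any]:
    import yaml  # PyYAML, assumed installed only when scanning a real checkout
    with open(path, encoding="utf-8") as fh:
        return yaml.safe_load(fh) or {}


# Constructed samples in the shape yaml.safe_load produces.
SAMPLES = {
    "ci-before.yml": {  # the unsafe shape the issue describes
        True: ["pull_request", "push"],  # what PyYAML yields for `on: [pull_request, push]`
        "jobs": {
            "test": {"runs-on": ["self-hosted", "macOS"], "steps": [{"run": "swift test"}]},
            "automerge": {"runs-on": "ubuntu-latest",
                          "steps": [{"run": "./scripts/automerge.sh",
                                     "env": {"GH_TOKEN": "${{ secrets.RIDDIM_RELEASE_TOKEN }}"}}]},
        },
    },
    "ci-after.yml": {  # GitHub-hosted, canonical token only
        "on": {"pull_request": {"branches": ["main"]}},
        "jobs": {"test": {"runs-on": "macos-latest", "steps": [{"run": "swift test"}]}},
    },
    "release.yml": {  # credentialed work kept behind workflow_dispatch
        "on": "workflow_dispatch",
        "jobs": {"publish": {"runs-on": ["self-hosted", "macOS"], "steps": [{"run": "./publish.sh"}]}},
    },
}


if __name__ == "__main__":
    paths = sys.argv[1:]
    results = audit_all({p: load_workflow(p) for p in paths}) if paths else audit_all(SAMPLES)
    for name, findings in results.items():
        for f in findings:
            print(f)
    sys.exit(1 if any(results.values()) else 0)
```

Invoked as `python check_workflows.py .github/workflows/*.yml Examples/workflows/*.yml` it exits non-zero on any finding, which is the shape a regression test like the PR's `WorkflowSafetyTests` needs; with no arguments it audits the constructed samples. Note that `actionlint` validates syntax and expressions but does not encode this trust-boundary policy, so the two checks complement each other.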


riddim-developer-bot added and then removed the agent:working (Symphony developer-bot lease, not a CI required check) label, May 19, 2026

riddim-developer-bot (Contributor, Author) wrote:

Symphony developer-bot lease marker. Do not edit; managed by the autonomous loop.

riddim-developer-bot added the agent:working (Symphony developer-bot lease, not a CI required check) label, May 19, 2026
sunnypurewal removed the agent:working (Symphony developer-bot lease, not a CI required check) and autonomous (Autonomous agent PR) labels, May 19, 2026
sunnypurewal merged commit 7ed7919 into main, May 19, 2026
4 of 8 checks passed
sunnypurewal deleted the claude/evi-12-public-repo-hygiene branch, May 19, 2026 23:47
sunnypurewal added a commit that referenced this pull request May 20, 2026
## Summary

- Cuts the root README from 375 lines / 1,765 words to 161 lines / 565
words.
- Keeps the README focused on purpose, quick start, minimal app usage,
command overview, one CI example, safety guidance, and links.
- Leaves detailed command and launch material in `docs/` and `Examples/`
instead of duplicating it in the root README.

## Review basis

Sampled GitHub's README guidance plus public README patterns from React,
VS Code, freeCodeCamp, and Oh My Zsh. The applied pattern is: short
front door, quick path to first use, links to deeper docs.

## Verification

- `wc -l README.md && wc -w README.md` -> 161 lines, 565 words.
- `swift run evidence -- --help` passed and README command references
match the exposed CLI surface.
- `git diff --check origin/main..HEAD` passed.
- README stale/internal scan returned no matches for removed commands,
internal runner labels, local paths, or private Riddim repo references.
- `swift test --filter WorkflowSafetyTests` passed: 3 tests, 0 failures.

Follow-up to EVI-12 / PR #42.

Co-authored-by: Sunny Purewal <sunny@riddimsoftware.com>