chore: deploy agentic workflows

.gitattributes

@@ -0,0 +1 @@
+.github/workflows/*.lock.yml linguist-generated=true merge=ours

.github/actionlint.yaml

@@ -0,0 +1,9 @@
+# Skip gh-aw machine-generated workflow files (validated by `gh aw lint`/`compile`).
+# Auto-applied by actionlint regardless of which security-scan invokes it.
+paths:
+  "**/*.lock.yml":
+    ignore:
+      - ".*"
+  "**/agentics-maintenance.yml":
+    ignore:
+      - ".*"

.github/aw/actions-lock.json

@@ -0,0 +1,19 @@
+{
+  "entries": {
+    "actions/github-script@v9.0.0": {
+      "repo": "actions/github-script",
+      "version": "v9.0.0",
+      "sha": "3a2844b7e9c422d3c10d287c895573f7108da1b3"
+    },
+    "github/gh-aw-actions/setup-cli@v0.79.4": {
+      "repo": "github/gh-aw-actions/setup-cli",
+      "version": "v0.79.4",
+      "sha": "d059700c6a8ec3b5fd798b9ea60f5d048447b918"
+    },
+    "github/gh-aw-actions/setup@v0.79.4": {
+      "repo": "github/gh-aw-actions/setup",
+      "version": "v0.79.4",
+      "sha": "d059700c6a8ec3b5fd798b9ea60f5d048447b918"
+    }
+  }
+}

.github/workflows/ai-auditor.md

@@ -0,0 +1,45 @@
+---
+# Trigger - when should this workflow run?
+on:
+  pull_request:
+    types: [opened]
+  workflow_dispatch:  # Manual trigger
+
+# Permissions - what can this workflow access?
+permissions:
+  contents: read
+  issues: read
+  pull-requests: read
+
+# AI engine - Gemini (free Google AI Studio tier; avoids Copilot utility-model rate limits)
+engine: gemini
+
+# Network access
+network: defaults
+
+# Outputs - what APIs and tools can the AI use?
+safe-outputs:
+  report-failure-as-issue: false
+  add-comment:
+    max: 10
+
+---
+
+# ai-auditor
+
+Audit the changes in this pull request for security vulnerabilities, logic bugs, or performance issues.
+
+## Instructions
+
+1.  Review all file changes in the current pull request.
+2.  Identify potential security vulnerabilities (e.g., SQL injection, hardcoded secrets, insecure defaults).
+3.  Look for logic bugs, edge cases, or potential runtime errors.
+4.  Check for performance bottlenecks or inefficient code patterns.
+5.  For each identified issue, provide a concise and constructive comment explaining the problem and suggesting a fix.
+6.  Use the `add-comment` tool to post your feedback directly on the PR.
+
+Be thorough but focus on high-impact issues. If no issues are found, post a brief summary comment stating that the audit passed.
+
+## Setup
+
+This workflow uses the Gemini engine and requires the `GEMINI_API_KEY` repository secret (free key from https://aistudio.google.com).

.github/workflows/auto-triage-issues.md

@@ -0,0 +1,161 @@
+---
+name: Auto-Triage Issues
+description: >
+  Automatically labels new and existing unlabeled issues based on content analysis.
+  Improves discoverability and reduces manual triage workload across the polyglot monorepo.
+
+on:
+  issues:
+    types: [opened, edited]
+  schedule: weekly
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  issues: read
+
+engine: copilot
+
+strict: true
+
+tools:
+  github:
+    toolsets: [issues]
+  bash:
+    - "jq *"
+
+safe-outputs:
+  report-failure-as-issue: false
+  add-labels:
+    max: 10
+  create-discussion:
+    expires: 1d
+    title-prefix: "[Auto-Triage] "
+    category: "audits"
+    close-older-discussions: true
+    max: 1
+
+timeout-minutes: 15
+---
+
+# Auto-Triage Issues Agent
+
+You are the Auto-Triage Issues Agent for the ResQ project — an autonomous drone swarm platform for disaster response. You automatically categorize and label GitHub issues to improve discoverability across a polyglot monorepo (Rust, TypeScript, Python, C++, C#).
+
+## Task
+
+When triggered by an issue event (opened/edited) or scheduled run, analyze issues and apply appropriate labels.
+
+### On Issue Events (opened/edited)
+
+1. **Analyze the issue** that triggered this workflow
+2. **Check if the author is a community member** — if `author_association` is `NONE`, `FIRST_TIME_CONTRIBUTOR`, `FIRST_TIMER`, or `CONTRIBUTOR`, and the author is **not** a bot, include `community` in labels
+3. **Classify the issue** based on title and body content
+4. **Apply all labels** in a single `add_labels` call
+5. If uncertain, add `needs-triage` for human review
+
+### On Scheduled Runs
+
+1. **Fetch unlabeled issues** using GitHub tools
+2. **Process up to 10 unlabeled issues** (respecting safe-output limits)
+3. **Apply labels** to each issue
+4. **Create a summary discussion** with statistics
+
+## Classification Rules
+
+Apply labels based on content. Multiple labels are encouraged (2–4).
+
+### Issue Type Labels
+
+- **`bug`** — Error reports, crashes, unexpected behavior, stack traces
+- **`feature`** — New functionality, enhancement requests, "would be nice" phrases
+- **`documentation`** — Doc improvements, README updates, guide requests
+- **`security`** — Vulnerabilities, secret exposure, auth issues, CVEs
+- **`performance`** — Speed regressions, memory issues, optimization requests
+- **`refactor`** — Code restructuring without behavior change
+
+### Service Labels
+
+Apply based on mentioned services, file paths, or component names:
+
+- **`service:infrastructure`** — Infrastructure API, Axum, Rust backend, `services/infrastructure-api/`
+- **`service:coordination`** — Coordination HCE, Bun, Elysia, `services/coordination-hce/`
+- **`service:intelligence`** — Predictive Intelligence, Python ML/AI, `services/intelligence-pdie/`
+- **`service:edge`** — Edge AEAI, ROS2, C++ drone code, `services/edge-aeai/`
+- **`service:strategic`** — Strategic DTSOP, C++ planning, `services/strategic-dtsop/`
+- **`service:dashboard`** — Web Dashboard, Next.js, `services/web-dashboard/`
+- **`service:simulation`** — Simulation Harness, .NET, Gazebo, PX4, `services/simulation-harness/`
+
+### Library / Area Labels
+
+- **`lib:protocols`** — Protobuf, `.proto` files, codegen, `libs/protocols/`
+- **`lib:ts`** — TypeScript shared libraries
+- **`lib:python`** — Python shared libraries
+- **`lib:cpp`** — C++ shared libraries
+- **`lib:dotnet`** — .NET shared libraries
+- **`area:blockchain`** — Neo N3, Solana, IPFS, immutable audit trail, `programs/`
+- **`area:ci-cd`** — GitHub Actions, CI/CD, workflows, `turbo.json`
+- **`area:docs`** — Documentation files
+
+### Tool Labels
+
+- **`tool:cli`** — ResQ CLI tool, `tools/cli/`
+- **`tool:scripts`** — Scripts, `tools/scripts/`
+
+### Priority Indicators
+
+- **`P0: critical`** — "outage", "data loss", "crash in production", "safety critical"
+- **`P1: high`** — "blocking", "urgent", "critical", "major"
+- **`P2: medium`** — Moderate impact, clear bug with workaround
+- **`P3: low`** — Minor issues, cosmetic, "nice to have"
+
+### Special Labels
+
+- **`dependencies`** — Dependency updates, version bumps
+- **`github-actions`** — Workflow files, CI configuration
+- **`good first issue`** — Explicitly beginner-friendly or small isolated scope
+- **`needs-triage`** — Uncertain classification, ambiguous description
+
+## Label Application Guidelines
+
+1. **Multiple labels encouraged** — Issues often span categories (e.g., `bug` + `service:edge` + `performance`)
+2. **Minimum one label** per issue
+3. **Maximum 4 labels** — Focus on the most relevant
+4. **Be conservative** — Use `needs-triage` when uncertain
+5. **Respect limits** — Maximum 10 label operations per run
+
+## Scheduled Run Report
+
+When running on schedule, create a discussion with this structure:
+
+```markdown
+### Auto-Triage Report Summary
+
+**Report Period**: [Date/Time Range]
+**Issues Processed**: X
+**Labels Applied**: Y total labels
+**Still Unlabeled**: Z issues
+
+### Key Metrics
+- **Success Rate**: X%
+- **Average Confidence**: [High/Medium/Low]
+- **Most Common Classifications**: [list]
+
+### Classification Summary
+
+| Issue | Applied Labels | Confidence | Key Reasoning |
+|-------|---------------|------------|---------------|
+| #N    | labels        | level      | reason        |
+
+### Label Distribution
+- [breakdown by label]
+
+### Recommendations
+- [actionable insights]
+
+### Confidence Assessment
+- **Overall Success**: [High/Medium/Low]
+- **Human Review Needed**: X issues flagged with `needs-triage`
+```
+
+**Important**: If no action is needed after completing your analysis, you **MUST** call the `noop` safe-output tool with a brief explanation.