chore: bootstrap setup baseline

.editorconfig

@@ -0,0 +1,15 @@
+root = true
+
+[*.{ts,tsx,js,json,yml,yaml,md,py,sh,rs}]
+charset = utf-8
+end_of_line = lf
+insert_final_newline = true
+indent_style = space
+indent_size = 2
+trim_trailing_whitespace = true
+
+[*.py]
+indent_size = 4
+
+[Makefile]
+indent_style = tab

.gitattributes

@@ -0,0 +1,13 @@
+* text=auto eol=lf
+
+*.png binary
+*.jpg binary
+*.jpeg binary
+*.webp binary
+*.pdf binary
+*.zip binary
+*.wav binary
+*.mp3 binary
+*.flac binary
+*.m4a binary
+*.onnx binary

.github/CODEOWNERS

@@ -0,0 +1,5 @@
+* @seonghobae
+/docs/security/ @seonghobae
+/.github/workflows/ @seonghobae
+/apps/desktop/ @seonghobae
+/services/analysis-engine/ @seonghobae

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -0,0 +1,34 @@
+name: Bug report
+description: Report a defect in BandScope
+title: "[Bug] "
+labels:
+  - bug
+body:
+  - type: textarea
+    id: summary
+    attributes:
+      label: Summary
+    validations:
+      required: true
+  - type: textarea
+    id: steps
+    attributes:
+      label: Steps to reproduce
+    validations:
+      required: true
+  - type: textarea
+    id: expected
+    attributes:
+      label: Expected behavior
+    validations:
+      required: true
+  - type: textarea
+    id: actual
+    attributes:
+      label: Actual behavior
+      description: Describe what happened instead.
+  - type: textarea
+    id: environment
+    attributes:
+      label: Environment details
+      description: OS, BandScope version, install source, and any relevant device context.

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,5 @@
+blank_issues_enabled: false
+contact_links:
+  - name: Security reporting
+    url: https://github.com/seonghobae/bandscope/security/advisories/new
+    about: Use private vulnerability reporting for security issues when available.

.github/ISSUE_TEMPLATE/feature_request.yml

@@ -0,0 +1,24 @@
+name: Feature request
+description: Propose a feature for BandScope
+title: "[Feature] "
+labels:
+  - enhancement
+body:
+  - type: textarea
+    id: problem
+    attributes:
+      label: Problem to solve
+    validations:
+      required: true
+  - type: textarea
+    id: proposal
+    attributes:
+      label: Proposed solution
+    validations:
+      required: true
+  - type: textarea
+    id: security
+    attributes:
+      label: Security or supply-chain considerations
+    validations:
+      required: true

.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,50 @@
+# Pull Request
+
+## Summary
+
+-
+
+## Verification
+
+- [ ] `./scripts/harness/quickcheck.sh`
+
+## Security Notes
+
+### Attack surface
+
+-
+
+### Trust boundary
+
+-
+
+### Mitigations
+
+-
+
+### Test points
+
+-
+
+## Dependency and Supply Chain
+
+- [ ] No new direct dependency was added
+- [ ] If a new dependency was added, this PR explains why it is needed
+- [ ] runtime / dev / build / test classification is recorded
+- [ ] alternatives were considered
+- [ ] maintainer trust and update health were checked
+- [ ] license fit was checked
+- [ ] known security issues were checked
+- [ ] transitive footprint impact was considered
+- [ ] SBOM or supplemental inventory impact was recorded
+
+## i18n impact
+
+- [ ] No user-visible string changed
+- [ ] Korean and English locale impact was updated
+
+## Reviewer checklist
+
+- [ ] Gitflow target branch is correct
+- [ ] protected-branch rules were not weakened
+- [ ] required checks are expected to stay green

.github/dependabot.yml

@@ -0,0 +1,41 @@
+version: 2
+updates:
+  - package-ecosystem: "npm"
+    directory: "/"
+    target-branch: "develop"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 10
+    labels:
+      - "dependencies"
+      - "javascript"
+
+  - package-ecosystem: "pip"
+    directory: "/services/analysis-engine"
+    target-branch: "develop"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 10
+    labels:
+      - "dependencies"
+      - "python"
+
+  - package-ecosystem: "cargo"
+    directory: "/apps/desktop/src-tauri"
+    target-branch: "develop"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 10
+    labels:
+      - "dependencies"
+      - "rust"
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    target-branch: "develop"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 10
+    labels:
+      - "dependencies"
+      - "github-actions"

.github/workflows/build-baseline.yml

@@ -0,0 +1,138 @@
+name: build-baseline
+
+on:
+  pull_request:
+    branches:
+      - develop
+      - main
+  push:
+    branches:
+      - develop
+      - main
+    tags:
+      - "v*"
+  release:
+    types:
+      - published
+
+permissions:
+  contents: read
+
+jobs:
+  build-windows:
+    name: gate / build / windows
+    runs-on: windows-latest
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          persist-credentials: false
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
+        with:
+          node-version: 22
+          cache: npm
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
+        with:
+          python-version: "3.12"
+      - uses: astral-sh/setup-uv@e58605a9b6da7c637471fab8847a5e5a6b8df081 # v5
+        with:
+          version: "0.8.6"
+      - name: Install Rust stable
+        shell: bash
+        run: rustup toolchain install stable --profile minimal
+      - name: Install node dependencies
+        run: npm ci
+      - name: Sync Python dependencies
+        run: uv sync --project services/analysis-engine --group dev --frozen
+      - name: Build frontend
+        run: npm run build --workspace @bandscope/desktop
+      - name: Build native shell
+        run: cargo +stable build --manifest-path apps/desktop/src-tauri/Cargo.toml --release --locked
+      - name: Package Windows artifact
+        run: python scripts/release/package_desktop_artifact.py
+      - name: Upload Windows artifact
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
+        with:
+          name: bandscope-windows-${{ github.sha }}
+          path: |
+            artifacts/*.zip
+            artifacts/*.sha256
+            artifacts/*.manifest.txt
+  build-macos:
+    name: gate / build / macos
+    runs-on: macos-latest
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          persist-credentials: false
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
+        with:
+          node-version: 22
+          cache: npm
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
+        with:
+          python-version: "3.12"
+      - uses: astral-sh/setup-uv@e58605a9b6da7c637471fab8847a5e5a6b8df081 # v5
+        with:
+          version: "0.8.6"
+      - name: Install Rust stable
+        run: rustup toolchain install stable --profile minimal
+      - name: Install node dependencies
+        run: npm ci
+      - name: Sync Python dependencies
+        run: uv sync --project services/analysis-engine --group dev --frozen
+      - name: Build frontend
+        run: npm run build --workspace @bandscope/desktop
+      - name: Build native shell
+        run: cargo +stable build --manifest-path apps/desktop/src-tauri/Cargo.toml --release --locked
+      - name: Package macOS artifact
+        run: python3 scripts/release/package_desktop_artifact.py
+      - name: Upload macOS artifact
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
+        with:
+          name: bandscope-macos-${{ github.sha }}
+          path: |
+            artifacts/*.zip
+            artifacts/*.sha256
+            artifacts/*.manifest.txt
+
+  attach-windows-release-artifact:
+    name: release-artifact / windows
+    if: github.event_name == 'release'
+    runs-on: ubuntu-latest
+    needs:
+      - build-windows
+    permissions:
+      contents: write
+    steps:
+      - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
+        with:
+          name: bandscope-windows-${{ github.sha }}
+          path: artifacts
+      - name: Attach Windows artifact to release
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          RELEASE_TAG: ${{ github.event.release.tag_name }}
+        run: gh release upload "$RELEASE_TAG" artifacts/*.zip artifacts/*.sha256 artifacts/*.manifest.txt --clobber
+
+  attach-macos-release-artifact:
+    name: release-artifact / macos
+    if: github.event_name == 'release'
+    runs-on: ubuntu-latest
+    needs:
+      - build-macos
+    permissions:
+      contents: write
+    steps:
+      - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
+        with:
+          name: bandscope-macos-${{ github.sha }}
+          path: artifacts
+      - name: Attach macOS artifact to release
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          RELEASE_TAG: ${{ github.event.release.tag_name }}
+        run: gh release upload "$RELEASE_TAG" artifacts/*.zip artifacts/*.sha256 artifacts/*.manifest.txt --clobber

.github/workflows/ci.yml

@@ -0,0 +1,49 @@
+name: ci
+
+on:
+  push:
+    branches:
+      - develop
+      - main
+  pull_request:
+    branches:
+      - develop
+      - main
+
+jobs:
+  verify:
+    name: ci / build-and-test
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
+        with:
+          node-version: 22
+          cache: npm
+      - uses: astral-sh/setup-uv@e58605a9b6da7c637471fab8847a5e5a6b8df081 # v5
+        with:
+          version: "0.8.6"
+      - name: Install node dependencies
+        run: npm ci
+      - name: Sync Python dependencies
+        run: uv sync --project services/analysis-engine --group dev --frozen
+      - name: Run quickcheck
+        run: ./scripts/harness/quickcheck.sh
+
+  rust-check:
+    name: gate / ci / rust-check
+    runs-on: macos-latest
+    steps:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
+        with:
+          node-version: 22
+          cache: npm
+      - name: Install stable Rust toolchain
+        run: rustup toolchain install stable --profile minimal
+      - name: Install node dependencies
+        run: npm ci
+      - name: Build frontend
+        run: npm run build --workspace @bandscope/desktop
+      - name: Check Tauri shell
+        run: cargo +stable check --manifest-path apps/desktop/src-tauri/Cargo.toml --locked