
chore: hardening cleanup, docs upgrade, and CI polish#66

Merged
Doogie201 merged 12 commits into main from chore/github-cleanup-and-release
Feb 21, 2026

Conversation

Doogie201 (Owner) commented Feb 21, 2026

Summary

This PR brings the repository to a cleaner, reviewable baseline while preserving hardening work and avoiding trust-boundary regressions.

What changed

  • Removed tracked runtime artifacts (reports/*) and Finder metadata (.DS_Store), and ignored reports/ moving forward.
  • Upgraded project documentation (README.md, CONTRIBUTING.md) and added SECURITY.md + CHANGELOG.md.
  • Added MIT LICENSE text and referenced license posture in docs.
  • Fixed CI commands:
    • ruff now runs as ruff check .
    • pytest coverage multiline command is shell-safe and correctly escaped.
  • Finalized security/reliability hardening in orchestrator paths:
    • Darwin-gated install-sudoers
    • strict interface/user validation
    • deterministic sudoers rule rendering and escaping
    • fail-closed sudoers include-dir verification with non-interactive fallback (sudo -n) and timeout
    • least-privilege sudoers run-as target (root)
    • export-state restricted to json/csv with consistent error handling
    • atomic writes for state/report paths validated by tests
  • Included minimal import/type hygiene fixes needed for clean static checks.

Verification

Commands run locally and passing:

poetry run ruff check .
poetry run black --check .
poetry run isort --check-only .
poetry run mypy .
poetry run pytest -q

Results:

  • Ruff: pass
  • Black: pass
  • isort: pass
  • mypy: pass (no issues in 65 source files)
  • pytest: pass (87 passed)

Risk assessment

Low-to-moderate. Most changes are additive hardening, docs, CI command fixes, and cleanup of generated artifacts. Main behavior changes are constrained to install-sudoers/export validation paths and are covered by tests.

Security notes

  • No shell=True paths introduced.
  • No trust-boundary expansion.
  • Least-privilege constraints preserved/improved.
  • Sudoers install path fails closed when verification cannot be completed non-interactively.
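
As an added example (written for this page; not the project's own code and not from the PR), the install-sudoers hardening the summary lists, in one self-contained module: strict user/interface validation, deterministic rule rendering with sudoers escaping, fail-closed `#includedir` verification that falls back to a non-interactive `sudo -n` read with a timeout, and an atomic write of the drop-in file. The allow-list regexes, `/sbin/ifconfig` as the managed command with `up`/`down` as its only permitted arguments, the 5-second timeout, the `/usr/bin/sudo` and `/bin/cat` paths and the drop-in file mode are assumptions; the Darwin gate is a plain `platform.system() == "Darwin"` check and is left out.

```python
"""Added example, not the project's own code: strict validation, deterministic
sudoers rendering/escaping, fail-closed include-dir verification, atomic write."""
from __future__ import annotations

import os
import re
import subprocess
import tempfile
from pathlib import Path
from typing import Callable, Sequence

# Assumed allow-lists: POSIX user names and BSD-style interface names only.
_USER_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")
_IFACE_RE = re.compile(r"[a-z]+[0-9]{1,3}")  # en0, utun3, bridge100
_SPECIALS = re.compile(r'([\\,:= "])')  # characters that are syntax in sudoers
SUDO_TIMEOUT_S = 5.0  # hypothetical default
IFCONFIG = "/sbin/ifconfig"  # hypothetical managed command
Runner = Callable[[Sequence[str], float], subprocess.CompletedProcess]

class ValidationError(ValueError): """Input failed the strict allow-list."""

class VerificationError(RuntimeError): """sudoers not proven to include drop-in dir."""

def validate_user(user: str) -> str:
    if not _USER_RE.fullmatch(user):
        raise ValidationError(f"invalid user name: {user!r}")
    return user

def validate_interface(iface: str) -> str:
    if not _IFACE_RE.fullmatch(iface):
        raise ValidationError(f"invalid interface name: {iface!r}")
    return iface

def escape_sudoers_token(token: str) -> str:
    # Defence in depth: the allow-lists above already reject these characters.
    return _SPECIALS.sub(r"\\\1", token)

def render_sudoers_rule(user: str, interfaces: Sequence[str]) -> str:
    """Deterministic: validated, sorted, de-duplicated; no wildcards; run-as root only."""
    u = validate_user(user)
    ifaces = sorted({validate_interface(i) for i in interfaces})
    if not ifaces:
        raise ValidationError("at least one interface is required")
    cmds = [" ".join(escape_sudoers_token(t) for t in (IFCONFIG, i, act))
            for i in ifaces for act in ("up", "down")]
    return f"{u} ALL=(root) NOPASSWD: {', '.join(cmds)}\n"

def _run(argv: Sequence[str], timeout: float) -> subprocess.CompletedProcess:
    # argv list, never shell=True; `-n` makes sudo fail instead of prompting.
    return subprocess.run(list(argv), capture_output=True, text=True,
                          timeout=timeout, check=False)

def verify_includedir(
    sudoers_path: str = "/etc/sudoers",
    include_dir: str = "/etc/sudoers.d",
    *,
    read_file: Callable[[str], str] = lambda p: Path(p).read_text(),
    runner: Runner = _run,
    timeout: float = SUDO_TIMEOUT_S,
) -> bool:
    """Direct read first; if denied, non-interactive `sudo -n` read. Timeouts,
    non-zero exits and a missing directive all raise, so callers fail closed."""
    try:
        text = read_file(sudoers_path)
    except PermissionError:
        argv = ["/usr/bin/sudo", "-n", "/bin/cat", sudoers_path]
        try:
            proc = runner(argv, timeout)
        except subprocess.TimeoutExpired as exc:
            raise VerificationError(f"sudo -n timed out after {timeout}s") from exc
        except OSError as exc:
            raise VerificationError(f"could not run sudo: {exc}") from exc
        if proc.returncode != 0:
            raise VerificationError(f"sudo -n failed (rc={proc.returncode}): "
                                    f"{proc.stderr.strip()}")
        text = proc.stdout
    except OSError as exc:
        raise VerificationError(f"cannot read {sudoers_path}: {exc}") from exc
    directive = re.compile(rf"^\s*[#@]includedir\s+{re.escape(include_dir)}\s*$",
                           re.MULTILINE)
    if not directive.search(text):
        raise VerificationError(f"{sudoers_path} does not include {include_dir}")
    return True

def atomic_write(path: Path, data: str, mode: int = 0o440) -> Path:
    """Temp file in the same directory, fsync, chmod, rename: no partial drop-in."""
    fd, tmp = tempfile.mkstemp(dir=path.parent, prefix=f".{path.name}.")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(data)
            fh.flush()
            os.fsync(fh.fileno())
        os.chmod(tmp, mode)
        os.replace(tmp, path)
    except BaseException:
        Path(tmp).unlink(missing_ok=True)
        raise
    return path
```

`verify_includedir` takes its file reader and process runner as parameters so the fallback path can be exercised without sudo; the defaults read `/etc/sudoers` and run `sudo -n /bin/cat` as an argv list. When credentials are not cached, `sudo -n` exits non-zero with "a password is required" instead of prompting, which this code treats as unverified rather than as a reason to retry interactively. The rule deliberately enumerates `ifconfig <iface> up` and `ifconfig <iface> down` rather than using a sudoers wildcard, since a `*` argument would allow arbitrary extra arguments to the privileged command.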

codecov bot commented Feb 21, 2026

Welcome to Codecov 🎉

Once you merge this PR into your default branch, you're all set! Codecov will compare coverage reports and display results in all future pull requests.

ℹ️ You can also turn on project coverage checks and project coverage reporting on Pull Request comment

Thanks for integrating Codecov - We've got you covered ☂️

@Doogie201 Doogie201 merged commit 203150d into main Feb 21, 2026
6 checks passed
@Doogie201 Doogie201 deleted the chore/github-cleanup-and-release branch February 21, 2026 08:34