Implement TODO.md template hardening and automation

.claude/rules/copier/template-conventions.md

@@ -58,18 +58,16 @@ current_year:
 They are not stored in `.copier-answers.yml` and not shown to users. Use them for
 derived values (year, Python version matrix) to keep templates DRY.
 
-## Secret variables
+## Secrets and third-party tokens
 
-Use `secret: true` for sensitive values to prevent them from being stored in
-`.copier-answers.yml`:
+Do **not** add Copier prompts for API tokens or upload keys (Codecov, PyPI, npm,
+and so on). Those belong in the CI provider’s **encrypted secrets** (for example
+GitHub Actions **Settings → Secrets**) and in maintainer documentation
+(`README.md`, `docs/ci.md`), not in `.copier-answers.yml`.
 
-```yaml
-codecov_token:
-  type: str
-  secret: true
-  default: ""
-  help: Leave empty; use GitHub secret CODECOV_TOKEN
-```
+If you must accept a rare secret interactively, use `secret: true` with a safe
+`default` so it is **not** written to the answers file — and still prefer
+documenting the secret-in-CI workflow instead of prompting.
 
 ## _skip_if_exists
 

.github/labeler.yml

@@ -0,0 +1,23 @@
+# actions/labeler@v4 — minimatch globs per label
+# https://github.com/actions/labeler
+template:
+  - template/**/*
+
+tests:
+  - tests/**/*
+
+ci:
+  - .github/**/*
+
+copier:
+  - copier.yml
+
+dependencies:
+  - pyproject.toml
+  - uv.lock
+
+documentation:
+  - "**/*.md"
+
+scripts:
+  - scripts/**/*

.github/renovate.json

@@ -0,0 +1,12 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": ["config:base"],
+  "pre-commit": {
+    "enabled": true
+  },
+  "labels": ["dependencies"],
+  "dependencyDashboard": true,
+  "lockFileMaintenance": {
+    "enabled": true
+  }
+}

.github/workflows/labeler.yml

@@ -20,3 +20,4 @@ jobs:
     - uses: actions/labeler@v4
       with:
         repo-token: "${{ secrets.GITHUB_TOKEN }}"
+        dot: true

.github/workflows/sync-skip-if-exists.yml

@@ -0,0 +1,43 @@
+# Weekly maintenance: align ``_skip_if_exists`` in copier.yml with template paths and
+# recent commit activity (see scripts/sync_skip_if_exists.py).
+name: Sync Copier skip-if-exists list
+
+on:
+  schedule:
+    - cron: "15 6 * * 1" # Mondays 06:15 UTC
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  sync:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+
+      - name: Set up Python
+        uses: actions/setup-python@v6
+        with:
+          python-version: "3.11"
+
+      - name: Run sync script
+        run: python scripts/sync_skip_if_exists.py --write
+
+      - name: Create pull request
+        uses: peter-evans/create-pull-request@v7
+        with:
+          commit-message: "chore(copier): sync _skip_if_exists list"
+          title: "chore(copier): sync _skip_if_exists list"
+          body: |
+            Automated update from `scripts/sync_skip_if_exists.py` (scheduled workflow).
+
+            Review the diff to ensure newly skipped paths match files users are expected to edit.
+          branch: automation/sync-skip-if-exists
+          delete-branch: true

.gitignore

@@ -79,6 +79,10 @@ instance/
 docs/_build/
 docs/
 
+# Copier template ships MkDocs sources under template/docs/ (must not match the rule above).
+!template/docs/
+!template/docs/**
+
 # PyBuilder
 target/
 

.pre-commit-config.yaml

@@ -44,6 +44,13 @@ repos:
   # ---------------------------------------------------------------------------
   # Basic hygiene, YAML/TOML checks
   # ---------------------------------------------------------------------------
+  - repo: https://github.com/Yelp/detect-secrets
+    rev: v1.5.0
+    hooks:
+      - id: detect-secrets
+        args: ["--baseline", ".secrets.baseline"]
+        exclude: ^template/.*\.jinja$
+
   - repo: https://github.com/pre-commit/pre-commit-hooks
     rev: v5.0.0
     hooks:

.secrets.baseline

@@ -0,0 +1,133 @@
+{
+  "version": "1.5.0",
+  "plugins_used": [
+    {
+      "name": "ArtifactoryDetector"
+    },
+    {
+      "name": "AWSKeyDetector"
+    },
+    {
+      "name": "AzureStorageKeyDetector"
+    },
+    {
+      "name": "Base64HighEntropyString",
+      "limit": 4.5
+    },
+    {
+      "name": "BasicAuthDetector"
+    },
+    {
+      "name": "CloudantDetector"
+    },
+    {
+      "name": "DiscordBotTokenDetector"
+    },
+    {
+      "name": "GitHubTokenDetector"
+    },
+    {
+      "name": "GitLabTokenDetector"
+    },
+    {
+      "name": "HexHighEntropyString",
+      "limit": 3.0
+    },
+    {
+      "name": "IbmCloudIamDetector"
+    },
+    {
+      "name": "IbmCosHmacDetector"
+    },
+    {
+      "name": "IPPublicDetector"
+    },
+    {
+      "name": "JwtTokenDetector"
+    },
+    {
+      "name": "KeywordDetector",
+      "keyword_exclude": ""
+    },
+    {
+      "name": "MailchimpDetector"
+    },
+    {
+      "name": "NpmDetector"
+    },
+    {
+      "name": "OpenAIDetector"
+    },
+    {
+      "name": "PrivateKeyDetector"
+    },
+    {
+      "name": "PypiTokenDetector"
+    },
+    {
+      "name": "SendGridDetector"
+    },
+    {
+      "name": "SlackDetector"
+    },
+    {
+      "name": "SoftlayerDetector"
+    },
+    {
+      "name": "SquareOAuthDetector"
+    },
+    {
+      "name": "StripeDetector"
+    },
+    {
+      "name": "TelegramBotTokenDetector"
+    },
+    {
+      "name": "TwilioKeyDetector"
+    }
+  ],
+  "filters_used": [
+    {
+      "path": "detect_secrets.filters.allowlist.is_line_allowlisted"
+    },
+    {
+      "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies",
+      "min_level": 2
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_indirect_reference"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_likely_id_string"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_lock_file"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_not_alphanumeric_string"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_potential_uuid"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_prefixed_with_dollar_sign"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_sequential_string"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_swagger_file"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_templated_secret"
+    },
+    {
+      "path": "detect_secrets.filters.regex.should_exclude_file",
+      "pattern": [
+        "template/.*\\.jinja$"
+      ]
+    }
+  ],
+  "results": {},
+  "generated_at": "2026-04-07T10:18:44Z"
+}