chore: add governance files (SECURITY, CHANGELOG, CODEOWNERS, PR template)

Closes governance gaps surfaced by the automated-assessment run:
- SECURITY.md: private vulnerability reporting (advisories + email)
- CHANGELOG.md: Keep-a-Changelog format with an Unreleased bucket
- .github/CODEOWNERS: default reviewer team per area
- .github/PULL_REQUEST_TEMPLATE.md: summary/test-plan/checklist

Covers: GH-3, GH-5, GW-05, GW-06, ER-44.
Signed-off-by: Sebastian Mendel <info@sebastianmendel.de>

Author: CybotTM

.github/CODEOWNERS

@@ -0,0 +1,15 @@
+# See https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-security/customizing-your-repository/about-code-owners
+# Order matters — the last matching rule wins.
+
+# Default reviewers for anything not matched below.
+*                           @netresearch/coding-agents
+
+# Python package, audit, detection.
+/cli_audit/                 @netresearch/coding-agents
+/audit.py                   @netresearch/coding-agents
+
+# Installer and upgrade orchestration.
+/scripts/                   @netresearch/coding-agents
+
+# CI, release, security automation.
+/.github/                   @netresearch/coding-agents

.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,37 @@
+<!--
+Thanks for the contribution! Keep this template terse — reviewers read it.
+-->
+
+## Summary
+
+<!-- 1–3 bullets describing the change and why it's needed. -->
+
+## Linked issues / PRs
+
+<!-- Closes #123, Relates to #456 -->
+
+## Type of change
+
+- [ ] Bug fix (`fix:`)
+- [ ] New feature (`feat:`)
+- [ ] Refactor / internal change (`refactor:`)
+- [ ] Docs only (`docs:`)
+- [ ] Chore / CI / deps (`chore:`)
+- [ ] Breaking change (describe migration below)
+
+## Test plan
+
+<!-- Commands you ran and their result. Prefer automated over manual. -->
+
+- [ ] `uv run pytest`
+- [ ] `uv run python -m flake8 cli_audit tests`
+- [ ] `./scripts/test_smoke.sh`
+- [ ] Manual scenario: …
+
+## Checklist
+
+- [ ] Conventional Commits (`type(scope): description`)
+- [ ] Commits signed (`git commit -S --signoff`)
+- [ ] `CHANGELOG.md` updated for user-visible changes
+- [ ] Relevant `AGENTS.md` files updated if structure / commands changed
+- [ ] No secrets, credentials, or PII committed

CHANGELOG.md

@@ -0,0 +1,28 @@
+# Changelog
+
+All notable changes to this project are documented in this file.
+
+The format is loosely based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
+and the project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [Unreleased]
+
+### Added
+- Governance files: `SECURITY.md`, `CODEOWNERS`, PR template, `CHANGELOG.md`.
+- `.github/workflows/codeql.yml`, `scorecard.yml`, `dependency-review.yml` for supply-chain scanning.
+- `.pre-commit-config.yaml` for local hook enforcement.
+- README badges (CI, Codecov, License).
+- AGENTS.md structural sections (Commands, Setup, Testing, Architecture, Development).
+- Per-cycle `auto_update` storage for multi-version tools (`python@3.13` vs `python@3.14`).
+- Persistent endoflife.date cache at `~/.cache/cli-audit/endoflife.json` with fallback on HTTP failure.
+- Binary-probe fallback in `guide.sh` when the post-install snapshot refresh is stale.
+
+### Fixed
+- `cmd_update_local` in MERGE mode now refreshes multi-version cycle entries (`python@3.14`, …) instead of only the base-tool entry. Resolved false-negative "Upgrade did not succeed" messages after successful uv installs.
+
+### Changed
+- Upgraded 23 locked Python dev-dependencies to latest compatible versions (bandit 1.9.4, mypy 1.20.1, isort 8.0.1, rich 15.0, coverage 7.13.5, …).
+
+## Prior history
+
+See [git log](https://github.com/netresearch/coding_agent_cli_toolset/commits/main) for commits prior to this changelog. Tagged releases: [Releases page](https://github.com/netresearch/coding_agent_cli_toolset/releases).

SECURITY.md

@@ -0,0 +1,30 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+Please **do not** open a public issue for security-relevant findings.
+
+Use one of the following instead:
+
+- **Preferred:** [Privately report a vulnerability](https://github.com/netresearch/coding_agent_cli_toolset/security/advisories/new) via GitHub.
+- Or email `security@netresearch.de` with details and steps to reproduce.
+
+You should receive an acknowledgement within 3 working days. We will confirm the
+issue, agree on disclosure timelines with you, and publish a fix + GitHub
+Security Advisory once the fix is available.
+
+## Scope
+
+In scope: code in this repository, published releases of `cli-audit`, the
+installation / audit / upgrade scripts under `scripts/`, and anything that
+would let an attacker execute code on or exfiltrate data from a machine that
+runs `make upgrade` / `audit.py` against trusted upstream sources.
+
+Out of scope: vulnerabilities in third-party tools installed via the `install_*`
+scripts (report those upstream), bugs that are only reachable by an attacker
+with shell-level access to the machine running this toolkit.
+
+## Supported Versions
+
+Security fixes target the latest tagged release on the `main` branch. Older
+tags do not receive backports.