
Audit & optimize repo settings for public launch#7

Merged
dhilgaertner merged 2 commits into main from feature/citadel-helm-5-audit-repo-settings
Mar 9, 2026

Conversation


@dhilgaertner dhilgaertner commented Mar 9, 2026

Summary

  • Switch license from Apache 2.0 to MIT (Copyright 2025 Radius Method)
  • Add CODEOWNERS (* @radiusmethod/engineering)
  • Add GitHub issue templates (bug report, feature request) and PR template
  • Add kubelinter step to CI lint workflow
  • Add Renovate config for automated dependency updates
  • Remove Code of Conduct section from CONTRIBUTING.md

Closes #5

Test plan

  • helm lint . --set citadel.secretKey=test passes
  • helm template citadel . --set citadel.secretKey=test renders correctly
  • CI lint workflow passes (including new kubelinter step)
  • Issue templates render correctly on GitHub
  • CODEOWNERS is recognized by GitHub

🤖 Generated with Claude Code

dhilgaertner and others added 2 commits March 9, 2026 16:13

Switch license from Apache 2.0 to MIT, add community health files
(CODEOWNERS, issue/PR templates), configure Renovate for dependency
updates, and add kubelinter to CI pipeline.

Closes #5

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Lint only our own templates (not postgresql subchart) and exclude checks
for resource limits, read-only root fs, and latest tags that don't apply
to init containers and test pods in CI.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

@dgershman dgershman left a comment


Code & Security Review

Critical Issues

None.

Security Review

Strengths:

  • License change from Apache 2.0 to MIT is clean and valid (Copyright 2025 Radius Method)
  • Issue templates remind users to redact secrets in bug reports (.github/ISSUE_TEMPLATE/bug_report.yml:29)
  • kubelinter addition catches Kubernetes security misconfigurations in CI
  • CODEOWNERS ensures PRs get reviewed by @radiusmethod/engineering

Concerns:

  • kubelinter install uses /releases/latest (.github/workflows/lint.yaml:31) — this downloads whatever the latest version is at runtime, which means builds aren't reproducible and a compromised release could affect CI. Consider pinning to a specific version (e.g. v0.7.2) or using the official stackrox/kube-linter-action GitHub Action with a pinned version.
  • kube-linter exclusions are broad (.kube-linter.yaml:4-8) — excluding run-as-non-root, no-read-only-root-fs, and latest-tag globally rather than per-resource means these checks won't fire for any resource, including the main deployment container. The comment says "init containers and test pods" but the exclusions apply chart-wide. Consider scoping exclusions to specific objects if possible, or at least updating the comment to reflect the actual scope.
  • kubelinter binary downloaded over HTTPS without checksum verification (.github/workflows/lint.yaml:31) — no integrity check on the downloaded binary. Lower risk since it's from GitHub releases, but worth noting.

Code Quality

  • Issue templates are well-structured with appropriate required fields
  • PR template includes useful checklist (chart version bump, docs update, changelog)
  • Renovate config is minimal and uses recommended defaults — good
  • Removing the Code of Conduct section from CONTRIBUTING.md is fine (it was just a one-liner)
  • README.md license reference updated to match — consistent

Summary Table

Priority  | Issue
🟡 Yellow | kubelinter installed from /latest — pin version for reproducible builds
🟡 Yellow | kube-linter exclusions are chart-wide, not scoped to init containers as comment suggests
🟢 Green  | No checksum verification on kubelinter binary download

Recommendation: Approve — This is a solid repo hygiene PR. The kubelinter version pinning is worth addressing in a follow-up but isn't blocking. All changes are well-organized and appropriate for a public launch.
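The first and third concerns above (pin the release, verify the binary before it lands on PATH) as a hardened install step. This is an added example, not the chart's own lint.yaml; the asset name kube-linter-linux, the v0.7.2 pin and the digest value are assumptions to be confirmed against the pinned release page.

```shell
#!/usr/bin/env sh
# Hardened kube-linter install for CI (added example, not the project's workflow).
# The weak form downloads .../releases/latest/download/... with no digest check,
# so the build picks up whatever was published most recently.
set -eu

KUBE_LINTER_VERSION="v0.7.2"   # assumption: pin to a reviewed release, never /latest
# Placeholder: copy the real digest from the pinned release page into CI config.
KUBE_LINTER_SHA256="${KUBE_LINTER_SHA256:-REPLACE_WITH_DIGEST_FROM_RELEASE_PAGE}"

# Print the hex SHA-256 of a file; works with sha256sum (Linux) or shasum (macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_digest FILE EXPECTED: return 0 on match; on mismatch log, delete the
# file so a tampered artifact can never be installed, and return 1.
verify_digest() {
  actual=$(sha256_of "$1")
  if [ "$actual" != "$2" ]; then
    echo "checksum mismatch for $1: expected $2, got $actual" >&2
    rm -f "$1"
    return 1
  fi
  return 0
}

# Network access only happens here; nothing below is run at script load.
install_kube_linter() {
  url="https://github.com/stackrox/kube-linter/releases/download/${KUBE_LINTER_VERSION}/kube-linter-linux"
  curl -fsSL --retry 3 -o kube-linter "$url"
  verify_digest kube-linter "$KUBE_LINTER_SHA256"
  chmod +x kube-linter
  sudo mv kube-linter /usr/local/bin/kube-linter
}

# In the workflow step (assumed layout: chart templates under templates/):
#   install_kube_linter && kube-linter lint --config .kube-linter.yaml templates/
```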

@dhilgaertner dhilgaertner merged commit b56dc34 into main Mar 9, 2026
1 check passed
@dhilgaertner dhilgaertner deleted the feature/citadel-helm-5-audit-repo-settings branch March 9, 2026 22:05


Development

Successfully merging this pull request may close these issues.

Audit and optimize GitHub repo settings for public open-source launch
