diff --git a/.github/workflows/secret-scan.yml b/.github/workflows/secret-scan.yml
index dd0b133..01a1cd8 100644
--- a/.github/workflows/secret-scan.yml
+++ b/.github/workflows/secret-scan.yml
@@ -1,18 +1,17 @@
 name: Secret Scan
 
-# Private-tier-free alternative to GitHub Advanced Security secret scanning.
-# Runs gitleaks on every PR and push to main; blocks the CI if leaked secrets
-# are detected. Replaces the GHAS-only `secret_scanning` feature without
-# requiring a paid plan.
-
 on:
   pull_request:
   push:
     branches:
       - main
+      - master
+      - "codex/**"
+  workflow_dispatch:
 
 permissions:
   contents: read
+  pull-requests: read
 
 jobs:
   gitleaks:
@@ -23,7 +22,6 @@ jobs:
         uses: actions/checkout@v6
         with:
           fetch-depth: 0
-
       - name: Run gitleaks
         uses: gitleaks/gitleaks-action@v2
         env:
diff --git a/.mailmap b/.mailmap
new file mode 100644
index 0000000..c1c4900
--- /dev/null
+++ b/.mailmap
@@ -0,0 +1 @@
+Warren Edward Trepp <warrenetrepp.primary@gmail.com> <noreply@anthropic.com>
diff --git a/LICENSE b/LICENSE
index b977875..bab7b68 100644
--- a/LICENSE
+++ b/LICENSE
@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2026 Warren Trepp
+Copyright (c) 2026 Warren Edward Trepp
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
diff --git a/README.md b/README.md
index 8d3ce78..98a81cb 100644
--- a/README.md
+++ b/README.md
@@ -1,141 +1,88 @@
-<h3 align="center">wt</h3>
-<p align="center">Per-repo hooks, shell integration, project-aware prompt, and operator event bridge — one install for every repo.</p>
-
-<p align="center">
-  <a href="https://warrencommand.dev"><img src="https://img.shields.io/badge/warrencommand.dev-0a1220?style=for-the-badge&logoColor=white" alt="Website" /></a>
-  <a href="https://github.com/wtchronos/wt-cli/blob/main/LICENSE"><img src="https://img.shields.io/badge/license-MIT-blue?style=for-the-badge" alt="MIT License" /></a>
-  <img src="https://img.shields.io/badge/Go-00ADD8?style=for-the-badge&logo=go&logoColor=white" alt="Go" />
-</p>
-
----
-
-### What this is
-
-A single Go binary that turns any git repo into a `wt`-aware project via a `.wt.toml` file. Shell integration auto-loads project aliases + env when you `cd` in, git hook dispatchers fire declared commands on lifecycle events, and an operator bridge emits structured events to a remote surface (Cortix) with local JSONL queue + replay for offline reliability.
-
-Built for one person's workflow across ~20 repos on Mac + VPS. Public because the shape is general.
-
----
-
-## Quick Install
-
-```bash
-curl -fsSL https://raw.githubusercontent.com/wtchronos/wt-cli/main/install.sh | sh
+# ⚡ wt-cli // WARREN TERMINAL CLI
+
+```text
+┌──────────────────────────────────────────────────────────────────────────────┐
+│  WT_CLI                                               // WTCHRONOS CONTROL SURFACE       │
+├──────────────────────────────────────────────────────────────────────────────┤
+│  mode: local-first      branch: main               license: MIT           │
+│  posture: sovereign     scan: gitleaks          operator: Warren Trepp       │
+└──────────────────────────────────────────────────────────────────────────────┘
 ```
 
-Or build from source:
-
-```bash
-go install github.com/wtchronos/wt-cli@latest
+[![Secret Scan](https://github.com/wtchronos/wt-cli/actions/workflows/secret-scan.yml/badge.svg)](https://github.com/wtchronos/wt-cli/actions/workflows/secret-scan.yml)
+[![Last Commit](https://img.shields.io/github/last-commit/wtchronos/wt-cli?color=00ffae)](https://github.com/wtchronos/wt-cli/commits)
+[![License](https://img.shields.io/github/license/wtchronos/wt-cli?color=ff2d75)](LICENSE)
+
+### [ SYSTEM STATUS ]
+
+```text
+┌─ REPOSITORY TELEMETRY ───────────────────────────────────────────────────────┐
+│ namespace        wtchronos/wt-cli                                      │
+│ default branch   main                                                     │
+│ identity map     .mailmap enforced                                           │
+│ secret posture   GitHub Action history scan                                  │
+│ license target   MIT                                                      │
+│ social preview   Command Overlay hero                                        │
+└──────────────────────────────────────────────────────────────────────────────┘
 ```
 
-## Commands
-
-| Command | Purpose |
-|---|---|
-| `wt init` | Create `.wt.toml` + install git hook dispatchers |
-| `wt status` | Project overview — git state, hooks, aliases, scripts, env |
-| `wt run <script>` | Run a named script from `[scripts]` with project env |
-| `wt deploy [target]` | Deploy via `[scripts] deploy` + emit operator events |
-| `wt health` | Check project + operator health |
-| `wt emit <type> <msg>` | Send events to operator surface (Cortix) |
-| `wt events` | Show local event log |
-| `wt sync` | Flush queued events to operator surface |
-| `wt env show/export` | Display or inject project environment variables |
-| `wt shell init <shell>` | Emit eval-able shell integration (bash/zsh/fish) |
-| `wt hook run <event>` | Run project hooks for a git/lifecycle event |
-| `wt prompt` | Print colored prompt segment |
-| `wt aliases --load/--unload` | Project-scoped shell aliases |
-| `wt completion <shell>` | Shell completions |
-| `wt agent` | Query Cortix for active services and agent status |
-| `wt log [-n 10] [-f] [-s source]` | Tail unified ops log (events, ops, audit) |
-| `wt intent <desc> [-p P0/P1/P2]` | Submit intent to Cortix intent bridge |
-| `wt version` | Version info |
-
-## Config (`.wt.toml`)
-
-Place in any git repo root. `wt` walks ancestors to find the nearest config.
-
-```toml
-[project]
-name = "kairos-w"
-
-[prompt]
-segment = '{{cyan (printf "[%s] " .Project.Name)}}'
-
-[hooks.git]
-pre-commit = ["uv run ruff check ."]
-post-checkout = ["./scripts/sync.sh"]
-post-merge = ["uv run pip install -r requirements.txt"]
-
-[hooks.enter]
-commands = ["echo entering {{.Project.Name}}"]
-
-[hooks.leave]
-commands = []
-
-[aliases]
-t = "PYTHONPATH=. uv run pytest tests/ -q"
-lint = "uv run ruff check . --fix"
-deploy = "bash scripts/deploy-rotation-fix.sh"
-
-[env]
-PYTHONPATH = "."
-KAIROS_ENV = "development"
-
-[scripts]
-test = "PYTHONPATH=. uv run pytest tests/ -q"
-lint = "uv run ruff check . --fix"
-deploy = "bash scripts/deploy-rotation-fix.sh"
-health = "bash scripts/regression-guard.sh"
-
-[operator]
-cortix_url = "https://command.warrencommand.dev"
-tags = ["active", "python"]
+Operational signal: `go.mod`.
+
+### [ MODULE ARCHITECTURE ]
+
+```text
+                         ┌────────────────────────┐
+                         │   OPERATOR REQUEST     │
+                         └───────────┬────────────┘
+                                     │
+                                     ▼
+┌──────────────────────────────────────────────────────────────────────────────┐
+│ repo surface                                                                  │
+│ README · LICENSE · SECURITY · .mailmap · workflows                            │
+└───────────────┬──────────────────────────────────────────────────────────────┘
+                │
+                ▼
+┌──────────────────────────────────────────────────────────────────────────────┐
+│ implementation layer                                                          │
+│ source files · scripts · docs · receipts · local state                        │
+└───────────────┬──────────────────────────────────────────────────────────────┘
+                │
+                ▼
+┌──────────────────────────────────────────────────────────────────────────────┐
+│ proof layer                                                                   │
+│ pull request checks · secret scan · operator review · release notes           │
+└──────────────────────────────────────────────────────────────────────────────┘
 ```
 
-## Shell Setup
-
-```bash
-# Zsh — add to ~/.zshrc
-eval "$(wt shell init zsh)"
+```text
+TELEMETRY GRID
 
-# Bash — add to ~/.bashrc
-eval "$(wt shell init bash)"
-
-# Fish
-wt shell init fish | source
+  [identity]──.mailmap──────┐
+  [license ]──LICENSE───────┼──► GitHub repository trust surface
+  [proof   ]──secret-scan───┘
+  [docs    ]──README──────────► operator scan path
 ```
 
-This gives you:
-- Auto-load/unload aliases when you `cd` into/out of a wt project
-- Auto-inject `[env]` variables per project
-- `wtr` shortcut for `wt run`
-- Project-aware prompt segment
-
-## Operator Integration
-
-The `[operator]` block connects your project to the operator surface (Cortix).
-
-```bash
-# Emit events
-wt emit deploy "shipped v2.1"
-wt emit test "142 tests passing" --meta branch=main,coverage=87
+### [ OPERATIONAL PROTOCOLS ]
 
-# Check health (project + operator)
-wt health
-
-# Flush queued events
-wt sync
-
-# Deploy with event emission
-wt deploy
+```text
+01  clone repository
+02  inspect README + SECURITY + workflows
+03  run repo-native checks before code changes
+04  keep secrets in provider vaults or local env files only
+05  use pull requests for every durable change
 ```
 
-Events are structured JSON with source, type, project, tags, and metadata.
-When Cortix is unreachable, events queue locally to `.wt/events.jsonl`
-and replay on `wt sync`.
+Repository rules:
+
+| Control | Standard |
+| --- | --- |
+| Identity | `Warren Edward Trepp <warrenetrepp.primary@gmail.com> <noreply@anthropic.com>` |
+| Topics | `ai-agent`, `sovereign-compute`, `autonomous-systems`, `mcp` |
+| License | `MIT` |
+| Secret scan | `.github/workflows/secret-scan.yml` |
+| Current aesthetic | Cyberpunk Minimalist / Technical Elite |
 
-## License
+Social preview:
 
-MIT
+Upload the Command Overlay hero image in GitHub at **Settings > General > Social preview**. Use the same visual treatment as this README: dark terminal field, crisp border grid, repository name, and `WARREN TERMINAL CLI` as the subtitle.
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000..5628fbd
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,23 @@
+# Security Policy
+
+## Secret Handling
+
+Do not commit API keys, tokens, passwords, private keys, `.env` files, or credential exports.
+
+If a secret is committed, treat it as exposed:
+
+1. Revoke or rotate the provider-side credential.
+2. Remove the current-branch reference with a normal PR.
+3. Decide separately whether history rewrite is worth the coordination cost.
+4. Keep remediation notes redacted; use fingerprints, commit ids, and file paths instead of values.
+
+## Reporting
+
+Open a private GitHub issue in this repository with:
+
+- affected path,
+- commit id,
+- credential provider,
+- redacted fingerprint,
+- rotation status,
+- current-branch cleanup status.