automation: add branch protection guide, roadmap, tagging helper, release workflow

Author: CalorieApp Maintainer

.github/workflows/release.yml

@@ -0,0 +1,70 @@
+name: Release (Tagged)
+
+on:
+  push:
+    tags:
+      - "v*"
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: "Tag to release (e.g. v0.1.1-testnet)"
+        required: false
+
+permissions:
+  contents: write
+
+jobs:
+  create-release:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Derive tag
+        id: vars
+        run: |
+          if [ -n "${{ github.event.inputs.tag }}" ]; then
+            echo "tag=${{ github.event.inputs.tag }}" >> $GITHUB_OUTPUT
+          else
+            echo "tag=${GITHUB_REF##*/}" >> $GITHUB_OUTPUT
+          fi
+          echo "version=${GITHUB_REF##*/}" >> $GITHUB_OUTPUT
+
+      - name: Find release note
+        id: note
+        run: |
+          TAG="${{ steps.vars.outputs.tag }}"
+          BASE=${TAG#v}
+          FILE="docs/RELEASE_NOTE_${BASE//./_^^}.md"
+          # Fallback to testnet uppercase transform
+          if [ ! -f "$FILE" ]; then
+            ALT="docs/RELEASE_NOTE_${BASE//./_ | tr '[:lower:]' '[:upper:]' }.md"
+          fi
+          if [ -f "$FILE" ]; then
+            echo "path=$FILE" >> $GITHUB_OUTPUT
+          else
+            echo "path=CHANGELOG.md" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Read body
+        id: body
+        run: |
+          BODY_PATH="${{ steps.note.outputs.path }}"
+          echo "Using body file: $BODY_PATH"
+          echo 'BODY<<EOF' >> $GITHUB_OUTPUT
+          sed 's/\r$//' "$BODY_PATH" >> $GITHUB_OUTPUT
+          echo 'EOF' >> $GITHUB_OUTPUT
+
+      - name: Create Release
+        uses: softprops/action-gh-release@v1
+        with:
+          tag_name: ${{ steps.vars.outputs.tag }}
+          name: ${{ steps.vars.outputs.tag }}
+          draft: false
+          prerelease: true
+          body: ${{ steps.body.outputs.BODY }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Summary
+        run: echo "Release published for ${{ steps.vars.outputs.tag }}" >> $GITHUB_STEP_SUMMARY

docs/BRANCH_PROTECTION_GUIDE.md

@@ -0,0 +1,69 @@
+# Branch Protection & PR Workflow Guide
+
+## Purpose
+Establish a minimal, testnet-appropriate workflow that prevents direct pushes to `main`, enforces review, and preserves repository integrity while in beta.
+
+## Recommended Settings (GitHub > Settings > Branches > Branch protection rules)
+1. Protected Branch: `main`
+2. Require a pull request before merging: ENABLE
+   - Require approvals: 1 (increase to 2 post-team expansion)
+   - Dismiss stale approvals on new commits: ENABLE
+   - Require review from Code Owners (optional if CODEOWNERS added)
+3. Require status checks to pass before merging: ENABLE
+   - Required checks: `CI (ubuntu-latest / Python 3.12)`, `CI (windows-latest / Python 3.12)`, `lint`, `codeql`
+   - Optionally add coverage threshold checks later.
+4. Require branches to be up to date before merging: ENABLE (prevents merging outdated PR base)
+5. Require signed commits: OPTIONAL (enable if enforcing signature policy)
+6. Require linear history: ENABLE (no merge commits; squash or rebase only)
+7. Include administrators: ENABLE (ensures consistency)
+8. Restrict who can push to matching branches: ENABLE (limit to release automation if needed)
+9. Lock branch: DISABLED (still in active development)
+
+## Pull Request Workflow
+1. Create feature or fix branch: `feature/<short-topic>` or `chore/<task>`.
+2. Implement changes with small logical commits.
+3. Run local tests: `pytest -q` and lint: `flake8 src tests`.
+4. Open PR targeting `main`; include concise summary, risk section, and test evidence.
+5. Ensure required checks pass (CI matrix & lint). Fix issues before requesting review.
+6. Reviewer validates:
+   - No accidental inclusion of deferred modules from `src/_deferred/`.
+   - No secrets or wallet data artifacts.
+   - Feature flags respected for experimental code.
+7. Merge strategy: **Squash** (recommended for beta) for clean history.
+
+## Emergency Fix Protocol
+For critical testnet breakages:
+1. Branch `hotfix/<issue>` from `main`.
+2. Minimal patch only; no feature additions.
+3. PR with clear justification; expedite single approval.
+4. Post-merge, create follow-up issue for root cause analysis.
+
+## Release Tagging
+1. Prepare release branch `release/v0.1.1-testnet`.
+2. Update `src/VERSION.py`, `CHANGELOG.md`, create `docs/RELEASE_NOTE_<VERSION>.md`.
+3. PR merge.
+4. Tag: `git tag -a v0.1.1-testnet -m "0.1.1-testnet <focus>"; git push origin v0.1.1-testnet`.
+5. GitHub Release auto-generated by workflow (see `.github/workflows/release.yml`).
+
+## Deferred Feature Safeguards
+Before enabling `ENABLE_WEB3_BROWSER` or `ENABLE_CALORIE_DB`:
+1. Security review of dependencies & data flow.
+2. Add tests ensuring no sensitive leakage.
+3. Document activation rationale and rollback plan.
+4. Enable flag ONLY via PR with explicit reviewer sign-off.
+
+## Prohibited in PRs
+| Action | Reason |
+|--------|--------|
+| Committing wallet seed/mnemonic | Security risk |
+| Reintroducing removed backup files | Privacy breach |
+| Activating deferred features silently | Undocumented surface expansion |
+| Bypassing tests/lint with forced merges | Stability regression |
+
+## Future Enhancements
+- CODEOWNERS for security-sensitive paths.
+- Coverage threshold enforcement (>70% for core modules).
+- Secret scanning action on PR (GitHub Advanced Security or third-party).
+
+## Testnet Disclaimer
+All merges assume testnet-only operation; production deployment requires separate audit phase and explicit version bump out of `-testnet` suffix.

docs/ROADMAP_NEXT_MILESTONE.md

@@ -0,0 +1,48 @@
+# Roadmap: Next Milestone (Target: v0.1.1-testnet)
+
+## Objective
+Incremental quality improvements: visual polish, accessibility, performance profiling, preparatory groundwork for optional CalorieDB activation.
+
+## Pillars
+1. Visual Consistency & Spacing
+2. Accessibility & Contrast
+3. XRPL Performance Profiling
+4. Deferred Feature Security Modeling
+5. Release Automation Maturity
+
+## Detailed Items
+| Category | Task | Notes |
+|----------|------|-------|
+| Visual | Normalize padding across form screens | Use consistent dp scale helpers |
+| Visual | Introduce design tokens (colors, spacing) | Centralize in `src/core/design_tokens.py` |
+| Accessibility | Contrast audit (AA baseline) | Add script to scan KV color usage |
+| Accessibility | Keyboard focus ring improvements | Extend `AccessibleButton` styling |
+| Performance | Profile XRPL failover latency | Add timed metrics & histogram logging |
+| Performance | Cache trustline queries | Reduce repeated `AccountLines` calls |
+| CalorieDB | Threat model draft | Document data surfaces & encryption boundaries |
+| CalorieDB | Anonymization verification tests | Ensure removal of PII before public sync |
+| Release Automation | Enforce PR-only tag creation | Guard via branch protection + workflow checks |
+| Tooling | Add secret scanning workflow | GitHub action or trufflehog integration |
+| Testing | Expand unit tests for feature flags | Ensure disabled state blocks imports |
+
+## Stretch Goals
+- WalletConnect Phase 1 session handshake sandbox.
+- Dynamic theme accessibility auto-adjust (contrast-aware palette fallback).
+- Basic metric export endpoint (local debug only).
+
+## Risks & Mitigations
+| Risk | Mitigation |
+|------|------------|
+| Premature CalorieDB exposure | Keep flags false; add activation checklist |
+| UI regression from spacing refactor | Snapshot KV layout diff; gradual module approach |
+| Performance tuning introduces race conditions | Add deterministic test harness wrappers |
+
+## Exit Criteria (v0.1.1-testnet)
+- All visual spacing tasks merged.
+- Contrast audit summary committed.
+- XRPL latency metrics recorded & baseline documented.
+- CalorieDB threat model doc approved.
+- Release automation workflow validated via dry-run.
+
+## Audit Reminder
+No production token/value features until post-threat model & second security audit.