Orchestration: CI, tests, security, and governance improvements

[Ladas]

Current maturity score: 1/5

This repository contains 23 container images (13 A2A agents + 10 MCP tools) with near-zero test coverage and zero security scanning. The high number of published images makes the security gap especially concerning.

Top 5 gaps

1. Zero security scanning — 0/9 applicable tools. 23 Docker images are built and pushed to ghcr.io without any container scanning, no SAST, no Hadolint for the 23 Dockerfiles.
2. Tests commented out in CI — The pytest step in ci.yaml is commented out. Only 1 real test file exists for 23 services. Dependency updates needed (including replacing an abandoned Go library).
3. No pre-commit config — No .pre-commit-config.yaml exists. No local quality gates.
4. 0% SHA-pinned actions — All 8 GitHub Actions references use tag-only pinning. ci.yaml has no permissions: declaration.
5. No Dependabot — 21 pyproject.toml files, 1 go.mod, 23 Dockerfiles, and 2 workflows have no automated dependency updates.

Recommended phase order

1. orchestrate:precommit — Add pre-commit with ruff, bandit, hadolint, shellcheck, yamllint, gitleaks
2. orchestrate:tests — Add pytest suites for agents/tools; add pytest-cov; uncomment CI test step
3. orchestrate:ci — SHA-pin actions, add permissions, add Trivy, dependabot, scorecard
4. orchestrate:security — Add CODEOWNERS, SECURITY.md
5. orchestrate:replicate — CLAUDE.md, .claude/settings.json, skills

Context

• Scan report generated by orchestrate:scan skill
• Umbrella issue: Org-wide orchestration: CI, tests, security, and governance across all repos kagenti#841
• Scan skill PR: Add orchestrate and onboard skill families with comprehensive CI blueprint kagenti#691