docs: update release readiness docs

CHANGELOG.md

@@ -2,7 +2,7 @@
 
 All notable changes to agent-rules-kit will be documented in this file.
 
-This project has no public release yet.
+This project has no stable public release yet.
 
 ## [Unreleased]
 
@@ -14,40 +14,63 @@ This project has no public release yet.
 - Initial CLI entrypoint with version and help behavior.
 - CLI smoke tests.
 - Local check script for syntax, tests, text hygiene, and Git whitespace checks.
+- GitHub Actions CI workflow using `local-checks / Python 3.12`.
 - AGENTS.md with mandatory AI assistant operating rules.
 - SECURITY.md with explicit security boundaries and non-goals.
+- SUPPORT.md with pre-release support boundaries.
 - CONTRIBUTING.md with Genesis and Always-Green workflow rules.
+- GitHub issue templates and pull request template.
+- Diagnostic fixtures for supported and risky instruction file scenarios.
+- Finding model for diagnostic output.
+- Instruction file discovery for `AGENTS.md`, `CLAUDE.md`, `GEMINI.md`, Cursor rules, GitHub Copilot instructions, and GitHub instruction files.
+- `check` command with console output.
+- JSON output for `check`.
+- Markdown output for `check`.
+- Secret-like value redaction helpers and tests.
+- `init --dry-run` planning behavior.
+- Explicit `init --write` behavior for root `AGENTS.md`.
+- Backup behavior before replacing an existing root `AGENTS.md`.
+- Path boundary tests for discovery and init write behavior.
+- Threat model in `docs/THREAT-MODEL.md`.
+- Public README with real CLI screenshots, command examples, safety boundaries, quality gates, maintainer workflow, and optional support badge.
 
 ### Security
 
 - Runtime boundaries documented: read-only by default, no network behavior, no LLM dependency, and no execution of commands from analyzed repositories.
-- Secret-like findings must be redacted.
+- `check` and `init --dry-run` documented as non-writing behavior.
+- `init --write` documented as explicit write behavior only.
+- Existing root `AGENTS.md` is backed up before replacement.
+- Secret-like values are redacted in supported output paths.
+- Path boundary tests cover root-only init write behavior and repository-relative discovery paths.
+- Threat model documents assets, trust boundaries, threats, mitigations, and residual risk.
 - The project is explicitly documented as not a security scanner and as providing no security guarantees.
 
 ### Changed
 
-- Nothing yet.
+- Replaced the inception README with a public README reflecting implemented behavior and verified output examples.
+- Updated security and support documentation from local-inception wording to current pre-release public repository status.
 
 ### Deprecated
 
-- Nothing yet.
+- No deprecated entries.
 
 ### Removed
 
-- Nothing yet.
+- No removed entries.
 
 ### Fixed
 
-- Nothing yet.
+- Corrected release-readiness documentation that still referred to future write behavior after `init --write` had been implemented.
+- Corrected stale local-inception wording in support and security documentation.
 
 ## Release policy
 
-Before the first public release, the maintainer must verify:
+Before the first stable public release, the maintainer must verify:
 
 - local checks pass;
-- CI passes;
+- CI passes for the release SHA;
 - README reflects actual behavior;
-- SECURITY.md has a real reporting channel or clearly documents the absence of one;
+- SECURITY.md has a private reporting channel or clearly documents the absence of one;
 - CHANGELOG.md describes the released changes;
 - version number matches pyproject.toml and package metadata;
 - no unsupported security, production, or maturity claims are present.

SECURITY.md

@@ -21,9 +21,12 @@ The project must preserve these boundaries:
 - no network access in runtime behavior;
 - no LLM dependency in runtime behavior;
 - no execution of commands from analyzed repositories;
-- no modification of analyzed repositories unless a future explicit write mode is intentionally designed;
+- no unsupported security claims;
 - no printing of raw secrets;
-- no unsupported security claims.
+- no file modification during `check`;
+- no file modification during `init --dry-run`;
+- file modification only through explicit `init --write` user intent;
+- existing root `AGENTS.md` must be backed up before replacement.
 
 ## Secret handling
 
@@ -35,11 +38,13 @@ Use fake examples only.
 
 ## Reporting a vulnerability
 
-This repository is currently in local inception and has no public release.
+This repository is public but has no stable release and no formal private vulnerability disclosure process yet.
 
-Before public release, a reporting channel must be defined.
+For non-sensitive security boundary issues, open a GitHub issue with a minimal reproduction.
 
-Until then, do not claim that the project has a formal vulnerability disclosure process.
+Do not include secrets, tokens, credentials, cookies, private URLs, customer data, or sensitive repository contents in public issues.
+
+Before a stable public release, the maintainer must define a private reporting channel or enable GitHub Security Advisories.
 
 ## Non-goals
 
@@ -50,11 +55,14 @@ agent-rules-kit does not aim to:
 - scan dependencies for vulnerabilities;
 - validate CI/CD supply chain security;
 - execute repository commands to confirm behavior;
-- inspect private services, credentials, or infrastructure.
+- inspect private services, credentials, or infrastructure;
+- provide complete secret scanning.
 
 ## Maintainer response
 
-Before a public release, the maintainer must define:
+There is no guaranteed security response time before a stable release.
+
+Before a stable public release, the maintainer must define:
 
 - contact channel;
 - expected response time;

SUPPORT.md

@@ -1,16 +1,16 @@
 # Support Policy
 
-agent-rules-kit is currently in local inception and has no public release.
+agent-rules-kit is a pre-release public project with no stable release yet.
 
-There is no formal support channel yet.
+There is no guaranteed support response time.
 
 ## Current status
 
 This project is pre-release software.
 
 At this stage:
 
-- no public release exists;
+- no stable public release exists;
 - no stability guarantee exists;
 - no support response time is promised;
 - no production readiness is claimed;
@@ -20,8 +20,6 @@ At this stage:
 
 agent-rules-kit is a local Python CLI for diagnosing baseline quality of AI agent instruction files in repositories.
 
-It is not a security scanner.
-
 It is intended to help detect missing, weak, duplicated, or risky instruction patterns.
 
 ## What this project is not
@@ -74,9 +72,11 @@ The following requests are out of scope unless a maintainer explicitly approves
 
 Security-sensitive reports should follow SECURITY.md.
 
-Before public release, the maintainer must define whether GitHub Security Advisories are enabled and what contact channel should be used.
+For non-sensitive security boundary issues, open a GitHub issue with a minimal reproduction.
+
+Do not include secrets, tokens, credentials, cookies, private URLs, customer data, or sensitive repository contents in public issues.
 
-Until that is defined, do not claim that this project has a formal vulnerability disclosure process.
+Before a stable public release, the maintainer must define whether GitHub Security Advisories are enabled and what private contact channel should be used.
 
 ## Maintainer note