Restructure repository for release automation and remove generated artifacts from git

[thomas-bartlett]

Removes generated IDE files from git (treating them as build artifacts), reorganizes source rules for clarity, and implements a manual release workflow that builds artifacts on-demand.

---

Key Changes

1. Repository Structure

Before: rules/ and additional_rules/owasp/ mixed source and generated files

After:

• sources/core/ - 22 curated rules (released by default)
• sources/owasp/ - 86 supplementary rules (optional)
• dist/ - Generated IDE bundles (not committed)
• skills/ - Claude Code plugin (committed, distributed via plugin system)

Removed duplicates: Deleted 2 OWASP rules (codeguard-0-iac-security.md, codeguard-0-logging.md) already present in core.

---

2. Generated Files No Longer Committed

Deleted: 66 IDE-specific files (.cursor/, .windsurf/, .github/instructions/)

Why treat IDE formats as build artifacts:

• Single source of truth (sources/ only)
• Cleaner git history (no auto-generated commits)
• Reduces repo size and noise in diffs

Exception: skills/ (Claude Code plugin) remains committed for plugin distribution

---

3. Release Process: Manual Instead of Automated

Old: Auto-generated IDE rules on every push, auto-committed back to repo

New: Manual version bump → create GitHub release → CI builds and uploads ZIPs

Why no automated release PRs:

• Cleaner git history (no "chore: regenerate rules" commits)
• Explicit control over releases (conscious decision, not automatic)
• Versioned artifacts attached to GitHub releases (immutable)

---

4. Technical Improvements

New scripts:

• validate_versions.py (132 lines) - Version validation
• convert_to_ide_formats.py (339 lines) - Replaces unified_to_all.py with better validation

Workflows:

• Deleted: generate-ide-rules.yml (no longer needed)
• Added: validate-rules.yml (runs on PRs, validates without committing)
• Added: build-ide-bundles.yml (runs on release, builds ZIPs)

[Copilot]

Pull Request Overview

This PR restructures the repository to separate source rules from generated IDE bundles, implementing a manual release workflow instead of automated commits. The key change is treating IDE-specific formats as build artifacts (not committed to git), while keeping only the unified source rules (sources/) and Claude Code plugin (skills/) in version control.

Key Changes:

• Reorganized repository: rules/ → sources/core/ and sources/owasp/, generated output → dist/
• Removed IDE-generated files from git (.cursor/, .windsurf/, .github/instructions/)
• Implemented manual release workflow with version validation and artifact building
• Renamed and enhanced unified_to_all.py → convert_to_ide_formats.py with better validation

Reviewed Changes

Copilot reviewed 86 out of 197 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
src/validate_versions.py	New script for validating version consistency across pyproject.toml and plugin metadata files
src/validate_unified_rules.py	Updated to recursively validate rules in sources/ directory structure
src/unified_to_all.py	Deleted; replaced by convert_to_ide_formats.py
src/formats/claudecode.py	Removed outputs_to_ide_rules() method (no longer needed)
src/formats/base.py	Removed outputs_to_ide_rules() method from base class
src/converter.py	Removed outputs_to_ide_rules field from FormatOutput dataclass
src/convert_to_ide_formats.py	New conversion script with enhanced validation, Claude Code handling, and multi-source support
ide_rules/*	All generated IDE rule files deleted (now build artifacts in dist/)
docs/getting-started.md	Updated installation instructions for new release ZIP structure
docs/faq.md	Updated references from additional_rules/ to sources/owasp/
docs/claude-code-skill-plugin.md	Updated documentation for new build process and directory structure
additional_rules/owasp/*	Two duplicate rule files deleted (already in core)
README.md	Updated with new repository structure and developer workflow
.github/workflows/generate-ide-rules.yml	Deleted automated rule generation workflow

Comments suppressed due to low confidence (1)

src/validate_versions.py:1

• [nitpick] The condition uses not in which checks substring existence. For marker validation in structured files, consider using a more explicit check that validates both markers are present and properly ordered (start_marker appears before end_marker). This would catch cases where markers exist but are in wrong order or duplicated.

#!/usr/bin/env python3

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[Copilot]

Pull Request Overview

Copilot reviewed 86 out of 197 changed files in this pull request and generated 1 comment.

Comments suppressed due to low confidence (1)

src/validate_versions.py:1

• Corrected error message text from 'Invalid SKILLS.md template' to 'Invalid SKILL.md template' since the actual filename is 'SKILL.md' (singular), not 'SKILLS.md'.

#!/usr/bin/env python3

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[santosomar]

The restructure looks good. We will need to carefully document it everywhere.