Add security and git policies, make repo a model example

- Never commit secrets; comprehensive .gitignore with fetch URL
- Never force-push to main
- go mod tidy before committing
- make hooks target with Go repo detection
- Add .editorconfig, .prettierrc, .prettierignore
- Template files URL for new repo setup

.editorconfig

@@ -0,0 +1,12 @@
+root = true
+
+[*]
+indent_style = space
+indent_size = 4
+end_of_line = lf
+charset = utf-8
+trim_trailing_whitespace = true
+insert_final_newline = true
+
+[Makefile]
+indent_style = tab

.gitignore

@@ -1,5 +1,21 @@
+# OS
 .DS_Store
+Thumbs.db
+
+# Editors
 *.swp
 *.swo
 *~
+*.bak
+.idea/
+.vscode/
+*.sublime-*
+
+# Node
 node_modules/
+
+# Environment / secrets
+.env
+.env.*
+*.pem
+*.key

.prettierignore

@@ -0,0 +1,2 @@
+node_modules/
+yarn.lock

.prettierrc

@@ -0,0 +1,3 @@
+{
+    "tabWidth": 4
+}

Makefile

@@ -1,4 +1,4 @@
-.PHONY: test lint fmt fmt-check check docker
+.PHONY: test lint fmt fmt-check check docker hooks
 
 PRETTIER := yarn run prettier
 
@@ -19,3 +19,11 @@ check: test lint fmt-check
 
 docker:
 	docker build -t prompts .
+
+hooks:
+	@printf '#!/bin/sh\nset -e\n' > .git/hooks/pre-commit
+	@if [ -f go.mod ]; then \
+		printf 'go mod tidy\ngo fmt ./...\ngit diff --exit-code -- go.mod go.sum || { echo "go mod tidy changed files; please stage and retry"; exit 1; }\n' >> .git/hooks/pre-commit; \
+	fi
+	@printf 'make check\n' >> .git/hooks/pre-commit
+	@chmod +x .git/hooks/pre-commit

REPO_POLICIES.md

@@ -12,8 +12,10 @@ Version: 2026-02-22
 
 - Every repo with software must have a root `Makefile` with these targets:
   `make test`, `make lint`, `make fmt` (writes), `make fmt-check`
-  (read-only), `make check` (prereqs: `test`, `lint`, `fmt-check`), and
+  (read-only), `make check` (prereqs: `test`, `lint`, `fmt-check`),
-  `make docker`.
+  `make docker`, and `make hooks` (installs pre-commit hook). A model
+  Makefile is at
+  `https://git.eeqj.de/sneak/prompts/raw/branch/main/Makefile`.
 
 - Always use Makefile targets (`make fmt`, `make test`, `make lint`, etc.)
   instead of invoking the underlying tools directly. The Makefile is the
@@ -43,9 +45,20 @@ Version: 2026-02-22
 
 - `main` must always pass `make check`, no exceptions.
 
+- Never commit secrets. `.env` files, credentials, API keys, and
+  private keys must be in `.gitignore`. No exceptions.
+
+- `.gitignore` should be comprehensive from the start: OS files
+  (`.DS_Store`), editor files (`.swp`, `*~`), language build artifacts,
+  and `node_modules/`. Fetch the standard `.gitignore` from
+  `https://git.eeqj.de/sneak/prompts/raw/branch/main/.gitignore`
+  when setting up a new repo.
+
 - Never use `git add -A` or `git add .`. Always stage files explicitly
   by name.
 
+- Never force-push to `main`.
+
 - Make all changes on a feature branch. You can do whatever you want on
   a feature branch.
 
@@ -84,7 +97,8 @@ Version: 2026-02-22
 
 - First commit of a new repo should contain only `README.md`.
 
-- Go module root: `sneak.berlin/go/<name>`.
+- Go module root: `sneak.berlin/go/<name>`. Always run `go mod tidy`
+  before committing.
 
 - Use SemVer.
 
@@ -112,6 +126,10 @@ Version: 2026-02-22
     - `static/` — static assets (images, fonts, etc.)
     - `web/` — web frontend source
 
+- When setting up a new repo, files from the `prompts` repo may be used
+  as templates. Fetch them from
+  `https://git.eeqj.de/sneak/prompts/raw/branch/main/<filename>`.
+
 - New repos must contain at minimum:
     - `README.md`, `.git`, `.gitignore`, `.editorconfig`
     - `REPO_POLICIES.md` (copy from the `prompts` repo)