feat: add security scanning, PR template, pre-commit hooks, and AGENTS.md (#1)

* feat: add security scanning, PR template, pre-commit hooks, and AGENTS.md

- Add CodeQL security scanning workflow with weekly schedule
- Add dependency review for pull requests
- Create comprehensive PR template with testing checklist
- Install Husky and lint-staged for pre-commit hooks
- Add AGENTS.md with AI agent guidelines and coding standards

* fix: make dependency review non-blocking until Dependency graph is enabled

Add continue-on-error: true to prevent PR blocking when Dependency graph
is not enabled in repository settings. Added comment explaining the
required setup for full functionality.

Author: spencer-hong

.github/pull_request_template.md

@@ -0,0 +1,36 @@
+## Summary
+<!-- Brief description of changes -->
+
+## Type of Change
+- [ ] Bug fix (non-breaking change that fixes an issue)
+- [ ] New feature (non-breaking change that adds functionality)
+- [ ] Breaking change (fix or feature that would cause existing functionality to not work as expected)
+- [ ] Documentation update
+- [ ] Refactoring (no functional changes)
+- [ ] Performance improvement
+- [ ] Test coverage improvement
+
+## Related Issues
+<!-- Link to related issues: Fixes #123, Closes #456 -->
+
+## Testing
+- [ ] Unit tests added/updated
+- [ ] Integration tests added/updated
+- [ ] Storybook stories added/updated (for UI changes)
+- [ ] Manual testing completed
+- [ ] E2E tests added/updated (for critical user flows)
+
+## Checklist
+- [ ] Code follows project style guidelines (ESLint, Prettier)
+- [ ] Self-review completed
+- [ ] Documentation updated (if applicable)
+- [ ] No new TypeScript errors (`npx nx typecheck <package>`)
+- [ ] All existing tests pass (`npx nx test <package>`)
+- [ ] GraphQL schema changes are backward compatible (if applicable)
+- [ ] Database migrations are properly structured (if applicable)
+
+## Screenshots/Videos
+<!-- If applicable, add screenshots or videos to demonstrate the changes -->
+
+## Additional Notes
+<!-- Any additional context or notes for reviewers -->

.github/workflows/security.yaml

@@ -0,0 +1,57 @@
+name: Security Scan
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+  schedule:
+    - cron: '0 0 * * 0'
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
+
+jobs:
+  codeql:
+    name: CodeQL Analysis
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    permissions:
+      security-events: write
+      contents: read
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: javascript-typescript
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: "/language:javascript-typescript"
+
+  # NOTE: Dependency Review requires the Dependency graph to be enabled in the repository settings.
+  # To enable: Repository Settings > Security > Code security > Dependency graph (Enable)
+  # Without this setting, the job will fail but won't block the PR due to continue-on-error.
+  dependency-review:
+    name: Dependency Review
+    runs-on: ubuntu-latest
+    if: github.event_name == 'pull_request'
+    timeout-minutes: 10
+    continue-on-error: true
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Dependency Review
+        uses: actions/dependency-review-action@v4
+        with:
+          fail-on-severity: high

.husky/pre-commit

@@ -0,0 +1 @@
+npx lint-staged