chore: pre-public scrub ahead of repo visibility flip

.github/workflows/cleanroom-install.yml

@@ -1,6 +1,6 @@
 name: Cleanroom Install Smoke
 
-# INIT-2026-549 — added after the b2/b3 fastapi regression (F-B3-007).
+# [internal-tracker] — added after the b2/b3 fastapi regression (F-B3-007).
 #
 # The `simdrive-ci.yml` job installs `[dev]` extras to run the test suite. That
 # means every CI run has fastapi + sqlalchemy + the full cloud-side dep graph

.github/workflows/codeql.yml

@@ -1,6 +1,6 @@
 name: CodeQL (Python)
 
-# INIT-2026-549 cleanup: salvaged — switched to build-mode: none and scoped
+# [internal-tracker] cleanup: salvaged — switched to build-mode: none and scoped
 # analysis to simdrive/src/. Original failure cause: autobuild ran `pip install`
 # from repo root where no pyproject.toml exists (metadata lives at
 # simdrive/pyproject.toml). Python doesn't need a build for CodeQL extraction,

.github/workflows/security.yml

@@ -1,6 +1,6 @@
 name: Security baseline (pip-audit)
 
-# INIT-2026-549 W1: security CI baseline.
+# [internal-tracker]: security CI baseline.
 # - pip-audit: blocks on HIGH-severity vulns in the resolved dep graph.
 # CodeQL lives in .github/workflows/codeql.yml (separate workflow for the
 # distinct GitHub Code Scanning permissions model).
@@ -17,7 +17,7 @@ name: Security baseline (pip-audit)
 # wire up gitleaks with a license — see docs/security/secret-scanning.md
 # if/when that's added.
 #
-# INIT-2026-549 cleanup (review): paths verified post repo restructure.
+# [internal-tracker] cleanup (review): paths verified post repo restructure.
 # pip-audit consumes simdrive/requirements.lock (exists; pinned in PR #113).
 # If this workflow is red on main, the cause is a real CVE finding in
 # simdrive/requirements.lock — investigate and bump pin, do not mask.
@@ -38,7 +38,7 @@ permissions:
 jobs:
   pip-audit:
     name: pip-audit (HIGH blocks)
-    # INIT-2026-549 cleanup: must be macOS — requirements.lock pins pyobjc-core,
+    # [internal-tracker] cleanup: must be macOS — requirements.lock pins pyobjc-core,
     # which has a source-build dep on macOS frameworks (Quartz/Vision). On
     # ubuntu-latest the audit step fails at the install phase with "PyObjC
     # requires macOS to build" before pip-audit can even read the lock.
@@ -64,15 +64,15 @@ jobs:
         #     responsibility, not the library's). No fix version available.
         #     simdrive does not use pyjwt directly — it's a transitive dep
         #     of `mcp` for its own auth surface, which is not in our control.
-        #     [INIT-2026-549]
+        #
         #   PYSEC-2026-161 / GHSA-86qp-5c8j-p5mr — starlette Host header path
         #     injection advisory (published 2026-05-22). Fix version is 1.0.1
         #     which is not yet available on PyPI as of 2026-05-22. Awaiting
         #     upstream release. simdrive runs as an MCP stdio server — it is
         #     not exposed to external HTTP requests, so exploitability is
         #     effectively zero in our threat model. Re-enable the block once
         #     starlette>=1.0.1 is published and requirements.lock is updated.
-        #     Tracked: [INIT-2026-549]
+        #     Tracked:
         run: |
           pip-audit -r simdrive/requirements.lock \
             --vulnerability-service osv \

.github/workflows/simdrive-ci.yml

@@ -1,6 +1,6 @@
 name: simdrive CI
 
-# INIT-2026-549 W1: expanded test gate.
+# [internal-tracker]: expanded test gate.
 # - Runs `pytest simdrive/tests -m "not live"` (was: tests/test_unit.py only).
 # - Enforces a coverage ratchet floor on the hot-path modules (see simdrive/docs/COVERAGE_RATCHET.md).
 # - Installs simdrive[dev] (which already pins pytest-cov, moto[s3], hypothesis).
@@ -68,7 +68,7 @@ jobs:
             --cov=simdrive.device \
             --cov-report=xml \
             --cov-report=term-missing \
-            --cov-fail-under=90  # Ratchet floor — INIT-2026-549 W4 push to 85% reached 92% on hot-path modules (server.py 70%->94%); floor set 2pp below measured per flake-safety policy.
+            --cov-fail-under=90  # Ratchet floor — [internal-tracker] push to 85% reached 92% on hot-path modules (server.py 70%->94%); floor set 2pp below measured per flake-safety policy.
 
       - name: Upload coverage artifact
         if: always()

.github/workflows/specterqa-ios-publish.yml

@@ -1,6 +1,6 @@
 name: simdrive Publish to PyPI
 
-# INIT-2026-549 W1: tag scheme migrated from `specterqa-ios-v*` to `simdrive-v*`.
+# [internal-tracker]: tag scheme migrated from `specterqa-ios-v*` to `simdrive-v*`.
 # Three pre-publish gates run before the build, in order:
 #   1. version-match    — git tag == simdrive-v<pyproject.version>
 #   2. CHANGELOG head   — first `## [X.Y.Z]` heading == pyproject version

.gitignore

@@ -13,6 +13,9 @@ venv/
 .mypy_cache/
 .pytest_cache/
 .ruff_cache/
+.hypothesis/
+.coverage
+coverage.xml
 *.ips
 
 # LapsApp — Xcode user-specific state (project.pbxproj IS committed)