Initial WatchLink scaffold

docs/agent-handoff.md

@@ -0,0 +1,11 @@
+# Agent Handoff
+
+## Current State
+
+Initial implementation created from `codex-agent-repository-kit` guidance.
+
+## Notes
+
+- The kit was read and applied as a source template, not kept as a project dependency.
+- npm and Docker were not available in the initial local shell, so dependency installation and Docker verification may need a machine with those tools in PATH.
+- `GITEA_TOKEN` may be available locally, but it must not be printed or committed.

docs/release-checklist.md

@@ -0,0 +1,9 @@
+# Release Checklist
+
+- [ ] `npm run release:check` passes.
+- [ ] `docker compose up --build` starts app and Postgres.
+- [ ] First setup works on a clean database.
+- [ ] Gitea Actions are green.
+- [ ] Container image `git.wilkensxl.de/MrSphay/watchlink:latest` is pushed and pull-tested.
+- [ ] README and CHANGELOG are current.
+- [ ] No `.env`, tokens, private keys, or local secrets are tracked.

docs/release-notes.md

@@ -0,0 +1,5 @@
+# Release Notes
+
+## 0.1.0 Draft
+
+Initial pre-release of WatchLink with persistent rooms, account setup, dashboard UI, Prisma schema, Socket.IO realtime server, and Docker packaging.

docs/security-review.md

@@ -0,0 +1,17 @@
+# Security Review
+
+## Scope
+
+WatchLink handles user accounts, password hashes, friendship data, room access rules, media URLs, and realtime playback events.
+
+## Current Controls
+
+- Passwords are hashed with bcrypt.
+- Sessions use HTTP-only signed cookies.
+- Prisma models enforce uniqueness for users, friendships, and room slugs.
+- `.env` files are ignored except `.env.example`.
+- Container publishing expects Gitea `REGISTRY_TOKEN` as a secret.
+
+## Release Review Notes
+
+Fill this section during release readiness work with commands run, CI links, audit results, and any accepted risks.