refactor: move all remaining files to orig/ directory

Completed clean root directory structure:
- Root now contains only: .git, .env, docs/, orig/
- Moved all remaining files and directories to orig/:
  - Config files (.claude, .dockerignore, .drone.yml, etc.)
  - All .env variants (except active .env)
  - Git config (.gitconfig, .github, .gitignore, etc.)
  - Tool configs (.golangci.yml, .revive.toml, etc.)
  - Documentation (*.md files, @prompts)
  - Build files (Dockerfiles, Makefile, go.mod, go.sum)
  - Docker compose files
  - All source directories (scripts, tests, tools, etc.)
  - Runtime directories (logs, monitoring, reports)
  - Dependency files (node_modules, lib, cache)
  - Special files (--delete)

- Removed empty runtime directories (bin/, data/)

V2 structure is now clean:
- docs/planning/ - V2 planning documents
- orig/ - Complete V1 codebase preserved
- .env - Active environment config (not in git)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

orig/.semgrep/rules/go-security-rules.yaml

@@ -0,0 +1,114 @@
+---
+version: v1
+
+rules:
+  - id: go-unsafe-pointer-conversion
+    patterns:
+      - pattern-either:
+          - pattern: |
+              import "unsafe"
+              ...
+              unsafe.Pointer(...)
+          - pattern: |
+              import "unsafe"
+              ...
+              uintptr(...)
+    message: "Unsafe pointer conversion detected. This can cause memory corruption."
+    languages: [go]
+    severity: ERROR
+
+  - id: go-hardcoded-credentials
+    patterns:
+      - pattern-either:
+          - pattern: |
+              "$S0CR3T_$ID"
+          - pattern: |
+              "$S3CR3T_$KEY"
+          - pattern: |
+              "$API_$TOKEN"
+    message: "Hardcoded credential detected. Move to environment variables or secrets manager."
+    languages: [go]
+    severity: ERROR
+
+  - id: go-weak-crypto
+    patterns:
+      - pattern-either:
+          - pattern: |
+              import "crypto/md5"
+              ...
+              md5.New(...)
+          - pattern: |
+              import "crypto/sha1"
+              ...
+              sha1.New(...)
+    message: "Weak cryptographic algorithm detected. Use SHA-256 or higher."
+    languages: [go]
+    severity: ERROR
+
+  - id: go-weak-rng
+    patterns:
+      - pattern-either:
+          - pattern: |
+              import "math/rand"
+              ...
+              rand.Int(...)
+          - pattern: |
+              import "math/rand"
+              ...
+              rand.Seed(...)
+    message: "Weak random number generator detected. Use crypto/rand for security-sensitive random values."
+    languages: [go]
+    severity: ERROR
+
+  - id: go-incorrect-permission
+    patterns:
+      - pattern: |
+          os.Mkdir(..., 0777)
+    message: "Incorrect permission setting. Using 0777 is too permissive."
+    languages: [go]
+    severity: WARNING
+
+  - id: go-incorrect-permission-2
+    patterns:
+      - pattern: |
+          os.Chmod(..., 0777)
+    message: "Incorrect permission setting. Using 0777 is too permissive."
+    languages: [go]
+    severity: WARNING
+
+  - id: go-tls-insecure-skip-verify
+    patterns:
+      - pattern: |
+          &tls.Config{InsecureSkipVerify: true}
+    message: "Insecure TLS configuration detected. InsecureSkipVerify bypasses certificate validation."
+    languages: [go]
+    severity: ERROR
+
+  - id: go-printf-direct-fmt-string
+    patterns:
+      - pattern: |
+          fmt.Printf($USER_INPUT, ...)
+    message: "Direct use of user input in format string. This can lead to format string vulnerabilities."
+    languages: [go]
+    severity: ERROR
+
+  - id: go-sql-injection
+    patterns:
+      - pattern: |
+          db.Query($USER_INPUT, ...)
+    message: "Potential SQL injection vulnerability. Use parameterized queries instead."
+    languages: [go]
+    severity: ERROR
+
+  - id: go-integer-overflow
+    patterns:
+      - pattern-either:
+          - pattern: |
+              $VAR := int32($INPUT)
+          - pattern: |
+              $VAR := int16($INPUT)
+          - pattern: |
+              $VAR := int8($INPUT)
+    message: "Potential integer overflow/underflow. Consider checking input bounds."
+    languages: [go]
+    severity: WARNING