chore: initial MCP preparation package

14-file blueprint including:
- sources.yml with data source provenance
- 12 golden contract tests with native-language search terms
- 5-6 drift detection anchors
- MCP Registry + npm package configs
- Vercel deployment config (SMALL tier)
- Security policies and issue templates

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

.github/ISSUE_TEMPLATE/data-error.md

@@ -0,0 +1,39 @@
+---
+name: Data Error Report
+about: Report incorrect, missing, or outdated legal data
+title: "[DATA] "
+labels: data-error, triage
+assignees: ''
+---
+
+## Data Error Report
+
+### Which law or provision is affected?
+
+**Law/Act name:**
+**Section/Article number:**
+**Jurisdiction:** IL
+
+### What is wrong?
+
+- [ ] Incorrect text
+- [ ] Missing provision
+- [ ] Outdated version (amendment not reflected)
+- [ ] Incorrect citation/URL
+- [ ] Missing cross-reference
+- [ ] Other (describe below)
+
+### Expected content
+
+Please provide the correct text or a link to the official source:
+
+### Official source URL
+
+Link to the authoritative source showing the correct content:
+
+### Additional context
+
+Any other information that would help us fix this issue.
+
+---
+*This MCP uses automated drift detection to catch upstream changes. If you're seeing stale data, it may already be flagged in our monitoring.*

.github/SECURITY-SETUP.md

@@ -0,0 +1,49 @@
+# Security Setup Guide (Internal)
+
+## Required Secrets
+
+Configure these secrets in the GitHub repository settings:
+
+| Secret | Purpose | Source |
+|--------|---------|--------|
+| `NPM_TOKEN` | npm publishing with provenance | npm.js account (Ansvar org) |
+| `VERCEL_TOKEN` | Vercel deployment | Vercel dashboard |
+| `VERCEL_ORG_ID` | Vercel organization | Vercel dashboard |
+| `VERCEL_PROJECT_ID` | Vercel project | Vercel dashboard |
+
+## MCP Registry Publishing
+
+Registry publishing uses Azure Key Vault for signing:
+
+- **Vault:** `kv-ansvar-dev`
+- **Key:** `mcp-registry-signing-key`
+- **Algorithm:** ECDSA P-384
+- **DNS Auth:** `ansvar.eu` TXT record
+
+To publish:
+```bash
+mcp-publisher login dns azure-key-vault \
+  --domain="ansvar.eu" \
+  --vault "kv-ansvar-dev" \
+  --key "mcp-registry-signing-key"
+
+mcp-publisher publish
+```
+
+## Branch Protection
+
+Enable these rules on `main`:
+- Require pull request reviews (1 reviewer)
+- Require status checks to pass (ci, contract-tests)
+- Require branches to be up to date
+- Do not allow bypassing the above settings
+
+## Security Scanning
+
+All 6 scanners are configured in `.github/workflows/ci.yml`:
+- CodeQL (semantic SAST)
+- Semgrep (pattern SAST)
+- Trivy (dependency CVE)
+- Gitleaks (secret detection)
+- Socket Security (supply chain)
+- OSSF Scorecard (security posture)

.github/SECURITY.md

@@ -0,0 +1,34 @@
+# Security Policy
+
+## Supported Versions
+
+| Version | Supported          |
+| ------- | ------------------ |
+| 1.x.x   | :white_check_mark: |
+
+## Reporting a Vulnerability
+
+If you discover a security vulnerability in Israel Law MCP, please report it responsibly:
+
+1. **Do NOT open a public issue**
+2. Email **security@ansvar.eu** with:
+   - Description of the vulnerability
+   - Steps to reproduce
+   - Potential impact
+3. You will receive acknowledgment within 48 hours
+4. We aim to provide a fix within 7 days for critical issues
+
+## Data Accuracy
+
+For data accuracy issues (incorrect legal text, missing provisions, stale data), please use our [data error issue template](https://github.com/Ansvar-Systems/israel-law-mcp/issues/new?template=data-error.md).
+
+## Scope
+
+This policy covers:
+- The npm package `@ansvar/israel-law-mcp`
+- The Vercel deployment at `https://israel-law-mcp.vercel.app`
+- The MCP server code in this repository
+
+Out of scope:
+- The upstream legal data sources themselves
+- Third-party dependencies (report to their maintainers)