cleanup: move org automation to private .github-private (MERGE LAST) #148

Open

haasonsaas wants to merge 1 commit into main from cleanup/move-automation-to-private

Conversation

@haasonsaas

Contributor

Move org automation out of public .github

evalops/.github is public because it hosts the org profile and public default
community-health files. It also exposed internal automation: the full service
catalog (services.yaml), the PR-lens review engine and webhook relay
(.github/scripts/), 16 review/guardrail workflows, contracts, routing config,
and the test suite. This PR removes that automation from the public repo.

The engine was copied (clean copy, no history) into the new private repo
evalops/.github-private, which is now the repo of record. Dispatch targets,
PR_LENS_APP_REPOSITORIES, the webhook relay default, reusable-workflow helper
checkouts, contract owner_repo, and the review-targets central_repo were all
repointed to .github-private there.

What this PR removes

  • services.yaml
  • .github/scripts/ (14 Ruby scripts)
  • .github/workflows/ (16 workflows)
  • .github/contracts/, .github/evalopsbot-review-targets.yml, .github/pr-lens-routing.yml
  • AGENTS.md, test/, labels.yml, renovate-config.json, scripts/check-positioning.mjs
  • .github/codex/, .github/agent-mcp/, .github/workflow-templates/
  • .github/ISSUE_TEMPLATE/, .github/pull_request_template.md, .github/CODEOWNERS, .github/actionlint.yaml

What stays public

  • profile/ (the org page and operating-convention docs) — unchanged
  • SECURITY.md — unchanged
  • README.md — minimized; points maintainers to evalops/.github-private

Note on community-health defaults

.github/ISSUE_TEMPLATE/, .github/pull_request_template.md, and
.github/workflow-templates/ were genuine public community-health defaults that
downstream public repos without their own copies inherit. They are removed here
because the end state is "profile + README + SECURITY only," and the
workflow-templates referenced reusable workflows (uses: evalops/.github/...@main)
that are being removed. If the org wants to keep default issue/PR templates
public, they can be re-added in a separate PR without the sensitive engine.
Downstream public repos that reference uses: evalops/.github/.github/workflows/*@main
will need to repoint or vendor those workflows; .github-private is private and
cannot be referenced as a public reusable workflow.

⚠️ MERGE THIS PR LAST

This PR must be the last step. Until it merges, the live review pipeline
keeps running on evalops/.github.

Safe merge order

  1. Scope secrets to .github-private and confirm its workflows run green on a
    manual workflow_dispatch. Secret checklist:
    • EVALOPS_PR_LENS_TOKEN (org, visibility selected) — add .github-private to its selected repos.
    • Repo-level secrets present on evalops/.github (EVALOPS_ORG_READ_TOKEN,
      EVALOPS_ORG_WRITE_TOKEN, EVALOPS_PR_LENS_TOKEN, ANTHROPIC_API_KEY) — recreate on .github-private.
    • ANTHROPIC_API_KEY (org, visibility private) already covers private repos.
    • Verify the App-auth path (EVALOPS_PR_LENS_APP_ID/_PRIVATE_KEY/_INSTALLATION_ID)
      and the EVALOPS_REVIEW_GUARD_TOKEN/EVALOPS_LABEL_SYNC_TOKEN/EVALOPS_MCP_ROLLOUT_TOKEN
      fallbacks resolve on .github-private.
    • Full checklist with gh commands is in the .github-private README.
  2. Merge the evalops/deploy relay-repoint PR (cleanup/relay-target-github-private)
    and redeploy the Cloudflare worker (terraform apply on 50-cloudflare-security).
  3. Merge this PR.

Out of scope

The old public git history of this repo still contains services.yaml
(metadata only — no secrets). A history scrub is a separate, optional decision
and is not part of this PR.

🤖 Generated with Claude Code

Remove the internal org automation engine from the public evalops/.github and
leave only the org profile and minimal README/SECURITY. The engine now lives in
the private repo evalops/.github-private.

Removed (moved to .github-private):
- services.yaml (internal service catalog)
- .github/scripts/ (14 Ruby helper scripts: PR-lens engine, webhook relay, guardrails)
- .github/workflows/ (16 review + guardrail workflows)
- .github/contracts/, .github/evalopsbot-review-targets.yml, .github/pr-lens-routing.yml
- AGENTS.md, test/, labels.yml, renovate-config.json, scripts/check-positioning.mjs
- .github/codex/, .github/agent-mcp/, .github/workflow-templates/,
  .github/ISSUE_TEMPLATE/, .github/pull_request_template.md, .github/CODEOWNERS,
  .github/actionlint.yaml

Kept public: profile/, README.md (minimized), SECURITY.md.

MERGE LAST. See PR body for safe merge order.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
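A pre-merge check for the cut-over described in the "Safe merge order" list and the downstream-repoint note above, added here as an example and not part of this PR or the evalops tooling. It takes the output of `gh secret list -R evalops/.github-private` (the listing below is a constructed sample) and reports which secret names from the checklist are absent, then scans a downstream checkout for uses: references to the public evalops/.github that will break once this merges; the workflow file and the name example-review.yml are constructed for the demo.

```shell
#!/usr/bin/env bash
# Pre-merge sanity check for moving the review engine to evalops/.github-private.
# Not the project's own tooling: an added example that runs offline on constructed data.
set -eu

# Secret names taken from the PR's "Safe merge order" checklist.
REQUIRED_SECRETS="EVALOPS_PR_LENS_TOKEN EVALOPS_ORG_READ_TOKEN EVALOPS_ORG_WRITE_TOKEN ANTHROPIC_API_KEY"

# missing_secrets "<output of: gh secret list -R evalops/.github-private>"
# Prints each required secret name that does not appear in the listing, one per line.
missing_secrets() {
  listing="$1"
  for name in $REQUIRED_SECRETS; do
    printf '%s\n' "$listing" | awk '{print $1}' | grep -qx "$name" || printf '%s\n' "$name"
  done
  return 0
}

# public_reusable_refs <checkout-dir>
# Prints file:line:text for every `uses:` that still points at the public evalops/.github,
# i.e. reusable workflows that stop existing after this PR merges.
public_reusable_refs() {
  find "$1" -type f \( -name '*.yml' -o -name '*.yaml' \) -exec grep -H -n -E \
    '^[[:space:]]*-?[[:space:]]*uses:[[:space:]]*evalops/\.github/' {} + || true
}

# Constructed sample of `gh secret list` output: two of the four secrets are present.
SAMPLE_LISTING='EVALOPS_PR_LENS_TOKEN  Updated 2026-06-09
ANTHROPIC_API_KEY      Updated 2026-06-09'

# Constructed downstream checkout with one public reusable-workflow reference.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
mkdir -p "$tmp/.github/workflows"
cat > "$tmp/.github/workflows/review.yml" <<'EOF'
jobs:
  review:
    uses: evalops/.github/.github/workflows/example-review.yml@main
  checkout:
    uses: actions/checkout@v4
EOF

echo "Required secrets missing on the target repo:"
missing_secrets "$SAMPLE_LISTING"
echo "Workflows still referencing the public evalops/.github:"
public_reusable_refs "$tmp"
```

Replace SAMPLE_LISTING with real `gh secret list -R evalops/.github-private` output and point public_reusable_refs at a downstream repo checkout to run it for real.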
@cursor

cursor Bot commented Jun 9, 2026


PR Summary

High Risk
Large deletion of org-wide CI, review bots, contracts, and public reusable workflow/template surfaces; merge order and downstream uses: repoints are critical to avoid breaking reviews and guardrails.

Overview
Strips internal org automation from public evalops/.github so the repo is effectively profile docs, SECURITY.md, and a slim README that sends maintainers to private evalops/.github-private.

Removed in bulk: services.yaml, the full .github/scripts/ Ruby control plane (PR lens review, EvalOpsBot webhook relay, engineering-practices audit, review-thread guard, review-feedback sentinel, Codex hooks/publishers, etc.), 16 workflows, contracts (engineering-practices, org-control-plane), EvalOpsBot/PR-lens routing config, issue/PR templates, CODEOWNERS, Codex prompts/schemas, agent MCP templates, and related tests/tooling.

Operational impact: Until sibling repoint/secret work lands and this merges last (per PR notes), downstream repos still depending on uses: evalops/.github/... or public community defaults lose those surfaces from this repo; the live pipeline is intended to keep running on .github until the final merge.

Reviewed by Cursor Bugbot for commit 84b2b6e.
