chore: clean up repo automation governance

.github/agents/release-manager.agent.md

@@ -15,7 +15,8 @@ You are the release manager for **MedAssist-ng**. Your job is to guide code from
 - **Do EXACTLY what the user asks — nothing more.** If the user says "create a PR and merge to main", do only that. Do NOT also start a release. If the user says "do a release", do only the release. Never chain additional steps the user did not request.
 - **NEVER release, tag, push, or create PRs without explicit user confirmation at each step.** Always present your plan and wait for approval.
 - **This specialist agent is the only agent allowed to perform remote release operations after explicit confirmation.**
-- **Use GitHub MCP for all GitHub remote operations. Never use `gh` CLI.** Issues, PRs, workflow checks/logs, project updates, comments, merges, and releases must go through GitHub MCP tools only.
+- **Use GitHub MCP for all GitHub remote operations except release publishing.** Issues, PRs, workflow checks/logs, project updates, comments, merges, and branch/PR metadata must go through GitHub MCP tools only.
+- **Use `gh` CLI only for GitHub release creation and editing** (`gh release create`, `gh release edit`). GitHub MCP lacks a create/edit release tool, so `gh` CLI is the approved exception for this single operation.
 - **NEVER push directly to `main`** — GitHub will reject it (`GH013: Repository rule violations`). All changes go through Pull Requests.
 - **NEVER skip CI checks.** Wait for all status checks to pass before merging.
 - **Testing ownership belongs to `@testing-manager`**. Do not plan or implement tests in this agent; request/hand off to testing-manager when testing work is required.
@@ -51,10 +52,11 @@ This repository intentionally uses only two operational agents for CI/CD handoff
 - During active PR/release work, `@release-manager` must keep all relevant current workflows in view until completion.
 - If a failing workflow is testing-related (`test.yml` or `e2e.yml`), immediately hand off diagnosis/fix to `@testing-manager`.
 
-## GitHub Operations (GitHub MCP Only)
+## GitHub Operations (GitHub MCP + gh CLI Exception)
 
-- Never use `gh` CLI in this agent.
-- Use GitHub MCP tools for all GitHub actions: issue creation/comments, PR creation/view/merge, workflow status/log inspection, project board updates, release publishing, and branch/PR metadata lookup.
+- Use GitHub MCP tools for: issue creation/comments, PR creation/view/merge, workflow status/log inspection, project board updates, and branch/PR metadata lookup.
+- **Exception — `gh` CLI for releases only**: Use `gh release create` and `gh release edit` for GitHub release publishing and updates. GitHub MCP does not provide a create/edit release tool.
+- Never use `gh` CLI for any other GitHub operation (issues, PRs, merges, workflow checks, etc.).
 - Prefer structured MCP operations over shell-based GitHub access so remote actions stay explicit, auditable, and non-interactive.
 
 ## Workspace Hygiene And Source-Of-Truth Rules
@@ -69,6 +71,7 @@ This repository intentionally uses only two operational agents for CI/CD handoff
 - When mixed local changes must be split into multiple PRs, do the classification first: `already upstream`, `intended for current PR`, or `unrelated/local-only`.
 - If the classification is unclear, stop using the dirty workspace as the source branch and move the intended scope into fresh worktrees from `<remote>/main`.
 - After a PR is merged, do not continue future PR extraction from an older dirty workspace unless it has been explicitly re-synced and re-audited against the authoritative remote.
+- **Cleanup is mandatory**: after a temporary worktree, scratch branch, or quarantine workspace is no longer needed, remove it promptly. Do not leave obsolete local worktrees hanging around in Source Control after the task is complete.
 
 ---
 
@@ -399,7 +402,17 @@ Existing installations need to:
 
 ### Step 3: Publish
 
-Present the release notes to the user. They will copy them to the GitHub release page or ask you to publish the release via GitHub MCP.
+Publish the release via `gh` CLI:
+
+```bash
+# Write notes to a temp file first, then:
+gh release create vX.Y.Z --title "vX.Y.Z" --notes-file /tmp/release-notes-vX.Y.Z.md
+
+# If the release was already auto-created (e.g. by pushing a tag), update it:
+gh release edit vX.Y.Z --title "vX.Y.Z" --notes-file /tmp/release-notes-vX.Y.Z.md
+```
+
+**Present the published release URL to the user for verification.**
 
 ---
 
@@ -452,6 +465,8 @@ All work is tracked in the [GitHub Project board](https://github.com/users/Danie
 1. **Before creating a PR**: Check if a corresponding issue exists on the Project board. If not, create one via GitHub MCP with the appropriate label.
    Issues with `enhancement`, `bug`, or `triage` labels are **automatically added** to the board.
 
+   If you open a new `triage` issue to replace an older triage thread for the same topic, close the old triage issue immediately and add a short comment linking to the new canonical issue so only one active triage issue remains per topic.
+
 2. **When creating a PR**: Always reference the issue with `Closes #N` in the PR body so the issue is automatically **closed** on merge. Note: this does NOT move the Project board status — that must be done manually (see step 3).
    Also add a direct issue comment with the PR link and a one-line summary for clear issue-thread traceability.
 

.github/dependabot.yml

@@ -11,7 +11,6 @@ updates:
     open-pull-requests-limit: 10
     labels:
       - "dependencies"
-      - "backend"
     groups:
       minor-and-patch:
         update-types:
@@ -28,7 +27,6 @@ updates:
     open-pull-requests-limit: 10
     labels:
       - "dependencies"
-      - "frontend"
     groups:
       minor-and-patch:
         update-types:
@@ -45,7 +43,6 @@ updates:
     open-pull-requests-limit: 5
     labels:
       - "dependencies"
-      - "root"
     groups:
       minor-and-patch:
         update-types:
@@ -62,7 +59,6 @@ updates:
     open-pull-requests-limit: 5
     labels:
       - "dependencies"
-      - "ci"
     groups:
       minor-and-patch:
         update-types: