docs: Complete U5 (Multi-Scale Coherence) documentation parity with U1-U4

- Added full U5 section to 02-CANONICAL-CONSTRAINTS.md with same depth as U1-U4
  * Intuition, Formal Definition, Physical Derivation
  * Implementation code examples
  * Valid/invalid examples and anti-patterns
  * Test specifications and related documentation

- Updated all grammar documentation files (33+ files) to reflect U5
  * MASTER-INDEX.md: System overview and conceptual hierarchy
  * 08-QUICK-REFERENCE.md: Constraint box, decision tree, examples
  * 06-VALIDATION-AND-TESTING.md: Coverage checklist and requirements
  * 01-FUNDAMENTAL-CONCEPTS.md: Learning path references
  * GLOSSARY.md: Grammar definition and sequence validation
  * EXECUTIVE-SUMMARY.md: Business value and constraint count

- Updated technical implementation documentation
  * 05-TECHNICAL-IMPLEMENTATION.md: Architecture and validation logic
  * 04-VALID-SEQUENCES.md: Validation algorithms and notes
  * 07-MIGRATION-AND-EVOLUTION.md: Phase 3 current state, breaking changes

- Updated operator classification references
  * Added RECURSIVE_GENERATORS and SCALE_STABILIZERS to all relevant docs
  * Updated all code docstrings from 'U1-U4' to 'U1-U5'
  * Updated Summary Table and Complete Validation Example

- Implementation note: U5 already exists in codebase (grammar.py)
  * Tests exist (test_u5_multiscale_coherence.py)
  * This commit achieves documentation completeness only

Physics basis: C_parent >= α·ΣC_child (hierarchical coherence conservation)
U5 requirement: Deep REMESH (depth>1) needs IL/THOL within ±3 operators

Refs: AGENTS.md (Invariant #7: Operational Fractality), UNIFIED_GRAMMAR_RULES.md

Author: fer

.codeql/codeql-config.yml

@@ -0,0 +1,47 @@
+# CodeQL Configuration
+# This file configures CodeQL analysis for the TNFR Python Engine repository
+
+name: "TNFR CodeQL Configuration"
+
+# Use the default security-and-quality query suite
+queries:
+  - uses: security-and-quality
+
+# Query filters to suppress false positives
+query-filters:
+  # Suppress incomplete URL substring sanitization in test files
+  # Context: Test files use 'module_name in sys.modules' pattern for test
+  # isolation (clearing module cache), not for URL validation. CodeQL
+  # incorrectly flags this as CWE-020 (Incomplete URL substring sanitization).
+  # This is a false positive - the code performs module management, not
+  # security validation.
+  - exclude:
+      id: py/incomplete-url-substring-sanitization
+      paths:
+        - "tests/**/*.py"
+      reason: "Test files use module path checking for test isolation, not URL validation"
+  
+  # Suppress ineffectual statement warnings for Protocol method stubs
+  # Context: Python Protocol classes use ellipsis (...) as method body to define
+  # structural contracts for type checking. These are not ineffectual statements
+  # but required typing patterns per PEP 544 (Protocol).
+  # Affected files: types.py (13 stubs), node.py (6 stubs)
+  - exclude:
+      id: py/ineffectual-statement
+      paths:
+        - "src/tnfr/types.py"
+        - "src/tnfr/node.py"
+      reason: "Protocol method definitions use ellipsis as valid structural contract stubs (PEP 544)"
+  
+  # Suppress ineffectual statement warnings for @overload signatures
+  # Context: Python @overload decorator (PEP 484) requires function signatures
+  # with ellipsis body to define type variants. The actual implementation follows
+  # these signatures. These are not ineffectual but required typing patterns.
+  # Affected files: trace.py, utils/data.py, metrics/trig.py (6 overload stubs)
+  - exclude:
+      id: py/ineffectual-statement
+      paths:
+        - "src/tnfr/trace.py"
+        - "src/tnfr/utils/data.py"
+        - "src/tnfr/metrics/trig.py"
+      reason: "@overload signatures use ellipsis as valid type variant stubs (PEP 484)"

.env.example

@@ -0,0 +1,59 @@
+# TNFR Engine Environment Configuration
+# Copy this file to .env and fill in your actual values
+# NEVER commit .env files with real credentials to version control
+
+# ============================================================================
+# Development Configuration
+# ============================================================================
+
+# PyPI Publishing Configuration (for release scripts)
+# Use API tokens for enhanced security: https://pypi.org/help/#apitoken
+PYPI_USERNAME=__token__
+PYPI_PASSWORD=pypi-XXXXXXXXXXXXXXXXXXXXXXXX  # Your PyPI API token
+PYPI_API_TOKEN=pypi-XXXXXXXXXXXXXXXXXXXXXXXX  # Alternative name
+TWINE_USERNAME=__token__
+TWINE_PASSWORD=pypi-XXXXXXXXXXXXXXXXXXXXXXXX  # Your PyPI API token
+PYPI_REPOSITORY=pypi  # or 'testpypi' for testing
+
+# GitHub Configuration (for security dashboard and CI scripts)
+GITHUB_TOKEN=ghp_XXXXXXXXXXXXXXXXXXXXXXXX  # GitHub Personal Access Token
+GITHUB_REPOSITORY=fermga/TNFR-Python-Engine  # Format: owner/repo
+
+# Redis Configuration (for RedisCacheLayer with authentication)
+REDIS_HOST=localhost
+REDIS_PORT=6379
+REDIS_PASSWORD=your-redis-password-here
+REDIS_DB=0
+REDIS_USE_TLS=false
+
+# Cache Signing Configuration (for hardened cache security)
+# Generate a strong random secret: python -c "import secrets; print(secrets.token_hex(32))"
+TNFR_CACHE_SECRET=  # 64-character hex string recommended
+
+# ============================================================================
+# TNFR Engine Configuration
+# ============================================================================
+
+# Logging Configuration
+TNFR_LOG_LEVEL=INFO  # DEBUG, INFO, WARNING, ERROR, CRITICAL
+
+# Reproducibility Configuration
+TNFR_RANDOM_SEED=42  # For deterministic simulations
+
+# Performance Configuration
+TNFR_BACKEND=numpy  # numpy, jax, or torch
+TNFR_CACHE_ENABLED=true
+
+# ============================================================================
+# Security Best Practices
+# ============================================================================
+#
+# 1. NEVER commit this file with real credentials
+# 2. Use API tokens instead of passwords where possible
+# 3. Rotate credentials regularly
+# 4. Use different credentials for development, staging, and production
+# 5. Store production secrets in secure secret management systems
+# 6. Grant minimal necessary permissions to all tokens
+# 7. Revoke tokens immediately if compromised
+#
+# For more information, see SECURITY.md