diff --git a/.github/workflows/copilot-setup-steps.yml b/.github/workflows/copilot-setup-steps.yml
new file mode 100644
index 0000000..aae93d2
--- /dev/null
+++ b/.github/workflows/copilot-setup-steps.yml
@@ -0,0 +1,82 @@
+---
+name: "Copilot Setup Steps"
+
+# Auto-run when changed (for validation) and allow manual runs via the
+# Actions tab.
+'on':
+ workflow_dispatch:
+ push:
+ paths:
+ - .github/workflows/copilot-setup-steps.yml
+ pull_request:
+ paths:
+ - .github/workflows/copilot-setup-steps.yml
+
+jobs:
+ # The job MUST be named exactly `copilot-setup-steps`.
+ copilot-setup-steps:
+ # Default runner. If you provision larger runners, change to the label
+ # (e.g., ubuntu-4-core).
+ runs-on: ubuntu-latest
+
+ # Minimal permissions. Copilot receives its own token at runtime.
+ permissions:
+ contents: read
+
+ # Keep under 59 minutes per Copilot constraints.
+ timeout-minutes: 30
+
+ steps:
+ - name: Checkout repository (with LFS)
+ uses: actions/checkout@v4
+ with:
+ lfs: true
+
+ # Cache-aware Node setup by lockfile (supports npm/pnpm/yarn)
+ - name: Set up Node.js (npm)
+ if: ${{ hashFiles('**/package-lock.json') != '' }}
+ uses: actions/setup-node@v4
+ with:
+ node-version: '22'
+ cache: 'npm'
+
+ - name: Set up Node.js (pnpm)
+ if: ${{ hashFiles('**/pnpm-lock.yaml') != '' }}
+ uses: actions/setup-node@v4
+ with:
+ node-version: '22'
+ cache: 'pnpm'
+
+ - name: Set up Node.js (yarn)
+ if: ${{ hashFiles('**/yarn.lock') != '' }}
+ uses: actions/setup-node@v4
+ with:
+ node-version: '22'
+ cache: 'yarn'
+
+ - name: Enable Corepack (pnpm/yarn shims)
+ run: corepack enable
+
+ # Install dependencies by detected lockfile
+ - name: Install dependencies (npm)
+ if: ${{ hashFiles('**/package-lock.json') != '' }}
+ run: npm ci
+
+ - name: Install dependencies (pnpm)
+ if: ${{ hashFiles('**/pnpm-lock.yaml') != '' }}
+ run: |
+ corepack prepare pnpm@latest --activate
+ pnpm install --frozen-lockfile
+
+ - name: Install dependencies (yarn)
+ if: ${{ hashFiles('**/yarn.lock') != '' }}
+ run: |
+ corepack prepare yarn@stable --activate
+ yarn install --frozen-lockfile
+
+ # Optional: useful for video/media processing in tests
+ - name: Install ffmpeg
+ run: |
+ sudo apt-get update
+ sudo apt-get install -y ffmpeg
+ continue-on-error: true
diff --git a/.husky/post-checkout b/.husky/post-checkout
new file mode 100755
index 0000000..5abf8ed
--- /dev/null
+++ b/.husky/post-checkout
@@ -0,0 +1,3 @@
+#!/bin/sh
+command -v git-lfs >/dev/null 2>&1 || { printf >&2 "\n%s\n\n" "This repository is configured for Git LFS but 'git-lfs' was not found on your path. If you no longer wish to use Git LFS, remove this hook by deleting the 'post-checkout' file in the hooks directory (set by 'core.hookspath'; usually '.git/hooks')."; exit 2; }
+git lfs post-checkout "$@"
diff --git a/.husky/post-commit b/.husky/post-commit
new file mode 100755
index 0000000..b8b76c2
--- /dev/null
+++ b/.husky/post-commit
@@ -0,0 +1,3 @@
+#!/bin/sh
+command -v git-lfs >/dev/null 2>&1 || { printf >&2 "\n%s\n\n" "This repository is configured for Git LFS but 'git-lfs' was not found on your path. If you no longer wish to use Git LFS, remove this hook by deleting the 'post-commit' file in the hooks directory (set by 'core.hookspath'; usually '.git/hooks')."; exit 2; }
+git lfs post-commit "$@"
diff --git a/.husky/post-merge b/.husky/post-merge
new file mode 100755
index 0000000..726f909
--- /dev/null
+++ b/.husky/post-merge
@@ -0,0 +1,3 @@
+#!/bin/sh
+command -v git-lfs >/dev/null 2>&1 || { printf >&2 "\n%s\n\n" "This repository is configured for Git LFS but 'git-lfs' was not found on your path. If you no longer wish to use Git LFS, remove this hook by deleting the 'post-merge' file in the hooks directory (set by 'core.hookspath'; usually '.git/hooks')."; exit 2; }
+git lfs post-merge "$@"
diff --git a/.husky/pre-push b/.husky/pre-push
new file mode 100755
index 0000000..5f26dc4
--- /dev/null
+++ b/.husky/pre-push
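Review bot: Every `uses:` line in the steps (`actions/checkout@v4` and the three `actions/setup-node@v4` steps) references a floating major tag, and the Corepack lines request `pnpm@latest` / `yarn@stable`, so what runs in the agent's environment can change without any change to this file; pin each action to a full-length commit SHA with the tag kept in a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha>  # v4`, and pin the Corepack versions explicitly or let Corepack use the version recorded in the repository's `packageManager` field. Separately, the `Set up Node.js (pnpm)` step asks setup-node for `cache: 'pnpm'` before the `Enable Corepack` step runs; setup-node determines the pnpm store path by invoking `pnpm`, so on a pnpm repository that step is likely to fail until the Corepack step is moved ahead of it. Since `continue-on-error: true` only covers the ffmpeg step, a failing setup-node step stops the whole setup job. Line breaks and indentation of this hunk were collapsed in this view, so the step order is read from the text as shown.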
@@ -0,0 +1,3 @@
+#!/bin/sh
+command -v git-lfs >/dev/null 2>&1 || { printf >&2 "\n%s\n\n" "This repository is configured for Git LFS but 'git-lfs' was not found on your path. If you no longer wish to use Git LFS, remove this hook by deleting the 'pre-push' file in the hooks directory (set by 'core.hookspath'; usually '.git/hooks')."; exit 2; }
+git lfs pre-push "$@"
diff --git a/copilot_firewall_config.md b/copilot_firewall_config.md
new file mode 100644
index 0000000..0e40583
--- /dev/null
+++ b/copilot_firewall_config.md
@@ -0,0 +1,32 @@
+# Customizing or disabling the firewall for GitHub Copilot coding agent
+
+Copilot coding agent uses an outbound firewall by default to reduce data exfiltration risk. You can keep the recommended allowlist and add a minimal custom allowlist for required third‑party APIs.
+
+Where to configure
+- Repository Settings → Code & automation → Copilot → coding agent
+
+Recommended settings
+- Enable firewall: ON
+- Recommended allowlist: ON
+- Custom allowlist: add only what you need
+
+Suggested custom allowlist for StreamVault
+- Cloudflare Stream API (narrow URL is safer):
+ - https://api.cloudflare.com/client/v4/accounts//stream/
+ - Or broader: Domain: api.cloudflare.com
+- Playback CDN (if tests fetch sample content):
+ - Domain: videodelivery.net
+- Stripe API (use test keys in CI):
+ - Domain: api.stripe.com
+- Google/Firebase (only those used by tests/build):
+ - Domains: firestore.googleapis.com, firebase.googleapis.com, storage.googleapis.com
+
+How the firewall behaves
+- If a blocked request occurs, Copilot will add a warning to the PR or comment indicating the blocked address and the command that attempted it. Use that signal to refine the allowlist.
+
+Disabling the firewall (not recommended)
+- Toggle "Enable firewall" to OFF. This allows the agent to connect to any host and increases exfiltration risk. Prefer targeted allowlisting.
+
+Notes
+- Larger runners and self-hosted runners: Copilot supports GitHub‑hosted Ubuntu x64 runners only. To use larger runners, provision them first in Settings → Actions → Runners → Larger runners, then update the `runs-on` label in `.github/workflows/copilot-setup-steps.yml`.
+- Git LFS: The setup workflow checks out with `lfs: true` to ensure LFS objects are available to the agent.
\ No newline at end of file