@h9-foundry/agentforge-cli 0.9.0 → 0.10.0

package/dist/index.js

@@ -6,7 +6,7 @@ import { buildAuditBundle, createAuditEntry, renderAuditBundleMarkdown } from "@
 import { createWorkflowState, findWorkspaceRoot } from "@h9-foundry/agentforge-context-engine";
 import { createPolicyEngine, loadPolicyDocument, resolvePolicy } from "@h9-foundry/agentforge-policy-engine";
 import { runWorkflow } from "@h9-foundry/agentforge-runtime";
-import { agentforgeConfigSchema, auditBundleSchema, benchmarkArtifactSchema, designArtifactSchema, designRequestSchema, evalArtifactSchema, evalFixtureCorpusSchema, implementationRequestSchema, incidentRequestSchema, maintenanceRequestSchema, planningArtifactSchema, planningRequestSchema, qaRequestSchema, releaseRequestSchema, schemaFixtures, securityRequestSchema, workflowDefinitionSchema } from "@h9-foundry/agentforge-schemas";
+import { agentforgeConfigSchema, auditBundleSchema, benchmarkArtifactSchema, designArtifactSchema, designRequestSchema, deploymentRequestSchema, evalArtifactSchema, evalFixtureCorpusSchema, implementationRequestSchema, incidentRequestSchema, maintenanceRequestSchema, pipelineRequestSchema, planningArtifactSchema, planningRequestSchema, qaRequestSchema, releaseRequestSchema, schemaFixtures, securityRequestSchema, workflowDefinitionSchema } from "@h9-foundry/agentforge-schemas";
 import { createBuiltinAdapters } from "./internal/builtin-adapters.js";
 import { createBuiltinAgentRegistry } from "./internal/builtin-agents.js";
 import { LocalPluginRegistry } from "./internal/local-plugin-registry.js";
@@ -239,7 +239,7 @@ description: Validate a bounded release-readiness request while keeping trusted
 trigger: manual
 catalog:
   domain: release
-  supportLevel: partial
+  supportLevel: official
   maturity: mvp
   trustScope: official-core-only
 nodes:
@@ -259,6 +259,58 @@ nodes:
     kind: report
     outputs_to: reports.final
 `;
+const pipelineWorkflowTemplate = `version: 1
+name: pipeline-evidence-review
+description: Review bounded local pipeline evidence through the shared CI model without assuming a release target.
+trigger: manual
+catalog:
+  domain: release
+  supportLevel: official
+  maturity: mvp
+  trustScope: official-core-only
+nodes:
+  - id: intake
+    kind: deterministic
+    agent: pipeline-intake
+    outputs_to: agentResults.intake
+  - id: evidence
+    kind: deterministic
+    agent: pipeline-evidence-normalizer
+    outputs_to: agentResults.evidence
+  - id: pipeline
+    kind: reasoning
+    agent: pipeline-analyst
+    outputs_to: agentResults.pipeline
+  - id: report
+    kind: report
+    outputs_to: reports.final
+`;
+const deploymentGateWorkflowTemplate = `version: 1
+name: deployment-gate-review
+description: Review a bounded deployment candidate using shared CI evidence and referenced lifecycle artifacts.
+trigger: manual
+catalog:
+  domain: release
+  supportLevel: official
+  maturity: mvp
+  trustScope: official-core-only
+nodes:
+  - id: intake
+    kind: deterministic
+    agent: deployment-gate-intake
+    outputs_to: agentResults.intake
+  - id: evidence
+    kind: deterministic
+    agent: deployment-gate-evidence-normalizer
+    outputs_to: agentResults.evidence
+  - id: deployment
+    kind: reasoning
+    agent: deployment-gate-analyst
+    outputs_to: agentResults.deployment
+  - id: report
+    kind: report
+    outputs_to: reports.final
+`;
 const incidentWorkflowTemplate = `version: 1
 name: incident-handoff
 description: Validate staged incident evidence while keeping the default path local, read-only, and explicit.
@@ -328,24 +380,90 @@ function runGit(root, args) {
         return "";
     }
 }
-function parseGitHubRepositoryUrl(value) {
+function inferScmPlatform(host) {
+    const normalizedHost = host.toLowerCase();
+    if (normalizedHost.includes("github")) {
+        return "github";
+    }
+    if (normalizedHost.includes("gitlab")) {
+        return "gitlab";
+    }
+    return "generic";
+}
+function parseScmRepositoryUrl(value) {
     const trimmed = value.trim();
-    const sshMatch = trimmed.match(/^git@([^:]+):([^/]+)\/([^/]+?)(?:\.git)?$/i);
+    const sshMatch = trimmed.match(/^git@([^:]+):(.+?)(?:\.git)?$/i);
     if (sshMatch) {
+        const host = sshMatch[1].toLowerCase();
+        const pathSegments = sshMatch[2].split("/").filter(Boolean);
+        if (pathSegments.length < 2) {
+            return undefined;
+        }
+        const repo = pathSegments[pathSegments.length - 1] ?? "";
+        const namespace = pathSegments.slice(0, -1).join("/");
+        const platform = inferScmPlatform(host);
+        if (platform === "github") {
+            return {
+                platform,
+                host,
+                owner: namespace,
+                repo
+            };
+        }
         return {
-            host: sshMatch[1].toLowerCase(),
-            owner: sshMatch[2],
-            repo: sshMatch[3]
+            platform,
+            host,
+            namespace,
+            repo
         };
     }
-    const httpsMatch = trimmed.match(/^https?:\/\/([^/]+)\/([^/]+)\/([^/]+?)(?:\.git)?(?:\/)?$/i);
+    const httpsMatch = trimmed.match(/^https?:\/\/([^/]+)\/(.+?)(?:\.git)?(?:\/)?$/i);
     if (!httpsMatch) {
         return undefined;
     }
+    const host = httpsMatch[1].toLowerCase();
+    const pathSegments = httpsMatch[2].split("/").filter(Boolean);
+    if (pathSegments.length < 2) {
+        return undefined;
+    }
+    const repo = pathSegments[pathSegments.length - 1] ?? "";
+    const namespace = pathSegments.slice(0, -1).join("/");
+    const platform = inferScmPlatform(host);
+    if (platform === "github") {
+        return {
+            platform,
+            host,
+            owner: namespace,
+            repo
+        };
+    }
+    return {
+        platform,
+        host,
+        namespace,
+        repo
+    };
+}
+function parseGitHubRepositoryUrl(value) {
+    const parsed = parseScmRepositoryUrl(value);
+    if (!parsed || parsed.platform !== "github") {
+        return undefined;
+    }
     return {
-        host: httpsMatch[1].toLowerCase(),
-        owner: httpsMatch[2],
-        repo: httpsMatch[3]
+        host: parsed.host,
+        owner: parsed.owner,
+        repo: parsed.repo
+    };
+}
+function parseGitLabRepositoryUrl(value) {
+    const parsed = parseScmRepositoryUrl(value);
+    if (!parsed || parsed.platform !== "gitlab") {
+        return undefined;
+    }
+    return {
+        host: parsed.host,
+        namespace: parsed.namespace,
+        repo: parsed.repo
     };
 }
 function inferGitHubRepoContext(root) {
@@ -371,6 +489,60 @@ function inferGitHubRepoContext(root) {
     const remoteUrl = runGit(root, ["config", "--get", "remote.origin.url"]);
     return remoteUrl ? parseGitHubRepositoryUrl(remoteUrl) : undefined;
 }
+function inferGitLabRepoContext(root) {
+    const packageJsonPath = join(root, "package.json");
+    if (existsSync(packageJsonPath)) {
+        const parsed = JSON.parse(readFileSync(packageJsonPath, "utf8"));
+        if (isRecord(parsed)) {
+            const repository = parsed.repository;
+            if (typeof repository === "string") {
+                const context = parseGitLabRepositoryUrl(repository);
+                if (context) {
+                    return context;
+                }
+            }
+            if (isRecord(repository) && typeof repository.url === "string") {
+                const context = parseGitLabRepositoryUrl(repository.url);
+                if (context) {
+                    return context;
+                }
+            }
+        }
+    }
+    const remoteUrl = runGit(root, ["config", "--get", "remote.origin.url"]);
+    return remoteUrl ? parseGitLabRepositoryUrl(remoteUrl) : undefined;
+}
+function inferScmRepoContext(root) {
+    const gitHubContext = inferGitHubRepoContext(root);
+    if (gitHubContext) {
+        return { platform: "github", ...gitHubContext };
+    }
+    const gitLabContext = inferGitLabRepoContext(root);
+    if (gitLabContext) {
+        return { platform: "gitlab", ...gitLabContext };
+    }
+    const packageJsonPath = join(root, "package.json");
+    if (existsSync(packageJsonPath)) {
+        const parsed = JSON.parse(readFileSync(packageJsonPath, "utf8"));
+        if (isRecord(parsed)) {
+            const repository = parsed.repository;
+            if (typeof repository === "string") {
+                const context = parseScmRepositoryUrl(repository);
+                if (context) {
+                    return context;
+                }
+            }
+            if (isRecord(repository) && typeof repository.url === "string") {
+                const context = parseScmRepositoryUrl(repository.url);
+                if (context) {
+                    return context;
+                }
+            }
+        }
+    }
+    const remoteUrl = runGit(root, ["config", "--get", "remote.origin.url"]);
+    return remoteUrl ? parseScmRepositoryUrl(remoteUrl) : undefined;
+}
 function normalizeGitHubReference(rawValue, repoContext) {
     const raw = rawValue.trim();
     if (!raw) {
@@ -426,6 +598,86 @@ function normalizeGitHubReferences(rawValues, repoContext) {
     }
     return normalized;
 }
+function normalizeGitLabReference(rawValue, repoContext) {
+    const raw = rawValue.trim();
+    if (!raw) {
+        return undefined;
+    }
+    const fromParts = (context, kind, number) => ({
+        platform: "gitlab",
+        host: context.host,
+        namespace: context.namespace,
+        repo: context.repo,
+        kind,
+        identifier: `${number}`,
+        number,
+        canonical: kind === "issue"
+            ? `${context.host}/${context.namespace}/${context.repo}#${number}`
+            : `${context.host}/${context.namespace}/${context.repo}!${number}`,
+        url: kind === "issue"
+            ? `https://${context.host}/${context.namespace}/${context.repo}/-/issues/${number}`
+            : `https://${context.host}/${context.namespace}/${context.repo}/-/merge_requests/${number}`,
+        source: raw
+    });
+    const urlMatch = raw.match(/^https?:\/\/([^/]+)\/(.+?)\/-\/(issues|merge_requests)\/(\d+)(?:\/)?$/i);
+    if (urlMatch) {
+        const pathSegments = urlMatch[2].split("/").filter(Boolean);
+        if (pathSegments.length < 2) {
+            return undefined;
+        }
+        const repo = pathSegments[pathSegments.length - 1] ?? "";
+        const namespace = pathSegments.slice(0, -1).join("/");
+        return fromParts({ host: urlMatch[1].toLowerCase(), namespace, repo }, urlMatch[3].toLowerCase() === "merge_requests" ? "merge_request" : "issue", Number.parseInt(urlMatch[4], 10));
+    }
+    const shortIssueMatch = raw.match(/^#(\d+)$/);
+    if (shortIssueMatch && repoContext) {
+        return fromParts(repoContext, "issue", Number.parseInt(shortIssueMatch[1], 10));
+    }
+    const shortMergeRequestMatch = raw.match(/^!(\d+)$/);
+    if (shortMergeRequestMatch && repoContext) {
+        return fromParts(repoContext, "merge_request", Number.parseInt(shortMergeRequestMatch[1], 10));
+    }
+    return undefined;
+}
+function normalizeScmReference(rawValue, repoContext) {
+    const raw = rawValue.trim();
+    if (!raw) {
+        return undefined;
+    }
+    const gitHubRef = normalizeGitHubReference(raw, repoContext?.platform === "github"
+        ? { host: repoContext.host, owner: repoContext.owner, repo: repoContext.repo }
+        : undefined);
+    if (gitHubRef) {
+        return {
+            platform: "github",
+            host: gitHubRef.host,
+            namespace: gitHubRef.owner,
+            repo: gitHubRef.repo,
+            kind: gitHubRef.kind,
+            identifier: `${gitHubRef.number}`,
+            number: gitHubRef.number,
+            canonical: `${gitHubRef.host}/${gitHubRef.owner}/${gitHubRef.repo}${gitHubRef.kind === "issue" ? `#${gitHubRef.number}` : `/pull/${gitHubRef.number}`}`,
+            url: gitHubRef.url,
+            source: gitHubRef.source
+        };
+    }
+    return normalizeGitLabReference(raw, repoContext?.platform === "gitlab"
+        ? { host: repoContext.host, namespace: repoContext.namespace, repo: repoContext.repo }
+        : undefined);
+}
+function normalizeScmReferences(rawValues, repoContext) {
+    const seen = new Set();
+    const normalized = [];
+    for (const rawValue of rawValues) {
+        const scmRef = normalizeScmReference(rawValue, repoContext);
+        if (!scmRef || seen.has(scmRef.canonical)) {
+            continue;
+        }
+        seen.add(scmRef.canonical);
+        normalized.push(scmRef);
+    }
+    return normalized;
+}
 export function mapWorkflowRunStatusToGitHubStatus(workflow, localRunStatus) {
     if (localRunStatus === "success") {
         return {
@@ -544,6 +796,35 @@ function validateReleaseRequestCompleteness(request) {
     }
     return request;
 }
+function validatePipelineRequestCompleteness(request) {
+    const evidenceSignalCount = request.evidenceSources.length + request.qaReportRefs.length + request.securityReportRefs.length + request.releaseReportRefs.length;
+    if (evidenceSignalCount === 0) {
+        throw new Error("Pipeline request is underspecified. Add at least one of evidenceSources, qaReportRefs, securityReportRefs, or releaseReportRefs.");
+    }
+    return request;
+}
+function validateDeploymentRequestCompleteness(request) {
+    const evidenceSignalCount = request.evidenceSources.length +
+        request.qaReportRefs.length +
+        request.securityReportRefs.length +
+        request.releaseReportRefs.length +
+        request.pipelineReportRefs.length;
+    if (evidenceSignalCount === 0) {
+        throw new Error("Deployment request is underspecified. Add at least one of evidenceSources, qaReportRefs, securityReportRefs, releaseReportRefs, or pipelineReportRefs.");
+    }
+    return request;
+}
+function addSourceReferences(refs, incoming) {
+    for (const issueRef of incoming.issueRefs) {
+        refs.issueRefs.add(issueRef);
+    }
+    for (const scmRef of incoming.scmRefs) {
+        refs.scmRefMap.set(scmRef.canonical, scmRef);
+    }
+    for (const githubRef of incoming.githubRefs) {
+        refs.githubRefMap.set(githubRef.canonical, githubRef);
+    }
+}
 function loadLifecycleArtifactKinds(root, bundleRef) {
     const bundlePath = join(root, bundleRef);
     if (!existsSync(bundlePath)) {
@@ -558,22 +839,31 @@ function loadLifecycleArtifactSourceReferences(root, bundleRef) {
         throw new Error(`Referenced bundle not found: ${bundleRef}`);
     }
     const bundle = auditBundleSchema.parse(JSON.parse(readFileSync(bundlePath, "utf8")));
-    const repoContext = inferGitHubRepoContext(root);
+    const scmRepoContext = inferScmRepoContext(root);
+    const gitHubRepoContext = inferGitHubRepoContext(root);
     const issueRefs = new Set();
+    const scmRefs = new Map();
     const githubRefs = new Map();
     for (const artifact of bundle.lifecycleArtifacts) {
         for (const issueRef of artifact.source.issueRefs) {
             issueRefs.add(issueRef);
         }
+        for (const scmRef of artifact.source.scmRefs ?? []) {
+            scmRefs.set(scmRef.canonical, scmRef);
+        }
         for (const githubRef of artifact.source.githubRefs ?? []) {
             githubRefs.set(githubRef.canonical, githubRef);
         }
-        for (const githubRef of normalizeGitHubReferences(artifact.source.issueRefs, repoContext)) {
+        for (const scmRef of normalizeScmReferences(artifact.source.issueRefs, scmRepoContext)) {
+            scmRefs.set(scmRef.canonical, scmRef);
+        }
+        for (const githubRef of normalizeGitHubReferences(artifact.source.issueRefs, gitHubRepoContext)) {
             githubRefs.set(githubRef.canonical, githubRef);
         }
     }
     return {
         issueRefs: [...issueRefs],
+        scmRefs: [...scmRefs.values()],
         githubRefs: [...githubRefs.values()]
     };
 }
@@ -584,9 +874,11 @@ function prepareWorkflowInputs(workflow, root, policyEngine) {
         const requestPath = ".agentops/requests/planning.yaml";
         ensureReadablePath(policyEngine, requestPath, "planning request");
         const planningRequest = validatePlanningRequestCompleteness(readYamlFile(join(root, requestPath), planningRequestSchema, "planning request"));
+        const planningScmRefs = normalizeScmReferences(planningRequest.issueRefs, inferScmRepoContext(root));
         const planningGithubRefs = normalizeGitHubReferences(planningRequest.issueRefs, inferGitHubRepoContext(root));
         return {
             planningRequest,
+            planningScmRefs,
             planningGithubRefs,
             requestFile: requestPath
         };
@@ -628,10 +920,11 @@ function prepareWorkflowInputs(workflow, root, policyEngine) {
         }
         const referencedSourceRefs = qaRequest.targetRef.endsWith("bundle.json")
             ? loadLifecycleArtifactSourceReferences(root, qaRequest.targetRef)
-            : { issueRefs: [], githubRefs: [] };
+            : { issueRefs: [], scmRefs: [], githubRefs: [] };
         return {
             qaRequest: qaRequest,
             qaIssueRefs: referencedSourceRefs.issueRefs,
+            qaScmRefs: referencedSourceRefs.scmRefs,
             qaGithubRefs: referencedSourceRefs.githubRefs,
             requestFile: requestPath
         };
@@ -656,20 +949,68 @@ function prepareWorkflowInputs(workflow, root, policyEngine) {
         }
         const referencedSourceRefs = securityRequest.targetRef.endsWith("bundle.json")
             ? loadLifecycleArtifactSourceReferences(root, securityRequest.targetRef)
-            : { issueRefs: [], githubRefs: [] };
+            : { issueRefs: [], scmRefs: [], githubRefs: [] };
         return {
             securityRequest: securityRequest,
             securityTargetArtifactKinds: referencedArtifactKinds,
             securityIssueRefs: referencedSourceRefs.issueRefs,
+            securityScmRefs: referencedSourceRefs.scmRefs,
             securityGithubRefs: referencedSourceRefs.githubRefs,
             requestFile: requestPath
         };
     }
+    if (workflow.name === "pipeline-evidence-review") {
+        const requestPath = ".agentops/requests/pipeline.yaml";
+        ensureReadablePath(policyEngine, requestPath, "pipeline request");
+        const pipelineRequest = validatePipelineRequestCompleteness(readYamlFile(join(root, requestPath), pipelineRequestSchema, "pipeline request"));
+        const scmRepoContext = inferScmRepoContext(root);
+        const gitHubRepoContext = inferGitHubRepoContext(root);
+        const pipelineRefs = {
+            issueRefs: new Set(pipelineRequest.issueRefs),
+            scmRefMap: new Map(),
+            githubRefMap: new Map()
+        };
+        for (const scmRef of normalizeScmReferences(pipelineRequest.issueRefs, scmRepoContext)) {
+            pipelineRefs.scmRefMap.set(scmRef.canonical, scmRef);
+        }
+        for (const githubRef of normalizeGitHubReferences(pipelineRequest.issueRefs, gitHubRepoContext)) {
+            pipelineRefs.githubRefMap.set(githubRef.canonical, githubRef);
+        }
+        for (const qaReportRef of pipelineRequest.qaReportRefs) {
+            ensureReadablePath(policyEngine, qaReportRef, "QA report reference");
+            ensureBundleContainsArtifactKind(root, qaReportRef, "qa-report", "QA report reference");
+            addSourceReferences(pipelineRefs, loadLifecycleArtifactSourceReferences(root, qaReportRef));
+        }
+        for (const securityReportRef of pipelineRequest.securityReportRefs) {
+            ensureReadablePath(policyEngine, securityReportRef, "security report reference");
+            ensureBundleContainsArtifactKind(root, securityReportRef, "security-report", "security report reference");
+            addSourceReferences(pipelineRefs, loadLifecycleArtifactSourceReferences(root, securityReportRef));
+        }
+        for (const releaseReportRef of pipelineRequest.releaseReportRefs) {
+            ensureReadablePath(policyEngine, releaseReportRef, "release report reference");
+            ensureBundleContainsArtifactKind(root, releaseReportRef, "release-report", "release report reference");
+            addSourceReferences(pipelineRefs, loadLifecycleArtifactSourceReferences(root, releaseReportRef));
+        }
+        for (const evidenceSource of pipelineRequest.evidenceSources) {
+            ensureReadablePath(policyEngine, evidenceSource, "pipeline evidence source");
+            if (!existsSync(join(root, evidenceSource))) {
+                throw new Error(`Pipeline evidence source not found: ${evidenceSource}`);
+            }
+        }
+        return {
+            pipelineRequest: pipelineRequest,
+            pipelineIssueRefs: [...pipelineRefs.issueRefs],
+            pipelineScmRefs: [...pipelineRefs.scmRefMap.values()],
+            pipelineGithubRefs: [...pipelineRefs.githubRefMap.values()],
+            requestFile: requestPath
+        };
+    }
     if (workflow.name === "release-readiness") {
         const requestPath = ".agentops/requests/release.yaml";
         ensureReadablePath(policyEngine, requestPath, "release request");
         const releaseRequest = validateReleaseRequestCompleteness(readYamlFile(join(root, requestPath), releaseRequestSchema, "release request"));
         const releaseIssueRefs = new Set();
+        const releaseScmRefMap = new Map();
         const releaseGithubRefMap = new Map();
         for (const qaReportRef of releaseRequest.qaReportRefs) {
             ensureReadablePath(policyEngine, qaReportRef, "QA report reference");
@@ -678,6 +1019,9 @@ function prepareWorkflowInputs(workflow, root, policyEngine) {
             for (const issueRef of refs.issueRefs) {
                 releaseIssueRefs.add(issueRef);
             }
+            for (const scmRef of refs.scmRefs) {
+                releaseScmRefMap.set(scmRef.canonical, scmRef);
+            }
             for (const githubRef of refs.githubRefs) {
                 releaseGithubRefMap.set(githubRef.canonical, githubRef);
             }
@@ -689,6 +1033,9 @@ function prepareWorkflowInputs(workflow, root, policyEngine) {
             for (const issueRef of refs.issueRefs) {
                 releaseIssueRefs.add(issueRef);
             }
+            for (const scmRef of refs.scmRefs) {
+                releaseScmRefMap.set(scmRef.canonical, scmRef);
+            }
             for (const githubRef of refs.githubRefs) {
                 releaseGithubRefMap.set(githubRef.canonical, githubRef);
             }
@@ -702,18 +1049,75 @@ function prepareWorkflowInputs(workflow, root, policyEngine) {
         return {
             releaseRequest: releaseRequest,
             releaseIssueRefs: [...releaseIssueRefs],
+            releaseScmRefs: [...releaseScmRefMap.values()],
             releaseGithubRefs: [...releaseGithubRefMap.values()],
             requestFile: requestPath
         };
     }
+    if (workflow.name === "deployment-gate-review") {
+        const requestPath = ".agentops/requests/deployment.yaml";
+        ensureReadablePath(policyEngine, requestPath, "deployment request");
+        const deploymentRequest = validateDeploymentRequestCompleteness(readYamlFile(join(root, requestPath), deploymentRequestSchema, "deployment request"));
+        const scmRepoContext = inferScmRepoContext(root);
+        const gitHubRepoContext = inferGitHubRepoContext(root);
+        const deploymentRefs = {
+            issueRefs: new Set(deploymentRequest.issueRefs),
+            scmRefMap: new Map(),
+            githubRefMap: new Map()
+        };
+        for (const scmRef of normalizeScmReferences(deploymentRequest.issueRefs, scmRepoContext)) {
+            deploymentRefs.scmRefMap.set(scmRef.canonical, scmRef);
+        }
+        for (const githubRef of normalizeGitHubReferences(deploymentRequest.issueRefs, gitHubRepoContext)) {
+            deploymentRefs.githubRefMap.set(githubRef.canonical, githubRef);
+        }
+        for (const qaReportRef of deploymentRequest.qaReportRefs) {
+            ensureReadablePath(policyEngine, qaReportRef, "QA report reference");
+            ensureBundleContainsArtifactKind(root, qaReportRef, "qa-report", "QA report reference");
+            addSourceReferences(deploymentRefs, loadLifecycleArtifactSourceReferences(root, qaReportRef));
+        }
+        for (const securityReportRef of deploymentRequest.securityReportRefs) {
+            ensureReadablePath(policyEngine, securityReportRef, "security report reference");
+            ensureBundleContainsArtifactKind(root, securityReportRef, "security-report", "security report reference");
+            addSourceReferences(deploymentRefs, loadLifecycleArtifactSourceReferences(root, securityReportRef));
+        }
+        for (const releaseReportRef of deploymentRequest.releaseReportRefs) {
+            ensureReadablePath(policyEngine, releaseReportRef, "release report reference");
+            ensureBundleContainsArtifactKind(root, releaseReportRef, "release-report", "release report reference");
+            addSourceReferences(deploymentRefs, loadLifecycleArtifactSourceReferences(root, releaseReportRef));
+        }
+        for (const pipelineReportRef of deploymentRequest.pipelineReportRefs) {
+            ensureReadablePath(policyEngine, pipelineReportRef, "pipeline report reference");
+            ensureBundleContainsArtifactKind(root, pipelineReportRef, "pipeline-report", "pipeline report reference");
+            addSourceReferences(deploymentRefs, loadLifecycleArtifactSourceReferences(root, pipelineReportRef));
+        }
+        for (const evidenceSource of deploymentRequest.evidenceSources) {
+            ensureReadablePath(policyEngine, evidenceSource, "deployment evidence source");
+            if (!existsSync(join(root, evidenceSource))) {
+                throw new Error(`Deployment evidence source not found: ${evidenceSource}`);
+            }
+        }
+        return {
+            deploymentRequest: deploymentRequest,
+            deploymentIssueRefs: [...deploymentRefs.issueRefs],
+            deploymentScmRefs: [...deploymentRefs.scmRefMap.values()],
+            deploymentGithubRefs: [...deploymentRefs.githubRefMap.values()],
+            requestFile: requestPath
+        };
+    }
     if (workflow.name === "incident-handoff") {
         const requestPath = ".agentops/requests/incident.yaml";
         ensureReadablePath(policyEngine, requestPath, "incident request");
         const incidentRequest = validateIncidentRequestCompleteness(readYamlFile(join(root, requestPath), incidentRequestSchema, "incident request"));
-        const repoContext = inferGitHubRepoContext(root);
+        const scmRepoContext = inferScmRepoContext(root);
+        const gitHubRepoContext = inferGitHubRepoContext(root);
         const incidentIssueRefs = new Set(incidentRequest.issueRefs);
+        const incidentScmRefMap = new Map();
         const incidentGithubRefMap = new Map();
-        for (const githubRef of normalizeGitHubReferences(incidentRequest.issueRefs, repoContext)) {
+        for (const scmRef of normalizeScmReferences(incidentRequest.issueRefs, scmRepoContext)) {
+            incidentScmRefMap.set(scmRef.canonical, scmRef);
+        }
+        for (const githubRef of normalizeGitHubReferences(incidentRequest.issueRefs, gitHubRepoContext)) {
             incidentGithubRefMap.set(githubRef.canonical, githubRef);
         }
         for (const releaseReportRef of incidentRequest.releaseReportRefs) {
@@ -723,6 +1127,9 @@ function prepareWorkflowInputs(workflow, root, policyEngine) {
             for (const issueRef of refs.issueRefs) {
                 incidentIssueRefs.add(issueRef);
             }
+            for (const scmRef of refs.scmRefs) {
+                incidentScmRefMap.set(scmRef.canonical, scmRef);
+            }
             for (const githubRef of refs.githubRefs) {
                 incidentGithubRefMap.set(githubRef.canonical, githubRef);
             }
@@ -736,6 +1143,7 @@ function prepareWorkflowInputs(workflow, root, policyEngine) {
         return {
             incidentRequest: incidentRequest,
             incidentIssueRefs: [...incidentIssueRefs],
+            incidentScmRefs: [...incidentScmRefMap.values()],
             incidentGithubRefs: [...incidentGithubRefMap.values()],
             requestFile: requestPath
         };
@@ -744,10 +1152,15 @@ function prepareWorkflowInputs(workflow, root, policyEngine) {
         const requestPath = ".agentops/requests/maintenance.yaml";
         ensureReadablePath(policyEngine, requestPath, "maintenance request");
         const maintenanceRequest = validateMaintenanceRequestCompleteness(readYamlFile(join(root, requestPath), maintenanceRequestSchema, "maintenance request"));
-        const repoContext = inferGitHubRepoContext(root);
+        const scmRepoContext = inferScmRepoContext(root);
+        const gitHubRepoContext = inferGitHubRepoContext(root);
         const maintenanceIssueRefs = new Set(maintenanceRequest.issueRefs);
+        const maintenanceScmRefMap = new Map();
         const maintenanceGithubRefMap = new Map();
-        for (const githubRef of normalizeGitHubReferences(maintenanceRequest.issueRefs, repoContext)) {
+        for (const scmRef of normalizeScmReferences(maintenanceRequest.issueRefs, scmRepoContext)) {
+            maintenanceScmRefMap.set(scmRef.canonical, scmRef);
+        }
+        for (const githubRef of normalizeGitHubReferences(maintenanceRequest.issueRefs, gitHubRepoContext)) {
             maintenanceGithubRefMap.set(githubRef.canonical, githubRef);
         }
         for (const releaseReportRef of maintenanceRequest.releaseReportRefs) {
@@ -757,6 +1170,9 @@ function prepareWorkflowInputs(workflow, root, policyEngine) {
             for (const issueRef of refs.issueRefs) {
                 maintenanceIssueRefs.add(issueRef);
             }
+            for (const scmRef of refs.scmRefs) {
+                maintenanceScmRefMap.set(scmRef.canonical, scmRef);
+            }
             for (const githubRef of refs.githubRefs) {
                 maintenanceGithubRefMap.set(githubRef.canonical, githubRef);
             }
@@ -776,6 +1192,7 @@ function prepareWorkflowInputs(workflow, root, policyEngine) {
         return {
             maintenanceRequest: maintenanceRequest,
             maintenanceIssueRefs: [...maintenanceIssueRefs],
+            maintenanceScmRefs: [...maintenanceScmRefMap.values()],
             maintenanceGithubRefs: [...maintenanceGithubRefMap.values()],
             requestFile: requestPath
         };
@@ -1421,6 +1838,14 @@ function ensureInitFiles(root) {
             path: join(workflowsDir, "release-readiness.yaml"),
             contents: releaseWorkflowTemplate
         },
+        {
+            path: join(workflowsDir, "pipeline-evidence-review.yaml"),
+            contents: pipelineWorkflowTemplate
+        },
+        {
+            path: join(workflowsDir, "deployment-gate-review.yaml"),
+            contents: deploymentGateWorkflowTemplate
+        },
         {
             path: join(workflowsDir, "incident-handoff.yaml"),
             contents: incidentWorkflowTemplate