@intentsolutionsio/contributing-clanker 0.1.1

package/skills/contribute/scripts/gates/c13-bots-passed.sh

@@ -0,0 +1,62 @@
+#!/usr/bin/env bash
+# Catalog: C13 — Required review bots haven't reviewed/commented yet
+source "$(dirname "$0")/lib/preamble.sh"
+
+gate_read_input
+
+PR_NUMBER=$(fm_field "$GATE_CANDIDATE_PATH" "pr_number")
+if [[ -z "$PR_NUMBER" ]]; then
+  gate_skip "no pr_number in candidate (no PR yet)"
+fi
+
+# Parse review_bots: list from dossier — `  - <name>` lines following `review_bots:`
+BOTS_RAW=$(/usr/bin/awk '
+  /^---$/ { fm = !fm ? 1 : 2; next }
+  fm != 1 { next }
+  /^review_bots:/ { collecting = 1; next }
+  collecting && /^[[:space:]]+-[[:space:]]+/ {
+    sub(/^[[:space:]]+-[[:space:]]+/, "")
+    gsub(/^"|"$/, "")
+    print
+    next
+  }
+  collecting && /^[A-Za-z]/ { collecting = 0 }
+' "$GATE_DOSSIER_PATH" 2>/dev/null || /usr/bin/echo "")
+
+if [[ -z "$BOTS_RAW" ]]; then
+  gate_skip "no review_bots listed in dossier"
+fi
+
+# Filter "(none detected)" sentinel
+declare -a BOTS=()
+while IFS= read -r line; do
+  [[ -z "$line" ]] && continue
+  [[ "$line" == "(none detected)" ]] && continue
+  BOTS+=("$line")
+done <<< "$BOTS_RAW"
+
+if (( ${#BOTS[@]} == 0 )); then
+  gate_skip "review_bots list empty or (none detected)"
+fi
+
+# Pull all reviewer + commenter logins from the PR
+REVIEWERS=$(gh_safe pr view "$PR_NUMBER" --repo "$GATE_REPO" --json reviews,comments \
+  --jq '[.reviews[].author.login, .comments[].author.login] | unique | join(",")' 2>/dev/null || /usr/bin/echo "")
+
+# For each required bot, substring match against the reviewers/commenters list (lowercased)
+REVIEWERS_LC=$(/usr/bin/printf '%s' "$REVIEWERS" | /usr/bin/tr '[:upper:]' '[:lower:]')
+declare -a MISSING=()
+for bot in "${BOTS[@]}"; do
+  bot_lc=$(/usr/bin/printf '%s' "$bot" | /usr/bin/tr '[:upper:]' '[:lower:]' | /usr/bin/tr -d '-')
+  reviewers_norm=$(/usr/bin/printf '%s' "$REVIEWERS_LC" | /usr/bin/tr -d '-')
+  if [[ "$reviewers_norm" != *"$bot_lc"* ]]; then
+    MISSING+=("$bot")
+  fi
+done
+
+if (( ${#MISSING[@]} > 0 )); then
+  joined=$(IFS=', '; /usr/bin/printf '%s' "${MISSING[*]}")
+  gate_warn "waiting on review from: $joined" "wait for these bots to weigh in before flipping to ready-for-review"
+fi
+
+gate_pass "all required review bots have engaged on the PR"

package/skills/contribute/scripts/gates/c16-no-self-merge.sh

@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+# Catalog: C16 — author attempts to merge their own PR
+# Mitigates: bypassing maintainer review on a contribution is a hard etiquette violation.
+source "$(dirname "$0")/lib/preamble.sh"
+
+gate_read_input
+
+PR_NUM=$(fm_field "$GATE_CANDIDATE_PATH" "pr_number")
+if [[ -z "$PR_NUM" || -z "$GATE_REPO" ]]; then
+  gate_skip "no pr_number or repo in candidate"
+fi
+
+PR_AUTHOR=$(gh_safe pr view "$PR_NUM" --repo "$GATE_REPO" --json author --jq '.author.login' || /usr/bin/echo "")
+ME=$(gh_safe api user --jq '.login' || /usr/bin/echo "")
+
+if [[ -z "$PR_AUTHOR" || -z "$ME" ]]; then
+  gate_skip "could not resolve PR author or current user"
+fi
+
+if [[ "$PR_AUTHOR" == "$ME" ]]; then
+  gate_block "you ($ME) authored PR #$PR_NUM — self-merge would bypass maintainer review" "you authored this PR — wait for a maintainer to merge"
+fi
+
+gate_pass "PR author ($PR_AUTHOR) differs from current user ($ME)"

package/skills/contribute/scripts/gates/c19-body-claim-vs-diff.sh

@@ -0,0 +1,64 @@
+#!/usr/bin/env bash
+# Catalog: C19 — PR body claims that don't match the diff
+# Mitigates: Round-1 maintainer GAP-6 — close-on-sight pattern: PR body
+# claims "added tests" / "updated CHANGELOG" / "added migration notes" but
+# `git diff` shows no corresponding files touched. Pure AI-confabulation.
+# Fastest path from "AI-assisted" to "AI-fabricated" in maintainer's eye.
+source "$(dirname "$0")/lib/preamble.sh"
+
+gate_read_input
+
+# Need both PR body and a way to inspect the diff
+PR_BODY=$(/usr/bin/awk '/^## PR body/{flag=1;next} /^## /{flag=0} flag' "$GATE_CANDIDATE_PATH" 2>/dev/null || /usr/bin/echo "")
+LOCAL_CLONE=$(fm_field "$GATE_CANDIDATE_PATH" "local_clone_path")
+BRANCH=$(fm_field "$GATE_CANDIDATE_PATH" "branch")
+
+if [[ -z "$PR_BODY" ]]; then
+  gate_inform "no PR body drafted yet"
+fi
+if [[ -z "$LOCAL_CLONE" || ! -d "$LOCAL_CLONE" ]]; then
+  gate_skip "no local_clone_path; cannot inspect diff"
+fi
+if [[ -z "$BRANCH" ]]; then
+  gate_skip "no branch in candidate"
+fi
+
+# Get the list of changed files vs default branch (heuristic: master/main)
+DEFAULT_BRANCH="main"
+if [[ -n "$GATE_DOSSIER_PATH" && -f "$GATE_DOSSIER_PATH" ]]; then
+  V=$(fm_field "$GATE_DOSSIER_PATH" "default_branch")
+  [[ -n "$V" ]] && DEFAULT_BRANCH="$V"
+fi
+
+DIFF_FILES=$(cd "$LOCAL_CLONE" 2>/dev/null && git diff --name-only "origin/$DEFAULT_BRANCH..$BRANCH" 2>/dev/null || /usr/bin/echo "")
+if [[ -z "$DIFF_FILES" ]]; then
+  gate_skip "no diff against origin/$DEFAULT_BRANCH (or git command failed)"
+fi
+
+# Claim → expected-path patterns. Each entry: regex_in_body | regex_required_in_diff
+declare -a CLAIMS=(
+  "(added|wrote|new) tests?\b|added test (coverage|cases)|test cases? added|regression test|test for the (bug|fix)|tests?[[:space:]]*passing:[[:space:]]+(yes|added)|cargo test|pytest|jest|mocha|vitest=tests?/"
+  "updated? (the )?CHANGELOG=CHANGELOG"
+  "(added|updated) (the )?(migration|migration notes|migrations)=(migration|migrations)/"
+  "updated? (the )?(README|docs|documentation)=(README|docs/|.md$)"
+  "added? (the )?changeset=\.changeset/"
+)
+
+ISSUES=()
+for ENTRY in "${CLAIMS[@]}"; do
+  CLAIM_REGEX="${ENTRY%%=*}"
+  PATH_REGEX="${ENTRY##*=}"
+  if /usr/bin/printf '%s' "$PR_BODY" | /usr/bin/grep -qiE "$CLAIM_REGEX"; then
+    if ! /usr/bin/printf '%s' "$DIFF_FILES" | /usr/bin/grep -qiE "$PATH_REGEX"; then
+      MATCHED=$(/usr/bin/printf '%s' "$PR_BODY" | /usr/bin/grep -ioE "$CLAIM_REGEX" | /usr/bin/head -1)
+      ISSUES+=("body claims '$MATCHED' but diff doesn't touch $PATH_REGEX")
+    fi
+  fi
+done
+
+if [[ "${#ISSUES[@]}" -gt 0 ]]; then
+  REASONS=$(/usr/bin/printf '%s; ' "${ISSUES[@]}")
+  gate_block "PR body makes claims not backed by the diff: $REASONS" "either add the work to match the claim, OR remove the claim from the PR body. False claims = closure regardless of code quality (PostHog AI_POLICY: 'PRs that clearly weren't run or tested will be closed')."
+fi
+
+gate_pass "PR body claims are consistent with diff"

package/skills/contribute/scripts/gates/d02-no-ai-bug-reports.sh

@@ -0,0 +1,48 @@
+#!/usr/bin/env bash
+# Catalog: D2 — Block AI-shaped issue body when opening a new issue
+# Many repos auto-close machine-generated bug reports on sight. We refuse
+# to ship one in our name.
+source "$(dirname "$0")/lib/preamble.sh"
+
+gate_read_input
+
+# Extract the "## Issue body draft" section from the candidate
+DRAFT=$(/usr/bin/awk '/^## Issue body draft/{flag=1;next} /^## /{flag=0} flag' "$GATE_CANDIDATE_PATH" 2>/dev/null || /usr/bin/echo "")
+
+if [[ -z "${DRAFT// /}" ]]; then
+  gate_skip "no issue draft yet"
+fi
+
+# AI-shaped patterns. Case-insensitive. Each entry is one distinct pattern.
+PATTERNS=(
+  "I noticed"
+  "It appears"
+  "I observed"
+  "the AI suggests"
+  "Claude suggests"
+  "ChatGPT suggests"
+  "based on my analysis"
+  "after analyzing"
+  "I've identified"
+  "the issue stems from"
+)
+
+HITS=()
+for pat in "${PATTERNS[@]}"; do
+  if /usr/bin/printf '%s' "$DRAFT" | /usr/bin/grep -qiE "$pat"; then
+    HITS+=("$pat")
+  fi
+done
+
+COUNT=${#HITS[@]}
+JOINED=$(/usr/bin/printf '%s, ' "${HITS[@]}" 2>/dev/null | /usr/bin/sed 's/, $//')
+
+if (( COUNT >= 2 )); then
+  gate_block "issue draft contains $COUNT AI-shaped phrases: $JOINED" "rewrite the issue in your own voice; many repos auto-close AI-shaped bug reports"
+fi
+
+if (( COUNT == 1 )); then
+  gate_warn "issue draft contains AI-shaped phrase: $JOINED" "consider rewriting in your own voice"
+fi
+
+gate_pass "no AI-shaped phrases detected"

package/skills/contribute/scripts/gates/d03-no-ai-pr-reviews.sh

@@ -0,0 +1,42 @@
+#!/usr/bin/env bash
+# Catalog: D3 — Block AI-generated review comments on someone else's PR
+# AI-shaped review comments are unwelcome at most repos. Stricter than D2:
+# any single hit blocks.
+source "$(dirname "$0")/lib/preamble.sh"
+
+gate_read_input
+
+DRAFT=$(/usr/bin/awk '/^## Review draft/{flag=1;next} /^## /{flag=0} flag' "$GATE_CANDIDATE_PATH" 2>/dev/null || /usr/bin/echo "")
+
+if [[ -z "${DRAFT// /}" ]]; then
+  gate_skip "no review draft yet"
+fi
+
+PATTERNS=(
+  "I noticed"
+  "It appears"
+  "I observed"
+  "the AI suggests"
+  "Claude suggests"
+  "ChatGPT suggests"
+  "based on my analysis"
+  "after analyzing"
+  "I've identified"
+  "the issue stems from"
+)
+
+HITS=()
+for pat in "${PATTERNS[@]}"; do
+  if /usr/bin/printf '%s' "$DRAFT" | /usr/bin/grep -qiE "$pat"; then
+    HITS+=("$pat")
+  fi
+done
+
+COUNT=${#HITS[@]}
+JOINED=$(/usr/bin/printf '%s, ' "${HITS[@]}" 2>/dev/null | /usr/bin/sed 's/, $//')
+
+if (( COUNT >= 1 )); then
+  gate_block "review draft contains $COUNT AI-shaped phrase(s): $JOINED" "AI-generated review comments are unwelcome at most repos; either rewrite in your own voice or skip the review"
+fi
+
+gate_pass "no AI-shaped phrases detected"

package/skills/contribute/scripts/gates/d05-no-reopen.sh

@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+# Catalog: D5 — reopening a PR that a maintainer closed
+# Mitigates: comes across as ignoring maintainer feedback; usually a fresh PR is better.
+source "$(dirname "$0")/lib/preamble.sh"
+
+gate_read_input
+
+PR_NUM=$(fm_field "$GATE_CANDIDATE_PATH" "pr_number")
+if [[ -z "$PR_NUM" || -z "$GATE_REPO" ]]; then
+  gate_skip "no pr_number or repo in candidate"
+fi
+
+INFO=$(gh_safe pr view "$PR_NUM" --repo "$GATE_REPO" --json state,closedAt --jq '{state: .state, closedAt: .closedAt}' || /usr/bin/echo "")
+if [[ -z "$INFO" ]]; then
+  gate_skip "could not fetch PR state"
+fi
+
+STATE=$(/usr/bin/printf '%s' "$INFO" | jq -r '.state // ""')
+CLOSED_AT=$(/usr/bin/printf '%s' "$INFO" | jq -r '.closedAt // ""')
+
+if [[ "$STATE" != "CLOSED" || -z "$CLOSED_AT" || "$CLOSED_AT" == "null" ]]; then
+  gate_skip "PR is not in CLOSED state (state=$STATE) — nothing to reopen"
+fi
+
+gate_warn "PR #$PR_NUM was closed at $CLOSED_AT — reopening may be read as ignoring the maintainer" "the maintainer closed this PR; reopening without addressing their feedback can come across as disrespectful. Consider a fresh PR if you've made substantial changes"

package/skills/contribute/scripts/gates/e02-ai-strike-track.sh

@@ -0,0 +1,57 @@
+#!/usr/bin/env bash
+# Catalog: E2 — AI policy strike tracking, ORG-LEVEL (not just repo-level)
+# Mitigates: Round-1 AI-policy GAP-6 — PostHog AI_POLICY says "Two or more
+# closures: We'll block the account." Stake is account-level, not per-repo.
+# A 1st closure on PostHog/posthog + 1st on PostHog/posthog-js = blocked,
+# and a per-repo gate would never see it. This gate evaluates strikes at
+# the org-owner level.
+source "$(dirname "$0")/lib/preamble.sh"
+
+gate_read_input
+
+if [[ -z "$GATE_REPO" ]]; then
+  gate_skip "no repo in candidate"
+fi
+
+# Read strike scope from dossier (default: org)
+STRIKE_SCOPE="org"
+if [[ -n "$GATE_DOSSIER_PATH" && -f "$GATE_DOSSIER_PATH" ]]; then
+  V=$(fm_field "$GATE_DOSSIER_PATH" "strike_scope")
+  [[ -n "$V" ]] && STRIKE_SCOPE="$V"
+fi
+
+OWNER="${GATE_REPO%%/*}"
+LOG="$HOME/.contribute-system/log.jsonl"
+
+if [[ ! -f "$LOG" ]]; then
+  gate_pass "no log.jsonl yet (no prior strikes possible)"
+fi
+
+# Count prior closures with reason matching AI policy at the appropriate scope.
+# Reason patterns: any 'dropped' event with reason containing 'ai_policy', 'ai-policy', 'slop', 'ai policy'
+case "$STRIKE_SCOPE" in
+  repo)    SCOPE_FILTER=".details.repo == \"$GATE_REPO\"" ;;
+  org)     SCOPE_FILTER=".details.repo | startswith(\"$OWNER/\")" ;;
+  account) SCOPE_FILTER="true" ;;
+  *)       gate_block "unknown strike_scope in dossier: $STRIKE_SCOPE" "set strike_scope to repo|org|account in the dossier" ;;
+esac
+
+STRIKE_COUNT=$(jq -c "
+  select(.event == \"candidate_dropped\")
+  | select($SCOPE_FILTER)
+  | select(.details.reason | tostring | test(\"ai[ _-]?policy|ai[ _-]?slop\"; \"i\"))
+" "$LOG" 2>/dev/null | /usr/bin/wc -l | /usr/bin/awk '{print $1}')
+
+# Note: pre-Phase-3, there's no way to query PostHog's ACTUAL record of our
+# strikes; we only know what WE logged. If we never logged a closure (e.g.,
+# PostHog closed without us calling it out), we'd undercount. Best-effort.
+
+if [[ "${STRIKE_COUNT:-0}" -ge 1 ]]; then
+  if [[ "$STRIKE_COUNT" -eq 1 ]]; then
+    gate_block "1 prior AI-policy closure at $STRIKE_SCOPE-scope ($OWNER). Next closure = account block at PostHog-tier repos." "manual override required: --override-gate=E2 \"<reason you're confident this PR won't get closed>\". This is the gate that prevents account-block."
+  else
+    gate_block "$STRIKE_COUNT prior AI-policy closures at $STRIKE_SCOPE-scope ($OWNER). HARD STOP — pause contributions to this org until you've discussed with maintainers." "manual override is intentionally inconvenient here. If you must proceed, --override-gate=E2 \"<written rationale>\" AND post a comment on the issue acknowledging the prior closures."
+  fi
+fi
+
+gate_pass "no prior AI-policy closures at $STRIKE_SCOPE-scope ($OWNER)"

package/skills/contribute/scripts/gates/e04-fork-target.sh

@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+# Catalog: E4 — Verify origin points at user's fork (not upstream)
+# Mitigates: pushing to someone else's repo by accident, or being unable to
+# push at all.
+source "$(dirname "$0")/lib/preamble.sh"
+
+gate_read_input
+
+CLONE="$HOME/000-projects/contributing-clanker/${GATE_REPO##*/}"
+
+if [[ ! -d "$CLONE/.git" ]]; then
+  gate_skip "no local clone at $CLONE"
+fi
+
+USER_LOGIN=$(gh_safe api user --jq .login 2>/dev/null || /usr/bin/echo "")
+if [[ -z "$USER_LOGIN" ]]; then
+  gate_skip "could not resolve current gh user login"
+fi
+
+ORIGIN_URL=$(/usr/bin/git -C "$CLONE" remote get-url origin 2>/dev/null || /usr/bin/echo "")
+if [[ -z "$ORIGIN_URL" ]]; then
+  gate_block "no origin remote configured in $CLONE" "set origin to your fork: gh repo fork ${GATE_REPO} --remote --remote-name origin"
+fi
+
+# Parse owner from URL — handles SSH (git@github.com:owner/repo.git) and
+# HTTPS (https://github.com/owner/repo.git) forms.
+ORIGIN_OWNER=$(/usr/bin/printf '%s' "$ORIGIN_URL" | /usr/bin/sed -E 's#^git@github\.com:([^/]+)/.*$#\1#; s#^https?://github\.com/([^/]+)/.*$#\1#')
+
+UPSTREAM_OWNER="${GATE_REPO%%/*}"
+
+if [[ "$ORIGIN_OWNER" == "$UPSTREAM_OWNER" ]]; then
+  gate_inform "origin points at upstream ($UPSTREAM_OWNER); pushing directly to upstream — verify you have access"
+fi
+
+if [[ "$ORIGIN_OWNER" != "$USER_LOGIN" ]]; then
+  gate_block "origin owner is '$ORIGIN_OWNER' but your gh login is '$USER_LOGIN'" "set origin to your fork: gh repo fork ${GATE_REPO} --remote --remote-name origin"
+fi
+
+gate_pass "origin points at your fork ($USER_LOGIN/${GATE_REPO##*/})"

package/skills/contribute/scripts/gates/f01-license-compat.sh

@@ -0,0 +1,92 @@
+#!/usr/bin/env bash
+# Catalog: F1 — License compatibility check for newly added dependencies
+# Lists new deps and prompts manual license verification. Does NOT look up
+# SPDX from registries (too heavy for a gate); informational only.
+source "$(dirname "$0")/lib/preamble.sh"
+
+gate_read_input
+
+CLONE="$HOME/000-projects/contributing-clanker/${GATE_REPO##*/}"
+
+if [[ ! -d "$CLONE/.git" ]]; then
+  gate_skip "no local clone at $CLONE"
+fi
+
+DEFAULT_BRANCH=$(fm_field "$GATE_DOSSIER_PATH" "default_branch")
+if [[ -z "$DEFAULT_BRANCH" ]]; then
+  gate_skip "no default_branch in dossier"
+fi
+
+REPO_LICENSE=$(fm_field "$GATE_DOSSIER_PATH" "license")
+[[ -z "$REPO_LICENSE" ]] && REPO_LICENSE="unknown"
+
+CHANGED=$(/usr/bin/git -C "$CLONE" diff "$DEFAULT_BRANCH..HEAD" --name-only 2>/dev/null || /usr/bin/echo "")
+
+MANIFESTS=()
+while IFS= read -r f; do
+  case "$f" in
+    package.json|*/package.json) MANIFESTS+=("$f") ;;
+    Cargo.toml|*/Cargo.toml) MANIFESTS+=("$f") ;;
+    requirements.txt|*/requirements.txt) MANIFESTS+=("$f") ;;
+    pyproject.toml|*/pyproject.toml) MANIFESTS+=("$f") ;;
+    go.mod|*/go.mod) MANIFESTS+=("$f") ;;
+    Gemfile|*/Gemfile) MANIFESTS+=("$f") ;;
+  esac
+done <<< "$CHANGED"
+
+if (( ${#MANIFESTS[@]} == 0 )); then
+  gate_pass "no dependency manifest changes"
+fi
+
+NEW_DEPS=()
+for m in "${MANIFESTS[@]}"; do
+  DIFF=$(/usr/bin/git -C "$CLONE" diff "$DEFAULT_BRANCH..HEAD" -- "$m" 2>/dev/null || /usr/bin/echo "")
+  # Best-effort regex per manifest type — extract package names from + lines
+  case "$m" in
+    *package.json)
+      while IFS= read -r line; do
+        name=$(/usr/bin/printf '%s' "$line" | /usr/bin/sed -nE 's/^\+[[:space:]]*"([^"]+)":[[:space:]]*"[^"]+".*$/\1/p')
+        [[ -n "$name" ]] && NEW_DEPS+=("$name")
+      done <<< "$DIFF"
+      ;;
+    *Cargo.toml)
+      while IFS= read -r line; do
+        name=$(/usr/bin/printf '%s' "$line" | /usr/bin/sed -nE 's/^\+[[:space:]]*([a-zA-Z0-9_-]+)[[:space:]]*=.*$/\1/p')
+        [[ -n "$name" ]] && NEW_DEPS+=("$name")
+      done <<< "$DIFF"
+      ;;
+    *requirements.txt)
+      while IFS= read -r line; do
+        name=$(/usr/bin/printf '%s' "$line" | /usr/bin/sed -nE 's/^\+[[:space:]]*([a-zA-Z0-9_.-]+)[[:space:]]*[<>=~!].*$/\1/p; s/^\+[[:space:]]*([a-zA-Z0-9_.-]+)[[:space:]]*$/\1/p')
+        [[ -n "$name" ]] && NEW_DEPS+=("$name")
+      done <<< "$DIFF"
+      ;;
+    *pyproject.toml)
+      while IFS= read -r line; do
+        name=$(/usr/bin/printf '%s' "$line" | /usr/bin/sed -nE 's/^\+[[:space:]]*"([a-zA-Z0-9_.-]+)[[:space:]<>=~!].*"$/\1/p; s/^\+[[:space:]]*([a-zA-Z0-9_.-]+)[[:space:]]*=[[:space:]]*".*$/\1/p')
+        [[ -n "$name" ]] && NEW_DEPS+=("$name")
+      done <<< "$DIFF"
+      ;;
+    *go.mod)
+      while IFS= read -r line; do
+        name=$(/usr/bin/printf '%s' "$line" | /usr/bin/sed -nE 's/^\+[[:space:]]*([a-zA-Z0-9_./-]+)[[:space:]]+v[0-9].*$/\1/p')
+        [[ -n "$name" ]] && NEW_DEPS+=("$name")
+      done <<< "$DIFF"
+      ;;
+    *Gemfile)
+      while IFS= read -r line; do
+        name=$(/usr/bin/printf '%s' "$line" | /usr/bin/sed -nE "s/^\+[[:space:]]*gem[[:space:]]+['\"]([^'\"]+)['\"].*$/\1/p")
+        [[ -n "$name" ]] && NEW_DEPS+=("$name")
+      done <<< "$DIFF"
+      ;;
+  esac
+done
+
+if (( ${#NEW_DEPS[@]} == 0 )); then
+  gate_pass "no new dependency entries detected in changed manifests"
+fi
+
+# Dedupe
+UNIQ=$(/usr/bin/printf '%s\n' "${NEW_DEPS[@]}" | /usr/bin/awk '!seen[$0]++' | /usr/bin/tr '\n' ',' | /usr/bin/sed 's/,$//')
+
+gate_inform "new dependencies added: $UNIQ; verify license compatibility with repo's $REPO_LICENSE license manually"

package/skills/contribute/scripts/gates/f03-fixtures-clean.sh

@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+# Catalog: F3 — new fixture / sample files that may contain copyrighted external content
+# Mitigates: copying real-world web/user content into fixtures triggers license takedowns.
+source "$(dirname "$0")/lib/preamble.sh"
+
+gate_read_input
+
+REPO_NAME="${GATE_REPO##*/}"
+CLONE="$HOME/000-projects/contributing-clanker/$REPO_NAME"
+
+if [[ ! -d "$CLONE/.git" ]]; then
+  gate_skip "no local clone at $CLONE"
+fi
+
+DEFAULT_BRANCH=""
+if [[ -n "$GATE_DOSSIER_PATH" && -f "$GATE_DOSSIER_PATH" ]]; then
+  DEFAULT_BRANCH=$(fm_field "$GATE_DOSSIER_PATH" "default_branch")
+fi
+[[ -z "$DEFAULT_BRANCH" ]] && DEFAULT_BRANCH="main"
+
+ADDED=$(/usr/bin/git -C "$CLONE" diff "$DEFAULT_BRANCH..HEAD" --name-only --diff-filter=A 2>/dev/null || /usr/bin/echo "")
+
+FIXTURES=$(/usr/bin/printf '%s\n' "$ADDED" | /usr/bin/grep -E '(tests/fixtures/|tests/data/|__fixtures__/|(^|/)fixtures/|test_data/|testdata/|(^|/)samples/)' || /usr/bin/echo "")
+
+if [[ -z "$FIXTURES" ]]; then
+  gate_pass "no new fixture / sample files added"
+fi
+
+LIST=$(/usr/bin/printf '%s' "$FIXTURES" | /usr/bin/tr '\n' ',' | /usr/bin/sed 's/,$//')
+gate_inform "new fixture / sample files added — verify provenance manually: $LIST"

package/skills/contribute/scripts/gates/f04-override-disclosure.sh

@@ -0,0 +1,49 @@
+#!/usr/bin/env bash
+# Catalog: F4 — Override disclosure required in PR body
+# Mitigates: Round-1 maintainer GAP-10 + security GAP-2 + portfolio GAP-3 —
+# `--override-gate=<id>` writes audit trail to log.jsonl + candidate .md, but
+# both are private to the contributor. From the maintainer's POV, the
+# override mechanism is plausible-deniability theater. This gate forces any
+# PR submitted with overrides to include a `## Safety override disclosure`
+# section in the PR body listing each override + reason.
+source "$(dirname "$0")/lib/preamble.sh"
+
+gate_read_input
+
+# Read overrides from candidate frontmatter
+OVERRIDES=$(/usr/bin/awk '/^overrides:/{flag=1;next} /^[a-z_]+:/{flag=0} flag' "$GATE_CANDIDATE_PATH" 2>/dev/null || /usr/bin/echo "")
+
+if [[ -z "$OVERRIDES" ]]; then
+  gate_pass "no overrides used; nothing to disclose"
+fi
+
+# Count overrides
+OVERRIDE_COUNT=$(/usr/bin/printf '%s\n' "$OVERRIDES" | /usr/bin/grep -c 'gate:' || /usr/bin/echo 0)
+
+# Read PR body draft from candidate (## PR body section)
+PR_BODY=$(/usr/bin/awk '/^## PR body/{flag=1;next} /^## /{flag=0} flag' "$GATE_CANDIDATE_PATH" 2>/dev/null || /usr/bin/echo "")
+
+if [[ -z "$PR_BODY" ]]; then
+  gate_inform "$OVERRIDE_COUNT overrides used but no PR body drafted yet — re-run at open-pr"
+fi
+
+# Look for the disclosure section in the PR body
+if /usr/bin/printf '%s' "$PR_BODY" | /usr/bin/grep -qiE '^## (Safety override|Override) disclosure'; then
+  # Check that each override gate ID is mentioned in the body
+  MISSING=()
+  while IFS= read -r OG; do
+    GID=$(/usr/bin/printf '%s' "$OG" | /usr/bin/grep -oP 'gate:\s*\K[A-Z0-9]+')
+    [[ -z "$GID" ]] && continue
+    if ! /usr/bin/printf '%s' "$PR_BODY" | /usr/bin/grep -qE "\b$GID\b"; then
+      MISSING+=("$GID")
+    fi
+  done < <(/usr/bin/printf '%s\n' "$OVERRIDES" | /usr/bin/grep 'gate:')
+
+  if [[ "${#MISSING[@]}" -eq 0 ]]; then
+    gate_pass "all $OVERRIDE_COUNT overrides disclosed in PR body"
+  else
+    gate_block "PR body has '## Safety override disclosure' section but doesn't mention overrides: ${MISSING[*]}" "list each override gate ID in the disclosure section with the reason you used it"
+  fi
+fi
+
+gate_block "$OVERRIDE_COUNT safety overrides used but PR body lacks '## Safety override disclosure' section" "add a section to the PR body enumerating each override + reason. This is the maintainer-visible audit trail; without it the override mechanism is invisible to the people the safety system is supposed to protect."

package/skills/contribute/scripts/gates/g01-no-vendored-edits.sh

@@ -0,0 +1,52 @@
+#!/usr/bin/env bash
+# Catalog: G1 — Block hand-edits to vendored / generated paths
+# Vendored dirs (vendor/, node_modules/, dist/, etc.) must regenerate from
+# source. Lockfile changes are common and legitimate (dependency bumps);
+# treat them as WARN, not BLOCK.
+source "$(dirname "$0")/lib/preamble.sh"
+
+gate_read_input
+
+CLONE="$HOME/000-projects/contributing-clanker/${GATE_REPO##*/}"
+
+if [[ ! -d "$CLONE/.git" ]]; then
+  gate_skip "no local clone at $CLONE"
+fi
+
+DEFAULT_BRANCH=$(fm_field "$GATE_DOSSIER_PATH" "default_branch")
+[[ -z "$DEFAULT_BRANCH" ]] && DEFAULT_BRANCH="main"
+
+CHANGED=$(/usr/bin/git -C "$CLONE" diff "$DEFAULT_BRANCH..HEAD" --name-only 2>/dev/null || /usr/bin/echo "")
+
+if [[ -z "${CHANGED// /}" ]]; then
+  gate_pass "no changed files"
+fi
+
+VENDOR_HITS=()
+LOCKFILE_HITS=()
+
+# Vendor-dir patterns (BLOCK)
+VENDOR_RE='^(vendor/|node_modules/|\.next/|dist/|build/|generated/|_generated/)'
+# Lockfile patterns (WARN)
+LOCKFILE_RE='(^pnpm-lock\.yaml$|^package-lock\.json$|^Cargo\.lock$|^poetry\.lock$|^uv\.lock$|^yarn\.lock$|\.lock$)'
+
+while IFS= read -r f; do
+  [[ -z "$f" ]] && continue
+  if /usr/bin/printf '%s' "$f" | /usr/bin/grep -qE "$VENDOR_RE"; then
+    VENDOR_HITS+=("$f")
+  elif /usr/bin/printf '%s' "$f" | /usr/bin/grep -qE "$LOCKFILE_RE"; then
+    LOCKFILE_HITS+=("$f")
+  fi
+done <<< "$CHANGED"
+
+if (( ${#VENDOR_HITS[@]} > 0 )); then
+  JOINED=$(/usr/bin/printf '%s, ' "${VENDOR_HITS[@]}" | /usr/bin/sed 's/, $//')
+  gate_block "vendored/generated paths edited: $JOINED" "regenerate from source instead of editing by hand; if this is intentional, override with --override-gate G1"
+fi
+
+if (( ${#LOCKFILE_HITS[@]} > 0 )); then
+  JOINED=$(/usr/bin/printf '%s, ' "${LOCKFILE_HITS[@]}" | /usr/bin/sed 's/, $//')
+  gate_warn "lockfile changes detected: $JOINED" "verify the lockfile changes are intentional (dependency bumps) and not stale-checkout artifacts"
+fi
+
+gate_pass "no vendored/generated path edits"

package/skills/contribute/scripts/gates/g02-protected-paths.sh

@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+# Catalog: G2 — diff touches infrastructure / CI paths that maintainers gate-keep
+# Mitigates: drive-by edits to .github/workflows or terraform/ rarely land first try.
+source "$(dirname "$0")/lib/preamble.sh"
+
+gate_read_input
+
+REPO_NAME="${GATE_REPO##*/}"
+CLONE="$HOME/000-projects/contributing-clanker/$REPO_NAME"
+
+if [[ ! -d "$CLONE/.git" ]]; then
+  gate_skip "no local clone at $CLONE"
+fi
+
+DEFAULT_BRANCH=""
+if [[ -n "$GATE_DOSSIER_PATH" && -f "$GATE_DOSSIER_PATH" ]]; then
+  DEFAULT_BRANCH=$(fm_field "$GATE_DOSSIER_PATH" "default_branch")
+fi
+[[ -z "$DEFAULT_BRANCH" ]] && DEFAULT_BRANCH="main"
+
+CHANGED=$(/usr/bin/git -C "$CLONE" diff "$DEFAULT_BRANCH..HEAD" --name-only 2>/dev/null || /usr/bin/echo "")
+
+PROTECTED=$(/usr/bin/printf '%s\n' "$CHANGED" | /usr/bin/grep -E '(\.github/workflows/|^infrastructure/|^terraform/|^helm/|^k8s/|^kubernetes/|^\.circleci/|^charts/)' || /usr/bin/echo "")
+
+if [[ -z "$PROTECTED" ]]; then
+  gate_pass "diff does not touch protected infrastructure / CI paths"
+fi
+
+LIST=$(/usr/bin/printf '%s' "$PROTECTED" | /usr/bin/tr '\n' ',' | /usr/bin/sed 's/,$//')
+gate_warn "diff touches protected paths: $LIST" "infrastructure / CI changes deserve maintainer pre-approval; consider opening a Design Issue first to discuss the change"