@marcusrbrown/infra 0.4.4 → 0.4.6

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@marcusrbrown/infra",
-  "version": "0.4.4",
+  "version": "0.4.6",
   "description": "Infrastructure management CLI — deploy automation, health checks, and MCP bridge",
   "keywords": [
     "infra",
@@ -35,6 +35,9 @@
     "string-dedent": "^3.0.2",
     "zod": "^4.3.6"
   },
+  "devDependencies": {
+    "yaml": "^2.8.3"
+  },
   "engines": {
     "bun": ">=1.0.0"
   },

package/src/__snapshots__/cli.test.ts.snap

@@ -14,7 +14,7 @@ Commands:
     --verbose                          Enable verbose output for all commands
 
 
-  keeweb deploy                        Trigger KeeWeb deployment. Default mode dispatches the GitHub Deploy workflow. Use --local to run apps/keeweb/deploy.sh directly from this repo.
+  keeweb deploy                        Trigger KeeWeb deployment. Default mode dispatches the GitHub Deploy KeeWeb workflow. Use --local to run apps/keeweb/deploy.sh directly from this repo.
 
     --local                            Run local deployment using apps/keeweb/deploy.sh instead of triggering GitHub Actions. (default: false)
     --nginx                            Include nginx config deployment. Valid only with --local and passed through to deploy.sh as --nginx. (default: false)
@@ -31,7 +31,7 @@ Commands:
     --verbose                          Enable verbose output for all commands
 
 
-  cliproxy deploy                      Deploy CLIProxyAPI. Default mode triggers the GitHub Deploy workflow, while --local runs apps/cliproxy/src/deploy.ts directly with Bun.
+  cliproxy deploy                      Deploy CLIProxyAPI. Default mode triggers the GitHub Deploy CLIProxy workflow, while --local runs apps/cliproxy/src/deploy.ts directly with Bun.
 
     --local                            Run local deployment with Bun using apps/cliproxy/src/deploy.ts instead of triggering GitHub Actions. (default: false)
     --force-config                     Force upload config.yaml even if it exists on the server. WARNING: overwrites runtime API keys and settings. (default: false)

package/src/commands/cliproxy/deploy.ts

@@ -5,8 +5,8 @@ import {resolve} from 'node:path'
 import {z} from 'zod'
 
 const REPO = 'marcusrbrown/infra'
-const WORKFLOW_NAME = 'Deploy'
-const WORKFLOW_URL = 'https://github.com/marcusrbrown/infra/actions/workflows/deploy.yaml'
+const WORKFLOW_NAME = 'Deploy CLIProxy'
+const WORKFLOW_URL = 'https://github.com/marcusrbrown/infra/actions/workflows/deploy-cliproxy.yaml'
 
 type CliInstance = ReturnType<typeof goke>
 
@@ -66,7 +66,7 @@ export function registerCliproxyDeploy(cli: CliInstance): void {
   cli
     .command(
       'cliproxy deploy',
-      'Deploy CLIProxyAPI. Default mode triggers the GitHub Deploy workflow, while --local runs apps/cliproxy/src/deploy.ts directly with Bun.',
+      'Deploy CLIProxyAPI. Default mode triggers the GitHub Deploy CLIProxy workflow, while --local runs apps/cliproxy/src/deploy.ts directly with Bun.',
     )
     .option(
       '--local',

package/src/commands/cliproxy/setup.test.ts

@@ -8,8 +8,10 @@ import {
   formatWorkflowSnippet,
   getHarnessTemplate,
   interpretGhContentResult,
+  isGhRateLimitError,
   registerCliproxySetup,
   validateSetupOptions,
+  withGhRetry,
   type SecretAssignment,
   type VariableAssignment,
 } from './setup'
@@ -266,6 +268,62 @@ describe('cliproxy setup helpers', () => {
     })
   })
 
+  describe('isGhRateLimitError', () => {
+    it('returns true when text contains "rate limit"', () => {
+      expect(isGhRateLimitError('API rate limit exceeded')).toBe(true)
+    })
+
+    it('is case-insensitive', () => {
+      expect(isGhRateLimitError('You have exceeded a secondary RATE LIMIT')).toBe(true)
+    })
+
+    it('returns false for unrelated error messages', () => {
+      expect(isGhRateLimitError('Not Found (HTTP 404)')).toBe(false)
+    })
+
+    it('returns false for an empty string', () => {
+      expect(isGhRateLimitError('')).toBe(false)
+    })
+
+    it('returns false for a connection timeout', () => {
+      expect(isGhRateLimitError('connection timeout')).toBe(false)
+    })
+  })
+
+  describe('withGhRetry', () => {
+    it('returns the value when fn succeeds immediately', async () => {
+      const result = await withGhRetry('test label', async () => 'ok', false)
+
+      expect(result).toBe('ok')
+    })
+
+    it('re-throws non-rate-limit errors without querying the reset time', async () => {
+      const queryReset = async (): Promise<string> => {
+        throw new Error('queryReset should not have been called')
+      }
+      const err = new Error('some other error')
+
+      await expect(withGhRetry('test label', async () => Promise.reject(err), false, queryReset)).rejects.toThrow(
+        'some other error',
+      )
+    })
+
+    it('re-throws with reset time appended in non-interactive mode on rate limit', async () => {
+      const queryReset = async (): Promise<string> => '2:30 PM'
+
+      await expect(
+        withGhRetry(
+          'test label',
+          async () => {
+            throw new Error('API rate limit exceeded for url')
+          },
+          false,
+          queryReset,
+        ),
+      ).rejects.toThrow('resets at 2:30 PM')
+    })
+  })
+
   describe('help output', () => {
     it('shows --key, --repo, and --harness flags', () => {
       const cli = goke('infra')

package/src/commands/cliproxy/setup.ts

@@ -225,6 +225,75 @@ async function runGh(args: string[]): Promise<CommandResult> {
   return runCommand('gh', args)
 }
 
+export function isGhRateLimitError(text: string): boolean {
+  return /rate limit/i.test(text)
+}
+
+/**
+ * Query the GitHub API rate limit reset time. The `rate_limit` endpoint is
+ * exempt from rate limiting itself, so this should succeed even when the
+ * primary GraphQL limit is exhausted. Returns a formatted local time string
+ * or a fallback phrase when the endpoint is unreachable.
+ */
+async function queryRateLimitReset(): Promise<string> {
+  try {
+    const result = await runGh(['api', 'rate_limit'])
+    if (result.exitCode === 0) {
+      const parsed = JSON.parse(result.stdout) as {
+        resources?: {graphql?: {reset?: number}; core?: {reset?: number}}
+      }
+      const reset = parsed.resources?.graphql?.reset ?? parsed.resources?.core?.reset
+      if (reset) {
+        return new Date(reset * 1000).toLocaleTimeString([], {hour: '2-digit', minute: '2-digit'})
+      }
+    }
+  } catch {
+    // Fall through to generic phrase
+  }
+  return 'an unknown time'
+}
+
+/**
+ * Run a GitHub API operation wrapped in a spinner, retrying indefinitely on
+ * rate-limit errors when in interactive mode. In non-interactive mode the
+ * error is re-thrown with the reset time appended so the caller can surface
+ * it without prompting.
+ */
+export async function withGhRetry<T>(
+  label: string,
+  fn: (spinnerInstance: SpinnerResult) => Promise<T>,
+  interactive: boolean,
+  queryReset: () => Promise<string> = queryRateLimitReset,
+): Promise<T> {
+  for (;;) {
+    try {
+      return await withSpinner(label, fn)
+    } catch (error) {
+      const message = extractErrorMessage(error)
+      if (!isGhRateLimitError(message)) {
+        throw error
+      }
+      const reset = await queryReset()
+      if (!interactive) {
+        throw new Error(`${message} — GitHub API rate limit resets at ${reset}. Re-run when ready.`)
+      }
+      log.warn(`GitHub API rate limit exceeded. Resets at ${reset}.`)
+      const retry = await promptValue(
+        confirm({
+          message: 'Retry this step when ready?',
+          active: 'retry',
+          inactive: 'abort',
+          initialValue: true,
+        }),
+        'Setup aborted after rate limit.',
+      )
+      if (!retry) {
+        cancelAndExit('Setup aborted after GitHub API rate limit.')
+      }
+    }
+  }
+}
+
 async function assertGhInstalled(): Promise<void> {
   if (!Bun.which('gh')) {
     throw new Error('GitHub CLI is required for cliproxy setup. Install gh first: https://cli.github.com/')
@@ -720,9 +789,13 @@ export function registerCliproxySetup(cli: ReturnType<typeof goke>): void {
           resolveManagementKey()
         }
 
-        await withSpinner(`Checking GitHub access for ${plan.repo}`, async () => {
-          await assertRepoAccess(plan.repo)
-        })
+        await withGhRetry(
+          `Checking GitHub access for ${plan.repo}`,
+          async () => {
+            await assertRepoAccess(plan.repo)
+          },
+          interactive,
+        )
 
         if (options.key) {
           log.info('Using the provided API key value directly. No new CLIProxyAPI key will be created.')
@@ -756,10 +829,12 @@ export function registerCliproxySetup(cli: ReturnType<typeof goke>): void {
           }
         }
 
-        const [existingSecrets, existingVariables] = await Promise.all([
-          listExistingGhNames(plan.repo, 'secret'),
-          listExistingGhNames(plan.repo, 'variable'),
-        ])
+        const [existingSecrets, existingVariables] = await withGhRetry(
+          'Checking existing GitHub secrets and variables',
+          async () =>
+            Promise.all([listExistingGhNames(plan.repo, 'secret'), listExistingGhNames(plan.repo, 'variable')]),
+          interactive,
+        )
         const collisions = collectCollisions(plan.template, existingSecrets, existingVariables)
 
         if (collisions.length > 0) {
@@ -796,26 +871,34 @@ export function registerCliproxySetup(cli: ReturnType<typeof goke>): void {
         }
 
         try {
-          await withSpinner('Writing GitHub secrets and variables', async spinnerInstance => {
-            for (const secret of plan.template.secrets) {
-              spinnerInstance.message(`Setting secret ${secret.name}`)
-              await applyGhValue('secret', secret.name, plan.repo, secret.value)
-            }
+          await withGhRetry(
+            'Writing GitHub secrets and variables',
+            async spinnerInstance => {
+              for (const secret of plan.template.secrets) {
+                spinnerInstance.message(`Setting secret ${secret.name}`)
+                await applyGhValue('secret', secret.name, plan.repo, secret.value)
+              }
 
-            for (const variable of plan.template.variables) {
-              spinnerInstance.message(`Setting variable ${variable.name}`)
-              await applyGhValue('variable', variable.name, plan.repo, variable.value)
-            }
-          })
+              for (const variable of plan.template.variables) {
+                spinnerInstance.message(`Setting variable ${variable.name}`)
+                await applyGhValue('variable', variable.name, plan.repo, variable.value)
+              }
+            },
+            interactive,
+          )
 
           await withSpinner('Verifying the new key through the proxy', async () => {
             await assertProxyKeyWorks(baseUrl, plan.keyValue)
           })
 
           if (plan.harness === 'opencode') {
-            const workflow = await withSpinner(`Checking ${plan.repo} fro-bot.yaml wiring`, async () => {
-              return checkFroBotWorkflow(plan.repo)
-            })
+            const workflow = await withGhRetry(
+              `Checking ${plan.repo} fro-bot.yaml wiring`,
+              async () => {
+                return checkFroBotWorkflow(plan.repo)
+              },
+              interactive,
+            )
 
             switch (workflow.kind) {
               case 'missing': {

package/src/commands/keeweb/deploy.ts

@@ -4,8 +4,8 @@ import {resolve} from 'node:path'
 import {z} from 'zod'
 
 const REPO = 'marcusrbrown/infra'
-const WORKFLOW_NAME = 'Deploy'
-const WORKFLOW_URL = 'https://github.com/marcusrbrown/infra/actions/workflows/deploy.yaml'
+const WORKFLOW_NAME = 'Deploy KeeWeb'
+const WORKFLOW_URL = 'https://github.com/marcusrbrown/infra/actions/workflows/deploy-keeweb.yaml'
 
 const DEFAULT_HOST = 'box.heatvision.co'
 const DEFAULT_REMOTE_USER = 'deploy-kw'
@@ -87,7 +87,7 @@ export function registerKeewebDeploy(cli: CliInstance): void {
   cli
     .command(
       'keeweb deploy',
-      'Trigger KeeWeb deployment. Default mode dispatches the GitHub Deploy workflow. Use --local to run apps/keeweb/deploy.sh directly from this repo.',
+      'Trigger KeeWeb deployment. Default mode dispatches the GitHub Deploy KeeWeb workflow. Use --local to run apps/keeweb/deploy.sh directly from this repo.',
     )
     .option(
       '--local',
@@ -114,7 +114,7 @@ export function registerKeewebDeploy(cli: CliInstance): void {
           'Print planned actions without validating preconditions, executing deploy.sh, or triggering GitHub Actions.',
         ),
     )
-    .example('# Trigger GitHub Deploy workflow (default mode)')
+    .example('# Trigger GitHub Deploy KeeWeb workflow (default mode)')
     .example('infra keeweb deploy')
     .example('# Preview local deploy plan without side effects')
     .example('infra keeweb deploy --local --dry-run')
@@ -170,7 +170,9 @@ export function registerKeewebDeploy(cli: CliInstance): void {
 
       validateRemotePreconditions()
 
-      console.warn('Warning: the Deploy workflow includes nginx config deployment as part of workflow_dispatch logic.')
+      console.warn(
+        'Warning: the Deploy KeeWeb workflow includes nginx config deployment as part of workflow_dispatch logic.',
+      )
       console.warn('Warning: the workflow requires keeweb environment approval before jobs execute.')
 
       const child = Bun.spawn(['gh', 'workflow', 'run', WORKFLOW_NAME, '--repo', REPO], {
@@ -180,7 +182,7 @@ export function registerKeewebDeploy(cli: CliInstance): void {
 
       const exitCode = await child.exited
       if (exitCode !== 0) {
-        throw new Error(`Failed to trigger Deploy workflow (exit code ${exitCode})`)
+        throw new Error(`Failed to trigger Deploy KeeWeb workflow (exit code ${exitCode})`)
       }
 
       console.log(`Workflow triggered: ${WORKFLOW_URL}`)

package/src/commands/keeweb/status.ts

@@ -116,7 +116,7 @@ export async function checkLastDeploy(verbose: boolean): Promise<CheckResult> {
         'gh',
         'run',
         'list',
-        '--workflow=Deploy',
+        '--workflow=Deploy KeeWeb',
         '--status=success',
         '--limit=1',
         '--json',
@@ -164,7 +164,7 @@ export async function checkLastDeploy(verbose: boolean): Promise<CheckResult> {
       return {
         title: 'Last successful deploy',
         level: 'warning',
-        summary: 'No successful Deploy workflow runs found',
+        summary: 'No successful Deploy KeeWeb workflow runs found',
       }
     }
 

package/src/conventions.test.ts

@@ -0,0 +1,316 @@
+import {relative, resolve} from 'node:path'
+import {describe, expect, it} from 'bun:test'
+import {parse as parseYaml} from 'yaml'
+
+const REPO_ROOT = resolve(import.meta.dir, '../../..')
+const INTERNAL_ORGS = new Set(['marcusrbrown'])
+const ALLOWED_SHELL_SCRIPTS = new Set(['apps/keeweb/deploy.sh'])
+
+// Accepted version-comment forms on SHA-pinned `uses:` lines:
+//   # v6.0.2                        (semver tag)
+//   # renovate-changesets@0.2.31    (scoped release tag)
+const VERSION_COMMENT_RE = /^#\s+(?:v\d+(?:\.\d+){0,2}|[\w@/-]+@\d+(?:\.\d+){0,2})\s*$/
+
+// Match `[- ]uses: owner/repo@<sha>[ trailing]` — step-level (indented, possibly dash-prefixed) and job-level.
+// Uses [ \t] instead of \s to avoid regex backtracking ambiguity between overlapping quantifiers.
+const USES_SHA_LINE_RE = /^[ \t]+(?:-[ \t]+)?uses:[ \t]+(\S+)@([a-f0-9]{7,})(?:[ \t]+(\S.*))?$/
+
+interface Violation {
+  file: string
+  detail: string
+}
+
+// `.github/` is a dot-directory; Bun.Glob skips dot-dirs by default, so every
+// glob that traverses `.github/` must pass `{ dot: true }`. Without it, the
+// workflow rules silently pass on an empty file set. The tripwire test at the
+// top of the suite asserts the file count is >= 1 to catch this regression.
+function listWorkflowFiles(extension: '.yaml' | '.yml'): string[] {
+  const glob = new Bun.Glob(`.github/workflows/*${extension}`)
+  return [...glob.scanSync({cwd: REPO_ROOT, absolute: true, dot: true})]
+}
+
+function listPackageJsonFiles(): string[] {
+  // Bun.Glob auto-excludes node_modules/** by default; no package.json lives under dot-dirs.
+  const glob = new Bun.Glob('**/package.json')
+  return [...glob.scanSync({cwd: REPO_ROOT, absolute: true})].filter(f => !f.includes('/node_modules/'))
+}
+
+function listShellScriptFiles(): string[] {
+  const glob = new Bun.Glob('**/*.sh')
+  return [...glob.scanSync({cwd: REPO_ROOT, absolute: true})].filter(
+    f => !f.includes('/node_modules/') && !f.includes('/.cache/') && !f.includes('/dist/'),
+  )
+}
+
+/**
+ * Detect cross-org `secrets: inherit` on reusable-workflow job calls.
+ *
+ * Rules:
+ *   - Jobs without a `uses:` string are step-based and out of scope.
+ *   - `uses:` values starting with `./` or `../` are local reusable workflows; `secrets: inherit` is legitimate.
+ *   - `uses:` values whose owner (first path segment) is in INTERNAL_ORGS are same-org; `secrets: inherit` is legitimate.
+ *   - Everything else is cross-org and must not use `secrets: inherit`.
+ */
+export function findCrossOrgSecretsInherit(parsed: unknown): {jobId: string; uses: string}[] {
+  if (typeof parsed !== 'object' || parsed === null) return []
+  const jobs = (parsed as {jobs?: Record<string, unknown>}).jobs
+  if (typeof jobs !== 'object' || jobs === null) return []
+
+  const violations: {jobId: string; uses: string}[] = []
+  for (const [jobId, jobRaw] of Object.entries(jobs)) {
+    if (typeof jobRaw !== 'object' || jobRaw === null) continue
+    const job = jobRaw as {uses?: unknown; secrets?: unknown}
+    if (typeof job.uses !== 'string') continue
+    if (job.uses.startsWith('./') || job.uses.startsWith('../')) continue
+    const owner = job.uses.split('/')[0] ?? ''
+    if (INTERNAL_ORGS.has(owner)) continue
+    if (job.secrets === 'inherit') {
+      violations.push({jobId, uses: job.uses})
+    }
+  }
+  return violations
+}
+
+describe('repo conventions', () => {
+  it('tripwire: workflow glob resolves to at least one file (catches dot-dir glob regressions)', () => {
+    const workflows = listWorkflowFiles('.yaml')
+    expect(workflows.length).toBeGreaterThan(0)
+  })
+
+  it('no `bundledDependencies` in any package.json', async () => {
+    const files = listPackageJsonFiles()
+    const offenders: string[] = []
+    for (const file of files) {
+      const json = (await Bun.file(file).json()) as Record<string, unknown>
+      if ('bundledDependencies' in json) {
+        offenders.push(relative(REPO_ROOT, file))
+      }
+    }
+    expect(offenders).toEqual([])
+  })
+
+  it("apps/keeweb/config/config.json has settings.dropboxSecret === ''", async () => {
+    const configPath = resolve(REPO_ROOT, 'apps/keeweb/config/config.json')
+    const config = (await Bun.file(configPath).json()) as {
+      settings?: {dropboxSecret?: unknown}
+    }
+    expect(config.settings?.dropboxSecret).toBe('')
+  })
+
+  it('no `secrets: inherit` on any job whose `uses:` points to a cross-org workflow', async () => {
+    const files = listWorkflowFiles('.yaml')
+    const violations: Violation[] = []
+    for (const file of files) {
+      const text = await Bun.file(file).text()
+      const parsed = parseYaml(text, {merge: true})
+      for (const v of findCrossOrgSecretsInherit(parsed)) {
+        violations.push({
+          file: relative(REPO_ROOT, file),
+          detail: `job '${v.jobId}' uses '${v.uses}' with secrets: inherit`,
+        })
+      }
+    }
+    expect(violations).toEqual([])
+  })
+
+  it('no `ssh-keyscan` under .github/workflows/**', async () => {
+    const files = listWorkflowFiles('.yaml')
+    const violations: Violation[] = []
+    for (const file of files) {
+      const text = await Bun.file(file).text()
+      const lines = text.split(/\r?\n/)
+      for (const [index, line] of lines.entries()) {
+        if (/\bssh-keyscan\b/.test(line)) {
+          violations.push({
+            file: relative(REPO_ROOT, file),
+            detail: `line ${index + 1}: ${line.trim()}`,
+          })
+        }
+      }
+    }
+    expect(violations).toEqual([])
+  })
+
+  it('every SHA-pinned `uses:` line has a trailing `# vX.Y.Z` or `# scope@X.Y.Z` comment', async () => {
+    const files = listWorkflowFiles('.yaml')
+    const violations: Violation[] = []
+    for (const file of files) {
+      const text = await Bun.file(file).text()
+      const lines = text.split(/\r?\n/)
+      for (const [index, line] of lines.entries()) {
+        const match = line.match(USES_SHA_LINE_RE)
+        if (!match) continue
+        const [, ref = '', sha = '', tail] = match
+        const shortSha = sha.slice(0, 7)
+        if (tail === undefined) {
+          violations.push({
+            file: relative(REPO_ROOT, file),
+            detail: `line ${index + 1}: missing version comment on '${ref}@${shortSha}…'`,
+          })
+        } else if (!VERSION_COMMENT_RE.test(tail.trim())) {
+          violations.push({
+            file: relative(REPO_ROOT, file),
+            detail: `line ${index + 1}: malformed version comment '${tail.trim()}' on '${ref}@${shortSha}…'`,
+          })
+        }
+      }
+    }
+    expect(violations).toEqual([])
+  })
+
+  it('no `.yml` files under .github/workflows/ (use `.yaml`)', () => {
+    const files = listWorkflowFiles('.yml')
+    expect(files.map(f => relative(REPO_ROOT, f))).toEqual([])
+  })
+
+  it('no `.sh` files outside `apps/keeweb/deploy.sh`', () => {
+    const files = listShellScriptFiles()
+    const offenders = files.map(f => relative(REPO_ROOT, f)).filter(f => !ALLOWED_SHELL_SCRIPTS.has(f))
+    expect(offenders).toEqual([])
+  })
+})
+
+// ---------------------------------------------------------------------------
+// (enforced) marker drift detection
+// ---------------------------------------------------------------------------
+//
+// Every bullet in AGENTS.md tagged `(enforced)` must map to a known
+// enforcement mechanism (test or ESLint rule). Adding `(enforced)` without
+// backing enforcement, or deleting the enforcement while keeping the marker,
+// both cause a test failure here.
+//
+// Manifest keys are unique substrings of the AGENTS.md bullet text.
+// Values describe where the enforcement lives — they are documentation only.
+const ENFORCED_MANIFEST: Record<string, string> = {
+  'Only bash script': 'conventions.test.ts: no .sh files outside apps/keeweb/deploy.sh',
+  'GitHub Actions': 'conventions.test.ts: .yaml extension + SHA-pin version comment',
+  'Cross-org reusable workflows': 'conventions.test.ts: no secrets: inherit on cross-org jobs',
+  'as any': 'eslint.config.ts: @typescript-eslint/no-explicit-any + ban-ts-comment at error',
+  'No secret values in tracked files': 'conventions.test.ts: settings.dropboxSecret === empty string',
+  'ssh-keyscan': 'conventions.test.ts: no ssh-keyscan under .github/workflows/**',
+  'Never `secrets: inherit`': 'conventions.test.ts: no secrets: inherit on cross-org jobs',
+  bundledDependencies: 'conventions.test.ts: no bundledDependencies in any package.json',
+}
+
+describe('(enforced) marker drift', () => {
+  it('every (enforced) bullet in AGENTS.md is accounted for in the enforcement manifest', async () => {
+    const agentsMd = await Bun.file(resolve(REPO_ROOT, 'AGENTS.md')).text()
+    const enforcedLines = agentsMd.split(/\r?\n/).filter((l: string) => /\(enforced\)/.test(l))
+
+    // Tripwire — if the grep logic breaks, the whole suite silently passes with 0 checks
+    expect(enforcedLines.length).toBeGreaterThan(0)
+
+    const unmatched = enforcedLines.filter(
+      (line: string) => !Object.keys(ENFORCED_MANIFEST).some((key: string) => line.includes(key)),
+    )
+    expect(unmatched, 'New (enforced) bullet has no manifest entry — add enforcement before tagging').toEqual([])
+  })
+
+  it('every manifest entry corresponds to an actual (enforced) bullet in AGENTS.md', async () => {
+    const agentsMd = await Bun.file(resolve(REPO_ROOT, 'AGENTS.md')).text()
+    const enforcedLines = agentsMd.split(/\r?\n/).filter((l: string) => /\(enforced\)/.test(l))
+
+    const stale = Object.keys(ENFORCED_MANIFEST).filter(
+      (key: string) => !enforcedLines.some((l: string) => l.includes(key)),
+    )
+    expect(stale, 'Manifest entry has no matching (enforced) bullet in AGENTS.md — remove or update').toEqual([])
+  })
+
+  it('@typescript-eslint/no-explicit-any is configured at error severity in eslint.config.ts', async () => {
+    const eslintConfig = await Bun.file(resolve(REPO_ROOT, 'eslint.config.ts')).text()
+    // Matches: '@typescript-eslint/no-explicit-any': 'error'
+    expect(eslintConfig).toMatch(/'@typescript-eslint\/no-explicit-any'\s*:\s*'error'/)
+  })
+
+  it('@typescript-eslint/ban-ts-comment is configured in eslint.config.ts', async () => {
+    const eslintConfig = await Bun.file(resolve(REPO_ROOT, 'eslint.config.ts')).text()
+    expect(eslintConfig).toContain('@typescript-eslint/ban-ts-comment')
+  })
+})
+
+// ---------------------------------------------------------------------------
+// Per-app invariants
+// ---------------------------------------------------------------------------
+//
+// Guard that critical safety mechanisms in each app are not accidentally
+// removed. These are the runtime equivalents of (enforced) markers: code that
+// must remain present for the documented behaviour to hold.
+
+describe('per-app invariants', () => {
+  it('cliproxy deploy.ts guards config.yaml upload with a remoteFileExists() check', async () => {
+    const deployTs = await Bun.file(resolve(REPO_ROOT, 'apps/cliproxy/src/deploy.ts')).text()
+    // The guard: remoteFileExists(host, `${REMOTE_DIR}/config/config.yaml`, env)
+    // This prevents overwriting runtime API keys on the server.
+    expect(deployTs).toContain('remoteFileExists')
+    expect(deployTs).toContain('config.yaml')
+  })
+
+  it('keeweb build.ts defines an EXPECTED_SHA256 constant for archive integrity', async () => {
+    const buildTs = await Bun.file(resolve(REPO_ROOT, 'apps/keeweb/src/build.ts')).text()
+    // EXPECTED_SHA256 is the KeeWeb release zip checksum; its presence proves
+    // SHA verification is wired in and was not accidentally stripped.
+    expect(buildTs).toMatch(/const\s+EXPECTED_SHA256\s*=/)
+  })
+})
+
+describe('findCrossOrgSecretsInherit', () => {
+  it('flags a cross-org reusable workflow that uses `secrets: inherit`', () => {
+    const parsed = parseYaml(`
+jobs:
+  build:
+    uses: bfra-me/.github/.github/workflows/example.yaml@abc1234
+    secrets: inherit
+`)
+    const violations = findCrossOrgSecretsInherit(parsed)
+    expect(violations).toHaveLength(1)
+    expect(violations[0]?.jobId).toBe('build')
+    expect(violations[0]?.uses).toContain('bfra-me/')
+  })
+
+  it('allows a same-org reusable workflow to use `secrets: inherit`', () => {
+    const parsed = parseYaml(`
+jobs:
+  release:
+    uses: marcusrbrown/infra/.github/workflows/release.yaml@sha
+    secrets: inherit
+`)
+    expect(findCrossOrgSecretsInherit(parsed)).toEqual([])
+  })
+
+  it('allows a local (./) reusable workflow to use `secrets: inherit`', () => {
+    const parsed = parseYaml(`
+jobs:
+  build:
+    uses: ./.github/workflows/local.yaml
+    secrets: inherit
+`)
+    expect(findCrossOrgSecretsInherit(parsed)).toEqual([])
+  })
+
+  it('ignores `secrets: inherit` strings appearing inside prose block scalars', () => {
+    // Mirrors fro-bot.yaml: SCHEDULE_PROMPT contains the literal string
+    // `secrets: inherit` inside a prompt heredoc, but no job-level key exists.
+    const parsed = parseYaml(`
+env:
+  SCHEDULE_PROMPT: |
+    Remember: never use secrets: inherit with cross-org workflows.
+jobs:
+  run:
+    runs-on: ubuntu-latest
+    steps:
+      - run: echo hi
+`)
+    expect(findCrossOrgSecretsInherit(parsed)).toEqual([])
+  })
+
+  it('does not flag jobs without a `uses:` key (step-based jobs)', () => {
+    const parsed = parseYaml(`
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - run: echo hi
+`)
+    expect(findCrossOrgSecretsInherit(parsed)).toEqual([])
+  })
+})