@momentiq/dark-factory-cli 0.1.0-alpha.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (132) hide show
  1. package/LICENSE +201 -0
  2. package/README.md +150 -0
  3. package/dist/adapters/_shared.d.ts +45 -0
  4. package/dist/adapters/_shared.d.ts.map +1 -0
  5. package/dist/adapters/_shared.js +200 -0
  6. package/dist/adapters/_shared.js.map +1 -0
  7. package/dist/adapters/codex-sdk.d.ts +279 -0
  8. package/dist/adapters/codex-sdk.d.ts.map +1 -0
  9. package/dist/adapters/codex-sdk.js +930 -0
  10. package/dist/adapters/codex-sdk.js.map +1 -0
  11. package/dist/adapters/critic-result-schema.d.ts +215 -0
  12. package/dist/adapters/critic-result-schema.d.ts.map +1 -0
  13. package/dist/adapters/critic-result-schema.js +153 -0
  14. package/dist/adapters/critic-result-schema.js.map +1 -0
  15. package/dist/adapters/critic.d.ts +62 -0
  16. package/dist/adapters/critic.d.ts.map +1 -0
  17. package/dist/adapters/critic.js +79 -0
  18. package/dist/adapters/critic.js.map +1 -0
  19. package/dist/adapters/cursor-sdk.d.ts +153 -0
  20. package/dist/adapters/cursor-sdk.d.ts.map +1 -0
  21. package/dist/adapters/cursor-sdk.js +818 -0
  22. package/dist/adapters/cursor-sdk.js.map +1 -0
  23. package/dist/adapters/gemini-sdk.d.ts +113 -0
  24. package/dist/adapters/gemini-sdk.d.ts.map +1 -0
  25. package/dist/adapters/gemini-sdk.js +532 -0
  26. package/dist/adapters/gemini-sdk.js.map +1 -0
  27. package/dist/adapters/grok-direct-sdk.d.ts +148 -0
  28. package/dist/adapters/grok-direct-sdk.d.ts.map +1 -0
  29. package/dist/adapters/grok-direct-sdk.js +694 -0
  30. package/dist/adapters/grok-direct-sdk.js.map +1 -0
  31. package/dist/branch-protection/audit_branch_protection.py +759 -0
  32. package/dist/branch-protection/index.d.ts +25 -0
  33. package/dist/branch-protection/index.d.ts.map +1 -0
  34. package/dist/branch-protection/index.js +70 -0
  35. package/dist/branch-protection/index.js.map +1 -0
  36. package/dist/branch-protection/spec-default.yaml +314 -0
  37. package/dist/cli.d.ts +3 -0
  38. package/dist/cli.d.ts.map +1 -0
  39. package/dist/cli.js +581 -0
  40. package/dist/cli.js.map +1 -0
  41. package/dist/cycle-doc-validator/index.d.ts +43 -0
  42. package/dist/cycle-doc-validator/index.d.ts.map +1 -0
  43. package/dist/cycle-doc-validator/index.js +69 -0
  44. package/dist/cycle-doc-validator/index.js.map +1 -0
  45. package/dist/cycle-doc-validator/validate_cycle_doc.py +1260 -0
  46. package/dist/cycle-tracker-sync/attribute_pr_cycle_ref.py +384 -0
  47. package/dist/cycle-tracker-sync/index.d.ts +20 -0
  48. package/dist/cycle-tracker-sync/index.d.ts.map +1 -0
  49. package/dist/cycle-tracker-sync/index.js +71 -0
  50. package/dist/cycle-tracker-sync/index.js.map +1 -0
  51. package/dist/cycle-tracker-sync/sync_cycle_trackers.py +1093 -0
  52. package/dist/evidence/audit-trail.d.ts +59 -0
  53. package/dist/evidence/audit-trail.d.ts.map +1 -0
  54. package/dist/evidence/audit-trail.js +283 -0
  55. package/dist/evidence/audit-trail.js.map +1 -0
  56. package/dist/evidence/index.d.ts +4 -0
  57. package/dist/evidence/index.d.ts.map +1 -0
  58. package/dist/evidence/index.js +29 -0
  59. package/dist/evidence/index.js.map +1 -0
  60. package/dist/evidence/per-sha.d.ts +13 -0
  61. package/dist/evidence/per-sha.d.ts.map +1 -0
  62. package/dist/evidence/per-sha.js +97 -0
  63. package/dist/evidence/per-sha.js.map +1 -0
  64. package/dist/evidence/quality-gates.d.ts +19 -0
  65. package/dist/evidence/quality-gates.d.ts.map +1 -0
  66. package/dist/evidence/quality-gates.js +212 -0
  67. package/dist/evidence/quality-gates.js.map +1 -0
  68. package/dist/git.d.ts +40 -0
  69. package/dist/git.d.ts.map +1 -0
  70. package/dist/git.js +414 -0
  71. package/dist/git.js.map +1 -0
  72. package/dist/glob.d.ts +4 -0
  73. package/dist/glob.d.ts.map +1 -0
  74. package/dist/glob.js +99 -0
  75. package/dist/glob.js.map +1 -0
  76. package/dist/index.d.ts +17 -0
  77. package/dist/index.d.ts.map +1 -0
  78. package/dist/index.js +33 -0
  79. package/dist/index.js.map +1 -0
  80. package/dist/paths.d.ts +12 -0
  81. package/dist/paths.d.ts.map +1 -0
  82. package/dist/paths.js +42 -0
  83. package/dist/paths.js.map +1 -0
  84. package/dist/policy/baseline.d.ts +15 -0
  85. package/dist/policy/baseline.d.ts.map +1 -0
  86. package/dist/policy/baseline.js +115 -0
  87. package/dist/policy/baseline.js.map +1 -0
  88. package/dist/policy/config.d.ts +64 -0
  89. package/dist/policy/config.d.ts.map +1 -0
  90. package/dist/policy/config.js +363 -0
  91. package/dist/policy/config.js.map +1 -0
  92. package/dist/policy/gate.d.ts +80 -0
  93. package/dist/policy/gate.d.ts.map +1 -0
  94. package/dist/policy/gate.js +1019 -0
  95. package/dist/policy/gate.js.map +1 -0
  96. package/dist/policy/index.d.ts +7 -0
  97. package/dist/policy/index.d.ts.map +1 -0
  98. package/dist/policy/index.js +14 -0
  99. package/dist/policy/index.js.map +1 -0
  100. package/dist/policy/merge-queue.d.ts +183 -0
  101. package/dist/policy/merge-queue.d.ts.map +1 -0
  102. package/dist/policy/merge-queue.js +310 -0
  103. package/dist/policy/merge-queue.js.map +1 -0
  104. package/dist/policy/profile.d.ts +98 -0
  105. package/dist/policy/profile.d.ts.map +1 -0
  106. package/dist/policy/profile.js +156 -0
  107. package/dist/policy/profile.js.map +1 -0
  108. package/dist/policy/tdd-classifier.d.ts +18 -0
  109. package/dist/policy/tdd-classifier.d.ts.map +1 -0
  110. package/dist/policy/tdd-classifier.js +79 -0
  111. package/dist/policy/tdd-classifier.js.map +1 -0
  112. package/dist/prompt.d.ts +13 -0
  113. package/dist/prompt.d.ts.map +1 -0
  114. package/dist/prompt.js +175 -0
  115. package/dist/prompt.js.map +1 -0
  116. package/dist/report.d.ts +88 -0
  117. package/dist/report.d.ts.map +1 -0
  118. package/dist/report.js +376 -0
  119. package/dist/report.js.map +1 -0
  120. package/dist/runner.d.ts +30 -0
  121. package/dist/runner.d.ts.map +1 -0
  122. package/dist/runner.js +456 -0
  123. package/dist/runner.js.map +1 -0
  124. package/dist/security.d.ts +2 -0
  125. package/dist/security.d.ts.map +1 -0
  126. package/dist/security.js +19 -0
  127. package/dist/security.js.map +1 -0
  128. package/dist/trusted-surface/rebind.d.ts +10 -0
  129. package/dist/trusted-surface/rebind.d.ts.map +1 -0
  130. package/dist/trusted-surface/rebind.js +154 -0
  131. package/dist/trusted-surface/rebind.js.map +1 -0
  132. package/package.json +78 -0
@@ -0,0 +1,25 @@
1
+ export interface AuditBranchProtectionOptions {
2
+ /** Path to consumer's `spec.yaml`. Falls back to bundled default if missing AND `useBundledDefaultSpec` is true. */
3
+ readonly specPath?: string;
4
+ /** GitHub `owner/repo` slug. Defaults to `$REPO` or `$GITHUB_REPOSITORY`. */
5
+ readonly repo?: string;
6
+ /** Pass `--use-bundled-default-spec` to fall back to the bundled spec. */
7
+ readonly useBundledDefaultSpec?: boolean;
8
+ /** Extra argv after the resolved spec path / repo. */
9
+ readonly args?: ReadonlyArray<string>;
10
+ readonly cwd?: string;
11
+ readonly env?: NodeJS.ProcessEnv;
12
+ readonly repoRoot?: string;
13
+ readonly inheritStdio?: boolean;
14
+ readonly python?: string;
15
+ }
16
+ export interface AuditBranchProtectionResult {
17
+ readonly exitCode: number;
18
+ readonly stdout: string;
19
+ readonly stderr: string;
20
+ }
21
+ export declare function getAuditBranchProtectionScriptPath(): string;
22
+ /** Path to the bundled fallback `spec-default.yaml`. */
23
+ export declare function getBundledDefaultSpecPath(): string;
24
+ export declare function runAuditBranchProtection(options?: AuditBranchProtectionOptions): Promise<AuditBranchProtectionResult>;
25
+ //# sourceMappingURL=index.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/branch-protection/index.ts"],"names":[],"mappings":"AAmBA,MAAM,WAAW,4BAA4B;IAC3C,oHAAoH;IACpH,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAC3B,6EAA6E;IAC7E,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IACvB,0EAA0E;IAC1E,QAAQ,CAAC,qBAAqB,CAAC,EAAE,OAAO,CAAC;IACzC,sDAAsD;IACtD,QAAQ,CAAC,IAAI,CAAC,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IACtC,QAAQ,CAAC,GAAG,CAAC,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,GAAG,CAAC,EAAE,MAAM,CAAC,UAAU,CAAC;IACjC,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,YAAY,CAAC,EAAE,OAAO,CAAC;IAChC,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC;CAC1B;AAED,MAAM,WAAW,2BAA2B;IAC1C,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;CACzB;AAED,wBAAgB,kCAAkC,IAAI,MAAM,CAG3D;AAED,wDAAwD;AACxD,wBAAgB,yBAAyB,IAAI,MAAM,CAGlD;AAED,wBAAgB,wBAAwB,CACtC,OAAO,GAAE,4BAAiC,GACzC,OAAO,CAAC,2BAA2B,CAAC,CAwCtC"}
@@ -0,0 +1,70 @@
1
+ // Service #7 — Branch-Protection Drift Detector
2
+ //
3
+ // Wraps the bundled Python script `audit_branch_protection.py` (Phase C
4
+ // extraction from sage3c per cycle 331.1). The script compares a
5
+ // declarative `spec.yaml` (consumer-supplied or fall back to the bundled
6
+ // `spec-default.yaml`) against the live GitHub branch-protection ruleset
7
+ // for the target repo. It shells out to `gh api` for the live state.
8
+ //
9
+ // The bundled `spec-default.yaml` is shipped as a fallback for first-run
10
+ // audits — consumers SHOULD author their own `spec.yaml` describing their
11
+ // desired branch-protection posture. See `spec-default.yaml` for shape.
12
+ //
13
+ // Design choice: subprocess wrap (Option A). The pure-TS rewrite is
14
+ // tracked as Phase C-PORT follow-up.
15
+ import { spawn } from "node:child_process";
16
+ import { dirname, resolve } from "node:path";
17
+ import { fileURLToPath } from "node:url";
18
+ export function getAuditBranchProtectionScriptPath() {
19
+ const here = dirname(fileURLToPath(import.meta.url));
20
+ return resolve(here, "audit_branch_protection.py");
21
+ }
22
+ /** Path to the bundled fallback `spec-default.yaml`. */
23
+ export function getBundledDefaultSpecPath() {
24
+ const here = dirname(fileURLToPath(import.meta.url));
25
+ return resolve(here, "spec-default.yaml");
26
+ }
27
+ export function runAuditBranchProtection(options = {}) {
28
+ const scriptPath = getAuditBranchProtectionScriptPath();
29
+ const python = options.python ?? "python3";
30
+ const argv = [scriptPath];
31
+ if (options.specPath)
32
+ argv.push(options.specPath);
33
+ if (options.repo)
34
+ argv.push("--repo", options.repo);
35
+ if (options.useBundledDefaultSpec)
36
+ argv.push("--use-bundled-default-spec");
37
+ if (options.args && options.args.length > 0)
38
+ argv.push(...options.args);
39
+ const cwd = options.cwd ?? process.cwd();
40
+ const inherit = options.inheritStdio !== false;
41
+ const env = { ...process.env, ...(options.env ?? {}) };
42
+ if (options.repoRoot)
43
+ env["DF_REPO_ROOT"] = options.repoRoot;
44
+ return new Promise((resolvePromise, rejectPromise) => {
45
+ const child = spawn(python, argv, {
46
+ cwd,
47
+ env,
48
+ stdio: inherit ? "inherit" : ["ignore", "pipe", "pipe"],
49
+ });
50
+ let stdout = "";
51
+ let stderr = "";
52
+ if (!inherit) {
53
+ child.stdout?.on("data", (chunk) => {
54
+ stdout += chunk.toString("utf8");
55
+ });
56
+ child.stderr?.on("data", (chunk) => {
57
+ stderr += chunk.toString("utf8");
58
+ });
59
+ }
60
+ child.on("error", (err) => rejectPromise(err));
61
+ child.on("close", (code) => {
62
+ resolvePromise({
63
+ exitCode: code === null ? -1 : code,
64
+ stdout,
65
+ stderr,
66
+ });
67
+ });
68
+ });
69
+ }
70
+ //# sourceMappingURL=index.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/branch-protection/index.ts"],"names":[],"mappings":"AAAA,gDAAgD;AAChD,EAAE;AACF,wEAAwE;AACxE,iEAAiE;AACjE,yEAAyE;AACzE,yEAAyE;AACzE,qEAAqE;AACrE,EAAE;AACF,yEAAyE;AACzE,0EAA0E;AAC1E,wEAAwE;AACxE,EAAE;AACF,oEAAoE;AACpE,qCAAqC;AAErC,OAAO,EAAE,KAAK,EAAE,MAAM,oBAAoB,CAAC;AAC3C,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAC7C,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AAwBzC,MAAM,UAAU,kCAAkC;IAChD,MAAM,IAAI,GAAG,OAAO,CAAC,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;IACrD,OAAO,OAAO,CAAC,IAAI,EAAE,4BAA4B,CAAC,CAAC;AACrD,CAAC;AAED,wDAAwD;AACxD,MAAM,UAAU,yBAAyB;IACvC,MAAM,IAAI,GAAG,OAAO,CAAC,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;IACrD,OAAO,OAAO,CAAC,IAAI,EAAE,mBAAmB,CAAC,CAAC;AAC5C,CAAC;AAED,MAAM,UAAU,wBAAwB,CACtC,UAAwC,EAAE;IAE1C,MAAM,UAAU,GAAG,kCAAkC,EAAE,CAAC;IACxD,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,IAAI,SAAS,CAAC;IAE3C,MAAM,IAAI,GAAa,CAAC,UAAU,CAAC,CAAC;IACpC,IAAI,OAAO,CAAC,QAAQ;QAAE,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;IAClD,IAAI,OAAO,CAAC,IAAI;QAAE,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,OAAO,CAAC,IAAI,CAAC,CAAC;IACpD,IAAI,OAAO,CAAC,qBAAqB;QAAE,IAAI,CAAC,IAAI,CAAC,4BAA4B,CAAC,CAAC;IAC3E,IAAI,OAAO,CAAC,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC;QAAE,IAAI,CAAC,IAAI,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAExE,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC;IACzC,MAAM,OAAO,GAAG,OAAO,CAAC,YAAY,KAAK,KAAK,CAAC;IAC/C,MAAM,GAAG,GAAsB,EAAE,GAAG,OAAO,CAAC,GAAG,EAAE,GAAG,CAAC,OAAO,CAAC,GAAG,IAAI,EAAE,CAAC,EAAE,CAAC;IAC1E,IAAI,OAAO,CAAC,QAAQ;QAAE,GAAG,CAAC,cAAc,CAAC,GAAG,OAAO,CAAC,QAAQ,CAAC;IAE7D,OAAO,IAAI,OAAO,CAA8B,CAAC,cAAc,EAAE,aAAa,EAAE,EAAE;QAChF,MAAM,KAAK,GAAG,KAAK,CAAC,MAAM,EAAE,IAAI,EAAE;YAChC,GAAG;YACH,GAAG;YACH,KAAK,EAAE,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC;SACxD,CAAC,CAAC;QACH,IAAI,MAAM,GAAG,EAAE,CAAC;QAChB,IAAI,MAAM,GAAG,EAAE,CAAC;QAChB,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,KAAK,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE;gBACzC,MAAM,IAAI,KAAK,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;YACnC,CAAC,CAAC,CAAC;YACH,KAAK,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE;gBACzC,MAAM,IAAI,KAAK,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;YACnC,CAAC,CAAC,CAAC;QACL,CAAC;QACD,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,aAAa,CAAC,GAAG,CAAC,CAAC,CAAC;QAC/C,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,IAAI,EAAE,EAAE;YACzB,cAAc,CAAC;gBACb,QAAQ,EAAE,IAAI,KAAK,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI;gBACnC,MAAM;gBACN,MAAM;aACP,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC"}
@@ -0,0 +1,314 @@
1
+ # tools/branch-protection/spec.yaml
2
+ #
3
+ # Single source of truth for `main` branch protection settings.
4
+ #
5
+ # Compared against the live state by `.github/workflows/branch-protection-audit.yml`
6
+ # (CI workflow ships in Cycle 318.4; this file is the input contract).
7
+ #
8
+ # The live ground truth is a GitHub Repository Ruleset (id 6076292, name "main1"),
9
+ # fetched via:
10
+ # gh api repos/momentiq-ai/sage3c/rulesets/6076292
11
+ #
12
+ # Schema notes:
13
+ # - `schema_version: 1` — first version of this file. Bump on breaking changes.
14
+ # - `branches.main.required_status_checks.contexts[]` — full set of CI contexts
15
+ # that MUST be required for a PR to merge to `main`. Each entry has a `status`
16
+ # of `required` (currently enforced) or `planned` (will be promoted by a
17
+ # future cycle, tracked in `.agent-review/RATCHETING.md`).
18
+ # - `allowed_bypasses` / `forbidden_bypasses` — explicit enumerations. The CI
19
+ # audit step diffs against these lists; any new bypass surface that isn't on
20
+ # either list fails the audit.
21
+ #
22
+ # Sister cycles: cerebe-platform Cycle 70.2.
23
+ # Cycle: 318.3 (initial), 318.4 (promotions + audit workflow)
24
+
25
+ schema_version: 1
26
+
27
+ # ---------------------------------------------------------------------------
28
+ # Repository ruleset (GitHub modern rulesets — replaces classic branch protection)
29
+ # ---------------------------------------------------------------------------
30
+ ruleset:
31
+ id: 6076292
32
+ name: "main1"
33
+ enforcement: active
34
+ target: branch
35
+ conditions:
36
+ ref_name:
37
+ include:
38
+ - "refs/heads/main"
39
+ exclude: []
40
+
41
+ branches:
42
+ main:
43
+ # Block deletion + force-push of `main`. Non-negotiable.
44
+ deletion_blocked: true
45
+ non_fast_forward_blocked: true
46
+
47
+ # Linear history — squash-merge only on `main`. Aligns with merge_queue method.
48
+ required_linear_history: true
49
+
50
+ required_pull_request_reviews:
51
+ # 0 because AI-PR-audit + agent-critic + Copilot code review substitute
52
+ # for human approval (AI-Native Manifesto §11). Thread resolution is the
53
+ # mechanism that surfaces blocking findings to humans.
54
+ required_approving_review_count: 0
55
+ dismiss_stale_reviews_on_push: false
56
+ require_code_owner_reviews: false
57
+ require_last_push_approval: false
58
+ required_review_thread_resolution: true
59
+ allowed_merge_methods:
60
+ - merge
61
+ - squash
62
+ - rebase
63
+
64
+ required_status_checks:
65
+ strict_required_status_checks_policy: true # branch must be up to date with `main` before merging
66
+ do_not_enforce_on_create: false
67
+ contexts:
68
+ - context: "PR Status Check"
69
+ status: required
70
+ source: "github_actions"
71
+ integration_id: 15368
72
+ rationale: "Aggregator check; rolls up the per-job results from .github/workflows/pr.yml. Required since Cycle 312."
73
+ - context: "schema-check"
74
+ status: required
75
+ source: "github_actions"
76
+ rationale: "OpenAPI ↔ frontend type-shape parity. Required since Cycle 315.7."
77
+ # ----- promoted to required (issue #1385) -----
78
+ # Admin updated ruleset 6076292 to add the three contexts to
79
+ # required_status_checks; this file flip (planned → required) is
80
+ # the matching spec-side acknowledgment.
81
+ - context: "agent-critic"
82
+ status: required
83
+ workflow: ".github/workflows/agent-critic.yml"
84
+ rationale: "CI replay of local agent critic; closes the no-bridge enforcement loop. Promoted to required in issue #1385 after admin updated ruleset 6076292."
85
+ - context: "cycle-doc-validation"
86
+ status: required
87
+ workflow: ".github/workflows/cycle-doc-validation.yml"
88
+ rationale: "Enforces Cycle: / Issue: / ProjectItem: trailers per AI-Native Manifesto §10 (Spec-Driven Traceability). Promoted to required in issue #1385."
89
+ - context: "branch-protection-audit"
90
+ status: required
91
+ workflow: ".github/workflows/branch-protection-audit.yml"
92
+ rationale: "Compares this file against the live ruleset; fails on divergence. Runs on every spec-touching PR and on the weekly Monday-06:00-UTC cron. Promoted to required in issue #1385."
93
+ # ----- shipped in Cycle 322.4 (workflows exist; promotion deferred) -----
94
+ # Same pattern as the 318.4 block above: ship the workflows
95
+ # as observable + non-required, then a follow-up PR (post-
96
+ # admin ruleset update + post-team-creation) promotes them.
97
+ # See `post_322_4_promotion_sequence` at the bottom of this
98
+ # file for the staging plan. Cycle 322.4 also introduces the
99
+ # second ruleset `main-ce-review` (Chief Engineer review-only
100
+ # bypass lane); that ruleset's tracked desired-state lives at
101
+ # `.github/rulesets/main-ce-review.json` and is verified by
102
+ # the `verify-rulesets` workflow listed below.
103
+ - context: "verify-rulesets"
104
+ status: planned
105
+ target_cycle: "322.4"
106
+ workflow: ".github/workflows/verify-rulesets.yml"
107
+ rationale: "Diffs `.github/rulesets/*.json` against the live ruleset state. Catches drift on the two-ruleset architecture (`main` + `main-ce-review`) introduced by Cycle 322.4. Runs on every PR + merge_group + weekly cron. The Chief Engineer does NOT bypass this check (it lives on Ruleset A); a CE PR cannot merge with a drifted live ruleset."
108
+ - context: "plan-pr-review-gate"
109
+ status: planned
110
+ target_cycle: "322.4"
111
+ workflow: ".github/workflows/plan-pr-review-gate.yml"
112
+ rationale: "Enforces CLAUDE.md Phase 1 step 4–5 on plan PRs (cycle-doc only). Restructured per issue #1514: CE-authored plan PRs skip-pass (architect-loop is the review); non-CE plan PRs require an APPROVED review FROM THE CE specifically on the current head SHA. CE identity is read from `.github/agentic-engineers.json` on the BASE ref to prevent a non-CE author from monkey-patching the registry in their own PR to claim CE status. The CE bypass on Ruleset B (`main-ce-review`) cannot waive this because it lives on Ruleset A. The pre-#1514 'any non-author APPROVED' semantics failed every plan PR after Dark Factory's universal-no-human-review posture for code PRs was codified (no human or bot ever produces an APPROVED review); the restructured gate aligns with current operation AND retains forward-compatible value (autonomous agents authoring plan PRs are forced into CE review)."
113
+ # ----- shipped in Cycle 322.6 (workflow exists; promotion deferred) -----
114
+ # Same deferred-promotion pattern as 318.4 + 322.4 above.
115
+ # 322.6 closes the race exposed by Cycle 322's own Plan PR
116
+ # #1328 (which merged before Copilot's review fired): bot
117
+ # reviews land as `pull_request_review` events with
118
+ # state=`COMMENTED`, NOT as status checks, so the merge queue's
119
+ # required_status_checks logic never sees them. The new
120
+ # `bot-review-settle` workflow translates "all Code Critics in
121
+ # `.github/agentic-engineers.json` (read from BASE ref) have
122
+ # reviewed the current HEAD SHA" into a status check.
123
+ - context: "bot-review-settle"
124
+ status: planned
125
+ target_cycle: "322.6"
126
+ workflow: ".github/workflows/bot-review-settle.yml"
127
+ rationale: "Holds the merge queue until all Code Critics registered in `.github/agentic-engineers.json` (Cursor BugBot, OpenAI Codex, GitHub Copilot today) have posted at least one PR review on the current HEAD SHA, or a 7-min (configurable) fail-open timeout elapses. Closes the bot-review-race that allowed PR #1328 to merge before Copilot's review fired. The Chief Engineer does NOT bypass this check (lives on Ruleset A); CE PRs especially benefit from bot review since they lack human reviewers."
128
+
129
+ copilot_code_review:
130
+ enabled: true
131
+ review_on_push: false
132
+ review_draft_pull_requests: false
133
+
134
+ merge_queue:
135
+ enabled: true
136
+ merge_method: SQUASH
137
+ max_entries_to_build: 5
138
+ min_entries_to_merge: 1
139
+ max_entries_to_merge: 5
140
+ min_entries_to_merge_wait_minutes: 0
141
+ grouping_strategy: ALLGREEN # all queued PRs must be green together; reduces re-runs vs HEADGREEN
142
+ check_response_timeout_minutes: 60
143
+
144
+ restrictions: null # no user/team push restrictions
145
+
146
+ # ---------------------------------------------------------------------------
147
+ # Bypass surfaces — every legitimate skip path enumerated; every closed surface
148
+ # explicitly forbidden. The CI audit step in 318.4 diffs the live workflows/
149
+ # repo-vars against these lists.
150
+ # ---------------------------------------------------------------------------
151
+ allowed_bypasses:
152
+ - kind: workflow_call_only
153
+ workflows:
154
+ - ".github/workflows/quality-gate.yml"
155
+ rationale: "Reusable workflow; cannot trigger directly — only consumed by pr.yml as a `uses:` callee. Not a bypass per se; documented so the audit doesn't flag it."
156
+
157
+ - kind: docs_only_skip
158
+ workflows:
159
+ - "quality-gate"
160
+ - "backend-tests"
161
+ - "frontend-tests"
162
+ - "frontend-unit-tests"
163
+ - "evals"
164
+ - "parent-chat-eval"
165
+ rationale: "detect-changes paths-filter routes docs-only PRs around code-only checks. `quality-gate` is gated by `if: needs.detect-changes.outputs.docs_only != 'true'`; the per-language test jobs gate on the more granular `frontend`/`backend` outputs (true implies non-docs-only). All of these jobs `skip` rather than `fail` on a docs-only PR, which the ruleset accepts for required checks."
166
+ enforced_by: ".github/workflows/pr.yml — needs.detect-changes.outputs.docs_only / frontend / backend"
167
+
168
+ - kind: merge_group_fast_path
169
+ workflows:
170
+ - "cycle-doc-validation"
171
+ - "branch-protection-audit"
172
+ - "plan-pr-review-gate"
173
+ - "bot-review-settle"
174
+ rationale: "On `merge_group` events these workflows fast-path to success (writing a step summary, not re-running the validator). cycle-doc-validation needs PR-level data (title/body/labels) which is not exposed in merge_group context; branch-protection-audit's spec-vs-live reconciliation was already done on the originating PR and the weekly cron is the authoritative passive-drift gate; plan-pr-review-gate's classification + review check needs PR-level data (file list, reviews) and was already evaluated when the PR was queued. bot-review-settle's polling logic is keyed off the PR-phase `head.sha` AND the BASE-ref Code Critic registry — the merge_group commit is a synthetic squash with no PR-level reviews to observe, so the settle window was satisfied (or fail-opened) before queue admission; the merge_group passthrough emits SUCCESS on the synthetic commit so required-status inheritance is satisfied. agent-critic, by contrast, DOES re-execute the critic in merge_group using the merge_group.head_sha (the combined merged commit is the right target for the critic, distinct from individual PR heads). verify-rulesets does NOT fast-path on merge_group — the live ruleset state is queue-agnostic and the same RO API call is cheap to repeat."
175
+ enforced_by: "github.event_name == 'merge_group' fast-path step in each workflow"
176
+ compensating_controls:
177
+ - "cycle-doc-validation: trailer-shape failures cannot regress across queue ordering — the PR-head verdict is authoritative for the trailers on that PR."
178
+ - "branch-protection-audit: weekly Monday 06:00 UTC cron runs the full audit unconditionally; passive drift introduced via the GitHub UI is caught within ≤7 days."
179
+ - "plan-pr-review-gate: review-shape failures cannot regress across queue ordering — the PR-head verdict (CE-self-skip OR CE-APPROVED required on non-CE plan PRs, post-#1514) is authoritative for that PR. (Codex P1 from cycle322.4 #1334 — see the cycle doc for why merge_group is still REQUIRED to fire, just as a passthrough.)"
180
+ - "bot-review-settle: the PR-phase settle was either satisfied (all configured Code Critics reviewed the HEAD) or fail-opened (timeout elapsed; bot findings that DID post are still gated by `required_review_thread_resolution: true`). The merge_group commit has no per-PR review surface to observe, so re-polling there is non-meaningful — the passthrough emits SUCCESS so required-check inheritance is satisfied on the synthetic queue commit."
181
+ decision_cycle: "318.4 (cycle-doc-validation, branch-protection-audit); 322.4 (plan-pr-review-gate); 322.6 (bot-review-settle)"
182
+
183
+ - kind: trusted_surface_skip
184
+ workflows:
185
+ - "agent-critic"
186
+ - "branch-protection-audit"
187
+ - "verify-rulesets"
188
+ rationale: "PRs that modify the workflow file, the script(s) the workflow invokes, or files in the workflow's trusted-policy surface receive a SKIP on the secret-bearing step rather than a green run. Without the skip a malicious PR could exfiltrate the workflow's secret (CURSOR_API_KEY for agent-critic; BRANCH_PROTECTION_RO_PAT for the audit + verify-rulesets workflows) by injecting code into the PR-controlled trusted surface before the secret-bearing step runs. The weekly cron and any post-merge run (when the code is reviewed) re-exercises the secret-bearing step. Human review of the diff is the compensating control while the PR is open."
189
+ enforced_by: "trusted-surface detection step in each workflow; see .github/workflows/<name>.yml for the per-workflow scope regex."
190
+ compensating_controls:
191
+ - "Human review of the diff for any PR that lights up the trusted-surface skip."
192
+ - "Weekly cron / workflow_dispatch / next-PR run re-exercises the secret-bearing step under trusted (base-ref) code."
193
+ decision_cycle: "318.4 (initial); 322.4 (extended to verify-rulesets); PR #1383 (hardened scope detection on agent-critic + audit)"
194
+
195
+ forbidden_bypasses:
196
+ # Each entry below was a known kill-switch, ambient bypass, or rename-disable
197
+ # pattern. The audit step fails if any of these reappear.
198
+
199
+ - kind: repo_variable
200
+ name: SKIP_PR_CI
201
+ rationale: "Repo-variable kill switch removed in PR #1215 (Cycle 315.9). Do not reintroduce. CI audit checks `gh variable list` for this name."
202
+
203
+ - kind: pr_title_skip
204
+ pattern: "[skip ci]"
205
+ rationale: "Ambient bypass via title token. Not currently honored in pr.yml (0 matches as of 2026-05-12). Listed here prophylactically to prevent regression — any addition of `[skip ci]` handling in a workflow fails the audit."
206
+
207
+ - kind: disabled_workflow
208
+ pattern: "*.yml.disabled"
209
+ rationale: "Rename-disable is a silent kill switch. Cycle 318.4 deleted `.github/workflows/deploy-gcp.yml.disabled` (GCP deploy was decommissioned during the move to GKE-via-Helm; the file was preserved-by-rename for historical reference). Going forward any `*.yml.disabled` file fails the audit; archival via git history (`git log --all -- .github/workflows/<name>.yml.disabled`) is the prescribed substitute. See docs/engineering/ci-bypass-audit-2026-05.md."
210
+ known_violations: [] # cleared by Cycle 318.4 (deletion landed in this same PR)
211
+
212
+ # ---------------------------------------------------------------------------
213
+ # Promotion sequencing (Cycle 318.4 → admin → follow-up PR).
214
+ # STATUS: COMPLETED via issue #1385. All three steps below have landed.
215
+ # Cycle 318.4 shipped:
216
+ # (1) the three new workflows (agent-critic, cycle-doc-validation,
217
+ # branch-protection-audit),
218
+ # (2) the deletion of `.github/workflows/deploy-gcp.yml.disabled`,
219
+ # (3) the original spec entry that recorded the three contexts as
220
+ # `planned` (intentionally deferred so the audit gate did not
221
+ # fail-closed on its own merging commit).
222
+ # Issue #1385 closed the loop: admin updated ruleset 6076292 to add the
223
+ # three contexts, and PR `close-1385` flipped this spec from `planned`
224
+ # to `required`. Block retained for historical/audit traceability.
225
+ # ---------------------------------------------------------------------------
226
+ post_318_4_promotion_sequence:
227
+ status: completed
228
+ closed_by_issue: 1385
229
+ step_1:
230
+ description: "Cycle 318.4 PR merged. Workflows shipped as observable but non-required."
231
+ status: completed
232
+ step_2:
233
+ description: "Admin updated ruleset 6076292 to add the three contexts to required_status_checks. See `docs/engineering/ci-bypass-audit-2026-05.md` §'Promotion sequence (completed via issue #1385)'."
234
+ actor: "repository admin"
235
+ command_hint: "gh api -X PATCH repos/momentiq-ai/sage3c/rulesets/6076292 --input <patched-payload>"
236
+ status: completed
237
+ step_3:
238
+ description: "PR `close-1385` flipped spec.yaml `status: planned → required` for the three contexts. The audit gate goes green because live ruleset matches."
239
+ target: "tools/branch-protection/spec.yaml"
240
+ status: completed
241
+
242
+ # ---------------------------------------------------------------------------
243
+ # Promotion sequencing (Cycle 322.4 → admin → follow-up PR).
244
+ # Cycle 322.4 ships:
245
+ # (1) the two new workflows (verify-rulesets, plan-pr-review-gate),
246
+ # (2) the two tracked rulesets in `.github/rulesets/` (main.json
247
+ # baseline + main-ce-review.json with id=null),
248
+ # (3) the apply/verify/test scripts in scripts/{lib,tests}/ +
249
+ # scripts/{apply,verify}-main-ruleset.sh,
250
+ # (4) the two `planned` context entries in this file
251
+ # (verify-rulesets, plan-pr-review-gate),
252
+ # (5) `trusted_surface_skip` entry covering verify-rulesets
253
+ # alongside the 318.4 workflows,
254
+ # (6) `merge_group_fast_path` extension to include
255
+ # plan-pr-review-gate.
256
+ # It deliberately does NOT promote them to `required` for the same
257
+ # reason 318.4 didn't promote its three: the audit + verify-rulesets
258
+ # would fail-closed on their own merging commit (live ruleset doesn't
259
+ # yet expect the new contexts).
260
+ # ---------------------------------------------------------------------------
261
+ post_322_4_promotion_sequence:
262
+ step_1:
263
+ description: "Cycle 322.4 (this PR) merges. Workflows ship as observable but non-required; main-ce-review ruleset JSON is tracked with id=null (pending creation)."
264
+ step_2:
265
+ description: "Admin creates the `momentiq-ai/chief-engineers` team and grants `maintain` permission on `momentiq-ai/sage3c`. Single seat at launch (@alien8d) per the production-posture constraint."
266
+ actor: "repository admin"
267
+ command_hint: |-
268
+ gh api -X POST orgs/momentiq-ai/teams -f name=chief-engineers -f privacy=closed -f description='Chief Engineer auto-merge bypass actor (Cycle 322.4)'
269
+ gh api -X PUT orgs/momentiq-ai/teams/chief-engineers/memberships/alien8d -f role=member
270
+ gh api -X PUT orgs/momentiq-ai/teams/chief-engineers/repos/momentiq-ai/sage3c -f permission=maintain
271
+ step_3:
272
+ description: "Admin runs `scripts/apply-main-ruleset.sh --apply` from a workstation. The script POSTs `main-ce-review` (creating it on GitHub) and writes the new id back to `.github/rulesets/main-ce-review.json`. The same run idempotently no-ops on `main.json` (id=6076292 already matches live)."
273
+ actor: "repository admin"
274
+ command_hint: "scripts/apply-main-ruleset.sh --apply"
275
+ step_4:
276
+ description: "Admin commits the `id` write-back to `.github/rulesets/main-ce-review.json` as a separate PR. After this PR merges, subsequent verify-rulesets runs include the main-ce-review ruleset in the structural compare."
277
+ target: ".github/rulesets/main-ce-review.json"
278
+ step_5:
279
+ description: "Admin updates ruleset 6076292 to add the two new 322.4 contexts (`verify-rulesets`, `plan-pr-review-gate`) to `required_status_checks`. The three 318.4 contexts (`agent-critic`, `cycle-doc-validation`, `branch-protection-audit`) were already promoted via issue #1385; the idempotent jq in `docs/engineering/ci-bypass-audit-2026-05.md` §322.4 admin actions de-duplicates by context name."
280
+ actor: "repository admin"
281
+ command_hint: "gh api -X PATCH repos/momentiq-ai/sage3c/rulesets/6076292 --input <patched-payload>"
282
+ step_6:
283
+ description: "Follow-up PR flips spec.yaml `status: planned → required` for the remaining 322.4 contexts (`verify-rulesets`, `plan-pr-review-gate`). The audit + verify-rulesets gates stay green (318.4 contexts already promoted via #1385)."
284
+ target: "tools/branch-protection/spec.yaml"
285
+
286
+ # ---------------------------------------------------------------------------
287
+ # Promotion sequencing (Cycle 322.6 → admin → follow-up PR).
288
+ # Cycle 322.6 ships:
289
+ # (1) the new `bot-review-settle` workflow,
290
+ # (2) `scripts/tests/test-bot-review-settle.sh` shell-test suite +
291
+ # Makefile wiring under `make sage-test-ruleset-scripts`,
292
+ # (3) the `planned` context entry in this file above,
293
+ # (4) `merge_group_fast_path` extension to include
294
+ # bot-review-settle (the merge_group passthrough emits SUCCESS
295
+ # for required-check inheritance on the synthetic queue commit).
296
+ # It deliberately does NOT promote `bot-review-settle` to `required`
297
+ # for the same reason 318.4 and 322.4 didn't: the audit + verify-
298
+ # rulesets workflows would fail-closed on their own merging commit
299
+ # (live ruleset doesn't yet expect the new context). The promotion
300
+ # can be combined with the 318.4 + 322.4 admin actions in a single
301
+ # `gh api -X PATCH` against ruleset 6076292 if that paired admin
302
+ # work is still pending; otherwise it follows the same shape as
303
+ # the prior post_*_promotion_sequence blocks.
304
+ # ---------------------------------------------------------------------------
305
+ post_322_6_promotion_sequence:
306
+ step_1:
307
+ description: "Cycle 322.6 (this PR) merges. Workflow ships as observable but non-required."
308
+ step_2:
309
+ description: "Admin updates ruleset 6076292 to add `bot-review-settle` to `required_status_checks`. Can be combined with the 318.4 + 322.4 paired admin work if not yet performed; otherwise a standalone PATCH targeting only the new context."
310
+ actor: "repository admin"
311
+ command_hint: "gh api -X PATCH repos/momentiq-ai/sage3c/rulesets/6076292 --input <patched-payload>"
312
+ step_3:
313
+ description: "Follow-up PR flips spec.yaml `status: planned → required` for `bot-review-settle`. The audit + verify-rulesets gates remain green because live ruleset now matches."
314
+ target: "tools/branch-protection/spec.yaml"
package/dist/cli.d.ts ADDED
@@ -0,0 +1,3 @@
1
+ #!/usr/bin/env node
2
+ export {};
3
+ //# sourceMappingURL=cli.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"cli.d.ts","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":""}