@nugehs/gate 0.1.0

package/CHANGELOG.md

@@ -0,0 +1,16 @@
+# Changelog
+
+All notable changes to `@nugehs/gate` are documented here.
+
+## 0.1.0
+
+Initial release.
+
+- Runs aiglare, bouncer, tieline & repoctx against a repo and merges their four
+  dialects (red/amber/green, pass/fail/unknown, matched/drift, PASS/WARN/FAIL)
+  into one normalized verdict (`pass | warn | fail | unknown | skipped | error`).
+- `--ci` gate blocks on a `fail` verdict by default; `--strict` also blocks on warnings.
+- A run where no domain executes (everything skipped or deselected) is **not** a
+  pass — under `--ci` it fails, so a typo can't silently turn the gate into a no-op.
+- Per-tool resolution: `GATE_<TOOL>_BIN` env → installed `@nugehs/<tool>` → `../<tool>` sibling checkout.
+- Terminal and JSON reporters; `--only` / `--skip` tool selection.

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Oluwasegun Olumbe
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,158 @@
+# gate
+
+**One ship/no-ship verdict from your whole nugehs toolchain.**
+
+[![npm](https://img.shields.io/npm/v/@nugehs/gate?style=flat-square)](https://www.npmjs.com/package/@nugehs/gate) [![license: MIT](https://img.shields.io/badge/license-MIT-blue?style=flat-square)](LICENSE) [![node](https://img.shields.io/node/v/@nugehs/gate?style=flat-square)](https://www.npmjs.com/package/@nugehs/gate)
+
+![gate demo](gate-demo.gif)
+
+`gate` runs [aiglare](https://www.npmjs.com/package/@nugehs/aiglare),
+[bouncer](https://www.npmjs.com/package/@nugehs/bouncer),
+[tieline](https://www.npmjs.com/package/@nugehs/tieline) and
+[repoctx](https://www.npmjs.com/package/@nugehs/repoctx) against a repo and
+merges their four dialects into **one normalized verdict**. Each tool already
+answers a different "can this ship?" question — gate is the place they finally
+agree on the answer.
+
+```
+npx @nugehs/gate                      # audit the current repo
+npx @nugehs/gate ./service --ci       # fail the build on a blocking verdict
+npx @nugehs/gate --json               # the unified verdict, machine-readable
+```
+
+```
+        ┌──────────────────────────────────────────────┐
+        │                   gate                         │
+        │   one config · one verdict · one report        │
+        └──────────────────────────────────────────────┘
+            │            │            │            │
+        aiglare       bouncer      tieline      repoctx
+       red/amber/    pass/fail/   matched/     PASS/WARN/
+         green        unknown      drift         FAIL
+            │            │            │            │
+            └──── normalize to pass · warn · fail ─────┘
+                          │
+                  ✗ FAIL   ⚠ WARN   ✓ PASS
+```
+
+## What it reports
+
+```
+  gate · /path/to/repo
+
+  ✗  AI governance    fail      2 red · 1 amber · 13 green · 1 blocking side-effect
+  ·  Compliance       skipped   not configured (run `bouncer init`)
+  ·  Contract drift   skipped   not configured (run `tieline init`)
+  ⚠  Merge readiness  warn      1 of 8 checks need attention
+
+  verdict: FAIL — 1 blocking · 1 warn · 2 skipped
+```
+
+Each tool's native result is normalized onto one status vocabulary:
+
+| Status | Meaning |
+| --- | --- |
+| `pass`    | the check ran and is clean |
+| `warn`    | ran, found something worth a look — not blocking |
+| `fail`    | ran, found a blocking problem |
+| `unknown` | ran, but couldn't determine — explicitly **not** a pass |
+| `skipped` | not applicable / not configured for this repo |
+| `error`   | the tool couldn't be run, or returned garbage |
+
+The top-level verdict is the worst across the domains that actually ran
+(`skipped` never counts). `unknown` and `error` roll up to `warn` so nothing
+slips through as a silent pass.
+
+## How each dialect maps
+
+| Tool | Native signal | → gate |
+| --- | --- | --- |
+| **aiglare** | a red surface on a side-effectful sink | `fail`; any red/amber → `warn` |
+| **bouncer** | a `fail` finding (missing required control) | `fail`; any `unknown` control → `unknown` |
+| **tieline** | `drift` > 0 (FE call with no BE route) | `fail`; `unverifiable` > 0 → `warn` |
+| **repoctx** | `FAIL`/`BLOCK` merge verdict | `fail`; `WARN` → `warn` |
+
+> gate runs aiglare **without** `--ci` and derives the blocking verdict itself,
+> so a tool that `process.exit()`s before flushing its pipe can't truncate the
+> report it feeds us.
+
+**A run that checked nothing is not a pass.** If every domain is skipped or
+deselected (e.g. `--skip` them all, or a typo'd `--only`), gate reports **NO
+CHECKS RAN** (`ok:false`) and fails under `--ci` — a misconfiguration can't
+silently turn the gate green.
+
+**On repoctx + local mode.** repoctx's merge-readiness gate can only verify
+review state (approvals, CODEOWNERS, required checks) against a host like
+GitHub. Run locally it reports those as a `WARN`, so on a clean local repo gate
+will often show `merge readiness: warn`. That's repoctx being honest about what
+it can't see locally — not a problem with your change.
+
+## CLI
+
+```
+gate [path] [options]
+
+  --json            Emit the unified verdict as JSON
+  --ci              Exit non-zero when the gate fails (blocking by default)
+  --strict          Treat WARN/UNKNOWN as blocking too
+  --only <list>     Run only these tools (aiglare,bouncer,tieline,repoctx)
+  --skip <list>     Skip these tools
+  -h, --help        Show this help
+
+gate mcp            Start the MCP server (stdio)
+```
+
+By default only a `fail` verdict blocks under `--ci` — safe to adopt without
+drowning a team in warnings. Add `--strict` when you want warnings to gate too.
+
+## Tool resolution
+
+gate doesn't bundle the four tools; it finds each one at runtime. Per tool, first hit wins:
+
+1. `GATE_<TOOL>_BIN` environment variable (explicit override)
+2. the installed `@nugehs/<tool>` package (from `node_modules`)
+3. a sibling checkout at `../<tool>` (local development)
+
+A tool that can't be resolved is reported as `skipped`, never a hard failure —
+so `gate` is safe to run in a repo that only uses some of the toolchain.
+
+## In CI
+
+```yaml
+- run: npx @nugehs/gate . --ci
+```
+
+For a machine-readable record, `--json` emits the full verdict (schema version,
+per-domain results, counts, and the blocking reasons) for dashboards or audit
+evidence.
+
+## MCP
+
+gate is also an MCP server, so an agent can ask "can this ship?" in one call —
+the unified verdict, not four separate tools.
+
+```
+gate mcp                 # stdio JSON-RPC server
+npx @nugehs/gate mcp
+```
+
+Tools:
+
+| Tool | Returns |
+| --- | --- |
+| `gate_check` | the unified verdict for a repo (`path`, optional `only`/`skip`/`ci`/`strict`) |
+| `list_checks` | the four checks gate runs, each with its domain and what it answers |
+
+Registry manifest: [`server.json`](server.json) (`io.github.nugehs/gate`).
+
+## Roadmap
+
+gate is the shared spine. The same normalized verdict already drives the CLI,
+the `--ci` gate, and the MCP server above. Next clients on the same JSON:
+
+- **Web cockpit** — a repo/PR verdict board over the JSON, unifying the four `*-web` sites.
+- **Editor extension** — shift the gates left from CI into the editor as inline findings.
+
+## License
+
+MIT © Oluwasegun Olumbe

package/package.json

@@ -0,0 +1,62 @@
+{
+  "name": "@nugehs/gate",
+  "version": "0.1.0",
+  "mcpName": "io.github.nugehs/gate",
+  "description": "gate — one ship/no-ship verdict from aiglare, bouncer, tieline & repoctx. The unified merge gate for the nugehs toolchain: run four deterministic checks, get one normalized verdict.",
+  "type": "module",
+  "bin": {
+    "gate": "src/cli.js",
+    "nugehs-gate": "src/cli.js"
+  },
+  "files": [
+    "src",
+    "scripts",
+    "server.json",
+    "README.md",
+    "LICENSE",
+    "CHANGELOG.md"
+  ],
+  "scripts": {
+    "start": "node src/cli.js",
+    "gate": "node src/cli.js",
+    "mcp": "node src/cli.js mcp",
+    "version:check": "node scripts/check-version.js",
+    "version": "node scripts/sync-server-version.mjs && git add server.json",
+    "test": "node --test test/*.test.js",
+    "ci": "npm run version:check && npm test"
+  },
+  "engines": {
+    "node": ">=18.18"
+  },
+  "optionalDependencies": {
+    "@nugehs/aiglare": "^0.3.0",
+    "@nugehs/bouncer": "^0.1.3",
+    "@nugehs/repoctx": "^2.1.0",
+    "@nugehs/tieline": "^0.1.4"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/nugehs/gate.git"
+  },
+  "homepage": "https://github.com/nugehs/gate#readme",
+  "bugs": {
+    "url": "https://github.com/nugehs/gate/issues"
+  },
+  "keywords": [
+    "ci",
+    "merge-gate",
+    "governance",
+    "compliance",
+    "ai-governance",
+    "contract-drift",
+    "static-analysis",
+    "monorepo",
+    "mcp",
+    "model-context-protocol"
+  ],
+  "author": "Oluwasegun Olumbe",
+  "license": "MIT"
+}

package/scripts/check-version.js

@@ -0,0 +1,56 @@
+import fs from 'node:fs';
+import path from 'node:path';
+import { fileURLToPath } from 'node:url';
+
+const root = path.resolve(path.dirname(fileURLToPath(import.meta.url)), '..');
+const packageJson = readJson(path.join(root, 'package.json'));
+const packageLock = readJson(path.join(root, 'package-lock.json'), { optional: true });
+const serverManifest = readJson(path.join(root, 'server.json'), { optional: true });
+
+const semverPattern =
+  /^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|[0-9A-Za-z-]*[A-Za-z-][0-9A-Za-z-]*)(?:\.(?:0|[1-9]\d*|[0-9A-Za-z-]*[A-Za-z-][0-9A-Za-z-]*))*))?(?:\+([0-9A-Za-z-]+(?:\.[0-9A-Za-z-]+)*))?$/;
+
+if (!semverPattern.test(packageJson.version)) {
+  fail(`package.json version must be valid SemVer, got ${JSON.stringify(packageJson.version)}`);
+}
+
+if (packageLock) {
+  if (packageLock.version !== packageJson.version) {
+    fail(`package-lock.json version ${packageLock.version} does not match package.json version ${packageJson.version}`);
+  }
+
+  const rootPackage = packageLock.packages?.[''];
+  if (rootPackage?.version !== packageJson.version) {
+    fail(`package-lock root package version ${rootPackage?.version} does not match package.json version ${packageJson.version}`);
+  }
+}
+
+if (serverManifest) {
+  if (serverManifest.version !== packageJson.version) {
+    fail(`server.json version ${serverManifest.version} does not match package.json version ${packageJson.version}`);
+  }
+  for (const pkg of serverManifest.packages ?? []) {
+    if (pkg.version && pkg.version !== packageJson.version) {
+      fail(`server.json package ${pkg.identifier} version ${pkg.version} does not match package.json version ${packageJson.version}`);
+    }
+  }
+}
+
+console.log(`ok: gate version ${packageJson.version} is SemVer`);
+
+function readJson(filePath, { optional = false } = {}) {
+  if (optional && !fs.existsSync(filePath)) {
+    return undefined;
+  }
+
+  try {
+    return JSON.parse(fs.readFileSync(filePath, 'utf8'));
+  } catch (error) {
+    fail(`failed to read ${filePath}: ${error.message}`);
+  }
+}
+
+function fail(message) {
+  console.error(`version:check failed: ${message}`);
+  process.exit(1);
+}

package/scripts/sync-server-version.mjs

@@ -0,0 +1,14 @@
+// Keeps server.json (MCP registry manifest) in lockstep with package.json.
+// Wired into the `version` lifecycle script so `npm version` bumps both.
+import fs from 'node:fs';
+
+const pkg = JSON.parse(fs.readFileSync('package.json', 'utf8'));
+const manifest = JSON.parse(fs.readFileSync('server.json', 'utf8'));
+
+manifest.version = pkg.version;
+for (const p of manifest.packages ?? []) {
+  if (p.version) p.version = pkg.version;
+}
+
+fs.writeFileSync('server.json', JSON.stringify(manifest, null, 2) + '\n');
+console.log(`server.json synced to v${pkg.version}`);

package/server.json

@@ -0,0 +1,28 @@
+{
+  "$schema": "https://static.modelcontextprotocol.io/schemas/2025-12-11/server.schema.json",
+  "name": "io.github.nugehs/gate",
+  "description": "One ship/no-ship verdict from aiglare, bouncer, tieline & repoctx — the unified merge gate.",
+  "repository": {
+    "url": "https://github.com/nugehs/gate",
+    "source": "github"
+  },
+  "version": "0.1.0",
+  "packages": [
+    {
+      "registryType": "npm",
+      "registryBaseUrl": "https://registry.npmjs.org",
+      "identifier": "@nugehs/gate",
+      "version": "0.1.0",
+      "runtimeHint": "npx",
+      "transport": {
+        "type": "stdio"
+      },
+      "packageArguments": [
+        {
+          "type": "positional",
+          "value": "mcp"
+        }
+      ]
+    }
+  ]
+}

package/src/adapters/aiglare.js

@@ -0,0 +1,66 @@
+// aiglare — AI/LLM governance guardrails.
+// Dialect: { ok, surfaceCount, summary:{red,amber,green}, surfaces:[{severity,sink,...}] }
+//
+// We deliberately do NOT pass --ci: under --ci aiglare calls process.exit(1),
+// which truncates its own JSON when stdout is a pipe (the classic Node
+// flush-on-exit gotcha). Instead we run it clean (exit 0, full output) and
+// derive the blocking verdict ourselves — a red surface on a side-effectful
+// sink is the "AI auto-triggers an irreversible action" case.
+
+import { STATUS } from '../verdict.js';
+
+const isBlocking = (s) => s.severity === 'red' && s.sink === 'side-effectful';
+
+export default {
+  tool: 'aiglare',
+  pkg: '@nugehs/aiglare',
+  binRel: 'src/cli.js',
+  binName: 'aiglare',
+  domain: 'ai-governance',
+  label: 'AI governance',
+
+  args(ctx) {
+    return [ctx.path ?? '.', '--format', 'json'];
+  },
+
+  normalize(json) {
+    const s = json.summary ?? { red: 0, amber: 0, green: 0 };
+    const surfaces = json.surfaces ?? [];
+    const count = json.surfaceCount ?? surfaces.length;
+    const blocking = surfaces.filter(isBlocking);
+
+    if (count === 0) {
+      return {
+        status: STATUS.PASS,
+        summary: 'no AI surfaces detected',
+        counts: { surfaces: 0, red: 0, amber: 0, green: 0, blocking: 0 },
+        findings: [],
+      };
+    }
+
+    let status;
+    if (blocking.length > 0) status = STATUS.FAIL;
+    else if (s.red > 0 || s.amber > 0) status = STATUS.WARN;
+    else status = STATUS.PASS;
+
+    const parts = [`${s.red} red`, `${s.amber} amber`, `${s.green} green`];
+    if (blocking.length > 0) {
+      parts.push(`${blocking.length} blocking side-effect${blocking.length === 1 ? '' : 's'}`);
+    }
+
+    const reds = surfaces.filter((x) => x.severity === 'red');
+    const ordered = [...blocking, ...reds.filter((x) => !isBlocking(x))];
+
+    return {
+      status,
+      summary: parts.join(' · '),
+      counts: { surfaces: count, red: s.red, amber: s.amber, green: s.green, blocking: blocking.length },
+      findings: ordered.slice(0, 5).map((x) => ({
+        id: x.file,
+        severity: 'red',
+        title: x.file,
+        sink: x.sink,
+      })),
+    };
+  },
+};

package/src/adapters/bouncer.js

@@ -0,0 +1,66 @@
+// bouncer — static compliance-controls checker (rule packs).
+// Dialect: { findings: [ { ruleId, packId, standard, severity, surface, status } ] }
+//   status: pass    — required control found
+//           fail    — required control missing
+//           unknown — surface not locatable; explicitly NOT a pass
+// No findings at all means no packs are configured for this repo → skipped.
+
+import { STATUS } from '../verdict.js';
+
+export default {
+  tool: 'bouncer',
+  pkg: '@nugehs/bouncer',
+  binRel: 'src/cli.js',
+  binName: 'bouncer',
+  domain: 'compliance-controls',
+  label: 'Compliance',
+
+  args() {
+    return ['check', '--json'];
+  },
+
+  skip(res) {
+    if (/no\s+\S*config(?:\.json)?\s+found/i.test(`${res.stdout}\n${res.stderr}`)) {
+      return 'not configured (run `bouncer init`)';
+    }
+    return null;
+  },
+
+  normalize(json) {
+    const findings = Array.isArray(json.findings) ? json.findings : [];
+    if (findings.length === 0) {
+      return {
+        status: STATUS.SKIPPED,
+        summary: 'no rule packs configured',
+        counts: { rules: 0, pass: 0, fail: 0, unknown: 0 },
+        findings: [],
+      };
+    }
+
+    const fail = findings.filter((f) => f.status === 'fail');
+    const unknown = findings.filter((f) => f.status === 'unknown');
+    const pass = findings.filter((f) => f.status === 'pass');
+
+    let status;
+    if (fail.length > 0) status = STATUS.FAIL;
+    else if (unknown.length > 0) status = STATUS.UNKNOWN;
+    else status = STATUS.PASS;
+
+    const parts = [`${pass.length}/${findings.length} controls present`];
+    if (fail.length > 0) parts.push(`${fail.length} missing`);
+    if (unknown.length > 0) parts.push(`${unknown.length} unverifiable`);
+
+    return {
+      status,
+      summary: parts.join(', '),
+      counts: { rules: findings.length, pass: pass.length, fail: fail.length, unknown: unknown.length },
+      findings: [...fail, ...unknown].slice(0, 5).map((f) => ({
+        id: f.ruleId,
+        severity: f.severity,
+        title: f.standard,
+        surface: f.surface,
+        status: f.status,
+      })),
+    };
+  },
+};

package/src/adapters/index.js

@@ -0,0 +1,9 @@
+import aiglare from './aiglare.js';
+import bouncer from './bouncer.js';
+import tieline from './tieline.js';
+import repoctx from './repoctx.js';
+
+// Order is the display order in the report: governance → compliance → contracts → merge.
+export const ADAPTERS = [aiglare, bouncer, tieline, repoctx];
+
+export const ADAPTERS_BY_TOOL = Object.fromEntries(ADAPTERS.map((a) => [a.tool, a]));

package/src/adapters/repoctx.js

@@ -0,0 +1,53 @@
+// repoctx — deterministic merge-readiness gate.
+// Dialect: { verdict: 'PASS'|'WARN'|'FAIL', checks: [ { name, status, summary } ] }
+// This is the merge spine the other three feed; its verdict maps directly.
+
+import { STATUS } from '../verdict.js';
+
+export default {
+  tool: 'repoctx',
+  pkg: '@nugehs/repoctx',
+  binRel: 'src/cli.js',
+  binName: 'repoctx',
+  domain: 'merge-readiness',
+  label: 'Merge readiness',
+
+  args() {
+    return ['gate', '--json'];
+  },
+
+  skip(res) {
+    if (/not a git repos/i.test(`${res.stdout}\n${res.stderr}`)) {
+      return 'not a git repository';
+    }
+    return null;
+  },
+
+  normalize(json) {
+    const checks = Array.isArray(json.checks) ? json.checks : [];
+    const failing = checks.filter((c) => String(c.status).toUpperCase() !== 'PASS');
+    const v = String(json.verdict ?? '').toUpperCase();
+
+    let status;
+    if (v === 'PASS') status = STATUS.PASS;
+    else if (v === 'WARN') status = STATUS.WARN;
+    else if (v) status = STATUS.FAIL; // FAIL / BLOCK / anything blocking
+    else status = STATUS.UNKNOWN;
+
+    const summary =
+      failing.length > 0
+        ? `${failing.length} of ${checks.length} checks need attention`
+        : `${checks.length} checks passed`;
+
+    return {
+      status,
+      summary,
+      counts: { checks: checks.length, failing: failing.length },
+      findings: failing.slice(0, 5).map((c) => ({
+        id: c.name,
+        severity: String(c.status).toLowerCase(),
+        title: c.summary,
+      })),
+    };
+  },
+};

package/src/adapters/tieline.js

@@ -0,0 +1,64 @@
+// tieline — static frontend↔backend contract-drift checker.
+// Dialect: { totals:{matched,drift,unverifiable,dead}, drift:[], unverifiable:[], ... }
+//   drift        — FE call resolves but BE has no such route/method (the bug bucket)
+//   unverifiable — call shape couldn't be resolved on one side
+// All-zero totals means no contract map was built (not configured) → skipped.
+
+import { STATUS } from '../verdict.js';
+
+export default {
+  tool: 'tieline',
+  pkg: '@nugehs/tieline',
+  binRel: 'bin/tieline.mjs',
+  binName: 'tieline',
+  domain: 'contract-drift',
+  label: 'Contract drift',
+
+  args() {
+    return ['check', '--json'];
+  },
+
+  skip(res) {
+    if (/no\s+\S*config(?:\.json)?\s+found/i.test(`${res.stdout}\n${res.stderr}`)) {
+      return 'not configured (run `tieline init`)';
+    }
+    return null;
+  },
+
+  normalize(json) {
+    const t = json.totals ?? { matched: 0, drift: 0, unverifiable: 0, dead: 0 };
+    const empty = !t.matched && !t.drift && !t.unverifiable && !t.dead;
+    // Reaching normalize() means tieline ran cleanly with a config loaded (the
+    // genuine "no config" case is caught earlier by skip()). So all-zero totals
+    // mean "configured but resolved nothing" — a likely stale config, not an
+    // absent one. Surface it as WARN; never claim "not configured".
+    if (empty) {
+      return {
+        status: STATUS.WARN,
+        summary: 'contract map empty — 0 endpoints resolved (stale config?)',
+        counts: t,
+        findings: [],
+      };
+    }
+
+    let status;
+    if (t.drift > 0) status = STATUS.FAIL;
+    else if (t.unverifiable > 0) status = STATUS.WARN;
+    else status = STATUS.PASS;
+
+    const parts = [`${t.drift} drift`, `${t.matched} matched`];
+    if (t.unverifiable > 0) parts.push(`${t.unverifiable} unverifiable`);
+
+    return {
+      status,
+      summary: parts.join(' · '),
+      counts: t,
+      findings: (json.drift ?? []).slice(0, 5).map((d) => ({
+        id: `${d.method ?? ''} ${d.path ?? d.url ?? ''}`.trim(),
+        severity: 'drift',
+        title: d.path ?? d.url ?? d.endpoint,
+        method: d.method,
+      })),
+    };
+  },
+};

package/src/cli.js

@@ -0,0 +1,136 @@
+#!/usr/bin/env node
+import { fileURLToPath } from 'node:url';
+import { realpathSync } from 'node:fs';
+import { runGate } from './orchestrator.js';
+import { renderTerminal } from './report/terminal.js';
+import { startMcpServer } from './mcp.js';
+import { ADAPTERS } from './adapters/index.js';
+
+const TOOLS = ADAPTERS.map((a) => a.tool);
+const KNOWN = new Set(TOOLS);
+
+const HELP = `gate — one verdict from aiglare, bouncer, tieline & repoctx
+
+Usage:  gate [path] [options]
+
+Runs the four nugehs checks against a repo and merges their results into a
+single ship/no-ship verdict.
+
+Options:
+  --json            Emit the unified verdict as JSON
+  --ci              Exit non-zero when the gate fails (blocking by default)
+  --strict          Treat WARN/UNKNOWN as blocking too
+  --only <list>     Run only these tools (comma-separated: ${TOOLS.join(',')})
+  --skip <list>     Skip these tools
+  -h, --help        Show this help
+
+Subcommand:
+  gate mcp          Start the MCP server (stdio) — exposes gate_check + list_checks
+
+A run where no domain actually executes (everything skipped or deselected) is
+NOT a pass — under --ci it fails, so a typo can't silently defeat the gate.
+
+Tool resolution (per tool, first hit wins):
+  1. GATE_<TOOL>_BIN env var   2. installed @nugehs/<tool>   3. ../<tool> sibling checkout
+
+Examples:
+  gate                                  # audit the current repo
+  gate ./service --ci                   # fail the build on a blocking verdict
+  gate --only aiglare,repoctx --json    # just those two, machine-readable
+  gate --skip tieline --strict          # everything but tieline, warnings block
+`;
+
+function parseList(v) {
+  return v
+    .split(',')
+    .map((s) => s.trim())
+    .filter(Boolean);
+}
+
+/**
+ * Pure arg parser — returns `{ help }`, `{ error: {code, message} }`, or `{ args }`.
+ * Kept side-effect-free (no process.exit, no process.cwd) so it is unit-testable.
+ */
+export function parseArgs(argv) {
+  const args = { path: null, json: false, ci: false, strict: false, only: null, skip: [] };
+  for (let i = 0; i < argv.length; i++) {
+    const a = argv[i];
+    if (a === '-h' || a === '--help') {
+      return { help: true };
+    } else if (a === '--json') {
+      args.json = true;
+    } else if (a === '--ci') {
+      args.ci = true;
+    } else if (a === '--strict') {
+      args.strict = true;
+    } else if (a === '--only' || a === '--skip') {
+      const v = argv[i + 1];
+      if (v === undefined || v.startsWith('-')) {
+        return { error: { code: 2, message: `${a} requires a comma-separated tool list (${TOOLS.join(',')})` } };
+      }
+      i++;
+      const list = parseList(v);
+      if (list.length === 0) {
+        return { error: { code: 2, message: `${a} requires at least one tool` } };
+      }
+      const unknown = list.filter((t) => !KNOWN.has(t));
+      if (unknown.length) {
+        return { error: { code: 2, message: `Unknown tool: ${unknown.join(', ')} (expected one of ${TOOLS.join(', ')})` } };
+      }
+      if (a === '--only') args.only = list;
+      else args.skip = list;
+    } else if (a.startsWith('-')) {
+      return { error: { code: 2, message: `Unknown option: ${a}` } };
+    } else {
+      args.path = a;
+    }
+  }
+  return { args };
+}
+
+async function main() {
+  const argv = process.argv.slice(2);
+  if (argv[0] === 'mcp') {
+    await startMcpServer();
+    return;
+  }
+
+  const parsed = parseArgs(argv);
+  if (parsed.help) {
+    process.stdout.write(HELP);
+    process.exit(0);
+  }
+  if (parsed.error) {
+    console.error(parsed.error.message);
+    process.exit(parsed.error.code);
+  }
+
+  const result = await runGate(parsed.args);
+
+  if (parsed.args.json) {
+    process.stdout.write(JSON.stringify(result, null, 2) + '\n');
+  } else {
+    process.stdout.write(renderTerminal(result) + '\n');
+  }
+
+  if (result.gate.failed) process.exit(1);
+}
+
+// Only run when invoked as a binary — importing this module (e.g. in tests) is
+// side-effect-free. Resolve symlinks on both sides so it still fires when run
+// through a symlinked bin (npm link, `npm i -g`, npx), where argv[1] is the link.
+export function isMainModule() {
+  if (!process.argv[1]) return false;
+  try {
+    return realpathSync(process.argv[1]) === realpathSync(fileURLToPath(import.meta.url));
+  } catch {
+    return false;
+  }
+}
+
+if (isMainModule()) {
+  main().catch((e) => {
+    console.error(`gate: ${e?.stack ?? e}`);
+    process.exit(2);
+  });
+}

package/src/color.js

@@ -0,0 +1,16 @@
+// Zero-dependency ANSI color, matching the rest of the nugehs toolchain.
+// Honors NO_COLOR and falls back to plain text when stdout is not a TTY.
+
+const enabled = !process.env.NO_COLOR && process.stdout.isTTY === true;
+
+const wrap = (open, close) => (s) => (enabled ? `[${open}m${s}[${close}m` : String(s));
+
+export const color = {
+  enabled,
+  red: wrap(31, 39),
+  green: wrap(32, 39),
+  yellow: wrap(33, 39),
+  blue: wrap(34, 39),
+  dim: wrap(2, 22),
+  bold: wrap(1, 22),
+};

package/src/mcp.js

@@ -0,0 +1,183 @@
+import fs from 'node:fs';
+import path from 'node:path';
+import readline from 'node:readline';
+import { fileURLToPath } from 'node:url';
+import { runGate } from './orchestrator.js';
+import { ADAPTERS } from './adapters/index.js';
+
+// Hand-rolled JSON-RPC 2.0 server over stdio — no SDK dependency, matching the
+// aiglare/repoctx MCP server convention. Reads line-delimited JSON from stdin
+// and writes responses to stdout.
+
+const protocolVersion = '2025-06-18';
+const packageRoot = path.resolve(path.dirname(fileURLToPath(import.meta.url)), '..');
+const packageJson = JSON.parse(fs.readFileSync(path.join(packageRoot, 'package.json'), 'utf8'));
+
+const TOOL_NAMES = ADAPTERS.map((a) => a.tool);
+
+const CHECK_DESCRIPTIONS = {
+  aiglare:
+    'AI/LLM governance guardrails — flags model output reaching a user or a side-effect without confidence handling, fallback, validation, or human-in-the-loop.',
+  bouncer:
+    "Static compliance-controls — verifies the controls a regulation requires (UK Online Safety Act, ICO Children's Code) actually exist in the code.",
+  tieline: 'Frontend↔backend contract drift — frontend API calls that resolve to no backend route.',
+  repoctx: 'Deterministic merge-readiness gate — secret safety, risk review, release discipline, required checks.',
+};
+
+const tools = [
+  {
+    name: 'gate_check',
+    title: 'Run the unified gate',
+    description:
+      'Run aiglare, bouncer, tieline & repoctx against a repo and return one normalized verdict (pass|warn|fail), with each tool reduced to a status and the blocking reasons. The single "can this ship?" call for the nugehs toolchain.',
+    inputSchema: {
+      type: 'object',
+      properties: {
+        path: { type: 'string', description: 'Repository path. Defaults to the current working directory.' },
+        only: {
+          type: 'array',
+          items: { type: 'string', enum: TOOL_NAMES },
+          description: 'Run only these checks.',
+        },
+        skip: {
+          type: 'array',
+          items: { type: 'string', enum: TOOL_NAMES },
+          description: 'Skip these checks.',
+        },
+        ci: { type: 'boolean', description: 'Compute gate.failed as a CI gate would (blocks on a fail verdict).' },
+        strict: { type: 'boolean', description: 'Treat WARN/UNKNOWN as blocking too.' },
+      },
+    },
+  },
+  {
+    name: 'list_checks',
+    title: 'List the gate checks',
+    description: 'List the four checks gate runs, each with the domain it covers and what it answers.',
+    inputSchema: { type: 'object', properties: {} },
+  },
+];
+
+async function dispatchTool(name, args) {
+  switch (name) {
+    case 'gate_check':
+      return runGate({
+        path: args.path,
+        only: args.only ?? null,
+        skip: args.skip ?? [],
+        ci: args.ci ?? false,
+        strict: args.strict ?? false,
+      });
+    case 'list_checks':
+      return {
+        checks: ADAPTERS.map((a) => ({
+          tool: a.tool,
+          domain: a.domain,
+          label: a.label,
+          description: CHECK_DESCRIPTIONS[a.tool] ?? '',
+        })),
+      };
+    default:
+      throw new McpProtocolError(-32602, `Unknown tool: ${name}`);
+  }
+}
+
+export async function startMcpServer({ input = process.stdin, output = process.stdout } = {}) {
+  const rl = readline.createInterface({ input, crlfDelay: Infinity });
+  for await (const line of rl) {
+    const trimmed = line.trim();
+    if (!trimmed) continue;
+
+    let message;
+    try {
+      message = JSON.parse(trimmed);
+    } catch (error) {
+      writeMessage(output, errorResponse(null, -32700, `Parse error: ${error.message}`));
+      continue;
+    }
+
+    const response = await handleMessage(message);
+    if (response) writeMessage(output, response);
+  }
+}
+
+async function handleMessage(message) {
+  if (!message || message.jsonrpc !== '2.0' || typeof message.method !== 'string') {
+    return errorResponse(message?.id ?? null, -32600, 'Invalid JSON-RPC request');
+  }
+
+  try {
+    switch (message.method) {
+      case 'initialize':
+        return successResponse(message.id, {
+          protocolVersion,
+          capabilities: { tools: { listChanged: false } },
+          serverInfo: { name: packageJson.name, version: packageJson.version },
+        });
+      case 'notifications/initialized':
+        return undefined;
+      case 'ping':
+        return successResponse(message.id, {});
+      case 'tools/list':
+        return successResponse(message.id, { tools });
+      case 'tools/call':
+        return successResponse(message.id, await callTool(message.params));
+      default:
+        return errorResponse(message.id, -32601, `Method not found: ${message.method}`);
+    }
+  } catch (error) {
+    const code = error instanceof McpProtocolError ? error.code : -32603;
+    return errorResponse(message.id, code, error instanceof Error ? error.message : String(error));
+  }
+}
+
+async function callTool(params = {}) {
+  if (!params || typeof params !== 'object') {
+    throw new McpProtocolError(-32602, 'Tool call params must be an object');
+  }
+
+  const name = params.name;
+  if (typeof name !== 'string' || !name.trim()) {
+    throw new McpProtocolError(-32602, 'Tool name is required');
+  }
+
+  const args = params.arguments ?? {};
+  if (!args || typeof args !== 'object' || Array.isArray(args)) {
+    throw new McpProtocolError(-32602, 'Tool arguments must be an object');
+  }
+
+  let result;
+  try {
+    result = await dispatchTool(name, args);
+  } catch (error) {
+    if (error instanceof McpProtocolError) throw error;
+    return {
+      content: [{ type: 'text', text: error instanceof Error ? error.message : String(error) }],
+      isError: true,
+    };
+  }
+
+  return {
+    content: [{ type: 'text', text: JSON.stringify(result, null, 2) }],
+    structuredContent: result,
+    isError: false,
+  };
+}
+
+function successResponse(id, result) {
+  return { jsonrpc: '2.0', id, result };
+}
+
+function errorResponse(id, code, message) {
+  return { jsonrpc: '2.0', id, error: { code, message } };
+}
+
+function writeMessage(output, message) {
+  output.write(`${JSON.stringify(message)}\n`);
+}
+
+class McpProtocolError extends Error {
+  constructor(code, message) {
+    super(message);
+    this.code = code;
+  }
+}

package/src/orchestrator.js

@@ -0,0 +1,117 @@
+// Run the selected adapters against a repo, in parallel, and merge their
+// per-domain results into one unified verdict.
+
+import path from 'node:path';
+import { ADAPTERS } from './adapters/index.js';
+import { resolveTool } from './resolve.js';
+import { runTool, extractJson } from './run.js';
+import { mergeVerdict, STATUS } from './verdict.js';
+
+const SCHEMA_VERSION = 1;
+
+export async function runAdapter(adapter, ctx) {
+  const base = { tool: adapter.tool, domain: adapter.domain, label: adapter.label };
+
+  const resolved = resolveTool(adapter);
+  if (!resolved) {
+    return {
+      ...base,
+      status: STATUS.SKIPPED,
+      summary: `${adapter.tool} not installed`,
+      counts: {},
+      findings: [],
+      available: false,
+      source: null,
+      durationMs: 0,
+      exitCode: null,
+      error: `Could not resolve ${adapter.pkg}. Install it, or set GATE_${adapter.tool.toUpperCase()}_BIN.`,
+    };
+  }
+
+  const startedAt = Date.now();
+  const res = await runTool(resolved.entry, adapter.args(ctx), { cwd: ctx.path });
+  const durationMs = Date.now() - startedAt;
+  const meta = { available: true, source: resolved.source, durationMs, exitCode: res.exitCode };
+
+  if (res.spawnError || res.timedOut) {
+    return {
+      ...base,
+      ...meta,
+      status: STATUS.ERROR,
+      summary: res.timedOut ? 'timed out' : 'failed to run',
+      counts: {},
+      findings: [],
+      error: res.spawnError ?? 'timed out',
+    };
+  }
+
+  // A tool that isn't configured for this repo (no config file, not a git repo)
+  // is "not applicable" — skip it rather than treating it as an error.
+  const skipReason = adapter.skip?.(res);
+  if (skipReason) {
+    return {
+      ...base,
+      ...meta,
+      status: STATUS.SKIPPED,
+      summary: skipReason,
+      counts: {},
+      findings: [],
+      error: null,
+    };
+  }
+
+  const json = extractJson(res.stdout);
+  if (!json) {
+    return {
+      ...base,
+      ...meta,
+      status: STATUS.ERROR,
+      summary: 'no parseable output',
+      counts: {},
+      findings: [],
+      error: (res.stderr || res.stdout || '').trim().split('\n').slice(0, 3).join(' ') || 'empty output',
+    };
+  }
+
+  try {
+    const norm = adapter.normalize(json);
+    return { ...base, ...meta, error: null, ...norm };
+  } catch (e) {
+    return {
+      ...base,
+      ...meta,
+      status: STATUS.ERROR,
+      summary: 'could not interpret output',
+      counts: {},
+      findings: [],
+      error: String(e?.message ?? e),
+    };
+  }
+}
+
+/**
+ * @param {{path?:string, only?:string[]|null, skip?:string[], ci?:boolean, strict?:boolean}} opts
+ */
+export async function runGate(opts = {}) {
+  const target = path.resolve(opts.path ?? process.cwd());
+  const only = opts.only ?? null;
+  const skip = opts.skip ?? [];
+
+  const selected = ADAPTERS.filter(
+    (a) => (!only || only.includes(a.tool)) && !skip.includes(a.tool)
+  );
+
+  const ctx = { path: target };
+  const domains = await Promise.all(selected.map((a) => runAdapter(a, ctx)));
+
+  const merged = mergeVerdict(domains, { ci: opts.ci, strict: opts.strict });
+
+  return {
+    schemaVersion: SCHEMA_VERSION,
+    tool: 'gate',
+    generatedAt: new Date().toISOString(),
+    repo: { root: target, name: path.basename(target) },
+    ...merged,
+    domains,
+  };
+}

package/src/report/terminal.js

@@ -0,0 +1,66 @@
+import { color } from '../color.js';
+import { STATUS } from '../verdict.js';
+
+const ICON = {
+  [STATUS.PASS]: () => color.green('✓'),
+  [STATUS.WARN]: () => color.yellow('⚠'),
+  [STATUS.FAIL]: () => color.red('✗'),
+  [STATUS.UNKNOWN]: () => color.yellow('?'),
+  [STATUS.SKIPPED]: () => color.dim('·'),
+  [STATUS.ERROR]: () => color.red('!'),
+};
+
+const STATUS_WORD = {
+  [STATUS.PASS]: (s) => color.green(s),
+  [STATUS.WARN]: (s) => color.yellow(s),
+  [STATUS.FAIL]: (s) => color.red(s),
+  [STATUS.UNKNOWN]: (s) => color.yellow(s),
+  [STATUS.SKIPPED]: (s) => color.dim(s),
+  [STATUS.ERROR]: (s) => color.red(s),
+};
+
+function pad(s, n) {
+  return s.length >= n ? s : s + ' '.repeat(n - s.length);
+}
+
+export function renderTerminal(result) {
+  const lines = [];
+  lines.push('');
+  lines.push(`  ${color.bold('gate')} ${color.dim('·')} ${result.repo.root}`);
+  lines.push('');
+
+  const labelWidth = Math.max(...result.domains.map((d) => d.label.length), 0);
+  for (const d of result.domains) {
+    const icon = (ICON[d.status] ?? ICON[STATUS.ERROR])();
+    const word = (STATUS_WORD[d.status] ?? STATUS_WORD[STATUS.ERROR])(pad(d.status, 8));
+    lines.push(`  ${icon}  ${color.bold(pad(d.label, labelWidth))}  ${word}  ${color.dim(d.summary)}`);
+  }
+
+  lines.push('');
+  const v = result.verdict;
+  const verdictWord =
+    v === STATUS.FAIL ? color.red(color.bold('FAIL')) : v === STATUS.WARN ? color.yellow(color.bold('WARN')) : color.green(color.bold('PASS'));
+
+  const c = result.summary;
+  const tail = [];
+  if (c.fail) tail.push(`${c.fail} blocking`);
+  if (c.warn) tail.push(`${c.warn} warn`);
+  if (c.unknown) tail.push(`${c.unknown} unknown`);
+  if (c.error) tail.push(`${c.error} error`);
+  if (c.skipped) tail.push(`${c.skipped} skipped`);
+  const tailStr = tail.length ? color.dim(` — ${tail.join(' · ')}`) : '';
+
+  if (result.gate.nothingChecked) {
+    lines.push(`  verdict: ${color.yellow(color.bold('NO CHECKS RAN'))}${color.dim(' — every domain was skipped or deselected')}`);
+  } else {
+    lines.push(`  verdict: ${verdictWord}${tailStr}`);
+  }
+
+  if (result.gate.failed) {
+    lines.push('');
+    lines.push(`  ${color.red('✗ gate failed')}`);
+    for (const r of result.gate.reasons) lines.push(`    ${color.dim('•')} ${r}`);
+  }
+  lines.push('');
+  return lines.join('\n');
+}

package/src/resolve.js

@@ -0,0 +1,52 @@
+// Find each tool's CLI entrypoint without hard-coding install layout.
+//
+// Resolution order, first hit wins:
+//   1. GATE_<TOOL>_BIN env var  — explicit override (CI, exotic installs)
+//   2. node_modules             — the published @nugehs/<tool> dependency
+//   3. sibling checkout         — ../<tool> next to this repo (local dev)
+//
+// This lets gate work both as a published package (deps resolve from
+// node_modules) and straight from a clone sitting alongside the four tools.
+
+import { createRequire } from 'node:module';
+import { fileURLToPath } from 'node:url';
+import path from 'node:path';
+import fs from 'node:fs';
+
+const require = createRequire(import.meta.url);
+const ROOT = path.resolve(path.dirname(fileURLToPath(import.meta.url)), '..');
+
+/**
+ * @param {{tool:string, pkg:string, binRel:string, binName?:string}} spec
+ * @param {{root?:string}} [opts] - override the repo root the sibling fallback is
+ *   resolved against (defaults to this package's root; injectable for tests).
+ * @returns {{entry:string, source:'env'|'node_modules'|'sibling'}|null}
+ */
+export function resolveTool({ tool, pkg, binRel, binName }, { root = ROOT } = {}) {
+  const envKey = `GATE_${tool.toUpperCase()}_BIN`;
+  const override = process.env[envKey];
+  if (override && fs.existsSync(override)) {
+    return { entry: override, source: 'env' };
+  }
+
+  try {
+    const pkgJsonPath = require.resolve(`${pkg}/package.json`);
+    const dir = path.dirname(pkgJsonPath);
+    const meta = JSON.parse(fs.readFileSync(pkgJsonPath, 'utf8'));
+    const bin =
+      typeof meta.bin === 'string'
+        ? meta.bin
+        : (meta.bin && (meta.bin[binName] ?? Object.values(meta.bin)[0]));
+    if (bin) {
+      const entry = path.join(dir, bin);
+      if (fs.existsSync(entry)) return { entry, source: 'node_modules' };
+    }
+  } catch {
+    // not installed — fall through to the sibling checkout
+  }
+
+  const sibling = path.resolve(root, '..', tool, binRel);
+  if (fs.existsSync(sibling)) return { entry: sibling, source: 'sibling' };
+
+  return null;
+}

package/src/run.js

@@ -0,0 +1,63 @@
+// Spawn a tool's CLI under the current node, capture stdout, and pull JSON out.
+
+import { execFile } from 'node:child_process';
+
+const MAX_BUFFER = 32 * 1024 * 1024; // tool reports can be large; never truncate
+
+/**
+ * Run a tool entrypoint and fully capture its output. Never rejects — a
+ * non-zero exit is expected (these tools exit non-zero when they find
+ * problems), and stdout/stderr are captured regardless of exit code.
+ *
+ * @returns {Promise<{exitCode:number|null, stdout:string, stderr:string, spawnError?:string, timedOut?:boolean}>}
+ */
+export function runTool(entry, args, { cwd, timeoutMs = 120_000 } = {}) {
+  return new Promise((resolve) => {
+    execFile(
+      process.execPath,
+      [entry, ...args],
+      { cwd, env: process.env, timeout: timeoutMs, maxBuffer: MAX_BUFFER },
+      (err, stdout, stderr) => {
+        if (!err) {
+          resolve({ exitCode: 0, stdout, stderr });
+          return;
+        }
+        if (err.killed) {
+          resolve({ exitCode: null, stdout, stderr, timedOut: true });
+          return;
+        }
+        // A normal non-zero exit surfaces as err.code === <number>; stdout/stderr
+        // are still fully populated. Anything else (ENOENT, maxBuffer) is a real failure.
+        if (typeof err.code === 'number') {
+          resolve({ exitCode: err.code, stdout, stderr });
+          return;
+        }
+        resolve({ exitCode: null, stdout, stderr, spawnError: String(err.message ?? err) });
+      }
+    );
+  });
+}
+
+/**
+ * Best-effort JSON extraction. Tools emit clean JSON under --json, but a stray
+ * leading line shouldn't break us — fall back to the outermost {...} or [...].
+ */
+export function extractJson(text) {
+  if (!text) return null;
+  try {
+    return JSON.parse(text);
+  } catch {
+    // fall through
+  }
+  const start = text.search(/[[{]/);
+  if (start === -1) return null;
+  const open = text[start];
+  const close = open === '{' ? '}' : ']';
+  const end = text.lastIndexOf(close);
+  if (end <= start) return null;
+  try {
+    return JSON.parse(text.slice(start, end + 1));
+  } catch {
+    return null;
+  }
+}

package/src/verdict.js

@@ -0,0 +1,83 @@
+// The unified verdict model.
+//
+// Every tool speaks its own dialect — aiglare has red/amber/green, bouncer has
+// pass/fail/unknown, tieline has matched/drift, repoctx has PASS/WARN/FAIL.
+// Adapters normalize each into a single STATUS. This module rolls a set of
+// per-domain results up into one verdict and decides whether the gate fails.
+
+/** The normalized status vocabulary every adapter maps onto. */
+export const STATUS = Object.freeze({
+  PASS: 'pass', // the check ran and is clean
+  WARN: 'warn', // ran, found something worth a look, not blocking
+  FAIL: 'fail', // ran, found a blocking problem
+  UNKNOWN: 'unknown', // ran, but could not determine — explicitly "not a pass"
+  SKIPPED: 'skipped', // not applicable / not configured for this repo
+  ERROR: 'error', // the tool could not be run or returned garbage
+});
+
+// How bad each status is when rolling up. SKIPPED is invisible to the verdict;
+// UNKNOWN and ERROR sit at WARN level so they never silently pass.
+const RANK = Object.freeze({
+  pass: 0,
+  skipped: 0,
+  unknown: 2,
+  warn: 2,
+  error: 2,
+  fail: 3,
+});
+
+function statusForRank(rank) {
+  if (rank >= 3) return STATUS.FAIL;
+  if (rank >= 2) return STATUS.WARN;
+  return STATUS.PASS;
+}
+
+/**
+ * Roll per-domain results into one verdict.
+ *
+ * @param {Array<{tool:string,label:string,status:string,summary:string}>} domains
+ * @param {{ci?:boolean, strict?:boolean}} opts
+ *   ci     — when true, a blocking verdict sets gate.failed (drives a non-zero exit)
+ *   strict — when true, WARN-level results also block (otherwise only FAIL blocks)
+ */
+export function mergeVerdict(domains, { ci = false, strict = false } = {}) {
+  const counts = {
+    domains: domains.length,
+    pass: 0,
+    warn: 0,
+    fail: 0,
+    unknown: 0,
+    skipped: 0,
+    error: 0,
+  };
+  for (const d of domains) {
+    if (counts[d.status] === undefined) counts[d.status] = 0;
+    counts[d.status] += 1;
+  }
+
+  // SKIPPED domains do not influence the verdict — the check simply did not apply.
+  const ran = domains.filter((d) => d.status !== STATUS.SKIPPED);
+  const nothingChecked = ran.length === 0;
+  let rank = 0;
+  for (const d of ran) rank = Math.max(rank, RANK[d.status] ?? 0);
+  const verdict = statusForRank(rank);
+
+  const blocks = (d) =>
+    d.status === STATUS.FAIL ||
+    (strict && (d.status === STATUS.WARN || d.status === STATUS.UNKNOWN || d.status === STATUS.ERROR));
+
+  const reasons = domains.filter(blocks).map((d) => `${d.label}: ${d.summary}`);
+  // A gate that checked nothing must not read as a clean pass — that's how a
+  // typo (`--skip` everything, a bare trailing `--only`) silently defeats CI.
+  if (nothingChecked) reasons.unshift('no checks ran — every domain was skipped or deselected');
+
+  const failed = ci && (verdict === STATUS.FAIL || nothingChecked || (strict && verdict === STATUS.WARN));
+  counts.ran = ran.length;
+
+  return {
+    verdict,
+    ok: verdict !== STATUS.FAIL && !nothingChecked,
+    summary: counts,
+    gate: { ci, strict, failed, nothingChecked, reasons },
+  };
+}