@ps-neko/nekowork 0.1.0-alpha.0

package/examples/github-actions-hardening/case-study/VERIFY_SUMMARY.md

@@ -0,0 +1,35 @@
+# Verify Summary
+
+## Codex Review
+
+Expected verdict: `approve` if the workflow stays validation-only.
+
+## Risk Policy
+
+GitHub Actions workflow work is deploy-sensitive.
+
+```text
+tags=deploy
+codex_challenge=true
+human_gate=true
+```
+
+## Evidence
+
+```bash
+npm test
+```
+
+Expected output:
+
+```text
+github-actions-hardening checks passed
+```
+
+## Boundary Checks
+
+- No `pull_request_target`.
+- No `npm publish`.
+- No static secrets.
+- No cloud credential action.
+- Permissions remain read-only.

package/examples/github-actions-hardening/case-study/WORK_SUMMARY.md

@@ -0,0 +1,24 @@
+# Work Summary
+
+## Result
+
+Implemented a hardened GitHub Actions validation fixture.
+
+## Files
+
+- `.github/workflows/hardened-validate.yml`
+- `scripts/check.mjs`
+- `package.json`
+- `README.md`
+
+## Mutation Policy
+
+Single executor only.
+
+## Acceptance Evidence
+
+- Workflow has bounded triggers.
+- Token permissions are read-only.
+- Checkout does not persist credentials.
+- Action refs are pinned and non-floating.
+- Local test checks for deploy, publish, secret, and cloud credential exclusions.

package/examples/github-actions-hardening/package.json

@@ -0,0 +1,12 @@
+{
+  "name": "nekowork-github-actions-hardening",
+  "version": "0.0.0",
+  "private": true,
+  "type": "module",
+  "scripts": {
+    "test": "node scripts/check.mjs"
+  },
+  "devDependencies": {
+    "yaml": "^2.6.1"
+  }
+}

package/examples/github-actions-hardening/scripts/check.mjs

@@ -0,0 +1,43 @@
+import fs from 'node:fs';
+import path from 'node:path';
+import { fileURLToPath } from 'node:url';
+import YAML from 'yaml';
+
+const root = path.resolve(path.dirname(fileURLToPath(import.meta.url)), '..');
+const workflowPath = path.join(root, '.github', 'workflows', 'hardened-validate.yml');
+
+if (!fs.existsSync(workflowPath)) {
+  throw new Error('missing hardened workflow');
+}
+
+const raw = fs.readFileSync(workflowPath, 'utf8');
+const workflow = YAML.parse(raw);
+
+assert(!raw.includes('pull_request_target'), 'workflow must not use pull_request_target');
+assert(!raw.includes('npm publish'), 'workflow must not publish packages');
+assert(!raw.includes('aws-actions/configure-aws-credentials'), 'workflow must not configure cloud credentials');
+assert(!raw.includes('${{ secrets.'), 'workflow must not read static secrets');
+
+assert(workflow.permissions?.contents === 'read', 'top-level contents permission must be read');
+assert(workflow.concurrency?.['cancel-in-progress'] === true, 'workflow must cancel superseded runs');
+
+const jobs = workflow.jobs || {};
+assert(Object.keys(jobs).length > 0, 'workflow must define jobs');
+
+for (const [jobName, job] of Object.entries(jobs)) {
+  assert(job['timeout-minutes'] && job['timeout-minutes'] <= 20, `${jobName} must have a bounded timeout`);
+  assert(job.permissions?.contents === 'read', `${jobName} contents permission must be read`);
+  assert(job.permissions?.actions === 'read', `${jobName} actions permission must be read`);
+
+  for (const step of job.steps || []) {
+    if (!step.uses) continue;
+    assert(/@[a-zA-Z0-9._-]+$/.test(step.uses), `${step.uses} must pin an action ref`);
+    assert(!/@main$|@master$|@latest$/i.test(step.uses), `${step.uses} must not use floating refs`);
+  }
+}
+
+console.log('github-actions-hardening checks passed');
+
+function assert(condition, message) {
+  if (!condition) throw new Error(message);
+}

package/examples/quality-lifecycle-smoke/README.md

@@ -0,0 +1,30 @@
+# Quality Lifecycle Smoke Project
+
+This is a small standalone repository fixture used as a NEKOWORK quality-runtime case-study target.
+
+It demonstrates the quality profile path:
+
+- product and quality questions before implementation
+- test-first planning
+- single-executor work
+- Codex verification with evidence requirements
+- structured acceptance coverage
+- optional strict quality blocking before ship readiness
+
+## Test
+
+```bash
+npm test
+```
+
+The test verifies that the case-study artifacts include quality checklist, evidence fields, and acceptance coverage.
+
+## NEKOWORK Case Study
+
+See [case-study/TASK.md](case-study/TASK.md) for the workflow evidence:
+
+```text
+ask --profile quality -> plan -> team -> work --profile quality -> verify --profile quality --strict-quality -> ship
+```
+
+The important product rule is that quality warnings start as evidence, and `--strict-quality` can convert missing evidence or acceptance coverage into a no-ship condition.

package/examples/quality-lifecycle-smoke/case-study/ASK.md

@@ -0,0 +1,24 @@
+# Ask
+
+profile: quality
+
+Question gate:
+
+1. What outcome should count as done?
+2. Who is the target user or operator, and what problem should this solve?
+3. What is the smallest MVP scope for this cycle?
+4. What is explicitly out of scope?
+5. What files, surfaces, or user flows are allowed to change?
+6. What launch or readiness risk should block ship?
+7. What test-first plan should exist before implementation starts?
+8. What evidence should prove each acceptance criterion passed?
+
+Profile checklist:
+
+- brainstorm before work
+- test-first plan
+- systematic debugging path
+- acceptance criteria coverage evidence
+- evidence-based review findings
+- verification before completion
+- quality gate before ship/apply

package/examples/quality-lifecycle-smoke/case-study/GATE_STATUS.md

@@ -0,0 +1,10 @@
+# Gate Status
+
+Human Gate: clear
+
+Reason:
+
+- No critical, financial, deploy, auth, or data-loss risk was detected.
+- Strict quality produced no blocking warnings in this case-study path.
+
+Human still owns PR, release, publish, and deploy decisions.

package/examples/quality-lifecycle-smoke/case-study/PLAN.md

@@ -0,0 +1,19 @@
+# Plan
+
+Acceptance criteria:
+
+- AC-001: parser rejects malformed input with a stable error message
+- AC-002: parser accepts the documented happy path
+- AC-003: no unrelated files are changed
+
+Test-first plan:
+
+- Add or identify a parser malformed-input check before implementation.
+- Keep happy path behavior unchanged.
+- Compare the final changed file list against the planned scope.
+
+Non-goals:
+
+- No parser architecture rewrite.
+- No new dependency.
+- No production deploy or publish.

package/examples/quality-lifecycle-smoke/case-study/SHIP_READY.md

@@ -0,0 +1,11 @@
+# Ship Ready
+
+SHIP_READY
+
+Evidence:
+
+- Work was single-executor.
+- Codex verification recorded evidence-based findings.
+- Acceptance criteria coverage was structured.
+- Human Gate was clear.
+- Apply remains explicit.

package/examples/quality-lifecycle-smoke/case-study/TASK.md

@@ -0,0 +1,19 @@
+# Task
+
+Create a small parser cleanup flow and prove that NEKOWORK can keep quality expectations visible from question gate through verification.
+
+The target change is intentionally tiny:
+
+- normalize parser error messages
+- keep implementation single-executor
+- verify acceptance criteria with explicit evidence
+- demonstrate strict quality policy without needing a real provider call
+
+Suggested command path:
+
+```bash
+node scripts/cli.js ask "clean up parser errors" --profile quality --session quality-smoke
+node scripts/cli.js work "clean up parser errors" --profile quality --session quality-smoke
+node scripts/cli.js verify "verify parser cleanup" --profile quality --strict-quality --session quality-smoke
+node scripts/cli.js ship "prepare quality smoke ship handoff" --session quality-smoke
+```

package/examples/quality-lifecycle-smoke/case-study/TEAM_HANDOFFS.md

@@ -0,0 +1,21 @@
+# Team Handoffs
+
+All team handoffs are read-only.
+
+Planner:
+
+- Keep this as a parser cleanup, not a rewrite.
+- Require explicit acceptance coverage in verify.
+
+Test:
+
+- AC-001 and AC-002 should be checked independently.
+- Missing test evidence should be a quality warning.
+
+Security:
+
+- No secrets, credentials, deploy logic, or auth files are in scope.
+
+Reviewer:
+
+- Findings should include claim, evidence, required_fix, confidence, and gate_required when high or critical.

package/examples/quality-lifecycle-smoke/case-study/VERIFY_SUMMARY.md

@@ -0,0 +1,44 @@
+# Verify Summary
+
+profile: quality
+strict_quality: true
+strict_quality_blocked: false
+
+Evidence-based finding example:
+
+```text
+claim: Parser malformed input behavior is covered.
+evidence: tests/parser.test.js references AC-001 and asserts a stable error message.
+required_fix: none
+confidence: 0.91
+gate_required: false
+```
+
+acceptance_coverage:
+
+```json
+[
+  {
+    "id": "AC-001",
+    "status": "covered",
+    "evidence": "tests/parser.test.js references AC-001 and malformed input",
+    "source": "codex-review"
+  },
+  {
+    "id": "AC-002",
+    "status": "covered",
+    "evidence": "codex-review confirms the happy path remains covered",
+    "source": "codex-review"
+  },
+  {
+    "id": "AC-003",
+    "status": "covered",
+    "evidence": "changed file list is limited to parser and parser tests",
+    "source": "codex-review"
+  }
+]
+```
+
+Quality warnings:
+
+- none

package/examples/quality-lifecycle-smoke/case-study/WORK_SUMMARY.md

@@ -0,0 +1,19 @@
+# Work Summary
+
+profile: quality
+
+Work policy:
+
+- single executor only
+- target project mutation isolated until explicit apply
+- acceptance criteria artifact required
+- quality checklist passed into the executor context
+
+Changed files:
+
+- src/parser.js
+- tests/parser.test.js
+
+Result:
+
+- Parser cleanup is ready for independent Codex verification.

package/examples/quality-lifecycle-smoke/package.json

@@ -0,0 +1,8 @@
+{
+  "name": "nekowork-quality-lifecycle-smoke",
+  "private": true,
+  "type": "module",
+  "scripts": {
+    "test": "node scripts/check.mjs"
+  }
+}

package/examples/quality-lifecycle-smoke/scripts/check.mjs

@@ -0,0 +1,44 @@
+import fs from 'node:fs';
+import path from 'node:path';
+import { fileURLToPath } from 'node:url';
+
+const root = path.resolve(path.dirname(fileURLToPath(import.meta.url)), '..');
+const caseStudy = path.join(root, 'case-study');
+
+const required = [
+  'TASK.md',
+  'ASK.md',
+  'PLAN.md',
+  'TEAM_HANDOFFS.md',
+  'WORK_SUMMARY.md',
+  'VERIFY_SUMMARY.md',
+  'GATE_STATUS.md',
+  'SHIP_READY.md',
+];
+
+for (const rel of required) {
+  assert(fs.existsSync(path.join(caseStudy, rel)), `${rel} must exist`);
+}
+
+const ask = read('ASK.md');
+const verify = read('VERIFY_SUMMARY.md');
+const ship = read('SHIP_READY.md');
+
+assert(ask.includes('profile: quality'), 'ASK must record the quality profile');
+assert(ask.includes('test-first plan'), 'ASK must include the test-first question');
+assert(verify.includes('claim:'), 'VERIFY must include evidence claim fields');
+assert(verify.includes('evidence:'), 'VERIFY must include evidence details');
+assert(verify.includes('required_fix:'), 'VERIFY must include required fixes');
+assert(verify.includes('acceptance_coverage:'), 'VERIFY must include structured acceptance coverage');
+assert(verify.includes('strict_quality_blocked: false'), 'VERIFY must record strict quality status');
+assert(ship.includes('SHIP_READY'), 'SHIP must record readiness');
+
+console.log('quality-lifecycle-smoke checks passed');
+
+function read(rel) {
+  return fs.readFileSync(path.join(caseStudy, rel), 'utf8');
+}
+
+function assert(condition, message) {
+  if (!condition) throw new Error(message);
+}

package/examples/trading-dashboard-mock/README.md

@@ -0,0 +1,33 @@
+# Trading Dashboard Mock Project
+
+This is a small standalone project used as a NEKOWORK case-study target.
+
+It is intentionally mock-only:
+
+- no broker SDK
+- no payment provider
+- no real account connection
+- no order execution
+- no network calls
+
+## Run
+
+Open `index.html` in a browser, or serve the directory with any static file server.
+
+## Test
+
+```bash
+npm test
+```
+
+The test checks that the mock project stays local and does not introduce broker, payment, or outbound API wiring.
+
+## NEKOWORK Case Study
+
+See [case-study/TASK.md](case-study/TASK.md) for the workflow evidence:
+
+```text
+ask -> plan -> team -> work -> verify -> gate -> ship
+```
+
+The important product rule is that financial UI work is still gate-sensitive even when all data is mocked.

package/examples/trading-dashboard-mock/case-study/ASK.md

@@ -0,0 +1,24 @@
+# Ask
+
+Expected question-gate outcome:
+
+```text
+risk=high
+tags=financial,product-ui
+requiresCodexChallenge=true
+requiresHumanGate=true
+```
+
+## Blocking Questions
+
+1. Must all order behavior stay disabled and mock-only?
+2. Are broker, account, payment, and order APIs explicitly out of scope?
+3. What visual states are required for the dashboard?
+4. What evidence proves the mock cannot place real trades?
+
+## Draft Success Criteria
+
+1. The dashboard renders portfolio, watchlist, and order-ticket surfaces.
+2. Order controls are disabled.
+3. No outbound network, broker SDK, payment SDK, or account integration exists.
+4. A local test verifies the mock-only boundary.

package/examples/trading-dashboard-mock/case-study/GATE_STATUS.md

@@ -0,0 +1,28 @@
+# Gate Status
+
+## Expected Status Before Approval
+
+```text
+status=open
+reason=risk policy requires human gate (financial,product-ui)
+```
+
+## Human Review Checklist
+
+- The page says demo data only.
+- The order ticket is disabled.
+- There is no broker or payment SDK.
+- There are no outbound calls.
+- The local project test passes.
+
+## Approve Command
+
+```bash
+node ../../scripts/cli.js gate approve --project-root . --session trading-demo --reason "Confirmed mock-only financial UI boundary."
+```
+
+## Block Command
+
+```bash
+node ../../scripts/cli.js gate block --project-root . --session trading-demo --reason "Financial UI boundary is not proven."
+```

package/examples/trading-dashboard-mock/case-study/PLAN.md

@@ -0,0 +1,23 @@
+# Plan
+
+## Implementation
+
+1. Create a static `index.html` entry point.
+2. Build a responsive dashboard layout in `src/styles.css`.
+3. Render a canvas portfolio chart and watchlist in `src/app.js`.
+4. Keep order inputs and side buttons disabled.
+5. Add local fixture data under `fixtures/market.json`.
+6. Add `scripts/check.mjs` to verify the mock-only boundary.
+
+## Acceptance Criteria
+
+| ID | Criteria |
+|---|---|
+| AC-001 | Dashboard opens as a static browser page. |
+| AC-002 | Portfolio chart and watchlist render from mock data. |
+| AC-003 | Buy/sell/order controls are disabled. |
+| AC-004 | Test fails if broker, payment, or outbound API wiring appears. |
+
+## Human Gate
+
+Human approval is required before any ship-ready claim because this is a financial UI surface.

package/examples/trading-dashboard-mock/case-study/SHIP_READY.md

@@ -0,0 +1,21 @@
+# Ship Ready
+
+This case study is ship-ready only after Human Gate approval.
+
+## Required Evidence
+
+- Work handoff exists.
+- Codex verification exists.
+- Risk policy was evaluated.
+- Human Gate was approved.
+- `npm test` passed inside this mock project.
+
+## Ship Command
+
+```bash
+node ../../scripts/cli.js ship "prepare trading dashboard mock ship readiness" --project-root . --session trading-demo --require-clean-gates
+```
+
+## Apply Policy
+
+This static example is already present in the repository. In a live-work session, `apply` would remain explicit and would require `SHIP_READY`.

package/examples/trading-dashboard-mock/case-study/TASK.md

@@ -0,0 +1,29 @@
+# Task
+
+Build a trading dashboard mockup that demonstrates NEKOWORK's financial-risk gate.
+
+## Scope
+
+- Static browser UI.
+- Mock portfolio chart.
+- Mock watchlist.
+- Disabled order ticket.
+- No real broker, payment, account, or order execution wiring.
+
+## Non-Goals
+
+- No production trading behavior.
+- No API calls.
+- No authentication.
+- No deploy automation.
+
+## Recommended NEKOWORK Flow
+
+```bash
+node ../../scripts/cli.js ask "stock trading dashboard mockup with mock-only orders" --project-root . --session trading-demo
+node ../../scripts/cli.js plan "stock trading dashboard mockup with mock-only orders" --project-root . --session trading-demo
+node ../../scripts/cli.js team "stock trading dashboard mockup with mock-only orders" --workers planner,product,security,test --no-write --project-root . --session trading-demo
+node ../../scripts/cli.js work "implement the planned trading dashboard mockup" --single-executor --project-root . --session trading-demo
+node ../../scripts/cli.js verify "verify the trading dashboard mockup stays mock-only" --project-root . --session trading-demo
+node ../../scripts/cli.js gate status --project-root . --session trading-demo
+```

package/examples/trading-dashboard-mock/case-study/TEAM_HANDOFFS.md

@@ -0,0 +1,49 @@
+# Team Handoffs
+
+## Planner
+
+Decided: Keep the project static and self-contained.
+
+Rejected: Real order placement, authentication, accounts, broker APIs, and deployment.
+
+Risks: Users may mistake the mock for a live trading surface without visible copy.
+
+Files: `index.html`, `src/styles.css`, `src/app.js`, `fixtures/market.json`, `scripts/check.mjs`
+
+Remaining: Verify disabled controls and no outbound wiring.
+
+## Product
+
+Decided: Show the dashboard as an operational mock, not a marketing page.
+
+Rejected: Hero layout, onboarding copy, or real portfolio import.
+
+Risks: Financial UI needs clear demo-only language.
+
+Files: `index.html`, `src/styles.css`
+
+Remaining: Keep the warning visible above the dashboard.
+
+## Security
+
+Decided: No network calls, no secrets, no account tokens, no payment provider, no broker SDK.
+
+Rejected: Any API key, OAuth, webhook, or order endpoint.
+
+Risks: Future edits could add a broker SDK; local test should catch common tokens.
+
+Files: `scripts/check.mjs`
+
+Remaining: Human Gate stays required for financial context.
+
+## Test
+
+Decided: Use a zero-dependency Node check.
+
+Rejected: Browser automation for this small static case study.
+
+Risks: Static regex checks are not a substitute for full product security review.
+
+Files: `scripts/check.mjs`, `fixtures/market.json`
+
+Remaining: Run `npm test`.

package/examples/trading-dashboard-mock/case-study/VERIFY_SUMMARY.md

@@ -0,0 +1,35 @@
+# Verify Summary
+
+## Codex Review
+
+Expected verdict: `approve_with_fixes` or `approve`, depending on local review strictness.
+
+## Risk Policy
+
+Financial work remains gate-sensitive even when the project is mock-only.
+
+```text
+tags=financial,product-ui
+codex_challenge=true
+human_gate=true
+```
+
+## Evidence
+
+```bash
+npm test
+```
+
+Expected output:
+
+```text
+trading-dashboard-mock checks passed
+```
+
+## Boundary Checks
+
+- No `fetch(` usage.
+- No WebSocket usage.
+- No broker SDK tokens.
+- No payment provider tokens.
+- Disabled order controls remain present in HTML.

package/examples/trading-dashboard-mock/case-study/WORK_SUMMARY.md

@@ -0,0 +1,27 @@
+# Work Summary
+
+## Result
+
+Implemented a static trading dashboard mock project.
+
+## Files
+
+- `index.html`
+- `src/styles.css`
+- `src/app.js`
+- `fixtures/market.json`
+- `scripts/check.mjs`
+- `package.json`
+- `README.md`
+
+## Mutation Policy
+
+Single executor only.
+
+## Acceptance Evidence
+
+- Static dashboard shell exists.
+- Canvas chart renders from local mock data.
+- Watchlist renders from mock symbols.
+- Order form controls are disabled.
+- Local test checks for forbidden outbound or real-money wiring.

package/examples/trading-dashboard-mock/fixtures/market.json

@@ -0,0 +1,9 @@
+{
+  "portfolio": [118.2, 119.4, 121.1, 120.3, 122.6, 124.0, 123.2, 125.7, 127.4, 126.9, 129.1, 131.3],
+  "symbols": [
+    { "symbol": "NKO", "name": "Neko Systems", "price": 142.35, "change": 2.41 },
+    { "symbol": "VRFY", "name": "Verify Labs", "price": 88.12, "change": 1.26 },
+    { "symbol": "GATE", "name": "Gatehold Inc.", "price": 54.67, "change": 0.74 },
+    { "symbol": "MOCK", "name": "Mock Market ETF", "price": 203.19, "change": 3.08 }
+  ]
+}