code-warden 3.1.1 → 3.3.1

package/README.md

@@ -1,137 +1,205 @@
-# code-warden
-
-> Portable AI Coding Governance Layer
-
-Code-Warden is a portable governance layer for AI coding agents. It enforces scoped planning, patch discipline, file-size limits, the zero-trust secrets policy, verification evidence, install health, and optional Claude Code pre-tool-use blocking.
-
-## Four Layers
-
-<p align="center">
-  <img src="../logo/layers-diagram.png" alt="Code-Warden Four Layers" width="100%" />
-</p>
-
-| Layer | What it does |
-|-------|-------------|
-| **Skill governance** | Scope Gate, Plan Gate, blast-radius checks, patch-first editing, research gates, drift signals, verification evidence |
-| **Local verification** | `warden-lint`, `verify-secrets`, `get-context` — directory-aware, no external deps |
-| **Installer and health** | Cross-app auto-installer, manifest-backed installs, `--doctor`, `--verify-target`, Windsurf adapter |
-| **Hard enforcement** | Claude Code `PreToolUse` hooks — block oversized writes and hardcoded secrets before the file system is touched |
-
-## Install
-
-```bash
-git clone https://github.com/Kodaxadev/Code-Warden.git
-cd Code-Warden/code-warden
-node install.js
-```
-
-### Installer commands
-
-| Command | Purpose |
-|---------|---------|
-| `node install.js` | Scan, prompt, install to detected apps |
-| `node install.js --all` | Install without prompt |
-| `node install.js --dry-run` | Preview installs, write nothing |
-| `node install.js --list` | Show detected apps and detection method |
-| `node install.js --doctor` | Verify source integrity + per-target install health |
-| `node install.js --target=claude,cursor` | Force specific targets (warns if not detected) |
-| `node install.js --verify-target=claude` | Strict health check — exits nonzero if not installed |
-| `node install.js --hooks=claude` | Install PreToolUse hooks into `~/.claude/settings.json` |
-| `node install.js --uninstall-hooks=claude` | Remove code-warden hook entries from settings |
-
-Supported targets: **Claude Code**, **Cursor**, **Warp**, **OpenAI Codex**, **Windsurf**, **Generic Agents**.
-
-Each install writes a `.code-warden-install.json` manifest (version, target, format, timestamp).
-
-### npm scripts
-
-```bash
-npm run lint            # warden-lint on full project tree
-npm run check-secrets   # verify-secrets on full project tree
-npm run install-auto    # node install.js
-npm run install-dry-run # node install.js --dry-run
-npm run install-list    # node install.js --list
-npm run install-doctor  # node install.js --doctor
-npm run test            # behavioral tests (8 scanner/hook pass/fail cases)
-npm run ci              # lint + secrets + test + doctor
-```
-
-## Usage
-
-Load at the start of any coding session. Trigger phrases:
-
-- `"load code-warden"` / `"load protocol"`
-- `"begin coding"` / `"new session"` / `"governance check"`
-- `"start a new module"` / `"review this before we write"`
-
-The session sequence is enforced before any implementation:
-
-<p align="center">
-  <img src="../logo/session-flow.png" alt="Code-Warden Session Start Sequence" width="100%" />
-</p>
-
-1. Architecture State (Re-injection Rule)
-2. Session Scope (Session Scoping Rule)
-3. Reference Files (Blueprint Rule)
-4. **Scope Gate** — goal, non-goals, files in/out, verify commands, rollback
-5. **Plan Gate** — patch order, blast radius class, post-patch checks
-
-See [`examples/governed-session.md`](examples/governed-session.md) for an annotated example.
-
-## Optional Claude Code Hooks
-
-<p align="center">
-  <img src="../logo/hook-flow.png" alt="Code-Warden Hook Enforcement Flow" width="100%" />
-</p>
-
-Install hard enforcement that runs at the `PreToolUse` level — before writes happen:
-
-```bash
-# Requires Claude Code target to be installed first
-node install.js --hooks=claude
-```
-
-| Hook | Trigger | Policy |
-|------|---------|--------|
-| `warden-lint-hook.js` | `Write` or `Edit` | Blocks if resulting file exceeds line limit |
-| `warden-secrets-hook.js` | `Write` or `Edit` | Hardcoded credential scanner — blocks if content matches any secret pattern |
-
-Both hooks use exec form (`node /path/to/hook.js`) — no shell differences across platforms.
-
-Thresholds are read from `codewarden.json` in the installed skill directory.
-
-```bash
-node install.js --uninstall-hooks=claude  # remove hook entries from settings.json
-```
-
-Doctor and `--verify-target=claude` validate hook script paths when hooks are registered.
-
-## Configuration
-
-All thresholds in [`codewarden.json`](codewarden.json):
-
-| Setting | Default | What it controls |
-|---------|---------|-----------------|
-| `thresholds.max_file_length` | 400 | Lines before `warden-lint.js` flags a file |
-| `thresholds.pre_flight_trigger_lines` | 150 | Lines before a pre-flight manifest is required |
-| `thresholds.human_checkpoint_files` | 2 | Files touched before `[AWAITING CONFIRMATION]` is required |
-| `safety.exempt_from_blast_radius` | `tests/`, `docs/`, `scripts/` | Paths excluded from rollback-plan rule |
-
-See [`CONFIGURE.md`](CONFIGURE.md) for team-size profiles and tuning rationale.
-
-## Reference Files
-
-| File | Domain |
-|------|--------|
-| `references/planning-gates.md` | Scope Gate and Plan Gate contracts |
-| `references/architecture.md` | Blueprint Rule, Re-injection, State Update |
-| `references/safety.md` | Blast Radius, Patch-First, Zero-Trust, Dependency Freeze |
-| `references/cognition.md` | Think Before Coding, Don't Guess Syntax, Human Checkpoint |
-| `references/cleanup.md` | Tech Debt format, Test Contract, Decision Log |
-| `references/anti-drift.md` | Anchor Check, Session Scoping, Drift Trigger Protocol |
-| `references/operations.md` | Verification, source-control hygiene, dependency control |
-| `references/research-and-fit.md` | Live research gate, stack fit, product-shape guardrails |
-
-## Author
-
-Justin Davis — MIT License
+# code-warden
+
+> Portable AI Coding Governance Layer
+
+Code-Warden provides verifiable governance for AI-assisted development.
+It does not just ask agents to follow rules — it adds Scope Gates, Plan Gates,
+local checks, CI enforcement, runtime hooks where supported, and governance
+artifacts that show what was checked before code was accepted.
+
+## Four Layers
+
+<p align="center">
+  <img src="../logo/layers-diagram.png" alt="Code-Warden Four Layers" width="100%" />
+</p>
+
+| Layer | What it does |
+|-------|-------------|
+| **Skill governance** | Scope Gate, Plan Gate, blast-radius checks, patch-first editing, research gates, drift signals, verification evidence |
+| **Local verification** | `warden-lint`, `verify-secrets`, `get-context` — directory-aware, no external deps |
+| **Installer and health** | Cross-app auto-installer, manifest-backed installs, `--doctor`, `--verify-target`, Windsurf adapter |
+| **Hard enforcement** | Claude Code `PreToolUse` hooks — block oversized writes and hardcoded secrets before the file system is touched |
+
+## Governance Evidence
+
+Generate a machine-readable governance report that can be stored in CI, attached to PRs, or used as audit evidence:
+
+```bash
+node tools/governance-report.js .                   # write .code-warden-report.json + summary
+node tools/governance-report.js . --format=json      # JSON to stdout
+node tools/governance-report.js . --format=md        # Markdown to stdout
+```
+
+The report runs all checks in a single pass (file length, secrets, behavioral tests, source integrity) and produces a structured artifact:
+
+```json
+{
+  "tool": "code-warden",
+  "version": "3.2.0",
+  "checks": {
+    "fileLength":      { "status": "pass", "filesScanned": 34, "violations": 0 },
+    "secrets":         { "status": "pass", "filesScanned": 34, "violations": 0 },
+    "behavioralTests": { "status": "pass", "tests": 8, "failures": 0 },
+    "installHealth":   { "status": "pass" }
+  },
+  "result": "pass"
+}
+```
+
+In CI, the Markdown format pipes directly into `$GITHUB_STEP_SUMMARY` for PR-visible evidence:
+
+| Check | Result | Details |
+|-------|--------|---------|
+| File length | PASS | 34 files scanned, 0 violations |
+| Hardcoded credentials | PASS | 34 files scanned, 0 violations |
+| Behavioral tests | PASS | 8 tests, 0 failures |
+| Install health | PASS | All source files present |
+
+See [`templates/ci/github-actions.yml`](templates/ci/github-actions.yml) for the full CI template with artifact upload.
+
+## Install
+
+```bash
+npx code-warden init
+```
+
+Or install globally:
+
+```bash
+npm install -g code-warden
+code-warden init
+```
+
+### CLI commands
+
+| Command | Purpose |
+|---------|---------|
+| `code-warden init` | Install to all detected AI runtimes |
+| `code-warden report` | Generate governance report |
+| `code-warden report --format=md` | Markdown output for PR summaries |
+| `code-warden doctor` | Verify source integrity + install health |
+| `code-warden list` | Show detected runtimes |
+| `code-warden hooks claude` | Install Claude Code PreToolUse hooks |
+| `code-warden hooks codex` | Install Codex PreToolUse hooks (partial) |
+| `code-warden uninstall-hooks claude` | Remove Claude Code hooks |
+| `code-warden uninstall-hooks codex` | Remove Codex hooks |
+
+### Direct installer commands
+
+| Command | Purpose |
+|---------|---------|
+| `node install.js` | Scan, prompt, install to detected apps |
+| `node install.js --all` | Install without prompt |
+| `node install.js --dry-run` | Preview installs, write nothing |
+| `node install.js --list` | Show detected apps and detection method |
+| `node install.js --doctor` | Verify source integrity + per-target install health |
+| `node install.js --target=claude,cursor` | Force specific targets (warns if not detected) |
+| `node install.js --verify-target=claude` | Strict health check — exits nonzero if not installed |
+| `node install.js --hooks=claude` | Install PreToolUse hooks into `~/.claude/settings.json` |
+| `node install.js --uninstall-hooks=claude` | Remove code-warden hook entries from settings |
+
+Supported targets: **Claude Code**, **Cursor**, **Warp**, **OpenAI Codex**, **Windsurf**, **Generic Agents**.
+
+Each install writes a `.code-warden-install.json` manifest (version, target, format, timestamp).
+
+### npm scripts
+
+```bash
+npm run lint            # warden-lint on full project tree
+npm run check-secrets   # verify-secrets on full project tree
+npm run report          # governance report, writes .code-warden-report.json
+npm run report:json     # governance report as JSON to stdout
+npm run report:md       # governance report as Markdown to stdout
+npm run install-auto    # node install.js
+npm run install-dry-run # node install.js --dry-run
+npm run install-list    # node install.js --list
+npm run install-doctor  # node install.js --doctor
+npm run test            # behavioral tests (8 scanner/hook pass/fail cases)
+npm run ci              # lint + secrets + test + doctor
+```
+
+## Usage
+
+Load at the start of any coding session. Trigger phrases:
+
+- `"load code-warden"` / `"load protocol"`
+- `"begin coding"` / `"new session"` / `"governance check"`
+- `"start a new module"` / `"review this before we write"`
+
+The session sequence is enforced before any implementation:
+
+<p align="center">
+  <img src="../logo/session-flow.png" alt="Code-Warden Session Start Sequence" width="100%" />
+</p>
+
+1. Architecture State (Re-injection Rule)
+2. Session Scope (Session Scoping Rule)
+3. Reference Files (Blueprint Rule)
+4. **Scope Gate** — goal, non-goals, files in/out, verify commands, rollback
+5. **Plan Gate** — patch order, blast radius class, post-patch checks
+
+See [`examples/governed-session.md`](examples/governed-session.md) for an annotated example.
+
+## Optional Claude Code Hooks
+
+<p align="center">
+  <img src="../logo/hook-flow.png" alt="Code-Warden Hook Enforcement Flow" width="100%" />
+</p>
+
+Install hard enforcement that runs at the `PreToolUse` level — before writes happen:
+
+```bash
+# Requires Claude Code target to be installed first
+node install.js --hooks=claude
+```
+
+| Hook | Trigger | Policy |
+|------|---------|--------|
+| `warden-lint-hook.js` | `Write` or `Edit` | Blocks if resulting file exceeds line limit |
+| `warden-secrets-hook.js` | `Write` or `Edit` | Hardcoded credential scanner — blocks if content matches any secret pattern |
+
+Both hooks use exec form (`node /path/to/hook.js`) — no shell differences across platforms.
+
+Thresholds are read from `codewarden.json` in the installed skill directory.
+
+```bash
+node install.js --uninstall-hooks=claude  # remove hook entries from settings.json
+```
+
+Doctor and `--verify-target=claude` validate hook script paths when hooks are registered.
+
+## Configuration
+
+All thresholds in [`codewarden.json`](codewarden.json):
+
+| Setting | Default | What it controls |
+|---------|---------|-----------------|
+| `thresholds.max_file_length` | 400 | Lines before `warden-lint.js` flags a file |
+| `thresholds.pre_flight_trigger_lines` | 150 | Lines before a pre-flight manifest is required |
+| `thresholds.human_checkpoint_files` | 2 | Files touched before `[AWAITING CONFIRMATION]` is required |
+| `safety.exempt_from_blast_radius` | `tests/`, `docs/`, `scripts/` | Paths excluded from rollback-plan rule |
+
+See [`CONFIGURE.md`](CONFIGURE.md) for team-size profiles and tuning rationale.
+
+## Reference Files
+
+| File | Domain |
+|------|--------|
+| `references/planning-gates.md` | Scope Gate and Plan Gate contracts |
+| `references/architecture.md` | Blueprint Rule, Re-injection, State Update |
+| `references/safety.md` | Blast Radius, Patch-First, Zero-Trust, Dependency Freeze |
+| `references/cognition.md` | Think Before Coding, Don't Guess Syntax, Human Checkpoint |
+| `references/cleanup.md` | Tech Debt format, Test Contract, Decision Log |
+| `references/anti-drift.md` | Anchor Check, Session Scoping, Drift Trigger Protocol |
+| `references/operations.md` | Verification, source-control hygiene, dependency control |
+| `references/research-and-fit.md` | Live research gate, stack fit, product-shape guardrails |
+
+## Note for contributors
+
+> If testing `npx code-warden` from inside the Code-Warden source checkout,
+> npm may prefer the local package context. Test from a separate directory for
+> the same behavior users will see.
+
+## Author
+
+Justin Davis — MIT License

package/bin/code-warden.js

@@ -0,0 +1,82 @@
+#!/usr/bin/env node
+'use strict';
+
+const { spawnSync } = require('child_process');
+const path          = require('path');
+
+const ROOT = path.join(__dirname, '..');
+
+const COMMANDS = {
+  init:    { desc: 'Install Code-Warden to detected AI runtimes', run: ['install.js', '--all'] },
+  doctor:  { desc: 'Verify source integrity and install health',  run: ['install.js', '--doctor'] },
+  report:  { desc: 'Generate governance report (.code-warden-report.json)', run: ['tools/governance-report.js', '.'] },
+  list:    { desc: 'Show detected AI runtimes',                   run: ['install.js', '--list'] },
+};
+
+const HOOK_TARGETS = ['claude', 'codex'];
+
+function usage() {
+  console.log('Usage: code-warden <command> [options]\n');
+  console.log('Commands:');
+  for (const [name, { desc }] of Object.entries(COMMANDS)) {
+    console.log(`  ${name.padEnd(22)} ${desc}`);
+  }
+  console.log(`  ${'hooks <target>'.padEnd(22)} Install PreToolUse hooks (${HOOK_TARGETS.join(', ')})`);
+  console.log(`  ${'uninstall-hooks <target>'.padEnd(22)} Remove PreToolUse hooks`);
+  console.log(`\nExamples:`);
+  console.log(`  npx code-warden init`);
+  console.log(`  npx code-warden report`);
+  console.log(`  npx code-warden report --format=md`);
+  console.log(`  npx code-warden hooks claude`);
+}
+
+function run(scriptPath, args) {
+  const result = spawnSync(process.execPath, [path.join(ROOT, scriptPath), ...args], {
+    stdio: 'inherit',
+    cwd: process.cwd(),
+  });
+  process.exit(result.status ?? 1);
+}
+
+const args = process.argv.slice(2);
+const command = args[0];
+const rest = args.slice(1);
+
+if (!command || command === '--help' || command === '-h') {
+  usage();
+  process.exit(0);
+}
+
+if (command === '--version' || command === '-v') {
+  const pkg = require(path.join(ROOT, 'package.json'));
+  console.log(pkg.version);
+  process.exit(0);
+}
+
+if (COMMANDS[command]) {
+  const entry = COMMANDS[command];
+  const scriptArgs = [...entry.run.slice(1), ...rest];
+  run(entry.run[0], scriptArgs);
+}
+
+if (command === 'hooks') {
+  const target = rest[0];
+  if (!target || !HOOK_TARGETS.includes(target)) {
+    console.error(`Usage: code-warden hooks <${HOOK_TARGETS.join('|')}>`);
+    process.exit(1);
+  }
+  run('install.js', [`--hooks=${target}`]);
+}
+
+if (command === 'uninstall-hooks') {
+  const target = rest[0];
+  if (!target || !HOOK_TARGETS.includes(target)) {
+    console.error(`Usage: code-warden uninstall-hooks <${HOOK_TARGETS.join('|')}>`);
+    process.exit(1);
+  }
+  run('install.js', [`--uninstall-hooks=${target}`]);
+}
+
+console.error(`Unknown command: ${command}\n`);
+usage();
+process.exit(1);

package/package.json

@@ -1,19 +1,62 @@
-{
-  "name": "code-warden",
-  "version": "3.1.1",
-  "description": "Production-grade AI development governance skill for Codex, Claude Code, and Cowork.",
-  "main": "SKILL.md",
-  "scripts": {
-    "lint": "node tools/warden-lint.js .",
-    "check-secrets": "node tools/verify-secrets.js .",
-    "get-context": "node tools/get-context.js",
-    "install-auto": "node install.js",
-    "install-dry-run": "node install.js --dry-run",
-    "install-list": "node install.js --list",
-    "install-doctor": "node install.js --doctor",
-    "test": "node tools/tests/run-tests.js",
-    "ci": "npm run lint && npm run check-secrets && npm run test && node install.js --doctor"
-  },
-  "author": "Justin Davis",
-  "license": "MIT"
-}
+{
+  "name": "code-warden",
+  "version": "3.3.1",
+  "description": "Verifiable governance for AI-assisted development — checks, hooks, and evidence.",
+  "main": "SKILL.md",
+  "bin": {
+    "code-warden": "bin/code-warden.js"
+  },
+  "files": [
+    "bin/",
+    "tools/",
+    "references/",
+    "templates/",
+    "examples/",
+    "SKILL.md",
+    "CONFIGURE.md",
+    "DECISIONS.md",
+    "README.md",
+    "codewarden.json",
+    "install.js",
+    "install.ps1",
+    "install.sh"
+  ],
+  "scripts": {
+    "lint": "node tools/warden-lint.js .",
+    "check-secrets": "node tools/verify-secrets.js .",
+    "get-context": "node tools/get-context.js",
+    "report": "node tools/governance-report.js .",
+    "report:json": "node tools/governance-report.js . --format=json",
+    "report:md": "node tools/governance-report.js . --format=md",
+    "install-auto": "node install.js",
+    "install-dry-run": "node install.js --dry-run",
+    "install-list": "node install.js --list",
+    "install-doctor": "node install.js --doctor",
+    "test": "node tools/tests/run-tests.js",
+    "ci": "npm run lint && npm run check-secrets && npm run test && node install.js --doctor"
+  },
+  "engines": {
+    "node": ">=18"
+  },
+  "keywords": [
+    "ai",
+    "governance",
+    "claude",
+    "codex",
+    "cursor",
+    "windsurf",
+    "code-review",
+    "linter",
+    "secrets",
+    "ci",
+    "hooks"
+  ],
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/Kodaxadev/Code-Warden.git"
+  },
+  "homepage": "https://github.com/Kodaxadev/Code-Warden",
+  "bugs": "https://github.com/Kodaxadev/Code-Warden/issues",
+  "author": "Justin Davis",
+  "license": "MIT"
+}

package/templates/ci/github-actions.yml

@@ -1,66 +1,83 @@
-# Code-Warden Quality Gate — Project Template
-# https://github.com/Kodaxadev/Code-Warden
-#
-# Copy this file to .github/workflows/code-warden.yml in your project.
-#
-# What it enforces:
-#   - File length limits (warden-lint.js, default 400 lines per codewarden.json)
-#   - Zero-trust secrets (verify-secrets.js, hardcoded-credential patterns)
-#
-# How code-warden is made available in CI (choose one):
-#
-#   Option A — Download from release (recommended, no files to commit)
-#     Set CODE_WARDEN_VERSION below to pin a specific release.
-#     The "Install Code-Warden" step downloads and extracts automatically.
-#
-#   Option B — Commit to your repo
-#     Run: node /path/to/code-warden/install.js --target=claude
-#     Add .claude/skills/code-warden/ to git tracking.
-#     Set CODE_WARDEN_PATH: .claude/skills/code-warden
-#     Remove the "Install Code-Warden" step.
-#
-# Customise thresholds in codewarden.json after install:
-#   max_file_length          (default 400 lines)
-#   pre_flight_trigger_lines (default 150 lines)
-#   human_checkpoint_files   (default 2 files)
-
-name: Code-Warden Quality Gate
-
-on:
-  push:
-    branches: [main, master]
-  pull_request:
-    branches: [main, master]
-
-env:
-  CODE_WARDEN_VERSION: v3.1.0
-  CODE_WARDEN_PATH: .code-warden-ci
-  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
-
-jobs:
-  code-warden:
-    name: Code-Warden Quality Gate
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-
-      - name: Setup Node.js
-        uses: actions/setup-node@v4
-        with:
-          node-version: '24'
-
-      # Option A: download from GitHub release (remove if using Option B)
-      - name: Install Code-Warden
-        run: |
-          curl -fsSL -o cw.zip \
-            "https://github.com/Kodaxadev/Code-Warden/releases/download/${{ env.CODE_WARDEN_VERSION }}/code-warden-${{ env.CODE_WARDEN_VERSION }}.zip"
-          mkdir -p ${{ env.CODE_WARDEN_PATH }}
-          unzip -q cw.zip -d ${{ env.CODE_WARDEN_PATH }}
-
-      - name: Lint — enforce file length limits
-        run: node ${{ env.CODE_WARDEN_PATH }}/tools/warden-lint.js .
-
-      - name: Secrets — zero-trust scan
-        run: node ${{ env.CODE_WARDEN_PATH }}/tools/verify-secrets.js .
+# Code-Warden Quality Gate — Project Template
+# https://github.com/Kodaxadev/Code-Warden
+#
+# Copy this file to .github/workflows/code-warden.yml in your project.
+#
+# What it enforces:
+#   - File length limits (default 400 lines per codewarden.json)
+#   - Zero-trust secrets (hardcoded-credential patterns)
+#   - Behavioral tests (scanner and hook pass/fail verification)
+#   - Source integrity (required files present)
+#
+# What it produces:
+#   - .code-warden-report.json — machine-readable governance artifact
+#   - Markdown summary on the workflow run / PR (via GITHUB_STEP_SUMMARY)
+#   - Uploaded artifact for audit trail (90-day retention)
+#
+# How code-warden is made available in CI (choose one):
+#
+#   Option A — Download from release (recommended, no files to commit)
+#     Set CODE_WARDEN_VERSION below to pin a specific release.
+#     The "Install Code-Warden" step downloads and extracts automatically.
+#
+#   Option B — Commit to your repo
+#     Run: node /path/to/code-warden/install.js --target=claude
+#     Add .claude/skills/code-warden/ to git tracking.
+#     Set CODE_WARDEN_PATH: .claude/skills/code-warden
+#     Remove the "Install Code-Warden" step.
+#
+# Customise thresholds in codewarden.json after install:
+#   max_file_length          (default 400 lines)
+#   pre_flight_trigger_lines (default 150 lines)
+#   human_checkpoint_files   (default 2 files)
+
+name: Code-Warden Quality Gate
+
+on:
+  push:
+    branches: [main, master]
+  pull_request:
+    branches: [main, master]
+
+env:
+  CODE_WARDEN_VERSION: v3.2.0
+  CODE_WARDEN_PATH: .code-warden-ci
+  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
+
+jobs:
+  code-warden:
+    name: Code-Warden Quality Gate
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '24'
+
+      # Option A: download from GitHub release (remove if using Option B)
+      - name: Install Code-Warden
+        run: |
+          curl -fsSL -o cw.zip \
+            "https://github.com/Kodaxadev/Code-Warden/releases/download/${{ env.CODE_WARDEN_VERSION }}/code-warden-${{ env.CODE_WARDEN_VERSION }}.zip"
+          mkdir -p ${{ env.CODE_WARDEN_PATH }}
+          unzip -q cw.zip -d ${{ env.CODE_WARDEN_PATH }}
+
+      - name: Governance report
+        run: node ${{ env.CODE_WARDEN_PATH }}/tools/governance-report.js .
+
+      - name: Publish governance summary
+        if: always()
+        run: node ${{ env.CODE_WARDEN_PATH }}/tools/governance-report.js . --format=md >> $GITHUB_STEP_SUMMARY
+
+      - name: Upload governance artifact
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: code-warden-report
+          path: .code-warden-report.json
+          if-no-files-found: ignore
+          retention-days: 90

package/tools/governance-report.js

@@ -0,0 +1,302 @@
+#!/usr/bin/env node
+'use strict';
+
+const fs            = require('fs');
+const path          = require('path');
+const os            = require('os');
+const { spawnSync } = require('child_process');
+const { countLines }     = require('./lib/line-count');
+const { collectFiles }   = require('./lib/file-collection');
+const { scanForSecrets } = require('./lib/secret-patterns');
+const { loadConfig }     = require('./lib/config');
+
+const ROOT    = path.join(__dirname, '..');
+const PKG     = JSON.parse(fs.readFileSync(path.join(ROOT, 'package.json'), 'utf8'));
+const VERSION = PKG.version;
+
+// ---------------------------------------------------------------------------
+// CLI
+// ---------------------------------------------------------------------------
+
+function parseArgs(argv) {
+  const args = argv.slice(2);
+  const formatArg = args.find(a => a.startsWith('--format='));
+  const format = formatArg ? formatArg.split('=')[1] : null;
+  const scanPath = args.find(a => !a.startsWith('--')) || '.';
+  return { format, scanPath };
+}
+
+// ---------------------------------------------------------------------------
+// Git metadata
+// ---------------------------------------------------------------------------
+
+function gitInfo() {
+  const run = (gitArgs) => {
+    const r = spawnSync('git', gitArgs, { encoding: 'utf8', timeout: 5000 });
+    return r.status === 0 ? r.stdout.trim() : null;
+  };
+  return {
+    branch: run(['rev-parse', '--abbrev-ref', 'HEAD']),
+    commit: run(['rev-parse', '--short', 'HEAD']),
+  };
+}
+
+// ---------------------------------------------------------------------------
+// File length + secrets (single pass over all files)
+// ---------------------------------------------------------------------------
+
+function runScans(scanPath) {
+  const { maxFileLength } = loadConfig();
+  const resolved = path.resolve(scanPath);
+
+  if (!fs.existsSync(resolved)) {
+    console.error(`[CodeWarden] Error: scan path not found: ${scanPath}`);
+    process.exit(1);
+  }
+
+  const files = [];
+  if (fs.statSync(resolved).isDirectory()) {
+    collectFiles(resolved, files);
+  } else {
+    files.push(resolved);
+  }
+
+  const lengthViolations = [];
+  const secretViolations = [];
+
+  for (const f of files) {
+    let content;
+    try { content = fs.readFileSync(f, 'utf8'); } catch { continue; }
+
+    const rel = path.relative(resolved, f);
+
+    const lineCount = countLines(content);
+    if (lineCount > maxFileLength) {
+      lengthViolations.push({ file: rel, lines: lineCount, limit: maxFileLength });
+    }
+
+    const hit = scanForSecrets(content);
+    if (hit) {
+      secretViolations.push({ file: rel, pattern: hit.label });
+    }
+  }
+
+  return {
+    fileLength: {
+      status: lengthViolations.length === 0 ? 'pass' : 'fail',
+      filesScanned: files.length,
+      violations: lengthViolations.length,
+      details: lengthViolations.length > 0 ? lengthViolations : undefined,
+    },
+    secrets: {
+      status: secretViolations.length === 0 ? 'pass' : 'fail',
+      filesScanned: files.length,
+      violations: secretViolations.length,
+      details: secretViolations.length > 0 ? secretViolations : undefined,
+    },
+  };
+}
+
+// ---------------------------------------------------------------------------
+// Behavioral tests
+// ---------------------------------------------------------------------------
+
+function checkTests() {
+  const testScript = path.join(__dirname, 'tests', 'run-tests.js');
+  if (!fs.existsSync(testScript)) {
+    return { status: 'skip', tests: 0, failures: 0 };
+  }
+
+  const r = spawnSync(process.execPath, [testScript], {
+    encoding: 'utf8',
+    timeout: 30000,
+    cwd: ROOT,
+  });
+
+  const out = (r.stdout || '') + (r.stderr || '');
+  const passMatch = out.match(/pass\s+(\d+)/);
+  const failMatch = out.match(/fail\s+(\d+)/);
+
+  let passed, failed;
+  if (passMatch || failMatch) {
+    passed = parseInt(passMatch?.[1] || '0', 10);
+    failed = parseInt(failMatch?.[1] || '0', 10);
+  } else {
+    passed = (out.match(/^(?:ok \d+|✔)/gm) || []).length;
+    failed = (out.match(/^(?:not ok \d+|✖)/gm) || []).length;
+  }
+
+  return {
+    status: r.status === 0 ? 'pass' : 'fail',
+    tests: passed + failed,
+    failures: failed,
+  };
+}
+
+// ---------------------------------------------------------------------------
+// Source integrity
+// ---------------------------------------------------------------------------
+
+function checkInstallHealth() {
+  const required = [
+    'SKILL.md',
+    'references',
+    'tools/warden-lint.js',
+    'tools/verify-secrets.js',
+    'tools/get-context.js',
+  ];
+  const missing = required.filter(f => !fs.existsSync(path.join(ROOT, f)));
+  return {
+    status: missing.length === 0 ? 'pass' : 'fail',
+    missing: missing.length > 0 ? missing : undefined,
+  };
+}
+
+// ---------------------------------------------------------------------------
+// Runtime hook detection
+// ---------------------------------------------------------------------------
+
+function checkRuntimeHooks() {
+  const home = os.homedir();
+  const result = {};
+
+  const claudeSettings = path.join(home, '.claude', 'settings.json');
+  if (fs.existsSync(claudeSettings)) {
+    try {
+      const s = JSON.parse(fs.readFileSync(claudeSettings, 'utf8'));
+      const hooks = (s?.hooks?.PreToolUse || [])
+        .flatMap(m => m.hooks || [])
+        .filter(h => String(h.description || '').startsWith('code-warden:'));
+      if (hooks.length > 0) {
+        const valid = hooks.every(h => h.args?.[0] && fs.existsSync(h.args[0]));
+        result.claude = valid ? 'registered' : 'registered_broken';
+      } else {
+        result.claude = 'not_registered';
+      }
+    } catch { result.claude = 'error'; }
+  } else {
+    result.claude = 'not_configured';
+  }
+
+  const codexHooksPath = path.join(home, '.codex', 'hooks.json');
+  if (fs.existsSync(codexHooksPath)) {
+    try {
+      const h = JSON.parse(fs.readFileSync(codexHooksPath, 'utf8'));
+      const cw = (h?.PreToolUse || [])
+        .filter(e => String(e.description || '').startsWith('code-warden:'));
+      if (cw.length > 0) {
+        const valid = cw.every(e => e.args?.[0] && fs.existsSync(e.args[0]));
+        result.codex = valid ? 'registered' : 'registered_broken';
+      } else {
+        result.codex = 'not_registered';
+      }
+    } catch { result.codex = 'error'; }
+  } else {
+    result.codex = 'not_configured';
+  }
+
+  return result;
+}
+
+// ---------------------------------------------------------------------------
+// Report assembly
+// ---------------------------------------------------------------------------
+
+function generateReport(scanPath) {
+  const repo = gitInfo();
+  const { fileLength, secrets } = runScans(scanPath);
+  const behavioralTests = checkTests();
+  const installHealth = checkInstallHealth();
+  const runtimeHooks = checkRuntimeHooks();
+
+  const checks = { fileLength, secrets, behavioralTests, installHealth };
+  const result = Object.values(checks).every(c => c.status === 'pass' || c.status === 'skip')
+    ? 'pass' : 'fail';
+
+  return {
+    tool: 'code-warden',
+    version: VERSION,
+    timestamp: new Date().toISOString(),
+    repository: { branch: repo.branch, commit: repo.commit },
+    checks,
+    governance: {
+      scopeGate: 'session_only',
+      planGate: 'session_only',
+      runtimeHooks,
+    },
+    result,
+  };
+}
+
+// ---------------------------------------------------------------------------
+// Markdown formatter
+// ---------------------------------------------------------------------------
+
+function formatMarkdown(report) {
+  const badge = s => s === 'pass' ? 'PASS' : s === 'skip' ? 'SKIP' : 'FAIL';
+  const hookLabel = (id) => {
+    const s = report.governance.runtimeHooks[id];
+    if (s === 'registered') return 'verified';
+    if (s === 'registered_broken') return 'broken';
+    if (s === 'not_registered') return 'none';
+    return 'n/a';
+  };
+
+  const healthDetail = report.checks.installHealth.missing
+    ? 'Missing: ' + report.checks.installHealth.missing.join(', ')
+    : 'All source files present';
+
+  const lines = [
+    '## Code-Warden Governance Report',
+    '',
+    '| Check | Result | Details |',
+    '|-------|--------|---------|',
+    `| File length | ${badge(report.checks.fileLength.status)} | ${report.checks.fileLength.filesScanned} files scanned, ${report.checks.fileLength.violations} violations |`,
+    `| Hardcoded credentials | ${badge(report.checks.secrets.status)} | ${report.checks.secrets.filesScanned} files scanned, ${report.checks.secrets.violations} violations |`,
+    `| Behavioral tests | ${badge(report.checks.behavioralTests.status)} | ${report.checks.behavioralTests.tests} tests, ${report.checks.behavioralTests.failures} failures |`,
+    `| Install health | ${badge(report.checks.installHealth.status)} | ${healthDetail} |`,
+    `| Runtime hooks | — | Claude: ${hookLabel('claude')} / Codex: ${hookLabel('codex')} |`,
+    '',
+    `**Result:** ${report.result === 'pass' ? 'All governed checks passed.' : 'One or more checks failed.'}`,
+    '',
+    `> Generated by Code-Warden v${report.version} at ${report.timestamp}`,
+  ];
+
+  return lines.join('\n');
+}
+
+// ---------------------------------------------------------------------------
+// One-line summary (default mode stdout)
+// ---------------------------------------------------------------------------
+
+function formatSummary(report) {
+  const c = report.checks;
+  const parts = [
+    `lint:${c.fileLength.status}`,
+    `secrets:${c.secrets.status}`,
+    `tests:${c.behavioralTests.status}`,
+    `health:${c.installHealth.status}`,
+  ];
+  return `[CodeWarden] Governance report: ${report.result.toUpperCase()} (${parts.join(', ')})`;
+}
+
+// ---------------------------------------------------------------------------
+// Main
+// ---------------------------------------------------------------------------
+
+const { format, scanPath } = parseArgs(process.argv);
+const report = generateReport(scanPath);
+
+if (format === 'md') {
+  console.log(formatMarkdown(report));
+} else if (format === 'json') {
+  console.log(JSON.stringify(report, null, 2));
+} else {
+  const json = JSON.stringify(report, null, 2);
+  const outPath = path.resolve('.code-warden-report.json');
+  fs.writeFileSync(outPath, json, 'utf8');
+  console.log(formatSummary(report));
+  console.log(`[CodeWarden] Report written to ${outPath}`);
+}
+
+process.exit(report.result === 'pass' ? 0 : 1);

package/tools/lib/file-collection.js

@@ -1,72 +1,75 @@
-#!/usr/bin/env node
-'use strict';
-
-/**
- * file-collection.js
- * Shared file traversal helpers for warden-lint and verify-secrets CLI tools.
- *
- * Previously each CLI tool duplicated identical SKIP_DIRS, SKIP_EXTS,
- * collectFiles, and expandPaths logic — any change had to be made twice.
- */
-
-const fs   = require('fs');
-const path = require('path');
-
-const SKIP_DIRS = new Set(['node_modules', '.git', 'target', 'dist', '.next']);
-
-const SKIP_EXTS = new Set([
-  '.png', '.jpg', '.jpeg', '.gif', '.bmp', '.ico', '.svg', '.webp',
-  '.zip', '.tar', '.gz', '.7z', '.rar',
-  '.dll', '.exe', '.bin', '.so', '.dylib',
-  '.pdf', '.woff', '.woff2', '.ttf', '.eot', '.otf',
-  '.mp4', '.mp3', '.wav', '.ogg', '.avi', '.mov',
-  '.map', '.lock',
-]);
-
-/**
- * Recursively collect all scannable files under a directory.
- *
- * @param {string} dir
- * @param {string[]} results - accumulator (mutated)
- */
-function collectFiles(dir, results) {
-  for (const entry of fs.readdirSync(dir)) {
-    if (SKIP_DIRS.has(entry)) continue;
-    const full = path.join(dir, entry);
-    const stat = fs.statSync(full);
-    if (stat.isDirectory()) {
-      collectFiles(full, results);
-    } else if (!SKIP_EXTS.has(path.extname(entry).toLowerCase())) {
-      results.push(full);
-    }
-  }
-}
-
-/**
- * Expand a list of CLI path arguments into a flat array of file paths.
- * Directories are walked recursively; individual files are included as-is.
- * Exits with usage error if no args provided or a path is not found.
- *
- * @param {string[]} args - process.argv slice
- * @param {string} toolName - used in the usage message
- * @returns {string[]}
- */
-function expandPaths(args, toolName) {
-  if (args.length === 0) {
-    console.log(`Usage: ${toolName} <file|dir> [file|dir] ...`);
-    console.log(`       node tools/${toolName} .           # scan entire project`);
-    process.exit(1);
-  }
-  const files = [];
-  for (const arg of args) {
-    if (!fs.existsSync(arg)) {
-      console.error(`Error: path not found: ${arg}`);
-      continue;
-    }
-    if (fs.statSync(arg).isDirectory()) collectFiles(arg, files);
-    else files.push(arg);
-  }
-  return files;
-}
-
-module.exports = { collectFiles, expandPaths, SKIP_DIRS, SKIP_EXTS };
+#!/usr/bin/env node
+'use strict';
+
+/**
+ * file-collection.js
+ * Shared file traversal helpers for warden-lint and verify-secrets CLI tools.
+ *
+ * Previously each CLI tool duplicated identical SKIP_DIRS, SKIP_EXTS,
+ * collectFiles, and expandPaths logic — any change had to be made twice.
+ */
+
+const fs   = require('fs');
+const path = require('path');
+
+const SKIP_DIRS = new Set(['node_modules', '.git', 'target', 'dist', '.next']);
+
+const SKIP_EXTS = new Set([
+  '.png', '.jpg', '.jpeg', '.gif', '.bmp', '.ico', '.svg', '.webp',
+  '.zip', '.tar', '.gz', '.7z', '.rar',
+  '.dll', '.exe', '.bin', '.so', '.dylib',
+  '.pdf', '.woff', '.woff2', '.ttf', '.eot', '.otf',
+  '.mp4', '.mp3', '.wav', '.ogg', '.avi', '.mov',
+  '.map', '.lock',
+]);
+
+/**
+ * Recursively collect all scannable files under a directory.
+ *
+ * @param {string} dir
+ * @param {string[]} results - accumulator (mutated)
+ */
+function collectFiles(dir, results) {
+  let entries;
+  try { entries = fs.readdirSync(dir); } catch { return; }
+  for (const entry of entries) {
+    if (SKIP_DIRS.has(entry)) continue;
+    const full = path.join(dir, entry);
+    let stat;
+    try { stat = fs.statSync(full); } catch { continue; }
+    if (stat.isDirectory()) {
+      collectFiles(full, results);
+    } else if (!SKIP_EXTS.has(path.extname(entry).toLowerCase())) {
+      results.push(full);
+    }
+  }
+}
+
+/**
+ * Expand a list of CLI path arguments into a flat array of file paths.
+ * Directories are walked recursively; individual files are included as-is.
+ * Exits with usage error if no args provided or a path is not found.
+ *
+ * @param {string[]} args - process.argv slice
+ * @param {string} toolName - used in the usage message
+ * @returns {string[]}
+ */
+function expandPaths(args, toolName) {
+  if (args.length === 0) {
+    console.log(`Usage: ${toolName} <file|dir> [file|dir] ...`);
+    console.log(`       node tools/${toolName} .           # scan entire project`);
+    process.exit(1);
+  }
+  const files = [];
+  for (const arg of args) {
+    if (!fs.existsSync(arg)) {
+      console.error(`Error: path not found: ${arg}`);
+      continue;
+    }
+    if (fs.statSync(arg).isDirectory()) collectFiles(arg, files);
+    else files.push(arg);
+  }
+  return files;
+}
+
+module.exports = { collectFiles, expandPaths, SKIP_DIRS, SKIP_EXTS };