yadflow 1.0.1

package/skills/sdlc-checks/references/check-gates.md

@@ -0,0 +1,168 @@
+# Check gates — definitions, scripts, CI wiring, convention map
+
+The gates are the production-safety core of the build half (Phase 3 build plan §C). They are
+deliberately small, separate, and CI-agnostic: plain bash in `checks/`, invoked by whatever CI the
+repo uses. Each reads conventions established by earlier steps — it invents nothing.
+
+## What each gate reads (the convention map)
+
+| Gate | Reads | Source step |
+|------|-------|-------------|
+| spec-link | the `Task: <story>-<task>` commit trailer; `specs/<story>/link.md` | `sdlc-implement` (trailer), `sdlc-spec` (link.md) |
+| contract-check | changed files under `specs/<story>/contracts/`; the `Contract-Change: yes` trailer; `link.md`'s pinned `contract-lock`; the product repo's `contract-lock.json` | `sdlc-author-architecture` (lock), `sdlc-spec` (slice + link), `sdlc-implement` (trailer) |
+| build/test/lint | the repo's `npm run lint` / `npm run build` / `npm test` | the repo |
+| verified-commits | each commit's platform signature-verification status; the author email vs `.sdlc/verified-authors` | hub roster `email` fields (`sdlc check --fix` generates the allowlist) |
+
+## 1. spec-link (`templates/checks/spec-link.sh`)
+
+- Collects the `Task:` trailers across `<base>..HEAD`.
+- **FAIL** if there is no `Task:` trailer (the change does not link a story/spec).
+- For each `Task: <story>-<task>`, strips the `-T<NN>` suffix to get `<story>` and requires
+  `specs/<story>/link.md` to exist. **FAIL** if missing.
+- Portable across bash 3.2 (macOS) and 4+ (no `mapfile`).
+- **Fails closed** when `<base>` can't be resolved (so a shallow clone / wrong base never PASSes blind).
+
+## 2. contract-check (`templates/checks/contract-check.sh`)
+
+- **Fails closed** if `<base>` can't be resolved — an undiffable range must never report "no surface
+  change" and silently green-light a bypass.
+- Computes the changed files in `<base>..HEAD`.
+- If **nothing** under `specs/*/contracts/**` changed → **PASS** (normal implementation only *consumes*
+  the contract).
+- If the surface slice changed:
+  - Require a `Contract-Change: yes` trailer. **FAIL** (route back to the architecture gate) if absent.
+  - Best-effort fidelity: when the product repo is reachable (via `link.md`'s `product-repo` path),
+    require `link.md`'s pinned `contract-lock` hash to match the product repo's current
+    `contract-lock.json`. A claimed change that still pins the **old** lock **FAILS** — re-run
+    `sdlc-spec` so the slice matches the re-locked contract.
+- This enforces the Phase 2 rule: the shared surface is owned upstream and is never widened from inside
+  a code repo. The hash recipe is in `../sdlc-author-architecture/references/contract-format.md`.
+
+## 3. build/test/lint (`templates/checks/build-test-lint.sh`)
+
+- Runs `npm run lint`, `npm run build`, `npm test` in order; any non-zero exit fails the gate.
+- Tests must actually exercise behavior (build plan §C) — an empty or trivially-passing suite does not
+  satisfy the gate's intent.
+
+### Canonical `package.json` scripts (Node demo)
+
+```json
+{
+  "scripts": {
+    "lint": "find src -name '*.js' -print0 | xargs -0 -n1 node --check",
+    "build": "true",
+    "test": "node --test"
+  }
+}
+```
+
+`node --check` is a real syntax lint with no extra dependency; `node --test` is Node 20+'s built-in
+runner. Real repos substitute their own eslint/tsc/jest — the gate only calls the scripts.
+
+## 4. verified-commits (`templates/checks/verified-commits.sh`)
+
+No unverified commits from unverified users reach merge — on the product hub and on every connected
+repo. For each commit in `<base>..HEAD`, two independent checks:
+
+- **Verified signature** — the platform must mark the commit's signature verified (the GitHub/GitLab
+  "Verified" badge: signed with a GPG/SSH key registered to the account owning the author email).
+  Read via `gh api repos/{owner}/{repo}/commits/<sha>` (GitHub) or the commits/signature API (GitLab).
+- **Known author** — the commit's **author email** must appear in `.sdlc/verified-authors`, generated
+  by `sdlc check --fix` from the hub roster's `email`/`emails` fields plus hub.json's
+  `verified_authors` list (edit hub.json, never the generated file). Only the author is checked:
+  platform-generated merge/squash commits set the platform as committer, and their integrity is
+  covered by the signature check.
+
+Degradation is explicit, never silent: a missing allowlist SKIPs the author check with a warning
+(configure roster emails, re-wire); no GitHub/GitLab remote SKIPs the signature check (the badge is a
+platform concept — this keeps local runs and tests meaningful); an unreachable platform API **fails
+closed** with guidance. GitLab CI needs a `GITLAB_TOKEN`/`SDLC_API_TOKEN` variable with `read_api` —
+`CI_JOB_TOKEN` cannot read the signature API.
+
+Note the deliberate split with the gate-sync bot: this gate runs on **PRs/MRs only**, so the
+`sdlc-gate-sync` ledger commits (pushed directly to the default branch, unsigned, bot-authored) are
+not subject to it. Do **not** replace it with a platform-level "reject unsigned pushes" rule on the
+default branch — that would break the event-driven gate sync (and GitLab push rules are Premium-only).
+
+## CI wiring (both platforms)
+
+The gates run identically under either CI; the config just invokes the scripts with the PR/MR base.
+
+- **GitHub Actions** — `templates/github/sdlc-checks.yml` → `.github/workflows/sdlc-checks.yml`. The
+  jobs run on `pull_request` with `fetch-depth: 0`, passing `origin/${{ github.base_ref }}` as base
+  (verified-commits also gets a read-only `GH_TOKEN` for the Verified-badge lookup).
+- **GitLab CI** — `templates/gitlab/sdlc-checks.gitlab-ci.yml` → `.gitlab/ci/sdlc-checks.yml`, pulled in
+  by the root `.gitlab-ci.yml`'s `include:`. The jobs run on `merge_request_event` with `GIT_DEPTH: 0`,
+  passing `origin/$CI_MERGE_REQUEST_TARGET_BRANCH_NAME`.
+
+## Sync with existing CI (merge, never clobber)
+
+`wire` is **additive**: it brings the SDLC gates into a repo that may already have CI, without ever
+editing a foreign CI file. The principle is "own a separate file; touch the foreign root only to add a
+one-line include".
+
+**GitHub.** Every workflow file runs independently, so the gates simply live in their own
+`sdlc-checks.yml`, identified by the first-line marker `# sdlc-managed: sdlc-checks`.
+- No file at our path → copy the template verbatim.
+- Our marked file already there → refresh it (no-op if identical).
+- A **foreign** workflow occupies the name → install as `sdlc-checks.gen.yml` instead and make the
+  display `name:` unique. We never merge jobs into, or edit, a foreign workflow.
+
+**GitLab.** Only one root `.gitlab-ci.yml` may exist, so the gates live in an **includable** fragment
+`.gitlab/ci/sdlc-checks.yml` (marker `# sdlc-managed-include: sdlc-checks`). Its jobs declare `needs: []`
+and **no `stage:`**, so they run in the default stage and a foreign root's `stages:` list can neither
+break nor reorder them; job names are `sdlc-`prefixed to avoid collisions.
+- No root `.gitlab-ci.yml` → write a minimal root (`gitlab-ci.include-root.yml`) that only `include:`s
+  the fragment.
+- Root exists → read its top-level `include:`; add the key if absent, append
+  `- local: '.gitlab/ci/sdlc-checks.yml'` if missing, no-op if already present. **Nothing else** in the
+  root is touched.
+- Root YAML cannot be parsed safely → **STOP** and print the include snippet for the human to paste.
+
+**package.json.** Only ADD a missing `lint`/`build`/`test` script; an existing one is never overwritten.
+
+**Idempotent.** The two markers plus the include-entry check make a re-run a no-op. This is how a repo
+that already had its own pipeline keeps it and still gains the gates.
+
+## Wiring the hub (`repo: hub`)
+
+The product hub is itself a repo on a platform (recorded in `.sdlc/hub.json` by
+`sdlc-connect-repos action: detect-hub`). `wire repo: hub` targets `{project-root}` and uses the same
+merge-not-clobber logic, with a **hub-flavored gate set** appropriate to a "thinking" repo (it has no
+`specs/` or `package.json` build):
+- **owner-set** — every `epic.md` (and forward artifact) under `epics/EP-*/` carries an `owner`.
+- **contract-locked** — where an epic has a `contract.md`, its surface hash matches
+  `.sdlc/contract-lock.json` (reuse the recipe in
+  `../sdlc-author-architecture/references/contract-format.md`).
+- **approvals-present** — an epic at `ready-for-build` has the approvals its gate rule requires recorded
+  in `.sdlc/approvals.json` (the same predicate `sdlc-review-gate` enforces).
+
+These are advisory checks on the hub's own PRs (the front-half review PRs the bridge opens); they keep
+the hub's artifacts internally consistent. The hub never runs the code-repo `spec-link`/`build-test-lint`
+gates. Author the hub gate scripts under the hub's `checks/` following the same CI-agnostic-bash pattern.
+
+The hub **does** run the verified-commits gate — `sdlc check --fix` installs `checks/verified-commits.sh`
+plus a standalone workflow (`templates/github/sdlc-verified-commits.yml` →
+`.github/workflows/sdlc-verified-commits.yml`, or the GitLab fragment
+`templates/gitlab/sdlc-verified-commits.gitlab-ci.yml` → `.gitlab/ci/sdlc-verified-commits.yml` +
+its one include line) whenever `.sdlc/hub.json` has a platform with the bridge enabled. So the
+front-half review PRs are held to the same rule as code-repo PRs: signed, known authors only.
+
+## Running by hand (Phase 3 is manual)
+
+From inside the code repo, against the PR/MR base (e.g. `master`):
+
+```bash
+bash checks/spec-link.sh master
+bash checks/contract-check.sh master
+bash checks/build-test-lint.sh
+bash checks/verified-commits.sh master   # uses your own gh/glab auth for the signature lookup
+```
+
+## Proven behavior (demo: `demo-repos/backend`, story EP-istifta-inquiries-S01)
+
+- **Good PR** (task branch with a `Task:` trailer, no surface change, passing tests) → all three **PASS**.
+- **Bad PR A** (a code change committed with **no** `Task:` trailer) → spec-link **FAILS**.
+- **Bad PR B** (edits `specs/.../contracts/inquiries.md` to widen the surface, with a `Task:` trailer
+  but **no** `Contract-Change`) → spec-link passes, contract-check **FAILS** and routes back to the
+  architecture gate.

package/skills/sdlc-checks/templates/checks/build-test-lint.sh

@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+# build / test / lint gate (Phase 3 build plan §C).
+# Standard quality stage: lint, build, and tests that actually exercise behavior (not just pass).
+# Delegates to the repo's npm scripts so each repo owns the specifics.
+set -euo pipefail
+
+echo "[build/test/lint] lint…"
+npm run --silent lint
+echo "[build/test/lint] build…"
+npm run --silent build
+echo "[build/test/lint] test…"
+npm run --silent test
+
+echo "PASS [build/test/lint]: lint, build, and tests all green."

package/skills/sdlc-checks/templates/checks/contract-check.sh

@@ -0,0 +1,62 @@
+#!/usr/bin/env bash
+# contract-check gate (Phase 3 build plan §C; contract representation from Phase 2).
+# The contract surface is singular and owned upstream (the product repo's locked contract.md).
+# A code repo carries its quoted slice under specs/<story>/contracts/. If the diff changes that
+# slice (i.e. tries to move the shared surface from inside a code repo), it MUST carry a
+# `Contract-Change: yes` trailer AND the contract must have been updated/re-locked upstream first
+# (link.md's pinned hash must match the product lock). Otherwise FAIL and route back to the
+# architecture gate. Normal implementation that only CONSUMES the contract passes untouched.
+set -euo pipefail
+
+BASE="${1:-${SDLC_BASE:-origin/main}}"
+
+# Fail CLOSED if the base ref can't be resolved (shallow clone / wrong base branch / unfetched ref).
+# Never let an undiffable range silently report "no surface change" — that would green-light a bypass.
+if ! git rev-parse --verify --quiet "${BASE}^{commit}" >/dev/null; then
+  echo "FAIL [contract-check]: base ref '${BASE}' not found — fetch full history / check the base branch."
+  exit 1
+fi
+RANGE="${BASE}..HEAD"
+
+changed="$(git diff --name-only "$RANGE")"
+surface="$(printf '%s\n' "$changed" | grep -E '^specs/[^/]+/contracts/' || true)"
+
+if [ -z "$surface" ]; then
+  echo "PASS [contract-check]: diff does not touch the contract surface (specs/*/contracts/**)."
+  exit 0
+fi
+
+echo "note [contract-check]: diff touches the contract surface:"
+printf '%s\n' "$surface" | sed 's/^/  /'
+
+cc="$(git log "$RANGE" --format='%(trailers:key=Contract-Change,valueonly)' | sed '/^$/d' | tr 'A-Z' 'a-z')"
+if ! printf '%s\n' "$cc" | grep -qx 'yes'; then
+  echo "FAIL [contract-check]: contract surface changed without a 'Contract-Change: yes' trailer."
+  echo "  -> Route back to the architecture gate: update + re-lock contract.md in the product repo,"
+  echo "     re-run sdlc-spec, then implement with Contract-Change: yes. The surface is never widened"
+  echo "     from inside a code repo."
+  exit 1
+fi
+
+# Fidelity check (best-effort): when the product repo is reachable, the story's link.md must pin the
+# CURRENT product lock — proof the contract was actually updated/re-locked upstream, not just flagged.
+story="$(printf '%s\n' "$surface" | head -1 | sed -E 's#^specs/([^/]+)/contracts/.*#\1#')"
+link="specs/${story}/link.md"
+if [ -f "$link" ]; then
+  product_rel="$(sed -nE 's/^product-repo:[[:space:]]*(.*)$/\1/p' "$link" | head -1)"
+  pinned="$(sed -nE 's/^contract-lock:[[:space:]]*sha256:([0-9a-f]+).*$/\1/p' "$link" | head -1)"
+  epic="$(printf '%s' "$story" | sed -E 's/-S[0-9]+$//')"   # story EP-<slug>-S0N -> epic EP-<slug>
+  lock="${product_rel}/epics/${epic}/.sdlc/contract-lock.json"
+  if [ -n "$product_rel" ] && [ -f "$lock" ]; then
+    current="$(sed -nE 's/.*"hash":[[:space:]]*"sha256:([0-9a-f]+)".*/\1/p' "$lock" | head -1)"
+    if [ -n "$current" ] && [ "$current" != "$pinned" ]; then
+      echo "FAIL [contract-check]: Contract-Change claimed, but ${link} still pins ${pinned:0:12}…"
+      echo "  while the product lock is ${current:0:12}… — re-run sdlc-spec so the slice matches the re-locked contract."
+      exit 1
+    fi
+    echo "note [contract-check]: link.md hash matches the product lock (${current:0:12}…)."
+  fi
+fi
+
+echo "PASS [contract-check]: surface change accompanied by Contract-Change: yes (and an updated contract)."
+exit 0

package/skills/sdlc-checks/templates/checks/spec-link.sh

@@ -0,0 +1,38 @@
+#!/usr/bin/env bash
+# spec-link gate (Phase 3 build plan §C).
+# The change must link a real story/spec: every commit range under review must carry a
+# `Task: <story>-<task>` trailer whose <story> resolves to a specs/<story>/link.md.
+# Fail if the link is missing — no unlinked code reaches merge.
+set -euo pipefail
+
+BASE="${1:-${SDLC_BASE:-origin/main}}"
+
+# Fail closed if the base ref can't be resolved (shallow clone / wrong base branch / unfetched ref).
+if ! git rev-parse --verify --quiet "${BASE}^{commit}" >/dev/null; then
+  echo "FAIL [spec-link]: base ref '${BASE}' not found — fetch full history / check the base branch."
+  exit 1
+fi
+RANGE="${BASE}..HEAD"
+
+# Portable across bash 3.2 (macOS) and 4+ — no mapfile.
+tasks="$(git log "$RANGE" --format='%(trailers:key=Task,valueonly)' | sed '/^$/d' | sort -u)"
+
+if [ -z "$tasks" ]; then
+  echo "FAIL [spec-link]: no 'Task: <story>-<task>' trailer in ${RANGE} — change does not link a story/spec."
+  exit 1
+fi
+
+rc=0
+while IFS= read -r t; do
+  [ -z "$t" ] && continue
+  story="$(printf '%s' "$t" | sed -E 's/-T[0-9]+$//')"
+  if [ -f "specs/${story}/link.md" ]; then
+    echo "PASS [spec-link]: ${t} -> specs/${story}/link.md"
+  else
+    echo "FAIL [spec-link]: ${t} references specs/${story}/ but link.md is missing."
+    rc=1
+  fi
+done <<EOF
+$tasks
+EOF
+exit "$rc"

package/skills/sdlc-checks/templates/checks/verified-commits.sh

@@ -0,0 +1,120 @@
+#!/usr/bin/env bash
+# verified-commits gate.
+# Every commit in the range under review must (1) carry a signature the PLATFORM marks as verified
+# (the GitHub/GitLab "Verified" badge — proves the commit was signed by a key registered to the
+# account that owns the author email) and (2) be AUTHORED by a known identity: the author email must
+# appear in the .sdlc/verified-authors allowlist (generated by `sdlc check --fix` from the hub
+# roster's `email` fields + hub.json `verified_authors`). Unsigned commits and commits from unknown
+# authors do not reach merge — on the product hub and on every connected repo alike.
+#
+# Only the AUTHOR email is checked against the allowlist: platform-generated merge/squash/update
+# commits set the platform itself as the committer (e.g. noreply@github.com), and their integrity is
+# covered by the signature check (the platform signs them).
+#
+# Degradation is explicit, never silent:
+#   - no allowlist file        -> author check SKIPPED with a warning (configure emails, re-wire)
+#   - no GitHub/GitLab remote  -> signature check SKIPPED with a warning (no platform, no badge)
+#   - platform API unreachable -> FAIL closed (a security gate must not pass on a broken check)
+#
+# GitLab note: the signature API is not readable with CI_JOB_TOKEN — provide a CI variable
+# GITLAB_TOKEN (or SDLC_API_TOKEN) with read_api scope; see the pipeline fragment header.
+set -euo pipefail
+
+BASE="${1:-${SDLC_BASE:-origin/main}}"
+
+# Fail closed if the base ref can't be resolved (shallow clone / wrong base branch / unfetched ref).
+if ! git rev-parse --verify --quiet "${BASE}^{commit}" >/dev/null; then
+  echo "FAIL [verified-commits]: base ref '${BASE}' not found — fetch full history / check the base branch."
+  exit 1
+fi
+RANGE="${BASE}..HEAD"
+
+commits="$(git rev-list "$RANGE")"
+if [ -z "$commits" ]; then
+  echo "PASS [verified-commits]: no commits in ${RANGE}"
+  exit 0
+fi
+
+# ---- author allowlist (one email per line; # comments; case-insensitive) -------------------------
+ALLOWLIST="${SDLC_VERIFIED_AUTHORS:-.sdlc/verified-authors}"
+authors_on=0
+if [ -f "$ALLOWLIST" ]; then
+  authors_on=1
+else
+  echo "WARN [verified-commits]: ${ALLOWLIST} not found — author allowlist NOT enforced. Add 'email' to the hub roster (or hub.json 'verified_authors'), then run \`sdlc check --fix\`."
+fi
+
+# ---- platform for the signature check (override with SDLC_PLATFORM=github|gitlab|none) -----------
+remote="$(git remote get-url origin 2>/dev/null || true)"
+platform=""
+case "$remote" in
+  *github*) platform=github ;;
+  *gitlab*) platform=gitlab ;;
+esac
+platform="${SDLC_PLATFORM:-$platform}"
+case "$platform" in
+  github|gitlab) ;;
+  ""|none)
+    platform=""
+    echo "WARN [verified-commits]: no GitHub/GitLab remote — signature verification SKIPPED (the Verified badge is a platform concept)."
+    ;;
+  *)
+    # Fail closed: an unknown override must never let signature checks silently pass.
+    echo "FAIL [verified-commits]: unknown platform '${platform}' (SDLC_PLATFORM must be github|gitlab|none)."
+    exit 1
+    ;;
+esac
+
+# 0 when the platform marks the commit's signature verified.
+signature_verified() {
+  local sha v body
+  sha="$1"
+  case "$platform" in
+    github)
+      v="$(gh api "repos/{owner}/{repo}/commits/${sha}" --jq '.commit.verification.verified' 2>/dev/null || echo api-error)"
+      [ "$v" = "true" ]
+      ;;
+    gitlab)
+      # In CI use the documented API directly; locally fall back to the user's own glab.
+      if [ -n "${CI_API_V4_URL:-}" ] && [ -n "${CI_PROJECT_ID:-}" ]; then
+        body="$(curl -fsS --header "PRIVATE-TOKEN: ${GITLAB_TOKEN:-${SDLC_API_TOKEN:-}}" \
+          "${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/repository/commits/${sha}/signature" 2>/dev/null || true)"
+      else
+        body="$(glab api "projects/:id/repository/commits/${sha}/signature" 2>/dev/null || true)"
+      fi
+      printf '%s' "$body" | grep -qE '"verification_status"[[:space:]]*:[[:space:]]*"verified"'
+      ;;
+    *) return 1 ;; # unreachable (platform validated above) — keep the gate fail-closed regardless
+  esac
+}
+
+rc=0
+while IFS= read -r sha; do
+  [ -z "$sha" ] && continue
+  short="$(git log -1 --format=%h "$sha")"
+  author="$(git log -1 --format=%ae "$sha" | tr '[:upper:]' '[:lower:]')"
+
+  if [ "$authors_on" = 1 ]; then
+    # tolerate CRLF / stray surrounding whitespace in a hand-edited allowlist
+    if grep -vE '^[[:space:]]*(#|$)' "$ALLOWLIST" | tr -d '\r' | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' \
+        | tr '[:upper:]' '[:lower:]' | grep -qxF "$author"; then
+      echo "PASS [verified-commits]: ${short} author <${author}> is a known identity"
+    else
+      echo "FAIL [verified-commits]: ${short} author <${author}> is not in ${ALLOWLIST} — unverified user."
+      rc=1
+    fi
+  fi
+
+  if [ -n "$platform" ]; then
+    if signature_verified "$sha"; then
+      echo "PASS [verified-commits]: ${short} signature verified by ${platform}"
+    else
+      echo "FAIL [verified-commits]: ${short} signature missing/unverified — sign commits (GPG/SSH key registered on ${platform}), or the signature API was unreachable (GitLab: set GITLAB_TOKEN/SDLC_API_TOKEN with read_api)."
+      rc=1
+    fi
+  fi
+done <<EOF
+$commits
+EOF
+
+exit "$rc"

package/skills/sdlc-checks/templates/github/sdlc-checks.yml

@@ -0,0 +1,45 @@
+# sdlc-managed: sdlc-checks
+# SDLC check gates (Phase 3 build plan §C). The three gates run on every PR and must pass before
+# merge. They are CI-agnostic bash in checks/ — this workflow just invokes them with the PR base.
+# This workflow file is OWNED by sdlc-checks (the marker on line 1 identifies it). It runs
+# independently of any other workflow in .github/workflows/, so wiring never edits a foreign workflow.
+name: sdlc-checks
+on:
+  pull_request:
+    branches: ["**"]
+
+jobs:
+  spec-link:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with: { fetch-depth: 0 }
+      - run: bash checks/spec-link.sh "origin/${{ github.base_ref }}"
+
+  contract-check:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with: { fetch-depth: 0 }
+      - run: bash checks/contract-check.sh "origin/${{ github.base_ref }}"
+
+  build-test-lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with: { fetch-depth: 0 }
+      - uses: actions/setup-node@v4
+        with: { node-version: "20" }
+      - run: bash checks/build-test-lint.sh
+
+  # No unverified commits from unverified users: platform-Verified signature + allowlisted author.
+  verified-commits:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    env:
+      GH_TOKEN: ${{ github.token }} # read-only: gh api commits/<sha> for the Verified badge
+    steps:
+      - uses: actions/checkout@v4
+        with: { fetch-depth: 0 }
+      - run: bash checks/verified-commits.sh "origin/${{ github.base_ref }}"

package/skills/sdlc-checks/templates/github/sdlc-verified-commits.yml

@@ -0,0 +1,22 @@
+# sdlc-managed: sdlc-checks
+# verified-commits gate for the PRODUCT HUB: every PR (including the front-half review/EP-* PRs)
+# must contain only commits whose signature the platform marks Verified AND whose author email is a
+# known identity (.sdlc/verified-authors — generated by `sdlc check --fix` from the hub roster).
+# Standalone workflow so it never collides with the hub-flavored sdlc-checks workflow.
+name: sdlc-verified-commits
+on:
+  pull_request:
+    branches: ["**"]
+
+permissions:
+  contents: read
+
+jobs:
+  verified-commits:
+    runs-on: ubuntu-latest
+    env:
+      GH_TOKEN: ${{ github.token }} # read-only: gh api commits/<sha> for the Verified badge
+    steps:
+      - uses: actions/checkout@v4
+        with: { fetch-depth: 0 }
+      - run: bash checks/verified-commits.sh "origin/${{ github.base_ref }}"

package/skills/sdlc-checks/templates/gitlab/.gitlab-ci.yml

@@ -0,0 +1,40 @@
+# SDLC check gates (Phase 3 build plan §C). The team's GitLab CI runs the same gates as
+# pipeline stages on every merge request; they must pass before merge. The gates are CI-agnostic
+# bash in checks/ — these stages just invoke them with the MR target as base.
+stages: [spec-link, contract-check, build-test-lint, verified-commits]
+
+default:
+  image: node:20
+
+.mr_only:
+  rules:
+    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+
+variables:
+  GIT_DEPTH: "0"   # full history so the gates can diff against the target branch
+
+spec-link:
+  stage: spec-link
+  extends: .mr_only
+  script:
+    - bash checks/spec-link.sh "origin/$CI_MERGE_REQUEST_TARGET_BRANCH_NAME"
+
+contract-check:
+  stage: contract-check
+  extends: .mr_only
+  script:
+    - bash checks/contract-check.sh "origin/$CI_MERGE_REQUEST_TARGET_BRANCH_NAME"
+
+build-test-lint:
+  stage: build-test-lint
+  extends: .mr_only
+  script:
+    - bash checks/build-test-lint.sh
+
+# Needs a CI/CD variable GITLAB_TOKEN (or SDLC_API_TOKEN) with read_api scope — CI_JOB_TOKEN cannot
+# read the commit-signature API.
+verified-commits:
+  stage: verified-commits
+  extends: .mr_only
+  script:
+    - bash checks/verified-commits.sh "origin/$CI_MERGE_REQUEST_TARGET_BRANCH_NAME"

package/skills/sdlc-checks/templates/gitlab/gitlab-ci.include-root.yml

@@ -0,0 +1,7 @@
+# SDLC check gates — minimal root pipeline.
+# Written by `sdlc-checks wire` ONLY when the repo has no existing root `.gitlab-ci.yml`.
+# The gates themselves live in the included fragment so the same single source is reused whether
+# or not a root pipeline already exists. If a root later grows real jobs, they coexist with the
+# included sdlc-* jobs (which carry `needs: []` and no `stage:`).
+include:
+  - local: '.gitlab/ci/sdlc-checks.yml'

package/skills/sdlc-checks/templates/gitlab/sdlc-checks.gitlab-ci.yml

@@ -0,0 +1,47 @@
+# sdlc-managed-include: sdlc-checks
+# SDLC check gates (Phase 3 build plan §C), as an INCLUDABLE fragment.
+# This file is pulled into a repo's existing .gitlab-ci.yml via:
+#   include:
+#     - local: '.gitlab/ci/sdlc-checks.yml'
+# so wiring NEVER edits the foreign root pipeline beyond adding that one include line.
+#
+# Merge-safety: these jobs do NOT declare a `stage:` and use `needs: []`, so they run in the
+# pipeline's default stage regardless of any `stages:` order the foreign root defines — a foreign
+# `stages:` list can neither break them nor reorder them. Job names are sdlc-prefixed to avoid
+# colliding with the host project's own job names.
+default:
+  image: node:20
+
+.sdlc_mr_only:
+  rules:
+    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+
+variables:
+  GIT_DEPTH: "0"   # full history so the gates can diff against the target branch
+
+sdlc-spec-link:
+  extends: .sdlc_mr_only
+  needs: []
+  script:
+    - bash checks/spec-link.sh "origin/$CI_MERGE_REQUEST_TARGET_BRANCH_NAME"
+
+sdlc-contract-check:
+  extends: .sdlc_mr_only
+  needs: []
+  script:
+    - bash checks/contract-check.sh "origin/$CI_MERGE_REQUEST_TARGET_BRANCH_NAME"
+
+sdlc-build-test-lint:
+  extends: .sdlc_mr_only
+  needs: []
+  script:
+    - bash checks/build-test-lint.sh
+
+# No unverified commits from unverified users: platform-Verified signature + allowlisted author.
+# Needs a CI/CD variable GITLAB_TOKEN (or SDLC_API_TOKEN) with read_api scope — CI_JOB_TOKEN cannot
+# read the commit-signature API. Without it the job FAILS closed with guidance.
+sdlc-verified-commits:
+  extends: .sdlc_mr_only
+  needs: []
+  script:
+    - bash checks/verified-commits.sh "origin/$CI_MERGE_REQUEST_TARGET_BRANCH_NAME"

package/skills/sdlc-checks/templates/gitlab/sdlc-verified-commits.gitlab-ci.yml

@@ -0,0 +1,21 @@
+# sdlc-managed-include: sdlc-checks
+# verified-commits gate for the PRODUCT HUB, as an INCLUDABLE fragment. Pulled into the hub's root
+# .gitlab-ci.yml via:
+#   include:
+#     - local: '.gitlab/ci/sdlc-verified-commits.yml'
+# Every MR (including the front-half review/EP-* MRs) must contain only commits whose signature the
+# platform marks Verified AND whose author email is a known identity (.sdlc/verified-authors).
+#
+# Needs a CI/CD variable GITLAB_TOKEN (or SDLC_API_TOKEN) with read_api scope — CI_JOB_TOKEN cannot
+# read the commit-signature API. The hub's SDLC_GATE_TOKEN (from the gate-sync wiring) also works:
+# set GITLAB_TOKEN: $SDLC_GATE_TOKEN in the job if you prefer one token.
+# Job name is sdlc-hub-prefixed so it can coexist with the code-repo fragment in one pipeline.
+sdlc-hub-verified-commits:
+  needs: []
+  image: node:20
+  variables:
+    GIT_DEPTH: "0" # full history so the gate can diff against the target branch
+  rules:
+    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+  script:
+    - bash checks/verified-commits.sh "origin/$CI_MERGE_REQUEST_TARGET_BRANCH_NAME"