nemo-cli 0.0.1__tar.gz → 0.1.0__tar.gz

nemo_cli-0.1.0/.claude/skills/close-session/SKILL.md

@@ -0,0 +1,37 @@
+---
+description: Close a CFD session by running the non-negotiable session-close ritual — update docs/CURRENT_STATUS.md, capture any clarified convention or informal decision, and produce a PR-ready summary. Use when the user says "close session", "wrap up", "we're done for today", or invokes the CFD session-close ritual. Implements ADR-018.
+---
+
+Run the Context-First Development session-close ritual (ADR-018). This is
+**non-negotiable** — a session that ends without step 1 leaves the next session
+with stale context. Do all of the following, in order:
+
+1. **Update `docs/CURRENT_STATUS.md`:**
+   - Move completed items from "In Progress" to "Recently Completed".
+   - Add anything still pending or newly surfaced this session.
+   - Update "Known Issues / Open Questions" if anything new appeared.
+   - Re-rank "Next Priorities".
+   - Update the "Last updated" date to today.
+   - If work was tracked as a GitHub issue (ADR-021), reference it by `#N`.
+
+2. **Update `docs/CONVENTIONS.md`** if any convention was clarified or a pattern
+   was corrected this session (ADR-016). Do not leave corrections only in chat
+   history — they will be lost next session.
+
+3. **If a significant decision was made informally** (in chat, in passing),
+   propose creating an ADR via the `new-decision` skill before closing
+   (ADR-013). Do not let an implicit decision ship undocumented.
+
+4. **Ship `docs/` context changes in the same commit/PR as the session's code.**
+   Exception specific to this project: `docs/CURRENT_STATUS.md` is local-only
+   (gitignored), so it is updated locally every session but never travels in a
+   PR — only `CONVENTIONS.md` and ADRs do.
+
+Do **not** end the session without completing step 1.
+
+After completing the ritual, output a one-paragraph session summary suitable for
+pasting into a PR description (Spanish is fine here per ADR-014 — PR descriptions
+are not reloaded into context).
+
+If a PR was opened from this session, the natural next step is the `review-pr`
+skill — it cross-checks the diff against the project's checklist (ADR-020).

nemo_cli-0.1.0/.claude/skills/issue-new/SKILL.md

@@ -0,0 +1,63 @@
+---
+description: Create a self-sufficient nemo-cli unit of work as a GitHub Issue with the fixed CFD body template (Context, Target, ADRs to load, Acceptance criteria, Reproduction, Estimated sessions). Use when the user asks to "open an issue", "create a work item", "plan a task", or describes new work to be tracked. Implements ADR-021.
+---
+
+Guide the user through creating a GitHub Issue with the fixed body template from
+ADR-021. The completeness of this issue determines how cheaply the next session
+starts — be thorough here. Ask, in order, and confirm each answer:
+
+1. **Type.** `feature` | `fix` | `chore` | `spike` | `docs`.
+2. **Title.** Imperative, ≤ 80 chars, English (ADR-014). e.g. "Add `nemo
+   portfolio export` command".
+3. **Context.** 2–4 sentences: the trigger and the user-visible outcome.
+4. **Target location.** Concrete paths. For a new subcommand, name the module
+   and proposed file (e.g. `src/nemo_cli/commands/<verb>.py` — new file —
+   registered in `src/nemo_cli/cli.py`).
+5. **Pattern to mirror.** An existing file the implementation should copy in
+   shape and naming (e.g. `src/nemo_cli/commands/instruments.py`). Flag
+   explicitly if no analog exists.
+6. **ADRs to load.** ADR numbers the agent must read first. If a needed decision
+   is not yet an ADR, **STOP and run the `new-decision` skill** — implementing
+   an undocumented decision is forbidden by ADR-013.
+7. **Acceptance criteria (DoD).** Markdown `[ ]` items covering all three of:
+   behaviour at the end, tests (kind + location under `tests/` mirroring the
+   package tree, `respx`/`CliRunner` per CONVENTIONS, coverage ≥ 95%), and docs
+   updated (CONVENTIONS, ADRs, README, CHANGELOG per ADR-007).
+8. **Reproduction steps.** `fix` only — a minimal repro the agent can run.
+9. **Estimated sessions.** `1` | `2–3` | `4+`. If > 1, **propose decomposing
+   into sub-issues before continuing** (ADR-019).
+10. **Labels.** The type plus any component (`auth`, `instruments`, `portfolio`,
+    `api`, `ci`, …).
+
+Then generate the body using the fixed template — do not change section order or
+names; `issue-start` parses by header:
+
+```markdown
+## Context
+<step 3>
+
+## Target
+- Files / dirs: <step 4>
+- Pattern to mirror: <step 5>
+
+## ADRs to load
+- [ADR-NNN](docs/decisions/NNN-*.md)
+
+## Acceptance criteria
+- [ ] <step 7>
+
+## Reproduction (fixes only)
+<step 8 — OR omit this section entirely if not a fix>
+
+## Estimated sessions
+<step 9>
+```
+
+Then create it:
+
+```bash
+gh issue create --title "<step 2>" --body "<body above>" --label "<type>,<labels>"
+```
+
+Output the issue URL when done. English for the issue body (ADR-014); the issue
+comment thread may be Spanish.

nemo_cli-0.1.0/.claude/skills/issue-start/SKILL.md

@@ -0,0 +1,39 @@
+---
+description: Pick up a nemo-cli GitHub Issue as the focus of this session — fetch it, parse its fixed CFD sections, pre-load the ADRs it names, skim the pattern to mirror, and summarize the objective and acceptance checklist without scanning target files. Use when the user says "start issue", "work on #N", "pick up", or passes an issue number. Implements ADR-021.
+---
+
+Pick up a tracker issue as this session's focus (ADR-021). Orient from the issue
+body and its ADRs — do not scan code at this step.
+
+1. **Fetch the issue.** The user passes a number; if not, ask which.
+
+   ```bash
+   gh issue view <n>
+   ```
+
+2. **Parse the fixed sections** (ADR-021): `Context`, `Target`, `ADRs to load`,
+   `Acceptance criteria`, `Reproduction` (fixes only), `Estimated sessions`. If
+   a required section is missing, **STOP** — tell the user the issue is
+   malformed and propose fixing it via `gh issue edit <n>`. Do not infer.
+
+3. **Read each ADR listed in `ADRs to load`** from `docs/decisions/`. These set
+   the constraints the implementation must satisfy.
+
+4. **Read the `Pattern to mirror` file ONCE for shape.** Skim, don't study — the
+   goal is to know what the produced code should look like.
+
+5. **Do NOT read the `Target` files yet.** They are where the work *goes*, not
+   where context comes *from*; reading them now is wasted tokens.
+
+6. **Summarize for the user:**
+   - **Objective** (one line, from `Context`).
+   - **Acceptance checklist** (verbatim from `Acceptance criteria` — the DoD).
+   - **ADRs loaded** and what each constrains.
+   - **Target paths** you will write to.
+   - **Pattern to mirror.**
+
+7. Ask: **"Ready to start?"** If `Estimated sessions` > 1, remind the user the
+   issue should be decomposed and offer to split it via `issue-new` (ADR-019).
+
+**Token discipline:** the issue body + ADRs are the spec. Code reading happens
+when implementation starts, not during orientation.

nemo_cli-0.1.0/.claude/skills/review-pr/SKILL.md

@@ -0,0 +1,115 @@
+---
+description: Review a nemo-cli Pull Request against the project's curated checklist — sourced from the ADRs, CONVENTIONS.md, and any linked issue's acceptance criteria — instead of re-discovering intent from code. Use when the user asks to "review PR", "review this branch", "check my PR", or passes a PR number. Implements ADR-020.
+---
+
+Review a PR against the project's context (ADR-020), not by re-discovering its
+intent from code. The agenda comes from the indices; read source to the depth
+the checklist demands.
+
+## 1. Identify the PR
+
+The user passes a PR number. If not, infer from the current branch:
+
+```bash
+gh pr status --json number --jq '.currentBranch.number'
+```
+
+If still none, ask.
+
+## 2. Fetch PR metadata + diff + commit story
+
+```bash
+gh pr view <n> --json baseRefName,headRefName,title,body,labels,commits,closingIssuesReferences
+gh pr diff <n>
+git log <base>..<head> --pretty=format:%s
+```
+
+## 3. Load the agenda
+
+- `docs/CONVENTIONS.md`
+- `docs/decisions/_index.md`, plus every ADR named in the PR body or a linked
+  issue.
+- The linked issue body via `gh issue view <issue-n>` if one exists (ADR-021):
+  extract the acceptance-criteria checklist and the "ADRs to load" list.
+- `.github/PULL_REQUEST_TEMPLATE.md` if present.
+
+## 4. Read changed files to the depth the agenda demands
+
+For nemo-cli this means **reading changed source files in full** — strict
+`pyright` and the `api_request()` boundary rule require verifying call sites,
+types, and that no handler or service calls `httpx` directly. This is
+verification against known rules, not discovery.
+
+## 5. Apply the checklist
+
+### Workflow (ADR-005, ADR-014)
+
+- Branch name follows `<type>/<slug>` (`feat`/`fix`/`docs`/`chore`/`refactor`/`test`).
+- Base branch is `main`; merge will be a squash with a Conventional-Commits title.
+- PR title is Conventional Commits and English.
+- PR body references `Closes #<n>` when an issue exists (ADR-021).
+- **No AI-attribution metadata** anywhere — no `Co-Authored-By:` trailer and no
+  "Generated with …" line, in any commit or the PR body (ADR-022). Flag any that
+  appear.
+
+### HTTP boundary (ADR-003, critical rule)
+
+- All Vector-portal HTTP goes through `api_request()` in
+  `src/nemo_cli/api/client.py`. No `httpx.request(...)` in command handlers or
+  services. Only allowed exception: `nemo_cli.auth.service.sign_in`.
+- Endpoint paths passed to `api_request()` are relative (e.g. `/shared/...`).
+- A new slow endpoint overrides `timeout=` at the service layer and adds a row
+  to the Timeouts table in `CONVENTIONS.md` — the global default is unchanged.
+
+### Conventions (CONVENTIONS.md)
+
+- Only `nemo_cli.config` reads `os.environ`.
+- Imports are absolute; new subcommand = one module exporting one verb function,
+  registered in `cli.py`.
+- Response shapes are typed at the call site (TypedDict/dataclass), not in a
+  global types module.
+- Errors: command handlers print a red one-line message to stderr and raise
+  `typer.Exit(code=1)`; library code raises `RuntimeError`.
+- A `--json` flag, when added, echoes the request scope + typed result.
+
+### Types
+
+- `pyright` strict passes; explicit return types on public functions; PEP-604
+  unions (`str | None`); no `Any`.
+
+### Testing (CONVENTIONS.md)
+
+- HTTP mocked via `respx`; CLI tested via `CliRunner`; tests mirror the package
+  tree; private helpers tested directly; coverage stays ≥ 95%.
+
+### Decisions & docs drift
+
+- Any new significant decision has an ADR in this PR (ADR-013); `_index.md`
+  updated.
+- A clarified convention is captured in `CONVENTIONS.md` (ADR-016).
+- A user-facing change has a `CHANGELOG.md` entry (ADR-007).
+- Each acceptance-criteria `[ ]` from the linked issue is implemented; no
+  out-of-scope changes.
+
+## 6. Output a structured review
+
+```text
+## Critical (must fix before merge)
+- <file>:<line> — <issue> — citation: <ADR-N / CONVENTIONS line>. Suggested fix: <…>.
+
+## Suggestions (should fix)
+- <file>:<line> — <issue> — citation.
+
+## Nits
+- <file>:<line> — <issue>.
+
+## Summary
+- Overall assessment, AC coverage X/Y, architecture compliance ✓/⚠/✗.
+```
+
+## Rules
+
+- **Do NOT auto-fix.** Report only; the author fixes next session.
+- If the checklist needs a rule not yet in an ADR or `CONVENTIONS.md`, surface
+  it as a finding ("missing convention for X") and propose `new-decision` — do
+  not silently invent it.

{nemo_cli-0.0.1 → nemo_cli-0.1.0}/.claude/skills/start-session/SKILL.md

@@ -8,10 +8,24 @@ files, in order, and do not scan source code unless a follow-up question require
 1. `docs/CURRENT_STATUS.md` — what is in progress, what is blocked, what is next.
 2. `docs/decisions/_index.md` — recent decisions that may affect the next change.
 
+3. **If `CURRENT_STATUS.md` references in-progress work by issue number** (e.g.
+   `#142`), load that unit of work (ADR-021):
+
+   ```bash
+   gh issue view <n>
+   ```
+
+   Then read each ADR the issue lists under "ADRs to load" from
+   `docs/decisions/`. Do **not** read the files in the issue's "Target" section —
+   those are where the work goes, not where context comes from. If no issue is
+   referenced, skip this step and orient from `CURRENT_STATUS.md` alone.
+
 Then produce a brief (≤ 8 lines) summary covering:
 
 - What was being worked on in the previous session.
 - What is currently blocked and why.
+- The objective and acceptance checklist of the in-progress issue, if one was
+  loaded in step 3.
 - What the next priority should be, based on `CURRENT_STATUS.md` and any open
   questions noted there.
 

{nemo_cli-0.0.1 → nemo_cli-0.1.0}/.claude/skills/validate-context/SKILL.md

@@ -1,5 +1,5 @@
 ---
-description: Audit CFD context-file integrity — verify CLAUDE.md size, @-references resolve, ADR index consistency, no duplicated context, and CURRENT_STATUS.md freshness. Use when the user asks to "validate context", "audit docs", or check whether the CFD scaffolding is healthy.
+description: Audit CFD context-file integrity — verify CLAUDE.md size, @-references resolve, ADR index consistency, no duplicated context, English-only model context, skill-set consistency, and CURRENT_STATUS.md freshness. Use when the user asks to "validate context", "audit docs", or check whether the CFD scaffolding is healthy.
 ---
 
 Run a CFD context-integrity check. Do not modify files; just report findings.
@@ -18,7 +18,15 @@ Checks to perform:
    `docs/STACK.md` only (not also expanded inside `CLAUDE.md` or `ARCHITECTURE.md`),
    and that decision rationale is in the relevant ADR (not duplicated in
    `ARCHITECTURE.md`).
-5. **`CURRENT_STATUS.md` freshness.** Look at the `Last updated:` line. If it is
+5. **English-only model context (ADR-014).** Spot-check that `CLAUDE.md` and
+   `docs/**/*.md` (including ADRs and `.claude/skills/**/SKILL.md`) are written in
+   English. Flag any model-facing file whose prose is predominantly another
+   language. (PR descriptions and chat are exempt — they are not in this tree.)
+6. **Skill-set consistency (ADR-015).** Every procedure listed in the
+   `docs/CONVENTIONS.md` "CFD workflow (Skills)" table has a matching
+   `.claude/skills/<name>/SKILL.md`, and every skill directory appears in that
+   table. Flag any mismatch in either direction.
+7. **`CURRENT_STATUS.md` freshness.** Look at the `Last updated:` line. If it is
    more than two working days behind today's date, flag it.
 
 Output a short report grouped by check, with `✓` / `✗` and a one-line note for each.

nemo_cli-0.1.0/.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,29 @@
+---
+name: Bug report
+about: Something in nemo-cli behaves incorrectly
+title: "fix: "
+labels: [bug]
+---
+
+> ⚠️ **Never paste real credentials, bearer tokens, JWTs, RUTs, or real
+> portfolio amounts.** Redact or use synthetic values.
+
+## What happened
+
+<!-- A clear description of the bug and the command you ran. -->
+
+## Steps to reproduce
+
+1. <!-- e.g. `nemo portfolio summary --json` -->
+2.
+
+## Expected vs. actual
+
+- **Expected:**
+- **Actual:** <!-- include the error message, redacted -->
+
+## Environment
+
+- `nemo --version`:
+- Python version:
+- OS:

nemo_cli-0.1.0/.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,5 @@
+blank_issues_enabled: false
+contact_links:
+  - name: Security vulnerability (private)
+    url: https://github.com/albertomarturelo/nemo-cli/security/advisories/new
+    about: Report security issues privately. Do NOT open a public issue. See SECURITY.md.

nemo_cli-0.1.0/.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,23 @@
+---
+name: Feature request
+about: Suggest a new command, flag, or capability
+title: "feat: "
+labels: [enhancement]
+---
+
+## Problem
+
+<!-- What are you trying to do that nemo-cli doesn't support today? -->
+
+## Proposed solution
+
+<!-- The command / flag / behaviour you'd like. e.g. a new subcommand,
+     a `--json` field, a new portal endpoint. -->
+
+## Scope
+
+<!-- Which domain does this touch? auth / instruments / portfolio / output / other -->
+
+## Alternatives considered
+
+<!-- Workarounds you've tried or other approaches. -->

nemo_cli-0.1.0/.github/ISSUE_TEMPLATE/work-unit.md

@@ -0,0 +1,44 @@
+---
+name: Work unit (maintainer)
+about: Internal maintainer work unit (per ADR-021). Contributors — use Bug report or Feature request instead.
+title: ""
+labels: []
+---
+
+<!-- Do NOT delete any section. The `issue-start` skill parses by section header.
+     If a section truly does not apply (e.g. Reproduction on a feature),
+     remove ONLY that section. -->
+
+## Context
+
+<!-- 2–4 sentences: what is the trigger, what is the user-visible outcome. -->
+
+## Target
+
+- Files / dirs: <!-- concrete paths; mark `new file` if net-new -->
+- Pattern to mirror: <!-- existing file the implementation should mirror in shape/naming, e.g. src/nemo_cli/portfolio/summary.py -->
+
+## ADRs to load
+
+<!-- ADR numbers the agent must read before starting. Link each one. -->
+
+- [ADR-NNN](docs/decisions/NNN-*.md)
+
+## Acceptance criteria
+
+<!-- Definition of Done — reused verbatim in the PR description. -->
+
+- [ ] <!-- Behavior: what works at the end (concrete CLI output / library API) -->
+- [ ] <!-- Tests: which tests/ files exist; respx-mocked, no real network -->
+- [ ] <!-- Documentation: which of CONVENTIONS / STACK / ARCHITECTURE / CHANGELOG / new ADR is updated -->
+
+## Reproduction (fixes only)
+
+<!-- ONLY for `fix` issues. Minimal repro the agent can run. Remove this
+     section entirely if not a fix. Never paste real credentials or RUTs. -->
+
+## Estimated sessions
+
+<!-- 1 | 2–3 | 4+. If > 1, decompose into sub-issues before starting (ADR-019). -->
+
+1

nemo_cli-0.1.0/.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,43 @@
+<!-- Keep this template's sections — the `review-pr` skill (ADR-020) parses them. -->
+
+## Summary
+
+<!-- 1-3 sentences: what the PR changes and why. -->
+
+## Linked issue
+
+Closes #<!-- N -->
+
+<!-- If no linked issue, replace this section with a justification.
+     Most non-trivial work should track an issue per ADR-021. -->
+
+## Acceptance criteria
+
+<!-- Copy verbatim from the issue body. Tick boxes as items land. -->
+
+- [ ] <!-- behavior -->
+- [ ] <!-- tests -->
+- [ ] <!-- documentation -->
+
+## ADRs touched
+
+<!-- ADRs this PR depends on, supersedes, or amends. If you introduced a new
+     decision, link the new ADR file. If none, write "none". -->
+
+- ADR-NNN
+
+## Test plan
+
+<!-- Concrete commands a reviewer can run. HTTP is respx-mocked; no real
+     network or real credentials, ever (CONVENTIONS.md § Testing). -->
+
+```bash
+pytest
+ruff check .
+pyright
+```
+
+## Notes for the reviewer
+
+<!-- Anything non-obvious in the diff, deferred follow-ups, captured response
+     shapes for a new endpoint, etc. No AI-attribution footer in commits (ADR-022). -->

nemo_cli-0.1.0/.github/workflows/ci.yml

@@ -0,0 +1,170 @@
+name: CI
+
+on:
+  pull_request:
+    branches: [main]
+  push:
+    branches: [main]
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  tests:
+    name: Tests + Lint (py${{ matrix.python-version }})
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        python-version: ['3.11', '3.12', '3.13']
+    steps:
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        with:
+          python-version: ${{ matrix.python-version }}
+          cache: pip
+
+      - name: Install (editable + dev extras)
+        run: python -m pip install --upgrade pip && pip install -e .[dev]
+
+      - name: pytest (coverage gate >= 95%)
+        run: pytest --cov=nemo_cli --cov-report=term-missing --cov-fail-under=95
+
+      - name: ruff check
+        run: ruff check .
+
+  types:
+    name: Types (pyright strict)
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+
+      - name: Set up Python
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        with:
+          python-version: '3.12'
+          cache: pip
+
+      - name: Install (editable + dev extras)
+        run: python -m pip install --upgrade pip && pip install -e .[dev]
+
+      - name: pyright
+        run: pyright
+
+  validate-context:
+    name: Validate context (ADRs + api_request boundary + PII)
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+
+      - name: ADR index integrity
+        # Every docs/decisions/NNN-*.md must be listed in _index.md, and every
+        # link from _index.md must point to a real file (the /validate-context
+        # skill, check #3).
+        run: |
+          set -euo pipefail
+          fail=0
+          for f in docs/decisions/[0-9]*.md; do
+            name=$(basename "$f")
+            if ! grep -q "$name" docs/decisions/_index.md; then
+              echo "::error file=docs/decisions/_index.md::ADR $name exists on disk but is not listed in the index."
+              fail=1
+            fi
+          done
+          while IFS= read -r ref; do
+            if [ -n "$ref" ] && [ ! -f "$ref" ]; then
+              echo "::error file=docs/decisions/_index.md::Index links to a missing file: $ref"
+              fail=1
+            fi
+          done < <(grep -oE 'docs/decisions/[0-9]+-[a-zA-Z0-9-]+\.md' docs/decisions/_index.md | sort -u)
+          exit $fail
+
+      - name: ADR completeness (5 mandatory sections)
+        # House ADR format: Status, Context, Decision, Alternatives Considered,
+        # Consequences (Date is also present but not gated here).
+        run: |
+          set -euo pipefail
+          fail=0
+          for f in docs/decisions/[0-9]*.md; do
+            for section in '## Status' '## Context' '## Decision' '## Alternatives Considered' '## Consequences'; do
+              if ! grep -qxF "$section" "$f"; then
+                echo "::error file=$f::Missing required ADR section '$section'."
+                fail=1
+              fi
+            done
+          done
+          exit $fail
+
+      - name: CLAUDE.md is an index (<= 150 lines)
+        run: |
+          set -euo pipefail
+          lines=$(wc -l < CLAUDE.md)
+          if [ "$lines" -gt 150 ]; then
+            echo "::error file=CLAUDE.md::CLAUDE.md is $lines lines (> 150) — it must stay an index of @-references, not a long-form doc."
+            exit 1
+          fi
+          echo "CLAUDE.md: $lines lines (<= 150)."
+
+      - name: CLAUDE.md @-references resolve
+        run: |
+          set -euo pipefail
+          fail=0
+          for ref in $(grep -oE '@[A-Za-z0-9_./-]+' CLAUDE.md | sed 's/^@//'); do
+            if [ ! -e "$ref" ]; then
+              echo "::error file=CLAUDE.md::@-reference does not resolve: $ref"
+              fail=1
+            fi
+          done
+          exit $fail
+
+      - name: Skill-set consistency (ADR-015)
+        # Every skill under .claude/skills/ is listed in the CONVENTIONS
+        # "CFD workflow (Skills)" table, and vice versa.
+        run: |
+          set -euo pipefail
+          section=$(awk '/^## CFD workflow/{f=1} f&&/^## /&&!/CFD workflow/{exit} f' docs/CONVENTIONS.md)
+          dirs=$(ls -1 .claude/skills | sort)
+          table=$(printf '%s\n' "$section" | grep -oE '`[a-z][a-z-]+`' | tr -d '`' | sort -u)
+          if ! diff <(printf '%s\n' "$dirs") <(printf '%s\n' "$table") >/dev/null; then
+            echo "::error file=docs/CONVENTIONS.md::Skill set mismatch between .claude/skills/ and the CONVENTIONS 'CFD workflow' table:"
+            diff <(printf '%s\n' "$dirs") <(printf '%s\n' "$table") || true
+            exit 1
+          fi
+          echo "Skill set consistent."
+
+      - name: api_request() boundary (ADR-003)
+        # All Vector-portal HTTP must go through api_request(); the only files
+        # allowed to touch httpx directly are the client and the auth bootstrap.
+        run: |
+          set -euo pipefail
+          if git grep -nE 'httpx\.(request|get|post|put|delete|patch|stream|Client|AsyncClient)' -- 'src/' ':!src/nemo_cli/api/client.py' ':!src/nemo_cli/auth/service.py'; then
+            echo "::error::Direct httpx use outside api_request()/sign_in — ADR-003 forbids. Route the call through api_request() in src/nemo_cli/api/client.py."
+            exit 1
+          fi
+          echo "ADR-003 guard: no direct httpx use outside the allowed files."
+
+      - name: PII guard (no real RUTs in tracked files)
+        # CONVENTIONS forbids real PII in committed files. The synthetic dummy
+        # RUT (12.345.678-*) is allowed in tests/docs. Real RUT digit-bodies
+        # live in the PII_RUT_DENYLIST secret (pipe-separated 8-digit bodies, no
+        # dots/DV) — kept out of this public file. On forks the secret is unset
+        # and this step is skipped.
+        env:
+          PII_RUT_DENYLIST: ${{ secrets.PII_RUT_DENYLIST }}
+        run: |
+          set -euo pipefail
+          if [ -z "${PII_RUT_DENYLIST:-}" ]; then
+            echo "PII guard: no denylist secret configured (fork or unset) — skipping."
+            exit 0
+          fi
+          if git grep -nE "$PII_RUT_DENYLIST" -- src/ tests/ docs/ pyproject.toml; then
+            echo "::error::Real RUT digits found in tracked files — PII leak per CONVENTIONS. Use a synthetic value (e.g. 12.345.678-0)."
+            exit 1
+          fi
+          echo "PII guard: no forbidden RUT digits found."

{nemo_cli-0.0.1 → nemo_cli-0.1.0}/.github/workflows/publish.yml

@@ -12,10 +12,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 
       - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
           python-version: '3.12'
 
@@ -26,7 +26,7 @@ jobs:
         run: python -m build
 
       - name: Upload artifacts
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: python-package-distributions
           path: dist/
@@ -42,7 +42,7 @@ jobs:
       id-token: write
     steps:
       - name: Download artifacts
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           name: python-package-distributions
           path: dist/
@@ -64,7 +64,7 @@ jobs:
       id-token: write
     steps:
       - name: Download artifacts
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           name: python-package-distributions
           path: dist/