CI scripts
Inventory of CI and utility scripts under scripts/ and the gates that use them.
Gate npm scripts
Section titled “Gate npm scripts”Each npm run <script> command launches a verification script. Critical commands are run in CI on each PR.
| Command | Script | Role |
|---|---|---|
npm run lint | eslint . --ext .ts,.cjs --max-warnings=0 | TypeScript lint with import boundaries (see ADR 0001) |
npm run typecheck | tsc -p tsconfig.json --noEmit | Strict TypeScript check |
npm test | vitest run | Unit tests (vitest) |
npm run test:ui | npm --prefix adapters/inbound/web/ui run test | React/UI tests in jsdom |
npm run e2e | playwright test | End-to-end tests (Playwright) |
npm run line-count | scripts/check-line-counts.mjs | Size gate (refuses monoliths above the 700 LoC threshold; legacy files above 700 are tracked in the script allowlist with a SPEC-05 split-plan reason — entries become stale automatically once the file drops below the limit) |
npm run architecture:check | scripts/check-architecture-boundaries.mjs | Strict import boundaries between core/adapters/composition/addons |
npm run guardian:runtime:check | scripts/check-guardian-runtime-hardcode.mjs | Refuses long guardian pack rules/prompts copied into runtime source |
npm run public-docs:check | scripts/check-public-docs.mjs | Refuses AGENT-*, AUDITOR-*, DISPATCH-* and other internal patterns in docs/ |
npm run docs:links | scripts/check-doc-links.mjs | Checks internal markdown links (file + anchor) |
npm run docs:orphans | scripts/check-doc-orphans.mjs | Refuses unreferenced public docs under docs/ |
npm run docs:bilingual | scripts/check-doc-bilingual.mjs | Checks .md / .fr.md documentation parity |
npm run license:check | scripts/check-licenses.mjs | Checks dependency licenses (refuses unauthorized copyleft) |
npm run sbom:check | cyclonedx-npm | Generates and validates SBOM for root, UI, cortex-lite |
npm run sbom:release | cyclonedx-npm | Generates release SBOMs under sbom/ |
npm run release:tarball:check | scripts/check-release-tarball.mjs | Audits the release tarball (expected files, exclusions) |
Shell scripts
Section titled “Shell scripts”| Script | Role |
|---|---|
scripts/release.sh | Verify changelog section, bump packages/lockfiles, run lint/test, create DCO release commit |
scripts/smoke-binary.sh | Smoke test the ./bin/arka-deck binary |
scripts/init-public-repo.sh | Prepare a clean public repo (excludes private workshop files, AGENTS.md, CLAUDE.md, etc.) |
CI workflow
Section titled “CI workflow”.github/workflows/ci.yml chains the gates:
- Public files guard — refuses private/local agent state directories in the Git index
- Public docs guard —
npm run public-docs:check - Docs link check —
npm run docs:links - Docs orphans check —
npm run docs:orphans - Docs bilingual parity —
npm run docs:bilingual - DCO sign-off — checks
git commit -son each commit - Secret scan —
gitleakson the repository - ShellCheck —
shellcheckon shell scripts - Quality (Node matrix) — lint + tests + UI tests + build + line-count + architecture-check + guardian-runtime-hardcode + typecheck + license-check + sbom-check
.github/workflows/release.yml adds:
- Release SBOM generation
- Tarball generation
- Tarball audit (
check-release-tarball.mjs) - SHA256
- GitHub Release with tarball, checksum and SBOMs
.github/workflows/scorecard.yml runs OSSF Scorecard each Monday to measure the supply-chain posture.
Git hooks
Section titled “Git hooks”.githooks/ contains a pre-commit that:
- Runs lint on staged files
- Checks DCO sign-off
- Refuses internal private workshop files
Enable hooks locally:
git config core.hooksPath .githooksSee also
Section titled “See also”- Detailed CI/Gates (contributor workflow): ../workflow/ci-gates
- Release procedure: ../workflow/release
- Hexagonal architecture (ADR 0001): ../../adr/0001-architecture-hexagonale.md