CI scripts
Inventory of CI and utility scripts under scripts/ and the gates that use them.
Gate npm scripts
Each `npm run <script>` command launches a verification script. Critical commands are run in CI on each PR.
| Command | Script | Role |
|---|---|---|
| `npm run lint` | `eslint . --ext .ts,.cjs --max-warnings=0` | TypeScript lint with import boundaries (see ADR 0001) |
| `npm run typecheck` | `tsc -p tsconfig.json --noEmit` | Strict TypeScript check |
| `npm test` | `vitest run` | Unit tests (vitest) |
| `npm run e2e` | `playwright test` | End-to-end tests (Playwright) |
| `npm run line-count` | `scripts/check-line-counts.mjs` | Size gate (refuses monoliths above threshold) |
| `npm run architecture:check` | `scripts/check-architecture-boundaries.mjs` | Strict import boundaries between core/adapters/composition/addons |
| `npm run public-docs:check` | `scripts/check-public-docs.mjs` | Refuses `AGENT-*`, `AUDITOR-*`, `DISPATCH-*` and other internal patterns in `docs/` |
| `npm run docs:links` | `scripts/check-doc-links.mjs` | Checks internal markdown links (file + anchor) |
| `npm run license:check` | `scripts/check-licenses.mjs` | Checks dependency licenses (refuses unauthorized copyleft) |
| `npm run sbom:check` | `cyclonedx-npm` | Generates and validates SBOM for root, UI, cortex-lite |
| `npm run release:tarball:check` | `scripts/check-release-tarball.mjs` | Audits the release tarball (expected files, exclusions) |
Shell scripts
| Script | Role |
|---|---|
| `scripts/release.sh` | Bump version, changelog, tag release |
| `scripts/smoke-binary.sh` | Smoke test the `./bin/arka-deck` binary |
| `scripts/init-public-repo.sh` | Prepare a clean public repo (excludes `.input/`, `AGENTS.md`, `CLAUDE.md`, etc.) |
CI workflow
`.github/workflows/ci.yml` chains the gates:
- Public files guard — refuses `.input/`, `.claude/`, `.agents/`, etc. in the Git index
- Public docs guard — `npm run public-docs:check`
- Docs link check — `npm run docs:links`
- DCO sign-off — checks `git commit -s` on each commit
- Secret scan — `gitleaks` on the repository
- ShellCheck — `shellcheck` on shell scripts
- Quality (Node matrix) — lint + tests + build + line-count + architecture-check + typecheck + license-check + sbom-check
`.github/workflows/release.yml` adds:
- Tarball generation
- Tarball audit (`check-release-tarball.mjs`)
- SHA256
- GitHub Release
.github/workflows/scorecard.yml runs OSSF Scorecard each Monday to measure the supply-chain posture.
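
One way the public files guard from the `ci.yml` list could be written, as an added example that is not the project's own workflow code. The deny-list holds only the paths this page names (the project's full list is not shown), and the function names `find_internal_paths` and `check_git_index` are hypothetical.

```sh
#!/bin/sh
# Added example, not the project's ci.yml. The deny-list is an assumption:
# it holds only the paths this page names; the page's "etc." is not filled in.
DENY_DIRS=".input/ .claude/ .agents/"
DENY_FILES="AGENTS.md CLAUDE.md"

# Reads newline-separated repo-relative paths on stdin, prints every
# forbidden one, and returns 1 if at least one was found (0 otherwise).
find_internal_paths() {
  local path dir name found=0
  while IFS= read -r path; do
    for dir in $DENY_DIRS; do
      case "$path" in
        # Match the directory at the root or nested at any depth.
        "$dir"*|*/"$dir"*) printf '%s\n' "$path"; found=1; continue 2 ;;
      esac
    done
    for name in $DENY_FILES; do
      case "$path" in
        "$name"|*/"$name") printf '%s\n' "$path"; found=1; continue 2 ;;
      esac
    done
  done
  return "$found"
}

# Checks the index (tracked and staged files), not the working tree.
# -z disables Git's path quoting, which would otherwise wrap unusual
# names in double quotes and let them slip past the prefix match.
check_git_index() {
  local hits
  git rev-parse --git-dir >/dev/null 2>&1 || {
    echo "not inside a Git repository" >&2
    return 2
  }
  if hits=$(git ls-files -z --cached | tr '\0' '\n' | find_internal_paths); then
    return 0
  fi
  printf 'Internal files found in the Git index:\n%s\n' "$hits" >&2
  return 1
}

# In a CI step: check_git_index || exit 1
```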
Git hooks
`.githooks/` contains a pre-commit that:
- Runs lint on staged files
- Checks DCO sign-off
- Refuses internal files (`.input/`, etc.)
Enable hooks locally:

```
git config core.hooksPath .githooks
```

See also
- Detailed CI/Gates (contributor workflow): `docs/dev/workflow/ci-gates.en.md` (coming)
- Release procedure: `docs/dev/workflow/release.en.md` (coming)
- Hexagonal architecture (ADR 0001): ../../adr/0001-architecture-hexagonale.md