Skip to content

CI scripts

Inventory of CI and utility scripts under scripts/ and the gates that use them.


Each npm run <script> command launches a verification script. Critical commands are run in CI on each PR.

CommandScriptRole
npm run linteslint . --ext .ts,.cjs --max-warnings=0TypeScript lint with import boundaries (see ADR 0001)
npm run typechecktsc -p tsconfig.json --noEmitStrict TypeScript check
npm testvitest runUnit tests (vitest)
npm run test:uinpm --prefix adapters/inbound/web/ui run testReact/UI tests in jsdom
npm run e2eplaywright testEnd-to-end tests (Playwright)
npm run line-countscripts/check-line-counts.mjsSize gate (refuses monoliths above the 700 LoC threshold; legacy files above 700 are tracked in the script allowlist with a SPEC-05 split-plan reason — entries become stale automatically once the file drops below the limit)
npm run architecture:checkscripts/check-architecture-boundaries.mjsStrict import boundaries between core/adapters/composition/addons
npm run guardian:runtime:checkscripts/check-guardian-runtime-hardcode.mjsRefuses long guardian pack rules/prompts copied into runtime source
npm run public-docs:checkscripts/check-public-docs.mjsRefuses AGENT-*, AUDITOR-*, DISPATCH-* and other internal patterns in docs/
npm run docs:linksscripts/check-doc-links.mjsChecks internal markdown links (file + anchor)
npm run docs:orphansscripts/check-doc-orphans.mjsRefuses unreferenced public docs under docs/
npm run docs:bilingualscripts/check-doc-bilingual.mjsChecks .md / .fr.md documentation parity
npm run license:checkscripts/check-licenses.mjsChecks dependency licenses (refuses unauthorized copyleft)
npm run sbom:checkcyclonedx-npmGenerates and validates SBOM for root, UI, cortex-lite
npm run sbom:releasecyclonedx-npmGenerates release SBOMs under sbom/
npm run release:tarball:checkscripts/check-release-tarball.mjsAudits the release tarball (expected files, exclusions)

ScriptRole
scripts/release.shVerify changelog section, bump packages/lockfiles, run lint/test, create DCO release commit
scripts/smoke-binary.shSmoke test the ./bin/arka-deck binary
scripts/init-public-repo.shPrepare a clean public repo (excludes private workshop files, AGENTS.md, CLAUDE.md, etc.)

.github/workflows/ci.yml chains the gates:

  1. Public files guard — refuses private/local agent state directories in the Git index
  2. Public docs guardnpm run public-docs:check
  3. Docs link checknpm run docs:links
  4. Docs orphans checknpm run docs:orphans
  5. Docs bilingual paritynpm run docs:bilingual
  6. DCO sign-off — checks git commit -s on each commit
  7. Secret scangitleaks on the repository
  8. ShellCheckshellcheck on shell scripts
  9. Quality (Node matrix) — lint + tests + UI tests + build + line-count + architecture-check + guardian-runtime-hardcode + typecheck + license-check + sbom-check

.github/workflows/release.yml adds:

  • Release SBOM generation
  • Tarball generation
  • Tarball audit (check-release-tarball.mjs)
  • SHA256
  • GitHub Release with tarball, checksum and SBOMs

.github/workflows/scorecard.yml runs OSSF Scorecard each Monday to measure the supply-chain posture.


.githooks/ contains a pre-commit that:

  • Runs lint on staged files
  • Checks DCO sign-off
  • Refuses internal private workshop files

Enable hooks locally:

Terminal window
git config core.hooksPath .githooks