CI gates
CI gates are the blocking checks applied to every PR and every push to main. Any PR must pass them to be merged.
Workflows: .github/workflows/ci.yml, .github/workflows/release.yml, .github/workflows/scorecard.yml.
Gates overview
Section titled “Gates overview”| Gate | Source | Blocking |
|---|---|---|
| Public files guard | git ls-files filter | yes |
| Public docs guard | scripts/check-public-docs.mjs | yes |
| Docs link check | scripts/check-doc-links.mjs | yes |
| DCO sign-off | tim-actions/dco | yes |
| Secret scan | gitleaks | yes |
| ShellCheck | shellcheck on scripts/*.sh | yes |
| Lint | eslint --max-warnings=0 | yes |
| Architecture boundaries | scripts/check-architecture-boundaries.mjs | yes |
| Guardian runtime hardcode | scripts/check-guardian-runtime-hardcode.mjs | yes |
| Line-count | scripts/check-line-counts.mjs | yes |
| Typecheck | tsc --noEmit | yes |
| Unit tests | vitest run | yes |
| UI tests | UI Vitest/jsdom | yes |
| Build | npm run build | yes |
| License check | scripts/check-licenses.mjs | yes |
| SBOM | cyclonedx-npm | yes |
| OSSF Scorecard | scorecard-action (weekly) | non-blocking, posture metric |
Public files guard
Section titled “Public files guard”Refuses internal files in the Git index:
.input(private workshop, gitignored).claude(Claude Code config, gitignored except exceptions)AGENTS.md,CLAUDE.md(internal guides — excluded from the public repo byscripts/init-public-repo.sh).agents,.codex,.gitnexus(local state)
If one of these files appears in git ls-files, the job fails.
Public docs guard
Section titled “Public docs guard”scripts/check-public-docs.mjs analyzes all .md under docs/ (+ root README*, ROADMAP, SECURITY, CONTRIBUTING):
- Forbidden file names:
AGENT-*patterns (exceptAGENT-INSTALL),AUDITOR-*,DISPATCH-*. - Forbidden content: references to internal dispatch briefs, retired WIP folders, and other internal orchestration artifacts.
To pass: remove/rename offending files, or remove the textual mention.
Docs link check
Section titled “Docs link check”scripts/check-doc-links.mjs validates markdown links:
- Each inline markdown link must point to an existing file.
- Each anchored link must point to an existing section in the target file.
- External URLs (
http://,https://,mailto:) are ignored.
To pass: fix or remove broken links. Mentions of upcoming files should be in code simple, not active links.
DCO sign-off
Section titled “DCO sign-off”Each commit must have a Signed-off-by: Name <email> line (equivalent to git commit -s). The DCO attests you have the right to submit the contribution under the project’s license.
To pass:
- Always use
git commit -s(create an alias if needed). - If commit forgotten:
git commit --amend -sfor the last, orgit rebase -i HEAD~N --signofffor several.
Secret scan (gitleaks)
Section titled “Secret scan (gitleaks)”gitleaks/gitleaks-action scans PR commits to detect API keys, tokens, passwords. Repository-level false positives are kept narrow in .gitleaks.toml; do not whitelist real secrets.
Architecture boundaries
Section titled “Architecture boundaries”scripts/check-architecture-boundaries.mjs validates that imports respect the boundaries defined in ADR 0001. Any violation (core/ importing adapters/, etc.) blocks the CI.
Guardian runtime hardcode
Section titled “Guardian runtime hardcode”scripts/check-guardian-runtime-hardcode.mjs reads the first-party guardian pack JSON files and verifies that their long texts are not copied into runtime source code. Rules, mini rules, prompts and policies stay in packs, are materialized in Cortex Lite, then compiled by guardian-runtime-compiler.
Line-count
Section titled “Line-count”scripts/check-line-counts.mjs refuses monolithic files above 800 lines unless they are explicitly allowlisted with a reason. Generated artifacts such as dist/, coverage/ and sbom/ are excluded.
License check
Section titled “License check”scripts/check-licenses.mjs checks that all dependencies use licenses compatible with the Arka Deck Open Source License baseline. Unauthorized copyleft (GPL, AGPL) are refused.
cyclonedx-npm generates a Software Bill of Materials for the root, the UI and cortex-lite. npm run sbom:check validates temporary SBOMs in CI; npm run sbom:release writes the release SBOMs under sbom/, and the release tarball guard requires all three .cdx.json files.
OSSF Scorecard
Section titled “OSSF Scorecard”Weekly measurement (Monday) of supply-chain posture (signing, dependencies, hygiene). Non-blocking — score displayed publicly on the GitHub Security tab.
See also
Section titled “See also”- Scripts in detail: ../reference/scripts-ci
- Hexagonal architecture ADR: ../../adr/0001-architecture-hexagonale.md
- GitHub distribution ADR: ../../adr/0004-distribution-github-only.md