CI gates
CI gates are the blocking checks applied to every PR and every push to main. Any PR must pass them to be merged.
Workflows: .github/workflows/ci.yml, .github/workflows/release.yml, .github/workflows/scorecard.yml.
Gates overview
| Gate | Source | Blocking |
|---|---|---|
| Public files guard | git ls-files filter | yes |
| Public docs guard | scripts/check-public-docs.mjs | yes |
| Docs link check | scripts/check-doc-links.mjs | yes |
| DCO sign-off | tim-actions/dco | yes |
| Secret scan | gitleaks | yes |
| ShellCheck | shellcheck on scripts/*.sh | yes |
| Lint | eslint --max-warnings=0 | yes |
| Architecture boundaries | scripts/check-architecture-boundaries.mjs | yes |
| Line-count | scripts/check-line-counts.mjs | yes |
| Typecheck | tsc --noEmit | yes |
| Unit tests | vitest run | yes |
| Build | npm run build | yes |
| License check | scripts/check-licenses.mjs | yes |
| SBOM | cyclonedx-npm | yes |
| OSSF Scorecard | scorecard-action (weekly) | non-blocking, posture metric |
Public files guard
Refuses internal files in the Git index:
- .input/ (private workspace, gitignored)
- .claude/ (Claude Code config, gitignored except for a few allowed files)
- AGENTS.md, CLAUDE.md (internal guides, excluded from the public repo by scripts/init-public-repo.sh)
- agents/, .codex/, .gitnexus/ (local state)
If one of these files appears in git ls-files, the job fails.
Public docs guard
scripts/check-public-docs.mjs analyzes all .md files under docs/ (plus the root README*, ROADMAP, SECURITY and CONTRIBUTING):
- Forbidden file names: AGENT-* patterns (except AGENT-INSTALL), AUDITOR-*, DISPATCH-*.
- Forbidden content: references to internal dispatch briefs, retired WIP folders, and other internal orchestration artifacts.
To pass: remove/rename offending files, or remove the textual mention.
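The two guards above reduce to a path filter and a content filter. The following is an added example written for this page, not the project's own guard scripts: both checks as pure functions over constructed input, so they can be unit-tested without a git checkout. The path prefixes, file names and the AGENT-*/AUDITOR-*/DISPATCH-* patterns are the ones listed above; the .claude/ allowlist (TRACKED_EXCEPTIONS), the forbidden phrases and the sample inputs are assumptions for illustration.

```javascript
// Added example, not the project's own guard scripts. Assumed: the .claude/
// allowlist, the forbidden phrases and the sample inputs at the bottom.

// --- Public files guard -------------------------------------------------------
const FORBIDDEN_PREFIXES = ['.input/', '.claude/', 'agents/', '.codex/', '.gitnexus/'];
const FORBIDDEN_FILES = ['AGENTS.md', 'CLAUDE.md'];
const TRACKED_EXCEPTIONS = ['.claude/settings.json']; // assumed allowlist

// lsFilesOutput: the text `git ls-files` prints, one path per line.
// Returns the tracked paths that must not be in the public index.
function findForbiddenTrackedFiles(lsFilesOutput) {
  return lsFilesOutput
    .split('\n')
    .map((p) => p.trim())
    .filter((p) => p && !TRACKED_EXCEPTIONS.includes(p))
    .filter((p) => FORBIDDEN_FILES.includes(p) || FORBIDDEN_PREFIXES.some((pre) => p.startsWith(pre)));
}

// --- Public docs guard --------------------------------------------------------
// AGENT-* except AGENT-INSTALL, AUDITOR-*, DISPATCH-*, matched on the base name.
const FORBIDDEN_DOC_NAME = /^(AGENT-(?!INSTALL\b)|AUDITOR-|DISPATCH-)/;
const FORBIDDEN_PHRASES = ['dispatch brief', 'wip/']; // assumed; the real list lives in the script

// docs: { 'docs/page.md': markdownText, ... } keyed by repo-relative path.
// Returns one message per violation; an empty array means the gate passes.
function checkPublicDocs(docs) {
  const violations = [];
  for (const [path, text] of Object.entries(docs)) {
    const base = path.slice(path.lastIndexOf('/') + 1);
    if (FORBIDDEN_DOC_NAME.test(base)) violations.push(`${path}: forbidden file name`);
    text.split('\n').forEach((line, i) => {
      const lower = line.toLowerCase();
      for (const phrase of FORBIDDEN_PHRASES) {
        if (lower.includes(phrase)) violations.push(`${path}:${i + 1}: mentions "${phrase}"`);
      }
    });
  }
  return violations;
}

// Constructed sample inputs (not taken from the repository).
const SAMPLE_LS_FILES = [
  'README.md', 'src/core/order.ts', '.claude/settings.json',
  '.input/notes.md', 'AGENTS.md', 'agents/planner.json',
].join('\n');
const SAMPLE_DOCS = {
  'docs/AGENT-INSTALL.md': '# Install\n',
  'docs/AGENT-NOTES.md': '# Notes\n',
  'docs/guide/ci-gates.md': '# CI gates\n\nSee the dispatch brief for details.\n',
};

console.log(findForbiddenTrackedFiles(SAMPLE_LS_FILES)); // .input/notes.md, AGENTS.md, agents/planner.json
console.log(checkPublicDocs(SAMPLE_DOCS));               // AGENT-NOTES.md (name), ci-gates.md:3 (phrase)
```

In a real gate the wrapper would feed `git ls-files` output and the docs tree to these functions and exit non-zero on any result; the allowed exception `.claude/settings.json` passes while `.input/notes.md`, `AGENTS.md` and `agents/planner.json` are reported, and `AGENT-INSTALL.md` is accepted while `AGENT-NOTES.md` is not.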
Docs link check
scripts/check-doc-links.mjs validates markdown links:
- Each inline markdown link must point to an existing file.
- Each anchored link must point to an existing section in the target file.
- External URLs (http://, https://, mailto:) are ignored.
To pass: fix or remove broken links. Mention files that do not exist yet in inline code, not as live links.
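The three rules above, applied to an in-memory file map. This is an added example for this page, not scripts/check-doc-links.mjs: it resolves relative targets with WHATWG URL resolution and checks `#anchors` against heading slugs. The GitHub-style slug rule (lowercase, punctuation stripped, spaces to hyphens) and the sample tree are assumptions about the real script, not something the page states.

```javascript
// Added example, not scripts/check-doc-links.mjs. Assumed: the heading slug
// rule and the constructed sample tree at the bottom.

const EXTERNAL_URL = /^(https?:|mailto:)/i;
const MD_LINK = /\[[^\]]*\]\(([^)\s]+)\)/g; // [text](target), captures target

// "## Some Heading!" -> "some-heading" (GitHub-style, assumed)
function slugify(heading) {
  return heading.trim().toLowerCase().replace(/[^\w\s-]/g, '').replace(/\s+/g, '-');
}

// Set of anchor slugs for every ATX heading in a markdown document.
function headingSlugs(markdown) {
  const slugs = new Set();
  for (const line of markdown.split('\n')) {
    const m = /^#{1,6}\s+(.+)$/.exec(line);
    if (m) slugs.add(slugify(m[1]));
  }
  return slugs;
}

// files: { 'docs/guide/ci-gates.md': markdownText, ... } keyed by repo-relative path.
// Returns one message per broken link; an empty array means the gate passes.
function checkDocLinks(files) {
  const errors = [];
  for (const [file, text] of Object.entries(files)) {
    for (const m of text.matchAll(MD_LINK)) {
      const target = m[1];
      if (EXTERNAL_URL.test(target)) continue;        // rule 3: external URLs ignored
      // URL resolution handles ./, ../ and the #fragment relative to the linking file.
      const url = new URL(target, 'file:///' + file);
      const resolved = decodeURIComponent(url.pathname.slice(1));
      if (!(resolved in files)) {                       // rule 1: target file must exist
        errors.push(`${file}: link to missing file ${target}`);
        continue;
      }
      if (url.hash) {                                   // rule 2: section must exist
        const anchor = decodeURIComponent(url.hash.slice(1));
        if (!headingSlugs(files[resolved]).has(anchor)) {
          errors.push(`${file}: no section "#${anchor}" in ${resolved}`);
        }
      }
    }
  }
  return errors;
}

// Constructed sample tree (not the repository's docs).
const SAMPLE_FILES = {
  'docs/guide/ci-gates.md': [
    '# CI gates',
    'Scripts: [scripts-ci](../reference/scripts-ci.md)',
    'ADR: [0001](../../adr/0001-architecture-hexagonale.md#decision)',
    'Broken file: [todo](missing.md)',
    'Broken anchor: [nope](../reference/scripts-ci.md#nothing-here)',
    'External: [issues](https://example.invalid/issues) and [mail](mailto:sec@example.invalid)',
  ].join('\n'),
  'docs/reference/scripts-ci.md': '# Scripts CI\n\n## Overview\n',
  'adr/0001-architecture-hexagonale.md': '# ADR 0001\n\n## Decision\n',
};

console.log(checkDocLinks(SAMPLE_FILES)); // two errors: missing.md and #nothing-here
```

The two valid links resolve through `../` and `../../` and the `#decision` anchor is found in the ADR's headings; the external and mailto links are skipped, and only the missing file and the missing section are reported.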
DCO sign-off
Each commit must carry a Signed-off-by: Name <email> trailer (what git commit -s adds). The DCO attests that you have the right to submit the contribution under the project's license.
To pass:
- Always use git commit -s (create an alias if needed).
- If you forgot the sign-off: git commit --amend -s for the last commit, or git rebase -i HEAD~N --signoff for several.
Secret scan (gitleaks)
gitleaks/gitleaks-action scans the PR's commits for API keys, tokens and passwords. For a false positive, add the finding's fingerprint (gitleaks prints it alongside the finding) to .gitleaksignore. If the finding is real, treat the secret as compromised and rotate it: deleting or rewriting the commit does not undo the exposure.
Architecture boundaries
scripts/check-architecture-boundaries.mjs validates that imports respect the boundaries defined in ADR 0001. Any violation (for example core/ importing adapters/) blocks CI.
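An import-boundary check is an allowed-dependency table plus a resolver for relative specifiers. The following is an added example for this page, not scripts/check-architecture-boundaries.mjs: the only rule the page states is that core/ must not import adapters/; the other layer names (ports, app), their allowed edges, the `src/<layer>/` layout and the sample sources are assumptions for illustration and not the content of ADR 0001.

```javascript
// Added example, not scripts/check-architecture-boundaries.mjs. Assumed: every
// layer except core, the allowed edges, the src/<layer>/ layout, the samples.

// Allowed outward edges: layer -> layers it may import (itself is always allowed).
const LAYER_RULES = {
  core: [],                           // the page's rule: core/ imports nothing outward
  ports: ['core'],                    // assumed
  adapters: ['core', 'ports'],        // assumed
  app: ['core', 'ports', 'adapters'], // assumed composition root
};

// Captures the specifier of `import x from '…'`, `import '…'` and `require('…')`.
const IMPORT_SPEC = /(?:\bfrom\s*|\bimport\s*|\brequire\s*\(\s*)['"]([^'"]+)['"]/g;

// 'src/core/order.ts' -> 'core'; files outside src/<layer>/ are not checked.
function layerOf(path) {
  const m = /^src\/([^/]+)\//.exec(path);
  return m ? m[1] : null;
}

// files: { 'src/core/order.ts': sourceText, ... }
// Returns [{ file, spec, from, to }] for every import that crosses a forbidden edge.
function checkArchitectureBoundaries(files) {
  const violations = [];
  for (const [file, source] of Object.entries(files)) {
    const from = layerOf(file);
    if (!from || !(from in LAYER_RULES)) continue;
    for (const m of source.matchAll(IMPORT_SPEC)) {
      const spec = m[1];
      if (!spec.startsWith('.')) continue;           // bare package import, not a layer
      // URL resolution turns ./ and ../ into a repo-relative path.
      const target = new URL(spec, 'file:///' + file).pathname.slice(1);
      const to = layerOf(target);
      if (to && to !== from && !LAYER_RULES[from].includes(to)) {
        violations.push({ file, spec, from, to });
      }
    }
  }
  return violations;
}

// Constructed sample sources (not the project's code).
const SAMPLE_SOURCES = {
  'src/core/order.ts':   "import { Money } from './money';\nimport { Db } from '../adapters/db';\n",
  'src/adapters/db.ts':  "import { Order } from '../core/order';\nimport pg from 'pg';\n",
  'src/app/main.ts':     "import { Db } from '../adapters/db';\nrequire('../core/order');\n",
};

console.log(checkArchitectureBoundaries(SAMPLE_SOURCES)); // one violation: core -> adapters
```

Only `src/core/order.ts` importing `../adapters/db` is reported: the sibling import inside core, the adapter depending on core, the bare `pg` package and the app layer wiring adapters are all allowed under the assumed table.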
Line-count
scripts/check-line-counts.mjs refuses monolithic files above a threshold (typically 1000-1500 lines depending on the file type), forcing a split into cohesive modules.
License check
scripts/check-licenses.mjs checks that every dependency uses a license compatible with Apache 2.0 (the project's license). Unauthorized copyleft licenses (GPL, AGPL) are refused.
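Dependency licenses are SPDX expressions, and a naive string match gets the dual-licensed case wrong in both directions: `(MIT OR GPL-3.0-only)` is acceptable because you may take the MIT option, while `MIT AND LGPL-2.1-only` is not just because MIT appears in it. The block below is an added example for this page, not scripts/check-licenses.mjs: it evaluates OR/AND/parentheses against an allowlist. The allowlist itself and the sample dependency tree are assumptions; the page only says the project is Apache 2.0 and that GPL/AGPL are refused.

```javascript
// Added example, not scripts/check-licenses.mjs. Assumed: ALLOWED_LICENSES and
// the constructed SAMPLE_DEPS. Operators are expected uppercase, as npm writes them.

const ALLOWED_LICENSES = new Set([
  'MIT', 'ISC', '0BSD', 'BSD-2-Clause', 'BSD-3-Clause', 'Apache-2.0', 'CC0-1.0',
]);

// Index of the ')' that closes the '(' at position `open`, or -1.
function matchingParen(expr, open) {
  let depth = 0;
  for (let i = open; i < expr.length; i++) {
    if (expr[i] === '(') depth++;
    else if (expr[i] === ')' && --depth === 0) return i;
  }
  return -1;
}

// Split on `op` (e.g. ' OR ') only at parenthesis depth 0.
function splitTopLevel(expr, op) {
  const parts = [];
  let depth = 0, start = 0;
  for (let i = 0; i < expr.length; i++) {
    const c = expr[i];
    if (c === '(') depth++;
    else if (c === ')') depth--;
    else if (depth === 0 && expr.startsWith(op, i)) {
      parts.push(expr.slice(start, i));
      i += op.length - 1;
      start = i + 1;
    }
  }
  parts.push(expr.slice(start));
  return parts;
}

// True if the SPDX expression can be satisfied using only allowed licenses:
// "A OR B" needs one allowed option, "A AND B" needs all of them.
// A missing or unknown license (including "X WITH exception") is not allowed.
function isAllowedExpression(expr) {
  if (!expr) return false;
  const e = expr.trim();
  if (e.startsWith('(') && matchingParen(e, 0) === e.length - 1) {
    return isAllowedExpression(e.slice(1, -1));
  }
  const orParts = splitTopLevel(e, ' OR ');
  if (orParts.length > 1) return orParts.some(isAllowedExpression);
  const andParts = splitTopLevel(e, ' AND ');
  if (andParts.length > 1) return andParts.every(isAllowedExpression);
  return ALLOWED_LICENSES.has(e);
}

// deps: { name: { version, license } } as reported by the package metadata.
// Returns the dependencies the gate would refuse.
function findDisallowedLicenses(deps) {
  return Object.entries(deps)
    .filter(([, meta]) => !isAllowedExpression(meta.license))
    .map(([name, meta]) => ({ name, version: meta.version, license: meta.license ?? 'UNKNOWN' }));
}

// Constructed sample dependency tree (not the project's real dependencies).
const SAMPLE_DEPS = {
  'tiny-util':  { version: '1.0.0', license: 'MIT' },
  'dual':       { version: '2.1.0', license: '(MIT OR GPL-3.0-only)' },
  'copyleft':   { version: '0.4.0', license: 'AGPL-3.0-only' },
  'mixed':      { version: '3.0.0', license: '(MIT OR GPL-2.0-only) AND LGPL-2.1-only' },
  'nolicense':  { version: '0.1.0' },
};

console.log(findDisallowedLicenses(SAMPLE_DEPS)); // copyleft, mixed, nolicense
```

`dual` passes because the MIT branch of the OR satisfies the allowlist; `mixed` fails because the AND requires LGPL-2.1-only as well; `nolicense` fails closed, which is the safe default for a blocking gate.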
SBOM
cyclonedx-npm generates a Software Bill of Materials for the root, the UI and cortex-lite. It is validated in CI and distributed with releases.
OSSF Scorecard
Weekly measurement (Monday) of supply-chain posture (signing, dependencies, hygiene). Non-blocking; the score is displayed publicly on the GitHub Security tab.
See also
- Scripts in detail: ../reference/scripts-ci
- Hexagonal architecture ADR: ../../adr/0001-architecture-hexagonale.md
- GitHub distribution ADR: ../../adr/0004-distribution-github-only.md