div0rce · div0rce · Apr 27, 2026 · Apr 28, 2026 · Apr 28, 2026 · Apr 28, 2026
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
@@ -1,5 +1,5 @@
 Status: Active
-Last updated: 2026-01-02
+Last updated: 2026-04-28
 
 # Pull Request Checklist
 
@@ -13,10 +13,9 @@ Last updated: 2026-01-02
 ## Testing
 
 - [ ] Not run (explain why)
-- [ ] `npm run check`
-- [ ] `npm test`
-- [ ] `npm run build`
-- [ ] `npm run ci:verify`
+- [ ] Targeted proof for changed surface:
+- [ ] `CHERRY_TMP_ROOT="$HOME/.cherry-tmp" CHERRY_VINE_SIGNATURE_MODE=enforce npm run verify:repo-closure`
+- [ ] `npm run test:db` (only for DB/env changes)
 
 ## Engine Impact
 

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -43,11 +43,5 @@ jobs:
       - name: Guardrails
         run: npm run check:guardrails
 
-      - name: Node runtime tests
-        run: npm run check:tests:node
-
-      - name: Next runtime tests
-        run: npm run check:tests:next
-
       - name: Verify CI truth
         run: npm run ci:verify
diff --git a/.github/workflows/n8n-notify.yml b/.github/workflows/n8n-notify.yml
@@ -0,0 +1,31 @@
+name: Notify n8n
+
+on:
+  workflow_run:
+    workflows:
+      - CI
+    types:
+      - completed
+
+jobs:
+  notify-n8n:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Send workflow result to n8n
+        env:
+          N8N_WEBHOOK_URL: ${{ secrets.N8N_WEBHOOK_URL }}
+          N8N_WEBHOOK_TOKEN: ${{ secrets.N8N_WEBHOOK_TOKEN }}
+        run: |
+          curl -X POST "$N8N_WEBHOOK_URL" \
+            -H "Authorization: Bearer $N8N_WEBHOOK_TOKEN" \
+            -H "Content-Type: application/json" \
+            -d '{
+              "event": "github.workflow.completed",
+              "repo": "${{ github.repository }}",
+              "workflow": "${{ github.event.workflow_run.name }}",
+              "status": "${{ github.event.workflow_run.conclusion }}",
+              "branch": "${{ github.event.workflow_run.head_branch }}",
+              "sha": "${{ github.event.workflow_run.head_sha }}",
+              "url": "${{ github.event.workflow_run.html_url }}"
+            }'
diff --git a/AGENTS.md b/AGENTS.md
@@ -1,5 +1,5 @@
 Status: Active
-Last updated: 2026-01-29
+Last updated: 2026-04-28
 
 # Cherry Agents — Canonical Operating Guide
 
@@ -93,14 +93,19 @@ Forbidden framings: “fronting card,” “proxy BIN,” “tap to pay with Che
   - `npx prisma format`
   - `npx prisma migrate dev --name <desc>`
   - `npx prisma generate`
-  - Run `npm run check`, `npm test`, and `npm run build`.
+  - Run the issue's acceptance commands, or the narrowest proof that covers schema, runtime, and build impact.
 - For docs: add `Status` + `Last updated`, split Current vs Future, add Related docs.
 
 ## PR Checklist (what each command proves)
 - `npm run check` → guardrails + lint + typecheck are green.
-- `npm test` → unit/guardrail tests green (Prisma mocked by loader).
+- `npm test` → partitioned full runtime suite: root legacy tests, `tests/node`, then `tests/next` (Prisma mocked by loader).
 - `npm run build` → Next.js build passes.
 - `npm run ci:verify` → mirrors CI entrypoint.
+- `npm run test:db` → DB/env tests only; not part of standard mocked runtime proof.
+- `npm run check:fast` → local guardrails + script typecheck only.
+- `npm run check:local` → `check:fast` plus partitioned runtime suite.
+- Full repo proof → `CHERRY_TMP_ROOT="$HOME/.cherry-tmp" CHERRY_VINE_SIGNATURE_MODE=enforce npm run verify:repo-closure`.
+- Agents must not run both `npm test` and `verify:repo-closure` unless explicitly required.
 - If schema changed: migrations apply and Prisma client is regenerated.
 
 ## Drift Policy

diff --git a/README.md b/README.md
@@ -45,13 +45,17 @@ npm run dev
 
 The repo runtime is Node 24.15.0. Use `.nvmrc` / `engines.node` as the source of truth, and keep PATH stable (e.g. `/usr/bin:/bin:/usr/local/bin`) so `rg`, `git`, and `node` resolve deterministically.
 
-## Health Gates (must pass before pushing)
+## Health Gates
 ```bash
-npm run check
-npm test
-npm run build
+CHERRY_TMP_ROOT="$HOME/.cherry-tmp" CHERRY_VINE_SIGNATURE_MODE=enforce npm run verify:repo-closure
 ```
 
+For day-to-day development, use the narrowest proof that covers the changed surface.
+`npm test` is the partitioned full runtime runner: root legacy tests, `tests/node`,
+then `tests/next`. Runtime ownership is enforced by
+`tests/node/guardrails/test-runner-ownership.test.ts`. DB tests remain separate under
+`npm run test:db`.
+
 ---
 
 ## Key Commands and Scripts
@@ -144,3 +148,4 @@ Always import Prisma from `@/lib/prisma` and validate inputs with Zod schemas in
 - Third-party typing gaps must be patched via `types/compat/**` with a documented audit boundary.
 - Tailwind tokens live in `app/globals.css`; prefer semantic utilities.
 - Keep lint/typecheck green; add focused tests when touching engine/sessions/ledger logic.
+test
diff --git a/app/api/automation/_auth.ts b/app/api/automation/_auth.ts
@@ -0,0 +1,34 @@
+import type { NextRequest } from 'next/server';
+import { NextResponse } from 'next/server';
+import { getStandardBearerHeader } from '../../../lib/http/bearer-token.js';
+
+export type AutomationAuthResult = { ok: true } | { ok: false; response: NextResponse };
+
+export function requireAutomationToken(request: NextRequest): AutomationAuthResult {
+  const expected = process.env['CHERRY_AUTOMATION_TOKEN'];
+  if (typeof expected !== 'string' || expected.trim().length === 0) {
+    return {
+      ok: false,
+      response: NextResponse.json(
+        { error: 'automation_token_not_configured' },
+        { status: 503 }
+      ),
+    };
+  }
+
+  const bearerHeader = getStandardBearerHeader(request.headers);
+  const headerToken = request.headers.get('x-cherry-automation-token');
+  const bearerToken =
+    bearerHeader !== null && bearerHeader.startsWith('Bearer ')
+      ? bearerHeader.slice('Bearer '.length)
+      : null;
+  const provided = bearerToken ?? headerToken;
+  if (provided !== expected) {
+    return {
+      ok: false,
+      response: NextResponse.json({ error: 'Unauthorized' }, { status: 401 }),
+    };
+  }
+
+  return { ok: true };
+}
diff --git a/app/api/automation/classify/pr/route.ts b/app/api/automation/classify/pr/route.ts
@@ -0,0 +1,41 @@
+import type { NextRequest } from 'next/server';
+import { NextResponse } from 'next/server';
+import {
+  AutomationEventIdempotencyConflictError,
+  classifyAndStorePrAutomation,
+} from '../../../../../lib/automation/events.js';
+import { ensureRouteConfigFromEnv } from '../../../../../lib/config/route.js';
+import { PrAutomationClassifySchema } from '../../../../../lib/schemas/automation.js';
+import { parseJsonBody } from '../../../../../lib/validation.js';
+import { requireAutomationToken } from '../../_auth.js';
+
+export async function POST(request: NextRequest): Promise<NextResponse> {
+  ensureRouteConfigFromEnv(process.env);
+
+  const auth = requireAutomationToken(request);
+  if (auth.ok === false) return auth.response;
+
+  const parsed = await parseJsonBody(request, PrAutomationClassifySchema);
+  if (parsed.ok === false) return parsed.response;
+
+  let result: Awaited<ReturnType<typeof classifyAndStorePrAutomation>>;
+  try {
+    result = await classifyAndStorePrAutomation(parsed.data);
+  } catch (error: unknown) {
+    if (error instanceof AutomationEventIdempotencyConflictError) {
+      return NextResponse.json(
+        { error: 'automation_event_idempotency_conflict' },
+        { status: 409 }
+      );
+    }
+    throw error;
+  }
+
+  return NextResponse.json({
+    ok: true,
+    created: result.created,
+    automationEventId: result.event.id,
+    outputHash: result.event.outputHash,
+    classifierOutput: result.classifierOutput,
+  });
+}
diff --git a/app/api/automation/events/route.ts b/app/api/automation/events/route.ts
@@ -0,0 +1,40 @@
+import type { NextRequest } from 'next/server';
+import { NextResponse } from 'next/server';
+import { AutomationEventIngestSchema } from '../../../../lib/schemas/automation.js';
+import {
+  AutomationEventIdempotencyConflictError,
+  storeAutomationEvent,
+} from '../../../../lib/automation/events.js';
+import { ensureRouteConfigFromEnv } from '../../../../lib/config/route.js';
+import { parseJsonBody } from '../../../../lib/validation.js';
+import { requireAutomationToken } from '../_auth.js';
+
+export async function POST(request: NextRequest): Promise<NextResponse> {
+  ensureRouteConfigFromEnv(process.env);
+
+  const auth = requireAutomationToken(request);
+  if (auth.ok === false) return auth.response;
+
+  const parsed = await parseJsonBody(request, AutomationEventIngestSchema);
+  if (parsed.ok === false) return parsed.response;
+
+  let result: Awaited<ReturnType<typeof storeAutomationEvent>>;
+  try {
+    result = await storeAutomationEvent(parsed.data);
+  } catch (error: unknown) {
+    if (error instanceof AutomationEventIdempotencyConflictError) {
+      return NextResponse.json(
+        { error: 'automation_event_idempotency_conflict' },
+        { status: 409 }
+      );
+    }
+    throw error;
+  }
+
+  return NextResponse.json({
+    ok: true,
+    created: result.created,
+    automationEventId: result.event.id,
+    outputHash: result.event.outputHash,
+  });
+}
diff --git a/app/api/automation/replay/route.ts b/app/api/automation/replay/route.ts
@@ -0,0 +1,33 @@
+import type { NextRequest } from 'next/server';
+import { NextResponse } from 'next/server';
+import { replayAutomationEvent } from '../../../../lib/automation/events.js';
+import { ensureRouteConfigFromEnv } from '../../../../lib/config/route.js';
+import { AutomationReplaySchema } from '../../../../lib/schemas/automation.js';
+import { parseJsonBody } from '../../../../lib/validation.js';
+import { requireAutomationToken } from '../_auth.js';
+
+export async function POST(request: NextRequest): Promise<NextResponse> {
+  ensureRouteConfigFromEnv(process.env);
+
+  const auth = requireAutomationToken(request);
+  if (auth.ok === false) return auth.response;
+
+  const parsed = await parseJsonBody(request, AutomationReplaySchema);
+  if (parsed.ok === false) return parsed.response;
+
+  const result = await replayAutomationEvent(
+    parsed.data.automationEventId,
+    parsed.data.classifierVersion
+  );
+  if (result === null) {
+    return NextResponse.json({ error: 'automation_event_not_found' }, { status: 404 });
+  }
+
+  return NextResponse.json({
+    ok: true,
+    automationEventId: result.event.id,
+    outputHash: result.outputHash,
+    matches: result.matches,
+    reason: result.reason,
+  });
+}
diff --git a/app/api/automation/simulation-snapshots/compare/route.ts b/app/api/automation/simulation-snapshots/compare/route.ts
@@ -0,0 +1,41 @@
+import type { NextRequest } from 'next/server';
+import { NextResponse } from 'next/server';
+import {
+  SimulationSnapshotIdempotencyConflictError,
+  compareAndStoreSimulationSnapshot,
+} from '../../../../../lib/automation/events.js';
+import { ensureRouteConfigFromEnv } from '../../../../../lib/config/route.js';
+import { SimulationSnapshotCompareSchema } from '../../../../../lib/schemas/automation.js';
+import { parseJsonBody } from '../../../../../lib/validation.js';
+import { requireAutomationToken } from '../../_auth.js';
+
+export async function POST(request: NextRequest): Promise<NextResponse> {
+  ensureRouteConfigFromEnv(process.env);
+
+  const auth = requireAutomationToken(request);
+  if (auth.ok === false) return auth.response;
+
+  const parsed = await parseJsonBody(request, SimulationSnapshotCompareSchema);
+  if (parsed.ok === false) return parsed.response;
+
+  let result: Awaited<ReturnType<typeof compareAndStoreSimulationSnapshot>>;
+  try {
+    result = await compareAndStoreSimulationSnapshot(parsed.data);
+  } catch (error: unknown) {
+    if (error instanceof SimulationSnapshotIdempotencyConflictError) {
+      return NextResponse.json(
+        { error: 'simulation_snapshot_idempotency_conflict' },
+        { status: 409 }
+      );
+    }
+    throw error;
+  }
+
+  return NextResponse.json({
+    ok: true,
+    created: result.created,
+    snapshotId: result.snapshot.id,
+    outputHash: result.snapshot.outputHash,
+    comparisonOutput: result.comparisonOutput,
+  });
+}
diff --git a/app/api/automation/statuses/github/retry/route.ts b/app/api/automation/statuses/github/retry/route.ts
@@ -0,0 +1,50 @@
+import type { NextRequest } from 'next/server';
+import { NextResponse } from 'next/server';
+import {
+  GithubStatusRetryNotFoundError,
+  retryGithubStatus,
+} from '../../../../../../lib/automation/github-status.js';
+import { ensureRouteConfigFromEnv } from '../../../../../../lib/config/route.js';
+import { GithubStatusRetrySchema } from '../../../../../../lib/schemas/automation.js';
+import { parseJsonBody } from '../../../../../../lib/validation.js';
+import { requireAutomationToken } from '../../../_auth.js';
+
+export async function POST(request: NextRequest): Promise<NextResponse> {
+  ensureRouteConfigFromEnv(process.env);
+
+  const auth = requireAutomationToken(request);
+  if (auth.ok === false) return auth.response;
+
+  const parsed = await parseJsonBody(request, GithubStatusRetrySchema);
+  if (parsed.ok === false) return parsed.response;
+
+  try {
+    const result = await retryGithubStatus(parsed.data, {
+      githubToken: process.env['GITHUB_TOKEN'] ?? '',
+    });
+    return NextResponse.json({
+      ok: true,
+      retried: result.retried,
+      statusCheck: result.statusCheck,
+    });
+  } catch (error: unknown) {
+    if (error instanceof GithubStatusRetryNotFoundError) {
+      return NextResponse.json({ error: 'github_status_not_found' }, { status: 404 });
+    }
+    const statusCheck = (error as { statusCheck?: unknown }).statusCheck;
+    const message = error instanceof Error ? error.message : 'github_status_retry_failed';
+    const status = /forbidden Cherry finance endpoint|Unsupported GitHub status context/.test(
+      message
+    )
+      ? 400
+      : 502;
+    return NextResponse.json(
+      {
+        ok: false,
+        error: message,
+        statusCheck,
+      },
+      { status }
+    );
+  }
+}