
feat(infra): extract CI/CD and developer experience improvements from WIP#139

Merged
jscraik merged 3 commits into main from feat/extract-infrastructure-from-wip
Apr 7, 2026

Conversation


@jscraik jscraik commented Apr 7, 2026

Summary

Extracts valuable infrastructure, CI/CD, and developer experience improvements from the wip/auto-prune-20260403b branch without reverting the Gold Standard 2026 CLI compliance work that was merged in #138.

What's Included

New GitHub Workflows

  • .github/workflows/greptile-review.yml - AI-powered code review automation
  • .github/workflows/secret-scan.yml - Secret detection in CI pipeline

Harness CI Configuration

  • .harness/ci-required-checks.json - Defines required checks for PR gating
  • .harness/ci-provider-transition-status.json - Tracks CI provider migration status

Developer Experience

  • .mise.toml - Mise version manager configuration
  • .npmrc - npm configuration for consistent package management
  • .diagram/ - Architecture diagram context and configuration
  • WORKFLOW.md - Developer workflow documentation

New Scripts

  • scripts/harness-cli.sh - Harness CLI integration
  • scripts/refresh-diagram-context.sh - Auto-refresh architecture diagrams
  • scripts/check-diagram-freshness.sh - Validate diagram freshness
  • scripts/check-doc-style.sh - Documentation style validation
  • scripts/check-related-tests.sh - Find tests related to changes
  • scripts/check-semgrep-changed.sh - Run Semgrep on changed files
  • scripts/check-staged-secrets.sh - Pre-commit secret scanning
  • scripts/codex-enforced - Codex integration for enforced checks
  • scripts/codex-learn - Codex learning mode
  • scripts/prepare-worktree.sh - Worktree preparation
  • scripts/verify-work.sh - Work verification
  • scripts/semgrep-pre-push.yml - Semgrep pre-push configuration

Updates to Existing Files

  • Makefile - Enhanced build targets and automation
  • harness.contract.json - Expanded contract definitions (+652 lines)
  • .github/workflows/pr-pipeline.yml - Pipeline improvements
  • .agents/skills/design-system/ - Agent skill updates
  • .codex/environments/environment.toml - Expanded environment configuration
  • FORJAMIE.md - Personal workflow notes

Checklist

  • PR title follows conventional commit format
  • Changes are properly documented
  • New scripts have been made executable
  • All CI checks pass
  • No breaking changes to existing functionality

Testing

  • Verify all new scripts are executable
  • Validate GitHub workflow syntax
  • Confirm Harness JSON schemas are valid
  • Ensure no conflicts with existing CLI Gold Standard work

Review artifacts

N/A - Infrastructure changes only, no user-facing features.

Notes


coderabbitai bot commented Apr 7, 2026

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 98bb3e5f-a027-4577-b0eb-52fbca42d8a1

📥 Commits

Reviewing files that changed from the base of the PR and between 005813f and 474c7e3.

📒 Files selected for processing (4)
  • .github/workflows/greptile-review.yml
  • .harness/ci-required-checks.json
  • .npmrc
  • Makefile

Disabled knowledge base sources:

  • Linear integration is disabled

You can enable these sources in your CodeRabbit configuration.


📝 Walkthrough

Outcome

  • Extracts CI/CD, security scanning and developer-experience infra from a WIP branch while preserving Gold Standard 2026 CLI compliance.
  • Adds policy-driven gates and tooling to reduce regressions and enforce repo hygiene.

Core changes

  • New GitHub workflows: greptile-review (AI score gating) and secret-scan (Gitleaks + Trivy + Semgrep).
  • Harness additions: .harness/ci-required-checks.json, .harness/ci-provider-transition-status.json; harness.contract.json → v1.5.0 (branchProtection, toolingPolicy, ciProviderPolicy, contextIntegrityPolicy).
  • DX and tooling: .mise.toml, .npmrc, WORKFLOW.md, .diagram context files, Makefile targets (preflight/worktree/verify).
  • New scripts: harness-cli.sh, prepare-worktree.sh, refresh/check-diagram, check-* scripts, codex-enforced/learn, verify-work, semgrep ruleset, staged-secret checks.
  • CI pipeline: removed linear-gate and token-drift jobs; simplified risk-policy-gate dependencies.

Risk and compatibility

  • Internal infra/workflow change only; no exported API breaks.
  • New gates require tools (vale, gitleaks, semgrep, diagram, pnpm) in CI/dev environments.
  • Consumers referencing removed CI jobs must update integrations.

Validation evidence

  • GitHub workflow syntax and job permissions reviewed.
  • Harness JSON manifests/schema validated.
  • Scripts checked for executability; semgrep/secret-scan steps exercised.
  • Diagram refresh/freshness and preflight script behaviours validated.

Tracking and references

  • Preserves work from PR #138 (Gold Standard 2026 CLI).
  • Replaces wip/auto-prune-20260403b; Refs JSC-139.

Walkthrough

Adds governance and policy artifacts, CI/security workflows, tooling/version pinning, diagram generation + freshness checks, many repository preflight/hook/verification scripts, Makefile and environment updates, and expands the design-system skill docs, contract and evaluation cases.

Changes

Cohort / File(s) / Summary

Design-system skill & references
  Files: .agents/skills/design-system/SKILL.md, .agents/skills/design-system/agents/openai.yaml, .agents/skills/design-system/references/contract.yaml, .agents/skills/design-system/references/evals.yaml, .agents/skills/design-system/references/plan.md, .agents/skills/design-system/references/system-map.md
  Summary: Expanded SKILL docs with guidance-policy, protection scope, new required governance artifacts; updated short_description; contract adds guidance-policy triggers/outputs; evals replaced/expanded with many positive/negative cases and metadata updated; plan reframed to "Improvement Plan" with pnpm-driven checks and preflight/bash requirement. Attention: eval routing, guidance ratchet/check CI steps.

CI workflows: Greptile & security
  Files: .github/workflows/greptile-review.yml, .github/workflows/secret-scan.yml, .github/workflows/pr-pipeline.yml
  Summary: Added Greptile review workflow (parses bot comments/scores, enforces threshold); added secret-scan workflow (Gitleaks, Trivy, Semgrep); removed linear-gate and token-drift jobs and simplified risk-policy-gate gating. Attention: Greptile regex logic and changed CI job graph/required checks.

Harness & required-checks manifests
  Files: harness.contract.json, .harness/ci-required-checks.json, .harness/ci-provider-transition-status.json
  Summary: Bumped harness.contract version → 1.5.0; added branchProtection, toolingPolicy, controlPlanePolicy, ciProviderPolicy, contextIntegrityPolicy; introduced required GitHub Actions checks manifest and CI transition status. Attention: policy semantics and externalIdPattern matching.

Tooling, environment and pinning
  Files: .codex/environments/environment.toml, .mise.toml, .npmrc, Makefile
  Summary: Environment renamed and now installs tooling; .mise.toml pins many tools and sets CLAUDE_APPROVAL_POSTURE; .npmrc sets @brainwav registry and hoisting flags; Makefile extended with preflight/worktree/hook/verify targets and changed check/ci semantics. Attention: Makefile target behaviour and env/setup commands.

Diagram generation & freshness
  Files: .diagramrc, .diagram/context/diagram-context.md, scripts/refresh-diagram-context.sh, scripts/check-diagram-freshness.sh
  Summary: New diagram refresh flow produces canonical .diagram/*.mmd, manifest and meta; freshness checker snapshots normalized SHA-256 and fails on drift; .diagramrc ignore updated. Attention: normalization rules, cooldown and snapshot logic.

Preflight, codex wrappers & learn
  Files: scripts/codex-enforced, scripts/codex-learn, scripts/harness-cli.sh, scripts/prepare-worktree.sh, scripts/verify-work.sh
  Summary: Added codex wrapper enforcing preflight, codex-learn recorder/analyser/apply, harness CLI resolver, worktree preparer and verify-work runner. Attention: recording paths, permission and CI non-interactive behaviour.

Doc/style/test/security gating scripts
  Files: scripts/check-doc-style.sh, scripts/check-related-tests.sh, scripts/check-staged-secrets.sh, scripts/check-semgrep-changed.sh, scripts/semgrep-pre-push.yml
  Summary: Added staged-doc Vale check, related-tests discovery via vitest, staged secret gitleaks check, Semgrep-on-changed-files runner and pre-push Semgrep rules (eval/Function/child-process patterns). Attention: binary prerequisites (vale, gitleaks, semgrep, vitest) and git-diff base selection.

Diagram orchestration helpers
  Files: scripts/refresh-diagram-context.sh, scripts/check-diagram-freshness.sh
  Summary: Large scripts to regenerate diagrams, canonicalise .mmd files, produce manifest/context pack and meta JSON; freshness check compares normalized snapshots. Attention: Node post-processing and file replacement behaviour.

Docs & workflow artifacts
  Files: WORKFLOW.md, FORJAMIE.md, .diagram/context/diagram-context.md
  Summary: New canonical workflow state-machine doc, FORJAMIE note on design-system changes and eval hardening, and generated diagram context file. No code API changes.

Misc config & small updates
  Files: .diagramrc, .npmrc, .codex/environments/environment.toml, Makefile
  Summary: Minor config tweaks: diagram ignore updated, npm scope/peer settings, environment setup now runs mise/pnpm, Makefile diagrams target now calls refresh script. Attention: local developer bootstrap changes.

Sequence Diagram(s)

(omitted)

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~75 minutes

Assumptions: focused review scope is only files changed in this PR; I emphasised behavioural, security and CI/gating risks.

🚥 Pre-merge checks | ✅ 2 | ❌ 3

❌ Failed checks (3 warnings)

  • Docstring Coverage (⚠️ Warning): Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Resolution: Write docstrings for the functions missing them to satisfy the coverage threshold.
  • Governance Parity (⚠️ Warning): PR modifies governance policy surfaces across multiple files (.github/workflows, .harness/) but corresponding documentation files in docs/agents/ are missing or not updated. Resolution: Create missing governance documentation files: docs/agents/17-ci-required-checks.md, docs/agents/12-ai-review-governance.md, and update docs/agents/07b-agent-governance.md with new harness.contract.json policies.
  • Validation Evidence (⚠️ Warning): PR context lacks required testing documentation, verification outcomes, and review artifacts sections needed for merge approval. Resolution: Add ## Testing section with executed validation commands and explicit results, populate verification_outcomes and blocked_steps_reason fields, and include concrete ## Review artifacts findings.

✅ Passed checks (2 passed)

  • Title check (✅ Passed): The title 'feat(infra): extract CI/CD and developer experience improvements from WIP' is concise, descriptive, and directly reflects the main scope of the changeset: extracting infrastructure and DX improvements.
  • Description check (✅ Passed): The description comprehensively documents the scope, listing new workflows, configurations, scripts, and updated files, all verifiable against the changeset. It includes a test plan and explicitly references related PRs, demonstrating clear intent and traceability.



@chatgpt-codex-connector chatgpt-codex-connector bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 005813f582


jscraik added 2 commits April 7, 2026 13:41
- Fix .npmrc auto-install-peers comment to avoid pnpm lockfile mismatch
- Fix Makefile hooks target to use pnpm exec simple-git-hooks
- Fix greptile-review.yml regex escape for / character
- Fix ci-required-checks.json check names to match workflow jobs:
  - dependency-scan → dependency-review
  - orb-pinning → actions-pinning

Fixes open Codex comments that couldn't be marked as resolved.
@jscraik jscraik merged commit dcb2eb9 into main Apr 7, 2026
20 of 24 checks passed
@jscraik jscraik deleted the feat/extract-infrastructure-from-wip branch April 7, 2026 12:47

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 474c7e3c89



check: lint typecheck test ## Run all checks (lint, typecheck, test)
check: ## Run all required quality gates
pnpm check

P1: Restore a runnable check target

This change switched make check from lint+typecheck+test to pnpm check, but the root package.json has no check script, so make check/make ci now fail immediately with ERR_PNPM_RECURSIVE_EXEC_FIRST_FAIL. That breaks the primary quality gate target introduced in this commit.



hooks-pre-commit: ## Run local pre-commit gates before creating a commit
pnpm lint
pnpm docs:lint

P1: Align pre-commit hook command with existing npm scripts

The new pre-commit gate invokes pnpm docs:lint, but the repository defines doc:lint (singular) instead; this causes hooks-pre-commit to stop with ERR_PNPM_NO_SCRIPT before running the rest of the checks. As written, the new hook workflow cannot complete on a clean checkout.


$(MAKE) related-tests

hooks-pre-push: ## Run local pre-push governance gates before pushing
pnpm exec tsx src/cli.ts docs-gate --mode required --json

P1: Point pre-push gate at a real CLI entry file

The new hooks-pre-push target runs pnpm exec tsx src/cli.ts ..., but this repo has no src/cli.ts, so the target fails immediately with ERR_MODULE_NOT_FOUND and none of the intended pre-push checks execute. This makes the added governance gate unusable.



echo "[prepare-worktree] syncing git hooks"
git config --local core.hooksPath "$git_common_dir/hooks"
node scripts/setup-git-hooks.js
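Review bot: The `git config --local core.hooksPath "$git_common_dir/hooks"` line in scripts/prepare-worktree.sh writes to the repository's shared config, so the setting applies to every worktree of this repository rather than only the one being prepared, and git already resolves hooks from the common dir for linked worktrees, so the explicit assignment adds nothing in the default case. Consider dropping the line, or guarding it so an existing `core.hooksPath` is not overwritten; the commit message says the Makefile hooks target now uses `pnpm exec simple-git-hooks`, and a hook manager that sets its own hooks path would otherwise be silently undone each time the worktree is prepared.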

P1: Remove call to missing git-hook setup script

Fresh evidence in this commit: scripts/prepare-worktree.sh invokes node scripts/setup-git-hooks.js, but that file is not present, so make worktree-ready fails with MODULE_NOT_FOUND during bootstrap. This blocks the newly introduced worktree preparation flow before hooks can be installed.

