Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
18 changes: 18 additions & 0 deletions .githooks/pre-commit
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
#!/bin/sh
set -eu

branch="$(git symbolic-ref --quiet --short HEAD || true)"
case "$branch" in
main|master)
echo "Direct commits to $branch are blocked; create a feature branch." >&2
exit 1
;;
esac

staged="$(git diff --cached --name-only --diff-filter=ACMR)"
if printf '%s\n' "$staged" | grep -Eq '(^|/)\.env($|\.)|(^|/)(__pycache__|\.pytest_cache)(/|$)|\.py[co]$'; then
echo "Refusing to commit runtime environment or Python cache files." >&2
exit 1
fi

bash scripts/ci/run-fast-checks.sh
6 changes: 6 additions & 0 deletions .github/actionlint.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
self-hosted-runner:
labels:
- self-hosted
- linux
- shell-only
- public
43 changes: 24 additions & 19 deletions .github/workflows/ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,7 @@ on:
push:
branches:
- main
workflow_dispatch:

permissions:
contents: read
Expand All @@ -21,26 +22,30 @@ jobs:
- name: Checkout
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4

- name: Validate JSON schemas
run: python -m json.tool schemas/issue-contract.schema.json >/dev/null && python -m json.tool schemas/pr-contract.schema.json >/dev/null && python -m json.tool schemas/public-repository-standard-v1.schema.json >/dev/null && python -m json.tool schemas/provenance-manifest-v1.schema.json >/dev/null
- name: Run fast checks
run: bash scripts/ci/run-fast-checks.sh

- name: Validate public repository policy bundle
run: python scripts/flow/validate_policy_bundle.py

- name: Validate executable transition policy
run: python scripts/flow/validate_transition.py

- name: Validate security and provenance policy
run: python scripts/flow/validate_provenance.py

- name: Validate contribution lifecycle policy
run: python scripts/flow/evaluate_contribution.py
workflow-lint:
name: Workflow Lint
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4

- name: Build and verify policy release offline
run: python scripts/flow/build_policy_release.py --output /tmp/flow-policy-release-ci --version 1.0.0 --verify
- name: Run actionlint with repository runner labels
run: go run github.com/rhysd/actionlint/cmd/actionlint@v1.7.7

- name: Test public repository policy bundle
run: python -m unittest discover -s tests -v
extended-validation:
name: Extended Validation
if: github.event_name != 'pull_request'
runs-on:
- self-hosted
- linux
- shell-only
- public
steps:
- name: Checkout
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4

- name: Compile flow inspector
run: python -m py_compile scripts/flow/inspector_core.py scripts/flow/inspect_repo_flow.py
- name: Build and verify release contract
run: bash scripts/ci/run-extended-validation.sh
5 changes: 5 additions & 0 deletions .gitignore
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
__pycache__/
*.py[cod]
.pytest_cache/
.mypy_cache/
.ruff_cache/
2 changes: 1 addition & 1 deletion AGENTS.md
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@
- Always work on a feature branch. Hooks block commits to `main` and `master`; enable them with `git config core.hooksPath .githooks`.
- Stack baseline: Generic polyglot.
- CI baseline: fast PR checks stay cheap and shell-safe; extended validation runs on `main`, nightly, or manual dispatch.
- Self-hosted runner policy: shell-safe jobs may use `[self-hosted, synology, shell-only, public]`; anything needing Docker, service containers, browser infra, or `container:` must stay on GitHub-hosted runners.
- Self-hosted runner policy: shell-safe jobs may use `[self-hosted, linux, shell-only, public]`; anything needing Docker, service containers, browser infra, or `container:` must stay on GitHub-hosted runners.
- Add or update tests for every interactive, branching, or operator-facing behavior change.
- PRs must use the generated pull request template. The required PR gate validates summary, issue linkage, validation evidence, and risk notes.
- Never commit real secrets, runtime auth, or machine-local env files. Use templates and GitHub environments instead.
Expand Down
4 changes: 3 additions & 1 deletion CONTRIBUTING.md
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,7 @@ Contributions should start from a GitHub issue that is assigned or explicitly en
- Install dependencies for the selected stack before changing code.
- Enable repo hooks with `git config core.hooksPath .githooks`; they block direct commits to `main` and catch committed runtime env files.
- Use `project.bootstrap.yaml` as the source of truth for governance, CI, environments, and bootstrap-managed guidance files.
- Review `docs/bootstrap/onboarding.md` before the first merge after governance changes.

## Change Expectations

Expand All @@ -17,7 +18,8 @@ Contributions should start from a GitHub issue that is assigned or explicitly en

## Validation

- Run the relevant local checks before opening a PR.
- Run `bash scripts/ci/run-fast-checks.sh` before opening a PR.
- Run `bash scripts/ci/run-extended-validation.sh` for release, policy-package, or mainline validation changes.
- For this bootstrap contract, the required PR check surface is `CI Gate`.
- Document any skipped checks in the PR with a concrete reason.

Expand Down
11 changes: 7 additions & 4 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -52,10 +52,13 @@ Open PR clearance has priority over starting new implementation work:
## Validation

```sh
python -m json.tool schemas/issue-contract.schema.json >/dev/null
python -m json.tool schemas/pr-contract.schema.json >/dev/null
python -m py_compile scripts/flow/inspector_core.py scripts/flow/inspect_repo_flow.py
python -m unittest discover -s tests -v
bash scripts/ci/run-fast-checks.sh
```

For mainline or release-contract validation, including an offline deterministic policy build:

```sh
bash scripts/ci/run-extended-validation.sh
```

Inspect a repository without mutating GitHub or local assignment state:
Expand Down
33 changes: 33 additions & 0 deletions docs/bootstrap/onboarding.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,33 @@
# Bootstrap onboarding

Review this file before the first merge after Bootstrap changes repository governance.

## Managed and product-owned boundaries

`project.bootstrap.yaml` is the repository control plane. Its `repo.managedPaths` list identifies Bootstrap-managed guidance and GitHub templates. Product code, policy data, validators, CI scripts, and canonical `github/` inputs remain product-owned unless the manifest says otherwise.

Run Bootstrap in plan mode and review the managed/product-owned inventory before apply. Flow issue [#13](https://github.com/OMT-Global/flow/issues/13) records the current plan evidence and the external resolver/projection blocker.

## Review and merge gates

- Governing work must link a GitHub issue.
- `CI Gate` is the required repository check.
- One non-author approval from `OMT-Codeowners` is required.
- The PR author enables squash auto-merge when checks, review, and conversation gates can converge safely.
- Policy releases follow the exact-pin and independent-review rules in [Policy releases and upgrades](../policy-release-and-upgrades.md).

## Runner policy

The manifest's `hybrid-safe` policy maps Flow's shell-safe CI Gate to `[self-hosted, linux, shell-only, public]`. The live job used to verify this contract on 2026-07-15 ran in runner group `linux-public` with those exact labels. Jobs requiring Docker, service containers, browser infrastructure, or a workflow-level `container:` declaration stay on GitHub-hosted runners.

If the workflow selector, this document, `AGENTS.md`, or live job metadata disagree, stop and reconcile the trust boundary before merging.

## Local checks

```sh
git config core.hooksPath .githooks
bash scripts/ci/run-fast-checks.sh
bash scripts/ci/run-extended-validation.sh
```

The fast check validates local Markdown targets, canonical-to-projected governance drift, workflow runner labels, release-pin guidance, policy data, and unit tests. Extended validation additionally builds and verifies the deterministic policy release offline.
14 changes: 11 additions & 3 deletions github/ISSUE_TEMPLATE/flow-blocker.yml
Original file line number Diff line number Diff line change
@@ -1,7 +1,8 @@
name: Flow blocker
about: Record a blocked unit of work with a next actor and unblock target.
description: Record a blocked unit of work with a next actor and unblock target
title: "Flow blocker: "
labels: ["state:blocked-infra"]
labels:
- state:blocked-infra
body:
- type: textarea
id: blocked_item
Expand Down Expand Up @@ -33,7 +34,14 @@ body:
id: next_actor
attributes:
label: Next actor
options: [Pheidon, Apollo, Ares, Daedalus, Hephaestus, Hermes, Human]
options:
- Pheidon
- Apollo
- Ares
- Daedalus
- Hephaestus
- Hermes
- Human
validations:
required: true
- type: textarea
Expand Down
25 changes: 3 additions & 22 deletions github/ISSUE_TEMPLATE/implementation.yml
Original file line number Diff line number Diff line change
@@ -1,12 +1,9 @@
name: Implementation work
about: Durable contract for autonomous or review-gated implementation work.
description: Durable contract for autonomous or review-gated implementation work
title: ""
labels: ["state:intake"]
labels:
- state:intake
body:
- type: markdown
attributes:
value: |
Use this form for work that should be executable by Pheidon or a worker lane.
- type: textarea
id: problem
attributes:
Expand All @@ -19,19 +16,13 @@ body:
attributes:
label: Acceptance criteria
description: Concrete conditions that make this done.
placeholder: |
- ...
- ...
validations:
required: true
- type: textarea
id: validation
attributes:
label: Validation commands
description: Commands or checks the worker should run.
placeholder: |
- npm test
- cargo test --locked
validations:
required: true
- type: dropdown
Expand Down Expand Up @@ -60,13 +51,3 @@ body:
- Human
validations:
required: true
- type: textarea
id: dependencies
attributes:
label: Dependencies / blockers
description: Known blockers, prerequisites, or related issues/PRs.
- type: textarea
id: out_of_scope
attributes:
label: Out of scope
description: Explicitly excluded work.
68 changes: 68 additions & 0 deletions github/ISSUE_TEMPLATE/release-train.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,68 @@
name: Release Train
description: Governed release train for an OMT-Global repository
title: "Release: vX.Y.Z"
labels:
- release:train
- review:release
body:
- type: input
id: version
attributes:
label: Version
placeholder: v1.2.3 or v1.2.3-rc.1
validations:
required: true

- type: dropdown
id: channel
attributes:
label: Channel
options:
- rc
- beta
- stable
- maintenance
validations:
required: true

- type: input
id: release_branch
attributes:
label: Release branch
placeholder: release/1.2

- type: input
id: target_sha
attributes:
label: Target SHA
placeholder: Full commit SHA for the release candidate

- type: textarea
id: scope
attributes:
label: Scope
description: User-facing changes, fixes, risks, exclusions.
validations:
required: true

- type: textarea
id: gates
attributes:
label: Gates
value: |
- [ ] Release branch created
- [ ] Scope locked
- [ ] Changelog/release notes prepared
- [ ] Version surfaces updated
- [ ] Preflight passed
- [ ] preflight_run_id recorded:
- [ ] Full validation passed
- [ ] validation_run_id recorded:
- [ ] Exact tag created
- [ ] Publish approval granted
- [ ] Artifacts published
- [ ] GitHub Release created or updated
- [ ] Release evidence uploaded
- [ ] Postpublish verification passed
- [ ] Floating tags/channels promoted if applicable
- [ ] Release issue closed
38 changes: 26 additions & 12 deletions github/pull_request_template.md
Original file line number Diff line number Diff line change
Expand Up @@ -2,27 +2,41 @@

-

## Linked issue
## Governing Issue

Closes #
Refs #<issue-number> <!-- use Closes/Fixes/Resolves only when this PR fully completes the issue; otherwise use Refs/Part of, owner/repo#123, a full GitHub issue URL, or explain why no issue is linked -->

## Flow contract
## Validation

- [ ] Relevant local checks passed
- [ ] Required PR checks are expected to satisfy `CI Gate`
- [ ] Skipped checks are explained below

## Bootstrap Governance

- [ ] Changes are scoped to the linked issue
- [ ] Contributor or PR guidance changes are reflected in `CONTRIBUTING.md`, `.github/PULL_REQUEST_TEMPLATE.md`, and `docs/bootstrap/onboarding.md` when applicable
- [ ] PR author enabled auto-merge where GitHub allows it, or GitHub plan-limit evidence/unavailable reason is recorded and the fallback merge-readiness policy applies
- [ ] No real secrets, runtime auth, or machine-local env files are committed

## Flow Contract

- Owner lane:
- Repair owner:
- Autonomy class:
- Risk class:

## Validation
## Flow Merge Readiness

Commands/checks run:
- [ ] Every blocker has a next actor and next action
- [ ] No active blocking requested changes remain
- [ ] Non-author approval is present when required
- [ ] PR author enabled auto-merge where GitHub allows it, or recorded why it is unavailable/unsafe

- [ ]
## Merge Automation

## Merge readiness
- [ ] PR author enabled auto-merge with `gh pr merge --auto --squash`, or the reason it is unavailable/unsafe is noted below

- [ ] Linked issue or no-issue rationale is present
- [ ] Required checks pass or are intentionally non-blocking
- [ ] No active blocking requested changes remain
- [ ] Non-author approval is present if required
- [ ] Auto-merge is appropriate when gates pass
## Notes

-
12 changes: 12 additions & 0 deletions scripts/ci/run-extended-validation.sh
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
#!/usr/bin/env bash
set -euo pipefail

bash scripts/ci/run-fast-checks.sh

artifact_dir="$(mktemp -d "${TMPDIR:-/tmp}/flow-policy-release.XXXXXX")"
trap 'rm -rf "$artifact_dir"' EXIT

python3 scripts/flow/build_policy_release.py \
--output "$artifact_dir" \
--version 1.0.0 \
--verify
Loading
Loading