Epic A: Workflow & CI Governance (Sprint 1)

.github/pull_request_template.md

@@ -0,0 +1,32 @@
+### Summary
+
+### Risk & Scope
+- [ ] Low risk
+- [ ] Medium risk
+- [ ] High risk (requires ai:required or risk:high label)
+
+### Architecture Compliance
+- [ ] No transport logic added in React components
+- [ ] No server-only modules imported into client code
+- [ ] Service/store boundaries preserved (service -> store -> hooks -> components)
+
+### Service/Store Impact
+- [ ] Touches service layer (list files):
+- [ ] Touches state store/reducer (list files):
+- [ ] Migration/backward compatibility considered
+
+### Auth/Security
+- [ ] Affects auth/session/token flow
+- [ ] WebSocket upgrade/auth assumptions reviewed
+- [ ] No secrets introduced in code/config/logs
+
+### Testing
+- [ ] Lint/type/knip pass locally
+- [ ] Unit tests updated
+- [ ] Integration tests updated
+- [ ] VRT/E2E impact assessed
+
+### Accessibility
+- [ ] Realtime announcements use correct aria-live strategy
+- [ ] No high-frequency screen-reader spam introduced
+- [ ] Contrast/accessibility checks considered

.github/scripts/jules_ops.py

@@ -4,7 +4,7 @@
 import requests
 import argparse
 
-def create_jules_session(prompt, branch, title, owner, repo_name, jules_api_url):
+def create_jules_session(prompt, branch, title, owner, repo_name, jules_api_url, mode="audit"):
     """
     Creates a new Jules session via the API and returns the session ID.
     """
@@ -24,6 +24,7 @@ def create_jules_session(prompt, branch, title, owner, repo_name, jules_api_url)
         "title": title,
         "owner": owner,
         "repo_name": repo_name,
+        "mode": mode,
     }
 
     try:
@@ -85,20 +86,53 @@ def main():
     parser.add_argument("--owner", help="The owner of the repository.")
     parser.add_argument("--repo-name", help="The name of the repository.")
     parser.add_argument("--jules-api-url", default="https://api.jules.ai/v1/sessions", help="The URL of the Jules API.")
+    parser.add_argument("--mode", choices=['audit', 'direct'], default='audit', help="The operation mode.")
+    parser.add_argument("--direct", action="store_true", help="Alias for --mode direct.")
+    parser.add_argument("--allow-risk-paths", action="store_true", help="Allow direct mode on high-risk paths.")
+    parser.add_argument("--deterministic-passed", default="true", help="Whether deterministic checks passed.")
+    parser.add_argument("--changed-files", help="Comma-separated list of changed files.")
 
     args = parser.parse_args()
 
+    mode = args.mode
+    if args.direct:
+        mode = 'direct'
+
     if args.command == 'new':
         if not all([args.prompt, args.branch, args.title, args.owner, args.repo_name]):
             sys.stderr.write("Error: --prompt, --branch, --title, --owner, and --repo-name are required for the 'new' command.\n")
             sys.exit(1)
+
+        # Safety gates for direct mode
+        if mode == 'direct':
+            if args.deterministic_passed != "true":
+                sys.stderr.write("Error: Direct mode blocked on deterministic failure.\n")
+                sys.exit(1)
+
+            # High-risk path detection
+            if args.changed_files and not args.allow_risk_paths:
+                risk_paths = [
+                    "server.ts", "middleware.ts",
+                    "context/WebSocketContext.tsx", "context/webSocketReducer.ts",
+                    "hooks/useBluetoothHRM.ts", ".github/workflows/",
+                    "package.json", "pnpm-lock.yaml"
+                ]
+                changed_files = args.changed_files.split(',')
+                for cf in changed_files:
+                    cf = cf.strip()
+                    for rp in risk_paths:
+                        if cf == rp or (rp.endswith('/') and cf.startswith(rp)):
+                            sys.stderr.write(f"Error: Direct mode blocked. Risk path touched: {cf}. Use --allow-risk-paths to override.\n")
+                            sys.exit(1)
+
         session_id = create_jules_session(
             prompt=args.prompt,
             branch=args.branch,
             title=args.title,
             owner=args.owner,
             repo_name=args.repo_name,
-            jules_api_url=args.jules_api_url
+            jules_api_url=args.jules_api_url,
+            mode=mode
         )
         if 'GITHUB_OUTPUT' in os.environ:
             with open(os.environ['GITHUB_OUTPUT'], 'a') as f:

.github/workflows/auto-merge-deps.yml

@@ -1,3 +1,6 @@
+# owner: @team-devex
+# purpose: Standard automation workflow
+
 name: Auto-merge Dependencies
 
 on:

.github/workflows/auto-rebase.yml

@@ -1,3 +1,6 @@
+# owner: @team-devex
+# purpose: Standard automation workflow
+
 name: Auto Rebase
 
 on:

.github/workflows/auto-update.yml

@@ -1,3 +1,6 @@
+# owner: @team-devex
+# purpose: Standard automation workflow
+
 name: Auto-update
 # Auto-update only listens to `push` events.
 # If a pull request is already outdated when enabling auto-merge, manually click on the "Update branch" button a first time to avoid having to wait for another commit to land on the base branch for the pull request to be updated.

.github/workflows/comment-ops.yml

@@ -1,3 +1,6 @@
+# owner: @team-devex
+# purpose: Standard automation workflow
+
 name: Bot Command Orchestrator
 
 on:
@@ -145,9 +148,9 @@ jobs:
           # Find the branch name of the PR
           BRANCH=$(gh pr view "$PR_NUMBER" --json headRefName -q .headRefName)
 
-          # Find the most recent successful run of 'Gemini Orchestrator' (pr-orchestrator.yml) for this branch.
+          # Find the most recent successful run of 'PR Quality' (pr-quality.yml) for this branch.
           # This workflow produces the 'review-result' artifact.
-          RUN_ID=$(gh run list --workflow pr-orchestrator.yml --branch "$BRANCH" --status success --limit 1 --json databaseId -q '.[0].databaseId')
+          RUN_ID=$(gh run list --workflow pr-quality.yml --branch "$BRANCH" --status success --limit 1 --json databaseId -q '.[0].databaseId')
 
           # Fallback: check 'Bot Command Orchestrator' if manual review was triggered
           if [ -z "$RUN_ID" ]; then

.github/workflows/commit-lint.yml

@@ -1,3 +1,6 @@
+# owner: @team-devex
+# purpose: Standard automation workflow
+
 name: Lint Commit Messages
 on: [pull_request]
 

.github/workflows/conflict-resolver.yml

@@ -1,3 +1,6 @@
+# owner: @team-devex
+# purpose: Standard automation workflow
+
 name: 'Auto Conflict Resolver'
 
 on:
@@ -115,14 +118,12 @@ jobs:
           echo "resolved_sha=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT
         id: commit_push
 
-      - name: Trigger Gemini Orchestrator
+      - name: Trigger PR Quality Gate
         if: steps.validate_branches.outputs.skipped != 'true' && steps.resolve.outputs.unresolved-files == '' && env.PR_NUMBER && env.PR_NUMBER != '0'
         env:
           GH_TOKEN: ${{ secrets.PAT_TOKEN || secrets.ARI_PAT || secrets.GITHUB_TOKEN }}
-          HEAD_SHA: ${{ steps.commit_push.outputs.resolved_sha }}
-          BASE_SHA: ${{ steps.validate_branches.outputs.base_sha }}
         run: |
-          gh workflow run "pr-orchestrator.yml" --ref "$SOURCE" -f pr_number="$PR_NUMBER" -f base_ref="$BASE_SHA" -f head_ref="$HEAD_SHA" -f base_branch="$TARGET"
+          gh workflow run "pr-quality.yml" --ref "$SOURCE" -f force_ai=true
 
       - name: Update comment on success
         if: steps.validate_branches.outputs.skipped != 'true' && success() && steps.resolve.outputs.unresolved-files == '' && env.PR_NUMBER && env.PR_NUMBER != '0'

.github/workflows/deploy.yml

@@ -1,3 +1,6 @@
+# owner: @team-devex
+# purpose: Standard automation workflow
+
 name: Deploy Production
 
 on:

.github/workflows/e2e-ci-tests.yml

@@ -1,3 +1,6 @@
+# owner: @team-devex
+# purpose: Standard automation workflow
+
 name: 'E2E CI Tests'
 
 on:

.github/workflows/gemini-coder.yml

@@ -1,3 +1,6 @@
+# owner: @team-devex
+# purpose: Standard automation workflow
+
 # .github/workflows/gemini-coder.yml
 #
 # AI-Powered Automated Code Generation and Patching

.github/workflows/gemini-triage.yml

@@ -1,3 +1,6 @@
+# owner: @team-devex
+# purpose: Standard automation workflow
+
 # .github/workflows/gemini-triage.yml
 #
 # Consolidates AI-driven issue triage with scheduled maintenance tasks.

.github/workflows/jules-session-manager.yml

@@ -1,3 +1,6 @@
+# owner: @team-devex
+# purpose: Standard automation workflow
+
 # .github/workflows/jules-session-manager.yml
 name: Jules Session Manager
 
@@ -141,13 +144,20 @@ jobs:
           REPO_NAME: ${{ github.event.repository.name }}
         run: |
           set +e
+          # Detect if direct mode is requested via comment
+          MODE="audit"
+          if [[ "${{ github.event.comment.body }}" == *"--direct"* ]]; then
+            MODE="direct"
+          fi
+
           OUTPUT=$(python3 .github/scripts/jules_ops.py \
             --command "new" \
             --prompt "$PROMPT" \
             --branch "$BRANCH" \
             --title "$TITLE" \
             --owner "$REPO_OWNER" \
             --repo-name "$REPO_NAME" \
+            --mode "$MODE" \
             --jules-api-url "${{ secrets.JULES_API_URL }}" 2>&1)
           EXIT_CODE=$?
 

.github/workflows/manual-release-local.yml

@@ -1,3 +1,6 @@
+# owner: @team-devex
+# purpose: Standard automation workflow
+
 name: Manual Release (Local Deployment)
 
 on:

.github/workflows/pr-enrichment.yml

@@ -1,3 +1,6 @@
+# owner: @team-devex
+# purpose: Standard automation workflow
+
 # .github/workflows/pr-enrichment.yml
 # Enriches pull request titles and descriptions with contextual information
 # based on the files changed, scope of changes, and related issues/PRs.
@@ -74,7 +77,7 @@ jobs:
           fi
 
           # 3. Automatically disable for E2E tests to prevent interfering with test expectations
-          # Consistent with pr-orchestrator.yml bypass logic.
+          # Consistent with pr-quality.yml bypass logic.
           if [[ "$PR_TITLE_EVENT" == *"E2E Test PR"* ]] || [[ "$HEAD_REF_EVENT" == "e2e-test-"* ]]; then
             echo "disabled=true" >> $GITHUB_OUTPUT
             echo "::notice::PR enrichment is disabled for E2E Test PR (Title: '$PR_TITLE_EVENT', Branch: '$HEAD_REF_EVENT')"