feat(ci): make shellcheck mandatory — .shellcheckrc, fix 24 violations, add CI gates

.gitea/workflows/ci-debug-parity.yml

@@ -0,0 +1,58 @@
+name: CI Debug Parity
+
+on:
+  pull_request:
+    branches:
+      - main
+  push:
+    branches:
+      - main
+  workflow_dispatch:
+
+jobs:
+  ci-debug:
+    runs-on: [self-hosted, general]
+    steps:
+      - name: Checkout
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+
+      - name: Setup Go
+        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v5.0.2
+        with:
+          go-version-file: go.mod
+
+      - name: Verify ci:debug parity contract
+        run: |
+          set -euo pipefail
+          make ci-verify-parity
+
+      - name: Setup Node.js
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+        with:
+          node-version: "24"
+
+      - name: Run npm ci:debug
+        env:
+          CI: "true"
+          GITEA_ACTIONS: "true"
+        run: |
+          set -euo pipefail
+          npm run ci:debug --silent
+
+      - name: Print ci:debug artifacts
+        if: always()
+        run: |
+          set -euo pipefail
+          test -f outputs/ci/debug/report.json && cat outputs/ci/debug/report.json || true
+          test -f outputs/ci/debug/metrics.prom && cat outputs/ci/debug/metrics.prom || true
+          test -f outputs/ci/governance-propagation-coverage/coverage.txt && cat outputs/ci/governance-propagation-coverage/coverage.txt || true
+
+      - name: Alert on ci:debug failure details
+        if: always()
+        run: |
+          set -euo pipefail
+          if ! command -v python3 >/dev/null 2>&1; then
+            echo "::warning::python3 unavailable; skipping ci:debug alert extraction"
+            exit 0
+          fi
+          python3 scripts/ci/report-alert.py ci-debug outputs/ci/debug/report.json

.gitea/workflows/governance-check.yml

@@ -0,0 +1,89 @@
+name: Governance Check
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "43 3 * * *"
+  pull_request:
+    branches:
+      - main
+
+jobs:
+  governance:
+    runs-on: [self-hosted, general]
+    steps:
+      - name: Checkout
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+
+      - name: Init submodules (HTTPS with token)
+        env:
+          GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
+          GITHUB_TOKEN: ${{ github.token }}
+        run: |
+          set -euo pipefail
+          git config --local url."http://vhost7:8167/".insteadOf "ssh://git@vhost7:9001/"
+
+          TOKEN="${GITEA_TOKEN:-${GITHUB_TOKEN:-}}"
+          if [[ -n "${TOKEN}" ]]; then
+            git config --local http.http://vhost7:8167/.extraheader "Authorization: token ${TOKEN}"
+          fi
+
+          if git submodule update --init --recursive 2>&1; then
+            echo "SUBMODULE_INIT=success"
+          else
+            echo "WARN: submodule init failed; governance wrapper will report actionable status"
+            echo "SUBMODULE_INIT=failed"
+          fi
+
+      - name: Run shellcheck on all shell scripts
+        run: |
+          set -euo pipefail
+          if ! command -v shellcheck &>/dev/null; then
+            apt-get update -qq && apt-get install -y shellcheck
+          fi
+          mapfile -t shell_files < <(git ls-files '*.sh' | sort)
+          if [[ ${#shell_files[@]} -eq 0 ]]; then
+            echo "No shell files found"
+            exit 0
+          fi
+          echo "Checking ${#shell_files[@]} shell file(s)..."
+          shellcheck -x "${shell_files[@]}"
+          echo "shellcheck: all files passed"
+
+      - name: Run governance unit tests (70%)
+        run: |
+          set -euo pipefail
+          bash test/ci/test-governance-unit.sh
+
+      - name: Run governance integration tests (20%)
+        run: |
+          set -euo pipefail
+          bash test/ci/test-governance-integration.sh
+
+      - name: Run governance e2e tests (10%)
+        run: |
+          set -euo pipefail
+          bash test/ci/test-governance-e2e.sh
+
+      - name: Verify governance wiring
+        env:
+          GOVERNANCE_REPORT_JSON: outputs/ci/governance/report.json
+          GOVERNANCE_METRICS_TEXTFILE: outputs/ci/governance/metrics.prom
+        run: |
+          set -euo pipefail
+          chmod +x scripts/check-governance.sh
+          ./scripts/check-governance.sh
+
+      - name: Print governance report and metrics
+        if: always()
+        run: |
+          set -euo pipefail
+          test -f outputs/ci/governance/report.json && cat outputs/ci/governance/report.json || true
+          test -f outputs/ci/governance/metrics.prom && cat outputs/ci/governance/metrics.prom || true
+          test -f outputs/ci/governance/events.jsonl && cat outputs/ci/governance/events.jsonl || true
+
+      - name: Alert on governance outcome
+        if: always()
+        run: |
+          set -euo pipefail
+          python3 scripts/ci/report-alert.py governance outputs/ci/governance/report.json

.gitea/workflows/submodule-freshness.yml

@@ -0,0 +1,85 @@
+name: Submodule Freshness Check
+
+on:
+  workflow_dispatch:
+    inputs:
+      auto_update:
+        description: "Automatically bump stale prompts submodule in workflow workspace"
+        required: false
+        default: "false"
+  schedule:
+    - cron: "17 */6 * * *"
+  pull_request:
+    branches:
+      - main
+
+jobs:
+  submodule-freshness:
+    runs-on: [self-hosted, general]
+    steps:
+      - name: Checkout
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+
+      - name: Init submodules (HTTPS with token)
+        env:
+          GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
+          GITHUB_TOKEN: ${{ github.token }}
+        run: |
+          set -euo pipefail
+          # Rewrite SSH URLs to HTTPS for CI runner auth.
+          # CI runners lack SSH keys but can use token-based HTTPS.
+          # See: https://forum.gitea.com/t/gitea-runner-recursive-checkout/10812
+          git config --local url."http://vhost7:8167/".insteadOf "ssh://git@vhost7:9001/"
+
+          # Use available token for HTTPS auth
+          TOKEN="${GITEA_TOKEN:-${GITHUB_TOKEN:-}}"
+          if [[ -n "${TOKEN}" ]]; then
+            git config --local http.http://vhost7:8167/.extraheader "Authorization: token ${TOKEN}"
+          fi
+
+          # Init submodules; continue even if clone fails (script handles gracefully)
+          if git submodule update --init --recursive 2>&1; then
+            echo "SUBMODULE_INIT=success"
+          else
+            echo "WARN: submodule init failed; freshness script will handle gracefully"
+            echo "SUBMODULE_INIT=failed"
+          fi
+
+      - name: Run submodule freshness unit tests (70%)
+        run: |
+          set -euo pipefail
+          bash test/ci/test-submodule-freshness-unit.sh
+
+      - name: Run submodule freshness integration tests (20%)
+        run: |
+          set -euo pipefail
+          bash test/ci/test-submodule-freshness-integration.sh
+
+      - name: Run submodule freshness e2e tests (10%)
+        run: |
+          set -euo pipefail
+          bash test/ci/test-submodule-freshness-e2e.sh
+
+      - name: Verify prompts freshness
+        env:
+          AUTO_UPDATE: ${{ inputs.auto_update || 'false' }}
+          STRICT_REMOTE: auto
+          SUBMODULE_REPORT_JSON: outputs/ci/submodule-freshness/report.json
+          SUBMODULE_METRICS_TEXTFILE: outputs/ci/submodule-freshness/metrics.prom
+        run: |
+          set -euo pipefail
+          chmod +x scripts/prompts-submodule-freshness.sh
+          ./scripts/prompts-submodule-freshness.sh
+
+      - name: Print freshness report and metrics
+        if: always()
+        run: |
+          set -euo pipefail
+          test -f outputs/ci/submodule-freshness/report.json && cat outputs/ci/submodule-freshness/report.json || true
+          test -f outputs/ci/submodule-freshness/metrics.prom && cat outputs/ci/submodule-freshness/metrics.prom || true
+
+      - name: Alert on stale or failed freshness outcomes
+        if: always()
+        run: |
+          set -euo pipefail
+          python3 scripts/ci/report-alert.py submodule-freshness outputs/ci/submodule-freshness/report.json

.github/actions/setup-go-env/action.yml

@@ -0,0 +1,44 @@
+# Reusable composite action: Set up Go + CGO dependencies
+# Last Updated: 2026-02-22
+
+name: "Setup Go Environment"
+description: "Set up Go toolchain and install CGO library dependencies"
+
+runs:
+  using: "composite"
+  steps:
+    - name: Ensure /dev character devices before apt
+      shell: bash
+      run: |
+        set -euo pipefail
+        ensure_char_device() {
+          local path="$1" major="$2" minor="$3"
+          if [[ -c "${path}" ]] && echo "probe" > "${path}" 2>/dev/null; then
+            return 0
+          fi
+          echo "Repairing ${path} before dependency install"
+          sudo rm -f "${path}" 2>/dev/null || true
+          sudo mknod -m 666 "${path}" c "${major}" "${minor}"
+        }
+        ensure_char_device /dev/null 1 3
+        ensure_char_device /dev/zero 1 5
+
+    - name: Set up Go
+      uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32
+      with:
+        go-version-file: go.mod
+        cache: true
+
+    - name: Install CGO library dependencies
+      shell: bash
+      run: |
+        sudo apt-get update -qq
+        sudo apt-get install -y -qq \
+          librados-dev \
+          librbd-dev \
+          libcephfs-dev \
+          libvirt-dev
+
+    - name: Download Go module dependencies
+      shell: bash
+      run: go mod download

.github/dependabot.yml

@@ -1,33 +1,28 @@
-# dependabot.yml
-
-# Specify the version of Dependabot configuration
-
-# To get started with Dependabot version updates, you'll need to specify which
-# package ecosystems to update and where the package manifests are located.
-# Please see the documentation for all configuration options:
-# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
-
-version: 2
-updates:
-  - package-ecosystem: "" # See documentation for possible values
-    directory: "/" # Location of package manifests
-    schedule:
-      interval: "weekly"
-# Define the updates configuration
-# Removed misplaced 'updates' section. Dependabot configuration should be in a separate dependabot.yml file.
-
+# dependabot.yml - Automated dependency updates
+# Last Updated: 2026-02-19
+# Documentation: https://docs.github.com/code-security/dependabot/dependabot-version-updates
 
 version: 2
 updates:
   - package-ecosystem: "gomod"
     directory: "/"
     schedule:
       interval: "weekly"
+    labels:
+      - "dependencies"
+      - "go"
+
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
       interval: "weekly"
+    labels:
+      - "dependencies"
+      - "ci"
+
   - package-ecosystem: "docker"
     directory: "/"
     schedule:
       interval: "weekly"
+    labels:
+      - "dependencies"