feat: complete governance and quality foundation

.github/workflows/quality.yml

@@ -0,0 +1,48 @@
+name: Quality
+
+on:
+  pull_request:
+  push:
+    branches: [main]
+
+permissions:
+  contents: read
+
+jobs:
+  quality:
+    runs-on: windows-latest
+    timeout-minutes: 20
+    steps:
+      - name: Check out source
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        timeout-minutes: 2
+
+      - name: Set up Python
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
+        with:
+          python-version: "3.12"
+        timeout-minutes: 5
+
+      - name: Install quality dependencies
+        shell: powershell
+        run: |
+          Set-PSRepository PSGallery -InstallationPolicy Trusted
+          Install-Module Pester -MinimumVersion 5.7.1 -Scope CurrentUser -Force
+          Install-Module PSScriptAnalyzer -MinimumVersion 1.24.0 -Scope CurrentUser -Force
+          python -m pip install --disable-pip-version-check jsonschema==4.26.0
+        timeout-minutes: 8
+
+      - name: Run quality gate
+        shell: powershell
+        run: .\Invoke-Quality.ps1
+        timeout-minutes: 8
+
+      - name: Upload quality evidence
+        if: always()
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
+        with:
+          name: quality-evidence
+          path: .artifacts/quality
+          if-no-files-found: error
+        timeout-minutes: 3
+

.planning/PROJECT.md

@@ -16,10 +16,10 @@ An AI developer can run one safe, repeatable workflow and receive a complete, wo
 - ✓ PowerShell entry points exist for setup, doctor, start, upgrade, and uninstall — existing seed
 - ✓ Doctor can emit human-readable and JSON readiness output — existing seed
 - ✓ The seed can discover tools, repositories, and basic service health — existing seed
+- ✓ Governance, schemas, Pester, static analysis, Windows CI, ADRs, and requirement traceability — validated in Phase 1
 
 ### Active
 
-- [ ] Establish governance, CI, schemas, and a comprehensive Pester test foundation.
 - [ ] Make manifest parsing, allowlisting, path handling, and destructive operations fail closed.
 - [ ] Make setup and upgrade idempotent, observable, transactional, and recoverable after partial failure.
 - [ ] Generate and merge profile-specific AI client, MCP, skill, workspace, and service configuration without overwriting unrelated user state.
@@ -82,4 +82,4 @@ This document evolves at phase transitions and milestone boundaries.
 4. Update context with evidence, users, feedback, and operational metrics.
 
 ---
-*Last updated: 2026-06-11 after initialization*
+*Last updated: 2026-06-11 after Phase 1 completion*

.planning/REQUIREMENTS.md

@@ -7,10 +7,10 @@
 
 ### Governance and Contracts
 
-- [ ] **GOV-01**: Maintainer can validate manifest, managed state, operation plan, doctor report, event log, and support-bundle metadata against versioned JSON schemas.
-- [ ] **GOV-02**: Contributor can run Pester, PSScriptAnalyzer, schema validation, and documentation checks locally through one documented command.
-- [ ] **GOV-03**: Pull requests run required Windows CI checks with least-privilege permissions, pinned actions, timeouts, and retained evidence.
-- [ ] **GOV-04**: Maintainer can trace requirements to phases, tests, architecture decisions, and release evidence.
+- [x] **GOV-01**: Maintainer can validate manifest, managed state, operation plan, doctor report, event log, and support-bundle metadata against versioned JSON schemas.
+- [x] **GOV-02**: Contributor can run Pester, PSScriptAnalyzer, schema validation, and documentation checks locally through one documented command.
+- [x] **GOV-03**: Pull requests run required Windows CI checks with least-privilege permissions, pinned actions, timeouts, and retained evidence.
+- [x] **GOV-04**: Maintainer can trace requirements to phases, tests, architecture decisions, and release evidence.
 
 ### Manifest and Profiles
 
@@ -88,10 +88,10 @@
 
 | Requirement | Phase | Status |
 |-------------|-------|--------|
-| GOV-01 | Phase 1 | Pending |
-| GOV-02 | Phase 1 | Pending |
-| GOV-03 | Phase 1 | Pending |
-| GOV-04 | Phase 1 | Pending |
+| GOV-01 | Phase 1 | Complete |
+| GOV-02 | Phase 1 | Complete |
+| GOV-03 | Phase 1 | Complete |
+| GOV-04 | Phase 1 | Complete |
 | MAN-01 | Phase 2 | Pending |
 | MAN-02 | Phase 2 | Pending |
 | MAN-03 | Phase 2 | Pending |

.planning/ROADMAP.md

@@ -18,7 +18,7 @@ CAS Workstation v1 progresses from a functional seed to a trustworthy desired-st
 
 ## Phase Details
 
-### Phase 1: Governance and Quality Foundation
+### Phase 1: Governance and Quality Foundation (Complete: 2026-06-11)
 
 **Goal:** Every later change is constrained by schemas, tests, static quality, CI, and requirement traceability.
 

.planning/STATE.md

@@ -1,21 +1,40 @@
+---
+gsd_state_version: 1.0
+milestone: v1.0
+milestone_name: milestone
+status: ready_to_plan
+last_updated: 2026-06-11T10:36:59.864Z
+progress:
+  total_phases: 7
+  completed_phases: 1
+  total_plans: 3
+  completed_plans: 3
+  percent: 14
+stopped_at: Phase 1 complete (3/3) — ready to discuss Phase 2
+---
+
 # Project State
 
 ## Project Reference
 
 See: `.planning/PROJECT.md` (updated 2026-06-11)
 
 **Core value:** An AI developer can run one safe, repeatable workflow and receive a complete, working workstation without manually discovering or reconciling prerequisites.  
-**Current focus:** Phase 1 — Governance and Quality Foundation
+**Current focus:** Phase 2 — manifest, inventory, and safety boundaries
 
 ## Current Position
 
+Phase: 2
+Plan: Not started
+
 - Project initialization: complete
 - Research: complete
 - Requirements: 35 v1 requirements, all mapped
 - Roadmap: 7 phases
-- Active phase: Phase 1
-- Phase plans: not created
-- Implementation: not started
+- Completed phase: Phase 1 — Governance and Quality Foundation
+- Active phase: Phase 2 — Manifest, Inventory, and Safety Boundaries
+- Phase 1 plans: 3/3 complete
+- Implementation: Phase 1 verified
 
 ## Workflow
 
@@ -29,7 +48,7 @@ See: `.planning/PROJECT.md` (updated 2026-06-11)
 
 ## Next Action
 
-Run `$gsd-plan-phase 1` to plan Governance and Quality Foundation. Do not implement until the phase plan is reviewed and validated.
+Run `$gsd-discuss-phase 2` before planning Manifest, Inventory, and Safety Boundaries.
 
 ## Decisions and Risks
 

.planning/phases/01-governance-and-quality-foundation/01-01-PLAN.md

@@ -0,0 +1,94 @@
+---
+phase: 01-governance-and-quality-foundation
+plan: 01
+type: execute
+wave: 1
+depends_on: []
+files_modified:
+  - schemas/manifest.schema.json
+  - schemas/managed-state.schema.json
+  - schemas/operation-plan.schema.json
+  - schemas/doctor.schema.json
+  - schemas/event.schema.json
+  - schemas/support-bundle.schema.json
+  - tests/fixtures/contracts
+  - tests/ContractSchemas.Tests.ps1
+  - scripts/Test-CasJsonSchema.ps1
+autonomous: true
+requirements:
+  - GOV-01
+must_haves:
+  truths:
+    - "Every planned CAS product contract has a versioned JSON Schema."
+    - "Each contract has a positive fixture and a negative fixture that are enforced automatically."
+    - "Schema validation fails closed when a schema, fixture, or validator dependency is unavailable."
+  artifacts:
+    - path: "scripts/Test-CasJsonSchema.ps1"
+      provides: "Deterministic repository-local schema and fixture validation"
+      contains: "Validate"
+    - path: "tests/ContractSchemas.Tests.ps1"
+      provides: "Positive and negative contract regression coverage"
+      contains: "Describe"
+    - path: "schemas/manifest.schema.json"
+      provides: "Versioned workstation manifest contract"
+      contains: "2020-12"
+  key_links:
+    - from: "tests/ContractSchemas.Tests.ps1"
+      to: "scripts/Test-CasJsonSchema.ps1"
+      via: "contract fixture validation"
+      pattern: "Test-CasJsonSchema"
+---
+
+<objective>
+Establish strict, executable JSON contracts for all planned CAS Workstation artifact types.
+
+Purpose: Later phases must evolve behind stable, regression-tested contracts rather than informal object shapes.
+Output: Six versioned schemas, positive/negative fixtures, a validator, and contract tests.
+</objective>
+
+<context>
+@.planning/PROJECT.md
+@.planning/REQUIREMENTS.md
+@.planning/phases/01-governance-and-quality-foundation/01-RESEARCH.md
+@schemas/doctor.schema.json
+@stack.manifest.json
+</context>
+
+<threat_model>
+- T-01 High: malformed contracts pass validation because dependencies or fixtures are missing. Mitigation: fail closed and cover unavailable/malformed cases.
+- T-02 High: permissive schemas allow unsafe unknown fields. Mitigation: use explicit required fields and additionalProperties boundaries.
+</threat_model>
+
+<tasks>
+
+<task type="auto">
+  <name>Task 1: Define versioned product contract schemas and fixtures</name>
+  <files>schemas/*.schema.json, tests/fixtures/contracts/**</files>
+  <action>Create Draft 2020-12 schemas for manifest, managed state, operation plan, doctor report, event log entry, and support-bundle metadata. Preserve the current doctor contract while adding explicit schema versioning. Add canonical valid and deliberately invalid JSON fixtures for every schema. Keep future implementation fields minimal but structurally meaningful, strict, and documented through schema descriptions.</action>
+  <verify>Get-ChildItem schemas/*.schema.json | ForEach-Object { Get-Content $_ -Raw | ConvertFrom-Json | Out-Null }</verify>
+  <done>Every planned contract has parseable versioned schema plus positive and negative fixtures.</done>
+</task>
+
+<task type="auto">
+  <name>Task 2: Add fail-closed schema validator and contract tests</name>
+  <files>scripts/Test-CasJsonSchema.ps1, tests/ContractSchemas.Tests.ps1</files>
+  <action>Implement a PowerShell 5.1-compatible schema validation entry point that validates repository schemas and fixtures without network access. Use a well-defined local validator dependency and return non-zero when it is missing or any fixture has the wrong result. Add Pester coverage for all schemas, positive fixtures, negative fixtures, missing inputs, and malformed JSON.</action>
+  <verify>Invoke-Pester tests/ContractSchemas.Tests.ps1</verify>
+  <done>Contract validation proves valid fixtures pass, invalid fixtures fail, and missing validation capability cannot produce a false success.</done>
+</task>
+
+</tasks>
+
+<verification>
+- [ ] All schema JSON parses.
+- [ ] `Invoke-Pester tests/ContractSchemas.Tests.ps1` passes.
+- [ ] Every schema has both valid and invalid fixture evidence.
+</verification>
+
+<success_criteria>
+- GOV-01 is satisfied by executable, versioned contracts.
+- No required contract relies on documentation-only validation.
+</success_criteria>
+
+<output>Create `01-01-SUMMARY.md` after execution.</output>
+

.planning/phases/01-governance-and-quality-foundation/01-01-SUMMARY.md

@@ -0,0 +1,43 @@
+---
+phase: 01-governance-and-quality-foundation
+plan: 01
+subsystem: contracts
+tags: [json-schema, pester, powershell, governance]
+provides:
+  - Versioned JSON schemas for six CAS product contracts
+  - Positive and negative fixtures for every contract
+  - Fail-closed repository-local schema validation
+affects: [manifest, managed-state, operation-plan, doctor, events, support-bundle]
+tech-stack:
+  added: [Python jsonschema]
+  patterns: [Draft 2020-12 contracts, positive-negative fixtures, fail-closed validation]
+key-files:
+  created: [scripts/Test-CasJsonSchema.ps1, scripts/validate_json_schema.py, tests/ContractSchemas.Tests.ps1]
+  modified: [schemas/doctor.schema.json, scripts/Cas.Workstation.psm1]
+key-decisions:
+  - "Use a small PowerShell wrapper around Python jsonschema so validation remains deterministic and portable."
+duration: 15min
+completed: 2026-06-11
+---
+
+# Phase 1 Plan 01: Contract Foundation Summary
+
+Six planned product contracts now have strict Draft 2020-12 schemas, valid and invalid fixtures, and fail-closed automated validation.
+
+## Accomplishments
+
+- Added manifest, managed-state, operation-plan, doctor, event, and support-bundle contracts.
+- Added positive/negative fixtures and Pester regression coverage.
+- Added `schemaVersion` to generated doctor reports.
+
+## Verification
+
+- `.\scripts\Test-CasJsonSchema.ps1 -AllFixtures`
+- `Invoke-Pester tests\ContractSchemas.Tests.ps1`
+- Result: 3/3 tests passed.
+
+## Deviations
+
+- Added `scripts/validate_json_schema.py` as the isolated standards-compliant validation engine behind the planned PowerShell entry point.
+
+## Self-Check: PASSED

.planning/phases/01-governance-and-quality-foundation/01-02-PLAN.md

@@ -0,0 +1,91 @@
+---
+phase: 01-governance-and-quality-foundation
+plan: 02
+type: execute
+wave: 1
+depends_on: []
+files_modified:
+  - docs/architecture/README.md
+  - docs/architecture/decisions/0000-template.md
+  - docs/architecture/decisions/0001-windows-first-powershell.md
+  - docs/traceability.json
+  - CONTRIBUTING.md
+  - scripts/Test-CasGovernance.ps1
+  - tests/Governance.Tests.ps1
+autonomous: true
+requirements:
+  - GOV-04
+must_haves:
+  truths:
+    - "Every v1 requirement is mapped exactly once to a phase and to executable evidence."
+    - "Architecture decisions use a documented, reviewable convention."
+    - "Missing, duplicate, or unknown traceability references fail validation."
+  artifacts:
+    - path: "docs/traceability.json"
+      provides: "Machine-readable requirement-to-phase, ADR, test, and evidence map"
+      contains: "GOV-01"
+    - path: "scripts/Test-CasGovernance.ps1"
+      provides: "Deterministic traceability and governance validator"
+      contains: "traceability"
+    - path: "docs/architecture/decisions/0000-template.md"
+      provides: "ADR convention template"
+      contains: "Status"
+  key_links:
+    - from: "scripts/Test-CasGovernance.ps1"
+      to: ".planning/REQUIREMENTS.md"
+      via: "requirement ID reconciliation"
+      pattern: "REQUIREMENTS"
+---
+
+<objective>
+Make architectural decisions and requirement evidence inspectable and mechanically traceable.
+
+Purpose: Portfolio and enterprise claims need proof that requirements, decisions, tests, and release evidence stay connected.
+Output: ADR convention, machine-readable traceability map, validator, and governance tests.
+</objective>
+
+<context>
+@.planning/PROJECT.md
+@.planning/REQUIREMENTS.md
+@.planning/ROADMAP.md
+@.planning/phases/01-governance-and-quality-foundation/01-RESEARCH.md
+@PRODUCT-BRIEF.md
+</context>
+
+<threat_model>
+- T-04 Medium: traceability claims evidence that does not exist. Mitigation: validate IDs, phase mappings, file references, and evidence commands.
+</threat_model>
+
+<tasks>
+
+<task type="auto">
+  <name>Task 1: Establish ADR and contribution conventions</name>
+  <files>docs/architecture/README.md, docs/architecture/decisions/0000-template.md, docs/architecture/decisions/0001-windows-first-powershell.md, CONTRIBUTING.md</files>
+  <action>Document the lightweight ADR lifecycle, requirement/evidence expectations, local quality workflow, and review standard. Record the Windows-first PowerShell decision as the first accepted ADR. Keep later architecture decisions pending rather than pretending they are validated.</action>
+  <verify>Get-ChildItem docs/architecture/decisions/*.md,CONTRIBUTING.md | ForEach-Object { if (-not (Get-Content $_ -Raw).Trim()) { throw "Empty governance file: $_" } }</verify>
+  <done>Contributors have an explicit ADR and evidence workflow with one real accepted decision.</done>
+</task>
+
+<task type="auto">
+  <name>Task 2: Add machine-readable traceability and fail-closed validation</name>
+  <files>docs/traceability.json, scripts/Test-CasGovernance.ps1, tests/Governance.Tests.ps1</files>
+  <action>Create a traceability map covering all 35 v1 requirement IDs, their roadmap phase, current evidence status, applicable ADRs, test files, and evidence commands/artifacts. Implement validation that reconciles IDs against `.planning/REQUIREMENTS.md`, rejects duplicates and unknown IDs, verifies phase assignments, and checks referenced repository files. Add Pester tests for valid and intentionally broken maps.</action>
+  <verify>Invoke-Pester tests/Governance.Tests.ps1</verify>
+  <done>Traceability cannot silently drift from requirements, phases, decisions, or evidence files.</done>
+</task>
+
+</tasks>
+
+<verification>
+- [ ] ADR and contribution conventions are substantive.
+- [ ] `Invoke-Pester tests/Governance.Tests.ps1` passes.
+- [ ] All 35 v1 requirements are represented exactly once.
+</verification>
+
+<success_criteria>
+- GOV-04 is satisfied with machine-checkable traceability.
+- Governance claims reference real repository evidence.
+</success_criteria>
+
+<output>Create `01-02-SUMMARY.md` after execution.</output>
+