feat: implement GitHub org-gated access for coder.ddev.com, fixes #64

.claudeignore

@@ -0,0 +1,58 @@
+# Spec Kitty Configuration and Templates
+# These are internal directories that shouldn't be scanned by AI assistants
+
+# Template directories (not working code)
+.kittify/templates/
+.kittify/missions/
+.kittify/scripts/
+
+# Agent command directories (generated from templates, not source)
+.claude/
+.codex/
+.gemini/
+.cursor/
+.qwen/
+.opencode/
+.windsurf/
+.kilocode/
+.augment/
+.roo/
+.amazonq/
+.github/copilot/
+
+# Git metadata
+.git/
+
+# Build artifacts and caches
+__pycache__/
+*.pyc
+*.pyo
+.pytest_cache/
+.coverage
+htmlcov/
+node_modules/
+dist/
+build/
+*.egg-info/
+
+# Virtual environments
+.venv/
+venv/
+env/
+
+# OS-specific files
+.DS_Store
+Thumbs.db
+desktop.ini
+
+# IDE directories
+.vscode/
+.idea/
+*.swp
+*.swo
+*~
+
+# Logs and databases
+*.log
+*.db
+*.sqlite

.gitattributes

@@ -0,0 +1 @@
+kitty-specs/**/status.events.jsonl merge=spec-kitty-event-log

.github/workflows/validate.yml

@@ -18,7 +18,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        template: [user-defined-web, drupal-core, drupal-contrib, freeform]
+        template: [user-defined-web, drupal-core, freeform]
       fail-fast: false
     steps:
       - uses: actions/checkout@v6

.gitignore

@@ -9,3 +9,32 @@ __pycache__/
 
 # Temp files
 composer.json.tmp
+
+# Added by Spec Kitty CLI (auto-managed)
+.claude/
+.codex/
+.vibe/
+.opencode/
+.windsurf/
+.gemini/
+.cursor/
+.qwen/
+.kilocode/
+.augment/
+.roo/
+.amazonq/
+.kiro/
+.agent/
+.github/copilot/
+.kittify/.dashboard
+.kittify/charter/context-state.json
+.kittify/charter/directives.yaml
+.kittify/charter/governance.yaml
+.kittify/charter/metadata.yaml
+.kittify/charter/references.yaml
+.kittify/dossiers/
+.kittify/events/
+.kittify/merge-state.json
+.kittify/missions/__pycache__/
+.kittify/runtime/
+.kittify/workspaces/

.kittify/charter/charter.md

@@ -0,0 +1,77 @@
+# Project Charter
+
+<!-- Generated by `spec-kitty charter generate` -->
+
+Generated: 2026-05-07T16:47:53Z
+
+## Testing Standards
+
+- Integration tests are BATS scripts that run against a live staging Coder instance (staging-coder.ddev.com) before any deployment to production. Plan-level tests use `terraform test` (no real infrastructure required). CI also runs `terraform fmt -check -recursive` and `terraform validate` for each touched template. There is no unit-test coverage percentage target — correctness is verified by staging promotion.
+
+
+## Quality Gates
+
+- All changes require a pull request. CI must pass before merge. CI gates: `terraform fmt -check`, `terraform validate`, `terraform test` for each template. Integration test scripts run against staging before promoting to production. No direct commits to main.
+
+
+## Performance Benchmarks
+
+- No quantitative latency targets. Workspace startup should complete within a reasonable time (under 5 minutes) as a qualitative target. CLI commands (terraform, make) should not timeout during CI runs.
+
+
+## Branch Strategy
+
+- Every change requires a pull request. Single maintainer project currently, but PRs still required for traceability and CI gating. Conventional commit messages are preferred.
+
+- Deployment constraints: Two environments: staging-coder.ddev.com and production coder.ddev.com. Templates are promoted staging → production only after integration tests pass on staging. The main branch reflects the production-ready state. Feature branches are used for all development work.
+
+
+## Governance Activation
+
+```yaml
+mission: software-dev
+selected_paradigms: []
+selected_directives: []
+available_tools: [git, spec-kitty]
+template_set: software-dev-default
+```
+
+## Policy Summary
+
+- Intent: Manage and deploy coder.ddev.com — a cloud-hosted DDEV environment for web developers. The project owns the Coder workspace templates (Terraform HCL), the base Docker image, and the supporting shell scripts that enable Docker-in-Docker development via Sysbox runtime. A breaking change means developers cannot create or use workspaces; risk level is high for end users who depend on the service.
+
+- Languages/Frameworks: Terraform (HCL), Shell (Bash), Dockerfile (Ubuntu 24.04 base), bats-core (BATS test framework for shell-level integration tests), Go toolchain (available in image for future use).
+
+- Testing: Integration tests are BATS scripts that run against a live staging Coder instance (staging-coder.ddev.com) before any deployment to production. Plan-level tests use `terraform test` (no real infrastructure required). CI also runs `terraform fmt -check -recursive` and `terraform validate` for each touched template. There is no unit-test coverage percentage target — correctness is verified by staging promotion.
+
+- Quality Gates: All changes require a pull request. CI must pass before merge. CI gates: `terraform fmt -check`, `terraform validate`, `terraform test` for each template. Integration test scripts run against staging before promoting to production. No direct commits to main.
+
+- Review Policy: Every change requires a pull request. Single maintainer project currently, but PRs still required for traceability and CI gating. Conventional commit messages are preferred.
+
+- Performance Targets: No quantitative latency targets. Workspace startup should complete within a reasonable time (under 5 minutes) as a qualitative target. CLI commands (terraform, make) should not timeout during CI runs.
+
+- Deployment Constraints: Two environments: staging-coder.ddev.com and production coder.ddev.com. Templates are promoted staging → production only after integration tests pass on staging. The main branch reflects the production-ready state. Feature branches are used for all development work.
+
+
+## Project Directives
+
+1. Respect risk boundaries: High-risk changes: modifications to startup scripts, Sysbox runtime configuration, Docker daemon setup, or base image layers — these affect all workspaces. Medium-risk: template variable changes or new templates. Low-risk: documentation, Makefile targets, version bumps. Any change that affects running workspaces requires staging validation.
+
+2. Keep documentation synchronized with workflow and behavior changes.
+
+## Reference Index
+
+| Reference ID | Kind | Summary | Local Doc |
+|---|---|---|---|
+| `USER:PROJECT_PROFILE` | user_profile | Project-specific interview answers captured for charter compilation. | `_LIBRARY/user-project-profile.md` |
+| `TEMPLATE_SET:software-dev-default` | template_set | Build high-quality software with structured workflows and test-driven development | `_LIBRARY/template-set-software-dev-default.md` |
+
+## Amendment Process
+
+Charter amendments follow the same PR process as code changes. Significant governance changes should be discussed in the PR description.
+
+
+## Exception Policy
+
+Hotfixes for production incidents may bypass staging testing with explicit maintainer acknowledgment in the PR, but must still pass CI.
+

.kittify/charter/interview/answers.yaml

@@ -0,0 +1,79 @@
+schema_version: "1.0.0"
+mission: "software-dev"
+profile: "comprehensive"
+answers:
+  project_intent: >
+    Manage and deploy coder.ddev.com — a cloud-hosted DDEV environment for
+    web developers. The project owns the Coder workspace templates (Terraform HCL),
+    the base Docker image, and the supporting shell scripts that enable
+    Docker-in-Docker development via Sysbox runtime. A breaking change means
+    developers cannot create or use workspaces; risk level is high for end users
+    who depend on the service.
+
+  languages_frameworks: >
+    Terraform (HCL), Shell (Bash), Dockerfile (Ubuntu 24.04 base),
+    bats-core (BATS test framework for shell-level integration tests),
+    Go toolchain (available in image for future use).
+
+  testing_requirements: >
+    Integration tests are BATS scripts that run against a live staging Coder
+    instance (staging-coder.ddev.com) before any deployment to production.
+    Plan-level tests use `terraform test` (no real infrastructure required).
+    CI also runs `terraform fmt -check -recursive` and `terraform validate`
+    for each touched template. There is no unit-test coverage percentage target —
+    correctness is verified by staging promotion.
+
+  quality_gates: >
+    All changes require a pull request. CI must pass before merge.
+    CI gates: `terraform fmt -check`, `terraform validate`, `terraform test`
+    for each template. Integration test scripts run against staging before
+    promoting to production. No direct commits to main.
+
+  review_policy: >
+    Every change requires a pull request. Single maintainer project currently,
+    but PRs still required for traceability and CI gating. Conventional commit
+    messages are preferred.
+
+  performance_targets: >
+    No quantitative latency targets. Workspace startup should complete within
+    a reasonable time (under 5 minutes) as a qualitative target. CLI commands
+    (terraform, make) should not timeout during CI runs.
+
+  deployment_constraints: >
+    Two environments: staging-coder.ddev.com and production coder.ddev.com.
+    Templates are promoted staging → production only after integration tests
+    pass on staging. The main branch reflects the production-ready state.
+    Feature branches are used for all development work.
+
+  documentation_policy: >
+    User-facing documentation lives in /docs/. CLAUDE.md documents developer
+    and contributor guidance. Changes to template behavior or CLI commands
+    must be reflected in docs before merge. Doc-only changes are low-risk
+    but still require PRs.
+
+  risk_boundaries: >
+    High-risk changes: modifications to startup scripts, Sysbox runtime
+    configuration, Docker daemon setup, or base image layers — these affect
+    all workspaces. Medium-risk: template variable changes or new templates.
+    Low-risk: documentation, Makefile targets, version bumps.
+    Any change that affects running workspaces requires staging validation.
+
+  amendment_process: >
+    Charter amendments follow the same PR process as code changes.
+    Significant governance changes should be discussed in the PR description.
+
+  exception_policy: >
+    Hotfixes for production incidents may bypass staging testing with explicit
+    maintainer acknowledgment in the PR, but must still pass CI.
+
+selected_paradigms: []
+
+selected_directives: []
+
+available_tools:
+  - git
+  - spec-kitty
+  - terraform
+  - docker
+  - make
+  - bats

.kittify/config.yaml

@@ -0,0 +1,11 @@
+vcs:
+  type: git
+agents:
+  available:
+  - claude
+  auto_commit: true
+project:
+  uuid: 595dcc83-8eee-4a87-8644-84d94a4b531c
+  slug: coder-ddev
+  node_id: a1b8182ad705
+  build_id: ea439b9d-ce91-4e8c-a458-0f28a54b80bc