KooshaPari · KooshaPari · Mar 25, 2026 · Mar 2, 2026 · Mar 2, 2026 · Mar 2, 2026
diff --git a/.github/scripts/security-guard.sh b/.github/scripts/security-guard.sh
@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+cd "$(git rev-parse --show-toplevel)"
+
+if command -v ggshield >/dev/null 2>&1; then
+  GGSHIELD=(ggshield)
+elif command -v uvx >/dev/null 2>&1; then
+  GGSHIELD=(uvx ggshield)
+elif command -v uv >/dev/null 2>&1; then
+  GGSHIELD=(uv tool run ggshield)
+else
+  echo "ERROR: ggshield not installed. Install with: pipx install ggshield or uv tool install ggshield" >&2
+  exit 1
+fi
+
+echo "[security-guard] Running ggshield secret scan"
+"${GGSHIELD[@]}" secret scan pre-commit
+
+if command -v codespell >/dev/null 2>&1; then
+  changed_files=$(git diff --cached --name-only --diff-filter=ACM || true)
+  if [ -z "${changed_files}" ]; then
+    changed_files=$(git diff --name-only HEAD~1..HEAD 2>/dev/null || true)
+  fi
+
+  if [ -n "${changed_files}" ]; then
+    echo "[security-guard] Running optional codespell fast pass"
+    echo "${changed_files}" |       grep -E '\.(md|txt|py|ts|tsx|js|go|rs|kt|java|yaml|yml)$' |       xargs -r codespell -q 2 -L "hte,teh" || true
+  fi
+fi
diff --git a/docs/agent-policy/effective-policy.json b/docs/agent-policy/effective-policy.json
@@ -0,0 +1,323 @@
+{
+  "applied_layers": [
+    {
+      "policy": {
+        "agent_governance": {
+          "ci": {
+            "dry_run_first": true,
+            "require_gates": true
+          },
+          "consent_rules": {
+            "destructive_actions": "ask",
+            "network_access": "ask_on_unknown_hosts"
+          },
+          "policy_files": {
+            "must_read": [
+              "AGENTS.md",
+              "CLAUDE.md"
+            ],
+            "required_sections": [
+              "security",
+              "testing",
+              "deployment",
+              "handoff"
+            ]
+          },
+          "required_mode": "production_ready"
+        },
+        "telemetry": {
+          "capture": true,
+          "retention_days": 90
+        }
+      }
+    },
+    {
+      "policy": {
+        "compliance": {
+          "sensitive_file_guard": [
+            "secrets.yml",
+            "config/secrets.json",
+            ".env"
+          ]
+        },
+        "security": {
+          "allow_branch_force_push": false,
+          "allow_destructive_commands": false,
+          "allow_root_writes": false,
+          "secret_scan": true
+        }
+      }
+    },
+    {
+      "policy": {
+        "agent_governance": {
+          "auto_loop": true,
+          "default_prompt_depth": "full",
+          "handoff_note": "handoff_required_on: [tooling_change, governance_change]",
+          "research_first": true
+        },
+        "ci": {
+          "require_gates": true,
+          "smoke_first": true
+        }
+      }
+    },
+    {
+      "policy": {
+        "harness": {
+          "capabilities": {
+            "executor": "task",
+            "parallel_agents": "high"
+          },
+          "name": "Factory-Droid",
+          "routing": {
+            "escalation_on": [
+              "token_budget",
+              "policy_violation"
+            ],
+            "escalation_to": "human"
+          },
+          "tool_contracts": {
+            "shell": {
+              "forbidden_default": [
+                "git commit --amend",
+                "git push --force"
+              ],
+              "requires_signed_artifact": true
+            }
+          }
+        }
+      }
+    },
+    {
+      "policy": {
+        "repo": {
+          "governance": {
+            "policy_federation": {
+              "enforced": true,
+              "required": true
+            }
+          },
+          "policy_hints": {
+            "default_scope": "agentops",
+            "managed_by": "agent-devops-setups"
+          }
+        }
+      }
+    },
+    {
+      "policy": {
+        "task_domain": {
+          "name": "devops",
+          "pipelines": {
+            "ci": {
+              "must_have_witness": true,
+              "required_gate_state": "pass"
+            },
+            "release": {
+              "require_artifact_trace": true,
+              "require_changelog": false
+            }
+          }
+        }
+      }
+    },
+    {
+      "policy": {
+        "extensions": {
+          "codex-gate": {
+            "agent_governance": {
+              "command_policy": {
+                "require_closure_check": true,
+                "required_readme_updates": true
+              },
+              "handoff": {
+                "auto_summary": true
+              }
+            },
+            "telemetry": {
+              "track_pipeline": true
+            }
+          }
+        }
+      }
+    },
+    {
+      "policy": {
+        "extensions": {
+          "agentops-ci": {
+            "ci": {
+              "artifact_retention_days": 60,
+              "default_matrix_size": "small",
+              "required_checks": [
+                "policy-gate",
+                "lint",
+                "test",
+                "types"
+              ]
+            },
+            "policy": {
+              "audit_before_merge": true
+            }
+          }
+        }
+      }
+    }
+  ],
+  "audit": {
+    "files": [
+      "system/base.json",
+      "system/security-guard.json",
+      "user/core-operator.json",
+      "harness/factory-droid.json",
+      "repo/default.json",
+      "task-domain/devops.json",
+      "extensions/manifests/codex-gate.json",
+      "extensions/manifests/agentops-ci.json"
+    ],
+    "generated_at": "2026-03-02T08:03:24.250589+00:00",
+    "policy_digest": "a41a9f5202906e7af00f298514375adee1bfb5646a074b9d7e5aae78d55ae2ad",
+    "policy_signature": ""
+  },
+  "policy": {
+    "agent_governance": {
+      "auto_loop": true,
+      "ci": {
+        "dry_run_first": true,
+        "require_gates": true
+      },
+      "consent_rules": {
+        "destructive_actions": "ask",
+        "network_access": "ask_on_unknown_hosts"
+      },
+      "default_prompt_depth": "full",
+      "handoff_note": "handoff_required_on: [tooling_change, governance_change]",
+      "policy_files": {
+        "must_read": [
+          "AGENTS.md",
+          "CLAUDE.md"
+        ],
+        "required_sections": [
+          "security",
+          "testing",
+          "deployment",
+          "handoff"
+        ]
+      },
+      "required_mode": "production_ready",
+      "research_first": true
+    },
+    "ci": {
+      "require_gates": true,
+      "smoke_first": true
+    },
+    "compliance": {
+      "sensitive_file_guard": [
+        "secrets.yml",
+        "config/secrets.json",
+        ".env"
+      ]
+    },
+    "extensions": {
+      "agentops-ci": {
+        "ci": {
+          "artifact_retention_days": 60,
+          "default_matrix_size": "small",
+          "required_checks": [
+            "policy-gate",
+            "lint",
+            "test",
+            "types"
+          ]
+        },
+        "policy": {
+          "audit_before_merge": true
+        }
+      },
+      "codex-gate": {
+        "agent_governance": {
+          "command_policy": {
+            "require_closure_check": true,
+            "required_readme_updates": true
+          },
+          "handoff": {
+            "auto_summary": true
+          }
+        },
+        "telemetry": {
+          "track_pipeline": true
+        }
+      }
+    },
+    "harness": {
+      "capabilities": {
+        "executor": "task",
+        "parallel_agents": "high"
+      },
+      "name": "Factory-Droid",
+      "routing": {
+        "escalation_on": [
+          "token_budget",
+          "policy_violation"
+        ],
+        "escalation_to": "human"
+      },
+      "tool_contracts": {
+        "shell": {
+          "forbidden_default": [
+            "git commit --amend",
+            "git push --force"
+          ],
+          "requires_signed_artifact": true
+        }
+      }
+    },
+    "repo": {
+      "governance": {
+        "policy_federation": {
+          "enforced": true,
+          "required": true
+        }
+      },
+      "policy_hints": {
+        "default_scope": "agentops",
+        "managed_by": "agent-devops-setups"
+      }
+    },
+    "security": {
+      "allow_branch_force_push": false,
+      "allow_destructive_commands": false,
+      "allow_root_writes": false,
+      "secret_scan": true
+    },
+    "task_domain": {
+      "name": "devops",
+      "pipelines": {
+        "ci": {
+          "must_have_witness": true,
+          "required_gate_state": "pass"
+        },
+        "release": {
+          "require_artifact_trace": true,
+          "require_changelog": false
+        }
+      }
+    },
+    "telemetry": {
+      "capture": true,
+      "retention_days": 90
+    }
+  },
+  "resolver_version": "agent-devops-setups/federation-v1",
+  "scope": {
+    "extensions": [
+      "codex-gate",
+      "agentops-ci"
+    ],
+    "harness": "factory-droid",
+    "repo": "cliproxyapi++",
+    "system": "base,security-guard",
+    "task_domain": "devops",
+    "user": "core-operator"
+  }
+}
diff --git a/docs/agent-policy/sources.json b/docs/agent-policy/sources.json
@@ -0,0 +1,10 @@
+[
+  "system/base.json",
+  "system/security-guard.json",
+  "user/core-operator.json",
+  "harness/factory-droid.json",
+  "repo/default.json",
+  "task-domain/devops.json",
+  "extensions/manifests/codex-gate.json",
+  "extensions/manifests/agentops-ci.json"
+]