Integration: merge all approved PRs (hardening, CI, reliability, performance, features)

.github/pull_request_template.md

@@ -8,11 +8,11 @@
 
 ## Validation
 
-- [ ] `npm run lint`
-- [ ] `npm run typecheck`
-- [ ] `npm test`
+- [ ] `npm run verify`
 - [ ] `npm test -- test/documentation.test.ts`
-- [ ] `npm run build`
+- [ ] if triaging failures, validated component gates: `npm run lint`, `npm run verify:repo`, `npm run verify:quality`, `npm run typecheck`, `npm test`, `npm run build`
+- [ ] `npm run doctor:dev` (when troubleshooting setup/environment issues)
+- [ ] `npm run setup:dev` (for first-clone reproducibility checks)
 
 ## Docs and Governance Checklist
 

.github/settings.yml

@@ -0,0 +1,23 @@
+branches:
+  - name: main
+    protection:
+      required_pull_request_reviews:
+        required_approving_review_count: 1
+        require_code_owner_reviews: false
+        dismiss_stale_reviews: true
+      required_status_checks:
+        strict: true
+        checks:
+          - context: "CI / Test on Node.js 20.x"
+          - context: "CI / Test on Node.js 22.x"
+          - context: "CI / Coverage Gate"
+          - context: "CI / Lint"
+          - context: "CI / Codex Compatibility Smoke"
+          - context: "CI / Cross-Platform Smoke (windows-latest)"
+          - context: "CI / Cross-Platform Smoke (macos-latest)"
+          - context: "CodeQL / Analyze"
+          - context: "Secret Scan / Gitleaks"
+          - context: "Supply Chain / Dependency Review"
+          - context: "Supply Chain / SCA and License Gate"
+      enforce_admins: true
+      restrictions: null

.github/workflows/ci.yml

@@ -2,18 +2,28 @@ name: CI
 
 on:
   push:
-    branches: [main]
+    branches: [main, dev]
   pull_request:
-    branches: [main]
+    branches: [main, dev]
+
+concurrency:
+  group: ci-${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
 
 jobs:
   test:
-    name: Test on Node.js ${{ matrix.node-version }}
-    runs-on: ubuntu-latest
+    name: Test on Node.js ${{ matrix.node-version }} (${{ matrix.os }})
+    runs-on: ${{ matrix.os }}
+    timeout-minutes: 30
 
     strategy:
+      fail-fast: false
       matrix:
         node-version: [20.x, 22.x]
+        os: [ubuntu-latest]
+        include:
+          - node-version: 20.x
+            os: windows-latest
 
     steps:
       - name: Checkout code
@@ -23,37 +33,42 @@ jobs:
         uses: actions/setup-node@v4
         with:
           node-version: ${{ matrix.node-version }}
-          cache: 'npm'
+          cache: npm
 
       - name: Install dependencies
         run: npm ci
 
-      - name: Repository hygiene check
-        run: npm run clean:repo:check
-
-      - name: Security audit (CI policy)
-        run: npm run audit:ci
-
-      - name: Lockfile floor guard
-        run: npm run test -- test/lockfile-version-floor.test.ts
+      - name: Run CI verify pipeline
+        run: npm run verify:ci
 
       - name: Security audit (full dependency tree, non-blocking)
         continue-on-error: true
         run: npm run audit:all
 
-      - name: Run type check
-        run: npm run typecheck
+      - name: Generate and verify SBOM
+        run: |
+          npm run sbom:generate
+          npm run sbom:verify
 
-      - name: Run tests with coverage
-        run: npm run coverage
+      - name: Assert keychain mode storage contract
+        run: npm run ops:keychain-assert
 
-      - name: Build
-        run: npm run build
+      - name: Seed enterprise health fixture
+        run: |
+          node scripts/seed-health-fixture.js
+
+      - name: Enterprise health check
+        env:
+          CODEX_MULTI_AUTH_DIR: ${{ github.workspace }}/.tmp/health-fixture
+        run: npm run ops:health-check -- --require-files
+
+      - name: Performance budget check
+        run: npm run perf:budget-check
 
   lint:
     name: Lint
-
     runs-on: ubuntu-latest
+    timeout-minutes: 20
 
     steps:
       - name: Checkout code
@@ -63,17 +78,21 @@ jobs:
         uses: actions/setup-node@v4
         with:
           node-version: 20.x
-          cache: 'npm'
+          cache: npm
 
       - name: Install dependencies
         run: npm ci
 
-      - name: Run ESLint
+      - name: Dev doctor sanity check
+        run: npm run doctor:dev
+
+      - name: Run lint and format checks
         run: npm run lint
 
   codex-compat:
     name: Codex Compatibility Smoke
     runs-on: ubuntu-latest
+    timeout-minutes: 20
 
     steps:
       - name: Checkout code
@@ -83,10 +102,41 @@ jobs:
         uses: actions/setup-node@v4
         with:
           node-version: 20.x
-          cache: 'npm'
+          cache: npm
 
       - name: Install dependencies
         run: npm ci
 
       - name: Run Codex compatibility tests
         run: npm run test -- test/codex.test.ts test/host-codex-prompt.test.ts test/request-transformer.test.ts test/fetch-helpers.test.ts
+
+  cross-platform-smoke:
+    name: Cross-Platform Smoke (${{ matrix.os }})
+    runs-on: ${{ matrix.os }}
+
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [windows-latest, macos-latest]
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 20.x
+          cache: npm
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Run smoke typecheck
+        run: npm run typecheck
+
+      - name: Build
+        run: npm run build
+
+      - name: Run smoke tests
+        run: npm run test -- test/runtime-paths.test.ts test/codex-bin-wrapper.test.ts test/file-lock.test.ts test/background-jobs.test.ts

.github/workflows/recovery-drill.yml

@@ -0,0 +1,69 @@
+name: Recovery Drill
+
+on:
+  schedule:
+    - cron: "30 3 1 * *"
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  recovery-drill:
+    name: Monthly Storage Recovery Drill
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.ref }}
+      cancel-in-progress: false
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 20.x
+          cache: npm
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Build
+        run: npm run build
+
+      - name: Run recovery drill tests
+        run: |
+          mkdir -p .tmp
+          npm run ops:recovery-drill -- --reporter=default --reporter=json --outputFile=.tmp/recovery-drill-vitest.json
+
+      - name: Run health check snapshot
+        run: node scripts/enterprise-health-check.js > .tmp/recovery-drill-health.json 2>&1
+
+      - name: Upload recovery drill artifacts
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: recovery-drill-artifacts
+          path: |
+            .tmp/recovery-drill-vitest.json
+            .tmp/recovery-drill-health.json
+
+      - name: Notify recovery drill failure
+        if: failure()
+        env:
+          RECOVERY_DRILL_WEBHOOK_URL: ${{ secrets.RECOVERY_DRILL_WEBHOOK_URL }}
+          RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
+        run: |
+          message="Recovery drill failed. Run: ${RUN_URL}. Artifacts: .tmp/recovery-drill-vitest.json and .tmp/recovery-drill-health.json."
+          if [[ -n "${RECOVERY_DRILL_WEBHOOK_URL:-}" ]]; then
+            payload=$(jq -n --arg msg "${message}" '{"text": $msg}')
+            curl --fail --silent --show-error \
+              --max-time 30 \
+              -X POST \
+              -H "Content-Type: application/json" \
+              --data "${payload}" \
+              "${RECOVERY_DRILL_WEBHOOK_URL}"
+          else
+            echo "::warning::${message} Configure secrets.RECOVERY_DRILL_WEBHOOK_URL for push notifications."
+          fi

.github/workflows/release-provenance.yml

@@ -0,0 +1,59 @@
+name: Release Publish (Provenance)
+
+on:
+  workflow_dispatch:
+  release:
+    types: [published]
+
+permissions:
+  contents: read
+  id-token: write
+
+jobs:
+  publish:
+    name: Publish with npm provenance
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 20.x
+          registry-url: https://registry.npmjs.org
+          cache: npm
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Validate quality gates
+        env:
+          CODEX_MULTI_AUTH_DIR: ${{ github.workspace }}/.tmp/health-fixture
+        run: |
+          mkdir -p "${GITHUB_WORKSPACE}/.tmp/health-fixture/logs"
+          printf '{"version":3,"accounts":[],"activeIndex":0}\n' > "${GITHUB_WORKSPACE}/.tmp/health-fixture/openai-codex-accounts.json"
+          printf '{"version":1,"pluginConfig":{},"dashboardDisplaySettings":{}}\n' > "${GITHUB_WORKSPACE}/.tmp/health-fixture/settings.json"
+          printf '{"timestamp":"%s","action":"request.start","outcome":"success"}\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" > "${GITHUB_WORKSPACE}/.tmp/health-fixture/logs/audit.log"
+          npm run audit:ci
+          npm run ops:health-check -- --require-files
+          npm run perf:budget-check
+          npm run lint
+          npm run typecheck
+          npm run build
+          npm test
+          npm run ops:keychain-assert
+          npm run sbom:generate
+          npm run sbom:verify
+          node scripts/compliance-evidence-bundle.js --profile=quick --out-dir=.tmp/compliance-evidence-release
+
+      - name: Upload release evidence bundle
+        uses: actions/upload-artifact@v4
+        with:
+          name: release-evidence-bundle
+          path: .tmp/compliance-evidence-release
+
+      - name: Publish package with provenance
+        run: npm publish --provenance --access public
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

.github/workflows/retention-maintenance.yml

@@ -0,0 +1,48 @@
+name: Retention Maintenance
+
+on:
+  schedule:
+    - cron: "15 2 * * 0"
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  retention:
+    name: Weekly Retention Cleanup Drill
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set retention root
+        run: echo "CODEX_MULTI_AUTH_DIR=${{ runner.temp }}/codex-retention-root" >> "$GITHUB_ENV"
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 20.x
+          cache: npm
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Prepare retention fixture
+        run: |
+          node -e "const fs=require('fs'); const path=require('path'); const root=process.env.CODEX_MULTI_AUTH_DIR; const logs=path.join(root,'logs','codex-plugin'); const cache=path.join(root,'cache'); const recovery=path.join(root,'recovery'); fs.mkdirSync(logs,{recursive:true}); fs.mkdirSync(cache,{recursive:true}); fs.mkdirSync(recovery,{recursive:true}); const oldFile=path.join(logs,'old-audit.log'); const newFile=path.join(cache,'fresh-cache.json'); fs.writeFileSync(oldFile,'old'); fs.writeFileSync(newFile,'new'); const oldTime=new Date(Date.now()-120*24*60*60*1000); fs.utimesSync(oldFile,oldTime,oldTime);"
+
+      - name: Run retention cleanup
+        run: |
+          mkdir -p .tmp
+          node scripts/retention-cleanup.js --days=90 > .tmp/retention-report.json
+
+      - name: Verify retention fixture cleanup
+        run: |
+          node -e "const fs=require('fs'); const path=require('path'); const root=process.env.CODEX_MULTI_AUTH_DIR; const oldFile=path.join(root,'logs','codex-plugin','old-audit.log'); const newFile=path.join(root,'cache','fresh-cache.json'); if(fs.existsSync(oldFile)){console.error('expected old file to be deleted'); process.exit(1);} if(!fs.existsSync(newFile)){console.error('expected fresh file to remain'); process.exit(1);} console.log('retention verification passed');"
+
+      - name: Upload retention report
+        uses: actions/upload-artifact@v4
+        with:
+          name: retention-maintenance-report
+          path: .tmp/retention-report.json