docs: refine Security Batch governance hooks and CI smoke-fast schedule

.github/ISSUE_TEMPLATE/security-batch.yml

@@ -0,0 +1,91 @@
+name: Security Batch
+description: Recurring sprint issue for security dashboard triage, CIS benchmark checks, and CI readiness.
+title: "Security Batch: YYYY-MM-DD"
+labels:
+  - "type:security"
+  - "area:security"
+  - "lane:security"
+assignees: []
+body:
+  - type: markdown
+    attributes:
+      value: |
+        ## Security Batch Sprint
+        Use this template to run the recurring security batch. Reference:
+        - Runbook: docs/security/SECURITY_BATCH.md
+        - CIS checks: docs/security/SECURITY_CIS.md
+        - Readiness authority: docs/SUMMIT_READINESS_ASSERTION.md
+  - type: input
+    id: sprint-window
+    attributes:
+      label: Sprint window
+      description: Planned dates for this security batch.
+      placeholder: "2026-02-10 → 2026-02-24"
+    validations:
+      required: true
+  - type: input
+    id: owner
+    attributes:
+      label: Owner
+      description: Primary accountable owner for this batch.
+      placeholder: "@security-lead"
+    validations:
+      required: true
+  - type: input
+    id: dashboard-review
+    attributes:
+      label: Security dashboard review
+      description: Link to GitHub security/code view review and timestamp.
+      placeholder: "https://github.com/<org>/<repo>/security/code (reviewed YYYY-MM-DD)"
+    validations:
+      required: true
+  - type: input
+    id: cis-run
+    attributes:
+      label: CIS benchmark run evidence
+      description: Link to evidence artifact or report (must be ≤ 7 days old).
+      placeholder: "artifacts/security/cis-report-YYYY-MM-DD.md"
+    validations:
+      required: true
+  - type: textarea
+    id: acceptance-criteria
+    attributes:
+      label: Acceptance criteria
+      value: |
+        - [ ] No open **high/critical** alerts in GitHub `security/code` view.
+        - [ ] CIS benchmark run completed in the last 7 days and archived.
+        - [ ] CI green on `.github/workflows/ci.yml` for touched components.
+        - [ ] Security batch findings logged as follow-on issues.
+    validations:
+      required: true
+  - type: textarea
+    id: execution-log
+    attributes:
+      label: Execution log
+      description: Capture commands, evidence links, and notes.
+      placeholder: |
+        - Command: ./scripts/security-hardening-suite.sh (CIS validation)
+        - Evidence: <link>
+        - Notes: ...
+    validations:
+      required: true
+  - type: textarea
+    id: governed-exceptions
+    attributes:
+      label: Governed Exceptions
+      description: List approved exceptions with links to approval records (if any).
+      placeholder: |
+        - Exception ID: EX-YYYY-###
+          Approval: <link>
+          Scope: <scope>
+    validations:
+      required: true
+  - type: checkboxes
+    id: verification
+    attributes:
+      label: Verification
+      options:
+        - label: CI workflow results reviewed (ci.yml)
+        - label: CIS benchmark evidence attached
+        - label: Security dashboard alerts triaged
+        - label: Follow-on issues created and labeled lane:security

.github/labels.json

@@ -94,6 +94,21 @@
     "color": "e11d21",
     "description": "Security/compliance"
   },
+  {
+    "name": "lane:security",
+    "color": "0b7285",
+    "description": "Security program lane"
+  },
+  {
+    "name": "lane:bizdev",
+    "color": "6f42c1",
+    "description": "Business development lane"
+  },
+  {
+    "name": "lane:infra",
+    "color": "1d76db",
+    "description": "Infrastructure lane"
+  },
   {
     "name": "area:release",
     "color": "f9d0c4",

.github/labels.yml

@@ -55,6 +55,15 @@
 - name: "area:security"
   color: "e11d21"
   description: "Security and compliance"
+- name: "lane:security"
+  color: "0b7285"
+  description: "Security program lane"
+- name: "lane:bizdev"
+  color: "6f42c1"
+  description: "Business development lane"
+- name: "lane:infra"
+  color: "1d76db"
+  description: "Infrastructure lane"
 - name: "area:release"
   color: "f9d0c4"
   description: "Release management and gating"

.github/workflows/ci.yml

@@ -6,6 +6,8 @@ on:
     branches: [ main ]
     paths-ignore:
       - "**/*.md"
+  schedule:
+    - cron: "0 3 * * *"
 
 concurrency:
   group: ci-${{ github.ref }}
@@ -24,8 +26,6 @@ jobs:
     timeout-minutes: 5
     steps:
       - uses: actions/checkout@v4
-      - name: Setup pnpm
-        uses: pnpm/action-setup@v4
       - name: Setup pnpm
         uses: pnpm/action-setup@v4
       - name: Validate Jest & pnpm Configuration
@@ -72,11 +72,6 @@ jobs:
     needs: [typecheck]
     steps:
       - uses: actions/checkout@v4
-      - name: Setup Node
-        uses: actions/setup-node@v4
-        with:
-          node-version-file: .nvmrc
-          cache: "pnpm"
       - name: Setup Node
         uses: actions/setup-node@v4
         with:
@@ -103,6 +98,25 @@ jobs:
           name: coverage-report
           path: server/coverage/
 
+  smoke-fast:
+    name: Smoke (Fast)
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    needs: [typecheck]
+    steps:
+      - uses: actions/checkout@v4
+      - name: Setup Node
+        uses: actions/setup-node@v4
+        with:
+          node-version-file: .nvmrc
+          cache: "pnpm"
+      - name: Setup pnpm
+        uses: pnpm/action-setup@v4
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+      - name: Smoke (GA)
+        run: pnpm ga:smoke
+
   integration-test:
     runs-on: ubuntu-latest
     timeout-minutes: 5

CONTRIBUTING.md

@@ -40,6 +40,18 @@ For ready-to-use templates that keep issues and PRs crisp, copy the relevant pla
   - `fix/graph/node-expansion-crash`
   - `docs/api/update-schema`
 
+#### Lane Labels & Definitions of Done
+
+We use lane labels to keep workstreams explicit and to enforce lane-specific definitions of done.
+
+- **`lane:security`**: Security batch sprints, dashboard triage, CIS benchmark checks, and
+  remediation planning.
+  - **Done**: Security dashboard reviewed, CIS run ≤ 7 days old, follow-on issues filed, CI green.
+- **`lane:bizdev`**: Business development commitments, partner enablement, and GTM collateral.
+  - **Done**: Stakeholder signoff and artifacts delivered (proposal, deck, or contract).
+- **`lane:infra`**: Infrastructure readiness, environments, and deployment automation.
+  - **Done**: Change validated in target environment with rollback evidence.
+
 ### 2. Making Changes
 
 - **Atomic PRs**: One feature or fix per PR. Avoid "kitchen sink" PRs.

docs/roadmap/STATUS.json

@@ -1,6 +1,6 @@
 {
-  "last_updated": "2026-02-07T00:00:00Z",
-  "revision_note": "Added Summit PR Stack Sequencer skill scaffolding.",
+  "last_updated": "2026-02-08T02:37:52Z",
+  "revision_note": "Refined security batch governance references and governed exception capture.",
   "initiatives": [
     {
       "id": "adenhq-hive-subsumption-lane1",

docs/security/SECURITY_BATCH.md

@@ -0,0 +1,36 @@
+# Security Batch Runbook
+
+**Purpose:** Standardize recurring security batch sprints for dashboard triage, CIS benchmark
+validation, and remediation intake.
+
+## References
+
+- Primary playbook: [SECURITY_BATCH_1_PLAYBOOK.md](SECURITY_BATCH_1_PLAYBOOK.md)
+- CIS benchmark guidance: [SECURITY_CIS.md](SECURITY_CIS.md)
+- Security pipeline controls: [security-pipeline.md](security-pipeline.md)
+- Readiness authority: [SUMMIT_READINESS_ASSERTION.md](../SUMMIT_READINESS_ASSERTION.md)
+
+## Execution Steps
+
+1. **Open the Security Batch issue** using the `Security Batch` issue template.
+2. **Review GitHub Security Dashboard** (`/security/code`):
+   - Triage all high/critical alerts.
+   - Link each alert to a follow-on issue labeled `lane:security`.
+3. **Run CIS benchmark validation** using the CIS runbook and capture evidence artifacts.
+4. **Verify CI health** for `.github/workflows/ci.yml` on touched components.
+5. **Record outcomes** in the batch issue:
+   - Evidence links
+   - Exceptions (if any) as **Governed Exceptions** with links to approval records
+   - Follow-on issue links
+
+## Acceptance Criteria
+
+- No open high/critical alerts in GitHub `security/code` view.
+- Latest CIS benchmark run ≤ 7 days old and archived.
+- CI green for `ci.yml` on touched components.
+- Follow-on issues created and labeled `lane:security`.
+
+## Escalation
+
+Escalate unresolved high/critical alerts to Security Leadership and Release Captain per
+[SECURITY_OPERATIONS.md](SECURITY_OPERATIONS.md).

docs/security/SECURITY_CIS.md

@@ -0,0 +1,37 @@
+# CIS Benchmark Validation Runbook
+
+**Purpose:** Provide a repeatable, auditable CIS benchmark validation procedure for Summit.
+
+## Preconditions
+
+- Access to the target Kubernetes cluster context.
+- `kubectl`, `trivy`, and `cosign` installed in the execution environment.
+- Read access to `scripts/security-hardening-suite.sh`.
+
+## Primary Run
+
+Use the security hardening suite to perform baseline CIS validation and related checks:
+
+```bash
+./scripts/security-hardening-suite.sh
+```
+
+This suite performs the following CIS-aligned checks:
+
+- Pod Security Standards enforcement.
+- Network policy coverage inspection.
+- Privileged container detection.
+- Image signature validation via `cosign`.
+- RBAC permission validation.
+- Vulnerability scan via `trivy`.
+
+## Evidence Capture
+
+- Save the generated `security-hardening-report-<timestamp>.md` to the security evidence store.
+- Attach the report link in the Security Batch issue template under **CIS benchmark run evidence**.
+
+## Validation Cadence
+
+- **Requirement:** Latest CIS benchmark run must be ≤ 7 days old.
+- **Failure Handling:** Record deviations as **Governed Exceptions** with approval links and open a
+  follow-on issue labeled `lane:security`.