fix: converge governance gates and cognitive security contracts

[BrianCLong]

Supersedes closed #22298. Continuing governance and CI convergence on the live branch tip. Branch-triggered workflow runs on fix/golden-main-governance-convergence-20260331 are the authoritative signal while checks settle on the new PR object.

[gemini-code-assist]

Warning

You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again!

[coderabbitai]

Important

Review skipped

Too many files!

This PR contains 185 files, which is 35 over the limit of 150.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 122ac21c-ce4e-4696-aad4-01fcfd0134cb

📥 Commits

Reviewing files that changed from the base of the PR and between 55fb4d6 and fb4644c.

📒 Files selected for processing (185)

• .github/actions/setup-pnpm/action.yml
• .github/merge-queue-config.json
• .github/required-checks.manifest.json
• .github/required-checks.yml
• .github/scripts/run-agent-graph-check.ts
• .github/workflows/_baseline.yml
• .github/workflows/_canary-rollback.yml
• .github/workflows/_golden-path-pipeline.yml
• .github/workflows/_policy-enforcer.yml
• .github/workflows/_reusable-build.yml
• .github/workflows/_reusable-ci.yml
• .github/workflows/_reusable-governance-gate.yml
• .github/workflows/_reusable-test.yml
• .github/workflows/admissibility-gate.yml
• .github/workflows/agent-evals.yml
• .github/workflows/artifact-integrity.yml
• .github/workflows/branch-protection-convergence.yml
• .github/workflows/branch-protection-drift.yml
• .github/workflows/build-and-attest.yml
• .github/workflows/build.yml
• .github/workflows/business-integrity.yml
• .github/workflows/ci-drift-sentinel.yml
• .github/workflows/ci-governance-module.yml
• .github/workflows/ci-governance.yml
• .github/workflows/ci-guard.yml
• .github/workflows/ci-hardened.yml
• .github/workflows/ci-security.yml
• .github/workflows/ci.yml
• .github/workflows/client-ci.yml
• .github/workflows/control-plane.yml
• .github/workflows/cosign-verify.yml
• .github/workflows/daily-benchmarks.yml
• .github/workflows/dataset-flywheel.yml
• .github/workflows/dependabot-auto-merge.yml
• .github/workflows/dependabot-policy-convergence.yml
• .github/workflows/dependabot-pr-gate.yml
• .github/workflows/design-drift.yml
• .github/workflows/docs-pages.yml
• .github/workflows/drift-sentinel.yml
• .github/workflows/e2e-smoke.yml
• .github/workflows/embedding-drift-gate.yml
• .github/workflows/enforce-release-trust.yml
• .github/workflows/enterprise-hardening.yml
• .github/workflows/evidence-ledger.yml
• .github/workflows/failure-domain-declaration.yml
• .github/workflows/failure-isolation.yml
• .github/workflows/failure-semantics.yml
• .github/workflows/ga-certification-guard.yml
• .github/workflows/ga-gate.yml
• .github/workflows/ga-verify.yml
• .github/workflows/gates.yml
• .github/workflows/governance-gate.yml
• .github/workflows/hardened-security-gate.yml
• .github/workflows/investigation-governance.yml
• .github/workflows/learning-ci-example.yml
• .github/workflows/lex-governance.yml
• .github/workflows/load-test.yml
• .github/workflows/merge-queue.yml
• .github/workflows/merge-surge.yml
• .github/workflows/monitoring.yml
• .github/workflows/pcpr-foundation-verify.yml
• .github/workflows/policy-learning.yml
• .github/workflows/post-ga-hardening-enforcement.yml
• .github/workflows/pr-attestation-gate.yml
• .github/workflows/pr-fast.yml
• .github/workflows/pr-gate.yml
• .github/workflows/pr-planner.yml
• .github/workflows/predictive-merge.yml
• .github/workflows/proof-gate.yml
• .github/workflows/prove-pr-sign.yml
• .github/workflows/release-ga.yml
• .github/workflows/release-train.yml
• .github/workflows/repostate.yml
• .github/workflows/schema-change-check.yml
• .github/workflows/security-gates.yml
• .github/workflows/slsa-provenance.yml
• .github/workflows/soc-controls.yml
• .github/workflows/telemetry-lineage-gates.yml
• .github/workflows/trust-drift-scan.yml
• .github/workflows/unit-test-coverage.yml
• .github/workflows/verify-approval-transparency.yml
• .github/workflows/workflow-lint.yml
• .repoos/control/spec.json
• .repoos/scripts/ci/validate_schemas.mjs
• charts/companyos/templates/admissibility-presync-job.yaml
• deploy/helm/summit/templates/admissibility-presync-job.yaml
• docs/DECISION_EXECUTION_TRACE.md
• docs/DECISION_VALIDITY_PROTOCOL.md
• docs/ecosystem/summit-partner-operations-appendix.md
• docs/ecosystem/summit-partner-operations.md
• docs/ga/FAILURE_CONTAINMENT_ARCHITECTURE.md
• docs/ga/FAILURE_CONTAINMENT_DOCTRINE.md
• docs/governance/REQUIRED_CHECKS_CONTRACT.yml
• docs/ops/summit-annual-planning-workbook.md
• docs/ops/summit-board-and-investor-update-templates.md
• docs/ops/summit-board-appendices.md
• docs/ops/summit-board-operating-pack.md
• docs/ops/summit-cognitive-operating-system.md
• docs/ops/summit-cognitive-strategic-advantage-playbook.md
• docs/ops/summit-company-okr-system.md
• docs/ops/summit-company-operating-manual.md
• docs/ops/summit-company-operating-rhythm.md
• docs/ops/summit-company-scorecard.md
• docs/ops/summit-customer-proof-and-evidence-standards.md
• docs/ops/summit-decision-log-and-exception-template.md
• docs/ops/summit-department-operating-charters.md
• docs/ops/summit-evidence-standards-appendix.md
• docs/ops/summit-finance-runway-operating-pack.md
• docs/ops/summit-finance-workbook-spec.md
• docs/ops/summit-founder-playbook.md
• docs/ops/summit-fundraising-and-data-room.md
• docs/ops/summit-fundraising-process-appendix.md
• docs/ops/summit-internal-academy-and-onboarding.md
• docs/ops/summit-internal-communications-and-escalation-playbook.md
• docs/ops/summit-kpi-to-decision-map.md
• docs/ops/summit-manager-and-hiring-scorecards.md
• docs/ops/summit-meeting-and-ritual-templates.md
• docs/ops/summit-product-and-gtm-interface-charter.md
• docs/ops/summit-scenario-planning-playbook.md
• docs/roadmap/STATUS.json
• docs/sales-toolkit/summit-customer-lifecycle-playbook.md
• docs/sales-toolkit/summit-customer-success-playbook.md
• docs/sales-toolkit/summit-enterprise-procurement-appendix.md
• docs/sales-toolkit/summit-enterprise-procurement-playbook.md
• docs/sales-toolkit/summit-qbr-and-ebr-pack.md
• docs/sales-toolkit/summit-renewal-and-expansion-playbook.md
• docs/sales-toolkit/summit-sales-enablement-kit.md
• docs/standards/CAC_v1.0.md
• docs/standards/cognitive-security-protocol-v0.1.md
• docs/standards/summit-attestation-bundle-v0.1.md
• docs/standards/summit-category-language-and-glossary.md
• docs/standards/summit-evidence-protocol.md
• governance/branch-protection.required.json
• governance/ga/required-checks.yaml
• k8s/argo/admissibility-presync-check.yaml
• k8s/base/kustomization.yaml
• k8s/policies/kyverno-admissibility-enforcement.yaml
• k8s/policies/kyverno-enforce-admissible-images.yaml
• k8s/server-deployment.yaml
• lib/admissibility.ts
• package.json
• policies/ops/containment-slo.yaml
• policies/ops/failure-domain-map.yaml
• policies/ops/failure-policy.yaml
• policies/ops/rollout-policy.yaml
• policies/ops/verified-properties.yaml
• policies/security/security_gates.yml
• policy/actions-allowlist.json
• policy/admissibility/prohibited-dependencies.json
• prompts/governance/governance-gates-and-cognitive-security-convergence@v1.md
• prompts/governance/governance-gates-and-cognitive-security-convergence@v1.sha256
• prompts/registry.yaml
• schemas/det.schema.json
• schemas/dvp.schema.json
• schemas/governance/attestation-subject.schema.json
• schemas/governance/blast-radius.schema.json
• schemas/governance/containment-report.schema.json
• schemas/governance/decision-proof.schema.json
• schemas/governance/failure-domain.schema.json
• schemas/governance/failure-policy.schema.json
• schemas/governance/verification-summary.schema.json
• scripts/check_branch_protection_convergence.mjs
• scripts/ci/__tests__/governance_mutation_guard.test.mjs
• scripts/ci/__tests__/verify_security_gate.test.mjs
• scripts/ci/apply_branch_protection.sh
• scripts/ci/build_admissibility_evidence.mjs
• scripts/ci/check_branch_protection_drift.mjs
• scripts/ci/check_determinism.mjs
• scripts/ci/check_determinism.sh
• scripts/ci/check_failure_domains.mjs
• scripts/ci/check_failure_isolation.mjs
• scripts/ci/generate-admissibility-bundle.ts
• scripts/ci/verify-admissibility.ts
• scripts/ci/verify-sbom-signature.sh
• scripts/ci/verify_branch_protection.mjs
• scripts/ci/verify_failure_semantics.mjs
• scripts/ci/verify_required_checks_contract.mjs
• scripts/ci/verify_security_gate.mjs
• scripts/ci/verify_summit_attestation_bundle.mjs
• scripts/configure-branch-protection.sh
• scripts/k6/adversary_load.js
• scripts/pr-orchestrator-config.js
• scripts/pr-orchestrator/README.md
• scripts/queue-performance-monitor.js
• tests/ci/admissibility.test.mts

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/golden-main-governance-convergence-20260331

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[BrianCLong]

Superseded by #22309 and #22318, both of which are now merged into main.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: fb4644cc36

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Remove undeclared PyYAML dependency from gate verifier

loadYaml now shells out to python3 and imports yaml, but the workflows that call this script (pr-gate and ci-guard) do not install PyYAML before execution. On runners/images where python3-yaml is absent (common on self-hosted/minimal environments), this check fails before any contract validation runs, turning required-check evaluation into an environment-dependent failure. Please either parse YAML in Node again (as before) or explicitly install/pin the Python dependency in the invoking workflows.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Include pr-gate context in branch protection payload

This branch-protection payload now requires only four contexts and omits pr-gate / gate, even though the same commit defines pr-gate / gate as canonical in required-check policy files. Running this script will configure branch protection with a weaker required-check set than policy, creating governance drift and allowing merges without the canonical PR gate. Add {"context": "pr-gate / gate"} to keep enforcement aligned.

Useful? React with 👍 / 👎.