fix: converge governance gates and cognitive security contracts

[BrianCLong]

Supersedes closed #22319. Continuing governance and CI convergence on the live branch tip. Branch-triggered workflow runs on fix/golden-main-governance-convergence-20260331 are the authoritative signal while checks settle on the new PR object.

[gemini-code-assist]

Warning

You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again!

[coderabbitai]

Important

Review skipped

Too many files!

This PR contains 160 files, which is 10 over the limit of 150.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 2b023433-c6ae-4b20-ac7b-cadb675d8c9b

📥 Commits

Reviewing files that changed from the base of the PR and between f598676 and 7ea32cf.

📒 Files selected for processing (160)

• .dockerignore
• .github/dependabot.yml
• .github/merge-queue-config.json
• .github/scripts/run-agent-graph-check.ts
• .github/workflows/_canary-rollback.yml
• .github/workflows/_golden-path-pipeline.yml
• .github/workflows/_policy-enforcer.yml
• .github/workflows/_reusable-test.yml
• .github/workflows/admissibility-gate.yml
• .github/workflows/agent-evals.yml
• .github/workflows/artifact-integrity.yml
• .github/workflows/build-and-attest.yml
• .github/workflows/cac-enforcement.yml
• .github/workflows/ci-governance-module.yml
• .github/workflows/ci-security.yml
• .github/workflows/client-ci.yml
• .github/workflows/control-plane-drift.yml
• .github/workflows/cosign-verify.yml
• .github/workflows/dataset-flywheel.yml
• .github/workflows/dependabot-policy-convergence.yml
• .github/workflows/design-drift.yml
• .github/workflows/docs-pages.yml
• .github/workflows/enforce-release-trust.yml
• .github/workflows/failure-domain-declaration.yml
• .github/workflows/failure-isolation.yml
• .github/workflows/failure-semantics.yml
• .github/workflows/ga-certification-guard.yml
• .github/workflows/hardened-security-gate.yml
• .github/workflows/lex-governance.yml
• .github/workflows/load-test.yml
• .github/workflows/merge-surge.yml
• .github/workflows/pcpr-foundation-verify.yml
• .github/workflows/pr-attestation-gate.yml
• .github/workflows/pr-planner.yml
• .github/workflows/proof-gate.yml
• .github/workflows/proof-system-tests.yml
• .github/workflows/release-train.yml
• .github/workflows/repostate.yml
• .github/workflows/security-gates.yml
• .github/workflows/slsa-provenance.yml
• .github/workflows/telemetry-lineage-gates.yml
• .repoos/control/spec.json
• .repoos/scripts/ci/validate_schemas.mjs
• charts/companyos/templates/admissibility-presync-job.yaml
• deploy/helm/summit/templates/admissibility-presync-job.yaml
• docs/DECISION_EXECUTION_TRACE.md
• docs/DECISION_VALIDITY_PROTOCOL.md
• docs/cac/CAC_ENFORCEMENT_PIPELINE.md
• docs/ecosystem/summit-partner-operations-appendix.md
• docs/ecosystem/summit-partner-operations.md
• docs/ga/FAILURE_CONTAINMENT_ARCHITECTURE.md
• docs/ga/FAILURE_CONTAINMENT_DOCTRINE.md
• docs/ops/summit-annual-planning-workbook.md
• docs/ops/summit-board-and-investor-update-templates.md
• docs/ops/summit-board-appendices.md
• docs/ops/summit-board-operating-pack.md
• docs/ops/summit-cognitive-operating-system.md
• docs/ops/summit-cognitive-strategic-advantage-playbook.md
• docs/ops/summit-company-okr-system.md
• docs/ops/summit-company-operating-manual.md
• docs/ops/summit-company-operating-rhythm.md
• docs/ops/summit-company-scorecard.md
• docs/ops/summit-customer-proof-and-evidence-standards.md
• docs/ops/summit-decision-log-and-exception-template.md
• docs/ops/summit-department-operating-charters.md
• docs/ops/summit-evidence-standards-appendix.md
• docs/ops/summit-finance-runway-operating-pack.md
• docs/ops/summit-finance-workbook-spec.md
• docs/ops/summit-founder-playbook.md
• docs/ops/summit-fundraising-and-data-room.md
• docs/ops/summit-fundraising-process-appendix.md
• docs/ops/summit-internal-academy-and-onboarding.md
• docs/ops/summit-internal-communications-and-escalation-playbook.md
• docs/ops/summit-kpi-to-decision-map.md
• docs/ops/summit-manager-and-hiring-scorecards.md
• docs/ops/summit-meeting-and-ritual-templates.md
• docs/ops/summit-product-and-gtm-interface-charter.md
• docs/ops/summit-scenario-planning-playbook.md
• docs/roadmap/STATUS.json
• docs/sales-toolkit/summit-customer-lifecycle-playbook.md
• docs/sales-toolkit/summit-customer-success-playbook.md
• docs/sales-toolkit/summit-enterprise-procurement-appendix.md
• docs/sales-toolkit/summit-enterprise-procurement-playbook.md
• docs/sales-toolkit/summit-qbr-and-ebr-pack.md
• docs/sales-toolkit/summit-renewal-and-expansion-playbook.md
• docs/sales-toolkit/summit-sales-enablement-kit.md
• docs/standards/cognitive-security-protocol-v0.1.md
• docs/standards/summit-attestation-bundle-v0.1.md
• docs/standards/summit-category-language-and-glossary.md
• docs/standards/summit-evidence-protocol.md
• evidence/metrics.json
• evidence/report.json
• evidence/stamp.json
• evidence/verdict.json
• governance/branch-protection.required.json
• governance/ga/required-checks.yaml
• k8s/argo/admissibility-presync-check.yaml
• k8s/base/kustomization.yaml
• k8s/policies/cac-admission-policy.yaml
• k8s/policies/kyverno-admissibility-enforcement.yaml
• k8s/policies/kyverno-enforce-admissible-images.yaml
• k8s/server-deployment.yaml
• lib/admissibility.ts
• package.json
• policies/cac/policy.spec.json
• policies/ops/containment-slo.yaml
• policies/ops/failure-domain-map.yaml
• policies/ops/failure-policy.yaml
• policies/ops/rollout-policy.yaml
• policies/ops/verified-properties.yaml
• policies/security/security_gates.yml
• policy/actions-allowlist.json
• policy/admissibility/prohibited-dependencies.json
• policy/attest.rego
• prompts/governance/governance-gates-and-cognitive-security-convergence@v1.md
• prompts/governance/governance-gates-and-cognitive-security-convergence@v1.sha256
• prompts/registry.yaml
• schemas/cac/ingestion-record.schema.json
• schemas/cac/metrics.schema.json
• schemas/cac/report.schema.json
• schemas/cac/stamp.schema.json
• schemas/cac/verdict.schema.json
• schemas/det.schema.json
• schemas/dvp.schema.json
• schemas/governance/attestation-subject.schema.json
• schemas/governance/blast-radius.schema.json
• schemas/governance/containment-report.schema.json
• schemas/governance/decision-proof.schema.json
• schemas/governance/failure-domain.schema.json
• schemas/governance/failure-policy.schema.json
• schemas/governance/verification-summary.schema.json
• scripts/cac/__tests__/cen-evaluate.test.mjs
• scripts/cac/audit-ledger.mjs
• scripts/cac/cen-evaluate.mjs
• scripts/cac/compute-evidence-id.mjs
• scripts/cac/ingestion-gate.mjs
• scripts/cac/lib.mjs
• scripts/cac/verify-determinism.mjs
• scripts/ci/__tests__/governance_mutation_guard.test.mjs
• scripts/ci/__tests__/verify_security_gate.test.mjs
• scripts/ci/apply_branch_protection.sh
• scripts/ci/build_admissibility_evidence.mjs
• scripts/ci/check_failure_domains.mjs
• scripts/ci/check_failure_isolation.mjs
• scripts/ci/check_runner_version.mjs
• scripts/ci/generate-admissibility-bundle.ts
• scripts/ci/verify-admissibility.ts
• scripts/ci/verify-sbom-signature.sh
• scripts/ci/verify_branch_protection.mjs
• scripts/ci/verify_failure_semantics.mjs
• scripts/ci/verify_required_checks_contract.mjs
• scripts/ci/verify_security_gate.mjs
• scripts/ci/verify_summit_attestation_bundle.mjs
• scripts/configure-branch-protection.sh
• scripts/k6/adversary_load.js
• scripts/pr-orchestrator-config.js
• scripts/pr-orchestrator/README.md
• scripts/queue-performance-monitor.js
• services/api-gateway/Dockerfile
• tests/ci/admissibility.test.mts

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/golden-main-governance-convergence-20260331

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 30bec66f5c

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Export helpers required by admissibility bundle generation

generate-admissibility-bundle.ts imports sha256Buffer and stableStringify from lib/admissibility.ts, but that module currently exports only evaluateAdmissibility and types. As a result, invoking this script fails at module load time (missing named exports), so the admissibility bundle generator cannot run in CI or locally until those exports are added or the import is corrected.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Remove undeclared PyYAML runtime dependency from gate verifier

This verifier shells out to python3 and imports yaml, but the workflows that call it install Node dependencies only and do not install Python packages. On runners that do not already have PyYAML preinstalled, the check exits before doing any contract validation, which blocks required CI gates (pr-gate/ci-guard) for reasons unrelated to policy drift.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Keep pr-gate in branch-protection required checks list

The applied branch-protection payload now omits pr-gate / gate even though the canonical required-check sources in this same change set include it. Running this script will therefore push a weaker protection policy than intended and immediately create drift against the repository’s required-check contracts.

Useful? React with 👍 / 👎.

[BrianCLong]

Superseded by #22309 and #22318, which are merged into main. Closing this stale convergence branch.

[BrianCLong]

Closing as superseded by the landed convergence path in #22309 and #22318, and by the narrower CAC replay lane #22338.