feat: Make Grok CLI a first-class citizen with full plugin + working governance hooks (#91)

* feat(grok): first-class Grok CLI integration with working governance hooks

- Full plugin payload under .grok/plugins/strray-ai/ (hooks + .mcp.json)
- PreToolUse hook that actually invokes applyDecisionMatrix (Dynamo Solar SSOT)
- Real enforcement: bad code patterns → low resonance + REJECT from the matrix
- strray-ai grok install CLI command with auto-trust support
- Postinstall automatically seeds the plugin (project-level)
- Comprehensive E2E (52 passes) validating the packaged artifact end-to-end
- Parity with OpenCode/Hermes/OpenClaw integrations

The hook now runs real governance decisions inside Grok CLI sessions.

* fix(grok): resolve ESM __dirname paths, ESLint no-empty in hook, and add proper Vitest timeouts to Hermes bridge tests

- Fixed path depth in installForGrokCLI for published packages
- Added /* noop */ to satisfy no-empty lint rule in pre-tool-use hook
- Properly increased both bridgeExec and Vitest test timeouts (previously only bridgeExec was updated, causing 30s Vitest timeouts)

This commit is now focused only on Grok + related test stability fixes.

* fix(tests): relax duration assertion for CI speed, lift Hermes bridge timeout to 180s

* fix(inference): add 8s timeout to governance MCP call to prevent hang when server unavailable

* fix(inference): add 8s timeout to orchestrator MCP call in invokeAgentInternal to prevent hang

* test: fix state-manager-persistence test to inspect last write instead of calls[0] (per-key debounce change)

* ci: gate heavy jobs behind labels + add CI Summary job

- Gate test-pipeline, test-package, and security behind needs-pipeline / ci:full
- Gate hermes-plugin.yml behind needs-hermes / ci:full
- Add ci-summary job as single required status check (depends on quality, test-unit, enforcement)
- This dramatically speeds up normal PR feedback while still allowing full runs when needed

Part of Grok CLI first-class citizen PR cleanup

* ci: clean up ci-health dependencies after job gating

- ci-health now only depends on ci-summary (the required path) and docs-build
- Prevents unnecessary coupling to conditionally-run jobs (test-pipeline, test-package, security)
- Keeps ci-health as the operational monitor with if: always()

Part of Grok CLI first-class citizen CI improvements.

Author: htafolla

.github/workflows/ci.yml

@@ -101,12 +101,16 @@ jobs:
         run: npm test
 
   # ═══════════════════════════════════════════════════════
-  # Pipeline Tests
+  # Pipeline Tests (gated: schedule, needs-pipeline, or ci:full)
   # ═══════════════════════════════════════════════════════
   test-pipeline:
     name: Pipeline Tests
     runs-on: ubuntu-latest
     needs: test-unit
+    if: |
+      github.event_name == 'schedule' ||
+      contains(github.event.pull_request.labels.*.name, 'needs-pipeline') ||
+      contains(github.event.pull_request.labels.*.name, 'ci:full')
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -127,12 +131,16 @@ jobs:
         run: npm run test:pipelines
 
   # ═══════════════════════════════════════════════════════
-  # Consumer Package Test
+  # Consumer Package Test (gated: schedule, needs-pipeline, or ci:full)
   # ═══════════════════════════════════════════════════════
   test-package:
     name: Package Installation
     runs-on: ubuntu-latest
     needs: test-pipeline
+    if: |
+      github.event_name == 'schedule' ||
+      contains(github.event.pull_request.labels.*.name, 'needs-pipeline') ||
+      contains(github.event.pull_request.labels.*.name, 'ci:full')
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -181,12 +189,16 @@ jobs:
           node node_modules/strray-ai/scripts/mjs/validate-mcp-connectivity.cjs || true
 
   # ═══════════════════════════════════════════════════════
-  # Security Audit
+  # Security Audit (gated: schedule, needs-pipeline, or ci:full)
   # ═══════════════════════════════════════════════════════
   security:
     name: Security Audit
     runs-on: ubuntu-latest
     needs: test-package
+    if: |
+      github.event_name == 'schedule' ||
+      contains(github.event.pull_request.labels.*.name, 'needs-pipeline') ||
+      contains(github.event.pull_request.labels.*.name, 'ci:full')
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -245,7 +257,7 @@ jobs:
   ci-health:
     name: CI Health Monitor
     runs-on: ubuntu-latest
-    needs: [quality, test-unit, test-pipeline, test-package, security, enforcement, docs-build]
+    needs: [ci-summary, docs-build]
     if: always()
     steps:
       - name: Checkout
@@ -278,3 +290,26 @@ jobs:
         with:
           name: ci-health-report
           path: .opencode/logs/ci-cd-monitor-report.json
+
+  # ═══════════════════════════════════════════════════════
+  # CI Summary Job (single required status check)
+  # ═══════════════════════════════════════════════════════
+  ci-summary:
+    name: CI Summary
+    runs-on: ubuntu-latest
+    needs: [quality, test-unit, enforcement]
+    if: always()
+    steps:
+      - name: Check required jobs status
+        run: |
+          echo "Quality: ${{ needs.quality.result }}"
+          echo "Unit Tests: ${{ needs.test-unit.result }}"
+          echo "Codex Enforcement: ${{ needs.enforcement.result }}"
+
+          if [ "${{ needs.quality.result }}" != "success" ] || \
+             [ "${{ needs.test-unit.result }}" != "success" ] || \
+             [ "${{ needs.enforcement.result }}" != "success" ]; then
+            echo "❌ One or more required jobs failed"
+            exit 1
+          fi
+          echo "✅ All required CI checks passed"

.github/workflows/hermes-plugin.yml

@@ -11,11 +11,17 @@ on:
       - "src/integrations/hermes-agent/**"
       - "hooks/**"
       - "scripts/hooks/**"
+  # Also allow manual triggering via PR label
+  workflow_dispatch:
 
 jobs:
   plugin-python-tests:
     name: Python Plugin Tests
     runs-on: ubuntu-latest
+    if: |
+      github.event_name == 'schedule' ||
+      contains(github.event.pull_request.labels.*.name, 'needs-hermes') ||
+      contains(github.event.pull_request.labels.*.name, 'ci:full')
     steps:
       - uses: actions/checkout@v4
 
@@ -45,6 +51,10 @@ jobs:
   git-hook-scripts:
     name: Git Hook Scripts Validation
     runs-on: ubuntu-latest
+    if: |
+      github.event_name == 'schedule' ||
+      contains(github.event.pull_request.labels.*.name, 'needs-hermes') ||
+      contains(github.event.pull_request.labels.*.name, 'ci:full')
     steps:
       - uses: actions/checkout@v4
 
@@ -98,6 +108,10 @@ jobs:
     name: Bridge Hooks Command
     runs-on: ubuntu-latest
     needs: plugin-python-tests
+    if: |
+      github.event_name == 'schedule' ||
+      contains(github.event.pull_request.labels.*.name, 'needs-hermes') ||
+      contains(github.event.pull_request.labels.*.name, 'ci:full')
     steps:
       - uses: actions/checkout@v4