ci: add phase6 quality gate workflow

.github/pull_request_template.md

@@ -0,0 +1,30 @@
+## Summary
+
+- What changed:
+- Why:
+
+## AI Intent
+
+- Prompt or task statement:
+- Scope of AI-assisted changes:
+
+## Risk Assessment
+
+- Risk level: low / medium / high
+- Primary risks:
+- Compatibility impact:
+
+## Rollback Plan
+
+- Revert path:
+- Forward-fix path (if revert is not possible):
+
+## Validation
+
+- Local checks run:
+- CI checks expected:
+
+## Internal/Public Boundary Check
+
+- [ ] No internal-only data, private URLs, secrets, or private runbooks were
+      added.

.github/workflows/agent-boundary-check.yml

@@ -0,0 +1,50 @@
+name: "agent-boundary-check"
+
+on:
+  pull_request:
+
+permissions:
+  contents: read
+
+jobs:
+  boundary-check:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: "Validate changed files for internal-only markers"
+        shell: bash
+        run: |
+          set -euo pipefail
+
+          BASE_SHA="${{ github.event.pull_request.base.sha }}"
+          HEAD_SHA="${{ github.event.pull_request.head.sha }}"
+
+          mapfile -t CHANGED < <(git diff --name-only "$BASE_SHA" "$HEAD_SHA")
+          if [ "${#CHANGED[@]}" -eq 0 ]; then
+            echo "No changed files detected"
+            exit 0
+          fi
+
+          FORBIDDEN='(INTERNAL[- ]ONLY|internal[- ]only|control plane|private runbook|do not share|confidential|confluence|notion|vpn|internal\\.)'
+          STATUS=0
+
+          for f in "${CHANGED[@]}"; do
+            [ -f "$f" ] || continue
+            # Don't scan CI/workflow files
+            [[ "$f" == .github/* ]] && continue
+            [[ "$f" == AGENTS.md ]] && continue
+            case "$f" in
+              *.md|*.txt|*.yml|*.yaml|*.json|*.toml|*.ts|*.tsx|*.js|*.jsx|*.sh|*.py|*.rb|*.tf|*.hcl)
+                if grep -Einq "$FORBIDDEN" "$f"; then
+                  echo "::error file=$f::Potential internal-only marker detected in $f"
+                  grep -Ein "$FORBIDDEN" "$f" || true
+                  STATUS=1
+                fi
+                ;;
+            esac
+          done
+
+          exit "$STATUS"

.github/workflows/quality-gate.yml

@@ -0,0 +1,56 @@
+name: quality-gate
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened, ready_for_review]
+
+permissions:
+  contents: read
+
+jobs:
+  changed-files:
+    runs-on: ubuntu-latest
+    outputs:
+      source_changed: ${{ steps.source.outputs.diff != '' }}
+      tests_changed: ${{ steps.tests.outputs.diff != '' }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - uses: technote-space/get-diff-action@v6
+        id: source
+        with:
+          PATTERNS: |
+            **/*.ts
+            **/*.tsx
+            **/*.js
+            **/*.jsx
+            **/*.mjs
+            **/*.go
+            **/*.rs
+            **/*.py
+            **/*.sh
+          EXCLUDE_PATTERNS: |
+            **/*.test.*
+            **/*.spec.*
+            .github/**
+      - uses: technote-space/get-diff-action@v6
+        id: tests
+        with:
+          PATTERNS: |
+            **/*.test.*
+            **/*.spec.*
+            **/test/**
+            **/tests/**
+          EXCLUDE_PATTERNS: |
+            .github/**
+
+  enforce-test-delta:
+    needs: changed-files
+    if: needs.changed-files.outputs.source_changed == 'true' && needs.changed-files.outputs.tests_changed != 'true'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Require test updates when source changes
+        run: |
+          echo "::error::Source files changed without accompanying test changes."
+          exit 1

AGENTS.md

@@ -0,0 +1,25 @@
+# AGENTS: pkgx
+
+Public core CLI repository for running packages.
+
+## Core Commands
+
+- `cargo fmt --all -- --check`
+- `cargo clippy --all-features`
+- `cargo test --all-features`
+
+## Always Do
+
+- Preserve CLI semantics and user-facing flags unless intentionally versioned.
+- Keep changes in `crates/lib` and `crates/cli` compatibility-aware.
+- Add tests for changed runtime behavior.
+
+## Ask First
+
+- Breaking CLI behavior changes.
+- Distribution/release workflow changes.
+
+## Never Do
+
+- Never skip tests on core execution path changes.
+- Never merge compatibility-sensitive changes without impact notes.