ci

Source contract preview

This generated excerpt gives readers the beginning of the live primitive contract before they jump to GitHub.

Confidence in correctness. CI is load-bearing: a green CI is a claim about
code correctness. If CI is weak (no type check, shallow tests, no coverage
floor), green means nothing. So this skill **audits first, then runs**.

Stops at green CI. Does not review code semantics (→ `/code-review`), does
not address review comments (→ `/deliver --polish-only`), does not ship.

## Modes

- Default: audit → run. Full pass.
- `--audit-only`: produce audit report and gap proposals; do not run gates.
- `--run-only`: skip audit, just drive gates green.

## Stance

1. **Audit before run.** A weak pipeline passing is worse than a strong
   one failing. Inventory coverage before trusting green.
   For CI-audit, red-gate investigation, or gate-policy changes, use the
   Delegation Floor before changing policy or claiming green.
2. **Dagger-mandatory, auto-scaffolded.** Missing `dagger.json` is a gap
   the skill closes itself, not a blocker that halts work. Scaffold a
   TypeScript Dagger module, fold every existing gate into `check()`,
   thin the CI provider (GHA, CircleCI, etc.) to a single `dagger call check`
   step, and update pre-push hooks to match. Raw `npm run lint` / `pytest`
   / `go test` etc. are what GHA replaced, not what replaces GHA — they
   bypass the hermetic-container contract. CI providers must be thin
   wrappers that shell out to `dagger call check`, never the authoritative
   gate owner. Agent-first, local-first, provider-independent.
3. **Act, do not propose.** The skill has executive authority within its
   domain: mechanical strengthenings (adding missing gates, wiring
   uncovered scripts, consolidating duplicate workflows, hardening
   thresholds upward, scaffolding Dagger) are applied directly. Do NOT
   emit "proposals" or "diff previews" awaiting approval. Only escalate
...