chore: public logic hardening wave (infra audit)

.github/workflows/public-logic-ci.yml

@@ -0,0 +1,68 @@
+name: Public Logic CI
+
+on:
+  pull_request:
+    branches:
+      - main
+  push:
+    branches:
+      - main
+
+permissions:
+  contents: read
+
+jobs:
+  validate-public-logic:
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          submodules: recursive
+
+      - name: Setup Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: "20"
+          cache: npm
+          cache-dependency-path: governance/seven-shadow-system/package-lock.json
+
+      - name: Validate policy JSON
+        run: python3 -m json.tool .seven-shadow/policy.json >/dev/null
+
+      - name: Validate leveling JSON
+        run: python3 -m json.tool leveling.example.json >/dev/null
+
+      - name: Validate public document links
+        run: |
+          python3 - <<'PY'
+          import pathlib
+          import re
+          import sys
+
+          files = [pathlib.Path("README.md"), pathlib.Path("ARCHITECTURE.md")]
+          missing = []
+
+          for file_path in files:
+            text = file_path.read_text(encoding="utf-8")
+            for match in re.finditer(r"\[[^\]]+\]\(([^)]+)\)", text):
+              target = match.group(1).split("#", 1)[0].strip()
+              if not target or target.startswith(("http://", "https://", "mailto:")):
+                continue
+              if not (file_path.parent / target).exists():
+                missing.append((str(file_path), target))
+
+          if missing:
+            for file_path, target in missing:
+              print(f"Missing relative link target in {file_path}: {target}")
+            sys.exit(1)
+          PY
+
+      - name: Install governance dependencies
+        run: npm ci
+        working-directory: governance/seven-shadow-system
+
+      - name: Build governance package
+        run: npm run build
+        working-directory: governance/seven-shadow-system

docs/audits/public-logic-audit-2026-02-22.md

@@ -0,0 +1,40 @@
+# Public Logic Audit - 2026-02-22
+
+## Repo
+- VontaJamal/shadow-gate
+
+## Scope
+- Deep quality-control on existing public-facing logic only.
+- No net-new product features.
+
+## Baseline Snapshot
+- Open PR count at start: 0
+- Default branch: main
+- Latest default-branch run (at start):
+  - None detected on default branch
+
+## Public Surface Inventory
+- README and architecture docs
+- Seven Shadow policy and governance wiring
+- Governance submodule build path
+- Public workflow coverage for existing governance logic
+
+## Command Matrix
+| Check | Result | Notes |
+|---|---|---|
+| `.seven-shadow/policy.json` parse | PASS | Valid JSON |
+| `leveling.example.json` parse | PASS | Valid JSON |
+| `npm --prefix governance/seven-shadow-system ci` | PASS | Governance dependency install succeeded |
+| `npm --prefix governance/seven-shadow-system run build` | PASS | Governance build succeeded |
+| README/architecture link integrity | PASS | Relative links in public docs resolve |
+
+## Findings Register
+| Severity | Area | Repro | Status | Fix |
+|---|---|---|---|---|
+| P1 | CI coverage gap | No default-branch `push`/`pull_request` workflow validated public governance logic | Fixed | Added `Public Logic CI` workflow on `main` push/PR |
+
+## Residual Risks / Follow-ups
+- Continue monitoring governance submodule and policy bundle mode behavior in future waves.
+
+## Attestation
+- This wave is maintenance and hardening only.