ci: enable full Zephyr Twister job, execute benchmarks, apply specsmith migrations

- Enable Zephyr CI job (was commented out): west init/update with narrow
  shallow clone, native_sim platform, west workspace cached by west.yml hash
- Flip benchmarks from build_only to execute; harness_config regex gates
  pass/fail on final log line so timing numbers are captured as artifacts
- Apply specsmith migrations v001-v006: governance YAMLs, compliance
  scaffold, ESDB WAL migration, agent-tools.json, session protocol
- Gitignore .chronomemory/ and .specsmith/*.bak (machine-local state)

Co-Authored-By: Oz <oz-agent@warp.dev>

Author: tbitcs

.github/workflows/ci.yml

@@ -55,20 +55,87 @@ jobs:
           done
           exit $missing
 
-  # Zephyr/Twister tests require a full Zephyr SDK setup.
-  # Uncomment when CI has west + Zephyr SDK available.
-  # zephyr:
-  #   name: Zephyr Twister Tests
-  #   runs-on: ubuntu-latest
-  #   steps:
-  #     - uses: actions/checkout@v4
-  #     - name: Install west
-  #       run: pip install west
-  #     - name: Init workspace
-  #       run: west init -l .
-  #     - name: Update
-  #       run: west update
-  #     - name: Twister tests
-  #       run: west twister -T tests
-  #     - name: Twister samples
-  #       run: west twister -T samples
+  zephyr:
+    name: Zephyr Twister Tests
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          # west.yml declares self.path: app — match it so west module
+          # resolution works correctly alongside modules/lib/arbiter/
+          path: app
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+
+      - name: Install west
+        run: pip install west
+
+      # Cache the Zephyr tree and west state keyed on west.yml.
+      # All three paths are saved/restored together so a partial
+      # hit cannot leave the workspace in an inconsistent state.
+      - name: Cache west workspace
+        id: cache-west
+        uses: actions/cache@v4
+        with:
+          path: |
+            zephyr
+            modules
+            .west
+          key: west-${{ hashFiles('app/west.yml') }}
+          restore-keys: west-
+
+      # Only run init+update on a cache miss; .west/config is
+      # restored from cache and is sufficient for subsequent steps.
+      - name: West init
+        if: steps.cache-west.outputs.cache-hit != 'true'
+        run: west init -l app
+
+      # --narrow: only fetch projects in our top-level manifest
+      # (zephyr + arbiter), skipping Zephyr's full HAL set.
+      # -o=--depth=1: shallow clone to keep the runner fast.
+      # native_sim needs only the Zephyr core tree, no HALs.
+      - name: West update
+        if: steps.cache-west.outputs.cache-hit != 'true'
+        run: west update --narrow -o=--depth=1
+
+      - name: Install Zephyr Python requirements
+        run: |
+          pip install -r zephyr/scripts/requirements-base.txt
+          pip install -r zephyr/scripts/requirements-build-test.txt
+
+      # Unit tests run as native executables on native_sim.
+      - name: Twister — unit tests
+        run: |
+          west twister \
+            -T app/tests/unit \
+            -p native_sim \
+            --inline-logs -v \
+            --output-dir twister-out/unit
+
+      # Benchmarks execute on native_sim; Twister captures timing output
+      # as an artifact. pass/fail is gated on the final log line regex.
+      - name: Twister — benchmarks
+        run: |
+          west twister \
+            -T app/tests/benchmarks \
+            -p native_sim \
+            --inline-logs -v \
+            --output-dir twister-out/benchmarks
+
+      # All 17 samples are build_only; CI proves they compile clean.
+      - name: Twister — samples
+        run: |
+          west twister \
+            -T app/samples \
+            -p native_sim \
+            --inline-logs -v \
+            --output-dir twister-out/samples
+
+      - name: Upload Twister results
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: twister-results
+          path: twister-out/

.gitignore

@@ -41,3 +41,7 @@ Thumbs.db
 htmlcov/
 .coverage
 coverage.xml
+
+# specsmith machine-local state
+.chronomemory/
+.specsmith/*.bak

.specsmith/agent-tools.json

@@ -0,0 +1,20 @@
+{
+  "schema_version": 1,
+  "primary_governance_command": "specsmith_run",
+  "slash_prefix": "/specsmith",
+  "verb_shortcuts": [
+    "audit",
+    "commit",
+    "doctor",
+    "load",
+    "pull",
+    "push",
+    "run",
+    "save",
+    "status",
+    "sync",
+    "validate",
+    "watch"
+  ],
+  "description": "Use specsmith_run() or /specsmith <args> in the Nexus REPL for all governance operations (save, load, push, pull, audit, status, \u2026). REQ-SM-001: agents must not invoke the specsmith binary directly via run_shell when specsmith_run is available."
+}

.specsmith/compliance/README.md

@@ -0,0 +1,26 @@
+# .specsmith/compliance/
+
+Project-specific compliance overlays for AI regulation.
+
+## Structure
+
+Each file overrides the built-in regulation status for this project:
+  eu-ai-act.yaml        — EU AI Act (Regulation 2024/1689)
+  nist-rmf.yaml         — NIST AI RMF 1.0 + AI 600-1
+  omb-m-24-10.yaml      — OMB M-24-10
+  colorado-sb24-205.yaml — Colorado AI Act (effective Feb 2026)
+  texas-hb1709.yaml     — Texas AI Transparency Act
+  etc.
+
+## Usage
+
+  # Check compliance for all regulations
+  specsmith compliance check
+
+  # Generate compliance report
+  specsmith compliance report --format html --output compliance-report.html
+
+  # Store results to ESDB audit trail
+  specsmith compliance audit
+
+See: https://specsmith.readthedocs.io/en/stable/compliance/

.specsmith/compliance/eu-ai-act.yaml

@@ -0,0 +1,17 @@
+# EU AI Act (Regulation 2024/1689) — project overlay
+#
+# This file allows overriding compliance status for this specific project.
+# Leave fields empty to use specsmith's auto-detection.
+#
+# regulation_id: eu-ai-act
+# project notes:
+
+risk_tier: minimal_risk   # prohibited | high_risk | gpai | minimal_risk
+is_gpai: false            # true if this is a General Purpose AI model
+gpai_systemic_risk: false # true if > 10^25 FLOP training compute
+
+# Override specific article status (auto-detected if absent):
+# article_overrides:
+#   Art.9:
+#     status: compliant
+#     notes: "Risk management system via specsmith AEE pipeline"

.specsmith/governance/context-budget.yaml

@@ -0,0 +1,12 @@
+# Generated by specsmith migrate m001
+# Edit this file; original MD kept as view.
+
+content: '# Context Budget
+
+
+  Keep governance files small. Lazy-load per task.
+
+  '
+generated_by: specsmith migrate (m001)
+kind: context-budget
+source_md: docs/governance/CONTEXT-BUDGET.md

.specsmith/governance/drift-metrics.yaml

@@ -0,0 +1,12 @@
+# Generated by specsmith migrate m001
+# Edit this file; original MD kept as view.
+
+content: '# Drift Metrics
+
+
+  Use `specsmith audit` to check governance health.
+
+  '
+generated_by: specsmith migrate (m001)
+kind: drift-metrics
+source_md: docs/governance/DRIFT-METRICS.md

.specsmith/governance/lifecycle.yaml

@@ -0,0 +1,14 @@
+# Generated by specsmith migrate m001
+# Edit this file; original MD kept as view.
+
+content: '# Project Lifecycle
+
+
+  See `specsmith phase show` for current phase readiness.
+
+  See `specsmith phase list` for the full AEE lifecycle.
+
+  '
+generated_by: specsmith migrate (m001)
+kind: lifecycle
+source_md: docs/governance/LIFECYCLE.md

.specsmith/governance/roles.yaml

@@ -0,0 +1,14 @@
+# Generated by specsmith migrate m001
+# Edit this file; original MD kept as view.
+
+content: '# Roles
+
+
+  - **Human**: Approves proposals
+
+  - **Agent**: Proposes and executes
+
+  '
+generated_by: specsmith migrate (m001)
+kind: roles
+source_md: docs/governance/ROLES.md

.specsmith/governance/rules.yaml

@@ -0,0 +1,10 @@
+# specsmith governance rules — structured YAML
+# Generated by: specsmith migrate run --version 1
+# Source: docs/governance/RULES.md
+# Edit this file; original MD kept as read-only view.
+
+kind: rules
+source_md: docs/governance/RULES.md
+generated_by: specsmith migrate (m001)
+rules:
+- note: Could not parse rules — see source MD