Merge main into feat/sr-187-ban-datetime-utcnow (auto-rebase to clear behind status)

Author: Delqhi

.github/dependabot.yml

@@ -0,0 +1,80 @@
+# Dependabot configuration — keep CI surface and runtime deps current.
+#
+# Why this file exists:
+#   path_guard.py pins behaviour to specific Action versions
+#   (actions/checkout@v5, actions/setup-python@v6). Without dependabot
+#   those pins quietly rot and we either run on EOL'd runners or stop
+#   getting security patches. Two-line yaml is cheap insurance.
+#
+# Why weekly, not daily:
+#   The repo has a single maintainer; daily PR noise drowns signal.
+#   Weekly keeps the queue manageable while still surfacing CVEs within
+#   ~7 days.
+#
+# Scope:
+#   - github-actions: every workflow under .github/workflows/
+#   - pip:            pyproject.toml + survey-cli/requirements.txt
+#
+# Doctrine: see survey-cli/AGENTS.md § PATH DOCTRINE (SR-159) for why
+# anything we add to .github/ must be justified inline.
+
+version: 2
+
+updates:
+  # GitHub Actions used in .github/workflows/*
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+    open-pull-requests-limit: 5
+    commit-message:
+      prefix: "ci"
+      include: "scope"
+    labels:
+      - "dependencies"
+      - "ci"
+    # Group all action bumps into a single PR per week to avoid noise.
+    groups:
+      github-actions:
+        patterns:
+          - "*"
+
+  # Python deps at repo root (pyproject.toml — the stealth-sync package).
+  - package-ecosystem: "pip"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+    open-pull-requests-limit: 5
+    commit-message:
+      prefix: "deps"
+      include: "scope"
+    labels:
+      - "dependencies"
+      - "python"
+    groups:
+      python-minor-patch:
+        update-types:
+          - "minor"
+          - "patch"
+
+  # Python deps inside survey-cli/ (the canonical survey engine).
+  - package-ecosystem: "pip"
+    directory: "/survey-cli"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+    open-pull-requests-limit: 5
+    commit-message:
+      prefix: "deps(survey-cli)"
+      include: "scope"
+    labels:
+      - "dependencies"
+      - "python"
+      - "survey-cli"
+    groups:
+      survey-cli-minor-patch:
+        update-types:
+          - "minor"
+          - "patch"

.github/workflows/path-guard.yml

@@ -0,0 +1,108 @@
+# PATH-GUARD WORKFLOW — SR-159
+#
+# Enforces the repo's path doctrine on every PR. The doctrine itself lives
+# in two places that MUST stay in sync:
+#
+#   1. survey-cli/AGENTS.md  § PATH DOCTRINE (human-readable spec)
+#   2. scripts/path_guard.py (machine-readable manifest + checker)
+#
+# This workflow is a thin shim around `scripts/path_guard.py --diff`.
+# Keep it small. All policy logic belongs in the Python script so the
+# pre-commit hook and CI run the exact same code path.
+#
+# History:
+# - 2026-05-13 SR-159: created. Reason: SR-154 (100-file PR landed in a
+#   non-existent dir) + SR-162 (daemon.py vs daemon/ shadow killed CI for
+#   a week). Both could have been blocked by a 5-line CI check.
+#
+# Style notes (mirroring .github/workflows/ci.yml §13.8.4):
+# - Action versions are Brain-property. Bumped explicitly, never @latest.
+# - actions/checkout@v5, setup-python@v6 to stay on Node-24 runtime.
+# - fetch-depth: 0 is REQUIRED because the guard runs `git diff
+#   $base...HEAD` and needs the merge-base reachable.
+
+name: path-guard
+
+on:
+  pull_request:
+    # No `branches:` filter — see ci.yml: PRs against integration branches
+    # must also be gated, otherwise drift sneaks in via long-running feat
+    # branches (SR-50..SR-55 precedent in PR #54).
+  push:
+    branches:
+      - main
+      - master
+
+permissions:
+  contents: read
+  pull-requests: write   # for the failure comment
+
+jobs:
+  path-guard:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+        with:
+          # Needed for `git diff $base...HEAD` to resolve the merge-base.
+          fetch-depth: 0
+
+      - name: Set up Python
+        uses: actions/setup-python@v6
+        with:
+          python-version: "3.13"
+
+      - name: Run path-guard (diff mode)
+        id: guard
+        # The script uses $GITHUB_BASE_REF on pull_request events and falls
+        # back to origin/main on push events. No `pip install` — pure stdlib.
+        #
+        # `set -o pipefail` is REQUIRED — without it the exit code of `tee`
+        # (always 0) masks a non-zero exit from path_guard.py and the guard
+        # silently passes on real violations. This is not theoretical: the
+        # first iteration of this workflow shipped without pipefail, the
+        # demo probe PR (#174) showed the violations in the log but the
+        # check was marked green. Do NOT remove this line.
+        shell: bash
+        run: |
+          set -o pipefail
+          python scripts/path_guard.py --diff | tee path_guard.out
+        env:
+          # Explicit even though Actions sets it automatically — makes the
+          # script's behaviour obvious to anyone reading the workflow.
+          GITHUB_BASE_REF: ${{ github.base_ref }}
+
+      - name: Comment on PR when guard fails
+        if: failure() && github.event_name == 'pull_request'
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const fs = require('fs');
+            const out = fs.existsSync('path_guard.out')
+              ? fs.readFileSync('path_guard.out', 'utf8')
+              : '(no output captured)';
+            const body = [
+              '### path-guard failed (SR-159)',
+              '',
+              'This PR adds files outside the canonical repo layout. The doctrine',
+              'lives in [`survey-cli/AGENTS.md` § PATH DOCTRINE](https://github.com/' +
+                context.repo.owner + '/' + context.repo.repo +
+                '/blob/main/survey-cli/AGENTS.md#path-doctrine-sr-159).',
+              '',
+              '<details><summary>Guard output</summary>',
+              '',
+              '```',
+              out,
+              '```',
+              '',
+              '</details>',
+              '',
+              'If the verdict is wrong (e.g. a genuinely new canonical area),',
+              '**STOP** and comment on the issue with rationale — do not work',
+              'around the guard.',
+            ].join('\n');
+            await github.rest.issues.createComment({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: context.issue.number,
+              body,
+            });

.pre-commit-config.yaml

@@ -1,5 +1,14 @@
-# Pre-Commit Configuration (SR-73, 2026-05-11)
-# Hooks enforce AGENTS.md Brain-Rules before commits
+# Pre-Commit Configuration
+#
+# Hooks enforce AGENTS.md Brain-Rules before commits. The CI workflows
+# in .github/workflows/ run the same checks in cloud — local hooks are
+# the fast-feedback mirror, not a substitute.
+#
+# History:
+# - SR-73 (2026-05-11): initial — submodule + black + pylint + standard hooks.
+# - SR-159 (2026-05-13): added `path-guard` local hook. Mirrors
+#   .github/workflows/path-guard.yml exactly. Doctrine lives in
+#   survey-cli/AGENTS.md § PATH DOCTRINE and scripts/path_guard.py.
 
 repos:
   # Submodule Validation (SR-73 §11.9)
@@ -13,6 +22,17 @@ repos:
         stages: [commit]
         always_run: true
 
+  # Path Doctrine (SR-159) — local mirror of .github/workflows/path-guard.yml
+  - repo: local
+    hooks:
+      - id: path-guard
+        name: "Path-Guard: repo layout doctrine (SR-159)"
+        entry: python scripts/path_guard.py --diff
+        language: system
+        pass_filenames: false
+        stages: [commit]
+        always_run: true
+
   # Standard pre-commit hooks
   - repo: https://github.com/pre-commit/pre-commit-hooks
     rev: v4.5.0