Complete P3 remediation: docs, CI governance gate, and docker-smoke policy.

Align README validation/tournament with Beta maturity, fix architecture
section numbering, link threat-model rows to tests, expand governance-gate
Phase 5 unit coverage, and document advisory docker-smoke in CONTRIBUTING.

Constraint: docker-smoke remains continue-on-error; merge not blocked on Docker.
Tested: governance-gate pytest subset (65 passed); pre-commit on changed files.
Confidence: high
Co-authored-by: Cursor <cursoragent@cursor.com>

Author: johnteee

.github/workflows/ci.yml

@@ -191,12 +191,16 @@ jobs:
       - name: Check plan-before-write enforcement
         run: pytest tests/test_tranche_b_governance.py -k "plan" -v
 
+      - name: Run Phase 5 unit tests
+        run: pytest tests/test_phase5_context_bus.py tests/test_phase5_workflow_engine.py tests/test_phase5_jit_approval_server.py tests/test_federated_sync.py tests/test_remediation_p1_p2.py -v
+
       - name: Run Phase 4-5 acceptance and adversarial governance tests
-        run: pytest tests/acceptance/test_consensus_flow.py tests/acceptance/test_sandbox_enhancement_flow.py tests/test_governance_adversarial_runtime.py tests/test_skill_executor.py tests/test_phase6_docker.py -v
+        run: pytest tests/acceptance/test_consensus_flow.py tests/acceptance/test_sandbox_enhancement_flow.py tests/test_governance_adversarial_runtime.py tests/test_skill_executor.py -v
 
   docker-smoke:
     runs-on: ubuntu-latest
     needs: lint
+    # Advisory: Docker/Podman not guaranteed on all forks; failures do not block merge.
     continue-on-error: true
 
     steps:

CONTRIBUTING.md

@@ -24,6 +24,23 @@ Run the same checks as CI before opening a pull request:
 .venv/bin/pytest -q
 ```
 
+Pre-commit runs a smoke subset by default. For the full test suite locally:
+
+```bash
+TEAAGENT_PRECOMMIT_FULL=1 pre-commit run --all-files
+```
+
+### CI jobs
+
+| Job | Blocks merge? | Purpose |
+|-----|---------------|---------|
+| `lint` | Yes | Ruff, mypy, format |
+| `governance-gate` | Yes | Governance fuzz, plan gate, Phase 4–5 acceptance, Phase 5 unit tests |
+| `docker-smoke` | **No** (`continue-on-error`) | `tests/test_phase6_docker.py` when Docker/Podman is available |
+| `package` | Yes | Wheel/sdist build |
+
+Run `pytest tests/test_phase6_docker.py` locally before relying on container Code Mode in production.
+
 ## Pull Requests
 
 - Keep changes small and focused.

README.md

@@ -105,29 +105,32 @@ TeaAgent includes persistent memory features to learn from past mistakes and syn
 - Commands: `/pin <file>`, `/unpin <file>`, `/pinned` (list)
 - Visual indicator in prompt shows pinned file count (e.g., `teaagent📌2>`)
 
-### 8. Self-Healing Validation (Foundation)
+### 8. Self-Healing Validation (Beta)
 
-TeaAgent includes LSP/static analysis validation foundation for code correctness:
+LSP/static analysis validation is integrated with the agent runner and workflow engine:
 
 **Validation Tools:**
 - Auto-detects available tools (ruff, mypy, tsc, eslint)
 - Validates code before committing changes
 - Supports Python, TypeScript, and JavaScript projects
-- Enable with `--validate` flag (opt-in)
+- Enable with `--validate` on `agent run` or via workflow self-healing steps
 
-### 9. Tournament Selection (Foundation)
+See [maturity-matrix.md](docs/maturity-matrix.md) for surface status and test pointers.
 
-TeaAgent includes tournament-style parallel execution foundation for architecture exploration:
+### 9. Tournament Selection (Beta)
+
+Tournament-style parallel execution runs in `SwarmManager` with git worktree isolation,
+security-weighted scoring, and centralized approval queue integration:
 
 **Parallel Execution:**
 - Create isolated git sandbox branches for multiple approaches
 - Auto-generate approach hints based on task keywords
 - Execute subagents in parallel with resource limits
 - Benchmark correctness, performance, and code quality
 - Compare approaches with weighted scoring
-- Enable with `--parallel N` flag (opt-in)
+- Enable with `--parallel N` on `agent run` (read-only analysis) or swarm/tournament modes
 
-**Status:** Foundation implemented. Full integration with agent runner and human approval workflow documented in spec files for future implementation.
+**Status:** Beta — shipped in harness with governance gates; hosted tournament dashboards remain future work. See [maturity-matrix.md](docs/maturity-matrix.md).
 
 ### 10. Cognitive Swarm Evolution (Phase 5)
 

docs/architecture.md

@@ -80,8 +80,8 @@ The TeaAgent governance system has been hardened through a comprehensive 5-loop
 
 Core Phase 4 (consensus) and Phase 5 (sandbox routing/execution) modules are shipped
 with CLI, unit tests, and E2E acceptance. Optional hardening (async vote polling,
-WASM skill execution, docker-smoke CI) is shipped; remaining Beta work is native
-WASM modules and deeper tournament benchmarks. See [backlog-priority.md](backlog-priority.md).
+WASM skill execution) is shipped; `docker-smoke` CI is advisory (see [CONTRIBUTING.md](../CONTRIBUTING.md#ci-jobs)).
+Remaining Beta work is native WASM modules and deeper tournament benchmarks. See [backlog-priority.md](backlog-priority.md).
 
 ### Phase 4: Federated Swarm Consensus & Peer Attestations — **Beta**
 - `ConsensusEngine`, peer registry, voting mechanisms, and attestation trail
@@ -193,18 +193,6 @@ Restricted Python execution with AST allow-list validation:
 Code Mode allows only a fixed set of AST nodes and builtin functions — no
 imports, no attributes, no arbitrary calls.
 
-### 5. Code Mode
-
-Restricted Python execution with AST allow-list validation:
-
-| Backend               | Isolation Level                                |
-|-----------------------|------------------------------------------------|
-| Child process (default)| `RLIMIT_CPU`, wall-clock timeout, advisory `RLIMIT_AS` |
-| Container              | Docker/Podman: `--network none`, `--read-only`, `--cap-drop=ALL`, non-root, tmpfs, CPU/memory/PID limits, streaming output cap, image digest pinning, image allowlist |
-
-Code Mode allows only a fixed set of AST nodes and builtin functions — no
-imports, no attributes, no arbitrary calls.
-
 ### 6. Governance Hardening (Tranche B)
 
 **Plan-before-Write Enforcement:**
@@ -235,7 +223,7 @@ imports, no attributes, no arbitrary calls.
 - Tests conservative defaults and path filtering
 - Integrated into CI governance gate
 
-### 8. OAuth 2.1 / DPoP
+### 7. OAuth 2.1 / DPoP
 
 `OAuth21AuthorizationServer` and `OAuth21ResourceServer` implement the
 authorization code grant with PKCE (S256) and optional DPoP proof-of-possession:
@@ -247,7 +235,7 @@ authorization code grant with PKCE (S256) and optional DPoP proof-of-possession:
 - `SQLiteOAuthStore` provides durable client/authorization-code/nonce storage
   with PBKDF2-SHA256 client-secret hashing.
 
-### 9. MCP Transport
+### 8. MCP Transport
 
 Two transports share the same `handle_mcp_request()` dispatch:
 
@@ -261,7 +249,7 @@ The HTTP server enforces:
 - `Mcp-Session-Id` session tracking.
 - Body size limits with `413` for oversized payloads.
 
-### 8. LLM Integration
+### 9. LLM Integration
 
 `teaagent.llm` provides a unified adapter layer (`LLMAdapter`) across 13
 registered providers in `PROVIDER_CONFIGS`: `claude`, `gpt`, `gemini`,
@@ -275,7 +263,7 @@ adapter implements `chat()` returning an `LLMResponse`. Features include:
 - Cost budget pre-flight.
 - Streaming via `stream=True` and `on_chunk` callbacks.
 
-### 9. External Federation Boundary (ANP Adapter)
+### 10. External Federation Boundary (ANP Adapter)
 
 TeaAgent treats ANP as an optional external federation surface through a
 bidirectional adapter boundary:

docs/plans/remediation-roadmap.md

@@ -48,12 +48,12 @@ Principle: **smallest verifiable step** per phase; no big-bang refactors.
 
 | # | Task | Output |
 |---|------|--------|
-| P3.1 | Reconcile README Foundation vs maturity Beta | README + matrix sync |
-| P3.2 | Fix `architecture.md` duplicate section numbers | Editorial |
-| P3.3 | threat-model verification columns for rows 26, 32 | Link to new tests |
-| P3.4 | governance-gate: add phase5/6 unit files | `.github/workflows/ci.yml` |
+| P3.1 | ✅ Reconcile README Foundation vs maturity Beta | README + matrix sync |
+| P3.2 | ✅ Fix `architecture.md` duplicate section numbers | Editorial |
+| P3.3 | ✅ threat-model verification columns (Context Bus, async P2P, swarm, workflow rollback) | `docs/threat-model.md` |
+| P3.4 | ✅ governance-gate: Phase 5 unit files; docker only in `docker-smoke` | `.github/workflows/ci.yml` |
 | P3.5 | ✅ Optional pre-commit smoke (`TEAAGENT_PRECOMMIT_FULL=1` for full suite) | `.pre-commit-config.yaml` |
-| P3.6 | docker-smoke: decide block vs advisory | CI policy doc |
+| P3.6 | ✅ docker-smoke advisory (`continue-on-error`); documented in CONTRIBUTING | `CONTRIBUTING.md` |
 | P3.7 | ✅ Plugin fail-closed when `TEAAGENT_PLUGINS_STRICT=1` | S-H8 | `plugins.py` |
 
 ---

docs/threat-model.md

@@ -22,16 +22,16 @@ This document maps threats to mitigations and verification. It complements [tool
 | Provider response schema drift | Low | JSON schema for model decisions | `test_live_provider_conformance_flow.py` | Provider-specific quirks remain |
 | Unbounded run cost | Medium | `RunBudget`; iteration/tool/cost caps | `test_p0_harness.py`, `test_p0_slo_flow.py` | User must configure caps |
 | JIT approval server unresponsive during wait | High | Async `_wait_for_approval` using `asyncio.Event` + `asyncio.wait_for`; SSE server remains responsive | `tests/test_phase6_jit_server.py` | Fixed synchronous `time.sleep` spin-lock blocking event loop |
-| Context Bus SQLite lock contention / transaction leaks | Medium | Per-thread SQLite connections (`threading.local`); `timeout=5.0` on connect; WAL pragmas on each new connection; `_execute_with_retry` with exponential backoff (5 retries) + generation-based reconnect; explicit `conn.rollback()` on write failure; `cleanup_old_deltas` scoped to `workflow_id` | `tests/test_phase5_context_bus.py` (incl. parallel publish + workflow-scoped cleanup) | Global `_reconnect()` still closes all thread handles; see `docs/plans/remediation-roadmap.md` P2.1 |
+| Context Bus SQLite lock contention / transaction leaks | Medium | Per-thread SQLite connections (`threading.local`); `timeout=5.0` on connect; WAL pragmas on each new connection; `_execute_with_retry` with exponential backoff (5 retries) + generation-based reconnect (per-thread only); explicit `conn.rollback()` on write failure; `cleanup_old_deltas` scoped to `workflow_id` | `tests/test_phase5_context_bus.py` (incl. parallel publish + workflow-scoped cleanup), `tests/test_remediation_p1_p2.py` | — |
 | Federated sync state corruption on crash | Medium | `atomic_write_text` + file lock on `federated_sync_state.json`; lock on pending changes | `tests/test_federated_sync.py` | File-based multi-sig quorum still experimental |
 | JIT approval server race on approve/reject | Medium | `threading.Lock` on `_requests` / `_pending_events` | `tests/test_phase5_jit_approval_server.py` | Approve from thread without running event loop still drops SSE broadcast |
-| Asyncio event loop starvation from synchronous P2P approval polling | High | `collect_approval_signatures` converted to `async def` with `asyncio.sleep`; `_collect_peer_signatures` dispatches via `run_coroutine_threadsafe` or `asyncio.run()` | — | Previously 5-minute synchronous `time.sleep` polling blocked event loop — now fully non-blocking |
+| Asyncio event loop starvation from synchronous P2P approval polling | High | `collect_approval_signatures` is `async def` with `asyncio.sleep`; blocking I/O uses `run_in_executor`; `_collect_peer_signatures` dispatches via `run_coroutine_threadsafe` or `asyncio.run()` | `tests/test_federated_sync.py`, `tests/test_policy.py` (`MultiSigQuorumTests`) | Dedicated async poll unit test still optional |
 | Shell normalization bypass via brace expansion / process substitution | High | Multi-pass `_normalize_shell_arg` now handles `{a,b}` expansion, `<()` process substitution, and non-string/non-list fallback | `tests/test_policy.py` | Catches `/pr{od,oduction}`, `<(echo /prod)`, dict-type command args |
 | Protected directory bypass via alternate write tools | High | `workspace_write_*` tool pattern + `.git*` argument pattern covers all write tools and subdirectory contents | `tests/test_policy.py`, `tests/test_file_policy.py` | Previously only `workspace_write_file` was covered |
-| Swarm hang / undetected thread deadlock | High | `ThreadPoolExecutor.as_completed(timeout=...)` with partial result collection; `Subagent` tracks `is_running`/`last_heartbeat`; `_heartbeat_monitor_loop` uses thread-ref liveness instead of defunct PID-based `is_process_alive` | `tests/test_swarm.py` | Previously heartbeat monitor checked parent PID (always alive) — now detects actual thread hangs |
+| Swarm hang / undetected thread deadlock | High | `ThreadPoolExecutor.as_completed(timeout=...)` with partial result collection; `Subagent` tracks `is_running`/`last_heartbeat`; `_heartbeat_monitor_loop` uses thread-ref liveness instead of defunct PID-based `is_process_alive`; heartbeat hangs merged into swarm `results` | `tests/test_swarm.py`, `tests/test_remediation_p1_p2.py` | Previously heartbeat monitor checked parent PID (always alive) — now detects actual thread hangs |
 | Git stash stack corruption in parallel sandboxes | Critical | `stash_save` returns actual stash reflog selector; `stash_pop` accepts specific ref | `tests/test_sandbox.py` | Previously hardcoded `stash@{0}` caused cross-agent stash confusion |
 | Workflow self-healing infinite recursion | High | `_execute_step` accepts `current_attempt` parameter preserved across recursive re-execution; abort guard checks attempts against max before proceeding | `tests/test_phase5_workflow_engine.py` | Previously `self_healing_attempts` reset to 0 on new `StepExecution` — now passed through recursion chain |
-| Workflow strict validation rollback never executed | High | `execute_workflow` integrates `UndoJournal` + `AuditLogger`; checks `result.requires_rollback` and calls `journal.restore()` on strict validation failure | — | Previously `requires_rollback` flag set but never consumed — now triggers full workspace undo |
+| Workflow strict validation rollback never executed | High | `execute_workflow` integrates `UndoJournal` + `AuditLogger`; checks `result.requires_rollback` and calls `journal.restore()` on strict validation failure | `tests/test_remediation_p1_p2.py` (`WorkflowRollbackTests`), `tests/test_phase5_workflow_engine.py` | Previously `requires_rollback` flag set but never consumed — now triggers full workspace undo |
 
 ## Trust Boundaries