
Commit 80bf1f8

krokoko and bgagent authored
fix(security): fix gh issue (#234)
* chore(docs): update roadmap
* chore(docs): update roadmap inconsistencies
* fix(security): upgrade gh version
* fix(docs): fix inconsistencies
* fix(scripts): fix failing precommit
* fix(docs): fix build

---------

Co-authored-by: bgagent <bgagent@noreply.github.com>
1 parent 125e205 commit 80bf1f8

44 files changed

Lines changed: 728 additions & 1364 deletions


.github/workflows/security.yml

Lines changed: 1 addition & 0 deletions
@@ -97,6 +97,7 @@ jobs:
9797
9898
gh issue create \
9999
--title "Security suite failed (${GITHUB_REF_NAME} @ ${short})" \
100+
--label bug \
100101
--body-file "${body_file}"
101102
102103
- name: Fail job if security suite failed
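
Review bot: `--label bug` on new line 100 makes issue creation depend on a `bug` label existing in the repository; `gh issue create` errors out on an unknown label, in which case no issue is filed for the failed security suite. Create the label as part of repository setup or in a preceding step, and consider a dedicated label such as `security` so these reports can be triaged apart from ordinary bugs.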

agent/Dockerfile

Lines changed: 1 addition & 1 deletion
@@ -1,5 +1,5 @@
11
ARG TARGETPLATFORM=linux/arm64
2-
ARG GH_VERSION=2.92.0
2+
ARG GH_VERSION=2.93.0
33

44
FROM --platform=$TARGETPLATFORM jdxcode/mise:latest AS mise
55
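
Review bot: the `GH_VERSION` bump on line 2 carries no rationale in the file, and the commit message says only "upgrade gh version" under a `fix(security)` prefix. Add a comment above the `ARG`, or a line in the commit body, naming the advisory or changelog entry that motivated 2.93.0, so a later rebase or downgrade does not silently undo it. Separately, the unchanged `FROM --platform=$TARGETPLATFORM jdxcode/mise:latest` on line 4 floats with the tag; pinning it to a version or digest would give the image the same reproducibility the `gh` pin is after.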

docs/decisions/ADR-002-least-privilege-bootstrap-policies.md

Lines changed: 6 additions & 6 deletions
@@ -2,7 +2,7 @@
22

33
**Status:** accepted
44
**Date:** 2026-05-19
5-
**Implementation:** Tracked in RFC #120; artifacts referenced below land progressively across the 8-PR stack and are not yet present on `main`.
5+
**Implementation:** Core shipped (#158, #162). The typed policies (`cdk/src/bootstrap/policies/`), triple-layer versioning (`cdk/src/bootstrap/version.ts``BOOTSTRAP_VERSION = '1.1.0'`, `computeBootstrapHash()`), the generated bootstrap template (`cdk/bootstrap/bootstrap-template.yaml`), and the `mise //cdk:bootstrap` + `mise //cdk:bootstrap:generate` tasks are all present on `main`. Two sub-mechanisms remain pending: the synth-time CDK Aspect (#125, depends on the resource-action-map #124) and the deploy-time `mise //cdk:preflight` validator (#126). See RFC #120 for the original stack.
66

77
## Context
88
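
Review bot: the new **Implementation** text on line 5 hardcodes `BOOTSTRAP_VERSION = '1.1.0'`, which goes stale on the next version bump in `cdk/src/bootstrap/version.ts`. Refer to the constant by name only, or say that 1.1.0 was the value when the ADR was updated. The line also packs shipped and pending items into one long sentence; a short shipped/pending list would be easier to audit against #125 and #126.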

@@ -19,7 +19,7 @@ The ABCA project documented three scoped policies in `docs/design/DEPLOYMENT_ROL
1919

2020
## Decision
2121

22-
### Policies as typed TypeScript code in `cdk/src/bootstrap/` *(lands in #122)*
22+
### Policies as typed TypeScript code in `cdk/src/bootstrap/` *(shipped)*
2323

2424
Rationale for location:
2525
- **Agent routing**`AGENTS.md` routes CDK/IAM changes to `cdk/`. An agent modifying a construct that adds a DynamoDB table naturally looks here for the policy it must update.
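
Review bot: the heading on line 22 swaps *(lands in #122)* for a bare *(shipped)*, which drops the only PR link from this section. Keep a reference next to the status, as the pending items elsewhere in this file do with their issue numbers, so the claim can be checked against the merge that delivered it.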
@@ -35,16 +35,16 @@ Rationale for location:
3535
| **SHA256 hash** | Detects console drift — manual IAM edits that diverge from code. |
3636
| **Action-set comparison** | Precise gap reporting: exactly which actions are missing. |
3737

38-
Semver and hash are emitted as CloudFormation outputs on the CDKToolkit stack, enabling automated preflight checks.
38+
Semver and hash are computed by `cdk/src/bootstrap/version.ts` (`BOOTSTRAP_VERSION`, `computeBootstrapHash()`) and emitted into the generated template / `cdk/bootstrap/{BOOTSTRAP_VERSION,BOOTSTRAP_HASH}` files, enabling automated preflight checks.
3939

4040
### Two-layer preflight validation
4141

42-
1. **CDK Aspect (synth-time)** *(lands in #125)* — will run during `mise //cdk:synth`, visiting every `CfnResource`, looking up required actions in a resource-action-map (#124), and comparing against declared policy. Catches issues at dev time.
43-
2. **Live-account validator (deploy-time)** *(lands in #126)*`mise //cdk:preflight` will read CDKToolkit stack outputs, compare version/hash against requirements, and fail fast with an actionable "re-bootstrap required" message before CloudFormation starts.
42+
1. **CDK Aspect (synth-time)** *(pending — #125)* — will run during `mise //cdk:synth`, visiting every `CfnResource`, looking up required actions in a resource-action-map (#124), and comparing against declared policy. Catches issues at dev time. **Not yet implemented:** `cdk/src/main.ts` currently registers only `AwsSolutionsChecks` (cdk-nag) — there is no bootstrap-policy aspect.
43+
2. **Live-account validator (deploy-time)** *(pending — #126)*`mise //cdk:preflight` will read CDKToolkit stack outputs, compare version/hash against requirements, and fail fast with an actionable "re-bootstrap required" message before CloudFormation starts. **Not yet implemented:** no `preflight` task exists in `cdk/mise.toml`.
4444

4545
### Custom bootstrap template
4646

47-
*(Lands in #123)*will be generated from the policy source code (not hand-maintained). Operators will run `mise //cdk:bootstrap` to provision least-privilege roles in a single command. The template replaces `AdministratorAccess` with the three managed policies while retaining all other default bootstrap resources.
47+
*(shipped)* — generated from the policy source code (not hand-maintained) at `cdk/bootstrap/bootstrap-template.yaml`. Operators run `mise //cdk:bootstrap` (which depends on `mise //cdk:bootstrap:generate` to regenerate the policy JSON, template YAML, and version/hash files) to provision least-privilege roles in a single command. The template replaces `AdministratorAccess` with the three managed policies while retaining all other default bootstrap resources.
4848

4949
### Delivery via stacked PRs (ADR-001)
5050
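
Review bot: line 38 now says the semver and hash are emitted into the generated template and the `cdk/bootstrap/{BOOTSTRAP_VERSION,BOOTSTRAP_HASH}` files, replacing the earlier statement that they are CloudFormation outputs on the CDKToolkit stack, but item 2 on line 43 still says `mise //cdk:preflight` "will read CDKToolkit stack outputs". State whether the generated template still exposes both values as stack outputs. If it does not, the deploy-time validator has nothing in the live account to compare against, and the console-drift detection the table assigns to the SHA256 hash cannot work as described.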

docs/decisions/ADR-013-tiered-validation-pyramid.md

Lines changed: 5 additions & 5 deletions
@@ -31,7 +31,7 @@ The root cause: there is no **Tier 2** — a local, fast, high-fidelity validati
3131
| Tier | Time | What it catches | Gap |
3232
|------|------|-----------------|-----|
3333
| Pre-commit (Tier 0) | < 5s | Formatting, secrets, trailing whitespace | None — works well |
34-
| mise build (Tier 1) | 30–90s | Compile, unit tests, CDK synth, docs sync, linting | Partial — available but not gated on push |
34+
| mise build (Tier 1) | 30–90s | Compile, unit tests, CDK synth, docs sync, linting | Wired as a pre-push gate (prek `pre-push` hooks run tests + security); the `mise run build` superset is available on demand |
3535
| Remote CI (Tier 3) | 5–20 min | Full matrix, security, E2E, deploy | Authoritative but slow |
3636
| **Local integration (Tier 2)** || **Does not exist** | Integration-level validation without remote round-trip |
3737
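
Review bot: in the Tier 1 row on line 34 the **Gap** column now holds a status report rather than a gap, and the **What it catches** column still lists compile, CDK synth, docs sync and linting although the new text says the push gate runs only tests + security. Use that cell to name what is still not gated on push, and keep the hook wiring detail in the Tier 1 section.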

@@ -92,9 +92,9 @@ Status: **Implemented** (prek hooks)
9292
- Type sync drift (CDK ↔ CLI types in sync)
9393
- Constants drift (cross-language contract check)
9494

95-
Status: **Partially implemented** — available as `mise run build` but not enforced as a push gate. Agents can invoke this but often skip it.
95+
Status: **Implemented as a pre-push gate.** `.pre-commit-config.yaml` sets `default_install_hook_types: [pre-commit, pre-push]`, and the `monorepo-tests-pre-push` and `monorepo-security-pre-push` hooks (both `stages: [pre-push]`) run `mise run hooks:pre-push:tests` (→ `mise //cdk:test`, `mise //cli:test`, and the agent test suite) and `mise run hooks:pre-push:security` (→ `mise run security`) on every push. Note the shipped gate runs tests + security rather than the full `mise run build` superset (which additionally covers CDK synth, docs sync, and type/constants drift); those remain available on demand and are enforced authoritatively in Tier 3.
9696

97-
Requirement: Make `mise run build` (or a subset) the pre-push gate. Consider splitting into `mise run check:fast` (compile + lint, 30s) and `mise run check:full` (compile + test + synth, 90s).
97+
Remaining refinement: consider splitting into `mise run check:fast` (compile + lint, 30s) and `mise run check:full` (compile + test + synth, 90s), and folding synth/docs-sync/drift checks into the push gate for full Tier 1 coverage.
9898

9999
**Tier 2 — Local sandbox (1–5 min, on-demand before PR)**
100100
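
Review bot: "Implemented as a pre-push gate" with hooks that run "on every push" on line 95 overstates what a client-side hook can guarantee. The hooks run only in clones where they have been installed and can be skipped with `git push --no-verify`, so say that the gate is advisory on the developer machine and that Tier 3 is the enforcement point. The caveat that the gate "runs tests + security rather than the full `mise run build` superset" is also buried mid-paragraph; giving it its own sentence directly under the status would make the remaining gap harder to miss.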

@@ -162,7 +162,7 @@ The gap analysis dictates priority:
162162

163163
| Priority | Investment | Impact |
164164
|----------|-----------|--------|
165-
| P0 | Enforce Tier 1 as pre-push gate | Eliminates "pushed without building" class of CI failures |
165+
| P0 | ~~Enforce Tier 1 as pre-push gate~~ **(largely done)** — test + security push gate is wired (prek `pre-push` hooks); remaining work is folding synth/docs-sync/drift into the gate | Eliminates "pushed without building" class of CI failures |
166166
| P1 | `mise run test:integration` (Tier 2a — LocalStack) | Eliminates 60%+ of CI-only failures (AWS API contract mismatches) |
167167
| P2 | Agent smoke test (Tier 2b) | Catches agent runtime regressions before PR |
168168
| P3 | Ephemeral stack deploy (Tier 2c) | Catches IAM/wiring issues that only surface in real deployment |
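
Review bot: the P0 row on line 165 keeps the Impact cell "Eliminates "pushed without building" class of CI failures" while the Investment cell now says synth, docs sync and drift are still outside the gate, so that impact has not been fully delivered. Split it into a closed row for the test + security gate and an open row for folding synth/docs-sync/drift into the gate, each with its own impact statement.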
@@ -207,7 +207,7 @@ Escape hatches must be explicit (noted in PR description, not silent).
207207
- ADR-002 — bootstrap policies (Tier 2c validates IAM preflight locally)
208208
- ADR-008 — definition of done (tier requirements per DoD level)
209209
- ADR-012 (prerequisite) — operational knowledge stack; this ADR depends on 012's skill model for agent interaction with validation tiers
210-
- Current hooks: `.pre-commit-config.yaml` (Tier 0 implementation)
210+
- Current hooks: `.pre-commit-config.yaml` — the config file keeps the `pre-commit` name, but the runner is **prek** (pinned in `mise.toml` `[tools]`; `prek install --prepare-hooks` wires both `pre-commit` and `pre-push` stages). Implements Tier 0 (`pre-commit` stage) and the Tier 1 push gate (`pre-push` stage).
211211
- Current build: `mise.toml` root + package-level configs (Tier 1 implementation)
212212
- LocalStack: https://localstack.cloud (candidate for Tier 2a)
213213
- Firecracker MicroVMs: https://firecracker-microvm.github.io (candidate for Tier 2d)
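
Review bot: after the change on line 210, both this bullet and the unchanged line 211 (`mise.toml` as "Tier 1 implementation") claim to implement Tier 1. Say which is which, for example the hooks as the Tier 1 push gate and `mise.toml` as the on-demand Tier 1 build. The install command `prek install --prepare-hooks` is setup guidance and sits oddly in a references list; move it to wherever contributor setup is documented and link to it from here.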
