governance: add GitHub Releases and Discussions responsibilities to Quill, Glyph, Paige, Relay, and G5 checklist

Author: Douglas Jones

.kiro/steering/01-governance-gates.md

@@ -97,10 +97,20 @@ Every initiative passes through seven gates. No gate passes on confidence — on
 - Release notes (Quill readout)
 - Rollback plan (what breaks if we revert, how to revert)
 - Capability manifest updated if the public surface changed
-- publicsite updated if agent-facing docs changed
-- Sable post-audit completed
+- **Publicsite sync (mandatory on every release):**
+  - `publicsite/capability.json` regenerated — `generator` field matches current version
+  - `publicsite/capability.cbor` regenerated
+  - Version stat in `index.html` updated to the new release number
+  - Release description text in `index.html` updated
+  - Any agent-facing doc changes (QUICKREF, FOR_AGENTS, COOKBOOK) reflected on site
+- **GitHub (mandatory on every release):**
+  - Git tag created and pushed (`git tag -a vX.Y.Z -m "..."`)
+  - GitHub Release created via `gh release create` with full release notes (Paige)
+  - GitHub Discussions Announcements post by Quill (human-facing narrative)
+  - GitHub Discussions Announcements structured companion by Glyph (agent-readable dispatch summary)
+- Sable post-audit completed (includes publicsite sync verification — see `04-adversarial-review.md`)
 - Glyph dispatch filed
-- `dispatch-check` exits 0
+- `dispatch-check` exits 0 (enforces publicsite sync automatically)
 
 **Passes when:** The change is safe to put in front of agents and users.
 

.kiro/steering/02-personas.md

@@ -22,12 +22,12 @@ The A-Team designs, builds, and delivers. They use the primary AI assistant (thi
 | **Forge** | Performance Engineer | NFRs, benchmarks, parallel evaluator, throughput targets | G1, G4, G5 |
 | **Sable** | Auditor | Adversarial soundness review, conformance gaps, supply chain | All gates (feeds Quill + Glyph) |
 | **Amelia** | Lead Developer | Implementation, code quality, technical decisions | G4 |
-| **Paige** | Technical Writer | Documentation, ADRs, capability manifest, agent-facing docs | All gates |
+| **Paige** | Technical Writer | Documentation, ADRs, capability manifest, agent-facing docs, GitHub Releases (release notes authored and published at every tag) | All gates |
 | **Axiom** | Agent Ergonomics Reviewer | First-contact agent perspective, friction mapping, cookbook raw material | G4, G5 |
 | **Lumen** | Specification Editor | Spec consistency, completeness, conformance gap detection | G2/G3, G4, G5 |
-| **Relay** | Developer/Agent Relations | Onboarding funnel, adoption KPIs, time-to-first-working-program | G5, G6 |
-| **Quill** | Journalist (human-facing) | Honest narrative assessment, readouts, release notes | G5, G6 |
-| **Glyph** | Journalist (agent-facing) | Structured dispatches, canonical state, agent-readable output | G5, G6 |
+| **Relay** | Developer/Agent Relations | Onboarding funnel, adoption KPIs, time-to-first-working-program, GitHub Discussions Q&A (monitors and responds to community questions) | G5, G6 |
+| **Quill** | Journalist (human-facing) | Honest narrative assessment, readouts, release notes, GitHub Discussions Announcements (posts human-facing release announcement at every release) | G5, G6 |
+| **Glyph** | Journalist (agent-facing) | Structured dispatches, canonical state, agent-readable output, GitHub Discussions Announcements (posts structured companion dispatch at every release) | G5, G6 |
 
 ---
 

.kiro/steering/04-adversarial-review.md

@@ -88,6 +88,50 @@ Both run at every gate. Sable first (informs the B-Team package), then B-Team.
 
 ---
 
+## Sable Release Checklist — Publicsite Sync
+
+Every G5 (Release Readiness) Sable audit **must** include the following
+publicsite sync checks. A finding on any item is at minimum P2 and is a
+release blocker.
+
+### PS-1 — capability.json generator version
+- Open `publicsite/capability.json`.
+- Read the `generator` field.
+- Run `python3 -m codifide capability | python3 -c "import sys,json; print(json.load(sys.stdin)['generator'])"`.
+- **Pass:** the two values match.
+- **Fail (P2):** they differ. The published manifest is stale.
+
+### PS-2 — capability.cbor freshness
+- Verify `publicsite/capability.cbor` was regenerated in the same commit
+  as `publicsite/capability.json`.
+- **Pass:** both files have the same commit timestamp.
+- **Fail (P2):** CBOR is older than JSON, or JSON is older than the release commit.
+
+### PS-3 — version stat in index.html
+- Search `publicsite/index.html` for `lang-stat-num`.
+- **Pass:** the version number matches the current release tag.
+- **Fail (P2):** the version stat still shows the previous release.
+
+### PS-4 — release description text
+- Search `publicsite/index.html` for the release description paragraph
+  adjacent to the version stat.
+- **Pass:** the description references the current release's key features.
+- **Fail (P3):** the description still describes the previous release.
+
+### PS-5 — agent-facing doc excerpts
+- Check whether `index.html` embeds or links to AGENT_QUICKREF.md,
+  FOR_AGENTS.md, or AGENT_COOKBOOK.md content inline.
+- If so, verify the inline content matches the current file.
+- **Pass:** no stale inline excerpts.
+- **Fail (P3):** inline content diverges from the source doc.
+
+### PS-6 — dispatch-check exits 0
+- Run `python3 -m codifide dispatch-check`.
+- **Pass:** exits 0.
+- **Fail (P1):** exits non-zero. Session cannot close with gaps outstanding.
+
+---
+
 ## Tracking
 
 All B-Team findings are tracked in the relevant spec's `G4_VERIFICATION.md` or `G5_RELEASE_READINESS.md` with:

.kiro/steering/personas/glyph.md

@@ -102,6 +102,23 @@ communicates with humans. Glyph communicates with agents. The project
 "publishes to agents" when a Glyph dispatch is committed to the repo and
 (later) posted to the dispatch stream.
 
+## GitHub Discussions — Glyph's role
+
+Glyph is responsible for the **Announcements** category on GitHub Discussions
+as the agent-readable release record. At every release:
+
+1. Quill posts the human-facing announcement (narrative, what changed, why it matters)
+2. Glyph posts a structured companion in the same thread or as a reply — the
+   canonical state in dispatch format, so agents reading the Discussions page
+   can reconstruct project state without reading the full dispatch journal
+
+The structured companion follows the dispatch schema but is written for
+GitHub Markdown, not YAML. It includes:
+- Shipped items as a checklist
+- Test count and manifest hash
+- Open items and unknowns
+- Links to the full Glyph YAML dispatch in the repo
+
 ## Catch-up on Codifide (as of v2.0 — 2026-05-14)
 
 Glyph, the project lives at

.kiro/steering/personas/quill.md

@@ -31,6 +31,13 @@ minutes, not hours. They will form an opinion based on what Quill writes.
 - **Release notes** written for human readers
 - **Post-mortems** that assign lessons, not blame
 - **Feature narratives** that explain *why*, not just *what*
+- **GitHub Discussions** — Quill owns the Discussions page:
+  - Post a release announcement in **Announcements** for every version that ships
+  - Seed **Show and tell** with case study results and real usage examples
+  - Seed **Q&A** with a getting-started thread at each major release
+  - Seed **Ideas** with deferred features, explaining the evidence threshold that would unlock them
+  - Monitor for community questions and ensure they get answered
+  - Keep the Announcements category as the canonical human-readable record of what shipped and why
 
 ## Integrity rules
 

.kiro/steering/publicsite-rules.md

@@ -0,0 +1,83 @@
+---
+inclusion: manual
+---
+
+# Publicsite (codifide.com) — Rules
+
+## Version Sync — The Website Must Track the Code
+
+The publicsite is the agent-facing interface to Codifide. Stale content
+misleads agents and users. These rules are enforced by `dispatch-check`
+and are on the Sable auditor checklist.
+
+### Rules
+
+1. **`publicsite/capability.json` and `publicsite/capability.cbor` must be
+   regenerated on every release.** Run:
+   ```bash
+   python3 -m codifide capability > /path/to/publicsite/capability.json
+   python3 -m codifide capability --cbor > /path/to/publicsite/capability.cbor
+   ```
+   The `generator` field in the published JSON must match the current
+   `codifide-python-X.Y.Z` version. A mismatch is a release blocker.
+
+2. **The version stat in `index.html` must match the current release.**
+   The `<span class="lang-stat-num">` element showing the version number
+   (e.g. `v2.0`) must be updated on every release. The release description
+   text alongside it must also reflect the new release.
+
+3. **Any agent-facing doc change (AGENT_QUICKREF.md, FOR_AGENTS.md,
+   AGENT_COOKBOOK.md) must be reflected on the site** if the site links to
+   or embeds that content. Check `index.html` for stale inline excerpts.
+
+4. **`dispatch-check` enforces rules 1 and 2 automatically.** It compares
+   the `generator` field in `publicsite/capability.json` against the live
+   manifest and checks the version stat in `index.html`. A mismatch causes
+   `dispatch-check` to exit non-zero.
+
+5. **The publicsite update must be committed in the same session as the
+   release.** Do not close a release session with a stale publicsite.
+
+### What "same session" means
+
+A release session ends when `dispatch-check` exits 0 and the
+session-close dispatch pair is filed. The publicsite sync must happen
+before that close, not after.
+
+---
+
+## Vercel Content Security Policy
+
+The `vercel.json` for the publicsite enforces a strict CSP:
+
+```
+style-src 'self' https://fonts.googleapis.com
+```
+
+**This means inline `<style>` blocks are blocked by the browser and silently ignored.**
+
+### Rules
+
+1. **Never write inline `<style>` blocks in any HTML file deployed to Vercel.** They will be blocked by the CSP and the page will render unstyled.
+
+2. **All CSS must be in external `.css` files** referenced via `<link rel="stylesheet" href="...">`.
+
+3. **When adding a new page**, create a corresponding `.css` file (e.g. `launch.html` → `launch.css`) and link it externally.
+
+4. **The main design system is `styles.css`** — always link this first, then any page-specific CSS file second.
+
+5. **Do not add `'unsafe-inline'` to the CSP** to work around this — fix the CSS instead.
+
+### Example
+
+Wrong:
+```html
+<style>
+  .my-class { color: red; }
+</style>
+```
+
+Right:
+```html
+<link rel="stylesheet" href="my-page.css" />
+```