Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
51 changes: 51 additions & 0 deletions .github/workflows/dco.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,51 @@
name: DCO

on:
pull_request:
types: [opened, edited, synchronize, reopened]
branches:
- main

permissions:
contents: read
pull-requests: read

concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true

jobs:
dco:
name: DCO Sign-off Check
runs-on: ubuntu-latest
timeout-minutes: 5
if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
steps:
- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
fetch-depth: 0

- name: Check DCO sign-off
run: |
base="${{ github.event.pull_request.base.sha }}"
head="${{ github.event.pull_request.head.sha }}"
failed=0

for sha in $(git rev-list "$base".."$head"); do
if ! git log -1 --format='%B' "$sha" | grep -qiE '^Signed-off-by: .+ <.+>'; then
echo "::error::Commit $sha is missing a DCO Signed-off-by line."
echo " $(git log -1 --format='%s' "$sha")"
failed=1
fi
done

if [ "$failed" -eq 1 ]; then
echo ""
echo "All commits must include a Signed-off-by line."
echo "Use 'git commit -s' to sign, or 'git rebase --signoff HEAD~N' to fix existing commits."
echo "See: https://developercertificate.org/"
exit 1
fi

echo "All commits are signed off."
188 changes: 188 additions & 0 deletions ASSURANCE-CASE.md

Large diffs are not rendered by default.

42 changes: 42 additions & 0 deletions CONTRIBUTING.md
Original file line number Diff line number Diff line change
Expand Up @@ -156,9 +156,51 @@ git push origin feature/your-feature-name

7. **Submit a pull request** to the main repository

## Developer Certificate of Origin (DCO)

This project uses the [Developer Certificate of Origin (DCO)](https://developercertificate.org/) to ensure that contributors have the right to submit their contributions under the project's [Apache 2.0 license](LICENSE.md).

**All commits must include a `Signed-off-by` line** with your real name and email address, certifying that you have the right to submit the work under the project's license:

```
Signed-off-by: Your Name <your.email@example.com>
```

### How to sign off

Add the `-s` (or `--signoff`) flag to your `git commit` command:

```bash
git commit -s -m "feat: your feature description"
```

This automatically appends the `Signed-off-by` line using the name and email from your git configuration. To set these:

```bash
git config user.name "Your Name"
git config user.email "your.email@example.com"
```

### Fixing unsigned commits

If you forget to sign off, you can amend your most recent commit:

```bash
git commit --amend -s --no-edit
```

For multiple unsigned commits, use an interactive rebase:

```bash
git rebase --signoff HEAD~N # where N is the number of commits to sign
```

**Pull requests with unsigned commits will fail the DCO check in CI and cannot be merged.**

## Guidelines

- **Read the ADRs first** — all code changes must comply with the project's Architecture Decision Records
- **Sign your commits** — all commits must include a `Signed-off-by` line (see DCO section above)
- Follow the existing code style and conventions
- Write clear, descriptive commit messages using [Conventional Commits](https://www.conventionalcommits.org/)
- Add tests for new functionality when applicable
Expand Down
56 changes: 56 additions & 0 deletions MAINTAINERS.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,56 @@
# Maintainers

This document lists the maintainers of the Archgate CLI project and describes the access continuity plan to ensure the project can continue with minimal interruption if any single contributor becomes unavailable.

## Current Maintainers

| Name | GitHub | Role | Scope |
| ------------- | ------------------------------------------------ | --------------- | --------------------------------------------------------- |
| Rhuan Barreto | [@rhuanbarreto](https://github.com/rhuanbarreto) | Lead Maintainer | Full project access (code, releases, infrastructure, DNS) |

## Becoming a Maintainer

We welcome new maintainers. To be considered, a contributor should:

1. Have a history of meaningful contributions (code, docs, reviews, or community support)
2. Demonstrate understanding of the project's ADR governance model
3. Be nominated by an existing maintainer
4. Agree to follow the project's [Code of Conduct](CODE_OF_CONDUCT.md) and [Contributing Guidelines](CONTRIBUTING.md)

If you are interested in becoming a maintainer, open a discussion in [GitHub Discussions](https://github.com/archgate/cli/discussions) or reach out to an existing maintainer.

## Access Continuity Plan

The project maintains the following access continuity measures to ensure it can create and close issues, accept proposed changes, and release new versions within a week of any single contributor becoming unavailable:

### Critical Access Points

| Resource | Access Level | Backup Mechanism |
| ---------------------------------------------------- | --------------- | ---------------------------------------------------- |
| GitHub repository (admin) | Lead Maintainer | GitHub organization ownership with recovery contacts |
| npm publishing (`archgate` package) | Lead Maintainer | npm organization with granular access tokens |
| Domain (`archgate.dev`, `cli.archgate.dev`) | Lead Maintainer | Domain registrar account with recovery email |
| Cloudflare Pages (docs hosting) | Lead Maintainer | Cloudflare account with recovery mechanisms |
| Plugin distribution service (`plugins.archgate.dev`) | Lead Maintainer | Infrastructure documented in internal runbooks |
| GitHub Actions secrets | Lead Maintainer | Documented in internal access registry |

### Continuity Measures

1. **GitHub Organization:** The `archgate` GitHub organization has recovery contacts configured. Organization ownership can be transferred through GitHub's account recovery process.

2. **npm Access:** The `archgate` npm package is published under an npm organization, enabling additional maintainers to be granted publish access without sharing individual credentials.

3. **Release Process:** The release workflow (`.github/workflows/release.yml` and `.github/workflows/release-binaries.yml`) is fully automated via GitHub Actions. Any maintainer with write access can trigger a release by pushing a version tag.

4. **Documentation:** The documentation site builds and deploys automatically from the `main` branch. No manual intervention is required for docs updates.

5. **Secrets and Credentials:** All project secrets (API keys, tokens, signing keys) are stored in GitHub Actions secrets and a secure credential vault. Access procedures are documented internally and can be transferred to a successor maintainer.

6. **Bus Factor Improvement:** The project is actively working to onboard additional maintainers to increase the bus factor above 1. This includes:
- Comprehensive documentation of all processes in this file and [CONTRIBUTING.md](CONTRIBUTING.md)
- Automated CI/CD pipelines that require minimal manual intervention
- Self-governance via ADRs that document architectural decisions independently of any individual

### Emergency Contact

For urgent access or continuity concerns, contact: **hello@archgate.dev**
1 change: 1 addition & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,7 @@
[![License: Apache-2.0](https://img.shields.io/badge/License-Apache--2.0-blue.svg)](LICENSE.md)
[![Release](https://github.com/archgate/cli/actions/workflows/release.yml/badge.svg)](https://github.com/archgate/cli/actions/workflows/release.yml)
[![Docs](https://img.shields.io/badge/docs-cli.archgate.dev-blue)](https://cli.archgate.dev)
[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/12659/badge)](https://www.bestpractices.dev/projects/12659)

</div>

Expand Down
74 changes: 74 additions & 0 deletions ROADMAP.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,74 @@
# Archgate CLI Roadmap

> **Last updated:** April 2026 | **Current version:** v0.30.1

This document describes what Archgate intends to build, improve, and explicitly _not_ pursue over the next 12 months. It is reviewed quarterly.

## Vision

Archgate becomes the standard governance layer for AI-assisted development. ADRs are the universal format for expressing architectural decisions, and Archgate enforces them automatically — across AI tools, CI systems, and teams.

## What's Done (Phases 0–2.5)

These phases are complete and stable:

- **ADR format & lifecycle** — create, list, show, update ADRs with YAML frontmatter and companion `.rules.ts` files
- **Check engine** — fast, deterministic ADR compliance validation (`archgate check`) with CI annotations, `--staged` support, and JSON output
- **AI integration** — MCP server exposing tools and resources for AI agents to consume ADR context
- **Editor plugins** — Claude Code, VS Code, Cursor, Copilot CLI, and opencode integrations
- **Documentation site** — [cli.archgate.dev](https://cli.archgate.dev) with i18n (English + Brazilian Portuguese)
- **Binary distribution** — macOS ARM, Linux x64, Windows x64 via GitHub Releases with npm thin shim, install script, and proto plugin
- **GitHub Actions** — `archgate/check-action@v1` and `archgate/setup-action@v1` published
- **Self-governance** — the CLI dogfoods 17+ ADRs with executable rules

## In Progress: Ecosystem Growth (Phase 3)

**Timeline:** Q2 2026 – Q1 2027

### ADR Marketplace

- Community-contributed ADR repository at [`archgate/awesome-adrs`](https://github.com/archgate/awesome-adrs)
- `archgate adr import <source>` command to import ADRs from the marketplace or any git URL
- Curated ADR sets: TypeScript, Testing, API Design (with companion `.rules.ts` files)
- Contribution guidelines and review process for community ADRs

### Pre-commit Hook Integration

- Package `archgate check --staged` for husky, lefthook, and pre-commit ecosystems
- Lower the adoption barrier for teams with existing git hook workflows
- Documentation and examples for each hook system

### Starter ADR Sets

- **TypeScript** — strict tsconfig rules, no `any`, naming conventions
- **Testing** — test file co-location, coverage thresholds, fixture patterns
- **API Design** — REST naming, error response format, OpenAPI requirements

### Documentation & Community

- Expand rule examples library (target: 30+ patterns)
- Contributor onboarding guide
- Case studies from early adopters

## What We Will NOT Do

These are explicit non-goals for the foreseeable future:

- **Become a linter.** Archgate orchestrates enforcement (including linting) but will not compete with ESLint, Biome, or Oxlint on code style rules.
- **Lock into a single AI tool.** The MCP server and ADR format are tool-agnostic. We will not build features that only work with one AI vendor.
- **Dictate technology stacks.** Archgate governs how you build, not what you build with. ADRs are stack-agnostic by design.
- **Build a code generation tool.** Archgate governs AI-generated code — it does not generate code itself.
- **Support pre-1.0 API stability guarantees.** The ADR format and Rule API may have breaking changes before 1.0. We version clearly and document migrations.

## Release Cadence

- **Patch releases** (bug fixes, docs): as needed
- **Minor releases** (features, non-breaking): roughly bi-weekly
- **Major milestones** are tracked in [GitHub Issues](https://github.com/archgate/cli/issues) and this roadmap

## How to Influence the Roadmap

- **Feature requests:** [Open an issue](https://github.com/archgate/cli/issues/new) with the `enhancement` label
- **Bug reports:** [Open an issue](https://github.com/archgate/cli/issues/new) with the `bug` label
- **Discussions:** [GitHub Discussions](https://github.com/archgate/cli/discussions) for broader ideas and feedback
- **Contributions:** See [CONTRIBUTING.md](CONTRIBUTING.md) for how to get involved
19 changes: 9 additions & 10 deletions docs/public/llms-full.txt
Original file line number Diff line number Diff line change
Expand Up @@ -1219,7 +1219,7 @@ Authenticate with your GitHub account to obtain a plugin token:
archgate login
```

This starts a GitHub Device Flow. The CLI displays a one-time code and URL -- open the URL in your browser, enter the code, and authorize. Once complete, credentials are stored in `~/.archgate/credentials`.
This starts a GitHub Device Flow. The CLI displays a one-time code and URL -- open the URL in your browser, enter the code, and authorize. Once complete, credentials are stored securely in your OS credential manager via `git credential approve`.

### 2. Initialize your project with the plugin

Expand Down Expand Up @@ -1355,7 +1355,7 @@ Authenticate with your GitHub account to obtain a plugin token:
archgate login
```

This starts a GitHub Device Flow. The CLI displays a one-time code and URL -- open the URL in your browser, enter the code, and authorize. Once complete, credentials are stored in `~/.archgate/credentials`.
This starts a GitHub Device Flow. The CLI displays a one-time code and URL -- open the URL in your browser, enter the code, and authorize. Once complete, credentials are stored securely in your OS credential manager via `git credential approve`.

### 2. Initialize your project with the plugin

Expand Down Expand Up @@ -1397,7 +1397,7 @@ If the `copilot` CLI is not found during `archgate init`, you can install the pl
copilot plugin install https://<github-user>:<token>@plugins.archgate.dev/archgate.git
```

You can find your authenticated URL by running `archgate login` and checking `~/.archgate/credentials`.
You can find your authenticated URL by running `archgate plugin url copilot`.

## What the plugin provides

Expand Down Expand Up @@ -1984,11 +1984,10 @@ When cloning or forking a repository that uses Archgate, the security scanner au

### Credentials

The `archgate login` command stores an authentication token at `~/.archgate/credentials` with owner-only file permissions (`0600` on Unix). This token is used for plugin installation and is never sent to third parties beyond the Archgate plugins service.
The `archgate login` command stores your authentication token in the operating system's credential manager (macOS Keychain, Windows Credential Manager, or Linux libsecret) via `git credential approve`. No credentials are written to disk as plain-text files. The token is used for plugin installation and is never sent to third parties beyond the Archgate plugins service.

- Do not commit `~/.archgate/credentials` to version control.
- Do not share the token in CI logs. Plugin installation commands pass credentials via authenticated URLs to git, which may appear in process listings. Avoid running `archgate plugin install` with verbose logging in shared CI environments.
- To revoke access, run `archgate logout` or delete `~/.archgate/credentials`.
- To revoke access, run `archgate login logout`.

### Self-update integrity

Expand Down Expand Up @@ -2026,7 +2025,7 @@ Authenticate with your GitHub account to obtain a plugin token:
archgate login
```

This starts a GitHub Device Flow. The CLI displays a one-time code and URL -- open the URL in your browser, enter the code, and authorize. Once complete, credentials are stored in `~/.archgate/credentials`.
This starts a GitHub Device Flow. The CLI displays a one-time code and URL -- open the URL in your browser, enter the code, and authorize. Once complete, credentials are stored securely in your OS credential manager via `git credential approve`.

### 2. Initialize your project with the plugin

Expand Down Expand Up @@ -2089,7 +2088,7 @@ The user-level marketplace setting (added to your `settings.json`):

If you prefer not to let the CLI modify your user settings, you can set things up manually:

**Marketplace URL:** Open VS Code's user settings JSON (`Ctrl+Shift+P` → "Preferences: Open User Settings (JSON)") and add the `chat.plugins.marketplaces` entry shown above. You can find your authenticated URL by running `archgate login` and checking `~/.archgate/credentials`.
**Marketplace URL:** Open VS Code's user settings JSON (`Ctrl+Shift+P` → "Preferences: Open User Settings (JSON)") and add the `chat.plugins.marketplaces` entry shown above. You can find your authenticated URL by running `archgate plugin url vscode`.

**Extension:** Download and install the `.vsix` file directly:

Expand All @@ -2099,7 +2098,7 @@ code --install-extension archgate.vsix
rm archgate.vsix
```

Replace `<token>` with your archgate token from `~/.archgate/credentials`.
Replace `<token>` with your archgate token (retrieve it via `archgate plugin url vscode`).

## What the plugin provides

Expand Down Expand Up @@ -3610,7 +3609,7 @@ Authenticate with GitHub to access Archgate editor plugins. If you are not regis
archgate login
```

Starts a GitHub Device Flow (OAuth). The CLI displays a one-time code and a URL. Open the URL in your browser, enter the code, and authorize the Archgate GitHub OAuth App. Once authorized, the CLI exchanges your GitHub identity for an Archgate plugin token and stores it securely in your OS credential manager (macOS Keychain, Windows Credential Manager, or Linux libsecret) via `git credential approve`. Non-sensitive metadata (username, date) is saved to `~/.archgate/credentials`.
Starts a GitHub Device Flow (OAuth). The CLI displays a one-time code and a URL. Open the URL in your browser, enter the code, and authorize the Archgate GitHub OAuth App. Once authorized, the CLI exchanges your GitHub identity for an Archgate plugin token and stores it securely in your OS credential manager (macOS Keychain, Windows Credential Manager, or Linux libsecret) via `git credential approve`. No credentials are written to disk as plain-text files.

If your GitHub account is not yet registered, the CLI prompts for your email, preferred editor, and use case, then signs you up automatically.

Expand Down
2 changes: 1 addition & 1 deletion docs/src/content/docs/guides/claude-code-plugin.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -40,7 +40,7 @@ Authenticate with your GitHub account to obtain a plugin token:
archgate login
```

This starts a GitHub Device Flow. The CLI displays a one-time code and URL -- open the URL in your browser, enter the code, and authorize. Once complete, credentials are stored in `~/.archgate/credentials`.
This starts a GitHub Device Flow. The CLI displays a one-time code and URL -- open the URL in your browser, enter the code, and authorize. Once complete, credentials are stored securely in your OS credential manager via `git credential approve`.

### 2. Initialize your project with the plugin

Expand Down
4 changes: 2 additions & 2 deletions docs/src/content/docs/guides/copilot-cli-plugin.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,7 @@ Authenticate with your GitHub account to obtain a plugin token:
archgate login
```

This starts a GitHub Device Flow. The CLI displays a one-time code and URL -- open the URL in your browser, enter the code, and authorize. Once complete, credentials are stored in `~/.archgate/credentials`.
This starts a GitHub Device Flow. The CLI displays a one-time code and URL -- open the URL in your browser, enter the code, and authorize. Once complete, credentials are stored securely in your OS credential manager via `git credential approve`.

### 2. Initialize your project with the plugin

Expand Down Expand Up @@ -65,7 +65,7 @@ If the `copilot` CLI is not found during `archgate init`, you can install the pl
copilot plugin install https://<github-user>:<token>@plugins.archgate.dev/archgate.git
```

You can find your authenticated URL by running `archgate login` and checking `~/.archgate/credentials`.
You can find your authenticated URL by running `archgate plugin url copilot`.

## What the plugin provides

Expand Down
Loading
Loading