fix: address PR review feedback across 10 files

- package.json: remove trailing space on kv:seed script line
- ci.yml: add npm test step, fix secret allowlist to catch bracket
  notation (secrets['NAME']) in addition to dot notation
- reusable-governance-gates.yml: same bracket notation fix
- chittycompliance-dispatch.sh: replace string interpolation with
  jq -nc for all JSON payloads to prevent injection
- org-governance-adversarial-review.sh: add defensive // [] for
  missingFiles and missingTriggers jq expressions
- connect.ts: proper AuthVariables typing instead of @ts-expect-error
- integrations.ts: normalize KV cache key with encodeURIComponent
- wrangler.toml: default PLAID_ENV to sandbox, production override
  in [env.production.vars]
- org-governance-pr-integration-loop.sh: add author verification
  against governance automation allowlist before auto-approve
- .gitignore: exclude timestamped governance report artifacts

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: chitcommit

.github/workflows/ci.yml

@@ -14,8 +14,8 @@ jobs:
         shell: bash
         run: |
           set -euo pipefail
-          secrets_in_use="$(grep -RhoE '\${{\s*secrets\.[A-Za-z_][A-Za-z0-9_]*\s*}}' .github/workflows \
-            | sed -E 's/.*secrets\.([A-Za-z_][A-Za-z0-9_]*).*/\1/' \
+          secrets_in_use="$(grep -RhoE '\$\{\{\s*secrets(\.[A-Za-z_][A-Za-z0-9_]*|\['"'"'\"[A-Za-z_][A-Za-z0-9_]*'"'"'\"\])\s*\}\}' .github/workflows \
+            | sed -E "s/.*secrets[.\['\"]([A-Za-z_][A-Za-z0-9_]*).*/\1/" \
             | sort -u || true)"
 
           if [[ -z "${secrets_in_use}" ]]; then
@@ -76,6 +76,8 @@ jobs:
         run: npm audit --audit-level=high
       - name: Typecheck
         run: npx tsc -p tsconfig.json --noEmit
+      - name: Test
+        run: npm test
       - name: Governance Pressure Tests
         run: bash scripts/pressure-test-governance.sh
       - name: Lint (skipped)

.github/workflows/reusable-governance-gates.yml

@@ -20,8 +20,8 @@ jobs:
         shell: bash
         run: |
           set -euo pipefail
-          secrets_in_use="$(grep -RhoE '\$\{\{\s*secrets\.[A-Za-z_][A-Za-z0-9_]*\s*\}\}' .github/workflows \
-            | sed -E 's/.*secrets\.([A-Za-z_][A-Za-z0-9_]*).*/\1/' \
+          secrets_in_use="$(grep -RhoE '\$\{\{\s*secrets(\.[A-Za-z_][A-Za-z0-9_]*|\['"'"'\"[A-Za-z_][A-Za-z0-9_]*'"'"'\"\])\s*\}\}' .github/workflows \
+            | sed -E "s/.*secrets[.\['\"]([A-Za-z_][A-Za-z0-9_]*).*/\1/" \
             | sort -u || true)"
 
           if [[ -z "${secrets_in_use}" ]]; then

.gitignore

@@ -15,6 +15,11 @@ ui/dist/
 # External service repos (cloned for reference, not tracked)
 _ext/
 
+# Generated governance reports (timestamped artifacts)
+reports/org-governance-*/report-*.json
+reports/org-governance-*/report-*.jsonl
+reports/org-governance-*/report-*.md
+
 # Build infos and OS cruft
 ui/tsconfig.tsbuildinfo
 .DS_Store

package.json

@@ -13,7 +13,7 @@
     "predeploy": "npm run typecheck",
     "db:generate": "drizzle-kit generate",
     "db:migrate": "drizzle-kit migrate",
-    "kv:seed": "bash scripts/seed-kv.sh ${KV_NAMESPACE_ID:-}" ,
+    "kv:seed": "bash scripts/seed-kv.sh ${KV_NAMESPACE_ID:-}",
     "ui:dev": "cd ui && vite dev",
     "ui:build": "cd ui && vite build",
     "ui:preview": "cd ui && vite preview",

scripts/chittycompliance-dispatch.sh

@@ -77,18 +77,14 @@ if [[ -n "${BROKER_URL}" && -n "${BROKER_TOKEN}" ]]; then
   broker_response="$(run_with_timeout curl -fsS -X POST "${BROKER_URL}" \
     -H "Authorization: Bearer ${BROKER_TOKEN}" \
     -H "Content-Type: application/json" \
-    -d "{
-      \"repo\":\"${REPO}\",
-      \"mode\":\"${MODE}\",
-      \"findings\":\"${FINDINGS}\",
-      \"context\":{
-        \"source\":\"org-governance-control-loop\",
-        \"run_id\":\"${GITHUB_RUN_ID:-local}\",
-        \"actor\":\"${GITHUB_ACTOR:-local}\",
-        \"workflow\":\"${GITHUB_WORKFLOW:-local}\"
-      },
-      \"requested_access\":[\"gateway_dispatch\",\"agent_orchestrator\"]
-    }" 2>/dev/null || true)"
+    -d "$(jq -nc \
+      --arg repo "${REPO}" \
+      --arg mode "${MODE}" \
+      --arg findings "${FINDINGS}" \
+      --arg run_id "${GITHUB_RUN_ID:-local}" \
+      --arg actor "${GITHUB_ACTOR:-local}" \
+      --arg workflow "${GITHUB_WORKFLOW:-local}" \
+      '{repo:$repo, mode:$mode, findings:$findings, context:{source:"org-governance-control-loop", run_id:$run_id, actor:$actor, workflow:$workflow}, requested_access:["gateway_dispatch","agent_orchestrator"]}')" 2>/dev/null || true)"
 
   if [[ -n "${broker_response}" ]]; then
     decision="$(jq -r '.decision // "deny"' <<< "${broker_response}" 2>/dev/null || echo "deny")"
@@ -137,7 +133,7 @@ fi
 if [[ -n "${CHITTYCOMPLIANCE_AGENT_ENDPOINT:-}" ]]; then
   run_with_timeout curl -fsS -X POST "${CHITTYCOMPLIANCE_AGENT_ENDPOINT}" \
     -H "Content-Type: application/json" \
-    -d "{\"repo\":\"${REPO}\",\"mode\":\"${MODE}\",\"findings\":\"${FINDINGS}\"}" >/dev/null && dispatch_success=1 || true
+    -d "$(jq -nc --arg repo "${REPO}" --arg mode "${MODE}" --arg findings "${FINDINGS}" '{repo:$repo, mode:$mode, findings:$findings}')" >/dev/null && dispatch_success=1 || true
 fi
 
 # Primary path: ChittyGateway / ChittyAgent orchestrator on Cloudflare Workers AI.
@@ -149,7 +145,7 @@ if [[ -n "${gateway_url}" ]]; then
   run_with_timeout curl -fsS -X POST "${gateway_url}" \
     -H "Content-Type: application/json" \
     "${auth_headers[@]}" \
-    -d "{\"pipeline\":\"chittycompliance\",\"repo\":\"${REPO}\",\"mode\":\"${MODE}\",\"findings\":\"${FINDINGS}\"}" >/dev/null && dispatch_success=1 || true
+    -d "$(jq -nc --arg repo "${REPO}" --arg mode "${MODE}" --arg findings "${FINDINGS}" '{pipeline:"chittycompliance", repo:$repo, mode:$mode, findings:$findings}')" >/dev/null && dispatch_success=1 || true
 fi
 
 if [[ -n "${orchestrator_url}" ]]; then
@@ -160,7 +156,7 @@ if [[ -n "${orchestrator_url}" ]]; then
   run_with_timeout curl -fsS -X POST "${orchestrator_url}" \
     -H "Content-Type: application/json" \
     "${auth_headers[@]}" \
-    -d "{\"operation\":\"governance_review\",\"repo\":\"${REPO}\",\"mode\":\"${MODE}\",\"findings\":\"${FINDINGS}\"}" >/dev/null && dispatch_success=1 || true
+    -d "$(jq -nc --arg repo "${REPO}" --arg mode "${MODE}" --arg findings "${FINDINGS}" '{operation:"governance_review", repo:$repo, mode:$mode, findings:$findings}')" >/dev/null && dispatch_success=1 || true
 fi
 
 if [[ "${STRICT_MODE}" == "true" && "${dispatch_success}" -eq 0 ]]; then

scripts/org-governance-adversarial-review.sh

@@ -63,9 +63,9 @@ while IFS= read -r row; do
   [[ -z "${row}" ]] && continue
   full_repo="$(jq -r '.fullRepo' <<< "${row}")"
   score="$(jq -r '.score' <<< "${row}")"
-  missing_files="$(jq -r '.missingFiles | join(", ")' <<< "${row}")"
-  missing_patterns="$(jq -r '.missingPatterns // [] | join(", ")' <<< "${row}")"
-  missing_triggers="$(jq -r '.missingTriggers | join(", ")' <<< "${row}")"
+  missing_files="$(jq -r '(.missingFiles // []) | join(", ")' <<< "${row}")"
+  missing_patterns="$(jq -r '(.missingPatterns // []) | join(", ")' <<< "${row}")"
+  missing_triggers="$(jq -r '(.missingTriggers // []) | join(", ")' <<< "${row}")"
   missing_status_checks="$(jq -r '.missingStatusChecks // [] | join(", ")' <<< "${row}")"
   missing_repo_settings="$(jq -r '.missingRepoSettings // [] | join(", ")' <<< "${row}")"
 

scripts/org-governance-pr-integration-loop.sh

@@ -116,6 +116,15 @@ while IFS= read -r full_repo; do
     auto_merge_enabled="$(jq -r 'if .autoMergeRequest == null then "false" else "true" end' <<< "${pr}")"
     pr_author="$(jq -r '.author.login // ""' <<< "${pr}")"
 
+    # Only process PRs created by known governance automation accounts
+    allowed_authors="chitcommit github-actions[bot] dependabot[bot]"
+    if ! echo "${allowed_authors}" | grep -qw "${pr_author}"; then
+      blocked=$((blocked + 1))
+      echo "Blocked ${pr_url}: author '${pr_author}' not in governance automation allowlist"
+      queue_event "${full_repo}" "${pr_number}" "${pr_url}" "integration" "blocked" "untrusted_author:${pr_author}"
+      continue
+    fi
+
     if [[ "${is_draft}" == "true" ]]; then
       blocked=$((blocked + 1))
       echo "Blocked ${pr_url}: draft"

src/lib/integrations.ts

@@ -315,7 +315,7 @@ export function connectClient(env: Env) {
   return {
     /** Discover a service URL by name */
     discover: async (serviceName: string): Promise<string | null> => {
-      const key = `connect:discover:${serviceName}`;
+      const key = `connect:discover:${encodeURIComponent(serviceName)}`;
       // KV cache (5 minutes)
       try {
         const cached = await env.COMMAND_KV.get(key);

src/routes/connect.ts

@@ -1,8 +1,9 @@
 import { Hono } from 'hono';
 import type { Env } from '../index';
+import type { AuthVariables } from '../middleware/auth';
 import { connectClient } from '../lib/integrations';
 
-export const connectRoutes = new Hono<{ Bindings: Env }>();
+export const connectRoutes = new Hono<{ Bindings: Env; Variables: AuthVariables }>();
 
 connectRoutes.get('/connect/status', async (c) => {
   const url = c.env.CHITTYCONNECT_URL;
@@ -23,8 +24,7 @@ connectRoutes.post('/connect/discover', async (c) => {
   // Simple per-minute rate limit (KV-configurable). Subject: userId or token hash.
   const authHeader = c.req.header('Authorization') || '';
   const token = authHeader.startsWith('Bearer ') ? authHeader.slice(7) : '';
-  // @ts-expect-error app-level variables
-  const userId = (c.get('userId') as string | undefined) || 'anonymous';
+  const userId = c.get('userId') || 'anonymous';
   const subject = userId === 'bridge-service' ? 'svc:bridge-service' : `usr:${userId}`;
   const rateRaw = await c.env.COMMAND_KV.get('discover:rate_limit');
   const limit = rateRaw ? Math.max(1, parseInt(rateRaw)) : 60; // default 60/min

wrangler.toml

@@ -14,7 +14,7 @@ CHITTYLEDGER_URL = "https://ledger.chitty.cc"
 CHITTYFINANCE_URL = "https://finance.chitty.cc"
 CHITTYCHARGE_URL = "https://charge.chitty.cc"
 CHITTYCONNECT_URL = "https://connect.chitty.cc"
-PLAID_ENV = "production"
+PLAID_ENV = "sandbox"
 CHITTYBOOKS_URL = "https://chittybooks.chitty.cc"
 CHITTYASSETS_URL = "https://chittyassets.chitty.cc"
 CHITTYSCRAPE_URL = "https://scrape.chitty.cc"
@@ -58,3 +58,7 @@ crons = [
   "0 14 * * 1",   # Weekly Monday 8 AM CT: Utility scrapers
   "0 15 1 * *"    # Monthly 1st 9 AM CT: Mortgage, property tax
 ]
+
+# Production overrides
+[env.production.vars]
+PLAID_ENV = "production"