fix: complete 4-lane remediation

.chittyconnect.yml

@@ -0,0 +1,21 @@
+onboarding:
+  provisions:
+    chitty_id: required
+    service_token: required
+    certificate: required
+    trust_chain: required
+  context_consciousness:
+    enabled: true
+    session_binding: required
+  chittydna:
+    enabled: true
+    identity_lineage: required
+  memorycloude:
+    enabled: true
+    memory_policy: required
+  synthetic_entity:
+    type: person
+    classification: synthetic
+    authority_scope: least_privilege
+    access_scope: explicit_scopes_only
+    actor_binding: required

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,5 @@
+blank_issues_enabled: false
+contact_links:
+  - name: Governance triage
+    url: https://github.com/chittyos/chittycommand/issues/new?template=governance-exception.yml
+    about: Use the governance exception template for bypass requests.

.github/ISSUE_TEMPLATE/governance-exception.yml

@@ -0,0 +1,39 @@
+name: Governance Exception Request
+description: Request a temporary exception to governance automation controls.
+title: "[Governance Exception] "
+labels:
+  - governance
+  - exception-request
+body:
+  - type: input
+    id: repository
+    attributes:
+      label: Repository
+      description: Repository impacted by this exception.
+      placeholder: CHITTYOS/example-repo
+    validations:
+      required: true
+  - type: textarea
+    id: scope
+    attributes:
+      label: Scope and duration
+      description: Exact control to bypass, start date, and expiry date.
+      placeholder: "Bypass required status checks for release hotfix until 2026-03-10"
+    validations:
+      required: true
+  - type: textarea
+    id: risk
+    attributes:
+      label: Risk and mitigation
+      description: Risks introduced and compensating controls.
+    validations:
+      required: true
+  - type: checkboxes
+    id: attestations
+    attributes:
+      label: Attestations
+      options:
+        - label: I confirm this request is temporary and time-bounded.
+          required: true
+        - label: I confirm this request has rollback and remediation steps.
+          required: true

.github/allowed-workflow-secrets.txt

@@ -0,0 +1,9 @@
+CHITTYCONNECT_API_KEY
+CHITTYCONNECT_BROKER_TOKEN
+CHITTY_AGENT_TOKEN
+CHITTY_GATEWAY_TOKEN
+CHITTY_GOVERNANCE_DISPATCH_TOKEN
+CHITTY_REVIEW_DELEGATE_TOKEN
+GITHUB_TOKEN
+OP_SERVICE_ACCOUNT_TOKEN
+ORG_AUTOMATION_TOKEN

.github/org-governance-policy.json

@@ -0,0 +1,170 @@
+{
+  "orgs": [
+    "CHITTYOS",
+    "CHITTYCORP",
+    "ChittyApps",
+    "ChitCommit",
+    "Furnished-Condos",
+    "ChicagoApps"
+  ],
+  "includeArchived": false,
+  "maxReposPerOrg": 0,
+  "requireBranchProtection": true,
+  "useOrgRulesets": true,
+  "requiredFiles": [
+    ".github/workflows/governance-gates.yml",
+    ".github/workflows/reusable-governance-gates.yml",
+    ".github/workflows/adversarial-review.yml",
+    ".github/workflows/identity-context-onboarding.yml",
+    ".github/workflows/onepassword-rotation-audit.yml",
+    ".github/ISSUE_TEMPLATE/config.yml",
+    ".github/ISSUE_TEMPLATE/governance-exception.yml",
+    "CHITTY.md",
+    "CHARTER.md",
+    "docs/PERSISTENT_BRIEF.md",
+    ".github/release.yml",
+    ".github/secret-catalog.json",
+    ".github/allowed-workflow-secrets.txt",
+    ".gitleaks.toml",
+    "scripts/check-chitty-onboarding.sh",
+    "scripts/onepassword-rotation-audit.sh"
+  ],
+  "requiredWorkflowTriggers": {
+    ".github/workflows/governance-gates.yml": [
+      "pull_request",
+      "push"
+    ],
+    ".github/workflows/adversarial-review.yml": [
+      "pull_request_target"
+    ],
+    ".github/workflows/identity-context-onboarding.yml": [
+      "pull_request",
+      "push"
+    ],
+    ".github/workflows/onepassword-rotation-audit.yml": [
+      "schedule",
+      "workflow_dispatch"
+    ]
+  },
+  "requiredStatusChecks": [
+    "Governance Gates / gates",
+    "Identity & Context Onboarding Gate / identity-onboarding",
+    "Adversarial Review Orchestrator / orchestrate"
+  ],
+  "requiredApprovingReviewCount": 1,
+  "orgRulesets": {
+    "branch": {
+      "name": "Chitty Governance Branch Gate",
+      "enforcement": "active",
+      "conditions": {
+        "repository_name": {
+          "include": [
+            "~ALL"
+          ],
+          "exclude": []
+        },
+        "ref_name": {
+          "include": [
+            "~DEFAULT_BRANCH"
+          ],
+          "exclude": []
+        }
+      },
+      "rules": {
+        "pull_request": {
+          "allowed_merge_methods": [
+            "squash"
+          ],
+          "dismiss_stale_reviews_on_push": true,
+          "require_code_owner_review": false,
+          "require_last_push_approval": false,
+          "required_review_thread_resolution": true
+        },
+        "required_status_checks": {
+          "do_not_enforce_on_create": false,
+          "strict_required_status_checks_policy": true
+        },
+        "non_fast_forward": true,
+        "required_linear_history": true
+      }
+    }
+  },
+  "repoSettings": {
+    "defaultBranchName": "main",
+    "enforceDefaultBranchName": true,
+    "setDefaultBranchWhenPresent": true,
+    "pushPolicy": {
+      "enabled": true,
+      "maxRefUpdates": 10
+    }
+  },
+  "projectAutomation": {
+    "enabled": false,
+    "org": "CHITTYOS",
+    "projectNumber": 0
+  },
+  "issueManagement": {
+    "labels": [
+      "governance",
+      "automation"
+    ],
+    "milestoneTitle": "Governance Compliance"
+  },
+  "reviewDelegation": {
+    "enabled": true,
+    "delegateLoginVar": "CHITTY_REVIEW_DELEGATE_LOGIN",
+    "delegateTokenSecret": "CHITTY_REVIEW_DELEGATE_TOKEN"
+  },
+  "requiredFilePatterns": {
+    "CHITTY.md": [
+      "context_brief:",
+      "chitty:discovery-links:start",
+      "three-aspects-framework",
+      "written-to-chittydna",
+      "not an authority source"
+    ],
+    "CHARTER.md": [
+      "context_brief:",
+      "chitty:discovery-links:start",
+      "three-aspects-framework",
+      "written-to-chittydna",
+      "not an authority source"
+    ],
+    "docs/PERSISTENT_BRIEF.md": [
+      "Persistent Brief",
+      "Discovery Anchors",
+      "TY/VY/RY framework"
+    ],
+    ".github/ISSUE_TEMPLATE/config.yml": [
+      "blank_issues_enabled:",
+      "contact_links:"
+    ],
+    ".github/ISSUE_TEMPLATE/governance-exception.yml": [
+      "Governance Exception Request",
+      "exception-request",
+      "Attestations"
+    ],
+    ".github/release.yml": [
+      "changelog:"
+    ],
+    ".chittyconnect.yml": [
+      "onboarding:",
+      "provisions:",
+      "chitty_id:",
+      "service_token:",
+      "certificate:",
+      "trust_chain:",
+      "context_consciousness:",
+      "enabled:",
+      "chittydna:",
+      "memorycloude:",
+      "synthetic_entity:",
+      "type:",
+      "classification:",
+      "authority_scope:",
+      "access_scope:",
+      "actor_binding:"
+    ]
+  },
+  "complianceIssueTitle": "[Governance] CI/CD compliance gaps"
+}

.github/release.yml

@@ -0,0 +1,17 @@
+changelog:
+  categories:
+    - title: "Features"
+      labels:
+        - "feature"
+        - "enhancement"
+    - title: "Fixes"
+      labels:
+        - "bug"
+        - "fix"
+    - title: "Maintenance"
+      labels:
+        - "chore"
+        - "dependencies"
+  exclude:
+    labels:
+      - "skip-changelog"

.github/secret-catalog.json

@@ -0,0 +1,29 @@
+{
+  "vault": "ChittyOS",
+  "secrets": [
+    {
+      "name": "ORG_AUTOMATION_TOKEN",
+      "op_ref": "op://ChittyOS/GitHub Automation Token/token",
+      "rotation_days": 30,
+      "owner": "platform-security"
+    },
+    {
+      "name": "CHITTYCONNECT_BROKER_TOKEN",
+      "op_ref": "op://ChittyOS/ChittyConnect Broker Token/token",
+      "rotation_days": 30,
+      "owner": "platform-security"
+    },
+    {
+      "name": "CHITTY_GATEWAY_TOKEN",
+      "op_ref": "op://ChittyOS/ChittyGateway API Token/token",
+      "rotation_days": 30,
+      "owner": "platform-security"
+    },
+    {
+      "name": "CHITTY_AGENT_TOKEN",
+      "op_ref": "op://ChittyOS/ChittyAgent Orchestrator Token/token",
+      "rotation_days": 30,
+      "owner": "platform-security"
+    }
+  ]
+}

.github/workflows/adversarial-review.yml

@@ -0,0 +1,64 @@
+name: Adversarial Review Orchestrator
+
+on:
+  pull_request_target:
+    types: [opened, reopened, synchronize, ready_for_review]
+
+permissions:
+  contents: read
+  pull-requests: write
+  issues: write
+
+jobs:
+  orchestrate:
+    runs-on: ubuntu-latest
+    env:
+      REQUEST_REVIEWERS: ${{ vars.CHITTY_REQUEST_REVIEWERS || 'coderabbitai' }}
+      REVIEW_TAG_SEQUENCE: ${{ vars.CHITTY_REVIEW_TAG_SEQUENCE || '@coderabbitai review||@copilot review||@codex review||@claude review' }}
+    steps:
+      - name: Request Reviewer Agents
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const reviewers = (process.env.REQUEST_REVIEWERS || "")
+              .split(",")
+              .map((v) => v.trim())
+              .filter(Boolean);
+            const succeeded = [];
+            const failed = [];
+            for (const reviewer of reviewers) {
+              try {
+                await github.rest.pulls.requestReviewers({
+                  owner: context.repo.owner,
+                  repo: context.repo.repo,
+                  pull_number: context.payload.pull_request.number,
+                  reviewers: [reviewer]
+                });
+                succeeded.push(reviewer);
+              } catch (error) {
+                failed.push(`${reviewer}: ${error.message}`);
+              }
+            }
+            core.info(`Requested reviewers success: ${succeeded.join(", ") || "none"}`);
+            if (failed.length > 0) {
+              core.warning(`Reviewer request failures: ${failed.join(" | ")}`);
+            }
+      - name: Trigger Bot Review Comments (Sequenced)
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const sequence = (process.env.REVIEW_TAG_SEQUENCE || "")
+              .split("||")
+              .map((v) => v.trim())
+              .filter(Boolean);
+            const lines = [];
+            sequence.forEach((tag, index) => {
+              lines.push(`${index + 1}. ${tag}`);
+            });
+            lines.push("Adversarial review request: evaluate security, policy bypass paths, regression risk, and merge-gating bypass attempts.");
+            await github.rest.issues.createComment({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: context.payload.pull_request.number,
+              body: lines.join("\n")
+            });