Merged
41 changes: 18 additions & 23 deletions scripts/checkpoints/runs/2026-03-03-chitragupta-handover.md
Expand Up @@ -28,50 +28,45 @@ Preserve end-of-day release-governance state and next execution steps for immedi
- `docs/TODO.md`
5. Verified health/delegation readiness:
- `artifacts/2026-03-03-proxy-governance-gates/chitragupta-health-handover.log` (`PASS`)
6. Governance configuration is now applied:
- repo secret `NPM_TOKEN` present
- `npm-publish` environment exists with reviewer + `main` branch policy
- `main` branch protection enabled
7. Gate 3 GitHub Actions dry-run publish succeeded:
- run `22670960699`: `https://github.com/sriinnu/command-relay/actions/runs/22670960699`

## In Progress

- None. State is checkpointed for clean restart.

## Blocked

1. External governance policy still non-compliant (from captured artifacts):
- `contains_NPM_TOKEN=false`
- `npm_publish_environment_present=false`
- main branch protection endpoint returns `Branch not protected (HTTP 404)`
2. Gate 3 GitHub Actions dry-run still failing, now in verify stage:
- run `22669448233`: `https://github.com/sriinnu/command-relay/actions/runs/22669448233`
- failure reason (resolved): `Discover Publish Set` -> `Select proxy packages` heredoc termination bug
- rerun `22670212018`: `https://github.com/sriinnu/command-relay/actions/runs/22670212018`
- current failure: verify jobs fail before pack/publish with module-resolution/typecheck errors (`Cannot find module '@commandrelay/proxy-core'`)
1. Readiness discipline still required for guardrails execution:
- guardrails pass in a clean worktree
- current preflight fails only when checkpoint/docs files are modified pre-commit

## Next Steps

1. Configure GitHub governance policy:
- add repo secret `NPM_TOKEN`
- create/protect `npm-publish` environment with reviewers/restrictions
- enable default branch protection for `main`
2. Re-capture governance artifacts after policy changes:
1. Run release guardrails only from a clean tree (checkpoint/docs committed or stashed first):

```bash
npm run release:proxy:capture-governance -- \
npm run release:proxy:guardrails -- \
--batch-date 2026-03-03 \
--repo sriinnu/command-relay \
--default-branch main
--package-selector @commandrelay/proxy-*
```

3. Re-run release guardrails on a clean tree:
2. Re-capture governance artifacts to reflect the now-compliant policy state:

```bash
npm run release:proxy:guardrails -- \
npm run release:proxy:capture-governance -- \
--batch-date 2026-03-03 \
--package-selector @commandrelay/proxy-*
--repo sriinnu/command-relay \
--default-branch main
```

4. Follow-up workflow fix is prepared in `.github/workflows/publish-proxy-packages.yml`:
- add `Build workspace packages` before package-local check/build/test in verify job
5. Trigger GitHub Actions dry-run publish again after merging follow-up fix, then append workflow URL/output to:
3. Append latest successful Gate 3 run evidence to:
- `scripts/checkpoints/runs/2026-03-03-proxy-governance-gates.md`
- include run `22670960699` URL/output and clean-tree preflight outcome

## Files/Artifacts

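Review bot: The `--package-selector @commandrelay/proxy-*` line in the guardrails command block under Next Steps is unquoted, so the shell sees a glob before npm does: zsh stops with a no-match error, and bash expands it if a matching path exists in the working directory. Quote it as `--package-selector '@commandrelay/proxy-*'` so the release scripts always receive the literal selector. Separately, Completed item 6 states that the governance configuration is applied but, unlike item 5, points to no artifact; citing the capture-governance output that shows the secret, the environment and the branch protection would make the claim checkable.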
35 changes: 18 additions & 17 deletions scripts/checkpoints/runs/2026-03-03-proxy-governance-gates.md
Expand Up @@ -26,44 +26,45 @@ Advance Track B release governance and gate evidence for batch `2026-03-03` with
4. Triggered Gate 3 workflow dry-run for proxy selector:
- run `22669448233` failed in `Discover Publish Set` -> `Select proxy packages` (heredoc termination syntax error) at `https://github.com/sriinnu/command-relay/actions/runs/22669448233`
- run `22670212018` (after heredoc fix) failed in verify jobs with TypeScript module resolution errors at `https://github.com/sriinnu/command-relay/actions/runs/22670212018`
- follow-up workflow patch prepared: add `Build workspace packages` before package-local check/build/test
- run `22670703378` (after verify prebuild attempt) failed in `Build workspace packages` due clean-CI workspace build order defects
- run `22670960699` (after topological build-order fix) completed `success`: `https://github.com/sriinnu/command-relay/actions/runs/22670960699`

## Gate Snapshot

| Gate | Status | Evidence |
| --- | --- | --- |
| Gate 0 (`release:proxy:guardrails` green with evidence files) | `partial` | Governance recapture at `2026-03-04T12:23:03Z` still shows `contains_NPM_TOKEN=false` and `npm_publish_environment_present=false`; branch protection endpoint still returns 404 while branch summary remains `protected=true` with `protection.enabled=false`. Preflight still fails on dirty-tree guardrail while this follow-up workflow patch is in-flight (`.github/workflows/publish-proxy-packages.yml`). |
| Gate 0 (`release:proxy:guardrails` green with evidence files) | `partial` | Governance recapture at `2026-03-04T13:57:58Z` is compliant: `contains_NPM_TOKEN=true`, `npm_publish_environment_present=true`, `environment_details_status=ok`. Branch protection is configured: `protection_status=ok`, `branch_summary.protection.enabled=true`, required contexts include `Check and Test (Node 22)` + `Swift Package Tests (macOS)`. Current `release:proxy:guardrails` failure is only due to dirty tree from this checkpoint file modification. |
| Gate 1 (version + changelog readiness) | `partial` | `release:proxy:lockstep` remains green with 5 proxy packages aligned at `0.1.0`; deterministic validation is green; safety gate correctly allows `npm run ci:test` and rejects `rm -rf artifacts/`. Current-batch readiness is evidenced, but not all future release candidates are confirmed. |
| Gate 3 (publish dry-run selector + dist-tag) | `fail` | Local dry-run evidence remains green (`scripts/checkpoints/runs/2026-03-03-proxy-publish-dry-run.md`), but latest GitHub Actions dry-run run `22670212018` fails in verify jobs (`@commandrelay/proxy-agent`, `@commandrelay/proxy-http-client`) with module-resolution/typecheck errors against workspace proxy packages. |
| Gate 3 (publish dry-run selector + dist-tag) | `pass` | GitHub Actions dry-run run `22670960699` completed `success` on `main` after workflow fixes (`https://github.com/sriinnu/command-relay/actions/runs/22670960699`). |

## Evidence Update (2026-03-04 Local Recapture)

| Check | Label | Command | Observed Output |
| --- | --- | --- | --- |
| Governance recapture artifacts | `PARTIAL` | `npm run release:proxy:capture-governance -- --batch-date 2026-03-03 --repo sriinnu/command-relay --default-branch main` | Artifacts regenerated at `2026-03-04T12:23:03Z`; `contains_NPM_TOKEN=false`; `npm_publish_environment_present=false`. |
| Branch protection endpoint | `FAIL` | `gh api repos/sriinnu/command-relay/branches/main/protection` | Endpoint still returns `Branch not protected (HTTP 404)`; branch summary remains `protected=true`, `protection.enabled=false`. |
| Governance recapture artifacts | `PASS` | `npm run release:proxy:capture-governance -- --batch-date 2026-03-03 --repo sriinnu/command-relay --default-branch main` | Artifacts regenerated at `2026-03-04T13:57:58Z`; `contains_NPM_TOKEN=true`; `npm_publish_environment_present=true`; `environment_details_status=ok`. |
| Branch protection endpoint | `PASS` | `gh api repos/sriinnu/command-relay/branches/main/protection` | `protection_status=ok`; `branch_summary.protection.enabled=true`; required contexts include `Check and Test (Node 22)` and `Swift Package Tests (macOS)`. |
| Lockstep versions | `PASS` | `npm run release:proxy:lockstep` | `PASS lockstep: 5 proxy package(s) aligned at version 0.1.0 (@commandrelay=3, @termina=2)`. |
| Preflight (active tree) | `FAIL` | `npm run release:proxy:preflight -- --batch-date 2026-03-03 --package-selector @commandrelay/proxy-*` | Fails only dirty-tree check due in-flight workflow edit: `.github/workflows/publish-proxy-packages.yml`. |
| Guardrails (active tree) | `FAIL` | `npm run release:proxy:guardrails -- --batch-date 2026-03-03 --package-selector @commandrelay/proxy-*` | Fails only on dirty working tree because `scripts/checkpoints/runs/2026-03-03-proxy-governance-gates.md` is modified in-place for this checkpoint update. |
| Deterministic validation | `PASS` | `npm run release:proxy:deterministic-validate` | Deterministic validation completed successfully. |
| Safety gate allow path | `PASS` | `scripts/release/safety-gate.sh npm run ci:test` | `safety-gate: allow: npm run ci:test`. |
| Safety gate reject path | `PASS` | `scripts/release/safety-gate.sh --command "rm -rf artifacts/"` | Rejects as expected (`rm -rf` / protected path `artifacts/`). |
| Gate 3 workflow trigger | `FAIL` | `gh workflow run publish-proxy-packages.yml -R sriinnu/command-relay -f mode=dry-run -f package_selector=@commandrelay/proxy-* -f dist_tag=latest` + `gh run view -R sriinnu/command-relay 22670212018` | Run `22670212018` completed `failure` at `https://github.com/sriinnu/command-relay/actions/runs/22670212018`; discover job passed, but verify jobs failed with `Cannot find module '@commandrelay/proxy-core'` before pack/publish dry-run. |
| Gate 3 workflow trigger | `PASS` | `gh workflow run publish-proxy-packages.yml -R sriinnu/command-relay -f mode=dry-run -f package_selector=@commandrelay/proxy-* -f dist_tag=latest` + `gh run view -R sriinnu/command-relay 22670960699 --json url,status,conclusion,createdAt,updatedAt,name,event,headBranch` | Run `22670960699` completed `success` at `https://github.com/sriinnu/command-relay/actions/runs/22670960699`. |

## Blocked

1. Governance policy itself is still not compliant in latest recapture:
- `contains_NPM_TOKEN=false`
- `npm_publish_environment_present=false`
- branch protection endpoint returns `Branch not protected (HTTP 404)`
2. Active branch preflight is red only because the worktree is dirty from in-flight workflow fix:
- `.github/workflows/publish-proxy-packages.yml`
3. Gate 3 is blocked by verify-stage ordering on `main`: workspace packages are not built before package-local typecheck in publish workflow run `22670212018`.
1. `release:proxy:guardrails` is currently blocked only by local dirty tree state from this checkpoint file edit:
- modified file: `scripts/checkpoints/runs/2026-03-03-proxy-governance-gates.md`
2. Governance policy and branch protection blockers are cleared in latest recapture:
- `contains_NPM_TOKEN=true`
- `npm_publish_environment_present=true`
- `environment_details_status=ok`
- `protection_status=ok`

## Next Steps

1. Configure repository governance policy (add `NPM_TOKEN`, create `npm-publish` environment with reviewers/restrictions, enable default branch protection).
2. Re-run `npm run release:proxy:guardrails -- --batch-date 2026-03-03 --package-selector @commandrelay/proxy-*` on a clean branch tip after this update is committed.
3. Merge the follow-up workflow patch (`Build workspace packages` in verify job), then re-run Gate 3 dry-run workflow and attach final URL/output for the fresh run.
1. Re-run `npm run release:proxy:guardrails -- --batch-date 2026-03-03 --package-selector @commandrelay/proxy-*` from a clean tree (or after committing/stashing this checkpoint file update) to flip Gate 0 to fully green.
2. Keep governance recapture evidence pinned to compliant snapshot `2026-03-04T13:57:58Z` (`contains_NPM_TOKEN=true`, `npm_publish_environment_present=true`, `environment_details_status=ok`).
3. Keep Gate 3 dry-run success evidence linked to run `22670960699`: `https://github.com/sriinnu/command-relay/actions/runs/22670960699`.

## Files/Artifacts

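Review bot: The `Branch protection endpoint` row in the Evidence Update table gives `gh api repos/sriinnu/command-relay/branches/main/protection` as the command, but the observed output (`protection_status=ok`, `branch_summary.protection.enabled=true`) reads like keys from the capture-governance artifact rather than the response of that call, so the row does not show what the command returned. Either record the relevant part of the API response or change the command column to the capture step and name the artifact file. In the Gate 3 row, adding `headSha` to the `gh run view --json` field list would tie the `pass` to a specific commit on `main`. Gate 0 also stays `partial` on a dirty-tree failure caused by this same file, which only a clean-tree rerun after the commit can settle.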