name: ci-security-and-governance description: "Harden Carni-mvp CI with governance gates, secret scanning, TruffleHog-style checks, deterministic validation, and release discipline for protected delivery paths." metadata: trigger: "Use when editing CI, adding repository checks, defining merge gates, or reviewing delivery governance." scope: [ci, security, governance, release, devops]

CI Security And Governance

Purpose

Turn CI into a trust boundary, not just a build runner.

Controls

• syntax and build checks for Node and frontend
• secret scanning before merge or release
• delivery claims backed by executable validation
• protected branch discipline and human review for risky changes

Recommended Gates

• npm ci
• node --check app.js
• npm run build
• secret scan with TruffleHog or equivalent
• artifact sanity checks for entrypoints and manifest