chore(governance): add CI/CD governance baseline

.github/allowed-workflow-secrets.txt

@@ -0,0 +1,7 @@
+CHITTYCONNECT_API_KEY
+GITHUB_TOKEN
+ORG_AUTOMATION_TOKEN
+CHITTY_GATEWAY_TOKEN
+CHITTY_AGENT_TOKEN
+OP_SERVICE_ACCOUNT_TOKEN
+CHITTYCONNECT_BROKER_TOKEN

.github/secret-catalog.json

@@ -0,0 +1,29 @@
+{
+  "vault": "ChittyOS",
+  "secrets": [
+    {
+      "name": "ORG_AUTOMATION_TOKEN",
+      "op_ref": "op://ChittyOS/GitHub Automation Token/token",
+      "rotation_days": 30,
+      "owner": "platform-security"
+    },
+    {
+      "name": "CHITTYCONNECT_BROKER_TOKEN",
+      "op_ref": "op://ChittyOS/ChittyConnect Broker Token/token",
+      "rotation_days": 30,
+      "owner": "platform-security"
+    },
+    {
+      "name": "CHITTY_GATEWAY_TOKEN",
+      "op_ref": "op://ChittyOS/ChittyGateway API Token/token",
+      "rotation_days": 30,
+      "owner": "platform-security"
+    },
+    {
+      "name": "CHITTY_AGENT_TOKEN",
+      "op_ref": "op://ChittyOS/ChittyAgent Orchestrator Token/token",
+      "rotation_days": 30,
+      "owner": "platform-security"
+    }
+  ]
+}

.github/workflows/adversarial-review.yml

@@ -0,0 +1,46 @@
+name: Adversarial Review Orchestrator
+
+on:
+  pull_request_target:
+    types: [opened, reopened, synchronize, ready_for_review]
+
+permissions:
+  contents: read
+  pull-requests: write
+  issues: write
+
+jobs:
+  orchestrate:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Request Reviewer Agents
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const reviewers = ["coderabbitai"];
+            try {
+              await github.rest.pulls.requestReviewers({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                pull_number: context.payload.pull_request.number,
+                reviewers
+              });
+              core.info(`Requested reviewers: ${reviewers.join(", ")}`);
+            } catch (error) {
+              core.warning(`Reviewer request failed: ${error.message}`);
+            }
+      - name: Trigger Bot Review Comments
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const lines = [
+              "@coderabbitai review",
+              "@copilot review",
+              "Adversarial review request: evaluate security, policy bypass paths, and regression risk."
+            ];
+            await github.rest.issues.createComment({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: context.payload.pull_request.number,
+              body: lines.join("\n")
+            });

.github/workflows/governance-gates.yml

@@ -0,0 +1,11 @@
+name: Governance Gates
+
+on:
+  pull_request:
+  push:
+    branches: [ main ]
+
+jobs:
+  gates:
+    uses: ./.github/workflows/reusable-governance-gates.yml
+    secrets: inherit

.github/workflows/identity-context-onboarding.yml

@@ -0,0 +1,17 @@
+name: Identity & Context Onboarding Gate
+
+on:
+  pull_request:
+  push:
+    branches: [ main ]
+
+jobs:
+  identity-onboarding:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Validate ChittyID Context Onboarding
+        shell: bash
+        run: |
+          set -euo pipefail
+          bash scripts/check-chitty-onboarding.sh .chittyconnect.yml

.github/workflows/onepassword-rotation-audit.yml

@@ -0,0 +1,56 @@
+name: 1Password Rotation Audit
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "25 3 * * *"
+
+permissions:
+  contents: read
+  issues: write
+
+jobs:
+  audit:
+    runs-on: ubuntu-latest
+    env:
+      GH_TOKEN: ${{ secrets.ORG_AUTOMATION_TOKEN }}
+      OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
+    steps:
+      - uses: actions/checkout@v4
+      - name: Validate required secrets
+        shell: bash
+        run: |
+          set -euo pipefail
+          [[ -n "${GH_TOKEN:-}" ]] || { echo "Missing ORG_AUTOMATION_TOKEN"; exit 1; }
+          [[ -n "${OP_SERVICE_ACCOUNT_TOKEN:-}" ]] || { echo "Missing OP_SERVICE_ACCOUNT_TOKEN"; exit 1; }
+      - name: Install 1Password CLI
+        uses: 1password/install-cli-action@v1
+      - name: Run rotation audit
+        id: rotation
+        shell: bash
+        run: |
+          set -euo pipefail
+          mkdir -p reports/secret-rotation
+          if bash scripts/onepassword-rotation-audit.sh .github/secret-catalog.json reports/secret-rotation; then
+            echo "status=pass" >> "$GITHUB_OUTPUT"
+          else
+            echo "status=fail" >> "$GITHUB_OUTPUT"
+          fi
+      - name: Upload rotation report
+        uses: actions/upload-artifact@v4
+        with:
+          name: onepassword-rotation-report
+          path: reports/secret-rotation
+      - name: Open or update rotation issue on failure
+        if: ${{ steps.rotation.outputs.status == 'fail' }}
+        shell: bash
+        run: |
+          set -euo pipefail
+          title="[Security] 1Password rotation policy violations"
+          body="$(cat reports/secret-rotation/latest.md)"
+          existing="$(gh issue list --state open --search "\"${title}\" in:title" --json number,title --jq '.[] | select(.title=="'"${title}"'") | .number' | head -n1 || true)"
+          if [[ -n "${existing}" ]]; then
+            gh issue comment "${existing}" --body "${body}" >/dev/null
+          else
+            gh issue create --title "${title}" --body "${body}" >/dev/null
+          fi

.gitleaks.toml

@@ -0,0 +1,12 @@
+title = "chittycommand-gitleaks-config"
+
+[allowlist]
+description = "Known test/example files with non-production credential-like strings"
+paths = [
+  '''_ext/chittyid/chittycontext\.config\.js''',
+  '''_ext/chittyid/monitoring/scripts/setup-monitoring\.sh''',
+  '''_ext/chittyid/test-security\.sh''',
+  '''_ext/chittyid/tests/integration/chittyrouter-gateway\.test\.js''',
+  '''_ext/chittyid/tests/penetration/bypass-attempts\.test\.js''',
+  '''_ext/chittyops/project-awareness/test/qa-integration-tests\.js''',
+]