chore(repo): bootstrap codex os guardrails

.agents/skills/git-workflow/SKILL.md

@@ -0,0 +1,91 @@
+---
+name: git-workflow
+description: Enforce branch safety, atomic commits, conventional commit messages, PR notes generation, and multi-session autosquash protocol. Trigger for any task that edits files.
+---
+
+# Git Workflow Skill
+
+## Objective
+
+Produce senior-level, audit-friendly Git history automatically from normal feature prompts.
+
+## Inputs
+
+- Task summary in plain language.
+- Current repo state.
+- Base branch (default `master`).
+
+## Hard rules
+
+- Never work on `main` or `master`.
+- Branch must match `codex/<type>/<slug>`.
+- Every commit must pass commitlint and be atomic by concern.
+- Run reviewer/fixer loop before finalizing a logical commit.
+- Never bypass failing required gates.
+
+## Procedure
+
+1. Ensure branch:
+
+- Infer type from task (`feat`, `fix`, `refactor`, `chore`, `docs`, `test`, `perf`, `ci`).
+- Slugify task to kebab-case.
+- Create/switch branch `codex/<type>/<slug>` if needed using `pnpm git:branch:create -- "<task>" <type>`.
+
+2. Plan commit chunks:
+
+- Group changed files by concern.
+- Keep each chunk independently testable.
+
+3. Stage one chunk:
+
+- Stage only files in current chunk.
+- Reject chunk if generated artifacts or oversized files are staged.
+
+4. Propose commit message:
+
+- Generate one Conventional Commit candidate from staged diff using `pnpm git:commit:propose`.
+- Require explicit confirmation before commit.
+- Run commitlint on proposed message.
+
+5. Validate chunk:
+
+- Run relevant fast checks.
+- Run reviewer/fixer loop:
+  - read-only reviewer
+  - apply accepted fixes
+  - re-review until no P0/P1 findings
+
+6. Commit:
+
+- Create commit with validated message.
+- Record commit in session log.
+
+7. Repeat for remaining chunks.
+
+8. Pre-PR cleanup:
+
+- Autosquash fixup commits onto their targets.
+- Rebase on latest `origin/master`.
+
+9. PR draft output:
+
+- Generate markdown sections:
+  - What
+  - Why
+  - How
+  - Testing
+  - Risks
+  - Performance impact
+  - Lockfile rationale (if needed)
+  - Screenshots placeholder (if UI changed)
+
+10. Interruption protocol:
+
+- If session is interrupted, run save/resume scripts and continue from last chunk.
+
+## Outputs
+
+- Branch name.
+- Ordered commit list with message + scope.
+- PR-ready markdown summary.
+- Any unresolved risks/gates.

.agents/skills/performance-budget/SKILL.md

@@ -0,0 +1,83 @@
+---
+name: performance-budget
+description: Run bundle/build/Lighthouse/API/DB/memory/asset checks, compare against baselines, classify drift, and enforce profile-specific gates.
+---
+
+# Performance Budget Skill
+
+## Objective
+
+Catch regressions at PR-time with low-flake, deterministic checks and clear remediation advice.
+
+## Inputs
+
+- Profile: `side` or `production`.
+- Current branch and baseline files under `.perf-baselines/`.
+
+## Metrics
+
+- Bundle size (`totalBytes` and key asset sizes).
+- Build time (`buildMs`).
+- Lighthouse scores.
+- API latency/error thresholds (k6).
+- DB query performance (`pg_stat_statements` offenders).
+- Memory growth smoke check.
+- Asset size caps.
+
+## Default thresholds
+
+- Side:
+  - Bundle regression max: `+10%`
+  - Build time regression max: `+25%`
+  - Lighthouse performance min: `0.85`
+  - API p95 max: `350ms`
+  - DB offender threshold: `mean_exec_time > 120ms with calls >= 50`
+  - Asset file max: `350KB`
+- Production:
+  - Bundle regression max: `+8%`
+  - Build time regression max: `+15%`
+  - Lighthouse performance min: `0.90`
+  - API p95 max: `250ms`
+  - DB offender threshold: `mean_exec_time > 100ms with calls >= 50`
+  - Asset file max: `250KB`
+
+## Procedure
+
+1. Run checks:
+
+- `pnpm perf:bundle`
+- `pnpm perf:build`
+- `pnpm perf:lhci`
+- `pnpm perf:api`
+- `pnpm perf:db`
+- `pnpm perf:memory`
+- `pnpm perf:assets`
+
+2. Compare with baselines:
+
+- Use `scripts/perf/compare-metric.mjs` for ratio-based checks.
+- Mark each metric as `pass`, `warn`, or `fail`.
+
+3. Diagnose meaningful regressions:
+
+- Point to changed files likely responsible.
+- Suggest one minimal remediation per failing metric.
+
+4. Gate decision:
+
+- Side profile:
+  - Fail only on severe regressions or repeated drift.
+- Production profile:
+  - Fail on any required metric `fail` or `not-run`.
+
+5. Output report:
+
+- Single markdown table with baseline/current/delta/status.
+- Top 3 root-cause suspects.
+- Exact commands to reproduce locally.
+
+## Outputs
+
+- Machine-readable summary in `.perf-results/summary.json`.
+- Human report for PR comment.
+- Gate verdict: `pass`, `warn`, or `fail`.

.codex/actions/_artifact_env.sh

@@ -0,0 +1,42 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# codex-os-managed
+REPO_ROOT="${CODEX_REPO_ROOT:-$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)}"
+REPO_NAME="${CODEX_REPO_NAME:-$(basename "$REPO_ROOT")}" 
+
+if command -v shasum >/dev/null 2>&1; then
+  REPO_HASH="${CODEX_REPO_HASH:-$(printf '%s' "$REPO_ROOT" | shasum -a 256 | awk '{print substr($1,1,12)}')}"
+else
+  REPO_HASH="${CODEX_REPO_HASH:-$(printf '%s' "$REPO_ROOT" | md5 | awk '{print substr($NF,1,12)}')}"
+fi
+
+RUN_ID="${CODEX_RUN_ID:-$(date +%Y%m%dT%H%M%S)-$$}"
+CODEX_CACHE_ROOT="${CODEX_CACHE_ROOT:-/Users/d/Library/Caches/Codex}"
+CODEX_BUILD_ROOT="${CODEX_BUILD_ROOT:-$CODEX_CACHE_ROOT/build}"
+CODEX_LOG_ROOT="${CODEX_LOG_ROOT:-$CODEX_CACHE_ROOT/logs}"
+
+export CODEX_REPO_ROOT="$REPO_ROOT"
+export CODEX_REPO_NAME="$REPO_NAME"
+export CODEX_REPO_HASH="$REPO_HASH"
+export CODEX_RUN_ID="$RUN_ID"
+
+export CODEX_BUILD_RUST_DIR="${CODEX_BUILD_RUST_DIR:-$CODEX_BUILD_ROOT/rust/$REPO_HASH}"
+export CODEX_BUILD_NEXT_DIR="${CODEX_BUILD_NEXT_DIR:-$CODEX_BUILD_ROOT/next/$REPO_HASH}"
+export CODEX_BUILD_JS_DIR="${CODEX_BUILD_JS_DIR:-$CODEX_BUILD_ROOT/js/$REPO_HASH}"
+export CODEX_LOG_RUN_DIR="${CODEX_LOG_RUN_DIR:-$CODEX_LOG_ROOT/$REPO_NAME/$RUN_ID}"
+
+mkdir -p "$CODEX_BUILD_RUST_DIR" "$CODEX_BUILD_NEXT_DIR" "$CODEX_BUILD_JS_DIR" "$CODEX_LOG_RUN_DIR"
+
+if [[ -z "${CARGO_TARGET_DIR:-}" ]]; then
+  export CARGO_TARGET_DIR="$CODEX_BUILD_RUST_DIR"
+fi
+if [[ -z "${NEXT_CACHE_DIR:-}" ]]; then
+  export NEXT_CACHE_DIR="$CODEX_BUILD_NEXT_DIR"
+fi
+if [[ -z "${VITE_CACHE_DIR:-}" ]]; then
+  export VITE_CACHE_DIR="$CODEX_BUILD_JS_DIR/vite"
+fi
+if [[ -z "${TURBO_CACHE_DIR:-}" ]]; then
+  export TURBO_CACHE_DIR="$CODEX_BUILD_JS_DIR/turbo"
+fi

.codex/bootstrap/package-bootstrap.json

@@ -0,0 +1,5 @@
+{
+  "schema": "codex-os-package-bootstrap/v1",
+  "managed_by": "codex-os-managed",
+  "notes": "Merged into package.json by scripts/merge_package_json.mjs"
+}

.codex/bootstrap/tests-docs.v1.json

@@ -0,0 +1,16 @@
+{
+  "contract": "tests-docs-bootstrap-v1",
+  "adapter": "node-ts",
+  "branch": "codex/bootstrap-tests-docs-v1",
+  "generated_at": "2026-02-17T05:34:04.366Z",
+  "generated_by": "/Users/d/.codex/scripts/bootstrap/global_tests_docs_bootstrap.mjs",
+  "changed_files": [
+    ".codex/prompts/test-critic.md",
+    ".codex/scripts/run_verify_commands.sh",
+    ".github/workflows/quality-gates.yml",
+    "docs/adr/0000-template.md",
+    "openapi/openapi.generated.json",
+    "scripts/ci/require-tests-and-docs.mjs",
+    "AGENTS.md"
+  ]
+}

.codex/codex-os.manifest.json

@@ -0,0 +1,9 @@
+{
+  "schema": "codex-os-manifest/v1",
+  "managed_by": "codex-os-managed",
+  "bootstrap_version": "1.0.0",
+  "profile": "side",
+  "installed_at": "2026-02-17T05:40:05Z",
+  "last_verified_at": "2026-02-17T05:40:05Z",
+  "template_pack": "react-ts"
+}

.codex/commands.md

@@ -0,0 +1,15 @@
+# AssistSupport .codex command map
+
+| Action                  | Command                                             | Source                                     |
+| ----------------------- | --------------------------------------------------- | ------------------------------------------ |
+| setup deps              | `pnpm install --frozen-lockfile`                    | `.github/workflows/ci.yml`                 |
+| lint                    | `pnpm run typecheck`                                | `.github/workflows/ci.yml`, `package.json` |
+| test                    | `pnpm run test:ci`                                  | `package.json`                             |
+| build                   | `pnpm run build`                                    | `package.json`                             |
+| lean dev                | `pnpm run dev:lean`                                 | `README.md`, `package.json`                |
+| create branch from task | `pnpm run git:branch:create -- "task summary" feat` | `package.json`                             |
+| git guardrails          | `pnpm run git:guard:all`                            | `package.json`                             |
+| propose commit message  | `pnpm run git:commit:propose`                       | `package.json`                             |
+| perf bundle             | `pnpm run perf:bundle`                              | `package.json`                             |
+| perf build              | `pnpm run perf:build`                               | `package.json`                             |
+| perf assets             | `pnpm run perf:assets`                              | `package.json`                             |

.codex/prompts/test-critic.md

@@ -0,0 +1,16 @@
+You are a QA Test Critic reviewing only changed files and related tests.
+
+Review criteria:
+
+1. Tests assert behavior outcomes, not implementation details.
+2. Each changed behavior includes edge/error/boundary coverage.
+3. Mocks are used only at external boundaries.
+4. UI tests cover loading/empty/error/success and disabled/focus-visible states.
+5. Assertions would fail under realistic regressions.
+6. Flag brittle selectors, snapshot spam, and tautological assertions.
+7. Flag missing docs updates for API/command or architecture changes.
+
+Output:
+
+- Emit ReviewFindingV1 findings only.
+- Priority order: critical, high, medium, low.

.codex/scripts/run_verify_commands.sh

@@ -0,0 +1,21 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+VERIFY_FILE="${1:-.codex/verify.commands}"
+if [[ ! -f "$VERIFY_FILE" ]]; then
+  echo "missing verify commands file: $VERIFY_FILE" >&2
+  exit 1
+fi
+
+failed=0
+while IFS= read -r cmd || [[ -n "$cmd" ]]; do
+  [[ -z "$cmd" ]] && continue
+  [[ "$cmd" =~ ^# ]] && continue
+  echo ">>> $cmd"
+  if ! bash -lc "$cmd"; then
+    failed=1
+    break
+  fi
+done < "$VERIFY_FILE"
+
+exit "$failed"

.codex/verify.commands

@@ -0,0 +1,6 @@
+pnpm ui:gate:static
+pnpm ui:gate:regression
+pnpm git:guard:all
+pnpm perf:bundle
+pnpm perf:build
+pnpm perf:assets

.github/pull_request_template.md

@@ -0,0 +1,36 @@
+## What
+
+-
+
+## Why
+
+-
+
+## How
+
+-
+
+## Testing
+
+- Commands run:
+- Results:
+
+## Performance impact
+
+- Bundle delta:
+- Build time delta:
+- Lighthouse delta:
+- API latency delta:
+- DB query delta:
+
+## Risk / Notes
+
+-
+
+## Screenshots (UI only)
+
+-
+
+## Lockfile rationale (if lockfile changed)
+
+-