fix(governance): eliminate hollow compliance via centralized reusable-governance-gates.yml (Option B) #98

Draft. Copilot wants to merge 2 commits into main from copilot/fix-broken-stub-pattern

Copilot AI commented May 5, 2026

Four CHITTYOS repos had a governance-gates.yml stub calling uses: ./.github/workflows/reusable-governance-gates.yml while that file was absent — the workflow silently failed to load, but file-presence scoring still passed. Zero governance checks ever ran on those repos' main branches.

Changes

Cross-repo reference (Option B)

  • governance-gates.yml (live + baseline template): uses: switched from local path to CHITTYOS/chittycommand/.github/workflows/reusable-governance-gates.yml@main
  • Fixes propagate automatically to all consumers when reusable-governance-gates.yml is updated in this repo

```yaml
# Before (hollow stub — workflow fails to load when local file is absent)
uses: ./.github/workflows/reusable-governance-gates.yml

# After (canonical cross-repo reference)
uses: CHITTYOS/chittycommand/.github/workflows/reusable-governance-gates.yml@main
```

Template cleanup

  • templates/governance-baseline/.github/workflows/reusable-governance-gates.yml — deleted; per-repo copies are no longer needed

Policy hardening

  • .github/org-governance-policy.json: removed reusable-governance-gates.yml from requiredFiles (repos using Option B won't have it); added requiredFilePatterns entry for governance-gates.yml requiring the cross-repo @main string — audit now detects hollow stubs as non-compliant

Remediation auto-fix

  • scripts/org-governance-remediate.sh: extended the missing-patterns handler to include .github/workflows/governance-gates.yml alongside the existing boundary docs — broken stubs get overwritten with the correct template on the next remediation run

Test coverage

  • scripts/pressure-test-governance.sh: added Test 4 covering hollow-stub detection → remediation → PR open path

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/graphql
    • Triggering command: /usr/bin/gh gh issue list -R Org/repo-hollow-stub --state open --search "[Governance] CI/CD compliance gaps" in:title --json number,title --jq .[] | select(.title=="[Governance] CI/CD compliance gaps") | .number --local --get /debian-sa1 er (http block)
    • Triggering command: `/usr/bin/gh gh issue create -R Org/repo-hollow-stub --title [Governance] CI/CD compliance gaps --body Automated governance control loop flagged this repository as non-compliant.
      • Score: 50%
      • Branch protection: true
      • Missing files: none
      • Missing onboarding/policy patterns: .github/workflows/governance-gates.yml:CHITTYOS/chittycommand/.github/workflows` (http block)
    • Triggering command: /usr/bin/gh gh pr list -R Org/repo-hollow-stub --state open --search "chore(governance): add CI/CD governance baseline" in:title --json number,title --jq .[] | select(.title=="chore(governance): add CI/CD governance baseline") | .number ck.js || npm run build --get tnet/tools/git mber (http block)
  • https://api.github.com/repos/Org/repo-hollow-stub/labels
    • Triggering command: /usr/bin/gh gh label create -R Org/repo-hollow-stub governance --color 0E8A16 --force (http block)
    • Triggering command: /usr/bin/gh gh label create -R Org/repo-hollow-stub automation --color 0E8A16 --force (http block)
  • https://api.github.com/repos/Org/repo-hollow-stub/milestones
    • Triggering command: /usr/bin/gh gh api /repos/Org/repo-hollow-stub/milestones?state=all&per_page=100 number,title --jq .[] | select(.title=="[Governance] CI/CD compliance gaps") | .number --global /home/REDACTED/.do--depth (http block)
    • Triggering command: /usr/bin/gh gh api -X POST /repos/Org/repo-hollow-stub/milestones -f title=Governance Compliance nfig/composer/ve--depth user.name (http block)

If you need me to access, download, or install something from one of these locations, you can either:

…gates.yml in chittycommand

- Switch governance-gates.yml (live + template) to cross-repo reference
  uses: CHITTYOS/chittycommand/.github/workflows/reusable-governance-gates.yml@main
- Delete reusable-governance-gates.yml from baseline template (no longer needed per-repo)
- Policy: remove reusable-governance-gates.yml from requiredFiles; add cross-repo
  pattern check to requiredFilePatterns for governance-gates.yml so audit detects hollow stubs
- Remediation: extend missing-patterns handler to auto-refresh governance-gates.yml
  when the cross-repo pattern is absent
- Pressure test: add Test 4 for hollow-stub detection and remediation (20/20 pass)

Fixes: #87

Agent-Logs-Url: https://github.com/chittyos/chittycommand/sessions/ce84c8b4-c2e7-4efe-a5ca-f762db7fcc65

Co-authored-by: chitcommit <208086304+chitcommit@users.noreply.github.com>
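
The hollow-stub condition described in this pull request, as an added example (not code from this repository or its scripts): a shell check that reads the `uses:` reference in `governance-gates.yml` and reports whether it points at a local reusable workflow that is absent from the checkout. It goes slightly beyond the string pattern the policy change adds by also resolving local references on disk; the function names, verdict labels and sample repos are hypothetical and constructed for the demonstration.

```bash
# Added example; function and verdict names are hypothetical, not the project's.
CANONICAL='CHITTYOS/chittycommand/.github/workflows/reusable-governance-gates.yml@main'

# Prints: missing | hollow-stub | local-ok | canonical | other
classify_gates_stub() {
  repo=$1
  wf="$repo/.github/workflows/governance-gates.yml"
  [ -f "$wf" ] || { echo missing; return 0; }
  # Extract every `uses:` value, skipping comment lines and trailing comments.
  refs=$(sed -n -e '/^[[:space:]]*#/d' \
    -e 's/^[[:space:]-]*uses:[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$wf" | tr -d "\"'")
  verdict=other
  for ref in $refs; do
    case $ref in
      ./.github/workflows/*)
        # A local reusable workflow must exist in this checkout, or the
        # caller workflow cannot load and no job ever runs.
        if [ -f "$repo/${ref#./}" ]; then verdict=local-ok
        else echo hollow-stub; return 0; fi ;;
      "$CANONICAL") verdict=canonical ;;
    esac
  done
  echo "$verdict"
}

# Constructed sample repos: $1=dir, $2=uses value, $3=yes to create the local file.
make_sample_repo() {
  mkdir -p "$1/.github/workflows"
  printf 'name: Governance Gates\non: [push]\njobs:\n  gates:\n    uses: %s\n' "$2" \
    > "$1/.github/workflows/governance-gates.yml"
  if [ "${3:-}" = yes ]; then
    printf 'on: workflow_call\n' > "$1/.github/workflows/reusable-governance-gates.yml"
  fi
}

demo=$(mktemp -d)
local_ref='./.github/workflows/reusable-governance-gates.yml'
make_sample_repo "$demo/hollow" "$local_ref"
make_sample_repo "$demo/local" "$local_ref" yes
make_sample_repo "$demo/central" "$CANONICAL"
make_sample_repo "$demo/fork" 'Org/other/.github/workflows/gates.yml@main'
for r in absent hollow local central fork; do
  printf '%-8s %s\n' "$r" "$(classify_gates_stub "$demo/$r")"
done
```

A `canonical` verdict shows only what the stub references; it does not show that the referenced workflow loaded or that any gate ran.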

cloudflare-workers-and-pages Bot commented May 5, 2026

Deploying with Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

| Status | Name | Latest Commit | Updated (UTC) |
| --- | --- | --- | --- |
| ✅ Deployment successful! | chittycommand | fd27860 | May 05 2026, 06:02 PM |


cloudflare-workers-and-pages Bot commented May 5, 2026

Deploying with Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

| Status | Name | Latest Commit | Updated (UTC) |
| --- | --- | --- | --- |
| ✅ Deployment successful! | chittycommand-ui | fd27860 | May 05 2026, 06:02 PM |

Copilot AI changed the title from "[WIP] Fix broken stub pattern for governance gates" to "fix(governance): eliminate hollow compliance via centralized reusable-governance-gates.yml (Option B)" May 5, 2026
Copilot AI requested a review from chitcommit May 5, 2026 18:03
Development

Successfully merging this pull request may close these issues.

Broken stub pattern: 4 sibling repos reference non-existent reusable-governance-gates.yml