Tracking epic for github-warden. Forward work is the discrete sub-issues below (each cold-handoff ready: real paths, the src/cycles/branch-protection.ts template, acceptance criteria). Design context: chant#447.
Status: pre-1.0 (v0.1.0). One reconcile cycle (branch protection) + GitHub posture audit. Config schema and CLI flags will change as cycles land.
Shipped
- Reconcile harness (config, App auth, diff, guardrails, runner), branch-protection cycle (the template), dump/import, emitted pipeline, CLI, GitHub posture-audit cycle (uses chant's audit engine).
- Distribution plumbing: public repo; JS Action (uses: intentius/github-warden@<sha>, v0.1.0 prerelease); emitted pipeline SHA-pinned to the Action.
Publish to npm — gated on COVERAGE, not credentials
npx github-warden) only once the core access/repo cycles land (#5 org settings, #6 membership, #7 teams, #8 repo settings, #9 rulesets). Publishing a one-cycle "governance tool" undersells it and locks a public CLI/config contract that's still evolving. Name github-warden is reserved/available. The Action path needs nothing further and works today for what's built.
Cycles & remaining work
See sub-issues #5–#20. Reconcile cycles copy the branch-protection template; aggregator/report cycles (#19) are detect-only; #20 (harness→chant primitive) is deferred until a second git-host warden exists.
Scope guardrail
warden is GitHub-only governance. Other git hosts would be separate sibling apps reusing the future chant reconcile primitive (#20). Infra lexicons (k8s/aws/etc.) are NOT warden targets — author with chant, audit with blacklight.