Shared Actions enforcement layer: cross-team baton governance

[chf3198]

Summary

Build a shared GitHub Actions enforcement layer that brings Copilot and Codex teams to the same governance enforcement level as Claude Code, closing the multi-runtime gap identified in Epic #536 analysis. This Epic targets the highest-probability path to 90%+ cross-team procedural compliance.

Problem Statement

After Epic #536, enforcement depth differs radically by runtime:

Layer	Claude Code	Copilot	Codex
Branch protection	✓ platform	✓ platform	✓ platform
Baton CI gates	✓ CI	✓ CI	✓ CI
Pre-action merge hook	✓ hook	✗ none	✗ none
Pre-action create hook	✓ hook	✗ none	✗ none
Context re-injection	✓ hook	✗ none	✗ none

The Copilot gap is the primary cause of repeated governance drift in Epic #534 analysis. Copilot and Codex have no pre-action hook API. The only way to enforce pre-merge governance on those runtimes is through GitHub platform-enforced required status checks.

Architecture

Layer A — Pre-merge evidence completeness check (#553 + #554)

A new required CI check (evidence-completeness) that verifies pre-merge evidence before any agent runtime can merge.

Enforces three things baton-gates.yml does not:

1. Temporal sequencing: COLLABORATOR_HANDOFF must predate PR creation by ≥60 seconds. This verifies sequence, not just existence. An agent cannot retroactively plant artifacts to pass this check — GitHub's created_at timestamp is infrastructure-assigned and cannot be falsified. This is the single most significant enforcement advance in this Epic.

2. Branch-to-issue binding: The issue number in the branch name (feat/N-*) must equal the issue number in Refs #N. Prevents branch reuse across tickets and disconnected naming.

3. Issue-type guard: Linked issue must not be type:epic. Closes the Epic-bypass path where a PR references an Epic instead of a child ticket.

Layer B — Post-merge Consultant activation (#555)

Workflow triggered on merge that:

• Auto-transitions issue status:testing → status:review (removes role:admin, adds role:consultant)
• Posts structured Consultant assignment prompt with merge SHA and action items
• Posts stale-review reminder if issue remains at status:review for >72h without CONSULTANT_CLOSEOUT

Note: Does NOT post ADMIN_HANDOFF. Admin-gate (required check) already requires ADMIN_HANDOFF before merge. Posting it again is dead code.

Layer C — Compliance observability (#556)

Scheduled daily report with:

• Cross-team baton state for all open PRs
• Timing anomaly detection: baton sequences where all four artifacts span ≤300 seconds flagged as anomaly:rapid-baton (statistical fingerprint of all-roles-in-one-session fraud)
• first_attempt_pass_rate metric enabling AC6 verification
• Structured JSON output for dashboard integration

Child Tickets

#	Title	Lane	Priority
#553	Build composite action: pre-merge evidence completeness gate	code-change	P1
#554	Add evidence-completeness to branch protection required checks	config-only	P1
#555	Post-merge: Consultant activation + stale-review detection	code-change	P2
#556	Compliance report: timing anomaly detection + AC6 measurement	code-change	P2

Acceptance Criteria

• AC1: evidence-completeness check verifies linked issue is open, non-epic, with branch binding AND COLLABORATOR_HANDOFF predating PR by ≥60s
• AC2: evidence-completeness added to branch protection required checks
• AC3: Post-merge workflow auto-transitions issue status:testing → status:review
• AC4: Post-merge workflow posts structured Consultant assignment prompt (NOT ADMIN_HANDOFF)
• AC5: Stale-review reminder posted if status:review persists >72h without CONSULTANT_CLOSEOUT
• AC6: Compliance report captures first_attempt_pass_rate and timing anomaly flags; JSON artifact written

Expected Impact

Team	Post-Epic-536	Post-Epic-552 (revised)
Claude Code	~90–95%	~92–95% (marginal)
Copilot	~75–80%	~91–95%
Codex	~75–80%	~91–95%
Cross-team avg	~80–85%	~92–95%

The Copilot/Codex jump is driven by:

1. evidence-completeness with timestamp sequencing — platform-enforced, runtime-agnostic, closes retroactive-posting attack vector
2. Auto-Consultant activation — eliminates the manual Consultant trigger that is the most common skip point

Critical Path

#553 → #554 (composite action must exist before it can be required in branch protection).

Why Timestamp Sequencing Matters

All prior governance attempts verified artifact existence. An agent can satisfy an existence check by posting all four artifacts immediately before PR creation — the gate passes, the baton was never genuinely performed. Timestamp sequencing converts this from a string presence check into a protocol sequence check. The COLLABORATOR_HANDOFF must have been created before the PR existed. There is no way to satisfy this retroactively without a GitHub infrastructure vulnerability.

This is the enforcement pattern identified in the Microsoft Agent Governance Toolkit (April 2026) as deterministic policy evaluation: policy inputs must have external provenance. GitHub infrastructure timestamps are the most accessible external provenance available in this stack.

Research Basis

• MAGT (April 2026): deterministic policy evaluation requires externally-provenance inputs
• Epic Governance Architecture Redesign: Near-Zero Procedural Drift with Semantic Quality Oversight #536 critical analysis (2026-04-27): timestamp sequencing identified as primary unaddressed enforcement vector
• Goodhart's Law: status:testing label as gate input → agent optimizes for label, not work
• Epic Prevent epic evidence drift in progress and closeout records #534 analysis: Copilot team drift caused by missing pre-action enforcement
• GitHub composite actions: reusable workflows as required status checks (runtime-agnostic)

Prerequisite

Epic #536 fully deployed. ✅

Known Residual Risk After This Epic

• COLLABORATOR_HANDOFF content quality not verified (timing verified, semantics not)
• Moving to 95%+ cross-team requires cryptographic action signing — out of scope
• Timing anomaly detection flags but does not block: deliberate four-role fraud in one session remains possible if agent waits ≥5 minutes between each artifact post

[chf3198]

MANAGER_HANDOFF — Epic #552 scoped. Architecture designed. Four child tickets to be created. Advancing to status:ready pending child ticket creation.

Priority justification: This is the single highest-ROI remaining action for cross-team governance adherence. The Copilot gap is the primary cause of repeat governance drift. Shared Actions enforcement is the only proven mechanism that works across all three runtimes without requiring vendor cooperation.

Signed-by: Alex Mason
Team&Model: devenv-ops:claude-sonnet-4-6@claude-code
Role: manager

[github-actions]

⚠️ ADR-010 Label Lint Violation

Issue #552 has invalid label combinations:

• Rule 6: Multiple area: labels found: area:infra, area:governance. Only one is allowed.

Current labels: type:epic, status:done, priority:P1, area:infra, area:governance, resolution:released

See ADR-010 for the full status–role binding model.

This comment was posted by the label-lint workflow.