chore(repo): bootstrap codex os guardrails

.codex/actions/_artifact_env.sh

@@ -0,0 +1,42 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# codex-os-managed
+REPO_ROOT="${CODEX_REPO_ROOT:-$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)}"
+REPO_NAME="${CODEX_REPO_NAME:-$(basename "$REPO_ROOT")}" 
+
+if command -v shasum >/dev/null 2>&1; then
+  REPO_HASH="${CODEX_REPO_HASH:-$(printf '%s' "$REPO_ROOT" | shasum -a 256 | awk '{print substr($1,1,12)}')}"
+else
+  REPO_HASH="${CODEX_REPO_HASH:-$(printf '%s' "$REPO_ROOT" | md5 | awk '{print substr($NF,1,12)}')}"
+fi
+
+RUN_ID="${CODEX_RUN_ID:-$(date +%Y%m%dT%H%M%S)-$$}"
+CODEX_CACHE_ROOT="${CODEX_CACHE_ROOT:-/Users/d/Library/Caches/Codex}"
+CODEX_BUILD_ROOT="${CODEX_BUILD_ROOT:-$CODEX_CACHE_ROOT/build}"
+CODEX_LOG_ROOT="${CODEX_LOG_ROOT:-$CODEX_CACHE_ROOT/logs}"
+
+export CODEX_REPO_ROOT="$REPO_ROOT"
+export CODEX_REPO_NAME="$REPO_NAME"
+export CODEX_REPO_HASH="$REPO_HASH"
+export CODEX_RUN_ID="$RUN_ID"
+
+export CODEX_BUILD_RUST_DIR="${CODEX_BUILD_RUST_DIR:-$CODEX_BUILD_ROOT/rust/$REPO_HASH}"
+export CODEX_BUILD_NEXT_DIR="${CODEX_BUILD_NEXT_DIR:-$CODEX_BUILD_ROOT/next/$REPO_HASH}"
+export CODEX_BUILD_JS_DIR="${CODEX_BUILD_JS_DIR:-$CODEX_BUILD_ROOT/js/$REPO_HASH}"
+export CODEX_LOG_RUN_DIR="${CODEX_LOG_RUN_DIR:-$CODEX_LOG_ROOT/$REPO_NAME/$RUN_ID}"
+
+mkdir -p "$CODEX_BUILD_RUST_DIR" "$CODEX_BUILD_NEXT_DIR" "$CODEX_BUILD_JS_DIR" "$CODEX_LOG_RUN_DIR"
+
+if [[ -z "${CARGO_TARGET_DIR:-}" ]]; then
+  export CARGO_TARGET_DIR="$CODEX_BUILD_RUST_DIR"
+fi
+if [[ -z "${NEXT_CACHE_DIR:-}" ]]; then
+  export NEXT_CACHE_DIR="$CODEX_BUILD_NEXT_DIR"
+fi
+if [[ -z "${VITE_CACHE_DIR:-}" ]]; then
+  export VITE_CACHE_DIR="$CODEX_BUILD_JS_DIR/vite"
+fi
+if [[ -z "${TURBO_CACHE_DIR:-}" ]]; then
+  export TURBO_CACHE_DIR="$CODEX_BUILD_JS_DIR/turbo"
+fi

.codex/bootstrap/package-bootstrap.json

@@ -0,0 +1,5 @@
+{
+  "schema": "codex-os-package-bootstrap/v1",
+  "managed_by": "codex-os-managed",
+  "notes": "Merged into package.json by scripts/merge_package_json.mjs"
+}

.codex/codex-os.manifest.json

@@ -0,0 +1,9 @@
+{
+  "schema": "codex-os-manifest/v1",
+  "managed_by": "codex-os-managed",
+  "bootstrap_version": "1.0.0",
+  "profile": "side",
+  "installed_at": "2026-02-17T05:39:49Z",
+  "last_verified_at": "2026-02-17T05:39:49Z",
+  "template_pack": "node-ts"
+}

.codex/scripts/run_verify_commands.sh

@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+COMMANDS_FILE="${1:-.codex/verify.commands}"
+
+if [[ ! -f "$COMMANDS_FILE" ]]; then
+  echo "Missing $COMMANDS_FILE"
+  exit 2
+fi
+
+while IFS= read -r cmd || [[ -n "$cmd" ]]; do
+  [[ -z "${cmd//[[:space:]]/}" ]] && continue
+  [[ "$cmd" =~ ^[[:space:]]*# ]] && continue
+
+  echo ">> $cmd"
+  eval "$cmd"
+done < "$COMMANDS_FILE"

.codex/verify.commands

@@ -0,0 +1,4 @@
+# codex-os-managed
+pnpm git:guard:all
+pnpm perf:build
+pnpm perf:assets

.github/pull_request_template.md

@@ -0,0 +1,34 @@
+<!-- codex-os-managed -->
+## What
+- 
+
+## Why
+- 
+
+## How
+- 
+
+## Testing
+- Commands run:
+- Results:
+
+## Performance impact
+- Bundle delta:
+- Build time delta:
+- Lighthouse delta:
+- API latency delta:
+- DB query delta:
+
+## Risk / Notes
+- 
+
+## Screenshots (UI only)
+- 
+
+## Lockfile rationale (if lockfile changed)
+- 
+
+## Baseline governance (if .perf-baselines changed)
+- `perf-baseline-update` label applied:
+- Reviewer signoff:
+- Rollback note:

.github/workflows/git-hygiene.yml

@@ -0,0 +1,52 @@
+name: git-hygiene
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened, edited]
+    branches: [main, master]
+
+jobs:
+  commitlint:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
+        with:
+          fetch-depth: 0
+      - uses: wagoid/commitlint-github-action@b948419dd99f3fd78a6548d48f94e3df7f6bf3ed
+
+  pr-title:
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: read
+    steps:
+      - uses: amannn/action-semantic-pull-request@48f256284bd46cdaab1048c3721360e808335d50
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+  branch-name:
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: read
+    steps:
+      - uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b
+        with:
+          script: |
+            const branch = context.payload.pull_request?.head?.ref || "";
+            const pattern = /^codex\/(feat|fix|chore|refactor|docs|test|perf|ci|spike|hotfix)\/[a-z0-9]+(?:-[a-z0-9]+)*$/;
+            if (!pattern.test(branch)) {
+              core.setFailed(`Invalid branch name: ${branch}`);
+            }
+
+  secrets:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
+        with:
+          fetch-depth: 0
+      - uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/lockfile-rationale.yml

@@ -0,0 +1,24 @@
+name: lockfile-rationale
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened, edited]
+
+jobs:
+  enforce:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: read
+    steps:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
+      - uses: tj-actions/changed-files@48d8f15b2aaa3d255ca5af3eba4870f807ce6b3c
+        id: changed
+      - uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b
+        if: contains(steps.changed.outputs.all_changed_files, 'pnpm-lock.yaml') || contains(steps.changed.outputs.all_changed_files, 'package-lock.json') || contains(steps.changed.outputs.all_changed_files, 'yarn.lock')
+        with:
+          script: |
+            const body = (context.payload.pull_request?.body || "");
+            if (!/## Lockfile rationale/i.test(body)) {
+              core.setFailed("Lockfile changed but PR body lacks 'Lockfile rationale' section.");
+            }

.github/workflows/perf-enforced.yml

@@ -0,0 +1,113 @@
+name: perf-enforced
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened, edited]
+    branches: [main, master]
+
+jobs:
+  perf-bundle:
+    if: ${{ vars.PERF_PROFILE == 'production' }}
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
+      - uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061
+        with:
+          version: 10.28.1
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020
+        with:
+          node-version: 20
+          cache: pnpm
+      - run: pnpm install --frozen-lockfile
+      - run: pnpm build || pnpm build:ui
+      - run: pnpm perf:bundle
+      - run: node scripts/perf/compare-metric.mjs .perf-baselines/bundle.json .perf-results/bundle.json totalBytes 0.08
+
+  perf-build:
+    if: ${{ vars.PERF_PROFILE == 'production' }}
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
+      - uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061
+        with:
+          version: 10.28.1
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020
+        with:
+          node-version: 20
+          cache: pnpm
+      - run: pnpm install --frozen-lockfile
+      - run: pnpm perf:build
+      - run: node scripts/perf/compare-metric.mjs .perf-baselines/build-time.json .perf-results/build-time.json buildMs 0.15
+
+  perf-assets:
+    if: ${{ vars.PERF_PROFILE == 'production' }}
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
+      - run: ASSET_MAX_BYTES=250000 bash scripts/perf/check-assets.sh
+
+  perf-memory:
+    if: ${{ vars.PERF_PROFILE == 'production' }}
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
+      - uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061
+        with:
+          version: 10.28.1
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020
+        with:
+          node-version: 20
+          cache: pnpm
+      - run: pnpm install --frozen-lockfile
+      - run: MEMORY_MAX_DELTA_MB=5 pnpm perf:memory
+
+  perf-lighthouse:
+    if: ${{ vars.PERF_PROFILE == 'production' }}
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
+      - uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061
+        with:
+          version: 10.28.1
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020
+        with:
+          node-version: 20
+          cache: pnpm
+      - run: pnpm install --frozen-lockfile
+      - run: pnpm build || pnpm build:ui
+      - run: pnpm perf:lhci:prod || pnpm perf:lhci
+
+  perf-api:
+    if: ${{ vars.PERF_PROFILE == 'production' && vars.PERF_BASE_URL != '' }}
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
+      - uses: grafana/setup-k6-action@ffe7d7290dfa715e48c2ccc924d068444c94bde2
+      - run: k6 run tests/perf/api.k6.js --summary-export=.perf-results/api-summary.json
+        env:
+          BASE_URL: ${{ vars.PERF_BASE_URL }}
+          API_P95_MS: "250"
+          API_P99_MS: "700"
+
+  perf-db:
+    if: ${{ vars.PERF_PROFILE == 'production' && vars.PERF_DATABASE_URL != '' }}
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
+      - name: Install PostgreSQL client
+        run: sudo apt-get update && sudo apt-get install -y postgresql-client
+      - run: psql "${{ vars.PERF_DATABASE_URL }}" -f scripts/perf/db/check-pg-stat.sql