saagar210 · saagar210 · Feb 16, 2026 · Feb 16, 2026 · Feb 16, 2026 · Feb 16, 2026
diff --git a/.codex/actions/_artifact_env.sh b/.codex/actions/_artifact_env.sh
@@ -0,0 +1,58 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+REPO_ROOT="${CODEX_REPO_ROOT:-$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)}"
+REPO_NAME="${CODEX_REPO_NAME:-$(basename "$REPO_ROOT")}"
+
+if command -v shasum >/dev/null 2>&1; then
+  REPO_HASH="${CODEX_REPO_HASH:-$(printf '%s' "$REPO_ROOT" | shasum -a 256 | awk '{print substr($1,1,12)}')}"
+else
+  REPO_HASH="${CODEX_REPO_HASH:-$(printf '%s' "$REPO_ROOT" | md5 | awk '{print substr($NF,1,12)}')}"
+fi
+
+RUN_ID="${CODEX_RUN_ID:-$(date +%Y%m%dT%H%M%S)-$$}"
+
+CODEX_CACHE_ROOT="${CODEX_CACHE_ROOT:-/Users/d/Library/Caches/Codex}"
+CODEX_BUILD_ROOT="${CODEX_BUILD_ROOT:-$CODEX_CACHE_ROOT/build}"
+CODEX_LOG_ROOT="${CODEX_LOG_ROOT:-$CODEX_CACHE_ROOT/logs}"
+
+CODEX_BUILD_RUST_DIR="${CODEX_BUILD_RUST_DIR:-$CODEX_BUILD_ROOT/rust/$REPO_HASH}"
+CODEX_BUILD_NEXT_DIR="${CODEX_BUILD_NEXT_DIR:-$CODEX_BUILD_ROOT/next/$REPO_HASH}"
+CODEX_BUILD_JS_DIR="${CODEX_BUILD_JS_DIR:-$CODEX_BUILD_ROOT/js/$REPO_HASH}"
+CODEX_LOG_RUN_DIR="${CODEX_LOG_RUN_DIR:-$CODEX_LOG_ROOT/$REPO_NAME/$RUN_ID}"
+
+mkdir -p "$CODEX_BUILD_RUST_DIR" "$CODEX_BUILD_NEXT_DIR" "$CODEX_BUILD_JS_DIR" "$CODEX_LOG_RUN_DIR"
+
+export CODEX_REPO_ROOT="$REPO_ROOT"
+export CODEX_REPO_NAME="$REPO_NAME"
+export CODEX_REPO_HASH="$REPO_HASH"
+export CODEX_RUN_ID="$RUN_ID"
+export CODEX_CACHE_ROOT
+export CODEX_BUILD_ROOT
+export CODEX_LOG_ROOT
+export CODEX_BUILD_RUST_DIR
+export CODEX_BUILD_NEXT_DIR
+export CODEX_BUILD_JS_DIR
+export CODEX_LOG_RUN_DIR
+
+if [ -z "${CARGO_TARGET_DIR:-}" ]; then
+  export CARGO_TARGET_DIR="$CODEX_BUILD_RUST_DIR"
+fi
+
+if [ -z "${VITE_CACHE_DIR:-}" ]; then
+  export VITE_CACHE_DIR="$CODEX_BUILD_JS_DIR/vite"
+fi
+
+if [ -z "${NEXT_CACHE_DIR:-}" ]; then
+  export NEXT_CACHE_DIR="$CODEX_BUILD_NEXT_DIR"
+fi
+
+if [ -z "${TURBO_CACHE_DIR:-}" ]; then
+  export TURBO_CACHE_DIR="$CODEX_BUILD_JS_DIR/turbo"
+fi
+
+if [ -z "${PLAYWRIGHT_OUTPUT_DIR:-}" ]; then
+  export PLAYWRIGHT_OUTPUT_DIR="$CODEX_LOG_RUN_DIR/playwright"
+fi
+
+mkdir -p "$PLAYWRIGHT_OUTPUT_DIR"
diff --git a/.codex/actions/build.sh b/.codex/actions/build.sh
@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Codex artifact routing defaults (v6.0)
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+if [ -f "$SCRIPT_DIR/_artifact_env.sh" ]; then
+  # shellcheck source=/dev/null
+  source "$SCRIPT_DIR/_artifact_env.sh"
+fi
+pnpm run build
diff --git a/.codex/actions/dev-lean.sh b/.codex/actions/dev-lean.sh
@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Codex artifact routing defaults (v6.0)
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+if [ -f "$SCRIPT_DIR/_artifact_env.sh" ]; then
+  # shellcheck source=/dev/null
+  source "$SCRIPT_DIR/_artifact_env.sh"
+fi
+pnpm run dev:lean
diff --git a/.codex/actions/lint.sh b/.codex/actions/lint.sh
@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Codex artifact routing defaults (v6.0)
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+if [ -f "$SCRIPT_DIR/_artifact_env.sh" ]; then
+  # shellcheck source=/dev/null
+  source "$SCRIPT_DIR/_artifact_env.sh"
+fi
+
+echo "No dedicated lint script in package.json; running build/type check fallback."
+pnpm run build
diff --git a/.codex/actions/test.sh b/.codex/actions/test.sh
@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Codex artifact routing defaults (v6.0)
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+if [ -f "$SCRIPT_DIR/_artifact_env.sh" ]; then
+  # shellcheck source=/dev/null
+  source "$SCRIPT_DIR/_artifact_env.sh"
+fi
+
+echo "NOT_RUN: No test script is documented in README.md or package.json for this repo."
+echo "Add a canonical test command before treating production-ready quality gates as passing."
+
+if [ "${CODEX_ALLOW_NOT_RUN_GATES:-0}" = "1" ]; then
+  echo "Bypass enabled via CODEX_ALLOW_NOT_RUN_GATES=1; continuing with documented risk."
+  exit 0
+fi
+
+exit 3
diff --git a/.codex/bootstrap/package-bootstrap.json b/.codex/bootstrap/package-bootstrap.json
@@ -0,0 +1,5 @@
+{
+  "schema": "codex-os-package-bootstrap/v1",
+  "managed_by": "codex-os-managed",
+  "notes": "Merged into package.json by scripts/merge_package_json.mjs"
+}
diff --git a/.codex/codex-os.manifest.json b/.codex/codex-os.manifest.json
@@ -0,0 +1,9 @@
+{
+  "schema": "codex-os-manifest/v1",
+  "managed_by": "codex-os-managed",
+  "bootstrap_version": "1.0.0",
+  "profile": "side",
+  "installed_at": "2026-02-17T05:40:04Z",
+  "last_verified_at": "2026-02-17T05:40:04Z",
+  "template_pack": "react-ts"
+}
diff --git a/.codex/commands.md b/.codex/commands.md
@@ -0,0 +1,9 @@
+# SpecCompanion .codex command map
+
+| Action | Command | Source |
+| --- | --- | --- |
+| setup deps | `pnpm install` | `README.md` |
+| lint fallback | `pnpm run build` | `package.json` (no dedicated lint script) |
+| test | _none configured (blocks by default as NOT_RUN; bypass only with `CODEX_ALLOW_NOT_RUN_GATES=1` + explicit risk acceptance)_ | `README.md`, `package.json` |
+| build | `pnpm run build` | `README.md`, `package.json` |
+| lean dev | `pnpm run dev:lean` | `README.md`, `package.json` |
diff --git a/.codex/scripts/run_verify_commands.sh b/.codex/scripts/run_verify_commands.sh
@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+COMMANDS_FILE="${1:-.codex/verify.commands}"
+
+if [[ ! -f "$COMMANDS_FILE" ]]; then
+  echo "Missing $COMMANDS_FILE"
+  exit 2
+fi
+
+while IFS= read -r cmd || [[ -n "$cmd" ]]; do
+  [[ -z "${cmd//[[:space:]]/}" ]] && continue
+  [[ "$cmd" =~ ^[[:space:]]*# ]] && continue
+
+  echo ">> $cmd"
+  eval "$cmd"
+done < "$COMMANDS_FILE"
diff --git a/.codex/setup.sh b/.codex/setup.sh
@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+echo "SpecCompanion local setup (non-destructive)."
+command -v node >/dev/null 2>&1 && node -v || echo "node: missing"
+command -v pnpm >/dev/null 2>&1 && pnpm -v || echo "pnpm: missing"
+command -v cargo >/dev/null 2>&1 && cargo --version || echo "cargo: missing"
+
+echo
+echo "Install deps (README.md):"
+echo "  pnpm install"
+echo "Lean dev mode (README.md):"
+echo "  pnpm run dev:lean"
diff --git a/.codex/verify.commands b/.codex/verify.commands
@@ -0,0 +1,2 @@
+pnpm ui:gate:static
+pnpm ui:gate:regression
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
@@ -0,0 +1,34 @@
+<!-- codex-os-managed -->
+## What
+- 
+
+## Why
+- 
+
+## How
+- 
+
+## Testing
+- Commands run:
+- Results:
+
+## Performance impact
+- Bundle delta:
+- Build time delta:
+- Lighthouse delta:
+- API latency delta:
+- DB query delta:
+
+## Risk / Notes
+- 
+
+## Screenshots (UI only)
+- 
+
+## Lockfile rationale (if lockfile changed)
+- 
+
+## Baseline governance (if .perf-baselines changed)
+- `perf-baseline-update` label applied:
+- Reviewer signoff:
+- Rollback note:
diff --git a/.github/workflows/git-hygiene.yml b/.github/workflows/git-hygiene.yml
@@ -0,0 +1,52 @@
+name: git-hygiene
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened, edited]
+    branches: [main, master]
+
+jobs:
+  commitlint:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
+        with:
+          fetch-depth: 0
+      - uses: wagoid/commitlint-github-action@b948419dd99f3fd78a6548d48f94e3df7f6bf3ed
+
+  pr-title:
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: read
+    steps:
+      - uses: amannn/action-semantic-pull-request@48f256284bd46cdaab1048c3721360e808335d50
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+  branch-name:
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: read
+    steps:
+      - uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b
+        with:
+          script: |
+            const branch = context.payload.pull_request?.head?.ref || "";
+            const pattern = /^codex\/(feat|fix|chore|refactor|docs|test|perf|ci|spike|hotfix)\/[a-z0-9]+(?:-[a-z0-9]+)*$/;
+            if (!pattern.test(branch)) {
+              core.setFailed(`Invalid branch name: ${branch}`);
+            }
+
+  secrets:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
+        with:
+          fetch-depth: 0
+      - uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/lighthouse.yml b/.github/workflows/lighthouse.yml
@@ -0,0 +1,23 @@
+name: lighthouse
+
+on:
+  pull_request:
+    branches: [main, master]
+
+jobs:
+  lhci:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Setup pnpm
+        uses: pnpm/action-setup@v4
+        with:
+          version: 10
+      - name: Setup Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: 20
+          cache: pnpm
+      - run: pnpm install --frozen-lockfile || pnpm install
+      - run: pnpm build:ui
+      - run: pnpm exec lhci autorun
diff --git a/.github/workflows/lockfile-rationale.yml b/.github/workflows/lockfile-rationale.yml
@@ -0,0 +1,24 @@
+name: lockfile-rationale
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened, edited]
+
+jobs:
+  enforce:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: read
+    steps:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
+      - uses: tj-actions/changed-files@48d8f15b2aaa3d255ca5af3eba4870f807ce6b3c
+        id: changed
+      - uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b
+        if: contains(steps.changed.outputs.all_changed_files, 'pnpm-lock.yaml') || contains(steps.changed.outputs.all_changed_files, 'package-lock.json') || contains(steps.changed.outputs.all_changed_files, 'yarn.lock')
+        with:
+          script: |
+            const body = (context.payload.pull_request?.body || "");
+            if (!/## Lockfile rationale/i.test(body)) {
+              core.setFailed("Lockfile changed but PR body lacks 'Lockfile rationale' section.");
+            }