feat(content): harden 006 rollout gates and start 008 profile isolation

.github/pull_request_template.md

@@ -22,6 +22,8 @@
 - [ ] All tests pass
 - [ ] TypeScript / Python types are valid (no new type errors)
 - [ ] Documentation updated if behavior changed
+- [ ] If feature/status labels changed, I updated `status/feature-readiness.json`, regenerated `status/generated/feature-table.md`, and synchronized `README.md`, `ROADMAP.md`, and affected `kitty-specs/*/meta.json`
+- [ ] If status changes impact private planning docs, I logged the required `joyus-ai-internal` sync action in this PR (or marked N/A)
 - [ ] No secrets, credentials, or client-specific content introduced
 - [ ] Follows the Client Abstraction rule (§2.10): no real names, client names, or domain-specific jargon
 - [ ] PR title is descriptive and follows conventional commit style if applicable

.github/workflows/secret-scan.yml

@@ -20,8 +20,18 @@ jobs:
         with:
           fetch-depth: 0
 
-      - uses: gitleaks/gitleaks-action@v2
-        with:
-          args: --config=.gitleaks.toml --redact
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Install gitleaks CLI
+        run: |
+          VERSION="8.28.0"
+          curl -sSL "https://github.com/gitleaks/gitleaks/releases/download/v${VERSION}/gitleaks_${VERSION}_linux_x64.tar.gz" \
+            | tar -xz gitleaks
+          sudo mv gitleaks /usr/local/bin/gitleaks
+          gitleaks version
+
+      - name: Run gitleaks scan
+        run: |
+          if [ -f ".gitleaks.toml" ]; then
+            gitleaks git --redact --config ".gitleaks.toml"
+          else
+            gitleaks git --redact
+          fi

.github/workflows/status-consistency.yml

@@ -0,0 +1,27 @@
+name: Status Consistency
+
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+
+jobs:
+  status-consistency:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.12'
+
+      - name: Validate canonical status consistency
+        run: |
+          python scripts/verify-status-consistency.py
+
+      - name: Verify generated status snippets are up to date
+        run: |
+          python scripts/generate-status-snippets.py --check

CONTRIBUTING.md

@@ -111,6 +111,18 @@ Keep the summary line under 72 characters. Use the body to explain _why_, not _w
 - The project constitution at `spec/constitution.md` defines hard constraints. Read it before making architectural decisions.
 - Client-specific content belongs in private deployment repos, not here.
 
+## Status Synchronization Policy
+
+When a PR changes feature or readiness status, keep all status surfaces aligned in the same PR:
+
+- `status/feature-readiness.json` (canonical source)
+- `status/generated/feature-table.md` (generated artifact; run `python scripts/generate-status-snippets.py`)
+- `README.md` status section
+- `ROADMAP.md` lifecycle sections
+- Any affected `kitty-specs/<feature>/meta.json` lifecycle fields
+
+If private planning artifacts also need updates (for example in `joyus-ai-internal`), record that required sync action in the PR description before merge.
+
 ## Questions
 
 Open a [GitHub Discussion](https://github.com/Priivacy-ai/joyus-ai/discussions) for design questions or ideas that aren't yet a concrete issue.

README.md

@@ -87,17 +87,23 @@ Production deployment configuration is maintained in a separate private reposito
 
 This project uses [Spec Kitty](https://github.com/Priivacy-ai/spec-kitty) for spec-driven development. Feature specifications live in `kitty-specs/`.
 
-Current status snapshot (source: `python scripts/pride-status.py` on 2026-02-23):
+Current status snapshot (canonical source: `status/feature-readiness.json`; generated via `python scripts/generate-status-snippets.py`):
 
 | Spec | Description | Status |
 |------|-------------|--------|
-| `001` | MCP Server AWS Deployment | Complete |
-| `002` | Session Context Management | Complete |
-| `003` | Platform Architecture Overview | Spec-Only |
-| `004` | Workflow Enforcement | Complete |
-| `005` | Content Intelligence (Profile Engine) | Complete (Phases A–C, WP01–WP14) |
-| `006` | Content Infrastructure | Complete (WP01–WP12) |
-| `007` | Org-Scale Agentic Governance | Planning |
+| `001` | MCP Server AWS Deployment | Lifecycle: execution, implementation: integrated, readiness: not_ready |
+| `002` | Session Context Management | Lifecycle: done, implementation: validated, readiness: pilot_ready |
+| `003` | Platform Architecture Overview | Lifecycle: spec-only, implementation: none, readiness: not_ready |
+| `004` | Workflow Enforcement | Lifecycle: done, implementation: validated, readiness: pilot_ready |
+| `005` | Content Intelligence (Profile Engine) | Lifecycle: done, implementation: validated, readiness: pilot_ready |
+| `006` | Content Infrastructure | Lifecycle: done, implementation: integrated, readiness: not_ready |
+| `007` | Org-Scale Agentic Governance | Lifecycle: planning, implementation: scaffolded, readiness: not_ready |
+| `008` | Profile Isolation and Scale | Lifecycle: execution, implementation: integrated, readiness: not_ready |
+| `009` | Automated Pipelines Framework | Lifecycle: execution, implementation: integrated, readiness: not_ready |
+| `010` | Multi-Location Operations Module | Lifecycle: planning, implementation: none, readiness: not_ready |
+| `011` | Compliance Policy Modules | Lifecycle: planning, implementation: none, readiness: not_ready |
+
+Generated status artifact: `status/generated/feature-table.md`.
 
 Project-level architecture decisions, implementation plan, and constitution are in `spec/`.
 

ROADMAP.md

@@ -2,6 +2,8 @@
 
 An open-source, multi-tenant AI agent platform that encodes organizational knowledge as testable, enforceable skills.
 
+Canonical readiness source: `status/feature-readiness.json` (rendered summary: `status/generated/feature-table.md`).
+
 ---
 
 ## Shipped
@@ -12,10 +14,12 @@ An open-source, multi-tenant AI agent platform that encodes organizational knowl
 - **Web Chat UI** - Browser-based chat interface with Claude Desktop configuration support.
 - **Content Intelligence** - Corpus analysis, stylometric extraction, structured writing profiles, fidelity verification, drift monitoring, and repair.
 
-## In Development
+## In Development / Hardening
 
-- **Content Infrastructure** — Corpus connector interface, search abstraction layer, content state management, access level mapping, AI-optimized content API for bot mediation.
+- **Content Infrastructure** — Lifecycle: done, implementation: integrated, production_readiness: not_ready (staging/data-schema validation and soak/rollback gates pending).
 - **Org-Scale Agentic Governance** — Maturity scoring, spec lifecycle enforcement, CI-integrated governance gates, remediation tracking.
+- **Profile Isolation and Scale** — Lifecycle: execution, implementation: integrated (WP01/WP02 enforcement + WP03 queue/backpressure primitives), production_readiness: not_ready.
+- **Automated Pipelines Framework** — Lifecycle: execution, implementation: integrated (core stage contract + orchestrator), production_readiness: not_ready.
 
 ## Planned
 

deploy/scripts/feature-006-search-vector-check.sh

@@ -0,0 +1,97 @@
+#!/usr/bin/env bash
+# Feature 006: verify content.items search_vector readiness + query plan.
+#
+# Required env:
+#   DATABASE_URL             PostgreSQL DSN
+# Optional env:
+#   TEST_QUERY               Search phrase (default: "policy")
+#   TEST_SOURCE_ID           Explicit source_id filter
+#   PG_PSQL_CONTAINER        default: joyus-ai-mcp-server-db-1 (docker fallback)
+set -euo pipefail
+
+if [ -z "${DATABASE_URL:-}" ]; then
+  echo "ERROR: DATABASE_URL is required." >&2
+  exit 1
+fi
+
+TEST_QUERY="${TEST_QUERY:-policy}"
+TEST_SOURCE_ID="${TEST_SOURCE_ID:-}"
+PG_PSQL_CONTAINER="${PG_PSQL_CONTAINER:-joyus-ai-mcp-server-db-1}"
+
+PSQL_MODE="host"
+if ! command -v psql >/dev/null 2>&1; then
+  if command -v docker >/dev/null 2>&1 && docker inspect "$PG_PSQL_CONTAINER" >/dev/null 2>&1; then
+    PSQL_MODE="docker"
+  else
+    echo "ERROR: psql not available and docker fallback container not found." >&2
+    exit 1
+  fi
+fi
+
+DB_NAME="$(echo "$DATABASE_URL" | sed -E 's|.*/([^/?]+).*|\1|')"
+
+run_sql() {
+  local sql="$1"
+  if [ "$PSQL_MODE" = "host" ]; then
+    psql "$DATABASE_URL" -v ON_ERROR_STOP=1 -X -Atc "$sql"
+  else
+    docker exec "$PG_PSQL_CONTAINER" sh -lc "PGPASSWORD=postgres psql -U postgres -d '$DB_NAME' -v ON_ERROR_STOP=1 -X -Atc \"$sql\""
+  fi
+}
+
+run_sql_script() {
+  local sql="$1"
+  if [ "$PSQL_MODE" = "host" ]; then
+    psql "$DATABASE_URL" -v ON_ERROR_STOP=1 -X <<SQL
+$sql
+SQL
+  else
+    docker exec -i "$PG_PSQL_CONTAINER" sh -lc "PGPASSWORD=postgres psql -U postgres -d '$DB_NAME' -v ON_ERROR_STOP=1 -X" <<SQL
+$sql
+SQL
+  fi
+}
+
+echo "== Feature 006 search_vector readiness check =="
+
+table_exists="$(run_sql "select to_regclass('content.items') is not null;")"
+if [ "$table_exists" != "t" ]; then
+  echo "ERROR: content.items table does not exist." >&2
+  exit 1
+fi
+
+column_exists="$(run_sql "select exists (select 1 from information_schema.columns where table_schema='content' and table_name='items' and column_name='search_vector');")"
+if [ "$column_exists" != "t" ]; then
+  echo "ERROR: content.items.search_vector column is missing." >&2
+  exit 1
+fi
+
+gin_count="$(run_sql "select count(*) from pg_indexes where schemaname='content' and tablename='items' and indexdef ilike '%using gin%' and indexdef ilike '%search_vector%';")"
+if [ "$gin_count" -eq 0 ]; then
+  echo "ERROR: no GIN index found for content.items.search_vector." >&2
+  exit 1
+fi
+
+if [ -z "$TEST_SOURCE_ID" ]; then
+  TEST_SOURCE_ID="$(run_sql "select source_id from content.items where source_id is not null limit 1;")"
+fi
+
+echo "search_vector column: OK"
+echo "search_vector GIN indexes: $gin_count"
+echo "test query: $TEST_QUERY"
+echo "test source_id: ${TEST_SOURCE_ID:-<none>}"
+
+echo
+echo "== Query plan (EXPLAIN ANALYZE) =="
+run_sql_script "
+EXPLAIN (ANALYZE, BUFFERS)
+SELECT id, source_id, title
+FROM content.items
+WHERE ('$TEST_SOURCE_ID' = '' OR source_id = '$TEST_SOURCE_ID')
+  AND search_vector @@ plainto_tsquery('english', '$TEST_QUERY')
+ORDER BY ts_rank(search_vector, plainto_tsquery('english', '$TEST_QUERY')) DESC
+LIMIT 10;
+"
+
+echo
+echo "Feature 006 search_vector validation completed."