Codex/GitHub prep clean ship

.github/workflows/dependency-gate.yml

@@ -0,0 +1,113 @@
+name: Dependency Gate
+
+on:
+  pull_request:
+  push:
+
+jobs:
+  dependency-check:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: 20
+
+      - name: Install frontend deps (clean)
+        working-directory: frontend
+        run: |
+          npm ci || {
+            echo "🔥 DEPENDENCY GATE FAILED"
+            echo "Reason: frontend lockfile mismatch or install drift detected"
+            echo "This is a hard law violation under DEPENDENCY_GATE_POLICY.md"
+            echo "Fix required before merge."
+            exit 1
+          }
+
+      - name: Audit frontend
+        working-directory: frontend
+        run: |
+          npm audit --audit-level=moderate || {
+            echo "🔥 DEPENDENCY GATE FAILED"
+            echo "Reason: vulnerable frontend package detected by npm audit"
+            echo "This is a hard law violation under DEPENDENCY_GATE_POLICY.md"
+            echo "Fix required before merge."
+            exit 1
+          }
+
+      - name: Test frontend
+        working-directory: frontend
+        run: npm run test:ci
+
+      - name: Build frontend
+        working-directory: frontend
+        run: npm run build
+
+      - name: Install mobile deps (clean)
+        working-directory: mobile
+        run: |
+          npm ci || {
+            echo "🔥 DEPENDENCY GATE FAILED"
+            echo "Reason: mobile lockfile mismatch or install drift detected"
+            echo "This is a hard law violation under DEPENDENCY_GATE_POLICY.md"
+            echo "Fix required before merge."
+            exit 1
+          }
+
+      - name: Audit mobile
+        working-directory: mobile
+        run: |
+          npm audit --audit-level=moderate || {
+            echo "🔥 DEPENDENCY GATE FAILED"
+            echo "Reason: vulnerable mobile package detected by npm audit"
+            echo "This is a hard law violation under DEPENDENCY_GATE_POLICY.md"
+            echo "Fix required before merge."
+            exit 1
+          }
+
+      - name: Typecheck mobile
+        working-directory: mobile
+        run: npm run typecheck
+
+      - name: Setup Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+
+      - name: Install uv
+        run: pip install uv
+
+      - name: Sync root deps
+        run: |
+          uv sync --frozen --extra dev || {
+            echo "🔥 DEPENDENCY GATE FAILED"
+            echo "Reason: root Python lock drift or unresolved frozen sync"
+            echo "This is a hard law violation under DEPENDENCY_GATE_POLICY.md"
+            echo "Fix required before merge."
+            exit 1
+          }
+
+      - name: Sync api deps
+        working-directory: api
+        run: |
+          uv sync --frozen || {
+            echo "🔥 DEPENDENCY GATE FAILED"
+            echo "Reason: api Python lock drift or unresolved frozen sync"
+            echo "This is a hard law violation under DEPENDENCY_GATE_POLICY.md"
+            echo "Fix required before merge."
+            exit 1
+          }
+
+      - name: Run backend tests
+        run: |
+          uv run --frozen pytest -q || {
+            echo "🔥 DEPENDENCY GATE FAILED"
+            echo "Reason: governed verification did not pass after dependency sync"
+            echo "This is a hard law violation under DEPENDENCY_GATE_POLICY.md"
+            echo "Fix required before merge."
+            exit 1
+          }

docs/README.md

@@ -17,6 +17,8 @@ Use it to answer four questions quickly:
   - live runtime maps, subsystem status, and system-facing reference docs
 - [contracts/](./contracts/)
   - active laws, protocols, doctrine, and contracts
+  - includes the dependency override ledger in
+    [contracts/DEPENDENCY_OVERRIDES.md](./contracts/DEPENDENCY_OVERRIDES.md)
   - includes the active tracing contract in
     [contracts/AAIS_TRACING_PROTOCOL.md](./contracts/AAIS_TRACING_PROTOCOL.md)
   - includes the active immune and pattern-ledger contracts in

docs/audit/AAIS_STATUS_AUDIT.md

@@ -36,6 +36,8 @@ These files currently do a good job of describing the live system or one bounded
   - admits ARIS as an embedded AAIS runtime profile and carries the canonical non-copy clause
 - [DEPENDENCY_GATE_POLICY.md](../contracts/DEPENDENCY_GATE_POLICY.md)
   - canonical contract for pinned dependency admission, lockfile evidence, and drift rejection
+- [DEPENDENCY_OVERRIDES.md](../contracts/DEPENDENCY_OVERRIDES.md)
+  - rationale ledger for the remaining mobile overrides and the frontend override removals
 - [TINY_NOVA_CANONICAL.md](../subsystems/nova/TINY_NOVA_CANONICAL.md)
   - canonical markdown source for Tiny/Small Nova identity, memory boundaries, growth stages, and the Jarvis authority split
 - [NOVA_HUMAN_GUIDE.md](../subsystems/nova/NOVA_HUMAN_GUIDE.md), [NOVA_AI_OPERATING_CONTRACT.md](../subsystems/nova/NOVA_AI_OPERATING_CONTRACT.md), and [NOVA_STAGE_SPEC.md](../subsystems/nova/NOVA_STAGE_SPEC.md)
@@ -112,9 +114,20 @@ These are not hidden bugs. They are explicit limits in the current design.
   - Super Nova is no longer described as dormant or future-only in the active truth surfaces
   - the live boundary now reflects phase gate before execution, explicit activation, watchdog enforcement, bounded immune protocol observation, and Project Infi final-truth admission
 - The dependency hardening pass is now repaired and deterministic.
+  - the repo now carries a root `uv.lock` for AAIS orchestration/runtime in
+    addition to the existing `api/uv.lock`
+  - `.github/workflows/dependency-gate.yml` now enforces clean installs,
+    frozen Python sync, dependency audits, frontend build/tests, mobile
+    typecheck, and backend tests on GitHub Actions
   - `api/uv.lock` now resolves `pillow 12.2.0`
-  - `frontend/package-lock.json` now carries exact governed versions for `axios`, `follow-redirects`, `lodash`, and `postcss`
-  - `mobile/package-lock.json` now carries exact governed versions for `axios`, `@xmldom/xmldom`, `follow-redirects`, `postcss`, and `uuid`
+  - `frontend/package-lock.json` now resolves to a clean audited tree without
+    any remaining overrides
+  - `mobile/package-lock.json` now keeps only the still-required governed
+    overrides for `@xmldom/xmldom`, `postcss`, and `uuid`
+- Remote GitHub Actions proof is currently blocked by platform state, not gate logic.
+  - the throwaway break branch and the good branch both triggered the workflow
+  - GitHub returned `The job was not started because your account is locked due to a billing issue`
+  - local verification is complete, but remote step-by-step gate execution cannot be proven until that GitHub account issue is cleared
 - The detachment governance and ingress identity seams are now repaired.
   - the detachment guard is exposed through governed read and clear API routes
   - message, stream, and compat ingress lanes now preserve distinct bridge route and surface attribution
@@ -161,8 +174,14 @@ These are not hidden bugs. They are explicit limits in the current design.
 - Frontend dependency audit: `0 vulnerabilities`
 - Mobile dependency audit: `0 vulnerabilities`
 - Mobile typecheck: passes
+- Root AAIS lock generation: `uv lock` passes and produces `uv.lock`
+- Root AAIS frozen sync check: `uv sync --frozen --extra dev` passes in an
+  isolated project environment
 - Link sanity for the updated Super Nova truth surfaces: `SUPER_NOVA_DOC_LINKS_OK`
 - The dependency hardening and detachment-governance pass reran the full backend suite, the full frontend test suite, the frontend production build, mobile typecheck, and the frontend/mobile dependency audits.
+- Remote branch-triggered Actions runs were created for both the ship branch and
+  the deliberate break branch, but neither job started because GitHub reported
+  an account billing lock before step execution.
 
 ## 6. Recommended Next Documentation Moves
 

docs/audit/LOGBOOK.md

@@ -282,3 +282,10 @@ Every major entry should name its CISIV stage explicitly.
 - scope: exposed the detachment guard through governed read and clear API routes, restored distinct bridge route and surface attribution across message, stream, and compat ingress lanes, and added regression coverage for detachment lifecycle control and route identity integrity
 - outcome: the repo no longer carries hidden detachment review state, operator-facing detachment clearance is explicit and bounded, and ingress attribution remains accurate across the governed API boundary
 - verification note: the detachment regression slice in `tests/test_api.py` passed after the patch, and the full backend suite remained green at `668 passed, 12 subtests passed`
+
+### Dependency Gate, Root Lock, And Override Reduction
+
+- CISIV stage: `verification`
+- scope: added the first GitHub-native dependency gate workflow, generated the root `uv.lock` for AAIS orchestration/runtime, removed all now-unnecessary frontend overrides, reduced the mobile overrides to the three still forced by the Expo tree, and documented the remaining override debt explicitly
+- outcome: AAIS now enforces clean frontend/mobile installs plus audits and frozen Python sync in `.github/workflows/dependency-gate.yml`, the root runtime has deterministic lock evidence in `uv.lock`, the frontend no longer depends on override shims, and the mobile package keeps only the still-justified overrides for `@xmldom/xmldom`, `postcss`, and `uuid`
+- verification note: isolated no-override probes proved the frontend stays clean without overrides while the mobile Expo tree reintroduces vulnerable `postcss` and `uuid` plus an old `@xmldom/xmldom` without them; after the real manifest updates the backend suite, frontend test/build, mobile typecheck, frontend audit, and mobile audit were rerun; a deliberate remote break test and a matching good-branch run both triggered GitHub Actions but were blocked before step execution because GitHub reported an account billing lock

docs/contracts/DEPENDENCY_GATE_POLICY.md

@@ -30,12 +30,19 @@ Stability before freedom applies to dependencies too.
 
 The current repo uses these governed evidence surfaces:
 
+- `uv.lock`
 - `api/uv.lock`
 - `frontend/package-lock.json`
 - `mobile/package-lock.json`
 
+The current repo enforces those surfaces in GitHub Actions through:
+
+- `.github/workflows/dependency-gate.yml`
+
 The current repo also uses explicit npm overrides where a safe transitive
 version must be forced instead of waiting for an upstream package to catch up.
+The current rationale for each remaining override lives in
+`docs/contracts/DEPENDENCY_OVERRIDES.md`.
 
 ## Verification Requirement
 

docs/contracts/DEPENDENCY_OVERRIDES.md

@@ -0,0 +1,79 @@
+# Dependency Overrides
+
+This file explains the remaining npm overrides that are still admitted into
+AAIS after the dependency hardening pass.
+
+Overrides are not normal dependency state.
+They are temporary governance shims that stay only while an upstream tree still
+resolves an unsafe version.
+
+## Current Rule
+
+- keep an override only when a clean no-override resolution reintroduces a
+  vulnerable or explicitly rejected package version
+- remove an override as soon as upstream resolves to a safe version without it
+- record the reason and expected removal condition here
+
+## Frontend
+
+The frontend no longer requires overrides.
+
+An isolated no-override resolution on 2026-04-29 still produced:
+
+- `follow-redirects 1.16.0`
+- `lodash 4.18.1`
+- `postcss 8.5.12`
+
+and `npm audit --audit-level=moderate --package-lock-only` reported
+`0 vulnerabilities`.
+
+That is why the frontend override block was removed.
+
+## Mobile
+
+The mobile package still requires three overrides today because the Expo 54
+dependency tree reintroduces unsafe versions without them.
+
+### `@xmldom/xmldom`
+
+- reason: the no-override tree resolves `@xmldom/xmldom 0.8.13` on the Expo
+  config path, while the governed floor is `0.9.10`
+- current admitted override: `0.9.10`
+- remove when: the Expo / plist / config-plugin tree resolves `>=0.9.10`
+  natively
+
+### `postcss`
+
+- reason: the no-override tree resolves `postcss 8.4.49`, and
+  `npm audit --audit-level=moderate --package-lock-only` reports the
+  moderated-severity advisory on versions `<8.5.10`
+- current admitted override: `8.5.12`
+- remove when: the Expo Metro/config tree resolves `>=8.5.10` natively
+
+### `uuid`
+
+- reason: the no-override tree resolves `uuid 7.0.3` through `xcode`, and
+  `npm audit --audit-level=moderate --package-lock-only` reports the
+  moderated-severity advisory on versions `<14.0.0`
+- current admitted override: `14.0.0`
+- remove when: the Expo config-plugin / xcode tree resolves `>=14.0.0`
+  natively
+
+## Removed Override
+
+### `follow-redirects` (mobile)
+
+- result: removed
+- reason: the no-override mobile tree already resolves `follow-redirects
+  1.16.0`, so the override was no longer carrying real governance weight
+
+## Verification Evidence
+
+The 2026-04-29 no-override probe used isolated temporary installs outside the
+live package folders, then checked:
+
+- frontend `npm audit --audit-level=moderate --package-lock-only`
+- mobile `npm audit --audit-level=moderate --package-lock-only`
+
+The frontend passed cleanly without overrides.
+The mobile tree failed without overrides and justified the remaining three.

docs/contracts/README.md

@@ -7,6 +7,7 @@ govern AAIS behavior.
 
 - document protocol and documentation law
 - dependency gate and deterministic lock policy
+- dependency override ledger and removal conditions
 - module governance and phase rules
 - cognitive bridge ingress law
 - embedded ARIS runtime and non-copy law

frontend/package.json

@@ -55,10 +55,5 @@
       "last 1 firefox version",
       "last 1 safari version"
     ]
-  },
-  "overrides": {
-    "follow-redirects": "1.16.0",
-    "lodash": "4.18.1",
-    "postcss": "8.5.12"
   }
 }

mobile/package.json

@@ -35,7 +35,6 @@
   },
   "overrides": {
     "@xmldom/xmldom": "0.9.10",
-    "follow-redirects": "1.16.0",
     "postcss": "8.5.12",
     "uuid": "14.0.0"
   }