fix(#431): enforce H1 shell policy (linux=bash, macOS=zsh, windows=pwsh) across PR + release gates (#434)

* test(#431): policy-shell-pinning linter — RED baseline (37 violations on origin/next)

Adds scripts/workflow-policy.cjs: H1 shell-policy linter with POLICY map,
VIOLATION enum, matrix expansion, effective-shell resolution order, and
runPolicyLint({ workflowsDir }) entry point.

Adds tests/policy-shell-pinning.test.cjs: 8 tests (baseline + 6 synthetic
counter-tests). Synthetic tests 2–7 pass; baseline test is intentionally RED
(37 violations: 28 in test.yml, 9 in install-smoke.yml — all macos/windows
lanes using shell: bash instead of native zsh/pwsh).

Adds js-yaml@4.1.1 as devDependency for YAML parsing.

* fix(#431): switch ubuntu/windows lanes to native shells; extract bash-isms to Node

Remove all explicit shell: bash pins from ubuntu-only jobs (changes, lint-tests,
coverage, required-tests, smoke-unpacked) — ubuntu runner default is bash, which
is both H1-compliant and the runner default, making the pin redundant.

For the test and test-full mixed-OS jobs (ubuntu+windows, windows+macos):
- Move bash-ism steps to shell-agnostic Node scripts:
    scripts/ci-guard-runner.cjs       — RUNNER_ENVIRONMENT check
    scripts/ci-rebase-check.cjs       — git fetch+merge PR base branch
    scripts/check-npm-integrity.cjs   — Node port of check-npm-integrity.sh
    scripts/ci-prepare-test-scope.cjs — write .ci-selected-tests.txt
    scripts/ci-smoke-skip.cjs         — set skip= output for full-only matrix entries
- Remove shell: bash from simple npm/node command steps (runner default applies)

This brings Windows violations from 19 to 0. Remaining 17 violations are all
MACOS_MISSING_EXPLICIT_ZSH in mixed-OS matrix jobs (test-full: windows+macos,
install-smoke smoke: ubuntu+macos) — these require job splitting to fix; see
BLOCKER in PR description.

* fix(#431): update workflow-shell-pinning test for H1 policy

The old test required all Windows-targeting npm steps to pin shell: bash
(to prevent pwsh stderr-swallow). Under H1, Windows runners must use
pwsh (native, no pin needed) — shell: bash on Windows is now the
violation, not the fix.

Update findViolations() to flag npm steps with effectiveShell === 'bash'
(rather than effectiveShell === null). Update synthetic tests to verify
the H1-inverted semantics: defaults.run.shell: bash on Windows is now 2
violations, not 0. Update test name and assertion messages to describe
the H1 constraint rather than the old missing-pin constraint.

* fix(#431): extend policy linter to resolve matrix.shell expressions

- expandRunsOn now captures all matrix.include row keys as realization
  context (os, node-version, shell, full_only, etc.) instead of only os
- effectiveShell now accepts a realizationContext and resolves
  ${{ matrix.<key> }} expressions against it before checking policy
- Unresolvable matrix key in shell expression emits UNRESOLVABLE_MATRIX
- Add 3 new tests: positive (zsh+pwsh per row → 0 violations),
  counter (bash in macOS row → WRONG_SHELL_FOR_OS), counter (missing
  shell key → UNRESOLVABLE_MATRIX)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(#431): apply matrix.shell pattern to test-full and smoke jobs (clears BLOCKER)

test-full job (test.yml):
- Add shell: pwsh/zsh per matrix.include row (windows-latest→pwsh,
  macos-latest→zsh)
- Add job-level defaults.run.shell: ${{ matrix.shell }}
- No step-level shell pins existed to remove

smoke job (install-smoke.yml):
- Add shell: bash/zsh per matrix.include row (ubuntu→bash, macos→zsh)
- Add job-level defaults.run.shell: ${{ matrix.shell }}
- No step-level shell pins existed to remove

Policy linter now reports 0 violations across all workflow files.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* refactor(#431): migrate .sh check scripts to .cjs; remove .sh originals

- Add scripts/check-env.cjs: Node.js port of check-env.sh with
  identical exit codes (0/1/2), human-readable and --json output,
  --help flag, and all 5 checks (node-version, npm-version,
  lockfile-present, lockfile-sync, version-manager-pin)
- Migrate all callers:
  - package.json check:env → node scripts/check-env.cjs
  - package.json check:integrity → node scripts/check-npm-integrity.cjs
  - scripts/ci-test-scope.cjs path strings → .cjs equivalents
  - .github/workflows/release.yml rc+finalize jobs → node .cjs (drop chmod+x)
  - .github/workflows/security-scan.yml → node .cjs (drop chmod+x)
  - tests/check-env.test.cjs → spawn node process.execPath [.cjs]
  - tests/npm-integrity-gate.test.cjs → spawn node process.execPath [.cjs]
- Delete scripts/check-env.sh and scripts/check-npm-integrity.sh

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* refactor(#431): update doc references from .sh to .cjs

Update SECURITY.md and docs/contributing/bootstrap.md to reference the
canonical Node invocation instead of the removed bash scripts.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(#431): use per-step shell:matrix.shell instead of defaults.run.shell (GHA compat)

GHA does not reliably resolve matrix expressions inside defaults.run.shell.
Per-step shell: always resolves correctly. Removed the defaults.run.shell block
from the test-full job (test.yml) and the smoke job (install-smoke.yml), and
added shell: \${{ matrix.shell }} directly on every run: step in both jobs.

Codex finding: defaults.run.shell with matrix expressions is not a
GHA-supported pattern; per-step shell: is the safe form.

* fix(#431): policy linter validates every matrix.include row independently

Removed runner-label-only dedup from expandRunsOn() in workflow-policy.cjs.
The prior guard (if !realizations.find(r => r.runner === runner)) collapsed
two macos-latest rows with different node-version/shell contexts into one,
hiding the second row's policy violation.

Each matrix.include row is a distinct CI realization with its own context;
validating it twice is harmless but skipping it causes false negatives.

Added counter-test (Test 8) in tests/policy-shell-pinning.test.cjs:
two macos-latest rows (shell:zsh compliant + shell:bash violation) must
produce exactly one WRONG_SHELL_FOR_OS violation on the second row.

* fix(#431): remove dedup-by-runner in Cartesian matrix.<key> expansion (Codex round 3)

The base-list path in expandRunsOn (matrix.<key> arrays, e.g. matrix.os)
previously guarded each push with `if (!realizations.find(r => r.runner === runner))`,
collapsing duplicate runner values into a single realization and hiding policy
violations on later rows of a Cartesian matrix.

Remove the guard unconditionally; each entry in the base-list array now produces
its own realization, matching the same fix already applied to the matrix.include path.

Add counter-test "Cartesian matrix os × shell — dedup must not collapse rows by
runner alone": matrix.os: [macos-latest, macos-latest] + shell: ${{ matrix.shell }}
now yields 2 realizations (not 1). Documents that Cartesian cross-product expansion
(carrying all keys into realization context) is a separate follow-up; current violations
are UNRESOLVABLE_MATRIX pending that work.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(#431): remove 60s timeout regression on npm ci --dry-run (parity with check-env.sh)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(#431): ci-rebase-check.cjs — return truthy sentinel on success (Codex round 4)

run() used execFileSync with stdio:'inherit', which returns null on success.
Caller checked `result !== null`, always false → every successful fetch fell
through to "failed after 3 attempts" exit-1 path.

Fix: run() now returns true on success, false on failure.
Update caller from `result !== null` to `if (result)`.

Adds tests/ci-rebase-check.test.cjs (5 tests) covering the sentinel contract
and a local-bare-remote integration smoke that verifies the full fetch+merge
path exits 0 when fetch succeeds.

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: CI Rebase Check <ci@gsd-redux>

Author: 3 people

.github/workflows/install-smoke.yml

@@ -64,26 +64,24 @@ jobs:
           - os: ubuntu-latest
             node-version: 22
             full_only: false
+            shell: bash
           - os: ubuntu-latest
             node-version: 24
             full_only: true
+            shell: bash
           - os: macos-latest
             node-version: 24
             full_only: true
+            shell: zsh
 
     steps:
       - name: Skip full-only matrix entry on PR
         id: skip
-        shell: bash
         env:
           EVENT: ${{ github.event_name }}
           FULL_ONLY: ${{ matrix.full_only }}
-        run: |
-          if [ "$EVENT" = "pull_request" ] && [ "$FULL_ONLY" = "true" ]; then
-            echo "skip=true" >> "$GITHUB_OUTPUT"
-          else
-            echo "skip=false" >> "$GITHUB_OUTPUT"
-          fi
+        shell: ${{ matrix.shell }}
+        run: node scripts/ci-smoke-skip.cjs
 
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         if: steps.skip.outputs.skip != 'true'
@@ -102,20 +100,8 @@ jobs:
       # instead of a downstream build error that looks unrelated.
       - name: Rebase check — merge PR base branch into PR head
         if: steps.skip.outputs.skip != 'true' && github.event_name == 'pull_request'
-        shell: bash
-        run: |
-          set -euo pipefail
-          git config user.email "ci@gsd-redux"
-          git config user.name "CI Rebase Check"
-          BASE_BRANCH="${GITHUB_BASE_REF:-main}"
-          git fetch origin "$BASE_BRANCH"
-          if ! git merge --no-edit --no-ff "origin/$BASE_BRANCH"; then
-            echo "::error::This PR cannot cleanly merge origin/$BASE_BRANCH. Rebase your branch onto current $BASE_BRANCH and push again."
-            echo "::error::Conflicting files:"
-            git diff --name-only --diff-filter=U
-            git merge --abort
-            exit 1
-          fi
+        shell: ${{ matrix.shell }}
+        run: node scripts/ci-rebase-check.cjs
 
       - name: Set up Node.js ${{ matrix.node-version }}
         if: steps.skip.outputs.skip != 'true'
@@ -126,12 +112,13 @@ jobs:
 
       - name: Install root deps
         if: steps.skip.outputs.skip != 'true'
+        shell: ${{ matrix.shell }}
         run: npm ci
 
       - name: Pack root tarball
         if: steps.skip.outputs.skip != 'true'
         id: pack
-        shell: bash
+        shell: ${{ matrix.shell }}
         run: |
           set -euo pipefail
           TARBALL=$(npm pack --silent)
@@ -141,18 +128,18 @@ jobs:
 
       - name: Ensure npm global bin is on PATH (CI runner default may differ)
         if: steps.skip.outputs.skip != 'true'
-        shell: bash
+        shell: ${{ matrix.shell }}
         run: |
           NPM_BIN="$(npm config get prefix)/bin"
           echo "$NPM_BIN" >> "$GITHUB_PATH"
           echo "npm global bin: $NPM_BIN"
 
       - name: Install tarball globally
         if: steps.skip.outputs.skip != 'true'
-        shell: bash
         env:
           TARBALL: ${{ steps.pack.outputs.tarball }}
           WORKSPACE: ${{ github.workspace }}
+        shell: ${{ matrix.shell }}
         run: |
           set -euo pipefail
           TMPDIR_ROOT=$(mktemp -d)
@@ -170,7 +157,7 @@ jobs:
 
       - name: Assert gsd-tools resolves on PATH
         if: steps.skip.outputs.skip != 'true'
-        shell: bash
+        shell: ${{ matrix.shell }}
         run: |
           set -euo pipefail
           if ! command -v gsd-tools >/dev/null 2>&1; then
@@ -184,7 +171,7 @@ jobs:
 
       - name: Assert gsd-tools is executable
         if: steps.skip.outputs.skip != 'true'
-        shell: bash
+        shell: ${{ matrix.shell }}
         run: |
           set -euo pipefail
           gsd-tools --help
@@ -193,7 +180,7 @@ jobs:
       - name: Lifecycle smoke
         if: steps.skip.outputs.skip != 'true'
         id: lifecycle-smoke
-        shell: bash
+        shell: ${{ matrix.shell }}
         run: |
           set -euo pipefail
           node scripts/release-tarball-smoke.cjs --json | tee /tmp/release-smoke.json
@@ -226,20 +213,7 @@ jobs:
       # latest target.
       - name: Rebase check — merge PR base branch into PR head
         if: github.event_name == 'pull_request'
-        shell: bash
-        run: |
-          set -euo pipefail
-          git config user.email "ci@gsd-redux"
-          git config user.name "CI Rebase Check"
-          BASE_BRANCH="${GITHUB_BASE_REF:-main}"
-          git fetch origin "$BASE_BRANCH"
-          if ! git merge --no-edit --no-ff "origin/$BASE_BRANCH"; then
-            echo "::error::This PR cannot cleanly merge origin/$BASE_BRANCH. Rebase your branch onto current $BASE_BRANCH and push again."
-            echo "::error::Conflicting files:"
-            git diff --name-only --diff-filter=U
-            git merge --abort
-            exit 1
-          fi
+        run: node scripts/ci-rebase-check.cjs
 
       - name: Set up Node.js 22
         uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f  # v6.3.0
@@ -251,14 +225,12 @@ jobs:
         run: npm ci
 
       - name: Ensure npm global bin is on PATH
-        shell: bash
         run: |
           NPM_BIN="$(npm config get prefix)/bin"
           echo "$NPM_BIN" >> "$GITHUB_PATH"
           echo "npm global bin: $NPM_BIN"
 
       - name: Install from unpacked directory (no npm pack)
-        shell: bash
         run: |
           set -euo pipefail
           TMPDIR_ROOT=$(mktemp -d)
@@ -268,7 +240,6 @@ jobs:
           get-shit-done-redux --claude --local || true
 
       - name: Assert gsd-tools resolves on PATH after unpacked install
-        shell: bash
         run: |
           set -euo pipefail
           if ! command -v gsd-tools >/dev/null 2>&1; then
@@ -280,7 +251,6 @@ jobs:
           echo "✓ gsd-tools resolves at: $(command -v gsd-tools)"
 
       - name: Assert gsd-tools is executable after unpacked install
-        shell: bash
         run: |
           set -euo pipefail
           gsd-tools --help

.github/workflows/release.yml

@@ -189,8 +189,7 @@ jobs:
       - name: Install and test
         run: |
           npm ci
-          chmod +x scripts/check-npm-integrity.sh
-          scripts/check-npm-integrity.sh
+          node scripts/check-npm-integrity.cjs
           npm run test:coverage:unit
 
       - name: Commit pre-release version bump
@@ -321,8 +320,7 @@ jobs:
           NODE_OPTIONS: --max-old-space-size=6144
         run: |
           npm ci
-          chmod +x scripts/check-npm-integrity.sh
-          scripts/check-npm-integrity.sh
+          node scripts/check-npm-integrity.cjs
           npm run test:coverage:unit
 
       # npm bundled with Node 24 (pinned via setup-node) already supports trusted publishing (#318)

.github/workflows/security-scan.yml

@@ -43,9 +43,7 @@ jobs:
         run: npm ci
 
       - name: Dependency integrity gate
-        run: |
-          chmod +x scripts/check-npm-integrity.sh
-          scripts/check-npm-integrity.sh
+        run: node scripts/check-npm-integrity.cjs
 
       - name: Prompt injection scan
         env: