fix(repo): Harden catalog sync and release integrity

Tighten the repo-state automation so canonical bot commits remain
predictable while leaving main clean after each sync.

Make the public catalog UI more honest by hiding dev-only sync,
turning stars into explicit browser-local saves, aligning risk types,
and removing hardcoded catalog counts.

Add shared public asset URL helpers, risk suggestion plumbing,
safer unpack/sync guards, and CI coverage gates so release and
maintainer workflows catch drift earlier.
This commit is contained in:
sickn33
2026-03-29 09:22:09 +02:00
parent 141fd58568
commit 08a31cacf5
46 changed files with 1903 additions and 523 deletions


@@ -75,7 +75,7 @@ jobs:
python-version: "3.10"
- name: Install Python dependencies
run: pip install pyyaml
run: pip install -r tools/requirements.txt
- name: Set up Node
uses: actions/setup-node@v4
@@ -103,13 +103,15 @@ jobs:
- name: Audit npm dependencies
run: npm audit --audit-level=high
continue-on-error: true
- name: Run tests
env:
ENABLE_NETWORK_TESTS: "1"
run: npm run test
- name: Run web app coverage
run: npm run app:test:coverage
- name: Run docs security checks
run: npm run security:docs
@@ -126,7 +128,7 @@ jobs:
python-version: "3.10"
- name: Install Python dependencies
run: pip install pyyaml
run: pip install -r tools/requirements.txt
- name: Set up Node
uses: actions/setup-node@v4
@@ -176,12 +178,17 @@ jobs:
main-validation-and-sync:
if: github.event_name != 'pull_request'
runs-on: ubuntu-latest
concurrency:
group: canonical-main-sync
cancel-in-progress: false
permissions:
contents: write
env:
GH_TOKEN: ${{ github.token }}
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Set up Python
uses: actions/setup-python@v5
@@ -189,7 +196,7 @@ jobs:
python-version: "3.10"
- name: Install Python dependencies
run: pip install pyyaml
run: pip install -r tools/requirements.txt
- name: Set up Node
uses: actions/setup-node@v4
@@ -216,37 +223,55 @@ jobs:
- name: Audit npm dependencies
run: npm audit --audit-level=high
continue-on-error: true
- name: Run tests
env:
ENABLE_NETWORK_TESTS: "1"
run: npm run test
- name: Run web app coverage
run: npm run app:test:coverage
- name: Run docs security checks
run: npm run security:docs
- name: Set up GitHub credentials
if: github.event_name == 'push' && github.ref == 'refs/heads/main'
run: |
set -euo pipefail
git config user.name 'github-actions[bot]'
git config user.email 'github-actions[bot]@users.noreply.github.com'
git remote set-url origin https://x-access-token:${{ secrets.GITHUB_TOKEN }}@github.com/${{ github.repository }}.git
git fetch origin main
- name: Auto-commit canonical artifacts
if: github.event_name == 'push' && github.ref == 'refs/heads/main'
run: |
set -euo pipefail
mapfile -t managed_files < <(node tools/scripts/generated_files.js --include-mixed)
if [ "${#managed_files[@]}" -eq 0 ]; then
echo "No managed files resolved from generated_files contract."
exit 1
fi
git diff --quiet && exit 0
if git diff --quiet && [ -z "$(git ls-files --others --exclude-standard)" ]; then
echo "No canonical repo-state drift detected."
exit 0
fi
git add -- "${managed_files[@]}" || true
git diff --cached --quiet && exit 0
if git diff --cached --quiet; then
echo "Repo-state sync produced unmanaged drift only."
git status --short
exit 1
fi
if [ -n "$(git diff --name-only)" ] || [ -n "$(git ls-files --others --exclude-standard)" ]; then
echo "Repo-state sync produced unmanaged drift alongside canonical changes."
git status --short
exit 1
fi
git commit -m "chore: sync repo state [ci skip]"
git pull origin main --rebase
@@ -255,13 +280,14 @@ jobs:
- name: Check for uncommitted drift
if: github.event_name == 'push' && github.ref == 'refs/heads/main'
run: |
if ! git diff --quiet; then
echo "❌ Detected uncommitted changes produced by registry/readme/catalog scripts."
if ! git diff --quiet || [ -n "$(git ls-files --others --exclude-standard)" ]; then
echo "❌ Detected leftover drift after the canonical bot sync."
echo
echo "Main must be self-healing after the auto-sync step."
echo "The bot may only commit managed canonical files and must leave a clean tree."
echo "To fix locally, run the canonical maintainer flow:"
echo " npm run release:preflight"
echo " npm run sync:repo-state"
echo " git status"
git status --short
exit 1
fi
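Review bot: The `Set up GitHub credentials` step writes the token into the remote URL (`git remote set-url origin https://x-access-token:${{ secrets.GITHUB_TOKEN }}@github.com/...`), which persists it in `.git/config` for every later step and any process they spawn, and interpolates a secret straight into the shell script rather than reading it from the environment. actions/checkout@v4 already persists an auth header for pushes unless `persist-credentials: false` is set (the `with:` block shows only `fetch-depth`), and the job already exports `GH_TOKEN`, so the `set-url` line looks redundant and can be dropped; if a URL rewrite is really required, build it from `$GH_TOKEN` instead of `${{ secrets.GITHUB_TOKEN }}`. Separately, in `Auto-commit canonical artifacts` the `git add -- "${managed_files[@]}" || true` swallows a non-matching pathspec, in which case nothing is staged and the new `git diff --cached --quiet` branch reports the misleading "unmanaged drift only" and exits 1; dropping `|| true` (or checking each managed path exists before staging) would surface the real cause. The push that presumably follows `git pull origin main --rebase` is outside the visible hunk.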


@@ -25,7 +25,7 @@ jobs:
python-version: "3.10"
- name: Install Python dependencies
run: pip install pyyaml
run: pip install -r tools/requirements.txt
- name: Setup Node
uses: actions/setup-node@v4
@@ -36,6 +36,9 @@ jobs:
- name: Install dependencies
run: npm ci
- name: Audit npm dependencies
run: npm audit --audit-level=high
- name: Validate references
run: npm run validate:references
@@ -45,6 +48,9 @@ jobs:
- name: Run tests
run: npm run test
- name: Run web app coverage
run: npm run app:test:coverage
- name: Run docs security checks
run: npm run security:docs
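Review bot: The added `Audit npm dependencies` step runs `npm audit --audit-level=high` as a hard gate here, while the same step in the first workflow of this commit carries `continue-on-error: true`, so a newly published high-severity advisory (or a registry outage, since audit needs the network) blocks this workflow but not that one. If the difference is deliberate, a comment such as `# Hard gate: audit failures must block this workflow` above the step would document it; otherwise align the two by adding `continue-on-error: true` here or removing it there. The `Run web app coverage` gate is only as strong as the thresholds `app:test:coverage` enforces, which are not visible in this diff.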


@@ -11,10 +11,15 @@ permissions:
jobs:
sync-repo-state:
runs-on: ubuntu-latest
concurrency:
group: canonical-main-sync
cancel-in-progress: false
env:
GH_TOKEN: ${{ github.token }}
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Set up Python
uses: actions/setup-python@v5
@@ -22,7 +27,7 @@ jobs:
python-version: "3.10"
- name: Install Python dependencies
run: pip install pyyaml
run: pip install -r tools/requirements.txt
- name: Set up Node
uses: actions/setup-node@v4
@@ -33,6 +38,9 @@ jobs:
- name: Install npm dependencies
run: npm ci
- name: Audit npm dependencies
run: npm audit --audit-level=high
- name: Run repo-state sync
run: npm run sync:repo-state
@@ -46,17 +54,24 @@ jobs:
exit 1
fi
if git diff --quiet; then
if git diff --quiet && [ -z "$(git ls-files --others --exclude-standard)" ]; then
echo "No repo-state drift detected."
exit 0
fi
git config user.name "github-actions[bot]"
git config user.email "github-actions[bot]@users.noreply.github.com"
git fetch origin main
git add -- "${managed_files[@]}" || true
if git diff --cached --quiet; then
echo "Repo hygiene produced unmanaged drift."
echo "Repo hygiene produced unmanaged drift only."
git status --short
exit 1
fi
if [ -n "$(git diff --name-only)" ] || [ -n "$(git ls-files --others --exclude-standard)" ]; then
echo "Repo hygiene produced unmanaged drift alongside canonical changes."
git status --short
exit 1
fi