feat(ci): add workspace integrity, prerelease guard, and export smoke gates

[diberry]

Summary

Adds 3 new CI validation gates to \squad-ci.yml\ motivated by the PR #640 prerelease version incident where npm silently resolved a stale published SDK instead of the local workspace copy.

Gate 1: \workspace-integrity\

• Verifies lockfile has no stale registry entries for workspace packages
• Catches: npm resolving published registry copy instead of local workspace symlink
• Cost: Zero-install (reads \package-lock.json\ only)
• Flag: \�ars.SQUAD_WORKSPACE_CHECK\ / label: \skip-workspace-check\

Gate 2: \prerelease-version-guard\

• Blocks prerelease version suffixes (-build, -alpha, -beta, -rc) from merging to dev/main
• Catches: Forgotten prerelease suffixes that break semver range resolution
• Cost: Zero-install (reads \packages/*/package.json\ only)
• Flag: \�ars.SQUAD_VERSION_CHECK\ / label: \skip-version-check\

Gate 3: ^[xport-smoke-test\

• Verifies all subpath exports resolve to built artifacts after SDK build
• Catches: Missing \dist/\ files for declared exports (complements ^[xports-map-check)
• Cost: Lightweight install + SDK build (~30s), only runs when SDK files change
• Flag: \�ars.SQUAD_EXPORT_SMOKE\ / label: \skip-export-smoke\

Design

• All gates follow existing CI patterns: feature flags, skip labels, three-dot diff, ::error::\ annotations
• Gates 1 & 2 are zero-install (fast, no
  pm ci\ needed)
• Gate 3 only triggers on SDK source/config changes and does its own lightweight build

Closes #114

---

Fork PR: diberry#115

Merge Order

These 3 PRs form a dependency chain — merge in this order:

1. PR: fix(sdk,cli): remove prerelease version suffixes (from fork PR feat: Extract cold-path sections from squad.agent.md (#98) #116) — fixes dev branch versions
2. PR: feat(ci): add workspace integrity, prerelease guard, and export smoke gates (from fork PR chore: Remove .ai-team/ deprecation banner (#71) #115) — adds CI enforcement
3. PR: docs(skill): add versioning policy (from fork PR chore: standardize timestamps to ISO 8601 UTC #117) — documents the rules

[Copilot]

Pull request overview

Adds additional CI “health gates” to reduce workspace/version/export regressions (motivated by prior incidents), plus supporting scripts/tests and documentation/process updates.

Changes:

• Add new CI jobs for workspace lockfile integrity, prerelease version blocking, exports-map validation, and subpath export smoke testing.
• Add scripts + Vitest coverage for exports-map checking and guard workflow removal regression protection.
• Add PR process artifacts (PR template/requirements) and new/updated docs pages.

Reviewed changes

Copilot reviewed 14 out of 14 changed files in this pull request and generated 9 comments.

Show a summary per file

File	Description
.github/workflows/squad-ci.yml	Adds multiple new CI gates (workspace integrity, prerelease guard, exports map check, export smoke test, samples build, changelog gate) and skip-label handling.
scripts/check-exports-map.mjs	New script to compare SDK barrel directories vs package.json exports.
test/check-exports-map.test.ts	Ensures the exports-map checker script runs and produces structured output.
test/guard-removal.test.ts	Adds regression tests ensuring the old “main guard” workflow isn’t recreated by init/upgrade/migrations/templates.
docs/src/content/docs/features/context-hygiene.md	Updates Nap description and links to new concept page.
docs/src/content/docs/concepts/nap-vs-compact.md	New concept page explaining Nap vs /compact.
.github/PULL_REQUEST_TEMPLATE.md	Adds a structured PR template with testing/docs/exports checklists.
.github/PR_REQUIREMENTS.md	Adds a versioned PR requirements spec doc.
.squad/skills/fork-first-pipeline/SKILL.md	New skill documenting a fork-first PR workflow.
.copilot/skills/bleed-check/SKILL.md	New skill documenting bleed-check audit process.
.squad/decisions.md	Moves/records decision entries (including CI safety items) and updates decision log content.
.squad/decisions-archive.md	Archives older decision entries removed from .squad/decisions.md.
.squad/decisions/inbox/retro-copilot-git-safety.md	Removes inbox entry (content moved elsewhere).
.squad/decisions/inbox/booster-ci-deletion-guard.md	Removes inbox entry (content moved elsewhere).

[Copilot]

The samples gate uses npm install inside each sample directory even though many samples have package-lock.json. Using npm ci when a lockfile is present makes installs reproducible and reduces flakiness from dependency drift (and usually speeds CI up). Consider branching: npm ci if package-lock.json exists, else npm install.

Suggested change

	if ! (cd "$sample_dir" && npm install --ignore-scripts 2>&1); then
	echo "::error::[$sample] npm install failed"
	if [ -f "$sample_dir/package-lock.json" ]; then
	INSTALL_CMD="npm ci --ignore-scripts"
	else
	INSTALL_CMD="npm install --ignore-scripts"
	fi
	if ! (cd "$sample_dir" && $INSTALL_CMD 2>&1); then
	echo "::error::[$sample] dependency installation failed"

[Copilot]

PR description focuses on CI gates, but this workflow file also introduces additional non-CI process artifacts elsewhere in the PR (PR template/requirements and new skill docs). If those are intentionally in-scope, the PR description/title should mention them; otherwise consider splitting them into a separate PR to keep CI changes reviewable and revertible.

[Copilot]

This internal docs link uses an absolute route (/concepts/nap-vs-compact) while most docs in this repo use relative .md links (e.g., ../concepts/github-workflow.md). Using relative links is generally more robust across differing site base paths and keeps link style consistent within the docs set.

Suggested change

	> **Note:** For session-level conversation compression, use `/compact` in the Copilot CLI interactive shell. See [Nap vs /compact](/concepts/nap-vs-compact) for the difference between team state cleanup and session transcript compression.
	> **Note:** For session-level conversation compression, use `/compact` in the Copilot CLI interactive shell. See [Nap vs /compact](../concepts/nap-vs-compact.md) for the difference between team state cleanup and session transcript compression.

[Copilot]

The template mentions "npm run preflight", but the repo doesn’t define a preflight script. This can confuse contributors filling out the template; consider referencing the actual commands used here (e.g., npm run build && npm test) or adding a real preflight script if that’s intended.

Suggested change

	<!-- What was tested and how. "npm run preflight" output or CI green. -->
	<!-- What was tested and how. "npm run build && npm test" output or CI green. -->

[Copilot]

These \\\ / \\\bash blocks aren’t valid Markdown fences and include a stray control character before ash, so the commands won’t render as code blocks. Replace them with standard triple-backtick fences (bash ... ), and remove the backslashes/control character throughout the skill.

[Copilot]

These \\\bash / \\\ blocks aren’t valid Markdown fences and include a stray control character before ash, so the example commands won’t render correctly. Use standard triple-backtick code fences (bash ... ), and remove the backslashes/control character throughout this skill file.

[Copilot]

check-exports-map.mjs currently fails if any top-level src/<dir>/index.ts barrel lacks a corresponding exports["./<dir>"] entry. The SDK already has existing barrel dirs (e.g. remote/, platform/, roles/, streams/, upstream/) without exports entries, so this gate will block the next PR that touches packages/squad-sdk/src/ unless those legacy gaps are addressed. Consider scoping the check to only new barrel dirs introduced in the PR (e.g., compute added src/*/index.ts dirs via git diff base...head), or maintain an explicit allowlist/denylist of public barrels.

[Copilot]

The export smoke test computes a package subpath specifier (@bradygaster/squad-sdk/...) but then imports the built file via file://... instead. That bypasses Node’s exports resolution rules, so a malformed/unsupported exports entry key could still pass as long as the target file exists. Importing via the computed package specifier would more accurately validate real consumer behavior.

[Copilot]

These label checks use gh pr view ... but the workflow’s top-level permissions: currently only grants contents: read. With restricted permissions, the GITHUB_TOKEN often cannot read PR metadata via the API, causing gh pr view to fail and skip labels to be ignored. Prefer using ${{ toJSON(github.event.pull_request.labels.*.name) }} (no API call) like other jobs here, or add pull-requests: read to the workflow permissions.

Suggested change

	LABELS=$(gh pr view ${{ github.event.pull_request.number }} --json labels --jq '.labels[].name' 2>/dev/null || echo "")
	if echo "$LABELS" | grep -q "skip-changelog"; then
	echo "skip=true" >> "$GITHUB_OUTPUT"
	echo "Skipping CHANGELOG gate (skip-changelog label present)"
	else
	echo "skip=false" >> "$GITHUB_OUTPUT"
	fi
	env:
	GH_TOKEN: ${{ github.token }}
	LABELS='${{ toJSON(github.event.pull_request.labels.*.name) }}'
	if echo "$LABELS" | grep -q '"skip-changelog"'; then
	echo "skip=true" >> "$GITHUB_OUTPUT"
	echo "Skipping CHANGELOG gate (skip-changelog label present)"
	else
	echo "skip=false" >> "$GITHUB_OUTPUT"
	fi

[diberry]

Superseded by new PR with clean branch from upstream/dev (no fork-specific commits).