CI gate commands

Verify the given agent-doc carries the portable Valinor Doctrine block — present (anchors), version parseable + current (>= the bundled canonical version), and the block body un-drifted from the canonical doctrine. The consumer-facing wrapper over the same validator as scripts/check-doctrine.mjs.

The deterministic complement of doctrine-check. Where doctrine-check is byte-identity on the propagated block, this inspects the prose outside it and flags any README-owned section header (project / stack / commands / install / usage / license) carried out-of-block — the doctrine's "no README duplication" principle. Reads its severity from gates.agent-file-principles.

Scans your repo's docs for deterministic rot: dead internal links, dead tracked-config refs, dead valinor <cmd> / npm run <script> prose refs, and a CLI generate-diff (documented commands vs the enumerable src/cli.ts registry, both directions). The temporal complement to the doc-accuracy Greptile rule. Takes no argument — it scans the working directory.

The exhaustiveness/accounting axis of your docs corpus: no orphans, no stubs. By default it uses a generic manifest (it never false-flags a doc as an orphan — it only floors near-empty placeholders). Declare your own doc-types under gates.docs-coverage.manifest to enable the stricter govern-or-remove orphan check. Scans the working directory.

The OWASP A06 gate — checks your lockfile is present + valid, npm audit reports no critical/high vulnerabilities, and no dependency carries an unbounded version specifier or a denylisted package. Reads failOn / denylist overrides from governance.config.yml.

When a PR's src/ diff is substantial (more than ~30 added/removed .ts/.tsx lines), it requires at least one new bullet under your CHANGELOG.md's ## [Unreleased] section. Resolves the base ref from GITHUB_BASE_REF (falling back to origin/main); on a local / non-PR run with no resolvable base it skips.