Add component-owner approval guard for issue #10

[taherdhanera]

/claim #10
@algora-pbc /claim #10 #387

Claim metadata

• Bounty issue: Project Repository & Version Control #10
• Claim PR: Add component-owner approval guard for issue #10 #387
• Algora linkage: @algora-pbc /claim Project Repository & Version Control #10 Add component-owner approval guard for issue #10 #387

Summary

Adds repository-component-owner-approval-guard, a self-contained Project Repository & Version Control slice that validates component-owner approval quorum before protected-branch merge or tagged repository release.

The guard evaluates:

• repository component path ownership for manuscript/, data/, code/, notebooks/, protocols/, results/, and metadata.json
• fresh eligible approval coverage per touched component
• restricted data/protocol escalation owners
• stale approvals after changed files move
• conflicted self-approvals by merge request authors
• unmapped repository paths without component policy coverage

Non-overlap

This is not a broad repository ledger, release engine, structured diff/rollback module, provenance attestation layer, release embargo gate, notebook replay tool, schema migration assistant, citation impact verifier, API/export verifier, merge queue, environment drift checker, access review guard, DOI tombstone gate, metadata readiness gate, branch hypothesis lineage guard, sensitive-artifact scanner, dependency-license guard, or legal-hold gate. It focuses specifically on component-owner approval quorum and approval freshness before merge.

Local validation

Run from repository-component-owner-approval-guard/:

npm run check
npm test
npm run demo
npm run demo:video

All four commands passed locally after the MP4 demo update.

Demo video

• reports/demo.webm and reports/demo.mp4 are included as short demo video artifacts required by the bounty.

Reviewer artifacts

• reports/summary.json
• reports/reviewer-packet.md
• reports/summary.svg
• reports/demo.webm
• reports/demo.mp4

Safety

All data is synthetic. The module does not call Git providers, repository hosting APIs, identity systems, storage systems, private repositories, or external services. It does not include private research data, credentials, real users, or live project mutations.

[taherdhanera]

@algora-pbc /claim #10 #387

Refreshing claim linkage from the PR thread as well. This PR is open, non-draft, mergeable, includes /claim #10 in the PR body, and contains explicit claim metadata for bounty issue #10 / PR #387.

[taherdhanera]

@algora-pbc claim indexing check for #10 / #387:

PR #387 is open, non-draft, mergeable, includes /claim #10 in the PR body, and has a full-URL claim comment on issue #10. The issue table still shows my row as WIP, while later #10 claim PRs such as #390/#392 have the 🙋 Bounty claim label and Reward links.

I attempted to add the existing 🙋 Bounty claim label to this PR, but GitHub rejected it because I do not have label-write permission on the upstream repository. Please re-index this claim or apply the bounty-claim label/linkage for PR #387 if the label is the missing trigger.

[taherdhanera]

/claim #10

Plain slash-command refresh for Algora indexing on PR #387. The PR is open, non-draft, clean/mergeable, and the body now starts with /claim #10 plus explicit bounty issue/PR metadata.

[taherdhanera]

Follow-up pushed in 5a7b58b: the reviewer demo now includes both reports/demo.webm and reports/demo.mp4, and npm run demo:video regenerates both artifacts from the same synthetic canvas workflow.

Local verification after the update:

• npm run check passed
• npm test passed
• npm run demo passed
• npm run demo:video passed
• git diff --check passed with only Windows LF/CRLF warnings

The PR remains focused on the component-owner approval quorum guard for /claim #10 and does not add external service calls, real project data, credentials, or unrelated repository changes.

[taherdhanera]

Closing this duplicate in favor of #407.

Reason: this PR stayed open, clean, mergeable, and locally verified, but Algora continued to show the linked #10 attempt as WIP instead of attaching the bounty claim label. #407 is the same verified implementation from the same commit with a clean /claim #10 PR body and current MP4/WebM demo artifacts, so reviewers have one active submission to inspect.