feat: add org-default control guardrails

[haasonsaas]

Summary

• add a versioned org control-plane contract, verifier, CI rail, and gh-api body regression coverage
• add canonical label sync, agent MCP config rollout machinery, Codex hook guardrails, and archived Dependabot audit/runbook
• add durable strategy/tooling profile docs for the AI-fleet positioning and TypeScript gts/wireit standardization path

Verification

• ruby .github/scripts/verify-org-control-plane-contract.rb --json-output org-control-plane-contract-report.json --markdown-output org-control-plane-contract-report.md
• ruby .github/scripts/sync-labels.rb --validate-only --labels labels.yml
• ruby -Itest -e 'ARGV.each { |path| require "./#{path}" }' test/*_test.rb\n- actionlint .github/workflows/agent-mcp-config-rollout.yml .github/workflows/archived-dependabot-audit.yml .github/workflows/codex-rails-check.yml .github/workflows/sync-labels.yml\n- git diff --check\n\nCloses Ship .mcp.json in every public repo to auto-connect coding agents to the EvalOps control plane #2.\nCloses Standardize TypeScript tooling across evalops with google/gts + google/wireit #4.\nCloses [strategy] Reposition evalops as 'govern the AI fleet you already have' #5.\nCloses Org-wide label taxonomy sync for evalops/* repos #6.\nCloses tooling: disable dependabot on archived evalops repos (archival-rot cleanup) #7.\nCloses codex: define org-managed hook guardrails for local agent work #27.\nCloses Build the EvalOps Feedback Operating System #45.\nCloses Add a research-backed acceptance harness for .github (org-level defaults issue templates reusable) #63.\nCloses Make provenance and evidence traceability first-class for .github (org-level defaults issue templates reusable) #64.\nCloses Add adversarial safety fixtures for .github (org-level defaults issue templates reusable) #65.\nCloses Expose operational telemetry and SLO gates for .github (org-level defaults issue templates reusable) #66.\nCloses Promote latent specs into a documented conformance contract for .github (org-level defaults issue templates reusable) #67.\nCloses [codex] Guardrail candidate: Workflow shell footgun (workflow-shell-footgun) #81.\nRefs [codex] Guardrail backlog: Other feedback (other-feedback) #48.\nRefs [codex] Weekly review feedback guardrail report #56.\nRefs [codex] Recent unresolved review feedback #62.\nRefs [codex] Guardrail backlog: Runtime smoke coverage gap (runtime-smoke-coverage) #68.

[cursor]

PR Summary

High Risk
High risk because it introduces new GitHub Actions workflows and Ruby automation that can open PRs or mutate org repo labels, and it tightens validation gates for org-default changes. Errors in these scripts or token scoping could impact many repositories at once.

Overview
Adds an enforced .github/contracts/org-control-plane.yml plus verify-org-control-plane-contract.rb and CI wiring in codex-rails-check.yml to validate contract provenance/evidence and fail closed on drift.

Introduces org-wide rollout automation: sync-agent-mcp-config.rb + templates for committing EvalOps MCP client config into repos (and a agent-mcp-config-rollout workflow that can open PRs across public repos), and a new labels.yml + sync-labels.rb + sync-labels workflow to plan/apply additive label reconciliation with per-repo opt-out.

Adds an archived-dependabot-audit scheduled workflow + script to report archived repos still running Dependabot, local Codex hook guardrails (evalops-codex-hook-guard.rb + example hook pack), and fixes evalops-pr-lens-review.rb to pass request bodies to gh api via --input - (with regression test coverage).

^{Reviewed by Cursor Bugbot for commit 354ea5c. Bugbot is set up for automated code reviews on this repo. Configure here.}

[github-actions]

EvalOps Label Sync Report

• Generated at: 2026-05-15T19:46:12Z
• Mode: dry-run
• Labels: 24
• Target repos: 34
• Additions: 481
• Updates: 86
• Errors: 0

Repo	Status	Add	Update	Notes
evalops/.github	planned	15	2
evalops/agent-harness	planned	15	2
evalops/agent-pm	planned	14	2
evalops/agentd	planned	12	5
evalops/bandit_dspy	planned	15	2
evalops/cognitive-dissonance-dspy	planned	15	2
evalops/cypher-llm-compiler	planned	15	2
evalops/deep-code-reasoning-mcp	planned	13	3
evalops/deliberate-reasoning-engine	planned	13	3
evalops/diffscope	planned	12	4
evalops/dspy-0to1-guide	planned	15	2
evalops/dspy-advanced-prompting	planned	15	2
evalops/dspy-micro-agent	planned	15	2
evalops/eval2otel	planned	15	2
evalops/evalops-anthropic	planned	13	4
evalops/evalops-google-generativeai	planned	13	4
evalops/evalops-openai	planned	13	4
evalops/folie-a-deux-dspy	planned	15	2
evalops/garak-skill	planned	15	2
evalops/gemini-exfil-detector	planned	15	2
evalops/keep	planned	13	3
evalops/kestrel	planned	13	3
evalops/lark	planned	15	2
evalops/maestro	planned	14	2
evalops/mcp-firewall	planned	15	2
evalops/mcp-openapi	planned	13	3
evalops/mocktopus	planned	15	2
evalops/openclaw-safety-harness	planned	13	3
evalops/orbit-agent	planned	14	2
evalops/override-cascade-dspy	planned	15	2
evalops/proto	planned	15	2
evalops/service-runtime	planned	15	2
evalops/shared-memory-mcp	planned	13	3
evalops/template-go-service	planned	15	2

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Bugbot Autofix is ON, but it could not run because the branch was deleted or merged before autofix could start.}

^{Reviewed by Cursor Bugbot for commit 354ea5c. Configure here.}

[cursor]

Leading blank line in new .gitignore files

Low Severity

When existing is nil (no .gitignore exists), merge_gitignore calls ensure_trailing_newline("") which converts the empty string to "\n", producing a leading blank line in the output. The sister function merge_agents avoids this with an early return section if existing.to_s.strip.empty? guard, but merge_gitignore lacks an equivalent check, so every new .gitignore created during MCP config rollout starts with a spurious blank line.

 

^{Reviewed by Cursor Bugbot for commit 354ea5c. Configure here.}