Promote dev import runtime hardening to main

.github/workflows/sign-modules-on-approval.yml

@@ -6,40 +6,30 @@ on:
     types: [submitted]
 
 concurrency:
-  group: sign-modules-on-approval-${{ github.event.pull_request.number }}
+  group: sign-modules-on-approval-${{ github.event.pull_request.number || github.event.number }}
   cancel-in-progress: true
 
 permissions:
   contents: write
+  pull-requests: read
 
 jobs:
   sign-modules:
     runs-on: ubuntu-latest
     env:
       SPECFACT_MODULE_PRIVATE_SIGN_KEY: ${{ secrets.SPECFACT_MODULE_PRIVATE_SIGN_KEY }}
       SPECFACT_MODULE_PRIVATE_SIGN_KEY_PASSPHRASE: ${{ secrets.SPECFACT_MODULE_PRIVATE_SIGN_KEY_PASSPHRASE }}
-      PR_BASE_REF: ${{ github.event.pull_request.base.ref }}
-      PR_HEAD_REF: ${{ github.event.pull_request.head.ref }}
+      PR_BASE_REF: ${{ github.event.pull_request.base.ref || github.base_ref }}
+      PR_HEAD_REF: ${{ github.event.pull_request.head.ref || github.head_ref }}
     steps:
       - name: Eligibility gate (required status check)
         id: gate
+        env:
+          GH_TOKEN: ${{ github.token }}
         run: |
           set -euo pipefail
-          if [ "${{ github.event.review.state }}" != "approved" ]; then
-            echo "sign=false" >> "$GITHUB_OUTPUT"
-            echo "::notice::Skipping module signing: review state is not approved."
-            exit 0
-          fi
-          author_association="${{ github.event.review.user.author_association }}"
-          case "$author_association" in
-            COLLABORATOR|MEMBER|OWNER)
-              ;;
-            *)
-              echo "sign=false" >> "$GITHUB_OUTPUT"
-              echo "::notice::Skipping module signing: reviewer association '${author_association}' is not trusted for signing."
-              exit 0
-              ;;
-          esac
+          review_state="${{ github.event.review.state || '' }}"
+          author_association="${{ github.event.review.user.author_association || '' }}"
           base_ref="${{ github.event.pull_request.base.ref }}"
           if [ "$base_ref" != "dev" ] && [ "$base_ref" != "main" ]; then
             echo "sign=false" >> "$GITHUB_OUTPUT"
@@ -53,8 +43,22 @@ jobs:
             echo "::notice::Skipping module signing: fork PR (head repo differs from target repo)."
             exit 0
           fi
+          if [ "$review_state" != "approved" ]; then
+            echo "sign=false" >> "$GITHUB_OUTPUT"
+            echo "::notice::Skipping module signing: review state is not approved."
+            exit 0
+          fi
+          case "$author_association" in
+            COLLABORATOR|MEMBER|OWNER)
+              ;;
+            *)
+              echo "sign=false" >> "$GITHUB_OUTPUT"
+              echo "::notice::Skipping module signing: reviewer association '${author_association}' is not trusted for signing."
+              exit 0
+              ;;
+          esac
           echo "sign=true" >> "$GITHUB_OUTPUT"
-          echo "Eligible for module signing (approved by trusted reviewer, same-repo PR to dev or main)."
+          echo "Eligible for module signing (same-repo PR to dev or main with trusted approval state)."
 
       - name: Guard signing secrets
         if: steps.gate.outputs.sign == 'true'
@@ -139,7 +143,7 @@ jobs:
           {
             echo "### Module signing (CI approval)"
             if [ "${GATE_SIGN}" != "true" ]; then
-              echo "Signing skipped (eligibility gate: not approved, wrong base branch, or fork PR)."
+              echo "Signing skipped (eligibility gate: no trusted approval, wrong base branch, or fork PR)."
             else
               echo "Manifests discovered under \`packages/\`: ${MANIFESTS_COUNT:-unknown}"
               if [ "${COMMIT_CHANGED}" = "true" ]; then

.github/workflows/sign-modules.yml

@@ -70,11 +70,16 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
 
       - name: Fetch workflow_dispatch comparison base
         if: github.event_name == 'workflow_dispatch'
         run: git fetch --no-tags origin "${{ github.event.inputs.base_branch }}"
 
+      - name: Fetch pull_request comparison base
+        if: github.event_name == 'pull_request'
+        run: git fetch --no-tags origin "${{ github.event.pull_request.base.ref }}"
+
       - name: Set up Python
         uses: actions/setup-python@v5
         with:
@@ -151,6 +156,39 @@ jobs:
               )
           PY
 
+      - name: Auto-sign changed module manifests (same-repo PRs, non-bot actors)
+        if: >-
+          github.event_name == 'pull_request' &&
+          github.event.pull_request.head.repo.full_name == github.repository &&
+          github.actor != 'github-actions[bot]'
+        env:
+          PR_HEAD_REF: ${{ github.event.pull_request.head.ref }}
+          SPECFACT_MODULE_PRIVATE_SIGN_KEY: ${{ secrets.SPECFACT_MODULE_PRIVATE_SIGN_KEY }}
+          SPECFACT_MODULE_PRIVATE_SIGN_KEY_PASSPHRASE: ${{ secrets.SPECFACT_MODULE_PRIVATE_SIGN_KEY_PASSPHRASE }}
+        run: |
+          set -euo pipefail
+          if [ -z "${SPECFACT_MODULE_PRIVATE_SIGN_KEY}" ]; then
+            echo "::error::Missing SPECFACT_MODULE_PRIVATE_SIGN_KEY. Configure the secret so same-repo PRs can auto-sign module manifests."
+            exit 1
+          fi
+          MERGE_BASE="$(git merge-base HEAD "origin/${{ github.event.pull_request.base.ref }}")"
+          python scripts/sign-modules.py \
+            --changed-only \
+            --base-ref "$MERGE_BASE" \
+            --bump-version patch \
+            --payload-from-filesystem
+
+          if [ -z "$(git status --porcelain -- packages/)" ]; then
+            echo "No manifest signing changes to commit."
+            exit 0
+          fi
+
+          git config user.name "github-actions[bot]"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          git add -u -- packages/
+          git commit -m "chore(modules): ci sign changed modules"
+          git push origin "HEAD:${PR_HEAD_REF}"
+
       - name: Strict verify module manifests (push to dev/main)
         if: github.event_name == 'push' && (github.ref_name == 'dev' || github.ref_name == 'main')
         run: |

docs/bundles/project/import-migration.md

@@ -18,6 +18,7 @@ This guide covers advanced features and optimizations in the `code import` comma
 The `code import` command has been optimized for large codebases and includes several features to improve reliability, performance, and user experience:
 
 - **Progress Reporting**: Real-time progress bars for long-running operations
+- **Default Ignore Policy**: Hidden and heavyweight artifact directories are pruned before traversal
 - **Feature Validation**: Automatic validation of existing features when resuming imports
 - **Early Save Checkpoint**: Features saved immediately after analysis to prevent data loss
 - **Performance Optimizations**: Pre-computed caches for 5-15x faster processing
@@ -29,6 +30,26 @@ The `code import` command has been optimized for large codebases and includes se
 
 The import command now provides detailed progress reporting for all major operations:
 
+### Discovery and ETA Semantics
+
+Import progress is now derived from the work discovered after ignore pruning, not from a fixed-duration promise.
+
+- Default traversal skips hidden and heavyweight directories such as `.git/`, `.specfact/`, `.venv/`, `venv/`, `node_modules/`, `build/`, `dist/`, and `__pycache__/`.
+- Repo-local overrides can be added in `.specfact/.specfactignore`.
+- When import encounters ignored artifact trees with more than 500 entries or repositories larger than 1,000 files, it emits warnings instead of promising that the run will finish in a specific number of minutes.
+- Remaining time is based on processed-versus-discovered work at the current runtime rate, so estimates remain provisional for repos above those configured thresholds.
+
+### Repo-local Ignore Overrides
+
+Add extra ignore patterns to `.specfact/.specfactignore` when a repository contains generated or vendored trees outside the default exclusions:
+
+```text
+custom_ignore/
+third_party/generated/**
+```
+
+Patterns are applied before traversal so ignored trees do not inflate scanned-file counts or ETA totals.
+
 ### Feature Analysis Progress
 
 During the initial codebase analysis, you'll see:
@@ -192,7 +213,7 @@ specfact code import my-project --repo . --revalidate-features
 For codebases with 1000+ features:
 
 1. **Use partial analysis**: Start with `--entry-point` to analyze one module at a time
-2. **Monitor progress**: Watch the progress bars to estimate completion time
+2. **Monitor progress**: Treat remaining time as live guidance based on discovered work, not a fixed promise
 3. **Use checkpoints**: Let the early save checkpoint work for you - don't worry about interruptions
 4. **Re-validate periodically**: Use `--revalidate-features` after major code changes
 
@@ -217,8 +238,9 @@ For codebases with 1000+ features:
 
 If source file linking is slow:
 
-- **Check file count**: Large numbers of files (10,000+) will take longer
+- **Check file count**: Large numbers of files (10,000+) will take longer even after default ignore pruning
 - **Monitor progress**: The progress bar shows current status
+- **Review warnings**: Heavy-artifact warnings identify ignored trees that would otherwise dominate runtime
 - **Use entry points**: Limit scope with `--entry-point` for faster processing
 
 ### Validation Issues
@@ -247,4 +269,4 @@ If import is interrupted:
 
 ---
 
-**Happy importing!** 🚀
+**Happy importing!** 🚀

openspec/CHANGE_ORDER.md

@@ -80,11 +80,29 @@ These changes are the modules-side runtime companions to split core governance a
 | validation | 02 | validation-02-full-chain-engine | [#171](https://github.com/nold-ai/specfact-cli-modules/issues/171) | Parent Feature: [#163](https://github.com/nold-ai/specfact-cli-modules/issues/163); core counterpart `specfact-cli#241`; runtime inputs from `#164` and `#165`; policy semantics from `#158` |
 | docs + validation | 15 | docs-15-code-review-validation-guardrails | [#202](https://github.com/nold-ai/specfact-cli-modules/issues/202) | Parent Feature: [#163](https://github.com/nold-ai/specfact-cli-modules/issues/163); Parent Epic: [#162](https://github.com/nold-ai/specfact-cli-modules/issues/162); no known blockers |
 
+### Five-pillar governance and enterprise runtime companions
+
+These changes are the modules-side runtime companions to the five-pillar governance wave in `specfact-cli`. Core remains authoritative for schemas, scoring, resolution semantics, and shared report contracts; this repo owns the runnable bundle packages, manifests, and packaged tool integrations.
+
+| Module | Order | Change folder | GitHub # | Blocked by |
+|--------|-------|---------------|----------|------------|
+| telemetry + finops | 01 | finops-01-module-cost-outcome | [#223](https://github.com/nold-ai/specfact-cli-modules/issues/223) | Parent Epic: [#216](https://github.com/nold-ai/specfact-cli-modules/issues/216); Parent Feature: [#220](https://github.com/nold-ai/specfact-cli-modules/issues/220); core umbrella [specfact-cli#511](https://github.com/nold-ai/specfact-cli/issues/511); paired core changes `telemetry-01-opentelemetry-default-on` and `finops-01-telemetry-and-outcomes` |
+| knowledge | 02 | knowledge-01-module-memory-runtime | [#224](https://github.com/nold-ai/specfact-cli-modules/issues/224) | Parent Epic: [#216](https://github.com/nold-ai/specfact-cli-modules/issues/216); Parent Feature: [#221](https://github.com/nold-ai/specfact-cli-modules/issues/221); core umbrella [specfact-cli#511](https://github.com/nold-ai/specfact-cli/issues/511); paired core change `knowledge-01-distillation-engine`; uses default markdown-graph runtime |
+| review | 03 | review-resiliency-01-module | [#226](https://github.com/nold-ai/specfact-cli-modules/issues/226) | Parent Epic: [#216](https://github.com/nold-ai/specfact-cli-modules/issues/216); Parent Feature: [#217](https://github.com/nold-ai/specfact-cli-modules/issues/217); core umbrella [specfact-cli#511](https://github.com/nold-ai/specfact-cli/issues/511); paired core change `review-resiliency-01-contracts`; optional evidence hooks depend on `knowledge-01-module-memory-runtime` |
+| security | 03 | security-01-module-sast-sca-secret | [#227](https://github.com/nold-ai/specfact-cli-modules/issues/227) | Parent Epic: [#216](https://github.com/nold-ai/specfact-cli-modules/issues/216); Parent Feature: [#218](https://github.com/nold-ai/specfact-cli-modules/issues/218); core umbrella [specfact-cli#511](https://github.com/nold-ai/specfact-cli/issues/511); paired core change `security-01-unified-findings-model`; shared policy semantics from `policy-02-packs-and-modes` |
+| architecture | 03 | architecture-02-module-well-architected | [#230](https://github.com/nold-ai/specfact-cli-modules/issues/230) | Parent Epic: [#216](https://github.com/nold-ai/specfact-cli-modules/issues/216); Parent Feature: [#219](https://github.com/nold-ai/specfact-cli-modules/issues/219); core umbrella [specfact-cli#511](https://github.com/nold-ai/specfact-cli/issues/511); paired core change `architecture-02-well-architected-review`; boundary rules align with `ALLOWED_IMPORTS.md` |
+| security | 04 | security-02-module-license-compliance | [#228](https://github.com/nold-ai/specfact-cli-modules/issues/228) | Parent Epic: [#216](https://github.com/nold-ai/specfact-cli-modules/issues/216); Parent Feature: [#218](https://github.com/nold-ai/specfact-cli-modules/issues/218); core umbrella [specfact-cli#511](https://github.com/nold-ai/specfact-cli/issues/511); `security-01-module-sast-sca-secret`; paired core changes `security-01-unified-findings-model` and shared policy semantics |
+| security | 05 | security-03-module-pii-gdpr-eu | [#229](https://github.com/nold-ai/specfact-cli-modules/issues/229) | Parent Epic: [#216](https://github.com/nold-ai/specfact-cli-modules/issues/216); Parent Feature: [#218](https://github.com/nold-ai/specfact-cli-modules/issues/218); core umbrella [specfact-cli#511](https://github.com/nold-ai/specfact-cli/issues/511); `security-01-module-sast-sca-secret`; paired core changes `security-01-unified-findings-model` and `security-02-eu-gdpr-baseline` |
+| knowledge | 06 | knowledge-02-module-writeback | [#225](https://github.com/nold-ai/specfact-cli-modules/issues/225) | Parent Epic: [#216](https://github.com/nold-ai/specfact-cli-modules/issues/216); Parent Feature: [#221](https://github.com/nold-ai/specfact-cli-modules/issues/221); core umbrella [specfact-cli#511](https://github.com/nold-ai/specfact-cli/issues/511); `knowledge-01-module-memory-runtime`; paired core change `knowledge-02-preflight-context-assembly` |
+| enterprise | 09 | enterprise-01-module-policy-client | [#231](https://github.com/nold-ai/specfact-cli-modules/issues/231) | Parent Epic: [#216](https://github.com/nold-ai/specfact-cli-modules/issues/216); Parent Feature: [#222](https://github.com/nold-ai/specfact-cli-modules/issues/222); core umbrella [specfact-cli#511](https://github.com/nold-ai/specfact-cli/issues/511); paired core change `enterprise-01-policy-resolution-extension`; depends on prior five-pillar runtime bundles being available for policy application targets |
+| enterprise | 10 | enterprise-02-module-audit-client | [#232](https://github.com/nold-ai/specfact-cli-modules/issues/232) | Parent Epic: [#216](https://github.com/nold-ai/specfact-cli-modules/issues/216); Parent Feature: [#222](https://github.com/nold-ai/specfact-cli-modules/issues/222); core umbrella [specfact-cli#511](https://github.com/nold-ai/specfact-cli/issues/511); `enterprise-01-module-policy-client`; paired core change `enterprise-02-rbac-and-audit-trail` |
+
 ### Code review and sidecar validation improvements
 
 | Module | Order | Change folder | GitHub # | Blocked by |
 |--------|-------|---------------|----------|------------|
 | code-review + codebase | 01 | code-review-bug-finding-and-sidecar-venv-fix | [#174](https://github.com/nold-ai/specfact-cli-modules/issues/174) | Parent Feature: [#175](https://github.com/nold-ai/specfact-cli-modules/issues/175); Epic: [#162](https://github.com/nold-ai/specfact-cli-modules/issues/162) |
+| codebase + project-runtime | 02 | codebase-import-runtime-hardening | [#235](https://github.com/nold-ai/specfact-cli-modules/issues/235) | Parent Feature: [#234](https://github.com/nold-ai/specfact-cli-modules/issues/234); Epic: [#162](https://github.com/nold-ai/specfact-cli-modules/issues/162); no known blockers |
 
 ### Module trust chain and CI security
 
@@ -108,4 +126,4 @@ These changes are the modules-side runtime companions to split core governance a
 
 | Module | Order | Change folder | GitHub # | Blocked by |
 |--------|-------|---------------|----------|------------|
-| peer-deps | 01 | ✅ module-bundle-deps-auto-install (archived 2026-04-05) | [#135](https://github.com/nold-ai/specfact-cli-modules/issues/135) | — |
+| peer-deps | 01 | ✅ module-bundle-deps-auto-install (archived 2026-04-05) | [#135](https://github.com/nold-ai/specfact-cli-modules/issues/135) | — |

openspec/changes/architecture-02-module-well-architected/.openspec.yaml

@@ -0,0 +1,2 @@
+schema: spec-driven
+created: 2026-04-19