feat: add recommendation pipeline contract

.gitea/workflows/ci.yaml

@@ -38,6 +38,12 @@ jobs:
       - name: Checkout
         uses: https://192.168.178.233/actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
+      - name: Validate CI workflow policy
+        run: bash scripts/check-ci-workflow-policy.sh
+
+      - name: Validate recommendation contract gate
+        run: bash scripts/check-recommendation-contract.sh
+
       - name: Lint GitHub Actions workflows
         uses: rhysd/actionlint@914e7df21a07ef503a81201c76d2b11c789d3fca # v1.7.12
 

.github/scripts/fop-local-ci.sh

@@ -537,6 +537,7 @@ post_commit_status "pending" "fop local ${profile} running"
 
 run_direct "working tree whitespace" "git diff --check"
 run_direct "ui polish contract" "scripts/tests/test-ui-polish-contract.sh"
+run_direct "recommendation contract gate" "bash scripts/check-recommendation-contract.sh"
 run_direct "legal-readiness wording contract" "scripts/tests/test-legal-readiness-wording.sh"
 run_direct "legal/module OpenAPI contract" "scripts/tests/test-legal-openapi-contract.sh"
 

.github/workflows/ci.yml

@@ -44,6 +44,9 @@
       - name: Validate CI workflow policy
         run: bash scripts/check-ci-workflow-policy.sh
 
+      - name: Validate recommendation contract gate
+        run: bash scripts/check-recommendation-contract.sh
+
       - name: Validate Fly config
         run: python3 -c "import pathlib, tomllib; tomllib.loads(pathlib.Path('fly.toml').read_text())"
 
@@ -151,7 +154,7 @@
               # variable references substituted by gh -F flags, not shell vars.
               status="$(
                 gh api graphql \
                   -f query='query($oid:GitObjectID!,$owner:String!,$name:String!){repository(owner:$owner,name:$name){object(oid:$oid){...on Commit{statusCheckRollup{contexts(first:50){nodes{...on StatusContext{context state}}}}}}}}' \
                   -F oid="${SHA}" -F owner="$(echo "${REPO}" | cut -d/ -f1)" -F name="$(echo "${REPO}" | cut -d/ -f2)" \
                   --jq '.data.repository.object.statusCheckRollup.contexts.nodes[]? | select(.context == "'"${CONTEXT}"'") | .state' 2>/dev/null \
                   | head -n 1 \

.github/workflows/security.yml

@@ -165,11 +165,11 @@ jobs:
     # Audit-mode: surface findings as informational; do NOT fail the gate yet.
     # Promote findings to errors once the workflow inventory has been triaged.
     continue-on-error: true
-    env:
-      ZIZMOR_VERSION: "1.24.1"
     permissions:
       contents: read         # checkout source for the SAST scan
       security-events: write # upload Zizmor SARIF results to GitHub Security tab
+    env:
+      ZIZMOR_VERSION: "1.24.1"
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:

Makefile

@@ -146,6 +146,7 @@ script-tests:
 	bash scripts/check-ci-workflow-policy.sh
 	bash scripts/tests/test-drift-scripts.sh
 	bash scripts/tests/test-ui-polish-contract.sh
+	bash scripts/check-recommendation-contract.sh
 	bash scripts/tests/test-devcontainer-contract.sh
 	bash scripts/tests/test-fop-local-ci-ergonomics.sh
 	bash scripts/tests/test-fop-local-ci-failure-trap.sh