Initialize repository snapshot

.gitlab-ci.yml

@@ -0,0 +1,130 @@
+stages:
+  - build
+  - test
+  - lint
+
+variables:
+  CARGO_HOME: $CI_PROJECT_DIR/.cargo
+
+# Ensure receipts directories exist (tests may write into them)
+before_script:
+  - mkdir -p receipts/guardian receipts/treasury receipts/offsec receipts/automation receipts/mcp receipts/mesh
+
+# Rust build job
+rust-build:
+  stage: build
+  image: rust:1.75
+  script:
+    - cargo build --workspace --locked
+  cache:
+    key: cargo-$CI_COMMIT_REF_SLUG
+    paths:
+      - target/
+      - .cargo/registry/
+
+# Sentinel contract parity + testvectors (required gate)
+sentinel-contracts:
+  stage: test
+  image: python:3.11
+  before_script:
+    - pip install -q blake3
+  script:
+    - python3 tools/check_sentinel_contract_parity.py
+    - bash tools/run_sentinel_testvectors.sh
+
+# MERIDIAN v1 conformance suite (offline, deterministic, build-blocking)
+meridian-v1-conformance:
+  stage: test
+  image: python:3.11
+  before_script:
+    - pip install -q blake3
+  script:
+    - bash MERIDIAN_V1_CONFORMANCE_TEST_SUITE/run.sh
+
+# OpenCode plugin smoke (one PASS + one FAIL)
+sentinel-opencode-smoke:
+  stage: test
+  image: node:20-bullseye
+  before_script:
+    - apt-get update && apt-get install -y python3 python3-pip >/dev/null
+    - pip3 install -q blake3
+    - npm install -g opencode-ai@1.0.166
+    - npm install --prefix .opencode
+    - export VAULTMESH_WORKSPACE_ROOT="$CI_PROJECT_DIR"
+    - export VAULTMESH_SENTINEL_VERIFIER="$CI_PROJECT_DIR/tools/vm_verify_sentinel_bundle.py"
+  script:
+    - opencode run --format json --command sentinelVerifyBundle --worktree "$CI_PROJECT_DIR" --directory "$CI_PROJECT_DIR" --tool-args '{"bundlePath":"testvectors/sentinel/black-box-that-refused","strict":true}'
+    - opencode run --format json --command sentinelVerifyBundle --worktree "$CI_PROJECT_DIR" --directory "$CI_PROJECT_DIR" --tool-args '{"bundlePath":"testvectors/sentinel/integrity-size-mismatch","strict":true}'
+
+# Rust test job
+rust-test:
+  stage: test
+  image: rust:1.75
+  script:
+    - cargo test --workspace --locked
+  cache:
+    key: cargo-$CI_COMMIT_REF_SLUG
+    paths:
+      - target/
+      - .cargo/registry/
+
+# Rust lint job (format + clippy)
+rust-lint:
+  stage: lint
+  image: rust:1.75
+  script:
+    - rustup component add clippy rustfmt
+    - cargo fmt --check
+    - cargo clippy --workspace -- -D warnings
+  allow_failure: true
+  cache:
+    key: cargo-$CI_COMMIT_REF_SLUG
+    paths:
+      - target/
+      - .cargo/registry/
+
+# Python CLI tests (when pytest available)
+python-test:
+  stage: test
+  image: python:3.11
+  before_script:
+    - pip install -q blake3 click pynacl pytest
+  script:
+    - python -m pytest -q cli/ tests/ 2>/dev/null || echo "No Python tests yet"
+  allow_failure: true
+
+# Observability exporter smoke test
+observability-smoke:
+  stage: test
+  image: rust:1.75
+  script:
+    - cargo test -p vaultmesh-observability --tests -- --nocapture
+  cache:
+    key: cargo-$CI_COMMIT_REF_SLUG
+    paths:
+      - target/
+      - .cargo/registry/
+
+# Guardian metrics integration test (requires --features metrics)
+guardian-metrics-integration:
+  stage: test
+  image: rust:1.75
+  script:
+    - cargo test -p vaultmesh-guardian --features metrics --test metrics_integration -- --nocapture
+  cache:
+    key: cargo-$CI_COMMIT_REF_SLUG
+    paths:
+      - target/
+      - .cargo/registry/
+
+# Mesh metrics integration test (requires --features metrics)
+mesh-metrics-integration:
+  stage: test
+  image: rust:1.75
+  script:
+    - cargo test -p vaultmesh-mesh --features metrics --test metrics_integration -- --nocapture
+  cache:
+    key: cargo-$CI_COMMIT_REF_SLUG
+    paths:
+      - target/
+      - .cargo/registry/