spec-005: production readiness — real pins, zero placeholders, cross-firewall scaffolding

.github/workflows/drift-check.yml

@@ -0,0 +1,28 @@
+name: drift-check
+
+# Weekly refetch of pinned AMD ARK / Intel DCAP / Sigstore Rekor values
+# from upstream. Opens a repository issue on mismatch. Per spec 005 FR-011a.
+
+on:
+  schedule:
+    - cron: "0 3 * * 1"
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  issues: write
+
+jobs:
+  drift-check:
+    name: drift-check
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install system tools
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y openssl python3 curl jq gh
+
+      - name: Run drift check
+        run: bash scripts/drift-check.sh --open-issue

.github/workflows/verify-no-placeholders.yml

@@ -0,0 +1,28 @@
+name: verify-no-placeholders
+
+# Hard-block CI check for spec 005 (FR-038, SC-006).
+# Runs on every PR and push. On the 005 branch and on merges to main,
+# additionally enforces that .placeholder-allowlist is empty (spec-005
+# completion gate).
+
+on:
+  push:
+    branches: [main, "005-production-readiness"]
+  pull_request:
+  workflow_dispatch:
+
+jobs:
+  verify:
+    name: verify-no-placeholders
+    runs-on: ubuntu-latest
+    env:
+      GIT_REF: ${{ github.ref }}
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Run placeholder scan
+        run: bash scripts/verify-no-placeholders.sh
+
+      - name: Enforce empty allowlist (spec-005 completion gate)
+        if: env.GIT_REF == 'refs/heads/main' || env.GIT_REF == 'refs/heads/005-production-readiness'
+        run: bash scripts/verify-no-placeholders.sh --check-empty

.gitignore

@@ -26,3 +26,9 @@ Thumbs.db
 # Evidence artifacts (generated, not committed)
 evidence/
 .credentials
+
+# Private notes folder (personal workspace - per CLAUDE.md global instructions)
+notes/
+
+# Credentials file (never commit)
+.credentials