rookiestar28
diff --git a/‎.github/workflows/outbound-safety.yml‎
Lines changed: 42 additions & 0 deletions b/‎.github/workflows/outbound-safety.yml‎
Lines changed: 42 additions & 0 deletions
diff --git a/‎.github/workflows/phase2-release-gate.yml‎
Lines changed: 182 additions & 0 deletions b/‎.github/workflows/phase2-release-gate.yml‎
Lines changed: 182 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 26 additions & 0 deletions b/‎README.md‎
Lines changed: 26 additions & 0 deletions
diff --git a/‎ROADMAP.md‎
Lines changed: 8 additions & 5 deletions b/‎ROADMAP.md‎
Lines changed: 8 additions & 5 deletions
@@ -0,0 +1,42 @@
+name: Outbound Safety Check
+
+on:
+  push:
+    branches:
+      - main
+      - dev
+    paths:
+      - '**/*.py'
+      - 'scripts/check_outbound_safety.py'
+      - '.github/workflows/outbound-safety.yml'
+  pull_request:
+    paths:
+      - '**/*.py'
+      - 'scripts/check_outbound_safety.py'
+  workflow_dispatch:
+
+jobs:
+  outbound-safety:
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.10'
+
+      - name: Run outbound safety check
+        run: |
+          python scripts/check_outbound_safety.py
+
+      - name: Summary
+        if: success()
+        run: |
+          echo "✅ Outbound safety check passed!"
+          echo "- No raw context fields in outbound payloads"
+          echo "- All POST requests use sanitize_outbound_payload()"
+          echo "- No dangerous fallback patterns detected"
@@ -0,0 +1,182 @@
+name: Phase 2 Release Gate
+
+on:
+  push:
+    branches:
+      - main
+      - dev
+      - 'release/**'
+    paths:
+      # Trigger on Phase 2 critical files
+      - 'pipeline/**/*.py'
+      - 'sanitizer.py'
+      - 'outbound.py'
+      - 'config.py'
+      - '__init__.py'
+      - 'tests/test_plugins_security.py'
+      - 'tests/test_metadata_contract.py'
+      - 'tests/test_pipeline_dependency_policy.py'
+      - 'tests/test_outbound_payload_safety.py'
+      - 'web/**/*.js'
+      - 'tests/e2e/**/*.js'
+      - '.github/workflows/phase2-release-gate.yml'
+  pull_request:
+    branches:
+      - main
+      - dev
+    paths:
+      - 'pipeline/**/*.py'
+      - 'sanitizer.py'
+      - 'outbound.py'
+      - 'config.py'
+      - '__init__.py'
+      - 'tests/test_plugins_security.py'
+      - 'tests/test_metadata_contract.py'
+      - 'tests/test_pipeline_dependency_policy.py'
+      - 'tests/test_outbound_payload_safety.py'
+      - 'web/**/*.js'
+      - 'tests/e2e/**/*.js'
+      - '.github/workflows/phase2-release-gate.yml'
+  workflow_dispatch:
+
+jobs:
+  phase2-python-gate:
+    name: Phase 2 Python Security & Contract Tests
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Python 3.10
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.10'
+          cache: 'pip'
+          cache-dependency-path: |
+            pyproject.toml
+            pytest.ini
+
+      - name: Install dependencies
+        run: |
+          pip install pytest jsonschema
+
+      - name: Run Plugin Security Suite
+        run: |
+          pytest -q tests/test_plugins_security.py --tb=short
+        timeout-minutes: 2
+
+      - name: Run Metadata Contract Suite
+        run: |
+          pytest -q tests/test_metadata_contract.py --tb=short
+        timeout-minutes: 1
+
+      - name: Run Dependency Policy Suite
+        run: |
+          pytest -q tests/test_pipeline_dependency_policy.py --tb=short
+        timeout-minutes: 1
+
+      - name: Run Outbound Payload Safety Suite
+        run: |
+          pytest -q tests/test_outbound_payload_safety.py --tb=short
+        timeout-minutes: 1
+
+      - name: Summary
+        if: success()
+        run: |
+          echo "✅ Phase 2 Python Gate Passed"
+          echo "- Plugin security: PASS"
+          echo "- Metadata contract: PASS"
+          echo "- Dependency policy: PASS"
+          echo "- Outbound payload safety: PASS"
+
+  phase2-e2e-gate:
+    name: Phase 2 E2E Regression Tests
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Node.js 18
+        uses: actions/setup-node@v4
+        with:
+          node-version: '18'
+          cache: 'npm'
+
+      - name: Set up Python 3.10 (for HTTP server)
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.10'
+
+      - name: Install npm dependencies
+        run: npm ci
+
+      - name: Install Playwright browsers
+        run: npx playwright install chromium --with-deps
+
+      - name: Run E2E tests
+        run: npm test
+        env:
+          CI: true
+        timeout-minutes: 8
+
+      - name: Upload test results
+        if: failure()
+        uses: actions/upload-artifact@v4
+        with:
+          name: playwright-report
+          path: playwright-report/
+          retention-days: 7
+
+      - name: Upload screenshots on failure
+        if: failure()
+        uses: actions/upload-artifact@v4
+        with:
+          name: playwright-screenshots
+          path: test-results/
+          retention-days: 7
+
+      - name: Summary
+        if: success()
+        run: |
+          echo "✅ Phase 2 E2E Gate Passed"
+          echo "- Preact loader: PASS"
+          echo "- Settings UI: PASS"
+          echo "- Statistics UI: PASS"
+          echo "- Sidebar UI: PASS"
+
+  phase2-gate-complete:
+    name: Phase 2 Gate Complete
+    runs-on: ubuntu-latest
+    needs: [phase2-python-gate, phase2-e2e-gate]
+    if: always()
+
+    steps:
+      - name: Check gate status
+        run: |
+          if [[ "${{ needs.phase2-python-gate.result }}" == "success" ]] && [[ "${{ needs.phase2-e2e-gate.result }}" == "success" ]]; then
+            echo "✅ Phase 2 Release Gate: ALL CHECKS PASSED"
+            echo ""
+            echo "Security & Governance:"
+            echo "  ✅ Plugin security (10 tests)"
+            echo "  ✅ Metadata contract (1 test)"
+            echo "  ✅ Dependency policy (2 tests)"
+            echo "  ✅ Outbound payload safety (4 tests)"
+            echo ""
+            echo "Frontend Regression:"
+            echo "  ✅ E2E tests (61 tests)"
+            echo ""
+            echo "This change is safe to merge."
+            exit 0
+          else
+            echo "❌ Phase 2 Release Gate: FAILED"
+            echo ""
+            echo "Python Gate: ${{ needs.phase2-python-gate.result }}"
+            echo "E2E Gate: ${{ needs.phase2-e2e-gate.result }}"
+            echo ""
+            echo "Please fix the failing checks before merging."
+            exit 1
+          fi
@@ -767,6 +767,32 @@ And more...
 
 ---
 
+## Phase 2 Release Gate
+
+Before merging Phase 2 changes (pipeline, security, plugin hardening), all code must pass the **Phase 2 Release Gate**.
+
+### Required Checks
+
+- **Plugin security suite** (10 tests) - Allowlist, trust states, DoS limits
+- **Metadata contract suite** (1 test) - Schema validation
+- **Dependency policy suite** (2 tests) - Requires/provides enforcement
+- **Outbound payload safety suite** (4 tests) - Sanitization funnel
+- **E2E regression suite** (61 tests) - UI stability
+
+### Run Locally
+
+```bash
+# Full gate (Python + E2E)
+python scripts/phase2_gate.py
+
+# Fast mode (Python only, < 2 minutes)
+python scripts/phase2_gate.py --fast
+```
+
+**CI Status**: The gate runs automatically on push/PR to `main` and `dev` branches.
+
+---
+
 ## Tips
 
 1. **Pair with ComfyUI Manager**: Install missing custom nodes automatically
 
@@ -419,11 +419,12 @@ graph TD
   - **Foundation for**: v2.0 advanced chat features, v3.0 multi-workspace features
   - **Design Reference**: See `.planning/ComfyUI-Doctor Architecture In-Depth Analysis and Optimization Blueprint.md`
 - [ ] **A5**: Create `LLMProvider` Protocol for unified LLM interface - 🟡 Medium ⚠️ *Use dev branch*
-- [ ] **A8**: Plugin Migration Tooling (Plan 6.3) - 🟡 Medium
+- [x] **A8**: Plugin Migration Tooling (Plan 6.3) - 🟡 Medium ✅ *Completed (2026-01-09)*
   - **Goal**: Reduce configuration friction for safe-by-default plugin policy (manifest + allowlist helpers; optional HMAC signer).
-  - **Deliverables**: `scripts/plugin_manifest.py`, `scripts/plugin_allowlist.py`, optional `scripts/plugin_hmac_sign.py`
+  - **Deliverables**: `scripts/plugin_manifest.py`, `scripts/plugin_allowlist.py`, `scripts/plugin_validator.py`, optional `scripts/plugin_hmac_sign.py`
   - **Acceptance**: Generate valid manifests + allowlist snippet in one command; safe defaults (`--dry-run`); never prints/writes secret keys.
   - **Plan Update Record**: `.planning/260109-PHASE2_CI_GATE_AND_MIGRATION_TOOLING_PLAN_UPDATE_RECORD.md`
+  - **Implementation Record**: `.planning/260109-T11_T12_A8_IMPLEMENTATION_RECORD.md`
 - [ ] **A4**: Convert `NodeContext` to `@dataclass(frozen=True)` + validation - 🟡 Medium ⚠️ *Use dev branch*
 - [x] **A1**: Add `py.typed` marker + mypy config in pyproject.toml - 🟢 Low ✅ *Completed (Phase 3A)*
 - [x] **A2**: Integrate ruff linter (replace flake8/isort) - 🟢 Low ✅ *Completed (Phase 3A)*
@@ -433,17 +434,19 @@ graph TD
 
 *Sorted by priority (High → Low), then by item number:*
 
-- [ ] **T11**: Phase 2 Release Readiness CI Gate (Plan 6.1) - 🔴 High
+- [x] **T11**: Phase 2 Release Readiness CI Gate (Plan 6.1) - 🔴 High ✅ *Completed (2026-01-09)*
   - **Goal**: Make Phase 2 hardening non-regressable (required checks before merge/release).
   - **Gate**: `pytest -q tests/test_plugins_security.py`, `tests/test_metadata_contract.py`, `tests/test_pipeline_dependency_policy.py`, `tests/test_outbound_payload_safety.py`, plus `npm test`.
   - **Acceptance**: Branch protection requires the gate; stable runtime (< ~3 minutes typical).
   - **Plan Update Record**: `.planning/260109-PHASE2_CI_GATE_AND_MIGRATION_TOOLING_PLAN_UPDATE_RECORD.md`
+  - **Implementation Record**: `.planning/260109-T11_T12_A8_IMPLEMENTATION_RECORD.md`
 
-- [ ] **T12**: Outbound Funnel Static CI Gate (Plan 6.2) - 🟡 Medium
+- [x] **T12**: Outbound Funnel Static CI Gate (Plan 6.2) - 🟡 Medium ✅ *Completed (2026-01-09)*
   - **Goal**: Fail CI if new outbound call paths bypass `outbound.py` / `sanitize_outbound_payload(...)`.
-  - **Approach**: Grep guard (fast) or AST scan (precise) to detect suspicious raw-field usage outside `outbound.py`.
+  - **Approach**: AST-based checker (`scripts/check_outbound_safety.py`) + CI workflow (`.github/workflows/outbound-safety.yml`) + tests (`tests/test_outbound_safety_gate.py`) + docs (`docs/OUTBOUND_SAFETY.md`).
   - **Acceptance**: CI fails on bypass attempts; low false-positive rate.
   - **Plan Update Record**: `.planning/260109-PHASE2_CI_GATE_AND_MIGRATION_TOOLING_PLAN_UPDATE_RECORD.md`
+  - **Implementation Record**: `.planning/260109-T11_T12_A8_IMPLEMENTATION_RECORD.md`
 
 - [x] **T8**: Pattern Validation CI - 🟡 Medium ✅ *Completed (2026-01-03)*
   - **Problem**: Pattern format errors and i18n gaps can break the system