KooshaPari · KooshaPari · Jun 5, 2026 · Jun 5, 2026 · Jun 5, 2026 · Jun 5, 2026
diff --git a/.claude/worktrees/agent-a000e7f64ef518c90 b/.claude/worktrees/agent-a000e7f64ef518c90
diff --git a/.claude/worktrees/agent-af4a36eeef58e5fdb b/.claude/worktrees/agent-af4a36eeef58e5fdb
diff --git a/.editorconfig b/.editorconfig
@@ -1,7 +1,7 @@
 root = true
 
 [*]
-indent_style = space
+indent_style = tab
 indent_size = 2
 end_of_line = lf
 charset = utf-8

diff --git a/.github/workflows/cargo-audit.yml b/.github/workflows/cargo-audit.yml
@@ -2,6 +2,10 @@ name: cargo-audit
 permissions:
   contents: read
   pull-requests: read
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 on:
   push:
     branches: [main]
@@ -15,7 +19,7 @@ jobs:
   audit:
     runs-on: ubuntu-24.04
     steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.1.1
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v4@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.1.1
       - uses: rustsec/audit-check@v2
         with:
-          token: ${{ secrets.GITHUB_TOKEN }}
+          token: ${{ github.token }}
diff --git a/.github/workflows/cargo-deny.yml b/.github/workflows/cargo-deny.yml
@@ -2,6 +2,10 @@ name: cargo-deny
 permissions:
   contents: read
   pull-requests: read
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 
 on:
   workflow_dispatch:
@@ -23,7 +27,7 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v4
 
       - name: Install Rust toolchain
         uses: dtolnay/rust-toolchain@stable

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -2,6 +2,10 @@ name: CI
 permissions:
   contents: read
   pull-requests: read
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 on: [push, pull_request]
 jobs:
   test:
@@ -10,5 +14,9 @@ jobs:
       - uses: actions/checkout@v4
       - uses: dtolnay/rust-toolchain@stable
       - uses: Swatinem/rust-cache@v2
+      - name: Clone sibling PhenoObservability
+        run: |
+          git clone --depth 1 https://github.com/KooshaPari/PhenoObservability.git \
+            "$GITHUB_WORKSPACE/../PhenoObservability"
       - run: cargo test --all-features --workspace
       - run: cargo clippy --all-features -- -D warnings 2>/dev/null || cargo check
diff --git a/.github/workflows/journey-gate.yml b/.github/workflows/journey-gate.yml
@@ -2,6 +2,10 @@
 permissions:
   contents: read
   pull-requests: read
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 # Journey Gate — Reusable Workflow
 # =============================================================================
 # Canonical source: phenotype-infra/docs/governance/ci-journey-gate.yml
@@ -58,7 +62,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v4
 
       # ---------------------------------------------------------------------
       # 1. Install runtime dependencies

diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
@@ -1,34 +1,10 @@
-name: Scorecard
-
+name: OpenSSF Scorecard
 on:
   push:
-    branches: [main, master]
+    branches: [main]
   schedule:
-    - cron: "0 0 * * 0"
-
+    - cron: '17 3 * * 6'
 permissions: read-all
-
 jobs:
   scorecard:
-    name: Scorecard analysis
-    runs-on: ubuntu-24.04
-    permissions:
-      security-events: write
-      id-token: write
-      contents: read
-      actions: read
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
-        with:
-          persist-credentials: false
-      - name: Run Scorecard
-        uses: ossf/scorecard-action@v2.4.4
-        with:
-          results_file: results.sarif
-          results_format: sarif
-          publish_results: true
-      - name: Upload SARIF results
-        uses: github/codeql-action/upload-sarif@v3
-        with:
-          sarif_file: results.sarif
+    uses: KooshaPari/phenotype-shared/.github/workflows/reusable-scorecard.yml@72b9c6cbdb24c49189b0e7c7395d874830d1ed87
diff --git a/.github/workflows/trufflehog.yml b/.github/workflows/trufflehog.yml
@@ -1,20 +1,28 @@
-name: Trufflehog Secrets Scan
+name: TruffleHog Secrets Scan
 permissions:
   contents: read
   pull-requests: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 on:
   push:
     branches: [main]
   pull_request:
 
 jobs:
   trufflehog:
-    runs-on: ubuntu-24.04
+    name: TruffleHog scan
+    runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
         with:
           fetch-depth: 0
-      - uses: trufflehog/actions/setup@main
-      - run: trufflehog github --only-verified --no-update
-        env:
-          #
+      - uses: trufflesecurity/trufflehog@75add79b929b263dae147d2e5bcf0daf292165cf
+        with:
+          path: ./
+          base: ${{ github.event.repository.default_branch }}
+          head: HEAD
+          extra_args: --only-verified --fail --no-update
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -29,3 +29,15 @@ All submissions require review. Please ensure:
 - CI checks pass
 - Code is documented
 - Tests cover new functionality
+
+## Governance
+
+Project-wide rules live under `docs/governance/`. The canonical
+background-agent policy that this repository and sibling repos
+(such as `thegent` and `thegent-clean`) point at is:
+
+- [`docs/governance/background_agent_policy.md`](./docs/governance/background_agent_policy.md)
+
+When changing fleet composition, dispatch patterns, or
+failure-handling expectations, update that file in the same PR and
+reference the governance worklog entry.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -58,6 +58,7 @@ members = [
     "crates/connector-linear",
     "tests/e2e",
     "crates/focus-plugin-sdk",
+    "crates/phenotype-observably-macros",
 ]
 
 [workspace.package]
@@ -122,6 +123,13 @@ rand_core = "0.6"
 # MCP SDK
 mcp-sdk = "0.0.3"
 
+# Phenotype cross-cutting deps (vendored locally; replaces the
+# brittle ../../../PhenoObservability sibling path-dep that broke CI
+# under sparse-checkout cone-mode, and the git dep that fails because
+# PhenoObservability's submodule 'ObservabilityKit/python/pheno-logging'
+# has no URL configured).
+phenotype-observably-macros = { path = "crates/phenotype-observably-macros", version = "0.1.1" }
+
 # Platform-specific paths
 dirs = "5.0"
 

diff --git a/Justfile b/Justfile
@@ -0,0 +1,43 @@
+# Justfile — task runner for the FocalPoint project
+# See https://just.systems/man/en/
+
+set dotenv-load
+
+_default:
+    @just --list
+
+# Run all CI checks locally
+ci: fmt-check lint test build
+    @echo "✓ CI checks pass"
+
+# Format code
+fmt:
+    cargo fmt --all
+
+# Check formatting
+fmt-check:
+    cargo fmt --all -- --check
+
+# Lint
+lint:
+    cargo clippy --all-targets --all-features -- -D warnings
+
+# Run tests
+test:
+    cargo test --all-features
+
+# Build release
+build:
+    cargo build --release
+
+# Audit dependencies for security advisories
+audit:
+    cargo deny check advisories
+
+# Check licenses
+licenses:
+    cargo deny check licenses
+
+# Clean build artifacts
+clean:
+    cargo clean
diff --git a/STATUS.md b/STATUS.md
diff --git a/crates/connector-canvas/Cargo.toml b/crates/connector-canvas/Cargo.toml
@@ -28,7 +28,7 @@ tokio = { workspace = true }
 chrono = { workspace = true }
 uuid = { workspace = true }
 tracing = { workspace = true }
-phenotype-observably-macros = { path = "../../../PhenoObservability/crates/phenotype-observably-macros" }
+phenotype-observably-macros = { workspace = true }
 url = "2.5"
 
 [dev-dependencies]

diff --git a/crates/connector-gcal/Cargo.toml b/crates/connector-gcal/Cargo.toml
@@ -15,7 +15,7 @@ live-gcal = []
 focus-connectors = { path = "../focus-connectors" }
 focus-events = { path = "../focus-events" }
 focus-crypto = { path = "../focus-crypto", optional = true }
-phenotype-observably-macros = { path = "../../../PhenoObservability/crates/phenotype-observably-macros" }
+phenotype-observably-macros = { workspace = true }
 secrecy = { workspace = true, optional = true }
 serde = { workspace = true }
 serde_json = { workspace = true }

diff --git a/crates/connector-github/Cargo.toml b/crates/connector-github/Cargo.toml
@@ -24,7 +24,7 @@ tokio = { workspace = true }
 chrono = { workspace = true }
 uuid = { workspace = true }
 tracing = { workspace = true }
-phenotype-observably-macros = { path = "../../../PhenoObservability/crates/phenotype-observably-macros" }
+phenotype-observably-macros = { workspace = true }
 
 [dev-dependencies]
 wiremock = "0.6"

diff --git a/crates/connector-linear/Cargo.toml b/crates/connector-linear/Cargo.toml
@@ -31,7 +31,7 @@ async-trait.workspace = true
 tracing.workspace = true
 
 # Observability
-phenotype-observably-macros = { path = "../../../PhenoObservability/crates/phenotype-observably-macros" }
+phenotype-observably-macros = { workspace = true }
 
 [dev-dependencies]
 wiremock = "0.6"

diff --git a/crates/connector-notion/Cargo.toml b/crates/connector-notion/Cargo.toml
@@ -31,7 +31,7 @@ async-trait.workspace = true
 tracing.workspace = true
 
 # Observability
-phenotype-observably-macros = { path = "../../../PhenoObservability/crates/phenotype-observably-macros" }
+phenotype-observably-macros = { workspace = true }
 
 [dev-dependencies]
 wiremock = "0.6"