netkeep80 · netkeep80 · May 12, 2026 · May 12, 2026 · May 12, 2026 · May 12, 2026
@@ -0,0 +1,6 @@
+# Governance ownership for the library-size and policy-delta gate.
+# Edits to these paths require maintainer review and are tracked by
+# repo-guard's trusted policy boundary.
+/repo-policy.json @netkeep80
+/.github/workflows/repo-guard.yml @netkeep80
+/.github/CODEOWNERS @netkeep80
@@ -15,7 +15,7 @@ permissions:
 
 jobs:
   policy-check:
-    name: repo-guard advisory check
+    name: repo-guard blocking check
     runs-on: ubuntu-latest
     if: github.event_name == 'pull_request' && !github.event.pull_request.draft
     steps:
@@ -25,10 +25,10 @@ jobs:
 
       - name: Run repo-guard
         id: repo_guard
-        uses: netkeep80/repo-guard@6c81bb1050c7dca93de1a13108e0a024fe095298
+        uses: netkeep80/repo-guard@b1b6756639092bbd4ff6a473aeaa637a63475a86
         with:
           mode: check-pr
-          enforcement: advisory
+          enforcement: blocking
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 

diff --git a/docs/index.md b/docs/index.md
@@ -10,7 +10,7 @@ Single entry point for PMM documentation. The canonical set below must match
 | [PMM Target Model](pmm_target_model.md) | Normative top-level model: PMM as compact persistent storage kernel; boundary vs `pjson` / `pjson_db` / execution / product layers |
 | [PMM Transformation Rules](pmm_transformation_rules.md) | Normative operational rulebook: allowed issue types, atomic-issue / no-mixed-PR / extraction-first / surface-compression rules, PR review semantics |
 | [Comment Policy](comment_policy.md) | Canonical text discipline for comments, docs placement, and text-surface review |
-| [BlockHeader Semantics](block_and_treenode_semantics.md) | Field-level specification of the single physical [BlockHeader](../include/pmm/block_header.h#pmm-blockheader) layout (`Block<AT>` is a type alias for `BlockHeader<AT>`) |
+| [BlockHeader Semantics](block_and_treenode_semantics.md) | Field-level specification of the single physical `BlockHeader` layout (`Block<AT>` is a type alias for `BlockHeader<AT>`) |
 | [Architecture](architecture.md) | Layer stack, memory layout, algorithms, storage backends, configuration |
 | [API Reference](api_reference.md) | Complete public API: lifecycle, allocation, containers, I/O, error codes |
 | [Validation Model](validation_model.md) | Low-level pointer and block validation: cheap vs full modes, conversion paths, error categories |

@@ -2,7 +2,7 @@
   "policy_format_version": "0.3.0",
   "repository_kind": "library",
   "enforcement": {
-    "mode": "advisory"
+    "mode": "blocking"
   },
   "paths": {
     "forbidden": [
@@ -33,6 +33,7 @@
     "governance_paths": [
       "repo-policy.json",
       "CONTRIBUTING.md",
+      ".github/CODEOWNERS",
       ".github/workflows/repo-guard.yml",
       ".github/workflows/docs-consistency.yml",
       ".github/PULL_REQUEST_TEMPLATE.md",

diff --git a/scripts/check-repo-guard-rollout.sh b/scripts/check-repo-guard-rollout.sh
@@ -22,11 +22,12 @@ workflow = workflow_path.read_text(encoding="utf-8")
 policy = json.loads(policy_path.read_text(encoding="utf-8"))
 issue_template = issue_template_path.read_text(encoding="utf-8")
 pr_template = pr_template_path.read_text(encoding="utf-8")
-expected_action_ref = "6c81bb1050c7dca93de1a13108e0a024fe095298"
+expected_action_ref = "b1b6756639092bbd4ff6a473aeaa637a63475a86"
 expected_action = f"netkeep80/repo-guard@{expected_action_ref}"
 old_action_refs = {
     "7ab5ca2f2d9859b4ffa2c423f05e951d4971be84",
     "99bf716da62c5d01070aa0d7e4d4f8031b43a351",
+    "6c81bb1050c7dca93de1a13108e0a024fe095298",
 }
 expected_profiles = {
     "governance",
@@ -78,7 +79,8 @@ if action_refs:
 for old_action_ref in old_action_refs:
     require(old_action_ref not in workflow, f"repo-guard workflow must not use old Action pin {old_action_ref}")
 require("mode: check-pr" in workflow, "repo-guard workflow must run check-pr mode")
-require("enforcement: advisory" in workflow, "repo-guard workflow must remain advisory in this stage")
+require("enforcement: blocking" in workflow, "repo-guard workflow must enforce policy in blocking mode")
+require("enforcement: advisory" not in workflow, "repo-guard workflow must not run in advisory mode")
 require("fetch-depth: 0" in workflow, "repo-guard workflow must use full checkout history")
 require("contents: read" in workflow, "repo-guard workflow must keep contents read-only permission")
 require("issues: read" in workflow, "repo-guard workflow must keep issues read-only permission")
@@ -94,7 +96,7 @@ for forbidden in (
     require(forbidden not in workflow, f"repo-guard workflow must not use legacy manual integration pattern: {forbidden}")
 
 policy_mode = policy.get("enforcement", {}).get("mode")
-require(policy_mode == "advisory", "repo-policy.json must default to advisory enforcement")
+require(policy_mode == "blocking", "repo-policy.json must enforce policy in blocking mode")
 
 for removed in ("change_classes", "new_file_rules", "change_type_rules"):
     require(removed not in policy, f"repo-policy.json must not use legacy {removed}")