6 · Commit & freeze the vendor

TL;DR

Objective — earn the whole section: verify the frozen author/vX baseline from Create the project, push develop + the author branch + tag to the private remote, cut your working branch, and prove the seam is clean.

User part + done-when

👤 User part — none required beyond an optional glance at GitHub to confirm the branch + tag landed; every command here is agent-runnable once SSH is wired.

Done when develop is pushed with six AI commits (C1 pristine + C2–C6) after Verify & gate, the author/vX.X.X branch and author-vX.X.X tag exist on the remote, your working branch is checked out, and git log --all -- .env vendor/ returns nothing.  ·  ⏱ ~15 min  ·  🤖 agent-runnable.

Background

Create the project already created the pristine vendor baseline — the immutable snapshot you diff against at every vendor update. This page pushes that baseline; it does not re-commit vendor source mixed with AI files.

flowchart TD
  V["verify author-vX tag<br/>+ author/vX branch"] -->|missing| L["legacy: run Create the project<br/>baseline commit"]
  V -->|present| P["push develop +<br/>author branch + tag"]
  P --> W["git checkout -b<br/>Setup/Initial-Launch"]
  W --> S["seam check<br/>.env + vendor/"]

Steps

1. Verify the pristine baseline exists

1. Confirm the frozen branch, tag, and pristine import commit from AI System setup.

   git tag --list 'author-*'
   git branch --list 'author/*'
   git branch --show-current    # expect develop (or your working branch after Verify & gate)
   git log develop --oneline -6   # expect C1…C6 (pristine + five AI commits)
   git log author/v${VERSION} -1 --oneline 2>/dev/null || git log -1 --oneline
   # Expected: author-vX.X.X tag + author/vX.X.X branch; log shows pristine import message

   • ✅ author-v${VERSION} tag and author/v${VERSION} branch exist locally.

2. If either is missing — you skipped the baseline commit. Go back to Create the project · pristine baseline before continuing. Do not run a mixed git add . import here.

   • ✅ Baseline present — continue. If missing — stop and create it on Create the project only.

2. Safety-check before pushing

Never trust that .gitignore is perfect — prove it before anything hits the remote.

1. Scan the working tree for anything that must not be committed.

   git status | grep -E "vendor/|node_modules/|\.env$" && echo "STOP! Fix .gitignore!" || echo "Safe"
   git check-ignore -q _source/ && echo "_source ignored OK" || echo "FAIL: /_source/ must stay ignored"
   # Expected: "Safe" — no vendor/, node_modules/, or .env in the status

   • ✅ Prints Safe. If it prints STOP!, fix .gitignore before continuing.

Do not recreate the vendor import here

If you followed AI System setup, the first commit is already the pristine vendor tree. Commit & freeze never runs git commit for vendor import — that would duplicate or pollute the baseline story.

3. Push to the private remote

1. Add the remote and push develop, the author branch, and the tag.

   git remote add origin "$GITHUB_REPO" 2>/dev/null || git remote set-url origin "$GITHUB_REPO"
   git push -u origin develop
   git push origin "author/v${VERSION}" "author-v${VERSION}"
   # Expected: develop, author/vX.X.X, and author-vX.X.X all pushed to origin

   • ✅ On GitHub, the branches dropdown shows develop + author/vX.X.X, and Tags shows author-vX.X.X.

2. Enable signed-commit protection on the active branches. In GitHub, add branch rules for develop and main (or the eventual production branch) with Require signed commits enabled.

   • ✅ develop is protected against unsigned authored commits before the setup branch starts.
   • ✅ When main exists, it gets the same rule before the first production merge.

Why server-side signing matters

A local hook can be skipped with --no-verify, and a history rewrite can drop signatures even when commit.gpgSign=true. GitHub’s signed-commit branch rule is the remote gate: it rejects unsigned pushes instead of hoping every local machine is configured correctly.

Why a branch and a tag

The tag is the immutable anchor you diff against at every vendor update. The branch lets you, if ever needed, build the pristine vendor tree in isolation to reproduce a bug against untouched code. You never commit to either.

4. Cut your working branch

With the baseline frozen and pushed, create the branch the rest of the playbook commits against (Option A; for Option B you’ll create a Setup/Phase-N-* branch per phase instead).

1. Branch off develop for the working branch.

   git checkout develop
   git checkout -b Setup/Initial-Launch
   # Expected: now on Setup/Initial-Launch, branched from develop

   • ✅ git branch --show-current prints your working branch.

5. Verify the seam

1. Prove secrets and installed vendor never entered history.

   git log --all --full-history -- .env      # → nothing
   git log --all --full-history -- vendor/   # → nothing
   # Expected: both commands print nothing

   • ✅ Both commands return empty — the seam is clean.

Checklist

Do not mark this step done until every box below is checked.

• 🤖 Baseline verified — author/vX.X.X + author-vX.X.X exist locally (created at Create the project).
• 🤖 develop pushed to the private remote (includes C1–C6 after Verify & gate).
• 👤 Signed-commit protection enabled — GitHub requires signed commits on develop and later main.
• 🤖 Snapshot on remote — author/vX.X.X branch and author-vX.X.X tag pushed.
• 🤖 Working branch checked out — Setup/Initial-Launch (or your Option B branch).
• 🤖 Seam clean — git log --all -- .env vendor/ returns nothing.

→Next step

Local development