feat(ci,pushback): wire dna-spec-validate into CI workflow + pushback protocol (SPEC-19 Stage 5)

template/workflows/dna.yml:
- Add dna-spec-validate step after dna-verify (script-only per invariant 9;
  the dna-spec-validator subagent stays human-review-time until headless
  Claude Code lands).
- Wire DNA_SPEC_VALIDATE_BASE=origin/${{ github.base_ref }} so the cross-
  spec ownership check uses the PR's base for the merged-branch filter
  (matches dna-verify's DNA_VERIFY_BASE pattern).
- New per-gate skip knob vars.DNA_SKIP_SPEC_VALIDATE.
- Header comment updated to document spec-validate (mechanical) + spec-
  validator (judgmental, NOT in CI yet).
- Summary block lists the new step + the new judgmental subagent in the
  PR-reviewer-responsibility callout.

template/skills/dna-spec-validate/run.sh:
- cross-spec-ownership now respects DNA_SPEC_VALIDATE_BASE env var (was
  hardcoded to "main"). Default still "main" for local dev. Honors the
  contract documented in the script header since Stage 1.

template/AGENT.md:
- Critical Pushback Protocol gains a row: "human asks to skip
  /dna-spec-validate → refuse, cite Article 8 + invariant 4". The
  validator's whole purpose is catching drift mechanical layers cannot
  see; bypassing it allows the build to proceed on a false contract.

E2E verification (all green):
- refresh-target.sh against team-project-scheduler: 3 ADDED files
  detected and synced (run.sh, SKILL.md, dna-spec-validator.md);
  workflows/dna.yml DRIFT resolved with --force.
- 10/10 regression fixtures green.
- All 4 dogfood specs (001-004) PASS in blocking mode.
- workflow YAML parses.
- Target now has all 3 new artifacts; target's run.sh IDENTICAL to kit.

This closes SPEC-19. The kit is ready for Denis-team handoff with the
spec-projection layer fully gated (mechanical floor in CI; judgmental
ceiling in dev loop).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: albertdobmeyer

template/AGENT.md

@@ -190,6 +190,7 @@ Match model capability to phase. Planning and adversarial review need heavy reas
 - Human's direction contradicts ARCHITECTURE.md → **Flag.** Propose an amendment PR to main.
 - Human says "good enough" for a `[D]` at `[W]` depth → **Challenge.** Ask: "Which negative assertions are you willing to lose?"
 - Human wants to merge with failing tests → **Refuse.** Cite Article 8.
+- Human asks to skip `/dna-spec-validate` (or its subagent) → **Refuse.** Cite Article 8 + invariant 4 (audit isolation). The validator catches semantic drift between the spec.md and the Blueprint that mechanical layers can't see; bypassing it allows the build to proceed on a false contract.
 
 **When NOT to push back:**
 - Human has domain knowledge you lack → Defer, but log the decision.

template/skills/dna-spec-validate/run.sh

@@ -549,7 +549,8 @@ MERGED_BRANCHES=""
 HAVE_GIT=0
 if git rev-parse --git-dir >/dev/null 2>&1; then
   HAVE_GIT=1
-  MERGED_BRANCHES=$(git branch --merged main 2>/dev/null | sed 's/^[* ] //' | grep -v '^main$' || true)
+  BASE_REF="${DNA_SPEC_VALIDATE_BASE:-main}"
+  MERGED_BRANCHES=$(git branch --merged "$BASE_REF" 2>/dev/null | sed 's/^[* ] //' | grep -v "^${BASE_REF##*/}$" || true)
 fi
 
 for spec_dir in $ALL_SPECS; do

template/workflows/dna.yml

@@ -6,31 +6,37 @@
 #
 # What runs (and what doesn't):
 #
-#   - dna-decompose    YES — [P] tasks overlapping files in a PR would
-#                      produce merge conflicts; gate must block.
-#   - dna-verify       YES — runs the full test suite with coverage and
-#                      enforces the mechanical floor (Article 10 coverage
-#                      threshold, [D] integration tests present, scenario
-#                      tests present). Uses branch-diff-scoped per-file
-#                      coverage (SPEC-16) so predecessor debt doesn't
-#                      block clean new features.
-#   - dna-test-gate    NO — the gate checks "tests exist and FAIL before
-#                      impl". In a PR to main, impl is already committed
-#                      so tests go green. Gate would false-positive. It
-#                      is a dev-time check, not a merge-time check.
-#   - dna-verifier     NO (yet) — the judgmental subagent requires a
-#                      fresh-context LLM run. No headless CI path today.
-#                      A PR reviewer should invoke it manually. Future
-#                      SPEC once Claude Code ships headless invocation.
-#   - dna-spec-auditor NO (yet) — same reason as dna-verifier. The
-#                      script-less subagents are human-review-time only.
-#   - dna-cross-checker NO (yet) — same reason.
+#   - dna-decompose       YES — [P] tasks overlapping files in a PR would
+#                         produce merge conflicts; gate must block.
+#   - dna-verify          YES — runs the full test suite with coverage and
+#                         enforces the mechanical floor (Article 10 coverage
+#                         threshold, [D] integration tests present, scenario
+#                         tests present). Uses branch-diff-scoped per-file
+#                         coverage (SPEC-16) so predecessor debt doesn't
+#                         block clean new features.
+#   - dna-spec-validate   YES — mechanical floor for spec ↔ Blueprint drift
+#                         (depth tag, file-paths-inside-modules, undefined
+#                         references, cross-spec ownership). SPEC-19.
+#   - dna-test-gate       NO — the gate checks "tests exist and FAIL before
+#                         impl". In a PR to main, impl is already committed
+#                         so tests go green. Gate would false-positive. It
+#                         is a dev-time check, not a merge-time check.
+#   - dna-verifier        NO (yet) — the judgmental subagent requires a
+#                         fresh-context LLM run. No headless CI path today.
+#                         A PR reviewer should invoke it manually. Future
+#                         SPEC once Claude Code ships headless invocation.
+#   - dna-spec-auditor    NO (yet) — same reason as dna-verifier.
+#   - dna-spec-validator  NO (yet) — same reason; the judgmental ceiling
+#                         above dna-spec-validate stays human-review-time
+#                         until headless invocation lands (SPEC-19 Stage 4).
+#   - dna-cross-checker   NO (yet) — same reason.
 #
 # Per-gate skip knobs (use sparingly; skipping is a CONSTITUTION Article 5
 # violation unless logged as a Construction Site):
 #
-#   vars.DNA_SKIP_DECOMPOSE  — 'true' to skip dna-decompose
-#   vars.DNA_SKIP_VERIFY     — 'true' to skip dna-verify
+#   vars.DNA_SKIP_DECOMPOSE      — 'true' to skip dna-decompose
+#   vars.DNA_SKIP_VERIFY         — 'true' to skip dna-verify
+#   vars.DNA_SKIP_SPEC_VALIDATE  — 'true' to skip dna-spec-validate
 
 name: DNA enforcement
 
@@ -80,11 +86,21 @@ jobs:
           DNA_VERIFY_BASE: origin/${{ github.base_ref }}
         run: bash .claude/skills/dna-verify/run.sh
 
+      - name: DNA spec-validate — spec.md harmonized with Blueprint
+        if: vars.DNA_SKIP_SPEC_VALIDATE != 'true'
+        env:
+          # Cross-spec ownership uses `git branch --merged $BASE_REF` to
+          # filter merged branches. Match the PR's base ref so the open-spec
+          # set is computed correctly in CI context.
+          DNA_SPEC_VALIDATE_BASE: origin/${{ github.base_ref }}
+        run: bash .claude/skills/dna-spec-validate/run.sh
+
       - name: Summary
         if: always()
         run: |
           echo "## DNA gate summary" >> $GITHUB_STEP_SUMMARY
           echo "- dna-decompose: ${{ steps.outcome.outputs.decompose || 'ran' }}" >> $GITHUB_STEP_SUMMARY
           echo "- dna-verify: ${{ steps.outcome.outputs.verify || 'ran' }}" >> $GITHUB_STEP_SUMMARY
+          echo "- dna-spec-validate: ${{ steps.outcome.outputs.spec_validate || 'ran' }}" >> $GITHUB_STEP_SUMMARY
           echo "" >> $GITHUB_STEP_SUMMARY
-          echo "Judgmental audits (dna-verifier, dna-spec-auditor, dna-cross-checker) require a fresh-context LLM invocation — PR reviewer responsibility. See docs/TEAM_GUIDE.md #PR-review-protocol." >> $GITHUB_STEP_SUMMARY
+          echo "Judgmental audits (dna-verifier, dna-spec-auditor, dna-spec-validator, dna-cross-checker) require a fresh-context LLM invocation — PR reviewer responsibility. See docs/TEAM_GUIDE.md #PR-review-protocol." >> $GITHUB_STEP_SUMMARY