Valinor - Self-enforcing engineering discipline.

The valinor command-line interface exposes Valinor's checks and scaffolding. Invoke it as valinor <command> [path] (via npx valinor …, or directly if you've added it to a script). Each command takes an optional path that defaults to the conventional config file, emits a telemetry event on stderr (stdout stays reserved for the command's own output, so --json modes pipe cleanly), and fails closed — a non-zero exit on any drift, error, or unreadable input.

valinor --version (or -v) prints the installed package version and exits — the deterministic check the publish pipeline's post-publish smoke test asserts against to prove a freshly-published package actually resolves and runs.

Every command at a glance

This inventory is a projection of the source of truth — it is generated directly from the src/cli.ts command registry, so it lists every command Valinor ships with a one-line summary and can never silently fall behind the code. (The site-freshness gate fails the build if this table drifts from the registry.) Reach below for the editorialized, grouped reference with flags, defaults, and the when to reach for it of each command.

Generated — do not hand-edit

The table below is regenerated by npm run gen:cli-reference. Edit a command's summary in src/siteGen/cliReference.ts (its single authoritative home), not here.

Command	What it does
`action-list`	Discover the available action-skill procedure ids (roadmapping · planning · execution).
`action-show`	Print an action-skill procedure, for your agent to read and follow (read-only).
`audit`	One-command launcher: print the applicable audit skills, the deterministic inventory, and the run steps.
`audit-all`	Aggregate the per-repo audit state across every `valinor-workspace.yml` repo — stack + measured production KLOC + the latest recorded grade per repo (no composite workspace score), with a loud no-grade row for any repo without a recorded grade.
`audit-data`	Print the deterministic repo inventory (stack, in-scope files, measured KLOC split production vs test — the grade divides by production code only) the audit folds in.
`audit-list`	Discover the available audit-concern ids your agent can run.
`audit-reconcile`	Reconcile this audit run's findings against the committed, finding-free history into the open/carried/resolved/reopened lifecycle (+ persisted accepted/false-positive triage), then print the ranked, aging backlog + the net-open burndown. The committed ledger is hash-only (a privacy-safe fingerprint + concern + counts, never a path/line/snippet).
`audit-record`	Record a verified audit run's grade into the committed score history (grade only, no findings). `[dir]` targets another repo — its root or its audit artifact dir — and the history always lands in the TARGET repo's `.valinor/score-history.jsonl`, never the caller's cwd (workspace-sweep safe). `--regrade` first recomputes `grade.json` from the stored findings under the current formula (the formula-migration path); `--help` prints the usage.
`audit-report`	Render a persisted audit run into a shareable Codebase Audit Report (Markdown and/or HTML).
`audit-show`	Print a concern's audit skill, for your agent to run against your repo (read-only).
`audit-trend`	Print the score-over-time trend from the recorded audit history.
`audit-verify`	Verify a persisted `.valinor/audit/` run is internally consistent before it is recorded.
`baseline`	Generate a baseline snapshot the new-code adoption mode grandfathers pre-existing findings against.
`branch-protection-check`	Diff the live branch-protection ruleset against your committed `branch-protection.json`.
`branch-protection-sync`	Apply `branch-protection.json` to the live branch-protection ruleset (create or update).
`cadence`	Surface every standing time-based obligation that is overdue — release cadence first, then dated-default re-checks and the other standing sweeps (advisory, never blocks).
`cadence-dispatch`	Print the action plan for overdue standing obligations within a reversibility-keyed safety boundary (AUTO-ACT → open a PR · RECOMMEND → open an issue), capped by `autonomy.code_merge`. Runtime-agnostic and key-free — it never calls an LLM; the opt-in scheduled agent-dispatch workflow's headless agent consumes the plan.
`check-agent-file-principles`	Flag any README-owned section carried in your agent file outside the doctrine block.
`check-change-narrative`	On a substantial PR, require at least one new bullet under `CHANGELOG.md`'s `## [Unreleased]`.
`check-dependency-health`	OWASP A03: verify EVERY tracked manifest (root + sub-projects) has a present/valid lockfile, no critical/high vulns, no unbounded version specifiers — vulns block uniformly.
`check-doc-freshness`	Scan your docs for dead internal links, dead config/command references, and CLI drift.
`check-docs-coverage`	Check your `.md` corpus for orphan and stub docs (the exhaustiveness axis).
`check-no-empty-catch`	Flag empty catch blocks (advisory by default — reports at `warn`; a JS/TS repo raises it to `error` in `governance.config.yml`).
`check-plans`	Validate the `docs/plans/` lifecycle (advisory by default — reports at `warn`; raise to `error` in `governance.config.yml` to block).
`check-repo-hygiene`	Verify your committed tree stays tidy — no tracked cruft, a covering `.gitignore`, no oversized binary.
`check-research-ledger`	Validate a `docs/research/` ledger (advisory by default — reports at `warn`; raise to `error` in `governance.config.yml` to block).
`check-workflow-templates`	Verify every shipped `skills/*/.workflow.js` template stays valid and reference-current.
`claims-verify`	Verify the repo satisfies every claim in `claims.yml`; exits non-zero on any drift.
`compat-check`	Verify a change to the public surface (doctrine version, propagation reach, init scaffold, CLI commands) doesn't break an existing adopter — diffs against a committed `.valinor/compat-baseline.json`.
`compliance-check`	Check your repo carries the universal legal-doc floor its nature requires (a privacy policy for end-users, a terms-of-service for an app) — present, sectioned, advisory-disclaimed. ADVISORY: flags, never certifies legal sufficiency.
`compliance-evidence`	Generate a requirement→control attestation report (Markdown or `--json`) mapping SOC2/ISO27001/NIST-SSDF/CRA security/SDLC requirements to the Valinor controls that satisfy them, with live pass/fail status. ADVISORY: evidence for an auditor, never a certification.
`compliance-seed`	Copy advisory-banner'd starter templates (NOT legal advice) for each required-but-absent legal doc, pre-empting the compliance-check gate at onboarding.
`cost-breaker-check`	The scheduled agent-dispatch monthly circuit-breaker pre-flight — read the committed cost ledger + the `agent-dispatch.budget` dial and emit `over_budget` (true ⇒ the dispatch step skips this month). Fails closed when a cap is set but the ledger is unreadable; advisory-only when no cap is set.
`cost-record`	Append one privacy-safe cost record (token counts, USD estimate, session id — never a prompt) from a Claude Code `--output-format json` result to the committed `.valinor/cost-history.jsonl` ledger. The post-run cost-capture step of the scheduled agent-dispatch workflow.
`dependency-health-reports`	Produce the per-manifest `npm audit`/`npm outdated` reports the multi-manifest dependency-health gate reads (run this before `check-dependency-health`).
`doctrine-check`	Verify your agent doc carries the portable Valinor doctrine block — present, current, un-drifted.
`doctrine-check-all`	Aggregate `doctrine-check` across every `valinor-workspace.yml` repo (+ the workspace's own agent file) — one row per repo, a rollup footer, non-zero exit when any repo fails or is not-initialized.
`eval-check`	Check the eval fixtures against expectations (machinery for the calibration tooling).
`eval-record`	Record an eval result (machinery for the calibration tooling).
`eval-verify`	Re-run each Greptile rule's seeded-violation/clean-control fixtures through Greptile to verify it still fires (the firing-verification sweep; needs a Greptile key).
`eval-verify-check`	Assert every adopted Greptile rule carries a fresh, passing firing-verification record (the freshness floor; composes with the Phase-4 coverage gate).
`gate-health-record`	Record a gate-health data point (machinery for the score-over-time and calibration tooling).
`gate-health-trend`	Print the gate-health trend over time (machinery for the score-over-time tooling).
`greptile-score`	Read a PR's live Greptile confidence score and post a fail-closed `greptile-score-verify` commit status (success at 5/5, failure below, neutral while pending) — the deterministic teeth on the STRICT-5/5 merge bar. Run by the scaffolded greptile-score workflow.
`init`	Adopt Valinor on a repo: inline the doctrine and scaffold the minimum to run the gates.
`init-workspace`	Adopt Valinor on a non-git parent directory of related repos: discover the sub-repos, seed the authoritative `valinor-workspace.yml` manifest, write workspace-level agent files, and run `init` in every governed repo.
`merge-gate`	Hold a PR draft until its pre-review quality gates pass green, then auto-mark it ready (so Greptile reviews a clean, gates-green PR once). Fail-open — an optimization, never the merge bar.
`onboard`	Interactive opt-in wizard — enforce the advisory-by-default capabilities for your repo's profile.
`reconcile-check`	Check your repo's COMMITTED priors don't contradict the doctrine it has adopted — an integrity-class dial softened to off/warn, a direct-push baseline vs the PR-only doctrine, or a doctrine block with no committed carrier (the brownfield-adoption gate).
`release`	Cut a release as a single consistent transaction — the make-the-right-path-easy companion to `release-check`.
`release-check`	Verify a release is cut as a single consistent transaction (versions agree, `[Unreleased]` rolled).
`release-pr`	Derive the next version from the commit log and create-or-update a standing Release PR whose merge cuts the release.
`remote-hygiene`	Cadenced advisory sweep of your remote — flags merged-but-undeleted/stale branches and abandoned PRs (read-only, never blocking).
`repo-settings-check`	Verify GitHub repo settings match `governance.config.yml` (unreadable admin field → `⚠ UNVERIFIABLE`).
`repo-settings-sync`	Apply the `verify: true` repo settings from `governance.config.yml` to GitHub.
`sbom`	Generate a CycloneDX (JSON) SBOM from your lockfile data across every tracked manifest — the component-inventory evidence (CRA Art. 13; SOC2/ISO/SSDF). A generator, never a gate.
`site-freshness`	Keep your client-facing sites in sync with the source of truth (CLI surface, version, install, links).
`spec-contract`	Check your API spec (OpenAPI/GraphQL/protobuf) is in sync with the implementation — valid, no un-acknowledged breaking change — when you declare an `api:` block; fires only when enabled (an absent block is a no-op), tool-selected per stack, with a loud UNVERIFIABLE (never a silent green) when a tool is absent.
`surface-provisioning`	Check your repo stands up the client-facing web surfaces its nature warrants (declared in config).

Adopting & updating

`init <targetPath>`

Adopt Valinor on a repository. Propagates the versioned canonical doctrine into the target's AGENTS.md ≡ CLAUDE.md and scaffolds the minimum to run the gates: governance.config.yml, a starter claims.yml, a starter README.md, .greptile/config.json (the canonical review-rubric rules), and .github/workflows/valinor-gates.yml.

Flags:

--profile — your repo's profile (shapes the scaffolded config).
--maturity — adoption maturity.
--mode — advisory, new-code, or strict (controls whether gates block).
--stack — your stack (e.g. nextjs); overrides the profile-aware default.
--dry-run — print the plan and write nothing.

Safe to re-run: it re-inlines the current doctrine in place and leaves already-present scaffold files untouched, so pulling a doctrine update never clobbers your custom claims or rules. A re-run reports each byte-identical file as unchanged — the output tells you exactly what changed.

`init-workspace [parentPath]` and the workspace sweeps

Adopt Valinor on a non-git parent directory of related repos: init-workspace discovers the git checkouts beneath the parent, seeds the authoritative valinor-workspace.yml manifest, writes workspace-level AGENTS.md ≡ CLAUDE.md, and runs the standard init in every governed repo (the init flags pass through; add --max-depth <n> to search deeper and --rediscover to diff newly-cloned repos into an existing manifest — with --dry-run, a rediscovery reports what it would add and writes nothing).

The discovery boundary: the scan never enters dot-directories (.claude/, .worktrees/, …) or follows symlinked directories, and skips node_modules/vendor — a checkout under a dot-directory (e.g. an agent harness's worktree) is invisible to discovery by design; govern its primary checkout instead.

Afterwards, two sweeps aggregate the workspace — doctrine-check-all (every repo's doctrine block) and audit-all (every repo's stack, KLOC, and latest recorded audit grade). Both print one row per repo plus a rollup footer, continue past failures (--bail opts into fail-fast), exit non-zero when any repo fails or is not-initialized/no-grade, and emit pure JSON on stdout under --json. Run them from the workspace root or any directory beneath it — they walk up to the nearest valinor-workspace.yml.

audit-all starts all-red — that's expected. A freshly-inited workspace reports every repo no-grade: init-workspace scaffolds governance but records no audit grade. Each repo earns its row by running the audit flow once (valinor audit, then valinor audit-record after the graded run); the sweep turns green repo by repo.

`onboard [path]`

The interactive opt-in wizard — the human-facing counterpart to init's non-interactive scaffold. init writes every opt-in capability at its non-blocking default (the three process gates at warn — they report without blocking — and prints them as a summary); onboard lets you raise them to blocking. For your repo's profile (read from governance.config.yml, or prompted) it walks the single-scalar opt-in gates one at a time — research-ledger, plans, no-empty-catch — printing each one's tradeoff and asking Enforce? [y/N], then writes the dials you chose into governance.config.yml without disturbing its comments or structure (and idempotently — re-running with the same answers changes nothing). It only flips dials; if you have no governance.config.yml yet, run init first.

Run it in a terminal — when its input isn't a terminal (CI, a pipe, an agent session) it never prompts: it prints the profile-aware "Capabilities you can enable" summary plus a note to run interactively or edit the config by hand, writes nothing, and exits cleanly.

`release <version | --patch | --minor | --major>`

Cut a release as a single consistent transaction — the make-the-right-path-easy companion to the release-check gate. It performs the cut so the result passes release-check by construction, so you (or an agent) never hand-roll an inconsistent release. From an explicit <version> (validated semver, strictly higher than the current) or a bump flag computed from package.json, it bumps package.json (and package-lock.json), moves CHANGELOG.md's ## [Unreleased] content into a dated ## [x.y.z] section, and rolls RELEASES.md the same way — preserving every bullet and the Added/Changed/Fixed grouping — and leaves a fresh empty Unreleased in each. It rejects a non-monotonic or invalid version and fails closed on a malformed changelog (never a half-roll).

Flags:

--patch / --minor / --major — compute the next version by a semantic bump instead of passing one explicitly.
--dry-run — print the planned changes and write nothing.
--tag — also create a local tag vx.y.z (never pushed; it prints the git push origin vx.y.z to run after merge). Without --tag it just prints the tag reminder.

Your changelog site stays editorially curated — release prints a reminder to curate the new version's section (it never auto-generates that prose), and the site-freshness rule keeps it honest.

Verifying your repo

These are the checks you'll run most — locally and in CI. Each scans your own repo from the working directory and fails closed.

Command	What it checks
`claims-verify [claims.yml]`	Verifies the repo satisfies every claim in `claims.yml`. Prints one line per claim; exits non-zero on any drift.
`doctrine-check [AGENTS.md]`	Verifies your agent doc carries the portable Valinor doctrine block — present, version-current, and un-drifted from the canonical doctrine.
`check-agent-file-principles [AGENTS.md]`	Flags any README-owned section (project / stack / commands / install / usage / license) carried in your agent file outside the doctrine block.
`check-doc-freshness`	Scans your docs for dead internal links, dead config references, dead `valinor` / `npm run` command references, and CLI drift.
`check-docs-coverage`	Checks your `.md` corpus for orphan and stub docs (the exhaustiveness axis).
`check-dependency-health`	OWASP A03 (Software Supply Chain Failures): checks your lockfile is present and valid, `npm audit` reports no critical/high vulnerabilities, and no dependency uses an unbounded version specifier. In CI, requires a prior `valinor dependency-health-reports` producer step; in a local run an absent report falls back to a live `npm audit --json` per manifest.
`check-change-narrative`	On a substantial pull request, requires at least one new bullet under your `CHANGELOG.md`'s `## [Unreleased]` section.
`surface-provisioning`	Checks your repo stands up the client-facing web surfaces its nature warrants — declared in `governance.config.yml`'s `surfaces:` block (help-center · changelog · api-docs only for a real programmatic API), profile-defaulted. Distinct from `site-freshness` (which keeps existing sites fresh).
`release-check`	Verifies a release is cut as a single consistent transaction — your `package.json`, `CHANGELOG.md`, and `RELEASES.md` versions agree, the version is valid semver and monotonic, `[Unreleased]` is rolled, every logged release carries notes, and (once you're tagging) the latest tag is not ahead of `package.json`. Backlog-staleness cadence is a dialable, warn-only nudge — never blocking. Governs the source-of-truth artifacts; composes with `site-freshness` (the rendered sites).
`check-workflow-templates`	Verifies every shipped `skills/*/.workflow.js` workflow template (the executable templates you bundle and ship to consumers) stays valid and reference-current — it parses as JavaScript, carries a well-formed self-describing `meta` header, references only real CLI commands and audit-concern slugs, and passes only function stages to the `parallel`/`pipeline` Workflow primitives (so a template never fails at run time with a syntax error, a dead command, or a non-function stage). A repo with no templates is a no-op.
`compat-check`	Verifies a change to Valinor's own public surface doesn't silently break an existing adopter — the deterministic teeth behind the "backwards-compatible / safe-to-deploy" Definition-of-DONE criterion. It keeps a committed `.valinor/compat-baseline.json` snapshot of the public surface (the doctrine version, each propagation surface's consumer reach, the `init` scaffold gate set + `governance.config.yml` gate-dial keys, and the registered `valinor <command>` set) and diffs HEAD's surface against it, failing on a regression (a doctrine-version decrease, a governance surface losing propagation reach or removed, a dropped scaffold gate or config dial, a removed CLI command) and staying quiet on any forward move (a version bump, a new command, a wider rollout). The first run seeds the baseline; `valinor release` re-seeds it each cut.
`check-repo-hygiene`	Verifies your committed tree stays tidy — the complement of repo-scaffolding (files that should be present): no tracked cruft (build output, dependency dirs, OS/editor droppings, a `.env` secrets file), your `.gitignore` covers the stack's standard build-artifact set plus the agent-tooling dirs (`.claude/` · `.agents/`), no oversized tracked binary (over a dialable 5 MB threshold; lockfiles/CHANGELOG/docs are exempt), and no leaked secret — it reads a gitleaks secret-scan report a CI step produces (gitleaks is the default scanner) and flags each leak, covering your committed tree and its git history. The first three legs are scoped to the committed tree — your local working-tree, worktree, and branch state isn't visible to CI (it runs on a clean checkout), so the `valinor-audit-repo-hygiene` skill sweeps that over time. The secret-scan fails closed if a report was expected but didn't arrive (a scan that silently didn't run is the dangerous case), and is a presence-aware no-op with an advisory when no scanner is wired.
`remote-hygiene`	The REMOTE leg of repo-hygiene — a cadenced advisory sweep of your repo's GitHub-side branch/PR cruft (completing the standard's local + remote scope). It queries GitHub read-only (via `GITHUB_TOKEN` — `contents:read` + `pull-requests:read`, no elevated scope) and reports: remote branches merged into your default branch but never deleted, stale branches (no commit past a tunable age, no open PR), and abandoned open PRs (no activity past a tunable age). It is always advisory — it prints a report to stdout and `$GITHUB_STEP_SUMMARY` and always exits 0 (remote cleanup is a judgment call — a long-lived branch or parked PR may be intentional), mirroring `release-integrity`'s cadence nudge. Run it on a schedule (alongside the config-drift checks), never in the per-PR gates job — remote cruft isn't introduced by one diff and needs the GitHub API a clean CI checkout doesn't have. Thresholds are dialable under `gates.repo-hygiene.remote` (`staleBranchDays` default 90, `abandonedPrDays` default 30). It governs branch/PR cruft cleanup, not branch-protection settings (`branch-protection-check` / `repo-settings-check` own those).

Opt-in gates

check-research-ledger, check-plans, and check-no-empty-catch ship advisory by default (severity: warn). They validate a docs/research/ ledger, a docs/plans/ lifecycle, and empty catch blocks respectively — reporting findings without blocking, and no-op'ing when their artifact is absent. Raise one to error in governance.config.yml when you adopt its discipline; set off to silence it.

GitHub configuration as code

These commands diff (or apply) your repository's GitHub settings against config committed in your repo. They call the GitHub API and read GITHUB_TOKEN from the environment.

Command	What it does
`branch-protection-check [branch-protection.json]`	Diffs the live branch-protection ruleset against your committed `branch-protection.json`; exits non-zero on drift.
`branch-protection-sync [branch-protection.json]`	Applies `branch-protection.json` to the live ruleset (creates or updates it).
`repo-settings-check [governance.config.yml]`	Verifies GitHub repo settings (e.g. merge options) match `governance.config.yml`. Reports an unreadable admin field as `⚠ UNVERIFIABLE` (fail-closed), never a phantom drift.
`repo-settings-sync [governance.config.yml]`	Applies the `verify: true` repo settings from `governance.config.yml`.

The whole-repo audit

Beyond per-change gates, Valinor ships audit skills — graded, standing-repo sweeps of a whole concern (e.g. "has this repo adopted the doctrine?"). They're bundled inside the installed package, version-locked to your Valinor.

npx valinor audit                          # one-command launcher: prints the skills, inventory, and run steps
npx valinor audit-list                     # discover the available concern ids
npx valinor audit-show doctrine            # print that concern's audit skill, for your agent to run
npx valinor audit-report --format both     # render the shareable Codebase Audit Report (Markdown + HTML)

audit is the one-command launcher — run it at the start of a Claude Code session and it prints, in one shot, the applicable audit skill set, the deterministic inventory, and the orchestration steps to drive the run (it reads your repo and writes nothing; add --data-only for just the inventory, or --scope/--exclude to narrow it). audit-show is read-only — your coding agent reads the printed skill and runs the graded audit against your repo. Once the run is graded and verified, audit-report renders it into a self-contained, shareable Codebase Audit Report — a Markdown file and/or a self-contained HTML variant (--format md|html|both, --out <path>) carrying the header, the honesty disclosure, the grade with its published formula, and the findings grouped by concern and severity. (PDF export is a deferred follow-up.) Other audit commands (audit-data — the deterministic inventory of your repo's stack, in-scope files, and measured production/test KLOC split the audit folds in (the grade divides by production code only) — plus audit-verify, audit-record, audit-trend, and the gate-health and eval commands) support the inventory, score-over-time, and calibration machinery; run npx valinor with no arguments to see the full list.

Planning and execution procedures

Valinor also ships action skills — orchestrator-level procedures your coding agent reads and follows, in work-lifecycle order: how to roadmap the next work (generate the next-highest-value work from your repo's own structured signal when the backlog is thin — the step before research), how to plan a feature (turn settled research into an ordered, verifiable build), and how to execute an approved plan (choose how to run each phase — inline, a dispatched subagent, or a workflow pattern). Like the audit skills, they're bundled inside the installed package and version-locked to your Valinor.

npx valinor action-list                       # discover the available procedure ids
npx valinor action-show valinor-roadmapping   # print the roadmapping procedure (what to do next)
npx valinor action-show valinor-planning      # print the planning procedure, for your agent to follow
npx valinor action-show valinor-execution     # print the execution toolkit (the workflow-pattern library)

action-show is read-only — your agent reads the printed procedure and applies it; nothing is written to your repo.

Authentication and token tiers

Valinor's GitHub checks read GITHUB_TOKEN from the environment. What each token tier can verify:

Tier	Reads
Built-in Actions `GITHUB_TOKEN`	claims, files, branch-protection rulesets — most checks
GitHub App / fine-grained PAT with Administration: Read	the above + repo administration
Classic PAT with `repo` scope	the above + the admin-write-gated repo merge-setting fields (`allow_auto_merge`, `delete_branch_on_merge`)

The recommended setup is the Valinor GitHub App: install it on your org and have CI mint a short-lived installation token — no personal tokens to provision or rotate. If you gate an admin-only field your token can't read, repo-settings-check reports ⚠ UNVERIFIABLE (fail-closed) with the exact remedy; to deliberately stop gating a field, set verify: false on it in governance.config.yml.

For the exhaustive command list with every flag and default, contributors can consult the in-repo commands reference, which is kept in sync with the CLI source.