Add component-owner approval guard for issue #10

[taherdhanera]

/claim #10
@algora-pbc /claim #10 #407

Claim metadata

• Bounty issue: Project Repository & Version Control #10
• Active claim PR: Add component-owner approval guard for issue #10 #407
• Algora linkage: @algora-pbc /claim Project Repository & Version Control #10 Add component-owner approval guard for issue #10 #407

Summary

Adds repository-component-owner-approval-guard, a self-contained Project Repository & Version Control slice that validates component-owner approval quorum before protected-branch merge or tagged repository release.

The guard evaluates:

• repository component path ownership for manuscript/, data/, code/, notebooks/, protocols/, results/, and metadata.json
• fresh eligible approval coverage per touched component
• restricted data/protocol escalation owners
• stale approvals after changed files move
• conflicted self-approvals by merge request authors
• unmapped repository paths without component policy coverage

Non-overlap

This is not a broad repository ledger, release engine, structured diff/rollback module, provenance attestation layer, release embargo gate, notebook replay tool, schema migration assistant, citation impact verifier, API/export verifier, merge queue, environment drift checker, access review guard, DOI tombstone gate, metadata readiness gate, branch hypothesis lineage guard, sensitive-artifact scanner, dependency-license guard, legal-hold gate, restore rehearsal guard, or compute sandbox policy guard. It focuses specifically on component-owner approval quorum and approval freshness before merge.

Validation

Run from repository-component-owner-approval-guard/:

npm run check
npm test
npm run demo
npm run demo:video

Fresh validation passed after the latest reproducibility hardening commit.

Demo Video

• reports/demo.webm
• reports/demo.mp4

Reviewer Artifacts

• reports/summary.json
• reports/reviewer-packet.md
• reports/summary.svg
• reports/demo.webm
• reports/demo.mp4

Safety

All data is synthetic. The module does not call Git providers, repository hosting APIs, identity systems, storage systems, private repositories, or external services. It does not include private research data, credentials, real users, or live project mutations.

[taherdhanera]

Follow-up pushed in 8674251 for reviewer reproducibility.

npm run demo:video now verifies the committed reports/demo.webm and reports/demo.mp4 artifacts without rewriting browser-generated binary output on every run. Explicit re-recording is still available via RECORD_DEMO_VIDEO=1 node demo-video.js.

Fresh local validation after this commit:

• npm run check passed
• npm test passed
• npm run demo passed
• npm run demo:video passed and verified both video artifacts
• working tree stayed clean after validation