ci: enforce identity hygiene gate

.gitea/workflows/check.yml

@@ -10,6 +10,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+      - name: Identity hygiene gate
+        run: ./scripts/check_identity_hygiene.sh
       - uses: actions/setup-go@v5
         with:
           go-version-file: backend/secretapi/go.mod

scripts/check_identity_hygiene.sh

@@ -0,0 +1,41 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+EXPECTED='Edut LLC <publishing@edut.dev>'
+
+fail() {
+  echo "IDENTITY HYGIENE CHECK FAILED: $*" >&2
+  exit 1
+}
+
+check_head_identity() {
+  local label="$1"
+  local value="$2"
+  if [[ "$value" != "$EXPECTED" ]]; then
+    fail "$label is '$value' (expected '$EXPECTED')"
+  fi
+}
+
+head_author="$(git show -s --format='%an <%ae>' HEAD)"
+head_committer="$(git show -s --format='%cn <%ce>' HEAD)"
+check_head_identity "HEAD author" "$head_author"
+check_head_identity "HEAD committer" "$head_committer"
+
+if bad_identity="$(git log --format='%an <%ae>%n%cn <%ce>' | grep -Ev "^${EXPECTED//\/\\}$" | head -n 1 || true)"; [[ -n "${bad_identity}" ]]; then
+  fail "history contains non-publisher identity: ${bad_identity}"
+fi
+
+# Trackers for personal attribution and legacy infra markers that must never reappear.
+if git grep -nE 'Joshua Armstrong|\bjoshua\b|workvsg\.com|vsg@|vsgstrategies|VSG Strategies|/Users/vsg|VSG Codex' \
+  -- . \
+     ':(exclude)scripts/check_identity_hygiene.sh' \
+     ':(exclude)operations/audit_reports/**' \
+  >/tmp/identity_hygiene_hits.txt 2>/dev/null; then
+  echo "Disallowed content patterns found:" >&2
+  cat /tmp/identity_hygiene_hits.txt >&2
+  rm -f /tmp/identity_hygiene_hits.txt
+  fail "content pattern violations detected"
+fi
+rm -f /tmp/identity_hygiene_hits.txt
+
+echo "PASS: identity hygiene checks passed"