feat: add comply pipeline workflow

.claude-plugin/plugin.json

@@ -0,0 +1,23 @@
+{
+  "name": "comply",
+  "displayName": "ComplyPack",
+  "version": "0.1.0",
+  "description": "Gemara compliance pipeline and policy generation via MCP server",
+  "author": {
+    "name": "ComplyTime Authors",
+    "url": "https://github.com/complytime"
+  },
+  "homepage": "https://github.com/complytime/complypack",
+  "repository": "https://github.com/complytime/complypack",
+  "license": "Apache-2.0",
+  "keywords": [
+    "compliance",
+    "rego",
+    "opa",
+    "gemara",
+    "policy",
+    "mcp",
+    "audit",
+    "governance"
+  ]
+}

.cursor-plugin/plugin.json

@@ -0,0 +1,22 @@
+{
+  "name": "comply",
+  "displayName": "ComplyPack",
+  "version": "0.1.0",
+  "description": "Gemara compliance pipeline and policy generation via MCP server",
+  "author": {
+    "name": "ComplyTime Authors",
+    "url": "https://github.com/complytime"
+  },
+  "repository": "https://github.com/complytime/complypack",
+  "license": "Apache-2.0",
+  "keywords": [
+    "compliance",
+    "rego",
+    "opa",
+    "gemara",
+    "policy",
+    "mcp",
+    "audit",
+    "governance"
+  ]
+}

.dockerignore

@@ -0,0 +1,12 @@
+.git
+.github
+.complytime
+.cursor
+.opencode
+docs
+kb
+skills
+tests
+acceptance
+*.md
+!LICENSE

.github/workflows/container.yml

@@ -0,0 +1,61 @@
+name: Container Image
+
+on:
+  push:
+    tags:
+      - 'v*'
+    branches:
+      - main
+
+permissions:
+  contents: read
+
+jobs:
+  push:
+    uses: complytime/org-infra/.github/workflows/reusable_publish_ghcr.yml@e266be092e71ac9343fcd6d5cafc50402161981e # main
+    permissions:
+      contents: read
+      packages: write
+      actions: read
+      id-token: write
+      attestations: write
+    with:
+      component_name: complypack
+      containerfile_path: Containerfile
+      context_path: .
+      image_name: complytime/complypack
+      image_description: "ComplyPack MCP server for compliance policy generation"
+      platforms: linux/amd64,linux/arm64
+
+  scan:
+    needs: push
+    if: >-
+      always()
+      && needs.push.result == 'success'
+      && needs.push.outputs.image != ''
+    uses: complytime/org-infra/.github/workflows/reusable_trivy_image_scan.yml@e266be092e71ac9343fcd6d5cafc50402161981e # main
+    permissions:
+      contents: read
+      packages: write
+      security-events: write
+      id-token: write
+    with:
+      image_ref: ${{ needs.push.outputs.image }}:${{ needs.push.outputs.tag }}
+      image_digest: ${{ needs.push.outputs.digest }}
+      trivy_severity: HIGH,CRITICAL
+
+  sign:
+    needs: [push, scan]
+    if: >-
+      always()
+      && needs.push.result == 'success'
+    uses: complytime/org-infra/.github/workflows/reusable_sign_and_verify.yml@e266be092e71ac9343fcd6d5cafc50402161981e # main
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+    with:
+      image_name: ${{ needs.push.outputs.image }}
+      digest: ${{ needs.push.outputs.digest }}
+      allowed_identity_regex: "https://github.com/complytime/org-infra(/.*)?$"
+      verify_vuln: ${{ needs.scan.result == 'success' }}

.gitignore

@@ -28,9 +28,11 @@ go.work.sum
 .DS_Store
 Thumbs.db
 
-# Local docs (plans, analysis)
+# Local docs (plans, analysis, specs, demos)
 docs/plans/
 docs/analysis/
+docs/superpowers/
+docs/demo/
 
 # Development tooling
 .opencode/

.mcp.json.example

@@ -0,0 +1,12 @@
+{
+  "mcpServers": {
+    "complypack": {
+      "command": "docker",
+      "args": ["run", "--rm", "-i",
+               "ghcr.io/complytime/complypack:VERSION",
+               "mcp", "serve",
+               "--source", "oci://YOUR_REGISTRY/gemara/YOUR_CATALOG:TAG",
+               "--schema", "YOUR_PLATFORM"]
+    }
+  }
+}

Containerfile

@@ -0,0 +1,17 @@
+FROM golang:1.26-alpine AS builder
+
+WORKDIR /build
+COPY go.mod go.sum ./
+RUN go mod download
+COPY . .
+RUN CGO_ENABLED=0 go build -trimpath -ldflags="-s -w" -o complypack ./cmd/complypack
+
+FROM registry.access.redhat.com/ubi9-micro:9.6-4@sha256:b498b3ea26111ab4b81d65139f2ebd2ef9a2abb7a4588b7fdcc54889f95e9caa
+
+COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/pki/tls/certs/ca-bundle.crt
+COPY --from=builder /build/complypack /usr/local/bin/complypack
+
+ARG USER_UID=10001
+USER ${USER_UID}
+
+ENTRYPOINT ["complypack"]

INSTALL.md

@@ -0,0 +1,107 @@
+# Installing ComplyPack
+
+ComplyPack is a plugin that provides a compliance policy generation skill and
+an MCP server for working with Gemara catalogs.
+
+## Prerequisites
+
+- Docker or Podman (Fedora users: `sudo dnf install podman-docker`)
+
+## Claude Code
+
+Install from the marketplace:
+
+```
+/plugin install complypack@claude-plugins-official
+```
+
+The skill is auto-discovered. To configure the MCP server, create a
+`.mcp.json` in your project:
+
+```json
+{
+  "mcpServers": {
+    "complypack": {
+      "command": "docker",
+      "args": ["run", "--rm", "-i",
+               "ghcr.io/complytime/complypack:latest",
+               "mcp", "serve",
+               "--source", "oci://your-registry/gemara/your-catalog:v1",
+               "--schema", "ci"]
+    }
+  }
+}
+```
+
+Replace the `--source` and `--schema` values with your Gemara catalog
+references and target platforms.
+
+### Multiple sources and schemas
+
+```json
+"args": ["run", "--rm", "-i",
+         "ghcr.io/complytime/complypack:latest",
+         "mcp", "serve",
+         "--source", "oci://registry.example.com/gemara/controls:v1",
+         "--source", "oci://registry.example.com/gemara/guidance:v1",
+         "--schema", "ci=cue://cue.dev/x/githubactions@v0#Workflow",
+         "--schema", "kubernetes"]
+```
+
+### Plain HTTP registries (development)
+
+Use `oci+http://` for registries without TLS:
+
+```json
+"--source", "oci+http://localhost:5001/gemara/controls:v1"
+```
+
+## OpenCode
+
+Add to your `opencode.json`:
+
+```json
+{
+  "mcpServers": {
+    "complypack": {
+      "command": "docker",
+      "args": ["run", "--rm", "-i",
+               "ghcr.io/complytime/complypack:latest",
+               "mcp", "serve",
+               "--source", "oci://your-registry/gemara/your-catalog:v1",
+               "--schema", "ci"]
+    }
+  }
+}
+```
+
+## Using a config file (advanced)
+
+If you prefer YAML configuration, mount a `complypack.yaml`:
+
+```json
+"args": ["run", "--rm", "-i",
+         "-v", "./complypack.yaml:/config/complypack.yaml:ro",
+         "ghcr.io/complytime/complypack:latest",
+         "mcp", "serve",
+         "--config", "/config/complypack.yaml"]
+```
+
+## Verifying the image
+
+Images include SLSA provenance and SBOM attestations. To verify:
+
+```
+gh attestation verify oci://ghcr.io/complytime/complypack:latest \
+  --owner complytime
+```
+
+## Embedded schemas
+
+These platforms have built-in schemas (no `--schema source` needed):
+
+- `kubernetes`
+- `terraform`
+- `docker`
+- `ansible`
+- `ci`