feat: add operator eval release checks

CHANGELOG.md

@@ -12,19 +12,56 @@
   Google Ads upload QA, ad preflight review, paid social launch gating,
   technical SEO launch audits, product marketing context, growth loop
   diagnosis, and social content fact-check rewrites.
+- A public-safe Google Workspace operator pack for draft-first SMB workflows
+  across Sheets, Drive/Docs, Calendar, and Gmail.
+- A public-safe Meta Ads CLI dry-run adapter for planning Marketing API work
+  without default account access or spend mutation.
 - Executable workflow files and markdown playbooks for the growth skill set,
-  plus a multi-skill growth launch readiness workflow.
-- Synthetic Acme Sleep examples, growth skill eval prompts, and an examples
-  index.
+  plus Workspace operator, Meta CLI adapter, and multi-skill growth launch
+  readiness workflows.
+- Synthetic Acme Sleep, Acme Repair, and Meta CLI examples, growth skill eval
+  prompts, and an examples index.
+- Machine-readable growth skill eval fixtures covering analytics consent
+  audits, Google Ads upload QA, ad preflight review, growth loop diagnosis,
+  paid-social launch gating, product marketing context building, social content
+  fact-check rewrites, and technical SEO launch audits.
+- Machine-readable operator eval fixtures for Google Workspace draft-first
+  boundaries and Meta Ads CLI dry-run account, token, budget, pixel, catalog,
+  submission, and destructive-action gates.
 - `aw check-skills` for skill metadata, required sections, and obvious
   publication-policy issues.
 - `aw publication-scan` and `aw publication-scan --list` for repo-wide
   public-safety checks and scan coverage visibility.
+- `aw catalog-check` for README, examples-index, and eval fixture README
+  coverage across workflows, skills, examples, and eval fixtures.
+- `aw eval-check` for machine-readable eval fixture shape, skill references,
+  stop conditions, and public-safety checks.
 - `aw new skill <name>` for validator-compliant skill scaffolding.
+- A public release checklist for validation, catalog review, public-safety
+  review, repository-state review, release notes, and final handoff.
+
+### Changed
+
+- The README now includes a growth marketer quick path across context, consent,
+  ad preflight, paid-social launch, Workspace operator, and Meta dry-run
+  workflows.
+- The public release gate now points to `bun run validate` and clarifies what
+  the built-in publication scan covers.
+- Credentialed workflow validation now rejects placeholder required-permission
+  or approval-gate values.
 
 ### Safety
 
 - All committed growth examples use fictional brands, `example.com` URLs, fake
   IDs, fake budgets, and synthetic claims.
+- `aw publication-scan` now flags real-looking Google OAuth client IDs, Meta
+  access-token shapes, Meta ad account IDs, and private-key blocks in addition
+  to existing private path, token, email, Google Ads, and GA4 checks.
 - External publishing, posting, account mutation, campaign enablement, and
   spend changes remain approval-gated in the workflow artifacts.
+- Gmail sends, Calendar invitations, Drive permission changes, Docs edits,
+  Sheets writes, credential changes, and OAuth scope expansion remain
+  approval-gated in the Workspace operator artifacts.
+- Meta CLI authentication, system-user token use, real account reads, campaign
+  creation, ad submission, budget changes, pixel or catalog changes, and
+  destructive ad-account actions remain approval-gated in the Meta artifacts.

PUBLICATION_POLICY.md

@@ -31,10 +31,17 @@ Before making this repository public:
 
 1. Inventory every workflow and mark keep, rewrite, or remove.
 2. Sanitize private details and replace them with fictional examples.
-3. Run secret scanning on the working tree and full git history.
-4. Search manually for private paths, tokens, emails, webhooks, and real account
+3. Run `bun run validate` from the repo root. It includes workflow validation,
+   skill validation, catalog coverage, and the publication scan.
+4. Run secret scanning on the working tree and full git history.
+5. Search manually for private paths, tokens, emails, webhooks, and real account
    names.
-5. Remove employer/client/internal material unless fully generalized.
-6. Review executable examples for dry-run defaults and approval language.
-7. Read the final diff as an attacker, employer, client, and random internet
+6. Remove employer/client/internal material unless fully generalized.
+7. Review executable examples for dry-run defaults and approval language.
+8. Read the final diff as an attacker, employer, client, and random internet
    reader. If a line reveals private setup, remove or generalize it.
+
+The built-in publication scan catches obvious private paths, non-example email
+addresses, common API/token shapes, Google Ads IDs, GA4 IDs, Google OAuth client
+IDs, Meta access-token shapes, and real-looking Meta ad account IDs. It is a
+guardrail, not a substitute for human review.

README.md

@@ -1,6 +1,7 @@
 # Agentic Workflows
 
-Repo-native operating files for controlled AI work.
+Repo-native operating files for controlled AI, operator, and growth marketing
+work.
 
 > Prompts are not the product. The product is the operating loop: context,
 > delegation, verification, approval, artifact, learning.
@@ -9,7 +10,9 @@ Repo-native operating files for controlled AI work.
 
 `agentic-workflows` turns AI workflows into repo-native operating files:
 validate them, render runbooks, audit authority, and compile them into agent
-skills.
+skills. The current sample pack focuses on public-safe operator workflows and
+growth marketing launch work: workspace operations, paid media, analytics
+consent, SEO, product marketing context, and social content review.
 
 It is still a playbook, but v2 adds a runnable foundation:
 
@@ -52,6 +55,8 @@ bun run validate
 bun cli/aw.ts inventory
 bun cli/aw.ts check
 bun cli/aw.ts check-skills
+bun cli/aw.ts catalog-check
+bun cli/aw.ts eval-check
 bun cli/aw.ts publication-scan
 bun cli/aw.ts publication-scan --list
 bun cli/aw.ts runbook workflows/repo-triage.workflow.yml
@@ -66,6 +71,8 @@ CLI commands:
 aw validate <workflow>
 aw check [workflow...]
 aw check-skills [skill...]
+aw catalog-check
+aw eval-check [fixture...]
 aw publication-scan [--list] [file...]
 aw inventory
 aw runbook <workflow>
@@ -98,10 +105,35 @@ for the best end-to-end example of the operating loop.
 ## Who this is for
 
 - founders, operators, chiefs of staff, and product leads adopting AI agents
+- growth marketers, paid-media operators, and lifecycle teams adding AI to
+  launch, tracking, and approval workflows
 - engineering and product teams designing human-in-the-loop workflows
 - people evaluating what competent AI delegation looks like in practice
 - anyone who wants less AI theater and more reliable AI-assisted execution
 
+## Growth marketer quick path
+
+For a launch or operator review, start with the smallest workflow that matches
+the real risk:
+
+1. Build stable product and audience context with
+   [product-marketing-context-builder](skills/product-marketing-context-builder/SKILL.md).
+2. Check tracking and consent with
+   [analytics-consent-audit](skills/analytics-consent-audit/SKILL.md).
+3. Review ad claims and launch state with
+   [ad-preflight-review](skills/ad-preflight-review/SKILL.md) and
+   [paid-social-launch-gate](skills/paid-social-launch-gate/SKILL.md).
+4. Use [google-workspace-operator-pack](skills/google-workspace-operator-pack/SKILL.md)
+   when the agent needs a draft-first SMB operating layer across Sheets,
+   Drive/Docs, Calendar, and Gmail.
+5. Use [meta-ads-cli-dry-run-adapter](skills/meta-ads-cli-dry-run-adapter/SKILL.md)
+   when planning Meta Ads CLI or Marketing API work without account access by
+   default.
+
+The examples under [examples](examples/README.md) are intentionally fictional.
+They show the artifact shape and approval boundaries without publishing real
+accounts, IDs, budgets, credentials, customer data, or private workspace state.
+
 ## The operating loop
 
 ```mermaid
@@ -144,9 +176,11 @@ Executable-style examples live beside the markdown playbooks:
 | [repo-triage.workflow.yml](workflows/repo-triage.workflow.yml) | Mapping an unfamiliar repo before edits | `bun cli/aw.ts runbook workflows/repo-triage.workflow.yml` |
 | [research-to-decision.workflow.yml](workflows/research-to-decision.workflow.yml) | Research that must end in a recommendation | `bun cli/aw.ts audit workflows/research-to-decision.workflow.yml` |
 | [external-action-gate.workflow.yml](workflows/external-action-gate.workflow.yml) | Preparing an external write for approval | `bun cli/aw.ts runbook workflows/external-action-gate.workflow.yml` |
+| [google-workspace-operator-pack.workflow.yml](workflows/google-workspace-operator-pack.workflow.yml) | Mapping a draft-first SMB operator across Sheets, Drive/Docs, Calendar, and Gmail | `bun cli/aw.ts runbook workflows/google-workspace-operator-pack.workflow.yml` |
 | [analytics-consent-audit.workflow.yml](workflows/analytics-consent-audit.workflow.yml) | Auditing consent-gated analytics and conversion tracking | `bun cli/aw.ts runbook workflows/analytics-consent-audit.workflow.yml` |
 | [google-ads-upload-qa.workflow.yml](workflows/google-ads-upload-qa.workflow.yml) | Reviewing Google Ads bulk uploads before posting account changes | `bun cli/aw.ts audit workflows/google-ads-upload-qa.workflow.yml` |
 | [ad-preflight-review.workflow.yml](workflows/ad-preflight-review.workflow.yml) | Reviewing ad copy, claims, landing-page alignment, and launch approvals | `bun cli/aw.ts audit workflows/ad-preflight-review.workflow.yml` |
+| [meta-ads-cli-dry-run-adapter.workflow.yml](workflows/meta-ads-cli-dry-run-adapter.workflow.yml) | Preparing Meta Ads CLI or Marketing API work without default account access | `bun cli/aw.ts runbook workflows/meta-ads-cli-dry-run-adapter.workflow.yml` |
 | [paid-social-launch-gate.workflow.yml](workflows/paid-social-launch-gate.workflow.yml) | Gating paid-social submission, enablement, event changes, and spend scaling | `bun cli/aw.ts audit workflows/paid-social-launch-gate.workflow.yml` |
 | [technical-seo-launch-audit.workflow.yml](workflows/technical-seo-launch-audit.workflow.yml) | Auditing crawl, indexation, metadata, sitemap, robots, and schema launch readiness | `bun cli/aw.ts runbook workflows/technical-seo-launch-audit.workflow.yml` |
 | [product-marketing-context-builder.workflow.yml](workflows/product-marketing-context-builder.workflow.yml) | Building stable product, audience, proof, and claim-boundary context | `bun cli/aw.ts runbook workflows/product-marketing-context-builder.workflow.yml` |
@@ -175,37 +209,41 @@ Each workflow declares:
 - `artifacts`
 - `memory_update`
 
-## Growth marketing skills
+## Operator and growth skills
 
-The `skills/` directory contains repo-native skill drafts for repeatable growth
-marketing workflows. These skills are public-safe operating files, not private
-prompt dumps. Each skill names its inputs, authority boundary, approval gates,
-verification gate, and output artifact. `check-skills` also rejects a small set
-of obvious publication-policy violations such as private home paths and common
-token shapes.
+The `skills/` directory contains repo-native skill drafts for repeatable
+operator and growth marketing workflows. These skills are public-safe operating
+files, not private prompt dumps. Each skill names its inputs, authority
+boundary, approval gates, verification gate, and output artifact.
+`check-skills` also rejects a small set of obvious publication-policy
+violations such as private home paths and common token shapes.
 
 Current skills:
 
 | Skill | Use it for |
 | --- | --- |
+| [google-workspace-operator-pack](skills/google-workspace-operator-pack/SKILL.md) | Designing a draft-first SMB operator layer across Sheets, Drive/Docs, Calendar, and Gmail |
 | [analytics-consent-audit](skills/analytics-consent-audit/SKILL.md) | Auditing consent state, tag loading, conversion-event dispatch, and attribution evidence |
 | [google-ads-upload-qa](skills/google-ads-upload-qa/SKILL.md) | Reviewing Google Ads bulk upload packages before posting account changes |
 | [ad-preflight-review](skills/ad-preflight-review/SKILL.md) | Reviewing ad copy, claims, landing-page alignment, and approval requirements before launch |
+| [meta-ads-cli-dry-run-adapter](skills/meta-ads-cli-dry-run-adapter/SKILL.md) | Designing dry-run Meta Ads CLI and Marketing API command plans with account-access gates |
 | [paid-social-launch-gate](skills/paid-social-launch-gate/SKILL.md) | Verifying paid-social launch readiness before submission, enablement, or scaling |
 | [technical-seo-launch-audit](skills/technical-seo-launch-audit/SKILL.md) | Checking crawl, indexation, metadata, sitemap, robots, and schema launch readiness |
 | [product-marketing-context-builder](skills/product-marketing-context-builder/SKILL.md) | Building stable product, audience, proof, and claim-boundary context for growth work |
 | [growth-loop-diagnosis](skills/growth-loop-diagnosis/SKILL.md) | Diagnosing the current growth loop, weakest link, confidence, and next experiment |
 | [social-content-fact-check-rewrite](skills/social-content-fact-check-rewrite/SKILL.md) | Fact-checking and rewriting social posts before publication |
 
-Use
-[growth skill eval prompts](examples/growth-skill-evals/README.md)
-to test each skill with synthetic Acme Sleep scenarios and a shared scoring
-rubric.
+Use [growth skill eval prompts](examples/growth-skill-evals/README.md),
+[operator skill eval prompts](examples/operator-skill-evals/README.md), and
+the machine-readable eval fixtures beside them to test skills with synthetic
+Acme Sleep or Acme Repair scenarios and a shared scoring rubric.
 
 Validate skills and public-facing files with:
 
 ```sh
 bun cli/aw.ts check-skills
+bun cli/aw.ts catalog-check
+bun cli/aw.ts eval-check
 bun cli/aw.ts publication-scan
 bun cli/aw.ts publication-scan --list
 ```
@@ -229,9 +267,11 @@ bun cli/aw.ts publication-scan --list
 | [Subagent delegation brief](workflows/subagent-delegation-brief.md) | Parallel task delegation | Brief + result spec |
 | [Multi-agent review loop](workflows/multi-agent-review-loop.md) | Research/review/design sprints | Synthesized recommendation |
 | [External action gate](workflows/external-action-gate.md) | Sending/posting/commenting/publishing | Approval checklist |
+| [Google Workspace operator pack](workflows/google-workspace-operator-pack.md) | Mapping a draft-first SMB operating layer across Sheets, Drive/Docs, Calendar, and Gmail | Operator map |
 | [Analytics consent audit](workflows/analytics-consent-audit.md) | Checking consent-gated analytics and conversion tracking | Audit report |
 | [Google Ads upload QA](workflows/google-ads-upload-qa.md) | Reviewing paid-search bulk uploads before account changes | QA report |
 | [Ad preflight review](workflows/ad-preflight-review.md) | Reviewing ad claims, landing-page alignment, and launch approvals | Preflight report |
+| [Meta Ads CLI dry-run adapter](workflows/meta-ads-cli-dry-run-adapter.md) | Preparing Meta Ads CLI or Marketing API work without default account access | Adapter map |
 | [Paid social launch gate](workflows/paid-social-launch-gate.md) | Checking paid-social launch readiness before platform-visible changes | Launch gate report |
 | [Technical SEO launch audit](workflows/technical-seo-launch-audit.md) | Checking crawl, indexation, sitemap, robots, metadata, and schema readiness | SEO audit report |
 | [Product marketing context builder](workflows/product-marketing-context-builder.md) | Building reusable product, audience, proof, and claim-boundary context | Context document |
@@ -266,6 +306,18 @@ All examples are synthetic. Do not commit secrets, private conversations,
 client/employer material, real account IDs, internal repo names, or hidden system
 prompts. See [Publication policy](PUBLICATION_POLICY.md).
 
+Before release, run:
+
+```sh
+bun run validate
+```
+
+This checks tests, workflow schema compatibility, skill structure, README,
+examples index, eval fixture discoverability, eval fixture shape, and obvious
+publication-safety patterns.
+Use [release-checklist.md](docs/release-checklist.md) for the full public
+release gate.
+
 ## Accessibility
 
 Accessibility expectations for docs, templates, diagrams, and CLI output are in