From 0aa5ca0ea73574767f96ac9cac59656777c0e864 Mon Sep 17 00:00:00 2001
From: Chrison Simtian <csimon@chrison.dev>
Date: Sat, 30 May 2026 14:20:22 +1200
Subject: [PATCH 01/10] chore(experimental): set version.json to
 2026.1.0-alpha.{height}

Seeds the fast/AI lane (ADR-0004). experimental is a non-public NB.GV ref, so
builds get -alpha.<height>.g<commit>, sorting below main's -preview. Same core as
main (2026.1.0); breaking surface rides [Experimental] until the yearly cut.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---
 version.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/version.json b/version.json
index b5a80df54..c4d5b2508 100644
--- a/version.json
+++ b/version.json
@@ -1,6 +1,6 @@
 {
   "$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/main/src/NerdBank.GitVersioning/version.schema.json",
-  "version": "2026.1.0-preview.{height}",
+  "version": "2026.1.0-alpha.{height}",
   "publicReleaseRefSpec": [
     "^refs/heads/release/\\d{4}$",
     "^refs/heads/support/\\d{4}$",
@@ -18,7 +18,7 @@
   },
   "release": {
     "versionIncrement": "minor",
-    "firstUnstableTag": "preview",
+    "firstUnstableTag": "alpha",
     "branchName": "release/{version}"
   }
 }

From f8d631cb7ece7c31e1d5f64debab14dab75529af Mon Sep 17 00:00:00 2001
From: Chrison Simtian <csimon@chrison.dev>
Date: Sun, 31 May 2026 12:49:13 +1200
Subject: [PATCH 02/10] =?UTF-8?q?chore:=20forward-port=20main=20=E2=86=92?=
 =?UTF-8?q?=20experimental=20(CI=20hygiene=20#322/#324/#329)=20(#338)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* ci: realign triggers to the 3-tier ladder + hygiene (milestone #18) (#330)

Implements the trigger/hygiene slice of milestone #18 (CI cost & pipeline
structure). #325 (publish-lane realignment) already landed in the ladder PR.

- #318/#326 Cross-platform gated to release intent. windows/macos no longer run
  on main/experimental pushes (or any routine push). They run only on PR-to-
  release/* or support/*, and on v* tag pushes. ("On main we've got our edge":
  the ubuntu-latest PR gate + alpha/preview pipelines.) workflow_dispatch is not
  emitted — the generator only writes it with inputs; GitHub's run re-run covers
  on-demand cross-platform.
- #322 concurrency cancel-in-progress on ubuntu/windows/macos (generator) +
  experimental.yml + preview.yml. NOT on release.yml (never cancel a publish).
- #323/#328 Canonical CI-ignore list (docs/**, .assets/**, **/*.md) on every
  PR/push trigger. (release.yml is tag-triggered, so path-ignore is N/A there.)
- #327 Codified "feature branches run zero CI until PR'd" + the trigger model in
  docs/agents/conventions.md, with what-not-to-do guards.
- #329 Dropped dead 'submodules: recursive' from all checkouts + the generator
  (no .gitmodules; full build passes without it) and the stale vendor comment.

Generated workflows regenerated from build/Build.CI.GitHubActions.cs.

Deferred (own follow-ups): #324 split Build/Test/Pack stages; #328 caching
deep-dive; #327 automated reflective guard-test (docs guard in place now).

Also unblocked publishing separately: the github-packages environment
deployment policy now allows experimental/main/release/*/support/* + v* tags.

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* ci: test before publishing on every lane + cache restore-keys (#324, #328) (#331)

#324 — experimental.yml and preview.yml ran `dotnet fallout Pack` only, publishing
alpha/preview packages WITHOUT running tests. Both now run `dotnet fallout Test Pack`
(release.yml + the PR gate already did). One invocation = NUKE's discrete internal
stages (Restore → Compile → Test → Pack), failing at the breaking stage; a test
failure stops the job before the push step, so untested packages never publish.
Separate per-step `dotnet fallout` invocations are avoided on purpose — each re-runs
the dependency graph (double-compile); the single invocation is the staged build.

#328 — added `restore-keys:` prefix fallback to the hand-written workflows' caches
for faster partial restores on key miss. Evaluation: current key (global.json +
*.csproj + Directory.Packages.props) is the right dependency set; no packages.lock.json
exists to add; build-output (bin/obj) caching deliberately not done (stale-artifact
risk). Canonical ignore list (docs/.assets/md) already applied in the trigger PR.

Codified both in docs/agents/conventions.md.

Deferred: #327 automated reflective guard-test (docs guard already in place).

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---
 .github/workflows/experimental.yml   | 17 +++++++++--
 .github/workflows/macos-latest.yml   | 14 +++++++--
 .github/workflows/preview.yml        | 17 +++++++++--
 .github/workflows/release.yml        |  3 +-
 .github/workflows/ubuntu-latest.yml  |  5 +++-
 .github/workflows/windows-latest.yml | 14 +++++++--
 build/Build.CI.GitHubActions.cs      | 44 ++++++++++++++++++----------
 docs/agents/conventions.md           | 16 ++++++++++
 8 files changed, 101 insertions(+), 29 deletions(-)

diff --git a/.github/workflows/experimental.yml b/.github/workflows/experimental.yml
index 76faad6d7..ad9ca7fee 100644
--- a/.github/workflows/experimental.yml
+++ b/.github/workflows/experimental.yml
@@ -28,6 +28,11 @@ on:
       - '.assets/**'
       - '**/*.md'
 
+# Cancel a superseded alpha build when a newer commit lands (#322). Never on release.yml.
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 permissions:
   contents: read
 
@@ -44,7 +49,6 @@ jobs:
       - uses: actions/checkout@v6
         with:
           fetch-depth: 0           # Nerdbank.GitVersioning needs full history
-          submodules: recursive
       - name: 'Cache: .fallout/temp, ~/.nuget/packages'
         uses: actions/cache@v4
         with:
@@ -52,14 +56,21 @@ jobs:
             .fallout/temp
             ~/.nuget/packages
           key: ${{ runner.os }}-experimental-${{ hashFiles('**/global.json', '**/*.csproj', '**/Directory.Packages.props', 'version.json') }}
+          restore-keys: |
+            ${{ runner.os }}-experimental-
       - name: 'Setup: .NET SDK'
         uses: actions/setup-dotnet@v4
         with:
           global-json-file: global.json
       - name: 'Restore: dotnet tools'
         run: dotnet tool restore
-      - name: 'Run: Pack'
-        run: dotnet fallout Pack
+      # build + unit-test before publishing alpha (#324). One invocation: NUKE runs
+      # this as discrete internal stages (Restore → Compile → Test → Pack) and fails
+      # at the breaking stage — separate `dotnet fallout` steps would re-run the
+      # dependency graph (double-compile), so we keep it a single invocation.
+      # If Test fails, the job stops here and nothing is published.
+      - name: 'Run: Test + Pack'
+        run: dotnet fallout Test Pack
       - name: 'Push: all *.nupkg to GitHub Packages (alpha)'
         run: |
           set -euo pipefail
diff --git a/.github/workflows/macos-latest.yml b/.github/workflows/macos-latest.yml
index b17aacacd..426d42ffa 100644
--- a/.github/workflows/macos-latest.yml
+++ b/.github/workflows/macos-latest.yml
@@ -18,11 +18,20 @@ name: macos-latest
 
 on:
   push:
+    tags:
+      - 'v*'
+  pull_request:
     branches:
-      - experimental
-      - main
       - 'release/*'
       - 'support/*'
+    paths-ignore:
+      - 'docs/**'
+      - '.assets/**'
+      - '**/*.md'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
 
 jobs:
   macos-latest:
@@ -31,7 +40,6 @@ jobs:
     steps:
       - uses: actions/checkout@v6
         with:
-          submodules: recursive
           fetch-depth: 0
       - name: 'Cache: .fallout/temp, ~/.nuget/packages'
         uses: actions/cache@v4
diff --git a/.github/workflows/preview.yml b/.github/workflows/preview.yml
index 5b90bedfa..f3d34cc1a 100644
--- a/.github/workflows/preview.yml
+++ b/.github/workflows/preview.yml
@@ -28,6 +28,11 @@ on:
       - '.assets/**'
       - '**/*.md'
 
+# Cancel a superseded preview build when a newer commit lands (#322). Never on release.yml.
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 permissions:
   contents: read
 
@@ -44,7 +49,6 @@ jobs:
       - uses: actions/checkout@v6
         with:
           fetch-depth: 0           # Nerdbank.GitVersioning needs full history
-          submodules: recursive
       - name: 'Cache: .fallout/temp, ~/.nuget/packages'
         uses: actions/cache@v4
         with:
@@ -52,14 +56,21 @@ jobs:
             .fallout/temp
             ~/.nuget/packages
           key: ${{ runner.os }}-preview-${{ hashFiles('**/global.json', '**/*.csproj', '**/Directory.Packages.props', 'version.json') }}
+          restore-keys: |
+            ${{ runner.os }}-preview-
       - name: 'Setup: .NET SDK'
         uses: actions/setup-dotnet@v4
         with:
           global-json-file: global.json
       - name: 'Restore: dotnet tools'
         run: dotnet tool restore
-      - name: 'Run: Pack'
-        run: dotnet fallout Pack
+      # build + unit-test before publishing preview (#324). One invocation: NUKE runs
+      # this as discrete internal stages (Restore → Compile → Test → Pack) and fails
+      # at the breaking stage — separate `dotnet fallout` steps would re-run the
+      # dependency graph (double-compile), so we keep it a single invocation.
+      # If Test fails, the job stops here and nothing is published.
+      - name: 'Run: Test + Pack'
+        run: dotnet fallout Test Pack
       - name: 'Push: all *.nupkg to GitHub Packages (preview)'
         run: |
           set -euo pipefail
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index d7820252e..ce115724e 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -94,7 +94,6 @@ jobs:
         with:
           ref: ${{ inputs.tag || github.ref }}
           fetch-depth: 0           # Nerdbank.GitVersioning needs full history
-          submodules: recursive    # vendor/vs-solutionpersistence
       - name: 'Cache: .fallout/temp, ~/.nuget/packages'
         uses: actions/cache@v4
         with:
@@ -102,6 +101,8 @@ jobs:
             .fallout/temp
             ~/.nuget/packages
           key: ${{ runner.os }}-release-${{ hashFiles('**/global.json', '**/*.csproj', '**/Directory.Packages.props', 'version.json') }}
+          restore-keys: |
+            ${{ runner.os }}-release-
       - name: 'Setup: .NET SDK'
         uses: actions/setup-dotnet@v4
         with:
diff --git a/.github/workflows/ubuntu-latest.yml b/.github/workflows/ubuntu-latest.yml
index e1e942332..45f548d6e 100644
--- a/.github/workflows/ubuntu-latest.yml
+++ b/.github/workflows/ubuntu-latest.yml
@@ -28,6 +28,10 @@ on:
       - '.assets/**'
       - '**/*.md'
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
   ubuntu-latest:
     name: ubuntu-latest
@@ -35,7 +39,6 @@ jobs:
     steps:
       - uses: actions/checkout@v6
         with:
-          submodules: recursive
           fetch-depth: 0
           repository: ${{ github.event.pull_request.head.repo.full_name || github.repository }}
           ref: ${{ github.head_ref }}
diff --git a/.github/workflows/windows-latest.yml b/.github/workflows/windows-latest.yml
index abfd9026f..bc97f4c73 100644
--- a/.github/workflows/windows-latest.yml
+++ b/.github/workflows/windows-latest.yml
@@ -18,11 +18,20 @@ name: windows-latest
 
 on:
   push:
+    tags:
+      - 'v*'
+  pull_request:
     branches:
-      - experimental
-      - main
       - 'release/*'
       - 'support/*'
+    paths-ignore:
+      - 'docs/**'
+      - '.assets/**'
+      - '**/*.md'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
 
 jobs:
   windows-latest:
@@ -31,7 +40,6 @@ jobs:
     steps:
       - uses: actions/checkout@v6
         with:
-          submodules: recursive
           fetch-depth: 0
       - name: 'Cache: .fallout/temp, ~/.nuget/packages'
         uses: actions/cache@v4
diff --git a/build/Build.CI.GitHubActions.cs b/build/Build.CI.GitHubActions.cs
index 835e50ea9..6a272c419 100644
--- a/build/Build.CI.GitHubActions.cs
+++ b/build/Build.CI.GitHubActions.cs
@@ -1,37 +1,51 @@
 using Fallout.Common.CI.GitHubActions;
 using Fallout.Components;
 
-// macOS and Windows runs are reserved for post-merge validation on the
-// long-lived branches (experimental, main, release/YYYY, support/*). PRs and
-// feature-branch pushes get Linux-only for fast, cheap feedback. Cross-platform
-// regressions on those branches surface as a red commit — same fail-fast model.
+// Cross-platform (macOS/Windows) full Test+Pack is gated to RELEASE INTENT
+// (#318/#326): it runs only on a PR into a production branch (release/YYYY,
+// support/*) and on a release tag push (v*) — never on routine pushes to
+// main/experimental, never on a per-merge basis. On main/experimental "we've
+// got our edge": the ubuntu-latest PR gate + the alpha/preview pipelines.
+// (workflow_dispatch as a manual cross-platform trigger isn't emitted here —
+// the generator only writes workflow_dispatch when it has inputs; GitHub's
+// built-in run re-run covers the on-demand case.)
+//
+// concurrency cancel-in-progress (#322): superseded runs are cancelled rather
+// than stacked. Never applied to release.yml (a publish must not be cancelled).
 [GitHubActions(
     "macos-latest",
     GitHubActionsImage.MacOsLatest,
     FetchDepth = 0,
-    Submodules = GitHubActionsSubmodules.Recursive,
-    OnPushBranches = new[] { ExperimentalBranch, MainBranch, ReleaseBranchPattern, SupportBranchPattern },
+    ConcurrencyGroup = "${{ github.workflow }}-${{ github.ref }}",
+    ConcurrencyCancelInProgress = true,
+    OnPushTags = new[] { "v*" },
+    OnPullRequestBranches = new[] { ReleaseBranchPattern, SupportBranchPattern },
+    OnPullRequestExcludePaths = new[] { "docs/**", ".assets/**", "**/*.md" },
     InvokedTargets = new[] { nameof(ITest.Test), nameof(IPack.Pack) },
     PublishArtifacts = false)]
 [GitHubActions(
     "windows-latest",
     GitHubActionsImage.WindowsLatest,
     FetchDepth = 0,
-    Submodules = GitHubActionsSubmodules.Recursive,
-    OnPushBranches = new[] { ExperimentalBranch, MainBranch, ReleaseBranchPattern, SupportBranchPattern },
+    ConcurrencyGroup = "${{ github.workflow }}-${{ github.ref }}",
+    ConcurrencyCancelInProgress = true,
+    OnPushTags = new[] { "v*" },
+    OnPullRequestBranches = new[] { ReleaseBranchPattern, SupportBranchPattern },
+    OnPullRequestExcludePaths = new[] { "docs/**", ".assets/**", "**/*.md" },
     InvokedTargets = new[] { nameof(ITest.Test), nameof(IPack.Pack) },
     PublishArtifacts = false)]
-// pull_request only — same-repo branches would otherwise fire both push and
-// pull_request events on every push, double-running the validation.
-//
-// CheckoutRef = github.head_ref pins checkout to the PR source branch instead of the merge SHA,
-// keeping HEAD attached so GitHubTasksTest.GitHubRepositoryFromLocalDirectoryTest (which reads
-// .git/HEAD via GitRepository.FromLocalDirectory) resolves a non-null branch.
+// The Linux PR gate — the only required status check. pull_request only:
+// feature-branch pushes run zero CI until a PR is opened against a long-lived
+// branch (#327). CheckoutRef = github.head_ref pins checkout to the PR source
+// branch instead of the merge SHA, keeping HEAD attached so
+// GitHubTasksTest.GitHubRepositoryFromLocalDirectoryTest (which reads .git/HEAD
+// via GitRepository.FromLocalDirectory) resolves a non-null branch.
 [GitHubActions(
     "ubuntu-latest",
     GitHubActionsImage.UbuntuLatest,
     FetchDepth = 0,
-    Submodules = GitHubActionsSubmodules.Recursive,
+    ConcurrencyGroup = "${{ github.workflow }}-${{ github.ref }}",
+    ConcurrencyCancelInProgress = true,
     CheckoutRef = "${{ github.head_ref }}",
     // Trigger for PRs targeting experimental, main, or any release/YYYY / support/*
     // branch — all are long-lived and protected; all require the ubuntu-latest check.
diff --git a/docs/agents/conventions.md b/docs/agents/conventions.md
index b85d0e49f..555ce8125 100644
--- a/docs/agents/conventions.md
+++ b/docs/agents/conventions.md
@@ -34,9 +34,25 @@ public sealed class NewPluginHost
 - **Channel discipline differs.** On the `experimental` (alpha) / `main` (preview) test lanes, churn is expected and the attribute is a courtesy. On a `release/YYYY` **production line**, any risky-but-shipped public surface **must** wear `[Experimental]` — that contract is what keeps the stable line trustworthy while still carrying new work.
 - **Don't apply it speculatively.** Because the diagnostic is error-by-default, marking an API that's already used internally breaks the build everywhere it's referenced. Only add `[Experimental]` to a genuinely not-yet-stable API, and suppress every internal usage in the same change so the build stays green.
 
+## CI pipeline & triggers
+
+Shaped by [milestone #18](https://github.com/ChrisonSimtian/Fallout/milestone/18) and the [ADR-0004](../adr/0004-calendar-versioning-and-dual-pace-channels.md) ladder. Invariants:
+
+- **Feature branches run zero CI until a PR is opened.** Push triggers list **only** long-lived branches; nothing fires on `feature/*`, `bugfix/*`, etc. until they're PR'd against `experimental`/`main`/`release/*`/`support/*`. Do **not** add a working-branch pattern to any `OnPush*`/`branches:` trigger.
+- **The Linux PR gate (`ubuntu-latest`) is the only required check** — runs on PRs to the four long-lived branches.
+- **`experimental` (push) → `-alpha`, `main` (push) → `-preview`** to GitHub Packages (`experimental.yml` / `preview.yml`).
+- **Cross-platform `windows`/`macos` are gated to release intent** — PR-to-`release/*`/`support/*` or a `v*` tag push only. They do **not** run on `main`/`experimental` pushes. ("On `main` we've got our edge.")
+- **`concurrency: cancel-in-progress` on every build workflow except `release.yml`** — never cancel a publish mid-flight.
+- **Canonical CI-ignore paths:** `docs/**`, `.assets/**`, `**/*.md` — applied to every PR/push trigger.
+- The `ubuntu-latest` / `windows-latest` / `macos-latest` workflows are **generated** from `build/Build.CI.GitHubActions.cs` — edit the attributes + constants there and regenerate (`./build.sh`), never hand-edit the `.yml`. `experimental.yml` / `preview.yml` / `release.yml` are hand-written.
+- **Every publishing lane runs `Test` before it publishes** (#324). `experimental.yml`, `preview.yml`, and `release.yml` all run a single `dotnet fallout Test Pack` invocation — NUKE executes it as discrete internal stages (Restore → Compile → Test → Pack) and fails at the breaking stage, so a test failure stops the job before the push step. Don't split a lane into separate `dotnet fallout Compile`/`Test`/`Pack` steps — each invocation re-runs the dependency graph (double-compile); the single invocation *is* the staged build.
+- **Caching** (#328): every workflow caches `~/.nuget/packages` + `.fallout/temp`, keyed on `global.json` + `**/*.csproj` + `Directory.Packages.props` (the dependency-affecting set), with a `restore-keys:` prefix fallback for partial restores. There is no `packages.lock.json` to add to the key, and build outputs (`bin`/`obj`) are deliberately **not** cached (stale-artifact correctness risk).
+
 ## What not to do
 
 - Don't reintroduce `source/` — production code lives under `src/`, tests under `tests/`. Same for `images/` (now `.assets/`).
+- Don't add `main`/`experimental` (or any working-branch pattern) to the **push** triggers of the cross-platform workflows — they're release-intent-gated on purpose (milestone #18 / #318 / #326).
+- Don't add `submodules: recursive` to checkouts — there are no submodules (no `.gitmodules`); it's a dead init step.
 - Don't add `secret`/`default` defaults to tool JSON files (see CONTRIBUTING.md).
 - Don't introduce a new test framework or assertion library — stay on xUnit + FluentAssertions + Verify.
 - Don't commit `output/` or any `bin/`/`obj/` directory.

From 8fa4b9589efd40ddb9a15f9083b1f61bb6b0fbd8 Mon Sep 17 00:00:00 2001
From: Chrison Simtian <csimon@chrison.dev>
Date: Sun, 31 May 2026 13:16:57 +1200
Subject: [PATCH 03/10] feat(publish): multi-channel, package-ID-aware
 publishing + dogfood the lanes (#333) (#339)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* feat(publish): multi-channel, package-ID-aware publishing surface (#333, FALLOUT001)

IPublish gains [Experimental("FALLOUT001")] PublishTargets + a --publish-to selector;
Publish now routes one Pack output across multiple feeds via the pure, unit-tested
PublishPackageRouter (glob include/exclude by package name). Existing single-source
members stay as a back-compat default target.

Build.cs wires the two real channels: github-packages (every package incl Nuke.*,
keyed by the GitHub token) and nuget.org (Fallout.* only, never Nuke.*, keyed by
NUGET_API_KEY) — replacing the legacy single-feed push.

- src/Fallout.Components/PublishTarget.cs — PublishTarget record + PublishPackageRouter
- tests/Fallout.Components.Tests — 10 router tests (added to fallout.slnx)
- docs/experimental-apis.md — FALLOUT001 registered

Framework compiles clean (0 errors); router tests green. Workflow rewire to
`dotnet fallout Publish --publish-to …` follows once experimental is synced with main.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* ci(publish): dogfood `dotnet fallout Publish` on the alpha/preview lanes (#333)

experimental.yml and preview.yml now publish via `dotnet fallout Publish --publish-to
github-packages` instead of a hand-rolled `dotnet nuget push` loop. Publish depends on
Test + Pack, so one invocation runs Restore → Compile → Test → Pack → Publish as NUKE
stages; package routing (Fallout.* + Nuke.* → GitHub Packages) lives in Build.cs
IPublish.PublishTargets. The GitHub token is passed via the GitHubToken env.

Also restore IPublish.PackagePushSettings + PushSettingsBase (kept for back-compat) so the
multi-channel reshape stays additive — the new PublishTargets/PublishTo surface is the only
opt-in change, behind [Experimental("FALLOUT001")].

release.yml's publish jobs still use raw nuget push (they're coupled to the artifact
handoff + nuget-org approval gate) — dogfooding those is folded into #336.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* fix(publish): make PublishTarget a sealed class so the shim generator skips it

CI caught CS0509: the TransitionShimGenerator tried to derive a Nuke.Components
shim from the sealed *record* PublishTarget. Sealed classes are skipped by design
(SHIM001), but the sealed-record shape slipped past that guard. PublishTarget is a
new type with no pre-rename consumers, so skipping its shim is correct; switching
record→sealed class hits the documented skip path. We don't use record equality/`with`.

Verified: Nuke.Components builds 0 errors (SHIM001 warning only).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* test(generators): accept solution-generator snapshot for new Fallout.Components.Tests

Adding tests/Fallout.Components.Tests to fallout.slnx makes the StronglyTypedSolution
generator emit a Fallout_Components_Tests accessor; update the Verify snapshot to match
(one added line — the new project's strongly-typed Solution property).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---
 .github/workflows/experimental.yml            | 33 ++-----
 .github/workflows/preview.yml                 | 33 ++-----
 build/Build.cs                                | 50 ++++++----
 docs/experimental-apis.md                     |  2 +-
 fallout.slnx                                  |  1 +
 src/Fallout.Components/IPublish.cs            | 98 +++++++++++++++----
 src/Fallout.Components/PublishTarget.cs       | 83 ++++++++++++++++
 .../Fallout.Components.Tests.csproj           | 11 +++
 .../PublishPackageRouterTests.cs              | 62 ++++++++++++
 ...nGeneratorTest.Test#Solution.g.verified.cs |  1 +
 10 files changed, 288 insertions(+), 86 deletions(-)
 create mode 100644 src/Fallout.Components/PublishTarget.cs
 create mode 100644 tests/Fallout.Components.Tests/Fallout.Components.Tests.csproj
 create mode 100644 tests/Fallout.Components.Tests/PublishPackageRouterTests.cs

diff --git a/.github/workflows/experimental.yml b/.github/workflows/experimental.yml
index ad9ca7fee..e5d88e09e 100644
--- a/.github/workflows/experimental.yml
+++ b/.github/workflows/experimental.yml
@@ -64,26 +64,13 @@ jobs:
           global-json-file: global.json
       - name: 'Restore: dotnet tools'
         run: dotnet tool restore
-      # build + unit-test before publishing alpha (#324). One invocation: NUKE runs
-      # this as discrete internal stages (Restore → Compile → Test → Pack) and fails
-      # at the breaking stage — separate `dotnet fallout` steps would re-run the
-      # dependency graph (double-compile), so we keep it a single invocation.
-      # If Test fails, the job stops here and nothing is published.
-      - name: 'Run: Test + Pack'
-        run: dotnet fallout Test Pack
-      - name: 'Push: all *.nupkg to GitHub Packages (alpha)'
-        run: |
-          set -euo pipefail
-          shopt -s nullglob
-          packages=(output/packages/*.nupkg)
-          if [ ${#packages[@]} -eq 0 ]; then
-            echo "::error::No packages found — nothing to publish to the experimental channel."
-            exit 1
-          fi
-          for pkg in "${packages[@]}"; do
-            echo "Pushing $pkg to GitHub Packages (alpha)..."
-            dotnet nuget push "$pkg" \
-              --source "https://nuget.pkg.github.com/ChrisonSimtian/index.json" \
-              --api-key "${{ secrets.GITHUB_TOKEN }}" \
-              --skip-duplicate
-          done
+      # Test + Pack + push alpha → GitHub Packages, all through our own framework (#333) —
+      # dogfooding `dotnet fallout Publish` instead of a hand-rolled `dotnet nuget push`.
+      # `Publish` depends on Test + Pack, so NUKE runs Restore → Compile → Test → Pack →
+      # Publish as discrete internal stages and fails at the breaking stage; if Test fails
+      # the job stops before any push. Which packages go where (Fallout.* + Nuke.* → GitHub
+      # Packages) is decided by Build.cs IPublish.PublishTargets, not here.
+      - name: 'Publish: alpha → GitHub Packages'
+        run: dotnet fallout Publish --publish-to github-packages
+        env:
+          GitHubToken: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/preview.yml b/.github/workflows/preview.yml
index f3d34cc1a..5d71ade08 100644
--- a/.github/workflows/preview.yml
+++ b/.github/workflows/preview.yml
@@ -64,26 +64,13 @@ jobs:
           global-json-file: global.json
       - name: 'Restore: dotnet tools'
         run: dotnet tool restore
-      # build + unit-test before publishing preview (#324). One invocation: NUKE runs
-      # this as discrete internal stages (Restore → Compile → Test → Pack) and fails
-      # at the breaking stage — separate `dotnet fallout` steps would re-run the
-      # dependency graph (double-compile), so we keep it a single invocation.
-      # If Test fails, the job stops here and nothing is published.
-      - name: 'Run: Test + Pack'
-        run: dotnet fallout Test Pack
-      - name: 'Push: all *.nupkg to GitHub Packages (preview)'
-        run: |
-          set -euo pipefail
-          shopt -s nullglob
-          packages=(output/packages/*.nupkg)
-          if [ ${#packages[@]} -eq 0 ]; then
-            echo "::error::No packages found — nothing to publish to the preview channel."
-            exit 1
-          fi
-          for pkg in "${packages[@]}"; do
-            echo "Pushing $pkg to GitHub Packages (preview)..."
-            dotnet nuget push "$pkg" \
-              --source "https://nuget.pkg.github.com/ChrisonSimtian/index.json" \
-              --api-key "${{ secrets.GITHUB_TOKEN }}" \
-              --skip-duplicate
-          done
+      # Test + Pack + push preview → GitHub Packages, all through our own framework (#333) —
+      # dogfooding `dotnet fallout Publish` instead of a hand-rolled `dotnet nuget push`.
+      # `Publish` depends on Test + Pack, so NUKE runs Restore → Compile → Test → Pack →
+      # Publish as discrete internal stages and fails at the breaking stage; if Test fails
+      # the job stops before any push. Which packages go where (Fallout.* + Nuke.* → GitHub
+      # Packages) is decided by Build.cs IPublish.PublishTargets, not here.
+      - name: 'Publish: preview → GitHub Packages'
+        run: dotnet fallout Publish --publish-to github-packages
+        env:
+          GitHubToken: ${{ secrets.GITHUB_TOKEN }}
diff --git a/build/Build.cs b/build/Build.cs
index 823c3535f..40d2f3ffc 100644
--- a/build/Build.cs
+++ b/build/Build.cs
@@ -127,31 +127,41 @@ from framework in project.GetTargetFrameworks()
 
     [Parameter] [Secret] readonly string NuGetApiKey;
 
-    // Publishing to nuget.org now that the Fallout.* rename has landed (#54).
-    // Requires NUGET_API_KEY in repo secrets — see release.yml.
-    string IPublish.NuGetSource => "https://api.nuget.org/v3/index.json";
-    string IPublish.NuGetApiKey => NuGetApiKey;
-
+    // Two publish channels (FALLOUT001 — see IPublish.PublishTargets). Routing replaces the
+    // old single-feed push + the hand-rolled `dotnet nuget push` in the workflows (#333):
+    //   - github-packages: EVERY package, incl. the Nuke.* shims — that ID is owned by the
+    //     original NUKE maintainer (#47), so the shims only ever go here. Keyed by the GitHub token.
+    //   - nuget.org: Fallout.* ONLY, never the Nuke.* shims. Keyed by NUGET_API_KEY.
+    // Select per run from CI with `dotnet fallout Publish --publish-to <name>`. PublishTarget.SkipDuplicate
+    // (default true) keeps re-runs idempotent if a version already exists on a feed.
+#pragma warning disable FALLOUT001 // opting our own build into the experimental multi-channel publish surface
+    IEnumerable<PublishTarget> IPublish.PublishTargets => new[]
+    {
+        new PublishTarget
+        {
+            Name = "github-packages",
+            Source = "https://nuget.pkg.github.com/ChrisonSimtian/index.json",
+            ApiKey = From<ICreateGitHubRelease>().GitHubToken,
+        },
+        new PublishTarget
+        {
+            Name = "nuget.org",
+            Source = "https://api.nuget.org/v3/index.json",
+            ApiKey = NuGetApiKey,
+            IncludePackages = new[] { "Fallout.*" },
+            ExcludePackages = new[] { "Nuke.*" },
+        },
+    };
+#pragma warning restore FALLOUT001
+
+    // The workflows now gate which channel publishes (via --publish-to); no on-branch
+    // requirement here. Missing keys fail per-target inside Publish, so a stray local
+    // `dotnet fallout Publish` is safe (no key → clear error, no push).
     Target IPublish.Publish => _ => _
         .Inherit<IPublish>()
         .Consumes(From<IPack>().Pack)
-        .Requires(() => GitRepository.IsOnMainBranch() && Host is GitHubActions && GitHubActions.Workflow == ReleaseWorkflow)
         .WhenSkipped(DependencyBehavior.Execute);
 
-    // Filter `Nuke.*` shim packages out of the nuget.org push — that ID is owned by
-    // the original NUKE maintainer. The shims still build and pack as artifacts; they
-    // are pushed to GitHub Packages by a follow-up step in .github/workflows/release.yml
-    // (#47).
-    IEnumerable<AbsolutePath> IPublish.PushPackageFiles
-        => From<IPack>().PackagesDirectory.GlobFiles("*.nupkg")
-            .Where(x => !x.NameWithoutExtension.StartsWith("Nuke.", StringComparison.OrdinalIgnoreCase));
-
-    // `--skip-duplicate` makes nuget push idempotent: if a version is already on the feed,
-    // skip it instead of erroring. Lets us rerun release.yml safely when a single package
-    // fails mid-batch without nuking the whole pipeline on retry.
-    Configure<DotNetNuGetPushSettings> IPublish.PushSettings => _ => _
-        .EnableSkipDuplicate();
-
     IEnumerable<AbsolutePath> NuGetPackageFiles
         => From<IPack>().PackagesDirectory.GlobFiles("*.nupkg");
 
diff --git a/docs/experimental-apis.md b/docs/experimental-apis.md
index e51405716..3bf307a2d 100644
--- a/docs/experimental-apis.md
+++ b/docs/experimental-apis.md
@@ -48,7 +48,7 @@ Status values: **Experimental** (live, opt-in), **Promoted** (attribute removed,
 
 | ID | Surface | Introduced | Status | Notes |
 |----|---------|------------|--------|-------|
-| _none allocated yet_ | — | — | — | First experimental API to land claims `FALLOUT001`. |
+| `FALLOUT001` | `Fallout.Components.IPublish.PublishTargets` / `.PublishTo` (multi-channel publishing) | 2026.1 | Experimental | Fan a single `Pack` output across multiple feeds with per-feed package-ID routing (`PublishTarget`). Shape may change while the CD model firms up (epic #332). Promote by deleting the attribute once `ReleaseChannel`/`DeploymentTarget` (#334) settle. |
 
 <!--
 Allocation example (do not uncomment unless a real API is marked):
diff --git a/fallout.slnx b/fallout.slnx
index 6b9975316..0f6ae9699 100644
--- a/fallout.slnx
+++ b/fallout.slnx
@@ -36,6 +36,7 @@
   <Project Path="src\Fallout.Utilities\Fallout.Utilities.csproj" />
   <Project Path="tests\Fallout.Build.Tests\Fallout.Build.Tests.csproj" />
   <Project Path="tests\Fallout.Common.Tests\Fallout.Common.Tests.csproj" />
+  <Project Path="tests\Fallout.Components.Tests\Fallout.Components.Tests.csproj" />
   <Project Path="tests\Fallout.Core.Tests\Fallout.Core.Tests.csproj" />
   <Project Path="tests\Fallout.Cli.Tests\Fallout.Cli.Tests.csproj" />
   <Project Path="tests\Fallout.Migrate.Tests\Fallout.Migrate.Tests.csproj" />
diff --git a/src/Fallout.Components/IPublish.cs b/src/Fallout.Components/IPublish.cs
index 7e5a21102..38a97d626 100644
--- a/src/Fallout.Components/IPublish.cs
+++ b/src/Fallout.Components/IPublish.cs
@@ -1,10 +1,14 @@
-using System;
+#nullable enable
+using System;
 using System.Collections.Generic;
+using System.Diagnostics.CodeAnalysis;
 using System.Linq;
 using Fallout.Common;
 using Fallout.Common.IO;
 using Fallout.Common.Tooling;
 using Fallout.Common.Tools.DotNet;
+using Fallout.Common.Utilities;
+using Fallout.Common.Utilities.Collections;
 using static Fallout.Common.Tools.DotNet.DotNetTasks;
 
 namespace Fallout.Components;
@@ -14,31 +18,87 @@ public interface IPublish : IPack, ITest
     [Parameter] string NuGetSource => TryGetValue(() => NuGetSource) ?? "https://api.nuget.org/v3/index.json";
     [Parameter] [Secret] string NuGetApiKey => TryGetValue(() => NuGetApiKey);
 
-    Target Publish => _ => _
-        .DependsOn(Test, Pack)
-        .Requires(() => NuGetApiKey)
-        // .Requires(() => GitHasCleanWorkingCopy())
-        .Executes(() =>
-        {
-            DotNetNuGetPush(_ => _
-                    .Apply(PushSettingsBase)
-                    .Apply(PushSettings)
-                    .CombineWith(PushPackageFiles, (_, v) => _
-                        .SetTargetPath(v))
-                    .Apply(PackagePushSettings),
-                PushDegreeOfParallelism,
-                PushCompleteOnFailure);
-        });
+    /// <summary>
+    /// The channels this build publishes to (<c>FALLOUT001</c>). Override to fan a single
+    /// <c>Pack</c> output across multiple feeds with per-feed package routing (e.g. GitHub
+    /// Packages for everything, nuget.org for <c>Fallout.*</c> only). The default reproduces
+    /// the legacy single-feed push from <see cref="NuGetSource"/> / <see cref="NuGetApiKey"/>.
+    /// </summary>
+    [Experimental("FALLOUT001")]
+    IEnumerable<PublishTarget> PublishTargets =>
+        new[] { new PublishTarget { Name = "default", Source = NuGetSource, ApiKey = NuGetApiKey } };
 
-    sealed Configure<DotNetNuGetPushSettings> PushSettingsBase => _ => _
-        .SetSource(NuGetSource)
-        .SetApiKey(NuGetApiKey);
+    /// <summary>
+    /// Names of the configured <see cref="PublishTargets"/> to push to this run (<c>FALLOUT001</c>).
+    /// Empty selects all. Wire from the CLI as <c>--publish-to github-packages nuget.org</c>.
+    /// </summary>
+    [Parameter("Publish only to these named targets (default: all configured PublishTargets).")]
+    [Experimental("FALLOUT001")]
+    string[] PublishTo => TryGetValue(() => PublishTo) ?? Array.Empty<string>();
 
+    /// <summary>Extra per-push configuration applied to every target's <c>dotnet nuget push</c>.</summary>
     Configure<DotNetNuGetPushSettings> PushSettings => _ => _;
+
+    /// <summary>Per-package push configuration applied (with <see cref="PushSettings"/>) to every target.</summary>
     Configure<DotNetNuGetPushSettings> PackagePushSettings => _ => _;
 
+    /// <summary>
+    /// Legacy single-feed base settings (source + key from <see cref="NuGetSource"/>/<see cref="NuGetApiKey"/>).
+    /// Retained for back-compat; the multi-channel <see cref="Publish"/> path sets source/key per
+    /// <see cref="PublishTarget"/> instead, so it does not apply this.
+    /// </summary>
+    sealed Configure<DotNetNuGetPushSettings> PushSettingsBase => _ => _
+        .SetSource(NuGetSource)
+        .SetApiKey(NuGetApiKey);
+
+    /// <summary>Candidate package set routed across the selected targets. Defaults to every packed <c>*.nupkg</c>.</summary>
     IEnumerable<AbsolutePath> PushPackageFiles => PackagesDirectory.GlobFiles("*.nupkg");
 
     bool PushCompleteOnFailure => true;
     int PushDegreeOfParallelism => 5;
+
+    Target Publish => _ => _
+        .DependsOn(Test, Pack)
+        .Executes(() =>
+        {
+#pragma warning disable FALLOUT001 // configuring the experimental multi-channel surface is the point of this target
+            var configured = PublishTargets.ToList();
+            var selection = PublishTo;
+#pragma warning restore FALLOUT001
+
+            var targets = selection.Length == 0
+                ? configured
+                : configured.Where(x => selection.Contains(x.Name, StringComparer.OrdinalIgnoreCase)).ToList();
+
+            Assert.True(targets.Count > 0,
+                selection.Length == 0
+                    ? "No publish targets are configured — override IPublish.PublishTargets."
+                    : $"--publish-to [{selection.JoinComma()}] matched none of the configured targets [{configured.Select(x => x.Name).JoinComma()}].");
+
+            var candidates = PushPackageFiles.ToList();
+
+            foreach (var target in targets)
+            {
+                Assert.True(!target.ApiKey.IsNullOrWhiteSpace(), $"Publish target '{target.Name}' has no API key.");
+
+                var routed = candidates.Where(x => target.Accepts(x.NameWithoutExtension)).ToList();
+                if (routed.Count == 0)
+                {
+                    Serilog.Log.Warning("Publish target {Target}: no packaged files matched its routing rules — skipping.", target.Name);
+                    continue;
+                }
+
+                Serilog.Log.Information("Publish target {Target}: pushing {Count} package(s) → {Source}.", target.Name, routed.Count, target.Source);
+                DotNetNuGetPush(_ => _
+                        .SetSource(target.Source)
+                        .SetApiKey(target.ApiKey!)
+                        .When(target.SkipDuplicate, _ => _.EnableSkipDuplicate())
+                        .Apply(PushSettings)
+                        .CombineWith(routed, (_, v) => _
+                            .SetTargetPath(v))
+                        .Apply(PackagePushSettings),
+                    PushDegreeOfParallelism,
+                    PushCompleteOnFailure);
+            }
+        });
 }
diff --git a/src/Fallout.Components/PublishTarget.cs b/src/Fallout.Components/PublishTarget.cs
new file mode 100644
index 000000000..94cacabd8
--- /dev/null
+++ b/src/Fallout.Components/PublishTarget.cs
@@ -0,0 +1,83 @@
+#nullable enable
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Text;
+using System.Text.RegularExpressions;
+
+namespace Fallout.Components;
+
+/// <summary>
+/// A routable publish destination: a package feed plus the rules deciding which
+/// packages go to it. Consumed by <see cref="IPublish"/> to fan a single
+/// <c>Pack</c> output out across multiple channels (e.g. GitHub Packages for
+/// everything, nuget.org for <c>Fallout.*</c> only). Part of the experimental
+/// multi-channel publishing surface (<c>FALLOUT001</c>).
+/// </summary>
+// A sealed class (not a record) so the transition-shim generator skips it: it can't
+// derive a Nuke.* shim from a sealed type (CS0509), and this is a new type with no
+// pre-rename consumers to bridge. We don't rely on record value-equality / `with`.
+public sealed class PublishTarget
+{
+    /// <summary>Logical name, used by the <c>--publish-to</c> selector (e.g. <c>github-packages</c>, <c>nuget.org</c>).</summary>
+    public required string Name { get; init; }
+
+    /// <summary>NuGet feed URL packages are pushed to.</summary>
+    public required string Source { get; init; }
+
+    /// <summary>API key for the feed; <see langword="null"/> when the source needs none.</summary>
+    public string? ApiKey { get; init; }
+
+    /// <summary>Package-name globs (<c>*</c>, <c>?</c>) this target accepts. Default: everything.</summary>
+    public IReadOnlyList<string> IncludePackages { get; init; } = new[] { "*" };
+
+    /// <summary>Package-name globs this target rejects. Exclusion wins over inclusion.</summary>
+    public IReadOnlyList<string> ExcludePackages { get; init; } = Array.Empty<string>();
+
+    /// <summary>Pass <c>--skip-duplicate</c> so re-runs are idempotent on already-published versions.</summary>
+    public bool SkipDuplicate { get; init; } = true;
+
+    /// <summary>
+    /// Whether this target accepts the given package name. <paramref name="packageName"/> is matched
+    /// against the include/exclude globs; callers pass the package file name without its
+    /// <c>.nupkg</c> extension, so a pattern like <c>Fallout.*</c> matches <c>Fallout.Common.2026.1.0</c>.
+    /// </summary>
+    public bool Accepts(string packageName)
+        => PublishPackageRouter.MatchesAny(IncludePackages, packageName)
+           && !PublishPackageRouter.MatchesAny(ExcludePackages, packageName);
+}
+
+/// <summary>
+/// Pure routing logic for <see cref="PublishTarget"/> — kept free of any tooling
+/// or filesystem dependency so it is unit-testable in isolation.
+/// </summary>
+public static class PublishPackageRouter
+{
+    /// <summary>Returns the package names accepted by <paramref name="target"/> from the candidate set.</summary>
+    public static IEnumerable<string> Route(PublishTarget target, IEnumerable<string> packageNames)
+        => packageNames.Where(target.Accepts);
+
+    /// <summary>True when <paramref name="value"/> matches at least one glob in <paramref name="patterns"/> (case-insensitive).</summary>
+    public static bool MatchesAny(IEnumerable<string> patterns, string value)
+        => patterns.Any(pattern => GlobMatches(pattern, value));
+
+    /// <summary>Case-insensitive glob match supporting <c>*</c> (any run) and <c>?</c> (one char).</summary>
+    public static bool GlobMatches(string pattern, string value)
+        => Regex.IsMatch(value, GlobToRegex(pattern), RegexOptions.IgnoreCase | RegexOptions.CultureInvariant);
+
+    static string GlobToRegex(string pattern)
+    {
+        var builder = new StringBuilder("^");
+        foreach (var c in pattern)
+        {
+            builder.Append(c switch
+            {
+                '*' => ".*",
+                '?' => ".",
+                _ => Regex.Escape(c.ToString())
+            });
+        }
+
+        return builder.Append('$').ToString();
+    }
+}
diff --git a/tests/Fallout.Components.Tests/Fallout.Components.Tests.csproj b/tests/Fallout.Components.Tests/Fallout.Components.Tests.csproj
new file mode 100644
index 000000000..35c626099
--- /dev/null
+++ b/tests/Fallout.Components.Tests/Fallout.Components.Tests.csproj
@@ -0,0 +1,11 @@
+<Project Sdk="Microsoft.NET.Sdk">
+
+  <PropertyGroup>
+    <TargetFramework>net10.0</TargetFramework>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <ProjectReference Include="..\..\src\Fallout.Components\Fallout.Components.csproj" />
+  </ItemGroup>
+
+</Project>
diff --git a/tests/Fallout.Components.Tests/PublishPackageRouterTests.cs b/tests/Fallout.Components.Tests/PublishPackageRouterTests.cs
new file mode 100644
index 000000000..1c4f81ff1
--- /dev/null
+++ b/tests/Fallout.Components.Tests/PublishPackageRouterTests.cs
@@ -0,0 +1,62 @@
+using FluentAssertions;
+using Xunit;
+
+namespace Fallout.Components.Tests;
+
+public class PublishPackageRouterTests
+{
+    [Theory]
+    [InlineData("Fallout.*", "Fallout.Common.2026.1.0", true)]
+    [InlineData("Fallout.*", "Nuke.Common.2026.1.0", false)]
+    [InlineData("*", "anything-at-all", true)]
+    [InlineData("Nuke.?ommon*", "Nuke.Common.1.0.0", true)]
+    [InlineData("Nuke.?ommon*", "Nuke.Xommon.1.0.0", true)]
+    [InlineData("Nuke.?", "Nuke.Common", false)]
+    public void GlobMatches_handles_star_and_question(string pattern, string value, bool expected)
+        => PublishPackageRouter.GlobMatches(pattern, value).Should().Be(expected);
+
+    [Fact]
+    public void GlobMatches_is_case_insensitive()
+        => PublishPackageRouter.GlobMatches("fallout.*", "Fallout.Common").Should().BeTrue();
+
+    [Fact]
+    public void Accepts_includes_then_applies_excludes()
+    {
+        // The real nuget.org routing: Fallout.* only, never the Nuke.* shims.
+        var nugetOrg = new PublishTarget
+        {
+            Name = "nuget.org",
+            Source = "https://api.nuget.org/v3/index.json",
+            IncludePackages = new[] { "Fallout.*" },
+            ExcludePackages = new[] { "Nuke.*" },
+        };
+
+        nugetOrg.Accepts("Fallout.Common.2026.1.0").Should().BeTrue();
+        nugetOrg.Accepts("Nuke.Common.2026.1.0").Should().BeFalse();
+    }
+
+    [Fact]
+    public void Accepts_exclusion_wins_over_inclusion()
+    {
+        var target = new PublishTarget
+        {
+            Name = "t",
+            Source = "s",
+            IncludePackages = new[] { "*" },
+            ExcludePackages = new[] { "Nuke.*" },
+        };
+
+        target.Accepts("Fallout.Common").Should().BeTrue();
+        target.Accepts("Nuke.Common").Should().BeFalse();
+    }
+
+    [Fact]
+    public void Default_target_accepts_everything()
+    {
+        // The real github-packages routing: everything, including the Nuke.* shims.
+        var ghPackages = new PublishTarget { Name = "github-packages", Source = "s" };
+        var all = new[] { "Fallout.Common.1.0.0", "Nuke.Common.1.0.0" };
+
+        PublishPackageRouter.Route(ghPackages, all).Should().BeEquivalentTo(all);
+    }
+}
diff --git a/tests/Fallout.SourceGenerators.Tests/StronglyTypedSolutionGeneratorTest.Test#Solution.g.verified.cs b/tests/Fallout.SourceGenerators.Tests/StronglyTypedSolutionGeneratorTest.Test#Solution.g.verified.cs
index 8b2c5d544..2dec22605 100644
--- a/tests/Fallout.SourceGenerators.Tests/StronglyTypedSolutionGeneratorTest.Test#Solution.g.verified.cs
+++ b/tests/Fallout.SourceGenerators.Tests/StronglyTypedSolutionGeneratorTest.Test#Solution.g.verified.cs
@@ -17,6 +17,7 @@ internal class Solution(SolutionModel model, AbsolutePath path) : Fallout.Soluti
     public Fallout.Solutions.Project Fallout_Common => this.GetProject("Fallout.Common");
     public Fallout.Solutions.Project Fallout_Common_Tests => this.GetProject("Fallout.Common.Tests");
     public Fallout.Solutions.Project Fallout_Components => this.GetProject("Fallout.Components");
+    public Fallout.Solutions.Project Fallout_Components_Tests => this.GetProject("Fallout.Components.Tests");
     public Fallout.Solutions.Project Fallout_Consumer_Local => this.GetProject("Fallout.Consumer.Local");
     public Fallout.Solutions.Project Fallout_Consumer_NuGet => this.GetProject("Fallout.Consumer.NuGet");
     public Fallout.Solutions.Project Fallout_Core => this.GetProject("Fallout.Core");

From da36be7bf6bd46e1d78f594f989cb1c99b91ebf0 Mon Sep 17 00:00:00 2001
From: Chrison Simtian <csimon@chrison.dev>
Date: Sun, 31 May 2026 13:29:52 +1200
Subject: [PATCH 04/10] fix(ci): pass the publish token as GITHUB_TOKEN, not
 GitHubToken (#333) (#340)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The dogfood `dotnet fallout Publish` run failed with "Publish target 'github-packages'
has no API key". The github-packages target resolves its key via
From<ICreateGitHubRelease>().GitHubToken → GitHubActions.Token, which reads the
GITHUB_TOKEN env var (EnvironmentInfo.GetVariable("GITHUB_TOKEN")). The lane workflows
set `GitHubToken` instead, which didn't match (ICreateGitHubRelease is also
[ParameterPrefix]-ed, so the unprefixed name wouldn't bind anyway). Set GITHUB_TOKEN.

Caught by letting the post-merge experimental publish actually run.

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---
 .github/workflows/experimental.yml | 2 +-
 .github/workflows/preview.yml      | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/experimental.yml b/.github/workflows/experimental.yml
index e5d88e09e..8307489d1 100644
--- a/.github/workflows/experimental.yml
+++ b/.github/workflows/experimental.yml
@@ -73,4 +73,4 @@ jobs:
       - name: 'Publish: alpha → GitHub Packages'
         run: dotnet fallout Publish --publish-to github-packages
         env:
-          GitHubToken: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/preview.yml b/.github/workflows/preview.yml
index 5d71ade08..2045a707f 100644
--- a/.github/workflows/preview.yml
+++ b/.github/workflows/preview.yml
@@ -73,4 +73,4 @@ jobs:
       - name: 'Publish: preview → GitHub Packages'
         run: dotnet fallout Publish --publish-to github-packages
         env:
-          GitHubToken: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

From 046a600ed326109416b1bfa0d848960ab0acb932 Mon Sep 17 00:00:00 2001
From: Chrison Simtian <csimon@chrison.dev>
Date: Sun, 31 May 2026 23:37:21 +1200
Subject: [PATCH 05/10] chore: repoint to Fallout-build org after repo transfer
 (experimental) (#346)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Feed URL nuget.pkg.github.com/ChrisonSimtian → /Fallout-build (Build.cs IPublish
github-packages target, release.yml, consumer docs) + CODEOWNERS → @Fallout-build/maintainers.
Sibling of the main repoint (#345). Feed stays PAT-gated (#344).

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---
 .github/CODEOWNERS                    | 4 ++--
 .github/workflows/release.yml         | 2 +-
 CHANGELOG.md                          | 2 +-
 build/Build.cs                        | 2 +-
 docs/agents/release-and-versioning.md | 2 +-
 docs/migration/from-nuke.md           | 2 +-
 src/Shims/Nuke.Build/README.md        | 2 +-
 src/Shims/Nuke.Common/README.md       | 4 ++--
 src/Shims/Nuke.Components/README.md   | 2 +-
 9 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index 3b08bb53b..713f0c064 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -8,5 +8,5 @@
 # changelogs, etc.) have no code owner and are gated only by the required CI
 # status check.
 
-/src/**     @ChrisonSimtian
-/tests/**   @ChrisonSimtian
+/src/**     @Fallout-build/maintainers
+/tests/**   @Fallout-build/maintainers
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index ce115724e..10e1e1e4d 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -199,7 +199,7 @@ jobs:
           for pkg in "${packages[@]}"; do
             echo "Pushing $pkg to GitHub Packages..."
             dotnet nuget push "$pkg" \
-              --source "https://nuget.pkg.github.com/ChrisonSimtian/index.json" \
+              --source "https://nuget.pkg.github.com/Fallout-build/index.json" \
               --api-key "${{ secrets.GITHUB_TOKEN }}" \
               --skip-duplicate
           done
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8ac51bd0f..49a482d1a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -123,7 +123,7 @@ The NUKE → Fallout hard fork. Originally NUKE by [@matkoch](https://github.com
 ### Backwards-compat: Nuke.* transition shims
 - **`Nuke.Common` MVP shim package** (#70): thin wrapper assembly in the `Nuke.*` namespace whose types inherit from the corresponding `Fallout.*` types — lets pre-rename consumers compile against the new packages without source changes. Lives at `src/Shims/Nuke.Common/`.
 - **`TransitionShimGenerator` source generator** (#69): emits shim type wrappers per-target, covering the Nuke.Common "Easy tier" surface (plain types, interfaces, enums) and static-class method delegation. Hard-tier types (sealed structs, delegates, etc.) raise `SHIM001` warnings with a pointer to `fallout-migrate`.
-- **Shim packages publish to GitHub Packages** (#47): `Nuke.*` package IDs belong to matkoch on nuget.org, so the transition shim feed lives at GH Packages (`https://nuget.pkg.github.com/ChrisonSimtian/index.json`). Production-build feed is nuget.org with `Fallout.*` only.
+- **Shim packages publish to GitHub Packages** (#47): `Nuke.*` package IDs belong to matkoch on nuget.org, so the transition shim feed lives at GH Packages (`https://nuget.pkg.github.com/Fallout-build/index.json`). Production-build feed is nuget.org with `Fallout.*` only.
 
 ### Vendored fork of `Microsoft.VisualStudio.SolutionPersistence`
 - **Replaced `matkoch.Microsoft.VisualStudio.SolutionPersistence` with a vendored fork** (#86). The upstream Microsoft package only ships `net472` + `net8.0`; our source generators need `netstandard2.0`. Matt's fork had the netstandard2.0 patches — we forked his repo at [`ChrisonSimtian/vs-solutionpersistence`](https://github.com/ChrisonSimtian/vs-solutionpersistence) (preserves the MIT license + upstream Microsoft history + attribution chain). Sources are a submodule at `vendor/vs-solutionpersistence/`; wrapper csproj at `src/Fallout.VisualStudio.SolutionPersistence/` compiles them with the TFMs we need. Assembly name stays `Microsoft.VisualStudio.SolutionPersistence` so type identity is preserved. (Note: in 10.2 the wrapper packed as `IsPackable=false` and caused the restore bug fixed in 10.3.0 above — known issue, fix-forward.)
diff --git a/build/Build.cs b/build/Build.cs
index 40d2f3ffc..b1ecb3288 100644
--- a/build/Build.cs
+++ b/build/Build.cs
@@ -140,7 +140,7 @@ from framework in project.GetTargetFrameworks()
         new PublishTarget
         {
             Name = "github-packages",
-            Source = "https://nuget.pkg.github.com/ChrisonSimtian/index.json",
+            Source = "https://nuget.pkg.github.com/Fallout-build/index.json",
             ApiKey = From<ICreateGitHubRelease>().GitHubToken,
         },
         new PublishTarget
diff --git a/docs/agents/release-and-versioning.md b/docs/agents/release-and-versioning.md
index 64493bf57..b6ab8dec4 100644
--- a/docs/agents/release-and-versioning.md
+++ b/docs/agents/release-and-versioning.md
@@ -92,7 +92,7 @@ If you only discover the breaking nature mid-review, apply all relevant steps be
 | Job | Environment | Fires on tag push? | What ships | Gating |
 |---|---|---|---|---|
 | `publish-nuget-org` | `nuget-org` | **No — opt-in only** via `workflow_dispatch` flag | `Fallout.*.nupkg` to https://api.nuget.org/v3/index.json | Workflow flag + approval-gated env |
-| `publish-github-packages` | `github-packages` | Yes | **All** `*.nupkg` (Fallout.* + Nuke.*) to https://nuget.pkg.github.com/ChrisonSimtian/index.json | None |
+| `publish-github-packages` | `github-packages` | Yes | **All** `*.nupkg` (Fallout.* + Nuke.*) to https://nuget.pkg.github.com/Fallout-build/index.json | None |
 | `publish-github-releases` | `github-releases` | Yes | All `*.nupkg` attached to a GitHub Release on the tag, auto-generated notes | None |
 
 ### Test lanes (from `experimental` and `main`)
diff --git a/docs/migration/from-nuke.md b/docs/migration/from-nuke.md
index 1332f6d86..f1eba5a94 100644
--- a/docs/migration/from-nuke.md
+++ b/docs/migration/from-nuke.md
@@ -82,7 +82,7 @@ The shim ships on **GitHub Packages** (not nuget.org — that namespace belongs
 <?xml version="1.0" encoding="utf-8"?>
 <configuration>
   <packageSources>
-    <add key="fallout-shims" value="https://nuget.pkg.github.com/ChrisonSimtian/index.json" />
+    <add key="fallout-shims" value="https://nuget.pkg.github.com/Fallout-build/index.json" />
   </packageSources>
   <packageSourceCredentials>
     <fallout-shims>
diff --git a/src/Shims/Nuke.Build/README.md b/src/Shims/Nuke.Build/README.md
index c4d6797d8..69f5a348b 100644
--- a/src/Shims/Nuke.Build/README.md
+++ b/src/Shims/Nuke.Build/README.md
@@ -11,7 +11,7 @@ Coverage and limitations are the same as the `Nuke.Common` shim — see [`../Nuk
 Add this fork's GitHub Packages feed to your `nuget.config`:
 
 ```xml
-<add key="fallout-shims" value="https://nuget.pkg.github.com/ChrisonSimtian/index.json" />
+<add key="fallout-shims" value="https://nuget.pkg.github.com/Fallout-build/index.json" />
 ```
 
 Then bump your `Nuke.Build` package reference to the latest 10.3.x or later.
diff --git a/src/Shims/Nuke.Common/README.md b/src/Shims/Nuke.Common/README.md
index 3d7a48380..6d515d5c7 100644
--- a/src/Shims/Nuke.Common/README.md
+++ b/src/Shims/Nuke.Common/README.md
@@ -45,14 +45,14 @@ Until automated dual-publish lands (tracked in [#69](https://github.com/ChrisonS
 dotnet pack src/Shims/Nuke.Common/Nuke.Common.csproj -c Release
 dotnet nuget push **/Nuke.Common.*.nupkg `
     --api-key $env:GITHUB_TOKEN `
-    --source https://nuget.pkg.github.com/ChrisonSimtian/index.json
+    --source https://nuget.pkg.github.com/Fallout-build/index.json
 ```
 
 ## Migration path
 
 For projects that just want their `class Build : NukeBuild { ... }` to compile against our framework:
 
-1. Add `https://nuget.pkg.github.com/ChrisonSimtian/index.json` as a NuGet source (`nuget.config`).
+1. Add `https://nuget.pkg.github.com/Fallout-build/index.json` as a NuGet source (`nuget.config`).
 2. Bump the `Nuke.Common` package version to the latest published here.
 3. Build. If the shim covers what you use, you're done. Otherwise:
 4. Run `fallout-migrate` to rewrite the remaining references.
diff --git a/src/Shims/Nuke.Components/README.md b/src/Shims/Nuke.Components/README.md
index afe0142e7..65c2f49d2 100644
--- a/src/Shims/Nuke.Components/README.md
+++ b/src/Shims/Nuke.Components/README.md
@@ -11,7 +11,7 @@ Limitations are the same as the `Nuke.Common` shim — see [`../Nuke.Common/READ
 Add this fork's GitHub Packages feed to your `nuget.config`:
 
 ```xml
-<add key="fallout-shims" value="https://nuget.pkg.github.com/ChrisonSimtian/index.json" />
+<add key="fallout-shims" value="https://nuget.pkg.github.com/Fallout-build/index.json" />
 ```
 
 Then bump your `Nuke.Components` package reference to the latest 10.3.x or later.

From 5b29018412bc815a5552737a970db9fc8ee4d003 Mon Sep 17 00:00:00 2001
From: Chrison Simtian <csimon@chrison.dev>
Date: Sun, 31 May 2026 12:39:28 +1200
Subject: [PATCH 06/10] docs: add ADR-0005 + spike 0001 for CI ports & adapters

Model CI host integration as ports & adapters (hexagonal seam) with an
additive-now / deletions-batched-to-the-year-cut compatibility strategy,
plus the GitHub-adapter-end-to-end spike that validates the runtime-host
port shape.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
---
 ...-ci-host-integration-ports-and-adapters.md | 98 +++++++++++++++++++
 docs/adr/README.md                            |  1 +
 docs/spikes/0001-ci-ports-and-adapters.md     | 91 +++++++++++++++++
 3 files changed, 190 insertions(+)
 create mode 100644 docs/adr/0005-ci-host-integration-ports-and-adapters.md
 create mode 100644 docs/spikes/0001-ci-ports-and-adapters.md

diff --git a/docs/adr/0005-ci-host-integration-ports-and-adapters.md b/docs/adr/0005-ci-host-integration-ports-and-adapters.md
new file mode 100644
index 000000000..bdfd9aeaf
--- /dev/null
+++ b/docs/adr/0005-ci-host-integration-ports-and-adapters.md
@@ -0,0 +1,98 @@
+# ADR-0005 — CI host integration as ports & adapters (hexagonal seam)
+
+- **Status:** Proposed
+- **Date:** 2026-05-31
+- **Deciders:** Fallout maintainers
+- **Relates to:** ADR-[0001](0001-cd-primitives-attributes-vs-tasks.md) (CD primitives — attributes vs tasks), ADR-[0004](0004-calendar-versioning-and-dual-pace-channels.md) (calendar versioning + channels), milestone [#6](https://github.com/ChrisonSimtian/Fallout/milestone/6) (plugin foundation — internal), milestone [#7](https://github.com/ChrisonSimtian/Fallout/milestone/7) (public plugin SDK), RFCs [#97](https://github.com/ChrisonSimtian/Fallout/issues/97)–[#101](https://github.com/ChrisonSimtian/Fallout/issues/101)
+- **Spike:** [docs/spikes/0001-ci-ports-and-adapters.md](../spikes/0001-ci-ports-and-adapters.md)
+
+## Context
+
+CI host integration is the framework's most-replicated extension point — eleven providers today (`AppVeyor`, `AzurePipelines`, `Bamboo`, `Bitbucket`, `Bitrise`, `GitHubActions`, `GitLab`, `Jenkins`, `SpaceAutomation`, `TeamCity`, `TravisCI`), each a folder under `src/Fallout.Common/CI/<Provider>/`. The public plugin SDK (milestone #7) explicitly names **"CI host adapters"** as an extension point it will expose. Before that surface goes public — additive-only, forever — the seam behind it needs to be **named, de-anemic-ed, and enforced**. This ADR records the shape we commit to.
+
+### What's actually there today
+
+A single provider folder conflates **two distinct concerns** with two distinct lifecycles:
+
+1. **Config generation (design-time / output).** `[GitHubActions(...)]` on the build class is reflected into a POCO and serialized to `.github/workflows/*.yml`. The port already exists and is healthy: `IConfigurationGenerator` (`src/Fallout.Build/CICD/IConfigurationGenerator.cs`), implemented by `ConfigurationAttributeBase`. This is the pattern ADR-0001 builds on.
+
+2. **Runtime host integration (execution-time).** Detecting we're running *inside* a host (`IsRunningGitHubActions => HasVariable("GITHUB_ACTIONS")`), emitting host commands (`::group::`, `::error::`), exposing `Branch`/`Commit`, and routing warnings/errors to host-native annotations. The "port" here is the `Host` base class (`src/Fallout.Build/Host.cs` + `Host.Activation.cs`) plus the **anemic** `IBuildServer` interface — currently just `Branch` and `Commit` (`src/Fallout.Build/CICD/IBuildServer.cs`).
+
+### The latent structure is already correct
+
+The dependency direction already obeys the hexagon's hardest rule: **ports live in `Fallout.Build`; the eleven adapters in `Fallout.Common.CI.*` depend inward on them.** Nothing needs re-plumbing. Three things are nonetheless wrong-shaped for a public extension point:
+
+- **The runtime port is anemic and entangled.** `IBuildServer` says almost nothing, and the real host contract is fused into `Host`, a base class that *also* owns logging, theming, and console-output formatting (`WriteLogo`, `WriteBlock`, `WriteTargetOutcome`, …). "Am I a CI host" and "how do I render a build summary" are different jobs welded together.
+- **The boundary is unenforced.** Nothing prevents core code from reaching for a concrete `GitHubActions` type. Today it's clean by discipline; a public SDK needs it clean by construction.
+- **Adapters aren't named as adapters.** Discovery is reflection-by-convention (`Host.Default` scans public `Host` subclasses for a static `IsRunning{Name}` property). It works, but it's implicit — there's no declared "this type is the GitHub adapter for these ports" contract for an external plugin author to implement against.
+
+### Onion or hexagonal?
+
+For a subsystem whose entire value is *N interchangeable providers behind one contract*, **ports-and-adapters (hexagonal) is the right model** — it names the symmetry between the driven side (write a workflow file, push an annotation) and the driving side (the host environment that drives our run). Onion's concentric inward-dependency rule is the *constraint we keep*; hexagonal is the *vocabulary we adopt*. They compose: a hexagon obeys the onion dependency rule at its boundary. We are **not** adopting a `Fallout.Application.*` / `Fallout.Infrastructure.*` project renaming — that is gratuitous public churn (see Alternatives) that buys nothing the seam doesn't already give us.
+
+## Decision
+
+**1. Model CI host integration as two named ports, not one.**
+
+| Port | Concern | Status | Lives in |
+|---|---|---|---|
+| **Config-generation port** — `IConfigurationGenerator` | Design-time: emit `.yml`/`.xml`/`.toml` committed to git | **Exists, keep as-is** | `Fallout.Build/CICD/` |
+| **Runtime-host port** — *new, working name `IBuildHost`* | Execution-time: detect host, expose VCS/run facts, emit host annotations & summaries | **Formalize** | `Fallout.Build/CICD/` |
+
+The runtime-host port subsumes and fattens the anemic `IBuildServer`. It carries the *host integration* contract (environment facts, annotation/log reporting, output/summary writing) and is deliberately **separated from the `Host` logging/theming base** — `Host` may *implement* the port, but the port does not inherit `Host`'s console-rendering responsibilities.
+
+**2. The eleven `Fallout.Common.CI.<Provider>` types are adapters.** Document and treat them as such. **Do not relocate or rename them in this work** — naming the role is the deliverable, not moving the files.
+
+**3. The public consumer surface stays, as a facade over the ports.** `[GitHubActions(...)]`, `GitHubActions.Instance`, `[CI]` injection (`CIAttribute`), and the `Host` API all keep working unchanged. Statics delegate *inward* to the ports / resolved instances — the same pattern a static `Log` facade uses over DI-resolved logging. **This delegation discipline is the rule that prevents a half-and-half mess** (ports bolted on while a static singleton still does the real work).
+
+**4. Enforce the boundary with an architecture fitness test.** Assert that `Fallout.Build` (ports + kernel) never references a concrete provider type under `Fallout.Common.CI.*`, and that adapters depend inward only. This is what *holds* the hexagon once it exists, and it is a prerequisite for exposing the seam publicly.
+
+**5. Compatibility strategy: additive now, deletions batched to the year cut.**
+
+This is the load-bearing decision and the answer to "clean break or backwards-compatible?": **they are separable, and we take both — in sequence.**
+
+- **All seam work is additive and ships continuously** through `main` → `-preview`: new port interface(s), adapters implementing them, the fitness test, and the delegating facades are all non-breaking. They land mid-year on the `2026` line.
+- **Legacy paths are marked, not deleted:** `[Obsolete]` for plain deprecation, `[Experimental("FALLOUT0xx")]` (see [docs/experimental-apis.md](../experimental-apis.md) for the registry — allocate a fresh ID, do not reuse) for not-yet-stable replacements.
+- **The genuinely breaking steps are deferred and batched.** Removing deprecated surface, dropping the `Nuke.*` shims, or reshaping a *consumer-implemented* interface land on `experimental` and ship at the next yearly major (`2027.0.0`), per ADR-0004. Mid-year `main`/production stays strictly non-breaking.
+- **Type relocation, if ever needed, is non-breaking too:** `[TypeForwardedTo]` plus the existing `Fallout.SourceGenerators.TransitionShimGenerator` (`src/Shims/`) forward old namespaces, so even moving a public type to its own adapter assembly does not break callers.
+
+Net: the better architecture arrives **immediately**, the dead weight is shed **on schedule** at the cut, and the trunk stays **green throughout**. Crucially, per ADR-0004 a deliberate break could only *ship* at the yearly major anyway — so "additive now" costs zero timeline versus "clean break now," and avoids months of an un-shippable trunk.
+
+## Consequences
+
+### Positive
+
+- **Stable seam before it goes public.** Milestone #7 can expose "implement `IBuildHost` + `IConfigurationGenerator` to add a CI host" against a contract that's been dogfooded by the eleven in-tree adapters first.
+- **Separation untangles the `Host` god-base.** Splitting "am I a CI host" from "how do I render output" makes both independently testable and lets a host adapter exist without inheriting console-formatting machinery.
+- **No flag day, no broken trunk.** Every interim build compiles, passes, and is dogfoodable via `./build.sh`.
+- **Generalizes cleanly.** Proving the port shape on GitHub Actions first (the spike) de-risks the other ten before any of them are touched.
+
+### Negative
+
+- **A transition period with two ways to express the runtime host** (the old `Host`/`IBuildServer` path and the new port). Mitigated by the facade discipline (§3) and a dated removal entry batched to `2027.0.0`.
+- **Fitness test maintenance.** The boundary assertion must be kept honest as new providers land; a too-strict rule could false-positive on shared helpers. Scope it to "core → concrete provider type," not "core → `Fallout.Common.CI` namespace at all."
+- **Naming risk.** `IBuildHost` vs `IBuildServer` vs `ICiHost` is a public name we'll live with. The name is provisional until the spike validates the shape; do not treat it as locked by this ADR.
+
+## Alternatives considered
+
+### A. Clean break — rebuild the CI subsystem fresh on the 2027 line
+
+Rejected. The break buys only *deletion* of compatibility surface, not any *capability* the additive path lacks — the new ports sit cleanly over the existing facade. A clean break would mean a broken, un-shippable trunk for months in exchange for **zero** earlier delivery (ADR-0004 gates the break to the year cut regardless). "Drag no dead weight" is satisfied by scheduling the deletions at the cut, not by starting over.
+
+### B. Full Domain/Application/Infrastructure project renaming
+
+Rejected. Renaming `Fallout.Common.CI.*` → `Fallout.Infrastructure.*` etc. is a large public namespace/package break (mitigable with shims, but still churn) that delivers nothing the named-ports-in-place approach doesn't. It also fights the repo's established by-provider convention (AGENTS.md: prefer existing patterns). Onion layer *names* are not the goal; the enforced seam is.
+
+### C. Status quo — keep `Host` + `IBuildServer` as the de facto contract
+
+Rejected. The runtime port is too anemic and too entangled with console rendering to expose as a public plugin extension point. Shipping milestone #7 on top of it would lock in the entanglement as public API.
+
+## References
+
+- Config-generation port: `src/Fallout.Build/CICD/IConfigurationGenerator.cs`, `ConfigurationAttributeBase.cs`
+- Runtime host (today): `src/Fallout.Build/Host.cs`, `Host.Activation.cs`, `src/Fallout.Build/CICD/IBuildServer.cs`
+- Consumer injection: `src/Fallout.Build/CICD/CIAttribute.cs`
+- Canonical adapter: `src/Fallout.Common/CI/GitHubActions/` (`GitHubActions.cs`, `GitHubActionsAttribute.cs`, `GitHubActions.Client.cs`)
+- Live dogfood usage: `build/Build.CI.GitHubActions.cs`
+- Compatibility machinery: `src/Shims/`, `Fallout.SourceGenerators.TransitionShimGenerator`, [docs/experimental-apis.md](../experimental-apis.md)
+- Spike plan: [docs/spikes/0001-ci-ports-and-adapters.md](../spikes/0001-ci-ports-and-adapters.md)
diff --git a/docs/adr/README.md b/docs/adr/README.md
index c38f1e8d8..e2b4ece29 100644
--- a/docs/adr/README.md
+++ b/docs/adr/README.md
@@ -38,3 +38,4 @@ If you change a decision, do NOT silently rewrite the old ADR — add a new one
 | [0002](0002-v11-off-nuget-by-default.md) | v11 publishes to GitHub Packages by default; nuget.org opt-in | Accepted |
 | [0003](0003-variables-and-substitution.md) | Variables and `${…}` substitution layer | Proposed |
 | [0004](0004-calendar-versioning-and-dual-pace-channels.md) | Calendar versioning + dual-pace channels (edge/stable) + experimental APIs | Accepted |
+| [0005](0005-ci-host-integration-ports-and-adapters.md) | CI host integration as ports & adapters (hexagonal seam) | Proposed |
diff --git a/docs/spikes/0001-ci-ports-and-adapters.md b/docs/spikes/0001-ci-ports-and-adapters.md
new file mode 100644
index 000000000..fd8261889
--- /dev/null
+++ b/docs/spikes/0001-ci-ports-and-adapters.md
@@ -0,0 +1,91 @@
+# Spike 0001 — CI host integration as ports & adapters (GitHub Actions end-to-end)
+
+- **Status:** Done (2026-05-31) — see [Verdict](#verdict)
+- **Date:** 2026-05-31
+- **Decision record:** [ADR-0005](../adr/0005-ci-host-integration-ports-and-adapters.md)
+- **Channel:** `experimental` (spike branch off `experimental`; nothing here is meant to merge as-is)
+- **Time-box:** one focused session
+
+> Spikes are **time-boxed, throwaway-by-default** experiments to validate a shape, not to ship it. The output is a *decision* ("the port shape is right / wrong / needs X"), plus possibly a clean re-implementation later. Code from a spike earns its way to `main` only after review, additively, per ADR-0005's compatibility strategy.
+
+## Hypothesis to validate
+
+> The runtime-host concern can be expressed as a focused, de-anemic port (`IBuildHost`, working name) that **GitHub Actions implements as a named adapter**, with the existing public surface (`[GitHubActions]`, `GitHubActions.Instance`, `[CI]` injection, `Host`) preserved as a thin facade delegating inward — and a fitness test can enforce the core→adapter boundary — **all without a single breaking change and with the dogfood workflow output byte-identical.**
+
+If that holds on GitHub Actions, the same shape generalizes to the other ten providers. If it forces awkward escape hatches (e.g. the port can't be separated from `Host`'s console rendering without breaking something), we learn that *before* touching anything public.
+
+## Scope
+
+### In scope (this spike)
+1. Define the runtime-host port `IBuildHost` (working name) in `src/Fallout.Build/CICD/`, separated from `Host`'s logging/theming responsibilities. Fold in / supersede the anemic `IBuildServer` (`Branch`, `Commit`).
+2. Make **`GitHubActions` implement the port** as the first named adapter — additively (add the interface; keep the `Host` base, keep all existing members).
+3. Keep the **facade working unchanged**: `GitHubActions.Instance`, `[CI]`-injection (`CIAttribute`), and `Host` API resolve to something satisfying the port. No consumer-visible change.
+4. Confirm the **config-generation port is untouched and still healthy**: `GitHubActionsAttribute : ConfigurationAttributeBase` still satisfies `IConfigurationGenerator`. (This port already exists — the spike only re-confirms the boundary, it does not redesign it.)
+5. Add one **architecture fitness test**: `Fallout.Build` must not reference the concrete `GitHubActions` type (scope narrowly to concrete provider types, not the whole `Fallout.Common.CI` namespace).
+6. **Validate end-to-end:** `./build.sh Compile`, `./build.sh Test`, and regenerate the dogfood workflow from `build/Build.CI.GitHubActions.cs` — assert the emitted `.github/workflows/*.yml` (and any Verify snapshot) is unchanged.
+
+### Explicitly OUT of scope (do not do these in the spike)
+- ❌ Touching the other ten providers (`AzurePipelines`, `TeamCity`, …). GitHub only.
+- ❌ Renaming namespaces or splitting assemblies (`Fallout.Infrastructure.*` etc.). ADR-0005 §Alternatives B.
+- ❌ Deleting or `[Obsolete]`-ing `IBuildServer` for real — at most mark it provisionally to feel the blast radius; the actual deprecation is a separate, reviewed, batched-to-2027 change.
+- ❌ Any public SDK surface (milestone #7). Internal interfaces stay `internal` / unexposed.
+- ❌ Introducing a DI container. If resolution needs a seam, use the simplest static delegation; container work is a separate workstream.
+
+## Ordered steps
+
+1. **Branch.** Cut a spike branch off `experimental` (e.g. `spike/ci-ports-gha`). Do not target `main`.
+2. **Read the runtime contract as-built.** `Host.cs`, `Host.Activation.cs` (the `IsRunning{Name}` + `Host.Default` discovery), `IBuildServer.cs`, `CIAttribute.cs`, and `GitHubActions.cs` — list every member the *runtime host* concern actually uses, separating it from console-rendering members that belong to `Host`.
+3. **Draft `IBuildHost`.** Put only the host-integration surface on it (environment/VCS facts, annotation reporting, summary/output writing). Keep it small — anemic-but-honest beats fat-and-speculative. Leave `Host`'s `WriteLogo`/`WriteBlock`/`WriteTargetOutcome` *out* of the port.
+4. **Implement on `GitHubActions`.** Add `IBuildHost` to its declaration; wire members to existing behaviour. Additive only.
+5. **Make the facade delegate.** Ensure `GitHubActions.Instance` and `[CI]` injection still hand back an instance that satisfies the port; ensure `Host.Default` discovery is unaffected.
+6. **Fitness test.** Add the boundary assertion to the orchestration test project (xUnit + FluentAssertions, per repo convention). Watch it pass; then temporarily introduce a deliberate violation to confirm it *fails* (a fitness test that can't fail proves nothing), then revert.
+7. **Validate.** `./build.sh Compile` → `./build.sh Test` → regenerate the dogfood workflow → diff. Green + byte-identical YAML = hypothesis holds.
+
+## Success criteria
+
+- ✅ Solution compiles; full test suite green.
+- ✅ Dogfood `.github/workflows/*.yml` output unchanged (and any Verify snapshot unchanged).
+- ✅ `GitHubActions` satisfies both ports; the facade is consumer-invisible.
+- ✅ Fitness test passes, and demonstrably fails on an injected violation.
+- ✅ A written verdict (append to this doc): is the `IBuildHost` shape right, what's the final name, and what's the blast radius of superseding `IBuildServer`?
+
+## Risks / things to watch
+
+- **Half-and-half mess** — the named failure mode. The mitigation is the facade-delegates-to-port discipline (ADR-0005 §3); if you find the static singleton still doing the real work while the port is decorative, stop and rethink the resolution path.
+- **`Host` entanglement** — if the host-integration members genuinely can't be separated from console rendering without breakage, that's a key finding: record it; it may mean the port needs to *compose* `Host` rather than replace it.
+- **Discovery coupling** — `Host.Default` finds adapters by reflecting on public `Host` subclasses with a static `IsRunning{Name}`. The port must not break that convention this spike; generalizing discovery to "any `IBuildHost`" is future work.
+- **`IBuildServer` blast radius** — it's public. Feel it (who implements vs. who reads), but defer the real deprecation to a reviewed, batched change.
+
+## Exit
+
+Update **Status** to `Done` and append the verdict. Feed the result back into ADR-0005 (promote `Proposed` → `Accepted`, lock the port name) before generalizing to the other ten adapters or exposing anything for milestone #7.
+
+## Verdict
+
+**Hypothesis confirmed.** The runtime-host port can be introduced fully additively, GitHub Actions satisfies it as the first named adapter, the public surface is untouched, the boundary is enforced, and build output is byte-identical.
+
+**What was built (branch `spike/ci-ports-gha` off `experimental`):**
+- `src/Fallout.Build/CICD/IBuildHost.cs` — the port (`Branch`, `Commit`, `IsPullRequest` default-interface-member, `ReportWarning`, `ReportError`).
+- `src/Fallout.Build/CICD/IBuildServer.cs` — doc pointer to its successor (no `[Obsolete]` — that removal is batched to the year cut).
+- `src/Fallout.Common/CI/GitHubActions/GitHubActions.BuildHost.cs` + a one-token edit to the class declaration — GitHub adapter, explicit interface implementation.
+- `tests/Fallout.Build.Tests/CiHostBoundaryTest.cs` — fitness test: `Fallout.Build` must not reference `Fallout.Common`.
+
+**Evidence:**
+- `dotnet build src/Fallout.Common` → succeeded (0 errors; warnings are pre-existing generated-code noise).
+- `dotnet test tests/Fallout.Build.Tests` → **104/104 passed**, including the fitness test.
+- Fitness test demonstrably **goes red** when pointed at a genuinely-referenced assembly (`Fallout.Core`), then reverted — it is not vacuous.
+- `git status .github/` → clean; the config-generation path was never touched, so generated workflows are unchanged by construction *and* in fact.
+
+**Findings that shape the real implementation:**
+1. **The boundary already holds structurally.** `Fallout.Build` does not reference `Fallout.Common`, and a `Build → Common` reference would be *circular* (Common already references Build) — so the compiler enforces the inward-only rule for free. The fitness test guards against the subtler case of an indirect/transitive leak, not the gross one.
+2. **The reporting half is entangled with the `Host` base — and exposes a latent gap.** `Host.ReportWarning`/`ReportError` are `protected internal virtual` **no-ops**; `GitHubActions` surfaces annotations via separate public `WriteWarning`/`WriteError`. The `LogEventSink` routes warnings/errors to `Host.ReportWarning` — which on GitHub Actions does **nothing**. So today, sink-routed warnings likely never become `::warning::` annotations. The port had to implement reporting **explicitly** (delegating to `WriteWarning`/`WriteError`) to avoid the protected/public clash. **Implication:** the clean end-state is `IBuildHost` as the *canonical* reporting contract with `Host` (and the sink) delegating *to it* — not the reverse. Wiring the sink through `IBuildHost.ReportWarning` would also fix the dormant-annotation gap. That rewire is a behavior change → out of spike scope, but it's the highest-value follow-up.
+3. **One port, for now — split not yet justified.** The read/write seam is real (and marked with regions), but the write side is two members. A two-port split (`IBuildHost` context + `IBuildReporter`) earns its keep only once reporting grows (log grouping, job summaries, output variables). Keep one port; revisit at that trigger.
+4. **`IBuildHost` reads well** and the explicit-impl pattern mirrors the existing `IBuildServer` mapping (`Branch => Ref`, `Commit => Sha`). Name validated.
+5. **Discovery untouched.** `Host.Default` still finds adapters via the `IsRunning{Name}` reflection convention. Generalizing discovery to "any `IBuildHost`" is future work, not needed for the seam.
+
+**Recommended next moves (in order):**
+1. Promote ADR-0005 `Proposed` → `Accepted` (maintainer call, via PR review) and lock the `IBuildHost` name + single-port shape.
+2. Separate doc PR (targets `main`, non-breaking) for ADR-0005 + this spike.
+3. Make `IBuildHost` the canonical reporting contract and route `Host`/`LogEventSink` through it (fixes finding #2's annotation gap). Behavior change → land on `experimental`, exercise via the dogfood GitHub Actions run.
+4. Roll the port across the other ten adapters once #3's shape is settled.
+5. Only then consider exposing the seam for milestone #7.

From e8f407cfe723756dc96bb05174f02d61d1334f1a Mon Sep 17 00:00:00 2001
From: Chrison Simtian <csimon@chrison.dev>
Date: Sun, 31 May 2026 12:39:28 +1200
Subject: [PATCH 07/10] feat(ci): introduce IBuildHost runtime-host port +
 GitHub adapter

Additive seam per ADR-0005: IBuildHost supersedes the anemic IBuildServer as
the build's-eye-view runtime-host port (context + reporting). GitHubActions
implements it via explicit interface implementation, leaving the public
surface and generated workflows untouched. Adds an architecture fitness test
asserting the ports layer (Fallout.Build) never references the adapters layer
(Fallout.Common).

Spike work on experimental; LogEventSink rewire deferred (see spike verdict #2).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
---
 src/Fallout.Build/CICD/IBuildHost.cs          | 43 +++++++++++++++++++
 src/Fallout.Build/CICD/IBuildServer.cs        |  4 ++
 .../GitHubActions/GitHubActions.BuildHost.cs  | 23 ++++++++++
 .../CI/GitHubActions/GitHubActions.cs         |  2 +-
 .../Fallout.Build.Tests/CiHostBoundaryTest.cs | 27 ++++++++++++
 5 files changed, 98 insertions(+), 1 deletion(-)
 create mode 100644 src/Fallout.Build/CICD/IBuildHost.cs
 create mode 100644 src/Fallout.Common/CI/GitHubActions/GitHubActions.BuildHost.cs
 create mode 100644 tests/Fallout.Build.Tests/CiHostBoundaryTest.cs

diff --git a/src/Fallout.Build/CICD/IBuildHost.cs b/src/Fallout.Build/CICD/IBuildHost.cs
new file mode 100644
index 000000000..08e8dd926
--- /dev/null
+++ b/src/Fallout.Build/CICD/IBuildHost.cs
@@ -0,0 +1,43 @@
+namespace Fallout.Common.CI;
+
+/// <summary>
+/// The build's-eye view of the environment hosting this run — the CI system (or the local terminal)
+/// that Fallout is executing under. From the build's perspective <em>GitHub Actions is the host</em>;
+/// a future Fallout-owned runner would simply be another host adapter. The active, cross-build
+/// supervisor that <em>launches</em> builds is a separate concern and takes a separate name
+/// (Runner/Agent) — never reuse this one.
+///
+/// This is the runtime-host port of <see href="../../docs/adr/0005-ci-host-integration-ports-and-adapters.md">ADR-0005</see>.
+/// It deliberately carries only the <strong>cross-host</strong> contract: provider-specific facts
+/// (GitHub's <c>Workflow</c>/<c>Action</c>, …) stay on the concrete adapter, and console rendering
+/// stays on the <see cref="Host"/> base. Supersedes the anemic <see cref="IBuildServer"/>.
+///
+/// SPIKE NOTE (0001): modelled as a single port for now. The members split cleanly into a read
+/// (context) half and a write (reporting) half — whether that becomes two ports is the open question
+/// recorded for the spike verdict.
+/// </summary>
+public interface IBuildHost
+{
+    #region Context (read) — universal subset only; provider-specific facts live on the adapter
+
+    /// <summary>The short branch name of the ref that triggered this run.</summary>
+    string Branch { get; }
+
+    /// <summary>The commit SHA that triggered this run.</summary>
+    string Commit { get; }
+
+    /// <summary>Whether this run was triggered by a pull/merge request. Hosts without the concept return <c>false</c>.</summary>
+    bool IsPullRequest => false;
+
+    #endregion
+
+    #region Reporting (write) — routed to the host's native annotation channels
+
+    /// <summary>Surface a warning through the host's native channel (e.g. a GitHub <c>::warning::</c> annotation).</summary>
+    void ReportWarning(string text, string details = null);
+
+    /// <summary>Surface an error through the host's native channel (e.g. a GitHub <c>::error::</c> annotation).</summary>
+    void ReportError(string text, string details = null);
+
+    #endregion
+}
diff --git a/src/Fallout.Build/CICD/IBuildServer.cs b/src/Fallout.Build/CICD/IBuildServer.cs
index 46cdc1804..c2e479657 100644
--- a/src/Fallout.Build/CICD/IBuildServer.cs
+++ b/src/Fallout.Build/CICD/IBuildServer.cs
@@ -1,6 +1,10 @@
 
 namespace Fallout.Common.CI;
 
+/// <summary>
+/// Superseded by <see cref="IBuildHost"/> (ADR-0005). Kept for backwards compatibility; its eventual
+/// removal is a breaking change batched to the next yearly major, not done here.
+/// </summary>
 public interface IBuildServer
 {
     string Branch { get; }
diff --git a/src/Fallout.Common/CI/GitHubActions/GitHubActions.BuildHost.cs b/src/Fallout.Common/CI/GitHubActions/GitHubActions.BuildHost.cs
new file mode 100644
index 000000000..75e3bb186
--- /dev/null
+++ b/src/Fallout.Common/CI/GitHubActions/GitHubActions.BuildHost.cs
@@ -0,0 +1,23 @@
+using System;
+
+namespace Fallout.Common.CI.GitHubActions;
+
+// ADR-0005 / spike 0001: GitHubActions as the first named adapter for the runtime-host port.
+// Implemented explicitly so the port contract sits alongside — not on top of — the existing public
+// surface (Ref/Sha/IsPullRequest, WriteWarning/WriteError) and the Host base's protected rendering
+// members. These impls are additive and dormant: current call sites are unchanged, so build output
+// stays byte-identical. They exist to prove the seam compiles and is satisfiable end-to-end.
+public partial class GitHubActions
+{
+    // Context — reuse the same mapping the IBuildServer impl already uses.
+    string IBuildHost.Branch => Ref;
+    string IBuildHost.Commit => Sha;
+    // IBuildHost.IsPullRequest is satisfied implicitly by the public IsPullRequest property.
+
+    // Reporting — route to GitHub's native annotation commands (::warning:: / ::error::).
+    void IBuildHost.ReportWarning(string text, string details) =>
+        WriteWarning(string.IsNullOrEmpty(details) ? text : $"{text} — {details}");
+
+    void IBuildHost.ReportError(string text, string details) =>
+        WriteError(string.IsNullOrEmpty(details) ? text : $"{text} — {details}");
+}
diff --git a/src/Fallout.Common/CI/GitHubActions/GitHubActions.cs b/src/Fallout.Common/CI/GitHubActions/GitHubActions.cs
index 0e76cf618..ee461b6fa 100644
--- a/src/Fallout.Common/CI/GitHubActions/GitHubActions.cs
+++ b/src/Fallout.Common/CI/GitHubActions/GitHubActions.cs
@@ -17,7 +17,7 @@ namespace Fallout.Common.CI.GitHubActions;
 /// Interface according to the <a href="https://docs.github.com/en/actions/configuring-and-managing-workflows/using-environment-variables">official website</a>.
 /// </summary>
 [ExcludeFromCodeCoverage]
-public partial class GitHubActions : Host, IBuildServer
+public partial class GitHubActions : Host, IBuildServer, IBuildHost
 {
     internal static bool IsRunningGitHubActions => EnvironmentInfo.HasVariable("GITHUB_ACTIONS");
 
diff --git a/tests/Fallout.Build.Tests/CiHostBoundaryTest.cs b/tests/Fallout.Build.Tests/CiHostBoundaryTest.cs
new file mode 100644
index 000000000..dce8edde5
--- /dev/null
+++ b/tests/Fallout.Build.Tests/CiHostBoundaryTest.cs
@@ -0,0 +1,27 @@
+using System.Linq;
+using Fallout.Common.CI;
+using FluentAssertions;
+using Xunit;
+
+namespace Fallout.Common.Tests;
+
+// ADR-0005: CI host integration is ports-and-adapters. The ports + kernel (Fallout.Build) must not
+// depend on the adapters (Fallout.Common, where GitHubActions et al. live) — dependencies point
+// inward only. This test holds that boundary; it is the construction-time guarantee that lets the
+// seam be exposed publicly in the plugin SDK (milestone #7).
+public class CiHostBoundaryTest
+{
+    [Fact]
+    public void PortsAssembly_DoesNotReference_AdaptersAssembly()
+    {
+        var portsAssembly = typeof(IBuildHost).Assembly;
+
+        // Guard: make sure we're actually inspecting the ports assembly and not something else,
+        // so the assertion below can't pass vacuously.
+        portsAssembly.GetName().Name.Should().Be("Fallout.Build");
+
+        portsAssembly.GetReferencedAssemblies()
+            .Select(x => x.Name)
+            .Should().NotContain("Fallout.Common", "the ports layer must not depend on the adapters layer (ADR-0005)");
+    }
+}

From fc6ee29dd9a41952287570ce1f924a50c6fb0fa9 Mon Sep 17 00:00:00 2001
From: Chrison Simtian <csimon@chrison.dev>
Date: Sun, 31 May 2026 12:53:48 +1200
Subject: [PATCH 08/10] refactor(ci): split runtime-host seam into IBuildHost +
 IBuildReporter
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Two ports, justified by differing implementor sets: every Host reports (so
the local Terminal is an IBuildReporter), but only CI hosts carry run context
(so Terminal is not an IBuildHost). IBuildHost rescoped to context (branch/
commit/is-PR); new IBuildReporter (warnings/errors/grouping) implemented by the
Host base via explicit impls over the existing protected-virtual hooks — so
adapters override reporting exactly as before. No behavior change.

Fitness tests pin the split (Terminal: reporter not host; GitHubActions: both).
Corrects spike finding #2 (reporting was already wired in the *.Theming.cs
partials; there was no latent bug). Updates ADR-0005 + spike verdict.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
---
 ...-ci-host-integration-ports-and-adapters.md |  5 ++-
 docs/spikes/0001-ci-ports-and-adapters.md     | 20 +++++++---
 src/Fallout.Build/CICD/IBuildHost.cs          | 38 ++++++-------------
 src/Fallout.Build/CICD/IBuildReporter.cs      | 28 ++++++++++++++
 src/Fallout.Build/Host.cs                     | 11 +++++-
 .../GitHubActions/GitHubActions.BuildHost.cs  | 20 +++-------
 .../CI/GitHubActions/GitHubActions.cs         |  2 +-
 .../Fallout.Build.Tests/CiHostBoundaryTest.cs | 11 ++++++
 tests/Fallout.Common.Tests/CiHostPortsTest.cs | 18 +++++++++
 9 files changed, 102 insertions(+), 51 deletions(-)
 create mode 100644 src/Fallout.Build/CICD/IBuildReporter.cs
 create mode 100644 tests/Fallout.Common.Tests/CiHostPortsTest.cs

diff --git a/docs/adr/0005-ci-host-integration-ports-and-adapters.md b/docs/adr/0005-ci-host-integration-ports-and-adapters.md
index bdfd9aeaf..97a02171c 100644
--- a/docs/adr/0005-ci-host-integration-ports-and-adapters.md
+++ b/docs/adr/0005-ci-host-integration-ports-and-adapters.md
@@ -37,9 +37,10 @@ For a subsystem whose entire value is *N interchangeable providers behind one co
 | Port | Concern | Status | Lives in |
 |---|---|---|---|
 | **Config-generation port** — `IConfigurationGenerator` | Design-time: emit `.yml`/`.xml`/`.toml` committed to git | **Exists, keep as-is** | `Fallout.Build/CICD/` |
-| **Runtime-host port** — *new, working name `IBuildHost`* | Execution-time: detect host, expose VCS/run facts, emit host annotations & summaries | **Formalize** | `Fallout.Build/CICD/` |
+| **Runtime-host context port** — `IBuildHost` | Execution-time facts: branch, commit, is-PR (universal subset; provider-specific facts stay on the adapter) | **Formalized** | `Fallout.Build/CICD/` |
+| **Runtime-host reporting port** — `IBuildReporter` | Execution-time output: surface warnings/errors/grouping through the host's native channels | **Formalized** | `Fallout.Build/CICD/` |
 
-The runtime-host port subsumes and fattens the anemic `IBuildServer`. It carries the *host integration* contract (environment facts, annotation/log reporting, output/summary writing) and is deliberately **separated from the `Host` logging/theming base** — `Host` may *implement* the port, but the port does not inherit `Host`'s console-rendering responsibilities.
+The runtime-host concern is **two ports, not one** — a refinement the spike (0001) confirmed with a concrete reason: their *implementor sets differ*. Every host reports (so the local `Terminal` is an `IBuildReporter`), but only CI hosts carry run context (so `Terminal` is **not** an `IBuildHost`). `IBuildHost` supersedes the anemic `IBuildServer`. Both are deliberately **separated from the `Host` logging/theming base**: `IBuildReporter` is implemented by the `Host` base (backed by its existing protected-virtual hooks, so adapters override exactly as before), while the port surfaces stay free of `Host`'s console-rendering responsibilities (`WriteLogo`, `WriteTargetOutcome`, …).
 
 **2. The eleven `Fallout.Common.CI.<Provider>` types are adapters.** Document and treat them as such. **Do not relocate or rename them in this work** — naming the role is the deliverable, not moving the files.
 
diff --git a/docs/spikes/0001-ci-ports-and-adapters.md b/docs/spikes/0001-ci-ports-and-adapters.md
index fd8261889..752927a97 100644
--- a/docs/spikes/0001-ci-ports-and-adapters.md
+++ b/docs/spikes/0001-ci-ports-and-adapters.md
@@ -78,14 +78,24 @@ Update **Status** to `Done` and append the verdict. Feed the result back into AD
 
 **Findings that shape the real implementation:**
 1. **The boundary already holds structurally.** `Fallout.Build` does not reference `Fallout.Common`, and a `Build → Common` reference would be *circular* (Common already references Build) — so the compiler enforces the inward-only rule for free. The fitness test guards against the subtler case of an indirect/transitive leak, not the gross one.
-2. **The reporting half is entangled with the `Host` base — and exposes a latent gap.** `Host.ReportWarning`/`ReportError` are `protected internal virtual` **no-ops**; `GitHubActions` surfaces annotations via separate public `WriteWarning`/`WriteError`. The `LogEventSink` routes warnings/errors to `Host.ReportWarning` — which on GitHub Actions does **nothing**. So today, sink-routed warnings likely never become `::warning::` annotations. The port had to implement reporting **explicitly** (delegating to `WriteWarning`/`WriteError`) to avoid the protected/public clash. **Implication:** the clean end-state is `IBuildHost` as the *canonical* reporting contract with `Host` (and the sink) delegating *to it* — not the reverse. Wiring the sink through `IBuildHost.ReportWarning` would also fix the dormant-annotation gap. That rewire is a behavior change → out of spike scope, but it's the highest-value follow-up.
+2. **~~The reporting half is entangled with the `Host` base — and exposes a latent gap.~~ CORRECTED (see Refinement round below).** The original finding claimed `Host.ReportWarning`/`ReportError` were no-ops on GitHub Actions and that sink-routed warnings never became `::warning::` annotations. **That was wrong** — it was based on reading only `GitHubActions.cs` and missing the overrides in `GitHubActions.Theming.cs` (and `AzurePipelines`/`TeamCity`/`AppVeyor` likewise). Reporting *is* wired today; there is no bug. The reporting members (`ReportWarning`/`ReportError`/`WriteBlock`) genuinely live on the `Host` base and are overridden per-adapter.
 3. **One port, for now — split not yet justified.** The read/write seam is real (and marked with regions), but the write side is two members. A two-port split (`IBuildHost` context + `IBuildReporter`) earns its keep only once reporting grows (log grouping, job summaries, output variables). Keep one port; revisit at that trigger.
 4. **`IBuildHost` reads well** and the explicit-impl pattern mirrors the existing `IBuildServer` mapping (`Branch => Ref`, `Commit => Sha`). Name validated.
 5. **Discovery untouched.** `Host.Default` still finds adapters via the `IsRunning{Name}` reflection convention. Generalizing discovery to "any `IBuildHost`" is future work, not needed for the seam.
 
+## Refinement round (same day) — two-port split
+
+Acting on the spike's open question (and a maintainer's gut feeling), the single port was split in two, and finding #2 was corrected:
+
+- **`IBuildHost`** rescoped to the **context** half: `Branch`, `Commit`, `IsPullRequest`.
+- **`IBuildReporter`** added for the **reporting** half: `ReportWarning`, `ReportError`, `WriteBlock`. Implemented by the `Host` base (explicit interface impls delegating to the existing protected-virtual hooks), so every host — including the local `Terminal` — is a reporter, and adapters keep overriding exactly as before. **No behavior change.**
+- **The split is justified, not cosmetic:** the implementor sets differ. A fitness test now pins this down — `Terminal` is an `IBuildReporter` but **not** an `IBuildHost`; `GitHubActions` is both. If those sets ever collapse, the test fails and the split has lost its reason.
+- `GitHubActions.BuildHost.cs` reduced to context-only; reporting overrides stay in `GitHubActions.Theming.cs`, untouched.
+- Validation: `Fallout.Common` builds clean; **105** Build.Tests + the new Common.Tests port check pass; generated workflows unchanged.
+
 **Recommended next moves (in order):**
-1. Promote ADR-0005 `Proposed` → `Accepted` (maintainer call, via PR review) and lock the `IBuildHost` name + single-port shape.
+1. Promote ADR-0005 `Proposed` → `Accepted` (maintainer call, via PR review) and lock the two-port shape + names (`IBuildHost` / `IBuildReporter`).
 2. Separate doc PR (targets `main`, non-breaking) for ADR-0005 + this spike.
-3. Make `IBuildHost` the canonical reporting contract and route `Host`/`LogEventSink` through it (fixes finding #2's annotation gap). Behavior change → land on `experimental`, exercise via the dogfood GitHub Actions run.
-4. Roll the port across the other ten adapters once #3's shape is settled.
-5. Only then consider exposing the seam for milestone #7.
+3. **Generalize host discovery** to key off the ports rather than the `IsRunning{Name}` reflection convention on `Host` subclasses.
+4. **Add a second adapter** to prove the shape generalizes — Forgejo (its Actions are GitHub-workflow-compatible) or Azure DevOps.
+5. Roll the ports across the other adapters; then consider exposing the seam for milestone #7. Mark the ports `[Experimental("FALLOUT0xx")]` when they near consumer-facing exposure.
diff --git a/src/Fallout.Build/CICD/IBuildHost.cs b/src/Fallout.Build/CICD/IBuildHost.cs
index 08e8dd926..009cdc34a 100644
--- a/src/Fallout.Build/CICD/IBuildHost.cs
+++ b/src/Fallout.Build/CICD/IBuildHost.cs
@@ -1,25 +1,21 @@
 namespace Fallout.Common.CI;
 
 /// <summary>
-/// The build's-eye view of the environment hosting this run — the CI system (or the local terminal)
-/// that Fallout is executing under. From the build's perspective <em>GitHub Actions is the host</em>;
-/// a future Fallout-owned runner would simply be another host adapter. The active, cross-build
-/// supervisor that <em>launches</em> builds is a separate concern and takes a separate name
-/// (Runner/Agent) — never reuse this one.
+/// The build's-eye view of the <strong>context</strong> of the environment hosting this run — the
+/// facts of "what is this run, under what". From the build's perspective <em>GitHub Actions is the
+/// host</em>; a future Fallout-owned runner would simply be another host adapter. The active,
+/// cross-build supervisor that <em>launches</em> builds is a separate concern and takes a separate
+/// name (Runner/Agent) — never reuse this one.
 ///
-/// This is the runtime-host port of <see href="../../docs/adr/0005-ci-host-integration-ports-and-adapters.md">ADR-0005</see>.
-/// It deliberately carries only the <strong>cross-host</strong> contract: provider-specific facts
-/// (GitHub's <c>Workflow</c>/<c>Action</c>, …) stay on the concrete adapter, and console rendering
-/// stays on the <see cref="Host"/> base. Supersedes the anemic <see cref="IBuildServer"/>.
-///
-/// SPIKE NOTE (0001): modelled as a single port for now. The members split cleanly into a read
-/// (context) half and a write (reporting) half — whether that becomes two ports is the open question
-/// recorded for the spike verdict.
+/// This is the context half of the runtime-host seam of
+/// <see href="../../docs/adr/0005-ci-host-integration-ports-and-adapters.md">ADR-0005</see>;
+/// the reporting half is <see cref="IBuildReporter"/>. The split is real: only CI hosts have run
+/// context, but <em>every</em> host (including the local terminal) is an <see cref="IBuildReporter"/>.
+/// Carries only the cross-host subset — provider-specific facts (GitHub's <c>Workflow</c>/<c>Action</c>, …)
+/// stay on the concrete adapter. Supersedes the anemic <see cref="IBuildServer"/>.
 /// </summary>
 public interface IBuildHost
 {
-    #region Context (read) — universal subset only; provider-specific facts live on the adapter
-
     /// <summary>The short branch name of the ref that triggered this run.</summary>
     string Branch { get; }
 
@@ -28,16 +24,4 @@ public interface IBuildHost
 
     /// <summary>Whether this run was triggered by a pull/merge request. Hosts without the concept return <c>false</c>.</summary>
     bool IsPullRequest => false;
-
-    #endregion
-
-    #region Reporting (write) — routed to the host's native annotation channels
-
-    /// <summary>Surface a warning through the host's native channel (e.g. a GitHub <c>::warning::</c> annotation).</summary>
-    void ReportWarning(string text, string details = null);
-
-    /// <summary>Surface an error through the host's native channel (e.g. a GitHub <c>::error::</c> annotation).</summary>
-    void ReportError(string text, string details = null);
-
-    #endregion
 }
diff --git a/src/Fallout.Build/CICD/IBuildReporter.cs b/src/Fallout.Build/CICD/IBuildReporter.cs
new file mode 100644
index 000000000..1b143fa78
--- /dev/null
+++ b/src/Fallout.Build/CICD/IBuildReporter.cs
@@ -0,0 +1,28 @@
+using System;
+
+namespace Fallout.Common.CI;
+
+/// <summary>
+/// The reporting half of the runtime-host seam of
+/// <see href="../../docs/adr/0005-ci-host-integration-ports-and-adapters.md">ADR-0005</see> — the
+/// channel a build uses to surface progress, warnings, and errors through the host's <em>native</em>
+/// mechanisms (e.g. GitHub <c>::warning::</c> annotations, TeamCity service messages, Azure Pipelines
+/// <c>##vso</c> issues, or — for the local terminal — plain console output).
+///
+/// Implemented by the <see cref="Host"/> base, so <strong>every</strong> host is a reporter, including
+/// the local terminal. Concrete adapters customise behaviour by overriding the corresponding members
+/// on <see cref="Host"/>. This is the companion to <see cref="IBuildHost"/> (the context half); the
+/// two are separated because their implementor sets differ — every host reports, but only CI hosts
+/// carry run context.
+/// </summary>
+public interface IBuildReporter
+{
+    /// <summary>Surface a warning through the host's native channel.</summary>
+    void ReportWarning(string text, string details = null);
+
+    /// <summary>Surface an error through the host's native channel.</summary>
+    void ReportError(string text, string details = null);
+
+    /// <summary>Open a collapsible/grouped output region; dispose to close it.</summary>
+    IDisposable WriteBlock(string text);
+}
diff --git a/src/Fallout.Build/Host.cs b/src/Fallout.Build/Host.cs
index b5e147813..a1a41c621 100644
--- a/src/Fallout.Build/Host.cs
+++ b/src/Fallout.Build/Host.cs
@@ -2,6 +2,7 @@
 using System.ComponentModel;
 using System.Globalization;
 using System.Linq;
+using Fallout.Common.CI;
 using Fallout.Common.Execution;
 using Fallout.Common.Execution.Theming;
 using Fallout.Common.Utilities;
@@ -14,8 +15,16 @@
 namespace Fallout.Common;
 
 [TypeConverter(typeof(TypeConverter))]
-public partial class Host
+public partial class Host : IBuildReporter
 {
+    // ADR-0005: the Host base is the runtime-host reporting port. The contract is exposed via
+    // IBuildReporter and backed by the existing protected-virtual hooks below, so concrete adapters
+    // keep customising reporting exactly as before (overriding ReportWarning/ReportError/WriteBlock)
+    // — virtual dispatch routes the interface calls to their overrides. No adapter changes required.
+    void IBuildReporter.ReportWarning(string text, string details) => ReportWarning(text, details);
+    void IBuildReporter.ReportError(string text, string details) => ReportError(text, details);
+    IDisposable IBuildReporter.WriteBlock(string text) => WriteBlock(text);
+
     protected Host()
     {
         // TODO: check assertion
diff --git a/src/Fallout.Common/CI/GitHubActions/GitHubActions.BuildHost.cs b/src/Fallout.Common/CI/GitHubActions/GitHubActions.BuildHost.cs
index 75e3bb186..668c15c3c 100644
--- a/src/Fallout.Common/CI/GitHubActions/GitHubActions.BuildHost.cs
+++ b/src/Fallout.Common/CI/GitHubActions/GitHubActions.BuildHost.cs
@@ -1,23 +1,13 @@
-using System;
-
 namespace Fallout.Common.CI.GitHubActions;
 
-// ADR-0005 / spike 0001: GitHubActions as the first named adapter for the runtime-host port.
+// ADR-0005 / spike 0001: GitHubActions as the first named adapter for the runtime-host context port.
 // Implemented explicitly so the port contract sits alongside — not on top of — the existing public
-// surface (Ref/Sha/IsPullRequest, WriteWarning/WriteError) and the Host base's protected rendering
-// members. These impls are additive and dormant: current call sites are unchanged, so build output
-// stays byte-identical. They exist to prove the seam compiles and is satisfiable end-to-end.
-public partial class GitHubActions
+// surface (Ref/Sha/IsPullRequest). Reporting is NOT here: it comes from the Host base (IBuildReporter)
+// plus this adapter's existing ReportWarning/ReportError/WriteBlock overrides in GitHubActions.Theming.cs.
+public partial class GitHubActions : IBuildHost
 {
-    // Context — reuse the same mapping the IBuildServer impl already uses.
+    // Reuse the same mapping the IBuildServer impl already uses.
     string IBuildHost.Branch => Ref;
     string IBuildHost.Commit => Sha;
     // IBuildHost.IsPullRequest is satisfied implicitly by the public IsPullRequest property.
-
-    // Reporting — route to GitHub's native annotation commands (::warning:: / ::error::).
-    void IBuildHost.ReportWarning(string text, string details) =>
-        WriteWarning(string.IsNullOrEmpty(details) ? text : $"{text} — {details}");
-
-    void IBuildHost.ReportError(string text, string details) =>
-        WriteError(string.IsNullOrEmpty(details) ? text : $"{text} — {details}");
 }
diff --git a/src/Fallout.Common/CI/GitHubActions/GitHubActions.cs b/src/Fallout.Common/CI/GitHubActions/GitHubActions.cs
index ee461b6fa..0e76cf618 100644
--- a/src/Fallout.Common/CI/GitHubActions/GitHubActions.cs
+++ b/src/Fallout.Common/CI/GitHubActions/GitHubActions.cs
@@ -17,7 +17,7 @@ namespace Fallout.Common.CI.GitHubActions;
 /// Interface according to the <a href="https://docs.github.com/en/actions/configuring-and-managing-workflows/using-environment-variables">official website</a>.
 /// </summary>
 [ExcludeFromCodeCoverage]
-public partial class GitHubActions : Host, IBuildServer, IBuildHost
+public partial class GitHubActions : Host, IBuildServer
 {
     internal static bool IsRunningGitHubActions => EnvironmentInfo.HasVariable("GITHUB_ACTIONS");
 
diff --git a/tests/Fallout.Build.Tests/CiHostBoundaryTest.cs b/tests/Fallout.Build.Tests/CiHostBoundaryTest.cs
index dce8edde5..471298129 100644
--- a/tests/Fallout.Build.Tests/CiHostBoundaryTest.cs
+++ b/tests/Fallout.Build.Tests/CiHostBoundaryTest.cs
@@ -1,5 +1,6 @@
 using System.Linq;
 using Fallout.Common.CI;
+using Fallout.Common.Execution;
 using FluentAssertions;
 using Xunit;
 
@@ -24,4 +25,14 @@ public void PortsAssembly_DoesNotReference_AdaptersAssembly()
             .Select(x => x.Name)
             .Should().NotContain("Fallout.Common", "the ports layer must not depend on the adapters layer (ADR-0005)");
     }
+
+    // The two-port split is justified by differing implementor sets: every Host reports (so Terminal,
+    // the local non-CI host, is an IBuildReporter), but only CI hosts carry run context (so Terminal
+    // is NOT an IBuildHost). If these ever collapse to the same set, the split has lost its reason.
+    [Fact]
+    public void Terminal_IsAReporter_ButNotAContextHost()
+    {
+        typeof(IBuildReporter).IsAssignableFrom(typeof(Terminal)).Should().BeTrue();
+        typeof(IBuildHost).IsAssignableFrom(typeof(Terminal)).Should().BeFalse();
+    }
 }
diff --git a/tests/Fallout.Common.Tests/CiHostPortsTest.cs b/tests/Fallout.Common.Tests/CiHostPortsTest.cs
new file mode 100644
index 000000000..01f8cdc51
--- /dev/null
+++ b/tests/Fallout.Common.Tests/CiHostPortsTest.cs
@@ -0,0 +1,18 @@
+using Fallout.Common.CI;
+using Fallout.Common.CI.GitHubActions;
+using FluentAssertions;
+using Xunit;
+
+namespace Fallout.Common.Tests;
+
+// ADR-0005: a CI host adapter satisfies BOTH runtime-host ports — context (IBuildHost) and
+// reporting (IBuildReporter, inherited from the Host base). GitHubActions is the canonical adapter.
+public class CiHostPortsTest
+{
+    [Fact]
+    public void GitHubActions_ImplementsBothRuntimeHostPorts()
+    {
+        typeof(IBuildHost).IsAssignableFrom(typeof(GitHubActions)).Should().BeTrue();
+        typeof(IBuildReporter).IsAssignableFrom(typeof(GitHubActions)).Should().BeTrue();
+    }
+}

From 33b5cc9aa57bea071924e79e3f8f9dd903feb98b Mon Sep 17 00:00:00 2001
From: Chrison Simtian <csimon@chrison.dev>
Date: Sun, 31 May 2026 13:02:27 +1200
Subject: [PATCH 09/10] refactor(ci): probe Host.IsActive for discovery, not
 IsRunning{Name}

Host.Default now probes an overridable Host.IsActive member instead of
reflecting for the magic-string IsRunning{TypeName} static. The default
IsActive falls back to that legacy convention, so all existing hosts work
unchanged; new adapters override IsActive directly (no static, no name match).
Host ctors are side-effect-free, so construct-then-probe is cheap and the
active host (constructed last) remains Host.Instance.

Covers ADR-0005 #3. Tests exercise both the override and fallback paths.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
---
 docs/spikes/0001-ci-ports-and-adapters.md     | 13 +++++--
 src/Fallout.Build/Host.Activation.cs          | 13 +++++--
 .../Fallout.Build.Tests/HostActivationTest.cs | 36 +++++++++++++++++++
 3 files changed, 57 insertions(+), 5 deletions(-)
 create mode 100644 tests/Fallout.Build.Tests/HostActivationTest.cs

diff --git a/docs/spikes/0001-ci-ports-and-adapters.md b/docs/spikes/0001-ci-ports-and-adapters.md
index 752927a97..edf6b1870 100644
--- a/docs/spikes/0001-ci-ports-and-adapters.md
+++ b/docs/spikes/0001-ci-ports-and-adapters.md
@@ -93,9 +93,18 @@ Acting on the spike's open question (and a maintainer's gut feeling), the single
 - `GitHubActions.BuildHost.cs` reduced to context-only; reporting overrides stay in `GitHubActions.Theming.cs`, untouched.
 - Validation: `Fallout.Common` builds clean; **105** Build.Tests + the new Common.Tests port check pass; generated workflows unchanged.
 
+## Discovery generalization (same day) — #3 done
+
+Host discovery no longer hinges on the magic-string `IsRunning{TypeName}` convention:
+
+- Added `protected internal virtual bool Host.IsActive`; `Host.Default` now probes `IsActive` instead of reflecting for `IsRunning{TypeName}`.
+- The default `IsActive` **falls back** to the legacy convention, so all eleven existing hosts work unchanged; a new adapter just overrides `IsActive` (no static, no name-matching) — which is how the upcoming Forgejo adapter will declare its detection.
+- Safe by construction: every host ctor is side-effect-free (verified), and because `First()` stops at the active host it is the last constructed and remains `Host.Instance`.
+- Tests (`HostActivationTest`) cover both paths: override-needs-no-static, and default-falls-back-to-convention. **107** Build.Tests + full Common.Tests green.
+
 **Recommended next moves (in order):**
 1. Promote ADR-0005 `Proposed` → `Accepted` (maintainer call, via PR review) and lock the two-port shape + names (`IBuildHost` / `IBuildReporter`).
 2. Separate doc PR (targets `main`, non-breaking) for ADR-0005 + this spike.
-3. **Generalize host discovery** to key off the ports rather than the `IsRunning{Name}` reflection convention on `Host` subclasses.
-4. **Add a second adapter** to prove the shape generalizes — Forgejo (its Actions are GitHub-workflow-compatible) or Azure DevOps.
+3. ~~Generalize host discovery~~ **done** (above).
+4. **Add the Forgejo adapter** — first adapter to use the clean `IsActive` override + both ports; its Actions are GitHub-workflow-compatible, so it stress-tests config generation too. Dogfood once the instance is live.
 5. Roll the ports across the other adapters; then consider exposing the seam for milestone #7. Mark the ports `[Experimental("FALLOUT0xx")]` when they near consumer-facing exposure.
diff --git a/src/Fallout.Build/Host.Activation.cs b/src/Fallout.Build/Host.Activation.cs
index 8d611ed92..a7e9b3f45 100644
--- a/src/Fallout.Build/Host.Activation.cs
+++ b/src/Fallout.Build/Host.Activation.cs
@@ -16,9 +16,8 @@ public partial class Host
         AvailableTypes
             .OrderBy(x => x.IsAssignableTo(typeof(Terminal)))
             .ThenBy(x => x == typeof(Terminal))
-            .Where(IsRunning)
             .Select(CreateHost)
-            .First();
+            .First(x => x.IsActive);
 
     internal static IEnumerable<Type> AvailableTypes
         => AppDomain.CurrentDomain.GetAssemblies()
@@ -26,7 +25,15 @@ internal static IEnumerable<Type> AvailableTypes
             .Where(x => x.IsPublic)
             .Where(x => x.IsSubclassOf(typeof(Host)));
 
-    private static bool IsRunning(Type hostType)
+    // ADR-0005 (#3): discovery probes this overridable member instead of reflecting for a
+    // magic-string `IsRunning{TypeName}` static. The default falls back to that legacy convention,
+    // so every existing host keeps working unchanged; a new adapter just overrides IsActive (no
+    // static, no name-matching). Host constructors are side-effect-free, so probing by construction
+    // is cheap, and because First() stops at the active host it is the last constructed — and so
+    // remains Host.Instance (set in the base ctor).
+    protected internal virtual bool IsActive => IsRunningByConvention(GetType());
+
+    private static bool IsRunningByConvention(Type hostType)
     {
         var propertyName = $"IsRunning{hostType.Name}";
         var member = hostType.GetProperty(propertyName, ReflectionUtility.Static)
diff --git a/tests/Fallout.Build.Tests/HostActivationTest.cs b/tests/Fallout.Build.Tests/HostActivationTest.cs
new file mode 100644
index 000000000..44e98b6e9
--- /dev/null
+++ b/tests/Fallout.Build.Tests/HostActivationTest.cs
@@ -0,0 +1,36 @@
+using FluentAssertions;
+using Xunit;
+
+namespace Fallout.Common.Tests;
+
+// ADR-0005 (#3): host discovery probes the overridable Host.IsActive member rather than the
+// magic-string IsRunning{TypeName} convention. These hosts are private-nested, so they report
+// IsPublic == false and are excluded from the global Host discovery scan — no pollution.
+public class HostActivationTest
+{
+    // New path: an adapter overrides IsActive directly — no IsRunning{Name} static required.
+    private sealed class OverrideHost : Host
+    {
+        protected internal override bool IsActive => true;
+        public bool Probe() => IsActive;
+    }
+
+    // Legacy path: no override; the default IsActive must fall back to the IsRunning{TypeName} static.
+    private sealed class LegacyHost : Host
+    {
+        public static bool IsRunningLegacyHost => true;
+        public bool Probe() => IsActive;
+    }
+
+    [Fact]
+    public void OverriddenIsActive_NeedsNoLegacyStatic()
+    {
+        new OverrideHost().Probe().Should().BeTrue();
+    }
+
+    [Fact]
+    public void DefaultIsActive_FallsBackToLegacyConvention()
+    {
+        new LegacyHost().Probe().Should().BeTrue();
+    }
+}

From 64b1ea98b4deb596945c97d8bbc6925ffb76daa3 Mon Sep 17 00:00:00 2001
From: Chrison Simtian <csimon@chrison.dev>
Date: Sun, 31 May 2026 13:18:16 +1200
Subject: [PATCH 10/10] feat(ci): scaffold Forgejo adapter against the ports
 seam
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

First adapter built on the finished ADR-0005 seam, proving it generalizes:
- Runtime host overrides Host.IsActive (no IsRunning{Name} static — first user
  of the #3 detection style) and implements both ports (IBuildHost context via
  GitHub-compatible GITHUB_* vars; IBuildReporter reporting).
- Config generation composes the GitHub config model + a shared WorkflowCommands
  helper for the ::cmd:: dialect, rather than inheriting GitHubActionsAttribute
  (which is blocked anyway by ConfigurationAttributeBase.Build's internal set).
  Common-case scaffold; full parity needs the GH model-builder extracted.
- Detection (FORGEJO_ACTIONS) is a naive guess pending the live instance.

Tests assert both ports, the IsActive detection path, and non-inheritance from
the GitHubActions adapter.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
---
 docs/spikes/0001-ci-ports-and-adapters.md     | 19 ++++-
 .../CI/Forgejo/Forgejo.BuildHost.cs           | 10 +++
 .../CI/Forgejo/Forgejo.Theming.cs             | 39 +++++++++
 src/Fallout.Common/CI/Forgejo/Forgejo.cs      | 45 ++++++++++
 .../CI/Forgejo/ForgejoAttribute.cs            | 83 +++++++++++++++++++
 src/Fallout.Common/CI/WorkflowCommands.cs     | 43 ++++++++++
 .../ForgejoAdapterTest.cs                     | 45 ++++++++++
 7 files changed, 281 insertions(+), 3 deletions(-)
 create mode 100644 src/Fallout.Common/CI/Forgejo/Forgejo.BuildHost.cs
 create mode 100644 src/Fallout.Common/CI/Forgejo/Forgejo.Theming.cs
 create mode 100644 src/Fallout.Common/CI/Forgejo/Forgejo.cs
 create mode 100644 src/Fallout.Common/CI/Forgejo/ForgejoAttribute.cs
 create mode 100644 src/Fallout.Common/CI/WorkflowCommands.cs
 create mode 100644 tests/Fallout.Common.Tests/ForgejoAdapterTest.cs

diff --git a/docs/spikes/0001-ci-ports-and-adapters.md b/docs/spikes/0001-ci-ports-and-adapters.md
index edf6b1870..f4dd19218 100644
--- a/docs/spikes/0001-ci-ports-and-adapters.md
+++ b/docs/spikes/0001-ci-ports-and-adapters.md
@@ -102,9 +102,22 @@ Host discovery no longer hinges on the magic-string `IsRunning{TypeName}` conven
 - Safe by construction: every host ctor is side-effect-free (verified), and because `First()` stops at the active host it is the last constructed and remains `Host.Instance`.
 - Tests (`HostActivationTest`) cover both paths: override-needs-no-static, and default-falls-back-to-convention. **107** Build.Tests + full Common.Tests green.
 
+## Forgejo adapter (same day) — #4 scaffolded
+
+The first adapter built against the finished seam, validating it generalizes to a new provider:
+
+- **Runtime host** (`Forgejo.cs` + `.BuildHost.cs` + `.Theming.cs`): first user of the #3 detection style — overrides `IsActive` directly, **no `IsRunning{Name}` static**. Implements both ports (`IBuildHost` context via GitHub-compatible `GITHUB_*` vars; `IBuildReporter` reporting via the shared command dialect).
+- **Composition, not coupling** (`ForgejoAttribute.cs`, `WorkflowCommands.cs`): Forgejo reuses the GitHub config *model* (`GitHubActionsConfiguration` + jobs/steps) and a new shared `WorkflowCommands` helper for the `::cmd::` dialect — but is **not** a `GitHubActions`. A fitness test asserts the non-inheritance.
+- Validation: clean build; **46** Common.Tests (4 new) + **107** Build.Tests green; existing `.github` workflows untouched.
+
+**Findings:**
+1. **Config-gen isn't composition-ready at the attribute level.** `ConfigurationAttributeBase.Build` has an `internal set`, so an attribute in `Fallout.Common` can't wire up a composed inner `GitHubActionsAttribute`. Worked around by composing the shared *model* instead. The clean fix is to extract the GH generator's model-building from its file placement so both adapters compose one builder — that's what unlocks full Forgejo parity (caching, artifacts, secrets, detailed triggers), currently a common-case scaffold only.
+2. **`WorkflowCommands` is the dialect composition seam, but GHA still has its own copy.** Deduping GitHubActions onto it touches that adapter's public `WriteCommand` and risks its byte-identical output, so it's deferred — a tracked follow-up, not done here.
+3. **Detection is a naive guess** (`FORGEJO_ACTIONS`). Forgejo sets `GITHUB_ACTIONS=true` for compatibility, so the real distinctive variable (and ordering-vs-GitHub) must be confirmed against the live instance — marked `TODO(forgejo)` in `Forgejo.cs`.
+
 **Recommended next moves (in order):**
 1. Promote ADR-0005 `Proposed` → `Accepted` (maintainer call, via PR review) and lock the two-port shape + names (`IBuildHost` / `IBuildReporter`).
 2. Separate doc PR (targets `main`, non-breaking) for ADR-0005 + this spike.
-3. ~~Generalize host discovery~~ **done** (above).
-4. **Add the Forgejo adapter** — first adapter to use the clean `IsActive` override + both ports; its Actions are GitHub-workflow-compatible, so it stress-tests config generation too. Dogfood once the instance is live.
-5. Roll the ports across the other adapters; then consider exposing the seam for milestone #7. Mark the ports `[Experimental("FALLOUT0xx")]` when they near consumer-facing exposure.
+3. ~~Generalize host discovery~~ **done**. 4. ~~Add the Forgejo adapter~~ **scaffolded** (above).
+5. Confirm Forgejo detection against the live instance; then extract the GH model-builder (finding #1) for full config parity, and dedup `WorkflowCommands` onto GitHubActions (finding #2).
+6. Roll the ports across the other adapters; then consider exposing the seam for milestone #7. Mark the ports `[Experimental("FALLOUT0xx")]` when they near consumer-facing exposure.
diff --git a/src/Fallout.Common/CI/Forgejo/Forgejo.BuildHost.cs b/src/Fallout.Common/CI/Forgejo/Forgejo.BuildHost.cs
new file mode 100644
index 000000000..509d0191f
--- /dev/null
+++ b/src/Fallout.Common/CI/Forgejo/Forgejo.BuildHost.cs
@@ -0,0 +1,10 @@
+namespace Fallout.Common.CI.Forgejo;
+
+// ADR-0005: Forgejo satisfies the runtime-host context port. Reporting (IBuildReporter) comes from
+// the Host base plus this adapter's overrides in Forgejo.Theming.cs.
+public partial class Forgejo : IBuildHost
+{
+    string IBuildHost.Branch => RefName;
+    string IBuildHost.Commit => Sha;
+    // IBuildHost.IsPullRequest is satisfied implicitly by the public IsPullRequest property.
+}
diff --git a/src/Fallout.Common/CI/Forgejo/Forgejo.Theming.cs b/src/Fallout.Common/CI/Forgejo/Forgejo.Theming.cs
new file mode 100644
index 000000000..178a60590
--- /dev/null
+++ b/src/Fallout.Common/CI/Forgejo/Forgejo.Theming.cs
@@ -0,0 +1,39 @@
+using System;
+using Fallout.Common.Execution.Theming;
+using Fallout.Common.Utilities;
+
+namespace Fallout.Common.CI.Forgejo;
+
+// Reporting half of the runtime-host seam (IBuildReporter, via the Host base). Forgejo Actions speaks
+// the GitHub workflow-command dialect, so reporting COMPOSES the shared WorkflowCommands helper rather
+// than coupling to the GitHubActions adapter (ADR-0005).
+public partial class Forgejo
+{
+    internal override IHostTheme Theme => AnsiConsoleHostTheme.Default256AnsiColorTheme;
+
+    protected internal override IDisposable WriteBlock(string text)
+    {
+        return DelegateDisposable.CreateBracket(
+            () => WorkflowCommands.Group(text),
+            () => WorkflowCommands.EndGroup(text));
+    }
+
+    protected internal override void ReportWarning(string text, string details = null)
+    {
+        WorkflowCommands.WriteWarning(text);
+    }
+
+    protected internal override void ReportError(string text, string details = null)
+    {
+        WorkflowCommands.WriteError(text);
+    }
+
+    protected internal override bool FilterMessage(string message)
+    {
+        if (!message.StartsWith("::") && !message.StartsWith("##["))
+            return false;
+
+        Console.WriteLine(message);
+        return true;
+    }
+}
diff --git a/src/Fallout.Common/CI/Forgejo/Forgejo.cs b/src/Fallout.Common/CI/Forgejo/Forgejo.cs
new file mode 100644
index 000000000..bf8a956c1
--- /dev/null
+++ b/src/Fallout.Common/CI/Forgejo/Forgejo.cs
@@ -0,0 +1,45 @@
+using System.Diagnostics.CodeAnalysis;
+
+namespace Fallout.Common.CI.Forgejo;
+
+/// <summary>
+/// Runtime-host adapter for <a href="https://forgejo.org/docs/latest/user/actions/">Forgejo Actions</a>.
+/// Forgejo Actions is GitHub-Actions-compatible, so it exposes the same <c>GITHUB_*</c> environment
+/// variables and speaks the same workflow-command dialect — see <see cref="WorkflowCommands"/> and
+/// <c>Forgejo.Theming.cs</c>. First adapter to use the ADR-0005 #3 detection style: it overrides
+/// <see cref="Host.IsActive"/> directly instead of declaring an <c>IsRunning{Name}</c> static.
+/// </summary>
+[ExcludeFromCodeCoverage]
+public partial class Forgejo : Host, IBuildServer
+{
+    public new static Forgejo Instance => Host.Instance as Forgejo;
+
+    // NAIVE detection — TODO(forgejo): verify against a live instance. Forgejo Actions sets
+    // GITHUB_ACTIONS=true for compatibility, so we must key off a Forgejo-distinctive variable to
+    // avoid colliding with the GitHubActions adapter. FORGEJO_ACTIONS is a guess pending the
+    // instance being stood up; the runner's actual distinctive variable is unconfirmed.
+    protected internal override bool IsActive => EnvironmentInfo.HasVariable("FORGEJO_ACTIONS");
+
+    internal Forgejo()
+    {
+    }
+
+    string IBuildServer.Branch => RefName;
+    string IBuildServer.Commit => Sha;
+
+    // GitHub-Actions-compatible run context. Provider-specific facts (instance URL, etc.) can be
+    // added once the live instance confirms what Forgejo exposes beyond the GITHUB_* surface.
+    public string Repository => EnvironmentInfo.GetVariable("GITHUB_REPOSITORY");
+    public string RepositoryOwner => EnvironmentInfo.GetVariable("GITHUB_REPOSITORY_OWNER");
+    public string Actor => EnvironmentInfo.GetVariable("GITHUB_ACTOR");
+    public string Workflow => EnvironmentInfo.GetVariable("GITHUB_WORKFLOW");
+    public string Sha => EnvironmentInfo.GetVariable("GITHUB_SHA");
+    public string Ref => EnvironmentInfo.GetVariable("GITHUB_REF");
+    public string RefName => EnvironmentInfo.GetVariable("GITHUB_REF_NAME");
+    public string EventName => EnvironmentInfo.GetVariable("GITHUB_EVENT_NAME");
+    public string ServerUrl => EnvironmentInfo.GetVariable("GITHUB_SERVER_URL");
+    public string Token => EnvironmentInfo.GetVariable("GITHUB_TOKEN");
+    public long RunId => EnvironmentInfo.GetVariable<long>("GITHUB_RUN_ID");
+    public long RunNumber => EnvironmentInfo.GetVariable<long>("GITHUB_RUN_NUMBER");
+    public bool IsPullRequest => EventName == "pull_request";
+}
diff --git a/src/Fallout.Common/CI/Forgejo/ForgejoAttribute.cs b/src/Fallout.Common/CI/Forgejo/ForgejoAttribute.cs
new file mode 100644
index 000000000..f67a40afb
--- /dev/null
+++ b/src/Fallout.Common/CI/Forgejo/ForgejoAttribute.cs
@@ -0,0 +1,83 @@
+using System;
+using System.Collections.Generic;
+using System.IO;
+using System.Linq;
+using Fallout.Common.CI.GitHubActions;
+using Fallout.Common.CI.GitHubActions.Configuration;
+using Fallout.Common.Execution;
+using Fallout.Common.IO;
+using Fallout.Common.Tooling;
+using Fallout.Common.Utilities;
+using Fallout.Common.Utilities.Collections;
+
+namespace Fallout.Common.CI.Forgejo;
+
+/// <summary>
+/// Generates a Forgejo Actions workflow at <c>.forgejo/workflows/{name}.yml</c>. Forgejo Actions speaks
+/// the GitHub Actions workflow dialect, so this <strong>composes the GitHub Actions configuration
+/// model</strong> (<see cref="GitHubActionsConfiguration"/> + jobs/steps) rather than inheriting
+/// <see cref="GitHubActionsAttribute"/> — keeping the two adapters decoupled (ADR-0005). Inheriting it
+/// is also blocked by design: <see cref="ConfigurationAttributeBase.Build"/> has an <c>internal set</c>,
+/// so an attribute outside Fallout.Build cannot wire up a composed inner attribute. Reusing the shared
+/// model side-steps that.
+/// <para/>
+/// First-cut scaffold: covers the common case (short triggers + invoked targets + image). Fuller parity
+/// with <see cref="GitHubActionsAttribute"/> (caching, artifacts, secrets, detailed triggers) is tracked
+/// in <c>docs/spikes/0001-ci-ports-and-adapters.md</c>; the clean way to get there is to extract the GH
+/// generator's model-building from its file placement so both adapters compose one builder.
+/// </summary>
+[AttributeUsage(AttributeTargets.Class, AllowMultiple = true)]
+public class ForgejoAttribute : ConfigurationAttributeBase
+{
+    private readonly string _name;
+    private readonly GitHubActionsImage[] _images;
+
+    public ForgejoAttribute(string name, GitHubActionsImage image, params GitHubActionsImage[] images)
+    {
+        _name = name.Replace(oldChar: ' ', newChar: '_');
+        _images = new[] { image }.Concat(images).ToArray();
+    }
+
+    public override string IdPostfix => _name;
+    public override Type HostType => typeof(Forgejo);
+    public override AbsolutePath ConfigurationFile => Build.RootDirectory / ".forgejo" / "workflows" / $"{_name}.yml";
+    public override IEnumerable<AbsolutePath> GeneratedFiles => new[] { ConfigurationFile };
+
+    public override IEnumerable<string> RelevantTargetNames => InvokedTargets;
+    public override IEnumerable<string> IrrelevantTargetNames => new string[0];
+
+    public GitHubActionsTrigger[] On { get; set; } = new GitHubActionsTrigger[0];
+    public string[] InvokedTargets { get; set; } = new string[0];
+
+    public override CustomFileWriter CreateWriter(StreamWriter streamWriter)
+    {
+        return new CustomFileWriter(streamWriter, indentationFactor: 2, commentPrefix: "#");
+    }
+
+    public override ConfigurationEntity GetConfiguration(IReadOnlyCollection<ExecutableTarget> relevantTargets)
+    {
+        Assert.True(On.Length > 0, $"Forgejo workflow must define at least one '{nameof(On)}' trigger");
+
+        return new GitHubActionsConfiguration
+               {
+                   Name = _name,
+                   ShortTriggers = On,
+                   DetailedTriggers = new GitHubActionsDetailedTrigger[0],
+                   Permissions = new (GitHubActionsPermissions, string)[0],
+                   Jobs = _images.Select(image => new GitHubActionsJob
+                                                  {
+                                                      Name = image.GetValue().Replace(".", "_"),
+                                                      Image = image,
+                                                      Steps = new GitHubActionsStep[]
+                                                              {
+                                                                  new GitHubActionsCheckoutStep(),
+                                                                  new GitHubActionsRunStep
+                                                                  {
+                                                                      InvokedTargets = InvokedTargets,
+                                                                      Imports = new Dictionary<string, string>()
+                                                                  }
+                                                              }
+                                                  }).ToArray()
+               };
+    }
+}
diff --git a/src/Fallout.Common/CI/WorkflowCommands.cs b/src/Fallout.Common/CI/WorkflowCommands.cs
new file mode 100644
index 000000000..bdcc1be21
--- /dev/null
+++ b/src/Fallout.Common/CI/WorkflowCommands.cs
@@ -0,0 +1,43 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using Fallout.Common.Utilities;
+
+namespace Fallout.Common.CI;
+
+/// <summary>
+/// The GitHub-Actions workflow-command dialect — <c>::command parameters::data</c> — shared by every
+/// host whose runner speaks it (GitHub Actions and Forgejo Actions today). This is a <em>composition
+/// seam</em> (ADR-0005): a host adapter <em>composes</em> this helper rather than inheriting another
+/// adapter, so providers that happen to share a wire protocol stay decoupled.
+/// </summary>
+/// <remarks>
+/// The canonical GitHubActions adapter still carries its own copy of this logic; folding it onto this
+/// helper is a tracked follow-up (it would touch public API on GitHubActions, so it's kept separate
+/// from the Forgejo scaffold to avoid risking that adapter's byte-identical output).
+/// </remarks>
+internal static class WorkflowCommands
+{
+    public static void Group(string name) => WriteCommand("group", name);
+    public static void EndGroup(string name) => WriteCommand("endgroup", name);
+    public static void WriteDebug(string message) => WriteCommand("debug", message);
+    public static void WriteWarning(string message) => WriteCommand("warning", message);
+    public static void WriteError(string message) => WriteCommand("error", message);
+
+    public static void WriteCommand(string command, string message = null, IReadOnlyDictionary<string, object> parameters = null)
+    {
+        var formatted = parameters == null || parameters.Count == 0
+            ? string.Empty
+            : parameters.Select(x => $"{x.Key}={EscapeProperty(x.Value.ToString())}").JoinCommaSpace();
+
+        Console.WriteLine(formatted.IsNullOrEmpty()
+            ? $"::{command}::{EscapeData(message)}"
+            : $"::{command} {formatted}::{EscapeData(message)}");
+    }
+
+    private static string EscapeData(string data)
+        => data?.Replace("%", "%25").Replace("\r", "%0D").Replace("\n", "%0A");
+
+    private static string EscapeProperty(string value)
+        => value.Replace("%", "%25").Replace("\r", "%0D").Replace("\n", "%0A").Replace(":", "%3A").Replace(",", "%2C");
+}
diff --git a/tests/Fallout.Common.Tests/ForgejoAdapterTest.cs b/tests/Fallout.Common.Tests/ForgejoAdapterTest.cs
new file mode 100644
index 000000000..ecbc695a4
--- /dev/null
+++ b/tests/Fallout.Common.Tests/ForgejoAdapterTest.cs
@@ -0,0 +1,45 @@
+using System.Reflection;
+using Fallout.Common.CI;
+using Fallout.Common.CI.Forgejo;
+using Fallout.Common.CI.GitHubActions;
+using FluentAssertions;
+using Xunit;
+
+namespace Fallout.Common.Tests;
+
+// ADR-0005: Forgejo is the first adapter built against the finished seam — both runtime-host ports,
+// composition (not inheritance) for config generation, and the new IsActive detection style.
+public class ForgejoAdapterTest
+{
+    [Fact]
+    public void Forgejo_ImplementsBothRuntimeHostPorts()
+    {
+        typeof(IBuildHost).IsAssignableFrom(typeof(Forgejo)).Should().BeTrue();
+        typeof(IBuildReporter).IsAssignableFrom(typeof(Forgejo)).Should().BeTrue();
+    }
+
+    [Fact]
+    public void Forgejo_DetectsViaIsActiveOverride_NotTheLegacyConvention()
+    {
+        // No IsRunningForgejo static: detection comes from the IsActive override (ADR-0005 #3).
+        // If it declared neither, discovery would throw — so the static's absence implies the override.
+        typeof(Forgejo)
+            .GetProperty("IsRunningForgejo", BindingFlags.Static | BindingFlags.Public | BindingFlags.NonPublic)
+            .Should().BeNull();
+    }
+
+    [Fact]
+    public void Forgejo_DoesNotInheritTheGitHubActionsAdapter()
+    {
+        // Composition, not coupling: Forgejo reuses the GitHub config model + command dialect but is
+        // not a GitHubActions.
+        typeof(Forgejo).Should().NotBeAssignableTo<GitHubActions>();
+        typeof(ForgejoAttribute).Should().NotBeAssignableTo<GitHubActionsAttribute>();
+    }
+
+    [Fact]
+    public void ForgejoAttribute_TargetsTheForgejoHost()
+    {
+        new ForgejoAttribute("build", GitHubActionsImage.UbuntuLatest).HostType.Should().Be(typeof(Forgejo));
+    }
+}