diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md
index 62e253c7..593e1755 100644
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -6,6 +6,7 @@ about: Create a report to help us improve
 
 ## Description
 <!-- Provide a quick overview of the issue being raised. -->
+<!-- Link a Git diff with the format https://github.com/patternfly/patternfly-mcp/compare/main...your-username:your-branch -->
 
 ### Expected behavior
 <!-- Describe the expected behavior for the program. -->
diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md
index e5dc2e1c..031d2ad7 100644
--- a/.github/ISSUE_TEMPLATE/feature_request.md
+++ b/.github/ISSUE_TEMPLATE/feature_request.md
@@ -6,6 +6,8 @@ about: Suggest an idea for this project
 
 ## Description
 <!-- Provide a quick overview of the feature -->
+<!-- Link a Git diff with the format https://github.com/patternfly/patternfly-mcp/compare/main...your-username:your-branch -->
+
 As user X, I want Y to happen so that Z.
 
 ## Acceptance criteria
diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md
index c5757246..46e217ed 100644
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -1,27 +1,19 @@
-<!--
-PR tips
-- Updates to MCP architecture, resources, prompts, and tools require an issue being opened first.
-- Review existing issues for confirmation that the work isn't already in progress.
-- Review our [PR contributing guidelines](https://github.com/patternfly/patternfly-mcp/blob/main/CONTRIBUTING.md#pull-requests).
+<!-- GH_PR_METADATA_V1_789 -->
+<!-- 
+Before you open a PR, make sure you have reviewed our contribution guidelines:
+https://github.com/patternfly/patternfly-mcp/blob/main/CONTRIBUTING.md 
 -->
+
 ## What is it?
 <!-- Summary of changes/additions/commits -->
-...
 
 ### Notes
-<!--
-- This is bot-created work, I am but a passenger on this wild-ride. AI agent tooling and model leveraged are:
-   - tooling: [IDE/Chat]
-   - model: [Specific/IDE specific/Auto-selection]
--->
 ...
 
-<!-- ## How to test-->
+## How to test
 <!-- Are there directions to test/review? -->
-<!--
-### Prompt an agent to
-1. `> [test prompt]`
--->
+...
+
 <!--
 ### Check the work
 1. Update the NPM packages with `$ npm install`
@@ -29,16 +21,24 @@ PR tips
 1. `npx -y @modelcontextprotocol/inspector node dist/cli.js`
 1. next...
 -->
+
+<!--
+### Prompt an agent to
+1. `> [test prompt]`
+-->
+
 <!--
 ### Unit test check
 1. Update the NPM packages with `$ npm install`
 1. `$ npm test`
 -->
+
 <!--
 ### E2E test check
 1. Update the NPM packages with `$ npm install`
 1. `$ npm run test:integration`
 -->
+
 <!--
 ### Check the build
 1. Update the NPM packages with `$ npm install`
diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml
index 4da0ea41..c05b253c 100644
--- a/.github/workflows/audit.yml
+++ b/.github/workflows/audit.yml
@@ -1,16 +1,21 @@
-name: Data Audit
+name: Security & Data Audit
 
 on:
   pull_request:
     paths:
       - 'src/docs.json'
+      - 'scripts/**'
+      - 'tests/scripts/**'
       - 'tests/audit/**'
+      - 'package.json'
+      - 'package-lock.json'
   schedule:
     - cron: '0 0 * * *' # Daily at midnight
   workflow_dispatch:
 
 jobs:
-  audit-links:
+  documentation-audit:
+    name: Documentation Audit
     runs-on: ubuntu-latest
     permissions:
       contents: read
@@ -30,3 +35,37 @@ jobs:
           DOCS_AUDIT_MAX_TOTAL: ${{ github.event_name == 'schedule' && '0' || '50' }}
         # Advisories are non-blocking for PRs
         continue-on-error: ${{ github.event_name == 'pull_request' }}
+
+  dependency-audit:
+    name: Dependency Audit
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@v6
+      - name: Setup Node.js
+        uses: actions/setup-node@v6.3.0
+        with:
+          node-version: 22.x
+          cache: npm
+      - name: Run npm audit
+        run: npm audit --omit-dev --audit-level=critical
+        # Advisories are non-blocking for PRs
+        continue-on-error: ${{ github.event_name == 'pull_request' }}
+
+  script-audit:
+    name: Script Audit
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@v6
+      - name: Setup Node.js
+        uses: actions/setup-node@v6.3.0
+        with:
+          node-version: 22.x
+          cache: npm
+      - name: Install dependencies
+        run: npm ci
+      - name: Run script audit
+        run: npm run test:scripts
diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml
index 93d1dfc7..4c43fd2f 100644
--- a/.github/workflows/integration.yml
+++ b/.github/workflows/integration.yml
@@ -1,14 +1,92 @@
 name: Build
 on:
+  pull_request:
   push:
     branches: [ main ]
     tags:
       - "*"
-  pull_request:
 
 jobs:
+  Gatekeeper:
+    if: ${{ github.event_name == 'pull_request' }}
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
+      contents: read
+    steps:
+      - name: Trusted configuration
+        uses: actions/checkout@v6
+        with:
+          ref: ${{ github.event.pull_request.base.ref }} # Force our main/base branch
+          sparse-checkout: |
+            .github
+            scripts
+
+      - name: Validate Policy
+        uses: actions/github-script@v9
+        with:
+          script: |
+            const path = require('path');
+            let startFn;
+            try {
+              const scriptPath = path.resolve(process.env.GITHUB_WORKSPACE, 'scripts', 'workflow.preCheck.js');
+              const module = await import(scriptPath);
+              startFn = module.start || module.default;
+            } catch (err) {
+              console.error('PreCheck loading error.', err?.message || err);
+              core.setFailed('PreCheck loading error. File is missing or unreadable. Has the file been checked in?');
+            }
+
+            if (startFn) {
+              await startFn({
+                  LABEL_NEEDS_CLEANUP: 'bot:needs-cleanup',
+                  LABEL_NEEDS_MAINTAINER: 'bot:needs-maintainer',
+                  LABEL_PRECHECKS_PASS: 'bot:policy-ready'
+                }, {
+                  github,
+                  context,
+                  core,
+                });
+            }
+
+      - name: Commit Lint
+        uses: actions/github-script@v9
+        with:
+          script: |
+            const path = require('path');
+            let startFn;
+            try {
+              const scriptPath = path.resolve(process.env.GITHUB_WORKSPACE, 'scripts', 'workflow.commitLint.js');
+              const module = await import(scriptPath);
+              startFn = module.start || module.default;
+            } catch (err) {
+              console.error('Lint loading error.', err?.message || err);
+              core.setFailed('Lint loading error. File is missing or unreadable. Has the file been checked in?');
+            }
+
+            if (startFn) {
+              const { data: commits } = await github.rest.pulls.listCommits({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                pull_number: context.issue.number,
+              });
+
+              const { resultsArray, resultsString } = startFn(commits, {
+                  allowIssuesAnywhere: false,
+                  issueNumberExceptions: ['build', 'chore', 'ci', 'docs', 'fix', 'perf', 'refactor', 'test'],
+                  maxMessageLength: 65,
+                  typeScopeExceptions: '*'
+                });
+
+              if (resultsArray.length) {
+                core.setFailed(resultsString);
+              }
+            }
+
   Integration-checks:
     runs-on: ubuntu-latest
+    needs: Gatekeeper
+    if: ${{ always() && (github.event_name == 'push' || needs.Gatekeeper.result != 'cancelled') }}
     permissions:
       contents: read
     strategy:
@@ -16,27 +94,18 @@ jobs:
         node-version: [20.x, 22.x, 24.x]
     steps:
       - uses: actions/checkout@v6
+
       - name: Setup Node.js ${{ matrix.node-version }}
         uses: actions/setup-node@v6.3.0
         with:
           node-version: ${{ matrix.node-version }}
           cache: npm
-      - name: Node.js modules cache
-        uses: actions/cache@v5
-        id: modules-cache
-        with:
-          path: ${{ github.workspace }}/node_modules
-          key: ${{ runner.os }}-${{ matrix.node-version }}-modules-${{ hashFiles('**/package-lock.json') }}
-          restore-keys: |
-            ${{ runner.os }}-${{ matrix.node-version }}-modules
+
       - name: Install Node.js packages
-        if: ${{ steps.modules-cache.outputs.cache-hit != 'true' }}
         run: npm ci
-      - name: Audit packages
-        run: npm audit --audit-level=high
-        continue-on-error: true
+
       - name: Lint and test
         run: npm run test:ci
+
       - name: Confirm integration
-        if: ${{ success() }}
         run: npm run test:integration
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 29f479a1..5dd97abc 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -1,6 +1,5 @@
 # Contributing
-Interested in contributing to the project? Review the following guidelines and our [planned architecture](./docs/architecture.md) to make sure
-your contribution is aligned with the project's goals.
+Interested in contributing to the project? Review the following guidelines and our [planned architecture](./docs/architecture.md), [security policy](./SECURITY.md), and [governance policy](./GOVERNANCE.md) to make sure your contribution is aligned with the project's goals.
 
 ## Development
 
@@ -62,11 +61,62 @@ Our process follows the standard GitHub fork and pull request workflow.
 >    - `main` would be the default branch for development and feature work rebased from `stable` after release.
 >    - `stable` would be a branch used for stable releases/hashes, reference links, and only updated with release commits.
 
+#### Contributor roles
+
+- **Core Contributors:** Maintainers listed in `CODEOWNERS` or with `MEMBER/OWNER` roles in the GitHub organization. Their focus is architecture, roadmap planning, maintenance, and feature contributions. 
+- **General Contributors:** Community members contributing via forks. All PRs from general contributors undergo automated validation and must pass the initial checks before being queued for review by maintainers.
+
+#### Before you contribute
+
+> **Get a feature up and running. Try customizing the server!**
+>
+> The PatternFly MCP server is designed from the ground-up to be customizable. That customization allows the server to be [wrapped by a customized MCP server](./docs/development.md#programmatic-usage) and allows [MCP tool plugins](./docs/development.md#mcp-tool-plugins).
+
+##### Have a feature or found a bug? Start a conversation
+
+In the new age of agentic coding where your ideas can be up and working quickly, we encourage opening a GitHub issue before starting any work.
+
+Opening an issue first starts the planning conversation to have your idea integrated, push the PatternFly MCP forward collectively, and give you the recognition for your effort and planning without forcing a code review from maintainers. We want your planned idea, not our reactive interpretation. 
+
+Opening a PR without an issue has a higher likelihood your work will be flagged with automation, delayed for maintainer review, and potentially closed.
+
+> **Just want to show us your work?**
+>
+> If you're leveraging the GitHub PR to provide us with file diffs, you can achieve the same Git diff applied by PRs by simply using the GitHub link format and applying it to your issue:
+> - `https://github.com/[BASE_OWNER]/[BASE_REPO]/compare/[BASE_BRANCH]...[FORK_OWNER]:[FORK_BRANCH]`
+>
+> **Example for this repository:**
+> - `https://github.com/patternfly/patternfly-mcp/compare/main...your-username:your-branch`
+
+##### Want the PatternFly MCP to access your documentation?
+
+The PatternFly MCP primarily focuses on documentation found on the PatternFly GitHub organization. 
+
+**Guidelines for adding documentation references**:
+- **PatternFly subject**: Added documentation should concern PatternFly as the primary subject. Requests for additional subjects require an issue first.
+- **Specific domain**: Documentation is whitelisted to specific domains on purpose. Updates to this list require an issue first, for security.
+- **Production ready**: Documentation added to the PatternFly MCP resources should be production ready. Exposing draft documentation is a concern, and it is requested you open an issue first if you are unsure.
+- **Resource quality**: Documentation will be reviewed for quality and security. You will be providing a resource for every PatternFly MCP user.
+- **Release dependent**: Documentation merges may be placed on hold temporarily if it conflicts with any future PatternFly MCP release cycle.
+- **Agent skill**: An agent skill for a range of tools (e.g., Cursor, Claude, etc.) is provided for convenience to help update the related files
+   - [Update documentation SKILL](./guidelines/skills/add-docs-links/SKILL.md)
+
 #### Pull requests
 
 Development pull requests (PRs) should be opened against the default branch.
 
-> If your pull request work contains any of the following warning signs
+Pull requests from non-core contributors will be invited to read the contribution agreement in PR comments. Proceeding with the PR implies acceptance of these guidelines.
+
+##### The Contributor's agreement
+_I have read the contribution guidelines and fulfill them with this PR. I acknowledge my PR may be labeled, converted to draft, and closed by automation or maintainers if it does not have a related GitHub issue, follow guidelines, and pass validation._
+
+##### PR Labels
+Automation manages the following labels to indicate PR state:
+- `bot:policy-ready`: Gatekeeper policy checks have passed. Any additional required checks should pass before the PR is ready for maintainer review.
+- `bot:needs-cleanup`: PR requires attention (e.g., failed scan, missing issue).
+- `bot:needs-maintainer`: An unexpected error occurred, or manual intervention is required.
+
+> Automation looks for a few metrics related to the following warning signs
 >  - has no related issue
 >  - ignores existing code style
 >  - out-of-sync commits (not rebased against the default branch)
@@ -76,17 +126,18 @@ Development pull requests (PRs) should be opened against the default branch.
 >  - missing, relaxed, or removed linting, typings, and tests
 >  - overly complex TypeScript generics or generally over-the-top typings
 >  - dramatic unit test snapshot updates
+>  - favors naming unit test files after behavior instead of related filenames
 >  - affects any file not directly associated with the issue being resolved
 >  - affects "many" files
 >  - contains or is a minor grammatical fix
 >
-> You will be asked to either:
->  - open an issue instead of a PR
+> If automation does not pass, your PR will not be prioritized, and you may be asked to:
+>  - open an issue and close your PR
 >  - restructure your commits
 >  - break the work into multiple pull requests
->  - close the PR (typically, a last resort)
+>  - close the PR
 
-#### Pull request commits, messaging
+##### Pull request commits, messaging
 
 Your pull request should contain Git commit messaging that follows [conventional commit types](https://www.conventionalcommits.org/)
 to provide consistent history and help generate [CHANGELOG.md](./CHANGELOG.md) updates.
@@ -95,23 +146,25 @@ Commit messages follow two basic guidelines:
 - No more than `65` characters for the first line.
 - Commit message formats follow the structure:
   ```
-  <type>(<optional scope>): <description> (#PR_NUMBER)
+  <type>(<optional scope>): <issue> <description> (#PR_NUMBER)
   ```
   Where:
   - **Type**: The type of work the commit resolves (e.g., `feat`, `fix`, `chore`, `docs`, `refactor`, `test`).
   - **Scope**: The optional area of code affected (directory, filename, or concept).
+  - **Issue**: Related story issue for the commit work. `feat` work requires an issue to pass validation and tracking metrics. Typically associated with the formats `issue/123` or `PF-123`. 
   - **Description**: What the commit work encompasses.
   - **#PR_NUMBER**: The pull request number. Typically added automatically during merge/squash operations. Including it manually is optional. It can help with traceability during review.
 
 > If your **pull request contains multiple commits**, they will be squashed into a single commit before merging, and the messaging
 > will be altered to reflect current guidelines.
 
-#### Pull request test failures
-Before any review takes place, all tests should pass. You may be asked to update your pull request to resolve any failing tests
-before a review.
+##### Pull request test failures
+
+To ensure a smooth and efficient review process, maintainers will begin their evaluation only after all automated policy checks and any other required checks have all passed successfully.
 
-> If you are unsure why your tests are failing, you should [review testing documentation](#testing).
+Please follow the guidance provided by automation and resolve the issues. If your work is still failing, seek guidance before requesting a manual review.
 
+> If you are unsure why your tests are failing, we encourage you to [start a conversation](#have-a-feature-or-found-a-bug-start-a-conversation), and review both [pull request guidance](#pull-requests) and [testing documentation](#testing).
 
 ### Code style guidance and conventions
 Basic code style guidelines are generally enforced by ESLint, but there are additional guidelines.
@@ -123,8 +176,14 @@ Basic code style guidelines are generally enforced by ESLint, but there are addi
 #### Functionality, testing
 - Functions should attempt to maintain a single responsibility.
 - Function annotations follow a minimal JSDoc style; descriptions are encouraged.
+- Unit test file names should have a corresponding file with the same name (e.g. `server.ts`, `server.test.ts`).
+- E2E test file names should be representative of the core functionality of the codebase.
+- E2E testing can integrate into the `test` mode provided by the codebase. Recreating this functionality with custom mocks and fixtures is discouraged.
 - Tests should focus on functionality.
-- Tests should not be written for external packages. That is the responsibility of the external package, or it shouldn't be used.
+- Tests should not be written for external packages. That is the responsibility of the external package, or it shouldn't be used. 
+
+#### Functionality, features, fixes, etc.
+- Existing functions should be prioritized for reuse over writing new functions that do the same thing
 
 #### TypeScript
 - Typings within the project may be generally loose for initial development but should be refined over time.
@@ -142,7 +201,7 @@ Unit tests are located in the `__tests__` directory.
 
 #### E2E tests
 
-E2E tests are located in the root `./tests` directory.
+E2E tests are located in the root `./tests/e2e` directory.
 
 Contributors can run the MCP server in a specialized `test` mode against mock resources.
 
@@ -152,6 +211,22 @@ npm run test:integration
 
 This mode leverages the `--mode test` and `--mode-test-url` flags to redirect resource lookups to a fixture server instead of live or local resources.
 
+#### Audit tests
+
+Data audit tests are located in the root `./tests/audit` directory.
+
+```bash
+npm run test:audit
+```
+
+#### Script tests
+
+Script tests are located in the root `./tests/scripts` directory.
+
+```bash
+npm run test:scripts
+```
+
 ## Maintenance: Node.js engine bumps
 
 The `Node.js` engine requirements are updated on a predictable biannual schedule to ensure the server remains secure, leverages modern runtime features, and provides stability for consumers.
diff --git a/GOVERNANCE.md b/GOVERNANCE.md
new file mode 100644
index 00000000..b59e2238
--- /dev/null
+++ b/GOVERNANCE.md
@@ -0,0 +1,35 @@
+# Governance
+
+Every contribution passes through three layers before it can affect a user's system.
+
+## Layer 1: Automated Review
+
+GitHub workflows perform checks for
+
+- **Policy Guidance**: An automated bot provides Gatekeeper policy feedback and links to contribution guidelines if a PR requires cleanup or deviates from policy standards.
+- Spelling and linting for most files
+- Unit testing
+- E2E testing
+- Dependency Auditing: Automated `npm audit` checks to identify and block critical-risk vulnerabilities in the project's dependency tree, running on every dependency change and daily thereafter.
+- Conditional Data Auditing: If and when related files are updated, an automated audit verifies the integrity and reachability of PatternFly documentation entries.
+
+> Core contributors may receive an automated pass on Layer-1 Gatekeeper policy checks when the workflow makes an allowance. This pass does not remove the remaining steps of automated review, or the later layers of review and runtime boundaries.
+
+## Layer 2: Human Review
+
+A maintainer reviews every PR for intent-level issues that automated tools miss:
+
+- **Intent-based Filtering:** Automated labeling is leveraged to prioritize reviews and identify high-risk changes based on their potential impact.
+- **Architectural Alignment:** Every PR is verified against the [planned architecture](./docs/architecture.md) to ensure long-term stability.
+- **Guideline Adherence Verification:** Maintainers verify that contributions follow established patterns and do not interfere with internal validation mechanisms designed to ensure contributors have performed a full context review.
+- **Credential & Secret Scanning:** Manual verification that no sensitive environment variables or keys are exposed in tests or documentation.
+
+## Layer 3: Runtime Permission Boundary
+
+The PatternFly MCP server implements security at the execution level:
+- **Plugin Isolation:** By default, the server operates in `strict` isolation mode, sandboxing tool execution to prevent unauthorized filesystem or network access.
+- **Path Traversal Protection:** All resource lookups are constrained via a path normalization utility to ensure agents cannot escape the intended directory scope.
+
+## What This Means in Practice
+
+No single automated check or individual contributor can bypass the security chain. A malicious or accidental change must pass the Gatekeeper (Layer 1), a Human Maintainer (Layer 2), and still operate within the Sandbox (Layer 3) to affect a user.
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 00000000..4b0936fd
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,35 @@
+# Security
+
+## Reporting a Vulnerability
+
+If you discover a security vulnerability in this repository, please report it responsibly.
+
+**Do not open a public issue for security vulnerabilities.**
+
+- **GitHub:** Use [private vulnerability reporting](https://github.com/patternfly/patternfly-mcp/security/advisories/new)
+
+## Scope
+
+Security concerns for this MCP server include:
+- **Data Integrity:** Ensuring PatternFly documentation and schemas are accurate and untampered.
+- **Execution Safety:** Preventing malicious code execution through custom tool plugins.
+- **Path Escape:** Ensuring the server cannot be used to read sensitive files on the host system via validated path resolution.
+
+## Contribution Guardrails
+
+To maintain codebase integrity, we use an automated **Gatekeeper** workflow:
+- PRs from non-core contributors that modify core behavior or exceed established file limits are automatically moved to **Draft**.
+- These PRs require a secondary review by a Maintainer to be promoted from Draft status.
+
+## Release Integrity
+
+- **Code Freeze:** During the pre-release window, the repository enters a restricted state where only critical security patches are merged.
+- **Provenance:** All official releases are published using `npm publish --provenance` to provide a verifiable link between the package and the GitHub Actions build.
+
+## How Contributions Are Reviewed
+
+See [GOVERNANCE.md](GOVERNANCE.md) for the review layers that every contribution passes through before it can affect a user's system.
+
+## Supported Versions
+
+Only the latest semver major version on the `main` branch is supported.
diff --git a/cspell.config.json b/cspell.config.json
index bc46682e..e31ee944 100644
--- a/cspell.config.json
+++ b/cspell.config.json
@@ -1,9 +1,12 @@
 {
   "language": "en",
   "words": [
+    "agentic",
+    "aiignore",
     "amet",
     "codemods",
     "ized",
+    "junie",
     "llms",
     "localappdata",
     "midrun",
@@ -12,11 +15,15 @@
     "onsessioninitialized",
     "onsessionclosed",
     "patternfly",
+    "precheck",
+    "prechecks",
     "rereview",
     "rsort",
+    "sandboxing",
     "sparkline",
     "streamable",
     "unrepresentable",
-    "unsub"
+    "unsub",
+    "untampered"
   ]
 }
diff --git a/docs/README.md b/docs/README.md
index 019add3e..86e9a940 100644
--- a/docs/README.md
+++ b/docs/README.md
@@ -15,3 +15,8 @@ Welcome to the PatternFly MCP Server documentation. This guide is organized by u
 ### 🏗️ Architecture & design
 - **[System Architecture](./architecture.md)**: Design and core concepts.
 - **[Roadmap](./architecture.md#roadmap)**: Future plans for the project.
+
+### 📜 Policies
+- **[Contribution Guidelines](../CONTRIBUTING.md)**: Guidelines for contributing to the project.
+- **[Security Policy](../SECURITY.md)**: Security standards and reporting vulnerabilities.
+- **[Governance Policy](../GOVERNANCE.md)**: Project governance and contribution review layers.
diff --git a/docs/architecture.md b/docs/architecture.md
index c0bad92c..2955abc5 100644
--- a/docs/architecture.md
+++ b/docs/architecture.md
@@ -92,12 +92,21 @@ Our roadmap focuses on expanding the server's reach and providing a more integra
    - **Child Process Lifecycle Management**: Background process while you work for API synchronization.
 
 #### In-planning and under review
+- **Skills-as-Tools**: Expand MCP functionality with agent skills using common Markdown. Combined with MCP tools, resources, and prompts-as-plugins, this provides consumers with significant customization without the need to update the PatternFly MCP server core. You can actually start contributing now to the MCP by contributing skills through our [AI Plugin Marketplace](https://github.com/patternfly/ai-helpers).
 - **Resource-Tool Integration**: Directly integrate MCP resources into tool responses to reduce token counts and allow tools to accept URI links as inputs.
 - **Environment & Analysis Tooling**: A third built-in tool focused on environment snapshots, code analysis, and whitelisted resource access for local project analysis.
 - **Agentless MCP Client**: An MCP client for use without an LLM, allowing PatternFly tooling to integrate into CLI tools and CI/CD pipelines.
 - **YAML Configuration**: Remote tool, resource, and prompt plugins configured via YAML.
 - **Resource/Helper Sharing**: Mechanisms to share resources and helper functions across external tool plugins.
 
+> **Contribution alignment**
+> 
+> To maintain a lean and secure core, we prioritize contributions that align with our roadmap and [security policy](../SECURITY.md). The easiest way to align is to review the repo guidelines and open an issue.
+>
+> Contributions that overlap with upcoming roadmap items (such as the shift to modular plugins or dynamic API-level data) may be deferred or redirected to ensure they align with the future state of the project.
+>
+> Review our [contribution guidelines](../CONTRIBUTING.md)
+
 #### Future state
 
 ```mermaid
diff --git a/eslint.config.js b/eslint.config.js
index b77d361d..4b97a008 100644
--- a/eslint.config.js
+++ b/eslint.config.js
@@ -127,7 +127,8 @@ export default [
   {
     files: [
       'docs/**/*.ts',
-      'docs/**/*.js'
+      'docs/**/*.js',
+      'scripts/**/*.js'
     ],
     rules: {
       'jsdoc/require-returns': 0,
diff --git a/guidelines/README.md b/guidelines/README.md
index 228d056e..62825e63 100644
--- a/guidelines/README.md
+++ b/guidelines/README.md
@@ -36,6 +36,7 @@ Agents should use these phrases as signals to consult specific documentation and
 | **"review development guide"**      | Review `docs/development.md` for CLI, API, and plugin authoring.                                                                                       |
 | **"create an example tool plugin"** | Review `guidelines/agent_coding.md`, `docs/development.md`, `docs/examples/*`, and `src/*` for context, coding standards, and existing example formats. |
 | **"add documentation links"** / **"add doc entries"** / **"register docs"** / **"update docs.json"** / **"contribute to docs.json"** | Follow `guidelines/skills/add-docs-links/SKILL.md`: docs.json format, duplicate check, raw URL confirmation, then run unit tests and update meta. |
+| **"contribute to the repository"** / **"opening a pull request"** | Review `CONTRIBUTING.md`, `GOVERNANCE.md`, and `guidelines/agent_behaviors.md` for the Interactive Handshake Model and gatekeeper automation. |
 | **"troubleshoot server"** / **"debug server"** | Review `docs/usage.md#troubleshooting` and the PatternFly MCP server resource `patternfly://context` |
 
 ## Guidelines Processing Order
diff --git a/guidelines/agent_behaviors.md b/guidelines/agent_behaviors.md
index 04a4da24..f4d995c1 100644
--- a/guidelines/agent_behaviors.md
+++ b/guidelines/agent_behaviors.md
@@ -67,9 +67,10 @@ For a detailed overview of the system design and roadmap, see [docs/architecture
   - Research the error
   - Identify conflict scenarios with code
   - Identify potential test cases
+  - Review [testing standards](../CONTRIBUTING.md#testing) and [agent testing guidelines](./agent_testing.md) for applicable testing tiers.
 
 2. **Test**
-  - Run typing, lint, unit and e2e tests
+  - Run typing, lint, unit, e2e, and specialized tests (e.g., `npm run test:scripts` for script changes).
   - Confirm conflicts
   - Test resolution options
 
@@ -82,6 +83,24 @@ For a detailed overview of the system design and roadmap, see [docs/architecture
   - Test conflict resolution
   - Confirm approach
 
+### Trigger: "Contribute to the repository" / "Opening a pull request"
+
+1. **Review Standards**
+  - Study [CONTRIBUTING.md](../CONTRIBUTING.md) for project-wide guidelines.
+  - Review [GOVERNANCE.md](../GOVERNANCE.md) to understand the automated and human review layers.
+  - Open a GitHub issue BEFORE starting work to start a planning conversation.
+
+2. **Gatekeeper Model**
+  - PRs from general contributors require a Gatekeeper pre-check.
+  - After opening a PR, automation will provide immediate feedback in a "PR Quality Guidance" bot comment.
+  - **Action**: Monitor the bot comment for required cleanup. If Gatekeeper policy checks pass, the PR is labeled `bot:policy-ready`.
+
+3. **Validation & Gating**
+  - Address all feedback from the "PR Quality Guidance" bot comment before requesting a manual review.
+
+4. **Core Contributor Implicit Bypass**
+  - Core contributors (listed in `CODEOWNERS` or with `OWNER/MEMBER` roles) skip policy checks and receive the `bot:policy-ready` label immediately.
+
 ## 4. Decision-Making Guidelines
 
 1. **Consistency vs. Improvement**
diff --git a/guidelines/agent_testing.md b/guidelines/agent_testing.md
index c984e3ba..e33f2ad9 100644
--- a/guidelines/agent_testing.md
+++ b/guidelines/agent_testing.md
@@ -19,7 +19,9 @@ See the [Guidelines Index](./README.md#guidelines-index) for a complete list of
 Refer to [testing standards](../CONTRIBUTING.md#testing) for project-wide requirements.
 
 - **Unit Tests (`src/__tests__/*.test.ts`)**: Focus on individual module logic, helpers, and creator functions.
-- **E2E Tests (`tests/*.test.ts`)**: Validate full server lifecycle, transport (stdio/http), and tool/resource execution.
+- **E2E Tests (`tests/e2e/*.test.ts`)**: Validate full server lifecycle, transport (stdio/http), and tool/resource execution.
+- **Script Tests (`tests/scripts/*.test.ts`)**: Verify GitHub Action scripts and pre-check logic.
+- **Audit Tests (`tests/audit/*.test.ts`)**: Verify documentation links and resource integrity.
 - **Integration Tests (`npm run test:integration`)**: Verify interactions between server components.
 
 ## 2. Testing Principles
@@ -57,6 +59,29 @@ Refer to [testing standards](../CONTRIBUTING.md#testing) for project-wide requir
 ## 5. Execution
 
 - **Unit Tests**: `npm test`
-- **E2E/Integration**: `npm run test:integration`
+- **E2E Tests**: `npm run test:integration`
+- **Script Tests**: `npm run test:scripts`
+- **Audit Tests**: `npm run test:audit`
 - **Manual Verification**: Use the [MCP Inspector](../docs/development.md#testing-with-mcp-inspector) to manually verify tool and resource behavior.
 - **Coverage**: Ensure new logic is covered by at least one unit test.
+
+## 6. Script and Audit Testing
+
+### 6.1 Script Integrity
+
+Automation scripts in `scripts/` are critical to repository security. Changes to these scripts MUST be accompanied by updates to `tests/scripts/*.test.ts`.
+
+**Key areas to test**:
+- Label management logic.
+- Contributor and bot identification.
+- Failure fallback (📡 icon).
+- Informative error messaging.
+
+### 6.2 Data and Resource Audit
+
+The `test:audit` suite ensures the integrity of external documentation links and resource metadata in `src/docs.json`.
+
+**When to run**:
+- When adding new PatternFly documentation links
+- When updating whitelisted domains
+- As part of the daily security check
diff --git a/jest.config.ts b/jest.config.ts
index 8c02c24a..e759a021 100644
--- a/jest.config.ts
+++ b/jest.config.ts
@@ -36,7 +36,7 @@ export default {
   projects: [
     {
       displayName: 'unit',
-      roots: ['src'],
+      roots: ['<rootDir>/src'],
       testMatch: ['<rootDir>/src/**/*.test.ts'],
       setupFilesAfterEnv: ['<rootDir>/jest.setupTests.ts'],
       ...baseConfig,
@@ -64,7 +64,7 @@ export default {
     },
     {
       displayName: 'e2e',
-      roots: ['tests/e2e'],
+      roots: ['<rootDir>/tests/e2e'],
       testMatch: ['<rootDir>/tests/e2e/**/*.test.ts'],
       setupFilesAfterEnv: ['<rootDir>/tests/e2e/jest.setupTests.ts'],
       transformIgnorePatterns: [
@@ -74,9 +74,15 @@ export default {
     },
     {
       displayName: 'audit',
-      roots: ['tests/audit'],
+      roots: ['<rootDir>/tests/audit'],
       testMatch: ['<rootDir>/tests/audit/**/*.test.ts'],
       ...baseConfig
+    },
+    {
+      displayName: 'scripts',
+      roots: ['<rootDir>/scripts', '<rootDir>/tests/scripts'],
+      testMatch: ['<rootDir>/tests/scripts/**/*.test.ts'],
+      ...baseConfig
     }
   ]
 };
diff --git a/package.json b/package.json
index acbb8563..95be5418 100644
--- a/package.json
+++ b/package.json
@@ -31,16 +31,18 @@
     "release": "changelog --non-cc --link-url https://github.com/patternfly/patternfly-mcp.git",
     "start": "node dist/cli.js --log-stderr",
     "start:dev": "tsx watch src/cli.ts --verbose --log-stderr",
-    "test": "npm run test:spell && npm run test:spell-docs && npm run test:lint && npm run test:types && jest --selectProjects unit --roots=src/",
-    "test:audit": "jest --selectProjects audit --roots=tests/audit/",
+    "test": "npm run test:spell && npm run test:spell-docs && npm run test:lint && npm run test:types && jest --selectProjects unit",
+    "test:audit": "jest --selectProjects audit",
+    "test:scripts": "NODE_OPTIONS='--experimental-vm-modules' jest --selectProjects scripts",
+    "test:scripts-dev": "npm run test:scripts -- --watchAll",
     "test:ci": "npm test -- --coverage",
     "test:dev": "npm test -- --watchAll",
-    "test:integration": "npm run build && NODE_OPTIONS='--experimental-vm-modules' jest --selectProjects e2e --roots=tests/e2e/",
+    "test:integration": "npm run build && NODE_OPTIONS='--experimental-vm-modules' jest --selectProjects e2e",
     "test:integration-dev": "npm run test:integration -- --watchAll",
     "test:lint": "eslint .",
     "test:lint-fix": "eslint . --fix",
-    "test:spell-docs": "cspell './README.md' './CONTRIBUTING.md' './docs/**/*.md' './guidelines/**/*.md' './docs/**/*.ts' './docs/**/*.js' --config ./cspell.config.json --fail-fast",
-    "test:spell": "cspell './src/**/*.ts' './tests/**/*.ts' --exclude './src/**/*test*' --exclude './tests/**/*test*' --config ./cspell.config.json --fail-fast",
+    "test:spell-docs": "cspell './README.md' './CONTRIBUTING.md' './GOVERNANCE.md' './SECURITY.md' './docs/**/*.md' './guidelines/**/*.md' './docs/**/*.ts' './docs/**/*.js' --config ./cspell.config.json --fail-fast",
+    "test:spell": "cspell './src/**/*.ts' './scripts/**/*.js' './tests/**/*.ts' --exclude './src/**/*test*' --exclude './tests/**/*test*' --config ./cspell.config.json --fail-fast",
     "test:types": "tsc --noEmit",
     "prepare": "npm run build",
     "prepack": "npm run build"
diff --git a/scripts/workflow.commitLint.js b/scripts/workflow.commitLint.js
new file mode 100644
index 00000000..db070d69
--- /dev/null
+++ b/scripts/workflow.commitLint.js
@@ -0,0 +1,219 @@
+/** This is a temporary script meant to get up and running fast. It will be replaced. **/
+/**
+ * Available message scope types.
+ *
+ * @type {Array<string>}
+ */
+const MESSAGE_TYPES = [
+  'feat',
+  'fix',
+  'docs',
+  'style',
+  'refactor',
+  'perf',
+  'test',
+  'build',
+  'ci',
+  'chore',
+  'revert'
+];
+
+/**
+ * Parse a commit message
+ *
+ * @param {object} params
+ * @param {string} params.hash - Commit hash
+ * @param {string} params.message - Original commit message, typically the first line.
+ * @param {object} settings - Function settings
+ * @param {Array<string>} settings.messageTypes - List of available conventional commit types.
+ * @param {boolean} settings.allowIssuesAnywhere - Allow issue numbers to appear anywhere. Setting to `false`
+ *     limits the issue number placement to the beginning of the description.
+ * @returns {{scope: string, description: string, type: string, prNumber: string, hash: string,
+ *     typeScope: string, isBreaking: boolean, original: string, message: string, messageLength: number,
+ *     issueNumber: string}}
+ */
+const parseCommitMessage = ({ hash, message }, { messageTypes = MESSAGE_TYPES, allowIssuesAnywhere = true } = {}) => {
+  let output;
+
+  const trimmedMessage = message.trim();
+  const firstColonIndex = trimmedMessage.indexOf(':');
+  const baseTypeScope = firstColonIndex > -1 ? trimmedMessage.substring(0, firstColonIndex) : '';
+  const descriptionEtAll = firstColonIndex > -1 ? trimmedMessage.substring(firstColonIndex + 1).trim() : trimmedMessage;
+  const prMatch = descriptionEtAll.match(/\s\(#(\d+)\)$/);
+
+  let prNumber = undefined;
+  let description = descriptionEtAll;
+
+  if (prMatch) {
+    prNumber = prMatch[1];
+    description = descriptionEtAll.replace(/\s\(#(\d+)\)$/, '').trim();
+  }
+
+  const issueNumberMatch = allowIssuesAnywhere ? description.match(/([a-zA-Z]+[/-]+[0-9]+)/) : description.match(/(^[a-zA-Z]+[/-]+[0-9]+)/);
+  let issueNumber = undefined;
+
+  if (issueNumberMatch) {
+    issueNumber = issueNumberMatch[0];
+  }
+
+  const typeScope = baseTypeScope.replace(/!$/, '').trim();
+  let type = typeScope;
+  let scope = undefined;
+
+  if (typeScope.includes('(')) {
+    const [splitType, splitScope] = typeScope.split('(');
+
+    type = splitType?.trim();
+    scope = splitScope?.split(')')?.[0]?.trim();
+  }
+
+  const isType = messageTypes.includes(type) && type;
+
+  output = {
+    hash,
+    typeScope: isType ? typeScope : undefined,
+    type: isType ? type : undefined,
+    scope: isType ? scope : undefined,
+    description: isType ? description : trimmedMessage,
+    issueNumber,
+    prNumber,
+    isBreaking: isType ? /!$/.test(baseTypeScope) : undefined
+  };
+
+  const updatedMessage = [
+    `${output.typeScope || ''}${(output.isBreaking && '!') || ''}${(output.typeScope && ':') || ''}`,
+    output.description
+  ]
+    .filter(value => Boolean(value))
+    .join(' ')
+    .trim();
+
+  return {
+    ...output,
+    messageLength: updatedMessage?.length || 0,
+    message: updatedMessage,
+    original: message
+  };
+};
+
+/**
+ * Apply valid/invalid checks.
+ *
+ * @param {Array} parsedMessages
+ * @param {object} options - Default options, update accordingly
+ * @param {boolean} options.allowIssuesAnywhere - Updates related messaging. See `parseCommitMessage` for parsing behavior.
+ * @param {Array|string|undefined} options.issueNumberExceptions - An "undefined" or "false" or "falsy" value
+ *     will ignore issue numbers. A string of "*" will allow every type. An array of issue types can be used
+ *     to identify which commit message type scopes to ignore, i.e. ['chore', 'fix', 'build', 'perf'].
+ *     See NPM conventional-commit-types for full listing options, https://bit.ly/2L0yr6I
+ * @param {number} options.maxMessageLength - Max length of the main message string. Messages considered "body"
+ *     do not count against this limit.
+ * @param {Array<string>|string|undefined} options.typeScopeExceptions - see `options.issueNumberExceptions`
+ * @returns {Array}
+ */
+const messagesList = (
+  parsedMessages,
+  {
+    allowIssuesAnywhere = true,
+    issueNumberExceptions = [],
+    maxMessageLength = 65,
+    typeScopeExceptions = '*'
+  } = {}
+) =>
+  parsedMessages.map(
+    ({ messageLength = 0, type = null, scope = null, description = null, message = null, hash = null, issueNumber = null, prNumber = null }) => {
+      const typeValid =
+        (type && 'valid') || 'INVALID: type (expected known types and format "<type>:" or "<type>(<scope>):")';
+
+      let scopeException = !typeScopeExceptions || typeScopeExceptions === '*';
+
+      if (!scopeException && Array.isArray(typeScopeExceptions) && typeScopeExceptions.length > 0) {
+        scopeException = typeScopeExceptions.includes(type);
+      }
+
+      const scopeValid = (scopeException && 'valid') || (scope && 'valid') || 'INVALID: scope';
+
+      let issueNumberException = !issueNumberExceptions || issueNumberExceptions === '*';
+
+      if (!issueNumberException && Array.isArray(issueNumberExceptions) && issueNumberExceptions.length > 0) {
+        issueNumberException = issueNumberExceptions.includes(type);
+      }
+
+      const issueNumberValid =
+        (issueNumberException && 'valid') ||
+        (issueNumber && 'valid') ||
+        (allowIssuesAnywhere && 'INVALID: issue number (expected format "<desc>/<number>" or "<desc>-<number>")') ||
+        'INVALID: issue number (expected format "<desc>/<number>" or "<desc>-<number>" at beginning of description)';
+
+      const descriptionValid = (description && 'valid') || 'INVALID: description (missing description)';
+
+      const adjustedMaxMessageLength = issueNumber ? issueNumber.length + 1 + maxMessageLength : maxMessageLength;
+      const lengthValid =
+        (messageLength <= adjustedMaxMessageLength && 'valid') ||
+        `INVALID: message length (${messageLength} > ${maxMessageLength}).${
+          prNumber ? ' PRs do not count towards message length.' : ''}${
+          issueNumber ? ' Issue numbers do not count towards message length.' : ''}`;
+
+      return {
+        hash,
+        commit: message,
+        type: typeValid,
+        scope: scopeValid,
+        description: descriptionValid,
+        issueNumber: issueNumberValid,
+        length: lengthValid
+      };
+    }
+  );
+
+/**
+ * If commits exist, lint them.
+ *
+ * @param {Array<object>} commits
+ * @param {object} options - Configuration
+ * @param {boolean} options.allowIssuesAnywhere - See `parseCommitMessage` for behavior.
+ * @param {Array<string>} options.issueNumberExceptions - See `messagesList` for behavior.
+ * @param {number} options.maxMessageLength - See `messagesList` for behavior.
+ * @param {Array<string>|string|undefined} options.typeScopeExceptions - See `messagesList` for behavior.
+ * @returns {{resultsArray: Array<object>, resultsString: string}} Return linting results
+ *    - `resultsArray`: An array of objects representing the "error validated" parts of the message.
+ *    - `resultsString`: A `JSON.stringify` version of the `resultsArray` for display.
+ */
+const start = (commits, { allowIssuesAnywhere, issueNumberExceptions, maxMessageLength, typeScopeExceptions } = {}) => {
+  const lintResults = { resultsArray: [], resultsString: '' };
+
+  if (commits) {
+    const updatedCommits = commits
+      .map(({ sha, commit } = {}) => parseCommitMessage({
+        hash: sha.substring(0, 7),
+        message: (commit.message || 'empty').split('\n')[0]
+      }, { allowIssuesAnywhere }));
+
+    let filteredResults = messagesList(updatedCommits, {
+      allowIssuesAnywhere,
+      issueNumberExceptions,
+      maxMessageLength,
+      typeScopeExceptions
+    });
+
+    // Mutate and filter valid commits out
+    filteredResults.forEach(obj => {
+      const updatedObj = obj;
+
+      Object.entries(updatedObj).forEach(([key, value]) => {
+        if (value === 'valid') {
+          delete updatedObj[key];
+        }
+      });
+    });
+
+    // eslint-disable-next-line @typescript-eslint/no-unused-vars
+    filteredResults = filteredResults.filter(({ hash, commit, ...rest }) => Object.keys(rest).length > 0);
+    lintResults.resultsArray = filteredResults;
+    lintResults.resultsString = JSON.stringify(filteredResults, null, 2);
+  }
+
+  return lintResults;
+};
+
+export { messagesList, parseCommitMessage, start, MESSAGE_TYPES };
diff --git a/scripts/workflow.preCheck.js b/scripts/workflow.preCheck.js
new file mode 100644
index 00000000..a07ca477
--- /dev/null
+++ b/scripts/workflow.preCheck.js
@@ -0,0 +1,465 @@
+import fs from 'node:fs';
+
+/**
+ * Confirm specific authors/contributors from an available CODEOWNERS file.
+ *
+ * @note This check will pull authors/contributors regardless of CODEOWNERS' rights.
+ *
+ * @param params - Passed author parameters for review.
+ * @param params.author
+ * @param params.authorType
+ * @param params.authorRole
+ * @param options - Optional settings
+ * @param options.allowBots - Allow known bots to skip preCheck
+ * @param options.allowMaintainers - Allow general members
+ * @returns {boolean} A `boolean` indicating whether an author/contributor is allowed to skip pre-checks.
+ */
+const coreContributors = ({ author, authorType, authorRole } = {}, { allowBots = true, allowMaintainers = true } = {}) => {
+  const bots = ['Bot', 'dependabot[bot]'];
+  const contributors = ['OWNER'];
+  const codeOwnersPaths = ['.github/CODEOWNERS', 'CODEOWNERS'];
+
+  const isBot = allowBots && (bots.includes(authorType) || bots.includes(author));
+  const isMaintainer = allowMaintainers && contributors.includes(authorRole);
+  let isCodeOwner = false;
+
+  for (const filePath of codeOwnersPaths) {
+    if (!fs.existsSync(filePath)) {
+      continue;
+    }
+
+    const content = fs.readFileSync(filePath, 'utf8');
+    const isAvailable = content
+      .split(/[\s,()]+/)
+      .filter(Boolean)
+      .includes(`@${author}`);
+
+    if (isAvailable) {
+      isCodeOwner = true;
+      break;
+    }
+  }
+
+  return isBot || isMaintainer || isCodeOwner;
+};
+
+/**
+ * Does one list contain another list's values?
+ *
+ * @param {{ filename: string }[]} listBase - Base array of strings to match.
+ * @param {string[]} listCheck - Array of strings to confirm matches in base.
+ * @returns {string[]} An array of value matches.
+ */
+const doesListContainAnotherListValues = (listBase, listCheck) =>
+  ((Array.isArray(listBase) && listBase) || [])
+    .filter(file => {
+      const updatedFileName = file?.filename?.trim()?.toLowerCase() || undefined;
+      const updatedListCheck = ((Array.isArray(listCheck) && listCheck) || []).map(item => item?.toLowerCase());
+
+      if (!updatedFileName) {
+        return false;
+      }
+
+      return updatedListCheck.includes(updatedFileName) ||
+        updatedListCheck.some(
+          item => (item && (updatedFileName.startsWith(item) || updatedFileName.endsWith(item) || updatedFileName.includes(item) || item.includes(updatedFileName)))
+        );
+    }).map(file => file?.filename);
+
+/**
+ * Scan PR for signatures using basic logic.
+ *
+ * @param params - Passed code parameters for review.
+ * @param params.description
+ * @param params.files
+ * @param params.fileCount
+ * @returns {{errors: string[], isMaxFilesUpdated: boolean, isPrTemplateModified: boolean, isAgentModified: boolean,
+ *     isCoreModified: boolean, isExtraModified: boolean, isGenModified: boolean, isSecModified: boolean,
+ *     hasFailed: boolean, hasTell: boolean}} An `object` containing code scan results.
+ */
+const signatureScan = ({ description, files, fileCount } = {}) => {
+  // Make sure this is within the PR template, or we'll get false positives.
+  const prTemplateStr = '<!-- GH_PR_METADATA_V1_789 -->';
+
+  // Max file updates outside of core contributors before alerting.
+  const fileChangeLimit = 15;
+
+  // Signature checks. This can be a list of existing or non-existent files, directories, and/or extensions.
+  const coreList = [
+    'src/cli',
+    'src/declarations',
+    'src/index',
+    'src/mcpSdk',
+    'src/options.default',
+    'src/patternFly.getResources',
+    'src/resource.',
+    'src/server.ts',
+    'src/tool.',
+    'tests/audit',
+    'tests/e2e'
+  ];
+
+  // generated check. This can be a list of existing or non-existent files, directories, and/or extensions.
+  const genList = [
+    'tests/e2e/utils/stdioTransportClient.ts',
+    'tests/e2e/__snapshots__/stdioTransport.test.ts.snap'
+  ];
+
+  // double check. This can be a list of existing or non-existent files, directories, and/or extensions.
+  const secList = [
+    '.github',
+    '.gitignore',
+    '.npmrc',
+    '.sh',
+    'package-lock.json',
+    'src/index',
+    'scripts/workflow'
+  ];
+
+  // more than needed. This can be a list of existing or non-existent files, directories, and/or extensions.
+  const extrasList = [
+    '__fixtures__',
+    '__mocks__',
+    'src/fixtures',
+    'src/mocks'
+  ];
+
+  // agent exceptions. This can be a list of existing or non-existent files, directories, and/or extensions.
+  const agentList = [
+    '.aiignore',
+    '.agents',
+    '.claude',
+    '.cursor',
+    '.junie',
+    'guidelines/'
+  ];
+
+  try {
+    const isMaxFilesUpdated = typeof fileCount === 'number' ? fileCount > fileChangeLimit : undefined;
+    const isPrTemplateModified = typeof description === 'string' ? description.includes(prTemplateStr) === false : undefined;
+
+    const coreModified = doesListContainAnotherListValues(files, coreList);
+    const isCoreModified = coreModified.length > 0;
+
+    const genModified = doesListContainAnotherListValues(files, genList);
+    const isGenModified = genModified.length > 0;
+
+    const secModified = doesListContainAnotherListValues(files, secList);
+    const isSecModified = secModified.length > 0;
+
+    const extraModified = doesListContainAnotherListValues(files, extrasList);
+    const isExtraModified = extraModified.length > 0;
+
+    const agentModified = doesListContainAnotherListValues(files, agentList);
+    const isAgentModified = agentModified.length > 0;
+
+    // Aggregate errors
+    const errors = [];
+
+    if (isMaxFilesUpdated === true) {
+      errors.push(`⚠️ You've updated a lot of files (${fileCount}/${fileChangeLimit}). **Resolution:** Please reduce the scope of these changes by splitting them into smaller, more focused PR contributions.`);
+    }
+
+    if (isCoreModified) {
+      errors.push(`⚠️ I detected core file modifications. Updates to core files require an associated issue (${coreModified.join(', ')}). **Resolution:** Please link an issue in your PR description. If no issue exists your PR will be delayed for review, and may be closed.`);
+    }
+
+    if (isExtraModified) {
+      errors.push(`⚠️ I've found extra file updates. You may be attempting to tailor the codebase to your workflow (${extraModified.join(', ')}). **Resolution:** Please align to the codebase style and remove these changes. You can also provide an explanation in your PR description but expect a delay in review.`);
+    }
+
+    if (isAgentModified) {
+      errors.push(`⚠️ I found local agent modifications in your changes (${agentModified.join(', ')}). **Resolution:** Changes to agent guidelines require maintainer approval. Please remove these changes unless instructed otherwise.`);
+    }
+
+    if (isSecModified) {
+      errors.push(`⚠️ I've found updates that may require a core contributor's involvement (${secModified.join(', ')}). **Resolution:** A core contributor must review these changes. You can remove these changes, or provide an explanation in your PR description and expect a delay in review.`);
+    }
+
+    return {
+      errors,
+      isMaxFilesUpdated: isMaxFilesUpdated === true,
+      isPrTemplateModified: isPrTemplateModified === true,
+      isAgentModified,
+      isCoreModified,
+      isExtraModified,
+      isGenModified,
+      isSecModified,
+      hasFailed: false,
+      hasTell: isMaxFilesUpdated === true && isPrTemplateModified === true && isCoreModified && isGenModified
+    };
+  } catch (e) {
+    console.error(`Workflow PreCheck signatureScan failed`, e?.message || e);
+  }
+
+  return {
+    errors: [
+      `📡 I'm calling for backup! I encountered an unexpected issue while processing your work. A maintainer has been notified.`
+    ],
+    isMaxFilesUpdated: false,
+    isPrTemplateModified: false,
+    isAgentModified: false,
+    isCoreModified: false,
+    isExtraModified: false,
+    isGenModified: false,
+    isSecModified: false,
+    hasFailed: true,
+    hasTell: false
+  };
+};
+
+/**
+ * Set labels
+ *
+ * @param config
+ * @param config.github
+ * @param config.context
+ * @returns {{add: function(*): Promise<void>, remove: function(*): Promise<void>}}
+ */
+const setLabels = ({ github, context } = {}) => {
+  const { owner, repo } = context?.repo || {};
+  const issueNumber = context?.issue?.number;
+  const addLabels = github?.rest?.issues?.addLabels;
+  const removeLabel = github?.rest?.issues?.removeLabel;
+
+  return {
+    add: async labels => {
+      if (Array.isArray(labels)) {
+        await addLabels({ owner, repo, issue_number: issueNumber, labels }).catch(err => {
+          console.error(`Workflow add labels failed: ${labels.join(', ')}`, err?.message || err);
+        });
+      }
+    },
+    remove: async labels => {
+      if (Array.isArray(labels)) {
+        for (const label of labels) {
+          await removeLabel({ owner, repo, issue_number: issueNumber, name: label }).catch(err => {
+            console.error(`Workflow remove label failed: ${label}`, err?.message || err);
+          });
+        }
+      }
+    }
+  };
+};
+
+/**
+ * Get a comment ID from an issue number using a signature.
+ *
+ * @param signature
+ * @param config
+ * @param config.github
+ * @param config.context
+ * @returns {Promise<*>}
+ */
+const getCommentId = async (signature, { github, context } = {}) => {
+  const { owner, repo } = context?.repo || {};
+  const issueNumber = context?.issue?.number;
+
+  const listComments = github?.rest?.issues?.listComments;
+  let commentId;
+
+  if (listComments && issueNumber) {
+    const { data: comments } = await listComments({ owner, repo, issue_number: issueNumber }) || {};
+
+    const foundComment = comments.find(comment => comment?.body?.includes(signature));
+
+    commentId = foundComment?.id;
+  }
+
+  return commentId;
+};
+
+/**
+ * Set comments
+ *
+ * @param config
+ * @param config.signature
+ * @param config.github
+ * @param config.context
+ * @returns {Promise<{add: function(*): Promise<*>, remove: function(): Promise<*>, existingCommentId: *, isComment: boolean}>}
+ */
+const setComment = async ({ signature, github, context } = {}) => {
+  const { owner, repo } = context?.repo || {};
+  const issueNumber = context?.issue?.number;
+  const createComment = github?.rest?.issues?.createComment;
+  const deleteComment = github?.rest?.issues?.deleteComment;
+  const updateComment = github?.rest?.issues?.updateComment;
+
+  const getBody = bod => String(bod ?? '') + signature;
+  const commentId = await getCommentId(signature, { github, context });
+
+  return {
+    add: async body => {
+      if (commentId) {
+        return updateComment({ owner, repo, comment_id: commentId, body: getBody(body) }).catch(err => {
+          console.error(`Workflow update comment failed`, err?.message || err);
+        });
+      }
+
+      return createComment({ owner, repo, issue_number: issueNumber, body: getBody(body) }).catch(err => {
+        console.error(`Workflow create comment failed`, err?.message || err);
+      });
+    },
+    remove: async () => deleteComment({ owner, repo, comment_id: commentId }).catch(err => {
+      console.error(`Workflow remove comment failed`, err?.message || err);
+    }),
+    existingCommentId: commentId,
+    isComment: commentId !== undefined
+  };
+};
+
+/**
+ * Convert a PR to draft.
+ *
+ * @param config
+ * @param config.github
+ * @param config.context
+ * @returns {Promise<any>}
+ */
+const convertPrToDraft = async ({ github, context } = {}) => {
+  const prNodeId = context.payload.pull_request.node_id;
+  const mutation = `mutation($id: ID!) {
+      convertPullRequestToDraft(input: { pullRequestId: $id }) {
+        pullRequest { id isDraft }
+      }
+    }`;
+
+  return github.graphql(mutation, { id: prNodeId });
+};
+
+/**
+ * Get a pull request context.
+ *
+ * @param config
+ * @param config.github
+ * @param config.context
+ * @returns {Promise<{}|{author: *, authorType: *, authorRole: *, description: string, fileCount: *, files: *, comments: *}>}
+ */
+const getPullRequest = async ({ github, context } = {}) => {
+  try {
+    const { login: author, type: authorType } = context.payload.pull_request.user;
+    const authorRole = context.payload.pull_request.author_association;
+
+    const description = context.payload.pull_request.body || '';
+    const fileCount = context.payload.pull_request.changed_files;
+    const { data: files } = await github.rest.pulls.listFiles({
+      owner: context.repo.owner,
+      repo: context.repo.repo,
+      pull_number: context.issue.number,
+      per_page: 50
+    });
+    const { data: comments } = await github.rest.issues.listComments({
+      owner: context.repo.owner,
+      repo: context.repo.repo,
+      issue_number: context.issue.number
+    });
+
+    return {
+      author, authorType, authorRole, description, fileCount, files, comments
+    };
+  } catch (err) {
+    console.error('Failed to get pull request context', err?.message || err);
+  }
+
+  return {};
+};
+
+/**
+ * Start the pre-check process.
+ *
+ * @param config - Configuration params
+ * @param config.LABEL_NEEDS_CLEANUP - Label string
+ * @param config.LABEL_NEEDS_MAINTAINER - Label string
+ * @param config.LABEL_PRECHECKS_PASS - Label string
+ * @param env - Environment params
+ * @param env.github
+ * @param env.context
+ * @param env.core
+ * @returns {Promise<void>}
+ */
+const start = async ({
+  LABEL_NEEDS_CLEANUP,
+  LABEL_NEEDS_MAINTAINER,
+  LABEL_PRECHECKS_PASS
+} = {}, { github, context, core } = {}) => {
+  const { author, authorType, authorRole, description: prDescription, fileCount: prFileCount, files: prFiles } = await getPullRequest({ github, context });
+  const { add: addLabels, remove: removeLabels } = await setLabels({ github, context });
+
+  // Core contributors get a pass
+  if (coreContributors({ author, authorType, authorRole })) {
+    console.log(`Contributor found, skipping pre-checks: ${author}`);
+    await addLabels([LABEL_PRECHECKS_PASS]);
+
+    return;
+  }
+
+  // Signature checks found feature-like work, notify the user they may not be following guidance
+  const codeSignature = signatureScan({ description: prDescription, files: prFiles, fileCount: prFileCount });
+  const botCommentSignature = '<!-- precheck-bot-comment-V1 -->';
+  const { add: addBotComment } = await setComment({ signature: botCommentSignature, github, context });
+
+  if (codeSignature.hasTell) {
+    const botComment = `### 🤖 PR Quality Guidance\n` +
+      `I've moved this to **Draft** due to the scope of changes, and to avoid confusion.\n` +
+      `Once you've focused your changes I'll take another look.\n\n` +
+      `_Read our [contribution guidelines](https://github.com/patternfly/patternfly-mcp/blob/main/CONTRIBUTING.md). This comment updates automatically._`;
+
+    await convertPrToDraft({ github, context });
+    await addBotComment(botComment);
+    await addLabels([LABEL_NEEDS_CLEANUP]);
+
+    core.setFailed('PR moved to Draft. Make sure to review the contributing guidelines regarding potential feature and generated work and why your PatternFly MCP contribution may require planning.');
+
+    return;
+  }
+
+  // Sec check
+  if (codeSignature.isSecModified) {
+    await addLabels([LABEL_NEEDS_MAINTAINER]);
+  }
+
+  // Signature checks found something, alert the contributor in good faith
+  if (codeSignature.errors.length > 0) {
+    const botComment = `### 🤖 PR Quality Guidance\n` +
+      `I found some issues with your work. Once the following updates are addressed, you'll be queued for review:\n\n` +
+      `${codeSignature.errors.map(err => `- ${err}`).join('\n')}\n\n` +
+      `_Read our [contribution guidelines](https://github.com/patternfly/patternfly-mcp/blob/main/CONTRIBUTING.md). This comment updates automatically._`;
+
+    await addBotComment(botComment);
+    await addLabels([LABEL_NEEDS_CLEANUP]);
+
+    core.setFailed('PR pre-check requirements not met. Make sure to review the contributing guidelines.');
+
+    return;
+  }
+
+  // Fallback if signature checks fail, alert the maintainers, non-blocking
+  if (codeSignature.hasFailed) {
+    const errorComment = `### 🤖 PR Quality Guidance\n` +
+      `${codeSignature.errors.map(err => `- ${err}`).join('\n')}\n\n` +
+      `_This comment updates automatically._`;
+
+    await addBotComment(errorComment);
+    await addLabels([LABEL_NEEDS_MAINTAINER]);
+  } else {
+    // Or confirm the work has passed pre-check
+    const successComment = `### 🤖 PR Quality Guidance\n` +
+      `I finished my scan and all pre-checks pass!\n\n` +
+      `_Read our [contribution guidelines](https://github.com/patternfly/patternfly-mcp/blob/main/CONTRIBUTING.md). This comment updates automatically._`;
+
+    await addBotComment(successComment);
+    await addLabels([LABEL_PRECHECKS_PASS]);
+    await removeLabels([LABEL_NEEDS_CLEANUP, LABEL_NEEDS_MAINTAINER]);
+  }
+};
+
+export {
+  coreContributors,
+  doesListContainAnotherListValues,
+  getCommentId,
+  getPullRequest,
+  setComment,
+  setLabels,
+  signatureScan,
+  start
+};
diff --git a/tests/scripts/__snapshots__/workflow.preCheck.test.ts.snap b/tests/scripts/__snapshots__/workflow.preCheck.test.ts.snap
new file mode 100644
index 00000000..bf02205e
--- /dev/null
+++ b/tests/scripts/__snapshots__/workflow.preCheck.test.ts.snap
@@ -0,0 +1,150 @@
+// Jest Snapshot v1, https://jestjs.io/docs/snapshot-testing
+
+exports[`getPullRequest should resolve and aggregate PR metadata and resources: pr 1`] = `
+{
+  "author": "author1",
+  "authorRole": "MEMBER",
+  "authorType": "User",
+  "comments": [
+    "comment1",
+  ],
+  "description": "description",
+  "fileCount": 10,
+  "files": [
+    "file1",
+  ],
+}
+`;
+
+exports[`signatureScan should scan for signatures, "The Tell" 1`] = `
+{
+  "errors": [
+    "⚠️ You've updated a lot of files (20/15). **Resolution:** Please reduce the scope of these changes by splitting them into smaller, more focused PR contributions.",
+    "⚠️ I detected core file modifications. Updates to core files require an associated issue (src/server.ts, tests/e2e/__snapshots__/stdioTransport.test.ts.snap). **Resolution:** Please link an issue in your PR description. If no issue exists your PR will be delayed for review, and may be closed.",
+  ],
+  "hasFailed": false,
+  "hasTell": true,
+  "isAgentModified": false,
+  "isCoreModified": true,
+  "isExtraModified": false,
+  "isGenModified": true,
+  "isMaxFilesUpdated": true,
+  "isPrTemplateModified": true,
+  "isSecModified": false,
+}
+`;
+
+exports[`signatureScan should scan for signatures, agent modifications 1`] = `
+{
+  "errors": [
+    "⚠️ I found local agent modifications in your changes (.aiignore). **Resolution:** Changes to agent guidelines require maintainer approval. Please remove these changes unless instructed otherwise.",
+  ],
+  "hasFailed": false,
+  "hasTell": false,
+  "isAgentModified": true,
+  "isCoreModified": false,
+  "isExtraModified": false,
+  "isGenModified": false,
+  "isMaxFilesUpdated": false,
+  "isPrTemplateModified": false,
+  "isSecModified": false,
+}
+`;
+
+exports[`signatureScan should scan for signatures, core modifications 1`] = `
+{
+  "errors": [
+    "⚠️ I detected core file modifications. Updates to core files require an associated issue (src/server.ts). **Resolution:** Please link an issue in your PR description. If no issue exists your PR will be delayed for review, and may be closed.",
+  ],
+  "hasFailed": false,
+  "hasTell": false,
+  "isAgentModified": false,
+  "isCoreModified": true,
+  "isExtraModified": false,
+  "isGenModified": false,
+  "isMaxFilesUpdated": false,
+  "isPrTemplateModified": false,
+  "isSecModified": false,
+}
+`;
+
+exports[`signatureScan should scan for signatures, extra/generated files 1`] = `
+{
+  "errors": [
+    "⚠️ I've found extra file updates. You may be attempting to tailor the codebase to your workflow (scripts/__mocks__). **Resolution:** Please align to the codebase style and remove these changes. You can also provide an explanation in your PR description but expect a delay in review.",
+  ],
+  "hasFailed": false,
+  "hasTell": false,
+  "isAgentModified": false,
+  "isCoreModified": false,
+  "isExtraModified": true,
+  "isGenModified": false,
+  "isMaxFilesUpdated": false,
+  "isPrTemplateModified": false,
+  "isSecModified": false,
+}
+`;
+
+exports[`signatureScan should scan for signatures, missing template metadata 1`] = `
+{
+  "errors": [],
+  "hasFailed": false,
+  "hasTell": false,
+  "isAgentModified": false,
+  "isCoreModified": false,
+  "isExtraModified": false,
+  "isGenModified": false,
+  "isMaxFilesUpdated": false,
+  "isPrTemplateModified": true,
+  "isSecModified": false,
+}
+`;
+
+exports[`signatureScan should scan for signatures, security modifications 1`] = `
+{
+  "errors": [
+    "⚠️ I've found updates that may require a core contributor's involvement (.github/workflows/pr_precheck.yml). **Resolution:** A core contributor must review these changes. You can remove these changes, or provide an explanation in your PR description and expect a delay in review.",
+  ],
+  "hasFailed": false,
+  "hasTell": false,
+  "isAgentModified": false,
+  "isCoreModified": false,
+  "isExtraModified": false,
+  "isGenModified": false,
+  "isMaxFilesUpdated": false,
+  "isPrTemplateModified": false,
+  "isSecModified": true,
+}
+`;
+
+exports[`signatureScan should scan for signatures, too many files 1`] = `
+{
+  "errors": [
+    "⚠️ You've updated a lot of files (16/15). **Resolution:** Please reduce the scope of these changes by splitting them into smaller, more focused PR contributions.",
+  ],
+  "hasFailed": false,
+  "hasTell": false,
+  "isAgentModified": false,
+  "isCoreModified": false,
+  "isExtraModified": false,
+  "isGenModified": false,
+  "isMaxFilesUpdated": true,
+  "isPrTemplateModified": false,
+  "isSecModified": false,
+}
+`;
+
+exports[`signatureScan should scan for signatures, valid PR 1`] = `
+{
+  "errors": [],
+  "hasFailed": false,
+  "hasTell": false,
+  "isAgentModified": false,
+  "isCoreModified": false,
+  "isExtraModified": false,
+  "isGenModified": false,
+  "isMaxFilesUpdated": false,
+  "isPrTemplateModified": false,
+  "isSecModified": false,
+}
+`;
diff --git a/tests/scripts/workflow.commitLint.test.ts b/tests/scripts/workflow.commitLint.test.ts
new file mode 100644
index 00000000..4f6158db
--- /dev/null
+++ b/tests/scripts/workflow.commitLint.test.ts
@@ -0,0 +1,273 @@
+import { messagesList, MESSAGE_TYPES, parseCommitMessage, start } from '../../scripts/workflow.commitLint.js';
+
+describe('parseCommitMessage', () => {
+  it.each([
+    {
+      description: 'standard commit with type, scope, and PR',
+      message: 'feat(core): add something (#123)',
+      expected: {
+        type: 'feat',
+        scope: 'core',
+        description: 'add something',
+        prNumber: '123'
+      }
+    },
+    {
+      description: 'multiple colons in description (should not mutate description)',
+      message: 'feat: check: missing colon (#789)',
+      expected: {
+        type: 'feat',
+        description: 'check: missing colon',
+        prNumber: '789'
+      }
+    },
+    {
+      description: 'greedy PR extraction (should not merge description numbers)',
+      message: 'fix: resolve 500 error (#123)',
+      expected: {
+        type: 'fix',
+        description: 'resolve 500 error',
+        prNumber: '123'
+      }
+    },
+    {
+      description: 'breaking change with bang',
+      message: 'feat(ui)!: breaking change',
+      expected: {
+        type: 'feat',
+        isBreaking: true,
+        description: 'breaking change'
+      }
+    },
+    {
+      description: 'fallback when type is invalid',
+      message: 'unknown: some message',
+      expected: {
+        type: undefined,
+        description: 'unknown: some message'
+      }
+    },
+    {
+      description: 'issue number parsing',
+      message: 'feat(ui)!: issues/123 breaking change',
+      expected: {
+        type: 'feat',
+        description: 'issues/123 breaking change',
+        issueNumber: 'issues/123'
+      }
+    },
+    {
+      description: 'issue number parsing, misplaced',
+      message: 'feat(ui): a change issues/123',
+      settings: { allowIssuesAnywhere: false },
+      expected: {
+        type: 'feat',
+        description: 'a change issues/123',
+        issueNumber: undefined
+      }
+    },
+    {
+      description: 'issue number parsing, jira',
+      message: 'feat(ui): jira-12345 a change',
+      expected: {
+        type: 'feat',
+        description: 'jira-12345 a change',
+        issueNumber: 'jira-12345'
+      }
+    }
+  ])('should parse $description', ({ message, settings, expected }) => {
+    const result = parseCommitMessage({ hash: 'abc1234', message }, { messageTypes: MESSAGE_TYPES, ...settings } as any);
+
+    expect(result).toMatchObject(expected);
+  });
+});
+
+describe('messagesList', () => {
+  it.each([
+    {
+      description: 'valid standard commit',
+      parsed: [{
+        type: 'feat',
+        scope: 'any',
+        description: 'JIRA-123 add feature',
+        issueNumber: 'JIRA-123',
+        messageLength: 30,
+        hash: 'abc1234',
+        message: 'feat(any): JIRA-123 add feature'
+      }],
+      options: { typeScopeExceptions: [], issueNumberExceptions: [] },
+      expected: {
+        type: 'valid',
+        issueNumber: 'valid'
+      }
+    },
+    {
+      description: 'validation masking show issue number error even if type is invalid',
+      parsed: [{
+        type: undefined,
+        scope: 'any',
+        description: 'no issue here',
+        messageLength: 30,
+        hash: 'abc1234',
+        message: 'foo(any): no issue here'
+      }],
+      options: { typeScopeExceptions: [], issueNumberExceptions: ['feat'] },
+      expected: {
+        type: expect.stringContaining('INVALID: type'),
+        issueNumber: expect.stringContaining('INVALID: issue number')
+      }
+    },
+    {
+      description: 'message length validation',
+      parsed: [{
+        type: 'feat',
+        description: 'very long description',
+        messageLength: 100,
+        hash: 'abc1234',
+        message: 'feat: very long description'
+      }],
+      options: { maxMessageLength: 50 },
+      expected: {
+        length: 'INVALID: message length (100 > 50).'
+      }
+    },
+    {
+      description: 'message length validation, pr and issue number',
+      parsed: [{
+        type: 'feat',
+        description: 'issues/123 very long description',
+        messageLength: 100,
+        hash: 'abc1234',
+        message: 'feat: issues/123 very long description (#123)',
+        issueNumber: 'issues/123',
+        prNumber: '123'
+      }],
+      options: { maxMessageLength: 50 },
+      expected: {
+        length: 'INVALID: message length (100 > 50). PRs do not count towards message length. Issue numbers do not count towards message length.'
+      }
+    },
+    {
+      description: 'typeScopeExceptions using wildcard',
+      parsed: [{
+        type: 'feat',
+        scope: undefined,
+        description: 'JIRA-123 desc',
+        messageLength: 20,
+        hash: 'abc1234'
+      }],
+      options: { typeScopeExceptions: '*' },
+      expected: {
+        scope: 'valid'
+      }
+    }
+  ])('should validate $description', ({ parsed, options, expected }) => {
+    const results = messagesList(parsed, options as any);
+
+    expect(results[0]).toMatchObject(expected);
+  });
+});
+
+describe('start', () => {
+  const options = {
+    allowIssuesAnywhere: false,
+    issueNumberExceptions: [],
+    maxMessageLength: 65,
+    typeScopeExceptions: '*'
+  };
+
+  it.each([
+    {
+      description: 'valid commits',
+      commits: [
+        { sha: 'abcdef123456', commit: { message: 'feat(core): JIRA-123 add something (#1)' } },
+        { sha: '123456abcdef', commit: { message: 'fix: JIRA-456 resolve bug (#2)' } }
+      ],
+      options,
+      expected: {
+        resultsArray: [],
+        resultsString: '[]'
+      }
+    },
+    {
+      description: 'mixed valid and invalid commits',
+      commits: [
+        { sha: 'abcdef123456', commit: { message: 'feat(core): JIRA-123 add something' } },
+        { sha: '111111222222', commit: { message: 'invalid message format' } }
+      ],
+      options,
+      expected: {
+        resultsArray: [
+          {
+            hash: '1111112',
+            commit: 'invalid message format',
+            type: expect.stringContaining('INVALID: type'),
+            issueNumber: expect.stringContaining('INVALID: issue number')
+          }
+        ]
+      }
+    },
+    {
+      description: 'enforcing max message length with metadata bypass',
+      commits: [
+        {
+          sha: 'abcdef123456',
+          commit: { message: 'feat: JIRA-123 a very long description that exceeds the normal limit (#1)' }
+        }
+      ],
+      options: { ...options, maxMessageLength: 10 },
+      expected: {
+        resultsArray: [
+          {
+            hash: 'abcdef1',
+            length: expect.stringContaining('INVALID: message length')
+          }
+        ]
+      }
+    },
+    {
+      description: 'handling allowIssuesAnywhere toggle',
+      commits: [
+        { sha: 'abcdef123456', commit: { message: 'feat: add feature (JIRA-123)' } }
+      ],
+      options,
+      expected: {
+        resultsArray: [
+          {
+            hash: 'abcdef1',
+            issueNumber: expect.stringContaining('INVALID: issue number')
+          }
+        ]
+      }
+    },
+    {
+      description: 'respecting issueNumberExceptions',
+      commits: [
+        { sha: 'abcdef123456', commit: { message: 'chore: cleanup code' } }
+      ],
+      options: { ...options, issueNumberExceptions: ['chore'] },
+      expected: {
+        resultsArray: [],
+        resultsString: '[]'
+      }
+    },
+    {
+      description: 'empty or missing commits',
+      commits: null,
+      options,
+      expected: {
+        resultsArray: [],
+        resultsString: ''
+      }
+    }
+  ])('should handle $description', ({ commits, options, expected }) => {
+    const result = start(commits as any, options as any);
+
+    if (expected.resultsArray) {
+      expect(result.resultsArray).toMatchObject(expected.resultsArray);
+    }
+    if (expected.resultsString !== undefined) {
+      expect(result.resultsString).toBe(expected.resultsString);
+    }
+  });
+});
diff --git a/tests/scripts/workflow.preCheck.test.ts b/tests/scripts/workflow.preCheck.test.ts
new file mode 100644
index 00000000..7caddb7a
--- /dev/null
+++ b/tests/scripts/workflow.preCheck.test.ts
@@ -0,0 +1,576 @@
+import fs from 'node:fs';
+import { jest } from '@jest/globals';
+import {
+  coreContributors,
+  doesListContainAnotherListValues,
+  signatureScan,
+  getCommentId,
+  getPullRequest,
+  setLabels,
+  setComment,
+  start
+} from '../../scripts/workflow.preCheck.js';
+
+describe('coreContributors', () => {
+  afterEach(() => {
+    jest.restoreAllMocks();
+  });
+
+  it.each([
+    {
+      description: 'dependabot',
+      params: {
+        authorType: 'Bot',
+        author: 'dependabot[bot]'
+      },
+      expected: true
+    },
+    {
+      description: 'dependabot, user',
+      params: {
+        authorType: 'User',
+        author: 'dependabot[bot]'
+      },
+      expected: true
+    },
+    {
+      description: 'other bot',
+      params: {
+        authorType: 'Bot',
+        author: 'lorem-ipsum-bot'
+      },
+      expected: true
+    },
+    {
+      description: 'general user',
+      params: {
+        authorType: 'User',
+        author: 'lorem-ipsum-user'
+      },
+      expected: false
+    },
+    {
+      description: 'owner',
+      params: {
+        authorRole: 'OWNER',
+        author: 'dolor-sit-user'
+      },
+      expected: true
+    },
+    {
+      description: 'member',
+      params: {
+        authorRole: 'MEMBER',
+        author: 'dolor-sit-user'
+      },
+      expected: false
+    },
+    {
+      description: 'collaborator',
+      params: {
+        authorRole: 'COLLABORATOR',
+        author: 'dolor-sit-user'
+      },
+      expected: false
+    },
+    {
+      description: 'contributor',
+      params: {
+        authorRole: 'CONTRIBUTOR',
+        author: 'dolor-sit-user'
+      },
+      expected: false
+    }
+  ])('should handle actual authors, $description', ({ params, expected }) => {
+    // This is a live test against the actual CODEOWNERS file
+    const result = coreContributors(params);
+
+    expect(result).toBe(expected);
+  });
+
+  it.each([
+    {
+      description: 'codeowner, owner',
+      account: '@lorem',
+      params: {
+        author: 'lorem', authorRole: 'OWNER', authorType: 'User'
+      },
+      expected: true
+    },
+    {
+      description: 'owner',
+      account: undefined,
+      params: {
+        author: 'lorem', authorRole: 'OWNER', authorType: 'User'
+      },
+      expected: true
+    },
+    {
+      description: 'codeowner, member',
+      account: '@lorem',
+      params: {
+        author: 'lorem', authorRole: 'MEMBER', authorType: 'User'
+      },
+      expected: true
+    },
+    {
+      description: 'member',
+      account: undefined,
+      params: {
+        author: 'lorem', authorRole: 'MEMBER', authorType: 'User'
+      },
+      expected: false
+    },
+    {
+      description: 'codeowner with comma delimiter',
+      account: '@other, @lorem',
+      params: {
+        author: 'lorem', authorRole: 'MEMBER', authorType: 'User'
+      },
+      expected: true
+    },
+    {
+      description: 'codeowner with parentheses',
+      account: '(@lorem) @other',
+      params: {
+        author: 'lorem', authorRole: 'MEMBER', authorType: 'User'
+      },
+      expected: true
+    },
+    {
+      description: 'prevent partial name match (suffix)',
+      account: '@lorem-suffix',
+      params: {
+        author: 'lorem', authorRole: 'MEMBER', authorType: 'User'
+      },
+      expected: false
+    },
+    {
+      description: 'prevent partial name match (prefix)',
+      account: 'prefix-@lorem',
+      params: {
+        author: 'lorem', authorRole: 'MEMBER', authorType: 'User'
+      },
+      expected: false
+    }
+  ])('should verify simulated authors against a simulated CODEOWNERS file, $description', ({ account, params, expected }) => {
+    jest.spyOn(fs, 'existsSync').mockReturnValue(true);
+    const mockReadFileSyncSpy = jest.spyOn(fs, 'readFileSync').mockReturnValue(account ? `package*.json ${account} @dolor-sit` : 'package*.json @dolor-sit');
+    const result = coreContributors(params);
+
+    expect(result).toBe(expected);
+    expect(mockReadFileSyncSpy).toHaveBeenCalledWith(expect.stringContaining('CODEOWNERS'), 'utf8');
+  });
+});
+
+describe('doesListContainAnotherListValues', () => {
+  it.each([
+    {
+      description: 'empty lists',
+      listBase: [],
+      listCheck: ['src/'],
+      expected: []
+    },
+    {
+      description: 'exact match',
+      listBase: [{ filename: 'src/server.ts' }],
+      listCheck: ['src/server.ts'],
+      expected: ['src/server.ts']
+    },
+    {
+      description: 'case insensitivity',
+      listBase: [{ filename: 'src/SERVER.ts' }],
+      listCheck: ['SRC/server.TS'],
+      expected: ['src/SERVER.ts']
+    },
+    {
+      description: 'prefix/directory match',
+      listBase: [{ filename: 'src/cli.ts' }],
+      listCheck: ['src/cli'],
+      expected: ['src/cli.ts']
+    },
+    {
+      description: 'contains match',
+      listBase: [{ filename: 'some/path/scripts/workflow.script.js' }],
+      listCheck: ['scripts/workflow'],
+      expected: ['some/path/scripts/workflow.script.js']
+    },
+    {
+      description: 'multiple matches',
+      listBase: [
+        { filename: 'src/server.ts' },
+        { filename: 'tests/e2e/test.ts' }
+      ],
+      listCheck: ['src/', 'tests/e2e'],
+      expected: ['src/server.ts', 'tests/e2e/test.ts']
+    },
+    {
+      description: 'no match',
+      listBase: [{ filename: 'README.md' }],
+      listCheck: ['src/'],
+      expected: []
+    }
+  ])('should verify list containment, $description', ({ listBase, listCheck, expected }) => {
+    const result = doesListContainAnotherListValues(listBase, listCheck);
+
+    expect(result).toEqual(expected);
+  });
+});
+
+describe('signatureScan', () => {
+  it.each([
+    {
+      description: 'valid PR',
+      params: {
+        description: '<!-- GH_PR_METADATA_V1_789 -->',
+        files: [{ filename: 'src/patternfly.ts' }],
+        fileCount: 1
+      },
+      expected: 0
+    },
+    {
+      description: 'too many files',
+      params: {
+        description: '<!-- GH_PR_METADATA_V1_789 -->',
+        files: [],
+        fileCount: 16
+      },
+      expected: 1
+    },
+    {
+      description: 'missing template metadata',
+      params: {
+        description: 'Just a PR description',
+        files: [],
+        fileCount: 1
+      },
+      expected: 0
+    },
+    {
+      description: 'core modifications',
+      params: {
+        description: '<!-- GH_PR_METADATA_V1_789 -->',
+        files: [{ filename: 'src/server.ts' }],
+        fileCount: 1
+      },
+      expected: 1
+    },
+    {
+      description: 'security modifications',
+      params: {
+        description: '<!-- GH_PR_METADATA_V1_789 -->',
+        files: [{ filename: '.github/workflows/pr_precheck.yml' }],
+        fileCount: 1
+      },
+      expected: 1
+    },
+    {
+      description: 'agent modifications',
+      params: {
+        description: '<!-- GH_PR_METADATA_V1_789 -->',
+        files: [{ filename: '.aiignore' }],
+        fileCount: 1
+      },
+      expected: 1
+    },
+    {
+      description: 'extra/generated files',
+      params: {
+        description: '<!-- GH_PR_METADATA_V1_789 -->',
+        files: [{ filename: 'scripts/__mocks__' }],
+        fileCount: 1
+      },
+      expected: 1
+    },
+    {
+      description: '"The Tell"',
+      params: {
+        description: 'Missing metadata',
+        files: [
+          { filename: 'src/server.ts' },
+          { filename: 'tests/e2e/__snapshots__/stdioTransport.test.ts.snap' }
+        ],
+        fileCount: 20
+      },
+      expected: 2
+    }
+  ])('should scan for signatures, $description', ({ params, expected }) => {
+    const result = signatureScan(params);
+
+    expect(result.errors.length).toBe(expected);
+    expect(result).toMatchSnapshot();
+  });
+});
+
+describe('getCommentId', () => {
+  it('should return the ID of a comment matching the signature', async () => {
+    const github = {
+      rest: {
+        issues: {
+          listComments: jest.fn<any>().mockResolvedValue({
+            data: [
+              { id: 101, body: 'some other comment' },
+              { id: 202, body: 'matching signature <!-- metadata-123 -->' }
+            ]
+          })
+        }
+      }
+    };
+    const context = { repo: { owner: 'lorem', repo: 'ipsum' }, issue: { number: 1 } };
+    const id = await getCommentId('<!-- metadata-123 -->', { github, context });
+
+    expect(id).toBe(202);
+  });
+});
+
+describe('getPullRequest', () => {
+  it('should resolve and aggregate PR metadata and resources', async () => {
+    const github = {
+      rest: {
+        pulls: { listFiles: jest.fn<any>().mockResolvedValue({ data: ['file1'] }) },
+        issues: { listComments: jest.fn<any>().mockResolvedValue({ data: ['comment1'] }) }
+      }
+    };
+    const context = {
+      payload: {
+        pull_request: {
+          user: { login: 'author1', type: 'User' },
+          author_association: 'MEMBER',
+          body: 'description',
+          changed_files: 10
+        }
+      },
+      repo: { owner: 'lorem', repo: 'ipsum' },
+      issue: { number: 1 }
+    };
+
+    const result = await getPullRequest({ github, context });
+
+    expect(result).toMatchSnapshot('pr');
+  });
+});
+
+describe('setLabels', () => {
+  it('should provide methods to add and remove labels', async () => {
+    const github = {
+      rest: {
+        issues: {
+          addLabels: jest.fn<any>().mockResolvedValue({}),
+          removeLabel: jest.fn<any>().mockResolvedValue({})
+        }
+      }
+    };
+    const context = { repo: { owner: 'lorem', repo: 'ipsum' }, issue: { number: 1 } } as any;
+
+    const labels = setLabels({ github, context });
+
+    await labels.add(['label-a']);
+    await labels.remove(['label-b']);
+
+    expect(github.rest.issues.addLabels).toHaveBeenCalled();
+    expect(github.rest.issues.removeLabel).toHaveBeenCalled();
+  });
+});
+
+describe('setComment', () => {
+  it('should update an existing comment if a signature match is found', async () => {
+    const github = {
+      rest: {
+        issues: {
+          createComment: jest.fn<any>().mockResolvedValue({}),
+          listComments: jest.fn<any>().mockResolvedValue({
+            data: [{ id: 500, body: 'matching signature <!-- signature-123 -->' }]
+          }),
+          updateComment: jest.fn<any>().mockResolvedValue({})
+        }
+      }
+    };
+    const context = { repo: { owner: 'lorem', repo: 'ipsum' }, issue: { number: 1 } };
+    const comment = await setComment({ signature: '<!-- signature-123 -->', github, context });
+
+    await comment.add('new body');
+
+    expect(github.rest.issues.updateComment).toHaveBeenCalledWith(expect.objectContaining({
+      comment_id: 500,
+      body: 'new body<!-- signature-123 -->'
+    }));
+    expect(github.rest.issues.createComment).not.toHaveBeenCalled();
+  });
+
+  it('should create a new comment if no signature match is found', async () => {
+    const github = {
+      rest: {
+        issues: {
+          createComment: jest.fn<any>().mockResolvedValue({}),
+          listComments: jest.fn<any>().mockResolvedValue({ data: [] }),
+          updateComment: jest.fn<any>().mockResolvedValue({})
+        }
+      }
+    };
+    const context = { repo: { owner: 'lorem', repo: 'ipsum' }, issue: { number: 1 } };
+    const comment = await setComment({ signature: '<!-- signature-123 -->', github, context });
+
+    await comment.add('new body');
+
+    expect(github.rest.issues.createComment).toHaveBeenCalledWith(expect.objectContaining({
+      issue_number: 1,
+      body: 'new body<!-- signature-123 -->'
+    }));
+    expect(github.rest.issues.updateComment).not.toHaveBeenCalled();
+  });
+
+  it('should remove a comment if a signature match is found', async () => {
+    const github = {
+      rest: {
+        issues: {
+          listComments: jest.fn<any>().mockResolvedValue({ data: [{ id: 500, body: '<!-- signature-123 -->' }] }),
+          deleteComment: jest.fn<any>().mockResolvedValue({})
+        }
+      }
+    };
+    const context = { repo: { owner: 'lorem', repo: 'ipsum' }, issue: { number: 1 } };
+    const comment = await setComment({ signature: '<!-- signature-123 -->', github, context });
+
+    await comment.remove();
+
+    expect(github.rest.issues.deleteComment).toHaveBeenCalledWith(expect.objectContaining({
+      comment_id: 500
+    }));
+  });
+});
+
+describe('start', () => {
+  let github: any;
+  let context: any;
+  let core: any;
+  let config: any;
+
+  beforeEach(() => {
+    github = {
+      rest: {
+        pulls: { listFiles: jest.fn<any>().mockResolvedValue({ data: [] }) },
+        issues: {
+          listComments: jest.fn<any>().mockResolvedValue({ data: [] }),
+          addLabels: jest.fn<any>().mockResolvedValue({}),
+          removeLabel: jest.fn<any>().mockResolvedValue({}),
+          createComment: jest.fn<any>().mockResolvedValue({}),
+          updateComment: jest.fn<any>().mockResolvedValue({}),
+          deleteComment: jest.fn<any>().mockResolvedValue({})
+        }
+      },
+      graphql: jest.fn<any>().mockResolvedValue({})
+    };
+    context = {
+      payload: {
+        pull_request: {
+          user: { login: 'contributor', type: 'User' },
+          author_association: 'CONTRIBUTOR',
+          body: '<!-- GH_PR_METADATA_V1_789 -->',
+          changed_files: 1,
+          labels: [],
+          node_id: 'PR_123'
+        }
+      },
+      repo: { owner: 'o', repo: 'r' },
+      issue: { number: 123 }
+    };
+    core = { setFailed: jest.fn(), log: jest.fn() };
+    config = {
+      LABEL_PRECHECKS_PASS: 'bot:policy-ready',
+      LABEL_NEEDS_CLEANUP: 'bot:needs-cleanup',
+      LABEL_NEEDS_MAINTAINER: 'bot:needs-maintainer'
+    };
+  });
+
+  it('should immediately apply the pass label for core contributors', async () => {
+    // 1. Simulate an OWNER opening a PR
+    context.payload.pull_request.author_association = 'OWNER';
+
+    await start(config, { github, context, core });
+
+    // 2. Verify that it applied the pass label and skipped further checks
+    expect(github.rest.issues.addLabels).toHaveBeenCalledWith(expect.objectContaining({
+      labels: [config.LABEL_PRECHECKS_PASS]
+    }));
+
+    expect(github.rest.issues.createComment).not.toHaveBeenCalled();
+    expect(core.setFailed).not.toHaveBeenCalled();
+  });
+
+  it('should convert PR to draft if signature scan finds complex changes (hasTell)', async () => {
+    // 1. Mock fileCount and description to trigger hasTell
+    context.payload.pull_request.changed_files = 100;
+    context.payload.pull_request.body = 'Missing template signature';
+    github.rest.pulls.listFiles.mockResolvedValue({
+      data: [{ filename: 'src/server.ts' }, { filename: 'tests/e2e/utils/stdioTransportClient.ts' }]
+    });
+
+    await start(config, { github, context, core });
+
+    // 2. Verify draft conversion and labeling
+    expect(github.graphql).toHaveBeenCalledWith(expect.stringContaining('convertPullRequestToDraft'), expect.objectContaining({ id: 'PR_123' }));
+
+    expect(github.rest.issues.addLabels).toHaveBeenCalledWith(expect.objectContaining({
+      labels: [config.LABEL_NEEDS_CLEANUP]
+    }));
+
+    expect(github.rest.issues.createComment).toHaveBeenCalledWith(expect.objectContaining({
+      body: expect.stringContaining("I've moved this to **Draft**")
+    }));
+
+    expect(core.setFailed).toHaveBeenCalledWith(expect.stringContaining('PR moved to Draft'));
+  });
+
+  it('should apply needs-cleanup label and fail if scan find errors', async () => {
+    // 1. Mock fileCount to trigger the error list but not hasTell
+    context.payload.pull_request.changed_files = 20;
+
+    await start(config, { github, context, core });
+
+    // 2. Verify cleanup label and error comment
+    expect(github.rest.issues.addLabels).toHaveBeenCalledWith(expect.objectContaining({
+      labels: [config.LABEL_NEEDS_CLEANUP]
+    }));
+
+    expect(github.rest.issues.createComment).toHaveBeenCalledWith(expect.objectContaining({
+      body: expect.stringContaining('I found some issues with your work')
+    }));
+
+    expect(core.setFailed).toHaveBeenCalledWith(expect.stringContaining('PR pre-check requirements not met'));
+  });
+
+  it('should apply needs-maintainer label for security-sensitive changes', async () => {
+    github.rest.pulls.listFiles.mockResolvedValue({
+      data: [{ filename: '.github/workflows/integration.yml' }]
+    });
+
+    await start(config, { github, context, core });
+
+    expect(github.rest.issues.addLabels).toHaveBeenCalledWith(expect.objectContaining({
+      labels: [config.LABEL_NEEDS_MAINTAINER]
+    }));
+  });
+
+  it('should notify success and apply pass label when all pre-checks pass', async () => {
+    await start(config, { github, context, core });
+
+    // 1. Verify Success Notification
+    expect(github.rest.issues.createComment).toHaveBeenCalledWith(expect.objectContaining({
+      body: expect.stringContaining('I finished my scan and all pre-checks pass!')
+    }));
+
+    // 2. Verify Labeling
+    expect(github.rest.issues.addLabels).toHaveBeenCalledWith(expect.objectContaining({
+      labels: [config.LABEL_PRECHECKS_PASS]
+    }));
+
+    // 3. Verify Label Cleanup
+    const removedLabels = github.rest.issues.removeLabel.mock.calls.map((call: any) => call[0].name);
+
+    expect(removedLabels).toContain(config.LABEL_NEEDS_CLEANUP);
+    expect(removedLabels).toContain(config.LABEL_NEEDS_MAINTAINER);
+
+    // 4. Verify no failure was triggered
+    expect(core.setFailed).not.toHaveBeenCalled();
+  });
+});
diff --git a/tsconfig.json b/tsconfig.json
index c874d625..dc81a59c 100644
--- a/tsconfig.json
+++ b/tsconfig.json
@@ -21,7 +21,7 @@
     "resolveJsonModule": true,
     "noEmit": true,
     "stripInternal": true,
-    "rootDirs": ["./src", "./tests/e2e", "./tests/audit"],
+    "rootDirs": ["./src", "./tests/e2e", "./tests/audit", "./scripts", "./tests/scripts"],
     "paths": {
       "#docsCatalog": ["./src/docs.json"],
       "#toolsHost": ["./src/server.toolsHost.ts"]
@@ -29,6 +29,7 @@
   },
   "include": [
     "src/**/*",
+    "scripts/**/*",
     "tests/**/*",
     "jest.setupTests.ts",
     "jest.config.ts",