chore(specs): make CI health a hard gate in maintenance checklist

The maintenance pass (PR #1063) shipped while CI on main was red for 9
days and fuzz had 5 failures. Root causes:

- Spec only required nightly/fuzz green, not CI on main
- Maintain skill only checked nightly.yml and fuzz.yml, missing ci.yml
- No language marking the check as a blocker that prevents merging

Changes:
- Rename "Nightly CI" → "CI Health", add "CI on main is green" check
- Mark the section as a hard gate — pass cannot complete while red
- Expand escalation policy to cover all workflows, not just nightly
- Update maintain skill with concrete `gh` commands for CI on main
- Add "never silently skip" instruction for the agent

Ref: #1088 #1089 #1090 #1091

Author: chaliy

.claude/commands/maintain.md

@@ -74,13 +74,29 @@ Make the simplifications. Run tests after each change. The goal is less code tha
 
 `AGENTS.md` and `CLAUDE.md` reflect current specs, commands, tooling, and workflows.
 
-### 10. Nightly CI is healthy
-
-Nightly and fuzz workflows green for past week. Fuzz targets compile. Git-sourced deps resolve.
-
-Key tools: `gh run list --workflow=nightly.yml --limit 7`, `gh run list --workflow=fuzz.yml --limit 7`
-
-If failures persist >2 days, escalate per the policy in `specs/012-maintenance.md`.
+### 10. All CI is healthy (HARD GATE)
+
+**This section is a blocker.** The maintenance pass MUST NOT be marked complete
+while any of these checks are red.
+
+1. **CI on main is green** — check the latest CI run on the `main` branch. If
+   any job (Audit, Test, Lint, Examples, Fuzz Compile Check) fails, fix it
+   before proceeding. Common failures: `cargo vet` missing certifications,
+   dependency audit advisories, clippy warnings.
+2. **Nightly workflow green** for past 7 days.
+3. **Fuzz workflow green** for past 7 days. If a fuzz target crashes, open a
+   GitHub issue with the crash artifact, reproduction command, and base64 input.
+4. Fuzz targets compile. Git-sourced deps resolve.
+
+Key tools:
+- `gh run list --workflow=ci.yml --branch=main --limit 5` (CI on main)
+- `gh run list --workflow=nightly.yml --limit 7` (nightly)
+- `gh run list --workflow=fuzz.yml --limit 7` (fuzz)
+- `gh api repos/OWNER/REPO/actions/runs/RUN_ID/jobs` (inspect failed jobs)
+
+If failures persist >2 days, escalate per `specs/012-maintenance.md`.
+If the agent cannot fix a failure, it MUST open a GitHub issue and report the
+pass as blocked — never silently skip.
 
 ## Execution
 

specs/012-maintenance.md

@@ -111,20 +111,28 @@ dependency rot, or security gaps ship in a release.
 - Build/test commands work
 - Pre-PR checklist covers current tooling
 
-### Nightly CI
+### CI Health
 
+- **CI on main is green** — the latest CI run on `main` must pass. Any failure
+  (audit, test, lint, examples) is a blocker that must be fixed before
+  proceeding with the rest of the maintenance pass.
 - Nightly and fuzz workflows green for past week
 - Fuzz targets compile
 - Git-sourced dependencies still resolve
 
-#### Nightly Escalation Policy
+#### Escalation Policy
 
-Failures persisting **>2 consecutive days** are blocking:
+Failures persisting **>2 consecutive days** on any workflow (CI, nightly, fuzz)
+are blocking:
 1. Open GitHub issue with label `ci:nightly`
 2. Link failing run(s)
 3. Assign to most recent contributor in failing area
 4. If upstream dep change: pin to known-good rev, open follow-up issue
 
+**This section is a hard gate.** The maintenance pass MUST NOT be marked
+complete or merged while any of the above checks are red. If the agent cannot
+fix a failure, it must open a GitHub issue and report the pass as blocked.
+
 ## Deferred Items
 
 When a maintenance pass identifies issues too large to fix inline (e.g.
@@ -149,7 +157,8 @@ Sections dependencies, tests, examples, code quality, and nightly CI are fully
 automatable. Security, documentation, specs, simplification, and agent config
 require human or agent review.
 
-Nightly check enforced by `just check-nightly`, called by `just release-check`.
+CI health check enforced by `just check-nightly` (nightly + fuzz) and manual
+inspection of CI on `main` (audit, test, lint). Called by `just release-check`.
 
 ## Invocation