ci(#2): dogfood apexstack CI with pr-title, markdown, shell, link checks

[atlas-apex]

Summary

ApexStack now dogfoods its own CI. Four GitHub Actions workflows added so that PRs to the framework repo itself get the same quality gates it ships to adopters via golden-paths/pipelines/.

Refs #2

What changed

File	Purpose
.github/workflows/pr-title-check.yml	Enforces ticket ID in PR titles using the git-conventions regex. Copied verbatim from golden-paths/pipelines/pr-title-check.yml.
.github/workflows/markdown-lint.yml	Runs markdownlint-cli2 on **/*.md. Catches broken markdown and inconsistent headings.
.github/workflows/shellcheck.yml	Runs shellcheck on .claude/hooks/*.sh. Catches portability bugs in hook scripts.
.github/workflows/link-check.yml	Runs lychee on site/index.html and **/*.md. Includes weekly cron for link-rot detection.
.markdownlint.json	Relaxed ruleset (disables MD013/MD033/MD041 etc.) because existing docs use bare URLs, mixed code-fence styles, and long lines.

Deviations from the ticket

• Optional html-validate.yml skipped — site/index.html is ~2000 lines of hand-written marketing HTML with hero animations and custom attributes. html-validate would need non-trivial config and likely false-positive heavily. Not worth the noise.
• Weekly cron added to link-check.yml — catches upstream link rot between PRs at zero extra config cost.
• Relaxed markdownlint config — strict mode would flag hundreds of pre-existing style issues in the docs and drown the signal. The config disables line-length (MD013), inline-HTML (MD033), first-line-heading (MD041), and several other cosmetic rules. Real problems (broken links, malformed tables, unclosed fences) are still caught.

How it was tested

• All 4 YAML files validated with YAML.load_file (Ruby) — valid syntax
• .markdownlint.json validated with python3 json — valid JSON
• First real CI run will happen on this PR itself

Glossary

Term	Definition
Dogfooding	Using your own product. ApexStack ships CI pipelines for adopters but didn't run them on its own repo until now.
markdownlint-cli2	CLI tool for linting Markdown files. Configured via .markdownlint.json.
ShellCheck	Static analysis tool for shell scripts. Catches portability bugs, quoting issues, and common errors.
Lychee	Fast link checker. Used here to validate URLs in Markdown files and the landing page HTML.
Golden paths	Reusable CI pipeline templates at golden-paths/pipelines/ that adopters copy into their own repos.

Test plan

• Confirm all 4 workflows run on this PR (they should trigger on pull_request)
• Confirm .markdownlint.json config doesn't produce false-positive noise
• Confirm ShellCheck passes on all hooks in .claude/hooks/
• Confirm link-check doesn't flag valid internal anchors
• Code Reviewer (Rex) review
• Explicit per-PR CEO approval

🤖 Generated with Claude Code

[atlas-apex]

Code Review: PR #26

Commit: d37be94dca32ad090f15bc69f07860b84ada7ad6

Summary

Adds 4 GitHub Actions workflows to dogfood CI on the apexstack repo itself: pr-title-check, markdown-lint, shellcheck, and link-check. Plus a relaxed .markdownlint.json config. Well-scoped, clean YAML, good PR description.

Checklist Results

• N/A Architecture & DDD: Not applicable (CI config, no domain code)
• PASS Code Quality: YAML is clean, well-commented, appropriate permissions blocks
• N/A Testing: CI-only change, self-testing by nature (first run is this PR)
• PASS Security: Minimal permissions (contents: read, pull-requests: write), no secrets
• PASS Performance: Path filters on all workflows prevent unnecessary runs
• PASS PR Description & Glossary: Glossary present with 5 terms, clear summary, deviations documented
• N/A Technical Decisions (AgDR): No novel decisions -- tools are industry-standard choices for their category (markdownlint for MD, shellcheck for sh, lychee for links). The pr-title-check is copied verbatim from the golden-path.

Issues Found

None blocking.

Suggestions (nice-to-have, not blocking)

1. ShellCheck will likely flag validate-pr-create.sh line 101: printf "$ERRORS" is SC2059 (variable used as format string). Since severity is warning, this would fail the check. Consider printf '%s' "$ERRORS" in a follow-up PR, or add a # shellcheck disable=SC2059 directive if the % formatting is intentional. Not blocking this PR since fixing hooks is a separate ticket.

2. markdownlint-cli2-action pinned at @v16: Latest is v23. The v16 tag still works but you may want to bump in a follow-up for any new rule support. Same for lychee-action: @v2 resolves to a major tag (currently v2.8.0), which is fine for auto-patching.

3. shellcheck action pinned at @2.0.0: This IS the latest release, good.

4. PR title regex vs git-conventions.md: The workflow checks for ticket ID presence anywhere in the title (/#\d+/ or /[A-Z]{2,10}-\d+/) but does NOT enforce the full type(TICKET): description format from git-conventions.md. This is the same as the golden-path template, so it's consistent, but a title like "random #42 text" would pass CI. The local hook validate-pr-create.sh enforces the stricter format, so this is defense-in-depth, not a gap.

5. Link-check --accept 429: Smart -- avoids false positives from rate-limited sites (GitHub, npm). The --exclude-loopback --exclude-private flags are reasonable for docs that reference localhost examples.

Surprising

The pr-title-check is byte-identical to the golden-path template. That's the right call -- dogfood the exact artifact adopters use.

Verdict

COMMENT -- Looks good. No blocking issues. The ShellCheck printf warning in existing hooks is worth noting but is a pre-existing issue, not introduced by this PR.

---

Rex (Code Reviewer Agent)
Reviewed commit: d37be94dca32ad090f15bc69f07860b84ada7ad6