@devtrack-solution/codesdd 1.2.2 → 1.2.3

package/dist/core/sdd/services/onboard.service.js

@@ -2,6 +2,7 @@ import path from "node:path";
 import { CLI_NAME } from "../../branding.js";
 import { loadStateSnapshot } from "../state.js";
 import { bundlesForSkills, getRuntime, relProjectPath, coreDocRef, planningDocRef, resolveActiveDocRefs } from "../legacy-operations.js";
+import { normalizeSddEntityRef } from "../entity-reference.js";
 import { ContextService } from "./context.service.js";
 import { NextService } from "./next.service.js";
 export class OnboardService {
@@ -12,7 +13,7 @@ export class OnboardService {
     async execute(projectRoot, target = 'system', options) {
         const { config, paths } = await getRuntime(projectRoot);
         const snapshot = await loadStateSnapshot(paths, config);
-        const normalized = (target || 'system').trim();
+        const normalized = normalizeSddEntityRef(target || 'system');
         const contextCmd = new ContextService(this.stores);
         const baseReadOrder = [
             'README.md',

package/dist/core/sdd/services/rebuild.service.js

@@ -6,6 +6,7 @@ import { BacklogStateSchema, DiscoveryIndexStateSchema, } from '../types.js';
 import { activeDocNamesForLayout, buildBacklogItem, computeCanonicalTitle, ensureFeatureQualityContract, ensureMemoryInitialized, relProjectPath, } from '../legacy-operations.js';
 import { renderViews } from '../views.js';
 import { parseWorkspaceYamlDocument, } from '../workspace-schemas.js';
+import { parseGovernanceFile } from '../governance-parser.js';
 const DISCOVERY_STATUSES = new Set([
     'NEW',
     'DEBATED',
@@ -78,6 +79,10 @@ function discoveryStatusFromMarkdown(content, type, discarded) {
     return 'READY';
 }
 function titleFromMarkdown(content, id, fileName) {
+    const parsed = parseGovernanceFile(fileName, content);
+    const frontmatterTitle = parsed.frontmatter && typeof parsed.frontmatter === 'object' && typeof parsed.frontmatter.title === 'string'
+        ? parsed.frontmatter.title
+        : '';
     const titleBlock = /^## Title\s*\n+(.+)$/im.exec(content);
     const baseTitle = /^\s*-\s*Base title:\s*(.+)$/im.exec(content);
     const heading = /^#\s+(.+)$/m.exec(content);
@@ -86,7 +91,7 @@ function titleFromMarkdown(content, id, fileName) {
         .replace(new RegExp(`^${id}-?`, 'i'), '')
         .replace(/-/g, ' ')
         .trim();
-    const candidate = (titleBlock?.[1] || baseTitle?.[1] || heading?.[1] || slugTitle || id).trim();
+    const candidate = (frontmatterTitle || titleBlock?.[1] || baseTitle?.[1] || heading?.[1] || slugTitle || id).trim();
     const cleaned = candidate
         .replace(new RegExp(`^(Insight|Debate|Epic)\\s+${id}\\s*:?\\s*`, 'i'), '')
         .trim();

package/dist/core/sdd/services/skills-sync.service.d.ts

@@ -1,4 +1,19 @@
 import { SddStores } from "../store/sdd-stores.js";
+type SkillManifestDriftLayer = 'canonical' | 'user-extension';
+type SkillManifestDriftStatus = 'missing' | 'modified';
+export interface SkillManifestDriftAlert {
+    skill_id: string;
+    layer: SkillManifestDriftLayer;
+    status: SkillManifestDriftStatus;
+    expected_sha256?: string;
+    observed_sha256: string;
+}
+export interface SkillsSyncResult {
+    synced: number;
+    local_synced: number;
+    tools: string[];
+    alerts: SkillManifestDriftAlert[];
+}
 export declare class SkillsSyncService {
     private readonly stores;
     constructor(stores: SddStores);
@@ -6,10 +21,7 @@ export declare class SkillsSyncService {
         bundles?: string[];
         all?: boolean;
         tools?: string[];
-    }): Promise<{
-        synced: number;
-        local_synced: number;
-        tools: string[];
-    }>;
+    }): Promise<SkillsSyncResult>;
 }
+export {};
 //# sourceMappingURL=skills-sync.service.d.ts.map

package/dist/core/sdd/services/skills-sync.service.js

@@ -3,9 +3,31 @@ import { promises as fs } from "node:fs";
 import { fileURLToPath } from "node:url";
 import { AI_TOOLS } from "../../config.js";
 import { loadSkillCatalogState } from "../state.js";
+import { DEFAULT_CURATED_SKILL_CATALOG, computeSkillManifestSha256 } from "../default-skills.js";
 import { getRuntime, buildCuratedSkillContent } from "../legacy-operations.js";
 import { SddWriteTransaction } from "../write-manifest.js";
 const PACKAGE_ROOT = path.resolve(path.dirname(fileURLToPath(import.meta.url)), '../../../../');
+const ZERO_HASH = '0000000000000000000000000000000000000000000000000000000000000000';
+const CANONICAL_SKILL_IDS = new Set(DEFAULT_CURATED_SKILL_CATALOG.skills.map((entry) => entry.id));
+function normalizeIntegrityHash(hash) {
+    if (!hash) {
+        return undefined;
+    }
+    const normalized = hash.trim().toLowerCase();
+    if (!/^[a-f0-9]{64}$/.test(normalized)) {
+        return undefined;
+    }
+    if (normalized === ZERO_HASH) {
+        return undefined;
+    }
+    return normalized;
+}
+function isCanonicalCriticalSkill(entry) {
+    if (entry.deterministic_pair) {
+        return true;
+    }
+    return entry.bundle_ids.includes('architecture-backend');
+}
 function isInside(parent, child) {
     const relative = path.relative(parent, child);
     return relative === '' || (!relative.startsWith('..') && !path.isAbsolute(relative));
@@ -78,9 +100,35 @@ export class SkillsSyncService {
         });
         await fs.mkdir(paths.skillsCuratedDir, { recursive: true });
         const contentBySkillId = new Map();
+        const driftAlerts = [];
+        const criticalCanonicalDrift = [];
         for (const entry of selected) {
             const content = await resolveCuratedSkillContent(paths, entry);
+            const observedHash = computeSkillManifestSha256(content);
+            const expectedHash = normalizeIntegrityHash(entry.integrity_hash);
+            if (!expectedHash || expectedHash !== observedHash) {
+                const alert = {
+                    skill_id: entry.id,
+                    layer: CANONICAL_SKILL_IDS.has(entry.id) ? 'canonical' : 'user-extension',
+                    status: expectedHash ? 'modified' : 'missing',
+                    expected_sha256: expectedHash,
+                    observed_sha256: observedHash,
+                };
+                driftAlerts.push(alert);
+                if (alert.layer === 'canonical' && isCanonicalCriticalSkill(entry)) {
+                    criticalCanonicalDrift.push(alert);
+                }
+            }
             contentBySkillId.set(entry.id, content);
+        }
+        if (criticalCanonicalDrift.length > 0) {
+            const details = criticalCanonicalDrift
+                .map((alert) => `- ${alert.skill_id}: ${alert.status} (expected=${alert.expected_sha256 || '<missing>'}, observed=${alert.observed_sha256})`)
+                .join('\n');
+            throw new Error(`Skill manifest drift detected in canonical layer. Sync blocked until canonical hashes are restored.\n${details}`);
+        }
+        for (const entry of selected) {
+            const content = contentBySkillId.get(entry.id) || await resolveCuratedSkillContent(paths, entry);
             await materializeLocalSourceSkill(paths, entry, content);
             const tx = new SddWriteTransaction();
             const localDir = path.join(paths.skillsCuratedDir, entry.id);
@@ -88,7 +136,7 @@ export class SkillsSyncService {
             await tx.commit(paths.projectRoot, paths.memoryRoot, 'skills-sync.service (local dir)');
         }
         if (selected.length === 0) {
-            return { synced: 0, local_synced: 0, tools: [] };
+            return { synced: 0, local_synced: 0, tools: [], alerts: [] };
         }
         const targetTools = (options?.tools && options.tools.length > 0
             ? AI_TOOLS.filter((tool) => options.tools?.includes(tool.value))
@@ -111,7 +159,12 @@ export class SkillsSyncService {
             }
             syncedTools.push(tool.value);
         }
-        return { synced: selected.length, local_synced: selected.length, tools: syncedTools };
+        return {
+            synced: selected.length,
+            local_synced: selected.length,
+            tools: syncedTools,
+            alerts: driftAlerts.filter((alert) => alert.layer === 'user-extension' || !criticalCanonicalDrift.some((critical) => critical.skill_id === alert.skill_id)),
+        };
     }
 }
 //# sourceMappingURL=skills-sync.service.js.map

package/dist/core/sdd/services/start.service.js

@@ -9,6 +9,7 @@ import { slugify, findDiscoveryRecord, ensureFeatureQualityContract, bundlesForS
 import { SddWriteTransaction } from "../write-manifest.js";
 import { withStateLock } from "../state-lock.js";
 import { featureDeclaresMandatoryAdrImpact } from "../adr-policy.js";
+import { normalizeFeatRef } from "../entity-reference.js";
 export class StartService {
     stores;
     constructor(stores) {
@@ -25,8 +26,9 @@ export class StartService {
             const catalog = await loadSkillCatalogState(paths);
             const now = nowIso();
             let feature;
-            if (/^FEAT-\d{3,}$/.test(value)) {
-                feature = resolveFeat(snapshot.backlog.items, value);
+            const normalizedFeatureRef = normalizeFeatRef(value);
+            if (normalizedFeatureRef || /^FEAT-\d{3,}$/.test(value)) {
+                feature = resolveFeat(snapshot.backlog.items, normalizedFeatureRef || value);
             }
             else if (/^(?:RAD|EPIC)-\d{3,}$/.test(value)) {
                 const existing = snapshot.backlog.items.find((item) => (item.origin_type === 'radar' || item.origin_type === 'epic') && item.origin_ref === value);
@@ -90,8 +92,8 @@ export class StartService {
             if (!feature.change_name) {
                 const base = slugify(`${feature.id}-${feature.title}`).slice(0, 50).replace(/-+$/g, '') ||
                     feature.id.toLowerCase();
-                // OpenSDD-native execution keeps this as a compatibility identifier only.
-                // It must not materialize legacy OpenSpec change directories.
+                // CodeSDD-native execution keeps this as a compatibility identifier only.
+                // It must not materialize legacy CodeSDD change directories.
                 feature.change_name = base;
             }
             await runLifecycleHooks('before-start', {

package/dist/core/sdd/skill-bundles-curation-schema.d.ts

@@ -0,0 +1,66 @@
+import { z } from 'zod';
+/**
+ * Schema for the curated skill-bundles document emitted as a Markdown view
+ * (`curation-en-us.md` / `curadoria-pt-br.md`) AND as canonical YAML
+ * (`curation-en-us.yaml` / `curadoria-pt-br.yaml`).
+ *
+ * EPIC-0072 wave 1 (FEAT-0284) introduces this YAML form as the precursor
+ * that validates the toolchain choice (`yaml` + `zod` without `gray-matter`)
+ * before the rest of the governance plane migrates to frontmatter + body.
+ *
+ * The Markdown form remains generated for human readability and is treated
+ * as a derived view; the YAML form is the structured contract.
+ */
+export declare const skillBundleEntrySchema: z.ZodObject<{
+    id: z.ZodString;
+    title: z.ZodString;
+    skill_ids: z.ZodArray<z.ZodString>;
+}, z.core.$strip>;
+export declare const highlightedSkillSchema: z.ZodObject<{
+    skill_id: z.ZodString;
+    bundle_id: z.ZodString;
+    canonical_path: z.ZodString;
+    notes: z.ZodDefault<z.ZodArray<z.ZodString>>;
+}, z.core.$strip>;
+export declare const skillBundlesCurationSchema: z.ZodObject<{
+    schema_version: z.ZodLiteral<1>;
+    layout: z.ZodEnum<{
+        "pt-BR": "pt-BR";
+        "en-US": "en-US";
+    }>;
+    generated_from: z.ZodLiteral<"CURATED_BUNDLES">;
+    objective: z.ZodArray<z.ZodString>;
+    bundles: z.ZodArray<z.ZodObject<{
+        id: z.ZodString;
+        title: z.ZodString;
+        skill_ids: z.ZodArray<z.ZodString>;
+    }, z.core.$strip>>;
+    highlighted: z.ZodDefault<z.ZodArray<z.ZodObject<{
+        skill_id: z.ZodString;
+        bundle_id: z.ZodString;
+        canonical_path: z.ZodString;
+        notes: z.ZodDefault<z.ZodArray<z.ZodString>>;
+    }, z.core.$strip>>>;
+    canonical_source: z.ZodString;
+    operational_rule: z.ZodArray<z.ZodString>;
+}, z.core.$strip>;
+export type SkillBundlesCuration = z.infer<typeof skillBundlesCurationSchema>;
+export type SkillBundleEntry = z.infer<typeof skillBundleEntrySchema>;
+export type HighlightedSkill = z.infer<typeof highlightedSkillSchema>;
+/**
+ * Parses an arbitrary value (typically loaded from YAML) into a typed
+ * curation document. Throws a Zod error on schema violation; callers should
+ * surface the error with path-aware context.
+ */
+export declare function parseSkillBundlesCuration(value: unknown): SkillBundlesCuration;
+/**
+ * Non-throwing variant for callers that prefer to handle errors explicitly.
+ */
+export declare function safeParseSkillBundlesCuration(value: unknown): {
+    ok: true;
+    data: SkillBundlesCuration;
+} | {
+    ok: false;
+    error: z.ZodError<SkillBundlesCuration>;
+};
+//# sourceMappingURL=skill-bundles-curation-schema.d.ts.map

package/dist/core/sdd/skill-bundles-curation-schema.js

@@ -0,0 +1,52 @@
+import { z } from 'zod';
+/**
+ * Schema for the curated skill-bundles document emitted as a Markdown view
+ * (`curation-en-us.md` / `curadoria-pt-br.md`) AND as canonical YAML
+ * (`curation-en-us.yaml` / `curadoria-pt-br.yaml`).
+ *
+ * EPIC-0072 wave 1 (FEAT-0284) introduces this YAML form as the precursor
+ * that validates the toolchain choice (`yaml` + `zod` without `gray-matter`)
+ * before the rest of the governance plane migrates to frontmatter + body.
+ *
+ * The Markdown form remains generated for human readability and is treated
+ * as a derived view; the YAML form is the structured contract.
+ */
+export const skillBundleEntrySchema = z.object({
+    id: z.string().min(1),
+    title: z.string().min(1),
+    skill_ids: z.array(z.string().min(1)).min(1),
+});
+export const highlightedSkillSchema = z.object({
+    skill_id: z.string().min(1),
+    bundle_id: z.string().min(1),
+    canonical_path: z.string().min(1),
+    notes: z.array(z.string().min(1)).default([]),
+});
+export const skillBundlesCurationSchema = z.object({
+    schema_version: z.literal(1),
+    layout: z.enum(['en-US', 'pt-BR']),
+    generated_from: z.literal('CURATED_BUNDLES'),
+    objective: z.array(z.string().min(1)).min(1),
+    bundles: z.array(skillBundleEntrySchema).min(1),
+    highlighted: z.array(highlightedSkillSchema).default([]),
+    canonical_source: z.string().min(1),
+    operational_rule: z.array(z.string().min(1)).min(1),
+});
+/**
+ * Parses an arbitrary value (typically loaded from YAML) into a typed
+ * curation document. Throws a Zod error on schema violation; callers should
+ * surface the error with path-aware context.
+ */
+export function parseSkillBundlesCuration(value) {
+    return skillBundlesCurationSchema.parse(value);
+}
+/**
+ * Non-throwing variant for callers that prefer to handle errors explicitly.
+ */
+export function safeParseSkillBundlesCuration(value) {
+    const result = skillBundlesCurationSchema.safeParse(value);
+    if (result.success)
+        return { ok: true, data: result.data };
+    return { ok: false, error: result.error };
+}
+//# sourceMappingURL=skill-bundles-curation-schema.js.map

package/dist/core/sdd/skill-evidence.d.ts

@@ -0,0 +1,19 @@
+import type { SkillCatalogEntry } from './types.js';
+import type { WorkspacePolicyRequirement } from './skill-policy-pool.js';
+export interface SkillEvidenceEntry {
+    skill_id: string;
+    note: string;
+    source: 'manual' | 'tooling' | 'quality_artifact';
+}
+export interface SkillProvenanceInfo {
+    skill_id: string;
+    source_repo: string | null;
+    source_path: string | null;
+    integrity_hash: string;
+    synced_at: string;
+}
+export declare function buildSkillProvenanceRecord(skillId: string, catalog: SkillCatalogEntry[], syncedAt?: string): SkillProvenanceInfo | null;
+export declare function buildSkillEvidenceEntry(skillId: string, note: string, source?: 'manual' | 'tooling' | 'quality_artifact'): SkillEvidenceEntry;
+export declare function buildProvenanceEvidenceFromCatalog(skillIds: string[], catalog: SkillCatalogEntry[]): SkillEvidenceEntry[];
+export declare function buildAppliedPolicyEvidence(policyRequirements: WorkspacePolicyRequirement[], policiesApplied?: Record<string, string>): SkillEvidenceEntry[];
+//# sourceMappingURL=skill-evidence.d.ts.map

package/dist/core/sdd/skill-evidence.js

@@ -0,0 +1,38 @@
+export function buildSkillProvenanceRecord(skillId, catalog, syncedAt) {
+    const entry = catalog.find((s) => s.id === skillId);
+    if (!entry)
+        return null;
+    return {
+        skill_id: entry.id,
+        source_repo: entry.source_repo ?? null,
+        source_path: entry.source_path ?? null,
+        integrity_hash: entry.integrity_hash,
+        synced_at: syncedAt ?? new Date().toISOString(),
+    };
+}
+export function buildSkillEvidenceEntry(skillId, note, source) {
+    const noteText = note.length >= 10 ? note : `${note} - Evidence recorded during FEAT execution.`;
+    return {
+        skill_id: skillId,
+        note: noteText,
+        source: source ?? 'tooling',
+    };
+}
+export function buildProvenanceEvidenceFromCatalog(skillIds, catalog) {
+    const uniqueIds = Array.from(new Set(skillIds.map((id) => id.trim()).filter(Boolean)));
+    return uniqueIds
+        .map((skillId) => {
+        const record = buildSkillProvenanceRecord(skillId, catalog);
+        if (!record) {
+            return buildSkillEvidenceEntry(skillId, `Skill "${skillId}" not found in catalog. Provenance could not be recorded.`, 'manual');
+        }
+        return buildSkillEvidenceEntry(skillId, `Skill provenance: source=${record.source_repo ?? 'unknown'}, path=${record.source_path ?? 'unknown'}, hash=${record.integrity_hash}, synced_at=${record.synced_at}`, 'tooling');
+    });
+}
+export function buildAppliedPolicyEvidence(policyRequirements, policiesApplied) {
+    return policyRequirements.map((req) => {
+        const appliedNote = policiesApplied?.[req.skill_id] ?? 'All required policy rules applied and validated.';
+        return buildSkillEvidenceEntry(req.skill_id, `Applied policy: pool=${req.policy_pool_ref}, contract=${req.source_contract_ref}, enforcement=${req.enforcement}. ${appliedNote}`, 'tooling');
+    });
+}
+//# sourceMappingURL=skill-evidence.js.map

package/dist/core/sdd/skill-policy-pool.d.ts

@@ -0,0 +1,46 @@
+import { type PluginPolicyPack } from './plugin-policy-pack.js';
+export interface SkillPolicyEntry {
+    ruleId: string;
+    skillId: string;
+    severity: 'P0' | 'P1' | 'P2';
+    title: string;
+    appliesTo: string[];
+    policyPackId: string;
+    detect: string[];
+    requiredResponse: string[];
+}
+export interface SkillPolicyPool {
+    version: number;
+    pools: PluginPolicyPack[];
+    entries: SkillPolicyEntry[];
+    metadata: {
+        derivedFrom: string[];
+        generatedAt: string;
+        sourceSkillIds: string[];
+    };
+}
+export interface WorkspacePolicyRequirement {
+    skill_id: string;
+    policy_pool_ref: string;
+    source_contract_ref: string;
+    enforcement: 'blocking' | 'advisory';
+    required_rule_refs: string[];
+    required_evidence: string[];
+}
+export interface WorkspacePolicyInjection {
+    version: 1;
+    generated_from: 'recommended_skills';
+    required_policies: WorkspacePolicyRequirement[];
+}
+export declare function buildWorkspacePolicyInjection(skillIds: string[]): WorkspacePolicyInjection;
+export declare function aiFillDefaultPolicyPack(skillId: string): PluginPolicyPack;
+export declare function aiFillDefaultPolicyEntry(skillId: string, packId: string): SkillPolicyEntry;
+export declare function derivePolicyPackFromContractPack(contractPackPath: string, skillId: string): Promise<{
+    packs: PluginPolicyPack[];
+    entries: SkillPolicyEntry[];
+}>;
+export declare function derivePolicyPoolFromSkill(skillId: string, options?: {
+    projectRoot?: string;
+    contractPackRelativePath?: string;
+}): Promise<SkillPolicyPool>;
+//# sourceMappingURL=skill-policy-pool.d.ts.map

package/dist/core/sdd/skill-policy-pool.js

@@ -0,0 +1,185 @@
+import { promises as fs } from 'node:fs';
+import path from 'node:path';
+import { parse } from 'yaml';
+import { pluginPolicyPackSchema } from './plugin-policy-pack.js';
+const DEVTRACK_API_BLOCKING_RULES = [
+    'DTAPI-P0-PROFILE-001',
+    'DTAPI-P0-PREVIEW-001',
+    'DTAPI-P0-PATH-001',
+    'DTAPI-P0-TYPEORM-001',
+    'DTAPI-P0-COMPOSITION-001',
+    'DTAPI-P0-MODULES-001',
+    'DTAPI-P0-PORTS-001',
+];
+export function buildWorkspacePolicyInjection(skillIds) {
+    const uniqueSkillIds = Array.from(new Set(skillIds.map((skillId) => skillId.trim()).filter(Boolean)));
+    return {
+        version: 1,
+        generated_from: 'recommended_skills',
+        required_policies: uniqueSkillIds.map((skillId) => buildWorkspacePolicyRequirement(skillId)),
+    };
+}
+function buildWorkspacePolicyRequirement(skillId) {
+    if (skillId === 'devtrack-api') {
+        return {
+            skill_id: skillId,
+            policy_pool_ref: 'skill-policy-pool:devtrack-api',
+            source_contract_ref: '.sdd/skills/curated/devtrack-api/references/contract-pack.yaml',
+            enforcement: 'blocking',
+            required_rule_refs: DEVTRACK_API_BLOCKING_RULES,
+            required_evidence: [
+                'selected derivation profile recorded in plan',
+                'package-structure preview approved or exception documented',
+                'devtrack-api architecture validation evidence recorded in quality',
+                'skill_evidence entry recorded for devtrack-api before finalize',
+            ],
+        };
+    }
+    return {
+        skill_id: skillId,
+        policy_pool_ref: `skill-policy-pool:${skillId}`,
+        source_contract_ref: `.sdd/skills/curated/${skillId}/references/contract-pack.yaml`,
+        enforcement: 'advisory',
+        required_rule_refs: [`${skillId}-DEFAULT-001`],
+        required_evidence: [
+            `skill_evidence entry recorded for ${skillId} before finalize`,
+            `policy conformance checked for ${skillId} before execution relies on the skill`,
+        ],
+    };
+}
+export function aiFillDefaultPolicyPack(skillId) {
+    return pluginPolicyPackSchema.parse({
+        id: `${skillId}-default`,
+        version: '1.0.0',
+        description: `AI-filled default policy pack derived from skill "${skillId}". No contract pack was provided, so safe defaults are applied.`,
+        applies_to: {
+            trust_tiers: ['local-dev', 'experimental', 'enterprise-approved'],
+        },
+        requirements: {
+            max_risk_tier: 'medium',
+            supply_chain: {
+                checksum: true,
+                signature_or_provenance: false,
+                sbom: false,
+                sbom_formats: [],
+            },
+            validation: {
+                min_coverage: 80,
+                security_checks: ['dependency-audit'],
+                dependency_checks: [],
+            },
+            execution: {
+                network: 'restricted',
+                process_spawn: 'forbidden',
+            },
+        },
+    });
+}
+export function aiFillDefaultPolicyEntry(skillId, packId) {
+    return {
+        ruleId: `${skillId}-DEFAULT-001`,
+        skillId,
+        severity: 'P2',
+        title: `Default policy for ${skillId}: verify skill content and intent before use.`,
+        appliesTo: ['FEAT', 'source', 'quality'],
+        policyPackId: packId,
+        detect: ['skill is referenced but not validated against project-local policy pool'],
+        requiredResponse: [
+            `record skill-policy-pool evidence for ${skillId}`,
+            'verify skill conformance before reliant execution',
+        ],
+    };
+}
+export async function derivePolicyPackFromContractPack(contractPackPath, skillId) {
+    const raw = await fs.readFile(contractPackPath, 'utf-8');
+    const contractPack = parse(raw);
+    const packs = [];
+    const entries = [];
+    const contractId = contractPack.contract_id ?? `${skillId}-contract-pack`;
+    const profiles = contractPack.derivation_profiles ?? {};
+    const rules = contractPack.rules ?? [];
+    for (const [profileName, profile] of Object.entries(profiles)) {
+        const packId = `${skillId}-${profileName}`;
+        const isDefault = profile.default !== false;
+        const packSeverityMap = {
+            block_on_p0: 'high',
+            block_on_p0_p1: 'high',
+            warn: 'medium',
+        };
+        const enforcementLevel = profile.enforcement?.path_conformance ?? 'warn';
+        const maxRiskTier = packSeverityMap[enforcementLevel] ?? 'medium';
+        const isBlocking = profile.enforcement?.finalize_blocking ?? false;
+        const pack = pluginPolicyPackSchema.parse({
+            id: packId,
+            version: '1.0.0',
+            description: `Derived policy pack for "${profileName}" profile from contract pack "${contractId}" (skill: ${skillId}). ${profile.purpose ?? ''}`,
+            applies_to: {
+                trust_tiers: isBlocking ? ['enterprise-approved'] : ['local-dev', 'experimental', 'enterprise-approved'],
+            },
+            requirements: {
+                max_risk_tier: maxRiskTier,
+                supply_chain: {
+                    checksum: isBlocking,
+                    signature_or_provenance: isBlocking,
+                    sbom: isDefault,
+                    sbom_formats: isBlocking ? ['cyclonedx'] : [],
+                },
+                validation: {
+                    min_coverage: isBlocking ? 95 : 80,
+                    security_checks: isBlocking
+                        ? ['dependency-audit', 'no-secret-fixtures']
+                        : ['dependency-audit'],
+                    dependency_checks: isBlocking ? ['lockfile-review'] : [],
+                },
+                execution: {
+                    network: isBlocking ? 'disabled' : 'restricted',
+                    process_spawn: isBlocking ? 'forbidden' : 'declared',
+                },
+            },
+        });
+        packs.push(pack);
+        for (const rule of rules) {
+            const sev = rule.severity === 'P0' ? 'P0' : rule.severity === 'P1' ? 'P1' : 'P2';
+            entries.push({
+                ruleId: rule.id,
+                skillId,
+                severity: sev,
+                title: rule.title,
+                appliesTo: rule.applies_to ?? [],
+                policyPackId: packId,
+                detect: rule.detect ?? [],
+                requiredResponse: rule.required_response ?? [],
+            });
+        }
+    }
+    return { packs, entries };
+}
+export async function derivePolicyPoolFromSkill(skillId, options = {}) {
+    const contractPackPath = options.contractPackRelativePath ??
+        `.sdd/skills/curated/${skillId}/references/contract-pack.yaml`;
+    const resolvedPath = options.projectRoot
+        ? path.resolve(options.projectRoot, contractPackPath)
+        : contractPackPath;
+    let packs;
+    let entries;
+    try {
+        const result = await derivePolicyPackFromContractPack(resolvedPath, skillId);
+        packs = result.packs;
+        entries = result.entries;
+    }
+    catch {
+        packs = [aiFillDefaultPolicyPack(skillId)];
+        entries = [aiFillDefaultPolicyEntry(skillId, packs[0].id)];
+    }
+    return {
+        version: 1,
+        pools: packs,
+        entries,
+        metadata: {
+            derivedFrom: [contractPackPath],
+            generatedAt: new Date().toISOString(),
+            sourceSkillIds: [skillId],
+        },
+    };
+}
+//# sourceMappingURL=skill-policy-pool.js.map

package/dist/core/sdd/state.d.ts

@@ -1,4 +1,5 @@
 import { type NamingContractState, type ArchitectureState, type BacklogState, type DiscoveryIndexState, type FinalizeQueueState, type FrontendDecisionsState, type FrontendGapsState, type FrontendMapState, type IntegrationContractsState, type RepoMapState, type SourceIndexState, type SkillCatalogState, type SkillRoutingState, type ServiceCatalogState, type TechStackState, type TechDebtState, type UnblockEventsState, type TransitionLogState, type AuditHistoryState } from './types.js';
+import { type BuiltInSkillDefinition, type BuiltInSkillSourceTree } from './default-skills.js';
 export type SddLanguage = 'pt-BR' | 'en-US';
 export type SddLayout = 'legacy' | 'pt-BR' | 'en-US';
 export interface SddRuntimeConfig {
@@ -89,6 +90,21 @@ export interface SddStateSnapshot {
     sourceIndex: SourceIndexState;
     skillRouting: SkillRoutingState;
 }
+export declare function skillSubfoldersForLayout(layout: SddLayout): {
+    curated: string;
+    bundles: string;
+};
+export declare function defaultFoldersForLayout(layout: SddLayout): SddRuntimeConfig['folders'];
+export declare function isRecord(value: unknown): value is Record<string, unknown>;
+export declare function mergeRuntimeConfig(raw: unknown): SddRuntimeConfig;
+export declare function validateRuntimeConfig(config: SddRuntimeConfig): void;
+export declare function defaultRuntimeConfig(): SddRuntimeConfig;
+export declare function fileExists(filePath: string): Promise<boolean>;
+export declare function firstExistingFile(paths: string[]): Promise<string | null>;
+export declare function readYamlObject(filePath: string): Promise<Record<string, unknown>>;
+export declare function isLegacyGeneratedBy(value: unknown): boolean;
+export declare function buildSddConfigDocument(existing: Record<string, unknown>, config: SddRuntimeConfig): Record<string, unknown>;
+export declare function removeSddRuntimeConfigFromLegacySpecConfig(projectRoot: string): Promise<void>;
 export declare function loadProjectSddConfig(projectRoot: string): Promise<SddRuntimeConfig>;
 export declare function upsertProjectSddConfig(projectRoot: string, overrides?: {
     frontendEnabled?: boolean;
@@ -97,6 +113,12 @@ export declare function upsertProjectSddConfig(projectRoot: string, overrides?:
 }): Promise<SddRuntimeConfig>;
 export declare function resolveSddPaths(projectRoot: string, config: SddRuntimeConfig): SddPaths;
 export declare function ensureBaseStructure(paths: SddPaths): Promise<void>;
+export declare function isBuiltInSkillSourceTree(definition: BuiltInSkillDefinition): definition is BuiltInSkillSourceTree;
+export declare function adaptSkillContentForLayout(content: string, paths: SddPaths, config: SddRuntimeConfig): string;
+export declare function listTreeFiles(rootDir: string): Promise<string[]>;
+export declare function resolveBuiltInSourceRoot(paths: SddPaths, sourceRoot: string): Promise<string | null>;
+export declare function materializeBuiltInSkill(paths: SddPaths, config: SddRuntimeConfig, skillId: string, definition: BuiltInSkillDefinition): Promise<void>;
+export declare function ensureCuratedSkillCatalog(filePath: string): Promise<void>;
 export declare function ensureBaseFiles(paths: SddPaths, config: SddRuntimeConfig): Promise<void>;
 export declare function loadStateSnapshot(paths: SddPaths, config: SddRuntimeConfig): Promise<SddStateSnapshot>;
 export declare function loadSkillCatalogState(paths: SddPaths): Promise<SkillCatalogState>;