@devtrack-solution/codesdd 1.2.2 → 1.2.4-rc3

package/dist/core/sdd/services/onboard.service.js

@@ -2,6 +2,7 @@ import path from "node:path";
 import { CLI_NAME } from "../../branding.js";
 import { loadStateSnapshot } from "../state.js";
 import { bundlesForSkills, getRuntime, relProjectPath, coreDocRef, planningDocRef, resolveActiveDocRefs } from "../legacy-operations.js";
+import { normalizeSddEntityRef } from "../entity-reference.js";
 import { ContextService } from "./context.service.js";
 import { NextService } from "./next.service.js";
 export class OnboardService {
@@ -12,7 +13,7 @@ export class OnboardService {
     async execute(projectRoot, target = 'system', options) {
         const { config, paths } = await getRuntime(projectRoot);
         const snapshot = await loadStateSnapshot(paths, config);
-        const normalized = (target || 'system').trim();
+        const normalized = normalizeSddEntityRef(target || 'system');
         const contextCmd = new ContextService(this.stores);
         const baseReadOrder = [
             'README.md',

package/dist/core/sdd/services/rebuild.service.js

@@ -6,6 +6,7 @@ import { BacklogStateSchema, DiscoveryIndexStateSchema, } from '../types.js';
 import { activeDocNamesForLayout, buildBacklogItem, computeCanonicalTitle, ensureFeatureQualityContract, ensureMemoryInitialized, relProjectPath, } from '../legacy-operations.js';
 import { renderViews } from '../views.js';
 import { parseWorkspaceYamlDocument, } from '../workspace-schemas.js';
+import { parseGovernanceFile } from '../governance-parser.js';
 const DISCOVERY_STATUSES = new Set([
     'NEW',
     'DEBATED',
@@ -78,6 +79,10 @@ function discoveryStatusFromMarkdown(content, type, discarded) {
     return 'READY';
 }
 function titleFromMarkdown(content, id, fileName) {
+    const parsed = parseGovernanceFile(fileName, content);
+    const frontmatterTitle = parsed.frontmatter && typeof parsed.frontmatter === 'object' && typeof parsed.frontmatter.title === 'string'
+        ? parsed.frontmatter.title
+        : '';
     const titleBlock = /^## Title\s*\n+(.+)$/im.exec(content);
     const baseTitle = /^\s*-\s*Base title:\s*(.+)$/im.exec(content);
     const heading = /^#\s+(.+)$/m.exec(content);
@@ -86,7 +91,7 @@ function titleFromMarkdown(content, id, fileName) {
         .replace(new RegExp(`^${id}-?`, 'i'), '')
         .replace(/-/g, ' ')
         .trim();
-    const candidate = (titleBlock?.[1] || baseTitle?.[1] || heading?.[1] || slugTitle || id).trim();
+    const candidate = (frontmatterTitle || titleBlock?.[1] || baseTitle?.[1] || heading?.[1] || slugTitle || id).trim();
     const cleaned = candidate
         .replace(new RegExp(`^(Insight|Debate|Epic)\\s+${id}\\s*:?\\s*`, 'i'), '')
         .trim();

package/dist/core/sdd/services/semantic-intent-classifier.service.d.ts

@@ -0,0 +1,6 @@
+import { type SemanticIntentClassification, type SemanticIntentClassifierInput } from '../domain/semantic-intent-classifier.js';
+export type SemanticIntentClassifierServiceResult = SemanticIntentClassification;
+export declare class SemanticIntentClassifierService {
+    execute(input: SemanticIntentClassifierInput): SemanticIntentClassifierServiceResult;
+}
+//# sourceMappingURL=semantic-intent-classifier.service.d.ts.map

package/dist/core/sdd/services/semantic-intent-classifier.service.js

@@ -0,0 +1,7 @@
+import { classifySemanticIntent, } from '../domain/semantic-intent-classifier.js';
+export class SemanticIntentClassifierService {
+    execute(input) {
+        return classifySemanticIntent(input);
+    }
+}
+//# sourceMappingURL=semantic-intent-classifier.service.js.map

package/dist/core/sdd/services/skills-sync.service.d.ts

@@ -1,4 +1,19 @@
 import { SddStores } from "../store/sdd-stores.js";
+type SkillManifestDriftLayer = 'canonical' | 'user-extension';
+type SkillManifestDriftStatus = 'missing' | 'modified';
+export interface SkillManifestDriftAlert {
+    skill_id: string;
+    layer: SkillManifestDriftLayer;
+    status: SkillManifestDriftStatus;
+    expected_sha256?: string;
+    observed_sha256: string;
+}
+export interface SkillsSyncResult {
+    synced: number;
+    local_synced: number;
+    tools: string[];
+    alerts: SkillManifestDriftAlert[];
+}
 export declare class SkillsSyncService {
     private readonly stores;
     constructor(stores: SddStores);
@@ -6,10 +21,7 @@ export declare class SkillsSyncService {
         bundles?: string[];
         all?: boolean;
         tools?: string[];
-    }): Promise<{
-        synced: number;
-        local_synced: number;
-        tools: string[];
-    }>;
+    }): Promise<SkillsSyncResult>;
 }
+export {};
 //# sourceMappingURL=skills-sync.service.d.ts.map

package/dist/core/sdd/services/skills-sync.service.js

@@ -3,9 +3,31 @@ import { promises as fs } from "node:fs";
 import { fileURLToPath } from "node:url";
 import { AI_TOOLS } from "../../config.js";
 import { loadSkillCatalogState } from "../state.js";
+import { DEFAULT_CURATED_SKILL_CATALOG, computeSkillManifestSha256 } from "../default-skills.js";
 import { getRuntime, buildCuratedSkillContent } from "../legacy-operations.js";
 import { SddWriteTransaction } from "../write-manifest.js";
 const PACKAGE_ROOT = path.resolve(path.dirname(fileURLToPath(import.meta.url)), '../../../../');
+const ZERO_HASH = '0000000000000000000000000000000000000000000000000000000000000000';
+const CANONICAL_SKILL_IDS = new Set(DEFAULT_CURATED_SKILL_CATALOG.skills.map((entry) => entry.id));
+function normalizeIntegrityHash(hash) {
+    if (!hash) {
+        return undefined;
+    }
+    const normalized = hash.trim().toLowerCase();
+    if (!/^[a-f0-9]{64}$/.test(normalized)) {
+        return undefined;
+    }
+    if (normalized === ZERO_HASH) {
+        return undefined;
+    }
+    return normalized;
+}
+function isCanonicalCriticalSkill(entry) {
+    if (entry.deterministic_pair) {
+        return true;
+    }
+    return entry.bundle_ids.includes('architecture-backend');
+}
 function isInside(parent, child) {
     const relative = path.relative(parent, child);
     return relative === '' || (!relative.startsWith('..') && !path.isAbsolute(relative));
@@ -78,9 +100,35 @@ export class SkillsSyncService {
         });
         await fs.mkdir(paths.skillsCuratedDir, { recursive: true });
         const contentBySkillId = new Map();
+        const driftAlerts = [];
+        const criticalCanonicalDrift = [];
         for (const entry of selected) {
             const content = await resolveCuratedSkillContent(paths, entry);
+            const observedHash = computeSkillManifestSha256(content);
+            const expectedHash = normalizeIntegrityHash(entry.integrity_hash);
+            if (!expectedHash || expectedHash !== observedHash) {
+                const alert = {
+                    skill_id: entry.id,
+                    layer: CANONICAL_SKILL_IDS.has(entry.id) ? 'canonical' : 'user-extension',
+                    status: expectedHash ? 'modified' : 'missing',
+                    expected_sha256: expectedHash,
+                    observed_sha256: observedHash,
+                };
+                driftAlerts.push(alert);
+                if (alert.layer === 'canonical' && isCanonicalCriticalSkill(entry)) {
+                    criticalCanonicalDrift.push(alert);
+                }
+            }
             contentBySkillId.set(entry.id, content);
+        }
+        if (criticalCanonicalDrift.length > 0) {
+            const details = criticalCanonicalDrift
+                .map((alert) => `- ${alert.skill_id}: ${alert.status} (expected=${alert.expected_sha256 || '<missing>'}, observed=${alert.observed_sha256})`)
+                .join('\n');
+            throw new Error(`Skill manifest drift detected in canonical layer. Sync blocked until canonical hashes are restored.\n${details}`);
+        }
+        for (const entry of selected) {
+            const content = contentBySkillId.get(entry.id) || await resolveCuratedSkillContent(paths, entry);
             await materializeLocalSourceSkill(paths, entry, content);
             const tx = new SddWriteTransaction();
             const localDir = path.join(paths.skillsCuratedDir, entry.id);
@@ -88,7 +136,7 @@ export class SkillsSyncService {
             await tx.commit(paths.projectRoot, paths.memoryRoot, 'skills-sync.service (local dir)');
         }
         if (selected.length === 0) {
-            return { synced: 0, local_synced: 0, tools: [] };
+            return { synced: 0, local_synced: 0, tools: [], alerts: [] };
         }
         const targetTools = (options?.tools && options.tools.length > 0
             ? AI_TOOLS.filter((tool) => options.tools?.includes(tool.value))
@@ -111,7 +159,12 @@ export class SkillsSyncService {
             }
             syncedTools.push(tool.value);
         }
-        return { synced: selected.length, local_synced: selected.length, tools: syncedTools };
+        return {
+            synced: selected.length,
+            local_synced: selected.length,
+            tools: syncedTools,
+            alerts: driftAlerts.filter((alert) => alert.layer === 'user-extension' || !criticalCanonicalDrift.some((critical) => critical.skill_id === alert.skill_id)),
+        };
     }
 }
 //# sourceMappingURL=skills-sync.service.js.map

package/dist/core/sdd/services/start.service.js

@@ -9,6 +9,7 @@ import { slugify, findDiscoveryRecord, ensureFeatureQualityContract, bundlesForS
 import { SddWriteTransaction } from "../write-manifest.js";
 import { withStateLock } from "../state-lock.js";
 import { featureDeclaresMandatoryAdrImpact } from "../adr-policy.js";
+import { normalizeFeatRef } from "../entity-reference.js";
 export class StartService {
     stores;
     constructor(stores) {
@@ -25,8 +26,9 @@ export class StartService {
             const catalog = await loadSkillCatalogState(paths);
             const now = nowIso();
             let feature;
-            if (/^FEAT-\d{3,}$/.test(value)) {
-                feature = resolveFeat(snapshot.backlog.items, value);
+            const normalizedFeatureRef = normalizeFeatRef(value);
+            if (normalizedFeatureRef || /^FEAT-\d{3,}$/.test(value)) {
+                feature = resolveFeat(snapshot.backlog.items, normalizedFeatureRef || value);
             }
             else if (/^(?:RAD|EPIC)-\d{3,}$/.test(value)) {
                 const existing = snapshot.backlog.items.find((item) => (item.origin_type === 'radar' || item.origin_type === 'epic') && item.origin_ref === value);
@@ -90,8 +92,8 @@ export class StartService {
             if (!feature.change_name) {
                 const base = slugify(`${feature.id}-${feature.title}`).slice(0, 50).replace(/-+$/g, '') ||
                     feature.id.toLowerCase();
-                // OpenSDD-native execution keeps this as a compatibility identifier only.
-                // It must not materialize legacy OpenSpec change directories.
+                // CodeSDD-native execution keeps this as a compatibility identifier only.
+                // It must not materialize legacy CodeSDD change directories.
                 feature.change_name = base;
             }
             await runLifecycleHooks('before-start', {

package/dist/core/sdd/skill-bundles-curation-schema.d.ts

@@ -0,0 +1,66 @@
+import { z } from 'zod';
+/**
+ * Schema for the curated skill-bundles document emitted as a Markdown view
+ * (`curation-en-us.md` / `curadoria-pt-br.md`) AND as canonical YAML
+ * (`curation-en-us.yaml` / `curadoria-pt-br.yaml`).
+ *
+ * EPIC-0072 wave 1 (FEAT-0284) introduces this YAML form as the precursor
+ * that validates the toolchain choice (`yaml` + `zod` without `gray-matter`)
+ * before the rest of the governance plane migrates to frontmatter + body.
+ *
+ * The Markdown form remains generated for human readability and is treated
+ * as a derived view; the YAML form is the structured contract.
+ */
+export declare const skillBundleEntrySchema: z.ZodObject<{
+    id: z.ZodString;
+    title: z.ZodString;
+    skill_ids: z.ZodArray<z.ZodString>;
+}, z.core.$strip>;
+export declare const highlightedSkillSchema: z.ZodObject<{
+    skill_id: z.ZodString;
+    bundle_id: z.ZodString;
+    canonical_path: z.ZodString;
+    notes: z.ZodDefault<z.ZodArray<z.ZodString>>;
+}, z.core.$strip>;
+export declare const skillBundlesCurationSchema: z.ZodObject<{
+    schema_version: z.ZodLiteral<1>;
+    layout: z.ZodEnum<{
+        "pt-BR": "pt-BR";
+        "en-US": "en-US";
+    }>;
+    generated_from: z.ZodLiteral<"CURATED_BUNDLES">;
+    objective: z.ZodArray<z.ZodString>;
+    bundles: z.ZodArray<z.ZodObject<{
+        id: z.ZodString;
+        title: z.ZodString;
+        skill_ids: z.ZodArray<z.ZodString>;
+    }, z.core.$strip>>;
+    highlighted: z.ZodDefault<z.ZodArray<z.ZodObject<{
+        skill_id: z.ZodString;
+        bundle_id: z.ZodString;
+        canonical_path: z.ZodString;
+        notes: z.ZodDefault<z.ZodArray<z.ZodString>>;
+    }, z.core.$strip>>>;
+    canonical_source: z.ZodString;
+    operational_rule: z.ZodArray<z.ZodString>;
+}, z.core.$strip>;
+export type SkillBundlesCuration = z.infer<typeof skillBundlesCurationSchema>;
+export type SkillBundleEntry = z.infer<typeof skillBundleEntrySchema>;
+export type HighlightedSkill = z.infer<typeof highlightedSkillSchema>;
+/**
+ * Parses an arbitrary value (typically loaded from YAML) into a typed
+ * curation document. Throws a Zod error on schema violation; callers should
+ * surface the error with path-aware context.
+ */
+export declare function parseSkillBundlesCuration(value: unknown): SkillBundlesCuration;
+/**
+ * Non-throwing variant for callers that prefer to handle errors explicitly.
+ */
+export declare function safeParseSkillBundlesCuration(value: unknown): {
+    ok: true;
+    data: SkillBundlesCuration;
+} | {
+    ok: false;
+    error: z.ZodError<SkillBundlesCuration>;
+};
+//# sourceMappingURL=skill-bundles-curation-schema.d.ts.map

package/dist/core/sdd/skill-bundles-curation-schema.js

@@ -0,0 +1,52 @@
+import { z } from 'zod';
+/**
+ * Schema for the curated skill-bundles document emitted as a Markdown view
+ * (`curation-en-us.md` / `curadoria-pt-br.md`) AND as canonical YAML
+ * (`curation-en-us.yaml` / `curadoria-pt-br.yaml`).
+ *
+ * EPIC-0072 wave 1 (FEAT-0284) introduces this YAML form as the precursor
+ * that validates the toolchain choice (`yaml` + `zod` without `gray-matter`)
+ * before the rest of the governance plane migrates to frontmatter + body.
+ *
+ * The Markdown form remains generated for human readability and is treated
+ * as a derived view; the YAML form is the structured contract.
+ */
+export const skillBundleEntrySchema = z.object({
+    id: z.string().min(1),
+    title: z.string().min(1),
+    skill_ids: z.array(z.string().min(1)).min(1),
+});
+export const highlightedSkillSchema = z.object({
+    skill_id: z.string().min(1),
+    bundle_id: z.string().min(1),
+    canonical_path: z.string().min(1),
+    notes: z.array(z.string().min(1)).default([]),
+});
+export const skillBundlesCurationSchema = z.object({
+    schema_version: z.literal(1),
+    layout: z.enum(['en-US', 'pt-BR']),
+    generated_from: z.literal('CURATED_BUNDLES'),
+    objective: z.array(z.string().min(1)).min(1),
+    bundles: z.array(skillBundleEntrySchema).min(1),
+    highlighted: z.array(highlightedSkillSchema).default([]),
+    canonical_source: z.string().min(1),
+    operational_rule: z.array(z.string().min(1)).min(1),
+});
+/**
+ * Parses an arbitrary value (typically loaded from YAML) into a typed
+ * curation document. Throws a Zod error on schema violation; callers should
+ * surface the error with path-aware context.
+ */
+export function parseSkillBundlesCuration(value) {
+    return skillBundlesCurationSchema.parse(value);
+}
+/**
+ * Non-throwing variant for callers that prefer to handle errors explicitly.
+ */
+export function safeParseSkillBundlesCuration(value) {
+    const result = skillBundlesCurationSchema.safeParse(value);
+    if (result.success)
+        return { ok: true, data: result.data };
+    return { ok: false, error: result.error };
+}
+//# sourceMappingURL=skill-bundles-curation-schema.js.map

package/dist/core/sdd/skill-evidence.d.ts

@@ -0,0 +1,19 @@
+import type { SkillCatalogEntry } from './types.js';
+import type { WorkspacePolicyRequirement } from './skill-policy-pool.js';
+export interface SkillEvidenceEntry {
+    skill_id: string;
+    note: string;
+    source: 'manual' | 'tooling' | 'quality_artifact';
+}
+export interface SkillProvenanceInfo {
+    skill_id: string;
+    source_repo: string | null;
+    source_path: string | null;
+    integrity_hash: string;
+    synced_at: string;
+}
+export declare function buildSkillProvenanceRecord(skillId: string, catalog: SkillCatalogEntry[], syncedAt?: string): SkillProvenanceInfo | null;
+export declare function buildSkillEvidenceEntry(skillId: string, note: string, source?: 'manual' | 'tooling' | 'quality_artifact'): SkillEvidenceEntry;
+export declare function buildProvenanceEvidenceFromCatalog(skillIds: string[], catalog: SkillCatalogEntry[]): SkillEvidenceEntry[];
+export declare function buildAppliedPolicyEvidence(policyRequirements: WorkspacePolicyRequirement[], policiesApplied?: Record<string, string>): SkillEvidenceEntry[];
+//# sourceMappingURL=skill-evidence.d.ts.map

package/dist/core/sdd/skill-evidence.js

@@ -0,0 +1,38 @@
+export function buildSkillProvenanceRecord(skillId, catalog, syncedAt) {
+    const entry = catalog.find((s) => s.id === skillId);
+    if (!entry)
+        return null;
+    return {
+        skill_id: entry.id,
+        source_repo: entry.source_repo ?? null,
+        source_path: entry.source_path ?? null,
+        integrity_hash: entry.integrity_hash,
+        synced_at: syncedAt ?? new Date().toISOString(),
+    };
+}
+export function buildSkillEvidenceEntry(skillId, note, source) {
+    const noteText = note.length >= 10 ? note : `${note} - Evidence recorded during FEAT execution.`;
+    return {
+        skill_id: skillId,
+        note: noteText,
+        source: source ?? 'tooling',
+    };
+}
+export function buildProvenanceEvidenceFromCatalog(skillIds, catalog) {
+    const uniqueIds = Array.from(new Set(skillIds.map((id) => id.trim()).filter(Boolean)));
+    return uniqueIds
+        .map((skillId) => {
+        const record = buildSkillProvenanceRecord(skillId, catalog);
+        if (!record) {
+            return buildSkillEvidenceEntry(skillId, `Skill "${skillId}" not found in catalog. Provenance could not be recorded.`, 'manual');
+        }
+        return buildSkillEvidenceEntry(skillId, `Skill provenance: source=${record.source_repo ?? 'unknown'}, path=${record.source_path ?? 'unknown'}, hash=${record.integrity_hash}, synced_at=${record.synced_at}`, 'tooling');
+    });
+}
+export function buildAppliedPolicyEvidence(policyRequirements, policiesApplied) {
+    return policyRequirements.map((req) => {
+        const appliedNote = policiesApplied?.[req.skill_id] ?? 'All required policy rules applied and validated.';
+        return buildSkillEvidenceEntry(req.skill_id, `Applied policy: pool=${req.policy_pool_ref}, contract=${req.source_contract_ref}, enforcement=${req.enforcement}. ${appliedNote}`, 'tooling');
+    });
+}
+//# sourceMappingURL=skill-evidence.js.map

package/dist/core/sdd/skill-policy-pool.d.ts

@@ -0,0 +1,46 @@
+import { type PluginPolicyPack } from './plugin-policy-pack.js';
+export interface SkillPolicyEntry {
+    ruleId: string;
+    skillId: string;
+    severity: 'P0' | 'P1' | 'P2';
+    title: string;
+    appliesTo: string[];
+    policyPackId: string;
+    detect: string[];
+    requiredResponse: string[];
+}
+export interface SkillPolicyPool {
+    version: number;
+    pools: PluginPolicyPack[];
+    entries: SkillPolicyEntry[];
+    metadata: {
+        derivedFrom: string[];
+        generatedAt: string;
+        sourceSkillIds: string[];
+    };
+}
+export interface WorkspacePolicyRequirement {
+    skill_id: string;
+    policy_pool_ref: string;
+    source_contract_ref: string;
+    enforcement: 'blocking' | 'advisory';
+    required_rule_refs: string[];
+    required_evidence: string[];
+}
+export interface WorkspacePolicyInjection {
+    version: 1;
+    generated_from: 'recommended_skills';
+    required_policies: WorkspacePolicyRequirement[];
+}
+export declare function buildWorkspacePolicyInjection(skillIds: string[]): WorkspacePolicyInjection;
+export declare function aiFillDefaultPolicyPack(skillId: string): PluginPolicyPack;
+export declare function aiFillDefaultPolicyEntry(skillId: string, packId: string): SkillPolicyEntry;
+export declare function derivePolicyPackFromContractPack(contractPackPath: string, skillId: string): Promise<{
+    packs: PluginPolicyPack[];
+    entries: SkillPolicyEntry[];
+}>;
+export declare function derivePolicyPoolFromSkill(skillId: string, options?: {
+    projectRoot?: string;
+    contractPackRelativePath?: string;
+}): Promise<SkillPolicyPool>;
+//# sourceMappingURL=skill-policy-pool.d.ts.map

package/dist/core/sdd/skill-policy-pool.js

@@ -0,0 +1,185 @@
+import { promises as fs } from 'node:fs';
+import path from 'node:path';
+import { parse } from 'yaml';
+import { pluginPolicyPackSchema } from './plugin-policy-pack.js';
+const DEVTRACK_API_BLOCKING_RULES = [
+    'DTAPI-P0-PROFILE-001',
+    'DTAPI-P0-PREVIEW-001',
+    'DTAPI-P0-PATH-001',
+    'DTAPI-P0-TYPEORM-001',
+    'DTAPI-P0-COMPOSITION-001',
+    'DTAPI-P0-MODULES-001',
+    'DTAPI-P0-PORTS-001',
+];
+export function buildWorkspacePolicyInjection(skillIds) {
+    const uniqueSkillIds = Array.from(new Set(skillIds.map((skillId) => skillId.trim()).filter(Boolean)));
+    return {
+        version: 1,
+        generated_from: 'recommended_skills',
+        required_policies: uniqueSkillIds.map((skillId) => buildWorkspacePolicyRequirement(skillId)),
+    };
+}
+function buildWorkspacePolicyRequirement(skillId) {
+    if (skillId === 'devtrack-api') {
+        return {
+            skill_id: skillId,
+            policy_pool_ref: 'skill-policy-pool:devtrack-api',
+            source_contract_ref: '.sdd/skills/curated/devtrack-api/references/contract-pack.yaml',
+            enforcement: 'blocking',
+            required_rule_refs: DEVTRACK_API_BLOCKING_RULES,
+            required_evidence: [
+                'selected derivation profile recorded in plan',
+                'package-structure preview approved or exception documented',
+                'devtrack-api architecture validation evidence recorded in quality',
+                'skill_evidence entry recorded for devtrack-api before finalize',
+            ],
+        };
+    }
+    return {
+        skill_id: skillId,
+        policy_pool_ref: `skill-policy-pool:${skillId}`,
+        source_contract_ref: `.sdd/skills/curated/${skillId}/references/contract-pack.yaml`,
+        enforcement: 'advisory',
+        required_rule_refs: [`${skillId}-DEFAULT-001`],
+        required_evidence: [
+            `skill_evidence entry recorded for ${skillId} before finalize`,
+            `policy conformance checked for ${skillId} before execution relies on the skill`,
+        ],
+    };
+}
+export function aiFillDefaultPolicyPack(skillId) {
+    return pluginPolicyPackSchema.parse({
+        id: `${skillId}-default`,
+        version: '1.0.0',
+        description: `AI-filled default policy pack derived from skill "${skillId}". No contract pack was provided, so safe defaults are applied.`,
+        applies_to: {
+            trust_tiers: ['local-dev', 'experimental', 'enterprise-approved'],
+        },
+        requirements: {
+            max_risk_tier: 'medium',
+            supply_chain: {
+                checksum: true,
+                signature_or_provenance: false,
+                sbom: false,
+                sbom_formats: [],
+            },
+            validation: {
+                min_coverage: 80,
+                security_checks: ['dependency-audit'],
+                dependency_checks: [],
+            },
+            execution: {
+                network: 'restricted',
+                process_spawn: 'forbidden',
+            },
+        },
+    });
+}
+export function aiFillDefaultPolicyEntry(skillId, packId) {
+    return {
+        ruleId: `${skillId}-DEFAULT-001`,
+        skillId,
+        severity: 'P2',
+        title: `Default policy for ${skillId}: verify skill content and intent before use.`,
+        appliesTo: ['FEAT', 'source', 'quality'],
+        policyPackId: packId,
+        detect: ['skill is referenced but not validated against project-local policy pool'],
+        requiredResponse: [
+            `record skill-policy-pool evidence for ${skillId}`,
+            'verify skill conformance before reliant execution',
+        ],
+    };
+}
+export async function derivePolicyPackFromContractPack(contractPackPath, skillId) {
+    const raw = await fs.readFile(contractPackPath, 'utf-8');
+    const contractPack = parse(raw);
+    const packs = [];
+    const entries = [];
+    const contractId = contractPack.contract_id ?? `${skillId}-contract-pack`;
+    const profiles = contractPack.derivation_profiles ?? {};
+    const rules = contractPack.rules ?? [];
+    for (const [profileName, profile] of Object.entries(profiles)) {
+        const packId = `${skillId}-${profileName}`;
+        const isDefault = profile.default !== false;
+        const packSeverityMap = {
+            block_on_p0: 'high',
+            block_on_p0_p1: 'high',
+            warn: 'medium',
+        };
+        const enforcementLevel = profile.enforcement?.path_conformance ?? 'warn';
+        const maxRiskTier = packSeverityMap[enforcementLevel] ?? 'medium';
+        const isBlocking = profile.enforcement?.finalize_blocking ?? false;
+        const pack = pluginPolicyPackSchema.parse({
+            id: packId,
+            version: '1.0.0',
+            description: `Derived policy pack for "${profileName}" profile from contract pack "${contractId}" (skill: ${skillId}). ${profile.purpose ?? ''}`,
+            applies_to: {
+                trust_tiers: isBlocking ? ['enterprise-approved'] : ['local-dev', 'experimental', 'enterprise-approved'],
+            },
+            requirements: {
+                max_risk_tier: maxRiskTier,
+                supply_chain: {
+                    checksum: isBlocking,
+                    signature_or_provenance: isBlocking,
+                    sbom: isDefault,
+                    sbom_formats: isBlocking ? ['cyclonedx'] : [],
+                },
+                validation: {
+                    min_coverage: isBlocking ? 95 : 80,
+                    security_checks: isBlocking
+                        ? ['dependency-audit', 'no-secret-fixtures']
+                        : ['dependency-audit'],
+                    dependency_checks: isBlocking ? ['lockfile-review'] : [],
+                },
+                execution: {
+                    network: isBlocking ? 'disabled' : 'restricted',
+                    process_spawn: isBlocking ? 'forbidden' : 'declared',
+                },
+            },
+        });
+        packs.push(pack);
+        for (const rule of rules) {
+            const sev = rule.severity === 'P0' ? 'P0' : rule.severity === 'P1' ? 'P1' : 'P2';
+            entries.push({
+                ruleId: rule.id,
+                skillId,
+                severity: sev,
+                title: rule.title,
+                appliesTo: rule.applies_to ?? [],
+                policyPackId: packId,
+                detect: rule.detect ?? [],
+                requiredResponse: rule.required_response ?? [],
+            });
+        }
+    }
+    return { packs, entries };
+}
+export async function derivePolicyPoolFromSkill(skillId, options = {}) {
+    const contractPackPath = options.contractPackRelativePath ??
+        `.sdd/skills/curated/${skillId}/references/contract-pack.yaml`;
+    const resolvedPath = options.projectRoot
+        ? path.resolve(options.projectRoot, contractPackPath)
+        : contractPackPath;
+    let packs;
+    let entries;
+    try {
+        const result = await derivePolicyPackFromContractPack(resolvedPath, skillId);
+        packs = result.packs;
+        entries = result.entries;
+    }
+    catch {
+        packs = [aiFillDefaultPolicyPack(skillId)];
+        entries = [aiFillDefaultPolicyEntry(skillId, packs[0].id)];
+    }
+    return {
+        version: 1,
+        pools: packs,
+        entries,
+        metadata: {
+            derivedFrom: [contractPackPath],
+            generatedAt: new Date().toISOString(),
+            sourceSkillIds: [skillId],
+        },
+    };
+}
+//# sourceMappingURL=skill-policy-pool.js.map