@devtrack-solution/codesdd 1.2.3 → 1.2.4

package/dist/core/sdd/devtrack-api-appliance.js

@@ -1,6 +1,10 @@
 import { buildPluginRuntimeInvocationPlan, pluginArtifactManifestSchema, } from './plugin-broker.js';
 import { pluginManifestSchema } from './plugin-manifest.js';
 import { createPluginRegistryState } from './plugin-registry.js';
+import { DEFAULT_CODESDD_API_PROFILE_ID, resolveCodeSddApiProfile, } from './api-profile-catalog.js';
+import { CODESDD_API_FOUNDATION_SHARED_BASELINE, CODESDD_API_SHARED_BASELINE_QUALITY_GATES, CODESDD_API_SHARED_BASELINE_REQUIREMENTS, getCodeSddApiSharedBaselineRequirements, } from './api-foundation-baseline.js';
+import { CODESDD_FULL_FOUNDATION_COMPATIBLE_PROFILE_ID, CODESDD_FULL_FOUNDATION_PARITY_DIMENSIONS, CODESDD_FULL_FOUNDATION_PARITY_MATRIX, CODESDD_FULL_FOUNDATION_PARITY_QUALITY_GATES, getCodeSddFullFoundationParityMatrix, } from './api-foundation-parity.js';
+import { buildCodeSddApiProfileDryRunProjection, getCodeSddApiProfileDryRunExpectation, } from './api-profile-dry-run-projection.js';
 export const DEVTRACK_API_APPLIANCE_PLUGIN_ID = 'codesdd-plugin-devtrack-api';
 export const DEVTRACK_API_APPLIANCE_CAPABILITIES = [
     'scaffold.project',
@@ -17,10 +21,12 @@ const DEVTRACK_API_SCAFFOLD_WRITE_SCOPE = [
     'src',
     'tests',
     'docs',
+    '.env.example',
     'package.json',
     'tsconfig.json',
     'nest-cli.json',
     'eslint.config.mjs',
+    '.sdd/plugin-evidence',
 ];
 export function evaluateDevTrackApiApplianceConformance(manifest) {
     const parsed = pluginManifestSchema.parse(manifest);
@@ -52,6 +58,9 @@ export function buildDevTrackApiScaffoldDryRunPlan(manifest, input) {
     const parsed = pluginManifestSchema.parse(manifest);
     const createdAt = input.created_at ?? new Date().toISOString();
     const packageName = normalizePackageName(input.package_name ?? input.project_name);
+    const apiProfile = resolveCodeSddApiProfile(input.api_profile, {
+        defaultProfile: DEFAULT_CODESDD_API_PROFILE_ID,
+    });
     const conformance = evaluateDevTrackApiApplianceConformance(parsed);
     if (!conformance.valid) {
         return {
@@ -64,8 +73,8 @@ export function buildDevTrackApiScaffoldDryRunPlan(manifest, input) {
             issues: conformance.issues,
         };
     }
-    const artifacts = buildScaffoldArtifacts();
-    const runtimePlan = buildRuntimePlan(parsed, input, packageName, createdAt, artifacts);
+    const artifacts = buildScaffoldArtifacts(apiProfile.profile_id);
+    const runtimePlan = buildRuntimePlan(parsed, input, packageName, createdAt, artifacts, apiProfile);
     if (runtimePlan.status !== 'ready' || !runtimePlan.envelope) {
         return {
             schema_version: 1,
@@ -89,6 +98,7 @@ export function buildDevTrackApiScaffoldDryRunPlan(manifest, input) {
         status: 'planned',
         created_at: createdAt,
         operation_id: operationId,
+        api_profile: apiProfile,
         project_name: input.project_name,
         package_name: packageName,
         runtime_plan: runtimePlan,
@@ -107,6 +117,14 @@ export function buildDevTrackApiScaffoldDryRunPlan(manifest, input) {
                 operation: artifact.operation,
                 reason: artifact.reason,
                 content_type: artifact.content_type,
+                artifact_kind: artifact.artifact_kind,
+                role: artifact.role,
+                layer: artifact.layer,
+                language: artifact.language,
+                implementation: artifact.implementation,
+                decision_refs: artifact.decision_refs,
+                source_refs: [artifact.source_reference],
+                tags: artifact.tags,
             })),
             validation_evidence: parsed.validation.commands.map((command) => ({
                 command,
@@ -121,6 +139,9 @@ export function buildDevTrackApiScaffoldDryRunPlan(manifest, input) {
             projectName: input.project_name,
             packageName,
             validationCommands: parsed.validation.commands,
+            apiProfile,
+            expectedWriteScope: runtimePlan.envelope.write_scope,
+            artifacts,
         }),
         issues: [],
     };
@@ -138,7 +159,7 @@ function collectIdentityIssues(manifest) {
     }
     return issues;
 }
-function buildRuntimePlan(manifest, input, packageName, createdAt, artifacts) {
+function buildRuntimePlan(manifest, input, packageName, createdAt, artifacts, apiProfile) {
     const registry = createPluginRegistryState([
         {
             manifest,
@@ -153,10 +174,12 @@ function buildRuntimePlan(manifest, input, packageName, createdAt, artifacts) {
     return buildPluginRuntimeInvocationPlan(registry, {
         feature_ref: input.feature_ref,
         capability: DEVTRACK_API_SCAFFOLD_CAPABILITY,
-        skill_ref: 'devtrack-api',
+        skill_ref: apiProfile.profile_id,
         inputs: {
             project_name: input.project_name,
             package_name: packageName,
+            api_profile: apiProfile.profile_id,
+            api_profile_family: apiProfile.family_id,
             persistence: {
                 provider: 'typeorm',
             },
@@ -179,6 +202,35 @@ function buildRuntimePlan(manifest, input, packageName, createdAt, artifacts) {
     });
 }
 function buildEvidenceManifest(input) {
+    const sharedBaselineRequirements = getCodeSddApiSharedBaselineRequirements();
+    const fullFoundationCompatibility = input.apiProfile.profile_id === CODESDD_FULL_FOUNDATION_COMPATIBLE_PROFILE_ID
+        ? {
+            id: CODESDD_FULL_FOUNDATION_PARITY_MATRIX.id,
+            version: CODESDD_FULL_FOUNDATION_PARITY_MATRIX.version,
+            profile_id: CODESDD_FULL_FOUNDATION_COMPATIBLE_PROFILE_ID,
+            source: CODESDD_FULL_FOUNDATION_PARITY_MATRIX.foundation_reference,
+            dimension_ids: CODESDD_FULL_FOUNDATION_PARITY_DIMENSIONS,
+            quality_gates: CODESDD_FULL_FOUNDATION_PARITY_QUALITY_GATES,
+            dimensions: getCodeSddFullFoundationParityMatrix().map((dimension) => ({
+                ...dimension,
+                status: 'pending',
+            })),
+        }
+        : undefined;
+    const profileProjection = buildCodeSddApiProfileDryRunProjection({
+        apiProfile: input.apiProfile,
+        expectedWriteScope: input.expectedWriteScope,
+        artifactMapRefs: input.artifacts.map((artifactEntry) => ({
+            path: artifactEntry.path,
+            layer: artifactEntry.layer,
+            artifact_kind: artifactEntry.artifact_kind,
+            role: artifactEntry.role,
+            content_type: artifactEntry.content_type,
+            source_reference: artifactEntry.source_reference,
+            tags: artifactEntry.tags,
+        })),
+        validationCommands: input.validationCommands,
+    });
     return {
         schema_version: 1,
         operation_id: input.operationId,
@@ -199,48 +251,120 @@ function buildEvidenceManifest(input) {
             command,
             status: 'pending',
         })),
-        quality_gates: [
-            'typeorm-only-persistence',
+        quality_gates: unique([
+            ...profileProjection.expected_quality_gates,
             'no-secret-fixtures',
             'no-out-of-root-writes',
             'artifact-manifest-required',
             'evidence-manifest-required',
-        ],
+        ]),
+        api_profile: {
+            family_id: input.apiProfile.family_id,
+            selected_profile: input.apiProfile.profile_id,
+            requested_profile: input.apiProfile.input,
+            legacy_alias: input.apiProfile.legacy_alias,
+            migration_notice: input.apiProfile.migration_notice,
+            inherited_baseline: CODESDD_API_SHARED_BASELINE_REQUIREMENTS,
+        },
+        profile_projection: profileProjection,
+        foundation_baseline: {
+            id: CODESDD_API_FOUNDATION_SHARED_BASELINE.id,
+            version: CODESDD_API_FOUNDATION_SHARED_BASELINE.version,
+            source: CODESDD_API_FOUNDATION_SHARED_BASELINE.foundation_reference,
+            requirement_ids: CODESDD_API_SHARED_BASELINE_REQUIREMENTS,
+            quality_gates: CODESDD_API_SHARED_BASELINE_QUALITY_GATES,
+            requirements: sharedBaselineRequirements,
+        },
+        ...(fullFoundationCompatibility
+            ? {
+                full_foundation_compatibility: fullFoundationCompatibility,
+            }
+            : {}),
     };
 }
-function buildScaffoldArtifacts() {
-    return [
-        artifact('package.json', 'root', 'application/json', 'Foundation-compatible package metadata, scripts, and dependencies.'),
-        artifact('tsconfig.json', 'root', 'application/json', 'TypeScript path aliases and compiler settings aligned to Foundation API.'),
-        artifact('nest-cli.json', 'root', 'application/json', 'Nest CLI configuration with Swagger plugin support.'),
-        artifact('eslint.config.mjs', 'root', 'text/javascript', 'Foundation-compatible lint rules and import-boundary checks.'),
-        artifact('docs/foundation-backend-reference-structure.md', 'docs', 'text/markdown', 'Derived Foundation package structure reference for maintainers.'),
-        artifact('src/main.ts', 'root', 'text/typescript', 'NestJS bootstrap entrypoint.'),
-        artifact('src/app.module.ts', 'root', 'text/typescript', 'Root module composing application, infrastructure, and presentation layers.'),
-        artifact('src/application/application.module.ts', 'application', 'text/typescript', 'Application layer module boundary.'),
-        artifact('src/application/runtime-settings.ts', 'application', 'text/typescript', 'Application runtime settings boundary.'),
-        artifact('src/domain/auth/api-keys.domain.ts', 'domain', 'text/typescript', 'Initial domain object example from Foundation API.'),
-        artifact('src/infrastructure/infrastructure.module.ts', 'infrastructure', 'text/typescript', 'Infrastructure layer module boundary.'),
-        artifact('src/infrastructure/settings/app-configuration.ts', 'infrastructure', 'text/typescript', 'Typed application configuration source.'),
-        artifact('src/presentation/presentation.module.ts', 'presentation', 'text/typescript', 'Presentation layer module boundary.'),
-        artifact('src/presentation/rest/rest.presentation.module.ts', 'presentation', 'text/typescript', 'REST channel module boundary.'),
-        artifact('src/presentation/graphql/graphql.presentation.module.ts', 'presentation', 'text/typescript', 'GraphQL channel module boundary.'),
-        artifact('src/presentation/cli/cli.presentation.module.ts', 'presentation', 'text/typescript', 'CLI channel module boundary.'),
-        artifact('src/presentation/websocket/websocket.module.ts', 'presentation', 'text/typescript', 'WebSocket channel module boundary.'),
-        artifact('src/shared/domain/generic-business-object.ts', 'shared', 'text/typescript', 'Shared domain primitive used by Foundation packages.'),
-        artifact('src/shared/presentation/generic-controller.ts', 'shared', 'text/typescript', 'Shared presentation primitive used by REST controllers.'),
-        artifact('tests/app.e2e-spec.ts', 'tests', 'text/typescript', 'Initial E2E smoke test for the generated API scaffold.'),
-        artifact('tests/jest-e2e.json', 'tests', 'application/json', 'Jest E2E configuration for the scaffold.'),
+function buildScaffoldArtifacts(apiProfile) {
+    const baselineArtifacts = [
+        artifact('package.json', 'root', 'package-metadata', 'manifest', 'application/json', 'Foundation-compatible package metadata, scripts, and dependencies.', apiProfile),
+        artifact('.env.example', 'config', 'configuration', 'manifest', 'text/plain', 'Safe placeholder environment contract, including app, database, JWT, and Swagger server variables.', apiProfile),
+        artifact('tsconfig.json', 'config', 'configuration', 'manifest', 'application/json', 'TypeScript path aliases and compiler settings aligned to Foundation API.', apiProfile),
+        artifact('nest-cli.json', 'config', 'configuration', 'manifest', 'application/json', 'Nest CLI configuration with Swagger plugin support.', apiProfile),
+        artifact('eslint.config.mjs', 'config', 'configuration', 'policy', 'text/javascript', 'Foundation-compatible lint rules and import-boundary checks.', apiProfile),
+        artifact('docs/foundation-backend-reference-structure.md', 'docs', 'documentation', 'documentation', 'text/markdown', 'Derived Foundation package structure reference for maintainers.', apiProfile),
+        artifact('src/main.ts', 'root', 'source', 'implementation', 'text/typescript', 'NestJS bootstrap entrypoint with validation pipe and Swagger/OpenAPI /docs setup.', apiProfile),
+        artifact('src/app.module.ts', 'root', 'source', 'module', 'text/typescript', 'Root module composing application, infrastructure, and presentation layers.', apiProfile),
+        artifact('src/application/application.module.ts', 'application', 'source', 'module', 'text/typescript', 'Application layer module boundary.', apiProfile),
+        artifact('src/application/runtime-settings.ts', 'application', 'source', 'type', 'text/typescript', 'Application runtime settings boundary.', apiProfile),
+        artifact('src/domain/auth/business-objects/api-keys.bo.ts', 'domain', 'source', 'business-object', 'text/typescript', 'Initial BO-pattern domain object example from Foundation API.', apiProfile),
+        artifact('src/application/business/auth/ports/out/api-key-repository.port.ts', 'application', 'source', 'repository-port', 'text/typescript', 'BO-pattern repository port owned by application ports/out.', apiProfile),
+        artifact('src/application/business/auth/ports/in/register.use-case.port.ts', 'application', 'source', 'interface', 'text/typescript', 'Application input port for a user-facing auth route.', apiProfile),
+        artifact('src/application/business/auth/use-cases/register.use-case.ts', 'application', 'source', 'use-case', 'text/typescript', 'Application use case backing a user-facing route before presentation wiring.', apiProfile),
+        artifact('src/application/business/auth/auth.application.module.ts', 'application', 'source', 'module', 'text/typescript', 'Application auth module wiring input ports, use cases, services, and output ports.', apiProfile),
+        artifact('src/infrastructure/infrastructure.module.ts', 'infrastructure', 'source', 'module', 'text/typescript', 'Infrastructure layer module boundary.', apiProfile),
+        artifact('src/infrastructure/settings/app-configuration.ts', 'infrastructure', 'source', 'implementation', 'text/typescript', 'Typed application configuration source.', apiProfile),
+        artifact('src/infrastructure/adapters/orm/entities/api-key.orm-entity.ts', 'infrastructure', 'source', 'entity', 'text/typescript', 'TypeORM persistence entity kept in the centralized orm subsystem.', apiProfile),
+        artifact('src/presentation/presentation.module.ts', 'presentation', 'source', 'module', 'text/typescript', 'Presentation layer module boundary.', apiProfile),
+        artifact('src/presentation/rest/rest.presentation.module.ts', 'presentation', 'source', 'module', 'text/typescript', 'REST channel module boundary.', apiProfile),
+        artifact('src/presentation/rest/auth/auth.module.ts', 'presentation', 'source', 'module', 'text/typescript', 'REST auth module registering controllers, guards, and decorators.', apiProfile),
+        artifact('src/presentation/rest/auth/controllers/register.controller.ts', 'presentation', 'source', 'controller', 'text/typescript', 'Swagger-documented REST controller that injects an application input port.', apiProfile),
+        artifact('src/presentation/rest/auth/dtos/register-input.dto.ts', 'presentation', 'source', 'dto', 'text/typescript', 'Swagger-documented REST input DTO for a user-facing route.', apiProfile),
+        artifact('src/presentation/rest/auth/dtos/auth-session-output.dto.ts', 'presentation', 'source', 'dto', 'text/typescript', 'Swagger-documented REST output DTO for session responses.', apiProfile),
+        artifact('src/presentation/rest/auth/guards/jwt-auth.guard.ts', 'presentation', 'source', 'implementation', 'text/typescript', 'REST route guard baseline for protected bearer routes.', apiProfile),
+        artifact('src/presentation/rest/auth/guards/permission.guard.ts', 'presentation', 'source', 'implementation', 'text/typescript', 'REST authorization guard baseline for permission-protected routes.', apiProfile),
+        artifact('src/presentation/rest/auth/decorators/permission.decorator.ts', 'presentation', 'source', 'policy', 'text/typescript', 'REST authorization decorator baseline for permission metadata.', apiProfile),
+        artifact('src/presentation/dtos/api-error-response.dto.ts', 'presentation', 'source', 'dto', 'text/typescript', 'Swagger-documented error response DTO for controller response metadata.', apiProfile),
+        artifact('src/presentation/graphql/graphql.presentation.module.ts', 'presentation', 'source', 'module', 'text/typescript', 'GraphQL channel module boundary.', apiProfile),
+        artifact('src/presentation/cli/cli.presentation.module.ts', 'presentation', 'source', 'module', 'text/typescript', 'CLI channel module boundary.', apiProfile),
+        artifact('src/presentation/websocket/websocket.module.ts', 'presentation', 'source', 'module', 'text/typescript', 'WebSocket channel module boundary.', apiProfile),
+        artifact('src/shared/domain/generic-business-object.ts', 'shared', 'source', 'abstraction', 'text/typescript', 'Shared domain primitive used by Foundation packages.', apiProfile),
+        artifact('src/shared/presentation/generic-controller.ts', 'shared', 'source', 'abstraction', 'text/typescript', 'Shared presentation primitive used by REST controllers.', apiProfile),
+        artifact('tests/app.e2e-spec.ts', 'tests', 'test', 'test', 'text/typescript', 'Initial E2E smoke test for the generated API scaffold.', apiProfile),
+        artifact('tests/jest-e2e.json', 'tests', 'configuration', 'manifest', 'application/json', 'Jest E2E configuration for the scaffold.', apiProfile),
     ];
+    const plannedPaths = new Set(baselineArtifacts.map((entry) => entry.path));
+    const profileOverlayArtifacts = getCodeSddApiProfileDryRunExpectation(apiProfile).expected_writes
+        .filter((expectedWrite) => !plannedPaths.has(expectedWrite.path))
+        .map((expectedWrite) => artifact(expectedWrite.path, expectedWrite.layer, expectedWrite.artifact_kind, expectedWrite.role, contentTypeForScaffoldPath(expectedWrite.path, expectedWrite.artifact_kind), `${expectedWrite.reason} (Profile overlay for ${apiProfile}.)`, apiProfile));
+    return [...baselineArtifacts, ...profileOverlayArtifacts];
 }
-function artifact(artifactPath, layer, contentType, reason) {
-    return {
+function contentTypeForScaffoldPath(artifactPath, artifactKind) {
+    if (artifactPath.endsWith('.ts')) {
+        return 'text/typescript';
+    }
+    if (artifactPath.endsWith('.json')) {
+        return 'application/json';
+    }
+    if (artifactPath.endsWith('.md')) {
+        return 'text/markdown';
+    }
+    if (artifactPath.endsWith('.yaml') || artifactPath.endsWith('.yml')) {
+        return 'text/yaml';
+    }
+    if (artifactKind === 'documentation') {
+        return 'text/markdown';
+    }
+    return 'text/plain';
+}
+function artifact(artifactPath, layer, artifactKind, role, contentType, reason, apiProfile) {
+    const mapEntry = {
         path: artifactPath,
         layer,
         operation: 'planned',
+        artifact_kind: artifactKind,
+        role,
         content_type: contentType,
         reason,
+        language: contentType.includes('typescript') || contentType.includes('javascript') ? 'typescript' : undefined,
+        implementation: role === 'interface' || role === 'repository-port' ? 'contract' : 'generated',
+        decision_refs: ['EPIC-0075'],
+        source_refs: [`${DEVTRACK_API_REFERENCE_ROOT}/${artifactPath}`],
+        tags: ['devtrack-api', 'foundation-api', 'codesdd-api-profile', apiProfile],
+        metadata: {},
+    };
+    return {
+        ...mapEntry,
         source_reference: `${DEVTRACK_API_REFERENCE_ROOT}/${artifactPath}`,
+        decision_refs: mapEntry.decision_refs,
+        tags: mapEntry.tags,
     };
 }
 function normalizePackageName(value) {
@@ -254,4 +378,7 @@ function normalizePackageName(value) {
     }
     return normalized;
 }
+function unique(values) {
+    return [...new Set(values)];
+}
 //# sourceMappingURL=devtrack-api-appliance.js.map

package/dist/core/sdd/devtrack-api-architecture.d.ts

@@ -24,6 +24,22 @@ export interface DevTrackApiArchitectureValidationResult {
     architecture_schema: QualityArchitectureSchema;
     import_graph: QualityImportGraph;
     findings: DevTrackApiArchitectureFinding[];
+    drift_signals: DevTrackApiDriftSignal[];
+    profile_outcomes: DevTrackApiProfileOutcome[];
+}
+export type DevTrackApiDriftClass = 'CVD-01' | 'CVD-02' | 'CVD-03' | 'CVD-04' | 'CVD-05' | 'CVD-06' | 'CVD-07' | 'CVD-08' | 'CVD-09' | 'WCA-01' | 'WCA-02' | 'WCA-03';
+export interface DevTrackApiDriftSignal {
+    drift_class: DevTrackApiDriftClass;
+    observed: string;
+    mapped_rules: string[];
+    finding_codes: DevTrackApiArchitectureIssueCode[];
+}
+export interface DevTrackApiProfileOutcome {
+    profile: 'prototype' | 'foundation-compatible' | 'enterprise-strict';
+    status: 'passed' | 'warning' | 'blocked';
+    blocking_rules: string[];
+    blocking_drift_classes: DevTrackApiDriftClass[];
+    exception_candidate_rules: string[];
 }
 export declare function buildDevTrackApiArchitectureSchema(): QualityArchitectureSchema;
 export declare function collectDevTrackApiImportGraph(input: CollectDevTrackApiImportGraphInput): Promise<QualityImportGraph>;

package/dist/core/sdd/devtrack-api-architecture.js

@@ -1,6 +1,8 @@
 import { promises as fs } from 'node:fs';
 import path from 'node:path';
+import { fileURLToPath } from 'node:url';
 import ts from 'typescript';
+import { parse as parseYaml } from 'yaml';
 import { parseQualityArchitectureSchema, } from './quality-validation.js';
 export const DEVTRACK_API_ARCHITECTURE_SCHEMA_ID = 'ARCH-GATE-devtrack-api-p0';
 const DEFAULT_SOURCE_ROOTS = ['src', 'prisma'];
@@ -17,6 +19,30 @@ const DEVTRACK_ALIAS_PREFIXES = [
     '@shared/',
     '@src/',
 ];
+const DEVTRACK_API_CONTRACT_PACK_PATH = fileURLToPath(new URL('../../../.sdd/skills/curated/devtrack-api/references/contract-pack.yaml', import.meta.url));
+const DRIFT_CLASS_TO_FINDING_CODES = {
+    'CVD-02': [
+        'ARCH_RELATIVE_IMPORT_FORBIDDEN',
+        'ARCH_APPLICATION_PRESENTATION_IMPORT',
+        'ARCH_APPLICATION_CONCRETE_INFRA_IMPORT',
+        'ARCH_PRESENTATION_INFRA_IMPORT',
+        'ARCH_TYPEORM_IMPORT_OUTSIDE_INFRASTRUCTURE',
+        'ARCH_TYPEORM_ENTITY_PATH_INVALID',
+        'ARCH_TYPEORM_ENTITY_SUFFIX_INVALID',
+        'ARCH_TYPEORM_REPOSITORY_PATH_INVALID',
+        'ARCH_TYPEORM_REPOSITORY_SUFFIX_INVALID',
+        'ARCH_PRESENTATION_TRANSPORT_MISSING',
+        'ARCH_INFRASTRUCTURE_CONTEXT_PERSISTENCE_FORBIDDEN',
+    ],
+    'CVD-03': ['ARCH_TYPEORM_REPOSITORY_FAKE'],
+    'CVD-04': ['ARCH_PRESENTATION_COMPOSITION_ROOT', 'ARCH_AGGREGATE_MODULE_MISSING', 'ARCH_AGGREGATE_MODULE_NOT_NESTJS'],
+    'CVD-05': ['ARCH_PORT_MISSING_SYMBOL', 'ARCH_PORT_GROUPED_UNRELATED'],
+    'CVD-06': ['ARCH_BO_MISSING_METHODS', 'ARCH_VO_MISSING_METHODS'],
+    'CVD-07': ['ARCH_MISSING_DATASOURCE', 'ARCH_MISSING_MIGRATIONS', 'ARCH_MISSING_TYPEORM_MODULE_FORFEATURE'],
+    'CVD-09': ['ARCH_DOMAIN_REPOSITORY_PORT_CONTEXT_FORBIDDEN'],
+    'WCA-02': ['ARCH_RELATIVE_IMPORT_FORBIDDEN'],
+    'WCA-03': ['ARCH_TYPEORM_REPOSITORY_FAKE', 'ARCH_MISSING_TYPEORM_MODULE_FORFEATURE'],
+};
 export function buildDevTrackApiArchitectureSchema() {
     return parseQualityArchitectureSchema({
         schema_version: 1,
@@ -157,13 +183,73 @@ export async function validateDevTrackApiArchitecture(input) {
     detectMissingAggregateModules(files, fileContents, findings);
     detectMissingRuntimePersistence(files, fileContents, findings);
     const dedupedFindings = dedupeFindings(findings);
+    const contractPack = await loadDevTrackApiContractPack();
+    const driftSignals = mapFindingsToDriftSignals(dedupedFindings, contractPack);
+    const profileOutcomes = buildProfileOutcomes(driftSignals, contractPack);
     return {
         status: dedupedFindings.length > 0 ? 'warning' : 'passed',
         architecture_schema: buildDevTrackApiArchitectureSchema(),
         import_graph: importGraph,
         findings: dedupedFindings,
+        drift_signals: driftSignals,
+        profile_outcomes: profileOutcomes,
     };
 }
+async function loadDevTrackApiContractPack() {
+    const raw = await fs.readFile(DEVTRACK_API_CONTRACT_PACK_PATH, 'utf-8');
+    return parseYaml(raw);
+}
+function mapFindingsToDriftSignals(findings, contractPack) {
+    const findingCodes = new Set(findings.map((finding) => finding.code));
+    const driftSignals = [];
+    for (const [driftClass, mappedFindingCodes] of Object.entries(DRIFT_CLASS_TO_FINDING_CODES)) {
+        const matchedCodes = mappedFindingCodes.filter((code) => findingCodes.has(code));
+        if (matchedCodes.length === 0)
+            continue;
+        const mapping = contractPack.codesdd_validate_drift_map[driftClass] ?? contractPack.field_evidence_drift_map[driftClass];
+        driftSignals.push({
+            drift_class: driftClass,
+            observed: mapping?.observed ?? 'Observed semantic drift mapped from validator findings.',
+            mapped_rules: [...new Set(mapping?.mapped_rules ?? [])],
+            finding_codes: matchedCodes,
+        });
+    }
+    return driftSignals.sort((left, right) => left.drift_class.localeCompare(right.drift_class));
+}
+function buildProfileOutcomes(driftSignals, contractPack) {
+    const ruleSeverity = new Map(contractPack.rules.map((rule) => [rule.id, rule.severity]));
+    const ruleIds = [...new Set(driftSignals.flatMap((signal) => signal.mapped_rules))];
+    const p0Rules = ruleIds.filter((ruleId) => ruleSeverity.get(ruleId) === 'P0');
+    const p1Rules = ruleIds.filter((ruleId) => ruleSeverity.get(ruleId) === 'P1');
+    const p2Rules = ruleIds.filter((ruleId) => ruleSeverity.get(ruleId) === 'P2');
+    return [
+        {
+            profile: 'prototype',
+            status: driftSignals.length > 0 ? 'warning' : 'passed',
+            blocking_rules: [],
+            blocking_drift_classes: [],
+            exception_candidate_rules: [],
+        },
+        {
+            profile: 'foundation-compatible',
+            status: p0Rules.length > 0 ? 'blocked' : driftSignals.length > 0 ? 'warning' : 'passed',
+            blocking_rules: p0Rules,
+            blocking_drift_classes: driftSignals
+                .filter((signal) => signal.mapped_rules.some((ruleId) => p0Rules.includes(ruleId)))
+                .map((signal) => signal.drift_class),
+            exception_candidate_rules: [...new Set([...p1Rules, ...p2Rules])],
+        },
+        {
+            profile: 'enterprise-strict',
+            status: p0Rules.length > 0 || p1Rules.length > 0 ? 'blocked' : driftSignals.length > 0 ? 'warning' : 'passed',
+            blocking_rules: [...new Set([...p0Rules, ...p1Rules])],
+            blocking_drift_classes: driftSignals
+                .filter((signal) => signal.mapped_rules.some((ruleId) => p0Rules.includes(ruleId) || p1Rules.includes(ruleId)))
+                .map((signal) => signal.drift_class),
+            exception_candidate_rules: p2Rules,
+        },
+    ];
+}
 function finding(code, filePath, importSpecifier, message, remediation) {
     return {
         code,

package/dist/core/sdd/docs-sync.js

@@ -31,6 +31,16 @@ function upsertMarkedBlock(source, startMarker, endMarker, blockContent) {
     const next = `${prefix}${replacement}\n`;
     return { content: next, changed: true, hasMarkers: false };
 }
+function validateManagedBlock(source, startMarker, endMarker, expectedBlock, label, missingBlocks) {
+    if (!source.includes(startMarker) || !source.includes(endMarker)) {
+        missingBlocks.push(label);
+        return;
+    }
+    const expected = upsertMarkedBlock(source, startMarker, endMarker, expectedBlock);
+    if (expected.changed) {
+        missingBlocks.push(`${label}:DRIFT`);
+    }
+}
 function buildReadmeBlock(memoryDir, config) {
     return `## Onboarding SDD
 
@@ -41,7 +51,9 @@ Operational authority:
 
 Initial operational directives:
 - CodeSDD is the official planner for any build request; other planners or agent-native plans are secondary execution aids only.
-- For API/backend work, use \`devtrack-api\` by default unless the user or SDD context explicitly selects another skill/profile; Python/Flask API work stays routed to \`api-clean-flask-langgraph\`.
+- In initialized CodeSDD repositories, any user request that implies implementation, file edits, validation, execution, or finalize must be treated as requiring CodeSDD planning unless the user explicitly marks it as read-only or outside CodeSDD.
+- For change requests, agents must bind the work to an active or ready FEAT through \`${CLI_NAME} sdd next\` and \`${CLI_NAME} sdd context <FEAT-ID>\` before implementation; agent-native plans may only decompose execution after that CodeSDD context exists.
+- For API/backend work, select a CodeSDD API profile (\`minimal-rest\`, \`rest-auth-rbac\`, \`rest-crud-typeorm\`, \`evented-api\`, \`ai-agent-api\`, or \`full-foundation-compatible\`); \`devtrack-api\` remains the compatibility skill/alias and Python/Flask API work stays routed to \`api-clean-flask-langgraph\`.
 - During init, onboard, insight, and debate flows, CodeSDD-managed agent instruction blocks must be inspected and reconfigured when they drift from this contract.
 - Commit requests must follow Conventional Commits, selective staging, and grouping by modified directory plus change protocol (\`src\`, \`${memoryDir}\`, docs, config, infra, dependencies, or generated files).
 
@@ -102,7 +114,9 @@ Operational exclusivity:
 
 Initial directives:
 - CodeSDD is the official planner for requested work; model-native plans and other planning tools are subordinate to CodeSDD artifacts.
-- API/backend work uses \`devtrack-api\` by default unless an explicit skill/profile says otherwise; Python/Flask API work uses \`api-clean-flask-langgraph\`.
+- In initialized CodeSDD repositories, implementation, edit, validation, execution, and finalize requests implicitly require CodeSDD planning unless the user explicitly marks the request as read-only or outside CodeSDD.
+- A change request must use the active or ready FEAT returned by \`${CLI_NAME} sdd next\` and must load \`${CLI_NAME} sdd context <FEAT-ID>\` before coding; model-native plans may only refine execution after that context exists.
+- API/backend work selects a CodeSDD API profile (\`minimal-rest\`, \`rest-auth-rbac\`, \`rest-crud-typeorm\`, \`evented-api\`, \`ai-agent-api\`, or \`full-foundation-compatible\`); \`devtrack-api\` remains the compatibility skill/alias, and Python/Flask API work uses \`api-clean-flask-langgraph\`.
 - CodeSDD-managed blocks in \`AGENTS.md\`, \`AGENT.md\`, \`CLAUDE.md\`, \`GEMINI.md\`, \`.codex\`, \`.opencode\`, \`.ai\`, \`.cloud\`, or equivalent agent files must be inspected and normalized during init/onboard/insight/debate when CodeSDD owns project governance.
 - Commits must use Conventional Commits, selective staging, and grouping by modified directory plus protocol: source, \`${memoryDir}\`, docs, config, infra, dependencies, generated files, renames, or deletions.`;
 }
@@ -134,7 +148,9 @@ Do not use external context, memory, workflow, backlog, scratchpad, or handoff t
 
 Initial directives:
 - CodeSDD is the official planner. Other planning systems may assist execution only after CodeSDD context exists.
-- API/backend work defaults to \`devtrack-api\` unless an explicit skill/profile overrides it; Python/Flask API work remains a documented exception routed to \`api-clean-flask-langgraph\`.
+- In initialized CodeSDD repositories, implementation, edit, validation, execution, and finalize requests implicitly require CodeSDD planning unless the user explicitly marks the request as read-only or outside CodeSDD.
+- Agents must bind each change request to the active or ready FEAT returned by \`${CLI_NAME} sdd next\` and load \`${CLI_NAME} sdd context <FEAT-ID>\` before coding.
+- API/backend work selects a CodeSDD API profile (\`minimal-rest\`, \`rest-auth-rbac\`, \`rest-crud-typeorm\`, \`evented-api\`, \`ai-agent-api\`, or \`full-foundation-compatible\`); \`devtrack-api\` remains the compatibility skill/alias, and Python/Flask API work remains a documented exception routed to \`api-clean-flask-langgraph\`.
 - CodeSDD lifecycle entrypoints must inspect and normalize CodeSDD-managed agent instruction blocks in root and tool-specific agent files.
 - Commit work must use Conventional Commits, selective staging, and directory/protocol grouping. Source changes, \`${memoryDir}\` governance, docs, config, infra, dependencies, generated files, renames, and deletions should be staged and committed separately unless indivisible.`;
 }
@@ -225,11 +241,9 @@ export async function validateSddGuideDocs(projectRoot, paths, config) {
     const agentCompatRaw = (await fileExists(agentCompatPath))
         ? await fs.readFile(agentCompatPath, 'utf-8')
         : '';
-    if (!readmeRaw.includes(README_SDD_BLOCK_START) || !readmeRaw.includes(README_SDD_BLOCK_END)) {
-        missingBlocks.push('README.md::SDD:ONBOARDING');
-    }
+    validateManagedBlock(readmeRaw, README_SDD_BLOCK_START, README_SDD_BLOCK_END, buildReadmeBlock(memoryDirName, config), 'README.md::SDD:ONBOARDING', missingBlocks);
     if (internalReadmeRaw !==
-        buildSddInternalReadme(path.relative(projectRoot, paths.memoryRoot) || '.sdd', {
+        buildSddInternalReadme(memoryDirName, {
             discovery: config?.folders.discovery,
             planning: config?.folders.planning,
             skills: config?.folders.skills,
@@ -240,17 +254,9 @@ export async function validateSddGuideDocs(projectRoot, paths, config) {
         })) {
         missingBlocks.push(`${memoryDirName}/README.md::SDD:INTERNAL`);
     }
-    if (!agentRaw.includes(AGENT_SDD_BLOCK_START) || !agentRaw.includes(AGENT_SDD_BLOCK_END)) {
-        missingBlocks.push(`${memoryDirName}/AGENT.md::SDD:GUIA`);
-    }
-    if (!agentsRaw.includes(ROOT_AGENTS_SDD_BLOCK_START) ||
-        !agentsRaw.includes(ROOT_AGENTS_SDD_BLOCK_END)) {
-        missingBlocks.push('AGENTS.md::SDD:ROOT-AGENTS');
-    }
-    if (!agentCompatRaw.includes(ROOT_AGENTS_SDD_BLOCK_START) ||
-        !agentCompatRaw.includes(ROOT_AGENTS_SDD_BLOCK_END)) {
-        missingBlocks.push('AGENT.md::SDD:ROOT-AGENTS');
-    }
+    validateManagedBlock(agentRaw, AGENT_SDD_BLOCK_START, AGENT_SDD_BLOCK_END, buildAgentGuideBlock(memoryDirName, config), `${memoryDirName}/AGENT.md::SDD:GUIA`, missingBlocks);
+    validateManagedBlock(agentsRaw, ROOT_AGENTS_SDD_BLOCK_START, ROOT_AGENTS_SDD_BLOCK_END, buildRootAgentsBlock(memoryDirName), 'AGENTS.md::SDD:ROOT-AGENTS', missingBlocks);
+    validateManagedBlock(agentCompatRaw, ROOT_AGENTS_SDD_BLOCK_START, ROOT_AGENTS_SDD_BLOCK_END, buildRootAgentsBlock(memoryDirName), 'AGENT.md::SDD:ROOT-AGENTS', missingBlocks);
     return {
         documentationSync: missingBlocks.length === 0,
         missingBlocks,

package/dist/core/sdd/domain/capability-diff.d.ts

@@ -0,0 +1,63 @@
+import type { ChangeSafetyEvaluation, PlannedFileChange } from './change-safety-guardrails.js';
+export declare const CAPABILITY_KINDS: readonly ["route", "page", "cli_command", "public_contract", "schema", "event", "core_flow", "governance_state"];
+export declare const CAPABILITY_CHANGE_TYPES: readonly ["added", "removed", "modified", "unchanged"];
+export declare const CAPABILITY_RISK_LEVELS: readonly ["none", "low", "medium", "high", "critical"];
+export type CapabilityKind = (typeof CAPABILITY_KINDS)[number];
+export type CapabilityChangeType = (typeof CAPABILITY_CHANGE_TYPES)[number];
+export type CapabilityRiskLevel = (typeof CAPABILITY_RISK_LEVELS)[number];
+export interface CapabilityInventoryItem {
+    kind: CapabilityKind;
+    id: string;
+    path?: string;
+    fingerprint?: string;
+    metadata?: Record<string, unknown>;
+}
+export interface CapabilityInventory {
+    schema_version: 1;
+    contract: 'capability-inventory/v1';
+    items: CapabilityInventoryItem[];
+}
+export interface CapabilityDiffEntry {
+    kind: CapabilityKind;
+    id: string;
+    change: CapabilityChangeType;
+    before?: CapabilityInventoryItem;
+    after?: CapabilityInventoryItem;
+}
+export interface CapabilityDiffCounts {
+    added: number;
+    removed: number;
+    modified: number;
+    unchanged: number;
+}
+export interface CapabilityDiffReport {
+    schema_version: 1;
+    contract: 'capability-diff-report/v1';
+    entries: CapabilityDiffEntry[];
+    counts: CapabilityDiffCounts;
+}
+export interface CapabilityRiskSignal {
+    code: string;
+    level: Exclude<CapabilityRiskLevel, 'none'>;
+    message: string;
+    capability_ref?: string;
+    path?: string;
+}
+export interface CapabilityRiskReport {
+    schema_version: 1;
+    contract: 'deterministic-capability-risk/v1';
+    level: CapabilityRiskLevel;
+    score: number;
+    signals: CapabilityRiskSignal[];
+}
+export interface CapabilityRiskInput {
+    diff: CapabilityDiffReport;
+    change_safety?: ChangeSafetyEvaluation;
+    planned_changes?: PlannedFileChange[];
+    required_kinds?: CapabilityKind[];
+}
+export declare function buildCapabilityInventory(items: CapabilityInventoryItem[]): CapabilityInventory;
+export declare function diffCapabilityInventories(before: CapabilityInventory, after: CapabilityInventory): CapabilityDiffReport;
+export declare function scoreCapabilityDiffRisk(input: CapabilityRiskInput): CapabilityRiskReport;
+export declare function capabilityKey(item: Pick<CapabilityInventoryItem, 'kind' | 'id'>): string;
+//# sourceMappingURL=capability-diff.d.ts.map