@devtrack-solution/codesdd 1.2.4-rc3 → 1.2.4

package/dist/core/sdd/devtrack-api-appliance.js

@@ -1,6 +1,10 @@
 import { buildPluginRuntimeInvocationPlan, pluginArtifactManifestSchema, } from './plugin-broker.js';
 import { pluginManifestSchema } from './plugin-manifest.js';
 import { createPluginRegistryState } from './plugin-registry.js';
+import { DEFAULT_CODESDD_API_PROFILE_ID, resolveCodeSddApiProfile, } from './api-profile-catalog.js';
+import { CODESDD_API_FOUNDATION_SHARED_BASELINE, CODESDD_API_SHARED_BASELINE_QUALITY_GATES, CODESDD_API_SHARED_BASELINE_REQUIREMENTS, getCodeSddApiSharedBaselineRequirements, } from './api-foundation-baseline.js';
+import { CODESDD_FULL_FOUNDATION_COMPATIBLE_PROFILE_ID, CODESDD_FULL_FOUNDATION_PARITY_DIMENSIONS, CODESDD_FULL_FOUNDATION_PARITY_MATRIX, CODESDD_FULL_FOUNDATION_PARITY_QUALITY_GATES, getCodeSddFullFoundationParityMatrix, } from './api-foundation-parity.js';
+import { buildCodeSddApiProfileDryRunProjection, getCodeSddApiProfileDryRunExpectation, } from './api-profile-dry-run-projection.js';
 export const DEVTRACK_API_APPLIANCE_PLUGIN_ID = 'codesdd-plugin-devtrack-api';
 export const DEVTRACK_API_APPLIANCE_CAPABILITIES = [
     'scaffold.project',
@@ -17,10 +21,12 @@ const DEVTRACK_API_SCAFFOLD_WRITE_SCOPE = [
     'src',
     'tests',
     'docs',
+    '.env.example',
     'package.json',
     'tsconfig.json',
     'nest-cli.json',
     'eslint.config.mjs',
+    '.sdd/plugin-evidence',
 ];
 export function evaluateDevTrackApiApplianceConformance(manifest) {
     const parsed = pluginManifestSchema.parse(manifest);
@@ -52,6 +58,9 @@ export function buildDevTrackApiScaffoldDryRunPlan(manifest, input) {
     const parsed = pluginManifestSchema.parse(manifest);
     const createdAt = input.created_at ?? new Date().toISOString();
     const packageName = normalizePackageName(input.package_name ?? input.project_name);
+    const apiProfile = resolveCodeSddApiProfile(input.api_profile, {
+        defaultProfile: DEFAULT_CODESDD_API_PROFILE_ID,
+    });
     const conformance = evaluateDevTrackApiApplianceConformance(parsed);
     if (!conformance.valid) {
         return {
@@ -64,8 +73,8 @@ export function buildDevTrackApiScaffoldDryRunPlan(manifest, input) {
             issues: conformance.issues,
         };
     }
-    const artifacts = buildScaffoldArtifacts();
-    const runtimePlan = buildRuntimePlan(parsed, input, packageName, createdAt, artifacts);
+    const artifacts = buildScaffoldArtifacts(apiProfile.profile_id);
+    const runtimePlan = buildRuntimePlan(parsed, input, packageName, createdAt, artifacts, apiProfile);
     if (runtimePlan.status !== 'ready' || !runtimePlan.envelope) {
         return {
             schema_version: 1,
@@ -89,6 +98,7 @@ export function buildDevTrackApiScaffoldDryRunPlan(manifest, input) {
         status: 'planned',
         created_at: createdAt,
         operation_id: operationId,
+        api_profile: apiProfile,
         project_name: input.project_name,
         package_name: packageName,
         runtime_plan: runtimePlan,
@@ -129,6 +139,9 @@ export function buildDevTrackApiScaffoldDryRunPlan(manifest, input) {
             projectName: input.project_name,
             packageName,
             validationCommands: parsed.validation.commands,
+            apiProfile,
+            expectedWriteScope: runtimePlan.envelope.write_scope,
+            artifacts,
         }),
         issues: [],
     };
@@ -146,7 +159,7 @@ function collectIdentityIssues(manifest) {
     }
     return issues;
 }
-function buildRuntimePlan(manifest, input, packageName, createdAt, artifacts) {
+function buildRuntimePlan(manifest, input, packageName, createdAt, artifacts, apiProfile) {
     const registry = createPluginRegistryState([
         {
             manifest,
@@ -161,10 +174,12 @@ function buildRuntimePlan(manifest, input, packageName, createdAt, artifacts) {
     return buildPluginRuntimeInvocationPlan(registry, {
         feature_ref: input.feature_ref,
         capability: DEVTRACK_API_SCAFFOLD_CAPABILITY,
-        skill_ref: 'devtrack-api',
+        skill_ref: apiProfile.profile_id,
         inputs: {
             project_name: input.project_name,
             package_name: packageName,
+            api_profile: apiProfile.profile_id,
+            api_profile_family: apiProfile.family_id,
             persistence: {
                 provider: 'typeorm',
             },
@@ -187,6 +202,35 @@ function buildRuntimePlan(manifest, input, packageName, createdAt, artifacts) {
     });
 }
 function buildEvidenceManifest(input) {
+    const sharedBaselineRequirements = getCodeSddApiSharedBaselineRequirements();
+    const fullFoundationCompatibility = input.apiProfile.profile_id === CODESDD_FULL_FOUNDATION_COMPATIBLE_PROFILE_ID
+        ? {
+            id: CODESDD_FULL_FOUNDATION_PARITY_MATRIX.id,
+            version: CODESDD_FULL_FOUNDATION_PARITY_MATRIX.version,
+            profile_id: CODESDD_FULL_FOUNDATION_COMPATIBLE_PROFILE_ID,
+            source: CODESDD_FULL_FOUNDATION_PARITY_MATRIX.foundation_reference,
+            dimension_ids: CODESDD_FULL_FOUNDATION_PARITY_DIMENSIONS,
+            quality_gates: CODESDD_FULL_FOUNDATION_PARITY_QUALITY_GATES,
+            dimensions: getCodeSddFullFoundationParityMatrix().map((dimension) => ({
+                ...dimension,
+                status: 'pending',
+            })),
+        }
+        : undefined;
+    const profileProjection = buildCodeSddApiProfileDryRunProjection({
+        apiProfile: input.apiProfile,
+        expectedWriteScope: input.expectedWriteScope,
+        artifactMapRefs: input.artifacts.map((artifactEntry) => ({
+            path: artifactEntry.path,
+            layer: artifactEntry.layer,
+            artifact_kind: artifactEntry.artifact_kind,
+            role: artifactEntry.role,
+            content_type: artifactEntry.content_type,
+            source_reference: artifactEntry.source_reference,
+            tags: artifactEntry.tags,
+        })),
+        validationCommands: input.validationCommands,
+    });
     return {
         schema_version: 1,
         operation_id: input.operationId,
@@ -207,43 +251,100 @@ function buildEvidenceManifest(input) {
             command,
             status: 'pending',
         })),
-        quality_gates: [
-            'typeorm-only-persistence',
+        quality_gates: unique([
+            ...profileProjection.expected_quality_gates,
             'no-secret-fixtures',
             'no-out-of-root-writes',
             'artifact-manifest-required',
             'evidence-manifest-required',
-        ],
+        ]),
+        api_profile: {
+            family_id: input.apiProfile.family_id,
+            selected_profile: input.apiProfile.profile_id,
+            requested_profile: input.apiProfile.input,
+            legacy_alias: input.apiProfile.legacy_alias,
+            migration_notice: input.apiProfile.migration_notice,
+            inherited_baseline: CODESDD_API_SHARED_BASELINE_REQUIREMENTS,
+        },
+        profile_projection: profileProjection,
+        foundation_baseline: {
+            id: CODESDD_API_FOUNDATION_SHARED_BASELINE.id,
+            version: CODESDD_API_FOUNDATION_SHARED_BASELINE.version,
+            source: CODESDD_API_FOUNDATION_SHARED_BASELINE.foundation_reference,
+            requirement_ids: CODESDD_API_SHARED_BASELINE_REQUIREMENTS,
+            quality_gates: CODESDD_API_SHARED_BASELINE_QUALITY_GATES,
+            requirements: sharedBaselineRequirements,
+        },
+        ...(fullFoundationCompatibility
+            ? {
+                full_foundation_compatibility: fullFoundationCompatibility,
+            }
+            : {}),
     };
 }
-function buildScaffoldArtifacts() {
-    return [
-        artifact('package.json', 'root', 'package-metadata', 'manifest', 'application/json', 'Foundation-compatible package metadata, scripts, and dependencies.'),
-        artifact('tsconfig.json', 'config', 'configuration', 'manifest', 'application/json', 'TypeScript path aliases and compiler settings aligned to Foundation API.'),
-        artifact('nest-cli.json', 'config', 'configuration', 'manifest', 'application/json', 'Nest CLI configuration with Swagger plugin support.'),
-        artifact('eslint.config.mjs', 'config', 'configuration', 'policy', 'text/javascript', 'Foundation-compatible lint rules and import-boundary checks.'),
-        artifact('docs/foundation-backend-reference-structure.md', 'docs', 'documentation', 'documentation', 'text/markdown', 'Derived Foundation package structure reference for maintainers.'),
-        artifact('src/main.ts', 'root', 'source', 'implementation', 'text/typescript', 'NestJS bootstrap entrypoint.'),
-        artifact('src/app.module.ts', 'root', 'source', 'module', 'text/typescript', 'Root module composing application, infrastructure, and presentation layers.'),
-        artifact('src/application/application.module.ts', 'application', 'source', 'module', 'text/typescript', 'Application layer module boundary.'),
-        artifact('src/application/runtime-settings.ts', 'application', 'source', 'type', 'text/typescript', 'Application runtime settings boundary.'),
-        artifact('src/domain/auth/business-objects/api-keys.bo.ts', 'domain', 'source', 'business-object', 'text/typescript', 'Initial BO-pattern domain object example from Foundation API.'),
-        artifact('src/application/business/auth/ports/out/api-key-repository.port.ts', 'application', 'source', 'repository-port', 'text/typescript', 'BO-pattern repository port owned by application ports/out.'),
-        artifact('src/infrastructure/infrastructure.module.ts', 'infrastructure', 'source', 'module', 'text/typescript', 'Infrastructure layer module boundary.'),
-        artifact('src/infrastructure/settings/app-configuration.ts', 'infrastructure', 'source', 'implementation', 'text/typescript', 'Typed application configuration source.'),
-        artifact('src/infrastructure/adapters/orm/entities/api-key.orm-entity.ts', 'infrastructure', 'source', 'entity', 'text/typescript', 'TypeORM persistence entity kept in the centralized orm subsystem.'),
-        artifact('src/presentation/presentation.module.ts', 'presentation', 'source', 'module', 'text/typescript', 'Presentation layer module boundary.'),
-        artifact('src/presentation/rest/rest.presentation.module.ts', 'presentation', 'source', 'module', 'text/typescript', 'REST channel module boundary.'),
-        artifact('src/presentation/graphql/graphql.presentation.module.ts', 'presentation', 'source', 'module', 'text/typescript', 'GraphQL channel module boundary.'),
-        artifact('src/presentation/cli/cli.presentation.module.ts', 'presentation', 'source', 'module', 'text/typescript', 'CLI channel module boundary.'),
-        artifact('src/presentation/websocket/websocket.module.ts', 'presentation', 'source', 'module', 'text/typescript', 'WebSocket channel module boundary.'),
-        artifact('src/shared/domain/generic-business-object.ts', 'shared', 'source', 'abstraction', 'text/typescript', 'Shared domain primitive used by Foundation packages.'),
-        artifact('src/shared/presentation/generic-controller.ts', 'shared', 'source', 'abstraction', 'text/typescript', 'Shared presentation primitive used by REST controllers.'),
-        artifact('tests/app.e2e-spec.ts', 'tests', 'test', 'test', 'text/typescript', 'Initial E2E smoke test for the generated API scaffold.'),
-        artifact('tests/jest-e2e.json', 'tests', 'configuration', 'manifest', 'application/json', 'Jest E2E configuration for the scaffold.'),
+function buildScaffoldArtifacts(apiProfile) {
+    const baselineArtifacts = [
+        artifact('package.json', 'root', 'package-metadata', 'manifest', 'application/json', 'Foundation-compatible package metadata, scripts, and dependencies.', apiProfile),
+        artifact('.env.example', 'config', 'configuration', 'manifest', 'text/plain', 'Safe placeholder environment contract, including app, database, JWT, and Swagger server variables.', apiProfile),
+        artifact('tsconfig.json', 'config', 'configuration', 'manifest', 'application/json', 'TypeScript path aliases and compiler settings aligned to Foundation API.', apiProfile),
+        artifact('nest-cli.json', 'config', 'configuration', 'manifest', 'application/json', 'Nest CLI configuration with Swagger plugin support.', apiProfile),
+        artifact('eslint.config.mjs', 'config', 'configuration', 'policy', 'text/javascript', 'Foundation-compatible lint rules and import-boundary checks.', apiProfile),
+        artifact('docs/foundation-backend-reference-structure.md', 'docs', 'documentation', 'documentation', 'text/markdown', 'Derived Foundation package structure reference for maintainers.', apiProfile),
+        artifact('src/main.ts', 'root', 'source', 'implementation', 'text/typescript', 'NestJS bootstrap entrypoint with validation pipe and Swagger/OpenAPI /docs setup.', apiProfile),
+        artifact('src/app.module.ts', 'root', 'source', 'module', 'text/typescript', 'Root module composing application, infrastructure, and presentation layers.', apiProfile),
+        artifact('src/application/application.module.ts', 'application', 'source', 'module', 'text/typescript', 'Application layer module boundary.', apiProfile),
+        artifact('src/application/runtime-settings.ts', 'application', 'source', 'type', 'text/typescript', 'Application runtime settings boundary.', apiProfile),
+        artifact('src/domain/auth/business-objects/api-keys.bo.ts', 'domain', 'source', 'business-object', 'text/typescript', 'Initial BO-pattern domain object example from Foundation API.', apiProfile),
+        artifact('src/application/business/auth/ports/out/api-key-repository.port.ts', 'application', 'source', 'repository-port', 'text/typescript', 'BO-pattern repository port owned by application ports/out.', apiProfile),
+        artifact('src/application/business/auth/ports/in/register.use-case.port.ts', 'application', 'source', 'interface', 'text/typescript', 'Application input port for a user-facing auth route.', apiProfile),
+        artifact('src/application/business/auth/use-cases/register.use-case.ts', 'application', 'source', 'use-case', 'text/typescript', 'Application use case backing a user-facing route before presentation wiring.', apiProfile),
+        artifact('src/application/business/auth/auth.application.module.ts', 'application', 'source', 'module', 'text/typescript', 'Application auth module wiring input ports, use cases, services, and output ports.', apiProfile),
+        artifact('src/infrastructure/infrastructure.module.ts', 'infrastructure', 'source', 'module', 'text/typescript', 'Infrastructure layer module boundary.', apiProfile),
+        artifact('src/infrastructure/settings/app-configuration.ts', 'infrastructure', 'source', 'implementation', 'text/typescript', 'Typed application configuration source.', apiProfile),
+        artifact('src/infrastructure/adapters/orm/entities/api-key.orm-entity.ts', 'infrastructure', 'source', 'entity', 'text/typescript', 'TypeORM persistence entity kept in the centralized orm subsystem.', apiProfile),
+        artifact('src/presentation/presentation.module.ts', 'presentation', 'source', 'module', 'text/typescript', 'Presentation layer module boundary.', apiProfile),
+        artifact('src/presentation/rest/rest.presentation.module.ts', 'presentation', 'source', 'module', 'text/typescript', 'REST channel module boundary.', apiProfile),
+        artifact('src/presentation/rest/auth/auth.module.ts', 'presentation', 'source', 'module', 'text/typescript', 'REST auth module registering controllers, guards, and decorators.', apiProfile),
+        artifact('src/presentation/rest/auth/controllers/register.controller.ts', 'presentation', 'source', 'controller', 'text/typescript', 'Swagger-documented REST controller that injects an application input port.', apiProfile),
+        artifact('src/presentation/rest/auth/dtos/register-input.dto.ts', 'presentation', 'source', 'dto', 'text/typescript', 'Swagger-documented REST input DTO for a user-facing route.', apiProfile),
+        artifact('src/presentation/rest/auth/dtos/auth-session-output.dto.ts', 'presentation', 'source', 'dto', 'text/typescript', 'Swagger-documented REST output DTO for session responses.', apiProfile),
+        artifact('src/presentation/rest/auth/guards/jwt-auth.guard.ts', 'presentation', 'source', 'implementation', 'text/typescript', 'REST route guard baseline for protected bearer routes.', apiProfile),
+        artifact('src/presentation/rest/auth/guards/permission.guard.ts', 'presentation', 'source', 'implementation', 'text/typescript', 'REST authorization guard baseline for permission-protected routes.', apiProfile),
+        artifact('src/presentation/rest/auth/decorators/permission.decorator.ts', 'presentation', 'source', 'policy', 'text/typescript', 'REST authorization decorator baseline for permission metadata.', apiProfile),
+        artifact('src/presentation/dtos/api-error-response.dto.ts', 'presentation', 'source', 'dto', 'text/typescript', 'Swagger-documented error response DTO for controller response metadata.', apiProfile),
+        artifact('src/presentation/graphql/graphql.presentation.module.ts', 'presentation', 'source', 'module', 'text/typescript', 'GraphQL channel module boundary.', apiProfile),
+        artifact('src/presentation/cli/cli.presentation.module.ts', 'presentation', 'source', 'module', 'text/typescript', 'CLI channel module boundary.', apiProfile),
+        artifact('src/presentation/websocket/websocket.module.ts', 'presentation', 'source', 'module', 'text/typescript', 'WebSocket channel module boundary.', apiProfile),
+        artifact('src/shared/domain/generic-business-object.ts', 'shared', 'source', 'abstraction', 'text/typescript', 'Shared domain primitive used by Foundation packages.', apiProfile),
+        artifact('src/shared/presentation/generic-controller.ts', 'shared', 'source', 'abstraction', 'text/typescript', 'Shared presentation primitive used by REST controllers.', apiProfile),
+        artifact('tests/app.e2e-spec.ts', 'tests', 'test', 'test', 'text/typescript', 'Initial E2E smoke test for the generated API scaffold.', apiProfile),
+        artifact('tests/jest-e2e.json', 'tests', 'configuration', 'manifest', 'application/json', 'Jest E2E configuration for the scaffold.', apiProfile),
     ];
+    const plannedPaths = new Set(baselineArtifacts.map((entry) => entry.path));
+    const profileOverlayArtifacts = getCodeSddApiProfileDryRunExpectation(apiProfile).expected_writes
+        .filter((expectedWrite) => !plannedPaths.has(expectedWrite.path))
+        .map((expectedWrite) => artifact(expectedWrite.path, expectedWrite.layer, expectedWrite.artifact_kind, expectedWrite.role, contentTypeForScaffoldPath(expectedWrite.path, expectedWrite.artifact_kind), `${expectedWrite.reason} (Profile overlay for ${apiProfile}.)`, apiProfile));
+    return [...baselineArtifacts, ...profileOverlayArtifacts];
 }
-function artifact(artifactPath, layer, artifactKind, role, contentType, reason) {
+function contentTypeForScaffoldPath(artifactPath, artifactKind) {
+    if (artifactPath.endsWith('.ts')) {
+        return 'text/typescript';
+    }
+    if (artifactPath.endsWith('.json')) {
+        return 'application/json';
+    }
+    if (artifactPath.endsWith('.md')) {
+        return 'text/markdown';
+    }
+    if (artifactPath.endsWith('.yaml') || artifactPath.endsWith('.yml')) {
+        return 'text/yaml';
+    }
+    if (artifactKind === 'documentation') {
+        return 'text/markdown';
+    }
+    return 'text/plain';
+}
+function artifact(artifactPath, layer, artifactKind, role, contentType, reason, apiProfile) {
     const mapEntry = {
         path: artifactPath,
         layer,
@@ -256,7 +357,7 @@ function artifact(artifactPath, layer, artifactKind, role, contentType, reason)
         implementation: role === 'interface' || role === 'repository-port' ? 'contract' : 'generated',
         decision_refs: ['EPIC-0075'],
         source_refs: [`${DEVTRACK_API_REFERENCE_ROOT}/${artifactPath}`],
-        tags: ['devtrack-api', 'foundation-api'],
+        tags: ['devtrack-api', 'foundation-api', 'codesdd-api-profile', apiProfile],
         metadata: {},
     };
     return {
@@ -277,4 +378,7 @@ function normalizePackageName(value) {
     }
     return normalized;
 }
+function unique(values) {
+    return [...new Set(values)];
+}
 //# sourceMappingURL=devtrack-api-appliance.js.map

package/dist/core/sdd/devtrack-api-architecture.d.ts

@@ -24,6 +24,22 @@ export interface DevTrackApiArchitectureValidationResult {
     architecture_schema: QualityArchitectureSchema;
     import_graph: QualityImportGraph;
     findings: DevTrackApiArchitectureFinding[];
+    drift_signals: DevTrackApiDriftSignal[];
+    profile_outcomes: DevTrackApiProfileOutcome[];
+}
+export type DevTrackApiDriftClass = 'CVD-01' | 'CVD-02' | 'CVD-03' | 'CVD-04' | 'CVD-05' | 'CVD-06' | 'CVD-07' | 'CVD-08' | 'CVD-09' | 'WCA-01' | 'WCA-02' | 'WCA-03';
+export interface DevTrackApiDriftSignal {
+    drift_class: DevTrackApiDriftClass;
+    observed: string;
+    mapped_rules: string[];
+    finding_codes: DevTrackApiArchitectureIssueCode[];
+}
+export interface DevTrackApiProfileOutcome {
+    profile: 'prototype' | 'foundation-compatible' | 'enterprise-strict';
+    status: 'passed' | 'warning' | 'blocked';
+    blocking_rules: string[];
+    blocking_drift_classes: DevTrackApiDriftClass[];
+    exception_candidate_rules: string[];
 }
 export declare function buildDevTrackApiArchitectureSchema(): QualityArchitectureSchema;
 export declare function collectDevTrackApiImportGraph(input: CollectDevTrackApiImportGraphInput): Promise<QualityImportGraph>;

package/dist/core/sdd/devtrack-api-architecture.js

@@ -1,6 +1,8 @@
 import { promises as fs } from 'node:fs';
 import path from 'node:path';
+import { fileURLToPath } from 'node:url';
 import ts from 'typescript';
+import { parse as parseYaml } from 'yaml';
 import { parseQualityArchitectureSchema, } from './quality-validation.js';
 export const DEVTRACK_API_ARCHITECTURE_SCHEMA_ID = 'ARCH-GATE-devtrack-api-p0';
 const DEFAULT_SOURCE_ROOTS = ['src', 'prisma'];
@@ -17,6 +19,30 @@ const DEVTRACK_ALIAS_PREFIXES = [
     '@shared/',
     '@src/',
 ];
+const DEVTRACK_API_CONTRACT_PACK_PATH = fileURLToPath(new URL('../../../.sdd/skills/curated/devtrack-api/references/contract-pack.yaml', import.meta.url));
+const DRIFT_CLASS_TO_FINDING_CODES = {
+    'CVD-02': [
+        'ARCH_RELATIVE_IMPORT_FORBIDDEN',
+        'ARCH_APPLICATION_PRESENTATION_IMPORT',
+        'ARCH_APPLICATION_CONCRETE_INFRA_IMPORT',
+        'ARCH_PRESENTATION_INFRA_IMPORT',
+        'ARCH_TYPEORM_IMPORT_OUTSIDE_INFRASTRUCTURE',
+        'ARCH_TYPEORM_ENTITY_PATH_INVALID',
+        'ARCH_TYPEORM_ENTITY_SUFFIX_INVALID',
+        'ARCH_TYPEORM_REPOSITORY_PATH_INVALID',
+        'ARCH_TYPEORM_REPOSITORY_SUFFIX_INVALID',
+        'ARCH_PRESENTATION_TRANSPORT_MISSING',
+        'ARCH_INFRASTRUCTURE_CONTEXT_PERSISTENCE_FORBIDDEN',
+    ],
+    'CVD-03': ['ARCH_TYPEORM_REPOSITORY_FAKE'],
+    'CVD-04': ['ARCH_PRESENTATION_COMPOSITION_ROOT', 'ARCH_AGGREGATE_MODULE_MISSING', 'ARCH_AGGREGATE_MODULE_NOT_NESTJS'],
+    'CVD-05': ['ARCH_PORT_MISSING_SYMBOL', 'ARCH_PORT_GROUPED_UNRELATED'],
+    'CVD-06': ['ARCH_BO_MISSING_METHODS', 'ARCH_VO_MISSING_METHODS'],
+    'CVD-07': ['ARCH_MISSING_DATASOURCE', 'ARCH_MISSING_MIGRATIONS', 'ARCH_MISSING_TYPEORM_MODULE_FORFEATURE'],
+    'CVD-09': ['ARCH_DOMAIN_REPOSITORY_PORT_CONTEXT_FORBIDDEN'],
+    'WCA-02': ['ARCH_RELATIVE_IMPORT_FORBIDDEN'],
+    'WCA-03': ['ARCH_TYPEORM_REPOSITORY_FAKE', 'ARCH_MISSING_TYPEORM_MODULE_FORFEATURE'],
+};
 export function buildDevTrackApiArchitectureSchema() {
     return parseQualityArchitectureSchema({
         schema_version: 1,
@@ -157,13 +183,73 @@ export async function validateDevTrackApiArchitecture(input) {
     detectMissingAggregateModules(files, fileContents, findings);
     detectMissingRuntimePersistence(files, fileContents, findings);
     const dedupedFindings = dedupeFindings(findings);
+    const contractPack = await loadDevTrackApiContractPack();
+    const driftSignals = mapFindingsToDriftSignals(dedupedFindings, contractPack);
+    const profileOutcomes = buildProfileOutcomes(driftSignals, contractPack);
     return {
         status: dedupedFindings.length > 0 ? 'warning' : 'passed',
         architecture_schema: buildDevTrackApiArchitectureSchema(),
         import_graph: importGraph,
         findings: dedupedFindings,
+        drift_signals: driftSignals,
+        profile_outcomes: profileOutcomes,
     };
 }
+async function loadDevTrackApiContractPack() {
+    const raw = await fs.readFile(DEVTRACK_API_CONTRACT_PACK_PATH, 'utf-8');
+    return parseYaml(raw);
+}
+function mapFindingsToDriftSignals(findings, contractPack) {
+    const findingCodes = new Set(findings.map((finding) => finding.code));
+    const driftSignals = [];
+    for (const [driftClass, mappedFindingCodes] of Object.entries(DRIFT_CLASS_TO_FINDING_CODES)) {
+        const matchedCodes = mappedFindingCodes.filter((code) => findingCodes.has(code));
+        if (matchedCodes.length === 0)
+            continue;
+        const mapping = contractPack.codesdd_validate_drift_map[driftClass] ?? contractPack.field_evidence_drift_map[driftClass];
+        driftSignals.push({
+            drift_class: driftClass,
+            observed: mapping?.observed ?? 'Observed semantic drift mapped from validator findings.',
+            mapped_rules: [...new Set(mapping?.mapped_rules ?? [])],
+            finding_codes: matchedCodes,
+        });
+    }
+    return driftSignals.sort((left, right) => left.drift_class.localeCompare(right.drift_class));
+}
+function buildProfileOutcomes(driftSignals, contractPack) {
+    const ruleSeverity = new Map(contractPack.rules.map((rule) => [rule.id, rule.severity]));
+    const ruleIds = [...new Set(driftSignals.flatMap((signal) => signal.mapped_rules))];
+    const p0Rules = ruleIds.filter((ruleId) => ruleSeverity.get(ruleId) === 'P0');
+    const p1Rules = ruleIds.filter((ruleId) => ruleSeverity.get(ruleId) === 'P1');
+    const p2Rules = ruleIds.filter((ruleId) => ruleSeverity.get(ruleId) === 'P2');
+    return [
+        {
+            profile: 'prototype',
+            status: driftSignals.length > 0 ? 'warning' : 'passed',
+            blocking_rules: [],
+            blocking_drift_classes: [],
+            exception_candidate_rules: [],
+        },
+        {
+            profile: 'foundation-compatible',
+            status: p0Rules.length > 0 ? 'blocked' : driftSignals.length > 0 ? 'warning' : 'passed',
+            blocking_rules: p0Rules,
+            blocking_drift_classes: driftSignals
+                .filter((signal) => signal.mapped_rules.some((ruleId) => p0Rules.includes(ruleId)))
+                .map((signal) => signal.drift_class),
+            exception_candidate_rules: [...new Set([...p1Rules, ...p2Rules])],
+        },
+        {
+            profile: 'enterprise-strict',
+            status: p0Rules.length > 0 || p1Rules.length > 0 ? 'blocked' : driftSignals.length > 0 ? 'warning' : 'passed',
+            blocking_rules: [...new Set([...p0Rules, ...p1Rules])],
+            blocking_drift_classes: driftSignals
+                .filter((signal) => signal.mapped_rules.some((ruleId) => p0Rules.includes(ruleId) || p1Rules.includes(ruleId)))
+                .map((signal) => signal.drift_class),
+            exception_candidate_rules: p2Rules,
+        },
+    ];
+}
 function finding(code, filePath, importSpecifier, message, remediation) {
     return {
         code,

package/dist/core/sdd/docs-sync.js

@@ -53,7 +53,7 @@ Initial operational directives:
 - CodeSDD is the official planner for any build request; other planners or agent-native plans are secondary execution aids only.
 - In initialized CodeSDD repositories, any user request that implies implementation, file edits, validation, execution, or finalize must be treated as requiring CodeSDD planning unless the user explicitly marks it as read-only or outside CodeSDD.
 - For change requests, agents must bind the work to an active or ready FEAT through \`${CLI_NAME} sdd next\` and \`${CLI_NAME} sdd context <FEAT-ID>\` before implementation; agent-native plans may only decompose execution after that CodeSDD context exists.
-- For API/backend work, use \`devtrack-api\` by default unless the user or SDD context explicitly selects another skill/profile; Python/Flask API work stays routed to \`api-clean-flask-langgraph\`.
+- For API/backend work, select a CodeSDD API profile (\`minimal-rest\`, \`rest-auth-rbac\`, \`rest-crud-typeorm\`, \`evented-api\`, \`ai-agent-api\`, or \`full-foundation-compatible\`); \`devtrack-api\` remains the compatibility skill/alias and Python/Flask API work stays routed to \`api-clean-flask-langgraph\`.
 - During init, onboard, insight, and debate flows, CodeSDD-managed agent instruction blocks must be inspected and reconfigured when they drift from this contract.
 - Commit requests must follow Conventional Commits, selective staging, and grouping by modified directory plus change protocol (\`src\`, \`${memoryDir}\`, docs, config, infra, dependencies, or generated files).
 
@@ -116,7 +116,7 @@ Initial directives:
 - CodeSDD is the official planner for requested work; model-native plans and other planning tools are subordinate to CodeSDD artifacts.
 - In initialized CodeSDD repositories, implementation, edit, validation, execution, and finalize requests implicitly require CodeSDD planning unless the user explicitly marks the request as read-only or outside CodeSDD.
 - A change request must use the active or ready FEAT returned by \`${CLI_NAME} sdd next\` and must load \`${CLI_NAME} sdd context <FEAT-ID>\` before coding; model-native plans may only refine execution after that context exists.
-- API/backend work uses \`devtrack-api\` by default unless an explicit skill/profile says otherwise; Python/Flask API work uses \`api-clean-flask-langgraph\`.
+- API/backend work selects a CodeSDD API profile (\`minimal-rest\`, \`rest-auth-rbac\`, \`rest-crud-typeorm\`, \`evented-api\`, \`ai-agent-api\`, or \`full-foundation-compatible\`); \`devtrack-api\` remains the compatibility skill/alias, and Python/Flask API work uses \`api-clean-flask-langgraph\`.
 - CodeSDD-managed blocks in \`AGENTS.md\`, \`AGENT.md\`, \`CLAUDE.md\`, \`GEMINI.md\`, \`.codex\`, \`.opencode\`, \`.ai\`, \`.cloud\`, or equivalent agent files must be inspected and normalized during init/onboard/insight/debate when CodeSDD owns project governance.
 - Commits must use Conventional Commits, selective staging, and grouping by modified directory plus protocol: source, \`${memoryDir}\`, docs, config, infra, dependencies, generated files, renames, or deletions.`;
 }
@@ -150,7 +150,7 @@ Initial directives:
 - CodeSDD is the official planner. Other planning systems may assist execution only after CodeSDD context exists.
 - In initialized CodeSDD repositories, implementation, edit, validation, execution, and finalize requests implicitly require CodeSDD planning unless the user explicitly marks the request as read-only or outside CodeSDD.
 - Agents must bind each change request to the active or ready FEAT returned by \`${CLI_NAME} sdd next\` and load \`${CLI_NAME} sdd context <FEAT-ID>\` before coding.
-- API/backend work defaults to \`devtrack-api\` unless an explicit skill/profile overrides it; Python/Flask API work remains a documented exception routed to \`api-clean-flask-langgraph\`.
+- API/backend work selects a CodeSDD API profile (\`minimal-rest\`, \`rest-auth-rbac\`, \`rest-crud-typeorm\`, \`evented-api\`, \`ai-agent-api\`, or \`full-foundation-compatible\`); \`devtrack-api\` remains the compatibility skill/alias, and Python/Flask API work remains a documented exception routed to \`api-clean-flask-langgraph\`.
 - CodeSDD lifecycle entrypoints must inspect and normalize CodeSDD-managed agent instruction blocks in root and tool-specific agent files.
 - Commit work must use Conventional Commits, selective staging, and directory/protocol grouping. Source changes, \`${memoryDir}\` governance, docs, config, infra, dependencies, generated files, renames, and deletions should be staged and committed separately unless indivisible.`;
 }

package/dist/core/sdd/enterprise-mutating-command-gate.d.ts

@@ -0,0 +1,27 @@
+import type { ArtifactAllocatorLease } from './artifact-id-allocator.js';
+import type { EnterpriseProvisioningPolicyReport } from './enterprise-provisioning-policy.js';
+export type EnterpriseCommandGateDecision = 'allow' | 'block' | 'bypass-detected';
+export interface EnterpriseMutatingCommandGateRequest {
+    command: string;
+    mutates_numbered_artifacts: boolean;
+    provisioning: EnterpriseProvisioningPolicyReport;
+    project_id?: string;
+    tenant_id?: string;
+    artifact_type?: ArtifactAllocatorLease['artifact_type'];
+    lease?: ArtifactAllocatorLease;
+    fencing_token?: number;
+    now: string;
+    bypass_requested?: boolean;
+    bypass_reason?: string;
+}
+export interface EnterpriseMutatingCommandGateResult {
+    decision: EnterpriseCommandGateDecision;
+    reason: string;
+    required: boolean;
+    bypass_detected: boolean;
+    requested_mode: 'local' | 'enterprise';
+    effective_mode: 'local' | 'enterprise';
+    local_mode_exception_accepted: boolean;
+}
+export declare function evaluateEnterpriseMutatingCommandGate(request: EnterpriseMutatingCommandGateRequest): EnterpriseMutatingCommandGateResult;
+//# sourceMappingURL=enterprise-mutating-command-gate.d.ts.map

package/dist/core/sdd/enterprise-mutating-command-gate.js

@@ -0,0 +1,104 @@
+import { validateAllocatorFencingToken } from './artifact-id-allocator.js';
+export function evaluateEnterpriseMutatingCommandGate(request) {
+    const requestedMode = request.provisioning.requested_mode ?? request.provisioning.mode;
+    const effectiveMode = request.provisioning.effective_mode ??
+        (request.provisioning.requested && request.provisioning.status !== 'disabled' ? 'enterprise' : 'local');
+    const localModeExceptionAccepted = request.provisioning.local_mode_exception_accepted ??
+        (!request.provisioning.requested || request.provisioning.status === 'disabled');
+    if (!request.mutates_numbered_artifacts) {
+        return {
+            decision: 'allow',
+            reason: `Command ${request.command} does not mutate numbered artifacts.`,
+            required: false,
+            bypass_detected: false,
+            requested_mode: requestedMode,
+            effective_mode: effectiveMode,
+            local_mode_exception_accepted: localModeExceptionAccepted,
+        };
+    }
+    if (request.bypass_requested) {
+        return {
+            decision: 'bypass-detected',
+            reason: request.bypass_reason
+                ? `Bypass requested for ${request.command}: ${request.bypass_reason}`
+                : `Bypass requested for ${request.command} without an auditable reason.`,
+            required: true,
+            bypass_detected: true,
+            requested_mode: requestedMode,
+            effective_mode: effectiveMode,
+            local_mode_exception_accepted: localModeExceptionAccepted,
+        };
+    }
+    if (!request.provisioning.requested || request.provisioning.status === 'disabled') {
+        return {
+            decision: 'allow',
+            reason: 'Enterprise provisioning is not requested for this mutation; local mode exception is accepted and numbered artifact mutation is allowed.',
+            required: false,
+            bypass_detected: false,
+            requested_mode: requestedMode,
+            effective_mode: 'local',
+            local_mode_exception_accepted: true,
+        };
+    }
+    if (request.provisioning.status !== 'ready') {
+        return {
+            decision: 'block',
+            reason: `Enterprise provisioning is ${request.provisioning.status} with requested_mode=${requestedMode} and effective_mode=enterprise: ` +
+                request.provisioning.reason,
+            required: true,
+            bypass_detected: false,
+            requested_mode: requestedMode,
+            effective_mode: 'enterprise',
+            local_mode_exception_accepted: false,
+        };
+    }
+    if (!request.lease || request.fencing_token === undefined) {
+        return {
+            decision: 'block',
+            reason: `Command ${request.command} requires an active allocator lease and fencing token in Enterprise mode.`,
+            required: true,
+            bypass_detected: false,
+            requested_mode: requestedMode,
+            effective_mode: 'enterprise',
+            local_mode_exception_accepted: false,
+        };
+    }
+    if ((request.project_id !== undefined && request.lease.project_id !== request.project_id) ||
+        (request.tenant_id !== undefined && request.lease.tenant_id !== request.tenant_id) ||
+        (request.artifact_type !== undefined && request.lease.artifact_type !== request.artifact_type)) {
+        return {
+            decision: 'block',
+            reason: `Command ${request.command} allocator lease scope does not match the requested mutation scope.`,
+            required: true,
+            bypass_detected: false,
+            requested_mode: requestedMode,
+            effective_mode: 'enterprise',
+            local_mode_exception_accepted: false,
+        };
+    }
+    const fencing = validateAllocatorFencingToken(request.lease, {
+        fencing_token: request.fencing_token,
+        now: request.now,
+    });
+    if (!fencing.valid) {
+        return {
+            decision: 'block',
+            reason: `Command ${request.command} allocator fencing token is ${fencing.reason}.`,
+            required: true,
+            bypass_detected: false,
+            requested_mode: requestedMode,
+            effective_mode: 'enterprise',
+            local_mode_exception_accepted: false,
+        };
+    }
+    return {
+        decision: 'allow',
+        reason: `Command ${request.command} has a valid Enterprise allocator lease and fencing token.`,
+        required: true,
+        bypass_detected: false,
+        requested_mode: requestedMode,
+        effective_mode: 'enterprise',
+        local_mode_exception_accepted: false,
+    };
+}
+//# sourceMappingURL=enterprise-mutating-command-gate.js.map

package/dist/core/sdd/enterprise-provenance-gates.d.ts

@@ -0,0 +1,20 @@
+import type { ArtifactIdAllocatorState } from './artifact-id-allocator.js';
+export interface EnterpriseProvenanceFinding {
+    severity: 'blocker' | 'warning';
+    code: string;
+    message: string;
+    ref?: string;
+}
+export interface EnterpriseProvenanceReport {
+    valid: boolean;
+    findings: EnterpriseProvenanceFinding[];
+    counters: {
+        reservations: number;
+        leases: number;
+        canonical_writes: number;
+        drafts: number;
+        audit_events: number;
+    };
+}
+export declare function evaluateEnterpriseAllocatorProvenance(state: ArtifactIdAllocatorState): EnterpriseProvenanceReport;
+//# sourceMappingURL=enterprise-provenance-gates.d.ts.map