@devtrack-solution/codesdd 1.2.4-rc3 → 1.2.4

package/dist/core/sdd/reversa-source-safety.js

@@ -0,0 +1,105 @@
+import { createHash } from 'node:crypto';
+import { reversaSourceAttestationSchema } from './reversa-evidence.js';
+const WINDOWS_ABSOLUTE_PATH_PATTERN = /^[A-Za-z]:[\\/]/;
+const SECRET_PATH_SEGMENTS = new Set([
+    '.aws',
+    '.env',
+    '.ssh',
+    'credential',
+    'credentials',
+    'id_rsa',
+    'pem',
+    'private',
+    'secret',
+    'secrets',
+    'token',
+]);
+const SENSITIVE_KEY_TOKENS = ['key', 'secret', 'token', 'password', 'credential', 'private', 'auth'];
+export function attestReversaSource(input) {
+    const normalizedPath = normalizeReversaSourcePath(input.sourcePath);
+    if (!normalizedPath) {
+        return blocked(input.sourcePath, 'Source path must be project-relative and must not contain traversal or absolute roots.');
+    }
+    if (isCanonicalStatePath(normalizedPath)) {
+        return blocked(normalizedPath, 'Reversa inputs cannot target canonical CodeSDD state under .sdd/state/.');
+    }
+    if (hasSecretPathSegment(normalizedPath)) {
+        return blocked(normalizedPath, 'Source path is blocked by Reversa secret-path policy.');
+    }
+    const redactedContent = typeof input.content === 'string' ? redactReversaSensitiveText(input.content) : undefined;
+    const redactionStatus = typeof input.content === 'string' && redactedContent !== input.content ? 'redacted' : 'not_required';
+    const attestation = reversaSourceAttestationSchema.parse({
+        source_ref: normalizedPath,
+        source_type: input.sourceType ?? inferSourceType(normalizedPath),
+        trust_level: input.trustLevel ?? 'hostile',
+        sha256: input.content ? createHash('sha256').update(redactedContent ?? input.content).digest('hex') : undefined,
+        redaction_status: redactionStatus,
+    });
+    return {
+        status: 'accepted',
+        normalized_path: normalizedPath,
+        reason: null,
+        attestation,
+        redacted_content: redactedContent,
+    };
+}
+export function normalizeReversaSourcePath(value) {
+    const normalized = value.trim().replace(/\\/gu, '/').replace(/^\.\//u, '');
+    if (!normalized || normalized === '.' || normalized.startsWith('/') || WINDOWS_ABSOLUTE_PATH_PATTERN.test(normalized)) {
+        return null;
+    }
+    const segments = normalized.split('/').filter(Boolean);
+    if (segments.some((segment) => segment === '..')) {
+        return null;
+    }
+    return segments.join('/');
+}
+export function redactReversaSensitiveText(value) {
+    return value
+        .split(/\r?\n/u)
+        .map((line) => {
+        const keyMatch = line.match(/^(\s*["']?([A-Za-z0-9_.-]+)["']?\s*[:=]\s*)(.+)$/u);
+        if (!keyMatch) {
+            return line.replace(/(bearer\s+)[A-Za-z0-9._~+/-]+=*/giu, '$1[REDACTED]');
+        }
+        const key = keyMatch[2] ?? '';
+        if (!SENSITIVE_KEY_TOKENS.some((token) => key.toLowerCase().includes(token))) {
+            return line;
+        }
+        return `${keyMatch[1]}[REDACTED]`;
+    })
+        .join('\n');
+}
+export function isReversaCanonicalStatePath(value) {
+    const normalized = normalizeReversaSourcePath(value);
+    return normalized ? isCanonicalStatePath(normalized) : false;
+}
+function blocked(sourcePath, reason) {
+    return {
+        status: 'blocked',
+        normalized_path: normalizeReversaSourcePath(sourcePath),
+        reason,
+        attestation: null,
+    };
+}
+function isCanonicalStatePath(value) {
+    return value === '.sdd/state' || value.startsWith('.sdd/state/');
+}
+function hasSecretPathSegment(value) {
+    return value
+        .toLowerCase()
+        .split('/')
+        .some((segment) => SECRET_PATH_SEGMENTS.has(segment) || segment.endsWith('.pem'));
+}
+function inferSourceType(path) {
+    if (/\.(md|mdx|txt|rst)$/iu.test(path))
+        return 'document';
+    if (/\.(ya?ml|json|toml|ini|env)$/iu.test(path))
+        return 'config';
+    if (/\.(log|out)$/iu.test(path))
+        return 'runtime_log';
+    if (/\.(sql|prisma)$/iu.test(path))
+        return 'database_schema';
+    return 'repository';
+}
+//# sourceMappingURL=reversa-source-safety.js.map

package/dist/core/sdd/reversa-surface-scout.d.ts

@@ -0,0 +1,13 @@
+import type { ReversaEvidenceBundle } from './reversa-evidence.js';
+export interface ReversaSurfaceSource {
+    path: string;
+    content: string;
+}
+export interface BuildReversaSurfaceInventoryInput {
+    featureRef: string;
+    operationId: string;
+    generatedAt: string;
+    sources: ReversaSurfaceSource[];
+}
+export declare function buildReversaSurfaceInventory(input: BuildReversaSurfaceInventoryInput): ReversaEvidenceBundle;
+//# sourceMappingURL=reversa-surface-scout.d.ts.map

package/dist/core/sdd/reversa-surface-scout.js

@@ -0,0 +1,85 @@
+import { attestReversaSource } from './reversa-source-safety.js';
+export function buildReversaSurfaceInventory(input) {
+    const attestations = input.sources.map((source) => attestReversaSource({
+        sourcePath: source.path,
+        content: source.content,
+    }));
+    const accepted = attestations.filter((entry) => entry.status === 'accepted' && entry.attestation);
+    const blocked = attestations.filter((entry) => entry.status === 'blocked');
+    const findings = accepted.flatMap((entry) => {
+        const source = input.sources.find((candidate) => entry.normalized_path === candidate.path.replace(/^\.\//u, ''));
+        return source ? scanSurface(entry.normalized_path, source.content) : [];
+    });
+    return {
+        schema_version: 1,
+        contract: 'reversa-evidence-bundle/v1',
+        operation_id: input.operationId,
+        generated_at: input.generatedAt,
+        feature_ref: input.featureRef,
+        mode: 'read-only',
+        source_attestations: accepted.map((entry) => entry.attestation),
+        findings,
+        artifacts: [
+            {
+                path: `.sdd/evidence/reversa/${input.featureRef}/surface-inventory.yaml`,
+                artifact_type: 'inventory',
+                phase: 'surface',
+                produced_by: 'codesdd reversa surface scout',
+                write_scope: 'read_only',
+            },
+        ],
+        validations: [
+            {
+                id: 'REV-VAL-SURFACE-SAFETY',
+                phase: 'surface',
+                command: 'buildReversaSurfaceInventory',
+                status: blocked.length === 0 ? 'passed' : 'blocked',
+                issue_codes: blocked.length === 0 ? [] : ['UNSAFE_SOURCE_BLOCKED'],
+            },
+        ],
+        contradictions: [],
+        human_questions: [],
+        quality_refs: [`.sdd/active/${input.featureRef}/5-quality.yaml`],
+        residual_risks: blocked.map((entry) => ({
+            code: 'UNSAFE_SOURCE_BLOCKED',
+            severity: 'medium',
+            description: entry.reason ?? 'A legacy source was blocked by Reversa intake safety.',
+            mitigation: 'Review source path and provide a safe project-relative source before extraction.',
+        })),
+        metadata: {
+            counts: summarizeSurface(findings),
+        },
+    };
+}
+function scanSurface(sourceRef, content) {
+    const findings = [];
+    const routeMatches = [...content.matchAll(/\b(?:app|router)\.(get|post|put|patch|delete)\s*\(\s*['"`]([^'"`]+)['"`]/giu)];
+    const controllerMatches = [...content.matchAll(/@(Controller|Get|Post|Put|Patch|Delete)\s*\(\s*['"`]?([^'"`)]*)['"`]?\s*\)/giu)];
+    const jobMatches = [...content.matchAll(/\b(?:cron|schedule|job|queue|worker)\b/giu)];
+    const commandMatches = [...content.matchAll(/\b(?:command|program\.command|Command)\b/gu)];
+    const screenMatches = [...content.matchAll(/(?:component|screen|page|route)/giu)];
+    pushFinding(findings, 'API', 'API endpoints', routeMatches.length + controllerMatches.length, sourceRef);
+    pushFinding(findings, 'JOB', 'Jobs and workers', jobMatches.length, sourceRef);
+    pushFinding(findings, 'COMMAND', 'CLI commands', commandMatches.length, sourceRef);
+    pushFinding(findings, 'SCREEN', 'Screens and routes', screenMatches.length, sourceRef);
+    return findings;
+}
+function pushFinding(findings, suffix, title, count, sourceRef) {
+    if (count === 0)
+        return;
+    findings.push({
+        id: `REV-FIND-SURFACE-${suffix}`,
+        phase: 'surface',
+        title,
+        summary: `${title} detected in ${sourceRef}: ${count}.`,
+        confidence: 'medium',
+        source_refs: [sourceRef],
+        contradiction_refs: [],
+        promoted_refs: [],
+        metadata: { count },
+    });
+}
+function summarizeSurface(findings) {
+    return Object.fromEntries(findings.map((finding) => [finding.id, Number(finding.metadata.count ?? 0)]));
+}
+//# sourceMappingURL=reversa-surface-scout.js.map

package/dist/core/sdd/reversa-ux-mapper.d.ts

@@ -0,0 +1,11 @@
+import type { ReversaEvidenceBundle } from './reversa-evidence.js';
+export declare function buildReversaUxPermissionMap(input: {
+    featureRef: string;
+    operationId: string;
+    generatedAt: string;
+    sources: Array<{
+        path: string;
+        content: string;
+    }>;
+}): ReversaEvidenceBundle;
+//# sourceMappingURL=reversa-ux-mapper.d.ts.map

package/dist/core/sdd/reversa-ux-mapper.js

@@ -0,0 +1,73 @@
+import { attestReversaSource } from './reversa-source-safety.js';
+export function buildReversaUxPermissionMap(input) {
+    const accepted = input.sources
+        .map((source) => ({ source, attestation: attestReversaSource({ sourcePath: source.path, content: source.content }) }))
+        .filter((entry) => entry.attestation.status === 'accepted' && entry.attestation.attestation);
+    const screens = accepted.flatMap(({ source, attestation }) => scanScreens(attestation.normalized_path, source.content));
+    const permissions = accepted.flatMap(({ source, attestation }) => scanPermissions(attestation.normalized_path, source.content));
+    const findings = [];
+    if (screens.length > 0) {
+        findings.push({
+            id: 'REV-FIND-UX-SCREENS',
+            phase: 'ux',
+            title: 'Screens and UI routes',
+            summary: `Detected ${screens.length} screen, component or route candidates.`,
+            confidence: 'medium',
+            source_refs: [...new Set(screens.map((entry) => entry.source_ref))],
+            contradiction_refs: [],
+            promoted_refs: [],
+            metadata: { screens },
+        });
+    }
+    if (permissions.length > 0) {
+        findings.push({
+            id: 'REV-FIND-UX-PERMISSIONS',
+            phase: 'ux',
+            title: 'Permission and guard flows',
+            summary: `Detected ${permissions.length} permission or guard candidates.`,
+            confidence: 'medium',
+            source_refs: [...new Set(permissions.map((entry) => entry.source_ref))],
+            contradiction_refs: [],
+            promoted_refs: [],
+            metadata: { permissions },
+        });
+    }
+    return {
+        schema_version: 1,
+        contract: 'reversa-evidence-bundle/v1',
+        operation_id: input.operationId,
+        generated_at: input.generatedAt,
+        feature_ref: input.featureRef,
+        mode: 'read-only',
+        source_attestations: accepted.map((entry) => entry.attestation.attestation),
+        findings,
+        artifacts: [{
+                path: `.sdd/evidence/reversa/${input.featureRef}/ux-permission-map.yaml`,
+                artifact_type: 'ux_map',
+                phase: 'ux',
+                produced_by: 'codesdd reversa ux mapper',
+                write_scope: 'read_only',
+            }],
+        validations: [{
+                id: 'REV-VAL-UX-SAFETY',
+                phase: 'ux',
+                command: 'buildReversaUxPermissionMap',
+                status: accepted.length === input.sources.length ? 'passed' : 'blocked',
+                issue_codes: accepted.length === input.sources.length ? [] : ['UNSAFE_SOURCE_BLOCKED'],
+            }],
+        contradictions: [],
+        human_questions: [],
+        quality_refs: [`.sdd/active/${input.featureRef}/5-quality.yaml`],
+        residual_risks: [],
+        metadata: { screen_count: screens.length, permission_count: permissions.length },
+    };
+}
+function scanScreens(sourceRef, content) {
+    return [...content.matchAll(/\b(?:component|screen|page|route|path)\b\s*[:=]?\s*['"]?([A-Za-z0-9_/-]*)/giu)]
+        .map((match) => ({ name: match[1] || match[0], source_ref: sourceRef }));
+}
+function scanPermissions(sourceRef, content) {
+    return [...content.matchAll(/\b(?:guard|canActivate|permission|role|rbac|auth)\b/giu)]
+        .map((match) => ({ signal: match[0].toLowerCase(), source_ref: sourceRef }));
+}
+//# sourceMappingURL=reversa-ux-mapper.js.map

package/dist/core/sdd/sdk-agent-plugin-quality-gates.d.ts

@@ -41,8 +41,8 @@ export declare const sdkAgentPluginQualityGateInputSchema: z.ZodObject<{
         }, z.core.$strip>>;
     }, z.core.$strip>>>;
     required_agent_providers: z.ZodDefault<z.ZodArray<z.ZodEnum<{
-        codex: "codex";
         opencode: "opencode";
+        codex: "codex";
         deepagents: "deepagents";
     }>>>;
     coverage_target: z.ZodDefault<z.ZodObject<{

package/dist/core/sdd/services/archive-quality-coherence.service.d.ts

@@ -0,0 +1,17 @@
+export type ArchiveQualityCoherenceIssueCode = 'ACCEPTANCE_NOT_MET_WITH_Q95_PASS' | 'OPEN_RISK_WITH_Q95_PASS' | 'PLACEHOLDER_EVIDENCE_WITH_Q95_PASS' | 'GENERIC_EVIDENCE_WITH_Q95_PASS';
+export interface ArchiveQualityCoherenceIssue {
+    featureId: string;
+    qualityPath: string;
+    issueCode: ArchiveQualityCoherenceIssueCode;
+    message: string;
+}
+export interface ArchiveQualityCoherenceReport {
+    scanned: number;
+    analyzed: number;
+    grandfathered: number;
+    issues: ArchiveQualityCoherenceIssue[];
+}
+export declare function scanArchiveQualityCoherence(archivedDir: string, options?: {
+    grandfatherMaxFeat?: number;
+}): Promise<ArchiveQualityCoherenceReport>;
+//# sourceMappingURL=archive-quality-coherence.service.d.ts.map

package/dist/core/sdd/services/archive-quality-coherence.service.js

@@ -0,0 +1,141 @@
+import { existsSync } from 'node:fs';
+import { promises as fs } from 'node:fs';
+import path from 'node:path';
+import { parseWorkspaceYamlDocument } from '../workspace-schemas.js';
+const PLACEHOLDER_PATTERNS = [
+    /\(fill in/i,
+    /\(placeholder/i,
+    /\btodo\b/i,
+    /\btbd\b/i,
+    /\bpending\b/i,
+    /\bmust implement\b/i,
+    /\bto be executed\b/i,
+    /\bplanned\b/i,
+    /\bwill be\b/i,
+    /\bto do\b/i,
+];
+const GENERIC_EVIDENCE_PATTERNS = [
+    /must implement and record executable evidence/i,
+    /planned but not yet executed/i,
+    /is implemented only in the planned surfaces/i,
+    /planned implementation surface/i,
+    /pending\.?$/i,
+];
+const DEFAULT_GRANDFATHER_MAX_FEAT = 451;
+function featNumericId(featureId) {
+    const match = featureId.match(/^FEAT-(\d{4,})$/);
+    if (!match)
+        return null;
+    return Number.parseInt(match[1] || '', 10);
+}
+function hasPattern(text, patterns) {
+    return patterns.some((pattern) => pattern.test(text));
+}
+function qualityHasPlaceholderOrGenericEvidence(document) {
+    let hasPlaceholder = false;
+    let hasGeneric = false;
+    const evidenceTexts = [
+        ...document.evidence_log.flatMap((entry) => [entry.kind, entry.result, entry.artifact ?? '']),
+        ...document.acceptance_matrix.flatMap((entry) => [entry.criterion, entry.evidence]),
+    ];
+    for (const text of evidenceTexts) {
+        if (!text)
+            continue;
+        if (!hasPlaceholder && hasPattern(text, PLACEHOLDER_PATTERNS)) {
+            hasPlaceholder = true;
+        }
+        if (!hasGeneric && hasPattern(text, GENERIC_EVIDENCE_PATTERNS)) {
+            hasGeneric = true;
+        }
+        if (hasPlaceholder && hasGeneric) {
+            break;
+        }
+    }
+    return { hasPlaceholder, hasGeneric };
+}
+export async function scanArchiveQualityCoherence(archivedDir, options = {}) {
+    if (!existsSync(archivedDir)) {
+        return {
+            scanned: 0,
+            analyzed: 0,
+            grandfathered: 0,
+            issues: [],
+        };
+    }
+    const grandfatherMaxFeat = options.grandfatherMaxFeat ?? DEFAULT_GRANDFATHER_MAX_FEAT;
+    const issues = [];
+    const entries = await fs.readdir(archivedDir, { withFileTypes: true });
+    let scanned = 0;
+    let analyzed = 0;
+    let grandfathered = 0;
+    for (const entry of entries) {
+        if (!entry.isDirectory() || !entry.name.startsWith('FEAT-'))
+            continue;
+        scanned += 1;
+        const featureId = entry.name;
+        const numericId = featNumericId(featureId);
+        if (numericId !== null && numericId <= grandfatherMaxFeat) {
+            grandfathered += 1;
+            continue;
+        }
+        const qualityPath = path.join(archivedDir, featureId, '5-quality.yaml');
+        if (!existsSync(qualityPath)) {
+            continue;
+        }
+        const raw = await fs.readFile(qualityPath, 'utf-8').catch(() => '');
+        if (!raw.trim()) {
+            continue;
+        }
+        let quality;
+        try {
+            quality = parseWorkspaceYamlDocument('5-quality.yaml', raw);
+        }
+        catch {
+            continue;
+        }
+        analyzed += 1;
+        if (quality.q95_ledger.status !== 'pass') {
+            continue;
+        }
+        if (quality.acceptance_matrix.some((entry) => entry.status === 'not_met')) {
+            issues.push({
+                featureId,
+                qualityPath,
+                issueCode: 'ACCEPTANCE_NOT_MET_WITH_Q95_PASS',
+                message: `${featureId} archived quality has q95_ledger.status=pass but acceptance_matrix contains not_met entries.`,
+            });
+        }
+        if (quality.requirement_validation_evidence_risk_matrix.some((entry) => entry.risk_status === 'open')) {
+            issues.push({
+                featureId,
+                qualityPath,
+                issueCode: 'OPEN_RISK_WITH_Q95_PASS',
+                message: `${featureId} archived quality has q95_ledger.status=pass but requirement risk_status=open remains unresolved.`,
+            });
+        }
+        const evidenceSignals = qualityHasPlaceholderOrGenericEvidence(quality);
+        if (evidenceSignals.hasPlaceholder) {
+            issues.push({
+                featureId,
+                qualityPath,
+                issueCode: 'PLACEHOLDER_EVIDENCE_WITH_Q95_PASS',
+                message: `${featureId} archived quality has q95_ledger.status=pass but placeholder/future-tense evidence markers are present.`,
+            });
+        }
+        if (evidenceSignals.hasGeneric) {
+            issues.push({
+                featureId,
+                qualityPath,
+                issueCode: 'GENERIC_EVIDENCE_WITH_Q95_PASS',
+                message: `${featureId} archived quality has q95_ledger.status=pass but generic non-executable evidence text is still present.`,
+            });
+        }
+    }
+    return {
+        scanned,
+        analyzed,
+        grandfathered,
+        issues,
+    };
+}
+//# sourceMappingURL=archive-quality-coherence.service.js.map

package/dist/core/sdd/services/decide.service.js

@@ -23,7 +23,7 @@ export class DecideService {
             const debateContent = await fs.readFile(debateFile, 'utf-8');
             const missingSections = validateDebateDocument(debateContent);
             if (missingSections.length > 0) {
-                throw new Error(`Debate ${debateId} is incomplete. Fill required sections before deciding:\n- ${missingSections.join('\n- ')}`);
+                throw new Error(`Debate ${debateId} failed the planning quality gate required for promotion. Fill required sections before deciding:\n- ${missingSections.join('\n- ')}`);
             }
             const now = nowIso();
             const targetStatus = outcome === 'radar' || outcome === 'epic' ? 'APPROVED' : 'DISCARDED';

package/dist/core/sdd/services/finalize.service.d.ts

@@ -2,6 +2,7 @@ import { SddPaths, SddRuntimeConfig } from "../state.js";
 import { BacklogItem, FinalizeQueueItem } from "../types.js";
 import { SddStores } from "../store/sdd-stores.js";
 import { type WorkspaceQualityDocument } from "../workspace-schemas.js";
+export declare function reconcileAdrMarkdownForFinalize(existingAdr: string, now: string): string;
 export declare class FinalizeService {
     private readonly stores;
     constructor(stores: SddStores);
@@ -135,4 +136,5 @@ export declare function missingCoverageTargets(document: WorkspaceQualityDocumen
 export declare function coverageTargetMet(document: WorkspaceQualityDocument, kind: 'unit' | 'integration', target: number): boolean;
 export declare function countQualityEvidenceRounds(document: WorkspaceQualityDocument): number;
 export declare function missingSkillEvidence(document: WorkspaceQualityDocument): string[];
+export declare function missingCriticalEvidenceProvenance(document: WorkspaceQualityDocument): string[];
 //# sourceMappingURL=finalize.service.d.ts.map

package/dist/core/sdd/services/finalize.service.js

@@ -43,6 +43,13 @@ function moveCompletedFinalizeItemsToHistory(state) {
     }
     state.items = activeItems;
 }
+export function reconcileAdrMarkdownForFinalize(existingAdr, now) {
+    return existingAdr
+        .replace(/^status:\s*IN_PROGRESS\b/m, 'status: DONE')
+        .replace(/^status:\s*DRAFT\b/m, 'status: DONE')
+        .replace(/^decision_status:\s*PROPOSED\b/m, 'decision_status: ACCEPTED')
+        .replace(/^updated_at:\s*["']?[\dTZ:.-]+["']?\s*$/m, `updated_at: ${now}`);
+}
 function buildPostFinalizeReplan(items, finalized, unlocked, generatedAt) {
     const rank = 'impact';
     const computed = computeReadyFeatures(items, { rank });
@@ -451,7 +458,13 @@ export class FinalizeService {
                 if (!options?.noAdr && !feature.requires_adr) {
                     const adrPath = path.join(paths.coreDir, 'adrs', `ADR-${feature.id}.md`);
                     const tx = new SddWriteTransaction();
-                    tx.writeFile(adrPath, buildAdrMarkdown(feature, unlockedByFeature, now));
+                    try {
+                        const existingAdr = await fs.readFile(adrPath, 'utf-8');
+                        tx.writeFile(adrPath, reconcileAdrMarkdownForFinalize(existingAdr, now));
+                    }
+                    catch {
+                        tx.writeFile(adrPath, buildAdrMarkdown(feature, unlockedByFeature, now));
+                    }
                     await tx.commit(paths.projectRoot, paths.memoryRoot, 'finalize.service (ADR)');
                 }
                 await fs.mkdir(paths.archivedDir, { recursive: true });
@@ -701,6 +714,7 @@ export async function evaluateWorkspaceQualityFeedback(paths, config, feature) {
     }
     const missingTargets = missingCoverageTargets(document);
     const missingSkills = missingSkillEvidence(document);
+    const criticalProvenanceReasons = missingCriticalEvidenceProvenance(document);
     const matrixReasons = evaluateQualityWitnessMatrix(document);
     const reasons = [];
     const maxRounds = document.remediation_policy.max_rounds;
@@ -728,6 +742,9 @@ export async function evaluateWorkspaceQualityFeedback(paths, config, feature) {
     if (missingSkills.length > 0) {
         reasons.push(`required skill evidence missing for ${missingSkills.join(', ')}`);
     }
+    if (criticalProvenanceReasons.length > 0) {
+        reasons.push(...criticalProvenanceReasons);
+    }
     if (matrixReasons.length > 0) {
         reasons.push(`quality-witness matrix blocked finalize: ${matrixReasons.join(' | ')}`);
     }
@@ -942,7 +959,6 @@ const LEGACY_NAMING_PATTERNS = [
     /\bcoach-sdd\b/u,
     /\bcoach_sdd\b/u,
     /\bsdd\s+coach\b/u,
-    /\.codesdd\b/u,
 ];
 export function computeNamingAxis(feature, document) {
     let score = 100;
@@ -1165,4 +1181,34 @@ export function missingSkillEvidence(document) {
         .filter(Boolean));
     return required.filter((skillId) => !provided.has(skillId.toLowerCase()));
 }
+export function missingCriticalEvidenceProvenance(document) {
+    const reasons = [];
+    document.evidence_log.forEach((entry, index) => {
+        if (entry.critical !== true) {
+            return;
+        }
+        const provenance = entry.provenance;
+        if (!provenance) {
+            reasons.push(`critical evidence_log[${index}] (${entry.kind}) missing provenance (command, exit_code, timestamp_iso, commit_sha, artifact_path, artifact_hash)`);
+            return;
+        }
+        const missingFields = [];
+        if (!provenance.command?.trim())
+            missingFields.push('command');
+        if (!Number.isInteger(provenance.exit_code))
+            missingFields.push('exit_code');
+        if (!provenance.timestamp_iso?.trim())
+            missingFields.push('timestamp_iso');
+        if (!provenance.commit_sha?.trim())
+            missingFields.push('commit_sha');
+        if (!provenance.artifact_path?.trim())
+            missingFields.push('artifact_path');
+        if (!provenance.artifact_hash?.trim())
+            missingFields.push('artifact_hash');
+        if (missingFields.length > 0) {
+            reasons.push(`critical evidence_log[${index}] (${entry.kind}) missing provenance fields: ${missingFields.join(', ')}`);
+        }
+    });
+    return reasons;
+}
 //# sourceMappingURL=finalize.service.js.map

package/dist/core/sdd/services/historical-quality-regression.service.d.ts

@@ -0,0 +1,35 @@
+export type HistoricalQualityRegressionMode = 'recent-window' | 'full-history';
+export type HistoricalQualityRegressionIssueCode = 'ACCEPTANCE_NOT_MET' | 'OPEN_RISK' | 'PLACEHOLDER_EVIDENCE' | 'MISSING_ADR' | 'FRONTEND_IMPACT_UNKNOWN' | 'MISSING_DONE_AT' | 'MISSING_ARCHIVED_AT' | 'STATE_CORE_DIVERGENCE';
+export interface HistoricalQualityRegressionIssue {
+    feature_id: string;
+    code: HistoricalQualityRegressionIssueCode;
+    message: string;
+    quality_path?: string;
+    backlog_path?: string;
+    adr_path?: string;
+}
+export interface HistoricalQualityRegressionReport {
+    generated_at: string;
+    mode: HistoricalQualityRegressionMode;
+    recent_window_size: number | null;
+    scanned: number;
+    considered: number;
+    analyzed: number;
+    grandfathered: number;
+    issue_count: number;
+    grandfathering: {
+        enabled: boolean;
+        max_feat_id: number;
+        policy: string;
+    };
+    issues: HistoricalQualityRegressionIssue[];
+}
+export interface HistoricalQualityRegressionOptions {
+    mode?: HistoricalQualityRegressionMode;
+    recentWindowSize?: number;
+    grandfatherMaxFeat?: number;
+}
+export declare class HistoricalQualityRegressionService {
+    execute(projectRoot: string, options?: HistoricalQualityRegressionOptions): Promise<HistoricalQualityRegressionReport>;
+}
+//# sourceMappingURL=historical-quality-regression.service.d.ts.map