@devtrack-solution/codesdd 1.2.4-rc3 → 1.2.4

package/.sdd/skills/curated/devtrack-api/references/contract-pack.yaml

@@ -50,6 +50,1517 @@ portable_agents:
     - agents/kimi.yaml
     - agents/opencode.yaml
     - references/portable-agent-contract.md
+    - references/generated-artifact-invalidation.md
+codesdd_api_profile_family:
+  id: codesdd-api-profile-family
+  status: active
+  foundation_reference: devtrack-foundation-api
+  shared_baseline_ref: foundation-api-shared-baseline
+  public_identity_rule: Future CodeSDD API work exposes named API profiles, not devtrack-api, as the normal public identity.
+  default_profile: minimal-rest
+  legacy_aliases:
+    devtrack-api:
+      status: compatibility-only
+      resolves_to: full-foundation-compatible
+      migration_notice: Use full-foundation-compatible for new CodeSDD API profile requests.
+  profile_ids:
+    - minimal-rest
+    - rest-auth-rbac
+    - rest-crud-typeorm
+    - evented-api
+    - ai-agent-api
+    - full-foundation-compatible
+  shared_baseline_requirements:
+    - openapi-swagger-docs
+    - env-example
+    - package-json-scripts
+    - application-usecase-boundary
+    - dto-validation
+    - structured-api-errors
+    - auth-authz-planning
+    - route-and-usecase-tests
+  profiles:
+    minimal-rest:
+      inherits_shared_baseline: true
+      purpose: Smallest production-grade REST API baseline.
+      adds:
+        - health route
+        - root REST module
+        - controller DTOs
+        - single use-case slice
+        - structured error DTO
+        - health route/use-case tests
+      required_proof:
+        - OpenAPI docs
+        - .env.example
+        - package scripts
+        - DTO validation
+        - structured errors
+        - health/root wiring
+        - route/use-case tests
+    rest-auth-rbac:
+      inherits_shared_baseline: true
+      purpose: REST API with authentication, authorization, guards, and permission boundaries.
+      adds:
+        - auth strategy
+        - route guards
+        - permission decorators
+        - current-user boundary
+        - RBAC policy examples
+      required_proof:
+        - protected OpenAPI docs
+        - allow/deny route tests
+        - guard/decorator artifacts
+    rest-crud-typeorm:
+      inherits_shared_baseline: true
+      purpose: REST CRUD API with TypeORM persistence and application/repository boundaries.
+      adds:
+        - TypeORM entity
+        - repository port
+        - migration scripts
+        - pagination
+        - filtering
+        - uniqueness checks
+      required_proof:
+        - repository boundary tests
+        - migration script evidence
+        - CRUD integration evidence
+    evented-api:
+      inherits_shared_baseline: true
+      purpose: API with application events, handlers, queue delivery, idempotency, and retry policy.
+      adds:
+        - application event contracts
+        - application handlers
+        - queue delivery strategy
+        - idempotency
+        - retry/error policy
+      required_proof:
+        - event contract docs
+        - handler tests
+        - idempotency/retry evidence
+    ai-agent-api:
+      inherits_shared_baseline: true
+      purpose: API for AI agent workflows with tool boundaries, safety, redaction, and deterministic tests.
+      adds:
+        - agent endpoint conventions
+        - tool/action boundaries
+        - provider config redaction
+        - audit trail
+      required_proof:
+        - no live credential tests
+        - tool boundary validation
+        - redaction evidence
+        - auditability evidence
+    full-foundation-compatible:
+      inherits_shared_baseline: true
+      purpose: Strict profile for full compatibility with devtrack-foundation-api architecture and conventions.
+      adds:
+        - Foundation parity matrix
+        - full layer structure
+        - strict contract validation
+        - legacy alias compatibility
+      required_proof:
+        - Foundation parity matrix
+        - artifact map evidence
+        - strict validation gates
+foundation_api_shared_baseline:
+  id: foundation-api-shared-baseline
+  version: 1
+  foundation_reference: devtrack-foundation-api
+  inherited_by_profiles:
+    - minimal-rest
+    - rest-auth-rbac
+    - rest-crud-typeorm
+    - evented-api
+    - ai-agent-api
+    - full-foundation-compatible
+  requirements:
+    - id: openapi-swagger-docs
+      title: Swagger/OpenAPI documentation
+      severity: P0
+      phase: scaffold
+      quality_gate: openapi-docs-required
+      contract_rule_refs:
+        - DTAPI-P0-SHARED-BASELINE-001
+        - DTAPI-P0-OPENAPI-001
+        - DTAPI-P0-TOOL-BASELINE-001
+      required_artifacts:
+        - package.json
+        - .env.example
+        - src/main.ts
+        - src/presentation/**
+      required_evidence:
+        - "@nestjs/swagger dependency is present"
+        - DocumentBuilder and SwaggerModule bootstrap /docs
+        - controllers and DTOs include Swagger decorators
+    - id: env-example
+      title: .env.example placeholder contract
+      severity: P0
+      phase: scaffold
+      quality_gate: env-example-required
+      contract_rule_refs:
+        - DTAPI-P0-SHARED-BASELINE-001
+        - DTAPI-P0-TOOL-BASELINE-001
+      required_artifacts:
+        - .env.example
+      required_evidence:
+        - runtime variables have placeholder values
+        - Swagger server settings are represented when OpenAPI is enabled
+        - no secret or credential values are emitted
+    - id: package-json-scripts
+      title: Operational package scripts and runtime bootstrap
+      severity: P0
+      phase: scaffold
+      quality_gate: package-scripts-required
+      contract_rule_refs:
+        - DTAPI-P0-SHARED-BASELINE-001
+        - DTAPI-P0-TOOL-BASELINE-001
+        - DTAPI-P0-RUNTIME-SCRIPTS-001
+      required_artifacts:
+        - package.json
+        - scripts/cleanup.sh
+        - scripts/kill-port.js
+      required_evidence:
+        - build, start, start:dev, start:prod, lint, test, coverage, e2e, cleanup, and cleanup:install scripts are present
+        - cleanup removes dependency installs, build outputs, caches, lockfiles, and compilation residue unless an ADR preserves a canonical lockfile
+        - start and start:dev run a configured-port preflight that terminates the listener before Nest starts
+        - scripts can be invoked with npm or pnpm, while nested package-script calls use npm run/npm install so Docker images do not require pnpm
+        - migration scripts are present when persistence is included
+    - id: application-usecase-boundary
+      title: Application use-case and input-port boundary
+      severity: P0
+      phase: implementation
+      quality_gate: application-usecase-route-boundary
+      contract_rule_refs:
+        - DTAPI-P0-SHARED-BASELINE-001
+        - DTAPI-P0-USECASE-001
+        - DTAPI-P0-TOOL-BASELINE-001
+      required_artifacts:
+        - src/application/**
+        - src/presentation/**
+      required_evidence:
+        - each user-facing route calls an application input port
+        - each input port delegates business orchestration to a use case
+    - id: dto-validation
+      title: DTO validation and documented request shape
+      severity: P0
+      phase: implementation
+      quality_gate: dto-validation-required
+      contract_rule_refs:
+        - DTAPI-P0-SHARED-BASELINE-001
+        - DTAPI-P0-OPENAPI-001
+      required_artifacts:
+        - src/main.ts
+        - src/presentation/**/dtos/**
+      required_evidence:
+        - global validation pipe is configured
+        - request DTOs use class-validator decorators
+        - DTOs include Swagger property metadata
+    - id: structured-api-errors
+      title: Structured API error responses
+      severity: P0
+      phase: implementation
+      quality_gate: structured-error-contract-required
+      contract_rule_refs:
+        - DTAPI-P0-SHARED-BASELINE-001
+        - DTAPI-P0-TOOL-BASELINE-001
+      required_artifacts:
+        - src/presentation/dtos/api-error-response.dto.ts
+        - src/presentation/**
+      required_evidence:
+        - controllers document error responses
+        - error DTO avoids leaking internal provider or secret data
+    - id: auth-authz-planning
+      title: Authentication and authorization planning
+      severity: P0
+      phase: planning
+      quality_gate: authz-planning-required
+      contract_rule_refs:
+        - DTAPI-P0-SHARED-BASELINE-001
+        - DTAPI-P0-AUTH-PLAN-001
+        - DTAPI-P0-TOOL-BASELINE-001
+      required_artifacts:
+        - FEAT quality evidence
+        - src/presentation/**/guards/**
+      required_evidence:
+        - route public/protected decision is recorded
+        - guard, decorator, role, permission, or policy choice is recorded
+        - Swagger security scheme is documented for protected routes
+    - id: route-and-usecase-tests
+      title: Route and use-case test evidence
+      severity: P0
+      phase: validation
+      quality_gate: route-usecase-tests-required
+      contract_rule_refs:
+        - DTAPI-P0-SHARED-BASELINE-001
+        - DTAPI-P1-EVIDENCE-001
+      required_artifacts:
+        - test/**
+        - coverage/**
+      required_evidence:
+        - route/controller behavior is covered
+        - application use-case behavior is covered
+        - validation evidence is recorded in the FEAT quality artifact
+profile_aware_dry_run_evidence:
+  id: profile-aware-dry-run-evidence
+  version: 1
+  mode: dry-run
+  mutation_policy: planning-only
+  required_manifest_field: profile_projection
+  required_fields:
+    - selected_profile
+    - requested_profile
+    - legacy_alias
+    - inherited_baseline
+    - expected_write_scope
+    - expected_writes
+    - expected_quality_gates
+    - artifact_map_refs
+    - validation_results
+    - migration_warnings
+  applies_to_profiles:
+    - minimal-rest
+    - rest-auth-rbac
+    - rest-crud-typeorm
+    - evented-api
+    - ai-agent-api
+    - full-foundation-compatible
+  profile_quality_gates:
+    minimal-rest:
+      - profile-minimal-rest-route-usecase-projection
+      - minimal-rest-recipe-required
+      - minimal-rest-openapi-docs-required
+      - minimal-rest-env-example-required
+      - minimal-rest-package-scripts-required
+      - minimal-rest-dto-usecase-boundary-required
+      - minimal-rest-structured-errors-required
+      - minimal-rest-health-root-wiring-required
+      - minimal-rest-route-usecase-tests-required
+    rest-auth-rbac:
+      - profile-rest-auth-rbac-guard-policy-projection
+      - rest-auth-rbac-recipe-required
+      - rest-auth-rbac-auth-plan-required
+      - rest-auth-rbac-jwt-strategy-required
+      - rest-auth-rbac-route-guards-required
+      - rest-auth-rbac-permission-decorator-required
+      - rest-auth-rbac-current-user-boundary-required
+      - rest-auth-rbac-protected-openapi-docs-required
+      - rest-auth-rbac-allow-deny-tests-required
+    rest-crud-typeorm:
+      - profile-rest-crud-typeorm-persistence-projection
+      - rest-crud-typeorm-recipe-required
+      - rest-crud-typeorm-bo-pattern-required
+      - rest-crud-typeorm-application-repository-port-required
+      - rest-crud-typeorm-usecase-transaction-boundary-required
+      - rest-crud-typeorm-infrastructure-orm-required
+      - rest-crud-typeorm-migration-required
+      - rest-crud-typeorm-pagination-filtering-required
+      - rest-crud-typeorm-uniqueness-required
+      - rest-crud-typeorm-crud-tests-required
+      - rest-crud-typeorm-no-prisma-required
+    evented-api:
+      - profile-evented-api-event-contract-projection
+      - evented-api-recipe-required
+      - evented-api-event-contract-required
+      - evented-api-application-handler-required
+      - evented-api-event-publisher-port-required
+      - evented-api-outbox-or-queue-required
+      - evented-api-idempotency-required
+      - evented-api-retry-error-policy-required
+      - evented-api-event-docs-required
+      - evented-api-event-tests-required
+    ai-agent-api:
+      - profile-ai-agent-api-tool-boundary-projection
+      - ai-agent-api-recipe-required
+      - ai-agent-api-endpoint-contract-required
+      - ai-agent-api-tool-boundary-required
+      - ai-agent-api-provider-config-redaction-required
+      - ai-agent-api-prompt-safety-required
+      - ai-agent-api-audit-trail-required
+      - ai-agent-api-deterministic-tests-required
+      - ai-agent-api-no-live-credentials-required
+    full-foundation-compatible:
+      - profile-full-foundation-compatible-parity-projection
+      - foundation-parity-matrix-required
+      - foundation-architecture-roots-parity
+      - foundation-contract-boundaries-parity
+      - foundation-api-documentation-parity
+      - foundation-env-runtime-config-parity
+      - foundation-package-scripts-parity
+      - foundation-auth-authorization-parity
+      - foundation-typeorm-persistence-parity
+      - foundation-validation-errors-parity
+      - foundation-evidence-quality-gates-parity
+  expected_writes:
+    minimal-rest:
+      - src/presentation/rest/rest.module.ts
+      - src/presentation/rest/health/health.controller.ts
+      - src/application/business/health/ports/in/read-health.use-case.port.ts
+      - src/application/business/health/use-cases/read-health.use-case.ts
+      - tests/health.e2e-spec.ts
+    rest-auth-rbac:
+      - src/presentation/rest/auth/auth.module.ts
+      - src/presentation/rest/auth/controllers/login.controller.ts
+      - src/presentation/rest/auth/controllers/create-role.controller.ts
+      - src/presentation/rest/auth/controllers/list-roles.controller.ts
+      - src/presentation/rest/auth/dtos/auth-session-output.dto.ts
+      - src/presentation/rest/auth/guards/jwt-auth.guard.ts
+      - src/presentation/rest/auth/guards/permission.guard.ts
+      - src/presentation/rest/auth/decorators/permission.decorator.ts
+      - src/application/business/auth/ports/in/authenticated-user.type.ts
+      - src/application/business/auth/ports/in/login.use-case.port.ts
+      - src/application/business/auth/use-cases/login.use-case.ts
+      - src/application/business/auth/ports/out/access-control.service.port.ts
+      - src/application/business/auth/services/access-control.service.ts
+      - src/infrastructure/adapters/auth/jwt.strategy.ts
+      - tests/auth-rbac.e2e-spec.ts
+    rest-crud-typeorm:
+      - src/domain/categories/business-objects/category.bo.ts
+      - src/domain/categories/types/category.type.ts
+      - src/application/business/categories/ports/out/category-repository.port.ts
+      - src/application/business/categories/ports/in/create-category.use-case.port.ts
+      - src/application/business/categories/use-cases/create-category.use-case.ts
+      - src/application/business/categories/ports/in/list-categories.use-case.port.ts
+      - src/application/business/categories/use-cases/list-categories.use-case.ts
+      - src/infrastructure/adapters/orm/entities/category.orm-entity.ts
+      - src/infrastructure/adapters/orm/repositories/category.typeorm-repository.ts
+      - src/infrastructure/adapters/orm/mappers/category.mapper.ts
+      - src/infrastructure/adapters/orm/typeorm.module.ts
+      - src/infrastructure/adapters/orm/categories-orm.module.ts
+      - src/infrastructure/adapters/orm/migrations/0000000000000-create-categories.migration.ts
+      - src/presentation/rest/categories/categories.module.ts
+      - src/presentation/rest/categories/controllers/create-category.controller.ts
+      - src/presentation/rest/categories/controllers/list-categories.controller.ts
+      - src/presentation/rest/categories/dtos/create-category-input.dto.ts
+      - src/presentation/rest/categories/dtos/category-output.dto.ts
+      - tests/categories-crud.e2e-spec.ts
+    evented-api:
+      - src/application/business/categories/events/category-created.event.ts
+      - src/application/business/categories/ports/out/category-event-publisher.port.ts
+      - src/application/business/categories/ports/out/event-idempotency-store.port.ts
+      - src/application/business/categories/handlers/category-created.handler.ts
+      - src/application/business/categories/use-cases/create-category.use-case.ts
+      - src/infrastructure/adapters/queue/category-event-publisher.adapter.ts
+      - src/infrastructure/adapters/queue/category-events.consumer.ts
+      - src/infrastructure/adapters/queue/event-idempotency-store.adapter.ts
+      - docs/events/category-created.md
+      - tests/categories-events.e2e-spec.ts
+    ai-agent-api:
+      - src/presentation/rest/agents/agents.module.ts
+      - src/presentation/rest/agents/controllers/agent-runs.controller.ts
+      - src/presentation/rest/agents/dtos/run-agent-input.dto.ts
+      - src/presentation/rest/agents/dtos/agent-run-output.dto.ts
+      - src/application/intelligence/agents/ports/in/run-agent.use-case.port.ts
+      - src/application/intelligence/agents/use-cases/run-agent.use-case.ts
+      - src/application/intelligence/agents/ports/out/llm-provider.port.ts
+      - src/application/intelligence/agents/ports/out/agent-tool-registry.port.ts
+      - src/application/intelligence/agents/ports/out/agent-audit.port.ts
+      - src/application/intelligence/agents/services/prompt-safety.service.ts
+      - src/application/intelligence/agents/services/redaction.service.ts
+      - src/infrastructure/adapters/llm/llm-provider.adapter.ts
+      - src/infrastructure/adapters/audit/agent-audit.adapter.ts
+      - docs/agents/ai-agent-api.md
+      - tests/agents.e2e-spec.ts
+      - tests/agents-safety.spec.ts
+    full-foundation-compatible:
+      - src/application/application.module.ts
+      - src/domain/auth/business-objects/api-keys.bo.ts
+      - src/infrastructure/adapters/orm/typeorm.module.ts
+      - src/infrastructure/adapters/orm/auth-orm.module.ts
+      - src/infrastructure/infrastructure.module.ts
+      - src/presentation/presentation.module.ts
+      - src/shared/domain/generic-business-object.ts
+      - .sdd/plugin-evidence/<FEAT>/<operation>/evidence-manifest.yaml
+minimal_rest_profile_recipe:
+  id: minimal-rest-profile-recipe
+  version: 1
+  profile_id: minimal-rest
+  title: Minimal REST profile recipe
+  foundation_reference: devtrack-foundation-api
+  inherits_shared_baseline: true
+  required_baseline_requirements:
+    - openapi-swagger-docs
+    - env-example
+    - package-json-scripts
+    - application-usecase-boundary
+    - dto-validation
+    - structured-api-errors
+    - auth-authz-planning
+    - route-and-usecase-tests
+  required_artifacts:
+    - path: package.json
+      category: scripts
+      content_markers:
+        - '"build"'
+        - '"start"'
+        - '"start:dev"'
+        - '"start:prod"'
+        - '"lint"'
+        - '"test"'
+        - '"test:cov"'
+        - '"test:e2e"'
+        - '"cleanup"'
+        - '"cleanup:install"'
+        - node scripts/kill-port.js
+        - npm run
+        - npm install
+    - path: scripts/cleanup.sh
+      category: scripts
+      content_markers:
+        - node_modules
+        - dist
+        - build
+        - coverage
+        - .cache
+        - .turbo
+        - .nest
+        - package-lock.json
+        - pnpm-lock.yaml
+        - yarn.lock
+        - bun.lock
+        - tsbuildinfo
+    - path: scripts/kill-port.js
+      category: scripts
+      content_markers:
+        - process.argv[2]
+        - process.env.PORT
+        - process.env.APP_PORT
+        - lsof -ti
+        - netstat -ano
+        - kill -9
+        - taskkill
+    - path: .env.example
+      category: environment
+      content_markers:
+        - PORT=
+        - SWAGGER_SERVER_LOCAL=
+    - path: src/main.ts
+      category: documentation
+      content_markers:
+        - ValidationPipe
+        - DocumentBuilder
+        - SwaggerModule.createDocument
+        - SwaggerModule.setup
+    - path: src/presentation/rest/rest.module.ts
+      category: root-wiring
+      content_markers:
+        - "@Module"
+        - HealthController
+    - path: src/presentation/rest/health/health.controller.ts
+      category: health
+      content_markers:
+        - "@Controller"
+        - "@Get"
+        - ApiOperation
+    - path: src/application/business/health/ports/in/read-health.use-case.port.ts
+      category: use-case
+      content_markers:
+        - ReadHealthUseCasePort
+    - path: src/application/business/health/use-cases/read-health.use-case.ts
+      category: use-case
+      content_markers:
+        - ReadHealthUseCase
+    - path: src/application/business/auth/ports/in/register.use-case.port.ts
+      category: use-case
+      content_markers:
+        - RegisterUseCasePort
+    - path: src/application/business/auth/use-cases/register.use-case.ts
+      category: use-case
+      content_markers:
+        - RegisterUseCase
+    - path: src/presentation/rest/auth/controllers/register.controller.ts
+      category: documentation
+      content_markers:
+        - "@Controller"
+        - ApiOperation
+    - path: src/presentation/rest/auth/dtos/register-input.dto.ts
+      category: dto
+      content_markers:
+        - ApiProperty
+        - Is
+    - path: src/presentation/dtos/api-error-response.dto.ts
+      category: structured-errors
+      content_markers:
+        - ApiProperty
+    - path: tests/app.e2e-spec.ts
+      category: tests
+      content_markers:
+        - request
+        - expect
+    - path: tests/health.e2e-spec.ts
+      category: tests
+      content_markers:
+        - /health
+        - expect
+  required_quality_gates:
+    - openapi-docs-required
+    - env-example-required
+    - package-scripts-required
+    - application-usecase-route-boundary
+    - dto-validation-required
+    - structured-error-contract-required
+    - authz-planning-required
+    - route-usecase-tests-required
+    - minimal-rest-recipe-required
+    - minimal-rest-openapi-docs-required
+    - minimal-rest-env-example-required
+    - minimal-rest-package-scripts-required
+    - minimal-rest-dto-usecase-boundary-required
+    - minimal-rest-structured-errors-required
+    - minimal-rest-health-root-wiring-required
+    - minimal-rest-route-usecase-tests-required
+  required_validation_commands:
+    - pnpm run build
+    - pnpm run lint
+    - pnpm test
+    - pnpm run test:e2e
+  validator:
+    runtime_function: validateMinimalRestProfileRecipe
+    failure_codes:
+      - MINIMAL_REST_PROFILE_MISMATCH
+      - MINIMAL_REST_ARTIFACT_MISSING
+      - MINIMAL_REST_CONTENT_MARKER_MISSING
+      - MINIMAL_REST_QUALITY_GATE_MISSING
+      - MINIMAL_REST_VALIDATION_COMMAND_MISSING
+rest_auth_rbac_profile_recipe:
+  id: rest-auth-rbac-profile-recipe
+  version: 1
+  profile_id: rest-auth-rbac
+  title: REST Auth RBAC profile recipe
+  foundation_reference: devtrack-foundation-api
+  inherits_shared_baseline: true
+  required_baseline_requirements:
+    - openapi-swagger-docs
+    - env-example
+    - package-json-scripts
+    - application-usecase-boundary
+    - dto-validation
+    - structured-api-errors
+    - auth-authz-planning
+    - route-and-usecase-tests
+  required_artifacts:
+    - path: package.json
+      category: scripts
+      content_markers:
+        - '"build"'
+        - '"start"'
+        - '"start:dev"'
+        - '"start:prod"'
+        - '"lint"'
+        - '"test"'
+        - '"test:cov"'
+        - '"test:e2e"'
+        - '"cleanup"'
+        - '"cleanup:install"'
+        - node scripts/kill-port.js
+        - npm run
+        - npm install
+    - path: scripts/cleanup.sh
+      category: scripts
+      content_markers:
+        - node_modules
+        - dist
+        - build
+        - coverage
+        - .cache
+        - .turbo
+        - .nest
+        - package-lock.json
+        - pnpm-lock.yaml
+        - yarn.lock
+        - bun.lock
+        - tsbuildinfo
+    - path: scripts/kill-port.js
+      category: scripts
+      content_markers:
+        - process.argv[2]
+        - process.env.PORT
+        - process.env.APP_PORT
+        - lsof -ti
+        - netstat -ano
+        - kill -9
+        - taskkill
+    - path: .env.example
+      category: auth-configuration
+      content_markers:
+        - JWT_SECRET=
+        - JWT_EXPIRES_IN=
+        - SWAGGER_SERVER_LOCAL=
+    - path: src/main.ts
+      category: documentation
+      content_markers:
+        - ValidationPipe
+        - DocumentBuilder
+        - SwaggerModule.setup
+        - addBearerAuth
+    - path: src/presentation/rest/auth/auth.module.ts
+      category: root-wiring
+      content_markers:
+        - "@Module"
+        - JwtAuthGuard
+        - PermissionGuard
+    - path: src/presentation/rest/auth/controllers/login.controller.ts
+      category: auth-controller
+      content_markers:
+        - "@Controller"
+        - LoginUseCasePortSymbol
+        - ApiOperation
+    - path: src/presentation/rest/auth/controllers/create-role.controller.ts
+      category: rbac-policy
+      content_markers:
+        - ApiBearerAuth
+        - UseGuards
+        - Permission("rbac.roles.write")
+        - AuthenticatedRequestType
+    - path: src/presentation/rest/auth/controllers/list-roles.controller.ts
+      category: rbac-policy
+      content_markers:
+        - ApiBearerAuth
+        - UseGuards
+        - Permission("rbac.roles.read")
+        - AuthenticatedRequestType
+    - path: src/presentation/rest/auth/dtos/auth-session-output.dto.ts
+      category: auth-session
+      content_markers:
+        - ApiProperty
+        - accessToken
+        - permissions
+    - path: src/presentation/rest/auth/guards/jwt-auth.guard.ts
+      category: guard
+      content_markers:
+        - AuthGuard("jwt")
+        - CanActivate
+        - JwtAuthGuard
+    - path: src/presentation/rest/auth/guards/permission.guard.ts
+      category: guard
+      content_markers:
+        - Reflector
+        - PERMISSION_METADATA_KEY
+        - canActivate
+    - path: src/presentation/rest/auth/decorators/permission.decorator.ts
+      category: decorator
+      content_markers:
+        - SetMetadata
+        - PERMISSION_METADATA_KEY
+        - required-permission
+    - path: src/application/business/auth/ports/in/authenticated-user.type.ts
+      category: current-user
+      content_markers:
+        - AuthenticatedUserType
+        - AuthenticatedRequestType
+        - user
+    - path: src/application/business/auth/ports/in/login.use-case.port.ts
+      category: use-case
+      content_markers:
+        - LoginUseCasePort
+        - execute
+    - path: src/application/business/auth/use-cases/login.use-case.ts
+      category: use-case
+      content_markers:
+        - LoginUseCase
+        - PasswordHashServicePort
+        - JwtPort
+    - path: src/application/business/auth/ports/out/access-control.service.port.ts
+      category: rbac-policy
+      content_markers:
+        - AccessControlServicePort
+        - ensurePermission
+    - path: src/application/business/auth/services/access-control.service.ts
+      category: rbac-policy
+      content_markers:
+        - AccessControlService
+        - ensurePermission
+        - UnauthorizedException
+    - path: src/infrastructure/adapters/auth/jwt.strategy.ts
+      category: auth-strategy
+      content_markers:
+        - PassportStrategy
+        - ExtractJwt.fromAuthHeaderAsBearerToken
+        - secretOrKey
+    - path: tests/auth-rbac.e2e-spec.ts
+      category: auth-tests
+      content_markers:
+        - expect(401)
+        - Authorization
+        - rbac.roles
+  required_quality_gates:
+    - openapi-docs-required
+    - env-example-required
+    - package-scripts-required
+    - application-usecase-route-boundary
+    - dto-validation-required
+    - structured-error-contract-required
+    - authz-planning-required
+    - route-usecase-tests-required
+    - rest-auth-rbac-recipe-required
+    - rest-auth-rbac-auth-plan-required
+    - rest-auth-rbac-jwt-strategy-required
+    - rest-auth-rbac-route-guards-required
+    - rest-auth-rbac-permission-decorator-required
+    - rest-auth-rbac-current-user-boundary-required
+    - rest-auth-rbac-protected-openapi-docs-required
+    - rest-auth-rbac-allow-deny-tests-required
+  required_validation_commands:
+    - pnpm run build
+    - pnpm run lint
+    - pnpm test
+    - pnpm run test:e2e
+  validator:
+    runtime_function: validateRestAuthRbacProfileRecipe
+    failure_codes:
+      - REST_AUTH_RBAC_PROFILE_MISMATCH
+      - REST_AUTH_RBAC_ARTIFACT_MISSING
+      - REST_AUTH_RBAC_CONTENT_MARKER_MISSING
+      - REST_AUTH_RBAC_QUALITY_GATE_MISSING
+      - REST_AUTH_RBAC_VALIDATION_COMMAND_MISSING
+rest_crud_typeorm_profile_recipe:
+  id: rest-crud-typeorm-profile-recipe
+  version: 1
+  profile_id: rest-crud-typeorm
+  title: REST CRUD TypeORM profile recipe
+  foundation_reference: devtrack-foundation-api
+  inherits_shared_baseline: true
+  required_baseline_requirements:
+    - openapi-swagger-docs
+    - env-example
+    - package-json-scripts
+    - application-usecase-boundary
+    - dto-validation
+    - structured-api-errors
+    - auth-authz-planning
+    - route-and-usecase-tests
+  required_artifacts:
+    - path: package.json
+      category: scripts
+      content_markers:
+        - '"build"'
+        - '"start"'
+        - '"start:dev"'
+        - '"start:prod"'
+        - '"lint"'
+        - '"test"'
+        - '"test:cov"'
+        - '"test:e2e"'
+        - '"cleanup"'
+        - '"cleanup:install"'
+        - node scripts/kill-port.js
+        - npm run
+        - npm install
+        - '"migration:run"'
+        - '"migration:revert"'
+        - '"migration:show"'
+        - '"typeorm"'
+        - '"@nestjs/typeorm"'
+    - path: scripts/cleanup.sh
+      category: scripts
+      content_markers:
+        - node_modules
+        - dist
+        - build
+        - coverage
+        - .cache
+        - .turbo
+        - .nest
+        - package-lock.json
+        - pnpm-lock.yaml
+        - yarn.lock
+        - bun.lock
+        - tsbuildinfo
+    - path: scripts/kill-port.js
+      category: scripts
+      content_markers:
+        - process.argv[2]
+        - process.env.PORT
+        - process.env.APP_PORT
+        - lsof -ti
+        - netstat -ano
+        - kill -9
+        - taskkill
+    - path: .env.example
+      category: persistence-configuration
+      content_markers:
+        - DB_HOST=
+        - DB_NAME=
+        - TYPEORM_SYNCHRONIZE=
+    - path: src/domain/categories/business-objects/category.bo.ts
+      category: business-object
+      content_markers:
+        - CategoryBusinessObject
+        - validate
+        - name
+    - path: src/domain/categories/types/category.type.ts
+      category: domain-type
+      content_markers:
+        - CategoryType
+        - id
+        - name
+    - path: src/application/business/categories/ports/out/category-repository.port.ts
+      category: repository-port
+      content_markers:
+        - CategoryRepositoryPort
+        - findById
+        - findByName
+        - findPage
+        - save
+    - path: src/application/business/categories/ports/in/create-category.use-case.port.ts
+      category: use-case
+      content_markers:
+        - CreateCategoryUseCasePort
+        - execute
+    - path: src/application/business/categories/use-cases/create-category.use-case.ts
+      category: use-case
+      content_markers:
+        - CreateCategoryUseCase
+        - CategoryRepositoryPort
+        - findByName
+        - transaction
+    - path: src/application/business/categories/ports/in/list-categories.use-case.port.ts
+      category: pagination-filtering
+      content_markers:
+        - ListCategoriesUseCasePort
+        - page
+        - limit
+    - path: src/application/business/categories/use-cases/list-categories.use-case.ts
+      category: pagination-filtering
+      content_markers:
+        - ListCategoriesUseCase
+        - findPage
+        - filter
+    - path: src/infrastructure/adapters/orm/entities/category.orm-entity.ts
+      category: orm-entity
+      content_markers:
+        - "@Entity"
+        - "@Column"
+        - "@Index"
+    - path: src/infrastructure/adapters/orm/repositories/category.typeorm-repository.ts
+      category: orm-repository
+      content_markers:
+        - InjectRepository
+        - Repository<CategoryOrmEntity>
+        - CategoryRepositoryPort
+    - path: src/infrastructure/adapters/orm/mappers/category.mapper.ts
+      category: orm-mapper
+      content_markers:
+        - CategoryMapper
+        - toDomain
+        - toOrm
+    - path: src/infrastructure/adapters/orm/typeorm.module.ts
+      category: orm-module
+      content_markers:
+        - TypeOrmRootModule
+        - TypeOrmModule.forRootAsync
+        - typeOrmConfig
+    - path: src/infrastructure/adapters/orm/categories-orm.module.ts
+      category: orm-module
+      content_markers:
+        - "@Global"
+        - TypeOrmModule.forFeature
+        - CategoryRepositoryPortSymbol
+    - path: src/infrastructure/adapters/orm/migrations/0000000000000-create-categories.migration.ts
+      category: migration
+      content_markers:
+        - MigrationInterface
+        - createTable
+        - categories
+    - path: src/presentation/rest/categories/categories.module.ts
+      category: root-wiring
+      content_markers:
+        - "@Module"
+        - CreateCategoryController
+        - ListCategoriesController
+    - path: src/presentation/rest/categories/controllers/create-category.controller.ts
+      category: crud-controller
+      content_markers:
+        - "@Controller"
+        - "@Post"
+        - ApiOperation
+        - CreateCategoryUseCasePortSymbol
+    - path: src/presentation/rest/categories/controllers/list-categories.controller.ts
+      category: pagination-filtering
+      content_markers:
+        - "@Controller"
+        - "@Get"
+        - ApiQuery
+        - ListCategoriesUseCasePortSymbol
+    - path: src/presentation/rest/categories/dtos/create-category-input.dto.ts
+      category: dto
+      content_markers:
+        - ApiProperty
+        - IsString
+        - MaxLength
+    - path: src/presentation/rest/categories/dtos/category-output.dto.ts
+      category: dto
+      content_markers:
+        - ApiProperty
+        - id
+        - name
+    - path: tests/categories-crud.e2e-spec.ts
+      category: crud-tests
+      content_markers:
+        - POST /categories
+        - GET /categories
+        - expect(409)
+        - page=1
+  required_quality_gates:
+    - openapi-docs-required
+    - env-example-required
+    - package-scripts-required
+    - application-usecase-route-boundary
+    - dto-validation-required
+    - structured-error-contract-required
+    - authz-planning-required
+    - route-usecase-tests-required
+    - rest-crud-typeorm-recipe-required
+    - rest-crud-typeorm-bo-pattern-required
+    - rest-crud-typeorm-application-repository-port-required
+    - rest-crud-typeorm-usecase-transaction-boundary-required
+    - rest-crud-typeorm-infrastructure-orm-required
+    - rest-crud-typeorm-migration-required
+    - rest-crud-typeorm-pagination-filtering-required
+    - rest-crud-typeorm-uniqueness-required
+    - rest-crud-typeorm-crud-tests-required
+    - rest-crud-typeorm-no-prisma-required
+  required_validation_commands:
+    - pnpm run build
+    - pnpm run lint
+    - pnpm test
+    - pnpm run test:e2e
+    - pnpm run migration:show
+  forbidden_artifact_patterns:
+    - prisma/**
+    - "**/*.prisma"
+    - src/domain/categories/entities/**
+    - src/domain/categories/repository-ports/**
+    - typeorm-artifacts-outside-src/infrastructure/adapters/orm/**
+  forbidden_content_markers:
+    - PrismaClient
+    - "@prisma/client"
+    - prisma.
+  validator:
+    runtime_function: validateRestCrudTypeormProfileRecipe
+    failure_codes:
+      - REST_CRUD_TYPEORM_PROFILE_MISMATCH
+      - REST_CRUD_TYPEORM_ARTIFACT_MISSING
+      - REST_CRUD_TYPEORM_CONTENT_MARKER_MISSING
+      - REST_CRUD_TYPEORM_QUALITY_GATE_MISSING
+      - REST_CRUD_TYPEORM_VALIDATION_COMMAND_MISSING
+      - REST_CRUD_TYPEORM_FORBIDDEN_ARTIFACT
+      - REST_CRUD_TYPEORM_FORBIDDEN_CONTENT_MARKER
+evented_api_profile_recipe:
+  id: evented-api-profile-recipe
+  version: 1
+  profile_id: evented-api
+  title: Evented API profile recipe
+  foundation_reference: devtrack-foundation-api
+  inherits_shared_baseline: true
+  required_baseline_requirements:
+    - openapi-swagger-docs
+    - env-example
+    - package-json-scripts
+    - application-usecase-boundary
+    - dto-validation
+    - structured-api-errors
+    - auth-authz-planning
+    - route-and-usecase-tests
+  required_artifacts:
+    - path: package.json
+      category: scripts
+      content_markers:
+        - '"build"'
+        - '"start"'
+        - '"start:dev"'
+        - '"start:prod"'
+        - '"lint"'
+        - '"test"'
+        - '"test:cov"'
+        - '"test:e2e"'
+        - '"cleanup"'
+        - '"cleanup:install"'
+        - node scripts/kill-port.js
+        - npm run
+        - npm install
+        - '"@nestjs/bullmq"'
+        - '"bullmq"'
+    - path: scripts/cleanup.sh
+      category: scripts
+      content_markers:
+        - node_modules
+        - dist
+        - build
+        - coverage
+        - .cache
+        - .turbo
+        - .nest
+        - package-lock.json
+        - pnpm-lock.yaml
+        - yarn.lock
+        - bun.lock
+        - tsbuildinfo
+    - path: scripts/kill-port.js
+      category: scripts
+      content_markers:
+        - process.argv[2]
+        - process.env.PORT
+        - process.env.APP_PORT
+        - lsof -ti
+        - netstat -ano
+        - kill -9
+        - taskkill
+    - path: .env.example
+      category: event-configuration
+      content_markers:
+        - EVENT_QUEUE_NAME=
+        - EVENT_RETRY_ATTEMPTS=
+        - EVENT_IDEMPOTENCY_TTL_SECONDS=
+    - path: src/application/business/categories/events/category-created.event.ts
+      category: event-contract
+      content_markers:
+        - CategoryCreatedEvent
+        - eventId
+        - categoryId
+        - occurredAt
+    - path: src/application/business/categories/ports/out/category-event-publisher.port.ts
+      category: event-publisher-port
+      content_markers:
+        - CategoryEventPublisherPort
+        - publishCategoryCreated
+        - idempotencyKey
+    - path: src/application/business/categories/ports/out/event-idempotency-store.port.ts
+      category: idempotency
+      content_markers:
+        - EventIdempotencyStorePort
+        - hasProcessed
+        - markProcessed
+    - path: src/application/business/categories/handlers/category-created.handler.ts
+      category: event-handler
+      content_markers:
+        - CategoryCreatedHandler
+        - CategoryCreatedEvent
+        - EventIdempotencyStorePort
+        - publishCategoryCreated
+    - path: src/application/business/categories/use-cases/create-category.use-case.ts
+      category: event-handler
+      content_markers:
+        - CreateCategoryUseCase
+        - CategoryCreatedEvent
+        - CategoryCreatedHandler
+    - path: src/infrastructure/adapters/queue/category-event-publisher.adapter.ts
+      category: outbox-queue
+      content_markers:
+        - CategoryEventPublisherAdapter
+        - Queue
+        - idempotencyKey
+        - retry
+    - path: src/infrastructure/adapters/queue/category-events.consumer.ts
+      category: event-consumer
+      content_markers:
+        - Processor
+        - Process
+        - CategoryCreatedHandler
+        - deadLetter
+    - path: src/infrastructure/adapters/queue/event-idempotency-store.adapter.ts
+      category: idempotency
+      content_markers:
+        - EventIdempotencyStoreAdapter
+        - hasProcessed
+        - markProcessed
+        - ttl
+    - path: docs/events/category-created.md
+      category: event-docs
+      content_markers:
+        - category.created
+        - payload
+        - idempotencyKey
+        - retry
+    - path: tests/categories-events.e2e-spec.ts
+      category: event-tests
+      content_markers:
+        - category.created
+        - idempotency
+        - retry
+        - expect
+  required_quality_gates:
+    - openapi-docs-required
+    - env-example-required
+    - package-scripts-required
+    - application-usecase-route-boundary
+    - dto-validation-required
+    - structured-error-contract-required
+    - authz-planning-required
+    - route-usecase-tests-required
+    - evented-api-recipe-required
+    - evented-api-event-contract-required
+    - evented-api-application-handler-required
+    - evented-api-event-publisher-port-required
+    - evented-api-outbox-or-queue-required
+    - evented-api-idempotency-required
+    - evented-api-retry-error-policy-required
+    - evented-api-event-docs-required
+    - evented-api-event-tests-required
+  required_validation_commands:
+    - pnpm run build
+    - pnpm run lint
+    - pnpm test
+    - pnpm run test:e2e
+  validator:
+    runtime_function: validateEventedApiProfileRecipe
+    failure_codes:
+      - EVENTED_API_PROFILE_MISMATCH
+      - EVENTED_API_ARTIFACT_MISSING
+      - EVENTED_API_CONTENT_MARKER_MISSING
+      - EVENTED_API_QUALITY_GATE_MISSING
+      - EVENTED_API_VALIDATION_COMMAND_MISSING
+ai_agent_api_profile_recipe:
+  id: ai-agent-api-profile-recipe
+  version: 1
+  profile_id: ai-agent-api
+  title: AI Agent API profile recipe
+  foundation_reference: devtrack-foundation-api
+  inherits_shared_baseline: true
+  required_baseline_requirements:
+    - openapi-swagger-docs
+    - env-example
+    - package-json-scripts
+    - application-usecase-boundary
+    - dto-validation
+    - structured-api-errors
+    - auth-authz-planning
+    - route-and-usecase-tests
+  required_artifacts:
+    - path: package.json
+      category: scripts
+      content_markers:
+        - '"build"'
+        - '"start"'
+        - '"start:dev"'
+        - '"start:prod"'
+        - '"lint"'
+        - '"test"'
+        - '"test:cov"'
+        - '"test:e2e"'
+        - '"cleanup"'
+        - '"cleanup:install"'
+        - node scripts/kill-port.js
+        - npm run
+        - npm install
+    - path: scripts/cleanup.sh
+      category: scripts
+      content_markers:
+        - node_modules
+        - dist
+        - build
+        - coverage
+        - .cache
+        - .turbo
+        - .nest
+        - package-lock.json
+        - pnpm-lock.yaml
+        - yarn.lock
+        - bun.lock
+        - tsbuildinfo
+    - path: scripts/kill-port.js
+      category: scripts
+      content_markers:
+        - process.argv[2]
+        - process.env.PORT
+        - process.env.APP_PORT
+        - lsof -ti
+        - netstat -ano
+        - kill -9
+        - taskkill
+    - path: .env.example
+      category: agent-configuration
+      content_markers:
+        - AI_PROVIDER=
+        - AI_MODEL=
+        - AI_API_KEY=
+        - AI_AUDIT_ENABLED=
+    - path: src/presentation/rest/agents/agents.module.ts
+      category: root-wiring
+      content_markers:
+        - "@Module"
+        - AgentRunsController
+        - RunAgentUseCasePortSymbol
+    - path: src/presentation/rest/agents/controllers/agent-runs.controller.ts
+      category: agent-controller
+      content_markers:
+        - "@Controller"
+        - "@Post"
+        - ApiOperation
+        - RunAgentUseCasePortSymbol
+    - path: src/presentation/rest/agents/dtos/run-agent-input.dto.ts
+      category: agent-dto
+      content_markers:
+        - ApiProperty
+        - IsString
+        - prompt
+        - allowedTools
+    - path: src/presentation/rest/agents/dtos/agent-run-output.dto.ts
+      category: agent-dto
+      content_markers:
+        - ApiProperty
+        - runId
+        - output
+        - auditId
+    - path: src/application/intelligence/agents/ports/in/run-agent.use-case.port.ts
+      category: agent-use-case
+      content_markers:
+        - RunAgentUseCasePort
+        - execute
+    - path: src/application/intelligence/agents/use-cases/run-agent.use-case.ts
+      category: agent-use-case
+      content_markers:
+        - RunAgentUseCase
+        - LlmProviderPort
+        - AgentToolRegistryPort
+        - PromptSafetyPolicyPort
+        - redact
+    - path: src/application/intelligence/agents/ports/out/llm-provider.port.ts
+      category: agent-provider-port
+      content_markers:
+        - LlmProviderPort
+        - complete
+        - model
+    - path: src/application/intelligence/agents/ports/out/agent-tool-registry.port.ts
+      category: agent-tool-port
+      content_markers:
+        - AgentToolRegistryPort
+        - executeTool
+        - allowedTools
+    - path: src/application/intelligence/agents/ports/out/agent-audit.port.ts
+      category: agent-audit
+      content_markers:
+        - AgentAuditPort
+        - recordToolCall
+        - redactedInput
+    - path: src/application/intelligence/agents/services/prompt-safety.service.ts
+      category: agent-safety
+      content_markers:
+        - PromptSafetyPolicy
+        - validatePrompt
+        - blockedPatterns
+    - path: src/application/intelligence/agents/services/redaction.service.ts
+      category: agent-redaction
+      content_markers:
+        - RedactionService
+        - redact
+        - secret
+        - token
+    - path: src/infrastructure/adapters/llm/llm-provider.adapter.ts
+      category: agent-provider-adapter
+      content_markers:
+        - LlmProviderAdapter
+        - LlmProviderPort
+        - AI_API_KEY
+        - redact
+    - path: src/infrastructure/adapters/audit/agent-audit.adapter.ts
+      category: agent-audit
+      content_markers:
+        - AgentAuditAdapter
+        - AgentAuditPort
+        - recordToolCall
+        - redacted
+    - path: docs/agents/ai-agent-api.md
+      category: agent-docs
+      content_markers:
+        - tool boundary
+        - redaction
+        - audit trail
+        - deterministic tests
+    - path: tests/agents.e2e-spec.ts
+      category: agent-tests
+      content_markers:
+        - POST /agents/runs
+        - deterministic
+        - no live credentials
+        - expect
+    - path: tests/agents-safety.spec.ts
+      category: agent-tests
+      content_markers:
+        - PromptSafetyPolicy
+        - RedactionService
+        - blocked
+        - redact
+  required_quality_gates:
+    - openapi-docs-required
+    - env-example-required
+    - package-scripts-required
+    - application-usecase-route-boundary
+    - dto-validation-required
+    - structured-error-contract-required
+    - authz-planning-required
+    - route-usecase-tests-required
+    - ai-agent-api-recipe-required
+    - ai-agent-api-endpoint-contract-required
+    - ai-agent-api-tool-boundary-required
+    - ai-agent-api-provider-config-redaction-required
+    - ai-agent-api-prompt-safety-required
+    - ai-agent-api-audit-trail-required
+    - ai-agent-api-deterministic-tests-required
+    - ai-agent-api-no-live-credentials-required
+  required_validation_commands:
+    - pnpm run build
+    - pnpm run lint
+    - pnpm test
+    - pnpm run test:e2e
+  forbidden_content_markers:
+    - AI_API_KEY=sk-
+    - OPENAI_API_KEY=sk-
+    - ANTHROPIC_API_KEY=sk-
+    - LIVE_PROVIDER_CALL=true
+  validator:
+    runtime_function: validateAiAgentApiProfileRecipe
+    failure_codes:
+      - AI_AGENT_API_PROFILE_MISMATCH
+      - AI_AGENT_API_ARTIFACT_MISSING
+      - AI_AGENT_API_CONTENT_MARKER_MISSING
+      - AI_AGENT_API_QUALITY_GATE_MISSING
+      - AI_AGENT_API_VALIDATION_COMMAND_MISSING
+      - AI_AGENT_API_FORBIDDEN_CONTENT_MARKER
+full_foundation_compatible_profile:
+  id: full-foundation-compatible-parity-matrix
+  version: 1
+  profile_id: full-foundation-compatible
+  foundation_reference: devtrack-foundation-api
+  dimensions:
+    - id: architecture-roots
+      title: Foundation-compatible source roots
+      severity: P0
+      quality_gate: foundation-architecture-roots-parity
+      contract_rule_refs:
+        - DTAPI-P0-FULL-FOUNDATION-PARITY-001
+        - DTAPI-P0-PATH-001
+        - DTAPI-P0-IMPORTS-001
+      required_artifacts:
+        - src/application/**
+        - src/domain/**
+        - src/infrastructure/**
+        - src/presentation/**
+        - src/shared/**
+      required_evidence:
+        - generated roots use Foundation-compatible singular output structure
+        - artifact map records Foundation source references
+    - id: contract-boundaries
+      title: Application and domain contract boundaries
+      severity: P0
+      quality_gate: foundation-contract-boundaries-parity
+      contract_rule_refs:
+        - DTAPI-P0-FULL-FOUNDATION-PARITY-001
+        - DTAPI-P0-COMPOSITION-001
+        - DTAPI-P0-PORTS-001
+      required_artifacts:
+        - src/application/**/ports/**
+        - src/application/**/use-cases/**
+        - src/domain/**
+      required_evidence:
+        - ports and use cases are present for user-facing flows
+        - presentation does not call infrastructure directly
+    - id: api-documentation
+      title: Swagger/OpenAPI parity
+      severity: P0
+      quality_gate: foundation-api-documentation-parity
+      contract_rule_refs:
+        - DTAPI-P0-FULL-FOUNDATION-PARITY-001
+        - DTAPI-P0-OPENAPI-001
+      required_artifacts:
+        - src/main.ts
+        - src/presentation/rest/**
+        - .env.example
+      required_evidence:
+        - Swagger bootstrap and /docs route are present
+        - controllers and DTOs expose documented request and response shapes
+    - id: env-and-runtime-config
+      title: Environment and typed runtime configuration parity
+      severity: P0
+      quality_gate: foundation-env-runtime-config-parity
+      contract_rule_refs:
+        - DTAPI-P0-FULL-FOUNDATION-PARITY-001
+        - DTAPI-P0-TOOL-BASELINE-001
+      required_artifacts:
+        - .env.example
+        - src/infrastructure/settings/**
+      required_evidence:
+        - all runtime variables are represented as placeholders
+        - typed configuration reads environment without exposing secrets
+    - id: package-scripts
+      title: Package scripts and operational bootstrap parity
+      severity: P0
+      quality_gate: foundation-package-scripts-parity
+      contract_rule_refs:
+        - DTAPI-P0-FULL-FOUNDATION-PARITY-001
+        - DTAPI-P0-TOOL-BASELINE-001
+        - DTAPI-P0-RUNTIME-SCRIPTS-001
+      required_artifacts:
+        - package.json
+        - scripts/cleanup.sh
+        - scripts/kill-port.js
+      required_evidence:
+        - build, lint, test, coverage, e2e, cleanup, cleanup:install, start, start:dev, and start:prod scripts are present
+        - start and start:dev kill the configured port listener before continuing bootstrap
+        - nested package-script calls use npm run/npm install so npm and pnpm invocations both work without requiring pnpm in Docker
+        - migration scripts are present when persistence is included
+    - id: auth-and-authorization
+      title: Authentication, authorization, guards, and security docs parity
+      severity: P0
+      quality_gate: foundation-auth-authorization-parity
+      contract_rule_refs:
+        - DTAPI-P0-FULL-FOUNDATION-PARITY-001
+        - DTAPI-P0-AUTH-PLAN-001
+        - DTAPI-P0-OPENAPI-001
+      required_artifacts:
+        - src/presentation/**/guards/**
+        - src/presentation/**/decorators/**
+        - FEAT quality evidence
+      required_evidence:
+        - auth/authz decisions are recorded
+        - protected routes include guards/decorators and documented security schemes
+    - id: persistence-typeorm
+      title: TypeORM persistence parity
+      severity: P0
+      quality_gate: foundation-typeorm-persistence-parity
+      contract_rule_refs:
+        - DTAPI-P0-FULL-FOUNDATION-PARITY-001
+        - DTAPI-P0-TYPEORM-001
+        - DTAPI-P1-RUNTIME-001
+      required_artifacts:
+        - src/infrastructure/adapters/orm/typeorm.module.ts
+        - src/infrastructure/adapters/orm/*-orm.module.ts
+        - src/infrastructure/adapters/orm/**
+        - src/application/**/ports/out/**
+      required_evidence:
+        - persistence uses TypeORM only
+        - typeorm.module.ts owns root TypeORM wiring
+        - <context>-orm.module.ts exports repository/service port providers
+        - application depends on output ports instead of ORM entities
+    - id: validation-and-errors
+      title: Validation and structured API errors parity
+      severity: P0
+      quality_gate: foundation-validation-errors-parity
+      contract_rule_refs:
+        - DTAPI-P0-FULL-FOUNDATION-PARITY-001
+        - DTAPI-P0-USECASE-001
+        - DTAPI-P0-OPENAPI-001
+      required_artifacts:
+        - src/main.ts
+        - src/presentation/**/dtos/**
+        - src/presentation/dtos/api-error-response.dto.ts
+      required_evidence:
+        - validation pipe is configured
+        - DTO validators and structured error response docs are present
+    - id: evidence-and-quality-gates
+      title: Evidence manifest and quality gates parity
+      severity: P0
+      quality_gate: foundation-evidence-quality-gates-parity
+      contract_rule_refs:
+        - DTAPI-P0-FULL-FOUNDATION-PARITY-001
+        - DTAPI-P1-EVIDENCE-001
+      required_artifacts:
+        - .sdd/plugin-evidence/**
+        - coverage/**
+        - test/**
+      required_evidence:
+        - artifact and evidence manifests are emitted
+        - validation commands and FEAT quality evidence are recorded
 derivation_profiles:
   prototype:
     default: false
@@ -99,6 +1610,88 @@ severity_model:
   P2:
     meaning: Lower-risk drift, documentation gap, or profile-specific variance.
     required_action: Record evidence, exception, or follow-up before closure.
+tool_level_api_minimums:
+  applies_to:
+    - API/backend/scaffold requests governed by devtrack-api
+    - REST route generation
+    - CRUD or bounded-context generation
+    - devtrack-api appliance scaffold previews
+  inferred_when_unspecified:
+    - package_json_scripts
+    - env_example
+    - swagger_openapi
+    - application_use_cases
+    - route_guards
+    - auth_authorization_planning
+  required_root_artifacts:
+    - package.json
+    - .env.example
+    - tsconfig.json
+    - nest-cli.json
+    - src/main.ts
+  required_package_scripts:
+    - build
+    - start
+    - start:dev
+    - start:prod
+    - lint
+    - test
+    - test:cov
+    - test:e2e
+    - cleanup
+    - cleanup:install
+    - migration:run when persistent schema changes exist
+    - migration:revert when persistent schema changes exist
+    - migration:show when persistent schema changes exist
+  operational_runtime_bootstrap:
+    required_artifacts:
+      - scripts/cleanup.sh
+      - scripts/kill-port.js
+    cleanup_contract:
+      - removes dependency installs such as node_modules
+      - removes build outputs, coverage, caches, and TypeScript compilation residue
+      - removes lockfiles unless an ADR preserves a canonical lockfile for the target project
+    port_preflight_contract:
+      - start and start:dev call node scripts/kill-port.js before Nest starts
+      - port is resolved from explicit script argument or PORT/APP_PORT environment
+      - Unix and Windows process termination paths are represented
+    package_manager_contract:
+      - scripts are invokable through npm run and pnpm run
+      - nested script composition uses npm run and npm install
+      - Docker runtime does not require pnpm unless the target explicitly opts in with ADR evidence
+  swagger_openapi:
+    docs_route: /docs
+    required_bootstrap:
+      - DocumentBuilder
+      - SwaggerModule.createDocument
+      - SwaggerModule.setup
+    required_controller_decorators:
+      - ApiTags
+      - ApiOperation
+      - ApiResponse or method-specific response decorators
+      - ApiBearerAuth when protected by bearer auth
+    required_dto_decorators:
+      - ApiProperty
+      - ApiPropertyOptional when optional fields exist
+    env_placeholders:
+      - SWAGGER_SERVER_LOCAL
+      - SWAGGER_SERVER_PROD when production docs are configured
+  application_slice:
+    route_requirement: Every user-facing route maps to one application input port and one use case.
+    forbidden_shortcuts:
+      - controller calling repository directly
+      - controller calling TypeORM directly
+      - controller calling infrastructure adapter directly
+      - controller using domain validators as transport/application orchestration
+  auth_authorization_planning:
+    required_plan_questions:
+      - Is authentication required?
+      - Which authentication mechanism applies?
+      - Is authorization required?
+      - Which role, permission, policy, ownership, or tenancy rule applies?
+      - Which routes are intentionally public?
+      - Which Swagger security scheme must be documented?
+    safest_default_when_unanswered: Protect non-health, non-login, non-registration, non-public write routes with the local guard pattern and record the assumption.
 rules:
   - id: DTAPI-P0-FOUNDATION-001
     severity: P0
@@ -127,6 +1720,195 @@ rules:
     required_response:
       - ask the human planner to approve the profile
       - record profile in the debate, FEAT workspace, or policy pool
+  - id: DTAPI-P0-CODESDD-PROFILE-FAMILY-001
+    severity: P0
+    title: CodeSDD API profile family must expose canonical profile ids.
+    applies_to:
+      - DEB
+      - EPIC
+      - FEAT
+      - source
+      - validator
+    detect:
+      - API profile catalog omits one of minimal-rest, rest-auth-rbac, rest-crud-typeorm, evented-api, ai-agent-api, or full-foundation-compatible
+      - devtrack-api is exposed as the normal public identity for new CodeSDD API work
+      - devtrack-api alias does not resolve to full-foundation-compatible with migration messaging
+    required_response:
+      - expose the six canonical profile ids
+      - route devtrack-api through compatibility-only alias handling
+      - record selected profile and inherited shared baseline in FEAT quality evidence
+  - id: DTAPI-P0-SHARED-BASELINE-001
+    severity: P0
+    title: Shared Foundation API baseline must be structurally synchronized.
+    applies_to:
+      - DEB
+      - EPIC
+      - FEAT
+      - source
+      - validator
+      - appliance
+    detect:
+      - foundation_api_shared_baseline.requirements ids diverge from codesdd_api_profile_family.shared_baseline_requirements
+      - runtime API profile catalog omits a shared baseline item, gate, artifact expectation, or evidence expectation
+      - appliance evidence omits foundation_baseline requirement inventory or any baseline quality gate
+      - a profile claims inherits_shared_baseline without proving inherited requirement ids
+    required_response:
+      - synchronize the structured baseline in contract-pack, runtime catalog, appliance evidence, and tests
+      - record per-item baseline inventory in FEAT quality evidence
+      - add or update profile-specific exceptions only through a documented FEAT/ADR exception
+  - id: DTAPI-P0-RUNTIME-SCRIPTS-001
+    severity: P0
+    title: Linked DevTrack API projects must ship cleanup and port-safe runtime bootstrap scripts.
+    applies_to:
+      - DEB
+      - EPIC
+      - FEAT
+      - source
+      - validator
+      - appliance
+    detect:
+      - package.json omits cleanup or cleanup:install scripts
+      - cleanup script does not remove dependency installs, build outputs, caches, lockfiles, or TypeScript compilation residue
+      - start or start:dev can fail on an occupied configured port instead of terminating the listener first
+      - package-script composition requires pnpm inside Docker when npm would be sufficient
+      - runtime API profile catalog or generated artifact map omits scripts/cleanup.sh or scripts/kill-port.js
+    required_response:
+      - require package.json, scripts/cleanup.sh, and scripts/kill-port.js in every linked devtrack-api profile
+      - keep generated start and start:dev scripts guarded by node scripts/kill-port.js
+      - make nested package scripts use npm run/npm install so npm and pnpm entrypoints both work
+      - record per-feature conformance evidence before finalize
+  - id: DTAPI-P0-PROFILE-DRY-RUN-EVIDENCE-001
+    severity: P0
+    title: Appliance dry-run evidence must expose profile-aware planning semantics.
+    applies_to:
+      - DEB
+      - EPIC
+      - FEAT
+      - source
+      - validator
+      - appliance
+    detect:
+      - appliance scaffold dry-run evidence omits profile_projection
+      - profile_projection omits selected_profile, requested_profile, legacy_alias, expected_writes, expected_quality_gates, artifact_map_refs, validation_results, or migration_warnings
+      - validation_results claim executed pass or fail status during dry-run instead of not_executed_dry_run with pending status
+      - devtrack-api compatibility alias resolves to full-foundation-compatible without a migration warning
+      - non-full profiles emit full_foundation_compatibility or full parity gates without governed FEAT approval
+    required_response:
+      - emit profile_projection for every canonical CodeSDD API profile dry-run
+      - include profile-specific expected writes and gates while keeping actual mutation disabled
+      - record dry-run validation results as pending not_executed_dry_run expectations
+      - restrict full_foundation_compatibility to full-foundation-compatible and the devtrack-api compatibility alias
+  - id: DTAPI-P0-MINIMAL-REST-RECIPE-001
+    severity: P0
+    title: minimal-rest profile must keep the production-grade API minimum recipe.
+    applies_to:
+      - DEB
+      - EPIC
+      - FEAT
+      - source
+      - validator
+      - appliance
+    detect:
+      - minimal_rest_profile_recipe omits OpenAPI docs, .env.example, package scripts, DTOs, application use cases, structured errors, health/root wiring, or route/use-case tests
+      - runtime minimal-rest recipe validator passes while required artifacts, quality gates, or validation commands are missing
+      - minimal-rest dry-run expected writes diverge from the recipe overlay artifacts
+    required_response:
+      - synchronize minimal_rest_profile_recipe with runtime recipe and dry-run expectations
+      - fail validation when any required minimal-rest artifact, quality gate, or command is missing
+      - record route/use-case test and OpenAPI evidence before claiming the smallest REST profile is production-grade
+  - id: DTAPI-P0-REST-AUTH-RBAC-RECIPE-001
+    severity: P0
+    title: rest-auth-rbac profile must keep authentication and authorization enforceable.
+    applies_to:
+      - DEB
+      - EPIC
+      - FEAT
+      - source
+      - validator
+      - appliance
+    detect:
+      - rest_auth_rbac_profile_recipe omits auth planning, JWT strategy, route guards, permission decorators, current-user boundary, protected OpenAPI docs, or allow/deny tests
+      - runtime rest-auth-rbac recipe validator passes while required artifacts, quality gates, content markers, or validation commands are missing
+      - rest-auth-rbac dry-run expected writes diverge from the auth/RBAC recipe overlay artifacts
+    required_response:
+      - synchronize rest_auth_rbac_profile_recipe with runtime recipe and dry-run expectations
+      - fail validation when any required rest-auth-rbac artifact, content marker, quality gate, or command is missing
+      - record protected-docs and allow/deny route evidence before claiming auth/RBAC readiness
+  - id: DTAPI-P0-REST-CRUD-TYPEORM-RECIPE-001
+    severity: P0
+    title: rest-crud-typeorm profile must keep CRUD persistence boundaries enforceable.
+    applies_to:
+      - DEB
+      - EPIC
+      - FEAT
+      - source
+      - validator
+      - appliance
+    detect:
+      - rest_crud_typeorm_profile_recipe omits BO-pattern domain artifact, application repository port, transactional use cases, TypeORM entity/repository/mapper, migration, pagination/filtering, uniqueness, or CRUD persistence tests
+      - runtime rest-crud-typeorm recipe validator passes while required artifacts, quality gates, content markers, or validation commands are missing
+      - rest-crud-typeorm dry-run expected writes diverge from the persistence recipe overlay artifacts
+      - CRUD persistence profile introduces Prisma, domain repository ports for a BO-pattern context, or TypeORM files outside infrastructure/adapters/orm
+    required_response:
+      - synchronize rest_crud_typeorm_profile_recipe with runtime recipe and dry-run expectations
+      - fail validation when any required rest-crud-typeorm artifact, content marker, quality gate, or command is missing
+      - record migration, repository-boundary, and CRUD integration evidence before claiming persistence readiness
+  - id: DTAPI-P0-EVENTED-API-RECIPE-001
+    severity: P0
+    title: evented-api profile must keep event contracts and delivery policy enforceable.
+    applies_to:
+      - DEB
+      - EPIC
+      - FEAT
+      - source
+      - validator
+      - appliance
+    detect:
+      - evented_api_profile_recipe omits application event contract, application handler, event publisher port, queue delivery adapter, idempotency boundary, retry/error policy, event docs, or event tests
+      - runtime evented-api recipe validator passes while required artifacts, quality gates, content markers, or validation commands are missing
+      - evented-api dry-run expected writes diverge from the event recipe overlay artifacts
+    required_response:
+      - synchronize evented_api_profile_recipe with runtime recipe and dry-run expectations
+      - fail validation when any required evented-api artifact, content marker, quality gate, or command is missing
+      - record event contract docs, handler tests, idempotency, and retry/error evidence before claiming event readiness
+  - id: DTAPI-P0-AI-AGENT-API-RECIPE-001
+    severity: P0
+    title: ai-agent-api profile must keep agent tool, safety, redaction, and audit boundaries enforceable.
+    applies_to:
+      - DEB
+      - EPIC
+      - FEAT
+      - source
+      - validator
+      - appliance
+    detect:
+      - ai_agent_api_profile_recipe omits agent endpoint contract, DTOs, input port, use case, provider port, tool registry port, safety policy, redaction service, audit port, provider/audit adapters, docs, or deterministic tests
+      - runtime ai-agent-api recipe validator passes while required artifacts, quality gates, content markers, validation commands, or forbidden live credential markers are missing
+      - ai-agent-api dry-run expected writes diverge from the agent recipe overlay artifacts
+      - ai-agent-api artifacts include live provider credentials, raw API key literals, or live credential test seams
+    required_response:
+      - synchronize ai_agent_api_profile_recipe with runtime recipe and dry-run expectations
+      - fail validation when any required ai-agent-api artifact, content marker, quality gate, command, or no-live-credential rule is missing
+      - record tool boundary, redaction, auditability, deterministic test, and no-live-credential evidence before claiming agent readiness
+  - id: DTAPI-P0-FULL-FOUNDATION-PARITY-001
+    severity: P0
+    title: full-foundation-compatible profile must emit a Foundation parity matrix.
+    applies_to:
+      - DEB
+      - EPIC
+      - FEAT
+      - source
+      - validator
+      - appliance
+    detect:
+      - full-foundation-compatible profile lacks full_foundation_compatible_profile matrix in contract-pack
+      - runtime profile catalog omits the full-foundation-compatible parity matrix reference
+      - appliance evidence for full-foundation-compatible omits full_foundation_compatibility or any parity quality gate
+      - devtrack-api compatibility alias resolves to full-foundation-compatible without emitting parity evidence
+    required_response:
+      - synchronize full_foundation_compatible_profile dimensions across contract-pack, runtime catalog, appliance evidence, and tests
+      - include roots, contracts, docs, env, scripts, auth, persistence, validation, and evidence dimensions
+      - record matrix inventory in FEAT quality evidence before finalize
   - id: DTAPI-P0-PREVIEW-001
     severity: P0
     title: Early devtrack-api planning must include package structure preview.
@@ -139,6 +1921,75 @@ rules:
     required_response:
       - generate package structure preview
       - request human approval before FEAT execution
+  - id: DTAPI-P0-TOOL-BASELINE-001
+    severity: P0
+    title: API tool requests must include the minimum operational API baseline.
+    applies_to:
+      - DEB
+      - FEAT
+      - source
+      - validator
+    detect:
+      - devtrack-api plan or scaffold lacks package.json scripts, .env.example, tsconfig aliases, Nest CLI config, validation commands, or src/main.ts bootstrap
+      - devtrack-api appliance scaffold preview omits baseline root artifacts, OpenAPI docs, use-case/input-port slice, or auth guard/decorator artifacts
+      - implementation claims Foundation compatibility while any tool_level_api_minimums item is omitted without profile-compatible exception
+    required_response:
+      - infer and add the missing minimum baseline from Foundation evidence
+      - or downgrade to prototype with explicit exception and follow-up
+      - record baseline inventory in the FEAT quality evidence
+  - id: DTAPI-P0-OPENAPI-001
+    severity: P0
+    title: REST APIs must expose Swagger/OpenAPI documentation.
+    applies_to:
+      - DEB
+      - FEAT
+      - source
+      - validator
+    detect:
+      - REST API plan or source lacks @nestjs/swagger dependency, DocumentBuilder, SwaggerModule.createDocument, or SwaggerModule.setup
+      - controllers lack ApiTags, ApiOperation, or response decorators
+      - DTOs or presentation validators lack ApiProperty/ApiPropertyOptional for documented request shape
+      - protected bearer routes lack ApiBearerAuth("bearer")
+    required_response:
+      - add root OpenAPI bootstrap and /docs route
+      - add controller and DTO Swagger decorators
+      - add .env.example placeholders for Swagger server settings
+      - or record an explicit prototype exception before implementation/finalize
+  - id: DTAPI-P0-USECASE-001
+    severity: P0
+    title: User-facing routes must go through application input ports and use cases.
+    applies_to:
+      - DEB
+      - FEAT
+      - source
+      - validator
+    detect:
+      - controller, resolver, CLI command, WebSocket gateway, agent, or tool calls repositories, TypeORM, infrastructure adapters, or domain validators directly
+      - user-facing route lacks matching src/application/business/<context>/ports/in/<verb-noun>.use-case.port.ts
+      - user-facing route lacks matching src/application/business/<context>/use-cases/<verb-noun>.use-case.ts
+    required_response:
+      - add an application input port with exported Symbol and interface
+      - add a use case implementing the input port
+      - inject the input port symbol from presentation
+      - keep transport mapping in presentation only
+  - id: DTAPI-P0-AUTH-PLAN-001
+    severity: P0
+    title: API plans must resolve authentication, authorization, and route guard decisions.
+    applies_to:
+      - DEB
+      - FEAT
+      - source
+      - validator
+    detect:
+      - plan for new API, route, scaffold, CRUD, or bounded context does not ask or record authentication decision
+      - plan for protected behavior does not ask or record authorization role, permission, policy, ownership, or tenancy decision
+      - non-public route lacks guard/decorator and Swagger security documentation
+      - route is treated as public by omission instead of explicit decision
+    required_response:
+      - ask the human planner about authentication and authorization before implementation
+      - record public route exceptions explicitly
+      - add guards/decorators and ApiBearerAuth or equivalent documented security scheme for protected routes
+      - if the human is unavailable and work must proceed, use the safest local guard pattern and record the assumption
   - id: DTAPI-P0-PATH-001
     severity: P0
     title: Proposed paths must match canonical Foundation-compatible paths.
@@ -150,7 +2001,8 @@ rules:
       - forbidden paths from SKILL.md or foundation-layout.md
       - new domain entities folder outside approved legacy contexts
       - context-owned infrastructure adapters
-      - per-context or per-entity TypeORM modules under src/infrastructure/adapters/orm
+      - TypeORM modules outside src/infrastructure/adapters/orm/typeorm.module.ts or src/infrastructure/adapters/orm/<context>-orm.module.ts
+      - per-entity TypeORM modules under src/infrastructure/adapters/orm
       - transport-less presentation context folders
     required_response:
       - replace with canonical path
@@ -181,9 +2033,11 @@ rules:
       - files ending in .typeorm-repository.ts without InjectRepository or Repository usage
       - in-memory Map persistence inside TypeORM-named repositories
       - missing TypeOrmModule.forFeature wiring for concrete ORM repositories
-      - concrete ORM repositories not provided and exported through src/infrastructure/adapters/orm/orm.module.ts
+      - concrete ORM repositories not provided and exported through the owning src/infrastructure/adapters/orm/<context>-orm.module.ts
     required_response:
       - implement real TypeORM repository wiring
+      - register root TypeORM configuration in src/infrastructure/adapters/orm/typeorm.module.ts
+      - bind and export repository/service port symbols from the owning <context>-orm.module.ts
       - rename prototype adapters so they do not claim TypeORM compatibility
       - or downgrade to prototype with explicit exception
   - id: DTAPI-P0-COMPOSITION-001
@@ -339,6 +2193,14 @@ codesdd_validate_drift_map:
     mapped_rules:
       - DTAPI-P1-APPONLY-001
       - DTAPI-P0-PATH-001
+  CVD-10:
+    observed: Derived API scaffolds could pass structural checks while omitting operational API minimums such as Swagger/OpenAPI bootstrap, .env.example, package scripts, auth planning, route guards, and application use cases.
+    mapped_rules:
+      - DTAPI-P0-TOOL-BASELINE-001
+      - DTAPI-P0-RUNTIME-SCRIPTS-001
+      - DTAPI-P0-OPENAPI-001
+      - DTAPI-P0-USECASE-001
+      - DTAPI-P0-AUTH-PLAN-001
 field_evidence_drift_map:
   WCA-01:
     observed: A derived API planned/implemented before devtrack-api became required evidence, then required a later corrective FEAT.
@@ -354,14 +2216,47 @@ field_evidence_drift_map:
     mapped_rules:
       - DTAPI-P0-TYPEORM-001
       - DTAPI-P1-RUNTIME-001
+  WCA-04:
+    observed: A generated API slice exposed routes without a complete application use-case path, OpenAPI documentation, .env.example, package scripts, or guard/authz planning.
+    mapped_rules:
+      - DTAPI-P0-TOOL-BASELINE-001
+      - DTAPI-P0-RUNTIME-SCRIPTS-001
+      - DTAPI-P0-OPENAPI-001
+      - DTAPI-P0-USECASE-001
+      - DTAPI-P0-AUTH-PLAN-001
 early_debate_gate:
   applies_to: first two or three DEBs that plan a new devtrack-api project or major API theme
   required_outputs:
     - selected derivation profile
     - package structure preview
+    - tool-level API baseline inventory
+    - authentication and authorization planning decision
     - human approval or correction
     - exception list with ADR refs when applicable
     - policy pool seed derived from this contract pack
+legacy_generated_artifact_policy:
+  reference: references/generated-artifact-invalidation.md
+  default_classification: invalidated
+  allowed_classifications:
+    - revalidated
+    - invalidated
+    - grandfathered
+    - not_applicable
+  revalidation_required_for:
+    - foundation-compatible compatibility claims
+    - enterprise-strict compatibility claims
+    - approved or corrected human_validation_gate reuse
+    - artifact-map evidence reused across source or profile changes
+  invalidation_triggers:
+    - predates ADR-FEAT-0373
+    - predates ADR-FEAT-0374 artifact-map gate evidence
+    - missing FEAT-0375 preview material signature
+    - missing FEAT-0376 semantic drift classes or profile outcomes
+    - consumer field-validation references changed after ADR-FEAT-0378
+    - uses plural CodeSDD roots as devtrack-api output
+    - omits Foundation-compatible aliases or tests projection
+    - omits cleanup or port-safe runtime bootstrap artifacts
+  grandfathering_rule: Grandfathered artifacts are historical evidence only and must not support Foundation-compatible claims without revalidation.
 future_consumers:
   - FEAT-0233 package preview gate
   - FEAT-0234 project-local skill policy pool
@@ -369,4 +2264,5 @@ future_consumers:
   - FEAT-0236 semantic architecture validator
   - FEAT-0237 finalize lifecycle gate
   - FEAT-0238 skill provenance and applied-policy evidence
+  - FEAT-0379 legacy generated artifact invalidation
   - FEAT-0239 future field validation protocol