@nklisch/pi-agile-workflow 0.15.3 → 0.16.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (41) hide show
  1. package/.claude-plugin/plugin.json +1 -1
  2. package/.codex-plugin/plugin.json +1 -1
  3. package/CHANGELOG.md +8 -0
  4. package/docs/ARCHITECTURE.md +117 -65
  5. package/docs/PRINCIPLES.md +84 -18
  6. package/docs/SPEC.md +70 -2
  7. package/docs/VISION.md +33 -12
  8. package/hooks/scripts/prompt-context.py +7 -1
  9. package/hooks/scripts/test_prompt_context.py +16 -0
  10. package/package.json +1 -1
  11. package/scripts/tests/convert-content-integrity.test.sh +4 -4
  12. package/scripts/tests/convert-review-weight.test.sh +61 -0
  13. package/scripts/work-view.sh +1 -1
  14. package/skills/autopilot/SKILL.md +138 -91
  15. package/skills/convert/SKILL.md +55 -11
  16. package/skills/epic-design/SKILL.md +37 -70
  17. package/skills/feature-design/SKILL.md +52 -68
  18. package/skills/fix/SKILL.md +52 -34
  19. package/skills/gate-cruft/SKILL.md +69 -24
  20. package/skills/gate-docs/SKILL.md +12 -5
  21. package/skills/gate-patterns/SKILL.md +7 -3
  22. package/skills/gate-refactor/SKILL.md +18 -6
  23. package/skills/gate-security/SKILL.md +16 -7
  24. package/skills/gate-tests/SKILL.md +86 -71
  25. package/skills/implement/SKILL.md +79 -58
  26. package/skills/implement-orchestrator/SKILL.md +274 -587
  27. package/skills/perf-design/SKILL.md +11 -12
  28. package/skills/principles/SKILL.md +175 -379
  29. package/skills/principles/references/advisory-review.md +76 -0
  30. package/skills/principles/references/code-design.md +164 -0
  31. package/skills/principles/references/models.md +42 -63
  32. package/skills/prose-author/SKILL.md +9 -4
  33. package/skills/refactor-design/SKILL.md +26 -17
  34. package/skills/review/SKILL.md +169 -64
  35. package/skills/review/references/substrate-side-effects.md +17 -10
  36. package/skills/scope/SKILL.md +20 -7
  37. package/work-view/crates/cli/.work-view-version +1 -1
  38. package/work-view/dist/aarch64-apple-darwin/work-view +0 -0
  39. package/work-view/dist/aarch64-unknown-linux-musl/work-view +0 -0
  40. package/work-view/dist/x86_64-apple-darwin/work-view +0 -0
  41. package/work-view/dist/x86_64-unknown-linux-musl/work-view +0 -0
@@ -1,9 +1,10 @@
1
1
  ---
2
2
  name: gate-cruft
3
3
  description: >
4
- Cruft gate that scans the items bound to a release for AI-accumulated debris (dead code, stale
5
- comments, compatibility shims, defensive bloat, over-abstraction) introduced or revealed by the
6
- bundle. Delegates the full scan to a deep cleanup scanner agent which runs language-aware
4
+ Cruft gate focused on release-bound items that may follow relevant evidence into adjacent or
5
+ system-wide code. Finds dead code, stale comments, low-value tests and checks, compatibility
6
+ shims, defensive bloat, and over-abstraction, including whole systems that may no longer earn
7
+ their cost. Delegates the scan to a deep cleanup scanner agent which runs language-aware
7
8
  detection plus heuristic pattern-matching, then returns findings. The orchestrator converts findings
8
9
  into items in .work/active/ with gate_origin:cruft and tags:[cleanup]. Auto-triggers during
9
10
  /agile-workflow:release-deploy.
@@ -11,11 +12,14 @@ description: >
11
12
 
12
13
  # Gate-Cruft
13
14
 
14
- You orchestrate a cruft gate over the items bound to a release. The actual
15
- scan runs inside a **deep cleanup scanner agent** (a generic sub-agent prompted with the scanner posture from `../principles/references/subagents.md`); your role is to prepare the bundle context,
15
+ You orchestrate a cruft gate focused on the items bound to a release. Bound
16
+ items establish the center of gravity, not a hard file boundary: the scanner may
17
+ follow relevant call paths, dependencies, shared infrastructure, tests, or
18
+ system-wide mechanisms needed to understand whether complexity still earns its
19
+ cost. The actual scan runs inside a **deep cleanup scanner agent** (a generic sub-agent prompted with the scanner posture from `../principles/references/subagents.md`); your role is to prepare the bundle context,
16
20
  dispatch the scanner, and convert the findings it returns into items in the
17
21
  substrate. Findings get `gate_origin: cruft`,
18
- `tags: [cleanup]`, with severity tier shaping the stage.
22
+ `tags: [cleanup]`, with confidence shaping placement and stage.
19
23
 
20
24
  Scanner strength is explicit: spawn exactly one source-read-only deep cleanup
21
25
  scanner with the strongest inspection/reviewer setting the host exposes. Use a generic sub-agent prompted with the scanner posture from `../principles/references/subagents.md`. Use extra-high reasoning
@@ -70,9 +74,10 @@ confidence, and returns structured findings.
70
74
  **Brief template**:
71
75
 
72
76
  > You are conducting a cruft scan for release `<version>` as an agile-workflow
73
- > scanner. Use read/search/shell tools as needed. Audit ONLY the bundle's
74
- > changed files not the whole repo. Do not spawn nested sub-agents or implement
75
- > fixes.
77
+ > scanner. Use read/search/shell tools as needed. Start with the bundle's
78
+ > changed files, then follow relevant evidence into adjacent dependencies,
79
+ > shared infrastructure, tests, or system-wide mechanisms. Do not perform an
80
+ > aimless whole-repo sweep, spawn nested sub-agents, or implement fixes.
76
81
  >
77
82
  > **Bundle scope**:
78
83
  > ```
@@ -90,8 +95,9 @@ confidence, and returns structured findings.
90
95
  > `Cargo.toml`, `go.mod`, `pyproject.toml`, `Makefile`. This determines
91
96
  > which language-aware detection tools are available.
92
97
  >
93
- > 2. **Language-aware detection (high confidence)** — run against the
94
- > bundle's changed files only:
98
+ > 2. **Language-aware detection (high confidence)** — run against the bundle
99
+ > files first; expand a tool's scope only when needed to establish callers,
100
+ > duplication, reachability, ownership, or system-level cost:
95
101
  > - **TypeScript/JavaScript** — `tsc --noUnusedLocals --noUnusedParameters
96
102
  > --noEmit`, eslint unused rules
97
103
  > - **Python** — `ruff check --select F811,F841,F401`, `vulture`
@@ -99,7 +105,8 @@ confidence, and returns structured findings.
99
105
  > - **Rust** — compiler warnings for `#[warn(dead_code)]`
100
106
  > Capture output and parse into findings.
101
107
  >
102
- > 3. **Heuristic pattern-matching** via Grep on bundle files:
108
+ > 3. **Heuristic pattern-matching** via Grep, beginning with bundle files and
109
+ > following concrete references where the evidence leads:
103
110
  >
104
111
  > **Medium confidence:**
105
112
  > - Comments containing "removed", "backwards compat", "for backwards
@@ -117,12 +124,27 @@ confidence, and returns structured findings.
117
124
  > - Single-use helper functions that could be inlined
118
125
  > - Config/options parameters that only ever receive one value
119
126
  > - Abstractions with a single implementation
127
+ > - Duplicate, tautological, obsolete, or implementation-bound tests
128
+ > - Validation/check layers whose guarantees exceed the project's actual scope
120
129
  >
121
- > 4. **Cross-check existing patterns** — read `.agents/skills/patterns/` and
130
+ > 4. **System-level challenge** — inspect whether an entire validation layer,
131
+ > invariant/check system, test suite, compatibility mechanism, defensive
132
+ > subsystem, or abstraction family exposed by the bundle still justifies its
133
+ > maintenance cost. State its current purpose, evidence of cost, what removal
134
+ > would simplify, and which behavior or guarantee would be lost. Classify
135
+ > these as `Decision required`; never assume the guarantee should disappear.
136
+ >
137
+ > 5. **Cross-check existing patterns** — read `.agents/skills/patterns/` and
122
138
  > legacy `.claude/skills/patterns/` if
123
139
  > present. Intentional repetition documented as a pattern is NOT cruft.
124
140
  >
125
- > 5. **Triage by confidence**:
141
+ > 6. **Triage by confidence, release relevance, and decision need**:
142
+ > - `Release-relevant`: caused by, exposed by, or materially affects the bundle.
143
+ > - `Ambient`: useful discovery outside release scope; propose as unbound backlog.
144
+ > - `Decision required: yes`: any whole-system removal candidate, especially
145
+ > one that changes behavior or guarantees; ask before creating removal work.
146
+ >
147
+ > Then triage confidence:
126
148
  > | Confidence | Stage of produced item |
127
149
  > |---|---|
128
150
  > | High (tool-detected) | `stage: implementing` |
@@ -139,7 +161,11 @@ confidence, and returns structured findings.
139
161
  > - **Confidence**: High | Medium | Low
140
162
  > - **Category**: unused import | dead function | stale comment |
141
163
  > compatibility shim | passthrough wrapper | defensive try/catch |
142
- > single-use helper | over-abstraction
164
+ > single-use helper | over-abstraction | low-value test | redundant checks |
165
+ > system-level simplification
166
+ > - **Relevance**: Release-relevant | Ambient
167
+ > - **Decision required**: yes | no
168
+ > - **Guarantee affected**: none | <behavior/validation/determinism/compatibility/safety>
143
169
  > - **Location**: `<file>:<line>`
144
170
  > - **Evidence**:
145
171
  > ```<lang>
@@ -162,7 +188,8 @@ confidence, and returns structured findings.
162
188
  > ```
163
189
  >
164
190
  > **Rules**:
165
- > - Scan only Bundle scope. Don't expand.
191
+ > - Bundle scope is the focus, not a hard boundary. Expand only by following
192
+ > concrete evidence; record why each out-of-bundle file or system was inspected.
166
193
  > - Cite file:line for every finding.
167
194
  > - Don't fabricate. If a tool produces no output, don't invent findings.
168
195
  > - Skip already-tracked. Patterns documented in
@@ -172,9 +199,19 @@ confidence, and returns structured findings.
172
199
  > used externally?" — if you can't confirm zero callers, downgrade to
173
200
  > medium confidence rather than high).
174
201
 
175
- ### Phase 4: Convert findings to items
202
+ ### Phase 4: Resolve system-level removal decisions
203
+
204
+ For each `Decision required` candidate, present the system's purpose, current
205
+ cost, proposed simplification, and guarantees or behavior removal would weaken.
206
+ Ask the user whether to remove, reduce, retain, or park it. Group related
207
+ candidates and use the structured question tool in batches when available.
208
+ Never turn a guarantee-reducing proposal into active work without confirmation.
209
+ In a non-interactive gate path, write an unbound backlog decision proposal and
210
+ continue; do not assume consent or block unrelated release work.
176
211
 
177
- For each finding the scanner returned:
212
+ ### Phase 5: Convert findings to items
213
+
214
+ For each confirmed or ordinary finding the scanner returned:
178
215
 
179
216
  Read `gate_finding_routing` from `.work/CONVENTIONS.md` before writing items.
180
217
  If absent, use the default routing below. Normalize cruft confidence to routing
@@ -191,7 +228,7 @@ stage: implementing | drafting # by confidence
191
228
  tags: [cleanup]
192
229
  parent: null
193
230
  depends_on: []
194
- release_binding: <version>
231
+ release_binding: <version> | null # null for ambient or unconfirmed decision proposals
195
232
  gate_origin: cruft
196
233
  created: YYYY-MM-DD
197
234
  updated: YYYY-MM-DD
@@ -217,12 +254,17 @@ High | Medium | Low
217
254
  <what to remove and what to fix in the surroundings — imports, whitespace, etc.>
218
255
  ```
219
256
 
257
+ Release-relevant findings use the normal confidence mapping and bind to the
258
+ release. Ambient findings and unconfirmed decision proposals always go to the
259
+ unbound backlog regardless of confidence. A confirmed system removal may bind
260
+ only when the user explicitly includes it in the current release.
261
+
220
262
  Default confidence -> placement mapping:
221
263
  - **High** → `stage: implementing` in `.work/active/stories/`
222
264
  - **Medium** → `stage: drafting` in `.work/active/stories/`
223
265
  - **Low** → backlog file in `.work/backlog/`
224
266
 
225
- ### Phase 5: Commit
267
+ ### Phase 6: Commit
226
268
 
227
269
  ```bash
228
270
  git add .work/active/stories/ .work/backlog/
@@ -233,7 +275,7 @@ git commit -m "gate-cruft: <N> findings for <version>"
233
275
 
234
276
  In conversation:
235
277
  - **Bundle**: `<version>` — `<N>` items audited, `<M>` files changed
236
- - **Findings**: count by confidence (High / Medium / Low)
278
+ - **Findings**: count by confidence and relevance (release / ambient / decision)
237
279
  - **Items created**: count, with new ids
238
280
  - **Already-tracked**: count skipped
239
281
 
@@ -247,10 +289,13 @@ and parallelizes well."
247
289
 
248
290
  - **The scan happens in the scanner agent, not here.** Your job is bundle
249
291
  prep, dispatch, and item-writing. Don't replicate the scanner's analysis.
250
- - Audit only the bundle's changed files, not the whole repo.
292
+ - Release-bound items define focus, not a hard boundary. Follow concrete
293
+ evidence into adjacent or system-wide code, but do not turn the gate into an
294
+ unfocused whole-repo audit.
251
295
  - Never remove code in this skill — produce items only.
252
- - Cleanup items must be surgical when implemented. They remove cruft and fix
253
- the immediate surroundings only. They do NOT improve, refactor, or enhance.
296
+ - Local cleanup items should stay surgical. Whole-system simplification is
297
+ allowed as a proposal, but any reduction in behavior or guarantees requires
298
+ explicit user confirmation and appropriately scoped design work.
254
299
  - Patterns documented in `.agents/skills/patterns/` or legacy
255
300
  `.claude/skills/patterns/` are intentional, not
256
301
  cruft. The scanner cross-checks; don't override.
@@ -155,6 +155,7 @@ returns structured findings.
155
155
  > changelog-gap | repo-skill-staleness | pattern-skill-staleness |
156
156
  > generated-file-needs-regen | doc-misplacement
157
157
  > - **Confidence**: High | Medium
158
+ > - **Relevance**: Release-relevant | Ambient
158
159
  > - **Doc location**: `<file>:<line>`
159
160
  > - **Code location**: `<file>:<line>` (for assertion drift; omit for gaps)
160
161
  > - **Current doc text**:
@@ -179,8 +180,9 @@ returns structured findings.
179
180
  > ```
180
181
  >
181
182
  > **Rules**:
182
- > - Scan only the bundle's changes plus the docs that own those areas.
183
- > Don't audit every doc in the repo.
183
+ > - Bundle changes and their owning docs are the focus, not a hard boundary.
184
+ > Follow concrete references into adjacent docs, generated catalogs, or
185
+ > system-wide documentation when needed; do not perform an aimless doc sweep.
184
186
  > - Cite file:line for every finding.
185
187
  > - Required edits ENFORCE rolling-foundation: replace stale assertions in
186
188
  > place. Do NOT propose adding "previously" or "in v1.x" prose. Git is the
@@ -210,7 +212,7 @@ stage: implementing # high-confidence drift
210
212
  tags: [documentation]
211
213
  parent: null
212
214
  depends_on: []
213
- release_binding: <version>
215
+ release_binding: <version> | null # null for ambient findings
214
216
  gate_origin: docs
215
217
  created: YYYY-MM-DD
216
218
  updated: YYYY-MM-DD
@@ -239,6 +241,10 @@ no "previously" prose, no "in v1.x" notes. Replace the assertion in place.>
239
241
  For generated files needing regeneration, the item describes the regeneration
240
242
  command rather than a manual edit.
241
243
 
244
+ Release-relevant drift uses the normal confidence mapping and binds to the
245
+ release. Ambient staleness merely discovered while following references goes to
246
+ the unbound backlog.
247
+
242
248
  Default confidence -> placement mapping:
243
249
  - **High** → `stage: implementing` in `.work/active/stories/`
244
250
  - **Medium** → `stage: drafting` in `.work/active/stories/`
@@ -272,7 +278,8 @@ In conversation:
272
278
  place. Do NOT propose adding "previously" or "in v1.x" prose.
273
279
  - Don't fix the docs in this skill — produce items only. Implementation of
274
280
  the fixes happens via `/agile-workflow:implement` on each item.
275
- - Audit only the bundle's changes plus the docs that own those areas — the
276
- scanner enforces this; don't override.
281
+ - Release-bound changes define focus, not a hard boundary. Follow concrete
282
+ documentation ownership and reference chains; route merely ambient drift to
283
+ the unbound backlog rather than silently expanding the release.
277
284
  - Generated files get items describing the regeneration command, not manual
278
285
  edits.
@@ -107,7 +107,7 @@ output.
107
107
  > Use read/search/shell tools as needed. Do not spawn nested sub-agents or modify
108
108
  > source files.
109
109
  >
110
- > **Bundle scope**:
110
+ > **Bundle focus** (start here; follow recurring shapes across the repository):
111
111
  > ```
112
112
  > <bundle-files>
113
113
  > ```
@@ -120,8 +120,10 @@ output.
120
120
  >
121
121
  > **Methodology**:
122
122
  >
123
- > 1. **Pattern discovery passes** — inspect the bundle's changed files plus
124
- > their immediate consumers (since reuse implies multiple call sites):
123
+ > 1. **Pattern discovery passes** — inspect the bundle's changed files first,
124
+ > then follow candidate shapes through consumers and the wider repository
125
+ > where needed to establish genuine recurrence. Bound files are the focus,
126
+ > not a hard scan boundary:
125
127
  > - **Shared abstractions & utilities** — find new shared/reusable code
126
128
  > introduced in the bundle: utility functions, base classes, common
127
129
  > helpers, types used across multiple modules. List each with
@@ -225,6 +227,8 @@ output.
225
227
  > the divergence instead.
226
228
  > - Don't fabricate patterns. If discovery yields nothing, return an empty
227
229
  > "New patterns" section.
230
+ > - Expansion beyond the bundle must follow a concrete candidate pattern or
231
+ > inconsistency; do not perform an unfocused whole-repo style audit.
228
232
 
229
233
  ### Phase 4: Write pattern files
230
234
 
@@ -139,8 +139,10 @@ M-times-N redundant file reads and allows cross-library finding deduplication.
139
139
  **Brief template**:
140
140
 
141
141
  > You are conducting a refactor gate scan for release `<version>` as an agile-workflow
142
- > scanner. Use read/search/shell tools as needed. Scan ONLY the bundle's changed files —
143
- > not the whole repo. Do not spawn nested sub-agents or implement fixes.
142
+ > scanner. Use read/search/shell tools as needed. Start with the bundle's changed
143
+ > files and follow concrete rule-relevant references into adjacent consumers,
144
+ > dependencies, or shared systems. Do not perform an aimless whole-repo sweep,
145
+ > spawn nested sub-agents, or implement fixes.
144
146
  >
145
147
  > **Bundle scope** (files changed by the bundle):
146
148
  > ```
@@ -169,6 +171,7 @@ M-times-N redundant file reads and allows cross-library finding deduplication.
169
171
  >
170
172
  > 1. Read every file in the bundle scope.
171
173
  > 2. For each file, check against all rules from all loaded libraries in a single pass.
174
+ > Expand only when a rule or concrete reference requires adjacent/system-wide context.
172
175
  > 3. For each finding, record:
173
176
  > - **Library tag**: which library's rule was violated (e.g. `structural`).
174
177
  > - **Rule slug**: which specific rule was violated (from the library's rule inventory).
@@ -176,11 +179,13 @@ M-times-N redundant file reads and allows cross-library finding deduplication.
176
179
  > - **Issue**: one-sentence description of the violation.
177
180
  > - **Fix**: specific proposed change (or "needs analysis" for findings requiring judgment).
178
181
  > - **Confidence**: `high` / `medium` / `low` per the library's guidance for that rule.
182
+ > - **Relevance**: `Release-relevant` or `Ambient`.
179
183
  > 4. Deduplicate against the already-tracked set.
180
184
  > 5. Return findings as a structured list.
181
185
  >
182
186
  > **Rules**:
183
- > - Scan only the bundle scope. Do not expand to the whole repo.
187
+ > - Bundle scope is the focus, not a hard boundary. Follow concrete rule-relevant
188
+ > evidence and record why any out-of-bundle surface was inspected.
184
189
  > - Cite file:line for every finding.
185
190
  > - Do not fabricate findings. If a rule produces no matches, emit nothing for it.
186
191
  > - Skip already-tracked findings (exact file:line + rule-slug match).
@@ -199,6 +204,7 @@ M-times-N redundant file reads and allows cross-library finding deduplication.
199
204
  > - **Library**: <library-tag>
200
205
  > - **Rule**: <rule-slug>
201
206
  > - **Confidence**: High | Medium | Low
207
+ > - **Relevance**: Release-relevant | Ambient
202
208
  > - **Location**: `<file>:<line>`
203
209
  > - **Issue**: <one sentence>
204
210
  > - **Fix**: <specific proposed change or "needs analysis">
@@ -248,7 +254,7 @@ stage: implementing | drafting # by gate_finding_routing
248
254
  tags: [refactor]
249
255
  parent: null
250
256
  depends_on: []
251
- release_binding: <version>
257
+ release_binding: <version> | null # null for ambient findings
252
258
  gate_origin: refactor
253
259
  created: YYYY-MM-DD
254
260
  updated: YYYY-MM-DD
@@ -265,7 +271,7 @@ stage: implementing | drafting # by gate_finding_routing
265
271
  tags: []
266
272
  parent: null
267
273
  depends_on: []
268
- release_binding: <version>
274
+ release_binding: <version> | null # null for ambient findings
269
275
  gate_origin: refactor
270
276
  created: YYYY-MM-DD
271
277
  updated: YYYY-MM-DD
@@ -296,6 +302,10 @@ High | Medium | Low
296
302
  <specific proposed change, or "needs analysis" for medium/low>
297
303
  ```
298
304
 
305
+ Release-relevant findings use the normal confidence mapping and bind to the
306
+ release. Ambient rule violations discovered outside the bundle go to the
307
+ unbound backlog regardless of confidence.
308
+
299
309
  Default confidence -> placement mapping:
300
310
 
301
311
  | Confidence | Stage | Tier |
@@ -343,7 +353,9 @@ In conversation:
343
353
 
344
354
  - **The scan happens in the scanner agent, not here.** Your job is library discovery, bundle prep,
345
355
  dispatch, and item-writing. Do not replicate the scanner's analysis.
346
- - Scan only the bundle's changed files, not the whole repo.
356
+ - Release-bound files define focus, not a hard boundary. Follow concrete
357
+ rule-relevant evidence into adjacent or system-wide code, but do not perform
358
+ an unfocused whole-repo scan; route ambient findings to the unbound backlog.
347
359
  - Never apply fixes in this skill — produce items only.
348
360
  - **No-libraries is not an error.** Graceful skip with a log entry is the correct behavior when
349
361
  no scan-* libraries are installed.
@@ -91,8 +91,8 @@ structured findings.
91
91
  > agile-workflow scanner. Use read/search/shell/current-source lookup tools as
92
92
  > needed, but do not spawn nested sub-agents or implement fixes.
93
93
  >
94
- > **Bundle scope** (audit ONLY these files; this is a release gate, not a
95
- > repo-wide audit):
94
+ > **Bundle focus** (start here; follow concrete security-relevant call paths,
95
+ > dependencies, shared infrastructure, and controls as needed):
96
96
  > ```
97
97
  > <bundle-files>
98
98
  > ```
@@ -138,7 +138,8 @@ structured findings.
138
138
  > logs, missing error boundaries, verbose prod errors. All prod apps.
139
139
  >
140
140
  > 3. **Domain audit passes** — for each selected domain, audit the bundle's
141
- > changed files against that domain's checklist. Use current-source lookup
141
+ > changed files against that domain's checklist, following concrete evidence
142
+ > into adjacent security boundaries, dependencies, and shared controls. Use current-source lookup
142
143
  > when needed to verify best practices for `<stack>+<domain>` combinations
143
144
  > before judging.
144
145
  >
@@ -160,6 +161,7 @@ structured findings.
160
161
  > - **Title**: <one-line>
161
162
  > - **Severity**: Critical | High | Medium | Low
162
163
  > - **Domain**: <domain name>
164
+ > - **Relevance**: Release-relevant | Ambient
163
165
  > - **Location**: `<file>:<line>`
164
166
  > - **Evidence**:
165
167
  > ```<lang>
@@ -182,7 +184,8 @@ structured findings.
182
184
  > ```
183
185
  >
184
186
  > **Rules**:
185
- > - Audit only the files listed in Bundle scope. Do NOT expand the audit.
187
+ > - Bundle files are the focus, not a hard boundary. Expand only along concrete
188
+ > security-relevant evidence and record why out-of-bundle surfaces were inspected.
186
189
  > - Cite file:line for every finding.
187
190
  > - Don't fabricate. If evidence is missing, don't report.
188
191
  > - Skip findings that match the already-tracked list.
@@ -211,7 +214,7 @@ stage: implementing # Critical or High
211
214
  tags: [security]
212
215
  parent: null
213
216
  depends_on: []
214
- release_binding: <version>
217
+ release_binding: <version> | null # null for ambient findings
215
218
  gate_origin: security
216
219
  created: YYYY-MM-DD
217
220
  updated: YYYY-MM-DD
@@ -237,6 +240,11 @@ Critical | High | Medium | Low
237
240
  <what should change — direction, not a finished fix>
238
241
  ```
239
242
 
243
+ Release-relevant findings use the normal severity mapping and bind to the
244
+ release. Ambient findings discovered outside the release's material risk go to
245
+ the unbound backlog regardless of severity; a genuinely critical repository
246
+ vulnerability is release-relevant when shipping would expose or perpetuate it.
247
+
240
248
  Default severity -> placement mapping:
241
249
  - **Critical** / **High** → `stage: implementing` in `.work/active/stories/`
242
250
  - **Medium** → `stage: drafting` in `.work/active/stories/`
@@ -271,5 +279,6 @@ In conversation:
271
279
  returns nothing. Don't paper that over.
272
280
  - Idempotent re-runs: pass already-tracked findings into the scanner brief so it
273
281
  skips duplicates. Double-check on item-write before creating.
274
- - Audit only the bundle's changes, not the whole repo. Repo-wide audits are
275
- a standalone `repo-eval`'s job, not a release gate's.
282
+ - Release-bound items define focus, not a hard boundary. Follow concrete
283
+ security evidence into adjacent or system-wide controls, but do not perform
284
+ an unfocused whole-repo audit. Route merely ambient findings to the unbound backlog.