@oddessentials/repo-standards 2.1.0 → 3.1.0

package/dist/config/standards.json

@@ -519,7 +519,7 @@
             "job": "release"
           }
         },
-        "description": "Use MAJOR.MINOR.PATCH versioning with clear rules and automated changelog generation based on commit history.",
+        "description": "Use MAJOR.MINOR.PATCH versioning with clear rules and automated changelog generation based on commit history. Maintain a single canonical version source (for example, package.json or VERSION) that all release artifacts use.",
         "enforcement": "required",
         "id": "semantic-versioning",
         "label": "Semantic Versioning",
@@ -534,8 +534,19 @@
             "exampleTools": [
               "GitVersion"
             ],
-            "notes": "Use GitVersion to automatically compute SemVer from git history and feed it into assembly/package versions. Configure CI to auto-generate or update CHANGELOG.md from commit messages and git tags. Integrate with release pipeline to automatically version assemblies, NuGet packages, and create release notes.",
-            "verification": "Check that versioning is driven by a SemVer-aware tool (for example, GitVersion) and verify that running the release/versioning step locally or in CI automatically produces the expected version metadata, updates project files, and generates changelog entries from commit history."
+            "notes": "Use GitVersion (or Directory.Build.props) as the single canonical version source, computed from git history, and feed it into assembly/package versions. Configure CI to auto-generate or update CHANGELOG.md from commit messages and git tags. Integrate with the release pipeline to version assemblies, NuGet packages, and publish GitHub releases from the same version.",
+            "optionalFiles": [
+              "GitVersion.yml",
+              "Directory.Build.props",
+              "CHANGELOG.md"
+            ],
+            "requiredFiles": [
+              "*.csproj"
+            ],
+            "requiredScripts": [
+              "release"
+            ],
+            "verification": "Check that versioning is driven by a SemVer-aware tool (for example, GitVersion) and verify that running the release/versioning step locally or in CI produces the expected version metadata, updates project files, and generates changelog entries from commit history."
           },
           "go": {
             "exampleConfigFiles": [
@@ -546,8 +557,15 @@
               "goreleaser",
               "semantic-release"
             ],
-            "notes": "Go uses git tags for versioning (v1.2.3 format). Use goreleaser for automated releases with changelog generation. Tag versions consistently.",
-            "verification": "Check that git tags follow vMAJOR.MINOR.PATCH format and goreleaser or similar tool generates releases and changelogs."
+            "notes": "Go uses git tags (v1.2.3) as the canonical version source. Use goreleaser for automated releases with changelog generation and publish GitHub/Docker artifacts from the same tag.",
+            "optionalFiles": [
+              ".goreleaser.yml",
+              "CHANGELOG.md"
+            ],
+            "requiredScripts": [
+              "release"
+            ],
+            "verification": "Check that git tags follow vMAJOR.MINOR.PATCH format and goreleaser or similar tooling generates releases and changelogs."
           },
           "python": {
             "exampleConfigFiles": [
@@ -560,8 +578,18 @@
               "setuptools_scm",
               "towncrier"
             ],
-            "notes": "Automate version bumping and changelog generation using setuptools_scm (git-tag based) or bumpversion with towncrier for changelog fragments. Configure CI to automatically update version in pyproject.toml, generate/update CHANGELOG.md from commit messages or changelog fragments, and create git tags. Maintain a single source of truth for versioning.",
-            "verification": "Check that the package version in pyproject or setup configuration follows SemVer and verify that the configured tool (for example, setuptools_scm or bumpversion) automatically computes or bumps the version and generates changelog entries from commit history or fragments."
+            "notes": "Automate version bumping and changelog generation using setuptools_scm (git-tag based) or bumpversion with towncrier for changelog fragments. Keep pyproject.toml (or VERSION) as the single canonical version source, and have CI publish GitHub/PyPI/Docker artifacts from that same version.",
+            "optionalFiles": [
+              "VERSION",
+              "CHANGELOG.md"
+            ],
+            "requiredFiles": [
+              "pyproject.toml"
+            ],
+            "requiredScripts": [
+              "release"
+            ],
+            "verification": "Check that the canonical version in pyproject.toml or VERSION follows SemVer and verify that the configured tool (for example, setuptools_scm or bumpversion) computes or bumps the version and generates changelog entries from commit history or fragments."
           },
           "rust": {
             "exampleConfigFiles": [
@@ -572,7 +600,16 @@
               "cargo-release",
               "semantic-release"
             ],
-            "notes": "Version is defined in Cargo.toml. Use cargo-release or semantic-release-cargo for automated versioning. Follow Conventional Commits for changelog generation.",
+            "notes": "Version is defined in Cargo.toml as the canonical source. Use cargo-release or semantic-release-cargo for automated versioning and GitHub release publishing, and follow Conventional Commits for changelog generation.",
+            "optionalFiles": [
+              "CHANGELOG.md"
+            ],
+            "requiredFiles": [
+              "Cargo.toml"
+            ],
+            "requiredScripts": [
+              "release"
+            ],
             "verification": "Check that Cargo.toml version follows SemVer and verify changelog generation from commit history."
           },
           "typescript-js": {
@@ -585,8 +622,144 @@
               "semantic-release",
               "standard-version"
             ],
-            "notes": "Automate version bumping and changelog generation from Conventional Commits using semantic-release or standard-version. Configure CI to automatically bump package.json version, generate/update CHANGELOG.md, create git tags, and publish release artifacts. Protect release branches and ensure release tooling only runs there.",
-            "verification": "Check that the version field follows SemVer, and trigger the configured release workflow (for example, a dry run of semantic-release or standard-version) to confirm it automatically generates the expected next version, updates package.json, and creates/updates CHANGELOG.md with commit-based entries."
+            "notes": "Automate version bumping and changelog generation from Conventional Commits using semantic-release or standard-version. Keep package.json (or a VERSION file) as the single canonical version source and have CI publish npm/GitHub/Docker artifacts from that same version. Protect release branches and ensure release tooling only runs there.",
+            "optionalFiles": [
+              "VERSION",
+              "CHANGELOG.md"
+            ],
+            "requiredFiles": [
+              "package.json"
+            ],
+            "requiredScripts": [
+              "release"
+            ],
+            "verification": "Check that the canonical version field follows SemVer, and trigger the configured release workflow (for example, a dry run of semantic-release or standard-version) to confirm it generates the expected next version, updates package.json or VERSION, and creates/updates CHANGELOG.md with commit-based entries."
+          }
+        }
+      },
+      {
+        "appliesTo": {
+          "stacks": [
+            "typescript-js",
+            "csharp-dotnet",
+            "python",
+            "rust",
+            "go"
+          ]
+        },
+        "ciHints": {
+          "azure-devops": {
+            "stage": "release"
+          },
+          "github-actions": {
+            "job": "release"
+          }
+        },
+        "description": "Use a single CI release pipeline that publishes all artifacts (GitHub releases, packages, containers) from the same canonical version source.",
+        "enforcement": "required",
+        "id": "unified-release-workflow",
+        "label": "Unified Release Workflow",
+        "severity": "error",
+        "stackHints": {
+          "csharp-dotnet": {
+            "exampleConfigFiles": [
+              "azure-pipelines.yml",
+              ".github/workflows/release.yml"
+            ],
+            "exampleTools": [
+              "GitVersion",
+              "dotnet pack",
+              "dotnet nuget push"
+            ],
+            "notes": "Use a single release pipeline to publish NuGet packages, GitHub releases, and Docker images from the canonical version source (GitVersion or Directory.Build.props).",
+            "optionalFiles": [
+              "GitVersion.yml",
+              "Directory.Build.props"
+            ],
+            "requiredScripts": [
+              "release"
+            ],
+            "verification": "Trigger the release pipeline and confirm all artifacts share the same version number and tag."
+          },
+          "go": {
+            "exampleConfigFiles": [
+              ".github/workflows/release.yml",
+              "azure-pipelines.yml"
+            ],
+            "exampleTools": [
+              "goreleaser",
+              "docker buildx"
+            ],
+            "notes": "Use a single release pipeline (goreleaser or equivalent) to publish GitHub releases and Docker images from the same git tag.",
+            "optionalFiles": [
+              ".goreleaser.yml",
+              "CHANGELOG.md"
+            ],
+            "requiredScripts": [
+              "release"
+            ],
+            "verification": "Trigger the release pipeline and confirm all artifacts share the same version number and tag."
+          },
+          "python": {
+            "exampleConfigFiles": [
+              ".github/workflows/release.yml",
+              "azure-pipelines.yml"
+            ],
+            "exampleTools": [
+              "setuptools_scm",
+              "twine",
+              "build",
+              "docker buildx"
+            ],
+            "notes": "Use a single release pipeline to publish PyPI packages, GitHub releases, and Docker images from the canonical version source (pyproject.toml or VERSION).",
+            "optionalFiles": [
+              "CHANGELOG.md",
+              "VERSION"
+            ],
+            "requiredScripts": [
+              "release"
+            ],
+            "verification": "Trigger the release pipeline and confirm all artifacts share the same version number and tag."
+          },
+          "rust": {
+            "exampleConfigFiles": [
+              ".github/workflows/release.yml",
+              "azure-pipelines.yml"
+            ],
+            "exampleTools": [
+              "cargo-release",
+              "cargo publish",
+              "docker buildx"
+            ],
+            "notes": "Use a single release pipeline to publish crates.io packages, GitHub releases, and Docker images from the Cargo.toml version.",
+            "optionalFiles": [
+              "CHANGELOG.md"
+            ],
+            "requiredScripts": [
+              "release"
+            ],
+            "verification": "Trigger the release pipeline and confirm all artifacts share the same version number and tag."
+          },
+          "typescript-js": {
+            "exampleConfigFiles": [
+              ".github/workflows/release.yml",
+              "azure-pipelines.yml"
+            ],
+            "exampleTools": [
+              "semantic-release",
+              "changesets",
+              "npm publish",
+              "docker buildx"
+            ],
+            "notes": "Release workflow must publish npm packages, GitHub releases, and Docker images from the same canonical version (package.json or VERSION). Avoid separate manual steps or ad-hoc scripts for different artifacts.",
+            "optionalFiles": [
+              "CHANGELOG.md",
+              "VERSION"
+            ],
+            "requiredScripts": [
+              "release"
+            ],
+            "verification": "Trigger the release pipeline and confirm all artifacts share the same version number and tag."
           }
         }
       },
@@ -608,13 +781,20 @@
             "job": "ci"
           }
         },
-        "description": "Enforce structured commit messages such as Conventional Commits.",
+        "description": "Enforce structured commit messages such as Conventional Commits via commit-msg hooks and CI. This is required for deterministic versioning and changelog generation.",
         "enforcement": "required",
         "id": "commit-linting",
         "label": "Commit Linting",
         "severity": "error",
         "stackHints": {
           "csharp-dotnet": {
+            "anyOfFiles": [
+              "commitlint.config.js",
+              "commitlint.config.cjs",
+              "commitlint.config.mjs",
+              "commitlint.config.json",
+              ".cz.toml"
+            ],
             "exampleConfigFiles": [
               "commitlint.config.*",
               ".cz.toml"
@@ -623,10 +803,20 @@
               "commitlint",
               "commitizen"
             ],
-            "notes": "Document your commit convention and wire up a helper tool so contributors can easily follow it.",
-            "verification": "Create a test commit following the documented commit convention and confirm that any configured commit message checks (local hooks or CI) accept the message."
+            "notes": "Document your Conventional Commit convention and enforce it via commit-msg hooks and CI so release tooling can compute versions deterministically.",
+            "requiredScripts": [
+              "commitlint"
+            ],
+            "verification": "Create a test commit following the documented convention and confirm that commit-msg hooks and CI checks accept it."
           },
           "go": {
+            "anyOfFiles": [
+              "commitlint.config.js",
+              "commitlint.config.cjs",
+              "commitlint.config.mjs",
+              "commitlint.config.json",
+              ".cz.toml"
+            ],
             "exampleConfigFiles": [
               "commitlint.config.js",
               ".cz.toml"
@@ -635,10 +825,20 @@
               "commitlint",
               "commitizen"
             ],
-            "notes": "Use commitlint with pre-commit hooks for enforcing Conventional Commits. Consistent with goreleaser changelog generation.",
-            "verification": "Test that non-conforming commit messages are rejected by the configured hooks or CI check."
+            "notes": "Use commitlint with commit-msg or pre-commit hooks plus a CI check. Conventional Commits keep goreleaser changelog generation deterministic.",
+            "requiredScripts": [
+              "commitlint"
+            ],
+            "verification": "Test that non-conforming commit messages are rejected by the configured hooks and CI check."
           },
           "python": {
+            "anyOfFiles": [
+              ".cz.toml",
+              "commitlint.config.js",
+              "commitlint.config.cjs",
+              "commitlint.config.mjs",
+              "commitlint.config.json"
+            ],
             "exampleConfigFiles": [
               ".cz.toml",
               "pyproject.toml"
@@ -646,10 +846,20 @@
             "exampleTools": [
               "commitizen"
             ],
-            "notes": "Standardize commit messages using commitizen or a similar helper and document the required types and scopes.",
-            "verification": "Use the configured commit helper (for example, commitizen) or hooks to create a test commit and confirm that non-conforming messages are rejected while valid ones are accepted."
+            "notes": "Standardize Conventional Commits using commitizen or commitlint with commit-msg hooks plus CI so changelog generation is deterministic.",
+            "requiredScripts": [
+              "commitlint"
+            ],
+            "verification": "Use the configured commit helper or hooks to create a test commit and confirm that non-conforming messages are rejected locally and in CI."
           },
           "rust": {
+            "anyOfFiles": [
+              "commitlint.config.js",
+              "commitlint.config.cjs",
+              "commitlint.config.mjs",
+              "commitlint.config.json",
+              ".cz.toml"
+            ],
             "exampleConfigFiles": [
               "commitlint.config.js",
               ".cz.toml"
@@ -658,10 +868,19 @@
               "commitlint",
               "commitizen"
             ],
-            "notes": "Use commitlint with husky or pre-commit for enforcing Conventional Commits. Works consistently with cargo workspaces.",
-            "verification": "Test that non-conforming commit messages are rejected by the configured hooks or CI check."
+            "notes": "Use commitlint with husky or pre-commit for enforcing Conventional Commits and add a CI check to keep version/changelog automation deterministic.",
+            "requiredScripts": [
+              "commitlint"
+            ],
+            "verification": "Test that non-conforming commit messages are rejected by the configured hooks and CI check."
           },
           "typescript-js": {
+            "anyOfFiles": [
+              "commitlint.config.js",
+              "commitlint.config.cjs",
+              "commitlint.config.mjs",
+              "commitlint.config.json"
+            ],
             "exampleConfigFiles": [
               "commitlint.config.*"
             ],
@@ -669,8 +888,11 @@
               "@commitlint/cli",
               "@commitlint/config-conventional"
             ],
-            "notes": "Enforce commit message format via commit-msg hooks (e.g., Husky) before CI.",
-            "verification": "Create a test commit using the documented convention and ensure the commit message passes the configured commit linting or wizard (for example, commitlint or commitizen)."
+            "notes": "Enforce Conventional Commits via commit-msg hooks (e.g., Husky) and a CI job so versioning/changelog automation is deterministic.",
+            "requiredScripts": [
+              "commitlint"
+            ],
+            "verification": "Create a test commit using the documented convention and ensure the commit message passes both local commit-msg hooks and CI checks."
           }
         }
       },
@@ -1101,7 +1323,7 @@
             "job": "ci"
           }
         },
-        "description": "Use static type checking to catch errors before runtime and enforce strictness on new code.",
+        "description": "Use static type checking to catch errors before runtime and enforce strictness on new code. For JS/TS stacks, require a TypeScript-first policy with strict mode and a CI typecheck step; allow JSDoc/checkJs migration for legacy JS.",
         "enforcement": "required",
         "id": "type-checking",
         "label": "Type Checking",
@@ -1173,6 +1395,9 @@
             "requiredFiles": [
               "pyproject.toml"
             ],
+            "requiredScripts": [
+              "typecheck"
+            ],
             "verification": "pyproject.toml (or mypy.ini) signals that mypy configuration is available for the repository."
           },
           "rust": {
@@ -1207,14 +1432,14 @@
             "exampleTools": [
               "TypeScript compiler (tsc)"
             ],
-            "notes": "Enable strict mode ('strict': true) and treat type-check failures as CI failures for new code; gradually expand strictness into legacy modules.",
+            "notes": "Adopt a TypeScript-first policy. Require tsconfig.json with strict mode enabled ('strict': true) and enforce `npm run typecheck` (or equivalent) in CI. For legacy JS, allow JSDoc + `checkJs` or staged migration with `allowJs` while incrementally increasing coverage.",
             "requiredFiles": [
               "tsconfig.json"
             ],
             "requiredScripts": [
               "typecheck"
             ],
-            "verification": "Presence of tsconfig.json indicates type-checking is configured for the repository."
+            "verification": "tsconfig.json exists with strict mode enabled and CI runs the typecheck script; legacy JS modules use JSDoc/checkJs or allowJs as an explicit migration path."
           }
         }
       },
@@ -1327,6 +1552,370 @@
           }
         }
       },
+      {
+        "appliesTo": {
+          "stacks": [
+            "typescript-js",
+            "csharp-dotnet",
+            "python",
+            "rust",
+            "go"
+          ]
+        },
+        "ciHints": {
+          "azure-devops": {
+            "stage": "build"
+          },
+          "github-actions": {
+            "job": "ci"
+          }
+        },
+        "description": "Ensure builds are reproducible by pinning dependencies, base images, and tool/runtime versions. Avoid network/time variance and fail when lockfiles drift.",
+        "enforcement": "required",
+        "id": "deterministic-builds",
+        "label": "Deterministic & Hermetic Builds",
+        "severity": "error",
+        "stackHints": {
+          "csharp-dotnet": {
+            "exampleConfigFiles": [
+              "packages.lock.json",
+              "global.json"
+            ],
+            "exampleTools": [
+              "dotnet restore --locked-mode"
+            ],
+            "notes": "Enable packages.lock.json and use locked restore. Pin SDK versions via global.json and pin base images in Dockerfiles.",
+            "optionalFiles": [
+              "packages.lock.json",
+              "global.json"
+            ],
+            "verification": "packages.lock.json or equivalent lock files exist and restore runs in locked mode. SDK versions are pinned."
+          },
+          "go": {
+            "exampleConfigFiles": [
+              "go.sum",
+              "go.mod",
+              ".go-version"
+            ],
+            "exampleTools": [
+              "go env -w GOPROXY=off",
+              "go mod download"
+            ],
+            "notes": "Use go.sum for deterministic module versions and pin Go versions (go.mod + .go-version). Avoid network variance by caching modules and pinning proxies.",
+            "optionalFiles": [
+              ".go-version"
+            ],
+            "requiredFiles": [
+              "go.sum"
+            ],
+            "verification": "go.sum is present and builds use pinned Go versions; module downloads are cached."
+          },
+          "python": {
+            "anyOfFiles": [
+              "requirements.txt",
+              "poetry.lock",
+              "Pipfile.lock"
+            ],
+            "exampleConfigFiles": [
+              "requirements.txt",
+              "poetry.lock",
+              "Pipfile.lock"
+            ],
+            "exampleTools": [
+              "pip-tools",
+              "poetry",
+              "uv"
+            ],
+            "notes": "Use pinned lockfiles (requirements.txt or poetry.lock) and pin Python version (.python-version or tool-versions). Avoid non-deterministic installs in CI.",
+            "optionalFiles": [
+              ".python-version",
+              ".tool-versions"
+            ],
+            "verification": "Lockfile is present and CI installs with pinned versions only. Python runtime is pinned."
+          },
+          "rust": {
+            "exampleConfigFiles": [
+              "Cargo.lock",
+              "rust-toolchain.toml"
+            ],
+            "exampleTools": [
+              "cargo build --locked"
+            ],
+            "notes": "Commit Cargo.lock for binaries/services and pin Rust versions with rust-toolchain.toml. Use --locked in CI.",
+            "optionalFiles": [
+              "rust-toolchain.toml"
+            ],
+            "requiredFiles": [
+              "Cargo.lock"
+            ],
+            "verification": "Cargo.lock is present and CI uses --locked. Rust toolchain is pinned."
+          },
+          "typescript-js": {
+            "anyOfFiles": [
+              "package-lock.json",
+              "pnpm-lock.yaml",
+              "yarn.lock"
+            ],
+            "exampleConfigFiles": [
+              "package-lock.json",
+              "pnpm-lock.yaml",
+              "yarn.lock"
+            ],
+            "exampleTools": [
+              "npm ci",
+              "pnpm install --frozen-lockfile",
+              "yarn --immutable"
+            ],
+            "notes": "Require a lockfile and pinned Node/tool versions (.nvmrc or .tool-versions). Pin base images in Dockerfiles and avoid non-deterministic install flags.",
+            "optionalFiles": [
+              ".nvmrc",
+              ".tool-versions"
+            ],
+            "verification": "Lockfile is present and CI uses a frozen/immutable install. Dockerfiles reference pinned base images."
+          }
+        }
+      },
+      {
+        "appliesTo": {
+          "stacks": [
+            "typescript-js",
+            "csharp-dotnet",
+            "python",
+            "rust",
+            "go"
+          ]
+        },
+        "ciHints": {
+          "azure-devops": {
+            "stage": "security"
+          },
+          "github-actions": {
+            "job": "security"
+          }
+        },
+        "description": "Produce SBOMs or provenance metadata, enable secret/code scanning, and sign tags or commits for critical repos.",
+        "enforcement": "required",
+        "id": "provenance-security",
+        "label": "Provenance & Security Metadata",
+        "severity": "error",
+        "stackHints": {
+          "csharp-dotnet": {
+            "exampleConfigFiles": [
+              ".github/workflows/codeql.yml",
+              ".github/workflows/provenance.yml"
+            ],
+            "exampleTools": [
+              "sbom-tool",
+              "codeql",
+              "gitleaks",
+              "cosign"
+            ],
+            "notes": "Generate SBOM/provenance for NuGet and container artifacts, enable secret scanning, and sign tags/commits for critical repos.",
+            "optionalFiles": [
+              "SECURITY.md",
+              ".github/workflows/codeql.yml"
+            ],
+            "verification": "SBOM/provenance artifacts are published alongside releases, and CI runs secret/code scanning."
+          },
+          "go": {
+            "exampleConfigFiles": [
+              ".github/workflows/codeql.yml",
+              ".github/workflows/provenance.yml"
+            ],
+            "exampleTools": [
+              "syft",
+              "cyclonedx-gomod",
+              "codeql",
+              "gitleaks",
+              "cosign"
+            ],
+            "notes": "Generate SBOM/provenance for Go binaries and container artifacts, enable secret scanning, and sign tags/commits for critical repos.",
+            "optionalFiles": [
+              "SECURITY.md",
+              ".github/workflows/codeql.yml"
+            ],
+            "verification": "SBOM/provenance artifacts are published alongside releases, and CI runs secret/code scanning."
+          },
+          "python": {
+            "exampleConfigFiles": [
+              ".github/workflows/codeql.yml",
+              ".github/workflows/provenance.yml"
+            ],
+            "exampleTools": [
+              "cyclonedx-python",
+              "syft",
+              "codeql",
+              "gitleaks",
+              "cosign"
+            ],
+            "notes": "Generate SBOM/provenance for PyPI and container artifacts, enable secret scanning, and sign tags/commits for critical repos.",
+            "optionalFiles": [
+              "SECURITY.md",
+              ".github/workflows/codeql.yml"
+            ],
+            "verification": "SBOM/provenance artifacts are published alongside releases, and CI runs secret/code scanning."
+          },
+          "rust": {
+            "exampleConfigFiles": [
+              ".github/workflows/codeql.yml",
+              ".github/workflows/provenance.yml"
+            ],
+            "exampleTools": [
+              "cargo-cyclonedx",
+              "syft",
+              "codeql",
+              "gitleaks",
+              "cosign"
+            ],
+            "notes": "Generate SBOM/provenance for crates and container artifacts, enable secret scanning, and sign tags/commits for critical repos.",
+            "optionalFiles": [
+              "SECURITY.md",
+              ".github/workflows/codeql.yml"
+            ],
+            "verification": "SBOM/provenance artifacts are published alongside releases, and CI runs secret/code scanning."
+          },
+          "typescript-js": {
+            "exampleConfigFiles": [
+              ".github/workflows/codeql.yml",
+              ".github/workflows/provenance.yml"
+            ],
+            "exampleTools": [
+              "syft",
+              "cyclonedx-npm",
+              "codeql",
+              "gitleaks",
+              "cosign"
+            ],
+            "notes": "Generate SBOM/provenance for npm and container artifacts, enable secret scanning, and sign tags/commits for protected branches.",
+            "optionalFiles": [
+              "SECURITY.md",
+              ".github/workflows/codeql.yml"
+            ],
+            "verification": "SBOM/provenance artifacts are published alongside releases, and CI runs secret/code scanning."
+          }
+        }
+      },
+      {
+        "appliesTo": {
+          "stacks": [
+            "typescript-js",
+            "csharp-dotnet",
+            "python",
+            "rust",
+            "go"
+          ]
+        },
+        "ciHints": {
+          "azure-devops": {
+            "stage": "ci"
+          },
+          "github-actions": {
+            "job": "ci"
+          }
+        },
+        "description": "Adopt standard CI templates and config samples to scale across repositories, minimizing bespoke pipeline logic.",
+        "enforcement": "required",
+        "id": "ci-templates-automation",
+        "label": "CI Templates & Automation",
+        "severity": "error",
+        "stackHints": {
+          "csharp-dotnet": {
+            "anyOfFiles": [
+              ".github/workflows/ci.yml",
+              "azure-pipelines.yml"
+            ],
+            "exampleConfigFiles": [
+              ".github/workflows/ci.yml",
+              "azure-pipelines.yml"
+            ],
+            "exampleTools": [
+              "GitHub Actions reusable workflows",
+              "Azure DevOps templates"
+            ],
+            "notes": "Use shared CI templates for build/test/pack/release stages to standardize across .NET repos.",
+            "requiredScripts": [
+              "ci"
+            ],
+            "verification": "CI pipeline references a shared template or reusable workflow and follows the standard job naming."
+          },
+          "go": {
+            "anyOfFiles": [
+              ".github/workflows/ci.yml",
+              "azure-pipelines.yml"
+            ],
+            "exampleConfigFiles": [
+              ".github/workflows/ci.yml",
+              "azure-pipelines.yml"
+            ],
+            "exampleTools": [
+              "GitHub Actions reusable workflows",
+              "Azure DevOps templates"
+            ],
+            "notes": "Use shared CI templates for build/test/release stages to standardize across Go repos.",
+            "requiredScripts": [
+              "ci"
+            ],
+            "verification": "CI pipeline references a shared template or reusable workflow and follows the standard job naming."
+          },
+          "python": {
+            "anyOfFiles": [
+              ".github/workflows/ci.yml",
+              "azure-pipelines.yml"
+            ],
+            "exampleConfigFiles": [
+              ".github/workflows/ci.yml",
+              "azure-pipelines.yml"
+            ],
+            "exampleTools": [
+              "GitHub Actions reusable workflows",
+              "Azure DevOps templates"
+            ],
+            "notes": "Use shared CI templates for lint/test/typecheck/release stages to standardize across Python repos.",
+            "requiredScripts": [
+              "ci"
+            ],
+            "verification": "CI pipeline references a shared template or reusable workflow and follows the standard job naming."
+          },
+          "rust": {
+            "anyOfFiles": [
+              ".github/workflows/ci.yml",
+              "azure-pipelines.yml"
+            ],
+            "exampleConfigFiles": [
+              ".github/workflows/ci.yml",
+              "azure-pipelines.yml"
+            ],
+            "exampleTools": [
+              "GitHub Actions reusable workflows",
+              "Azure DevOps templates"
+            ],
+            "notes": "Use shared CI templates for build/test/release stages to standardize across Rust repos.",
+            "requiredScripts": [
+              "ci"
+            ],
+            "verification": "CI pipeline references a shared template or reusable workflow and follows the standard job naming."
+          },
+          "typescript-js": {
+            "anyOfFiles": [
+              ".github/workflows/ci.yml",
+              "azure-pipelines.yml"
+            ],
+            "exampleConfigFiles": [
+              ".github/workflows/ci.yml",
+              "azure-pipelines.yml"
+            ],
+            "exampleTools": [
+              "GitHub Actions reusable workflows",
+              "Azure DevOps templates"
+            ],
+            "notes": "Use shared CI templates for lint/test/build/release stages and keep repo-specific overrides minimal.",
+            "requiredScripts": [
+              "ci"
+            ],
+            "verification": "CI pipeline references a shared template or reusable workflow and follows the standard job naming."
+          }
+        }
+      },
       {
         "appliesTo": {
           "stacks": [