@oddessentials/repo-standards 4.4.0 → 5.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (25) hide show
  1. package/dist/config/standards.csharp-dotnet.azure-devops.json +347 -11
  2. package/dist/config/standards.csharp-dotnet.github-actions.json +348 -12
  3. package/dist/config/standards.csharp-dotnet.json +401 -12
  4. package/dist/config/standards.go.azure-devops.json +339 -9
  5. package/dist/config/standards.go.github-actions.json +340 -10
  6. package/dist/config/standards.go.json +393 -10
  7. package/dist/config/standards.json +1404 -135
  8. package/dist/config/standards.python.azure-devops.json +350 -9
  9. package/dist/config/standards.python.github-actions.json +351 -10
  10. package/dist/config/standards.python.json +404 -10
  11. package/dist/config/standards.rust.azure-devops.json +341 -9
  12. package/dist/config/standards.rust.github-actions.json +342 -10
  13. package/dist/config/standards.rust.json +395 -10
  14. package/dist/config/standards.schema.json +24 -2
  15. package/dist/config/standards.typescript-js.azure-devops.json +356 -10
  16. package/dist/config/standards.typescript-js.github-actions.json +357 -11
  17. package/dist/config/standards.typescript-js.json +410 -11
  18. package/dist/index.cjs +1 -1
  19. package/dist/index.cjs.map +1 -1
  20. package/dist/index.d.cts +1 -1
  21. package/dist/index.d.ts +1 -1
  22. package/dist/index.js +1 -1
  23. package/dist/index.js.map +1 -1
  24. package/package.json +1 -1
  25. package/scripts/validate-schema.ts +46 -0
package/dist/config/standards.json CHANGED
@@ -1,6 +1,244 @@
1
1
  {
2
2
  "checklist": {
3
3
  "core": [
4
+ {
5
+ "appliesTo": {
6
+ "stacks": [
7
+ "typescript-js",
8
+ "csharp-dotnet",
9
+ "python",
10
+ "rust",
11
+ "go"
12
+ ]
13
+ },
14
+ "ciHints": {
15
+ "azure-devops": {
16
+ "notes": "Run CRLF detection early in pipeline before other checks.",
17
+ "stage": "quality"
18
+ },
19
+ "github-actions": {
20
+ "job": "ci",
21
+ "notes": "Add .gitattributes check as first step in CI job."
22
+ }
23
+ },
24
+ "description": "Enforce line endings at the Git layer using .gitattributes. Mark text files with appropriate EOL handling (eol=lf for shell scripts, eol=auto for most files) and binary files as binary to prevent corruption. This prevents 'works locally, fails in CI' issues caused by CRLF/LF mismatches.",
25
+ "enforcement": "required",
26
+ "executionStage": "pre-commit",
27
+ "id": "gitattributes-eol",
28
+ "label": "Git Attributes (Line Endings)",
29
+ "severity": "error",
30
+ "stackHints": {
31
+ "csharp-dotnet": {
32
+ "exampleConfigFiles": [
33
+ ".gitattributes",
34
+ ".editorconfig"
35
+ ],
36
+ "exampleTools": [
37
+ "git"
38
+ ],
39
+ "machineCheck": {
40
+ "command": "git ls-files --eol | grep -E 'w/crlf.*\\.sh$' && exit 1 || exit 0",
41
+ "description": "Verify no CRLF in shell scripts",
42
+ "expectExitCode": 0
43
+ },
44
+ "notes": "Use .gitattributes for EOL authority. Mark *.sh, *.ps1 scripts appropriately. .editorconfig drives editor behavior but .gitattributes is the source of truth for Git operations.",
45
+ "optionalFiles": [
46
+ ".editorconfig"
47
+ ],
48
+ "requiredFiles": [
49
+ ".gitattributes"
50
+ ],
51
+ "verification": "Run 'git ls-files --eol' to check EOL consistency."
52
+ },
53
+ "go": {
54
+ "exampleConfigFiles": [
55
+ ".gitattributes",
56
+ ".editorconfig"
57
+ ],
58
+ "exampleTools": [
59
+ "git"
60
+ ],
61
+ "machineCheck": {
62
+ "command": "git ls-files --eol | grep -E 'w/crlf.*\\.sh$' && exit 1 || exit 0",
63
+ "description": "Verify no CRLF in shell scripts",
64
+ "expectExitCode": 0
65
+ },
66
+ "notes": "Go files should use LF for consistency. Mark *.go as text. Shell scripts (*.sh) must use eol=lf. Binary artifacts should be marked as binary.",
67
+ "optionalFiles": [
68
+ ".editorconfig"
69
+ ],
70
+ "requiredFiles": [
71
+ ".gitattributes"
72
+ ],
73
+ "verification": "Run 'git ls-files --eol' to verify EOL handling."
74
+ },
75
+ "python": {
76
+ "exampleConfigFiles": [
77
+ ".gitattributes",
78
+ ".editorconfig"
79
+ ],
80
+ "exampleTools": [
81
+ "git"
82
+ ],
83
+ "machineCheck": {
84
+ "command": "git ls-files --eol | grep -E 'w/crlf.*\\.py$' && exit 1 || exit 0",
85
+ "description": "Verify no CRLF in Python files",
86
+ "expectExitCode": 0
87
+ },
88
+ "notes": "Python files should use LF endings for cross-platform compatibility. Mark *.py as eol=lf in .gitattributes. Shebang scripts fail with CRLF.",
89
+ "optionalFiles": [
90
+ ".editorconfig"
91
+ ],
92
+ "requiredFiles": [
93
+ ".gitattributes"
94
+ ],
95
+ "verification": "Run 'git ls-files --eol' and verify Python files use LF."
96
+ },
97
+ "rust": {
98
+ "exampleConfigFiles": [
99
+ ".gitattributes",
100
+ ".editorconfig"
101
+ ],
102
+ "exampleTools": [
103
+ "git"
104
+ ],
105
+ "machineCheck": {
106
+ "command": "git ls-files --eol | grep -E 'w/crlf.*\\.sh$' && exit 1 || exit 0",
107
+ "description": "Verify no CRLF in shell scripts",
108
+ "expectExitCode": 0
109
+ },
110
+ "notes": "Mark *.rs, *.toml as text with auto EOL handling. Mark shell scripts as eol=lf. Binary files (*.exe, *.dll) should be marked as binary.",
111
+ "optionalFiles": [
112
+ ".editorconfig"
113
+ ],
114
+ "requiredFiles": [
115
+ ".gitattributes"
116
+ ],
117
+ "verification": "Run 'git ls-files --eol' to verify EOL consistency."
118
+ },
119
+ "typescript-js": {
120
+ "exampleConfigFiles": [
121
+ ".gitattributes",
122
+ ".editorconfig"
123
+ ],
124
+ "exampleTools": [
125
+ "git"
126
+ ],
127
+ "machineCheck": {
128
+ "command": "git ls-files --eol | grep -E 'w/crlf.*\\.(sh|bash|py)$' && exit 1 || exit 0",
129
+ "description": "Verify no CRLF in shell/script files",
130
+ "expectExitCode": 0
131
+ },
132
+ "notes": "Use .gitattributes as the authority for EOL; .editorconfig is supplementary for editor display. Mark *.sh, *.bash as eol=lf. After adding .gitattributes, run 'git add --renormalize .' to fix existing files. Windows contributors should set core.autocrlf=false.",
133
+ "optionalFiles": [
134
+ ".editorconfig"
135
+ ],
136
+ "requiredFiles": [
137
+ ".gitattributes"
138
+ ],
139
+ "verification": "Run 'git ls-files --eol' and verify no unexpected CRLF in LF-only files."
140
+ }
141
+ }
142
+ },
143
+ {
144
+ "appliesTo": {
145
+ "stacks": [
146
+ "typescript-js",
147
+ "csharp-dotnet",
148
+ "python",
149
+ "rust",
150
+ "go"
151
+ ]
152
+ },
153
+ "ciHints": {
154
+ "azure-devops": {
155
+ "notes": "Run CRLF detection as the first quality check before linting or testing.",
156
+ "stage": "quality"
157
+ },
158
+ "github-actions": {
159
+ "job": "ci",
160
+ "notes": "Add CRLF detection step before main CI steps."
161
+ }
162
+ },
163
+ "description": "Fail CI early for Linux-executed files containing CRLF line endings. Shell scripts, Python files, and other interpreted files fail silently or with cryptic errors when they contain \\r characters. Detect this before running deeper CI steps.",
164
+ "enforcement": "required",
165
+ "executionStage": "ci-pr",
166
+ "id": "crlf-detection",
167
+ "label": "CRLF Detection in CI",
168
+ "severity": "error",
169
+ "stackHints": {
170
+ "csharp-dotnet": {
171
+ "exampleConfigFiles": [],
172
+ "exampleTools": [
173
+ "file",
174
+ "grep"
175
+ ],
176
+ "machineCheck": {
177
+ "command": "git ls-files --eol | grep -E 'w/crlf.*\\.sh$' && exit 1 || exit 0",
178
+ "description": "Detect CRLF in shell scripts",
179
+ "expectExitCode": 0
180
+ },
181
+ "notes": "Detect CRLF in shell scripts and CI configuration files. C# source files can tolerate CRLF but shell scripts cannot.",
182
+ "verification": "Run CRLF detection on .sh files in CI."
183
+ },
184
+ "go": {
185
+ "exampleConfigFiles": [],
186
+ "exampleTools": [
187
+ "file",
188
+ "grep"
189
+ ],
190
+ "machineCheck": {
191
+ "command": "git ls-files --eol | grep -E 'w/crlf.*\\.(sh|bash)$' && exit 1 || exit 0",
192
+ "description": "Detect CRLF in shell scripts",
193
+ "expectExitCode": 0
194
+ },
195
+ "notes": "Go source files tolerate CRLF but shell scripts and Makefiles do not. Check .sh, Makefile, and go.mod for CRLF.",
196
+ "verification": "Run CRLF detection on shell scripts and Makefiles."
197
+ },
198
+ "python": {
199
+ "exampleConfigFiles": [],
200
+ "exampleTools": [
201
+ "file",
202
+ "grep"
203
+ ],
204
+ "machineCheck": {
205
+ "command": "git ls-files --eol | grep -E 'w/crlf.*\\.(py|sh)$' && exit 1 || exit 0",
206
+ "description": "Detect CRLF in Python/shell files",
207
+ "expectExitCode": 0
208
+ },
209
+ "notes": "Python shebang scripts fail with CRLF. Check all .py and .sh files for CRLF before running pytest or other Python tools.",
210
+ "verification": "Run CRLF detection on Python and shell files."
211
+ },
212
+ "rust": {
213
+ "exampleConfigFiles": [],
214
+ "exampleTools": [
215
+ "file",
216
+ "grep"
217
+ ],
218
+ "machineCheck": {
219
+ "command": "git ls-files --eol | grep -E 'w/crlf.*\\.(sh|bash)$' && exit 1 || exit 0",
220
+ "description": "Detect CRLF in shell scripts",
221
+ "expectExitCode": 0
222
+ },
223
+ "notes": "Rust build scripts (build.rs) and shell scripts must not have CRLF. Cargo tolerates CRLF in .rs files but shell invocations fail.",
224
+ "verification": "Run CRLF detection on shell and build scripts."
225
+ },
226
+ "typescript-js": {
227
+ "exampleConfigFiles": [],
228
+ "exampleTools": [
229
+ "file",
230
+ "grep"
231
+ ],
232
+ "machineCheck": {
233
+ "command": "git ls-files --eol | grep -E 'w/crlf.*\\.(sh|js|ts|mjs|cjs)$' && exit 1 || exit 0",
234
+ "description": "Detect CRLF in script files",
235
+ "expectExitCode": 0
236
+ },
237
+ "notes": "Check for CRLF in .sh, .js, .ts, .json files early in CI. Use 'file' command or grep for \\r to detect issues before they cause cryptic failures.",
238
+ "verification": "Run 'git ls-files --eol | grep w/crlf' and verify no unexpected CRLF files."
239
+ }
240
+ }
241
+ },
4
242
  {
5
243
  "appliesTo": {
6
244
  "stacks": [
@@ -21,6 +259,7 @@
21
259
  },
22
260
  "description": "Maintain proper .gitignore and .dockerignore files to prevent committing secrets, build artifacts, or unnecessary files.",
23
261
  "enforcement": "required",
262
+ "executionStage": "pre-commit",
24
263
  "id": "gitignore-and-dockerignore",
25
264
  "label": "Git and Docker Ignore Files",
26
265
  "severity": "error",
@@ -117,8 +356,10 @@
117
356
  },
118
357
  "description": "Run static code linting to enforce consistency and catch common issues early.",
119
358
  "enforcement": "required",
359
+ "executionStage": "pre-commit",
120
360
  "id": "linting",
121
361
  "label": "Linting",
362
+ "scopeToChangedFiles": true,
122
363
  "severity": "error",
123
364
  "stackHints": {
124
365
  "csharp-dotnet": {
@@ -284,6 +525,7 @@
284
525
  },
285
526
  "description": "Provide a deterministic unit test framework with a single command to run all tests.",
286
527
  "enforcement": "required",
528
+ "executionStage": "pre-push",
287
529
  "id": "unit-test-runner",
288
530
  "label": "Unit Test Runner",
289
531
  "severity": "error",
@@ -420,6 +662,7 @@
420
662
  },
421
663
  "description": "Provide a Dockerfile and, if applicable, a docker-compose file for local dev and CI parity.",
422
664
  "enforcement": "required",
665
+ "executionStage": "ci-pr",
423
666
  "id": "containerization",
424
667
  "label": "Containerization (Docker / Docker Compose)",
425
668
  "severity": "error",
@@ -521,6 +764,7 @@
521
764
  },
522
765
  "description": "Use MAJOR.MINOR.PATCH versioning with clear rules and automated changelog generation based on commit history. Maintain a single canonical version source (for example, package.json or VERSION) that all release artifacts use.",
523
766
  "enforcement": "required",
767
+ "executionStage": "release",
524
768
  "id": "semantic-versioning",
525
769
  "label": "Semantic Versioning",
526
770
  "severity": "error",
@@ -657,6 +901,7 @@
657
901
  },
658
902
  "description": "Use a single CI release pipeline that publishes all artifacts (GitHub releases, packages, containers) from the same canonical version source.",
659
903
  "enforcement": "required",
904
+ "executionStage": "release",
660
905
  "id": "unified-release-workflow",
661
906
  "label": "Unified Release Workflow",
662
907
  "severity": "error",
@@ -763,6 +1008,94 @@
763
1008
  }
764
1009
  }
765
1010
  },
1011
+ {
1012
+ "appliesTo": {
1013
+ "stacks": [
1014
+ "typescript-js",
1015
+ "csharp-dotnet",
1016
+ "python",
1017
+ "rust",
1018
+ "go"
1019
+ ]
1020
+ },
1021
+ "ciHints": {
1022
+ "azure-devops": {
1023
+ "notes": "Set HUSKY=0 or equivalent in release pipeline to disable hooks.",
1024
+ "stage": "release"
1025
+ },
1026
+ "github-actions": {
1027
+ "job": "release",
1028
+ "notes": "Set HUSKY=0 or equivalent in release job to disable hooks."
1029
+ }
1030
+ },
1031
+ "description": "Release automation must bypass local developer hooks (HUSKY=0, --no-verify) and rely solely on CI gates for validation. This ensures idempotent, reproducible releases that don't fail due to hook environment differences.",
1032
+ "enforcement": "required",
1033
+ "executionStage": "release",
1034
+ "id": "release-hook-bypass",
1035
+ "label": "Release Hook Bypass",
1036
+ "severity": "error",
1037
+ "stackHints": {
1038
+ "csharp-dotnet": {
1039
+ "exampleConfigFiles": [
1040
+ "azure-pipelines.yml",
1041
+ ".github/workflows/release.yml"
1042
+ ],
1043
+ "exampleTools": [
1044
+ "GitVersion"
1045
+ ],
1046
+ "notes": "Release pipelines should skip local hooks. If using Lefthook, set LEFTHOOK=0. Rely on CI gates for all validation.",
1047
+ "verification": "Check release pipeline for hook bypass configuration."
1048
+ },
1049
+ "go": {
1050
+ "exampleConfigFiles": [
1051
+ ".goreleaser.yml",
1052
+ ".github/workflows/release.yml"
1053
+ ],
1054
+ "exampleTools": [
1055
+ "goreleaser"
1056
+ ],
1057
+ "notes": "Goreleaser handles releases without invoking local hooks. Ensure any git operations use --no-verify.",
1058
+ "verification": "Check release workflow for hook bypass configuration."
1059
+ },
1060
+ "python": {
1061
+ "exampleConfigFiles": [
1062
+ ".github/workflows/release.yml"
1063
+ ],
1064
+ "exampleTools": [
1065
+ "semantic-release",
1066
+ "bumpversion"
1067
+ ],
1068
+ "notes": "Set PRE_COMMIT_ALLOW_NO_CONFIG=1 or SKIP=all to bypass pre-commit hooks in release automation. CI gates already validated.",
1069
+ "verification": "Check release workflow for pre-commit bypass."
1070
+ },
1071
+ "rust": {
1072
+ "exampleConfigFiles": [
1073
+ ".github/workflows/release.yml"
1074
+ ],
1075
+ "exampleTools": [
1076
+ "cargo-release"
1077
+ ],
1078
+ "notes": "Use --no-verify with git commands in release scripts. If using pre-commit, set SKIP=all.",
1079
+ "verification": "Check release workflow for hook bypass."
1080
+ },
1081
+ "typescript-js": {
1082
+ "exampleConfigFiles": [
1083
+ ".github/workflows/release.yml"
1084
+ ],
1085
+ "exampleTools": [
1086
+ "semantic-release",
1087
+ "husky"
1088
+ ],
1089
+ "machineCheck": {
1090
+ "command": "grep -r 'HUSKY=0\\|--no-verify' .github/workflows/ || echo 'WARNING: No hook bypass in release workflow'",
1091
+ "description": "Verify release workflows disable hooks",
1092
+ "expectExitCode": 0
1093
+ },
1094
+ "notes": "In release workflows, set HUSKY=0 environment variable to disable husky hooks. Release commits from semantic-release should bypass commitlint since they're generated. CI gates already validated the code.",
1095
+ "verification": "Check release workflow for HUSKY=0 or --no-verify flags."
1096
+ }
1097
+ }
1098
+ },
766
1099
  {
767
1100
  "appliesTo": {
768
1101
  "stacks": [
@@ -783,6 +1116,7 @@
783
1116
  },
784
1117
  "description": "Enforce structured commit messages such as Conventional Commits via commit-msg hooks and CI. This is required for deterministic versioning and changelog generation.",
785
1118
  "enforcement": "required",
1119
+ "executionStage": "pre-commit",
786
1120
  "id": "commit-linting",
787
1121
  "label": "Commit Linting",
788
1122
  "severity": "error",
@@ -916,6 +1250,7 @@
916
1250
  },
917
1251
  "description": "Generate readable unit test and coverage reports and enforce a minimum coverage threshold (around 80%) for new or changed code.",
918
1252
  "enforcement": "required",
1253
+ "executionStage": "ci-pr",
919
1254
  "id": "unit-test-reporter",
920
1255
  "label": "Unit Test Reporter / Coverage",
921
1256
  "severity": "error",
@@ -1030,6 +1365,7 @@
1030
1365
  },
1031
1366
  "description": "Single CI pipeline that runs linting, formatting, type checking, tests, coverage, build, and containerization.",
1032
1367
  "enforcement": "required",
1368
+ "executionStage": "ci-pr",
1033
1369
  "id": "ci-quality-gates",
1034
1370
  "label": "CI Quality Gates",
1035
1371
  "severity": "error",
@@ -1136,8 +1472,10 @@
1136
1472
  },
1137
1473
  "description": "Automatic code formatting to maintain a consistent style across all contributors.",
1138
1474
  "enforcement": "required",
1475
+ "executionStage": "pre-commit",
1139
1476
  "id": "code-formatter",
1140
1477
  "label": "Code Formatter",
1478
+ "scopeToChangedFiles": true,
1141
1479
  "severity": "error",
1142
1480
  "stackHints": {
1143
1481
  "csharp-dotnet": {
@@ -1236,27 +1574,33 @@
1236
1574
  },
1237
1575
  "ciHints": {
1238
1576
  "azure-devops": {
1577
+ "notes": "Hooks and CI must invoke identical verification commands. Use npm run verify or equivalent.",
1239
1578
  "stage": "quality"
1240
1579
  },
1241
1580
  "github-actions": {
1242
- "job": "ci"
1581
+ "job": "ci",
1582
+ "notes": "Hooks and CI must invoke identical verification commands. Use npm run verify or equivalent."
1243
1583
  }
1244
1584
  },
1245
- "description": "Use git hooks to run linting, formatting, tests, and commit linting before changes are committed.",
1585
+ "description": "Use git hooks to run linting, formatting, and commit linting before changes are committed. Hooks should CHECK by default (not auto-fix), be fast, and scope to changed files only. Use a single entry hook mechanism (e.g., Husky as entry point calling pre-commit or lint-staged).",
1246
1586
  "enforcement": "required",
1587
+ "executionStage": "pre-commit",
1247
1588
  "id": "pre-commit-hooks",
1248
1589
  "label": "Pre-Commit Hooks",
1590
+ "scopeToChangedFiles": true,
1249
1591
  "severity": "error",
1250
1592
  "stackHints": {
1251
1593
  "csharp-dotnet": {
1252
1594
  "exampleConfigFiles": [
1253
- "lefthook.yml"
1595
+ "lefthook.yml",
1596
+ ".husky/"
1254
1597
  ],
1255
1598
  "exampleTools": [
1256
- "Lefthook"
1599
+ "Lefthook",
1600
+ "husky.net"
1257
1601
  ],
1258
- "notes": "Configure Lefthook or similar to run formatting and basic checks on staged files before commits.",
1259
- "verification": "Inspect the hook configuration (for example, Lefthook or similar) and confirm it runs at least formatting and basic checks on staged changes before commits or pushes."
1602
+ "notes": "Configure Lefthook or husky.net to run formatting checks (not auto-fix) on staged files. Hooks should be deterministic and environment-pinned via global.json SDK version.",
1603
+ "verification": "Inspect hook configuration and confirm checks run in verify mode, not auto-fix mode."
1260
1604
  },
1261
1605
  "go": {
1262
1606
  "exampleConfigFiles": [
@@ -1267,8 +1611,8 @@
1267
1611
  "pre-commit",
1268
1612
  "lefthook"
1269
1613
  ],
1270
- "notes": "Use pre-commit with go hooks for gofmt, goimports, and golangci-lint on staged files.",
1271
- "verification": "Inspect hooks configuration and confirm that go fmt and golangci-lint run before commits."
1614
+ "notes": "Use pre-commit or lefthook with go hooks for 'gofmt -d' (check mode) and golangci-lint. Pin Go version in go.mod and .go-version for determinism.",
1615
+ "verification": "Confirm hooks run format checks (not auto-fix) and golangci-lint before commits."
1272
1616
  },
1273
1617
  "python": {
1274
1618
  "exampleConfigFiles": [
@@ -1277,8 +1621,8 @@
1277
1621
  "exampleTools": [
1278
1622
  "pre-commit"
1279
1623
  ],
1280
- "notes": "Use pre-commit to run ruff, black, and optionally mypy on staged files before committing.",
1281
- "verification": "Inspect .pre-commit-config.yaml and confirm that hooks for linting, formatting, and optionally type checking are enabled and run on changed files before commits."
1624
+ "notes": "Use pre-commit framework as both entry and executor. Pin hook versions in .pre-commit-config.yaml for determinism. Hooks should run checks (ruff check, black --check) not auto-fix. Run pre-commit install to set up hooks.",
1625
+ "verification": "Inspect .pre-commit-config.yaml and confirm hooks use check/verify flags, not auto-fix."
1282
1626
  },
1283
1627
  "rust": {
1284
1628
  "exampleConfigFiles": [
@@ -1288,20 +1632,21 @@
1288
1632
  "pre-commit",
1289
1633
  "cargo-husky"
1290
1634
  ],
1291
- "notes": "Use pre-commit with rust hooks for cargo fmt and cargo clippy on staged files. cargo-husky is an alternative.",
1292
- "verification": "Inspect .pre-commit-config.yaml and confirm that hooks run cargo fmt --check and cargo clippy before commits."
1635
+ "notes": "Use pre-commit with rust hooks for 'cargo fmt --check' and 'cargo clippy' on staged files. Pin rust-toolchain.toml for determinism across environments.",
1636
+ "verification": "Confirm hooks run cargo fmt --check (not cargo fmt) and cargo clippy before commits."
1293
1637
  },
1294
1638
  "typescript-js": {
1295
1639
  "exampleConfigFiles": [
1296
1640
  ".husky/",
1297
- "package.json"
1641
+ "package.json",
1642
+ "lint-staged.config.js"
1298
1643
  ],
1299
1644
  "exampleTools": [
1300
1645
  "husky",
1301
1646
  "lint-staged"
1302
1647
  ],
1303
- "notes": "Run ESLint and Prettier on staged files and enforce commit message format via commit-msg hooks.",
1304
- "verification": "Inspect the pre-commit and commit-msg hooks (for example, files under .husky or other hook tooling) and confirm they run linting/formatting and commit linting on staged changes."
1648
+ "notes": "Use Husky as the entry hook mechanism calling lint-staged. Hooks should CHECK (--check flags) not auto-fix to keep developers aware of issues. Scope to staged files only for speed. Invoke hooks through the repo toolchain (npx) not global installs to ensure environment pinning. Never let hook enforcement drift from CI.",
1649
+ "verification": "Run 'npm run verify' (or equivalent) and confirm the same checks run in both hooks and CI."
1305
1650
  }
1306
1651
  }
1307
1652
  },
@@ -1317,73 +1662,255 @@
1317
1662
  },
1318
1663
  "ciHints": {
1319
1664
  "azure-devops": {
1665
+ "notes": "CI should call the same verify script that hooks use locally.",
1320
1666
  "stage": "quality"
1321
1667
  },
1322
1668
  "github-actions": {
1323
- "job": "ci"
1669
+ "job": "ci",
1670
+ "notes": "CI should call the same verify script that hooks use locally."
1324
1671
  }
1325
1672
  },
1326
- "description": "Use static type checking to catch errors before runtime and enforce strictness on new code. For JS/TS stacks, require a TypeScript-first policy with strict mode and a CI typecheck step; allow JSDoc/checkJs migration for legacy JS.",
1673
+ "description": "Local hooks and CI must invoke identical verification commands to prevent 'works locally, fails in CI' issues. Use a single canonical verify entrypoint (e.g., npm run verify) that both hooks and CI call.",
1327
1674
  "enforcement": "required",
1328
- "id": "type-checking",
1329
- "label": "Type Checking",
1675
+ "executionStage": "pre-commit",
1676
+ "id": "hook-ci-parity",
1677
+ "label": "Hook/CI Parity",
1330
1678
  "severity": "error",
1331
1679
  "stackHints": {
1332
1680
  "csharp-dotnet": {
1333
- "bazelHints": {
1334
- "commands": [
1335
- "bazel build //..."
1336
- ],
1337
- "notes": "Example only; actual targets are repo-defined. C# type errors surface during bazel build with rules_dotnet."
1338
- },
1339
1681
  "exampleConfigFiles": [
1340
- ".editorconfig",
1341
- "Directory.Build.props",
1342
- "*.csproj"
1343
- ],
1344
- "exampleTools": [
1345
- "Roslyn analyzers"
1346
- ],
1347
- "notes": "Enable nullable reference types and relevant analyzers to catch type and nullability issues at compile time. C# project files (*.csproj) indicate the presence of projects that can be type-checked.",
1348
- "optionalFiles": [
1682
+ "Makefile",
1349
1683
  "Directory.Build.props"
1350
1684
  ],
1351
- "requiredFiles": [
1352
- ".editorconfig"
1685
+ "exampleTools": [
1686
+ "dotnet CLI",
1687
+ "make"
1353
1688
  ],
1354
- "verification": ".editorconfig must exist; Directory.Build.props is optional for shared build configuration."
1689
+ "notes": "Define a verify target (make verify or dotnet cake verify) that both hooks and CI invoke. Keep verification logic in one place.",
1690
+ "verification": "Compare hook commands with CI commands and confirm they invoke the same targets."
1355
1691
  },
1356
1692
  "go": {
1357
- "bazelHints": {
1358
- "commands": [
1359
- "bazel build //..."
1360
- ],
1361
- "notes": "Go type checking is inherent to compilation. bazel build with rules_go enforces type safety."
1362
- },
1363
1693
  "exampleConfigFiles": [
1364
- "go.mod"
1694
+ "Makefile",
1695
+ "magefile.go"
1365
1696
  ],
1366
1697
  "exampleTools": [
1367
- "go vet",
1368
- "staticcheck"
1369
- ],
1370
- "notes": "Go has compile-time type checking built in. Use 'go vet' for additional static analysis. staticcheck provides enhanced type-related checks.",
1371
- "requiredFiles": [
1372
- "go.mod"
1698
+ "make",
1699
+ "mage"
1373
1700
  ],
1374
- "verification": "Run 'go build ./...' to verify type correctness. Use 'go vet ./...' for additional static analysis."
1701
+ "notes": "Define a verify target (make verify) that runs go vet, golangci-lint, and go test. Both hooks and CI should use this target.",
1702
+ "verification": "Compare hook commands with CI commands and confirm they invoke the same make targets."
1375
1703
  },
1376
1704
  "python": {
1377
- "bazelHints": {
1378
- "commands": [
1379
- "bazel test //...:mypy_test",
1380
- "bazel run //tools/typecheck:mypy"
1381
- ],
1382
- "notes": "Example only; actual targets are repo-defined. Wrap mypy as a py_test or run target."
1383
- },
1384
1705
  "exampleConfigFiles": [
1385
- "mypy.ini",
1386
- "pyproject.toml"
1706
+ "Makefile",
1707
+ "tox.ini",
1708
+ "noxfile.py"
1709
+ ],
1710
+ "exampleTools": [
1711
+ "make",
1712
+ "tox",
1713
+ "nox"
1714
+ ],
1715
+ "notes": "Define a verify target (make verify, tox -e lint, or nox -s lint) that both pre-commit and CI invoke. Pin tool versions in pyproject.toml.",
1716
+ "verification": "Compare hook commands with CI commands and confirm they invoke the same targets."
1717
+ },
1718
+ "rust": {
1719
+ "exampleConfigFiles": [
1720
+ "Makefile",
1721
+ "Cargo.toml"
1722
+ ],
1723
+ "exampleTools": [
1724
+ "cargo",
1725
+ "make"
1726
+ ],
1727
+ "notes": "Define a verify target (make verify or cargo make verify) that runs fmt --check, clippy, and test. Both hooks and CI should use this target.",
1728
+ "verification": "Compare hook commands with CI commands and confirm they invoke the same cargo commands."
1729
+ },
1730
+ "typescript-js": {
1731
+ "exampleConfigFiles": [
1732
+ "package.json"
1733
+ ],
1734
+ "exampleTools": [
1735
+ "npm scripts"
1736
+ ],
1737
+ "notes": "Define a 'verify' script in package.json that runs all checks (lint, format:check, typecheck). Both .husky/pre-commit and CI should call 'npm run verify'. Never add checks to CI that don't run locally.",
1738
+ "requiredScripts": [
1739
+ "verify"
1740
+ ],
1741
+ "verification": "Compare hook commands with CI commands and confirm they invoke the same scripts."
1742
+ }
1743
+ }
1744
+ },
1745
+ {
1746
+ "appliesTo": {
1747
+ "stacks": [
1748
+ "typescript-js",
1749
+ "csharp-dotnet",
1750
+ "python",
1751
+ "rust",
1752
+ "go"
1753
+ ]
1754
+ },
1755
+ "ciHints": {
1756
+ "azure-devops": {
1757
+ "notes": "Also run secret scanning in CI as a safety net for commits that bypassed hooks.",
1758
+ "stage": "quality"
1759
+ },
1760
+ "github-actions": {
1761
+ "job": "ci",
1762
+ "notes": "Enable GitHub secret scanning and also run gitleaks in CI."
1763
+ }
1764
+ },
1765
+ "description": "Scan staged diffs for credentials, API keys, and secrets before they reach the remote repository. Catch secrets at commit time rather than after they're pushed.",
1766
+ "enforcement": "required",
1767
+ "executionStage": "pre-commit",
1768
+ "id": "secret-scanning-precommit",
1769
+ "label": "Pre-commit Secret Scanning",
1770
+ "scopeToChangedFiles": true,
1771
+ "severity": "error",
1772
+ "stackHints": {
1773
+ "csharp-dotnet": {
1774
+ "exampleConfigFiles": [
1775
+ ".gitleaks.toml"
1776
+ ],
1777
+ "exampleTools": [
1778
+ "gitleaks",
1779
+ "detect-secrets"
1780
+ ],
1781
+ "notes": "Add gitleaks to pre-commit hooks via Lefthook. Scan staged changes before commits.",
1782
+ "verification": "Run 'gitleaks protect --staged' and verify it catches test secrets."
1783
+ },
1784
+ "go": {
1785
+ "exampleConfigFiles": [
1786
+ ".gitleaks.toml",
1787
+ ".pre-commit-config.yaml"
1788
+ ],
1789
+ "exampleTools": [
1790
+ "gitleaks",
1791
+ "trufflehog"
1792
+ ],
1793
+ "notes": "Add gitleaks to pre-commit hooks. Scan staged changes only for speed.",
1794
+ "verification": "Run 'gitleaks protect --staged' and verify it catches test secrets."
1795
+ },
1796
+ "python": {
1797
+ "exampleConfigFiles": [
1798
+ ".pre-commit-config.yaml",
1799
+ ".secrets.baseline"
1800
+ ],
1801
+ "exampleTools": [
1802
+ "detect-secrets",
1803
+ "gitleaks"
1804
+ ],
1805
+ "notes": "Add detect-secrets or gitleaks to .pre-commit-config.yaml. Use detect-secrets audit to manage baselines.",
1806
+ "verification": "Run 'detect-secrets scan' or 'gitleaks protect' and verify scanning works."
1807
+ },
1808
+ "rust": {
1809
+ "exampleConfigFiles": [
1810
+ ".gitleaks.toml",
1811
+ ".pre-commit-config.yaml"
1812
+ ],
1813
+ "exampleTools": [
1814
+ "gitleaks"
1815
+ ],
1816
+ "notes": "Add gitleaks to pre-commit hooks. Configure Rust-specific patterns if needed.",
1817
+ "verification": "Run 'gitleaks protect --staged' and verify it catches test secrets."
1818
+ },
1819
+ "typescript-js": {
1820
+ "exampleConfigFiles": [
1821
+ ".gitleaks.toml",
1822
+ ".secrets.baseline"
1823
+ ],
1824
+ "exampleTools": [
1825
+ "gitleaks",
1826
+ "detect-secrets",
1827
+ "trufflehog"
1828
+ ],
1829
+ "notes": "Add gitleaks or detect-secrets to pre-commit hooks. Scan only staged changes for speed. Configure allowlists for false positives in .gitleaks.toml.",
1830
+ "verification": "Run 'gitleaks protect --staged' and verify it catches test secrets."
1831
+ }
1832
+ }
1833
+ },
1834
+ {
1835
+ "appliesTo": {
1836
+ "stacks": [
1837
+ "typescript-js",
1838
+ "csharp-dotnet",
1839
+ "python",
1840
+ "rust",
1841
+ "go"
1842
+ ]
1843
+ },
1844
+ "ciHints": {
1845
+ "azure-devops": {
1846
+ "stage": "quality"
1847
+ },
1848
+ "github-actions": {
1849
+ "job": "ci"
1850
+ }
1851
+ },
1852
+ "description": "Use static type checking to catch errors before runtime and enforce strictness on new code. For JS/TS stacks, require a TypeScript-first policy with strict mode and a CI typecheck step; allow JSDoc/checkJs migration for legacy JS.",
1853
+ "enforcement": "required",
1854
+ "executionStage": "pre-push",
1855
+ "id": "type-checking",
1856
+ "label": "Type Checking",
1857
+ "severity": "error",
1858
+ "stackHints": {
1859
+ "csharp-dotnet": {
1860
+ "bazelHints": {
1861
+ "commands": [
1862
+ "bazel build //..."
1863
+ ],
1864
+ "notes": "Example only; actual targets are repo-defined. C# type errors surface during bazel build with rules_dotnet."
1865
+ },
1866
+ "exampleConfigFiles": [
1867
+ ".editorconfig",
1868
+ "Directory.Build.props",
1869
+ "*.csproj"
1870
+ ],
1871
+ "exampleTools": [
1872
+ "Roslyn analyzers"
1873
+ ],
1874
+ "notes": "Enable nullable reference types and relevant analyzers to catch type and nullability issues at compile time. C# project files (*.csproj) indicate the presence of projects that can be type-checked.",
1875
+ "optionalFiles": [
1876
+ "Directory.Build.props"
1877
+ ],
1878
+ "requiredFiles": [
1879
+ ".editorconfig"
1880
+ ],
1881
+ "verification": ".editorconfig must exist; Directory.Build.props is optional for shared build configuration."
1882
+ },
1883
+ "go": {
1884
+ "bazelHints": {
1885
+ "commands": [
1886
+ "bazel build //..."
1887
+ ],
1888
+ "notes": "Go type checking is inherent to compilation. bazel build with rules_go enforces type safety."
1889
+ },
1890
+ "exampleConfigFiles": [
1891
+ "go.mod"
1892
+ ],
1893
+ "exampleTools": [
1894
+ "go vet",
1895
+ "staticcheck"
1896
+ ],
1897
+ "notes": "Go has compile-time type checking built in. Use 'go vet' for additional static analysis. staticcheck provides enhanced type-related checks.",
1898
+ "requiredFiles": [
1899
+ "go.mod"
1900
+ ],
1901
+ "verification": "Run 'go build ./...' to verify type correctness. Use 'go vet ./...' for additional static analysis."
1902
+ },
1903
+ "python": {
1904
+ "bazelHints": {
1905
+ "commands": [
1906
+ "bazel test //...:mypy_test",
1907
+ "bazel run //tools/typecheck:mypy"
1908
+ ],
1909
+ "notes": "Example only; actual targets are repo-defined. Wrap mypy as a py_test or run target."
1910
+ },
1911
+ "exampleConfigFiles": [
1912
+ "mypy.ini",
1913
+ "pyproject.toml"
1387
1914
  ],
1388
1915
  "exampleTools": [
1389
1916
  "mypy"
@@ -1463,6 +1990,7 @@
1463
1990
  },
1464
1991
  "description": "Lock dependencies and scan regularly for known vulnerabilities; fail CI on newly introduced high-severity issues.",
1465
1992
  "enforcement": "required",
1993
+ "executionStage": "pre-push",
1466
1994
  "id": "dependency-security",
1467
1995
  "label": "Dependency Management & Vulnerability Scanning",
1468
1996
  "severity": "error",
@@ -1572,6 +2100,7 @@
1572
2100
  },
1573
2101
  "description": "Ensure builds are reproducible by pinning dependencies, base images, and tool/runtime versions. Avoid network/time variance and fail when lockfiles drift.",
1574
2102
  "enforcement": "required",
2103
+ "executionStage": "ci-pr",
1575
2104
  "id": "deterministic-builds",
1576
2105
  "label": "Deterministic & Hermetic Builds",
1577
2106
  "severity": "error",
@@ -1695,6 +2224,7 @@
1695
2224
  },
1696
2225
  "description": "Produce SBOMs or provenance metadata, enable secret/code scanning, and sign tags or commits for critical repos.",
1697
2226
  "enforcement": "required",
2227
+ "executionStage": "release",
1698
2228
  "id": "provenance-security",
1699
2229
  "label": "Provenance & Security Metadata",
1700
2230
  "severity": "error",
@@ -1815,6 +2345,7 @@
1815
2345
  },
1816
2346
  "description": "Adopt standard CI templates and config samples to scale across repositories, minimizing bespoke pipeline logic.",
1817
2347
  "enforcement": "required",
2348
+ "executionStage": "ci-pr",
1818
2349
  "id": "ci-templates-automation",
1819
2350
  "label": "CI Templates & Automation",
1820
2351
  "severity": "error",
@@ -1936,6 +2467,7 @@
1936
2467
  },
1937
2468
  "description": "Specify required runtime/engine versions in package manifests to ensure environment stability and prevent version-related issues across development teams.",
1938
2469
  "enforcement": "required",
2470
+ "executionStage": "pre-commit",
1939
2471
  "id": "runtime-version",
1940
2472
  "label": "Runtime Version Specification",
1941
2473
  "severity": "error",
@@ -2029,6 +2561,7 @@
2029
2561
  },
2030
2562
  "description": "Maintain a comprehensive README and, where applicable, auto-generated API docs to support onboarding and maintainability.",
2031
2563
  "enforcement": "required",
2564
+ "executionStage": "ci-pr",
2032
2565
  "id": "documentation",
2033
2566
  "label": "Documentation Standards",
2034
2567
  "severity": "error",
@@ -2148,6 +2681,7 @@
2148
2681
  },
2149
2682
  "description": "Include standard governance files (LICENSE, CODE_OF_CONDUCT.md, CONTRIBUTING.md), branch protection rules, and review standards to define legal, ethical, and workflow expectations.",
2150
2683
  "enforcement": "required",
2684
+ "executionStage": "ci-pr",
2151
2685
  "id": "repository-governance",
2152
2686
  "label": "Repository Governance",
2153
2687
  "severity": "error",
@@ -2238,9 +2772,7 @@
2238
2772
  "verification": "LICENSE file is present in the repository root; CODE_OF_CONDUCT.md and CONTRIBUTING.md are present for contribution guidance."
2239
2773
  }
2240
2774
  }
2241
- }
2242
- ],
2243
- "optionalEnhancements": [
2775
+ },
2244
2776
  {
2245
2777
  "appliesTo": {
2246
2778
  "stacks": [
@@ -2253,68 +2785,85 @@
2253
2785
  },
2254
2786
  "ciHints": {
2255
2787
  "azure-devops": {
2256
- "stage": "observability"
2788
+ "notes": "CI should call the canonical verify command, not duplicate check logic.",
2789
+ "stage": "quality"
2257
2790
  },
2258
2791
  "github-actions": {
2259
- "job": "ci"
2792
+ "job": "ci",
2793
+ "notes": "CI should call the canonical verify command, not duplicate check logic."
2260
2794
  }
2261
2795
  },
2262
- "description": "Standardize error handling and structured logging to make debugging and production monitoring easier.",
2263
- "enforcement": "optional",
2264
- "id": "observability",
2265
- "label": "Observability (Logging & Error Handling)",
2266
- "severity": "info",
2796
+ "description": "Provide one canonical 'verify' command per repository/stack that all stages call with appropriate flags. This prevents duplication, drift, and ensures consistency between local development and CI.",
2797
+ "enforcement": "required",
2798
+ "executionStage": "pre-commit",
2799
+ "id": "canonical-verify",
2800
+ "label": "Canonical Verify Entrypoint",
2801
+ "severity": "error",
2267
2802
  "stackHints": {
2268
2803
  "csharp-dotnet": {
2269
2804
  "exampleConfigFiles": [
2270
- "appsettings.json"
2805
+ "Makefile",
2806
+ "build.cake"
2271
2807
  ],
2272
2808
  "exampleTools": [
2273
- "Serilog",
2274
- "NLog"
2809
+ "dotnet CLI",
2810
+ "make",
2811
+ "cake"
2275
2812
  ],
2276
- "notes": "Configure structured logging for your .NET services and ensure exceptions and key events are logged with useful context.",
2277
- "verification": "Confirm that a structured logging library (such as Serilog or NLog) is configured with an agreed sink and format, and that the application logs meaningful context for errors and key events."
2813
+ "notes": "Define 'make verify' or 'dotnet cake verify' that runs all checks. Both hooks and CI use this single entrypoint with stage-appropriate flags.",
2814
+ "verification": "Makefile or build script contains a 'verify' target."
2278
2815
  },
2279
2816
  "go": {
2280
- "exampleConfigFiles": [],
2817
+ "exampleConfigFiles": [
2818
+ "Makefile",
2819
+ "magefile.go"
2820
+ ],
2281
2821
  "exampleTools": [
2282
- "slog",
2283
- "zap",
2284
- "zerolog"
2822
+ "make",
2823
+ "mage"
2285
2824
  ],
2286
- "notes": "Use slog (stdlib) or zap/zerolog for structured logging. Configure JSON output for production and text for development.",
2287
- "verification": "Confirm that a structured logging library is configured with appropriate output format and log levels."
2825
+ "notes": "Define 'make verify' that runs go vet, golangci-lint, and go test. All stages use this single entrypoint.",
2826
+ "verification": "Makefile contains a 'verify' target."
2288
2827
  },
2289
2828
  "python": {
2290
2829
  "exampleConfigFiles": [
2291
- "logging configuration files",
2292
- "pyproject.toml"
2830
+ "Makefile",
2831
+ "tox.ini",
2832
+ "noxfile.py"
2293
2833
  ],
2294
2834
  "exampleTools": [
2295
- "structlog",
2296
- "loguru"
2835
+ "make",
2836
+ "tox",
2837
+ "nox"
2297
2838
  ],
2298
- "notes": "Use structured logging for Python services and ensure critical paths record enough context to debug issues after the fact.",
2299
- "verification": "Confirm that a structured logging setup (such as structlog or configured logging with JSON formatting) is in place and that critical paths log enough information to debug failures in production."
2839
+ "notes": "Define 'make verify' or 'tox -e verify' that runs ruff, black --check, mypy, and pytest. All stages use this entrypoint.",
2840
+ "verification": "Makefile or tox.ini contains a 'verify' target/environment."
2300
2841
  },
2301
2842
  "rust": {
2302
- "exampleConfigFiles": [],
2843
+ "exampleConfigFiles": [
2844
+ "Makefile",
2845
+ "Makefile.toml"
2846
+ ],
2303
2847
  "exampleTools": [
2304
- "tracing",
2305
- "log"
2848
+ "cargo",
2849
+ "make",
2850
+ "cargo-make"
2306
2851
  ],
2307
- "notes": "Use the tracing crate for structured logging with spans and events. Configure tracing-subscriber for output formatting.",
2308
- "verification": "Confirm that tracing or log crate is configured with appropriate subscriber/logger and emits structured output."
2852
+ "notes": "Define 'make verify' or 'cargo make verify' that runs fmt --check, clippy, and test. Both hooks and CI use this entrypoint.",
2853
+ "verification": "Makefile or Makefile.toml contains a 'verify' task."
2309
2854
  },
2310
2855
  "typescript-js": {
2311
- "exampleConfigFiles": [],
2856
+ "exampleConfigFiles": [
2857
+ "package.json"
2858
+ ],
2312
2859
  "exampleTools": [
2313
- "Winston",
2314
- "Pino"
2860
+ "npm scripts"
2315
2861
  ],
2316
- "notes": "Adopt structured JSON logging with correlation IDs and send logs to a centralized sink in production.",
2317
- "verification": "Confirm that a structured logging library (such as Winston or Pino) is configured to emit JSON or key-value logs and that error handling routes important failures through this logger."
2862
+ "notes": "Define 'npm run verify' that runs lint, format:check, typecheck, and test. Pre-commit hooks call 'npm run verify:quick' (lint + format only). CI calls 'npm run verify' (full suite). Never duplicate verification logic across multiple scripts.",
2863
+ "requiredScripts": [
2864
+ "verify"
2865
+ ],
2866
+ "verification": "package.json contains a 'verify' script that orchestrates all checks."
2318
2867
  }
2319
2868
  }
2320
2869
  },
@@ -2330,65 +2879,314 @@
2330
2879
  },
2331
2880
  "ciHints": {
2332
2881
  "azure-devops": {
2333
- "stage": "governance"
2882
+ "notes": "Ensure CI reads from authoritative configs, not duplicated settings.",
2883
+ "stage": "quality"
2334
2884
  },
2335
2885
  "github-actions": {
2336
- "job": "ci"
2886
+ "job": "ci",
2887
+ "notes": "Ensure CI reads from authoritative configs, not duplicated settings."
2337
2888
  }
2338
2889
  },
2339
- "description": "Define phase transition requirements in phase-gates.md for autonomous agent workflows with clear pre-conditions and approval gates.",
2340
- "enforcement": "optional",
2341
- "id": "agent-phase-gates",
2342
- "label": "Agent Phase Gates",
2343
- "severity": "info",
2890
+ "description": "Each configuration rule must live in exactly one authoritative config file. Avoid duplication across .editorconfig, linter configs, and CI definitions. Document which file is authoritative for each concern.",
2891
+ "enforcement": "required",
2892
+ "executionStage": "ci-pr",
2893
+ "id": "config-authority",
2894
+ "label": "Config File Authority Rules",
2895
+ "severity": "error",
2344
2896
  "stackHints": {
2345
2897
  "csharp-dotnet": {
2346
2898
  "exampleConfigFiles": [
2347
- "phase-gates.md"
2899
+ ".gitattributes",
2900
+ ".editorconfig",
2901
+ "Directory.Build.props"
2348
2902
  ],
2349
2903
  "exampleTools": [],
2350
- "notes": "Define phase gates with .NET-specific verification (dotnet test, coverage reports, NuGet package publishing) and approval workflows.",
2351
- "optionalFiles": [
2352
- "phase-gates.md"
2353
- ],
2354
- "verification": "phase-gates.md exists defining transition requirements."
2904
+ "notes": "Authority mapping: .gitattributes for EOL, .editorconfig for formatting rules, Directory.Build.props for shared build settings. Roslyn analyzers read from .editorconfig.",
2905
+ "verification": "Review configs and confirm no rule is duplicated across files."
2355
2906
  },
2356
2907
  "go": {
2357
2908
  "exampleConfigFiles": [
2358
- "phase-gates.md"
2909
+ ".gitattributes",
2910
+ "go.mod",
2911
+ ".golangci.yml"
2359
2912
  ],
2360
2913
  "exampleTools": [],
2361
- "notes": "Define gates with Go-specific checks (go test, go vet, module tagging) and approval workflows for phase transitions.",
2362
- "optionalFiles": [
2363
- "phase-gates.md"
2364
- ],
2365
- "verification": "phase-gates.md exists defining transition requirements."
2914
+ "notes": "Authority mapping: .gitattributes for EOL, go.mod for module config and Go version, .golangci.yml for all linting rules. Keep lint config consolidated in one file.",
2915
+ "verification": "Review configs and confirm .golangci.yml is the single source for lint rules."
2366
2916
  },
2367
2917
  "python": {
2368
2918
  "exampleConfigFiles": [
2369
- "phase-gates.md"
2919
+ ".gitattributes",
2920
+ "pyproject.toml",
2921
+ ".editorconfig"
2370
2922
  ],
2371
2923
  "exampleTools": [],
2372
- "notes": "Specify phase transitions with Python-specific checks (pytest results, wheel/sdist builds, PyPI publication) and approval processes.",
2373
- "optionalFiles": [
2374
- "phase-gates.md"
2375
- ],
2376
- "verification": "phase-gates.md exists defining transition requirements."
2924
+ "notes": "Authority mapping: .gitattributes for EOL, pyproject.toml for all tool configs (ruff, black, mypy, pytest). Avoid separate tool configs (.flake8, setup.cfg) when pyproject.toml can hold them.",
2925
+ "verification": "Review configs and confirm pyproject.toml is the single source for tool settings."
2377
2926
  },
2378
2927
  "rust": {
2379
2928
  "exampleConfigFiles": [
2380
- "phase-gates.md"
2929
+ ".gitattributes",
2930
+ "Cargo.toml",
2931
+ "rustfmt.toml",
2932
+ "clippy.toml"
2381
2933
  ],
2382
2934
  "exampleTools": [],
2383
- "notes": "Document phase gates with Rust-specific verification (cargo test, cargo check, crates.io publishing) and sign-off requirements.",
2384
- "optionalFiles": [
2385
- "phase-gates.md"
2386
- ],
2387
- "verification": "phase-gates.md exists defining transition requirements."
2935
+ "notes": "Authority mapping: .gitattributes for EOL, Cargo.toml for project config, rustfmt.toml for formatting, clippy.toml for linting. Each concern has one file.",
2936
+ "verification": "Review configs and confirm no rules are duplicated across files."
2388
2937
  },
2389
2938
  "typescript-js": {
2390
2939
  "exampleConfigFiles": [
2391
- "phase-gates.md"
2940
+ ".gitattributes",
2941
+ ".editorconfig",
2942
+ "eslint.config.js",
2943
+ "tsconfig.json"
2944
+ ],
2945
+ "exampleTools": [],
2946
+ "notes": "Authority mapping: .gitattributes for EOL (Git layer), .editorconfig for editor display, eslint.config.js for lint rules, tsconfig.json for TS compiler options, prettier for formatting. Never duplicate rules across files.",
2947
+ "verification": "Review configs and confirm no rule is defined in multiple places with potential for drift."
2948
+ }
2949
+ }
2950
+ },
2951
+ {
2952
+ "appliesTo": {
2953
+ "stacks": [
2954
+ "typescript-js",
2955
+ "csharp-dotnet",
2956
+ "python",
2957
+ "rust",
2958
+ "go"
2959
+ ]
2960
+ },
2961
+ "ciHints": {
2962
+ "azure-devops": {
2963
+ "notes": "CI should read skip paths from config files, not hardcode them in pipeline.",
2964
+ "stage": "quality"
2965
+ },
2966
+ "github-actions": {
2967
+ "job": "ci",
2968
+ "notes": "CI should read skip paths from config files, not hardcode them in pipeline."
2969
+ }
2970
+ },
2971
+ "description": "Encode path exclusions and skip rules deterministically in config files, not through ad-hoc human judgment. Make it clear which paths are excluded from checks and why.",
2972
+ "enforcement": "required",
2973
+ "executionStage": "ci-pr",
2974
+ "id": "explicit-skip-paths",
2975
+ "label": "Explicit Skip Paths",
2976
+ "severity": "error",
2977
+ "stackHints": {
2978
+ "csharp-dotnet": {
2979
+ "exampleConfigFiles": [
2980
+ ".editorconfig"
2981
+ ],
2982
+ "exampleTools": [
2983
+ "dotnet format",
2984
+ "Roslyn"
2985
+ ],
2986
+ "notes": "Use .editorconfig file globs to exclude generated code from analysis. Document exclusions with comments.",
2987
+ "verification": "Review .editorconfig and confirm exclusions are explicit and documented."
2988
+ },
2989
+ "go": {
2990
+ "exampleConfigFiles": [
2991
+ ".golangci.yml"
2992
+ ],
2993
+ "exampleTools": [
2994
+ "golangci-lint"
2995
+ ],
2996
+ "notes": "Define skip-dirs and skip-files in .golangci.yml. Use //nolint comments sparingly and always include justification (//nolint:errcheck // reason).",
2997
+ "verification": "Review .golangci.yml and confirm skip paths are explicit and documented."
2998
+ },
2999
+ "python": {
3000
+ "exampleConfigFiles": [
3001
+ "pyproject.toml"
3002
+ ],
3003
+ "exampleTools": [
3004
+ "ruff",
3005
+ "black",
3006
+ "mypy"
3007
+ ],
3008
+ "notes": "Define exclude patterns in pyproject.toml [tool.ruff], [tool.black], [tool.mypy] sections. Document why each path is excluded. Avoid runtime --exclude flags.",
3009
+ "verification": "Review pyproject.toml and confirm all exclusions are defined there, not in scripts."
3010
+ },
3011
+ "rust": {
3012
+ "exampleConfigFiles": [
3013
+ "rustfmt.toml",
3014
+ ".clippy.toml"
3015
+ ],
3016
+ "exampleTools": [
3017
+ "rustfmt",
3018
+ "clippy"
3019
+ ],
3020
+ "notes": "Use #[rustfmt::skip] or #[allow(clippy::*)] sparingly and document why. For directory-level exclusions, use Cargo.toml workspace exclude.",
3021
+ "verification": "Search for skip annotations and confirm each is documented."
3022
+ },
3023
+ "typescript-js": {
3024
+ "exampleConfigFiles": [
3025
+ ".eslintignore",
3026
+ ".prettierignore",
3027
+ "eslint.config.js"
3028
+ ],
3029
+ "exampleTools": [
3030
+ "eslint",
3031
+ "prettier"
3032
+ ],
3033
+ "notes": "Define ignores in eslint.config.js (ignores array) and .prettierignore. Document why each path is excluded (generated code, vendor, etc.). Avoid ad-hoc --ignore-path flags in scripts.",
3034
+ "verification": "Review ignore configs and confirm all exclusions are documented and intentional."
3035
+ }
3036
+ }
3037
+ }
3038
+ ],
3039
+ "optionalEnhancements": [
3040
+ {
3041
+ "appliesTo": {
3042
+ "stacks": [
3043
+ "typescript-js",
3044
+ "csharp-dotnet",
3045
+ "python",
3046
+ "rust",
3047
+ "go"
3048
+ ]
3049
+ },
3050
+ "ciHints": {
3051
+ "azure-devops": {
3052
+ "stage": "observability"
3053
+ },
3054
+ "github-actions": {
3055
+ "job": "ci"
3056
+ }
3057
+ },
3058
+ "description": "Standardize error handling and structured logging to make debugging and production monitoring easier.",
3059
+ "enforcement": "optional",
3060
+ "executionStage": "ci-pr",
3061
+ "id": "observability",
3062
+ "label": "Observability (Logging & Error Handling)",
3063
+ "severity": "info",
3064
+ "stackHints": {
3065
+ "csharp-dotnet": {
3066
+ "exampleConfigFiles": [
3067
+ "appsettings.json"
3068
+ ],
3069
+ "exampleTools": [
3070
+ "Serilog",
3071
+ "NLog"
3072
+ ],
3073
+ "notes": "Configure structured logging for your .NET services and ensure exceptions and key events are logged with useful context.",
3074
+ "verification": "Confirm that a structured logging library (such as Serilog or NLog) is configured with an agreed sink and format, and that the application logs meaningful context for errors and key events."
3075
+ },
3076
+ "go": {
3077
+ "exampleConfigFiles": [],
3078
+ "exampleTools": [
3079
+ "slog",
3080
+ "zap",
3081
+ "zerolog"
3082
+ ],
3083
+ "notes": "Use slog (stdlib) or zap/zerolog for structured logging. Configure JSON output for production and text for development.",
3084
+ "verification": "Confirm that a structured logging library is configured with appropriate output format and log levels."
3085
+ },
3086
+ "python": {
3087
+ "exampleConfigFiles": [
3088
+ "logging configuration files",
3089
+ "pyproject.toml"
3090
+ ],
3091
+ "exampleTools": [
3092
+ "structlog",
3093
+ "loguru"
3094
+ ],
3095
+ "notes": "Use structured logging for Python services and ensure critical paths record enough context to debug issues after the fact.",
3096
+ "verification": "Confirm that a structured logging setup (such as structlog or configured logging with JSON formatting) is in place and that critical paths log enough information to debug failures in production."
3097
+ },
3098
+ "rust": {
3099
+ "exampleConfigFiles": [],
3100
+ "exampleTools": [
3101
+ "tracing",
3102
+ "log"
3103
+ ],
3104
+ "notes": "Use the tracing crate for structured logging with spans and events. Configure tracing-subscriber for output formatting.",
3105
+ "verification": "Confirm that tracing or log crate is configured with appropriate subscriber/logger and emits structured output."
3106
+ },
3107
+ "typescript-js": {
3108
+ "exampleConfigFiles": [],
3109
+ "exampleTools": [
3110
+ "Winston",
3111
+ "Pino"
3112
+ ],
3113
+ "notes": "Adopt structured JSON logging with correlation IDs and send logs to a centralized sink in production.",
3114
+ "verification": "Confirm that a structured logging library (such as Winston or Pino) is configured to emit JSON or key-value logs and that error handling routes important failures through this logger."
3115
+ }
3116
+ }
3117
+ },
3118
+ {
3119
+ "appliesTo": {
3120
+ "stacks": [
3121
+ "typescript-js",
3122
+ "csharp-dotnet",
3123
+ "python",
3124
+ "rust",
3125
+ "go"
3126
+ ]
3127
+ },
3128
+ "ciHints": {
3129
+ "azure-devops": {
3130
+ "stage": "governance"
3131
+ },
3132
+ "github-actions": {
3133
+ "job": "ci"
3134
+ }
3135
+ },
3136
+ "description": "Define phase transition requirements in phase-gates.md for autonomous agent workflows with clear pre-conditions and approval gates.",
3137
+ "enforcement": "optional",
3138
+ "executionStage": "ci-pr",
3139
+ "id": "agent-phase-gates",
3140
+ "label": "Agent Phase Gates",
3141
+ "severity": "info",
3142
+ "stackHints": {
3143
+ "csharp-dotnet": {
3144
+ "exampleConfigFiles": [
3145
+ "phase-gates.md"
3146
+ ],
3147
+ "exampleTools": [],
3148
+ "notes": "Define phase gates with .NET-specific verification (dotnet test, coverage reports, NuGet package publishing) and approval workflows.",
3149
+ "optionalFiles": [
3150
+ "phase-gates.md"
3151
+ ],
3152
+ "verification": "phase-gates.md exists defining transition requirements."
3153
+ },
3154
+ "go": {
3155
+ "exampleConfigFiles": [
3156
+ "phase-gates.md"
3157
+ ],
3158
+ "exampleTools": [],
3159
+ "notes": "Define gates with Go-specific checks (go test, go vet, module tagging) and approval workflows for phase transitions.",
3160
+ "optionalFiles": [
3161
+ "phase-gates.md"
3162
+ ],
3163
+ "verification": "phase-gates.md exists defining transition requirements."
3164
+ },
3165
+ "python": {
3166
+ "exampleConfigFiles": [
3167
+ "phase-gates.md"
3168
+ ],
3169
+ "exampleTools": [],
3170
+ "notes": "Specify phase transitions with Python-specific checks (pytest results, wheel/sdist builds, PyPI publication) and approval processes.",
3171
+ "optionalFiles": [
3172
+ "phase-gates.md"
3173
+ ],
3174
+ "verification": "phase-gates.md exists defining transition requirements."
3175
+ },
3176
+ "rust": {
3177
+ "exampleConfigFiles": [
3178
+ "phase-gates.md"
3179
+ ],
3180
+ "exampleTools": [],
3181
+ "notes": "Document phase gates with Rust-specific verification (cargo test, cargo check, crates.io publishing) and sign-off requirements.",
3182
+ "optionalFiles": [
3183
+ "phase-gates.md"
3184
+ ],
3185
+ "verification": "phase-gates.md exists defining transition requirements."
3186
+ },
3187
+ "typescript-js": {
3188
+ "exampleConfigFiles": [
3189
+ "phase-gates.md"
2392
3190
  ],
2393
3191
  "exampleTools": [],
2394
3192
  "notes": "Document phase transitions (Planning → Implementation → Verification → Release) with required pre-conditions, approval mechanisms, and evidence artifacts for each gate.",
@@ -2419,6 +3217,7 @@
2419
3217
  },
2420
3218
  "description": "Document milestone completion criteria in victory-gates.md defining 'done' for releases and major deliverables with evidence requirements.",
2421
3219
  "enforcement": "optional",
3220
+ "executionStage": "release",
2422
3221
  "id": "agent-victory-gates",
2423
3222
  "label": "Agent Victory Gates",
2424
3223
  "severity": "info",
@@ -2504,6 +3303,7 @@
2504
3303
  },
2505
3304
  "description": "Automate dependency updates using Renovate or Dependabot to keep dependencies current and reduce security exposure window.",
2506
3305
  "enforcement": "recommended",
3306
+ "executionStage": "nightly",
2507
3307
  "id": "dependency-update-automation",
2508
3308
  "label": "Dependency Update Automation",
2509
3309
  "severity": "warn",
@@ -2622,6 +3422,7 @@
2622
3422
  },
2623
3423
  "description": "Enforce module boundaries and import constraints to prevent architectural drift and unwanted coupling.",
2624
3424
  "enforcement": "recommended",
3425
+ "executionStage": "ci-pr",
2625
3426
  "id": "dependency-architecture-rules",
2626
3427
  "label": "Dependency Architecture Rules",
2627
3428
  "severity": "warn",
@@ -2720,6 +3521,7 @@
2720
3521
  },
2721
3522
  "description": "Test how components interact with each other and external systems, running after unit tests with more relaxed coverage thresholds.",
2722
3523
  "enforcement": "recommended",
3524
+ "executionStage": "ci-main",
2723
3525
  "id": "integration-testing",
2724
3526
  "label": "Integration Testing",
2725
3527
  "severity": "warn",
@@ -2801,6 +3603,7 @@
2801
3603
  },
2802
3604
  "description": "Establish performance baselines and monitor for regressions using lightweight benchmarks or audits in CI.",
2803
3605
  "enforcement": "recommended",
3606
+ "executionStage": "nightly",
2804
3607
  "id": "performance-baselining",
2805
3608
  "label": "Performance Baselines",
2806
3609
  "severity": "warn",
@@ -2882,6 +3685,7 @@
2882
3685
  },
2883
3686
  "description": "Measure cyclomatic complexity or similar metrics to keep code maintainable, starting as a warning-only check.",
2884
3687
  "enforcement": "recommended",
3688
+ "executionStage": "ci-pr",
2885
3689
  "id": "complexity-analysis",
2886
3690
  "label": "Complexity Analysis",
2887
3691
  "severity": "warn",
@@ -2963,6 +3767,7 @@
2963
3767
  },
2964
3768
  "description": "Run accessibility checks on web-facing components to detect critical issues and improve inclusive UX.",
2965
3769
  "enforcement": "recommended",
3770
+ "executionStage": "ci-pr",
2966
3771
  "id": "accessibility-auditing",
2967
3772
  "label": "Accessibility Auditing",
2968
3773
  "severity": "warn",
@@ -3013,6 +3818,442 @@
3013
3818
  }
3014
3819
  }
3015
3820
  },
3821
+ {
3822
+ "appliesTo": {
3823
+ "stacks": [
3824
+ "typescript-js",
3825
+ "csharp-dotnet",
3826
+ "python",
3827
+ "rust",
3828
+ "go"
3829
+ ]
3830
+ },
3831
+ "ciHints": {
3832
+ "azure-devops": {
3833
+ "notes": "Run AI drift detection in a scheduled nightly pipeline separate from main CI.",
3834
+ "stage": "nightly"
3835
+ },
3836
+ "github-actions": {
3837
+ "job": "nightly",
3838
+ "notes": "Use scheduled workflow (cron) to run AI drift detection nightly."
3839
+ }
3840
+ },
3841
+ "description": "Run nightly or scheduled checks comparing AI-generated outputs against pinned baselines to detect model drift, prompt drift, or code changes affecting AI behavior. Attribute regressions to code changes vs model updates vs prompt changes.",
3842
+ "enforcement": "recommended",
3843
+ "executionStage": "nightly",
3844
+ "id": "ai-drift-detection",
3845
+ "label": "AI Drift Detection",
3846
+ "severity": "warn",
3847
+ "stackHints": {
3848
+ "csharp-dotnet": {
3849
+ "exampleConfigFiles": [
3850
+ "*.verified.txt",
3851
+ "ai-baselines/"
3852
+ ],
3853
+ "exampleTools": [
3854
+ "Verify",
3855
+ "custom baseline tests"
3856
+ ],
3857
+ "notes": "Use Verify library or custom comparison tests to detect AI output drift. Run nightly to catch model-side changes that don't show up in code diffs.",
3858
+ "verification": "Run AI baseline tests and confirm outputs match pinned baselines."
3859
+ },
3860
+ "go": {
3861
+ "exampleConfigFiles": [
3862
+ "testdata/golden/",
3863
+ "ai-baselines/"
3864
+ ],
3865
+ "exampleTools": [
3866
+ "go test",
3867
+ "golden files"
3868
+ ],
3869
+ "notes": "Use golden file testing pattern for AI outputs. Compare current output against pinned baselines nightly.",
3870
+ "verification": "Run golden tests and confirm AI outputs match baselines."
3871
+ },
3872
+ "python": {
3873
+ "exampleConfigFiles": [
3874
+ "tests/ai_baselines/",
3875
+ "pytest.ini"
3876
+ ],
3877
+ "exampleTools": [
3878
+ "pytest",
3879
+ "deepdiff",
3880
+ "great_expectations"
3881
+ ],
3882
+ "notes": "Create golden output tests for AI-generated content. Use deepdiff for structured comparison. For ML models, also track metrics drift (accuracy, latency) not just output drift.",
3883
+ "verification": "Run AI baseline tests nightly and confirm outputs match or drift is documented."
3884
+ },
3885
+ "rust": {
3886
+ "exampleConfigFiles": [
3887
+ "snapshots/",
3888
+ "ai-baselines/"
3889
+ ],
3890
+ "exampleTools": [
3891
+ "insta",
3892
+ "custom baseline tests"
3893
+ ],
3894
+ "notes": "Use insta for snapshot testing of AI outputs. Pin model versions and prompt templates. Run nightly to detect drift.",
3895
+ "verification": "Run 'cargo insta test' and confirm AI outputs match baselines."
3896
+ },
3897
+ "typescript-js": {
3898
+ "exampleConfigFiles": [
3899
+ "__snapshots__/",
3900
+ "ai-baselines/"
3901
+ ],
3902
+ "exampleTools": [
3903
+ "jest snapshots",
3904
+ "custom baseline comparator"
3905
+ ],
3906
+ "notes": "Pin AI outputs as baseline snapshots. Nightly runs compare current outputs against baselines. When drift detected, investigate: was it a code change, model update, or prompt change? Log model version, prompt hash, and code SHA for attribution.",
3907
+ "verification": "Run AI baseline tests and confirm outputs match pinned baselines or drift is intentional."
3908
+ }
3909
+ }
3910
+ },
3911
+ {
3912
+ "appliesTo": {
3913
+ "stacks": [
3914
+ "typescript-js",
3915
+ "csharp-dotnet",
3916
+ "python",
3917
+ "rust",
3918
+ "go"
3919
+ ]
3920
+ },
3921
+ "ciHints": {
3922
+ "azure-devops": {
3923
+ "notes": "Run schema validation tests as part of quality gates.",
3924
+ "stage": "quality"
3925
+ },
3926
+ "github-actions": {
3927
+ "job": "ci",
3928
+ "notes": "Include AI output schema validation in CI test suite."
3929
+ }
3930
+ },
3931
+ "description": "Validate all AI-generated outputs against strict JSON schemas or type definitions at system boundaries. Reject invalid outputs early rather than letting malformed data propagate through the system.",
3932
+ "enforcement": "recommended",
3933
+ "executionStage": "ci-pr",
3934
+ "id": "ai-schema-enforcement",
3935
+ "label": "AI Output Schema Enforcement",
3936
+ "severity": "warn",
3937
+ "stackHints": {
3938
+ "csharp-dotnet": {
3939
+ "exampleConfigFiles": [
3940
+ "*.schema.json",
3941
+ "Schemas/"
3942
+ ],
3943
+ "exampleTools": [
3944
+ "System.Text.Json",
3945
+ "FluentValidation",
3946
+ "JsonSchema.Net"
3947
+ ],
3948
+ "notes": "Use strongly-typed DTOs with validation attributes or FluentValidation for AI outputs. Deserialize with strict settings that reject unknown properties.",
3949
+ "verification": "Review AI integration code and confirm outputs are validated against schemas."
3950
+ },
3951
+ "go": {
3952
+ "exampleConfigFiles": [
3953
+ "schemas/"
3954
+ ],
3955
+ "exampleTools": [
3956
+ "go-playground/validator",
3957
+ "gojsonschema"
3958
+ ],
3959
+ "notes": "Define struct tags for JSON unmarshaling and use validator for additional constraints. Reject AI outputs that don't match expected schema.",
3960
+ "verification": "Review AI integration code and confirm schema validation is in place."
3961
+ },
3962
+ "python": {
3963
+ "exampleConfigFiles": [
3964
+ "schemas/",
3965
+ "models.py"
3966
+ ],
3967
+ "exampleTools": [
3968
+ "pydantic",
3969
+ "jsonschema",
3970
+ "marshmallow"
3971
+ ],
3972
+ "notes": "Use Pydantic models for AI output validation. Enable strict mode to reject extra fields. Define clear schemas at system boundaries where AI outputs enter the codebase.",
3973
+ "verification": "Review AI integration code and confirm Pydantic or equivalent validation is in place."
3974
+ },
3975
+ "rust": {
3976
+ "exampleConfigFiles": [
3977
+ "src/schemas/"
3978
+ ],
3979
+ "exampleTools": [
3980
+ "serde",
3981
+ "jsonschema",
3982
+ "validator"
3983
+ ],
3984
+ "notes": "Use serde with #[serde(deny_unknown_fields)] for strict deserialization of AI outputs. Add validator derives for business rule validation.",
3985
+ "verification": "Review AI integration code and confirm strict deserialization is enforced."
3986
+ },
3987
+ "typescript-js": {
3988
+ "exampleConfigFiles": [
3989
+ "src/schemas/",
3990
+ "*.schema.json"
3991
+ ],
3992
+ "exampleTools": [
3993
+ "zod",
3994
+ "ajv",
3995
+ "TypeScript"
3996
+ ],
3997
+ "notes": "Define strict schemas for AI outputs using Zod or JSON Schema. Parse and validate AI responses at integration boundaries. Fail fast on schema violations rather than handling partial/invalid data.",
3998
+ "verification": "Review AI integration code and confirm all AI outputs are validated against schemas."
3999
+ }
4000
+ }
4001
+ },
4002
+ {
4003
+ "appliesTo": {
4004
+ "stacks": [
4005
+ "typescript-js",
4006
+ "csharp-dotnet",
4007
+ "python",
4008
+ "rust",
4009
+ "go"
4010
+ ]
4011
+ },
4012
+ "ciHints": {
4013
+ "azure-devops": {
4014
+ "notes": "Run AI golden tests as part of the test stage.",
4015
+ "stage": "test"
4016
+ },
4017
+ "github-actions": {
4018
+ "job": "ci",
4019
+ "notes": "Include AI golden contract tests in CI test suite."
4020
+ }
4021
+ },
4022
+ "description": "Validate AI tool-generated patches, configs, and code against exact expected formats. Test that AI outputs respect forbidden paths, file patterns, and format constraints through golden contract tests.",
4023
+ "enforcement": "recommended",
4024
+ "executionStage": "ci-pr",
4025
+ "id": "ai-golden-tests",
4026
+ "label": "AI Golden Contract Tests",
4027
+ "severity": "warn",
4028
+ "stackHints": {
4029
+ "csharp-dotnet": {
4030
+ "exampleConfigFiles": [
4031
+ "TestData/",
4032
+ "*.verified.json"
4033
+ ],
4034
+ "exampleTools": [
4035
+ "xUnit",
4036
+ "Verify"
4037
+ ],
4038
+ "notes": "Use Verify for golden file testing of AI outputs. Ensure AI-generated code respects namespace conventions and doesn't modify protected files.",
4039
+ "verification": "Run golden tests and confirm AI outputs match verified snapshots."
4040
+ },
4041
+ "go": {
4042
+ "exampleConfigFiles": [
4043
+ "testdata/"
4044
+ ],
4045
+ "exampleTools": [
4046
+ "go test",
4047
+ "golden files"
4048
+ ],
4049
+ "notes": "Use golden file pattern for AI output testing. Verify generated code follows Go conventions and doesn't modify vendor/ or other protected paths.",
4050
+ "verification": "Run golden tests and confirm AI outputs match expected files."
4051
+ },
4052
+ "python": {
4053
+ "exampleConfigFiles": [
4054
+ "tests/fixtures/",
4055
+ "__snapshots__/"
4056
+ ],
4057
+ "exampleTools": [
4058
+ "pytest",
4059
+ "syrupy"
4060
+ ],
4061
+ "notes": "Use pytest with syrupy for snapshot testing AI outputs. Test that generated code follows project conventions and respects forbidden paths.",
4062
+ "verification": "Run snapshot tests and confirm AI outputs match golden fixtures."
4063
+ },
4064
+ "rust": {
4065
+ "exampleConfigFiles": [
4066
+ "snapshots/"
4067
+ ],
4068
+ "exampleTools": [
4069
+ "insta"
4070
+ ],
4071
+ "notes": "Use insta for snapshot testing AI-generated code and configs. Test format compliance and forbidden path restrictions.",
4072
+ "verification": "Run 'cargo insta test' and confirm AI outputs match snapshots."
4073
+ },
4074
+ "typescript-js": {
4075
+ "exampleConfigFiles": [
4076
+ "__fixtures__/ai-outputs/",
4077
+ "*.golden.json"
4078
+ ],
4079
+ "exampleTools": [
4080
+ "jest",
4081
+ "vitest"
4082
+ ],
4083
+ "notes": "Create golden test fixtures for AI-generated patches and configs. Test that outputs match exact formats, don't touch forbidden paths (node_modules, .git), and respect file naming conventions.",
4084
+ "verification": "Run golden tests and confirm AI outputs match expected fixtures exactly."
4085
+ }
4086
+ }
4087
+ },
4088
+ {
4089
+ "appliesTo": {
4090
+ "stacks": [
4091
+ "typescript-js",
4092
+ "csharp-dotnet",
4093
+ "python",
4094
+ "rust",
4095
+ "go"
4096
+ ]
4097
+ },
4098
+ "ciHints": {
4099
+ "azure-devops": {
4100
+ "notes": "Run AI safety tests as part of security stage on main branch.",
4101
+ "stage": "security"
4102
+ },
4103
+ "github-actions": {
4104
+ "job": "security",
4105
+ "notes": "Run AI safety checks on main branch merges."
4106
+ }
4107
+ },
4108
+ "description": "Test AI integrations for prompt injection resistance, input sanitization, output filtering, and data exfiltration prevention. Include adversarial test cases that attempt to manipulate AI behavior.",
4109
+ "enforcement": "recommended",
4110
+ "executionStage": "ci-main",
4111
+ "id": "ai-safety-checks",
4112
+ "label": "AI Adversarial & Safety Testing",
4113
+ "severity": "warn",
4114
+ "stackHints": {
4115
+ "csharp-dotnet": {
4116
+ "exampleConfigFiles": [
4117
+ "Tests/AiSafety/"
4118
+ ],
4119
+ "exampleTools": [
4120
+ "xUnit",
4121
+ "custom security tests"
4122
+ ],
4123
+ "notes": "Test prompt injection resistance and output sanitization. Ensure AI outputs are escaped/validated before use in SQL queries, command execution, or HTML rendering.",
4124
+ "verification": "Run AI safety tests and confirm adversarial inputs are handled safely."
4125
+ },
4126
+ "go": {
4127
+ "exampleConfigFiles": [
4128
+ "ai_safety_test.go"
4129
+ ],
4130
+ "exampleTools": [
4131
+ "go test",
4132
+ "go-fuzz"
4133
+ ],
4134
+ "notes": "Create adversarial test cases for AI integrations. Use fuzzing to discover input handling edge cases.",
4135
+ "verification": "Run AI safety tests and fuzz tests."
4136
+ },
4137
+ "python": {
4138
+ "exampleConfigFiles": [
4139
+ "tests/ai_safety/"
4140
+ ],
4141
+ "exampleTools": [
4142
+ "pytest",
4143
+ "hypothesis"
4144
+ ],
4145
+ "notes": "Use hypothesis for property-based testing of AI input handling. Test prompt injection, output sanitization, and data boundary enforcement.",
4146
+ "verification": "Run AI safety tests including adversarial cases."
4147
+ },
4148
+ "rust": {
4149
+ "exampleConfigFiles": [
4150
+ "tests/ai_safety/"
4151
+ ],
4152
+ "exampleTools": [
4153
+ "proptest",
4154
+ "custom tests"
4155
+ ],
4156
+ "notes": "Use proptest for property-based testing of AI input validation. Test that malicious inputs don't escape sandboxing.",
4157
+ "verification": "Run AI safety tests with adversarial inputs."
4158
+ },
4159
+ "typescript-js": {
4160
+ "exampleConfigFiles": [
4161
+ "tests/ai-safety/"
4162
+ ],
4163
+ "exampleTools": [
4164
+ "jest",
4165
+ "custom adversarial tests"
4166
+ ],
4167
+ "notes": "Create adversarial test suite with prompt injection attempts, malicious input patterns, and exfiltration scenarios. Test that AI outputs are sanitized before use in sensitive contexts (SQL, shell, HTML).",
4168
+ "verification": "Run AI safety test suite and confirm all adversarial cases are handled safely."
4169
+ }
4170
+ }
4171
+ },
4172
+ {
4173
+ "appliesTo": {
4174
+ "stacks": [
4175
+ "typescript-js",
4176
+ "csharp-dotnet",
4177
+ "python",
4178
+ "rust",
4179
+ "go"
4180
+ ]
4181
+ },
4182
+ "ciHints": {
4183
+ "azure-devops": {
4184
+ "notes": "Verify AI provenance logging is implemented in quality checks.",
4185
+ "stage": "quality"
4186
+ },
4187
+ "github-actions": {
4188
+ "job": "ci",
4189
+ "notes": "Check AI provenance logging implementation in CI."
4190
+ }
4191
+ },
4192
+ "description": "Log AI provider, model version, prompt template version, parameters, and tool versions for all AI operations. Enable attribution of outputs to specific model+prompt combinations for debugging and compliance.",
4193
+ "enforcement": "recommended",
4194
+ "executionStage": "ci-pr",
4195
+ "id": "ai-provenance-tracking",
4196
+ "label": "AI Provenance & Audit Logging",
4197
+ "severity": "warn",
4198
+ "stackHints": {
4199
+ "csharp-dotnet": {
4200
+ "exampleConfigFiles": [
4201
+ "AiProvenance.cs"
4202
+ ],
4203
+ "exampleTools": [
4204
+ "OpenTelemetry",
4205
+ "Serilog"
4206
+ ],
4207
+ "notes": "Use structured logging to capture AI call provenance. Include model version, prompt hash, and parameters in log context.",
4208
+ "verification": "Review AI integration and confirm provenance logging is implemented."
4209
+ },
4210
+ "go": {
4211
+ "exampleConfigFiles": [
4212
+ "ai/provenance.go"
4213
+ ],
4214
+ "exampleTools": [
4215
+ "slog",
4216
+ "OpenTelemetry"
4217
+ ],
4218
+ "notes": "Use structured logging (slog) to capture AI provenance. Include model, prompt version, and parameters in log context.",
4219
+ "verification": "Review AI integration and confirm provenance logging is implemented."
4220
+ },
4221
+ "python": {
4222
+ "exampleConfigFiles": [
4223
+ "ai/provenance.py"
4224
+ ],
4225
+ "exampleTools": [
4226
+ "structlog",
4227
+ "OpenTelemetry",
4228
+ "MLflow"
4229
+ ],
4230
+ "notes": "Log AI provenance using structlog or MLflow tracking. For ML models, also track training data version and model artifact hash.",
4231
+ "verification": "Review AI integration and confirm provenance is tracked."
4232
+ },
4233
+ "rust": {
4234
+ "exampleConfigFiles": [
4235
+ "src/ai/provenance.rs"
4236
+ ],
4237
+ "exampleTools": [
4238
+ "tracing",
4239
+ "OpenTelemetry"
4240
+ ],
4241
+ "notes": "Use tracing spans to capture AI call provenance. Include model version, prompt hash, and parameters as span attributes.",
4242
+ "verification": "Review AI integration and confirm provenance is logged."
4243
+ },
4244
+ "typescript-js": {
4245
+ "exampleConfigFiles": [
4246
+ "src/ai/provenance.ts"
4247
+ ],
4248
+ "exampleTools": [
4249
+ "OpenTelemetry",
4250
+ "custom logging"
4251
+ ],
4252
+ "notes": "Log for each AI call: provider (OpenAI, Anthropic), model ID, prompt template hash/version, temperature, timestamp, request ID. Store provenance alongside outputs for debugging 'why did AI do X?'",
4253
+ "verification": "Review AI integration code and confirm provenance is logged for all AI calls."
4254
+ }
4255
+ }
4256
+ },
3016
4257
  {
3017
4258
  "appliesTo": {
3018
4259
  "stacks": [
@@ -3035,6 +4276,7 @@
3035
4276
  },
3036
4277
  "description": "Maintain INVARIANTS.md defining repository-wide rules that must always hold true, with machine-readable verification commands for autonomous agents.",
3037
4278
  "enforcement": "recommended",
4279
+ "executionStage": "ci-pr",
3038
4280
  "id": "agent-invariants",
3039
4281
  "label": "Autonomous Agent Invariants",
3040
4282
  "severity": "warn",
@@ -3151,27 +4393,41 @@
3151
4393
  },
3152
4394
  "migrationGuide": [
3153
4395
  {
3154
- "description": "Start by adding pre-commit hooks and core formatting/linting so developers get fast feedback without touching CI.",
4396
+ "description": "Configure .gitattributes for cross-platform line ending correctness and establish the canonical verify entrypoint before adding any checks. This prevents 'works locally, fails in CI' issues from day one.",
4397
+ "focusIds": [
4398
+ "gitattributes-eol",
4399
+ "canonical-verify",
4400
+ "hook-ci-parity",
4401
+ "config-authority"
4402
+ ],
4403
+ "notes": "Start here to avoid debugging cryptic CRLF failures later. Use .gitattributes as the authority for EOL (not .editorconfig). Run 'git add --renormalize .' after adding .gitattributes to fix existing files.",
4404
+ "step": 0,
4405
+ "title": "Foundation: Line Endings and Hook Entry Point"
4406
+ },
4407
+ {
4408
+ "description": "Add pre-commit hooks with secret scanning, formatting, and linting. Hooks should CHECK (not auto-fix) and scope to changed files only for speed.",
3155
4409
  "focusIds": [
3156
4410
  "pre-commit-hooks",
4411
+ "secret-scanning-precommit",
3157
4412
  "linting",
3158
4413
  "code-formatter"
3159
4414
  ],
3160
- "notes": "Keep hooks fast and focused on changed files to avoid slowing down day-to-day work.",
4415
+ "notes": "Keep hooks fast by scoping to staged files. Use Husky as entry point calling lint-staged or pre-commit. Hooks should check, not fix, to keep developers aware of issues.",
3161
4416
  "step": 1,
3162
4417
  "title": "Establish Local Safety Nets First"
3163
4418
  },
3164
4419
  {
3165
- "description": "Introduce CI quality gates that mirror local checks, but treat existing violations as warnings wherever possible.",
4420
+ "description": "Introduce CI quality gates that mirror local hooks exactly. Add CRLF detection early in pipeline. Treat existing violations as warnings where possible.",
3166
4421
  "focusIds": [
4422
+ "crlf-detection",
3167
4423
  "ci-quality-gates",
3168
4424
  "linting",
3169
4425
  "code-formatter",
3170
4426
  "commit-linting"
3171
4427
  ],
3172
- "notes": "Use diff-based tools or baselines so only new violations break builds; legacy issues remain visible but non-blocking.",
4428
+ "notes": "CI must call the same verify scripts that hooks use. Add CRLF detection before other checks to fail fast on line ending issues. Use diff-based tools so only new violations break builds.",
3173
4429
  "step": 2,
3174
- "title": "Mirror Local Checks in CI (Soft-Fail on Legacy)"
4430
+ "title": "Mirror Local Checks in CI with CRLF Detection"
3175
4431
  },
3176
4432
  {
3177
4433
  "description": "Enable type-checking, coverage thresholds, and dependency/vulnerability scanning with gradual enforcement.",
@@ -3196,9 +4452,22 @@
3196
4452
  "complexity-analysis",
3197
4453
  "accessibility-auditing"
3198
4454
  ],
3199
- "notes": "Tackle recommended items in order of business value; backend-only repos can skip web-focused checks like accessibility. For AI/ML-heavy Python teams, consider extending containerization with data versioning (DVC) and unit tests with data quality checks (e.g., Great Expectations) as part of this step.",
4455
+ "notes": "Tackle recommended items in order of business value; backend-only repos can skip web-focused checks like accessibility.",
3200
4456
  "step": 4,
3201
4457
  "title": "Layer in Docs, Governance, and Recommended Checks"
4458
+ },
4459
+ {
4460
+ "description": "For repos using or building with generative AI, add drift detection, schema enforcement, golden contract tests, safety testing, and provenance tracking.",
4461
+ "focusIds": [
4462
+ "ai-drift-detection",
4463
+ "ai-schema-enforcement",
4464
+ "ai-golden-tests",
4465
+ "ai-safety-checks",
4466
+ "ai-provenance-tracking"
4467
+ ],
4468
+ "notes": "Skip this step if your repo has no AI/ML components. For AI-heavy repos: add nightly drift detection to catch model changes, enforce strict schemas at AI output boundaries, and log provenance for debugging 'why did AI do X?'",
4469
+ "step": 5,
4470
+ "title": "AI/ML Governance (If Applicable)"
3202
4471
  }
3203
4472
  ],
3204
4473
  "qualityGatePolicy": {