@oddessentials/repo-standards 4.4.0 → 5.1.0

@@ -1,6 +1,244 @@
1
1
  {
2
2
  "checklist": {
3
3
  "core": [
4
+ {
5
+ "appliesTo": {
6
+ "stacks": [
7
+ "typescript-js",
8
+ "csharp-dotnet",
9
+ "python",
10
+ "rust",
11
+ "go"
12
+ ]
13
+ },
14
+ "ciHints": {
15
+ "azure-devops": {
16
+ "notes": "Run CRLF detection early in pipeline before other checks.",
17
+ "stage": "quality"
18
+ },
19
+ "github-actions": {
20
+ "job": "ci",
21
+ "notes": "Add .gitattributes check as first step in CI job."
22
+ }
23
+ },
24
+ "description": "Enforce line endings at the Git layer using .gitattributes. Mark text files with appropriate EOL handling (eol=lf for shell scripts, eol=auto for most files) and binary files as binary to prevent corruption. This prevents 'works locally, fails in CI' issues caused by CRLF/LF mismatches.",
25
+ "enforcement": "required",
26
+ "executionStage": "pre-commit",
27
+ "id": "gitattributes-eol",
28
+ "label": "Git Attributes (Line Endings)",
29
+ "severity": "error",
30
+ "stackHints": {
31
+ "csharp-dotnet": {
32
+ "exampleConfigFiles": [
33
+ ".gitattributes",
34
+ ".editorconfig"
35
+ ],
36
+ "exampleTools": [
37
+ "git"
38
+ ],
39
+ "machineCheck": {
40
+ "command": "git ls-files --eol | grep -E 'w/crlf.*\\.sh$' && exit 1 || exit 0",
41
+ "description": "Verify no CRLF in shell scripts",
42
+ "expectExitCode": 0
43
+ },
44
+ "notes": "Use .gitattributes for EOL authority. Mark *.sh, *.ps1 scripts appropriately. .editorconfig drives editor behavior but .gitattributes is the source of truth for Git operations.",
45
+ "optionalFiles": [
46
+ ".editorconfig"
47
+ ],
48
+ "requiredFiles": [
49
+ ".gitattributes"
50
+ ],
51
+ "verification": "Run 'git ls-files --eol' to check EOL consistency."
52
+ },
53
+ "go": {
54
+ "exampleConfigFiles": [
55
+ ".gitattributes",
56
+ ".editorconfig"
57
+ ],
58
+ "exampleTools": [
59
+ "git"
60
+ ],
61
+ "machineCheck": {
62
+ "command": "git ls-files --eol | grep -E 'w/crlf.*\\.sh$' && exit 1 || exit 0",
63
+ "description": "Verify no CRLF in shell scripts",
64
+ "expectExitCode": 0
65
+ },
66
+ "notes": "Go files should use LF for consistency. Mark *.go as text. Shell scripts (*.sh) must use eol=lf. Binary artifacts should be marked as binary.",
67
+ "optionalFiles": [
68
+ ".editorconfig"
69
+ ],
70
+ "requiredFiles": [
71
+ ".gitattributes"
72
+ ],
73
+ "verification": "Run 'git ls-files --eol' to verify EOL handling."
74
+ },
75
+ "python": {
76
+ "exampleConfigFiles": [
77
+ ".gitattributes",
78
+ ".editorconfig"
79
+ ],
80
+ "exampleTools": [
81
+ "git"
82
+ ],
83
+ "machineCheck": {
84
+ "command": "git ls-files --eol | grep -E 'w/crlf.*\\.py$' && exit 1 || exit 0",
85
+ "description": "Verify no CRLF in Python files",
86
+ "expectExitCode": 0
87
+ },
88
+ "notes": "Python files should use LF endings for cross-platform compatibility. Mark *.py as eol=lf in .gitattributes. Shebang scripts fail with CRLF.",
89
+ "optionalFiles": [
90
+ ".editorconfig"
91
+ ],
92
+ "requiredFiles": [
93
+ ".gitattributes"
94
+ ],
95
+ "verification": "Run 'git ls-files --eol' and verify Python files use LF."
96
+ },
97
+ "rust": {
98
+ "exampleConfigFiles": [
99
+ ".gitattributes",
100
+ ".editorconfig"
101
+ ],
102
+ "exampleTools": [
103
+ "git"
104
+ ],
105
+ "machineCheck": {
106
+ "command": "git ls-files --eol | grep -E 'w/crlf.*\\.sh$' && exit 1 || exit 0",
107
+ "description": "Verify no CRLF in shell scripts",
108
+ "expectExitCode": 0
109
+ },
110
+ "notes": "Mark *.rs, *.toml as text with auto EOL handling. Mark shell scripts as eol=lf. Binary files (*.exe, *.dll) should be marked as binary.",
111
+ "optionalFiles": [
112
+ ".editorconfig"
113
+ ],
114
+ "requiredFiles": [
115
+ ".gitattributes"
116
+ ],
117
+ "verification": "Run 'git ls-files --eol' to verify EOL consistency."
118
+ },
119
+ "typescript-js": {
120
+ "exampleConfigFiles": [
121
+ ".gitattributes",
122
+ ".editorconfig"
123
+ ],
124
+ "exampleTools": [
125
+ "git"
126
+ ],
127
+ "machineCheck": {
128
+ "command": "git ls-files --eol | grep -E 'w/crlf.*\\.(sh|bash|py)$' && exit 1 || exit 0",
129
+ "description": "Verify no CRLF in shell/script files",
130
+ "expectExitCode": 0
131
+ },
132
+ "notes": "Use .gitattributes as the authority for EOL; .editorconfig is supplementary for editor display. Mark *.sh, *.bash as eol=lf. After adding .gitattributes, run 'git add --renormalize .' to fix existing files. Windows contributors should set core.autocrlf=false.",
133
+ "optionalFiles": [
134
+ ".editorconfig"
135
+ ],
136
+ "requiredFiles": [
137
+ ".gitattributes"
138
+ ],
139
+ "verification": "Run 'git ls-files --eol' and verify no unexpected CRLF in LF-only files."
140
+ }
141
+ }
142
+ },
143
+ {
144
+ "appliesTo": {
145
+ "stacks": [
146
+ "typescript-js",
147
+ "csharp-dotnet",
148
+ "python",
149
+ "rust",
150
+ "go"
151
+ ]
152
+ },
153
+ "ciHints": {
154
+ "azure-devops": {
155
+ "notes": "Run CRLF detection as the first quality check before linting or testing.",
156
+ "stage": "quality"
157
+ },
158
+ "github-actions": {
159
+ "job": "ci",
160
+ "notes": "Add CRLF detection step before main CI steps."
161
+ }
162
+ },
163
+ "description": "Fail CI early for Linux-executed files containing CRLF line endings. Shell scripts, Python files, and other interpreted files fail silently or with cryptic errors when they contain \\r characters. Detect this before running deeper CI steps.",
164
+ "enforcement": "required",
165
+ "executionStage": "ci-pr",
166
+ "id": "crlf-detection",
167
+ "label": "CRLF Detection in CI",
168
+ "severity": "error",
169
+ "stackHints": {
170
+ "csharp-dotnet": {
171
+ "exampleConfigFiles": [],
172
+ "exampleTools": [
173
+ "file",
174
+ "grep"
175
+ ],
176
+ "machineCheck": {
177
+ "command": "git ls-files --eol | grep -E 'w/crlf.*\\.sh$' && exit 1 || exit 0",
178
+ "description": "Detect CRLF in shell scripts",
179
+ "expectExitCode": 0
180
+ },
181
+ "notes": "Detect CRLF in shell scripts and CI configuration files. C# source files can tolerate CRLF but shell scripts cannot.",
182
+ "verification": "Run CRLF detection on .sh files in CI."
183
+ },
184
+ "go": {
185
+ "exampleConfigFiles": [],
186
+ "exampleTools": [
187
+ "file",
188
+ "grep"
189
+ ],
190
+ "machineCheck": {
191
+ "command": "git ls-files --eol | grep -E 'w/crlf.*\\.(sh|bash)$' && exit 1 || exit 0",
192
+ "description": "Detect CRLF in shell scripts",
193
+ "expectExitCode": 0
194
+ },
195
+ "notes": "Go source files tolerate CRLF but shell scripts and Makefiles do not. Check .sh, Makefile, and go.mod for CRLF.",
196
+ "verification": "Run CRLF detection on shell scripts and Makefiles."
197
+ },
198
+ "python": {
199
+ "exampleConfigFiles": [],
200
+ "exampleTools": [
201
+ "file",
202
+ "grep"
203
+ ],
204
+ "machineCheck": {
205
+ "command": "git ls-files --eol | grep -E 'w/crlf.*\\.(py|sh)$' && exit 1 || exit 0",
206
+ "description": "Detect CRLF in Python/shell files",
207
+ "expectExitCode": 0
208
+ },
209
+ "notes": "Python shebang scripts fail with CRLF. Check all .py and .sh files for CRLF before running pytest or other Python tools.",
210
+ "verification": "Run CRLF detection on Python and shell files."
211
+ },
212
+ "rust": {
213
+ "exampleConfigFiles": [],
214
+ "exampleTools": [
215
+ "file",
216
+ "grep"
217
+ ],
218
+ "machineCheck": {
219
+ "command": "git ls-files --eol | grep -E 'w/crlf.*\\.(sh|bash)$' && exit 1 || exit 0",
220
+ "description": "Detect CRLF in shell scripts",
221
+ "expectExitCode": 0
222
+ },
223
+ "notes": "Rust build scripts (build.rs) and shell scripts must not have CRLF. Cargo tolerates CRLF in .rs files but shell invocations fail.",
224
+ "verification": "Run CRLF detection on shell and build scripts."
225
+ },
226
+ "typescript-js": {
227
+ "exampleConfigFiles": [],
228
+ "exampleTools": [
229
+ "file",
230
+ "grep"
231
+ ],
232
+ "machineCheck": {
233
+ "command": "git ls-files --eol | grep -E 'w/crlf.*\\.(sh|js|ts|mjs|cjs)$' && exit 1 || exit 0",
234
+ "description": "Detect CRLF in script files",
235
+ "expectExitCode": 0
236
+ },
237
+ "notes": "Check for CRLF in .sh, .js, .ts, .json files early in CI. Use 'file' command or grep for \\r to detect issues before they cause cryptic failures.",
238
+ "verification": "Run 'git ls-files --eol | grep w/crlf' and verify no unexpected CRLF files."
239
+ }
240
+ }
241
+ },
4
242
  {
5
243
  "appliesTo": {
6
244
  "stacks": [
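Review bot: Every `machineCheck.command` in `gitattributes-eol` and `crlf-detection` ends in `&& exit 1 || exit 0`, which maps any failure of the pipeline (git not on PATH, not inside a work tree, grep error) to exit 0, so a broken check passes the `expectExitCode: 0` gate rather than failing it. The patterns also match `w/crlf`, the working-tree column of `git ls-files --eol`, which depends on the runner's `core.autocrlf`/`eol` settings; what is actually committed is the index column, so on a Windows checkout with `autocrlf=true` this would presumably flag files whose index content is already LF, while the pre-commit stage of `gitattributes-eol` runs on exactly such machines. A form that fails closed on git errors and checks the committed side is `out=$(git ls-files --eol) || exit 2; ! printf '%s\n' "$out" | grep -qE '^i/crlf.*\.sh$'` (backslashes doubled inside the JSON string), keeping `expectExitCode: 0`. Separately, the `typescript-js` and `csharp-dotnet` notes of `crlf-detection` name .json and CI configuration files, but the corresponding commands only match `(sh|js|ts|mjs|cjs)` and `.sh`; either the notes or the regexes should be aligned.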
@@ -21,6 +259,7 @@
21
259
  },
22
260
  "description": "Maintain proper .gitignore and .dockerignore files to prevent committing secrets, build artifacts, or unnecessary files.",
23
261
  "enforcement": "required",
262
+ "executionStage": "pre-commit",
24
263
  "id": "gitignore-and-dockerignore",
25
264
  "label": "Git and Docker Ignore Files",
26
265
  "severity": "error",
@@ -117,8 +356,10 @@
117
356
  },
118
357
  "description": "Run static code linting to enforce consistency and catch common issues early.",
119
358
  "enforcement": "required",
359
+ "executionStage": "pre-commit",
120
360
  "id": "linting",
121
361
  "label": "Linting",
362
+ "scopeToChangedFiles": true,
122
363
  "severity": "error",
123
364
  "stackHints": {
124
365
  "csharp-dotnet": {
@@ -284,6 +525,7 @@
284
525
  },
285
526
  "description": "Provide a deterministic unit test framework with a single command to run all tests.",
286
527
  "enforcement": "required",
528
+ "executionStage": "pre-push",
287
529
  "id": "unit-test-runner",
288
530
  "label": "Unit Test Runner",
289
531
  "severity": "error",
@@ -420,6 +662,7 @@
420
662
  },
421
663
  "description": "Provide a Dockerfile and, if applicable, a docker-compose file for local dev and CI parity.",
422
664
  "enforcement": "required",
665
+ "executionStage": "ci-pr",
423
666
  "id": "containerization",
424
667
  "label": "Containerization (Docker / Docker Compose)",
425
668
  "severity": "error",
@@ -521,6 +764,7 @@
521
764
  },
522
765
  "description": "Use MAJOR.MINOR.PATCH versioning with clear rules and automated changelog generation based on commit history. Maintain a single canonical version source (for example, package.json or VERSION) that all release artifacts use.",
523
766
  "enforcement": "required",
767
+ "executionStage": "release",
524
768
  "id": "semantic-versioning",
525
769
  "label": "Semantic Versioning",
526
770
  "severity": "error",
@@ -637,6 +881,126 @@
637
881
  }
638
882
  }
639
883
  },
884
+ {
885
+ "appliesTo": {
886
+ "stacks": [
887
+ "typescript-js",
888
+ "csharp-dotnet",
889
+ "python",
890
+ "rust",
891
+ "go"
892
+ ]
893
+ },
894
+ "ciHints": {
895
+ "azure-devops": {
896
+ "notes": "Run the version guard in PR validation jobs before merge.",
897
+ "stage": "quality"
898
+ },
899
+ "github-actions": {
900
+ "job": "ci",
901
+ "notes": "Run the version guard in PR workflows against the base ref."
902
+ }
903
+ },
904
+ "description": "If semantic-release or automated versioning is enabled, block manual edits to canonical version fields in pull requests. Enforce a CI guard (and optional pre-push hook) that fails when version lines change outside the release workflow.",
905
+ "enforcement": "required",
906
+ "executionStage": "ci-pr",
907
+ "id": "version-guard",
908
+ "label": "Version Guard (Automated Releases)",
909
+ "severity": "error",
910
+ "stackHints": {
911
+ "csharp-dotnet": {
912
+ "exampleConfigFiles": [
913
+ "scripts/check-version-unchanged.sh",
914
+ ".github/workflows/ci.yml",
915
+ "azure-pipelines.yml"
916
+ ],
917
+ "exampleTools": [
918
+ "GitVersion",
919
+ "git"
920
+ ],
921
+ "notes": "When GitVersion or similar tooling computes versions, block manual edits to Directory.Build.props or *.csproj version fields via the version guard. Allow changes only in release automation.",
922
+ "optionalFiles": [
923
+ "Directory.Build.props",
924
+ "*.csproj",
925
+ "VERSION"
926
+ ],
927
+ "verification": "Run the guard and confirm it fails when <Version> or <VersionPrefix> changes in props/csproj files."
928
+ },
929
+ "go": {
930
+ "exampleConfigFiles": [
931
+ "scripts/check-version-unchanged.sh",
932
+ ".github/workflows/ci.yml",
933
+ "azure-pipelines.yml"
934
+ ],
935
+ "exampleTools": [
936
+ "goreleaser",
937
+ "git"
938
+ ],
939
+ "notes": "Go versioning is tag-driven; only enable the guard if you keep a VERSION file or embed version constants in code. The guard should ensure those fields are not edited manually in PRs.",
940
+ "optionalFiles": [
941
+ "VERSION"
942
+ ],
943
+ "verification": "Run the guard and confirm it fails when VERSION or version constants change outside release automation."
944
+ },
945
+ "python": {
946
+ "exampleConfigFiles": [
947
+ "scripts/check-version-unchanged.sh",
948
+ ".github/workflows/ci.yml",
949
+ "azure-pipelines.yml"
950
+ ],
951
+ "exampleTools": [
952
+ "semantic-release",
953
+ "git"
954
+ ],
955
+ "notes": "Block manual edits to version fields in pyproject.toml or setup.cfg when automated release tooling computes versions from commit history.",
956
+ "optionalFiles": [
957
+ "setup.cfg",
958
+ "setup.py",
959
+ "VERSION"
960
+ ],
961
+ "requiredFiles": [
962
+ "pyproject.toml"
963
+ ],
964
+ "verification": "Run the guard and confirm it fails when version lines change in pyproject.toml or setup.cfg."
965
+ },
966
+ "rust": {
967
+ "exampleConfigFiles": [
968
+ "scripts/check-version-unchanged.sh",
969
+ ".github/workflows/ci.yml",
970
+ "azure-pipelines.yml"
971
+ ],
972
+ "exampleTools": [
973
+ "cargo-release",
974
+ "semantic-release",
975
+ "git"
976
+ ],
977
+ "notes": "When using cargo-release or semantic-release-cargo, guard against manual edits to Cargo.toml version fields in PRs.",
978
+ "requiredFiles": [
979
+ "Cargo.toml"
980
+ ],
981
+ "verification": "Run the guard and confirm it fails when Cargo.toml version changes."
982
+ },
983
+ "typescript-js": {
984
+ "exampleConfigFiles": [
985
+ "scripts/check-version-unchanged.sh",
986
+ ".github/workflows/ci.yml",
987
+ "azure-pipelines.yml"
988
+ ],
989
+ "exampleTools": [
990
+ "semantic-release",
991
+ "git"
992
+ ],
993
+ "notes": "Add a CI step that runs scripts/check-version-unchanged.sh against the PR base ref. This blocks manual edits to package.json version when semantic-release owns versioning. Optionally wire the same script into a pre-push hook for fast feedback.",
994
+ "optionalFiles": [
995
+ "VERSION"
996
+ ],
997
+ "requiredFiles": [
998
+ "package.json"
999
+ ],
1000
+ "verification": "Run the guard with the PR base ref (for example, origin/main) and confirm it fails when package.json version changes."
1001
+ }
1002
+ }
1003
+ },
640
1004
  {
641
1005
  "appliesTo": {
642
1006
  "stacks": [
@@ -657,6 +1021,7 @@
657
1021
  },
658
1022
  "description": "Use a single CI release pipeline that publishes all artifacts (GitHub releases, packages, containers) from the same canonical version source.",
659
1023
  "enforcement": "required",
1024
+ "executionStage": "release",
660
1025
  "id": "unified-release-workflow",
661
1026
  "label": "Unified Release Workflow",
662
1027
  "severity": "error",
@@ -775,35 +1140,124 @@
775
1140
  },
776
1141
  "ciHints": {
777
1142
  "azure-devops": {
778
- "stage": "quality"
1143
+ "notes": "Set HUSKY=0 or equivalent in release pipeline to disable hooks.",
1144
+ "stage": "release"
779
1145
  },
780
1146
  "github-actions": {
781
- "job": "ci"
1147
+ "job": "release",
1148
+ "notes": "Set HUSKY=0 or equivalent in release job to disable hooks."
782
1149
  }
783
1150
  },
784
- "description": "Enforce structured commit messages such as Conventional Commits via commit-msg hooks and CI. This is required for deterministic versioning and changelog generation.",
1151
+ "description": "Release automation must bypass local developer hooks (HUSKY=0, --no-verify) and rely solely on CI gates for validation. This ensures idempotent, reproducible releases that don't fail due to hook environment differences.",
785
1152
  "enforcement": "required",
786
- "id": "commit-linting",
787
- "label": "Commit Linting",
1153
+ "executionStage": "release",
1154
+ "id": "release-hook-bypass",
1155
+ "label": "Release Hook Bypass",
788
1156
  "severity": "error",
789
1157
  "stackHints": {
790
1158
  "csharp-dotnet": {
791
- "anyOfFiles": [
792
- "commitlint.config.js",
793
- "commitlint.config.cjs",
794
- "commitlint.config.mjs",
795
- "commitlint.config.json",
796
- ".cz.toml"
797
- ],
798
1159
  "exampleConfigFiles": [
799
- "commitlint.config.*",
800
- ".cz.toml"
1160
+ "azure-pipelines.yml",
1161
+ ".github/workflows/release.yml"
801
1162
  ],
802
1163
  "exampleTools": [
803
- "commitlint",
804
- "commitizen"
1164
+ "GitVersion"
805
1165
  ],
806
- "notes": "Document your Conventional Commit convention and enforce it via commit-msg hooks and CI so release tooling can compute versions deterministically.",
1166
+ "notes": "Release pipelines should skip local hooks. If using Lefthook, set LEFTHOOK=0. Rely on CI gates for all validation.",
1167
+ "verification": "Check release pipeline for hook bypass configuration."
1168
+ },
1169
+ "go": {
1170
+ "exampleConfigFiles": [
1171
+ ".goreleaser.yml",
1172
+ ".github/workflows/release.yml"
1173
+ ],
1174
+ "exampleTools": [
1175
+ "goreleaser"
1176
+ ],
1177
+ "notes": "Goreleaser handles releases without invoking local hooks. Ensure any git operations use --no-verify.",
1178
+ "verification": "Check release workflow for hook bypass configuration."
1179
+ },
1180
+ "python": {
1181
+ "exampleConfigFiles": [
1182
+ ".github/workflows/release.yml"
1183
+ ],
1184
+ "exampleTools": [
1185
+ "semantic-release",
1186
+ "bumpversion"
1187
+ ],
1188
+ "notes": "Set PRE_COMMIT_ALLOW_NO_CONFIG=1 or SKIP=all to bypass pre-commit hooks in release automation. CI gates already validated.",
1189
+ "verification": "Check release workflow for pre-commit bypass."
1190
+ },
1191
+ "rust": {
1192
+ "exampleConfigFiles": [
1193
+ ".github/workflows/release.yml"
1194
+ ],
1195
+ "exampleTools": [
1196
+ "cargo-release"
1197
+ ],
1198
+ "notes": "Use --no-verify with git commands in release scripts. If using pre-commit, set SKIP=all.",
1199
+ "verification": "Check release workflow for hook bypass."
1200
+ },
1201
+ "typescript-js": {
1202
+ "exampleConfigFiles": [
1203
+ ".github/workflows/release.yml"
1204
+ ],
1205
+ "exampleTools": [
1206
+ "semantic-release",
1207
+ "husky"
1208
+ ],
1209
+ "machineCheck": {
1210
+ "command": "grep -r 'HUSKY=0\\|--no-verify' .github/workflows/ || echo 'WARNING: No hook bypass in release workflow'",
1211
+ "description": "Verify release workflows disable hooks",
1212
+ "expectExitCode": 0
1213
+ },
1214
+ "notes": "In release workflows, set HUSKY=0 environment variable to disable husky hooks. Release commits from semantic-release should bypass commitlint since they're generated. CI gates already validated the code.",
1215
+ "verification": "Check release workflow for HUSKY=0 or --no-verify flags."
1216
+ }
1217
+ }
1218
+ },
1219
+ {
1220
+ "appliesTo": {
1221
+ "stacks": [
1222
+ "typescript-js",
1223
+ "csharp-dotnet",
1224
+ "python",
1225
+ "rust",
1226
+ "go"
1227
+ ]
1228
+ },
1229
+ "ciHints": {
1230
+ "azure-devops": {
1231
+ "stage": "quality"
1232
+ },
1233
+ "github-actions": {
1234
+ "job": "ci"
1235
+ }
1236
+ },
1237
+ "description": "Enforce structured commit messages such as Conventional Commits via commit-msg hooks and CI. This is required for deterministic versioning and changelog generation.",
1238
+ "enforcement": "required",
1239
+ "executionStage": "pre-commit",
1240
+ "id": "commit-linting",
1241
+ "label": "Commit Linting",
1242
+ "severity": "error",
1243
+ "stackHints": {
1244
+ "csharp-dotnet": {
1245
+ "anyOfFiles": [
1246
+ "commitlint.config.js",
1247
+ "commitlint.config.cjs",
1248
+ "commitlint.config.mjs",
1249
+ "commitlint.config.json",
1250
+ ".cz.toml"
1251
+ ],
1252
+ "exampleConfigFiles": [
1253
+ "commitlint.config.*",
1254
+ ".cz.toml"
1255
+ ],
1256
+ "exampleTools": [
1257
+ "commitlint",
1258
+ "commitizen"
1259
+ ],
1260
+ "notes": "Document your Conventional Commit convention and enforce it via commit-msg hooks and CI so release tooling can compute versions deterministically.",
807
1261
  "requiredScripts": [
808
1262
  "commitlint"
809
1263
  ],
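Review bot: The `typescript-js` `machineCheck` for `release-hook-bypass`, `grep -r 'HUSKY=0\|--no-verify' .github/workflows/ || echo 'WARNING: ...'`, can never fail: when grep finds nothing (or `.github/workflows/` is absent) the `echo` succeeds and the command exits 0, which is the expected code, so the check is a no-op and the rule is effectively unenforced. The `\|` alternation is also GNU-BRE-only and silently matches nothing on BSD grep. A check that actually gates would be `grep -rqE 'HUSKY=0|--no-verify' .github/workflows/` with `expectExitCode: 0` unchanged, and the `description` string should name the warning text as an expectation only if the runner inspects output, which the schema here does not show. Since bypassing hooks also skips the pre-commit secret scan this same release adds, and its `ciHints` state that a CI scan is the safety net for commits that bypassed hooks, the `description` here could say explicitly that the bypass is acceptable only where those CI gates (secret scanning, linting, tests) are present, e.g. `"... rely solely on CI gates (secret scanning, lint, test) for validation ..."`.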
@@ -916,6 +1370,7 @@
916
1370
  },
917
1371
  "description": "Generate readable unit test and coverage reports and enforce a minimum coverage threshold (around 80%) for new or changed code.",
918
1372
  "enforcement": "required",
1373
+ "executionStage": "ci-pr",
919
1374
  "id": "unit-test-reporter",
920
1375
  "label": "Unit Test Reporter / Coverage",
921
1376
  "severity": "error",
@@ -1030,6 +1485,7 @@
1030
1485
  },
1031
1486
  "description": "Single CI pipeline that runs linting, formatting, type checking, tests, coverage, build, and containerization.",
1032
1487
  "enforcement": "required",
1488
+ "executionStage": "ci-pr",
1033
1489
  "id": "ci-quality-gates",
1034
1490
  "label": "CI Quality Gates",
1035
1491
  "severity": "error",
@@ -1136,8 +1592,10 @@
1136
1592
  },
1137
1593
  "description": "Automatic code formatting to maintain a consistent style across all contributors.",
1138
1594
  "enforcement": "required",
1595
+ "executionStage": "pre-commit",
1139
1596
  "id": "code-formatter",
1140
1597
  "label": "Code Formatter",
1598
+ "scopeToChangedFiles": true,
1141
1599
  "severity": "error",
1142
1600
  "stackHints": {
1143
1601
  "csharp-dotnet": {
@@ -1236,27 +1694,33 @@
1236
1694
  },
1237
1695
  "ciHints": {
1238
1696
  "azure-devops": {
1697
+ "notes": "Hooks and CI must invoke identical verification commands. Use npm run verify or equivalent.",
1239
1698
  "stage": "quality"
1240
1699
  },
1241
1700
  "github-actions": {
1242
- "job": "ci"
1701
+ "job": "ci",
1702
+ "notes": "Hooks and CI must invoke identical verification commands. Use npm run verify or equivalent."
1243
1703
  }
1244
1704
  },
1245
- "description": "Use git hooks to run linting, formatting, tests, and commit linting before changes are committed.",
1705
+ "description": "Use git hooks to run linting, formatting, and commit linting before changes are committed. Hooks should CHECK by default (not auto-fix), be fast, and scope to changed files only. Use a single entry hook mechanism (e.g., Husky as entry point calling pre-commit or lint-staged).",
1246
1706
  "enforcement": "required",
1707
+ "executionStage": "pre-commit",
1247
1708
  "id": "pre-commit-hooks",
1248
1709
  "label": "Pre-Commit Hooks",
1710
+ "scopeToChangedFiles": true,
1249
1711
  "severity": "error",
1250
1712
  "stackHints": {
1251
1713
  "csharp-dotnet": {
1252
1714
  "exampleConfigFiles": [
1253
- "lefthook.yml"
1715
+ "lefthook.yml",
1716
+ ".husky/"
1254
1717
  ],
1255
1718
  "exampleTools": [
1256
- "Lefthook"
1719
+ "Lefthook",
1720
+ "husky.net"
1257
1721
  ],
1258
- "notes": "Configure Lefthook or similar to run formatting and basic checks on staged files before commits.",
1259
- "verification": "Inspect the hook configuration (for example, Lefthook or similar) and confirm it runs at least formatting and basic checks on staged changes before commits or pushes."
1722
+ "notes": "Configure Lefthook or husky.net to run formatting checks (not auto-fix) on staged files. Hooks should be deterministic and environment-pinned via global.json SDK version.",
1723
+ "verification": "Inspect hook configuration and confirm checks run in verify mode, not auto-fix mode."
1260
1724
  },
1261
1725
  "go": {
1262
1726
  "exampleConfigFiles": [
@@ -1267,8 +1731,8 @@
1267
1731
  "pre-commit",
1268
1732
  "lefthook"
1269
1733
  ],
1270
- "notes": "Use pre-commit with go hooks for gofmt, goimports, and golangci-lint on staged files.",
1271
- "verification": "Inspect hooks configuration and confirm that go fmt and golangci-lint run before commits."
1734
+ "notes": "Use pre-commit or lefthook with go hooks for 'gofmt -d' (check mode) and golangci-lint. Pin Go version in go.mod and .go-version for determinism.",
1735
+ "verification": "Confirm hooks run format checks (not auto-fix) and golangci-lint before commits."
1272
1736
  },
1273
1737
  "python": {
1274
1738
  "exampleConfigFiles": [
@@ -1277,8 +1741,8 @@
1277
1741
  "exampleTools": [
1278
1742
  "pre-commit"
1279
1743
  ],
1280
- "notes": "Use pre-commit to run ruff, black, and optionally mypy on staged files before committing.",
1281
- "verification": "Inspect .pre-commit-config.yaml and confirm that hooks for linting, formatting, and optionally type checking are enabled and run on changed files before commits."
1744
+ "notes": "Use pre-commit framework as both entry and executor. Pin hook versions in .pre-commit-config.yaml for determinism. Hooks should run checks (ruff check, black --check) not auto-fix. Run pre-commit install to set up hooks.",
1745
+ "verification": "Inspect .pre-commit-config.yaml and confirm hooks use check/verify flags, not auto-fix."
1282
1746
  },
1283
1747
  "rust": {
1284
1748
  "exampleConfigFiles": [
@@ -1288,20 +1752,202 @@
1288
1752
  "pre-commit",
1289
1753
  "cargo-husky"
1290
1754
  ],
1291
- "notes": "Use pre-commit with rust hooks for cargo fmt and cargo clippy on staged files. cargo-husky is an alternative.",
1292
- "verification": "Inspect .pre-commit-config.yaml and confirm that hooks run cargo fmt --check and cargo clippy before commits."
1755
+ "notes": "Use pre-commit with rust hooks for 'cargo fmt --check' and 'cargo clippy' on staged files. Pin rust-toolchain.toml for determinism across environments.",
1756
+ "verification": "Confirm hooks run cargo fmt --check (not cargo fmt) and cargo clippy before commits."
1293
1757
  },
1294
1758
  "typescript-js": {
1295
1759
  "exampleConfigFiles": [
1296
1760
  ".husky/",
1297
- "package.json"
1761
+ "package.json",
1762
+ "lint-staged.config.js"
1298
1763
  ],
1299
1764
  "exampleTools": [
1300
1765
  "husky",
1301
1766
  "lint-staged"
1302
1767
  ],
1303
- "notes": "Run ESLint and Prettier on staged files and enforce commit message format via commit-msg hooks.",
1304
- "verification": "Inspect the pre-commit and commit-msg hooks (for example, files under .husky or other hook tooling) and confirm they run linting/formatting and commit linting on staged changes."
1768
+ "notes": "Use Husky as the entry hook mechanism calling lint-staged. Hooks should CHECK (--check flags) not auto-fix to keep developers aware of issues. Scope to staged files only for speed. Invoke hooks through the repo toolchain (npx) not global installs to ensure environment pinning. Never let hook enforcement drift from CI.",
1769
+ "verification": "Run 'npm run verify' (or equivalent) and confirm the same checks run in both hooks and CI."
1770
+ }
1771
+ }
1772
+ },
1773
+ {
1774
+ "appliesTo": {
1775
+ "stacks": [
1776
+ "typescript-js",
1777
+ "csharp-dotnet",
1778
+ "python",
1779
+ "rust",
1780
+ "go"
1781
+ ]
1782
+ },
1783
+ "ciHints": {
1784
+ "azure-devops": {
1785
+ "notes": "CI should call the same verify script that hooks use locally.",
1786
+ "stage": "quality"
1787
+ },
1788
+ "github-actions": {
1789
+ "job": "ci",
1790
+ "notes": "CI should call the same verify script that hooks use locally."
1791
+ }
1792
+ },
1793
+ "description": "Local hooks and CI must invoke identical verification commands to prevent 'works locally, fails in CI' issues. Use a single canonical verify entrypoint (e.g., npm run verify) that both hooks and CI call.",
1794
+ "enforcement": "required",
1795
+ "executionStage": "pre-commit",
1796
+ "id": "hook-ci-parity",
1797
+ "label": "Hook/CI Parity",
1798
+ "severity": "error",
1799
+ "stackHints": {
1800
+ "csharp-dotnet": {
1801
+ "exampleConfigFiles": [
1802
+ "Makefile",
1803
+ "Directory.Build.props"
1804
+ ],
1805
+ "exampleTools": [
1806
+ "dotnet CLI",
1807
+ "make"
1808
+ ],
1809
+ "notes": "Define a verify target (make verify or dotnet cake verify) that both hooks and CI invoke. Keep verification logic in one place.",
1810
+ "verification": "Compare hook commands with CI commands and confirm they invoke the same targets."
1811
+ },
1812
+ "go": {
1813
+ "exampleConfigFiles": [
1814
+ "Makefile",
1815
+ "magefile.go"
1816
+ ],
1817
+ "exampleTools": [
1818
+ "make",
1819
+ "mage"
1820
+ ],
1821
+ "notes": "Define a verify target (make verify) that runs go vet, golangci-lint, and go test. Both hooks and CI should use this target.",
1822
+ "verification": "Compare hook commands with CI commands and confirm they invoke the same make targets."
1823
+ },
1824
+ "python": {
1825
+ "exampleConfigFiles": [
1826
+ "Makefile",
1827
+ "tox.ini",
1828
+ "noxfile.py"
1829
+ ],
1830
+ "exampleTools": [
1831
+ "make",
1832
+ "tox",
1833
+ "nox"
1834
+ ],
1835
+ "notes": "Define a verify target (make verify, tox -e lint, or nox -s lint) that both pre-commit and CI invoke. Pin tool versions in pyproject.toml.",
1836
+ "verification": "Compare hook commands with CI commands and confirm they invoke the same targets."
1837
+ },
1838
+ "rust": {
1839
+ "exampleConfigFiles": [
1840
+ "Makefile",
1841
+ "Cargo.toml"
1842
+ ],
1843
+ "exampleTools": [
1844
+ "cargo",
1845
+ "make"
1846
+ ],
1847
+ "notes": "Define a verify target (make verify or cargo make verify) that runs fmt --check, clippy, and test. Both hooks and CI should use this target.",
1848
+ "verification": "Compare hook commands with CI commands and confirm they invoke the same cargo commands."
1849
+ },
1850
+ "typescript-js": {
1851
+ "exampleConfigFiles": [
1852
+ "package.json"
1853
+ ],
1854
+ "exampleTools": [
1855
+ "npm scripts"
1856
+ ],
1857
+ "notes": "Define a 'verify' script in package.json that runs all checks (lint, format:check, typecheck). Both .husky/pre-commit and CI should call 'npm run verify'. Never add checks to CI that don't run locally.",
1858
+ "requiredScripts": [
1859
+ "verify"
1860
+ ],
1861
+ "verification": "Compare hook commands with CI commands and confirm they invoke the same scripts."
1862
+ }
1863
+ }
1864
+ },
1865
+ {
1866
+ "appliesTo": {
1867
+ "stacks": [
1868
+ "typescript-js",
1869
+ "csharp-dotnet",
1870
+ "python",
1871
+ "rust",
1872
+ "go"
1873
+ ]
1874
+ },
1875
+ "ciHints": {
1876
+ "azure-devops": {
1877
+ "notes": "Also run secret scanning in CI as a safety net for commits that bypassed hooks.",
1878
+ "stage": "quality"
1879
+ },
1880
+ "github-actions": {
1881
+ "job": "ci",
1882
+ "notes": "Enable GitHub secret scanning and also run gitleaks in CI."
1883
+ }
1884
+ },
1885
+ "description": "Scan staged diffs for credentials, API keys, and secrets before they reach the remote repository. Catch secrets at commit time rather than after they're pushed.",
1886
+ "enforcement": "required",
1887
+ "executionStage": "pre-commit",
1888
+ "id": "secret-scanning-precommit",
1889
+ "label": "Pre-commit Secret Scanning",
1890
+ "scopeToChangedFiles": true,
1891
+ "severity": "error",
1892
+ "stackHints": {
1893
+ "csharp-dotnet": {
1894
+ "exampleConfigFiles": [
1895
+ ".gitleaks.toml"
1896
+ ],
1897
+ "exampleTools": [
1898
+ "gitleaks",
1899
+ "detect-secrets"
1900
+ ],
1901
+ "notes": "Add gitleaks to pre-commit hooks via Lefthook. Scan staged changes before commits.",
1902
+ "verification": "Run 'gitleaks protect --staged' and verify it catches test secrets."
1903
+ },
1904
+ "go": {
1905
+ "exampleConfigFiles": [
1906
+ ".gitleaks.toml",
1907
+ ".pre-commit-config.yaml"
1908
+ ],
1909
+ "exampleTools": [
1910
+ "gitleaks",
1911
+ "trufflehog"
1912
+ ],
1913
+ "notes": "Add gitleaks to pre-commit hooks. Scan staged changes only for speed.",
1914
+ "verification": "Run 'gitleaks protect --staged' and verify it catches test secrets."
1915
+ },
1916
+ "python": {
1917
+ "exampleConfigFiles": [
1918
+ ".pre-commit-config.yaml",
1919
+ ".secrets.baseline"
1920
+ ],
1921
+ "exampleTools": [
1922
+ "detect-secrets",
1923
+ "gitleaks"
1924
+ ],
1925
+ "notes": "Add detect-secrets or gitleaks to .pre-commit-config.yaml. Use detect-secrets audit to manage baselines.",
1926
+ "verification": "Run 'detect-secrets scan' or 'gitleaks protect' and verify scanning works."
1927
+ },
1928
+ "rust": {
1929
+ "exampleConfigFiles": [
1930
+ ".gitleaks.toml",
1931
+ ".pre-commit-config.yaml"
1932
+ ],
1933
+ "exampleTools": [
1934
+ "gitleaks"
1935
+ ],
1936
+ "notes": "Add gitleaks to pre-commit hooks. Configure Rust-specific patterns if needed.",
1937
+ "verification": "Run 'gitleaks protect --staged' and verify it catches test secrets."
1938
+ },
1939
+ "typescript-js": {
1940
+ "exampleConfigFiles": [
1941
+ ".gitleaks.toml",
1942
+ ".secrets.baseline"
1943
+ ],
1944
+ "exampleTools": [
1945
+ "gitleaks",
1946
+ "detect-secrets",
1947
+ "trufflehog"
1948
+ ],
1949
+ "notes": "Add gitleaks or detect-secrets to pre-commit hooks. Scan only staged changes for speed. Configure allowlists for false positives in .gitleaks.toml.",
1950
+ "verification": "Run 'gitleaks protect --staged' and verify it catches test secrets."
1305
1951
  }
1306
1952
  }
1307
1953
  },
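Review bot: The new `pre-commit-hooks` description requires hooks to "scope to changed files only" and sets `scopeToChangedFiles: true`, while the new `hook-ci-parity` rule requires hooks and CI to "invoke identical verification commands" via a single `npm run verify`; a lint-staged hook runs the tools on the staged file list and CI runs them on the whole tree, so the two rules can only both be satisfied if the verify entrypoint accepts an optional file list, which neither description states. Suggested addition to the `hook-ci-parity` description: `"The verify entrypoint should accept an optional file list so hooks can pass staged files while CI runs it over the full tree; the tool invocations and flags must otherwise be identical."` Similarly, `secret-scanning-precommit` is the only new rule in this hunk without a `machineCheck`; its `verification` relies on a manual "test secrets" run, so a check such as confirming the scanner is listed in the hook configuration (for example in `.pre-commit-config.yaml` or `lefthook.yml`) would make it gateable like the sibling rules. The `gitleaks protect --staged` invocation named in several `verification` strings may be version-dependent; confirm it against the gitleaks release the package expects.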
@@ -1325,6 +1971,7 @@
1325
1971
  },
1326
1972
  "description": "Use static type checking to catch errors before runtime and enforce strictness on new code. For JS/TS stacks, require a TypeScript-first policy with strict mode and a CI typecheck step; allow JSDoc/checkJs migration for legacy JS.",
1327
1973
  "enforcement": "required",
1974
+ "executionStage": "pre-push",
1328
1975
  "id": "type-checking",
1329
1976
  "label": "Type Checking",
1330
1977
  "severity": "error",
@@ -1463,6 +2110,7 @@
1463
2110
  },
1464
2111
  "description": "Lock dependencies and scan regularly for known vulnerabilities; fail CI on newly introduced high-severity issues.",
1465
2112
  "enforcement": "required",
2113
+ "executionStage": "pre-push",
1466
2114
  "id": "dependency-security",
1467
2115
  "label": "Dependency Management & Vulnerability Scanning",
1468
2116
  "severity": "error",
@@ -1572,6 +2220,7 @@
1572
2220
  },
1573
2221
  "description": "Ensure builds are reproducible by pinning dependencies, base images, and tool/runtime versions. Avoid network/time variance and fail when lockfiles drift.",
1574
2222
  "enforcement": "required",
2223
+ "executionStage": "ci-pr",
1575
2224
  "id": "deterministic-builds",
1576
2225
  "label": "Deterministic & Hermetic Builds",
1577
2226
  "severity": "error",
@@ -1695,6 +2344,7 @@
1695
2344
  },
1696
2345
  "description": "Produce SBOMs or provenance metadata, enable secret/code scanning, and sign tags or commits for critical repos.",
1697
2346
  "enforcement": "required",
2347
+ "executionStage": "release",
1698
2348
  "id": "provenance-security",
1699
2349
  "label": "Provenance & Security Metadata",
1700
2350
  "severity": "error",
@@ -1815,6 +2465,7 @@
1815
2465
  },
1816
2466
  "description": "Adopt standard CI templates and config samples to scale across repositories, minimizing bespoke pipeline logic.",
1817
2467
  "enforcement": "required",
2468
+ "executionStage": "ci-pr",
1818
2469
  "id": "ci-templates-automation",
1819
2470
  "label": "CI Templates & Automation",
1820
2471
  "severity": "error",
@@ -1936,6 +2587,7 @@
1936
2587
  },
1937
2588
  "description": "Specify required runtime/engine versions in package manifests to ensure environment stability and prevent version-related issues across development teams.",
1938
2589
  "enforcement": "required",
2590
+ "executionStage": "pre-commit",
1939
2591
  "id": "runtime-version",
1940
2592
  "label": "Runtime Version Specification",
1941
2593
  "severity": "error",
@@ -2029,6 +2681,7 @@
2029
2681
  },
2030
2682
  "description": "Maintain a comprehensive README and, where applicable, auto-generated API docs to support onboarding and maintainability.",
2031
2683
  "enforcement": "required",
2684
+ "executionStage": "ci-pr",
2032
2685
  "id": "documentation",
2033
2686
  "label": "Documentation Standards",
2034
2687
  "severity": "error",
@@ -2148,6 +2801,7 @@
2148
2801
  },
2149
2802
  "description": "Include standard governance files (LICENSE, CODE_OF_CONDUCT.md, CONTRIBUTING.md), branch protection rules, and review standards to define legal, ethical, and workflow expectations.",
2150
2803
  "enforcement": "required",
2804
+ "executionStage": "ci-pr",
2151
2805
  "id": "repository-governance",
2152
2806
  "label": "Repository Governance",
2153
2807
  "severity": "error",
@@ -2238,9 +2892,7 @@
2238
2892
  "verification": "LICENSE file is present in the repository root; CODE_OF_CONDUCT.md and CONTRIBUTING.md are present for contribution guidance."
2239
2893
  }
2240
2894
  }
2241
- }
2242
- ],
2243
- "optionalEnhancements": [
2895
+ },
2244
2896
  {
2245
2897
  "appliesTo": {
2246
2898
  "stacks": [
@@ -2253,68 +2905,85 @@
2253
2905
  },
2254
2906
  "ciHints": {
2255
2907
  "azure-devops": {
2256
- "stage": "observability"
2908
+ "notes": "CI should call the canonical verify command, not duplicate check logic.",
2909
+ "stage": "quality"
2257
2910
  },
2258
2911
  "github-actions": {
2259
- "job": "ci"
2912
+ "job": "ci",
2913
+ "notes": "CI should call the canonical verify command, not duplicate check logic."
2260
2914
  }
2261
2915
  },
2262
- "description": "Standardize error handling and structured logging to make debugging and production monitoring easier.",
2263
- "enforcement": "optional",
2264
- "id": "observability",
2265
- "label": "Observability (Logging & Error Handling)",
2266
- "severity": "info",
2916
+ "description": "Provide one canonical 'verify' command per repository/stack that all stages call with appropriate flags. This prevents duplication, drift, and ensures consistency between local development and CI.",
2917
+ "enforcement": "required",
2918
+ "executionStage": "pre-commit",
2919
+ "id": "canonical-verify",
2920
+ "label": "Canonical Verify Entrypoint",
2921
+ "severity": "error",
2267
2922
  "stackHints": {
2268
2923
  "csharp-dotnet": {
2269
2924
  "exampleConfigFiles": [
2270
- "appsettings.json"
2925
+ "Makefile",
2926
+ "build.cake"
2271
2927
  ],
2272
2928
  "exampleTools": [
2273
- "Serilog",
2274
- "NLog"
2929
+ "dotnet CLI",
2930
+ "make",
2931
+ "cake"
2275
2932
  ],
2276
- "notes": "Configure structured logging for your .NET services and ensure exceptions and key events are logged with useful context.",
2277
- "verification": "Confirm that a structured logging library (such as Serilog or NLog) is configured with an agreed sink and format, and that the application logs meaningful context for errors and key events."
2933
+ "notes": "Define 'make verify' or 'dotnet cake verify' that runs all checks. Both hooks and CI use this single entrypoint with stage-appropriate flags.",
2934
+ "verification": "Makefile or build script contains a 'verify' target."
2278
2935
  },
2279
2936
  "go": {
2280
- "exampleConfigFiles": [],
2937
+ "exampleConfigFiles": [
2938
+ "Makefile",
2939
+ "magefile.go"
2940
+ ],
2281
2941
  "exampleTools": [
2282
- "slog",
2283
- "zap",
2284
- "zerolog"
2942
+ "make",
2943
+ "mage"
2285
2944
  ],
2286
- "notes": "Use slog (stdlib) or zap/zerolog for structured logging. Configure JSON output for production and text for development.",
2287
- "verification": "Confirm that a structured logging library is configured with appropriate output format and log levels."
2945
+ "notes": "Define 'make verify' that runs go vet, golangci-lint, and go test. All stages use this single entrypoint.",
2946
+ "verification": "Makefile contains a 'verify' target."
2288
2947
  },
2289
2948
  "python": {
2290
2949
  "exampleConfigFiles": [
2291
- "logging configuration files",
2292
- "pyproject.toml"
2950
+ "Makefile",
2951
+ "tox.ini",
2952
+ "noxfile.py"
2293
2953
  ],
2294
2954
  "exampleTools": [
2295
- "structlog",
2296
- "loguru"
2955
+ "make",
2956
+ "tox",
2957
+ "nox"
2297
2958
  ],
2298
- "notes": "Use structured logging for Python services and ensure critical paths record enough context to debug issues after the fact.",
2299
- "verification": "Confirm that a structured logging setup (such as structlog or configured logging with JSON formatting) is in place and that critical paths log enough information to debug failures in production."
2959
+ "notes": "Define 'make verify' or 'tox -e verify' that runs ruff, black --check, mypy, and pytest. All stages use this entrypoint.",
2960
+ "verification": "Makefile or tox.ini contains a 'verify' target/environment."
2300
2961
  },
2301
2962
  "rust": {
2302
- "exampleConfigFiles": [],
2963
+ "exampleConfigFiles": [
2964
+ "Makefile",
2965
+ "Makefile.toml"
2966
+ ],
2303
2967
  "exampleTools": [
2304
- "tracing",
2305
- "log"
2968
+ "cargo",
2969
+ "make",
2970
+ "cargo-make"
2306
2971
  ],
2307
- "notes": "Use the tracing crate for structured logging with spans and events. Configure tracing-subscriber for output formatting.",
2308
- "verification": "Confirm that tracing or log crate is configured with appropriate subscriber/logger and emits structured output."
2972
+ "notes": "Define 'make verify' or 'cargo make verify' that runs fmt --check, clippy, and test. Both hooks and CI use this entrypoint.",
2973
+ "verification": "Makefile or Makefile.toml contains a 'verify' task."
2309
2974
  },
2310
2975
  "typescript-js": {
2311
- "exampleConfigFiles": [],
2976
+ "exampleConfigFiles": [
2977
+ "package.json"
2978
+ ],
2312
2979
  "exampleTools": [
2313
- "Winston",
2314
- "Pino"
2980
+ "npm scripts"
2315
2981
  ],
2316
- "notes": "Adopt structured JSON logging with correlation IDs and send logs to a centralized sink in production.",
2317
- "verification": "Confirm that a structured logging library (such as Winston or Pino) is configured to emit JSON or key-value logs and that error handling routes important failures through this logger."
2982
+ "notes": "Define 'npm run verify' that runs lint, format:check, typecheck, and test. Pre-commit hooks call 'npm run verify:quick' (lint + format only). CI calls 'npm run verify' (full suite). Never duplicate verification logic across multiple scripts.",
2983
+ "requiredScripts": [
2984
+ "verify"
2985
+ ],
2986
+ "verification": "package.json contains a 'verify' script that orchestrates all checks."
2318
2987
  }
2319
2988
  }
2320
2989
  },
@@ -2330,15 +2999,264 @@
2330
2999
  },
2331
3000
  "ciHints": {
2332
3001
  "azure-devops": {
2333
- "stage": "governance"
3002
+ "notes": "Ensure CI reads from authoritative configs, not duplicated settings.",
3003
+ "stage": "quality"
2334
3004
  },
2335
3005
  "github-actions": {
2336
- "job": "ci"
3006
+ "job": "ci",
3007
+ "notes": "Ensure CI reads from authoritative configs, not duplicated settings."
2337
3008
  }
2338
3009
  },
2339
- "description": "Define phase transition requirements in phase-gates.md for autonomous agent workflows with clear pre-conditions and approval gates.",
2340
- "enforcement": "optional",
2341
- "id": "agent-phase-gates",
3010
+ "description": "Each configuration rule must live in exactly one authoritative config file. Avoid duplication across .editorconfig, linter configs, and CI definitions. Document which file is authoritative for each concern.",
3011
+ "enforcement": "required",
3012
+ "executionStage": "ci-pr",
3013
+ "id": "config-authority",
3014
+ "label": "Config File Authority Rules",
3015
+ "severity": "error",
3016
+ "stackHints": {
3017
+ "csharp-dotnet": {
3018
+ "exampleConfigFiles": [
3019
+ ".gitattributes",
3020
+ ".editorconfig",
3021
+ "Directory.Build.props"
3022
+ ],
3023
+ "exampleTools": [],
3024
+ "notes": "Authority mapping: .gitattributes for EOL, .editorconfig for formatting rules, Directory.Build.props for shared build settings. Roslyn analyzers read from .editorconfig.",
3025
+ "verification": "Review configs and confirm no rule is duplicated across files."
3026
+ },
3027
+ "go": {
3028
+ "exampleConfigFiles": [
3029
+ ".gitattributes",
3030
+ "go.mod",
3031
+ ".golangci.yml"
3032
+ ],
3033
+ "exampleTools": [],
3034
+ "notes": "Authority mapping: .gitattributes for EOL, go.mod for module config and Go version, .golangci.yml for all linting rules. Keep lint config consolidated in one file.",
3035
+ "verification": "Review configs and confirm .golangci.yml is the single source for lint rules."
3036
+ },
3037
+ "python": {
3038
+ "exampleConfigFiles": [
3039
+ ".gitattributes",
3040
+ "pyproject.toml",
3041
+ ".editorconfig"
3042
+ ],
3043
+ "exampleTools": [],
3044
+ "notes": "Authority mapping: .gitattributes for EOL, pyproject.toml for all tool configs (ruff, black, mypy, pytest). Avoid separate tool configs (.flake8, setup.cfg) when pyproject.toml can hold them.",
3045
+ "verification": "Review configs and confirm pyproject.toml is the single source for tool settings."
3046
+ },
3047
+ "rust": {
3048
+ "exampleConfigFiles": [
3049
+ ".gitattributes",
3050
+ "Cargo.toml",
3051
+ "rustfmt.toml",
3052
+ "clippy.toml"
3053
+ ],
3054
+ "exampleTools": [],
3055
+ "notes": "Authority mapping: .gitattributes for EOL, Cargo.toml for project config, rustfmt.toml for formatting, clippy.toml for linting. Each concern has one file.",
3056
+ "verification": "Review configs and confirm no rules are duplicated across files."
3057
+ },
3058
+ "typescript-js": {
3059
+ "exampleConfigFiles": [
3060
+ ".gitattributes",
3061
+ ".editorconfig",
3062
+ "eslint.config.js",
3063
+ "tsconfig.json"
3064
+ ],
3065
+ "exampleTools": [],
3066
+ "notes": "Authority mapping: .gitattributes for EOL (Git layer), .editorconfig for editor display, eslint.config.js for lint rules, tsconfig.json for TS compiler options, prettier for formatting. Never duplicate rules across files.",
3067
+ "verification": "Review configs and confirm no rule is defined in multiple places with potential for drift."
3068
+ }
3069
+ }
3070
+ },
3071
+ {
3072
+ "appliesTo": {
3073
+ "stacks": [
3074
+ "typescript-js",
3075
+ "csharp-dotnet",
3076
+ "python",
3077
+ "rust",
3078
+ "go"
3079
+ ]
3080
+ },
3081
+ "ciHints": {
3082
+ "azure-devops": {
3083
+ "notes": "CI should read skip paths from config files, not hardcode them in pipeline.",
3084
+ "stage": "quality"
3085
+ },
3086
+ "github-actions": {
3087
+ "job": "ci",
3088
+ "notes": "CI should read skip paths from config files, not hardcode them in pipeline."
3089
+ }
3090
+ },
3091
+ "description": "Encode path exclusions and skip rules deterministically in config files, not through ad-hoc human judgment. Make it clear which paths are excluded from checks and why.",
3092
+ "enforcement": "required",
3093
+ "executionStage": "ci-pr",
3094
+ "id": "explicit-skip-paths",
3095
+ "label": "Explicit Skip Paths",
3096
+ "severity": "error",
3097
+ "stackHints": {
3098
+ "csharp-dotnet": {
3099
+ "exampleConfigFiles": [
3100
+ ".editorconfig"
3101
+ ],
3102
+ "exampleTools": [
3103
+ "dotnet format",
3104
+ "Roslyn"
3105
+ ],
3106
+ "notes": "Use .editorconfig file globs to exclude generated code from analysis. Document exclusions with comments.",
3107
+ "verification": "Review .editorconfig and confirm exclusions are explicit and documented."
3108
+ },
3109
+ "go": {
3110
+ "exampleConfigFiles": [
3111
+ ".golangci.yml"
3112
+ ],
3113
+ "exampleTools": [
3114
+ "golangci-lint"
3115
+ ],
3116
+ "notes": "Define skip-dirs and skip-files in .golangci.yml. Use //nolint comments sparingly and always include justification (//nolint:errcheck // reason).",
3117
+ "verification": "Review .golangci.yml and confirm skip paths are explicit and documented."
3118
+ },
3119
+ "python": {
3120
+ "exampleConfigFiles": [
3121
+ "pyproject.toml"
3122
+ ],
3123
+ "exampleTools": [
3124
+ "ruff",
3125
+ "black",
3126
+ "mypy"
3127
+ ],
3128
+ "notes": "Define exclude patterns in pyproject.toml [tool.ruff], [tool.black], [tool.mypy] sections. Document why each path is excluded. Avoid runtime --exclude flags.",
3129
+ "verification": "Review pyproject.toml and confirm all exclusions are defined there, not in scripts."
3130
+ },
3131
+ "rust": {
3132
+ "exampleConfigFiles": [
3133
+ "rustfmt.toml",
3134
+ ".clippy.toml"
3135
+ ],
3136
+ "exampleTools": [
3137
+ "rustfmt",
3138
+ "clippy"
3139
+ ],
3140
+ "notes": "Use #[rustfmt::skip] or #[allow(clippy::*)] sparingly and document why. For directory-level exclusions, use Cargo.toml workspace exclude.",
3141
+ "verification": "Search for skip annotations and confirm each is documented."
3142
+ },
3143
+ "typescript-js": {
3144
+ "exampleConfigFiles": [
3145
+ ".eslintignore",
3146
+ ".prettierignore",
3147
+ "eslint.config.js"
3148
+ ],
3149
+ "exampleTools": [
3150
+ "eslint",
3151
+ "prettier"
3152
+ ],
3153
+ "notes": "Define ignores in eslint.config.js (ignores array) and .prettierignore. Document why each path is excluded (generated code, vendor, etc.). Avoid ad-hoc --ignore-path flags in scripts.",
3154
+ "verification": "Review ignore configs and confirm all exclusions are documented and intentional."
3155
+ }
3156
+ }
3157
+ }
3158
+ ],
3159
+ "optionalEnhancements": [
3160
+ {
3161
+ "appliesTo": {
3162
+ "stacks": [
3163
+ "typescript-js",
3164
+ "csharp-dotnet",
3165
+ "python",
3166
+ "rust",
3167
+ "go"
3168
+ ]
3169
+ },
3170
+ "ciHints": {
3171
+ "azure-devops": {
3172
+ "stage": "observability"
3173
+ },
3174
+ "github-actions": {
3175
+ "job": "ci"
3176
+ }
3177
+ },
3178
+ "description": "Standardize error handling and structured logging to make debugging and production monitoring easier.",
3179
+ "enforcement": "optional",
3180
+ "executionStage": "ci-pr",
3181
+ "id": "observability",
3182
+ "label": "Observability (Logging & Error Handling)",
3183
+ "severity": "info",
3184
+ "stackHints": {
3185
+ "csharp-dotnet": {
3186
+ "exampleConfigFiles": [
3187
+ "appsettings.json"
3188
+ ],
3189
+ "exampleTools": [
3190
+ "Serilog",
3191
+ "NLog"
3192
+ ],
3193
+ "notes": "Configure structured logging for your .NET services and ensure exceptions and key events are logged with useful context.",
3194
+ "verification": "Confirm that a structured logging library (such as Serilog or NLog) is configured with an agreed sink and format, and that the application logs meaningful context for errors and key events."
3195
+ },
3196
+ "go": {
3197
+ "exampleConfigFiles": [],
3198
+ "exampleTools": [
3199
+ "slog",
3200
+ "zap",
3201
+ "zerolog"
3202
+ ],
3203
+ "notes": "Use slog (stdlib) or zap/zerolog for structured logging. Configure JSON output for production and text for development.",
3204
+ "verification": "Confirm that a structured logging library is configured with appropriate output format and log levels."
3205
+ },
3206
+ "python": {
3207
+ "exampleConfigFiles": [
3208
+ "logging configuration files",
3209
+ "pyproject.toml"
3210
+ ],
3211
+ "exampleTools": [
3212
+ "structlog",
3213
+ "loguru"
3214
+ ],
3215
+ "notes": "Use structured logging for Python services and ensure critical paths record enough context to debug issues after the fact.",
3216
+ "verification": "Confirm that a structured logging setup (such as structlog or configured logging with JSON formatting) is in place and that critical paths log enough information to debug failures in production."
3217
+ },
3218
+ "rust": {
3219
+ "exampleConfigFiles": [],
3220
+ "exampleTools": [
3221
+ "tracing",
3222
+ "log"
3223
+ ],
3224
+ "notes": "Use the tracing crate for structured logging with spans and events. Configure tracing-subscriber for output formatting.",
3225
+ "verification": "Confirm that tracing or log crate is configured with appropriate subscriber/logger and emits structured output."
3226
+ },
3227
+ "typescript-js": {
3228
+ "exampleConfigFiles": [],
3229
+ "exampleTools": [
3230
+ "Winston",
3231
+ "Pino"
3232
+ ],
3233
+ "notes": "Adopt structured JSON logging with correlation IDs and send logs to a centralized sink in production.",
3234
+ "verification": "Confirm that a structured logging library (such as Winston or Pino) is configured to emit JSON or key-value logs and that error handling routes important failures through this logger."
3235
+ }
3236
+ }
3237
+ },
3238
+ {
3239
+ "appliesTo": {
3240
+ "stacks": [
3241
+ "typescript-js",
3242
+ "csharp-dotnet",
3243
+ "python",
3244
+ "rust",
3245
+ "go"
3246
+ ]
3247
+ },
3248
+ "ciHints": {
3249
+ "azure-devops": {
3250
+ "stage": "governance"
3251
+ },
3252
+ "github-actions": {
3253
+ "job": "ci"
3254
+ }
3255
+ },
3256
+ "description": "Define phase transition requirements in phase-gates.md for autonomous agent workflows with clear pre-conditions and approval gates.",
3257
+ "enforcement": "optional",
3258
+ "executionStage": "ci-pr",
3259
+ "id": "agent-phase-gates",
2342
3260
  "label": "Agent Phase Gates",
2343
3261
  "severity": "info",
2344
3262
  "stackHints": {
@@ -2419,6 +3337,7 @@
2419
3337
  },
2420
3338
  "description": "Document milestone completion criteria in victory-gates.md defining 'done' for releases and major deliverables with evidence requirements.",
2421
3339
  "enforcement": "optional",
3340
+ "executionStage": "release",
2422
3341
  "id": "agent-victory-gates",
2423
3342
  "label": "Agent Victory Gates",
2424
3343
  "severity": "info",
@@ -2504,6 +3423,7 @@
2504
3423
  },
2505
3424
  "description": "Automate dependency updates using Renovate or Dependabot to keep dependencies current and reduce security exposure window.",
2506
3425
  "enforcement": "recommended",
3426
+ "executionStage": "nightly",
2507
3427
  "id": "dependency-update-automation",
2508
3428
  "label": "Dependency Update Automation",
2509
3429
  "severity": "warn",
@@ -2622,6 +3542,7 @@
2622
3542
  },
2623
3543
  "description": "Enforce module boundaries and import constraints to prevent architectural drift and unwanted coupling.",
2624
3544
  "enforcement": "recommended",
3545
+ "executionStage": "ci-pr",
2625
3546
  "id": "dependency-architecture-rules",
2626
3547
  "label": "Dependency Architecture Rules",
2627
3548
  "severity": "warn",
@@ -2720,6 +3641,7 @@
2720
3641
  },
2721
3642
  "description": "Test how components interact with each other and external systems, running after unit tests with more relaxed coverage thresholds.",
2722
3643
  "enforcement": "recommended",
3644
+ "executionStage": "ci-main",
2723
3645
  "id": "integration-testing",
2724
3646
  "label": "Integration Testing",
2725
3647
  "severity": "warn",
@@ -2801,6 +3723,7 @@
2801
3723
  },
2802
3724
  "description": "Establish performance baselines and monitor for regressions using lightweight benchmarks or audits in CI.",
2803
3725
  "enforcement": "recommended",
3726
+ "executionStage": "nightly",
2804
3727
  "id": "performance-baselining",
2805
3728
  "label": "Performance Baselines",
2806
3729
  "severity": "warn",
@@ -2882,6 +3805,7 @@
2882
3805
  },
2883
3806
  "description": "Measure cyclomatic complexity or similar metrics to keep code maintainable, starting as a warning-only check.",
2884
3807
  "enforcement": "recommended",
3808
+ "executionStage": "ci-pr",
2885
3809
  "id": "complexity-analysis",
2886
3810
  "label": "Complexity Analysis",
2887
3811
  "severity": "warn",
@@ -2963,6 +3887,7 @@
2963
3887
  },
2964
3888
  "description": "Run accessibility checks on web-facing components to detect critical issues and improve inclusive UX.",
2965
3889
  "enforcement": "recommended",
3890
+ "executionStage": "ci-pr",
2966
3891
  "id": "accessibility-auditing",
2967
3892
  "label": "Accessibility Auditing",
2968
3893
  "severity": "warn",
@@ -3013,6 +3938,442 @@
3013
3938
  }
3014
3939
  }
3015
3940
  },
3941
+ {
3942
+ "appliesTo": {
3943
+ "stacks": [
3944
+ "typescript-js",
3945
+ "csharp-dotnet",
3946
+ "python",
3947
+ "rust",
3948
+ "go"
3949
+ ]
3950
+ },
3951
+ "ciHints": {
3952
+ "azure-devops": {
3953
+ "notes": "Run AI drift detection in a scheduled nightly pipeline separate from main CI.",
3954
+ "stage": "nightly"
3955
+ },
3956
+ "github-actions": {
3957
+ "job": "nightly",
3958
+ "notes": "Use scheduled workflow (cron) to run AI drift detection nightly."
3959
+ }
3960
+ },
3961
+ "description": "Run nightly or scheduled checks comparing AI-generated outputs against pinned baselines to detect model drift, prompt drift, or code changes affecting AI behavior. Attribute regressions to code changes vs model updates vs prompt changes.",
3962
+ "enforcement": "recommended",
3963
+ "executionStage": "nightly",
3964
+ "id": "ai-drift-detection",
3965
+ "label": "AI Drift Detection",
3966
+ "severity": "warn",
3967
+ "stackHints": {
3968
+ "csharp-dotnet": {
3969
+ "exampleConfigFiles": [
3970
+ "*.verified.txt",
3971
+ "ai-baselines/"
3972
+ ],
3973
+ "exampleTools": [
3974
+ "Verify",
3975
+ "custom baseline tests"
3976
+ ],
3977
+ "notes": "Use Verify library or custom comparison tests to detect AI output drift. Run nightly to catch model-side changes that don't show up in code diffs.",
3978
+ "verification": "Run AI baseline tests and confirm outputs match pinned baselines."
3979
+ },
3980
+ "go": {
3981
+ "exampleConfigFiles": [
3982
+ "testdata/golden/",
3983
+ "ai-baselines/"
3984
+ ],
3985
+ "exampleTools": [
3986
+ "go test",
3987
+ "golden files"
3988
+ ],
3989
+ "notes": "Use golden file testing pattern for AI outputs. Compare current output against pinned baselines nightly.",
3990
+ "verification": "Run golden tests and confirm AI outputs match baselines."
3991
+ },
3992
+ "python": {
3993
+ "exampleConfigFiles": [
3994
+ "tests/ai_baselines/",
3995
+ "pytest.ini"
3996
+ ],
3997
+ "exampleTools": [
3998
+ "pytest",
3999
+ "deepdiff",
4000
+ "great_expectations"
4001
+ ],
4002
+ "notes": "Create golden output tests for AI-generated content. Use deepdiff for structured comparison. For ML models, also track metrics drift (accuracy, latency) not just output drift.",
4003
+ "verification": "Run AI baseline tests nightly and confirm outputs match or drift is documented."
4004
+ },
4005
+ "rust": {
4006
+ "exampleConfigFiles": [
4007
+ "snapshots/",
4008
+ "ai-baselines/"
4009
+ ],
4010
+ "exampleTools": [
4011
+ "insta",
4012
+ "custom baseline tests"
4013
+ ],
4014
+ "notes": "Use insta for snapshot testing of AI outputs. Pin model versions and prompt templates. Run nightly to detect drift.",
4015
+ "verification": "Run 'cargo insta test' and confirm AI outputs match baselines."
4016
+ },
4017
+ "typescript-js": {
4018
+ "exampleConfigFiles": [
4019
+ "__snapshots__/",
4020
+ "ai-baselines/"
4021
+ ],
4022
+ "exampleTools": [
4023
+ "jest snapshots",
4024
+ "custom baseline comparator"
4025
+ ],
4026
+ "notes": "Pin AI outputs as baseline snapshots. Nightly runs compare current outputs against baselines. When drift detected, investigate: was it a code change, model update, or prompt change? Log model version, prompt hash, and code SHA for attribution.",
4027
+ "verification": "Run AI baseline tests and confirm outputs match pinned baselines or drift is intentional."
4028
+ }
4029
+ }
4030
+ },
4031
+ {
4032
+ "appliesTo": {
4033
+ "stacks": [
4034
+ "typescript-js",
4035
+ "csharp-dotnet",
4036
+ "python",
4037
+ "rust",
4038
+ "go"
4039
+ ]
4040
+ },
4041
+ "ciHints": {
4042
+ "azure-devops": {
4043
+ "notes": "Run schema validation tests as part of quality gates.",
4044
+ "stage": "quality"
4045
+ },
4046
+ "github-actions": {
4047
+ "job": "ci",
4048
+ "notes": "Include AI output schema validation in CI test suite."
4049
+ }
4050
+ },
4051
+ "description": "Validate all AI-generated outputs against strict JSON schemas or type definitions at system boundaries. Reject invalid outputs early rather than letting malformed data propagate through the system.",
4052
+ "enforcement": "recommended",
4053
+ "executionStage": "ci-pr",
4054
+ "id": "ai-schema-enforcement",
4055
+ "label": "AI Output Schema Enforcement",
4056
+ "severity": "warn",
4057
+ "stackHints": {
4058
+ "csharp-dotnet": {
4059
+ "exampleConfigFiles": [
4060
+ "*.schema.json",
4061
+ "Schemas/"
4062
+ ],
4063
+ "exampleTools": [
4064
+ "System.Text.Json",
4065
+ "FluentValidation",
4066
+ "JsonSchema.Net"
4067
+ ],
4068
+ "notes": "Use strongly-typed DTOs with validation attributes or FluentValidation for AI outputs. Deserialize with strict settings that reject unknown properties.",
4069
+ "verification": "Review AI integration code and confirm outputs are validated against schemas."
4070
+ },
4071
+ "go": {
4072
+ "exampleConfigFiles": [
4073
+ "schemas/"
4074
+ ],
4075
+ "exampleTools": [
4076
+ "go-playground/validator",
4077
+ "gojsonschema"
4078
+ ],
4079
+ "notes": "Define struct tags for JSON unmarshaling and use validator for additional constraints. Reject AI outputs that don't match expected schema.",
4080
+ "verification": "Review AI integration code and confirm schema validation is in place."
4081
+ },
4082
+ "python": {
4083
+ "exampleConfigFiles": [
4084
+ "schemas/",
4085
+ "models.py"
4086
+ ],
4087
+ "exampleTools": [
4088
+ "pydantic",
4089
+ "jsonschema",
4090
+ "marshmallow"
4091
+ ],
4092
+ "notes": "Use Pydantic models for AI output validation. Enable strict mode to reject extra fields. Define clear schemas at system boundaries where AI outputs enter the codebase.",
4093
+ "verification": "Review AI integration code and confirm Pydantic or equivalent validation is in place."
4094
+ },
4095
+ "rust": {
4096
+ "exampleConfigFiles": [
4097
+ "src/schemas/"
4098
+ ],
4099
+ "exampleTools": [
4100
+ "serde",
4101
+ "jsonschema",
4102
+ "validator"
4103
+ ],
4104
+ "notes": "Use serde with #[serde(deny_unknown_fields)] for strict deserialization of AI outputs. Add validator derives for business rule validation.",
4105
+ "verification": "Review AI integration code and confirm strict deserialization is enforced."
4106
+ },
4107
+ "typescript-js": {
4108
+ "exampleConfigFiles": [
4109
+ "src/schemas/",
4110
+ "*.schema.json"
4111
+ ],
4112
+ "exampleTools": [
4113
+ "zod",
4114
+ "ajv",
4115
+ "TypeScript"
4116
+ ],
4117
+ "notes": "Define strict schemas for AI outputs using Zod or JSON Schema. Parse and validate AI responses at integration boundaries. Fail fast on schema violations rather than handling partial/invalid data.",
4118
+ "verification": "Review AI integration code and confirm all AI outputs are validated against schemas."
4119
+ }
4120
+ }
4121
+ },
4122
+ {
4123
+ "appliesTo": {
4124
+ "stacks": [
4125
+ "typescript-js",
4126
+ "csharp-dotnet",
4127
+ "python",
4128
+ "rust",
4129
+ "go"
4130
+ ]
4131
+ },
4132
+ "ciHints": {
4133
+ "azure-devops": {
4134
+ "notes": "Run AI golden tests as part of the test stage.",
4135
+ "stage": "test"
4136
+ },
4137
+ "github-actions": {
4138
+ "job": "ci",
4139
+ "notes": "Include AI golden contract tests in CI test suite."
4140
+ }
4141
+ },
4142
+ "description": "Validate AI tool-generated patches, configs, and code against exact expected formats. Test that AI outputs respect forbidden paths, file patterns, and format constraints through golden contract tests.",
4143
+ "enforcement": "recommended",
4144
+ "executionStage": "ci-pr",
4145
+ "id": "ai-golden-tests",
4146
+ "label": "AI Golden Contract Tests",
4147
+ "severity": "warn",
4148
+ "stackHints": {
4149
+ "csharp-dotnet": {
4150
+ "exampleConfigFiles": [
4151
+ "TestData/",
4152
+ "*.verified.json"
4153
+ ],
4154
+ "exampleTools": [
4155
+ "xUnit",
4156
+ "Verify"
4157
+ ],
4158
+ "notes": "Use Verify for golden file testing of AI outputs. Ensure AI-generated code respects namespace conventions and doesn't modify protected files.",
4159
+ "verification": "Run golden tests and confirm AI outputs match verified snapshots."
4160
+ },
4161
+ "go": {
4162
+ "exampleConfigFiles": [
4163
+ "testdata/"
4164
+ ],
4165
+ "exampleTools": [
4166
+ "go test",
4167
+ "golden files"
4168
+ ],
4169
+ "notes": "Use golden file pattern for AI output testing. Verify generated code follows Go conventions and doesn't modify vendor/ or other protected paths.",
4170
+ "verification": "Run golden tests and confirm AI outputs match expected files."
4171
+ },
4172
+ "python": {
4173
+ "exampleConfigFiles": [
4174
+ "tests/fixtures/",
4175
+ "__snapshots__/"
4176
+ ],
4177
+ "exampleTools": [
4178
+ "pytest",
4179
+ "syrupy"
4180
+ ],
4181
+ "notes": "Use pytest with syrupy for snapshot testing AI outputs. Test that generated code follows project conventions and respects forbidden paths.",
4182
+ "verification": "Run snapshot tests and confirm AI outputs match golden fixtures."
4183
+ },
4184
+ "rust": {
4185
+ "exampleConfigFiles": [
4186
+ "snapshots/"
4187
+ ],
4188
+ "exampleTools": [
4189
+ "insta"
4190
+ ],
4191
+ "notes": "Use insta for snapshot testing AI-generated code and configs. Test format compliance and forbidden path restrictions.",
4192
+ "verification": "Run 'cargo insta test' and confirm AI outputs match snapshots."
4193
+ },
4194
+ "typescript-js": {
4195
+ "exampleConfigFiles": [
4196
+ "__fixtures__/ai-outputs/",
4197
+ "*.golden.json"
4198
+ ],
4199
+ "exampleTools": [
4200
+ "jest",
4201
+ "vitest"
4202
+ ],
4203
+ "notes": "Create golden test fixtures for AI-generated patches and configs. Test that outputs match exact formats, don't touch forbidden paths (node_modules, .git), and respect file naming conventions.",
4204
+ "verification": "Run golden tests and confirm AI outputs match expected fixtures exactly."
4205
+ }
4206
+ }
4207
+ },
4208
+ {
4209
+ "appliesTo": {
4210
+ "stacks": [
4211
+ "typescript-js",
4212
+ "csharp-dotnet",
4213
+ "python",
4214
+ "rust",
4215
+ "go"
4216
+ ]
4217
+ },
4218
+ "ciHints": {
4219
+ "azure-devops": {
4220
+ "notes": "Run AI safety tests as part of security stage on main branch.",
4221
+ "stage": "security"
4222
+ },
4223
+ "github-actions": {
4224
+ "job": "security",
4225
+ "notes": "Run AI safety checks on main branch merges."
4226
+ }
4227
+ },
4228
+ "description": "Test AI integrations for prompt injection resistance, input sanitization, output filtering, and data exfiltration prevention. Include adversarial test cases that attempt to manipulate AI behavior.",
4229
+ "enforcement": "recommended",
4230
+ "executionStage": "ci-main",
4231
+ "id": "ai-safety-checks",
4232
+ "label": "AI Adversarial & Safety Testing",
4233
+ "severity": "warn",
4234
+ "stackHints": {
4235
+ "csharp-dotnet": {
4236
+ "exampleConfigFiles": [
4237
+ "Tests/AiSafety/"
4238
+ ],
4239
+ "exampleTools": [
4240
+ "xUnit",
4241
+ "custom security tests"
4242
+ ],
4243
+ "notes": "Test prompt injection resistance and output sanitization. Ensure AI outputs are escaped/validated before use in SQL queries, command execution, or HTML rendering.",
4244
+ "verification": "Run AI safety tests and confirm adversarial inputs are handled safely."
4245
+ },
4246
+ "go": {
4247
+ "exampleConfigFiles": [
4248
+ "ai_safety_test.go"
4249
+ ],
4250
+ "exampleTools": [
4251
+ "go test",
4252
+ "go-fuzz"
4253
+ ],
4254
+ "notes": "Create adversarial test cases for AI integrations. Use fuzzing to discover input handling edge cases.",
4255
+ "verification": "Run AI safety tests and fuzz tests."
4256
+ },
4257
+ "python": {
4258
+ "exampleConfigFiles": [
4259
+ "tests/ai_safety/"
4260
+ ],
4261
+ "exampleTools": [
4262
+ "pytest",
4263
+ "hypothesis"
4264
+ ],
4265
+ "notes": "Use hypothesis for property-based testing of AI input handling. Test prompt injection, output sanitization, and data boundary enforcement.",
4266
+ "verification": "Run AI safety tests including adversarial cases."
4267
+ },
4268
+ "rust": {
4269
+ "exampleConfigFiles": [
4270
+ "tests/ai_safety/"
4271
+ ],
4272
+ "exampleTools": [
4273
+ "proptest",
4274
+ "custom tests"
4275
+ ],
4276
+ "notes": "Use proptest for property-based testing of AI input validation. Test that malicious inputs don't escape sandboxing.",
4277
+ "verification": "Run AI safety tests with adversarial inputs."
4278
+ },
4279
+ "typescript-js": {
4280
+ "exampleConfigFiles": [
4281
+ "tests/ai-safety/"
4282
+ ],
4283
+ "exampleTools": [
4284
+ "jest",
4285
+ "custom adversarial tests"
4286
+ ],
4287
+ "notes": "Create adversarial test suite with prompt injection attempts, malicious input patterns, and exfiltration scenarios. Test that AI outputs are sanitized before use in sensitive contexts (SQL, shell, HTML).",
4288
+ "verification": "Run AI safety test suite and confirm all adversarial cases are handled safely."
4289
+ }
4290
+ }
4291
+ },
4292
+ {
4293
+ "appliesTo": {
4294
+ "stacks": [
4295
+ "typescript-js",
4296
+ "csharp-dotnet",
4297
+ "python",
4298
+ "rust",
4299
+ "go"
4300
+ ]
4301
+ },
4302
+ "ciHints": {
4303
+ "azure-devops": {
4304
+ "notes": "Verify AI provenance logging is implemented in quality checks.",
4305
+ "stage": "quality"
4306
+ },
4307
+ "github-actions": {
4308
+ "job": "ci",
4309
+ "notes": "Check AI provenance logging implementation in CI."
4310
+ }
4311
+ },
4312
+ "description": "Log AI provider, model version, prompt template version, parameters, and tool versions for all AI operations. Enable attribution of outputs to specific model+prompt combinations for debugging and compliance.",
4313
+ "enforcement": "recommended",
4314
+ "executionStage": "ci-pr",
4315
+ "id": "ai-provenance-tracking",
4316
+ "label": "AI Provenance & Audit Logging",
4317
+ "severity": "warn",
4318
+ "stackHints": {
4319
+ "csharp-dotnet": {
4320
+ "exampleConfigFiles": [
4321
+ "AiProvenance.cs"
4322
+ ],
4323
+ "exampleTools": [
4324
+ "OpenTelemetry",
4325
+ "Serilog"
4326
+ ],
4327
+ "notes": "Use structured logging to capture AI call provenance. Include model version, prompt hash, and parameters in log context.",
4328
+ "verification": "Review AI integration and confirm provenance logging is implemented."
4329
+ },
4330
+ "go": {
4331
+ "exampleConfigFiles": [
4332
+ "ai/provenance.go"
4333
+ ],
4334
+ "exampleTools": [
4335
+ "slog",
4336
+ "OpenTelemetry"
4337
+ ],
4338
+ "notes": "Use structured logging (slog) to capture AI provenance. Include model, prompt version, and parameters in log context.",
4339
+ "verification": "Review AI integration and confirm provenance logging is implemented."
4340
+ },
4341
+ "python": {
4342
+ "exampleConfigFiles": [
4343
+ "ai/provenance.py"
4344
+ ],
4345
+ "exampleTools": [
4346
+ "structlog",
4347
+ "OpenTelemetry",
4348
+ "MLflow"
4349
+ ],
4350
+ "notes": "Log AI provenance using structlog or MLflow tracking. For ML models, also track training data version and model artifact hash.",
4351
+ "verification": "Review AI integration and confirm provenance is tracked."
4352
+ },
4353
+ "rust": {
4354
+ "exampleConfigFiles": [
4355
+ "src/ai/provenance.rs"
4356
+ ],
4357
+ "exampleTools": [
4358
+ "tracing",
4359
+ "OpenTelemetry"
4360
+ ],
4361
+ "notes": "Use tracing spans to capture AI call provenance. Include model version, prompt hash, and parameters as span attributes.",
4362
+ "verification": "Review AI integration and confirm provenance is logged."
4363
+ },
4364
+ "typescript-js": {
4365
+ "exampleConfigFiles": [
4366
+ "src/ai/provenance.ts"
4367
+ ],
4368
+ "exampleTools": [
4369
+ "OpenTelemetry",
4370
+ "custom logging"
4371
+ ],
4372
+ "notes": "Log for each AI call: provider (OpenAI, Anthropic), model ID, prompt template hash/version, temperature, timestamp, request ID. Store provenance alongside outputs for debugging 'why did AI do X?'",
4373
+ "verification": "Review AI integration code and confirm provenance is logged for all AI calls."
4374
+ }
4375
+ }
4376
+ },
3016
4377
  {
3017
4378
  "appliesTo": {
3018
4379
  "stacks": [
@@ -3035,6 +4396,7 @@
3035
4396
  },
3036
4397
  "description": "Maintain INVARIANTS.md defining repository-wide rules that must always hold true, with machine-readable verification commands for autonomous agents.",
3037
4398
  "enforcement": "recommended",
4399
+ "executionStage": "ci-pr",
3038
4400
  "id": "agent-invariants",
3039
4401
  "label": "Autonomous Agent Invariants",
3040
4402
  "severity": "warn",
@@ -3151,27 +4513,41 @@
3151
4513
  },
3152
4514
  "migrationGuide": [
3153
4515
  {
3154
- "description": "Start by adding pre-commit hooks and core formatting/linting so developers get fast feedback without touching CI.",
4516
+ "description": "Configure .gitattributes for cross-platform line ending correctness and establish the canonical verify entrypoint before adding any checks. This prevents 'works locally, fails in CI' issues from day one.",
4517
+ "focusIds": [
4518
+ "gitattributes-eol",
4519
+ "canonical-verify",
4520
+ "hook-ci-parity",
4521
+ "config-authority"
4522
+ ],
4523
+ "notes": "Start here to avoid debugging cryptic CRLF failures later. Use .gitattributes as the authority for EOL (not .editorconfig). Run 'git add --renormalize .' after adding .gitattributes to fix existing files.",
4524
+ "step": 0,
4525
+ "title": "Foundation: Line Endings and Hook Entry Point"
4526
+ },
4527
+ {
4528
+ "description": "Add pre-commit hooks with secret scanning, formatting, and linting. Hooks should CHECK (not auto-fix) and scope to changed files only for speed.",
3155
4529
  "focusIds": [
3156
4530
  "pre-commit-hooks",
4531
+ "secret-scanning-precommit",
3157
4532
  "linting",
3158
4533
  "code-formatter"
3159
4534
  ],
3160
- "notes": "Keep hooks fast and focused on changed files to avoid slowing down day-to-day work.",
4535
+ "notes": "Keep hooks fast by scoping to staged files. Use Husky as entry point calling lint-staged or pre-commit. Hooks should check, not fix, to keep developers aware of issues.",
3161
4536
  "step": 1,
3162
4537
  "title": "Establish Local Safety Nets First"
3163
4538
  },
3164
4539
  {
3165
- "description": "Introduce CI quality gates that mirror local checks, but treat existing violations as warnings wherever possible.",
4540
+ "description": "Introduce CI quality gates that mirror local hooks exactly. Add CRLF detection early in pipeline. Treat existing violations as warnings where possible.",
3166
4541
  "focusIds": [
4542
+ "crlf-detection",
3167
4543
  "ci-quality-gates",
3168
4544
  "linting",
3169
4545
  "code-formatter",
3170
4546
  "commit-linting"
3171
4547
  ],
3172
- "notes": "Use diff-based tools or baselines so only new violations break builds; legacy issues remain visible but non-blocking.",
4548
+ "notes": "CI must call the same verify scripts that hooks use. Add CRLF detection before other checks to fail fast on line ending issues. Use diff-based tools so only new violations break builds.",
3173
4549
  "step": 2,
3174
- "title": "Mirror Local Checks in CI (Soft-Fail on Legacy)"
4550
+ "title": "Mirror Local Checks in CI with CRLF Detection"
3175
4551
  },
3176
4552
  {
3177
4553
  "description": "Enable type-checking, coverage thresholds, and dependency/vulnerability scanning with gradual enforcement.",
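Review bot: Secret scanning is listed only on the local side of the migration guide: step 1's `focusIds` (new gutter 4528–4534) gain `secret-scanning-precommit`, but step 2 (gutter 4542–4547), which is meant to mirror the hooks in CI, has no scanning entry, so a push made with hooks skipped (`--no-verify`, a new clone without hooks installed) is never checked server-side. Since step 2's notes already state that CI must call the same verify scripts as the hooks, make the parity explicit — `"notes": "CI must call the same verify scripts that hooks use, including secret scanning, because local hooks can be bypassed. Add CRLF detection before other checks ..."` — and add the CI-side secret-scanning check id to step 2's `focusIds` if the checklist defines one (the full checklist is not visible from this hunk). Separately, step 0's notes recommend `git add --renormalize .`; a short caveat that this rewrites the index entry of every text file and is best landed as its own commit, verified with `git ls-files --eol` before committing, would keep the EOL migration out of unrelated diffs.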
@@ -3196,9 +4572,22 @@
3196
4572
  "complexity-analysis",
3197
4573
  "accessibility-auditing"
3198
4574
  ],
3199
- "notes": "Tackle recommended items in order of business value; backend-only repos can skip web-focused checks like accessibility. For AI/ML-heavy Python teams, consider extending containerization with data versioning (DVC) and unit tests with data quality checks (e.g., Great Expectations) as part of this step.",
4575
+ "notes": "Tackle recommended items in order of business value; backend-only repos can skip web-focused checks like accessibility.",
3200
4576
  "step": 4,
3201
4577
  "title": "Layer in Docs, Governance, and Recommended Checks"
4578
+ },
4579
+ {
4580
+ "description": "For repos using or building with generative AI, add drift detection, schema enforcement, golden contract tests, safety testing, and provenance tracking.",
4581
+ "focusIds": [
4582
+ "ai-drift-detection",
4583
+ "ai-schema-enforcement",
4584
+ "ai-golden-tests",
4585
+ "ai-safety-checks",
4586
+ "ai-provenance-tracking"
4587
+ ],
4588
+ "notes": "Skip this step if your repo has no AI/ML components. For AI-heavy repos: add nightly drift detection to catch model changes, enforce strict schemas at AI output boundaries, and log provenance for debugging 'why did AI do X?'",
4589
+ "step": 5,
4590
+ "title": "AI/ML Governance (If Applicable)"
3202
4591
  }
3203
4592
  ],
3204
4593
  "qualityGatePolicy": {
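Review bot: The new step 5 (gutter 4579–4590) scopes its description to "repos using or building with generative AI" while its title and notes say "AI/ML", and the data-versioning / data-quality guidance (DVC, Great Expectations) dropped from step 4's notes does not reappear here, so classical-ML teams now have no migration step mentioning training-data versioning even though the python provenance hint at gutter 4350 tells them to track it. Suggest aligning the wording — `"description": "For repos using or building with AI/ML (generative or classical), add drift detection, schema enforcement, golden contract tests, safety testing, and provenance tracking."` — and either carrying the dropped data-versioning sentence into step 5's notes or stating that it is intentionally out of scope. The `focusIds` added in this and the previous hunk are string cross-references to checklist `id` values with no structural check visible in the data itself; if the package does not already test that every `focusIds` entry resolves to a checklist entry, this change is the place to add that test, since a typo would silently orphan a guide step.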
@@ -3228,5 +4617,5 @@
3228
4617
  "languageFamily": "js"
3229
4618
  }
3230
4619
  },
3231
- "version": 4
4620
+ "version": 5
3232
4621
  }