@ryuenn3123/agentic-senior-core 2.5.12 → 2.5.13

package/.agent-context/prompts/review-code.md

@@ -16,6 +16,7 @@ Use these checklists:
 3. Apply documentation scope rules exactly: This applies to documentation, release notes, onboarding text, review summaries, and agent-facing explanations.
 4. Treat scope-style findings as advisory unless they hide factual errors, contract mismatches, or non-negotiable violations.
 5. Enforce documentation hard blockers on changed boundaries: public surface changes, API contract changes, and database structure changes must include synchronized documentation updates.
+6. Enforce context-triggered strict audits: review requests, PR-intent workflows, and major feature completion must run strict security and performance audits; small edits stay lightweight unless strict mode is explicitly forced.
 
 For EVERY violation found:
 - State the exact file and line

package/.agent-context/review-checklists/performance-audit.md

@@ -11,6 +11,12 @@ Evaluate every item below. For each finding, rate impact:
 - **MEDIUM** — Wasted resources, fix in this sprint
 - **LOW** — Optimization opportunity, track for later
 
+## Context Trigger Policy
+
+- Strict performance audit auto-runs for review requests, PR-intent workflows, and major feature completion.
+- Small edits default to lightweight mode unless strict mode is explicitly forced.
+- User can force strict mode manually at any time.
+
 ---
 
 ## Database & Queries

package/.agent-context/review-checklists/pr-checklist.md

@@ -109,3 +109,8 @@ VERDICT: PASS / FAIL (X/Y items passed)
 - [ ] Performance/quality claims include source and timestamp
 - [ ] Acronyms are expanded on first use
 - [ ] Facts and assumptions are explicitly separated
+
+### 11. Context-Triggered Audit Mode
+- [ ] Strict audit mode activates automatically on review and PR-intent workflows
+- [ ] Small edits avoid heavy checks by default unless strict mode is explicitly requested
+- [ ] User can always force strict audit mode manually

package/.agent-context/review-checklists/security-audit.md

@@ -24,6 +24,12 @@ Output format:
 VERDICT: X findings (🔴 N critical, 🟠 N high, 🟡 N medium, 🟢 N low)
 ```
 
+## Context Trigger Policy
+
+- Strict security audit auto-runs for review requests, PR-intent workflows, and major feature completion.
+- Small edits default to lightweight mode unless strict mode is explicitly forced.
+- User can force strict mode manually at any time.
+
 ---
 
 ## A1: Injection (SQL, NoSQL, OS, LDAP)

package/.agent-context/rules/performance.md

@@ -7,6 +7,16 @@
 
 **Do NOT optimize without evidence.** CPU time is cheap. Developer time is expensive.
 
+## Context-Triggered Strict Audit Mode
+
+Strict performance audits must activate automatically for:
+- review requests
+- PR-intent workflows (pull request preparation and merge readiness)
+- major feature completion
+
+Small edits stay in lightweight mode by default to avoid unnecessary heavy checks.
+Users can always force strict performance mode manually.
+
 BUT — there are patterns so obviously bad that they don't need benchmarks to reject.
 Those are listed below as **Death Penalties**.
 

package/.agent-context/rules/security.md

@@ -7,6 +7,16 @@
 
 **ALL data crossing a system boundary is untrusted until validated.**
 
+## Context-Triggered Strict Audit Mode
+
+Strict security audits must activate automatically for:
+- review requests
+- PR-intent workflows (pull request preparation and merge readiness)
+- major feature completion
+
+Small edits stay in lightweight mode by default to avoid unnecessary heavy checks.
+Users can always force strict security mode manually.
+
 System boundaries include:
 - HTTP request bodies, query params, headers, cookies
 - URL path parameters

package/.agent-context/state/memory-continuity-benchmark.json

@@ -1,5 +1,5 @@
 {
-  "generatedAt": "2026-04-17T09:57:09.275Z",
+  "generatedAt": "2026-04-17T11:50:07.714Z",
   "reportName": "memory-continuity-benchmark",
   "schemaVersion": "1.0.0",
   "passed": true,

package/.cursorrules

@@ -1,6 +1,6 @@
 # AGENTIC-SENIOR-CORE DYNAMIC GOVERNANCE RULESET
 
-Generated by Agentic-Senior-Core CLI v2.5.12
+Generated by Agentic-Senior-Core CLI v2.5.13
 Timestamp: 2026-04-15T00:14:51.184Z
 Selected profile: beginner
 Selected policy file: .agent-context/policies/llm-judge-threshold.json

package/.windsurfrules

@@ -1,6 +1,6 @@
 # AGENTIC-SENIOR-CORE DYNAMIC GOVERNANCE RULESET
 
-Generated by Agentic-Senior-Core CLI v2.5.12
+Generated by Agentic-Senior-Core CLI v2.5.13
 Timestamp: 2026-04-15T00:14:51.184Z
 Selected profile: beginner
 Selected policy file: .agent-context/policies/llm-judge-threshold.json

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ryuenn3123/agentic-senior-core",
-  "version": "2.5.12",
+  "version": "2.5.13",
   "type": "module",
   "description": "Force your AI Agent to code like a Staff Engineer, not a Junior.",
   "bin": {
@@ -44,6 +44,7 @@
     "init": "node ./bin/agentic-senior-core.js init",
     "audit:frontend-usability": "node ./scripts/frontend-usability-audit.mjs",
     "audit:documentation-boundary": "node ./scripts/documentation-boundary-audit.mjs",
+    "audit:context-triggered": "node ./scripts/context-triggered-audit.mjs",
     "gate:release": "node ./scripts/release-gate.mjs && node ./scripts/forbidden-content-check.mjs",
     "prepublishOnly": "npm run gate:release",
     "sbom:generate": "node ./scripts/generate-sbom.mjs",

package/scripts/context-triggered-audit.mjs

@@ -0,0 +1,395 @@
+#!/usr/bin/env node
+
+/**
+ * context-triggered-audit.mjs
+ *
+ * Determines whether strict security/performance audits should run based on
+ * workflow context, changed scope size, and explicit user override.
+ */
+
+import { existsSync, readFileSync } from 'node:fs';
+import { execFileSync } from 'node:child_process';
+import { dirname, resolve } from 'node:path';
+import { fileURLToPath } from 'node:url';
+
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = dirname(__filename);
+const REPOSITORY_ROOT = resolve(__dirname, '..');
+
+const SECURITY_CHECKLIST_PATH = '.agent-context/review-checklists/security-audit.md';
+const PERFORMANCE_CHECKLIST_PATH = '.agent-context/review-checklists/performance-audit.md';
+const DEFAULT_WORKFLOW = 'auto';
+const SMALL_EDIT_MAX_FILES = 3;
+const MAJOR_FEATURE_MIN_SIGNIFICANT_FILES = 4;
+
+const STRICT_WORKFLOWS = new Set([
+  'review-request',
+  'pr-intent',
+  'pr-preparation',
+  'major-feature-completion',
+]);
+
+const SUPPORTED_WORKFLOWS = new Set([
+  DEFAULT_WORKFLOW,
+  ...STRICT_WORKFLOWS,
+  'small-edit',
+  'standard',
+]);
+
+const REQUIRED_SECURITY_CHECKLIST_SNIPPETS = [
+  '## Context Trigger Policy',
+  'Strict security audit auto-runs for review requests, PR-intent workflows, and major feature completion.',
+  'Small edits default to lightweight mode unless strict mode is explicitly forced.',
+  'User can force strict mode manually at any time.',
+];
+
+const REQUIRED_PERFORMANCE_CHECKLIST_SNIPPETS = [
+  '## Context Trigger Policy',
+  'Strict performance audit auto-runs for review requests, PR-intent workflows, and major feature completion.',
+  'Small edits default to lightweight mode unless strict mode is explicitly forced.',
+  'User can force strict mode manually at any time.',
+];
+
+function pushResult(results, isPassed, checkName, details) {
+  results.push({
+    checkName,
+    passed: isPassed,
+    details,
+  });
+}
+
+function normalizeFilePath(filePath) {
+  return filePath.replace(/\\/g, '/').replace(/^\.\//, '');
+}
+
+function parseGitFileList(rawOutput) {
+  if (typeof rawOutput !== 'string' || rawOutput.trim().length === 0) {
+    return [];
+  }
+
+  return rawOutput
+    .split(/\r?\n/)
+    .map((filePath) => filePath.trim())
+    .filter((filePath) => filePath.length > 0)
+    .map(normalizeFilePath);
+}
+
+function runGitFileQuery(commandArguments) {
+  try {
+    const rawOutput = execFileSync('git', commandArguments, {
+      cwd: REPOSITORY_ROOT,
+      encoding: 'utf8',
+      maxBuffer: 1024 * 1024,
+    });
+
+    return parseGitFileList(rawOutput);
+  } catch {
+    return [];
+  }
+}
+
+function uniqueSorted(filePaths) {
+  return Array.from(new Set(filePaths)).sort((leftPath, rightPath) => leftPath.localeCompare(rightPath));
+}
+
+function collectChangedFiles() {
+  const workingTreeFiles = runGitFileQuery(['diff', '--name-only']);
+  const stagedFiles = runGitFileQuery(['diff', '--name-only', '--cached']);
+  const workingScopeFiles = uniqueSorted([...workingTreeFiles, ...stagedFiles]);
+
+  if (workingScopeFiles.length > 0) {
+    return {
+      source: 'working-tree-and-index',
+      files: workingScopeFiles,
+    };
+  }
+
+  const latestCommitRangeFiles = runGitFileQuery(['diff', '--name-only', 'HEAD~1..HEAD']);
+  if (latestCommitRangeFiles.length > 0) {
+    return {
+      source: 'latest-commit-range',
+      files: uniqueSorted(latestCommitRangeFiles),
+    };
+  }
+
+  const headCommitFiles = runGitFileQuery(['show', '--pretty=format:', '--name-only', 'HEAD']);
+  if (headCommitFiles.length > 0) {
+    return {
+      source: 'head-commit',
+      files: uniqueSorted(headCommitFiles),
+    };
+  }
+
+  return {
+    source: 'none',
+    files: [],
+  };
+}
+
+function parseCliArguments(argumentList) {
+  let workflow = DEFAULT_WORKFLOW;
+  let strict = false;
+
+  for (let argumentIndex = 0; argumentIndex < argumentList.length; argumentIndex += 1) {
+    const argumentValue = argumentList[argumentIndex];
+
+    if (argumentValue === '--strict') {
+      strict = true;
+      continue;
+    }
+
+    if (argumentValue === '--workflow') {
+      const nextArgumentValue = argumentList[argumentIndex + 1];
+      if (nextArgumentValue && !nextArgumentValue.startsWith('--')) {
+        workflow = nextArgumentValue;
+        argumentIndex += 1;
+      }
+      continue;
+    }
+
+    if (argumentValue.startsWith('--workflow=')) {
+      workflow = argumentValue.slice('--workflow='.length);
+    }
+  }
+
+  const normalizedWorkflow = String(workflow).trim().toLowerCase() || DEFAULT_WORKFLOW;
+
+  return {
+    workflow: SUPPORTED_WORKFLOWS.has(normalizedWorkflow) ? normalizedWorkflow : DEFAULT_WORKFLOW,
+    strict,
+  };
+}
+
+function isLightweightFilePath(filePath) {
+  return filePath.endsWith('.md')
+    || filePath.startsWith('docs/')
+    || filePath.startsWith('.agent-context/review-checklists/')
+    || filePath.startsWith('.agent-context/rules/')
+    || filePath.startsWith('.agent-context/prompts/')
+    || filePath === 'CHANGELOG.md'
+    || filePath === 'README.md';
+}
+
+function countSignificantChangedFiles(changedFiles) {
+  return changedFiles.filter((filePath) => (
+    filePath.startsWith('bin/')
+    || filePath.startsWith('lib/')
+    || filePath.startsWith('scripts/')
+    || filePath.startsWith('tests/')
+  )).length;
+}
+
+function detectSmallEdit(changedFiles) {
+  const nonLightweightChangedFiles = changedFiles.filter((filePath) => !isLightweightFilePath(filePath));
+  return nonLightweightChangedFiles.length <= 1 && changedFiles.length <= SMALL_EDIT_MAX_FILES;
+}
+
+function detectMajorFeatureCompletion(changedFiles) {
+  const significantChangedFileCount = countSignificantChangedFiles(changedFiles);
+  return significantChangedFileCount >= MAJOR_FEATURE_MIN_SIGNIFICANT_FILES;
+}
+
+function detectReviewIntentFromEnvironment() {
+  const githubEventName = String(process.env.GITHUB_EVENT_NAME || '').toLowerCase();
+  const githubEventAction = String(process.env.GITHUB_EVENT_ACTION || '').toLowerCase();
+  const gitlabMergeRequestId = String(process.env.CI_MERGE_REQUEST_IID || '').trim();
+  const ciPullRequestMarker = String(process.env.CI_PULL_REQUEST || '').toLowerCase();
+  const auditWorkflowHint = String(process.env.AUDIT_WORKFLOW || '').toLowerCase();
+
+  if (githubEventName.includes('pull_request') || githubEventAction.includes('pull_request')) {
+    return true;
+  }
+
+  if (gitlabMergeRequestId.length > 0) {
+    return true;
+  }
+
+  if (ciPullRequestMarker === 'true' || ciPullRequestMarker === '1') {
+    return true;
+  }
+
+  return auditWorkflowHint.includes('review') || auditWorkflowHint.includes('pr');
+}
+
+function resolveAuditMode(options) {
+  const {
+    workflow,
+    manualForceStrict,
+    changedFiles,
+  } = options;
+
+  const smallEditDetected = detectSmallEdit(changedFiles);
+  const majorFeatureDetected = detectMajorFeatureCompletion(changedFiles);
+
+  if (manualForceStrict) {
+    return {
+      strictAuditMode: true,
+      triggerReason: 'manual-force-strict',
+      smallEditDetected,
+      majorFeatureDetected,
+    };
+  }
+
+  if (STRICT_WORKFLOWS.has(workflow)) {
+    return {
+      strictAuditMode: true,
+      triggerReason: `workflow-${workflow}`,
+      smallEditDetected,
+      majorFeatureDetected,
+    };
+  }
+
+  if (workflow === 'small-edit') {
+    return {
+      strictAuditMode: false,
+      triggerReason: 'workflow-small-edit-lightweight',
+      smallEditDetected: true,
+      majorFeatureDetected,
+    };
+  }
+
+  if (workflow === 'standard') {
+    return {
+      strictAuditMode: false,
+      triggerReason: 'workflow-standard-lightweight',
+      smallEditDetected,
+      majorFeatureDetected,
+    };
+  }
+
+  if (detectReviewIntentFromEnvironment()) {
+    return {
+      strictAuditMode: true,
+      triggerReason: 'auto-review-or-pr-intent',
+      smallEditDetected,
+      majorFeatureDetected,
+    };
+  }
+
+  if (majorFeatureDetected) {
+    return {
+      strictAuditMode: true,
+      triggerReason: 'auto-major-feature-completion',
+      smallEditDetected,
+      majorFeatureDetected,
+    };
+  }
+
+  if (smallEditDetected) {
+    return {
+      strictAuditMode: false,
+      triggerReason: 'auto-small-edit-lightweight',
+      smallEditDetected,
+      majorFeatureDetected,
+    };
+  }
+
+  return {
+    strictAuditMode: false,
+    triggerReason: 'auto-standard-lightweight',
+    smallEditDetected,
+    majorFeatureDetected,
+  };
+}
+
+function assertChecklist(checklistLabel, checklistPath, requiredSnippets, failures, results) {
+  const absoluteChecklistPath = resolve(REPOSITORY_ROOT, checklistPath);
+
+  if (!existsSync(absoluteChecklistPath)) {
+    failures.push(`Missing ${checklistLabel} checklist: ${checklistPath}`);
+    pushResult(results, false, `${checklistLabel}-checklist-exists`, `Missing ${checklistPath}`);
+    return;
+  }
+
+  pushResult(results, true, `${checklistLabel}-checklist-exists`, `${checklistPath} is present`);
+
+  const checklistContent = readFileSync(absoluteChecklistPath, 'utf8');
+  const missingChecklistSnippets = requiredSnippets.filter(
+    (requiredSnippet) => !checklistContent.includes(requiredSnippet)
+  );
+
+  if (missingChecklistSnippets.length > 0) {
+    failures.push(`Missing ${checklistLabel} checklist snippets: ${missingChecklistSnippets.join(', ')}`);
+    pushResult(
+      results,
+      false,
+      `${checklistLabel}-checklist-coverage`,
+      `Missing snippets in ${checklistPath}: ${missingChecklistSnippets.join(', ')}`
+    );
+    return;
+  }
+
+  pushResult(results, true, `${checklistLabel}-checklist-coverage`, `${checklistLabel} checklist snippets are complete`);
+}
+
+function runAudit() {
+  const parsedArguments = parseCliArguments(process.argv.slice(2));
+  const changedScope = collectChangedFiles();
+  const changedFiles = changedScope.files;
+
+  const auditMode = resolveAuditMode({
+    workflow: parsedArguments.workflow,
+    manualForceStrict: parsedArguments.strict,
+    changedFiles,
+  });
+
+  const results = [];
+  const failures = [];
+
+  pushResult(results, true, 'context-workflow', `workflow=${parsedArguments.workflow}`);
+  pushResult(
+    results,
+    true,
+    'manual-force-strict-flag',
+    parsedArguments.strict ? 'Manual strict mode requested' : 'Manual strict mode not requested'
+  );
+
+  if (auditMode.strictAuditMode) {
+    pushResult(results, true, 'strict-audit-activation', `Strict audit mode activated (${auditMode.triggerReason})`);
+
+    assertChecklist(
+      'security',
+      SECURITY_CHECKLIST_PATH,
+      REQUIRED_SECURITY_CHECKLIST_SNIPPETS,
+      failures,
+      results
+    );
+    assertChecklist(
+      'performance',
+      PERFORMANCE_CHECKLIST_PATH,
+      REQUIRED_PERFORMANCE_CHECKLIST_SNIPPETS,
+      failures,
+      results
+    );
+  } else {
+    pushResult(
+      results,
+      true,
+      'strict-audit-lightweight-mode',
+      `Strict audits skipped to avoid heavy mode (${auditMode.triggerReason})`
+    );
+  }
+
+  const reportPayload = {
+    generatedAt: new Date().toISOString(),
+    auditName: 'context-triggered-audit',
+    workflow: parsedArguments.workflow,
+    source: changedScope.source,
+    changedFileCount: changedFiles.length,
+    changedFiles,
+    userForcedStrictMode: parsedArguments.strict,
+    strictAuditMode: auditMode.strictAuditMode,
+    triggerReason: auditMode.triggerReason,
+    smallEditDetected: auditMode.smallEditDetected,
+    majorFeatureDetected: auditMode.majorFeatureDetected,
+    passed: failures.length === 0,
+    failureCount: failures.length,
+    failures,
+    results,
+  };
+
+  console.log(JSON.stringify(reportPayload, null, 2));
+  process.exit(reportPayload.passed ? 0 : 1);
+}
+
+runAudit();

package/scripts/release-gate.mjs

@@ -31,6 +31,7 @@ const FRONTEND_PARITY_CHECKLIST_PATH = '.agent-context/review-checklists/fronten
 const FRONTEND_EXCELLENCE_RUBRIC_PATH = '.agent-context/review-checklists/frontend-excellence-rubric.md';
 const FRONTEND_AUDIT_SCRIPT_PATH = 'scripts/frontend-usability-audit.mjs';
 const DOCUMENTATION_BOUNDARY_AUDIT_SCRIPT_PATH = 'scripts/documentation-boundary-audit.mjs';
+const CONTEXT_TRIGGERED_AUDIT_SCRIPT_PATH = 'scripts/context-triggered-audit.mjs';
 const BACKEND_ARCHITECTURE_RULE_PATH = '.agent-context/rules/architecture.md';
 const BACKEND_REVIEW_CHECKLIST_PATH = '.agent-context/review-checklists/pr-checklist.md';
 const REFACTOR_PROMPT_PATH = '.agent-context/prompts/refactor.md';
@@ -97,9 +98,9 @@ function parseMachineReadableReport(rawOutput) {
   }
 }
 
-function runMachineReadableScript(scriptRelativePath) {
+function runMachineReadableScript(scriptRelativePath, scriptArguments = []) {
   try {
-    const rawOutput = execFileSync('node', [scriptRelativePath], {
+    const rawOutput = execFileSync('node', [scriptRelativePath, ...scriptArguments], {
       cwd: REPOSITORY_ROOT,
       encoding: 'utf8',
       maxBuffer: 1024 * 1024,
@@ -376,6 +377,60 @@ function runReleaseGate() {
     }
   }
 
+  const contextTriggeredAuditExecution = runMachineReadableScript(
+    CONTEXT_TRIGGERED_AUDIT_SCRIPT_PATH,
+    ['--workflow', 'pr-preparation']
+  );
+  if (!contextTriggeredAuditExecution.report) {
+    const failureDetails = contextTriggeredAuditExecution.executionErrorMessage
+      ? `Context-triggered audit execution failed before producing a machine-readable report: ${contextTriggeredAuditExecution.executionErrorMessage}`
+      : 'Context-triggered audit did not produce machine-readable JSON output';
+    pushResult(results, false, 'context-triggered-audit', failureDetails);
+  } else {
+    diagnostics.contextTriggeredAudit = contextTriggeredAuditExecution.report;
+    pushResult(
+      results,
+      true,
+      'context-triggered-audit',
+      `context-triggered-audit executed (passed=${contextTriggeredAuditExecution.report.passed}, strict=${contextTriggeredAuditExecution.report.strictAuditMode}, failures=${contextTriggeredAuditExecution.report.failureCount})`
+    );
+
+    if (contextTriggeredAuditExecution.report.strictAuditMode === true) {
+      pushResult(
+        results,
+        true,
+        'context-triggered-strict-mode-auto',
+        `Strict audit mode activated automatically for workflow=${contextTriggeredAuditExecution.report.workflow}`
+      );
+    } else {
+      pushResult(
+        results,
+        false,
+        'context-triggered-strict-mode-auto',
+        `Strict audit mode was not activated for workflow=${contextTriggeredAuditExecution.report.workflow}`
+      );
+    }
+
+    if (contextTriggeredAuditExecution.report.passed === true) {
+      pushResult(
+        results,
+        true,
+        'context-triggered-security-performance-hard-rule',
+        'Context-triggered security and performance audit hard-rule passed'
+      );
+    } else {
+      const failedAuditDetails = Array.isArray(contextTriggeredAuditExecution.report.failures)
+        ? contextTriggeredAuditExecution.report.failures.join('; ')
+        : 'Unknown context-triggered audit failures';
+      pushResult(
+        results,
+        false,
+        'context-triggered-security-performance-hard-rule',
+        `Context-triggered audit failed: ${failedAuditDetails}`
+      );
+    }
+  }
+
   const frontendParityChecklistContent = readText(FRONTEND_PARITY_CHECKLIST_PATH);
   if (!frontendParityChecklistContent) {
     pushResult(results, false, 'frontend-parity-checklist-exists', `Missing ${FRONTEND_PARITY_CHECKLIST_PATH}`);

package/scripts/validate.mjs

@@ -172,6 +172,7 @@ async function validateRequiredFiles() {
     'scripts/mcp-server.mjs',
     'scripts/frontend-usability-audit.mjs',
     'scripts/documentation-boundary-audit.mjs',
+    'scripts/context-triggered-audit.mjs',
     'scripts/release-gate.mjs',
     'scripts/generate-sbom.mjs',
     'scripts/init-project.sh',