@ryuenn3123/agentic-senior-core 2.5.12 → 2.5.14

package/.agent-context/prompts/review-code.md

@@ -16,6 +16,8 @@ Use these checklists:
 3. Apply documentation scope rules exactly: This applies to documentation, release notes, onboarding text, review summaries, and agent-facing explanations.
 4. Treat scope-style findings as advisory unless they hide factual errors, contract mismatches, or non-negotiable violations.
 5. Enforce documentation hard blockers on changed boundaries: public surface changes, API contract changes, and database structure changes must include synchronized documentation updates.
+6. Enforce context-triggered strict audits: review requests, PR-intent workflows, and major feature completion must run strict security and performance audits; small edits stay lightweight unless strict mode is explicitly forced.
+7. Enforce cross-session consistency guardian: session handoff must include active architecture contract summary, drift detection must warn before direction changes, and direction changes require explicit user confirmation.
 
 For EVERY violation found:
 - State the exact file and line

package/.agent-context/review-checklists/performance-audit.md

@@ -11,6 +11,12 @@ Evaluate every item below. For each finding, rate impact:
 - **MEDIUM** — Wasted resources, fix in this sprint
 - **LOW** — Optimization opportunity, track for later
 
+## Context Trigger Policy
+
+- Strict performance audit auto-runs for review requests, PR-intent workflows, and major feature completion.
+- Small edits default to lightweight mode unless strict mode is explicitly forced.
+- User can force strict mode manually at any time.
+
 ---
 
 ## Database & Queries

package/.agent-context/review-checklists/pr-checklist.md

@@ -109,3 +109,13 @@ VERDICT: PASS / FAIL (X/Y items passed)
 - [ ] Performance/quality claims include source and timestamp
 - [ ] Acronyms are expanded on first use
 - [ ] Facts and assumptions are explicitly separated
+
+### 11. Context-Triggered Audit Mode
+- [ ] Strict audit mode activates automatically on review and PR-intent workflows
+- [ ] Small edits avoid heavy checks by default unless strict mode is explicitly requested
+- [ ] User can always force strict audit mode manually
+
+### 12. Rules as Guardian (Cross-Session Consistency)
+- [ ] Session handoff includes active architecture contract summary
+- [ ] Drift detection warns before direction changes
+- [ ] Direction changes require explicit user confirmation

package/.agent-context/review-checklists/security-audit.md

@@ -24,6 +24,12 @@ Output format:
 VERDICT: X findings (🔴 N critical, 🟠 N high, 🟡 N medium, 🟢 N low)
 ```
 
+## Context Trigger Policy
+
+- Strict security audit auto-runs for review requests, PR-intent workflows, and major feature completion.
+- Small edits default to lightweight mode unless strict mode is explicitly forced.
+- User can force strict mode manually at any time.
+
 ---
 
 ## A1: Injection (SQL, NoSQL, OS, LDAP)

package/.agent-context/rules/architecture.md

@@ -13,6 +13,16 @@ These principles are mandatory for backend and shared core modules.
 
 If a short and a clear implementation are functionally equivalent, choose the clear implementation.
 
+## Rules as Guardian (Cross-Session Consistency)
+
+These guardrails are mandatory to preserve architecture direction across sessions.
+
+- Session handoff must include active architecture contract summary.
+- Contract summary must include declared stack, blueprint, profile, and active core patterns.
+- Detect drift before changing declared stack or core patterns.
+- Direction changes require explicit user confirmation before applying changes.
+- When confirmation is provided, record the rationale in session notes or PR context.
+
 ## The Core Principle
 
 **Every layer has ONE job. Layer leaks are bugs — not "pragmatic shortcuts."**

package/.agent-context/rules/performance.md

@@ -7,6 +7,16 @@
 
 **Do NOT optimize without evidence.** CPU time is cheap. Developer time is expensive.
 
+## Context-Triggered Strict Audit Mode
+
+Strict performance audits must activate automatically for:
+- review requests
+- PR-intent workflows (pull request preparation and merge readiness)
+- major feature completion
+
+Small edits stay in lightweight mode by default to avoid unnecessary heavy checks.
+Users can always force strict performance mode manually.
+
 BUT — there are patterns so obviously bad that they don't need benchmarks to reject.
 Those are listed below as **Death Penalties**.
 

package/.agent-context/rules/security.md

@@ -7,6 +7,16 @@
 
 **ALL data crossing a system boundary is untrusted until validated.**
 
+## Context-Triggered Strict Audit Mode
+
+Strict security audits must activate automatically for:
+- review requests
+- PR-intent workflows (pull request preparation and merge readiness)
+- major feature completion
+
+Small edits stay in lightweight mode by default to avoid unnecessary heavy checks.
+Users can always force strict security mode manually.
+
 System boundaries include:
 - HTTP request bodies, query params, headers, cookies
 - URL path parameters

package/.agent-context/state/memory-continuity-benchmark.json

@@ -1,5 +1,5 @@
 {
-  "generatedAt": "2026-04-17T09:57:09.275Z",
+  "generatedAt": "2026-04-17T12:51:43.241Z",
   "reportName": "memory-continuity-benchmark",
   "schemaVersion": "1.0.0",
   "passed": true,

package/.cursorrules

@@ -1,6 +1,6 @@
 # AGENTIC-SENIOR-CORE DYNAMIC GOVERNANCE RULESET
 
-Generated by Agentic-Senior-Core CLI v2.5.12
+Generated by Agentic-Senior-Core CLI v2.5.14
 Timestamp: 2026-04-15T00:14:51.184Z
 Selected profile: beginner
 Selected policy file: .agent-context/policies/llm-judge-threshold.json

package/.windsurfrules

@@ -1,6 +1,6 @@
 # AGENTIC-SENIOR-CORE DYNAMIC GOVERNANCE RULESET
 
-Generated by Agentic-Senior-Core CLI v2.5.12
+Generated by Agentic-Senior-Core CLI v2.5.14
 Timestamp: 2026-04-15T00:14:51.184Z
 Selected profile: beginner
 Selected policy file: .agent-context/policies/llm-judge-threshold.json

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ryuenn3123/agentic-senior-core",
-  "version": "2.5.12",
+  "version": "2.5.14",
   "type": "module",
   "description": "Force your AI Agent to code like a Staff Engineer, not a Junior.",
   "bin": {
@@ -44,6 +44,8 @@
     "init": "node ./bin/agentic-senior-core.js init",
     "audit:frontend-usability": "node ./scripts/frontend-usability-audit.mjs",
     "audit:documentation-boundary": "node ./scripts/documentation-boundary-audit.mjs",
+    "audit:context-triggered": "node ./scripts/context-triggered-audit.mjs",
+    "audit:rules-guardian": "node ./scripts/rules-guardian-audit.mjs",
     "gate:release": "node ./scripts/release-gate.mjs && node ./scripts/forbidden-content-check.mjs",
     "prepublishOnly": "npm run gate:release",
     "sbom:generate": "node ./scripts/generate-sbom.mjs",

package/scripts/context-triggered-audit.mjs

@@ -0,0 +1,395 @@
+#!/usr/bin/env node
+
+/**
+ * context-triggered-audit.mjs
+ *
+ * Determines whether strict security/performance audits should run based on
+ * workflow context, changed scope size, and explicit user override.
+ */
+
+import { existsSync, readFileSync } from 'node:fs';
+import { execFileSync } from 'node:child_process';
+import { dirname, resolve } from 'node:path';
+import { fileURLToPath } from 'node:url';
+
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = dirname(__filename);
+const REPOSITORY_ROOT = resolve(__dirname, '..');
+
+const SECURITY_CHECKLIST_PATH = '.agent-context/review-checklists/security-audit.md';
+const PERFORMANCE_CHECKLIST_PATH = '.agent-context/review-checklists/performance-audit.md';
+const DEFAULT_WORKFLOW = 'auto';
+const SMALL_EDIT_MAX_FILES = 3;
+const MAJOR_FEATURE_MIN_SIGNIFICANT_FILES = 4;
+
+const STRICT_WORKFLOWS = new Set([
+  'review-request',
+  'pr-intent',
+  'pr-preparation',
+  'major-feature-completion',
+]);
+
+const SUPPORTED_WORKFLOWS = new Set([
+  DEFAULT_WORKFLOW,
+  ...STRICT_WORKFLOWS,
+  'small-edit',
+  'standard',
+]);
+
+const REQUIRED_SECURITY_CHECKLIST_SNIPPETS = [
+  '## Context Trigger Policy',
+  'Strict security audit auto-runs for review requests, PR-intent workflows, and major feature completion.',
+  'Small edits default to lightweight mode unless strict mode is explicitly forced.',
+  'User can force strict mode manually at any time.',
+];
+
+const REQUIRED_PERFORMANCE_CHECKLIST_SNIPPETS = [
+  '## Context Trigger Policy',
+  'Strict performance audit auto-runs for review requests, PR-intent workflows, and major feature completion.',
+  'Small edits default to lightweight mode unless strict mode is explicitly forced.',
+  'User can force strict mode manually at any time.',
+];
+
+function pushResult(results, isPassed, checkName, details) {
+  results.push({
+    checkName,
+    passed: isPassed,
+    details,
+  });
+}
+
+function normalizeFilePath(filePath) {
+  return filePath.replace(/\\/g, '/').replace(/^\.\//, '');
+}
+
+function parseGitFileList(rawOutput) {
+  if (typeof rawOutput !== 'string' || rawOutput.trim().length === 0) {
+    return [];
+  }
+
+  return rawOutput
+    .split(/\r?\n/)
+    .map((filePath) => filePath.trim())
+    .filter((filePath) => filePath.length > 0)
+    .map(normalizeFilePath);
+}
+
+function runGitFileQuery(commandArguments) {
+  try {
+    const rawOutput = execFileSync('git', commandArguments, {
+      cwd: REPOSITORY_ROOT,
+      encoding: 'utf8',
+      maxBuffer: 1024 * 1024,
+    });
+
+    return parseGitFileList(rawOutput);
+  } catch {
+    return [];
+  }
+}
+
+function uniqueSorted(filePaths) {
+  return Array.from(new Set(filePaths)).sort((leftPath, rightPath) => leftPath.localeCompare(rightPath));
+}
+
+function collectChangedFiles() {
+  const workingTreeFiles = runGitFileQuery(['diff', '--name-only']);
+  const stagedFiles = runGitFileQuery(['diff', '--name-only', '--cached']);
+  const workingScopeFiles = uniqueSorted([...workingTreeFiles, ...stagedFiles]);
+
+  if (workingScopeFiles.length > 0) {
+    return {
+      source: 'working-tree-and-index',
+      files: workingScopeFiles,
+    };
+  }
+
+  const latestCommitRangeFiles = runGitFileQuery(['diff', '--name-only', 'HEAD~1..HEAD']);
+  if (latestCommitRangeFiles.length > 0) {
+    return {
+      source: 'latest-commit-range',
+      files: uniqueSorted(latestCommitRangeFiles),
+    };
+  }
+
+  const headCommitFiles = runGitFileQuery(['show', '--pretty=format:', '--name-only', 'HEAD']);
+  if (headCommitFiles.length > 0) {
+    return {
+      source: 'head-commit',
+      files: uniqueSorted(headCommitFiles),
+    };
+  }
+
+  return {
+    source: 'none',
+    files: [],
+  };
+}
+
+function parseCliArguments(argumentList) {
+  let workflow = DEFAULT_WORKFLOW;
+  let strict = false;
+
+  for (let argumentIndex = 0; argumentIndex < argumentList.length; argumentIndex += 1) {
+    const argumentValue = argumentList[argumentIndex];
+
+    if (argumentValue === '--strict') {
+      strict = true;
+      continue;
+    }
+
+    if (argumentValue === '--workflow') {
+      const nextArgumentValue = argumentList[argumentIndex + 1];
+      if (nextArgumentValue && !nextArgumentValue.startsWith('--')) {
+        workflow = nextArgumentValue;
+        argumentIndex += 1;
+      }
+      continue;
+    }
+
+    if (argumentValue.startsWith('--workflow=')) {
+      workflow = argumentValue.slice('--workflow='.length);
+    }
+  }
+
+  const normalizedWorkflow = String(workflow).trim().toLowerCase() || DEFAULT_WORKFLOW;
+
+  return {
+    workflow: SUPPORTED_WORKFLOWS.has(normalizedWorkflow) ? normalizedWorkflow : DEFAULT_WORKFLOW,
+    strict,
+  };
+}
+
+function isLightweightFilePath(filePath) {
+  return filePath.endsWith('.md')
+    || filePath.startsWith('docs/')
+    || filePath.startsWith('.agent-context/review-checklists/')
+    || filePath.startsWith('.agent-context/rules/')
+    || filePath.startsWith('.agent-context/prompts/')
+    || filePath === 'CHANGELOG.md'
+    || filePath === 'README.md';
+}
+
+function countSignificantChangedFiles(changedFiles) {
+  return changedFiles.filter((filePath) => (
+    filePath.startsWith('bin/')
+    || filePath.startsWith('lib/')
+    || filePath.startsWith('scripts/')
+    || filePath.startsWith('tests/')
+  )).length;
+}
+
+function detectSmallEdit(changedFiles) {
+  const nonLightweightChangedFiles = changedFiles.filter((filePath) => !isLightweightFilePath(filePath));
+  return nonLightweightChangedFiles.length <= 1 && changedFiles.length <= SMALL_EDIT_MAX_FILES;
+}
+
+function detectMajorFeatureCompletion(changedFiles) {
+  const significantChangedFileCount = countSignificantChangedFiles(changedFiles);
+  return significantChangedFileCount >= MAJOR_FEATURE_MIN_SIGNIFICANT_FILES;
+}
+
+function detectReviewIntentFromEnvironment() {
+  const githubEventName = String(process.env.GITHUB_EVENT_NAME || '').toLowerCase();
+  const githubEventAction = String(process.env.GITHUB_EVENT_ACTION || '').toLowerCase();
+  const gitlabMergeRequestId = String(process.env.CI_MERGE_REQUEST_IID || '').trim();
+  const ciPullRequestMarker = String(process.env.CI_PULL_REQUEST || '').toLowerCase();
+  const auditWorkflowHint = String(process.env.AUDIT_WORKFLOW || '').toLowerCase();
+
+  if (githubEventName.includes('pull_request') || githubEventAction.includes('pull_request')) {
+    return true;
+  }
+
+  if (gitlabMergeRequestId.length > 0) {
+    return true;
+  }
+
+  if (ciPullRequestMarker === 'true' || ciPullRequestMarker === '1') {
+    return true;
+  }
+
+  return auditWorkflowHint.includes('review') || auditWorkflowHint.includes('pr');
+}
+
+function resolveAuditMode(options) {
+  const {
+    workflow,
+    manualForceStrict,
+    changedFiles,
+  } = options;
+
+  const smallEditDetected = detectSmallEdit(changedFiles);
+  const majorFeatureDetected = detectMajorFeatureCompletion(changedFiles);
+
+  if (manualForceStrict) {
+    return {
+      strictAuditMode: true,
+      triggerReason: 'manual-force-strict',
+      smallEditDetected,
+      majorFeatureDetected,
+    };
+  }
+
+  if (STRICT_WORKFLOWS.has(workflow)) {
+    return {
+      strictAuditMode: true,
+      triggerReason: `workflow-${workflow}`,
+      smallEditDetected,
+      majorFeatureDetected,
+    };
+  }
+
+  if (workflow === 'small-edit') {
+    return {
+      strictAuditMode: false,
+      triggerReason: 'workflow-small-edit-lightweight',
+      smallEditDetected: true,
+      majorFeatureDetected,
+    };
+  }
+
+  if (workflow === 'standard') {
+    return {
+      strictAuditMode: false,
+      triggerReason: 'workflow-standard-lightweight',
+      smallEditDetected,
+      majorFeatureDetected,
+    };
+  }
+
+  if (detectReviewIntentFromEnvironment()) {
+    return {
+      strictAuditMode: true,
+      triggerReason: 'auto-review-or-pr-intent',
+      smallEditDetected,
+      majorFeatureDetected,
+    };
+  }
+
+  if (majorFeatureDetected) {
+    return {
+      strictAuditMode: true,
+      triggerReason: 'auto-major-feature-completion',
+      smallEditDetected,
+      majorFeatureDetected,
+    };
+  }
+
+  if (smallEditDetected) {
+    return {
+      strictAuditMode: false,
+      triggerReason: 'auto-small-edit-lightweight',
+      smallEditDetected,
+      majorFeatureDetected,
+    };
+  }
+
+  return {
+    strictAuditMode: false,
+    triggerReason: 'auto-standard-lightweight',
+    smallEditDetected,
+    majorFeatureDetected,
+  };
+}
+
+function assertChecklist(checklistLabel, checklistPath, requiredSnippets, failures, results) {
+  const absoluteChecklistPath = resolve(REPOSITORY_ROOT, checklistPath);
+
+  if (!existsSync(absoluteChecklistPath)) {
+    failures.push(`Missing ${checklistLabel} checklist: ${checklistPath}`);
+    pushResult(results, false, `${checklistLabel}-checklist-exists`, `Missing ${checklistPath}`);
+    return;
+  }
+
+  pushResult(results, true, `${checklistLabel}-checklist-exists`, `${checklistPath} is present`);
+
+  const checklistContent = readFileSync(absoluteChecklistPath, 'utf8');
+  const missingChecklistSnippets = requiredSnippets.filter(
+    (requiredSnippet) => !checklistContent.includes(requiredSnippet)
+  );
+
+  if (missingChecklistSnippets.length > 0) {
+    failures.push(`Missing ${checklistLabel} checklist snippets: ${missingChecklistSnippets.join(', ')}`);
+    pushResult(
+      results,
+      false,
+      `${checklistLabel}-checklist-coverage`,
+      `Missing snippets in ${checklistPath}: ${missingChecklistSnippets.join(', ')}`
+    );
+    return;
+  }
+
+  pushResult(results, true, `${checklistLabel}-checklist-coverage`, `${checklistLabel} checklist snippets are complete`);
+}
+
+function runAudit() {
+  const parsedArguments = parseCliArguments(process.argv.slice(2));
+  const changedScope = collectChangedFiles();
+  const changedFiles = changedScope.files;
+
+  const auditMode = resolveAuditMode({
+    workflow: parsedArguments.workflow,
+    manualForceStrict: parsedArguments.strict,
+    changedFiles,
+  });
+
+  const results = [];
+  const failures = [];
+
+  pushResult(results, true, 'context-workflow', `workflow=${parsedArguments.workflow}`);
+  pushResult(
+    results,
+    true,
+    'manual-force-strict-flag',
+    parsedArguments.strict ? 'Manual strict mode requested' : 'Manual strict mode not requested'
+  );
+
+  if (auditMode.strictAuditMode) {
+    pushResult(results, true, 'strict-audit-activation', `Strict audit mode activated (${auditMode.triggerReason})`);
+
+    assertChecklist(
+      'security',
+      SECURITY_CHECKLIST_PATH,
+      REQUIRED_SECURITY_CHECKLIST_SNIPPETS,
+      failures,
+      results
+    );
+    assertChecklist(
+      'performance',
+      PERFORMANCE_CHECKLIST_PATH,
+      REQUIRED_PERFORMANCE_CHECKLIST_SNIPPETS,
+      failures,
+      results
+    );
+  } else {
+    pushResult(
+      results,
+      true,
+      'strict-audit-lightweight-mode',
+      `Strict audits skipped to avoid heavy mode (${auditMode.triggerReason})`
+    );
+  }
+
+  const reportPayload = {
+    generatedAt: new Date().toISOString(),
+    auditName: 'context-triggered-audit',
+    workflow: parsedArguments.workflow,
+    source: changedScope.source,
+    changedFileCount: changedFiles.length,
+    changedFiles,
+    userForcedStrictMode: parsedArguments.strict,
+    strictAuditMode: auditMode.strictAuditMode,
+    triggerReason: auditMode.triggerReason,
+    smallEditDetected: auditMode.smallEditDetected,
+    majorFeatureDetected: auditMode.majorFeatureDetected,
+    passed: failures.length === 0,
+    failureCount: failures.length,
+    failures,
+    results,
+  };
+
+  console.log(JSON.stringify(reportPayload, null, 2));
+  process.exit(reportPayload.passed ? 0 : 1);
+}
+
+runAudit();

package/scripts/release-gate.mjs

@@ -31,6 +31,8 @@ const FRONTEND_PARITY_CHECKLIST_PATH = '.agent-context/review-checklists/fronten
 const FRONTEND_EXCELLENCE_RUBRIC_PATH = '.agent-context/review-checklists/frontend-excellence-rubric.md';
 const FRONTEND_AUDIT_SCRIPT_PATH = 'scripts/frontend-usability-audit.mjs';
 const DOCUMENTATION_BOUNDARY_AUDIT_SCRIPT_PATH = 'scripts/documentation-boundary-audit.mjs';
+const CONTEXT_TRIGGERED_AUDIT_SCRIPT_PATH = 'scripts/context-triggered-audit.mjs';
+const RULES_GUARDIAN_AUDIT_SCRIPT_PATH = 'scripts/rules-guardian-audit.mjs';
 const BACKEND_ARCHITECTURE_RULE_PATH = '.agent-context/rules/architecture.md';
 const BACKEND_REVIEW_CHECKLIST_PATH = '.agent-context/review-checklists/pr-checklist.md';
 const REFACTOR_PROMPT_PATH = '.agent-context/prompts/refactor.md';
@@ -97,9 +99,9 @@ function parseMachineReadableReport(rawOutput) {
   }
 }
 
-function runMachineReadableScript(scriptRelativePath) {
+function runMachineReadableScript(scriptRelativePath, scriptArguments = []) {
   try {
-    const rawOutput = execFileSync('node', [scriptRelativePath], {
+    const rawOutput = execFileSync('node', [scriptRelativePath, ...scriptArguments], {
       cwd: REPOSITORY_ROOT,
       encoding: 'utf8',
       maxBuffer: 1024 * 1024,
@@ -376,6 +378,137 @@ function runReleaseGate() {
     }
   }
 
+  const contextTriggeredAuditExecution = runMachineReadableScript(
+    CONTEXT_TRIGGERED_AUDIT_SCRIPT_PATH,
+    ['--workflow', 'pr-preparation']
+  );
+  if (!contextTriggeredAuditExecution.report) {
+    const failureDetails = contextTriggeredAuditExecution.executionErrorMessage
+      ? `Context-triggered audit execution failed before producing a machine-readable report: ${contextTriggeredAuditExecution.executionErrorMessage}`
+      : 'Context-triggered audit did not produce machine-readable JSON output';
+    pushResult(results, false, 'context-triggered-audit', failureDetails);
+  } else {
+    diagnostics.contextTriggeredAudit = contextTriggeredAuditExecution.report;
+    pushResult(
+      results,
+      true,
+      'context-triggered-audit',
+      `context-triggered-audit executed (passed=${contextTriggeredAuditExecution.report.passed}, strict=${contextTriggeredAuditExecution.report.strictAuditMode}, failures=${contextTriggeredAuditExecution.report.failureCount})`
+    );
+
+    if (contextTriggeredAuditExecution.report.strictAuditMode === true) {
+      pushResult(
+        results,
+        true,
+        'context-triggered-strict-mode-auto',
+        `Strict audit mode activated automatically for workflow=${contextTriggeredAuditExecution.report.workflow}`
+      );
+    } else {
+      pushResult(
+        results,
+        false,
+        'context-triggered-strict-mode-auto',
+        `Strict audit mode was not activated for workflow=${contextTriggeredAuditExecution.report.workflow}`
+      );
+    }
+
+    if (contextTriggeredAuditExecution.report.passed === true) {
+      pushResult(
+        results,
+        true,
+        'context-triggered-security-performance-hard-rule',
+        'Context-triggered security and performance audit hard-rule passed'
+      );
+    } else {
+      const failedAuditDetails = Array.isArray(contextTriggeredAuditExecution.report.failures)
+        ? contextTriggeredAuditExecution.report.failures.join('; ')
+        : 'Unknown context-triggered audit failures';
+      pushResult(
+        results,
+        false,
+        'context-triggered-security-performance-hard-rule',
+        `Context-triggered audit failed: ${failedAuditDetails}`
+      );
+    }
+  }
+
+  const rulesGuardianAuditExecution = runMachineReadableScript(
+    RULES_GUARDIAN_AUDIT_SCRIPT_PATH,
+    ['--workflow', 'pr-preparation']
+  );
+  if (!rulesGuardianAuditExecution.report) {
+    const failureDetails = rulesGuardianAuditExecution.executionErrorMessage
+      ? `Rules guardian audit execution failed before producing a machine-readable report: ${rulesGuardianAuditExecution.executionErrorMessage}`
+      : 'Rules guardian audit did not produce machine-readable JSON output';
+    pushResult(results, false, 'rules-guardian-audit', failureDetails);
+  } else {
+    diagnostics.rulesGuardianAudit = rulesGuardianAuditExecution.report;
+    pushResult(
+      results,
+      true,
+      'rules-guardian-audit',
+      `rules-guardian-audit executed (passed=${rulesGuardianAuditExecution.report.passed}, driftDetected=${rulesGuardianAuditExecution.report?.driftDetection?.driftDetected}, failures=${rulesGuardianAuditExecution.report.failureCount})`
+    );
+
+    const sessionHandoffSummary = rulesGuardianAuditExecution.report?.sessionHandoff?.contractSummary;
+    const sessionHandoffIncluded = rulesGuardianAuditExecution.report?.sessionHandoff?.included === true
+      && typeof sessionHandoffSummary === 'string'
+      && sessionHandoffSummary.trim().length > 0;
+
+    if (sessionHandoffIncluded) {
+      pushResult(
+        results,
+        true,
+        'rules-guardian-session-handoff',
+        'Session handoff includes active architecture contract summary'
+      );
+    } else {
+      pushResult(
+        results,
+        false,
+        'rules-guardian-session-handoff',
+        'Rules guardian report is missing session handoff architecture contract summary'
+      );
+    }
+
+    const requiresExplicitConfirmation = rulesGuardianAuditExecution.report?.confirmationPolicy?.requiresExplicitUserConfirmation === true;
+
+    if (requiresExplicitConfirmation) {
+      pushResult(
+        results,
+        true,
+        'rules-guardian-confirmation-policy',
+        'Direction change policy requires explicit user confirmation'
+      );
+    } else {
+      pushResult(
+        results,
+        false,
+        'rules-guardian-confirmation-policy',
+        'Rules guardian report does not enforce explicit user confirmation policy'
+      );
+    }
+
+    if (rulesGuardianAuditExecution.report.passed === true) {
+      pushResult(
+        results,
+        true,
+        'rules-guardian-drift-confirmation',
+        'Rules guardian drift detection and confirmation checks passed'
+      );
+    } else {
+      const failedAuditDetails = Array.isArray(rulesGuardianAuditExecution.report.failures)
+        ? rulesGuardianAuditExecution.report.failures.join('; ')
+        : 'Unknown rules guardian audit failures';
+      pushResult(
+        results,
+        false,
+        'rules-guardian-drift-confirmation',
+        `Rules guardian audit failed: ${failedAuditDetails}`
+      );
+    }
+  }
+
   const frontendParityChecklistContent = readText(FRONTEND_PARITY_CHECKLIST_PATH);
   if (!frontendParityChecklistContent) {
     pushResult(results, false, 'frontend-parity-checklist-exists', `Missing ${FRONTEND_PARITY_CHECKLIST_PATH}`);

package/scripts/rules-guardian-audit.mjs

@@ -0,0 +1,576 @@
+#!/usr/bin/env node
+
+/**
+ * rules-guardian-audit.mjs
+ *
+ * Cross-session consistency audit for architecture direction.
+ * Ensures session handoff contains an active architecture contract summary,
+ * detects direction drift, and requires explicit user confirmation before
+ * direction changes are applied.
+ */
+
+import { existsSync, readFileSync } from 'node:fs';
+import { execFileSync } from 'node:child_process';
+import { dirname, resolve } from 'node:path';
+import { fileURLToPath } from 'node:url';
+
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = dirname(__filename);
+const REPOSITORY_ROOT = resolve(__dirname, '..');
+
+const ONBOARDING_REPORT_PATH = '.agent-context/state/onboarding-report.json';
+const ARCHITECTURE_RULE_PATH = '.agent-context/rules/architecture.md';
+const PR_CHECKLIST_PATH = '.agent-context/review-checklists/pr-checklist.md';
+const REVIEW_PROMPT_PATH = '.agent-context/prompts/review-code.md';
+
+const DEFAULT_WORKFLOW = 'standard';
+const SUPPORTED_WORKFLOWS = new Set([
+  'auto',
+  'standard',
+  'review-request',
+  'pr-preparation',
+  'session-handoff',
+  'direction-change',
+]);
+
+const CORE_PATTERN_SIGNALS = [
+  {
+    pattern: 'layer-separation',
+    snippet: 'Every layer has ONE job.',
+  },
+  {
+    pattern: 'modular-monolith-default',
+    snippet: 'Default Architecture: Modular Monolith',
+  },
+  {
+    pattern: 'feature-based-grouping',
+    snippet: 'Project Structure: Feature-Based Grouping',
+  },
+  {
+    pattern: 'rules-as-guardian-cross-session',
+    snippet: 'Rules as Guardian (Cross-Session Consistency)',
+  },
+];
+
+const REQUIRED_ARCHITECTURE_RULE_SNIPPETS = [
+  '## Rules as Guardian (Cross-Session Consistency)',
+  'Session handoff must include active architecture contract summary.',
+  'Detect drift before changing declared stack or core patterns.',
+  'Direction changes require explicit user confirmation before applying changes.',
+];
+
+const REQUIRED_PR_CHECKLIST_SNIPPETS = [
+  'Session handoff includes active architecture contract summary',
+  'Drift detection warns before direction changes',
+  'Direction changes require explicit user confirmation',
+];
+
+const REQUIRED_REVIEW_PROMPT_SNIPPETS = [
+  'Enforce cross-session consistency guardian: session handoff must include active architecture contract summary, drift detection must warn before direction changes, and direction changes require explicit user confirmation.',
+];
+
+function pushResult(results, isPassed, checkName, details) {
+  results.push({
+    checkName,
+    passed: isPassed,
+    details,
+  });
+}
+
+function normalizeFilePath(filePath) {
+  return filePath.replace(/\\/g, '/').replace(/^\.\//, '');
+}
+
+function parseGitFileList(rawOutput) {
+  if (typeof rawOutput !== 'string' || rawOutput.trim().length === 0) {
+    return [];
+  }
+
+  return rawOutput
+    .split(/\r?\n/)
+    .map((filePath) => filePath.trim())
+    .filter((filePath) => filePath.length > 0)
+    .map(normalizeFilePath);
+}
+
+function runGitFileQuery(commandArguments) {
+  try {
+    const rawOutput = execFileSync('git', commandArguments, {
+      cwd: REPOSITORY_ROOT,
+      encoding: 'utf8',
+      maxBuffer: 1024 * 1024,
+    });
+
+    return parseGitFileList(rawOutput);
+  } catch {
+    return [];
+  }
+}
+
+function runGitRawQuery(commandArguments) {
+  try {
+    return execFileSync('git', commandArguments, {
+      cwd: REPOSITORY_ROOT,
+      encoding: 'utf8',
+      maxBuffer: 1024 * 1024,
+    });
+  } catch {
+    return '';
+  }
+}
+
+function uniqueSorted(filePaths) {
+  return Array.from(new Set(filePaths)).sort((leftPath, rightPath) => leftPath.localeCompare(rightPath));
+}
+
+function collectChangedFiles() {
+  const workingTreeFiles = runGitFileQuery(['diff', '--name-only']);
+  const stagedFiles = runGitFileQuery(['diff', '--name-only', '--cached']);
+  const workingScopeFiles = uniqueSorted([...workingTreeFiles, ...stagedFiles]);
+
+  if (workingScopeFiles.length > 0) {
+    return {
+      source: 'working-tree-and-index',
+      files: workingScopeFiles,
+    };
+  }
+
+  const latestCommitRangeFiles = runGitFileQuery(['diff', '--name-only', 'HEAD~1..HEAD']);
+  if (latestCommitRangeFiles.length > 0) {
+    return {
+      source: 'latest-commit-range',
+      files: uniqueSorted(latestCommitRangeFiles),
+    };
+  }
+
+  const headCommitFiles = runGitFileQuery(['show', '--pretty=format:', '--name-only', 'HEAD']);
+  if (headCommitFiles.length > 0) {
+    return {
+      source: 'head-commit',
+      files: uniqueSorted(headCommitFiles),
+    };
+  }
+
+  return {
+    source: 'none',
+    files: [],
+  };
+}
+
+function readText(relativeFilePath) {
+  const absolutePath = resolve(REPOSITORY_ROOT, relativeFilePath);
+  if (!existsSync(absolutePath)) {
+    return '';
+  }
+
+  return readFileSync(absolutePath, 'utf8');
+}
+
+function readPreviousRevisionText(relativeFilePath) {
+  const rawOutput = runGitRawQuery(['show', `HEAD~1:${relativeFilePath}`]);
+  return typeof rawOutput === 'string' && rawOutput.length > 0
+    ? rawOutput
+    : '';
+}
+
+function parseOnboardingReport(onboardingReportContent) {
+  if (typeof onboardingReportContent !== 'string' || onboardingReportContent.trim().length === 0) {
+    return null;
+  }
+
+  try {
+    return JSON.parse(onboardingReportContent);
+  } catch {
+    return null;
+  }
+}
+
+function normalizeCorePatterns(corePatterns) {
+  if (!Array.isArray(corePatterns)) {
+    return [];
+  }
+
+  return Array.from(new Set(corePatterns
+    .map((patternValue) => String(patternValue || '').trim().toLowerCase())
+    .filter((patternValue) => patternValue.length > 0))).sort((leftValue, rightValue) => (
+    leftValue.localeCompare(rightValue)
+  ));
+}
+
+function detectCorePatterns(architectureRuleContent) {
+  return CORE_PATTERN_SIGNALS
+    .filter((signalEntry) => architectureRuleContent.includes(signalEntry.snippet))
+    .map((signalEntry) => signalEntry.pattern);
+}
+
+function parseCliArguments(argumentList) {
+  let workflow = DEFAULT_WORKFLOW;
+  let confirmDirectionChange = false;
+  let proposedStack = '';
+  let proposedBlueprint = '';
+  let proposedCorePatterns = [];
+
+  for (let argumentIndex = 0; argumentIndex < argumentList.length; argumentIndex += 1) {
+    const argumentValue = argumentList[argumentIndex];
+
+    if (argumentValue === '--confirm-direction-change') {
+      confirmDirectionChange = true;
+      continue;
+    }
+
+    if (argumentValue === '--workflow') {
+      const nextArgumentValue = argumentList[argumentIndex + 1];
+      if (nextArgumentValue && !nextArgumentValue.startsWith('--')) {
+        workflow = nextArgumentValue;
+        argumentIndex += 1;
+      }
+      continue;
+    }
+
+    if (argumentValue.startsWith('--workflow=')) {
+      workflow = argumentValue.slice('--workflow='.length);
+      continue;
+    }
+
+    if (argumentValue === '--proposed-stack') {
+      const nextArgumentValue = argumentList[argumentIndex + 1];
+      if (nextArgumentValue && !nextArgumentValue.startsWith('--')) {
+        proposedStack = nextArgumentValue;
+        argumentIndex += 1;
+      }
+      continue;
+    }
+
+    if (argumentValue.startsWith('--proposed-stack=')) {
+      proposedStack = argumentValue.slice('--proposed-stack='.length);
+      continue;
+    }
+
+    if (argumentValue === '--proposed-blueprint') {
+      const nextArgumentValue = argumentList[argumentIndex + 1];
+      if (nextArgumentValue && !nextArgumentValue.startsWith('--')) {
+        proposedBlueprint = nextArgumentValue;
+        argumentIndex += 1;
+      }
+      continue;
+    }
+
+    if (argumentValue.startsWith('--proposed-blueprint=')) {
+      proposedBlueprint = argumentValue.slice('--proposed-blueprint='.length);
+      continue;
+    }
+
+    if (argumentValue === '--proposed-core-patterns') {
+      const nextArgumentValue = argumentList[argumentIndex + 1];
+      if (nextArgumentValue && !nextArgumentValue.startsWith('--')) {
+        proposedCorePatterns = nextArgumentValue.split(',');
+        argumentIndex += 1;
+      }
+      continue;
+    }
+
+    if (argumentValue.startsWith('--proposed-core-patterns=')) {
+      proposedCorePatterns = argumentValue.slice('--proposed-core-patterns='.length).split(',');
+    }
+  }
+
+  const normalizedWorkflow = String(workflow).trim().toLowerCase() || DEFAULT_WORKFLOW;
+
+  return {
+    workflow: SUPPORTED_WORKFLOWS.has(normalizedWorkflow) ? normalizedWorkflow : DEFAULT_WORKFLOW,
+    confirmDirectionChange,
+    proposedStack: String(proposedStack || '').trim(),
+    proposedBlueprint: String(proposedBlueprint || '').trim(),
+    proposedCorePatterns: normalizeCorePatterns(proposedCorePatterns),
+  };
+}
+
+function parseBooleanFromEnvironment(rawEnvironmentValue) {
+  const normalizedEnvironmentValue = String(rawEnvironmentValue || '').trim().toLowerCase();
+  return normalizedEnvironmentValue === '1'
+    || normalizedEnvironmentValue === 'true'
+    || normalizedEnvironmentValue === 'yes'
+    || normalizedEnvironmentValue === 'y';
+}
+
+function buildArchitectureContract(onboardingReport, corePatterns) {
+  return {
+    stack: String(onboardingReport?.selectedStack || 'unknown').trim() || 'unknown',
+    blueprint: String(onboardingReport?.selectedBlueprint || 'unknown').trim() || 'unknown',
+    profile: String(onboardingReport?.selectedProfile || 'unknown').trim() || 'unknown',
+    corePatterns: normalizeCorePatterns(corePatterns),
+  };
+}
+
+function toComparableContractValue(value) {
+  if (Array.isArray(value)) {
+    return normalizeCorePatterns(value).join(',');
+  }
+
+  return String(value || '').trim();
+}
+
+function detectContractDrift(baseContract, targetContract, driftSource) {
+  const driftItems = [];
+  const fieldNames = ['stack', 'blueprint', 'profile', 'corePatterns'];
+
+  for (const fieldName of fieldNames) {
+    const baseValue = toComparableContractValue(baseContract?.[fieldName]);
+    const targetValue = toComparableContractValue(targetContract?.[fieldName]);
+
+    if (baseValue !== targetValue) {
+      driftItems.push({
+        field: fieldName,
+        from: baseValue,
+        to: targetValue,
+        source: driftSource,
+      });
+    }
+  }
+
+  return driftItems;
+}
+
+function buildSessionHandoffSummary(architectureContract) {
+  const corePatternsSummary = architectureContract.corePatterns.length > 0
+    ? architectureContract.corePatterns.join(', ')
+    : 'none';
+
+  return `Architecture contract summary: stack=${architectureContract.stack}, blueprint=${architectureContract.blueprint}, profile=${architectureContract.profile}, corePatterns=${corePatternsSummary}.`;
+}
+
+function assertSnippetCoverage(sourceLabel, sourcePath, requiredSnippets, failures, results) {
+  const sourceContent = readText(sourcePath);
+
+  if (!sourceContent) {
+    failures.push(`Missing ${sourceLabel} source: ${sourcePath}`);
+    pushResult(results, false, `${sourceLabel}-source-exists`, `Missing ${sourcePath}`);
+    return;
+  }
+
+  pushResult(results, true, `${sourceLabel}-source-exists`, `${sourcePath} is present`);
+
+  const missingSnippets = requiredSnippets.filter((requiredSnippet) => !sourceContent.includes(requiredSnippet));
+
+  if (missingSnippets.length > 0) {
+    failures.push(`Missing ${sourceLabel} snippets: ${missingSnippets.join(', ')}`);
+    pushResult(
+      results,
+      false,
+      `${sourceLabel}-source-coverage`,
+      `Missing snippets in ${sourcePath}: ${missingSnippets.join(', ')}`
+    );
+    return;
+  }
+
+  pushResult(results, true, `${sourceLabel}-source-coverage`, `${sourceLabel} snippets are complete`);
+}
+
+function runAudit() {
+  const parsedArguments = parseCliArguments(process.argv.slice(2));
+  const changedScope = collectChangedFiles();
+  const changedFiles = changedScope.files;
+  const results = [];
+  const failures = [];
+  const warnings = [];
+
+  const envConfirmationFlag = parseBooleanFromEnvironment(process.env.RULES_GUARDIAN_CONFIRM_DIRECTION_CHANGE);
+  const confirmationProvided = parsedArguments.confirmDirectionChange || envConfirmationFlag;
+  const confirmationSource = parsedArguments.confirmDirectionChange
+    ? 'cli-flag'
+    : (envConfirmationFlag ? 'environment-variable' : 'none');
+
+  pushResult(results, true, 'context-workflow', `workflow=${parsedArguments.workflow}`);
+  pushResult(
+    results,
+    true,
+    'direction-change-confirmation-flag',
+    confirmationProvided
+      ? `Explicit direction-change confirmation provided via ${confirmationSource}`
+      : 'Explicit direction-change confirmation not provided'
+  );
+
+  assertSnippetCoverage(
+    'rules-guardian-architecture-rule',
+    ARCHITECTURE_RULE_PATH,
+    REQUIRED_ARCHITECTURE_RULE_SNIPPETS,
+    failures,
+    results
+  );
+
+  assertSnippetCoverage(
+    'rules-guardian-pr-checklist',
+    PR_CHECKLIST_PATH,
+    REQUIRED_PR_CHECKLIST_SNIPPETS,
+    failures,
+    results
+  );
+
+  assertSnippetCoverage(
+    'rules-guardian-review-prompt',
+    REVIEW_PROMPT_PATH,
+    REQUIRED_REVIEW_PROMPT_SNIPPETS,
+    failures,
+    results
+  );
+
+  const onboardingReportContent = readText(ONBOARDING_REPORT_PATH);
+  const onboardingReport = parseOnboardingReport(onboardingReportContent);
+
+  if (!onboardingReportContent) {
+    failures.push(`Missing architecture contract source: ${ONBOARDING_REPORT_PATH}`);
+    pushResult(results, false, 'architecture-contract-source', `Missing ${ONBOARDING_REPORT_PATH}`);
+  } else if (!onboardingReport) {
+    failures.push(`Cannot parse architecture contract source: ${ONBOARDING_REPORT_PATH}`);
+    pushResult(results, false, 'architecture-contract-source', `Invalid JSON in ${ONBOARDING_REPORT_PATH}`);
+  } else {
+    pushResult(results, true, 'architecture-contract-source', `${ONBOARDING_REPORT_PATH} is present and valid`);
+  }
+
+  const architectureRuleContent = readText(ARCHITECTURE_RULE_PATH);
+  const activeCorePatterns = detectCorePatterns(architectureRuleContent);
+
+  if (activeCorePatterns.length === 0) {
+    failures.push('Cannot resolve active core patterns from architecture rule snippets');
+    pushResult(
+      results,
+      false,
+      'architecture-core-patterns',
+      `No core pattern signals detected in ${ARCHITECTURE_RULE_PATH}`
+    );
+  } else {
+    pushResult(
+      results,
+      true,
+      'architecture-core-patterns',
+      `Resolved ${activeCorePatterns.length} core pattern signals: ${activeCorePatterns.join(', ')}`
+    );
+  }
+
+  const activeContract = buildArchitectureContract(onboardingReport, activeCorePatterns);
+  const sessionHandoffSummary = buildSessionHandoffSummary(activeContract);
+  const sessionHandoffIncluded = sessionHandoffSummary.trim().length > 0;
+
+  if (sessionHandoffIncluded) {
+    pushResult(results, true, 'session-handoff-contract-summary', sessionHandoffSummary);
+  } else {
+    failures.push('Session handoff summary is missing');
+    pushResult(results, false, 'session-handoff-contract-summary', 'Session handoff summary is empty');
+  }
+
+  const previousOnboardingReport = parseOnboardingReport(readPreviousRevisionText(ONBOARDING_REPORT_PATH));
+  const previousArchitectureRuleContent = readPreviousRevisionText(ARCHITECTURE_RULE_PATH) || architectureRuleContent;
+  const previousCorePatterns = detectCorePatterns(previousArchitectureRuleContent);
+
+  const previousContract = buildArchitectureContract(
+    previousOnboardingReport || onboardingReport,
+    previousCorePatterns.length > 0 ? previousCorePatterns : activeCorePatterns
+  );
+
+  const proposedContract = {
+    stack: parsedArguments.proposedStack || activeContract.stack,
+    blueprint: parsedArguments.proposedBlueprint || activeContract.blueprint,
+    profile: activeContract.profile,
+    corePatterns: parsedArguments.proposedCorePatterns.length > 0
+      ? parsedArguments.proposedCorePatterns
+      : activeContract.corePatterns,
+  };
+
+  const persistedContractDrift = detectContractDrift(
+    previousContract,
+    activeContract,
+    'persisted-change-since-previous-session'
+  );
+  const proposedContractDrift = detectContractDrift(
+    activeContract,
+    proposedContract,
+    'proposed-direction-change'
+  );
+
+  const driftItems = [...persistedContractDrift, ...proposedContractDrift];
+  const persistedDriftDetected = persistedContractDrift.length > 0;
+  const proposedDirectionChangeDetected = proposedContractDrift.length > 0;
+  const driftDetected = driftItems.length > 0;
+
+  if (driftDetected) {
+    const driftSummary = driftItems
+      .map((driftItem) => `${driftItem.field}: ${driftItem.from} -> ${driftItem.to} (${driftItem.source})`)
+      .join('; ');
+    warnings.push(`Direction drift detected: ${driftSummary}`);
+    pushResult(results, true, 'direction-drift-detection', `Drift detected: ${driftSummary}`);
+  } else {
+    pushResult(results, true, 'direction-drift-detection', 'No direction drift detected');
+  }
+
+  if (proposedDirectionChangeDetected && !confirmationProvided) {
+    failures.push('Direction change detected without explicit user confirmation');
+    pushResult(
+      results,
+      false,
+      'direction-change-explicit-confirmation',
+      'Direction change detected. Re-run with --confirm-direction-change (or set RULES_GUARDIAN_CONFIRM_DIRECTION_CHANGE=true) after explicit user approval.'
+    );
+  } else if (proposedDirectionChangeDetected && confirmationProvided) {
+    pushResult(
+      results,
+      true,
+      'direction-change-explicit-confirmation',
+      `Direction change confirmed explicitly via ${confirmationSource}`
+    );
+  } else if (persistedDriftDetected) {
+    pushResult(
+      results,
+      true,
+      'direction-change-explicit-confirmation',
+      'Persisted drift detected from previous session; explicit confirmation is required only for new proposed direction changes'
+    );
+  } else {
+    pushResult(
+      results,
+      true,
+      'direction-change-explicit-confirmation',
+      'No direction change detected; explicit confirmation not required'
+    );
+  }
+
+  const reportPayload = {
+    generatedAt: new Date().toISOString(),
+    auditName: 'rules-guardian-audit',
+    workflow: parsedArguments.workflow,
+    source: changedScope.source,
+    changedFileCount: changedFiles.length,
+    changedFiles,
+    confirmationPolicy: {
+      requiresExplicitUserConfirmation: true,
+      requiredForProposedDirectionChange: true,
+      confirmationProvided,
+      confirmationSource,
+    },
+    sessionHandoff: {
+      included: sessionHandoffIncluded,
+      contractSummary: sessionHandoffSummary,
+      activeArchitectureContract: activeContract,
+      previousArchitectureContract: previousContract,
+      proposedArchitectureContract: proposedContract,
+    },
+    driftDetection: {
+      driftDetected,
+      persistedDriftDetected,
+      proposedDirectionChangeDetected,
+      driftItemCount: driftItems.length,
+      persistedDriftItemCount: persistedContractDrift.length,
+      proposedDriftItemCount: proposedContractDrift.length,
+      driftItems,
+    },
+    passed: failures.length === 0,
+    failureCount: failures.length,
+    failures,
+    warnings,
+    results,
+  };
+
+  console.log(JSON.stringify(reportPayload, null, 2));
+  process.exit(reportPayload.passed ? 0 : 1);
+}
+
+runAudit();

package/scripts/validate.mjs

@@ -172,6 +172,8 @@ async function validateRequiredFiles() {
     'scripts/mcp-server.mjs',
     'scripts/frontend-usability-audit.mjs',
     'scripts/documentation-boundary-audit.mjs',
+    'scripts/context-triggered-audit.mjs',
+    'scripts/rules-guardian-audit.mjs',
     'scripts/release-gate.mjs',
     'scripts/generate-sbom.mjs',
     'scripts/init-project.sh',