@ryuenn3123/agentic-senior-core 3.0.25 → 3.0.27

package/scripts/governance-weekly-report.mjs

@@ -22,8 +22,22 @@ const ARGUMENT_FLAGS = new Set(process.argv.slice(2));
 const isStdoutOnlyMode = ARGUMENT_FLAGS.has('--stdout-only');
 const WEEKLY_WINDOW_DAYS = 7;
 const HISTORY_LIMIT = 26;
+const BACKEND_REQUIRED_DOMAIN_NAMES = new Set([
+  'backend-architecture',
+  'backend-security',
+  'backend-data-access',
+  'backend-error-handling',
+  'backend-api-contract',
+  'backend-testing',
+  'backend-performance',
+  'backend-idempotency',
+  'backend-risk-map',
+]);
 const REQUIRED_VERIFIED_DOMAINS = new Set([
   'canonical-instructions',
+  'frontend-design-contract',
+  'frontend-architecture',
+  ...Array.from(BACKEND_REQUIRED_DOMAIN_NAMES),
   'pr-checklist',
   'architecture-review',
   'mcp-server',
@@ -31,11 +45,100 @@ const REQUIRED_VERIFIED_DOMAINS = new Set([
 ]);
 const GOVERNANCE_SURFACE_PATHS = {
   'canonical-instructions': '.instructions.md',
+  'frontend-design-contract': '.agent-context/prompts/bootstrap-design.md',
+  'frontend-architecture': '.agent-context/rules/frontend-architecture.md',
+  'backend-architecture': '.agent-context/rules/architecture.md',
+  'backend-security': '.agent-context/rules/security.md',
+  'backend-data-access': '.agent-context/rules/database-design.md',
+  'backend-error-handling': '.agent-context/rules/error-handling.md',
+  'backend-api-contract': '.agent-context/rules/api-docs.md',
+  'backend-testing': '.agent-context/rules/testing.md',
+  'backend-performance': '.agent-context/rules/performance.md',
+  'backend-idempotency': '.agent-context/rules/event-driven.md',
+  'backend-risk-map': '.agent-context/state/architecture-map.md',
   'pr-checklist': '.agent-context/review-checklists/pr-checklist.md',
   'architecture-review': '.agent-context/review-checklists/architecture-review.md',
   'mcp-server': 'scripts/mcp-server.mjs',
   'state-continuity': '.agent-context/state',
 };
+const BACKEND_GOVERNANCE_COVERAGE = [
+  {
+    constraint: 'Layered architecture and separation of concerns',
+    status: 'covered',
+    sourcePaths: [
+      '.agent-context/rules/architecture.md',
+      '.agent-context/review-checklists/architecture-review.md',
+    ],
+    signal: 'Transport, application, domain, and infrastructure boundaries are explicit.',
+  },
+  {
+    constraint: 'Global backend/API rule routing',
+    status: 'strengthened',
+    sourcePaths: [
+      '.instructions.md',
+      '.agent-context/rules/architecture.md',
+      '.agent-context/prompts/refactor.md',
+    ],
+    signal: 'Backend/API governance routes by problem domain and stays stack-agnostic; no stack-specific governance adapters are created.',
+  },
+  {
+    constraint: 'Zero-trust input validation',
+    status: 'strengthened',
+    sourcePaths: [
+      '.agent-context/rules/security.md',
+      '.agent-context/review-checklists/pr-checklist.md',
+    ],
+    signal: 'User-controlled body, query, params, headers, cookies, files, webhooks, and job payloads must be validated before service logic.',
+  },
+  {
+    constraint: 'Data access performance and integrity',
+    status: 'strengthened',
+    sourcePaths: [
+      '.agent-context/rules/database-design.md',
+      '.agent-context/rules/performance.md',
+      '.agent-context/state/architecture-map.md',
+    ],
+    signal: 'Backend reads must avoid N+1 and unbounded list responses; multi-write mutations need transaction or recovery evidence.',
+  },
+  {
+    constraint: 'Distributed consistency and outbox safety',
+    status: 'strengthened',
+    sourcePaths: [
+      '.agent-context/rules/event-driven.md',
+      '.agent-context/rules/database-design.md',
+      '.agent-context/rules/microservices.md',
+    ],
+    signal: 'Dual-write flows need outbox or equivalent replay safety, and cross-service consistency must define saga, compensation, or recovery behavior instead of defaulting to two-phase commit.',
+  },
+  {
+    constraint: 'Safe centralized API errors',
+    status: 'strengthened',
+    sourcePaths: [
+      '.agent-context/rules/error-handling.md',
+      '.agent-context/rules/api-docs.md',
+    ],
+    signal: 'HTTP/API responses use safe machine-readable error shapes, may align with RFC 9457 Problem Details, and preserve safe trace/correlation identifiers without leaking internals.',
+  },
+  {
+    constraint: 'Sensitive mutation idempotency',
+    status: 'strengthened',
+    sourcePaths: [
+      '.agent-context/rules/api-docs.md',
+      '.agent-context/rules/testing.md',
+      '.agent-context/rules/event-driven.md',
+    ],
+    signal: 'Payments, orders, status changes, and other risky mutations must document and test duplicate-submit behavior.',
+  },
+  {
+    constraint: 'API contract and behavior testing',
+    status: 'strengthened',
+    sourcePaths: [
+      '.agent-context/rules/testing.md',
+      '.agent-context/review-checklists/pr-checklist.md',
+    ],
+    signal: 'API tests cover validation, auth, documented error shapes, pagination defaults, empty states, and mutation retry safety.',
+  },
+];
 
 function readJsonOrNull(filePath) {
   if (!existsSync(filePath)) {
@@ -194,6 +297,37 @@ async function collectSkillTrustSignals() {
   };
 }
 
+function buildBackendGovernancePosture(skillTrustSignals) {
+  const backendSurfaceRows = skillTrustSignals.domains.filter((trustRow) => {
+    return BACKEND_REQUIRED_DOMAIN_NAMES.has(trustRow.domain);
+  });
+  const missingBackendSurfaceNames = backendSurfaceRows
+    .filter((trustRow) => trustRow.tier !== 'verified')
+    .map((trustRow) => trustRow.domain);
+  const verifiedSurfaceCount = backendSurfaceRows.length - missingBackendSurfaceNames.length;
+
+  return {
+    status: missingBackendSurfaceNames.length === 0 ? 'verified' : 'needs-attention',
+    summary: missingBackendSurfaceNames.length === 0
+      ? 'Backend governance is verified across architecture, security, data access, error handling, API contracts, testing, performance, idempotency, and risk-map surfaces.'
+      : 'Backend governance is missing one or more required surfaces.',
+    requiredSurfaceCount: backendSurfaceRows.length,
+    verifiedSurfaceCount,
+    missingSurfaceNames: missingBackendSurfaceNames,
+    coverage: BACKEND_GOVERNANCE_COVERAGE,
+    developmentFocus: [
+      {
+        focus: 'Keep backend guidance global and stack-agnostic.',
+        reason: 'The repo should enforce architecture, security, API, data, error, event, and testing thinking without building Nest, Laravel, FastAPI, Express, Go, or other stack-specific governance adapters.',
+      },
+      {
+        focus: 'Use framework facts only when implementing inside an existing project.',
+        reason: 'LLMs can apply current ecosystem knowledge directly; governance should route the relevant global constraints instead of acting as a stack detector.',
+      },
+    ],
+  };
+}
+
 function buildBlockers(qualityTrendReport, skillTrustSignals, commitSignals) {
   const blockers = [];
 
@@ -222,6 +356,7 @@ function buildHistoryEntry(weeklyReport) {
     blockerCount: weeklyReport.releaseReadiness.blockers.length,
     gatePassRatePercent: weeklyReport.qualitySignals.governanceHealth.gatePassRatePercent,
     verifiedSkillDomainCount: weeklyReport.skillTrust.tierCounts.verified,
+    backendVerifiedSurfaceCount: weeklyReport.backendGovernance?.verifiedSurfaceCount ?? null,
     releaseFrequencyPercent: weeklyReport.commitSignals.releaseFrequencyPercent,
     rollbackFrequencyPercent: weeklyReport.commitSignals.rollbackFrequencyPercent,
   };
@@ -243,6 +378,7 @@ async function runWeeklyGovernanceReport() {
   const qualityTrendReport = qualityTrendState.report;
 
   const skillTrustSignals = await collectSkillTrustSignals();
+  const backendGovernance = buildBackendGovernancePosture(skillTrustSignals);
   const commitSignals = collectCommitSignals(WEEKLY_WINDOW_DAYS);
   const blockers = buildBlockers(qualityTrendReport, skillTrustSignals, commitSignals);
 
@@ -267,12 +403,13 @@ async function runWeeklyGovernanceReport() {
       tokenEfficiency: qualityTrendReport?.tokenEfficiency || null,
     },
     skillTrust: skillTrustSignals,
+    backendGovernance,
     commitSignals,
     releaseReadiness: {
       isReady: blockers.length === 0,
       blockers,
       summary: blockers.length === 0
-        ? 'Weekly governance posture is ready for maintenance releases.'
+        ? 'Weekly governance posture is ready for maintenance releases with frontend and backend governance surfaces verified.'
         : 'Weekly governance posture is blocked by unresolved readiness signals.',
     },
     artifact: {

package/scripts/release-gate/audit-checks.mjs

@@ -312,7 +312,7 @@ export function runAuditReleaseChecks(results, diagnostics) {
       singleSourceLazyLoadingAuditExecution.report?.lazyRuleLoading?.enforced === true,
       'lazy-rule-loading-hard-rule',
       singleSourceLazyLoadingAuditExecution.report?.lazyRuleLoading?.enforced === true
-        ? 'Language-specific guidance is loaded lazily by detected scope'
+        ? 'Global domain governance is loaded lazily by touched scope'
         : 'Lazy rule loading enforcement failed in single-source lazy-loading audit'
     );
     pushResult(

package/scripts/release-gate/constants.mjs

@@ -32,17 +32,24 @@ export const REQUIRED_BACKEND_ARCHITECTURE_RULE_SNIPPETS = [
   'No premature abstraction.',
   'Readability over brevity.',
   'backend and shared core modules',
+  'Do not create or load stack-specific governance adapters as the baseline.',
 ];
 
 export const REQUIRED_BACKEND_REVIEW_CHECKLIST_SNIPPETS = [
   'No clever hacks in backend and shared core modules',
   'No premature abstraction (base classes/util layers created only after repeated stable patterns)',
   'Readability over brevity for maintainability',
+  'Controllers, route handlers, and transport adapters do not contain business policy',
+  'Sensitive mutations include idempotency or duplicate-submit coverage',
+  'Backend/API governance was applied through global domain rules',
 ];
 
 export const REQUIRED_REFACTOR_PROMPT_SNIPPETS = [
   'Enforce backend universal principles: no clever hacks, no premature abstraction, readability over brevity.',
   'Prioritize maintainability over compressed one-liners.',
+  'zero-trust input validation',
+  'idempotency for sensitive mutations',
+  'Backend/API governance is global and stack-agnostic.',
 ];
 
 export const REQUIRED_ARCHITECTURE_REVIEW_CHECKLIST_SNIPPETS = [
@@ -50,4 +57,8 @@ export const REQUIRED_ARCHITECTURE_REVIEW_CHECKLIST_SNIPPETS = [
   'No clever hacks in backend and shared core modules',
   'No premature abstraction',
   'Readability over brevity',
+  'Service or use-case code owns orchestration',
+  'Relational reads avoid N+1 patterns',
+  'Global backend/API governance is used directly',
+  'Dual-write database plus message flows use an outbox',
 ];

package/scripts/rules-guardian-audit.mjs

@@ -67,7 +67,7 @@ const REQUIRED_PR_CHECKLIST_SNIPPETS = [
 
 const REQUIRED_REVIEW_PROMPT_SNIPPETS = [
   'Review the code with a production-risk mindset.',
-  'Do not invent stack-specific concerns unless the repo or changed files prove they apply.',
+  'Do not create stack-specific governance concerns.',
 ];
 
 function pushResult(results, isPassed, checkName, details) {

package/scripts/single-source-lazy-loading-audit.mjs

@@ -5,7 +5,7 @@
  *
  * Enforces V3.0-010 policy:
  * - One canonical rule source is explicitly defined and enforced.
- * - Language-specific rule guidance loads lazily by detected scope.
+ * - Global domain governance loads lazily by touched scope.
  * - Conflicting duplicate instruction paths are prevented.
  */
 
@@ -60,24 +60,24 @@ const MAX_EAGER_STACK_MENTIONS = 4;
 const REQUIRED_ARCHITECTURE_RULE_SNIPPETS = [
   '## Single Source of Truth and Lazy Rule Loading',
   'Canonical rule source is .instructions.md.',
-  'Load language-specific stack guidance lazily based on detected scope.',
-  'Do not preload unrelated stack profiles during normal flow.',
+  'Load global domain rules lazily based on touched scope.',
+  'Do not create or load stack-specific governance adapters as the baseline.',
 ];
 
 const REQUIRED_PR_CHECKLIST_SNIPPETS = [
   'Canonical rule source is explicitly defined and enforced',
-  'Language-specific guidance is loaded lazily based on detected scope',
+  'Global domain governance is loaded lazily based on touched scope',
   'No conflicting duplicate rule instructions during normal flow',
 ];
 
 const REQUIRED_REVIEW_PROMPT_SNIPPETS = [
-  'Enforce single-source and lazy-loading policy: canonical rule source must be explicitly enforced, language-specific guidance must load lazily based on detected scope, and conflicting duplicate rule instructions must not appear during normal flow.',
+  'Enforce single-source and lazy-loading policy: canonical rule source must be explicitly enforced, global domain governance must load lazily based on touched scope, and conflicting duplicate rule instructions must not appear during normal flow.',
 ];
 
 const REQUIRED_COMPILER_SNIPPETS = [
   '## LAYER 2 POLICY: LAZY RULE LOADING',
-  'Load runtime-specific guidance only when task scope touches that runtime.',
-  'Avoid eager loading unrelated runtime guidance to prevent instruction conflicts.',
+  'Load global domain rules only when task scope touches that domain.',
+  'Avoid eager loading unrelated runtime or domain guidance to prevent instruction conflicts.',
   "stackLoadingMode: 'lazy'",
 ];
 
@@ -377,6 +377,7 @@ function runAudit() {
     if (lazyPolicy
       && lazyPolicy.canonicalSource === CANONICAL_SOURCE_PATH
       && lazyPolicy.stackLoadingMode === 'lazy'
+      && (lazyPolicy.domainRuleLoadingMode === 'lazy' || typeof lazyPolicy.domainRuleLoadingMode === 'undefined')
       && lazyPolicy.loadedOnDemand === true) {
       onboardingLazyPolicyMode = 'explicit-lazy-policy';
       onboardingLazyPolicyValidated = true;
@@ -478,7 +479,7 @@ function runAudit() {
     && !eagerLoadingDetected;
 
   if (lazyRuleLoadingEnforced) {
-    pushResult(results, true, 'lazy-rule-loading-hard-rule', 'Language-specific guidance is loaded lazily by detected scope');
+    pushResult(results, true, 'lazy-rule-loading-hard-rule', 'Global domain governance is loaded lazily by touched scope');
   } else {
     failures.push('Lazy rule loading hard-rule is not fully enforced');
     pushResult(results, false, 'lazy-rule-loading-hard-rule', 'Lazy loading enforcement failed');
@@ -514,6 +515,7 @@ function runAudit() {
       onboardingPolicyValidated: onboardingLazyPolicyValidated,
       eagerLoadingDetected,
       maxAllowedStackMentions: MAX_EAGER_STACK_MENTIONS,
+      globalDomainGovernance: true,
     },
     duplicationPolicy: {
       noConflictingDuplicates,

package/scripts/sync-thin-adapters.mjs

@@ -44,8 +44,9 @@ If your host stops at this file instead of following the full chain, obey the Cr
 - Memory continuity does not replace bootstrap loading. It is host-dependent project memory, not a guarantee that instructions were reloaded for this session.
 - For UI, UX, layout, screen, tailwind, frontend, or redesign requests: load [.agent-context/prompts/bootstrap-design.md](.agent-context/prompts/bootstrap-design.md) and [.agent-context/rules/frontend-architecture.md](.agent-context/rules/frontend-architecture.md) before editing code.
 - For UI scope: if \`docs/DESIGN.md\` or \`docs/design-intent.json\` is missing, materialize or refine them before implementing UI changes.
+- For backend, API, data, auth, error, event, queue, worker, or distributed-system requests: load the relevant global rules from [.agent-context/rules/](.agent-context/rules); do not create stack-specific governance adapters.
 - For refactor, improve, clean up, or fix requests: inspect the active rules and propose a plan before editing.
-- For new project or module requests: clarify constraints, stack decisions, and required docs before generating code.
+- For new project or module requests: clarify constraints, runtime decisions, and required docs before generating code.
 - For ecosystem, framework, dependency, or Docker claims: perform live web research instead of relying on stale local heuristics.
 
 ## Mandatory Bootstrap Chain
@@ -57,7 +58,7 @@ If your host stops at this file instead of following the full chain, obey the Cr
 5. Enforce review contracts from [.agent-context/review-checklists/](.agent-context/review-checklists).
 6. Read change-risk maps and continuity state from [.agent-context/state/](.agent-context/state).
 7. Enforce policy thresholds from [.agent-context/policies/](.agent-context/policies).
-8. Use dynamic stack, structure, and live research signals from project context docs.
+8. Use runtime evidence, structure, and live research signals from project context docs.
 
 ## Trigger Rules
 
@@ -82,6 +83,7 @@ If your host stops at this file, follow this minimum floor:
 - Read \`.agent-instructions.md\` next when it exists.
 - For UI or redesign requests, load [.agent-context/prompts/bootstrap-design.md](../.agent-context/prompts/bootstrap-design.md) and [.agent-context/rules/frontend-architecture.md](../.agent-context/rules/frontend-architecture.md) before coding.
 - If UI scope and \`docs/DESIGN.md\` or \`docs/design-intent.json\` is missing, materialize them before UI implementation.
+- For backend/API/data/auth/event requests, load relevant global rules from [.agent-context/rules/](../.agent-context/rules) and do not create stack-specific governance adapters.
 - Memory continuity is host-dependent project memory and does not replace bootstrap loading.
 
 ## Required Load Order
@@ -92,7 +94,7 @@ If your host stops at this file, follow this minimum floor:
 4. Load request templates from [.agent-context/prompts/](../.agent-context/prompts).
 5. Apply review contracts from [.agent-context/review-checklists/](../.agent-context/review-checklists).
 6. Apply state awareness from [.agent-context/state/](../.agent-context/state) and thresholds from [.agent-context/policies/](../.agent-context/policies).
-7. Resolve stack, structure, and dependency choices from project context docs plus live evidence.
+7. Resolve runtime, structure, and dependency choices from project context docs plus live evidence.
 
 ## Completion Gate
 
@@ -113,6 +115,7 @@ If your host stops at this file, follow this minimum floor:
 - Read \`.agent-instructions.md\` next when it exists.
 - For UI or redesign requests, load [.agent-context/prompts/bootstrap-design.md](../.agent-context/prompts/bootstrap-design.md) and [.agent-context/rules/frontend-architecture.md](../.agent-context/rules/frontend-architecture.md) before coding.
 - If UI scope and \`docs/DESIGN.md\` or \`docs/design-intent.json\` is missing, materialize them before UI implementation.
+- For backend/API/data/auth/event requests, load relevant global rules from [.agent-context/rules/](../.agent-context/rules) and do not create stack-specific governance adapters.
 - Memory continuity is host-dependent project memory and does not replace bootstrap loading.
 
 ## Bootstrap Sequence
@@ -123,7 +126,7 @@ If your host stops at this file, follow this minimum floor:
 4. Load request templates from [.agent-context/prompts/](../.agent-context/prompts).
 5. Apply review contracts from [.agent-context/review-checklists/](../.agent-context/review-checklists).
 6. Apply state awareness from [.agent-context/state/](../.agent-context/state) and policy thresholds from [.agent-context/policies/](../.agent-context/policies).
-7. Resolve stack, structure, and dependency choices from project context docs plus live evidence.
+7. Resolve runtime, structure, and dependency choices from project context docs plus live evidence.
 
 ## Completion Gate
 

package/scripts/ui-design-judge/prompting.mjs

@@ -14,7 +14,7 @@ export function buildSystemPrompt() {
     'Use repoEvidence.designEvidenceSummary as implementation evidence when deciding whether the diff follows the intended system.',
     'Do not reward generic SaaS defaults or popular template patterns.',
     'Do not penalize originality when the implementation still aligns with the contract.',
-    'Purposeful motion is allowed and can improve quality. Only flag motion when it drifts from the contract, ignores reduced-motion expectations, or adds avoidable performance/accessibility risk.',
+    'Treat purposeful motion as a first-class quality signal for modern UI work. Flag missing or timid motion when the contract calls for expressive interaction, and only flag motion itself when it drifts from the contract, ignores reduced-motion expectations, or adds avoidable performance/accessibility risk.',
     'Only flag drift when there is a clear mismatch with the contract, accessibility non-negotiables, or cross-viewport adaptation rules.',
     'Treat WCAG 2.2 AA failures as hard accessibility drift.',
     'Treat APCA as advisory perceptual tuning only. Do not set blocking solely because APCA indicates a stronger readability adjustment when WCAG hard requirements still pass.',