@ryuenn3123/agentic-senior-core 3.0.26 → 3.0.27

package/.agent-context/prompts/bootstrap-design.md

@@ -15,7 +15,7 @@ The agent must:
 2. If `docs/DESIGN.md` or `docs/design-intent.json` exists, refine them instead of replacing them blindly.
 3. If either design doc is missing, create it before UI implementation.
 4. Use current repo evidence, product copy, route names, component names, user goals, and existing constraints as the source of truth.
-5. Treat prior-chat visuals, unrelated project memory, benchmark screenshots, and famous-product aesthetics as tainted unless the user explicitly asks for continuity.
+5. Treat prior-chat visuals, unrelated project memory, benchmark screenshots, and famous-product aesthetics as tainted context unless the user explicitly asks for continuity.
 6. When choosing a new UI, animation, styling, or component library, research current official docs and choose the latest stable compatible option for this project. Do not rely on offline defaults.
 7. Keep external references non-copying: extract constraints and reasoning only, never clone the surface.
 

package/.agent-context/prompts/refactor.md

@@ -13,6 +13,8 @@ Before editing:
 5. If the change touches a dependency, framework, Docker, runtime, or ecosystem claim, verify current official docs before choosing.
 6. Enforce Universal SOP hard gate: stop implementation if `docs/architecture-decision-record.md` is missing, and for UI scope stop if `docs/DESIGN.md` or `docs/design-intent.json` is missing.
 7. Enforce backend universal principles: no clever hacks, no premature abstraction, readability over brevity.
+8. For backend/API scope, enforce layered boundaries, zero-trust input validation, safe centralized error responses, bounded list reads, transaction safety for multi-write mutations, idempotency for sensitive mutations, and behavior-focused API tests.
+9. Backend/API governance is global and stack-agnostic. Do not create stack-specific adapters or framework-specific rule branches; apply the global rules through the framework already present in the target project.
 
 Refactor rules:
 - Improve clarity, boundaries, naming, validation, error handling, tests, and docs.

package/.agent-context/prompts/review-code.md

@@ -12,7 +12,7 @@ Before reviewing:
 4. Load only the rules relevant to the changed scope.
 5. For UI changes, load .agent-context/prompts/bootstrap-design.md, .agent-context/rules/frontend-architecture.md, docs/DESIGN.md, and docs/design-intent.json when present.
 6. Enforce Universal SOP hard gate: block coding flow when required project docs are missing (`docs/architecture-decision-record.md`, and for UI scope `docs/DESIGN.md` plus `docs/design-intent.json`).
-7. Enforce single-source and lazy-loading policy: canonical rule source must be explicitly enforced, language-specific guidance must load lazily based on detected scope, and conflicting duplicate rule instructions must not appear during normal flow.
+7. Enforce single-source and lazy-loading policy: canonical rule source must be explicitly enforced, global domain governance must load lazily based on touched scope, and conflicting duplicate rule instructions must not appear during normal flow.
 
 Prioritize findings in this order:
 1. Correctness, data loss, security, privacy, auth, and permission risks.
@@ -27,5 +27,5 @@ For every finding:
 - reference the rule or contract only when it materially supports the finding
 - propose the smallest safe fix
 
-Do not invent stack-specific concerns unless the repo or changed files prove they apply.
+Do not create stack-specific governance concerns. Use project framework details only for concrete implementation risks proven by changed code, docs, or current official documentation.
 ```

package/.agent-context/review-checklists/architecture-review.md

@@ -6,6 +6,10 @@ Use this when module structure, feature shape, public contracts, topology, or re
 
 - [ ] The changed code has clear transport, application, domain, and infrastructure boundaries where those layers exist.
 - [ ] Business policy is not hidden in transport handlers, UI adapters, database queries, framework glue, or generated code.
+- [ ] Controllers and route handlers only translate protocol input/output, enforce edge checks, and delegate business flow.
+- [ ] Service or use-case code owns orchestration, transactions, state transitions, and idempotency decisions.
+- [ ] Repository or adapter code owns persistence and external IO details without hiding product policy in queries.
+- [ ] Global backend/API governance is used directly; no stack-specific adapter or framework-specific rule fork was introduced.
 - [ ] Internal models do not leak across public API, event, CLI, library, or UI contracts without a deliberate mapping.
 - [ ] Modules import through public entrypoints instead of deep internal paths.
 - [ ] Circular dependencies are absent or explicitly removed.
@@ -35,6 +39,10 @@ Use this when module structure, feature shape, public contracts, topology, or re
 - [ ] API, event, CLI, library, data, and UI contracts are documented before or alongside implementation.
 - [ ] Schema and validation strategy matches the project’s chosen runtime and official docs.
 - [ ] Error contracts are safe, stable, and do not leak internals.
+- [ ] List endpoints have bounded pagination, limits, or streaming behavior documented.
+- [ ] Sensitive mutations have documented idempotency, retry, and duplicate-submit behavior.
+- [ ] Error contracts document stable codes, safe trace or correlation identifiers, and any Problem Details-style fields when exposed.
+- [ ] Async/event contracts document retry, ordering, duplicate handling, and dead-letter or recovery behavior.
 - [ ] Migration and rollback plans exist for risky data or public contract changes.
 
 ## Operational Review
@@ -43,3 +51,7 @@ Use this when module structure, feature shape, public contracts, topology, or re
 - [ ] Observability, logging, and health checks match the project’s runtime and risk level.
 - [ ] Security assumptions are documented and enforced at trust boundaries.
 - [ ] Performance-sensitive paths avoid avoidable repeated work, unbounded lists, and hidden blocking operations.
+- [ ] Relational reads avoid N+1 patterns or include an explicit query-shape rationale.
+- [ ] Multi-table or cross-resource writes are transactional or include a documented compensating recovery path.
+- [ ] Dual-write database plus message flows use an outbox or equivalent atomicity and replay strategy.
+- [ ] Cross-service consistency avoids default two-phase commit and defines saga, compensation, or recovery behavior when needed.

package/.agent-context/review-checklists/pr-checklist.md

@@ -24,6 +24,10 @@ Run this before declaring a task done. Apply only the sections relevant to the c
 - [ ] No clever hacks in backend and shared core modules
 - [ ] No premature abstraction (base classes/util layers created only after repeated stable patterns)
 - [ ] Readability over brevity for maintainability
+- [ ] Controllers, route handlers, and transport adapters do not contain business policy, raw queries, or cross-resource orchestration.
+- [ ] Services or use cases own business flow, transaction boundaries, and mutation safety.
+- [ ] Repositories or adapters own persistence/external IO details without hiding business decisions.
+- [ ] Backend/API governance was applied through global domain rules, not stack-specific adapters or framework-only branches.
 - [ ] Code is grouped by feature/domain where that improves maintainability.
 - [ ] Cross-module access uses public contracts instead of internal file reach-through.
 - [ ] Files above roughly 1000 lines were split or explicitly justified.
@@ -32,14 +36,18 @@ Run this before declaring a task done. Apply only the sections relevant to the c
 ## 4. Security And Privacy
 
 - [ ] External input is validated at trust boundaries using the project’s chosen validation approach.
+- [ ] Body, query, params, headers, cookies, uploads, webhooks, and job payloads are treated as untrusted until validated and normalized.
 - [ ] Secrets, tokens, credentials, and private data are not committed or logged.
 - [ ] Authorization is enforced at a trusted boundary.
 - [ ] Error responses and logs do not leak internals.
+- [ ] Least privilege, resource-level authorization, and secret handling are preserved where sensitive data or privileged actions are touched.
 - [ ] Dependency or platform security claims are based on current official docs or repo evidence.
 
 ## 5. Testing
 
 - [ ] Changed behavior has appropriate tests at the smallest useful level.
+- [ ] API changes cover validation, authorization, documented error shape, pagination defaults, and empty states where relevant.
+- [ ] Sensitive mutations include idempotency or duplicate-submit coverage where duplicate side effects would be harmful.
 - [ ] Tests assert behavior and contracts, not implementation trivia.
 - [ ] Critical flows include failure-path coverage.
 - [ ] Test fixtures are readable and do not hide the behavior under test.
@@ -88,7 +96,7 @@ Run this before declaring a task done. Apply only the sections relevant to the c
 - [ ] State internals are exposed only on explicit request.
 - [ ] Diagnostic mode can explain relevant state decisions when needed.
 - [ ] Canonical rule source is explicitly defined and enforced
-- [ ] Language-specific guidance is loaded lazily based on detected scope
+- [ ] Global domain governance is loaded lazily based on touched scope
 - [ ] No conflicting duplicate rule instructions during normal flow
 - [ ] Canonical rule source is explicit and duplicate/conflicting instructions are avoided.
 

package/.agent-context/rules/api-docs.md

@@ -9,6 +9,10 @@ If a change affects an API, CLI command, exported library behavior, schema, even
 - Document the public surface before or alongside implementation.
 - Machine-readable API contracts should use the current project standard. If unresolved, the LLM must recommend a current maintained option from official docs.
 - HTTP APIs should prefer OpenAPI 3.1 when no stronger project standard exists.
+- List endpoints must document pagination, limits, filtering, sorting, and empty-state behavior.
+- Sensitive mutation endpoints must document idempotency behavior, retry safety, duplicate-submit handling, and any required idempotency key or request fingerprint.
+- Public error contracts must document stable machine-readable codes and any RFC 9457 Problem Details-style fields the project exposes, including safe trace or correlation identifiers when present.
+- Async, webhook, and event contracts must document idempotency, retry, ordering, dead-letter or recovery behavior, and duplicate-message handling.
 - Event APIs should define producer, consumer, payload, versioning, retry, and failure behavior.
 - CLI/library public behavior must update README, help text, changelog, or docs as appropriate.
 - Do not write "see code" as the contract.

package/.agent-context/rules/architecture.md

@@ -50,9 +50,9 @@ The `.agent-context/rules/` directory is the default guidance source for impleme
 
 - Canonical rule source is .instructions.md.
 - Adapter entry files stay thin and must point to the canonical source.
-- Load language-specific stack guidance lazily based on detected scope.
-- Load language-specific or framework-specific guidance lazily based on changed files, explicit constraints, and repo evidence.
-- Do not preload unrelated stack profiles during normal flow.
+- Load global domain rules lazily based on touched scope.
+- Do not create or load stack-specific governance adapters as the baseline.
+- Runtime or framework evidence can clarify implementation details, but it must not replace the global architecture, security, data, API, error, event, and testing boundaries.
 - Keep rule-loading output deterministic for init and release validation.
 
 ## Architecture Decision Boundary

package/.agent-context/rules/database-design.md

@@ -10,4 +10,13 @@ Reject these bad habits:
 - raw query construction that bypasses safe parameterization
 - destructive data changes without backup, migration, or deployment sequencing notes
 
+Backend data access rules:
+- Relational reads must avoid N+1 query patterns. Use eager loading, joins, batching, or explicit query-shape rationale based on the project's ORM or database driver.
+- List endpoints and exports must paginate, limit, stream, or otherwise bound growable datasets by default.
+- Use cursor pagination for large or frequently changing datasets when the project contract allows it; offset pagination is acceptable for small, stable, explicitly bounded collections.
+- Define maximum page size, payload size, and export limits so list responses cannot exhaust memory or connection pools.
+- Mutations that write more than one table, aggregate, queue, or external consistency boundary must run inside a transaction or document the compensating recovery path.
+- Repository and data-access layers own persistence mechanics. They must not hide business policy that belongs in application or domain logic.
+- Cross-domain persistence must respect ownership boundaries. Independent services must not share database tables as an integration contract; modular monoliths may share one database only when module ownership and access paths stay explicit.
+
 Docs must record entity ownership, relationships, constraints, data lifecycle, migration risk, and assumptions to validate.

package/.agent-context/rules/error-handling.md

@@ -9,4 +9,12 @@ Reject these failure patterns:
 - retries without transient-failure evidence, limits, backoff, and a clear final outcome
 - logs that say only "something failed" without action, target, actor, or trace context
 
+Backend API error rules:
+- Use the framework's normal centralized error boundary or middleware for HTTP/API responses.
+- Do not return raw exception messages, stack traces, SQL, provider payloads, file paths, secrets, or infrastructure details to callers.
+- Public API errors must use a stable JSON shape with at least `code` and `message`; include `details` only when the data is safe, documented, and useful to the caller. HTTP APIs may use an RFC 9457 Problem Details-style shape when it fits the project contract.
+- Domain and validation errors should keep machine-readable codes so tests, clients, and operators can distinguish expected failures from defects.
+- API boundary errors should include a safe correlation or trace identifier when observability exists, while protected logs keep the internal exception, actor, target, and trace context.
+- Distributed systems should preserve trace context across ingress and egress using the project's tracing standard, such as W3C Trace Context or OpenTelemetry propagation.
+
 At boundaries, validate early, return safe user-facing errors, and keep machine-readable error context for operators and callers.

package/.agent-context/rules/event-driven.md

@@ -17,6 +17,9 @@ Hard rules:
 - consumers are idempotent
 - retries are bounded and dead-letter or recovery behavior is defined
 - transactional publishing uses an outbox or equivalent safety pattern when data consistency matters
+- dual-write flows that update local state and publish a message must use a transactional outbox or document an equivalent atomicity and replay strategy
+- distributed transactions and two-phase commit are not the default recovery model; prefer local transactions plus saga, choreography, orchestration, or explicit compensating actions when consistency crosses service boundaries
+- message handlers must record processed message identifiers or use another duplicate-detection strategy when the delivery model can retry or redeliver
 - event catalogs or docs identify producer, consumers, ownership, and schema evolution rules
 
 If event tooling is unresolved, the LLM must recommend a current project-fit broker or managed service from official docs before implementation.

package/.agent-context/rules/microservices.md

@@ -35,7 +35,9 @@ Hard rules:
 - Each service owns its data boundary.
 - Public service contracts must be documented before implementation or extraction.
 - Cross-service calls need timeout, retry, idempotency, observability, and recovery behavior.
+- Independent services must not use shared tables as their integration contract; communicate through documented APIs, events, or async workflows owned by the source domain.
 - Avoid synchronous call chains that turn services into a distributed monolith.
+- Critical cross-service mutations should prefer local transactions plus outbox, saga, choreography, orchestration, or compensating actions over two-phase commit by default.
 - Prefer incremental extraction over rewrites.
 
 If the evidence is unclear, document the uncertainty and keep the topology agent-recommended instead of pretending an offline default is correct.

package/.agent-context/rules/security.md

@@ -10,5 +10,16 @@ Hard rules:
 - enforce authorization at the server or trusted boundary, not only in UI state
 - return safe client-facing errors and keep sensitive detail in protected logs
 - document auth, permission, data exposure, rate-limit, and abuse assumptions before changing sensitive flows
+- apply least privilege to service accounts, API tokens, database users, background jobs, and operator/admin actions
+- retrieve secrets through environment, runtime secret injection, or the project's secret manager; do not store static secrets in source or plaintext config
+- keep `.env` and local secret files covered by `.gitignore`; commit only safe examples such as `.env.example`
+- treat transport encryption, secure cookies, and trusted proxy boundaries as deployment assumptions that must be documented when sensitive traffic is involved
+
+Zero-trust API input rules:
+- Treat body, query, params, headers, cookies, uploaded files, webhook payloads, and background job payloads as untrusted until validated.
+- Validate and normalize input at the outer boundary before it reaches service, use-case, repository, or domain logic.
+- Services should receive typed, already-validated values and still enforce domain invariants for security-sensitive rules.
+- Sanitization must match the sink: SQL, shell, file path, log, HTML, template, and URL contexts need different protections.
+- Authorization must be resource-aware when data ownership matters. Prefer row, tenant, account, organization, or resource-level checks over role-only checks for sensitive records.
 
 For high-risk changes, check current framework security docs and record the relevant source or assumption in the implementation notes.

package/.agent-context/rules/testing.md

@@ -8,6 +8,14 @@ Test what can break:
 - regressions around bugs being fixed
 - critical accessibility or responsive behavior when UI is in scope
 
+Backend/API test rules:
+- API tests must cover request validation, authorization boundaries, success responses, documented error shapes, pagination defaults, and empty states for touched endpoints.
+- Sensitive mutations such as payments, orders, status changes, inventory adjustments, and account/security changes must include duplicate-submit or retry tests when idempotency is required.
+- Data-access changes must include evidence for query shape, transaction behavior, rollback or recovery paths, and N+1 prevention when relational reads are touched.
+- Event or worker changes must test retry, duplicate-message handling, dead-letter or recovery behavior, and outbox relay semantics when those paths exist.
+- Distributed consistency changes must test the local transaction, publish/retry behavior, and compensating action or recovery path rather than only the happy path.
+- Tests should make the API contract obvious from the fixture names, inputs, and expected response shape.
+
 Do not test framework internals, third-party library behavior, private implementation trivia, or snapshots that only freeze noise.
 
 Tests should describe behavior, keep setup readable, and mock only at real boundaries such as network, filesystem, clock, database, or external services.

package/.agent-context/state/memory-continuity-benchmark.json

@@ -1,5 +1,5 @@
 {
-  "generatedAt": "2026-04-25T03:25:49.150Z",
+  "generatedAt": "2026-04-25T10:16:51.159Z",
   "reportName": "memory-continuity-benchmark",
   "schemaVersion": "1.0.0",
   "passed": true,

package/.agent-context/state/weekly-governance-report.json

@@ -1,16 +1,27 @@
 {
-  "generatedAt": "2026-04-11T12:21:37.776Z",
+  "generatedAt": "2026-04-25T09:59:20.980Z",
   "reportName": "weekly-governance-report",
   "methodology": {
     "qualityTrendSource": "state-file",
     "qualityTrendGeneratedAt": "2026-04-11T12:21:35.779Z",
     "commitWindowDays": 7,
     "requiredVerifiedDomains": [
-      "cli",
-      "frontend",
-      "fullstack",
-      "distribution",
-      "review-quality"
+      "canonical-instructions",
+      "frontend-design-contract",
+      "frontend-architecture",
+      "backend-architecture",
+      "backend-security",
+      "backend-data-access",
+      "backend-error-handling",
+      "backend-api-contract",
+      "backend-testing",
+      "backend-performance",
+      "backend-idempotency",
+      "backend-risk-map",
+      "pr-checklist",
+      "architecture-review",
+      "mcp-server",
+      "state-continuity"
     ]
   },
   "qualitySignals": {
@@ -31,64 +42,236 @@
   "skillTrust": {
     "domains": [
       {
-        "domain": "backend",
-        "tier": "experimental",
-        "score": 25
+        "domain": "architecture-review",
+        "tier": "verified",
+        "score": 100,
+        "sourcePath": ".agent-context/review-checklists/architecture-review.md"
+      },
+      {
+        "domain": "backend-api-contract",
+        "tier": "verified",
+        "score": 100,
+        "sourcePath": ".agent-context/rules/api-docs.md"
+      },
+      {
+        "domain": "backend-architecture",
+        "tier": "verified",
+        "score": 100,
+        "sourcePath": ".agent-context/rules/architecture.md"
+      },
+      {
+        "domain": "backend-data-access",
+        "tier": "verified",
+        "score": 100,
+        "sourcePath": ".agent-context/rules/database-design.md"
+      },
+      {
+        "domain": "backend-error-handling",
+        "tier": "verified",
+        "score": 100,
+        "sourcePath": ".agent-context/rules/error-handling.md"
+      },
+      {
+        "domain": "backend-idempotency",
+        "tier": "verified",
+        "score": 100,
+        "sourcePath": ".agent-context/rules/event-driven.md"
       },
       {
-        "domain": "cli",
+        "domain": "backend-performance",
         "tier": "verified",
-        "score": 100
+        "score": 100,
+        "sourcePath": ".agent-context/rules/performance.md"
       },
       {
-        "domain": "distribution",
+        "domain": "backend-risk-map",
         "tier": "verified",
-        "score": 100
+        "score": 100,
+        "sourcePath": ".agent-context/state/architecture-map.md"
       },
       {
-        "domain": "frontend",
+        "domain": "backend-security",
         "tier": "verified",
-        "score": 100
+        "score": 100,
+        "sourcePath": ".agent-context/rules/security.md"
       },
       {
-        "domain": "fullstack",
+        "domain": "backend-testing",
         "tier": "verified",
-        "score": 100
+        "score": 100,
+        "sourcePath": ".agent-context/rules/testing.md"
       },
       {
-        "domain": "review-quality",
+        "domain": "canonical-instructions",
         "tier": "verified",
-        "score": 100
+        "score": 100,
+        "sourcePath": ".instructions.md"
+      },
+      {
+        "domain": "frontend-architecture",
+        "tier": "verified",
+        "score": 100,
+        "sourcePath": ".agent-context/rules/frontend-architecture.md"
+      },
+      {
+        "domain": "frontend-design-contract",
+        "tier": "verified",
+        "score": 100,
+        "sourcePath": ".agent-context/prompts/bootstrap-design.md"
+      },
+      {
+        "domain": "mcp-server",
+        "tier": "verified",
+        "score": 100,
+        "sourcePath": "scripts/mcp-server.mjs"
+      },
+      {
+        "domain": "pr-checklist",
+        "tier": "verified",
+        "score": 100,
+        "sourcePath": ".agent-context/review-checklists/pr-checklist.md"
+      },
+      {
+        "domain": "state-continuity",
+        "tier": "verified",
+        "score": 100,
+        "sourcePath": ".agent-context/state"
       }
     ],
     "tierCounts": {
-      "verified": 5,
+      "verified": 16,
       "community": 0,
-      "experimental": 1
+      "experimental": 0
     },
     "requiredVerifiedDomains": [
-      "cli",
-      "frontend",
-      "fullstack",
-      "distribution",
-      "review-quality"
+      "canonical-instructions",
+      "frontend-design-contract",
+      "frontend-architecture",
+      "backend-architecture",
+      "backend-security",
+      "backend-data-access",
+      "backend-error-handling",
+      "backend-api-contract",
+      "backend-testing",
+      "backend-performance",
+      "backend-idempotency",
+      "backend-risk-map",
+      "pr-checklist",
+      "architecture-review",
+      "mcp-server",
+      "state-continuity"
     ],
     "requiredVerifiedDomainFailures": [],
     "allRequiredVerified": true
   },
+  "backendGovernance": {
+    "status": "verified",
+    "summary": "Backend governance is verified across architecture, security, data access, error handling, API contracts, testing, performance, idempotency, and risk-map surfaces.",
+    "requiredSurfaceCount": 9,
+    "verifiedSurfaceCount": 9,
+    "missingSurfaceNames": [],
+    "coverage": [
+      {
+        "constraint": "Layered architecture and separation of concerns",
+        "status": "covered",
+        "sourcePaths": [
+          ".agent-context/rules/architecture.md",
+          ".agent-context/review-checklists/architecture-review.md"
+        ],
+        "signal": "Transport, application, domain, and infrastructure boundaries are explicit."
+      },
+      {
+        "constraint": "Global backend/API rule routing",
+        "status": "strengthened",
+        "sourcePaths": [
+          ".instructions.md",
+          ".agent-context/rules/architecture.md",
+          ".agent-context/prompts/refactor.md"
+        ],
+        "signal": "Backend/API governance routes by problem domain and stays stack-agnostic; no stack-specific governance adapters are created."
+      },
+      {
+        "constraint": "Zero-trust input validation",
+        "status": "strengthened",
+        "sourcePaths": [
+          ".agent-context/rules/security.md",
+          ".agent-context/review-checklists/pr-checklist.md"
+        ],
+        "signal": "User-controlled body, query, params, headers, cookies, files, webhooks, and job payloads must be validated before service logic."
+      },
+      {
+        "constraint": "Data access performance and integrity",
+        "status": "strengthened",
+        "sourcePaths": [
+          ".agent-context/rules/database-design.md",
+          ".agent-context/rules/performance.md",
+          ".agent-context/state/architecture-map.md"
+        ],
+        "signal": "Backend reads must avoid N+1 and unbounded list responses; multi-write mutations need transaction or recovery evidence."
+      },
+      {
+        "constraint": "Distributed consistency and outbox safety",
+        "status": "strengthened",
+        "sourcePaths": [
+          ".agent-context/rules/event-driven.md",
+          ".agent-context/rules/database-design.md",
+          ".agent-context/rules/microservices.md"
+        ],
+        "signal": "Dual-write flows need outbox or equivalent replay safety, and cross-service consistency must define saga, compensation, or recovery behavior instead of defaulting to two-phase commit."
+      },
+      {
+        "constraint": "Safe centralized API errors",
+        "status": "strengthened",
+        "sourcePaths": [
+          ".agent-context/rules/error-handling.md",
+          ".agent-context/rules/api-docs.md"
+        ],
+        "signal": "HTTP/API responses use safe machine-readable error shapes, may align with RFC 9457 Problem Details, and preserve safe trace/correlation identifiers without leaking internals."
+      },
+      {
+        "constraint": "Sensitive mutation idempotency",
+        "status": "strengthened",
+        "sourcePaths": [
+          ".agent-context/rules/api-docs.md",
+          ".agent-context/rules/testing.md",
+          ".agent-context/rules/event-driven.md"
+        ],
+        "signal": "Payments, orders, status changes, and other risky mutations must document and test duplicate-submit behavior."
+      },
+      {
+        "constraint": "API contract and behavior testing",
+        "status": "strengthened",
+        "sourcePaths": [
+          ".agent-context/rules/testing.md",
+          ".agent-context/review-checklists/pr-checklist.md"
+        ],
+        "signal": "API tests cover validation, auth, documented error shapes, pagination defaults, empty states, and mutation retry safety."
+      }
+    ],
+    "developmentFocus": [
+      {
+        "focus": "Keep backend guidance global and stack-agnostic.",
+        "reason": "The repo should enforce architecture, security, API, data, error, event, and testing thinking without building Nest, Laravel, FastAPI, Express, Go, or other stack-specific governance adapters."
+      },
+      {
+        "focus": "Use framework facts only when implementing inside an existing project.",
+        "reason": "LLMs can apply current ecosystem knowledge directly; governance should route the relevant global constraints instead of acting as a stack detector."
+      }
+    ]
+  },
   "commitSignals": {
     "windowDays": 7,
-    "commitCount": 18,
-    "releaseCommitCount": 7,
+    "commitCount": 30,
+    "releaseCommitCount": 18,
     "rollbackCommitCount": 1,
-    "releaseFrequencyPercent": 38.89,
-    "rollbackFrequencyPercent": 5.56,
+    "releaseFrequencyPercent": 60,
+    "rollbackFrequencyPercent": 3.33,
     "error": null
   },
   "releaseReadiness": {
     "isReady": true,
     "blockers": [],
-    "summary": "Weekly governance posture is ready for maintenance releases."
+    "summary": "Weekly governance posture is ready for maintenance releases with frontend and backend governance surfaces verified."
   },
   "artifact": {
     "path": "E:\\Project\\Agentic-Senior-Core\\.agent-context\\state\\weekly-governance-report.json",
@@ -121,6 +304,26 @@
       "verifiedSkillDomainCount": 5,
       "releaseFrequencyPercent": 38.89,
       "rollbackFrequencyPercent": 5.56
+    },
+    {
+      "generatedAt": "2026-04-25T06:41:17.654Z",
+      "readinessStatus": "ready",
+      "blockerCount": 0,
+      "gatePassRatePercent": 100,
+      "verifiedSkillDomainCount": 16,
+      "backendVerifiedSurfaceCount": 9,
+      "releaseFrequencyPercent": 60,
+      "rollbackFrequencyPercent": 3.33
+    },
+    {
+      "generatedAt": "2026-04-25T09:59:20.980Z",
+      "readinessStatus": "ready",
+      "blockerCount": 0,
+      "gatePassRatePercent": 100,
+      "verifiedSkillDomainCount": 16,
+      "backendVerifiedSurfaceCount": 9,
+      "releaseFrequencyPercent": 60,
+      "rollbackFrequencyPercent": 3.33
     }
   ]
 }

package/.cursorrules

@@ -1,6 +1,6 @@
 # AGENTIC-SENIOR-CORE DYNAMIC GOVERNANCE RULESET
 
-Generated by Agentic-Senior-Core CLI v3.0.26
+Generated by Agentic-Senior-Core CLI v3.0.27
 Timestamp: 2026-04-24T06:02:48.303Z
 Selected policy file: .agent-context/policies/llm-judge-threshold.json
 

package/.gemini/instructions.md

@@ -2,7 +2,7 @@
 
 Adapter Mode: thin
 Adapter Source: .instructions.md
-Canonical Snapshot SHA256: e6984d32169e98e32c9e6b6d6209bb2613b63b22d1e66af63a70788be00c55d5
+Canonical Snapshot SHA256: 11eeafb3ff6a0977785e3668a704c6bba543b515d2828c02de8276f6cf1c391c
 
 Canonical policy source: [.instructions.md](../.instructions.md).
 
@@ -10,6 +10,7 @@ If your host stops at this file, follow this minimum floor:
 - Read `.agent-instructions.md` next when it exists.
 - For UI or redesign requests, load [.agent-context/prompts/bootstrap-design.md](../.agent-context/prompts/bootstrap-design.md) and [.agent-context/rules/frontend-architecture.md](../.agent-context/rules/frontend-architecture.md) before coding.
 - If UI scope and `docs/DESIGN.md` or `docs/design-intent.json` is missing, materialize them before UI implementation.
+- For backend/API/data/auth/event requests, load relevant global rules from [.agent-context/rules/](../.agent-context/rules) and do not create stack-specific governance adapters.
 - Memory continuity is host-dependent project memory and does not replace bootstrap loading.
 
 ## Bootstrap Sequence
@@ -20,7 +21,7 @@ If your host stops at this file, follow this minimum floor:
 4. Load request templates from [.agent-context/prompts/](../.agent-context/prompts).
 5. Apply review contracts from [.agent-context/review-checklists/](../.agent-context/review-checklists).
 6. Apply state awareness from [.agent-context/state/](../.agent-context/state) and policy thresholds from [.agent-context/policies/](../.agent-context/policies).
-7. Resolve stack, structure, and dependency choices from project context docs plus live evidence.
+7. Resolve runtime, structure, and dependency choices from project context docs plus live evidence.
 
 ## Completion Gate
 

package/.github/copilot-instructions.md

@@ -2,7 +2,7 @@
 
 Adapter Mode: thin
 Adapter Source: .instructions.md
-Canonical Snapshot SHA256: e6984d32169e98e32c9e6b6d6209bb2613b63b22d1e66af63a70788be00c55d5
+Canonical Snapshot SHA256: 11eeafb3ff6a0977785e3668a704c6bba543b515d2828c02de8276f6cf1c391c
 
 The canonical policy source for this repository is [.instructions.md](../.instructions.md).
 
@@ -10,6 +10,7 @@ If your host stops at this file, follow this minimum floor:
 - Read `.agent-instructions.md` next when it exists.
 - For UI or redesign requests, load [.agent-context/prompts/bootstrap-design.md](../.agent-context/prompts/bootstrap-design.md) and [.agent-context/rules/frontend-architecture.md](../.agent-context/rules/frontend-architecture.md) before coding.
 - If UI scope and `docs/DESIGN.md` or `docs/design-intent.json` is missing, materialize them before UI implementation.
+- For backend/API/data/auth/event requests, load relevant global rules from [.agent-context/rules/](../.agent-context/rules) and do not create stack-specific governance adapters.
 - Memory continuity is host-dependent project memory and does not replace bootstrap loading.
 
 ## Required Load Order
@@ -20,7 +21,7 @@ If your host stops at this file, follow this minimum floor:
 4. Load request templates from [.agent-context/prompts/](../.agent-context/prompts).
 5. Apply review contracts from [.agent-context/review-checklists/](../.agent-context/review-checklists).
 6. Apply state awareness from [.agent-context/state/](../.agent-context/state) and thresholds from [.agent-context/policies/](../.agent-context/policies).
-7. Resolve stack, structure, and dependency choices from project context docs plus live evidence.
+7. Resolve runtime, structure, and dependency choices from project context docs plus live evidence.
 
 ## Completion Gate
 

package/.instructions.md

@@ -40,12 +40,27 @@ Available engineering rule files:
 
 **What to do**: Resolve only the rule files relevant to the current task. Do not read the entire rule directory by default. For UI-only work, start with `bootstrap-design.md` and `frontend-architecture.md` and keep backend or DevOps rules unloaded unless the task explicitly crosses those boundaries. For Docker or Compose work, load `docker-runtime.md` and verify the latest official Docker docs before authoring container assets. For framework or package setup work, use the latest stable compatible dependency set and official setup flow unless a documented compatibility constraint blocks it.
 
+### Global Backend/API Governance Routing
+
+This is global governance, not a stack-specific adapter system. Do not create Nest, Laravel, FastAPI, Express, Go, Ruby, PHP, Java, or framework-specific baseline adapters from this repository. The LLM may use its general knowledge and current official docs when a concrete project already uses a tool, but the governance layer stays architecture- and runtime-agnostic.
+
+When backend/API work is in scope, load only the relevant global rule files:
+
+- Data, schema, repository, ORM, query, transaction, migration, pagination, or persistence scope: load `architecture.md`, `database-design.md`, `performance.md`, and `testing.md`.
+- Endpoint, controller, route handler, public API, request/response contract, validation failure, or API error scope: load `architecture.md`, `api-docs.md`, `error-handling.md`, `security.md`, and `testing.md`.
+- Authentication, authorization, secrets, user input, webhook, upload, session, token, or permission scope: load `security.md`, `error-handling.md`, and `testing.md`.
+- Queue, worker, cron, event stream, message broker, async workflow, retry, or cross-system mutation scope: load `event-driven.md`, `database-design.md`, `error-handling.md`, `performance.md`, and `testing.md`.
+- Multi-service, distributed consistency, service boundary, or cross-domain data ownership scope: load `microservices.md`, `event-driven.md`, `database-design.md`, `api-docs.md`, and `architecture.md`.
+
+If multiple bullets match, load the union once, then implement against the project framework already present. Do not expand into unrelated stack guides just because a runtime name appears.
+
 ### Layer 2: Runtime Decision Signals (Dynamic)
 
 **Location**: dynamic runtime intelligence from project context, repository evidence, and live research.
 
 Runtime signals are evidence gates, not style cues or popularity rankings.
 Do not force the project into a listed stack when repository evidence, delivery constraints, or ecosystem reality require another shape.
+Runtime evidence must not become per-stack governance. Use it to understand the project that already exists, not to choose or inject framework-specific rule adapters.
 
 **What to do**: For fresh projects, recommend the runtime/framework from the first brief, current constraints, and live official documentation before coding. For existing projects, inspect repo evidence directly and treat detected markers as evidence only, not migration or design direction. Ignore pattern frequency, external rankings, and remembered defaults.
 
@@ -203,7 +218,7 @@ Why Required: [why the boundary protects the project]
 Verify that all nine layers are reachable:
 
 - Layer 1: Rules
-- Layer 2: Stack Strategy Signals
+- Layer 2: Runtime Decision Signals
 - Layer 3: Structural Planning Signals
 - Layer 4: Execution Contracts
 - Layer 5: Prompts

package/.windsurfrules

@@ -1,6 +1,6 @@
 # AGENTIC-SENIOR-CORE DYNAMIC GOVERNANCE RULESET
 
-Generated by Agentic-Senior-Core CLI v3.0.26
+Generated by Agentic-Senior-Core CLI v3.0.27
 Timestamp: 2026-04-24T06:02:48.303Z
 Selected policy file: .agent-context/policies/llm-judge-threshold.json
 

package/AGENTS.md

@@ -2,7 +2,7 @@
 
 Adapter Mode: thin
 Adapter Source: .instructions.md
-Canonical Snapshot SHA256: e6984d32169e98e32c9e6b6d6209bb2613b63b22d1e66af63a70788be00c55d5
+Canonical Snapshot SHA256: 11eeafb3ff6a0977785e3668a704c6bba543b515d2828c02de8276f6cf1c391c
 
 This file is an adapter entrypoint for agent discovery.
 The canonical policy source is [.instructions.md](.instructions.md).
@@ -15,8 +15,9 @@ If your host stops at this file instead of following the full chain, obey the Cr
 - Memory continuity does not replace bootstrap loading. It is host-dependent project memory, not a guarantee that instructions were reloaded for this session.
 - For UI, UX, layout, screen, tailwind, frontend, or redesign requests: load [.agent-context/prompts/bootstrap-design.md](.agent-context/prompts/bootstrap-design.md) and [.agent-context/rules/frontend-architecture.md](.agent-context/rules/frontend-architecture.md) before editing code.
 - For UI scope: if `docs/DESIGN.md` or `docs/design-intent.json` is missing, materialize or refine them before implementing UI changes.
+- For backend, API, data, auth, error, event, queue, worker, or distributed-system requests: load the relevant global rules from [.agent-context/rules/](.agent-context/rules); do not create stack-specific governance adapters.
 - For refactor, improve, clean up, or fix requests: inspect the active rules and propose a plan before editing.
-- For new project or module requests: clarify constraints, stack decisions, and required docs before generating code.
+- For new project or module requests: clarify constraints, runtime decisions, and required docs before generating code.
 - For ecosystem, framework, dependency, or Docker claims: perform live web research instead of relying on stale local heuristics.
 
 ## Mandatory Bootstrap Chain
@@ -28,7 +29,7 @@ If your host stops at this file instead of following the full chain, obey the Cr
 5. Enforce review contracts from [.agent-context/review-checklists/](.agent-context/review-checklists).
 6. Read change-risk maps and continuity state from [.agent-context/state/](.agent-context/state).
 7. Enforce policy thresholds from [.agent-context/policies/](.agent-context/policies).
-8. Use dynamic stack, structure, and live research signals from project context docs.
+8. Use runtime evidence, structure, and live research signals from project context docs.
 
 ## Trigger Rules
 

package/lib/cli/commands/init.mjs

@@ -429,6 +429,7 @@ export async function runInitCommand(targetDirectoryArgument, initOptions = {})
           '.github/copilot-instructions.md',
         ],
         stackLoadingMode: 'lazy',
+        domainRuleLoadingMode: 'lazy',
         selectedProfile: selectedPolicyProfileName,
         selectedProfileDisplayName: selectedPolicyProfile.displayName,
         blockingSeverities: selectedPolicyProfile.blockingSeverities,

package/lib/cli/commands/upgrade.mjs

@@ -253,6 +253,7 @@ export async function runUpgradeCommand(targetDirectoryArgument, upgradeOptions
         canonicalSource: '.instructions.md',
         compiledEntrypoints: ['.cursorrules', '.windsurfrules'],
         stackLoadingMode: 'lazy',
+        domainRuleLoadingMode: 'lazy',
         selectedProfile: selectedProfileName,
         selectedProfileDisplayName: toTitleCase(selectedProfileName),
         blockingSeverities: PROFILE_PRESETS[selectedProfileName]?.blockingSeverities || [],

package/lib/cli/compiler.mjs

@@ -88,6 +88,7 @@ export async function writeOnboardingReport({
     ruleLoadingPolicy: {
       canonicalSource: '.instructions.md',
       stackLoadingMode: 'lazy',
+      domainRuleLoadingMode: 'lazy',
       loadedOnDemand: true,
       primaryStack: hasExplicitRuntimeDecision ? selectedStackFileName : null,
       additionalStacks: hasExplicitRuntimeDecision ? selectedAdditionalStackFileNames : [],
@@ -241,14 +242,14 @@ export async function buildCompiledRulesContent({
   if (hasExplicitRuntimeDecision && normalizedAdditionalStackFileNames.length > 0) {
     contextBlocks.push(
       [
-        '## LAYER 2B: ADDITIONAL STACK PROFILES',
-        'This project uses multiple stacks. Load all additional stack profiles below:',
+        '## LAYER 2B: ADDITIONAL RUNTIME EVIDENCE',
+        'This project has multiple runtime constraints. Load additional runtime evidence below only when the task touches that runtime:',
         ...normalizedAdditionalStackFileNames.map((stackFileName, stackIndex) => {
           if (availableStackProfileFileNames.has(stackFileName)) {
             return `${stackIndex + 1}. stack-profile:${stackFileName}`;
           }
 
-          return `${stackIndex + 1}. ${stackFileName} (dynamic stack signal)`;
+          return `${stackIndex + 1}. ${stackFileName} (runtime evidence signal)`;
         }),
       ].join('\n')
     );
@@ -261,16 +262,16 @@ export async function buildCompiledRulesContent({
         ? `Primary runtime constraint: ${selectedStackFileName}`
         : 'Primary runtime constraint: unresolved until agent recommendation is approved',
       normalizedAdditionalStackFileNames.length > 0
-        ? `Additional stack profiles load on demand: ${normalizedAdditionalStackFileNames.map((stackFileName) => {
+        ? `Additional runtime evidence loads on demand: ${normalizedAdditionalStackFileNames.map((stackFileName) => {
           if (availableStackProfileFileNames.has(stackFileName)) {
             return `stack-profile:${stackFileName}`;
           }
 
-          return `${stackFileName} (dynamic signal)`;
+          return `${stackFileName} (runtime evidence signal)`;
         }).join(', ')}`
-        : 'Additional runtime guidance loads only when explicitly selected by the user or required by touched code.',
-      'Load runtime-specific guidance only when task scope touches that runtime.',
-      'Avoid eager loading unrelated runtime guidance to prevent instruction conflicts.',
+        : 'No stack-specific governance adapter is loaded by default.',
+      'Load global domain rules only when task scope touches that domain.',
+      'Avoid eager loading unrelated runtime or domain guidance to prevent instruction conflicts.',
     ].join('\n')
   );
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ryuenn3123/agentic-senior-core",
-  "version": "3.0.26",
+  "version": "3.0.27",
   "type": "module",
   "description": "Force your AI Agent to code like a Staff Engineer, not a Junior.",
   "bin": {

package/scripts/governance-weekly-report.mjs

@@ -22,8 +22,22 @@ const ARGUMENT_FLAGS = new Set(process.argv.slice(2));
 const isStdoutOnlyMode = ARGUMENT_FLAGS.has('--stdout-only');
 const WEEKLY_WINDOW_DAYS = 7;
 const HISTORY_LIMIT = 26;
+const BACKEND_REQUIRED_DOMAIN_NAMES = new Set([
+  'backend-architecture',
+  'backend-security',
+  'backend-data-access',
+  'backend-error-handling',
+  'backend-api-contract',
+  'backend-testing',
+  'backend-performance',
+  'backend-idempotency',
+  'backend-risk-map',
+]);
 const REQUIRED_VERIFIED_DOMAINS = new Set([
   'canonical-instructions',
+  'frontend-design-contract',
+  'frontend-architecture',
+  ...Array.from(BACKEND_REQUIRED_DOMAIN_NAMES),
   'pr-checklist',
   'architecture-review',
   'mcp-server',
@@ -31,11 +45,100 @@ const REQUIRED_VERIFIED_DOMAINS = new Set([
 ]);
 const GOVERNANCE_SURFACE_PATHS = {
   'canonical-instructions': '.instructions.md',
+  'frontend-design-contract': '.agent-context/prompts/bootstrap-design.md',
+  'frontend-architecture': '.agent-context/rules/frontend-architecture.md',
+  'backend-architecture': '.agent-context/rules/architecture.md',
+  'backend-security': '.agent-context/rules/security.md',
+  'backend-data-access': '.agent-context/rules/database-design.md',
+  'backend-error-handling': '.agent-context/rules/error-handling.md',
+  'backend-api-contract': '.agent-context/rules/api-docs.md',
+  'backend-testing': '.agent-context/rules/testing.md',
+  'backend-performance': '.agent-context/rules/performance.md',
+  'backend-idempotency': '.agent-context/rules/event-driven.md',
+  'backend-risk-map': '.agent-context/state/architecture-map.md',
   'pr-checklist': '.agent-context/review-checklists/pr-checklist.md',
   'architecture-review': '.agent-context/review-checklists/architecture-review.md',
   'mcp-server': 'scripts/mcp-server.mjs',
   'state-continuity': '.agent-context/state',
 };
+const BACKEND_GOVERNANCE_COVERAGE = [
+  {
+    constraint: 'Layered architecture and separation of concerns',
+    status: 'covered',
+    sourcePaths: [
+      '.agent-context/rules/architecture.md',
+      '.agent-context/review-checklists/architecture-review.md',
+    ],
+    signal: 'Transport, application, domain, and infrastructure boundaries are explicit.',
+  },
+  {
+    constraint: 'Global backend/API rule routing',
+    status: 'strengthened',
+    sourcePaths: [
+      '.instructions.md',
+      '.agent-context/rules/architecture.md',
+      '.agent-context/prompts/refactor.md',
+    ],
+    signal: 'Backend/API governance routes by problem domain and stays stack-agnostic; no stack-specific governance adapters are created.',
+  },
+  {
+    constraint: 'Zero-trust input validation',
+    status: 'strengthened',
+    sourcePaths: [
+      '.agent-context/rules/security.md',
+      '.agent-context/review-checklists/pr-checklist.md',
+    ],
+    signal: 'User-controlled body, query, params, headers, cookies, files, webhooks, and job payloads must be validated before service logic.',
+  },
+  {
+    constraint: 'Data access performance and integrity',
+    status: 'strengthened',
+    sourcePaths: [
+      '.agent-context/rules/database-design.md',
+      '.agent-context/rules/performance.md',
+      '.agent-context/state/architecture-map.md',
+    ],
+    signal: 'Backend reads must avoid N+1 and unbounded list responses; multi-write mutations need transaction or recovery evidence.',
+  },
+  {
+    constraint: 'Distributed consistency and outbox safety',
+    status: 'strengthened',
+    sourcePaths: [
+      '.agent-context/rules/event-driven.md',
+      '.agent-context/rules/database-design.md',
+      '.agent-context/rules/microservices.md',
+    ],
+    signal: 'Dual-write flows need outbox or equivalent replay safety, and cross-service consistency must define saga, compensation, or recovery behavior instead of defaulting to two-phase commit.',
+  },
+  {
+    constraint: 'Safe centralized API errors',
+    status: 'strengthened',
+    sourcePaths: [
+      '.agent-context/rules/error-handling.md',
+      '.agent-context/rules/api-docs.md',
+    ],
+    signal: 'HTTP/API responses use safe machine-readable error shapes, may align with RFC 9457 Problem Details, and preserve safe trace/correlation identifiers without leaking internals.',
+  },
+  {
+    constraint: 'Sensitive mutation idempotency',
+    status: 'strengthened',
+    sourcePaths: [
+      '.agent-context/rules/api-docs.md',
+      '.agent-context/rules/testing.md',
+      '.agent-context/rules/event-driven.md',
+    ],
+    signal: 'Payments, orders, status changes, and other risky mutations must document and test duplicate-submit behavior.',
+  },
+  {
+    constraint: 'API contract and behavior testing',
+    status: 'strengthened',
+    sourcePaths: [
+      '.agent-context/rules/testing.md',
+      '.agent-context/review-checklists/pr-checklist.md',
+    ],
+    signal: 'API tests cover validation, auth, documented error shapes, pagination defaults, empty states, and mutation retry safety.',
+  },
+];
 
 function readJsonOrNull(filePath) {
   if (!existsSync(filePath)) {
@@ -194,6 +297,37 @@ async function collectSkillTrustSignals() {
   };
 }
 
+function buildBackendGovernancePosture(skillTrustSignals) {
+  const backendSurfaceRows = skillTrustSignals.domains.filter((trustRow) => {
+    return BACKEND_REQUIRED_DOMAIN_NAMES.has(trustRow.domain);
+  });
+  const missingBackendSurfaceNames = backendSurfaceRows
+    .filter((trustRow) => trustRow.tier !== 'verified')
+    .map((trustRow) => trustRow.domain);
+  const verifiedSurfaceCount = backendSurfaceRows.length - missingBackendSurfaceNames.length;
+
+  return {
+    status: missingBackendSurfaceNames.length === 0 ? 'verified' : 'needs-attention',
+    summary: missingBackendSurfaceNames.length === 0
+      ? 'Backend governance is verified across architecture, security, data access, error handling, API contracts, testing, performance, idempotency, and risk-map surfaces.'
+      : 'Backend governance is missing one or more required surfaces.',
+    requiredSurfaceCount: backendSurfaceRows.length,
+    verifiedSurfaceCount,
+    missingSurfaceNames: missingBackendSurfaceNames,
+    coverage: BACKEND_GOVERNANCE_COVERAGE,
+    developmentFocus: [
+      {
+        focus: 'Keep backend guidance global and stack-agnostic.',
+        reason: 'The repo should enforce architecture, security, API, data, error, event, and testing thinking without building Nest, Laravel, FastAPI, Express, Go, or other stack-specific governance adapters.',
+      },
+      {
+        focus: 'Use framework facts only when implementing inside an existing project.',
+        reason: 'LLMs can apply current ecosystem knowledge directly; governance should route the relevant global constraints instead of acting as a stack detector.',
+      },
+    ],
+  };
+}
+
 function buildBlockers(qualityTrendReport, skillTrustSignals, commitSignals) {
   const blockers = [];
 
@@ -222,6 +356,7 @@ function buildHistoryEntry(weeklyReport) {
     blockerCount: weeklyReport.releaseReadiness.blockers.length,
     gatePassRatePercent: weeklyReport.qualitySignals.governanceHealth.gatePassRatePercent,
     verifiedSkillDomainCount: weeklyReport.skillTrust.tierCounts.verified,
+    backendVerifiedSurfaceCount: weeklyReport.backendGovernance?.verifiedSurfaceCount ?? null,
     releaseFrequencyPercent: weeklyReport.commitSignals.releaseFrequencyPercent,
     rollbackFrequencyPercent: weeklyReport.commitSignals.rollbackFrequencyPercent,
   };
@@ -243,6 +378,7 @@ async function runWeeklyGovernanceReport() {
   const qualityTrendReport = qualityTrendState.report;
 
   const skillTrustSignals = await collectSkillTrustSignals();
+  const backendGovernance = buildBackendGovernancePosture(skillTrustSignals);
   const commitSignals = collectCommitSignals(WEEKLY_WINDOW_DAYS);
   const blockers = buildBlockers(qualityTrendReport, skillTrustSignals, commitSignals);
 
@@ -267,12 +403,13 @@ async function runWeeklyGovernanceReport() {
       tokenEfficiency: qualityTrendReport?.tokenEfficiency || null,
     },
     skillTrust: skillTrustSignals,
+    backendGovernance,
     commitSignals,
     releaseReadiness: {
       isReady: blockers.length === 0,
       blockers,
       summary: blockers.length === 0
-        ? 'Weekly governance posture is ready for maintenance releases.'
+        ? 'Weekly governance posture is ready for maintenance releases with frontend and backend governance surfaces verified.'
         : 'Weekly governance posture is blocked by unresolved readiness signals.',
     },
     artifact: {

package/scripts/release-gate/audit-checks.mjs

@@ -312,7 +312,7 @@ export function runAuditReleaseChecks(results, diagnostics) {
       singleSourceLazyLoadingAuditExecution.report?.lazyRuleLoading?.enforced === true,
       'lazy-rule-loading-hard-rule',
       singleSourceLazyLoadingAuditExecution.report?.lazyRuleLoading?.enforced === true
-        ? 'Language-specific guidance is loaded lazily by detected scope'
+        ? 'Global domain governance is loaded lazily by touched scope'
         : 'Lazy rule loading enforcement failed in single-source lazy-loading audit'
     );
     pushResult(

package/scripts/release-gate/constants.mjs

@@ -32,17 +32,24 @@ export const REQUIRED_BACKEND_ARCHITECTURE_RULE_SNIPPETS = [
   'No premature abstraction.',
   'Readability over brevity.',
   'backend and shared core modules',
+  'Do not create or load stack-specific governance adapters as the baseline.',
 ];
 
 export const REQUIRED_BACKEND_REVIEW_CHECKLIST_SNIPPETS = [
   'No clever hacks in backend and shared core modules',
   'No premature abstraction (base classes/util layers created only after repeated stable patterns)',
   'Readability over brevity for maintainability',
+  'Controllers, route handlers, and transport adapters do not contain business policy',
+  'Sensitive mutations include idempotency or duplicate-submit coverage',
+  'Backend/API governance was applied through global domain rules',
 ];
 
 export const REQUIRED_REFACTOR_PROMPT_SNIPPETS = [
   'Enforce backend universal principles: no clever hacks, no premature abstraction, readability over brevity.',
   'Prioritize maintainability over compressed one-liners.',
+  'zero-trust input validation',
+  'idempotency for sensitive mutations',
+  'Backend/API governance is global and stack-agnostic.',
 ];
 
 export const REQUIRED_ARCHITECTURE_REVIEW_CHECKLIST_SNIPPETS = [
@@ -50,4 +57,8 @@ export const REQUIRED_ARCHITECTURE_REVIEW_CHECKLIST_SNIPPETS = [
   'No clever hacks in backend and shared core modules',
   'No premature abstraction',
   'Readability over brevity',
+  'Service or use-case code owns orchestration',
+  'Relational reads avoid N+1 patterns',
+  'Global backend/API governance is used directly',
+  'Dual-write database plus message flows use an outbox',
 ];

package/scripts/rules-guardian-audit.mjs

@@ -67,7 +67,7 @@ const REQUIRED_PR_CHECKLIST_SNIPPETS = [
 
 const REQUIRED_REVIEW_PROMPT_SNIPPETS = [
   'Review the code with a production-risk mindset.',
-  'Do not invent stack-specific concerns unless the repo or changed files prove they apply.',
+  'Do not create stack-specific governance concerns.',
 ];
 
 function pushResult(results, isPassed, checkName, details) {

package/scripts/single-source-lazy-loading-audit.mjs

@@ -5,7 +5,7 @@
  *
  * Enforces V3.0-010 policy:
  * - One canonical rule source is explicitly defined and enforced.
- * - Language-specific rule guidance loads lazily by detected scope.
+ * - Global domain governance loads lazily by touched scope.
  * - Conflicting duplicate instruction paths are prevented.
  */
 
@@ -60,24 +60,24 @@ const MAX_EAGER_STACK_MENTIONS = 4;
 const REQUIRED_ARCHITECTURE_RULE_SNIPPETS = [
   '## Single Source of Truth and Lazy Rule Loading',
   'Canonical rule source is .instructions.md.',
-  'Load language-specific stack guidance lazily based on detected scope.',
-  'Do not preload unrelated stack profiles during normal flow.',
+  'Load global domain rules lazily based on touched scope.',
+  'Do not create or load stack-specific governance adapters as the baseline.',
 ];
 
 const REQUIRED_PR_CHECKLIST_SNIPPETS = [
   'Canonical rule source is explicitly defined and enforced',
-  'Language-specific guidance is loaded lazily based on detected scope',
+  'Global domain governance is loaded lazily based on touched scope',
   'No conflicting duplicate rule instructions during normal flow',
 ];
 
 const REQUIRED_REVIEW_PROMPT_SNIPPETS = [
-  'Enforce single-source and lazy-loading policy: canonical rule source must be explicitly enforced, language-specific guidance must load lazily based on detected scope, and conflicting duplicate rule instructions must not appear during normal flow.',
+  'Enforce single-source and lazy-loading policy: canonical rule source must be explicitly enforced, global domain governance must load lazily based on touched scope, and conflicting duplicate rule instructions must not appear during normal flow.',
 ];
 
 const REQUIRED_COMPILER_SNIPPETS = [
   '## LAYER 2 POLICY: LAZY RULE LOADING',
-  'Load runtime-specific guidance only when task scope touches that runtime.',
-  'Avoid eager loading unrelated runtime guidance to prevent instruction conflicts.',
+  'Load global domain rules only when task scope touches that domain.',
+  'Avoid eager loading unrelated runtime or domain guidance to prevent instruction conflicts.',
   "stackLoadingMode: 'lazy'",
 ];
 
@@ -377,6 +377,7 @@ function runAudit() {
     if (lazyPolicy
       && lazyPolicy.canonicalSource === CANONICAL_SOURCE_PATH
       && lazyPolicy.stackLoadingMode === 'lazy'
+      && (lazyPolicy.domainRuleLoadingMode === 'lazy' || typeof lazyPolicy.domainRuleLoadingMode === 'undefined')
       && lazyPolicy.loadedOnDemand === true) {
       onboardingLazyPolicyMode = 'explicit-lazy-policy';
       onboardingLazyPolicyValidated = true;
@@ -478,7 +479,7 @@ function runAudit() {
     && !eagerLoadingDetected;
 
   if (lazyRuleLoadingEnforced) {
-    pushResult(results, true, 'lazy-rule-loading-hard-rule', 'Language-specific guidance is loaded lazily by detected scope');
+    pushResult(results, true, 'lazy-rule-loading-hard-rule', 'Global domain governance is loaded lazily by touched scope');
   } else {
     failures.push('Lazy rule loading hard-rule is not fully enforced');
     pushResult(results, false, 'lazy-rule-loading-hard-rule', 'Lazy loading enforcement failed');
@@ -514,6 +515,7 @@ function runAudit() {
       onboardingPolicyValidated: onboardingLazyPolicyValidated,
       eagerLoadingDetected,
       maxAllowedStackMentions: MAX_EAGER_STACK_MENTIONS,
+      globalDomainGovernance: true,
     },
     duplicationPolicy: {
       noConflictingDuplicates,

package/scripts/sync-thin-adapters.mjs

@@ -44,8 +44,9 @@ If your host stops at this file instead of following the full chain, obey the Cr
 - Memory continuity does not replace bootstrap loading. It is host-dependent project memory, not a guarantee that instructions were reloaded for this session.
 - For UI, UX, layout, screen, tailwind, frontend, or redesign requests: load [.agent-context/prompts/bootstrap-design.md](.agent-context/prompts/bootstrap-design.md) and [.agent-context/rules/frontend-architecture.md](.agent-context/rules/frontend-architecture.md) before editing code.
 - For UI scope: if \`docs/DESIGN.md\` or \`docs/design-intent.json\` is missing, materialize or refine them before implementing UI changes.
+- For backend, API, data, auth, error, event, queue, worker, or distributed-system requests: load the relevant global rules from [.agent-context/rules/](.agent-context/rules); do not create stack-specific governance adapters.
 - For refactor, improve, clean up, or fix requests: inspect the active rules and propose a plan before editing.
-- For new project or module requests: clarify constraints, stack decisions, and required docs before generating code.
+- For new project or module requests: clarify constraints, runtime decisions, and required docs before generating code.
 - For ecosystem, framework, dependency, or Docker claims: perform live web research instead of relying on stale local heuristics.
 
 ## Mandatory Bootstrap Chain
@@ -57,7 +58,7 @@ If your host stops at this file instead of following the full chain, obey the Cr
 5. Enforce review contracts from [.agent-context/review-checklists/](.agent-context/review-checklists).
 6. Read change-risk maps and continuity state from [.agent-context/state/](.agent-context/state).
 7. Enforce policy thresholds from [.agent-context/policies/](.agent-context/policies).
-8. Use dynamic stack, structure, and live research signals from project context docs.
+8. Use runtime evidence, structure, and live research signals from project context docs.
 
 ## Trigger Rules
 
@@ -82,6 +83,7 @@ If your host stops at this file, follow this minimum floor:
 - Read \`.agent-instructions.md\` next when it exists.
 - For UI or redesign requests, load [.agent-context/prompts/bootstrap-design.md](../.agent-context/prompts/bootstrap-design.md) and [.agent-context/rules/frontend-architecture.md](../.agent-context/rules/frontend-architecture.md) before coding.
 - If UI scope and \`docs/DESIGN.md\` or \`docs/design-intent.json\` is missing, materialize them before UI implementation.
+- For backend/API/data/auth/event requests, load relevant global rules from [.agent-context/rules/](../.agent-context/rules) and do not create stack-specific governance adapters.
 - Memory continuity is host-dependent project memory and does not replace bootstrap loading.
 
 ## Required Load Order
@@ -92,7 +94,7 @@ If your host stops at this file, follow this minimum floor:
 4. Load request templates from [.agent-context/prompts/](../.agent-context/prompts).
 5. Apply review contracts from [.agent-context/review-checklists/](../.agent-context/review-checklists).
 6. Apply state awareness from [.agent-context/state/](../.agent-context/state) and thresholds from [.agent-context/policies/](../.agent-context/policies).
-7. Resolve stack, structure, and dependency choices from project context docs plus live evidence.
+7. Resolve runtime, structure, and dependency choices from project context docs plus live evidence.
 
 ## Completion Gate
 
@@ -113,6 +115,7 @@ If your host stops at this file, follow this minimum floor:
 - Read \`.agent-instructions.md\` next when it exists.
 - For UI or redesign requests, load [.agent-context/prompts/bootstrap-design.md](../.agent-context/prompts/bootstrap-design.md) and [.agent-context/rules/frontend-architecture.md](../.agent-context/rules/frontend-architecture.md) before coding.
 - If UI scope and \`docs/DESIGN.md\` or \`docs/design-intent.json\` is missing, materialize them before UI implementation.
+- For backend/API/data/auth/event requests, load relevant global rules from [.agent-context/rules/](../.agent-context/rules) and do not create stack-specific governance adapters.
 - Memory continuity is host-dependent project memory and does not replace bootstrap loading.
 
 ## Bootstrap Sequence
@@ -123,7 +126,7 @@ If your host stops at this file, follow this minimum floor:
 4. Load request templates from [.agent-context/prompts/](../.agent-context/prompts).
 5. Apply review contracts from [.agent-context/review-checklists/](../.agent-context/review-checklists).
 6. Apply state awareness from [.agent-context/state/](../.agent-context/state) and policy thresholds from [.agent-context/policies/](../.agent-context/policies).
-7. Resolve stack, structure, and dependency choices from project context docs plus live evidence.
+7. Resolve runtime, structure, and dependency choices from project context docs plus live evidence.
 
 ## Completion Gate