@ryuenn3123/agentic-senior-core 3.0.26 → 3.0.28

package/.gemini/instructions.md

@@ -2,7 +2,7 @@
 
 Adapter Mode: thin
 Adapter Source: .instructions.md
-Canonical Snapshot SHA256: e6984d32169e98e32c9e6b6d6209bb2613b63b22d1e66af63a70788be00c55d5
+Canonical Snapshot SHA256: f11969bd96625ecf86c6d02630aa485cd54ead44544f15daf525b72bfc38653f
 
 Canonical policy source: [.instructions.md](../.instructions.md).
 
@@ -10,6 +10,7 @@ If your host stops at this file, follow this minimum floor:
 - Read `.agent-instructions.md` next when it exists.
 - For UI or redesign requests, load [.agent-context/prompts/bootstrap-design.md](../.agent-context/prompts/bootstrap-design.md) and [.agent-context/rules/frontend-architecture.md](../.agent-context/rules/frontend-architecture.md) before coding.
 - If UI scope and `docs/DESIGN.md` or `docs/design-intent.json` is missing, materialize them before UI implementation.
+- For backend/API/data/auth/event requests, load relevant global rules from [.agent-context/rules/](../.agent-context/rules) and do not create stack-specific governance adapters.
 - Memory continuity is host-dependent project memory and does not replace bootstrap loading.
 
 ## Bootstrap Sequence
@@ -20,7 +21,7 @@ If your host stops at this file, follow this minimum floor:
 4. Load request templates from [.agent-context/prompts/](../.agent-context/prompts).
 5. Apply review contracts from [.agent-context/review-checklists/](../.agent-context/review-checklists).
 6. Apply state awareness from [.agent-context/state/](../.agent-context/state) and policy thresholds from [.agent-context/policies/](../.agent-context/policies).
-7. Resolve stack, structure, and dependency choices from project context docs plus live evidence.
+7. Resolve runtime, structure, and dependency choices from project context docs plus live evidence.
 
 ## Completion Gate
 

package/.github/copilot-instructions.md

@@ -2,7 +2,7 @@
 
 Adapter Mode: thin
 Adapter Source: .instructions.md
-Canonical Snapshot SHA256: e6984d32169e98e32c9e6b6d6209bb2613b63b22d1e66af63a70788be00c55d5
+Canonical Snapshot SHA256: f11969bd96625ecf86c6d02630aa485cd54ead44544f15daf525b72bfc38653f
 
 The canonical policy source for this repository is [.instructions.md](../.instructions.md).
 
@@ -10,6 +10,7 @@ If your host stops at this file, follow this minimum floor:
 - Read `.agent-instructions.md` next when it exists.
 - For UI or redesign requests, load [.agent-context/prompts/bootstrap-design.md](../.agent-context/prompts/bootstrap-design.md) and [.agent-context/rules/frontend-architecture.md](../.agent-context/rules/frontend-architecture.md) before coding.
 - If UI scope and `docs/DESIGN.md` or `docs/design-intent.json` is missing, materialize them before UI implementation.
+- For backend/API/data/auth/event requests, load relevant global rules from [.agent-context/rules/](../.agent-context/rules) and do not create stack-specific governance adapters.
 - Memory continuity is host-dependent project memory and does not replace bootstrap loading.
 
 ## Required Load Order
@@ -20,7 +21,7 @@ If your host stops at this file, follow this minimum floor:
 4. Load request templates from [.agent-context/prompts/](../.agent-context/prompts).
 5. Apply review contracts from [.agent-context/review-checklists/](../.agent-context/review-checklists).
 6. Apply state awareness from [.agent-context/state/](../.agent-context/state) and thresholds from [.agent-context/policies/](../.agent-context/policies).
-7. Resolve stack, structure, and dependency choices from project context docs plus live evidence.
+7. Resolve runtime, structure, and dependency choices from project context docs plus live evidence.
 
 ## Completion Gate
 

package/.instructions.md

@@ -40,12 +40,27 @@ Available engineering rule files:
 
 **What to do**: Resolve only the rule files relevant to the current task. Do not read the entire rule directory by default. For UI-only work, start with `bootstrap-design.md` and `frontend-architecture.md` and keep backend or DevOps rules unloaded unless the task explicitly crosses those boundaries. For Docker or Compose work, load `docker-runtime.md` and verify the latest official Docker docs before authoring container assets. For framework or package setup work, use the latest stable compatible dependency set and official setup flow unless a documented compatibility constraint blocks it.
 
+### Global Backend/API Governance Routing
+
+This is global governance, not a stack-specific adapter system. Do not create Nest, Laravel, FastAPI, Express, Go, Ruby, PHP, Java, or framework-specific baseline adapters from this repository. The LLM may use its general knowledge and current official docs when a concrete project already uses a tool, but the governance layer stays architecture- and runtime-agnostic.
+
+When backend/API work is in scope, load only the relevant global rule files:
+
+- Data, schema, repository, ORM, query, transaction, migration, pagination, or persistence scope: load `architecture.md`, `database-design.md`, `performance.md`, and `testing.md`.
+- Endpoint, controller, route handler, public API, request/response contract, validation failure, or API error scope: load `architecture.md`, `api-docs.md`, `error-handling.md`, `security.md`, and `testing.md`.
+- Authentication, authorization, secrets, user input, webhook, upload, session, token, or permission scope: load `security.md`, `error-handling.md`, and `testing.md`.
+- Queue, worker, cron, event stream, message broker, async workflow, retry, or cross-system mutation scope: load `event-driven.md`, `database-design.md`, `error-handling.md`, `performance.md`, and `testing.md`.
+- Multi-service, distributed consistency, service boundary, or cross-domain data ownership scope: load `microservices.md`, `event-driven.md`, `database-design.md`, `api-docs.md`, and `architecture.md`.
+
+If multiple bullets match, load the union once, then implement against the project framework already present. Do not expand into unrelated stack guides just because a runtime name appears.
+
 ### Layer 2: Runtime Decision Signals (Dynamic)
 
 **Location**: dynamic runtime intelligence from project context, repository evidence, and live research.
 
 Runtime signals are evidence gates, not style cues or popularity rankings.
 Do not force the project into a listed stack when repository evidence, delivery constraints, or ecosystem reality require another shape.
+Runtime evidence must not become per-stack governance. Use it to understand the project that already exists, not to choose or inject framework-specific rule adapters.
 
 **What to do**: For fresh projects, recommend the runtime/framework from the first brief, current constraints, and live official documentation before coding. For existing projects, inspect repo evidence directly and treat detected markers as evidence only, not migration or design direction. Ignore pattern frequency, external rankings, and remembered defaults.
 
@@ -169,8 +184,9 @@ Use available MCP tools when you need validation, linting, or test execution.
 1. Read `.agent-context/prompts/bootstrap-design.md`.
 2. Read `.agent-context/rules/frontend-architecture.md`.
 3. Read UI-relevant repository evidence from `.agent-context/state/onboarding-report.json`, current UI code, and `docs/*`.
-4. Generate or refine `docs/DESIGN.md` plus `docs/design-intent.json` before UI implementation.
-5. Keep context isolated and do not eagerly load unrelated backend-only rules unless the task explicitly touches those boundaries.
+4. Before UI implementation, record a concrete creative commitment in the design contract: one specific real-world anchor reference, one signature motion behavior, and one typographic decision with meaningful role contrast.
+5. Generate or refine `docs/DESIGN.md` plus `docs/design-intent.json` before UI implementation.
+6. Keep context isolated and do not eagerly load unrelated backend-only rules unless the task explicitly touches those boundaries.
 
 ---
 
@@ -194,7 +210,8 @@ Why Required: [why the boundary protects the project]
 1. All relevant rules from `.agent-context/rules/` applied.
 2. Code reviewed against `.agent-context/review-checklists/pr-checklist.md` and `.agent-context/review-checklists/architecture-review.md`.
 3. Universal SOP hard gates satisfied (`docs/architecture-decision-record.md`, and `docs/DESIGN.md` plus `docs/design-intent.json` for UI scope).
-4. MCP validation passed (`npm run validate`).
+4. If `.agent-context/state/active-memory.json` exists and material project progress happened, refresh it directly before the final response: update current focus, durable achievements/issues/next actions/validation state, and `lastUpdatedAt` while preserving privacy rules and existing user-owned entries.
+5. MCP validation passed (`npm run validate`).
 
 ---
 
@@ -203,7 +220,7 @@ Why Required: [why the boundary protects the project]
 Verify that all nine layers are reachable:
 
 - Layer 1: Rules
-- Layer 2: Stack Strategy Signals
+- Layer 2: Runtime Decision Signals
 - Layer 3: Structural Planning Signals
 - Layer 4: Execution Contracts
 - Layer 5: Prompts

package/.windsurfrules

@@ -1,6 +1,6 @@
 # AGENTIC-SENIOR-CORE DYNAMIC GOVERNANCE RULESET
 
-Generated by Agentic-Senior-Core CLI v3.0.26
+Generated by Agentic-Senior-Core CLI v3.0.28
 Timestamp: 2026-04-24T06:02:48.303Z
 Selected policy file: .agent-context/policies/llm-judge-threshold.json
 

package/AGENTS.md

@@ -2,7 +2,7 @@
 
 Adapter Mode: thin
 Adapter Source: .instructions.md
-Canonical Snapshot SHA256: e6984d32169e98e32c9e6b6d6209bb2613b63b22d1e66af63a70788be00c55d5
+Canonical Snapshot SHA256: f11969bd96625ecf86c6d02630aa485cd54ead44544f15daf525b72bfc38653f
 
 This file is an adapter entrypoint for agent discovery.
 The canonical policy source is [.instructions.md](.instructions.md).
@@ -15,8 +15,9 @@ If your host stops at this file instead of following the full chain, obey the Cr
 - Memory continuity does not replace bootstrap loading. It is host-dependent project memory, not a guarantee that instructions were reloaded for this session.
 - For UI, UX, layout, screen, tailwind, frontend, or redesign requests: load [.agent-context/prompts/bootstrap-design.md](.agent-context/prompts/bootstrap-design.md) and [.agent-context/rules/frontend-architecture.md](.agent-context/rules/frontend-architecture.md) before editing code.
 - For UI scope: if `docs/DESIGN.md` or `docs/design-intent.json` is missing, materialize or refine them before implementing UI changes.
+- For backend, API, data, auth, error, event, queue, worker, or distributed-system requests: load the relevant global rules from [.agent-context/rules/](.agent-context/rules); do not create stack-specific governance adapters.
 - For refactor, improve, clean up, or fix requests: inspect the active rules and propose a plan before editing.
-- For new project or module requests: clarify constraints, stack decisions, and required docs before generating code.
+- For new project or module requests: clarify constraints, runtime decisions, and required docs before generating code.
 - For ecosystem, framework, dependency, or Docker claims: perform live web research instead of relying on stale local heuristics.
 
 ## Mandatory Bootstrap Chain
@@ -28,7 +29,7 @@ If your host stops at this file instead of following the full chain, obey the Cr
 5. Enforce review contracts from [.agent-context/review-checklists/](.agent-context/review-checklists).
 6. Read change-risk maps and continuity state from [.agent-context/state/](.agent-context/state).
 7. Enforce policy thresholds from [.agent-context/policies/](.agent-context/policies).
-8. Use dynamic stack, structure, and live research signals from project context docs.
+8. Use runtime evidence, structure, and live research signals from project context docs.
 
 ## Trigger Rules
 

package/README.md

@@ -10,10 +10,11 @@
 **Production-grade Rules Engine (Governance Engine) for AI coding agents.**
 Works with Cursor, Windsurf, GitHub Copilot, Claude Code, Gemini, and other LLM-powered IDE workflows.
 
-Latest release: 3.0.26 (2026-04-25).
+Latest release: 3.0.28 (2026-04-25).
 
-Highlights in 3.0.26:
-- Memory continuity now seeds `.agent-context/state/active-memory.json` once, so new sessions have a compact project-focus snapshot without overwriting active work during upgrade.
+Highlights in 3.0.28:
+- Memory continuity now requires agents to refresh `.agent-context/state/active-memory.json` directly at completion boundaries when material project progress happened.
+- UI design governance now forces an upfront creative commitment: a specific real-world anchor reference, signature motion, and typographic decision before compliance review or implementation.
 - Token optimization now exposes an output folding strategy that preserves failures, file/line details, and actionable warnings while folding repetitive shell noise.
 - UI design guidance now treats expressive motion as a first-class default for modern interfaces instead of letting safety wording become an excuse for static screens.
 - Agents must use live/current-year research for ecosystem, framework, dependency, Docker, and modern UI/library claims instead of offline repository guesses.

package/lib/cli/commands/init.mjs

@@ -429,6 +429,7 @@ export async function runInitCommand(targetDirectoryArgument, initOptions = {})
           '.github/copilot-instructions.md',
         ],
         stackLoadingMode: 'lazy',
+        domainRuleLoadingMode: 'lazy',
         selectedProfile: selectedPolicyProfileName,
         selectedProfileDisplayName: selectedPolicyProfile.displayName,
         blockingSeverities: selectedPolicyProfile.blockingSeverities,

package/lib/cli/commands/upgrade.mjs

@@ -253,6 +253,7 @@ export async function runUpgradeCommand(targetDirectoryArgument, upgradeOptions
         canonicalSource: '.instructions.md',
         compiledEntrypoints: ['.cursorrules', '.windsurfrules'],
         stackLoadingMode: 'lazy',
+        domainRuleLoadingMode: 'lazy',
         selectedProfile: selectedProfileName,
         selectedProfileDisplayName: toTitleCase(selectedProfileName),
         blockingSeverities: PROFILE_PRESETS[selectedProfileName]?.blockingSeverities || [],

package/lib/cli/compiler.mjs

@@ -88,6 +88,7 @@ export async function writeOnboardingReport({
     ruleLoadingPolicy: {
       canonicalSource: '.instructions.md',
       stackLoadingMode: 'lazy',
+      domainRuleLoadingMode: 'lazy',
       loadedOnDemand: true,
       primaryStack: hasExplicitRuntimeDecision ? selectedStackFileName : null,
       additionalStacks: hasExplicitRuntimeDecision ? selectedAdditionalStackFileNames : [],
@@ -241,14 +242,14 @@ export async function buildCompiledRulesContent({
   if (hasExplicitRuntimeDecision && normalizedAdditionalStackFileNames.length > 0) {
     contextBlocks.push(
       [
-        '## LAYER 2B: ADDITIONAL STACK PROFILES',
-        'This project uses multiple stacks. Load all additional stack profiles below:',
+        '## LAYER 2B: ADDITIONAL RUNTIME EVIDENCE',
+        'This project has multiple runtime constraints. Load additional runtime evidence below only when the task touches that runtime:',
         ...normalizedAdditionalStackFileNames.map((stackFileName, stackIndex) => {
           if (availableStackProfileFileNames.has(stackFileName)) {
             return `${stackIndex + 1}. stack-profile:${stackFileName}`;
           }
 
-          return `${stackIndex + 1}. ${stackFileName} (dynamic stack signal)`;
+          return `${stackIndex + 1}. ${stackFileName} (runtime evidence signal)`;
         }),
       ].join('\n')
     );
@@ -261,16 +262,16 @@ export async function buildCompiledRulesContent({
         ? `Primary runtime constraint: ${selectedStackFileName}`
         : 'Primary runtime constraint: unresolved until agent recommendation is approved',
       normalizedAdditionalStackFileNames.length > 0
-        ? `Additional stack profiles load on demand: ${normalizedAdditionalStackFileNames.map((stackFileName) => {
+        ? `Additional runtime evidence loads on demand: ${normalizedAdditionalStackFileNames.map((stackFileName) => {
           if (availableStackProfileFileNames.has(stackFileName)) {
             return `stack-profile:${stackFileName}`;
           }
 
-          return `${stackFileName} (dynamic signal)`;
+          return `${stackFileName} (runtime evidence signal)`;
         }).join(', ')}`
-        : 'Additional runtime guidance loads only when explicitly selected by the user or required by touched code.',
-      'Load runtime-specific guidance only when task scope touches that runtime.',
-      'Avoid eager loading unrelated runtime guidance to prevent instruction conflicts.',
+        : 'No stack-specific governance adapter is loaded by default.',
+      'Load global domain rules only when task scope touches that domain.',
+      'Avoid eager loading unrelated runtime or domain guidance to prevent instruction conflicts.',
     ].join('\n')
   );
 

package/lib/cli/memory-continuity.mjs

@@ -522,7 +522,10 @@ export function buildMemoryContinuityGuidanceBlock(memoryContinuityState) {
     `- Load compact index first (limit: ${sessionStartIndexLimit} entries).`,
     `- Hydrate full detail only for highest-value entries (limit: ${fullHydrationLimit}).`,
     '- Always redact sensitive text before persistence (<private> blocks and inline secret-like fields).',
-    '- Refresh `active-memory.json` at natural task boundaries, but never store secrets, raw chat logs, or stale visual taste.',
+    '- Refresh `.agent-context/state/active-memory.json` directly at natural task boundaries when material project progress happened.',
+    '- Before the final response, update `project.currentFocus`, compact `progress.lastAchievements`, `progress.pendingIssues`, `progress.nextBestActions`, `progress.validationState`, and `lastUpdatedAt` when they changed.',
+    '- Preserve existing user-owned entries, keep each array compact (12 entries or fewer), and append only durable facts proven by current repo evidence.',
+    '- If no durable project progress happened, leave the snapshot unchanged and state that no memory update was needed.',
     '- Current repo evidence, current user brief, and live research override active-memory when they conflict.',
     '',
     'Host compatibility scope:',

package/lib/cli/project-scaffolder/design-contract.mjs

@@ -152,6 +152,17 @@ function buildDesignIntentContractObject({
         doNotRevealHiddenCandidateList: true,
         outputOnlyChosenAnchor: true,
       },
+      creativeCommitmentPolicy: {
+        requiredBeforeComplianceReview: true,
+        recordInDesignDocs: true,
+        requiredCommitmentFields: [
+          'specificReferencePoint',
+          'signatureMotion',
+          'typographicDecision',
+        ],
+        rejectGenericQualityWordsOnly: true,
+        specificityFloor: 'name-a-real-material-instrument-artifact-architecture-editorial-genre-cinematic-behavior-exhibition-system-scientific-apparatus-or-industrial-mechanism',
+      },
       forbiddenFinalAnchorTerms: [
         'dashboard',
         'cards',
@@ -184,7 +195,10 @@ function buildDesignIntentContractObject({
           'name',
           'agentResearchMode',
           'sourceDomain',
+          'specificReferencePoint',
           'rationale',
+          'signatureMotion',
+          'typographicDecision',
           'derivedTokenLogic',
           'visualRiskBudget',
           'motionRiskBudget',
@@ -288,6 +302,7 @@ function buildDesignIntentContractObject({
       requireContentPriorityMap: true,
       requireTaskFlowNarrative: true,
       requireSignatureMoveRationale: true,
+      requireCreativeCommitmentGate: true,
       requireStructuredHandoff: true,
       requireRepoEvidenceAlignment: true,
       forbidScreenshotDependency: true,
@@ -406,6 +421,15 @@ function buildDesignIntentContractObject({
         requiredResetAxes: ['composition', 'hierarchy', 'motion-or-interaction', 'responsive-information-architecture'],
       },
       signatureMoveRationale: 'Agent must choose one project-specific visual, motion, typographic, or interaction move and explain why generic fallback weakens it.',
+      creativeCommitment: {
+        status: 'agent-must-complete-before-ui-implementation',
+        requiredFields: [
+          'specificReferencePoint',
+          'signatureMotion',
+          'typographicDecision',
+        ],
+        failureMode: 'generic quality words without a named real-world reference are not enough',
+      },
       implementationGuardrails: {
         requireBuildFromHandoff: true,
         requireGapNotesBeforeFallback: true,

package/lib/cli/project-scaffolder/prompt-builders.mjs

@@ -177,8 +177,10 @@ export function buildDesignBootstrapPrompt({
     '31. If modern UI, animation, scroll, 3D, canvas, chart, or icon libraries are useful, choose them from current official docs and record source URL, fetched date, reason, risk, and accessibility fallback.',
     '32. If the user supplies research files, library lists, screenshots, articles, or benchmark notes, read them as candidate evidence, summarize the useful signals, filter by project fit, and verify technology claims against current official docs before implementation.',
     '33. If no user-supplied research or reference is supplied for UI work, activate the Dynamic Avant-Garde Anchor Engine before coding. User-supplied research means current-task evidence from the user; this scaffold, prior UI, and old design docs do not count as research.',
-    '34. In Dynamic Avant-Garde mode, perform agent-led research when available, then internally consider at least three high-variance conceptual anchors, discard the two safest or most predictable options, output only the chosen anchor and rationale, and forbid final anchors named dashboard, portal, cards, admin panel, SaaS shell, web app shell, or minimalist interface.',
-    '35. The chosen anchor must drive typography, spacing, density, color behavior, morphology, motion, and responsive composition. Treat expressive motion, spatial transitions, micro-interactions, and modern animation libraries as first-class options; include performance notes and reduced-motion fallbacks instead of suppressing motion to look safe.',
+    '34. Before broad compliance review, make a creative commitment and record it in the design contract: one specific real-world anchor reference, one signature motion behavior more specific than smooth transitions, and one typographic decision with meaningful role contrast.',
+    '35. In Dynamic Avant-Garde mode, perform agent-led research when available, then internally consider at least three high-variance conceptual anchors, discard the two safest or most predictable options, output only the chosen anchor, its specific reference point, and rationale, and forbid final anchors named dashboard, portal, cards, admin panel, SaaS shell, web app shell, or minimalist interface.',
+    '36. Reject anchors that can only be described with generic quality words such as modern, clean, premium, expressive, minimal, or bold. The anchor must name a material, instrument, artifact class, architecture, editorial genre, cinematic behavior, exhibition system, scientific apparatus, or industrial mechanism.',
+    '37. The chosen anchor must drive typography, spacing, density, color behavior, morphology, motion, and responsive composition. Treat expressive motion, spatial transitions, micro-interactions, and modern animation libraries as first-class options; include performance notes and reduced-motion fallbacks instead of suppressing motion to look safe.',
     '',
     '## Project Inputs',
     `- Project name: ${discoveryAnswers.projectName}`,
@@ -209,7 +211,7 @@ export function buildDesignBootstrapPrompt({
     '12. Keep visualResetStrategy in the machine-readable handoff so reset-language tasks cannot quietly become restyles of the previous UI.',
     '13. Preserve externalResearchIntake so user-provided research becomes reviewed evidence without turning into an offline style or dependency preset.',
     '14. Preserve conceptualAnchor so prompt-only UI work has one cohesive non-template concept instead of a mixed collection of bold but unrelated visual decisions.',
-    '15. Record conceptualAnchor.agentResearchMode, visualRiskBudget, motionRiskBudget, and cohesionChecks so the final UI cannot quietly fall back to a timid dashboard/admin mental model.',
+    '15. Record conceptualAnchor.agentResearchMode, specificReferencePoint, signatureMotion, typographicDecision, visualRiskBudget, motionRiskBudget, and cohesionChecks so the final UI cannot quietly fall back to a timid dashboard/admin mental model.',
     '16. After the contract exists, use it as a first-class source for future UI tasks.',
     '',
   ].join('\n');

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ryuenn3123/agentic-senior-core",
-  "version": "3.0.26",
+  "version": "3.0.28",
   "type": "module",
   "description": "Force your AI Agent to code like a Staff Engineer, not a Junior.",
   "bin": {

package/scripts/governance-weekly-report.mjs

@@ -22,8 +22,22 @@ const ARGUMENT_FLAGS = new Set(process.argv.slice(2));
 const isStdoutOnlyMode = ARGUMENT_FLAGS.has('--stdout-only');
 const WEEKLY_WINDOW_DAYS = 7;
 const HISTORY_LIMIT = 26;
+const BACKEND_REQUIRED_DOMAIN_NAMES = new Set([
+  'backend-architecture',
+  'backend-security',
+  'backend-data-access',
+  'backend-error-handling',
+  'backend-api-contract',
+  'backend-testing',
+  'backend-performance',
+  'backend-idempotency',
+  'backend-risk-map',
+]);
 const REQUIRED_VERIFIED_DOMAINS = new Set([
   'canonical-instructions',
+  'frontend-design-contract',
+  'frontend-architecture',
+  ...Array.from(BACKEND_REQUIRED_DOMAIN_NAMES),
   'pr-checklist',
   'architecture-review',
   'mcp-server',
@@ -31,11 +45,100 @@ const REQUIRED_VERIFIED_DOMAINS = new Set([
 ]);
 const GOVERNANCE_SURFACE_PATHS = {
   'canonical-instructions': '.instructions.md',
+  'frontend-design-contract': '.agent-context/prompts/bootstrap-design.md',
+  'frontend-architecture': '.agent-context/rules/frontend-architecture.md',
+  'backend-architecture': '.agent-context/rules/architecture.md',
+  'backend-security': '.agent-context/rules/security.md',
+  'backend-data-access': '.agent-context/rules/database-design.md',
+  'backend-error-handling': '.agent-context/rules/error-handling.md',
+  'backend-api-contract': '.agent-context/rules/api-docs.md',
+  'backend-testing': '.agent-context/rules/testing.md',
+  'backend-performance': '.agent-context/rules/performance.md',
+  'backend-idempotency': '.agent-context/rules/event-driven.md',
+  'backend-risk-map': '.agent-context/state/architecture-map.md',
   'pr-checklist': '.agent-context/review-checklists/pr-checklist.md',
   'architecture-review': '.agent-context/review-checklists/architecture-review.md',
   'mcp-server': 'scripts/mcp-server.mjs',
   'state-continuity': '.agent-context/state',
 };
+const BACKEND_GOVERNANCE_COVERAGE = [
+  {
+    constraint: 'Layered architecture and separation of concerns',
+    status: 'covered',
+    sourcePaths: [
+      '.agent-context/rules/architecture.md',
+      '.agent-context/review-checklists/architecture-review.md',
+    ],
+    signal: 'Transport, application, domain, and infrastructure boundaries are explicit.',
+  },
+  {
+    constraint: 'Global backend/API rule routing',
+    status: 'strengthened',
+    sourcePaths: [
+      '.instructions.md',
+      '.agent-context/rules/architecture.md',
+      '.agent-context/prompts/refactor.md',
+    ],
+    signal: 'Backend/API governance routes by problem domain and stays stack-agnostic; no stack-specific governance adapters are created.',
+  },
+  {
+    constraint: 'Zero-trust input validation',
+    status: 'strengthened',
+    sourcePaths: [
+      '.agent-context/rules/security.md',
+      '.agent-context/review-checklists/pr-checklist.md',
+    ],
+    signal: 'User-controlled body, query, params, headers, cookies, files, webhooks, and job payloads must be validated before service logic.',
+  },
+  {
+    constraint: 'Data access performance and integrity',
+    status: 'strengthened',
+    sourcePaths: [
+      '.agent-context/rules/database-design.md',
+      '.agent-context/rules/performance.md',
+      '.agent-context/state/architecture-map.md',
+    ],
+    signal: 'Backend reads must avoid N+1 and unbounded list responses; multi-write mutations need transaction or recovery evidence.',
+  },
+  {
+    constraint: 'Distributed consistency and outbox safety',
+    status: 'strengthened',
+    sourcePaths: [
+      '.agent-context/rules/event-driven.md',
+      '.agent-context/rules/database-design.md',
+      '.agent-context/rules/microservices.md',
+    ],
+    signal: 'Dual-write flows need outbox or equivalent replay safety, and cross-service consistency must define saga, compensation, or recovery behavior instead of defaulting to two-phase commit.',
+  },
+  {
+    constraint: 'Safe centralized API errors',
+    status: 'strengthened',
+    sourcePaths: [
+      '.agent-context/rules/error-handling.md',
+      '.agent-context/rules/api-docs.md',
+    ],
+    signal: 'HTTP/API responses use safe machine-readable error shapes, may align with RFC 9457 Problem Details, and preserve safe trace/correlation identifiers without leaking internals.',
+  },
+  {
+    constraint: 'Sensitive mutation idempotency',
+    status: 'strengthened',
+    sourcePaths: [
+      '.agent-context/rules/api-docs.md',
+      '.agent-context/rules/testing.md',
+      '.agent-context/rules/event-driven.md',
+    ],
+    signal: 'Payments, orders, status changes, and other risky mutations must document and test duplicate-submit behavior.',
+  },
+  {
+    constraint: 'API contract and behavior testing',
+    status: 'strengthened',
+    sourcePaths: [
+      '.agent-context/rules/testing.md',
+      '.agent-context/review-checklists/pr-checklist.md',
+    ],
+    signal: 'API tests cover validation, auth, documented error shapes, pagination defaults, empty states, and mutation retry safety.',
+  },
+];
 
 function readJsonOrNull(filePath) {
   if (!existsSync(filePath)) {
@@ -194,6 +297,37 @@ async function collectSkillTrustSignals() {
   };
 }
 
+function buildBackendGovernancePosture(skillTrustSignals) {
+  const backendSurfaceRows = skillTrustSignals.domains.filter((trustRow) => {
+    return BACKEND_REQUIRED_DOMAIN_NAMES.has(trustRow.domain);
+  });
+  const missingBackendSurfaceNames = backendSurfaceRows
+    .filter((trustRow) => trustRow.tier !== 'verified')
+    .map((trustRow) => trustRow.domain);
+  const verifiedSurfaceCount = backendSurfaceRows.length - missingBackendSurfaceNames.length;
+
+  return {
+    status: missingBackendSurfaceNames.length === 0 ? 'verified' : 'needs-attention',
+    summary: missingBackendSurfaceNames.length === 0
+      ? 'Backend governance is verified across architecture, security, data access, error handling, API contracts, testing, performance, idempotency, and risk-map surfaces.'
+      : 'Backend governance is missing one or more required surfaces.',
+    requiredSurfaceCount: backendSurfaceRows.length,
+    verifiedSurfaceCount,
+    missingSurfaceNames: missingBackendSurfaceNames,
+    coverage: BACKEND_GOVERNANCE_COVERAGE,
+    developmentFocus: [
+      {
+        focus: 'Keep backend guidance global and stack-agnostic.',
+        reason: 'The repo should enforce architecture, security, API, data, error, event, and testing thinking without building Nest, Laravel, FastAPI, Express, Go, or other stack-specific governance adapters.',
+      },
+      {
+        focus: 'Use framework facts only when implementing inside an existing project.',
+        reason: 'LLMs can apply current ecosystem knowledge directly; governance should route the relevant global constraints instead of acting as a stack detector.',
+      },
+    ],
+  };
+}
+
 function buildBlockers(qualityTrendReport, skillTrustSignals, commitSignals) {
   const blockers = [];
 
@@ -222,6 +356,7 @@ function buildHistoryEntry(weeklyReport) {
     blockerCount: weeklyReport.releaseReadiness.blockers.length,
     gatePassRatePercent: weeklyReport.qualitySignals.governanceHealth.gatePassRatePercent,
     verifiedSkillDomainCount: weeklyReport.skillTrust.tierCounts.verified,
+    backendVerifiedSurfaceCount: weeklyReport.backendGovernance?.verifiedSurfaceCount ?? null,
     releaseFrequencyPercent: weeklyReport.commitSignals.releaseFrequencyPercent,
     rollbackFrequencyPercent: weeklyReport.commitSignals.rollbackFrequencyPercent,
   };
@@ -243,6 +378,7 @@ async function runWeeklyGovernanceReport() {
   const qualityTrendReport = qualityTrendState.report;
 
   const skillTrustSignals = await collectSkillTrustSignals();
+  const backendGovernance = buildBackendGovernancePosture(skillTrustSignals);
   const commitSignals = collectCommitSignals(WEEKLY_WINDOW_DAYS);
   const blockers = buildBlockers(qualityTrendReport, skillTrustSignals, commitSignals);
 
@@ -267,12 +403,13 @@ async function runWeeklyGovernanceReport() {
       tokenEfficiency: qualityTrendReport?.tokenEfficiency || null,
     },
     skillTrust: skillTrustSignals,
+    backendGovernance,
     commitSignals,
     releaseReadiness: {
       isReady: blockers.length === 0,
       blockers,
       summary: blockers.length === 0
-        ? 'Weekly governance posture is ready for maintenance releases.'
+        ? 'Weekly governance posture is ready for maintenance releases with frontend and backend governance surfaces verified.'
         : 'Weekly governance posture is blocked by unresolved readiness signals.',
     },
     artifact: {

package/scripts/release-gate/audit-checks.mjs

@@ -312,7 +312,7 @@ export function runAuditReleaseChecks(results, diagnostics) {
       singleSourceLazyLoadingAuditExecution.report?.lazyRuleLoading?.enforced === true,
       'lazy-rule-loading-hard-rule',
       singleSourceLazyLoadingAuditExecution.report?.lazyRuleLoading?.enforced === true
-        ? 'Language-specific guidance is loaded lazily by detected scope'
+        ? 'Global domain governance is loaded lazily by touched scope'
         : 'Lazy rule loading enforcement failed in single-source lazy-loading audit'
     );
     pushResult(

package/scripts/release-gate/constants.mjs

@@ -32,17 +32,24 @@ export const REQUIRED_BACKEND_ARCHITECTURE_RULE_SNIPPETS = [
   'No premature abstraction.',
   'Readability over brevity.',
   'backend and shared core modules',
+  'Do not create or load stack-specific governance adapters as the baseline.',
 ];
 
 export const REQUIRED_BACKEND_REVIEW_CHECKLIST_SNIPPETS = [
   'No clever hacks in backend and shared core modules',
   'No premature abstraction (base classes/util layers created only after repeated stable patterns)',
   'Readability over brevity for maintainability',
+  'Controllers, route handlers, and transport adapters do not contain business policy',
+  'Sensitive mutations include idempotency or duplicate-submit coverage',
+  'Backend/API governance was applied through global domain rules',
 ];
 
 export const REQUIRED_REFACTOR_PROMPT_SNIPPETS = [
   'Enforce backend universal principles: no clever hacks, no premature abstraction, readability over brevity.',
   'Prioritize maintainability over compressed one-liners.',
+  'zero-trust input validation',
+  'idempotency for sensitive mutations',
+  'Backend/API governance is global and stack-agnostic.',
 ];
 
 export const REQUIRED_ARCHITECTURE_REVIEW_CHECKLIST_SNIPPETS = [
@@ -50,4 +57,8 @@ export const REQUIRED_ARCHITECTURE_REVIEW_CHECKLIST_SNIPPETS = [
   'No clever hacks in backend and shared core modules',
   'No premature abstraction',
   'Readability over brevity',
+  'Service or use-case code owns orchestration',
+  'Relational reads avoid N+1 patterns',
+  'Global backend/API governance is used directly',
+  'Dual-write database plus message flows use an outbox',
 ];

package/scripts/rules-guardian-audit.mjs

@@ -67,7 +67,7 @@ const REQUIRED_PR_CHECKLIST_SNIPPETS = [
 
 const REQUIRED_REVIEW_PROMPT_SNIPPETS = [
   'Review the code with a production-risk mindset.',
-  'Do not invent stack-specific concerns unless the repo or changed files prove they apply.',
+  'Do not create stack-specific governance concerns.',
 ];
 
 function pushResult(results, isPassed, checkName, details) {