@ryuenn3123/agentic-senior-core 3.0.38 → 3.0.40

package/.agent-context/prompts/bootstrap-design.md

@@ -57,7 +57,7 @@ Before UI code, record:
 - one morphology or composition choice that avoids interchangeable card stacks when the product allows it
 - at least three at-a-glance product-specific signals for new screens or broad redesigns
 
-Do not ship AI-safe UI. Record exact drift signals in `reviewRubric`; at minimum reject decorative grid wallpaper, soft glow backgrounds, generic abstract marks, and first-output composition with only local copy swapped in when they have no product function.
+Do not ship AI-safe UI. Record exact drift signals in `reviewRubric`; at minimum reject decorative grid wallpaper, default line backgrounds, soft glow backgrounds, generic abstract marks, and first-output composition with only local copy swapped in when they have no product function.
 
 ## AI Color and Template Residue Audit
 
@@ -171,6 +171,7 @@ Block or flag:
 - scale-only responsive behavior
 - default component-kit styling without product rationale
 - nonfunctional background effects, including decorative grid wallpaper
+- grid or line backgrounds used as filler instead of product function
 - palette choices that use readability as an excuse for safe defaults
 - visual direction copied from unrelated memory or external references
 - genericity findings that cannot name the exact drift signal

package/.agent-context/prompts/refactor.md

@@ -15,6 +15,7 @@ Before editing:
 7. Enforce backend universal principles: no clever hacks, no premature abstraction, readability over brevity.
 8. For backend/API scope, enforce layered boundaries, zero-trust input validation, safe centralized error responses, bounded list reads, transaction safety for multi-write mutations, idempotency for sensitive mutations, and behavior-focused API tests.
 9. Backend/API governance is global and stack-agnostic. Do not create stack-specific adapters or framework-specific rule branches; apply the global rules through the framework already present in the target project.
+10. Enforce the complexity budget: choose fewer moving parts only when behavior, safety, clarity, and maintainability stay intact.
 
 Refactor rules:
 - Improve clarity, boundaries, naming, validation, error handling, tests, and docs.
@@ -23,6 +24,9 @@ Refactor rules:
 - Keep module boundaries explicit and project-specific.
 - Split large files when the split makes the flow easier to understand.
 - Do not introduce abstractions before the repeated pattern is real.
+- Remove code that does not carry behavior, safety, clarity, maintainability, or test value.
+- Prefer the shorter implementation only when it keeps the same guarantees.
+- Run a final simplification pass before completion.
 - Update tests and docs whenever behavior contracts, public APIs, data shape, or UI contracts change.
 
 For every meaningful change, explain:

package/.agent-context/review-checklists/pr-checklist.md

@@ -25,6 +25,7 @@ Run this before declaring a task done. Apply only the sections relevant to the c
 - [ ] No clever hacks in backend and shared core modules
 - [ ] No premature abstraction (base classes/util layers created only after repeated stable patterns)
 - [ ] Readability over brevity for maintainability
+- [ ] Complexity budget was applied: equivalent behavior uses fewer moving parts without losing validation, error handling, fallbacks, accessibility, tests, or security boundaries.
 - [ ] Controllers, route handlers, and transport adapters do not contain business policy, raw queries, or cross-resource orchestration.
 - [ ] Services or use cases own business flow, transaction boundaries, and mutation safety.
 - [ ] Repositories or adapters own persistence/external IO details without hiding business decisions.

package/.agent-context/rules/architecture.md

@@ -12,6 +12,19 @@ These principles are mandatory for backend and shared core modules.
 - Keep transport, application, domain, and infrastructure concerns separated.
 - Favor explicit module boundaries over hidden cross-layer shortcuts.
 
+## Complexity Budget (Mandatory)
+
+Prefer the smallest clear implementation that fully preserves behavior, safety, and maintainability.
+
+- If two implementations are equivalent in behavior and quality, choose the one with fewer moving parts.
+- Remove code that does not carry behavior, safety, clarity, maintainability, or test value.
+- Prefer direct logic over extra wrappers, layers, classes, config, or state when the abstraction does not reduce real complexity.
+- Keep validation, error handling, fallback paths, accessibility, tests, security boundaries, and observability when they protect real behavior.
+- Run a final simplification pass before completion.
+- Do not optimize for line count alone.
+- Do not replace clear code with clever, dense, or surprising code.
+- Do not remove safeguards just because the happy path works.
+
 ## Universal SOP Baseline (Mandatory)
 
 The `.agent-context/rules/` directory is the default guidance source for implementation and review.
@@ -91,6 +104,7 @@ Service separation only makes sense when multiple signals are true, such as:
 - Cross-cutting utilities belong in explicit shared locations, not scattered feature internals.
 - Files above roughly 1000 lines are a refactor trigger, not a success signal.
 - Preserve one clear public entrypoint per module when helpful, but move implementation into smaller focused files.
+- Keep code compact because the design is understood, not because safeguards were removed.
 
 ## Module Communication
 

package/.agent-context/rules/frontend-architecture.md

@@ -43,7 +43,7 @@ For new screens or broad redesigns, make at least three at-a-glance product-spec
 
 Use the rename test: if the UI can be renamed to another product category without changing composition, palette, iconography, and motion language, revise before implementation is considered complete.
 
-Background lines, grids, scanlines, noise, glows, blobs, abstract logos, and decorative geometry are invalid as wallpaper. Use them only for a named product function such as alignment, crop guidance, map/route orientation, timeline reading, measurement, status, or motion continuity.
+Background lines, grids, scanlines, noise, glows, blobs, abstract logos, and decorative geometry are invalid as wallpaper. Do not use grid or line backgrounds as first-output filler. Use them only for a named product function such as alignment, crop guidance, map/route orientation, timeline reading, measurement, status, or motion continuity.
 
 ## Dynamic Anchor Gate
 

package/.agent-context/state/architecture-map.md

@@ -1,25 +1,40 @@
-# Architecture Map (State Awareness)
+# Architecture Map
 
-> This file defines protected architectural boundaries for AI-assisted changes.
+Use this file as repo-local agent context. It records the current governance architecture and the boundaries agents must protect.
 
 ## Boundary Classification
 
-| Module/Path Pattern | Criticality | Change Policy | Required Checks |
-|---------------------|-------------|---------------|-----------------|
-| `src/modules/payment/**` | critical | Must preserve transactional behavior and idempotency | Unit + integration + rollback test |
-| `src/modules/authentication/**` | critical | Never bypass auth guards or token validation | Security audit + integration tests |
-| `src/modules/**/repository/**` | high | Preserve query contracts and avoid N+1 regressions | Query plan review + performance audit |
-| `src/features/**` | medium | Keep UI contracts stable and avoid API drift | Component tests + contract checks |
-| `src/shared/**` | high | Backward compatibility required for public utilities | Cross-module usage validation |
+| Surface | Criticality | Change Policy | Required Checks |
+| --- | --- | --- | --- |
+| `.instructions.md`, `AGENTS.md`, generated adapters | critical | Keep `.instructions.md` canonical and adapters thin/hash-synced | `npm run sync:adapters`, `npm run check:adapters`, `npm run validate` |
+| `.agent-context/rules/**`, `.agent-context/prompts/**`, `.agent-context/review-checklists/**` | critical | Keep rules imperative, compact, scope-resolved, and non-duplicative | adapter sync, validation, targeted smoke tests |
+| `.agent-context/state/**` | high | Track only seed/config and current operational state; keep generated reports local-only | `npm pack --dry-run`, state README review |
+| `lib/cli/compiler.mjs`, `scripts/sync-thin-adapters.mjs` | critical | Preserve generated surface compatibility across Codex, Cursor, Windsurf, Copilot, Claude, and Gemini | adapter tests, smoke tests, validation |
+| `lib/cli/commands/init.mjs`, `lib/cli/commands/upgrade.mjs` | high | Preserve fresh-project and existing-project behavior without silent stack/style decisions | CLI smoke tests, onboarding report checks |
+| `lib/cli/project-scaffolder/**` | high | Preserve docs-first and design-contract behavior without hardcoded house style | design/detection smoke tests, validation |
+| `scripts/validate*.mjs`, `scripts/validate/**` | high | Keep validation mechanical and aligned with current shipped surfaces | `node ./scripts/validate.mjs`, targeted script checks |
+| `tests/**` | high | Test behavior and contracts, not private implementation trivia | `npm test` |
+| `package.json`, `package-lock.json`, package allowlist | high | Keep release metadata and tarball contents synchronized | `npm pack --dry-run`, release gate |
 
-## Required Agent Behavior
+## Frontend Governance Context
 
-1. Before editing a `critical` area, load `.agent-context/review-checklists/pr-checklist.md` and `.agent-context/review-checklists/architecture-review.md`.
-2. For boundary-crossing changes, verify no circular dependencies are introduced (see `dependency-map.md`).
-3. Every critical-path change must include explicit risk notes in PR description.
+- Frontend guidance is efficient enough for the current architecture because it is scope-resolved: UI tasks load `bootstrap-design.md` and `frontend-architecture.md`; backend-only tasks do not.
+- Keep the current design contract. It does not prescribe a palette or layout; it requires product evidence, anchor-derived tokens, motion/spatial fit decisions, and accessibility.
+- Do not reduce motion, 3D, canvas, WebGL, or animation guidance. These are capability unlocks, not mandatory decoration.
+- Treat product categories as heuristics only. They must not become style presets.
+- Treat grid, line, glow, blob, and abstract-logo backgrounds as review findings unless they serve a named product function.
 
-## Project-Specific Notes
+## Backend Governance Context
 
-- Replace placeholder path patterns with your actual module map.
-- Mark payment, identity, and financial reconciliation flows as `critical`.
-- Keep this file updated whenever module ownership changes.
+- Backend guidance is efficient enough for the current architecture because backend/API rules are lazy-loaded by scope.
+- Keep global backend principles stack-agnostic: architecture boundaries, validation, safe errors, security, testing, event boundaries, and data design.
+- Do not add framework-specific governance adapters unless real repo evidence proves a repeated project need.
+- New dependencies are allowed when they improve efficiency, delivery time, correctness, or maintainability, and current official docs support the choice.
+
+## Agent Behavior
+
+1. Load the smallest relevant rule set.
+2. Use README only for overview/install/user context when governance files conflict.
+3. Preserve generated adapter sync before release.
+4. Treat stale generated state, dual lockfiles, and obsolete V2/V3 transition files as cleanup findings.
+5. Before claiming done, run the relevant validation gate and report any skipped checks.

package/.agent-context/state/dependency-map.md

@@ -1,32 +1,41 @@
-# Dependency Map (State Awareness)
+# Dependency Map
 
-> This map documents allowed dependency direction to prevent circular references during refactors.
+Use this map to keep Agentic-Senior-Core's CLI, governance, and validation layers from collapsing into circular or over-coupled code.
 
-## Layer Dependency Rules
+## Allowed Dependency Direction
 
-1. Transport layer may depend on Service layer.
-2. Service layer may depend on Domain contracts and Repository interfaces.
-3. Infrastructure layer may implement Repository interfaces.
-4. Domain layer must not depend on Transport or Infrastructure.
+1. `bin/` may call command modules only.
+2. `lib/cli/commands/**` may orchestrate detector, compiler, scaffolder, memory, token, backup, rollback, preflight, and utility modules.
+3. `lib/cli/compiler.mjs` may read constants and utilities, but must not import command modules.
+4. `lib/cli/project-scaffolder/**` may use utilities and local scaffolder submodules; validation logic stays below the scaffolder entrypoint.
+5. `scripts/**` may call CLI library modules for audits and reports, but release/validation scripts must avoid mutating generated state unless that is their explicit job.
+6. `tests/**` may exercise public CLI commands, public module exports, scripts, and generated artifacts.
+7. `.agent-context/**` stores governance data and must not depend on generated adapter content as its authority.
 
-## Module-Level Constraints
+## Module Constraints
 
-| Source Module | Allowed Dependencies | Forbidden Dependencies |
-|---------------|----------------------|------------------------|
-| `authentication` | `shared`, `user` | `payment` internals |
-| `payment` | `shared`, `billing`, `notification` contracts | `authentication` internals |
-| `reporting` | `shared`, read-only repository ports | write-side service internals |
-| `frontend` | public API clients only | direct repository access |
+| Source | Allowed Dependencies | Forbidden Dependencies |
+| --- | --- | --- |
+| `bin/agentic-senior-core.js` | `lib/cli/commands/*` | direct compiler, scaffolder, or validation internals |
+| `lib/cli/commands/init.mjs` | detector, compiler, scaffolder, token/memory continuity, setup helpers | UI style presets, backend framework defaults, generated adapters as source |
+| `lib/cli/commands/upgrade.mjs` | detector, compiler, scaffolder seeds, backup/rollback, shared setup helpers | duplicated setup-policy helpers, silent stack migration |
+| `lib/cli/project-scaffolder.mjs` | stable public scaffolder exports | private validation helpers that do not need public API exposure |
+| `lib/cli/project-scaffolder/design-contract.mjs` | validation submodule, constants, utilities | hardcoded final palettes, fixed layouts, external design memory |
+| `scripts/sync-thin-adapters.mjs` | canonical instructions and adapter targets | hand-maintained duplicate policy blocks |
+| `scripts/validate*.mjs` | config, coverage checks, file evidence | stale V2 skill-marketplace artifacts |
+| `.agent-context/prompts/bootstrap-design.md` | current repo evidence and frontend rule | prior-chat visuals, unrelated screenshots, template style presets |
 
 ## Circular Dependency Guardrail
 
-When refactoring:
+- Reject `commands -> project-scaffolder -> commands`.
+- Reject `compiler -> commands`.
+- Reject `scripts/validate -> tests`.
+- Reject generated adapters becoming inputs for `.instructions.md` or `.agent-context/`.
+- Move repeated command setup policy into shared helper modules instead of copying local functions.
 
-1. Detect import graph changes before applying bulk edits.
-2. Reject any change introducing `A -> B -> A` cycles.
-3. Move shared contracts to `shared` module when two-way dependencies appear.
+## Package Hygiene
 
-## Project-Specific Notes
-
-- Replace sample modules with your real domain modules.
-- Keep this map synchronized with architecture decisions and ADRs.
+- Keep one npm lockfile: `package-lock.json`.
+- Ignore Bun lockfiles unless the package manager strategy changes explicitly.
+- Keep generated reports out of the shipped package.
+- Keep `onboarding-report.json` tracked only as current repo operational state; installed projects regenerate it.

package/.cursorrules

@@ -1,6 +1,6 @@
 # .cursorrules - Legacy Thin Adapter
 
-Generated by Agentic-Senior-Core CLI v3.0.38
+Generated by Agentic-Senior-Core CLI v3.0.40
 Adapter Mode: legacy-thin
 Adapter Source: .agent-instructions.md when present; fallback .instructions.md
 Canonical baseline: .instructions.md

package/.windsurfrules

@@ -1,6 +1,6 @@
 # .windsurfrules - Legacy Thin Adapter
 
-Generated by Agentic-Senior-Core CLI v3.0.38
+Generated by Agentic-Senior-Core CLI v3.0.40
 Adapter Mode: legacy-thin
 Adapter Source: .agent-instructions.md when present; fallback .instructions.md
 Canonical baseline: .instructions.md

package/CONTRIBUTING.md

@@ -95,6 +95,8 @@ If all three are "yes", it belongs here.
 
 ## Local Development
 
+The npm package is published under `@ryuenn3123`, while the GitHub repository is hosted under `fatidaprilian`.
+
 ```bash
 # Clone
 git clone https://github.com/fatidaprilian/Agentic-Senior-Core.git

package/README.md

@@ -10,12 +10,12 @@
 **Production-grade Rules Engine (Governance Engine) for AI coding agents.**
 Works with Cursor, Windsurf, GitHub Copilot, Claude Code, Gemini, and other LLM-powered IDE workflows.
 
-Latest release: 3.0.38 (2026-04-30).
+Latest release: 3.0.40 (2026-04-30).
 
-Highlights in 3.0.38:
-- Phase 11 cleanup removes stale skill-marketplace artifacts and generated report snapshots from the shipped package.
-- Large init, utility, design-contract, and design/detection smoke surfaces are split into smaller modules.
-- UI governance keeps anti-generic drift checks while preserving product-derived, non-prescriptive palette decisions.
+Highlights in 3.0.40:
+- Adds a mandatory complexity budget so agents choose fewer moving parts only when quality stays intact.
+- Refactor guidance now requires a final simplification pass before completion.
+- Release tooling keeps legacy root adapter version metadata aligned with package bumps.
 
 </div>
 
@@ -34,6 +34,7 @@ One command to initialize rules, checklists, thin discovery adapters, and a comp
 > **See [docs/deep-dive.md](docs/deep-dive.md) and [docs/roadmap.md](docs/roadmap.md) for advanced configuration, planning mode, snapshot, and realtime options.**
 
 - This command writes `.agent-context/state/v3-purge-audit.json` and reports whether static directory deletion is safe.
+- Package scope is `@ryuenn3123`; the GitHub repository owner is `fatidaprilian`.
 
 ---
 

package/lib/cli/commands/upgrade.mjs

@@ -48,6 +48,7 @@ import {
   buildDesignIntentSeedFromSignals,
 } from '../project-scaffolder.mjs';
 import { ensureActiveMemorySnapshot } from '../memory-continuity.mjs';
+import { buildExistingProjectMajorConstraints } from '../init-detection-flow.mjs';
 
 export function parseUpgradeArguments(commandArguments) {
   const parsedUpgradeOptions = {
@@ -102,14 +103,6 @@ export function parseUpgradeArguments(commandArguments) {
   return parsedUpgradeOptions;
 }
 
-function buildExistingProjectMajorConstraints() {
-  return [
-    'Preserve existing project markers and avoid forced stack migration.',
-    'Use runtime markers as evidence only unless the user already recorded an explicit runtime constraint.',
-    'Upgrade keeps prior explicit onboarding constraints but does not create new stack or blueprint decisions.',
-  ];
-}
-
 function buildUpgradeDesignIntentSeed({
   targetDirectoryPath,
   packageManifest,
@@ -243,7 +236,7 @@ export async function runUpgradeCommand(targetDirectoryArgument, upgradeOptions
       })
       : null;
 
-    const detectionMajorConstraints = buildExistingProjectMajorConstraints();
+    const detectionMajorConstraints = buildExistingProjectMajorConstraints({ mode: 'upgrade' });
     const detectionTransparency = {
       declaredAt: new Date().toISOString(),
       declarationType: 'existing-project',

package/lib/cli/init-detection-flow.mjs

@@ -1,4 +1,12 @@
-export function buildExistingProjectMajorConstraints() {
+export function buildExistingProjectMajorConstraints({ mode = 'init' } = {}) {
+  if (mode === 'upgrade') {
+    return [
+      'Preserve existing project markers and avoid forced stack migration.',
+      'Use runtime markers as evidence only unless the user already recorded an explicit runtime constraint.',
+      'Upgrade keeps prior explicit onboarding constraints but does not create new stack or blueprint decisions.',
+    ];
+  }
+
   return [
     'Preserve existing project markers and avoid forced stack migration.',
     'Use detected runtime markers as evidence only; do not convert them into stack migration or design direction.',

package/lib/cli/init-selection.mjs

@@ -27,8 +27,3 @@ export function normalizeAdditionalBlueprintSelection(selectedBlueprintFileName,
     (blueprintFileName) => blueprintFileName && blueprintFileName !== selectedBlueprintFileName
   )));
 }
-
-export function resolveScopeBlueprintCandidates(projectScopeKey) {
-  void projectScopeKey;
-  return null;
-}

package/lib/cli/project-scaffolder/design-contract.mjs

@@ -274,7 +274,7 @@ function buildDesignIntentContractObject({
     },
     aiSafeUiAudit: {
       status: 'agent-must-complete-before-ui-implementation',
-      failureDefinition: 'AI-safe UI uses template cards, generic marks, decorative grid wallpaper, safe palettes, glow backgrounds, or copied scaffold composition.',
+      failureDefinition: 'AI-safe UI uses template cards, generic marks, decorative grid or line wallpaper, safe palettes, glow backgrounds, or copied scaffold composition.',
       interchangeabilityTest: `If this UI can be renamed from ${projectName} to another product category without changing composition, palette, iconography, and motion, revise it.`,
       requiredProductSpecificSignals: [
         'agent-defined-product-specific-data-treatment',
@@ -282,7 +282,7 @@ function buildDesignIntentContractObject({
         'agent-defined-product-specific-morphology-iconography-or-spatial-structure',
       ],
       paletteExplorationRule: 'Use a visually exploratory product-derived palette with WCAG contrast and status clarity.',
-      backgroundPatternRule: 'Lines, grids, scanlines, noise, glows, blobs, logos, and geometry must serve a named product function.',
+      backgroundPatternRule: 'Lines, grids, scanlines, noise, glows, blobs, logos, and geometry must serve a named product function; never use grid or line backgrounds as first-output filler.',
       aiColorAudit: {
         status: 'agent-must-complete-before-ui-implementation',
         failureDefinition: 'AI color drift uses safe defaults before deriving roles from the product anchor.',

package/lib/cli/project-scaffolder.mjs

@@ -14,8 +14,6 @@ export {
 export {
   normalizeDocsLanguage,
   runProjectDiscovery,
-  resolveProjectDocTargets,
-  buildSynthesisContext,
   loadProjectConfig,
 } from './project-scaffolder/discovery.mjs';
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ryuenn3123/agentic-senior-core",
-  "version": "3.0.38",
+  "version": "3.0.40",
   "type": "module",
   "description": "Force your AI Agent to code like a Staff Engineer, not a Junior.",
   "bin": {

package/scripts/bump-version.mjs

@@ -48,7 +48,21 @@ async function bumpVersion() {
   await writeTextFile(packageJsonPath, JSON.stringify(packageJson, null, 2) + '\n');
   console.log(`Updated package.json (was ${oldVersion})`);
 
-  // 2. Update docs/deep_analysis_and_roadmap_backlog.md
+  // 2. Update package-lock.json when it exists.
+  const packageLockPath = path.join(ROOT_DIR, 'package-lock.json');
+  if (await fileExists(packageLockPath)) {
+    const packageLock = JSON.parse(await readTextFile(packageLockPath));
+    if (packageLock.name === packageJson.name) {
+      packageLock.version = newVersion;
+    }
+    if (packageLock.packages?.['']?.name === packageJson.name) {
+      packageLock.packages[''].version = newVersion;
+    }
+    await writeTextFile(packageLockPath, JSON.stringify(packageLock, null, 2) + '\n');
+    console.log('Updated package-lock.json');
+  }
+
+  // 3. Update docs/deep_analysis_and_roadmap_backlog.md
   const roadmapPath = path.join(ROOT_DIR, 'docs', 'deep_analysis_and_roadmap_backlog.md');
   if (await fileExists(roadmapPath)) {
     let roadmapContent = await readTextFile(roadmapPath);
@@ -57,19 +71,22 @@ async function bumpVersion() {
     console.log('Updated docs/deep_analysis_and_roadmap_backlog.md');
   }
 
-  // 3. Update Rule files (.cursorrules, .windsurfrules)
-  const ruleFiles = ['.cursorrules', '.windsurfrules'];
-  for (const ruleFile of ruleFiles) {
-    const fullPath = path.join(ROOT_DIR, ruleFile);
-    if (await fileExists(fullPath)) {
-      let content = await readTextFile(fullPath);
-      content = content.replace(`Generated by Agentic-Senior-Core CLI v${oldVersion}`, `Generated by Agentic-Senior-Core CLI v${newVersion}`);
-      await writeTextFile(fullPath, content);
-      console.log(`Updated ${ruleFile}`);
+  // 4. Update legacy root adapters that carry release metadata.
+  const legacyAdapterFiles = ['.cursorrules', '.windsurfrules'];
+  for (const legacyAdapterFile of legacyAdapterFiles) {
+    const legacyAdapterPath = path.join(ROOT_DIR, legacyAdapterFile);
+    if (await fileExists(legacyAdapterPath)) {
+      const legacyAdapterContent = await readTextFile(legacyAdapterPath);
+      const updatedLegacyAdapterContent = legacyAdapterContent.replace(
+        /Generated by Agentic-Senior-Core CLI v\d+\.\d+\.\d+/,
+        `Generated by Agentic-Senior-Core CLI v${newVersion}`
+      );
+      await writeTextFile(legacyAdapterPath, updatedLegacyAdapterContent);
+      console.log(`Updated ${legacyAdapterFile}`);
     }
   }
 
-  // 4. Update CHANGELOG.md
+  // 5. Update CHANGELOG.md
   const changelogPath = path.join(ROOT_DIR, 'CHANGELOG.md');
   if (await fileExists(changelogPath)) {
     let changelogContent = await readTextFile(changelogPath);

package/scripts/validate.mjs

@@ -42,6 +42,8 @@ const ROOT_DIR = resolve(dirname(SCRIPT_FILE_PATH), '..');
 const AGENT_CONTEXT_DIR = join(ROOT_DIR, '.agent-context');
 const CANONICAL_INSTRUCTION_PATH = join(ROOT_DIR, '.instructions.md');
 const PACKAGE_JSON_PATH = join(ROOT_DIR, 'package.json');
+const PACKAGE_LOCK_PATH = join(ROOT_DIR, 'package-lock.json');
+const BUN_LOCK_PATH = join(ROOT_DIR, 'bun.lock');
 const CHANGELOG_PATH = join(ROOT_DIR, 'CHANGELOG.md');
 const README_PATH = join(ROOT_DIR, 'README.md');
 const POLICY_FILE_PATH = join(ROOT_DIR, '.agent-context', 'policies', 'llm-judge-threshold.json');
@@ -473,6 +475,12 @@ async function validatePackageMetadata() {
   } else {
     fail('package.json must publish .instructions.md so init and upgrade can copy the canonical root instructions file');
   }
+
+  if (await fileExists(BUN_LOCK_PATH)) {
+    fail('bun.lock must not be tracked while npm is the package manager source of truth');
+  } else {
+    pass('No bun.lock drift file present');
+  }
 }
 
 async function validatePolicyFile() {
@@ -529,6 +537,18 @@ async function validateVersionConsistency() {
     fail(`CHANGELOG.md is missing a ## ${packageVersion} heading`);
   }
 
+  if (await fileExists(PACKAGE_LOCK_PATH)) {
+    const packageLock = JSON.parse(await readTextFile(PACKAGE_LOCK_PATH));
+    const rootLockVersion = packageLock.packages?.['']?.version;
+    if (packageLock.version === packageVersion && rootLockVersion === packageVersion) {
+      pass(`package-lock.json matches package version ${packageVersion}`);
+    } else {
+      fail(`package-lock.json version drift: expected ${packageVersion}, found ${packageLock.version || 'missing'} / ${rootLockVersion || 'missing'}`);
+    }
+  } else {
+    fail('package-lock.json is required for npm release consistency');
+  }
+
   for (const generatedRuleFileName of GENERATED_RULE_FILES) {
     const generatedRuleContent = await readTextFile(join(ROOT_DIR, generatedRuleFileName));
 

package/scripts/validate-evidence-bundle.mjs

@@ -1,76 +0,0 @@
-import fs from 'node:fs/promises';
-import path from 'node:path';
-
-/**
- * Validates the structure and content of an evidence bundle for an artifact.
- * Target artifact directory must be provided as an argument.
- */
-export async function validateEvidenceBundle(artifactPath) {
-  const evidenceDirPath = path.join(artifactPath, '.evidence');
-  
-  try {
-    const stats = await fs.stat(evidenceDirPath);
-    if (!stats.isDirectory()) {
-       return { passed: false, error: '.evidence is not a directory' };
-    }
-   } catch {
-    return { passed: false, error: 'Missing .evidence directory' };
-  }
-
-  const requiredFiles = [
-    'compatibility-manifest.json',
-    'test-report.json',
-    'sbom-excerpt.json'
-  ];
-
-  for (const fileName of requiredFiles) {
-    try {
-       await fs.stat(path.join(evidenceDirPath, fileName));
-    } catch {
-       return { passed: false, error: `Missing required evidence file: ${fileName}` };
-    }
-  }
-
-  // Validate compatibility manifest structure
-  try {
-     const manifestData = JSON.parse(await fs.readFile(path.join(evidenceDirPath, 'compatibility-manifest.json'), 'utf8'));
-     if (!manifestData.ides || !Array.isArray(manifestData.ides)) {
-        return { passed: false, error: 'compatibility-manifest.json is missing the "ides" array' };
-     }
-  } catch (err) {
-     return { passed: false, error: `Invalid compatibility-manifest.json: ${err.message}` };
-  }
-
-  // Validate test report structure
-  try {
-     const testReportData = JSON.parse(await fs.readFile(path.join(evidenceDirPath, 'test-report.json'), 'utf8'));
-     if (typeof testReportData.passed !== 'boolean' || typeof testReportData.total !== 'number') {
-        return { passed: false, error: 'test-report.json must contain boolean "passed" and numeric "total"' };
-     }
-  } catch (err) {
-     return { passed: false, error: `Invalid test-report.json: ${err.message}` };
-  }
-
-  return { passed: true, error: null };
-}
-
-// Allow CLI usage
-if (process.argv[1] && process.argv[1] === new URL(import.meta.url).pathname || process.argv[1] === import.meta.filename) {
-    const targetDir = process.argv[2];
-    if (!targetDir) {
-        console.error('Usage: node validate-evidence-bundle.mjs <target-directory>');
-        process.exit(1);
-    }
-    
-    validateEvidenceBundle(path.resolve(targetDir))
-        .then(result => {
-             if (result.passed) {
-                 console.log('[OK] Evidence bundle is valid.');
-                 process.exit(0);
-             } else {
-                 console.error(`[FAIL] Evidence bundle validation failed: ${result.error}`);
-                 process.exit(1);
-             }
-        })
-        .catch(console.error);
-}