cclaw-cli 0.51.30 → 0.55.2

package/dist/artifact-linter/review-army.js

@@ -0,0 +1,365 @@
+import fs from "node:fs/promises";
+import path from "node:path";
+import { RUNTIME_ROOT } from "../constants.js";
+import { exists } from "../fs-utils.js";
+import { extractH2Sections, sectionBodyByName } from "./shared.js";
+async function resolveNamedArtifactPath(projectRoot, fileName) {
+    const relPath = path.join(RUNTIME_ROOT, "artifacts", fileName);
+    const absPath = path.join(projectRoot, relPath);
+    return { absPath, relPath };
+}
+function isNonEmptyString(v) {
+    return typeof v === "string" && v.length > 0;
+}
+function isFiniteNumber(v) {
+    return typeof v === "number" && Number.isFinite(v);
+}
+function isNonNegativeInteger(v) {
+    return Number.isInteger(v) && v >= 0;
+}
+function isStringArray(v) {
+    return Array.isArray(v) && v.every((item) => typeof item === "string");
+}
+export async function validateReviewArmy(projectRoot) {
+    const errors = [];
+    const { absPath, relPath } = await resolveNamedArtifactPath(projectRoot, "07-review-army.json");
+    if (!(await exists(absPath))) {
+        return { valid: false, errors: [`Missing file: ${relPath}`] };
+    }
+    let parsed;
+    try {
+        parsed = JSON.parse(await fs.readFile(absPath, "utf8"));
+    }
+    catch (e) {
+        const msg = e instanceof Error ? e.message : String(e);
+        return { valid: false, errors: [`Invalid JSON: ${msg}`] };
+    }
+    if (parsed === null || typeof parsed !== "object" || Array.isArray(parsed)) {
+        return { valid: false, errors: ["Root value must be a JSON object."] };
+    }
+    const root = parsed;
+    if (!("version" in root) || !isFiniteNumber(root.version) || root.version < 1) {
+        errors.push('Field "version" must be a finite number >= 1.');
+    }
+    if (!isNonEmptyString(root.generatedAt)) {
+        errors.push('Field "generatedAt" must be a non-empty string.');
+    }
+    if (!("scope" in root) || root.scope === null || typeof root.scope !== "object" || Array.isArray(root.scope)) {
+        errors.push('Field "scope" must be an object.');
+    }
+    else {
+        const scope = root.scope;
+        if (!isNonEmptyString(scope.base)) {
+            errors.push("scope.base must be a non-empty string.");
+        }
+        if (!isNonEmptyString(scope.head)) {
+            errors.push("scope.head must be a non-empty string.");
+        }
+        if (!isStringArray(scope.files)) {
+            errors.push("scope.files must be an array of strings.");
+        }
+    }
+    const severitySet = new Set(["Critical", "Important", "Suggestion"]);
+    const statusSet = new Set(["open", "accepted", "resolved"]);
+    const sourceSet = new Set([
+        "spec",
+        "correctness",
+        "security",
+        "performance",
+        "architecture",
+        "external-safety"
+    ]);
+    const findingIds = new Set();
+    const openCriticalIds = new Set();
+    if (!Array.isArray(root.findings)) {
+        errors.push('Field "findings" must be an array.');
+    }
+    else {
+        root.findings.forEach((f, i) => {
+            if (f === null || typeof f !== "object" || Array.isArray(f)) {
+                errors.push(`findings[${i}] must be an object.`);
+                return;
+            }
+            const o = f;
+            if (!isNonEmptyString(o.id)) {
+                errors.push(`findings[${i}].id must be a non-empty string.`);
+            }
+            else if (findingIds.has(o.id)) {
+                errors.push(`findings[${i}].id must be unique.`);
+            }
+            else {
+                findingIds.add(o.id);
+            }
+            if (!isNonEmptyString(o.severity) || !severitySet.has(o.severity)) {
+                errors.push(`findings[${i}].severity must be one of: Critical, Important, Suggestion.`);
+            }
+            if (!isNonEmptyString(o.status) || !statusSet.has(o.status)) {
+                errors.push(`findings[${i}].status must be one of: open, accepted, resolved.`);
+            }
+            if (!isNonEmptyString(o.fingerprint)) {
+                errors.push(`findings[${i}].fingerprint must be a non-empty string.`);
+            }
+            if (!isFiniteNumber(o.confidence) || o.confidence < 1 || o.confidence > 10) {
+                errors.push(`findings[${i}].confidence must be a number in [1,10].`);
+            }
+            if (!isStringArray(o.reportedBy) || o.reportedBy.length === 0) {
+                errors.push(`findings[${i}].reportedBy must be a non-empty string array.`);
+            }
+            if (o.sources !== undefined) {
+                if (!isStringArray(o.sources) || o.sources.length === 0) {
+                    errors.push(`findings[${i}].sources must be a non-empty string array when present.`);
+                }
+                else {
+                    const invalidSources = o.sources.filter((source) => !sourceSet.has(source));
+                    if (invalidSources.length > 0) {
+                        errors.push(`findings[${i}].sources contains unknown values: ${invalidSources.join(", ")}.`);
+                    }
+                }
+            }
+            if (o.location === undefined || o.location === null) {
+                errors.push(`findings[${i}].location is required and must be an object with file + line.`);
+            }
+            else if (typeof o.location !== "object" || Array.isArray(o.location)) {
+                errors.push(`findings[${i}].location must be an object with file + line.`);
+            }
+            else {
+                const loc = o.location;
+                if (!isNonEmptyString(loc.file)) {
+                    errors.push(`findings[${i}].location.file must be a non-empty string.`);
+                }
+                if (!isFiniteNumber(loc.line) || loc.line < 1) {
+                    errors.push(`findings[${i}].location.line must be a positive number.`);
+                }
+            }
+            if (o.recommendation !== undefined && !isNonEmptyString(o.recommendation)) {
+                errors.push(`findings[${i}].recommendation must be a non-empty string when present.`);
+            }
+            if (o.severity === "Critical" && o.status === "open" && !isNonEmptyString(o.recommendation)) {
+                errors.push(`findings[${i}] open Critical finding must include recommendation.`);
+            }
+            if (o.id && o.severity === "Critical" && o.status === "open" && typeof o.id === "string") {
+                openCriticalIds.add(o.id);
+            }
+        });
+    }
+    if (!("reconciliation" in root) || root.reconciliation === null || typeof root.reconciliation !== "object") {
+        errors.push('Field "reconciliation" must be an object.');
+    }
+    else {
+        const rec = root.reconciliation;
+        if (!isNonNegativeInteger(rec.duplicatesCollapsed)) {
+            errors.push("reconciliation.duplicatesCollapsed must be a non-negative integer.");
+        }
+        if (!Array.isArray(rec.conflicts)) {
+            errors.push("reconciliation.conflicts must be an array.");
+        }
+        else {
+            rec.conflicts.forEach((c, ci) => {
+                if (c === null || typeof c !== "object" || Array.isArray(c)) {
+                    errors.push(`reconciliation.conflicts[${ci}] must be an object.`);
+                    return;
+                }
+                const co = c;
+                if (!isNonEmptyString(co.findingId)) {
+                    errors.push(`reconciliation.conflicts[${ci}].findingId must be a non-empty string.`);
+                }
+                else if (!findingIds.has(co.findingId)) {
+                    errors.push(`reconciliation.conflicts[${ci}].findingId references unknown finding "${co.findingId}".`);
+                }
+                if (!isNonEmptyString(co.description)) {
+                    errors.push(`reconciliation.conflicts[${ci}].description must be a non-empty string.`);
+                }
+            });
+        }
+        if (!isStringArray(rec.multiSpecialistConfirmed)) {
+            errors.push("reconciliation.multiSpecialistConfirmed must be an array of finding ids.");
+        }
+        else {
+            for (const msId of rec.multiSpecialistConfirmed) {
+                if (!findingIds.has(msId)) {
+                    errors.push(`reconciliation.multiSpecialistConfirmed references unknown finding id "${msId}".`);
+                    continue;
+                }
+                if (Array.isArray(root.findings)) {
+                    const finding = root.findings.find((f) => {
+                        return f && typeof f === "object" && !Array.isArray(f) && f.id === msId;
+                    });
+                    if (finding && typeof finding === "object" && !Array.isArray(finding)) {
+                        const reportedBy = finding.reportedBy;
+                        const count = Array.isArray(reportedBy)
+                            ? new Set(reportedBy.filter((v) => typeof v === "string")).size
+                            : 0;
+                        if (count < 2) {
+                            errors.push(`reconciliation.multiSpecialistConfirmed entry "${msId}" must be confirmed by at least 2 distinct reviewers (found ${count}).`);
+                        }
+                    }
+                }
+            }
+        }
+        if (!isStringArray(rec.shipBlockers)) {
+            errors.push("reconciliation.shipBlockers must be an array of finding ids.");
+        }
+        else {
+            const blockers = new Set(rec.shipBlockers);
+            for (const id of rec.shipBlockers) {
+                if (!findingIds.has(id)) {
+                    errors.push(`reconciliation.shipBlockers references unknown finding id "${id}".`);
+                }
+            }
+            for (const criticalId of openCriticalIds) {
+                if (!blockers.has(criticalId)) {
+                    errors.push(`reconciliation.shipBlockers must include open Critical finding "${criticalId}".`);
+                }
+            }
+        }
+        if (isStringArray(rec.multiSpecialistConfirmed)) {
+            for (const id of rec.multiSpecialistConfirmed) {
+                if (!findingIds.has(id)) {
+                    errors.push(`reconciliation.multiSpecialistConfirmed references unknown finding id "${id}".`);
+                }
+            }
+        }
+        if (rec.layerCoverage !== undefined) {
+            if (rec.layerCoverage === null || typeof rec.layerCoverage !== "object" || Array.isArray(rec.layerCoverage)) {
+                errors.push("reconciliation.layerCoverage must be an object when present.");
+            }
+            else {
+                const coverage = rec.layerCoverage;
+                for (const source of sourceSet) {
+                    if (coverage[source] !== undefined && typeof coverage[source] !== "boolean") {
+                        errors.push(`reconciliation.layerCoverage.${source} must be boolean when present.`);
+                    }
+                }
+            }
+        }
+    }
+    return { valid: errors.length === 0, errors };
+}
+/**
+ * Ensure the narrative verdict in 07-review.md is consistent with the
+ * structured review-army reconciliation. A review cannot declare
+ * APPROVED while open Critical findings or shipBlockers remain.
+ */
+export async function checkReviewVerdictConsistency(projectRoot) {
+    const errors = [];
+    const reviewMdPath = path.join(projectRoot, RUNTIME_ROOT, "artifacts", "07-review.md");
+    const armyJsonPath = path.join(projectRoot, RUNTIME_ROOT, "artifacts", "07-review-army.json");
+    let finalVerdict = "UNKNOWN";
+    if (await exists(reviewMdPath)) {
+        const raw = await fs.readFile(reviewMdPath, "utf8");
+        const sections = extractH2Sections(raw);
+        const verdictBody = sectionBodyByName(sections, "Final Verdict");
+        if (verdictBody) {
+            const chosen = [];
+            for (const token of ["APPROVED_WITH_CONCERNS", "APPROVED", "BLOCKED"]) {
+                const regex = new RegExp(`\\b${token}\\b`, "u");
+                if (regex.test(verdictBody)) {
+                    // APPROVED would match inside APPROVED_WITH_CONCERNS; prefer the longer match first.
+                    if (token === "APPROVED" && /\bAPPROVED_WITH_CONCERNS\b/u.test(verdictBody))
+                        continue;
+                    chosen.push(token);
+                }
+            }
+            if (chosen.length === 1) {
+                finalVerdict = chosen[0];
+            }
+            else if (chosen.length > 1) {
+                errors.push(`Final Verdict section lists multiple verdict tokens (${chosen.join(", ")}). Select exactly one.`);
+            }
+            else {
+                errors.push('Final Verdict section does not select APPROVED, APPROVED_WITH_CONCERNS, or BLOCKED.');
+            }
+        }
+        else {
+            errors.push('07-review.md is missing the "## Final Verdict" section.');
+        }
+    }
+    let openCriticalCount = 0;
+    let shipBlockerCount = 0;
+    if (await exists(armyJsonPath)) {
+        try {
+            const raw = await fs.readFile(armyJsonPath, "utf8");
+            const parsed = JSON.parse(raw);
+            const findings = Array.isArray(parsed.findings) ? parsed.findings : [];
+            for (const f of findings) {
+                if (!f || typeof f !== "object" || Array.isArray(f))
+                    continue;
+                const o = f;
+                if (o.severity === "Critical" && o.status === "open") {
+                    openCriticalCount++;
+                }
+            }
+            const rec = parsed.reconciliation && typeof parsed.reconciliation === "object" && !Array.isArray(parsed.reconciliation)
+                ? parsed.reconciliation
+                : null;
+            if (rec && Array.isArray(rec.shipBlockers)) {
+                shipBlockerCount = rec.shipBlockers.filter((v) => typeof v === "string").length;
+            }
+        }
+        catch {
+            // JSON validity is the concern of validateReviewArmy; skip silently here.
+        }
+    }
+    if (finalVerdict === "APPROVED" && (openCriticalCount > 0 || shipBlockerCount > 0)) {
+        errors.push(`Final Verdict is APPROVED but review-army has ${openCriticalCount} open Critical finding(s) and ${shipBlockerCount} shipBlocker(s). Use BLOCKED or APPROVED_WITH_CONCERNS.`);
+    }
+    // APPROVED_WITH_CONCERNS is intended for Important/Suggestion findings
+    // the author has accepted. An *open* Critical finding or an active
+    // shipBlocker must route through BLOCKED (review_verdict_blocked gate)
+    // rather than pass as a concession — previously this slipped through.
+    if (finalVerdict === "APPROVED_WITH_CONCERNS" &&
+        (openCriticalCount > 0 || shipBlockerCount > 0)) {
+        errors.push(`Final Verdict is APPROVED_WITH_CONCERNS but review-army has ${openCriticalCount} open Critical finding(s) and ${shipBlockerCount} shipBlocker(s). Resolve them or use BLOCKED.`);
+    }
+    return {
+        ok: errors.length === 0,
+        errors,
+        finalVerdict,
+        openCriticalCount,
+        shipBlockerCount
+    };
+}
+export async function checkReviewSecurityNoChangeAttestation(projectRoot) {
+    const reviewMdPath = path.join(projectRoot, RUNTIME_ROOT, "artifacts", "07-review.md");
+    if (!(await exists(reviewMdPath))) {
+        return {
+            ok: true,
+            errors: [],
+            hasSecurityFinding: false,
+            hasNoChangeAttestation: false
+        };
+    }
+    const errors = [];
+    const raw = await fs.readFile(reviewMdPath, "utf8");
+    const sections = extractH2Sections(raw);
+    const securityBody = sectionBodyByName(sections, "Layer 2 Security")
+        ?? sectionBodyByName(sections, "Layer 2b: Security")
+        ?? sectionBodyByName(sections, "Layer 2 Findings");
+    if (!securityBody) {
+        errors.push('07-review.md is missing a Layer 2 security section.');
+        return {
+            ok: false,
+            errors,
+            hasSecurityFinding: false,
+            hasNoChangeAttestation: false
+        };
+    }
+    const securityTableRowPattern = /^\|\s*[^|\n]+\|\s*[^|\n]+\|\s*security\s*\|\s*[^|\n]+\|\s*[^|\n]+\|/imu;
+    const securityBulletPattern = /^[*-]\s+.*\b(?:security|auth|injection|secret|credential|permission)\b/imu;
+    const hasSecurityFinding = securityTableRowPattern.test(securityBody) || securityBulletPattern.test(securityBody);
+    const attestationMatch = /\b(NO_CHANGE_ATTESTATION|NO_SECURITY_IMPACT)\b\s*:\s*(.*)/iu.exec(securityBody);
+    const attestationToken = attestationMatch?.[1] ?? "NO_CHANGE_ATTESTATION";
+    const hasNoChangeAttestation = Boolean(attestationMatch && attestationMatch[2]?.trim().length > 0);
+    if (attestationMatch && attestationMatch[2]?.trim().length === 0) {
+        errors.push(`${attestationToken} must include a non-empty rationale.`);
+    }
+    if (!hasSecurityFinding && !hasNoChangeAttestation) {
+        errors.push("Layer 2 security evidence missing: include at least one security finding or `NO_CHANGE_ATTESTATION: <reason>` / `NO_SECURITY_IMPACT: <reason>`.");
+    }
+    return {
+        ok: errors.length === 0,
+        errors,
+        hasSecurityFinding,
+        hasNoChangeAttestation
+    };
+}

package/dist/artifact-linter/review.d.ts

@@ -0,0 +1,2 @@
+import { type StageLintContext } from "./shared.js";
+export declare function lintReviewStage(ctx: StageLintContext): Promise<void>;

package/dist/artifact-linter/review.js

@@ -0,0 +1,65 @@
+import { sectionBodyByName } from "./shared.js";
+export async function lintReviewStage(ctx) {
+    const { projectRoot, track, raw, absFile, sections, findings, parsedFrontmatter, brainstormShortCircuitBody, brainstormShortCircuitActivated, staleDiagramAuditEnabled, isTrivialOverride } = ctx;
+    // Universal Layer 2.7 structural checks (superpowers requesting + receiving).
+    const frameBody = sectionBodyByName(sections, "Pre-Critic Self-Review");
+    if (frameBody !== null) {
+        const required = [
+            "Build/lint/type-check/tests passed locally",
+            "Diff matches spec/plan (no scope creep)",
+            "Evidence (commands + result):",
+            "Goal:",
+            "Approach:",
+            "Risk areas:",
+            "Verification done:",
+            "Open questions"
+        ];
+        const missing = required.filter((token) => {
+            const escaped = token
+                .replace(/[.*+?^${}()|[\]\\]/gu, "\\$&")
+                .replace(/\\:/gu, "\\s*:");
+            return !new RegExp(escaped, "iu").test(frameBody);
+        });
+        findings.push({
+            section: "Pre-Critic Self-Review Coverage",
+            required: true,
+            rule: "Pre-Critic Self-Review must include key self-check lines plus Goal, Approach, Risk areas, Verification done, and Open questions.",
+            found: missing.length === 0,
+            details: missing.length === 0
+                ? "Pre-Critic Self-Review covers all required fields."
+                : `Pre-Critic Self-Review is missing field(s): ${missing.join(", ")}.`
+        });
+    }
+    const criticBody = sectionBodyByName(sections, "Critic Subagent Dispatch");
+    if (criticBody !== null) {
+        const required = [
+            "Critic agent definition path",
+            "Dispatch surface",
+            "Frame sent",
+            "Critic returned"
+        ];
+        const missing = required.filter((token) => !criticBody.includes(token));
+        findings.push({
+            section: "Critic Subagent Dispatch Shape",
+            required: true,
+            rule: "Critic Subagent Dispatch must declare agent definition path, dispatch surface, frame sent, and critic-returned summary.",
+            found: missing.length === 0,
+            details: missing.length === 0
+                ? "Critic dispatch metadata complete."
+                : `Critic Subagent Dispatch is missing field(s): ${missing.join(", ")}.`
+        });
+    }
+    const receivingBody = sectionBodyByName(sections, "Receiving Posture");
+    if (receivingBody !== null) {
+        const ack = /no performative agreement/iu.test(receivingBody);
+        findings.push({
+            section: "Receiving Posture Anti-Sycophancy",
+            required: true,
+            rule: "Receiving Posture must affirm `No performative agreement (forbidden openers acknowledged)`.",
+            found: ack,
+            details: ack
+                ? "Receiving posture acknowledged anti-sycophancy."
+                : "Receiving Posture is missing the anti-sycophancy acknowledgement line."
+        });
+    }
+}

package/dist/artifact-linter/scope.d.ts

@@ -0,0 +1,2 @@
+import { type StageLintContext } from "./shared.js";
+export declare function lintScopeStage(ctx: StageLintContext): Promise<void>;

package/dist/artifact-linter/scope.js

@@ -0,0 +1,115 @@
+import { sectionBodyByHeadingPrefix, sectionBodyByName, extractCanonicalScopeMode, sectionBodyByAnyName, collectPatternHits, SCOPE_REDUCTION_PATTERNS, validateLockedDecisionAnchors, getMarkdownTableRows } from "./shared.js";
+import { readDelegationLedger } from "../delegation.js";
+export async function lintScopeStage(ctx) {
+    const { projectRoot, track, raw, absFile, sections, findings, parsedFrontmatter, brainstormShortCircuitBody, brainstormShortCircuitActivated, staleDiagramAuditEnabled, isTrivialOverride } = ctx;
+    const lockedDecisionsBody = sectionBodyByHeadingPrefix(sections, "Locked Decisions") ?? "";
+    const scopeSummaryBody = sectionBodyByName(sections, "Scope Summary") ?? "";
+    const selectedScopeMode = extractCanonicalScopeMode(scopeSummaryBody);
+    const strictScopeGuards = parsedFrontmatter.hasFrontmatter ||
+        sectionBodyByHeadingPrefix(sections, "Locked Decisions") !== null;
+    const scopeSections = [
+        sectionBodyByAnyName(sections, ["In Scope / Out of Scope", "In Scope", "Out of Scope"]) ?? "",
+        sectionBodyByName(sections, "Scope Summary") ?? "",
+        lockedDecisionsBody
+    ].join("\n");
+    const strategistRequired = selectedScopeMode === "SCOPE EXPANSION" || selectedScopeMode === "SELECTIVE EXPANSION";
+    if (strategistRequired) {
+        const delegationLedger = await readDelegationLedger(projectRoot);
+        const strategistRows = delegationLedger.entries.filter((entry) => entry.stage === "scope" &&
+            entry.agent === "product-strategist" &&
+            entry.runId === delegationLedger.runId &&
+            entry.status === "completed");
+        const hasCompleted = strategistRows.length > 0;
+        const hasEvidence = strategistRows.some((entry) => Array.isArray(entry.evidenceRefs) && entry.evidenceRefs.length > 0);
+        findings.push({
+            section: "Expansion Strategist Delegation",
+            required: true,
+            rule: "When Scope Summary selects SCOPE EXPANSION or SELECTIVE EXPANSION, a completed `product-strategist` delegation for the active run with non-empty evidenceRefs is required.",
+            found: hasCompleted && hasEvidence,
+            details: !hasCompleted
+                ? `Scope mode ${selectedScopeMode} requires a completed product-strategist delegation row for active run ${delegationLedger.runId}.`
+                : hasEvidence
+                    ? `product-strategist delegation satisfied for mode ${selectedScopeMode}.`
+                    : "product-strategist delegation exists but evidenceRefs is empty; add at least one artifact/code evidence reference."
+        });
+    }
+    const reductionHits = collectPatternHits(scopeSections, SCOPE_REDUCTION_PATTERNS);
+    findings.push({
+        section: "No Scope Reduction Language",
+        required: strictScopeGuards,
+        rule: "Scope boundary sections must not use reduction placeholders (`v1`, `for now`, `later`, `temporary`, `placeholder`).",
+        found: reductionHits.length === 0,
+        details: reductionHits.length === 0
+            ? "No scope-reduction phrases detected in scope boundary sections."
+            : `Detected scope-reduction phrase(s): ${reductionHits.join(", ")}.`
+    });
+    if (sectionBodyByHeadingPrefix(sections, "Locked Decisions") !== null) {
+        const anchorValidation = validateLockedDecisionAnchors(lockedDecisionsBody);
+        findings.push({
+            section: "Locked Decisions Hash Integrity",
+            required: true,
+            rule: "Locked Decisions section must list unique LD#<sha8> content-derived anchors.",
+            found: anchorValidation.ok,
+            details: anchorValidation.details
+        });
+        // Legacy D-XX rows remain advisory for older artifacts, but new templates
+        // use LD#hash anchors. This check keeps D-XX duplicates visible without
+        // making old artifacts the primary contract.
+        const listDecisionLines = lockedDecisionsBody
+            .split(/\r?\n/u)
+            .map((line) => line.trim())
+            .filter((line) => /^[-*]\s+\S/u.test(line));
+        const tableDecisionRows = getMarkdownTableRows(lockedDecisionsBody);
+        const tableDecisionLines = tableDecisionRows.map((row) => row.join(" | "));
+        const decisionLines = [...listDecisionLines, ...tableDecisionLines];
+        const orphanDecisionLines = decisionLines.filter((line) => !/\bD-\d+\b/u.test(line));
+        const rowDecisionIds = [
+            ...listDecisionLines.map((line) => /\bD-\d+\b/u.exec(line)?.[0]),
+            ...tableDecisionRows.map((row) => /\bD-\d+\b/u.exec(row[0] ?? "")?.[0])
+        ].filter((id) => typeof id === "string");
+        const duplicateIds = (() => {
+            const counts = new Map();
+            for (const id of rowDecisionIds)
+                counts.set(id, (counts.get(id) ?? 0) + 1);
+            return [...counts.entries()].filter(([, n]) => n > 1).map(([id]) => id);
+        })();
+        const issues = [];
+        if (rowDecisionIds.length === 0 && decisionLines.length === 0) {
+            issues.push("section is empty");
+        }
+        if (orphanDecisionLines.length > 0) {
+            const examples = orphanDecisionLines
+                .slice(0, 3)
+                .map((line) => `\`${line.slice(0, 120)}\``)
+                .join(", ");
+            issues.push(`${orphanDecisionLines.length} decision row(s) missing a D-XX ID${examples.length > 0 ? `: ${examples}` : ""}`);
+        }
+        if (duplicateIds.length > 0) {
+            issues.push(`duplicate IDs: ${duplicateIds.join(", ")}`);
+        }
+        findings.push({
+            section: "Locked Decisions ID Integrity",
+            required: false,
+            rule: "Locked Decisions section must list each decision with a unique stable D-XX ID.",
+            found: issues.length === 0,
+            details: issues.length === 0
+                ? `${rowDecisionIds.length} decision ID(s) recorded with no duplicates.`
+                : issues.join("; ")
+        });
+    }
+    // Universal Layer 2.2 structural checks (gstack plan-ceo-review). All
+    // present-only — they validate shape when the section exists.
+    const altsBody = sectionBodyByName(sections, "Implementation Alternatives");
+    if (altsBody !== null) {
+        const recommendation = /^RECOMMENDATION:\s*(.+)$/imu.test(altsBody);
+        findings.push({
+            section: "Implementation Alternatives Recommendation",
+            required: true,
+            rule: "Implementation Alternatives must conclude with a `RECOMMENDATION:` line citing the chosen option and rationale.",
+            found: recommendation,
+            details: recommendation
+                ? "Recommendation marker present."
+                : "Missing or empty `RECOMMENDATION:` line under Implementation Alternatives."
+        });
+    }
+}