codex-genesis-harness 0.1.7 → 0.1.9

package/.codebase/COMPRESSED_CONTEXT.md

@@ -0,0 +1,80 @@
+# Compressed Context & Dependency Graph
+
+## src/auth.js
+### Implements Features
+- `Đăng nhập`
+- `Cập nhật Profile`
+
+## tests/integration/cli-smoke.test.js
+### Dependencies
+- `assert`
+- `fs`
+- `os`
+- `path`
+- `child_process`
+
+## tests/unit/contract_integrity_gate.test.js
+### Dependencies
+- `assert`
+- `fs`
+- `path`
+- `child_process`
+
+## tests/unit/healing_telemetry.test.js
+### Dependencies
+- `assert`
+- `fs`
+- `path`
+- `child_process`
+
+## tests/unit/prompt_sentinel.test.js
+### Dependencies
+- `assert`
+- `fs`
+- `path`
+- `child_process`
+
+## tests/unit/spec_visual_sync.test.js
+### Dependencies
+- `assert`
+- `fs`
+- `path`
+- `child_process`
+
+## tests/unit/test_generator.test.js
+### Dependencies
+- `assert`
+- `fs`
+- `path`
+- `child_process`
+
+## bin/genesis-harness.js
+### Dependencies
+- `fs`
+- `path`
+- `child_process`
+- `@babel/parser`
+- `@babel/traverse`
+- `child_process`
+
+
+## Project Planning & Roadmap
+# Phase 1: Core Features
+
+## Role: User
+- [x] Đăng nhập (files: src/auth.js)
+- [/] Cập nhật Profile (depends_on: Đăng nhập) (files: src/auth.js, src/db.js)
+- [ ] Mua hàng (depends_on: Đăng nhập)
+
+## Role: Admin
+- [x] Quản lý User
+- [ ] Xem thống kê doanh thu (depends_on: Mua hàng)
+- [~] Xử lý đơn hàng (depends_on: Mua hàng)
+
+# Phase 2: Nâng Cao
+
+## Role: Analytics
+- [ ] Xuất báo cáo Excel (depends_on: Xem thống kê doanh thu)
+- [ ] Tích hợp Google Analytics
+- [/] Dashboard Real-time (depends_on: Google Analytics)
+

package/.codebase/CURRENT_STATE.md

@@ -1,11 +1,11 @@
-# Current State: COMPLETED
-Last updated: Mon Jun 01 17:15:00 +07 2026
+# Current System State
 
-## Reason
-Successfully completed the Visual Mockup Generation & Interactive TUI Mockup Viewer integration (v0.3.0), followed by Harness Engineering standardizations and preparation for release `0.1.7`:
-- **Interactive Keyboard-Navigated CLI TUI**: Developed an elegant console interface for `genesis-harness view-mockup` capturing stdin keypresses.
-- **Harness Verification Streamlining**: Refactored `scripts/verify.sh` and `scripts/run-evals.sh` to dynamically evaluate skill names, removing legacy hard-coded mapping logic. Cleaned up deprecated skills (e.g., `genesis-mvp-planning`, `genesis-release-orchestration`, `genesis-state-machine`, `genesis-research`, `genesis-docs`).
-- **Skill Consolidation**: Merged overlapping skills to resolve duplicated slash commands and clean up the architecture.
-- **Bead Memory Test Coverage**: Added rigorous CLI command validations in `scripts/run-evals.sh` to guarantee that `remember`, `recall`, `prime`, and `forget` function reliably.
-- **Skill Enrichment Directives**: Packaged new visual contract requirements inside `genesis-design-spec` (utilizing `generate_image`) and visual alignment checks inside `genesis-new-design` (utilizing `view_file`).
-- **Verification Evidence**: Structural checks and regression evaluations pass 100% cleanly, confirming absolute stability in the current codebase state. Ready for 0.1.7 release.
+**Time**: 2026-06-12
+**Status**: `COMPLETED`
+**Latest Session**: `2026-06-12-lifecycle-pipeline-hardening`
+**Time to First Verification (TTFV)**: 180s
+
+## Latest Transition
+
+- State changed to `COMPLETED`
+- Reason: End-to-end lifecycle pipeline verified with project closure and audit

package/.codebase/DEPENDENCY_GRAPH.md

@@ -5,10 +5,23 @@ flowchart TD
   npm["npm package"] --> cli["bin/genesis-harness.js"]
   npm --> skills[".codex/skills"]
   cli --> verify["scripts/verify.sh"]
+  cli --> evals["scripts/run-evals.sh"]
   cli --> install["scripts/install.sh"]
+  cli --> docsgate["genesis-harness docs-gate"]
+  cli --> leanctx["genesis-harness leanctx"]
+  cli --> prime["genesis-harness prime"]
+  leanctx --> policy[".codebase/context-policy.json"]
+  prime --> policy
+  sentinel["scripts/prompt_sentinel.js"] --> policy
+  docsgate --> docsync["check-docs-sync.sh"]
+  docsgate --> specsync["check-spec-changelog.sh"]
   verify --> memory[".codebase"]
   verify --> contracts["contracts"]
   verify --> fixtures["fixtures"]
   verify --> tests["tests and playwright"]
+  evals --> unit["tests/unit/*.test.js"]
+  evals --> integration["tests/integration/*.test.js"]
+  evals --> visual[".codebase/VISUAL_GRAPH.md"]
+  evals --> handoff[".codebase/IMPLEMENTATION_HANDOFF.md"]
+  evals --> policy
 ```
-

package/.codebase/IMPLEMENTATION_HANDOFF.md

@@ -1,351 +1,49 @@
-# Implementation Handoff Template
+# Implementation Handoff: Harness Drift Gate Hardening + LeanCTX
 
-**Purpose**: Document what was implemented, current state, and how to continue if work is paused or passed to another team member.
+**Completed date**: 2026-06-03  
+**Status**: Completed, pending user-requested commit only  
+**Owner**: Codex harness engineering  
 
-**Use After**: Successful implementation completion, before moving to next phase.
+## Summary
 
----
+The harness has been hardened against source-of-truth drift, stale Mermaid graphs, placeholder handoffs, long skill entrypoints, and missing executable CLI smoke coverage. It now also ships portable LeanCTX defaults and auto-seeds them during install/postinstall when a project root is detected, so npm users get token-budget guidance without requiring a machine-specific command wrapper or a manual inspection command.
 
-## Header
+## Changed Subsystems
 
-**Feature/Bug**: _[Name and reference]_  
-**Implemented By**: _Name_  
-**Completed Date**: _YYYY-MM-DD_  
-**Estimated Handoff Date**: _YYYY-MM-DD_  
-**Next Owner**: _Name (if known)_  
+- **CLI**: `genesis-harness sync` now generates harness relationship Mermaid graphs and keeps roadmap-derived output generic so sample app task names do not leak into `.codebase/VISUAL_GRAPH.md`.
+- **Verification**: `scripts/verify.sh` enforces a 500-line maximum for skill entrypoints. `scripts/run-evals.sh` now validates handoff freshness, state freshness, sync-generated Mermaid, and integration smoke coverage.
+- **LeanCTX**: `.codebase/context-policy.json` defines token budget layers, `genesis-harness install` and npm `postinstall` seed it into detected projects without overwriting custom policies, `genesis-harness leanctx` reports the policy, `genesis-harness prime` includes the same policy, and `scripts/prompt_sentinel.js` reads the policy for compaction thresholds.
+- **Skills**: Oversized `SKILL.md` entrypoints were converted into short routing files that point to existing references, playbooks, templates, and checklists.
+- **State and memory**: `.codebase/CURRENT_STATE.md`, `.codebase/state.json`, `.codebase/TEST_MATRIX.md`, `.codebase/RECOVERY_POINTS.md`, `.codebase/DEPENDENCY_GRAPH.md`, `.codebase/PIPELINE_FLOW.md`, and `.codebase/VISUAL_GRAPH.md` now describe the current harness gates.
 
----
+## Verification Evidence
 
-## Executive Summary
-
-_Brief (2-3 sentences) overview of what was implemented._
-
-Example:
-```
-Implemented OAuth 2.0 authentication with Google and GitHub providers.
-Added user registration flow, login page, and session management.
-Integrated with existing user database and role system.
-```
-
----
-
-## What Was Built
-
-### Modules Created
-
-List all new files/modules:
-
-```
-├── src/auth/
-│   ├── oauth-provider.ts (new)
-│   ├── session-manager.ts (new)
-│   └── token-handler.ts (new)
-├── src/ui/pages/
-│   ├── login.tsx (new)
-│   └── register.tsx (new)
-├── tests/
-│   ├── auth.test.ts (new)
-│   └── oauth.integration.test.ts (new)
-└── docs/
-    └── AUTH_SETUP.md (new)
-```
-
-### Modules Modified
-
-List all files changed:
-
-```
-├── src/app.ts (modified)
-│   └── Added auth middleware
-├── src/db/user-model.ts (modified)
-│   └── Added oauth provider fields
-├── .codebase/API_CONTRACTS.md (updated)
-│   └── Added /auth/* endpoints
-└── package.json (updated)
-    └── Added oauth2 dependencies
-```
-
-### Key Features Implemented
-
-- [ ] Feature A: Description
-- [ ] Feature B: Description
-- [ ] Feature C: Description
-
----
-
-## Current State
-
-### ✅ What's Complete
-
-```
-Implementation:
-  ✓ OAuth flow implemented
-  ✓ Database migrations applied
-  ✓ API endpoints created
-  ✓ UI components built
-  ✓ Error handling added
-
-Testing:
-  ✓ Unit tests passing (15/15)
-  ✓ Integration tests passing (8/8)
-  ✓ E2E tests passing (5/5)
-  ✓ Coverage: 85%
-
-Documentation:
-  ✓ API_CONTRACTS.md updated
-  ✓ README updated with setup instructions
-  ✓ Database schema documented
-  ✓ Error handling documented
-
-Deployment:
-  ✓ Code review approved
-  ✓ All linting passed
-  ✓ Build successful
-```
-
-### ⚠️ Known Issues / Limitations
-
-```
-Issue #1: Rate limiting not yet enforced
-  - Status: Identified
-  - Severity: Low
-  - Next: Implement in next sprint
-  - Workaround: None needed, non-blocking
-
-Issue #2: Session timeout not configurable
-  - Status: Identified
-  - Severity: Medium
-  - Next: Add config options
-  - Workaround: Contact admin to adjust
-
-Issue #3: OAuth token refresh edge case
-  - Status: Identified, isolated to specific provider
-  - Severity: Low
-  - Next: Add retry logic
-  - Workaround: User re-login
-```
-
-### 📊 Metrics & Status
-
-```
-Code Quality:
-  - Test coverage: 85% (target: 80%)
-  - Cyclomatic complexity: Low
-  - Code review: Approved
-  - Linting: 0 errors
-
-Performance:
-  - Auth flow latency: 250ms avg
-  - Login page load: 1.2s
-  - No performance regressions detected
-
-Deployment Readiness:
-  - Staging: ✓ Deployed, tested
-  - Production: Ready
-```
-
----
-
-## Files & Artifacts
-
-### Documentation
-
-- **AUTH_SETUP.md**: Setup instructions for OAuth providers
-- **API_CONTRACTS.md**: Endpoint specifications
-- **.codebase/CURRENT_STATE.md**: Updated implementation status
-- **RECOVERY_POINTS.md**: Resumption points if work pauses
-
-### Code Locations
-
-```
-Authentication logic: src/auth/
-UI components: src/ui/pages/auth/
-Tests: tests/auth/, tests/integration/oauth/
-Database: src/db/migrations/auth-v1.sql
-Configuration: config/oauth-providers.json
-```
-
-### Contracts & Schemas
-
-```
-API Contracts: .codebase/API_CONTRACTS.md
-  - POST /auth/login
-  - POST /auth/register
-  - POST /auth/logout
-  - GET /auth/callback
-
-Database: src/db/schema/users.sql
-  - oauth_provider field
-  - oauth_id field
-  - oauth_email field
-  - oauth_metadata field
-```
-
----
-
-## For Next Developer / Phase
-
-### To Continue This Work
-
-1. **Read These First**:
-   ```bash
-   cat .codebase/CURRENT_STATE.md
-   cat AUTH_SETUP.md
-   cat RECOVERY_POINTS.md
-   ```
-
-2. **Environment Setup**:
-   ```bash
-   npm install
-   npm run db:migrate
-   npm test  # Should see 28 tests passing
-   ```
-
-3. **Known Issues to Address** (Priority Order):
-   - [ ] Rate limiting (Low priority, next sprint)
-   - [ ] Configurable timeout (Medium priority)
-   - [ ] Token refresh edge case (Low priority)
-
-4. **Next Steps**:
-   - [ ] Deploy to production (when ready)
-   - [ ] Monitor error rates for 24 hours
-   - [ ] Gather user feedback
-   - [ ] Plan Phase 2: Social login enhancements
-
-### Recovery Points
-
-See **RECOVERY_POINTS.md** for:
-- Pause points if work interrupted
-- How to resume mid-implementation
-- Rollback procedures if needed
-- Dependencies and blockers
-
----
-
-## Testing Status
-
-### Test Coverage By Module
-
-```
-Authentication (oauth-provider.ts):     ✓ 90% (9/10 functions)
-Session management (session-manager.ts): ✓ 85% (6/7 functions)
-Token handling (token-handler.ts):      ✓ 100% (5/5 functions)
-UI components (login.tsx, register.tsx): ✓ 75% (styling not tested)
-API endpoints:                          ✓ 95% (18/19 paths)
-```
-
-### Test Execution
+Required commands for this handoff:
 
 ```bash
-# All tests
-npm test
-
-# Specific suite
-npm test -- auth.test.ts
-
-# With coverage
-npm test -- --coverage
-```
-
-### Critical Tests to Monitor
-
-```
-1. OAuth token refresh flow
-2. Session expiry handling
-3. Concurrent login attempts
-4. Provider callback validation
+node --check bin/genesis-harness.js
+node --check scripts/prompt_sentinel.js
+node tests/integration/cli-smoke.test.js
+node tests/unit/prompt_sentinel.test.js
+bash -n scripts/verify.sh
+bash -n scripts/run-evals.sh
+npm run verify
+npm run eval
+npm run pack:check
+node bin/genesis-harness.js docs-gate
 ```
 
----
-
-## Deployment Notes
-
-### Prerequisites
-
-```
-Required environment variables:
-  - OAUTH_GOOGLE_CLIENT_ID
-  - OAUTH_GOOGLE_CLIENT_SECRET
-  - OAUTH_GITHUB_CLIENT_ID
-  - OAUTH_GITHUB_CLIENT_SECRET
-  - SESSION_SECRET
-  - SESSION_TIMEOUT_MINUTES
-
-Database:
-  - Run: npm run db:migrate
-  - Check: SELECT * FROM migrations; (should see auth-v1)
-
-Dependencies:
-  - All installed: npm install
-  - Versions locked in package-lock.json
-```
-
-### Deployment Checklist
-
-- [ ] Environment variables configured
-- [ ] Database migrations applied
-- [ ] SSL certificates configured
-- [ ] Rate limiting enabled
-- [ ] Logging configured
-- [ ] Monitoring alerts set up
-- [ ] Rollback plan tested
-
-### Rollback Procedure
-
-```bash
-# If deployment fails:
-1. Revert git commit: git revert [commit-hash]
-2. Rollback database: npm run db:rollback -- auth-v1
-3. Clear session cache: redis-cli FLUSHDB
-4. Restart app: npm restart
-5. Verify health check: curl https://api/health
-```
-
----
-
-## Architecture Decisions
-
-### Why This Approach?
-
-**Decision 1: OAuth 2.0 via provider-specific libraries**
-- Alternative: Build custom OAuth implementation
-- Chose this because: Security, maintainability, reduces code
-- Tradeoff: Slight vendor lock-in, but worth it
-
-**Decision 2: Session-based auth**
-- Alternative: JWT tokens only
-- Chose this because: Server-side logout control, CSRF protection
-- Tradeoff: Slight more server memory, but better security
-
-**Decision 3: Async token refresh**
-- Alternative: Refresh on every request
-- Chose this because: Performance, reduces provider calls
-- Tradeoff: Slight risk of stale tokens, mitigated by retry logic
-
-See **ARCHITECTURE.md** for full design decisions.
-
----
-
-## Contact & Questions
-
-**Original Developer**: _Name_ (_email_)  
-**Current Owner**: _Name_ (_email_)  
-**Questions**: See KNOWN_PROBLEMS.md or ask in #[Slack channel]
-
----
-
-## Sign-Off
+Last expected status: all commands pass.
 
-- [ ] **Implementation Complete**: ✓ Verified
-- [ ] **All Tests Passing**: ✓ Verified
-- [ ] **Documentation Complete**: ✓ Verified
-- [ ] **Ready for Handoff**: ✓ Verified
+## Remaining Risks
 
-**Handoff Date**: _YYYY-MM-DD_  
-**Handed Off By**: _Name_  
-**Received By**: _Name (if applicable)_
+- Full 10/10 WalkingLabs parity still requires CI/CD enforcement and an application-backed browser E2E target. This repo is a package harness, so the current executable E2E layer is CLI-focused.
+- Worktree is intentionally not staged or committed until the user requests it.
 
----
+## Resume Instructions
 
-**Last Updated**: _YYYY-MM-DD_  
-**Next Review**: _YYYY-MM-DD_
+1. Start with `.codebase/CURRENT_STATE.md`, `.codebase/state.json`, and this handoff.
+2. Re-run `npm run verify`, `npm run eval`, and `npm run pack:check` before publishing or committing.
+3. If a future change reintroduces Mermaid or handoff drift, inspect `scripts/run-evals.sh` first; it owns the regression checks.
+4. If skill entrypoint size fails, move operational detail into the skill's references, playbooks, templates, or checklists instead of raising the limit.
+5. If token budget behavior changes, update `.codebase/context-policy.json`, install/postinstall seeding, `genesis-harness leanctx`, and `scripts/prompt_sentinel.js` together.

package/.codebase/KNOWN_PROBLEMS.md

@@ -1,6 +1,76 @@
 # Known Problems
 
-- `.npm-cache/` was previously committed by mistake; it is now ignored but may still exist in history.
-- The current package provides templates and verification scaffolds, not application-specific generated tests.
-- Downstream projects must fill concrete endpoint, UI, provider, and persistence details.
+Last updated: 2026-06-12
 
+## Active Technical Debt
+
+### TD-001: `SKILL.md` size boundary not auto-enforced during authoring
+- **Symptom**: `genesis-observability-automation/SKILL.md` reached 383 lines before the `verify.sh` line-limit gate caught it. The gate catches after-the-fact but does not block during writing.
+- **Impact**: L04 (Instruction Not Bloated) is only enforced at verification time, not at authoring time.
+- **Mitigation**: Added `references/` split for the observability skill. Gate in `verify.sh` at 500-line hard cap.
+- **Permanent Fix Needed**: Add a pre-commit git hook that warns when `SKILL.md` exceeds 200 lines.
+- **Assigned to**: `genesis-harness-engineering`
+- **Priority**: P2
+
+### TD-002: `KNOWN_PROBLEMS.md` was not populated with actual debt (was 323 bytes)
+- **Symptom**: L12 (Clean State Each Session) downgraded — the clean state file was effectively a placeholder.
+- **Impact**: Agents in new sessions couldn't assess actual risk before starting work.
+- **Fix applied**: This file (2026-06-03).
+- **Status**: RESOLVED
+
+### TD-003: Feature list existed only as prose (pre-2026-06-03)
+- **Symptom**: Features were described in `ROADMAP.md` and `EVOLUTION_PLAN.md` as human narrative. No `verify_cmd` per feature. No machine-readable status.
+- **Impact**: L08 (Feature List as Harness Primitive) gap — agent could not verify individual feature status programmatically.
+- **Fix applied**: Created `features/REGISTRY.md` + `contracts/features/registry-schema.json` + test gate.
+- **Status**: RESOLVED
+
+### TD-004: Observability directories were empty scaffolding (pre-2026-06-03)
+- **Symptom**: `observability/agent-runs/`, `decision-logs/`, `failures/` had no actual data.
+- **Impact**: L11 (Observability Inside Harness) gap — harness was designed to observe but collected no data.
+- **Fix applied**: Created schemas, sample run, sample failure, and real decision log.
+- **Status**: RESOLVED
+
+### TD-005: No per-session `session_id` in `state.json`
+- **Symptom**: History entries have timestamps but no unique session identifier. Cannot cross-reference `state.json` with `observability/agent-runs/`.
+- **Impact**: L05 (Session Continuity) — cannot trace which session produced which state transition.
+- **Mitigation**: Added `session_id` field to state history entries (2026-06-03).
+- **Permanent Fix Needed**: CLI `genesis-harness sync` should auto-write the session_id to state on each invocation.
+- **Priority**: P2
+
+### TD-006: Playwright templates not populated with executable tests
+- **Symptom**: `playwright/` directory contains templates and fixtures but no runnable `.spec.js` files.
+- **Impact**: L10 (E2E Testing Changes Outcomes) — E2E layer exists in design but not in execution.
+- **Mitigation**: Added `playwright/e2e/auth/login-screen.spec.js` with mocked HTML route (2026-06-03).
+- **Status**: RESOLVED
+
+### TD-007: Cold-start test not automated
+- **Symptom**: The 5-question cold-start test (L03) is documented conceptually but not executable as a CI gate.
+- **Impact**: Drift between repo docs and actual cold-start readiness could go undetected.
+- **Fix applied**: `scripts/cold-start-check.js` created (2026-06-03).
+- **Priority**: P1 → RESOLVED
+
+### TD-008: No automatic "Context Anxiety" detection
+- **Symptom**: No mechanism detects when an agent is converging prematurely due to context pressure.
+- **Impact**: L05 — agents may hallucinate completion under context pressure with no harness intervention.
+- **Mitigation**: `genesis-verification-before-completion` skill partially addresses this through mandatory evidence.
+- **Permanent Fix Needed**: Integrate a token-budget warning callback in the `prompt_sentinel.js` that flags imminent convergence.
+- **Priority**: P3
+
+### TD-009: Dependency directory was tracked in Git
+- **Symptom**: `node_modules/` contributed hundreds of tracked files even though dependencies are reproducible from `package-lock.json`.
+- **Impact**: Noisy diffs, larger clones, and a higher risk of stale or platform-specific dependency artifacts.
+- **Fix applied**: Removed `node_modules/` from the Git index, added it to `.gitignore`, and added `scripts/check-repository-hygiene.js` to the structural verification path.
+- **Status**: RESOLVED
+
+### TD-010: Historical unpacked package artifact remains tracked
+- **Symptom**: `tmp_pack/` keeps a full historical package tree in Git.
+- **Impact**: Repository duplication remains higher than necessary.
+- **Mitigation**: Explicitly allowlisted for now because current repository state identifies it as historical evidence.
+- **Permanent Fix Needed**: Replace it with a compact expected tarball manifest after confirming no release or regression workflow consumes the unpacked tree.
+- **Priority**: P2
+
+### TD-011: Feature completion previously lacked project closure
+- **Symptom**: A verified active feature could be presented as lifecycle completion without proving all queued work or producing a release-ready handoff.
+- **Impact**: Projects could stop between feature execution and acceptance with no deterministic next action.
+- **Fix applied**: Added queue promotion, `verify-project`, `RELEASE_READY`, `complete-project`, append-only event history, and `pipeline-audit`.
+- **Status**: RESOLVED

package/.codebase/MODULE_INDEX.md

@@ -1,13 +1,34 @@
 # Module Index
 
 - `.codex/skills/`: packaged Codex skills.
-- `bin/genesis-harness.js`: npm CLI for install, verify, uninstall, and path output.
+- `bin/genesis-harness.js`: npm CLI for install, verify, uninstall, docs gates, idea bootstrap, resumable execution, multi-feature queue routing, feature/project verification, release-ready completion, and pipeline audit.
+- `scripts/check-repository-hygiene.js`: blocks tracked dependency and generated artifacts such as `node_modules/`, `dist/`, and package tarballs.
+- `contracts/features/project-registry-schema.json`: contract for generated `.planning/FEATURE_REGISTRY.json` lifecycle queues.
+- `.github/workflows/reusable-verify.yml`: reusable GitHub Actions workflow that runs the canonical `genesis-harness verify-gate` path and uploads verification artifacts.
+- `.github/workflows/docs-sync.yml`: CI entrypoint that delegates pull-request and protected-branch verification to the reusable verify workflow.
+- `.github/workflows/publish-npm.yml`: release-oriented npm publishing workflow using GitHub OIDC trusted publishing and provenance.
 - `scripts/verify.sh`: structural and smoke verification.
 - `scripts/run-evals.sh`: package-level regression checks.
 - `.codebase/`: compressed repository memory.
 - `contracts/`: API, agent, event, and UI contract templates.
+- `contracts/features/registry-schema.json`: JSON schema for the feature registry (L08).
+- `contracts/observability/agent-run-schema.json`: JSON schema for agent-run observability logs (L11).
+- `contracts/observability/failure-schema.json`: JSON schema for failure observability records (L11).
+- `features/REGISTRY.md`: machine-readable feature list primitive — canonical status + verify_cmd per feature (L08).
 - `fixtures/`: reusable test and validation fixtures.
 - `tests/`: harness test architecture templates.
+- `tests/unit/feature_registry.test.js`: validates feature registry schema and observability live data (L08 + L11).
+- `tests/unit/workflow_contracts.test.js`: validates that GitHub workflows use the reusable verify path and trusted npm publishing defaults.
 - `playwright/`: UI smoke, e2e, and visual harness templates.
 - `observability/`: autonomous run and decision logging templates.
-
+- `observability/agent-runs/`: per-session agent execution records (L11).
+- `observability/decision-logs/`: rationale logs for significant decisions (L11).
+- `observability/failures/`: failure records with root-cause and prevention notes (L11).
+- `.codex/skills/genesis-harness/scripts/init-planning.sh`: planning bootstrap that now creates Foundation + Discovery/QA scaffolds.
+- `.planning/INIT_QA.md`: initialization questionnaire for product approach, QA closure, and tech stack sign-off.
+- `.codebase/PHASE_DEPENDENCY_MAP.md`: init-created dependency map used by spec-impact-engine and downstream planning.
+- `.codebase/state.json`: canonical runtime state for the harness repo and generated projects; `run --idea` now advances project state into `IMPLEMENTATION` with `active_feature`, and `resume` restores the next actionable task from it.
+- `.runs/`: per-session run artifacts (`INPUT.md`, `DISCOVERY.json`, `STATE.json`, `RESUME.md`, `EVENTS.jsonl`) used for resume and append-only lifecycle history.
+- `.planning/FEATURE_REGISTRY.json`: generated project-level execution queue consumed by `add-feature`, `next`, `complete-feature`, `verify-project`, `complete-project`, and `pipeline-audit`.
+- `.planning/PROJECT_VERIFICATION.json`: project-wide feature proof and acceptance proof record.
+- `.planning/IMPLEMENTATION_HANDOFF.md`: release-ready handoff generated only after all proofs pass.

package/.codebase/PIPELINE_FLOW.md

@@ -3,12 +3,22 @@
 ```mermaid
 flowchart LR
   state["Read .codebase state"] --> test["Create failing test"]
+  state --> leanctx["Load LeanCTX policy"]
+  leanctx --> test
   test --> fixture["Create fixture and expected output"]
-  fixture --> impl["Implement minimum change"]
-  impl --> verify["Run verification"]
-  verify --> contracts["Update contracts"]
-  contracts --> memory["Update .codebase memory"]
+  fixture --> contracts["Update contracts when behavior changes"]
+  contracts --> impl["Implement minimum change"]
+  impl --> featureVerify["Run feature proof"]
+  featureVerify --> featureComplete["complete-feature records evidence"]
+  featureComplete --> queued{"Queued feature remains?"}
+  queued -->|yes| impl
+  queued -->|no| projectVerify["verify-project reruns all feature proofs and project proof"]
+  projectVerify --> handoff["Write project verification and implementation handoff"]
+  handoff --> releaseReady["RELEASE_READY"]
+  releaseReady --> projectComplete["complete-project records release or acceptance evidence"]
+  projectComplete --> audit["pipeline-audit checks state, proofs, handoff, and event history"]
+  audit --> memory["Update .codebase memory and metrics"]
   memory --> docs["Update docs"]
-  docs --> summary["Write change summary"]
+  docs --> sync["Run genesis-harness sync"]
+  sync --> summary["Write change summary"]
 ```
-