contract-driven-delivery 1.12.0 → 1.16.0

package/dist/cli/index.js

@@ -107,21 +107,297 @@ var init_provider = __esm({
   }
 });
 
+// src/commands/context-scan.ts
+var context_scan_exports = {};
+__export(context_scan_exports, {
+  contextScan: () => contextScan
+});
+import { existsSync as existsSync6, mkdirSync as mkdirSync3, readFileSync as readFileSync5, readdirSync as readdirSync4, writeFileSync as writeFileSync2 } from "fs";
+import { createHash as createHash2 } from "crypto";
+import { basename, dirname as dirname3, join as join7, relative as relative2 } from "path";
+function sha256OfFile(path) {
+  try {
+    return createHash2("sha256").update(readFileSync5(path)).digest("hex");
+  } catch {
+    return "";
+  }
+}
+function inputsDigest(paths) {
+  const combined = paths.slice().sort().map((p) => `${p}:${sha256OfFile(p)}`).join("\n");
+  return createHash2("sha256").update(combined).digest("hex");
+}
+function stripGlobSuffix(pattern) {
+  return pattern.replace(/\/\*\*$/, "").replace(/\/\*$/, "");
+}
+function getForbiddenPaths(cwd) {
+  const forbidden = new Set(DEFAULT_FORBIDDEN);
+  const policyPath = join7(cwd, ".cdd", "context-policy.json");
+  try {
+    if (existsSync6(policyPath)) {
+      const policy = JSON.parse(readFileSync5(policyPath, "utf8"));
+      for (const pattern of policy.forbiddenPaths ?? []) {
+        forbidden.add(stripGlobSuffix(pattern));
+      }
+    }
+  } catch {
+    log.warn("Could not parse .cdd/context-policy.json; using default context-scan excludes.");
+  }
+  return [...forbidden];
+}
+function isForbidden(relPath, forbidden) {
+  const normalized = relPath.replace(/\\/g, "/");
+  return forbidden.some((pattern) => normalized === pattern || normalized.startsWith(`${pattern}/`));
+}
+function buildTree(dir, cwd, forbidden, stats, prefix = "", depth = 0) {
+  const entries = readdirSync4(dir, { withFileTypes: true }).sort((a, b) => {
+    if (a.isDirectory() === b.isDirectory())
+      return a.name.localeCompare(b.name);
+    return a.isDirectory() ? -1 : 1;
+  });
+  let output = "";
+  const visible = entries.filter((entry) => {
+    const relPath = relative2(cwd, join7(dir, entry.name));
+    return !isForbidden(relPath, forbidden);
+  });
+  const truncated = visible.length > PER_DIR_ENTRY_CAP;
+  const shown = truncated ? visible.slice(0, PER_DIR_ENTRY_CAP) : visible;
+  if (truncated)
+    stats.truncatedDirs += 1;
+  shown.forEach((entry, index) => {
+    const fullPath = join7(dir, entry.name);
+    const isLast = index === shown.length - 1 && !truncated;
+    const connector = isLast ? "\\-- " : "|-- ";
+    output += `${prefix}${connector}${entry.name}${entry.isDirectory() ? "/" : ""}
+`;
+    if (entry.isDirectory()) {
+      stats.dirs += 1;
+      if (depth >= 3) {
+        stats.omittedDirs += 1;
+        output += `${prefix}${isLast ? "    " : "|   "}\\-- ... (max depth)
+`;
+      } else {
+        output += buildTree(fullPath, cwd, forbidden, stats, prefix + (isLast ? "    " : "|   "), depth + 1);
+      }
+    } else {
+      stats.files += 1;
+    }
+  });
+  if (truncated) {
+    output += `${prefix}\\-- ... (${visible.length - PER_DIR_ENTRY_CAP} more entries truncated; cap=${PER_DIR_ENTRY_CAP})
+`;
+  }
+  return output;
+}
+function firstHeading(content) {
+  const match = content.match(/^#\s+(.+)$/m);
+  return match?.[1]?.trim();
+}
+function deriveContractType(relPath, metadata) {
+  if (metadata.contract)
+    return metadata.contract;
+  const parts = relPath.split("/");
+  return parts.length >= 2 ? parts[1] : "unknown";
+}
+function parseContractMetadata(content) {
+  const metadata = {};
+  let summary;
+  const cddMatch = content.match(/<!--\s*cdd:([\s\S]*?)-->/);
+  const yamlMatch = content.match(/^---\r?\n([\s\S]*?)\r?\n---/);
+  const block = cddMatch?.[1] ?? yamlMatch?.[1];
+  if (block) {
+    for (const line of block.split(/\r?\n/)) {
+      const colon = line.indexOf(":");
+      if (colon === -1)
+        continue;
+      const key = line.slice(0, colon).trim();
+      const value = line.slice(colon + 1).trim();
+      if (!key || !value)
+        continue;
+      if (key === "summary")
+        summary = value;
+      else
+        metadata[key] = value;
+    }
+  }
+  if (!summary) {
+    const summaryMatch = content.match(/#+\s*Summary\s*\r?\n+([^#\r\n][^\r\n]*)/i);
+    summary = summaryMatch?.[1]?.trim();
+  }
+  return { title: firstHeading(content), summary, metadata };
+}
+function findContractFiles(dir, found = []) {
+  if (!existsSync6(dir))
+    return found;
+  for (const entry of readdirSync4(dir, { withFileTypes: true })) {
+    const fullPath = join7(dir, entry.name);
+    if (entry.isDirectory())
+      findContractFiles(fullPath, found);
+    else if (entry.isFile() && entry.name.endsWith(".md") && entry.name !== "INDEX.md" && entry.name !== "CHANGELOG.md")
+      found.push(fullPath);
+  }
+  return found;
+}
+async function contextScan(opts = {}) {
+  const cwd = process.cwd();
+  const specsContextDir = join7(cwd, "specs", "context");
+  mkdirSync3(specsContextDir, { recursive: true });
+  const forbidden = getForbiddenPaths(cwd);
+  const surface = opts.surface;
+  let scanRoot = cwd;
+  if (surface) {
+    const resolvedSurface = join7(cwd, surface);
+    if (!existsSync6(resolvedSurface)) {
+      log.error(`--surface path not found: ${surface}`);
+      process.exit(1);
+    }
+    if (!resolvedSurface.startsWith(cwd)) {
+      log.error(`--surface must be inside the repo: ${surface}`);
+      process.exit(1);
+    }
+    scanRoot = resolvedSurface;
+  }
+  const treeStats = { dirs: 0, files: 0, omittedDirs: 0, truncatedDirs: 0 };
+  const tree = buildTree(scanRoot, cwd, forbidden, treeStats);
+  const policyPath = join7(cwd, ".cdd", "context-policy.json");
+  const projectMapInputs = [policyPath].filter(existsSync6);
+  writeFileSync2(
+    join7(specsContextDir, "project-map.md"),
+    [
+      "---",
+      "artifact: project-map",
+      "generated-by: cdd-kit context-scan",
+      "schema-version: 1",
+      `root: ${basename(cwd)}`,
+      ...surface ? [`surface: ${surface}`] : [],
+      `visible-dirs: ${treeStats.dirs}`,
+      `visible-files: ${treeStats.files}`,
+      `omitted-dirs: ${treeStats.omittedDirs}`,
+      `truncated-dirs: ${treeStats.truncatedDirs}`,
+      `inputs-digest: ${inputsDigest(projectMapInputs)}`,
+      "---",
+      "",
+      "# Project Map",
+      "",
+      "Use this deterministic map to choose candidate context paths before reading files.",
+      "",
+      "## Excluded Paths",
+      ...forbidden.map((path) => `- ${path}`),
+      "",
+      "## Tree",
+      "",
+      "```",
+      `${basename(cwd)}/`,
+      tree.trimEnd(),
+      "```",
+      ""
+    ].join("\n"),
+    "utf8"
+  );
+  log.ok("Created specs/context/project-map.md");
+  const contractFiles = findContractFiles(join7(cwd, "contracts")).sort((a, b) => relative2(cwd, a).localeCompare(relative2(cwd, b)));
+  const contractEntries = [];
+  const inventoryRows = [];
+  let missingSummary = 0;
+  for (const file of contractFiles) {
+    const relPath = relative2(cwd, file).replace(/\\/g, "/");
+    const dir = dirname3(relPath).replace(/\\/g, "/");
+    const { title, summary, metadata } = parseContractMetadata(readFileSync5(file, "utf8"));
+    const contractType = deriveContractType(relPath, metadata);
+    const owner = metadata.owner ?? "unknown";
+    const surface2 = metadata.surface ?? dir;
+    const summaryText = summary ?? "MISSING - add YAML frontmatter `summary:` or `<!-- cdd: summary: ... -->`.";
+    inventoryRows.push(`| ${relPath} | ${contractType} | ${surface2} | ${owner} | ${summary ? "yes" : "no"} |`);
+    let entry = `## ${relPath}
+`;
+    entry += `- path: \`${relPath}\`
+`;
+    entry += `- type: ${contractType}
+`;
+    entry += `- directory: ${dir}
+`;
+    if (title)
+      entry += `- title: ${title}
+`;
+    for (const [key, value] of Object.entries(metadata)) {
+      if (key === "contract")
+        continue;
+      entry += `- ${key}: ${value}
+`;
+    }
+    entry += `- summary: ${summaryText}
+
+`;
+    contractEntries.push(entry);
+    if (!summary) {
+      missingSummary += 1;
+    }
+  }
+  const contractIndex = [
+    "---",
+    "artifact: contracts-index",
+    "generated-by: cdd-kit context-scan",
+    "schema-version: 1",
+    `contract-count: ${contractFiles.length}`,
+    `missing-summary-count: ${missingSummary}`,
+    `inputs-digest: ${inputsDigest(contractFiles)}`,
+    "---",
+    "",
+    "# Contracts Index",
+    "",
+    "Generated from deterministic metadata. Add YAML frontmatter fields such as `summary`, `owner`, and `surface` to improve classifier accuracy.",
+    "",
+    "## Contract Inventory",
+    "",
+    "| path | type | surface | owner | has-summary |",
+    "|---|---|---|---|---|",
+    ...inventoryRows,
+    "",
+    "## Contract Details",
+    "",
+    ...contractEntries
+  ].join("\n");
+  writeFileSync2(join7(specsContextDir, "contracts-index.md"), contractIndex, "utf8");
+  if (missingSummary > 0) {
+    log.warn(`Created specs/context/contracts-index.md with ${missingSummary} missing summary warning(s).`);
+  } else {
+    log.ok("Created specs/context/contracts-index.md");
+  }
+}
+var DEFAULT_FORBIDDEN, PER_DIR_ENTRY_CAP;
+var init_context_scan = __esm({
+  "src/commands/context-scan.ts"() {
+    "use strict";
+    init_logger();
+    DEFAULT_FORBIDDEN = [
+      ".claude",
+      ".git",
+      "node_modules",
+      "dist",
+      "build",
+      "assets",
+      "specs/archive",
+      "specs/changes"
+    ];
+    PER_DIR_ENTRY_CAP = 50;
+  }
+});
+
 // src/commands/doctor.ts
 var doctor_exports = {};
 __export(doctor_exports, {
   doctor: () => doctor
 });
-import { existsSync as existsSync10, readdirSync as readdirSync6, readFileSync as readFileSync8, statSync as statSync2 } from "fs";
-import { join as join11 } from "path";
+import { existsSync as existsSync11, readdirSync as readdirSync7, readFileSync as readFileSync9 } from "fs";
+import { createHash as createHash4 } from "crypto";
+import { join as join12 } from "path";
 function fileExists(cwd, relPath) {
-  return existsSync10(join11(cwd, relPath));
+  return existsSync11(join12(cwd, relPath));
 }
 function findFiles(dir, predicate, found = []) {
-  if (!existsSync10(dir))
+  if (!existsSync11(dir))
     return found;
-  for (const entry of readdirSync6(dir, { withFileTypes: true })) {
-    const fullPath = join11(dir, entry.name);
+  for (const entry of readdirSync7(dir, { withFileTypes: true })) {
+    const fullPath = join12(dir, entry.name);
     if (entry.isDirectory())
       findFiles(fullPath, predicate, found);
     else if (entry.isFile() && predicate(entry.name))
@@ -129,54 +405,76 @@ function findFiles(dir, predicate, found = []) {
   }
   return found;
 }
-function newestMtime(paths) {
-  let newest = 0;
-  for (const path of paths) {
-    try {
-      newest = Math.max(newest, statSync2(path).mtimeMs);
-    } catch {
-    }
+function sha256OfFile3(path) {
+  try {
+    return createHash4("sha256").update(readFileSync9(path)).digest("hex");
+  } catch {
+    return "";
   }
-  return newest;
 }
-function readMissingSummaryCount(cwd) {
-  const indexPath = join11(cwd, "specs", "context", "contracts-index.md");
-  if (!existsSync10(indexPath))
-    return null;
-  const match = readFileSync8(indexPath, "utf8").match(/^missing-summary-count:\s*(\d+)/m);
-  return match ? Number(match[1]) : null;
+function inputDigest(paths) {
+  const combined = paths.slice().sort().map((p) => `${p}:${sha256OfFile3(p)}`).join("\n");
+  return createHash4("sha256").update(combined).digest("hex");
+}
+function readContextIndexMetadata(filePath) {
+  if (!existsSync11(filePath))
+    return {};
+  const text = readFileSync9(filePath, "utf8");
+  const out = {};
+  const digestMatch = text.match(/^inputs-digest:\s*([a-f0-9]+)/m);
+  if (digestMatch)
+    out.inputsDigest = digestMatch[1];
+  const missingMatch = text.match(/^missing-summary-count:\s*(\d+)/m);
+  if (missingMatch)
+    out.missingSummary = Number(missingMatch[1]);
+  return out;
 }
 function checkContextFreshness(cwd) {
   const findings = [];
-  const projectMap = join11(cwd, "specs", "context", "project-map.md");
-  const contractsIndex = join11(cwd, "specs", "context", "contracts-index.md");
-  const contextPolicy = join11(cwd, ".cdd", "context-policy.json");
-  const contractFiles = findFiles(join11(cwd, "contracts"), (name) => name.endsWith(".md"));
-  if (!existsSync10(projectMap) || !existsSync10(contractsIndex)) {
+  const projectMap = join12(cwd, "specs", "context", "project-map.md");
+  const contractsIndex = join12(cwd, "specs", "context", "contracts-index.md");
+  const contextPolicy = join12(cwd, ".cdd", "context-policy.json");
+  const contractFiles = findFiles(
+    join12(cwd, "contracts"),
+    (name) => name.endsWith(".md") && name !== "INDEX.md" && name !== "CHANGELOG.md"
+  );
+  if (!existsSync11(projectMap) || !existsSync11(contractsIndex)) {
     findings.push({
       level: "warning",
       message: "specs/context indexes are missing; run cdd-kit context-scan before classification"
     });
     return findings;
   }
-  const projectInputs = [contextPolicy].filter(existsSync10);
-  if (projectInputs.length > 0 && statSync2(projectMap).mtimeMs < newestMtime(projectInputs)) {
+  const projectMapMeta = readContextIndexMetadata(projectMap);
+  const contractsIndexMeta = readContextIndexMetadata(contractsIndex);
+  const projectInputDigest = inputDigest([contextPolicy].filter(existsSync11));
+  if (projectMapMeta.inputsDigest === void 0) {
+    findings.push({
+      level: "warning",
+      message: "specs/context/project-map.md was generated by an older cdd-kit (no inputs-digest); re-run cdd-kit context-scan"
+    });
+  } else if (projectInputDigest && projectMapMeta.inputsDigest !== projectInputDigest) {
     findings.push({
       level: "warning",
-      message: "specs/context/project-map.md is older than .cdd/context-policy.json; run cdd-kit context-scan"
+      message: "specs/context/project-map.md inputs changed (.cdd/context-policy.json); re-run cdd-kit context-scan"
     });
   }
-  if (contractFiles.length > 0 && statSync2(contractsIndex).mtimeMs < newestMtime(contractFiles)) {
+  const contractsInputDigest = inputDigest(contractFiles);
+  if (contractsIndexMeta.inputsDigest === void 0) {
     findings.push({
       level: "warning",
-      message: "specs/context/contracts-index.md is older than contracts/; run cdd-kit context-scan"
+      message: "specs/context/contracts-index.md was generated by an older cdd-kit (no inputs-digest); re-run cdd-kit context-scan"
+    });
+  } else if (contractsInputDigest && contractsIndexMeta.inputsDigest !== contractsInputDigest) {
+    findings.push({
+      level: "warning",
+      message: "specs/context/contracts-index.md inputs changed (contracts/*); re-run cdd-kit context-scan"
     });
   }
-  const missingSummaryCount = readMissingSummaryCount(cwd);
-  if (missingSummaryCount !== null && missingSummaryCount > 0) {
+  if (contractsIndexMeta.missingSummary !== void 0 && contractsIndexMeta.missingSummary > 0) {
     findings.push({
       level: "warning",
-      message: `contracts-index reports ${missingSummaryCount} contract(s) without deterministic summary metadata`
+      message: `contracts-index reports ${contractsIndexMeta.missingSummary} contract(s) without deterministic summary metadata`
     });
   }
   if (findings.length === 0) {
@@ -184,6 +482,63 @@ function checkContextFreshness(cwd) {
   }
   return findings;
 }
+function readAgentModel(path) {
+  try {
+    const text = readFileSync9(path, "utf8");
+    const m = text.match(/^model:\s*(\S+)/m);
+    return m ? m[1] : null;
+  } catch {
+    return null;
+  }
+}
+function checkModelPolicyDrift(cwd) {
+  const policyPath = join12(cwd, ".cdd", "model-policy.json");
+  if (!existsSync11(policyPath))
+    return [];
+  let policy;
+  try {
+    policy = JSON.parse(readFileSync9(policyPath, "utf8"));
+  } catch {
+    return [{ level: "warning", message: ".cdd/model-policy.json is not valid JSON" }];
+  }
+  const roles = policy.roles ?? {};
+  if (Object.keys(roles).length === 0) {
+    return [{
+      level: "warning",
+      message: ".cdd/model-policy.json has no role bindings; run cdd-kit upgrade to install defaults"
+    }];
+  }
+  const candidateDirs = [
+    join12(cwd, ".claude", "agents"),
+    process.env.HOME ? join12(process.env.HOME, ".claude", "agents") : "",
+    process.env.USERPROFILE ? join12(process.env.USERPROFILE, ".claude", "agents") : ""
+  ].filter((p) => p && existsSync11(p));
+  if (candidateDirs.length === 0)
+    return [];
+  const findings = [];
+  for (const [role, expected] of Object.entries(roles)) {
+    let foundAny = false;
+    for (const dir of candidateDirs) {
+      const path = join12(dir, `${role}.md`);
+      if (!existsSync11(path))
+        continue;
+      foundAny = true;
+      const actual = readAgentModel(path);
+      if (actual && actual !== expected) {
+        findings.push({
+          level: "warning",
+          message: `model-policy drift: ${role} expected ${expected}, agent prompt uses ${actual} (${path})`
+        });
+      }
+    }
+    if (!foundAny) {
+    }
+  }
+  if (findings.length === 0) {
+    findings.push({ level: "ok", message: "model-policy roles match installed agent prompts" });
+  }
+  return findings;
+}
 function buildDoctorReport(cwd, opts) {
   const requestedProvider = opts.provider ?? "auto";
   if (!validateProviderOption(requestedProvider)) {
@@ -206,6 +561,7 @@ function buildDoctorReport(cwd, opts) {
     findings.push({ level: "warning", message: "CODEX.md is missing for Codex provider; run cdd-kit upgrade --provider codex --yes" });
   }
   findings.push(...checkContextFreshness(cwd));
+  findings.push(...checkModelPolicyDrift(cwd));
   const errors = findings.filter((finding) => finding.level === "error").length;
   const warnings = findings.filter((finding) => finding.level === "warning").length;
   return {
@@ -217,8 +573,89 @@ function buildDoctorReport(cwd, opts) {
     ok: errors === 0 && (!strict || warnings === 0)
   };
 }
+async function attemptAutoFixes(cwd, report) {
+  const fixed = [];
+  const remaining = [];
+  for (const finding of report.findings) {
+    if (finding.level !== "warning") {
+      remaining.push(finding);
+      continue;
+    }
+    if (/specs\/context indexes are missing|inputs changed|older cdd-kit|older than/i.test(finding.message)) {
+      try {
+        const { contextScan: contextScan2 } = await Promise.resolve().then(() => (init_context_scan(), context_scan_exports));
+        await contextScan2();
+        fixed.push(`ran context-scan to refresh specs/context/`);
+        continue;
+      } catch (err) {
+        remaining.push({ level: "warning", message: `${finding.message} (auto-fix failed: ${err.message})` });
+        continue;
+      }
+    }
+    if (/model-policy\.json has no role bindings/i.test(finding.message)) {
+      const policyPath = join12(cwd, ".cdd", "model-policy.json");
+      try {
+        let existing = {};
+        try {
+          existing = JSON.parse(readFileSync9(policyPath, "utf8"));
+        } catch {
+        }
+        const merged = {
+          ...existing,
+          roles: {
+            "change-classifier": "claude-opus-4-7",
+            "spec-architect": "claude-opus-4-7",
+            "qa-reviewer": "claude-opus-4-7",
+            "contract-reviewer": "claude-sonnet-4-6",
+            "test-strategist": "claude-sonnet-4-6",
+            "backend-engineer": "claude-sonnet-4-6",
+            "frontend-engineer": "claude-sonnet-4-6",
+            "ci-cd-gatekeeper": "claude-sonnet-4-6",
+            "e2e-resilience-engineer": "claude-sonnet-4-6",
+            "monkey-test-engineer": "claude-sonnet-4-6",
+            "stress-soak-engineer": "claude-sonnet-4-6",
+            "ui-ux-reviewer": "claude-sonnet-4-6",
+            "visual-reviewer": "claude-sonnet-4-6",
+            "dependency-security-reviewer": "claude-sonnet-4-6",
+            "spec-drift-auditor": "claude-sonnet-4-6",
+            "repo-context-scanner": "claude-haiku-4-5"
+          }
+        };
+        const { writeFileSync: writeFileSync10 } = await import("fs");
+        writeFileSync10(policyPath, JSON.stringify(merged, null, 2) + "\n", "utf8");
+        fixed.push(`populated .cdd/model-policy.json with default role bindings`);
+        continue;
+      } catch (err) {
+        remaining.push({ level: "warning", message: `${finding.message} (auto-fix failed: ${err.message})` });
+        continue;
+      }
+    }
+    if (/\.cdd\/.*is missing|run cdd-kit upgrade/i.test(finding.message)) {
+      remaining.push({
+        level: "warning",
+        message: `${finding.message} (run \`cdd-kit upgrade --yes\` manually \u2014 too invasive for --fix)`
+      });
+      continue;
+    }
+    remaining.push(finding);
+  }
+  return { fixed, remaining };
+}
 async function doctor(opts = {}) {
-  const report = buildDoctorReport(process.cwd(), opts);
+  const cwd = process.cwd();
+  let report = buildDoctorReport(cwd, opts);
+  if (opts.fix && !opts.json) {
+    log.blank();
+    log.info("Doctor --fix: attempting safe auto-resolutions\u2026");
+    const { fixed, remaining } = await attemptAutoFixes(cwd, report);
+    for (const f of fixed)
+      log.ok(`fixed: ${f}`);
+    if (fixed.length > 0) {
+      report = buildDoctorReport(cwd, opts);
+    } else {
+      log.info("no auto-fixable findings");
+    }
+  }
   if (opts.json) {
     console.log(JSON.stringify(report, null, 2));
     if (!report.ok)
@@ -260,14 +697,24 @@ var migrate_exports = {};
 __export(migrate_exports, {
   migrate: () => migrate
 });
-import { join as join12 } from "path";
-import { existsSync as existsSync11, readdirSync as readdirSync7, readFileSync as readFileSync9, writeFileSync as writeFileSync4 } from "fs";
+import { join as join13 } from "path";
+import { cpSync as cpSync2, existsSync as existsSync12, mkdirSync as mkdirSync5, readdirSync as readdirSync8, readFileSync as readFileSync10, renameSync, rmSync as rmSync2, writeFileSync as writeFileSync5 } from "fs";
+function backupChangeDir(cwd, changeId, sessionStamp) {
+  const backupRoot = join13(cwd, ".cdd", "migrate-backup", sessionStamp);
+  const backupDir2 = join13(backupRoot, changeId);
+  mkdirSync5(backupRoot, { recursive: true });
+  const sourceDir = join13(cwd, "specs", "changes", changeId);
+  if (existsSync12(sourceDir)) {
+    cpSync2(sourceDir, backupDir2, { recursive: true });
+  }
+  return backupDir2;
+}
 function buildLegacyContextManifest(changeId) {
   return [
     "# Context Manifest",
     "",
     "Generated by `cdd-kit migrate` for an existing change.",
-    "This legacy manifest records a conservative default context boundary without enabling context-governance: v1.",
+    "Legacy manifest. Forbidden paths come from `.cdd/context-policy.json`.",
     "",
     "## Affected Surfaces",
     "- legacy-unknown",
@@ -275,16 +722,6 @@ function buildLegacyContextManifest(changeId) {
     "## Allowed Paths",
     `- specs/changes/${changeId}/`,
     "",
-    "## Forbidden Paths",
-    "- .claude/worktrees/**",
-    "- .git/**",
-    "- node_modules/**",
-    "- dist/**",
-    "- build/**",
-    "- assets/**",
-    "- specs/archive/**",
-    `- specs/changes/* except specs/changes/${changeId}/`,
-    "",
     "## Required Contracts",
     "- legacy-unknown",
     "",
@@ -321,6 +758,7 @@ function buildContextGovernedManifest(changeId) {
     "",
     "Generated by `cdd-kit migrate --enable-context-governance` for an existing change.",
     "Review and narrow the allowed paths before assigning implementation work.",
+    "Forbidden paths come from `.cdd/context-policy.json`.",
     "",
     "## Affected Surfaces",
     "- legacy-unknown",
@@ -330,16 +768,6 @@ function buildContextGovernedManifest(changeId) {
     "- specs/context/project-map.md",
     "- specs/context/contracts-index.md",
     "",
-    "## Forbidden Paths",
-    "- .claude/worktrees/**",
-    "- .git/**",
-    "- node_modules/**",
-    "- dist/**",
-    "- build/**",
-    "- assets/**",
-    "- specs/archive/**",
-    `- specs/changes/* except specs/changes/${changeId}/`,
-    "",
     "## Required Contracts",
     "- legacy-unknown",
     "",
@@ -372,12 +800,14 @@ function buildContextGovernedManifest(changeId) {
     ""
   ].join("\n");
 }
-function migrateOne(changeId, changeDir, dryRun, enableContextGovernance) {
+function migrateOne(changeId, changeDir, enableContextGovernance) {
   const changed = [];
   const warnings = [];
-  const tasksPath = join12(changeDir, "tasks.md");
-  if (existsSync11(tasksPath)) {
-    let content = readFileSync9(tasksPath, "utf8");
+  const pending = [];
+  let detectedTier = null;
+  const tasksPath = join13(changeDir, "tasks.md");
+  if (existsSync12(tasksPath)) {
+    let content = readFileSync10(tasksPath, "utf8");
     const norm = content.replace(/\r\n/g, "\n");
     let modified = false;
     const taskChanges = [];
@@ -413,19 +843,19 @@ status: ${inferredStatus}
     }
     if (modified) {
       changed.push(`tasks.md: ${taskChanges.join("; ")}`);
-      if (!dryRun)
-        writeFileSync4(tasksPath, content, "utf8");
+      pending.push({ path: tasksPath, content });
     }
   } else {
     warnings.push("tasks.md not found \u2014 skipping frontmatter migration");
   }
-  const classifPath = join12(changeDir, "change-classification.md");
-  if (existsSync11(classifPath)) {
-    const content = readFileSync9(classifPath, "utf8");
+  const classifPath = join13(changeDir, "change-classification.md");
+  if (existsSync12(classifPath)) {
+    const content = readFileSync10(classifPath, "utf8");
     const hasNewTierFormat = /^## Tier\s*\n\s*-\s*\d\s*$/m.test(content);
+    const oldMatch = content.match(/\*\*Tier[:\*]+\s*(?:Tier\s*)?(\d)/i) ?? content.match(/^-?\s*Tier:\s*(?:Tier\s*)?(\d)/mi);
+    if (oldMatch)
+      detectedTier = oldMatch[1];
     if (!hasNewTierFormat) {
-      const oldMatch = content.match(/\*\*Tier[:\*]+\s*(?:Tier\s*)?(\d)/i) ?? content.match(/^-?\s*Tier:\s*(?:Tier\s*)?(\d)/mi);
-      const detectedTier = oldMatch ? oldMatch[1] : null;
       if (detectedTier) {
         const addition = `
 ## Tier
@@ -435,54 +865,100 @@ status: ${inferredStatus}
           changed.push(
             `change-classification.md: appended "## Tier\\n- ${detectedTier}" (converted from old format)`
           );
-          if (!dryRun)
-            writeFileSync4(classifPath, content + addition, "utf8");
+          pending.push({ path: classifPath, content: content + addition });
         }
       } else {
         warnings.push(
-          "change-classification.md: could not detect tier (no **Tier:** N or ## Tier N found). gate tier-based agent-log checks will be skipped for this change."
+          "change-classification.md: could not detect tier (no **Tier:** N or ## Tier N found). Set `tier: <0-5>` in tasks.md frontmatter to enable tier-based gate checks."
         );
       }
+    } else {
+      const structured = content.match(/^## Tier\s*\n\s*-\s*(\d)\s*$/m);
+      if (structured)
+        detectedTier = structured[1];
     }
   }
-  const manifestPath = join12(changeDir, "context-manifest.md");
-  if (!existsSync11(manifestPath)) {
-    changed.push(enableContextGovernance ? "context-manifest.md: added context-governance v1 manifest scaffold" : "context-manifest.md: added legacy context manifest scaffold");
-    if (!dryRun) {
-      writeFileSync4(
-        manifestPath,
-        enableContextGovernance ? buildContextGovernedManifest(changeId) : buildLegacyContextManifest(changeId),
-        "utf8"
-      );
+  if (existsSync12(tasksPath)) {
+    const tasksWrite = pending.find((p) => p.path === tasksPath);
+    let content = tasksWrite ? tasksWrite.content : readFileSync10(tasksPath, "utf8");
+    let modified = false;
+    const subChanges = [];
+    if (detectedTier && !/^tier:\s*\d/m.test(content)) {
+      content = upsertFrontmatterField(content, "tier", detectedTier);
+      modified = true;
+      subChanges.push(`backfilled tier: ${detectedTier}`);
+    }
+    if (!/^archive-tasks:/m.test(content)) {
+      content = upsertFrontmatterField(content, "archive-tasks", '["7.1", "7.2"]');
+      modified = true;
+      subChanges.push("added default archive-tasks list");
+    }
+    if (modified) {
+      if (tasksWrite) {
+        tasksWrite.content = content;
+      } else {
+        pending.push({ path: tasksPath, content });
+      }
+      changed.push(`tasks.md: ${subChanges.join("; ")}`);
     }
+  }
+  const manifestPath = join13(changeDir, "context-manifest.md");
+  if (!existsSync12(manifestPath)) {
+    changed.push(enableContextGovernance ? "context-manifest.md: added context-governance v1 manifest scaffold" : "context-manifest.md: added legacy context manifest scaffold");
+    pending.push({
+      path: manifestPath,
+      content: enableContextGovernance ? buildContextGovernedManifest(changeId) : buildLegacyContextManifest(changeId)
+    });
   } else if (enableContextGovernance) {
     warnings.push("context-manifest.md already exists \u2014 review allowed paths before relying on context-governance: v1");
   }
-  return { changed, warnings };
+  return { result: { changed, warnings }, pending };
+}
+function commitWritesAtomically(pending) {
+  const renames = [];
+  try {
+    for (const write of pending) {
+      const tmp = `${write.path}.cdd-migrate.tmp`;
+      writeFileSync5(tmp, write.content, "utf8");
+      renames.push({ tmp, final: write.path });
+    }
+  } catch (err) {
+    for (const r of renames) {
+      try {
+        rmSync2(r.tmp, { force: true });
+      } catch {
+      }
+    }
+    throw err;
+  }
+  for (const r of renames) {
+    renameSync(r.tmp, r.final);
+  }
 }
 async function migrate(changeId, opts = {}) {
   const cwd = process.cwd();
   const dryRun = opts.dryRun ?? false;
   const enableContextGovernance = opts.enableContextGovernance ?? false;
+  const noBackup = opts.noBackup ?? false;
   const idsToMigrate = [];
   if (opts.all) {
-    const changesDir = join12(cwd, "specs", "changes");
-    if (!existsSync11(changesDir)) {
+    const changesDir = join13(cwd, "specs", "changes");
+    if (!existsSync12(changesDir)) {
       log.info("No specs/changes/ directory found \u2014 nothing to migrate.");
       return;
     }
     idsToMigrate.push(
-      ...readdirSync7(changesDir, { withFileTypes: true }).filter((d) => d.isDirectory()).map((d) => d.name)
+      ...readdirSync8(changesDir, { withFileTypes: true }).filter((d) => d.isDirectory()).map((d) => d.name)
     );
   } else if (changeId) {
-    const specificDir = join12(cwd, "specs", "changes", changeId);
-    if (!existsSync11(specificDir)) {
+    const specificDir = join13(cwd, "specs", "changes", changeId);
+    if (!existsSync12(specificDir)) {
       log.error(`Change not found: specs/changes/${changeId}`);
       process.exit(1);
     }
     idsToMigrate.push(changeId);
   } else {
-    log.error("Usage: cdd-kit migrate <change-id>  |  cdd-kit migrate --all  [--dry-run]");
+    log.error("Usage: cdd-kit migrate <change-id>  |  cdd-kit migrate --all  [--dry-run] [--no-backup]");
     process.exit(1);
   }
   if (idsToMigrate.length === 0) {
@@ -493,35 +969,54 @@ async function migrate(changeId, opts = {}) {
     log.info("Dry run \u2014 no files will be written.");
     log.blank();
   }
+  const sessionStamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
   let migratedCount = 0;
   let upToDateCount = 0;
+  const backupRoot = join13(cwd, ".cdd", "migrate-backup", sessionStamp);
   for (const id of idsToMigrate) {
-    const changeDir = join12(cwd, "specs", "changes", id);
-    if (!existsSync11(changeDir)) {
+    const changeDir = join13(cwd, "specs", "changes", id);
+    if (!existsSync12(changeDir)) {
       log.warn(`  ${id}: directory not found \u2014 skipping`);
       continue;
     }
-    const { changed, warnings } = migrateOne(id, changeDir, dryRun, enableContextGovernance);
-    if (changed.length > 0) {
-      log.ok(`  ${id}: migrated`);
-      for (const c of changed)
-        log.info(`    + ${c}`);
-      migratedCount++;
-    } else {
+    const { result, pending } = migrateOne(id, changeDir, enableContextGovernance);
+    const { changed, warnings } = result;
+    if (changed.length === 0) {
       log.info(`  ${id}: already up to date`);
       upToDateCount++;
+      for (const w of warnings)
+        log.warn(`  ${id}: ${w}`);
+      continue;
     }
-    for (const w of warnings) {
-      log.warn(`  ${id}: ${w}`);
+    if (!dryRun) {
+      try {
+        if (!noBackup)
+          backupChangeDir(cwd, id, sessionStamp);
+        commitWritesAtomically(pending);
+      } catch (err) {
+        log.error(`  ${id}: migration failed \u2014 ${err.message}`);
+        if (!noBackup) {
+          log.error(`  ${id}: restore from .cdd/migrate-backup/${sessionStamp}/${id}/`);
+        }
+        process.exit(1);
+      }
     }
+    log.ok(`  ${id}: migrated`);
+    for (const c of changed)
+      log.info(`    + ${c}`);
+    migratedCount++;
+    for (const w of warnings)
+      log.warn(`  ${id}: ${w}`);
   }
   log.blank();
   if (dryRun) {
     log.info(`Dry run complete: ${migratedCount} change(s) would be updated, ${upToDateCount} already up to date.`);
   } else {
     log.ok(`Migration complete: ${migratedCount} updated, ${upToDateCount} already up to date.`);
-    if (migratedCount > 0) {
+    if (migratedCount > 0 && !noBackup) {
+      log.info(`Backup: ${backupRoot}`);
       log.info('Next: git add specs/changes/ && git commit -m "chore: migrate changes to current cdd-kit format"');
+      log.info("When stable, remove backup: rm -rf .cdd/migrate-backup/");
     }
   }
 }
@@ -537,39 +1032,39 @@ var upgrade_exports = {};
 __export(upgrade_exports, {
   upgrade: () => upgrade
 });
-import { existsSync as existsSync12, mkdirSync as mkdirSync4, readdirSync as readdirSync8, copyFileSync as copyFileSync3, writeFileSync as writeFileSync5 } from "fs";
-import { dirname as dirname3, join as join13, relative as relative2 } from "path";
+import { existsSync as existsSync13, mkdirSync as mkdirSync6, readdirSync as readdirSync9, copyFileSync as copyFileSync3, readFileSync as readFileSync11, writeFileSync as writeFileSync6 } from "fs";
+import { dirname as dirname4, join as join14, relative as relative3 } from "path";
 function planMissingFiles(srcDir, destDir, label, planned) {
-  if (!existsSync12(srcDir))
+  if (!existsSync13(srcDir))
     return;
-  for (const entry of readdirSync8(srcDir, { withFileTypes: true })) {
-    const src = join13(srcDir, entry.name);
-    const dest = join13(destDir, entry.name);
+  for (const entry of readdirSync9(srcDir, { withFileTypes: true })) {
+    const src = join14(srcDir, entry.name);
+    const dest = join14(destDir, entry.name);
     if (entry.isDirectory()) {
-      planMissingFiles(src, dest, join13(label, entry.name), planned);
+      planMissingFiles(src, dest, join14(label, entry.name), planned);
       continue;
     }
-    if (!existsSync12(dest)) {
-      planned.push({ src, dest, rel: join13(label, relative2(srcDir, src)) });
+    if (!existsSync13(dest)) {
+      planned.push({ src, dest, rel: join14(label, relative3(srcDir, src)) });
     }
   }
 }
 function planProviderGuidance(cwd, provider, planned) {
   if (provider === "claude" || provider === "both") {
-    if (!existsSync12(join13(cwd, "CLAUDE.md"))) {
-      planned.push({ src: ASSET.claudeTemplate, dest: join13(cwd, "CLAUDE.md"), rel: "CLAUDE.md" });
+    if (!existsSync13(join14(cwd, "CLAUDE.md"))) {
+      planned.push({ src: ASSET.claudeTemplate, dest: join14(cwd, "CLAUDE.md"), rel: "CLAUDE.md" });
     }
-    if (!existsSync12(join13(cwd, "AGENTS.md"))) {
-      planned.push({ src: ASSET.agentsTemplate, dest: join13(cwd, "AGENTS.md"), rel: "AGENTS.md" });
+    if (!existsSync13(join14(cwd, "AGENTS.md"))) {
+      planned.push({ src: ASSET.agentsTemplate, dest: join14(cwd, "AGENTS.md"), rel: "AGENTS.md" });
     }
   }
-  if ((provider === "codex" || provider === "both") && !existsSync12(join13(cwd, "CODEX.md"))) {
-    planned.push({ src: ASSET.codexTemplate, dest: join13(cwd, "CODEX.md"), rel: "CODEX.md" });
+  if ((provider === "codex" || provider === "both") && !existsSync13(join14(cwd, "CODEX.md"))) {
+    planned.push({ src: ASSET.codexTemplate, dest: join14(cwd, "CODEX.md"), rel: "CODEX.md" });
   }
 }
 function applyCopy(plan) {
   for (const item of plan) {
-    mkdirSync4(dirname3(item.dest), { recursive: true });
+    mkdirSync6(dirname4(item.dest), { recursive: true });
     copyFileSync3(item.src, item.dest);
   }
 }
@@ -582,12 +1077,12 @@ async function upgrade(opts = {}) {
   }
   const provider = inferProvider(cwd, requestedProvider);
   const plan = [];
-  planMissingFiles(ASSET.contracts, join13(cwd, "contracts"), "contracts", plan);
-  planMissingFiles(ASSET.specsTemplates, join13(cwd, "specs", "templates"), "specs/templates", plan);
-  planMissingFiles(ASSET.testsTemplates, join13(cwd, "tests", "templates"), "tests/templates", plan);
-  planMissingFiles(ASSET.ci, join13(cwd, "ci"), "ci", plan);
-  planMissingFiles(ASSET.githubWorkflows, join13(cwd, ".github", "workflows"), ".github/workflows", plan);
-  planMissingFiles(ASSET.cddConfig, join13(cwd, ".cdd"), ".cdd", plan);
+  planMissingFiles(ASSET.contracts, join14(cwd, "contracts"), "contracts", plan);
+  planMissingFiles(ASSET.specsTemplates, join14(cwd, "specs", "templates"), "specs/templates", plan);
+  planMissingFiles(ASSET.testsTemplates, join14(cwd, "tests", "templates"), "tests/templates", plan);
+  planMissingFiles(ASSET.ci, join14(cwd, "ci"), "ci", plan);
+  planMissingFiles(ASSET.githubWorkflows, join14(cwd, ".github", "workflows"), ".github/workflows", plan);
+  planMissingFiles(ASSET.cddConfig, join14(cwd, ".cdd"), ".cdd", plan);
   planProviderGuidance(cwd, provider, plan);
   log.blank();
   log.info(`Upgrade provider: ${provider}`);
@@ -624,13 +1119,20 @@ async function upgrade(opts = {}) {
     return;
   }
   applyCopy(plan);
-  const modelPolicyPath = join13(cwd, ".cdd", "model-policy.json");
-  if (existsSync12(modelPolicyPath)) {
-    writeFileSync5(modelPolicyPath, JSON.stringify({
+  const modelPolicyPath = join14(cwd, ".cdd", "model-policy.json");
+  if (existsSync13(modelPolicyPath)) {
+    let existing = {};
+    try {
+      existing = JSON.parse(readFileSync11(modelPolicyPath, "utf8"));
+    } catch {
+    }
+    const merged = {
+      ...existing,
       provider,
       generated_at: (/* @__PURE__ */ new Date()).toISOString(),
-      roles: {}
-    }, null, 2) + "\n", "utf8");
+      roles: existing.roles && typeof existing.roles === "object" ? existing.roles : {}
+    };
+    writeFileSync6(modelPolicyPath, JSON.stringify(merged, null, 2) + "\n", "utf8");
   }
   log.blank();
   log.ok(`Upgrade complete: ${plan.length} missing file(s) added.`);
@@ -661,26 +1163,26 @@ var archive_exports = {};
 __export(archive_exports, {
   archive: () => archive
 });
-import { join as join14 } from "path";
-import { existsSync as existsSync13, mkdirSync as mkdirSync5, renameSync, readFileSync as readFileSync10, writeFileSync as writeFileSync6, appendFileSync, cpSync as cpSync2, rmSync as rmSync2 } from "fs";
+import { join as join15 } from "path";
+import { existsSync as existsSync14, mkdirSync as mkdirSync7, renameSync as renameSync2, readFileSync as readFileSync12, writeFileSync as writeFileSync7, appendFileSync, cpSync as cpSync3, rmSync as rmSync3 } from "fs";
 async function archive(changeId) {
   const cwd = process.cwd();
-  const changeDir = join14(cwd, "specs", "changes", changeId);
+  const changeDir = join15(cwd, "specs", "changes", changeId);
   const archiveYear = (/* @__PURE__ */ new Date()).getFullYear().toString();
-  const archiveBase = join14(cwd, "specs", "archive", archiveYear);
-  const archiveDir = join14(archiveBase, changeId);
-  const indexPath = join14(cwd, "specs", "archive", "INDEX.md");
-  if (!existsSync13(changeDir)) {
+  const archiveBase = join15(cwd, "specs", "archive", archiveYear);
+  const archiveDir = join15(archiveBase, changeId);
+  const indexPath = join15(cwd, "specs", "archive", "INDEX.md");
+  if (!existsSync14(changeDir)) {
     log.error(`Change not found: specs/changes/${changeId}`);
     process.exit(1);
   }
-  if (existsSync13(archiveDir)) {
+  if (existsSync14(archiveDir)) {
     log.error(`Already archived: specs/archive/${archiveYear}/${changeId}`);
     process.exit(1);
   }
-  const tasksPath = join14(changeDir, "tasks.md");
-  if (existsSync13(tasksPath)) {
-    const content = readFileSync10(tasksPath, "utf8");
+  const tasksPath = join15(changeDir, "tasks.md");
+  if (existsSync14(tasksPath)) {
+    const content = readFileSync12(tasksPath, "utf8");
     if (content.includes("status: gate-blocked")) {
       log.warn("tasks.md has status: gate-blocked \u2014 archiving anyway (change was paused).");
     }
@@ -689,15 +1191,15 @@ async function archive(changeId) {
       log.warn(`${pending} task(s) still pending ([ ]). Archive anyway.`);
     }
   }
-  if (!existsSync13(archiveBase)) {
-    mkdirSync5(archiveBase, { recursive: true });
+  if (!existsSync14(archiveBase)) {
+    mkdirSync7(archiveBase, { recursive: true });
   }
   try {
-    renameSync(changeDir, archiveDir);
+    renameSync2(changeDir, archiveDir);
   } catch (err) {
     if (err.code === "EXDEV") {
-      cpSync2(changeDir, archiveDir, { recursive: true });
-      rmSync2(changeDir, { recursive: true, force: true });
+      cpSync3(changeDir, archiveDir, { recursive: true });
+      rmSync3(changeDir, { recursive: true, force: true });
     } else {
       throw err;
     }
@@ -706,8 +1208,8 @@ async function archive(changeId) {
   const today = (/* @__PURE__ */ new Date()).toISOString().split("T")[0];
   const indexLine = `| ${changeId} | ${archiveYear} | ${today} | specs/archive/${archiveYear}/${changeId}/ |
 `;
-  if (!existsSync13(indexPath)) {
-    writeFileSync6(indexPath, `# Archive Index
+  if (!existsSync14(indexPath)) {
+    writeFileSync7(indexPath, `# Archive Index
 
 | change-id | year | archived-date | path |
 |---|---|---|---|
@@ -720,357 +1222,125 @@ ${indexLine}`, "utf8");
   log.info(`Next: promote durable learnings from archive.md to contracts/ or CLAUDE.md`);
 }
 var init_archive = __esm({
-  "src/commands/archive.ts"() {
-    "use strict";
-    init_logger();
-  }
-});
-
-// src/commands/abandon.ts
-var abandon_exports = {};
-__export(abandon_exports, {
-  abandon: () => abandon
-});
-import { join as join15 } from "path";
-import { existsSync as existsSync14, readFileSync as readFileSync11, writeFileSync as writeFileSync7, appendFileSync as appendFileSync2, mkdirSync as mkdirSync6 } from "fs";
-async function abandon(changeId, opts) {
-  const cwd = process.cwd();
-  const changeDir = join15(cwd, "specs", "changes", changeId);
-  const tasksPath = join15(changeDir, "tasks.md");
-  if (!existsSync14(changeDir)) {
-    log.error(`Change not found: specs/changes/${changeId}`);
-    process.exit(1);
-  }
-  if (existsSync14(tasksPath)) {
-    let content = readFileSync11(tasksPath, "utf8");
-    if (content.match(/^status:/m)) {
-      content = content.replace(/^status: .*/m, "status: abandoned");
-    } else {
-      content = `---
-change-id: ${changeId}
-status: abandoned
----
-
-` + content;
-    }
-    writeFileSync7(tasksPath, content, "utf8");
-  }
-  const today = (/* @__PURE__ */ new Date()).toISOString().split("T")[0];
-  const archiveDir = join15(cwd, "specs", "archive");
-  const indexPath = join15(archiveDir, "INDEX.md");
-  const reason = opts.reason ?? "no reason given";
-  const indexLine = `| ${changeId} | abandoned | ${today} | ${reason} |
-`;
-  if (!existsSync14(archiveDir)) {
-    mkdirSync6(archiveDir, { recursive: true });
-  }
-  if (!existsSync14(indexPath)) {
-    writeFileSync7(indexPath, `# Archive Index
-
-| change-id | status | date | notes |
-|---|---|---|---|
-${indexLine}`, "utf8");
-  } else {
-    appendFileSync2(indexPath, indexLine, "utf8");
-  }
-  log.ok(`Change ${changeId} marked as abandoned.`);
-  log.info(`specs/changes/${changeId}/ remains on disk (git history preserved).`);
-  log.info(`Run \`cdd-kit archive ${changeId}\` to physically move it, or leave it for git history.`);
-}
-var init_abandon = __esm({
-  "src/commands/abandon.ts"() {
-    "use strict";
-    init_logger();
-  }
-});
-
-// src/commands/list-changes.ts
-var list_changes_exports = {};
-__export(list_changes_exports, {
-  listChanges: () => listChanges
-});
-import { join as join16 } from "path";
-import { existsSync as existsSync15, readdirSync as readdirSync9, readFileSync as readFileSync12 } from "fs";
-async function listChanges() {
-  const cwd = process.cwd();
-  const changesDir = join16(cwd, "specs", "changes");
-  log.blank();
-  const active = [];
-  if (existsSync15(changesDir)) {
-    active.push(...readdirSync9(changesDir, { withFileTypes: true }).filter((d) => d.isDirectory()).map((d) => d.name));
-  }
-  if (active.length === 0) {
-    log.info("No active changes in specs/changes/");
-  } else {
-    log.info("Active changes:");
-    for (const id of active) {
-      const tasksPath = join16(changesDir, id, "tasks.md");
-      let status = "in-progress";
-      let pending = 0;
-      if (existsSync15(tasksPath)) {
-        const content = readFileSync12(tasksPath, "utf8");
-        if (content.includes("status: gate-blocked"))
-          status = "gate-blocked";
-        else if (content.includes("status: abandoned"))
-          status = "abandoned";
-        pending = (content.match(/^\s*-\s*\[ \]/gm) || []).length;
-      }
-      const pendingStr = pending > 0 ? ` (${pending} pending)` : "";
-      log.info(`  ${id}  [${status}]${pendingStr}`);
-    }
-  }
-  log.blank();
-}
-var init_list_changes = __esm({
-  "src/commands/list-changes.ts"() {
-    "use strict";
-    init_logger();
-  }
-});
-
-// src/commands/context-scan.ts
-var context_scan_exports = {};
-__export(context_scan_exports, {
-  contextScan: () => contextScan
-});
-import { existsSync as existsSync16, mkdirSync as mkdirSync7, readFileSync as readFileSync13, readdirSync as readdirSync10, writeFileSync as writeFileSync8 } from "fs";
-import { basename, dirname as dirname4, join as join17, relative as relative3 } from "path";
-function stripGlobSuffix(pattern) {
-  return pattern.replace(/\/\*\*$/, "").replace(/\/\*$/, "");
-}
-function getForbiddenPaths(cwd) {
-  const forbidden = new Set(DEFAULT_FORBIDDEN);
-  const policyPath = join17(cwd, ".cdd", "context-policy.json");
-  try {
-    if (existsSync16(policyPath)) {
-      const policy = JSON.parse(readFileSync13(policyPath, "utf8"));
-      for (const pattern of policy.forbiddenPaths ?? []) {
-        forbidden.add(stripGlobSuffix(pattern));
-      }
-    }
-  } catch {
-    log.warn("Could not parse .cdd/context-policy.json; using default context-scan excludes.");
-  }
-  return [...forbidden];
-}
-function isForbidden(relPath, forbidden) {
-  const normalized = relPath.replace(/\\/g, "/");
-  return forbidden.some((pattern) => normalized === pattern || normalized.startsWith(`${pattern}/`));
-}
-function buildTree(dir, cwd, forbidden, stats, prefix = "", depth = 0) {
-  const entries = readdirSync10(dir, { withFileTypes: true }).sort((a, b) => {
-    if (a.isDirectory() === b.isDirectory())
-      return a.name.localeCompare(b.name);
-    return a.isDirectory() ? -1 : 1;
-  });
-  let output = "";
-  const visible = entries.filter((entry) => {
-    const relPath = relative3(cwd, join17(dir, entry.name));
-    return !isForbidden(relPath, forbidden);
-  });
-  visible.forEach((entry, index) => {
-    const fullPath = join17(dir, entry.name);
-    const isLast = index === visible.length - 1;
-    const connector = isLast ? "\\-- " : "|-- ";
-    output += `${prefix}${connector}${entry.name}${entry.isDirectory() ? "/" : ""}
-`;
-    if (entry.isDirectory()) {
-      stats.dirs += 1;
-      if (depth >= 3) {
-        stats.omittedDirs += 1;
-        output += `${prefix}${isLast ? "    " : "|   "}\\-- ... (max depth)
-`;
-      } else {
-        output += buildTree(fullPath, cwd, forbidden, stats, prefix + (isLast ? "    " : "|   "), depth + 1);
-      }
-    } else {
-      stats.files += 1;
-    }
-  });
-  return output;
-}
-function firstHeading(content) {
-  const match = content.match(/^#\s+(.+)$/m);
-  return match?.[1]?.trim();
-}
-function deriveContractType(relPath, metadata) {
-  if (metadata.contract)
-    return metadata.contract;
-  const parts = relPath.split("/");
-  return parts.length >= 2 ? parts[1] : "unknown";
-}
-function parseContractMetadata(content) {
-  const metadata = {};
-  let summary;
-  const cddMatch = content.match(/<!--\s*cdd:([\s\S]*?)-->/);
-  const yamlMatch = content.match(/^---\r?\n([\s\S]*?)\r?\n---/);
-  const block = cddMatch?.[1] ?? yamlMatch?.[1];
-  if (block) {
-    for (const line of block.split(/\r?\n/)) {
-      const colon = line.indexOf(":");
-      if (colon === -1)
-        continue;
-      const key = line.slice(0, colon).trim();
-      const value = line.slice(colon + 1).trim();
-      if (!key || !value)
-        continue;
-      if (key === "summary")
-        summary = value;
-      else
-        metadata[key] = value;
-    }
-  }
-  if (!summary) {
-    const summaryMatch = content.match(/#+\s*Summary\s*\r?\n+([^#\r\n][^\r\n]*)/i);
-    summary = summaryMatch?.[1]?.trim();
-  }
-  return { title: firstHeading(content), summary, metadata };
-}
-function findContractFiles(dir, found = []) {
-  if (!existsSync16(dir))
-    return found;
-  for (const entry of readdirSync10(dir, { withFileTypes: true })) {
-    const fullPath = join17(dir, entry.name);
-    if (entry.isDirectory())
-      findContractFiles(fullPath, found);
-    else if (entry.isFile() && entry.name.endsWith(".md") && entry.name !== "INDEX.md" && entry.name !== "CHANGELOG.md")
-      found.push(fullPath);
-  }
-  return found;
-}
-async function contextScan() {
-  const cwd = process.cwd();
-  const specsContextDir = join17(cwd, "specs", "context");
-  mkdirSync7(specsContextDir, { recursive: true });
-  const forbidden = getForbiddenPaths(cwd);
-  const treeStats = { dirs: 0, files: 0, omittedDirs: 0 };
-  const tree = buildTree(cwd, cwd, forbidden, treeStats);
-  writeFileSync8(
-    join17(specsContextDir, "project-map.md"),
-    [
-      "---",
-      "artifact: project-map",
-      "generated-by: cdd-kit context-scan",
-      "schema-version: 1",
-      `root: ${basename(cwd)}`,
-      `visible-dirs: ${treeStats.dirs}`,
-      `visible-files: ${treeStats.files}`,
-      `omitted-dirs: ${treeStats.omittedDirs}`,
-      "---",
-      "",
-      "# Project Map",
-      "",
-      "Use this deterministic map to choose candidate context paths before reading files.",
-      "",
-      "## Excluded Paths",
-      ...forbidden.map((path) => `- ${path}`),
-      "",
-      "## Tree",
-      "",
-      "```",
-      `${basename(cwd)}/`,
-      tree.trimEnd(),
-      "```",
-      ""
-    ].join("\n"),
-    "utf8"
-  );
-  log.ok("Created specs/context/project-map.md");
-  const contractFiles = findContractFiles(join17(cwd, "contracts")).sort((a, b) => relative3(cwd, a).localeCompare(relative3(cwd, b)));
-  const contractEntries = [];
-  const inventoryRows = [];
-  let missingSummary = 0;
-  for (const file of contractFiles) {
-    const relPath = relative3(cwd, file).replace(/\\/g, "/");
-    const dir = dirname4(relPath).replace(/\\/g, "/");
-    const { title, summary, metadata } = parseContractMetadata(readFileSync13(file, "utf8"));
-    const contractType = deriveContractType(relPath, metadata);
-    const owner = metadata.owner ?? "unknown";
-    const surface = metadata.surface ?? dir;
-    const summaryText = summary ?? "MISSING - add YAML frontmatter `summary:` or `<!-- cdd: summary: ... -->`.";
-    inventoryRows.push(`| ${relPath} | ${contractType} | ${surface} | ${owner} | ${summary ? "yes" : "no"} |`);
-    let entry = `## ${relPath}
-`;
-    entry += `- path: \`${relPath}\`
-`;
-    entry += `- type: ${contractType}
-`;
-    entry += `- directory: ${dir}
-`;
-    if (title)
-      entry += `- title: ${title}
-`;
-    for (const [key, value] of Object.entries(metadata)) {
-      if (key === "contract")
-        continue;
-      entry += `- ${key}: ${value}
-`;
-    }
-    entry += `- summary: ${summaryText}
+  "src/commands/archive.ts"() {
+    "use strict";
+    init_logger();
+  }
+});
 
-`;
-    contractEntries.push(entry);
-    if (!summary) {
-      missingSummary += 1;
+// src/commands/abandon.ts
+var abandon_exports = {};
+__export(abandon_exports, {
+  abandon: () => abandon
+});
+import { join as join16 } from "path";
+import { existsSync as existsSync15, readFileSync as readFileSync13, writeFileSync as writeFileSync8, appendFileSync as appendFileSync2, mkdirSync as mkdirSync8 } from "fs";
+async function abandon(changeId, opts) {
+  const cwd = process.cwd();
+  const changeDir = join16(cwd, "specs", "changes", changeId);
+  const tasksPath = join16(changeDir, "tasks.md");
+  if (!existsSync15(changeDir)) {
+    log.error(`Change not found: specs/changes/${changeId}`);
+    process.exit(1);
+  }
+  if (existsSync15(tasksPath)) {
+    let content = readFileSync13(tasksPath, "utf8");
+    if (content.match(/^status:/m)) {
+      content = content.replace(/^status: .*/m, "status: abandoned");
+    } else {
+      content = `---
+change-id: ${changeId}
+status: abandoned
+---
+
+` + content;
     }
+    writeFileSync8(tasksPath, content, "utf8");
   }
-  const contractIndex = [
-    "---",
-    "artifact: contracts-index",
-    "generated-by: cdd-kit context-scan",
-    "schema-version: 1",
-    `contract-count: ${contractFiles.length}`,
-    `missing-summary-count: ${missingSummary}`,
-    "---",
-    "",
-    "# Contracts Index",
-    "",
-    "Generated from deterministic metadata. Add YAML frontmatter fields such as `summary`, `owner`, and `surface` to improve classifier accuracy.",
-    "",
-    "## Contract Inventory",
-    "",
-    "| path | type | surface | owner | has-summary |",
-    "|---|---|---|---|---|",
-    ...inventoryRows,
-    "",
-    "## Contract Details",
-    "",
-    ...contractEntries
-  ].join("\n");
-  writeFileSync8(join17(specsContextDir, "contracts-index.md"), contractIndex, "utf8");
-  if (missingSummary > 0) {
-    log.warn(`Created specs/context/contracts-index.md with ${missingSummary} missing summary warning(s).`);
+  const today = (/* @__PURE__ */ new Date()).toISOString().split("T")[0];
+  const archiveDir = join16(cwd, "specs", "archive");
+  const indexPath = join16(archiveDir, "INDEX.md");
+  const reason = opts.reason ?? "no reason given";
+  const indexLine = `| ${changeId} | abandoned | ${today} | ${reason} |
+`;
+  if (!existsSync15(archiveDir)) {
+    mkdirSync8(archiveDir, { recursive: true });
+  }
+  if (!existsSync15(indexPath)) {
+    writeFileSync8(indexPath, `# Archive Index
+
+| change-id | status | date | notes |
+|---|---|---|---|
+${indexLine}`, "utf8");
   } else {
-    log.ok("Created specs/context/contracts-index.md");
+    appendFileSync2(indexPath, indexLine, "utf8");
   }
+  log.ok(`Change ${changeId} marked as abandoned.`);
+  log.info(`specs/changes/${changeId}/ remains on disk (git history preserved).`);
+  log.info(`Run \`cdd-kit archive ${changeId}\` to physically move it, or leave it for git history.`);
 }
-var DEFAULT_FORBIDDEN;
-var init_context_scan = __esm({
-  "src/commands/context-scan.ts"() {
+var init_abandon = __esm({
+  "src/commands/abandon.ts"() {
+    "use strict";
+    init_logger();
+  }
+});
+
+// src/commands/list-changes.ts
+var list_changes_exports = {};
+__export(list_changes_exports, {
+  listChanges: () => listChanges
+});
+import { join as join17 } from "path";
+import { existsSync as existsSync16, readdirSync as readdirSync10, readFileSync as readFileSync14 } from "fs";
+async function listChanges() {
+  const cwd = process.cwd();
+  const changesDir = join17(cwd, "specs", "changes");
+  log.blank();
+  const active = [];
+  if (existsSync16(changesDir)) {
+    active.push(...readdirSync10(changesDir, { withFileTypes: true }).filter((d) => d.isDirectory()).map((d) => d.name));
+  }
+  if (active.length === 0) {
+    log.info("No active changes in specs/changes/");
+  } else {
+    log.info("Active changes:");
+    for (const id of active) {
+      const tasksPath = join17(changesDir, id, "tasks.md");
+      let status = "in-progress";
+      let pending = 0;
+      if (existsSync16(tasksPath)) {
+        const content = readFileSync14(tasksPath, "utf8");
+        if (content.includes("status: gate-blocked"))
+          status = "gate-blocked";
+        else if (content.includes("status: abandoned"))
+          status = "abandoned";
+        pending = (content.match(/^\s*-\s*\[ \]/gm) || []).length;
+      }
+      const pendingStr = pending > 0 ? ` (${pending} pending)` : "";
+      log.info(`  ${id}  [${status}]${pendingStr}`);
+    }
+  }
+  log.blank();
+}
+var init_list_changes = __esm({
+  "src/commands/list-changes.ts"() {
     "use strict";
     init_logger();
-    DEFAULT_FORBIDDEN = [
-      ".claude",
-      ".git",
-      "node_modules",
-      "dist",
-      "build",
-      "assets",
-      "specs/archive",
-      "specs/changes"
-    ];
   }
 });
 
 // src/commands/context.ts
 var context_exports = {};
 __export(context_exports, {
+  approveAllPending: () => approveAllPending,
   approveContextExpansion: () => approveContextExpansion,
   listContextExpansions: () => listContextExpansions,
+  rejectAllPending: () => rejectAllPending,
   rejectContextExpansion: () => rejectContextExpansion,
   requestContextExpansion: () => requestContextExpansion
 });
-import { existsSync as existsSync17, readFileSync as readFileSync14, writeFileSync as writeFileSync9 } from "fs";
+import { existsSync as existsSync17, readFileSync as readFileSync15, writeFileSync as writeFileSync9 } from "fs";
 import { join as join18 } from "path";
 function normalizePath(path) {
   return path.replace(/\\/g, "/").replace(/^\.\//, "").trim();
@@ -1093,7 +1363,7 @@ function readManifest(changeId) {
     log.error(`context manifest not found: specs/changes/${changeId}/context-manifest.md`);
     process.exit(1);
   }
-  return readFileSync14(manifestPath, "utf8");
+  return readFileSync15(manifestPath, "utf8");
 }
 function writeManifest(changeId, content) {
   writeFileSync9(manifestPathFor(changeId), content.endsWith("\n") ? content : `${content}
@@ -1240,6 +1510,21 @@ async function listContextExpansions(changeId, json = false) {
       log.dim(`    ${path}`);
   }
 }
+function applyApproval(content, request) {
+  for (const path of request.paths) {
+    const validationError = validateRepoRelativePath(path);
+    if (validationError) {
+      log.error(validationError);
+      process.exit(1);
+    }
+  }
+  const approved = approvedExpansionSet(content);
+  for (const path of request.paths)
+    approved.add(path);
+  let next = replaceSection(content, "Approved Expansions", [...approved].sort().map((p) => `- ${p}`));
+  next = setRequestStatus(next, request.requestId, "approved");
+  return next;
+}
 async function approveContextExpansion(changeId, requestId) {
   const content = readManifest(changeId);
   const request = parseRequests(content).find((item) => item.requestId === requestId && item.status === "pending");
@@ -1251,28 +1536,53 @@ async function approveContextExpansion(changeId, requestId) {
     log.error(`context expansion request has no requested_paths: ${requestId}`);
     process.exit(1);
   }
-  for (const path of request.paths) {
-    const validationError = validateRepoRelativePath(path);
-    if (validationError) {
-      log.error(validationError);
-      process.exit(1);
-    }
-  }
-  const approved = approvedExpansionSet(content);
-  for (const path of request.paths)
-    approved.add(path);
-  let next = replaceSection(content, "Approved Expansions", [...[...approved].sort().map((path) => `- ${path}`)]);
-  next = setRequestStatus(next, requestId, "approved");
+  const next = applyApproval(content, request);
   writeManifest(changeId, next);
   log.ok(`approved context expansion ${requestId} for ${changeId}`);
   for (const path of request.paths)
     log.info(`  ${path}`);
 }
+async function approveAllPending(changeId) {
+  let content = readManifest(changeId);
+  const pending = parseRequests(content).filter((r) => r.status === "pending");
+  if (pending.length === 0) {
+    log.info(`no pending context expansion requests for ${changeId}`);
+    return;
+  }
+  const skipped = [];
+  let approvedCount = 0;
+  for (const request of pending) {
+    if (request.paths.length === 0) {
+      skipped.push(`${request.requestId} (no requested_paths)`);
+      continue;
+    }
+    content = applyApproval(content, request);
+    approvedCount += 1;
+  }
+  writeManifest(changeId, content);
+  log.ok(`approved ${approvedCount} pending context expansion request(s) for ${changeId}`);
+  for (const reason of skipped) {
+    log.warn(`  skipped ${reason}`);
+  }
+}
 async function rejectContextExpansion(changeId, requestId) {
   const next = setRequestStatus(readManifest(changeId), requestId, "rejected");
   writeManifest(changeId, next);
   log.ok(`rejected context expansion ${requestId} for ${changeId}`);
 }
+async function rejectAllPending(changeId) {
+  let content = readManifest(changeId);
+  const pending = parseRequests(content).filter((r) => r.status === "pending");
+  if (pending.length === 0) {
+    log.info(`no pending context expansion requests for ${changeId}`);
+    return;
+  }
+  for (const request of pending) {
+    content = setRequestStatus(content, request.requestId, "rejected");
+  }
+  writeManifest(changeId, content);
+  log.ok(`rejected ${pending.length} pending context expansion request(s) for ${changeId}`);
+}
 var init_context = __esm({
   "src/commands/context.ts"() {
     "use strict";
@@ -1281,7 +1591,7 @@ var init_context = __esm({
 });
 
 // src/cli/index.ts
-import { readFileSync as readFileSync15 } from "fs";
+import { readFileSync as readFileSync16 } from "fs";
 import { fileURLToPath as fileURLToPath2 } from "url";
 import { dirname as dirname5, join as join19 } from "path";
 import { Command } from "commander";
@@ -1590,11 +1900,18 @@ async function init(opts) {
       log.ok(`.cdd/ - ${cddConfigCount} file(s) written.`);
       const modelPolicyPath = join4(cwd, ".cdd", "model-policy.json");
       if (existsSync3(modelPolicyPath)) {
-        writeFileSync(modelPolicyPath, JSON.stringify({
+        let existing = {};
+        try {
+          existing = JSON.parse(readFileSync2(modelPolicyPath, "utf8"));
+        } catch {
+        }
+        const merged = {
+          ...existing,
           provider: opts.provider,
           generated_at: (/* @__PURE__ */ new Date()).toISOString(),
-          roles: {}
-        }, null, 2) + "\n", "utf8");
+          roles: existing.roles && typeof existing.roles === "object" && Object.keys(existing.roles).length > 0 ? existing.roles : {}
+        };
+        writeFileSync(modelPolicyPath, JSON.stringify(merged, null, 2) + "\n", "utf8");
       }
       const { count: wfCount, created: wfCreated } = copyDirTracked(
         ASSET.githubWorkflows,
@@ -1823,9 +2140,58 @@ async function update(opts) {
 
 // src/commands/new-change.ts
 init_paths();
-import { join as join7 } from "path";
-import { existsSync as existsSync6, readFileSync as readFileSync5, readdirSync as readdirSync4, writeFileSync as writeFileSync2 } from "fs";
+import { join as join8 } from "path";
+import { createHash as createHash3 } from "crypto";
+import { existsSync as existsSync7, readFileSync as readFileSync6, readdirSync as readdirSync5, writeFileSync as writeFileSync3 } from "fs";
 init_logger();
+init_context_scan();
+function sha256OfFile2(path) {
+  try {
+    return createHash3("sha256").update(readFileSync6(path)).digest("hex");
+  } catch {
+    return "";
+  }
+}
+function inputsDigest2(paths) {
+  const combined = paths.slice().sort().map((p) => `${p}:${sha256OfFile2(p)}`).join("\n");
+  return createHash3("sha256").update(combined).digest("hex");
+}
+function findContractFiles2(dir, found = []) {
+  if (!existsSync7(dir))
+    return found;
+  for (const entry of readdirSync5(dir, { withFileTypes: true })) {
+    const fullPath = join8(dir, entry.name);
+    if (entry.isDirectory())
+      findContractFiles2(fullPath, found);
+    else if (entry.isFile() && entry.name.endsWith(".md") && entry.name !== "INDEX.md" && entry.name !== "CHANGELOG.md") {
+      found.push(fullPath);
+    }
+  }
+  return found;
+}
+function readIndexDigest(filePath) {
+  if (!existsSync7(filePath))
+    return null;
+  const m = readFileSync6(filePath, "utf8").match(/^inputs-digest:\s*([a-f0-9]+)/m);
+  return m ? m[1] : null;
+}
+async function ensureFreshContextIndexes(cwd) {
+  const projectMap = join8(cwd, "specs", "context", "project-map.md");
+  const contractsIndex = join8(cwd, "specs", "context", "contracts-index.md");
+  const policyPath = join8(cwd, ".cdd", "context-policy.json");
+  const policyInputs = [policyPath].filter(existsSync7);
+  const contractFiles = findContractFiles2(join8(cwd, "contracts"));
+  const wantProjectDigest = inputsDigest2(policyInputs);
+  const wantContractsDigest = inputsDigest2(contractFiles);
+  const haveProjectDigest = readIndexDigest(projectMap);
+  const haveContractsDigest = readIndexDigest(contractsIndex);
+  const needsScan = !existsSync7(projectMap) || !existsSync7(contractsIndex) || haveProjectDigest !== wantProjectDigest || haveContractsDigest !== wantContractsDigest;
+  if (!needsScan)
+    return;
+  log.info("context indexes missing or stale \u2014 running cdd-kit context-scan\u2026");
+  await contextScan();
+  log.dim("  (skip with --skip-scan)");
+}
 var REQUIRED_TEMPLATES = [
   "change-request.md",
   "change-classification.md",
@@ -1836,7 +2202,7 @@ var REQUIRED_TEMPLATES = [
 ];
 function listOptional() {
   try {
-    const all = readdirSync4(ASSET.specsTemplates).filter((f) => f.endsWith(".md"));
+    const all = readdirSync5(ASSET.specsTemplates).filter((f) => f.endsWith(".md"));
     return all.filter((f) => !REQUIRED_TEMPLATES.includes(f));
   } catch {
     return [];
@@ -1866,8 +2232,8 @@ async function newChange(name, opts) {
     }
   }
   const cwd = process.cwd();
-  const changeDir = join7(cwd, "specs", "changes", name);
-  if (existsSync6(changeDir)) {
+  const changeDir = join8(cwd, "specs", "changes", name);
+  if (existsSync7(changeDir)) {
     if (opts.force) {
       log.warn(`Forcing re-scaffold of existing change directory: ${changeDir}`);
       log.warn("Existing files will NOT be deleted; only template files will be overwritten.");
@@ -1877,15 +2243,22 @@ async function newChange(name, opts) {
       return;
     }
   }
+  if (!opts.skipScan) {
+    try {
+      await ensureFreshContextIndexes(cwd);
+    } catch (err) {
+      log.warn(`context-scan failed: ${err.message}; continuing without fresh indexes`);
+    }
+  }
   log.blank();
   log.info(`Creating change scaffold: specs/changes/${name}`);
   ensureDir(changeDir);
   const templates = opts.all ? [...REQUIRED_TEMPLATES, ...listOptional()] : [...REQUIRED_TEMPLATES];
   let written = 0;
   for (const tmpl of templates) {
-    const src = join7(ASSET.specsTemplates, tmpl);
-    const dest = join7(changeDir, tmpl);
-    if (!existsSync6(src)) {
+    const src = join8(ASSET.specsTemplates, tmpl);
+    const dest = join8(changeDir, tmpl);
+    if (!existsSync7(src)) {
       log.warn(`Template not found, skipping: ${tmpl}`);
       continue;
     }
@@ -1894,11 +2267,11 @@ async function newChange(name, opts) {
     written += 1;
   }
   if (dependencies.length > 0) {
-    const tasksPath = join7(changeDir, "tasks.md");
-    if (existsSync6(tasksPath)) {
-      const tasks = readFileSync5(tasksPath, "utf8");
+    const tasksPath = join8(changeDir, "tasks.md");
+    if (existsSync7(tasksPath)) {
+      const tasks = readFileSync6(tasksPath, "utf8");
       const nextTasks = tasks.replace(/^depends-on:\s*.*$/m, formatDependsOn(dependencies));
-      writeFileSync2(tasksPath, nextTasks, "utf8");
+      writeFileSync3(tasksPath, nextTasks, "utf8");
       log.dim(`depends-on: ${dependencies.join(", ")}`);
     }
   }
@@ -1910,8 +2283,8 @@ async function newChange(name, opts) {
 // src/commands/validate.ts
 init_paths();
 init_logger();
-import { join as join8 } from "path";
-import { existsSync as existsSync7 } from "fs";
+import { join as join9 } from "path";
+import { existsSync as existsSync8 } from "fs";
 import { spawnSync } from "child_process";
 var VALIDATORS = [
   {
@@ -1944,15 +2317,15 @@ async function validate(opts) {
     log.error(e instanceof Error ? e.message : String(e));
     process.exit(1);
   }
-  const scriptsDir = join8(ASSET.skill, "scripts");
+  const scriptsDir = join9(ASSET.skill, "scripts");
   const runAll = !opts.contracts && !opts.env && !opts.ci && !opts.spec && !opts.versions;
   log.blank();
   let failed = false;
   for (const v of VALIDATORS) {
     if (!runAll && !opts[v.flag])
       continue;
-    const scriptPath = join8(scriptsDir, v.script);
-    if (!existsSync7(scriptPath)) {
+    const scriptPath = join9(scriptsDir, v.script);
+    if (!existsSync8(scriptPath)) {
       log.warn(`${v.label}: script not found, skipping (${v.script})`);
       log.blank();
       continue;
@@ -1968,8 +2341,8 @@ async function validate(opts) {
     log.blank();
     if (v.chain) {
       for (const chained of v.chain) {
-        const chainedPath = join8(scriptsDir, chained.script);
-        if (!existsSync7(chainedPath)) {
+        const chainedPath = join9(scriptsDir, chained.script);
+        if (!existsSync8(chainedPath)) {
           log.warn(`${chained.label}: script not found, skipping (${chained.script})`);
           log.blank();
           continue;
@@ -1997,9 +2370,8 @@ async function validate(opts) {
 
 // src/commands/gate.ts
 init_logger();
-import { existsSync as existsSync8, readFileSync as readFileSync6, readdirSync as readdirSync5 } from "fs";
-import { join as join9 } from "path";
-import { spawnSync as spawnSync2 } from "child_process";
+import { existsSync as existsSync9, readFileSync as readFileSync7, readdirSync as readdirSync6 } from "fs";
+import { join as join10 } from "path";
 var REQUIRED_FILES = [
   "change-request.md",
   "change-classification.md",
@@ -2080,11 +2452,11 @@ function loadContextPolicy(cwd) {
       unknownFilesRead: "warn-for-legacy-fail-for-new"
     }
   };
-  const policyPath = join9(cwd, ".cdd", "context-policy.json");
-  if (!existsSync8(policyPath))
+  const policyPath = join10(cwd, ".cdd", "context-policy.json");
+  if (!existsSync9(policyPath))
     return defaults;
   try {
-    const custom = JSON.parse(readFileSync6(policyPath, "utf8"));
+    const custom = JSON.parse(readFileSync7(policyPath, "utf8"));
     return {
       ...defaults,
       ...custom,
@@ -2097,53 +2469,219 @@ function loadContextPolicy(cwd) {
   }
 }
 function isContextGovernedChange(changeDir) {
-  const tasksPath = join9(changeDir, "tasks.md");
-  if (!existsSync8(tasksPath))
+  const tasksPath = join10(changeDir, "tasks.md");
+  if (!existsSync9(tasksPath))
     return false;
-  return /^context-governance:\s*v1\b/m.test(readFileSync6(tasksPath, "utf8"));
+  return /^context-governance:\s*v1\b/m.test(readFileSync7(tasksPath, "utf8"));
+}
+var KNOWN_FRONTMATTER_KEYS = /* @__PURE__ */ new Set([
+  "change-id",
+  "status",
+  "tier",
+  "archive-tasks",
+  "context-governance",
+  "depends-on",
+  // Allowed but informational only:
+  "token-budget",
+  "created",
+  "completed"
+]);
+var VALID_TASK_STATUSES = /* @__PURE__ */ new Set(["in-progress", "completed", "complete", "done", "gate-blocked", "abandoned", "needs-review"]);
+function lintFrontmatter(content, errors, warnings) {
+  const fm = parseTaskFrontmatter(content);
+  if (!fm["change-id"]) {
+    errors.push("tasks.md frontmatter: missing required `change-id`");
+  }
+  if (!fm.status) {
+    errors.push("tasks.md frontmatter: missing required `status`");
+  } else if (!VALID_TASK_STATUSES.has(fm.status.toLowerCase())) {
+    errors.push(`tasks.md frontmatter: invalid status \`${fm.status}\` (expected one of: ${[...VALID_TASK_STATUSES].join(", ")})`);
+  }
+  if (fm.tier !== void 0 && fm.tier !== "") {
+    const n = parseInt(fm.tier, 10);
+    if (Number.isNaN(n) || n < 0 || n > 5) {
+      errors.push(`tasks.md frontmatter: invalid tier \`${fm.tier}\` (expected 0-5)`);
+    }
+  }
+  for (const key of Object.keys(fm)) {
+    if (!KNOWN_FRONTMATTER_KEYS.has(key)) {
+      const lower = key.toLowerCase();
+      const suggestion = KNOWN_FRONTMATTER_KEYS.has(lower) ? ` (did you mean \`${lower}\`?)` : "";
+      warnings.push(`tasks.md frontmatter: unknown key \`${key}\`${suggestion}`);
+    }
+  }
+}
+function parseTaskFrontmatter(content) {
+  const match = content.match(/^---\r?\n([\s\S]*?)\r?\n---/);
+  if (!match)
+    return {};
+  const out = {};
+  for (const line of match[1].split(/\r?\n/)) {
+    const colon = line.indexOf(":");
+    if (colon === -1)
+      continue;
+    const key = line.slice(0, colon).trim();
+    if (!key)
+      continue;
+    out[key] = line.slice(colon + 1).trim();
+  }
+  return out;
 }
-function parseDependsOn2(content) {
-  const lineMatch = content.match(/^depends-on:\s*(.+)$/m);
-  if (!lineMatch)
+function parseListField(raw) {
+  if (!raw)
     return [];
-  const raw = lineMatch[1].trim();
-  if (!raw || raw === "[]")
+  const trimmed = raw.trim();
+  if (!trimmed || trimmed === "[]")
     return [];
-  if (raw.startsWith("[") && raw.endsWith("]")) {
-    return raw.slice(1, -1).split(",").map((item) => item.trim()).filter(Boolean);
-  }
-  return raw.split(",").map((item) => item.trim()).filter(Boolean);
+  const inner = trimmed.startsWith("[") && trimmed.endsWith("]") ? trimmed.slice(1, -1) : trimmed;
+  return inner.split(",").map((item) => item.trim().replace(/^["']|["']$/g, "")).filter(Boolean);
+}
+function parseDependsOn2(content) {
+  return parseListField(parseTaskFrontmatter(content)["depends-on"]);
 }
 function parseTaskStatus(content) {
-  const match = content.match(/^status:\s*([a-zA-Z0-9_-]+)/m);
-  return match ? match[1].trim().toLowerCase() : "in-progress";
+  const fm = parseTaskFrontmatter(content);
+  return (fm.status ?? "in-progress").toLowerCase();
+}
+function resolveTier(changeDir) {
+  const classifPath = join10(changeDir, "change-classification.md");
+  const classificationPresent = existsSync9(classifPath);
+  const classificationText = classificationPresent ? readFileSync7(classifPath, "utf8") : "";
+  const classificationHasLooseMarker = classificationPresent && TIER_PATTERN.test(classificationText);
+  const tasksPath = join10(changeDir, "tasks.md");
+  if (existsSync9(tasksPath)) {
+    const fm = parseTaskFrontmatter(readFileSync7(tasksPath, "utf8"));
+    const raw = fm.tier;
+    if (raw && raw !== "") {
+      const n = parseInt(raw, 10);
+      if (!Number.isNaN(n) && n >= 0 && n <= 5) {
+        return { tier: n, source: "tasks-frontmatter", classificationPresent, classificationHasLooseMarker };
+      }
+    }
+  }
+  if (classificationPresent) {
+    const structured = classificationText.match(/^## Tier\s*\n\s*-\s*(\d)\s*$/m);
+    if (structured) {
+      const n = parseInt(structured[1], 10);
+      if (!Number.isNaN(n) && n >= 0 && n <= 5) {
+        return { tier: n, source: "classification-structured", classificationPresent, classificationHasLooseMarker };
+      }
+    }
+    const bold = classificationText.match(/\*\*Tier:\*\*\s*Tier\s*(\d)\b/i);
+    if (bold) {
+      const n = parseInt(bold[1], 10);
+      if (!Number.isNaN(n) && n >= 0 && n <= 5) {
+        return { tier: n, source: "classification-bold", classificationPresent, classificationHasLooseMarker };
+      }
+    }
+  }
+  return { tier: null, source: "none", classificationPresent, classificationHasLooseMarker };
+}
+var DEFAULT_ARCHIVE_TASKS = ["7.1", "7.2"];
+function getArchiveTaskIds(content) {
+  const fm = parseTaskFrontmatter(content);
+  const parsed = parseListField(fm["archive-tasks"]);
+  return parsed.length > 0 ? parsed : DEFAULT_ARCHIVE_TASKS;
+}
+function enforceTierRequirements(changeDir, agentLogDir, errors, warnings) {
+  const resolution = resolveTier(changeDir);
+  if (resolution.tier === null) {
+    if (resolution.classificationPresent && !resolution.classificationHasLooseMarker) {
+      errors.push(
+        "change-classification.md: missing tier marker. Set `tier: <0-5>` in tasks.md frontmatter (preferred) or include `## Tier\\n- N` in change-classification.md."
+      );
+    }
+    return;
+  }
+  if (resolution.source === "classification-bold") {
+    warnings.push(
+      "tier marker is bold-text only (legacy format); set `tier: <0-5>` in tasks.md frontmatter so tier-specific agent requirements are enforced."
+    );
+    return;
+  }
+  const tier = resolution.tier;
+  const agentLogFiles = agentLogDir && existsSync9(agentLogDir) ? readdirSync6(agentLogDir).map((f) => f.replace(".md", "")) : [];
+  if (tier <= 1) {
+    for (const required of ["e2e-resilience-engineer", "monkey-test-engineer", "stress-soak-engineer"]) {
+      if (!agentLogFiles.includes(required)) {
+        errors.push(`Tier ${tier} change requires agent-log/${required}.md (high-risk change \u2014 E2E/monkey/stress testing mandatory)`);
+      }
+    }
+  }
+  if (tier <= 3) {
+    for (const required of ["contract-reviewer", "qa-reviewer"]) {
+      if (!agentLogFiles.includes(required)) {
+        errors.push(`Tier ${tier} change requires agent-log/${required}.md`);
+      }
+    }
+  }
+  if (resolution.source === "tasks-frontmatter" && resolution.classificationPresent) {
+    const text = readFileSync7(join10(changeDir, "change-classification.md"), "utf8");
+    const structured = text.match(/^## Tier\s*\n\s*-\s*(\d)\s*$/m);
+    const bold = text.match(/\*\*Tier:\*\*\s*Tier\s*(\d)\b/i);
+    const classifTier = structured ? parseInt(structured[1], 10) : bold ? parseInt(bold[1], 10) : NaN;
+    if (!Number.isNaN(classifTier) && classifTier !== tier) {
+      warnings.push(
+        `tier mismatch: tasks.md frontmatter says ${tier}, change-classification.md says ${classifTier} (frontmatter wins; reconcile classification).`
+      );
+    }
+  }
 }
 function isArchivedChange(cwd, changeId) {
-  const archiveRoot = join9(cwd, "specs", "archive");
-  if (!existsSync8(archiveRoot))
+  const archiveRoot = join10(cwd, "specs", "archive");
+  if (!existsSync9(archiveRoot))
     return false;
-  const years = readdirSync5(archiveRoot, { withFileTypes: true }).filter((d) => d.isDirectory());
-  return years.some((year) => existsSync8(join9(archiveRoot, year.name, changeId)));
+  const years = readdirSync6(archiveRoot, { withFileTypes: true }).filter((d) => d.isDirectory());
+  return years.some((year) => existsSync9(join10(archiveRoot, year.name, changeId)));
+}
+function detectDependencyCycle(cwd, startChangeId) {
+  const visited = /* @__PURE__ */ new Set();
+  const stack = [];
+  function visit(id) {
+    if (stack.includes(id)) {
+      return [...stack.slice(stack.indexOf(id)), id];
+    }
+    if (visited.has(id))
+      return null;
+    visited.add(id);
+    stack.push(id);
+    const tasksPath = join10(cwd, "specs", "changes", id, "tasks.md");
+    if (existsSync9(tasksPath)) {
+      const deps = parseDependsOn2(readFileSync7(tasksPath, "utf8"));
+      for (const dep of deps) {
+        const found = visit(dep);
+        if (found)
+          return found;
+      }
+    }
+    stack.pop();
+    return null;
+  }
+  return visit(startChangeId);
 }
 function validateDependencies(cwd, changeId, changeDir) {
-  const tasksPath = join9(changeDir, "tasks.md");
-  if (!existsSync8(tasksPath))
+  const tasksPath = join10(changeDir, "tasks.md");
+  if (!existsSync9(tasksPath))
     return [];
-  const dependencies = parseDependsOn2(readFileSync6(tasksPath, "utf8"));
+  const dependencies = parseDependsOn2(readFileSync7(tasksPath, "utf8"));
   const errors = [];
+  const cycle = detectDependencyCycle(cwd, changeId);
+  if (cycle) {
+    errors.push(`depends-on cycle detected: ${cycle.join(" \u2192 ")}`);
+  }
   for (const dep of dependencies) {
     if (dep === changeId) {
       errors.push(`tasks.md: change cannot depend on itself (${dep})`);
       continue;
     }
-    const upstreamDir = join9(cwd, "specs", "changes", dep);
-    if (existsSync8(upstreamDir)) {
-      const upstreamTasks = join9(upstreamDir, "tasks.md");
-      if (!existsSync8(upstreamTasks)) {
+    const upstreamDir = join10(cwd, "specs", "changes", dep);
+    if (existsSync9(upstreamDir)) {
+      const upstreamTasks = join10(upstreamDir, "tasks.md");
+      if (!existsSync9(upstreamTasks)) {
         errors.push(`dependency ${dep}: missing tasks.md`);
         continue;
       }
-      const status = parseTaskStatus(readFileSync6(upstreamTasks, "utf8"));
+      const status = parseTaskStatus(readFileSync7(upstreamTasks, "utf8"));
       if (!["complete", "completed", "done"].includes(status)) {
         errors.push(`dependency ${dep}: upstream change is not completed (status: ${status})`);
       }
@@ -2200,9 +2738,10 @@ function parseFilesRead(content) {
 }
 async function gate(changeId, opts = {}) {
   const strict = opts.strict ?? false;
+  const lax = opts.lax ?? false;
   const cwd = process.cwd();
-  const changeDir = join9(cwd, "specs", "changes", changeId);
-  if (!existsSync8(changeDir)) {
+  const changeDir = join10(cwd, "specs", "changes", changeId);
+  if (!existsSync9(changeDir)) {
     log.error(`change not found: ${changeId} (looked in ${changeDir})`);
     process.exit(1);
   }
@@ -2210,13 +2749,13 @@ async function gate(changeId, opts = {}) {
   const warnings = [];
   const contextPolicy = loadContextPolicy(cwd);
   const isNewChange = isContextGovernedChange(changeDir);
-  const manifestPath = join9(changeDir, "context-manifest.md");
-  const hasManifest = existsSync8(manifestPath);
+  const manifestPath = join10(changeDir, "context-manifest.md");
+  const hasManifest = existsSync9(manifestPath);
   let allowedPaths = [];
   let approvedExpansions = [];
   errors.push(...validateDependencies(cwd, changeId, changeDir));
   if (hasManifest) {
-    const manifest = parseContextManifest(readFileSync6(manifestPath, "utf8"));
+    const manifest = parseContextManifest(readFileSync7(manifestPath, "utf8"));
     allowedPaths = manifest.allowedPaths;
     approvedExpansions = manifest.approvedExpansions;
     if (manifest.pendingExpansions > 0) {
@@ -2234,7 +2773,7 @@ async function gate(changeId, opts = {}) {
       }
       continue;
     }
-    if (!existsSync8(join9(changeDir, f))) {
+    if (!existsSync9(join10(changeDir, f))) {
       errors.push(`missing required artifact: ${f}`);
     }
   }
@@ -2242,24 +2781,31 @@ async function gate(changeId, opts = {}) {
     for (const f of REQUIRED_FILES) {
       if (f === "context-manifest.md" && !hasManifest)
         continue;
-      const content = readFileSync6(join9(changeDir, f), "utf8");
+      const content = readFileSync7(join10(changeDir, f), "utf8");
       const minChars = MIN_CHARS[f] ?? 100;
       if (meaningfulChars(content) < minChars) {
         errors.push(`${f}: appears to be a stub (< ${minChars} meaningful chars)`);
       }
     }
-    const classifPath = join9(changeDir, "change-classification.md");
-    if (existsSync8(classifPath)) {
-      const text = readFileSync6(classifPath, "utf8");
-      if (!TIER_PATTERN.test(text)) {
-        errors.push("change-classification.md: missing tier/risk marker (Tier 0-5 or low/medium/high/critical)");
-      }
-    }
-  }
-  const tasksPath = join9(changeDir, "tasks.md");
-  if (existsSync8(tasksPath)) {
-    const tasksContent = readFileSync6(tasksPath, "utf8");
-    const nonArchivePending = (tasksContent.match(/^\s*-\s*\[ \] (?!7\.[12])/gm) || []).length;
+    const classifPath = join10(changeDir, "change-classification.md");
+    const tierResolution = resolveTier(changeDir);
+    if (tierResolution.tier === null && existsSync9(classifPath) && !tierResolution.classificationHasLooseMarker) {
+      errors.push("change-classification.md: missing tier/risk marker (set tier in tasks.md frontmatter, or include Tier 0-5 / low|medium|high|critical in change-classification.md)");
+    }
+  }
+  const tasksPath = join10(changeDir, "tasks.md");
+  if (existsSync9(tasksPath)) {
+    const tasksContent = readFileSync7(tasksPath, "utf8");
+    lintFrontmatter(tasksContent, errors, warnings);
+    const archiveTaskIds = new Set(getArchiveTaskIds(tasksContent));
+    const pendingMatches = tasksContent.match(/^\s*-\s*\[ \]\s+([\d.]+)?[^\n]*/gm) || [];
+    const nonArchivePending = pendingMatches.filter((line) => {
+      const idMatch = line.match(/\[ \]\s+([\d.]+)/);
+      const id = idMatch?.[1];
+      if (!id)
+        return true;
+      return !archiveTaskIds.has(id);
+    }).length;
     if (nonArchivePending > 0) {
       if (strict) {
         errors.push(`${nonArchivePending} task(s) still pending (use [-] for N/A items, [x] for done). Run gate without --strict during development.`);
@@ -2268,11 +2814,11 @@ async function gate(changeId, opts = {}) {
       }
     }
   }
-  const agentLogDir = join9(changeDir, "agent-log");
-  if (existsSync8(agentLogDir)) {
-    const logFiles = readdirSync5(agentLogDir).filter((f) => f.endsWith(".md"));
+  const agentLogDir = join10(changeDir, "agent-log");
+  if (existsSync9(agentLogDir)) {
+    const logFiles = readdirSync6(agentLogDir).filter((f) => f.endsWith(".md"));
     for (const f of logFiles) {
-      const content = readFileSync6(join9(agentLogDir, f), "utf8");
+      const content = readFileSync7(join10(agentLogDir, f), "utf8");
       const filesRead = parseFilesRead(content);
       if (!filesRead.present) {
         if (contextPolicy.audit.requireFilesRead) {
@@ -2295,6 +2841,27 @@ async function gate(changeId, opts = {}) {
             errors.push(`agent-log/${f}: read unauthorized path -> ${pathRead} (not in allowed paths or approved expansions)`);
           }
         }
+        const runtimeLog = join10(cwd, ".cdd", "runtime", `${changeId}-files-read.jsonl`);
+        if (existsSync9(runtimeLog)) {
+          const runtimePaths = readFileSync7(runtimeLog, "utf8").split("\n").filter(Boolean).map((line) => {
+            try {
+              return JSON.parse(line).path;
+            } catch {
+              return void 0;
+            }
+          }).filter((p) => Boolean(p)).map((p) => p.replace(/\\/g, "/").replace(/^\.\//, ""));
+          const declared = new Set(filesRead.files);
+          const undeclared = runtimePaths.filter((p) => !declared.has(p));
+          if (undeclared.length > 0) {
+            const sample = undeclared.slice(0, 5).join(", ");
+            const more = undeclared.length > 5 ? ` (+${undeclared.length - 5} more)` : "";
+            const msg = `agent-log/${f}: runtime log shows ${undeclared.length} read(s) not declared in files-read: ${sample}${more}`;
+            if (strict)
+              errors.push(msg);
+            else
+              warnings.push(msg);
+          }
+        }
       }
       const statusMatch = content.match(/^\s*-\s*status:\s*(complete|needs-review|blocked)\s*$/m);
       if (!statusMatch) {
@@ -2308,7 +2875,7 @@ async function gate(changeId, opts = {}) {
           errors.push(`agent-log/${f}: status=blocked requires concrete "next-action:" line (>= 10 chars, not "none")`);
         }
       }
-      if (strict) {
+      if (!lax) {
         const artifactsMatch = content.match(/- artifacts:([\s\S]*?)(?:\n- |\n#|$)/);
         if (artifactsMatch) {
           const artifactLines = artifactsMatch[1].split("\n").filter((l) => l.trim().startsWith("-"));
@@ -2316,8 +2883,8 @@ async function gate(changeId, opts = {}) {
             const pointer = line.replace(/^\s*-\s*[\w-]+:\s*/, "").trim();
             const pathPart = pointer.split(":")[0];
             if (pathPart.includes("/") && !pointer.startsWith("http")) {
-              const abs = join9(cwd, pathPart);
-              if (!existsSync8(abs)) {
+              const abs = join10(cwd, pathPart);
+              if (!existsSync9(abs)) {
                 errors.push(`agent-log/${f}: artifact pointer not found: ${pathPart}`);
               }
             }
@@ -2325,48 +2892,9 @@ async function gate(changeId, opts = {}) {
         }
       }
     }
-    const classifPath = join9(changeDir, "change-classification.md");
-    if (existsSync8(classifPath)) {
-      const classificationContent = readFileSync6(classifPath, "utf8");
-      const tierMatch = classificationContent.match(/^## Tier\s*\n\s*-\s*(\d)\s*$/m);
-      const tier = tierMatch ? parseInt(tierMatch[1]) : null;
-      if (tier !== null) {
-        const agentLogFiles = readdirSync5(agentLogDir).map((f) => f.replace(".md", ""));
-        if (tier <= 1) {
-          for (const required of ["e2e-resilience-engineer", "monkey-test-engineer", "stress-soak-engineer"]) {
-            if (!agentLogFiles.includes(required)) {
-              errors.push(`Tier ${tier} change requires agent-log/${required}.md (high-risk change \u2014 E2E/monkey/stress testing mandatory)`);
-            }
-          }
-        }
-        if (tier <= 3) {
-          for (const required of ["contract-reviewer", "qa-reviewer"]) {
-            if (!agentLogFiles.includes(required)) {
-              errors.push(`Tier ${tier} change requires agent-log/${required}.md`);
-            }
-          }
-        }
-      }
-    }
+    enforceTierRequirements(changeDir, agentLogDir, errors, warnings);
   } else {
-    const classifPath = join9(changeDir, "change-classification.md");
-    if (existsSync8(classifPath)) {
-      const classificationContent = readFileSync6(classifPath, "utf8");
-      const tierMatch = classificationContent.match(/^## Tier\s*\n\s*-\s*(\d)\s*$/m);
-      const tier = tierMatch ? parseInt(tierMatch[1]) : null;
-      if (tier !== null) {
-        if (tier <= 1) {
-          for (const required of ["e2e-resilience-engineer", "monkey-test-engineer", "stress-soak-engineer"]) {
-            errors.push(`Tier ${tier} change requires agent-log/${required}.md (high-risk change \u2014 E2E/monkey/stress testing mandatory)`);
-          }
-        }
-        if (tier <= 3) {
-          for (const required of ["contract-reviewer", "qa-reviewer"]) {
-            errors.push(`Tier ${tier} change requires agent-log/${required}.md`);
-          }
-        }
-      }
-    }
+    enforceTierRequirements(changeDir, null, errors, warnings);
   }
   for (const w of warnings) {
     log.warn(`  ${w}`);
@@ -2379,12 +2907,10 @@ async function gate(changeId, opts = {}) {
     process.exit(1);
   }
   log.info(`gate: running contract validators for ${changeId}\u2026`);
-  const r = spawnSync2(process.execPath, [process.argv[1], "validate", "--contracts", "--env", "--ci", "--versions"], {
-    cwd,
-    stdio: "inherit"
-  });
-  if (r.status !== 0) {
-    log.error(`gate failed for change: ${changeId} (validators returned non-zero)`);
+  try {
+    await validate({ contracts: true, env: true, ci: true, spec: false, versions: true });
+  } catch (err) {
+    log.error(`gate failed for change: ${changeId} (validators threw): ${err.message}`);
     process.exit(1);
   }
   for (const w of warnings) {
@@ -2396,26 +2922,26 @@ async function gate(changeId, opts = {}) {
 // src/commands/install-hooks.ts
 init_paths();
 init_logger();
-import { existsSync as existsSync9, readFileSync as readFileSync7, writeFileSync as writeFileSync3, chmodSync, mkdirSync as mkdirSync3 } from "fs";
-import { join as join10 } from "path";
+import { existsSync as existsSync10, readFileSync as readFileSync8, writeFileSync as writeFileSync4, chmodSync, mkdirSync as mkdirSync4 } from "fs";
+import { join as join11 } from "path";
 var START_MARKER = "# cdd-kit-managed-block-start";
 var END_MARKER = "# cdd-kit-managed-block-end";
 async function installHooks() {
   const cwd = process.cwd();
-  const gitDir = join10(cwd, ".git");
-  if (!existsSync9(gitDir)) {
+  const gitDir = join11(cwd, ".git");
+  if (!existsSync10(gitDir)) {
     log.error("not a git repository (no .git/ found in cwd)");
     process.exit(1);
   }
-  const hooksDir = join10(gitDir, "hooks");
-  mkdirSync3(hooksDir, { recursive: true });
-  const dest = join10(hooksDir, "pre-commit");
-  const ourHook = readFileSync7(join10(ASSET.hooks, "pre-commit"), "utf8");
+  const hooksDir = join11(gitDir, "hooks");
+  mkdirSync4(hooksDir, { recursive: true });
+  const dest = join11(hooksDir, "pre-commit");
+  const ourHook = readFileSync8(join11(ASSET.hooks, "pre-commit"), "utf8");
   let final;
-  if (!existsSync9(dest)) {
+  if (!existsSync10(dest)) {
     final = ourHook;
   } else {
-    const existing = readFileSync7(dest, "utf8");
+    const existing = readFileSync8(dest, "utf8");
     const startIdx = existing.indexOf(START_MARKER);
     const endIdx = existing.indexOf(END_MARKER);
     if (startIdx >= 0 && endIdx > startIdx) {
@@ -2439,7 +2965,7 @@ async function installHooks() {
       }
     }
   }
-  writeFileSync3(dest, final, "utf8");
+  writeFileSync4(dest, final, "utf8");
   try {
     chmodSync(dest, 493);
   } catch {
@@ -2450,7 +2976,7 @@ async function installHooks() {
 
 // src/cli/index.ts
 var __dirname2 = dirname5(fileURLToPath2(import.meta.url));
-var pkg = JSON.parse(readFileSync15(join19(__dirname2, "..", "..", "package.json"), "utf8"));
+var pkg = JSON.parse(readFileSync16(join19(__dirname2, "..", "..", "package.json"), "utf8"));
 var program = new Command();
 program.name("cdd-kit").description("Contract-Driven Delivery Kit CLI").version(pkg.version);
 program.command("init").description(
@@ -2464,9 +2990,9 @@ program.command("init").description(
   })
 );
 program.command("update").description("Update provider assets for the current project (does not overwrite project guidance files)").option("--yes", "Apply changes (default is dry-run)", false).option("--provider <provider>", "Provider adapter to update: auto, claude, codex, or both", "auto").action((opts) => update({ yes: opts.yes, provider: opts.provider }));
-program.command("doctor").description("Inspect cdd-kit repo health, provider guidance, and context index freshness").option("--strict", "Treat warnings as errors", false).option("--json", "Print a machine-readable health report", false).option("--provider <provider>", "Provider adapter to inspect: auto, claude, codex, or both", "auto").action(async (opts) => {
+program.command("doctor").description("Inspect cdd-kit repo health, provider guidance, and context index freshness").option("--strict", "Treat warnings as errors", false).option("--json", "Print a machine-readable health report", false).option("--provider <provider>", "Provider adapter to inspect: auto, claude, codex, or both", "auto").option("--fix", "Auto-resolve safe warnings (stale context indexes, missing role bindings)", false).action(async (opts) => {
   const { doctor: doctor2 } = await Promise.resolve().then(() => (init_doctor(), doctor_exports));
-  await doctor2({ strict: opts.strict, json: opts.json, provider: opts.provider });
+  await doctor2({ strict: opts.strict, json: opts.json, provider: opts.provider, fix: opts.fix });
 });
 program.command("upgrade").description("Add missing cdd-kit repo-level files without overwriting existing project files").option("--yes", "Apply changes (default is dry-run)", false).option("--migrate-changes", "Also migrate existing specs/changes/* directories", false).option("--enable-context-governance", "When migrating changes, opt them into context-governance: v1", false).option("--provider <provider>", "Provider adapter to scaffold: auto, claude, codex, or both", "auto").action(async (opts) => {
   const { upgrade: upgrade2 } = await Promise.resolve().then(() => (init_upgrade(), upgrade_exports));
@@ -2477,8 +3003,8 @@ program.command("upgrade").description("Add missing cdd-kit repo-level files wit
     provider: opts.provider
   });
 });
-program.command("new <name>").description("Scaffold a new change directory under specs/changes/<name>").option("--all", "Include optional templates in addition to required ones", false).option("--force", "Overwrite existing template files in the change folder", false).option("--depends-on <change-ids>", "Comma-separated upstream change ids that must complete first").action(
-  (name, opts) => newChange(name, { all: opts.all, force: opts.force, dependsOn: opts.dependsOn })
+program.command("new <name>").description("Scaffold a new change directory under specs/changes/<name>").option("--all", "Include optional templates in addition to required ones", false).option("--force", "Overwrite existing template files in the change folder", false).option("--depends-on <change-ids>", "Comma-separated upstream change ids that must complete first").option("--skip-scan", "Skip the auto context-scan when indexes are stale (advanced)", false).action(
+  (name, opts) => newChange(name, { all: opts.all, force: opts.force, dependsOn: opts.dependsOn, skipScan: opts.skipScan })
 );
 program.command("validate").description("Run validation scripts (defaults to all)").option("--contracts", "Validate API/data/CSS contracts (use --env separately for env)", false).option("--env", "Validate env contract", false).option("--ci", "Validate CI gate policy", false).option("--spec", "Validate spec traceability", false).option("--versions", "Validate contract frontmatter and version bumps", false).action(
   (opts) => validate({
@@ -2489,8 +3015,8 @@ program.command("validate").description("Run validation scripts (defaults to all
     versions: opts.versions
   })
 );
-program.command("gate <change-id>").description("Run full orchestration gate for a change (required artifacts, content, tier, contracts)").option("--strict", "Treat pending tasks (except section 7) as errors, and validate artifact pointers", false).action(async (id, opts) => {
-  await gate(id, { strict: opts.strict });
+program.command("gate <change-id>").description("Run full orchestration gate for a change (required artifacts, content, tier, contracts)").option("--strict", "Treat pending tasks (except section 7) as errors, and treat runtime/declared files-read drift as errors", false).option("--lax", "Skip artifact-pointer existence check (for legacy repos with stale logs)", false).action(async (id, opts) => {
+  await gate(id, { strict: opts.strict, lax: opts.lax });
 });
 program.command("archive <change-id>").description("Move a completed change from specs/changes/ to specs/archive/<year>/").action(async (changeId) => {
   const { archive: archive2 } = await Promise.resolve().then(() => (init_archive(), archive_exports));
@@ -2500,9 +3026,14 @@ program.command("abandon <change-id>").description("Mark a change as abandoned (
   const { abandon: abandon2 } = await Promise.resolve().then(() => (init_abandon(), abandon_exports));
   await abandon2(changeId, opts);
 });
-program.command("migrate [change-id]").description("Upgrade existing change directories to the current cdd-kit format (tasks.md frontmatter + tier format)").option("--all", "Migrate all changes in specs/changes/", false).option("--dry-run", "Show what would change without writing files", false).option("--enable-context-governance", "Opt legacy changes into context-governance: v1 hard gate behavior", false).action(async (changeId, opts = {}) => {
+program.command("migrate [change-id]").description("Upgrade existing change directories to the current cdd-kit format (tasks.md frontmatter + tier format)").option("--all", "Migrate all changes in specs/changes/", false).option("--dry-run", "Show what would change without writing files", false).option("--enable-context-governance", "Opt legacy changes into context-governance: v1 hard gate behavior", false).option("--no-backup", "Skip the per-session backup at .cdd/migrate-backup/<stamp>/ (not recommended)").action(async (changeId, opts = {}) => {
   const { migrate: migrate2 } = await Promise.resolve().then(() => (init_migrate(), migrate_exports));
-  await migrate2(changeId, opts);
+  await migrate2(changeId, {
+    all: opts.all,
+    dryRun: opts.dryRun,
+    enableContextGovernance: opts.enableContextGovernance,
+    noBackup: opts.backup === false
+  });
 });
 program.command("list").description("List active changes in specs/changes/").action(async () => {
   const { listChanges: listChanges2 } = await Promise.resolve().then(() => (init_list_changes(), list_changes_exports));
@@ -2524,22 +3055,46 @@ program.command("detect-stack").description("Detect the project tech stack and p
     );
   }
 });
-program.command("context-scan").description("Deterministically scan project context and generate specs/context maps").action(async () => {
+program.command("context-scan").description("Deterministically scan project context and generate specs/context maps").option("--surface <path>", "Limit project-map tree to a sub-directory (e.g. --surface src/server)").action(async (opts) => {
   const { contextScan: contextScan2 } = await Promise.resolve().then(() => (init_context_scan(), context_scan_exports));
-  await contextScan2();
+  await contextScan2({ surface: opts.surface });
 });
 var context = program.command("context").description("Manage context governance manifests");
 context.command("request <change-id> <request-id>").description("Record a new pending Context Expansion Request").requiredOption("--path <paths...>", "Repo-relative path(s) requested by the agent").option("--reason <text>", "Reason the extra context is required").action(async (changeId, requestId, opts) => {
   const { requestContextExpansion: requestContextExpansion2 } = await Promise.resolve().then(() => (init_context(), context_exports));
   await requestContextExpansion2(changeId, requestId, opts.path, opts.reason);
 });
-context.command("approve <change-id> <request-id>").description("Approve a pending Context Expansion Request and add its paths to Approved Expansions").action(async (changeId, requestId) => {
-  const { approveContextExpansion: approveContextExpansion2 } = await Promise.resolve().then(() => (init_context(), context_exports));
-  await approveContextExpansion2(changeId, requestId);
+context.command("approve <change-id> [request-id]").description("Approve a pending Context Expansion Request (or all with --all-pending)").option("--all-pending", "Approve every pending Context Expansion Request for this change", false).action(async (changeId, requestId, opts) => {
+  const { approveContextExpansion: approveContextExpansion2, approveAllPending: approveAllPending2 } = await Promise.resolve().then(() => (init_context(), context_exports));
+  if (opts.allPending) {
+    if (requestId) {
+      console.error("--all-pending cannot be combined with a request-id");
+      process.exit(1);
+    }
+    await approveAllPending2(changeId);
+  } else {
+    if (!requestId) {
+      console.error("request-id is required (or pass --all-pending)");
+      process.exit(1);
+    }
+    await approveContextExpansion2(changeId, requestId);
+  }
 });
-context.command("reject <change-id> <request-id>").description("Reject a pending Context Expansion Request").action(async (changeId, requestId) => {
-  const { rejectContextExpansion: rejectContextExpansion2 } = await Promise.resolve().then(() => (init_context(), context_exports));
-  await rejectContextExpansion2(changeId, requestId);
+context.command("reject <change-id> [request-id]").description("Reject a pending Context Expansion Request (or all with --all-pending)").option("--all-pending", "Reject every pending Context Expansion Request for this change", false).action(async (changeId, requestId, opts) => {
+  const { rejectContextExpansion: rejectContextExpansion2, rejectAllPending: rejectAllPending2 } = await Promise.resolve().then(() => (init_context(), context_exports));
+  if (opts.allPending) {
+    if (requestId) {
+      console.error("--all-pending cannot be combined with a request-id");
+      process.exit(1);
+    }
+    await rejectAllPending2(changeId);
+  } else {
+    if (!requestId) {
+      console.error("request-id is required (or pass --all-pending)");
+      process.exit(1);
+    }
+    await rejectContextExpansion2(changeId, requestId);
+  }
 });
 context.command("list <change-id>").description("List Context Expansion Requests for a change").option("--json", "Print machine-readable JSON", false).action(async (changeId, opts) => {
   const { listContextExpansions: listContextExpansions2 } = await Promise.resolve().then(() => (init_context(), context_exports));