create-claude-cabinet 0.28.0 → 0.29.0

package/README.md

@@ -90,6 +90,16 @@ few sessions, or before a release) to get a full review from every
 relevant member. You don't need to audit every session. The cabinet
 waits until called.
 
+Each member is also a registered **agent type** — invoke any member
+directly with `@cabinet-security`, `@cabinet-architecture`, etc.
+
+When the Workflow tool is available, `/audit` runs a **deliberative
+workflow**: Stage-1 members investigate, then Stage-2 critics
+(anti-confirmation, QA, architecture) annotate findings — challenging
+assumptions, adding context, or confirming. Findings arrive to triage
+with the debate already attached. Optional `--rebuttal` mode lets
+challenged members respond before triage.
+
 Members are organized into **committees** — groups by concern, so you
 can convene just the experts you need. Security review? Convene the
 security committee. Performance concerns? Just the speed committee.
@@ -235,6 +245,8 @@ source code.
 │                    #   (incl. pib-db-access.md, pib-db-triggers.md)
 ├── briefing/        # project briefing templates
 ├── hooks/           # git guardrails, telemetry
+├── agents/          # generated agent-type wrappers (enables @cabinet-*)
+├── workflows/       # deliberative-audit.js (two-stage audit workflow)
 ├── rules/           # enforcement pipeline
 ├── memory/          # pattern templates
 └── settings.json    # hook configuration

package/lib/cli.js

@@ -546,6 +546,7 @@ const MODULES = {
       'scripts/triage-server.mjs', 'scripts/triage-ui.html',
       'scripts/finding-schema.json', 'scripts/resolve-committees.cjs',
       'scripts/review-server.mjs', 'scripts/review-ui.html',
+      'workflows/deliberative-audit.js', 'cabinet/critique-contract.md',
     ],
   },
   'lifecycle': {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "create-claude-cabinet",
-  "version": "0.28.0",
+  "version": "0.29.0",
   "description": "Claude Cabinet — opinionated process scaffolding for Claude Code projects",
   "bin": {
     "create-claude-cabinet": "bin/create-claude-cabinet.js"

package/templates/cabinet/critique-contract.md

@@ -0,0 +1,63 @@
+# Critique Contract — Stage-2 Audit Output
+
+This contract defines how **Stage-2 critics** annotate Stage-1 findings
+during a deliberative audit. Stage-1 members produce findings (see
+`output-contract.md`). Stage-2 members review those findings through
+their domain lens and produce annotations.
+
+## Input
+
+You receive a JSON array of findings from Stage-1 members. Each finding
+has the fields defined in `output-contract.md`: id, cabinet-member,
+severity, title, description, evidence, etc.
+
+## Your Task
+
+Review each finding through your domain lens. For findings that touch
+your expertise, produce an annotation. For findings outside your domain,
+stay silent — silence means "no objection from my perspective."
+
+Default to no annotation. Only speak when you have something to add:
+a factual correction, a challenge to an assumption, supporting evidence,
+or additional context that changes how the finding should be interpreted.
+
+## Annotation Types
+
+| Type | When to use | Example |
+|------|------------|---------|
+| `challenge` | You disagree with the finding's conclusion or severity | "This input is already escaped by the ORM — the vulnerability described doesn't exist in the current implementation" |
+| `support` | You have independent evidence confirming the finding | "The audit log also replicates to analytics DB — blast radius is wider than stated" |
+| `context` | Additional information that changes interpretation | "This coupling is intentional — it's the auth boundary described in the architecture doc" |
+| `correction` | A factual error in the finding | "The file path referenced was renamed in commit abc123 — the actual location is..." |
+
+## Output Format
+
+Return a JSON object matching this schema:
+
+```json
+{
+  "annotations": [
+    {
+      "findingId": "security-0001",
+      "type": "challenge",
+      "text": "Your annotation here",
+      "severitySuggestion": "info"
+    }
+  ]
+}
+```
+
+Fields:
+- **findingId** (required): the `id` of the Stage-1 finding you're annotating
+- **type** (required): one of `challenge`, `support`, `context`, `correction`
+- **text** (required): your annotation — be specific and cite evidence
+- **severitySuggestion** (optional): if you think the severity should change,
+  suggest the new level. Omit if the current severity is appropriate.
+
+## Scope Rules
+
+- Annotate only findings that intersect your domain expertise.
+- You may annotate findings from any Stage-1 member, not just your own domain.
+- Do not produce new findings — that's Stage 1's job.
+- Do not repeat or rephrase a finding. Add to it or challenge it.
+- If two findings contradict each other, annotate both to surface the tension.

package/templates/cabinet/output-contract.md

@@ -146,3 +146,22 @@ Return valid JSON matching `scripts/finding-schema.json`.
 
 Your response must be ONLY the JSON object — no markdown fences, no
 commentary outside the JSON.
+
+## Deliberation Fields (Two-Stage Audit)
+
+When the audit runs in two-stage deliberative mode, findings may acquire
+additional fields after initial creation:
+
+- `status` — Set during deliberation. Values: `upheld` (no challenges),
+  `challenged` (critic disagreed), `modified` (author accepted critique),
+  `withdrawn` (author conceded), `rebutted` (author defended).
+- `annotations[]` — Array of Stage-2 critic annotations. Each has
+  `cabinet-member`, `type` (challenge/support/context/correction),
+  `text`, and optional `severity-suggestion`.
+- `rebuttal` — The original author's response to challenges. Has
+  `response` (withdraw/modify/defend) and `comment`.
+
+**Stage-1 members:** Emit findings as normal using the schema above.
+These deliberation fields are added later by the workflow.
+
+**Stage-2 members:** Use `critique-contract.md` instead of this file.

package/templates/scripts/finding-schema.json

@@ -75,6 +75,55 @@
             "type": "array",
             "items": { "type": "string" },
             "description": "Categorization tags for filtering"
+          },
+          "status": {
+            "type": "string",
+            "enum": ["upheld", "challenged", "modified", "withdrawn", "rebutted"],
+            "description": "Set during Stage 2/3 deliberation. Absent for single-stage audits."
+          },
+          "annotations": {
+            "type": "array",
+            "items": {
+              "type": "object",
+              "required": ["cabinet-member", "type", "text"],
+              "properties": {
+                "cabinet-member": {
+                  "type": "string",
+                  "description": "Stage-2 critic who made this annotation"
+                },
+                "type": {
+                  "type": "string",
+                  "enum": ["challenge", "support", "context", "correction"],
+                  "description": "challenge = disagrees, support = confirms, context = adds info, correction = factual fix"
+                },
+                "text": {
+                  "type": "string",
+                  "description": "The annotation content"
+                },
+                "severity-suggestion": {
+                  "type": "string",
+                  "enum": ["critical", "warn", "info", "idea"],
+                  "description": "Critic's suggested severity change, if any"
+                }
+              }
+            },
+            "description": "Stage-2 critic annotations from deliberative audit. Absent for single-stage audits."
+          },
+          "rebuttal": {
+            "type": "object",
+            "properties": {
+              "response": {
+                "type": "string",
+                "enum": ["withdraw", "modify", "defend"],
+                "description": "Stage-1 member's response to challenges"
+              },
+              "comment": {
+                "type": "string",
+                "description": "Explanation of the response"
+              }
+            },
+            "required": ["response", "comment"],
+            "description": "Stage-1 member's response to Stage-2 challenges (opt-in rebuttal mode). Absent when no rebuttal requested or finding was not challenged."
           }
         }
       }

package/templates/scripts/merge-findings.js

@@ -90,23 +90,32 @@ for (const file of files) {
 const timestamp = new Date().toISOString();
 const runId = `run-${basename(runDir)}`;
 
-const summary = {
-  findings: allFindings,
-  meta: {
-    runId,
-    timestamp,
-    trigger: 'manual',
-    members: Object.keys(memberCounts),
-    counts: {
-      total: allFindings.length,
-      findings: allFindings.length - positiveCount,
-      positive: positiveCount,
-      ...severityCounts,
-    },
-    byMember: memberCounts,
+const meta = {
+  runId,
+  timestamp,
+  trigger: 'manual',
+  members: Object.keys(memberCounts),
+  counts: {
+    total: allFindings.length,
+    findings: allFindings.length - positiveCount,
+    positive: positiveCount,
+    ...severityCounts,
   },
+  byMember: memberCounts,
 };
 
+if (allFindings.some(f => f.annotations && f.annotations.length > 0)) {
+  meta.deliberation = {
+    annotatedCount: allFindings.filter(f => f.annotations && f.annotations.length > 0).length,
+    challengedCount: allFindings.filter(f => f.status === 'challenged' || f.status === 'rebutted').length,
+    upheldCount: allFindings.filter(f => f.status === 'upheld').length,
+    withdrawnCount: allFindings.filter(f => f.status === 'withdrawn').length,
+    modifiedCount: allFindings.filter(f => f.status === 'modified').length,
+  };
+}
+
+const summary = { findings: allFindings, meta };
+
 const summaryPath = join(runDir, 'run-summary.json');
 writeFileSync(summaryPath, JSON.stringify(summary, null, 2));
 console.log(`\nMerged ${allFindings.length} findings → ${summaryPath}`);

package/templates/scripts/pib-db-lib.mjs

@@ -285,21 +285,44 @@ export function ingestFindings(db, { runDir }) {
     VALUES (?, ?, ?, ?, ?)
   `).run(runId, dateStr, timestamp, data.meta?.trigger || 'manual', data.findings?.length || 0);
 
-  const insert = db.prepare(`
-    INSERT OR REPLACE INTO audit_findings
-      (id, run_id, cabinet_member, severity, title, description, assumption,
-       evidence, question, file, line, suggested_fix, auto_fixable, type)
-    VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
-  `);
+  // Try the full INSERT with deliberation columns first; fall back to the
+  // legacy shape for existing databases that haven't added them yet.
+  let insert;
+  let hasDeliberationCols = true;
+  try {
+    insert = db.prepare(`
+      INSERT OR REPLACE INTO audit_findings
+        (id, run_id, cabinet_member, severity, title, description, assumption,
+         evidence, question, file, line, suggested_fix, auto_fixable, type,
+         status, annotations, rebuttal)
+      VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+    `);
+  } catch {
+    hasDeliberationCols = false;
+    insert = db.prepare(`
+      INSERT OR REPLACE INTO audit_findings
+        (id, run_id, cabinet_member, severity, title, description, assumption,
+         evidence, question, file, line, suggested_fix, auto_fixable, type)
+      VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+    `);
+  }
 
   let count = 0;
   for (const f of (data.findings || [])) {
-    insert.run(
+    const base = [
       f.id, runId, f['cabinet-member'], f.severity, f.title,
       f.description || null, f.assumption || null, f.evidence || null,
       f.question || null, f.file || null, f.line || null,
       f.suggestedFix || null, f.autoFixable ? 1 : 0, f.type || 'finding'
-    );
+    ];
+    if (hasDeliberationCols) {
+      base.push(
+        f.status || null,
+        f.annotations ? JSON.stringify(f.annotations) : null,
+        f.rebuttal ? JSON.stringify(f.rebuttal) : null
+      );
+    }
+    insert.run(...base);
     count++;
   }
   return { count, runId, message: `Ingested ${count} findings from ${runDir} (run: ${runId})` };

package/templates/scripts/pib-db-schema.sql

@@ -66,7 +66,11 @@ CREATE TABLE IF NOT EXISTS audit_findings (
                         CHECK(triage_status IN ('open','approved','rejected','deferred','fixed','archived')),
   triage_notes        TEXT,
   triaged_at          TEXT,
-  fix_description     TEXT
+  fix_description     TEXT,
+  -- Deliberation fields (two-stage audit). Absent for single-stage audits.
+  status              TEXT CHECK(status IS NULL OR status IN ('upheld','challenged','modified','withdrawn','rebutted')),
+  annotations         TEXT,  -- JSON array of Stage-2 critic annotations
+  rebuttal            TEXT   -- JSON object: Stage-1 member's response to challenges
 );
 
 -- Append-only history of trigger-condition evaluations.

package/templates/scripts/triage-ui.html

@@ -63,11 +63,17 @@
 
     /* Finding rows */
     .finding {
-      padding: 10px 14px;
+      padding: 10px 14px 10px 18px;
       border-top: 1px solid #2c2e33;
+      border-left: 4px solid transparent;
       transition: background 0.1s;
     }
     .finding:hover { background: #25262b; }
+    .finding[data-status="challenged"] { border-left-color: #e03131; background: #1e1a1a; }
+    .finding[data-status="rebutted"]   { border-left-color: #7048e8; background: #1a1820; }
+    .finding[data-status="upheld"]     { border-left-color: #2b8a3e; }
+    .finding[data-status="modified"]   { border-left-color: #f08c00; }
+    .finding[data-status="withdrawn"]  { border-left-color: #868e96; }
     .finding-top {
       display: flex;
       align-items: flex-start;
@@ -93,11 +99,119 @@
     .finding-id { color: #5c5f66; font-size: 11px; font-family: monospace; flex-shrink: 0; }
 
     .commentary {
-      color: #909296;
+      color: #c1c2c5;
+      font-size: 13px;
+      margin: 6px 0 8px 0;
+      padding: 0;
+      line-height: 1.6;
+    }
+
+    .finding-detail {
+      margin: 6px 0;
+      padding: 8px 10px;
+      background: #1a1b1e;
+      border-radius: 4px;
       font-size: 12px;
-      margin: 4px 0 8px 0;
-      padding-left: 2px;
       line-height: 1.6;
+      color: #c1c2c5;
+    }
+    .finding-detail p { margin: 0 0 6px 0; }
+    .finding-detail p:last-child { margin-bottom: 0; }
+    .detail-label {
+      color: #909296;
+      font-size: 11px;
+      font-weight: 600;
+      text-transform: uppercase;
+      letter-spacing: 0.5px;
+      margin-bottom: 2px;
+    }
+    .detail-section { margin-bottom: 8px; }
+    .detail-section:last-child { margin-bottom: 0; }
+    .detail-fix {
+      border-left: 2px solid #2b8a3e;
+      padding-left: 8px;
+      margin-top: 4px;
+    }
+    .detail-question {
+      border-left: 2px solid #f08c00;
+      padding-left: 8px;
+      margin-top: 4px;
+      font-style: italic;
+    }
+    .annotation {
+      margin: 6px 0 6px 20px;
+      padding: 7px 12px;
+      border-left: 3px solid;
+      border-radius: 0 4px 4px 0;
+      background: #1e1f22;
+      font-size: 12px;
+      line-height: 1.5;
+      color: #c1c2c5;
+    }
+    .annotation.ann-type-challenge  { border-left-color: #e03131; }
+    .annotation.ann-type-support    { border-left-color: #2b8a3e; }
+    .annotation.ann-type-context    { border-left-color: #1c7ed6; }
+    .annotation.ann-type-correction { border-left-color: #f08c00; }
+    .annotation-header {
+      display: flex;
+      gap: 6px;
+      align-items: center;
+      margin-bottom: 2px;
+      font-size: 11px;
+    }
+    .annotation-member { color: #909296; font-family: monospace; }
+    .ann-badge {
+      padding: 1px 5px;
+      border-radius: 3px;
+      font-size: 10px;
+      font-weight: 600;
+      text-transform: uppercase;
+    }
+    .ann-challenge { background: #e03131; color: #fff; }
+    .ann-support { background: #2b8a3e; color: #fff; }
+    .ann-context { background: #1c7ed6; color: #fff; }
+    .ann-correction { background: #f08c00; color: #fff; }
+    .finding-rebuttal {
+      margin: 6px 0 6px 40px;
+      padding: 7px 12px;
+      border-left: 3px solid #7048e8;
+      border-radius: 0 4px 4px 0;
+      background: #1e1f22;
+      font-size: 12px;
+      color: #c1c2c5;
+    }
+    .rebuttal-header { color: #7048e8; font-size: 11px; font-weight: 600; margin-bottom: 2px; }
+    .status-badge {
+      padding: 1px 5px;
+      border-radius: 3px;
+      font-size: 10px;
+      font-weight: 600;
+      margin-left: 6px;
+    }
+    .status-challenged { background: #e03131; color: #fff; }
+    .status-upheld { background: #2b8a3e; color: #fff; }
+    .status-modified { background: #f08c00; color: #fff; }
+    .status-withdrawn { background: #868e96; color: #fff; }
+    .status-rebutted { background: #7048e8; color: #fff; }
+    .annotation-section-label {
+      color: #5c5f66;
+      font-size: 11px;
+      font-weight: 600;
+      text-transform: uppercase;
+      letter-spacing: 0.5px;
+      margin: 8px 0 4px 16px;
+    }
+    .no-objections {
+      color: #5c5f66;
+      font-size: 11px;
+      font-style: italic;
+      margin: 6px 0 2px 16px;
+      padding: 4px 0;
+    }
+    .critique-zone {
+      margin-top: 10px;
+      padding-top: 10px;
+      border-top: 1px dashed #2c2e33;
     }
 
     .controls {
@@ -398,12 +512,15 @@
         group.className = 'member-group';
 
         // Header
+        const challenged = items.filter(f => f.status === 'challenged' || f.status === 'rebutted').length;
+
         const header = document.createElement('div');
         header.className = 'member-header';
         header.innerHTML = `
           <span class="member-name">${member} (${items.length})</span>
           <span class="member-stats">
             ${triaged}/${items.length} triaged
+            ${challenged ? ` · <span style="color:#e03131">${challenged} contested</span>` : ''}
           </span>
         `;
         header.addEventListener('click', () => {
@@ -418,15 +535,71 @@
         items.forEach(f => {
           const row = document.createElement('div');
           row.className = 'finding';
+          if (f.status) row.dataset.status = f.status;
           const v = verdicts[f.id]?.verdict || '';
 
+          // --- Finding detail section ---
+          const detailParts = [];
+          if (f.description) {
+            detailParts.push(`<div class="detail-section"><div class="detail-label">Description</div><p>${esc(f.description)}</p></div>`);
+          }
+          if (f.evidence) {
+            detailParts.push(`<div class="detail-section"><div class="detail-label">Evidence</div><p>${esc(f.evidence)}</p></div>`);
+          }
+          if (f.assumption) {
+            detailParts.push(`<div class="detail-section"><div class="detail-label">Assumption</div><p>${esc(f.assumption)}</p></div>`);
+          }
+          if (f.question) {
+            detailParts.push(`<div class="detail-section"><div class="detail-label">Open question</div><div class="detail-question">${esc(f.question)}</div></div>`);
+          }
+          if (f.suggestedFix) {
+            detailParts.push(`<div class="detail-section"><div class="detail-label">Suggested fix</div><div class="detail-fix">${esc(f.suggestedFix)}</div></div>`);
+          }
+          if (f.file) {
+            detailParts.push(`<div class="detail-section"><div class="detail-label">Location</div><p>${esc(f.file)}${f.line ? ':' + f.line : ''}</p></div>`);
+          }
+          const detailHtml = detailParts.length > 0
+            ? `<div class="finding-detail">${detailParts.join('')}</div>`
+            : '';
+
+          // --- Annotations section ---
+          const anns = f.annotations || [];
+          let annHtml = '';
+          if (anns.length > 0) {
+            annHtml = `<div class="annotation-section-label">Stage-2 critique (${anns.length})</div>` +
+              anns.map(a => `
+              <div class="annotation ann-type-${a.type || 'context'}">
+                <div class="annotation-header">
+                  <span class="annotation-member">${esc(a['cabinet-member'] || '')}</span>
+                  <span class="ann-badge ann-${a.type || 'context'}">${esc(a.type || 'context')}</span>
+                  ${a['severity-suggestion'] ? `<span class="badge badge-${a['severity-suggestion']}">→ ${esc(a['severity-suggestion'])}</span>` : ''}
+                </div>
+                ${esc(a.text || '')}
+              </div>`).join('');
+          } else if (f.status === 'upheld') {
+            const allAnns = findings.flatMap(ff => (ff.annotations || []).map(a => a['cabinet-member']));
+            const critics = [...new Set(allAnns)];
+            const criticList = critics.length > 0 ? critics.join(', ') : 'Stage-2 critics';
+            annHtml = `<div class="no-objections">Reviewed by ${esc(criticList)} — no objections</div>`;
+          }
+
+          const rebHtml = f.rebuttal ? `
+            <div class="annotation-section-label">Author response</div>
+            <div class="finding-rebuttal">
+              <div class="rebuttal-header">${esc(f['cabinet-member'])} — ${esc(f.rebuttal.response)}</div>
+              ${esc(f.rebuttal.comment || '')}
+            </div>` : '';
+          const statusHtml = f.status ? `<span class="status-badge status-${f.status}">${esc(f.status)}</span>` : '';
+
           row.innerHTML = `
             <div class="finding-top">
               <span class="badge badge-${f.severity}">${f.severity}</span>
-              <span class="finding-title">${esc(f.title)}</span>
+              <span class="finding-title">${esc(f.title)}${statusHtml}</span>
               <span class="finding-id">${esc(f.id)}</span>
             </div>
             ${f.commentary ? `<div class="commentary">${esc(f.commentary)}</div>` : ''}
+            ${detailHtml}
+            <div class="critique-zone">${annHtml}${rebHtml}</div>
             <div class="controls">
               <button class="verdict-btn ${v === 'fix' ? 'sel-fix' : ''}" data-id="${f.id}" data-v="fix">Fix</button>
               <button class="verdict-btn ${v === 'defer' ? 'sel-defer' : ''}" data-id="${f.id}" data-v="defer">Defer</button>

package/templates/site-audit-runtime/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@claude-cabinet/site-audit",
-  "version": "0.1.0",
+  "version": "0.1.1",
   "description": "Comprehensive deployed-site quality audit engine for Claude Cabinet. Runs checks across performance, accessibility, security, SEO, content, DNS, and privacy against a deployed URL; single-site and comparison modes; standalone HTML report.",
   "type": "module",
   "bin": {
@@ -19,7 +19,6 @@
   "dependencies": {
     "@axe-core/cli": "^4.10.0",
     "@mdn/mdn-http-observatory": "^1.6.0",
-    "@themarkup/blacklight-collector": "^1.0.0",
     "lighthouse": "^12.0.0",
     "linkinator": "^7.0.0",
     "pa11y": "^9.0.0",

package/templates/site-audit-runtime/src/checks/axe-core.mjs

@@ -18,7 +18,17 @@ export function normalize(raw, durationMs) {
   }
   let data;
   try { data = JSON.parse(raw.stdout); } catch {
-    return { checkId, tool, status: 'error', score: null, grade: null, severity: null, findings: [], durationMs, reason: 'failed to parse axe-core JSON' };
+    // @axe-core/cli may output non-JSON prefix lines before the JSON array;
+    // strip lines until we find the opening bracket.
+    const lines = (raw.stdout || '').split('\n');
+    const jsonStart = lines.findIndex(l => l.trimStart().startsWith('[') || l.trimStart().startsWith('{'));
+    if (jsonStart >= 0) {
+      try { data = JSON.parse(lines.slice(jsonStart).join('\n')); } catch {
+        return { checkId, tool, status: 'error', score: null, grade: null, severity: null, findings: [], durationMs, reason: 'failed to parse axe-core JSON' };
+      }
+    } else {
+      return { checkId, tool, status: 'error', score: null, grade: null, severity: null, findings: [], durationMs, reason: 'failed to parse axe-core JSON' };
+    }
   }
 
   const violations = Array.isArray(data) ? data.flatMap(p => p.violations || []) : (data.violations || []);
@@ -34,8 +44,14 @@ export function normalize(raw, durationMs) {
     return (o[f.severity] ?? 3) < (o[w] ?? 3) ? f.severity : w;
   }, 'info') : null;
 
+  const pages = Array.isArray(data) ? data.length : 1;
+  const passSummary = findings.length === 0
+    ? `No WCAG AA violations across ${pages} page${pages !== 1 ? 's' : ''}`
+    : undefined;
+
   return {
     checkId, tool, status: findings.length === 0 ? 'pass' : 'fail',
     score: null, grade: null, severity: worstSev, findings, durationMs,
+    ...(passSummary && { passSummary }),
   };
 }

package/templates/site-audit-runtime/src/checks/blacklight.mjs

@@ -72,8 +72,15 @@ export function normalize(raw, durationMs) {
   }, 'info') : null;
 
   const hasSerious = findings.some(f => f.severity === 'serious' || f.severity === 'critical');
+  const passSummary = !hasSerious
+    ? (findings.length === 0
+      ? 'No trackers, fingerprinters, or session recorders detected'
+      : `No serious trackers detected (${findings.length} low-severity item${findings.length !== 1 ? 's' : ''} only)`)
+    : undefined;
+
   return {
     checkId, tool, status: hasSerious ? 'fail' : 'pass',
     score: null, grade: null, severity: worstSev, findings, durationMs,
+    ...(passSummary && { passSummary }),
   };
 }

package/templates/site-audit-runtime/src/checks/dns.mjs

@@ -53,13 +53,24 @@ export function normalize(raw, durationMs) {
   const passing = total - findings.filter(f => f.severity !== 'info').length;
   const score = Math.round((passing / total) * 100);
 
+  const isPass = !findings.some(f => f.severity !== 'info');
+  const passed = [];
+  if (!findings.some(f => f.message.includes('DNSSEC'))) passed.push('DNSSEC');
+  if (!findings.some(f => f.message.includes('SPF'))) passed.push('SPF');
+  if (!findings.some(f => f.message.includes('DMARC'))) passed.push('DMARC');
+  if (httpVersion && (httpVersion.startsWith('2') || httpVersion.startsWith('3'))) passed.push(`HTTP/${httpVersion}`);
+  const passSummary = isPass
+    ? `${passed.join(', ')} verified`
+    : undefined;
+
   return {
-    checkId, tool, status: findings.some(f => f.severity !== 'info') ? 'fail' : 'pass',
+    checkId, tool, status: isPass ? 'pass' : 'fail',
     score, grade: null,
     severity: findings.length ? findings.reduce((w, f) => {
       const o = { critical: 0, serious: 1, moderate: 2, info: 3 };
       return (o[f.severity] ?? 3) < (o[w] ?? 3) ? f.severity : w;
     }, 'info') : null,
     findings, durationMs,
+    ...(passSummary && { passSummary }),
   };
 }

package/templates/site-audit-runtime/src/checks/lighthouse.mjs

@@ -39,11 +39,17 @@ export function normalize(raw, durationMs) {
   const audits = data.audits || {};
   for (const [id, audit] of Object.entries(audits)) {
     if (audit.score !== null && audit.score < 0.5 && audit.title) {
-      findings.push({
+      const f = {
         severity: audit.score === 0 ? 'serious' : 'moderate',
         message: audit.title,
         context: audit.displayValue || undefined,
-      });
+      };
+      if (audit.details?.items?.length) {
+        f.url = audit.details.items.slice(0, 5).map(
+          item => item.url || item.source?.url || item.node?.selector || ''
+        ).filter(Boolean).join(', ') || undefined;
+      }
+      findings.push(f);
     }
   }
 
@@ -52,9 +58,15 @@ export function normalize(raw, durationMs) {
     return (order[f.severity] ?? 3) < (order[w] ?? 3) ? f.severity : w;
   }, 'info') : null;
 
+  const details = { categories: scores };
+  const passSummary = Object.entries(scores)
+    .map(([k, v]) => `${k.replace(/-/g, ' ')}: ${v}`)
+    .join(', ');
+
   return {
     checkId, tool, status: avg !== null && avg >= 50 ? 'pass' : 'fail',
-    score: avg, grade: scoreToGrade(avg), severity: worstSev, findings, durationMs,
+    score: avg, grade: scoreToGrade(avg), severity: worstSev, findings,
+    details, passSummary, durationMs,
   };
 }