create-sdd-project 0.18.3 → 0.19.0

package/README.md

@@ -312,7 +312,7 @@ SDD DevFlow combines three proven practices:
 | `/review-plan` | Cross-model plan review — runs automatically after plan self-review when external CLIs are available; catches implementation blind spots |
 | `/context-prompt` | Generates a context recovery prompt after `/compact` with Workflow Recovery to prevent checkpoint skipping |
 | `/review-project` | Comprehensive project-level review using up to 3 AI models in parallel — 6 domains, audit context, consolidated report with action plan |
-| `/audit-merge` | Automated compliance audit — 11 pre-merge checks (ticket, tracker, evidence, merge base, working tree, data files). Auto-fixes issues. |
+| `/audit-merge` | Automated compliance audit — 12 structural pre-merge checks (ticket, tracker, evidence, merge base, working tree, data files, CI state via `gh pr checks`) + 16 advisory drift patterns. Auto-fixes issues. |
 
 ### Spec & Plan Quality
 

package/lib/meta.js

@@ -12,13 +12,27 @@
  * warnings on cross-version upgrades — the Codex P1 finding from the
  * v0.16.10 cross-model review).
  *
- * Core invariant (Codex M1 from plan v1.0 review): a hash in this file
- * represents "the last time the tool wrote this file, the content hashed
- * to X". Hashes are ONLY written/updated when the tool actually wrote
- * canonical output to a file in the current run (replaced, new, or
- * --force-template paths). Preserved files leave their hash entry
- * untouched — otherwise the user's customized content would be hashed and
- * silently overwritten on the next upgrade.
+ * Core invariant (Codex M1 from plan v1.0 review, refined v0.18.4 G1):
+ * a hash in this file represents the canonical TEMPLATE output the tool
+ * last attempted to install for this path. Hashes are written/updated in
+ * three situations:
+ *
+ *   1. The tool wrote canonical output (replaced, new file, or
+ *      --force-template paths) — record the new template hash.
+ *   2. v0.18.4 G1 — Case 3c fallback preserve writes the template hash to
+ *      bootstrap a previously-untracked path into the hash-based decision
+ *      tree for future upgrades. The file on disk is NOT modified (user's
+ *      customization is preserved + .new is written); only the meta entry
+ *      is recorded so the next upgrade can enter Case 2 instead of falling
+ *      through Case 3 again. Records what we "attempted to install", which
+ *      is the correct anchor for both: (a) the user later accepting .new
+ *      → user_current == stored → Case 2a clean replace, and (b) the user
+ *      keeping their customization → user_current != stored → Case 2b
+ *      preserve (situation (3) below then applies).
+ *   3. NEVER on Case 2b preserve — when a stored hash already exists and
+ *      the current file diverges from it, the prior baseline is kept
+ *      untouched. Otherwise the user's customized content would be hashed
+ *      and silently overwritten on the next upgrade.
  *
  * File format (schemaVersion: 1):
  *   {

package/lib/upgrade-generator.js

@@ -540,8 +540,21 @@ function generateUpgrade(config) {
               continue;
             }
 
-            // Content mismatch → preserve. Same rule: no hash update.
+            // Content mismatch → preserve.
+            //
+            // v0.18.4 G1: bootstrap hash AFTER preserve so next upgrade enters
+            // the hash-based path (Case 2) instead of falling through Case 3c
+            // again. Recording the TEMPLATE hash (not the user's hash) is the
+            // correct semantic anchor:
+            //   - If user later accepts .new → user_current == stored → Case 2a
+            //     clean replace.
+            //   - If user keeps customization → user_current != stored → Case 2b
+            //     preserve (Codex M1 invariant then applies — no further hash
+            //     updates).
+            // This is opt-in at the CALL SITE, not inside preserveFile, so
+            // Case 2b callers above remain governed by the M1 invariant.
             preserveFile(adaptedFullTargetFallback);
+            newHashes[posixPath] = computeHash(adaptedFullTargetFallback);
           }
           continue;
         }
@@ -651,7 +664,9 @@ function generateUpgrade(config) {
               replaced++;
               continue;
             }
+            // v0.18.4 G1: Case 3c bootstrap (see agents site for full rationale).
             preserveCmd();
+            newHashes[posixPath] = computeHash(rawTemplate);
           }
           continue;
         }
@@ -836,6 +851,8 @@ function generateUpgrade(config) {
     }
     modifiedAgentsResults.push({ name: relativePath, modified: true });
     preserved++;
+    // v0.18.4 G1: Case 3c bootstrap (see agents site for full rationale).
+    newHashes[posix] = computeHash(adaptedTarget);
   }
 
   // --- d) Handle standards (smart diff) ---
@@ -979,7 +996,9 @@ function generateUpgrade(config) {
       replaced++;
       continue;
     }
+    // v0.18.4 G1: Case 3c bootstrap (see agents site for full rationale).
     preserveStandard();
+    newHashes[spec.posix] = computeHash(freshAdapted);
   }
 
   step('Updated standards files');
@@ -1055,7 +1074,9 @@ function generateUpgrade(config) {
       newHashes[AGENTS_MD_POSIX] = computeHash(adaptedAgentsMd);
       replaced++;
     } else {
+      // v0.18.4 G1: Case 3c bootstrap (see agents site for full rationale).
       preserveAgentsMd();
+      newHashes[AGENTS_MD_POSIX] = computeHash(adaptedAgentsMd);
     }
   }
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "create-sdd-project",
-  "version": "0.18.3",
+  "version": "0.19.0",
   "description": "Create a new SDD DevFlow project with AI-assisted development workflow",
   "bin": {
     "create-sdd-project": "bin/cli.js"

package/template/.claude/agents/code-review-specialist.md

@@ -35,6 +35,7 @@ Go beyond checklist review — actively try to break the implementation:
 - **Malicious input**: What data could a malicious user inject? Are all inputs validated at system boundaries?
 - **State corruption**: What if the database is slow, a transaction fails midway, or cache is stale?
 - **Missing validation**: Are values range-checked, type-checked, and null-checked before use?
+- **Defensive guards**: For every `if (cond)` / `if (!cond)` / SQL `WHERE` predicate / type-narrowing check that exists "to prevent X", trace the boolean with three concrete value scenarios — (a) the danger case the guard targets, (b) a normal/expected case, (c) an edge case (null/0/empty/duplicate). Does the guard fire ONLY on the danger case? Common failure: a defensive predicate is written that fires on the SAFE case and skips the DANGER case (boolean inverted). Treat any guard whose conditions you cannot mentally trace through values as a critical-review item — request author justification or write the trace yourself.
 
 ### 4. Categorize Findings
 

package/template/.claude/commands/audit-merge.md

@@ -48,11 +48,51 @@ If DIVERGED, flag as FAIL with instruction to merge target branch first.
 
 Run only if `git diff origin/<target-branch>..HEAD --name-only` shows `.json` files in seed-data or fixtures directories.
 
+**12. CI State** (added v0.19.0) — Verify GitHub Actions / CI checks for the current PR show no FAILURE / ERROR / CANCELLED / TIMED_OUT conclusion. PENDING is acceptable (still running). Emits distinct `N/A` messages when `gh` is unavailable, `jq` is unavailable, or no PR is open for the current branch — these are not blockers. Empirical motivation: F107a (PR #279) shipped with `ci-success` BLOCKED on 3 real failures (test-api lint, test-web build, branch-protection gate); the agent claimed "CI: green" without verification. C3 makes the claim auditable structurally.
+```bash
+if ! command -v gh >/dev/null 2>&1; then
+  echo "C3 N/A: gh CLI unavailable"
+elif ! command -v jq >/dev/null 2>&1; then
+  echo "C3 N/A: jq unavailable"
+else
+  # In GitHub Actions `pull_request` jobs, `actions/checkout` defaults to a
+  # detached HEAD (no branch context), so `gh pr view` with no arg cannot
+  # resolve "the PR for the current branch". Read the PR number from
+  # GITHUB_REF (`refs/pull/<N>/merge`) when available so C3 still queries
+  # the right PR. Local runs (no GITHUB_REF) keep the no-arg behavior.
+  PR_NUM_FROM_CI=""
+  if [ -n "${GITHUB_REF:-}" ]; then
+    PR_NUM_FROM_CI=$(printf '%s' "$GITHUB_REF" | sed -n 's@^refs/pull/\([0-9]\{1,\}\)/.*@\1@p')
+  fi
+  if [ -n "$PR_NUM_FROM_CI" ]; then
+    PR_JSON=$(gh pr view "$PR_NUM_FROM_CI" --json number,statusCheckRollup 2>/dev/null || true)
+  else
+    PR_JSON=$(gh pr view --json number,statusCheckRollup 2>/dev/null || true)
+  fi
+  if [ -z "$PR_JSON" ]; then
+    echo "C3 N/A: no PR open for current branch"
+  else
+    PR_NUM=$(echo "$PR_JSON" | jq -r '.number // "unknown"')
+    FAILURES=$(echo "$PR_JSON" | jq -r '
+      .statusCheckRollup[]?
+      | select((.conclusion // .status) as $s
+        | $s == "FAILURE" or $s == "ERROR" or $s == "CANCELLED" or $s == "TIMED_OUT")
+      | .name // .context
+    ' | sort -u)
+    if [ -n "$FAILURES" ]; then
+      flag "C3 BLOCKER: PR #$PR_NUM has failing checks — $(echo "$FAILURES" | tr '\n' ',' | sed 's/,$//')"
+    else
+      echo "C3 PASS: PR #$PR_NUM — all checks pass or pending"
+    fi
+  fi
+fi
+```
+
 ### Drift Checks (added v0.18.0) — ADVISORY, not blocking
 
-Eleven empirically-validated drift patterns. Failures are NOT blockers for the compliance verdict, but MUST be refreshed before requesting user authorization (the user will otherwise catch them during audit and send the PR back). Each check has a concrete shell recipe — use BSD-grep-compatible regex (no `\K`).
+Sixteen empirically-validated drift patterns. Failures are NOT blockers for the compliance verdict, but MUST be refreshed before requesting user authorization (the user will otherwise catch them during audit and send the PR back). Each check has a concrete shell recipe — use BSD-grep-compatible regex (no `\K`).
 
-**12. P1 — PR body test count stale (v0.18.3 multi-workspace extension — C1).** The PR body's test ratios should all appear in ticket evidence (AC / DoD / Completion Log). Agents commonly open the PR at Step 4 and add tests during Step 5 review — the PR body numbers become stale. In monorepos with multiple workspaces (e.g. api, web, bot, scraper) the PR body may quote several `N/N` ratios; v0.18.3 walks them all instead of comparing only the first. Subset direction: PR ratios ⊆ ticket ratios (the ticket Completion Log is the more comprehensive record and accumulates intermediate per-step ratios that the PR body legitimately omits). Three fallback cases: (a) ≥ 1 ratio on each side → verify each PR ratio appears in ticket; (b) PR has ratios but ticket has none (or vice versa) → emit explicit `P1 N/A` note, no drift flag; (c) neither side has ratios → emit `P1 N/A` note.
+**13. P1 — PR body test count stale (v0.18.3 multi-workspace extension — C1).** The PR body's test ratios should all appear in ticket evidence (AC / DoD / Completion Log). Agents commonly open the PR at Step 4 and add tests during Step 5 review — the PR body numbers become stale. In monorepos with multiple workspaces (e.g. api, web, bot, scraper) the PR body may quote several `N/N` ratios; v0.18.3 walks them all instead of comparing only the first. Subset direction: PR ratios ⊆ ticket ratios (the ticket Completion Log is the more comprehensive record and accumulates intermediate per-step ratios that the PR body legitimately omits). Three fallback cases: (a) ≥ 1 ratio on each side → verify each PR ratio appears in ticket; (b) PR has ratios but ticket has none (or vice versa) → emit explicit `P1 N/A` note, no drift flag; (c) neither side has ratios → emit `P1 N/A` note.
 ```bash
 TEST_KW_RE='(npm test|pnpm test|tests?[^|]*[0-9]|[*: ]tests?[*: ]+[0-9])'
 PR_BODY=$(gh pr view --json body -q .body 2>/dev/null || true)
@@ -69,14 +109,14 @@ else
 fi
 ```
 
-**13. P2 — Merge Checklist Evidence rows aspirational.** Rows marked `[x]` with future-tense Evidence ("will land", "to be created", "pending", "next commit", "TBD") — the row claims done but the work hasn't happened yet.
+**14. P2 — Merge Checklist Evidence rows aspirational.** Rows marked `[x]` with future-tense Evidence ("will land", "to be created", "pending", "next commit", "TBD") — the row claims done but the work hasn't happened yet.
 ```bash
 awk '/^## Merge Checklist Evidence/{flag=1; next} /^## /{flag=0} flag' "$TICKET" \
   | grep -E '^\|.*\[x\].*(to be |will |pending|TBD|Will be |to be created|next commit|aspirational)' \
   && flag "P2 drift: aspirational row(s) found"
 ```
 
-**14. P3 — Post-merge actions not logged** (only fires if PR is MERGED and ticket Status is Done). Items marked as post-merge operator actions (AC / DoD / Test plan unchecked with post-merge keywords) should have a Completion Log row documenting execution.
+**15. P3 — Post-merge actions not logged** (only fires if PR is MERGED and ticket Status is Done). Items marked as post-merge operator actions (AC / DoD / Test plan unchecked with post-merge keywords) should have a Completion Log row documenting execution.
 ```bash
 # Strip checkbox prefix before comparison; use grep -Fq fixed-string match.
 grep -E "^- \[ \].*(post-merge|operator|prod rollout|pending verification)" "$TICKET" \
@@ -89,14 +129,14 @@ while IFS= read -r item; do
 done < /tmp/pm_items.txt
 ```
 
-**15. P4 — Remote branch orphan after "deleted".** Workflow Step 6 claims `[x] branch deleted` but origin still has the branch.
+**16. P4 — Remote branch orphan after "deleted".** Workflow Step 6 claims `[x] branch deleted` but origin still has the branch.
 ```bash
 BRANCH=$(grep -oE '\*\*[Bb]ranch:\*\*[[:space:]]*[^[:space:]|()]+' "$TICKET" | head -1 | sed -E 's/^\*\*[Bb]ranch:\*\*[[:space:]]*//')
 git fetch origin --prune --quiet
 git ls-remote --heads origin "$BRANCH" 2>/dev/null | grep -q refs/heads && flag "P4 drift: remote branch $BRANCH still exists (run: git push origin --delete $BRANCH)"
 ```
 
-**16. P5 — Frozen ticket Status post-merge.** Scan all tickets in `docs/tickets/`; flag any with Status ≠ Done whose ticket-ID appears in `git log --all --grep`. Multi-word Status values like "Ready for Merge" must be handled (use `sed -E` char class, not `\w+`).
+**17. P5 — Frozen ticket Status post-merge.** Scan all tickets in `docs/tickets/`; flag any with Status ≠ Done whose ticket-ID appears in `git log --all --grep`. Multi-word Status values like "Ready for Merge" must be handled (use `sed -E` char class, not `\w+`).
 ```bash
 FROZEN_COUNT=0
 for t in docs/tickets/*.md; do
@@ -114,30 +154,49 @@ done
 [ "$FROZEN_COUNT" -eq 1 ] && flag "P5 drift: 1 frozen ticket"
 ```
 
-**17. P6 — AC count off-by-N.** Merge Checklist Evidence row 1 claim diverges from actual count. Two canonical forms: `all N marked` (N = total, implies all are `[x]`) and `AC: X/Y done` (X = marked, Y = total — supports deferred ACs where Y > X intentionally). For `AC: X/Y` form, compare Y to actual total AND X to actual marked. For `all N marked` form, compare N to actual total.
+**18. P6 — AC count off-by-N (header-form aware since v0.19.0).** Merge Checklist Evidence row 1 claim diverges from actual count. Supports two canonical AC forms: `[x]`/`[ ]` checkbox form and `### AC<N>` header form. When header form is present (≥ 1 `### AC<N>` heading), headers are authoritative — checkbox sub-items under each header are NOT double-counted. A header is "deferred" (not marked) when its body contains `**Status**: Deferred|Pending|Skipped|Blocked` before the next `### ` or section terminator. Two MCE claim shapes: `all N marked` (N = total, implies all marked) and `AC: X/Y done` (X = marked, Y = total — supports deferred ACs where Y > X intentionally). v0.19.0 drops the v0.18.3 `-ge 2` tolerance — comparison is now exact-match (off-by-1 advisories surface).
 ```bash
 AC_BLOCK=$(awk '/^## Acceptance Criteria/,/^## Definition of Done/' "$TICKET")
-ACTUAL_TOTAL=$(echo "$AC_BLOCK" | grep -cE "^- \[[x ]\]")
-ACTUAL_MARKED=$(echo "$AC_BLOCK" | grep -cE "^- \[x\]")
+HEADER_ACS=$(echo "$AC_BLOCK" | grep -cE '^### AC[0-9]+')
+
+if [ "$HEADER_ACS" -gt 0 ]; then
+  ACTUAL_TOTAL=$HEADER_ACS
+  # Per-AC pass: emit one line per AC ("marked" or "deferred"). Then count.
+  PER_AC=$(echo "$AC_BLOCK" | awk '
+    function flush() { if (have) { print (deferred ? "deferred" : "marked"); have=0; deferred=0 } }
+    /^### AC[0-9]+/ { flush(); have=1; next }
+    /^## / { flush(); next }
+    have && /^\*\*Status\*\*:[[:space:]]*(Deferred|Pending|Skipped|Blocked)/ { deferred=1 }
+    END { flush() }
+  ')
+  ACTUAL_MARKED=$(printf '%s\n' "$PER_AC" | grep -c '^marked$' || true)
+else
+  ACTUAL_TOTAL=$(echo "$AC_BLOCK" | grep -cE "^- \[[x ]\]")
+  ACTUAL_MARKED=$(echo "$AC_BLOCK" | grep -cE "^- \[x\]")
+fi
+
 CLAIM_LINE=$(grep -oE 'all [0-9]+ marked|AC: [0-9]+/[0-9]+' "$TICKET" | head -1)
 if echo "$CLAIM_LINE" | grep -qE '^AC: [0-9]+/[0-9]+'; then
   CLAIMED_MARKED=$(echo "$CLAIM_LINE" | grep -oE '[0-9]+' | head -1)
   CLAIMED_TOTAL=$(echo "$CLAIM_LINE" | grep -oE '[0-9]+' | tail -1)
   [ -n "$CLAIMED_TOTAL" ] && [ "$CLAIMED_TOTAL" != "$ACTUAL_TOTAL" ] \
-    && [ $((ACTUAL_TOTAL - CLAIMED_TOTAL)) -ge 2 -o $((CLAIMED_TOTAL - ACTUAL_TOTAL)) -ge 2 ] \
-    && flag "P6 drift: claim AC total '$CLAIMED_TOTAL' vs actual total $ACTUAL_TOTAL"
+    && flag "P6 drift: claim AC total '$CLAIMED_TOTAL' vs actual total $ACTUAL_TOTAL (form: $([ "$HEADER_ACS" -gt 0 ] && echo header || echo checkbox))"
   [ -n "$CLAIMED_MARKED" ] && [ "$CLAIMED_MARKED" != "$ACTUAL_MARKED" ] \
-    && [ $((ACTUAL_MARKED - CLAIMED_MARKED)) -ge 2 -o $((CLAIMED_MARKED - ACTUAL_MARKED)) -ge 2 ] \
-    && flag "P6 drift: claim AC marked '$CLAIMED_MARKED' vs actual marked $ACTUAL_MARKED"
+    && flag "P6 drift: claim AC marked '$CLAIMED_MARKED' vs actual marked $ACTUAL_MARKED (form: $([ "$HEADER_ACS" -gt 0 ] && echo header || echo checkbox))"
 elif [ -n "$CLAIM_LINE" ]; then
   CLAIMED=$(echo "$CLAIM_LINE" | grep -oE '[0-9]+' | head -1)
-  [ -n "$CLAIMED" ] && [ "$CLAIMED" != "$ACTUAL_TOTAL" ] \
-    && [ $((ACTUAL_TOTAL - CLAIMED)) -ge 2 -o $((CLAIMED - ACTUAL_TOTAL)) -ge 2 ] \
-    && flag "P6 drift: 'all $CLAIMED marked' vs actual AC count $ACTUAL_TOTAL"
+  if [ -n "$CLAIMED" ]; then
+    [ "$CLAIMED" != "$ACTUAL_TOTAL" ] \
+      && flag "P6 drift: 'all $CLAIMED marked' vs actual AC total $ACTUAL_TOTAL (form: $([ "$HEADER_ACS" -gt 0 ] && echo header || echo checkbox))"
+    # `all N marked` IMPLIES all ACs are marked; flag when actual marked < N
+    # (e.g. some ACs deferred via `**Status**: Deferred` or unchecked `[ ]`).
+    [ "$CLAIMED" != "$ACTUAL_MARKED" ] \
+      && flag "P6 drift: 'all $CLAIMED marked' but only $ACTUAL_MARKED actually marked (form: $([ "$HEADER_ACS" -gt 0 ] && echo header || echo checkbox))"
+  fi
 fi
 ```
 
-**18. P7 — Test count drift within ticket (final-sections only).** Only flag AC / DoD / tracker Active-Session numbers diverging from Completion Log terminal. Intermediate rows are legitimate.
+**19. P7 — Test count drift within ticket (final-sections only).** Only flag AC / DoD / tracker Active-Session numbers diverging from Completion Log terminal. Intermediate rows are legitimate.
 ```bash
 TERMINAL=$(awk '/^## Completion Log/,/^## Merge Checklist/' "$TICKET" | grep -iE "(test|pass|green)" | grep -oE "[0-9]+/[0-9]+" | tail -1)
 AC=$(awk '/^## Acceptance Criteria/,/^## Definition of Done/' "$TICKET")
@@ -148,7 +207,7 @@ for n in $FINAL_NUMS; do
 done
 ```
 
-**19. P8 — Completion Log gap vs Workflow Checklist.** Each `[x]` Step N in Workflow should have ≥1 Completion Log row mentioning "Step N". Use `while-read` on unique step numbers (not `for-in` which splits on whitespace).
+**20. P8 — Completion Log gap vs Workflow Checklist.** Each `[x]` Step N in Workflow should have ≥1 Completion Log row mentioning "Step N". Use `while-read` on unique step numbers (not `for-in` which splits on whitespace).
 ```bash
 WORKFLOW=$(awk '/^## Workflow Checklist/,/^## Completion Log/' "$TICKET")
 COMPLETION=$(awk '/^## Completion Log/,/^## Merge Checklist/' "$TICKET")
@@ -159,7 +218,7 @@ while read -r step_num; do
 done <<< "$CHECKED_STEPS"
 ```
 
-**20. P9 — Tracker header "Last Updated" stale.** The `**Last Updated:**` header and the `**Active Feature:**` detail should agree on step number (e.g., both say 5/6). Mismatch suggests the header wasn't refreshed after state transitions.
+**21. P9 — Tracker header "Last Updated" stale.** The `**Last Updated:**` header and the `**Active Feature:**` detail should agree on step number (e.g., both say 5/6). Mismatch suggests the header wasn't refreshed after state transitions.
 ```bash
 TRACKER=docs/project_notes/product-tracker.md
 HEADER_STEP=$(grep '^\*\*Last Updated:\*\*' "$TRACKER" | grep -oE '(Step )?[0-9]+/6' | head -1 | sed -E 's/^Step //')
@@ -168,7 +227,7 @@ DETAIL_STEP=$(grep -A 1 '^\*\*Active Feature:\*\*' "$TRACKER" | grep -oE '(Step
   && flag "P9 drift: tracker header says $HEADER_STEP, Active Feature says $DETAIL_STEP"
 ```
 
-**21. P10 — Duplicate Completion Log rows.** Hash `date | action | first-80-of-notes`. Duplicates suggest copy-paste error during editing.
+**22. P10 — Duplicate Completion Log rows.** Hash `date | action | first-80-of-notes`. Duplicates suggest copy-paste error during editing.
 ```bash
 awk -F'|' '/^\| [0-9]{4}-[0-9]{2}-[0-9]{2}/ {
   key = $2 "|" $3 "|" substr($4, 1, 80)
@@ -178,7 +237,7 @@ awk -F'|' '/^\| [0-9]{4}-[0-9]{2}-[0-9]{2}/ {
   | while read -r dup; do flag "P10 drift: duplicate Completion Log row: $dup"; done
 ```
 
-**22. P11 — Tracker Features table status vs ticket Status mismatch.** Ticket Status=Ready for Merge / Review → tracker expects `in-progress`. Ticket Status=Done → tracker expects `done`. Mismatch means one side wasn't updated after the state change.
+**23. P11 — Tracker Features table status vs ticket Status mismatch.** Ticket Status=Ready for Merge / Review → tracker expects `in-progress`. Ticket Status=Done → tracker expects `done`. Mismatch means one side wasn't updated after the state change.
 ```bash
 TICKET_STATUS=$(grep -E "^\*\*Status:\*\*" "$TICKET" | head -1 \
     | sed -E 's/^\*\*Status:\*\*[[:space:]]*\*?\*?//' \
@@ -186,18 +245,36 @@ TICKET_STATUS=$(grep -E "^\*\*Status:\*\*" "$TICKET" | head -1 \
     | sed -E 's/[[:space:]]+(\(.*\)|—.*|–.*|-.*)$//' \
     | sed -E 's/\*\*[[:space:]]*$//' \
     | sed -E 's/[[:space:]]+$//')
-FEATURE_ID=$(basename "$TICKET" .md | sed -E 's/-[a-z].*//')
-TRACKER_STATUS=$(grep -F "$FEATURE_ID" docs/project_notes/product-tracker.md | grep -oE "\| (in-progress|done|pending|blocked) \|" | head -1 | sed -E 's/\| ([a-z-]+) \|/\1/')
-case "$TICKET_STATUS" in
-  "Ready for Merge"|"Review"|"In Progress"|"Planning"|"Spec") EXPECTED="in-progress" ;;
-  "Done") EXPECTED="done" ;;
-  *) EXPECTED="" ;;
+TICKET_BASENAME=$(basename "$TICKET" .md)
+# v0.18.4 P11-B: sub-scope tickets (-lite / -FU / -FU[0-9]*) close a partial
+# scope of a parent feature; the parent tracker row stays at its parent status
+# (typically `pending` or `in-progress`) while the sub-scope ticket reaches
+# `Done`. P11 must NOT enforce status mapping across this boundary. Pattern
+# scope: empirically derived from fx convention (uppercase -FU + -lite). If
+# future projects introduce -spike / -mini / -aux variants, expand here.
+case "$TICKET_BASENAME" in
+  *-lite|*-lite-*|*-FU|*-FU-*|*-FU[0-9]*)
+    echo "P11 N/A: $TICKET_BASENAME is a sub-scope ticket — parent tracker row status independent" >&2
+    ;;
+  *)
+    FEATURE_ID=$(echo "$TICKET_BASENAME" | sed -E 's/-[a-z].*//')
+    # v0.18.4 P11-B drive-by hardening: anchor tracker lookup to pipe-table row
+    # (FEATURE_ID as first cell). Mirrors v0.18.3 P16 idiom — prevents narrative
+    # mentions earlier in the tracker from silencing or false-firing the check.
+    TRACKER_STATUS=$(grep -E "^\|[[:space:]]*$FEATURE_ID[[:space:]]*\|" docs/project_notes/product-tracker.md \
+        | grep -oE "\| (in-progress|done|pending|blocked) \|" | head -1 | sed -E 's/\| ([a-z-]+) \|/\1/')
+    case "$TICKET_STATUS" in
+      "Ready for Merge"|"Review"|"In Progress"|"Planning"|"Spec") EXPECTED="in-progress" ;;
+      "Done") EXPECTED="done" ;;
+      *) EXPECTED="" ;;
+    esac
+    [ -n "$EXPECTED" ] && [ -n "$TRACKER_STATUS" ] && [ "$TRACKER_STATUS" != "$EXPECTED" ] \
+      && flag "P11 drift: ticket Status='$TICKET_STATUS' expects tracker='$EXPECTED' but tracker='$TRACKER_STATUS'"
+    ;;
 esac
-[ -n "$EXPECTED" ] && [ -n "$TRACKER_STATUS" ] && [ "$TRACKER_STATUS" != "$EXPECTED" ] \
-  && flag "P11 drift: ticket Status='$TICKET_STATUS' expects tracker='$EXPECTED' but tracker='$TRACKER_STATUS'"
 ```
 
-**23. P12 — Tracker HEAD references stale (added v0.18.2).** The `**Last Updated:**` and `**Active Feature:**` lines may embed `HEAD <sha>` or `HEAD: <sha>` references that were correct when written but went stale as further commits landed (empirically observed in fx F-WEB-MENU-VISION-001 audit cycle 2026-05-06: tracker said `HEAD: fd752e4` while `git rev-parse HEAD` was `6fa801e` after the agent's own self-edit commit). Compare each extracted SHA against the active branch HEAD. Bidirectional prefix tolerance: a 7-char tracker SHA matches the full 40-char actual HEAD if it's a prefix; a full 40-char tracker SHA matches if its first 7 chars equal the actual short form. Scoped strictly to the two header lines so narrative SHAs in "Last Completed" prose never false-positive-fire.
+**24. P12 — Tracker HEAD references stale (added v0.18.2).** The `**Last Updated:**` and `**Active Feature:**` lines may embed `HEAD <sha>` or `HEAD: <sha>` references that were correct when written but went stale as further commits landed (empirically observed in fx F-WEB-MENU-VISION-001 audit cycle 2026-05-06: tracker said `HEAD: fd752e4` while `git rev-parse HEAD` was `6fa801e` after the agent's own self-edit commit). Compare each extracted SHA against the active branch HEAD. Bidirectional prefix tolerance: a 7-char tracker SHA matches the full 40-char actual HEAD if it's a prefix; a full 40-char tracker SHA matches if its first 7 chars equal the actual short form. Scoped strictly to the two header lines so narrative SHAs in "Last Completed" prose never false-positive-fire.
 ```bash
 TRACKER=docs/project_notes/product-tracker.md
 if [ -f "$TRACKER" ]; then
@@ -217,7 +294,7 @@ if [ -f "$TRACKER" ]; then
 fi
 ```
 
-**24. P13 — key_facts delta vs ticket atom-count mismatch (added v0.18.3).** When the ticket's Completion Log or MCE quantifies a delta against `key_facts.md` (e.g. `+8 atoms`, `+5 aliases`, `+27 dishes`), the corresponding feature row in `key_facts.md` should record the same delta. Whitespace-safe iteration via `while IFS= read -r`; FEATURE_ID-anchored block scan avoids false-pass on identical deltas elsewhere in the file. English keyword set; Spanish (`átomos`, `platos`) deferred to v0.19.x.
+**25. P13 — key_facts delta vs ticket atom-count mismatch (added v0.18.3).** When the ticket's Completion Log or MCE quantifies a delta against `key_facts.md` (e.g. `+8 atoms`, `+5 aliases`, `+27 dishes`), the corresponding feature row in `key_facts.md` should record the same delta. Whitespace-safe iteration via `while IFS= read -r`; FEATURE_ID-anchored block scan avoids false-pass on identical deltas elsewhere in the file. English keyword set; Spanish (`átomos`, `platos`) deferred to v0.19.x.
 ```bash
 KEY_FACTS=docs/project_notes/key_facts.md
 if [ -f "$KEY_FACTS" ]; then
@@ -233,7 +310,7 @@ if [ -f "$KEY_FACTS" ]; then
 fi
 ```
 
-**25. P14 — MCE Action 1 row stale post-merge (added v0.18.3).** When ticket Status normalizes to `Done` AND the MCE Action 1 row still has `Step 6 [ ]` / `Step 6 [-]`, the row was written pre-merge and not updated post-squash. **Strict scoping**: awk state machine terminates the MCE block at the NEXT `^## ` line of any name (NOT `[^M]` — that incorrectly absorbs subsequent `## M*` sections). **Strict signal**: only `Step 6 [ ]` / `Step 6 [-]` patterns flag; standalone `(this merge)` is omitted because it commonly appears in past-tense narrative ("merged at SHA (this merge)") and produces false positives. Reuses `TICKET_STATUS` defined in P11; do NOT use `$status` from the P5 loop. NIT severity.
+**26. P14 — MCE Action 1 row stale post-merge (added v0.18.3).** When ticket Status normalizes to `Done` AND the MCE Action 1 row still has `Step 6 [ ]` / `Step 6 [-]`, the row was written pre-merge and not updated post-squash. **Strict scoping**: awk state machine terminates the MCE block at the NEXT `^## ` line of any name (NOT `[^M]` — that incorrectly absorbs subsequent `## M*` sections). **Strict signal**: only `Step 6 [ ]` / `Step 6 [-]` patterns flag; standalone `(this merge)` is omitted because it commonly appears in past-tense narrative ("merged at SHA (this merge)") and produces false positives. Reuses `TICKET_STATUS` defined in P11; do NOT use `$status` from the P5 loop. NIT severity.
 ```bash
 if [ "$TICKET_STATUS" = "Done" ]; then
   MCE_BLOCK=$(awk '
@@ -247,7 +324,7 @@ if [ "$TICKET_STATUS" = "Done" ]; then
 fi
 ```
 
-**26. P15 — AC with `post-deploy` keyword admitted without Completion Log evidence (added v0.18.3).** ACs containing production-parity keywords (`post-deploy`, `post-merge`, `production parity`, `prod verification`, `on dev API`, `on prod`) are explicit gates; marking them `[x]` without a dated Completion Log row defeats their purpose. Empirical origin: fx F-CATALOG-COV-001 AC-NEW-qa-battery silent-PASS until external audit caught it. Line-safe iteration via `while IFS= read -r`.
+**27. P15 — AC with `post-deploy` keyword admitted without Completion Log evidence (added v0.18.3).** ACs containing production-parity keywords (`post-deploy`, `post-merge`, `production parity`, `prod verification`, `on dev API`, `on prod`) are explicit gates; marking them `[x]` without a dated Completion Log row defeats their purpose. Empirical origin: fx F-CATALOG-COV-001 AC-NEW-qa-battery silent-PASS until external audit caught it. Line-safe iteration via `while IFS= read -r`.
 ```bash
 COMPLETION=$(awk '/^## Completion Log/,/^## Merge Checklist/' "$TICKET")
 AC_LINES=$(grep -nE '^[[:space:]]*-[[:space:]]*\[[ x]\][[:space:]]+AC-[A-Za-z0-9_-]+' "$TICKET" \
@@ -263,7 +340,7 @@ while IFS= read -r line; do
 done <<< "$AC_LINES"
 ```
 
-**27. P16 — Feature missing from Features table (added v0.18.3).** Ticket Status `Ready for Merge` / `Done` should have a row in some `## Features — *` table in `product-tracker.md`. **Strict signal**: requires the feature ID to appear as the first cell of a pipe-table row (`| FEATURE_ID |` with optional whitespace), NOT just anywhere in the tracker — narrative mentions or `**Active Feature:**` references must not silence the drift. NIT severity. Reuses `TICKET_STATUS` and `FEATURE_ID` defined in P11.
+**28. P16 — Feature missing from Features table (added v0.18.3).** Ticket Status `Ready for Merge` / `Done` should have a row in some `## Features — *` table in `product-tracker.md`. **Strict signal**: requires the feature ID to appear as the first cell of a pipe-table row (`| FEATURE_ID |` with optional whitespace), NOT just anywhere in the tracker — narrative mentions or `**Active Feature:**` references must not silence the drift. NIT severity. Reuses `TICKET_STATUS` and `FEATURE_ID` defined in P11.
 ```bash
 TRACKER=docs/project_notes/product-tracker.md
 case "$TICKET_STATUS" in
@@ -298,7 +375,7 @@ Report two tables — one for **structural (blocking)** compliance, one for **dr
 ```
 ## Merge Compliance Audit — [FEATURE-ID]
 
-### Structural (1-11) — blocking merge gate
+### Structural (1-12) — blocking merge gate
 
 | # | Check | Status | Detail |
 |---|-------|:------:|--------|
@@ -313,39 +390,48 @@ Report two tables — one for **structural (blocking)** compliance, one for **dr
 | 9 | Merge Base | PASS | Up to date with develop |
 | 10 | Working Tree | PASS | Clean |
 | 11 | Data Files | PASS | N/A — no JSON seed files |
+| 12 | CI State | PASS | PR #123 — all checks pass or pending |
 
 **STRUCTURAL: READY FOR MERGE** (or **STRUCTURAL: NEEDS FIX — N blockers**)
 
-### Drift (12-27) — advisory, refresh before user authorization
+### Drift (13-28) — advisory, refresh before user authorization
 
 | # | Pattern | Status | Detail |
 |---|---------|:------:|--------|
-| 12 | P1 PR body test count stale | PASS | matches ticket terminal |
-| 13 | P2 Aspirational Evidence rows | PASS | all rows past-tense |
-| 14 | P3 Post-merge actions logged | PASS | N/A pre-merge |
-| 15 | P4 Remote branch orphan | PASS | not checked pre-merge |
-| 16 | P5 Frozen ticket Status | PASS | 0 frozen |
-| 17 | P6 AC count off-by-N | PASS | claim matches actual |
-| 18 | P7 Intra-ticket test drift | PASS | final sections = terminal |
-| 19 | P8 Completion Log gap | PASS | every [x] step has narrative |
-| 20 | P9 Tracker header stale | PASS | header = detail |
-| 21 | P10 Duplicate log rows | PASS | no duplicates |
-| 22 | P11 Tracker status mismatch | PASS | in-progress for Ready for Merge |
-| 23 | P12 Tracker HEAD reference | PASS | tracker HEAD = git HEAD |
-| 24 | P13 key_facts delta mismatch | PASS | N/A — no quantified deltas |
-| 25 | P14 MCE Action 1 stale post-merge | PASS | N/A pre-merge / row past-tense |
-| 26 | P15 Post-deploy AC without evidence | PASS | no post-deploy keyword in ACs |
-| 27 | P16 Feature missing from tracker | PASS | feature in Features table |
+| 13 | P1 PR body test count stale | PASS | matches ticket terminal |
+| 14 | P2 Aspirational Evidence rows | PASS | all rows past-tense |
+| 15 | P3 Post-merge actions logged | PASS | N/A pre-merge |
+| 16 | P4 Remote branch orphan | PASS | not checked pre-merge |
+| 17 | P5 Frozen ticket Status | PASS | 0 frozen |
+| 18 | P6 AC count off-by-N | PASS | claim matches actual (form: header) |
+| 19 | P7 Intra-ticket test drift | PASS | final sections = terminal |
+| 20 | P8 Completion Log gap | PASS | every [x] step has narrative |
+| 21 | P9 Tracker header stale | PASS | header = detail |
+| 22 | P10 Duplicate log rows | PASS | no duplicates |
+| 23 | P11 Tracker status mismatch | PASS | in-progress for Ready for Merge |
+| 24 | P12 Tracker HEAD reference | PASS | tracker HEAD = git HEAD |
+| 25 | P13 key_facts delta mismatch | PASS | N/A — no quantified deltas |
+| 26 | P14 MCE Action 1 stale post-merge | PASS | N/A pre-merge / row past-tense |
+| 27 | P15 Post-deploy AC without evidence | PASS | no post-deploy keyword in ACs |
+| 28 | P16 Feature missing from tracker | PASS | feature in Features table |
 
 **DRIFT: CLEAN** (or **DRIFT: N advisories — refresh before merge**)
 
 ### Combined verdict
 
-- Both PASS → **READY FOR MERGE** (compliance 11/11, drift clean)
+- Both PASS → **READY FOR MERGE** (compliance 12/12, drift clean)
 - Structural fail → **NEEDS FIX — N structural blockers** (any drift noted separately)
 - Structural pass + drift advisories → **READY FOR MERGE PENDING DRIFT CLEANUP — N advisories**
 ```
 
+**Recipe-output verbatim rule** (added v0.19.0): When filling Detail columns of either the structural or drift tables, use the **literal output of the corresponding recipe** — do not normalize, summarize, or smooth values. Specifically:
+- Numeric ratios (`N/M`): preserve as emitted. `18/19` MUST NOT become `18/18` even when N < M.
+- MCE row 1 claim text: when a check (e.g. P6) references it in its Detail message, quote it verbatim including parentheticals such as `(AC19 deploy-deferred)` or `(operator action pending)`. Do not strip qualifiers.
+- "Form" annotations (e.g. P6 emits `(form: header)` or `(form: checkbox)`): preserve them so the reader can tell which AC form the ticket used.
+- `N/A` reasons: quote the literal reason emitted by the recipe (`no PR open`, `gh CLI unavailable`, `jq unavailable`, `not checked pre-merge`).
+
+This rule exists because an LLM auditor, given header-form tickets where checkbox count is 0, will hallucinate `18/18` to "agree" with the MCE row 1 claim. The recipe says `0` and the MCE says `18/19`; the audit Detail must reflect both honestly so the reader can spot the form mismatch.
+
 ### If issues are found
 
 Fix them directly:
@@ -354,8 +440,9 @@ Fix them directly:
 - Tracker stale → update Active Session and Features table
 - Merge base diverged → `git merge origin/<target-branch>` and resolve conflicts
 - Data file issues → fix the data
+- CI failures (C3) → re-run failed jobs after addressing root cause; do NOT merge while `ci-success` is BLOCKED
 
-**Drift advisories (12-27) fixes:**
+**Drift advisories (13-28) fixes:**
 - **P1 (PR body test count stale)** → edit PR body "Quality Gates" / "npm test" line to match ticket terminal count; add "(+N new tests)" delta note
 - **P2 (Aspirational Evidence)** → rewrite `[x]` rows with past-tense text + commit SHA + concrete numbers
 - **P3 (Post-merge action unlogged)** → add a Completion Log row documenting the post-merge execution with date + action + empirical result

package/template/.claude/skills/development-workflow/references/merge-checklist.md

@@ -74,6 +74,14 @@ In the ticket, fill the `## Merge Checklist Evidence` table. For each action (0
 
 **Canonical form for the AC count claim:** write `AC: <marked>/<total>` — `marked` is the count of `[x]` Acceptance Criteria, `total` is the count of all AC items including any intentionally deferred `[ ]`. When all are checked use the matching form `AC: N/N` (or the shorthand `all N marked`). The `/audit-merge` P6 drift check parses both forms.
 
+**Sub-scope ticket naming convention (recognized by `/audit-merge` P11 since v0.18.4):** when a feature is too large to close in one ticket, split it into sub-scope tickets using one of these suffixes on the basename:
+
+- `<FEATURE_ID>-lite-<descriptor>.md` — minimal viable closure of a partial scope (e.g. `F116-lite-ci-hardening.md`)
+- `<FEATURE_ID>-FU.md` — single follow-up closing a deferred piece
+- `<FEATURE_ID>-FU<N>.md` — numbered follow-ups (e.g. `F-H7-FU1.md`, `F-H10-FU2.md`)
+
+Sub-scope tickets reach `Status: Done` independently while the parent feature's tracker row stays at its parent status (typically `pending` or `in-progress`) until ALL sub-scopes close. `/audit-merge` P11 detects the suffix and emits `P11 N/A` instead of flagging the parent/sub-scope status divergence as drift.
+
 ## Action 9: Run compliance audit
 
 Run `/audit-merge` to verify all compliance checks pass automatically. If any check fails, fix it and re-run until all pass.

package/template/.gemini/agents/code-review-specialist.md

@@ -19,6 +19,7 @@ Then go beyond checklist review — actively try to break the implementation:
 - What happens under concurrent requests? Race conditions?
 - What data could a malicious user inject?
 - What if a transaction fails midway or cache is stale?
+- **Defensive guards**: For every `if (cond)` / `if (!cond)` / SQL `WHERE` predicate / type-narrowing check that exists "to prevent X", trace the boolean with three concrete value scenarios — (a) the danger case the guard targets, (b) a normal/expected case, (c) an edge case (null/0/empty/duplicate). Does the guard fire ONLY on the danger case? Common failure: a defensive predicate is written that fires on the SAFE case and skips the DANGER case (boolean inverted). Treat any guard whose conditions you cannot mentally trace through values as a critical-review item — request author justification or write the trace yourself.
 
 ## Output Format
 

package/template/.gemini/commands/audit-merge-instructions.md

@@ -48,11 +48,51 @@ If DIVERGED, flag as FAIL with instruction to merge target branch first.
 
 Run only if `git diff origin/<target-branch>..HEAD --name-only` shows `.json` files in seed-data or fixtures directories.
 
+**12. CI State** (added v0.19.0) — Verify GitHub Actions / CI checks for the current PR show no FAILURE / ERROR / CANCELLED / TIMED_OUT conclusion. PENDING is acceptable (still running). Emits distinct `N/A` messages when `gh` is unavailable, `jq` is unavailable, or no PR is open for the current branch — these are not blockers. Empirical motivation: F107a (PR #279) shipped with `ci-success` BLOCKED on 3 real failures (test-api lint, test-web build, branch-protection gate); the agent claimed "CI: green" without verification. C3 makes the claim auditable structurally.
+```bash
+if ! command -v gh >/dev/null 2>&1; then
+  echo "C3 N/A: gh CLI unavailable"
+elif ! command -v jq >/dev/null 2>&1; then
+  echo "C3 N/A: jq unavailable"
+else
+  # In GitHub Actions `pull_request` jobs, `actions/checkout` defaults to a
+  # detached HEAD (no branch context), so `gh pr view` with no arg cannot
+  # resolve "the PR for the current branch". Read the PR number from
+  # GITHUB_REF (`refs/pull/<N>/merge`) when available so C3 still queries
+  # the right PR. Local runs (no GITHUB_REF) keep the no-arg behavior.
+  PR_NUM_FROM_CI=""
+  if [ -n "${GITHUB_REF:-}" ]; then
+    PR_NUM_FROM_CI=$(printf '%s' "$GITHUB_REF" | sed -n 's@^refs/pull/\([0-9]\{1,\}\)/.*@\1@p')
+  fi
+  if [ -n "$PR_NUM_FROM_CI" ]; then
+    PR_JSON=$(gh pr view "$PR_NUM_FROM_CI" --json number,statusCheckRollup 2>/dev/null || true)
+  else
+    PR_JSON=$(gh pr view --json number,statusCheckRollup 2>/dev/null || true)
+  fi
+  if [ -z "$PR_JSON" ]; then
+    echo "C3 N/A: no PR open for current branch"
+  else
+    PR_NUM=$(echo "$PR_JSON" | jq -r '.number // "unknown"')
+    FAILURES=$(echo "$PR_JSON" | jq -r '
+      .statusCheckRollup[]?
+      | select((.conclusion // .status) as $s
+        | $s == "FAILURE" or $s == "ERROR" or $s == "CANCELLED" or $s == "TIMED_OUT")
+      | .name // .context
+    ' | sort -u)
+    if [ -n "$FAILURES" ]; then
+      flag "C3 BLOCKER: PR #$PR_NUM has failing checks — $(echo "$FAILURES" | tr '\n' ',' | sed 's/,$//')"
+    else
+      echo "C3 PASS: PR #$PR_NUM — all checks pass or pending"
+    fi
+  fi
+fi
+```
+
 ### Drift Checks (added v0.18.0) — ADVISORY, not blocking
 
-Eleven empirically-validated drift patterns. Failures are NOT blockers for the compliance verdict, but MUST be refreshed before requesting user authorization. Use BSD-grep-compatible regex (no `\K`).
+Sixteen empirically-validated drift patterns. Failures are NOT blockers for the compliance verdict, but MUST be refreshed before requesting user authorization. Use BSD-grep-compatible regex (no `\K`).
 
-**12. P1 — PR body test count stale (v0.18.3 multi-workspace extension — C1).** All PR-body ratios must appear in ticket evidence. Subset direction: PR ⊆ ticket. Three fallback cases: (a) ratios on both sides → walk each PR ratio; (b)/(c) missing on either side → emit `P1 N/A`.
+**13. P1 — PR body test count stale (v0.18.3 multi-workspace extension — C1).** All PR-body ratios must appear in ticket evidence. Subset direction: PR ⊆ ticket. Three fallback cases: (a) ratios on both sides → walk each PR ratio; (b)/(c) missing on either side → emit `P1 N/A`.
 ```bash
 TEST_KW_RE='(npm test|pnpm test|tests?[^|]*[0-9]|[*: ]tests?[*: ]+[0-9])'
 PR_BODY=$(gh pr view --json body -q .body 2>/dev/null || true)
@@ -69,14 +109,14 @@ else
 fi
 ```
 
-**13. P2 — Merge Checklist Evidence aspirational.** `[x]` rows with future-tense text.
+**14. P2 — Merge Checklist Evidence aspirational.** `[x]` rows with future-tense text.
 ```bash
 awk '/^## Merge Checklist Evidence/{flag=1; next} /^## /{flag=0} flag' "$TICKET" \
   | grep -E '^\|.*\[x\].*(to be |will |pending|TBD|Will be |to be created|next commit|aspirational)' \
   && flag "P2 drift: aspirational row(s) found"
 ```
 
-**14. P3 — Post-merge actions not logged** (post-merge only).
+**15. P3 — Post-merge actions not logged** (post-merge only).
 ```bash
 # Strip checkbox prefix before comparison; use grep -Fq fixed-string match.
 grep -E "^- \[ \].*(post-merge|operator|prod rollout|pending verification)" "$TICKET" \
@@ -89,14 +129,14 @@ while IFS= read -r item; do
 done < /tmp/pm_items.txt
 ```
 
-**15. P4 — Remote branch orphan.**
+**16. P4 — Remote branch orphan.**
 ```bash
 BRANCH=$(grep -oE '\*\*[Bb]ranch:\*\*[[:space:]]*[^[:space:]|()]+' "$TICKET" | head -1 | sed -E 's/^\*\*[Bb]ranch:\*\*[[:space:]]*//')
 git fetch origin --prune --quiet
 git ls-remote --heads origin "$BRANCH" 2>/dev/null | grep -q refs/heads && flag "P4 drift: remote branch $BRANCH still exists (run: git push origin --delete $BRANCH)"
 ```
 
-**16. P5 — Frozen ticket Status post-merge.** Multi-word status via sed char class, not `\w+`.
+**17. P5 — Frozen ticket Status post-merge.** Multi-word status via sed char class, not `\w+`.
 ```bash
 FROZEN_COUNT=0
 for t in docs/tickets/*.md; do
@@ -114,30 +154,49 @@ done
 [ "$FROZEN_COUNT" -eq 1 ] && flag "P5 drift: 1 frozen ticket"
 ```
 
-**17. P6 — AC count off-by-N.** Two claim forms supported: `all N marked` (N = total) and `AC: X/Y done` (X = marked, Y = total — handles deferred ACs where Y > X).
+**18. P6 — AC count off-by-N (header-form aware since v0.19.0).** Supports two AC forms: `[x]`/`[ ]` checkbox form and `### AC<N>` header form. Headers authoritative when present (≥ 1). A header is "deferred" when its body contains `**Status**: Deferred|Pending|Skipped|Blocked` before the next `### `. Two claim shapes: `all N marked` and `AC: X/Y done`. v0.19.0 drops the v0.18.3 `-ge 2` tolerance — exact-match (off-by-1 advisories surface).
 ```bash
 AC_BLOCK=$(awk '/^## Acceptance Criteria/,/^## Definition of Done/' "$TICKET")
-ACTUAL_TOTAL=$(echo "$AC_BLOCK" | grep -cE "^- \[[x ]\]")
-ACTUAL_MARKED=$(echo "$AC_BLOCK" | grep -cE "^- \[x\]")
+HEADER_ACS=$(echo "$AC_BLOCK" | grep -cE '^### AC[0-9]+')
+
+if [ "$HEADER_ACS" -gt 0 ]; then
+  ACTUAL_TOTAL=$HEADER_ACS
+  # Per-AC pass: emit one line per AC ("marked" or "deferred"). Then count.
+  PER_AC=$(echo "$AC_BLOCK" | awk '
+    function flush() { if (have) { print (deferred ? "deferred" : "marked"); have=0; deferred=0 } }
+    /^### AC[0-9]+/ { flush(); have=1; next }
+    /^## / { flush(); next }
+    have && /^\*\*Status\*\*:[[:space:]]*(Deferred|Pending|Skipped|Blocked)/ { deferred=1 }
+    END { flush() }
+  ')
+  ACTUAL_MARKED=$(printf '%s\n' "$PER_AC" | grep -c '^marked$' || true)
+else
+  ACTUAL_TOTAL=$(echo "$AC_BLOCK" | grep -cE "^- \[[x ]\]")
+  ACTUAL_MARKED=$(echo "$AC_BLOCK" | grep -cE "^- \[x\]")
+fi
+
 CLAIM_LINE=$(grep -oE 'all [0-9]+ marked|AC: [0-9]+/[0-9]+' "$TICKET" | head -1)
 if echo "$CLAIM_LINE" | grep -qE '^AC: [0-9]+/[0-9]+'; then
   CLAIMED_MARKED=$(echo "$CLAIM_LINE" | grep -oE '[0-9]+' | head -1)
   CLAIMED_TOTAL=$(echo "$CLAIM_LINE" | grep -oE '[0-9]+' | tail -1)
   [ -n "$CLAIMED_TOTAL" ] && [ "$CLAIMED_TOTAL" != "$ACTUAL_TOTAL" ] \
-    && [ $((ACTUAL_TOTAL - CLAIMED_TOTAL)) -ge 2 -o $((CLAIMED_TOTAL - ACTUAL_TOTAL)) -ge 2 ] \
-    && flag "P6 drift: claim AC total '$CLAIMED_TOTAL' vs actual total $ACTUAL_TOTAL"
+    && flag "P6 drift: claim AC total '$CLAIMED_TOTAL' vs actual total $ACTUAL_TOTAL (form: $([ "$HEADER_ACS" -gt 0 ] && echo header || echo checkbox))"
   [ -n "$CLAIMED_MARKED" ] && [ "$CLAIMED_MARKED" != "$ACTUAL_MARKED" ] \
-    && [ $((ACTUAL_MARKED - CLAIMED_MARKED)) -ge 2 -o $((CLAIMED_MARKED - ACTUAL_MARKED)) -ge 2 ] \
-    && flag "P6 drift: claim AC marked '$CLAIMED_MARKED' vs actual marked $ACTUAL_MARKED"
+    && flag "P6 drift: claim AC marked '$CLAIMED_MARKED' vs actual marked $ACTUAL_MARKED (form: $([ "$HEADER_ACS" -gt 0 ] && echo header || echo checkbox))"
 elif [ -n "$CLAIM_LINE" ]; then
   CLAIMED=$(echo "$CLAIM_LINE" | grep -oE '[0-9]+' | head -1)
-  [ -n "$CLAIMED" ] && [ "$CLAIMED" != "$ACTUAL_TOTAL" ] \
-    && [ $((ACTUAL_TOTAL - CLAIMED)) -ge 2 -o $((CLAIMED - ACTUAL_TOTAL)) -ge 2 ] \
-    && flag "P6 drift: 'all $CLAIMED marked' vs actual AC count $ACTUAL_TOTAL"
+  if [ -n "$CLAIMED" ]; then
+    [ "$CLAIMED" != "$ACTUAL_TOTAL" ] \
+      && flag "P6 drift: 'all $CLAIMED marked' vs actual AC total $ACTUAL_TOTAL (form: $([ "$HEADER_ACS" -gt 0 ] && echo header || echo checkbox))"
+    # `all N marked` IMPLIES all ACs are marked; flag when actual marked < N
+    # (e.g. some ACs deferred via `**Status**: Deferred` or unchecked `[ ]`).
+    [ "$CLAIMED" != "$ACTUAL_MARKED" ] \
+      && flag "P6 drift: 'all $CLAIMED marked' but only $ACTUAL_MARKED actually marked (form: $([ "$HEADER_ACS" -gt 0 ] && echo header || echo checkbox))"
+  fi
 fi
 ```
 
-**18. P7 — Test count drift within ticket (final-sections only).**
+**19. P7 — Test count drift within ticket (final-sections only).**
 ```bash
 TERMINAL=$(awk '/^## Completion Log/,/^## Merge Checklist/' "$TICKET" | grep -iE "(test|pass|green)" | grep -oE "[0-9]+/[0-9]+" | tail -1)
 AC=$(awk '/^## Acceptance Criteria/,/^## Definition of Done/' "$TICKET")
@@ -148,7 +207,7 @@ for n in $FINAL_NUMS; do
 done
 ```
 
-**19. P8 — Completion Log gap vs Workflow Checklist.**
+**20. P8 — Completion Log gap vs Workflow Checklist.**
 ```bash
 WORKFLOW=$(awk '/^## Workflow Checklist/,/^## Completion Log/' "$TICKET")
 COMPLETION=$(awk '/^## Completion Log/,/^## Merge Checklist/' "$TICKET")
@@ -159,7 +218,7 @@ while read -r step_num; do
 done <<< "$CHECKED_STEPS"
 ```
 
-**20. P9 — Tracker header stale.**
+**21. P9 — Tracker header stale.**
 ```bash
 TRACKER=docs/project_notes/product-tracker.md
 HEADER_STEP=$(grep '^\*\*Last Updated:\*\*' "$TRACKER" | grep -oE '(Step )?[0-9]+/6' | head -1 | sed -E 's/^Step //')
@@ -168,7 +227,7 @@ DETAIL_STEP=$(grep -A 1 '^\*\*Active Feature:\*\*' "$TRACKER" | grep -oE '(Step
   && flag "P9 drift: tracker header says $HEADER_STEP, Active Feature says $DETAIL_STEP"
 ```
 
-**21. P10 — Duplicate Completion Log rows.**
+**22. P10 — Duplicate Completion Log rows.**
 ```bash
 awk -F'|' '/^\| [0-9]{4}-[0-9]{2}-[0-9]{2}/ {
   key = $2 "|" $3 "|" substr($4, 1, 80)
@@ -178,7 +237,7 @@ awk -F'|' '/^\| [0-9]{4}-[0-9]{2}-[0-9]{2}/ {
   | while read -r dup; do flag "P10 drift: duplicate Completion Log row: $dup"; done
 ```
 
-**22. P11 — Tracker Features table status vs ticket Status mismatch.**
+**23. P11 — Tracker Features table status vs ticket Status mismatch.**
 ```bash
 TICKET_STATUS=$(grep -E "^\*\*Status:\*\*" "$TICKET" | head -1 \
     | sed -E 's/^\*\*Status:\*\*[[:space:]]*\*?\*?//' \
@@ -186,18 +245,36 @@ TICKET_STATUS=$(grep -E "^\*\*Status:\*\*" "$TICKET" | head -1 \
     | sed -E 's/[[:space:]]+(\(.*\)|—.*|–.*|-.*)$//' \
     | sed -E 's/\*\*[[:space:]]*$//' \
     | sed -E 's/[[:space:]]+$//')
-FEATURE_ID=$(basename "$TICKET" .md | sed -E 's/-[a-z].*//')
-TRACKER_STATUS=$(grep -F "$FEATURE_ID" docs/project_notes/product-tracker.md | grep -oE "\| (in-progress|done|pending|blocked) \|" | head -1 | sed -E 's/\| ([a-z-]+) \|/\1/')
-case "$TICKET_STATUS" in
-  "Ready for Merge"|"Review"|"In Progress"|"Planning"|"Spec") EXPECTED="in-progress" ;;
-  "Done") EXPECTED="done" ;;
-  *) EXPECTED="" ;;
+TICKET_BASENAME=$(basename "$TICKET" .md)
+# v0.18.4 P11-B: sub-scope tickets (-lite / -FU / -FU[0-9]*) close a partial
+# scope of a parent feature; the parent tracker row stays at its parent status
+# (typically `pending` or `in-progress`) while the sub-scope ticket reaches
+# `Done`. P11 must NOT enforce status mapping across this boundary. Pattern
+# scope: empirically derived from fx convention (uppercase -FU + -lite). If
+# future projects introduce -spike / -mini / -aux variants, expand here.
+case "$TICKET_BASENAME" in
+  *-lite|*-lite-*|*-FU|*-FU-*|*-FU[0-9]*)
+    echo "P11 N/A: $TICKET_BASENAME is a sub-scope ticket — parent tracker row status independent" >&2
+    ;;
+  *)
+    FEATURE_ID=$(echo "$TICKET_BASENAME" | sed -E 's/-[a-z].*//')
+    # v0.18.4 P11-B drive-by hardening: anchor tracker lookup to pipe-table row
+    # (FEATURE_ID as first cell). Mirrors v0.18.3 P16 idiom — prevents narrative
+    # mentions earlier in the tracker from silencing or false-firing the check.
+    TRACKER_STATUS=$(grep -E "^\|[[:space:]]*$FEATURE_ID[[:space:]]*\|" docs/project_notes/product-tracker.md \
+        | grep -oE "\| (in-progress|done|pending|blocked) \|" | head -1 | sed -E 's/\| ([a-z-]+) \|/\1/')
+    case "$TICKET_STATUS" in
+      "Ready for Merge"|"Review"|"In Progress"|"Planning"|"Spec") EXPECTED="in-progress" ;;
+      "Done") EXPECTED="done" ;;
+      *) EXPECTED="" ;;
+    esac
+    [ -n "$EXPECTED" ] && [ -n "$TRACKER_STATUS" ] && [ "$TRACKER_STATUS" != "$EXPECTED" ] \
+      && flag "P11 drift: ticket Status='$TICKET_STATUS' expects tracker='$EXPECTED' but tracker='$TRACKER_STATUS'"
+    ;;
 esac
-[ -n "$EXPECTED" ] && [ -n "$TRACKER_STATUS" ] && [ "$TRACKER_STATUS" != "$EXPECTED" ] \
-  && flag "P11 drift: ticket Status='$TICKET_STATUS' expects tracker='$EXPECTED' but tracker='$TRACKER_STATUS'"
 ```
 
-**23. P12 — Tracker HEAD references stale (added v0.18.2).** The `**Last Updated:**` and `**Active Feature:**` lines may embed `HEAD <sha>` or `HEAD: <sha>` references that were correct when written but went stale as further commits landed (empirically observed in fx F-WEB-MENU-VISION-001 audit cycle 2026-05-06: tracker said `HEAD: fd752e4` while `git rev-parse HEAD` was `6fa801e` after the agent's own self-edit commit). Compare each extracted SHA against the active branch HEAD. Bidirectional prefix tolerance: a 7-char tracker SHA matches the full 40-char actual HEAD if it's a prefix; a full 40-char tracker SHA matches if its first 7 chars equal the actual short form. Scoped strictly to the two header lines so narrative SHAs in "Last Completed" prose never false-positive-fire.
+**24. P12 — Tracker HEAD references stale (added v0.18.2).** The `**Last Updated:**` and `**Active Feature:**` lines may embed `HEAD <sha>` or `HEAD: <sha>` references that were correct when written but went stale as further commits landed (empirically observed in fx F-WEB-MENU-VISION-001 audit cycle 2026-05-06: tracker said `HEAD: fd752e4` while `git rev-parse HEAD` was `6fa801e` after the agent's own self-edit commit). Compare each extracted SHA against the active branch HEAD. Bidirectional prefix tolerance: a 7-char tracker SHA matches the full 40-char actual HEAD if it's a prefix; a full 40-char tracker SHA matches if its first 7 chars equal the actual short form. Scoped strictly to the two header lines so narrative SHAs in "Last Completed" prose never false-positive-fire.
 ```bash
 TRACKER=docs/project_notes/product-tracker.md
 if [ -f "$TRACKER" ]; then
@@ -217,7 +294,7 @@ if [ -f "$TRACKER" ]; then
 fi
 ```
 
-**24. P13 — key_facts delta vs ticket atom-count mismatch (added v0.18.3).** Whitespace-safe iteration + FEATURE_ID anchoring.
+**25. P13 — key_facts delta vs ticket atom-count mismatch (added v0.18.3).** Whitespace-safe iteration + FEATURE_ID anchoring.
 ```bash
 KEY_FACTS=docs/project_notes/key_facts.md
 if [ -f "$KEY_FACTS" ]; then
@@ -233,7 +310,7 @@ if [ -f "$KEY_FACTS" ]; then
 fi
 ```
 
-**25. P14 — MCE Action 1 row stale post-merge (added v0.18.3).** Strict awk state machine terminates MCE block at NEXT `^## ` of any name (not `[^M]`). Strict signal `Step 6 [ ]` / `Step 6 [-]` only — standalone `(this merge)` omitted to prevent false positives on past-tense narrative. Reuses `TICKET_STATUS` from P11. NIT severity.
+**26. P14 — MCE Action 1 row stale post-merge (added v0.18.3).** Strict awk state machine terminates MCE block at NEXT `^## ` of any name (not `[^M]`). Strict signal `Step 6 [ ]` / `Step 6 [-]` only — standalone `(this merge)` omitted to prevent false positives on past-tense narrative. Reuses `TICKET_STATUS` from P11. NIT severity.
 ```bash
 if [ "$TICKET_STATUS" = "Done" ]; then
   MCE_BLOCK=$(awk '
@@ -247,7 +324,7 @@ if [ "$TICKET_STATUS" = "Done" ]; then
 fi
 ```
 
-**26. P15 — AC with post-deploy keyword admitted without Completion Log evidence (added v0.18.3).** Line-safe iteration via `while IFS= read -r`.
+**27. P15 — AC with post-deploy keyword admitted without Completion Log evidence (added v0.18.3).** Line-safe iteration via `while IFS= read -r`.
 ```bash
 COMPLETION=$(awk '/^## Completion Log/,/^## Merge Checklist/' "$TICKET")
 AC_LINES=$(grep -nE '^[[:space:]]*-[[:space:]]*\[[ x]\][[:space:]]+AC-[A-Za-z0-9_-]+' "$TICKET" \
@@ -263,7 +340,7 @@ while IFS= read -r line; do
 done <<< "$AC_LINES"
 ```
 
-**27. P16 — Feature missing from Features table (added v0.18.3).** Strict signal: feature ID must appear as first cell of a pipe-table row (`| FEATURE_ID |`) — narrative mentions / `**Active Feature:**` references must not silence the drift. NIT severity. Reuses `TICKET_STATUS` and `FEATURE_ID` from P11.
+**28. P16 — Feature missing from Features table (added v0.18.3).** Strict signal: feature ID must appear as first cell of a pipe-table row (`| FEATURE_ID |`) — narrative mentions / `**Active Feature:**` references must not silence the drift. NIT severity. Reuses `TICKET_STATUS` and `FEATURE_ID` from P11.
 ```bash
 TRACKER=docs/project_notes/product-tracker.md
 case "$TICKET_STATUS" in
@@ -298,7 +375,7 @@ Report two tables — one for **structural (blocking)** compliance, one for **dr
 ```
 ## Merge Compliance Audit — [FEATURE-ID]
 
-### Structural (1-11) — blocking merge gate
+### Structural (1-12) — blocking merge gate
 
 | # | Check | Status | Detail |
 |---|-------|:------:|--------|
@@ -313,39 +390,48 @@ Report two tables — one for **structural (blocking)** compliance, one for **dr
 | 9 | Merge Base | PASS | Up to date with develop |
 | 10 | Working Tree | PASS | Clean |
 | 11 | Data Files | PASS | N/A — no JSON seed files |
+| 12 | CI State | PASS | PR #123 — all checks pass or pending |
 
 **STRUCTURAL: READY FOR MERGE** (or **STRUCTURAL: NEEDS FIX — N blockers**)
 
-### Drift (12-27) — advisory, refresh before user authorization
+### Drift (13-28) — advisory, refresh before user authorization
 
 | # | Pattern | Status | Detail |
 |---|---------|:------:|--------|
-| 12 | P1 PR body test count stale | PASS | matches ticket terminal |
-| 13 | P2 Aspirational Evidence rows | PASS | all past-tense |
-| 14 | P3 Post-merge actions logged | PASS | N/A pre-merge |
-| 15 | P4 Remote branch orphan | PASS | not checked pre-merge |
-| 16 | P5 Frozen ticket Status | PASS | 0 frozen |
-| 17 | P6 AC count off-by-N | PASS | claim matches actual |
-| 18 | P7 Intra-ticket test drift | PASS | final = terminal |
-| 19 | P8 Completion Log gap | PASS | every [x] step has narrative |
-| 20 | P9 Tracker header stale | PASS | header = detail |
-| 21 | P10 Duplicate log rows | PASS | no duplicates |
-| 22 | P11 Tracker status mismatch | PASS | status consistent |
-| 23 | P12 Tracker HEAD reference | PASS | tracker HEAD = git HEAD |
-| 24 | P13 key_facts delta mismatch | PASS | N/A — no quantified deltas |
-| 25 | P14 MCE Action 1 stale post-merge | PASS | N/A pre-merge / row past-tense |
-| 26 | P15 Post-deploy AC without evidence | PASS | no post-deploy keyword in ACs |
-| 27 | P16 Feature missing from tracker | PASS | feature in Features table |
+| 13 | P1 PR body test count stale | PASS | matches ticket terminal |
+| 14 | P2 Aspirational Evidence rows | PASS | all past-tense |
+| 15 | P3 Post-merge actions logged | PASS | N/A pre-merge |
+| 16 | P4 Remote branch orphan | PASS | not checked pre-merge |
+| 17 | P5 Frozen ticket Status | PASS | 0 frozen |
+| 18 | P6 AC count off-by-N | PASS | claim matches actual (form: header) |
+| 19 | P7 Intra-ticket test drift | PASS | final = terminal |
+| 20 | P8 Completion Log gap | PASS | every [x] step has narrative |
+| 21 | P9 Tracker header stale | PASS | header = detail |
+| 22 | P10 Duplicate log rows | PASS | no duplicates |
+| 23 | P11 Tracker status mismatch | PASS | status consistent |
+| 24 | P12 Tracker HEAD reference | PASS | tracker HEAD = git HEAD |
+| 25 | P13 key_facts delta mismatch | PASS | N/A — no quantified deltas |
+| 26 | P14 MCE Action 1 stale post-merge | PASS | N/A pre-merge / row past-tense |
+| 27 | P15 Post-deploy AC without evidence | PASS | no post-deploy keyword in ACs |
+| 28 | P16 Feature missing from tracker | PASS | feature in Features table |
 
 **DRIFT: CLEAN** (or **DRIFT: N advisories — refresh before merge**)
 
 ### Combined verdict
 
-- Both PASS → **READY FOR MERGE**
+- Both PASS → **READY FOR MERGE** (compliance 12/12, drift clean)
 - Structural fail → **NEEDS FIX — N blockers**
 - Structural pass + drift advisories → **READY FOR MERGE PENDING DRIFT CLEANUP — N advisories**
 ```
 
+**Recipe-output verbatim rule** (added v0.19.0): When filling Detail columns of either the structural or drift tables, use the **literal output of the corresponding recipe** — do not normalize, summarize, or smooth values. Specifically:
+- Numeric ratios (`N/M`): preserve as emitted. `18/19` MUST NOT become `18/18` even when N < M.
+- MCE row 1 claim text: when a check (e.g. P6) references it in its Detail message, quote it verbatim including parentheticals such as `(AC19 deploy-deferred)` or `(operator action pending)`. Do not strip qualifiers.
+- "Form" annotations (e.g. P6 emits `(form: header)` or `(form: checkbox)`): preserve them so the reader can tell which AC form the ticket used.
+- `N/A` reasons: quote the literal reason emitted by the recipe (`no PR open`, `gh CLI unavailable`, `jq unavailable`, `not checked pre-merge`).
+
+This rule exists because an LLM auditor, given header-form tickets where checkbox count is 0, will hallucinate `18/18` to "agree" with the MCE row 1 claim. The recipe says `0` and the MCE says `18/19`; the audit Detail must reflect both honestly so the reader can spot the form mismatch.
+
 ### If issues are found
 
 Fix them directly:
@@ -354,8 +440,9 @@ Fix them directly:
 - Tracker stale → update Active Session and Features table
 - Merge base diverged → `git merge origin/<target-branch>` and resolve conflicts
 - Data file issues → fix the data
+- CI failures (C3) → re-run failed jobs after addressing root cause; do NOT merge while `ci-success` is BLOCKED
 
-**Drift advisories (12-27) fixes:**
+**Drift advisories (13-28) fixes:**
 - **P1** → edit PR body npm test line to match ticket terminal count
 - **P2** → rewrite `[x]` rows with past-tense + commit SHA
 - **P3** → add Completion Log row for each post-merge execution

package/template/.gemini/skills/development-workflow/references/merge-checklist.md

@@ -74,6 +74,14 @@ In the ticket, fill the `## Merge Checklist Evidence` table. For each action (0
 
 **Canonical form for the AC count claim:** write `AC: <marked>/<total>` — `marked` is the count of `[x]` Acceptance Criteria, `total` is the count of all AC items including any intentionally deferred `[ ]`. When all are checked use the matching form `AC: N/N` (or the shorthand `all N marked`). The `/audit-merge` P6 drift check parses both forms.
 
+**Sub-scope ticket naming convention (recognized by `/audit-merge` P11 since v0.18.4):** when a feature is too large to close in one ticket, split it into sub-scope tickets using one of these suffixes on the basename:
+
+- `<FEATURE_ID>-lite-<descriptor>.md` — minimal viable closure of a partial scope (e.g. `F116-lite-ci-hardening.md`)
+- `<FEATURE_ID>-FU.md` — single follow-up closing a deferred piece
+- `<FEATURE_ID>-FU<N>.md` — numbered follow-ups (e.g. `F-H7-FU1.md`, `F-H10-FU2.md`)
+
+Sub-scope tickets reach `Status: Done` independently while the parent feature's tracker row stays at its parent status (typically `pending` or `in-progress`) until ALL sub-scopes close. `/audit-merge` P11 detects the suffix and emits `P11 N/A` instead of flagging the parent/sub-scope status divergence as drift.
+
 ## Action 9: Run compliance audit
 
 Run `/audit-merge` to verify all compliance checks pass automatically. If any check fails, fix it and re-run until all pass.