create-sdd-project 0.18.4 → 0.20.0

package/README.md

@@ -312,7 +312,7 @@ SDD DevFlow combines three proven practices:
 | `/review-plan` | Cross-model plan review — runs automatically after plan self-review when external CLIs are available; catches implementation blind spots |
 | `/context-prompt` | Generates a context recovery prompt after `/compact` with Workflow Recovery to prevent checkpoint skipping |
 | `/review-project` | Comprehensive project-level review using up to 3 AI models in parallel — 6 domains, audit context, consolidated report with action plan |
-| `/audit-merge` | Automated compliance audit — 11 pre-merge checks (ticket, tracker, evidence, merge base, working tree, data files). Auto-fixes issues. |
+| `/audit-merge` | Automated compliance audit — 13 structural pre-merge checks (ticket, tracker, evidence, merge base, working tree, data files, CI state via `gh pr checks`, MCE Action 9 + Audit Merge Output) + 17 advisory drift patterns. Auto-fixes issues. |
 
 ### Spec & Plan Quality
 
@@ -372,7 +372,7 @@ Classify complexity for each (Simple / Standard / Complex):
 
 After classification, the loop runs autonomously: spec → plan → implement → review → merge for each feature, with all quality gates enforced.
 
-**9 guardrails** prevent runaway execution: max 5 features/session, circuit breaker (3 failures → stop), kill switch (`stop pm`), session lock, post-merge sanity check (`npm test`), rolling batch (1-3 features at a time), clean workspace validation, quality gates always on, `/audit-merge` auto-execution.
+**11 guardrails** prevent runaway execution: max 5 features/session, mandatory compact after 2 features, target-branch baseline check, intra-batch dependency check, circuit breaker (3 failures → stop), kill switch (`stop pm`), session lock, post-merge sanity check (`npm test`), rolling batch (1-3 features at a time), clean workspace validation, quality gates always on (`/audit-merge` included).
 
 **Recovery**: after `/compact` or terminal restart, run `continue pm` — the session state in `pm-session.md` tracks exactly where you left off.
 

package/lib/doctor.js

@@ -82,6 +82,9 @@ function runDoctor(cwd) {
   // 15. .sdd-meta.json structural integrity (v0.17.0)
   results.push(checkMetaJson(cwd, aiTools, projectType));
 
+  // 16. PM session coherence (v0.20.0) — pm-session.md SDD version vs current
+  results.push(checkSessionCoherence(cwd));
+
   return results;
 }
 
@@ -1179,7 +1182,94 @@ function checkMetaJson(cwd, aiTools, projectType) {
   };
 }
 
+/**
+ * checkSessionCoherence — v0.20.0 Item B (PM session SDD-version drift).
+ *
+ * If a PM session is in-progress AND its recorded "SDD version at start"
+ * differs from the currently-installed .sdd-version, emit WARN. The cached
+ * PM session context (system prompt + skill references loaded at session
+ * start) does NOT auto-refresh on SDD upgrade — only /compact reloads.
+ *
+ * Returns PASS if:
+ *   - No pm-session.md (no active session to check).
+ *   - pm-session.md has Status: done (terminated session).
+ *   - SDD version at start matches current .sdd-version.
+ *
+ * Returns WARN if:
+ *   - pm-session.md Status: in-progress AND versions differ.
+ *
+ * Returns PASS (N/A note) if pm-session.md exists but lacks the field
+ * (legacy session pre-v0.20.0; no actionable signal).
+ */
+function checkSessionCoherence(cwd) {
+  const pmSessionPath = path.join(cwd, 'docs', 'project_notes', 'pm-session.md');
+  const sddVersionPath = path.join(cwd, '.sdd-version');
+
+  if (!fs.existsSync(pmSessionPath)) {
+    return {
+      status: PASS,
+      message: 'PM session: none active (N/A)',
+      details: [],
+    };
+  }
+
+  if (!fs.existsSync(sddVersionPath)) {
+    // SDD not installed cleanly; let earlier checks flag this.
+    return {
+      status: PASS,
+      message: 'PM session coherence: N/A (no .sdd-version)',
+      details: [],
+    };
+  }
+
+  const sessionContent = fs.readFileSync(pmSessionPath, 'utf8');
+  const currentVersion = fs.readFileSync(sddVersionPath, 'utf8').trim();
+
+  const statusMatch = sessionContent.match(/^\*\*Status:\*\*\s*(\S+)/m);
+  if (!statusMatch || statusMatch[1].toLowerCase() !== 'in-progress') {
+    return {
+      status: PASS,
+      message: 'PM session: not in-progress (N/A)',
+      details: [],
+    };
+  }
+
+  const versionFieldMatch = sessionContent.match(
+    /^\*\*SDD version at start:\*\*\s*(\S+)/m,
+  );
+  if (!versionFieldMatch) {
+    return {
+      status: PASS,
+      message: 'PM session coherence: legacy session (no version field; v0.20.0+ records it)',
+      details: [
+        'Pre-v0.20.0 PM sessions did not record SDD version at start.',
+        'Drift detection unavailable for this session; consider /compact + continue pm to refresh.',
+      ],
+    };
+  }
+
+  const startVersion = versionFieldMatch[1];
+  if (startVersion === currentVersion) {
+    return {
+      status: PASS,
+      message: `PM session coherence: in sync (SDD ${currentVersion})`,
+      details: [],
+    };
+  }
+
+  return {
+    status: WARN,
+    message: `PM session coherence: SDD drift detected — session started under ${startVersion}, current ${currentVersion}`,
+    details: [
+      'Cached workflow references in this session may be stale.',
+      'Recommendation: run `/compact` then `continue pm` to reload templates.',
+      'See pm-orchestrator/SKILL.md "Session-coherence check" for details.',
+    ],
+  };
+}
+
 module.exports = {
   runDoctor,
   printResults,
+  checkSessionCoherence,
 };

package/lib/upgrade-generator.js

@@ -1329,6 +1329,36 @@ function generateUpgrade(config) {
     );
   }
 
+  // v0.20.0 Item B — upgrade-time PM session coherence advisory.
+  // If a pm-session.md is in-progress, the agent's cached context (loaded at
+  // session start under the prior SDD version) survives the upgrade in memory.
+  // Recommend /compact + continue pm to reload templates before next Step.
+  const pmSessionPath = path.join(config.projectDir, 'docs', 'project_notes', 'pm-session.md');
+  if (fs.existsSync(pmSessionPath)) {
+    try {
+      const sessionContent = fs.readFileSync(pmSessionPath, 'utf8');
+      const statusMatch = sessionContent.match(/^\*\*Status:\*\*\s*(\S+)/m);
+      if (statusMatch && statusMatch[1].toLowerCase() === 'in-progress') {
+        console.log('\n  ⚠ PM SESSION COHERENCE (v0.20.0):');
+        console.log(
+          '    An in-progress PM session was detected (docs/project_notes/pm-session.md).'
+        );
+        console.log(
+          '    The cached PM orchestrator context loaded under the prior SDD version'
+        );
+        console.log(
+          '    does NOT auto-refresh on this upgrade. Run `/compact` and then'
+        );
+        console.log(
+          '    `continue pm` to reload templates before resuming development work.'
+        );
+        console.log('    Doctor check #16 will WARN until /compact runs.');
+      }
+    } catch (_err) {
+      // best-effort advisory; never block the upgrade on read failure
+    }
+  }
+
   console.log(`\nNext: git add -A && git commit -m "chore: upgrade SDD DevFlow to ${newVersion}"\n`);
 }
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "create-sdd-project",
-  "version": "0.18.4",
+  "version": "0.20.0",
   "description": "Create a new SDD DevFlow project with AI-assisted development workflow",
   "bin": {
     "create-sdd-project": "bin/cli.js"

package/template/.claude/agents/code-review-specialist.md

@@ -35,6 +35,7 @@ Go beyond checklist review — actively try to break the implementation:
 - **Malicious input**: What data could a malicious user inject? Are all inputs validated at system boundaries?
 - **State corruption**: What if the database is slow, a transaction fails midway, or cache is stale?
 - **Missing validation**: Are values range-checked, type-checked, and null-checked before use?
+- **Defensive guards**: For every `if (cond)` / `if (!cond)` / SQL `WHERE` predicate / type-narrowing check that exists "to prevent X", trace the boolean with three concrete value scenarios — (a) the danger case the guard targets, (b) a normal/expected case, (c) an edge case (null/0/empty/duplicate). Does the guard fire ONLY on the danger case? Common failure: a defensive predicate is written that fires on the SAFE case and skips the DANGER case (boolean inverted). Treat any guard whose conditions you cannot mentally trace through values as a critical-review item — request author justification or write the trace yourself.
 
 ### 4. Categorize Findings
 

package/template/.claude/commands/audit-merge.md

@@ -48,11 +48,82 @@ If DIVERGED, flag as FAIL with instruction to merge target branch first.
 
 Run only if `git diff origin/<target-branch>..HEAD --name-only` shows `.json` files in seed-data or fixtures directories.
 
+**12. CI State** (added v0.19.0) — Verify GitHub Actions / CI checks for the current PR show no FAILURE / ERROR / CANCELLED / TIMED_OUT conclusion. PENDING is acceptable (still running). Emits distinct `N/A` messages when `gh` is unavailable, `jq` is unavailable, or no PR is open for the current branch — these are not blockers. Empirical motivation: F107a (PR #279) shipped with `ci-success` BLOCKED on 3 real failures (test-api lint, test-web build, branch-protection gate); the agent claimed "CI: green" without verification. C3 makes the claim auditable structurally.
+```bash
+if ! command -v gh >/dev/null 2>&1; then
+  echo "C3 N/A: gh CLI unavailable"
+elif ! command -v jq >/dev/null 2>&1; then
+  echo "C3 N/A: jq unavailable"
+else
+  # In GitHub Actions `pull_request` jobs, `actions/checkout` defaults to a
+  # detached HEAD (no branch context), so `gh pr view` with no arg cannot
+  # resolve "the PR for the current branch". Read the PR number from
+  # GITHUB_REF (`refs/pull/<N>/merge`) when available so C3 still queries
+  # the right PR. Local runs (no GITHUB_REF) keep the no-arg behavior.
+  PR_NUM_FROM_CI=""
+  if [ -n "${GITHUB_REF:-}" ]; then
+    PR_NUM_FROM_CI=$(printf '%s' "$GITHUB_REF" | sed -n 's@^refs/pull/\([0-9]\{1,\}\)/.*@\1@p')
+  fi
+  if [ -n "$PR_NUM_FROM_CI" ]; then
+    PR_JSON=$(gh pr view "$PR_NUM_FROM_CI" --json number,statusCheckRollup 2>/dev/null || true)
+  else
+    PR_JSON=$(gh pr view --json number,statusCheckRollup 2>/dev/null || true)
+  fi
+  if [ -z "$PR_JSON" ]; then
+    echo "C3 N/A: no PR open for current branch"
+  else
+    PR_NUM=$(echo "$PR_JSON" | jq -r '.number // "unknown"')
+    FAILURES=$(echo "$PR_JSON" | jq -r '
+      .statusCheckRollup[]?
+      | select((.conclusion // .status) as $s
+        | $s == "FAILURE" or $s == "ERROR" or $s == "CANCELLED" or $s == "TIMED_OUT")
+      | .name // .context
+    ' | sort -u)
+    if [ -n "$FAILURES" ]; then
+      flag "C3 BLOCKER: PR #$PR_NUM has failing checks — $(echo "$FAILURES" | tr '\n' ',' | sed 's/,$//')"
+    else
+      echo "C3 PASS: PR #$PR_NUM — all checks pass or pending"
+    fi
+  fi
+fi
+```
+
+**13. MCE Action 9 present** (D1, added v0.20.0) — Verify the ticket's `## Merge Checklist Evidence` table includes row 9 marked `[x]`, AND the dedicated `## Audit Merge Output` section below the MCE table has non-empty body content containing a structural-compliance signal (e.g. `Structural: 13/13 PASS` or `Verdict: APPROVE`). Stable ID `D1`. Empirical motivation: fx PR #299 F-WEB-HISTORY merged without `/audit-merge` having been run — MCE table contained Actions 0-8 only (no row 9). The prose instruction at `merge-checklist.md:87` ("Run /audit-merge to verify all compliance checks pass automatically") was easier to skip than a structural table row. D1 makes the skip falsifiable: row 9 stays unfilled if the audit didn't run.
+```bash
+ACTION_9_LINE=$(awk '/^## Merge Checklist Evidence/,/^---|^## (Audit Merge Output|Acceptance|$)/' "$TICKET" | grep -E '^\| 9\. ' | head -1)
+AUDIT_SECTION=$(awk '/^## Audit Merge Output/,/^## |^---|^\*Ticket/' "$TICKET")
+AUDIT_SECTION_BODY=$(printf '%s' "$AUDIT_SECTION" | sed '1d;$d' | grep -vE '^[[:space:]]*>' | tr -d '[:space:]')
+# Compliance signal: case-insensitive. Mirrors JS twin's `.*?` semantics so
+# `Structural: N/N PASS` (colon), `Structural — N/N` (em-dash), `Structural N/N`
+# (space) all match. The `/audit-merge` Output Format section MUST emit at least
+# one canonical signal per the Self-Verification Guarantee (see Output Format).
+COMPLIANCE_HIT=$(printf '%s' "$AUDIT_SECTION" | grep -ciE '(structural[^[:alnum:]]+[0-9]+/[0-9]+)|(\b13/13\b)|(\ball[[:space:]]+(checks[[:space:]]+)?pass)|(verdict[[:space:]]*:[[:space:]]*approve)')
+
+if [ -z "$ACTION_9_LINE" ] && [ -z "$AUDIT_SECTION" ]; then
+  # Legacy ticket predating v0.20.0 — neither row 9 NOR Audit Merge Output section exists.
+  # Emit N/A with migration hint instead of BLOCKER. Forward-looking: tickets created
+  # post-v0.20.0 will have at least the section header (from ticket-template.md), so
+  # legitimate skips still surface via the other branches below.
+  echo "D1 N/A: legacy ticket (no row 9 and no ## Audit Merge Output section) — add both per merge-checklist.md to comply with v0.20.0"
+elif [ -z "$ACTION_9_LINE" ]; then
+  flag "D1 BLOCKER: MCE Action 9 row missing (required since v0.20.0; ## Audit Merge Output section exists but row 9 not added to MCE table)"
+elif printf '%s' "$ACTION_9_LINE" | grep -qE '\| \[ \] \|'; then
+  flag "D1 BLOCKER: MCE Action 9 row unchecked — /audit-merge not run"
+elif [ -z "$AUDIT_SECTION_BODY" ]; then
+  flag "D1 BLOCKER: ## Audit Merge Output section missing or empty"
+elif [ "$COMPLIANCE_HIT" -eq 0 ]; then
+  flag "D1 BLOCKER: ## Audit Merge Output section present but no structural compliance signal (expect 'Structural: N/N PASS' or 'Verdict: APPROVE')"
+else
+  CHAR_COUNT=$(printf '%s' "$AUDIT_SECTION" | wc -c | tr -d ' ')
+  echo "D1 PASS: ## Audit Merge Output section pasted (~${CHAR_COUNT} chars)"
+fi
+```
+
 ### Drift Checks (added v0.18.0) — ADVISORY, not blocking
 
-Eleven empirically-validated drift patterns. Failures are NOT blockers for the compliance verdict, but MUST be refreshed before requesting user authorization (the user will otherwise catch them during audit and send the PR back). Each check has a concrete shell recipe — use BSD-grep-compatible regex (no `\K`).
+Sixteen empirically-validated drift patterns. Failures are NOT blockers for the compliance verdict, but MUST be refreshed before requesting user authorization (the user will otherwise catch them during audit and send the PR back). Each check has a concrete shell recipe — use BSD-grep-compatible regex (no `\K`).
 
-**12. P1 — PR body test count stale (v0.18.3 multi-workspace extension — C1).** The PR body's test ratios should all appear in ticket evidence (AC / DoD / Completion Log). Agents commonly open the PR at Step 4 and add tests during Step 5 review — the PR body numbers become stale. In monorepos with multiple workspaces (e.g. api, web, bot, scraper) the PR body may quote several `N/N` ratios; v0.18.3 walks them all instead of comparing only the first. Subset direction: PR ratios ⊆ ticket ratios (the ticket Completion Log is the more comprehensive record and accumulates intermediate per-step ratios that the PR body legitimately omits). Three fallback cases: (a) ≥ 1 ratio on each side → verify each PR ratio appears in ticket; (b) PR has ratios but ticket has none (or vice versa) → emit explicit `P1 N/A` note, no drift flag; (c) neither side has ratios → emit `P1 N/A` note.
+**14. P1 — PR body test count stale (v0.18.3 multi-workspace extension — C1).** The PR body's test ratios should all appear in ticket evidence (AC / DoD / Completion Log). Agents commonly open the PR at Step 4 and add tests during Step 5 review — the PR body numbers become stale. In monorepos with multiple workspaces (e.g. api, web, bot, scraper) the PR body may quote several `N/N` ratios; v0.18.3 walks them all instead of comparing only the first. Subset direction: PR ratios ⊆ ticket ratios (the ticket Completion Log is the more comprehensive record and accumulates intermediate per-step ratios that the PR body legitimately omits). Three fallback cases: (a) ≥ 1 ratio on each side → verify each PR ratio appears in ticket; (b) PR has ratios but ticket has none (or vice versa) → emit explicit `P1 N/A` note, no drift flag; (c) neither side has ratios → emit `P1 N/A` note.
 ```bash
 TEST_KW_RE='(npm test|pnpm test|tests?[^|]*[0-9]|[*: ]tests?[*: ]+[0-9])'
 PR_BODY=$(gh pr view --json body -q .body 2>/dev/null || true)
@@ -69,14 +140,14 @@ else
 fi
 ```
 
-**13. P2 — Merge Checklist Evidence rows aspirational.** Rows marked `[x]` with future-tense Evidence ("will land", "to be created", "pending", "next commit", "TBD") — the row claims done but the work hasn't happened yet.
+**15. P2 — Merge Checklist Evidence rows aspirational.** Rows marked `[x]` with future-tense Evidence ("will land", "to be created", "pending", "next commit", "TBD") — the row claims done but the work hasn't happened yet.
 ```bash
 awk '/^## Merge Checklist Evidence/{flag=1; next} /^## /{flag=0} flag' "$TICKET" \
   | grep -E '^\|.*\[x\].*(to be |will |pending|TBD|Will be |to be created|next commit|aspirational)' \
   && flag "P2 drift: aspirational row(s) found"
 ```
 
-**14. P3 — Post-merge actions not logged** (only fires if PR is MERGED and ticket Status is Done). Items marked as post-merge operator actions (AC / DoD / Test plan unchecked with post-merge keywords) should have a Completion Log row documenting execution.
+**16. P3 — Post-merge actions not logged** (only fires if PR is MERGED and ticket Status is Done). Items marked as post-merge operator actions (AC / DoD / Test plan unchecked with post-merge keywords) should have a Completion Log row documenting execution.
 ```bash
 # Strip checkbox prefix before comparison; use grep -Fq fixed-string match.
 grep -E "^- \[ \].*(post-merge|operator|prod rollout|pending verification)" "$TICKET" \
@@ -89,14 +160,14 @@ while IFS= read -r item; do
 done < /tmp/pm_items.txt
 ```
 
-**15. P4 — Remote branch orphan after "deleted".** Workflow Step 6 claims `[x] branch deleted` but origin still has the branch.
+**17. P4 — Remote branch orphan after "deleted".** Workflow Step 6 claims `[x] branch deleted` but origin still has the branch.
 ```bash
 BRANCH=$(grep -oE '\*\*[Bb]ranch:\*\*[[:space:]]*[^[:space:]|()]+' "$TICKET" | head -1 | sed -E 's/^\*\*[Bb]ranch:\*\*[[:space:]]*//')
 git fetch origin --prune --quiet
 git ls-remote --heads origin "$BRANCH" 2>/dev/null | grep -q refs/heads && flag "P4 drift: remote branch $BRANCH still exists (run: git push origin --delete $BRANCH)"
 ```
 
-**16. P5 — Frozen ticket Status post-merge.** Scan all tickets in `docs/tickets/`; flag any with Status ≠ Done whose ticket-ID appears in `git log --all --grep`. Multi-word Status values like "Ready for Merge" must be handled (use `sed -E` char class, not `\w+`).
+**18. P5 — Frozen ticket Status post-merge.** Scan all tickets in `docs/tickets/`; flag any with Status ≠ Done whose ticket-ID appears in `git log --all --grep`. Multi-word Status values like "Ready for Merge" must be handled (use `sed -E` char class, not `\w+`).
 ```bash
 FROZEN_COUNT=0
 for t in docs/tickets/*.md; do
@@ -114,30 +185,49 @@ done
 [ "$FROZEN_COUNT" -eq 1 ] && flag "P5 drift: 1 frozen ticket"
 ```
 
-**17. P6 — AC count off-by-N.** Merge Checklist Evidence row 1 claim diverges from actual count. Two canonical forms: `all N marked` (N = total, implies all are `[x]`) and `AC: X/Y done` (X = marked, Y = total — supports deferred ACs where Y > X intentionally). For `AC: X/Y` form, compare Y to actual total AND X to actual marked. For `all N marked` form, compare N to actual total.
+**19. P6 — AC count off-by-N (header-form aware since v0.19.0).** Merge Checklist Evidence row 1 claim diverges from actual count. Supports two canonical AC forms: `[x]`/`[ ]` checkbox form and `### AC<N>` header form. When header form is present (≥ 1 `### AC<N>` heading), headers are authoritative — checkbox sub-items under each header are NOT double-counted. A header is "deferred" (not marked) when its body contains `**Status**: Deferred|Pending|Skipped|Blocked` before the next `### ` or section terminator. Two MCE claim shapes: `all N marked` (N = total, implies all marked) and `AC: X/Y done` (X = marked, Y = total — supports deferred ACs where Y > X intentionally). v0.19.0 drops the v0.18.3 `-ge 2` tolerance — comparison is now exact-match (off-by-1 advisories surface).
 ```bash
 AC_BLOCK=$(awk '/^## Acceptance Criteria/,/^## Definition of Done/' "$TICKET")
-ACTUAL_TOTAL=$(echo "$AC_BLOCK" | grep -cE "^- \[[x ]\]")
-ACTUAL_MARKED=$(echo "$AC_BLOCK" | grep -cE "^- \[x\]")
+HEADER_ACS=$(echo "$AC_BLOCK" | grep -cE '^### AC[0-9]+')
+
+if [ "$HEADER_ACS" -gt 0 ]; then
+  ACTUAL_TOTAL=$HEADER_ACS
+  # Per-AC pass: emit one line per AC ("marked" or "deferred"). Then count.
+  PER_AC=$(echo "$AC_BLOCK" | awk '
+    function flush() { if (have) { print (deferred ? "deferred" : "marked"); have=0; deferred=0 } }
+    /^### AC[0-9]+/ { flush(); have=1; next }
+    /^## / { flush(); next }
+    have && /^\*\*Status\*\*:[[:space:]]*(Deferred|Pending|Skipped|Blocked)/ { deferred=1 }
+    END { flush() }
+  ')
+  ACTUAL_MARKED=$(printf '%s\n' "$PER_AC" | grep -c '^marked$' || true)
+else
+  ACTUAL_TOTAL=$(echo "$AC_BLOCK" | grep -cE "^- \[[x ]\]")
+  ACTUAL_MARKED=$(echo "$AC_BLOCK" | grep -cE "^- \[x\]")
+fi
+
 CLAIM_LINE=$(grep -oE 'all [0-9]+ marked|AC: [0-9]+/[0-9]+' "$TICKET" | head -1)
 if echo "$CLAIM_LINE" | grep -qE '^AC: [0-9]+/[0-9]+'; then
   CLAIMED_MARKED=$(echo "$CLAIM_LINE" | grep -oE '[0-9]+' | head -1)
   CLAIMED_TOTAL=$(echo "$CLAIM_LINE" | grep -oE '[0-9]+' | tail -1)
   [ -n "$CLAIMED_TOTAL" ] && [ "$CLAIMED_TOTAL" != "$ACTUAL_TOTAL" ] \
-    && [ $((ACTUAL_TOTAL - CLAIMED_TOTAL)) -ge 2 -o $((CLAIMED_TOTAL - ACTUAL_TOTAL)) -ge 2 ] \
-    && flag "P6 drift: claim AC total '$CLAIMED_TOTAL' vs actual total $ACTUAL_TOTAL"
+    && flag "P6 drift: claim AC total '$CLAIMED_TOTAL' vs actual total $ACTUAL_TOTAL (form: $([ "$HEADER_ACS" -gt 0 ] && echo header || echo checkbox))"
   [ -n "$CLAIMED_MARKED" ] && [ "$CLAIMED_MARKED" != "$ACTUAL_MARKED" ] \
-    && [ $((ACTUAL_MARKED - CLAIMED_MARKED)) -ge 2 -o $((CLAIMED_MARKED - ACTUAL_MARKED)) -ge 2 ] \
-    && flag "P6 drift: claim AC marked '$CLAIMED_MARKED' vs actual marked $ACTUAL_MARKED"
+    && flag "P6 drift: claim AC marked '$CLAIMED_MARKED' vs actual marked $ACTUAL_MARKED (form: $([ "$HEADER_ACS" -gt 0 ] && echo header || echo checkbox))"
 elif [ -n "$CLAIM_LINE" ]; then
   CLAIMED=$(echo "$CLAIM_LINE" | grep -oE '[0-9]+' | head -1)
-  [ -n "$CLAIMED" ] && [ "$CLAIMED" != "$ACTUAL_TOTAL" ] \
-    && [ $((ACTUAL_TOTAL - CLAIMED)) -ge 2 -o $((CLAIMED - ACTUAL_TOTAL)) -ge 2 ] \
-    && flag "P6 drift: 'all $CLAIMED marked' vs actual AC count $ACTUAL_TOTAL"
+  if [ -n "$CLAIMED" ]; then
+    [ "$CLAIMED" != "$ACTUAL_TOTAL" ] \
+      && flag "P6 drift: 'all $CLAIMED marked' vs actual AC total $ACTUAL_TOTAL (form: $([ "$HEADER_ACS" -gt 0 ] && echo header || echo checkbox))"
+    # `all N marked` IMPLIES all ACs are marked; flag when actual marked < N
+    # (e.g. some ACs deferred via `**Status**: Deferred` or unchecked `[ ]`).
+    [ "$CLAIMED" != "$ACTUAL_MARKED" ] \
+      && flag "P6 drift: 'all $CLAIMED marked' but only $ACTUAL_MARKED actually marked (form: $([ "$HEADER_ACS" -gt 0 ] && echo header || echo checkbox))"
+  fi
 fi
 ```
 
-**18. P7 — Test count drift within ticket (final-sections only).** Only flag AC / DoD / tracker Active-Session numbers diverging from Completion Log terminal. Intermediate rows are legitimate.
+**20. P7 — Test count drift within ticket (final-sections only).** Only flag AC / DoD / tracker Active-Session numbers diverging from Completion Log terminal. Intermediate rows are legitimate.
 ```bash
 TERMINAL=$(awk '/^## Completion Log/,/^## Merge Checklist/' "$TICKET" | grep -iE "(test|pass|green)" | grep -oE "[0-9]+/[0-9]+" | tail -1)
 AC=$(awk '/^## Acceptance Criteria/,/^## Definition of Done/' "$TICKET")
@@ -148,7 +238,7 @@ for n in $FINAL_NUMS; do
 done
 ```
 
-**19. P8 — Completion Log gap vs Workflow Checklist.** Each `[x]` Step N in Workflow should have ≥1 Completion Log row mentioning "Step N". Use `while-read` on unique step numbers (not `for-in` which splits on whitespace).
+**21. P8 — Completion Log gap vs Workflow Checklist.** Each `[x]` Step N in Workflow should have ≥1 Completion Log row mentioning "Step N". Use `while-read` on unique step numbers (not `for-in` which splits on whitespace).
 ```bash
 WORKFLOW=$(awk '/^## Workflow Checklist/,/^## Completion Log/' "$TICKET")
 COMPLETION=$(awk '/^## Completion Log/,/^## Merge Checklist/' "$TICKET")
@@ -159,7 +249,7 @@ while read -r step_num; do
 done <<< "$CHECKED_STEPS"
 ```
 
-**20. P9 — Tracker header "Last Updated" stale.** The `**Last Updated:**` header and the `**Active Feature:**` detail should agree on step number (e.g., both say 5/6). Mismatch suggests the header wasn't refreshed after state transitions.
+**22. P9 — Tracker header "Last Updated" stale.** The `**Last Updated:**` header and the `**Active Feature:**` detail should agree on step number (e.g., both say 5/6). Mismatch suggests the header wasn't refreshed after state transitions.
 ```bash
 TRACKER=docs/project_notes/product-tracker.md
 HEADER_STEP=$(grep '^\*\*Last Updated:\*\*' "$TRACKER" | grep -oE '(Step )?[0-9]+/6' | head -1 | sed -E 's/^Step //')
@@ -168,7 +258,7 @@ DETAIL_STEP=$(grep -A 1 '^\*\*Active Feature:\*\*' "$TRACKER" | grep -oE '(Step
   && flag "P9 drift: tracker header says $HEADER_STEP, Active Feature says $DETAIL_STEP"
 ```
 
-**21. P10 — Duplicate Completion Log rows.** Hash `date | action | first-80-of-notes`. Duplicates suggest copy-paste error during editing.
+**23. P10 — Duplicate Completion Log rows.** Hash `date | action | first-80-of-notes`. Duplicates suggest copy-paste error during editing.
 ```bash
 awk -F'|' '/^\| [0-9]{4}-[0-9]{2}-[0-9]{2}/ {
   key = $2 "|" $3 "|" substr($4, 1, 80)
@@ -178,7 +268,7 @@ awk -F'|' '/^\| [0-9]{4}-[0-9]{2}-[0-9]{2}/ {
   | while read -r dup; do flag "P10 drift: duplicate Completion Log row: $dup"; done
 ```
 
-**22. P11 — Tracker Features table status vs ticket Status mismatch.** Ticket Status=Ready for Merge / Review → tracker expects `in-progress`. Ticket Status=Done → tracker expects `done`. Mismatch means one side wasn't updated after the state change.
+**24. P11 — Tracker Features table status vs ticket Status mismatch.** Ticket Status=Ready for Merge / Review → tracker expects `in-progress`. Ticket Status=Done → tracker expects `done`. Mismatch means one side wasn't updated after the state change.
 ```bash
 TICKET_STATUS=$(grep -E "^\*\*Status:\*\*" "$TICKET" | head -1 \
     | sed -E 's/^\*\*Status:\*\*[[:space:]]*\*?\*?//' \
@@ -215,7 +305,7 @@ case "$TICKET_BASENAME" in
 esac
 ```
 
-**23. P12 — Tracker HEAD references stale (added v0.18.2).** The `**Last Updated:**` and `**Active Feature:**` lines may embed `HEAD <sha>` or `HEAD: <sha>` references that were correct when written but went stale as further commits landed (empirically observed in fx F-WEB-MENU-VISION-001 audit cycle 2026-05-06: tracker said `HEAD: fd752e4` while `git rev-parse HEAD` was `6fa801e` after the agent's own self-edit commit). Compare each extracted SHA against the active branch HEAD. Bidirectional prefix tolerance: a 7-char tracker SHA matches the full 40-char actual HEAD if it's a prefix; a full 40-char tracker SHA matches if its first 7 chars equal the actual short form. Scoped strictly to the two header lines so narrative SHAs in "Last Completed" prose never false-positive-fire.
+**25. P12 — Tracker HEAD references stale (added v0.18.2).** The `**Last Updated:**` and `**Active Feature:**` lines may embed `HEAD <sha>` or `HEAD: <sha>` references that were correct when written but went stale as further commits landed (empirically observed in fx F-WEB-MENU-VISION-001 audit cycle 2026-05-06: tracker said `HEAD: fd752e4` while `git rev-parse HEAD` was `6fa801e` after the agent's own self-edit commit). Compare each extracted SHA against the active branch HEAD. Bidirectional prefix tolerance: a 7-char tracker SHA matches the full 40-char actual HEAD if it's a prefix; a full 40-char tracker SHA matches if its first 7 chars equal the actual short form. Scoped strictly to the two header lines so narrative SHAs in "Last Completed" prose never false-positive-fire.
 ```bash
 TRACKER=docs/project_notes/product-tracker.md
 if [ -f "$TRACKER" ]; then
@@ -235,7 +325,7 @@ if [ -f "$TRACKER" ]; then
 fi
 ```
 
-**24. P13 — key_facts delta vs ticket atom-count mismatch (added v0.18.3).** When the ticket's Completion Log or MCE quantifies a delta against `key_facts.md` (e.g. `+8 atoms`, `+5 aliases`, `+27 dishes`), the corresponding feature row in `key_facts.md` should record the same delta. Whitespace-safe iteration via `while IFS= read -r`; FEATURE_ID-anchored block scan avoids false-pass on identical deltas elsewhere in the file. English keyword set; Spanish (`átomos`, `platos`) deferred to v0.19.x.
+**26. P13 — key_facts delta vs ticket atom-count mismatch (added v0.18.3).** When the ticket's Completion Log or MCE quantifies a delta against `key_facts.md` (e.g. `+8 atoms`, `+5 aliases`, `+27 dishes`), the corresponding feature row in `key_facts.md` should record the same delta. Whitespace-safe iteration via `while IFS= read -r`; FEATURE_ID-anchored block scan avoids false-pass on identical deltas elsewhere in the file. English keyword set; Spanish (`átomos`, `platos`) deferred to v0.19.x.
 ```bash
 KEY_FACTS=docs/project_notes/key_facts.md
 if [ -f "$KEY_FACTS" ]; then
@@ -251,7 +341,7 @@ if [ -f "$KEY_FACTS" ]; then
 fi
 ```
 
-**25. P14 — MCE Action 1 row stale post-merge (added v0.18.3).** When ticket Status normalizes to `Done` AND the MCE Action 1 row still has `Step 6 [ ]` / `Step 6 [-]`, the row was written pre-merge and not updated post-squash. **Strict scoping**: awk state machine terminates the MCE block at the NEXT `^## ` line of any name (NOT `[^M]` — that incorrectly absorbs subsequent `## M*` sections). **Strict signal**: only `Step 6 [ ]` / `Step 6 [-]` patterns flag; standalone `(this merge)` is omitted because it commonly appears in past-tense narrative ("merged at SHA (this merge)") and produces false positives. Reuses `TICKET_STATUS` defined in P11; do NOT use `$status` from the P5 loop. NIT severity.
+**27. P14 — MCE Action 1 row stale post-merge (added v0.18.3).** When ticket Status normalizes to `Done` AND the MCE Action 1 row still has `Step 6 [ ]` / `Step 6 [-]`, the row was written pre-merge and not updated post-squash. **Strict scoping**: awk state machine terminates the MCE block at the NEXT `^## ` line of any name (NOT `[^M]` — that incorrectly absorbs subsequent `## M*` sections). **Strict signal**: only `Step 6 [ ]` / `Step 6 [-]` patterns flag; standalone `(this merge)` is omitted because it commonly appears in past-tense narrative ("merged at SHA (this merge)") and produces false positives. Reuses `TICKET_STATUS` defined in P11; do NOT use `$status` from the P5 loop. NIT severity.
 ```bash
 if [ "$TICKET_STATUS" = "Done" ]; then
   MCE_BLOCK=$(awk '
@@ -265,7 +355,7 @@ if [ "$TICKET_STATUS" = "Done" ]; then
 fi
 ```
 
-**26. P15 — AC with `post-deploy` keyword admitted without Completion Log evidence (added v0.18.3).** ACs containing production-parity keywords (`post-deploy`, `post-merge`, `production parity`, `prod verification`, `on dev API`, `on prod`) are explicit gates; marking them `[x]` without a dated Completion Log row defeats their purpose. Empirical origin: fx F-CATALOG-COV-001 AC-NEW-qa-battery silent-PASS until external audit caught it. Line-safe iteration via `while IFS= read -r`.
+**28. P15 — AC with `post-deploy` keyword admitted without Completion Log evidence (added v0.18.3).** ACs containing production-parity keywords (`post-deploy`, `post-merge`, `production parity`, `prod verification`, `on dev API`, `on prod`) are explicit gates; marking them `[x]` without a dated Completion Log row defeats their purpose. Empirical origin: fx F-CATALOG-COV-001 AC-NEW-qa-battery silent-PASS until external audit caught it. Line-safe iteration via `while IFS= read -r`.
 ```bash
 COMPLETION=$(awk '/^## Completion Log/,/^## Merge Checklist/' "$TICKET")
 AC_LINES=$(grep -nE '^[[:space:]]*-[[:space:]]*\[[ x]\][[:space:]]+AC-[A-Za-z0-9_-]+' "$TICKET" \
@@ -281,7 +371,7 @@ while IFS= read -r line; do
 done <<< "$AC_LINES"
 ```
 
-**27. P16 — Feature missing from Features table (added v0.18.3).** Ticket Status `Ready for Merge` / `Done` should have a row in some `## Features — *` table in `product-tracker.md`. **Strict signal**: requires the feature ID to appear as the first cell of a pipe-table row (`| FEATURE_ID |` with optional whitespace), NOT just anywhere in the tracker — narrative mentions or `**Active Feature:**` references must not silence the drift. NIT severity. Reuses `TICKET_STATUS` and `FEATURE_ID` defined in P11.
+**29. P16 — Feature missing from Features table (added v0.18.3).** Ticket Status `Ready for Merge` / `Done` should have a row in some `## Features — *` table in `product-tracker.md`. **Strict signal**: requires the feature ID to appear as the first cell of a pipe-table row (`| FEATURE_ID |` with optional whitespace), NOT just anywhere in the tracker — narrative mentions or `**Active Feature:**` references must not silence the drift. NIT severity. Reuses `TICKET_STATUS` and `FEATURE_ID` defined in P11.
 ```bash
 TRACKER=docs/project_notes/product-tracker.md
 case "$TICKET_STATUS" in
@@ -295,9 +385,66 @@ case "$TICKET_STATUS" in
 esac
 ```
 
+**30. P17 — Auth-touching backend change requires bearer-flow integration test on non-/me route** (added v0.20.0). When the diff modifies a backend auth-adjacent module (`auth*`, `actorResolver*`, `bearer*`, `rateLimit*`), the diff should ALSO include or modify an integration test that exercises the bearer flow on a NON-`/me` route. Empirically double-confirmed: BUG-PROD-013 (actorResolver bearer-path 500 on `/conversation/*` — non-`/me`), BUG-API-RATELIMIT-BEARER-001 (rateLimit helpers tested only api-key + IP, no bearer-through-global-limiter integration coverage). The `/me`-itself integrity bug class (F107a-FU2) is a distinct pattern — opt-out annotation `P17 N/A: <reason ≥ 1 word>` is recognized for frontend-only auth changes or other edge cases. Advisory, never blocks merge.
+```bash
+# P17 — Auth-touching change requires bearer-flow integration test on non-/me route.
+AUTH_TOUCHED=$(git diff --name-only "$BASE_REF...HEAD" 2>/dev/null | \
+  grep -iE '(auth|actorResolver|bearer|rateLimit)' | \
+  grep -E '^(packages/api|api|server|backend|src/server|src/api)/' | \
+  grep -vE '\.(test|spec)\.[jt]sx?$|__tests__/|/web/|/frontend/|/client/' | head -20)
+
+if [ -z "$AUTH_TOUCHED" ]; then
+  echo "P17 N/A: no backend auth-adjacent files in diff"
+else
+  TOUCHED_COUNT=$(printf '%s\n' "$AUTH_TOUCHED" | wc -l | tr -d ' ')
+
+  # Explicit opt-out (Gemini R1 M4 strengthened: require `: <reason ≥ 1 word>`)
+  OPTOUT=$(grep -E 'P17[[:space:]]+(N/A|opt[- ]?out|exempt)[[:space:]]*:[[:space:]]+[A-Za-z0-9].{2,}' "$TICKET" 2>/dev/null | head -1)
+  if [ -n "$OPTOUT" ]; then
+    echo "P17 N/A: explicit opt-out — $(printf '%s' "$OPTOUT" | head -c 120)"
+  else
+    INTEGRATION_TESTS=$(git diff --name-only "$BASE_REF...HEAD" 2>/dev/null | \
+      grep -iE '(integration|__tests__/.*\.integration\.|/integration/)' | \
+      grep -E '\.(test|spec)\.[jt]sx?$')
+
+    # Two extraction passes (Codex R2 I-1 multi-line fix + Gemini R2 I-1 backticks):
+    #   Pass A: dot-method calls — `.get('/path')` / `.post(\`/path\`)` (single-line).
+    #   Pass B: `url: '...'` property values within multi-line app.inject({ ... }).
+    BEARER_NON_ME_HITS=0
+    while IFS= read -r test_file; do
+      [ -z "$test_file" ] && continue
+      [ ! -f "$test_file" ] && continue
+      if ! grep -qiE '(bearer|authorization)' "$test_file" 2>/dev/null; then
+        continue
+      fi
+      ROUTES_A=$(grep -iE "\.(get|post|put|patch|delete)\([\`\"'](/[^\`\"']+)[\`\"']" "$test_file" 2>/dev/null | \
+        grep -oE "[\`\"'](/[^\`\"']+)[\`\"']" | sed -E "s/^[\`\"']|[\`\"']\$//g")
+      ROUTES_B=$(grep -iE "url[[:space:]]*:[[:space:]]*[\`\"'](/[^\`\"']+)[\`\"']" "$test_file" 2>/dev/null | \
+        grep -oE "[\`\"'](/[^\`\"']+)[\`\"']" | sed -E "s/^[\`\"']|[\`\"']\$//g")
+      ROUTE_STRINGS=$(printf '%s\n%s\n' "$ROUTES_A" "$ROUTES_B" | grep -vE '^$' | sort -u)
+      # Strip ${...} template-literal interpolations
+      ROUTE_STRINGS=$(printf '%s\n' "$ROUTE_STRINGS" | sed -E 's/\$\{[^}]*\}//g')
+      if [ -n "$ROUTE_STRINGS" ]; then
+        if printf '%s\n' "$ROUTE_STRINGS" | grep -qvE '^/me($|/)' ; then
+          BEARER_NON_ME_HITS=$((BEARER_NON_ME_HITS + 1))
+        fi
+      fi
+    done <<EOF
+$INTEGRATION_TESTS
+EOF
+
+    if [ "$BEARER_NON_ME_HITS" -eq 0 ]; then
+      flag "P17 drift (advisory): $TOUCHED_COUNT backend auth-adjacent file(s) but no integration test exercises bearer on a non-/me route (BUG-PROD-013 / BUG-RATELIMIT-BEARER pattern). Add an integration test or annotate \`P17 N/A: <reason>\` in the ticket."
+    else
+      echo "P17 PASS: $TOUCHED_COUNT auth-adjacent backend file(s), $BEARER_NON_ME_HITS integration test(s) cover bearer non-/me routes"
+    fi
+  fi
+fi
+```
+
 ### Execution discipline (added v0.18.1)
 
-For each of the 16 drift checks (P1–P16), if you declare PASS, **include the literal command output** (or its absence — explicit "no rows matched", "extracted: feature/foo", "FROZEN_COUNT=0") as evidence in your report. A bare "PASS" without supporting output is treated as **NOT EXECUTED** by the auditor — re-run with output captured.
+For each of the 17 drift checks (P1–P17), if you declare PASS, **include the literal command output** (or its absence — explicit "no rows matched", "extracted: feature/foo", "FROZEN_COUNT=0") as evidence in your report. A bare "PASS" without supporting output is treated as **NOT EXECUTED** by the auditor — re-run with output captured.
 
 Recommended pattern:
 
@@ -316,7 +463,7 @@ Report two tables — one for **structural (blocking)** compliance, one for **dr
 ```
 ## Merge Compliance Audit — [FEATURE-ID]
 
-### Structural (1-11) — blocking merge gate
+### Structural (1-13) — blocking merge gate
 
 | # | Check | Status | Detail |
 |---|-------|:------:|--------|
@@ -324,46 +471,69 @@ Report two tables — one for **structural (blocking)** compliance, one for **dr
 | 2 | Acceptance Criteria | PASS | 14/14 |
 | 3 | Definition of Done | PASS | 7/7 |
 | 4 | Workflow Checklist | PASS | 7/8 (Step 6 pending) |
-| 5 | Merge Checklist Evidence | PASS | 8/8 with evidence |
+| 5 | Merge Checklist Evidence | PASS | 9/9 with evidence |
 | 6 | Completion Log | PASS | 5 entries, bugs documented |
 | 7 | Tracker Sync | PASS | Active Session + Features table correct |
 | 8 | key_facts.md | PASS | N/A — no new infrastructure |
 | 9 | Merge Base | PASS | Up to date with develop |
 | 10 | Working Tree | PASS | Clean |
 | 11 | Data Files | PASS | N/A — no JSON seed files |
+| 12 | CI State | PASS | PR #123 — all checks pass or pending |
+| 13 | MCE Action 9 (D1) | PASS | ## Audit Merge Output section pasted (~3200 chars) |
 
 **STRUCTURAL: READY FOR MERGE** (or **STRUCTURAL: NEEDS FIX — N blockers**)
 
-### Drift (12-27) — advisory, refresh before user authorization
+### Drift (14-30) — advisory, refresh before user authorization
 
 | # | Pattern | Status | Detail |
 |---|---------|:------:|--------|
-| 12 | P1 PR body test count stale | PASS | matches ticket terminal |
-| 13 | P2 Aspirational Evidence rows | PASS | all rows past-tense |
-| 14 | P3 Post-merge actions logged | PASS | N/A pre-merge |
-| 15 | P4 Remote branch orphan | PASS | not checked pre-merge |
-| 16 | P5 Frozen ticket Status | PASS | 0 frozen |
-| 17 | P6 AC count off-by-N | PASS | claim matches actual |
-| 18 | P7 Intra-ticket test drift | PASS | final sections = terminal |
-| 19 | P8 Completion Log gap | PASS | every [x] step has narrative |
-| 20 | P9 Tracker header stale | PASS | header = detail |
-| 21 | P10 Duplicate log rows | PASS | no duplicates |
-| 22 | P11 Tracker status mismatch | PASS | in-progress for Ready for Merge |
-| 23 | P12 Tracker HEAD reference | PASS | tracker HEAD = git HEAD |
-| 24 | P13 key_facts delta mismatch | PASS | N/A — no quantified deltas |
-| 25 | P14 MCE Action 1 stale post-merge | PASS | N/A pre-merge / row past-tense |
-| 26 | P15 Post-deploy AC without evidence | PASS | no post-deploy keyword in ACs |
-| 27 | P16 Feature missing from tracker | PASS | feature in Features table |
+| 14 | P1 PR body test count stale | PASS | matches ticket terminal |
+| 15 | P2 Aspirational Evidence rows | PASS | all rows past-tense |
+| 16 | P3 Post-merge actions logged | PASS | N/A pre-merge |
+| 17 | P4 Remote branch orphan | PASS | not checked pre-merge |
+| 18 | P5 Frozen ticket Status | PASS | 0 frozen |
+| 19 | P6 AC count off-by-N | PASS | claim matches actual (form: header) |
+| 20 | P7 Intra-ticket test drift | PASS | final sections = terminal |
+| 21 | P8 Completion Log gap | PASS | every [x] step has narrative |
+| 22 | P9 Tracker header stale | PASS | header = detail |
+| 23 | P10 Duplicate log rows | PASS | no duplicates |
+| 24 | P11 Tracker status mismatch | PASS | in-progress for Ready for Merge |
+| 25 | P12 Tracker HEAD reference | PASS | tracker HEAD = git HEAD |
+| 26 | P13 key_facts delta mismatch | PASS | N/A — no quantified deltas |
+| 27 | P14 MCE Action 1 stale post-merge | PASS | N/A pre-merge / row past-tense |
+| 28 | P15 Post-deploy AC without evidence | PASS | no post-deploy keyword in ACs |
+| 29 | P16 Feature missing from tracker | PASS | feature in Features table |
+| 30 | P17 Auth integration coverage | PASS | 2 backend file(s), 1 integration test covers bearer non-/me |
 
 **DRIFT: CLEAN** (or **DRIFT: N advisories — refresh before merge**)
 
 ### Combined verdict
 
-- Both PASS → **READY FOR MERGE** (compliance 11/11, drift clean)
+- Both PASS → **READY FOR MERGE** (compliance 13/13, drift clean)
 - Structural fail → **NEEDS FIX — N structural blockers** (any drift noted separately)
 - Structural pass + drift advisories → **READY FOR MERGE PENDING DRIFT CLEANUP — N advisories**
 ```
 
+**Recipe-output verbatim rule** (added v0.19.0): When filling Detail columns of either the structural or drift tables, use the **literal output of the corresponding recipe** — do not normalize, summarize, or smooth values. Specifically:
+- Numeric ratios (`N/M`): preserve as emitted. `18/19` MUST NOT become `18/18` even when N < M.
+- MCE row 1 claim text: when a check (e.g. P6) references it in its Detail message, quote it verbatim including parentheticals such as `(AC19 deploy-deferred)` or `(operator action pending)`. Do not strip qualifiers.
+- "Form" annotations (e.g. P6 emits `(form: header)` or `(form: checkbox)`): preserve them so the reader can tell which AC form the ticket used.
+- `N/A` reasons: quote the literal reason emitted by the recipe (`no PR open`, `gh CLI unavailable`, `jq unavailable`, `not checked pre-merge`).
+
+This rule exists because an LLM auditor, given header-form tickets where checkbox count is 0, will hallucinate `18/18` to "agree" with the MCE row 1 claim. The recipe says `0` and the MCE says `18/19`; the audit Detail must reflect both honestly so the reader can spot the form mismatch.
+
+**Audit Output Self-Verification Guarantee** (added v0.20.0, required by D1): after emitting all structural rows + drift rows + combined verdict, ALWAYS append a final single-line summary in this exact form, regardless of pass/fail:
+
+```
+Structural: <passed>/<total> PASS | Drift: <flagged> advisory | Verdict: <APPROVE|REVISE>
+```
+
+Examples:
+- `Structural: 13/13 PASS | Drift: 0 advisory | Verdict: APPROVE`
+- `Structural: 11/13 PASS | Drift: 4 advisory | Verdict: REVISE`
+
+This line is the canonical compliance signal that `D1` (MCE Action 9 present, line 92) parses. Without it, a verbatim paste of legitimate audit output may fail D1's signal check. The line must always be the last non-empty line in the output.
+
 ### If issues are found
 
 Fix them directly:
@@ -372,8 +542,9 @@ Fix them directly:
 - Tracker stale → update Active Session and Features table
 - Merge base diverged → `git merge origin/<target-branch>` and resolve conflicts
 - Data file issues → fix the data
+- CI failures (C3) → re-run failed jobs after addressing root cause; do NOT merge while `ci-success` is BLOCKED
 
-**Drift advisories (12-27) fixes:**
+**Drift advisories (13-28) fixes:**
 - **P1 (PR body test count stale)** → edit PR body "Quality Gates" / "npm test" line to match ticket terminal count; add "(+N new tests)" delta note
 - **P2 (Aspirational Evidence)** → rewrite `[x]` rows with past-tense text + commit SHA + concrete numbers
 - **P3 (Post-merge action unlogged)** → add a Completion Log row documenting the post-merge execution with date + action + empirical result