npm - create-sdd-project - Versions diffs - 0.18.4 → 0.20.0 - Mend

create-sdd-project 0.18.4 → 0.20.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (16) hide show

package/template/.claude/skills/development-workflow/references/merge-checklist.md CHANGED Viewed

@@ -65,12 +65,14 @@ Determine the target branch from `docs/project_notes/key_facts.md` → `branchin
 ## Action 8: Fill Merge Checklist Evidence
-In the ticket, fill the `## Merge Checklist Evidence` table. For each action (0–7), mark `[x]` and write the actual evidence (not placeholders). Example:
+In the ticket, fill the `## Merge Checklist Evidence` table. For each action (0–7), mark `[x]` and write the actual evidence (not placeholders). Then complete Action 9 below — it MUST appear as the 9th row of the same table. Example:
 | Action | Done | Evidence |
 |--------|:----:|----------|
 | 0. Validate ticket structure | [x] | Sections verified: Spec, Plan, AC, DoD, Workflow, Log, Evidence |
 | 1. Mark all items | [x] | AC: 12/12, DoD: 7/7, Workflow: 0-5/6 |
+| ... (rows 2-7 follow same shape) | [x] | ... |
+| 9. Run `/audit-merge` | [x] | See § "Audit Merge Output" below |
 **Canonical form for the AC count claim:** write `AC: <marked>/<total>` — `marked` is the count of `[x]` Acceptance Criteria, `total` is the count of all AC items including any intentionally deferred `[ ]`. When all are checked use the matching form `AC: N/N` (or the shorthand `all N marked`). The `/audit-merge` P6 drift check parses both forms.
@@ -82,11 +84,30 @@ In the ticket, fill the `## Merge Checklist Evidence` table. For each action (0
 Sub-scope tickets reach `Status: Done` independently while the parent feature's tracker row stays at its parent status (typically `pending` or `in-progress`) until ALL sub-scopes close. `/audit-merge` P11 detects the suffix and emits `P11 N/A` instead of flagging the parent/sub-scope status divergence as drift.
-## Action 9: Run compliance audit
+## Action 9: Run compliance audit (MANDATORY, added v0.20.0 as structural MCE row)
-Run `/audit-merge` to verify all compliance checks pass automatically. If any check fails, fix it and re-run until all pass.
+**Action 9 is MANDATORY.** Run `/audit-merge` after Actions 0-8 are complete. Paste the FULL verbatim output (structural + drift tables + verdict + self-verification line `Structural: N/N PASS | Drift: K advisory | Verdict: X`) into the dedicated `## Audit Merge Output` section of the ticket, directly below the MCE table.
-Include the audit output in the merge approval request message so the reviewer can skip compliance checks and focus on code/architecture review.
+Do NOT abbreviate, summarize, or omit failing rows. If `/audit-merge` flags any STRUCTURAL check as FAIL, fix it and re-run until ALL structural checks PASS. Drift advisories may stay open with explanation in the surrounding ticket.
+The ticket structure for Action 9 (added v0.20.0):
+```markdown
+## Merge Checklist Evidence
+| Action | Done | Evidence |
+|--------|:----:|----------|
+| 0. … | [x] | … |
+| 1. … | [x] | … |
+| ... (rows 2-7) | [x] | … |
+| 9. Run `/audit-merge` | [x] | See § "Audit Merge Output" below |
+## Audit Merge Output
+<verbatim /audit-merge output goes here — see ticket-template.md>
+```
+The `/audit-merge` structural check `D1` (added v0.20.0) verifies row 9 exists with `[x]` AND the `## Audit Merge Output` section has non-empty body with a structural-compliance signal. Skipping this Action is now structurally visible (row 9 stays unfilled if you forget).
 ## Action 10: Request merge approval

package/template/.claude/skills/development-workflow/references/ticket-template.md CHANGED Viewed

@@ -102,6 +102,18 @@ This creates a feedback loop for improving future reviews. -->
 | 5. Commit documentation | [ ] | Commit: (hash) |
 | 6. Verify clean working tree | [ ] | `git status`: clean |
 | 7. Verify branch up to date | [ ] | merge-base: up to date / merged origin/<branch> |
+| 9. Run `/audit-merge` | [ ] | See § "Audit Merge Output" below |
+## Audit Merge Output
+> Paste the FULL verbatim output of `/audit-merge` below. The block must include both tables
+> (structural + drift), all rows, the combined verdict, AND the final self-verification line
+> in the form `Structural: N/N PASS | Drift: K advisory | Verdict: <APPROVE|REVISE>`. Do NOT
+> abbreviate, summarize, or omit failing rows. Required for the D1 structural check to PASS.
+```text
+<paste /audit-merge output here>
+```
 ---

package/template/.claude/skills/pm-orchestrator/SKILL.md CHANGED Viewed

@@ -87,8 +87,27 @@ For each feature in the batch:
 - **Lock**: If `docs/project_notes/pm-session.lock` is missing → stop (session was terminated externally).
 - **Circuit breaker**: If 3 consecutive features are `blocked` → stop and report to user.
 - **Context check**: If **2+ features have been completed** in this session, STOP and tell the user to run `/compact` followed by `continue pm`. Do NOT continue to the next feature — context degradation causes skipped steps, lost constraints, and poor quality. This is mandatory, not a suggestion.
+- **Session-coherence check (added v0.20.0)**: Read `.sdd-version` from the repo root and the `**SDD version at start:** X.Y.Z` field from `docs/project_notes/pm-session.md`. If they differ → emit ADVISORY (non-blocking) once per Step transition:
+  ```
+  ⚠ Session-coherence drift: SDD upgraded mid-session (X.Y.Z → CURRENT).
+  Cached workflow references and rules in this session may be stale.
+  Recommendation: complete current Step's atomic work, then run `/compact`
+  followed by `continue pm` to reload templates before next Step.
+  (Non-blocking — proceed if you've reviewed the upgrade CHANGELOG and
+  confirmed no workflow-affecting changes.)
+  ```
+  Do NOT auto-update the pm-session.md value here — capture the current cached-context coherence state. The field is auto-updated only by `continue pm` after `/compact` (see "Auto-update on /compact" below).
 - **Clean workspace**: Run `git status`. If dirty, commit or stash before proceeding.
+##### Auto-update on `/compact` (added v0.20.0)
+When `continue pm` resumes the orchestrator after a `/compact`:
+1. Re-read current `.sdd-version`.
+2. Update `**SDD version at start:** X.Y.Z` in `pm-session.md` to the current value.
+3. Reset the per-Step advisory-emitted flag.
+Rationale: `/compact` reloads the cached context from the filesystem. After /compact, the agent is operating on current SDD templates, so the `SDD version at start` field should reflect that. The drift advisory above targets the WINDOW between an SDD upgrade and the next /compact — that window is the risk zone.
 #### b. Start Feature
 1. Update `pm-session.md`:

package/template/.claude/skills/pm-orchestrator/references/pm-session-template.md CHANGED Viewed

@@ -5,6 +5,8 @@
 **Autonomy Level:** L5 (PM Autonomous)
 **Status:** in-progress
 **Target Branch:** {main|develop}
+**SDD version at start:** {sdd-version}  <!-- v0.20.0: session-coherence guard. Auto-updated by `/compact`. Do not edit manually. -->
 ## Current Batch

package/template/.gemini/agents/code-review-specialist.md CHANGED Viewed

@@ -19,6 +19,7 @@ Then go beyond checklist review — actively try to break the implementation:
 - What happens under concurrent requests? Race conditions?
 - What data could a malicious user inject?
 - What if a transaction fails midway or cache is stale?
+- **Defensive guards**: For every `if (cond)` / `if (!cond)` / SQL `WHERE` predicate / type-narrowing check that exists "to prevent X", trace the boolean with three concrete value scenarios — (a) the danger case the guard targets, (b) a normal/expected case, (c) an edge case (null/0/empty/duplicate). Does the guard fire ONLY on the danger case? Common failure: a defensive predicate is written that fires on the SAFE case and skips the DANGER case (boolean inverted). Treat any guard whose conditions you cannot mentally trace through values as a critical-review item — request author justification or write the trace yourself.
 ## Output Format

package/template/.gemini/commands/audit-merge-instructions.md CHANGED Viewed

@@ -48,11 +48,82 @@ If DIVERGED, flag as FAIL with instruction to merge target branch first.
 Run only if `git diff origin/<target-branch>..HEAD --name-only` shows `.json` files in seed-data or fixtures directories.
+**12. CI State** (added v0.19.0) — Verify GitHub Actions / CI checks for the current PR show no FAILURE / ERROR / CANCELLED / TIMED_OUT conclusion. PENDING is acceptable (still running). Emits distinct `N/A` messages when `gh` is unavailable, `jq` is unavailable, or no PR is open for the current branch — these are not blockers. Empirical motivation: F107a (PR #279) shipped with `ci-success` BLOCKED on 3 real failures (test-api lint, test-web build, branch-protection gate); the agent claimed "CI: green" without verification. C3 makes the claim auditable structurally.
+```bash
+if ! command -v gh >/dev/null 2>&1; then
+  echo "C3 N/A: gh CLI unavailable"
+elif ! command -v jq >/dev/null 2>&1; then
+  echo "C3 N/A: jq unavailable"
+else
+  # In GitHub Actions `pull_request` jobs, `actions/checkout` defaults to a
+  # detached HEAD (no branch context), so `gh pr view` with no arg cannot
+  # resolve "the PR for the current branch". Read the PR number from
+  # GITHUB_REF (`refs/pull/<N>/merge`) when available so C3 still queries
+  # the right PR. Local runs (no GITHUB_REF) keep the no-arg behavior.
+  PR_NUM_FROM_CI=""
+  if [ -n "${GITHUB_REF:-}" ]; then
+    PR_NUM_FROM_CI=$(printf '%s' "$GITHUB_REF" | sed -n 's@^refs/pull/\([0-9]\{1,\}\)/.*@\1@p')
+  fi
+  if [ -n "$PR_NUM_FROM_CI" ]; then
+    PR_JSON=$(gh pr view "$PR_NUM_FROM_CI" --json number,statusCheckRollup 2>/dev/null || true)
+  else
+    PR_JSON=$(gh pr view --json number,statusCheckRollup 2>/dev/null || true)
+  fi
+  if [ -z "$PR_JSON" ]; then
+    echo "C3 N/A: no PR open for current branch"
+  else
+    PR_NUM=$(echo "$PR_JSON" | jq -r '.number // "unknown"')
+    FAILURES=$(echo "$PR_JSON" | jq -r '
+      .statusCheckRollup[]?
+      | select((.conclusion // .status) as $s
+        | $s == "FAILURE" or $s == "ERROR" or $s == "CANCELLED" or $s == "TIMED_OUT")
+      | .name // .context
+    ' | sort -u)
+    if [ -n "$FAILURES" ]; then
+      flag "C3 BLOCKER: PR #$PR_NUM has failing checks — $(echo "$FAILURES" | tr '\n' ',' | sed 's/,$//')"
+    else
+      echo "C3 PASS: PR #$PR_NUM — all checks pass or pending"
+    fi
+  fi
+fi
+```
+**13. MCE Action 9 present** (D1, added v0.20.0) — Verify the ticket's `## Merge Checklist Evidence` table includes row 9 marked `[x]`, AND the dedicated `## Audit Merge Output` section below the MCE table has non-empty body content containing a structural-compliance signal (e.g. `Structural: 13/13 PASS` or `Verdict: APPROVE`). Stable ID `D1`. Empirical motivation: fx PR #299 F-WEB-HISTORY merged without `/audit-merge` having been run — MCE table contained Actions 0-8 only (no row 9). The prose instruction at `merge-checklist.md:87` ("Run /audit-merge to verify all compliance checks pass automatically") was easier to skip than a structural table row. D1 makes the skip falsifiable: row 9 stays unfilled if the audit didn't run.
+```bash
+ACTION_9_LINE=$(awk '/^## Merge Checklist Evidence/,/^---|^## (Audit Merge Output|Acceptance|$)/' "$TICKET" | grep -E '^\| 9\. ' | head -1)
+AUDIT_SECTION=$(awk '/^## Audit Merge Output/,/^## |^---|^\*Ticket/' "$TICKET")
+AUDIT_SECTION_BODY=$(printf '%s' "$AUDIT_SECTION" | sed '1d;$d' | grep -vE '^[[:space:]]*>' | tr -d '[:space:]')
+# Compliance signal: case-insensitive. Mirrors JS twin's `.*?` semantics so
+# `Structural: N/N PASS` (colon), `Structural — N/N` (em-dash), `Structural N/N`
+# (space) all match. The `/audit-merge` Output Format section MUST emit at least
+# one canonical signal per the Self-Verification Guarantee (see Output Format).
+COMPLIANCE_HIT=$(printf '%s' "$AUDIT_SECTION" | grep -ciE '(structural[^[:alnum:]]+[0-9]+/[0-9]+)|(\b13/13\b)|(\ball[[:space:]]+(checks[[:space:]]+)?pass)|(verdict[[:space:]]*:[[:space:]]*approve)')
+if [ -z "$ACTION_9_LINE" ] && [ -z "$AUDIT_SECTION" ]; then
+  # Legacy ticket predating v0.20.0 — neither row 9 NOR Audit Merge Output section exists.
+  # Emit N/A with migration hint instead of BLOCKER. Forward-looking: tickets created
+  # post-v0.20.0 will have at least the section header (from ticket-template.md), so
+  # legitimate skips still surface via the other branches below.
+  echo "D1 N/A: legacy ticket (no row 9 and no ## Audit Merge Output section) — add both per merge-checklist.md to comply with v0.20.0"
+elif [ -z "$ACTION_9_LINE" ]; then
+  flag "D1 BLOCKER: MCE Action 9 row missing (required since v0.20.0; ## Audit Merge Output section exists but row 9 not added to MCE table)"
+elif printf '%s' "$ACTION_9_LINE" | grep -qE '\| \[ \] \|'; then
+  flag "D1 BLOCKER: MCE Action 9 row unchecked — /audit-merge not run"
+elif [ -z "$AUDIT_SECTION_BODY" ]; then
+  flag "D1 BLOCKER: ## Audit Merge Output section missing or empty"
+elif [ "$COMPLIANCE_HIT" -eq 0 ]; then
+  flag "D1 BLOCKER: ## Audit Merge Output section present but no structural compliance signal (expect 'Structural: N/N PASS' or 'Verdict: APPROVE')"
+else
+  CHAR_COUNT=$(printf '%s' "$AUDIT_SECTION" | wc -c | tr -d ' ')
+  echo "D1 PASS: ## Audit Merge Output section pasted (~${CHAR_COUNT} chars)"
+fi
+```
 ### Drift Checks (added v0.18.0) — ADVISORY, not blocking
-Eleven empirically-validated drift patterns. Failures are NOT blockers for the compliance verdict, but MUST be refreshed before requesting user authorization. Use BSD-grep-compatible regex (no `\K`).
+Sixteen empirically-validated drift patterns. Failures are NOT blockers for the compliance verdict, but MUST be refreshed before requesting user authorization. Use BSD-grep-compatible regex (no `\K`).
-**12. P1 — PR body test count stale (v0.18.3 multi-workspace extension — C1).** All PR-body ratios must appear in ticket evidence. Subset direction: PR ⊆ ticket. Three fallback cases: (a) ratios on both sides → walk each PR ratio; (b)/(c) missing on either side → emit `P1 N/A`.
+**14. P1 — PR body test count stale (v0.18.3 multi-workspace extension — C1).** All PR-body ratios must appear in ticket evidence. Subset direction: PR ⊆ ticket. Three fallback cases: (a) ratios on both sides → walk each PR ratio; (b)/(c) missing on either side → emit `P1 N/A`.
 ```bash
 TEST_KW_RE='(npm test|pnpm test|tests?[^|]*[0-9]|[*: ]tests?[*: ]+[0-9])'
 PR_BODY=$(gh pr view --json body -q .body 2>/dev/null || true)
@@ -69,14 +140,14 @@ else
 fi
 ```
-**13. P2 — Merge Checklist Evidence aspirational.** `[x]` rows with future-tense text.
+**15. P2 — Merge Checklist Evidence aspirational.** `[x]` rows with future-tense text.
 ```bash
 awk '/^## Merge Checklist Evidence/{flag=1; next} /^## /{flag=0} flag' "$TICKET" \
   | grep -E '^\|.*\[x\].*(to be |will |pending|TBD|Will be |to be created|next commit|aspirational)' \
   && flag "P2 drift: aspirational row(s) found"
 ```
-**14. P3 — Post-merge actions not logged** (post-merge only).
+**16. P3 — Post-merge actions not logged** (post-merge only).
 ```bash
 # Strip checkbox prefix before comparison; use grep -Fq fixed-string match.
 grep -E "^- \[ \].*(post-merge|operator|prod rollout|pending verification)" "$TICKET" \
@@ -89,14 +160,14 @@ while IFS= read -r item; do
 done < /tmp/pm_items.txt
 ```
-**15. P4 — Remote branch orphan.**
+**17. P4 — Remote branch orphan.**
 ```bash
 BRANCH=$(grep -oE '\*\*[Bb]ranch:\*\*[[:space:]]*[^[:space:]|()]+' "$TICKET" | head -1 | sed -E 's/^\*\*[Bb]ranch:\*\*[[:space:]]*//')
 git fetch origin --prune --quiet
 git ls-remote --heads origin "$BRANCH" 2>/dev/null | grep -q refs/heads && flag "P4 drift: remote branch $BRANCH still exists (run: git push origin --delete $BRANCH)"
 ```
-**16. P5 — Frozen ticket Status post-merge.** Multi-word status via sed char class, not `\w+`.
+**18. P5 — Frozen ticket Status post-merge.** Multi-word status via sed char class, not `\w+`.
 ```bash
 FROZEN_COUNT=0
 for t in docs/tickets/*.md; do
@@ -114,30 +185,49 @@ done
 [ "$FROZEN_COUNT" -eq 1 ] && flag "P5 drift: 1 frozen ticket"
 ```
-**17. P6 — AC count off-by-N.** Two claim forms supported: `all N marked` (N = total) and `AC: X/Y done` (X = marked, Y = total — handles deferred ACs where Y > X).
+**19. P6 — AC count off-by-N (header-form aware since v0.19.0).** Supports two AC forms: `[x]`/`[ ]` checkbox form and `### AC<N>` header form. Headers authoritative when present (≥ 1). A header is "deferred" when its body contains `**Status**: Deferred|Pending|Skipped|Blocked` before the next `### `. Two claim shapes: `all N marked` and `AC: X/Y done`. v0.19.0 drops the v0.18.3 `-ge 2` tolerance — exact-match (off-by-1 advisories surface).
 ```bash
 AC_BLOCK=$(awk '/^## Acceptance Criteria/,/^## Definition of Done/' "$TICKET")
-ACTUAL_TOTAL=$(echo "$AC_BLOCK" | grep -cE "^- \[[x ]\]")
-ACTUAL_MARKED=$(echo "$AC_BLOCK" | grep -cE "^- \[x\]")
+HEADER_ACS=$(echo "$AC_BLOCK" | grep -cE '^### AC[0-9]+')
+if [ "$HEADER_ACS" -gt 0 ]; then
+  ACTUAL_TOTAL=$HEADER_ACS
+  # Per-AC pass: emit one line per AC ("marked" or "deferred"). Then count.
+  PER_AC=$(echo "$AC_BLOCK" | awk '
+    function flush() { if (have) { print (deferred ? "deferred" : "marked"); have=0; deferred=0 } }
+    /^### AC[0-9]+/ { flush(); have=1; next }
+    /^## / { flush(); next }
+    have && /^\*\*Status\*\*:[[:space:]]*(Deferred|Pending|Skipped|Blocked)/ { deferred=1 }
+    END { flush() }
+  ')
+  ACTUAL_MARKED=$(printf '%s\n' "$PER_AC" | grep -c '^marked$' || true)
+else
+  ACTUAL_TOTAL=$(echo "$AC_BLOCK" | grep -cE "^- \[[x ]\]")
+  ACTUAL_MARKED=$(echo "$AC_BLOCK" | grep -cE "^- \[x\]")
+fi
 CLAIM_LINE=$(grep -oE 'all [0-9]+ marked|AC: [0-9]+/[0-9]+' "$TICKET" | head -1)
 if echo "$CLAIM_LINE" | grep -qE '^AC: [0-9]+/[0-9]+'; then
   CLAIMED_MARKED=$(echo "$CLAIM_LINE" | grep -oE '[0-9]+' | head -1)
   CLAIMED_TOTAL=$(echo "$CLAIM_LINE" | grep -oE '[0-9]+' | tail -1)
   [ -n "$CLAIMED_TOTAL" ] && [ "$CLAIMED_TOTAL" != "$ACTUAL_TOTAL" ] \
-    && [ $((ACTUAL_TOTAL - CLAIMED_TOTAL)) -ge 2 -o $((CLAIMED_TOTAL - ACTUAL_TOTAL)) -ge 2 ] \
-    && flag "P6 drift: claim AC total '$CLAIMED_TOTAL' vs actual total $ACTUAL_TOTAL"
+    && flag "P6 drift: claim AC total '$CLAIMED_TOTAL' vs actual total $ACTUAL_TOTAL (form: $([ "$HEADER_ACS" -gt 0 ] && echo header || echo checkbox))"
   [ -n "$CLAIMED_MARKED" ] && [ "$CLAIMED_MARKED" != "$ACTUAL_MARKED" ] \
-    && [ $((ACTUAL_MARKED - CLAIMED_MARKED)) -ge 2 -o $((CLAIMED_MARKED - ACTUAL_MARKED)) -ge 2 ] \
-    && flag "P6 drift: claim AC marked '$CLAIMED_MARKED' vs actual marked $ACTUAL_MARKED"
+    && flag "P6 drift: claim AC marked '$CLAIMED_MARKED' vs actual marked $ACTUAL_MARKED (form: $([ "$HEADER_ACS" -gt 0 ] && echo header || echo checkbox))"
 elif [ -n "$CLAIM_LINE" ]; then
   CLAIMED=$(echo "$CLAIM_LINE" | grep -oE '[0-9]+' | head -1)
-  [ -n "$CLAIMED" ] && [ "$CLAIMED" != "$ACTUAL_TOTAL" ] \
-    && [ $((ACTUAL_TOTAL - CLAIMED)) -ge 2 -o $((CLAIMED - ACTUAL_TOTAL)) -ge 2 ] \
-    && flag "P6 drift: 'all $CLAIMED marked' vs actual AC count $ACTUAL_TOTAL"
+  if [ -n "$CLAIMED" ]; then
+    [ "$CLAIMED" != "$ACTUAL_TOTAL" ] \
+      && flag "P6 drift: 'all $CLAIMED marked' vs actual AC total $ACTUAL_TOTAL (form: $([ "$HEADER_ACS" -gt 0 ] && echo header || echo checkbox))"
+    # `all N marked` IMPLIES all ACs are marked; flag when actual marked < N
+    # (e.g. some ACs deferred via `**Status**: Deferred` or unchecked `[ ]`).
+    [ "$CLAIMED" != "$ACTUAL_MARKED" ] \
+      && flag "P6 drift: 'all $CLAIMED marked' but only $ACTUAL_MARKED actually marked (form: $([ "$HEADER_ACS" -gt 0 ] && echo header || echo checkbox))"
+  fi
 fi
 ```
-**18. P7 — Test count drift within ticket (final-sections only).**
+**20. P7 — Test count drift within ticket (final-sections only).**
 ```bash
 TERMINAL=$(awk '/^## Completion Log/,/^## Merge Checklist/' "$TICKET" | grep -iE "(test|pass|green)" | grep -oE "[0-9]+/[0-9]+" | tail -1)
 AC=$(awk '/^## Acceptance Criteria/,/^## Definition of Done/' "$TICKET")
@@ -148,7 +238,7 @@ for n in $FINAL_NUMS; do
 done
 ```
-**19. P8 — Completion Log gap vs Workflow Checklist.**
+**21. P8 — Completion Log gap vs Workflow Checklist.**
 ```bash
 WORKFLOW=$(awk '/^## Workflow Checklist/,/^## Completion Log/' "$TICKET")
 COMPLETION=$(awk '/^## Completion Log/,/^## Merge Checklist/' "$TICKET")
@@ -159,7 +249,7 @@ while read -r step_num; do
 done <<< "$CHECKED_STEPS"
 ```
-**20. P9 — Tracker header stale.**
+**22. P9 — Tracker header stale.**
 ```bash
 TRACKER=docs/project_notes/product-tracker.md
 HEADER_STEP=$(grep '^\*\*Last Updated:\*\*' "$TRACKER" | grep -oE '(Step )?[0-9]+/6' | head -1 | sed -E 's/^Step //')
@@ -168,7 +258,7 @@ DETAIL_STEP=$(grep -A 1 '^\*\*Active Feature:\*\*' "$TRACKER" | grep -oE '(Step
   && flag "P9 drift: tracker header says $HEADER_STEP, Active Feature says $DETAIL_STEP"
 ```
-**21. P10 — Duplicate Completion Log rows.**
+**23. P10 — Duplicate Completion Log rows.**
 ```bash
 awk -F'|' '/^\| [0-9]{4}-[0-9]{2}-[0-9]{2}/ {
   key = $2 "|" $3 "|" substr($4, 1, 80)
@@ -178,7 +268,7 @@ awk -F'|' '/^\| [0-9]{4}-[0-9]{2}-[0-9]{2}/ {
   | while read -r dup; do flag "P10 drift: duplicate Completion Log row: $dup"; done
 ```
-**22. P11 — Tracker Features table status vs ticket Status mismatch.**
+**24. P11 — Tracker Features table status vs ticket Status mismatch.**
 ```bash
 TICKET_STATUS=$(grep -E "^\*\*Status:\*\*" "$TICKET" | head -1 \
     | sed -E 's/^\*\*Status:\*\*[[:space:]]*\*?\*?//' \
@@ -215,7 +305,7 @@ case "$TICKET_BASENAME" in
 esac
 ```
-**23. P12 — Tracker HEAD references stale (added v0.18.2).** The `**Last Updated:**` and `**Active Feature:**` lines may embed `HEAD <sha>` or `HEAD: <sha>` references that were correct when written but went stale as further commits landed (empirically observed in fx F-WEB-MENU-VISION-001 audit cycle 2026-05-06: tracker said `HEAD: fd752e4` while `git rev-parse HEAD` was `6fa801e` after the agent's own self-edit commit). Compare each extracted SHA against the active branch HEAD. Bidirectional prefix tolerance: a 7-char tracker SHA matches the full 40-char actual HEAD if it's a prefix; a full 40-char tracker SHA matches if its first 7 chars equal the actual short form. Scoped strictly to the two header lines so narrative SHAs in "Last Completed" prose never false-positive-fire.
+**25. P12 — Tracker HEAD references stale (added v0.18.2).** The `**Last Updated:**` and `**Active Feature:**` lines may embed `HEAD <sha>` or `HEAD: <sha>` references that were correct when written but went stale as further commits landed (empirically observed in fx F-WEB-MENU-VISION-001 audit cycle 2026-05-06: tracker said `HEAD: fd752e4` while `git rev-parse HEAD` was `6fa801e` after the agent's own self-edit commit). Compare each extracted SHA against the active branch HEAD. Bidirectional prefix tolerance: a 7-char tracker SHA matches the full 40-char actual HEAD if it's a prefix; a full 40-char tracker SHA matches if its first 7 chars equal the actual short form. Scoped strictly to the two header lines so narrative SHAs in "Last Completed" prose never false-positive-fire.
 ```bash
 TRACKER=docs/project_notes/product-tracker.md
 if [ -f "$TRACKER" ]; then
@@ -235,7 +325,7 @@ if [ -f "$TRACKER" ]; then
 fi
 ```
-**24. P13 — key_facts delta vs ticket atom-count mismatch (added v0.18.3).** Whitespace-safe iteration + FEATURE_ID anchoring.
+**26. P13 — key_facts delta vs ticket atom-count mismatch (added v0.18.3).** Whitespace-safe iteration + FEATURE_ID anchoring.
 ```bash
 KEY_FACTS=docs/project_notes/key_facts.md
 if [ -f "$KEY_FACTS" ]; then
@@ -251,7 +341,7 @@ if [ -f "$KEY_FACTS" ]; then
 fi
 ```
-**25. P14 — MCE Action 1 row stale post-merge (added v0.18.3).** Strict awk state machine terminates MCE block at NEXT `^## ` of any name (not `[^M]`). Strict signal `Step 6 [ ]` / `Step 6 [-]` only — standalone `(this merge)` omitted to prevent false positives on past-tense narrative. Reuses `TICKET_STATUS` from P11. NIT severity.
+**27. P14 — MCE Action 1 row stale post-merge (added v0.18.3).** Strict awk state machine terminates MCE block at NEXT `^## ` of any name (not `[^M]`). Strict signal `Step 6 [ ]` / `Step 6 [-]` only — standalone `(this merge)` omitted to prevent false positives on past-tense narrative. Reuses `TICKET_STATUS` from P11. NIT severity.
 ```bash
 if [ "$TICKET_STATUS" = "Done" ]; then
   MCE_BLOCK=$(awk '
@@ -265,7 +355,7 @@ if [ "$TICKET_STATUS" = "Done" ]; then
 fi
 ```
-**26. P15 — AC with post-deploy keyword admitted without Completion Log evidence (added v0.18.3).** Line-safe iteration via `while IFS= read -r`.
+**28. P15 — AC with post-deploy keyword admitted without Completion Log evidence (added v0.18.3).** Line-safe iteration via `while IFS= read -r`.
 ```bash
 COMPLETION=$(awk '/^## Completion Log/,/^## Merge Checklist/' "$TICKET")
 AC_LINES=$(grep -nE '^[[:space:]]*-[[:space:]]*\[[ x]\][[:space:]]+AC-[A-Za-z0-9_-]+' "$TICKET" \
@@ -281,7 +371,7 @@ while IFS= read -r line; do
 done <<< "$AC_LINES"
 ```
-**27. P16 — Feature missing from Features table (added v0.18.3).** Strict signal: feature ID must appear as first cell of a pipe-table row (`| FEATURE_ID |`) — narrative mentions / `**Active Feature:**` references must not silence the drift. NIT severity. Reuses `TICKET_STATUS` and `FEATURE_ID` from P11.
+**29. P16 — Feature missing from Features table (added v0.18.3).** Strict signal: feature ID must appear as first cell of a pipe-table row (`| FEATURE_ID |`) — narrative mentions / `**Active Feature:**` references must not silence the drift. NIT severity. Reuses `TICKET_STATUS` and `FEATURE_ID` from P11.
 ```bash
 TRACKER=docs/project_notes/product-tracker.md
 case "$TICKET_STATUS" in
@@ -295,9 +385,66 @@ case "$TICKET_STATUS" in
 esac
 ```
+**30. P17 — Auth-touching backend change requires bearer-flow integration test on non-/me route** (added v0.20.0). When the diff modifies a backend auth-adjacent module (`auth*`, `actorResolver*`, `bearer*`, `rateLimit*`), the diff should ALSO include or modify an integration test that exercises the bearer flow on a NON-`/me` route. Empirically double-confirmed: BUG-PROD-013 (actorResolver bearer-path 500 on `/conversation/*` — non-`/me`), BUG-API-RATELIMIT-BEARER-001 (rateLimit helpers tested only api-key + IP, no bearer-through-global-limiter integration coverage). The `/me`-itself integrity bug class (F107a-FU2) is a distinct pattern — opt-out annotation `P17 N/A: <reason ≥ 1 word>` is recognized for frontend-only auth changes or other edge cases. Advisory, never blocks merge.
+```bash
+# P17 — Auth-touching change requires bearer-flow integration test on non-/me route.
+AUTH_TOUCHED=$(git diff --name-only "$BASE_REF...HEAD" 2>/dev/null | \
+  grep -iE '(auth|actorResolver|bearer|rateLimit)' | \
+  grep -E '^(packages/api|api|server|backend|src/server|src/api)/' | \
+  grep -vE '\.(test|spec)\.[jt]sx?$|__tests__/|/web/|/frontend/|/client/' | head -20)
+if [ -z "$AUTH_TOUCHED" ]; then
+  echo "P17 N/A: no backend auth-adjacent files in diff"
+else
+  TOUCHED_COUNT=$(printf '%s\n' "$AUTH_TOUCHED" | wc -l | tr -d ' ')
+  # Explicit opt-out (Gemini R1 M4 strengthened: require `: <reason ≥ 1 word>`)
+  OPTOUT=$(grep -E 'P17[[:space:]]+(N/A|opt[- ]?out|exempt)[[:space:]]*:[[:space:]]+[A-Za-z0-9].{2,}' "$TICKET" 2>/dev/null | head -1)
+  if [ -n "$OPTOUT" ]; then
+    echo "P17 N/A: explicit opt-out — $(printf '%s' "$OPTOUT" | head -c 120)"
+  else
+    INTEGRATION_TESTS=$(git diff --name-only "$BASE_REF...HEAD" 2>/dev/null | \
+      grep -iE '(integration|__tests__/.*\.integration\.|/integration/)' | \
+      grep -E '\.(test|spec)\.[jt]sx?$')
+    # Two extraction passes (Codex R2 I-1 multi-line fix + Gemini R2 I-1 backticks):
+    #   Pass A: dot-method calls — `.get('/path')` / `.post(\`/path\`)` (single-line).
+    #   Pass B: `url: '...'` property values within multi-line app.inject({ ... }).
+    BEARER_NON_ME_HITS=0
+    while IFS= read -r test_file; do
+      [ -z "$test_file" ] && continue
+      [ ! -f "$test_file" ] && continue
+      if ! grep -qiE '(bearer|authorization)' "$test_file" 2>/dev/null; then
+        continue
+      fi
+      ROUTES_A=$(grep -iE "\.(get|post|put|patch|delete)\([\`\"'](/[^\`\"']+)[\`\"']" "$test_file" 2>/dev/null | \
+        grep -oE "[\`\"'](/[^\`\"']+)[\`\"']" | sed -E "s/^[\`\"']|[\`\"']\$//g")
+      ROUTES_B=$(grep -iE "url[[:space:]]*:[[:space:]]*[\`\"'](/[^\`\"']+)[\`\"']" "$test_file" 2>/dev/null | \
+        grep -oE "[\`\"'](/[^\`\"']+)[\`\"']" | sed -E "s/^[\`\"']|[\`\"']\$//g")
+      ROUTE_STRINGS=$(printf '%s\n%s\n' "$ROUTES_A" "$ROUTES_B" | grep -vE '^$' | sort -u)
+      # Strip ${...} template-literal interpolations
+      ROUTE_STRINGS=$(printf '%s\n' "$ROUTE_STRINGS" | sed -E 's/\$\{[^}]*\}//g')
+      if [ -n "$ROUTE_STRINGS" ]; then
+        if printf '%s\n' "$ROUTE_STRINGS" | grep -qvE '^/me($|/)' ; then
+          BEARER_NON_ME_HITS=$((BEARER_NON_ME_HITS + 1))
+        fi
+      fi
+    done <<EOF
+$INTEGRATION_TESTS
+EOF
+    if [ "$BEARER_NON_ME_HITS" -eq 0 ]; then
+      flag "P17 drift (advisory): $TOUCHED_COUNT backend auth-adjacent file(s) but no integration test exercises bearer on a non-/me route (BUG-PROD-013 / BUG-RATELIMIT-BEARER pattern). Add an integration test or annotate \`P17 N/A: <reason>\` in the ticket."
+    else
+      echo "P17 PASS: $TOUCHED_COUNT auth-adjacent backend file(s), $BEARER_NON_ME_HITS integration test(s) cover bearer non-/me routes"
+    fi
+  fi
+fi
+```
 ### Execution discipline (added v0.18.1)
-For each of the 16 drift checks (P1–P16), if you declare PASS, **include the literal command output** (or its absence — explicit "no rows matched", "extracted: feature/foo", "FROZEN_COUNT=0") as evidence in your report. A bare "PASS" without supporting output is treated as **NOT EXECUTED** by the auditor — re-run with output captured.
+For each of the 17 drift checks (P1–P17), if you declare PASS, **include the literal command output** (or its absence — explicit "no rows matched", "extracted: feature/foo", "FROZEN_COUNT=0") as evidence in your report. A bare "PASS" without supporting output is treated as **NOT EXECUTED** by the auditor — re-run with output captured.
 Recommended pattern:
@@ -316,7 +463,7 @@ Report two tables — one for **structural (blocking)** compliance, one for **dr
 ```
 ## Merge Compliance Audit — [FEATURE-ID]
-### Structural (1-11) — blocking merge gate
+### Structural (1-13) — blocking merge gate
 | # | Check | Status | Detail |
 |---|-------|:------:|--------|
@@ -324,46 +471,69 @@ Report two tables — one for **structural (blocking)** compliance, one for **dr
 | 2 | Acceptance Criteria | PASS | 14/14 |
 | 3 | Definition of Done | PASS | 7/7 |
 | 4 | Workflow Checklist | PASS | 7/8 (Step 6 pending) |
-| 5 | Merge Checklist Evidence | PASS | 8/8 with evidence |
+| 5 | Merge Checklist Evidence | PASS | 9/9 with evidence |
 | 6 | Completion Log | PASS | 5 entries, bugs documented |
 | 7 | Tracker Sync | PASS | Active Session + Features table correct |
 | 8 | key_facts.md | PASS | N/A — no new infrastructure |
 | 9 | Merge Base | PASS | Up to date with develop |
 | 10 | Working Tree | PASS | Clean |
 | 11 | Data Files | PASS | N/A — no JSON seed files |
+| 12 | CI State | PASS | PR #123 — all checks pass or pending |
+| 13 | MCE Action 9 (D1) | PASS | ## Audit Merge Output section pasted (~3200 chars) |
 **STRUCTURAL: READY FOR MERGE** (or **STRUCTURAL: NEEDS FIX — N blockers**)
-### Drift (12-27) — advisory, refresh before user authorization
+### Drift (14-30) — advisory, refresh before user authorization
 | # | Pattern | Status | Detail |
 |---|---------|:------:|--------|
-| 12 | P1 PR body test count stale | PASS | matches ticket terminal |
-| 13 | P2 Aspirational Evidence rows | PASS | all past-tense |
-| 14 | P3 Post-merge actions logged | PASS | N/A pre-merge |
-| 15 | P4 Remote branch orphan | PASS | not checked pre-merge |
-| 16 | P5 Frozen ticket Status | PASS | 0 frozen |
-| 17 | P6 AC count off-by-N | PASS | claim matches actual |
-| 18 | P7 Intra-ticket test drift | PASS | final = terminal |
-| 19 | P8 Completion Log gap | PASS | every [x] step has narrative |
-| 20 | P9 Tracker header stale | PASS | header = detail |
-| 21 | P10 Duplicate log rows | PASS | no duplicates |
-| 22 | P11 Tracker status mismatch | PASS | status consistent |
-| 23 | P12 Tracker HEAD reference | PASS | tracker HEAD = git HEAD |
-| 24 | P13 key_facts delta mismatch | PASS | N/A — no quantified deltas |
-| 25 | P14 MCE Action 1 stale post-merge | PASS | N/A pre-merge / row past-tense |
-| 26 | P15 Post-deploy AC without evidence | PASS | no post-deploy keyword in ACs |
-| 27 | P16 Feature missing from tracker | PASS | feature in Features table |
+| 14 | P1 PR body test count stale | PASS | matches ticket terminal |
+| 15 | P2 Aspirational Evidence rows | PASS | all past-tense |
+| 16 | P3 Post-merge actions logged | PASS | N/A pre-merge |
+| 17 | P4 Remote branch orphan | PASS | not checked pre-merge |
+| 18 | P5 Frozen ticket Status | PASS | 0 frozen |
+| 19 | P6 AC count off-by-N | PASS | claim matches actual (form: header) |
+| 20 | P7 Intra-ticket test drift | PASS | final = terminal |
+| 21 | P8 Completion Log gap | PASS | every [x] step has narrative |
+| 22 | P9 Tracker header stale | PASS | header = detail |
+| 23 | P10 Duplicate log rows | PASS | no duplicates |
+| 24 | P11 Tracker status mismatch | PASS | status consistent |
+| 25 | P12 Tracker HEAD reference | PASS | tracker HEAD = git HEAD |
+| 26 | P13 key_facts delta mismatch | PASS | N/A — no quantified deltas |
+| 27 | P14 MCE Action 1 stale post-merge | PASS | N/A pre-merge / row past-tense |
+| 28 | P15 Post-deploy AC without evidence | PASS | no post-deploy keyword in ACs |
+| 29 | P16 Feature missing from tracker | PASS | feature in Features table |
+| 30 | P17 Auth integration coverage | PASS | 2 backend file(s), 1 integration test covers bearer non-/me |
 **DRIFT: CLEAN** (or **DRIFT: N advisories — refresh before merge**)
 ### Combined verdict
-- Both PASS → **READY FOR MERGE**
+- Both PASS → **READY FOR MERGE** (compliance 13/13, drift clean)
 - Structural fail → **NEEDS FIX — N blockers**
 - Structural pass + drift advisories → **READY FOR MERGE PENDING DRIFT CLEANUP — N advisories**
 ```
+**Recipe-output verbatim rule** (added v0.19.0): When filling Detail columns of either the structural or drift tables, use the **literal output of the corresponding recipe** — do not normalize, summarize, or smooth values. Specifically:
+- Numeric ratios (`N/M`): preserve as emitted. `18/19` MUST NOT become `18/18` even when N < M.
+- MCE row 1 claim text: when a check (e.g. P6) references it in its Detail message, quote it verbatim including parentheticals such as `(AC19 deploy-deferred)` or `(operator action pending)`. Do not strip qualifiers.
+- "Form" annotations (e.g. P6 emits `(form: header)` or `(form: checkbox)`): preserve them so the reader can tell which AC form the ticket used.
+- `N/A` reasons: quote the literal reason emitted by the recipe (`no PR open`, `gh CLI unavailable`, `jq unavailable`, `not checked pre-merge`).
+This rule exists because an LLM auditor, given header-form tickets where checkbox count is 0, will hallucinate `18/18` to "agree" with the MCE row 1 claim. The recipe says `0` and the MCE says `18/19`; the audit Detail must reflect both honestly so the reader can spot the form mismatch.
+**Audit Output Self-Verification Guarantee** (added v0.20.0, required by D1): after emitting all structural rows + drift rows + combined verdict, ALWAYS append a final single-line summary in this exact form, regardless of pass/fail:
+```
+Structural: <passed>/<total> PASS | Drift: <flagged> advisory | Verdict: <APPROVE|REVISE>
+```
+Examples:
+- `Structural: 13/13 PASS | Drift: 0 advisory | Verdict: APPROVE`
+- `Structural: 11/13 PASS | Drift: 4 advisory | Verdict: REVISE`
+This line is the canonical compliance signal that `D1` (MCE Action 9 present, line 92) parses. Without it, a verbatim paste of legitimate audit output may fail D1's signal check. The line must always be the last non-empty line in the output.
 ### If issues are found
 Fix them directly:
@@ -372,8 +542,9 @@ Fix them directly:
 - Tracker stale → update Active Session and Features table
 - Merge base diverged → `git merge origin/<target-branch>` and resolve conflicts
 - Data file issues → fix the data
+- CI failures (C3) → re-run failed jobs after addressing root cause; do NOT merge while `ci-success` is BLOCKED
-**Drift advisories (12-27) fixes:**
+**Drift advisories (13-28) fixes:**
 - **P1** → edit PR body npm test line to match ticket terminal count
 - **P2** → rewrite `[x]` rows with past-tense + commit SHA
 - **P3** → add Completion Log row for each post-merge execution

package/template/.gemini/skills/development-workflow/references/merge-checklist.md CHANGED Viewed

@@ -65,12 +65,14 @@ Determine the target branch from `docs/project_notes/key_facts.md` → `branchin
 ## Action 8: Fill Merge Checklist Evidence
-In the ticket, fill the `## Merge Checklist Evidence` table. For each action (0–7), mark `[x]` and write the actual evidence (not placeholders). Example:
+In the ticket, fill the `## Merge Checklist Evidence` table. For each action (0–7), mark `[x]` and write the actual evidence (not placeholders). Then complete Action 9 below — it MUST appear as the 9th row of the same table. Example:
 | Action | Done | Evidence |
 |--------|:----:|----------|
 | 0. Validate ticket structure | [x] | Sections verified: Spec, Plan, AC, DoD, Workflow, Log, Evidence |
 | 1. Mark all items | [x] | AC: 12/12, DoD: 7/7, Workflow: 0-5/6 |
+| ... (rows 2-7 follow same shape) | [x] | ... |
+| 9. Run `/audit-merge` | [x] | See § "Audit Merge Output" below |
 **Canonical form for the AC count claim:** write `AC: <marked>/<total>` — `marked` is the count of `[x]` Acceptance Criteria, `total` is the count of all AC items including any intentionally deferred `[ ]`. When all are checked use the matching form `AC: N/N` (or the shorthand `all N marked`). The `/audit-merge` P6 drift check parses both forms.
@@ -82,11 +84,30 @@ In the ticket, fill the `## Merge Checklist Evidence` table. For each action (0
 Sub-scope tickets reach `Status: Done` independently while the parent feature's tracker row stays at its parent status (typically `pending` or `in-progress`) until ALL sub-scopes close. `/audit-merge` P11 detects the suffix and emits `P11 N/A` instead of flagging the parent/sub-scope status divergence as drift.
-## Action 9: Run compliance audit
+## Action 9: Run compliance audit (MANDATORY, added v0.20.0 as structural MCE row)
-Run `/audit-merge` to verify all compliance checks pass automatically. If any check fails, fix it and re-run until all pass.
+**Action 9 is MANDATORY.** Run `/audit-merge` after Actions 0-8 are complete. Paste the FULL verbatim output (structural + drift tables + verdict + self-verification line `Structural: N/N PASS | Drift: K advisory | Verdict: X`) into the dedicated `## Audit Merge Output` section of the ticket, directly below the MCE table.
-Include the audit output in the merge approval request message so the reviewer can skip compliance checks and focus on code/architecture review.
+Do NOT abbreviate, summarize, or omit failing rows. If `/audit-merge` flags any STRUCTURAL check as FAIL, fix it and re-run until ALL structural checks PASS. Drift advisories may stay open with explanation in the surrounding ticket.
+The ticket structure for Action 9 (added v0.20.0):
+```markdown
+## Merge Checklist Evidence
+| Action | Done | Evidence |
+|--------|:----:|----------|
+| 0. … | [x] | … |
+| 1. … | [x] | … |
+| ... (rows 2-7) | [x] | … |
+| 9. Run `/audit-merge` | [x] | See § "Audit Merge Output" below |
+## Audit Merge Output
+<verbatim /audit-merge output goes here — see ticket-template.md>
+```
+The `/audit-merge` structural check `D1` (added v0.20.0) verifies row 9 exists with `[x]` AND the `## Audit Merge Output` section has non-empty body with a structural-compliance signal. Skipping this Action is now structurally visible (row 9 stays unfilled if you forget).
 ## Action 10: Request merge approval

package/template/.gemini/skills/development-workflow/references/ticket-template.md CHANGED Viewed

@@ -102,6 +102,18 @@ This creates a feedback loop for improving future reviews. -->
 | 5. Commit documentation | [ ] | Commit: (hash) |
 | 6. Verify clean working tree | [ ] | `git status`: clean |
 | 7. Verify branch up to date | [ ] | merge-base: up to date / merged origin/<branch> |
+| 9. Run `/audit-merge` | [ ] | See § "Audit Merge Output" below |
+## Audit Merge Output
+> Paste the FULL verbatim output of `/audit-merge` below. The block must include both tables
+> (structural + drift), all rows, the combined verdict, AND the final self-verification line
+> in the form `Structural: N/N PASS | Drift: K advisory | Verdict: <APPROVE|REVISE>`. Do NOT
+> abbreviate, summarize, or omit failing rows. Required for the D1 structural check to PASS.
+```text
+<paste /audit-merge output here>
+```
 ---