npm - create-sdd-project - Versions diffs - 0.19.0 → 0.20.0 - Mend

create-sdd-project 0.19.0 → 0.20.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (14) hide show

package/README.md CHANGED Viewed

@@ -312,7 +312,7 @@ SDD DevFlow combines three proven practices:
 | `/review-plan` | Cross-model plan review — runs automatically after plan self-review when external CLIs are available; catches implementation blind spots |
 | `/context-prompt` | Generates a context recovery prompt after `/compact` with Workflow Recovery to prevent checkpoint skipping |
 | `/review-project` | Comprehensive project-level review using up to 3 AI models in parallel — 6 domains, audit context, consolidated report with action plan |
-| `/audit-merge` | Automated compliance audit — 12 structural pre-merge checks (ticket, tracker, evidence, merge base, working tree, data files, CI state via `gh pr checks`) + 16 advisory drift patterns. Auto-fixes issues. |
+| `/audit-merge` | Automated compliance audit — 13 structural pre-merge checks (ticket, tracker, evidence, merge base, working tree, data files, CI state via `gh pr checks`, MCE Action 9 + Audit Merge Output) + 17 advisory drift patterns. Auto-fixes issues. |
 ### Spec & Plan Quality
@@ -372,7 +372,7 @@ Classify complexity for each (Simple / Standard / Complex):
 After classification, the loop runs autonomously: spec → plan → implement → review → merge for each feature, with all quality gates enforced.
-**9 guardrails** prevent runaway execution: max 5 features/session, circuit breaker (3 failures → stop), kill switch (`stop pm`), session lock, post-merge sanity check (`npm test`), rolling batch (1-3 features at a time), clean workspace validation, quality gates always on, `/audit-merge` auto-execution.
+**11 guardrails** prevent runaway execution: max 5 features/session, mandatory compact after 2 features, target-branch baseline check, intra-batch dependency check, circuit breaker (3 failures → stop), kill switch (`stop pm`), session lock, post-merge sanity check (`npm test`), rolling batch (1-3 features at a time), clean workspace validation, quality gates always on (`/audit-merge` included).
 **Recovery**: after `/compact` or terminal restart, run `continue pm` — the session state in `pm-session.md` tracks exactly where you left off.

package/lib/doctor.js CHANGED Viewed

@@ -82,6 +82,9 @@ function runDoctor(cwd) {
   // 15. .sdd-meta.json structural integrity (v0.17.0)
   results.push(checkMetaJson(cwd, aiTools, projectType));
+  // 16. PM session coherence (v0.20.0) — pm-session.md SDD version vs current
+  results.push(checkSessionCoherence(cwd));
   return results;
 }
@@ -1179,7 +1182,94 @@ function checkMetaJson(cwd, aiTools, projectType) {
   };
 }
+/**
+ * checkSessionCoherence — v0.20.0 Item B (PM session SDD-version drift).
+ *
+ * If a PM session is in-progress AND its recorded "SDD version at start"
+ * differs from the currently-installed .sdd-version, emit WARN. The cached
+ * PM session context (system prompt + skill references loaded at session
+ * start) does NOT auto-refresh on SDD upgrade — only /compact reloads.
+ *
+ * Returns PASS if:
+ *   - No pm-session.md (no active session to check).
+ *   - pm-session.md has Status: done (terminated session).
+ *   - SDD version at start matches current .sdd-version.
+ *
+ * Returns WARN if:
+ *   - pm-session.md Status: in-progress AND versions differ.
+ *
+ * Returns PASS (N/A note) if pm-session.md exists but lacks the field
+ * (legacy session pre-v0.20.0; no actionable signal).
+ */
+function checkSessionCoherence(cwd) {
+  const pmSessionPath = path.join(cwd, 'docs', 'project_notes', 'pm-session.md');
+  const sddVersionPath = path.join(cwd, '.sdd-version');
+  if (!fs.existsSync(pmSessionPath)) {
+    return {
+      status: PASS,
+      message: 'PM session: none active (N/A)',
+      details: [],
+    };
+  }
+  if (!fs.existsSync(sddVersionPath)) {
+    // SDD not installed cleanly; let earlier checks flag this.
+    return {
+      status: PASS,
+      message: 'PM session coherence: N/A (no .sdd-version)',
+      details: [],
+    };
+  }
+  const sessionContent = fs.readFileSync(pmSessionPath, 'utf8');
+  const currentVersion = fs.readFileSync(sddVersionPath, 'utf8').trim();
+  const statusMatch = sessionContent.match(/^\*\*Status:\*\*\s*(\S+)/m);
+  if (!statusMatch || statusMatch[1].toLowerCase() !== 'in-progress') {
+    return {
+      status: PASS,
+      message: 'PM session: not in-progress (N/A)',
+      details: [],
+    };
+  }
+  const versionFieldMatch = sessionContent.match(
+    /^\*\*SDD version at start:\*\*\s*(\S+)/m,
+  );
+  if (!versionFieldMatch) {
+    return {
+      status: PASS,
+      message: 'PM session coherence: legacy session (no version field; v0.20.0+ records it)',
+      details: [
+        'Pre-v0.20.0 PM sessions did not record SDD version at start.',
+        'Drift detection unavailable for this session; consider /compact + continue pm to refresh.',
+      ],
+    };
+  }
+  const startVersion = versionFieldMatch[1];
+  if (startVersion === currentVersion) {
+    return {
+      status: PASS,
+      message: `PM session coherence: in sync (SDD ${currentVersion})`,
+      details: [],
+    };
+  }
+  return {
+    status: WARN,
+    message: `PM session coherence: SDD drift detected — session started under ${startVersion}, current ${currentVersion}`,
+    details: [
+      'Cached workflow references in this session may be stale.',
+      'Recommendation: run `/compact` then `continue pm` to reload templates.',
+      'See pm-orchestrator/SKILL.md "Session-coherence check" for details.',
+    ],
+  };
+}
 module.exports = {
   runDoctor,
   printResults,
+  checkSessionCoherence,
 };

package/lib/upgrade-generator.js CHANGED Viewed

@@ -1329,6 +1329,36 @@ function generateUpgrade(config) {
     );
   }
+  // v0.20.0 Item B — upgrade-time PM session coherence advisory.
+  // If a pm-session.md is in-progress, the agent's cached context (loaded at
+  // session start under the prior SDD version) survives the upgrade in memory.
+  // Recommend /compact + continue pm to reload templates before next Step.
+  const pmSessionPath = path.join(config.projectDir, 'docs', 'project_notes', 'pm-session.md');
+  if (fs.existsSync(pmSessionPath)) {
+    try {
+      const sessionContent = fs.readFileSync(pmSessionPath, 'utf8');
+      const statusMatch = sessionContent.match(/^\*\*Status:\*\*\s*(\S+)/m);
+      if (statusMatch && statusMatch[1].toLowerCase() === 'in-progress') {
+        console.log('\n  ⚠ PM SESSION COHERENCE (v0.20.0):');
+        console.log(
+          '    An in-progress PM session was detected (docs/project_notes/pm-session.md).'
+        );
+        console.log(
+          '    The cached PM orchestrator context loaded under the prior SDD version'
+        );
+        console.log(
+          '    does NOT auto-refresh on this upgrade. Run `/compact` and then'
+        );
+        console.log(
+          '    `continue pm` to reload templates before resuming development work.'
+        );
+        console.log('    Doctor check #16 will WARN until /compact runs.');
+      }
+    } catch (_err) {
+      // best-effort advisory; never block the upgrade on read failure
+    }
+  }
   console.log(`\nNext: git add -A && git commit -m "chore: upgrade SDD DevFlow to ${newVersion}"\n`);
 }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "create-sdd-project",
-  "version": "0.19.0",
+  "version": "0.20.0",
   "description": "Create a new SDD DevFlow project with AI-assisted development workflow",
   "bin": {
     "create-sdd-project": "bin/cli.js"

package/template/.claude/commands/audit-merge.md CHANGED Viewed

@@ -88,11 +88,42 @@ else
 fi
 ```
+**13. MCE Action 9 present** (D1, added v0.20.0) — Verify the ticket's `## Merge Checklist Evidence` table includes row 9 marked `[x]`, AND the dedicated `## Audit Merge Output` section below the MCE table has non-empty body content containing a structural-compliance signal (e.g. `Structural: 13/13 PASS` or `Verdict: APPROVE`). Stable ID `D1`. Empirical motivation: fx PR #299 F-WEB-HISTORY merged without `/audit-merge` having been run — MCE table contained Actions 0-8 only (no row 9). The prose instruction at `merge-checklist.md:87` ("Run /audit-merge to verify all compliance checks pass automatically") was easier to skip than a structural table row. D1 makes the skip falsifiable: row 9 stays unfilled if the audit didn't run.
+```bash
+ACTION_9_LINE=$(awk '/^## Merge Checklist Evidence/,/^---|^## (Audit Merge Output|Acceptance|$)/' "$TICKET" | grep -E '^\| 9\. ' | head -1)
+AUDIT_SECTION=$(awk '/^## Audit Merge Output/,/^## |^---|^\*Ticket/' "$TICKET")
+AUDIT_SECTION_BODY=$(printf '%s' "$AUDIT_SECTION" | sed '1d;$d' | grep -vE '^[[:space:]]*>' | tr -d '[:space:]')
+# Compliance signal: case-insensitive. Mirrors JS twin's `.*?` semantics so
+# `Structural: N/N PASS` (colon), `Structural — N/N` (em-dash), `Structural N/N`
+# (space) all match. The `/audit-merge` Output Format section MUST emit at least
+# one canonical signal per the Self-Verification Guarantee (see Output Format).
+COMPLIANCE_HIT=$(printf '%s' "$AUDIT_SECTION" | grep -ciE '(structural[^[:alnum:]]+[0-9]+/[0-9]+)|(\b13/13\b)|(\ball[[:space:]]+(checks[[:space:]]+)?pass)|(verdict[[:space:]]*:[[:space:]]*approve)')
+if [ -z "$ACTION_9_LINE" ] && [ -z "$AUDIT_SECTION" ]; then
+  # Legacy ticket predating v0.20.0 — neither row 9 NOR Audit Merge Output section exists.
+  # Emit N/A with migration hint instead of BLOCKER. Forward-looking: tickets created
+  # post-v0.20.0 will have at least the section header (from ticket-template.md), so
+  # legitimate skips still surface via the other branches below.
+  echo "D1 N/A: legacy ticket (no row 9 and no ## Audit Merge Output section) — add both per merge-checklist.md to comply with v0.20.0"
+elif [ -z "$ACTION_9_LINE" ]; then
+  flag "D1 BLOCKER: MCE Action 9 row missing (required since v0.20.0; ## Audit Merge Output section exists but row 9 not added to MCE table)"
+elif printf '%s' "$ACTION_9_LINE" | grep -qE '\| \[ \] \|'; then
+  flag "D1 BLOCKER: MCE Action 9 row unchecked — /audit-merge not run"
+elif [ -z "$AUDIT_SECTION_BODY" ]; then
+  flag "D1 BLOCKER: ## Audit Merge Output section missing or empty"
+elif [ "$COMPLIANCE_HIT" -eq 0 ]; then
+  flag "D1 BLOCKER: ## Audit Merge Output section present but no structural compliance signal (expect 'Structural: N/N PASS' or 'Verdict: APPROVE')"
+else
+  CHAR_COUNT=$(printf '%s' "$AUDIT_SECTION" | wc -c | tr -d ' ')
+  echo "D1 PASS: ## Audit Merge Output section pasted (~${CHAR_COUNT} chars)"
+fi
+```
 ### Drift Checks (added v0.18.0) — ADVISORY, not blocking
 Sixteen empirically-validated drift patterns. Failures are NOT blockers for the compliance verdict, but MUST be refreshed before requesting user authorization (the user will otherwise catch them during audit and send the PR back). Each check has a concrete shell recipe — use BSD-grep-compatible regex (no `\K`).
-**13. P1 — PR body test count stale (v0.18.3 multi-workspace extension — C1).** The PR body's test ratios should all appear in ticket evidence (AC / DoD / Completion Log). Agents commonly open the PR at Step 4 and add tests during Step 5 review — the PR body numbers become stale. In monorepos with multiple workspaces (e.g. api, web, bot, scraper) the PR body may quote several `N/N` ratios; v0.18.3 walks them all instead of comparing only the first. Subset direction: PR ratios ⊆ ticket ratios (the ticket Completion Log is the more comprehensive record and accumulates intermediate per-step ratios that the PR body legitimately omits). Three fallback cases: (a) ≥ 1 ratio on each side → verify each PR ratio appears in ticket; (b) PR has ratios but ticket has none (or vice versa) → emit explicit `P1 N/A` note, no drift flag; (c) neither side has ratios → emit `P1 N/A` note.
+**14. P1 — PR body test count stale (v0.18.3 multi-workspace extension — C1).** The PR body's test ratios should all appear in ticket evidence (AC / DoD / Completion Log). Agents commonly open the PR at Step 4 and add tests during Step 5 review — the PR body numbers become stale. In monorepos with multiple workspaces (e.g. api, web, bot, scraper) the PR body may quote several `N/N` ratios; v0.18.3 walks them all instead of comparing only the first. Subset direction: PR ratios ⊆ ticket ratios (the ticket Completion Log is the more comprehensive record and accumulates intermediate per-step ratios that the PR body legitimately omits). Three fallback cases: (a) ≥ 1 ratio on each side → verify each PR ratio appears in ticket; (b) PR has ratios but ticket has none (or vice versa) → emit explicit `P1 N/A` note, no drift flag; (c) neither side has ratios → emit `P1 N/A` note.
 ```bash
 TEST_KW_RE='(npm test|pnpm test|tests?[^|]*[0-9]|[*: ]tests?[*: ]+[0-9])'
 PR_BODY=$(gh pr view --json body -q .body 2>/dev/null || true)
@@ -109,14 +140,14 @@ else
 fi
 ```
-**14. P2 — Merge Checklist Evidence rows aspirational.** Rows marked `[x]` with future-tense Evidence ("will land", "to be created", "pending", "next commit", "TBD") — the row claims done but the work hasn't happened yet.
+**15. P2 — Merge Checklist Evidence rows aspirational.** Rows marked `[x]` with future-tense Evidence ("will land", "to be created", "pending", "next commit", "TBD") — the row claims done but the work hasn't happened yet.
 ```bash
 awk '/^## Merge Checklist Evidence/{flag=1; next} /^## /{flag=0} flag' "$TICKET" \
   | grep -E '^\|.*\[x\].*(to be |will |pending|TBD|Will be |to be created|next commit|aspirational)' \
   && flag "P2 drift: aspirational row(s) found"
 ```
-**15. P3 — Post-merge actions not logged** (only fires if PR is MERGED and ticket Status is Done). Items marked as post-merge operator actions (AC / DoD / Test plan unchecked with post-merge keywords) should have a Completion Log row documenting execution.
+**16. P3 — Post-merge actions not logged** (only fires if PR is MERGED and ticket Status is Done). Items marked as post-merge operator actions (AC / DoD / Test plan unchecked with post-merge keywords) should have a Completion Log row documenting execution.
 ```bash
 # Strip checkbox prefix before comparison; use grep -Fq fixed-string match.
 grep -E "^- \[ \].*(post-merge|operator|prod rollout|pending verification)" "$TICKET" \
@@ -129,14 +160,14 @@ while IFS= read -r item; do
 done < /tmp/pm_items.txt
 ```
-**16. P4 — Remote branch orphan after "deleted".** Workflow Step 6 claims `[x] branch deleted` but origin still has the branch.
+**17. P4 — Remote branch orphan after "deleted".** Workflow Step 6 claims `[x] branch deleted` but origin still has the branch.
 ```bash
 BRANCH=$(grep -oE '\*\*[Bb]ranch:\*\*[[:space:]]*[^[:space:]|()]+' "$TICKET" | head -1 | sed -E 's/^\*\*[Bb]ranch:\*\*[[:space:]]*//')
 git fetch origin --prune --quiet
 git ls-remote --heads origin "$BRANCH" 2>/dev/null | grep -q refs/heads && flag "P4 drift: remote branch $BRANCH still exists (run: git push origin --delete $BRANCH)"
 ```
-**17. P5 — Frozen ticket Status post-merge.** Scan all tickets in `docs/tickets/`; flag any with Status ≠ Done whose ticket-ID appears in `git log --all --grep`. Multi-word Status values like "Ready for Merge" must be handled (use `sed -E` char class, not `\w+`).
+**18. P5 — Frozen ticket Status post-merge.** Scan all tickets in `docs/tickets/`; flag any with Status ≠ Done whose ticket-ID appears in `git log --all --grep`. Multi-word Status values like "Ready for Merge" must be handled (use `sed -E` char class, not `\w+`).
 ```bash
 FROZEN_COUNT=0
 for t in docs/tickets/*.md; do
@@ -154,7 +185,7 @@ done
 [ "$FROZEN_COUNT" -eq 1 ] && flag "P5 drift: 1 frozen ticket"
 ```
-**18. P6 — AC count off-by-N (header-form aware since v0.19.0).** Merge Checklist Evidence row 1 claim diverges from actual count. Supports two canonical AC forms: `[x]`/`[ ]` checkbox form and `### AC<N>` header form. When header form is present (≥ 1 `### AC<N>` heading), headers are authoritative — checkbox sub-items under each header are NOT double-counted. A header is "deferred" (not marked) when its body contains `**Status**: Deferred|Pending|Skipped|Blocked` before the next `### ` or section terminator. Two MCE claim shapes: `all N marked` (N = total, implies all marked) and `AC: X/Y done` (X = marked, Y = total — supports deferred ACs where Y > X intentionally). v0.19.0 drops the v0.18.3 `-ge 2` tolerance — comparison is now exact-match (off-by-1 advisories surface).
+**19. P6 — AC count off-by-N (header-form aware since v0.19.0).** Merge Checklist Evidence row 1 claim diverges from actual count. Supports two canonical AC forms: `[x]`/`[ ]` checkbox form and `### AC<N>` header form. When header form is present (≥ 1 `### AC<N>` heading), headers are authoritative — checkbox sub-items under each header are NOT double-counted. A header is "deferred" (not marked) when its body contains `**Status**: Deferred|Pending|Skipped|Blocked` before the next `### ` or section terminator. Two MCE claim shapes: `all N marked` (N = total, implies all marked) and `AC: X/Y done` (X = marked, Y = total — supports deferred ACs where Y > X intentionally). v0.19.0 drops the v0.18.3 `-ge 2` tolerance — comparison is now exact-match (off-by-1 advisories surface).
 ```bash
 AC_BLOCK=$(awk '/^## Acceptance Criteria/,/^## Definition of Done/' "$TICKET")
 HEADER_ACS=$(echo "$AC_BLOCK" | grep -cE '^### AC[0-9]+')
@@ -196,7 +227,7 @@ elif [ -n "$CLAIM_LINE" ]; then
 fi
 ```
-**19. P7 — Test count drift within ticket (final-sections only).** Only flag AC / DoD / tracker Active-Session numbers diverging from Completion Log terminal. Intermediate rows are legitimate.
+**20. P7 — Test count drift within ticket (final-sections only).** Only flag AC / DoD / tracker Active-Session numbers diverging from Completion Log terminal. Intermediate rows are legitimate.
 ```bash
 TERMINAL=$(awk '/^## Completion Log/,/^## Merge Checklist/' "$TICKET" | grep -iE "(test|pass|green)" | grep -oE "[0-9]+/[0-9]+" | tail -1)
 AC=$(awk '/^## Acceptance Criteria/,/^## Definition of Done/' "$TICKET")
@@ -207,7 +238,7 @@ for n in $FINAL_NUMS; do
 done
 ```
-**20. P8 — Completion Log gap vs Workflow Checklist.** Each `[x]` Step N in Workflow should have ≥1 Completion Log row mentioning "Step N". Use `while-read` on unique step numbers (not `for-in` which splits on whitespace).
+**21. P8 — Completion Log gap vs Workflow Checklist.** Each `[x]` Step N in Workflow should have ≥1 Completion Log row mentioning "Step N". Use `while-read` on unique step numbers (not `for-in` which splits on whitespace).
 ```bash
 WORKFLOW=$(awk '/^## Workflow Checklist/,/^## Completion Log/' "$TICKET")
 COMPLETION=$(awk '/^## Completion Log/,/^## Merge Checklist/' "$TICKET")
@@ -218,7 +249,7 @@ while read -r step_num; do
 done <<< "$CHECKED_STEPS"
 ```
-**21. P9 — Tracker header "Last Updated" stale.** The `**Last Updated:**` header and the `**Active Feature:**` detail should agree on step number (e.g., both say 5/6). Mismatch suggests the header wasn't refreshed after state transitions.
+**22. P9 — Tracker header "Last Updated" stale.** The `**Last Updated:**` header and the `**Active Feature:**` detail should agree on step number (e.g., both say 5/6). Mismatch suggests the header wasn't refreshed after state transitions.
 ```bash
 TRACKER=docs/project_notes/product-tracker.md
 HEADER_STEP=$(grep '^\*\*Last Updated:\*\*' "$TRACKER" | grep -oE '(Step )?[0-9]+/6' | head -1 | sed -E 's/^Step //')
@@ -227,7 +258,7 @@ DETAIL_STEP=$(grep -A 1 '^\*\*Active Feature:\*\*' "$TRACKER" | grep -oE '(Step
   && flag "P9 drift: tracker header says $HEADER_STEP, Active Feature says $DETAIL_STEP"
 ```
-**22. P10 — Duplicate Completion Log rows.** Hash `date | action | first-80-of-notes`. Duplicates suggest copy-paste error during editing.
+**23. P10 — Duplicate Completion Log rows.** Hash `date | action | first-80-of-notes`. Duplicates suggest copy-paste error during editing.
 ```bash
 awk -F'|' '/^\| [0-9]{4}-[0-9]{2}-[0-9]{2}/ {
   key = $2 "|" $3 "|" substr($4, 1, 80)
@@ -237,7 +268,7 @@ awk -F'|' '/^\| [0-9]{4}-[0-9]{2}-[0-9]{2}/ {
   | while read -r dup; do flag "P10 drift: duplicate Completion Log row: $dup"; done
 ```
-**23. P11 — Tracker Features table status vs ticket Status mismatch.** Ticket Status=Ready for Merge / Review → tracker expects `in-progress`. Ticket Status=Done → tracker expects `done`. Mismatch means one side wasn't updated after the state change.
+**24. P11 — Tracker Features table status vs ticket Status mismatch.** Ticket Status=Ready for Merge / Review → tracker expects `in-progress`. Ticket Status=Done → tracker expects `done`. Mismatch means one side wasn't updated after the state change.
 ```bash
 TICKET_STATUS=$(grep -E "^\*\*Status:\*\*" "$TICKET" | head -1 \
     | sed -E 's/^\*\*Status:\*\*[[:space:]]*\*?\*?//' \
@@ -274,7 +305,7 @@ case "$TICKET_BASENAME" in
 esac
 ```
-**24. P12 — Tracker HEAD references stale (added v0.18.2).** The `**Last Updated:**` and `**Active Feature:**` lines may embed `HEAD <sha>` or `HEAD: <sha>` references that were correct when written but went stale as further commits landed (empirically observed in fx F-WEB-MENU-VISION-001 audit cycle 2026-05-06: tracker said `HEAD: fd752e4` while `git rev-parse HEAD` was `6fa801e` after the agent's own self-edit commit). Compare each extracted SHA against the active branch HEAD. Bidirectional prefix tolerance: a 7-char tracker SHA matches the full 40-char actual HEAD if it's a prefix; a full 40-char tracker SHA matches if its first 7 chars equal the actual short form. Scoped strictly to the two header lines so narrative SHAs in "Last Completed" prose never false-positive-fire.
+**25. P12 — Tracker HEAD references stale (added v0.18.2).** The `**Last Updated:**` and `**Active Feature:**` lines may embed `HEAD <sha>` or `HEAD: <sha>` references that were correct when written but went stale as further commits landed (empirically observed in fx F-WEB-MENU-VISION-001 audit cycle 2026-05-06: tracker said `HEAD: fd752e4` while `git rev-parse HEAD` was `6fa801e` after the agent's own self-edit commit). Compare each extracted SHA against the active branch HEAD. Bidirectional prefix tolerance: a 7-char tracker SHA matches the full 40-char actual HEAD if it's a prefix; a full 40-char tracker SHA matches if its first 7 chars equal the actual short form. Scoped strictly to the two header lines so narrative SHAs in "Last Completed" prose never false-positive-fire.
 ```bash
 TRACKER=docs/project_notes/product-tracker.md
 if [ -f "$TRACKER" ]; then
@@ -294,7 +325,7 @@ if [ -f "$TRACKER" ]; then
 fi
 ```
-**25. P13 — key_facts delta vs ticket atom-count mismatch (added v0.18.3).** When the ticket's Completion Log or MCE quantifies a delta against `key_facts.md` (e.g. `+8 atoms`, `+5 aliases`, `+27 dishes`), the corresponding feature row in `key_facts.md` should record the same delta. Whitespace-safe iteration via `while IFS= read -r`; FEATURE_ID-anchored block scan avoids false-pass on identical deltas elsewhere in the file. English keyword set; Spanish (`átomos`, `platos`) deferred to v0.19.x.
+**26. P13 — key_facts delta vs ticket atom-count mismatch (added v0.18.3).** When the ticket's Completion Log or MCE quantifies a delta against `key_facts.md` (e.g. `+8 atoms`, `+5 aliases`, `+27 dishes`), the corresponding feature row in `key_facts.md` should record the same delta. Whitespace-safe iteration via `while IFS= read -r`; FEATURE_ID-anchored block scan avoids false-pass on identical deltas elsewhere in the file. English keyword set; Spanish (`átomos`, `platos`) deferred to v0.19.x.
 ```bash
 KEY_FACTS=docs/project_notes/key_facts.md
 if [ -f "$KEY_FACTS" ]; then
@@ -310,7 +341,7 @@ if [ -f "$KEY_FACTS" ]; then
 fi
 ```
-**26. P14 — MCE Action 1 row stale post-merge (added v0.18.3).** When ticket Status normalizes to `Done` AND the MCE Action 1 row still has `Step 6 [ ]` / `Step 6 [-]`, the row was written pre-merge and not updated post-squash. **Strict scoping**: awk state machine terminates the MCE block at the NEXT `^## ` line of any name (NOT `[^M]` — that incorrectly absorbs subsequent `## M*` sections). **Strict signal**: only `Step 6 [ ]` / `Step 6 [-]` patterns flag; standalone `(this merge)` is omitted because it commonly appears in past-tense narrative ("merged at SHA (this merge)") and produces false positives. Reuses `TICKET_STATUS` defined in P11; do NOT use `$status` from the P5 loop. NIT severity.
+**27. P14 — MCE Action 1 row stale post-merge (added v0.18.3).** When ticket Status normalizes to `Done` AND the MCE Action 1 row still has `Step 6 [ ]` / `Step 6 [-]`, the row was written pre-merge and not updated post-squash. **Strict scoping**: awk state machine terminates the MCE block at the NEXT `^## ` line of any name (NOT `[^M]` — that incorrectly absorbs subsequent `## M*` sections). **Strict signal**: only `Step 6 [ ]` / `Step 6 [-]` patterns flag; standalone `(this merge)` is omitted because it commonly appears in past-tense narrative ("merged at SHA (this merge)") and produces false positives. Reuses `TICKET_STATUS` defined in P11; do NOT use `$status` from the P5 loop. NIT severity.
 ```bash
 if [ "$TICKET_STATUS" = "Done" ]; then
   MCE_BLOCK=$(awk '
@@ -324,7 +355,7 @@ if [ "$TICKET_STATUS" = "Done" ]; then
 fi
 ```
-**27. P15 — AC with `post-deploy` keyword admitted without Completion Log evidence (added v0.18.3).** ACs containing production-parity keywords (`post-deploy`, `post-merge`, `production parity`, `prod verification`, `on dev API`, `on prod`) are explicit gates; marking them `[x]` without a dated Completion Log row defeats their purpose. Empirical origin: fx F-CATALOG-COV-001 AC-NEW-qa-battery silent-PASS until external audit caught it. Line-safe iteration via `while IFS= read -r`.
+**28. P15 — AC with `post-deploy` keyword admitted without Completion Log evidence (added v0.18.3).** ACs containing production-parity keywords (`post-deploy`, `post-merge`, `production parity`, `prod verification`, `on dev API`, `on prod`) are explicit gates; marking them `[x]` without a dated Completion Log row defeats their purpose. Empirical origin: fx F-CATALOG-COV-001 AC-NEW-qa-battery silent-PASS until external audit caught it. Line-safe iteration via `while IFS= read -r`.
 ```bash
 COMPLETION=$(awk '/^## Completion Log/,/^## Merge Checklist/' "$TICKET")
 AC_LINES=$(grep -nE '^[[:space:]]*-[[:space:]]*\[[ x]\][[:space:]]+AC-[A-Za-z0-9_-]+' "$TICKET" \
@@ -340,7 +371,7 @@ while IFS= read -r line; do
 done <<< "$AC_LINES"
 ```
-**28. P16 — Feature missing from Features table (added v0.18.3).** Ticket Status `Ready for Merge` / `Done` should have a row in some `## Features — *` table in `product-tracker.md`. **Strict signal**: requires the feature ID to appear as the first cell of a pipe-table row (`| FEATURE_ID |` with optional whitespace), NOT just anywhere in the tracker — narrative mentions or `**Active Feature:**` references must not silence the drift. NIT severity. Reuses `TICKET_STATUS` and `FEATURE_ID` defined in P11.
+**29. P16 — Feature missing from Features table (added v0.18.3).** Ticket Status `Ready for Merge` / `Done` should have a row in some `## Features — *` table in `product-tracker.md`. **Strict signal**: requires the feature ID to appear as the first cell of a pipe-table row (`| FEATURE_ID |` with optional whitespace), NOT just anywhere in the tracker — narrative mentions or `**Active Feature:**` references must not silence the drift. NIT severity. Reuses `TICKET_STATUS` and `FEATURE_ID` defined in P11.
 ```bash
 TRACKER=docs/project_notes/product-tracker.md
 case "$TICKET_STATUS" in
@@ -354,9 +385,66 @@ case "$TICKET_STATUS" in
 esac
 ```
+**30. P17 — Auth-touching backend change requires bearer-flow integration test on non-/me route** (added v0.20.0). When the diff modifies a backend auth-adjacent module (`auth*`, `actorResolver*`, `bearer*`, `rateLimit*`), the diff should ALSO include or modify an integration test that exercises the bearer flow on a NON-`/me` route. Empirically double-confirmed: BUG-PROD-013 (actorResolver bearer-path 500 on `/conversation/*` — non-`/me`), BUG-API-RATELIMIT-BEARER-001 (rateLimit helpers tested only api-key + IP, no bearer-through-global-limiter integration coverage). The `/me`-itself integrity bug class (F107a-FU2) is a distinct pattern — opt-out annotation `P17 N/A: <reason ≥ 1 word>` is recognized for frontend-only auth changes or other edge cases. Advisory, never blocks merge.
+```bash
+# P17 — Auth-touching change requires bearer-flow integration test on non-/me route.
+AUTH_TOUCHED=$(git diff --name-only "$BASE_REF...HEAD" 2>/dev/null | \
+  grep -iE '(auth|actorResolver|bearer|rateLimit)' | \
+  grep -E '^(packages/api|api|server|backend|src/server|src/api)/' | \
+  grep -vE '\.(test|spec)\.[jt]sx?$|__tests__/|/web/|/frontend/|/client/' | head -20)
+if [ -z "$AUTH_TOUCHED" ]; then
+  echo "P17 N/A: no backend auth-adjacent files in diff"
+else
+  TOUCHED_COUNT=$(printf '%s\n' "$AUTH_TOUCHED" | wc -l | tr -d ' ')
+  # Explicit opt-out (Gemini R1 M4 strengthened: require `: <reason ≥ 1 word>`)
+  OPTOUT=$(grep -E 'P17[[:space:]]+(N/A|opt[- ]?out|exempt)[[:space:]]*:[[:space:]]+[A-Za-z0-9].{2,}' "$TICKET" 2>/dev/null | head -1)
+  if [ -n "$OPTOUT" ]; then
+    echo "P17 N/A: explicit opt-out — $(printf '%s' "$OPTOUT" | head -c 120)"
+  else
+    INTEGRATION_TESTS=$(git diff --name-only "$BASE_REF...HEAD" 2>/dev/null | \
+      grep -iE '(integration|__tests__/.*\.integration\.|/integration/)' | \
+      grep -E '\.(test|spec)\.[jt]sx?$')
+    # Two extraction passes (Codex R2 I-1 multi-line fix + Gemini R2 I-1 backticks):
+    #   Pass A: dot-method calls — `.get('/path')` / `.post(\`/path\`)` (single-line).
+    #   Pass B: `url: '...'` property values within multi-line app.inject({ ... }).
+    BEARER_NON_ME_HITS=0
+    while IFS= read -r test_file; do
+      [ -z "$test_file" ] && continue
+      [ ! -f "$test_file" ] && continue
+      if ! grep -qiE '(bearer|authorization)' "$test_file" 2>/dev/null; then
+        continue
+      fi
+      ROUTES_A=$(grep -iE "\.(get|post|put|patch|delete)\([\`\"'](/[^\`\"']+)[\`\"']" "$test_file" 2>/dev/null | \
+        grep -oE "[\`\"'](/[^\`\"']+)[\`\"']" | sed -E "s/^[\`\"']|[\`\"']\$//g")
+      ROUTES_B=$(grep -iE "url[[:space:]]*:[[:space:]]*[\`\"'](/[^\`\"']+)[\`\"']" "$test_file" 2>/dev/null | \
+        grep -oE "[\`\"'](/[^\`\"']+)[\`\"']" | sed -E "s/^[\`\"']|[\`\"']\$//g")
+      ROUTE_STRINGS=$(printf '%s\n%s\n' "$ROUTES_A" "$ROUTES_B" | grep -vE '^$' | sort -u)
+      # Strip ${...} template-literal interpolations
+      ROUTE_STRINGS=$(printf '%s\n' "$ROUTE_STRINGS" | sed -E 's/\$\{[^}]*\}//g')
+      if [ -n "$ROUTE_STRINGS" ]; then
+        if printf '%s\n' "$ROUTE_STRINGS" | grep -qvE '^/me($|/)' ; then
+          BEARER_NON_ME_HITS=$((BEARER_NON_ME_HITS + 1))
+        fi
+      fi
+    done <<EOF
+$INTEGRATION_TESTS
+EOF
+    if [ "$BEARER_NON_ME_HITS" -eq 0 ]; then
+      flag "P17 drift (advisory): $TOUCHED_COUNT backend auth-adjacent file(s) but no integration test exercises bearer on a non-/me route (BUG-PROD-013 / BUG-RATELIMIT-BEARER pattern). Add an integration test or annotate \`P17 N/A: <reason>\` in the ticket."
+    else
+      echo "P17 PASS: $TOUCHED_COUNT auth-adjacent backend file(s), $BEARER_NON_ME_HITS integration test(s) cover bearer non-/me routes"
+    fi
+  fi
+fi
+```
 ### Execution discipline (added v0.18.1)
-For each of the 16 drift checks (P1–P16), if you declare PASS, **include the literal command output** (or its absence — explicit "no rows matched", "extracted: feature/foo", "FROZEN_COUNT=0") as evidence in your report. A bare "PASS" without supporting output is treated as **NOT EXECUTED** by the auditor — re-run with output captured.
+For each of the 17 drift checks (P1–P17), if you declare PASS, **include the literal command output** (or its absence — explicit "no rows matched", "extracted: feature/foo", "FROZEN_COUNT=0") as evidence in your report. A bare "PASS" without supporting output is treated as **NOT EXECUTED** by the auditor — re-run with output captured.
 Recommended pattern:
@@ -375,7 +463,7 @@ Report two tables — one for **structural (blocking)** compliance, one for **dr
 ```
 ## Merge Compliance Audit — [FEATURE-ID]
-### Structural (1-12) — blocking merge gate
+### Structural (1-13) — blocking merge gate
 | # | Check | Status | Detail |
 |---|-------|:------:|--------|
@@ -383,7 +471,7 @@ Report two tables — one for **structural (blocking)** compliance, one for **dr
 | 2 | Acceptance Criteria | PASS | 14/14 |
 | 3 | Definition of Done | PASS | 7/7 |
 | 4 | Workflow Checklist | PASS | 7/8 (Step 6 pending) |
-| 5 | Merge Checklist Evidence | PASS | 8/8 with evidence |
+| 5 | Merge Checklist Evidence | PASS | 9/9 with evidence |
 | 6 | Completion Log | PASS | 5 entries, bugs documented |
 | 7 | Tracker Sync | PASS | Active Session + Features table correct |
 | 8 | key_facts.md | PASS | N/A — no new infrastructure |
@@ -391,35 +479,37 @@ Report two tables — one for **structural (blocking)** compliance, one for **dr
 | 10 | Working Tree | PASS | Clean |
 | 11 | Data Files | PASS | N/A — no JSON seed files |
 | 12 | CI State | PASS | PR #123 — all checks pass or pending |
+| 13 | MCE Action 9 (D1) | PASS | ## Audit Merge Output section pasted (~3200 chars) |
 **STRUCTURAL: READY FOR MERGE** (or **STRUCTURAL: NEEDS FIX — N blockers**)
-### Drift (13-28) — advisory, refresh before user authorization
+### Drift (14-30) — advisory, refresh before user authorization
 | # | Pattern | Status | Detail |
 |---|---------|:------:|--------|
-| 13 | P1 PR body test count stale | PASS | matches ticket terminal |
-| 14 | P2 Aspirational Evidence rows | PASS | all rows past-tense |
-| 15 | P3 Post-merge actions logged | PASS | N/A pre-merge |
-| 16 | P4 Remote branch orphan | PASS | not checked pre-merge |
-| 17 | P5 Frozen ticket Status | PASS | 0 frozen |
-| 18 | P6 AC count off-by-N | PASS | claim matches actual (form: header) |
-| 19 | P7 Intra-ticket test drift | PASS | final sections = terminal |
-| 20 | P8 Completion Log gap | PASS | every [x] step has narrative |
-| 21 | P9 Tracker header stale | PASS | header = detail |
-| 22 | P10 Duplicate log rows | PASS | no duplicates |
-| 23 | P11 Tracker status mismatch | PASS | in-progress for Ready for Merge |
-| 24 | P12 Tracker HEAD reference | PASS | tracker HEAD = git HEAD |
-| 25 | P13 key_facts delta mismatch | PASS | N/A — no quantified deltas |
-| 26 | P14 MCE Action 1 stale post-merge | PASS | N/A pre-merge / row past-tense |
-| 27 | P15 Post-deploy AC without evidence | PASS | no post-deploy keyword in ACs |
-| 28 | P16 Feature missing from tracker | PASS | feature in Features table |
+| 14 | P1 PR body test count stale | PASS | matches ticket terminal |
+| 15 | P2 Aspirational Evidence rows | PASS | all rows past-tense |
+| 16 | P3 Post-merge actions logged | PASS | N/A pre-merge |
+| 17 | P4 Remote branch orphan | PASS | not checked pre-merge |
+| 18 | P5 Frozen ticket Status | PASS | 0 frozen |
+| 19 | P6 AC count off-by-N | PASS | claim matches actual (form: header) |
+| 20 | P7 Intra-ticket test drift | PASS | final sections = terminal |
+| 21 | P8 Completion Log gap | PASS | every [x] step has narrative |
+| 22 | P9 Tracker header stale | PASS | header = detail |
+| 23 | P10 Duplicate log rows | PASS | no duplicates |
+| 24 | P11 Tracker status mismatch | PASS | in-progress for Ready for Merge |
+| 25 | P12 Tracker HEAD reference | PASS | tracker HEAD = git HEAD |
+| 26 | P13 key_facts delta mismatch | PASS | N/A — no quantified deltas |
+| 27 | P14 MCE Action 1 stale post-merge | PASS | N/A pre-merge / row past-tense |
+| 28 | P15 Post-deploy AC without evidence | PASS | no post-deploy keyword in ACs |
+| 29 | P16 Feature missing from tracker | PASS | feature in Features table |
+| 30 | P17 Auth integration coverage | PASS | 2 backend file(s), 1 integration test covers bearer non-/me |
 **DRIFT: CLEAN** (or **DRIFT: N advisories — refresh before merge**)
 ### Combined verdict
-- Both PASS → **READY FOR MERGE** (compliance 12/12, drift clean)
+- Both PASS → **READY FOR MERGE** (compliance 13/13, drift clean)
 - Structural fail → **NEEDS FIX — N structural blockers** (any drift noted separately)
 - Structural pass + drift advisories → **READY FOR MERGE PENDING DRIFT CLEANUP — N advisories**
 ```
@@ -432,6 +522,18 @@ Report two tables — one for **structural (blocking)** compliance, one for **dr
 This rule exists because an LLM auditor, given header-form tickets where checkbox count is 0, will hallucinate `18/18` to "agree" with the MCE row 1 claim. The recipe says `0` and the MCE says `18/19`; the audit Detail must reflect both honestly so the reader can spot the form mismatch.
+**Audit Output Self-Verification Guarantee** (added v0.20.0, required by D1): after emitting all structural rows + drift rows + combined verdict, ALWAYS append a final single-line summary in this exact form, regardless of pass/fail:
+```
+Structural: <passed>/<total> PASS | Drift: <flagged> advisory | Verdict: <APPROVE|REVISE>
+```
+Examples:
+- `Structural: 13/13 PASS | Drift: 0 advisory | Verdict: APPROVE`
+- `Structural: 11/13 PASS | Drift: 4 advisory | Verdict: REVISE`
+This line is the canonical compliance signal that `D1` (MCE Action 9 present, line 92) parses. Without it, a verbatim paste of legitimate audit output may fail D1's signal check. The line must always be the last non-empty line in the output.
 ### If issues are found
 Fix them directly:

package/template/.claude/skills/development-workflow/references/merge-checklist.md CHANGED Viewed

@@ -65,12 +65,14 @@ Determine the target branch from `docs/project_notes/key_facts.md` → `branchin
 ## Action 8: Fill Merge Checklist Evidence
-In the ticket, fill the `## Merge Checklist Evidence` table. For each action (0–7), mark `[x]` and write the actual evidence (not placeholders). Example:
+In the ticket, fill the `## Merge Checklist Evidence` table. For each action (0–7), mark `[x]` and write the actual evidence (not placeholders). Then complete Action 9 below — it MUST appear as the 9th row of the same table. Example:
 | Action | Done | Evidence |
 |--------|:----:|----------|
 | 0. Validate ticket structure | [x] | Sections verified: Spec, Plan, AC, DoD, Workflow, Log, Evidence |
 | 1. Mark all items | [x] | AC: 12/12, DoD: 7/7, Workflow: 0-5/6 |
+| ... (rows 2-7 follow same shape) | [x] | ... |
+| 9. Run `/audit-merge` | [x] | See § "Audit Merge Output" below |
 **Canonical form for the AC count claim:** write `AC: <marked>/<total>` — `marked` is the count of `[x]` Acceptance Criteria, `total` is the count of all AC items including any intentionally deferred `[ ]`. When all are checked use the matching form `AC: N/N` (or the shorthand `all N marked`). The `/audit-merge` P6 drift check parses both forms.
@@ -82,11 +84,30 @@ In the ticket, fill the `## Merge Checklist Evidence` table. For each action (0
 Sub-scope tickets reach `Status: Done` independently while the parent feature's tracker row stays at its parent status (typically `pending` or `in-progress`) until ALL sub-scopes close. `/audit-merge` P11 detects the suffix and emits `P11 N/A` instead of flagging the parent/sub-scope status divergence as drift.
-## Action 9: Run compliance audit
+## Action 9: Run compliance audit (MANDATORY, added v0.20.0 as structural MCE row)
-Run `/audit-merge` to verify all compliance checks pass automatically. If any check fails, fix it and re-run until all pass.
+**Action 9 is MANDATORY.** Run `/audit-merge` after Actions 0-8 are complete. Paste the FULL verbatim output (structural + drift tables + verdict + self-verification line `Structural: N/N PASS | Drift: K advisory | Verdict: X`) into the dedicated `## Audit Merge Output` section of the ticket, directly below the MCE table.
-Include the audit output in the merge approval request message so the reviewer can skip compliance checks and focus on code/architecture review.
+Do NOT abbreviate, summarize, or omit failing rows. If `/audit-merge` flags any STRUCTURAL check as FAIL, fix it and re-run until ALL structural checks PASS. Drift advisories may stay open with explanation in the surrounding ticket.
+The ticket structure for Action 9 (added v0.20.0):
+```markdown
+## Merge Checklist Evidence
+| Action | Done | Evidence |
+|--------|:----:|----------|
+| 0. … | [x] | … |
+| 1. … | [x] | … |
+| ... (rows 2-7) | [x] | … |
+| 9. Run `/audit-merge` | [x] | See § "Audit Merge Output" below |
+## Audit Merge Output
+<verbatim /audit-merge output goes here — see ticket-template.md>
+```
+The `/audit-merge` structural check `D1` (added v0.20.0) verifies row 9 exists with `[x]` AND the `## Audit Merge Output` section has non-empty body with a structural-compliance signal. Skipping this Action is now structurally visible (row 9 stays unfilled if you forget).
 ## Action 10: Request merge approval

package/template/.claude/skills/development-workflow/references/ticket-template.md CHANGED Viewed

@@ -102,6 +102,18 @@ This creates a feedback loop for improving future reviews. -->
 | 5. Commit documentation | [ ] | Commit: (hash) |
 | 6. Verify clean working tree | [ ] | `git status`: clean |
 | 7. Verify branch up to date | [ ] | merge-base: up to date / merged origin/<branch> |
+| 9. Run `/audit-merge` | [ ] | See § "Audit Merge Output" below |
+## Audit Merge Output
+> Paste the FULL verbatim output of `/audit-merge` below. The block must include both tables
+> (structural + drift), all rows, the combined verdict, AND the final self-verification line
+> in the form `Structural: N/N PASS | Drift: K advisory | Verdict: <APPROVE|REVISE>`. Do NOT
+> abbreviate, summarize, or omit failing rows. Required for the D1 structural check to PASS.
+```text
+<paste /audit-merge output here>
+```
 ---

package/template/.claude/skills/pm-orchestrator/SKILL.md CHANGED Viewed

@@ -87,8 +87,27 @@ For each feature in the batch:
 - **Lock**: If `docs/project_notes/pm-session.lock` is missing → stop (session was terminated externally).
 - **Circuit breaker**: If 3 consecutive features are `blocked` → stop and report to user.
 - **Context check**: If **2+ features have been completed** in this session, STOP and tell the user to run `/compact` followed by `continue pm`. Do NOT continue to the next feature — context degradation causes skipped steps, lost constraints, and poor quality. This is mandatory, not a suggestion.
+- **Session-coherence check (added v0.20.0)**: Read `.sdd-version` from the repo root and the `**SDD version at start:** X.Y.Z` field from `docs/project_notes/pm-session.md`. If they differ → emit ADVISORY (non-blocking) once per Step transition:
+  ```
+  ⚠ Session-coherence drift: SDD upgraded mid-session (X.Y.Z → CURRENT).
+  Cached workflow references and rules in this session may be stale.
+  Recommendation: complete current Step's atomic work, then run `/compact`
+  followed by `continue pm` to reload templates before next Step.
+  (Non-blocking — proceed if you've reviewed the upgrade CHANGELOG and
+  confirmed no workflow-affecting changes.)
+  ```
+  Do NOT auto-update the pm-session.md value here — capture the current cached-context coherence state. The field is auto-updated only by `continue pm` after `/compact` (see "Auto-update on /compact" below).
 - **Clean workspace**: Run `git status`. If dirty, commit or stash before proceeding.
+##### Auto-update on `/compact` (added v0.20.0)
+When `continue pm` resumes the orchestrator after a `/compact`:
+1. Re-read current `.sdd-version`.
+2. Update `**SDD version at start:** X.Y.Z` in `pm-session.md` to the current value.
+3. Reset the per-Step advisory-emitted flag.
+Rationale: `/compact` reloads the cached context from the filesystem. After /compact, the agent is operating on current SDD templates, so the `SDD version at start` field should reflect that. The drift advisory above targets the WINDOW between an SDD upgrade and the next /compact — that window is the risk zone.
 #### b. Start Feature
 1. Update `pm-session.md`:

package/template/.claude/skills/pm-orchestrator/references/pm-session-template.md CHANGED Viewed

@@ -5,6 +5,8 @@
 **Autonomy Level:** L5 (PM Autonomous)
 **Status:** in-progress
 **Target Branch:** {main|develop}
+**SDD version at start:** {sdd-version}  <!-- v0.20.0: session-coherence guard. Auto-updated by `/compact`. Do not edit manually. -->
 ## Current Batch

package/template/.gemini/commands/audit-merge-instructions.md CHANGED Viewed

@@ -88,11 +88,42 @@ else
 fi
 ```
+**13. MCE Action 9 present** (D1, added v0.20.0) — Verify the ticket's `## Merge Checklist Evidence` table includes row 9 marked `[x]`, AND the dedicated `## Audit Merge Output` section below the MCE table has non-empty body content containing a structural-compliance signal (e.g. `Structural: 13/13 PASS` or `Verdict: APPROVE`). Stable ID `D1`. Empirical motivation: fx PR #299 F-WEB-HISTORY merged without `/audit-merge` having been run — MCE table contained Actions 0-8 only (no row 9). The prose instruction at `merge-checklist.md:87` ("Run /audit-merge to verify all compliance checks pass automatically") was easier to skip than a structural table row. D1 makes the skip falsifiable: row 9 stays unfilled if the audit didn't run.
+```bash
+ACTION_9_LINE=$(awk '/^## Merge Checklist Evidence/,/^---|^## (Audit Merge Output|Acceptance|$)/' "$TICKET" | grep -E '^\| 9\. ' | head -1)
+AUDIT_SECTION=$(awk '/^## Audit Merge Output/,/^## |^---|^\*Ticket/' "$TICKET")
+AUDIT_SECTION_BODY=$(printf '%s' "$AUDIT_SECTION" | sed '1d;$d' | grep -vE '^[[:space:]]*>' | tr -d '[:space:]')
+# Compliance signal: case-insensitive. Mirrors JS twin's `.*?` semantics so
+# `Structural: N/N PASS` (colon), `Structural — N/N` (em-dash), `Structural N/N`
+# (space) all match. The `/audit-merge` Output Format section MUST emit at least
+# one canonical signal per the Self-Verification Guarantee (see Output Format).
+COMPLIANCE_HIT=$(printf '%s' "$AUDIT_SECTION" | grep -ciE '(structural[^[:alnum:]]+[0-9]+/[0-9]+)|(\b13/13\b)|(\ball[[:space:]]+(checks[[:space:]]+)?pass)|(verdict[[:space:]]*:[[:space:]]*approve)')
+if [ -z "$ACTION_9_LINE" ] && [ -z "$AUDIT_SECTION" ]; then
+  # Legacy ticket predating v0.20.0 — neither row 9 NOR Audit Merge Output section exists.
+  # Emit N/A with migration hint instead of BLOCKER. Forward-looking: tickets created
+  # post-v0.20.0 will have at least the section header (from ticket-template.md), so
+  # legitimate skips still surface via the other branches below.
+  echo "D1 N/A: legacy ticket (no row 9 and no ## Audit Merge Output section) — add both per merge-checklist.md to comply with v0.20.0"
+elif [ -z "$ACTION_9_LINE" ]; then
+  flag "D1 BLOCKER: MCE Action 9 row missing (required since v0.20.0; ## Audit Merge Output section exists but row 9 not added to MCE table)"
+elif printf '%s' "$ACTION_9_LINE" | grep -qE '\| \[ \] \|'; then
+  flag "D1 BLOCKER: MCE Action 9 row unchecked — /audit-merge not run"
+elif [ -z "$AUDIT_SECTION_BODY" ]; then
+  flag "D1 BLOCKER: ## Audit Merge Output section missing or empty"
+elif [ "$COMPLIANCE_HIT" -eq 0 ]; then
+  flag "D1 BLOCKER: ## Audit Merge Output section present but no structural compliance signal (expect 'Structural: N/N PASS' or 'Verdict: APPROVE')"
+else
+  CHAR_COUNT=$(printf '%s' "$AUDIT_SECTION" | wc -c | tr -d ' ')
+  echo "D1 PASS: ## Audit Merge Output section pasted (~${CHAR_COUNT} chars)"
+fi
+```
 ### Drift Checks (added v0.18.0) — ADVISORY, not blocking
 Sixteen empirically-validated drift patterns. Failures are NOT blockers for the compliance verdict, but MUST be refreshed before requesting user authorization. Use BSD-grep-compatible regex (no `\K`).
-**13. P1 — PR body test count stale (v0.18.3 multi-workspace extension — C1).** All PR-body ratios must appear in ticket evidence. Subset direction: PR ⊆ ticket. Three fallback cases: (a) ratios on both sides → walk each PR ratio; (b)/(c) missing on either side → emit `P1 N/A`.
+**14. P1 — PR body test count stale (v0.18.3 multi-workspace extension — C1).** All PR-body ratios must appear in ticket evidence. Subset direction: PR ⊆ ticket. Three fallback cases: (a) ratios on both sides → walk each PR ratio; (b)/(c) missing on either side → emit `P1 N/A`.
 ```bash
 TEST_KW_RE='(npm test|pnpm test|tests?[^|]*[0-9]|[*: ]tests?[*: ]+[0-9])'
 PR_BODY=$(gh pr view --json body -q .body 2>/dev/null || true)
@@ -109,14 +140,14 @@ else
 fi
 ```
-**14. P2 — Merge Checklist Evidence aspirational.** `[x]` rows with future-tense text.
+**15. P2 — Merge Checklist Evidence aspirational.** `[x]` rows with future-tense text.
 ```bash
 awk '/^## Merge Checklist Evidence/{flag=1; next} /^## /{flag=0} flag' "$TICKET" \
   | grep -E '^\|.*\[x\].*(to be |will |pending|TBD|Will be |to be created|next commit|aspirational)' \
   && flag "P2 drift: aspirational row(s) found"
 ```
-**15. P3 — Post-merge actions not logged** (post-merge only).
+**16. P3 — Post-merge actions not logged** (post-merge only).
 ```bash
 # Strip checkbox prefix before comparison; use grep -Fq fixed-string match.
 grep -E "^- \[ \].*(post-merge|operator|prod rollout|pending verification)" "$TICKET" \
@@ -129,14 +160,14 @@ while IFS= read -r item; do
 done < /tmp/pm_items.txt
 ```
-**16. P4 — Remote branch orphan.**
+**17. P4 — Remote branch orphan.**
 ```bash
 BRANCH=$(grep -oE '\*\*[Bb]ranch:\*\*[[:space:]]*[^[:space:]|()]+' "$TICKET" | head -1 | sed -E 's/^\*\*[Bb]ranch:\*\*[[:space:]]*//')
 git fetch origin --prune --quiet
 git ls-remote --heads origin "$BRANCH" 2>/dev/null | grep -q refs/heads && flag "P4 drift: remote branch $BRANCH still exists (run: git push origin --delete $BRANCH)"
 ```
-**17. P5 — Frozen ticket Status post-merge.** Multi-word status via sed char class, not `\w+`.
+**18. P5 — Frozen ticket Status post-merge.** Multi-word status via sed char class, not `\w+`.
 ```bash
 FROZEN_COUNT=0
 for t in docs/tickets/*.md; do
@@ -154,7 +185,7 @@ done
 [ "$FROZEN_COUNT" -eq 1 ] && flag "P5 drift: 1 frozen ticket"
 ```
-**18. P6 — AC count off-by-N (header-form aware since v0.19.0).** Supports two AC forms: `[x]`/`[ ]` checkbox form and `### AC<N>` header form. Headers authoritative when present (≥ 1). A header is "deferred" when its body contains `**Status**: Deferred|Pending|Skipped|Blocked` before the next `### `. Two claim shapes: `all N marked` and `AC: X/Y done`. v0.19.0 drops the v0.18.3 `-ge 2` tolerance — exact-match (off-by-1 advisories surface).
+**19. P6 — AC count off-by-N (header-form aware since v0.19.0).** Supports two AC forms: `[x]`/`[ ]` checkbox form and `### AC<N>` header form. Headers authoritative when present (≥ 1). A header is "deferred" when its body contains `**Status**: Deferred|Pending|Skipped|Blocked` before the next `### `. Two claim shapes: `all N marked` and `AC: X/Y done`. v0.19.0 drops the v0.18.3 `-ge 2` tolerance — exact-match (off-by-1 advisories surface).
 ```bash
 AC_BLOCK=$(awk '/^## Acceptance Criteria/,/^## Definition of Done/' "$TICKET")
 HEADER_ACS=$(echo "$AC_BLOCK" | grep -cE '^### AC[0-9]+')
@@ -196,7 +227,7 @@ elif [ -n "$CLAIM_LINE" ]; then
 fi
 ```
-**19. P7 — Test count drift within ticket (final-sections only).**
+**20. P7 — Test count drift within ticket (final-sections only).**
 ```bash
 TERMINAL=$(awk '/^## Completion Log/,/^## Merge Checklist/' "$TICKET" | grep -iE "(test|pass|green)" | grep -oE "[0-9]+/[0-9]+" | tail -1)
 AC=$(awk '/^## Acceptance Criteria/,/^## Definition of Done/' "$TICKET")
@@ -207,7 +238,7 @@ for n in $FINAL_NUMS; do
 done
 ```
-**20. P8 — Completion Log gap vs Workflow Checklist.**
+**21. P8 — Completion Log gap vs Workflow Checklist.**
 ```bash
 WORKFLOW=$(awk '/^## Workflow Checklist/,/^## Completion Log/' "$TICKET")
 COMPLETION=$(awk '/^## Completion Log/,/^## Merge Checklist/' "$TICKET")
@@ -218,7 +249,7 @@ while read -r step_num; do
 done <<< "$CHECKED_STEPS"
 ```
-**21. P9 — Tracker header stale.**
+**22. P9 — Tracker header stale.**
 ```bash
 TRACKER=docs/project_notes/product-tracker.md
 HEADER_STEP=$(grep '^\*\*Last Updated:\*\*' "$TRACKER" | grep -oE '(Step )?[0-9]+/6' | head -1 | sed -E 's/^Step //')
@@ -227,7 +258,7 @@ DETAIL_STEP=$(grep -A 1 '^\*\*Active Feature:\*\*' "$TRACKER" | grep -oE '(Step
   && flag "P9 drift: tracker header says $HEADER_STEP, Active Feature says $DETAIL_STEP"
 ```
-**22. P10 — Duplicate Completion Log rows.**
+**23. P10 — Duplicate Completion Log rows.**
 ```bash
 awk -F'|' '/^\| [0-9]{4}-[0-9]{2}-[0-9]{2}/ {
   key = $2 "|" $3 "|" substr($4, 1, 80)
@@ -237,7 +268,7 @@ awk -F'|' '/^\| [0-9]{4}-[0-9]{2}-[0-9]{2}/ {
   | while read -r dup; do flag "P10 drift: duplicate Completion Log row: $dup"; done
 ```
-**23. P11 — Tracker Features table status vs ticket Status mismatch.**
+**24. P11 — Tracker Features table status vs ticket Status mismatch.**
 ```bash
 TICKET_STATUS=$(grep -E "^\*\*Status:\*\*" "$TICKET" | head -1 \
     | sed -E 's/^\*\*Status:\*\*[[:space:]]*\*?\*?//' \
@@ -274,7 +305,7 @@ case "$TICKET_BASENAME" in
 esac
 ```
-**24. P12 — Tracker HEAD references stale (added v0.18.2).** The `**Last Updated:**` and `**Active Feature:**` lines may embed `HEAD <sha>` or `HEAD: <sha>` references that were correct when written but went stale as further commits landed (empirically observed in fx F-WEB-MENU-VISION-001 audit cycle 2026-05-06: tracker said `HEAD: fd752e4` while `git rev-parse HEAD` was `6fa801e` after the agent's own self-edit commit). Compare each extracted SHA against the active branch HEAD. Bidirectional prefix tolerance: a 7-char tracker SHA matches the full 40-char actual HEAD if it's a prefix; a full 40-char tracker SHA matches if its first 7 chars equal the actual short form. Scoped strictly to the two header lines so narrative SHAs in "Last Completed" prose never false-positive-fire.
+**25. P12 — Tracker HEAD references stale (added v0.18.2).** The `**Last Updated:**` and `**Active Feature:**` lines may embed `HEAD <sha>` or `HEAD: <sha>` references that were correct when written but went stale as further commits landed (empirically observed in fx F-WEB-MENU-VISION-001 audit cycle 2026-05-06: tracker said `HEAD: fd752e4` while `git rev-parse HEAD` was `6fa801e` after the agent's own self-edit commit). Compare each extracted SHA against the active branch HEAD. Bidirectional prefix tolerance: a 7-char tracker SHA matches the full 40-char actual HEAD if it's a prefix; a full 40-char tracker SHA matches if its first 7 chars equal the actual short form. Scoped strictly to the two header lines so narrative SHAs in "Last Completed" prose never false-positive-fire.
 ```bash
 TRACKER=docs/project_notes/product-tracker.md
 if [ -f "$TRACKER" ]; then
@@ -294,7 +325,7 @@ if [ -f "$TRACKER" ]; then
 fi
 ```
-**25. P13 — key_facts delta vs ticket atom-count mismatch (added v0.18.3).** Whitespace-safe iteration + FEATURE_ID anchoring.
+**26. P13 — key_facts delta vs ticket atom-count mismatch (added v0.18.3).** Whitespace-safe iteration + FEATURE_ID anchoring.
 ```bash
 KEY_FACTS=docs/project_notes/key_facts.md
 if [ -f "$KEY_FACTS" ]; then
@@ -310,7 +341,7 @@ if [ -f "$KEY_FACTS" ]; then
 fi
 ```
-**26. P14 — MCE Action 1 row stale post-merge (added v0.18.3).** Strict awk state machine terminates MCE block at NEXT `^## ` of any name (not `[^M]`). Strict signal `Step 6 [ ]` / `Step 6 [-]` only — standalone `(this merge)` omitted to prevent false positives on past-tense narrative. Reuses `TICKET_STATUS` from P11. NIT severity.
+**27. P14 — MCE Action 1 row stale post-merge (added v0.18.3).** Strict awk state machine terminates MCE block at NEXT `^## ` of any name (not `[^M]`). Strict signal `Step 6 [ ]` / `Step 6 [-]` only — standalone `(this merge)` omitted to prevent false positives on past-tense narrative. Reuses `TICKET_STATUS` from P11. NIT severity.
 ```bash
 if [ "$TICKET_STATUS" = "Done" ]; then
   MCE_BLOCK=$(awk '
@@ -324,7 +355,7 @@ if [ "$TICKET_STATUS" = "Done" ]; then
 fi
 ```
-**27. P15 — AC with post-deploy keyword admitted without Completion Log evidence (added v0.18.3).** Line-safe iteration via `while IFS= read -r`.
+**28. P15 — AC with post-deploy keyword admitted without Completion Log evidence (added v0.18.3).** Line-safe iteration via `while IFS= read -r`.
 ```bash
 COMPLETION=$(awk '/^## Completion Log/,/^## Merge Checklist/' "$TICKET")
 AC_LINES=$(grep -nE '^[[:space:]]*-[[:space:]]*\[[ x]\][[:space:]]+AC-[A-Za-z0-9_-]+' "$TICKET" \
@@ -340,7 +371,7 @@ while IFS= read -r line; do
 done <<< "$AC_LINES"
 ```
-**28. P16 — Feature missing from Features table (added v0.18.3).** Strict signal: feature ID must appear as first cell of a pipe-table row (`| FEATURE_ID |`) — narrative mentions / `**Active Feature:**` references must not silence the drift. NIT severity. Reuses `TICKET_STATUS` and `FEATURE_ID` from P11.
+**29. P16 — Feature missing from Features table (added v0.18.3).** Strict signal: feature ID must appear as first cell of a pipe-table row (`| FEATURE_ID |`) — narrative mentions / `**Active Feature:**` references must not silence the drift. NIT severity. Reuses `TICKET_STATUS` and `FEATURE_ID` from P11.
 ```bash
 TRACKER=docs/project_notes/product-tracker.md
 case "$TICKET_STATUS" in
@@ -354,9 +385,66 @@ case "$TICKET_STATUS" in
 esac
 ```
+**30. P17 — Auth-touching backend change requires bearer-flow integration test on non-/me route** (added v0.20.0). When the diff modifies a backend auth-adjacent module (`auth*`, `actorResolver*`, `bearer*`, `rateLimit*`), the diff should ALSO include or modify an integration test that exercises the bearer flow on a NON-`/me` route. Empirically double-confirmed: BUG-PROD-013 (actorResolver bearer-path 500 on `/conversation/*` — non-`/me`), BUG-API-RATELIMIT-BEARER-001 (rateLimit helpers tested only api-key + IP, no bearer-through-global-limiter integration coverage). The `/me`-itself integrity bug class (F107a-FU2) is a distinct pattern — opt-out annotation `P17 N/A: <reason ≥ 1 word>` is recognized for frontend-only auth changes or other edge cases. Advisory, never blocks merge.
+```bash
+# P17 — Auth-touching change requires bearer-flow integration test on non-/me route.
+AUTH_TOUCHED=$(git diff --name-only "$BASE_REF...HEAD" 2>/dev/null | \
+  grep -iE '(auth|actorResolver|bearer|rateLimit)' | \
+  grep -E '^(packages/api|api|server|backend|src/server|src/api)/' | \
+  grep -vE '\.(test|spec)\.[jt]sx?$|__tests__/|/web/|/frontend/|/client/' | head -20)
+if [ -z "$AUTH_TOUCHED" ]; then
+  echo "P17 N/A: no backend auth-adjacent files in diff"
+else
+  TOUCHED_COUNT=$(printf '%s\n' "$AUTH_TOUCHED" | wc -l | tr -d ' ')
+  # Explicit opt-out (Gemini R1 M4 strengthened: require `: <reason ≥ 1 word>`)
+  OPTOUT=$(grep -E 'P17[[:space:]]+(N/A|opt[- ]?out|exempt)[[:space:]]*:[[:space:]]+[A-Za-z0-9].{2,}' "$TICKET" 2>/dev/null | head -1)
+  if [ -n "$OPTOUT" ]; then
+    echo "P17 N/A: explicit opt-out — $(printf '%s' "$OPTOUT" | head -c 120)"
+  else
+    INTEGRATION_TESTS=$(git diff --name-only "$BASE_REF...HEAD" 2>/dev/null | \
+      grep -iE '(integration|__tests__/.*\.integration\.|/integration/)' | \
+      grep -E '\.(test|spec)\.[jt]sx?$')
+    # Two extraction passes (Codex R2 I-1 multi-line fix + Gemini R2 I-1 backticks):
+    #   Pass A: dot-method calls — `.get('/path')` / `.post(\`/path\`)` (single-line).
+    #   Pass B: `url: '...'` property values within multi-line app.inject({ ... }).
+    BEARER_NON_ME_HITS=0
+    while IFS= read -r test_file; do
+      [ -z "$test_file" ] && continue
+      [ ! -f "$test_file" ] && continue
+      if ! grep -qiE '(bearer|authorization)' "$test_file" 2>/dev/null; then
+        continue
+      fi
+      ROUTES_A=$(grep -iE "\.(get|post|put|patch|delete)\([\`\"'](/[^\`\"']+)[\`\"']" "$test_file" 2>/dev/null | \
+        grep -oE "[\`\"'](/[^\`\"']+)[\`\"']" | sed -E "s/^[\`\"']|[\`\"']\$//g")
+      ROUTES_B=$(grep -iE "url[[:space:]]*:[[:space:]]*[\`\"'](/[^\`\"']+)[\`\"']" "$test_file" 2>/dev/null | \
+        grep -oE "[\`\"'](/[^\`\"']+)[\`\"']" | sed -E "s/^[\`\"']|[\`\"']\$//g")
+      ROUTE_STRINGS=$(printf '%s\n%s\n' "$ROUTES_A" "$ROUTES_B" | grep -vE '^$' | sort -u)
+      # Strip ${...} template-literal interpolations
+      ROUTE_STRINGS=$(printf '%s\n' "$ROUTE_STRINGS" | sed -E 's/\$\{[^}]*\}//g')
+      if [ -n "$ROUTE_STRINGS" ]; then
+        if printf '%s\n' "$ROUTE_STRINGS" | grep -qvE '^/me($|/)' ; then
+          BEARER_NON_ME_HITS=$((BEARER_NON_ME_HITS + 1))
+        fi
+      fi
+    done <<EOF
+$INTEGRATION_TESTS
+EOF
+    if [ "$BEARER_NON_ME_HITS" -eq 0 ]; then
+      flag "P17 drift (advisory): $TOUCHED_COUNT backend auth-adjacent file(s) but no integration test exercises bearer on a non-/me route (BUG-PROD-013 / BUG-RATELIMIT-BEARER pattern). Add an integration test or annotate \`P17 N/A: <reason>\` in the ticket."
+    else
+      echo "P17 PASS: $TOUCHED_COUNT auth-adjacent backend file(s), $BEARER_NON_ME_HITS integration test(s) cover bearer non-/me routes"
+    fi
+  fi
+fi
+```
 ### Execution discipline (added v0.18.1)
-For each of the 16 drift checks (P1–P16), if you declare PASS, **include the literal command output** (or its absence — explicit "no rows matched", "extracted: feature/foo", "FROZEN_COUNT=0") as evidence in your report. A bare "PASS" without supporting output is treated as **NOT EXECUTED** by the auditor — re-run with output captured.
+For each of the 17 drift checks (P1–P17), if you declare PASS, **include the literal command output** (or its absence — explicit "no rows matched", "extracted: feature/foo", "FROZEN_COUNT=0") as evidence in your report. A bare "PASS" without supporting output is treated as **NOT EXECUTED** by the auditor — re-run with output captured.
 Recommended pattern:
@@ -375,7 +463,7 @@ Report two tables — one for **structural (blocking)** compliance, one for **dr
 ```
 ## Merge Compliance Audit — [FEATURE-ID]
-### Structural (1-12) — blocking merge gate
+### Structural (1-13) — blocking merge gate
 | # | Check | Status | Detail |
 |---|-------|:------:|--------|
@@ -383,7 +471,7 @@ Report two tables — one for **structural (blocking)** compliance, one for **dr
 | 2 | Acceptance Criteria | PASS | 14/14 |
 | 3 | Definition of Done | PASS | 7/7 |
 | 4 | Workflow Checklist | PASS | 7/8 (Step 6 pending) |
-| 5 | Merge Checklist Evidence | PASS | 8/8 with evidence |
+| 5 | Merge Checklist Evidence | PASS | 9/9 with evidence |
 | 6 | Completion Log | PASS | 5 entries, bugs documented |
 | 7 | Tracker Sync | PASS | Active Session + Features table correct |
 | 8 | key_facts.md | PASS | N/A — no new infrastructure |
@@ -391,35 +479,37 @@ Report two tables — one for **structural (blocking)** compliance, one for **dr
 | 10 | Working Tree | PASS | Clean |
 | 11 | Data Files | PASS | N/A — no JSON seed files |
 | 12 | CI State | PASS | PR #123 — all checks pass or pending |
+| 13 | MCE Action 9 (D1) | PASS | ## Audit Merge Output section pasted (~3200 chars) |
 **STRUCTURAL: READY FOR MERGE** (or **STRUCTURAL: NEEDS FIX — N blockers**)
-### Drift (13-28) — advisory, refresh before user authorization
+### Drift (14-30) — advisory, refresh before user authorization
 | # | Pattern | Status | Detail |
 |---|---------|:------:|--------|
-| 13 | P1 PR body test count stale | PASS | matches ticket terminal |
-| 14 | P2 Aspirational Evidence rows | PASS | all past-tense |
-| 15 | P3 Post-merge actions logged | PASS | N/A pre-merge |
-| 16 | P4 Remote branch orphan | PASS | not checked pre-merge |
-| 17 | P5 Frozen ticket Status | PASS | 0 frozen |
-| 18 | P6 AC count off-by-N | PASS | claim matches actual (form: header) |
-| 19 | P7 Intra-ticket test drift | PASS | final = terminal |
-| 20 | P8 Completion Log gap | PASS | every [x] step has narrative |
-| 21 | P9 Tracker header stale | PASS | header = detail |
-| 22 | P10 Duplicate log rows | PASS | no duplicates |
-| 23 | P11 Tracker status mismatch | PASS | status consistent |
-| 24 | P12 Tracker HEAD reference | PASS | tracker HEAD = git HEAD |
-| 25 | P13 key_facts delta mismatch | PASS | N/A — no quantified deltas |
-| 26 | P14 MCE Action 1 stale post-merge | PASS | N/A pre-merge / row past-tense |
-| 27 | P15 Post-deploy AC without evidence | PASS | no post-deploy keyword in ACs |
-| 28 | P16 Feature missing from tracker | PASS | feature in Features table |
+| 14 | P1 PR body test count stale | PASS | matches ticket terminal |
+| 15 | P2 Aspirational Evidence rows | PASS | all past-tense |
+| 16 | P3 Post-merge actions logged | PASS | N/A pre-merge |
+| 17 | P4 Remote branch orphan | PASS | not checked pre-merge |
+| 18 | P5 Frozen ticket Status | PASS | 0 frozen |
+| 19 | P6 AC count off-by-N | PASS | claim matches actual (form: header) |
+| 20 | P7 Intra-ticket test drift | PASS | final = terminal |
+| 21 | P8 Completion Log gap | PASS | every [x] step has narrative |
+| 22 | P9 Tracker header stale | PASS | header = detail |
+| 23 | P10 Duplicate log rows | PASS | no duplicates |
+| 24 | P11 Tracker status mismatch | PASS | status consistent |
+| 25 | P12 Tracker HEAD reference | PASS | tracker HEAD = git HEAD |
+| 26 | P13 key_facts delta mismatch | PASS | N/A — no quantified deltas |
+| 27 | P14 MCE Action 1 stale post-merge | PASS | N/A pre-merge / row past-tense |
+| 28 | P15 Post-deploy AC without evidence | PASS | no post-deploy keyword in ACs |
+| 29 | P16 Feature missing from tracker | PASS | feature in Features table |
+| 30 | P17 Auth integration coverage | PASS | 2 backend file(s), 1 integration test covers bearer non-/me |
 **DRIFT: CLEAN** (or **DRIFT: N advisories — refresh before merge**)
 ### Combined verdict
-- Both PASS → **READY FOR MERGE** (compliance 12/12, drift clean)
+- Both PASS → **READY FOR MERGE** (compliance 13/13, drift clean)
 - Structural fail → **NEEDS FIX — N blockers**
 - Structural pass + drift advisories → **READY FOR MERGE PENDING DRIFT CLEANUP — N advisories**
 ```
@@ -432,6 +522,18 @@ Report two tables — one for **structural (blocking)** compliance, one for **dr
 This rule exists because an LLM auditor, given header-form tickets where checkbox count is 0, will hallucinate `18/18` to "agree" with the MCE row 1 claim. The recipe says `0` and the MCE says `18/19`; the audit Detail must reflect both honestly so the reader can spot the form mismatch.
+**Audit Output Self-Verification Guarantee** (added v0.20.0, required by D1): after emitting all structural rows + drift rows + combined verdict, ALWAYS append a final single-line summary in this exact form, regardless of pass/fail:
+```
+Structural: <passed>/<total> PASS | Drift: <flagged> advisory | Verdict: <APPROVE|REVISE>
+```
+Examples:
+- `Structural: 13/13 PASS | Drift: 0 advisory | Verdict: APPROVE`
+- `Structural: 11/13 PASS | Drift: 4 advisory | Verdict: REVISE`
+This line is the canonical compliance signal that `D1` (MCE Action 9 present, line 92) parses. Without it, a verbatim paste of legitimate audit output may fail D1's signal check. The line must always be the last non-empty line in the output.
 ### If issues are found
 Fix them directly:

package/template/.gemini/skills/development-workflow/references/merge-checklist.md CHANGED Viewed

@@ -65,12 +65,14 @@ Determine the target branch from `docs/project_notes/key_facts.md` → `branchin
 ## Action 8: Fill Merge Checklist Evidence
-In the ticket, fill the `## Merge Checklist Evidence` table. For each action (0–7), mark `[x]` and write the actual evidence (not placeholders). Example:
+In the ticket, fill the `## Merge Checklist Evidence` table. For each action (0–7), mark `[x]` and write the actual evidence (not placeholders). Then complete Action 9 below — it MUST appear as the 9th row of the same table. Example:
 | Action | Done | Evidence |
 |--------|:----:|----------|
 | 0. Validate ticket structure | [x] | Sections verified: Spec, Plan, AC, DoD, Workflow, Log, Evidence |
 | 1. Mark all items | [x] | AC: 12/12, DoD: 7/7, Workflow: 0-5/6 |
+| ... (rows 2-7 follow same shape) | [x] | ... |
+| 9. Run `/audit-merge` | [x] | See § "Audit Merge Output" below |
 **Canonical form for the AC count claim:** write `AC: <marked>/<total>` — `marked` is the count of `[x]` Acceptance Criteria, `total` is the count of all AC items including any intentionally deferred `[ ]`. When all are checked use the matching form `AC: N/N` (or the shorthand `all N marked`). The `/audit-merge` P6 drift check parses both forms.
@@ -82,11 +84,30 @@ In the ticket, fill the `## Merge Checklist Evidence` table. For each action (0
 Sub-scope tickets reach `Status: Done` independently while the parent feature's tracker row stays at its parent status (typically `pending` or `in-progress`) until ALL sub-scopes close. `/audit-merge` P11 detects the suffix and emits `P11 N/A` instead of flagging the parent/sub-scope status divergence as drift.
-## Action 9: Run compliance audit
+## Action 9: Run compliance audit (MANDATORY, added v0.20.0 as structural MCE row)
-Run `/audit-merge` to verify all compliance checks pass automatically. If any check fails, fix it and re-run until all pass.
+**Action 9 is MANDATORY.** Run `/audit-merge` after Actions 0-8 are complete. Paste the FULL verbatim output (structural + drift tables + verdict + self-verification line `Structural: N/N PASS | Drift: K advisory | Verdict: X`) into the dedicated `## Audit Merge Output` section of the ticket, directly below the MCE table.
-Include the audit output in the merge approval request message so the reviewer can skip compliance checks and focus on code/architecture review.
+Do NOT abbreviate, summarize, or omit failing rows. If `/audit-merge` flags any STRUCTURAL check as FAIL, fix it and re-run until ALL structural checks PASS. Drift advisories may stay open with explanation in the surrounding ticket.
+The ticket structure for Action 9 (added v0.20.0):
+```markdown
+## Merge Checklist Evidence
+| Action | Done | Evidence |
+|--------|:----:|----------|
+| 0. … | [x] | … |
+| 1. … | [x] | … |
+| ... (rows 2-7) | [x] | … |
+| 9. Run `/audit-merge` | [x] | See § "Audit Merge Output" below |
+## Audit Merge Output
+<verbatim /audit-merge output goes here — see ticket-template.md>
+```
+The `/audit-merge` structural check `D1` (added v0.20.0) verifies row 9 exists with `[x]` AND the `## Audit Merge Output` section has non-empty body with a structural-compliance signal. Skipping this Action is now structurally visible (row 9 stays unfilled if you forget).
 ## Action 10: Request merge approval

package/template/.gemini/skills/development-workflow/references/ticket-template.md CHANGED Viewed

@@ -102,6 +102,18 @@ This creates a feedback loop for improving future reviews. -->
 | 5. Commit documentation | [ ] | Commit: (hash) |
 | 6. Verify clean working tree | [ ] | `git status`: clean |
 | 7. Verify branch up to date | [ ] | merge-base: up to date / merged origin/<branch> |
+| 9. Run `/audit-merge` | [ ] | See § "Audit Merge Output" below |
+## Audit Merge Output
+> Paste the FULL verbatim output of `/audit-merge` below. The block must include both tables
+> (structural + drift), all rows, the combined verdict, AND the final self-verification line
+> in the form `Structural: N/N PASS | Drift: K advisory | Verdict: <APPROVE|REVISE>`. Do NOT
+> abbreviate, summarize, or omit failing rows. Required for the D1 structural check to PASS.
+```text
+<paste /audit-merge output here>
+```
 ---

package/template/.gemini/skills/pm-orchestrator/SKILL.md CHANGED Viewed

@@ -87,8 +87,27 @@ For each feature in the batch:
 - **Lock**: If `docs/project_notes/pm-session.lock` is missing → stop (session was terminated externally).
 - **Circuit breaker**: If 3 consecutive features are `blocked` → stop and report to user.
 - **Context check**: If **2+ features have been completed** in this session, STOP and tell the user to run `/compact` followed by `continue pm`. Do NOT continue to the next feature — context degradation causes skipped steps, lost constraints, and poor quality. This is mandatory, not a suggestion.
+- **Session-coherence check (added v0.20.0)**: Read `.sdd-version` from the repo root and the `**SDD version at start:** X.Y.Z` field from `docs/project_notes/pm-session.md`. If they differ → emit ADVISORY (non-blocking) once per Step transition:
+  ```
+  ⚠ Session-coherence drift: SDD upgraded mid-session (X.Y.Z → CURRENT).
+  Cached workflow references and rules in this session may be stale.
+  Recommendation: complete current Step's atomic work, then run `/compact`
+  followed by `continue pm` to reload templates before next Step.
+  (Non-blocking — proceed if you've reviewed the upgrade CHANGELOG and
+  confirmed no workflow-affecting changes.)
+  ```
+  Do NOT auto-update the pm-session.md value here — capture the current cached-context coherence state. The field is auto-updated only by `continue pm` after `/compact` (see "Auto-update on /compact" below).
 - **Clean workspace**: Run `git status`. If dirty, commit or stash before proceeding.
+##### Auto-update on `/compact` (added v0.20.0)
+When `continue pm` resumes the orchestrator after a `/compact`:
+1. Re-read current `.sdd-version`.
+2. Update `**SDD version at start:** X.Y.Z` in `pm-session.md` to the current value.
+3. Reset the per-Step advisory-emitted flag.
+Rationale: `/compact` reloads the cached context from the filesystem. After /compact, the agent is operating on current SDD templates, so the `SDD version at start` field should reflect that. The drift advisory above targets the WINDOW between an SDD upgrade and the next /compact — that window is the risk zone.
 #### b. Start Feature
 1. Update `pm-session.md`:

package/template/.gemini/skills/pm-orchestrator/references/pm-session-template.md CHANGED Viewed

@@ -5,6 +5,8 @@
 **Autonomy Level:** L5 (PM Autonomous)
 **Status:** in-progress
 **Target Branch:** {main|develop}
+**SDD version at start:** {sdd-version}  <!-- v0.20.0: session-coherence guard. Auto-updated by `/compact`. Do not edit manually. -->
 ## Current Batch