docguard-cli 0.11.1 → 0.12.0

package/cli/docguard.mjs

@@ -40,10 +40,12 @@ import { runPublish } from './commands/publish.mjs';
 import { runTrace } from './commands/trace.mjs';
 import { runLlms } from './commands/llms.mjs';
 import { runSetup } from './commands/setup.mjs';
+import { runUpgrade } from './commands/upgrade.mjs';
 import { ensureSkills } from './ensure-skills.mjs';
 
 // ── Shared constants (imported to break circular dependencies) ──────────
 import { c, PROFILES } from './shared.mjs';
+import { mergeIgnoreFile } from './shared-ignore.mjs';
 export { c, PROFILES };
 
 // ── Config Loading ─────────────────────────────────────────────────────────
@@ -138,6 +140,9 @@ export function loadConfig(projectDir) {
           merged.testPatterns.push(merged.testPattern);
         }
       }
+      // Merge .docguardignore patterns into config.ignore so every validator
+      // honors them without having to know about the file.
+      mergeIgnoreFile(projectDir, merged);
       return merged;
     } catch (e) {
       console.error(`${c.red}Error parsing .docguard.json: ${e.message}${c.reset}`);
@@ -148,6 +153,9 @@ export function loadConfig(projectDir) {
   // No config file — auto-detect everything
   defaults.projectType = autoDetectProjectType(projectDir);
   defaults.projectTypeConfig = getProjectTypeDefaults(defaults.projectType);
+  // .docguardignore is read even when no .docguard.json exists — keeps
+  // ignore-only projects (no config but want to skip paths) working.
+  mergeIgnoreFile(projectDir, defaults);
   return defaults;
 }
 
@@ -365,6 +373,14 @@ async function main() {
     } else if (args[i] === '--since' && args[i + 1]) {
       flags.since = args[i + 1];
       i++;
+    } else if (args[i] === '--show-failing') {
+      flags.showFailing = true;
+    } else if (args[i] === '--check-only') {
+      flags.checkOnly = true;
+    } else if (args[i] === '--apply') {
+      flags.apply = true;
+    } else if (args[i] === '--changed-only') {
+      flags.changedOnly = true;
     } else if (args[i] === '--doc' && args[i + 1]) {
       flags.doc = args[i + 1];
       i++;
@@ -403,12 +419,21 @@ async function main() {
     process.exit(0);
   }
 
-  printBanner();
+  // In JSON mode the entire stdout MUST be parseable JSON. The banner and
+  // ensureSkills' install message would corrupt the output for any
+  // programmatic consumer (CI, dashboards, the Score-on-PR Action recipe).
+  // Headless flags (`--write`, `--check-only`, `--auto`) also suppress chrome.
+  const jsonMode = flags.format === 'json';
+  const headless = jsonMode || flags.write || flags.checkOnly || flags.changedOnly;
+
+  if (!jsonMode) printBanner();
 
   const config = loadConfig(projectDir);
 
-  // Silent auto-check: install skills/commands if missing
-  if (command !== 'setup' && command !== 'init') {
+  // Silent auto-check: install skills/commands if missing. Skip entirely in
+  // headless modes where the user wants deterministic, parseable output and
+  // doesn't expect side effects on their AI-agent skill directories.
+  if (command !== 'setup' && command !== 'init' && !headless) {
     ensureSkills(projectDir, flags);
   }
 
@@ -476,6 +501,10 @@ async function main() {
     case 'llms':
       runLlms(projectDir, config, flags);
       break;
+    case 'upgrade':
+    case 'update':
+      await runUpgrade(projectDir, config, flags);
+      break;
     default:
       console.error(`${c.red}Unknown command: ${command}${c.reset}`);
       console.log(`Run ${c.cyan}docguard --help${c.reset} for usage.`);

package/cli/ensure-skills.mjs

@@ -54,8 +54,13 @@ export function detectAgentMode(projectDir) {
     '.specify',
     '.github/copilot-instructions.md',
     'CLAUDE.md',
+    'GEMINI.md',
     '.gemini',
     '.agents',
+    '.antigravity',
+    'ANTIGRAVITY.md',
+    '.kiro',
+    '.windsurf',
   ];
 
   for (const signal of llmSignals) {
@@ -105,7 +110,9 @@ export function detectAIAgent(projectDir) {
     { signal: '.claude',                        agent: 'claude' },
     { signal: 'CLAUDE.md',                      agent: 'claude' },
     { signal: '.gemini',                        agent: 'gemini' },
-    { signal: '.agents',                        agent: 'agy' },         // Antigravity
+    { signal: '.agents',                        agent: 'agy' },         // Antigravity (Spec Kit convention)
+    { signal: '.antigravity',                   agent: 'agy' },         // Antigravity (alt convention)
+    { signal: 'ANTIGRAVITY.md',                 agent: 'agy' },         // Antigravity rules file
     { signal: '.github/copilot-instructions.md', agent: 'copilot' },
     { signal: '.windsurf',                      agent: 'windsurf' },
     { signal: '.codex',                         agent: 'codex' },

package/cli/shared-ignore.mjs

@@ -40,6 +40,56 @@ export const DEFAULT_IGNORE_DIRS = new Set([
 const ALWAYS_REJECT_PATH_RE =
   /(?:^|[/\\])(?:node_modules|\.claude[/\\]worktrees|\.git[/\\]worktrees|\.jj)(?:[/\\]|$)/;
 
+/**
+ * Read `.docguardignore` from a project directory and return its patterns.
+ *
+ * Format: gitignore-style — one pattern per line, `#` for comments, blank lines
+ * ignored. Returned patterns are normalized but not transformed (callers
+ * decide whether to expand directory globs).
+ *
+ * Returns [] if the file is missing or unreadable — never throws.
+ */
+import { readFileSync, existsSync } from 'node:fs';
+import { resolve as resolvePath } from 'node:path';
+
+export function loadDocguardIgnore(projectDir) {
+  const p = resolvePath(projectDir, '.docguardignore');
+  if (!existsSync(p)) return [];
+  try {
+    const raw = readFileSync(p, 'utf-8');
+    return raw
+      .split(/\r?\n/)
+      .map(line => line.trim())
+      .filter(line => line && !line.startsWith('#'));
+  } catch {
+    return [];
+  }
+}
+
+/**
+ * Merge `.docguardignore` patterns into a config object's `ignore` array.
+ *
+ * Used at config-load time so every validator sees the combined set without
+ * having to know about the file. Mutates and returns the config for ergonomics.
+ *
+ * Idempotent — calling twice produces the same result. Skips duplicates.
+ */
+export function mergeIgnoreFile(projectDir, config) {
+  const filePatterns = loadDocguardIgnore(projectDir);
+  if (filePatterns.length === 0) return config;
+  const existing = Array.isArray(config.ignore) ? config.ignore : [];
+  const seen = new Set(existing);
+  const merged = [...existing];
+  for (const p of filePatterns) {
+    if (!seen.has(p)) {
+      merged.push(p);
+      seen.add(p);
+    }
+  }
+  config.ignore = merged;
+  return config;
+}
+
 /**
  * Convert a glob pattern to a RegExp.
  * Supports: * (any chars except /), ** (any path segments), . (literal dot).

package/cli/shared-source.mjs

@@ -210,11 +210,16 @@ export function grepEnvUsage(projectDir, config = {}) {
   const roots = resolveSourceRoots(projectDir, config);
   const seen = new Set();
 
+  // Require names to start with a letter and END with a letter/digit (NOT an
+  // underscore) — fixes "VITE_" being captured as a literal env var name.
+  const NAME = '([A-Z][A-Z0-9_]*[A-Z0-9])';
   const patterns = [
-    /process\.env\.([A-Z][A-Z0-9_]+)/g,
-    /process\.env\[\s*['"]([A-Z][A-Z0-9_]+)['"]\s*\]/g,
-    /import\.meta\.env\.([A-Z][A-Z0-9_]+)/g,
+    new RegExp(`process\\.env\\.${NAME}`, 'g'),
+    new RegExp(`process\\.env\\[\\s*['"]${NAME}['"]\\s*\\]`, 'g'),
+    new RegExp(`import\\.meta\\.env\\.${NAME}`, 'g'),
   ];
+  // Vite injects these at build time; they are not user-set env vars.
+  const VITE_INTRINSICS = new Set(['DEV', 'PROD', 'MODE', 'BASE_URL', 'SSR']);
 
   const visit = (filePath) => {
     if (seen.has(filePath)) return;
@@ -225,10 +230,16 @@ export function grepEnvUsage(projectDir, config = {}) {
     let content;
     try { content = readFileSync(filePath, 'utf-8'); } catch { return; }
     if (!content.includes('env')) return;
-    for (const re of patterns) {
+    // patterns[2] is the import.meta.env one — its matches are Vite-injected
+    // when the name is an intrinsic, and must not be reported as user env vars.
+    for (let i = 0; i < patterns.length; i++) {
       let m;
-      const rx = new RegExp(re.source, 'g');
-      while ((m = rx.exec(content)) !== null) names.add(m[1]);
+      const rx = new RegExp(patterns[i].source, 'g');
+      const isViteSource = i === 2;
+      while ((m = rx.exec(content)) !== null) {
+        if (isViteSource && VITE_INTRINSICS.has(m[1])) continue;
+        names.add(m[1]);
+      }
     }
   };
 

package/cli/shared.mjs

@@ -4,6 +4,68 @@
  * All commands import from here instead of docguard.mjs.
  */
 
+/**
+ * Current .docguard.json schema version that this CLI version writes via
+ * `docguard init`. Bump this when adding fields that need migration (e.g.
+ * v0.12 adds `severity` overrides per validator).
+ *
+ * The post-guard nudge fires when an existing project's stored
+ * `.docguard.json.version` is BEHIND this constant — pointing users at
+ * `docguard upgrade` to migrate.
+ */
+export const CURRENT_SCHEMA_VERSION = '0.5';
+
+/**
+ * Allowed severity values for per-validator `severity` overrides in
+ * `.docguard.json`. Affects EXIT-CODE behavior of `docguard guard`:
+ *   - 'high':   warnings from this validator fail CI (exit 1)
+ *   - 'medium': default — warnings exit 2 (informational)
+ *   - 'low':    warnings ignored for exit code (exit 0)
+ *
+ * Display (the per-validator status lines and the summary) is unchanged
+ * regardless of severity — severity is a CI/operational knob, not a UI one.
+ */
+export const SEVERITY_LEVELS = new Set(['high', 'medium', 'low']);
+
+/**
+ * Resolve a validator's effective severity from config.
+ * Returns 'medium' (default) if no override is set or the override is bogus.
+ */
+export function resolveSeverity(config, validatorKey) {
+  const s = config && config.severity && config.severity[validatorKey];
+  if (typeof s === 'string' && SEVERITY_LEVELS.has(s.toLowerCase())) {
+    return s.toLowerCase();
+  }
+  return 'medium';
+}
+
+/**
+ * Parse a dotted-decimal version string into a tuple of integers for
+ * comparison. Tolerates extra suffixes (e.g. `0.4-beta` → [0, 4]).
+ * Returns null when the string is unparseable.
+ */
+export function parseVersion(v) {
+  if (!v || typeof v !== 'string') return null;
+  const m = v.match(/^(\d+)(?:\.(\d+))?(?:\.(\d+))?/);
+  if (!m) return null;
+  return [Number(m[1] || 0), Number(m[2] || 0), Number(m[3] || 0)];
+}
+
+/**
+ * Compare two version strings. Returns -1 if a<b, 0 if equal, 1 if a>b.
+ * Unparseable inputs sort as equal (no nag).
+ */
+export function compareVersions(a, b) {
+  const pa = parseVersion(a);
+  const pb = parseVersion(b);
+  if (!pa || !pb) return 0;
+  for (let i = 0; i < 3; i++) {
+    if (pa[i] < pb[i]) return -1;
+    if (pa[i] > pb[i]) return 1;
+  }
+  return 0;
+}
+
 // ── Colors (ANSI escape codes, zero deps) ──────────────────────────────────
 export const c = {
   reset: '\x1b[0m',

package/cli/validators/cross-reference.mjs

@@ -0,0 +1,281 @@
+/**
+ * Cross-Reference Validator — S-8 / K-7
+ *
+ * Scans canonical docs for cross-references between docs and verifies they
+ * resolve. Catches stale links when a section is renamed or removed.
+ *
+ * Reference forms supported (in rough order of frequency):
+ *   - Markdown relative links:        [text](./OTHER.md)
+ *                                     [text](./OTHER.md#anchor)
+ *                                     [text](#anchor-in-same-doc)
+ *   - Bare anchor refs:               see §3.2 ARCHITECTURE.md
+ *                                     (Section 3.2 in DATA-MODEL.md)
+ *   - Bracketed section refs:         [Section X.Y]
+ *                                     [ARCHITECTURE.md § Components]
+ *
+ * For each ref we extract: target_file (optional), anchor (optional). Then
+ * we check:
+ *   1. target_file exists (relative to projectDir or canonical doc dir)
+ *   2. anchor resolves to a heading or an explicit `<a name="...">` in that file
+ *
+ * Zero NPM dependencies. Pure Node.js built-ins.
+ *
+ * @req SC-K7-001 — broken markdown links between canonical docs are reported
+ * @req SC-K7-002 — broken intra-doc anchors are reported
+ * @req SC-K7-003 — external URLs (http/https) are NOT checked (those are not our problem)
+ * @req SC-K7-004 — code-fenced examples don't trigger false positives
+ */
+
+import { existsSync, readFileSync, readdirSync, statSync } from 'node:fs';
+import { resolve, join, dirname, basename } from 'node:path';
+
+/**
+ * Slugify a heading the way GitHub's markdown anchors work.
+ * Mirrors GFM rules: lowercase, strip non-word chars, hyphens for spaces.
+ * Good-enough for the 95% case; not bit-perfect.
+ */
+export function slugifyHeading(text) {
+  return text
+    // Remove leading "## " (markdown header marker) WITHOUT trimming the
+    // leading whitespace that may follow it — that whitespace is the
+    // position where an emoji used to live and GitHub's anchor builder
+    // converts it to a leading dash. Example: `## ⚡ Quick Start` →
+    // anchor `#-quick-start` (with leading dash). Stripping it here
+    // would cause false-positive "broken anchor" warnings on any TOC
+    // generated by GitHub itself.
+    .replace(/^#+\s+/, '')
+    .toLowerCase()
+    // Strip emoji + decorative pictographs (they leave a position which
+    // becomes a dash after whitespace-collapse below).
+    .replace(/[\u{1F300}-\u{1FAFF}\u{2600}-\u{27BF}\u{FE0F}]/gu, '')
+    // Strip GFM-deleted punctuation
+    .replace(/[.,;:!?'"`()[\]{}<>|\\/]/g, '')
+    // Convert whitespace runs to single dashes
+    .replace(/\s+/g, '-')
+    // Drop any remaining non-word/non-dash chars
+    .replace(/[^a-z0-9-]/g, '');
+    // NB: we do NOT collapse adjacent dashes and we do NOT strip leading/
+    // trailing dashes — GitHub's GFM keeps them. `& Academic` (with `&`
+    // removed) leaves two adjacent spaces which become `--`. README TOCs
+    // generated by GitHub itself rely on this exact behavior.
+}
+
+/**
+ * Extract all headings from a markdown file. Returns an array of
+ * { level, text, anchor } where anchor is the GFM-style slug.
+ *
+ * Skips headings inside ``` fenced code blocks to avoid false positives
+ * from example code.
+ */
+export function extractHeadings(content) {
+  const lines = content.split('\n');
+  const headings = [];
+  let inCodeFence = false;
+  for (const line of lines) {
+    if (line.startsWith('```')) {
+      inCodeFence = !inCodeFence;
+      continue;
+    }
+    if (inCodeFence) continue;
+    const m = line.match(/^(#{1,6})\s+(.+?)\s*$/);
+    if (m) {
+      const text = m[2];
+      headings.push({ level: m[1].length, text, anchor: slugifyHeading(text) });
+    }
+  }
+  return headings;
+}
+
+/**
+ * Extract all candidate cross-references from a markdown file.
+ *
+ * Returns an array of { source, file, anchor, raw } where:
+ *   - source = path of the document containing the reference (for reporting)
+ *   - file   = target file path, RELATIVE to the source file's directory.
+ *              null if the link is intra-doc (just `#anchor`).
+ *   - anchor = anchor part without `#`. null if no anchor.
+ *   - raw    = the original text matched (for error messages)
+ *
+ * Skips:
+ *   - External http(s) URLs (not our problem)
+ *   - mailto: links
+ *   - Code-fenced blocks
+ *   - Inline `code` with backticks
+ */
+export function extractRefs(content, sourcePath) {
+  const refs = [];
+  const lines = content.split('\n');
+  let inCodeFence = false;
+
+  // [text](target)  where target is one of:
+  //   ./RELATIVE.md
+  //   ../OTHER.md#anchor
+  //   #intra-doc-anchor
+  // We DON'T match http(s) targets here.
+  const markdownLinkRe = /\[([^\]]+)\]\(((?!https?:|mailto:)[^)]+)\)/g;
+
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+    if (line.startsWith('```')) {
+      inCodeFence = !inCodeFence;
+      continue;
+    }
+    if (inCodeFence) continue;
+
+    // Strip inline `code` so we don't match links inside it
+    const stripped = line.replace(/`[^`]+`/g, '');
+
+    let m;
+    markdownLinkRe.lastIndex = 0;
+    while ((m = markdownLinkRe.exec(stripped)) !== null) {
+      const target = m[2].trim();
+      // Drop any title text: [foo](bar "title") → bar
+      const cleanTarget = target.split(/\s+/)[0];
+      const hashIdx = cleanTarget.indexOf('#');
+      let file, anchor;
+      if (hashIdx === 0) {
+        // Intra-doc anchor only
+        file = null;
+        anchor = cleanTarget.slice(1);
+      } else if (hashIdx > 0) {
+        file = cleanTarget.slice(0, hashIdx);
+        anchor = cleanTarget.slice(hashIdx + 1);
+      } else {
+        file = cleanTarget;
+        anchor = null;
+      }
+      refs.push({ source: sourcePath, file, anchor, raw: m[0], line: i + 1 });
+    }
+  }
+
+  return refs;
+}
+
+/**
+ * Resolve a target file path relative to a source markdown file.
+ * Returns the absolute path or null if the file doesn't exist.
+ */
+function resolveTarget(sourcePath, targetRel, projectDir) {
+  if (!targetRel) return null;
+  // Try relative to source's directory first
+  const fromSource = resolve(dirname(sourcePath), targetRel);
+  if (existsSync(fromSource)) return fromSource;
+  // Also try from project root (some authors write `docs-canonical/X.md`)
+  const fromRoot = resolve(projectDir, targetRel);
+  if (existsSync(fromRoot)) return fromRoot;
+  return null;
+}
+
+/**
+ * Collect canonical markdown docs to scan. Same selection logic as other
+ * validators — `docs-canonical/`, root tracking files, and AGENTS.md.
+ */
+function collectCanonicalDocs(projectDir) {
+  const docs = [];
+  const cdir = resolve(projectDir, 'docs-canonical');
+  if (existsSync(cdir)) {
+    try {
+      for (const f of readdirSync(cdir)) {
+        if (f.endsWith('.md')) {
+          const p = join(cdir, f);
+          if (statSync(p).isFile()) docs.push(p);
+        }
+      }
+    } catch {}
+  }
+  for (const f of ['AGENTS.md', 'CHANGELOG.md', 'DRIFT-LOG.md', 'ROADMAP.md', 'README.md']) {
+    const p = resolve(projectDir, f);
+    if (existsSync(p)) docs.push(p);
+  }
+  return docs;
+}
+
+/**
+ * Validator entrypoint — matches the standard signature returning
+ * { errors, warnings, passed, total }.
+ */
+export function validateCrossReferences(projectDir, _config = {}) {
+  const errors = [];
+  const warnings = [];
+  let passed = 0;
+  let total = 0;
+
+  const docs = collectCanonicalDocs(projectDir);
+  if (docs.length === 0) {
+    return { errors, warnings, passed, total, applicable: false };
+  }
+
+  // Build a map of doc path → anchor set for fast lookups during ref resolution.
+  const anchorIndex = new Map();
+  for (const d of docs) {
+    try {
+      const content = readFileSync(d, 'utf-8');
+      const headings = extractHeadings(content);
+      anchorIndex.set(d, new Set(headings.map(h => h.anchor)));
+    } catch {
+      anchorIndex.set(d, new Set());
+    }
+  }
+
+  // Walk every doc and validate each ref.
+  for (const docPath of docs) {
+    let content;
+    try { content = readFileSync(docPath, 'utf-8'); } catch { continue; }
+    const refs = extractRefs(content, docPath);
+    const docName = basename(docPath);
+
+    for (const ref of refs) {
+      total++;
+
+      // Resolve the target file (if any)
+      let targetPath = null;
+      if (ref.file) {
+        // Skip non-markdown files — we only validate doc cross-refs, not
+        // links to images / code / config files. Those have their own truth.
+        if (!ref.file.toLowerCase().endsWith('.md')) {
+          passed++;
+          continue;
+        }
+        targetPath = resolveTarget(docPath, ref.file, projectDir);
+        if (!targetPath) {
+          warnings.push(
+            `${docName}:${ref.line} — broken link: target file "${ref.file}" not found`
+          );
+          continue;
+        }
+      } else {
+        // Intra-doc anchor reference
+        targetPath = docPath;
+      }
+
+      // If there's an anchor, verify it resolves in the target doc.
+      // URL-decode the anchor first — some editors percent-encode chars
+      // like `️` (variation selector) in TOC links that wouldn't
+      // appear in the actual GitHub-rendered anchor. Decoding makes
+      // `#%EF%B8%8F-cicd-integration` compare against `#-cicd-integration`.
+      if (ref.anchor) {
+        let decodedAnchor;
+        try {
+          decodedAnchor = decodeURIComponent(ref.anchor);
+        } catch {
+          decodedAnchor = ref.anchor;
+        }
+        // After decode, re-apply the slug pipeline so we compare like-for-like.
+        const normalizedAnchor = slugifyHeading(decodedAnchor);
+        const anchors = anchorIndex.get(targetPath);
+        const matches = anchors && (anchors.has(ref.anchor) || anchors.has(normalizedAnchor));
+        if (!matches) {
+          const where = targetPath === docPath ? 'same doc' : basename(targetPath);
+          warnings.push(
+            `${docName}:${ref.line} — broken anchor: "#${ref.anchor}" in ${where} doesn't match any heading`
+          );
+          continue;
+        }
+      }
+
+      passed++;
+    }
+  }
+
+  return { errors, warnings, passed, total };
+}

package/cli/validators/docs-coverage.mjs

@@ -422,9 +422,12 @@ function checkReadmeSections(projectDir) {
     }
   }
 
+  // Recommended sections are a BONUS — present = +1 to both passed and total,
+  // missing = no-op. Counting missing recommended toward `total` without a
+  // corresponding warning would be a silent fail (caught by B-4 nudge).
   for (const section of recommendedSections) {
-    total++;
     if (section.patterns.some(p => lowerContent.includes(p))) {
+      total++;
       passed++;
     }
   }

package/cli/validators/environment.mjs

@@ -41,13 +41,19 @@ export function validateEnvironment(projectDir, config) {
   // CLI/library projects that declare no env vars skip this.)
   if (ptc.needsEnvVars !== false) {
     const documented = new Set();
-    const varRe = /`([A-Z][A-Z0-9_]{2,})`/g;
+    // Require the matched name to end with a letter/digit — prevents prose-only
+    // tokens like `VITE_` (the convention prefix) from being treated as a real
+    // variable name.
+    const varRe = /`([A-Z][A-Z0-9_]*[A-Z0-9])`/g;
     let m;
-    while ((m = varRe.exec(content)) !== null) documented.add(m[1]);
+    while ((m = varRe.exec(content)) !== null) {
+      if (m[1].length < 3) continue; // 'OK' / 'ID' etc. are too short to be env var refs
+      documented.add(m[1]);
+    }
     for (const envFile of ['.env.example', '.env.template']) {
       const p = resolve(projectDir, envFile);
       if (!existsSync(p)) continue;
-      const re = /^([A-Z][A-Z0-9_]+)\s*=/gm;
+      const re = /^([A-Z][A-Z0-9_]*[A-Z0-9])\s*=/gm;
       const ex = readFileSync(p, 'utf-8');
       let em;
       while ((em = re.exec(ex)) !== null) documented.add(em[1]);

package/commands/docguard.guard.md

@@ -1,5 +1,5 @@
 ---
-description: Run DocGuard guard validation — check project documentation against CDD standards with 20 validators
+description: Run DocGuard guard validation — check project documentation against CDD standards with 21 validators
 handoffs:
   - label: Fix All Issues
     agent: docguard.fix
@@ -23,7 +23,7 @@ Run the DocGuard CLI to validate all documentation against Canonical-Driven Deve
 npx docguard-cli guard
 ```
 
-2. **Parse the output**. Each of the 20 validators reports ✅ (pass), ⚠️ (warning), ❌ (fail), or ➖ (N/A — nothing to validate). **A ➖ N/A is NOT a pass**: it means the validator found nothing to check (e.g. no API-REFERENCE.md, no DB schema, no layer boundaries declared). Don't read N/A as "healthy" — read it as "not assessed".
+2. **Parse the output**. Each of the 21 validators reports ✅ (pass), ⚠️ (warning), ❌ (fail), or ➖ (N/A — nothing to validate). **A ➖ N/A is NOT a pass**: it means the validator found nothing to check (e.g. no API-REFERENCE.md, no DB schema, no layer boundaries declared). Don't read N/A as "healthy" — read it as "not assessed".
 
    | Validator | What It Checks |
    |-----------|---------------|

package/docs/quickstart.md

@@ -68,7 +68,7 @@ diagnose  →  AI reads prompts  →  AI fixes docs  →  guard verifies
 ## Verify
 
 ```bash
-npx docguard-cli guard        # Pass/fail check (20 validators)
+npx docguard-cli guard        # Pass/fail check (21 validators)
 npx docguard-cli score        # 0-100 maturity score
 ```
 

package/extensions/spec-kit-docguard/README.md

@@ -4,7 +4,7 @@ Enterprise-grade Canonical-Driven Development (CDD) enforcement and **AI-readabl
 
 ## Features
 
-- **20 Validators** — Structure, Security, Doc Quality, Test-Spec, Drift-Comments, API-Surface, Freshness, and 13 more
+- **21 Validators** — Structure, Security, Doc Quality, Test-Spec, Drift-Comments, API-Surface, Freshness, Cross-Reference, and 13 more
 - **Language-agnostic** — JS/TS, Python, Rust, Go, Java/Kotlin, Ruby, PHP, C#. Polyglot/monorepo-aware.
 - **AI-powered Generate** — `generate --plan` builds the code-truth skeleton in `<!-- docguard:section -->` markers and emits a structured agent task manifest; the AI writes the prose.
 - **Always up to date** — `sync` surgically refreshes code-truth doc sections in place, **preserves human prose**, flags prose for agent review.

package/extensions/spec-kit-docguard/commands/guard.md

@@ -14,7 +14,7 @@ handoffs:
 
 # DocGuard Guard
 
-Validate your project against its canonical documentation. Runs 160+ automated checks across 20 validators.
+Validate your project against its canonical documentation. Runs 160+ automated checks across 21 validators.
 
 ## User Input
 

package/extensions/spec-kit-docguard/extension.yml

@@ -3,7 +3,7 @@ schema_version: "1.0"
 extension:
   id: "docguard"
   name: "DocGuard — CDD Enforcement"
-  version: "0.11.1"
+  version: "0.12.0"
   description: "Canonical-Driven Development enforcement as a true spec-kit extension. LLM-first design with 19 automated validators, 4 AI behavior skills, spec-kit skill chaining, and workflow hooks. Zero NPM runtime dependencies."
   author: "Ricardo Accioly"
   repository: "https://github.com/raccioly/docguard"
@@ -53,6 +53,16 @@ provides:
       file: "commands/generate.md"
       description: "Reverse-engineer canonical docs from existing codebase"
 
+  # GitHub Actions workflow starters — copyable templates users drop into
+  # .github/workflows/ for guard/fix/sync/score integration.
+  workflows:
+    - name: "docguard-guard"
+      file: "templates/github-workflows/docguard-guard.yml"
+      description: "Mandatory CI gate — runs all 20 validators on PR + main push"
+    - name: "docguard-autofix"
+      file: "templates/github-workflows/docguard-autofix.yml"
+      description: "PR-time auto-fix — applies mechanical doc fixes + comments summary"
+
   # Helper scripts for CI/CD and automation
   scripts:
     - name: "docguard-check-docs"