docguard-cli 0.11.2 → 0.12.0

package/cli/shared-ignore.mjs

@@ -40,6 +40,56 @@ export const DEFAULT_IGNORE_DIRS = new Set([
 const ALWAYS_REJECT_PATH_RE =
   /(?:^|[/\\])(?:node_modules|\.claude[/\\]worktrees|\.git[/\\]worktrees|\.jj)(?:[/\\]|$)/;
 
+/**
+ * Read `.docguardignore` from a project directory and return its patterns.
+ *
+ * Format: gitignore-style — one pattern per line, `#` for comments, blank lines
+ * ignored. Returned patterns are normalized but not transformed (callers
+ * decide whether to expand directory globs).
+ *
+ * Returns [] if the file is missing or unreadable — never throws.
+ */
+import { readFileSync, existsSync } from 'node:fs';
+import { resolve as resolvePath } from 'node:path';
+
+export function loadDocguardIgnore(projectDir) {
+  const p = resolvePath(projectDir, '.docguardignore');
+  if (!existsSync(p)) return [];
+  try {
+    const raw = readFileSync(p, 'utf-8');
+    return raw
+      .split(/\r?\n/)
+      .map(line => line.trim())
+      .filter(line => line && !line.startsWith('#'));
+  } catch {
+    return [];
+  }
+}
+
+/**
+ * Merge `.docguardignore` patterns into a config object's `ignore` array.
+ *
+ * Used at config-load time so every validator sees the combined set without
+ * having to know about the file. Mutates and returns the config for ergonomics.
+ *
+ * Idempotent — calling twice produces the same result. Skips duplicates.
+ */
+export function mergeIgnoreFile(projectDir, config) {
+  const filePatterns = loadDocguardIgnore(projectDir);
+  if (filePatterns.length === 0) return config;
+  const existing = Array.isArray(config.ignore) ? config.ignore : [];
+  const seen = new Set(existing);
+  const merged = [...existing];
+  for (const p of filePatterns) {
+    if (!seen.has(p)) {
+      merged.push(p);
+      seen.add(p);
+    }
+  }
+  config.ignore = merged;
+  return config;
+}
+
 /**
  * Convert a glob pattern to a RegExp.
  * Supports: * (any chars except /), ** (any path segments), . (literal dot).

package/cli/shared.mjs

@@ -4,6 +4,68 @@
  * All commands import from here instead of docguard.mjs.
  */
 
+/**
+ * Current .docguard.json schema version that this CLI version writes via
+ * `docguard init`. Bump this when adding fields that need migration (e.g.
+ * v0.12 adds `severity` overrides per validator).
+ *
+ * The post-guard nudge fires when an existing project's stored
+ * `.docguard.json.version` is BEHIND this constant — pointing users at
+ * `docguard upgrade` to migrate.
+ */
+export const CURRENT_SCHEMA_VERSION = '0.5';
+
+/**
+ * Allowed severity values for per-validator `severity` overrides in
+ * `.docguard.json`. Affects EXIT-CODE behavior of `docguard guard`:
+ *   - 'high':   warnings from this validator fail CI (exit 1)
+ *   - 'medium': default — warnings exit 2 (informational)
+ *   - 'low':    warnings ignored for exit code (exit 0)
+ *
+ * Display (the per-validator status lines and the summary) is unchanged
+ * regardless of severity — severity is a CI/operational knob, not a UI one.
+ */
+export const SEVERITY_LEVELS = new Set(['high', 'medium', 'low']);
+
+/**
+ * Resolve a validator's effective severity from config.
+ * Returns 'medium' (default) if no override is set or the override is bogus.
+ */
+export function resolveSeverity(config, validatorKey) {
+  const s = config && config.severity && config.severity[validatorKey];
+  if (typeof s === 'string' && SEVERITY_LEVELS.has(s.toLowerCase())) {
+    return s.toLowerCase();
+  }
+  return 'medium';
+}
+
+/**
+ * Parse a dotted-decimal version string into a tuple of integers for
+ * comparison. Tolerates extra suffixes (e.g. `0.4-beta` → [0, 4]).
+ * Returns null when the string is unparseable.
+ */
+export function parseVersion(v) {
+  if (!v || typeof v !== 'string') return null;
+  const m = v.match(/^(\d+)(?:\.(\d+))?(?:\.(\d+))?/);
+  if (!m) return null;
+  return [Number(m[1] || 0), Number(m[2] || 0), Number(m[3] || 0)];
+}
+
+/**
+ * Compare two version strings. Returns -1 if a<b, 0 if equal, 1 if a>b.
+ * Unparseable inputs sort as equal (no nag).
+ */
+export function compareVersions(a, b) {
+  const pa = parseVersion(a);
+  const pb = parseVersion(b);
+  if (!pa || !pb) return 0;
+  for (let i = 0; i < 3; i++) {
+    if (pa[i] < pb[i]) return -1;
+    if (pa[i] > pb[i]) return 1;
+  }
+  return 0;
+}
+
 // ── Colors (ANSI escape codes, zero deps) ──────────────────────────────────
 export const c = {
   reset: '\x1b[0m',

package/cli/validators/cross-reference.mjs

@@ -0,0 +1,281 @@
+/**
+ * Cross-Reference Validator — S-8 / K-7
+ *
+ * Scans canonical docs for cross-references between docs and verifies they
+ * resolve. Catches stale links when a section is renamed or removed.
+ *
+ * Reference forms supported (in rough order of frequency):
+ *   - Markdown relative links:        [text](./OTHER.md)
+ *                                     [text](./OTHER.md#anchor)
+ *                                     [text](#anchor-in-same-doc)
+ *   - Bare anchor refs:               see §3.2 ARCHITECTURE.md
+ *                                     (Section 3.2 in DATA-MODEL.md)
+ *   - Bracketed section refs:         [Section X.Y]
+ *                                     [ARCHITECTURE.md § Components]
+ *
+ * For each ref we extract: target_file (optional), anchor (optional). Then
+ * we check:
+ *   1. target_file exists (relative to projectDir or canonical doc dir)
+ *   2. anchor resolves to a heading or an explicit `<a name="...">` in that file
+ *
+ * Zero NPM dependencies. Pure Node.js built-ins.
+ *
+ * @req SC-K7-001 — broken markdown links between canonical docs are reported
+ * @req SC-K7-002 — broken intra-doc anchors are reported
+ * @req SC-K7-003 — external URLs (http/https) are NOT checked (those are not our problem)
+ * @req SC-K7-004 — code-fenced examples don't trigger false positives
+ */
+
+import { existsSync, readFileSync, readdirSync, statSync } from 'node:fs';
+import { resolve, join, dirname, basename } from 'node:path';
+
+/**
+ * Slugify a heading the way GitHub's markdown anchors work.
+ * Mirrors GFM rules: lowercase, strip non-word chars, hyphens for spaces.
+ * Good-enough for the 95% case; not bit-perfect.
+ */
+export function slugifyHeading(text) {
+  return text
+    // Remove leading "## " (markdown header marker) WITHOUT trimming the
+    // leading whitespace that may follow it — that whitespace is the
+    // position where an emoji used to live and GitHub's anchor builder
+    // converts it to a leading dash. Example: `## ⚡ Quick Start` →
+    // anchor `#-quick-start` (with leading dash). Stripping it here
+    // would cause false-positive "broken anchor" warnings on any TOC
+    // generated by GitHub itself.
+    .replace(/^#+\s+/, '')
+    .toLowerCase()
+    // Strip emoji + decorative pictographs (they leave a position which
+    // becomes a dash after whitespace-collapse below).
+    .replace(/[\u{1F300}-\u{1FAFF}\u{2600}-\u{27BF}\u{FE0F}]/gu, '')
+    // Strip GFM-deleted punctuation
+    .replace(/[.,;:!?'"`()[\]{}<>|\\/]/g, '')
+    // Convert whitespace runs to single dashes
+    .replace(/\s+/g, '-')
+    // Drop any remaining non-word/non-dash chars
+    .replace(/[^a-z0-9-]/g, '');
+    // NB: we do NOT collapse adjacent dashes and we do NOT strip leading/
+    // trailing dashes — GitHub's GFM keeps them. `& Academic` (with `&`
+    // removed) leaves two adjacent spaces which become `--`. README TOCs
+    // generated by GitHub itself rely on this exact behavior.
+}
+
+/**
+ * Extract all headings from a markdown file. Returns an array of
+ * { level, text, anchor } where anchor is the GFM-style slug.
+ *
+ * Skips headings inside ``` fenced code blocks to avoid false positives
+ * from example code.
+ */
+export function extractHeadings(content) {
+  const lines = content.split('\n');
+  const headings = [];
+  let inCodeFence = false;
+  for (const line of lines) {
+    if (line.startsWith('```')) {
+      inCodeFence = !inCodeFence;
+      continue;
+    }
+    if (inCodeFence) continue;
+    const m = line.match(/^(#{1,6})\s+(.+?)\s*$/);
+    if (m) {
+      const text = m[2];
+      headings.push({ level: m[1].length, text, anchor: slugifyHeading(text) });
+    }
+  }
+  return headings;
+}
+
+/**
+ * Extract all candidate cross-references from a markdown file.
+ *
+ * Returns an array of { source, file, anchor, raw } where:
+ *   - source = path of the document containing the reference (for reporting)
+ *   - file   = target file path, RELATIVE to the source file's directory.
+ *              null if the link is intra-doc (just `#anchor`).
+ *   - anchor = anchor part without `#`. null if no anchor.
+ *   - raw    = the original text matched (for error messages)
+ *
+ * Skips:
+ *   - External http(s) URLs (not our problem)
+ *   - mailto: links
+ *   - Code-fenced blocks
+ *   - Inline `code` with backticks
+ */
+export function extractRefs(content, sourcePath) {
+  const refs = [];
+  const lines = content.split('\n');
+  let inCodeFence = false;
+
+  // [text](target)  where target is one of:
+  //   ./RELATIVE.md
+  //   ../OTHER.md#anchor
+  //   #intra-doc-anchor
+  // We DON'T match http(s) targets here.
+  const markdownLinkRe = /\[([^\]]+)\]\(((?!https?:|mailto:)[^)]+)\)/g;
+
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+    if (line.startsWith('```')) {
+      inCodeFence = !inCodeFence;
+      continue;
+    }
+    if (inCodeFence) continue;
+
+    // Strip inline `code` so we don't match links inside it
+    const stripped = line.replace(/`[^`]+`/g, '');
+
+    let m;
+    markdownLinkRe.lastIndex = 0;
+    while ((m = markdownLinkRe.exec(stripped)) !== null) {
+      const target = m[2].trim();
+      // Drop any title text: [foo](bar "title") → bar
+      const cleanTarget = target.split(/\s+/)[0];
+      const hashIdx = cleanTarget.indexOf('#');
+      let file, anchor;
+      if (hashIdx === 0) {
+        // Intra-doc anchor only
+        file = null;
+        anchor = cleanTarget.slice(1);
+      } else if (hashIdx > 0) {
+        file = cleanTarget.slice(0, hashIdx);
+        anchor = cleanTarget.slice(hashIdx + 1);
+      } else {
+        file = cleanTarget;
+        anchor = null;
+      }
+      refs.push({ source: sourcePath, file, anchor, raw: m[0], line: i + 1 });
+    }
+  }
+
+  return refs;
+}
+
+/**
+ * Resolve a target file path relative to a source markdown file.
+ * Returns the absolute path or null if the file doesn't exist.
+ */
+function resolveTarget(sourcePath, targetRel, projectDir) {
+  if (!targetRel) return null;
+  // Try relative to source's directory first
+  const fromSource = resolve(dirname(sourcePath), targetRel);
+  if (existsSync(fromSource)) return fromSource;
+  // Also try from project root (some authors write `docs-canonical/X.md`)
+  const fromRoot = resolve(projectDir, targetRel);
+  if (existsSync(fromRoot)) return fromRoot;
+  return null;
+}
+
+/**
+ * Collect canonical markdown docs to scan. Same selection logic as other
+ * validators — `docs-canonical/`, root tracking files, and AGENTS.md.
+ */
+function collectCanonicalDocs(projectDir) {
+  const docs = [];
+  const cdir = resolve(projectDir, 'docs-canonical');
+  if (existsSync(cdir)) {
+    try {
+      for (const f of readdirSync(cdir)) {
+        if (f.endsWith('.md')) {
+          const p = join(cdir, f);
+          if (statSync(p).isFile()) docs.push(p);
+        }
+      }
+    } catch {}
+  }
+  for (const f of ['AGENTS.md', 'CHANGELOG.md', 'DRIFT-LOG.md', 'ROADMAP.md', 'README.md']) {
+    const p = resolve(projectDir, f);
+    if (existsSync(p)) docs.push(p);
+  }
+  return docs;
+}
+
+/**
+ * Validator entrypoint — matches the standard signature returning
+ * { errors, warnings, passed, total }.
+ */
+export function validateCrossReferences(projectDir, _config = {}) {
+  const errors = [];
+  const warnings = [];
+  let passed = 0;
+  let total = 0;
+
+  const docs = collectCanonicalDocs(projectDir);
+  if (docs.length === 0) {
+    return { errors, warnings, passed, total, applicable: false };
+  }
+
+  // Build a map of doc path → anchor set for fast lookups during ref resolution.
+  const anchorIndex = new Map();
+  for (const d of docs) {
+    try {
+      const content = readFileSync(d, 'utf-8');
+      const headings = extractHeadings(content);
+      anchorIndex.set(d, new Set(headings.map(h => h.anchor)));
+    } catch {
+      anchorIndex.set(d, new Set());
+    }
+  }
+
+  // Walk every doc and validate each ref.
+  for (const docPath of docs) {
+    let content;
+    try { content = readFileSync(docPath, 'utf-8'); } catch { continue; }
+    const refs = extractRefs(content, docPath);
+    const docName = basename(docPath);
+
+    for (const ref of refs) {
+      total++;
+
+      // Resolve the target file (if any)
+      let targetPath = null;
+      if (ref.file) {
+        // Skip non-markdown files — we only validate doc cross-refs, not
+        // links to images / code / config files. Those have their own truth.
+        if (!ref.file.toLowerCase().endsWith('.md')) {
+          passed++;
+          continue;
+        }
+        targetPath = resolveTarget(docPath, ref.file, projectDir);
+        if (!targetPath) {
+          warnings.push(
+            `${docName}:${ref.line} — broken link: target file "${ref.file}" not found`
+          );
+          continue;
+        }
+      } else {
+        // Intra-doc anchor reference
+        targetPath = docPath;
+      }
+
+      // If there's an anchor, verify it resolves in the target doc.
+      // URL-decode the anchor first — some editors percent-encode chars
+      // like `️` (variation selector) in TOC links that wouldn't
+      // appear in the actual GitHub-rendered anchor. Decoding makes
+      // `#%EF%B8%8F-cicd-integration` compare against `#-cicd-integration`.
+      if (ref.anchor) {
+        let decodedAnchor;
+        try {
+          decodedAnchor = decodeURIComponent(ref.anchor);
+        } catch {
+          decodedAnchor = ref.anchor;
+        }
+        // After decode, re-apply the slug pipeline so we compare like-for-like.
+        const normalizedAnchor = slugifyHeading(decodedAnchor);
+        const anchors = anchorIndex.get(targetPath);
+        const matches = anchors && (anchors.has(ref.anchor) || anchors.has(normalizedAnchor));
+        if (!matches) {
+          const where = targetPath === docPath ? 'same doc' : basename(targetPath);
+          warnings.push(
+            `${docName}:${ref.line} — broken anchor: "#${ref.anchor}" in ${where} doesn't match any heading`
+          );
+          continue;
+        }
+      }
+
+      passed++;
+    }
+  }
+
+  return { errors, warnings, passed, total };
+}

package/commands/docguard.guard.md

@@ -1,5 +1,5 @@
 ---
-description: Run DocGuard guard validation — check project documentation against CDD standards with 20 validators
+description: Run DocGuard guard validation — check project documentation against CDD standards with 21 validators
 handoffs:
   - label: Fix All Issues
     agent: docguard.fix
@@ -23,7 +23,7 @@ Run the DocGuard CLI to validate all documentation against Canonical-Driven Deve
 npx docguard-cli guard
 ```
 
-2. **Parse the output**. Each of the 20 validators reports ✅ (pass), ⚠️ (warning), ❌ (fail), or ➖ (N/A — nothing to validate). **A ➖ N/A is NOT a pass**: it means the validator found nothing to check (e.g. no API-REFERENCE.md, no DB schema, no layer boundaries declared). Don't read N/A as "healthy" — read it as "not assessed".
+2. **Parse the output**. Each of the 21 validators reports ✅ (pass), ⚠️ (warning), ❌ (fail), or ➖ (N/A — nothing to validate). **A ➖ N/A is NOT a pass**: it means the validator found nothing to check (e.g. no API-REFERENCE.md, no DB schema, no layer boundaries declared). Don't read N/A as "healthy" — read it as "not assessed".
 
    | Validator | What It Checks |
    |-----------|---------------|

package/docs/quickstart.md

@@ -68,7 +68,7 @@ diagnose  →  AI reads prompts  →  AI fixes docs  →  guard verifies
 ## Verify
 
 ```bash
-npx docguard-cli guard        # Pass/fail check (20 validators)
+npx docguard-cli guard        # Pass/fail check (21 validators)
 npx docguard-cli score        # 0-100 maturity score
 ```
 

package/extensions/spec-kit-docguard/README.md

@@ -4,7 +4,7 @@ Enterprise-grade Canonical-Driven Development (CDD) enforcement and **AI-readabl
 
 ## Features
 
-- **20 Validators** — Structure, Security, Doc Quality, Test-Spec, Drift-Comments, API-Surface, Freshness, and 13 more
+- **21 Validators** — Structure, Security, Doc Quality, Test-Spec, Drift-Comments, API-Surface, Freshness, Cross-Reference, and 13 more
 - **Language-agnostic** — JS/TS, Python, Rust, Go, Java/Kotlin, Ruby, PHP, C#. Polyglot/monorepo-aware.
 - **AI-powered Generate** — `generate --plan` builds the code-truth skeleton in `<!-- docguard:section -->` markers and emits a structured agent task manifest; the AI writes the prose.
 - **Always up to date** — `sync` surgically refreshes code-truth doc sections in place, **preserves human prose**, flags prose for agent review.

package/extensions/spec-kit-docguard/commands/guard.md

@@ -14,7 +14,7 @@ handoffs:
 
 # DocGuard Guard
 
-Validate your project against its canonical documentation. Runs 160+ automated checks across 20 validators.
+Validate your project against its canonical documentation. Runs 160+ automated checks across 21 validators.
 
 ## User Input
 

package/extensions/spec-kit-docguard/extension.yml

@@ -3,7 +3,7 @@ schema_version: "1.0"
 extension:
   id: "docguard"
   name: "DocGuard — CDD Enforcement"
-  version: "0.11.2"
+  version: "0.12.0"
   description: "Canonical-Driven Development enforcement as a true spec-kit extension. LLM-first design with 19 automated validators, 4 AI behavior skills, spec-kit skill chaining, and workflow hooks. Zero NPM runtime dependencies."
   author: "Ricardo Accioly"
   repository: "https://github.com/raccioly/docguard"
@@ -53,6 +53,16 @@ provides:
       file: "commands/generate.md"
       description: "Reverse-engineer canonical docs from existing codebase"
 
+  # GitHub Actions workflow starters — copyable templates users drop into
+  # .github/workflows/ for guard/fix/sync/score integration.
+  workflows:
+    - name: "docguard-guard"
+      file: "templates/github-workflows/docguard-guard.yml"
+      description: "Mandatory CI gate — runs all 20 validators on PR + main push"
+    - name: "docguard-autofix"
+      file: "templates/github-workflows/docguard-autofix.yml"
+      description: "PR-time auto-fix — applies mechanical doc fixes + comments summary"
+
   # Helper scripts for CI/CD and automation
   scripts:
     - name: "docguard-check-docs"

package/extensions/spec-kit-docguard/skills/docguard-fix/SKILL.md

@@ -6,10 +6,10 @@ description: AI-driven documentation repair with structured research workflow, t
 compatibility: Requires DocGuard CLI installed (npm i -g docguard-cli or npx docguard-cli)
 metadata:
   author: docguard
-  version: 0.11.2
+  version: 0.12.0
   source: extensions/spec-kit-docguard/skills/docguard-fix
 ---
-<!-- docguard:version: 0.11.2 -->
+<!-- docguard:version: 0.12.0 -->
 
 # DocGuard Fix Skill
 

package/extensions/spec-kit-docguard/skills/docguard-guard/SKILL.md

@@ -7,10 +7,10 @@ description: Run DocGuard guard validation against Canonical-Driven Development
 compatibility: Requires DocGuard CLI installed (npm i -g docguard-cli or npx docguard-cli)
 metadata:
   author: docguard
-  version: 0.11.2
+  version: 0.12.0
   source: extensions/spec-kit-docguard/skills/docguard-guard
 ---
-<!-- docguard:version: 0.11.2 -->
+<!-- docguard:version: 0.12.0 -->
 
 # DocGuard Guard Skill
 
@@ -139,7 +139,7 @@ For each finding, provide a **specific, actionable fix** — not "fix the issue"
 
 Based on the triage results:
 
-- **If all PASS**: "All 20 validators passed. Project is CDD-compliant. Ready to commit."
+- **If all PASS**: "All 21 validators passed. Project is CDD-compliant. Ready to commit."
 - **If only MEDIUM/LOW warnings**: "Non-blocking warnings found. Safe to commit, but consider running `/docguard.fix` for automated remediation."
 - **If HIGH or CRITICAL failures**: "Blocking issues found. Fix these before committing. Suggest running `/docguard.fix --doc [most impactful doc]` next."
 

package/extensions/spec-kit-docguard/skills/docguard-review/SKILL.md

@@ -6,10 +6,10 @@ description: Cross-document consistency analysis and quality assessment. Perform
 compatibility: Requires DocGuard CLI installed (npm i -g docguard-cli or npx docguard-cli)
 metadata:
   author: docguard
-  version: 0.11.2
+  version: 0.12.0
   source: extensions/spec-kit-docguard/skills/docguard-review
 ---
-<!-- docguard:version: 0.11.2 -->
+<!-- docguard:version: 0.12.0 -->
 
 # DocGuard Review Skill
 

package/extensions/spec-kit-docguard/skills/docguard-score/SKILL.md

@@ -6,10 +6,10 @@ description: CDD maturity assessment with category-aware improvement roadmap. Ru
 compatibility: Requires DocGuard CLI installed (npm i -g docguard-cli or npx docguard-cli)
 metadata:
   author: docguard
-  version: 0.11.2
+  version: 0.12.0
   source: extensions/spec-kit-docguard/skills/docguard-score
 ---
-<!-- docguard:version: 0.11.2 -->
+<!-- docguard:version: 0.12.0 -->
 
 # DocGuard Score Skill
 

package/extensions/spec-kit-docguard/skills/docguard-sync/SKILL.md

@@ -4,7 +4,7 @@ description: Keep canonical documentation ALWAYS UP TO DATE. Refreshes code-trut
 compatibility: Requires DocGuard CLI installed (npm i -g docguard-cli or npx docguard-cli)
 metadata:
   author: docguard
-  version: 0.11.2
+  version: 0.12.0
   source: extensions/spec-kit-docguard/skills/docguard-sync
 ---
 

package/extensions/spec-kit-docguard/templates/github-workflows/docguard-autofix.yml

@@ -0,0 +1,51 @@
+# DocGuard Auto-Fix — applies mechanical doc fixes on every PR.
+#
+# What this does on each PR:
+#   1. Runs `docguard fix --write` (deterministic fixes: version bumps,
+#      counts, endpoint removal from API-REFERENCE, changelog stubs).
+#   2. If anything changed, commits the diff back to the PR branch as
+#      `docguard-bot` and posts a summary comment.
+#   3. If nothing changed, posts a "no fixes needed" comment.
+#
+# Prose rewrites (entire-section regenerations) still need an AI agent —
+# run `/docguard.fix` in your editor for those.
+#
+# Setup:
+#   1. Copy this file to .github/workflows/docguard-autofix.yml
+#   2. Ensure the workflow has the permissions block below (write access).
+#   3. (Optional) Pin to a specific DocGuard version by changing `@main` to a tag.
+#
+# Security note: this workflow makes commits back to the PR branch. It refuses
+# to run on PRs from forks (where pushing back is impossible by design).
+name: DocGuard Auto-Fix
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened]
+
+permissions:
+  contents: write          # commit fixes back to the PR branch
+  pull-requests: write     # post the summary comment
+
+jobs:
+  autofix:
+    runs-on: ubuntu-latest
+    # Skip on fork PRs — the next step would error trying to push.
+    if: github.event.pull_request.head.repo.full_name == github.repository
+    steps:
+      - name: Checkout PR branch (with write token)
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.ref }}
+          # Default GITHUB_TOKEN has the contents:write scope granted above.
+          # For org-protected branches or commit signing, swap in a PAT/App token.
+          token: ${{ secrets.GITHUB_TOKEN }}
+          fetch-depth: 0
+
+      - name: Run DocGuard fix --write + auto-commit + PR comment
+        uses: raccioly/docguard@main
+        with:
+          command: fix
+          auto-commit: 'true'
+          comment-on-pr: 'true'
+          commit-message: 'docs: apply DocGuard mechanical fixes'

package/extensions/spec-kit-docguard/templates/github-workflows/docguard-guard.yml

@@ -0,0 +1,48 @@
+# DocGuard Guard — runs all 20 validators on every PR and main push.
+#
+# This is the canonical CI gate. It does NOT modify your repo — it only
+# reports. Pair with `docguard-autofix.yml` if you want mechanical fixes
+# applied automatically.
+#
+# Setup:
+#   1. Copy this file to .github/workflows/docguard-guard.yml
+#   2. (Optional) Set `fail-on-warning: 'true'` to make warnings block the PR.
+name: DocGuard Guard
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+permissions:
+  contents: read
+  pull-requests: write     # only needed for the optional score comment below
+
+jobs:
+  guard:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Run all validators
+        uses: raccioly/docguard@main
+        with:
+          command: guard
+          # Flip to 'true' once your repo is clean — turns warnings into hard failures.
+          fail-on-warning: 'false'
+
+  # Optional: post the CDD score on every PR as a tracked metric.
+  score:
+    runs-on: ubuntu-latest
+    if: github.event_name == 'pull_request'
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Score & comment
+        uses: raccioly/docguard@main
+        with:
+          command: score
+          format: json

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "docguard-cli",
-  "version": "0.11.2",
+  "version": "0.12.0",
   "description": "The enforcement tool for Canonical-Driven Development (CDD). Audit, generate, and guard your project documentation.",
   "type": "module",
   "bin": {