engineering-intelligence 1.3.0 → 1.5.0

package/templates/canonical/skills/security-audit-engine/SKILL.md

@@ -32,8 +32,13 @@ Identify security risks through systematic, evidence-backed analysis of dependen
    - Check version against known CVE databases (cite CVE IDs)
    - Flag dependencies with no updates in >12 months (abandonment risk)
    - Identify transitive dependencies with known vulnerabilities
+   - Check license compatibility against the project license
+   - Check maintenance health (days since last release/commit when available)
+   - For frontend packages, estimate bundle size impact or require a bundle-size check
    - Note severity: critical, high, medium, low
 
+   Trigger this targeted dependency risk review whenever manifests add a new package. Critical CVEs block completion before commit. Unknown license or maintenance data must be recorded as risk, not ignored.
+
 2. **Auth/Authz Pattern Review** — Analyze authentication and authorization:
 
    | Check | What to Look For |
@@ -90,6 +95,14 @@ Identify security risks through systematic, evidence-backed analysis of dependen
 
 6. **Generate Assessment** — Write findings to `knowledge-base/20-security-assessment.md`.
 
+7. **Targeted Dependency-Risk Output** — During implementation runs triggered by new or upgraded packages, write a lighter unit artifact instead of conflating the result with a full audit:
+
+   ```text
+   .engineering-intelligence/aidlc/construction/<unit>/dependency-risk-summary.md
+   ```
+
+   This summary must include CVE, license, maintenance, and bundle impact findings for changed dependencies. Critical CVEs block completion.
+
 ## Output Format
 
 Write `knowledge-base/20-security-assessment.md`:
@@ -104,9 +117,9 @@ Write `knowledge-base/20-security-assessment.md`:
 - Overall risk: low | medium | high | critical
 
 ## Dependency Vulnerabilities
-| Dependency | Version | CVE | Severity | Fix Available |
-|---|---|---|---|---|
-| lodash | 4.17.15 | CVE-2020-8203 | High | Yes (4.17.21) |
+| Dependency | Version | CVE | Severity | Fix Available | License | Maintenance | Bundle Impact |
+|---|---|---|---|---|---|---|---|
+| lodash | 4.17.15 | CVE-2020-8203 | High | Yes (4.17.21) | MIT | maintained | n/a |
 
 ## Auth/Authz Assessment
 - Mechanism: <description>
@@ -138,6 +151,18 @@ Write `knowledge-base/20-security-assessment.md`:
 *This security assessment did not modify product code.*
 ```
 
+### Targeted Dependency Risk Summary
+
+```markdown
+# Dependency Risk Summary: <unit>
+
+| Package | Change | CVE Risk | License | Maintenance | Bundle Impact | Decision |
+|---|---|---|---|---|---|---|
+
+## Blocking Findings
+- <critical CVE or policy violation>
+```
+
 ## Rules
 
 - Never assume a vulnerability exists without evidence — cite file paths and line numbers
@@ -149,6 +174,8 @@ Write `knowledge-base/20-security-assessment.md`:
 ## Quality Gates
 
 - [ ] All dependency vulnerabilities cite CVE IDs and affected versions
+- [ ] New package additions include CVE, license, maintenance, and bundle-size risk where applicable
+- [ ] Critical CVEs block completion
 - [ ] Auth/authz review covers both authentication and authorization
 - [ ] Secrets scan does not expose actual secret values in the report
 - [ ] OWASP Top 10 items each have a status with evidence or rationale

package/templates/canonical/skills/staleness-detector/SKILL.md

@@ -96,6 +96,15 @@ This capability does not modify product code.
    - If no freshness comment exists, add it after the document title (first `#` heading)
    - Never modify document content — only metadata comments
 
+   Also add section-level confidence metadata to each H2 section when evidence can be resolved:
+
+   ```markdown
+   ## Authentication Flow
+   <!-- section-confidence: level=high, score=91, verified_at=2026-06-04T10:00:00Z, evidence=src/auth/middleware.ts -->
+   ```
+
+   Agents must prefer high/medium confidence sections and skip low-confidence sections unless they verify the section against source first.
+
 6. **Determine sync actions** — Based on freshness scores, determine required actions:
 
    | Condition | Action |
@@ -161,6 +170,14 @@ This capability does not modify product code.
    - The list of changed source files
    - The staleness reason (file modified, file deleted, file moved, age)
 
+9. **Pre-Implementation Drift Trigger** — When invoked by `engineering-intelligence-skill`, return a blocking drift decision:
+
+   | Condition | Decision |
+   |---|---|
+   | All scoped artifacts >= 60 | Proceed |
+   | Any scoped artifact 50-59 | Sync before implementation or mark stale risk in impact report |
+   | Any scoped artifact < 50 | Block implementation until incremental sync or explicit user risk acceptance |
+
 ## Quality Gates
 
 - [ ] All knowledge base, memory, and context documents are inventoried
@@ -169,10 +186,12 @@ This capability does not modify product code.
 - [ ] Freshness scores follow the defined calculation formula
 - [ ] Score interpretation matches the defined status table
 - [ ] Freshness metadata is injected without modifying document content
+- [ ] Section-level confidence metadata is added for H2 sections where evidence can be resolved
 - [ ] FRESHNESS-report.md exists at `.engineering-intelligence/reports/FRESHNESS-report.md`
 - [ ] Structural changes (deleted/moved files) are detected and reported
 - [ ] Documents below threshold are queued for incremental sync
 - [ ] Module-level aggregation is included in the report
+- [ ] Pre-implementation drift decision is returned when scoped to a planned change
 
 ## Cross-References
 

package/templates/canonical/skills/testing-intelligence-engine/SKILL.md

@@ -13,6 +13,8 @@ Determine the minimum sufficient test coverage for a change based on risk assess
 - Impact report (`.engineering-intelligence/reports/IMP-XXX-*.md`)
 - Existing test patterns in the repository
 - Change classification (feature, bugfix, refactor, etc.)
+- Coverage reports when available (`coverage-final.json`, `coverage.xml`, `lcov.info`, `go test -cover`, pytest coverage output)
+- Agile acceptance criteria from `.engineering-intelligence/aidlc/agile/acceptance-criteria.md`
 
 ## Risk-Based Test Selection Matrix
 
@@ -29,11 +31,18 @@ Determine the minimum sufficient test coverage for a change based on risk assess
    - Identify test framework(s) in use (Jest, Mocha, pytest, Go testing, etc.)
    - Locate test directories and naming patterns
    - Map tests to source files (by convention or configuration)
-   - Identify untested critical paths
+   - Parse real coverage reports where available:
+     - Jest/Vitest/Istanbul JSON (`coverage-final.json`)
+     - LCOV (`lcov.info`)
+     - pytest `coverage.xml`
+     - Go `go test -cover` output
+   - Map uncovered lines to modules and critical paths
 
 2. **Map Change to Tests** — Using the impact report:
    - List source files/functions changed
    - Find existing tests covering those files
+   - Build a source-line to test-file map from coverage where possible
+   - Run or recommend targeted impacted tests first, then broader validation
    - Identify tests that should exist but don't (coverage gaps)
 
 3. **Determine Required Tests** — Using the risk matrix above:
@@ -56,6 +65,15 @@ Determine the minimum sufficient test coverage for a change based on risk assess
    - Negative-path and permission tests for security changes
    - Data migration and rollback tests for schema changes
 
+   **For API/service integration changes**:
+   - Generate integration test stubs from `knowledge-base/04-api-documentation.md` and `service-graph.json`
+   - Cover happy path, auth failure, downstream timeout, and validation error
+   - Match existing test framework, describe/it nesting, mock setup, assertion library, and factory style
+
+   **For complex validators or combinatorial logic**:
+   - Recommend property-based tests (`fast-check`, `hypothesis`, `proptest`, or project equivalent)
+   - Include seed examples and rationale
+
 4. **Identify Coverage Gaps** — Report:
    - Critical paths with no test coverage
    - Changed behavior with no corresponding test
@@ -66,6 +84,10 @@ Determine the minimum sufficient test coverage for a change based on risk assess
    - Test cases to write (describe what, not write the test code)
    - Validation commands to run
 
+6. **Verify Acceptance Criteria** — Produce an Acceptance Criteria Verification Matrix mapping every criterion to automated tests, manual verification, or an unavailable check. Missing mappings block Definition of Done.
+
+7. **Propose Regression Patterns** — For bugfixes, compare against `.engineering-intelligence/memory/regression-patterns.md`. Reuse matching templates. If a new recurring bug category is found, propose a durable pattern to `memory-sync-engine`; Memory Sync owns durable persistence.
+
 ## Output
 
 ### Per-Change Testing (in `.changes/CHG-XXX-*.md`)
@@ -99,6 +121,14 @@ Only update when documenting project-wide testing posture:
 ## Coverage Gaps
 - <critical untested areas>
 
+## Evidence-Based Coverage
+| Source File | Changed Lines | Covering Tests | Uncovered Lines |
+|---|---|---|---|
+
+## Acceptance Criteria Verification Matrix
+| Criterion | Covering Test / Manual Check | Result |
+|---|---|---|
+
 ## Running Tests
 - All tests: `<command>`
 - Specific suite: `<command>`
@@ -110,6 +140,9 @@ Only update when documenting project-wide testing posture:
 - Recommend tests proportional to risk — don't mandate full-suite runs for low-risk changes
 - Always note when validation was not actually run (only recommended)
 - Never claim test coverage without checking existing tests
+- Prefer real coverage reports over proximity estimates when reports exist
+- Target impacted tests first, then run broader suites according to risk
+- Missing acceptance-criteria mappings block Definition of Done
 - Record test results honestly, including failures
 
 ## Quality Gates
@@ -117,7 +150,10 @@ Only update when documenting project-wide testing posture:
 - [ ] Impact report was consulted for risk level
 - [ ] Test recommendations match the risk level
 - [ ] Existing test coverage was checked before recommending new tests
+- [ ] Coverage reports were parsed when available
+- [ ] Impacted tests were identified separately from full-suite validation
 - [ ] Coverage gaps in critical paths are flagged
+- [ ] Acceptance criteria are mapped to validation evidence
 
 ## Cross-References
 

package/templates/canonical/skills/type-safety-engine/SKILL.md

@@ -0,0 +1,81 @@
+---
+name: type-safety-engine
+description: Validates generated code against the project type system, traces type-level dependencies, and loops on compiler errors until clean or blocked.
+version: 1.0.0
+---
+
+# Type Safety Engine
+
+Use this skill for TypeScript, Python, Go, Rust, Java, Kotlin, C#, or any project with a declared type checker. It is a blocking gate for generated code in typed projects.
+
+## Inputs
+
+- Changed files from the impact report or current diff
+- Project manifests and type-check configuration
+- Existing graph artifacts under `.engineering-intelligence/graph/`
+
+## Procedure
+
+1. **Detect Type System**
+   - TypeScript: `tsconfig.json`, `package.json`, `tsc`
+   - Python: `mypy.ini`, `pyproject.toml`, `pyrightconfig.json`, annotations
+   - Go: `go.mod`
+   - Rust: `Cargo.toml`
+   - Java/Kotlin/C#: project build files
+
+2. **Trace Type Dependencies**
+   - TypeScript: run or recommend `tsc --listFilesOnly` and use the TypeScript compiler API when available to identify interface, type alias, enum, generic, declaration, and ambient type dependencies.
+   - Python: run or recommend `mypy --show-column-numbers` or `pyright` and trace annotation/import relationships.
+   - Add high-confidence `imports-type` edges to `.engineering-intelligence/graph/dependency-graph.json` for type-only dependencies, with evidence paths.
+
+3. **Run Type Check**
+   - Use the project’s existing command first (`npm run typecheck`, `pnpm typecheck`, `mypy`, `pyright`, `go test`, `cargo check`, etc.).
+   - If no command exists, use the safest detected command and record that it was inferred.
+
+4. **Map Errors**
+   Write a Type Error Map in the active unit build/test summary:
+
+   ```markdown
+   ## Type Error Map
+   | File | Line | Column | Symbol | Error | Proposed Fix | Status |
+   |---|---:|---:|---|---|---|---|
+   ```
+
+5. **Fix Loop**
+   - Fix targeted type errors only.
+   - Rerun the relevant type check.
+   - Continue until clean or a blocker is recorded.
+
+## Output
+
+Write or update `.engineering-intelligence/aidlc/construction/<unit>/build-and-test/type-safety-summary.md`:
+
+```markdown
+# Type Safety Summary: <unit>
+
+## Commands
+- `<command>`: <passed|failed|unavailable>
+
+## Type Dependency Edges
+- `imports-type`: <from> -> <to> (evidence: <path>)
+
+## Type Error Map
+<table>
+
+## Result
+<clean|blocked|not applicable>
+```
+
+## Rules
+
+- Never mark typed code complete while type errors remain unaddressed.
+- If a type checker is unavailable, record `not applicable` with evidence rather than silently skipping.
+- Type-only dependencies must be included in impact analysis for typed languages.
+
+## Quality Gates
+
+- [ ] Type checker command was detected or explicitly unavailable
+- [ ] Type-level dependencies were traced for shared types/interfaces
+- [ ] `imports-type` graph edges were added or confirmed unnecessary
+- [ ] Type Error Map exists for failures
+- [ ] Final type status is clean, blocked with evidence, or not applicable

package/templates/canonical/workflows/engineering-intelligence.md

@@ -14,10 +14,11 @@ Use the `engineering-intelligence-skill` capability for the user's accompanying
 4. **Plan Agile + AI-DLC Work** — Update backlog, acceptance criteria, Definition of Ready, `.engineering-intelligence/aidlc/execution-plan.md`, and `aidlc-state.md`
 5. **Implement** — Make the requested code changes following established patterns
 6. **Test** — Add/update tests proportional to risk; execute and record results
-7. **Validate** — Run available linters, type checks, test suites, scans, and architecture checks as environmental backpressure
-8. **Sync Intelligence** — Incrementally update only affected knowledge, memory, context, event, graph artifacts, and AI-DLC artifacts
-9. **Record Change** — Write `.changes/CHG-XXX-<summary>.md` referencing related reports
-10. **Review Gate** — For high-risk changes, run engineering-change review before completion
+7. **Safety Gates** — Run freshness, type safety, API compatibility, API snapshot replay, migration safety, convention, acceptance-mapping, dependency-risk, env-var, ADR compliance, LLM prompt-injection, and rollback gates when applicable
+8. **Validate** — Run available linters, type checks, test suites, scans, and architecture checks as environmental backpressure
+9. **Sync Intelligence** — Incrementally update only affected knowledge, memory, context, event, graph artifacts, and AI-DLC artifacts
+10. **Record Change** — Write `.changes/CHG-XXX-<summary>.md` referencing related reports and acceptance verification
+11. **Review Gate** — For high-risk changes, run engineering-change review before completion
 
 ## Completion Report
 
@@ -28,5 +29,6 @@ Finish with:
 - Synchronized intelligence artifacts
 - Related reports (IMP-XXX, REV-XXX)
 - Agile artifacts updated (backlog, stories, acceptance criteria, Definition of Done)
+- Safety gates run (freshness, type, API, snapshots, migration, dependency, env, ADR, LLM, acceptance mapping, rollback)
 - Unresolved risks or follow-ups
 - AI-DLC breadcrumb (`AI-DLC: <phase> -> <stage> -> <status>`)

package/templates/canonical/workflows/initialize-engineering-intelligence.md

@@ -30,8 +30,9 @@ Analyzes this repository thoroughly without changing product code. Produces a co
 4. **Generate Memory** — Extract durable decisions and patterns
 5. **Generate Context** — Create concise AI navigation maps
 6. **Build Graphs** — Generate evidence-backed architecture graphs
-7. **Initialize AI-DLC + Agile** — Create `aidlc-state.md`, `audit.md`, `open-questions.md`, `execution-plan.md`, Agile delivery artifacts, and `construction/cross-unit-discoveries.md`
-8. **Record** — Write initialization change record
+7. **Initialize AI-DLC + Agile** — Create `aidlc-state.md`, `audit.md`, `open-questions.md`, `execution-plan.md`, `checkpoints.md`, Agile delivery artifacts, and `construction/cross-unit-discoveries.md`
+8. **Audit Memory** — Run memory pruning audit and initialize `.engineering-intelligence/memory/regression-patterns.md`
+9. **Record** — Write initialization change record
 
 ## Important