universal-dev-standards 5.10.0 → 5.12.1

package/bundled/ai/standards/acceptance-criteria-traceability.ai.yaml

@@ -61,11 +61,17 @@ standard:
 
       - status: not_implemented
         symbol: "🚫"
-        definition: AC has no corresponding implementation (feature code does not exist)
+        definition: AC has no corresponding implementation or test verification (feature code or test body does not exist)
         criteria: |
-          No business logic in src/ corresponds to this AC.
-          Distinct from uncovered: uncovered = code exists but no test; not_implemented = code does not exist.
-          Typical signals: throw NotImplementedException(), empty stub body, FEATURE_STUB: marker.
+          No business logic in src/ corresponds to this AC, OR the only test mapped
+          to this AC is an it.todo() placeholder (test body not implemented).
+          Distinct from uncovered: uncovered = code exists but test was forgotten;
+          not_implemented = explicitly marked as pending implementation.
+          Typical signals:
+            - throw NotImplementedException(), empty stub body, FEATURE_STUB: marker
+            - it.todo("AC-XXX: ...") — test slot reserved but verification not written
+          XSPEC-220: it.todo() tests map to not_implemented, NOT to uncovered.
+          Rationale: it.todo() is a deliberate placeholder, not an oversight.
         decision_tree: |
           Q1: Does the corresponding code exist in src/?
             No → not_implemented

package/bundled/ai/standards/full-coverage-testing.ai.yaml

@@ -75,13 +75,20 @@ standard:
       instruction: |
         FORBIDDEN: Tautology assertions that always pass regardless of behavior.
         These add false coverage without verifying anything.
+        AI SKELETON RULE (XSPEC-220): When generating unimplemented test skeletons,
+        use it.todo("AC-XXX: Given ... When ... Then ..."). Any it() callback whose
+        body contains only tautology assertions is an [ANTI-FAKE-001] violation,
+        regardless of whether the skeleton was generated by a human or an AI agent.
       priority: required
       forbidden_patterns:
         - "expect(true).toBe(true)"
         - "expect(false).toBe(false)"
         - "expect(result).toBeDefined()  // without specific value"
         - "expect(result).not.toBeNull()  // without specific value"
-      required_instead: "expect(result).toBe(<specific expected value>)"
+        - "it('...', () => { expect(true).toBe(true) })  // AI-generated skeleton"
+      required_instead: |
+        Real assertion: expect(result).toBe(<specific expected value>)
+        Unimplemented skeleton: it.todo("AC-XXX: Given ... When ... Then ...")
 
     - id: no-mock-business-logic
       trigger: deciding what to mock

package/bundled/ai/standards/license-compliance.ai.yaml

@@ -1,18 +1,102 @@
 # License Compliance Standards - AI Optimized
-# Source: XSPEC-066 Wave 3 Compliance Pack
+# Sources:
+#   v1.0.0 — XSPEC-066 Wave 3 Compliance Pack (general OSS practices)
+#   v2.0.0 — XSPEC-193 §7.1 (AI-specific rules for AI-Generated Code)
+#   v2.1.0 — XSPEC-193 Phase 2 (ClearlyDefined API + AST PII + EmbeddingProvider + ASPEC-001)
 
 id: license-compliance
-title: License Compliance Standards
-version: "1.0.0"
+title: License Compliance Standards for AI-Generated Code
+version: "2.1.0"
 status: Active
-tags: [compliance, licensing, open-source, legal, supply-chain]
+tags: [compliance, licensing, open-source, legal, supply-chain, ai-generated, eu-ai-act, sbom, pii, clearly-defined, ast-pii, embedding]
+created: 2026-04-30
+updated: 2026-05-16
+
+agent_ref: ASPEC-001   # License Compliance Agent spec (XSPEC-205 format)
+
+references:
+  - XSPEC-066   # v1.0.0 baseline - Wave 3 Compliance Pack
+  - XSPEC-193   # v2.0.0 + v2.1.0 AI-specific rules - VibeOps License Compliance Agent
+  - DEC-041     # EU AI Act compliance
+  - DEC-062     # Harness Engineering 2026 adoption
+  - DEC-063     # VibeOps legal & compliance strategy
+  - DEC-064     # Customer IP isolation (cache salt)
+  - XSPEC-189   # Telemetry Schema v2 (event types referenced below)
+  - ASPEC-001   # License Compliance Agent SPEC (XSPEC-205 §REQ-2 format)
+
 summary: |
-  Defines how teams identify, track, and manage open-source and third-party
-  software licenses throughout the software development lifecycle. Covers
-  license classification (permissive vs. copyleft), prohibited licenses,
-  SBOM generation, license scanning in CI/CD, and remediation processes
-  for license violations. Designed to prevent legal exposure from
-  incompatible license combinations and ensure supply-chain transparency.
+  Comprehensive license compliance for AI-augmented development.
+
+  Tier 1 (REQ-001~006) — General OSS practices: license classification,
+  CI scanning, SBOM generation, attribution, violation remediation, and
+  technology adoption review. Applies to every project regardless of AI use.
+
+  Tier 2 (LC-001~009) — AI-specific rules: SPDX-first, independent evaluator,
+  evidence-based decisions, blocklist/allowlist/greylist enforcement, SBOM
+  required on every PR, PII pattern detection, copyright similarity check,
+  EU AI Act Article 50 transparency markers, and customer policy sovereignty.
+
+  Tier 2 is binding on AI Agents that produce code (VibeOps Generator Agent
+  and equivalents). Designed to prevent legal exposure from incompatible
+  license combinations, ensure supply-chain transparency, and satisfy
+  EU AI Act Article 50 obligations.
+
+  v2.1.0 enhancements (XSPEC-193 Phase 2, 2026-05-16):
+  - LC-001 now backed by ClearlyDefined API (confidence ≥ 0.95 when CD available)
+  - LC-007 PII detection upgraded with tree-sitter AST semantic context
+  - LC-006 copyright similarity upgraded with EmbeddingProvider strategy
+    (onnx-minilm / ollama-bge-m3 / jaccard fallback)
+
+scope:
+  applies_to:
+    - AI-generated code (Generator Agent output)
+    - Dependency manifests (package.json / requirements.txt / go.mod / Cargo.toml / etc.)
+    - Open-source code snippet references and copy-paste
+  excludes:
+    - Internal-only tooling scripts with no external distribution (SBOM still recommended)
+    - Fully hand-written, non-AI-generated code (SBOM still recommended)
+
+principles:
+  - id: P-1
+    name: SPDX First
+    description: |
+      All license identifiers MUST use SPDX standard IDs (https://spdx.org/licenses/).
+      Vague descriptions like "MIT-like" or "BSD-style" are prohibited. If no
+      SPDX match can be found, the Agent MUST escalate to a human rather than
+      guess.
+
+  - id: P-2
+    name: Independent Evaluator
+    description: |
+      The License Compliance Agent MUST use a model class different from the
+      code Generator Agent. This avoids Generator/Evaluator error correlation
+      and preserves review independence (DEC-062 H6).
+
+  - id: P-3
+    name: Evidence-Based Decision
+    description: |
+      Every block or review-required decision MUST carry traceable evidence:
+      SPDX ID lookup source, similarity score, comparison repo URL, etc.
+      Verdicts without evidence are prohibited.
+
+  - id: P-4
+    name: Transparency by Default
+    description: |
+      AI-generated output MUST carry a transparency marker per EU AI Act
+      Article 50. Marker removal requires explicit human action; an AI Agent
+      MAY NOT decide to remove markers autonomously.
+
+  - id: P-5
+    name: Customer Sovereignty
+    description: |
+      Customers MAY customize license policy within their accepted liability
+      scope, but MAY NOT bypass platform-floor limits set in the VibeOps
+      EULA §9. Overrides MUST be telemetered with justification.
+
+# ─────────────────────────────────────────────────────────────
+# Tier 1 — General OSS Compliance Practices (v1.0.0 baseline)
+# Applies to every project regardless of AI use.
+# ─────────────────────────────────────────────────────────────
 
 requirements:
   - id: REQ-001
@@ -104,3 +188,288 @@ requirements:
       - "ADR-042 notes: 'Library X uses Apache 2.0 — approved tier, no legal review needed'"
       - "ADR-043 notes: 'Library Y uses LGPL-3.0 — review-required, legal approved 2026-03-10'"
       - "Technology radar entry includes license classification for each evaluated tool"
+
+# ─────────────────────────────────────────────────────────────
+# Tier 2 — AI-Specific Rules (v2.0.0, XSPEC-193 §7.1)
+# Binding on AI Agents that produce code.
+# ─────────────────────────────────────────────────────────────
+
+rules:
+  - id: LC-001
+    name: SPDX ID Lookup Required
+    severity: blocking
+    description: |
+      Every dependency license MUST be resolved to a SPDX standard ID
+      before any list comparison.
+
+      v2.1.0: Primary source is ClearlyDefined API (confidence ≥ 0.95 for
+      well-known packages). Falls back to SPDX database (confidence ≤ 0.8)
+      or package metadata heuristics. Requests are token-bucket-rate-limited
+      (10 req/s, burst 20) and cached with 24h TTL + DEC-064 client_salt
+      isolation. offline=true bypasses external calls entirely.
+    checks:
+      - "license_lookup() result must have non-null spdx_id"
+      - "If confidence < 0.7, escalate_to_human"
+      - "Free-text license fields from package metadata MUST NOT be used directly"
+      - "ClearlyDefined API: GET /definitions/{type}/{provider}/{namespace}/{name}/{revision}"
+      - "On 5xx: exponential backoff × 3 (200ms/1s/3s); on 429: batch fallback immediately"
+      - "Cache key = sha256(client_salt + ':' + purl) — DEC-064 isolation guaranteed"
+
+  - id: LC-002
+    name: Blocklist Auto-Block
+    severity: blocking
+    description: |
+      SPDX IDs on the Blocklist MUST trigger block_pr automatically. No
+      exception channel inside the platform (customer override layer may
+      remove items, but the override is logged via telemetry).
+    blocklist:
+      # Strong-copyleft (viral)
+      - GPL-2.0
+      - GPL-2.0-only
+      - GPL-2.0-or-later
+      - GPL-3.0
+      - GPL-3.0-only
+      - GPL-3.0-or-later
+      - AGPL-1.0
+      - AGPL-3.0
+      - AGPL-3.0-only
+      - AGPL-3.0-or-later
+      # Source-Available (non-OSS, commercially restrictive)
+      - SSPL-1.0
+      - Commons-Clause              # Not a formal SPDX ID; treated as non-OSS
+      - BUSL-1.1
+      - BUSL-1.0
+      - Confluent-Community-License
+      - Elastic-License-2.0
+    checks:
+      - "license_blocklist_check() returns decision='block' → call block_pr() immediately"
+      - "block_pr() reason field is mandatory in form: '{pkg}@{version} uses {spdx_id}'"
+
+  - id: LC-003
+    name: Allowlist Auto-Approve
+    severity: informational
+    description: |
+      SPDX IDs on the Allowlist MUST be auto-approved, recorded in SBOM
+      without triggering review.
+    allowlist:
+      - MIT
+      - MIT-0
+      - BSD-2-Clause
+      - BSD-3-Clause
+      - BSD-3-Clause-Clear
+      - Apache-2.0
+      - ISC
+      - 0BSD
+      - CC0-1.0
+      - Unlicense
+      - Zlib
+      - WTFPL
+      - CC-BY-4.0          # Documentation only
+      - CC-BY-SA-4.0       # Documentation only
+      - Python-2.0         # PSF-specific
+
+  - id: LC-004
+    name: Greylist Human Review
+    severity: review_required
+    description: |
+      SPDX IDs on the Greylist enter the review queue. A human judges
+      whether the static/dynamic-linking model triggers copyleft contagion.
+    greylist:
+      - LGPL-2.1
+      - LGPL-2.1-only
+      - LGPL-2.1-or-later
+      - LGPL-3.0
+      - LGPL-3.0-only
+      - LGPL-3.0-or-later
+      - MPL-2.0
+      - EPL-1.0
+      - EPL-2.0
+      - CDDL-1.0
+      - CDDL-1.1
+      - GPL-Classpath-exception-2.0  # OpenJDK
+    review_guidance:
+      - "Determine static-link vs dynamic-link"
+      - "Determine whether the package is on the production path or only a dev/test dependency"
+      - "LGPL dynamic-link is generally safe; static-link requires legal sign-off"
+
+  - id: LC-005
+    name: SBOM Mandatory Generation
+    severity: blocking
+    description: |
+      Every dependency-list change or PR merge MUST regenerate the SBOM in
+      CycloneDX 1.5 or SPDX 2.3 format. SHA-256 hash of the SBOM file MUST
+      be recorded.
+    checks:
+      - "SBOM file passes the corresponding schema validation (CycloneDX XML/JSON schema)"
+      - "Every component in the SBOM has an SPDX license expression"
+      - "SBOM path: `{project_root}/sbom.cdx.json` (or `.spdx.json`)"
+
+  - id: LC-006
+    name: Copyright Similarity Threshold
+    severity: blocking
+    description: |
+      AI-generated code with embedding similarity ≥ 0.85 to a known
+      open-source repo MUST be inspected. If the source repo is on the
+      blocklist (GPL/AGPL), the PR MUST be blocked.
+
+      v2.1.0: EmbeddingProvider strategy (XSPEC-193 Phase 2):
+        - provider='onnx-minilm': local ONNX inference (all-MiniLM-L6-v2)
+        - provider='ollama-bge-m3': Ollama local API (bge-m3, localhost:11434)
+        - provider='jaccard' (default): Jaccard token similarity (Phase 1)
+      Known snippet index is per-customer (DEC-064 client_salt isolated).
+      External search is opt-in (enableExternalSearch=false by default).
+    checks:
+      - "overall_similarity >= 0.85 AND source_license in blocklist → block_pr"
+      - "overall_similarity >= 0.70 AND source_license in greylist → review"
+      - "overall_similarity >= 0.85 AND source_license in allowlist → record info event, do not block"
+      - "ONNX/Ollama unavailable → graceful fallback to Jaccard (no exception)"
+      - "snippet index build: buildSnippetIndex(snippets, provider) per-customer"
+    evidence_required:
+      - "source_repo URL"
+      - "source_license SPDX ID"
+      - "similarity score (4 decimal places)"
+      - "matched_section (first 5 lines of the snippet)"
+      - "embedding_provider used (for audit trail)"
+
+  - id: LC-007
+    name: PII Pattern Detection
+    severity: review_required
+    description: |
+      When AI-generated code contains a personal-data handling pattern,
+      issue a warning with a remediation hint. severity="critical" patterns
+      MUST escalate to human review.
+
+      v2.1.0: AST-enhanced detection via tree-sitter (XSPEC-193 Phase 2):
+        - Language support: TypeScript, JavaScript, Python
+        - AST context classification:
+            hardcoded_value → severity upgraded to critical
+            comment         → severity downgraded to info
+            schema_field    → ast_context='schema_field'
+        - Pragma support: // pii:ignore on same line suppresses finding
+        - tree-sitter unavailable → graceful fallback to regex (no exception)
+        - LLM assist: stub (enableLLMAssist=false default, Phase 3 integration)
+        - PIIPattern.confidence and PIIPattern.ast_context are new optional fields
+    pii_types:
+      critical:
+        - ssn               # Social security number
+        - credit_card       # Credit-card number
+        - biometric         # Biometric identifiers
+        - health_record     # Health records (HIPAA / Taiwan PDPA §6 special category)
+      warning:
+        - email
+        - phone
+        - id_number         # National ID
+        - date_of_birth
+        - address
+    detection_strategy:
+      - "regex: field-name patterns (email, phone_number, ssn, credit_card_number, ...)"
+      - "ast: tree-sitter semantic context (hardcoded_value / comment / schema_field)"
+      - "llm_assist: ambiguous contexts (confidence threshold 0.8, Phase 3)"
+
+  - id: LC-008
+    name: EU AI Act Transparency Marker
+    severity: blocking
+    description: |
+      Every AI-generated source file MUST carry a transparency marker at
+      output time, per EU AI Act Article 50 (Limited-Risk transparency
+      obligation).
+    marker_format:
+      source_code: |
+        // AI-generated: VibeOps v{version} on {date}
+        // AI Generation Disclosure: Per EU AI Act Article 50.
+        // Modifications by humans should remove this notice.
+      markdown: |
+        ---
+        > AI Generation Disclosure: This content was AI-generated by VibeOps
+        > v{version} on {date}. Per EU AI Act Article 50.
+      json_yaml: |
+        _ai_generated: "VibeOps v{version} on {date} — EU AI Act Article 50"
+    checks:
+      - "Marker MUST be in the file header (source code) or metadata block (JSON/YAML)"
+      - "Marker removal requires the transparency_marker tool's explicit remove operation plus human confirmation"
+      - "When eu_ai_act_classifier() returns high_risk, additionally include a human_oversight statement"
+
+  - id: LC-009
+    name: Customer Policy Ceiling
+    severity: informational
+    description: |
+      Customers MAY adjust lists via ~/.vibeops/license-policy.yaml, but
+      adjustments MUST be telemetered (human_override_block event) and MUST
+      NOT modify the EULA §9 liability-allocation clause at the platform
+      layer.
+    checks:
+      - "If allowlist_add contains blocklist members, record a warning telemetry"
+      - "greylist_review: 'auto-allow' requires an extra telemetry tag customer_risk_accepted=true"
+      - "If the customer config schema validation fails, fall back to platform default policy"
+
+# ─────────────────────────────────────────────────────────────
+# Tool integration (XSPEC-193 §2, §3)
+# ─────────────────────────────────────────────────────────────
+
+tooling_integration:
+  description: |
+    Maps to the 10 tools defined in XSPEC-193 §2. Tool call order is fixed
+    to keep prompts cache-friendly under the DEC-064 cache-salt strategy.
+  tool_sequence:
+    1: dependency_reader            # Read dependency manifest
+    2: license_lookup               # SPDX lookup
+    3: license_blocklist_check      # Tier check
+    4: sbom_generator               # SBOM generation (LC-005)
+    5: pii_pattern_detector         # PII detection (LC-007)
+    6: copyright_similarity_check   # Copyright similarity (LC-006)
+    7: eu_ai_act_classifier         # EU AI Act risk classification
+    8: transparency_marker          # Transparency marker (LC-008)
+    9: block_pr                     # Sole flow-interrupting authority
+    10: suggest_alternative         # Alternative package suggestion (XSPEC-193 §4.5)
+    11: escalate_to_human           # Fallback when automation cannot decide
+
+# ─────────────────────────────────────────────────────────────
+# Telemetry (DEC-066 / XSPEC-189 v2 envelope)
+# ─────────────────────────────────────────────────────────────
+
+telemetry:
+  required_events:
+    - license_compliance_result    # Final result of each review
+    - block_pr                     # Block event detail
+    - license_lookup_failure       # SPDX lookup failure (drives alternative-table updates)
+    - copyright_similarity_high    # High-similarity warning
+    - eu_ai_act_classification     # Classification distribution
+    - human_override_block         # Human override of a block (requires reason)
+  envelope_reference: XSPEC-189    # Telemetry Schema v2 envelope
+  event_type: quality
+  event_subtype_examples:
+    - license_compliance_result    # LC rule outcomes
+    - gate_pass / gate_fail        # When License Compliance acts as a gate
+
+# ─────────────────────────────────────────────────────────────
+# Adoption guidance
+# ─────────────────────────────────────────────────────────────
+
+adoption_guidance:
+  uds_install_path: ai/standards/license-compliance.ai.yaml
+  vibeops_config_path: src/agents/license-compliance/rules.yaml
+  customer_config_path: ~/.vibeops/license-policy.yaml
+  notes:
+    - "v2.1.0 adds ClearlyDefined API integration, AST PII analysis, and EmbeddingProvider strategy. Requires VibeOps ≥ v1.6.0 (commit c44a4bf)."
+    - "v2.0.0 Tier 2 rules are Active for AI-augmented projects. Legal sign-off on the blocklist remains pending; treat the blocklist as authoritative-pending-review."
+    - "LGPL greylist decisions should consult legal counsel."
+    - "Alternative-package table (XSPEC-193 §4.5) is updated quarterly, driven by license_lookup_failure telemetry."
+    - "When this standard is consumed by VibeOps, the License Compliance Agent enforces every LC rule listed above. Other adopters MAY choose to enforce LC rules via CI alone (Tier 1 REQ-002 path)."
+
+# ─────────────────────────────────────────────────────────────
+# Compatibility note
+# ─────────────────────────────────────────────────────────────
+
+compatibility:
+  v1_to_v2: |
+    v1.0.0 REQ-001~006 are unchanged and remain authoritative for general
+    OSS practice. v2.0.0 adds Tier 2 LC-001~009 as a strict superset for
+    AI-augmented projects. A project that adopted v1.0.0 remains compliant;
+    AI-augmented projects MUST additionally enforce Tier 2.
+  v2_to_v2_1: |
+    v2.1.0 is a backward-compatible superset of v2.0.0. New features
+    (ClearlyDefined API, AST PII, EmbeddingProvider) are opt-in via
+    ComplianceAgentConfig. All existing LC-001~009 rules are unchanged.
+    PIIPattern gains optional fields (confidence, ast_context); existing
+    code that reads PIIPattern is unaffected.
+    Minimum runtime: Node.js 22 + VibeOps v1.6.0.

package/bundled/ai/standards/test-governance.ai.yaml

@@ -158,3 +158,22 @@ standard:
       evidence: >
         BUG-A08 post-mortem (2026-04-20): 22 tests existed in UDS but were never
         executed by any CI gate, passing silently and masking real failures.
+
+    - id: gate-wiring-required
+      trigger: adding any quality detection script to the repository
+      instruction: |
+        Quality detection scripts (anti-fake check, stub check, coverage ratchet,
+        tautology scanner) MUST appear in at least one CI workflow job AND at least
+        one local hook (pre-commit or pre-push). A script that exists in scripts/
+        but is never called by CI is equivalent to not existing and constitutes a
+        governance gap. Apply the same execution-continuity principle to detection
+        scripts as to test cases: existence ≠ execution.
+        Checklist when adding a detection script:
+          [ ] Script is called in .github/workflows/*.yml (at least one job)
+          [ ] Script is called in .husky/pre-commit or .husky/pre-push
+          [ ] CI step name references the XSPEC or standard that mandates it
+      priority: required
+      evidence: >
+        XSPEC-220 post-mortem (2026-05-19): check-anti-fake-tests.sh existed in
+        vibeops/scripts/ for months but was not called by pre-commit, allowing
+        tautology assertions to be committed undetected.

package/bundled/core/adversarial-test.md

@@ -210,3 +210,6 @@ Layer 4: 稽核日誌（hash chain）  — 確保不可篡改
 - ISO/IEC 42001:2023 — AI 管理系統
 - [UDS `secure-op.ai.yaml`](./secure-op.md) — AI Agent 安全操作六大支柱
 - [UDS `llm-output-validation.ai.yaml`](./llm-output-validation.md) — LLM 輸出驗證標準
+
+
+**Scope**: universal

package/bundled/core/behavior-snapshot.md

@@ -3,7 +3,7 @@
 > **Language**: English | 繁體中文
 
 **Applicability**: Migration and refactoring projects requiring behavioral parity verification
-**Scope**: universal (HTTP-based systems)
+**Scope**: universal
 
 ---
 

package/bundled/core/capability-declaration.md

@@ -57,3 +57,6 @@ const FAIL_CLOSED_DEFAULTS: CapabilityDeclaration = {
 - AI-optimized: [ai/standards/capability-declaration.ai.yaml](../ai/standards/capability-declaration.ai.yaml)
 - XSPEC-037: Cross-project specification
 - Borrowed from: [claude-code-book](https://github.com/lintsinghua/claude-code-book) Ch.3 `buildTool` Fail-Closed factory
+
+
+**Scope**: universal

package/bundled/core/cd-deployment-strategies.md

@@ -119,3 +119,6 @@ Q4: 基礎設施預算有限？
 - [rollback-standards.md](rollback-standards.md) — 回滾觸發條件矩陣
 - [no-cicd-deployment.md](no-cicd-deployment.md) — 無 CI/CD 部署策略
 - AI 格式：[../ai/standards/cd-deployment-strategies.ai.yaml](../ai/standards/cd-deployment-strategies.ai.yaml)
+
+
+**Scope**: universal

package/bundled/core/chaos-injection-tests.md

@@ -114,3 +114,6 @@ it('pipeline continues when one agent throws', async () => {
 - `testing.ai.yaml` — general test structure
 - `secure-op.ai.yaml` — Fail-Closed principle for AI agents
 - `security-standards.ai.yaml` — security invariants
+
+
+**Scope**: universal

package/bundled/core/circuit-breaker.md

@@ -56,3 +56,6 @@ interface CircuitBreaker {
 - AI-optimized: [ai/standards/circuit-breaker.ai.yaml](../ai/standards/circuit-breaker.ai.yaml)
 - XSPEC-036: Cross-project specification
 - Borrowed from: [claude-code-book](https://github.com/lintsinghua/claude-code-book) Ch.2 `MAX_CONSECUTIVE_AUTOCOMPACT_FAILURES`
+
+
+**Scope**: universal

package/bundled/core/container-security.md

@@ -519,3 +519,6 @@ lsattr /var/log/ai-agent/audit    # 驗證 a 屬性
 □ Audit log volume：append-only partition（非 emptyDir）
 □ Lockfile 固定（npm ci / pip --require-hashes / go mod verify）
 ```
+
+
+**Scope**: universal

package/bundled/core/cost-budget-test.md

@@ -67,3 +67,6 @@ describe("PipelineBudgetConfig semantics", () => {
 - [Mutation Testing Standards](mutation-testing.md) — constants without test coverage survive mutations
 - [Testing Standards](testing.md) — overall test pyramid
 - [LLM Output Validation](llm-output-validation.md) — output-layer budget constraints
+
+
+**Scope**: universal

package/bundled/core/data-migration-testing.md

@@ -108,3 +108,6 @@ Use `testcontainers` to spin up a fresh PostgreSQL container per test suite. The
 - `database-standards.ai.yaml` — schema design principles
 - `testing.ai.yaml` — general test structure and pyramid
 - `verification-evidence.ai.yaml` — audit evidence requirements
+
+
+**Scope**: universal

package/bundled/core/disaster-recovery-drill.md

@@ -71,3 +71,6 @@ See `docs/DR-RUNBOOK.md` for the full runbook template.
 - [Deployment Standards](deployment-standards.md) — deployment pipeline
 - [Chaos Engineering Standards](chaos-engineering-standards.md) — failure injection
 - [Verification Evidence Standards](verification-evidence.md) — drill records
+
+
+**Scope**: universal

package/bundled/core/dual-phase-output.md

@@ -54,3 +54,6 @@ Applications may add fields inside `<summary>` but must not remove core fields:
 - AI-optimized: [ai/standards/dual-phase-output.ai.yaml](../ai/standards/dual-phase-output.ai.yaml)
 - XSPEC-035: Cross-project specification
 - Borrowed from: [claude-code-book](https://github.com/lintsinghua/claude-code-book) Ch.7 `formatCompactSummary`
+
+
+**Scope**: universal

package/bundled/core/failure-source-taxonomy.md

@@ -70,3 +70,6 @@ interface FailureDetail {
 - XSPEC-045: Cross-project specification
 - Depends on: Recovery Recipe Registry (XSPEC-046)
 - Borrowed from: [ultraworkers/claw-code](https://github.com/ultraworkers/claw-code) ROADMAP Phase 2 Failure Taxonomy
+
+
+**Scope**: universal

package/bundled/core/feature-manifest-standard.md

@@ -3,7 +3,7 @@
 > **Language**: English | 繁體中文
 
 **Applicability**: Migration and refactoring projects where an existing system is being ported or restructured
-**Scope**: universal (language-agnostic manifest format)
+**Scope**: universal
 
 ---
 

package/bundled/core/flaky-test-management.md

@@ -71,3 +71,6 @@ export default defineConfig({
 
 - [Testing Standards](testing.md) — overall test pyramid
 - [Test Governance Standards](test-governance.md) — CI policies
+
+
+**Scope**: universal

package/bundled/core/full-coverage-testing.md

@@ -181,3 +181,6 @@ The ratchet starts at your current coverage. From that point on, it can only inc
 - `integration-testing.ai.yaml` — Integration test patterns
 - `deployment-standards.ai.yaml` — Deploy gate requirements
 - XSPEC-178 — Full specification and implementation phases
+
+
+**Scope**: universal

package/bundled/core/health-check-standards.md

@@ -70,3 +70,6 @@
 - DEC-043: UDS 覆蓋完整性路線圖（驅動來源）
 - Related: `deployment-standards`, `circuit-breaker`, observability-standards (XSPEC-063 規劃中)
 - Industry: Kubernetes probes, Microsoft eShop health checks, Google SRE Book Ch.6
+
+
+**Scope**: universal

package/bundled/core/immutability-first.md

@@ -103,3 +103,6 @@ interface PipelineMemoryEntry {
 
 - AI-optimized: [ai/standards/immutability-first.ai.yaml](../ai/standards/immutability-first.ai.yaml)
 - XSPEC-044: Cross-project specification
+
+
+**Scope**: universal