universal-dev-standards 5.11.0 → 5.12.1

package/bundled/ai/standards/acceptance-criteria-traceability.ai.yaml

@@ -61,11 +61,17 @@ standard:
 
       - status: not_implemented
         symbol: "🚫"
-        definition: AC has no corresponding implementation (feature code does not exist)
+        definition: AC has no corresponding implementation or test verification (feature code or test body does not exist)
         criteria: |
-          No business logic in src/ corresponds to this AC.
-          Distinct from uncovered: uncovered = code exists but no test; not_implemented = code does not exist.
-          Typical signals: throw NotImplementedException(), empty stub body, FEATURE_STUB: marker.
+          No business logic in src/ corresponds to this AC, OR the only test mapped
+          to this AC is an it.todo() placeholder (test body not implemented).
+          Distinct from uncovered: uncovered = code exists but test was forgotten;
+          not_implemented = explicitly marked as pending implementation.
+          Typical signals:
+            - throw NotImplementedException(), empty stub body, FEATURE_STUB: marker
+            - it.todo("AC-XXX: ...") — test slot reserved but verification not written
+          XSPEC-220: it.todo() tests map to not_implemented, NOT to uncovered.
+          Rationale: it.todo() is a deliberate placeholder, not an oversight.
         decision_tree: |
           Q1: Does the corresponding code exist in src/?
             No → not_implemented

package/bundled/ai/standards/full-coverage-testing.ai.yaml

@@ -75,13 +75,20 @@ standard:
       instruction: |
         FORBIDDEN: Tautology assertions that always pass regardless of behavior.
         These add false coverage without verifying anything.
+        AI SKELETON RULE (XSPEC-220): When generating unimplemented test skeletons,
+        use it.todo("AC-XXX: Given ... When ... Then ..."). Any it() callback whose
+        body contains only tautology assertions is an [ANTI-FAKE-001] violation,
+        regardless of whether the skeleton was generated by a human or an AI agent.
       priority: required
       forbidden_patterns:
         - "expect(true).toBe(true)"
         - "expect(false).toBe(false)"
         - "expect(result).toBeDefined()  // without specific value"
         - "expect(result).not.toBeNull()  // without specific value"
-      required_instead: "expect(result).toBe(<specific expected value>)"
+        - "it('...', () => { expect(true).toBe(true) })  // AI-generated skeleton"
+      required_instead: |
+        Real assertion: expect(result).toBe(<specific expected value>)
+        Unimplemented skeleton: it.todo("AC-XXX: Given ... When ... Then ...")
 
     - id: no-mock-business-logic
       trigger: deciding what to mock

package/bundled/ai/standards/license-compliance.ai.yaml

@@ -1,18 +1,102 @@
 # License Compliance Standards - AI Optimized
-# Source: XSPEC-066 Wave 3 Compliance Pack
+# Sources:
+#   v1.0.0 — XSPEC-066 Wave 3 Compliance Pack (general OSS practices)
+#   v2.0.0 — XSPEC-193 §7.1 (AI-specific rules for AI-Generated Code)
+#   v2.1.0 — XSPEC-193 Phase 2 (ClearlyDefined API + AST PII + EmbeddingProvider + ASPEC-001)
 
 id: license-compliance
-title: License Compliance Standards
-version: "1.0.0"
+title: License Compliance Standards for AI-Generated Code
+version: "2.1.0"
 status: Active
-tags: [compliance, licensing, open-source, legal, supply-chain]
+tags: [compliance, licensing, open-source, legal, supply-chain, ai-generated, eu-ai-act, sbom, pii, clearly-defined, ast-pii, embedding]
+created: 2026-04-30
+updated: 2026-05-16
+
+agent_ref: ASPEC-001   # License Compliance Agent spec (XSPEC-205 format)
+
+references:
+  - XSPEC-066   # v1.0.0 baseline - Wave 3 Compliance Pack
+  - XSPEC-193   # v2.0.0 + v2.1.0 AI-specific rules - VibeOps License Compliance Agent
+  - DEC-041     # EU AI Act compliance
+  - DEC-062     # Harness Engineering 2026 adoption
+  - DEC-063     # VibeOps legal & compliance strategy
+  - DEC-064     # Customer IP isolation (cache salt)
+  - XSPEC-189   # Telemetry Schema v2 (event types referenced below)
+  - ASPEC-001   # License Compliance Agent SPEC (XSPEC-205 §REQ-2 format)
+
 summary: |
-  Defines how teams identify, track, and manage open-source and third-party
-  software licenses throughout the software development lifecycle. Covers
-  license classification (permissive vs. copyleft), prohibited licenses,
-  SBOM generation, license scanning in CI/CD, and remediation processes
-  for license violations. Designed to prevent legal exposure from
-  incompatible license combinations and ensure supply-chain transparency.
+  Comprehensive license compliance for AI-augmented development.
+
+  Tier 1 (REQ-001~006) — General OSS practices: license classification,
+  CI scanning, SBOM generation, attribution, violation remediation, and
+  technology adoption review. Applies to every project regardless of AI use.
+
+  Tier 2 (LC-001~009) — AI-specific rules: SPDX-first, independent evaluator,
+  evidence-based decisions, blocklist/allowlist/greylist enforcement, SBOM
+  required on every PR, PII pattern detection, copyright similarity check,
+  EU AI Act Article 50 transparency markers, and customer policy sovereignty.
+
+  Tier 2 is binding on AI Agents that produce code (VibeOps Generator Agent
+  and equivalents). Designed to prevent legal exposure from incompatible
+  license combinations, ensure supply-chain transparency, and satisfy
+  EU AI Act Article 50 obligations.
+
+  v2.1.0 enhancements (XSPEC-193 Phase 2, 2026-05-16):
+  - LC-001 now backed by ClearlyDefined API (confidence ≥ 0.95 when CD available)
+  - LC-007 PII detection upgraded with tree-sitter AST semantic context
+  - LC-006 copyright similarity upgraded with EmbeddingProvider strategy
+    (onnx-minilm / ollama-bge-m3 / jaccard fallback)
+
+scope:
+  applies_to:
+    - AI-generated code (Generator Agent output)
+    - Dependency manifests (package.json / requirements.txt / go.mod / Cargo.toml / etc.)
+    - Open-source code snippet references and copy-paste
+  excludes:
+    - Internal-only tooling scripts with no external distribution (SBOM still recommended)
+    - Fully hand-written, non-AI-generated code (SBOM still recommended)
+
+principles:
+  - id: P-1
+    name: SPDX First
+    description: |
+      All license identifiers MUST use SPDX standard IDs (https://spdx.org/licenses/).
+      Vague descriptions like "MIT-like" or "BSD-style" are prohibited. If no
+      SPDX match can be found, the Agent MUST escalate to a human rather than
+      guess.
+
+  - id: P-2
+    name: Independent Evaluator
+    description: |
+      The License Compliance Agent MUST use a model class different from the
+      code Generator Agent. This avoids Generator/Evaluator error correlation
+      and preserves review independence (DEC-062 H6).
+
+  - id: P-3
+    name: Evidence-Based Decision
+    description: |
+      Every block or review-required decision MUST carry traceable evidence:
+      SPDX ID lookup source, similarity score, comparison repo URL, etc.
+      Verdicts without evidence are prohibited.
+
+  - id: P-4
+    name: Transparency by Default
+    description: |
+      AI-generated output MUST carry a transparency marker per EU AI Act
+      Article 50. Marker removal requires explicit human action; an AI Agent
+      MAY NOT decide to remove markers autonomously.
+
+  - id: P-5
+    name: Customer Sovereignty
+    description: |
+      Customers MAY customize license policy within their accepted liability
+      scope, but MAY NOT bypass platform-floor limits set in the VibeOps
+      EULA §9. Overrides MUST be telemetered with justification.
+
+# ─────────────────────────────────────────────────────────────
+# Tier 1 — General OSS Compliance Practices (v1.0.0 baseline)
+# Applies to every project regardless of AI use.
+# ─────────────────────────────────────────────────────────────
 
 requirements:
   - id: REQ-001
@@ -104,3 +188,288 @@ requirements:
       - "ADR-042 notes: 'Library X uses Apache 2.0 — approved tier, no legal review needed'"
       - "ADR-043 notes: 'Library Y uses LGPL-3.0 — review-required, legal approved 2026-03-10'"
       - "Technology radar entry includes license classification for each evaluated tool"
+
+# ─────────────────────────────────────────────────────────────
+# Tier 2 — AI-Specific Rules (v2.0.0, XSPEC-193 §7.1)
+# Binding on AI Agents that produce code.
+# ─────────────────────────────────────────────────────────────
+
+rules:
+  - id: LC-001
+    name: SPDX ID Lookup Required
+    severity: blocking
+    description: |
+      Every dependency license MUST be resolved to a SPDX standard ID
+      before any list comparison.
+
+      v2.1.0: Primary source is ClearlyDefined API (confidence ≥ 0.95 for
+      well-known packages). Falls back to SPDX database (confidence ≤ 0.8)
+      or package metadata heuristics. Requests are token-bucket-rate-limited
+      (10 req/s, burst 20) and cached with 24h TTL + DEC-064 client_salt
+      isolation. offline=true bypasses external calls entirely.
+    checks:
+      - "license_lookup() result must have non-null spdx_id"
+      - "If confidence < 0.7, escalate_to_human"
+      - "Free-text license fields from package metadata MUST NOT be used directly"
+      - "ClearlyDefined API: GET /definitions/{type}/{provider}/{namespace}/{name}/{revision}"
+      - "On 5xx: exponential backoff × 3 (200ms/1s/3s); on 429: batch fallback immediately"
+      - "Cache key = sha256(client_salt + ':' + purl) — DEC-064 isolation guaranteed"
+
+  - id: LC-002
+    name: Blocklist Auto-Block
+    severity: blocking
+    description: |
+      SPDX IDs on the Blocklist MUST trigger block_pr automatically. No
+      exception channel inside the platform (customer override layer may
+      remove items, but the override is logged via telemetry).
+    blocklist:
+      # Strong-copyleft (viral)
+      - GPL-2.0
+      - GPL-2.0-only
+      - GPL-2.0-or-later
+      - GPL-3.0
+      - GPL-3.0-only
+      - GPL-3.0-or-later
+      - AGPL-1.0
+      - AGPL-3.0
+      - AGPL-3.0-only
+      - AGPL-3.0-or-later
+      # Source-Available (non-OSS, commercially restrictive)
+      - SSPL-1.0
+      - Commons-Clause              # Not a formal SPDX ID; treated as non-OSS
+      - BUSL-1.1
+      - BUSL-1.0
+      - Confluent-Community-License
+      - Elastic-License-2.0
+    checks:
+      - "license_blocklist_check() returns decision='block' → call block_pr() immediately"
+      - "block_pr() reason field is mandatory in form: '{pkg}@{version} uses {spdx_id}'"
+
+  - id: LC-003
+    name: Allowlist Auto-Approve
+    severity: informational
+    description: |
+      SPDX IDs on the Allowlist MUST be auto-approved, recorded in SBOM
+      without triggering review.
+    allowlist:
+      - MIT
+      - MIT-0
+      - BSD-2-Clause
+      - BSD-3-Clause
+      - BSD-3-Clause-Clear
+      - Apache-2.0
+      - ISC
+      - 0BSD
+      - CC0-1.0
+      - Unlicense
+      - Zlib
+      - WTFPL
+      - CC-BY-4.0          # Documentation only
+      - CC-BY-SA-4.0       # Documentation only
+      - Python-2.0         # PSF-specific
+
+  - id: LC-004
+    name: Greylist Human Review
+    severity: review_required
+    description: |
+      SPDX IDs on the Greylist enter the review queue. A human judges
+      whether the static/dynamic-linking model triggers copyleft contagion.
+    greylist:
+      - LGPL-2.1
+      - LGPL-2.1-only
+      - LGPL-2.1-or-later
+      - LGPL-3.0
+      - LGPL-3.0-only
+      - LGPL-3.0-or-later
+      - MPL-2.0
+      - EPL-1.0
+      - EPL-2.0
+      - CDDL-1.0
+      - CDDL-1.1
+      - GPL-Classpath-exception-2.0  # OpenJDK
+    review_guidance:
+      - "Determine static-link vs dynamic-link"
+      - "Determine whether the package is on the production path or only a dev/test dependency"
+      - "LGPL dynamic-link is generally safe; static-link requires legal sign-off"
+
+  - id: LC-005
+    name: SBOM Mandatory Generation
+    severity: blocking
+    description: |
+      Every dependency-list change or PR merge MUST regenerate the SBOM in
+      CycloneDX 1.5 or SPDX 2.3 format. SHA-256 hash of the SBOM file MUST
+      be recorded.
+    checks:
+      - "SBOM file passes the corresponding schema validation (CycloneDX XML/JSON schema)"
+      - "Every component in the SBOM has an SPDX license expression"
+      - "SBOM path: `{project_root}/sbom.cdx.json` (or `.spdx.json`)"
+
+  - id: LC-006
+    name: Copyright Similarity Threshold
+    severity: blocking
+    description: |
+      AI-generated code with embedding similarity ≥ 0.85 to a known
+      open-source repo MUST be inspected. If the source repo is on the
+      blocklist (GPL/AGPL), the PR MUST be blocked.
+
+      v2.1.0: EmbeddingProvider strategy (XSPEC-193 Phase 2):
+        - provider='onnx-minilm': local ONNX inference (all-MiniLM-L6-v2)
+        - provider='ollama-bge-m3': Ollama local API (bge-m3, localhost:11434)
+        - provider='jaccard' (default): Jaccard token similarity (Phase 1)
+      Known snippet index is per-customer (DEC-064 client_salt isolated).
+      External search is opt-in (enableExternalSearch=false by default).
+    checks:
+      - "overall_similarity >= 0.85 AND source_license in blocklist → block_pr"
+      - "overall_similarity >= 0.70 AND source_license in greylist → review"
+      - "overall_similarity >= 0.85 AND source_license in allowlist → record info event, do not block"
+      - "ONNX/Ollama unavailable → graceful fallback to Jaccard (no exception)"
+      - "snippet index build: buildSnippetIndex(snippets, provider) per-customer"
+    evidence_required:
+      - "source_repo URL"
+      - "source_license SPDX ID"
+      - "similarity score (4 decimal places)"
+      - "matched_section (first 5 lines of the snippet)"
+      - "embedding_provider used (for audit trail)"
+
+  - id: LC-007
+    name: PII Pattern Detection
+    severity: review_required
+    description: |
+      When AI-generated code contains a personal-data handling pattern,
+      issue a warning with a remediation hint. severity="critical" patterns
+      MUST escalate to human review.
+
+      v2.1.0: AST-enhanced detection via tree-sitter (XSPEC-193 Phase 2):
+        - Language support: TypeScript, JavaScript, Python
+        - AST context classification:
+            hardcoded_value → severity upgraded to critical
+            comment         → severity downgraded to info
+            schema_field    → ast_context='schema_field'
+        - Pragma support: // pii:ignore on same line suppresses finding
+        - tree-sitter unavailable → graceful fallback to regex (no exception)
+        - LLM assist: stub (enableLLMAssist=false default, Phase 3 integration)
+        - PIIPattern.confidence and PIIPattern.ast_context are new optional fields
+    pii_types:
+      critical:
+        - ssn               # Social security number
+        - credit_card       # Credit-card number
+        - biometric         # Biometric identifiers
+        - health_record     # Health records (HIPAA / Taiwan PDPA §6 special category)
+      warning:
+        - email
+        - phone
+        - id_number         # National ID
+        - date_of_birth
+        - address
+    detection_strategy:
+      - "regex: field-name patterns (email, phone_number, ssn, credit_card_number, ...)"
+      - "ast: tree-sitter semantic context (hardcoded_value / comment / schema_field)"
+      - "llm_assist: ambiguous contexts (confidence threshold 0.8, Phase 3)"
+
+  - id: LC-008
+    name: EU AI Act Transparency Marker
+    severity: blocking
+    description: |
+      Every AI-generated source file MUST carry a transparency marker at
+      output time, per EU AI Act Article 50 (Limited-Risk transparency
+      obligation).
+    marker_format:
+      source_code: |
+        // AI-generated: VibeOps v{version} on {date}
+        // AI Generation Disclosure: Per EU AI Act Article 50.
+        // Modifications by humans should remove this notice.
+      markdown: |
+        ---
+        > AI Generation Disclosure: This content was AI-generated by VibeOps
+        > v{version} on {date}. Per EU AI Act Article 50.
+      json_yaml: |
+        _ai_generated: "VibeOps v{version} on {date} — EU AI Act Article 50"
+    checks:
+      - "Marker MUST be in the file header (source code) or metadata block (JSON/YAML)"
+      - "Marker removal requires the transparency_marker tool's explicit remove operation plus human confirmation"
+      - "When eu_ai_act_classifier() returns high_risk, additionally include a human_oversight statement"
+
+  - id: LC-009
+    name: Customer Policy Ceiling
+    severity: informational
+    description: |
+      Customers MAY adjust lists via ~/.vibeops/license-policy.yaml, but
+      adjustments MUST be telemetered (human_override_block event) and MUST
+      NOT modify the EULA §9 liability-allocation clause at the platform
+      layer.
+    checks:
+      - "If allowlist_add contains blocklist members, record a warning telemetry"
+      - "greylist_review: 'auto-allow' requires an extra telemetry tag customer_risk_accepted=true"
+      - "If the customer config schema validation fails, fall back to platform default policy"
+
+# ─────────────────────────────────────────────────────────────
+# Tool integration (XSPEC-193 §2, §3)
+# ─────────────────────────────────────────────────────────────
+
+tooling_integration:
+  description: |
+    Maps to the 10 tools defined in XSPEC-193 §2. Tool call order is fixed
+    to keep prompts cache-friendly under the DEC-064 cache-salt strategy.
+  tool_sequence:
+    1: dependency_reader            # Read dependency manifest
+    2: license_lookup               # SPDX lookup
+    3: license_blocklist_check      # Tier check
+    4: sbom_generator               # SBOM generation (LC-005)
+    5: pii_pattern_detector         # PII detection (LC-007)
+    6: copyright_similarity_check   # Copyright similarity (LC-006)
+    7: eu_ai_act_classifier         # EU AI Act risk classification
+    8: transparency_marker          # Transparency marker (LC-008)
+    9: block_pr                     # Sole flow-interrupting authority
+    10: suggest_alternative         # Alternative package suggestion (XSPEC-193 §4.5)
+    11: escalate_to_human           # Fallback when automation cannot decide
+
+# ─────────────────────────────────────────────────────────────
+# Telemetry (DEC-066 / XSPEC-189 v2 envelope)
+# ─────────────────────────────────────────────────────────────
+
+telemetry:
+  required_events:
+    - license_compliance_result    # Final result of each review
+    - block_pr                     # Block event detail
+    - license_lookup_failure       # SPDX lookup failure (drives alternative-table updates)
+    - copyright_similarity_high    # High-similarity warning
+    - eu_ai_act_classification     # Classification distribution
+    - human_override_block         # Human override of a block (requires reason)
+  envelope_reference: XSPEC-189    # Telemetry Schema v2 envelope
+  event_type: quality
+  event_subtype_examples:
+    - license_compliance_result    # LC rule outcomes
+    - gate_pass / gate_fail        # When License Compliance acts as a gate
+
+# ─────────────────────────────────────────────────────────────
+# Adoption guidance
+# ─────────────────────────────────────────────────────────────
+
+adoption_guidance:
+  uds_install_path: ai/standards/license-compliance.ai.yaml
+  vibeops_config_path: src/agents/license-compliance/rules.yaml
+  customer_config_path: ~/.vibeops/license-policy.yaml
+  notes:
+    - "v2.1.0 adds ClearlyDefined API integration, AST PII analysis, and EmbeddingProvider strategy. Requires VibeOps ≥ v1.6.0 (commit c44a4bf)."
+    - "v2.0.0 Tier 2 rules are Active for AI-augmented projects. Legal sign-off on the blocklist remains pending; treat the blocklist as authoritative-pending-review."
+    - "LGPL greylist decisions should consult legal counsel."
+    - "Alternative-package table (XSPEC-193 §4.5) is updated quarterly, driven by license_lookup_failure telemetry."
+    - "When this standard is consumed by VibeOps, the License Compliance Agent enforces every LC rule listed above. Other adopters MAY choose to enforce LC rules via CI alone (Tier 1 REQ-002 path)."
+
+# ─────────────────────────────────────────────────────────────
+# Compatibility note
+# ─────────────────────────────────────────────────────────────
+
+compatibility:
+  v1_to_v2: |
+    v1.0.0 REQ-001~006 are unchanged and remain authoritative for general
+    OSS practice. v2.0.0 adds Tier 2 LC-001~009 as a strict superset for
+    AI-augmented projects. A project that adopted v1.0.0 remains compliant;
+    AI-augmented projects MUST additionally enforce Tier 2.
+  v2_to_v2_1: |
+    v2.1.0 is a backward-compatible superset of v2.0.0. New features
+    (ClearlyDefined API, AST PII, EmbeddingProvider) are opt-in via
+    ComplianceAgentConfig. All existing LC-001~009 rules are unchanged.
+    PIIPattern gains optional fields (confidence, ast_context); existing
+    code that reads PIIPattern is unaffected.
+    Minimum runtime: Node.js 22 + VibeOps v1.6.0.

package/bundled/ai/standards/test-governance.ai.yaml

@@ -158,3 +158,22 @@ standard:
       evidence: >
         BUG-A08 post-mortem (2026-04-20): 22 tests existed in UDS but were never
         executed by any CI gate, passing silently and masking real failures.
+
+    - id: gate-wiring-required
+      trigger: adding any quality detection script to the repository
+      instruction: |
+        Quality detection scripts (anti-fake check, stub check, coverage ratchet,
+        tautology scanner) MUST appear in at least one CI workflow job AND at least
+        one local hook (pre-commit or pre-push). A script that exists in scripts/
+        but is never called by CI is equivalent to not existing and constitutes a
+        governance gap. Apply the same execution-continuity principle to detection
+        scripts as to test cases: existence ≠ execution.
+        Checklist when adding a detection script:
+          [ ] Script is called in .github/workflows/*.yml (at least one job)
+          [ ] Script is called in .husky/pre-commit or .husky/pre-push
+          [ ] CI step name references the XSPEC or standard that mandates it
+      priority: required
+      evidence: >
+        XSPEC-220 post-mortem (2026-05-19): check-anti-fake-tests.sh existed in
+        vibeops/scripts/ for months but was not called by pre-commit, allowing
+        tautology assertions to be committed undetected.

package/bundled/core/license-compliance.md

@@ -0,0 +1,118 @@
+# License Compliance Standards
+
+> **Version**: 2.1.0 | **Status**: Active | **Updated**: 2026-05-16
+> **AI-optimized version**: `ai/standards/license-compliance.ai.yaml`
+> **Agent Spec**: ASPEC-001 (cross-project/aspec/ASPEC-001-license-compliance-agent.md)
+
+## Overview
+
+Comprehensive license compliance for AI-augmented development, covering both general OSS practice (Tier 1) and AI-specific rules for AI-generated code (Tier 2).
+
+## Tier 1 — General OSS Compliance Practices
+
+Applies to every project regardless of AI use.
+
+| ID | Rule | Level |
+|----|------|-------|
+| REQ-001 | License classification and allowlist | MUST |
+| REQ-002 | Automated license scanning in CI | MUST |
+| REQ-003 | SBOM generation (CycloneDX 1.5 or SPDX 2.3) | MUST |
+| REQ-004 | License attribution and NOTICES file | MUST |
+| REQ-005 | License violation remediation (5 business days) | MUST |
+| REQ-006 | License review for new technology adoption | SHOULD |
+
+### License Tiers
+
+| Tier | Licenses | Action |
+|------|----------|--------|
+| APPROVED | MIT, Apache 2.0, BSD-2/3-Clause, ISC, CC0 | Auto-approve |
+| REVIEW-REQUIRED | LGPL-2.1/3.0, MPL-2.0, CDDL | Legal review before adoption |
+| PROHIBITED | GPL-2.0/3.0, AGPL-3.0, SSPL-1.0, BUSL-1.1 | Block PR immediately |
+
+## Tier 2 — AI-Specific Rules
+
+Binding on AI Agents that produce code (VibeOps Generator Agent and equivalents).
+
+| ID | Rule | Severity |
+|----|------|----------|
+| LC-001 | SPDX ID lookup required | Blocking |
+| LC-002 | Blocklist auto-block | Blocking |
+| LC-003 | Allowlist auto-approve | Informational |
+| LC-004 | Greylist human review | Review required |
+| LC-005 | SBOM mandatory generation | Blocking |
+| LC-006 | Copyright similarity threshold (≥0.85 block) | Blocking |
+| LC-007 | PII pattern detection | Review required |
+| LC-008 | EU AI Act transparency marker | Blocking |
+| LC-009 | Customer policy ceiling | Informational |
+
+## v2.1.0 Enhancements (XSPEC-193 Phase 2)
+
+### ClearlyDefined API (LC-001)
+
+- Primary license lookup source: `https://api.clearlydefined.io/definitions/{type}/{provider}/{namespace}/{name}/{revision}`
+- Confidence ≥ 0.95 for well-known packages (score.total ≥ 80)
+- 24h TTL LRU cache (cap=500) + negative cache for 404
+- Token bucket: 10 req/s, burst 20
+- Retry strategy: 5xx → exponential backoff × 3 (200ms/1s/3s); 429 → batch fallback
+- DEC-064 cache key isolation: `sha256(client_salt + ':' + purl)`
+
+### AST PII Analysis (LC-007)
+
+- Tree-sitter support: TypeScript, JavaScript, Python
+- Context classification:
+  - `hardcoded_value` → severity upgraded to `critical`
+  - `comment` → severity downgraded to `info`
+  - `schema_field` → annotated, no severity change
+- `// pii:ignore` pragma: suppresses findings on same line
+- Optional fields: `PIIPattern.confidence`, `PIIPattern.ast_context`
+- Graceful fallback to regex when tree-sitter unavailable
+
+### EmbeddingProvider Strategy (LC-006)
+
+- `provider='onnx-minilm'`: ONNX local inference (all-MiniLM-L6-v2)
+- `provider='ollama-bge-m3'`: Ollama local API (localhost:11434)
+- `provider='jaccard'`: Jaccard token similarity (Phase 1 baseline, default)
+- In-memory snippet index (`buildSnippetIndex()`) per-customer (DEC-064 salt)
+- External search: opt-in via `enableExternalSearch=true` (default=false)
+
+## Principles
+
+| ID | Principle |
+|----|-----------|
+| P-1 | SPDX First — all license IDs must be SPDX standard |
+| P-2 | Independent Evaluator — different model class from Generator |
+| P-3 | Evidence-Based Decision — every block carries traceable evidence |
+| P-4 | Transparency by Default — EU AI Act Article 50 markers required |
+| P-5 | Customer Sovereignty — policy customizable within EULA §9 limits |
+
+## Tool Sequence (XSPEC-193 §2)
+
+```
+1. dependency_reader
+2. license_lookup         ← ClearlyDefined API (v2.1.0)
+3. license_blocklist_check
+4. sbom_generator
+5. pii_pattern_detector   ← AST-enhanced (v2.1.0)
+6. copyright_similarity_check ← EmbeddingProvider (v2.1.0)
+7. eu_ai_act_classifier
+8. transparency_marker
+9. block_pr
+10. suggest_alternative
+11. escalate_to_human
+```
+
+## Related Specs
+
+- XSPEC-193 — License Compliance Agent complete spec
+- XSPEC-066 — Wave 3 Compliance Pack (v1.0.0 baseline)
+- DEC-063 — VibeOps legal & compliance strategy
+- DEC-064 — Customer IP isolation (cache salt)
+- ASPEC-001 — License Compliance Agent SPEC (XSPEC-205 §REQ-2 format)
+
+## Changelog
+
+| Version | Date | Changes |
+|---------|------|---------|
+| v1.0.0 | 2026-04-30 | Initial — REQ-001~006 general OSS practices |
+| v2.0.0 | 2026-05-14 | Added Tier 2 LC-001~009 AI-specific rules |
+| v2.1.0 | 2026-05-16 | ClearlyDefined API + AST PII + EmbeddingProvider + ASPEC-001 ref |

package/bundled/locales/zh-CN/CHANGELOG.md

@@ -1,8 +1,8 @@
 ---
 source: ../../CHANGELOG.md
-source_version: 5.11.0
-translation_version: 5.11.0
-last_synced: 2026-05-14
+source_version: 5.12.1
+translation_version: 5.12.1
+last_synced: 2026-05-19
 status: current
 ---
 
@@ -17,6 +17,35 @@ status: current
 
 ## [Unreleased]
 
+## [5.12.0] - 2026-05-16
+
+### 新增
+- **`docs/user/` 用户文档体系**（XSPEC-211）：新增双轨文档结构，仿照 VibeOps 惯例，包含 8 份文档：
+  - `docs/user/GETTING-STARTED.md` — 5 分钟端到端教程（install → `uds init` → `/sdd` → `/commit`）
+  - `docs/user/SKILLS-INDEX.md` — 自动生成的 54 个 skill 索引，按 Tier（DEC-061）与 Category 分类，含「触发时机速查」表
+  - `docs/user/COMMANDS-INDEX.md` — 自动生成的 48 个 slash command 字母序列表，含 skill 对应
+  - `docs/user/FAQ.md` — 14 题常见问题（安装、skill、SDD、升级、架构）
+  - `docs/user/GLOSSARY.md` — UDS、SDD、ATDD、BDD、TDD、XSPEC、Dual-Layer、Skill Tier、Standard、Activity、Bundle/Source、ADR、AC 等术语定义
+  - `docs/user/TROUBLESHOOTING.md` — 问题→解法指南，整合 `SKILL-FALLBACK-GUIDE.md` 内容
+  - `docs/user/README.md` — 三类受众入口（新手 / 日常用户 / 维护者）+ 文档地图
+  - `docs/user/CHEATSHEET.md` — 从 `docs/` 移入（内容不变）
+- **`scripts/generate-skill-index.ts`** — 从 `uds-manifest.json` + `skills/*/SKILL.md` frontmatter 生成 SKILLS-INDEX.md 与 COMMANDS-INDEX.md。执行：`npm run docs:generate-index`
+- **`scripts/check-skill-index.ts`** — pre-commit 守门；重生成后 diff，不同步则 exit 非零。执行：`npm run docs:check-index`
+- **`scripts/setup-hooks.sh`** — 安装 `.git/hooks/pre-commit`，每次 commit 自动调用 `docs:check-index`
+- **`.github/workflows/docs-check.yml`** — CI job：PR 修改 manifest/SKILL.md/registry 时验证 INDEX 文档已同步
+- **`docs/reference/FEATURE-REFERENCE.md`** — FEATURE-REFERENCE.md 从 `docs/` 迁移至 `docs/reference/`（自动生成，内容不变）
+- **`docs/archive/USER-MANUAL-2026-03-24.md`** — 已废弃 User Manual 的归档备份
+
+### 变更
+- **`package.json`**：新增 `docs:generate-index` 与 `docs:check-index` npm scripts
+- **`scripts/generate-usage-docs.mjs`**：更新英文输出路径（FEATURE-REFERENCE → `docs/reference/`，CHEATSHEET → `docs/user/`）
+- **`skills/README.md`**：新增 banner 指向 `docs/user/SKILLS-INDEX.md` 与 `COMMANDS-INDEX.md`
+- **`README.md`**：Quick Start 段落新增「📚 Documentation」表格，列出 7 份 `docs/user/` 文档直链
+- **`docs/USER-MANUAL.md`**：新增 deprecation banner 指向 `docs/user/README.md`；归档备份保留于 `docs/archive/`
+
+### 移除
+- **`docs/SKILL-FALLBACK-GUIDE.md`**：内容已整合至 `docs/user/TROUBLESHOOTING.md`。非 Claude Code 工具的 fallback 策略与 Skill→Core Standard 对应表保留于「Using UDS Without Claude Code」段落
+
 ## [5.11.0] - 2026-05-14
 
 ### 新增 / Added

package/bundled/locales/zh-CN/README.md

@@ -14,7 +14,7 @@ status: current
 
 > **语言**: [English](../../README.md) | [繁體中文](../zh-TW/README.md) | 简体中文
 
-**版本**: 5.11.0 | **发布日期**: 2026-05-14 | **授权**: [双重授权](../../LICENSE) (CC BY 4.0 + MIT)
+**版本**: 5.12.1 | **发布日期**: 2026-05-14 | **授权**: [双重授权](../../LICENSE) (CC BY 4.0 + MIT)
 
 语言无关、框架无关的软件项目文档标准。通过 AI 原生工作流，确保不同技术栈之间的一致性、质量和可维护性。
 

package/bundled/locales/zh-TW/CHANGELOG.md

@@ -1,8 +1,8 @@
 ---
 source: ../../CHANGELOG.md
-source_version: 5.11.0
-translation_version: 5.11.0
-last_synced: 2026-05-14
+source_version: 5.12.1
+translation_version: 5.12.1
+last_synced: 2026-05-19
 status: current
 ---
 
@@ -17,6 +17,42 @@ status: current
 
 ## [Unreleased]
 
+## [5.12.1] - 2026-05-19
+
+### 變更
+- **`full-coverage-testing.ai.yaml`**（`no-tautology-assertions` 規則，XSPEC-220）：AI agent 生成未實作測試骨架時，**必須**使用 `it.todo("AC-XXX: ...")`，禁止使用含 `expect(true).toBe(true)` 的 `it()` callback——無論由人類或 AI agent 生成，均視為 `[ANTI-FAKE-001]` 違規。
+- **`test-governance.ai.yaml`**（`gate-wiring-required` 規則，XSPEC-220）：品質偵測腳本（anti-fake、stub-check、coverage ratchet）**必須**同時出現在至少一個 CI workflow job 與至少一個 local hook。腳本存在於 `scripts/` 但從未被 CI 呼叫，等同不存在，視為治理缺口。
+- **`acceptance-criteria-traceability.ai.yaml`**（`not_implemented` 狀態，XSPEC-220）：明確定義 `it.todo()` 佔位符對應 `not_implemented 🚫` 狀態（不計入覆蓋率分母），補充決策樹區分 `not_implemented`（有意識標記）與 `uncovered`（遺漏）。
+
+## [5.12.0] - 2026-05-16
+
+### 新增
+- **`docs/user/` 使用者文件體系**（XSPEC-211）：新增雙軌文件結構，仿照 VibeOps 慣例，包含 8 份文件：
+  - `docs/user/GETTING-STARTED.md` — 5 分鐘端到端教學（install → `uds init` → `/sdd` → `/commit`）
+  - `docs/user/SKILLS-INDEX.md` — 自動生成的 54 個 skill 索引，依 Tier（DEC-061）與 Category 分類，含「觸發時機速查」表
+  - `docs/user/COMMANDS-INDEX.md` — 自動生成的 48 個 slash command 字母序清單，含 skill 對應
+  - `docs/user/FAQ.md` — 14 題常見問題（安裝、skill、SDD、升級、架構）
+  - `docs/user/GLOSSARY.md` — UDS、SDD、ATDD、BDD、TDD、XSPEC、Dual-Layer、Skill Tier、Standard、Activity、Bundle/Source、ADR、AC 等術語定義
+  - `docs/user/TROUBLESHOOTING.md` — 問題→解法指南，整合 `SKILL-FALLBACK-GUIDE.md` 內容
+  - `docs/user/README.md` — 三類受眾入口（新手 / 日常使用者 / 維護者）+ 文件地圖
+  - `docs/user/CHEATSHEET.md` — 從 `docs/` 移入（內容不變）
+- **`scripts/generate-skill-index.ts`** — 從 `uds-manifest.json` + `skills/*/SKILL.md` frontmatter 生成 SKILLS-INDEX.md 與 COMMANDS-INDEX.md。執行：`npm run docs:generate-index`
+- **`scripts/check-skill-index.ts`** — pre-commit 守門；重生成後 diff，不同步則 exit 非零。執行：`npm run docs:check-index`
+- **`scripts/setup-hooks.sh`** — 安裝 `.git/hooks/pre-commit`，每次 commit 自動呼叫 `docs:check-index`
+- **`.github/workflows/docs-check.yml`** — CI job：PR 修改 manifest/SKILL.md/registry 時驗證 INDEX 文件已同步
+- **`docs/reference/FEATURE-REFERENCE.md`** — FEATURE-REFERENCE.md 從 `docs/` 遷移至 `docs/reference/`（自動生成，內容不變）
+- **`docs/archive/USER-MANUAL-2026-03-24.md`** — 已廢棄 User Manual 的歸檔備份
+
+### 變更
+- **`package.json`**：新增 `docs:generate-index` 與 `docs:check-index` npm scripts
+- **`scripts/generate-usage-docs.mjs`**：更新英文輸出路徑（FEATURE-REFERENCE → `docs/reference/`，CHEATSHEET → `docs/user/`）
+- **`skills/README.md`**：新增 banner 指向 `docs/user/SKILLS-INDEX.md` 與 `COMMANDS-INDEX.md`
+- **`README.md`**：Quick Start 段落新增「📚 Documentation」表格，列出 7 份 `docs/user/` 文件直連
+- **`docs/USER-MANUAL.md`**：新增 deprecation banner 指向 `docs/user/README.md`；歸檔備份保留於 `docs/archive/`
+
+### 移除
+- **`docs/SKILL-FALLBACK-GUIDE.md`**：內容已整合至 `docs/user/TROUBLESHOOTING.md`。非 Claude Code 工具的 fallback 策略與 Skill→Core Standard 對應表保留於「Using UDS Without Claude Code」段落
+
 ## [5.11.0] - 2026-05-14
 
 ### 新增 / Added

package/bundled/locales/zh-TW/README.md

@@ -14,7 +14,7 @@ status: current
 
 > **語言**: [English](../../README.md) | 繁體中文 | [简体中文](../zh-CN/README.md)
 
-**版本**: 5.11.0 | **發布日期**: 2026-05-14 | **授權**: [雙重授權](../../LICENSE) (CC BY 4.0 + MIT)
+**版本**: 5.12.1 | **發布日期**: 2026-05-14 | **授權**: [雙重授權](../../LICENSE) (CC BY 4.0 + MIT)
 
 語言無關、框架無關的軟體專案文件標準。透過 AI 原生工作流，確保不同技術堆疊之間的一致性、品質和可維護性。
 

package/bundled/skills/README.md

@@ -4,6 +4,9 @@ This directory contains the reference implementations of Universal Development S
 
 > Derived from [universal-dev-standards](https://github.com/AsiaOstrich/universal-dev-standards) core standards.
 
+> **For the full indexed skill list** (by Tier, Category, and use case), see **[docs/user/SKILLS-INDEX.md](../docs/user/SKILLS-INDEX.md)** (auto-generated).
+> For slash command reference, see **[docs/user/COMMANDS-INDEX.md](../docs/user/COMMANDS-INDEX.md)**.
+
 ## Directory Structure
 
 ```

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "universal-dev-standards",
-  "version": "5.11.0",
+  "version": "5.12.1",
   "description": "CLI tool for adopting Universal Development Standards",
   "keywords": [
     "documentation",

package/standards-registry.json

@@ -1,6 +1,6 @@
 {
   "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "version": "5.11.0",
+  "version": "5.12.1",
   "lastUpdated": "2026-05-13",
   "description": "Standards registry for universal-dev-standards with integrated skills and AI-optimized formats",
   "formats": {
@@ -58,14 +58,14 @@
     "standards": {
       "name": "universal-dev-standards",
       "url": "https://github.com/AsiaOstrich/universal-dev-standards",
-      "version": "5.11.0"
+      "version": "5.12.1"
     },
     "skills": {
       "name": "universal-dev-standards",
       "url": "https://github.com/AsiaOstrich/universal-dev-standards",
       "localPath": "skills",
       "rawUrl": "https://raw.githubusercontent.com/AsiaOstrich/universal-dev-standards/main/skills",
-      "version": "5.11.0",
+      "version": "5.12.1",
       "note": "Skills are now included in the main repository under skills/"
     }
   },
@@ -2326,12 +2326,13 @@
       "id": "license-compliance",
       "name": "License Compliance Standards",
       "nameZh": "授權合規標準",
+      "version": "5.12.1",
       "source": {
         "human": "core/license-compliance.md",
         "ai": "ai/standards/license-compliance.ai.yaml"
       },
       "category": "core",
-      "description": "License tier classification, automated scanning in CI, SBOM generation, attribution notices, and violation remediation"
+      "description": "License tier classification, automated scanning in CI, SBOM generation, attribution notices, violation remediation, ClearlyDefined API, AST PII analysis, and EmbeddingProvider copyright similarity"
     },
     {
       "id": "pii-classification",