universal-dev-standards 5.8.0 → 5.11.0

package/bundled/ai/standards/multi-environment-e2e-testing.ai.yaml

@@ -0,0 +1,250 @@
+# Multi-Environment E2E Testing Standards - AI Optimized
+# Source: XSPEC-204 (UDS Issue #94, #95)
+
+id: multi-environment-e2e-testing
+meta:
+  version: "1.0.0"
+  updated: "2026-05-13"
+  description: >
+    Standards for E2E test configuration across multiple deployment targets.
+    Core principle: The run command IS the documentation.
+    Each environment has one entry-point script that self-checks prerequisites
+    and runs the correct test subset.
+
+# ─────────────────────────────────────────────────────────
+# Core Principle
+# ─────────────────────────────────────────────────────────
+core_principle:
+  name: Executable Environment Documentation
+  statement: "The run command IS the documentation."
+  rationale: >
+    Developers repeatedly ask "how do I run tests against environment X?"
+    because the answer is scattered across README, wiki, and verbal knowledge.
+    When the run script self-checks prerequisites and sets the correct BASE_URL,
+    the script itself becomes the authoritative environment setup guide.
+  anti_pattern: >
+    Manually changing BASE_URL in .env before test runs — breaks other
+    developers' configs and cannot be committed without affecting everyone.
+
+# ─────────────────────────────────────────────────────────
+# Test Framework Multi-Environment Config
+# ─────────────────────────────────────────────────────────
+test_framework_config:
+  rule: "BASE_URL is baked into test project config, not read from .env"
+  rationale: >
+    If BASE_URL comes from .env, developers must modify .env before running
+    against a specific environment, creating race conditions in teams and
+    accidental commits of wrong URLs.
+
+  playwright_pattern: |
+    // playwright.config.ts
+    const ENVS = {
+      'local-iis':         'http://localhost/corp',
+      'local-iis-express': 'http://localhost:18080/lotest',
+      'uat':               'http://portal_uat.example.com/app',
+      'prd':               'https://app.example.com',
+    } as const;
+
+    export default defineConfig({
+      projects: Object.entries(ENVS).map(([name, url]) => ({
+        name,
+        use: { browserName: 'chromium', baseURL: url },
+      })),
+    });
+
+  cypress_pattern: |
+    // cypress.config.ts
+    const ENVS = {
+      'local':  { baseUrl: 'http://localhost:3000' },
+      'uat':    { baseUrl: 'http://uat.example.com' },
+      'prd':    { baseUrl: 'https://app.example.com' },
+    };
+    // Pass via --env target=uat; default to local
+
+  rules:
+    - "One test config file; environment distinction via project name or --project flag"
+    - "No environment-specific playwright/cypress.config.*.ts files"
+    - "BASE_URL never in .env for E2E test configs"
+
+# ─────────────────────────────────────────────────────────
+# Runner Script Pattern
+# ─────────────────────────────────────────────────────────
+runner_script_pattern:
+  rule: "Each environment has one entry-point script that self-checks prerequisites"
+  location: "scripts/run-tests-<env>.(ps1|sh)"
+  template_powershell: |
+    # scripts/run-tests-local-iis.ps1
+    # Self-check prerequisites before running tests
+
+    # 1. Check Docker
+    if (-not (Get-Process "com.docker.backend" -ErrorAction SilentlyContinue)) {
+      Write-Error "Docker is not running. Start Docker Desktop first."
+      exit 1
+    }
+
+    # 2. Check App is responding
+    try {
+      $resp = Invoke-WebRequest "http://localhost/corp/health" -UseBasicParsing -TimeoutSec 5
+    } catch {
+      Write-Error "App not responding at http://localhost/corp. Start IIS site first."
+      exit 1
+    }
+
+    # 3. Run tests
+    npx playwright test --project=local-iis @args
+
+  template_bash: |
+    #!/bin/bash
+    # scripts/run-tests-local.sh
+
+    # 1. Check Docker
+    if ! docker info > /dev/null 2>&1; then
+      echo "ERROR: Docker is not running." >&2
+      exit 1
+    fi
+
+    # 2. Check App
+    if ! curl -s -f http://localhost:3000/health > /dev/null 2>&1; then
+      echo "ERROR: App not responding at http://localhost:3000" >&2
+      exit 1
+    fi
+
+    npx playwright test --project=local "$@"
+
+  prerequisite_checks:
+    - "Docker / container runtime"
+    - "Application health endpoint"
+    - "Database connectivity (if separate from app)"
+    - "Required environment-specific services"
+
+# ─────────────────────────────────────────────────────────
+# Environment Capability Matrix
+# ─────────────────────────────────────────────────────────
+capability_matrix:
+  rule: >
+    Projects with external dependencies MUST maintain an environment capability
+    matrix committed to the repository (docs/testing/environment-capability-matrix.md
+    or inline in testing README).
+  when_required: "Any project with external HTTP services, IdP, payment, messaging"
+
+  template: |
+    ## Environment Capability Matrix
+
+    | Service / Feature | local-dev | local-iis | UAT | PRD |
+    |-------------------|:---------:|:---------:|:---:|:---:|
+    | Auth / SAML       | ⚠️ Keycloak stub | ✅ Keycloak local | ✅ Keycloak UAT | ✅ Enterprise IdP |
+    | SMS Gateway       | ⚠️ stub-server | ⚠️ stub-server | ⚠️ stub-server / ❌ | ✅ Real Gateway + billing |
+    | Payment / Finance | ⚠️ stub-server | ⚠️ stub-server | ⚠️ partial | ✅ Real + reconciliation |
+    | Background Jobs   | ✅ in-process | ✅ in-process | ✅ | ✅ |
+    | File Storage      | ✅ local | ✅ local | ✅ blob | ✅ blob |
+
+    Legend:
+    ✅ Full verification possible
+    ⚠️ Flow passes but through stub (real-world dimensions NOT verified)
+    ❌ Cannot test in this environment
+
+    ### Dimensions NOT verifiable in UAT (must defer to PRD smoke)
+    - SMS: Billing correctness, carrier delivery confirmation, DR reporting
+    - Payment: Real debit/credit, bank reconciliation, card validation
+
+  when_to_update: "Update matrix when adding any new external service dependency"
+
+# ─────────────────────────────────────────────────────────
+# CI Gate Mapping
+# ─────────────────────────────────────────────────────────
+ci_gate_mapping:
+  rule: "Map environments to CI/CD stages; document which gate must pass before each deployment stage"
+
+  pattern: |
+    # .github/workflows/ci.yml or .gitlab-ci.yml
+
+    e2e-smoke-gate:       # Must pass → any deployment
+      runs-on: ubuntu-latest
+      script: scripts/run-tests-local.sh --grep smoke
+
+    e2e-uat-gate:         # Must pass → PRD deployment
+      environment: uat
+      script: scripts/run-tests-uat.sh
+      only: [tags, release-branches]
+
+    e2e-prd-smoke:        # Must pass → mark release as stable
+      environment: prd
+      script: scripts/run-tests-prd-smoke.sh
+      only: [tags]
+
+  gate_requirements:
+    before_staging_deploy: ["unit tests", "integration tests", "e2e-smoke-gate"]
+    before_uat_deploy:     ["all staging gates", "e2e-uat-gate (if UAT environment available)"]
+    before_prd_deploy:     ["e2e-uat-gate", "sign-off from capability matrix review"]
+    after_prd_deploy:      ["e2e-prd-smoke within 10 min of deploy"]
+
+# ─────────────────────────────────────────────────────────
+# Credential Handling
+# ─────────────────────────────────────────────────────────
+credential_handling:
+  rule: "Separate what goes in git from what stays gitignored"
+
+  commit_to_git:
+    - "Base URLs per environment (non-secret, team needs to share)"
+    - "Test usernames for non-PRD environments"
+    - "Feature flags and test configuration"
+    - "Self-check scripts (no credentials embedded)"
+
+  gitignore:
+    - "Passwords and secrets"
+    - "API keys and tokens"
+    - ".env.test.local (personal overrides)"
+
+  ci_secrets: "Pass PRD test passwords via CI secret variables (GitHub Secrets / GitLab CI Variables)"
+
+  example_gitignore: |
+    # Test credentials
+    .env.test.local
+    tests/fixtures/auth-secrets.json
+    # Base URLs and non-secrets are committed; see playwright.config.ts
+
+# ─────────────────────────────────────────────────────────
+# Rules
+# ─────────────────────────────────────────────────────────
+rules:
+  - id: base-url-in-config
+    trigger: setting up E2E tests for a project with multiple environments
+    instruction: >
+      Define all environment BASE_URLs in the test framework config (playwright.config.ts /
+      cypress.config.ts) as named projects. Do not rely on .env for BASE_URL.
+    priority: required
+
+  - id: one-runner-per-env
+    trigger: adding a new deployment target
+    instruction: >
+      Create scripts/run-tests-<env>.(ps1|sh) with self-checking prerequisite steps.
+      The script must verify all required services before invoking the test runner.
+    priority: required
+
+  - id: capability-matrix-required
+    trigger: feature has external service dependencies (SMS, payment, IdP, file storage)
+    instruction: >
+      Create or update the environment capability matrix in docs/testing/.
+      Clearly mark ✅/⚠️/❌ for each service × environment combination.
+      List dimensions NOT verifiable in UAT; mark these as "PRD-only smoke" items.
+    priority: required
+
+  - id: ci-gate-mapping
+    trigger: defining CI/CD pipeline stages
+    instruction: >
+      Map each CI gate to the environments it must pass.
+      E2E gate must specify which environment it targets.
+    priority: required
+
+# ─────────────────────────────────────────────────────────
+# Relationship to Other Standards
+# ─────────────────────────────────────────────────────────
+related_standards:
+  - id: deployment-standards
+    relationship: "Extends — adds environment dimension to CI gates and deployment readiness"
+  - id: test-completeness-dimensions
+    relationship: "Complements — adds dimension 11: Environment Verifiability"
+  - id: verification-evidence
+    relationship: "Complements — evidence must specify which environment it was collected from"
+  - id: mock-boundary
+    relationship: "Complements — capability matrix references Level 2 stub server usage"

package/bundled/ai/standards/test-completeness-dimensions.ai.yaml

@@ -3,10 +3,12 @@
 
 id: test-completeness-dimensions
 meta:
-  version: "1.2.0"
-  updated: "2026-05-04"
+  version: "1.3.0"
+  updated: "2026-05-13"
   source: core/test-completeness-dimensions.md
-  description: Framework for evaluating test completeness across 10 dimensions (v1.2.0 adds Flow Completeness and Branch Coverage)
+  description: >
+    Framework for evaluating test completeness across 11 dimensions.
+    v1.3.0 adds Dimension 11: Environment Verifiability (XSPEC-204).
 
 dimensions:
   - id: 1
@@ -114,6 +116,21 @@ dimensions:
     when_required: When flow has any conditional logic or decision points
     note: Use decision_table_expansion from flow-based-testing.ai.yaml to enumerate scenarios
 
+  - id: 11
+    name: Environment Verifiability
+    description: >
+      For each AC with external service dependencies, document which environment layer
+      can fully verify it, and plan PRD-smoke coverage for items that cannot be verified in UAT.
+    test_items:
+      - Environment stratification responsibility matrix exists for features with external dependencies
+      - Each AC is tagged with its minimum verifiable environment layer (local / UAT / PRD)
+      - ACs that are PRD-only are explicitly tracked and have a PRD smoke test plan
+      - Evidence for externally-dependent ACs includes environment_layer field
+    when_required: >
+      Any feature with external service dependencies (SMS, payment, IdP, email,
+      SOAP integrations, external REST APIs)
+    note: See multi-environment-e2e-testing.ai.yaml and deployment-standards.ai.yaml for environment capability matrix templates
+
 feature_type_mapping:
   note: "Dimension 8 (AI Generation Quality) applies when tests are AI-generated"
   types:
@@ -138,8 +155,9 @@ feature_type_mapping:
       with_ai: [1, 3, 5, 8]
 
     - type: External Integration
-      dimensions: [1, 3, 7]
-      with_ai: [1, 3, 7, 8]
+      dimensions: [1, 3, 7, 11]
+      with_ai: [1, 3, 7, 8, 11]
+      note: Dimension 11 required for any external service dependency
 
     - type: Workflow / Multi-step Process
       dimensions: [1, 3, 4, 5, 9, 10]
@@ -147,6 +165,11 @@ feature_type_mapping:
       required_pattern: journey-chained-test
       note: Apply flow-based-testing standard; use shared ctx; Each-Choice minimum branch coverage
 
+    - type: External-Dependent Workflow
+      dimensions: [1, 3, 4, 5, 9, 10, 11]
+      with_ai: [1, 3, 4, 5, 9, 10, 8, 11]
+      note: Combines Workflow + External Integration; Dimension 11 mandatory
+
 error_code_coverage:
   - code: 200
     meaning: Success
@@ -198,7 +221,7 @@ anti_patterns:
 rules:
   - id: use-checklist
     trigger: designing tests for a feature
-    instruction: Use the 10 dimensions checklist to ensure completeness (dim 8 for AI-generated tests; dim 9/10 for multi-step workflows)
+    instruction: Use the 11 dimensions checklist to ensure completeness (dim 8 for AI-generated tests; dim 9/10 for multi-step workflows; dim 11 for external dependencies)
     priority: required
 
   - id: authorization-matrix
@@ -278,6 +301,12 @@ checklist_template: |
     □ Each distinct error branch has its own describe block
     □ Critical flows (auth/payment/security) use All-Combinations
 
+  □ Environment Verifiability (for features with external dependencies)
+    □ Environment stratification matrix created/updated
+    □ Each AC tagged with minimum verifiable environment layer
+    □ PRD-only ACs documented with smoke test plan
+    □ Evidence includes environment_layer field for externally-dependent ACs
+
 quick_reference:
   dimensions:
     columns: [ID, Dimension, Key Focus]
@@ -292,9 +321,10 @@ quick_reference:
       - [8, AI Generation, AI-generated test quality]
       - [9, Flow Completeness, Complete path to each terminal state]
       - [10, Branch Coverage, All decision-point branches covered]
+      - [11, Environment Verifiability, External-dep ACs tagged with environment layer]
 
   feature_dimensions:
-    note: "*Dimension 8 applies when tests are AI-generated; †Dimensions 9/10 apply to multi-step workflows"
+    note: "*Dimension 8 applies when tests are AI-generated; †Dimensions 9/10 apply to multi-step workflows; ‡Dimension 11 applies to features with external service dependencies"
     columns: [Feature Type, Required Dimensions]
     rows:
       - [CRUD API, "1,2,3,4,6,7,8*"]
@@ -304,3 +334,5 @@ quick_reference:
       - [Background Job, "1,3,5,8*"]
       - [External Integration, "1,3,7,8*"]
       - [Workflow / Multi-step Process, "1,3,4,5,9†,10†,8*"]
+      - [External Integration, "1,3,7,11‡,8*"]
+      - [External-Dependent Workflow, "1,3,4,5,9†,10†,11‡,8*"]

package/bundled/ai/standards/verification-evidence.ai.yaml

@@ -8,15 +8,19 @@ standard:
   description: 驗證證據標準，強化 anti-hallucination
 
   meta:
-    version: "1.0.0"
-    updated: "2026-03-20"
+    version: "1.1.0"
+    updated: "2026-05-13"
     source: core/verification-evidence.md
-    description: 驗證證據標準 — Iron Law: 無驗證證據不可聲稱完成
+    description: >
+      驗證證據標準 — Iron Law: 無驗證證據不可聲稱完成。
+      v1.1.0: Evidence must specify which environment layer it was collected from (XSPEC-204).
     inspired_by: superpowers/verification-before-completion
 
   guidelines:
     - "Iron Law：無驗證證據 = 不可聲稱完成"
     - "每次驗證必須記錄 command + exitCode + output + timestamp"
+    - "Iron Law（Environment）：驗收前必須確認「此環境層次能驗證此流程的哪些維度」"
+    - "驗收證據必須標明收集自哪個環境層次（local / UAT / PRD）"
     - "回歸測試必須展示 RED → GREEN 循環"
     - "代理報告 success ≠ 實際 success，需獨立驗證"
     - "驗證輸出截斷至合理長度（2000 字元）但保留關鍵資訊"
@@ -39,6 +43,13 @@ standard:
         type: string
         required: true
         description: "執行時間（ISO 8601 格式）"
+      - name: environment_layer
+        type: string
+        required: false
+        description: >
+          收集證據的環境層次（local / uat / prd）。
+          對有外部服務依賴的功能為必填——缺少此欄位時，該 AC 的驗收等級視為 local-only。
+        example: "uat"
 
   red_green_cycle:
     description: "回歸測試的 RED → GREEN 驗證"
@@ -72,13 +83,28 @@ standard:
       action: "截斷但保留錯誤訊息與摘要行"
       priority: medium
 
+  environment_rules:
+    - id: VE-005
+      trigger: "AC 涉及外部服務依賴（SMS、金流、IdP）"
+      action: >
+        驗收證據必須標明 environment_layer。
+        local-only 證據對此類 AC 不足——需確認 UAT 或 PRD 層次的驗證計畫。
+      priority: required
+    - id: VE-006
+      trigger: "有外部服務依賴的 AC 標記為 done，但無 environment_layer"
+      action: >
+        降級為 done_with_concerns。
+        要求補充環境層次聲明，或在 environment-stratification-matrix 中標記為 ⚠️/❌。
+      priority: high
+
 physical_spec:
   type: checklist
   validator:
     type: ai_review
-    rule: "檢查任務完成是否附帶驗證證據（command + exit_code + output + timestamp）"
+    rule: "檢查任務完成是否附帶驗證證據（command + exit_code + output + timestamp + environment_layer）"
   checks:
     - "完成聲明是否附帶 verification_evidence"
     - "evidence 是否包含所有必填欄位"
     - "exit_code 是否為 0（成功）"
     - "Bug fix 是否有 RED → GREEN 循環證據"
+    - "有外部服務依賴的 AC 是否標明 environment_layer"

package/bundled/core/adversarial-test.md

@@ -210,3 +210,6 @@ Layer 4: 稽核日誌（hash chain）  — 確保不可篡改
 - ISO/IEC 42001:2023 — AI 管理系統
 - [UDS `secure-op.ai.yaml`](./secure-op.md) — AI Agent 安全操作六大支柱
 - [UDS `llm-output-validation.ai.yaml`](./llm-output-validation.md) — LLM 輸出驗證標準
+
+
+**Scope**: universal

package/bundled/core/behavior-snapshot.md

@@ -3,7 +3,7 @@
 > **Language**: English | 繁體中文
 
 **Applicability**: Migration and refactoring projects requiring behavioral parity verification
-**Scope**: universal (HTTP-based systems)
+**Scope**: universal
 
 ---
 

package/bundled/core/capability-declaration.md

@@ -57,3 +57,6 @@ const FAIL_CLOSED_DEFAULTS: CapabilityDeclaration = {
 - AI-optimized: [ai/standards/capability-declaration.ai.yaml](../ai/standards/capability-declaration.ai.yaml)
 - XSPEC-037: Cross-project specification
 - Borrowed from: [claude-code-book](https://github.com/lintsinghua/claude-code-book) Ch.3 `buildTool` Fail-Closed factory
+
+
+**Scope**: universal

package/bundled/core/cd-deployment-strategies.md

@@ -119,3 +119,6 @@ Q4: 基礎設施預算有限？
 - [rollback-standards.md](rollback-standards.md) — 回滾觸發條件矩陣
 - [no-cicd-deployment.md](no-cicd-deployment.md) — 無 CI/CD 部署策略
 - AI 格式：[../ai/standards/cd-deployment-strategies.ai.yaml](../ai/standards/cd-deployment-strategies.ai.yaml)
+
+
+**Scope**: universal

package/bundled/core/chaos-injection-tests.md

@@ -114,3 +114,6 @@ it('pipeline continues when one agent throws', async () => {
 - `testing.ai.yaml` — general test structure
 - `secure-op.ai.yaml` — Fail-Closed principle for AI agents
 - `security-standards.ai.yaml` — security invariants
+
+
+**Scope**: universal

package/bundled/core/circuit-breaker.md

@@ -56,3 +56,6 @@ interface CircuitBreaker {
 - AI-optimized: [ai/standards/circuit-breaker.ai.yaml](../ai/standards/circuit-breaker.ai.yaml)
 - XSPEC-036: Cross-project specification
 - Borrowed from: [claude-code-book](https://github.com/lintsinghua/claude-code-book) Ch.2 `MAX_CONSECUTIVE_AUTOCOMPACT_FAILURES`
+
+
+**Scope**: universal

package/bundled/core/container-security.md

@@ -519,3 +519,6 @@ lsattr /var/log/ai-agent/audit    # 驗證 a 屬性
 □ Audit log volume：append-only partition（非 emptyDir）
 □ Lockfile 固定（npm ci / pip --require-hashes / go mod verify）
 ```
+
+
+**Scope**: universal

package/bundled/core/cost-budget-test.md

@@ -67,3 +67,6 @@ describe("PipelineBudgetConfig semantics", () => {
 - [Mutation Testing Standards](mutation-testing.md) — constants without test coverage survive mutations
 - [Testing Standards](testing.md) — overall test pyramid
 - [LLM Output Validation](llm-output-validation.md) — output-layer budget constraints
+
+
+**Scope**: universal

package/bundled/core/data-migration-testing.md

@@ -108,3 +108,6 @@ Use `testcontainers` to spin up a fresh PostgreSQL container per test suite. The
 - `database-standards.ai.yaml` — schema design principles
 - `testing.ai.yaml` — general test structure and pyramid
 - `verification-evidence.ai.yaml` — audit evidence requirements
+
+
+**Scope**: universal

package/bundled/core/disaster-recovery-drill.md

@@ -71,3 +71,6 @@ See `docs/DR-RUNBOOK.md` for the full runbook template.
 - [Deployment Standards](deployment-standards.md) — deployment pipeline
 - [Chaos Engineering Standards](chaos-engineering-standards.md) — failure injection
 - [Verification Evidence Standards](verification-evidence.md) — drill records
+
+
+**Scope**: universal

package/bundled/core/dual-phase-output.md

@@ -54,3 +54,6 @@ Applications may add fields inside `<summary>` but must not remove core fields:
 - AI-optimized: [ai/standards/dual-phase-output.ai.yaml](../ai/standards/dual-phase-output.ai.yaml)
 - XSPEC-035: Cross-project specification
 - Borrowed from: [claude-code-book](https://github.com/lintsinghua/claude-code-book) Ch.7 `formatCompactSummary`
+
+
+**Scope**: universal

package/bundled/core/failure-source-taxonomy.md

@@ -70,3 +70,6 @@ interface FailureDetail {
 - XSPEC-045: Cross-project specification
 - Depends on: Recovery Recipe Registry (XSPEC-046)
 - Borrowed from: [ultraworkers/claw-code](https://github.com/ultraworkers/claw-code) ROADMAP Phase 2 Failure Taxonomy
+
+
+**Scope**: universal

package/bundled/core/feature-manifest-standard.md

@@ -3,7 +3,7 @@
 > **Language**: English | 繁體中文
 
 **Applicability**: Migration and refactoring projects where an existing system is being ported or restructured
-**Scope**: universal (language-agnostic manifest format)
+**Scope**: universal
 
 ---
 

package/bundled/core/flaky-test-management.md

@@ -71,3 +71,6 @@ export default defineConfig({
 
 - [Testing Standards](testing.md) — overall test pyramid
 - [Test Governance Standards](test-governance.md) — CI policies
+
+
+**Scope**: universal

package/bundled/core/full-coverage-testing.md

@@ -181,3 +181,6 @@ The ratchet starts at your current coverage. From that point on, it can only inc
 - `integration-testing.ai.yaml` — Integration test patterns
 - `deployment-standards.ai.yaml` — Deploy gate requirements
 - XSPEC-178 — Full specification and implementation phases
+
+
+**Scope**: universal

package/bundled/core/health-check-standards.md

@@ -70,3 +70,6 @@
 - DEC-043: UDS 覆蓋完整性路線圖（驅動來源）
 - Related: `deployment-standards`, `circuit-breaker`, observability-standards (XSPEC-063 規劃中)
 - Industry: Kubernetes probes, Microsoft eShop health checks, Google SRE Book Ch.6
+
+
+**Scope**: universal

package/bundled/core/immutability-first.md

@@ -103,3 +103,6 @@ interface PipelineMemoryEntry {
 
 - AI-optimized: [ai/standards/immutability-first.ai.yaml](../ai/standards/immutability-first.ai.yaml)
 - XSPEC-044: Cross-project specification
+
+
+**Scope**: universal

package/bundled/core/llm-output-validation.md

@@ -176,3 +176,6 @@ npx vitest run agents/__tests__/contract.test.ts
 - ISO/IEC 42001:2023 — AI 管理系統
 - [UDS `security-testing.ai.yaml`](./security-testing.md) — SAST + DAST 整合
 - [UDS `adversarial-test.ai.yaml`](./adversarial-test.md) — Prompt injection 紅隊標準
+
+
+**Scope**: universal

package/bundled/core/no-cicd-deployment.md

@@ -203,3 +203,6 @@ status:
 - `deployment-standards.ai.yaml` — 有 CI/CD 平台的部署策略（本文件的補充前提）
 - `health-check-standards.ai.yaml` — /health 端點設計規範
 - `circuit-breaker.ai.yaml` — 斷路器整合（進階場景）
+
+
+**Scope**: universal

package/bundled/core/pipeline-security-gates.md

@@ -107,3 +107,6 @@
 - [pipeline-integration-standards.md](pipeline-integration-standards.md) — CI 管線整合標準
 - [deployment-standards.md](deployment-standards.md) — 部署基礎原則
 - AI 格式：[../ai/standards/pipeline-security-gates.ai.yaml](../ai/standards/pipeline-security-gates.ai.yaml)
+
+
+**Scope**: universal

package/bundled/core/policy-as-code-testing.md

@@ -186,3 +186,6 @@ policies/
 - [UDS `secure-op.ai.yaml`](./secure-op.md) — AI Agent 安全操作六大支柱
 - [UDS `adversarial-test.ai.yaml`](./adversarial-test.md) — 對抗性測試（OWASP LLM01）
 - [UDS `container-security.ai.yaml`](./container-security.md) — 容器安全（OPA Sidecar 部署）
+
+
+**Scope**: universal

package/bundled/core/prompt-regression.md

@@ -70,3 +70,6 @@ The comment is mandatory. PRs that update checksums without explanatory comments
 - [LLM Output Validation](llm-output-validation.md) — schema-level validation
 - [Adversarial Test](adversarial-test.md) — red-team corpus
 - [Testing Standards](testing.md) — overall testing pyramid
+
+
+**Scope**: universal

package/bundled/core/property-based-testing.md

@@ -71,3 +71,6 @@ fc.assert(property, { seed: 1234567890 })
 - [Mutation Testing Standards](mutation-testing.md) — complement to PBT
 - [Testing Standards](testing-standards.md) — overall test pyramid
 - [Adversarial Test Standards](adversarial-test.md) — security-focused fuzzing
+
+
+**Scope**: universal

package/bundled/core/recovery-recipe-registry.md

@@ -67,3 +67,6 @@ escalation:                         # required
 - XSPEC-046: Cross-project specification
 - Depends on: Failure Source Taxonomy (XSPEC-045)
 - Borrowed from: [ultraworkers/claw-code](https://github.com/ultraworkers/claw-code) ROADMAP Phase 3 Recovery Recipes
+
+
+**Scope**: universal

package/bundled/core/release-quality-manifest.md

@@ -191,3 +191,6 @@ Generate a Markdown table alongside the YAML for inclusion in release notes:
 - `supply-chain-attestation.ai.yaml` — SBOM and provenance
 - `testing.ai.yaml` — overall test strategy
 - `deployment-standards.ai.yaml` — release gate integration
+
+
+**Scope**: universal

package/bundled/core/replay-test.md

@@ -84,3 +84,6 @@ describe("Guardian replay fixtures", () => {
 - [Adversarial Test Standards](adversarial-test.md) — red-team corpus
 - [Verification Evidence Standards](verification-evidence.md) — AC traceability
 - [Testing Standards](testing.md) — overall test pyramid
+
+
+**Scope**: universal

package/bundled/core/retry-standards.md

@@ -60,3 +60,6 @@ wait_ms = min(cap_ms, base_ms * 2^attempt) * (0.5 + random() * 0.5)
 - DEC-043: UDS 覆蓋完整性路線圖（驅動來源）
 - Related: `circuit-breaker`, `failure-source-taxonomy`, `timeout-standards`, `recovery-recipe-registry`
 - Industry: Netflix Hystrix retry, Google SRE Book Ch.22, AWS Architecture Blog — exponential backoff and jitter
+
+
+**Scope**: universal

package/bundled/core/rollback-standards.md

@@ -102,3 +102,6 @@
 - [deployment-standards.md](deployment-standards.md) — 部署基礎策略
 - [cd-deployment-strategies.md](cd-deployment-strategies.md) — 部署策略選用矩陣
 - AI 格式：[../ai/standards/rollback-standards.ai.yaml](../ai/standards/rollback-standards.ai.yaml)
+
+
+**Scope**: universal