"`** (the README's HTML wrapper). The README-first-paragraph scan now skips HTML wrappers, GitHub callouts, nav rows, and badge clusters. - **2 hooks (`gdd-sessionstart-recap.js`, `gdd-precompact-snapshot.js`) resolved paths at module load** via `process.cwd()` instead of `payload.cwd` - broken in worktrees. Now thread `payload.cwd` through a `computePaths()` factory. - **`hooks/gdd-mcp-circuit-breaker.js` substring-matched `'timeout'` / `'failed'` against the entire stringified MCP response.** False-positives on legitimate successful Figma payloads (e.g. a node literally named "TimeoutBanner" or a summary line "2 of 5 nodes failed to update"). Now uses the structured `isError` / `is_error` envelope as the primary signal and only inspects dedicated error-message fields for timeout-vs-error classification. +4 regression tests. - **Windows SessionStart hooks (4 `.sh` scripts) failed without Git Bash on PATH.** Ported `scripts/bootstrap.sh`, `hooks/update-check.sh`, `hooks/first-run-nudge.sh`, `hooks/inject-using-gdd.sh` to Node `.cjs` modules. `hooks/hooks.json` rewired to `node …cjs`. One source of truth, no drift surface. - **`hooks/gdd-protected-paths.js` had 4 bypass vectors** in `extractBashTargets()`: chained commands (`rm safe.txt && rm reference/protected.md` extracted only `safe.txt`), multi-arg destructive verbs, `$(…)` subshell substitution, `` `…` `` backtick substitution. Rewrote as a 3-pass walker that recurses into subshells, splits on `&&`/`||`/`;`/`|`, and collects ALL non-flag args per segment. +12 regression tests. - **`skills/figma-write/SKILL.md` used invented `design-figma-writer` dispatch syntax** that Claude Code does not parse. The entire Figma write-back skill was a silent no-op since it was first authored. Replaced with the canonical `Task("design-figma-writer", "...")` block. Added `test/suite/skill-dispatch-syntax.test.cjs` regression gate that sweeps every SKILL.md. ### Added (5 new CI gates - structural drift prevention) - **`npm run validate:feature-counts`** (`scripts/check-feature-counts.cjs`): walks the filesystem and asserts every shipped surface's count claims (`plugin.json` / `marketplace.json` / `README.md` / `SKILL.md`) match reality (61 agents / 96 skills / 42 connections / 13 MCP tools). - **`npm run validate:registry-tiers`** (`scripts/validate-registry-tiers.cjs`): asserts every `registry.json` entry's `tier` field is one of `L0|L1|L2|L3`. Detects model-tier paste-errors (haiku/sonnet/opus accidentally placed in the cache-tier slot). - **`npm run validate:no-internal-refs`** (`scripts/validate-no-internal-refs.cjs`): ratcheted baseline at 1,749 hits across 286 files. Fails when any file regresses beyond its baseline count of Phase NN / Plan NN-MM / .planning/ / D-NN references. `--rebaseline` ratchets after legitimate cleanup. - **`npm run validate:cache-tiers`** (`scripts/check-cache-tiers.cjs`): SHA-256 of `reference/meta-rules.md` + `reference/shared-preamble.md` (the L0 cache prefix imported by 58 of 62 agents). Drift fails the build. See `reference/cache-tier-doctrine.md`. - **`npm run validate:skill-surface`** (`test/suite/skill-surface-sync.test.cjs`): asserts every `skills/` dir on disk is documented in at least one of SKILL.md's three surfaces (argument-hint / Command Reference table / Jump Mode). ### Added (Batch D wirings - 8 aspirational features made real) - **`skills/paper-write/`** (new): paper.design canvas write-back (modes: annotate / tokenize / roundtrip). Modeled on `skills/figma-write/`. - **`skills/pencil-write/`** (new): pencil.dev `.pen` file write-back (modes: annotate / roundtrip). File-based - no MCP. - **`hooks/gdd-intel-trigger.js`** (new): PostToolUse hook that fires `scripts/build-intel.cjs --incremental` in the background when Edit/Write touches `(skills|agents|reference|source/skills)/.*\.(md|json)`. 5-minute lock dedups rapid sequential edits. Opt-out via `GDD_DISABLE_INTEL_TRIGGER=1`. - **`design-component-generator` dispatch** wired into `skills/design/SKILL.md`. Fires opt-in when STATE.md `` shows a generator connection available (21st-dev / magic-patterns / plasmic / builder-io / v0-dev) and the plan has a `task_type: component` task without matching `src/components/*.tsx`. - **`design-context-reviewer` + gate** wired into `skills/explore/` Step 2.6. Cheap Haiku gate runs first; full 9-check graph review fires only when gate says "review needed". - **`design-research-synthesizer` opts into peer-CLI delegation** (`delegate_to: gemini-research`) - first agent in the 61-agent fleet. Bandit posterior now collects real arm data on `(design-research-synthesizer, *, gemini)` tuples. - **`touches-pattern-miner` wired into `apply-reflections`**: archived task-file `Touches:` signatures now surface as auto-crystallization proposals via `discoverTouchesPatternProposals()`. - **`design-planner` + `design-verifier` emit JSON output contracts** per `reference/output-contracts/{planner,verifier}-decision.schema.json` (fenced ```json block before the prose body). Typed envelope consumption by `scripts/lib/parse-contract.cjs#parsePlannerDecision` / `parseVerifierDecision`. DESIGN-PLAN.md and DESIGN-VERIFICATION.md continue to include both formats. ### Added (Batch H - Phase 57 wire-ups) - **Phase 56 calibration loop wired end-to-end.** `hooks/gdd-risk-gate.js` now calls `updateCalibration` after every scored decision (allow/block/review/require_confirmation → accepted true/false). `detectDrift` now fires from production traffic, not synthetic data. +9 regression tests. - **`scripts/lib/state/query-surface.cjs` backup-guard hardening**: `_safeBackup(srcPath, bakPath)` returns true only when the backup file exists AND is non-empty after `copyFileSync`. `backupCycle()`, `demigrate()`, `recover()` now gate `fs.unlinkSync` behind it. +7 regression tests covering happy path / missing source / zero-byte copy / mocked failing copy. - **`scripts/lib/state/state-store.cjs` `migrate()` async + JSDoc.** The underlying `migrateToSqlite` was already async; the wrapper now awaits it. Comprehensive JSDoc covers degraded paths, error semantics, idempotency, opt-in via `force`, dual-channel result shapes. +4 sqlite-path regression tests. ### Removed - **`scripts/lib/audit-aggregator/index.cjs`** (219 LOC + 15 unit tests). Shipped in Plan 23-04; zero production callers across `scripts/ sdk/ hooks/ agents/ skills/`. With Phase 56 risk-gate owning post-action consolidation and design-verifier owning audit aggregation natively, the module was dead-on-arrival. - **`scripts/lib/hedge-ensemble.cjs`** (AdaNormalHedge implementation). Shipped in Plan 23.5-02; never wired into `adaptive_mode='hedge'` or any production path. `isHedgeEnabled()` now always returns false. ### Changed (manifests + docs) - **Manifest count claims synchronized across all 11 surfaces** to filesystem truth: 61 agents / 96 skills / 42 connections / 13 MCP tools. plugin.json + marketplace.json descriptions trimmed from 2000+ chars to ~700 (dropped sprawling per-version history - see CHANGELOG for that). - **README rewritten from 968 lines to 623 lines.** Removed 30 per-version "Highlights" chronicle sections (all verified present in CHANGELOG before deletion). Product surface kept verbatim; release chronicle moves to CHANGELOG. - **agents/README.md authoring contract cleaned**: 13 Phase NN refs + 11 Plan NN-MM refs + 3 dangling `.planning/phases/` cross-refs + 4 CONTEXT D-NN shorthand refs removed. - **L0 cache prefix sanitized**: `reference/shared-preamble.md` "GSD Agent" → "GDD Agent" identity (every agent's first byte block). `reference/meta-rules.md` Phase NN refs stripped from the commit-scope guidance that propagates into every user repo. - **`reference/STATE-TEMPLATE.md` HTML comments scrubbed** - three `` comments inside the `==== BEGIN/END TEMPLATE ====` block were being copied verbatim into every user's `.design/STATE.md` at scan entry. - **`reference/registry.json` description-field sweep**: ~90 "Phase NN" prefixes stripped from description fields that load into router prompts. - **7 schema files cleaned of Phase / .planning refs** in description fields (they ship via `generated.d.ts` to user IDE autocomplete). - **9 skill `description:` frontmatter fields cleaned** (router LLM-signal surface): bandit-status, openrouter-status, state, override, peers, debug, report-issue, scan, discover. - **`agents/design-verifier.md` H2 headings renamed** `## Phase 1..5` → `## Stage 1..5` (those headings bleed into user `.design/DESIGN-VERIFICATION.md` output and collided with internal GDD-roadmap nomenclature). - **`gsd-health` references** in `skills/report-issue/SKILL.md`, `source/skills/report-issue/SKILL.md`, `scripts/lib/issue-reporter/report-flow.cjs` → `/gdd:health` (the actual command). - **`benchmark` agents output paths** moved from `.planning/benchmarks/` to `.design/benchmarks/` (`.planning/` is the plugin's own development workspace and must never appear in a user repo's writes). - **`connections/connections.md` matrix stage columns** `scan|discover` → `brief|explore` (the actual current 5-stage pipeline). - **`runtime-models.md` added "Verification status" banner** flagging 10 of 14 entries as unverified placeholder fills (BYOK / multi-provider; Anthropic-default mapping). - **`reference/cache-tier-doctrine.md`** (new): codifies the L0/L1/L2/L3 cache-tier contract that the new gates enforce. - **`reference/intel-schema.md`** documented the `agent-tiers.json` slice and softened the misleading "kept current" claim. - **`agents/design-research-synthesizer.md`** + **`agents/design-planner.md`** + **`agents/design-verifier.md`** gained delegate_to / Output Contract sections (see "Added" above). - **42nd connection added**: `connections/cursor.md` documents the cursor install path + the documented sibling-drop limitation (Cursor `installMultiArtifact` doesn't enumerate `/.md` files; the fix requires extending the StagedArtifact contract and is deferred with explicit doc trail). - **`hooks/budget-enforcer.js` → `.ts` references updated** across 11 docs files (Plan 20-13 conversion landed; docs lagged). - **Pipeline phrasing corrected**: `brief → plan → implement → verify` (4 surfaces) → `brief → explore → plan → design → verify` (the actual 5-stage pipeline). - **2 stale "Executor B pending" / "Executor A hasn't run" strings** updated to present tense (the SQLite migration shipped in v1.57.0). - **Composition graph edges added** for 5 high-traffic skills (compare, complete-cycle, darkmode, new-cycle, new-project) via `scripts/lib/manifest/skills.json`. `reference/skill-graph.md` regenerated. ### Test infrastructure - **`startsWith('design-')` filter widened to all agents** in 5 test files. Coverage jumped from 30 design-* agents to 61 (all). `agent-frontmatter` alone went from 60 tests to 122. - **7 Phase 28.8 baseline skips closed.** Disambiguated "runtime" (14 Tier-1 install targets) vs "registry entry" (16 entries with 2 Tier-2 channels codex-plugin + cursor-marketplace). - **`insight-line.schema tier:"haiku"` paste-error fixed** to L2 + new CI gate prevents recurrence. ### Security - 3 CodeQL alerts closed: `scripts/bootstrap.cjs` git arg-injection (added `--` separator + leading-`-` validation), `scripts/build-distribution-bundles.cjs` multi-character HTML strip (loop iteration + `/s` flag). --- ## [1.57.1] - 2026-06-03 ### Fixed Post-wave debug analysis (a 4-agent sweep after Phase 57) found and fixed a set of latent bugs that surface only when `better-sqlite3` is installed (the CI surface, which has no module, was unaffected - so these never failed CI but did degrade real users who have the module). No new dependency; the markdown floor is unchanged. - **Recall returned nothing for every `.md` file when better-sqlite3 was present.** `scripts/lib/design-search.cjs` passed unquoted query terms (e.g. `heuristics.md OR reference/heuristics.md`) to FTS5, whose trigram tokenizer rejects `.` and `/` as a syntax error; the error was swallowed and recall came back empty. Each term is now double-quoted (matching the instinct-store pattern), so FTS5 recall matches the JS-scan fallback. - **The Phase 57 fact-force freshness guard silently discarded hand-edits.** `state-store.cjs` detected an out-of-band STATE.md edit but its re-sync body was empty, so the edit was overwritten and lost. It now folds the hand-edit back into SQLite before the next mutation. - **Blocker rows duplicated on every re-migration** (no `ON CONFLICT`); migration now clears a cycle's blockers before re-inserting. **FTS5 virtual tables were never populated** by the migration; they are now. **`/gdd:state recover`** never awaited the async migration (always reported corruption); it is now async. **State getters threw** on an absent `state.sqlite` (exposing the fact-force hook); they now return empty. **`migrationActive`** guards against a directory named `state.sqlite`. **`WITH ... SELECT` CTEs** are allowed by the read-only query surface. - **The `risk_assessment` event did not conform to its own schema** (`tool`/`score` instead of `tool_name`/`risk_score`, no `event_id`, extra fields); `hooks/gdd-risk-gate.js` now emits the schema-correct shape, and an Ajv validation test guards it. The **dashboard risk column** read the wrong fields and case-mismatched the action vocabulary, so it was permanently blank; it is now wired and case-correct. - **The Phase 56 calibration loop was unwired.** `scripts/lib/risk/calibration.cjs` was a complete library - rolling-50 window, `updateCalibration`, `detectDrift`, `recordRiskOutcome` - but no caller invoked it outside its own tests, so drift detection could only fire from synthetic data. `hooks/gdd-risk-gate.js` now calls `updateCalibration` on every scored call when the writer agent is known (`payload.agent` or `GDD_AGENT`): `block` records `accepted:false`; `allow`, `review`, and `require_confirmation` record `accepted:true`. The store accrues from real traffic, so `detectDrift` flags `under_scoring` / `over_scoring` from production behaviour. Best-effort (a calibration write never breaks a tool call); no-op when the agent is unknown so an "unknown" bucket cannot pool the signal. `user_undo` / `post_apply_correct` are left unresolved at the PreToolUse boundary by design; a later PostToolUse pass can resolve them. - **`budget-enforcer` PreToolUse blocks** used `message` instead of `stopReason`, so the block reason was invisible to the user; they now use `stopReason`. The **read-injection scanner** loads its pattern file fail-open (a missing file no longer crashes the hook). Three package-root walk-ups now match the scoped package name. ## [1.57.0] - 2026-06-03 ### Phase 57 - SQLite State Backbone (Cross-Session Query Layer) GDD project state lives in per-file markdown (STATE.md blocks, recall, instincts). Cross-cycle queries ("every decision tagged accessibility across the last five cycles") require fan-out greps and are effectively infeasible. Phase 57 adds an opt-in `.design/state.sqlite` as an indexed query layer over that state, while markdown stays the human-editable source of truth. It is **built with zero new dependency**: SQLite is reached through the existing opportunistic `probeOptional('better-sqlite3')` runtime probe (the same pattern Phase 51 uses for the instinct store), with a guaranteed markdown / JS-scan fallback whenever the module is absent. Migration is opt-in (`--migrate-state`) in v1.57.0, dual-writes for one minor version, and is fully reversible (`/gdd:state demigrate`). When better-sqlite3 is not installed, GDD behaves exactly as before. Planned and executed via the GSD pipeline (3 + 1 + 2 parallel executors with one reconciliation pass). ### Breaking changes - **Opt-in SQLite state backbone.** Running `node scripts/lib/state/migrate-to-sqlite.cjs --migrate-state` builds `.design/state.sqlite` (14 tables plus FTS5) from your STATE.md. After migration, state mutations dual-write: SQLite is the authoritative store and STATE.md is rendered from it byte-for-byte (the existing `gdd-state` `read`/`mutate`/`transition` API is unchanged). Without migration, or when better-sqlite3 is absent, nothing changes - markdown stays authoritative. Markdown is always human-editable; a hand-edit is detected on the next write and folded back into SQLite. - **New `/gdd:state` skill** with three subcommands: `query ""` (engine-level read-only SELECT over the decisions/blockers/plans tables), `recover` (rebuild a corrupt `state.sqlite` from markdown), and `demigrate` (drop `state.sqlite` and fall back to the markdown-only source of truth). ### Added - **`scripts/lib/state/`** - `state-backend.cjs` (`probeOptional('better-sqlite3')` + FTS5 probe -> `{Database, BACKEND}`; WAL / busy_timeout / foreign_keys pragmas; engine-level readonly opens), `state-store.cjs` (dual-backend dispatch; the SQLite-authoritative -> render-markdown -> write-STATE.md transaction; hand-edit freshness guard), `migrate-to-sqlite.cjs` (idempotent UPSERT migration, `--migrate-state` opt-in, `--dry-run`), `render-markdown.cjs` (byte-equal STATE.md reconstruction from SQLite via the proven serializer), `query-surface.cjs` (readonly SQL + first-token denylist, recover, demigrate, cap-10 `.bak` rotation). - **`sdk/state/schema.sql`** - 14 tables (state_position, decisions, blockers, must_haves, plans, findings, design_debt, recall_records, instincts, sessions, worktree_state, conflict_incidents, plus `_meta`/`_block_meta`) with FTS5 virtual tables on decisions/findings/recall/instincts. - **Consumers read SQLite when migrated** - `gdd_state__get` and the dashboard data plane read SQLite-direct (markdown scrape fallback; the MCP tool schema is unchanged), and the Phase 56 fact-force gate gains an FTS5 tier-0 lookup with the grep fallback intact. ### Changed - **`sdk/state/index.ts`** routes `read`/`mutate`/`transition` through the SQLite dual-write path only when migration is active for the resolved state file (a sibling `state.sqlite` exists); otherwise the markdown path runs byte-identically. The new SQLite sibling lock (`state.sqlite.lock`) is always acquired before `STATE.md.lock`. ## [1.56.0] - 2026-06-03 ### Phase 56 - Risk-Scoring + Fact-Forcing Gate (Quantified Action Confidence) Every writer action now carries a quantified risk score instead of a binary allow/deny. Phase 56 adds a pure, deterministic risk scorer (no I/O, frozen tables) that grades each Write / Edit / MultiEdit / Bash by tool, file sensitivity, and input shape, then routes it through two PreToolUse hooks: a risk gate that emits a `risk_assessment` event and blocks only genuinely dangerous actions, and a fact-force gate that holds the FIRST write to a file until its graph consumers and recorded decisions have actually been read. Both are **dep-free** (a maintainer Rule-4 decision: a pure scorer plus static tables, no ML, no new dependency). The gate softens to a warning whenever the Phase 52 DesignContext graph is absent, so greenfield projects are never over-blocked. A new `/gdd:override` escalation skill clears a block or a fact-force hold with an approver and reason (audit-trailed as a `D-XX` override decision), and `design-fixer` gains a confidence-times-risk routing step. Planned and executed via the GSD pipeline (3 + 2 parallel executors). ### Breaking changes - **Writer actions are now risk-gated.** A new PreToolUse hook (`hooks/gdd-risk-gate.js`, matcher `Write|Edit|MultiEdit|Bash`) scores every writer action and blocks the few that score at or above 0.85 (destructive bash, high-sensitivity-file rewrites). Blocking uses the house-style `{continue:false, stopReason}` contract; `allow` is silent, `review` and `require_confirmation` attach advisory context for the agent to surface. Read-only agents are allowlisted through. - **The first write to a file is fact-forced.** A second PreToolUse hook (`hooks/gdd-fact-force.js`, matcher `Edit|Write|MultiEdit`) holds the first mutation of a file until its DesignContext consumers and any recorded decisions or blockers for it have been Read this session. The hold is soft (a `stopReason` listing the missing facts) and softens to a warning when no graph exists; clear it deliberately with `/gdd:override factforce `. ### Added - **Risk scorer** `scripts/lib/risk/` - `compute-risk.cjs` (`computeRisk(tool, input) -> {score, reasons, suggested_action, breakdown}`, pure and deterministic), `tables.cjs` (frozen BASE_TOOL_RISK / FILE_SENSITIVITY / INPUT_PATTERN_RISK / THRESHOLDS, config-overridable extend-only), `route.cjs` (`route(confidence, action) -> auto|confirm|skip|override`), `consumers.cjs` (best-effort file-to-node consumers lookup, soften-if-absent), `calibration.cjs` (rolling-50 per-agent calibration plus drift detection feeding the bandit reward), `override.cjs`. - **`/gdd:override`** - escalation surface for a risk-gate block or a fact-force hold; writes a `D-XX` override-tagged decision (audit trail) or clears the `checked[path]` lock, always with an approver and reason. - **`risk_assessment` event type** in `reference/schemas/events.schema.json` (score, suggested_action, reasons), surfaced by the Phase 55 dashboard risk pane. - **`design-fixer` Step 2.5** - a confidence-times-risk routing filter (auto-apply / confirm-with-diff / skip / escalate). ### Changed - **`hooks/gdd-decision-injector.js`** now records per-file reads so the fact-force gate can tell which files you have legitimately reviewed this session. ## [1.55.0] - 2026-06-03 ### Phase 55 - GDD Dashboard (Multi-Harness Control Plane + Graph Visualization + Session Surface) GDD ships to 14 runtimes and users run multi-harness sessions in parallel; a control plane is the natural way to surface that. Phase 55 ships a READ-ONLY dashboard: a terminal TUI (`bin/gdd-dashboard`) and an opt-in browser graph view (`gdd dashboard --web`) that visualizes the Phase 52 DesignContext graph. **Built fully dep-free** (maintainer Rule-4 decision): no Ink, no React / Vite / React Flow. The ROADMAP had named those stacks (~100 packages / ~84 MB + a CI build gate); a footprint study plus the read-only / single-machine / opt-in scale made a hand-rolled ANSI TUI + a self-contained-HTML graph (extending the Phase 35.5 `build-html.cjs` precedent) the better fit, and it keeps the zero-new-dependency streak intact. The web layer is kept swappable, so a React Flow migration later needs no data rewrite. Planned and executed via the GSD pipeline (3 + 3 parallel executors). ### Breaking changes - **New `bin/gdd-dashboard` + `gdd dashboard [--web]`.** A new bin (the TUI) and a new SDK CLI subcommand. Read-only by design: the dashboard never mutates state (the action surface is "open this file / copy this command / run the slash-skill"). The `--web` server is an ephemeral LOCAL loopback (127.0.0.1, OS-assigned port) serving a single self-contained HTML file to your own browser, then exits. - **`gsd-health` gains a 10th check** (`dashboard_reachable`); the health check count moves 9 -> 10. ### Added - **Data plane** `sdk/dashboard/data/` - `source.cjs` (`loadDashboardModel` reads state / events / graph / health via the shared libs in-process, with a `.design/*` file-scrape fallback; never throws), `cost-aggregator.cjs` (per-runtime + cumulative + per-cycle), `discovery.cjs` (14-runtime detection, worktree enumeration via `git worktree list`, best-effort session manifests). - **TUI** `bin/gdd-dashboard` + `sdk/dashboard/tui/` - a hand-rolled ANSI render core (`ansi.cjs`: box/column layout, width-aware truncation incl. CJK, line-diff repaint) + 5 panes (Sessions / Cycle / Cost / Findings / DesignContext-tree), keyboard navigation, alt-screen, event-tail live refresh. Plain `.cjs` (no bundle, no flags). - **Web graph** `scripts/lib/dashboard/graph-html.cjs` (`buildGraphHtml`) - one self-contained HTML doc (inline SVG + vanilla JS): layered Atomic / Molecular / Organism / Template layout with barycenter crossing-reduction, viewBox pan/zoom, click-to-inspect, type/tag filters, find-consumers highlight, unreachable outline, PNG export, minimap. Deterministic (hermetic byte-equal test). Launched by `gdd dashboard --web` (`node:http` loopback + browser-open; headless prints the URL; `--once` writes `.design/dashboard.html`). - **Risk surfacing** `sdk/dashboard/data/risk-surface.cjs` - reads `risk_score`/`confidence` when present (Phase 56), color-routes Allow/Review/RequireConfirmation/Block; a blank placeholder pre-56. ### Notes - 6-manifest lockstep at **v1.55.0** + `OFF_CADENCE_VERSIONS.add('1.55.0')` + 37 `manifests-version.txt` baselines. No new skill (the dashboard is a bin + CLI subcommand) -> skill-list / build:skills / skills.json unchanged. No new agent. The dashboard's local `node:http` server is allowlisted in `scripts/security/outbound-allowlist.json` (an inbound loopback read-only server, not outbound egress). Tarball golden 969 -> 979. **No new runtime dependency.** --- ## [1.54.0] - 2026-06-03 ### Phase 54 - Composable Reference Addendums (Per-DS + Per-Framework + Per-Motion-Lib) One general mapper prompt could not be stack-aware: it missed Tailwind's `@theme` tokens, shadcn's `cn()` convention, vanilla-extract's `style({})` shape. Phase 54 adds 18 composable prompt addendums (one per design system, framework, and motion library) that the explore mappers compose into their prompt at spawn time based on the detected stack. Adapted from Understand-Anything's per-language/per-framework addendum pattern. Maintainer-authored and vendor-cross-checked; no LLM-generated content. Planned and executed via the GSD pipeline (5 parallel executors + 1 integration executor). ### Breaking changes - **Mappers are now stack-aware.** `scripts/lib/detect/stack.cjs` detects `{ds, framework, motion_libs[]}` from package.json deps + config files + import signatures; `scripts/lib/mapper-spawn.cjs` composes the matching addendums (capped at 3: one DS, one framework, one motion) into each mapper's prompt before dispatch (additive and backward-compatible: no detected stack or no addendum leaves the base prompt unchanged). - **Registry gains a `stack-addendum` type.** `reference/registry.schema.json` adds `"stack-addendum"` to the entry type enum and an optional `composes_into` field; the 18 addendums register against it with their target mappers. ### Added - **Design-system addendums** (`reference/systems/`): tailwind, shadcn, radix-themes, mui, chakra, vanilla-extract, styled-components, css-modules. **Framework addendums** (`reference/frameworks/`): nextjs, remix, vite-react, astro, sveltekit, storybook. **Motion-lib addendums** (`reference/motion/`): framer-motion, gsap, motion-one, react-spring. Each is at most 50 lines with four sections (Conventions, File patterns, Gotchas, and an Example output fragment in the Phase 52 DesignContext schema). - **`/gdd:new-addendum `** skill + `scripts/lib/new-addendum.cjs` scaffolder (mirrors `/gdd:new-skill`; validates the kind and slug, defaults `composes_into` by kind, writes the 4-section skeleton). - **Fallback + coverage**: an unmatched stack falls back to the base prompt and flags the gap; `gsd-health` reports a "N/M detected stacks have addendums" coverage row. ### Notes - 6-manifest lockstep at **v1.54.0** + `OFF_CADENCE_VERSIONS.add('1.54.0')` + 37 `manifests-version.txt` baselines. Re-locked: skill-list (91 -> 92, +new-addendum) + the phase-28.5 distribution (new-addendum at 81 lines, clean; warn count unchanged at 10) + skill-graph + the registry-diff baseline (+18 stack-addendum entries) + resilience-primitives (+mapper-spawn.cjs +new-addendum.cjs) + the phase-42 compile count (115 -> 116) + the gsd-health check count (8 -> 9). Tarball golden 944 -> 969 (+25). **No new runtime dependency.** --- ## [1.53.0] - 2026-06-03 ### Phase 53 - Semantic Mapper Engine (Louvain Batching + neighborMap + Fingerprint Incremental) Phase 52 gave mappers a typed graph; Phase 53 makes them smart about scale and re-runs. Three Understand-Anything patterns adapted onto the Phase 52 schema: Louvain community batching so each parallel mapper sees files that import each other, a neighborMap sidecar so cross-batch edges emit without rereading other batches, and SHA-256 fingerprinting so re-runs only re-discover what actually changed. All dep-free (Node builtins; no `graphology`, no embeddings). Planned and executed via the GSD pipeline (4 parallel executors + 1 integration executor). ### Breaking changes - **`/gdd:discover` becomes incremental by default.** It now fingerprints the current graph against the rolling fingerprint store, classifies the delta (SKIP / PARTIAL_UPDATE / ARCHITECTURE_UPDATE / FULL_UPDATE), and dispatches mappers per decision instead of always re-mapping everything. Pass `--full` to force a full re-discover. First runs (no prior fingerprint store) classify as FULL automatically. The fingerprint store lives at `.design/fingerprints/` and follows the Phase 49 worktree-redirect (never written into a worktree-local `.design/`). ### Added - **Louvain batching**: `scripts/lib/mappers/compute-batches.mjs` (dep-free two-phase modularity maximization, deterministic lexicographic seed, `MAX_COMMUNITY_SIZE=35` sub-split, small-batch merger, `count-fallback` on any error) + `scripts/lib/mappers/graph-adjacency.mjs` (shared adjacency/degree builder). Non-code node groups (token / motion / a11y) emit as `mergeable:false` batches. - **neighborMap sidecar**: `scripts/lib/mappers/neighbor-map.mjs` (`buildNeighborMap`) - 1-hop external neighbors per batched file, ranked by degree, capped at 50, with graph-harvested exported symbols (no source reads). - **Fingerprint engine**: `sdk/fingerprint/index.ts` (`fingerprint`/`compareFingerprints` via `node:crypto`; per-type component/token/motion signatures; `NONE`/`COSMETIC`/`STRUCTURAL` with a structure-only sub-hash) + `sdk/fingerprint/classify.cjs` (4-action decision matrix) + `sdk/fingerprint/store.cjs` (`current.json` + rolling `cycle-NNN.json` N=5, atomic-write, worktree-redirect, optional FTS5 since-cycle via `probeOptional` with a JSON-scan fallback). - **Incremental wiring**: `scripts/lib/mappers/incremental-discover.cjs` (`planIncremental`) composes the above and is wired additively into `scripts/lib/explore-parallel-runner` (community batches before the rolling semaphore; concurrency from `resolveConcurrency`); `/gdd:discover` + `/gdd:explore` gain `--incremental` / `--full`. - **Graph-context reviewer**: `agents/design-context-reviewer.md` (Haiku tier; 9 checks; hard-reject on schema / referential / uniqueness breakage, soft-warn otherwise via the health-mirror surface) + `agents/design-context-reviewer-gate.md` (suppresses the reviewer on <5% change). ### Notes - 6-manifest lockstep at **v1.53.0** + `OFF_CADENCE_VERSIONS.add('1.53.0')` + 37 `manifests-version.txt` baselines. Re-locked: agent-list (60 -> 62; +design-context-reviewer +gate) + the design-* current baseline (28 -> 30) + the agent-frontmatter snapshot; the phase-28.5 distribution (discover 72 -> 78, explore 105 -> 107; warn count unchanged at 10); the explore post-migration baseline; skills.json `argument_hint` for discover/explore (then generate-skill-frontmatter + build:skills). Tarball golden 934 -> 944 (+10). No new reference docs, so the registry is unchanged. **No new runtime dependency.** --- ## [1.52.0] - 2026-06-03 ### Phase 52 - Typed DesignContext Graph Schema (KEYSTONE) GDD's design knowledge lived in flat `.design/map/*.md` mapper notes that nothing downstream could query. Phase 52 introduces a typed DesignContext graph: a design-semantic map of tokens, components, variants, states, motion fragments, a11y patterns, screens, layers, and design patterns, plus the typed edges between them. It is the keystone for phases 53-57 (semantic mapper engine, graph-aware verification, dashboard, SQLite mirror). Regex extraction (not tree-sitter), JSON storage (not SQLite), zero new dependency. Planned and executed via the GSD pipeline (5 parallel executor subagents). ### Breaking changes - **New graph contract at `.design/context-graph.json`.** Nodes are `{ id, type, name, summary, tags[], complexity }` over 10 node types; edges are `{ source, target, type, direction, weight }` over 12 edge types (`reference/schemas/design-context.schema.json`). The 5 mapper agents and the synthesizer now DUAL-EMIT: they keep writing `.design/map/*.md` AND emit graph fragments to `.design/fragments/.json` (backward-compatible for one minor version), so consumers gain the graph without losing the markdown maps. - **gdd-mcp tool cap raised 12 -> 13.** A 13th read-only tool, `gdd_context_query`, joins the registry (`sdk/mcp/gdd-mcp/tools/index.ts`). The hard cap in the tool index, the MCP-tools lint, and the Phase 27.7 baselines all move to 13. No write tools were added. ### Added - **Schema, validator, query lib**: `reference/schemas/design-context.schema.json` (plus `reference/design-context-schema.md` and `reference/design-context-tag-vocab.md`); `scripts/validate-design-context.cjs` (referential integrity, id uniqueness, completeness, controlled tag vocabulary; dep-free with an optional Ajv overlay; wired as the `validate:design-context` CI gate, a clean no-op when no graph is present); and `scripts/lib/design-context-query.cjs` (`load`/`nodes`/`edges`/`path`/`consumersOf`/`unreachable`/`cycles`/`coverage`; pure, dep-free). - **Extract and merge engine**: `scripts/lib/design-context/{extract-tokens,extract-components,extract-motion,extract-a11y,extract-visual-hierarchy,merge-fragments,integration-map}.mjs`, regex over source roots, dep-free, emitting schema-valid fragments; merge dedupes nodes by id and recovers or drops dangling edges. - **MCP and skills**: `gdd_context_query` (read-only graph query over the seven operations), `/gdd:context` (its front end), and `/gdd:migrate-context` (migrate a pre-Phase-52 project from `.design/map/*.md` to the graph, flagging low-confidence transforms; preview-first with `--dry-run`). - **Debt-crawler dual-mode**: `design-debt-crawler` queries the graph when `.design/context-graph.json` is present and falls back to grep otherwise; `/gdd:progress` surfaces graph coverage; `integration-map.mjs` renders a mermaid map per Atomic-Design layer. ### Notes - 6-manifest lockstep at **v1.52.0** + `OFF_CADENCE_VERSIONS.add('1.52.0')` + 37 `manifests-version.txt` baselines. Re-locked: skill-list (89 -> 91; +context +migrate-context), root SKILL.md rows, the phase-42 compile count (113 -> 115), the phase-28.5 distribution + warn count (8 -> 10; context at 137 and migrate-context at 123 lines, both in the advisory WARN band), the progress post-migration baseline, the gdd-mcp 27.7 tool-count + registry baselines (12 -> 13), and skills.json (+2). Tarball golden 917 -> 934 (+17). The `lint:md` ignore was widened to nested `node_modules`. --- ## [1.51.0] - 2026-06-03 ### Phase 51 - Instinct-Based Learnings GDD's reflection loop was extractive, not predictive: `/gdd:extract-learnings` wrote a prose `LEARNINGS.md` that no downstream agent read. Phase 51 restructures learnings into atomic, confidence-weighted instinct units that are queryable, deduplicable, promotable, and surfaced back into agent context. Adapted from ecc's continuous-learning v2 (project-vs-global scope). Planned and executed via the GSD pipeline (3 parallel executor subagents). No new runtime dependency, no new egress. ### Breaking changes - **Reflection output gains atomic instinct units.** `design-reflector` now emits a `## Atomic instincts` section (YAML units per `reference/instinct-format.md`) alongside a `## Narrative reflection` (dual-emit for one minor version), and `/gdd:apply-reflections` gains an `[INSTINCT]` proposal class (accept/reject/defer/edit). Consumers of the reflection format should read both sections. - **A new instinct store + schema.** `scripts/lib/instinct-store.cjs` is the source of truth (`.design/instincts/instincts.json` project + `~/.claude/gdd/global-instincts.json` global); `reference/schemas/instinct.schema.json` is wired into `validate:schemas` and enforces the unit shape (confidence 0.3-0.9, domain enum, scope, sha8 project_id). ### Added - **`reference/instinct-format.md`** + **`reference/schemas/instinct.schema.json`**: the atomic instinct unit (YAML frontmatter `id`/`trigger`/`confidence`/`domain`/`scope`/`project_id`/`source`/`cycles_seen`/`first_seen`/`last_seen` with a prose body), the K=2/M=2 promotion gate, the Beta(2,8) prior, and TTL decay. - **`scripts/lib/instinct-store.cjs`**: JSON-canonical store with OPTIONAL FTS5 acceleration via `probeOptional('better-sqlite3')` (the Phase 19.5 design-search pattern, so no dependency is added). Exports `add`/`list`/`query`/`get`/`promote`/`touch`/`decay`/`deriveProjectId`; atomic writes; worktree-safe. - **`/gdd:instinct`** skill: `list` / `query ""` (FTS5 or in-memory scan) / `promote ` (project to global, gated on `cycles_seen >= 2` across `>= 2` distinct project ids; user-confirmed). - **Decision-injector integration**: `gdd-decision-injector.js` surfaces a top-3 `## Relevant instincts` block in agent context (non-fatal; skipped when no store is present). - **TTL decay**: instincts not surfaced in 6 cycles decay (`confidence *= 0.9`); below 0.2 they archive. Wired into the cleanup sweep. Three `instinct_*` event types seeded into `events.schema.json`. `extract-learnings` dual-emits. ### Notes - 6-manifest lockstep at **v1.51.0** + `OFF_CADENCE_VERSIONS.add('1.51.0')` + 37 `manifests-version.txt` baselines. Re-locked: skill-list (89), registry (176), phase-42 count (113), the events-schema sha256 snapshot, resilience-primitives (40, +instinct-store.cjs), the phase-28.5 distribution + warn count (5 -> 8; apply-reflections was trimmed back to <=110), skill-graph regenerated. Tarball golden 912 -> 917 (+5; the cleanup/injector/schema edits are same-path). - Out of scope: cross-project federation, auto-skill-generation from instincts, embedding-based clustering, cross-runtime sync. --- ## [1.50.1] - 2026-06-03 ### Fixed Post-release consistency sweep against the shipped v1.50.0 surface. - **Audit terminology aligned to 7 pillars.** `design-auditor` has been a 7-pillar audit since Phase 48, but `skills/audit`, `skills/verify` (+ `verify-procedure.md`), `reference/skill-authoring-contract.md`, and the registry rubric description still said "6-pillar". All now read 7-pillar (the copy/visual-hierarchy/color/ typography/layout/experience/micro-polish set, /28). `copy-auditor`'s "the other six pillars" is correct and unchanged (copy plus six others is seven). - **Plugin positioning refreshed.** `.claude-plugin/plugin.json` advertised "22+ specialized agents, 9 connections"; it now reads the accurate **59 agents, 88 skills, 41 connection integrations**. - **Composition graph seeded.** Phase 50 shipped the composition manifest infrastructure with no data, so `reference/skill-graph.md` had zero edges. The true pipeline chain is now declared via `next_skills` (new-project → brief → explore → plan → design → verify → ship); `validate:composition-graph` confirms it stays an acyclic, dangle-free DAG. - **`SKILL.md` command table** no longer lists `benchmark` twice. - **Codex default prompt** uses the `/gdd-` command prefix consistently (`/gdd-brief`, `/gdd-explore`) instead of the Claude-style `/gdd:` and a stray `$gdd-explore`. ### Notes - 6-manifest lockstep at **v1.50.1** + `OFF_CADENCE_VERSIONS.add('1.50.1')` + 37 `manifests-version.txt` baselines. Re-locked `verify-after.md` after the terminology fix. No new shipped files (tarball golden unchanged). --- ## [1.50.0] - 2026-06-03 ### Phase 50 - Authoring Contract v3 Two cross-repo-validated additions to the authoring contract. A verb-based anti-slop rubric catches a different class of failure than the noun-based 7-pillar audit (the pillars ask "is the typography wrong?", the verb axes ask "is it generically AI-default?"). And a machine-parseable skill-composition manifest fills the "no skill calls another skill" gap with a DAG validator and an auto-generated skill graph. Planned and executed via the GSD pipeline (3 parallel executor subagents). No new runtime dependency, no new egress. This closes the 45-to-50 release run. ### Breaking changes - **Skill descriptions move to a multi-paragraph v3 form** (`. Use when . Activates for requests involving , , .`). Both the v2 and v3 forms are accepted for one minor version (transition window); `/gdd:health` reports adoption ("Skills: N/88 in v3 form"). The 1024-char cap is unchanged. A new boilerplate-cohort lint (`validate:skill-frontmatter`) fails CI if three or more skills share an identical opening sentence. - **Two new CI gates guard the composition graph.** `validate:composition-graph` fails on a cycle or a dangling `composes_with`/`next_skills` reference; `build:skill-graph:check` fails if `reference/skill-graph.md` drifts from `skills.json`. Authors adding composition edges must keep the graph acyclic and the generated graph current. ### Added - **`reference/anti-slop-rubric.md`**: 5 orthogonal verb axes (Directness, Distinctness, Hierarchy, Authenticity, Density), 1-10 each; `sum < 35/50` routes a finding to `design-debt-crawler` as `category: aesthetic-slop`. `design-auditor` emits `verb_axes_scored` as a lens-tag (no pillar change, mirrors `emotion_levels`). - **`reference/visual-tells.md` v2**: the 8 Phase-49 categories plus 5 more (stock-photo-people, badge-spam, oversized-single-word, motion-without-content-intent, narrator-from-a-distance-UI), each cross-linked to its primary verb axis. - **Skill composition manifest**: optional `composes_with`/`next_skills` frontmatter (documented in the skills schema), `scripts/validate-composition-graph.cjs` (cycle + dangling-ref detection), and an auto-generated `reference/skill-graph.md` (mermaid, grouped by lifecycle stage) via `scripts/generate-skill-graph.cjs`. - **`reference/skill-authoring-contract.md` v3** (description form + transition window + composition fields) + **`/gdd:new-skill`** scaffolder (`scripts/lib/manifest/scaffolder.cjs`, @clack/prompts) that emits a v3-compliant skill, with `composes_with` suggestions by lifecycle stage. - **Description migration**: 18 high-traffic skills (brief, explore, plan, design, verify, audit, scan, discover, do, ship, health, progress, live, connections, darkmode, compare, fast, quick) moved to the v3 form; the rest follow gradually under the transition window. `/gdd:health` + `/gdd:progress` surface adoption and composition-graph readiness. ### Notes - 6-manifest lockstep at **v1.50.0** + `OFF_CADENCE_VERSIONS.add('1.50.0')` + 37 `manifests-version.txt` baselines + plugin keywords (`anti-slop-rubric`, `skill-composition`, `skill-graph`). Re-locked: skill-list (88), registry (175), registry-diff, phase-42 count (112), 6 `*-after.md` byte snapshots (brief/design/explore/verify + health/progress), the phase-28.5 distribution + warn count (4 -> 5, progress crossed 100 lines), tarball golden 907 -> 912 (+5). - The verb axes are an orthogonal lens (no new pillar, no scoring-math change). `composes_with`/`next_skills` are optional in v3 (mandatory deferred to v4). Out of scope: rubric auto-fix, LLM-judge of axes, skill body migration. --- ## [1.49.0] - 2026-06-03 ### Phase 49 - Quick Anti-Slop Floor Three small, atomic safety and policy primitives identified in the cross-repo synthesis, each low-risk and high-signal: a worktree redirect that ends the recurring `.planning/` leak, a free anti-slop regex pass on every front-end file write, and a reviewer confidence gate that stops severity inflation. Planned and executed via the GSD pipeline (3 parallel executor subagents). No new runtime dependency, no new egress. ### Breaking changes - **`.design/` and `.planning/` writes redirect to the main repo root inside a git worktree.** `scripts/lib/worktree-resolve.cjs` detects a worktree (`git rev-parse --git-dir` vs `--git-common-dir`) and the gdd-state write path (`resolveStatePath`, used by all 11 state tools) now resolves STATE there, with a one-line stderr notice. Outside a worktree, behavior is unchanged. Tooling that assumed `.design/` always lived under `process.cwd()` should resolve through the helper. - **Findings now carry a `confidence` field and design-fixer filters on it.** design-auditor, design-verifier, and design-debt-crawler emit `confidence: 0.0-1.0` per finding; design-fixer drops `## Tentative` findings and routes BLOCKER/MAJOR findings below 0.8 confidence to user review instead of auto-fix. Consumers of these findings should read the new field. ### Added - **`scripts/lib/worktree-resolve.cjs`** (resolveRepoRoot / isWorktree / resolveDesignRoot / resolvePlanningRoot; graceful fallback, injectable exec) wired into the state write path + a one-line worktree note in the 7 artifact-writer agents. - **`hooks/gdd-design-quality-check.js`**: an advisory PostToolUse hook scanning `Write`/`Edit`/`MultiEdit` to `.tsx`/`.vue`/`.svelte`/`.astro` for 8 default-AI-aesthetic tells (gradient spam, generic CTAs, centered-everything, font-inter default, purple/violet default, glassmorphism spam, isometric fallback, decorative motion). WARN-only, emits a `design_quality_warn` event. Catalogued in **`reference/visual-tells.md`** (8 named categories with diagnostic regex + remediation). - **Reviewer confidence gate**: a 4-question Pre-Report Gate + the `confidence` field across the three audit agents, a `scripts/lib/confidence-route.cjs` routing helper (`fix` / `user-review` / `drop`), and **`reference/reviewer-confidence-gate.md`** (template + rationale + 4 before/after examples). ### Notes - 6-manifest lockstep at **v1.49.0** + `OFF_CADENCE_VERSIONS.add('1.49.0')` + 37 `manifests-version.txt` baselines + plugin keywords (`worktree-safe`, `anti-slop`, `confidence-gate`). Baselines re-locked: hook-list (19), resilience-primitives (39 `scripts/lib/*.cjs`), registry (173), tarball golden 902 -> 907 (+5). - WARN-only hook (never blocks); auto-fix of matched tells is out of scope (proposal-only); the verb-based anti-slop rubric and a wider tell catalog are deferred to Phase 50. --- ## [1.48.0] - 2026-06-03 ### Phase 48 - Audit & Pillar Expansion The audit surface had grown asymmetrically: output quality matured (7 pillars, multiple lenses, a quality-gate before verify) while input quality went ungraded, copy stayed a thin pillar, and there was no project-wide debt sweep or accessibility gate. Phase 48 closes four audit-side gaps in one release: a deepened copy pillar, a retroactive debt crawler, a brief critic, and an a11y quality-gate. Planned and executed via the GSD pipeline (2 research agents + 3 parallel executor subagents). No new runtime dependency, no new egress. ### Breaking changes - **The design-auditor scoring contract is now explicitly versioned.** `agents/design-auditor.md` carries a `scoring_contract_version` marker (7 pillars; copy deepened; an 8th pillar slot reserved and unscored), and the stale "6-Pillar" heading is corrected to 7. Consumers read pillars by name (not index), so existing integrations are unaffected, but tooling that parsed the heading text should read the version marker instead. - **`a11y` is now the fifth quality-gate failure bucket.** `quality-gate-runner` classifies `axe` / `pa11y` / `lighthouse` / `jsx-a11y` command output into a new `a11y` class (previously these fell through to `test`), and the quality-gate auto-detect allowlist runs them. A project with those scripts will see accessibility regressions surfaced and routed to `design-fixer` at Stage 4.5. ### Added - **Copy pillar deepened**: `reference/copy-quality.md` (microcopy rubric covering button/CTA labels, error messages, empty-states, ARIA-text, alt-text, loading copy, voice alignment; i18n-aware with a +40% expansion overflow lens) + `agents/copy-auditor.md` (a focused single-pillar auditor design-auditor folds into Pillar 1). - **`agents/design-debt-crawler.md`** + **`reference/debt-categories.md`**: a project-wide retroactive crawler (does not read STATE.md completed tasks) that walks the whole tree, enumerates raw color literals, anti-pattern hits, untokenized components, contrast and density issues, and writes a priority-scored `.design/debt/DEBT-CATALOG.md` (visible-delta x effort x prevalence). Pure catalog, one `/gdd:fast ""` suggestion per row. - **`agents/brief-auditor.md`** + **`reference/brief-quality-rubric.md`**: grades the brief against 5 anti-patterns (vague verbs, missing audience, immeasurable success criteria, scope creep, missing anti-goals); wired into the tail of `/gdd:brief` as a non-blocking warning that offers `/gdd:discuss brief`. - **`hooks/gdd-a11y-gate.js`**: an advisory PostToolUse surface for a11y findings, plus the quality-gate + quality-gate-runner + design-fixer a11y wiring. ### Notes - 6-manifest lockstep at **v1.48.0** + `OFF_CADENCE_VERSIONS.add('1.48.0')` + 37 `manifests-version.txt` baselines + tarball golden 895 -> 902 (3 agents, 3 reference docs, 1 hook). Agent baselines (`agent-list.txt` 60, `agent-frontmatter-snapshot.json`, `hook-list.txt`) + registry (171) re-locked. - The 7-pillar contract already existed in `design-auditor` (copy was Pillar 1); Phase 48 formalizes it rather than migrating 6->7. The unified cross-auditor finding schema (severity/confidence/issue-key/location/suggested-fix) is noted as a follow-up candidate, not shipped here. --- ## [1.47.0] - 2026-06-03 ### Phase 47 - In-Browser Design Iteration (Live Mode) GDD's design loop was repo-bound (edit, save, preview, screenshot) with no tight in-browser iteration. Phase 47 ships `/gdd:live`: pick an element on a running dev server, generate N variants in one batch, post-check each with gdd-detect, hot-swap via HMR, accept or discard, and the session persists for resume. It drives the existing Preview MCP connection at runtime (the same surface verify screenshots and darkmode injection already use), so there is no new runtime dependency and no new egress. Planned and executed via the GSD pipeline (2 research agents + 3 parallel executor subagents). ### Breaking changes - **`capability_matrix.mcp_support` now also gates live mode.** A harness declared `mcp_support: false` runs `/gdd:live` in degraded screenshot-only mode (no element-pick or HMR swap). Harness authors adding a runtime must set `mcp_support` honestly, since it now drives this behavioral split in addition to MCP tool availability. - **The live-session schema joins the validated set.** `reference/schemas/live-session.schema.json` is registered in `validate:schemas`, and the six `live_*` event types are seeded into `reference/schemas/events.schema.json`. Editing either must keep them valid (CI-gated). ### Added - **`/gdd:live`** at `source/skills/live/SKILL.md`: boot (probe Preview, detect dev server Vite/Next/Bun/static, degraded mode if no MCP), element pick, single-batch N-variant generation (default 3, loads the Phase 45 canonical reference first), per-variant gdd-detect post-check (findings inline; `error` flagged, never auto-rejected), accept/discard with canonical-edit selection, session persistence, and resume. - **`scripts/lib/live/` substrate** (all dependency-free, all unit-tested): `session-store` (the `.design/live-sessions/.json` lifecycle + resume), `scope-guard` (blocks writes outside the picked element's implicated source set), `postcheck` (wraps the gdd-detect engine in-memory), `events` (the six typed `live_*` emitters), `bandit-feed` (accepted variants call the Phase 38 store's `observe(..., {source:'dev_time'})` at a 0.5 dev-time weight; the `Beta(2,8)` prior keeps them advisory), `harness-mode` (mcp_support to puppeteer/degraded), `runtime` (the browser-side pick/swap script injected via `preview_eval`, keyed on `data-gdd-variant`). - **`reference/live-mode-integration.md`** documents the loop, the Preview surface, the events, the session file, the bandit feed, degraded mode, and the scope guard. ### Notes - 6-manifest lockstep at **v1.47.0** + `OFF_CADENCE_VERSIONS.add('1.47.0')` + 37 `manifests-version.txt` baselines + tarball golden 884 -> 895 (the `live` skill in `skills/` + `dist/claude-code/`, 7 `scripts/lib/live/*.cjs`, `reference/live-mode-integration.md`, `reference/schemas/live-session.schema.json`). - Testability: the deterministic substrate is fully unit-tested (session, scope, postcheck, events, bandit-feed, harness-mode, runtime shape) plus a deterministic session-replay baseline at `test/fixtures/baselines/phase-47/`. Live element-pick, HMR swap, and screenshots are runtime behaviors driven by the skill through the Preview connection, exercised by the existing conditional main-branch E2E rather than new browserless CI suites. --- ## [1.46.0] - 2026-06-03 ### Phase 46 - Skill UX Polish 70+ skills under one `/gdd:` namespace had three friction points at one surface (skill frontmatter): no shortcut for power users, 83 frontmatter blocks as 83 places to edit a description, and a description budget that was enforced but not gated explicitly. Phase 46 ships a metadata single source of truth, an order-preserving frontmatter generator, three pin shortcut skills, and an explicit budget gate. Planned and executed via the GSD pipeline (parallel research + three parallel executor subagents). No new runtime dependency, no new egress. ### Breaking changes - **A new CI drift gate guards skill frontmatter.** `npm run generate:skill-frontmatter:check` fails if any `source/skills//SKILL.md` frontmatter no longer matches `scripts/lib/manifest/skills.json`. Edit the description, argument hint, or tools allow-list in `skills.json`, then run `npm run generate:skill-frontmatter` and `npm run build:skills` to regenerate. Hand-editing the managed frontmatter keys directly now fails CI. - **The skill description budget is now an explicit blocking gate.** `npm run lint:agentskills` runs in CI and fails (R4) on any description over 1024 characters. The cap existed since Phase 28.5; it is now a first-class gate rather than an in-process check. ### Added - **`scripts/lib/manifest/skills.json` as the skill-metadata single source of truth.** All 86 skills carry `{description, argument_hint?, tools?, user_invocable?, disable_model_invocation?, ...}`; the JSON Schema (`scripts/lib/manifest/schemas/skills.schema.json`) documents the enriched fields and is validated by `npm run validate:manifest`. - **`scripts/generate-skill-frontmatter.cjs`** (maintainer-only): forward mode regenerates each skill's frontmatter from `skills.json`; `--extract` reseeds the manifest from current frontmatter; `--check` is the CI drift gate. It is **order-preserving** (each skill keeps its own frontmatter key order; only `name` leads and non-managed lines like `quality-gate`'s `writes:` block are carried verbatim), so the committed tree is a byte-for-byte fixed point and existing frontmatter-snapshot baselines never churn. - **`/gdd:pin `, `/gdd:unpin `, `/gdd:list-pins`** power-user shortcut skills. `pin` writes standalone alias stubs across every installed harness skills dir (so `/audit` resolves alongside `/gdd:audit`), each carrying a `` marker; descriptions and tools come from the `skills.json` catalogue, never a live frontmatter scrape. `unpin` removes only marked stubs. `list-pins` shows pinned aliases per harness with source and timestamp. Backed by `scripts/lib/pin/` (harness discovery via `scripts/lib/manifest/harnesses.cjs`, atomic `.tmp`+rename writes, cross-platform). - **`reference/skill-metadata.md`** documents the SoT, the generator, the build chain, and the budget. ### Notes - 6-manifest lockstep at **v1.46.0**, `OFF_CADENCE_VERSIONS.add('1.46.0')`, 37 `manifests-version.txt` baselines, tarball golden 874 -> 884 (the 3 pin skills land in `skills/` and `dist/claude-code/`, plus 3 `scripts/lib/pin/*.cjs` and `reference/skill-metadata.md`). The maintainer-only generator is correctly not shipped. - Description budget (SC#5): already enforced since Phase 28.5 (`validate-skill-length.cjs` + `lint-agentskills-spec.cjs`, both cap at 1024); Phase 46 hardens it into an explicit CI gate and a SoT-layer regression test. No skill needed trimming. --- ## [1.45.0] - 2026-06-02 ### Phase 45 - Canonical Domain Reference Index GDD has 38+ reference docs with flat indexing - agents loaded fragments by name and missed the rest, or loaded all 5 motion files and wasted tokens. Phase 45 ships 7 navigation entry-points over the existing content (it indexes, never re-authors). Planned and executed via the GSD pipeline (parallel research + parallel authoring subagents). No new runtime dependency, no new egress. ### Breaking changes - **Two CI gates now guard the domain indexes.** `npm run check:domain-links` fails if any cross-link in the 7 entry-points points at a missing file or anchor; `npm run check:no-duplication` fails if an index copies large blocks from the fragment it should only link. Contributors editing the 7 `reference/{typography,color,spatial,motion,interaction,responsive,ux-writing}.md` entries must keep links resolving and keep entries link-only. ### Added - **7 domain-index entry-points** at `reference/{typography,color,spatial,motion,interaction,responsive,ux-writing}.md`, each <=300 lines: a mission, a "use this when" index of the subordinate fragments, 3-5 rules-of-thumb, and cross-domain see-also links. `motion.md` and `typography.md` were transformed in place; the other five are new. - **Registry `domain-index` kind**: `reference/registry.schema.json` gains the type; the 7 entries register as `domain-index` so skills can query indexes first and drill into detail second. - **`scripts/check-domain-cross-links.cjs`** + **`scripts/check-no-duplication.cjs`** (maintainer-only) + the two CI steps. - **Consumer migration**: `motion-mapper` now loads `motion.md` (the index) and drills into a fragment only when classifying against it (an 89% token cut versus loading all four motion fragments up front); `design-auditor` and `design-executor` lead their reference reading with the domain indexes. Token-load baseline at `test/fixtures/baselines/phase-45/token-load.json`. ### Notes - 6-manifest lockstep at **v1.45.0** + `OFF_CADENCE_VERSIONS.add('1.45.0')` + 37 `manifests-version.txt` baselines forward-propagated 1.44.0 -> 1.45.0. Tarball golden 869 -> 874 (+5 new shipped `reference/*.md`; the two CI scripts are maintainer-only, not shipped). - SC#9 (Phase 41 rule `references[]` migration to canonical entries) is deferred to a follow-up; the rule links to `anti-patterns.md` still resolve, so the migration is a nice-to-have rather than a blocker. --- ## [1.44.0] - 2026-06-02 ### Phase 44 - Harness Capability Matrix Verifying support for a harness used to mean reading five reference files plus the README, with no "is this still current?" stamp anywhere. Phase 44 consolidates it into a generated `HARNESSES.md` backed by one source of truth, with an honest status taxonomy and a freshness gate. Planned and executed via the GSD pipeline (parallel research + pattern-mapper subagents, then parallel executor agents). No new runtime dependency, no new egress. ### Breaking changes - **A harness freshness gate now runs in CI.** `npm run check:harness-freshness` warns at 60 days and fails at 180 days for harnesses marked `tested` (others report `n/a` and never fail). A `tested` harness whose `last_verified` stamp goes stale will fail the build until re-verified with `npm run verify:harness `. CI also gains `npm run build:harnesses:check` (HARNESSES.md drift gate) and `npm run validate:manifest`. Contributors editing harness support must edit `scripts/lib/manifest/harnesses.json` and regenerate `HARNESSES.md`; see `CONTRIBUTING.md`. ### Added - **`HARNESSES.md`** at repo root - the human-readable capability matrix (skill discovery, command syntax, MCP, placeholder substitution, install path, status) + per-harness deep-dive links + a `Last verified` stamp. GENERATED by `scripts/generate-harnesses-md.cjs` from the SoT; CI drift-gates it. - **Harness matrix as a view of the Phase 41.5 SoT** - `scripts/lib/manifest/harnesses.json` records gain a `capability_matrix` + `last_verified` + `fragment_links`; the manifest schema + `validate:manifest` gate them. Unified with Phase 42's `harness-configs.cjs` (a `phase-44-harness-agreement` test fails on any ID or command-syntax disagreement). - **`scripts/lib/harness-freshness.cjs`** (shippable, pure, status-aware) + `scripts/check-harness-freshness.cjs` (CLI) + `gdd:health` check #8 (`harness_freshness`). - **`scripts/verify-harness.cjs `** - runs the Phase 42 compile + smoke, then atomically stamps `last_verified` and regenerates `HARNESSES.md`. - **Honest status taxonomy** - `claude` is `tested`; the five peer-CLI runtimes (codex, gemini, cursor, copilot, qwen) are `experimental`; the other eight are `untested`. The five reference fragments stay as appendices, cross-linked from the matrix (a cross-link checker fails generation on a broken anchor). ### Notes - 6-manifest lockstep at **v1.44.0** + `OFF_CADENCE_VERSIONS.add('1.44.0')` + 37 `manifests-version.txt` baselines forward-propagated 1.43.0 -> 1.44.0. - `gdd_health` now returns 8 checks (harness_freshness added). The generator, freshness CLI, and verify script are maintainer-only (not shipped); only `scripts/lib/harness-freshness.cjs` ships. Tarball golden 868 -> 869 (+`scripts/lib/harness-freshness.cjs`). `HARNESSES.md` is repo-root, not in the npm tarball. --- ## [1.43.0] - 2026-06-02 ### Phase 43 - Editorial Quality Floor Get Design Done audits design quality but never held its own prose to the same bar. Phase 43 ships a build-time editorial lint that fails CI on em dashes, prose double hyphens, and AI-prose tells in the project's own documentation. No new runtime dependency, no new egress. ### Breaking changes - **Contributors must keep prose clean of em dashes, prose double hyphens, and the AI-tell denylist.** `npm run lint:prose` is now a CI gate over `README.md`, `README.*.md`, `SKILL.md`, `source/skills/**`, `agents/**`, `CHANGELOG.md`, and `reference/**` (bodies AND frontmatter `description` fields). Put CLI flags in code spans; replace an em dash with a comma, colon, parentheses, or a spaced hyphen; wrap a genuine quote in a `prose-lint-disable` block. See `STYLE.md` and `CONTRIBUTING.md`. The one-time purge rewrote roughly 6700 em dashes plus tells across the existing corpus, so CI starts green. ### Added - **`scripts/lint-prose.cjs`** (maintainer, `npm run lint:prose`) - dep-free editorial linter reading the shared denylist at `scripts/lib/manifest/prose-denylist.json` (the Phase 41.5 SoT). Skips fenced code (any indent, nested), inline code (per-line, stray-tick-safe), frontmatter, HTML comments, `prose-lint-disable` blocks, and Cyrillic-majority files. The double-hyphen rule uses an exactly-two guard so structural `---` (tables, rules, frontmatter) never trips. - **`STYLE.md`** at repo root, generated from the denylist by `scripts/generate-style-md.cjs` (`npm run build:style`; CI drift-gated via `build:style:check`). - **Frontmatter description denylist** (SC#7): `lint:prose` also checks skill and agent `description` fields for em dashes and tells (the `--` flag token is exempt there, since descriptions name flags). - **`CONTRIBUTING.md`** editorial-style section; regression fixtures at `test/fixtures/baselines/phase-43/` (clean, violations, Cyrillic-skip). ### Notes - 6-manifest lockstep at **v1.43.0** + `OFF_CADENCE_VERSIONS.add('1.43.0')` + 37 `manifests-version.txt` baselines forward-propagated 1.42.0 -> 1.43.0. - The purge changed skill/agent prose, so 18 snapshot/assertion fixtures were reconciled (regenerated byte-for-byte SKILL.md baselines + hyphenated em-dash literals in 7 baseline tests). `lint-prose.cjs` and `generate-style-md.cjs` are maintainer-only (not shipped); `STYLE.md` is contributor-facing (not in the npm tarball). Tarball file list unchanged. --- ## [1.42.0] - 2026-06-02 ### Phase 42 - Multi-Harness Source Compilation One skill source, N provider bundles. The README advertised 14 harnesses but every skill hard-coded Claude syntax (`/gdd:`…). Phase 42 authors each skill **once** in `source/skills/` with placeholders and compiles per-harness bundles via a pure transformer factory that reads the Phase 41.5 manifest SoT. **No new runtime dependency, no new egress.** ### Breaking changes - **`skills/` is now a generated artifact, not the authoring source.** Skills are authored in **`source/skills/`** (with `{{command_prefix}}` and the other placeholders); the committed `skills/` tree is regenerated from it for the Claude-Code default, and CI's `npm run build:skills:check` fails on any drift. **Contributors must edit `source/skills/`, never `skills/` directly**, then run `npm run build:skills` and commit the regenerated `skills/` + `dist/claude-code/`. The plugin contract is unchanged - `.claude-plugin/plugin.json` still loads `./skills/`, now produced from `source/skills/`. See `reference/DEPRECATIONS.md` → Authoring surfaces and `reference/skill-placeholders.md`. ### Added - **`source/skills/`** - all 83 skills (107 `.md`) authored once with placeholders. `/gdd:` → `{{command_prefix}}` is a pure string inverse, so the Claude compile reproduces `skills/` byte-for-byte. - **`scripts/lib/build/factory.cjs`** - the pure `compile(text, config)` transformer (no I/O): the four placeholders, `` blocks, and `\{{…}}` escapes. - **`scripts/lib/build/harness-configs.cjs`** - per-harness substitutions layered over `scripts/lib/manifest/harnesses.json` (41.5). 14 records; `codex` is the flat-prefix (`/gdd-`) outlier. Adding a 15th harness = one manifest entry plus an optional override row. - **`scripts/build-skills.cjs`** (`npm run build:skills`, `build:skills:check`) - orchestrator with `--harness`, `--check` (drift gate), and `--zip`. Writes `dist///skills/…` and regenerates `skills/` in place. Idempotent + byte-stable. - **`dist/claude-code/`** - the default Claude-Code bundle, committed + shipped in the npm tarball (other per-harness bundles stay build-only artifacts; `--zip` packages them for releases). - **`gdd-sdk build skills [--harness ] [--zip] [--check]`** - SDK CLI surface (operates in a repo clone where `source/skills/` is present; the orchestrator + source are dev-only, not shipped). - **`reference/skill-placeholders.md`** - the placeholder catalogue + per-harness substitution table + escape and harness-only rules. ### Notes - 6-manifest lockstep at **v1.42.0** + `OFF_CADENCE_VERSIONS.add('1.42.0')` + the 37 live-pinned `manifests-version.txt` baselines forward-propagated 1.41.5 → 1.42.0. - CI gains a `build:skills:check` drift step in the validate job; a per-harness compile smoke + a 14-harness golden baseline (`test/fixtures/baselines/phase-42/`) pin the compile output. - Inventory: tarball golden 757 → 868 (+111: `dist/claude-code/**` 107, `scripts/lib/build/**` 2, `reference/skill-placeholders.md`, `sdk/cli/commands/build.ts`). `source/skills/` is dev-only (not shipped). --- ## [1.41.5] - 2026-06-02 ### Phase 41.5 - SoT Manifest Consolidation A 2026-05-16 audit found Phase 42/44/45/47 each scoping its own "single source of truth" in a different corner - four formats, four schemas, four CI drift gates. 41.5 lands **one** root, **one** schema directory, **one** validator, **before** those phases plan their work. **No new runtime dependency, no new egress.** ### Added - **`scripts/lib/manifest/`** - the cross-phase SoT root: - `loader.cjs` - the one shared reader; a missing/unparseable file returns an empty fallback + a one-line warning (never throws), with a file-mtime cache. Dep-free. - `index.cjs` - typed readers `readHarnesses()` / `readSkills()` / `readProseDenylist()`. - `harnesses.json` (+ `.cjs` view) - the 14 canonical runtimes (Phase 42 adds build config, Phase 45 the capability matrix, as views of this one record). `skills.json` - the 83 live skill names (Phase 47 enriches). `prose-denylist.json` - the AI-tell denylist + em-dash/`--` markers (Phase 43/44 consume). - `schemas/*.schema.json` - one JSON Schema per manifest. `README.md` - the contract + migration note. - **`scripts/validate-manifest.cjs`** (`npm run validate:manifest`) - the single ajv CI gate that replaces the four per-file drift gates 43/44/45/47 would each have shipped. ### Notes - **No new runtime dependency** - the shipped `loader.cjs`/`index.cjs` are dep-free; `validate-manifest.cjs` uses the already-present `ajv` and is maintainer-only (not shipped, like `lint-changelog.cjs`). - 6-manifest lockstep at **v1.41.5** + `OFF_CADENCE_VERSIONS.add('1.41.5')` + the 36 live-pinned `manifests-version.txt` baselines forward-propagated 1.41.0 → 1.41.5. - Inventory: tarball golden 747 → 757 (+10: `scripts/lib/manifest/**`). No skill/agent/registry deltas. --- ## [1.41.0] - 2026-06-02 ### Phase 41 - Deterministic Anti-Pattern CLI (`gdd-detect`) GDD's BAN-NN anti-pattern catalogue was consumable only by spawning a Claude session through `design-auditor` - no fast CI gate, no pre-commit hook, no zero-LLM regression check. 41 ships **`gdd-detect`**: a **dep-free, offline** Node CLI that scans HTML/CSS/JSX for the 11 statically- detectable BAN rules and emits JSON or human findings, each linked to its catalogue paragraph. (Inspired by `pbakaus/impeccable`.) **No new runtime dependency, no new egress.** ### Breaking changes **None.** `gdd-detect` is purely additive - a new `bin` entry + a new `lint:design` script + new `scripts/lib/detect/` modules. Nothing existing changes behavior; `design-auditor` swaps its inline BAN greps for a `gdd-detect --json` call (same findings, deterministic). Upgrading from v1.40.5 is a no-op for existing workflows. ### Added - **`bin/gdd-detect`** (`gdd-detect [--json] [--fast] [--rule BAN-NN] [--puppeteer]`) - exit `0` clean / `2` findings / `1` invocation error. Recursive scan of HTML/CSS/JSX/TSX. - **`scripts/lib/detect/`** - a pure, dep-free engine + `rule-schema.json` + 11 per-rule matchers (`rules/ban-NN.cjs`) ported verbatim from the catalogue's own `**Grep**` patterns (BAN-01/02/03/05/06/07/08/09/11/12/13). BAN-04 + BAN-10 are subjective (matcher-exempt). - **`scripts/sync-rule-catalogue.cjs`** - bidirectional parity gate: every rule ↔ a `### BAN-NN:` heading + a `bdId: BAN-NN` marker; no orphans; no un-ported detectable rule. - **`scripts/hooks/pre-commit-detect.sh`** - opt-in pre-commit scaffold. - **`lint:design`** npm script + `sync:rule-catalogue` npm script. ### Changed - **`reference/anti-patterns.md`** - `bdId: BAN-NN` markers under every BAN heading. - **`agents/design-auditor.md`** - Pillar-7 inline BAN greps replaced by one `gdd-detect --json` call. - **`skills/quality-gate/SKILL.md`** - `lint:design` added to the Phase-25 auto-detect linter allowlist. ### Notes - **Two execution paths**: regex-fast (the dep-free default) and DOM-aware (`jsdom`, a soft `try-require` optional - **not** a `package.json` dependency); `--fast` forces regex; absent jsdom falls back with a one-line warning. A `http(s)://` path needs `--puppeteer` (also soft-optional) and prints a clear install message otherwise - never a stack trace. The CLI is **offline by default** (a static network-isolation test fails the build on any network primitive in the detect tree). - 6-manifest lockstep at **v1.41.0** + `OFF_CADENCE_VERSIONS.add('1.41.0')` (minor) + the 35 live-pinned `manifests-version.txt` baselines forward-propagated 1.40.5 → 1.41.0. - Inventory: tarball golden 731 → 747 (+16: `bin/gdd-detect` + `scripts/lib/detect/**`). No skill/agent/registry deltas (`sync-rule-catalogue.cjs` + the pre-commit scaffold are maintainer-only). --- ## [1.40.5] - 2026-06-01 ### Phase 40.5 - GDD CLI Localization GDD's README is multilingual, but the CLI talked English. 40.5 adds locale resolution + per-locale message tables for the highest-traffic surface - `--help`, common error messages, and skill prompt headers. English is always the final fallback, so a partial locale never breaks the CLI. **No new runtime dependency, no new egress.** ### Added - **`scripts/lib/i18n/index.cjs`** - locale resolver: `resolveLocale` (`config.locale` > env `LANG`/`LC_ALL` > `en`), `fallbackChain` (`locale → base → en`), `translate` (chain walk; a missing key returns the key, never throws), `descriptionFor` (`description_i18n` || English). Pure functions + a thin `loadTable` reader. - **`scripts/lib/i18n/messages/{en,ru,uk,de,fr,zh,ja}.json`** - flat message tables. `en` is the complete source (24 keys: `help.*`/`error.*`/`prompt.*`/`status.*`), `ru` a full translation, `uk`/`de`/`fr`/`zh`/`ja` placeholders (a `_meta` marker + a starter subset) that fall back to English. - **`skills/locale/SKILL.md`** (`/gdd:locale [

]`) - inspect the resolved locale + per-locale coverage, or set `.design/config.json#locale`.
- **`reference/cli-localization.md`** - the resolver contract + the add-a-locale contribution path (translate the table, add a `NOTICE` translator credit, open a PR; warn-only completeness). Registered. Distinct from `reference/i18n.md` (which covers *user-design* i18n).

### Changed

- **`reference/schemas/config.schema.json`** - + `locale` (enum en/ru/uk/de/fr/zh/ja); `generated.d.ts` regenerated.
- **`agents/README.md`** - document the opt-in `description_i18n` frontmatter field (falls back to the English `description`; backward-compatible - the 28.5 contract validates it only when present).

### Notes

- **No new runtime dependency, no new egress.** Pure resolver + JSON tables + docs.
- The completeness gate is **warn-only** - only `en` + `ru` are full; the five placeholder locales rely on the English fallback and are never required to be 100%.
- 6-manifest lockstep at **v1.40.5** + `OFF_CADENCE_VERSIONS.add('1.40.5')` + the 34 live-pinned `manifests-version.txt` baselines forward-propagated 1.40.0 → 1.40.5.
- Inventory relock: registry-diff 159 → 160 (+`cli-localization`), skill-list 82 → 83 (+`locale`), skill-length-distribution relocked, tarball golden 721 → 731 (+10). No agent/event deltas. Root `SKILL.md` command table += `locale`.

---

## [1.40.0] - 2026-06-01

### Phase 40 - Team Collaboration Mode

The largest architectural phase: GDD's single-operator baseline (Phase 20 lockfile + atomic STATE.md) now extends to **multiple developers**. Multi-writer STATE.md merges per-section, decisions are attributed + reviewed through an async queue with hard locks, a conflict-resolver reconciles parallel branches, decisions export to a read-only shared journal, and per-section permissions + sectional handoff gate who writes what. Everything is **git-native + advisory** - no server, no live multiplayer, no SSO. **No new runtime dependency, no new egress.**

### Breaking changes

**None.** Every Phase 40 surface is additive and **off by default**: `gdd_cycle_mode` defaults to `full` (current behavior), `permissions` absent = everyone is `owner`, `collab.multi_writer_enabled` defaults to `false`, `collab.sync_backend` defaults to `git`, and the decision attribution suffix is optional + backward-compatible. A single-operator project upgrading to v1.40.0 behaves exactly as it did on v1.39.5.

### Added

- **`reference/multi-author-model.md`** - the team-collaboration contract (merge model, attribution, review queue + locks, lock policy, sectional handoff, permissions, journal export + PR threading, opt-in sync). Registered.
- **`scripts/lib/collab/`** - 7 pure, dep-free cores: `attribution` (decision `[author= co-author=]` suffix), `section-merge` (git-merge-driver per-section semantic merge - union by D-id, conflict only on same-id divergence), `lock-policy` (team-mode advisory-lock backoff), `review-queue` (proposed→reviewing→approved→locked + audited unlock), `cycle-mode` (sectional handoff stage gate), `permissions` (per-section `can()`), `sync-backend` (git/s3/git-lfs selector).
- **`agents/conflict-resolver.md`** - three-way STATE.md merge, per-section + human-confirmed; never auto-picks or drops a decision.
- **`agents/decision-journal-exporter.md`** - `` → `pseudonymize` → read-only Notion/Confluence on cycle close (write-only; degrades to local markdown).
- **`skills/review-decisions/SKILL.md`** (`/gdd:review-decisions`) + **`skills/unlock-decision/SKILL.md`** (`/gdd:unlock-decision  --approver`, the only audited escape from a hard lock).

### Changed

- **`reference/schemas/config.schema.json`** - + `gdd_cycle_mode` (designer|dev|full) + `permissions` + `collab` (multi_writer_enabled / lock_timeout_ms / sync_backend); `generated.d.ts` regenerated.
- **`reference/STATE-TEMPLATE.md`** - document the optional decision attribution suffix.
- **`agents/design-reflector.md`** - a "Per-author patterns" note (reads attribution).
- **`agents/pr-commenter.md`** - thread PR comments on `D-XX` decisions (team-mode).

### Notes

- **No new runtime dependency, no new egress** - 7 pure cores + reference/agent/skill prose + an additive config-schema; the live S3/git-LFS sync client is explicitly out of scope (the selector ships, the backend is pluggable).
- 6-manifest lockstep at **v1.40.0** + `OFF_CADENCE_VERSIONS.add('1.40.0')` (a minor bump) + the 33 live-pinned `manifests-version.txt` baselines forward-propagated 1.39.5 → 1.40.0.
- Inventory relock: registry-diff 158 → 159 (+`multi-author-model`), skill-list 80 → 82 (+`review-decisions`, +`unlock-decision`), agent-list +`conflict-resolver` +`decision-journal-exporter` + both frontmatter-snapshots, skill-length-distribution relocked, tarball golden 709 → 721 (+12). Root `SKILL.md` command table += both skills.

---

## [1.39.5] - 2026-06-01

### Phase 39.5 - GDD Self-Migration Tooling

GDD migrates *user* design systems (39.1) but had no systematic story for **its own** breaking
changes - Phase 31.5 moved `scripts/lib/**` → `sdk/**` with ad-hoc shims. 39.5 formalizes it: a
machine-readable deprecation registry, a version-aware reader, a `/gdd:migrate` skill, a post-update
advisory, and two CI gates (a completeness check + a CHANGELOG Breaking-changes linter). **No new
runtime dependency, no new egress** - two pure helpers + a docs/skill surface.

### Breaking changes

None. (This release *adds* the deprecation machinery; it removes nothing. The historical Phase 31.5 →
`sdk/` removals it documents already shipped in v1.33.0.)

### Added

- **`reference/DEPRECATIONS.md`** - a `## Path migrations (machine-readable)` table
  (`Since · Removed in · Old · New · Migration hint`) + status semantics, backfilled with the 10
  verified Phase 31.5 → `sdk/` removals (all confirmed gone from the tree).
- **`scripts/lib/deprecation-registry.cjs`** - pure, dep-free reader: `compareVersions`,
  `parseDeprecations` (markdown-table parser), `classify` (pending/deprecated/removed by version),
  `checkReference`.
- **`skills/migrate/SKILL.md`** (`/gdd:migrate [--yes] [--dry-run]`) - scans a project's references for
  paths deprecated/removed at the installed version and **previews a diff** before rewriting. Preview-first.
- **`scripts/lint-changelog.cjs`** (`npm run lint:changelog`) - every `## [x.y.0]` minor at/after the
  1.39.0 floor must declare a `### Breaking changes` section; historical minors are grandfathered.
- **`test/suite/deprecation-completeness.test.cjs`** - the SC#4 gate: every `removed` entry's old path
  is gone + its replacement exists; every `deprecated` entry still has a shim. No orphan entries.

### Changed

- **`skills/update/SKILL.md`** - a post-update step that reports deprecations crossing into
  `deprecated`/`removed` over the upgrade window and points the user at `/gdd:migrate`.

### Notes

- **No new runtime dependency, no new egress.** `lint-changelog.cjs` is a maintainer/CI tool (not shipped).
- 6-manifest lockstep at **v1.39.5** + `OFF_CADENCE_VERSIONS.add('1.39.5')` + the 32 live-pinned
  `manifests-version.txt` baselines forward-propagated 1.39.2 → 1.39.5.
- Inventory relock: skill-list 79 → 80 (+`migrate`, phase-20 + current), tarball golden 707 → 709
  (+`deprecation-registry.cjs` + `skills/migrate/SKILL.md`). No agent/event/connection deltas. Root
  `SKILL.md` command table += `migrate`.

---

## [1.39.2] - 2026-06-01

### Phase 39.2 - Long-Horizon Cost Governance

Closes the split Phase 39 (39.1 shipped DS migration). Phase 10.1 per-task caps + Phase 26 per-runtime telemetry track *cost* - none **forecast** it, cap it at the *project* level, or show whether the spend actually *shipped* anything. 39.2 adds a per-cycle spend **forecast**, a **`project_cap`** hard-halt, and an **ROI dashboard**. **No new runtime dependency, no new egress** - three pure helpers + an additive, disabled-by-default branch on the existing budget-enforcer hook.

### Added

- **`scripts/lib/budget/cost-forecast.cjs`** - pure, dep-free per-cycle forecast: `forecast()` (best/typical/worst from the mean ± k·σ of historical per-cycle rates) + `cyclesToCap()` ("hit your cap in Y cycles"). Deterministic.
- **`scripts/lib/budget/roi.cjs`** - pure ROI join: `computeRoi()` (per-cycle cost ⋈ shipped/reverted commits → cost-per-shipped-commit + stick rate) + `roiTableMarkdown()`.
- **`scripts/lib/budget/project-cap.cjs`** - pure cap classifier: `classifyProjectBudget(spend, cap)` → `ok`/`warn-50`/`warn-80`/`halt`; **disabled when `cap ≤ 0`** (the non-breaking default).
- **`agents/cost-forecaster.md`** - groups `costs.jsonl` by cycle, runs the model, supports `--scenario best|typical|worst`, emits a `budget_forecast` event. Report-only (sonnet, size_budget M).
- **`skills/budget/SKILL.md`** (`/gdd:budget [--cycles N] [--scenario …]`) - forecast + "at the current rate you'll hit your $X project cap in Y cycles."
- **`skills/roi/SKILL.md`** (`/gdd:roi [--since ] [--window-days 14]`) - the ROI table; "shipped" = a commit surviving ≥ 14 days (catches revert-after-bug-discovery).
- **`reference/cost-governance.md`** - the contract (forecast model, `project_cap` semantics, ROI signal, events). Registered.

### Changed

- **`hooks/budget-enforcer.ts`** - an **additive** `project_cap` branch (delegates the threshold math to `project-cap.cjs`): warns at 50% + 80%, hard-halts at 100% under `enforce`. **Disabled by default** (`project_cap_usd: 0`) so existing users see zero behavior change. **Graceful** - it blocks the *next* PreToolUse:Agent spawn, letting the current stage finish.
- **`reference/schemas/budget.schema.json`** - + `project_cap_usd` (≥ 0; 0/absent = disabled) + `project_cap_enforcement_mode` (enforce|warn|log).
- **`reference/schemas/events.schema.json`** - free-form `type` seed += `budget_forecast` / `project_cap_warning` / `project_cap_halt` (schema-seed only; `KNOWN_EVENT_TYPES` count unchanged).

### Notes

- **No new runtime dependency, no new egress** - three pure text/arithmetic helpers + a local `package.json`/`costs.jsonl` read; the hook only ever *blocks*, never spends.
- 6-manifest lockstep at **v1.39.2** + `OFF_CADENCE_VERSIONS.add('1.39.2')` + the 31 live-pinned `manifests-version.txt` baselines forward-propagated 1.39.1 → 1.39.2.
- Inventory relock: registry-diff 157 → 158 (+`cost-governance`), skill-list 77 → 79 (+`budget`, +`roi`), agent-list +`cost-forecaster` + both frontmatter-snapshots, event-schema-snapshot sha256 re-locked (the seed-list edit, LF-normalized), tarball golden 700 → 707 (+7). Root `SKILL.md` command table += `budget` + `roi`.

---

## [1.39.1] - 2026-06-01

### Phase 39.1 - DS Migration Workflows

Opens the v1.39.x arc and the first half of the split Phase 39. When a design system ships a breaking major (shadcn/ui v1→v2, Tailwind v3→v4, MUI v5→v6, Material 2/3 token rename), GDD can now read the in-repo `package.json`, detect the version skew, consult a curated rule library, and produce an **impact-scored, proposal-only migration plan** with codemod scaffolds. Nothing runs automatically and no codemod engine is bundled - `codemod-gen` emits jscodeshift/ast-grep template **text** the developer reviews and runs themselves. **No new runtime dependency, no new egress.**

### Added

- **`reference/migrations/{shadcn-v2,tailwind-v4,mui-v6,material-3-to-4}.md`** - 4 curated rule libraries. Each carries `## Detection` (package.json dep + version), a `## Migration rules` table (Rule ID · Kind · From → To · Note, where Kind ∈ `rename-class`/`rename-prop`/`remove-component`/`token-rename`/`new-default`), and `## Impact notes`. Grounded in the official upstream migration guides (Tailwind v4 browser baseline, MUI Grid2/`experimental_` removal, Material M2→M3 `--mdc-*` → `--md-sys-*` tokens). Registered.
- **`scripts/lib/migration/codemod-gen.cjs`** - pure, dep-free `emitCodemod(rule, { engine: 'jscodeshift' | 'ast-grep' })` → `{ ruleId, engine, kind, template }`. One template per rule kind; deterministic. Emits template **text only** - it never imports or runs jscodeshift/ast-grep.
- **`agents/ds-migration-planner.md`** - detects the DS + version from `package.json`, consults `reference/migrations/.md`, scores each affected component (visual-delta × usage × tests-affected), and emits codemod scaffolds to `.design/migration/` via `codemod-gen`. **Proposal-only**; long-tail DS fall back to a generic template.
- **`agents/design-verifier.md`** - an in-place note (net-zero, stays at the 700-line cap): when a DS migration is in flight, the verifier also asserts the migration preserved the contract (visual-diff within threshold, component API surface unchanged, tests pass) and treats an unmigrated high-impact rule as a gap.

### Notes

- **No new runtime dependency, no new egress** - `codemod-gen` is a pure text emitter; version detection is a local `package.json` read.
- 6-manifest lockstep at **v1.39.1** + `OFF_CADENCE_VERSIONS.add('1.39.1')` + the 30 live-pinned `manifests-version.txt` baselines forward-propagated 1.38.5 → 1.39.1.
- Inventory relock: registry-diff 153 → 157 (+4 rule libraries), agent-list +`ds-migration-planner` + both frontmatter-snapshots, tarball golden 694 → 700 (+6: 4 rule libraries + `codemod-gen.cjs` + `ds-migration-planner.md`). No skill/connection deltas.

---

## [1.38.5] - 2026-06-01

### Phase 38.5 - Deployment Coordination Loop

Bridges the gap between `/gdd:verify` passing and the design **actually being live**. `/gdd:ship` ends at "PR merged"; the post-merge journey (staging → canary % → 100% rollout) was invisible. 38.5 reads the feature-flag service (Phase 38's LaunchDarkly/Statsig/GrowthBook connections), tracks per-cycle rollout %, and weights the `design_arms` posterior by how widely a variant actually deployed. **No new runtime dependency, no new egress** (pure classifier + the Phase-38 read-only connections). **Read-only** - GDD reports + notifies; it never advances or rolls back.

### Added

- **`scripts/lib/rollout/rollout-status.cjs`** - pure, dep-free classifier: `classifyRollout` (`unrolled`/`staging-only`/`canary-N%`/`prod-100%`), `deployedPct`, `isStuck` (default 14 days), `deployedWeight` (linear). Deterministic.
- **`agents/rollout-coordinator.md`** - reads the flag service → classifies → writes `STATE.md ` → emits `rollout_*`/`verify_outcome` events → folds the outcome into `design_arms` weighted by `deployedPct` (a 10%-rolled variant counts 0.1; a 100% one counts 1.0). Read-only, notify-on-stuck.
- **`skills/rollout-status/SKILL.md`** (`/gdd:rollout-status [] [--all] [--stuck]`) - reports rollout state + surfaces stuck rollouts.
- **`reference/rollout-coordination.md`** - the `` schema + state transitions + the deployed_pct weighting + the events. Registered.
- **`reference/schemas/events.schema.json`** - the free-form `type` seed list gains `verify_outcome` / `rollout_started` / `rollout_advanced` / `rollout_stuck` (Phase 22 extension).

### Notes

- **No new runtime dependency, no new egress** - pure classifier; the flag-service reads reuse Phase 38's read-only connections.
- 6-manifest lockstep at **v1.38.5** + `OFF_CADENCE_VERSIONS.add('1.38.5')` + the 29 live-pinned `manifests-version.txt` baselines forward-propagated 1.38.0 → 1.38.5.
- Inventory relock: skill-list 76 → 77 (+`rollout-status`), agent-list 52 → 53 (+`rollout-coordinator`) + both frontmatter-snapshots, registry-diff 152 → 153, tarball golden 690 → 694 (+4), and the phase-20 `event-schema-snapshot.json` sha256 re-locked (the seed-list edit). Root `SKILL.md` command table + `command-count-sync` updated.

---

## [1.38.0] - 2026-06-01

### Phase 38 - Outcome-Driven Adaptation (A/B Variants + Inbound User-Research Signals)

Closes the external-outcome loop. The bandit's reward was **internal** (lint/test/visual pass-fail); it couldn't learn "which design pattern wins with **users**" because user-outcome signals never entered the system. Phase 38 adds two external signal sources - **A/B experiments** + **user research** - feeding a new `design_arms` posterior + the brief/verify loop. **No new runtime dependency** (a pure Beta-posterior store + injectable `fetch`; the platforms are opt-in, read-only).

### Added

- **`scripts/lib/ds-arms/design-arms-store.cjs`** - a pure `design_arms` posterior class, **distinct from the routing bandit** (`bandit-router.cjs`). Keyed by `(component_type, variant_pattern_hash)` (inline FNV-1a - no `crypto`), conservative **Beta(2, 8)** prior (mean 0.2 - a pattern earns trust from real outcomes). `variantKey` / `pull` / `observe` / `all`; atomic persist to `.design/telemetry/design-arms.json`. node-builtins only.
- **`reference/design-variants.md`** + **`design` `--variants N`** - N competing, hypothesis-tagged variants (``, default N=2); the design stage consults the posterior to bias generation - **advisory, never directive (the user always wins, D-03)**. Registered.
- **`connections/launchdarkly.md` + `statsig.md` + `growthbook.md`** - A/B **experiment-source** connections (read-only; never run experiments - D-04). **`agents/experiment-result-ingester.md`** maps variant→outcome by the primary metric + significance → `observe()` into `design_arms` → `experiment_result` event.
- **`connections/usertesting.md` + `maze.md` + `hotjar.md`** + **`agents/user-research-synthesizer.md`** - user-research sources (read-only, indexed insights). **PII guard (D-05): every payload routes through `scripts/lib/pseudonymize.cjs` BEFORE any agent context** - enforced by `test/suite/phase-38-pii-guard.test.cjs`. Synthesizes ranked findings (finding · frequency · severity) into the brief **``** block.
- **Verify cross-check** - `design-verifier` asserts each `` finding is addressed or explicitly deferred (unaddressed `critical`/`serious` = a gap).

### Notes

- **No new runtime dependency, no new egress** - pure Beta store + injectable `fetchImpl` (hermetic tests); the A/B + research platforms are opt-in user-connected MCP/API, read-only.
- The 6 outcome connections are **Active-table + onboarding entries** (27 → 33 onboarded), NOT pipeline-stage capability-matrix rows - outcome-ingest is post-pipeline (the Notion export-only precedent), so it does not occupy a stage column.
- 6-manifest lockstep at **v1.38.0** + `OFF_CADENCE_VERSIONS.add('1.38.0')` + the 28 live-pinned `manifests-version.txt` baselines forward-propagated 1.37.2 → 1.38.0.
- Inventory relock: connection-list 35 → 41 (+6), phase-20 agent-list 50 → 52 (+`experiment-result-ingester` + `user-research-synthesizer`) + both frontmatter-snapshots, registry-diff 151 → 152 (+`design-variants`), tarball golden 680 → 690 (+10). `design-verifier` augmented in place (stays at the 700 cap).

---

## [1.37.2] - 2026-06-01

### Phase 37.2 - Greenfield Design-System Bootstrap (`/gdd:bootstrap-ds`) - completes Phase 37

Second and **FINAL** sub-phase of the split **Phase 37** - completing it marks the **parent Phase 37 COMPLETE** (AI-Native Tools Wave 2 + Greenfield DS Bootstrap). Closes the greenfield gap: GDD assumed a design system already existed (in code or Figma) - a brand-new project has none. `/gdd:bootstrap-ds` turns a brand input into a coherent token system + proof components. **No new runtime dependency** - the token math emits native CSS `oklch()` (no color-conversion library).

### Added

- **`scripts/lib/ds/token-scale.cjs`** - a pure, dependency-free (zero `require`) token generator. `oklchScale(primary)` → 9 tint/shade stops as native CSS `oklch()`, anchored at the primary, lightness interpolated toward white/black, chroma damped at the extremes (no OKLab→sRGB conversion, no color library); `typeScale` (modular), `spacingScale` (4pt/8pt), `radiusScale`. Deterministic.
- **`reference/ds-bootstrap-rubric.md`** - greenfield emission rules: primary → 9 tints; **never more than 2 brand colors**; neutrals + semantic colors; type ratios 1.2/1.25/1.333; 4pt/8pt spacing; radius + motion defaults; the 3 variants; role-named CSS-custom-property emission + framework mapping; proof scaffolding. Registered (`type: heuristic`, `phase: 37.2`; 150 → 151).
- **`agents/ds-generator.md`** - brand-input → token system via `token-scale.cjs` + the rubric + `color-theory.md`. Emits **3 variants** (conservative / balanced / bold), the user picks one, then scaffolds **button / input / card** in the detected framework (web default; native via Phase 34). Never invents a brand; never overwrites an existing DS; proposal→confirm.
- **`skills/bootstrap-ds/SKILL.md`** (`/gdd:bootstrap-ds`) - brand-input intake (primary + secondary + tone tags + target framework) → `ds-generator`. 43 lines (≤100 Phase-28.5 contract).

### Notes

- **No new runtime dependency** (native `oklch()`), **no new egress**.
- 6-manifest lockstep at **v1.37.2** + `OFF_CADENCE_VERSIONS.add('1.37.2')` + the 27 live-pinned `manifests-version.txt` baselines forward-propagated 1.37.1 → 1.37.2.
- Inventory relock: skill-list 75 → 76 (+`bootstrap-ds`, both `current/` + `phase-20/`), phase-20 agent-list 49 → 50 (+`ds-generator`) + both frontmatter-snapshots, registry-diff 150 → 151, tarball golden 676 → 680 (+4); root `SKILL.md` command table + `command-count-sync` gate updated.
- **This completes the parent Phase 37 (AI-Native Tools Wave 2 + Greenfield DS Bootstrap).**

---

## [1.37.1] - 2026-06-01

### Phase 37.1 - AI-Native Tools Wave 2 (Framer + Penpot + Webflow + v0.dev + Plasmic + Builder.io)

First sub-phase of the split **Phase 37**. Schedules Phase 14's explicit backlog: six AI-native design tools, each under the existing connection capability contract (canvas | generator | shared probe). **No new runtime dependency, no new egress** - each tool is an opt-in user-connected MCP/API, probed via ToolSearch/env; absent → degrade-to-code-only.

### Added

- **`connections/framer.md`** + **`penpot.md`** + **`webflow.md`** - canvas-category specs. Framer (read frames + write proposals), Penpot (open-source Figma alt; self-hosted-vs-cloud probe), Webflow (read site structure as a design-adaptation source - not CMS authoring). Contribute at the **design** stage.
- **`connections/v0-dev.md`** + **`plasmic.md`** + **`builder-io.md`** - generator-category specs. v0.dev (MCP-first → REST + `V0_API_KEY`), Plasmic (dual: canvas read + code emission), Builder.io Visual Copilot (pull-only this phase). Drive the **generator** stage.
- **`agents/design-component-generator.md`** - Step-0 detection + `--tool` flag extended to `v0|plasmic|builder-io`, plus compact `` / `` / `` sections that cross-link to the connection specs (231 → 259, under the LARGE budget). Priority: magic-patterns > 21st.dev > v0 > plasmic > builder-io; `--tool` overrides.
- **`connections/connections.md`** + onboarding - 21 → 27 onboarded (6 Active rows + 6 capability-matrix rows: framer/penpot → canvas, webflow/v0/builder-io → generator, **Plasmic → canvas + generator dual**; probes + value-prop + setup matrix).

### Notes

- **No new runtime dependency, no new egress** - opt-in MCP/API connections; the generator never writes to `src/` without proposal→confirm.
- 6-manifest lockstep at **v1.37.1** + `OFF_CADENCE_VERSIONS.add('1.37.1')` + the 26 live-pinned `manifests-version.txt` baselines forward-propagated 1.36.3 → 1.37.1 (opens the v1.37.x arc).
- Inventory relock: connection-list 29 → 35 (+6), onboarding → 27, tarball golden 670 → 676 (+6). Registry unchanged (no `reference/` doc); no new skill/agent dir (the generator agent pre-exists).

---

## [1.36.3] - 2026-06-01

### Phase 36.3 - Knowledge Tier-3: Conversational UI - completes Phase 36

Third and **FINAL** sub-phase of the split **Phase 36 (Knowledge Tier 3)** - completing it marks the **parent Phase 36 COMPLETE** (domain packs 36.1 + motion-tool verification 36.2 + conversational UI 36.3 all shipped). Conversational UI was zero-coverage even though it's a real surface (chatbot empty-states, voice flow design, prompt-as-UX). **No new pillar, no new runtime dependency, no new egress** (reference markdown + an agent-prompt enum addition).

### Added

- **`reference/conversational-ui.md`** - voice-flow patterns (no-input / no-match reprompts, confirmation, human handoff), multi-turn dialogue (context carryover, slot-filling, repair), prompt-as-UX (the assistant persona/tone/boundaries as a versioned design artifact), chatbot empty-states + suggested replies, voice-first onboarding, and error recovery + accessibility (transcripts/captions). Carries a `## Detection signals` section + an `## Audit checklist`. Registered in `reference/registry.json` (`type: heuristic`, `phase: 36.3`; 149 → 150). CLI/REPL UX is out of scope this phase.
- **`agents/design-context-builder.md`** - Step 0E gains a **7th** project type `conversational` (enum 6 → 7). It routes to `design-executor` (a chat widget / voice-app card is still rendered code) **and loads `reference/conversational-ui.md`** for the interaction patterns. Detection from brief keywords (chatbot, voice, assistant, conversational) + `package.json` deps (`botpress`, `rasa`, `dialogflow`, `actions-on-google`, `ask-sdk-core`, `botframework`). The first six project types remain the Phase-34 rendered-output set; `conversational` is the Phase-36.3 interaction-surface type on the same axis.

### Notes

- **No new runtime dependency, no new egress.** Detection is the agent matching keywords/deps; no code, no network.
- 6-manifest lockstep at **v1.36.3** + `OFF_CADENCE_VERSIONS.add('1.36.3')` + the 25 live-pinned `manifests-version.txt` baselines forward-propagated 1.36.2 → 1.36.3.
- Inventory relock: registry-diff 149 → 150, tarball golden 669 → 670 (+`reference/conversational-ui.md`). No new connection/skill/agent dir. `design-verifier.md` deliberately untouched (it is at its 700-line cap; conversational verify rides the normal web path).
- **This completes the parent Phase 36 (Knowledge Tier 3) - domain packs + motion-tool verification + conversational UI.**

---

## [1.36.2] - 2026-06-01

### Phase 36.2 - Knowledge Tier-3: Motion-Tool Verification (Lottie + Rive)

Second sub-phase of the split **Phase 36**. Motion existed as a *principle* (Phase 18) but not as a *verifiable artifact* - Lottie/Rive ship animation exports + state machines and GDD never opened them. 36.2 adds a pure motion validator + two optional connections + a verify-time agent. **No new runtime dependency, no new egress** (pure `JSON.parse` + file checks; the Lottie player / Rive runtime are opt-in). Every motion finding is a **warning, never a blocker** (motion is creative, not contractually broken).

### Added

- **`scripts/lib/motion/validate-motion.cjs`** - a pure, dependency-free (zero `require`) motion validator. `validateLottie(json, {bytes, budgetBytes})` checks frame-rate sanity, non-positive duration, layer count, embedded-asset bloat, and the perf budget (rules `MO-PARSE/FR/DUR/LAYERS/IMG/BUDGET`); `motionBudget` is the shared byte-cap check; `riveHeader` is the `.riv` magic-byte sanity. Deterministic.
- **`connections/lottie.md`** - file-probe connection for Lottie JSON exports; static floor = `validateLottie`; the live player is opt-in; degrade-to-static → code-only.
- **`connections/rive.md`** - file-probe connection for Rive `.riv` exports. `.riv` is binary, so the deep state-machine graph (unreachable states, no-exit loops) needs the opt-in Rive runtime; the pure-JS floor is size + the `RIVE` header + a manual-review advisory.
- **`agents/motion-verifier.md`** - at verify time, discovers Lottie/Rive exports, runs `validate-motion.cjs`, enforces a perf budget (`motion_budget_kb`, fallback 200 KB), and WARNs. Reads-only.
- **`agents/design-verifier.md`** - Phase 4E motion hook (gate on exports → delegate to `motion-verifier` → degrade-to-noop).
- **`connections/connections.md`** + onboarding - 19 → 21 (Lottie + Rive Active rows, `verify` capability-matrix entries, file probes, value-prop + setup matrix).

### Notes

- **No new runtime dependency, no new egress.** The pure validator never opens the network; the Lottie player + Rive runtime are maintainer-supplied opt-ins (the print-render precedent).
- 6-manifest lockstep at **v1.36.2** + `OFF_CADENCE_VERSIONS.add('1.36.2')` + the 24 live-pinned `manifests-version.txt` baselines forward-propagated 1.36.1 → 1.36.2.
- Inventory relock: connection-list 27 → 29, phase-20 agent-list + frontmatter-snapshot += `motion-verifier`, onboarding → 21, tarball golden 665 → 669 (+4). Registry unchanged (no new `reference/` doc).

---

## [1.36.1] - 2026-06-01

### Phase 36.1 - Knowledge Tier-3: Domain Packs (finance + healthcare + gaming + civic)

First sub-phase of the split **Phase 36 (Knowledge Tier 3)**. Adds four industry-specific design-pattern reference packs and wires **domain detection** into the pipeline - closing the industry-lens gap (GDD shipped 18 generic design systems + foundational Tier-2, but no domain-specific patterns). Finance and healthcare especially carry regulatory constraints (PCI-DSS, MiFID II, HIPAA, Section 508) that bleed into UI. **No new pillar, no breaking scoring change, no new runtime dependency, no new egress** - pure reference markdown + agent-prompt edits; detection is keyword/dep matching done by the agent.

### Added

- **`reference/domains/finance-patterns.md`** - data-table density (tabular-nums, right-aligned numerics), trading-interface conventions (gain/loss never color-alone), regulatory disclosure placement (Reg-T, MiFID II cost & charges), PCI-DSS PAN masking, number-formatting precision, real-time data states.
- **`reference/domains/healthcare-patterns.md`** - HIPAA-aware PHI isolation (no PHI in URLs/logs/analytics), idle auto-logout, audit-trail-as-UI, MyChart-class flows, WCAG 2.1 AAA, medical-data visualization. Surfaces risk; does **not** certify compliance.
- **`reference/domains/gaming-patterns.md`** - HUD/diegetic UI taxonomy, vestibular + photosensitive safety (≤3 flashes/sec, reduced-motion + in-game toggles), ESRB/PEGI age-gates, input-model adaptation (controller/touch/KBM), TV-safe area.
- **`reference/domains/civic-patterns.md`** - Section 508 + WCAG 2.1 AA hard floor, multi-language gov forms (EN/ES/zh-Hans), Plain Writing Act (grade 6-8), USWDS, session-timeout warnings, one-thing-per-page forms.
- **`agents/design-context-builder.md`** - new **Step 0F (Domain Detection)**: a dispatcher table (keywords + `package.json` deps → pack) + the confidence rule (≥2 signals or any dep match → auto-apply; 1 weak keyword → suggest; none → skip) + a `` line in DESIGN-CONTEXT.md. Orthogonal to project-type.
- **`agents/design-auditor.md`** - **domain checklist addendum**: when a `` is active, also run that pack's `## Audit checklist` and fold findings into the relevant pillar (additive - never replaces the 7-pillar scoring).
- All four packs **registered** in `reference/registry.json` (`type: heuristic`, `phase: 36.1`); 145 → 149 entries.

### Notes

- **No new runtime dependency, no new egress.** Detection is the agent matching a small embedded signal table - no code, no network.
- 6-manifest lockstep at **v1.36.1** + `OFF_CADENCE_VERSIONS.add('1.36.1')` + the 23 live-pinned `manifests-version.txt` baselines forward-propagated 1.35.5 → 1.36.1 (opens the v1.36.x arc).
- The 31.5 tarball golden was regenerated as a reviewed delta: **+4** (the four domain packs), zero removals (661 → 665).

---

## [1.35.5] - 2026-06-01

### Phase 35.5 - Design-Artifact Export (`/gdd:export`)

Closes the gap that a completed cycle's design output (`EXPERIENCE.md`, `DESIGN.md`, `DESIGN-VERIFICATION.md`, the decision log, screenshots) lives only in the repo - stakeholders not in code can't consume it. `/gdd:export  --format html|pdf|notion` packages it into a shareable artifact. **No new runtime dependency** (D-02): `build-html.cjs` is a pure, dep-free assembler; the PDF format is the same HTML plus Paged.js-compatible `@page` print CSS that the user renders (GDD ships **no** PDF runtime); Notion is written via the Notion MCP. Every artifact is **redacted** (mandatory `scripts/lib/redact.cjs`); `--pseudonymize` masks git identity / paths / hostname for external sharing; `--pr` posts the HTML preview as a PR comment via `pr-commenter`.

### Added

- **`scripts/lib/export/build-html.cjs`** - a pure, dependency-free self-contained HTML assembler: inline `