feat(reference-v1.2.0): enforcement + bundles + self-dogfooding

Summary

Coordinated release with catalog v3.4.0 (pipeline!56 (merged)). Merge sequence: catalog v3.4.0-prep → tag catalog v3.4.0 → ci-tools image rebuilds → this MR's CI passes → merge this MR → tag reference v1.2.0. The CI on this MR will FAIL until catalog tags because v3.4.0 catalog pins won't resolve yet. That's the expected coordination.

Three load-bearing shifts

1. The reference contract is CI-enforceable

Catalog v3.4.0 ships the reference-check component. This MR wires it into every consumer template (templates/{lab,docs,paper}/.gitlab-ci.yml) AND the reference's own pipeline. The contract that was prose-only now blocks merges per the consumer's .reference.yaml adoption phase.

2. Sector bundles as practical aggregate facets

Four bundles (sector:dod, sector:health, sector:finance, sector:education) under compliance/sectors/<slug>.yaml. Consumer writes applicable_frameworks: [sector:dod] in one line instead of enumerating frameworks. The bundle is "frameworks a project shipping into that sector typically grades against" — not a finer-grained row-filtering subset. The matrix's row granularity stays framework-keyed; true row-level sector subsets are deferred to v1.3.0.

3. Self-dogfooding the catalog

Reference's own CI dropped 5 apk add chains and pins every light job to ci-tools:v3.4.0. The reference now consumes the catalog the way it teaches consumers to. Five jobs cleaner; ~25 lines of alpine band-aids removed.

Other substantive moves

  • Standards flipped to enforcing (per v1.0.0's published schedule): security-md (was already enforced in prose but not in SKILL.md frontmatter — drift fixed), agents-md (newly enforced, but contract is real now).
  • agents-md vacuity closed. The SKILL.md promised conditional .ai/<topic>.md files; check.sh enforced none. Closed by a new tenth primitive check_file_exists_when (per-assertion conditional; distinct from whole-standard applies_when_file). Deliberate vocabulary extension at v1.2.0 per the project's primitive-set convention.
  • applicable_standards → applicable_frameworks rename with backward-compat alias.
  • hipaa sector → health (framework yaml_key hipaa unchanged; Astro redirect for the URL).
  • SOX promoted from yaml_keys alias to a full framework entry with detail page.
  • Vale voice opt-outs via catalog's new disable_rules input. Voice rules suppressed (em-dash, "via", "GitLab's"), mechanical rules continue to fire.
  • Stale "planned for v3.1.0" / workaround prose swept across README, .ai/ci-cd.md, pipeline SKILL.md, every template, every site page.
  • VERSION bump v1.1.0 → v1.2.0; CATALOG-VERSION bump v3.3.0 → v3.4.0. make sync propagated.

Test plan

  • Local make ship green (verified: validate + guard + check-self + capture + build + agent all pass)
  • After catalog v3.4.0 tags + ci-tools rebuilds: MR CI green
  • After merge: main pipeline runs reference-check against the reference itself — should pass with the documented self-exemptions applied
  • After tag: make new-project TEMPLATE=lab produces a project with reference-check wired in by default

Stats

55 files, 1507+/295-.

Explicitly deferred to v1.3.0

  • True row-level sector control subsets in unified.yaml
  • Other "introduced" standards' enforcing flips per the v1.0.0 schedule (contributing, changelog, ai-assisted at +60 days; design, llms-txt at +90 days)
  • The 21-file "stale catalog version" sweep is included in this MR; further follow-up at v1.3.0 if any drift accumulates

Supersedes

Closes the closed-without-merge sector-bundles branch (was MR !7 (closed)). All bundle work carries forward in this MR, reframed as "practical aggregate facets."
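How a consumer's `applicable_frameworks` list (or the old `applicable_standards` key) could be expanded when it carries `sector:<slug>` bundle entries, as an added illustration that is not the reference project's own code; the bundle file contents, framework names and the `hipaa` → `health` alias table are constructed stand-ins, not the project's schema.

```python
# Added illustration (not the reference project's own code): resolving a consumer's
# applicable_frameworks list when it may contain sector bundle aliases (sector:<slug>)
# and when the old key applicable_standards is still present as a backward-compat alias.
# The bundle layout, framework names and key handling are assumptions, not the schema.
from typing import Dict, List

# Constructed stand-in for what compliance/sectors/<slug>.yaml might list (assumed).
SECTOR_BUNDLES: Dict[str, List[str]] = {
    "dod": ["nist-800-53", "cmmc"],
    "health": ["hipaa"],
    "finance": ["sox", "pci-dss"],
    "education": ["ferpa"],
}

# Renamed bundle slugs kept resolvable for consumers that still use the old name.
SECTOR_ALIASES: Dict[str, str] = {"hipaa": "health"}


def resolve_frameworks(config: Dict) -> List[str]:
    """Return the flat, de-duplicated framework list for a .reference.yaml mapping.

    Prefers the new key applicable_frameworks, falls back to the old key
    applicable_standards, expands sector:<slug> entries via SECTOR_BUNDLES,
    and raises on an unknown bundle so a typo fails the check instead of
    silently grading against nothing.
    """
    if "applicable_frameworks" in config:
        entries = config["applicable_frameworks"]
    else:
        entries = config.get("applicable_standards", [])  # backward-compat alias
    resolved: List[str] = []
    for entry in entries:
        if entry.startswith("sector:"):
            slug = entry.split(":", 1)[1]
            slug = SECTOR_ALIASES.get(slug, slug)  # hipaa -> health
            if slug not in SECTOR_BUNDLES:
                raise ValueError(f"unknown sector bundle: {entry}")
            members = SECTOR_BUNDLES[slug]
        else:
            members = [entry]  # a plain framework key passes through unchanged
        for fw in members:
            if fw not in resolved:  # keep first occurrence, drop duplicates
                resolved.append(fw)
    return resolved
```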
