feat(#218): audit-skill artefact persistence + canonical structure

[atlas-apex]

Summary

• New shared library .claude/hooks/_lib-audit-history.sh (4 functions: audit_resolve_dir, audit_run_persist, audit_run_list, audit_render_trend) generalises /launch-check's existing per-run persistence convention to the whole audit-skill family
• Pilot retrofits on /threat-model and /security-review — both now persist a JSON + MD pair per run and render the trend section after each invocation
• /launch-check refactored to consume the lib without behaviour change. JSON is a superset preserving the legacy scores{} map (so the existing chart renderer plots the same shape) plus the canonical generic fields (so the lib's trend renderer reads it). Adopters' existing history at the legacy path is read-merged transparently — no mv required, no destructive migration
• 11 lib tests covering write/read/derive/preserve/marker/sort/legacy-path/silent/render/dispatch/regression-merge — all passing
• Per-dim canonical templates at templates/audits/threat-model.md and templates/audits/security-review.md (reference material; per-skill bodies are inline per AgDR-0019)
• Follow-up [Chore] Retrofit remaining 7 audit skills onto _lib-audit-history.sh #221 filed for the remaining 7 audit skills (compliance-check, accessibility-audit, performance-audit, seo-audit, monitoring-audit, docs-audit, analytics-audit) — mechanical retrofit per the pattern proven here

Why this matters

Before this PR the audit family was inconsistent: /launch-check persisted (since #183) and rendered a trend chart; the other nine audit skills wrote only to stdout and disappeared as soon as the terminal scrolled. Comparing two threat models from a quarter apart was an exercise in reading two different free-form essays. After this PR every audit run produces a structurally consistent on-disk artefact with parseable frontmatter, and the trend renderer renders identically across all dimensions.

The launch-check refactor is the load-bearing piece: it changes how persistence happens (lib-driven instead of inline) without changing what operators see (chart shape unchanged, existing history preserved). The regression test (case 11) confirms the legacy + canonical path merge keeps adopters' existing history visible on the first post-refactor run.

The decision airing in AgDR-0019 covers the four load-bearing calls (paired JSON+MD, rigid common-denominator findings shape, non-destructive backward compat, four discrete shell functions). The technical design at docs/technical-designs/audit-artefact-persistence.md embeds a Mermaid C4 L3 component diagram and a Mermaid DFD showing the audit subsystem boundaries.

Testing

• Lib tests: bash .claude/hooks/tests/test_audit_history.sh → 11 passed, 0 failed
• Lib syntax: bash -n .claude/hooks/_lib-audit-history.sh → OK
• Regression test for launch-check (case 11): one run in legacy path + one run in canonical path → both dates appear in the rendered chart
• Stats derivation (case 3): payload with 2 high + 1 medium → stats.by_severity.high=2, .medium=1
• Marker semantics (case 5): absent → runs/ ignored; present → !runs/*.json un-ignored
• Reviewer can spot-check the lib's jq invocations (the schema-augmentation jq in audit_run_persist and the frontmatter-generation jq next to it are the two non-trivial pieces)
• Reviewer can confirm the launch-check Step 6 rewrite preserves the JSON superset shape (legacy scores{} / branch / commit / top_risks[] AND new dimension / score / findings[] / stats{} / schema_version)
• Manual smoke test post-merge: invoke /threat-model against any registered project, confirm projects/<name>/audits/threat-model/<ts>.md is written with valid frontmatter

Glossary

Term	Definition
Audit-history lib	.claude/hooks/_lib-audit-history.sh — shared shell library with four functions handling persistence + trend rendering for all audit skills. Sourced by SKILL.md flows.
Per-run JSON	The trend-renderer's input file at projects/<name>/audits/<dimension>/runs/<ts>.json. Schema includes ts, dimension, verdict, score, findings[], stats{}, plus dimension-specific extras (e.g. launch-check preserves scores{} + branch + commit + top_risks[]).
Per-run MD	The durable human-readable artefact at projects/<name>/audits/<dimension>/<ts>.md. Frontmatter is generated by the lib from the JSON; body is freeform per dimension.
Findings shape	The common denominator across all nine audit dimensions: {id, severity, status, summary} per finding. Per-dimension nuance (STRIDE category, OWASP class, WCAG criterion) lives in the MD body via per-dim templates.
Headline score	A single 0-100 number per run plotted on the trend chart's Y-axis. Generic skills derive it from severity-weighted finding count; /launch-check keeps its existing mean(scores.*) derivation for byte-equal chart output.
Legacy + canonical merge	audit_run_list reads JSON files from BOTH projects/<name>/audits/<dim>/runs/ (canonical) AND projects/<name>/launch-check/runs/ (legacy, launch-check only) so adopters' existing trend history isn't orphaned by the path change.
Opt-in commit marker	.audit-history-tracked — presence-only file inside the dimension's audit dir that flips the runs/ .gitignore from "ignore everything" to "un-ignore *.json". MD artefacts are committed unconditionally.
Verdict	One of pass / conditional / fail (generic vocabulary). /launch-check keeps its four-state vocabulary (go / go-with-warnings / conditional-go / no-go) in its body, but maps to the generic three-state in the frontmatter for cross-dim consistency.

🤖 Generated with Claude Code

[atlas-apex]

Code Review: PR #222

Commit: 0498641505d6ce5fc1cf08553744ae77bcc497b2

Summary

Generalises /launch-check's per-run persistence convention into a shared bash lib (_lib-audit-history.sh, 4 functions) and pilots it on /threat-model + /security-review. /launch-check is refactored to consume the lib without behaviour change — JSON is a SUPERSET preserving the legacy scores{} map AND adding canonical dimension/score/findings[]/stats{}/schema_version. Legacy path read-merged transparently. AgDR-0019 captures the four load-bearing decisions. 11 lib tests pass locally (re-run on review: all green).

Checklist Results

• Architecture & Design: Pass — clean separation; lib mirrors existing _lib-*.sh shape; dispatch-to-legacy for launch-check is a sensible bridge.
• Code Quality: Pass — bash is readable, jq invocations are correct, error paths return non-zero with stderr context.
• Testing: Pass — 11 cases cover all AC claims (write/read/derive/preserve/marker/sort/legacy/silent/render/dispatch/regression-merge); case 11 specifically validates the load-bearing legacy+canonical merge for /launch-check.
• Security: Pass (N/A — no auth/crypto/secrets touched).
• Performance: Pass — jq calls are bounded (one per file in trend window, default 5).
• PR Description & Glossary: Pass — 8-row glossary covers every new term (audit-history lib, per-run JSON/MD, findings shape, headline score, legacy+canonical merge, opt-in commit marker, verdict).
• Technical Decisions (AgDR): Pass — AgDR-0019 captures all four decisions (paired JSON+MD, rigid common-denominator findings, non-destructive launch-check backcompat, four-function shell lib) with options-considered tables and explicit per-decision rationale per the AgDR template.

Verifications performed

1. audit_run_persist jq (lines 165-180 of lib): correct. Schema-augmentation uses $in + {…} so caller-provided fields like launch-check's scores{} / branch / commit / top_risks[] survive untouched. Stats derivation reduces over findings[] only when stats is absent — case 4 confirms explicit stats are preserved.
2. Frontmatter jq (lines 188-204): emits valid YAML, ((.stats // {}).by_severity.X // 0) correctly fallbacks to 0 for every severity bucket.
3. audit_run_list legacy merge (lines 249-268): canonical + legacy paths globbed, ts-sorted ascending. Cases 7 + 11 both green.
4. Launch-check Step 6 superset: payload example at SKILL.md:249-265 includes both legacy fields (scores, branch, commit, top_risks) and canonical (findings[] derived from per-dimension scores). After lib augmentation, JSON contains both — no field loss. Legacy render-trend.sh keeps reading ts/scores/verdict unchanged.
5. Pilot SKILL retrofit consistency: both /threat-model Step 5 and /security-review Persist section use identical score formula (max(0, 100 - 25*crit - 10*high - 3*med - 1*low)), identical verdict mapping (worst-severity rule → pass/conditional/fail), identical lowercase-severity rule, identical marker semantics.
6. Commit format: both commits match type(#218): description (docs + feat).
7. AgDR template conformance: AgDR-0019 has the canonical context/options-considered/decision/consequences/artifacts sections; each of the four decisions has its own options table.

Issues Found

None blocking.

Suggestions (non-blocking, optional)

• The launch-check dispatch in audit_render_trend (line 309-318) stages files into a tmp dir then rm -rfs it — works fine, but if render-trend.sh ever grows to tail-on-stdin (unlikely) the staging becomes redundant. Worth a comment pinning the contract; current comment at lines 304-308 already covers this. Fine as-is.
• audit_render_trend's generic ASCII chart (lines 359-384) duplicates render-trend.sh shape. Acceptable for now; AgDR-0019 explicitly defers full absorption of render-trend.sh to a follow-up.
• Follow-up #221 captures the remaining 7 retrofits — mechanical, well-scoped, no review concerns from this PR.

Verdict

APPROVED

The two-commit shape (docs first, then feat) is exemplary. Schema-superset approach for launch-check + read-merged legacy path is the right backcompat call — the regression test (case 11) makes that explicit. Pilot retrofits are clean and consistent. Ship it.

---

🤖 Reviewed by Rex (Code Reviewer Agent)
📌 Reviewed commit: `0498641505d6ce5fc1cf08553744ae77bcc497b2`

[atlas-apex]

Re-Review: PR #222 (follow-up commit)

Commit: fbda3d3e86a5daff58d930bbafc8e467d2b62c01

Verification

• Diff confirmed: +1/-0, single blank line inserted after Design rationale: heading at .claude/skills/launch-check/SKILL.md:358 to satisfy markdownlint MD032
• No content changes — purely a CI-fix
• All 4 CI checks green: markdownlint-cli2, lychee, shellcheck, Verify Ticket ID
• Load-bearing decisions untouched: shared lib API (_lib-audit-history.sh), JSON+MD artefact pair, launch-check superset schema, and legacy+canonical merge strategy all unchanged from prior approval at 0498641505d6ce5fc1cf08553744ae77bcc497b2

Verdict

APPROVED — prior approval still applies in spirit; the markdownlint fix is the minimum mechanical change to unblock CI.

(Posted as comment because GitHub disallows self-approval; approval marker written at .claude/session/reviews/222-rex.approved.)

---

🤖 Reviewed by Rex (Code Reviewer Agent)
📌 Reviewed commit: fbda3d3e86a5daff58d930bbafc8e467d2b62c01