docs/coding-policy-audit.md
This file defines how to run an exhaustive audit against
docs/coding-policy.md. It does not define coding standards, add exceptions, or
weaken the policy. If this procedure and the policy disagree, the policy wins
and this procedure must be corrected before the audit is accepted.
An auditor reads both files in this order:
docs/coding-policy.md: the source of truth for standards, scope, examples,
and completion requirements.docs/coding-policy-audit.md: the execution protocol used to prove that the
policy was checked completely and evenly.No sampling. Every in-scope file, policy rule, sibling group, cross-file dependency, hot-path surface, and required verification gate is represented by an artifact row.
No cherry-picking. A local fix is incomplete until comparable files and the affected group rows are checked to the same depth.
No unstated memory. Previous conversations, old audit notes, and prior summaries may suggest probes, but they are not evidence until rechecked against the current worktree and recorded in the current artifacts.
No summary-only evidence. Counts, grep success, formatter success, or reviewer summaries do not prove a cell unless the underlying row names what was inspected and why the verdict follows.
Use precise result labels. A run is an exhaustive audit only when the Completion Gate is satisfied. Until then, or when the requested scope is intentionally narrower, report the work as a targeted review, fix pass, gate check, or pending audit according to the artifacts actually produced.
The worktree under review is the audit target. Start from git ls-files, then
add any untracked files intended for the audited change set. Apply the
policy's Scope section to that combined file set.
All artifacts are regenerated after meaningful fixes. Stale rows are treated
as pending, not reused as proof.
Run this procedure:
docs/coding-policy.md, on every file whose
verdict may change because of the revision;Each audit run writes artifacts to a single run directory. The directory can be temporary, but it must be named in the final report. Every TSV has a header row, uses one row per checked unit, and has the declared column count on every row. Fields contain no literal tabs or newlines; do not use CSV quoting as an escape mechanism. Lists inside a field use JSON arrays or a stable comma-separated format.
Every countable row has a stable key. The key is either an explicit id column or
the declared natural key for that artifact, such as path plus criterion_id
in file_matrix.tsv. Fields named criterion_id or criterion_ids reference
existing criteria.tsv rows. Missing keys, duplicate keys, unknown criteria,
invalid enum values, empty evidence, broken evidence references, missing
expected keys, unexpected keys, column-count mismatches, and row-count
mismatches are audit failures. Expected matrix keys are derived before verdicts
are written, not inferred from the produced rows afterward.
criteria.tsv
criterion_id, policy_lines, policy_path,
criterion_type, rule_text, example_families.criterion_type is one of file, cross_file, group, process, or
command.policy_coverage.tsv
policy_line, line_text, coverage_kind, criterion_ids,
evidence.docs/coding-policy.md to one or more
criteria, or marks it as structural text.coverage_kind is criterion or structural. Criterion rows name one or
more criteria; structural rows explain why no criterion is needed.scope.tsv
path, source, scope_status, reason, policy_lines.source is tracked or untracked_intended; scope_status is
included or excluded.group_inventory.tsv
path, group_id, group_kind, peer_paths,
singleton_reason.hot_path_inventory.tsv
hot_path_id, policy_lines, hot_path_kind, paths,
entry_points, cost_risks_checked, verdict, evidence_ref.docs/coding-policy.md.cost_risks_checked names the concrete risks inspected, such as allocation,
copying, conversion, bounds-check, dispatch, SIMD, inlining, or lock costs.cross_dependencies.tsv
dependency_id, dependency_kind, paths, criterion_ids,
policy_lines, derivation.criterion_ids is non-empty and names the exact criteria the dependency
exercises.languages arrays, generated/manual
pairs, widget conventions, proper-noun usage, release notes against code
diffs, and test coverage against changed behavior.file_matrix.tsv
path, criterion_id, verdict, evidence, evidence_ref.criterion_id set matches criteria.tsv
exactly: no omissions, extras, or duplicates.pass only when the
evidence explains why the file cannot violate the criterion and names the
artifact row that carries the authoritative check.cross_matrix.tsv
dependency_id, criterion_id, verdict, evidence,
evidence_ref.criterion_id set matches that dependency's
cross_dependencies.tsv row exactly.group_uniformity.tsv
group_id, criterion_id, verdict, evidence,
evidence_ref.process_matrix.tsv
gate_id, criterion_id, policy_lines, verdict, evidence,
evidence_ref.criteria.tsv.findings.tsv
finding_id, source_artifact, source_row, severity,
path_or_dependency, criterion_id, finding, proposed_fix.severity is one of blocker, high, medium, or low. Use blocker
when completion cannot be trusted, high for broad or user-visible policy
risk, medium for localized policy violations, and low for narrow
cleanup. Severity is not based on fix size.fix, review, or pending verdict ever discovered in the
run.pass matrix row without a corresponding finding row is an artifact
failure. Fixed findings remain in this file and are resolved through
classifications.tsv.finding_distribution.tsv
probe_family, criterion_ids, finding_ids, finding_count,
coverage_evidence_ref, imbalance_verdict, rationale.coverage_evidence_ref names the concrete artifact rows or commands that
performed the comparable probe; this is required even when finding_count
is zero.imbalance_verdict is pass, review, or pending.classifications.tsv
finding_id, disposition, design_intent, rationale,
action_ref.fixed, accepted, or deferred_blocker.accepted covers both false positives and true findings kept by a
documented rationale; the rationale requirements are defined in the
classification phase.deferred_blocker disposition blocks completion.command_evidence.tsv
command_id, cwd, command, trigger, exit_status,
key_output, artifact_ref.exit_status is a process exit code when the command ran, or not_run when
user direction or the environment prevents execution. not_run rows name
the blocker in key_output, and the related process gate remains pending.current-diff.patch
audit_summary.json
Every artifact verdict is one of:
pass: the criterion is satisfied, with concrete evidence.fix: the criterion is violated and the file or group must change.review: the criterion may be violated and needs semantic judgment.pending: required evidence, verification, artifact generation, or review is
incomplete.Do not use not applicable as a verdict. If the local file has no surface for a
criterion, record pass with evidence that names the absence and points to the
cross-file, group, process, or command row that performs the real check.
Evidence is substantive only when it:
Search output, file inventories, formatter success, test success, and reviewer summaries are probes or command evidence, not findings by themselves. A finding names the inspected line or artifact row, the policy criterion, and, for cross-file or group concerns, the peer or dependency evidence that makes the issue actionable.
evidence_ref holds one or more references separated by semicolons. Each
reference is a path:line or path:first-last location, a bare path for a
whole-file check, or an artifact-row reference — process:<gate_id>,
cross:<dependency_id>, group:<group_id>, command:<command_id>, or
hotpath:<hot_path_id> — naming the row that carries the authoritative check.
Any other form, or a reference to a row that does not exist, is a broken
evidence reference. After fixes, line references are rechecked against the
current file content before completion is claimed.
The criteria extracted from the policy are authoritative. This section is a
minimum guard against common omissions; if the policy later adds a category, the
new category is still required through policy_coverage.tsv.
Artifacts must contain explicit rows for at least these probe families:
Source code: hot-path inventory, hot-path performance, symbol naming, file and
directory naming, ordering, comments, formatting, sibling-group consistency,
exception groups, parallel mirrors, and .pyi effective defaults.
Comments: English-only comments, intent-bearing comments, required headers for long blocks, group separator symmetry, label-vs-sentence punctuation, documentation-comment bans, domain convention comments, and self-contained wording.
Testing: behavior that needs unit coverage, behavior left to screenshot or
manual coverage, test claims that can actually fail, deterministic assertions,
and test inclusion in make test.
Documentation: natural prose, Japanese spacing, Japanese technical loanword spellings, parenthesis width, translation source chains, target-language conventions, product names, other proper nouns, and context labels that stand in for product names.
Release notes: user benefit, maintainer breadcrumb, sub-change splitting, release-relative grouping, unshipped-change folding, category-specific wording, line length, diff verification, and documentation wording bundles.
Verification: scope exclusions, generated or toolchain-output files, code-side aspects of prose files, formatter/lint/test triggers, targeted structured-file checks, and rerun requirements.
Policy-document conventions: section placement, incident folding,
authoritative enumerations, e.g. sub-bullet usage, language-specific rule
statements, and whole-file balance after policy revisions.
Enumeration freshness: every authoritative enumeration in the policy (hot
paths, adopted spellings, product names, scope exclusions) is checked against
the current repository for members the code has added but the list has not.
Policy-named sibling and exception group examples are checked for current
paths and rationales, but exhaustive group coverage comes from
group_inventory.tsv, not from the examples.
Run phases in order. A phase cannot close with pending, stale artifacts,
schema errors, or row-count errors. fix and review verdicts move to
classification and repair; verification and completion remain blocked until they
are resolved.
Freeze the audit target.
git status --short, and artifact directory.current-diff.patch, including tracked changes and intended
untracked files.scope.tsv even before they are staged.Extract criteria from the policy.
docs/coding-policy.md from top to bottom.policy_coverage.tsv.Build scope and groups.
git ls-files.git status --short.Build cross-file dependencies before judging files.
pending.Build the hot-path inventory.
hot_path_inventory.tsv, but it
does not replace the inventory row.Fill the file matrix.
Fill the cross-file and group matrices.
Probe for imbalance.
finding_distribution.tsv.pending.Classify and fix findings.
review findings, decide whether the current state follows policy
intent or needs a change.accepted disposition requires a policy-derived rationale, or a design
rationale that does not contradict the policy, in classifications.tsv. A
category name alone is not evidence.docs/coding-policy.md first;
otherwise keep the rationale local to the finding.Regenerate artifacts after fixes.
Run verification commands.
make format after code or formatter-managed document changes.make lint and make lint-wasm after code or web changes.make test after code changes.jq empty for
JSON.git diff --check.command_evidence.tsv.pending with the reason; do not
infer pass from file inspection or neighboring commands.Run independent review.
pending; do not claim
completion.When the audit is split across multiple auditors, the lead auditor gives each auditor:
docs/coding-policy.md;Delegated work is not accepted from summaries. The lead auditor reads the
delegated rows, checks the evidence, and marks weak or copied evidence
pending. If assignments overlap, conflicting verdicts are resolved by
re-reading the files and updating the artifacts.
The audit is complete only when all conditions are true:
policy_coverage.tsv covers every non-blank line of
docs/coding-policy.md.scope.tsv contains every tracked file and every intended untracked file,
either included or excluded with a policy-backed reason.group_inventory.tsv assigns every included file to a group or singleton.file_matrix.tsv covers every included-file and criterion pair exactly once;
its row count equals included-file count multiplied by criteria count, and
every included file has exactly the criterion set from criteria.tsv.hot_path_inventory.tsv covers every policy-listed hot-path family, and every
row verdict is pass.cross_matrix.tsv covers every dependency and exact dependency/criterion pair
declared by cross_dependencies.tsv exactly once.group_uniformity.tsv covers every group and every required group/criterion
pair exactly once, plus any file or cross-file criterion routed to a group
row.process_matrix.tsv covers every repository-level and command-level policy
requirement, and every process or command criterion in criteria.tsv.command_evidence.tsv records every required and targeted command with its
working directory, exit status, and key output.current-diff.patch includes every changed tracked file and every intended
untracked file.pass matrix verdict has a corresponding row in findings.tsv.findings.tsv has a resolved row in classifications.tsv.finding_distribution.tsv covers every named probe in the Minimum Probe
Families, and every imbalance_verdict is pass.classifications.tsv contains no deferred_blocker.audit_summary.json reports zero row-count mismatches, zero column-count
mismatches, zero invalid enum values, zero duplicate keys, zero missing
expected keys, zero unexpected keys, zero empty evidence fields, zero broken
evidence references, and zero stale artifacts.Do not claim completion before the gate is satisfied. If any condition is
uncertain, the verdict is pending.