From 2b571161141dffc2a161ea5897f80b3c3385f954 Mon Sep 17 00:00:00 2001
From: Diego Mauricio Lagos <diego.lagosmorales@pagopa.it>
Date: Tue, 21 Apr 2026 20:47:44 +0200
Subject: [PATCH 1/6] feat(sync): enhance sync contract and internal audit
 skills with critical rule mirroring guidance

---
 .../SKILL.md                                                    | 1 +
 .../references/sync-contract.md                                 | 1 +
 .github/skills/internal-copilot-audit/SKILL.md                  | 2 ++
 3 files changed, 4 insertions(+)

diff --git a/.github/skills/internal-agent-sync-global-copilot-configs-into-repo/SKILL.md b/.github/skills/internal-agent-sync-global-copilot-configs-into-repo/SKILL.md
index a822816..4dcd4c9 100644
--- a/.github/skills/internal-agent-sync-global-copilot-configs-into-repo/SKILL.md
+++ b/.github/skills/internal-agent-sync-global-copilot-configs-into-repo/SKILL.md
@@ -26,6 +26,7 @@ The paired agent should not restate default mode handling, preserved `local-*` b
 - Treat this repository as the source of truth.
 - Keep target assumptions narrow: GitHub Copilot assets live under `.github/` and `AGENTS.md` stays at repository root.
 - Preserve target `local-*` assets under mirrored categories, preserve the target consumer-local GitHub instructions overrides file after materialization, and delete target-only non-local assets there during `apply`.
+- When consumer-local creator bundles depend on shared runtime-critical rules, mirror those rules inside each creator bundle as source-managed files and keep the mirror paths registered in the source inventory and target manifest; do not rely on cross-bundle references or unsynced local-only resources for creator runtime behavior.
 - When the source baseline includes an approved imported-asset override registry plus replay patches, mirror that governance bundle as source-managed state instead of recreating target-local hidden forks on imported assets.
 - Exclude source resources named `internal-sync-*` from consumer mirroring and remove any target copies of those resources during `apply`.
 - Materialize the source template `.github/copilot-instructions.override.md.template` into the consumer target as the consumer-local copilot instructions override file when that target file is missing, then preserve target-authored changes there on later sync runs.
diff --git a/.github/skills/internal-agent-sync-global-copilot-configs-into-repo/references/sync-contract.md b/.github/skills/internal-agent-sync-global-copilot-configs-into-repo/references/sync-contract.md
index b01c0d2..66dbf2e 100644
--- a/.github/skills/internal-agent-sync-global-copilot-configs-into-repo/references/sync-contract.md
+++ b/.github/skills/internal-agent-sync-global-copilot-configs-into-repo/references/sync-contract.md
@@ -24,6 +24,7 @@ Mirror or structurally align these source-managed paths into the consumer reposi
 Do not sync `README.md`, changelogs, other workflows, templates, or bootstrap helpers unless the user explicitly expands scope.
 Do not sync consumer-facing resources whose file or directory name starts with `internal-sync-`; those remain source-only operational controls for the standards repository.
 Treat `LESSONS_LEARNED.md` as a structure-managed exception: sync the source template and contract, but preserve target-authored pending lesson rows instead of copying source rows into consumer repositories.
+When a consumer-local creator depends on shared runtime-critical rules, keep a self-contained mirror of those rules inside the creator bundle and track the mirror path in the source inventory plus the target `.github/copilot-sync.manifest.json`; do not assume cross-bundle references or target-local extras will be present at runtime.
 
 ## Target Rules
 
diff --git a/.github/skills/internal-copilot-audit/SKILL.md b/.github/skills/internal-copilot-audit/SKILL.md
index bb5a56f..ccaddea 100644
--- a/.github/skills/internal-copilot-audit/SKILL.md
+++ b/.github/skills/internal-copilot-audit/SKILL.md
@@ -28,6 +28,7 @@ Treat the declared governance contract in the relevant agent, root `AGENTS.md`,
 - Detect sync workflows that skip or fail to report governance review for `.github/copilot-instructions.md` and root `AGENTS.md`.
 - Detect naming violations and stale inventory references.
 - Detect governance files that still describe removed, renamed, or retired assets.
+- Detect catalog retirements or remaps that were not propagated in the same change to the local sync command center, `.github/scripts/validate-copilot-customizations.py`, and `.github/scripts/internal-sync-copilot-configs.py`.
 
 ## Audit Order
 
@@ -69,3 +70,4 @@ When a repository-owned internal replacement exists, prefer deleting the weaker
 - Keeping source-side command-center assets in consumer sync scope
 - Keeping upstream assets whose only value is historical familiarity
 - Treating stale inventory references as harmless
+- Retiring or remapping managed skills or agents without updating the local sync command center, validator, and sync script in the same change

From a7cc23f1f56afa490301f2f31ad0f8adc3b00960 Mon Sep 17 00:00:00 2001
From: Diego Mauricio Lagos <diego.lagosmorales@pagopa.it>
Date: Tue, 21 Apr 2026 22:47:00 +0200
Subject: [PATCH 2/6] feat(planning): refine planning policies and execution
 guidelines for repository-owned tasks

---
 .../agents/internal-planning-leader.agent.md  |  3 +-
 .github/copilot-instructions.md               | 10 ++--
 .../skills/internal-executing-plans/SKILL.md  |  4 +-
 .../skills/internal-writing-plans/SKILL.md    | 51 ++++++++++++-----
 .../internal-writing-plans/agents/openai.yaml |  2 +-
 AGENTS.md                                     |  7 ++-
 tests/test_plan_policy_contract.py            | 56 +++++++++++++++----
 7 files changed, 98 insertions(+), 35 deletions(-)

diff --git a/.github/agents/internal-planning-leader.agent.md b/.github/agents/internal-planning-leader.agent.md
index 7eaac83..1615350 100644
--- a/.github/agents/internal-planning-leader.agent.md
+++ b/.github/agents/internal-planning-leader.agent.md
@@ -31,6 +31,7 @@ You are the planning, authoring, and decision owner for non-trivial operational
 
 - Make assumptions, tradeoffs, and the selected direction explicit.
 - Own non-trivial repository-owned authoring for agents, skills, instructions, routing, and governance updates.
+- Do not create retained plan artifacts for clear, local, quick, or banal tasks; keep that planning ephemeral in chat.
 - Do not default into implementation once the design is settled; recommend the right next owner instead.
 - When the user is unsure which operational lane fits, treat that ambiguity as planning-owned until a clearer direct owner emerges.
 - Treat `obra-using-superpowers` as upstream workflow guidance, not as proof that every referenced tool contract or runtime term maps 1:1 to this repository's GitHub Copilot environment.
@@ -60,5 +61,5 @@ You are the planning, authoring, and decision owner for non-trivial operational
 ## Mode Guidance
 
 - Brainstorming mode: prefer `obra-brainstorming` when requirements, solution shape, or user intent are still fluid.
-- Plan-authoring mode: prefer `internal-writing-plans` when repository-owned work needs an execution plan under `tmp/superpowers/` and the local multi-file plan policy applies.
+- Plan-authoring mode: prefer `internal-writing-plans` only when repository-owned work needs a retained execution plan under `tmp/superpowers/` because the work crosses turns, macro-categories, handoff or tracking needs, or explicit tradeoffs. Keep planning in chat for clear, local, quick, or banal tasks.
 - Plan-execution oversight: prefer `internal-executing-plans` when an approved repository-owned plan is being applied and the `done-*` loop or blocker handling must stay explicit.
diff --git a/.github/copilot-instructions.md b/.github/copilot-instructions.md
index 7168b99..68feb05 100644
--- a/.github/copilot-instructions.md
+++ b/.github/copilot-instructions.md
@@ -8,7 +8,7 @@ You are an expert software and platform engineer. Protect correctness, security,
 - Inspect nearby files before editing and follow the existing naming, frontmatter, and directory patterns.
 - Use only repository evidence that exists on disk. Do not invent runtimes, validators, sync flows, or test suites.
 - Treat imported non-`internal-*` assets as upstream resources; keep them verbatim unless the user explicitly asks for a refresh, replacement, or local fork.
-- Do not edit imported upstream assets in place unless the need is strong, the user explicitly counter-validates the exception, and the replay patch is registered in the `internal-agent-sync-control-center` bundle in the same change.
+- Do not edit imported upstream assets in place unless the need is strong, the user explicitly counter-validates the exception, and the replay patch is registered in the `internal-agent-sync-external-resources` bundle in the same change.
 
 ## Precedence And Projections
 
@@ -77,12 +77,14 @@ You are an expert software and platform engineer. Protect correctness, security,
 
 ## Superpowers Plan Policy
 
-- For repository-owned planning work, create or reuse a task folder at `tmp/superpowers/<clear-action-or-task-name>/`.
-- Keep execution plans as multiple numbered Markdown files by macro-category, such as `01-contesto-e-vincoli.md`, `02-implementazione.md`, and `03-validazione.md`; do not collapse them into one monolithic plan file.
+- Keep planning ephemeral in chat for clear, local, quick, or banal tasks.
+- Create or reuse `tmp/superpowers/<clear-action-or-task-name>/` only when retained planning is justified by non-banal work such as multi-turn coordination, multiple macro-categories, explicit handoff, tracking, or provenance, or tradeoffs and uncertainties that merit a saved plan.
+- Keep retained execution plans as numbered Markdown files: use a single `01-...md` file when one macro-category is enough, or multiple numbered files such as `01-contesto-e-vincoli.md`, `02-implementazione.md`, and `03-validazione.md` when the work genuinely spans multiple macro-categories.
+- Keep detailed plan-shape and authoring heuristics in `internal-writing-plans` instead of restating them in this repo-wide projection.
 - Keep doubts, open questions, and user decisions in `dubbi-e-domande.md`. This file stays outside the plan-and-apply loop and must not be treated as an executable plan file.
 - During execution, maintain matching `done-*` files. Move completed items into the corresponding `done-*` file, remove them from the active source file, delete an emptied source plan file, and continue through the remaining numbered plan files until the work is finished or a real blocker requires user input.
 - Preserve imported `obra-*`, `awesome-*`, `openai-*`, and other upstream assets; express this repository's planning policy through repository-owned internal wrappers instead of editing upstream planning skills.
-- If an imported asset still requires a direct repo-local exception, register the replay patch in `.github/skills/internal-agent-sync-control-center/references/imported-asset-overrides.yaml` instead of leaving an undocumented fork.
+- If an imported asset still requires a direct repo-local exception, register the replay patch in `.github/skills/internal-agent-sync-external-resources/references/imported-asset-overrides.yaml` instead of leaving an undocumented fork.
 
 ## Repository Workflow Reminders
 
diff --git a/.github/skills/internal-executing-plans/SKILL.md b/.github/skills/internal-executing-plans/SKILL.md
index 627c3d0..8fd5089 100644
--- a/.github/skills/internal-executing-plans/SKILL.md
+++ b/.github/skills/internal-executing-plans/SKILL.md
@@ -5,9 +5,9 @@ description: Use when executing a repository-owned plan from tmp/superpowers/<cl
 
 # Internal Executing Plans
 
-Use this skill as the repository-owned wrapper for applying multi-file plans in this repository.
+Use this skill as the repository-owned wrapper for applying retained numbered plans in this repository.
 
-Treat `obra-executing-plans` and `obra-subagent-driven-development` as imported execution depth and keep any repo-local drift fixes narrow. This skill adds the local execution loop for numbered plan files and `done-*` tracking.
+Treat `obra-executing-plans` and `obra-subagent-driven-development` as imported execution depth and keep any repo-local drift fixes narrow. This skill adds the local execution loop for one or more numbered plan files and `done-*` tracking.
 
 ## When to use
 
diff --git a/.github/skills/internal-writing-plans/SKILL.md b/.github/skills/internal-writing-plans/SKILL.md
index c3057a7..06aade9 100644
--- a/.github/skills/internal-writing-plans/SKILL.md
+++ b/.github/skills/internal-writing-plans/SKILL.md
@@ -1,35 +1,54 @@
 ---
 name: internal-writing-plans
-description: Use when repository-owned work needs a plan under tmp/superpowers/<clear-action-or-task-name>/ and the plan must follow the local multi-file, Italian-default structure.
+description: Use when repository-owned work needs a retained numbered plan under tmp/superpowers/<clear-action-or-task-name>/ and the plan must follow the local Italian-default execution-plan contract.
 ---
 
 # Internal Writing Plans
 
 Use this skill as the repository-owned wrapper for plan authoring in this repository.
 
-Treat `obra-writing-plans` as imported depth and keep any repo-local drift fixes narrow. This skill adds the local contract for where plans live, how they are split, what language they use, and what must stay outside the execution loop.
+Treat `obra-writing-plans` as imported depth and keep any repo-local drift fixes narrow. This skill adds the local contract for when a plan is retained, where it lives, how numbered files are split, what language they use, and what must stay outside the execution loop.
 
 ## When to use
 
-- Writing or rewriting a repository-owned execution plan under `tmp/superpowers/`.
-- Converting a monolithic plan into the local multi-file plan structure.
+- Writing or rewriting a retained repository-owned execution plan under `tmp/superpowers/` when the work is non-banal.
+- Retaining a plan because the work crosses turns, spans multiple macro-categories, needs handoff, tracking, or provenance, or carries tradeoffs or uncertainties that should stay reviewable.
+- Converting a monolithic or overgrown plan into the local numbered-plan structure.
 - Preparing a plan that will later be executed by `internal-executing-plans`.
 
 ## When not to use
 
 - General design or spec work under `tmp/superpowers/specs/`; use `obra-brainstorming` when that workflow is relevant.
+- Clear, local, quick, or banal tasks whose next steps fit in chat.
 - Local execution with no retained plan artifact.
 - Imported or sync-managed planning assets; do not edit `obra-*` skills to impose this policy.
 
-## Local plan contract
+## Local retained-plan contract
 
-- Create or reuse a task folder named `tmp/superpowers/<clear-action-or-task-name>/`.
-- Keep active execution plans in multiple numbered Markdown files by macro-category, for example `01-contesto-e-vincoli.md`, `02-implementazione.md`, and `03-validazione.md`.
+- Create or reuse a retained plan folder under `tmp/superpowers/<clear-action-or-task-name>/` only when the plan needs to survive the current turn.
+- Keep planning ephemeral in chat when the task is clear, local, quick, or banal.
+- Retain a plan only when at least one of these is true: the work crosses turns, spans multiple macro-categories, needs handoff, tracking, or provenance, or includes tradeoffs or uncertainties that should stay reviewable.
+- Use a single numbered file such as `01-implementazione.md` when the work has one macro-category.
+- Use multiple numbered Markdown files by macro-category, for example `01-contesto-e-vincoli.md`, `02-implementazione.md`, and `03-validazione.md`, when the work spans more than one macro-category.
 - Do not keep one monolithic plan file when the work spans multiple macro-categories.
 - Write those plan files in Italian by default unless the user explicitly asks for another language.
 - Keep unresolved questions, doubts, and user decisions in `dubbi-e-domande.md`.
 - `dubbi-e-domande.md` is not an execution-plan file and must stay outside the plan-and-apply loop.
 
+## Numbered-file shape
+
+- Optimize retained plan files for scanability and decision review rather than exhaustive prose.
+- Prefer explicit headings and short bullets; avoid long paragraphs.
+- Keep rationales brief and avoid duplicating context already captured in `AGENTS.md`, `.github/copilot-instructions.md`, or neighboring repository-owned assets.
+- `Obiettivo`
+- `Logica scelta`
+- `Assunzioni chiave`
+- `Passi eseguibili`
+- `Validazione`
+- Keep each section to 5-7 bullets when practical.
+- Keep bullets to 1-2 lines when practical.
+- Make each executable step easy to challenge, verify, or remove without rewriting the whole file.
+
 ## Relationship to OBRA
 
 - Use this skill first for repository-owned planning policy.
@@ -38,23 +57,29 @@ Treat `obra-writing-plans` as imported depth and keep any repo-local drift fixes
 
 ## Workflow
 
-1. Choose a clear task folder name under `tmp/superpowers/`.
-2. Define the macro-categories first, then create one numbered plan file per category.
-3. Keep each numbered file actionable and scoped to one macro-category.
-4. Put open questions and decision requests only in `dubbi-e-domande.md`.
-5. Keep executable next steps in the numbered plan files without mixing unresolved questions into them.
+1. Decide first whether retained planning is justified or whether in-chat planning is enough.
+2. Choose a clear task folder name under `tmp/superpowers/`.
+3. Define the macro-categories first and choose the smallest numbered-file shape that fits the work.
+4. Use a single `01-...md` file when one macro-category is enough, or create one numbered plan file per category when more than one macro-category exists.
+5. Give each numbered file the shape above and keep every section compact.
+6. Put open questions and decision requests only in `dubbi-e-domande.md`.
+7. Keep executable next steps in the numbered plan files without mixing unresolved questions into them.
 
 ## Validation
 
+- The plan exists only when retained planning is justified beyond the current turn.
 - The plan lives under `tmp/superpowers/<clear-action-or-task-name>/`.
-- There are `01-...`, `02-...`, `03-...` style plan files when more than one macro-category exists.
+- A single `01-...` file is used when one macro-category is enough; `01-...`, `02-...`, `03-...` style plan files exist when more than one macro-category exists.
 - Plan files are in Italian unless the user asked otherwise.
+- The numbered files follow the local shape contract with explicit headings and short bullets.
 - `dubbi-e-domande.md` exists when needed and remains separate from executable plan files.
 - The plan does not rely on imported `obra-*` skills as the policy owner; any repo-local drift fix stays narrow and subordinate to this wrapper.
 
 ## Common mistakes
 
+- Creating a retained plan artifact for a clear, local, quick task that should stay in chat.
 - Writing the whole plan in one Markdown file.
+- Writing long narrative paragraphs or duplicating canonical context instead of keeping the plan scannable.
 - Mixing executable checklist items with open questions.
 - Putting the plan under `docs/` instead of `tmp/superpowers/`.
 - Switching the whole repository to Italian instead of keeping the exception local to plan files.
diff --git a/.github/skills/internal-writing-plans/agents/openai.yaml b/.github/skills/internal-writing-plans/agents/openai.yaml
index d4618d5..b320be9 100644
--- a/.github/skills/internal-writing-plans/agents/openai.yaml
+++ b/.github/skills/internal-writing-plans/agents/openai.yaml
@@ -1,4 +1,4 @@
 interface:
   display_name: "Internal Writing Plans"
   short_description: "Repo wrapper for numbered plan authoring"
-  default_prompt: "Use $internal-writing-plans to author repository-owned multi-file plans under tmp/superpowers with numbered phases and a separate dubbi-e-domande file."
+  default_prompt: "Use $internal-writing-plans to author retained repository-owned numbered plans under tmp/superpowers, using a single or multi-file shape as needed and a separate dubbi-e-domande file."
diff --git a/AGENTS.md b/AGENTS.md
index 44e036b..2574f07 100644
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -90,7 +90,8 @@ This file is the stable entrypoint for the repository instruction architecture.
 
 - Transient planning, brainstorming, and other Superpowers-generated working files must not be written under `docs/`.
 - When such artifacts are needed inside this repository, write them under `tmp/superpowers/`.
-- Repository-owned plan work under `tmp/superpowers/` should live in a task-specific folder named `tmp/superpowers/<clear-action-or-task-name>/`.
-- Keep active execution plans there as multiple numbered macro-category Markdown files, for example `01-contesto-e-vincoli.md`, `02-implementazione.md`, and `03-validazione.md`, instead of one monolithic plan document.
+- Keep planning ephemeral in chat for clear, local, quick, or banal tasks.
+- Create or reuse `tmp/superpowers/<clear-action-or-task-name>/` only for retained repository-owned planning that must survive the current turn because the work is non-banal, crosses turns, spans macro-categories, needs handoff, tracking, or provenance, or preserves tradeoffs worth review.
+- Keep retained execution plans as numbered Markdown files: a single `01-...md` file when one macro-category is enough, or multiple numbered files such as `01-contesto-e-vincoli.md`, `02-implementazione.md`, and `03-validazione.md` when the work spans multiple macro-categories.
 - Keep unresolved questions, doubts, or user decisions in `dubbi-e-domande.md`; this file stays separate from executable plan files and remains outside the plan-and-apply loop.
-- During execution, create matching `done-*` files, move completed items into them, remove completed items from the active source plan file, delete emptied numbered plan files, and continue through the remaining numbered plan files until the work is finished or a real blocker requires user input.
+- During execution, create matching `done-*` files, move completed items into them, remove them from the active numbered source file, and continue through the remaining numbered plan files until the work is finished or a real blocker requires user input.
diff --git a/tests/test_plan_policy_contract.py b/tests/test_plan_policy_contract.py
index 213bc3d..e5a220c 100644
--- a/tests/test_plan_policy_contract.py
+++ b/tests/test_plan_policy_contract.py
@@ -14,6 +14,14 @@ def read_text(relative_path: str) -> str:
     return Path(relative_path).read_text(encoding="utf-8")
 
 
+def assert_plan_policy_anchors(text: str) -> None:
+    assert PLAN_TASK_PATH in text
+    assert "01-...md" in text
+    assert "01-contesto-e-vincoli.md" in text
+    assert "dubbi-e-domande.md" in text
+    assert "done-*" in text
+
+
 def test_root_policy_files_define_repository_plan_defaults() -> None:
     agents_text = read_text("AGENTS.md")
     copilot_text = read_text(".github/copilot-instructions.md")
@@ -22,23 +30,26 @@ def test_root_policy_files_define_repository_plan_defaults() -> None:
         "The default authoring language for repository artifacts is English"
         in agents_text
     )
-    assert PLAN_TASK_PATH in agents_text
-    assert "01-contesto-e-vincoli.md" in agents_text
+    assert_plan_policy_anchors(agents_text)
     assert "Italian" in agents_text
-    assert "dubbi-e-domande.md" in agents_text
-    assert "done-*" in agents_text
+    assert "clear, local, quick, or banal tasks" in agents_text
+    assert "non-banal" in agents_text
+    assert "macro-categories" in agents_text
     assert "continue through the remaining numbered plan files" in agents_text
+    assert "`Obiettivo`" not in agents_text
+    assert "5-7 bullets when practical" not in agents_text
 
     assert (
         "The default authoring language for repository artifacts is English"
         in copilot_text
     )
-    assert PLAN_TASK_PATH in copilot_text
-    assert "01-contesto-e-vincoli.md" in copilot_text
+    assert_plan_policy_anchors(copilot_text)
     assert "Italian" in copilot_text
-    assert "dubbi-e-domande.md" in copilot_text
-    assert "done-*" in copilot_text
+    assert "retained planning is justified" in copilot_text
+    assert "`internal-writing-plans`" in copilot_text
     assert "continue through the remaining numbered plan files" in copilot_text
+    assert "`Obiettivo`" not in copilot_text
+    assert "5-7 bullets when practical" not in copilot_text
 
 
 def test_internal_planning_leader_prefers_repository_plan_wrappers() -> None:
@@ -48,6 +59,8 @@ def test_internal_planning_leader_prefers_repository_plan_wrappers() -> None:
     assert "- `internal-executing-plans`" in planning_leader_text
     assert "prefer `internal-writing-plans`" in planning_leader_text
     assert "prefer `internal-executing-plans`" in planning_leader_text
+    assert "clear, local, quick, or banal tasks" in planning_leader_text
+    assert "retained execution plan" in planning_leader_text
 
 
 def test_plan_wrapper_skills_are_listed_in_ownership_map_and_inventory() -> None:
@@ -76,14 +89,27 @@ def test_plan_wrapper_skills_define_local_plan_contracts() -> None:
 
     assert "## When to use" in writing_skill_text
     assert PLAN_TASK_PATH in writing_skill_text
+    assert "crosses turns" in writing_skill_text
+    assert "handoff, tracking, or provenance" in writing_skill_text
     assert "01-contesto-e-vincoli.md" in writing_skill_text
     assert "macro-category" in writing_skill_text
     assert "monolithic" in writing_skill_text
     assert "dubbi-e-domande.md" in writing_skill_text
     assert "Italian" in writing_skill_text
+    assert "## Local retained-plan contract" in writing_skill_text
+    assert "## Numbered-file shape" in writing_skill_text
+    assert "scanability and decision review" in writing_skill_text
+    assert "`Obiettivo`" in writing_skill_text
+    assert "`Logica scelta`" in writing_skill_text
+    assert "`Assunzioni chiave`" in writing_skill_text
+    assert "`Passi eseguibili`" in writing_skill_text
+    assert "`Validazione`" in writing_skill_text
+    assert "5-7 bullets when practical" in writing_skill_text
+    assert "1-2 lines when practical" in writing_skill_text
     assert "outside the plan-and-apply loop" in writing_skill_text
 
     assert "## When to use" in executing_skill_text
+    assert "retained numbered plans" in executing_skill_text
     assert "done-<source-file-name>.md" in executing_skill_text
     assert "dubbi-e-domande.md" in executing_skill_text
     assert "move it into the matching `done-*` file" in executing_skill_text
@@ -94,10 +120,18 @@ def test_plan_wrapper_skills_define_local_plan_contracts() -> None:
 
 
 def test_plan_wrapper_skills_ship_openai_metadata() -> None:
-    for skill_name in PLAN_SKILL_PATHS:
-        metadata_text = read_text(f".github/skills/{skill_name}/agents/openai.yaml")
+    writing_metadata_text = read_text(
+        ".github/skills/internal-writing-plans/agents/openai.yaml"
+    )
+    executing_metadata_text = read_text(
+        ".github/skills/internal-executing-plans/agents/openai.yaml"
+    )
 
+    for metadata_text in (writing_metadata_text, executing_metadata_text):
         assert "interface:" in metadata_text
         assert "display_name:" in metadata_text
         assert "short_description:" in metadata_text
-        assert f"${skill_name}" in metadata_text
+
+    assert "$internal-writing-plans" in writing_metadata_text
+    assert "single or multi-file shape as needed" in writing_metadata_text
+    assert "$internal-executing-plans" in executing_metadata_text

From 37a1fbda0fbe481ba048b09f91995cc72054d9de Mon Sep 17 00:00:00 2001
From: Diego Mauricio Lagos <diego.lagosmorales@pagopa.it>
Date: Tue, 21 Apr 2026 23:38:03 +0200
Subject: [PATCH 3/6] Refactor skills and documentation for clarity and
 consistency

- Updated internal-agent-sync-external-resources skill documentation to improve clarity in asset management steps.
- Enhanced internal-change-impact-analysis skill with additional self-questioning prompts and validation criteria.
- Revised internal-cloud-policy skill to clarify usage boundaries and mandatory rules.
- Improved internal-code-review skill with clearer escalation rules and validation requirements.
- Updated anti-pattern references for various languages (Bash, Java, Node.js, Python, Terraform) to enhance clarity and consistency.
- Enhanced internal-copilot-audit skill to specify updated script paths for catalog consistency checks.
- Improved internal-docker skill documentation for mandatory rules and validation steps.
- Clarified internal-github-action-composite and internal-github-actions skills with better relationship descriptions and mandatory rules.
- Updated internal-project skills (Java, Node.js, Python) with clearer project-specific guidance and validation steps.
- Enhanced internal-script skills (Bash, Python) with specific guidance for standalone scripts and validation requirements.
- Refined internal-terraform skill documentation for mandatory rules and validation steps.
- Updated markdownlint configuration to ignore generated tooling state and preserve upstream assets.
- Added tests for markdownlint configuration and validation entrypoints to ensure correctness and coverage.
---
 .github/CHANGELOG.md                          | 31 ++++++++++++++++++
 .github/DEPRECATION.md                        |  6 ++++
 .github/agents/README.md                      |  5 +++
 .../agents/internal-critical-master.agent.md  |  2 +-
 .../internal-delivery-operator.agent.md       |  2 +-
 .github/copilot-code-review-instructions.md   | 12 +++++++
 .../copilot-commit-message-instructions.md    |  4 +++
 .../internal-bash.instructions.md             |  4 +++
 .../internal-docker.instructions.md           |  3 ++
 ...al-github-action-composite.instructions.md |  2 ++
 .../internal-github-actions.instructions.md   |  3 ++
 .../internal-java.instructions.md             |  4 +++
 .../internal-json.instructions.md             |  4 +++
 .../internal-lambda.instructions.md           |  6 ++++
 .../internal-makefile.instructions.md         |  8 +++--
 .../internal-markdown.instructions.md         |  4 +++
 .../internal-nodejs.instructions.md           |  4 +++
 .../internal-python.instructions.md           |  4 +++
 .../internal-terraform.instructions.md        |  3 ++
 .../internal-yaml.instructions.md             |  3 ++
 .../internal-planning-kickoff.prompt.md       |  3 ++
 .github/prompts/internal-pre-mortem.prompt.md |  3 ++
 .../prompts/internal-review-kickoff.prompt.md |  3 ++
 .github/prompts/internal-sync-plan.prompt.md  |  3 ++
 .github/scripts/github_catalog_validation.py  | 10 ++++--
 .github/security-baseline.md                  |  9 ++++++
 .../internal-agent-development/SKILL.md       |  6 ++--
 .../references/example-transformations.md     | 24 +++++++-------
 .../SKILL.md                                  |  8 ++---
 .../internal-change-impact-analysis/SKILL.md  |  4 +++
 .../references/analysis-dimensions.md         |  1 +
 .github/skills/internal-cloud-policy/SKILL.md |  4 +++
 .github/skills/internal-code-review/SKILL.md  |  5 +++
 .../references/anti-patterns-bash.md          |  4 +++
 .../references/anti-patterns-java.md          |  4 +++
 .../references/anti-patterns-nodejs.md        |  4 +++
 .../references/anti-patterns-python.md        |  4 +++
 .../references/anti-patterns-terraform.md     |  4 +++
 .../skills/internal-copilot-audit/SKILL.md    |  2 +-
 .github/skills/internal-docker/SKILL.md       |  3 ++
 .../internal-github-action-composite/SKILL.md |  3 ++
 .../skills/internal-github-actions/SKILL.md   |  2 ++
 .../references/auth-snippets.md               |  6 ++++
 .../references/language-cues.md               |  2 +-
 .github/skills/internal-pr-editor/SKILL.md    |  8 +++++
 .github/skills/internal-project-java/SKILL.md |  6 ++++
 .../skills/internal-project-nodejs/SKILL.md   |  6 ++++
 .../skills/internal-project-python/SKILL.md   |  7 ++++
 .github/skills/internal-script-bash/SKILL.md  |  3 ++
 .../skills/internal-script-python/SKILL.md    |  7 ++++
 .github/skills/internal-terraform/SKILL.md    |  4 +++
 .../references/decision-guide.md              |  5 ++-
 .markdownlint-cli2.jsonc                      |  5 +++
 Makefile                                      |  2 +-
 tests/github/scripts/test_cli_entrypoints.py  |  1 +
 tests/test_markdownlint_config.py             | 32 +++++++++++++++++++
 tests/test_validation_entrypoints_contract.py | 23 +++++++++++++
 57 files changed, 315 insertions(+), 29 deletions(-)
 create mode 100644 tests/test_markdownlint_config.py
 create mode 100644 tests/test_validation_entrypoints_contract.py

diff --git a/.github/CHANGELOG.md b/.github/CHANGELOG.md
index 52fa102..d6fdacc 100644
--- a/.github/CHANGELOG.md
+++ b/.github/CHANGELOG.md
@@ -1,18 +1,30 @@
 # Changelog
 
 ## Entry template
+
 Use this format for new updates:
+
 - `## YYYY-MM-DD`
 - One bullet per meaningful change.
 - Include file/path scope when useful.
 
+## 2026-04-21
+
+- Realigned `.github/skills/internal-copilot-audit/SKILL.md` to the current catalog-consistency and sync entrypoints, removing stale references to retired source-side script names that were blocking `make skill-lint`.
+- Tightened `.markdownlint-cli2.jsonc` to exclude the local `.github/scripts/.venv/` tree and preserved imported `awesome-copilot-*` instruction files from repo-owned Markdown lint enforcement, keeping the lint target aligned with the repository rule that upstream assets stay verbatim unless explicitly refreshed.
+- Normalized repo-owned Markdown and prompt surfaces across `.github/agents/`, `.github/prompts/`, and multiple `.github/skills/internal-*/` files so `make docs-lint` now passes alongside the existing catalog validators.
+- Promoted `docs-lint` into the standard validation path through `Makefile` and `.github/scripts/github_catalog_validation.py`, and added regression coverage for the markdownlint config plus the aggregate `all` target.
+- Hardened `Makefile` again so the aggregate `lint` target now absorbs `docs-lint` without double-running it through `all`, and added a workflow-level contract test that keeps `_github-catalog-validation` pinned to the canonical Bash wrapper entrypoints.
+
 ## 2026-04-19
+
 - Renamed the root `Makefile` target from `catalog-validation` to `github-catalog-validation` for nomenclature consistency with the `_github-catalog-validation` workflow and refreshed `.github/README.md` plus `.github/agents/README.md` to remove remaining live `internal-router` wording in favor of the direct-entry operational model.
 - Renamed the canonical execution and challenge agents from `.github/agents/internal-fast-executor.agent.md` and `.github/agents/internal-critical-challenger.agent.md` to `.github/agents/internal-delivery-operator.agent.md` and `.github/agents/internal-critical-master.agent.md`, then realigned the live operational contracts, prompt references, shared boundary skills, and tests to the new canonical names.
 - Renamed `.github/workflows/catalog-validation.yml` to `.github/workflows/_github-catalog-validation.yml`, replaced the old Bash-only `catalog_validation` entrypoint with the new `.github/scripts/github_catalog_validation.py` plus matching Bash wrappers, and realigned `Makefile`, script coverage tests, and security-baseline references to the new workflow and script names.
 - Codified the pending retained-learning lessons into `.github/skills/internal-agent-sync-global-copilot-configs-into-repo/references/sync-contract.md`, `.github/skills/internal-agent-development/SKILL.md`, and `.github/skills/internal-agent-development/references/subagent-patterns.md`, added contract tests for the new guidance, and cleared the now-codified rows from `LESSONS_LEARNED.md`.
 
 ## 2026-04-18
+
 - Centralized lane-mismatch handling into the new repository-owned skill `.github/skills/internal-agent-boundary-recommendation-engine/`, realigned the four canonical operational agents plus the two sync command centers to stop and recommend the right owner through one shared protocol, removed the unused `agent` tool from the sync agents, and retired the orphaned `internal-agent-routing-engine` bundle from the live catalog.
 - Removed `internal-router` and the paired `internal-agent-routing-engine` from the live canonical operational model, left the four direct owners as the only canonical lanes, defaulted ambiguous entry to `internal-planning-leader`, platform-enforced no hidden peer dispatch by setting the canonical owners to `disable-model-invocation: true`, and realigned the active contracts, references, and tests away from router-centric dispatch.
 - Narrowed `.github/workflows/catalog-validation.yml` so it no longer repeats `_pre-commit` coverage: the workflow now runs the new `make catalog-lint` target for Bash syntax plus Python bytecode compilation, skips the duplicate YAML lint step, and leaves Markdown lint available as a manual target instead of failing the catalog-specific gate on long-standing repo-wide style debt.
@@ -21,11 +33,13 @@ Use this format for new updates:
 - Simplified `.github/workflows/_pre-commit.yml` so it no longer depends on the `inputs` context during `push` or `pull_request` runs, keeping the surviving workflow aligned with GitHub Actions context-availability rules.
 
 ## 2026-04-17
+
 - Added reusable prompt files under `.github/prompts/` for planning kickoff, pre-mortem challenge, review kickoff, and sync planning so the repository now ships concrete prompt-file surfaces instead of an empty placeholder directory.
 - Refreshed plan tracking under `tmp/done/superpowers/plans/` so completed plan work is mirrored outside the active plan files and the remaining plan sources can stay current-state only.
 - Rebuilt `.github/INVENTORY.md` after the catalog refresh so support-only imported office skills are labeled explicitly in the generated inventory output.
 
 ## 2026-04-12
+
 - Renamed the repository-root retained-learning ledger to `LESSONS_LEARNED.md`, then realigned the retained-learning contract, sync automation, and tests to use the new canonical path.
 - Aligned `.pre-commit-config.yaml` and expanded `.editorconfig` with file-type defaults for Python, shell, Terraform/HCL, YAML, JSON/TOML, Markdown, Make, and local config files so the repo and synced consumers get a practical editor baseline without the formatter ping-pong that left `pre-commit` failing with no visible git diff.
 - Expanded the cross-repository sync baseline to include `.editorconfig`, `.pre-commit-config.yaml`, and `.github/workflows/terraform-pre-commit.yml`, then updated the sync agent/skill contract and sync planner tests to keep that scope explicit and narrow.
@@ -37,6 +51,7 @@ Use this format for new updates:
 - Simplified `LESSONS_LEARNED.md` again so it now keeps only pending lessons; once a lesson is codified into a canonical owner, it is removed from the ledger instead of being duplicated there.
 
 ## 2026-04-11
+
 - Tightened the Python skill split instead of collapsing it: clarified the shared baseline in `.github/instructions/internal-python.instructions.md`, sharpened `internal-project-python` around structured package and application boundaries, and expanded `internal-script-python` plus its layout reference to cover the repository-aligned toolkit pattern used under `.github/scripts/` with shared `lib/`, hash-locked `requirements.txt`, shared `run.sh`, root-level tests, and thin wrapper entrypoints.
 - Renamed the sync engine skill from `.github/skills/internal-sync-global-copilot-configs-into-repo/` to `.github/skills/internal-agent-sync-global-copilot-configs-into-repo/`, then realigned the paired agent contract and skill invocation metadata to the new canonical skill name.
 - Updated `.github/scripts/lib/internal_skills.py` so documented workflow outputs under `tmp/` are treated as virtual paths during internal-skill validation, then refreshed `.github/README.md` to match the live tracked agent catalog and current source-side script entrypoints.
@@ -50,13 +65,16 @@ Use this format for new updates:
 - Removed `.github/instructions/awesome-copilot-copilot-sdk-python.instructions.md` from the live catalog and realigned `.github/INVENTORY.md`, `.github/README.md`, `.github/agents/internal-sync-external-resources.agent.md`, and `tmp/superpowers/2026-04-10-audit-catalogo-copilot.md` so the imported Python SDK instruction is no longer treated as active.
 
 ## 2026-04-10
+
 - Added the provider skill rollout beyond AWS by creating repository-owned Azure, GCP, and GitHub skill families under `.github/skills/internal-{azure,gcp,github}-*`, keeping the AWS boundary model as the baseline with short adaptive strategic skills, separate organization/governance/operations lanes where justified, minimal `references/`, and `agents/openai.yaml` metadata for every new skill.
 - Refreshed `.github/README.md` and `.github/INVENTORY.md` so the maintainer-facing catalog now matches the live provider-skill inventory and the current prompt, skill, and script counts on disk.
 
 ## 2026-04-07
+
 - Updated the completion-report policy in `.github/copilot-instructions.md`, `.github/README.md`, and the sync agent and skill contract so synced target repositories now inherit a summary format that lists only the actually used agents, instructions, prompts, skills, and other resources, each with a short reason.
 
 ## 2026-04-06
+
 - Externalized the exact path inventory into `.github/INVENTORY.md`, reduced root `AGENTS.md` to a bridge pointer, removed the current repository validator/test layer, and updated maintainer docs, templates, and governance text to stop depending on deleted validation assets and the removed `internal-agents-md-bridge` skill.
 - Refactored the instruction architecture around rule ownership: root `AGENTS.md` is now the strategic entrypoint and precedence anchor, `.github/copilot-instructions.md` is the compact repo-wide Copilot projection, `INTERNAL_CONTRACT.md` now captures rebuild-safe invariants instead of deleted automation behavior, scoped Markdown guidance now projects the central English-by-default rule, and sync governance assets were updated to stop treating root `AGENTS.md` as a subordinate thin bridge.
 - Slimmed `.github/copilot-instructions.md` by removing stack-owned Python template, script, Java, and Node guidance, and reduced `.github/instructions/internal-bash.instructions.md` to repo-local Bash additions so runtime-specific rules now stay with their matching instruction owners instead of the primary policy layer.
@@ -66,6 +84,7 @@ Use this format for new updates:
 - Tightened the active non-README governance layer after the refactor: reduced root `AGENTS.md` to a thinner bridge, refreshed `.github/INVENTORY.md` to match the live prompt catalog, removed stale prompt/script/source-of-truth references from active governance assets, and aligned the cross-repository sync agent/skill with the files that actually exist on disk.
 
 ## 2026-04-05
+
 - Added `scripts/internal_yaml.py` and reused it from both `internal-sync-copilot-configs.py` and `validate-copilot-customizations.py` so repository-owned Python automation now shares one YAML/frontmatter parser instead of duplicating parsing logic.
 - Restored hash-locked Python dependency policy for repository-owned scripts: `scripts/requirements.txt` now carries the pinned `PyYAML` wheel hash and `internal-python-runner.sh` installs with `--require-hashes` without any fallback path.
 - Removed the hash-detection fallback from `scripts/internal-python-runner.sh`, switched repository-owned Python launcher guidance to install directly from `requirements.txt`, and deleted the internal Python-policy clause that allowed a non-locked fallback path.
@@ -79,6 +98,7 @@ Use this format for new updates:
 - Refreshed `.github/README.md` so the maintainer-facing catalog now matches the live `internal-*`, `obra-*`, and imported support families, the canonical internal agent model, and the actual scripts and workflow present on disk after recent repository restructuring.
 
 ## 2026-04-04
+
 - Added a mandatory end-of-operation completion report contract to `.github/copilot-instructions.md`, documented the same emoji-based `Outcome` / `Agents` / `Instructions` / `Skills` structure in `.github/README.md`, and kept root `AGENTS.md` on a thin bridge pointer to the detailed policy.
 - Extended `INTERNAL_CONTRACT.md`, `tests/test_contract_runner.py`, `tests/test_validate_copilot_customizations.py`, and `.github/scripts/validate-copilot-customizations.py` so the completion-report contract is now source-governed and strict-validator enforced.
 - Updated `internal-sync-external-resources`, `internal-sync-global-copilot-configs-into-repo`, and the sync skill workflow so completed sync runs must also end with the same completion-report categories and explicit unused-category explanations.
@@ -86,10 +106,12 @@ Use this format for new updates:
 - Updated `.github/copilot-instructions.md`, `.github/instructions/internal-python.instructions.md`, and `.github/skills/internal-script-python/SKILL.md` so new Python scripts must make an explicit stdlib-vs-library decision, prefer mature third-party packages when they clearly simplify the final code, and record that choice in a short dependency decision note before implementation.
 
 ## 2026-03-19
+
 - Updated `.github/copilot-instructions.md`, `.github/instructions/python.instructions.md`, and `.github/prompts/tech-ai-python.prompt.md` so Python tasks now standardize on human-readable hash-locked `requirements.txt` files for external dependencies, clarify that the lock file should capture the full dependency closure, and treat third-party libraries as a recommendation only when they materially simplify the code.
 - Updated `.github/prompts/tech-ai-python-script.prompt.md`, `.github/skills/tech-ai-script-python/SKILL.md`, and `.github/instructions/bash.instructions.md` so new standalone Python tools default to a self-contained folder with a `run.sh` launcher, add a local `requirements.txt` only when external packages are used, and bootstrap `.venv` plus locked dependency installation only when that file exists.
 
 ## 2026-03-13
+
 - Updated `.pre-commit-config.yaml` to pin `pre-commit-hooks` `v6.0.0`, keep `pre-commit-terraform` explicitly annotated at `v1.105.0`, and move `shellcheck-py` to `v0.11.0.1`, adding inline release comments for each pinned revision.
 - Updated `.github/workflows/github-validate-copilot-customizations.yml` to pin the runner to `ubuntu-24.04`, add `actions/setup-python` pinned by SHA for Python `3.14.3`, pin `pip` to `26.0.1`, and replace the unpinned `apt` shellcheck install with the pinned Python dependency set from `.github/tech-ai-requirements-dev.txt`.
 - Annotated `.github/workflows/terraform-pre-commit.yml` image digest references with the corresponding `pre-commit-terraform` release version to make the SHA-based pin self-describing.
@@ -98,14 +120,17 @@ Use this format for new updates:
 - Updated `.github/scripts/internal-sync-copilot-configs.py` so the default VS Code PR description mode expected during consumer alignment is now `template` instead of `Copilot`.
 
 ## 2026-03-12
+
 - Renamed the canonical PR prompt from `tech-ai-pr-description.prompt.md` / `TechAIPRDescription` to `tech-ai-pr-editor.prompt.md` / `TechAIPREditor`, and updated `AGENTS.md`, the validator, and review notes to use the new canonical name consistently.
 - Updated `scripts/internal-sync-copilot-configs.py` and its tests so sync plans now delete manifest-managed files that were removed from the desired baseline, allowing canonical renames to cleanly remove deprecated managed assets in consumer repositories.
 
 ## 2026-03-11
+
 - Updated `scripts/internal-sync-copilot-configs.py` so consumer sync now discovers new instructions from `applyTo`, automatically includes all portable consumer-facing agents, and merges consumer-facing prompt/skill capabilities declared in the source `AGENTS.md` preferred sections. This prevents newly added shared assets such as the PAIR analysis flow from being silently skipped in downstream repos.
 - Updated `scripts/internal-sync-copilot-configs.py` and `tests/test_tech_ai_sync_copilot_configs.py` so consumer alignment now reports a target-side gap when `.vscode/settings.json` is missing or does not set `githubPullRequests.pullRequestDescription` to `Copilot`, making the VS Code PR-form Copilot dependency visible in sync reports.
 
 ## 2026-03-09
+
 - Added the repo-only `TechAIRepoCopilotExtender` agent, prompt, and skill for creating consumer-repository `internal-*` Copilot assets without duplicating the shared baseline, and excluded the trio from consumer sync.
 - Tightened `TechAIRepoCopilotExtender` so it must ground repo-local prompts, examples, schema snippets, and naming rules on concrete target files instead of generic remembered patterns.
 - Deprecated `.github/scripts/bootstrap-copilot-config.sh` in favor of `.github/scripts/internal-sync-copilot-configs.py`, updated lifecycle docs, and made quickstart plus `.github/README.md` prefer sync-first alignment.
@@ -115,6 +140,7 @@ Use this format for new updates:
 - Expanded validator and sync tests to cover new recommendation, rendering, provenance, and validation paths.
 
 ## 2026-03-08
+
 - Updated the PR-writing prompt, skill, and agent guidance to derive required sections from the resolved repository PR template instead of hardcoding older headings such as `Security and Compliance` or `Related Links`.
 - Updated `scripts/internal-sync-copilot-configs.py` and `scripts/validate-copilot-customizations.sh` so repository-owned prompt, skill, and agent assets outside the synced global baseline must use `internal-*` in both filenames and `name:` values, making internal customizations visibly distinct from synced `tech-ai-*` assets.
 - Updated `scripts/internal-sync-copilot-configs.py` so target-only skill detection compares full relative paths instead of the shared `SKILL.md` filename, fixing missed unmanaged skill assets in consumer repositories.
@@ -130,6 +156,7 @@ Use this format for new updates:
 - Updated `tests/test_tech_ai_sync_copilot_configs.py` to cover duplicate-alias detection and conflict behavior during sync planning.
 
 ## 2026-03-07
+
 - Added repo-only global customization agents `TechAIStandardsRepoConfigBuilder` and `TechAIStandardsRepoConfigAuditor` for standards-authoring and final quality gates in this repository.
 - Marked `TechAICustomizationAuditor` as a deprecated compatibility alias that now points to `TechAIStandardsRepoConfigAuditor`.
 - Updated root `AGENTS.md`, agent catalog docs, sync exclusions, validator semantics, and tests to treat the `TechAIGlobal*` pair as repo-only standards agents.
@@ -143,6 +170,7 @@ Use this format for new updates:
 - Removed the redundant `script-bash.prompt.md` and `script-python.prompt.md` alias prompts to keep one canonical script prompt per stack.
 
 ## 2026-03-06
+
 - Added `agents/tech-ai-sync-global-copilot-configs-into-repo.agent.md`: `TechAISyncGlobalCopilotConfigsIntoRepo` for local repository analysis and conservative Copilot-core alignment.
 - Added `prompts/tech-ai-sync-global-copilot-configs-into-repo.prompt.md` and `skills/tech-ai-sync-global-copilot-configs-into-repo/SKILL.md` for repeatable alignment workflows.
 - Added `scripts/internal-sync-copilot-configs.py` plus `tests/test_tech_ai_sync_copilot_configs.py` for deterministic analysis, manifest-based sync planning, and reporting.
@@ -152,6 +180,7 @@ Use this format for new updates:
 - Added `.github/tech-ai-requirements-dev.txt`, CI pytest execution, `shellcheck` pre-commit coverage, and validator integration tests for stronger local and CI validation.
 
 ## 2026-03-04
+
 - Added `skills/tech-ai-code-review/SKILL.md`: per-language anti-pattern catalogs with severity mappings and good-vs-bad examples.
 - Added `prompts/cs-code-review.prompt.md`: on-demand strict code review prompt with configurable strictness.
 - Added `agents/tech-ai-script-reviewer.agent.md`: exhaustive, nit-level code reviewer (`TechAIScriptReviewer`) for Python, Bash, and Terraform with review persona inspired by Martin Fowler, Raymond Hettinger, and Kelsey Hightower.
@@ -159,9 +188,11 @@ Use this format for new updates:
 - Updated `AGENTS.md` with `TechAIScriptReviewer` routing, `code-review` skill, and `cs-code-review` prompt.
 
 ## 2026-02-28
+
 - Renamed GitHub-related files to `github-*` prefix for consistency across agents, prompts, instructions, and workflows.
 
 ## 2026-02-07
+
 - Added missing global Copilot instruction files for commit messages and code review.
 - Added new instruction files: YAML, Markdown, Makefile, Scripts, Lambda.
 - Added new skills: `terraform-module`, `cloud-policy`.
diff --git a/.github/DEPRECATION.md b/.github/DEPRECATION.md
index fe90b65..8ea5ec9 100644
--- a/.github/DEPRECATION.md
+++ b/.github/DEPRECATION.md
@@ -1,14 +1,17 @@
 # Deprecation Policy
 
 ## Purpose
+
 Define a predictable process for deprecating Copilot customization assets (`instructions`, `skills`, `agents`, and templates).
 
 ## Lifecycle states
+
 - Active: recommended for current use.
 - Deprecated: still available but scheduled for removal.
 - Removed: no longer maintained or supported.
 
 ## Required process
+
 1. Mark the asset as deprecated in its file header or first section.
 2. Record the change in `.github/CHANGELOG.md` with migration guidance.
 3. Keep a minimum deprecation window of one release cycle (or 30 days if no release cycle exists).
@@ -16,14 +19,17 @@ Define a predictable process for deprecating Copilot customization assets (`inst
 5. Remove only after the window ends and no blocking consumers remain.
 
 ## Backward compatibility rules
+
 - Instructions: avoid changing mandatory behavior without documenting impact.
 - Skills: keep old skill path available during transition.
 - Agents: keep objective and restriction semantics stable where possible.
 
 ## Emergency exception
+
 Immediate removal is allowed only for security or compliance issues. The removal reason must be documented in `.github/CHANGELOG.md`.
 
 ## Current deprecations
+
 - `.github/workflows/_terraform-pre-commit.yml`: **Removed**. Replaced by `.github/workflows/_pre-commit.yml` after consolidating duplicate pre-commit workflows into one canonical entrypoint.
 - `.github/workflows/terraform-pre-commit.yml`: **Removed**. Replaced by `.github/workflows/_pre-commit.yml` so the source baseline ships a single pre-commit workflow.
 - `.github/skills/antigravity-domain-driven-design/SKILL.md`: **Removed**. Consolidated into `.github/skills/internal-ddd/SKILL.md`.
diff --git a/.github/agents/README.md b/.github/agents/README.md
index 4158889..14c8339 100644
--- a/.github/agents/README.md
+++ b/.github/agents/README.md
@@ -3,12 +3,14 @@
 This folder contains deliberate custom agents for repository-owned direct-owner operations plus repo-only sync workflows.
 
 ## Resolution order
+
 1. Apply repository non-negotiables from `copilot-instructions.md`.
 2. Apply explicit user request and selected agent behavior (agent-first).
 3. Apply matching `instructions/*.instructions.md` (`applyTo` by path).
 4. Apply referenced skill details.
 
 ## Recommended owner selection
+
 - Safe fallback when the right operational lane is still ambiguous: `internal-planning-leader`.
 - Direct canonical owners: `internal-delivery-operator`, `internal-planning-leader`, `internal-review-guard`, `internal-critical-master`.
 - Source-side catalog sync, rationalization, overlap cleanup, and governance drift correction in this repository: `internal-sync-external-resources`.
@@ -16,10 +18,12 @@ This folder contains deliberate custom agents for repository-owned direct-owner
 - PR-focused work should use the `internal-pr-editor` skill because this repository does not currently ship a dedicated PR editor agent.
 
 ## Repo-only agents (not synced to consumers)
+
 - `internal-sync-external-resources`
 - `internal-sync-global-copilot-configs-into-repo`
 
 ## Why this catalog stays deliberate
+
 - This repository keeps a deliberate set of source-side command-center agents under `.github/agents/`.
 - Prefer one cohesive agent per recurring operational or governance workflow.
 - Keep the four canonical owners explicit and non-overlapping, and keep reusable logic in skills instead of bloating agent bodies.
@@ -28,6 +32,7 @@ This folder contains deliberate custom agents for repository-owned direct-owner
 - Prefer skills for detailed task procedures unless a dedicated agent file is present.
 
 ## Selection guide
+
 1. Use `internal-planning-leader` when the user has not yet chosen the right owner or the request could plausibly be execution, planning, review, or challenge.
 2. Use `internal-delivery-operator` for clear, local execution work with concrete verification and no non-trivial strategic tradeoffs.
 3. Use `internal-review-guard` for defect-first review, merge readiness, regression analysis, and evidence-based validation.
diff --git a/.github/agents/internal-critical-master.agent.md b/.github/agents/internal-critical-master.agent.md
index 9e7a1f5..42fd0ef 100644
--- a/.github/agents/internal-critical-master.agent.md
+++ b/.github/agents/internal-critical-master.agent.md
@@ -82,4 +82,4 @@ You are the repository-owned pressure-test and reframing lane for reasoning, ass
 - Why it matters now
 - One probing question or reframing move
 - Closing synthesis when the pressure test is complete
-- Recommended owner when the next step no longer belongs to the challenge lane
\ No newline at end of file
+- Recommended owner when the next step no longer belongs to the challenge lane
diff --git a/.github/agents/internal-delivery-operator.agent.md b/.github/agents/internal-delivery-operator.agent.md
index 5d5759b..a694481 100644
--- a/.github/agents/internal-delivery-operator.agent.md
+++ b/.github/agents/internal-delivery-operator.agent.md
@@ -52,4 +52,4 @@ You are the execution owner for clear, local, low-risk work selected directly by
 - Execution scope
 - Relevant tactical skill or runtime lane
 - Validation path
-- Boundary note when the task no longer belongs to execution
\ No newline at end of file
+- Boundary note when the task no longer belongs to execution
diff --git a/.github/copilot-code-review-instructions.md b/.github/copilot-code-review-instructions.md
index 2e8ac35..27ab0d9 100644
--- a/.github/copilot-code-review-instructions.md
+++ b/.github/copilot-code-review-instructions.md
@@ -1,13 +1,16 @@
 # Code Review Instructions
 
 ## Objective
+
 - Protect the business: find defects, security flaws, and maintainability risks before they reach production.
 - Keep findings concise, severity-ordered, and tied to concrete evidence.
 - Preserve requested behavior first, then improve security, maintainability, and simplicity.
 - Never write review output to files unless the user explicitly asks. All output goes in chat.
 
 ## Self-questioning protocol
+
 Every review must include self-questioning:
+
 - Assign a confidence level to every finding: **High**, **Medium**, or **Low**.
 - For **Low** confidence findings, explain what context might be missing that could invalidate the finding.
 - After producing all findings, re-examine the top 3 most severe ones and ask: "Could this be intentional? Am I sure? Is my suggested fix actually simpler?"
@@ -15,13 +18,16 @@ Every review must include self-questioning:
 - Include a brief "Self-questioning notes" section at the end with any revised assessments.
 
 ## Priority order
+
 Apply this priority to all reviews:
+
 1. **Correctness** — Does it do what it claims?
 2. **Security** — Secrets, injection, privilege, unsafe operations.
 3. **Simplicity** — Is this the simplest thing that could work?
 4. **Maintainability** — Will this be easy to change in 6 months?
 
 ## Review output format
+
 - `Critical`: must-fix issues such as security flaws, correctness bugs, or data-loss risk.
 - `Major`: high-risk improvements such as mandatory rule violations, unsafe defaults, or missing validation.
 - `Minor`: worthwhile improvements that reduce technical debt or clarify intent.
@@ -29,12 +35,14 @@ Apply this priority to all reviews:
 - `Notes`: assumptions, follow-ups, or scope clarifications.
 
 Every finding must include:
+
 - Severity and confidence level.
 - File path and line reference.
 - What is wrong and why it matters (impact on business or operations).
 - Concrete fix suggestion.
 
 ## Baseline checks
+
 1. Security and least privilege.
 2. No hardcoded secrets or credentials.
 3. Consistency with repository naming and structure conventions.
@@ -42,16 +50,19 @@ Every finding must include:
 5. Documentation updates when behavior changes (excluding `README.md` unless explicitly requested).
 
 ## Escalation rules
+
 - Any repeated anti-pattern (3+ times in the same diff) escalates one severity level.
 - Any deviation from the matching `instructions/*.instructions.md` file is at minimum a `Nit`.
 - Any violation of `security-baseline.md` is at minimum a `Major`.
 
 ## Token-aware review protocol
+
 - Load only the diff, directly related files, and the matching instruction files.
 - Use `.github/skills/internal-code-review/SKILL.md` as the detailed anti-pattern catalog for Python, Bash, and Terraform.
 - Do not inline long language-specific catalogs when the `code-review` skill is available.
 
 ## Focus by area
+
 - Terraform: drift risk, lifecycle safety, variable typing, plan readability, provider pinning, and cloud-specific IAM patterns.
 - Workflows: SHA pinning, minimal permissions, environment protection, OIDC, and deterministic checks.
 - Scripts: input validation, early returns, readable control flow, and English logs.
@@ -62,6 +73,7 @@ Every finding must include:
 - Copilot customization assets: reusable wording, naming consistency, and low-noise token usage.
 
 ## Minimum language guardrails
+
 - Python: flag hardcoded secrets, `eval()`/`exec()`, unsafe `pickle`, bare `except`, `shell=True`, and missing tests for new logic.
 - Bash: flag hardcoded secrets, `eval`, unsafe temp files, missing `set -euo pipefail`, unquoted variables, and missing dependency checks.
 - Terraform: flag hardcoded secrets, wildcard IAM, missing state-locking expectations, unpinned providers, and hardcoded environment-specific identifiers.
diff --git a/.github/copilot-commit-message-instructions.md b/.github/copilot-commit-message-instructions.md
index dc25e09..e6de36b 100644
--- a/.github/copilot-commit-message-instructions.md
+++ b/.github/copilot-commit-message-instructions.md
@@ -1,9 +1,11 @@
 # Commit Message Instructions
 
 ## Format
+
 `<type>(<scope>): <summary>`
 
 ## Types
+
 - `feat`: New behavior
 - `fix`: Bug fix
 - `docs`: Documentation updates
@@ -12,12 +14,14 @@
 - `chore`: Tooling/maintenance
 
 ## Rules
+
 - Use imperative mood.
 - Keep summary concise (<= 72 chars preferred).
 - Scope should match changed area (for example `terraform`, `scripts`, `workflows`, `docs`).
 - Use an English body when context is needed.
 
 ## Examples
+
 - `feat(terraform): add policy assignment module`
 - `fix(workflows): pin checkout action by full SHA`
 - `docs(copilot): align skill and agent references`
diff --git a/.github/instructions/internal-bash.instructions.md b/.github/instructions/internal-bash.instructions.md
index 49d20e8..1e22a0e 100644
--- a/.github/instructions/internal-bash.instructions.md
+++ b/.github/instructions/internal-bash.instructions.md
@@ -14,6 +14,7 @@ Assume `.github/instructions/awesome-copilot-shell.instructions.md` covers the b
 The two instruction files intentionally co-load for `**/*.sh`: the imported file remains the generic shell baseline, while this file owns the repository-specific Bash defaults, operator-facing emoji logs, wrapper conventions, and Python-launcher rules.
 
 ## Repository-specific rules
+
 - Use Bash only: `#!/usr/bin/env bash`.
 - Add a short header comment with purpose and usage examples.
 - Use emoji logs (`ℹ️ ✅ ⚠️ ❌`) for operator-facing runtime messages.
@@ -23,6 +24,7 @@ The two instruction files intentionally co-load for `**/*.sh`: the imported file
 - Apply these rules for both create and modify operations.
 
 ## Minimal delta example
+
 ```bash
 #!/usr/bin/env bash
 #
@@ -45,10 +47,12 @@ main "$@"
 ```
 
 ## Python launcher additions
+
 - When the Bash script is a launcher for a standalone Python tool, use it only when that tool needs external packages or an isolated local bootstrap path.
 - Python launchers must keep the common invocation path zero-argument friendly by embedding sensible default Python-script parameters and exposing only optional overrides.
 - For those Python launchers, resolve the script directory, create or reuse a sibling `.venv`, install from the local hash-locked `requirements.txt`, and execute the sibling Python entry point.
 
 ## Validation
+
 - `bash -n <script>.sh`
 - `shellcheck -s bash <script>.sh` (if available)
diff --git a/.github/instructions/internal-docker.instructions.md b/.github/instructions/internal-docker.instructions.md
index 5c19879..7cb7300 100644
--- a/.github/instructions/internal-docker.instructions.md
+++ b/.github/instructions/internal-docker.instructions.md
@@ -6,6 +6,7 @@ applyTo: "**/Dockerfile,**/Dockerfile.*,**/*.dockerfile,**/.dockerignore,**/dock
 # Docker Instructions
 
 ## Baseline rules
+
 - Pin base and runtime images by digest and keep a nearby human-readable tag or version reference.
 - Prefer multi-stage builds when build tooling is not needed at runtime.
 - Run containers as a non-root user unless a documented exception is required.
@@ -14,10 +15,12 @@ applyTo: "**/Dockerfile,**/Dockerfile.*,**/*.dockerfile,**/.dockerignore,**/dock
 - Avoid privileged mode, host networking, and broad bind mounts unless explicitly justified.
 
 ## Use the skill for deeper guidance
+
 - Load `.github/skills/internal-docker/SKILL.md` for Dockerfile patterns, Compose topology choices, common mistakes, and container-hardening detail.
 - Keep this instruction as the auto-loaded baseline; keep workflow depth and examples in the skill.
 
 ## Validation
+
 - Validate Dockerfile or Compose syntax when tooling is available.
 - Check that image references remain digest-pinned before merge.
 - Review the final runtime stage for unnecessary tooling, shells, or package managers.
diff --git a/.github/instructions/internal-github-action-composite.instructions.md b/.github/instructions/internal-github-action-composite.instructions.md
index 5fe6ac0..0f84c4d 100644
--- a/.github/instructions/internal-github-action-composite.instructions.md
+++ b/.github/instructions/internal-github-action-composite.instructions.md
@@ -6,10 +6,12 @@ applyTo: "**/actions/**/action.y*ml"
 # Composite Action Instructions
 
 ## Scope
+
 - This instruction augments `.github/instructions/internal-github-actions.instructions.md`.
 - Keep only composite-specific rules here.
 
 ## Composite-specific rules
+
 - Define explicit `inputs` and `outputs`, and keep published names stable for existing callers.
 - Validate required values early and fail before the main logic runs.
 - Pass `${{ inputs.* }}` through `env:` before shell usage.
diff --git a/.github/instructions/internal-github-actions.instructions.md b/.github/instructions/internal-github-actions.instructions.md
index 73021f2..07a46c0 100644
--- a/.github/instructions/internal-github-actions.instructions.md
+++ b/.github/instructions/internal-github-actions.instructions.md
@@ -6,6 +6,7 @@ applyTo: "**/workflows/**,**/actions/**/action.y*ml"
 # GitHub Actions Instructions
 
 ## Security baseline
+
 - Prefer OIDC over long-lived secrets.
 - Pin actions to full-length commit SHAs with adjacent release comments and upstream release URLs.
 - Pin `docker://` references and workflow container images by digest.
@@ -18,6 +19,7 @@ applyTo: "**/workflows/**,**/actions/**/action.y*ml"
 - Treat self-hosted runners as trusted infrastructure and scope them to the repositories, runner groups, and network access they actually need.
 
 ## Family baseline
+
 - Use clear English step names and deterministic outputs.
 - Set explicit `timeout-minutes` for workflows that could otherwise hang.
 - Set `concurrency` when jobs can conflict on a shared target.
@@ -35,6 +37,7 @@ applyTo: "**/workflows/**,**/actions/**/action.y*ml"
 - Path-specific instructions can use `excludeAgent: "code-review"` or `excludeAgent: "cloud-agent"` when workflow guidance must be scoped to one GitHub Copilot surface, but treat that as a deliberate optimization rather than a default requirement.
 
 ## Use the skill for deeper guidance
+
 - Load `.github/skills/internal-github-actions/SKILL.md` for workflow-vs-reusable-vs-composite decisions, reusable workflow templates, cache and artifact patterns, and workflow hardening checklists.
 - Keep this instruction lean because it is part of the source-managed baseline mirrored into consumer repositories; add new always-on GitHub Actions depth only when downstream reuse justifies that sync cost, and keep advanced patterns, examples, and decision support in the skill references.
 - Keep this instruction as the auto-loaded baseline; keep authoring depth and examples in the skill.
diff --git a/.github/instructions/internal-java.instructions.md b/.github/instructions/internal-java.instructions.md
index 3b3276e..301bb85 100644
--- a/.github/instructions/internal-java.instructions.md
+++ b/.github/instructions/internal-java.instructions.md
@@ -6,6 +6,7 @@ applyTo: "**/*.java,**/pom.xml,**/build.gradle,**/build.gradle.kts"
 # Java Instructions
 
 ## Mandatory rules
+
 - Treat work as project-oriented (services/modules/components), not script-oriented.
 - Keep business logic separated from I/O and infrastructure concerns (SDK calls, persistence, external APIs).
 - Use clear, domain-relevant naming in class names, methods, and exceptions.
@@ -16,14 +17,17 @@ applyTo: "**/*.java,**/pom.xml,**/build.gradle,**/build.gradle.kts"
 - Add unit tests for testable logic.
 
 ## Testing defaults
+
 - Use JUnit 5.
 - Use BDD-like naming: `@DisplayName` and `given_when_then`.
 - Keep unit tests deterministic and isolated.
 - For modify tasks with existing tests: change implementation first, run existing tests, and update tests only for intentional behavior changes.
 
 ## Reference implementation
+
 - For code and test examples, use `.github/skills/internal-project-java/SKILL.md`.
 
 ## Build-file boundary
+
 - For `pom.xml`, `build.gradle`, and `build.gradle.kts`, keep guidance limited to dependency intent, plugin clarity, and test/runtime alignment.
 - Do not use this instruction to restate full Maven or Gradle style guidance that belongs in a narrower build-tool owner.
diff --git a/.github/instructions/internal-json.instructions.md b/.github/instructions/internal-json.instructions.md
index 0106417..b480c2e 100644
--- a/.github/instructions/internal-json.instructions.md
+++ b/.github/instructions/internal-json.instructions.md
@@ -6,20 +6,24 @@ applyTo: "**/authorizations/**/*.json,**/organization/**/*.json,**/src/**/*.json
 # JSON Instructions
 
 ## Scope boundary
+
 - This instruction intentionally applies only to registry-like JSON paths declared in `applyTo`.
 - Root-level or ecosystem-managed JSON files (for example `package.json`, lock files) are out of scope unless they match the configured paths.
 
 ## Formatting
+
 - Use 2-space indentation.
 - Keep keys in alphabetical order when applicable.
 - Do not use trailing commas.
 - For machine-managed files (for example `package.json`, lock files), preserve ecosystem conventions.
 
 ## Authorization registries
+
 - Validate schema before commit.
 - Keep consistency with existing patterns in the file.
 - Use lowercase identifiers.
 - Avoid unnecessary structural changes.
 
 ## Language of content
+
 - Use technical English in descriptive/documentation fields intended for operational output.
diff --git a/.github/instructions/internal-lambda.instructions.md b/.github/instructions/internal-lambda.instructions.md
index f40c097..d4af082 100644
--- a/.github/instructions/internal-lambda.instructions.md
+++ b/.github/instructions/internal-lambda.instructions.md
@@ -6,6 +6,7 @@ applyTo: "**/*lambda*.tf,**/*lambda*.py,**/*lambda*.js,**/*lambda*.ts"
 # Lambda Instructions
 
 ## Design
+
 - Treat this instruction as the repository-owned baseline for Lambda or serverless implementation guidance in this catalog; keep runtime-specific detail in the paired Python or Node.js instructions.
 - Prefer one focused function per trigger or operation; avoid monolithic handlers that mix unrelated flows.
 - Keep handlers small and explicit; move business logic to pure helpers.
@@ -16,6 +17,7 @@ applyTo: "**/*lambda*.tf,**/*lambda*.py,**/*lambda*.js,**/*lambda*.ts"
 - For queue-driven handlers, process records independently and make retry behavior explicit.
 
 ## Runtime and performance
+
 - Measure INIT duration separately from invocation latency before optimizing cold-start issues.
 - Minimize cold-start overhead by avoiding heavy imports in the global scope.
 - Keep dependencies small and prefer modular SDK clients over broad package imports.
@@ -24,6 +26,7 @@ applyTo: "**/*lambda*.tf,**/*lambda*.py,**/*lambda*.js,**/*lambda*.ts"
 - Avoid unnecessary VPC attachment; if a VPC is required, validate DNS, egress, and connection behavior under cold start.
 
 ## Packaging and deployment
+
 - Keep deployment artifact deterministic and reproducible.
 - Keep each function package focused on one responsibility instead of shipping a large shared monolith.
 - Use layers only for shared dependencies with clear versioning.
@@ -32,16 +35,19 @@ applyTo: "**/*lambda*.tf,**/*lambda*.py,**/*lambda*.js,**/*lambda*.ts"
 - When the event source supports partial batch failure reporting, enable it and return only failed record identifiers for retry.
 
 ## Runtime cross-references
+
 - For AWS-specific Lambda implementation patterns, load `.github/skills/internal-aws-serverless/SKILL.md` when the task needs API Gateway, SQS, packaging, or cold-start guidance.
 - For Python Lambdas, also follow `.github/instructions/internal-python.instructions.md`.
 - For JavaScript or TypeScript Lambdas, also follow `.github/instructions/internal-nodejs.instructions.md`.
 
 ## Observability
+
 - Log key lifecycle events in English with stable fields for filtering.
 - Prefer structured logs for production workloads.
 - Include request or correlation identifiers in error logs when the runtime provides them.
 - Emit enough context for correlation without leaking sensitive values.
 
 ## Testing
+
 - Keep unit tests isolated from cloud runtime.
 - Mock external dependencies and network calls.
diff --git a/.github/instructions/internal-makefile.instructions.md b/.github/instructions/internal-makefile.instructions.md
index fbf52e8..34e4101 100644
--- a/.github/instructions/internal-makefile.instructions.md
+++ b/.github/instructions/internal-makefile.instructions.md
@@ -6,26 +6,30 @@ applyTo: "**/Makefile,**/*.mk"
 # Makefile Instructions
 
 ## Conventions
+
 - Use lowercase, hyphenated target names.
 - Mark non-file targets with `.PHONY`.
 - Keep commands deterministic and readable.
 
 ## Recommended patterns
+
 - Provide a `help` target.
 - Centralize common variables near the top.
 - Avoid hidden side effects in default targets.
 
 ## Minimal example
+
 ```make
 .PHONY: help test
 
 help:
-	@echo "Available targets: test"
+ @echo "Available targets: test"
 
 test:
-	@echo "Run test suite"
+ @echo "Run test suite"
 ```
 
 ## Output
+
 - Keep runtime output in English.
 - Use clear success/error messages.
diff --git a/.github/instructions/internal-markdown.instructions.md b/.github/instructions/internal-markdown.instructions.md
index 9e40da2..d781055 100644
--- a/.github/instructions/internal-markdown.instructions.md
+++ b/.github/instructions/internal-markdown.instructions.md
@@ -6,21 +6,25 @@ applyTo: "**/*.md"
 # Markdown Instructions
 
 ## Scope
+
 - Use this file for Markdown structure, style, and maintenance rules.
 - Repository-wide language defaults live in `AGENTS.md` and `.github/copilot-instructions.md`.
 
 ## Structure
+
 - Use clear heading hierarchy.
 - Keep sections focused and short.
 - Prefer task-oriented sections over narrative blocks.
 
 ## Style
+
 - Prefer concise bullets over long paragraphs.
 - Use backticks for commands, paths, and identifiers.
 - Keep links explicit and maintainable.
 - Write Markdown in English unless a narrower scoped instruction explicitly allows another language.
 
 ## Maintenance
+
 - Update documentation when behavior or workflows change.
 - Do not modify `README.md` files unless explicitly requested by the user.
 - Avoid stale examples and mismatched file paths.
diff --git a/.github/instructions/internal-nodejs.instructions.md b/.github/instructions/internal-nodejs.instructions.md
index 6aa1985..55d35f6 100644
--- a/.github/instructions/internal-nodejs.instructions.md
+++ b/.github/instructions/internal-nodejs.instructions.md
@@ -6,6 +6,7 @@ applyTo: "**/*.js,**/*.cjs,**/*.mjs,**/*.ts,**/*.tsx,**/package.json,**/tsconfig
 # Node.js Instructions
 
 ## Mandatory rules
+
 - Treat work as project-oriented (modules/services/handlers), not script-oriented.
 - Keep business logic in focused modules, separate from transport adapters and infrastructure wiring.
 - Use clear, domain-relevant naming for core modules and errors.
@@ -16,15 +17,18 @@ applyTo: "**/*.js,**/*.cjs,**/*.mjs,**/*.ts,**/*.tsx,**/package.json,**/tsconfig
 - Add unit tests for testable logic.
 
 ## Testing defaults
+
 - Use built-in `node:test` + `node:assert/strict`.
 - Prefer BDD-like structure (`describe`/`it` where available).
 - Keep tests deterministic and isolated.
 - For modify tasks with existing tests: change implementation first, run existing tests, and update tests only for intentional behavior changes.
 
 ## Reference implementation
+
 - For module and test examples, use `.github/skills/internal-project-nodejs/SKILL.md`.
 
 ## Project config files
+
 - For `package.json`, keep scripts, engines, and dependency intent explicit; avoid redundant tooling drift or placeholder metadata.
 - For `tsconfig.json`, prefer strict compiler options unless the repository has a documented compatibility reason not to.
 - Keep project config guidance scoped to Node.js or TypeScript project ownership; do not restate generic JSON formatting rules here.
diff --git a/.github/instructions/internal-python.instructions.md b/.github/instructions/internal-python.instructions.md
index 7fc078b..4a09ce5 100644
--- a/.github/instructions/internal-python.instructions.md
+++ b/.github/instructions/internal-python.instructions.md
@@ -6,6 +6,7 @@ applyTo: "**/*.py"
 # Python Instructions
 
 ## Mandatory rules
+
 - Use emoji logs for key operator-facing execution states.
 - Prefer early return and clear guard clauses.
 - Keep code explicit and readable.
@@ -24,6 +25,7 @@ applyTo: "**/*.py"
 - Do not add local vendored libraries, wheelhouses, copied site-packages, fallback dependency mirrors, or deprecated alternate dependency paths unless explicitly requested.
 
 ## Use the right Python skill
+
 - Load `.github/skills/internal-project-python/SKILL.md` for structured package or application code, reusable library boundaries, async judgment, and application test shape.
 - Load `.github/skills/internal-script-python/SKILL.md` for standalone operational tools, toolkit layout, launcher rules, dependency choices, and script runtime orchestration.
 - Keep this instruction as the shared auto-loaded baseline; keep the standalone-tool versus structured-package workflow detail in the paired skills.
@@ -43,6 +45,7 @@ requests==2.32.3 \
 - Generate the locked file with `pip-compile --generate-hashes` or an equivalent workflow that captures the full dependency closure.
 
 ## Minimal skeleton
+
 ```python
 #!/usr/bin/env python3
 """Purpose: Explain what this script does.
@@ -53,6 +56,7 @@ Usage examples:
 ```
 
 ## Minimal test example
+
 ```python
 def test_example() -> None:
     assert 1 + 1 == 2
diff --git a/.github/instructions/internal-terraform.instructions.md b/.github/instructions/internal-terraform.instructions.md
index 51f46ea..38e7161 100644
--- a/.github/instructions/internal-terraform.instructions.md
+++ b/.github/instructions/internal-terraform.instructions.md
@@ -6,6 +6,7 @@ applyTo: "**/*.tf"
 # Terraform Instructions
 
 ## Baseline rules
+
 - Run `terraform fmt` before commit.
 - Use 2-space indentation.
 - Keep related resources grouped in predictable files such as `providers.tf`, `variables.tf`, `outputs.tf`, and domain-specific resource files when the target directory already follows that split.
@@ -25,10 +26,12 @@ applyTo: "**/*.tf"
 - Enable encryption at rest and in transit when the platform supports it.
 
 ## Use the skill for deeper guidance
+
 - Load `.github/skills/internal-terraform/SKILL.md` for feature-vs-module decisions, migration steps, state and delivery controls, templates, and common mistakes.
 - Keep this instruction as the auto-loaded baseline; keep detailed workflow and examples in the skill.
 
 ## Validation
+
 - Run `terraform validate` after changes.
 - Run `tflint` when available for the target project.
 - Review `terraform plan` before apply.
diff --git a/.github/instructions/internal-yaml.instructions.md b/.github/instructions/internal-yaml.instructions.md
index 4543992..873bf07 100644
--- a/.github/instructions/internal-yaml.instructions.md
+++ b/.github/instructions/internal-yaml.instructions.md
@@ -6,16 +6,19 @@ applyTo: "**/*.yml,**/*.yaml"
 # YAML Instructions
 
 ## Formatting
+
 - Use 2-space indentation.
 - Avoid tabs.
 - Keep key names stable and readable.
 
 ## Best practices
+
 - Quote values only when needed for correctness.
 - Keep anchors/aliases simple; prefer clarity.
 - Keep comments concise and in English.
 
 ## Validation
+
 - Validate syntax before commit.
 - Reuse existing schema/style in the target repository.
 - For GitHub Actions workflows, validate against the GitHub Actions schema when available.
diff --git a/.github/prompts/internal-planning-kickoff.prompt.md b/.github/prompts/internal-planning-kickoff.prompt.md
index b8152c9..a2e1f68 100644
--- a/.github/prompts/internal-planning-kickoff.prompt.md
+++ b/.github/prompts/internal-planning-kickoff.prompt.md
@@ -3,6 +3,8 @@ agent: "agent"
 description: "Create a planning brief for repository-owned Copilot governance or cross-boundary execution work"
 ---
 
+<!-- markdownlint-disable-file MD041 -->
+
 Task or handoff:
 ${input:request:Paste the user request, handoff package, or desired change}
 
@@ -13,6 +15,7 @@ Constraints or rollout risks:
 ${input:constraints:List non-negotiables, rollout concerns, or known blockers}
 
 Use these repository sources first:
+
 - [AGENTS.md](../../AGENTS.md)
 - [.github/copilot-instructions.md](../copilot-instructions.md)
 - [.github/INVENTORY.md](../INVENTORY.md)
diff --git a/.github/prompts/internal-pre-mortem.prompt.md b/.github/prompts/internal-pre-mortem.prompt.md
index 412c044..6ce5faa 100644
--- a/.github/prompts/internal-pre-mortem.prompt.md
+++ b/.github/prompts/internal-pre-mortem.prompt.md
@@ -3,6 +3,8 @@ agent: "agent"
 description: "Pressure-test a proposal before merge, refactor, or cross-boundary implementation"
 ---
 
+<!-- markdownlint-disable-file MD041 -->
+
 Proposal or decision under test:
 ${input:proposal:Describe the proposal, plan, or change you want challenged}
 
@@ -16,6 +18,7 @@ Constraints or non-negotiables:
 ${input:constraints:List technical, policy, or rollout constraints}
 
 Use these repository sources first:
+
 - [AGENTS.md](../../AGENTS.md)
 - [.github/copilot-instructions.md](../copilot-instructions.md)
 - [.github/agents/internal-critical-master.agent.md](../agents/internal-critical-master.agent.md)
diff --git a/.github/prompts/internal-review-kickoff.prompt.md b/.github/prompts/internal-review-kickoff.prompt.md
index 6619880..5991c8e 100644
--- a/.github/prompts/internal-review-kickoff.prompt.md
+++ b/.github/prompts/internal-review-kickoff.prompt.md
@@ -3,6 +3,8 @@ agent: "agent"
 description: "Kick off a defect-first review for governance, workflow, or repository-owned catalog changes"
 ---
 
+<!-- markdownlint-disable-file MD041 -->
+
 Change, diff, or asset to review:
 ${input:subject:Describe the PR, diff, file set, or asset under review}
 
@@ -13,6 +15,7 @@ Known assumptions or concerns:
 ${input:concerns:List any risks, assumptions, or reviewer comments already in play}
 
 Use these repository sources first:
+
 - [AGENTS.md](../../AGENTS.md)
 - [.github/copilot-code-review-instructions.md](../copilot-code-review-instructions.md)
 - [.github/skills/internal-code-review/SKILL.md](../skills/internal-code-review/SKILL.md)
diff --git a/.github/prompts/internal-sync-plan.prompt.md b/.github/prompts/internal-sync-plan.prompt.md
index 512248c..b768684 100644
--- a/.github/prompts/internal-sync-plan.prompt.md
+++ b/.github/prompts/internal-sync-plan.prompt.md
@@ -3,6 +3,8 @@ agent: "agent"
 description: "Prepare a source-authoritative sync or catalog-governance plan before applying changes to a consumer repository"
 ---
 
+<!-- markdownlint-disable-file MD041 -->
+
 Source repository or branch:
 ${input:source:Describe the source standards repo or branch under consideration}
 
@@ -16,6 +18,7 @@ Target-local exceptions to preserve:
 ${input:local:List local assets, overrides, or no-touch areas if known}
 
 Use these repository sources first:
+
 - [AGENTS.md](../../AGENTS.md)
 - [.github/copilot-instructions.md](../copilot-instructions.md)
 - [.github/INVENTORY.md](../INVENTORY.md)
diff --git a/.github/scripts/github_catalog_validation.py b/.github/scripts/github_catalog_validation.py
index 9e57342..a28258c 100644
--- a/.github/scripts/github_catalog_validation.py
+++ b/.github/scripts/github_catalog_validation.py
@@ -60,7 +60,13 @@ def main() -> int:
     run_token_risks = args.token_risks_only or not args.skip_token_risks
 
     if run_required_targets:
-        for target in ("catalog-lint", "test", "skill-lint", "catalog-check"):
+        for target in (
+            "catalog-lint",
+            "test",
+            "skill-lint",
+            "catalog-check",
+            "docs-lint",
+        ):
             exit_code = run_make_target(root, target, optional=False)
             if exit_code != 0:
                 return exit_code
@@ -72,4 +78,4 @@ def main() -> int:
 
 
 if __name__ == "__main__":
-    raise SystemExit(main())
\ No newline at end of file
+    raise SystemExit(main())
diff --git a/.github/security-baseline.md b/.github/security-baseline.md
index 47d49c7..cf7b87f 100644
--- a/.github/security-baseline.md
+++ b/.github/security-baseline.md
@@ -1,9 +1,11 @@
 # Security Baseline for Copilot Customization
 
 ## Objective
+
 Provide a portable baseline that teams can apply before enabling repository-wide Copilot customization.
 
 ## Minimum controls
+
 - Pin all third-party GitHub Actions by full commit SHA.
 - Keep `permissions` minimal in workflows (default to read-only unless write is required).
 - Prefer OIDC short-lived credentials over long-lived static secrets.
@@ -12,6 +14,7 @@ Provide a portable baseline that teams can apply before enabling repository-wide
 - Run `shellcheck` on Bash scripts under `.github/scripts/`.
 
 ## IAM and least privilege
+
 - Apply least privilege across all clouds: scope roles, policies, and bindings to the narrowest effective target.
 - AWS: no `"Action": "*"` or `"Resource": "*"` without documented justification; use permission boundaries on human roles; align with SCPs.
 - Azure: no Owner at subscription level without justification; scope role assignments narrowly; prefer managed identities over service principal secrets.
@@ -20,6 +23,7 @@ Provide a portable baseline that teams can apply before enabling repository-wide
 - Review blast radius: what is the worst-case impact if this identity is compromised?
 
 ## Supply chain and CI/CD security
+
 - Pin every GitHub Action to a full-length commit SHA with adjacent release/tag comment.
 - Pin `docker://` references by digest instead of floating tags.
 - Require OIDC for cloud authentication in workflows — no long-lived secrets.
@@ -29,22 +33,26 @@ Provide a portable baseline that teams can apply before enabling repository-wide
 - Set explicit `timeout-minutes` and `concurrency` on jobs.
 
 ## Instruction and artifact safety
+
 - Avoid instructions that request hidden or sensitive data.
 - Prohibit plaintext tokens, keys, and passwords in examples.
 - Use explicit guardrails for destructive operations.
 - Require deterministic, reviewable output in generated artifacts.
 
 ## Agent safety
+
 - Prefer read-only agents for planning/review.
 - Restrict write-capable agents to clearly scoped tasks.
 - Require explicit references to policy files for security-sensitive changes.
 
 ## Change governance
+
 - Document breaking instruction, skill, or agent changes in `.github/CHANGELOG.md`.
 - Use a deprecation window before removing instructions, skills, or agents in active use.
 - Keep a rollback path for workflow and policy changes.
 
 ## Enforcement status
+
 | Control | Status | Tool |
 | --- | --- | --- |
 | Third-party action SHA pinning | Manual review | `internal-github-actions.instructions.md` + PR review |
@@ -61,6 +69,7 @@ Provide a portable baseline that teams can apply before enabling repository-wide
 | CHANGELOG-based change governance | Manual review | PR review |
 
 ## Optional hardening
+
 - Add CODEOWNERS coverage for `.github/**`.
 - Add secret scanning and dependency update automation.
 - Add repository rulesets for workflow and environment protection.
diff --git a/.github/skills/internal-agent-development/SKILL.md b/.github/skills/internal-agent-development/SKILL.md
index 3cbebfd..b599d4d 100644
--- a/.github/skills/internal-agent-development/SKILL.md
+++ b/.github/skills/internal-agent-development/SKILL.md
@@ -101,14 +101,14 @@ Use this split when authoring command-center agents:
   - role and stance
   - boundary with neighboring agents
   - tool contract
-   - boundary definition and any agent-specific lane-break handling that is not shared elsewhere
+  - boundary definition and any agent-specific lane-break handling that is not shared elsewhere
   - output expectations
 - Engine skill:
-   - shared stop-and-recommend protocol when several neighboring agents need the same lane-mismatch handling
+  - shared stop-and-recommend protocol when several neighboring agents need the same lane-mismatch handling
   - decision matrix
   - threshold rules for medium or ambiguous tasks
   - old-to-new ownership mapping
-   - completion semantics and degraded-mode rules when delegation-based turns stall or return no usable worker result
+  - completion semantics and degraded-mode rules when delegation-based turns stall or return no usable worker result
   - anti-overlap checklist
   - shared workflow steps that would otherwise be duplicated
 
diff --git a/.github/skills/internal-agent-development/references/example-transformations.md b/.github/skills/internal-agent-development/references/example-transformations.md
index 7e04749..9760461 100644
--- a/.github/skills/internal-agent-development/references/example-transformations.md
+++ b/.github/skills/internal-agent-development/references/example-transformations.md
@@ -6,7 +6,7 @@ They show how to convert richer external agent ideas into repository-owned inter
 
 ## Example 1: Capability-Heavy External Expert to Internal Specialist
 
-### Situation
+### Example 1 Situation
 
 An imported agent has:
 
@@ -15,19 +15,19 @@ An imported agent has:
 - long expertise catalogs
 - broad claims about being an expert in a domain
 
-### Keep
+### Example 1 Keep
 
 - the distinct domain
 - the decisions the agent should own
 - the output shape users expect
 
-### Rewrite
+### Example 1 Rewrite
 
 - make `description:` say when the route wins
 - turn expertise bullets into routing priorities or output expectations
 - normalize copied tool ids to canonical aliases and declare a short explicit `tools:` contract
 
-### Internal Pattern
+### Example 1 Internal Pattern
 
 ```markdown
 ---
@@ -56,24 +56,24 @@ You are the specialist command center for ...
 
 ## Example 2: Workflow-Heavy Scaffold Agent to Internal Control Center
 
-### Situation
+### Example 2 Situation
 
 An imported agent is organized around commands such as bootstrap, validate, migrate, or sync.
 
-### Keep
+### Example 2 Keep
 
 - the ordered workflow
 - the governing rules
 - the checkpoints that protect correctness
 
-### Rewrite
+### Example 2 Rewrite
 
 - keep one command-center role
 - use `## Core Rules` for policy guardrails
 - use `## Skill Usage Contract` only when declared skills are conditional
 - rewrite slash commands into repo-local execution steps
 
-### Internal Pattern
+### Example 2 Internal Pattern
 
 ```markdown
 ---
@@ -120,7 +120,7 @@ You are the command center for ...
 
 ## Example 3: Governance Reviewer to Agent-plus-Skill Split
 
-### Situation
+### Example 4 Situation
 
 An imported agent is mostly made of checklists, policy rules, and enforcement steps.
 
@@ -158,20 +158,20 @@ An imported cloud architect agent has:
 - a framework matrix such as Well-Architected pillars
 - a long list of clarifying questions
 
-### Keep
+### Example 4 Keep
 
 - the docs-first decision model
 - the critical requirement gate
 - the expected tradeoff-heavy output shape
 
-### Rewrite
+### Example 4 Rewrite
 
 - move stale tool dependencies into repo-local research skills, routing rules about official documentation, or a short current `tools:` list that stays explicit and role-shaped
 - turn the framework matrix into a short decision lens in routing rules or output expectations
 - compress the clarifying questions into a short list of critical constraints
 - keep the route focused on when the provider-specific agent wins
 
-### Internal Pattern
+### Example 4 Internal Pattern
 
 ```markdown
 ---
diff --git a/.github/skills/internal-agent-sync-external-resources/SKILL.md b/.github/skills/internal-agent-sync-external-resources/SKILL.md
index 2011f80..3458eb2 100644
--- a/.github/skills/internal-agent-sync-external-resources/SKILL.md
+++ b/.github/skills/internal-agent-sync-external-resources/SKILL.md
@@ -60,10 +60,10 @@ Do not collapse these roles back into one file just because the current task tou
 1. Check the declared managed scope in `internal-sync-external-resources` plus the live local inventory and nearby trigger space.
 2. Decide whether the capability should remain an `internal-*` asset, remain an approved in-scope external-prefixed asset, or be retired.
 3. For imported assets, prefer verbatim refresh first. Allow a direct in-place override only when the reason is strong, the user explicitly counter-validates it, and the replay patch is registered in this skill bundle.
-3. Prefer consolidation over coexistence when two assets compete for the same trigger space.
-4. Repair broken references only when the asset still adds distinct value to the declared catalog.
-5. Apply the canonical change first, then remove deprecated duplicates, stale references, and hollow dependencies in the same pass.
-6. Re-check root `AGENTS.md` and `.github/copilot-instructions.md` whenever catalog meaning, routing, or governance language changed.
+4. Prefer consolidation over coexistence when two assets compete for the same trigger space.
+5. Repair broken references only when the asset still adds distinct value to the declared catalog.
+6. Apply the canonical change first, then remove deprecated duplicates, stale references, and hollow dependencies in the same pass.
+7. Re-check root `AGENTS.md` and `.github/copilot-instructions.md` whenever catalog meaning, routing, or governance language changed.
 
 ## Classification Matrix
 
diff --git a/.github/skills/internal-change-impact-analysis/SKILL.md b/.github/skills/internal-change-impact-analysis/SKILL.md
index b0c1a71..06524ad 100644
--- a/.github/skills/internal-change-impact-analysis/SKILL.md
+++ b/.github/skills/internal-change-impact-analysis/SKILL.md
@@ -6,11 +6,13 @@ description: Use when the user wants to understand the ripple effects of a chang
 # Change Impact Analysis Skill
 
 ## When to use
+
 - Analyze a set of repository changes (branch diff, PR, or file list) for correctness, design, and blind spots.
 - Evaluate architectural implications and unconsidered aspects of a change.
 - Complement line-level code review with systems-level and business-level thinking.
 
 ## Relationship to other skills
+
 - **internal-code-review** (`.github/skills/internal-code-review/SKILL.md`): per-line anti-patterns, severity catalogs, nit-level scanning.
 - **This skill**: change-set-level impact, architectural implications, unconsidered aspects.
 - Use both together: run `internal-code-review` first for detailed findings, then this skill for the bigger picture.
@@ -69,6 +71,7 @@ For empty sections, state "No findings in this category."
 ## Self-questioning
 
 Before presenting findings, verify:
+
 - Is this finding based on evidence in the diff, or am I assuming?
 - Could I be wrong about the intent of this change?
 - Am I flagging something that is actually fine for this specific context?
@@ -84,6 +87,7 @@ Before presenting findings, verify:
 6. Present findings in conversation using the output structure above.
 
 ## Validation
+
 - Every finding must reference a concrete file and line number.
 - Every finding must include a *why* explanation.
 - Every error or improvement must include a *how to fix* suggestion.
diff --git a/.github/skills/internal-change-impact-analysis/references/analysis-dimensions.md b/.github/skills/internal-change-impact-analysis/references/analysis-dimensions.md
index ed7d5de..5e20c05 100644
--- a/.github/skills/internal-change-impact-analysis/references/analysis-dimensions.md
+++ b/.github/skills/internal-change-impact-analysis/references/analysis-dimensions.md
@@ -1,6 +1,7 @@
 # Analysis Dimensions — Detailed Checklists
 
 ## 1. Correctness analysis
+
 - Does the code do what the change claims?
 - Are edge cases handled?
 - Are error paths tested?
diff --git a/.github/skills/internal-cloud-policy/SKILL.md b/.github/skills/internal-cloud-policy/SKILL.md
index 5919240..a2ac507 100644
--- a/.github/skills/internal-cloud-policy/SKILL.md
+++ b/.github/skills/internal-cloud-policy/SKILL.md
@@ -6,15 +6,18 @@ description: Use when authoring, comparing, or reviewing concrete cloud policy d
 # Cloud Policy Skill
 
 ## When to use
+
 - Create or modify governance policy definitions (AWS SCP, Azure Policy, GCP Org Policy).
 - Update policy scope, conditions, or effects.
 - Normalize policy structure for reviewability and rollout safety.
 
 ## Boundary
+
 - Use this skill for concrete policy artifacts or cross-cloud policy comparisons.
 - When the main question is IAM, RBAC, operating-model, or guardrail strategy rather than the policy definition itself, treat it as a governance-design problem instead of a policy-definition task.
 
 ## Mandatory rules
+
 - Keep scope explicit (organization / folder / subscription / project / management group).
 - Keep conditions readable and auditable.
 - Prefer deny-by-default for high-risk controls.
@@ -47,6 +50,7 @@ Load `references/policy-templates.md` for AWS SCP, Azure Policy, GCP Org Policy,
 | Hardcoded account/subscription/project IDs in policy | Non-portable across environments | Use variables or parameters |
 
 ## Validation
+
 - Validate syntax in the target format (JSON / HCL).
 - Validate policy behavior in non-production scope first.
 - Document behavioral impact and rollout scope.
diff --git a/.github/skills/internal-code-review/SKILL.md b/.github/skills/internal-code-review/SKILL.md
index 4333af7..6dbfdde 100644
--- a/.github/skills/internal-code-review/SKILL.md
+++ b/.github/skills/internal-code-review/SKILL.md
@@ -6,6 +6,7 @@ description: Use when a code review is requested, a PR needs reviewing, or the u
 # Code Review Skill
 
 ## When to use
+
 - Perform an exhaustive, nit-level code review on Python, Bash, Terraform, Java, or Node.js/TypeScript files.
 - Provide structured findings with per-language anti-pattern detection.
 - Complement specialist reviewer agents with deep language-specific checks.
@@ -34,6 +35,7 @@ Establish these review inputs before grading the diff:
 - What is the expected validation path, and what is still unverified?
 
 ## Severity levels
+
 | Level | Meaning | Action |
 |---|---|---|
 | `Critical` | Security flaw, data loss risk, or correctness bug | Must fix before merge |
@@ -43,6 +45,7 @@ Establish these review inputs before grading the diff:
 | `Notes` | Assumptions, open questions, or follow-up suggestions | Informational only |
 
 ## Escalation rules
+
 - Any single anti-pattern repeated three or more times in the same diff escalates one severity level (e.g., `Nit` → `Minor`, `Minor` → `Major`).
 - Any deviation from the matching `instructions/*.instructions.md` is at minimum a `Nit`.
 - Any violation of `security-baseline.md` is at minimum a `Major`.
@@ -120,6 +123,7 @@ Only elevate simplification suggestions when they materially improve maintainabi
 | Generic "this could be improved" without concrete fix | Not actionable | Every finding must include a fix suggestion |
 
 ## Cross-references
+
 - **internal-change-impact-analysis** (`.github/skills/internal-change-impact-analysis/SKILL.md`): for change-set-level impact analysis, architectural evaluation, and blind-spot detection beyond line-level review.
 - Use both together: this skill for nit-level anti-patterns first, then `internal-change-impact-analysis` for the bigger picture.
 
@@ -135,6 +139,7 @@ Use this skill as the default review owner, then add a narrower specialist only
 - Add language or domain specialists only when they materially improve the finding quality; do not fan out by default.
 
 ## Validation
+
 - Verify every finding references a real file path and line from the diff.
 - Verify severity assignments match the anti-pattern catalog rules.
 - Verify escalation rules are applied for repeated violations (3+ of the same kind).
diff --git a/.github/skills/internal-code-review/references/anti-patterns-bash.md b/.github/skills/internal-code-review/references/anti-patterns-bash.md
index 4253271..2d0c6e1 100644
--- a/.github/skills/internal-code-review/references/anti-patterns-bash.md
+++ b/.github/skills/internal-code-review/references/anti-patterns-bash.md
@@ -3,6 +3,7 @@
 Reference: `instructions/internal-bash.instructions.md`
 
 ## Critical
+
 | ID | Anti-pattern | Why |
 |---|---|---|
 | SH-C01 | Hardcoded secrets, tokens, or passwords | Credential exposure risk |
@@ -10,6 +11,7 @@ Reference: `instructions/internal-bash.instructions.md`
 | SH-C03 | World-writable temp files without `mktemp` | Race condition / symlink attack |
 
 ## Major
+
 | ID | Anti-pattern | Why |
 |---|---|---|
 | SH-M01 | Missing `set -euo pipefail` | Silent failures and undefined variables |
@@ -21,6 +23,7 @@ Reference: `instructions/internal-bash.instructions.md`
 | SH-M07 | Function body longer than 30 lines | Complexity concern |
 
 ## Minor
+
 | ID | Anti-pattern | Why |
 |---|---|---|
 | SH-m01 | `echo` for status messages instead of emoji logs (`ℹ️ ✅ ⚠️ ❌`) | Repo convention violation |
@@ -31,6 +34,7 @@ Reference: `instructions/internal-bash.instructions.md`
 | SH-m06 | Non-English log messages or comments | Language policy violation |
 
 ## Nit
+
 | ID | Anti-pattern | Why |
 |---|---|---|
 | SH-N01 | `[ ... ]` instead of `[[ ... ]]` | Bash convention |
diff --git a/.github/skills/internal-code-review/references/anti-patterns-java.md b/.github/skills/internal-code-review/references/anti-patterns-java.md
index a0469d1..4e56f2b 100644
--- a/.github/skills/internal-code-review/references/anti-patterns-java.md
+++ b/.github/skills/internal-code-review/references/anti-patterns-java.md
@@ -3,6 +3,7 @@
 Reference: `instructions/internal-java.instructions.md`
 
 ## Critical
+
 | ID | Anti-pattern | Why |
 |---|---|---|
 | JV-C01 | Hardcoded secrets, tokens, or passwords | Credential exposure risk |
@@ -10,6 +11,7 @@ Reference: `instructions/internal-java.instructions.md`
 | JV-C03 | SQL string concatenation instead of parameterized queries | SQL injection |
 
 ## Major
+
 | ID | Anti-pattern | Why |
 |---|---|---|
 | JV-M01 | Bare `catch (Exception e)` that swallows without re-throw or logging | Silent failures |
@@ -22,6 +24,7 @@ Reference: `instructions/internal-java.instructions.md`
 | JV-M08 | `System.out.println` in application/library code | No log level control |
 
 ## Minor
+
 | ID | Anti-pattern | Why |
 |---|---|---|
 | JV-m01 | Unused imports | Dead code noise |
@@ -32,6 +35,7 @@ Reference: `instructions/internal-java.instructions.md`
 | JV-m06 | Mutable collections returned from public API without wrapping | Encapsulation leak |
 
 ## Nit
+
 | ID | Anti-pattern | Why |
 |---|---|---|
 | JV-N01 | Non-standard naming (camelCase for methods, PascalCase for classes) | Convention consistency |
diff --git a/.github/skills/internal-code-review/references/anti-patterns-nodejs.md b/.github/skills/internal-code-review/references/anti-patterns-nodejs.md
index fcc9836..61790bc 100644
--- a/.github/skills/internal-code-review/references/anti-patterns-nodejs.md
+++ b/.github/skills/internal-code-review/references/anti-patterns-nodejs.md
@@ -3,6 +3,7 @@
 Reference: `instructions/internal-nodejs.instructions.md`
 
 ## Critical
+
 | ID | Anti-pattern | Why |
 |---|---|---|
 | ND-C01 | Hardcoded secrets, tokens, or passwords | Credential exposure risk |
@@ -10,6 +11,7 @@ Reference: `instructions/internal-nodejs.instructions.md`
 | ND-C03 | User input in `child_process.exec()` without sanitization | Command injection |
 
 ## Major
+
 | ID | Anti-pattern | Why |
 |---|---|---|
 | ND-M01 | Unhandled promise rejection (missing `.catch()` or `try/catch` on `await`) | Silent crash or process exit |
@@ -22,6 +24,7 @@ Reference: `instructions/internal-nodejs.instructions.md`
 | ND-M08 | Callback-based patterns where async/await is available | Readability and error propagation |
 
 ## Minor
+
 | ID | Anti-pattern | Why |
 |---|---|---|
 | ND-m01 | Unused imports or variables | Dead code noise |
@@ -32,6 +35,7 @@ Reference: `instructions/internal-nodejs.instructions.md`
 | ND-m06 | Event listener without corresponding cleanup/removal | Memory leak risk |
 
 ## Nit
+
 | ID | Anti-pattern | Why |
 |---|---|---|
 | ND-N01 | Non-standard naming (camelCase for functions, PascalCase for classes/types) | Convention consistency |
diff --git a/.github/skills/internal-code-review/references/anti-patterns-python.md b/.github/skills/internal-code-review/references/anti-patterns-python.md
index 002930e..86fe40c 100644
--- a/.github/skills/internal-code-review/references/anti-patterns-python.md
+++ b/.github/skills/internal-code-review/references/anti-patterns-python.md
@@ -3,6 +3,7 @@
 Reference: `instructions/internal-python.instructions.md`
 
 ## Critical
+
 | ID | Anti-pattern | Why |
 |---|---|---|
 | PY-C01 | Hardcoded secrets, tokens, or passwords | Credential exposure risk |
@@ -10,6 +11,7 @@ Reference: `instructions/internal-python.instructions.md`
 | PY-C03 | `pickle.load()` / `pickle.loads()` on untrusted data | Deserialization attack |
 
 ## Major
+
 | ID | Anti-pattern | Why |
 |---|---|---|
 | PY-M01 | Bare `except:` or `except Exception:` without re-raise or logging | Swallows errors silently |
@@ -23,6 +25,7 @@ Reference: `instructions/internal-python.instructions.md`
 | PY-M09 | Python tests outside repository-root `tests/` or without mirrored source paths | Breaks repository test discoverability and ownership mapping |
 
 ## Minor
+
 | ID | Anti-pattern | Why |
 |---|---|---|
 | PY-m01 | Unused imports | Dead code noise |
@@ -35,6 +38,7 @@ Reference: `instructions/internal-python.instructions.md`
 | PY-m08 | Nested functions deeper than 2 levels | Readability concern |
 
 ## Nit
+
 | ID | Anti-pattern | Why |
 |---|---|---|
 | PY-N01 | Line length > 120 characters | PEP8 / repo convention |
diff --git a/.github/skills/internal-code-review/references/anti-patterns-terraform.md b/.github/skills/internal-code-review/references/anti-patterns-terraform.md
index f0b22b7..6537948 100644
--- a/.github/skills/internal-code-review/references/anti-patterns-terraform.md
+++ b/.github/skills/internal-code-review/references/anti-patterns-terraform.md
@@ -3,6 +3,7 @@
 Reference: `instructions/internal-terraform.instructions.md`
 
 ## Critical
+
 | ID | Anti-pattern | Why |
 |---|---|---|
 | TF-C01 | Hardcoded secrets, access keys, or passwords in `.tf` files | Credential exposure |
@@ -10,6 +11,7 @@ Reference: `instructions/internal-terraform.instructions.md`
 | TF-C03 | Backend configuration with no state locking | Concurrent state corruption |
 
 ## Major
+
 | ID | Anti-pattern | Why |
 |---|---|---|
 | TF-M01 | `count` used where `for_each` with logical keys is appropriate | Index-based drift risk |
@@ -22,6 +24,7 @@ Reference: `instructions/internal-terraform.instructions.md`
 | TF-M08 | Missing tags on taggable resources | Governance and cost tracking gap |
 
 ## Minor
+
 | ID | Anti-pattern | Why |
 |---|---|---|
 | TF-m01 | Unused variables or outputs | Dead code |
@@ -32,6 +35,7 @@ Reference: `instructions/internal-terraform.instructions.md`
 | TF-m06 | Locals not grouped by domain | Organizational clarity |
 
 ## Nit
+
 | ID | Anti-pattern | Why |
 |---|---|---|
 | TF-N01 | Resource name not in `snake_case` | Naming convention |
diff --git a/.github/skills/internal-copilot-audit/SKILL.md b/.github/skills/internal-copilot-audit/SKILL.md
index ccaddea..638a8f1 100644
--- a/.github/skills/internal-copilot-audit/SKILL.md
+++ b/.github/skills/internal-copilot-audit/SKILL.md
@@ -28,7 +28,7 @@ Treat the declared governance contract in the relevant agent, root `AGENTS.md`,
 - Detect sync workflows that skip or fail to report governance review for `.github/copilot-instructions.md` and root `AGENTS.md`.
 - Detect naming violations and stale inventory references.
 - Detect governance files that still describe removed, renamed, or retired assets.
-- Detect catalog retirements or remaps that were not propagated in the same change to the local sync command center, `.github/scripts/validate-copilot-customizations.py`, and `.github/scripts/internal-sync-copilot-configs.py`.
+- Detect catalog retirements or remaps that were not propagated in the same change to the supported consistency and sync entrypoints, `.github/scripts/check_catalog_consistency.sh` and `.github/scripts/sync_copilot_catalog.sh`.
 
 ## Audit Order
 
diff --git a/.github/skills/internal-docker/SKILL.md b/.github/skills/internal-docker/SKILL.md
index 5eb1b27..4d105d5 100644
--- a/.github/skills/internal-docker/SKILL.md
+++ b/.github/skills/internal-docker/SKILL.md
@@ -6,11 +6,13 @@ description: Use when creating or modifying Dockerfiles, Compose assets, image b
 # Docker Skill
 
 ## When to use
+
 - Creating or updating `Dockerfile` assets.
 - Editing Compose manifests or workflow-local image references.
 - Hardening container build and runtime configuration.
 
 ## Mandatory rules
+
 - Pin images by digest (`@sha256:...`), never by floating tag alone.
 - Use multi-stage builds to separate build and runtime layers.
 - Run as non-root user in the final stage.
@@ -34,6 +36,7 @@ Load `references/dockerfile-patterns.md` when you need the canonical multi-stage
 | Missing `--no-cache-dir` on pip install | Wasted space from pip cache in layer | Always `pip install --no-cache-dir` |
 
 ## Validation
+
 - Verify image references use digests.
 - Verify non-root user in final stage.
 - Verify `.dockerignore` exists and excludes sensitive/unnecessary files.
diff --git a/.github/skills/internal-github-action-composite/SKILL.md b/.github/skills/internal-github-action-composite/SKILL.md
index 0532d21..4364f03 100644
--- a/.github/skills/internal-github-action-composite/SKILL.md
+++ b/.github/skills/internal-github-action-composite/SKILL.md
@@ -6,12 +6,14 @@ description: Use when creating or modifying a reusable GitHub composite action u
 # GitHub Composite Action Skill
 
 ## When to use
+
 - Create a new reusable composite action under `.github/actions/`.
 - Modify an existing composite action and preserve compatibility.
 - Deepen a GitHub Actions task that has already been classified as composite-action authoring.
 - Add or revise composite-action documentation, outputs, testing guidance, or release discipline.
 
 ## Relationship to the umbrella skill
+
 - `internal-github-actions` is the default entry point for GitHub Actions authoring.
 - Load this skill when the work is specifically a composite action or when the umbrella skill decides the reusable unit should move here.
 
@@ -25,6 +27,7 @@ description: Use when creating or modifying a reusable GitHub composite action u
 | Best for | Shared validation, setup, or step logic | Pipelines with their own jobs, runners, or environments |
 
 ## Mandatory rules
+
 - Follow `.github/instructions/internal-github-action-composite.instructions.md`.
 - Pass expression inputs via `env:` instead of interpolating `${{ }}` directly in `run:`.
 - Keep `shell: bash` explicit on composite steps.
diff --git a/.github/skills/internal-github-actions/SKILL.md b/.github/skills/internal-github-actions/SKILL.md
index 5cf3ecf..27a8f18 100644
--- a/.github/skills/internal-github-actions/SKILL.md
+++ b/.github/skills/internal-github-actions/SKILL.md
@@ -6,6 +6,7 @@ description: Use when authoring or revising GitHub Actions workflows, reusable w
 # GitHub Actions Skill
 
 ## When to use
+
 - Create or modify GitHub Actions workflows under `.github/workflows/`.
 - Create or modify reusable workflows exposed through `workflow_call`.
 - Decide whether repeated step logic should stay inline, move to a reusable workflow, or move to a composite action.
@@ -15,6 +16,7 @@ description: Use when authoring or revising GitHub Actions workflows, reusable w
 Use `internal-devops-core-principles` when the question is delivery strategy, release model, or operating-model health rather than workflow authoring.
 
 ## Mandatory rules
+
 - Follow `.github/instructions/internal-github-actions.instructions.md`.
 - Prefer OIDC for cloud authentication.
 - Pin every third-party action to a full-length SHA with adjacent release comment.
diff --git a/.github/skills/internal-github-actions/references/auth-snippets.md b/.github/skills/internal-github-actions/references/auth-snippets.md
index f7441d1..9aa372e 100644
--- a/.github/skills/internal-github-actions/references/auth-snippets.md
+++ b/.github/skills/internal-github-actions/references/auth-snippets.md
@@ -1,6 +1,7 @@
 # Cloud Auth Snippets for GitHub Actions
 
 ## AWS — OIDC Federation
+
 ```yaml
 permissions:
   id-token: write
@@ -17,11 +18,13 @@ steps:
 ```
 
 Prerequisites:
+
 - IAM OIDC provider for `token.actions.githubusercontent.com`
 - IAM role with trust policy scoped to repo/branch
 - No long-lived access keys
 
 ## Azure — OIDC Federation
+
 ```yaml
 permissions:
   id-token: write
@@ -39,11 +42,13 @@ steps:
 ```
 
 Prerequisites:
+
 - App registration with federated credential for GitHub Actions
 - Service principal with minimal RBAC role
 - No client secrets
 
 ## GCP — Workload Identity Federation
+
 ```yaml
 permissions:
   id-token: write
@@ -60,6 +65,7 @@ steps:
 ```
 
 Prerequisites:
+
 - Workload Identity Pool with GitHub provider
 - Service account with minimal IAM roles
 - No service account keys
diff --git a/.github/skills/internal-oop-design-patterns/references/language-cues.md b/.github/skills/internal-oop-design-patterns/references/language-cues.md
index 9313172..6e356a5 100644
--- a/.github/skills/internal-oop-design-patterns/references/language-cues.md
+++ b/.github/skills/internal-oop-design-patterns/references/language-cues.md
@@ -2,7 +2,7 @@
 
 Load this file when a pattern seems plausible but the host language should influence how heavy the solution becomes.
 
-## Java and C#
+## Java and C\#
 
 - Interfaces and explicit dependency injection are cheap when the variation point is real.
 - Prefer records or small immutable types for data carriers where the codebase already uses them.
diff --git a/.github/skills/internal-pr-editor/SKILL.md b/.github/skills/internal-pr-editor/SKILL.md
index 594429a..aa98932 100644
--- a/.github/skills/internal-pr-editor/SKILL.md
+++ b/.github/skills/internal-pr-editor/SKILL.md
@@ -6,12 +6,14 @@ description: Use when writing or updating a pull request title or body from a re
 # Internal PR Editor
 
 ## When to use
+
 - Create a new pull request description.
 - Improve an incomplete pull request body.
 - Summarize changes from modified files and checks.
 - Map a specification, issue, or template-driven request into a PR title and body without overstating what the diff actually delivers.
 
 ## Mandatory rules
+
 - Use English for all PR content.
 - Keep summary concise and outcome-oriented.
 - Include only relevant scope checkboxes.
@@ -22,7 +24,9 @@ description: Use when writing or updating a pull request title or body from a re
 - Do not modify any `README.md` file unless explicitly requested.
 
 ## Template resolution
+
 Resolve and use one existing repository template:
+
 1. `.github/PULL_REQUEST_TEMPLATE.md`
 2. the lowercase filename under `.github/` if the repository exposes one
 3. `PULL_REQUEST_TEMPLATE.md`
@@ -40,6 +44,7 @@ If the user provides a specification, issue, or acceptance outline:
 - Keep the PR body grounded in the repository template, not in the source specification's original formatting.
 
 ## Tool-driven workflow
+
 1. Detect whether an open PR exists for the current branch.
 2. If PR exists → update title/body directly.
 3. If PR does not exist → create a draft PR first.
@@ -49,6 +54,7 @@ If the user provides a specification, issue, or acceptance outline:
 7. If PR tools are unavailable → return ready-to-paste markdown plus CLI fallback commands.
 
 ## Minimal example
+
 - Input:
   - title: "Externalize Copilot inventory"
   - changed_files: "AGENTS.md, .github/INVENTORY.md, .github/copilot-instructions.md"
@@ -67,11 +73,13 @@ If the user provides a specification, issue, or acceptance outline:
 | Not including validation commands and output | Reviewer has no confidence that code was tested | Always include the exact commands and their results |
 
 ## Cross-references
+
 - **internal-change-impact-analysis** (`.github/skills/internal-change-impact-analysis/SKILL.md`): for change-impact analysis that feeds the risk section.
 - **internal-code-review** (`.github/skills/internal-code-review/SKILL.md`): for the review that follows the PR.
 - **openai-gh-address-comments** (`.github/skills/openai-gh-address-comments/SKILL.md`): for addressing review threads and PR comments after the PR body exists; keep this skill focused on PR title/body authoring.
 
 ## Validation
+
 - Every template-defined section heading is present.
 - `Changes` has concise bullets describing the real diff.
 - Risk and rollback are explicit and actionable.
diff --git a/.github/skills/internal-project-java/SKILL.md b/.github/skills/internal-project-java/SKILL.md
index 50283a1..3825cee 100644
--- a/.github/skills/internal-project-java/SKILL.md
+++ b/.github/skills/internal-project-java/SKILL.md
@@ -8,10 +8,12 @@ description: Use when creating or modifying Java project code and the main conce
 Follow `.github/instructions/internal-java.instructions.md` for the baseline Java rules. This skill adds project-specific guidance only.
 
 ## When to use
+
 - Services, handlers, controllers, utilities, modules.
 - Refactoring or extending existing Java components.
 
 ## Project-specific guidance
+
 - Prefer constructor injection and immutable dependencies in Spring components.
 - Keep controllers thin, services stateless, and API DTOs separate from persistence entities.
 - Use Java 21 features only when the project already targets them or the runtime requirement is explicit.
@@ -19,6 +21,7 @@ Follow `.github/instructions/internal-java.instructions.md` for the baseline Jav
 Load `references/examples.md` when you need a minimal class or test example.
 
 ## Test stack
+
 - Follow the JUnit 5 defaults from the instruction owner.
 - Use `@ParameterizedTest`, `assertAll`, `@Nested`, and `@Tag` when they improve test clarity rather than just adding ceremony.
 - Use Spring test slices such as `@WebMvcTest` or `@DataJpaTest` before defaulting to full-context tests.
@@ -26,10 +29,12 @@ Load `references/examples.md` when you need a minimal class or test example.
 - For modify tasks: edit implementation first, run existing tests, then update tests only for intentional behavior changes.
 
 ## Spring coordination
+
 - Keep Spring-specific design decisions lightweight here and treat controller, configuration, repository, or test-slice-heavy work as a separate framework-focused lane.
 - Prefer constructor injection with `private final` dependencies and keep transaction boundaries narrow.
 
 ## Modern Java guidance
+
 - Prefer records for small immutable data carriers when the codebase already uses them.
 - Use sealed hierarchies only when bounded polymorphism is a real domain constraint.
 - Consider virtual threads for high-concurrency I/O-heavy flows only when the framework and blocking model are understood.
@@ -50,6 +55,7 @@ Load `references/examples.md` when you need a minimal class or test example.
 | Over-using inheritance for code reuse | Rigid hierarchies, fragile base class problem | Prefer composition and delegation |
 
 ## Validation
+
 - Compile with `mvn compile` or `gradle build`.
 - Run tests with `mvn test` or `gradle test`.
 - Check code style with project linter when available.
diff --git a/.github/skills/internal-project-nodejs/SKILL.md b/.github/skills/internal-project-nodejs/SKILL.md
index 13aba28..6a7479a 100644
--- a/.github/skills/internal-project-nodejs/SKILL.md
+++ b/.github/skills/internal-project-nodejs/SKILL.md
@@ -8,10 +8,12 @@ description: Use when creating or modifying Node.js or TypeScript project code s
 Follow `.github/instructions/internal-nodejs.instructions.md` for the baseline Node.js rules. This skill adds project-specific guidance only.
 
 ## When to use
+
 - Services, handlers, adapters, and utility modules.
 - Refactoring or extending existing Node.js components.
 
 ## Project-specific guidance
+
 - Follow the existing module system and runtime constraints before introducing ESM/CJS or build-tool changes.
 - Validate inputs at API or function boundaries and keep async error handling explicit.
 - Keep framework wiring thin and move request-shaping logic out of transport handlers when reuse or testing would improve.
@@ -19,11 +21,13 @@ Follow `.github/instructions/internal-nodejs.instructions.md` for the baseline N
 Load `references/examples.md` when you need a minimal module or test example.
 
 ## Test stack
+
 - Follow the repository test-stack defaults from the instruction owner.
 - If the repository already uses Jest, stay with local Jest conventions instead of introducing mixed test stacks.
 - For modify tasks: edit implementation first, run existing tests, then update tests only for intentional behavior changes.
 
 ## Runtime and async guidance
+
 - Prefer `async`/`await` over promise chains unless streaming or concurrency composition clearly benefits from lower-level primitives.
 - Use `Promise.all` only for independent work; use `Promise.allSettled` when partial failure is acceptable.
 - Keep CPU-heavy work off request paths or move it to worker threads or an external service.
@@ -31,6 +35,7 @@ Load `references/examples.md` when you need a minimal module or test example.
 - Default to the current module system. Use ESM for new projects only when the repo and toolchain already support it cleanly.
 
 ## Testing guidance
+
 - Prefer unit tests and narrow integration tests over broad end-to-end coverage for every module change.
 - In Jest repos, use focused mocks and reset them between tests; do not introduce Jest where the project already standardizes on `node:test`.
 - Keep async tests explicit with `await`, `assert.rejects`, or the framework-native async helpers.
@@ -50,6 +55,7 @@ Load `references/examples.md` when you need a minimal module or test example.
 | Using `Promise.all` on dependent work | Masks ordering assumptions and makes failures harder to interpret | Keep dependent async steps sequential |
 
 ## Validation
+
 - Run tests: `node --test` or `npm test`.
 - Lint: `npx eslint .` when configured.
 - Type check: `npx tsc --noEmit` for TypeScript projects.
diff --git a/.github/skills/internal-project-python/SKILL.md b/.github/skills/internal-project-python/SKILL.md
index 7ccd98e..cc495d2 100644
--- a/.github/skills/internal-project-python/SKILL.md
+++ b/.github/skills/internal-project-python/SKILL.md
@@ -8,17 +8,20 @@ description: Use when creating or modifying Python package or application code w
 Follow `.github/instructions/internal-python.instructions.md` for the baseline Python rules. This skill adds application-specific guidance only.
 
 ## When to use
+
 - Services, use cases, adapters, packages, and modules in Python applications.
 - Refactoring or extending existing Python application components.
 - Reusable Python code whose primary contract is imported behavior rather than operator-facing execution.
 - Python application code that should keep logging neutral or framework-native; operator-facing emoji output belongs to CLI, script, or delivery boundaries instead.
 
 ## Boundary
+
 - This skill covers structured package, library, or application components whose primary contract is reusable domain, service, or framework behavior.
 - Small operator-facing tools remain out of scope even when they have multiple files or tests.
 - A `lib/` folder, root-level tests, or multiple entrypoints alone do not make a tool application code.
 
 ## Application-specific guidance
+
 - Use type hints on public APIs and keep data contracts explicit.
 - Choose async only when the workload is I/O-bound and the surrounding stack supports it cleanly.
 - Keep request or transport models, domain logic, and persistence concerns in separate modules.
@@ -27,6 +30,7 @@ Follow `.github/instructions/internal-python.instructions.md` for the baseline P
 Load `references/examples.md` when you need a minimal module or test example.
 
 ## Testing
+
 - Follow the repository pytest defaults from the instruction owner.
 - BDD-like names: `given_when_then` style.
 - Prefer fixtures, parameterization, and mocking only when they reduce duplication or isolate real external boundaries.
@@ -34,11 +38,13 @@ Load `references/examples.md` when you need a minimal module or test example.
 - For modify tasks: edit implementation first, run existing tests, then update tests only for intentional behavior changes.
 
 ## Architecture and framework guidance
+
 - Follow the repository's existing framework before introducing FastAPI, Flask, Django, or a new dependency stack.
 - Use dataclasses or typed DTOs for internal contracts, and boundary-validation models where the framework already expects them.
 - Keep async flows end-to-end; do not mix blocking libraries into async request paths without an explicit bridge.
 
 ## Test-shape guidance
+
 - Use parameterized tests for behavior that varies across a small, explicit input matrix.
 - Mock network, filesystem, database, or queue boundaries; do not mock internal business logic seams by default.
 - Use property-based testing only when the input space is large enough to justify it.
@@ -59,6 +65,7 @@ Load `references/examples.md` when you need a minimal module or test example.
 | God classes with 10+ methods | Hard to test, hard to reason about | Split by responsibility into focused classes |
 
 ## Validation
+
 - `python -m compileall <paths>` (syntax check)
 - `pytest tests/` (run tests)
 - Lint with project's configured linter.
diff --git a/.github/skills/internal-script-bash/SKILL.md b/.github/skills/internal-script-bash/SKILL.md
index cfa6126..ba5d0fa 100644
--- a/.github/skills/internal-script-bash/SKILL.md
+++ b/.github/skills/internal-script-bash/SKILL.md
@@ -8,10 +8,12 @@ description: Use when creating or modifying standalone Bash scripts or shell uti
 Follow `.github/instructions/internal-bash.instructions.md` for the baseline Bash rules. This skill adds script-specific hardening guidance only.
 
 ## When to use
+
 - New Bash scripts.
 - Existing Bash scripts that need updates.
 
 ## Script-specific hardening guidance
+
 - Prefer `printf` for formatted output and arrays for dynamic commands.
 - Destructive or repeatable scripts should be idempotent and expose `--dry-run` when operator risk is non-trivial.
 - Validate required external commands with `command -v` before first use.
@@ -34,6 +36,7 @@ Load `references/templates.md` when you need the starter script, the standard ar
 | Rewriting parser or cleanup scaffolding from scratch | Operator UX and failure handling drift between scripts | Reuse the starter and helper patterns from `references/templates.md` |
 
 ## Validation
+
 - `bash -n script.sh` (syntax check)
 - `shellcheck -s bash script.sh` (lint)
 - `shfmt -d script.sh` (format diff, if available)
diff --git a/.github/skills/internal-script-python/SKILL.md b/.github/skills/internal-script-python/SKILL.md
index 5a0e2af..43ecfb5 100644
--- a/.github/skills/internal-script-python/SKILL.md
+++ b/.github/skills/internal-script-python/SKILL.md
@@ -8,17 +8,20 @@ description: Use when creating or modifying standalone Python scripts, CLIs, or
 Follow `.github/instructions/internal-python.instructions.md` for the baseline Python rules. This skill adds standalone-script guidance only.
 
 ## When to use
+
 - New standalone Python scripts.
 - Existing Python scripts that need updates.
 - CLI tools, one-off automation, data processing.
 - Small multi-entrypoint toolkits whose primary contract is operator-facing execution rather than reusable package APIs.
 
 ## Boundary
+
 - This skill covers standalone operational tools, CLI entrypoints, and small script toolkits whose primary contract is direct execution.
 - A tool does not become application code just because it has multiple files, a `lib/` folder, or root-level tests.
 - Move out of this lane only when the primary contract becomes imported behavior, service boundaries, or framework-owned flows.
 
 ## Script-specific guidance
+
 - Standalone tools should default to a dedicated folder or toolkit root, not a loose top-level `.py` file.
 - Keep entrypoints thin: parse arguments, resolve paths, orchestrate helpers, and return an exit code through `main() -> int` plus `raise SystemExit(main())`.
 - Prefer `argparse`, `pathlib.Path`, and small helper functions for operator-facing tools.
@@ -30,6 +33,7 @@ Follow `.github/instructions/internal-python.instructions.md` for the baseline P
 - Add machine-readable output such as `--format json` only when the tool has a real automation consumer. Keep text output as the default operator path.
 
 ## Dependency decision note
+
 When the instruction owner requires a dependency decision note, keep it short, for example:
 
 ```text
@@ -57,12 +61,14 @@ Keep these rules visible while drafting:
 - Mirror script or toolkit coverage under the repository-root `tests/` tree; do not create ad-hoc test folders beside the tool.
 
 ## Testing
+
 - Follow the repository pytest defaults from the instruction owner.
 - Use coverage reports to inspect missing behavior on touched code, not to force blanket 100% coverage.
 - For modify tasks: edit implementation first, run existing tests, then update tests only for intentional behavior changes.
 - Prefer existing repository commands such as `make lint`, `make test`, or a shared script runner before inventing a one-off validation path.
 
 ## Runtime guidance
+
 - Prefer direct, readable orchestration over framework-like structure.
 - Keep shared helpers local to the toolkit, not promoted into application-style layering without a real need.
 - Centralize repeated environment bootstrap in one shared runner instead of copying `.venv` and `pip install` logic into every wrapper.
@@ -89,6 +95,7 @@ Keep these rules visible while drafting:
 | Forcing async or framework abstractions into a simple tool | Raises complexity without improving the script | Keep the script synchronous and direct unless concurrency is essential |
 
 ## Validation
+
 - `python -m py_compile <script_name>.py` (syntax check)
 - `bash -n run.sh` (launcher syntax check, only when `run.sh` exists)
 - `pytest tests/` (run tests)
diff --git a/.github/skills/internal-terraform/SKILL.md b/.github/skills/internal-terraform/SKILL.md
index c15a964..53db7b9 100644
--- a/.github/skills/internal-terraform/SKILL.md
+++ b/.github/skills/internal-terraform/SKILL.md
@@ -6,6 +6,7 @@ description: Use when adding, refactoring, or reviewing Terraform or OpenTofu co
 # Terraform Skill
 
 ## When to use
+
 - Add or modify resources, variables, outputs, data sources in existing configurations.
 - Create a new reusable Terraform module from scratch.
 - Refactor inline resources into a module.
@@ -23,6 +24,7 @@ See `references/decision-guide.md` for the full decision flowchart. Quick rule:
 | One-off resource for a single environment | Feature (inline) |
 
 ## Mandatory rules
+
 - Follow `.github/instructions/internal-terraform.instructions.md` for provider and external module pinning.
 - Use `snake_case` for all Terraform identifiers.
 - Add `description` and `type` to every variable.
@@ -53,6 +55,7 @@ See `references/decision-guide.md` for the full decision flowchart. Quick rule:
 - When `variables.tf` or `outputs.tf` exist as dedicated files, keep entries deterministic and easy to scan, typically alphabetical by identifier.
 
 ## Module standard layout
+
 - `main.tf` — resources and data sources
 - `variables.tf` — input variables with `description` and `type`
 - `outputs.tf` — outputs with `description`
@@ -84,6 +87,7 @@ Load `references/template-examples.md` when you need a minimal inline feature ex
 | `default = ""` instead of `default = null` for optional strings | Empty string passes validation but means "no value" ambiguously | Use `null` for truly optional inputs |
 
 ## Validation
+
 - `terraform fmt -check -recursive`
 - `terraform validate`
 - Review `terraform plan` output for unexpected changes
diff --git a/.github/skills/internal-terraform/references/decision-guide.md b/.github/skills/internal-terraform/references/decision-guide.md
index 62d4a00..2bf905b 100644
--- a/.github/skills/internal-terraform/references/decision-guide.md
+++ b/.github/skills/internal-terraform/references/decision-guide.md
@@ -6,7 +6,7 @@
 
 ## Decision flowchart
 
-```
+```text
 Is this resource group reused across 2+ root configs or repos?
 ├── YES → Create a module
 │         ├── Define interface (variables.tf + outputs.tf)
@@ -23,12 +23,14 @@ Is this resource group reused across 2+ root configs or repos?
 ```
 
 ## Signals that inline is correct
+
 - Single environment or single root config only
 - Simple resource (S3 bucket, IAM role, security group)
 - No consumers outside the current project
 - The resource lifecycle is tightly coupled to its parent
 
 ## Signals that a module is correct
+
 - Same pattern appears in multiple environments with small parameter changes
 - The resource group has 5+ resources working together
 - Multiple teams or repositories need the same infrastructure pattern
@@ -36,6 +38,7 @@ Is this resource group reused across 2+ root configs or repos?
 - You need to enforce a standard interface across projects
 
 ## Anti-patterns
+
 - **Premature module**: Creating a module "just in case" with only one consumer → adds indirection without benefit
 - **God module**: A single module that provisions 20+ resources for an entire application → loses composability
 - **Leaky module**: Module exposes internal resource attributes instead of stable output contracts → consumers break on internal refactors
diff --git a/.markdownlint-cli2.jsonc b/.markdownlint-cli2.jsonc
index 6eefac4..d834061 100644
--- a/.markdownlint-cli2.jsonc
+++ b/.markdownlint-cli2.jsonc
@@ -4,6 +4,11 @@
   },
   "ignores": [
     "tmp/**",
+    // Ignore the local script venv because it is generated tooling state, not repo-owned content.
+    ".github/scripts/.venv/**",
+    // Preserve imported awesome-copilot instructions verbatim unless an explicit refresh or fork is requested.
+    ".github/instructions/awesome-copilot-*.instructions.md",
+    // Preserve imported support skill families verbatim by default; lint only repo-owned Markdown.
     ".github/skills/antigravity-*/**",
     ".github/skills/awesome-copilot-*/**",
     ".github/skills/obra-*/**",
diff --git a/Makefile b/Makefile
index 096cbe2..144b13b 100644
--- a/Makefile
+++ b/Makefile
@@ -19,7 +19,7 @@ python-version-check:
 scripts-bootstrap: python-version-check
 	@$(SCRIPTS_RUNNER) build_inventory --help >/dev/null
 
-lint: python-version-check
+lint: python-version-check docs-lint
 	@if [ -n "$(SHELL_SCRIPTS)" ]; then bash -n $(SHELL_SCRIPTS); else printf '%s\n' 'No Bash scripts to lint.'; fi
 	@if command -v shellcheck >/dev/null 2>&1; then shellcheck -s bash $(SHELL_SCRIPTS); else printf '%s\n' 'shellcheck not installed; skipping.'; fi
 	$(PYTHON) -m compileall $(PYTHON_PATHS)
diff --git a/tests/github/scripts/test_cli_entrypoints.py b/tests/github/scripts/test_cli_entrypoints.py
index 0329e96..c2a7165 100644
--- a/tests/github/scripts/test_cli_entrypoints.py
+++ b/tests/github/scripts/test_cli_entrypoints.py
@@ -115,6 +115,7 @@ def fake_run(command: list[str], cwd: Path, check: bool) -> SimpleNamespace:
         "test",
         "skill-lint",
         "catalog-check",
+        "docs-lint",
         "token-risks",
     ]
     assert (
diff --git a/tests/test_markdownlint_config.py b/tests/test_markdownlint_config.py
new file mode 100644
index 0000000..83c13d0
--- /dev/null
+++ b/tests/test_markdownlint_config.py
@@ -0,0 +1,32 @@
+from __future__ import annotations
+
+import json
+from pathlib import Path
+
+
+def read_markdownlint_config() -> dict[str, object]:
+    raw_text = Path(".markdownlint-cli2.jsonc").read_text(encoding="utf-8")
+    json_text = "\n".join(
+        line for line in raw_text.splitlines() if not line.lstrip().startswith("//")
+    )
+    return json.loads(json_text)
+
+
+def test_markdownlint_ignores_local_venv_and_preserved_upstream_assets() -> None:
+    config = read_markdownlint_config()
+    ignores = config["ignores"]
+
+    assert ".github/scripts/.venv/**" in ignores
+    assert ".github/instructions/awesome-copilot-*.instructions.md" in ignores
+    assert ".github/skills/antigravity-*/**" in ignores
+    assert ".github/skills/awesome-copilot-*/**" in ignores
+    assert ".github/skills/openai-*/**" in ignores
+    assert ".github/skills/obra-*/**" in ignores
+
+
+def test_markdownlint_config_documents_why_special_paths_are_ignored() -> None:
+    config_text = Path(".markdownlint-cli2.jsonc").read_text(encoding="utf-8")
+
+    assert "generated tooling state" in config_text
+    assert "Preserve imported awesome-copilot instructions verbatim" in config_text
+    assert "Preserve imported support skill families verbatim" in config_text
diff --git a/tests/test_validation_entrypoints_contract.py b/tests/test_validation_entrypoints_contract.py
new file mode 100644
index 0000000..9ba09b3
--- /dev/null
+++ b/tests/test_validation_entrypoints_contract.py
@@ -0,0 +1,23 @@
+from __future__ import annotations
+
+from pathlib import Path
+
+
+def read_text(relative_path: str) -> str:
+    return Path(relative_path).read_text(encoding="utf-8")
+
+
+def test_makefile_lint_target_covers_docs_lint_without_double_running_from_all() -> None:
+    makefile_text = read_text("Makefile")
+
+    assert "lint: python-version-check docs-lint" in makefile_text
+    assert "all: lint test catalog-check" in makefile_text
+    assert "all: lint test catalog-check docs-lint" not in makefile_text
+
+
+def test_github_catalog_validation_workflow_uses_canonical_wrapper_entrypoints() -> None:
+    workflow_text = read_text(".github/workflows/_github-catalog-validation.yml")
+
+    assert "bash ./.github/scripts/github_catalog_validation.sh --skip-token-risks" in workflow_text
+    assert "bash ./.github/scripts/github_catalog_validation.sh --token-risks-only" in workflow_text
+    assert "python ./.github/scripts/github_catalog_validation.py" not in workflow_text

From f80d06db4d7533a7f4b56e2e8d6b22932b8a03f6 Mon Sep 17 00:00:00 2001
From: Diego Mauricio Lagos <diego.lagosmorales@pagopa.it>
Date: Tue, 21 Apr 2026 23:38:28 +0200
Subject: [PATCH 4/6] refactor(tests): improve formatting of test function
 signatures for consistency

---
 tests/test_validation_entrypoints_contract.py | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

diff --git a/tests/test_validation_entrypoints_contract.py b/tests/test_validation_entrypoints_contract.py
index 9ba09b3..629778f 100644
--- a/tests/test_validation_entrypoints_contract.py
+++ b/tests/test_validation_entrypoints_contract.py
@@ -7,7 +7,9 @@ def read_text(relative_path: str) -> str:
     return Path(relative_path).read_text(encoding="utf-8")
 
 
-def test_makefile_lint_target_covers_docs_lint_without_double_running_from_all() -> None:
+def test_makefile_lint_target_covers_docs_lint_without_double_running_from_all() -> (
+    None
+):
     makefile_text = read_text("Makefile")
 
     assert "lint: python-version-check docs-lint" in makefile_text
@@ -15,9 +17,17 @@ def test_makefile_lint_target_covers_docs_lint_without_double_running_from_all()
     assert "all: lint test catalog-check docs-lint" not in makefile_text
 
 
-def test_github_catalog_validation_workflow_uses_canonical_wrapper_entrypoints() -> None:
+def test_github_catalog_validation_workflow_uses_canonical_wrapper_entrypoints() -> (
+    None
+):
     workflow_text = read_text(".github/workflows/_github-catalog-validation.yml")
 
-    assert "bash ./.github/scripts/github_catalog_validation.sh --skip-token-risks" in workflow_text
-    assert "bash ./.github/scripts/github_catalog_validation.sh --token-risks-only" in workflow_text
+    assert (
+        "bash ./.github/scripts/github_catalog_validation.sh --skip-token-risks"
+        in workflow_text
+    )
+    assert (
+        "bash ./.github/scripts/github_catalog_validation.sh --token-risks-only"
+        in workflow_text
+    )
     assert "python ./.github/scripts/github_catalog_validation.py" not in workflow_text

From ffb78a2dc8c2fa5048d124690659e78873d1f564 Mon Sep 17 00:00:00 2001
From: Diego Mauricio Lagos <diego.lagosmorales@pagopa.it>
Date: Tue, 21 Apr 2026 23:39:31 +0200
Subject: [PATCH 5/6] chore(template): remove markdownlint and PR title format
 comments for clarity

---
 .github/PULL_REQUEST_TEMPLATE.md | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md
index 5f20381..4325c7e 100644
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -1,8 +1,3 @@
-<!-- markdownlint-disable-file MD041 -->
-<!-- PR title format: <type>(<scope>): <summary> -->
-<!-- Examples: feat(skills): add reusable review workflow -->
-<!--           fix(workflows): tighten customization validation -->
-
 ## Description
 
 <!-- Describe what changed and why. -->

From 906f4aecd544788a8ff4225b2bf3871468bb1695 Mon Sep 17 00:00:00 2001
From: Diego Mauricio Lagos <diego.lagosmorales@pagopa.it>
Date: Tue, 21 Apr 2026 23:44:47 +0200
Subject: [PATCH 6/6] fix(template): correct header formatting in pull request
 template

---
 .github/PULL_REQUEST_TEMPLATE.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md
index 4325c7e..cc861aa 100644
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -1,4 +1,4 @@
-## Description
+# Description
 
 <!-- Describe what changed and why. -->