feat(core-domain): GT-377 AC-3 — ESLint stateless-Core *Repository guard + CI gate

.github/workflows/ci-cd.yml

@@ -61,6 +61,13 @@ jobs:
       - name: Install dependencies
         run: npm ci
 
+      # GT-377 AC-3: stateless-Core architecture boundary guard. Fails the build
+      # if a *Repository for product/initiative/evidence/decision appears in
+      # core-domain (Core is a stateless Evaluation Engine — those are context,
+      # not entities — per ADR-0101), and enforces the inner-layer import rules.
+      - name: Run core-domain architecture boundary guard (GT-377)
+        run: npm run lint:boundaries --workspace @evolith/core-domain
+
       # GT-382 follow-up: the core-domain OPA integration test loads the real
       # compiled policy.wasm. Build it (pinned opa toolchain) so the test runs
       # end-to-end; it self-skips if the artifact is absent.

packages/core-domain/eslint.config.mjs

@@ -0,0 +1,117 @@
+// @ts-check
+/**
+ * ESLint flat config for @evolith/core-domain (ESLint 9+).
+ *
+ * Migrated from the legacy `.eslintrc.js` + `--no-eslintrc` invocation, which is
+ * incompatible with ESLint 9 (the `--no-eslintrc` flag was removed and the legacy
+ * eslintrc loader broke eslint-plugin-boundaries with "Cannot set properties of
+ * undefined (setting defaultMeta)").
+ *
+ * Enforces two architectural guards:
+ *
+ *  1. Layer boundaries — core-domain is a pure inner package. Imports may only
+ *     flow inward across the layer hierarchy:
+ *
+ *       common / types
+ *         └─ domain        (entities, value objects, domain services)
+ *             └─ application (use cases)
+ *                 └─ infrastructure (adapters)
+ *
+ *  2. Stateless Core (GT-377 / ADR-0101) — Core is a stateless Evaluation Engine.
+ *     `product` / `initiative` / `evidence` / `decision` are CONTEXT, never
+ *     persisted entities, so a `*Repository` for any of them must NEVER appear in
+ *     this package. The `no-restricted-syntax` rule below fails the build (and CI)
+ *     if such an identifier is declared, imported, or referenced.
+ */
+import boundaries from 'eslint-plugin-boundaries';
+import tseslint from 'typescript-eslint';
+// Shared (CommonJS) so the negative regression test enforces the EXACT same rule.
+import guards from './eslint.guards.cjs';
+
+const { STATELESS_CORE_REPOSITORY_BAN } = guards;
+
+export default tseslint.config(
+  {
+    ignores: [
+      'dist/**',
+      'coverage/**',
+      'node_modules/**',
+      '**/*.js',
+      '**/*.cjs',
+      '**/*.mjs',
+    ],
+  },
+  {
+    files: ['src/**/*.ts'],
+    plugins: {
+      '@typescript-eslint': tseslint.plugin,
+      boundaries,
+    },
+    languageOptions: {
+      parser: tseslint.parser,
+      ecmaVersion: 2022,
+      sourceType: 'module',
+    },
+    settings: {
+      'boundaries/elements': [
+        { type: 'common', pattern: 'src/common/**/*' },
+        { type: 'domain', pattern: 'src/domain/**/*' },
+        { type: 'application', pattern: 'src/application/**/*' },
+        { type: 'infrastructure', pattern: 'src/infrastructure/**/*' },
+        { type: 'gates', pattern: 'src/gates/**/*' },
+        { type: 'phases', pattern: 'src/phases/**/*' },
+        { type: 'tenancy', pattern: 'src/tenancy/**/*' },
+        { type: 'providers', pattern: 'src/providers/**/*' },
+        { type: 'evidence', pattern: 'src/evidence/**/*' },
+        { type: 'evaluation', pattern: 'src/evaluation/**/*' },
+      ],
+      'boundaries/ignore': ['src/**/*.spec.ts', 'src/**/*.test.ts'],
+    },
+    rules: {
+      '@typescript-eslint/no-explicit-any': 'warn',
+
+      'boundaries/element-types': [
+        'error',
+        {
+          default: 'disallow',
+          rules: [
+            // common: no internal imports
+            { from: 'common', allow: [] },
+
+            // domain: innermost — only common
+            { from: 'domain', allow: ['domain', 'common'] },
+
+            // application: use cases — domain + common
+            { from: 'application', allow: ['application', 'domain', 'common'] },
+
+            // infrastructure: adapters — can use all inner layers
+            {
+              from: 'infrastructure',
+              allow: ['infrastructure', 'application', 'domain', 'common'],
+            },
+
+            // gates/phases/tenancy/providers/evidence: cross-cutting within this package
+            { from: 'gates', allow: ['gates', 'domain', 'application', 'common'] },
+            { from: 'phases', allow: ['phases', 'domain', 'application', 'common'] },
+            { from: 'tenancy', allow: ['tenancy', 'domain', 'common'] },
+            {
+              from: 'providers',
+              allow: ['providers', 'infrastructure', 'domain', 'common'],
+            },
+            { from: 'evidence', allow: ['evidence', 'domain', 'application', 'common'] },
+
+            // evaluation: stateless Core Evaluation Engine (GT-377/ADR-0101) —
+            // canonical contracts + orchestrator; composes domain + application.
+            {
+              from: 'evaluation',
+              allow: ['evaluation', 'domain', 'application', 'common'],
+            },
+          ],
+        },
+      ],
+
+      // Stateless-Core guard (GT-377 AC-3 / ADR-0101): no business-entity repositories.
+      'no-restricted-syntax': ['error', STATELESS_CORE_REPOSITORY_BAN],
+    },
+  },
+);

packages/core-domain/eslint.guards.cjs

@@ -0,0 +1,29 @@
+'use strict';
+
+/**
+ * Architecture guards shared between the ESLint flat config (`eslint.config.mjs`)
+ * and the regression test (`stateless-core-repository.guard.spec.ts`), so both
+ * enforce the EXACT same rule — single source of truth for GT-377 AC-3.
+ *
+ * CommonJS on purpose: the `.mjs` config imports it statically and the ts-jest
+ * (CommonJS) test `require`s it, with no ESM/dynamic-import interop hazard.
+ */
+
+/**
+ * Bans any identifier shaped like a repository for a business entity that Core
+ * treats as pure context (GT-377 / ADR-0101 — Core is a stateless Evaluation
+ * Engine). Matches declarations, imports and type references such as
+ * `ProductRepository`, `IInitiativeRepository`, `EvidenceRepositoryPort`,
+ * `InMemoryDecisionRepository`, … while leaving legitimate infrastructure
+ * repositories (`AuditRepository`, `SubscriptionRepository`, `DeliveryRepository`)
+ * untouched.
+ *
+ * @type {{ selector: string, message: string }}
+ */
+const STATELESS_CORE_REPOSITORY_BAN = {
+  selector: 'Identifier[name=/(Product|Initiative|Evidence|Decision)Repository/]',
+  message:
+    'GT-377/ADR-0101: Core is a stateless Evaluation Engine. product/initiative/evidence/decision are context, not entities — a *Repository for them must not appear in core-domain.',
+};
+
+module.exports = { STATELESS_CORE_REPOSITORY_BAN };

packages/core-domain/package.json

@@ -70,7 +70,7 @@
   },
   "scripts": {
     "build": "tsc",
-    "lint:boundaries": "eslint \"src/**/*.ts\" --no-eslintrc -c .eslintrc.js",
+    "lint:boundaries": "eslint \"src/**/*.ts\"",
     "test": "jest --config jest.config.js --runInBand",
     "test:cov": "jest --config jest.config.js --runInBand --coverage",
     "test:e2e": "jest --config jest.e2e.config.js --runInBand"

packages/core-domain/src/evaluation/stateless-core-repository.guard.spec.ts

@@ -0,0 +1,104 @@
+/**
+ * GT-377 AC-3 — architecture guard regression test.
+ *
+ * Asserts that the stateless-Core repository ban actually fails when a
+ * `*Repository` for a business entity that Core treats as pure context
+ * (product / initiative / evidence / decision) appears — and, crucially, does
+ * NOT fire for legitimate infrastructure repositories. This is the negative test
+ * proving the guard from `gap-reference-catalog.md` "#### GT-377" AC-3 ("ESLint
+ * boundary guard fails CI if a `*Repository` for product/initiative/evidence/
+ * decision appears") is wired and effective, not merely declared.
+ *
+ * It exercises the SAME rule object that ships in `eslint.config.mjs` by
+ * importing it from the shared `eslint.guards.cjs` (single source of truth), and
+ * runs it through ESLint's synchronous flat-config `Linter` — no config-file
+ * dynamic import, so it is jest/ts-jest safe.
+ *
+ * The banned identifiers below live ONLY inside string literals (lint input),
+ * never as real code, so this spec itself stays green under `lint:boundaries`.
+ */
+import { Linter } from 'eslint';
+
+// require (not import) so the runtime object matches what ESLint expects, free of
+// ts-jest ESM-interop wrapping (`@typescript-eslint/parser` sets `__esModule`).
+const tsParser = require('@typescript-eslint/parser') as Linter.Parser;
+const { STATELESS_CORE_REPOSITORY_BAN } = require('../../eslint.guards.cjs') as {
+  STATELESS_CORE_REPOSITORY_BAN: { selector: string; message: string };
+};
+
+const GUARD_RULE = 'no-restricted-syntax';
+
+const linter = new Linter({ configType: 'flat' });
+
+function guardErrors(code: string): string[] {
+  const messages = linter.verify(code, {
+    languageOptions: {
+      parser: tsParser,
+      ecmaVersion: 2022,
+      sourceType: 'module',
+    },
+    rules: {
+      [GUARD_RULE]: ['error', STATELESS_CORE_REPOSITORY_BAN],
+    },
+  });
+  return messages
+    .filter((m) => m.ruleId === GUARD_RULE && m.severity === 2)
+    .map((m) => m.message);
+}
+
+describe('GT-377 AC-3 — stateless-Core repository guard', () => {
+  const BANNED_ENTITIES = ['Product', 'Initiative', 'Evidence', 'Decision'];
+
+  it.each(BANNED_ENTITIES)(
+    'FAILS when a %sRepository is imported and referenced',
+    (entity) => {
+      const code = [
+        `import { ${entity}Repository } from '../infrastructure/persistence';`,
+        `export function use(repo: ${entity}Repository): void { void repo; }`,
+        '',
+      ].join('\n');
+
+      const errors = guardErrors(code);
+
+      expect(errors.length).toBeGreaterThan(0);
+      expect(errors.every((m) => m.includes('GT-377'))).toBe(true);
+    },
+  );
+
+  it.each(BANNED_ENTITIES)(
+    'FAILS when a %sRepository interface is declared inline',
+    (entity) => {
+      const code = `export interface ${entity}Repository { findById(id: string): unknown; }\n`;
+
+      const errors = guardErrors(code);
+
+      expect(errors.length).toBeGreaterThan(0);
+    },
+  );
+
+  it.each([
+    'AuditRepository',
+    'SubscriptionRepository',
+    'DeliveryRepository',
+    'createRepository',
+    'getRepository',
+  ])('does NOT flag the legitimate identifier %s (no false positive)', (ident) => {
+    const code = [
+      `import { ${ident} } from '../infrastructure/persistence';`,
+      `export const ref = ${ident};`,
+      '',
+    ].join('\n');
+
+    expect(guardErrors(code)).toEqual([]);
+  });
+
+  it('produces zero guard errors for a clean evaluation module', () => {
+    const code = [
+      "import type { EvaluationContext } from './contracts';",
+      'export function evaluate(ctx: EvaluationContext): EvaluationContext { return ctx; }',
+      '',
+    ].join('\n');
+
+    expect(guardErrors(code)).toEqual([]);
+  });
+});

reference/governance/standards/vision/gap-reference-catalog.es.md

@@ -56,7 +56,7 @@ Este catálogo explica cada gap: problema, propósito, evidencia, criterios de c
 - **Criterios de aceptación:**
   - [x] `evaluation-context.schema.json` / `evaluation-result.schema.json` validan round-trip; `schemaVersion` obligatorio.
   - [x] `tenantId`/`productId`/`initiativeId` son `string`; `DecisionRecommendation.binding` literal `false`.
-  - [ ] Guard ESLint falla el CI si aparece un `*Repository` de producto/iniciativa/evidencia/decisión.
+  - [x] Guard ESLint falla el CI si aparece un `*Repository` de producto/iniciativa/evidencia/decisión. **(MET — Oleada 2026-06-29)** `packages/core-domain/eslint.config.mjs` (flat config, ESLint 9) prohíbe `Identifier[name=/(Product|Initiative|Evidence|Decision)Repository/]` vía `no-restricted-syntax` (regla compartida desde `eslint.guards.cjs`); gateado por el step `Run core-domain architecture boundary guard (GT-377)` en `ci-cd.yml` (`test-core-domain`); test de regresión negativo `src/evaluation/stateless-core-repository.guard.spec.ts` (14 casos) prueba que dispara en las cuatro entidades prohibidas y nunca en `*Repository` legítimo (`AuditRepository`, `createRepository`, …). La rotura previa (override global `ajv:8.17.1` en conflicto con el dep directo `ajv:8.20.0` de los workspaces, dejando a `eslint`/`@eslint/eslintrc` sin `ajv@6`) se corrige con `overrides` acotados en el `package.json` raíz.
 - **Dependencias:** `GT-376`.
 
 #### GT-378

reference/governance/standards/vision/gap-reference-catalog.md

@@ -56,7 +56,7 @@ This catalog explains each gap: problem, purpose, evidence, closure criteria, an
 - **Acceptance criteria:**
   - [x] `evaluation-context.schema.json` / `evaluation-result.schema.json` validate round-trip; `schemaVersion` mandatory.
   - [x] `tenantId`/`productId`/`initiativeId` are `string`; `DecisionRecommendation.binding` literal `false`.
-  - [ ] ESLint boundary guard fails CI if a `*Repository` for product/initiative/evidence/decision appears.
+  - [x] ESLint boundary guard fails CI if a `*Repository` for product/initiative/evidence/decision appears. **(MET — Wave 2026-06-29)** `packages/core-domain/eslint.config.mjs` (flat config, ESLint 9) bans `Identifier[name=/(Product|Initiative|Evidence|Decision)Repository/]` via `no-restricted-syntax` (rule shared from `eslint.guards.cjs`); gated by the `Run core-domain architecture boundary guard (GT-377)` step in `ci-cd.yml` (`test-core-domain`); negative regression test `src/evaluation/stateless-core-repository.guard.spec.ts` (14 cases) proves it fires on the four banned entities and never on legit `*Repository` (`AuditRepository`, `createRepository`, …). The prior breakage (global `ajv:8.17.1` override conflicting with workspaces' direct `ajv:8.20.0`, starving `eslint`/`@eslint/eslintrc` of `ajv@6`) is fixed with scoped `overrides` in the root `package.json`.
 - **Dependencies:** `GT-376`.
 
 #### GT-378