release: merge dev into main

openspec/CHANGE_ORDER.md

@@ -33,6 +33,7 @@
 | ✅ packaging-01-bundle-resource-payloads | archived 2026-04-05 |
 | ✅ module-bundle-deps-auto-install | archived 2026-04-05 |
 | ✅ governance-03-github-hierarchy-cache | archived 2026-04-09 |
+| ✅ marketplace-06-ci-module-signing | archived 2026-04-16; [#185](https://github.com/nold-ai/specfact-cli-modules/issues/185); paired core [specfact-cli#500](https://github.com/nold-ai/specfact-cli/issues/500) |
 
 ## Pending
 
@@ -85,18 +86,13 @@ These changes are the modules-side runtime companions to split core governance a
 
 These changes are the modules-side runtime companions to the five-pillar governance wave in `specfact-cli`. Core remains authoritative for schemas, scoring, resolution semantics, and shared report contracts; this repo owns the runnable bundle packages, manifests, and packaged tool integrations.
 
+**Most of this wave is paused.** The core counterparts for FinOps, knowledge, review-resiliency, security, and enterprise have been parked in `specfact-cli` (see [core PR #551](https://github.com/nold-ai/specfact-cli/pull/551)). The corresponding nine modules-side proposals have been moved to [`openspec/parking-lot/`](parking-lot/) until their core contracts are un-parked. See [`parking-lot/README.md`](parking-lot/README.md) for the full mapping and un-park triggers.
+
+The architecture pillar remains active because `architecture-02-well-architected-review` in core is gated (waiting on `architecture-01` to ship and be used for one cycle), not parked.
+
 | Module | Order | Change folder | GitHub # | Blocked by |
 |--------|-------|---------------|----------|------------|
-| telemetry + finops | 01 | finops-01-module-cost-outcome | [#223](https://github.com/nold-ai/specfact-cli-modules/issues/223) | Parent Epic: [#216](https://github.com/nold-ai/specfact-cli-modules/issues/216); Parent Feature: [#220](https://github.com/nold-ai/specfact-cli-modules/issues/220); core umbrella [specfact-cli#511](https://github.com/nold-ai/specfact-cli/issues/511); paired core changes `telemetry-01-opentelemetry-default-on` and `finops-01-telemetry-and-outcomes` |
-| knowledge | 02 | knowledge-01-module-memory-runtime | [#224](https://github.com/nold-ai/specfact-cli-modules/issues/224) | Parent Epic: [#216](https://github.com/nold-ai/specfact-cli-modules/issues/216); Parent Feature: [#221](https://github.com/nold-ai/specfact-cli-modules/issues/221); core umbrella [specfact-cli#511](https://github.com/nold-ai/specfact-cli/issues/511); paired core change `knowledge-01-distillation-engine`; uses default markdown-graph runtime |
-| review | 03 | review-resiliency-01-module | [#226](https://github.com/nold-ai/specfact-cli-modules/issues/226) | Parent Epic: [#216](https://github.com/nold-ai/specfact-cli-modules/issues/216); Parent Feature: [#217](https://github.com/nold-ai/specfact-cli-modules/issues/217); core umbrella [specfact-cli#511](https://github.com/nold-ai/specfact-cli/issues/511); paired core change `review-resiliency-01-contracts`; optional evidence hooks depend on `knowledge-01-module-memory-runtime` |
-| security | 03 | security-01-module-sast-sca-secret | [#227](https://github.com/nold-ai/specfact-cli-modules/issues/227) | Parent Epic: [#216](https://github.com/nold-ai/specfact-cli-modules/issues/216); Parent Feature: [#218](https://github.com/nold-ai/specfact-cli-modules/issues/218); core umbrella [specfact-cli#511](https://github.com/nold-ai/specfact-cli/issues/511); paired core change `security-01-unified-findings-model`; shared policy semantics from `policy-02-packs-and-modes` |
-| architecture | 03 | architecture-02-module-well-architected | [#230](https://github.com/nold-ai/specfact-cli-modules/issues/230) | Parent Epic: [#216](https://github.com/nold-ai/specfact-cli-modules/issues/216); Parent Feature: [#219](https://github.com/nold-ai/specfact-cli-modules/issues/219); core umbrella [specfact-cli#511](https://github.com/nold-ai/specfact-cli/issues/511); paired core change `architecture-02-well-architected-review`; boundary rules align with `ALLOWED_IMPORTS.md` |
-| security | 04 | security-02-module-license-compliance | [#228](https://github.com/nold-ai/specfact-cli-modules/issues/228) | Parent Epic: [#216](https://github.com/nold-ai/specfact-cli-modules/issues/216); Parent Feature: [#218](https://github.com/nold-ai/specfact-cli-modules/issues/218); core umbrella [specfact-cli#511](https://github.com/nold-ai/specfact-cli/issues/511); `security-01-module-sast-sca-secret`; paired core changes `security-01-unified-findings-model` and shared policy semantics |
-| security | 05 | security-03-module-pii-gdpr-eu | [#229](https://github.com/nold-ai/specfact-cli-modules/issues/229) | Parent Epic: [#216](https://github.com/nold-ai/specfact-cli-modules/issues/216); Parent Feature: [#218](https://github.com/nold-ai/specfact-cli-modules/issues/218); core umbrella [specfact-cli#511](https://github.com/nold-ai/specfact-cli/issues/511); `security-01-module-sast-sca-secret`; paired core changes `security-01-unified-findings-model` and `security-02-eu-gdpr-baseline` |
-| knowledge | 06 | knowledge-02-module-writeback | [#225](https://github.com/nold-ai/specfact-cli-modules/issues/225) | Parent Epic: [#216](https://github.com/nold-ai/specfact-cli-modules/issues/216); Parent Feature: [#221](https://github.com/nold-ai/specfact-cli-modules/issues/221); core umbrella [specfact-cli#511](https://github.com/nold-ai/specfact-cli/issues/511); `knowledge-01-module-memory-runtime`; paired core change `knowledge-02-preflight-context-assembly` |
-| enterprise | 09 | enterprise-01-module-policy-client | [#231](https://github.com/nold-ai/specfact-cli-modules/issues/231) | Parent Epic: [#216](https://github.com/nold-ai/specfact-cli-modules/issues/216); Parent Feature: [#222](https://github.com/nold-ai/specfact-cli-modules/issues/222); core umbrella [specfact-cli#511](https://github.com/nold-ai/specfact-cli/issues/511); paired core change `enterprise-01-policy-resolution-extension`; depends on prior five-pillar runtime bundles being available for policy application targets |
-| enterprise | 10 | enterprise-02-module-audit-client | [#232](https://github.com/nold-ai/specfact-cli-modules/issues/232) | Parent Epic: [#216](https://github.com/nold-ai/specfact-cli-modules/issues/216); Parent Feature: [#222](https://github.com/nold-ai/specfact-cli-modules/issues/222); core umbrella [specfact-cli#511](https://github.com/nold-ai/specfact-cli/issues/511); `enterprise-01-module-policy-client`; paired core change `enterprise-02-rbac-and-audit-trail` |
+| architecture | 03 | architecture-02-module-well-architected | [#230](https://github.com/nold-ai/specfact-cli-modules/issues/230) | Parent Epic: [#216](https://github.com/nold-ai/specfact-cli-modules/issues/216); Parent Feature: [#219](https://github.com/nold-ai/specfact-cli-modules/issues/219); core umbrella [specfact-cli#511](https://github.com/nold-ai/specfact-cli/issues/511); paired core change `architecture-02-well-architected-review` (gated on `architecture-01-solution-layer` shipping + 1 usage cycle); boundary rules align with `ALLOWED_IMPORTS.md` |
 
 ### Code review and sidecar validation improvements
 
@@ -105,12 +101,6 @@ These changes are the modules-side runtime companions to the five-pillar governa
 | code-review + codebase | 01 | code-review-bug-finding-and-sidecar-venv-fix | [#174](https://github.com/nold-ai/specfact-cli-modules/issues/174) | Parent Feature: [#175](https://github.com/nold-ai/specfact-cli-modules/issues/175); Epic: [#162](https://github.com/nold-ai/specfact-cli-modules/issues/162) |
 | codebase + project-runtime | 02 | codebase-import-runtime-hardening | [#235](https://github.com/nold-ai/specfact-cli-modules/issues/235) | Parent Feature: [#234](https://github.com/nold-ai/specfact-cli-modules/issues/234); Epic: [#162](https://github.com/nold-ai/specfact-cli-modules/issues/162); no known blockers |
 
-### Module trust chain and CI security
-
-| Module | Order | Change folder | GitHub # | Blocked by |
-|--------|-------|---------------|----------|------------|
-| marketplace | 06 | marketplace-06-ci-module-signing | [#185](https://github.com/nold-ai/specfact-cli-modules/issues/185) | Parent Feature: [#187](https://github.com/nold-ai/specfact-cli-modules/issues/187); Parent Epic: [#186](https://github.com/nold-ai/specfact-cli-modules/issues/186); paired core [specfact-cli#500](https://github.com/nold-ai/specfact-cli/issues/500) |
-
 ### Documentation restructure
 
 | Module | Order | Change folder | GitHub # | Blocked by |
@@ -127,4 +117,4 @@ These changes are the modules-side runtime companions to the five-pillar governa
 
 | Module | Order | Change folder | GitHub # | Blocked by |
 |--------|-------|---------------|----------|------------|
-| peer-deps | 01 | ✅ module-bundle-deps-auto-install (archived 2026-04-05) | [#135](https://github.com/nold-ai/specfact-cli-modules/issues/135) | — |
+| peer-deps | 01 | ✅ module-bundle-deps-auto-install (archived 2026-04-05) | [#135](https://github.com/nold-ai/specfact-cli-modules/issues/135) | — |

openspec/parking-lot/README.md

@@ -0,0 +1,59 @@
+# Parking Lot (modules side)
+
+These module-runtime change proposals are **paused, not abandoned**, because
+their core-side counterparts in `nold-ai/specfact-cli` have been parked. A
+module runtime cannot land before the core contracts it implements, so these
+nine proposals are pinned to whatever signal un-parks the core side.
+
+For background and the parent triage rationale, see:
+
+- Core PR: <https://github.com/nold-ai/specfact-cli/pull/551>
+- Core parking-lot README: <https://github.com/nold-ai/specfact-cli/blob/ba944021c0b186698658cdde6ed9a7776eff05a0/openspec/parking-lot/README.md>
+
+## Restoration policy
+
+A modules-side proposal can be returned to `openspec/changes/` only after:
+
+1. The core counterpart has itself been un-parked (i.e. moved back into
+   `nold-ai/specfact-cli/openspec/changes/`).
+2. The current core API surface has been re-validated against this module's
+   proposal — six months of drift may have invalidated assumptions.
+3. The directory is moved back under `openspec/changes/` here, and
+   `openspec validate <change-id>` passes.
+
+## Contents and un-park triggers
+
+| Modules change | Paired core change | GH issue | Un-park trigger |
+|---|---|---|---|
+| `enterprise-01-module-policy-client` | `enterprise-01-policy-resolution-extension` | [#231](https://github.com/nold-ai/specfact-cli-modules/issues/231) | Core enterprise-01 un-parked |
+| `enterprise-02-module-audit-client` | `enterprise-02-rbac-and-audit-trail` | [#232](https://github.com/nold-ai/specfact-cli-modules/issues/232) | Core enterprise-02 un-parked |
+| `finops-01-module-cost-outcome` | `finops-01-telemetry-and-outcomes` | [#223](https://github.com/nold-ai/specfact-cli-modules/issues/223) | Core finops-01 un-parked |
+| `knowledge-01-module-memory-runtime` | `knowledge-01-distillation-engine` | [#224](https://github.com/nold-ai/specfact-cli-modules/issues/224) | Core knowledge-01 un-parked |
+| `knowledge-02-module-writeback` | `knowledge-02-preflight-context-assembly` | [#225](https://github.com/nold-ai/specfact-cli-modules/issues/225) | Core knowledge-02 un-parked |
+| `review-resiliency-01-module` | `review-resiliency-01-contracts` | [#226](https://github.com/nold-ai/specfact-cli-modules/issues/226) | Core review-resiliency-01 un-parked |
+| `security-01-module-sast-sca-secret` | `security-01-unified-findings-model` | [#227](https://github.com/nold-ai/specfact-cli-modules/issues/227) | Core security-01 un-parked |
+| `security-02-module-license-compliance` | `security-01-unified-findings-model` (license findings aspect) | [#228](https://github.com/nold-ai/specfact-cli-modules/issues/228) | Core security-01 un-parked |
+| `security-03-module-pii-gdpr-eu` | `security-02-eu-gdpr-baseline` (GDPR aspect) | [#229](https://github.com/nold-ai/specfact-cli-modules/issues/229) | Core security-02 un-parked |
+
+## Not parked here (still active)
+
+The following modules-side proposals remain in `openspec/changes/` because
+their core counterparts are still active or in the core repo's modify queue:
+
+- `architecture-01-solution-layer` *(paired core: active)*
+- `architecture-02-module-well-architected` *(paired core: gated, not parked)*
+- `requirements-02-module-commands`, `requirements-03-backlog-sync`
+- `traceability-01-index-and-orphans`, `validation-02-full-chain-engine`
+- `governance-01-evidence-output`, `governance-02-exception-management`
+- `policy-02-packs-and-modes`, `sync-01-unified-kernel`,
+  `ceremony-02-requirements-aware-output`
+- `openspec-01-intent-trace` *(paired core: in modify queue, will be trimmed)*
+- All `backlog-*` and `docs-*` changes
+- `codebase-import-runtime-hardening`, `project-runtime-01-safe-artifact-write-policy`
+
+## Completed / awaiting archive
+
+- `marketplace-07-pr-auto-sign-updates`
+
+The core marketplace-06 work (`marketplace-06-ci-module-signing`) was already
+archived here on 2026-04-16 — no parking action needed.