feat(skills/update-stack): block on undeclared drift vs upstream

[PierreBrisorgueil]

Summary

• Adds gate 3ter to Phase 1 of /update-stack (after /verify passes, before Phase 2): diffs each stack-module non-test file against devkit-node/master; any divergence not declared in DOWNSTREAM_PATCHES.md causes exit 1 with a clear fix message
• Missing DOWNSTREAM_PATCHES.md = no declared divergences allowed (treated as empty)
• config/defaults/<project>.config.js is auto-skipped (absent from devkit → upstream_blob empty)

Why

A 2026-05-30 audit of comes-io/trawl_node found 3 architectural violations + 9 promote-up candidates in stack-managed modules (auth, users, billing, lib). These accumulated silently over weeks because /update-stack had no gate — ISO merge could pass with --theirs resolving conflicts while downstream-committed changes in shared modules sailed through undetected.

This gate enforces the "no dev in shared modules" rule at the only moment it can be enforced mechanically: when the downstream actually runs /update-stack.

Gate test output (fake-drift exercise on trawl_node)

Block path (undeclared drift — exit 1):

BLOCK: undeclared drift on stack file: lib/helpers/guides.js
  Fix A — revert to upstream:  git checkout devkit-node/master -- lib/helpers/guides.js
  Fix B — declare it:          add 'lib/helpers/guides.js' + rationale to DOWNSTREAM_PATCHES.md
BLOCK: undeclared drift on stack file: lib/services/express.js
  ...
BLOCK: undeclared drift on stack file: modules/tasks/doc/tasks.yml
  ...
EXIT 1 — gate blocked as expected

Pass path (all diverging files declared in ledger — exit 0):

OK (declared): lib/helpers/guides.js
OK (declared): lib/services/express.js
OK (declared): modules/auth/controllers/auth.controller.js
OK (declared): modules/tasks/doc/tasks.yml
3ter: no undeclared drift — OK (EXIT 0)

Note: the 3 real blocking files (lib/helpers/guides.js, lib/services/express.js, modules/tasks/doc/tasks.yml) are genuine pre-existing drift in trawl_node — Task E.1 (ledger bootstrap) will resolve them by declaring or reverting each one.

Complement

• E.1: DOWNSTREAM_PATCHES.md ledger convention (downstreams must create ledger before first /update-stack with this gate)
• E.3: PRF Phase 0.5 gate — catches drift at PR time (complement; this gate catches it at sync time)
• E.6: memory feedback_no_dev_in_shared_modules

Closes #3759 — plan 2026-05-30-trawl-devkit-perfect-alignment.md Task E.2

Summary by CodeRabbit

• Documentation
  • Added documentation for a new validation gate that detects and blocks undeclared drift in stack files by comparing against upstream sources. The gate skips downstream-only files and test files, providing clear guidance when issues are found.

[coderabbitai]

Warning

Review limit reached

@PierreBrisorgueil, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 54 minutes and 44 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 67e41dc2-0f76-4382-9b8f-4b04cf6ac417

📥 Commits

Reviewing files that changed from the base of the PR and between 8a6a1cb and 9d91546.

📒 Files selected for processing (1)

• .claude/skills/update-stack/SKILL.md

Walkthrough

This PR adds documentation for a new Phase 1 verification gate that blocks Phase 2 execution if any stack file differs from upstream without being declared in DOWNSTREAM_PATCHES.md. The gate compares local and upstream blob hashes, skips downstream-only and test files, and provides blocking guidance when undeclared drift is detected.

Changes

Undeclared Drift Gate Documentation

Layer / File(s)	Summary
Phase 1 undeclared drift gate specification .claude/skills/update-stack/SKILL.md	Documented the "3ter" gate that compares local stack files against upstream devkit-node/master by blob hash after /verify passes and before Phase 2. The gate blocks if any drifted file is not listed in DOWNSTREAM_PATCHES.md, skips files missing upstream and test/spec JS files, and documents explicit rules for handling missing patch declarations and downstream-only config files.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Possibly related issues

• pierreb-devkit/Node#3759: Directly addresses the same "block on undeclared drift vs upstream" Phase 1 gate in update-stack/SKILL.md.
• pierreb-devkit/Vue#4227: Adds the same "3ter" Phase 1 gate to the equivalent Vue devkit SKILL.md.

Possibly related PRs

• pierreb-devkit/Node#3177: Introduced the two-phase verification workflow in update-stack/SKILL.md that this PR's undeclared drift gate builds upon.

Suggested labels

Chore

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Description check	❓ Inconclusive	The description is comprehensive and well-structured with Summary, Why, and test output sections; however, it deviates significantly from the required template structure with missing Scope, Validation, and Guardrails sections.	Restructure the description to match the template: add Scope (modules impacted, cross-module impact, risk level), Validation section with checklist items, and Guardrails section addressing secrets, renames, merge-friendliness, and tests.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically describes the main change: adding a gate to block undeclared drift against upstream in the update-stack skill.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/update-stack-undeclared-drift-gate

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Copilot]

Pull request overview

Adds a new “3ter” gate to the /update-stack skill documentation to block Phase 2 when stack-managed files drift from devkit-node/master without being declared in DOWNSTREAM_PATCHES.md, strengthening enforcement of ISO alignment before project-specific work begins.

Changes:

• Introduces “3ter. Block on undeclared drift” (post-/verify, pre-Phase 2) with a bash sweep that checks stack paths for upstream divergence.
• Defines operational rules around missing DOWNSTREAM_PATCHES.md and auto-skipping downstream-only project config files.

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.claude/skills/update-stack/SKILL.md:
- Around line 111-112: The gate currently lists "modules/billing" in the git
ls-files filter but the declared stack module set in SKILL.md only includes
"home/auth/users/tasks/uploads" (references to the stack module declarations
around the top and the module list). Either remove "modules/billing" from the
done < <(git ls-files ...) command or add "billing" to the declared stack
modules list so the gate and the module declarations match; update the module
list in the doc to include "billing" if that module should be stack-managed, or
remove it from the gate if it should be excluded.
- Line 112: The current grep pipeline line that excludes test files ("| grep -v
\"/tests/\" | grep -vE \"\\.(test|spec)\\.js$\"") is too narrow; update it to
also exclude common test directories like "__tests__" and common test file
extensions (.test/.spec with js, jsx, ts, tsx). Replace the two filters with
broader exclusions that drop "/tests/" and "/__tests__/" and use a single
extended regex to filter "\.(test|spec)\.(js|jsx|ts|tsx)$" so files like
"foo.test.tsx" and directories "__tests__" are ignored.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: a5636a60-c6f8-4dca-b33c-b9818efab3c2

📥 Commits

Reviewing files that changed from the base of the PR and between 0a9db27 and 8a6a1cb.

📒 Files selected for processing (1)

• .claude/skills/update-stack/SKILL.md

Stale review — findings addressed in commits 3829536 (billing declared + test exclusion broadened) and 9d91546 (billing added to header + conflict table). CR rate-limited, cannot re-review.