feat: gitignore consistency check and delta re-audit orchestrator (v1.1.6)

Author: saiganakato

CHANGELOG.md

@@ -4,6 +4,25 @@ All notable changes to this regulation shelf are documented here.
 
 The detailed shelf changelog lives in `regulation/shelf/SHELF_CHANGELOG.md`.
 
+## [1.1.6] - 2026-06-17
+
+### Added
+
+- `scripts/check-gitignore-consistency.*` — tracked vs `.gitignore` index checks (`G-04`)
+- `scripts/run-delta-audit.*` — delta re-audit orchestrator per `RE_AUDIT_POLICY.md`
+- `regulation/reference/GITIGNORE_CONSISTENCY.md`
+- `templates/delta-audit-record.md.template`
+
+### Changed
+
+- `collect-audit-evidence.*` includes gitignore consistency output
+- `OUTPUT_PATHS.md` documents `delta-audit-record.md`
+
+### Fixed
+
+- `run-delta-audit.*` sensitive-path detection uses `--name-only` (Windows `Mpath` format)
+- `run-delta-audit.*` `Open Blockers: 0` no longer false-positive invalidates delta
+
 ## [1.1.5] - 2026-06-17
 
 ### Added

README.md

@@ -44,6 +44,10 @@ Orchestrator: `scripts/run-full-audit.*` (shelf validate + scaffold + evidence)
 
 Tracked-file screening: `scripts/check-tracked-files.*` (flags unnecessary `git ls-files` entries)
 
+Gitignore consistency: `scripts/check-gitignore-consistency.*` (tracked vs ignore rules)
+
+Delta re-audit: `scripts/run-delta-audit.*` (changed-file scope per `RE_AUDIT_POLICY.md`)
+
 Optional accelerators: `scripts/`, `audit.manifest.yml` in target repo
 
 Human role: optional publication approval, not default command execution.

regulation/REGULATION_INDEX.md

@@ -40,6 +40,7 @@ Completeness proof: `regulation/REGULATION_COMPLETENESS.md`
 
 - `regulation/reference/REPO_CONTENT_CLASSIFICATION.md`
 - `regulation/reference/TRACKED_FILE_SCREENING.md`
+- `regulation/reference/GITIGNORE_CONSISTENCY.md`
 - `regulation/reference/TOOL_VERIFICATION_MATRIX.md`
 - `regulation/reference/TOOL_REVIEW_CADENCE.md`
 - `regulation/reference/EVIDENCE_COMMANDS.md`
@@ -86,11 +87,16 @@ Completeness proof: `regulation/REGULATION_COMPLETENESS.md`
 - `templates/tier2-defer-record.md.template`
 - `templates/accepted-risk-record.md.template`
 - `templates/audit.manifest.yml.template`
+- `templates/delta-audit-record.md.template`
 
 ### Automation scripts
 
 - `scripts/check-tracked-files.ps1`
 - `scripts/check-tracked-files.sh`
+- `scripts/check-gitignore-consistency.ps1`
+- `scripts/check-gitignore-consistency.sh`
+- `scripts/run-delta-audit.ps1`
+- `scripts/run-delta-audit.sh`
 - `scripts/collect-audit-evidence.ps1`
 - `scripts/collect-audit-evidence.sh`
 - `scripts/run-audit-quickstart.ps1`

regulation/execution/RE_AUDIT_POLICY.md

@@ -67,7 +67,19 @@ git ls-files --others --exclude-standard
 - every file referenced by changed gates in the prior report
 - every file in the dependency cone of changed runtime or workflow paths
 
-5. Re-run machine evidence (`scripts/collect-audit-evidence.*`)
+Preferred orchestrator:
+
+```powershell
+& "$Shelf/scripts/run-delta-audit.ps1" -RepoPath <repo> -HostedRepo owner/repo -AuditSlug <slug> -AuditMode release
+```
+
+```bash
+"$Shelf/scripts/run-delta-audit.sh" <repo> owner/repo release <slug>
+```
+
+The orchestrator writes `audits/<slug>/delta-audit-record.md` and runs machine evidence.
+
+5. Re-run machine evidence (`scripts/collect-audit-evidence.*`) when not using `run-delta-audit.*`
 6. Re-score every gate row affected by the change set
 7. Copy forward unchanged gate rows only when evidence still applies and assigner allows carry-forward
 

regulation/reference/GITIGNORE_CONSISTENCY.md

@@ -0,0 +1,48 @@
+# Gitignore Consistency
+
+Status: Active
+
+## Purpose
+
+Detect mismatch between `.gitignore` rules and what Git still tracks.
+
+Supports `G-04` and complements `scripts/check-tracked-files.*`.
+
+## Script
+
+```powershell
+& "$Shelf/scripts/check-gitignore-consistency.ps1" -RepoPath <target-repo>
+```
+
+```bash
+"$Shelf/scripts/check-gitignore-consistency.sh" <target-repo>
+```
+
+`collect-audit-evidence.*` runs this automatically.
+
+## Checks
+
+| Check | Severity | Meaning |
+|---|---|---|
+| tracked-but-ignored | blocked | path is in the index but matches `.gitignore` (`git ls-files -ci --exclude-standard`) |
+| missing-recommended-rule | review | `templates/gitignore.public-prep.template` pattern absent from `.gitignore` |
+| no-gitignore | review | repository has no `.gitignore` at root |
+
+## Fix Guidance
+
+Tracked-but-ignored rows usually need:
+
+```bash
+git rm --cached <path>
+```
+
+Then confirm the path stays ignored locally.
+
+## Gate Mapping
+
+| Gate | Role |
+|---|---|
+| G-04 | proves ignore boundaries are enforced in the index |
+| G-03 | complements developer-only screening |
+
+Read: `regulation/reference/TRACKED_FILE_SCREENING.md`

regulation/shelf/OUTPUT_PATHS.md

@@ -17,6 +17,7 @@ Replace `<slug>` with the audited repository slug (`adop`, `veil`, etc.):
 | Artifact | Path |
 |---|---|
 | audit report | `audits/<slug>/audit-report.md` |
+| delta audit record | `audits/<slug>/delta-audit-record.md` |
 | publication decision record | `audits/<slug>/publication-decision-record.md` |
 | Tier 2 defer record | `audits/<slug>/tier2-defer-record.md` |
 | accepted risk record | `audits/<slug>/accepted-risk-record.md` |

regulation/shelf/SHELF_CHANGELOG.md

@@ -2,6 +2,21 @@
 
 All notable changes to the generic regulation shelf.
 
+## 1.1.6 — 2026-06-17
+
+### Added
+
+- gitignore consistency checker (`git ls-files -ci --exclude-standard`)
+- delta re-audit orchestrator and `delta-audit-record.md.template`
+
+### Changed
+
+- evidence bundle includes gitignore consistency screening
+
+### Fixed
+
+- delta orchestrator: Windows name-status parse, Open Blockers count parse
+
 ## 1.1.5 — 2026-06-17
 
 ### Added

regulation/shelf/SHELF_VERSION.md

@@ -5,7 +5,7 @@ Status: Active
 ## Current
 
 ```text
-1.1.5
+1.1.6
 ```
 
 ## Meaning

scripts/README.md

@@ -18,6 +18,10 @@ Output is designed to paste into `templates/audit-report.md.template`.
 | `validate-regulation-index.sh` | Linux/macOS bash — shelf self-check |
 | `check-tracked-files.ps1` | Windows PowerShell — unnecessary tracked-file scan |
 | `check-tracked-files.sh` | Linux/macOS bash — unnecessary tracked-file scan |
+| `check-gitignore-consistency.ps1` | Windows PowerShell — `.gitignore` vs index consistency |
+| `check-gitignore-consistency.sh` | Linux/macOS bash — `.gitignore` vs index consistency |
+| `run-delta-audit.ps1` | Windows PowerShell — delta re-audit orchestrator |
+| `run-delta-audit.sh` | Linux/macOS bash — delta re-audit orchestrator |
 | `collect-audit-evidence.ps1` | Windows PowerShell |
 | `collect-audit-evidence.sh` | Linux/macOS bash |
 | `run-audit-quickstart.ps1` | Windows PowerShell |
@@ -51,6 +55,7 @@ Output is designed to paste into `templates/audit-report.md.template`.
 
 - `git ls-files` count
 - tracked-file screening for developer-only, internal-management, cache, and misplaced audit paths
+- gitignore consistency (`git ls-files -ci --exclude-standard`)
 - HEAD and describe
 - root/github file presence
 - latest CI run summary when `gh` is available

scripts/check-gitignore-consistency.ps1

@@ -0,0 +1,86 @@
+param(
+    [Parameter(Mandatory = $true)]
+    [string]$RepoPath
+)
+
+$ErrorActionPreference = "Stop"
+$RepoPath = (Resolve-Path -LiteralPath $RepoPath).Path
+Push-Location $RepoPath
+
+$findings = New-Object System.Collections.Generic.List[object]
+
+function Add-Finding {
+    param(
+        [string]$Path,
+        [string]$Category,
+        [string]$Severity,
+        [string]$Reason
+    )
+    $script:findings.Add([pscustomobject]@{
+            Path     = $Path
+            Category = $Category
+            Severity = $Severity
+            Reason   = $Reason
+        }) | Out-Null
+}
+
+$recommended = @(
+    "__pycache__/",
+    "*.pyc",
+    ".pytest_cache/",
+    ".env",
+    "AGENTS.md",
+    "CLAUDE.md",
+    ".claudeignore"
+)
+
+$gitignorePath = Join-Path $RepoPath ".gitignore"
+$gitignoreText = ""
+if (Test-Path $gitignorePath) {
+    $gitignoreText = Get-Content $gitignorePath -Raw
+} else {
+    Add-Finding ".gitignore" "missing-file" "review" "No root .gitignore file"
+}
+
+foreach ($pattern in $recommended) {
+    $escaped = [regex]::Escape($pattern)
+    if ($gitignoreText -and ($gitignoreText -notmatch $escaped)) {
+        Add-Finding $pattern "missing-recommended-rule" "review" "Recommended public-prep ignore rule not present in .gitignore"
+    }
+}
+
+$ignoredTracked = @(git ls-files -ci --exclude-standard 2>$null)
+foreach ($rel in $ignoredTracked) {
+    if (-not $rel) { continue }
+    $rule = (git check-ignore -v $rel 2>$null | Select-Object -First 1)
+    Add-Finding $rel "tracked-but-ignored" "blocked" "Tracked file matches ignore rule: $rule"
+}
+
+Write-Output "=== Gitignore Consistency ==="
+Write-Output "Repository: $RepoPath"
+Write-Output "Tracked files: $((git ls-files | Measure-Object).Count)"
+
+$blocked = @($findings | Where-Object { $_.Severity -eq "blocked" })
+$review = @($findings | Where-Object { $_.Severity -eq "review" })
+
+if ($findings.Count -eq 0) {
+    Write-Output "Findings: none"
+    Write-Output "result: PASS"
+    Pop-Location
+    exit 0
+}
+
+Write-Output "Findings: $($findings.Count) (blocked: $($blocked.Count), review: $($review.Count))"
+foreach ($item in $findings) {
+    Write-Output "[$($item.Severity)/$($item.Category)] $($item.Path) — $($item.Reason)"
+}
+
+if ($blocked.Count -gt 0) {
+    Write-Output "result: BLOCKED"
+    Pop-Location
+    exit 1
+}
+
+Write-Output "result: PASS_WITH_REVIEW"
+Pop-Location
+exit 0