fix: harden validation onboarding

[pascalandr]

Summary

• Fixes validation path handling for Windows path separators in operational-folder checks.
• Updates generated CodeMap templates and root/module CodeMaps so auto-onboarded repositories validate cleanly.
• Cleans placeholder validation blockers without weakening placeholder validation rules.
• Records task evidence and onboarding artifact disposition used to close the hardening work.

Why

This PR is the practical validation-readiness proof point: after a real local auto-onboarding run, validation exposed Windows separator false positives, CodeMap local-knowledge issues, and placeholder/documentation gaps. The fix makes the "auto-onboard then validate" path pass cleanly.

Review notes

• Independent PR targeting dev.
• Validation and repository hygiene hardening, not new product behavior.
• The checked-in workflow/task registry artifacts are intentional for this repository's NomadWorks continuity.
• .nomadworks/ runtime/generated state remains ignored and is not part of the PR.

Verification

• Branch verification:
  • npm test — PASS, 13 tests
  • nomadworks_validate — PASS, 0 warnings
  • npm run release:check — PASS

[pascalandr]

@CodeNomadBot

I want you to perform the gatekeeper checks for latest PR state

check for regressions
check for better possible implementations
Be the PR gatekeeper
Be ruthless about code quality

[codenomadbot]

Gatekeeper review complete for the latest PR state.

Request understood: perform a ruthless PR gatekeeper pass for regressions, implementation quality, and merge readiness. I treated this as review-only and did not change the PR.

Blocking Finding

1. src/validate_logic.js:136 has a path-prefix false negative for placeholder validation. The exemption now checks toPosixRelativePath(relDir).startsWith("tasks/done"), which also exempts sibling names such as tasks/done-old, tasks/done_backup, etc. That weakens the placeholder rule outside the intended archived registry and directly conflicts with the PR goal of cleaning blockers without weakening placeholder validation. I reproduced this with a temp repo containing tasks/done-old/leak.md with [To be defined]; nomadworks_validate_logic returned ok: true with no errors. The fix should use a segment-boundary check, e.g. normalized path equals tasks/done or starts with tasks/done/.

Quality Concerns

1. The new tests do not actually exercise Windows path separators. The added nested operational-folder tests run through the host OS path separator, so on non-Windows CI they would have passed before the Windows normalization fix. Since the PR claim is specifically Windows separator hardening, add a regression test that forces backslash relative paths or extracts/tests the path classifier directly.

Verification Run

1. npm test initially failed because dependencies were not installed in this worktree: missing node_modules/jest/bin/jest.js.
2. npm ci completed, with existing npm audit output reporting 3 vulnerabilities in dependencies.
3. npm test passed: 13 tests.
4. npm run build passed.
5. npm run release:check passed.
6. Direct repo validation via nomadworks_validate_logic(process.cwd()) passed with 0 errors and 0 warnings.
7. git diff --check origin/dev...HEAD passed.

Gatekeeper Decision
Not merge-ready until the tasks/done boundary bug is fixed and covered. The implementation is close, but the current placeholder exemption can hide unresolved template placeholders in non-archived task folders.

--
Yours,
CodeNomadBot

[pascalandr]

@CodeNomadBot
same review

[codenomadbot]

Gatekeeper re-review complete for the latest PR state.

Request understood: rerun the same ruthless gatekeeper review after the latest PR update. I treated this as review-only and did not change the PR.

Findings
No blocking findings in the latest diff for the stated operational-folder/placeholder hardening scope.

Previously Blocking Issue

1. The prior tasks/done prefix false negative is fixed. src/validate_logic.js now uses isPlaceholderExemptPath(), which only exempts exactly tasks/done or descendants under tasks/done/.
2. I re-ran the prior repro with tasks/done-old/leak.md containing [To be defined]; validation now fails as expected.
3. Tests now cover the prefix boundary cases and Windows-style backslash classifier inputs.

Residual Quality Concern

1. src/validate_logic.js:50 and src/validate_logic.js:134 still pass raw path.relative(...) values into ignore.ignores(...). The ignore package does not match backslash paths against slash-based .gitignore patterns, e.g. ignored/ matches ignored/logic.ts but not ignored\\logic.ts. This appears pre-existing and is outside the exact operational-folder fix, so I am not treating it as a blocker for this PR. If the acceptance bar is broader “Windows-safe validation,” this should be fixed by normalizing relative paths before every .gitignore check.

Verification Run

1. git diff --check origin/dev...HEAD passed.
2. npm test passed: 15 tests.
3. npm run release:check passed.
4. Direct repo validation via nomadworks_validate_logic(process.cwd()) passed with 0 errors and 0 warnings.
5. Worktree remained clean after verification.

Gatekeeper Decision
Merge-ready for the stated PR scope. The follow-up .gitignore normalization gap should be tracked separately unless this PR is intended to fully certify Windows validation behavior beyond operational-folder checks.

--
Yours,
CodeNomadBot

[pascalandr]

@CodeNomadBot
same review

[codenomadbot]

Gatekeeper re-review complete for the latest PR state.

Request understood: rerun the same ruthless gatekeeper review after the latest PR update. I treated this as review-only and did not change the PR.

Findings
No blocking findings found.

Previously Raised Issues

1. The tasks/done prefix false negative remains fixed. Placeholder exemptions are now segment-bounded to exactly tasks/done or descendants under tasks/done/.
2. The previous .gitignore normalization concern is now addressed. src/validate_logic.js routes .gitignore checks through isIgnoredPath(), which normalizes backslashes before calling ignore.ignores(...).
3. Tests now cover operational folder nesting, tasks/done boundary behavior, Windows-style classifier paths, and slash-based .gitignore matching against backslash relative paths.

Verification Run

1. git diff --check origin/dev...HEAD passed.
2. npm test passed: 16 tests.
3. npm run release:check passed.
4. Direct repo validation via nomadworks_validate_logic(process.cwd()) passed with 0 errors and 0 warnings.
5. Additional targeted checks confirmed tasks/done-old placeholders fail validation and ignored\\logic.ts matches an ignored/ ignore rule.
6. Worktree remained clean after verification.

Gatekeeper Decision
Merge-ready for this PR scope. The latest implementation is appropriately narrow, covers the prior regressions, and does not introduce an obvious weaker validation path.

--
Yours,
CodeNomadBot