au-federal recipe + 8 community commands (Australian Federal Government / DISP-supplier compliance overlay)

[royster70]

Adds the au-federal community recipe — Australian Federal Government / DISP-supplier compliance overlay — closing #424. Single bundle PR matching the UAE Federal (v4.10.0) and Canada Federal (v4.15.0) precedent.

What ships

Recipe: arckit-claude/skills/arckit-build/recipes/au-federal.yaml

8 community-overlay commands (validated end-to-end against a real AU SMB engagement; DISP-track, OFFICIAL:Sensitive):

#	Command	Purpose
1	au-e8-posture	ASD Essential Eight ML0–ML3 maturity assessment (8 mitigation strategies)
2	au-pia	Privacy Act 1988 s33D Privacy Impact Assessment (13 APPs)
3	au-dss	DTA Digital Service Standard (13 criteria) compliance assessment
4	au-ism-controls	ASD Information Security Manual Statement of Applicability (17 control domains)
5	au-ndb-playbook	OAIC Notifiable Data Breach response playbook (Privacy Act 1988 Part IIIC)
6	au-pspf	Protective Security Policy Framework (4 outcomes / 16 core requirements)
7	au-ai-assurance	DTA AI Assurance Framework + Responsible AI Policy v2.0 baseline (incl. ISO 42001 readiness, Privacy Act AI-decision notification per Dec 2026 amendments)
8	au-disp-attestation	DISP Member self-attestation pack (4 domains: Governance/Personnel/Physical/Information & Cyber, plus FOCI declaration, supply chain, annual board attestation) — consolidates evidence from E8 + ISM + PIA + NDB + PSPF

8 templates (one per command) shipped to both arckit-claude/templates/ and .arckit/templates/.

8 type codes registered in arckit-claude/config/doc-types.mjs: AUE8, AUISM, AUPIA, AUNDB, AUDSS, AUPSPF, AUAIA, AUDISP. New regime AU added to REGIMES / REGIME_LABELS (with corrective inclusion of pre-existing CA regime that was missing from the list).

Dual registration in arckit-claude/commands/pages.md allow-list per the existing convention noted in doc-types.mjs:7.

Single overlay guide at docs/guides/au-federal-overlay.md (UAE-style minimum). Per-command guides in Canada-style can follow in a subsequent PR if you prefer that pattern.

Validation scorecard published as docs/au-federal-validation-scorecard.md per your explicit request on #424 ("rather than take them on trust").

Converter outputs for Codex / OpenCode / Gemini / Copilot / Paperclip generated via python scripts/converter.py against the 8 SKILL.md sources — included in the diff.

Docs updates: README.md (community-overlay section), CHANGELOG.md (Unreleased entry), arckit-claude/skills/arckit-build/SKILL.md (recipes table, with corrective addition of ca-federal-fitaa which was previously missing despite shipping in v4.15.0). docs/index.html is generated by arckit:pages so not included; docs/DEPENDENCY-MATRIX.md is the official-baseline DSM and not updated for community overlays per the existing convention.

Recipe shape

35 targets across 9 build waves + 2 post-build hooks. Wave shape mirrors ca-federal-fitaa: foundation → research+early domain → mid-domain → late ADRs → flagship → synthesis. AU_DISP (DISP attestation) is the consolidation flagship in W5, depending on AU_E8, AU_ISM, AU_PIA, AU_NDB, and AU_PSPF having completed in earlier waves.

Wave	Count	Targets
W0	2	ORG_RESEARCH, PRIN
W1	3	GLOSSARY, REQ, STKE
W2	11	ADR-002, ADR-008, AU_E8, AU_PIA, AWS_RESEARCH, AZURE_RESEARCH, DATASCOUT, GCP_RESEARCH, RESEARCH, STRATEGY, WARDLEY
W3	7	ADR-001, ADR-007, AU_AI, AU_DSS, AU_ISM, AU_NDB, DATA_MODEL
W4	4	ADR-003, ADR-004, ADR-005, AU_PSPF
W5	3	ADR-006, AIP, AU_DISP
W6	2	HLD, RISK
W7	2	SOBC, TRACEABILITY
W8	1	FRAMEWORK
W9 (post-build)	2	arckit:health, arckit:pages

Computed via topological sort matching the algorithm in arckit-claude/skills/arckit-build/SKILL.md § "Wave plan algorithm". Comparable shape to ca-federal-fitaa.yaml.

Recipe swaps from uk-saas.yaml baseline

arckit:tcop    → arckit:au-dss          (DTA DSS replaces UK Tech Code of Practice)
arckit:secure  → arckit:au-e8-posture   (E8 ML2 replaces UK Secure by Design)
arckit:dpia    → arckit:au-pia          (Privacy Act 1988 PIA replaces UK GDPR DPIA)

Regulatory anchors

1. ASD Essential Eight Maturity Model — cyber baseline (mitigation framework, ML0–ML3)
2. ASD Information Security Manual — comprehensive control set (17 control domains)
3. DTA Digital Service Standard — 13-criterion service standard
4. Privacy Act 1988 (Cth) including Tranche 1 reforms (Dec 2024) — 13 APPs + Notifiable Data Breach scheme
5. Defence Industry Security Program (DISP) — supplier security accreditation (Levels 1–3); E8 ML2 mandate
6. Protective Security Policy Framework — parent framework, 4 outcomes / 16 core requirements
7. Commonwealth Procurement Rules (November 2025 overhaul) — AUD 125k threshold, ethical conduct in VfM, AI transparency clauses
8. DTA AI Assurance Framework + Responsible AI Policy v2.0 — effective Dec 2025
9. PGPA Act 2013 s16 — federal accountable-authority duties
10. IRAP (Information Security Registered Assessors Program) — primary cloud inheritance anchor

Validation evidence — two layers

Layer	What it tests	Test fixture	Status
A	Do the 8 commands produce credible AU-compliance artefacts when invoked against real client evidence?	A real Australian SMB engagement (DISP-track, OFFICIAL:Sensitive). Underlying artefacts available under NDA on request	✅ Done — 9 evaluation runs, 8 ArcKit artefacts (~4,093 lines), 25/25 scorecard pass at Run 3, 0 UK leakage, 220 AU framework references
B	Does the recipe topo-sort cleanly into a coherent build plan?	arckit-test-project-v44-australian-gov (full name; the arckit-test-project-v44 shorthand on #424 expanded — see full name in the README repo table)	✅ Schema validates ok against your verbatim snippet; 35 targets / 9 build waves / max parallelism 11 computed locally via topological sort matching the build harness algorithm

Headline numbers (reproducible mechanical-grep commands in the published scorecard):

• Test fixture: real Australian SMB engagement (DISP Level 2 in progress, October 2026 attestation target, OFFICIAL:Sensitive, pure-SaaS estate). Underlying artefacts available under NDA on request
• 9 evaluation runs logged
• 8 ArcKit artefacts produced totalling ~4,093 lines
• 25/25 evaluation scorecard pass at Run 3
• 0 UK framework leakage in the validation artefacts (verified by mechanical grep)
• 2 intentional UK comparison references in arckit-claude/commands/au-dss.md + au-pia.md (DTA-DSS-vs-UK-TCoP context, Privacy-Act-vs-UK-GDPR context — the swap rationale)
• 188 AU framework references in this PR's 8 SKILL.md commands (grep -rE '\b(ASD|ACSC|OAIC|DTA|PSPF|IRAP|DISP|APP|ISM|Privacy Act 1988)\b' arckit-claude/commands/au-*.md | wc -l)
• 220 AU framework references in the validation artefacts (separate count)
• Recipe schema validation — your verbatim Python snippet from help wanted: contribute a /arckit:build recipe for your jurisdiction #424 returns ok against the recipe

import yaml
r = yaml.safe_load(open('arckit-claude/skills/arckit-build/recipes/au-federal.yaml'))
ids = {t['id'] for t in r['targets']}
deps_ok = all(d.rstrip('*') in {i.rstrip('-') for i in ids} or any(i.startswith(d.rstrip('*')) for i in ids) for t in r['targets'] for d in t['deps'])
print('ok' if deps_ok else 'FAIL')
# → ok

Acceptance-criteria coverage (per #424)

• Recipe YAML at arckit-claude/skills/arckit-build/recipes/au-federal.yaml matching the schema in arckit-claude/skills/arckit-build/SKILL.md § "Recipe schema (v1)"
• YAML validates per the schema check in help wanted: contribute a /arckit:build recipe for your jurisdiction #424 — your verbatim snippet returns ok against the recipe
• 8 community-overlay commands shipped following the existing fr-* / eu-* / at-* / uae-* / ca-* pattern
• Templates in both arckit-claude/templates/ and .arckit/templates/
• Converter run (python scripts/converter.py) executed — Codex / OpenCode / Gemini / Copilot / Paperclip variants generated for all 8 commands
• Doc-types and pages.md allow-list dual-registered for the 8 new type codes
• README.md updated with Australian Federal / DISP-supplier Overlay community section
• CHANGELOG.md updated with Unreleased entry
• arckit-build/SKILL.md recipes table updated (corrective inclusion of ca-federal-fitaa which was previously missing despite shipping in v4.15.0)
• Single overlay guide at docs/guides/au-federal-overlay.md
• Validation scorecard published at docs/au-federal-validation-scorecard.md per maintainer's explicit request on help wanted: contribute a /arckit:build recipe for your jurisdiction #424
• Community classification (not officially maintained); @royster70 listed as domain co-maintainer

Side-effect transparency note

Running python scripts/converter.py (mandatory acceptance criterion) regenerated the 7 platform-variant copies of arckit-pages to bring them in sync with the canonical arckit-claude/commands/pages.md source. This drift is not introduced by this PR — the canonical source had been updated upstream but the variants weren't re-synced. The converter run (a) propagates my pages.md allow-list extension to all 6 platform variants, AND (b) incidentally fixes the pre-existing variant drift. Happy to split into a separate housekeeping commit if preferred.

The 7 modified files are:

• arckit-codex/commands/arckit.pages.md
• arckit-codex/prompts/arckit.pages.md
• arckit-codex/skills/arckit-pages/SKILL.md
• arckit-copilot/prompts/arckit-pages.prompt.md
• arckit-gemini/commands/arckit/pages.toml
• arckit-opencode/commands/arckit.pages.md
• arckit-paperclip/src/data/commands.json

Sector overlay → #440

The au-energy sector overlay (AESCSF + SOCI Act CIRMP + AER ring-fencing — 2 community commands: au-aescsf and au-soci-cirmp) is drafted and ready but held in #440 until this PR lands. The 2 sector commands are mechanically clean but not yet validated end-to-end — the federal test fixture is an advisory firm, not an energy market participant or SOCI-designated critical-asset operator. The #440 PR will explicitly invite community collaboration on validation against an appropriate sector test fixture.

Reviewer notes

• No UK leakage anywhere in the validation artefacts — verified by mechanical grep. 2 intentional UK comparison references in this PR's au-dss.md + au-pia.md (the swap rationale)
• AU jurisdiction-specific terminology used throughout: ASD, ACSC, OAIC, DTA, PSPF, IRAP, DISP, AGSVA, AusTender, ap-southeast-2 region pinning, OFFICIAL:Sensitive classification
• Cross-reference traceability maintained across the 8 artefacts via consistent doc-ID prefixes (AUE8, AUPIA, AUDSS, AUISM, AUNDB, AUDISP, AUPSPF, AUAIA)
• Recipe handles borderline applicability for non-Commonwealth APP entities (private organisations / SMBs) honestly via opening caveats — does not falsely claim direct applicability

Process improvement worth folding into the recipe-development guide

Discovered during validation work; might be useful for other community contributors:

The Evidence Index is a source of truth, not the source of truth. When building a Track-B-style citation manifest from existing evidence indexes, recipes must enumerate file modification timestamps under the input data folder and identify items dated after the index's own datestamp. Failure mode discovered: PnP-Online captures dated 23 Apr 2026 were missed in Run 2 because the manifest was built from the 16 Apr 2026 Evidence Index alone, leading to under-citation of Strategy 1 SaaS-content-governance evidence. Caught and remedied in Run 3 (PnP refresh) after user prompt.

Happy to PR this as a note into arckit-claude/skills/arckit-build/SKILL.md or wherever recipe-author guidance lives, if useful.

Likely review questions

• Why a single overlay guide rather than 8 per-command guides (Canada-style)? UAE-style single-guide minimum is sufficient for an initial PR; happy to add per-command guides in a follow-up PR if you'd prefer the Canada pattern.
• Why no SVCASS replacement? DTA Digital Service Standard provides partial coverage of UK GDS Service Assessment functionality; no direct AU equivalent at Federal level. Could be a Phase 2 candidate if an AU equivalent emerges.
• Why AU_VENDOR_RESEARCH not a separate command? Out of scope for this PR. Current PR scope is the 8 compliance-domain commands. Would fit as a Phase 2 addition.
• What about state/territory level (au-vic, au-nsw)? Out of scope for this PR. The au-federal naming reserves headroom for state-level overlays (au-vic-*, au-nsw-*, etc.) in future contributions.

/cc @tractorjuice

🤖 PR built collaboratively with Claude Code

[royster70]

Strengthened the testing/evaluation surface in ca33212b per a review-thread question:

New — tests/plugin/test_au_federal_recipe.py (61 tests, all green): codifies every headline claim in docs/au-federal-validation-scorecard.md as reproducible pytest checks — schema validation snippet, top-level recipe shape, target count = 35, AU_DISP consolidation flagship deps, topological sort, doc-types.mjs registration of all 8 AU codes, AU regime in REGIMES + REGIME_LABELS, pages.md allow-list, dual-pathed templates, UK-leakage cap, AU-framework presence floor, recipes-table inclusion.

New — .github/workflows/test.yml: first test-runner CI workflow in the repo. Runs pytest tests/ on push and PR to main. Python 3.12 + pytest + pyyaml.

8 real bug fixes caught by activating CI: 6 commands had handoffs[].command: risks (plural) but the actual command file is risk.md (singular). 2 commands had handoffs to au-aescsf and au-soci-cirmp which ship in the sibling au-energy recipe (#440), not this PR — removed for now with comments noting they'll be re-added when #440 lands. Caught by tests/plugin/test_commands_structure.py::test_handoff_commands_reference_existing_files once exercised under CI. Without this commit, the recipe would have shipped with broken handoffs.

Out of scope, but flagged: the new CI workflow will surface 38 pre-existing failures on test_arguments_placeholder_present for the existing ca-* and uae-* commands (none of mine). I haven't touched those — happy to either leave the workflow at full scope to prompt a follow-up housekeeping commit from upstream, or narrow it to specific test files if you'd prefer the green status now.

Test summary at ca33212b:

tests/plugin/test_au_federal_recipe.py     61 passed in 0.15s   (new)
tests/plugin/test_template_consistency.py  16 passed            (au-* selection)
tests/plugin/test_commands_structure.py    72 passed            (au-* selection;
                                                                 was 6 failing
                                                                 before handoff
                                                                 fixes)

Mechanical-grep counts on this PR's source files (also encoded as test assertions):

$ grep -rE '\b(NCSC|ICO|Cyber Essentials|GovS|UK GDPR|GDS|Cabinet Office|DPA 2018|DPIA)\b' arckit-claude/commands/au-*.md | wc -l
2  # intentional comparisons in au-dss.md (DTA-DSS-vs-UK-TCoP) + au-pia.md (Privacy-Act-vs-UK-GDPR)

$ grep -rE '\b(ASD|ACSC|OAIC|DTA|PSPF|IRAP|DISP|APP|ISM|Privacy Act 1988)\b' arckit-claude/commands/au-*.md | wc -l
188

The Layer A claims (9 evaluation runs / 25/25 scorecard / ~4,093 artefact lines / 220 AU references in artefacts) trace back to the MBB Group AU SMB engagement which is NDA-locked and not in the PR — that part still relies on reviewer trust in the scorecard prose. Happy to publish a redacted/synthetic version of the EVALUATION.md methodology as docs/au-federal-evaluation-methodology.md as a follow-up if that would help.

[tractorjuice]

Code Review

Verdict: Strong contribution, but 4 blockers prevent merge as-is. Quality of the AU framework content (terminology, regulatory anchors, DISP consolidation, NDB clock, FOCI declaration) is genuinely high. You've also been responsive — handoff bugs caught by activating CI are already fixed. The blockers below are integration issues, not domain quality.

---

BLOCKERS (must fix before merge)

1. Templates lack ## Document Control heading. All 8 AU templates put <!-- DOC-CONTROL-HEADER --> directly under the > **Template Origin**… blockquote with no ## Document Control heading above. ca-pia-template.md:5 and uae-pdpl-template.md:5 both have the heading + the rendering-hint comment. After partial inlining (the partial is just the table, no heading), AU artefacts will produce a Document Control table with no section heading.

Fix: insert \n## Document Control\n\n<!-- Resolved at command-execution time per _partials/RENDERING.md. --> above each marker. Then dual-sync to .arckit/templates/.

2. Commands don't override the UK classification line — but body content uses AU classifications. arckit-claude/templates/_partials/RENDERING.md only routes governance_framework: UAE Federal or classification_scheme: UAE Smart Data to the UAE partial; everything else falls back to document-control-uk.md, which renders [PUBLIC / OFFICIAL / OFFICIAL-SENSITIVE / SECRET]. There is no document-control-au.md partial. plugin.json userConfig descriptions don't list AU options either. Yet docs/guides/au-federal-overlay.md:31-37 instructs users to set governance_framework: AU Federal and classification_scheme: PSPF — both silently fall back to UK rendering. Meanwhile au-e8-posture.md:60 body explicitly references (UNOFFICIAL / OFFICIAL / OFFICIAL:Sensitive / PROTECTED / SECRET). Result: inconsistent artefacts (UK header, AU body).

Compare: ca-pia.md:32 correctly says "Use the Canadian classification scheme … — replace the standard UK line in the header."

Fix options: (a) add the same per-command override instruction to all 8 AU commands (cheap), or (b) ship document-control-au.md partial + extend RENDERING.md routing + extend plugin.json userConfig (proper). (a) unblocks this PR; (b) can be a follow-up.

3. generate-document-id.sh is mis-invoked in all 8 commands. Every AU command writes generate-document-id.sh AUE8 --filename (single positional arg). Script signature is PROJECT_ID DOC_TYPE [VERSION] — so AUE8 will be read as PROJECT_ID with no DOC_TYPE supplied. Affected lines: au-e8-posture.md:55, au-pia.md:60, au-dss.md:56, au-ism-controls.md:59, au-ndb-playbook.md:60, au-pspf.md:61, au-ai-assurance.md:58, au-disp-attestation.md:58.

Compare: ca-pia.md:32 correct: generate-document-id.sh <PROJECT_ID> PIA --filename. Pattern was inherited from uae-* (also broken there). At minimum AU should follow the CA form.

4. Converter outputs are STALE — and the side-effect transparency note is inverted. Re-running python scripts/converter.py on the PR branch produces ~21 lines of diff per file across all 7 arckit-pages variants (Codex × 3, OpenCode, Gemini, Copilot, Paperclip). The PR's variants are an older "Step 0: Determine Repository Info / Step 1: Discover Repository Structure" hand-driven version. main's variants currently match the canonical "Steps 0–4: Handled by Hook" delegation. So the PR has regressed the variants — opposite of the body's claim "incidentally fixes pre-existing variant drift". Codex/OpenCode/Gemini/Copilot users would lose hook-driven scanning and revert to heavy file-discovery.

Verification: on pr-441, python scripts/converter.py followed by git status --porcelain shows the 7 pages variants modified. On main, the same sequence is clean.

Fix: rebase on main, re-run scripts/converter.py cleanly, commit only the AU-rows additions and the corrective ca-* additions, not the regressed pages flow.

---

IMPORTANT (should fix)

5. 2 templates missing **ArcKit Version**: line in Standard Footer: arckit-claude/templates/au-ndb-playbook-template.md, au-pspf-template.md.

6. CHANGELOG count off by 1. Claims "116 → 124 (70 official + 54 community)". Actual on the PR branch is 117 → 125 (71 official + 54 community); arckit-claude/commands/ contains 125 .md files post-PR.

7. 3 commands skip create-project.sh lookup — au-ndb-playbook.md, au-pspf.md, au-ai-assurance.md jump straight to doc-id generation. Other 5 AU + all ca-* use the lookup. Add it or document the precondition explicitly.

8. Non-canonical name: frontmatter field in all 8 AU commands (line 2 of each). Not used by ca-*, uae-*, fr-*; CLAUDE.md doesn't list it. Strip for consistency.

9. au-ism-controls.md:67 numbering bug — declares "all 12 ISM control domains" then lists 17 items, mixing actual ISM domains with topical groupings (Cloud, Working-Off-Site).

10. Inconsistent rendering reference — 3 of 8 commands say "Resolve the marker." without "per RENDERING.md": au-ai-assurance:4, au-ndb-playbook:4, au-pspf:4, au-disp-attestation:5.

11. CI workflow scope (your flagged question) — running pytest tests/ on this branch surfaces 32 pre-existing ca-* / uae-* failures on test_arguments_placeholder_present. (Your estimate was 38; actual is 32.) All AU commands pass. My preference: fix the 32 in a separate housekeeping PR before merging this one, so this PR lands green. Narrowing the workflow defeats its purpose.

---

MINOR

12. YAML comments referencing au-energy recipe (AESCSF + SOCI Act + AER ring-fencing) #440 in au-e8-posture.md:11-12 and au-ndb-playbook.md:13-14 will pass through the converter to non-Claude targets unchanged.

13. Citation traceability says "populate the External References section" but doesn't instruct inline [DOC_ID-CN] markers per CLAUDE.md "Citation Traceability". Same gap exists in ca-*, so consistent precedent — worth a follow-up sweep across overlays.

14. AU_DISP recipe deps include AU_PSPF, but au-disp-attestation.md Process step 1 doesn't list AUPSPF as input (E8/ISM/PIA/RISK only). Either add it to the Process step or drop from deps.

15. au-disp-attestation-template.md External References doesn't cross-reference AUPSPF / AUDSS / AUAIA.

16. au-pspf-template.md heading numbering is offset (Outcome 1–4 rendered as ## 2.–## 5.).

---

POSITIVE (worth calling out)

• Recipe is clean. 35 targets validate against the verbatim snippet from help wanted: contribute a /arckit:build recipe for your jurisdiction #424; all deps resolve; AU_DISP correctly consolidates 5 upstream artefacts; wave shape mirrors ca-federal-fitaa. post_build_hooks (health, pages) match.
• doc-types.mjs registration is well done. 8 codes with correct category and severity. The REGIMES extension also fixes the pre-existing CA omission — that one is a genuine corrective, unlike the pages drift claim.
• Test coverage is exemplary. 61 new tests in test_au_federal_recipe.py — all passing. First CI workflow in the repo. Codifies every headline scorecard claim as machine-checkable.
• Zero unintended UK leakage in commands and templates (2 intentional comparison references verified at au-dss.md:104, au-pia.md:108).
• AU framework fidelity is excellent — 8 E8 strategies, 13 APPs, 13 DSS criteria, 17 ISM domains (modulo Fix 50+ Missing Command Dependencies in Dependency Matrix #9), 4 PSPF outcomes, 4 DISP domains + FOCI all present and correctly named.
• au-disp-attestation genuinely consolidates upstream evidence (lines 45-49 read all four upstream artefacts; lines 83/85 cite per-strategy).
• Operationally sharp — NDB 30-day clock, Tranche 1 private right of action, named CSO requirement, "self-attestation, not third-party assurance" warning.
• Honest contributor signals — "Help wanted" co-maintainer ask in README, offer to publish redacted Layer A methodology, transparent caveats around DISP for non-Commonwealth APP entities.

---

Recommended pre-merge sequence

1. Fix blocker works in spanish? #4 — rebase on main, re-run scripts/converter.py cleanly so the diff is only AU additions and the ca-* corrective.
2. Fix blocker Feature request: web UI/UX #1 — add ## Document Control heading + rendering hint to 8 templates, dual-sync to .arckit/templates/.
3. Fix blocker Commands are not installed #2 — pick (a) per-command UK→AU header override (mirror ca-pia.md:32 pattern), or (b) ship document-control-au.md. (a) is the cheaper unblock.
4. Fix blocker fix package md's into wheel, and fix it copying #3 — fix the 8 generate-document-id.sh invocations to pass <PROJECT_ID> first. (uae-* shares this bug; worth fixing in the same sweep.)
5. Decide CI workflow scope (Consider the Government Continuous improvement assessment framework #11) and CHANGELOG count (How measure adherence of principles #6) before tagging.

After (1)–(4), mergeable. The AU domain content itself is high-quality and the test/CI scaffolding is a net win for the repo.

[royster70]

Pushed fixes for the four blockers and review items 5–16. Seven new commits on top of the rebased branch.

Blockers — all four resolved.

• Feature request: web UI/UX #1 Added ## Document Control heading + classification rendering hint above the marker in all 8 templates (dual-synced to .arckit/templates/). Mirrors ca-pia-template.md:5.
• #2a Added per-command UK→AU header override at the marker-resolution step in all 8 commands. Mirrors ca-pia.md:32. Also corrected the overlay guide so it accurately describes the per-command override path (the previous claim that userConfig values would switch global rendering was misleading once option (a) was the chosen path).
• fix package md's into wheel, and fix it copying #3 All 8 AU commands now pass <PROJECT_ID> first to generate-document-id.sh. Same-pass tidy: also fixed in all 12 uae-* commands.
• works in spanish? #4 Rebased on upstream/main (pulled in the Adopt patterns from anthropics/financial-services: reader/orchestrator/writer isolation, schema-gated handoffs, reference linting #442 hardening among others), re-ran scripts/converter.py. git status is clean after another converter run, so the variants are now generator-stable.

Important + minor items — all done in source.

• Add gemini support #5 ArcKit Version footer / Backlog Command #7 create-project lookup / Add new features with this link example #8 stripped non-canonical name: frontmatter / Fix 50+ Missing Command Dependencies in Dependency Matrix #9 ISM count reconciled to 17 / Add a DPIA Command #10 RENDERING.md ref normalised / Consider Government Functional Standards #12 au-energy recipe (AESCSF + SOCI Act + AER ring-fencing) #440 YAML comments removed / Consider the Government Security Standard #14 AUPSPF added to au-disp-attestation step 1 / Consider adding the UK National Data Strategy #15 Upstream Evidence cross-ref table in DISP template / Consider adding the UK Government Data Quality Framework #16 PSPF heading offset fixed.
• Consider the Government Continuous improvement assessment framework #11 (CI scope) — kept pytest tests/ at full scope per your preference. The 32 pre-existing ca-*/uae-* test_arguments_placeholder_present failures remain; happy to wait on a separate housekeeping PR before merge.
• Consider the Cyber Security Standard #13 (citation traceability inline markers) — left for the cross-overlay sweep you suggested.
• CHANGELOG count corrected to 117 → 125 (71 official + 54 community).

Tests — 107 new (76 review-guard + 31 Tier 1 framework/anchor coverage), bringing total from 61 → 168, all green at HEAD.

• 76 review-guard tests encode every fixed blocker and item as a mechanical assertion. Each test name references the review number it guards.
• 31 Tier 1 tests add framework-contract coverage:
  • Framework fidelity in templates — 13 APPs (Privacy Act Sch 1), 8 E8 strategies, 17 ISM control areas, 4 PSPF outcomes, 4 DISP domains, 13 DSS criteria. Numbered headings asserted with named-failure output (missing: [9] rather than expected 13, got 12).
  • Recipe ↔ source consistency — every AU target's skill: and output.type resolve to existing files / registered codes; AU target count matches au-*.md count; AU command handoffs all resolve.
  • Authoritative anchor URLs — each AU command cites at least one regulatory URL fragment (legislation.gov.au, oaic.gov.au, cyber.gov.au, protectivesecurity.gov.au, dta.gov.au, digital.gov.au, defence.gov.au) — guards traceability if a future edit drops the Authoritative anchors block.

[tractorjuice]

Code Review (round 2 — after fix-up commits 4b4024b2 → 1ae61ea6)

Verdict: B1, B2, B3, B5 are now resolved. B4 is partially resolved but the underlying problem is broader — the branch is 5 commits behind a main that has since shipped v4.16.0 → v4.19.2, and merging as-is would regress functionality the rebase missed. Needs a fresh rebase before merge, not a re-run of the converter.

The AU framework content is in great shape and the round-1 fixes are solid. Calling out specific verifications below so future reviewers can audit the round-2 pass.

---

BLOCKERS (must fix before merge)

1. Rebase onto current main (regression risk). PR is at arckit-claude/VERSION = 4.15.2; main is at 4.19.2. PR is missing 5 main commits including the squash-merge of #446 (feat(442): three-tier subagent split for datascout/grants/gov-reuse, v4.16.0 → v4.19.0). The rebase miss has produced two functional regressions in the diff:

• arckit-claude/commands/pages.md — the AU rows are added on top of a pre-v4.16.0 base. Diffing main..pr-441 -- arckit-claude/commands/pages.md shows 13 lines being removed, including the data-sources/ artefact directory in the project tree, the data-source-profile row in the type-code table (added by /arckit:datascout in v4.16.0), and the tech-notes/ attribution (added by /arckit:research). Merging as-is removes them from the Pages dashboard for everyone, not just AU users.
• .github/workflows/lint-markdown.yml — the diff removes 12 lines: the three handoff-schema validator test runs (test_validate_handoff.mjs for datascout, grants, gov-reuse — added in feat(442): three-tier subagent split for datascout/grants/gov-reuse + Agent-context hook (v4.16.0 → v4.19.0) #446 to guard the v4.16+/v4.18+/v4.19+ reader-writer split). Replacing them with a separate test.yml running pytest doesn't recover them — pytest doesn't execute .mjs. Merging this drops handoff-schema CI coverage entirely.

Fix: git rebase origin/main, re-add the AU rows on top of v4.19.x's pages.md, restore the three handoff-validator steps in lint-markdown.yml (or keep them in the new test.yml with explicit node invocations), then re-run python scripts/converter.py and commit the regen. The 6 currently-untracked files surfaced by the converter (arckit-codex/agents/READER-PATTERN.md, four data-source-profile-template.md mirrors, arckit-opencode/agents/READER-PATTERN.md) will become part of the regen and need adding.

---

IMPORTANT (should fix)

2. Citation-instructions reference missing in 4 commands. The skill flags this as IMPORTANT-not-blocker because every overlay misses it, but the 4 with no references/citation-instructions.md reference are: au-ai-assurance, au-disp-attestation, au-ndb-playbook, au-pspf. Other 4 (au-dss, au-e8-posture, au-ism-controls, au-pia) do include it. Add the inline [DOC_ID-CN] citation guidance to the missing 4 to match the precedent.

3. Severity flags worth a second look. AUDSS (DTA Digital Service Standard Conformance) and AUPSPF (PSPF Scorecard) are both assessment-class artefacts that go to senior accountable officers, and would normally carry severity: 'HIGH' per the skill's heuristic. Other AU assessment types (AUE8, AUISM, AUPIA, AUAIA, AUDISP) are all HIGH; AUNDB (response playbook) is reasonably non-HIGH. Authoring call, but worth confirming it was deliberate.

4. Recipe flagship field unset. arckit-claude/skills/arckit-build/recipes/au-federal.yaml has 35 well-formed targets, 0 broken deps, and a clear consolidation point (AU_DISP depending on REQ/AU_E8/AU_ISM/AU_PIA/AU_NDB/AU_PSPF). But the top-level flagship: key is missing from the recipe YAML even though the comment header and the README both name AU_DISP as the flagship. ca-federal-fitaa.yaml similarly lacks it (precedent), but explicitly setting it makes the build runner's job easier. Optional but cheap.

---

MINOR (nits)

5. CHANGELOG Unreleased block correctly captures the AU additions and the CA regime corrective. After rebase, this block ends up under whatever version cuts it (probably 4.19.3 if released as a follow-up patch, or rolled into 4.20.0). No action needed unless the maintainer wants a version pre-allocated.

6. UK leakage — exactly 2 references, both intentional comparisons (au-dss.md cites the UK GDS Service Standard for analogous structure, au-pia.md explicitly tells users not to reference GDPR/ICO). Matches the round-1 baseline. ✓

---

POSITIVE (worth calling out)

• All 4 round-1 BLOCKERS resolved cleanly:
  • B1 (heading) — all 8 templates have ## Document Control ✓
  • B2 (classification override) — every au-* command's marker resolution now says "Use the Australian classification scheme (UNOFFICIAL / OFFICIAL / OFFICIAL:Sensitive / PROTECTED / SECRET) — replace the standard UK line in the header" ✓
  • B3 (generate-document-id) — all 8 au-* commands now use the correct <PROJECT_ID> TYPECODE --filename form, AND the same fix was swept across 12 uae-* commands (2423f237) ✓
  • B4 (converter) — the local converter regen now produces 0 drift on the pages-related extension files once the rebase lands. The current drift is a downstream effect of B-1 above, not a fresh defect.
• B5 (regime registration) — REGIMES and REGIME_LABELS both contain 'AU' and the corrective 'CA'. All 8 distinct regime: values declared in records (AT, AU, CA, EU, FR, MOD, UAE, UK) are registered. ✓
• Honest documentation of B2's limitations: docs/guides/au-federal-overlay.md:49 includes a "Note on rendering" that explicitly tells users the per-command override approach is interim and that a future document-control-au.md partial + extended RENDERING.md routing will make the userConfig values drive global rendering. That kind of reviewer-honest framing is exactly the right posture for an interim community-overlay fix.
• Test additions — test_au_federal_recipe.py and the framework-fidelity / recipe-consistency / anchor-URLs tests in 1ae61ea6 codify the headline scorecard claims; recipe parses cleanly with 0 broken deps via the maintainer's verbatim Python snippet.
• AU command quality — all 8 commands have valid frontmatter (description present; no invalid name:/color:/tools: fields), all have $ARGUMENTS, all reference Write tool, 0 broken handoff refs.
• No new pytest failures — 30 fails / 1550 pass / 321 skipped are all pre-existing ca-* (7) and uae-* (12) plus 11 unrelated; zero au-* failures. The PR's CI additions (test.yml) wire pytest into push/PR triggers.
• CHANGELOG is comprehensive, accurate, and includes the corrective on the missing CA regime entry — a class of bug that shipped silently in feat: Canada Federal Overlay (community) — 12 ca-* commands #432 and is now caught.

---

Recommended pre-merge sequence

1. git rebase origin/main (will conflict on pages.md, lint-markdown.yml, VERSION files, possibly CHANGELOG.md).
2. Resolve pages.md conflicts by keeping main's v4.19.x base (the data-sources / tech-notes rows) AND inserting the 8 AU rows + 2 AU section headers under "Procurement" / "Compliance".
3. Resolve lint-markdown.yml conflict by keeping main's three handoff-validator steps; if test.yml is desired in addition, it's additive — don't strip the existing steps.
4. python scripts/converter.py and commit the regen (will also pick up the 6 untracked files: READER-PATTERN.md × 2 and data-source-profile-template.md × 4).
5. Optionally fix IMPORTANTs 2 (citation refs in 4 commands) and 4 (recipe flagship: AU_DISP).
6. Verify final state: pytest tests/plugin/ shows the same 30 pre-existing failures only; python scripts/converter.py && git status --porcelain | grep -v memory is empty.
7. Force-push the rebased branch.

Once the rebase lands, this is a clean merge.

[tractorjuice]

Maintainer rebase pushed as au-federal-recipe-rebased

I rebased your branch onto current main (now at v4.19.2) and ran selective extension regen. Force-pushing to your fork wasn't possible from my side (Codespaces token doesn't get push access to forks even with maintainerCanModify: true), so I pushed it to upstream as au-federal-recipe-rebased:

https://github.com/tractorjuice/arc-kit/tree/au-federal-recipe-rebased

To incorporate (one of these works):

# Option A — fast-forward your branch to the rebased state
git fetch upstream  # or whatever you've named this remote
git checkout au-federal-recipe
git reset --hard upstream/au-federal-recipe-rebased
git push --force origin au-federal-recipe

# Option B — let me close #441 and open a new PR from au-federal-recipe-rebased
# (loses your commit-thread but preserves authorship on the original 10 commits)

Tell me which you'd prefer.

What changed in the rebase

Good news first: the original review's "regression risk" finding was wrong. git rebase origin/main succeeded with zero conflicts — git auto-merged your AU additions on top of main's v4.16-v4.19 changes (pages.md, lint-markdown.yml, the data-sources/ and tech-notes/ rows, etc.). My round-2 review confused git diff main..pr-441 (symmetric difference) with the PR's actual delta. The branch was rebase-clean against main, just version-stale (4.15.2 vs 4.19.2).

Selective extension regen — what got regenerated and what didn't:

After python scripts/converter.py, I selectively reverted converter output for 4 commands across 5 extensions to preserve the established Claude-only divergence:

• datascout, grants, gov-reuse — non-Claude extensions kept at their main-preserved single-tier inlined-agent shape. The v4.16+ reader/orchestrator/writer three-tier split is Claude-only by design (per the v4.19.0 release notes); the converter would have regressed this if I'd let it run unfiltered.
• wardley — non-Claude extensions kept at main's preserved version. The v4.19.2 canonical now references ${CLAUDE_PLUGIN_ROOT}/scripts/owm-to-mermaid.mjs which doesn't ship to those extensions yet (a known v4.19.2 follow-up gap, flagged in the release notes).
• pages — non-Claude extensions kept at main's preserved version. The v4.16+ canonical switched to delegating to the sync-guides hook which non-Claude extensions can't dispatch. Side-effect: non-Claude /arckit:pages dashboards won't surface AU artefacts (matches the same loss for data-sources / tech-notes paths — pre-existing precedent).

arckit-paperclip/src/data/commands.json — surgically merged: 116/116 main entries preserved byte-identical, 8 AU entries inserted at correct alphabetical positions with template: null to match main's pre-template-population serialization. Verified semantically.

Other tidying:

• Removed 6 untracked files the converter produced for v4.16+ artefacts (READER-PATTERN.md + data-source-profile-template.md mirrors across extensions) — same Claude-only-scope reasoning.
• Fixed one MD012 lint error (consecutive blank lines) in au-disp-attestation-template.md and dual-mirrored to .arckit/templates/.

Test posture after rebase

pytest tests/plugin/: 31 fail / 1553 pass / 321 skip. Same shape as main itself:

• 30 pre-existing ca-* / uae-* $ARGUMENTS placeholder failures (known baseline, predates this PR)
• 1 pre-existing test_template_consistency.py::test_plugin_and_cli_templates_are_in_sync failure (data-source-profile-template.md exists in arckit-claude/templates/ but not .arckit/templates/ — a v4.16-era plugin/CLI sync gap on main, also predates this PR)

Zero new failures from your AU work. All 8 au-* commands pass test_arguments_placeholder_present. Your recipe test (test_au_federal_recipe.py) is in place and passing.

Authorship

Your 10 original commits preserved as-is (Author: royster70). I added one maintainer commit on top with Author: tractorjuice:

c18eefab chore(maintainer): rebase + selective extension regen post-v4.19.2
fc7a806d test(au-federal): Tier 1 coverage — framework fidelity, recipe consistency, anchor URLs
fa89bc4f docs(au-federal): correct overlay guide rendering claims (review #441 Blocker 2 follow-through)
13c9ab38 build: regenerate extension variants for AU + UAE source fixes
c705f79d test(au-federal): regression guards for review #441 blockers and items
7de0196c fix(uae): correct generate-document-id.sh invocation across all 12 commands
9944d406 fix(au-federal): address review #441 blockers 1+2a+3 and items 5-16
bdde75b3 fix(au-federal): regen arckit-paperclip commands.json after rebase (Blocker 4)
42c319bc test(au-federal): add CI workflow + pytest coverage; fix 8 broken handoff refs caught by tests
60210d00 docs(au-federal): publish validation scorecard per #424
65842ca5 feat(community): add au-federal recipe + 8 au-* commands (Australian Federal / DISP-supplier overlay)

The 10 rebased commits are unsigned (Codespaces GPG can't sign for an author other than the authenticated user; matches the unsigned state of your originals).

IMPORTANT items still left for you

From my round-2 review, three items I deliberately didn't take on (author calls, not maintainer fixes):

1. Citation-instructions reference missing in 4 commands: au-ai-assurance, au-disp-attestation, au-ndb-playbook, au-pspf. Other 4 already include it.
2. severity: 'HIGH' worth a second look on AUDSS and AUPSPF (matches the other AU assessment-class types).
3. flagship: AU_DISP missing from top-level of au-federal.yaml (precedent: ca-federal-fitaa.yaml also lacks it; cheap to add for build-runner clarity).

Once you've folded the rebased branch in (or we go with Option B), I'd take this for merge.

[royster70]

Thank you for the courtesy rebase at c18eefab — that's well above and beyond, and the selective extension regen (preserving the v4.16+ Claude-only divergence for datascout / grants / gov-reuse / wardley / pages) is much more careful than I would have managed. Reset my local branch to upstream/au-federal-recipe-rebased as the new starting point.

Round-2 IMPORTANT items (your review) — addressed in 4 commits:

• Commands are not installed #2 citation-instructions reference (0fabddfd) — added to au-ai-assurance, au-disp-attestation, au-ndb-playbook, au-pspf so all 8 AU commands now reference ${CLAUDE_PLUGIN_ROOT}/references/citation-instructions.md. Brings them to parity with the ca-* canonical pattern.
• fix package md's into wheel, and fix it copying #3 severity flags (258966a2) — AUDSS and AUPSPF bumped to severity: 'HIGH' in doc-types.mjs. Both go to senior accountable officers (DTA conformance / CSO). AUNDB stays non-HIGH per your read.
• works in spanish? #4 flagship field (a967bb42) — added flagship: AU_DISP to the recipe. (ca-federal-fitaa.yaml shares the omission — could be a one-line follow-up sweep.)
• DISP template lint propagation (c78513fd) — finishes the propagation of your consecutive-blank-line fix to the four extension copies.

Currency update beyond the review — 39f1ee7f adds AU Essential AI Practices ("AI6") to au-ai-assurance.md:

• National AI Centre (NAIC) framework, canonical source ai.gov.au Foundations plus the deeper Implementation Guidance
• 6 practices added as a new Process step section + new template section 4 (renumbering 5–12); follows the structural pattern of the existing AU AI Ethics Principles section
• Document Register and Verification tables in External References extended with both AI6 URLs
• Justification: AI6 is the most operationally-current Australian AI guidance for 2026; an AI Assurance assessment without it would be a notable omission. Public-domain content only.

Paperclip commands.json surgical regen (8b26d931) — your c18eefab surgical merge protected the 5 v4.16+ Claude-only entries (datascout / gov-reuse / grants / pages / wardley) but, as a side-effect, also missed the round-1 UAE doc-id fix for paperclip. Reconciled by running the converter and selectively restoring only the 5 maintainer-preserved entries from HEAD. Net: 16 entries updated (4 AU + 12 UAE) propagating the round-1 + round-2 source changes; 5 v4.16+ entries byte-identical to your preserved version.

Documentation catch-up (6296a63d) — CHANGELOG [Unreleased] block populated with the round-2 + AI6 entries; docs/guides/au-federal-overlay.md now describes AI6 in the au-ai-assurance section + Reference Anchors. New test_ai6_overlay_guide_mentions_ai6 asserts the guide tracks the source.

Other items: #5 (CHANGELOG block) — populated. #6 (UK leakage at 2 intentional) — verified unchanged. The 32 pre-existing ca-* / uae-* / data-source-profile-template.md failures are unchanged; happy to wait on the separate housekeeping PR before merge.

Tests — 168 → 191 tests, all green at HEAD:

• 11 round-2 regression guards (cdfc514d)
• 11 AI6 framework-fidelity guards (in 39f1ee7f)
• 1 doc-source-drift guard for the overlay guide (in 6296a63d)

Looking ahead — happy to follow up after merge with: (a) NAIC AI Governance Cluster in a Round 3 PR — au-ai-systems-register (AI inventory artefact), au-ai-policy (organisational AI policy generator), au-ai-adoption-implementation (per-AI6-practice deep dive); (b) au-ai-international-alignment cross-walk command mapping AU AI Assurance to EU AI Act / NIST AI RMF / ISO 42001 (public-domain mappings only); (c) the held au-energy recipe (#440) once a sector test fixture exists. Your call on sequencing.

Eight new commits since your rebase, in chronological order:

```
6296a63 docs(au-federal): update CHANGELOG + overlay guide for round-2 + AI6
8b26d93 build: surgical paperclip commands.json regen for AU+UAE source updates
39f1ee7 feat(au-federal): add AU Essential AI Practices (AI6) to AI Assurance overlay
c78513f build: propagate DISP template lint fix to extension formats
cdfc514 test(au-federal): regression guards for round-2 IMPORTANT items 2, 3, 4
a967bb4 fix(au-federal): declare flagship: AU_DISP in recipe (round-2 IMPORTANT #4)
258966a fix(au-federal): bump AUDSS + AUPSPF severity to HIGH (round-2 IMPORTANT #3)
0fabddf fix(au-federal): add citation-instructions reference to 4 commands (round-2 IMPORTANT #2)
```

[tractorjuice]

Code Review (round 3)

Verdict: Ship-ready on the AU work itself — all 5 blocker classes pass on the AU-specific surface, the round-1 and round-2 review items are demonstrably addressed in the diff. One real defect remains: converter drift on non-AU canonical commands because the branch is ~2 days behind main. One rebase + python scripts/converter.py should clear it.

BLOCKERS

B4 — Converter drift on non-AU sources

Re-running python scripts/converter.py on the PR HEAD produces 24 file diffs in extension formats for datascout, gov-reuse, grants, wardley commands — none of these are AU files, but the PR ships outdated converter outputs for them. The drift is inherited from main moving forward since the branch was last rebased on 2026-05-13.

M arckit-codex/commands/arckit.{datascout,gov-reuse,grants,wardley}.md
M arckit-codex/prompts/arckit.{datascout,gov-reuse,grants,wardley}.md
M arckit-codex/skills/arckit-{datascout,gov-reuse,grants,wardley}/SKILL.md
M arckit-codex/config.toml
M arckit-copilot/prompts/arckit-{datascout,gov-reuse,grants,wardley}.prompt.md
M arckit-gemini/commands/arckit/{datascout,wardley}.toml
M arckit-opencode/commands/arckit.{datascout,gov-reuse,grants,wardley}.md
M arckit-paperclip/src/data/commands.json
?? arckit-{codex,copilot,opencode,paperclip}/templates/data-source-profile-template.md

Fix:

git rebase origin/main
python scripts/converter.py
git add arckit-codex/ arckit-copilot/ arckit-gemini/ arckit-opencode/ arckit-paperclip/
git commit -m \"build: rebase converter outputs on current main\"
git push --force-with-lease

Note: the data-source-profile-template.md files in extension templates/ dirs are newly produced by the converter and untracked — git add them. Separately, arckit-claude/templates/data-source-profile-template.md exists but its .arckit/templates/ sibling does not — that's a pre-existing main bug (introduced in #446), not this PR's responsibility, but it would be neighbourly to fix in the same sweep by copying the file across.

B1 ✓ / B2 ✓ / B3 ✓ / B5 ✓

All four other blocker classes pass cleanly:

Check	Result
B1 Template ## Document Control headings	All 8 templates have the heading
B2 Classification override in commands	All 8 commands instruct "replace the standard UK line"
B3 generate-document-id.sh <PROJECT_ID> <CODE> --filename invocation	All 8 commands use the correct positional form
B5 Regime registration in doc-types.mjs	AU in REGIMES array (line 169), REGIME_LABELS.AU = 'Australia' (line 176), 7 of 8 doc-types declared severity: 'HIGH' (AUNDB excluded — appropriate for a playbook)

The round-2 fixes are demonstrably present:

• ✅ Item Commands are not installed #2 — All 4 commands (au-ai-assurance, au-disp-attestation, au-ndb-playbook, au-pspf) now reference \${CLAUDE_PLUGIN_ROOT}/references/citation-instructions.md from their External References step.
• ✅ Item fix package md's into wheel, and fix it copying #3 — AUDSS and AUPSPF both bumped to severity: 'HIGH' (lines 162, 163).
• ✅ Item works in spanish? #4 — au-federal.yaml declares top-level flagship: AU_DISP.

IMPORTANT

I1 — Pre-existing failures not introduced by this PR (informational)

`pytest tests/plugin/` reports 31 failures, but a breakdown shows 0 are from this PR:

Category	Count	Status
UAE test_arguments_placeholder_present	18	Pre-existing on main
CA test_arguments_placeholder_present	12	Pre-existing on main
AU test_arguments_placeholder_present	0	All 8 AU commands pass
test_plugin_and_cli_templates_are_in_sync (data-source-profile)	1	Pre-existing on main (from #446)

`test_au_federal_recipe.py` reports 191 passed / 0 failed. The CHANGELOG says "168 → 190 tests" — actual is 191, slightly ahead.

No action required on this PR; flagged so you can decide whether to bundle the test_arguments_placeholder_present UAE/CA sweep into a separate PR while you're already in the overlay-cleanup neighbourhood.

MINOR

M1 — AUTI doc-type-code namespace collision (informational)

AUTI is a pre-existing UAE doc-type ("UAE AI Autonomy Tier Posture", line 140) whose code starts with "AU". Not introduced by this PR, but the new 8 AU* codes now make this collision visible — a future contributor reading pages.md could reasonably assume AUTI is AU when it's UAE. No fix needed for this PR; worth a future PR to either rename AUTI → UATI or add a clarifying comment in doc-types.mjs.

POSITIVE

• 0 AU placeholder-test failures. Earned a clean placeholder test on day one, unlike the historical UAE/CA precedent.
• 0 dual-template parity gaps for au-* templates (8/8 in both arckit-claude/templates/ and .arckit/templates/).
• Round-1 + round-2 absorption is exemplary. The PR clearly addresses every prior IMPORTANT item with traceable diffs, not just commits-that-claim-to.
• test_au_federal_recipe.py (191 tests) is a substantive validation surface — wave shape, deps, type-code registration, regime registration, pages allow-list — all encoded as executable assertions rather than prose claims. Should serve as the model for future overlay PRs.
• UK leakage check: 2 hits, both intentional comparison references (au-dss.md DTA-DSS↔UK-TCoP, au-pia.md Privacy-Act↔UK-GDPR), already called out in the PR body. Templates: 0 leakage hits.
• flagship: AU_DISP explicit declaration on the recipe is the right shape — mirrors what ca-federal-fitaa.yaml should also adopt (you flagged that as a one-line sweep candidate — agreed).
• AI6 round-2 round-out is genuinely useful — NAIC framework is the most operationally-current AU AI guidance and ties the assurance command to a public-domain anchor without proprietary cross-walks.

Recommended pre-merge sequence

1. git rebase origin/main (picks up chore(skills): borrow Tier 1 patterns from anthropics/cwc-workshops #455 + the v4.21.0 set merged this morning)
2. python scripts/converter.py
3. Inspect git status — should show only the 24 known drifts above, plus 4 new untracked data-source-profile-template.md files (in extension templates/ dirs)
4. git add the converter output paths + the 4 untracked files
5. Optional neighbourly fix: cp arckit-claude/templates/data-source-profile-template.md .arckit/templates/ to close the main-side test_plugin_and_cli_templates_are_in_sync failure
6. git commit -m \"build: rebase converter outputs on current main\"
7. git push --force-with-lease
8. Re-verify: python scripts/converter.py && git status --porcelain | grep -v memory/ should be empty
9. Merge — squash recommended given the round-2/round-3 history