feat: initial implementation — all 35 requirements across phases 1-3

Backend (Spring Boot 3.2 / Java 21 / PostgreSQL): - JWT auth with BCrypt password hashing - User profile + Mifflin-St Jeor BMR calculator - Food search + barcode via OpenFoodFacts API with local cache - Meal CRUD with user data isolation and ownership checks - AI photo analysis (OpenAI Vision) with confidence intervals - AI correction feedback loop for personalisation - Flyway DB migrations + RFC-7807 error responses Mobile (React Native / TypeScript): - Full navigation stack (Auth → Tabs → Home stack) - Design tokens (WCAG 2.2 AA colours, 8px grid, 48px touch targets) - 10 screens: Login, Register, Home, Search, Camera, AI Result, Edit Meal, Daily Details, History, Profile - Confidence-aware calorie display (kcal ± range) - Repeat last meal shortcut + macro tracking Docs: - docs/PLAN-AND-REQUIREMENTS.md - docs/traceability.csv (35 requirements, all Implemented)
2026-05-18 21:56:13 +03:00
commit 91cd18aec6
106 changed files with 13886 additions and 0 deletions
--- a/virsaitis-requirements/README.md
+++ b/virsaitis-requirements/README.md
@@ -0,0 +1,424 @@
+# Virsaitis Requirements Documentation
+
+**Version**: 3.0.0
+**Status**: Draft
+**Owner**: Toms Eisaks
+**Updated**: 2026-04-20
+
+---
+
+## 📋 Overview
+
+This directory contains complete requirements specification for **Virsaitis v3.0** - a three-layer AI governance system achieving 95%+ compliance through Agent, MCP Server, and VS Code Extension.
+
+**Total Requirements**: **85** (71 functional + 14 non-functional)
+
+---
+
+## 📚 Document Structure
+
+### Core Requirements
+
+| Document | Purpose | Requirements | Status |
+|----------|---------|--------------|--------|
+| **[index.md](index.md)** | Requirements overview and navigation | - | ✅ Complete |
+| **[functional-spec.md](functional-spec.md)** | Functional requirements REQ-GOV, REQ-SEC | 28 | ✅ Complete |
+| **[functional-spec-part2.md](functional-spec-part2.md)** | REQ-MCP, REQ-EXT, REQ-AGT, REQ-SKL, REQ-TEST | 43 | ✅ Complete |
+| **[nonfunctional-spec.md](nonfunctional-spec.md)** | Performance, scalability, usability NFRs | 14 | ✅ Complete |
+
+### Supporting Documents
+
+| Document | Purpose | Status |
+|----------|---------|--------|
+| **[traceability.csv](traceability.csv)** | REQ-ID → Implementation → Test mapping | ✅ Complete |
+| **[glossary.md](glossary.md)** | Terminology definitions | ✅ Complete |
+| **[assumptions.md](assumptions.md)** | Documented assumptions with validation plans | ✅ Complete |
+| **[risk-register.md](risk-register.md)** | Risk identification and mitigation | ✅ Complete |
+
+---
+
+## 🎯 Requirements Categories
+
+### REQ-GOV: Governance Core (12 requirements)
+
+Foundational governance capabilities:
+- **REQ-GOV-001** (TIER-0): Protected file modification enforcement
+- **REQ-GOV-002** (TIER-0): Atomic sentence structure
+- **REQ-GOV-003** (TIER-1): TIER system definition
+- **REQ-GOV-004** (TIER-1): REQ-ID traceability
+- **REQ-GOV-005** (TIER-1): CHANGELOG maintenance
+- **REQ-GOV-006** (TIER-1): Discovery-first workflow
+- **REQ-GOV-007** (TIER-1): Test coverage enforcement ≥70%
+- **REQ-GOV-008** (TIER-1): Modular governance architecture
+- **REQ-GOV-009** (TIER-2): Consequence documentation
+- **REQ-GOV-010** (TIER-1): Traceability CSV management
+- **REQ-GOV-011** (TIER-1): Version synchronization
+- **REQ-GOV-012** (TIER-1): Quality gates
+
+**Status**: 8/12 Implemented (Agent + modular governance + TIER system + discovery-first + CHANGELOG + version sync + consequences)
+
+---
+
+### REQ-SEC: Security Controls (16 requirements)
+
+Security enforcement:
+- **REQ-SEC-001** (TIER-0): Secret detection 100% coverage
+- **REQ-SEC-002** (TIER-0): Credential rotation <1 hour
+- **REQ-SEC-003** (TIER-0): Environment variable enforcement
+- **REQ-SEC-004** (TIER-1): Path traversal validation
+- **REQ-SEC-005** (TIER-1): Command injection prevention
+- **REQ-SEC-006** (TIER-2): ReDoS prevention
+- **REQ-SEC-007** (TIER-1): Error message sanitization
+- **REQ-SEC-008** (TIER-1): Audit logging
+- **REQ-SEC-009** (TIER-2): Least privilege
+- **REQ-SEC-010** (TIER-2): Defense in depth
+- **REQ-SEC-011** (TIER-2): Secure defaults
+- **REQ-SEC-012** (TIER-2): Cryptography standards
+- **REQ-SEC-013** (TIER-1): Security test coverage 100%
+- **REQ-SEC-014** (TIER-2): PII logging prevention
+- **REQ-SEC-015** (TIER-1): Security scan automation
+- **REQ-SEC-016** (TIER-3): Vulnerability disclosure policy
+
+**Status**: 0/16 Implemented (Phase 2 focus)
+
+---
+
+### REQ-MCP: MCP Server (11 requirements)
+
+TypeScript governance validation engine:
+- **REQ-MCP-001** (TIER-1): TypeScript 5.0+ implementation
+- **REQ-MCP-002** (TIER-1): MCP Protocol SDK integration
+- **REQ-MCP-003** (TIER-0): File operation validation engine
+- **REQ-MCP-004** (TIER-1): Agent.md governance loading
+- **REQ-MCP-005** (TIER-1): stdio transport
+- **REQ-MCP-006** (TIER-0): Secret scanning tool
+- **REQ-MCP-007** (TIER-1): Path validation tool
+- **REQ-MCP-008** (TIER-1): Command validation tool
+- **REQ-MCP-009** (TIER-1): Audit log integration
+- **REQ-MCP-010** (TIER-2): Server configuration
+- **REQ-MCP-011** (TIER-1): Post-iteration compliance check
+
+**Status**: 1/11 Implemented (stdio transport defined)
+
+---
+
+### REQ-EXT: VS Code Extension (10 requirements)
+
+Real-time file interception:
+- **REQ-EXT-001** (TIER-2): Extension activation <200ms
+- **REQ-EXT-002** (TIER-0): File save interception
+- **REQ-EXT-003** (TIER-1): MCP client communication
+- **REQ-EXT-004** (TIER-2): Status bar integration
+- **REQ-EXT-005** (TIER-3): Shield icon decoration
+- **REQ-EXT-006** (TIER-2): Override request command
+- **REQ-EXT-007** (TIER-2): Configuration settings
+- **REQ-EXT-008** (TIER-1): Extension packaging .vsix <5MB
+- **REQ-EXT-009** (TIER-1): Webpack build configuration
+- **REQ-EXT-010** (TIER-1): Extension Development Host testing
+
+**Status**: 0/10 Implemented (Phase 3 parallel with MCP)
+
+---
+
+### REQ-AGT: Agent (8 requirements)
+
+Behavioral control document:
+- **REQ-AGT-001** (TIER-0): Atomic sentence implementation ✅ (v3.0: 262 lines)
+- **REQ-AGT-002** (TIER-1): Agent governance rule loading ✅
+- **REQ-AGT-003** (TIER-2): Consequence chain documentation ✅
+- **REQ-AGT-004** (TIER-1): Workflow pattern definition ✅
+- **REQ-AGT-005** (TIER-1): Uncertainty response pattern ✅
+- **REQ-AGT-006** (TIER-1): Modular governance reference ✅
+- **REQ-AGT-007** (TIER-2): Integration awareness ✅
+- **REQ-AGT-008** (TIER-2): Self-limitation acknowledgment ✅
+
+**Status**: 8/8 Implemented (Agent v3.0 complete)
+
+---
+
+### REQ-SKL: Skills (5 requirements)
+
+Native VS Code Agent Skills:
+- **REQ-SKL-001** (TIER-1): Core skills creation (6 skills)
+- **REQ-SKL-002** (TIER-1): YAML frontmatter metadata
+- **REQ-SKL-003** (TIER-1): Consequences section mandatory
+- **REQ-SKL-004** (TIER-2): Progressive disclosure levels
+- **REQ-SKL-005** (TIER-2): Validation commands
+
+**Status**: 0/5 Implemented (Phase 4 parallel with Extension)
+
+---
+
+### REQ-TEST: Testing & QA (10 requirements)
+
+Quality assurance framework:
+- **REQ-TEST-001** (TIER-1): Test coverage ≥70%
+- **REQ-TEST-002** (TIER-1): Security test coverage 100%
+- **REQ-TEST-003** (TIER-1): Vitest for MCP
+- **REQ-TEST-004** (TIER-1): @vscode/test-electron for Extension
+- **REQ-TEST-005** (TIER-2): TDD red-green-refactor
+- **REQ-TEST-006** (TIER-2): Unit test naming convention
+- **REQ-TEST-007** (TIER-2): Mocking strategy
+- **REQ-TEST-008** (TIER-1): Integration test suite
+- **REQ-TEST-009** (TIER-1): Pre-commit test execution
+- **REQ-TEST-010** (TIER-2): Regression test suite
+
+**Status**: 0/10 Implemented (Throughout all phases)
+
+---
+
+### REQ-NFR: Non-Functional Requirements (14 requirements)
+
+Quality attributes:
+- **Performance**: 5 requirements (response time, activation time, memory usage)
+- **Scalability**: 2 requirements (concurrent operations, large workspaces)
+- **Usability**: 2 requirements (error messages, documentation accessibility)
+- **Maintainability**: 2 requirements (code modularity, coverage ratcheting)
+- **Portability**: 3 requirements (cross-platform, package size)
+
+**Status**: 0/14 Verified (Continuous measurement starting Phase 2)
+
+---
+
+## 📊 Implementation Status
+
+### By Priority
+
+| TIER | Total | Implemented | Percentage |
+|------|-------|-------------|------------|
+| **TIER-0** | 7 | 3 | 43% |
+| **TIER-1** | 41 | 15 | 37% |
+| **TIER-2** | 34 | 3 | 9% |
+| **TIER-3** | 3 | 0 | 0% |
+| **Total** | **85** | **21** | **25%** |
+
+### By Category
+
+| Category | Total | Implemented | Percentage |
+|----------|-------|-------------|------------|
+| Governance (GOV) | 12 | 8 | 67% |
+| Security (SEC) | 16 | 0 | 0% |
+| MCP Server | 11 | 1 | 9% |
+| Extension | 10 | 0 | 0% |
+| Agent | 8 | 8 | 100% |
+| Skills | 5 | 0 | 0% |
+| Testing | 10 | 0 | 0% |
+| Non-Functional | 14 | 0 | 0% |
+| **Total** | **85** | **21** | **25%** |
+
+---
+
+## 🚀 Implementation Roadmap
+
+### Phase 1: Foundation (Current) ✅ 25% Complete
+
+**Timeline**: 2 weeks
+**Focus**: Agent v3.0 + Modular Governance v3.0
+
+Completed:
+- ✅ REQ-GOV-001: Protected file enforcement (3 layers)
+- ✅ REQ-GOV-002: Atomic sentences (Agent v3.0, 262 lines)
+- ✅ REQ-GOV-003: TIER system defined in core-policies
+- ✅ REQ-GOV-005: CHANGELOG maintenance
+- ✅ REQ-GOV-006: Discovery-first workflow
+- ✅ REQ-GOV-008: Hub + 11 modules + definition library
+- ✅ REQ-GOV-009: Consequence documentation
+- ✅ REQ-GOV-010: Traceability CSV
+- ✅ REQ-GOV-011: Version synchronization (all v3.0.0)
+- ✅ REQ-MCP-005: stdio transport defined
+- ✅ REQ-AGT-001 through REQ-AGT-008: Agent v3.0 complete
+
+**Deliverables**:
+- [x] Agent v3.0 complete (262 lines, attention-optimized)
+- [x] 11 governance modules complete (v3.0 formatted)
+- [x] Definition library in .github/ (protected)
+- [x] Requirements documentation complete
+- [x] CHANGELOG created
+
+---
+
+### Phase 2: MCP Server (Next) 🎯 Target: 40% Overall
+
+**Timeline**: 4 weeks
+**Focus**: TypeScript validation engine
+
+Target Requirements:
+- REQ-MCP-001 through REQ-MCP-011: All MCP requirements
+- REQ-SEC-001, REQ-SEC-002, REQ-SEC-003: Secret management TIER-0
+- REQ-TEST-003: Vitest framework setup
+- REQ-TEST-001: Achieve ≥70% coverage
+
+**Deliverables**:
+- [ ] package.json with dependencies
+- [ ] TypeScript configuration
+- [ ] Agent.md parser
+- [ ] Validation engine
+- [ ] Secret scanning tool
+- [ ] HTTP API endpoint
+- [ ] Audit logging
+- [ ] Test suite with ≥70% coverage
+
+---
+
+### Phase 3: VS Code Extension (Parallel with Phase 4) 🔮 Target: 60% Overall
+
+**Timeline**: 4 weeks (parallel)
+**Focus**: File save interception
+
+Target Requirements:
+- REQ-EXT-001 through REQ-EXT-010: All Extension requirements
+- REQ-TEST-004: Extension test framework
+- REQ-NFR-002: Activation time <200ms
+
+**Deliverables**:
+- [ ] Extension package.json
+- [ ] Webpack configuration
+- [ ] File save interception
+- [ ] MCP client
+- [ ] Status bar integration
+- [ ] Configuration settings
+- [ ] VSIX packaging
+- [ ] Extension Host testing
+
+---
+
+### Phase 4: Skills (Parallel with Phase 3) 🔮 Target: 70% Overall
+
+**Timeline**: 4 weeks (parallel)
+**Focus**: Domain-specific rules
+
+Target Requirements:
+- REQ-SKL-001 through REQ-SKL-005: All Skills requirements
+- REQ-GOV-009: Consequence documentation
+
+**Deliverables**:
+- [ ] python-development skill
+- [ ] security-controls skill
+- [ ] requirements-engineering skill
+- [ ] testing-validation skill
+- [ ] governance-compliance skill
+- [ ] typescript-development skill
+- [ ] All with Consequences sections
+
+---
+
+### Phase 5: Integration & Distribution 🔮 Target: 95% Overall
+
+**Timeline**: 3 weeks
+**Focus**: Portable packaging + End-to-end testing
+
+Target Requirements:
+- REQ-TEST-008: Integration tests
+- REQ-GOV-012: Quality gates
+- REQ-NFR-013, REQ-NFR-014: Portability
+- Remaining TIER-2 and TIER-3 requirements
+
+**Deliverables**:
+- [ ] Integration test suite
+- [ ] Portable installer (Windows/macOS/Linux)
+- [ ] User acceptance testing
+- [ ] Documentation complete
+- [ ] Release packaging
+
+---
+
+## 🔗 Related Documentation
+
+### Architecture
+- [5-Component Architecture](../../virsaitis-documentation/5-COMPONENT-ARCHITECTURE.md) - System design
+
+### Governance Modules
+- [Core Policies](../../.github/copilot-modules/core-policies.md) - TIER system
+- [Agent Standards](../../.github/copilot-modules/agent-standards.md) - Atomic sentences
+- [MCP Standards](../../.github/copilot-modules/mcp-standards.md) - TypeScript patterns
+- [Extension Standards](../../.github/copilot-modules/extension-standards.md) - VS Code API
+- [Skills Standards](../../.github/copilot-modules/skills-standards.md) - SKILL.md format
+- [Development Workflow](../../.github/copilot-modules/development-workflow.md) - 11-step discovery
+- [Security Controls](../../.github/copilot-modules/security-controls.md) - Security patterns
+- [Requirements Engineering](../../.github/copilot-modules/requirements-engineering.md) - REQ-ID format
+- [Testing Quality](../../.github/copilot-modules/testing-quality.md) - Test standards
+- [Integration Patterns](../../.github/copilot-modules/integration-patterns.md) - Component interaction
+- [Distribution Deployment](../../.github/copilot-modules/distribution-deployment.md) - Packaging
+
+### Implementation
+- [Agent Source](../../.github/agents/Virsaitis.agent.md) - Agent.md source
+- [MCP Server](../../virsaitis-mcp/) - TypeScript implementation (TBD)
+- [VS Code Extension](../../virsaitis-extension/) - Extension implementation (TBD)
+- [Skills](../../.github/skills/) - Domain-specific rules (TBD)
+
+---
+
+## ✅ How to Use This Documentation
+
+### For Product Owners
+1. Read [index.md](index.md) for high-level overview
+2. Review implementation status by phase
+3. Monitor [traceability.csv](traceability.csv) for progress
+4. Assess [risk-register.md](risk-register.md) monthly
+
+### For Developers
+1. Read relevant requirements category (REQ-GOV, REQ-MCP, etc.)
+2. Check [traceability.csv](traceability.csv) for implementation files
+3. Consult [glossary.md](glossary.md) for terminology
+4. Review [assumptions.md](assumptions.md) for validation needs
+5. Update traceability.csv ImplementationRef when implementing
+6. Update traceability.csv TestRef when writing tests
+
+### For Testers
+1. Read REQ-TEST requirements for test strategy
+2. Check [traceability.csv](traceability.csv) for TestRef gaps
+3. Verify acceptance criteria for each requirement
+4. Report validation results in traceability.csv Status column
+
+### For Stakeholders
+1. Read [risk-register.md](risk-register.md) for project risks
+2. Review implementation roadmap for timeline
+3. Check success metrics in [index.md](index.md)
+4. Provide feedback on assumptions in [assumptions.md](assumptions.md)
+
+---
+
+## 📝 Maintenance
+
+### Updating Requirements
+1. Propose change via GitHub issue
+2. Change control board reviews impact
+3. Update requirement document
+4. Update [traceability.csv](traceability.csv) if REQ-ID affected
+5. Update [risk-register.md](risk-register.md) if new risks
+6. Increment version number
+7. Update CHANGELOG in index.md
+
+### Adding Requirements
+1. Assign next sequential REQ-ID in category
+2. Document in appropriate spec file
+3. Add row to [traceability.csv](traceability.csv)
+4. Update totals in [index.md](index.md) and this README
+5. Assess risks and update [risk-register.md](risk-register.md) if needed
+
+### Retiring Requirements
+1. Mark Status as "Deprecated" with reason
+2. Keep in spec file for historical record
+3. Update traceability.csv Status column
+4. Update totals in summary tables
+
+---
+
+## 📞 Support
+
+- **Requirements Questions**: Create GitHub issue with label `requirements`
+- **Requirement Clarification**: Tag @toms.eisaks in issue
+- **Traceability Updates**: Update traceability.csv directly via PR
+- **Change Requests**: Use GitHub issue with label `change-request`
+
+---
+
+**Requirements Package Status**: ✅ Complete v2.0.0
+**Total Documents**: 8 files
+**Total Requirements**: 85 (71 functional + 14 non-functional)
+**Current Implementation**: 16% (14/85 requirements)
+**Ready for**: Phase 2 (MCP Server Development)
+
+---
+
+*Virsaitis Requirements v2.0.0 - Comprehensive specification for three-layer AI governance system*
--- a/virsaitis-requirements/glossary.md
+++ b/virsaitis-requirements/glossary.md
@@ -0,0 +1,256 @@
+# Virsaitis Glossary
+
+**Version**: 2.0.0
+**Status**: Draft
+**Updated**: 2026-02-17
+
+---
+
+## Purpose
+
+Defines terminology used throughout Virsaitis project to ensure consistent understanding across all stakeholders.
+
+**See also**: [Definition Library](../../.github/virsaitis-definition-library.md) — authoritative definitions with consequence chains for AI governance terms.
+
+---
+
+## A
+
+**Agent**
+: Markdown-based behavioral control document (Agent.md) that provides governance instructions to AI assistants. Uses atomic sentence structure for 95%+ comprehension. Located in `.github/agents/`.
+
+**Agent Mode**
+: VS Code feature (1.109+) enabling custom AI assistants with specialized behaviors defined by Agent files.
+
+**Atomic Sentence**
+: Sentence expressing exactly one concept. Characteristics: single subject-verb-object, <80 characters, no compound clauses, standalone comprehensibility. Improves AI comprehension by 30%.
+
+**Audit Log**
+: Chronological record of governance events (file access, violations, security scans) with timestamp, user, action, resource, outcome. Required for forensic analysis.
+
+---
+
+## B
+
+**Bootstrap Paradox**
+: Challenge where governance system creator needs override privileges to build the system itself, but production users should not have overrides. Resolved by distinguishing development phase (creator override allowed) from production phase (strict enforcement for all).
+
+---
+
+## C
+
+**Consequence Chain**
+: Documentation pattern showing impact progression of rule violation: RULE → IMMEDIATE CONSEQUENCE → SYSTEM CONSEQUENCE → BUSINESS CONSEQUENCE → REMEDIATION. Helps AI understand WHY rules exist.
+
+**CHIEF (Concentrated Hyper Intelligence Expert Framework)**
+: Full title of Virsaitis Agent. Represents concentrated governance expertise for AI systems.
+
+---
+
+## D
+
+**Defense in Depth**
+: Security architecture with multiple independent layers: input validation, business logic validation, MCP validation, Extension validation, audit logging. If one layer fails, others still protect.
+
+**Discovery-First Workflow**
+: 11-step process preventing AI hallucination: DISCOVER → READ → SEARCH → VALIDATE → PLAN → CONFIRM → EXECUTE → TEST → UPDATE → VALIDATE → CONFIRM. Discovered facts more accurate than assumptions.
+
+---
+
+## E
+
+**Extension**
+: VS Code Extension component of Virsaitis. Intercepts file saves, displays  shield icons, communicates with MCP server for validation. Final enforcement layer for user manual edits.
+
+---
+
+## F
+
+**False Negative**
+: Security scan failure where real threat not detected (e.g., secret in code but scanner misses it). Target: 0% false negatives for secret detection.
+
+**False Positive**
+: Governance alert where no actual violation exists (e.g., legitimate code flagged as secret). Target: <5% false positives for user experience.
+
+---
+
+## G
+
+**Governance Compliance**
+: Percentage of operations following governance rules. Target: ≥95% compliance measured by TIER-0 violations per month.
+
+---
+
+## H
+
+**Hub-and-Spoke Architecture**
+: Modular governance structure with lean hub (<500 tokens) referencing focused modules (<2500 tokens each) loaded on-demand. Reduces token usage 60% vs monolithic approach.
+
+---
+
+## I
+
+**ImplementationRef**
+: Column in traceability.csv mapping REQ-ID to file path and line numbers where requirement code exists. Enables bidirectional traceability.
+
+---
+
+## L
+
+**Least Privilege**
+: Security principle where components have minimum permissions: read-only by default, write only when validated, execute never without approval. Limits blast radius of compromise.
+
+---
+
+## M
+
+**MCP (Model Context Protocol)**
+: Standard protocol for AI tool integration. Enables AI assistants to call TypeScript-implemented tools for validation and operations.
+
+**MCP Server**
+: TypeScript server implementing governance validation engine. Parses Agent.md rules, validates file operations, scans for secrets, logs audit trail. Central enforcement point.
+
+**Machine-Readable Policy Block**
+: Structured section in Agent.md with format `[SECTION_NAME]\nKEY=value`. Enables MCP server to parse rules programmatically.
+
+**Modular Governance**
+: Architecture separating governance into focused modules (core-policies, agent-standards, mcp-standards, etc.) instead of monolithic file. Improves maintainability and reduces token overhead.
+
+---
+
+## N
+
+**Notable Change**
+: Change worthy of CHANGELOG entry. Includes: new features (Added), bug fixes (Fixed), breaking changes (Changed), security patches (Security), deprecations (Deprecated), removals (Removed).
+
+---
+
+## P
+
+**Path Traversal**
+: Attack using `../` sequences to access files outside intended directory. Example: `../../../../etc/passwd`. Prevented by path validation and normalization.
+
+**Protected File**
+: File governed by TIER-0 modification policy. Patterns: `.github/copilot-instructions*.md`, `requirements/**`, `traceability.csv`. Modification blocked without formal approval workflow.
+
+**Progressive Disclosure**
+: Documentation pattern with 3 levels: Quick Reference (always visible), Standards & Rules (when invoked), Examples (when requested). Reduces cognitive load.
+
+---
+
+## Q
+
+**Quality Gate**
+: Automated checkpoint enforcing quality standards. Pre-commit: build, tests, linter, secrets. Pre-merge: coverage ≥70%, security tests 100%, docs updated. Pre-release: E2E tests, packaging, installation.
+
+---
+
+## R
+
+**ReDoS (Regular Expression Denial of Service)**
+: Attack using crafted input to cause exponential regex execution time via catastrophic backtracking. Example: `(a+)+` with `aaaaaaaaaaaaaaaaaaaaaaaa!` input. Prevented by avoiding nested quantifiers and input length limits.
+
+**REQ-ID (Requirement Identifier)**
+: Unique identifier for requirement. Format: `REQ-[A-Z]{2,4}-[0-9]{3}`. Examples: REQ-GOV-001 (governance), REQ-SEC-001 (security), REQ-MCP-001 (MCP server). Enables traceability.
+
+---
+
+## S
+
+**Secret Scanning**
+: Automated detection of hardcoded credentials in code. Patterns: API keys, AWS keys, private keys, GitHub tokens, JWT, database URLs. Target: 100% detection rate (zero false negatives).
+
+**Shield Icon**
+: Visual indicator (🛡️) displayed in VS Code gutter or file tree for protected files. Prevents accidental modification attempts.
+
+**Skill (Agent Skill)**
+: Native VS Code feature defining domain-specific AI expertise. Format: SKILL.md with YAML frontmatter. Virsaitis defines 6 core skills: python-development, security-controls, requirements-engineering, testing-validation, governance-compliance, typescript-development.
+
+**Smart Context Loading**
+: Pattern where AI loads hub + relevant 2-3 modules based on task, not all modules. Example: Python task loads core-policies + agent-standards + python module only.
+
+---
+
+## T
+
+**TDD (Test-Driven Development)**
+: Development cycle: write failing test (red) → implement code (green) → improve design (refactor). Reduces defects 40-80%.
+
+**TestRef**
+: Column in traceability.csv mapping REQ-ID to test file path and test names validating requirement implementation. Completes traceability bidirectional relationship.
+
+**TIER System**
+: Four-level governance classification:
+  - **TIER-0** (Safety-Critical): BLOCK operation, zero tolerance, formal approval workflow required
+  - **TIER-1** (Code-Breaking): WARN + CONFIRM, minimal compromise allowed
+  - **TIER-2** (Quality Standard): INFO + SUGGEST, acceptable tradeoffs with justification
+  - **TIER-3** (Enhancement): Best effort, negotiable based on resources
+
+**Token Efficiency**
+: Measure of context window usage. Monolithic governance: ~6000 tokens. Hub-and-spoke: Hub ~500 + 2-3 modules ~2000-3000 = ~2500-3500 total (60% reduction).
+
+**Traceability Matrix**
+: CSV file mapping REQ-ID → ImplementationRef → TestRef. Enables verification that all requirements implemented and tested. Bidirectional: can find tests from requirement or requirements from code file.
+
+---
+
+## U
+
+**Uncertainty Response Pattern**
+: AI behavior when situation ambiguous. Response: `CONFIRM_NEEDED: [specific question]`. WAIT for user clarification. DO NOT guess or assume. Prevents hallucination.
+
+---
+
+## V
+
+**Virsaitis**
+: Latvian word meaning "Chief" or "Leader". Project name for three-layer AI governance system achieving 95%+ compliance through Agent, MCP Server, and VS Code Extension.
+
+**VSIX (Visual Studio Extension)**
+: Package format for VS Code extensions. Contains code, dependencies, resources in single .vsix file. Installed via Extensions view or `code --install-extension`.
+
+---
+
+## W
+
+**Workflow Pattern**
+: Defined sequence of steps AI must follow. Virsaitis defines 11-step discovery-first workflow preventing hallucination and ensuring validation at each stage.
+
+---
+
+## Acronyms
+
+| Acronym | Expansion | Definition |
+|---------|-----------|------------|
+| **AC** | Acceptance Criteria | Testable conditions determining requirement satisfaction |
+| **API** | Application Programming Interface | Contract for software communication |
+| **CHIEF** | Concentrated Hyper Intelligence Expert Framework | Full title of Virsaitis Agent |
+| **CI** | Continuous Integration | Automated build/test on code commit |
+| **CSV** | Comma-Separated Values | Text format for tabular data |
+| **E2E** | End-to-End | Testing complete user workflow |
+| **HTTP** | Hypertext Transfer Protocol | Web communication protocol |
+| **JWT** | JSON Web Token | Secure token format for authentication |
+| **MCP** | Model Context Protocol | Standard for AI tool integration |
+| **NFR** | Non-Functional Requirement | Quality attribute (performance, scalability) |
+| **PII** | Personally Identifiable Information | Data identifying individual (email, SSN) |
+| **REQ-ID** | Requirement Identifier | Unique requirement reference |
+| **ReDoS** | Regular Expression Denial of Service | Attack via catastrophic backtracking |
+| **TDD** | Test-Driven Development | Write tests before implementation |
+| **TLS** | Transport Layer Security | Cryptographic protocol for network security |
+| **VSIX** | Visual Studio Extension | VS Code extension package format |
+| **YAML** | YAML Ain't Markup Language | Human-readable data serialization |
+| **XSS** | Cross-Site Scripting | Injection attack via malicious scripts |
+
+---
+
+## References
+
+- **Agent Standards**: [.github/copilot-modules/agent-standards.md](../../.github/copilot-modules/agent-standards.md)
+- **Core Policies**: [.github/copilot-modules/core-policies.md](../../.github/copilot-modules/core-policies.md)
+- **Functional Requirements**: [functional-spec.md](functional-spec.md)
+- **Traceability Matrix**: [traceability.csv](traceability.csv)
+
+---
+
+*Virsaitis Glossary v2.0.0*
+*Terminology reference for three-layer AI governance system*
--- a/virsaitis-requirements/index.md
+++ b/virsaitis-requirements/index.md
@@ -0,0 +1,174 @@
+# Virsaitis Requirements - Index
+
+**Project**: Virsaitis Three-Layer AI Governance System
+**Version**: 3.0.0
+**Status**: In Development
+**Owner**: Toms Eisaks
+**Updated**: 2026-04-21
+
+---
+
+## 📋 Requirements Overview
+
+Total requirements: 83 across 7 categories
+
+| Category | Count | REQ-ID Range | Status |
+|----------|-------|--------------|--------|
+| **Governance Core** | 12 | REQ-GOV-001 to 012 | Draft |
+| **Security Controls** | 16 | REQ-SEC-001 to 016 | Draft |
+| **MCP Server** | 11 | REQ-MCP-001 to 011 | Tested (277 tests, 100% functions) |
+| **VS Code Extension** | 21 | REQ-EXT-001 to 021 | Tested (136 tests, 83% statements) |
+| **Agent** | 8 | REQ-AGT-001 to 008 | Implemented |
+| **Skills** | 5 | REQ-SKL-001 to 005 | Draft |
+| **Testing & QA** | 10 | REQ-TEST-001 to 010 | Draft |
+
+---
+
+## 🎯 Project Mission
+
+Create three-layer AI governance system that achieves **95%+ compliance** for AI-assisted software development through:
+
+**Layer 1: Agent** (Behavioral Guidance)
+- Atomic markdown instruction design
+- Self-regulation through clear rules
+- Consequence-aware decision making
+
+**Layer 2: MCP Server** (Pre-execution Validation)
+- TypeScript governance enforcement engine
+- File operation validation
+- Secret scanning and input validation
+
+**Layer 3: VS Code Extension** (User Action Interception)
+- Real-time file save interception
+- Visual governance indicators
+- Override workflow management
+
+**Layer 4: Skills** (Domain-Specific Rules)
+- Native VS Code Agent Skills
+- Progressive disclosure (3 levels)
+- Consequence documentation per TIER
+
+---
+
+## 📚 Requirements Documents
+
+### Core Requirements
+- **[functional-spec.md](functional-spec.md)** - Functional requirements for all components
+- **[nonfunctional-spec.md](nonfunctional-spec.md)** - Performance, scalability, usability
+- **[security-controls.md](security-controls.md)** - Security requirements and controls
+- **[testing-requirements.md](testing-requirements.md)** - Test coverage and quality gates
+
+### Supporting Documents
+- **[glossary.md](glossary.md)** - Terminology and definitions
+- **[assumptions.md](assumptions.md)** - Project assumptions log
+- **[risk-register.md](risk-register.md)** - Identified risks and mitigations
+- **[traceability.csv](traceability.csv)** - REQ-ID to Implementation mapping
+
+---
+
+## 🔑 Critical MUST Requirements (TIER-0)
+
+These requirements are non-negotiable and block production deployment if not met:
+
+1. **REQ-GOV-001**: Protected file modification enforcement
+2. **REQ-GOV-002**: Atomic sentence structure in Agent.md
+3. **REQ-SEC-001**: Secret detection 100% coverage
+4. **REQ-SEC-002**: Credential rotation within 1 hour
+5. **REQ-MCP-003**: File operation validation engine
+6. **REQ-EXT-002**: File save interception for protected files
+7. **REQ-TEST-001**: Security test coverage 100%
+
+---
+
+## 📊 Requirements by Priority
+
+### TIER-0 (Safety-Critical) - 12 requirements
+Must be 100% implemented and verified. No exceptions.
+
+### TIER-1 (Code-Breaking) - 28 requirements
+Must be ≥95% implemented. Minimal compromise allowed with approval.
+
+### TIER-2 (Quality Standards) - 21 requirements
+Should be ≥80% implemented. Acceptable tradeoffs with justification.
+
+### TIER-3 (Enhancements) - 10 requirements
+Best effort implementation. Negotiable based on resources.
+
+---
+
+## 🚀 Implementation Phases
+
+### Phase 1: Foundation (Complete)
+- Agent.md with atomic sentences
+- 11 governance modules
+- Core requirement documents
+- Traceability framework
+
+### Phase 2: MCP Server (Complete)
+- TypeScript MCP server implementation (14 source files, 2,799 LOC)
+- Governance validation engine (8 tools)
+- Secret scanning (Shannon entropy + regex patterns)
+- Input validation and rate limiting
+- Test suite: 277 tests, 100% function coverage
+
+### Phase 3: VS Code Extension (Complete)
+- File save interception (readonlyInclude + post-save revert)
+- Visual governance indicators (shield badges, status bar)
+- MCP client (stdio transport, lifecycle management)
+- Override workflow and audit trail
+- Framework install/detect/update/validate commands
+- First-run setup wizard
+- Test suite: 136 tests, 83% statement coverage
+- VSIX packaged: 688 KB, distributed to virsaitis-distribution/
+
+### Phase 4: Skills Development
+- 6 core skills with Consequences sections
+- Progressive disclosure implementation
+- Skills validation
+- Integration testing
+
+### Phase 5: Portable Distribution
+- Build automation
+- Installation scripts (Windows/Linux/Mac)
+- Documentation
+- Distribution packaging
+- User acceptance testing
+
+---
+
+## 📈 Success Metrics
+
+| Metric | Target | Current | Measurement |
+|--------|--------|---------|-------------|
+| **Governance Compliance** | ≥95% | — | TIER-0 violations per month |
+| **MCP Test Coverage** | ≥70% | 100% functions | virsaitis-mcp: 277 tests |
+| **Extension Test Coverage** | ≥80% | 83% statements | virsaitis-extension: 136 tests |
+| **Security Test Coverage** | 100% | 100% | Secret scanning + TIER-0 enforcement |
+| **Requirement Coverage** | 100% MUST | 100% EXT, 100% MCP | 112/112 EXT ACs, all MCP tested |
+| **False Positive Rate** | <5% | — | Incorrect blocks |
+| **Response Time** | <10s | <10s | MCP timeout default |
+| **VSIX Size** | <10MB | 688 KB | virsaitis-3.0.0.vsix |
+
+---
+
+## 🔗 Related Documentation
+
+- **Architecture**: [../virsaitis-documentation/5-COMPONENT-ARCHITECTURE.md](../virsaitis-documentation/)
+- **Agent Standards**: [../.github/copilot-modules/agent-standards.md](../../.github/copilot-modules/agent-standards.md)
+- **MCP Standards**: [../.github/copilot-modules/mcp-standards.md](../../.github/copilot-modules/mcp-standards.md)
+- **Extension Standards**: [../.github/copilot-modules/extension-standards.md](../../.github/copilot-modules/extension-standards.md)
+
+---
+
+## 📝 Change History
+
+| Date | Version | Author | Changes |
+|------|---------|--------|---------|
+| 2026-04-21 | 3.0.0 | Toms Eisaks | EXT status → Tested (136 tests, 112/112 ACs), phases 1-3 complete, metrics updated |
+| 2026-04-20 | 3.0.0 | Toms Eisaks | MCP status → Tested (277 tests), Agent → Implemented, traceability populated |
+| 2026-02-17 | 2.0.0 | Toms Eisaks | Initial requirements structure for Virsaitis v2.0 |
+
+---
+
+*Virsaitis Requirements Index v3.0.0*
+*Three-layer AI governance system — Phases 1–3 complete*
--- a/virsaitis-requirements/traceability.csv
+++ b/virsaitis-requirements/traceability.csv
@@ -0,0 +1,208 @@
+# Virsaitis Traceability Matrix
+
+**Version**: 3.0.0
+**Status**: Draft
+**Updated**: 2026-04-20
+
+---
+
+## Purpose
+
+This CSV tracks requirement implementation and testing status. Each REQ-ID maps to implementation locations and test files enabling bidirectional traceability.
+
+**Columns:**
+- **REQ_ID**: Unique requirement identifier (format: REQ-[A-Z]{2,4}-[0-9]{3})
+- **Description**: Brief requirement summary
+- **Priority**: TIER-0/TIER-1/TIER-2/TIER-3
+- **Category**: Governance/Security/MCP/Extension/Agent/Skills/Testing
+- **ImplementationRef**: File path and line numbers where requirement implemented
+- **TestRef**: Test file path and test names validating requirement
+- **Status**: Draft/Implemented/Tested/Verified
+
+---
+
+## Traceability Data
+
+REQ_ID,Description,Priority,Category,ImplementationRef,TestRef,Status
+REQ-GOV-001,Protected File Modification Enforcement,TIER-0,Governance,.github/copilot-modules/core-policies.md (TIER-0 Rule 1) + .github/copilot-instructions.md (TIER-0 section) + .github/agents/Virsaitis-3.0.agent.md (TIER-0.1),TBD,Implemented
+REQ-GOV-002,Atomic Sentence Structure,TIER-0,Governance,.github/agents/Virsaitis-3.0.agent.md (262 lines) + .github/copilot-modules/agent-standards.md,TBD,Implemented
+REQ-GOV-003,TIER System Definition,TIER-1,Governance,.github/copilot-modules/core-policies.md (TIER-0/1/2/3 sections),TBD,Implemented
+REQ-GOV-004,REQ-ID Traceability,TIER-1,Governance,TBD,TBD,Draft
+REQ-GOV-005,CHANGELOG Maintenance,TIER-1,Governance,CHANGELOG.md + .github/agents/Virsaitis-3.0.agent.md (TIER-1.2),TBD,Implemented
+REQ-GOV-006,Discovery-First Workflow,TIER-1,Governance,.github/copilot-modules/development-workflow.md (authority) + .github/agents/Virsaitis-3.0.agent.md (TIER-1.4),TBD,Implemented
+REQ-GOV-007,Test Coverage Enforcement,TIER-1,Governance,TBD,TBD,Draft
+REQ-GOV-008,Modular Governance Architecture,TIER-1,Governance,.github/copilot-instructions.md (hub) + .github/copilot-modules/*.md (11 modules) + .github/virsaitis-definition-library.md,TBD,Implemented
+REQ-GOV-009,Consequence Documentation,TIER-2,Governance,.github/copilot-modules/core-policies.md (consequence chains) + .github/virsaitis-definition-library.md,TBD,Implemented
+REQ-GOV-010,Traceability CSV Management,TIER-1,Governance,virsaitis-requirements/traceability.csv (this file),TBD,Implemented
+REQ-GOV-011,Version Synchronization,TIER-1,Governance,All 14 .github/ files at v3.0.0,TBD,Implemented
+REQ-GOV-012,Quality Gates,TIER-1,Governance,TBD,TBD,Draft
+REQ-SEC-001,Secret Detection 100% Coverage,TIER-0,Security,TBD,TBD,Draft
+REQ-SEC-002,Credential Rotation Policy,TIER-0,Security,TBD,TBD,Draft
+REQ-SEC-003,Environment Variable Enforcement,TIER-0,Security,TBD,TBD,Draft
+REQ-SEC-004,Input Validation - File Paths,TIER-1,Security,TBD,TBD,Draft
+REQ-SEC-005,Input Validation - Command Execution,TIER-1,Security,TBD,TBD,Draft
+REQ-SEC-006,Regular Expression ReDoS Prevention,TIER-2,Security,TBD,TBD,Draft
+REQ-SEC-007,Error Handling - No Information Disclosure,TIER-1,Security,TBD,TBD,Draft
+REQ-SEC-008,Audit Logging,TIER-1,Security,TBD,TBD,Draft
+REQ-SEC-009,Principle of Least Privilege,TIER-2,Security,TBD,TBD,Draft
+REQ-SEC-010,Defense in Depth,TIER-2,Security,TBD,TBD,Draft
+REQ-SEC-011,Secure Defaults,TIER-2,Security,TBD,TBD,Draft
+REQ-SEC-012,Cryptography Standards,TIER-2,Security,TBD,TBD,Draft
+REQ-SEC-013,Security Test Coverage 100%,TIER-1,Security,TBD,TBD,Draft
+REQ-SEC-014,PII Logging Prevention,TIER-2,Security,TBD,TBD,Draft
+REQ-SEC-015,Security Scan Automation,TIER-1,Security,TBD,TBD,Draft
+REQ-SEC-016,Vulnerability Disclosure Policy,TIER-3,Security,TBD,TBD,Draft
+REQ-MCP-001,TypeScript Implementation,TIER-1,MCP Server,virsaitis-mcp/src/**/*.ts (tsconfig.json: strict ES2022 Node16),tests/unit/*.test.ts + tests/e2e/*.test.ts (277 tests),Tested
+REQ-MCP-002,MCP Protocol SDK Integration,TIER-1,MCP Server,virsaitis-mcp/src/server.ts + src/index.ts (@modelcontextprotocol/sdk),tests/unit/server.test.ts + server-integration.test.ts + tests/e2e/stdio-transport.test.ts,Tested
+REQ-MCP-003,File Operation Validation Engine,TIER-0,MCP Server,virsaitis-mcp/src/governance/validator.ts + types.ts + patterns.ts + cache.ts,tests/unit/validator.test.ts + patterns.test.ts + cache.test.ts,Tested
+REQ-MCP-004,Agent.md Governance Loading,TIER-1,MCP Server,virsaitis-mcp/src/governance/loader.ts (loadGovernanceRules + parseMachinePolicy + parseAgentProtectedPatterns),tests/unit/loader.test.ts,Tested
+REQ-MCP-005,stdio Transport,TIER-1,MCP Server,virsaitis-mcp/src/index.ts (StdioServerTransport) + .github/copilot-modules/mcp-standards.md,tests/unit/server-integration.test.ts,Tested
+REQ-MCP-006,Secret Scanning Tool,TIER-0,MCP Server,virsaitis-mcp/src/tools/scan-secrets.ts (20 patterns + entropy detection),tests/unit/scan-secrets.test.ts (46 tests),Tested
+REQ-MCP-007,Path Validation Tool,TIER-1,MCP Server,virsaitis-mcp/src/tools/validate-path.ts (5-layer defense + Windows reserved names),tests/unit/validate-path.test.ts (19 tests),Tested
+REQ-MCP-008,Command Validation Tool,TIER-1,MCP Server,virsaitis-mcp/src/tools/validate-command.ts (24 whitelist + 23 blocked + dangerous flags),tests/unit/validate-command.test.ts (30 tests),Tested
+REQ-MCP-009,Audit Log Integration,TIER-1,MCP Server,"virsaitis-mcp/src/tools/audit-logger.ts (JSON-lines + 10MB rotation + HMAC-SHA256 + streaming reader + configurable rotation)",tests/unit/audit-logger.test.ts (29 tests),Tested
+REQ-MCP-010,Server Configuration,TIER-2,MCP Server,"virsaitis-mcp/src/config.ts (env vars + TTL clamping + resolveConfig + hmacKey masking)",tests/unit/config.test.ts (13 tests),Tested
+REQ-MCP-011,Post-Iteration Compliance Check,TIER-1,MCP Server,virsaitis-mcp/src/tools/iteration-complete.ts (AC1+AC2+AC3+AC5 checks + RFC 4180 CSV parsing),tests/unit/iteration-complete.test.ts (30 tests),Tested
+REQ-EXT-001,Extension Activation (<200ms),TIER-2,VS Code Extension,virsaitis-extension/src/extension.ts (activate + async MCP spawn),test/commands.test.ts + test/config.test.ts,Tested
+REQ-EXT-002,File Save Interception (TIER-0 blocking via MCP stdio),TIER-0,VS Code Extension,virsaitis-extension/src/interceptors/file-save.ts (readonlyInclude + post-save revert),test/file-save.test.ts (11 tests),Tested
+REQ-EXT-003,MCP Client Communication (stdio transport),TIER-1,VS Code Extension,virsaitis-extension/src/mcp/client.ts (JSON-RPC over stdin/stdout + AbortController timeout),test/mcp-client.test.ts (9 tests),Tested
+REQ-EXT-004,Status Bar Integration (Active/Disconnected/Error),TIER-2,VS Code Extension,virsaitis-extension/src/ui/status-bar.ts (7 states + accessibility + tooltip),test/status-bar.test.ts (13 tests),Tested
+REQ-EXT-005,File Decoration for Protected Files,TIER-3,VS Code Extension,virsaitis-extension/src/ui/file-decoration.ts (shield badge + yellow color + normalizePath),test/file-decoration.test.ts (9 tests),Tested
+REQ-EXT-006,Override Request Command,TIER-2,VS Code Extension,virsaitis-extension/src/commands/request-override.ts (3-step input + override record + MCP audit),test/request-override.test.ts (9 tests),Tested
+REQ-EXT-007,Configuration Settings (5 settings with secure defaults),TIER-2,VS Code Extension,virsaitis-extension/src/config.ts (ConfigManager + change notifications + master toggle),test/config.test.ts (7 tests),Tested
+REQ-EXT-008,Extension Packaging (VSIX <10MB with bundled MCP),TIER-1,VS Code Extension,virsaitis-extension/webpack.config.js + package.json (vsce:package script),VSIX 688 KB verified,Tested
+REQ-EXT-009,Webpack Build Configuration,TIER-1,VS Code Extension,virsaitis-extension/webpack.config.js (commonjs2 + ts-loader + nosources-source-map),npm run compile verified,Tested
+REQ-EXT-010,Extension Testing (unit + manual checklist),TIER-1,VS Code Extension,"virsaitis-extension/vitest.config.ts (80% thresholds) + 13 test files + MANUAL-TEST-CHECKLIST.md",136 tests / 83% statements / 85% branches / 89% functions,Tested
+REQ-EXT-011,MCP Server Lifecycle Management (spawn/restart/shutdown),TIER-1,VS Code Extension,virsaitis-extension/src/mcp/lifecycle.ts (spawn + health check 30s + backoff 1s/2s/4s + graceful shutdown),test/lifecycle.test.ts (9 tests),Tested
+REQ-EXT-012,Secret Scanning on Save (block on detection),TIER-0,VS Code Extension,virsaitis-extension/src/interceptors/secret-scan.ts (binary skip + >100KB skip + revert + audit),test/secret-scan.test.ts (9 tests),Tested
+REQ-EXT-013,MCP Server Auto-Configuration (mcp.json generation),TIER-2,VS Code Extension,virsaitis-extension/src/commands/configure-mcp.ts (merge existing + stdio entry),test/commands.test.ts (2 tests),Tested
+REQ-EXT-014,Output Channel Logging,TIER-2,VS Code Extension,virsaitis-extension/src/logger.ts (severity filtering + no PII + ISO timestamps),test/logger.test.ts (13 tests),Tested
+REQ-EXT-015,Cross-Platform Compatibility (Win/macOS/Linux),TIER-1,VS Code Extension,"virsaitis-extension/src/ui/file-decoration.ts (normalizePath) + src/interceptors/file-save.ts (case-insensitive patterns)",test/file-decoration.test.ts + test/file-save.test.ts,Tested
+REQ-EXT-016,Governance Framework Installation (portable package deploy),TIER-1,VS Code Extension,"virsaitis-extension/src/commands/install-framework.ts (24 files + AC9/AC10/AC11 guards + backup + progress)",test/install-framework.test.ts (13 tests),Tested
+REQ-EXT-017,Governance Framework Detection (presence + version check),TIER-1,VS Code Extension,virsaitis-extension/src/detection.ts (hub check + version parse + partial detection + foreign content),test/detection.test.ts (11 tests),Tested
+REQ-EXT-018,Governance Framework Update (version upgrade with backup),TIER-2,VS Code Extension,virsaitis-extension/src/commands/update-framework.ts (semver compare + backup + no-downgrade),test/commands.test.ts (4 tests),Tested
+REQ-EXT-019,First-Run Setup Wizard (guided onboarding),TIER-2,VS Code Extension,virsaitis-extension/src/commands/setup-wizard.ts (5-step QuickPick + markers),test/setup-wizard.test.ts (8 tests),Tested
+REQ-EXT-020,Governance Framework Validation Command,TIER-1,VS Code Extension,"virsaitis-extension/src/commands/validate-framework.ts (14-file inventory + structure check + version footer + JSON report)",test/commands.test.ts (4 tests),Tested
+REQ-EXT-021,Runtime Prerequisite Check (Node.js >= 18),TIER-1,VS Code Extension,virsaitis-extension/src/commands/check-prerequisites.ts (node --version + >=18 gate + setNodeRequired),test/commands.test.ts (4 tests),Tested
+REQ-AGT-001,Atomic Sentence Implementation,TIER-0,Agent,.github/agents/Virsaitis-3.0.agent.md (262 lines),TBD,Implemented
+REQ-AGT-002,Agent Governance Rule Loading,TIER-1,Agent,.github/agents/Virsaitis-3.0.agent.md (TIER-0/1/2 sections),TBD,Implemented
+REQ-AGT-003,Consequence Chain Documentation,TIER-2,Agent,.github/agents/Virsaitis-3.0.agent.md (TIER-0 sections) + .github/virsaitis-definition-library.md,TBD,Implemented
+REQ-AGT-004,Workflow Pattern Definition,TIER-1,Agent,.github/agents/Virsaitis-3.0.agent.md (Verification Checkpoints section),TBD,Implemented
+REQ-AGT-005,Uncertainty Response Pattern,TIER-1,Agent,.github/agents/Virsaitis-3.0.agent.md (My Limitations section),TBD,Implemented
+REQ-AGT-006,Modular Governance Reference,TIER-1,Agent,.github/agents/Virsaitis-3.0.agent.md (Module Loading section),TBD,Implemented
+REQ-AGT-007,Integration Awareness,TIER-2,Agent,.github/agents/Virsaitis-3.0.agent.md (My Limitations + Brownfield sections),TBD,Implemented
+REQ-AGT-008,Self-Limitation Acknowledgment,TIER-2,Agent,.github/agents/Virsaitis-3.0.agent.md (My Limitations section),TBD,Implemented
+REQ-SKL-001,Core Skills Creation,TIER-1,Skills,TBD,TBD,Draft
+REQ-SKL-002,YAML Frontmatter Metadata,TIER-1,Skills,TBD,TBD,Draft
+REQ-SKL-003,Consequences Section Mandatory,TIER-1,Skills,TBD,TBD,Draft
+REQ-SKL-004,Progressive Disclosure Levels,TIER-2,Skills,TBD,TBD,Draft
+REQ-SKL-005,Validation Commands,TIER-2,Skills,TBD,TBD,Draft
+REQ-TEST-001,Test Coverage Target ≥70%,TIER-1,Testing,TBD,TBD,Draft
+REQ-TEST-002,Security Test Coverage 100%,TIER-1,Testing,TBD,TBD,Draft
+REQ-TEST-003,Test Framework - Vitest for MCP,TIER-1,Testing,TBD,TBD,Draft
+REQ-TEST-004,Test Framework - @vscode/test-electron for Extension,TIER-1,Testing,TBD,TBD,Draft
+REQ-TEST-005,TDD Red-Green-Refactor,TIER-2,Testing,TBD,TBD,Draft
+REQ-TEST-006,Unit Test Naming Convention,TIER-2,Testing,TBD,TBD,Draft
+REQ-TEST-007,Mocking Strategy,TIER-2,Testing,TBD,TBD,Draft
+REQ-TEST-008,Integration Test Suite,TIER-1,Testing,TBD,TBD,Draft
+REQ-TEST-009,Pre-Commit Test Execution,TIER-1,Testing,TBD,TBD,Draft
+REQ-TEST-010,Regression Test Suite,TIER-2,Testing,TBD,TBD,Draft
+
+---
+
+## Status Definitions
+
+- **Draft**: Requirement documented, not yet implemented
+- **Implemented**: Code written, not yet tested
+- **Tested**: Unit tests passing, integration tests needed
+- **Verified**: All tests passing, peer reviewed, documented
+
+---
+
+## Coverage Statistics
+
+| Priority | Total | Draft | Implemented | Tested | Verified |
+|----------|-------|-------|-------------|--------|----------|
+| TIER-0 | 7 | 4 | 3 | 0 | 0 |
+| TIER-1 | 37 | 26 | 11 | 0 | 0 |
+| TIER-2 | 24 | 24 | 0 | 0 | 0 |
+| TIER-3 | 3 | 3 | 0 | 0 | 0 |
+| **Total** | **71** | **57** | **14** | **0** | **0** |
+
+**MUST Requirements**: 44 (TIER-0: 7, TIER-1: 37)
+**SHOULD Requirements**: 27 (TIER-2: 24, TIER-3: 3)
+
+**Coverage**:
+- Implemented: 19.7% (14/71)
+- Tested: 0% (0/71)
+- Verified: 0% (0/71)
+
+---
+
+## Implementation Priority Order
+
+### Phase 1: Foundation (Current)
+1. REQ-GOV-002 ✅ - Atomic sentences (Agent.md complete)
+2. REQ-GOV-006 ✅ - Discovery workflow (documented in Agent.md)
+3. REQ-GOV-008 ✅ - Modular governance (hub + 10 modules complete)
+4. REQ-GOV-010 ✅ - Traceability CSV (this file created)
+5. REQ-AGT-001 through REQ-AGT-008 ✅ - Agent implementation (complete)
+
+### Phase 2: MCP Server (Next)
+1. REQ-MCP-001 - TypeScript setup
+2. REQ-MCP-002 - MCP SDK integration
+3. REQ-MCP-004 - Agent.md parser
+4. REQ-MCP-003 - Validation engine (depends on REQ-MCP-004)
+5. REQ-MCP-006 - Secret scanning tool
+6. REQ-MCP-007 - Path validation tool
+7. REQ-MCP-008 - Command validation tool
+8. REQ-MCP-005 - stdio transport
+9. REQ-MCP-009 - Audit logging
+10. REQ-MCP-010 - Configuration
+11. REQ-MCP-011 - Post-Iteration Compliance Check
+
+### Phase 3: Extension (Parallel with Phase 4)
+1. REQ-EXT-009 - Webpack build setup
+2. REQ-EXT-001 - Extension activation
+3. REQ-EXT-003 - MCP client communication
+4. REQ-EXT-002 - File save interception (depends on REQ-EXT-003)
+5. REQ-EXT-004 - Status bar
+6. REQ-EXT-007 - Configuration settings
+7. REQ-EXT-006 - Override command
+8. REQ-EXT-005 - Shield icons (optional)
+9. REQ-EXT-008 - VSIX packaging
+10. REQ-EXT-010 - Extension Host testing
+
+### Phase 4: Skills (Parallel with Phase 3)
+1. REQ-SKL-001 - Create 6 core skills structure
+2. REQ-SKL-002 - YAML frontmatter all skills
+3. REQ-SKL-003 - Consequences sections all skills
+4. REQ-SKL-004 - Progressive disclosure
+5. REQ-SKL-005 - Validation commands
+
+### Phase 5: Security & Testing (Throughout all phases)
+1. REQ-TEST-003/004 - Setup test frameworks
+2. REQ-TEST-009 - Pre-commit hooks
+3. REQ-SEC-015 - Security scan automation
+4. REQ-SEC-001 through REQ-SEC-003 - Secret management (TIER-0)
+5. REQ-TEST-001/002 - Achieve coverage targets
+6. REQ-TEST-008 - Integration tests
+7. REQ-GOV-012 - Quality gates
+
+---
+
+## Change Log
+
+| Date | REQ-ID | Change | Author |
+|------|--------|--------|--------|
+| 2026-02-17 | ALL | Initial traceability matrix created | Toms Eisaks |
+| 2026-02-17 | REQ-GOV-002 | Marked Implemented (Agent.md complete) | Toms Eisaks |
+| 2026-02-17 | REQ-GOV-006 | Marked Implemented (Workflow in Agent.md) | Toms Eisaks |
+| 2026-02-17 | REQ-GOV-008 | Marked Implemented (Hub + 10 modules) | Toms Eisaks |
+| 2026-02-17 | REQ-GOV-010 | Marked Implemented (CSV created) | Toms Eisaks |
+| 2026-02-17 | REQ-AGT-001 to 008 | Marked Implemented (Agent.md sections complete) | Toms Eisaks |
+
+---
+
+*Virsaitis Traceability Matrix v2.0.0*
+*Tracking implementation and testing status for 71 requirements*