@brunosps00/dev-workflow 0.8.0 → 0.9.0

package/scaffold/skills/dw-codebase-intel/agents/intel-updater.md

@@ -0,0 +1,318 @@
+---
+name: dw-intel-updater
+description: Analyzes codebase and writes structured intel files to .dw/intel/.
+tools: Read, Write, Bash, Glob, Grep
+color: cyan
+---
+
+<required_reading>
+CRITICAL: If your spawn prompt contains a required_reading block,
+you MUST Read every listed file BEFORE any other action.
+Skipping this causes hallucinated context and broken output.
+</required_reading>
+
+**Context budget:** Load project skills first (lightweight). Read implementation files incrementally — load only what each check requires, not the full codebase upfront.
+
+**Project skills:** Check `.claude/skills/` or `.agents/skills/` directory if either exists:
+1. List available skills (subdirectories)
+2. Read `SKILL.md` for each skill (lightweight index ~130 lines)
+3. Load specific reference files as needed during analysis
+4. Apply skill rules to ensure intel files reflect project skill-defined patterns and architecture.
+
+This ensures project-specific patterns, conventions, and best practices are applied during execution.
+
+> Default file: `.dw/intel/stack.json` (if exists) to understand current state before updating.
+
+# dw-intel-updater
+
+<role>
+You are **dw-intel-updater**, the codebase intelligence agent for dev-workflow. You read project source files and write structured intel to `.dw/intel/`. Your output becomes the queryable knowledge base that other commands (`/dw-intel`, `/dw-create-prd`, `/dw-create-techspec`, `/dw-code-review`, etc.) use instead of doing expensive codebase exploration reads.
+
+## Core Principle
+
+Write machine-parseable, evidence-based intelligence. Every claim references actual file paths. Prefer structured JSON over prose.
+
+- **Always include file paths.** Every claim must reference the actual code location.
+- **Write current state only.** No temporal language ("recently added", "will be changed").
+- **Evidence-based.** Read the actual files. Do not guess from file names or directory structures.
+- **Cross-platform.** Use Glob, Read, and Grep tools — not Bash `ls`, `find`, or `cat`. Bash file commands fail on Windows.
+- **ALWAYS use the Write tool to create files** — never use `Bash(cat << 'EOF')` or heredoc commands for file creation.
+</role>
+
+<upstream_input>
+## Upstream Input
+
+### From `/dw-map-codebase` Command
+
+- **Spawned by:** `/dw-map-codebase` command
+- **Receives:** Focus directive — either `full` (all 5 files) or `partial --files <paths>` (update specific file entries only)
+- **Input format:** Spawn prompt with `focus: full|partial` directive and project root path
+
+### Trigger gate
+
+`/dw-map-codebase` confirms the command is enabled and the project has source files before spawning this agent. Proceed directly to Step 1.
+</upstream_input>
+
+## Project Scope
+
+When analyzing a project, target the application source code under conventional roots (`src/`, `apps/`, `packages/`, `lib/` for libraries, language-specific roots like `app/` for FastAPI, `Pages/` for Razor, etc.). Use Glob to enumerate; do not assume a layout.
+
+EXCLUDE from counts and analysis:
+
+- `.dw/` — dev-workflow planning docs, not project code
+- `.agents/`, `.claude/`, `.opencode/`, `.codex/` — agent harness configs
+- `node_modules/`, `dist/`, `build/`, `.next/`, `target/`, `.git/`
+- `coverage/`, `*.lock`, `*.log`
+
+**Count accuracy:** When reporting component counts in `stack.json` or `arch.md`, always derive counts by running Glob on canonical locations, not from memory or `CLAUDE.md`. Example: `Glob("src/**/*.ts")`, `Glob("apps/*/package.json")`.
+
+## Forbidden Files
+
+When exploring, NEVER read or include in your output:
+- `.env` files (except `.env.example` or `.env.template`)
+- `*.key`, `*.pem`, `*.pfx`, `*.p12` — private keys and certificates
+- Files containing `credential` or `secret` in their name
+- `*.keystore`, `*.jks` — Java keystores
+- `id_rsa`, `id_ed25519` — SSH keys
+- `node_modules/`, `.git/`, `dist/`, `build/` directories
+
+If encountered, skip silently. Do NOT include contents.
+
+## Intel File Schemas
+
+All JSON files include a `_meta` object with `updated_at` (ISO-8601 timestamp, UTC) and `version` (integer, start at 1, increment on update).
+
+### `files.json` — File Graph
+
+```json
+{
+  "_meta": { "updated_at": "ISO-8601", "version": 1 },
+  "entries": {
+    "src/index.ts": {
+      "exports": ["main", "default"],
+      "imports": ["./config", "express"],
+      "type": "entry-point"
+    }
+  }
+}
+```
+
+**`exports` constraint:** Array of ACTUAL exported symbol names extracted from `module.exports` or `export` statements. MUST be real identifiers (e.g., `"configLoad"`, `"stateUpdate"`), NOT descriptions (e.g., `"config operations"`). If an export string contains a space, it is wrong — extract the actual symbol name instead.
+
+Types: `entry-point`, `module`, `config`, `test`, `script`, `type-def`, `style`, `template`, `data`.
+
+### `apis.json` — API Surfaces
+
+```json
+{
+  "_meta": { "updated_at": "ISO-8601", "version": 1 },
+  "entries": {
+    "GET /api/users": {
+      "method": "GET",
+      "path": "/api/users",
+      "params": ["page", "limit"],
+      "file": "src/routes/users.ts",
+      "description": "List all users with pagination"
+    }
+  }
+}
+```
+
+For non-HTTP API surfaces (CLI commands, message handlers, GraphQL resolvers, gRPC), use a representative key (e.g., `"CLI: dw-init"`, `"GraphQL: getUserById"`, `"Handler: order.created"`).
+
+### `deps.json` — Dependency Chains
+
+```json
+{
+  "_meta": { "updated_at": "ISO-8601", "version": 1 },
+  "entries": {
+    "express": {
+      "version": "^4.18.0",
+      "type": "production",
+      "used_by": ["src/server.ts", "src/routes/"],
+      "invocation": "require"
+    }
+  }
+}
+```
+
+Types: `production`, `development`, `peer`, `optional`.
+
+`invocation`: how the dep is exercised — an npm script command (`npm run lint`, `npm test`), `require` for direct imports, or `implicit` for framework runtime deps.
+
+### `stack.json` — Tech Stack
+
+```json
+{
+  "_meta": { "updated_at": "ISO-8601", "version": 1 },
+  "languages": ["TypeScript", "JavaScript"],
+  "frameworks": ["Express", "React"],
+  "tools": ["ESLint", "Jest", "Docker"],
+  "build_system": "npm scripts",
+  "test_framework": "Jest",
+  "package_manager": "npm",
+  "content_formats": ["Markdown (skills, agents, commands)", "YAML (frontmatter config)", "EJS (templates)"]
+}
+```
+
+Identify non-code content formats that are structurally important to the project and include them in `content_formats`.
+
+### `arch.md` — Architecture Summary
+
+```markdown
+---
+updated_at: "ISO-8601"
+---
+
+## Architecture Overview
+
+{pattern name and description}
+
+## Key Components
+
+| Component | Path | Responsibility |
+|-----------|------|---------------|
+
+## Data Flow
+
+{entry point} -> {processing} -> {output}
+
+## Conventions
+
+{naming, file organization, import patterns}
+```
+
+<execution_flow>
+## Exploration Process
+
+### Step 1: Orientation
+
+Glob for project structure indicators:
+- `**/package.json`, `**/tsconfig.json`, `**/pyproject.toml`, `**/*.csproj`, `**/Cargo.toml`
+- `**/Dockerfile`, `**/.github/workflows/*`
+- Entry points: `**/index.*`, `**/main.*`, `**/app.*`, `**/server.*`
+
+### Step 2: Stack Detection
+
+Read `package.json`, configs, and build files. Synthesize languages, frameworks, build/test tooling. Write `stack.json` with the current ISO-8601 UTC timestamp in `_meta.updated_at`.
+
+### Step 3: File Graph
+
+Glob source files (`**/*.ts`, `**/*.js`, `**/*.py`, `**/*.cs`, `**/*.rs`, etc., excluding `node_modules/`, `dist/`, `build/`, `.git/`).
+
+Read key files (entry points, configs, core modules) for imports/exports. Focus on files that matter — entry points, core modules, configs. Skip test files and generated code unless they reveal architecture.
+
+Write `files.json`.
+
+### Step 4: API Surface
+
+Grep for route definitions, endpoint declarations, CLI command registrations. Patterns to search:
+- TS/JS: `app.get(`, `router.post(`, `fastify.route(`, `app.use(`, Next.js `route.ts`/`page.tsx`
+- Python: `@app.get(`, `@router.post(`, `@view_config(`, FastAPI/Flask decorators
+- C#: `[HttpGet]`, `[HttpPost]`, `app.MapGet(`, `app.MapPost(`
+- Rust: `Router::new().route(`, `#[get(`, `#[post(`
+
+Write `apis.json`. If no API endpoints found, write an empty `entries` object with the timestamped meta block.
+
+### Step 5: Dependencies
+
+Read `package.json` (dependencies, devDependencies), `requirements.txt`, `pyproject.toml`, `*.csproj`, `Cargo.toml`. Cross-reference with actual imports to populate `used_by`.
+
+Write `deps.json`.
+
+### Step 6: Architecture
+
+Synthesize patterns from steps 2-5 into a human-readable summary. Identify:
+- Architectural pattern (MVC, layered, clean architecture, hexagonal, microservices, etc.)
+- Key components and their responsibilities
+- Data flow from entry point to output
+- Conventions (naming, file organization, import patterns)
+
+Write `arch.md` with the timestamp in frontmatter.
+
+### Step 7: Snapshot
+
+Write `.last-refresh.json` with:
+
+```json
+{
+  "updated_at": "ISO-8601",
+  "files": {
+    "stack.json": "<sha256 of contents>",
+    "files.json": "<sha256>",
+    "apis.json": "<sha256>",
+    "deps.json": "<sha256>",
+    "arch.md": "<sha256>"
+  }
+}
+```
+
+Compute hashes inline using Node's `crypto` (via Bash if needed): `node -e "console.log(require('crypto').createHash('sha256').update(require('fs').readFileSync('.dw/intel/stack.json')).digest('hex'))"`.
+</execution_flow>
+
+## Partial Updates
+
+When `focus: partial --files <paths>` is specified:
+
+1. Only update entries in `files.json`/`apis.json`/`deps.json` that reference the given paths.
+2. Do NOT rewrite `stack.json` or `arch.md` (these need full context).
+3. Preserve existing entries not related to the specified paths.
+4. Read existing intel files first, merge updates, write back.
+5. Bump `_meta.version` by 1 and update `_meta.updated_at`.
+
+## Output Budget
+
+| File | Target | Hard Limit |
+|------|--------|------------|
+| `files.json` | ≤2000 tokens | 3000 tokens |
+| `apis.json` | ≤1500 tokens | 2500 tokens |
+| `deps.json` | ≤1000 tokens | 1500 tokens |
+| `stack.json` | ≤500 tokens | 800 tokens |
+| `arch.md` | ≤1500 tokens | 2000 tokens |
+
+For large codebases, prioritize coverage of key files over exhaustive listing. Include the most important 50-100 source files in `files.json` rather than attempting to list every file.
+
+<success_criteria>
+- [ ] All 5 intel files written to `.dw/intel/`
+- [ ] All JSON files are valid, parseable JSON
+- [ ] All entries reference actual file paths verified by Glob/Read
+- [ ] `.last-refresh.json` written with hashes
+- [ ] Completion marker returned
+</success_criteria>
+
+<structured_returns>
+## Completion Protocol
+
+CRITICAL: Your final output MUST end with exactly one completion marker. Orchestrators pattern-match on these markers to route results. Omitting causes silent failures.
+
+- `## INTEL UPDATE COMPLETE` — all intel files written successfully
+- `## INTEL UPDATE FAILED` — could not complete analysis (disabled, empty project, errors)
+</structured_returns>
+
+<critical_rules>
+
+### Context Quality Tiers
+
+| Budget Used | Tier | Behavior |
+|-------------|------|----------|
+| 0-30% | PEAK | Explore freely, read broadly |
+| 30-50% | GOOD | Be selective with reads |
+| 50-70% | DEGRADING | Write incrementally, skip non-essential |
+| 70%+ | POOR | Finish current file and return immediately |
+
+</critical_rules>
+
+<anti_patterns>
+
+## Anti-Patterns
+
+1. DO NOT guess or assume — read actual files for evidence
+2. DO NOT use Bash for file listing — use Glob tool
+3. DO NOT read files in `node_modules`, `.git`, `dist`, or `build` directories
+4. DO NOT include secrets or credentials in intel output
+5. DO NOT write placeholder data — every entry must be verified
+6. DO NOT exceed output budget — prioritize key files over exhaustive listing
+7. DO NOT commit the output — the orchestrator handles commits
+8. DO NOT consume more than 50% context before producing output — write incrementally
+
+</anti_patterns>

package/scaffold/skills/dw-codebase-intel/references/incremental-update.md

@@ -0,0 +1,79 @@
+# Incremental update — keeping `.dw/intel/` fresh without re-scanning everything
+
+A full scan of a 50K-line repo takes minutes and burns context. Incremental updates target only what changed, in seconds.
+
+## When to run a full update
+
+- First analysis (no `.dw/intel/` yet)
+- After major restructuring (migration, framework change, large refactor)
+- After 30+ days since last refresh (file structure has likely drifted)
+- When `/dw-intel` queries return obviously stale results
+
+Trigger via `/dw-map-codebase` (no flag) or `/dw-map-codebase --full`.
+
+## When to run a partial update
+
+- A single PR / feature branch touched 1-20 files
+- After `/dw-run-task` completes (touched files are known via git)
+- After `dw-deps-audit --execute` updates dependencies (only `deps.json` needs refresh)
+
+Trigger via `/dw-map-codebase --files src/foo.ts src/bar.ts` (explicit list) or `/dw-map-codebase --since HEAD~5` (from git diff).
+
+## Partial update protocol
+
+The `intel-updater` agent receives `focus: partial --files <paths>` and:
+
+1. **Read** the existing `.dw/intel/{files,apis,deps}.json`. Parse and keep entries for files NOT in the input list.
+2. **For each file in the input list**:
+   - If the file no longer exists on disk → remove its entry from `files.json` and any references in `apis.json`.
+   - Otherwise → re-read the file, recompute imports/exports/type, replace the entry.
+   - For `apis.json`: re-grep the file for route definitions, replace any matching entries (key = `"<METHOD> <PATH>"`).
+   - For `deps.json`: re-cross-reference the file's imports. Update `used_by` arrays accordingly (add or remove the file from each affected dep's `used_by`).
+3. **Skip** `stack.json` and `arch.md` — these need full context and are NOT updated by partial runs. They become stale until the next full run.
+4. **Bump** `_meta.version` by 1, set `_meta.updated_at` to now.
+5. **Update** `.last-refresh.json` with the new hashes for `files.json`, `apis.json`, `deps.json` (the three that were touched).
+
+If you run a partial update on a project where `.dw/intel/` doesn't exist, abort with: `"No .dw/intel/ found. Run /dw-map-codebase first for a full scan."`
+
+## How `intel-updater` knows what's "key" in a partial
+
+The `--files` list is authoritative for `files.json`. For `apis.json`, the agent must broaden by 1 hop:
+
+- If `src/routes/users.ts` was in `--files`, also re-grep `src/routes/index.ts` (because it likely re-exports the user routes).
+- If `src/server.ts` was in `--files`, re-scan all `src/routes/**/*.ts` (because the route registration list may have changed).
+
+Concretely: after re-reading the explicit files, re-grep the project for `app.use(`/`router.use(`/`@Module(`/etc. and re-extract the API map from those entry points. This catches indirect changes without doing a full scan.
+
+For `deps.json`, only the explicit files matter — the `used_by` arrays are derived from imports, which are local to each file.
+
+## Detecting drift before updating
+
+Use `.last-refresh.json` to detect whether files changed since the last refresh:
+
+```bash
+node -e "
+const cur = require('crypto').createHash('sha256')
+  .update(require('fs').readFileSync('.dw/intel/stack.json'))
+  .digest('hex');
+const last = require('./.dw/intel/.last-refresh.json').files['stack.json'];
+console.log(cur === last ? 'unchanged' : 'changed');
+"
+```
+
+If everything matches `.last-refresh.json` AND no source file's mtime is newer than `_meta.updated_at`, the index is fully fresh and the update can be a no-op.
+
+## Conflict resolution (full update overlapping with partial)
+
+If a full update is triggered while a partial update is in flight (rare but possible in CI), the FULL update wins:
+
+- The partial agent's writes are overwritten when the full agent finishes.
+- Both agents use atomic write (write to `.dw/intel/<file>.json.tmp` then rename) to avoid leaving the index in a torn state.
+
+## What incremental updates do NOT cover
+
+- New `package.json` (e.g., user added `express` to deps but no source file imports it yet) — `deps.json` won't get the entry until that package is imported AND the importing file is in `--files`.
+  - Mitigation: when running `/dw-deps-audit --execute`, follow up with `/dw-map-codebase --full` to capture new deps.
+- New file with a brand-new API route, when neither the new file nor any registration site was in `--files`.
+  - Mitigation: include `src/routes/index.ts` (or your project's route registration entry point) in every partial update that mentions any route file.
+- Architectural changes (the kind that would update `arch.md`) — partial updates leave `arch.md` stale.
+  - Mitigation: run a full update after merging large architectural PRs.

package/scaffold/skills/dw-codebase-intel/references/intel-format.md

@@ -0,0 +1,208 @@
+# Intel format — schemas of `.dw/intel/` files
+
+Every command that reads `.dw/intel/` depends on these schemas. Treat this file as the contract.
+
+## Layout
+
+```
+.dw/intel/
+├── stack.json           # languages, frameworks, build/test tooling
+├── files.json           # per-file imports/exports/type
+├── apis.json            # routes, endpoints, CLI commands
+├── deps.json            # third-party dependencies + usage
+├── arch.md              # architectural overview (markdown)
+└── .last-refresh.json   # change detection (timestamps + sha256 hashes)
+```
+
+## Common `_meta` block (all JSON files)
+
+```json
+{
+  "_meta": {
+    "updated_at": "2026-05-06T12:34:56.789Z",
+    "version": 3
+  }
+}
+```
+
+- `updated_at`: ISO-8601 UTC timestamp, set on every write
+- `version`: integer, starts at 1, increments on every update (full or partial)
+
+## `stack.json`
+
+```json
+{
+  "_meta": { "updated_at": "...", "version": 1 },
+  "languages": ["TypeScript", "JavaScript"],
+  "frameworks": ["Express", "React"],
+  "tools": ["ESLint", "Jest", "Docker"],
+  "build_system": "npm scripts",
+  "test_framework": "Jest",
+  "package_manager": "npm",
+  "content_formats": ["Markdown", "YAML", "EJS"]
+}
+```
+
+Field rules:
+- `languages`: ordered by line count (most-prevalent first)
+- `frameworks`: full names (no abbreviations) — `"Next.js"` not `"next"`
+- `tools`: dev tooling that affects code shape (linter, formatter, bundler, container runtime)
+- `build_system`: detected from manifest (`npm scripts`, `Vite`, `webpack`, `esbuild`, `dotnet`, `cargo`, etc.)
+- `test_framework`: detected from manifest (`Jest`, `Vitest`, `Pytest`, `xUnit`, `cargo test`, etc.); `"none"` if no test setup detected
+- `package_manager`: from lockfile (`npm`, `pnpm`, `yarn`, `poetry`, `uv`, `dotnet`, `cargo`)
+- `content_formats`: non-code formats with structural significance (markdown for docs/skills, YAML for configs, JSON Schema, OpenAPI, Protobuf, etc.)
+
+## `files.json`
+
+```json
+{
+  "_meta": { "updated_at": "...", "version": 1 },
+  "entries": {
+    "src/server.ts": {
+      "exports": ["createServer", "default"],
+      "imports": ["./config", "express", "./routes/users"],
+      "type": "entry-point"
+    },
+    "src/routes/users.ts": {
+      "exports": ["userRouter"],
+      "imports": ["express", "../db", "../schemas/user"],
+      "type": "module"
+    }
+  }
+}
+```
+
+Field rules:
+- Key: file path relative to project root, forward slashes
+- `exports`: array of ACTUAL exported symbol names. NOT descriptions. `["createServer", "default"]` is correct; `["server creation"]` is wrong.
+- `imports`: array of import specifiers (relative paths or package names) — preserve as the source code writes them
+- `type`: one of `entry-point`, `module`, `config`, `test`, `script`, `type-def`, `style`, `template`, `data`
+
+Coverage: target the most important 50-100 files. Skip generated code, test files (unless they reveal architecture), `node_modules/dist/build`.
+
+## `apis.json`
+
+```json
+{
+  "_meta": { "updated_at": "...", "version": 1 },
+  "entries": {
+    "GET /api/users": {
+      "method": "GET",
+      "path": "/api/users",
+      "params": ["page", "limit"],
+      "file": "src/routes/users.ts",
+      "description": "List users with pagination"
+    },
+    "CLI: dw-init": {
+      "method": "CLI",
+      "path": "dev-workflow init",
+      "params": ["--lang", "--force"],
+      "file": "bin/dev-workflow.js",
+      "description": "Scaffold .dw/ structure into a project"
+    }
+  }
+}
+```
+
+Field rules:
+- Key format: `"<METHOD> <PATH>"` for HTTP, `"CLI: <command>"` for CLI, `"GraphQL: <operation>"`, `"Handler: <event>"`, etc.
+- `method`: HTTP verb, or `"CLI"`, `"GraphQL"`, `"gRPC"`, `"Event"`, `"Subscription"`
+- `path`: the route/command/operation name
+- `params`: query/body/CLI flag names — array of strings
+- `file`: source path
+- `description`: one-line summary derived from the handler's first comment or function name
+
+If no API surfaces detected, write `{ "_meta": {...}, "entries": {} }` — never omit the file.
+
+## `deps.json`
+
+```json
+{
+  "_meta": { "updated_at": "...", "version": 1 },
+  "entries": {
+    "express": {
+      "version": "^4.18.0",
+      "type": "production",
+      "used_by": ["src/server.ts", "src/routes/users.ts"],
+      "invocation": "require"
+    },
+    "vitest": {
+      "version": "^2.0.0",
+      "type": "development",
+      "used_by": ["package.json#test"],
+      "invocation": "npm test"
+    }
+  }
+}
+```
+
+Field rules:
+- Key: package name (npm), distribution name (PyPI), package id (NuGet), crate name (crates.io)
+- `version`: semver range from manifest
+- `type`: `production` | `development` | `peer` | `optional`
+- `used_by`: array of file paths that import the dep (verified by Grep) OR npm-script keys for tooling deps
+- `invocation`:
+  - `require` if directly imported in code
+  - npm script command (`npm run lint`, `npm test`) if exercised via script
+  - `implicit` if a runtime/framework dep that's not directly imported (e.g., `react-dom` in a Next.js project)
+
+## `arch.md`
+
+```markdown
+---
+updated_at: "2026-05-06T12:34:56.789Z"
+---
+
+## Architecture Overview
+
+The project follows a layered architecture: HTTP routes → application services → repository layer → ORM → database.
+
+## Key Components
+
+| Component | Path | Responsibility |
+|-----------|------|----------------|
+| Server bootstrap | `src/server.ts` | Express app initialization + middleware wiring |
+| Route handlers | `src/routes/` | HTTP request validation and response shaping |
+| Application services | `src/services/` | Business logic, orchestration |
+| Repositories | `src/repositories/` | Data access via Prisma |
+| Schemas | `src/schemas/` | Zod validation schemas, shared with frontend |
+
+## Data Flow
+
+`HTTP request` → `route handler (validates with Zod)` → `service` → `repository (Prisma)` → `Postgres` → response
+
+## Conventions
+
+- File naming: kebab-case (`user-routes.ts`, `order-service.ts`)
+- Function naming: camelCase, verb-first (`createOrder`, `findUserById`)
+- Tests: co-located, `.test.ts` suffix
+- Imports: absolute via `@/` alias for cross-module, relative for sibling files
+```
+
+## `.last-refresh.json`
+
+```json
+{
+  "updated_at": "2026-05-06T12:34:56.789Z",
+  "files": {
+    "stack.json": "a3c8b1...",
+    "files.json": "f9e2d7...",
+    "apis.json": "1b4f8a...",
+    "deps.json": "5c2e6b...",
+    "arch.md": "9d7c3e..."
+  }
+}
+```
+
+Hashes are SHA-256 of file contents at the moment of refresh. Used by `/dw-map-codebase` to detect drift on the next run and decide whether a partial update is enough.
+
+## Validation rules
+
+When `intel-updater` finishes, all 5 files MUST satisfy:
+
+1. Valid JSON (parseable)
+2. `_meta.updated_at` is ISO-8601
+3. `_meta.version` is a positive integer
+4. All file paths in `files.json`, `apis.json`, `deps.json` exist on disk (or were excluded for known reasons)
+5. `exports` arrays contain only actual symbols (no descriptions, no spaces in entries)
+6. No secrets/credentials/tokens in any file