@clue-ai/cli 0.0.3 → 0.0.5

package/src/setup-prepare.mjs

@@ -0,0 +1,170 @@
+import { mkdir, writeFile } from "node:fs/promises";
+import { dirname, join, resolve } from "node:path";
+import {
+	buildSemanticWorkflowRequestFromFlags,
+	writeSemanticWorkflow,
+} from "./init-tool.mjs";
+import { runSetupDetect } from "./setup-detect.mjs";
+
+const DEFAULT_SETUP_MANIFEST_PATH = ".clue/setup-manifest.json";
+
+const writeJson = async ({ repoRoot, path, value }) => {
+	const absolutePath = join(resolve(repoRoot), path);
+	await mkdir(dirname(absolutePath), { recursive: true });
+	await writeFile(absolutePath, `${JSON.stringify(value, null, 2)}\n`, "utf8");
+};
+
+const firstCandidateOrBlocker = (detection) => {
+	if (!detection.detected || detection.candidates.length === 0) {
+		return {
+			candidate: null,
+			blockers: detection.blockers.length
+				? detection.blockers
+				: [
+						{
+							code: "NO_SETUP_CANDIDATE",
+							message: "No setup candidate was mechanically detected.",
+						},
+					],
+		};
+	}
+	return {
+		candidate: detection.candidates[0],
+		blockers: [],
+	};
+};
+
+const DEFAULT_SETUP_LIFECYCLE = [
+	"init",
+	"identify",
+	"set-account",
+	"logout",
+	"event-sent",
+];
+
+const buildWatchTargets = (detection, fallbackCandidate) => {
+	const frontendServices = Array.isArray(detection.services?.frontend)
+		? detection.services.frontend
+		: [];
+	const backendServices = Array.isArray(detection.services?.backend)
+		? detection.services.backend
+		: [
+				{
+					kind: "backend",
+					framework: fallbackCandidate.framework,
+					root_path: fallbackCandidate.backend_root_path,
+					service_key: fallbackCandidate.service_key,
+					local_url_candidates: [],
+				},
+			];
+	return [...frontendServices, ...backendServices].map((service) => ({
+		kind: service.kind,
+		framework: service.framework,
+		root_path: service.root_path,
+		service_key: service.service_key,
+		producer_id: service.service_key,
+		expected_lifecycle: DEFAULT_SETUP_LIFECYCLE,
+		local_url_candidates: service.local_url_candidates ?? [],
+		url_env_name:
+			service.kind === "frontend"
+				? `CLUE_LOCAL_${service.service_key.toUpperCase().replace(/[^A-Z0-9]+/g, "_")}_FRONTEND_URL`
+				: `CLUE_LOCAL_${service.service_key.toUpperCase().replace(/[^A-Z0-9]+/g, "_")}_BACKEND_URL`,
+	}));
+};
+
+export const runSetupPrepare = async ({
+	repoRoot,
+	target,
+	skillRoot,
+	setupManifestPath = DEFAULT_SETUP_MANIFEST_PATH,
+}) => {
+	const resolvedRepoRoot = resolve(repoRoot ?? ".");
+	const detection = await runSetupDetect({ repoRoot: resolvedRepoRoot });
+	const { candidate, blockers } = firstCandidateOrBlocker(detection);
+	if (!candidate) {
+		const manifest = {
+			status: "blocked",
+			target,
+			skill_root: skillRoot,
+			blockers,
+			detection,
+			ai_next_scope: "blocked_until_backend_routes_are_detected",
+			machine_owned_artifacts: [],
+			ai_owned_workstreams: [
+				"sdk_lifecycle_implementation_after_blockers_are_resolved",
+			],
+		};
+		await writeJson({
+			repoRoot: resolvedRepoRoot,
+			path: setupManifestPath,
+			value: manifest,
+		});
+		return manifest;
+	}
+
+	const request = buildSemanticWorkflowRequestFromFlags({
+		framework: candidate.framework,
+		backendRootPath: candidate.backend_root_path,
+		serviceKey: candidate.service_key,
+	});
+	const workflow = await writeSemanticWorkflow({
+		repoRoot: resolvedRepoRoot,
+		request,
+	});
+
+	const manifest = {
+		status: "ready_for_ai",
+		target,
+		skill_root: skillRoot,
+		detected: {
+			framework: candidate.framework,
+			backend_root_path: candidate.backend_root_path,
+			service_key: candidate.service_key,
+		},
+		service_identity: {
+			canonical_field: "service_key",
+			backend_env_name: "CLUE_SERVICE_KEY",
+			frontend_env_name: "NEXT_PUBLIC_CLUE_SERVICE_KEY",
+			producer_id_derivation: "producer_id defaults to service_key",
+		},
+		lifecycle_verification: {
+			watch_target_format:
+				"frontend:<service-key>[init,identify,set-account,logout,event-sent]=<frontend-url>,backend:<service-key>[init,identify,set-account,logout,event-sent]=<backend-url>",
+			rule:
+				"setup-watch --local uses the structured watch_targets below. Lifecycle checks are fixed for setup verification and are evaluated per service_key.",
+			watch_targets: buildWatchTargets(detection, candidate),
+		},
+		artifacts: {
+			ci_workflow_path: workflow.ci_workflow_path,
+			setup_manifest_path: setupManifestPath,
+			runtime_request_committed: false,
+		},
+		machine_owned_artifacts: [workflow.ci_workflow_path, setupManifestPath],
+		ai_must_not_edit: [workflow.ci_workflow_path],
+		ai_owned_workstreams: ["sdk_lifecycle_implementation"],
+		required_final_check: {
+			command:
+				`npx @clue-ai/cli setup-check --framework ${candidate.framework} ` +
+				`--backend-root-path ${candidate.backend_root_path} --repo . --target ${target} --require-sdk-lifecycle`,
+		},
+		required_env_names: [
+			"NEXT_PUBLIC_CLUE_SERVICE_KEY",
+			"NEXT_PUBLIC_CLUE_PROJECT_KEY",
+			"NEXT_PUBLIC_CLUE_ENVIRONMENT",
+			"NEXT_PUBLIC_CLUE_INGEST_ENDPOINT",
+			"CLUE_SERVICE_KEY",
+			"CLUE_API_KEY",
+			"AI_PROVIDER_API_KEY",
+			"CLUE_PROJECT_KEY",
+			"CLUE_ENVIRONMENT",
+			"CLUE_API_BASE_URL",
+			"CLUE_AI_MODEL",
+		],
+	};
+	await writeJson({
+		repoRoot: resolvedRepoRoot,
+		path: setupManifestPath,
+		value: manifest,
+	});
+	return manifest;
+};

package/src/setup-tool.mjs

@@ -3,139 +3,256 @@ import { join, resolve } from "node:path";
 import readline from "node:readline/promises";
 
 const SKILL_NAMES = [
-  "clue-route-semantic-snapshot",
-  "clue-semantic-ci",
-  "clue-sdk-instrumentation",
-  "clue-setup-audit",
-  "clue-local-verification",
-  "clue-setup-report",
+	"clue-setup-orchestrator",
+	"clue-route-semantic-snapshot",
+	"clue-semantic-ci",
+	"clue-sdk-instrumentation",
+	"clue-setup-audit",
+	"clue-local-verification",
+	"clue-setup-report",
 ];
 
 const TARGETS = new Set(["codex", "claude_code"]);
 
 const TARGET_SKILL_ROOTS = {
-  codex: [".agents", "skills"],
-  claude_code: [".claude", "skills"],
+	codex: [".agents", "skills"],
+	claude_code: [".claude", "skills"],
 };
 
 const normalizeTarget = (target) => {
-  const normalized = String(target ?? "").trim().toLowerCase().replace(/[\s-]+/g, "_");
-  if (!TARGETS.has(normalized)) {
-    throw new Error("target must be codex or claude_code");
-  }
-  return normalized;
+	const normalized = String(target ?? "")
+		.trim()
+		.toLowerCase()
+		.replace(/[\s-]+/g, "_");
+	if (!TARGETS.has(normalized)) {
+		throw new Error("AIツールは codex または claude_code を指定してください");
+	}
+	return normalized;
 };
 
 const skillBody = (name) => {
-  const descriptions = {
-    "clue-route-semantic-snapshot":
-      "Use when analyzing backend routes, handlers, controllers, or endpoints to create privacy-safe Clue semantic snapshots.",
-    "clue-semantic-ci":
-      "Use when adding or updating Clue semantic snapshot CI for this repository.",
-    "clue-sdk-instrumentation":
-      "Use when adding ClueInit, ClueIdentify, ClueSetAccount, and ClueLogout lifecycle calls to a customer repository.",
-    "clue-setup-audit":
-      "Use when reviewing Clue setup changes for missing lifecycle calls, unsafe instrumentation, leaked secrets, or bad insertion points.",
-    "clue-local-verification":
-      "Use when verifying local Clue setup artifacts before checking event delivery in the Clue setup screen.",
-    "clue-setup-report":
-      "Use when producing the final Clue setup report with changed files, blockers, env names, and next steps.",
-  };
+	const descriptions = {
+		"clue-setup-orchestrator":
+			"Use first when running the full Clue setup so one execution agent per implementation workstream and multiple monitoring agents coordinate separate setup phases.",
+		"clue-route-semantic-snapshot":
+			"Use when checking backend route coverage and semantic snapshot readiness without hand-authoring generated snapshot files.",
+		"clue-semantic-ci":
+			"Use when adding or updating Clue semantic snapshot CI for this repository.",
+		"clue-sdk-instrumentation":
+			"Use when adding ClueInit, ClueIdentify, ClueSetAccount, and ClueLogout lifecycle calls to a customer repository.",
+		"clue-setup-audit":
+			"Use when reviewing Clue setup changes for missing lifecycle calls, unsafe instrumentation, leaked secrets, or bad insertion points.",
+		"clue-local-verification":
+			"Use when verifying local Clue setup artifacts before checking event delivery in the Clue setup screen.",
+		"clue-setup-report":
+			"Use when producing the final Clue setup report with changed files, blockers, env names, and next steps.",
+	};
 
-  const steps = {
-    "clue-route-semantic-snapshot": [
-      "Inspect only allowed source paths.",
-      "Identify route, handler, controller, and endpoint behavior from privacy-safe evidence.",
-      "Create semantic snapshot inputs without raw source, secrets, prompts, or completions.",
-      "Report unresolved routes as blockers instead of guessing.",
-    ],
-    "clue-semantic-ci": [
-      "Create or update `.github/workflows/clue-semantic-snapshot.yml`.",
-      "Use `npx @clue-ai/cli semantic-ci --request .clue/semantic-request.runtime.json --repo .`.",
-      "Reference GitHub Secrets and Variables by name only.",
-      "Do not print or commit secret values.",
-    ],
-    "clue-sdk-instrumentation": [
-      "Find the app/bootstrap entrypoint and add ClueInit only when the location is clear.",
-      "Find login success handling and add ClueIdentify only when the user identity is available.",
-      "Find account, workspace, organization, or tenant resolution and add ClueSetAccount only when the subject is available.",
-      "Find logout/sign-out completion and add ClueLogout only when the session reset point is clear.",
-      "Skip unclear lifecycle points and report blockers.",
-    ],
-    "clue-setup-audit": [
-      "Review changed files line by line.",
-      "Reject broad ClueTrack instrumentation and DOM clue tags.",
-      "Confirm no project key, API key, secret, or env value appears in diff or report.",
-      "Confirm lifecycle insertions are minimal and reviewable.",
-    ],
-    "clue-local-verification": [
-      "Confirm generated skill files exist.",
-      "Confirm workflow files and SDK lifecycle imports/calls exist when those phases have run.",
-      "Confirm only env names are reported.",
-      "Leave event delivery verification to the Clue setup screen.",
-    ],
-    "clue-setup-report": [
-      "Summarize changed files.",
-      "List completed setup phases.",
-      "List blockers with exact file or environment names when available.",
-      "List required env names without values.",
-      "State that commit and push were not performed.",
-    ],
-  };
+	const steps = {
+		"clue-setup-orchestrator": [
+			"Use one execution agent per implementation workstream.",
+			"Each execution agent owns exactly one workstream and its tests.",
+			"Required execution agents: SDK Lifecycle Execution Agent, Semantic Snapshot Readiness Execution Agent, and Semantic Snapshot CI Execution Agent.",
+			"Run execution agents in parallel only when file ownership does not conflict; otherwise run them sequentially with monitor gates between workstreams.",
+			"Use multiple monitoring agents for read-only checks, or named review passes if subagents are unavailable.",
+			"The initial `clue-ai setup` command already performs repository discovery, semantic CI workflow generation, and setup manifest generation when backend routes can be detected.",
+			"Before implementation, read `.clue/setup-manifest.json` and treat it as the mechanical setup source of truth.",
+			"If `.clue/setup-manifest.json` has status `blocked`, stop and report its blockers instead of guessing.",
+			"Treat only semantic snapshot readiness, semantic snapshot CI, and SDK lifecycle implementation as implementation workstreams with execution agents.",
+			"Before each workstream, read and apply the matching Clue setup skill.",
+			"After each implementation workstream, run a monitoring check with `clue-setup-audit` before continuing.",
+			"For final local verification, read and apply `clue-local-verification`.",
+			"For the final report, read and apply `clue-setup-report`.",
+			"Do not continue past P0/P1 monitoring findings until fixed or reported as blocked.",
+		],
+		"clue-route-semantic-snapshot": [
+			"Use this skill as the source of truth for semantic snapshot readiness and route coverage verification.",
+			"Do not hand-author semantic snapshot content files.",
+			"Do not create or commit `.clue/semantic-request.runtime.json`; the semantic CI request must be passed through the generated workflow environment instead of a repository file.",
+			"Keep route coverage/readiness checks separate from CI workflow creation and SDK lifecycle implementation.",
+			"Do not create CI workflow files or SDK lifecycle calls from this skill.",
+			"Do not create or commit `.clue/semantic-routes.json`; route inventory is dynamic and must be recomputed mechanically by `clue-ai semantic-inventory`, `clue-ai setup-check`, or `clue-ai semantic-ci`.",
+			"If route inventory must be inspected locally, run `npx @clue-ai/cli semantic-inventory --framework <framework> --backend-root-path <path> --repo .` and review stdout instead of writing a repo file.",
+			"Inspect only allowed source paths.",
+			"Identify the backend framework, backend root path, route files, controllers, handlers, and route declaration patterns from privacy-safe evidence.",
+			"Run `npx @clue-ai/cli semantic-inventory --framework <framework> --backend-root-path <path> --repo .` whenever possible to verify route discovery without AI or secrets.",
+			"If `npx` cannot be used in the current environment, use the local `clue-ai semantic-inventory` command equivalent.",
+			"Verify that every API route can be discovered from the selected backend root path and that unsupported frameworks are reported as blockers.",
+			"The semantic snapshot CI command must mechanically enumerate operation_source_key, method, path_template, route fingerprints, and privacy-safe evidence before AI interpretation.",
+			"AI interpretation may summarize each mechanically discovered route, but it must not create missing routes or operation_source_key values.",
+			"The expected generated snapshot structure includes route entries with operation_source_key, method/path_template when available, route_summary, route_confidence, confidence_reason, and source_evidence_refs.",
+			"The expected generated snapshot structure includes layer_evidence for data effects, side effects, validation, permissions, failures, and component fingerprints when available.",
+			"The expected generated snapshot structure includes operation_effects only when target object evidence and domain behavior evidence are sufficient.",
+			"The expected generated snapshot structure preserves unresolved_operation_effects with missing_context instead of fabricating unknown operation effects.",
+			"Report route coverage gaps, unsupported backend frameworks, and unclear backend roots as blockers instead of guessing.",
+		],
+		"clue-semantic-ci": [
+			"Use this skill as the source of truth for semantic snapshot CI workflow format.",
+			"Keep CI workflow creation separate from route coverage/readiness checks and SDK lifecycle implementation.",
+			"Do not author semantic snapshot content, runtime request files, or SDK lifecycle calls from this skill.",
+			"Treat `.github/workflows/clue-semantic-snapshot.yml` as a machine-owned artifact generated by `clue-ai setup`; do not hand-edit it.",
+			"Create or update `.github/workflows/clue-semantic-snapshot.yml` only by running `npx @clue-ai/cli semantic-workflow --framework <framework> --backend-root-path <path> --repo .` when it must be refreshed.",
+			"If `npx` cannot be used in the current environment, use the local `clue-ai semantic-workflow` command equivalent instead of hand-writing the workflow.",
+			"The workflow must pass `CLUE_SEMANTIC_REQUEST_JSON` through the workflow environment and then call `npx @clue-ai/cli semantic-ci --request-env CLUE_SEMANTIC_REQUEST_JSON --repo .`.",
+			"Do not create, commit, or stage `.clue/semantic-request.runtime.json` in the customer repository.",
+			"The workflow must not send GitHub actor, triggering_actor, sender, repository owner, repository name, or default branch to Clue.",
+			"The workflow should send only repository id, commit sha, workflow run id, project key variable, service key, framework, source path allowlist, source path denylist, Clue API base URL variable, and AI model variable.",
+			"Use minimal GitHub permissions and checkout without persisted credentials when generating the workflow.",
+			"Reference GitHub Secrets and Variables by name only.",
+			"Required secrets are `CLUE_API_KEY` and `AI_PROVIDER_API_KEY`.",
+			"Required variables are `CLUE_PROJECT_KEY`, `CLUE_ENVIRONMENT`, `CLUE_API_BASE_URL`, and optionally `CLUE_AI_MODEL`.",
+			"Do not print or commit secret values.",
+		],
+		"clue-sdk-instrumentation": [
+			"Use this skill as the source of truth for Clue SDK lifecycle implementation.",
+			"Keep SDK lifecycle implementation separate from semantic snapshot and CI workflow work.",
+			"Do not create semantic snapshot content or semantic snapshot CI workflow files from this skill.",
+			"Do not create no-op wrappers around nonexistent `window.Clue*` globals or local placeholder functions.",
+			"Lifecycle calls must resolve to real Clue SDK imports or a real repository adapter that forwards to the Clue SDK.",
+			"Every Clue lifecycle call must be failure-isolated with try/catch, try/except, `.catch`, or an explicit safe Clue helper so Clue failure never stops the host service.",
+			"Never await a Clue lifecycle call in a way that can block login, logout, account selection, request handling, page rendering, or API responses.",
+			"Add or report the required SDK dependency instead of fabricating lifecycle APIs.",
+			"When lifecycle edits are clear, write an exact replacement plan to a temporary local JSON file and apply it with `npx @clue-ai/cli lifecycle-apply --plan <plan-file> --repo .`.",
+			"If `npx` cannot be used in the current environment, use the local `clue-ai lifecycle-apply` command equivalent instead of manually applying the exact replacements.",
+			"Delete the temporary lifecycle plan file after applying it unless the user explicitly asks to keep it for review.",
+			"Use environment variable names for Clue configuration values; do not paste project keys or API keys into code.",
+			"For browser code, use `NEXT_PUBLIC_CLUE_PROJECT_KEY`, `NEXT_PUBLIC_CLUE_ENVIRONMENT`, and `NEXT_PUBLIC_CLUE_INGEST_ENDPOINT`.",
+			"For FastAPI code, add `clue-fastapi-sdk` to the backend dependency file when missing, import `clue_init_fastapi` plus `ClueIdentify`, `ClueSetAccount`, and `ClueLogout` where needed, and use `CLUE_PROJECT_KEY`, `CLUE_ENVIRONMENT`, `CLUE_API_KEY`, and `CLUE_INGEST_ENDPOINT`.",
+			"Use `CLUE_SERVICE_KEY` as the canonical local service identifier. Do not ask the user to manage a separate producer id; SDKs should send producer id as the service key for setup verification compatibility.",
+			"For frontend code, pass `serviceKey: process.env.NEXT_PUBLIC_CLUE_SERVICE_KEY` to `ClueInit`. Do not require a separate `NEXT_PUBLIC_CLUE_PRODUCER_ID` unless the repository already has one for compatibility.",
+			"For Django code, add `clue-django-sdk` to the backend dependency file when missing and use the Django SDK lifecycle helpers.",
+			"For other backend frameworks, use the matching Clue backend SDK if one exists; if no backend SDK exists, report a blocker instead of silently frontend-only setup.",
+			"Do not send raw email, raw person names, tokens, workspace names, organization names, or tenant names as lifecycle traits unless the repository already has an explicit Clue privacy policy allowing them.",
+			"Prefer stable ids and non-PII booleans/counts for ClueIdentify and ClueSetAccount traits.",
+			"Find the app/bootstrap entrypoint and add ClueInit only when the location is clear.",
+			"Place ClueInit in a stable app bootstrap, SDK adapter, or client singleton; do not place ClueInit inside React component lifecycle hooks, page components, sidebars, login/register success callbacks, or other paths that can run repeatedly.",
+			"If the repository needs lifecycle calls from UI hooks, import a shared initialized Clue adapter instead of calling ClueInit again.",
+			"Find every clear frontend and backend login success path and add ClueIdentify to every one when the user identity is available.",
+			"Find every clear frontend and backend account, workspace, organization, or tenant resolution path and add ClueSetAccount to every one when the subject is available.",
+			"Find every clear frontend and backend logout/sign-out/session reset completion path and add ClueLogout to every one when the reset point is clear.",
+			"Skip unclear lifecycle points and report blockers.",
+		],
+		"clue-setup-audit": [
+			"Act as a read-only monitoring agent, not the execution agent.",
+			"Check one completed workstream at a time and report P0/P1 issues before more implementation continues.",
+			"Review changed files line by line.",
+			"Verify semantic snapshot, semantic CI, and SDK lifecycle responsibilities did not bleed into each other.",
+			"Reject hand-authored semantic snapshot content and runtime request files.",
+			"Reject semantic CI workflows that were not generated by or equivalent to `clue-ai semantic-workflow`.",
+			"Reject semantic CI workflows that send GitHub actor, triggering_actor, sender, repository owner, repository name, or default branch to Clue.",
+			"Reject no-op lifecycle wrappers or lifecycle calls that do not resolve to a real Clue SDK import.",
+			"Reject backend setup when backend routes exist but no backend Clue SDK dependency/import/init was added.",
+			"Reject lifecycle calls that are not failure-isolated; Clue failure must never stop the host service.",
+			"Reject setup that covers only one login path when multiple login success paths are clearly present.",
+			"Reject ClueInit inside React component lifecycle hooks, page components, sidebars, login/register success callbacks, or any repeated user interaction path.",
+			"Reject broad ClueTrack instrumentation and DOM clue tags.",
+			"Confirm no project key, API key, secret, or env value appears in diff or report.",
+			"Confirm lifecycle insertions are minimal and reviewable.",
+		],
+		"clue-local-verification": [
+			"Act as a read-only monitoring agent for local verification evidence.",
+			"Verify each workstream independently before the final setup report.",
+			"Confirm generated skill files exist.",
+			"Confirm workflow files and SDK lifecycle imports/calls exist when those phases have run.",
+			"Confirm backend routes have a backend Clue SDK dependency/import/init when a backend exists.",
+			"Confirm `.github/workflows/clue-semantic-snapshot.yml` calls `npx @clue-ai/cli semantic-ci --request-env CLUE_SEMANTIC_REQUEST_JSON`.",
+			"Confirm the semantic workflow does not send GitHub actor, triggering_actor, sender, repository owner, repository name, or default branch to Clue.",
+			"Confirm `.clue/semantic-request.runtime.json` is not created, committed, or staged.",
+			"Run `npx @clue-ai/cli setup-check --framework <framework> --backend-root-path <path> --repo . --target <codex|claude_code> --require-sdk-lifecycle` when possible.",
+			"For interactive local verification, run `npx @clue-ai/cli setup-watch --project-key <project-key> --environment <environment> --clue-api-base-url <clue-api-base-url> --watch-targets frontend:<service-key>[init,identify,set-account,event-sent]=<frontend-url>,backend:<service-key>[init,identify,set-account,logout,event-sent]=<backend-url>` and operate every local frontend/backend service until all expected checks pass.",
+			"Only include lifecycle checks that the implementation ownership plan expects for that service. If a service emits an undeclared lifecycle event, treat it as a possible duplicate instrumentation issue.",
+			"Never assume localhost ports. Ask the repository scripts, env examples, or the running service output for the actual frontend/backend URLs.",
+			"If `npx` cannot be used in the current environment, use the local `clue-ai setup-check` command equivalent.",
+			"Confirm only env names are reported.",
+			"Leave event delivery verification to the Clue setup screen.",
+		],
+		"clue-setup-report": [
+			"Use this skill only after execution and monitoring passes are finished.",
+			"Summarize changed files.",
+			"List completed setup phases.",
+			"List skills used for each workstream.",
+			"List execution agent and monitoring agents, or named review passes if subagents were unavailable.",
+			"List blockers with exact file or environment names when available.",
+			"List required env names without values.",
+			"List P0/P1 monitoring findings and fixes.",
+			"State that commit and push were not performed.",
+		],
+	};
 
-  return [
-    "---",
-    `name: ${name}`,
-    `description: ${descriptions[name]}`,
-    "---",
-    "",
-    "# Rules",
-    "",
-    "- Do not expose project keys, API keys, secrets, tokens, or environment variable values.",
-    "- Do not commit or push changes.",
-    "- Prefer existing repository patterns and minimal diffs.",
-    "- If evidence is unclear, report a blocker instead of guessing.",
-    "",
-    "# Workflow",
-    "",
-    ...steps[name].map((step, index) => `${index + 1}. ${step}`),
-    "",
-  ].join("\n");
+	return [
+		"---",
+		`name: ${name}`,
+		`description: ${descriptions[name]}`,
+		"---",
+		"",
+		"# Rules",
+		"",
+		"- For full Clue setup, use one execution agent per implementation workstream and multiple monitoring agents for read-only checks.",
+		"- The full setup must start with `clue-setup-orchestrator`.",
+		"- Each execution agent owns exactly one workstream; monitoring agents review one workstream at a time and report P0/P1 issues.",
+		"- Do not continue past a P0/P1 monitoring finding until it is fixed or explicitly reported as blocked.",
+		"- If subagents are unavailable, run the same structure as separate named review passes and say so in the final report.",
+		"- Do not expose project keys, API keys, secrets, tokens, or environment variable values.",
+		"- Do not ask the user to paste secret values.",
+		"- Do not read `.env`, `.env.*`, secret files, logs, dumps, build output, coverage output, `node_modules`, vendor directories, dependency directories, or dependency output.",
+		"- Report only environment variable names, never values.",
+		"- Do not commit or push changes.",
+		"- Prefer existing repository patterns and minimal diffs.",
+		"- If evidence is unclear, report a blocker instead of guessing.",
+		"- Do not merge semantic snapshot, semantic CI, SDK lifecycle, audit, verification, and report responsibilities into one undifferentiated task.",
+		"",
+		"# Workflow",
+		"",
+		...steps[name].map((step, index) => `${index + 1}. ${step}`),
+		"",
+	].join("\n");
 };
 
-const askTarget = async ({ input = process.stdin, output = process.stdout } = {}) => {
-  const rl = readline.createInterface({ input, output });
-  try {
-    const answer = await rl.question("Use Clue setup skills for which AI tool? [codex/claude_code] ");
-    return normalizeTarget(answer);
-  } finally {
-    rl.close();
-  }
+const askTarget = async ({
+	input = process.stdin,
+	output = process.stdout,
+} = {}) => {
+	const rl = readline.createInterface({ input, output });
+	try {
+		const answer = await rl.question(
+			"ClueのセットアップSkillsをどのAIツールに追加しますか？ [codex/claude_code] ",
+		);
+		return normalizeTarget(answer);
+	} finally {
+		rl.close();
+	}
 };
 
 export const installSetupSkills = async ({
-  repoRoot,
-  target,
-  input,
-  output,
+	repoRoot,
+	target,
+	input,
+	output,
 } = {}) => {
-  const resolvedTarget = target ? normalizeTarget(target) : await askTarget({ input, output });
-  const resolvedRepoRoot = resolve(repoRoot ?? ".");
-  const skillRoot = join(resolvedRepoRoot, ...TARGET_SKILL_ROOTS[resolvedTarget]);
-  const installed = [];
+	const resolvedTarget = target
+		? normalizeTarget(target)
+		: await askTarget({ input, output });
+	const resolvedRepoRoot = resolve(repoRoot ?? ".");
+	const skillRoot = join(
+		resolvedRepoRoot,
+		...TARGET_SKILL_ROOTS[resolvedTarget],
+	);
+	const installed = [];
 
-  for (const skillName of SKILL_NAMES) {
-    const skillDir = join(skillRoot, skillName);
-    const skillPath = join(skillDir, "SKILL.md");
-    await mkdir(skillDir, { recursive: true });
-    await writeFile(skillPath, skillBody(skillName), "utf8");
-    installed.push(skillPath);
-  }
+	for (const skillName of SKILL_NAMES) {
+		const skillDir = join(skillRoot, skillName);
+		const skillPath = join(skillDir, "SKILL.md");
+		await mkdir(skillDir, { recursive: true });
+		await writeFile(skillPath, skillBody(skillName), "utf8");
+		installed.push(skillPath);
+	}
 
-  return {
-    target: resolvedTarget,
-    skill_root: join(...TARGET_SKILL_ROOTS[resolvedTarget]),
-    skills: SKILL_NAMES,
-    installed_files: installed.map((path) => path.replace(`${resolvedRepoRoot}/`, "")),
-  };
+	return {
+		target: resolvedTarget,
+		skill_root: join(...TARGET_SKILL_ROOTS[resolvedTarget]),
+		skills: SKILL_NAMES,
+		installed_files: installed.map((path) =>
+			path.replace(`${resolvedRepoRoot}/`, ""),
+		),
+	};
 };

package/bin/clue-tool.mjs

@@ -1,83 +0,0 @@
-#!/usr/bin/env node
-import { readFile } from "node:fs/promises";
-import { resolve } from "node:path";
-import { commandSpecs } from "../src/command-spec.mjs";
-import { runInitTool } from "../src/init-tool.mjs";
-import { runSemanticCi } from "../src/semantic-ci.mjs";
-import { installSetupSkills } from "../src/setup-tool.mjs";
-
-const parseArgs = (argv) => {
-  const [command = "help", ...tokens] = argv;
-  const flags = new Map();
-  for (let index = 0; index < tokens.length; index += 1) {
-    const token = tokens[index];
-    if (!token.startsWith("--")) continue;
-    const key = token.slice(2);
-    const next = tokens[index + 1];
-    if (next && !next.startsWith("--")) {
-      flags.set(key, next);
-      index += 1;
-    } else {
-      flags.set(key, true);
-    }
-  }
-  return { command, flags };
-};
-
-const readJson = async (path) => JSON.parse(await readFile(path, "utf8"));
-
-const usage = () => [
-  "Usage:",
-  "  /clue-init",
-  "  clue-ai setup",
-  "  clue-ai init --request clue-init-request.json --repo .",
-  "  clue-ai semantic-ci --request clue-semantic-request.json --repo .",
-].join("\n");
-
-const main = async () => {
-  const { command, flags } = parseArgs(process.argv.slice(2));
-  if (command === "help" || flags.has("help")) {
-    process.stdout.write(`${usage()}\n`);
-    return;
-  }
-
-  if (command === "commands") {
-    process.stdout.write(`${JSON.stringify({ commands: commandSpecs }, null, 2)}\n`);
-    return;
-  }
-
-  const requestPath = flags.get("request");
-  const repoRoot = resolve(String(flags.get("repo") || "."));
-  if (command === "setup") {
-    const report = await installSetupSkills({
-      repoRoot,
-      target: typeof flags.get("target") === "string" ? flags.get("target") : undefined,
-    });
-    process.stdout.write(`${JSON.stringify(report, null, 2)}\n`);
-    return;
-  }
-
-  if (typeof requestPath !== "string") {
-    throw new Error("--request is required");
-  }
-  const request = await readJson(resolve(requestPath));
-
-  if (command === "init") {
-    const report = await runInitTool({ repoRoot, request });
-    process.stdout.write(`${JSON.stringify(report, null, 2)}\n`);
-    return;
-  }
-
-  if (command === "semantic-ci") {
-    const result = await runSemanticCi({ repoRoot, request, env: process.env });
-    process.stdout.write(`${JSON.stringify(result, null, 2)}\n`);
-    return;
-  }
-
-  throw new Error(`Unknown command: ${command}\n${usage()}`);
-};
-
-main().catch((error) => {
-  process.stderr.write(`${error instanceof Error ? error.message : String(error)}\n`);
-  process.exitCode = 1;
-});