@curdx/flow 2.3.11 → 3.1.0

package/skills/review/references/stage-execution.md

@@ -1,32 +0,0 @@
-# Review Stages — Core Two-Pass Protocol
-
-## Stage 1 — Spec Compliance
-
-Dispatch `flow-reviewer` in Stage 1 mode. It verifies:
-
-- every relevant `US`, `AC`, `FR`, and `NFR` in `requirements.md`
-- architecture decisions in `design.md`
-- `tasks.md` completion claims versus actual code
-- conventional commits versus declared task completion
-
-Output: the Stage 1 section of the review report with compliance gaps and
-evidence.
-
-## Stage 2 — Code Quality
-
-Dispatch `flow-reviewer` in Stage 2 mode. It checks:
-
-- naming, comments, and structure
-- error handling completeness
-- test quality and coverage
-- performance and resource concerns
-- security smells
-- Karpathy 4 principles
-
-Output: the Stage 2 section of the review report with prioritized findings.
-
-## Sequencing
-
-- `--stage=1` -> run only Stage 1
-- `--stage=2` -> run only Stage 2
-- `--stage=both` -> Stage 1 first, then Stage 2

package/skills/security-audit/SKILL.md

@@ -1,47 +0,0 @@
----
-name: security-audit
-description: Use when the user needs security review of code, specs, credentials, sensitive data, or dependency risk.
-when_to_use: Triggers on "security", "auth", "authentication", "credential", "password", "secret", "API key", "token", "OWASP", "STRIDE", "CVE", "vulnerability", "injection", "XSS", "CSRF", "SSRF", "SQL injection", "hardcoded secret", "sensitive data", "leak", "will my API key leak", "is this safe".
-argument-hint: "[scope] [--depth=<owasp|stride|full>]"
-context: fork
-agent: flow-security-auditor
-paths:
-  - "**/*.{js,jsx,ts,tsx,py,rb,go,java,kt,php,cs,rs,swift,sql,sh}"
-  - "**/*.{json,yml,yaml,toml,tf,hcl,conf,ini}"
-  - "**/.env*"
-  - "**/Dockerfile*"
-  - ".github/workflows/**"
-  - ".gitlab-ci.yml"
-  - "docker-compose*.yml"
-  - "k8s/**"
-  - "helm/**"
-  - "infra/**"
-  - "terraform/**"
----
-
-# Security Audit
-
-This skill orchestrates scoped security review. Keep the entrypoint focused on
-scope/depth selection, required audit outputs, and the blocking gate. Detailed
-rules live in:
-
-- `references/scope-and-depth.md`
-- `references/audit-contract.md`
-- `references/gate-handoff.md`
-
-## Scope and Depth
-
-Use `references/scope-and-depth.md` to confirm:
-
-- scope
-- audit depth
-- risk tolerance
-
-## Audit Contract
-
-`flow-security-auditor` should follow `references/audit-contract.md`.
-
-## Gate and Handoff
-
-Blocking semantics and next-step routing live in
-`references/gate-handoff.md`.

package/skills/security-audit/references/audit-contract.md

@@ -1,21 +0,0 @@
-# Security Audit Contract — What the Auditor Must Produce
-
-`flow-security-auditor` should:
-
-1. scan for secrets, weak crypto, and unsafe inputs
-2. apply OWASP Top 10
-3. apply STRIDE threat modeling when requested
-4. run dependency CVE scanning
-5. label findings by severity
-
-## Required Artifact
-
-- `.flow/specs/<active>/security-audit.md`
-
-The report should include:
-
-- SR (blocking)
-- SW (warning)
-- SM (mandatory baseline)
-- CVE hits
-- concrete fixes

package/skills/security-audit/references/gate-handoff.md

@@ -1,8 +0,0 @@
-# Security Gate Handoff — Blocking Rules and Next Steps
-
-Apply `@${CLAUDE_PLUGIN_ROOT}/gates/security-gate.md`.
-
-- if any SR findings exist, block completion until remediated or explicitly
-  waived with a D-NN decision in `STATE.md`
-- if findings are advisory only, hand off `security-audit.md` as evidence for
-  later implementation or review work

package/skills/security-audit/references/scope-and-depth.md

@@ -1,9 +0,0 @@
-# Security Scope and Depth — Confirm the Audit Shape
-
-Before dispatching, confirm:
-
-- scope: current spec, specific path, or whole repo
-- depth: `owasp`, `stride`, or `full`
-- risk tolerance: blocking vs advisory
-
-The positional first argument is the scope. Depth stays in `--depth=...`.

package/skills/spec/SKILL.md

@@ -1,100 +0,0 @@
----
-name: spec
-description: Generate or refresh research, requirements, design, and tasks for the active spec.
-when_to_use: Use when the user wants to generate, resume, regenerate, or review a feature spec across research, requirements, design, and task planning.
-argument-hint: "[--phase=<X[,Y,...]>] [--until=<X>] [--review[=<dim[,dim]>]] [--regenerate] [--resume]"
-disable-model-invocation: true
-allowed-tools: [Read, Write, Bash, Agent, AskUserQuestion]
----
-
-# Generate or Refresh the Active Spec
-
-This command writes `research.md`, `requirements.md`, `design.md`, and
-`tasks.md` into `.flow/specs/<active-spec>/`.
-
-Keep this entrypoint focused on phase selection and orchestration. Detailed
-phase prompts and landing checks live in:
-
-- `references/preflight-and-routing.md`
-- `references/phase-execution.md`
-- `references/artifact-landing.md`
-- `references/planning-review.md`
-- `references/reporting.md`
-
-## Flags
-
-| Flag | Default | Purpose |
-|------|---------|---------|
-| `--phase=<X[,Y]>` | (inferred from `.state.json`) | Run only the listed phase(s). `X ∈ {research, requirements, design, tasks}`. Accepts comma-separated list. |
-| `--until=<X>` | (none) | Run from the current phase forward, stopping after `X`. Mutually exclusive with `--phase`. |
-| `--review[=<dim[,dim]>]` | (not run) | After phases complete, run a planning review. `dim ∈ {ceo, eng, design, dx, all}`. Bare `--review` = `--review=all`. |
-| `--regenerate` | (resume) | Wipe existing phase output for the targeted phases and rebuild from scratch. |
-| `--resume` | (default) | Continue from `.state.json.phase`. This is the default when no flag is given. |
-
-## Preflight
-
-Use `references/preflight-and-routing.md` for:
-
-- `.flow/`, active spec, and `.state.json` checks
-- flag parsing and invalid flag combinations
-- ordered phase routing and `--regenerate` scope resolution
-
-## Phase Resolution
-
-The ordered pipeline is still `research -> requirements -> design -> tasks`.
-The exact routing rules and stopping points are defined in
-`references/preflight-and-routing.md`.
-
-## Phase Dispatch
-
-Phase-specific prompts, mandatory output protocols, and post-phase state updates
-live in `references/phase-execution.md`.
-
-Use this phase-to-agent mapping:
-
-| Phase | Agent | Output |
-|-------|-------|--------|
-| `research` | `flow-researcher` | `research.md` |
-| `requirements` | `flow-product-designer` | `requirements.md` |
-| `design` | `flow-architect` | `design.md` |
-| `tasks` | `flow-planner` | `tasks.md` |
-
-After each dispatch, run the landing guard from
-`references/artifact-landing.md`. Never advance phase state based only on the
-agent's narrative response.
-
-## Optional Planning Review
-
-If `--review` is present, use the dimension-expansion and aggregation protocol
-from `references/planning-review.md`.
-
-The review output lands at:
-
-- `.flow/specs/<active>/spec-review.md`
-
-## Reporting
-
-Use `references/reporting.md` for the final user-visible summary and next-step
-handoff.
-
-## Common Invocations
-
-```text
-/curdx-flow:spec
-/curdx-flow:spec --phase=design
-/curdx-flow:spec --phase=design,tasks
-/curdx-flow:spec --until=design
-/curdx-flow:spec --review
-/curdx-flow:spec --review=eng,dx
-/curdx-flow:spec --regenerate
-/curdx-flow:spec --regenerate --phase=tasks
-```
-
-## References
-
-- Agents: `@${CLAUDE_PLUGIN_ROOT}/agents/flow-researcher.md`,
-  `flow-product-designer.md`, `flow-architect.md`, `flow-planner.md`,
-  `flow-ux-designer.md`
-- Knowledge: `@${CLAUDE_PLUGIN_ROOT}/knowledge/spec-driven-development.md`,
-  `poc-first-workflow.md`
-- Preamble: `@${CLAUDE_PLUGIN_ROOT}/agent-preamble/preamble.md`

package/skills/spec/references/artifact-landing.md

@@ -1,31 +0,0 @@
-# Artifact Landing Check — Mandatory After Every Phase
-
-Sub-agent responses can be truncated before the `Write` tool call happens. Do
-not trust the agent response alone.
-
-## Landing Guard
-
-```bash
-ARTIFACT=".flow/specs/$SPEC_NAME/<phase>.md"
-if [ ! -f "$ARTIFACT" ]; then
-  echo "⚠ $ARTIFACT did not land. Re-dispatching <phase> agent with an explicit 'write the file' prompt."
-fi
-
-if [ -f "$ARTIFACT" ] && [ "$(wc -c < "$ARTIFACT" | tr -d ' ')" -lt 500 ]; then
-  echo "⚠ $ARTIFACT looks truncated (<500 bytes). Re-dispatching to complete it."
-fi
-```
-
-## Re-dispatch Rule
-
-If the artifact is missing or obviously truncated, front-load the retry prompt
-with:
-
-```text
-Your ONLY job is to call the Write tool with the full <phase>.md content now.
-Do not explain. Do not narrate. Write the file and stop.
-```
-
-Only advance `.state.json.phase` after the file exists and passes the size
-sanity check. If a second dispatch still fails, stop and surface the problem to
-the user rather than silently continuing.

package/skills/spec/references/phase-execution.md

@@ -1,50 +0,0 @@
-# Phase Execution — Dispatch Contracts
-
-Each phase writes exactly one artifact. The file is the deliverable; agent
-commentary is not.
-
-Shared runtime references:
-
-- `${CLAUDE_PLUGIN_ROOT}/knowledge/artifact-output-discipline.md`
-- `${CLAUDE_PLUGIN_ROOT}/knowledge/artifact-summary-contracts.md`
-
-## Phase Map
-
-| Phase | Agent | Inputs | Output |
-|-------|-------|--------|--------|
-| `research` | `flow-researcher` | spec goal + one-line description from `.state.json` | `research.md` |
-| `requirements` | `flow-product-designer` | `research.md` | `requirements.md` |
-| `design` | `flow-architect` | `research.md` + `requirements.md` | `design.md` |
-| `tasks` | `flow-planner` | all prior artifacts + `.flow/PROJECT.md` | `tasks.md` |
-
-## Shared Dispatch Rule
-
-Every phase dispatch must explicitly enforce the same two rules:
-
-1. The first substantive action is the `Write` call for the final artifact.
-2. After the write lands, emit only the matching summary contract from
-   `${CLAUDE_PLUGIN_ROOT}/knowledge/artifact-summary-contracts.md`.
-
-Do not inline previews, rationale summaries, or duplicate artifact content in
-the orchestration skill.
-
-## Phase Output Contracts
-
-| Phase | Artifact | Summary contract | Next line |
-|-------|----------|------------------|-----------|
-| `research` | `research.md` | `research.md` section | `Next: /curdx-flow:spec --phase=requirements` |
-| `requirements` | `requirements.md` | `requirements.md` section | `Next: /curdx-flow:spec --phase=design` |
-| `design` | `design.md` | `design.md` section | `Next: /curdx-flow:spec --phase=tasks` |
-| `tasks` | `tasks.md` | `tasks.md` section | `Next: /curdx-flow:implement` |
-
-## Post-Phase State Update
-
-After the artifact lands and passes landing checks, update `.state.json`:
-
-```json
-{
-  "phase": "<just-completed-phase>",
-  "phase_status": { "<phase>": "completed" },
-  "updated": "<ISO8601 timestamp>"
-}
-```

package/skills/spec/references/planning-review.md

@@ -1,31 +0,0 @@
-# Planning Review — Optional Multi-Dimension Pass
-
-Use this only when `--review` is present.
-
-## Preconditions
-
-- `design.md` must exist
-- Bare `--review` expands to `ceo,eng,design,dx`
-- `all` also expands to `ceo,eng,design,dx`
-
-## Dimension Map
-
-| Dim | Agent | Focus |
-|-----|-------|-------|
-| `ceo` | `flow-architect` (review mode) | Strategic scope fit, ROI, opportunity cost |
-| `eng` | `flow-architect` (review mode) | Lock-in risk, architecture debt, technical risk |
-| `design` | `flow-ux-designer` | UX, UI, accessibility, design system fit |
-| `dx` | `flow-architect` (review mode) | Naming, structure, setup, types, tests, developer loop |
-
-## Aggregation
-
-Dispatch one review agent per dimension, aggregate findings into:
-
-```text
-.flow/specs/<active>/spec-review.md
-```
-
-The report must contain:
-
-- one section per requested dimension
-- a consolidated verdict: `GO`, `GO-WITH-CHANGES`, or `HOLD`

package/skills/spec/references/preflight-and-routing.md

@@ -1,46 +0,0 @@
-# Spec Preflight and Routing — Resolve What Runs
-
-Before dispatching any phase:
-
-```bash
-[ ! -d ".flow" ] && {
-  echo "✗ Not a CurdX-Flow project. Run /curdx-flow:init first.";
-  exit 1;
-}
-
-SPEC_NAME=$(cat .flow/.active-spec 2>/dev/null)
-if [ -z "$SPEC_NAME" ]; then
-  echo "✗ No active spec. Run /curdx-flow:start <name> \"<goal>\" first.";
-  exit 1;
-fi
-SPEC_DIR=".flow/specs/$SPEC_NAME"
-STATE_FILE="$SPEC_DIR/.state.json"
-[ ! -f "$STATE_FILE" ] && { echo "✗ Missing $STATE_FILE"; exit 1; }
-
-FLAG_PHASE=$(echo "$ARGUMENTS" | grep -oP -- '--phase=\K[^\s]+' || true)
-FLAG_UNTIL=$(echo "$ARGUMENTS" | grep -oP -- '--until=\K[^\s]+' || true)
-FLAG_REVIEW=$(echo "$ARGUMENTS" | grep -oP -- '--review(?:=[^\s]+)?' || true)
-FLAG_REGENERATE=$(echo "$ARGUMENTS" | grep -q -- '--regenerate' && echo "1" || echo "0")
-
-if [ -n "$FLAG_PHASE" ] && [ -n "$FLAG_UNTIL" ]; then
-  echo "✗ --phase and --until cannot be combined. Pick one.";
-  exit 1;
-fi
-```
-
-The ordered pipeline is:
-
-```text
-research -> requirements -> design -> tasks
-```
-
-Routing rules:
-
-- no flags -> start at `.state.json.phase`, run forward to `tasks`
-- `--phase=design` -> run only `design`
-- `--phase=design,tasks` -> run `design` then `tasks`
-- `--until=design` -> start at `.state.json.phase`, stop after `design`
-- `--regenerate` -> clear targeted phase output before rerunning it
-
-Advance `.state.json.phase` only after the targeted artifact lands and passes
-`references/artifact-landing.md`.

package/skills/spec/references/reporting.md

@@ -1,21 +0,0 @@
-# Spec Reporting — Final Summary and Handoff
-
-End with a compact execution summary:
-
-```text
-✓ Spec <name> refreshed
-  Phases run:   research, requirements, design, tasks
-  Review dims:  ceo, eng, design, dx   (if --review was used)
-  Files:
-    .flow/specs/<name>/research.md
-    .flow/specs/<name>/requirements.md
-    .flow/specs/<name>/design.md
-    .flow/specs/<name>/tasks.md
-    .flow/specs/<name>/spec-review.md   (if --review was used)
-
-Next: /curdx-flow:implement
-```
-
-Do not summarize the full content of the artifacts inline. The files are the
-deliverables; the closing message only confirms what ran and where the outputs
-landed.

package/skills/start/SKILL.md

@@ -1,84 +0,0 @@
----
-name: start
-description: Create, resume, list, or switch the active feature spec.
-when_to_use: Use when the user wants to create a spec, switch active work, resume a prior spec, list specs, or set the workflow mode for a feature.
-argument-hint: "[<spec-name>] [\"<one-line goal>\"] [--resume] [--list] [--mode=<fast|standard|enterprise>]"
-disable-model-invocation: true
-allowed-tools: [Read, Write, Bash, AskUserQuestion, Agent]
----
-
-# Start or Resume a Feature Spec
-
-Entry point for every feature. Keep this skill focused on argument parsing,
-branch selection, state seeding, and next-step routing. Detailed branch behavior
-and workflow handoff rules live in:
-
-- `references/preflight.md`
-- `references/branch-routing.md`
-- `references/state-seeding.md`
-- `references/mode-semantics.md`
-- `references/workflow-handoff.md`
-- `references/reporting.md`
-
-## Invocation Patterns
-
-| Pattern | Behavior |
-|---------|----------|
-| `/curdx-flow:start my-feature "Add JWT auth to REST API"` | Create a fresh spec named `my-feature`, set it active, seed draft requirements. |
-| `/curdx-flow:start my-feature` (name exists) | Switch active spec to `my-feature` (same as v1 `/switch`). |
-| `/curdx-flow:start --resume` | Resume the last active spec from `.flow/.active-spec`. |
-| `/curdx-flow:start --list` | List all specs with their phase and last-updated time, prompt to pick. |
-| `/curdx-flow:start` (no args) | Interactive: ask the user whether to create new, resume recent, or list all. |
-| Add `--mode=<fast\|standard\|enterprise>` | Set the execution mode for this spec (stored in `.state.json`). |
-
-## Preflight
-
-Use `references/preflight.md` for the project-level guard.
-
-## Flag Parsing
-
-Do not shell-split `$ARGUMENTS`. Parse flags and positional arguments using the
-rules in `references/branch-routing.md`.
-
-Hard constraints:
-
-- Flags allowed: `--resume`, `--list`, `--mode=<fast|standard|enterprise>`
-- First positional token -> `SPEC_NAME`
-- Remaining trimmed content -> `GOAL`
-- `SPEC_NAME` must be kebab-case per `schemas/spec-state.schema.json`
-- Invalid mode -> warn and fall back to `standard`
-
-## Branch Selection
-
-Use `references/branch-routing.md` for the full branch contract:
-
-- Branch A: `--list`
-- Branch B: `--resume`
-- Branch C: existing `SPEC_NAME`
-- Branch D: new `SPEC_NAME`
-- Branch E: no args / no flags
-
-If a new spec must be created, seed `.state.json`, `.flow/.active-spec`, and
-`.progress.md` using `references/state-seeding.md`.
-
-## Mode Semantics
-
-Use `references/mode-semantics.md` for the workflow defaults implied by
-`mode`.
-
-## Post-Create and Resume Handoff
-
-The next-command routing rules are centralized in
-`references/workflow-handoff.md`.
-
-User-visible create/switch/resume summaries live in `references/reporting.md`.
-For a newly created spec, the immediate handoff remains:
-
-```text
-Next: /curdx-flow:spec
-```
-
-## References
-
-- State schema: `@${CLAUDE_PLUGIN_ROOT}/schemas/spec-state.schema.json`
-- Mode semantics: `@${CLAUDE_PLUGIN_ROOT}/knowledge/execution-strategies.md`

package/skills/start/references/branch-routing.md

@@ -1,51 +0,0 @@
-# Branch Routing — Start Skill Control Flow
-
-## Argument Parsing Rules
-
-Do not shell-split `$ARGUMENTS`.
-
-1. Detect and remove these flags from the raw string:
-   - `--resume`
-   - `--list`
-   - `--mode=<fast|standard|enterprise>`
-2. After flags are removed:
-   - first whitespace-delimited token -> `SPEC_NAME`
-   - remaining trimmed text -> `GOAL`
-   - strip one outer layer of matching single or double quotes from `GOAL`
-3. Reject unknown flags instead of ignoring them.
-
-## Branches
-
-### Branch A — `--list`
-
-- enumerate `.flow/specs/*`
-- read each `.state.json`
-- show phase + updated timestamp
-- use `AskUserQuestion` to choose
-- set `.flow/.active-spec`
-
-### Branch B — `--resume`
-
-- read `.flow/.active-spec`
-- if stale or missing, fall back to Branch A
-- report current phase and route using `references/workflow-handoff.md`
-
-### Branch C — Existing `SPEC_NAME`
-
-- switch `.flow/.active-spec` to that spec
-- confirm if the user likely intended to switch rather than overwrite
-- report current phase
-
-### Branch D — New `SPEC_NAME`
-
-- gather missing `GOAL` if necessary
-- create state and progress files using `references/state-seeding.md`
-- set `.flow/.active-spec`
-
-### Branch E — No args / no flags
-
-Ask the user to choose:
-
-- create a new spec
-- resume the last active spec
-- list all specs

package/skills/start/references/mode-semantics.md

@@ -1,12 +0,0 @@
-# Start Mode Semantics — What Each Mode Implies
-
-The `mode` field in `.state.json` drives later workflow defaults:
-
-| Mode | `/curdx-flow:spec` default | `/curdx-flow:implement` default | Gates applied |
-|------|---------------------------|--------------------------------|---------------|
-| `fast` | skipped (use `/curdx-flow:fast` instead) | linear strategy | karpathy + verification |
-| `standard` | full 4 phases | auto strategy | + tdd + coverage-audit |
-| `enterprise` | full 4 phases + `--review=all` | auto strategy + stricter gates | + adversarial + edge-case + security + devex |
-
-If an invalid mode is provided during argument parsing, warn and fall back to
-`standard`.

package/skills/start/references/preflight.md

@@ -1,13 +0,0 @@
-# Start Preflight — Project Must Be Initialized
-
-Before parsing arguments or touching spec state:
-
-```bash
-[ ! -d ".flow" ] && {
-  echo "✗ Not a CurdX-Flow project. Run /curdx-flow:init first.";
-  exit 1;
-}
-```
-
-`/curdx-flow:start` is the first mutable workflow entrypoint after init. If the
-project scaffold is missing, stop immediately instead of attempting recovery.

package/skills/start/references/reporting.md

@@ -1,20 +0,0 @@
-# Start Reporting — User-Facing Summaries
-
-For a newly created spec, report:
-
-```text
-✓ Spec ready: <name>
-  Goal:  <goal>
-  Mode:  <mode>
-  Path:  .flow/specs/<name>/
-
-Next: /curdx-flow:spec
-```
-
-For resume and switch flows, keep the message short:
-
-- identify the active spec
-- state the current phase when known
-- route using `references/workflow-handoff.md`
-
-Do not restate the full workflow. Point to the immediate next command only.

package/skills/start/references/state-seeding.md

@@ -1,44 +0,0 @@
-# State Seeding — New Spec Bootstrap
-
-When creating a fresh spec, use `Write` for all files so Claude checkpoints can
-rewind the bootstrap cleanly.
-
-## `.state.json`
-
-Required shape:
-
-```json
-{
-  "version": "1.0",
-  "spec_name": "$SPEC_NAME",
-  "goal": "$GOAL",
-  "mode": "$FLAG_MODE",
-  "phase": "research",
-  "phase_status": {},
-  "strategy": "auto",
-  "execute_state": {},
-  "created": "YYYY-MM-DD",
-  "updated": "YYYY-MM-DDTHH:MM:SSZ"
-}
-```
-
-## `.progress.md`
-
-```markdown
-# Progress Log — $SPEC_NAME
-
-**Goal**: $GOAL
-**Mode**: $FLAG_MODE
-**Created**: YYYY-MM-DD
-
-## Decisions
-(populated during /curdx-flow:spec)
-
-## Learnings
-(populated during /curdx-flow:implement)
-```
-
-## Activation
-
-Write `.flow/.active-spec` last, after the spec directory and both artifacts
-exist.

package/skills/start/references/workflow-handoff.md

@@ -1,26 +0,0 @@
-# Workflow Handoff — What Comes Next
-
-`/curdx-flow:start` is the entrypoint, but it should route users to the right
-next command based on current phase.
-
-## New Spec
-
-After a fresh spec is created:
-
-```text
-Next: /curdx-flow:spec
-```
-
-## Resume / Switch Routing
-
-When resuming an existing spec:
-
-- `phase` before `tasks` completion -> suggest `/curdx-flow:spec`
-- `tasks` completed but execution not complete -> suggest `/curdx-flow:implement`
-- `execute` completed but verification missing or failed -> suggest `/curdx-flow:verify`
-- `verify` completed but review missing or failed -> suggest `/curdx-flow:review`
-- both verification and review completed -> report evidence-backed handoff is
-  ready for human PR/release work
-
-Do not invent non-existent ship commands. The workflow ends at human handoff
-with persisted evidence.