@drafthq/draft 2.7.0

package/skills/ops/SKILL.md

@@ -0,0 +1,57 @@
+---
+name: ops
+description: "Primary router for operations, deployment, incident, and lifecycle workflows. Analyzes intent and dispatches to deploy-checklist, incident-response, standup, status, revert. Use for pre-deploy verification, handling outages, daily summaries, progress checks, and safe rollbacks."
+---
+
+# Ops - Operations & Lifecycle Router
+
+`/draft:ops` groups all operational, deployment, and runtime lifecycle commands.
+
+## When to Use
+
+- Preparing a deployment or release
+- Responding to incidents or outages
+- Generating team standup / activity summaries
+- Checking overall project or track status
+- Performing git-aware reverts or rollbacks
+
+## Routing Logic
+
+Intent keywords drive deterministic dispatch. Multi-intent requests are sequenced (e.g., status then incident).
+
+| User Intent Keywords                     | Dispatches To              | Purpose |
+|------------------------------------------|----------------------------|---------|
+| upload for review, git upload, submit code, open PR | `/draft:upload` | Pre-upload gate: review, approvals, validators, then push |
+| deploy checklist, pre-deploy, release check, readiness | `/draft:deploy-checklist` | Pre-deployment verification with rollback triggers |
+| incident, outage, sev, postmortem, triage | `/draft:incident-response` | Full incident lifecycle (triage → mitigate → postmortem) |
+| standup, daily summary, what did I do, activity report | `/draft:standup` | Git activity standup summary (read-only) |
+| status, progress, what's the state, track overview | `/draft:status` | Progress overview across tracks and git |
+| revert, rollback, undo, git revert, restore | `/draft:revert` | Git-aware safe rollback of changes or tracks |
+
+## Dispatch Examples
+
+User: "run the deploy checklist for the auth track"
+
+→ dispatches to `/draft:deploy-checklist [track auth]`
+
+User: "we had an outage last night, start postmortem"
+
+→ dispatches to `/draft:incident-response postmortem`
+
+User: "give me today's standup"
+
+→ dispatches to `/draft:standup`
+
+User: "what's the current status of the project"
+
+→ dispatches to `/draft:status`
+
+User: "revert the last two commits on this branch safely"
+
+→ dispatches to `/draft:revert`
+
+## Integration Notes
+
+Ops commands often read `draft/tracks.md`, `draft/*/plan.md`, and git metadata. They feed forward into documentation and jira flows when needed.
+
+Direct invocation of the leaf skills continues to work for power users and scripts during the deprecation window.

package/skills/plan/SKILL.md

@@ -0,0 +1,60 @@
+---
+name: plan
+description: "Primary router for planning, architecture, and track management workflows. Analyzes user intent and dispatches to new-track, decompose, adr, tech-debt, change (and related). Use for starting features, breaking down work, recording decisions, managing debt, or handling scope changes."
+---
+
+# Plan - Planning & Architecture Router
+
+`/draft:plan` is the consolidated entry point for all planning and upfront architecture work in the Context-Driven Development lifecycle.
+
+## When to Use
+
+- Starting a new feature, bug fix, or refactor track
+- Decomposing large modules or changes into dependency-aware units
+- Recording Architecture Decision Records (ADRs)
+- Cataloging and prioritizing technical debt
+- Handling mid-track requirement or scope changes
+
+## Routing Logic
+
+The router parses intent from natural language and dispatches to the correct leaf skill. Ambiguous requests surface a short menu of options.
+
+| User Intent Keywords                  | Dispatches To         | Purpose |
+|---------------------------------------|-----------------------|---------|
+| new feature, new track, start X, add Y, plan a refactor, fix the Z bug | `/draft:new-track` | Collaborative spec + plan creation for track |
+| decompose, break into modules, dependency map | `/draft:decompose` | Module decomposition + graph |
+| adr, architecture decision, record decision, design decision | `/draft:adr` | ADR authoring and evaluation |
+| tech debt, technical debt, catalog debt, debt analysis | `/draft:tech-debt` | 6-dimension debt scan + prioritization |
+| change, scope changed, requirements changed, update spec, mid-track pivot | `/draft:change` | Structured change impact & plan update |
+
+## Dispatch Examples
+
+User: "start a new feature for user profile editing"
+
+→ dispatches to `/draft:new-track "user profile editing"`
+
+User: "decompose the payment module"
+
+→ dispatches to `/draft:decompose "payment module"`
+
+User: "document our decision to use event sourcing"
+
+→ dispatches to `/draft:adr "Use event sourcing for order processing"`
+
+User: "find and prioritize our technical debt"
+
+→ dispatches to `/draft:tech-debt`
+
+User: "the requirements changed, we need to support multi-tenancy now"
+
+→ dispatches to `/draft:change "add multi-tenancy support"`
+
+## Relationship to Primary Workflow
+
+`/draft:plan` augments but does not replace the core `/draft:new-track` and `/draft:implement` flow. Many planning activities are launched via `/draft:plan` for discoverability, then flow into the primary track lifecycle.
+
+Direct leaf commands remain available during the transition period (see MIGRATION).
+
+## Quality Gate
+
+All planning dispatches should result in updated `draft/tracks/<id>/spec.md` or `plan.md` (or new ADR/debt artifacts) with proper metadata headers and citations back to product/tech-stack context.

package/skills/quick-review/SKILL.md

@@ -0,0 +1,216 @@
+---
+name: quick-review
+description: Ad-hoc PR/diff/file review. No track context needed. Four dimensions — security, performance, correctness, maintainability. Use for one-off reviews when you don't have or don't need a Draft track.
+---
+
+# Quick Review
+
+You are performing a lightweight, ad-hoc code review. This is the fast alternative to `/draft:review` — no track context needed, focused on a specific PR, diff, or file set.
+
+## MANDATORY GRAPH LOOKUP (read before dimension review)
+
+When `draft/graph/schema.yaml` exists, this skill **must** follow the graph-first lookup contract in [core/shared/graph-query.md](../../core/shared/graph-query.md) §Mandatory Lookup Contract. Quick-review keeps the graph load light:
+
+1. Always check `draft/graph/hotspots.jsonl` for every changed file (Step 2 blast-radius pre-check below).
+2. If a finding spans more than one file, run `scripts/tools/graph-callers.sh --repo . --symbol <name>` to enumerate the call sites before claiming "no other usages".
+
+Filesystem `grep` is reserved for source-text scans (literal strings, regex patterns). Symbol and caller discovery go through the graph.
+
+## Red Flags — STOP if you're:
+
+See [shared red flags](../../core/shared/red-flags.md) — applies to all code-touching skills.
+
+Skill-specific:
+- Reviewing without reading the code first
+- Providing generic feedback not grounded in the actual code
+- Missing security implications in authentication/authorization code
+- Ignoring error handling paths
+- Reviewing a whole module when asked for a specific file
+
+**Read the code. Ground every finding in a specific line.**
+
+---
+
+## Pre-Check
+
+### 0. Capture Git Context
+
+Before starting, capture the current git state:
+
+```bash
+git branch --show-current # Current branch name
+git rev-parse --short HEAD # Current commit hash
+```
+
+Store this for the review report header. The review is scoped to this specific branch/commit.
+
+### 1. Load Draft Context (if available)
+
+```bash
+ls draft/ 2>/dev/null
+```
+
+If `draft/` exists, read and follow `core/shared/draft-context-loading.md`. This enriches review with project patterns, guardrails, and accepted patterns from `tech-stack.md`. Layer 0.5 of that procedure includes loading the relevant `core/guardrails/language-standards.md` section for the project stack — apply those standards in Dimension 4 (Maintainability) and Dimension 3 (Correctness) for language-specific patterns.
+
+If no draft context, proceed with generic review — still valuable.
+
+## Step 1: Parse Arguments
+
+Check for arguments:
+- `/draft:quick-review` — Review staged changes (`git diff --cached`) or current branch diff
+- `/draft:quick-review <file>` — Review specific file(s)
+- `/draft:quick-review <PR-URL>` — Review a pull request (via GitHub/GitHub MCP)
+- `/draft:quick-review <commit-range>` — Review specific commits
+
+Determine the diff to review:
+1. If PR URL: fetch via GitHub MCP (`get_change_detail`, `get_change_diff`) or GitHub
+2. If file path: read the file(s)
+3. If commit range: `git diff <range>`
+4. Default: `git diff HEAD~1..HEAD` (last commit)
+
+## Step 2: Blast Radius Pre-check (if `draft/graph/hotspots.jsonl` exists)
+
+Before the four-dimension review, check if any files in scope appear in `draft/graph/hotspots.jsonl`. If any file has a `fanIn` in the top 20% of the list, add this warning at the top of the review report:
+
+```
+⚠ HIGH IMPACT: {file} is a high-fanIn hotspot (fanIn={N}). Changes here propagate to many callers — review with extra care.
+```
+
+If no hotspot data exists or no file matches, skip silently.
+
+## Step 3: Four-Dimension Review
+
+Review the code across four dimensions. For each finding, cite the specific `file:line`.
+
+### Dimension 1: Security
+
+Load `core/guardrails/security.md` before this dimension. Apply the **5-step security reasoning chain** (identify goal → check hard red lines SEC-01…SEC-10 → assess blast radius → trace generative paths → classify). Any hard red line violation is automatically **Critical**.
+
+If a violation has a `// SECURITY-OVERRIDE: <ticket> <justification>` annotation, downgrade to **Important** and include the ticket in the finding.
+
+- Authentication/authorization gaps `[RC-005, SEC-10]`
+- Input validation and sanitization `[RC-003]`
+- SQL injection, XSS, CSRF vulnerabilities `[RC-002, RC-011, SEC-03]`
+- Secrets or credentials in code `[RC-001, SEC-01]`
+- Disabled TLS or certificate verification `[SEC-04]`
+- Shell injection or unsafe subprocess calls `[SEC-06]`
+- PII or credentials in log output `[RC-006, SEC-05]`
+- OWASP Top 10 patterns
+- Insecure deserialization
+
+### Dimension 2: Performance
+
+- N+1 query patterns
+- Missing indexes for frequent queries
+- Unnecessary allocations in hot paths
+- Missing caching opportunities
+- Unbounded loops or recursion
+- Large payload serialization
+
+### Dimension 3: Correctness
+
+- Logic errors, off-by-one, null handling
+- Race conditions in concurrent code
+- Error handling gaps (uncaught exceptions, missing error paths)
+- Edge cases not covered
+- State management issues
+- Contract violations (API, type, invariant)
+
+### Dimension 4: Maintainability
+
+- Code clarity and naming
+- DRY violations (repeated logic)
+- Dead code or unreachable paths
+- Missing or misleading comments
+- Test coverage for new logic
+- Consistency with project patterns (from tech-stack.md if available)
+
+## Step 4: Classify Findings
+
+Classify each finding:
+
+| Severity | Action | Description |
+|----------|--------|-------------|
+| Critical | Must fix before merge | Security vulnerabilities, data corruption risks, crashes |
+| Important | Should fix | Performance issues, logic bugs, error handling gaps |
+| Suggestion | Nice to have | Style improvements, refactoring opportunities, documentation |
+
+## Step 5: Generate Review Report
+
+Present findings organized by severity:
+
+```markdown
+## Quick Review: {scope description}
+
+**Reviewer:** Draft Quick Review
+**Scope:** {files/PR/commits reviewed}
+**Date:** {ISO_TIMESTAMP}
+
+### Summary
+- Critical: {count}
+- Important: {count}
+- Suggestion: {count}
+
+### Verdict: {PASS | PASS WITH NOTES | NEEDS CHANGES}
+
+### Findings
+
+#### Critical
+1. **[finding title]** — `file:line`
+   [description and recommendation]
+
+#### Important
+...
+
+#### Suggestion
+...
+
+### What Went Well
+[2-3 positive observations about the code — good patterns, clean logic, thorough error handling]
+```
+
+**If track-scoped, save to `draft/tracks/<id>/quick-review-<timestamp>.md`.**
+
+Also check `core/guardrails/dependency-triage.md` if the diff modifies a dependency manifest file.
+
+**MANDATORY: Include YAML frontmatter with git metadata when saving.** Follow `core/shared/git-report-metadata.md`.
+
+Include the report header table immediately after frontmatter:
+
+```markdown
+| Field | Value |
+|-------|-------|
+| **Branch** | `{LOCAL_BRANCH}` → `{REMOTE/BRANCH}` |
+| **Commit** | `{SHORT_SHA}` — {COMMIT_MESSAGE} |
+| **Generated** | {ISO_TIMESTAMP} |
+| **Synced To** | `{FULL_SHA}` |
+```
+
+## Mandatory Self-Check (before review report)
+
+Before printing the review report, internally verify and report:
+
+1. **Graph files queried** — JSONL files loaded plus any live graph query-tool invocations.
+2. **Layer 1 files deliberately skipped** — list any context sections skipped.
+3. **Filesystem grep fallback justification** — for every `grep`/`find` run, state the concept it searched for.
+
+If `draft/graph/schema.yaml` does not exist, set `Graph files queried: NONE` and use justification `graph data unavailable`.
+
+## Graph Usage Report (append to review report)
+
+Emit the canonical footer from [core/shared/graph-usage-report.md](../../core/shared/graph-usage-report.md) §Canonical footer. The lint hook `scripts/tools/check-graph-usage-report.sh` validates the section on save.
+## Cross-Skill Dispatch
+
+- **Offered by:** `/draft:implement` at phase boundaries as lightweight alternative to full review
+- **Escalates to:** `/draft:review` if critical findings require deeper analysis
+- **Feeds into:** `/draft:learn` (findings update guardrails via pattern learning)
+- **Suggests at completion:**
+  - If many findings: "Consider running `/draft:review` for full three-stage analysis"
+  - If security findings: "Consider running `/draft:deep-review` for security audit"
+- **Jira sync:** If ticket linked, attach review and post summary via `core/shared/jira-sync.md`
+
+## Error Handling
+
+**If no diff/file found:** "No changes to review. Specify a file, PR URL, or commit range."
+**If MCP unavailable for PR:** Fall back to local git diff. "GitHub/GitHub MCP unavailable. Reviewing local diff instead."
+**If no draft context:** Proceed with generic review patterns. Note: "Review enriched when draft context is available (run `/draft:init`)."

package/skills/revert/SKILL.md

@@ -0,0 +1,178 @@
+---
+name: revert
+description: "Git-aware revert that understands Draft tracks, phases, and tasks. Safely undo work at task, phase, or track level. Use when the user asks to 'revert this track', 'undo a phase', 'revert task X', or says 'roll back the last task', 'undo this work'."
+---
+
+# Draft Revert
+
+Perform intelligent git revert that understands Draft's logical units of work.
+
+## Red Flags - STOP if you're:
+
+- Reverting without showing preview first
+- Skipping user confirmation
+- Not checking for uncommitted changes first
+- Reverting more than requested
+- Not updating Draft state after git revert
+- Assuming you know which commits to revert without checking
+
+**Preview and confirm before any destructive action.**
+
+---
+
+## Step 0: Pre-flight Check
+
+1. **Verify Draft context exists:**
+   ```bash
+   ls draft/tracks.md 2>/dev/null
+   ```
+   If `draft/` does not exist: **STOP** — "No Draft context found. Run `/draft:init` first."
+
+2. **Check working tree:**
+   Run `git status --porcelain`. If output is non-empty, warn the user about uncommitted changes and suggest stashing or committing first. Do NOT proceed until working tree is clean.
+
+---
+
+## Step 1: Analyze What to Revert
+
+Ask user what level to revert:
+
+1. **Task** - Revert a single task's commits
+2. **Phase** - Revert all commits in a phase
+3. **Track** - Revert entire track's commits
+
+If user specifies by name/description, find the matching commits.
+
+## Step 2: Find Related Commits
+
+**Primary method:** Read `plan.md` — every completed task has its commit SHA recorded inline. Use these SHAs directly.
+
+**If no commits found** (all tasks are `[ ]` Pending with no SHAs): announce "No commits found for this scope — nothing to revert." and **STOP**.
+
+**Fallback method (if SHAs missing but completed tasks exist):** Search git log by track ID pattern:
+
+For Draft-managed work, commits follow pattern:
+- `feat(<track_id>): <description>`
+- `fix(<track_id>): <description>`
+- `test(<track_id>): <description>`
+- `refactor(<track_id>): <description>`
+
+```bash
+# Find commits for a track
+git log --oneline --grep="<track_id>"
+
+# Find commits in date range (for phase)
+git log --oneline --since="<phase_start>" --until="<phase_end>" --grep="<track_id>"
+```
+
+**Cross-reference:** Verify SHAs from `plan.md` match the git log results. Git log is always authoritative for commit identification. plan.md is authoritative for task-to-commit mapping. On SHA mismatch, prefer git log and warn the user.
+
+## Step 3: Preview Revert
+
+Show user what will be reverted:
+
+```
+═══════════════════════════════════════════════════════════
+                    REVERT PREVIEW
+═══════════════════════════════════════════════════════════
+
+Reverting: [Task/Phase/Track] "[name]"
+
+Commits to revert (newest first):
+  abc1234 feat(add-auth): Add JWT validation
+  def5678 feat(add-auth): Create auth middleware
+  ghi9012 test(add-auth): Add auth middleware tests
+
+Files affected:
+  src/auth/middleware.ts
+  src/auth/jwt.ts
+  tests/auth/middleware.test.ts
+
+Plan.md changes:
+  Task 2.1: [x] (abc1234) → [ ]
+  Task 2.2: [x] (def5678) → [ ]
+
+═══════════════════════════════════════════════════════════
+Proceed with revert? (yes/no)
+```
+
+## Step 4: Execute Revert
+
+If confirmed:
+
+Maintain a list of successfully reverted commits during execution.
+
+Read `draft/workflow.md` → `## Toolchain` section for VCS CLI. See `core/shared/vcs-commands.md` for the full command mapping.
+
+**git mode:**
+```bash
+# Revert each commit in reverse order (newest first)
+git revert --no-commit <commit1>
+git revert --no-commit <commit2>
+# ... continue for all commits
+
+# Create single revert commit
+git commit -m "revert(<track_id>): Revert [task/phase description]"
+```
+
+On conflict, report: "Successfully reverted: [list]. Conflict on: [sha]. Run `git revert --abort` to undo partial state."
+
+## Step 5: Update Draft State
+
+1. Update `plan.md`:
+   - Change reverted tasks from `[x]` to `[ ]`
+   - Remove the commit SHA from the reverted task line
+   - Add revert note
+
+2. Update `metadata.json`:
+   - Decrement tasks.completed
+   - Decrement phases.completed if applicable
+   - Update timestamp
+   - **Note:** `metadata.json` only stores `phases.total` (int) and `phases.completed` (int). Decrement `phases.completed` if all tasks in a previously completed phase are reverted. Phase status markers (`[~]`, `[x]`, `[ ]`) are tracked in `plan.md` text, not in `metadata.json`. Update `plan.md` phase headings accordingly: if any task in a completed phase is reverted, mark that phase `[~]` In Progress in `plan.md`; if ALL tasks are reverted, mark it `[ ]` Pending in `plan.md`.
+
+3. Update `draft/tracks.md` if track status changed
+
+4. **Stale reports:** After revert, existing `review-report-latest.md` and `bughunt-report-latest.md` for the track are stale. Resolve symlink targets first: `readlink -f review-report-latest.md` and `readlink -f bughunt-report-latest.md`. Add a warning header to the symlink targets (the actual timestamped files): `> **WARNING: This report predates a revert operation and may be stale. Re-run the review/bughunt.**` Or delete them if the revert is substantial.
+
+## Step 6: Confirm
+
+```
+Revert complete
+
+Reverted:
+  - [list of tasks/commits]
+
+Updated:
+  - draft/tracks/<track_id>/plan.md
+  - draft/tracks/<track_id>/metadata.json
+
+Git status:
+  - Created revert commit: [sha]
+
+The reverted tasks are now available to re-implement.
+Run /draft:implement to continue.
+```
+
+## Recovery
+
+If the process is interrupted between git revert and Draft state update, the recovery procedure is: check `git log` for the revert commit, then manually update plan.md task statuses to match the reverted state.
+
+---
+
+## Abort Handling
+
+If user says no to preview:
+```
+Revert cancelled. No changes made.
+```
+
+If git revert has conflicts:
+```
+Revert conflict detected in: [files]
+
+Options:
+1. Resolve conflicts manually, then run: git revert --continue
+2. Abort revert: git revert --abort
+
+Draft state NOT updated (pending revert completion).
+```