@eltonssouza/development-utility-kit 1.0.0

package/dashboard/public/content/docs/agents-reference.en.md

@@ -0,0 +1,911 @@
+# Agents reference
+
+This reference catalogs the 25 agents in the `development-utility-kit` harness. Each agent is a specialist declared in `.claude/agents/<name>.md` with a YAML frontmatter (`name`, `description`, `tools`, `model`). Skills invoke agents through the `Task` tool; agents can also invoke other agents (orchestration). Use this page as the operational index: which agent to open, with which model, at which point in the pipeline, and which downstream agents it dispatches.
+
+Audience: developers on the team who open the local dashboard and need to decide, in seconds, which harness piece to move. Who decides what is consolidated in [autonomy-matrix](autonomy-matrix). Who enters each pipeline stage is in [pipeline](pipeline).
+
+## Master table — 25 agents
+
+| Agent | Model | Domain | Decides alone? | When to invoke |
+|---|---|---|---|---|
+| `product-owner` | opus 4.7 | Product, scope, UX, business rule | Yes (4 human-only exceptions) | Decide scope, priority, MVP, API contract |
+| `tech-lead` | opus 4.7 | Stack, pattern, refactor, final review | Yes (3 human-only exceptions) | Approve merge, decide pattern, resolve technical conflict |
+| `security-engineer` | opus 4.7 | OWASP, LGPD, hardening | Yes (technical veto HIGH/CRITICAL) | Security audit, vulnerability, headers, CORS |
+| `analyst` | sonnet 4.6 | Technical decomposition, goal-ready PLAN_*.md | Yes within scope | Break feature into FR/NFR/BR/IR and sprints with DoD |
+| `architect` | sonnet 4.6 | Macro architecture, ADR | Yes; cross-context escalates to tech-lead | Decide architectural pattern, propose ADR |
+| `backend-developer` | sonnet 4.6 | Java 25 + Spring Boot 4 | Yes within scope | Implement endpoint, service, DTO, repository |
+| `frontend-developer` | sonnet 4.6 | Angular 21 + Signals + ng-bootstrap | Yes within scope | Build component, screen, typed service |
+| `mobile-developer` | sonnet 4.6 | React Native 0.84 + Expo SDK 54 | Yes within scope | Mobile app from scratch, Angular→RN conversion, native integration |
+| `database-engineer` | sonnet 4.6 | PostgreSQL, MongoDB, Redis | Yes; cross-cutting goes to tech-lead | Modeling, index, migration, query perf |
+| `devops-engineer` | sonnet 4.6 | Docker, K8s, CI/CD, cloud | Yes up to R$ 200/month | CI/CD pipeline, containerization, deploy |
+| `n8n-specialist` | sonnet 4.6 | n8n workflow + LangChain | Yes within scope | Create workflow, automation, AI agent in n8n |
+| `ux-designer` | sonnet 4.6 | Wireframes, design system, a11y | Yes on "how it looks"; scope goes to PO | Wireframe, component spec, screen flow |
+| `qa-engineer` | sonnet 4.6 | Unit/integration/E2E/mutation tests | Yes within scope | Write JUnit, Jest, Playwright, PIT tests |
+| `gate-keeper` | sonnet 4.6 | Senior+ quality gate | Yes; blocks merge on red | Validate coverage, mutation, a11y, Lighthouse, pyramid |
+| `test-coverage-auditor` | sonnet 4.6 | Coverage + debt audit | Yes (gate inside prd-ready-check) | Map test debt, P0/P1 |
+| `code-reviewer` | sonnet 4.6 | Initial code review | Recommends; tech-lead merges | Review PR, findings by severity |
+| `prd-ready-check` | sonnet 4.6 | Final pre-production gate | Yes; GO/NO-GO | Final checklist before deploy |
+| `api-integration-test` | sonnet 4.6 | Real backend↔frontend smoke | Yes within scope | Boot stack and validate curl + clean console |
+| `sprint-runner` | sonnet 4.6 | TDD sprint orchestration | Yes; asks on plan ambiguity | Execute Sprint N of PLAN_*.md |
+| `scaffold` | haiku 4.5 | Java/Angular initial skeleton | Yes (mechanical, idempotent) | Create backend/, frontend/, or fullstack from scratch |
+| `update-template` | haiku 4.5 | Sync with development-utility-kit | Yes (with Y checkpoint) | Update `.claude/` + CLAUDE.md |
+| `migrator` | sonnet 4.6 | Legacy → target stack migration | Yes per phase; ADR per major cross | Java 8/11/17→25, Spring 2/3→4, Angular 14-20→21 |
+| `release-engineer` | sonnet 4.6 | SemVer bump + CHANGELOG | Yes through command output; human pushes | Cut release, generate tag, validate permissions |
+| `auditor` | sonnet 4.6 | Audit drift vs template | Reports only (read-only) | Compare project vs template, list divergent files |
+| `brain-keeper` | sonnet 4.6 | Obsidian vault under `docs/brain/` | Yes within scope | Record daily, feature, ADR, bug at end of PLAN |
+
+---
+
+## Top authorities
+
+### product-owner
+
+**Model**: opus 4.7
+
+**When to invoke**: any product, scope, business rule, flow, priority, persona, success metric or API contract question. The single voice when the team needs a business decision.
+
+PT triggers: `"decide produto"`, `"define escopo"`, `"regra de negócio"`, `"prioriza backlog"`, `"MVP ou v2"`.
+
+**Mission**: decide product and record an ADR. Never asks the human outside the 4 exceptions (deleting real customer data, relevant financial cost, breaking change on a published public contract, brand identity change approved by marketing).
+
+**Expected inputs**: raw user demand or hand-off from `analyst`/`architect`/developers with a product question.
+
+**Outputs / artifacts**:
+- ADR at `docs/brain/decisions/ADR-NNN-<slug>.md`
+- "Product decision" log block
+- Ordered backlog MVP → v2 → v3 with promotion criteria
+- Numbered business rules, named edge cases, endpoint and screen contracts
+
+**Inviolable rules**:
+- You decide; asking the human is a rare exception.
+- Every decision becomes an ADR — never an informal decision.
+- Edge cases always named (empty, duplicate, concurrency, no permission, no network, invalid data, limit reached).
+- Brutal MVP; cut what can be cut.
+- Never contradict an active ADR without formally superseding it.
+
+**Escalation**: human only in the 4 Autonomy Matrix situations. Product/technical conflict → joint ADR with `tech-lead`.
+
+**Tools**: Read, Write, Glob, Grep, Bash(find/cat/git log/git diff/ls).
+
+**When NOT to use**: direct code implementation (use `backend-developer`/`frontend-developer`). Stack/pattern decisions (use `tech-lead`).
+
+### tech-lead
+
+**Model**: opus 4.7
+
+**When to invoke**: any non-trivial technical decision, stack/pattern choice, cross-cutting refactor, technical debt, final review before merge, or conflict between specialists.
+
+PT triggers: `"decisão técnica"`, `"qual padrão"`, `"aprova merge"`, `"review final"`, `"refactor disso"`.
+
+**Mission**: orchestrate specialists, maintain technical consistency, block merge if the senior+ gate fails. Decides with a weighted framework (Impact 30 / Effort 25 / Risk 25 / Adherence 20).
+
+**Expected inputs**: technical demand, ADR proposed by `architect`, PR ready after `code-reviewer`.
+
+**Outputs**:
+- Technical decision ADR with score grid in `## Justification`
+- Delegation plan (which agent does what, parallel or sequential)
+- Explicit merge approval or block
+- Entry in `tech-debt.md` when debt is accepted
+
+**Inviolable rules**:
+- Decide with framework — never by intuition.
+- Every significant technical decision becomes an ADR.
+- Never implement directly; delegate to the correct specialist.
+- Block merge if `gate-keeper` returns red; coverage/mutation/SpotBugs/OWASP are non-negotiable.
+- Always consult active ADRs before deciding.
+
+**Human escalation**: only 3 situations (irreconcilable requirement conflict, breaking change on public production contract, infra cost > R$ 200/month).
+
+**Tools**: Read, Write, Glob, Grep, Bash(git/find/cat/ls).
+
+**When NOT to use**: product question (go to `product-owner`). Implementation (go to the specialist). Trivial patch bump (delegate directly to the developer).
+
+### security-engineer
+
+**Model**: opus 4.7
+
+**When to invoke**: security audit, OWASP Top 10 review, LGPD compliance, auth/CORS/headers analysis, vulnerability scan, hardening.
+
+PT triggers: `"auditoria de segurança"`, `"OWASP"`, `"LGPD"`, `"audita vulnerabilidade"`, `"revisa CORS e headers"`.
+
+**Mission**: classify security findings and apply fixes. Has technical veto on HIGH/CRITICAL — blocks merge without human confirmation.
+
+**Expected inputs**: codebase or PR diff, auth configuration, dependency list.
+
+**Outputs**:
+- Audit report structured by severity (CRITICAL/HIGH/MEDIUM)
+- Veto formatted as `## SECURITY VETO — MERGE BLOCKED` when applicable
+- Fix code applied via `Edit`/`Write`, not just description
+- LGPD checklist when personal data is involved
+
+**Inviolable rules**:
+- HIGH/CRITICAL = merge blocked, no exception.
+- Never assume something is secure without reading the code.
+- Always deliver fix code, not just a description.
+- Prioritize by real attacker impact, not CVSS alone.
+- Never lower severity to unblock a sprint.
+
+**Escalation**: human only in the single provided situation (irreversible action on real customer data). Notifies `tech-lead` on veto.
+
+**Tools**: Read, Write, Edit, Glob, Grep, Bash(grep/find/cat/mvn/npm audit).
+
+**When NOT to use**: functional bug without security component (use `backend-developer`/`frontend-developer`). Stack decision (use `tech-lead`).
+
+---
+
+## Decomposition and architecture
+
+### analyst
+
+**Model**: sonnet 4.6
+
+**When to invoke**: transform a PRD or DISCOVERY into a goal-ready technical PLAN with FR/NFR/BR/IR, BDD user stories, sprints, and machine-checkable DoD.
+
+PT triggers: `"analisa essa tarefa"`, `"faz o plano"`, `"quebra em requisitos"`, `"cria as user stories"`.
+
+**Mission**: produce `docs/plans/PLAN_<NAME>.md` executable by `sprint-runner` and by `/goal`. Every task and sprint ends with a DoD verifiable by an evaluator (Haiku).
+
+**Expected inputs** (human path — requires discovery artifact):
+- `docs/prd/PRD_<NAME>.md` (primary, from `to-prd`), or
+- `docs/discovery/DISCOVERY_<NAME>.md` (fallback, from `grill-me`), or
+- PLAN seed with §1 + §7 filled, or
+- Proposed ADR.
+
+Autonomous path (`sprint-runner`, `release-engineer`): exempt via signal `caller: sprint-runner|autonomous` in the Task prompt.
+
+**Outputs**: `docs/plans/PLAN_<NAME>.md` with 9 fixed sections (context, requirements, modeling, BDD, sprints, risks, pending decisions, `/goal` block, history).
+
+**Inviolable rules**:
+- No discovery artifact on the human path = refuse.
+- Every task and every sprint has a machine-checkable DoD.
+- `/goal` block at the end of the file is mandatory.
+- Never invent a requirement — ambiguities go in §7 "Pending decisions".
+- Filename always `PLAN_<NAME_KEBAB_CASE>.md`, no spaces or accents.
+
+**Escalation**: `architect` for new architectural decisions; `tech-lead` for ambiguity between stacks.
+
+**Tools**: Read, Write, Edit, Glob, Grep, Bash(cat/find/git log).
+
+**When NOT to use**: implementation (use `backend-developer`/`frontend-developer`). Trivial single-file edit. Bug with unknown root cause (use `pair-debug`).
+
+### architect
+
+**Model**: sonnet 4.6
+
+**When to invoke**: decide architectural pattern (DDD vs CRUD, modular monolith vs microservices, REST vs Event-Driven), model domain, record macro ADR.
+
+PT triggers: `"decide arquitetura"`, `"qual padrão usar"`, `"modela domínio"`, `"trade-off arquitetural"`, `"registra ADR"`.
+
+**Mission**: propose architecture with weighted framework (Impact 30 / Effort 25 / Risk 25 / Adherence 20). `tech-lead` approves cross-cutting decisions.
+
+**Expected inputs**: technical context (scale, team, domain complexity), constraints, existing code.
+
+**Outputs**: ADR saved at `docs/brain/decisions/ADR-NNN-<slug>.md` with Context, Decision, Consequences, Discarded alternatives and score grid.
+
+**Inviolable rules**:
+- No ADR, no architecture change.
+- Decision framework mandatory — score in the ADR.
+- Never introduce a dependency without justification.
+- Inspect code before proposing; never propose a rewrite of code you have not read.
+- No premature abstraction — only complicate with a concrete requirement.
+
+**Escalation**: `tech-lead` when decision spans > 1 bounded context, cost > R$ 200/month, or public external contract.
+
+**Tools**: Read, Write, Glob, Grep, Bash(git log/git diff/cat/find).
+
+**When NOT to use**: implementation (use a developer). Patch or lib bump (use `tech-lead`). Product decision (use `product-owner`).
+
+---
+
+## Implementation
+
+### backend-developer
+
+**Model**: sonnet 4.6
+
+**When to invoke**: implement, refactor, or debug Java 25+ / Spring Boot 4.0+ code.
+
+PT triggers: `"cria endpoint"`, `"implementa controller"`, `"faz o service"`, `"cria DTO"`, `"refatora backend"`.
+
+**Mission**: deliver backend features inside the standards — `record` DTOs, Bean Validation, `ProblemDetail` (RFC 9457), Flyway with indexes, Testcontainers (never H2), JaCoCo ≥ 85% / PIT ≥ 70%.
+
+**Expected inputs**: task from `sprint-runner` or `tech-lead` with a defined API contract.
+
+**Outputs**: controllers, services, repositories, Flyway migrations, JUnit + Mockito + Testcontainers tests, ProblemDetail mapping.
+
+**Inviolable rules**:
+- `record` DTOs separated req/res; never expose entity.
+- Bean Validation + `@ControllerAdvice` → `ProblemDetail`.
+- No `var` in signatures/returns; no `// TODO`.
+- Flyway migration with FK index on the N side in the same migration.
+- Every external call has timeout + retry + domain-exception mapping.
+- Never log token/password/PII.
+
+**Escalation**: cross-table schema → `database-engineer`. Auth/headers/secrets → `security-engineer`. Contract change → `product-owner` + `frontend-developer`. Red gate → `gate-keeper`.
+
+**Tools**: Read, Write, Edit, MultiEdit, Glob, Grep, Bash(mvn/mvnw/gradle/gradlew/java/curl).
+
+**When NOT to use**: Angular screen or component (use `frontend-developer`). Pattern decision (use `tech-lead`).
+
+### frontend-developer
+
+**Model**: sonnet 4.6
+
+**When to invoke**: implement, refactor, or debug Angular 21+ standalone + Signals + OnPush + ng-bootstrap.
+
+PT triggers: `"cria componente"`, `"faz a tela"`, `"implementa frontend"`, `"refatora componente"`.
+
+**Mission**: deliver Angular UI inside the mandatory multi-file layout (`.ts` + `.html` + `.scss`), with Signal Forms, lazy loading, a11y AA, and coverage ≥ 85%.
+
+**Expected inputs**: wireframe from `ux-designer`, API contract from `backend-developer`, task from `sprint-runner`.
+
+**Outputs**: standalone OnPush components, typed services, lazy routes, Jest + Testing Library + jest-axe tests.
+
+**Inviolable rules**:
+- Multi-file always — `templateUrl` + `styleUrls`. Inline forbidden (hard CLAUDE.md rule, overrides ADR-008).
+- Standalone + OnPush + Signals; no NgModule or default ChangeDetection.
+- Never `any`; always `unknown` + narrowing.
+- Lazy loading mandatory on feature routes.
+- `@if`/`@for`/`@switch` in new code; `*ngIf`/`*ngFor` are legacy.
+- ng-bootstrap before reinventing a component.
+
+**Escalation**: visual token or design system → `ux-designer`. Contract change → `product-owner` + `backend-developer`. Bundle/LCP regression → `tech-lead`.
+
+**Tools**: Read, Write, Edit, MultiEdit, Glob, Grep, Bash(npm/npx/ng/node).
+
+**When NOT to use**: Spring backend (use `backend-developer`). Native app (use `mobile-developer`). UX/visual identity decision (use `ux-designer`).
+
+### mobile-developer
+
+**Model**: sonnet 4.6
+
+**When to invoke**: build iOS/Android app from scratch, convert Angular to mobile, implement native features (camera, push, biometrics), store deploy.
+
+PT triggers: `"cria app mobile"`, `"transforma em mobile"`, `"react native"`, `"implementa tela mobile"`.
+
+**Mission**: deliver React Native 0.84+ with New Architecture, Expo SDK 54+, TS strict, Reanimated 4, FlashList 2, React Navigation 7.
+
+**Expected inputs**: wireframe or existing Angular app (for conversion), backend API contract, platform requirements.
+
+**Outputs**: features-first structure, screens, hooks, services, env configs (dev/staging/prod), EAS build, deploy to TestFlight/Play Internal.
+
+**Inviolable rules**:
+- TS strict, never `any`.
+- Functional components with hooks; never classes.
+- React Navigation for navigation; never manual linking.
+- Reanimated 4 (not the old Animated API).
+- FlashList for long lists; FlatList only legacy.
+- MMKV for sync storage; AsyncStorage only legacy.
+- Error boundary on every screen; skeleton instead of spinner.
+
+**Escalation**: stack/lib decision → `tech-lead`. Product decision → `product-owner`. UX → `ux-designer`.
+
+**Tools**: Read, Write, Edit, MultiEdit, Glob, Grep, Bash(npx/npm/yarn/node/expo/pod/xcodebuild/adb/gradle/gradlew/cat/find/curl/git).
+
+**When NOT to use**: Angular web (use `frontend-developer`). Backend (use `backend-developer`).
+
+### database-engineer
+
+**Model**: sonnet 4.6
+
+**When to invoke**: relational modeling, index strategy, migration plan, query optimization, PostgreSQL/MongoDB/Redis decision.
+
+PT triggers: `"modela banco"`, `"otimiza query"`, `"estratégia de índice"`, `"planeja migration"`, `"performance de banco"`.
+
+**Mission**: produce Flyway DDL with indexes created together with the table, with each index justified by query pattern, and N+1 prevention.
+
+**Expected inputs**: domain requirements, predicted query patterns, estimated data volume.
+
+**Outputs**: entity table (field/type/constraint/index/justification), relationship table, dedicated indexes, Flyway `V<N>__<description>.sql`.
+
+**Inviolable rules**:
+- Every index has a justification (which query it benefits).
+- Index created in the same migration as the table.
+- Never suggests an index without analyzing the pattern.
+- Considers volume on type choice (VARCHAR vs TEXT, INT vs BIGINT).
+- No N+1 — checks fetch strategy on JPA relationships.
+
+**Escalation**: cross-context schema → `tech-lead`. Migration applied in production → `tech-lead` approves.
+
+**Tools**: Read, Write, Edit, Glob, Grep, Bash(mvn/mvnw/cat/find/grep).
+
+**When NOT to use**: service or controller implementation (use `backend-developer`). Trivial app cache (use `backend-developer`).
+
+### devops-engineer
+
+**Model**: sonnet 4.6
+
+**When to invoke**: containerization, CI/CD, K8s, deploy, observability (Prometheus, ELK, Jaeger), cloud choice.
+
+PT triggers: `"containeriza"`, `"configura CI/CD"`, `"monta pipeline"`, `"deploy cloud"`, `"infra"`.
+
+**Mission**: deliver non-root multi-stage Dockerfile, docker-compose with healthcheck, lint→build→test→scan→deploy pipeline, blue/green or canary strategy.
+
+**Expected inputs**: project stack, uptime requirements, cost constraints.
+
+**Outputs**: Dockerfile, docker-compose.yml, CI/CD workflow, Prometheus/Grafana dashboards, AlertManager rules.
+
+**Inviolable rules**:
+- Containers always run non-root.
+- Always multi-stage builds.
+- Healthcheck on every service.
+- Secrets never in env vars in compose — vault or Docker secrets.
+- Dependency cache, parallelism, fail-fast in the pipeline.
+- Never push to prod without a rollback plan.
+
+**Escalation**: cost > R$ 200/month → human with proposal + recommendation. Decision that affects architecture pattern → `tech-lead`.
+
+**Tools**: Read, Write, Edit, Glob, Grep, Bash(docker/docker-compose/kubectl/cat/find/curl/git log/git status).
+
+**When NOT to use**: product/scope question (use `product-owner`). Stack migration (use `migrator`).
+
+### n8n-specialist
+
+**Model**: sonnet 4.6
+
+**When to invoke**: build/debug n8n workflows, integrations between systems, AI agents with LangChain, webhooks, n8n deploy on Docker/K8s.
+
+PT triggers: `"cria workflow n8n"`, `"automação n8n"`, `"debug workflow"`, `"integra n8n com backend"`.
+
+**Mission**: deliver workflow with error handling, idempotency, rate limiting, reusable subworkflows, and managed credentials (never hardcoded).
+
+**Expected inputs**: desired trigger (webhook/cron/chat), systems to integrate, transformation rules, retry requirements.
+
+**Outputs**: workflow exported as JSON, n8n + PostgreSQL + Redis compose deploy, execution dashboards, AI Agent with tools and memory.
+
+**Inviolable rules**:
+- Every workflow has error handling — never silent errors.
+- Production webhooks validate payload on the first node.
+- Credentials never hardcoded.
+- Function nodes commented explaining logic.
+- Subworkflows for reusable logic.
+- Rate limiting on external calls.
+- Idempotency on webhooks.
+
+**Escalation**: Spring Boot API contract → `backend-developer`. Auth/JWT → `security-engineer`. Product decision → `product-owner`.
+
+**Tools**: Read, Write, Edit, MultiEdit, Glob, Grep, Bash(docker/docker-compose/npm/npx/node/curl/cat/find/git).
+
+**When NOT to use**: core domain logic (use `backend-developer`). Trivial automation that fits in cron (use `devops-engineer`).
+
+---
+
+## UX/UI
+
+### ux-designer
+
+**Model**: sonnet 4.6
+
+**When to invoke**: descriptive wireframe, screen flow, component spec with states, heuristic analysis, design system, WCAG 2.1 AA a11y.
+
+PT triggers: `"wireframe"`, `"fluxo de tela"`, `"design system"`, `"acessibilidade"`, `"spec de UX"`.
+
+**Mission**: define "how it looks" — states, animations, layout, spacing, microcopy, ng-bootstrap component choice. Decides and produces the spec.
+
+**Expected inputs**: feature or screen defined by `product-owner`, user flow, design system constraints.
+
+**Outputs**: descriptive wireframe (route, access, layout, ng-bootstrap components, default/loading/empty/error/disabled states, flow, responsiveness, a11y).
+
+**Inviolable rules**:
+- Always specify ALL states — never only the happy path.
+- Error message guides the user to fix it; never a generic "an error occurred".
+- Empty state has a clear CTA.
+- Skeleton on lists; spinner only for short actions.
+- Never use absolute colors — reference design tokens / Bootstrap variables.
+- ng-bootstrap before inventing a component.
+- WCAG 2.1 AA is not optional.
+
+**Escalation**: scope or flow → `product-owner`. New visual dependency → `tech-lead`.
+
+**Tools**: Read, Write, Glob, Grep, Bash(cat/find).
+
+**When NOT to use**: implement the component (use `frontend-developer`). Decide what the user can do (use `product-owner`).
+
+---
+
+## Quality
+
+### qa-engineer
+
+**Model**: sonnet 4.6
+
+**When to invoke**: write, fix, or improve unit, integration, or E2E tests. Raise mutation score. Cover an untested scenario.
+
+PT triggers: `"cria testes"`, `"escreve teste unitário"`, `"teste de integração"`, `"teste E2E"`.
+
+**Mission**: cover behavior with JUnit 5 + Mockito + Testcontainers (backend), Jest + Testing Library (frontend), Playwright + axe (E2E), PIT (mutation).
+
+**Expected inputs**: new code to cover, bug to reproduce, threshold to reach.
+
+**Outputs**: unit tests, integration (`*IT.java`), E2E with axe scan, jest-axe scan in components, Lighthouse CI config.
+
+**Inviolable rules**:
+- Reproduce the bug before fixing — every fix starts with a red test.
+- Testcontainers, never H2.
+- AssertJ in Java instead of `assertEquals`.
+- Testing Library instead of `fixture.debugElement`.
+- `@Disabled`/`.skip()` only with ADR and deadline.
+- Mutation score ≥ 70% in `domain/` + `application/`.
+- A11y `serious`/`critical` = hard-fail.
+- Lighthouse: median-of-3 within budget.
+- Pyramid: hard-fail if `e2e_ratio > 30%`.
+
+**Escalation**: test fails due to a production bug → responsible developer. Mutation score < 70% after trying → `tech-lead`.
+
+**Tools**: Read, Write, Edit, MultiEdit, Glob, Grep, Bash(mvn test/mvnw test/npm test/npx jest/npx playwright).
+
+**When NOT to use**: red gate without understanding what failed (use `gate-keeper`). Feature implementation (use developers).
+
+### gate-keeper
+
+**Model**: sonnet 4.6
+
+**When to invoke**: at the end of every task or sprint, to generate missing tests and run the full senior+ gate (coverage, mutation, SpotBugs, OWASP, jest-axe, axe-playwright, Lighthouse CI, pyramid).
+
+PT triggers: `"roda os testes"`, `"gera os testes"`, `"garante que nada quebrou"`, `"valida a tarefa"`, `"testa tudo"`, `"suite completa"`.
+
+**Mission**: senior+ safety net. Blocks merge if any threshold fails. Diagnoses and returns to the specialist with a clear instruction.
+
+**Expected inputs**: scope detected via `git diff --name-only HEAD~1..HEAD` (or `--cached`).
+
+**Outputs**: generated tests per layer, report with counts/coverage/mutation score, pyramid line (`unit X% | integration Y% | e2e Z% → balanced | warn | RED`), GREEN/RED verdict.
+
+**Inviolable rules**:
+- Task without green gate = task incomplete.
+- Never `@Disabled`/`.skip()`/`xit()` to pass.
+- Never lowers a threshold.
+- Surviving mutant becomes an immediate fix, not debt.
+- Browser console clean on E2E (via Chrome MCP).
+- Suite runs on the whole project, not just touched modules.
+- A11y `serious`/`critical` blocks merge.
+- Lighthouse outside the budget blocks merge (never re-runs until it passes).
+- Pyramid `e2e_ratio > 30%` blocks merge.
+
+**Escalation**: production bug → correct developer. Persistent low mutation → `tech-lead`. Critical CVE → `security-engineer`. Business rule changed → `product-owner`.
+
+**Tools**: Read, Write, Edit, MultiEdit, Glob, Grep, Bash(git/node/mvn/mvnw/gradle/gradlew/npm/npx/ng/cat/find/ls).
+
+**When NOT to use**: debt audit without running the suite (use `test-coverage-auditor`). Decision about what to test (use `qa-engineer`).
+
+### test-coverage-auditor
+
+**Model**: sonnet 4.6
+
+**When to invoke**: map untested code, identify recurring manual tests, prioritize debt (P0/P1/P2/P3). Acts as a gate inside `prd-ready-check`.
+
+PT triggers: `"audita os testes"`, `"tem débito de teste?"`, `"cobertura tá ok?"`, `"faz auditoria de cobertura"`.
+
+**Mission**: audit and report. Does not write tests (that's `qa-engineer`) nor run the suite (that's `gate-keeper`).
+
+**Expected inputs**: source tree (backend + frontend), JaCoCo + Jest reports, previous `tech-debt.md`.
+
+**Outputs**: count by severity, trend vs previous audit, verdict for the PRD gate, update to `tech-debt.md` with P0/P1.
+
+**Inviolable rules**:
+- Never lowers threshold without a formal ADR.
+- Never closes a P0 without a corresponding committed automated test.
+- Never confuses "passes CI" with "actually covered" — analyzes assertions.
+
+**Escalation**: open P0 → blocks `prd-ready-check`. Prioritization → `tech-lead`. Test generation → `gate-keeper`.
+
+**Tools**: Read, Write, Edit, Glob, Grep, Bash(git/mvn/mvnw/npm/npx/find/cat/ls).
+
+**When NOT to use**: generate the tests (use `qa-engineer`/`gate-keeper`). Formally accept the debt (use `tech-lead`).
+
+### code-reviewer
+
+**Model**: sonnet 4.6
+
+**When to invoke**: review PR before `tech-lead`. Classifies findings as BLOCKER/MAJOR/MINOR/NIT/PRAISE and recommends approve, request changes, or block.
+
+PT triggers: `"revisa o PR"`, `"code review"`, `"audita o código"`, `"revisa qualidade"`.
+
+**Mission**: initial review covering backend (per DDD layer), frontend (standalone/OnPush/Signals), tests, security, observability. Does not merge — only recommends.
+
+**Expected inputs**: branch + diff vs main, commits since base.
+
+**Outputs**: report with scope, verdict (APPROVE/REQUEST CHANGES/BLOCK), findings by severity with `file:line` and fix suggestion.
+
+**Inviolable rules**:
+- No "looks good to me" — every approve lists what was checked.
+- 1 BLOCKER = PR blocked.
+- Never silently dismisses a security finding — escalates to `security-engineer`.
+- Praises concretely — recognition culture matters.
+- Reviews the test diff with the same rigor as the production diff.
+- Does not merge — `tech-lead` merges.
+
+**Escalation**: security HIGH/CRITICAL → `security-engineer`. Conflict with active ADR → `tech-lead`. Architectural smell → `architect`. Test regression → `gate-keeper`.
+
+**Tools**: Read, Glob, Grep, Bash(git diff/git log/git show).
+
+**When NOT to use**: formal merge approval (use `tech-lead`). Deep security audit (use `security-engineer`).
+
+### prd-ready-check
+
+**Model**: sonnet 4.6
+
+**When to invoke**: final gate before deploy. Runs the full checklist (tests, coverage, lint, production build, smoke E2E, security, observability, database) and returns GO or NO-GO.
+
+PT triggers: `"tá pronto pra PRD?"`, `"pode subir pra produção?"`, `"roda o checklist final"`, `"DoD"`, `"definição de pronto"`.
+
+**Mission**: confidently say whether the release goes to production. Never relaxes the gate — broken test = NO-GO; critical warning = NO-GO; console with error = NO-GO.
+
+**Expected inputs**: ready branch, viable local build, accessible smoke infrastructure.
+
+**Outputs**: report with each item OK/FAIL and evidence (HTTP status, console log, finding counts).
+
+**Inviolable rules**:
+- Any FAIL = NO-GO.
+- Never relaxes limits without a formal ADR.
+- Runs real commands — never assumes it passes because it passed yesterday.
+- Flaky: 1 failure in 3 = NO-GO + open a bug.
+- P0 from `test-coverage-auditor` = automatic NO-GO.
+- No recent GREEN from `gate-keeper` = NO-GO.
+
+**Escalation**: NO-GO returns to the specialist (backend/frontend/qa) with pending items.
+
+**Tools**: Read, Glob, Grep, Bash(mvn/mvnw/npm/npx/ng/docker/docker-compose/git/ls/cat/find).
+
+**When NOT to use**: task or sprint validation (use `gate-keeper`). Debt audit (use `test-coverage-auditor`).
+
+### api-integration-test
+
+**Model**: sonnet 4.6
+
+**When to invoke**: validate real backend↔frontend integration after the green gate, before the final gate. Boots the stack, hits curl, opens a browser via Chrome MCP and checks console + network.
+
+PT triggers: `"testa a integração"`, `"smoke test"`, `"sobe tudo e testa"`, `"verifica se a tela funciona"`, `"faz o E2E rápido"`.
+
+**Mission**: confirm backend and frontend talk in a live dev environment. Anything failing = integration NOT-OK.
+
+**Expected inputs**: built project, docker-compose or boot command, documented main endpoints.
+
+**Outputs**: report of each check with OK/FAIL and evidence. Process tear-down at the end (even on failure).
+
+**Inviolable rules**:
+- Never "proves OK" by reading code only — must boot and observe.
+- Zero console errors is a hard requirement.
+- Process tear-down on exit (uses trap).
+- Documents tested URLs, methods, and responses.
+
+**Escalation**: failure → returns to `backend-developer` or `frontend-developer`.
+
+**Tools**: Read, Glob, Grep, Bash(mvn/mvnw/npm/npx/ng/docker/docker-compose/curl/ss/netstat/cat/ls/sleep).
+
+**When NOT to use**: unit/integration suite (use `gate-keeper`). Final pre-production gate (use `prd-ready-check`).
+
+---
+
+## Orchestration
+
+### sprint-runner
+
+**Model**: sonnet 4.6
+
+**When to invoke**: execute Sprint N of a `PLAN_*.md` with mandatory TDD cycle (red tests before implementation).
+
+PT triggers: `"roda a sprint 1"`, `"executa a sprint"`, `"implementa as tarefas da sprint"`, `"bora codar essa sprint"`.
+
+**Mission**: consume the plan and execute the sprint task by task, with green tests at the end of each. Spawn `qa-engineer` for red tests → `backend-developer`/`frontend-developer` to implement until green → `gate-keeper` at the end of each task.
+
+**Expected inputs**: existing `docs/plans/PLAN_<NAME>.md`, sprint number/name.
+
+**Outputs**: implementation task by task, green gate at each checkpoint, sprint validated with lint + acceptance criteria per user story.
+
+**Inviolable rules**:
+- Every task passes through `gate-keeper`.
+- One task at a time, respecting dependencies.
+- Complete code, no TODO, no `any`.
+- Failing tests precede implementation — always. Applies to old plans too.
+- Plan ambiguity → ask, do not invent.
+
+**Escalation**: when a plan needs regenerating in an autonomous run, passes `caller: sprint-runner` in the `analyst` prompt (bypasses the discovery-artifact gate).
+
+**Tools**: Read, Write, Edit, MultiEdit, Glob, Grep, Bash(mvn/mvnw/npm/npx/ng/git/cat/find).
+
+**When NOT to use**: create the plan (use `analyst`). Implement 1 isolated task (call the developer directly). Cut a release (use `release-engineer`).
+
+---
+
+## Project lifecycle
+
+### scaffold
+
+**Model**: haiku 4.5
+
+**When to invoke**: create the initial project skeleton. Reads `## Identidade deste projeto` in `CLAUDE.md` and runs the `backend` (Spring Initializr), `frontend` (Angular CLI), or `fullstack` (both + compose) pipeline.
+
+PT triggers: `"scaffolda o projeto"`, `"monta a estrutura"`, `"cria o esqueleto"`, `"inicializa o backend"`, `"inicializa o frontend"`, `"inicializa fullstack"`.
+
+**Mission**: mechanical, idempotent scaffolder. Replaces the 3 old `bootstrap-*` agents (V5.17). Never implements business logic — only the empty skeleton.
+
+**Expected inputs**: `CLAUDE.md` with valid type (`backend` | `frontend` | `fullstack`), Java 25+, Node 22+, mvn 3.9+.
+
+**Outputs**: `backend/` (Spring Boot 4 + DDD + Flyway + Postgres/Redis compose) and/or `frontend/` (Angular 21 standalone + ng-bootstrap + Jest + Playwright + jest-axe + LHCI).
+
+**Inviolable rules**:
+- Idempotent — refuses if `backend/` or `frontend/` already exists.
+- No business logic — only `HealthController` and generated stubs.
+- Versions pinned to `CLAUDE.md`; never silent fallback.
+- Smoke build mandatory (`./mvnw compile` or `npm run build` returns 0).
+
+**Escalation**: type missing → `tech-lead`. Stack version unavailable → `devops-engineer`. After scaffold, first feature → `analyst` → `architect` → `sprint-runner`.
+
+**Tools**: Read, Write, Edit, Glob, Grep, Bash(mvn/mvnw/npm/npx/ng/curl/cat/find/mkdir/unzip).
+
+**When NOT to use**: implement a feature (use `sprint-runner`). Migrate a legacy project (use `migrator`).
+
+### update-template
+
+**Model**: haiku 4.5
+
+**When to invoke**: sync existing project with the latest harness version. Merges `.claude/` with automatic backup and injects `CLAUDE.md` preserving the `Project Identity` section.
+
+PT triggers: `"atualiza o template"`, `"sync com claude-code-agents"`, `"traz as skills novas"`, `"adota o template"`.
+
+**Mission**: idempotent. Never overwrites without backup. Never removes local customizations the template lacks.
+
+**Expected inputs**: target project (must have `CLAUDE.md` or be detectable via `pom.xml`/`angular.json`/`vite.config.*`), template location.
+
+**Outputs**: merged `.claude/`, updated `CLAUDE.md` preserving `Project Identity`, backup `.claude.backup-YYYYMMDD-HHMMSS/`.
+
+**Inviolable rules**:
+- Never overwrites without backup.
+- Never removes a local file the template lacks.
+- Template wins on name conflict (backup preserves the old version).
+- Never runs on top of the template directory itself.
+
+**Escalation**: local custom skills the template lacks → notifies `tech-lead`.
+
+**Tools**: Read, Write, Edit, Glob, Grep, Bash(bash/cp/mkdir/ls/find/cat/git).
+
+**When NOT to use**: create project from scratch (use `scaffold`). Implement feature (use `sprint-runner`). Dependency update (`npm update`, `mvn versions`) — unrelated to the template.
+
+### migrator
+
+**Model**: sonnet 4.6
+
+**When to invoke**: migrate a project from a legacy stack version to the harness target — Java 8/11/17 → 25, Spring Boot 2.x/3.x → 4.0, Angular 14-20 → 21, React Native 0.70+ → 0.84+.
+
+PT triggers: `"migrate legacy"`, `"modernize stack"`, `"java 8 pra 25"`, `"spring boot 2 pra 4"`, `"angular 14 pra 21"`, `"upgrade do projeto"`, `"sair do legado"`.
+
+**Mission**: 4 gated phases — Assessment (read-only), Quick wins (non-breaking), Breaking changes (ADR per major cross), Validation gate.
+
+**Expected inputs**: current versions (read from `pom.xml`/`package.json`), target version, **green baseline test suite** (refuses to migrate without it).
+
+**Outputs**: `MIGRATION-<from>-to-<to>.md`, ADR per major cross, separate commits per step, green smoke at the end.
+
+**Inviolable rules**:
+- Without green baseline test suite, dispatches `gate-keeper` first.
+- 1 major cross per ADR per commit. Never bundles multi-version.
+- Suite must be green after every commit. Red = stop + revert + investigate.
+- Breaking change without ADR is forbidden.
+- Never lowers thresholds to "land the migration".
+- The developer writes the code; this agent decides what and in what order.
+- `tech-lead` is the final approver of each major-cross ADR.
+
+**Escalation**: each ADR approval → `tech-lead`. Residual CVE → `security-engineer`. Schema migration → `database-engineer`. Final tag post-migration → `release-engineer`.
+
+**Tools**: Read, Write, Edit, Glob, Grep, Bash(find/grep/cat/git log/git diff/mvnw/mvn/npm/npx).
+
+**When NOT to use**: greenfield (use `scaffold`). Patch bump (use `tech-lead` + specialist). Cross-stack rewrite Java→Node or Angular→React (rewrite, not migration).
+
+### release-engineer
+
+**Model**: sonnet 4.6
+
+**When to invoke**: cut a release of the harness or a derived project — bumps SemVer in `.claude-version.json`, drafts the CHANGELOG entry, validates `permissions.allow` (TD-7 prevention), runs `lint-harness.sh` + `verify-integrity.sh`, creates the git tag.
+
+PT triggers: `"release"`, `"bump version"`, `"cria tag"`, `"novo release"`, `"preparar V5.X.Y"`.
+
+**Mission**: zero hand-rolled tag/push. Prepares everything and emits exact commands for the human to review and execute. Never pushes.
+
+**Expected inputs**: target version (or infers via SemVer), current version in `.claude-version.json`, commits since last tag.
+
+**Outputs**: updated `.claude-version.json`, CHANGELOG entry in PT-BR, updated `PLAN_harness-improvements.md`, proposed ADR for MAJOR, command block `git commit && git tag && git push`.
+
+**Inviolable rules**:
+- Never commits or tags autonomously — only the human pushes.
+- Never bumps on a dirty working tree.
+- Never skips lint or verify-integrity.
+- Never mentions Anthropic/AI/LLM/assistant in CHANGELOG or commit message.
+- Never adds `Co-Authored-By`.
+- MAJOR requires an ADR.
+- Old CHANGELOG entries stay intact — mistakes become errata, never a rewrite.
+
+**Escalation**: final approval → `tech-lead`. Unresolved CVE → `security-engineer` before release. Gate not green → asks the human to run `gate-keeper`.
+
+**Tools**: Read, Write, Edit, Glob, Grep, Bash(git log/git diff/git tag/git status/git rev-parse/bash scripts/lint-harness.sh/bash scripts/verify-integrity.sh/jq/cat/grep).
+
+**When NOT to use**: dependency update (use `tech-lead`). Revert release (use `tech-lead` + ADR — never undoes, bumps again). Intermediate QA tag (branch + manual tag, outside release flow).
+
+### auditor
+
+**Model**: sonnet 4.6
+
+**When to invoke**: compare a project's structure against the official template. Detects missing, divergent, and outdated files in `.claude/`, `CLAUDE.md`, `.claude/agents`, `.claude/commands`, `.claude/skills`, `.claude/settings.json`, `.claude-version.json`.
+
+PT triggers: `"audita estrutura claude"`, `"compara projetos com template"`, `"verifica desatualizado"`.
+
+**Mission**: read-only. Never copies, edits, deletes, or overwrites. Reports and recommends `/sync-all-projects` or `/update-template`.
+
+**Expected inputs**: project path, official template path.
+
+**Outputs**: per project — Path, Status, Missing files, Divergent files, Local version, Expected version, Risk, Recommendation.
+
+**Inviolable rules**:
+- Auditor only. NEVER copies/edits/deletes/overwrites.
+- When it finds an issue, recommends a command — does not fix.
+
+**Escalation**: corrective action → `update-template` (with human confirmation).
+
+**Tools**: Read, Glob, Bash.
+
+**When NOT to use**: apply correction (use `update-template`). Create project (use `scaffold`).
+
+---
+
+## History
+
+### brain-keeper
+
+**Model**: sonnet 4.6
+
+**When to invoke**: at the end of each `PLAN_*` — records daily, feature, ADR, bug, and updates tech-debt + MOC in the Obsidian vault at `docs/brain/`. Also provisions the vault on the first run (with `.obsidian/` + folder color snippet).
+
+PT triggers: `"registra no cérebro"`, `"atualiza brain"`, `"log do dia"`, `"salva ADR no vault"`, `"registra histórico"`.
+
+**Mission**: WRITE mode in `docs/brain/`. Never deletes history — on conflict, new note prevails with `[[supersedes ADR-XXX]]` or a `## History` section.
+
+**Expected inputs**: plan path, output of `sprint-runner`, output of `gate-keeper`, output of `prd-ready-check`, git range (starting SHA → HEAD).
+
+**Outputs**:
+- `daily/YYYY-MM-DD.md` (always)
+- `features/<plan-slug>.md` (one per PLAN_*)
+- `decisions/ADR-NNN-<slug>.md` (if a new decision exists)
+- `bugs/<slug>.md` (if a relevant fix happened)
+- `architecture/tech-debt.md` (append on accepted debt)
+- updated MOC
+
+**Inviolable rules**:
+- Never deletes an existing note.
+- YAML frontmatter mandatory.
+- Wiki links between related notes.
+- Absolute dates (ISO YYYY-MM-DD), never "today"/"yesterday".
+- Idempotent — running it twice does not duplicate.
+- Provisions `.obsidian/` with color snippet on first run.
+- Never logs PII/token/password.
+- Read-only outside `docs/brain/` (except marking PLAN as `status: completed`).
+
+**Escalation**: formal ADR comes from `architect`; this agent only records. Accepting debt is `tech-lead`'s call; this agent only persists into `tech-debt.md`.
+
+**Tools**: Read, Write, Edit, MultiEdit, Glob, Grep, Bash(git log/git diff/git show/find/cat/ls/mkdir/cp).
+
+**When NOT to use**: history lookup (read the vault directly, or use `analyst`). Manual edit of an existing note (human edits; this agent only appends to daily).
+
+---
+
+## Decision matrix (summary)
+
+| Domain | Who decides | Blocks for human in |
+|---|---|---|
+| Scope, business rule, UX, API contract | `product-owner` | 4 situations: deleting real data, relevant financial cost, breaking change to public contract, identity change |
+| Stack, pattern, refactor, lib, final review | `tech-lead` | 3 situations: irreconcilable requirement conflict, public breaking change, infra cost > R$ 200/month |
+| Macro architecture | `architect` proposes → `tech-lead` decides | Never (escalates via `tech-lead`) |
+| Schema, index, DB perf | `database-engineer` | Cross-cutting → `tech-lead` |
+| Security HIGH/CRITICAL | `security-engineer` (technical veto) | 1 situation: irreversible action on real data |
+| Infra, cost, deploy | `devops-engineer` | Cost > R$ 200/month → human |
+| UI/microinteraction | `ux-designer` | Scope → `product-owner`; new dep → `tech-lead` |
+| Java/Angular/RN implementation | developers | Never escalate to human — go to PO or TL |
+| Tests, quality gate | `gate-keeper` | Blocks merge on red gate |
+| Conflict between agents | `tech-lead` triage | Never |
+
+Full details in [autonomy-matrix](autonomy-matrix).
+
+---
+
+## Who invokes whom
+
+```
+                     user prompt
+                            │
+                            ▼
+                  ┌──────────────────┐
+                  │     SKILL        │  (keyword match in .claude/skills/)
+                  └─────────┬────────┘
+                            │ Task
+              ┌─────────────┼─────────────────────────┐
+              ▼             ▼                         ▼
+       product-owner   tech-lead                  scaffold / update-template / migrator
+              │             │
+              │             │ delegates
+              │             ▼
+              │       analyst ──► architect ──► (ADR)
+              │             │
+              │             │
+              │             ▼
+              │       sprint-runner
+              │       ┌──────┴──────────────┐
+              │       ▼                     ▼
+              │  qa-engineer       backend / frontend / mobile / database / devops / n8n
+              │       │                     │
+              │       └────────►  ux-designer (parallel for wireframe)
+              │
+              └──────────────────────────────┐
+                                              ▼
+                                       gate-keeper ◄── calls qa-engineer for details
+                                              │
+                                              ▼
+                                      code-reviewer
+                                              │
+                                              ▼
+                                       tech-lead (final review, merge)
+                                              │
+                          ┌───────────────────┼───────────────────┐
+                          ▼                   ▼                   ▼
+                api-integration-test   prd-ready-check     security-engineer
+                                              │             (veto at any point)
+                                              ▼
+                                       release-engineer
+                                              │
+                                              ▼
+                                       brain-keeper (records history)
+```
+
+Reading the diagram:
+
+- `sprint-runner` is the central orchestrator during sprint execution. It fans out to `qa-engineer` (red tests first), then to the developers of the appropriate stack, then to `gate-keeper`.
+- `gate-keeper` can call `qa-engineer` for specific test details but is the one who decides whether the task closes green.
+- `code-reviewer` recommends; only `tech-lead` merges.
+- `security-engineer` has lateral entry — can issue veto at any point in the flow.
+- `brain-keeper` is always the last step of the PLAN.
+- `test-coverage-auditor` is an internal gate inside `prd-ready-check`.
+- `auditor` operates outside the feature flow — it diagnoses against the template.
+
+---
+
+## How to add a new agent
+
+1. **Create `.claude/agents/<name>.md`** with YAML frontmatter:
+
+```yaml
+---
+name: agent-name
+description: "Short description + PT triggers in quotes. Use ALWAYS when ... PT triggers: 'trigger 1', 'trigger 2'."
+tools: Read, Write, Edit, Glob, Grep, Bash(command:*)
+model: opus | sonnet | haiku
+---
+```
+
+2. **Pick the model per the master rule**:
+   - `opus` only for irreversible decision, technical veto, or macro trade-off (`product-owner`, `tech-lead`, `security-engineer`).
+   - `haiku` for scaffold, template, mechanical sync (`scaffold`, `update-template`).
+   - `sonnet` for everything else — default.
+
+3. **Write the description in English** (the rest of the prompt too), but **include 2-5 PT triggers** at the end of the `description`, in quotes, in the format `PT triggers: '...', '...'`. The project-manager matcher keys on those triggers.
+
+4. **List required tools** with scoped Bash permissions (`Bash(mvn:*)`, not `Bash`). Avoid open `Bash` except when the agent must run arbitrary commands (case of `auditor`).
+
+5. **Write the agent body** following the pattern of the 25 existing ones: "You decide. You don't ask." block at the top, mission, flow, numbered inviolable rules, interface with other agents, examples when useful.
+
+6. **Register in `CLAUDE.md`** in the sections:
+   - "Sub-Agent Routing" table
+   - "Autonomy Matrix" table (who decides what)
+   - "Sub-agents — model per agent" table (if non-default model)
+
+7. **Update this page** with a new card under the right category group, and add a row to the master table.
+
+8. **Run `bash scripts/lint-harness.sh`** and `bash scripts/verify-integrity.sh` — both must be green before committing.
+
+9. **Commit** following Conventional Commits, with no mention of Anthropic/Claude/AI/LLM and no `Co-Authored-By` (hard rule from `CLAUDE.md §Git Conventions`).
+
+---
+
+## Cross-references
+
+- [skills-reference](skills-reference) — catalog of skills (keyword entry points).
+- [pipeline](pipeline) — end-to-end flow from PRD to release.
+- [autonomy-matrix](autonomy-matrix) — who decides what and when to escalate.
+- [quality-gate](quality-gate) — senior+ thresholds enforced by `gate-keeper`.
+- [stack-rules](stack-rules) — Java/Angular/database/security conventions.
+- [architecture-overview](architecture-overview) — overview of the Skill → Agent layers.