@event4u/agent-config 2.24.0 → 2.26.0

package/.agent-src/skills/git-workflow/SKILL.md

@@ -27,8 +27,8 @@ Do NOT use when:
 
 ## Procedure: Before opening a PR
 
-1. Run quality pipeline: PHPStan → Rector → ECS → PHPStan (see `quality-tools` skill).
-2. Run tests: `php artisan test`.
+1. Run the project's quality pipeline (see `quality-tools` skill) — typically: type-checker → auto-fixer → linter → type-checker.
+2. Run the project's test command — detect from manifest: `php artisan test` / `vendor/bin/phpunit` (PHP), `npm test` / `pnpm test` / `vitest` / `jest` (JS-TS), `pytest` (Python), `cargo test` (Rust), `go test ./...` (Go).
 3. Rebase onto `main`.
 4. Fill in PR template completely.
 
@@ -77,6 +77,139 @@ The project uses `.github/pull_request_template.md`:
 - `main` is default/production branch.
 - Merge strategy: merge commits (not squash).
 
+## Procedure: Safe squash-after-push
+
+Use ONLY when the user explicitly authorized a squash on a branch that
+is already on origin. The whole sequence runs in **one turn** — never
+end the session between rewrite and push.
+
+Trigger context: `git-history-discipline` rule routed here.
+
+### 1. Snapshot before touching anything
+
+```bash
+BRANCH=$(git branch --show-current)
+DATE=$(date +%F)
+git fetch origin
+git tag "safe-squash-pre/${BRANCH}/${DATE}" HEAD
+git tag "safe-squash-origin/${BRANCH}/${DATE}" "@{u}"
+```
+
+Two tags = two recoveries (local tip + origin tip). Do not skip the
+tags — `git reflog` is TTL-bounded and unreliable across sessions.
+
+### 2. Verify aligned starting state
+
+```bash
+git rev-list --left-right --count HEAD...@{u}
+```
+
+- `0  0` → aligned, proceed.
+- `N  0` (local ahead) → unpushed work, proceed.
+- `0  N` (origin ahead) → `git pull --ff-only` first, then re-check.
+- `M  N` (both non-zero) → **divergent**. Abandon the squash and run
+  § Divergent-State Recovery below.
+
+### 3. Perform the squash
+
+Default — soft-reset path (single token-cheap rewrite):
+
+```bash
+git reset --soft "$(git merge-base HEAD <base>)"
+git commit -m "<conventional commit message>"
+```
+
+Interactive rebase only when the user wants per-commit control — it
+replays derived files (`.compression-hashes.json`, router projections)
+per commit and conflicts on every replay.
+
+### 4. Re-push in the SAME turn
+
+```bash
+FETCHED_SHA=$(git rev-parse "@{u}")
+git push --force-with-lease="${BRANCH}:${FETCHED_SHA}" origin "${BRANCH}"
+git fetch origin
+[ "$(git rev-parse HEAD)" = "$(git rev-parse @{u})" ] \
+  && echo "OK: origin matches HEAD" \
+  || echo "MISMATCH — do not end session"
+```
+
+If the push fails (pre-push hook, network, token budget):
+- Fix the underlying cause **now**.
+- Re-push immediately.
+- Do not commit new work on top of the squashed-but-unpushed tip.
+- Do not end the session until `HEAD == @{u}`.
+
+### 5. Hand off only with verified parity
+
+Report exactly:
+- pre-squash tip SHA (from step 1)
+- pre-squash tag name (for recovery)
+- post-squash tip SHA == origin SHA (verified in step 4)
+- PR number, if any, and confirm it picked up the new tip
+
+## Procedure: Divergent-State Recovery
+
+Fires when `git rev-list --left-right --count HEAD...@{u}` shows
+**both** sides non-zero on the current branch.
+
+### 1. Stop. Do not pull.
+
+A blind `git pull --rebase` here replays remote commits on top of a
+local history that may already represent the same work in a different
+shape — guaranteed conflict storm in derived files, possible
+double-application of the same change. This is the documented failure
+mode behind `git-history-discipline`.
+
+### 2. Tag both sides immediately
+
+```bash
+TS=$(date +%FT%H%M)
+git tag "diverged-local/${TS}" HEAD
+git tag "diverged-origin/${TS}" "@{u}"
+```
+
+### 3. Diagnose: which side is the correct future?
+
+```bash
+git log --oneline @{u}..HEAD   # local-only commits
+git log --oneline HEAD..@{u}   # origin-only commits
+git diff @{u}..HEAD --stat     # shape of local-ahead work
+```
+
+Decision matrix:
+
+| Pattern | Future | Action |
+|---|---|---|
+| Local has the same logical work as origin, just reshaped (squash/rebase) | **Local** | After PR-review check (step 4), `git push --force-with-lease=<branch>:<origin-sha>` |
+| Origin has commits local does not reflect (another contributor pushed) | **Origin** | Tag any local-ahead work for cherry-pick, then `git reset --hard @{u}` |
+| Both sides have genuine independent work | **ask user** | Never decide silently — surface the two commit lists and let the user pick |
+
+### 4. PR review-comment check (mandatory before any force-push)
+
+If a PR is open on this branch:
+```bash
+gh pr view --json reviews,comments
+# or via GitHub API: /repos/<owner>/<repo>/pulls/<num>/{reviews,comments}
+```
+
+If review comments are anchored to commits that the force-push will
+erase → STOP, ask the user how to preserve them. A force-push that
+destroys live review feedback is unrecoverable from the agent side.
+
+### 5. Recover or proceed
+
+Use the tags from step 2 to restore either side if step 4 surfaces a
+problem. After resolution, verify `HEAD == @{u}` and report both
+SHAs plus the tags created.
+
+## Hard prohibitions on a pushed branch
+
+- No `git pull --rebase` after detecting divergent state.
+- No `git push --force` without `--force-with-lease=<branch>:<sha>`.
+- No squash-then-end-session — the push must complete in the same turn.
+- No reflog-only recovery — always tag the state explicitly first.
+
 ## Output format
 
 1. Commits following conventional commit format

package/.agent-src/skills/laravel-api-endpoint/SKILL.md

@@ -0,0 +1,187 @@
+---
+name: laravel-api-endpoint
+description: "Use when creating a new Laravel API endpoint — Controller, FormRequest, Resource, route, Policy, OpenAPI annotations — versioned route layout, single-action `__invoke` controllers."
+source: package
+domain: engineering
+---
+
+# laravel-api-endpoint
+
+## When to use
+
+Use this skill when the project is **Laravel** (detected via `artisan` + `composer.json` with `laravel/framework`) and the user asks to create a new API endpoint, REST route, or controller action.
+
+Routed in from [`api-endpoint`](../api-endpoint/SKILL.md) once the stack is detected as Laravel.
+
+Do NOT use when:
+- Modifying existing endpoints — use the code-refactoring skill.
+- API design decisions — use [`api-design`](../api-design/SKILL.md).
+- The project is Symfony / Next.js / FastAPI / etc. — go back to [`api-endpoint`](../api-endpoint/SKILL.md) and pick the right carve-out.
+
+## Procedure: Create a Laravel API endpoint
+
+1. **Read project docs** — Check `./agents/` and `AGENTS.md` for controller conventions, resource patterns, routing.
+2. **Create route** — Add to the correct `routes/api.php` or module route file (`routes/api/v{N}/{domain}.php`).
+3. **Create controller** — Single-action invokable controller, thin, delegate logic to a service.
+4. **Create FormRequest** — Validate all input at the boundary; authorize via Policy in `authorize()`.
+5. **Create Resource** — Transform model output via API Resource (never raw arrays / models / `response()->json()`).
+6. **Create Policy** — If authorization is needed and no Policy exists yet.
+7. **Verify** — Run PHPStan, run tests, confirm response shape matches conventions.
+
+## What to generate
+
+1. **Controller** — Single Action (invokable). Read `agents/docs/controller.md` and `../../../docs/guidelines/php/controllers.md`.
+2. **FormRequest** — Validation rules, `authorize()` via policies. Read `../../../docs/guidelines/php/validations.md`.
+3. **Resource** — JSON response transformation. Read `agents/docs/api-resources.md`.
+4. **Route** — Add to the correct versioned route file.
+5. **Policy** — If authorization is needed.
+6. **Filter classes** — If it's a list endpoint with filtering. Read `agents/docs/query-filter.md` (if it exists).
+
+## Conventions
+
+- Controllers are thin — delegate to Services.
+- **Every controller MUST return an API Resource** — never raw arrays, models, or `response()->json()`.
+- Controllers type-hint the return value as the Resource class (e.g. `): ProjectResource`).
+- Use `Resource::make()` for single items, `Resource::collection()` for lists.
+- Use method injection on `__invoke()` for new controllers.
+- Use DTOs for data transfer between layers.
+
+## Show endpoint example
+
+```php
+declare(strict_types=1);
+
+namespace App\Http\Controllers\v1\Project;
+
+use App\Http\Controllers\Controller;
+use App\Http\Requests\v1\Projects\ShowProjectRequest;
+use App\Http\Resources\v1\Project\ProjectResource;
+use App\Models\ExternalCustomerDatabase\Project\Project;
+use App\OpenApi\Schema\Request\ShowResourceRequestSchema;
+use App\OpenApi\Schema\Response\ResourceNotFoundResponse;
+use App\OpenApi\Schema\Response\ShowResourceResponseSchema;
+
+class ShowProjectController extends Controller
+{
+    #[ShowResourceRequestSchema(path: '/projects/{id}', version: '1', resource: ProjectResource::class)]
+    #[ShowResourceResponseSchema(ProjectResource::class, wrapInDataObject: false)]
+    #[ResourceNotFoundResponse(ProjectResource::class)]
+    public function __invoke(ShowProjectRequest $request, Project $project): ProjectResource
+    {
+        return ProjectResource::make($project);
+    }
+}
+```
+
+## Create endpoint with service injection
+
+```php
+class CreateCustomerController extends Controller
+{
+    #[CreateCustomerRequestSchema(path: '/customers', version: '1', resource: CustomerResource::class)]
+    #[CreateResourceResponseSchema(resource: CreatedCustomerResource::class, wrapInDataObject: false)]
+    #[ValidationErrorResponse]
+    public function __invoke(
+        CreateCustomerRequest $request,
+        CustomerModelService $customerService,
+    ): CustomerResource {
+        $result = $customerService->create(CreateCustomerDTO::fromRequest($request));
+
+        return CreatedCustomerResource::make($result);
+    }
+}
+```
+
+## FormRequest example
+
+```php
+declare(strict_types=1);
+
+namespace App\Http\Requests\v1\Projects;
+
+use Illuminate\Foundation\Http\FormRequest;
+
+class ShowProjectRequest extends FormRequest
+{
+    public function authorize(): bool
+    {
+        return $this->user()->can('view', $this->route('project'));
+    }
+
+    /** @return array<string, mixed> */
+    public function rules(): array
+    {
+        return [];
+    }
+}
+```
+
+## List endpoint with CollectionFormRequest
+
+For list endpoints, extend `CollectionFormRequest` which provides `perPage`, `page`, and `orderBy` rules:
+
+```php
+use App\Contracts\Http\Requests\CollectionFormRequest;
+
+class ListProjectsRequest extends CollectionFormRequest
+{
+    public string $model = Project::class;
+
+    /** @return array<string, mixed> */
+    public function rules(): array
+    {
+        return [
+            ...parent::rules(),
+            'status' => ['sometimes', 'string'],
+        ];
+    }
+}
+```
+
+## File locations
+
+| Component | Path |
+|---|---|
+| Controller | `app/Http/Controllers/v{N}/{Domain}/{Action}{Entity}Controller.php` |
+| FormRequest | `app/Http/Requests/v{N}/{Domain}/{Action}{Entity}Request.php` |
+| Resource | `app/Http/Resources/v{N}/{Domain}/{Entity}Resource.php` |
+| Route | `routes/api/v{N}/{domain}.php` |
+| Policy | `app/Policies/{Entity}Policy.php` |
+
+## OpenAPI documentation
+
+Controllers use PHP 8 attributes for OpenAPI spec generation from `App\OpenApi\Schema\`:
+
+- `ShowResourceRequestSchema`, `ListResourceRequestSchema`, `CreateResourceRequestSchema`
+- `ShowResourceResponseSchema`, `ListResourceResponseSchema`, `CreateResourceResponseSchema`
+- `ResourceNotFoundResponse`, `ValidationErrorResponse`
+
+## Output format
+
+1. Generated files — controller, route registration, FormRequest, Resource, Policy.
+2. Test file with happy path and validation error cases.
+3. Summary of created files and their locations.
+
+## Gotcha
+
+- Don't forget to register the route — creating the controller without the route is a common miss.
+- Always check if a similar endpoint already exists — duplicates cause confusion.
+- FormRequest validation rules must match the OpenAPI schema — keep them in sync.
+- The model tends to forget the `return` type on Resource `toArray()` methods.
+
+## Do NOT
+
+- Do NOT put business logic in controllers — delegate to services.
+- Do NOT skip FormRequest validation — every controller needs a FormRequest.
+- Do NOT return raw Eloquent models — always use API Resources.
+- Do NOT create routes without proper authorization (Policy in FormRequest or middleware).
+- Do NOT create multi-action controllers — only single-action with `__invoke()`.
+- Do NOT use `response()->json()` — use `Resource::make()`.
+
+## Auto-trigger keywords
+
+- laravel endpoint
+- laravel controller
+- form request
+- API resource
+- laravel api route

package/.agent-src/skills/{dto-creator → laravel-dto}/SKILL.md

@@ -1,11 +1,12 @@
 ---
-name: dto-creator
-description: "Use when the user says "create a DTO", "new data transfer object", or needs to convert request/response data into a typed PHP class. Creates DTOs with SimpleDto base class and attribute mapping."
+name: laravel-dto
+description: "Use when creating a Laravel/PHP DTO with the SimpleDto base class and attribute mapping. For DTOs in other stacks, use the stack-native skill (TypeScript, Python, Rust, Go)."
 source: package
 domain: engineering
+framework: laravel
 ---
 
-# dto-creator
+# laravel-dto
 
 ## When to use
 
@@ -102,7 +103,7 @@ Always check `composer.json` for DTO-related packages before choosing the approa
 
 - DTOs must extend `SimpleDto` — don't create plain PHP classes as DTOs.
 - The model forgets to add the model linkage (`$modelClass`) when the DTO maps to an Eloquent model.
-- Attribute names in the DTO must match the DB column names (snake_case), not the PHP property names.
+- Attribute names in the DTO must match the database column names (snake_case), not the PHP property names.
 
 ## Do NOT
 

package/.agent-src/skills/{migration-creator → laravel-migration}/SKILL.md

@@ -1,11 +1,12 @@
 ---
-name: migration-creator
-description: "Use when the user says "create migration", "add column", or "new table". Creates migrations with correct table prefixes, column naming, and multi-tenant awareness."
+name: laravel-migration
+description: "Use when creating a Laravel migration — table prefixes, column naming, multi-tenant awareness, php artisan make:migration. Other stacks: use stack-native migration tooling."
 source: package
 domain: engineering
+framework: laravel
 ---
 
-# migration-creator
+# laravel-migration
 
 ## When to use
 
@@ -27,9 +28,9 @@ Use this skill when the user asks to create a database migration, add a column,
 
 ## Laravel projects
 
-### Multi-DB architecture
+### Multi-database architecture
 
-Some projects use multiple DB connections. Check `config/database.php` for connections.
+Some projects use multiple database connections. Check `config/database.php` for connections.
 
 | Check | How |
 |---|---|
@@ -37,9 +38,9 @@ Some projects use multiple DB connections. Check `config/database.php` for conne
 | Migration directories | `database/migrations/` (default), check for additional directories |
 | Custom migrate commands | `php artisan list migrate` — look for project-specific commands |
 
-**Always determine which DB the table belongs to before creating a migration.**
+**Always determine which database the table belongs to before creating a migration.**
 
-### API DB migration
+### API database migration
 
 ```bash
 php artisan make:migration create_example_table
@@ -73,13 +74,13 @@ return new class extends Migration {
 };
 ```
 
-### Customer DB migration
+### Customer database migration
 
 ```bash
 php artisan make:migration:customer AddWeatherColumn --table=cl_lv_weather
 ```
 
-Customer DB tables use the `cl_` prefix (e.g. `cl_user`, `cl_lv_weather`).
+Customer database tables use the `cl_` prefix (e.g. `cl_user`, `cl_lv_weather`).
 
 ### Adding a column (with explicit connection)
 
@@ -153,7 +154,7 @@ Focus on the "Database migrations" attack questions: Can this destroy data? Is r
 
 ## Auto-trigger keywords
 
-- DB migration
+- database migration
 - create migration
 - table prefix
 - column naming

package/.agent-src/skills/laravel-reverb/SKILL.md

@@ -16,12 +16,12 @@ Use this skill for anything specific to **Laravel Reverb** as the WebSocket serv
 - Pusher protocol compatibility questions
 
 For **general WebSocket patterns**, broadcasting events, channel authorization,
-and Laravel Echo client setup, see the [websocket](../websocket/SKILL.md) skill.
+and Laravel Echo client setup, see the [laravel-websocket](../laravel-websocket/SKILL.md) skill.
 
 ## Procedure: Set up Reverb
 
 1. **Install** — `php artisan install:broadcasting` or manual setup (see below).
-2. **Configure** — Set env variables for Reverb host, port, app credentials.
+2. **Configure** — Set environment variables for Reverb host, port, app credentials.
 3. **Start server** — `php artisan reverb:start`.
 4. **Connect client** — Configure Laravel Echo with Reverb credentials.
 5. **Verify** — Confirm WebSocket connection in browser console, test event delivery.
@@ -195,7 +195,7 @@ location /app {
 ## Gotcha
 
 - Reverb requires a persistent process — it's not compatible with serverless deployments.
-- The model forgets to configure the `REVERB_HOST` and `REVERB_PORT` env variables.
+- The model forgets to configure the `REVERB_HOST` and `REVERB_PORT` environment variables.
 - WebSocket connections bypass middleware — don't rely on session auth for channel authorization.
 
 ## Do NOT

package/.agent-src/skills/{websocket → laravel-websocket}/SKILL.md

@@ -1,11 +1,12 @@
 ---
-name: websocket
-description: "Use when building real-time features — WebSocket broadcasting, live updates, presence channels, connection state — even when the user just says 'push this to the client live'."
+name: laravel-websocket
+description: "Use when building Laravel real-time features — Broadcasting events, ShouldBroadcast, private/presence channels, Echo client. For non-Laravel WebSockets, use the stack-native skill."
 source: package
 domain: engineering
+framework: laravel
 ---
 
-# websocket
+# laravel-websocket
 
 ## When to use
 

package/.agent-src/skills/learning-to-rule-or-skill/SKILL.md

@@ -79,7 +79,7 @@ Before proceeding, the learning MUST pass all gates:
 | Minimal | Update existing preferred over creation? |
 
 If ANY gate fails → **stop**. Do not create or update anything.
-→ See `capture-learnings` rule for rejection criteria.
+Memory-entry rejection criteria live in `/memory:add` (see § "When to skip").
 
 ### 1. State the learning clearly
 

package/.agent-src/skills/merge-conflicts/SKILL.md

@@ -51,19 +51,29 @@ For each conflicted file:
 | Auto-generated files (OpenAPI spec, baselines) | **Regenerate** — resolve source, then regenerate the output |
 | Formatting-only conflicts | **Accept either** — then run quality tools to normalize |
 
-### 4. File-type specific rules
+### 4. File-type specific rules (stack-aware)
 
-#### PHP files
+#### Source files (any language)
 
-- After resolving, check that `use` statements are correct (no duplicates, no missing imports).
-- Verify the resolved code compiles: `php -l filename.php`
-- Run PHPStan on the file: `vendor/bin/phpstan analyse` (see `quality-tools` skill)
+- After resolving, check that import statements are correct (no duplicates, no missing imports). Applies to PHP `use`, JS/TS `import`, Python `import`, Go `import`, Rust `use`.
+- Verify the resolved file parses with the project's type-checker / linter on just the touched file:
+  - PHP: `php -l filename.php` then `vendor/bin/phpstan analyse path/to/file.php`
+  - TypeScript: `tsc --noEmit` (full project) or `eslint path/to/file.ts`
+  - Python: `python -m py_compile path/to/file.py` then `mypy path/to/file.py`
+  - Go: `go vet ./path/to/pkg/...`
+  - Rust: `cargo check`
 
-#### Migrations
+#### Database migrations
 
 - Never merge two migrations that modify the same table into one.
-- If both branches added migrations, keep both — adjust timestamps if they collide.
-- After resolving, run migrations to verify: `php artisan migrate --env=testing`
+- If both branches added migrations, keep both — adjust timestamps / ordering to avoid collision.
+- After resolving, run migrations against a disposable database to verify:
+  - Laravel: `php artisan migrate --env=testing`
+  - Symfony / Doctrine: `php bin/console doctrine:migrations:migrate --env=test --no-interaction`
+  - Node / Prisma: `pnpm prisma migrate dev --schema=...`
+  - Node / Knex: `pnpm knex migrate:latest --env test`
+  - Python / Alembic: `alembic upgrade head` (against a test DB URL)
+  - Go / golang-migrate: `migrate -path ./migrations -database "$TEST_DATABASE_URL" up`
 
 #### Config files
 
@@ -95,18 +105,40 @@ For each conflicted file:
 After resolving ALL conflicts:
 
 ```bash
-# 1. Check no conflict markers remain
-grep -rn "<<<<<<< \|======= \|>>>>>>> " --include="*.php" --include="*.js" --include="*.ts" .
+# 1. Check no conflict markers remain (stack-agnostic — no --include filter)
+grep -rn "<<<<<<< \|======= \|>>>>>>> " . \
+  --exclude-dir=node_modules --exclude-dir=vendor --exclude-dir=.git
+```
 
-# 2. Syntax check PHP files
-find . -name "*.php" -newer .git/MERGE_HEAD -exec php -l {} \;
+```bash
+# 2. Syntax-check changed files (stack-dependent — pick the row that matches the project)
+# PHP:    find . -name "*.php" -newer .git/MERGE_HEAD -exec php -l {} \;
+# TS:     tsc --noEmit
+# Python: python -m compileall -q .
+# Go:     go build ./...
+# Rust:   cargo check
+```
 
-# 3. Run quality tools
-vendor/bin/phpstan analyse
+```bash
+# 3. Run the project's quality tools — resolve via the quality-tools skill, Taskfile,
+#    package.json scripts, composer.json scripts, or Makefile. Examples per stack:
+# PHP:    vendor/bin/phpstan analyse
+# TS:     pnpm lint
+# Python: ruff check && mypy
+# Go:     golangci-lint run
+# Rust:   cargo clippy
+```
 
-# 4. Run tests
-php artisan test
+```bash
+# 4. Run tests — full suite, not just the touched files
+# PHP:    php artisan test    (or vendor/bin/pest)
+# TS:     pnpm test
+# Python: pytest
+# Go:     go test ./...
+# Rust:   cargo test
+```
 
+```bash
 # 5. Complete the merge/rebase
 git add .
 # Don't commit — let the user decide when to commit
@@ -156,4 +188,4 @@ git add .
 
 - Do NOT rebase or force-push without explicit permission.
 - Do NOT leave conflict markers (`<<<<<<<`) in any file.
-- Do NOT skip verification (PHPStan + tests) after resolving.
+- Do NOT skip verification (project type-checker + tests) after resolving.

package/.agent-src/skills/migration-architect/SKILL.md

@@ -1,6 +1,6 @@
 ---
 name: migration-architect
-description: "Use when shaping a non-trivial migration — rollout phases, dual-write windows, cutover sequencing, deprecation cycles — hands off to `migration-creator` for DDL once locked."
+description: "Use when shaping a non-trivial migration — rollout phases, dual-write windows, cutover sequencing, deprecation cycles — hands off to the framework-specific migration skill for DDL once locked."
 personas:
   - backend-architect
   - senior-engineer
@@ -13,8 +13,8 @@ domain: process
 > Shape the **rollout strategy** for a migration before any DDL or
 > code is written. Plans phases, dual-write windows, cutover
 > sequencing, deprecation cycles, and cross-service coordination.
-> Hands off to [`migration-creator`](../migration-creator/SKILL.md)
-> for tactical DDL once the plan is locked.
+> Hands off to [`laravel-migration`](../laravel-migration/SKILL.md)
+> (or the framework-native equivalent) for tactical DDL once the plan is locked.
 
 ## When to use
 
@@ -28,7 +28,7 @@ domain: process
 Do NOT use when:
 
 - The change is a single additive migration safe in one deploy →
-  route to [`migration-creator`](../migration-creator/SKILL.md).
+  route to [`laravel-migration`](../laravel-migration/SKILL.md) (or framework-native equivalent).
 - The decision is *whether* to migrate at all → route to
   [`decision-record`](../decision-record/SKILL.md) first.
 - The concern is data correctness during the migration → route to
@@ -100,7 +100,7 @@ Phases:
 Deprecation cycle (if any):
   Announce <duration>  →  soft-fail <duration>  →  hard-fail <duration>  →  remove
 
-Next: /migration-creator for the DDL of phase 1
+Next: /laravel-migration (or framework-native equivalent) for the DDL of phase 1
 ```
 
 ## Gotcha
@@ -112,7 +112,7 @@ Next: /migration-creator for the DDL of phase 1
 
 ## Do NOT
 
-- Do NOT write DDL — that is `migration-creator`'s job.
+- Do NOT write DDL — that is the framework-specific migration skill's job (`laravel-migration` for Laravel).
 - Do NOT collapse phases to "ship it" because the user is impatient;
   surface the risk and let the user decide.
 - Do NOT skip the deprecation cycle because nobody is using the old

package/.agent-src/skills/module-management/SKILL.md

@@ -3,6 +3,7 @@ name: module-management
 description: "Use when the user says "create module", "explore module", or works within app/Modules/. Understands module structure, auto-loading, route registration, and namespace conventions."
 source: package
 domain: process
+framework: laravel
 ---
 
 # module

package/.agent-src/skills/motion-choreographer/SKILL.md

@@ -147,3 +147,15 @@ stdin shape. The orchestrator pipes this into the video adapter's
 - Do NOT paraphrase identity tokens from `character.json`.
 - Do NOT call any network API — this skill is provider-tuning
   prose only.
+
+## Policies
+
+Motion prompts inherit upstream blueprint constraints. Before emitting provider-tuned prose:
+
+- [`agents/policies/media/disclosure.md`](../../../agents/policies/media/disclosure.md) — every distributed clip → non-removable AI-generation disclosure; refuse adapter flags that suppress it.
+- [`agents/policies/media/transparency.md`](../../../agents/policies/media/transparency.md) — provider provenance (C2PA / SynthID) preserved; refuse re-encode flags that strip provenance.
+- [`agents/policies/media/voice-cloning.md`](../../../agents/policies/media/voice-cloning.md) — motion prompt requests `audio: native` in named voice.
+- [`agents/policies/media/brand-impersonation.md`](../../../agents/policies/media/brand-impersonation.md) — copies recognised brand's chyron / mascot / signature transition.
+
+Refuse-and-surface; motion prompt cannot launder upstream policy gap.
+