@fredericboyer/dev-team 0.1.2 → 0.2.0

package/templates/hooks/dev-team-post-change-review.js

@@ -8,12 +8,20 @@
  * the file's domain. Advisory only — always exits 0.
  */
 
-'use strict';
+"use strict";
 
-const path = require('path');
+const path = require("path");
 
-const input = JSON.parse(process.argv[2] || '{}');
-const filePath = (input.tool_input && (input.tool_input.file_path || input.tool_input.path)) || '';
+let input = {};
+try {
+  input = JSON.parse(process.argv[2] || "{}");
+} catch (err) {
+  console.warn(
+    `[dev-team post-change-review] Warning: Failed to parse hook input, allowing operation. ${err.message}`,
+  );
+  process.exit(0);
+}
+const filePath = (input.tool_input && (input.tool_input.file_path || input.tool_input.path)) || "";
 
 if (!filePath) {
   process.exit(0);
@@ -47,7 +55,7 @@ const SECURITY_PATTERNS = [
 ];
 
 if (SECURITY_PATTERNS.some((p) => p.test(fullPath) || p.test(basename))) {
-  flags.push('@dev-team-szabo (security surface changed)');
+  flags.push("@dev-team-szabo (security surface changed)");
 }
 
 // API/contract patterns → flag for Mori
@@ -63,7 +71,7 @@ const API_PATTERNS = [
 ];
 
 if (API_PATTERNS.some((p) => p.test(fullPath))) {
-  flags.push('@dev-team-mori (API contract may affect UI)');
+  flags.push("@dev-team-mori (API contract may affect UI)");
 }
 
 // Config/infra patterns → flag for Voss
@@ -79,7 +87,7 @@ const INFRA_PATTERNS = [
 ];
 
 if (INFRA_PATTERNS.some((p) => p.test(fullPath))) {
-  flags.push('@dev-team-voss (architectural/config change)');
+  flags.push("@dev-team-voss (architectural/config change)");
 }
 
 // Tooling patterns → flag for Deming
@@ -96,7 +104,52 @@ const TOOLING_PATTERNS = [
 ];
 
 if (TOOLING_PATTERNS.some((p) => p.test(fullPath))) {
-  flags.push('@dev-team-deming (tooling change)');
+  flags.push("@dev-team-deming (tooling change)");
+}
+
+// Documentation patterns → flag for Docs
+const DOC_PATTERNS = [
+  /readme/,
+  /changelog/,
+  /\.md$/,
+  /\.mdx$/,
+  /\/docs?\//,
+  /api-doc/,
+  /jsdoc/,
+  /typedoc/,
+];
+
+if (DOC_PATTERNS.some((p) => p.test(fullPath))) {
+  flags.push("@dev-team-docs (documentation changed)");
+}
+
+// Architecture patterns → flag for Architect
+const ARCH_PATTERNS = [
+  /\/adr\//,
+  /architecture/,
+  /\/modules?\//,
+  /\/layers?\//,
+  /\/core\//,
+  /\/domain\//,
+  /\/shared\//,
+];
+
+if (ARCH_PATTERNS.some((p) => p.test(fullPath))) {
+  flags.push("@dev-team-architect (architectural boundary touched)");
+}
+
+// Release patterns → flag for Release
+const RELEASE_PATTERNS = [
+  /package\.json$/,
+  /pyproject\.toml$/,
+  /cargo\.toml$/i,
+  /changelog/i,
+  /version/,
+  /\.github\/workflows\/.*release/,
+];
+
+if (RELEASE_PATTERNS.some((p) => p.test(fullPath))) {
+  flags.push("@dev-team-release (version/release artifact changed)");
 }
 
 // Always flag Knuth for non-test implementation files
@@ -104,11 +157,11 @@ const isTestFile = /\.(test|spec)\.|__tests__|\/tests?\//.test(fullPath);
 const isCodeFile = /\.(js|ts|jsx|tsx|py|rb|go|java|rs|c|cpp|cs)$/.test(fullPath);
 
 if (isCodeFile && !isTestFile) {
-  flags.push('@dev-team-knuth (new or changed code path to audit)');
+  flags.push("@dev-team-knuth (new or changed code path to audit)");
 }
 
 if (flags.length > 0) {
-  console.log(`[dev-team review] Flag for review: ${flags.join(', ')}`);
+  console.log(`[dev-team review] Flag for review: ${flags.join(", ")}`);
 }
 
 process.exit(0);

package/templates/hooks/dev-team-pre-commit-gate.js

@@ -8,14 +8,14 @@
  * review agents if they were not consulted. Advisory — always exits 0.
  */
 
-'use strict';
+"use strict";
 
-const { execFileSync } = require('child_process');
+const { execFileSync } = require("child_process");
 
-let stagedFiles = '';
+let stagedFiles = "";
 try {
-  stagedFiles = execFileSync('git', ['diff', '--cached', '--name-only'], {
-    encoding: 'utf-8',
+  stagedFiles = execFileSync("git", ["diff", "--cached", "--name-only"], {
+    encoding: "utf-8",
     timeout: 5000,
   });
 } catch {
@@ -23,7 +23,7 @@ try {
   process.exit(0);
 }
 
-const files = stagedFiles.split('\n').filter(Boolean);
+const files = stagedFiles.split("\n").filter(Boolean);
 
 if (files.length === 0) {
   process.exit(0);
@@ -32,28 +32,26 @@ if (files.length === 0) {
 const reminders = [];
 
 const hasSecurityFiles = files.some((f) =>
-  /auth|login|password|token|session|crypto|secret|permission/.test(f)
+  /auth|login|password|token|session|crypto|secret|permission/.test(f),
 );
 if (hasSecurityFiles) {
-  reminders.push('@dev-team-szabo for security review');
+  reminders.push("@dev-team-szabo for security review");
 }
 
 const hasImplFiles = files.some(
-  (f) => /\.(js|ts|jsx|tsx|py|rb|go|java|rs)$/.test(f) && !/\.(test|spec)\./.test(f)
+  (f) => /\.(js|ts|jsx|tsx|py|rb|go|java|rs)$/.test(f) && !/\.(test|spec)\./.test(f),
 );
 if (hasImplFiles) {
-  reminders.push('@dev-team-knuth for quality audit');
+  reminders.push("@dev-team-knuth for quality audit");
 }
 
 const hasApiFiles = files.some((f) => /\/api\/|\/routes?\/|schema|\.graphql$/.test(f));
 if (hasApiFiles) {
-  reminders.push('@dev-team-mori for UI impact review');
+  reminders.push("@dev-team-mori for UI impact review");
 }
 
 if (reminders.length > 0) {
-  console.log(
-    `[dev-team pre-commit] Before committing, consider running: ${reminders.join(', ')}`
-  );
+  console.log(`[dev-team pre-commit] Before committing, consider running: ${reminders.join(", ")}`);
 }
 
 process.exit(0);

package/templates/hooks/dev-team-safety-guard.js

@@ -8,43 +8,53 @@
  * Exit 2 = block, exit 0 = allow.
  */
 
-'use strict';
+"use strict";
 
-const input = JSON.parse(process.argv[2] || '{}');
-const command = (input.tool_input && input.tool_input.command) || '';
+let input = {};
+try {
+  input = JSON.parse(process.argv[2] || "{}");
+} catch (err) {
+  // SECURITY TRADEOFF: Failing open means parse errors bypass safety checks.
+  // We accept this because failing closed (exit 2) would block all Bash operations when input is malformed.
+  console.warn(
+    `[dev-team safety-guard] Warning: Failed to parse hook input, allowing operation. ${err.message}`,
+  );
+  process.exit(0);
+}
+const command = (input.tool_input && input.tool_input.command) || "";
 
 const BLOCKED_PATTERNS = [
   {
     pattern: /\brm\s+(-[^\s]*r[^\s]*|--recursive)\s+[^\s]*\s*\/\s*$/,
-    reason: 'Recursive delete on root path is blocked.',
+    reason: "Recursive delete on root path is blocked.",
   },
   {
     pattern: /\brm\s+(-[^\s]*r[^\s]*|--recursive)\s+.*~\//,
-    reason: 'Recursive delete on home directory is blocked.',
+    reason: "Recursive delete on home directory is blocked.",
   },
   {
     pattern: /\bgit\s+push\s+.*--force\b.*\b(main|master)\b/,
-    reason: 'Force push to main/master is blocked. Use a PR instead.',
+    reason: "Force push to main/master is blocked. Use a PR instead.",
   },
   {
     pattern: /\bgit\s+push\s+.*\b(main|master)\b.*--force\b/,
-    reason: 'Force push to main/master is blocked. Use a PR instead.',
+    reason: "Force push to main/master is blocked. Use a PR instead.",
   },
   {
     pattern: /\bDROP\s+(TABLE|DATABASE)\b/i,
-    reason: 'DROP TABLE/DATABASE is blocked. Use a migration instead.',
+    reason: "DROP TABLE/DATABASE is blocked. Use a migration instead.",
   },
   {
     pattern: /\bchmod\s+777\b/,
-    reason: 'chmod 777 is blocked. Use specific permissions instead.',
+    reason: "chmod 777 is blocked. Use specific permissions instead.",
   },
   {
     pattern: /\bcurl\b.*\|\s*(sh|bash|zsh)\b/,
-    reason: 'Piping curl to a shell is blocked. Download and inspect scripts before executing.',
+    reason: "Piping curl to a shell is blocked. Download and inspect scripts before executing.",
   },
   {
     pattern: /\bwget\b.*\|\s*(sh|bash|zsh)\b/,
-    reason: 'Piping wget to a shell is blocked. Download and inspect scripts before executing.',
+    reason: "Piping wget to a shell is blocked. Download and inspect scripts before executing.",
   },
 ];
 

package/templates/hooks/dev-team-task-loop.js

@@ -13,12 +13,12 @@
  * State file: .claude/dev-team-task.json (created by /dev-team:task skill)
  */
 
-'use strict';
+"use strict";
 
-const fs = require('fs');
-const path = require('path');
+const fs = require("fs");
+const path = require("path");
 
-const STATE_FILE = path.join(process.cwd(), '.claude', 'dev-team-task.json');
+const STATE_FILE = path.join(process.cwd(), ".claude", "dev-team-task.json");
 
 // No state file means no active task loop — allow normal exit
 if (!fs.existsSync(STATE_FILE)) {
@@ -27,10 +27,14 @@ if (!fs.existsSync(STATE_FILE)) {
 
 let state;
 try {
-  state = JSON.parse(fs.readFileSync(STATE_FILE, 'utf-8'));
+  state = JSON.parse(fs.readFileSync(STATE_FILE, "utf-8"));
 } catch {
   // Corrupted state file — clean up and allow exit
-  try { fs.unlinkSync(STATE_FILE); } catch { /* ignore */ }
+  try {
+    fs.unlinkSync(STATE_FILE);
+  } catch {
+    /* ignore */
+  }
   process.exit(0);
 }
 
@@ -39,9 +43,13 @@ const { prompt, iteration = 1, maxIterations = 10, sessionId } = state;
 // Check iteration limit
 if (iteration >= maxIterations) {
   console.log(
-    `[dev-team task-loop] Max iterations (${maxIterations}) reached. Exiting loop. Review remaining issues manually.`
+    `[dev-team task-loop] Max iterations (${maxIterations}) reached. Exiting loop. Review remaining issues manually.`,
   );
-  try { fs.unlinkSync(STATE_FILE); } catch { /* ignore */ }
+  try {
+    fs.unlinkSync(STATE_FILE);
+  } catch {
+    /* ignore */
+  }
   process.exit(0);
 }
 
@@ -56,7 +64,7 @@ try {
 
 // Block exit and re-inject the task prompt
 const output = JSON.stringify({
-  decision: 'block',
+  decision: "block",
   reason: prompt,
   systemMessage: `[dev-team task-loop] Iteration ${iteration + 1}/${maxIterations}. Review findings and address any [DEFECT] challenges. When no [DEFECT] remains, output <promise>DONE</promise> to exit the loop. To cancel: delete .claude/dev-team-task.json`,
 });

package/templates/hooks/dev-team-tdd-enforce.js

@@ -12,13 +12,21 @@
  * Exit 2 = block, exit 0 = allow.
  */
 
-'use strict';
+"use strict";
 
-const { execFileSync } = require('child_process');
-const path = require('path');
+const { execFileSync } = require("child_process");
+const path = require("path");
 
-const input = JSON.parse(process.argv[2] || '{}');
-const filePath = (input.tool_input && (input.tool_input.file_path || input.tool_input.path)) || '';
+let input = {};
+try {
+  input = JSON.parse(process.argv[2] || "{}");
+} catch (err) {
+  console.warn(
+    `[dev-team tdd-enforce] Warning: Failed to parse hook input, allowing operation. ${err.message}`,
+  );
+  process.exit(0);
+}
+const filePath = (input.tool_input && (input.tool_input.file_path || input.tool_input.path)) || "";
 
 if (!filePath) {
   process.exit(0);
@@ -28,20 +36,27 @@ const basename = path.basename(filePath);
 const ext = path.extname(filePath);
 
 // Skip non-code files
-const SKIP_EXTENSIONS = ['.md', '.json', '.yml', '.yaml', '.toml', '.txt', '.css', '.svg', '.png', '.jpg', '.gif', '.ico', '.lock'];
+const SKIP_EXTENSIONS = [
+  ".md",
+  ".json",
+  ".yml",
+  ".yaml",
+  ".toml",
+  ".txt",
+  ".css",
+  ".svg",
+  ".png",
+  ".jpg",
+  ".gif",
+  ".ico",
+  ".lock",
+];
 if (SKIP_EXTENSIONS.includes(ext)) {
   process.exit(0);
 }
 
 // Skip if the file IS a test file
-const TEST_PATTERNS = [
-  /\.test\./,
-  /\.spec\./,
-  /_test\./,
-  /\/__tests__\//,
-  /\/test\//,
-  /\/tests\//,
-];
+const TEST_PATTERNS = [/\.test\./, /\.spec\./, /_test\./, /\/__tests__\//, /\/test\//, /\/tests\//];
 
 if (TEST_PATTERNS.some((p) => p.test(filePath))) {
   process.exit(0);
@@ -64,10 +79,10 @@ if (SKIP_PATTERNS.some((p) => p.test(filePath))) {
 }
 
 // Check if any test file has been modified in this session
-let changedFiles = '';
+let changedFiles = "";
 try {
-  changedFiles = execFileSync('git', ['diff', '--name-only'], {
-    encoding: 'utf-8',
+  changedFiles = execFileSync("git", ["diff", "--name-only"], {
+    encoding: "utf-8",
     timeout: 5000,
   });
 } catch {
@@ -76,7 +91,7 @@ try {
 }
 
 const hasTestChanges = changedFiles
-  .split('\n')
+  .split("\n")
   .filter(Boolean)
   .some((f) => TEST_PATTERNS.some((p) => p.test(f)));
 
@@ -88,19 +103,23 @@ if (hasTestChanges) {
 // No test changes — check if a corresponding test file already exists.
 // This allows refactoring (modifying existing tested code) without
 // requiring the test file to also be modified.
-const fs = require('fs');
+const fs = require("fs");
 const dir = path.dirname(filePath);
 const name = path.basename(filePath, ext);
 
 const CANDIDATE_PATTERNS = [
   path.join(dir, `${name}.test${ext}`),
   path.join(dir, `${name}.spec${ext}`),
-  path.join(dir, '__tests__', `${name}${ext}`),
-  path.join(dir, '__tests__', `${name}.test${ext}`),
+  path.join(dir, "__tests__", `${name}${ext}`),
+  path.join(dir, "__tests__", `${name}.test${ext}`),
 ];
 
 const hasExistingTests = CANDIDATE_PATTERNS.some((candidate) => {
-  try { return fs.statSync(candidate).isFile(); } catch { return false; }
+  try {
+    return fs.statSync(candidate).isFile();
+  } catch {
+    return false;
+  }
 });
 
 if (hasExistingTests) {
@@ -110,6 +129,6 @@ if (hasExistingTests) {
 
 // No test changes AND no existing test file — block
 console.error(
-  `[dev-team tdd-enforce] TDD violation: "${basename}" modified but no corresponding test file exists. Write tests first.`
+  `[dev-team tdd-enforce] TDD violation: "${basename}" modified but no corresponding test file exists. Write tests first.`,
 );
 process.exit(2);

package/templates/skills/dev-team-audit/SKILL.md

@@ -0,0 +1,85 @@
+---
+name: dev-team:audit
+description: Full codebase audit combining security, quality, and tooling assessments. Use to run a comprehensive scan with Szabo (security), Knuth (quality), and Deming (tooling) in parallel. Can be scoped to specific directories or file patterns.
+---
+
+Run a comprehensive audit of: $ARGUMENTS
+
+## Setup
+
+1. Determine the audit scope:
+   - If a directory or file pattern is given, scope the audit to those paths
+   - If no argument, audit the entire codebase
+   - Respect `.gitignore` — skip `node_modules/`, `dist/`, build artifacts
+
+2. The audit always spawns three specialist agents:
+   - **@dev-team-szabo** — Security audit
+   - **@dev-team-knuth** — Quality and correctness audit
+   - **@dev-team-deming** — Tooling and automation audit
+
+## Execution
+
+1. Spawn all three agents as **parallel background subagents** using the Agent tool with `subagent_type: "general-purpose"`.
+
+2. Each agent's prompt must include:
+   - The agent's full definition (read from `.claude/agents/<agent>.md`)
+   - The scope (directory/pattern or "full codebase")
+   - Instruction to produce classified findings: `[DEFECT]`, `[RISK]`, `[QUESTION]`, `[SUGGESTION]`
+   - Instruction to read the actual code and tests for full context
+
+3. Agent-specific instructions:
+
+   **Szabo (Security)**:
+   - Map all trust boundaries and entry points
+   - Check for OWASP Top 10 vulnerabilities
+   - Audit auth/authz flows end-to-end
+   - Review secret management and dependency vulnerabilities
+
+   **Knuth (Quality)**:
+   - Identify untested code paths and coverage gaps
+   - Find boundary conditions without tests
+   - Check assertion quality in existing tests
+   - Map test-to-requirement traceability
+
+   **Deming (Tooling)**:
+   - Inventory current tooling (linters, formatters, SAST, CI)
+   - Identify missing automation opportunities
+   - Check for stale dependencies and known vulnerabilities
+   - Evaluate CI pipeline efficiency
+
+4. Wait for all agents to complete.
+
+## Report
+
+Produce a consolidated audit report:
+
+### Executive summary
+
+One paragraph summarizing the overall health of the codebase across all three domains.
+
+### Security findings (@dev-team-szabo)
+
+List all findings, grouped by classification:
+- `[DEFECT]` — must fix
+- `[RISK]` — should address
+- `[QUESTION]` / `[SUGGESTION]` — consider
+
+### Quality findings (@dev-team-knuth)
+
+Same grouping. Include specific files and line references.
+
+### Tooling findings (@dev-team-deming)
+
+Same grouping. Include actionable recommendations.
+
+### Priority matrix
+
+| Priority | Finding | Agent | Action |
+|----------|---------|-------|--------|
+| P0 (fix now) | `[DEFECT]` items | ... | ... |
+| P1 (fix soon) | `[RISK]` items | ... | ... |
+| P2 (improve) | `[SUGGESTION]` items | ... | ... |
+
+### Recommended next steps
+
+Numbered list of concrete actions, ordered by priority. Each action should reference the specific finding it addresses.

package/templates/skills/dev-team-review/SKILL.md

@@ -0,0 +1,68 @@
+---
+name: dev-team:review
+description: Orchestrated multi-agent parallel review. Use to review a PR, branch, or set of changes with multiple specialist agents simultaneously. Spawns agents based on changed file patterns and produces a unified review summary.
+---
+
+Run a multi-agent parallel review of: $ARGUMENTS
+
+## Setup
+
+1. Determine what to review:
+   - If a PR number or branch is given, use `git diff` to get the changed files
+   - If a directory or file pattern is given, review those files
+   - If no argument, review all uncommitted changes (`git diff HEAD`)
+
+2. Categorize changed files by domain to determine which agents to spawn:
+
+| File pattern | Agent | Reason |
+|---|---|---|
+| `auth`, `login`, `password`, `token`, `session`, `crypto`, `secret`, `permission`, `oauth`, `jwt`, `cors`, `csrf` | @dev-team-szabo | Security surface |
+| `/api/`, `/routes/`, `schema`, `.graphql`, `.proto`, `openapi` | @dev-team-mori | API/UI contract |
+| `docker`, `.env`, `config`, `migration`, `database`, `.sql`, `deploy` | @dev-team-voss | Infrastructure |
+| `.github/workflows`, `.claude/`, `tsconfig`, `eslint`, `prettier`, `package.json` | @dev-team-deming | Tooling |
+| `readme`, `changelog`, `.md`, `/docs/` | @dev-team-docs | Documentation |
+| `/adr/`, `architecture`, `/core/`, `/domain/` | @dev-team-architect | Architecture |
+| `package.json`, `version`, `changelog`, release workflows | @dev-team-release | Release artifacts |
+| Any `.js`, `.ts`, `.py`, `.go`, `.java`, `.rs` (non-test) | @dev-team-knuth | Quality/coverage |
+
+3. Always include @dev-team-szabo and @dev-team-knuth — they review all code changes.
+
+## Execution
+
+1. Spawn each selected agent as a **parallel background subagent** using the Agent tool with `subagent_type: "general-purpose"`.
+
+2. Each agent's prompt must include:
+   - The agent's full definition (read from `.claude/agents/<agent>.md`)
+   - The list of changed files relevant to their domain
+   - Instruction to produce classified findings: `[DEFECT]`, `[RISK]`, `[QUESTION]`, `[SUGGESTION]`
+   - Instruction to read the actual code — not just the diff — for full context
+
+3. Wait for all agents to complete.
+
+## Report
+
+Produce a unified review summary:
+
+### Blocking findings ([DEFECT])
+
+List all `[DEFECT]` findings from all agents. These must be resolved before merge.
+
+Format each as:
+```
+**[DEFECT]** @agent-name — file:line
+Description of the defect and why it blocks.
+```
+
+### Advisory findings
+
+Group by severity:
+- **[RISK]** — likely failure modes
+- **[QUESTION]** — decisions needing justification
+- **[SUGGESTION]** — specific improvements
+
+### Verdict
+
+- **Approve** — No `[DEFECT]` findings. Advisory items noted.
+- **Request changes** — `[DEFECT]` findings must be resolved.
+
+State the verdict clearly. List what must be fixed for approval if requesting changes.