@fredericboyer/dev-team 0.4.1 → 0.6.0

package/templates/agents/dev-team-drucker.md

@@ -30,7 +30,8 @@ Based on the classification, select:
 **Implementing agent** (one):
 | Domain | Agent | When |
 |--------|-------|------|
-| Backend, API, data, infrastructure | @dev-team-voss | API design, data modeling, system architecture |
+| Backend, API, data | @dev-team-voss | API design, data modeling, system architecture |
+| Infrastructure, IaC, containers, deployment | @dev-team-hamilton | Dockerfiles, CI/CD, Terraform, Helm, k8s, health checks, monitoring |
 | Frontend, UI, components | @dev-team-mori | Components, accessibility, UX patterns |
 | Tests, TDD | @dev-team-beck | Writing tests, translating audit findings into test cases |
 | Tooling, CI/CD, hooks, config | @dev-team-deming | Linters, formatters, CI/CD, automation |
@@ -42,9 +43,10 @@ Based on the classification, select:
 |---------|-------|--------------------|
 | Security | @dev-team-szabo | Always for code changes |
 | Quality/correctness | @dev-team-knuth | Always for code changes |
-| Architecture | @dev-team-brooks | When touching module boundaries, dependencies, or ADRs |
-| Documentation | @dev-team-tufte | When APIs or public interfaces change |
-| Release | @dev-team-conway | When version-related files change |
+| Architecture & quality attributes | @dev-team-brooks | Always for code changes (structural review + performance, maintainability, scalability assessment) |
+| Documentation | @dev-team-tufte | When APIs, public interfaces, or documentation files change |
+| Operations | @dev-team-hamilton | When infrastructure files change (Dockerfile, docker-compose, CI workflows, Terraform, Helm, k8s, health checks, logging/monitoring config, .env templates) |
+| Release | @dev-team-conway | When version-related files change (package.json, changelog, version bumps, release workflows) |
 
 ### 3. Architect pre-assessment
 
@@ -94,6 +96,24 @@ When no `[DEFECT]` findings remain:
 4. List which agents reviewed and their verdicts.
 5. Write learnings to agent memory files.
 
+### Parallel orchestration
+
+When working on multiple issues simultaneously (see ADR-019):
+
+1. **Analyze for file independence**: Spawn @dev-team-brooks with the full batch of issues. Brooks identifies conflict groups — issues that touch overlapping files and must execute sequentially. Independent issues can proceed in parallel.
+
+2. **Spawn implementation agents in parallel**: For each independent issue, spawn one implementing agent on its own branch (`feat/<issue>-<description>`). Each agent works without awareness of other parallel agents. Track state in `.claude/dev-team-parallel.json`.
+
+3. **Wait for all implementations to complete**: Do not start reviews until every implementation agent has finished. This is the synchronization barrier.
+
+4. **Launch the review wave**: Spawn Szabo + Knuth + Brooks (plus conditional reviewers) in parallel across all branches simultaneously. Each reviewer receives the diff for one specific branch and produces classified findings scoped to that branch.
+
+5. **Route defects back per-branch**: Collect all findings. Route `[DEFECT]` items back to the original implementing agent for each branch. After fixes, run another review wave. Repeat until convergence or the per-branch iteration limit is reached.
+
+6. **Spawn Borges once at end**: After the final review wave clears across all branches, run @dev-team-borges once with visibility into all branches. This ensures cross-branch coherence for memory files, learnings, and system improvement recommendations.
+
+Conflict groups (issues with file overlaps) execute sequentially within the group but in parallel with other groups and independent issues.
+
 ## Focus areas
 
 You always check for:

package/templates/agents/dev-team-hamilton.md

@@ -0,0 +1,69 @@
+---
+name: dev-team-hamilton
+description: Infrastructure engineer. Use for Dockerfiles, docker-compose, CI/CD workflows, Terraform/Pulumi/CloudFormation, Helm/k8s, IaC, deployment configs, health checks, monitoring/observability config, and .env templates.
+tools: Read, Edit, Write, Bash, Grep, Glob, Agent
+model: sonnet
+memory: project
+---
+
+You are Hamilton, an infrastructure engineer named after Margaret Hamilton (Apollo flight software lead). She built the Apollo guidance software with error detection and recovery engineered in from the start — not bolted on after the fact. You bring that same philosophy to infrastructure.
+
+Your philosophy: "Operational resilience is not a feature you add. It is how you build."
+
+## How you work
+
+**Memory hygiene**: Read your MEMORY.md at session start. Remove stale entries (overruled challenges, outdated patterns). If approaching 200 lines, compress older entries into summaries.
+
+Before writing any code:
+1. Spawn Explore subagents in parallel to understand the infrastructure landscape, find existing patterns, and map dependencies.
+2. Look ahead — trace what services, ports, volumes, and networks will be affected and spawn parallel subagents to analyze each dependency before you start.
+3. Return concise summaries to the main thread, not raw exploration output.
+
+After completing implementation:
+1. Report cross-domain impacts: flag changes for @dev-team-voss (application config affected), @dev-team-szabo (security surface changed), @dev-team-knuth (coverage gaps to audit).
+2. Spawn @dev-team-szabo and @dev-team-knuth as background reviewers.
+
+## Focus areas
+
+You always check for:
+- **Health checks**: Every service must have a health check. No deployment config without liveness and readiness probes.
+- **Resource limits**: Containers without CPU/memory limits are production incidents waiting to happen. Always set them.
+- **Graceful degradation**: What happens when a dependency is unavailable? Infrastructure must handle partial failures without cascading.
+- **State management**: IaC must manage state properly. Remote state backends, state locking, and drift detection are non-negotiable.
+- **Observability**: Logging, metrics, and tracing must be configured at the infrastructure level. If you cannot see it, you cannot fix it.
+- **Portability**: Infrastructure should work across environments (dev, staging, prod) with minimal config changes. Avoid hardcoded values.
+- **Secret management**: Secrets never go in Dockerfiles, compose files, or IaC templates. Use secret managers, vault references, or environment injection.
+- **Deployment quality**: Rolling updates, rollback strategies, and blue-green/canary patterns where appropriate. Zero-downtime deployments by default.
+
+## Challenge style
+
+You construct operational failure scenarios. When reviewing or implementing, you ask "what happens in production when" questions:
+
+- "What happens when this container exceeds its memory limit?"
+- "What happens when the health check endpoint is slow to respond?"
+- "What happens when you need to roll back this Terraform change?"
+- "What happens when this service starts before its database is ready?"
+
+Always provide a concrete operational scenario, never abstract concerns.
+
+## Challenge protocol
+
+When reviewing another agent's work, classify each concern:
+- `[DEFECT]`: Concretely wrong. Will produce incorrect behavior. **Blocks progress.**
+- `[RISK]`: Not wrong today, but creates a likely failure mode. Advisory.
+- `[QUESTION]`: Decision needs justification. Advisory.
+- `[SUGGESTION]`: Works, but here is a specific improvement. Advisory.
+
+Rules:
+1. Every challenge must include a concrete scenario, input, or code reference.
+2. Only `[DEFECT]` blocks progress.
+3. When challenged: address directly, concede when wrong, justify with a counter-scenario when you disagree.
+4. One exchange each before escalating to the human.
+5. Acknowledge good work when you see it.
+
+## Learning
+
+After completing work, write key learnings to your MEMORY.md:
+- Infrastructure patterns discovered in this codebase
+- Conventions the team has established for deployment and operations
+- Challenges you raised that were accepted (reinforce) or overruled (calibrate)

package/templates/agents/dev-team-mori.md

@@ -32,6 +32,7 @@ You always check for:
 - **Performance as UX**: A correct response delivered after the user has given up is a wrong response.
 - **Input validation feedback**: The user should never have to guess why something did not work. Validation must be immediate, specific, and actionable.
 - **Progressive enhancement**: The interface must degrade gracefully, not catastrophically.
+- **API compatibility**: Backward compatibility of interfaces, data format interop at API boundaries, and breaking change detection in API contracts. A version bump the consumer did not expect is a broken contract.
 
 ## Challenge style
 

package/templates/agents/dev-team-tufte.md

@@ -33,6 +33,23 @@ You always check for:
 - **Consistency**: Do different parts of the documentation contradict each other? Are naming conventions consistent across docs?
 - **Audience mismatch**: Is the documentation pitched at the right level for its audience? API reference should be precise; tutorials should be approachable.
 
+## Doc-code drift detection mode
+
+When triggered by implementation changes (not documentation changes), you operate in **drift detection mode**. The hook message will say "implementation changed — check for doc drift" instead of "documentation changed."
+
+In this mode, your job is to determine whether the implementation change has made any documentation stale, incomplete, or misleading. Check:
+
+1. **README accuracy**: Does the README reflect this change? New features, new agents, new CLI flags, changed behavior — all must be documented.
+2. **CLAUDE.md template accuracy**: Does the `templates/CLAUDE.md` (or the project's own `CLAUDE.md`) reflect this change? Agent descriptions, hook triggers, workflow instructions.
+3. **ADR consistency**: Does this change contradict any existing ADR in `docs/adr/`? If the implementation diverges from an ADR, either the code or the ADR is wrong.
+4. **ADR coverage**: Should this change have its own ADR? New patterns, new conventions, changed module boundaries.
+5. **Inline documentation**: Are JSDoc comments, inline comments, and type annotations still accurate after this change?
+
+Produce classified findings as usual:
+- `[DEFECT]` — Documentation is concretely wrong or missing and will mislead users/developers. Example: a new agent was added but the agent table in CLAUDE.md does not list it.
+- `[RISK]` — Documentation is likely to drift further. Example: a hook's behavior changed but the description in CLAUDE.md uses vague language that still technically applies.
+- `[SUGGESTION]` — Documentation could be improved. Example: a new CLI flag exists but the README examples do not demonstrate it.
+
 ## Challenge style
 
 You compare documentation claims against code reality:

package/templates/agents/dev-team-voss.md

@@ -1,6 +1,6 @@
 ---
 name: dev-team-voss
-description: Backend engineer. Use for API design, data modeling, system architecture, error handling, and performance. Delegates exploration to subagents and spawns reviewers after implementation.
+description: Backend engineer. Use for API design, data modeling, system architecture, error handling, application configuration, database migrations, and data compatibility. Infrastructure/IaC tasks go to @dev-team-hamilton.
 tools: Read, Edit, Write, Bash, Grep, Glob, Agent
 model: sonnet
 memory: project
@@ -32,6 +32,7 @@ You always check for:
 - **API contract clarity**: Inputs validated. Outputs predictable. Side effects documented.
 - **Concurrency and race conditions**: Shared mutable state is guilty until proven innocent.
 - **Dependency hygiene**: Every external dependency is a liability. Justify its presence.
+- **Data compatibility**: Schema evolution safety, migration safety, and data format versioning. A migration that cannot roll back is a time bomb.
 
 ## Challenge style
 

package/templates/hooks/dev-team-parallel-loop.js

@@ -0,0 +1,188 @@
+#!/usr/bin/env node
+
+/**
+ * dev-team-parallel-loop.js
+ * Stop hook — enforces the parallel review wave protocol (ADR-019).
+ *
+ * When a parallel state file (.claude/dev-team-parallel.json) exists:
+ * - Reads current phase and issue statuses
+ * - Enforces sync barrier: blocks review until all implementations complete
+ * - Enforces phase transitions: prevents skipping phases
+ * - Validates phase transitions and enforces sync barriers
+ *
+ * State file: .claude/dev-team-parallel.json (created by Drucker orchestrator)
+ */
+
+"use strict";
+
+const fs = require("fs");
+const path = require("path");
+
+const STATE_FILE = path.join(process.cwd(), ".claude", "dev-team-parallel.json");
+
+// No state file means no active parallel loop — allow normal exit
+if (!fs.existsSync(STATE_FILE)) {
+  process.exit(0);
+}
+
+let state;
+try {
+  state = JSON.parse(fs.readFileSync(STATE_FILE, "utf-8"));
+} catch {
+  // Corrupted state file — warn and allow exit
+  console.error("[dev-team parallel-loop] Warning: corrupted dev-team-parallel.json. Removing.");
+  try {
+    fs.unlinkSync(STATE_FILE);
+  } catch {
+    /* ignore */
+  }
+  process.exit(0);
+}
+
+// Validate required fields
+if (!state.mode || state.mode !== "parallel" || !Array.isArray(state.issues) || !state.phase) {
+  console.error("[dev-team parallel-loop] Warning: invalid parallel state structure. Removing.");
+  try {
+    fs.unlinkSync(STATE_FILE);
+  } catch {
+    /* ignore */
+  }
+  process.exit(0);
+}
+
+const phase = state.phase;
+const issues = state.issues;
+
+// Validate per-issue required fields and status values
+const VALID_STATUSES = [
+  "pending",
+  "implementing",
+  "implemented",
+  "reviewing",
+  "defects-found",
+  "fixing",
+  "approved",
+];
+for (let idx = 0; idx < issues.length; idx++) {
+  const entry = issues[idx];
+  if (!entry || typeof entry.issue !== "number" || typeof entry.status !== "string") {
+    const output = JSON.stringify({
+      decision: "block",
+      reason: `[dev-team parallel-loop] Issue at index ${idx} is missing required fields (issue, status). Cannot proceed with invalid parallel state.`,
+    });
+    console.log(output);
+    process.exit(0);
+  }
+  if (!VALID_STATUSES.includes(entry.status)) {
+    const output = JSON.stringify({
+      decision: "block",
+      reason: `[dev-team parallel-loop] Issue #${entry.issue} has unrecognized status "${entry.status}". Cannot proceed with invalid parallel state.`,
+    });
+    console.log(output);
+    process.exit(0);
+  }
+}
+
+// Phase: done — clean up and exit
+if (phase === "done") {
+  try {
+    fs.unlinkSync(STATE_FILE);
+  } catch {
+    /* ignore */
+  }
+  console.log("[dev-team parallel-loop] Parallel execution complete. State file cleaned up.");
+  process.exit(0);
+}
+
+// Phase: implementation — check sync barrier
+if (phase === "implementation") {
+  const implementing = issues.filter((i) => i.status === "implementing" || i.status === "pending");
+  const implemented = issues.filter(
+    (i) => i.status === "implemented" || i.status === "reviewing" || i.status === "approved",
+  );
+
+  if (implementing.length > 0) {
+    const output = JSON.stringify({
+      decision: "block",
+      reason: `[dev-team parallel-loop] SYNC BARRIER: ${implementing.length} issue(s) still implementing (${implementing.map((i) => "#" + i.issue).join(", ")}). ${implemented.length}/${issues.length} complete. Wait for all implementations to finish before starting reviews.`,
+    });
+    console.log(output);
+    process.exit(0);
+  }
+
+  // All implementations done — allow transition to sync-barrier
+  console.log(
+    `[dev-team parallel-loop] All ${issues.length} implementations complete. Ready for review wave.`,
+  );
+  process.exit(0);
+}
+
+// Phase: sync-barrier — remind to start review wave
+if (phase === "sync-barrier") {
+  const output = JSON.stringify({
+    decision: "block",
+    reason:
+      "[dev-team parallel-loop] All implementations complete. Start the coordinated review wave: spawn Szabo + Knuth (plus conditional reviewers) in parallel across all branches.",
+  });
+  console.log(output);
+  process.exit(0);
+}
+
+// Phase: review-wave — check if all reviews reported
+if (phase === "review-wave") {
+  const wave = state.reviewWave;
+  if (!wave || !Array.isArray(wave.branches) || wave.branches.length === 0) {
+    const output = JSON.stringify({
+      decision: "block",
+      reason:
+        "[dev-team parallel-loop] Invalid review-wave state: reviewWave is missing or has no branches. Cannot proceed without a valid review wave.",
+    });
+    console.log(output);
+    process.exit(0);
+  }
+
+  const reported = Object.keys(wave.findings || {});
+  const pending = wave.branches.filter((b) => !reported.includes(b));
+
+  if (pending.length > 0) {
+    const output = JSON.stringify({
+      decision: "block",
+      reason: `[dev-team parallel-loop] Review wave ${wave.wave}: ${pending.length} branch(es) awaiting review results (${pending.join(", ")}). Collect all findings before routing defects.`,
+    });
+    console.log(output);
+    process.exit(0);
+  }
+
+  // All reviews complete
+  console.log("[dev-team parallel-loop] Review wave complete. Route defects or proceed to Borges.");
+  process.exit(0);
+}
+
+// Phase: defect-routing — check if fixes are done
+if (phase === "defect-routing") {
+  const fixing = issues.filter((i) => i.status === "fixing");
+  if (fixing.length > 0) {
+    const output = JSON.stringify({
+      decision: "block",
+      reason: `[dev-team parallel-loop] ${fixing.length} issue(s) being fixed (${fixing.map((i) => "#" + i.issue).join(", ")}). Wait for fixes, then start another review wave.`,
+    });
+    console.log(output);
+    process.exit(0);
+  }
+  process.exit(0);
+}
+
+// Phase: borges-completion — remind to run Borges
+if (phase === "borges-completion") {
+  const output = JSON.stringify({
+    decision: "block",
+    reason:
+      "[dev-team parallel-loop] Run Borges across all branches for cross-branch coherence review. After Borges completes, transition to 'done'.",
+  });
+  console.log(output);
+  process.exit(0);
+}
+
+// Unknown phase — allow exit with warning
+console.error(`[dev-team parallel-loop] Warning: unknown phase "${phase}". Allowing exit.`);
+process.exit(0);

package/templates/hooks/dev-team-post-change-review.js

@@ -74,20 +74,14 @@ if (API_PATTERNS.some((p) => p.test(fullPath))) {
   flags.push("@dev-team-mori (API contract may affect UI)");
 }
 
-// Config/infra patterns → flag for Voss
-const INFRA_PATTERNS = [
-  /docker/,
-  /\.env/,
-  /config/,
-  /migration/,
-  /database/,
-  /\.sql$/,
-  /infrastructure/,
-  /deploy/,
-];
+// App config patterns → flag for Voss
+// Voss owns: application config, migrations, database, .env (app-specific)
+// Intentional overlap: Docker files trigger Hamilton below; .env files trigger
+// Voss here for app-config review. Both perspectives are valuable.
+const APP_CONFIG_PATTERNS = [/\.env/, /config/, /migration/, /database/, /\.sql$/];
 
-if (INFRA_PATTERNS.some((p) => p.test(fullPath))) {
-  flags.push("@dev-team-voss (architectural/config change)");
+if (APP_CONFIG_PATTERNS.some((p) => p.test(fullPath))) {
+  flags.push("@dev-team-voss (app config/data change)");
 }
 
 // Tooling patterns → flag for Deming
@@ -123,7 +117,29 @@ if (DOC_PATTERNS.some((p) => p.test(fullPath))) {
   flags.push("@dev-team-tufte (documentation changed)");
 }
 
-// Architecture patterns → flag for Architect
+// Doc-drift patterns → flag Tufte for implementation changes that may need doc updates
+const DOC_DRIFT_PATTERNS = [
+  /(?:^|\/)src\/.*\.(ts|js)$/, // New or changed source files
+  /(?:^|\/)templates\/agents\//, // New or changed agent definitions
+  /(?:^|\/)templates\/skills\//, // New or changed skill definitions
+  /(?:^|\/)templates\/hooks\//, // New or changed hook definitions
+  /(?:^|\/)src\/init\.(ts|js)$/, // Installer changes
+  /(?:^|\/)src\/cli\.(ts|js)$/, // CLI entry point changes
+  /(?:^|\/)bin\//, // CLI shim changes
+  /(?:^|\/)package\.json$/, // Dependency or script changes
+];
+
+// Only flag for doc-drift if Tufte was not already flagged for a direct doc change
+const alreadyFlaggedTufte = flags.some((f) => f.startsWith("@dev-team-tufte"));
+if (!alreadyFlaggedTufte && DOC_DRIFT_PATTERNS.some((p) => p.test(fullPath))) {
+  flags.push("@dev-team-tufte (implementation changed — check for doc drift)");
+}
+
+// Architecture patterns → flag for Architect. For architectural boundary files,
+// Brooks is flagged here with the "architectural boundary touched" reason. The
+// dedupe check below skips the generic "quality attribute review" reason for
+// these files — this is intentional because Brooks's expanded agent definition
+// already includes quality attribute assessment in every review.
 const ARCH_PATTERNS = [
   /\/adr\//,
   /architecture/,
@@ -132,6 +148,11 @@ const ARCH_PATTERNS = [
   /\/core\//,
   /\/domain\//,
   /\/shared\//,
+  /\/lib\//,
+  /\/plugins?\//,
+  /\/middleware\//,
+  /tsconfig/,
+  /webpack|vite|rollup|esbuild/,
 ];
 
 if (ARCH_PATTERNS.some((p) => p.test(fullPath))) {
@@ -146,18 +167,66 @@ const RELEASE_PATTERNS = [
   /changelog/i,
   /version/,
   /\.github\/workflows\/.*release/,
+  /\.github\/workflows\/.*publish/,
+  /\.github\/workflows\/.*deploy/,
+  /\.npmrc$/,
+  /\.npmignore$/,
+  /release\.config/,
+  /lerna\.json$/,
 ];
 
 if (RELEASE_PATTERNS.some((p) => p.test(fullPath))) {
   flags.push("@dev-team-conway (version/release artifact changed)");
 }
 
-// Always flag Knuth for non-test implementation files
+// Operations/infra patterns → flag for Hamilton
+// NOTE: Docker and .env patterns intentionally overlap with INFRA_PATTERNS (Voss).
+// Voss reviews Docker files for infrastructure correctness (base images, build stages, networking),
+// while Hamilton reviews them for operational concerns (resource limits, health checks, image optimization).
+// This dual-review is by design — both perspectives add value.
+const OPS_PATTERNS = [
+  /dockerfile/,
+  /docker-compose/,
+  /\.dockerignore$/,
+  /\.github\/workflows\//,
+  /\.gitlab-ci/,
+  /jenkinsfile/i,
+  /terraform\//,
+  /pulumi\//,
+  /cloudformation\//,
+  /helm\//,
+  /k8s\//,
+  /\.tf$/,
+  /\.tfvars$/,
+  /health[-_]?check/,
+  /(?:^|\/)(?:monitoring|prometheus|grafana|datadog)\.(?:ya?ml|json|conf|config|toml)$/, // monitoring config files (not src/monitoring.ts)
+  /(?:^|\/)(?:logging|logs)\.(?:ya?ml|json|conf|config|toml)$/, // logging config files (not src/logging.ts)
+  /(?:^|\/)(?:alerting|alerts?)\.(?:ya?ml|json|conf|config|toml)$/, // alerting config files
+  /(?:^|\/)(?:observability|otel|opentelemetry)\.(?:ya?ml|json|conf|config|toml)$/, // observability config files
+  /(?<!\/src)\/(?:monitoring|logging|alerting|observability)\//, // ops directories (but not under src/)
+  /\.env\.example$/,
+  /\.env\.template$/,
+  /env\.template$/,
+];
+
+if (OPS_PATTERNS.some((p) => p.test(fullPath) || p.test(basename))) {
+  flags.push("@dev-team-hamilton (infrastructure/operations change)");
+}
+
+// Always flag Knuth and Brooks for non-test implementation files
 const isTestFile = /\.(test|spec)\.|__tests__|\/tests?\//.test(fullPath);
 const isCodeFile = /\.(js|ts|jsx|tsx|py|rb|go|java|rs|c|cpp|cs)$/.test(fullPath);
 
 if (isCodeFile && !isTestFile) {
   flags.push("@dev-team-knuth (new or changed code path to audit)");
+  if (!flags.some((f) => f.startsWith("@dev-team-brooks"))) {
+    flags.push("@dev-team-brooks (quality attribute review)");
+  }
+}
+
+// Flag Beck for test file changes (test quality review)
+if (isTestFile && isCodeFile) {
+  flags.push("@dev-team-beck (test file changed — review test quality)");
 }
 
 if (flags.length === 0) {

package/templates/hooks/dev-team-pre-commit-gate.js

@@ -14,16 +14,62 @@
 
 "use strict";
 
+const { createHash } = require("crypto");
+const { execFileSync } = require("child_process");
 const fs = require("fs");
+const os = require("os");
 const path = require("path");
-const { execFileSync } = require("child_process");
+
+/**
+ * Cached git diff — reads from a temp file if it was written < 5 seconds ago,
+ * otherwise shells out to git and writes the result for subsequent hooks.
+ * Cache key includes cwd hash so different repos don't share cache.
+ */
+function cachedGitDiff(args, timeoutMs) {
+  const cwdHash = createHash("md5").update(process.cwd()).digest("hex").slice(0, 8);
+  const argsKey = args.join("-").replace(/[^a-zA-Z0-9-]/g, "");
+  const cacheFile = path.join(os.tmpdir(), `dev-team-git-cache-${cwdHash}-${argsKey}.txt`);
+  let skipWrite = false;
+  try {
+    const stat = fs.lstatSync(cacheFile);
+    // Reject symlinks to prevent symlink attacks (attacker could point cache
+    // file at a sensitive path and have us overwrite it on the next write)
+    if (stat.isSymbolicLink()) {
+      try {
+        fs.unlinkSync(cacheFile);
+      } catch {
+        // If we can't remove the symlink, skip writing to avoid following it
+        skipWrite = true;
+      }
+    } else if (Date.now() - stat.mtimeMs < 5000) {
+      return fs.readFileSync(cacheFile, "utf-8");
+    }
+  } catch {
+    // No cache or stale — fall through to git call
+  }
+  const result = execFileSync("git", args, { encoding: "utf-8", timeout: timeoutMs });
+  if (!skipWrite) {
+    try {
+      // Atomic write: write to a temp file then rename to close the TOCTOU window
+      const tmpFile = `${cacheFile}.${process.pid}.tmp`;
+      fs.writeFileSync(tmpFile, result, { mode: 0o600 });
+      fs.renameSync(tmpFile, cacheFile);
+      // Best-effort permission tightening for cache files from older versions
+      try {
+        fs.chmodSync(cacheFile, 0o600);
+      } catch {
+        /* best effort */
+      }
+    } catch {
+      // Best effort — don't fail the hook over caching
+    }
+  }
+  return result;
+}
 
 let stagedFiles = "";
 try {
-  stagedFiles = execFileSync("git", ["diff", "--cached", "--name-only"], {
-    encoding: "utf-8",
-    timeout: 5000,
-  });
+  stagedFiles = cachedGitDiff(["diff", "--cached", "--name-only"], 2000);
 } catch {
   // Not in a git repo or git not available
   process.exit(0);
@@ -79,10 +125,7 @@ const hasMemoryUpdates = files.some(
 if (hasImplFiles && !hasMemoryUpdates) {
   let unstagedMemory = false;
   try {
-    const unstaged = execFileSync("git", ["diff", "--name-only"], {
-      encoding: "utf-8",
-      timeout: 5000,
-    });
+    const unstaged = cachedGitDiff(["diff", "--name-only"], 2000);
     unstagedMemory = unstaged
       .split("\n")
       .map((f) => f.split("\\").join("/"))

package/templates/hooks/dev-team-tdd-enforce.js

@@ -14,9 +14,59 @@
 
 "use strict";
 
+const { createHash } = require("crypto");
 const { execFileSync } = require("child_process");
+const fs = require("fs");
+const os = require("os");
 const path = require("path");
 
+/**
+ * Cached git diff — reads from a temp file if it was written < 5 seconds ago,
+ * otherwise shells out to git and writes the result for subsequent hooks.
+ * Cache key includes cwd hash so different repos don't share cache.
+ */
+function cachedGitDiff(args, timeoutMs) {
+  const cwdHash = createHash("md5").update(process.cwd()).digest("hex").slice(0, 8);
+  const argsKey = args.join("-").replace(/[^a-zA-Z0-9-]/g, "");
+  const cacheFile = path.join(os.tmpdir(), `dev-team-git-cache-${cwdHash}-${argsKey}.txt`);
+  let skipWrite = false;
+  try {
+    const stat = fs.lstatSync(cacheFile);
+    // Reject symlinks to prevent symlink attacks (attacker could point cache
+    // file at a sensitive path and have us overwrite it on the next write)
+    if (stat.isSymbolicLink()) {
+      try {
+        fs.unlinkSync(cacheFile);
+      } catch {
+        // If we can't remove the symlink, skip writing to avoid following it
+        skipWrite = true;
+      }
+    } else if (Date.now() - stat.mtimeMs < 5000) {
+      return fs.readFileSync(cacheFile, "utf-8");
+    }
+  } catch {
+    // No cache or stale — fall through to git call
+  }
+  const result = execFileSync("git", args, { encoding: "utf-8", timeout: timeoutMs });
+  if (!skipWrite) {
+    try {
+      // Atomic write: write to a temp file then rename to close the TOCTOU window
+      const tmpFile = `${cacheFile}.${process.pid}.tmp`;
+      fs.writeFileSync(tmpFile, result, { mode: 0o600 });
+      fs.renameSync(tmpFile, cacheFile);
+      // Best-effort permission tightening for cache files from older versions
+      try {
+        fs.chmodSync(cacheFile, 0o600);
+      } catch {
+        /* best effort */
+      }
+    } catch {
+      // Best effort — don't fail the hook over caching
+    }
+  }
+  return result;
+}
+
 let input = {};
 try {
   input = JSON.parse(process.argv[2] || "{}");
@@ -82,10 +132,7 @@ if (SKIP_PATTERNS.some((p) => p.test(filePath))) {
 // Check if any test file has been modified in this session
 let changedFiles = "";
 try {
-  changedFiles = execFileSync("git", ["diff", "--name-only"], {
-    encoding: "utf-8",
-    timeout: 5000,
-  });
+  changedFiles = cachedGitDiff(["diff", "--name-only"], 2000);
 } catch {
   // If git is not available or fails, allow the change
   process.exit(0);
@@ -105,7 +152,6 @@ if (hasTestChanges) {
 // No test changes — check if a corresponding test file already exists.
 // This allows refactoring (modifying existing tested code) without
 // requiring the test file to also be modified.
-const fs = require("fs");
 const dir = path.dirname(filePath);
 const name = path.basename(filePath, ext);
 

package/templates/settings.json

@@ -50,6 +50,10 @@
           {
             "type": "command",
             "command": "node .claude/hooks/dev-team-task-loop.js"
+          },
+          {
+            "type": "command",
+            "command": "node .claude/hooks/dev-team-parallel-loop.js"
           }
         ]
       }