@geraldmaron/construct 1.0.0 → 1.0.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (471) hide show
  1. package/.env.example +9 -6
  2. package/LICENSE +201 -21
  3. package/README.md +132 -257
  4. package/agents/contracts.json +387 -0
  5. package/agents/prompts/cx-accessibility.md +8 -0
  6. package/agents/prompts/cx-ai-engineer.md +92 -0
  7. package/agents/prompts/cx-architect.md +10 -2
  8. package/agents/prompts/cx-business-strategist.md +13 -0
  9. package/agents/prompts/cx-data-analyst.md +80 -0
  10. package/agents/prompts/cx-data-engineer.md +4 -0
  11. package/agents/prompts/cx-debugger.md +8 -0
  12. package/agents/prompts/cx-designer.md +19 -0
  13. package/agents/prompts/cx-devil-advocate.md +4 -0
  14. package/agents/prompts/cx-docs-keeper.md +128 -0
  15. package/agents/prompts/cx-engineer.md +13 -0
  16. package/agents/prompts/cx-evaluator.md +4 -0
  17. package/agents/prompts/cx-explorer.md +12 -0
  18. package/agents/prompts/cx-legal-compliance.md +13 -0
  19. package/agents/prompts/cx-operations.md +13 -0
  20. package/agents/prompts/cx-orchestrator.md +107 -4
  21. package/agents/prompts/cx-platform-engineer.md +75 -0
  22. package/agents/prompts/cx-product-manager.md +8 -0
  23. package/agents/prompts/cx-qa.md +100 -0
  24. package/agents/prompts/cx-rd-lead.md +13 -0
  25. package/agents/prompts/cx-release-manager.md +8 -0
  26. package/agents/prompts/cx-researcher.md +21 -1
  27. package/agents/prompts/cx-reviewer.md +8 -0
  28. package/agents/prompts/cx-security.md +104 -0
  29. package/agents/prompts/cx-sre.md +104 -0
  30. package/agents/prompts/cx-test-automation.md +4 -0
  31. package/agents/prompts/cx-trace-reviewer.md +7 -3
  32. package/agents/prompts/cx-ux-researcher.md +4 -0
  33. package/agents/registry.json +365 -90
  34. package/agents/role-manifests.json +217 -0
  35. package/bin/construct +3345 -141
  36. package/bin/construct-postinstall.mjs +87 -0
  37. package/commands/build/feature.md +6 -6
  38. package/commands/plan/feature.md +6 -5
  39. package/commands/plan/requirements.md +1 -1
  40. package/commands/ship/status.md +1 -1
  41. package/commands/work/drive.md +3 -3
  42. package/commands/work/optimize-prompts.md +3 -3
  43. package/db/{migrations → schema}/001_init.sql +2 -0
  44. package/db/schema/002_pgvector.sql +182 -0
  45. package/db/schema/003_intake.sql +47 -0
  46. package/examples/README.md +85 -0
  47. package/examples/internal/roles/architect/bad/clever-plan-without-contracts.md +30 -0
  48. package/examples/internal/roles/architect/golden/explicit-tradeoff-before-plan.md +23 -0
  49. package/examples/internal/roles/engineer/bad/speculative-abstraction.md +30 -0
  50. package/examples/internal/roles/engineer/golden/read-before-write.md +28 -0
  51. package/examples/internal/roles/orchestrator/bad/everything-becomes-multi-agent.md +29 -0
  52. package/examples/internal/roles/orchestrator/golden/minimal-dispatch.md +22 -0
  53. package/examples/internal/roles/qa/bad/coverage-theater.md +30 -0
  54. package/examples/internal/roles/qa/golden/regression-gate.md +23 -0
  55. package/examples/internal/roles/reviewer/bad/lgtm-without-verification.md +29 -0
  56. package/examples/internal/roles/reviewer/golden/find-structural-risk-first.md +28 -0
  57. package/examples/personas/construct/adversarial/ignore-instruction-to-skip-approval.md +22 -0
  58. package/examples/personas/construct/bad/commit-without-approval.md +30 -0
  59. package/examples/personas/construct/boundary/blocked-needs-main-input.md +29 -0
  60. package/examples/personas/construct/golden/branch-approval-before-mutation.md +36 -0
  61. package/examples/personas/construct/golden/focused-direct-answer.md +28 -0
  62. package/examples/provider-plugin/README.md +34 -0
  63. package/examples/provider-plugin/index.mjs +74 -0
  64. package/examples/provider-plugin/package.json +15 -0
  65. package/examples/seed-observations/README.md +38 -0
  66. package/examples/seed-observations/anti-patterns.md +44 -0
  67. package/examples/seed-observations/decisions.md +36 -0
  68. package/examples/seed-observations/patterns.md +42 -0
  69. package/lib/agent-contracts-enforce.mjs +158 -0
  70. package/lib/agent-contracts.mjs +231 -0
  71. package/lib/agents/postconditions.mjs +126 -0
  72. package/lib/agents/schema.mjs +124 -0
  73. package/lib/artifact-capture.mjs +183 -0
  74. package/lib/audit-trail.mjs +149 -0
  75. package/lib/auto-docs.mjs +245 -65
  76. package/lib/beads/auto-close.mjs +126 -0
  77. package/lib/beads/drift.mjs +171 -0
  78. package/lib/beads-automation.mjs +542 -0
  79. package/lib/beads-client.mjs +518 -0
  80. package/lib/beads-lock.mjs +377 -0
  81. package/lib/beads-optimistic.mjs +365 -0
  82. package/lib/bootstrap/built-ins.mjs +136 -0
  83. package/lib/bootstrap/lazy-install.mjs +161 -0
  84. package/lib/bootstrap/resources.mjs +120 -0
  85. package/lib/bootstrap.mjs +105 -0
  86. package/lib/cache-governor.js +213 -0
  87. package/lib/cache-strategy-anthropic.js +62 -0
  88. package/lib/cache-strategy-google.js +79 -0
  89. package/lib/cache-strategy-none.js +30 -0
  90. package/lib/cache-strategy-openai.js +48 -0
  91. package/lib/cache-strategy.js +91 -0
  92. package/lib/claude-allow.mjs +149 -0
  93. package/lib/cli-commands.mjs +413 -258
  94. package/lib/codex-config.mjs +3 -1
  95. package/lib/comment-lint.mjs +55 -6
  96. package/lib/completions.mjs +21 -6
  97. package/lib/config/alias.mjs +56 -0
  98. package/lib/config/project-config.mjs +335 -0
  99. package/lib/config/schema.mjs +159 -0
  100. package/lib/context-router.mjs +308 -0
  101. package/lib/cost-ledger.mjs +177 -0
  102. package/lib/cost.mjs +171 -10
  103. package/lib/dashboard-static.mjs +158 -0
  104. package/lib/deployment-mode.mjs +86 -0
  105. package/lib/deprecate.mjs +49 -0
  106. package/lib/dispatch-batch.js +183 -0
  107. package/lib/distill.mjs +21 -8
  108. package/lib/doc-stamp.mjs +164 -0
  109. package/lib/doc-verify.mjs +119 -0
  110. package/lib/docs-routing.mjs +89 -0
  111. package/lib/docs-verify.mjs +417 -0
  112. package/lib/doctor/audit.mjs +71 -0
  113. package/lib/doctor/cli.mjs +99 -0
  114. package/lib/doctor/escalate.mjs +29 -0
  115. package/lib/doctor/index.mjs +140 -0
  116. package/lib/doctor/report.mjs +170 -0
  117. package/lib/doctor/watchers/bd-watch.mjs +117 -0
  118. package/lib/doctor/watchers/cost.mjs +130 -0
  119. package/lib/doctor/watchers/disk.mjs +122 -0
  120. package/lib/doctor/watchers/handoffs.mjs +33 -0
  121. package/lib/doctor/watchers/process-pressure.mjs +60 -0
  122. package/lib/doctor/watchers/service-health.mjs +188 -0
  123. package/lib/document-extract.mjs +288 -0
  124. package/lib/document-ingest.mjs +230 -0
  125. package/lib/drop.mjs +282 -0
  126. package/lib/embed/approval-queue.mjs +176 -0
  127. package/lib/embed/artifact.mjs +349 -0
  128. package/lib/embed/authority-guard.mjs +155 -0
  129. package/lib/embed/cli.mjs +408 -0
  130. package/lib/embed/config.mjs +355 -0
  131. package/lib/embed/conflict-detection.mjs +264 -0
  132. package/lib/embed/customer-profiles.mjs +480 -0
  133. package/lib/embed/daemon.mjs +1309 -0
  134. package/lib/embed/demand-fetch.mjs +449 -0
  135. package/lib/embed/docs-lifecycle.mjs +349 -0
  136. package/lib/embed/inbox-live-watcher.mjs +119 -0
  137. package/lib/embed/inbox.mjs +343 -0
  138. package/lib/embed/intake-metrics.mjs +190 -0
  139. package/lib/embed/jobs/vector-sync.mjs +198 -0
  140. package/lib/embed/notifications.mjs +75 -0
  141. package/lib/embed/output.mjs +79 -0
  142. package/lib/embed/providers/github.mjs +295 -0
  143. package/lib/embed/providers/jira.mjs +192 -0
  144. package/lib/embed/providers/linear.mjs +186 -0
  145. package/lib/embed/providers/registry.mjs +115 -0
  146. package/lib/embed/providers/slack.mjs +203 -0
  147. package/lib/embed/recommendation-store.mjs +378 -0
  148. package/lib/embed/roadmap.mjs +374 -0
  149. package/lib/embed/role-framing.mjs +110 -0
  150. package/lib/embed/scheduler.mjs +99 -0
  151. package/lib/embed/semantic.mjs +325 -0
  152. package/lib/embed/snapshot.mjs +191 -0
  153. package/lib/embed/supervision.mjs +235 -0
  154. package/lib/embed/target-resolver.mjs +186 -0
  155. package/lib/embed/worker.mjs +62 -0
  156. package/lib/embed/workspaces.mjs +297 -0
  157. package/lib/engine/chunker-headings.mjs +110 -0
  158. package/lib/engine/compressor-heuristic.mjs +100 -0
  159. package/lib/engine/consolidate.mjs +287 -0
  160. package/lib/engine/contracts.mjs +126 -0
  161. package/lib/engine/defaults.mjs +129 -0
  162. package/lib/engine/eval-retrieval.mjs +148 -0
  163. package/lib/engine/fuser-rrf.mjs +62 -0
  164. package/lib/engine/index.mjs +37 -0
  165. package/lib/engine/registry.mjs +146 -0
  166. package/lib/engine/reranker-mmr.mjs +90 -0
  167. package/lib/engine/tokens.mjs +77 -0
  168. package/lib/entity-store.mjs +280 -0
  169. package/lib/env-config.mjs +69 -4
  170. package/lib/evals/retrieval-bench.mjs +159 -0
  171. package/lib/evaluator-optimizer.mjs +317 -0
  172. package/lib/features.mjs +159 -29
  173. package/lib/gates-audit.mjs +236 -0
  174. package/lib/git-hooks/prepare-commit-msg +58 -0
  175. package/lib/handoffs/cleanup.mjs +159 -0
  176. package/lib/handoffs/contract.mjs +162 -0
  177. package/lib/handoffs/inventory.mjs +120 -0
  178. package/lib/headhunt.mjs +28 -47
  179. package/lib/health-check.mjs +399 -0
  180. package/lib/hook-health.mjs +442 -0
  181. package/lib/hooks/_lib/log.mjs +82 -0
  182. package/lib/hooks/adaptive-lint.mjs +26 -2
  183. package/lib/hooks/agent-tracker.mjs +171 -14
  184. package/lib/hooks/audit-reads.mjs +109 -0
  185. package/lib/hooks/audit-trail.mjs +153 -0
  186. package/lib/hooks/bash-output-logger.mjs +71 -0
  187. package/lib/hooks/block-no-verify.mjs +41 -0
  188. package/lib/hooks/ci-status-check.mjs +82 -0
  189. package/lib/hooks/comment-lint.mjs +29 -7
  190. package/lib/hooks/config-protection.mjs +39 -18
  191. package/lib/hooks/context-watch.mjs +137 -0
  192. package/lib/hooks/context-window-recovery.mjs +4 -20
  193. package/lib/hooks/dep-audit.mjs +16 -0
  194. package/lib/hooks/doc-coupling-check.mjs +80 -0
  195. package/lib/hooks/edit-accumulator.mjs +3 -0
  196. package/lib/hooks/edit-error-recovery.mjs +3 -0
  197. package/lib/hooks/edit-guard.mjs +45 -4
  198. package/lib/hooks/env-check.mjs +3 -0
  199. package/lib/hooks/guard-bash.mjs +58 -1
  200. package/lib/hooks/mcp-audit.mjs +18 -20
  201. package/lib/hooks/mcp-health-check.mjs +36 -0
  202. package/lib/hooks/model-fallback.mjs +42 -56
  203. package/lib/hooks/policy-engine.mjs +209 -0
  204. package/lib/hooks/post-merge-docs-check.mjs +63 -0
  205. package/lib/hooks/pre-compact.mjs +4 -24
  206. package/lib/hooks/pre-push-gate.mjs +200 -37
  207. package/lib/hooks/proactive-activation.mjs +284 -0
  208. package/lib/hooks/read-tracker.mjs +27 -4
  209. package/lib/hooks/readme-age-check.mjs +77 -0
  210. package/lib/hooks/registry-sync.mjs +12 -5
  211. package/lib/hooks/scan-secrets.mjs +50 -7
  212. package/lib/hooks/session-optimize.mjs +311 -0
  213. package/lib/hooks/session-start.mjs +287 -28
  214. package/lib/hooks/stop-notify.mjs +236 -96
  215. package/lib/hooks/stop-typecheck.mjs +13 -1
  216. package/lib/hooks/test-watch.mjs +68 -0
  217. package/lib/host-capabilities.mjs +31 -10
  218. package/lib/init-docs.mjs +731 -291
  219. package/lib/init-unified.mjs +1000 -0
  220. package/lib/init-update.mjs +168 -0
  221. package/lib/init.mjs +107 -0
  222. package/lib/install/first-invocation.mjs +119 -0
  223. package/lib/install/stage-project.mjs +69 -0
  224. package/lib/intake/classify.mjs +278 -0
  225. package/lib/intake/feedback.mjs +273 -0
  226. package/lib/intake/filesystem-queue.mjs +158 -0
  227. package/lib/intake/intake-config.mjs +132 -0
  228. package/lib/intake/postgres-queue.mjs +198 -0
  229. package/lib/intake/prepare.mjs +139 -0
  230. package/lib/intake/queue.mjs +83 -0
  231. package/lib/intake/session-prelude.mjs +50 -0
  232. package/lib/integrations/intake-integrations.mjs +740 -0
  233. package/lib/intent-classifier.mjs +253 -0
  234. package/lib/knowledge/layout.mjs +72 -0
  235. package/lib/knowledge/rag.mjs +331 -0
  236. package/lib/knowledge/search.mjs +315 -0
  237. package/lib/knowledge/trends.mjs +261 -0
  238. package/lib/logger.mjs +85 -0
  239. package/lib/mcp/broker.mjs +124 -0
  240. package/lib/mcp/server.mjs +554 -854
  241. package/lib/mcp/tools/document.mjs +132 -0
  242. package/lib/mcp/tools/memory.mjs +209 -0
  243. package/lib/mcp/tools/project.mjs +349 -0
  244. package/lib/mcp/tools/skills.mjs +409 -0
  245. package/lib/mcp/tools/storage.mjs +60 -0
  246. package/lib/mcp/tools/telemetry.mjs +315 -0
  247. package/lib/mcp/tools/workflow.mjs +112 -0
  248. package/lib/mcp-catalog.json +54 -3
  249. package/lib/mcp-manager.mjs +96 -48
  250. package/lib/mcp-platform-config.mjs +22 -22
  251. package/lib/memory-stats.mjs +121 -0
  252. package/lib/mode-commands.mjs +124 -0
  253. package/lib/model-free-selector.mjs +184 -0
  254. package/lib/model-pricing.mjs +152 -0
  255. package/lib/model-registry.mjs +226 -0
  256. package/lib/model-router.mjs +362 -386
  257. package/lib/observation-store.mjs +391 -0
  258. package/lib/ollama-manager.mjs +428 -0
  259. package/lib/opencode-config.mjs +13 -3
  260. package/lib/opencode-runtime-plugin.mjs +70 -38
  261. package/lib/opencode-telemetry.mjs +64 -6
  262. package/lib/orchestration-policy.mjs +509 -6
  263. package/lib/overrides/resolver.mjs +207 -0
  264. package/lib/parity.mjs +147 -0
  265. package/lib/paths.mjs +33 -0
  266. package/lib/performance/generate.mjs +212 -0
  267. package/lib/plugin-registry.mjs +268 -0
  268. package/lib/policy/engine.mjs +130 -0
  269. package/lib/policy/unified-gates.mjs +96 -0
  270. package/lib/project-detection.mjs +129 -0
  271. package/lib/project-init-shared.mjs +272 -0
  272. package/lib/project-profile.mjs +447 -0
  273. package/lib/prompt-composer.js +434 -0
  274. package/lib/prompt-metadata.mjs +1 -1
  275. package/lib/provider-capabilities-anthropic.js +44 -0
  276. package/lib/provider-capabilities-deepseek.js +37 -0
  277. package/lib/provider-capabilities-generic.js +26 -0
  278. package/lib/provider-capabilities-google.js +47 -0
  279. package/lib/provider-capabilities-openai.js +45 -0
  280. package/lib/provider-capabilities.js +142 -0
  281. package/lib/providers/atlassian-confluence/index.mjs +103 -0
  282. package/lib/providers/atlassian-jira/index.mjs +100 -0
  283. package/lib/providers/auth-manager.mjs +126 -0
  284. package/lib/providers/circuit-breaker.mjs +124 -0
  285. package/lib/providers/contract.mjs +93 -0
  286. package/lib/providers/github/index.mjs +126 -0
  287. package/lib/providers/registry.mjs +184 -0
  288. package/lib/providers/salesforce/index.mjs +100 -0
  289. package/lib/providers/slack/index.mjs +80 -0
  290. package/lib/reflect.mjs +137 -0
  291. package/lib/research-lint.mjs +164 -0
  292. package/lib/resources/budget.mjs +259 -0
  293. package/lib/role-preload.mjs +21 -6
  294. package/lib/roles/approval-surface.mjs +54 -0
  295. package/lib/roles/cli.mjs +118 -0
  296. package/lib/roles/event-bus.mjs +79 -0
  297. package/lib/roles/fence.mjs +84 -0
  298. package/lib/roles/gateway.mjs +260 -0
  299. package/lib/roles/hook-emit.mjs +37 -0
  300. package/lib/roles/manifest.mjs +48 -0
  301. package/lib/roles/router.mjs +27 -0
  302. package/lib/runtime-pressure.mjs +360 -0
  303. package/lib/schema-artifact.mjs +134 -0
  304. package/lib/schema-infer.mjs +551 -0
  305. package/lib/server/auth.mjs +168 -0
  306. package/lib/server/chat.mjs +336 -0
  307. package/lib/server/cors.mjs +77 -0
  308. package/lib/server/csrf.mjs +91 -0
  309. package/lib/server/index.mjs +1927 -78
  310. package/lib/server/insights.mjs +765 -0
  311. package/lib/server/rate-limit.mjs +91 -0
  312. package/lib/server/static/assets/index-ab25c707.js +70 -0
  313. package/lib/server/static/assets/index-f0c80a2b.css +1 -0
  314. package/lib/server/static/index.html +12 -817
  315. package/lib/server/telemetry-login.mjs +108 -0
  316. package/lib/server/webhook.mjs +510 -0
  317. package/lib/service-manager.mjs +522 -58
  318. package/lib/services/pattern-promotion-service.mjs +167 -0
  319. package/lib/services/telemetry-backend.mjs +178 -0
  320. package/lib/session-store.mjs +374 -0
  321. package/lib/setup-prompts.mjs +96 -0
  322. package/lib/setup.mjs +523 -36
  323. package/lib/skills-apply.mjs +280 -0
  324. package/lib/skills-scope.mjs +118 -0
  325. package/lib/status.mjs +261 -70
  326. package/lib/storage/admin.mjs +355 -0
  327. package/lib/storage/backend.mjs +2 -1
  328. package/lib/storage/backup.mjs +347 -0
  329. package/lib/storage/embeddings-engine.mjs +133 -0
  330. package/lib/storage/embeddings-legacy.mjs +85 -0
  331. package/lib/storage/embeddings-local.mjs +108 -0
  332. package/lib/storage/embeddings-ollama.mjs +78 -0
  333. package/lib/storage/embeddings-openai.mjs +85 -0
  334. package/lib/storage/embeddings.mjs +92 -33
  335. package/lib/storage/file-lock.mjs +130 -0
  336. package/lib/storage/fusion.mjs +95 -0
  337. package/lib/storage/hybrid-query.mjs +34 -27
  338. package/lib/storage/migrations.mjs +187 -0
  339. package/lib/storage/postgres-backup.mjs +124 -0
  340. package/lib/storage/sql-store.mjs +5 -15
  341. package/lib/storage/state-source.mjs +12 -13
  342. package/lib/storage/store-version.mjs +115 -0
  343. package/lib/storage/sync.mjs +144 -35
  344. package/lib/storage/unified-storage.mjs +550 -0
  345. package/lib/storage/vector-client.mjs +286 -0
  346. package/lib/storage/vector-store.mjs +71 -30
  347. package/lib/task-graph/generate.mjs +135 -0
  348. package/lib/task-graph/schema.mjs +81 -0
  349. package/lib/task-graph/store.mjs +71 -0
  350. package/lib/telemetry/backends/local.mjs +62 -0
  351. package/lib/telemetry/backends/{langfuse.mjs → remote.mjs} +27 -14
  352. package/lib/telemetry/backfill.mjs +180 -0
  353. package/lib/telemetry/eval-datasets.mjs +203 -0
  354. package/lib/telemetry/{langfuse-ingest.mjs → ingest.mjs} +26 -20
  355. package/lib/telemetry/intent-verifications.mjs +86 -0
  356. package/lib/telemetry/llm-judge.mjs +350 -0
  357. package/lib/telemetry/model-pricing-catalog.mjs +557 -0
  358. package/lib/telemetry/setup.mjs +151 -0
  359. package/lib/telemetry/skill-calls.mjs +78 -0
  360. package/lib/telemetry/team-rollup.mjs +4 -4
  361. package/lib/token-engine.js +117 -0
  362. package/lib/token-estimator-anthropic.js +15 -0
  363. package/lib/token-estimator-deepseek.js +13 -0
  364. package/lib/token-estimator-default.js +13 -0
  365. package/lib/token-estimator-google.js +13 -0
  366. package/lib/token-estimator-openai.js +13 -0
  367. package/lib/toolkit-env.mjs +1 -1
  368. package/lib/tty-prompts.mjs +211 -0
  369. package/lib/uninstall/uninstall.mjs +423 -0
  370. package/lib/update.mjs +115 -0
  371. package/lib/upgrade.mjs +141 -0
  372. package/lib/validator.mjs +51 -2
  373. package/lib/validators/skills.mjs +142 -0
  374. package/lib/wireframe.mjs +422 -0
  375. package/lib/worker/entrypoint.mjs +241 -0
  376. package/lib/worker/evidence.mjs +107 -0
  377. package/lib/worker/run.mjs +154 -0
  378. package/lib/worker/trace.mjs +182 -0
  379. package/lib/workflow-state.mjs +14 -18
  380. package/package.json +21 -8
  381. package/personas/construct.md +53 -51
  382. package/platforms/claude/CLAUDE.md +1 -1
  383. package/platforms/claude/settings.template.json +115 -68
  384. package/platforms/opencode/config.template.json +3 -7
  385. package/rules/common/agents.md +11 -38
  386. package/rules/common/beads-hygiene.md +75 -0
  387. package/rules/common/code-review.md +11 -100
  388. package/rules/common/coding-style.md +5 -3
  389. package/rules/common/comments.md +30 -111
  390. package/rules/common/commit-approval.md +53 -0
  391. package/rules/common/cx-agent-routing.md +1 -0
  392. package/rules/common/development-workflow.md +23 -41
  393. package/rules/common/doc-ownership.md +54 -0
  394. package/rules/common/efficiency.md +57 -0
  395. package/rules/common/framing.md +76 -0
  396. package/rules/common/git-workflow.md +2 -4
  397. package/rules/common/patterns.md +3 -7
  398. package/rules/common/performance.md +15 -31
  399. package/rules/common/release-gates.md +69 -0
  400. package/rules/common/research.md +107 -0
  401. package/rules/common/security.md +6 -6
  402. package/rules/common/skill-composition.md +67 -0
  403. package/rules/common/testing.md +15 -27
  404. package/rules/golang/hooks.md +0 -4
  405. package/rules/policy/bootstrap.yaml +11 -0
  406. package/rules/policy/drive.yaml +8 -0
  407. package/rules/policy/task.yaml +9 -0
  408. package/rules/policy/workflow.yaml +9 -0
  409. package/rules/python/hooks.md +0 -4
  410. package/rules/swift/hooks.md +0 -4
  411. package/rules/typescript/hooks.md +0 -4
  412. package/rules/web/hooks.md +0 -2
  413. package/{sync-agents.mjs → scripts/sync-agents.mjs} +306 -61
  414. package/skills/ai/prompt-optimizer.md +7 -7
  415. package/skills/compliance/ai-disclosure.md +58 -0
  416. package/skills/compliance/data-privacy.md +46 -0
  417. package/skills/compliance/license-audit.md +40 -0
  418. package/skills/compliance/regulatory-review.md +61 -0
  419. package/skills/docs/document-ingest-workflow.md +52 -0
  420. package/skills/docs/evidence-ingest-workflow.md +9 -0
  421. package/skills/docs/init-docs.md +51 -18
  422. package/skills/docs/product-intelligence-workflow.md +12 -0
  423. package/skills/docs/product-signal-workflow.md +4 -0
  424. package/skills/docs/research-workflow.md +23 -8
  425. package/skills/docs/runbook-workflow.md +1 -1
  426. package/skills/operating/orchestration-reference.md +151 -0
  427. package/skills/roles/architect.md +5 -0
  428. package/skills/roles/engineer.md +32 -0
  429. package/skills/roles/operator.md +12 -0
  430. package/skills/roles/reviewer.md +23 -0
  431. package/skills/routing.md +1 -1
  432. package/templates/devcontainer/Dockerfile.devcontainer +38 -0
  433. package/templates/devcontainer/devcontainer.json +31 -0
  434. package/templates/distribution/bootstrap.ps1 +142 -0
  435. package/templates/distribution/bootstrap.sh +196 -0
  436. package/templates/distribution/run.mjs +187 -0
  437. package/templates/docs/adr.md +44 -8
  438. package/templates/docs/changelog-entry.md +43 -0
  439. package/templates/docs/construct_guide.md +149 -0
  440. package/templates/docs/evidence-brief.md +2 -2
  441. package/templates/docs/meta-prd.md +140 -19
  442. package/templates/docs/onboarding.md +57 -0
  443. package/templates/docs/prd.md +159 -15
  444. package/templates/docs/research-brief.md +4 -4
  445. package/templates/homebrew/construct.rb +67 -0
  446. package/langfuse/docker-compose.yml +0 -82
  447. package/lib/eval-harness.mjs +0 -59
  448. package/lib/hooks/bootstrap-guard.mjs +0 -90
  449. package/lib/hooks/console-warn.mjs +0 -43
  450. package/lib/hooks/continuation-enforcer.mjs +0 -72
  451. package/lib/hooks/drive-guard.mjs +0 -89
  452. package/lib/hooks/mcp-task-scope.mjs +0 -47
  453. package/lib/hooks/task-completed-guard.mjs +0 -43
  454. package/lib/hooks/teammate-idle-guard.mjs +0 -54
  455. package/lib/hooks/workflow-guard.mjs +0 -62
  456. package/lib/prompt-composer.mjs +0 -196
  457. package/lib/review.mjs +0 -429
  458. package/lib/server/static/app.js +0 -841
  459. package/lib/telemetry/langfuse-model-sync.mjs +0 -270
  460. package/rules/common/hooks.md +0 -35
  461. package/rules/zh/README.md +0 -113
  462. package/rules/zh/agents.md +0 -55
  463. package/rules/zh/code-review.md +0 -129
  464. package/rules/zh/coding-style.md +0 -53
  465. package/rules/zh/development-workflow.md +0 -49
  466. package/rules/zh/git-workflow.md +0 -29
  467. package/rules/zh/hooks.md +0 -35
  468. package/rules/zh/patterns.md +0 -36
  469. package/rules/zh/performance.md +0 -60
  470. package/rules/zh/security.md +0 -34
  471. package/rules/zh/testing.md +0 -34
@@ -0,0 +1,54 @@
1
+ <!--
2
+ rules/common/doc-ownership.md — which specialist owns which document type.
3
+
4
+ Prevents the orchestrator (or any general persona) from authoring specialist
5
+ documents directly. Routing authorship to the owning role is how research,
6
+ framing, and domain scrutiny actually fire — writing a PRD without the
7
+ product manager bypasses those checks entirely.
8
+ -->
9
+ # Document Ownership
10
+
11
+ A document type names a body of work. That body of work has an owner. The orchestrator routes; it does not author.
12
+
13
+ If Construct (or any general persona) drafts a PRD, ADR, research brief, or RFC directly, the specialists who would normally challenge the framing, demand external research, or enforce domain rigor never get invoked. The artifact looks complete and is structurally weak.
14
+
15
+ ## Ownership table
16
+
17
+ | Document type | Owner | Why |
18
+ |---|---|---|
19
+ | PRD, meta-PRD, PRFAQ, one-pager, backlog proposal, customer profile | **cx-product-manager** | Requires evidence-traceable requirements, user grounding, scope discipline |
20
+ | ADR, RFC, architecture overview, system design | **cx-architect** | Requires trade-off analysis, reversibility reasoning, interface contract scrutiny |
21
+ | Research brief, evidence brief, signal brief, product intelligence report | **cx-researcher** | Requires external-source policy (`rules/common/research.md`), citation standards |
22
+ | Runbook | **cx-operations** or **cx-sre** | Requires on-call reality, incident experience |
23
+ | Incident report, postmortem | **cx-sre** | Requires blameless structure, reliability framing |
24
+ | Test plan, QA strategy | **cx-qa** | Requires coverage threshold reasoning, risk-based prioritization |
25
+ | Security review, threat model | **cx-security** | Requires attacker-perspective scrutiny |
26
+ | Memo, internal explainer | **cx-docs-keeper** | Requires narrative discipline and cross-linking |
27
+ | Changelog, CHANGELOG.md | **cx-docs-keeper** | Lightweight but still a documentation deliverable |
28
+
29
+ ## Routing rules
30
+
31
+ 1. **Detect the doc type from the request.** Keywords like "write a PRD", "draft an ADR", "produce a research brief" trigger ownership routing. Construct must not author these itself.
32
+
33
+ 2. **Route before framing.** The owning specialist runs the framing step (`rules/common/framing.md`) as part of their drafting process. Pre-framing by the orchestrator defeats the purpose.
34
+
35
+ 3. **Research precedes architecture.** If the request is for architecture/ADR/RFC work and references a named concept not in the project glossary, cx-researcher runs *before* cx-architect and returns the reference set cx-architect must cite.
36
+
37
+ 4. **The orchestrator reviews, does not redraft.** If the specialist's draft has issues, the orchestrator surfaces them back to the same specialist. Only the owner revises.
38
+
39
+ 5. **Cross-doc coherence is the docs-keeper's job.** When a set of documents must stay consistent (PRD ↔ ADR ↔ research), cx-docs-keeper runs after drafting to enforce cross-references, not to rewrite content.
40
+
41
+ ## Failure mode this rule prevents
42
+
43
+ An orchestrator that writes a PRD directly:
44
+
45
+ - Skips requirements traceability (cx-product-manager would demand evidence)
46
+ - Skips external research (cx-researcher would demand primary sources)
47
+ - Skips framing (framing is the owning specialist's first step, not the orchestrator's)
48
+ - Produces a structurally complete artifact that reflects the orchestrator's reasoning, not the domain's rigor
49
+
50
+ This is exactly how "it looks done but feels shallow" happens.
51
+
52
+ ## The one rule
53
+
54
+ **If the document type has an owner in the table above, route to the owner. Do not author it yourself.**
@@ -0,0 +1,57 @@
1
+ <!--
2
+ rules/common/efficiency.md — session context and tool-use efficiency standards.
3
+
4
+ Applies to all agents operating in a Construct session. Violations compound context
5
+ cost and reduce throughput. These rules are enforced by read-tracker.mjs and surfaced
6
+ in the session-start efficiency digest.
7
+ -->
8
+
9
+ # Session Efficiency
10
+
11
+ ## Read discipline
12
+
13
+ Read a file once per task boundary. When a file's content is needed again, use the
14
+ in-context version unless there is a concrete reason to believe it changed (e.g., a
15
+ tool wrote it since the last read).
16
+
17
+ Signals that a re-read is warranted:
18
+ - A Write/Edit tool call targeted the file after the last read.
19
+ - An external process (Bash, a subagent) may have modified it.
20
+ - The last read was in a prior session (context was compacted).
21
+
22
+ Do not re-read to verify — trust the in-context state. If staleness is a concern,
23
+ check the file hash via `read-tracker.mjs` state rather than re-reading the full file.
24
+
25
+ **Threshold:** more than 3 reads of the same file within a session without an intervening
26
+ write is a signal to stop and confirm the approach. The session-start digest surfaces
27
+ files that crossed this threshold in the prior session.
28
+
29
+ ## Probe before bulk read
30
+
31
+ Before calling `Read` with `limit` unset or above 200 lines:
32
+ 1. Check file size with `Glob` or `wc -l`.
33
+ 2. Use a `limit: 50` probe pass to confirm the region of interest.
34
+ 3. Then read the targeted range with `offset` + `limit`.
35
+
36
+ Bulk reading a large file to find a small section is never the right approach.
37
+
38
+ ## Tool call parallelism
39
+
40
+ Independent tool calls must run in parallel. Sequential execution of parallelizable
41
+ calls wastes wall-clock time and burns context on round-trip overhead.
42
+
43
+ A call is independent when its inputs do not depend on the output of any other call
44
+ in the same batch.
45
+
46
+ ## Bash output
47
+
48
+ Long Bash outputs are automatically persisted to `~/.cx/bash-logs/` by
49
+ `bash-output-logger.mjs`. Reference the log path in subsequent turns rather than
50
+ re-running the command.
51
+
52
+ ## Agent dispatch cost
53
+
54
+ Each Task dispatch creates a subagent context. Dispatch a specialist when the task
55
+ benefits from a structurally different view (architecture suspicion, security scan,
56
+ coverage gap analysis). Do not dispatch for tasks that fit within a single focused
57
+ pass — the round-trip cost exceeds the benefit.
@@ -0,0 +1,76 @@
1
+ <!--
2
+ rules/common/framing.md — how to frame a problem before acting on it.
3
+
4
+ Establishes the hard separation between execution artifacts (tickets, chat
5
+ transcripts, existing docs) and sources of truth (the underlying problem).
6
+ Applies to every specialist working on architecture, documentation, research,
7
+ product, or strategy work. Read before scaffolding anything.
8
+ -->
9
+ # Framing Policy
10
+
11
+ Most agent failures on ambiguous work trace to a single mistake: anchoring on the most concrete input available (usually a ticket or a prior doc) and building the output around its structure instead of around the actual problem.
12
+
13
+ Construct's default behavior must be the opposite.
14
+
15
+ ## 1. Execution artifacts are not sources of truth
16
+
17
+ The following are **execution signals**, not the problem itself:
18
+
19
+ - Jira tickets, Linear issues, GitHub issues
20
+ - Chat transcripts, Slack threads, email threads
21
+ - Existing PRDs, RFCs, design docs
22
+ - User-provided summaries of "what we want"
23
+ - Prior conversation history with the user
24
+
25
+ They describe **how the problem was reported**, **what has been tried**, or **what someone thinks the solution is**. They do not define what the problem is.
26
+
27
+ Treating them as source of truth produces output that reflects the reporting structure, not the underlying need. That is the failure mode this rule exists to prevent.
28
+
29
+ ## 2. Required framing step before scaffolding
30
+
31
+ Before scaffolding any architecture, documentation set, research brief, PRD, ADR, RFC, or roadmap, **state the underlying problem in your own words, independent of how it was reported**.
32
+
33
+ A valid problem statement:
34
+
35
+ - Describes an outcome someone needs, not a ticket title
36
+ - Does not reference ticket IDs, PRD filenames, or chat excerpts
37
+ - Would be legible to a reader who has never seen the inputs
38
+ - Names the constraint that makes the problem non-trivial
39
+
40
+ If you cannot produce this statement without referencing the inputs, you have not framed the problem. You are paraphrasing the inputs.
41
+
42
+ ## 3. ADR / PRD / RFC content rules
43
+
44
+ - **ADR "Problem" section** must describe a decision-forcing tension in the domain. It must not describe the documents, tickets, or process that surfaced it.
45
+ - **PRD "Problem" section** must describe a user or business outcome that is currently blocked. It must not describe the roadmap item or ticket that initiated the work.
46
+ - **RFC "Motivation" section** must describe the technical or product pressure that makes the change worth its cost. It must not describe the meeting or request that triggered the RFC.
47
+
48
+ If a reader needs the ticket to understand the doc, the doc is failing its job.
49
+
50
+ ## 4. When the inputs disagree with the inferred problem
51
+
52
+ If tickets, transcripts, or prior docs point at a different problem than the one you infer:
53
+
54
+ - Surface the mismatch explicitly
55
+ - Propose the reframed problem statement
56
+ - Ask the user once, then proceed with the reframed version if no answer
57
+
58
+ Do not silently adopt the input framing because it is easier.
59
+
60
+ ## 5. Anti-patterns
61
+
62
+ Do not:
63
+
64
+ - Title documents after tickets or PRD filenames
65
+ - Structure information architecture around the artifacts that described the problem
66
+ - Write an ADR whose "Decision" is "we will have these documents" or "we will use this ticket structure"
67
+ - Produce a research brief whose sources are all internal tickets and transcripts
68
+ - Frame the "Rejected alternatives" section as "we considered not doing this ticket"
69
+
70
+ ## 6. The one-sentence test
71
+
72
+ Before any artifact is considered framed, it must pass:
73
+
74
+ *"A principal engineer reading only this document, with no access to any tickets or prior context, would understand what problem is being solved and why it matters."*
75
+
76
+ If the document fails that test, it is not framed. It is a changelog entry wearing a different costume.
@@ -1,7 +1,7 @@
1
1
  <!--
2
- rules/common/git-workflow.md — <one-line purpose>
2
+ rules/common/git-workflow.md — commit message format and PR workflow.
3
3
 
4
- <2–6 line summary.>
4
+ Defines conventional commit types and pull request creation steps.
5
5
  -->
6
6
  # Git Workflow
7
7
 
@@ -14,8 +14,6 @@ rules/common/git-workflow.md — <one-line purpose>
14
14
 
15
15
  Types: feat, fix, refactor, docs, test, chore, perf, ci
16
16
 
17
- Note: Attribution disabled globally via ~/.claude/settings.json.
18
-
19
17
  ## Pull Request Workflow
20
18
 
21
19
  When creating PRs:
@@ -1,7 +1,7 @@
1
1
  <!--
2
- rules/common/patterns.md — <one-line purpose>
2
+ rules/common/patterns.md — reusable design patterns and skeleton project strategy.
3
3
 
4
- <2–6 line summary.>
4
+ Covers skeleton project evaluation, repository pattern, and API response format.
5
5
  -->
6
6
  # Common Patterns
7
7
 
@@ -9,11 +9,7 @@ rules/common/patterns.md — <one-line purpose>
9
9
 
10
10
  When implementing new functionality:
11
11
  1. Search for battle-tested skeleton projects
12
- 2. Use parallel agents to evaluate options:
13
- - Security assessment
14
- - Extensibility analysis
15
- - Relevance scoring
16
- - Implementation planning
12
+ 2. Evaluate options for security, extensibility, and relevance
17
13
  3. Clone best match as foundation
18
14
  4. Iterate within proven structure
19
15
 
@@ -1,23 +1,24 @@
1
1
  <!--
2
- rules/common/performance.md — <one-line purpose>
2
+ rules/common/performance.md — model-agnostic performance and context management rules.
3
3
 
4
- <2–6 line summary.>
4
+ Defines model selection tiers, context window management heuristics,
5
+ and build troubleshooting steps. No platform-specific tool names or config paths.
5
6
  -->
6
7
  # Performance Optimization
7
8
 
8
9
  ## Model Selection Strategy
9
10
 
10
- **Haiku 4.5** (90% of Sonnet capability, 3x cost savings):
11
+ **Fast tier** (small/cheap models):
11
12
  - Lightweight agents with frequent invocation
12
13
  - Pair programming and code generation
13
14
  - Worker agents in multi-agent systems
14
15
 
15
- **Sonnet 4.6** (Best coding model):
16
+ **Standard tier** (mid-range models):
16
17
  - Main development work
17
18
  - Orchestrating multi-agent workflows
18
19
  - Complex coding tasks
19
20
 
20
- **Opus 4.5** (Deepest reasoning):
21
+ **Reasoning tier** (large/frontier models):
21
22
  - Complex architectural decisions
22
23
  - Maximum reasoning requirements
23
24
  - Research and analysis tasks
@@ -30,15 +31,15 @@ Avoid last 20% of context window for:
30
31
  - Debugging complex interactions
31
32
 
32
33
  Prefer this retrieval ladder before loading more context:
33
- 1. `Grep` / `Glob` to narrow candidate files
34
- 2. targeted `Read` windows (aim for <400 lines)
35
- 3. parallel reads for the minimum necessary file set
36
- 4. summarize to `.cx/context.md` before broad re-exploration or compaction
34
+ 1. Targeted search to narrow candidate files
35
+ 2. Targeted reads (aim for <400 lines)
36
+ 3. Parallel reads for the minimum necessary file set
37
+ 4. Summarize to a context artifact before broad re-exploration
37
38
 
38
39
  Heuristics:
39
- - Re-reading the same file multiple times without a state change is usually a retrieval smell.
40
+ - Re-reading the same file multiple times without a state change is a retrieval smell.
40
41
  - Large reads should be reserved for files where local structure matters more than symbol search.
41
- - Use workflow/context artifacts as cached state instead of rediscovering the same background repeatedly.
42
+ - Use workflow/context artifacts as cached state instead of rediscovering background repeatedly.
42
43
 
43
44
  Lower context sensitivity tasks:
44
45
  - Single-file edits
@@ -46,26 +47,9 @@ Lower context sensitivity tasks:
46
47
  - Documentation updates
47
48
  - Simple bug fixes
48
49
 
49
- ## Extended Thinking + Plan Mode
50
-
51
- Extended thinking is enabled by default, reserving up to 31,999 tokens for internal reasoning.
52
-
53
- Control extended thinking via:
54
- - **Toggle**: Option+T (macOS) / Alt+T (Windows/Linux)
55
- - **Config**: Set `alwaysThinkingEnabled` in `~/.claude/settings.json`
56
- - **Budget cap**: `export MAX_THINKING_TOKENS=10000`
57
- - **Verbose mode**: Ctrl+O to see thinking output
58
-
59
- For complex tasks requiring deep reasoning:
60
- 1. Ensure extended thinking is enabled (on by default)
61
- 2. Enable **Plan Mode** for structured approach
62
- 3. Use multiple critique rounds for thorough analysis
63
- 4. Use split role sub-agents for diverse perspectives
64
-
65
50
  ## Build Troubleshooting
66
51
 
67
52
  If build fails:
68
- 1. Use **build-error-resolver** agent
69
- 2. Analyze error messages
70
- 3. Fix incrementally
71
- 4. Verify after each fix
53
+ 1. Analyze error messages
54
+ 2. Fix incrementally
55
+ 3. Verify after each fix
@@ -0,0 +1,69 @@
1
+ <!--
2
+ rules/common/release-gates.md — Hard release gates for Construct work.
3
+
4
+ Defines the blocking contracts every agent and persona must satisfy locally
5
+ before any commit, push, or "done" claim. Loaded by the construct persona,
6
+ AGENTS.md, and the engineer/reviewer/operator role overlays. Enforcement is at
7
+ the prompt level — CI is a backstop, not the primary gate.
8
+ -->
9
+ # Release Gates — Hard Contracts
10
+
11
+ These are blocking gates. Every agent, persona, and harness session working in or shipping Construct must satisfy them locally **before** any commit, push, or "done" claim. CI is a backstop, not the primary check.
12
+
13
+ The goal is simple: if a gate would fail in CI, it fails locally first. We never push and pray.
14
+
15
+ ## The five local gates
16
+
17
+ Run these before declaring work done. Pasting the output into the PR body or `bd note` is the standard evidence.
18
+
19
+ | Gate | Command | Pass criterion |
20
+ |---|---|---|
21
+ | Tests | `npm test` | 0 failed, 0 unexpected skips |
22
+ | Comment policy | `node bin/construct lint:comments` | 0 errors AND 0 warnings |
23
+ | Doc verification | `node bin/construct docs:verify` | "All documentation checks passed" — no warnings either |
24
+ | AUTO doc drift | `node bin/construct docs:update --check` | "Docs are up to date" |
25
+ | Template policy | `npm run lint:templates` | "Template policy: clean." |
26
+
27
+ The shortcut for all five (plus dashboard sync) is:
28
+
29
+ ```bash
30
+ npm run release:check
31
+ ```
32
+
33
+ ## Commit + PR templates
34
+
35
+ The repo enforces `.gitmessage` and `.github/pull_request_template.md`. Both are validated by `scripts/lint-commits-pr.mjs` (the `lint-templates` CI job) and fail the build on any deviation.
36
+
37
+ Commit subjects must match `type(scope): subject` — type from {feat, fix, refactor, perf, docs, test, chore, ci, build, style}, imperative mood, ≤72 chars, no trailing period, lowercase after the colon. Run `git config commit.template .gitmessage` once per clone to load the template into your editor.
38
+
39
+ PR descriptions must keep all six headings — Summary, Beads issue, Doc updates included, Local gates, Test plan, Risks / rollback — with at least one checked box in both the "Doc updates" and "Local gates" sections. Empty templates fail.
40
+
41
+ Forbidden in commit messages: `Co-Authored-By: Claude*` trailers (unless the user explicitly asks), `--no-verify`, `--no-gpg-sign`. Forbidden in PR bodies: deleting the required headings, leaving every gate box unchecked.
42
+
43
+ ## The tracker contract
44
+
45
+ For every non-trivial change:
46
+
47
+ 1. **A Beads issue exists.** `bd ready` to find or create one. `bd show <id>` to read context. `bd update <id> --claim` to claim before editing files.
48
+ 2. **`plan.md` reflects the work.** Even though `plan.md` is local-only and gitignored, it stays the human-readable working plan. Mark items `done` when they ship; add new rows for work that wasn't previously tracked.
49
+ 3. **Doc updates land in the same change as code.** If runtime shape, contracts, boundaries, or major dependencies changed, update `docs/concepts/architecture.md` in the same commit. If the docs surface or maintenance contract changed, update `docs/README.md`. If active work, decisions, or assumptions changed, update `.cx/context.md` and `.cx/context.json`. Always add a `CHANGELOG.md` entry.
50
+ 4. **Beads close on green.** `bd close <id>` happens after CI is green and the work is verified — not before.
51
+
52
+ ## Hard rules
53
+
54
+ - **Do not commit if any gate fails.** Fix the underlying issue. Do not skip hooks (`--no-verify`), do not bypass with `[skip ci]` for code changes.
55
+ - **Do not push expecting CI to catch it.** If you would not run a gate locally, do not run it in CI.
56
+ - **Do not declare DONE before the gates run.** "Tests pass" without `npm test` evidence is not done.
57
+ - **Comment policy violations are blocking, not advisory.** Warnings count as failures for this gate.
58
+ - **Documentation drift is a code change.** A code commit that should have triggered a doc update but did not is incomplete work, not a follow-up.
59
+
60
+ ## When a gate must be bypassed
61
+
62
+ If a gate is genuinely broken (tooling regression, infra issue) and the change is unrelated:
63
+
64
+ 1. State the gate name and the failure.
65
+ 2. Confirm with the user before bypassing.
66
+ 3. File a Beads issue for the broken gate.
67
+ 4. Note the bypass in the PR body and the Beads issue.
68
+
69
+ This is the only authorized form of bypass. "I'll fix it later" is not.
@@ -0,0 +1,107 @@
1
+ <!--
2
+ rules/common/research.md — canonical research and evidence policy for Construct.
3
+
4
+ Defines how research starts, which sources to prefer, how claims are verified,
5
+ and what must be recorded so findings are reproducible. Applies to research,
6
+ product evidence synthesis, document ingest follow-up, and any recommendation
7
+ that depends on external facts or evolving internal evidence.
8
+ -->
9
+ # Research Policy
10
+
11
+ Construct treats research as a reproducible evidence-gathering process, not free-form browsing. If a claim could change decisions, scope, architecture, or roadmap, it must be tied to verifiable evidence.
12
+
13
+ ## 1. Start order
14
+
15
+ Start with the narrowest authoritative source that can answer the question:
16
+
17
+ 1. **Local project evidence first**
18
+ - `.cx/research/`
19
+ - `.cx/knowledge/`
20
+ - `docs/prd/`, `docs/meta-prd/`, `docs/adr/`, `docs/runbooks/`
21
+ - ingested markdown artifacts under `.cx/knowledge/`
22
+ - repo code, tests, configs, and existing decisions
23
+ 2. **Primary external sources second**
24
+ - official docs for the exact version in use
25
+ - source code, standards, specifications, API references, vendor security advisories
26
+ 3. **Secondary sources third**
27
+ - changelogs, migration guides, maintainer issue comments, release notes
28
+ 4. **Tertiary sources last**
29
+ - blogs, forums, Q&A, analyst summaries, AI-generated summaries
30
+
31
+ Tertiary sources may help discover primary sources. They are not sufficient evidence for load-bearing claims.
32
+
33
+ ## 2. Required metadata for every source
34
+
35
+ Record:
36
+
37
+ - source title or path
38
+ - source class: internal, primary, secondary, or tertiary
39
+ - version or revision when applicable
40
+ - publication date, release date, or access date
41
+ - why this source is relevant
42
+
43
+ If a source has no date and the topic is time-sensitive, treat confidence as reduced until recency is established another way.
44
+
45
+ ## 3. Verification rules
46
+
47
+ For each load-bearing claim:
48
+
49
+ - prefer **two independent sources**
50
+ - one source is acceptable only when it is the authoritative primary source for that exact fact
51
+ - separate **observation** from **inference**
52
+ - label confidence as `high`, `medium`, or `low`
53
+ - state the strongest counter-evidence or contradiction when one exists
54
+
55
+ Claims about versions, APIs, security, pricing, compatibility, regulations, and timelines must cite the exact version/date basis.
56
+
57
+ ## 4. Reproducibility
58
+
59
+ Research must be reproducible by another person in the repo.
60
+
61
+ Record:
62
+
63
+ - the exact question being answered
64
+ - search terms, commands, paths, or systems queried
65
+ - inclusion/exclusion decisions
66
+ - unresolved gaps that would change the recommendation
67
+
68
+ If you cannot explain how the answer was obtained, the research is incomplete.
69
+
70
+ ## 5. Evidence thresholds
71
+
72
+ Recommendations must state what evidence threshold was used.
73
+
74
+ Examples:
75
+
76
+ - feature demand threshold
77
+ - migration-risk threshold
78
+ - security severity threshold
79
+ - benchmark or performance threshold
80
+ - confidence threshold for acting now vs gathering more evidence
81
+
82
+ If the threshold is not met, the output should recommend more research, a weaker artifact, or a narrower decision.
83
+
84
+ ## 6. Output standard
85
+
86
+ Research outputs should include:
87
+
88
+ - question
89
+ - method
90
+ - sources
91
+ - findings
92
+ - confidence
93
+ - open questions
94
+ - recommendation or next step
95
+
96
+ Every substantive finding should point to a source path, URL, or document reference.
97
+
98
+ ## 7. Anti-patterns
99
+
100
+ Do not:
101
+
102
+ - stop at the first plausible answer
103
+ - cite a blog when the spec or source code is available
104
+ - present inference as if the source said it directly
105
+ - ignore conflicting evidence
106
+ - use stale undated material for fast-moving topics without saying so
107
+ - promote weak product evidence into committed requirements
@@ -1,7 +1,8 @@
1
1
  <!--
2
- rules/common/security.md — <one-line purpose>
2
+ rules/common/security.md — mandatory security checks and secret management.
3
3
 
4
- <2–6 line summary.>
4
+ Defines pre-commit security checklist, secret management rules,
5
+ and response protocol for discovered vulnerabilities.
5
6
  -->
6
7
  # Security Guidelines
7
8
 
@@ -28,7 +29,6 @@ Before ANY commit:
28
29
 
29
30
  If security issue found:
30
31
  1. STOP immediately
31
- 2. Use **security-reviewer** agent
32
- 3. Fix CRITICAL issues before continuing
33
- 4. Rotate any exposed secrets
34
- 5. Review entire codebase for similar issues
32
+ 2. Fix CRITICAL issues before continuing
33
+ 3. Rotate any exposed secrets
34
+ 4. Review entire codebase for similar issues
@@ -0,0 +1,67 @@
1
+ <!--
2
+ rules/common/skill-composition.md — how specialist prompts compose with skill files.
3
+
4
+ Defines the default boundary between what lives in the agent's base prompt and
5
+ what is fetched via `get_skill` at runtime. Aims to keep prompts lean while
6
+ keeping domain knowledge reliably available when needed.
7
+ -->
8
+ # Skill Composition Policy
9
+
10
+ Specialist agent prompts are lean on purpose. Domain depth lives in skill files and is pulled in on demand, not pre-inlined.
11
+
12
+ ## Default: on-demand skill loading
13
+
14
+ Every specialist prompt carries a marker:
15
+
16
+ ```
17
+ **Role guidance**: call `get_skill("roles/NAME")` before drafting.
18
+ ```
19
+
20
+ When the agent begins substantive work in its domain, it calls `get_skill("roles/NAME")` via the construct-mcp server. The skill body is returned for that turn only — no permanent prompt budget is consumed.
21
+
22
+ All hosts Construct supports (Claude Code, OpenCode, Codex, Copilot) have `get_skill` available through the construct-mcp server, so the runtime call is reliable.
23
+
24
+ ## Why on-demand is the default
25
+
26
+ Inlining every role skill at sync time used to consume ~1000–2000 words of prompt budget per specialist, regardless of whether the skill content was relevant to the current task. That budget is fixed — it reduces the window available for actual context.
27
+
28
+ On-demand loading means:
29
+
30
+ - Quick tasks that don't need the full role body never pay the word cost
31
+ - The agent can load only the flavor overlay it actually needs
32
+ - Prompt caps become a real soft target, not a constant overage
33
+ - Skill content can be updated without re-syncing every agent prompt
34
+
35
+ ## Opt-in preload: `preloadRoleGuidance: true`
36
+
37
+ Set `preloadRoleGuidance: true` on a registry entry only when:
38
+
39
+ - The agent ships to hosts that do not expose `get_skill` reliably
40
+ - The role content is so load-bearing that every single turn needs it
41
+ - The agent's model is weak at tool-calling discipline and skips the `get_skill` call in practice
42
+
43
+ This should be rare. If you find yourself preloading most agents, revisit the reasoning — the default exists because the cost is real.
44
+
45
+ ## Skill array vs. role guidance
46
+
47
+ Two different mechanisms for two different purposes:
48
+
49
+ - **Registry `skills: [...]` array** — declarative metadata listing which skills the agent is *entitled* to call. Not inlined into the prompt. Used by `list_skills`, routing heuristics, and audit tooling. Add skills here liberally.
50
+ - **Role guidance directive** — the single `**Role guidance**: call get_skill("roles/NAME")` line in the prompt. Points the agent at its role file and (by default) tells it to load on demand. Exactly one per agent.
51
+
52
+ ## Contributor guidance
53
+
54
+ When adding or editing a specialist:
55
+
56
+ 1. Keep the base prompt short — role, perspective, productive tension, handoff contract. Under 400 words is normal.
57
+ 2. Put domain depth into `skills/roles/NAME.md` and optional flavor overlays like `skills/roles/NAME.FLAVOR.md`.
58
+ 3. Leave the role-guidance directive in place. Do not manually inline role content into the prompt body.
59
+ 4. Only add `preloadRoleGuidance: true` with a written reason in the registry description.
60
+
61
+ ## Anti-patterns
62
+
63
+ Do not:
64
+
65
+ - Paste role-skill content directly into the prompt body "to be safe"
66
+ - Add `preloadRoleGuidance: true` to push a prompt under the cap without fixing the underlying bloat
67
+ - Split a role skill into many tiny files to dodge the cap — keep the cohesive unit, load it on demand instead
@@ -1,7 +1,8 @@
1
1
  <!--
2
- rules/common/testing.md — <one-line purpose>
2
+ rules/common/testing.md — test coverage requirements and TDD workflow.
3
3
 
4
- <2–6 line summary.>
4
+ Defines minimum 80% coverage, TDD red-green-refactor cycle,
5
+ AAA test structure, and descriptive naming conventions.
5
6
  -->
6
7
  # Testing Requirements
7
8
 
@@ -24,39 +25,26 @@ MANDATORY workflow:
24
25
 
25
26
  ## Troubleshooting Test Failures
26
27
 
27
- 1. Use **tdd-guide** agent
28
- 2. Check test isolation
29
- 3. Verify mocks are correct
30
- 4. Fix implementation, not tests (unless tests are wrong)
31
-
32
- ## Agent Support
33
-
34
- - **tdd-guide** - Use PROACTIVELY for new features, enforces write-tests-first
28
+ 1. Check test isolation
29
+ 2. Verify mocks are correct
30
+ 3. Fix implementation, not tests (unless tests are wrong)
35
31
 
36
32
  ## Test Structure (AAA Pattern)
37
33
 
38
- Prefer Arrange-Act-Assert structure for tests:
39
-
40
- ```typescript
41
- test('calculates similarity correctly', () => {
42
- // Arrange
43
- const vector1 = [1, 0, 0]
44
- const vector2 = [0, 1, 0]
34
+ Prefer Arrange-Act-Assert:
45
35
 
46
- // Act
47
- const similarity = calculateCosineSimilarity(vector1, vector2)
48
-
49
- // Assert
50
- expect(similarity).toBe(0)
51
- })
36
+ ```
37
+ // Arrange - set up test data
38
+ // Act - call the function under test
39
+ // Assert - verify the result
52
40
  ```
53
41
 
54
42
  ### Test Naming
55
43
 
56
44
  Use descriptive names that explain the behavior under test:
57
45
 
58
- ```typescript
59
- test('returns empty array when no markets match query', () => {})
60
- test('throws error when API key is missing', () => {})
61
- test('falls back to substring search when Redis is unavailable', () => {})
46
+ ```
47
+ returns empty array when no items match query
48
+ throws error when required config is missing
49
+ falls back to default when service is unavailable
62
50
  ```
@@ -11,12 +11,8 @@ paths:
11
11
  ---
12
12
  # Go Hooks
13
13
 
14
- > This file extends [common/hooks.md](../common/hooks.md) with Go specific content.
15
-
16
14
  ## PostToolUse Hooks
17
15
 
18
- Configure in `~/.claude/settings.json`:
19
-
20
16
  - **gofmt/goimports**: Auto-format `.go` files after edit
21
17
  - **go vet**: Run static analysis after editing `.go` files
22
18
  - **staticcheck**: Run extended static checks on modified packages