@geraldmaron/construct 1.0.0 → 1.0.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.env.example +9 -6
- package/LICENSE +201 -21
- package/README.md +132 -257
- package/agents/contracts.json +387 -0
- package/agents/prompts/cx-accessibility.md +8 -0
- package/agents/prompts/cx-ai-engineer.md +92 -0
- package/agents/prompts/cx-architect.md +10 -2
- package/agents/prompts/cx-business-strategist.md +13 -0
- package/agents/prompts/cx-data-analyst.md +80 -0
- package/agents/prompts/cx-data-engineer.md +4 -0
- package/agents/prompts/cx-debugger.md +8 -0
- package/agents/prompts/cx-designer.md +19 -0
- package/agents/prompts/cx-devil-advocate.md +4 -0
- package/agents/prompts/cx-docs-keeper.md +128 -0
- package/agents/prompts/cx-engineer.md +13 -0
- package/agents/prompts/cx-evaluator.md +4 -0
- package/agents/prompts/cx-explorer.md +12 -0
- package/agents/prompts/cx-legal-compliance.md +13 -0
- package/agents/prompts/cx-operations.md +13 -0
- package/agents/prompts/cx-orchestrator.md +107 -4
- package/agents/prompts/cx-platform-engineer.md +75 -0
- package/agents/prompts/cx-product-manager.md +8 -0
- package/agents/prompts/cx-qa.md +100 -0
- package/agents/prompts/cx-rd-lead.md +13 -0
- package/agents/prompts/cx-release-manager.md +8 -0
- package/agents/prompts/cx-researcher.md +21 -1
- package/agents/prompts/cx-reviewer.md +8 -0
- package/agents/prompts/cx-security.md +104 -0
- package/agents/prompts/cx-sre.md +104 -0
- package/agents/prompts/cx-test-automation.md +4 -0
- package/agents/prompts/cx-trace-reviewer.md +7 -3
- package/agents/prompts/cx-ux-researcher.md +4 -0
- package/agents/registry.json +365 -90
- package/agents/role-manifests.json +217 -0
- package/bin/construct +3345 -141
- package/bin/construct-postinstall.mjs +87 -0
- package/commands/build/feature.md +6 -6
- package/commands/plan/feature.md +6 -5
- package/commands/plan/requirements.md +1 -1
- package/commands/ship/status.md +1 -1
- package/commands/work/drive.md +3 -3
- package/commands/work/optimize-prompts.md +3 -3
- package/db/{migrations → schema}/001_init.sql +2 -0
- package/db/schema/002_pgvector.sql +182 -0
- package/db/schema/003_intake.sql +47 -0
- package/examples/README.md +85 -0
- package/examples/internal/roles/architect/bad/clever-plan-without-contracts.md +30 -0
- package/examples/internal/roles/architect/golden/explicit-tradeoff-before-plan.md +23 -0
- package/examples/internal/roles/engineer/bad/speculative-abstraction.md +30 -0
- package/examples/internal/roles/engineer/golden/read-before-write.md +28 -0
- package/examples/internal/roles/orchestrator/bad/everything-becomes-multi-agent.md +29 -0
- package/examples/internal/roles/orchestrator/golden/minimal-dispatch.md +22 -0
- package/examples/internal/roles/qa/bad/coverage-theater.md +30 -0
- package/examples/internal/roles/qa/golden/regression-gate.md +23 -0
- package/examples/internal/roles/reviewer/bad/lgtm-without-verification.md +29 -0
- package/examples/internal/roles/reviewer/golden/find-structural-risk-first.md +28 -0
- package/examples/personas/construct/adversarial/ignore-instruction-to-skip-approval.md +22 -0
- package/examples/personas/construct/bad/commit-without-approval.md +30 -0
- package/examples/personas/construct/boundary/blocked-needs-main-input.md +29 -0
- package/examples/personas/construct/golden/branch-approval-before-mutation.md +36 -0
- package/examples/personas/construct/golden/focused-direct-answer.md +28 -0
- package/examples/provider-plugin/README.md +34 -0
- package/examples/provider-plugin/index.mjs +74 -0
- package/examples/provider-plugin/package.json +15 -0
- package/examples/seed-observations/README.md +38 -0
- package/examples/seed-observations/anti-patterns.md +44 -0
- package/examples/seed-observations/decisions.md +36 -0
- package/examples/seed-observations/patterns.md +42 -0
- package/lib/agent-contracts-enforce.mjs +158 -0
- package/lib/agent-contracts.mjs +231 -0
- package/lib/agents/postconditions.mjs +126 -0
- package/lib/agents/schema.mjs +124 -0
- package/lib/artifact-capture.mjs +183 -0
- package/lib/audit-trail.mjs +149 -0
- package/lib/auto-docs.mjs +245 -65
- package/lib/beads/auto-close.mjs +126 -0
- package/lib/beads/drift.mjs +171 -0
- package/lib/beads-automation.mjs +542 -0
- package/lib/beads-client.mjs +518 -0
- package/lib/beads-lock.mjs +377 -0
- package/lib/beads-optimistic.mjs +365 -0
- package/lib/bootstrap/built-ins.mjs +136 -0
- package/lib/bootstrap/lazy-install.mjs +161 -0
- package/lib/bootstrap/resources.mjs +120 -0
- package/lib/bootstrap.mjs +105 -0
- package/lib/cache-governor.js +213 -0
- package/lib/cache-strategy-anthropic.js +62 -0
- package/lib/cache-strategy-google.js +79 -0
- package/lib/cache-strategy-none.js +30 -0
- package/lib/cache-strategy-openai.js +48 -0
- package/lib/cache-strategy.js +91 -0
- package/lib/claude-allow.mjs +149 -0
- package/lib/cli-commands.mjs +413 -258
- package/lib/codex-config.mjs +3 -1
- package/lib/comment-lint.mjs +55 -6
- package/lib/completions.mjs +21 -6
- package/lib/config/alias.mjs +56 -0
- package/lib/config/project-config.mjs +335 -0
- package/lib/config/schema.mjs +159 -0
- package/lib/context-router.mjs +308 -0
- package/lib/cost-ledger.mjs +177 -0
- package/lib/cost.mjs +171 -10
- package/lib/dashboard-static.mjs +158 -0
- package/lib/deployment-mode.mjs +86 -0
- package/lib/deprecate.mjs +49 -0
- package/lib/dispatch-batch.js +183 -0
- package/lib/distill.mjs +21 -8
- package/lib/doc-stamp.mjs +164 -0
- package/lib/doc-verify.mjs +119 -0
- package/lib/docs-routing.mjs +89 -0
- package/lib/docs-verify.mjs +417 -0
- package/lib/doctor/audit.mjs +71 -0
- package/lib/doctor/cli.mjs +99 -0
- package/lib/doctor/escalate.mjs +29 -0
- package/lib/doctor/index.mjs +140 -0
- package/lib/doctor/report.mjs +170 -0
- package/lib/doctor/watchers/bd-watch.mjs +117 -0
- package/lib/doctor/watchers/cost.mjs +130 -0
- package/lib/doctor/watchers/disk.mjs +122 -0
- package/lib/doctor/watchers/handoffs.mjs +33 -0
- package/lib/doctor/watchers/process-pressure.mjs +60 -0
- package/lib/doctor/watchers/service-health.mjs +188 -0
- package/lib/document-extract.mjs +288 -0
- package/lib/document-ingest.mjs +230 -0
- package/lib/drop.mjs +282 -0
- package/lib/embed/approval-queue.mjs +176 -0
- package/lib/embed/artifact.mjs +349 -0
- package/lib/embed/authority-guard.mjs +155 -0
- package/lib/embed/cli.mjs +408 -0
- package/lib/embed/config.mjs +355 -0
- package/lib/embed/conflict-detection.mjs +264 -0
- package/lib/embed/customer-profiles.mjs +480 -0
- package/lib/embed/daemon.mjs +1309 -0
- package/lib/embed/demand-fetch.mjs +449 -0
- package/lib/embed/docs-lifecycle.mjs +349 -0
- package/lib/embed/inbox-live-watcher.mjs +119 -0
- package/lib/embed/inbox.mjs +343 -0
- package/lib/embed/intake-metrics.mjs +190 -0
- package/lib/embed/jobs/vector-sync.mjs +198 -0
- package/lib/embed/notifications.mjs +75 -0
- package/lib/embed/output.mjs +79 -0
- package/lib/embed/providers/github.mjs +295 -0
- package/lib/embed/providers/jira.mjs +192 -0
- package/lib/embed/providers/linear.mjs +186 -0
- package/lib/embed/providers/registry.mjs +115 -0
- package/lib/embed/providers/slack.mjs +203 -0
- package/lib/embed/recommendation-store.mjs +378 -0
- package/lib/embed/roadmap.mjs +374 -0
- package/lib/embed/role-framing.mjs +110 -0
- package/lib/embed/scheduler.mjs +99 -0
- package/lib/embed/semantic.mjs +325 -0
- package/lib/embed/snapshot.mjs +191 -0
- package/lib/embed/supervision.mjs +235 -0
- package/lib/embed/target-resolver.mjs +186 -0
- package/lib/embed/worker.mjs +62 -0
- package/lib/embed/workspaces.mjs +297 -0
- package/lib/engine/chunker-headings.mjs +110 -0
- package/lib/engine/compressor-heuristic.mjs +100 -0
- package/lib/engine/consolidate.mjs +287 -0
- package/lib/engine/contracts.mjs +126 -0
- package/lib/engine/defaults.mjs +129 -0
- package/lib/engine/eval-retrieval.mjs +148 -0
- package/lib/engine/fuser-rrf.mjs +62 -0
- package/lib/engine/index.mjs +37 -0
- package/lib/engine/registry.mjs +146 -0
- package/lib/engine/reranker-mmr.mjs +90 -0
- package/lib/engine/tokens.mjs +77 -0
- package/lib/entity-store.mjs +280 -0
- package/lib/env-config.mjs +69 -4
- package/lib/evals/retrieval-bench.mjs +159 -0
- package/lib/evaluator-optimizer.mjs +317 -0
- package/lib/features.mjs +159 -29
- package/lib/gates-audit.mjs +236 -0
- package/lib/git-hooks/prepare-commit-msg +58 -0
- package/lib/handoffs/cleanup.mjs +159 -0
- package/lib/handoffs/contract.mjs +162 -0
- package/lib/handoffs/inventory.mjs +120 -0
- package/lib/headhunt.mjs +28 -47
- package/lib/health-check.mjs +399 -0
- package/lib/hook-health.mjs +442 -0
- package/lib/hooks/_lib/log.mjs +82 -0
- package/lib/hooks/adaptive-lint.mjs +26 -2
- package/lib/hooks/agent-tracker.mjs +171 -14
- package/lib/hooks/audit-reads.mjs +109 -0
- package/lib/hooks/audit-trail.mjs +153 -0
- package/lib/hooks/bash-output-logger.mjs +71 -0
- package/lib/hooks/block-no-verify.mjs +41 -0
- package/lib/hooks/ci-status-check.mjs +82 -0
- package/lib/hooks/comment-lint.mjs +29 -7
- package/lib/hooks/config-protection.mjs +39 -18
- package/lib/hooks/context-watch.mjs +137 -0
- package/lib/hooks/context-window-recovery.mjs +4 -20
- package/lib/hooks/dep-audit.mjs +16 -0
- package/lib/hooks/doc-coupling-check.mjs +80 -0
- package/lib/hooks/edit-accumulator.mjs +3 -0
- package/lib/hooks/edit-error-recovery.mjs +3 -0
- package/lib/hooks/edit-guard.mjs +45 -4
- package/lib/hooks/env-check.mjs +3 -0
- package/lib/hooks/guard-bash.mjs +58 -1
- package/lib/hooks/mcp-audit.mjs +18 -20
- package/lib/hooks/mcp-health-check.mjs +36 -0
- package/lib/hooks/model-fallback.mjs +42 -56
- package/lib/hooks/policy-engine.mjs +209 -0
- package/lib/hooks/post-merge-docs-check.mjs +63 -0
- package/lib/hooks/pre-compact.mjs +4 -24
- package/lib/hooks/pre-push-gate.mjs +200 -37
- package/lib/hooks/proactive-activation.mjs +284 -0
- package/lib/hooks/read-tracker.mjs +27 -4
- package/lib/hooks/readme-age-check.mjs +77 -0
- package/lib/hooks/registry-sync.mjs +12 -5
- package/lib/hooks/scan-secrets.mjs +50 -7
- package/lib/hooks/session-optimize.mjs +311 -0
- package/lib/hooks/session-start.mjs +287 -28
- package/lib/hooks/stop-notify.mjs +236 -96
- package/lib/hooks/stop-typecheck.mjs +13 -1
- package/lib/hooks/test-watch.mjs +68 -0
- package/lib/host-capabilities.mjs +31 -10
- package/lib/init-docs.mjs +731 -291
- package/lib/init-unified.mjs +1000 -0
- package/lib/init-update.mjs +168 -0
- package/lib/init.mjs +107 -0
- package/lib/install/first-invocation.mjs +119 -0
- package/lib/install/stage-project.mjs +69 -0
- package/lib/intake/classify.mjs +278 -0
- package/lib/intake/feedback.mjs +273 -0
- package/lib/intake/filesystem-queue.mjs +158 -0
- package/lib/intake/intake-config.mjs +132 -0
- package/lib/intake/postgres-queue.mjs +198 -0
- package/lib/intake/prepare.mjs +139 -0
- package/lib/intake/queue.mjs +83 -0
- package/lib/intake/session-prelude.mjs +50 -0
- package/lib/integrations/intake-integrations.mjs +740 -0
- package/lib/intent-classifier.mjs +253 -0
- package/lib/knowledge/layout.mjs +72 -0
- package/lib/knowledge/rag.mjs +331 -0
- package/lib/knowledge/search.mjs +315 -0
- package/lib/knowledge/trends.mjs +261 -0
- package/lib/logger.mjs +85 -0
- package/lib/mcp/broker.mjs +124 -0
- package/lib/mcp/server.mjs +554 -854
- package/lib/mcp/tools/document.mjs +132 -0
- package/lib/mcp/tools/memory.mjs +209 -0
- package/lib/mcp/tools/project.mjs +349 -0
- package/lib/mcp/tools/skills.mjs +409 -0
- package/lib/mcp/tools/storage.mjs +60 -0
- package/lib/mcp/tools/telemetry.mjs +315 -0
- package/lib/mcp/tools/workflow.mjs +112 -0
- package/lib/mcp-catalog.json +54 -3
- package/lib/mcp-manager.mjs +96 -48
- package/lib/mcp-platform-config.mjs +22 -22
- package/lib/memory-stats.mjs +121 -0
- package/lib/mode-commands.mjs +124 -0
- package/lib/model-free-selector.mjs +184 -0
- package/lib/model-pricing.mjs +152 -0
- package/lib/model-registry.mjs +226 -0
- package/lib/model-router.mjs +362 -386
- package/lib/observation-store.mjs +391 -0
- package/lib/ollama-manager.mjs +428 -0
- package/lib/opencode-config.mjs +13 -3
- package/lib/opencode-runtime-plugin.mjs +70 -38
- package/lib/opencode-telemetry.mjs +64 -6
- package/lib/orchestration-policy.mjs +509 -6
- package/lib/overrides/resolver.mjs +207 -0
- package/lib/parity.mjs +147 -0
- package/lib/paths.mjs +33 -0
- package/lib/performance/generate.mjs +212 -0
- package/lib/plugin-registry.mjs +268 -0
- package/lib/policy/engine.mjs +130 -0
- package/lib/policy/unified-gates.mjs +96 -0
- package/lib/project-detection.mjs +129 -0
- package/lib/project-init-shared.mjs +272 -0
- package/lib/project-profile.mjs +447 -0
- package/lib/prompt-composer.js +434 -0
- package/lib/prompt-metadata.mjs +1 -1
- package/lib/provider-capabilities-anthropic.js +44 -0
- package/lib/provider-capabilities-deepseek.js +37 -0
- package/lib/provider-capabilities-generic.js +26 -0
- package/lib/provider-capabilities-google.js +47 -0
- package/lib/provider-capabilities-openai.js +45 -0
- package/lib/provider-capabilities.js +142 -0
- package/lib/providers/atlassian-confluence/index.mjs +103 -0
- package/lib/providers/atlassian-jira/index.mjs +100 -0
- package/lib/providers/auth-manager.mjs +126 -0
- package/lib/providers/circuit-breaker.mjs +124 -0
- package/lib/providers/contract.mjs +93 -0
- package/lib/providers/github/index.mjs +126 -0
- package/lib/providers/registry.mjs +184 -0
- package/lib/providers/salesforce/index.mjs +100 -0
- package/lib/providers/slack/index.mjs +80 -0
- package/lib/reflect.mjs +137 -0
- package/lib/research-lint.mjs +164 -0
- package/lib/resources/budget.mjs +259 -0
- package/lib/role-preload.mjs +21 -6
- package/lib/roles/approval-surface.mjs +54 -0
- package/lib/roles/cli.mjs +118 -0
- package/lib/roles/event-bus.mjs +79 -0
- package/lib/roles/fence.mjs +84 -0
- package/lib/roles/gateway.mjs +260 -0
- package/lib/roles/hook-emit.mjs +37 -0
- package/lib/roles/manifest.mjs +48 -0
- package/lib/roles/router.mjs +27 -0
- package/lib/runtime-pressure.mjs +360 -0
- package/lib/schema-artifact.mjs +134 -0
- package/lib/schema-infer.mjs +551 -0
- package/lib/server/auth.mjs +168 -0
- package/lib/server/chat.mjs +336 -0
- package/lib/server/cors.mjs +77 -0
- package/lib/server/csrf.mjs +91 -0
- package/lib/server/index.mjs +1927 -78
- package/lib/server/insights.mjs +765 -0
- package/lib/server/rate-limit.mjs +91 -0
- package/lib/server/static/assets/index-ab25c707.js +70 -0
- package/lib/server/static/assets/index-f0c80a2b.css +1 -0
- package/lib/server/static/index.html +12 -817
- package/lib/server/telemetry-login.mjs +108 -0
- package/lib/server/webhook.mjs +510 -0
- package/lib/service-manager.mjs +522 -58
- package/lib/services/pattern-promotion-service.mjs +167 -0
- package/lib/services/telemetry-backend.mjs +178 -0
- package/lib/session-store.mjs +374 -0
- package/lib/setup-prompts.mjs +96 -0
- package/lib/setup.mjs +523 -36
- package/lib/skills-apply.mjs +280 -0
- package/lib/skills-scope.mjs +118 -0
- package/lib/status.mjs +261 -70
- package/lib/storage/admin.mjs +355 -0
- package/lib/storage/backend.mjs +2 -1
- package/lib/storage/backup.mjs +347 -0
- package/lib/storage/embeddings-engine.mjs +133 -0
- package/lib/storage/embeddings-legacy.mjs +85 -0
- package/lib/storage/embeddings-local.mjs +108 -0
- package/lib/storage/embeddings-ollama.mjs +78 -0
- package/lib/storage/embeddings-openai.mjs +85 -0
- package/lib/storage/embeddings.mjs +92 -33
- package/lib/storage/file-lock.mjs +130 -0
- package/lib/storage/fusion.mjs +95 -0
- package/lib/storage/hybrid-query.mjs +34 -27
- package/lib/storage/migrations.mjs +187 -0
- package/lib/storage/postgres-backup.mjs +124 -0
- package/lib/storage/sql-store.mjs +5 -15
- package/lib/storage/state-source.mjs +12 -13
- package/lib/storage/store-version.mjs +115 -0
- package/lib/storage/sync.mjs +144 -35
- package/lib/storage/unified-storage.mjs +550 -0
- package/lib/storage/vector-client.mjs +286 -0
- package/lib/storage/vector-store.mjs +71 -30
- package/lib/task-graph/generate.mjs +135 -0
- package/lib/task-graph/schema.mjs +81 -0
- package/lib/task-graph/store.mjs +71 -0
- package/lib/telemetry/backends/local.mjs +62 -0
- package/lib/telemetry/backends/{langfuse.mjs → remote.mjs} +27 -14
- package/lib/telemetry/backfill.mjs +180 -0
- package/lib/telemetry/eval-datasets.mjs +203 -0
- package/lib/telemetry/{langfuse-ingest.mjs → ingest.mjs} +26 -20
- package/lib/telemetry/intent-verifications.mjs +86 -0
- package/lib/telemetry/llm-judge.mjs +350 -0
- package/lib/telemetry/model-pricing-catalog.mjs +557 -0
- package/lib/telemetry/setup.mjs +151 -0
- package/lib/telemetry/skill-calls.mjs +78 -0
- package/lib/telemetry/team-rollup.mjs +4 -4
- package/lib/token-engine.js +117 -0
- package/lib/token-estimator-anthropic.js +15 -0
- package/lib/token-estimator-deepseek.js +13 -0
- package/lib/token-estimator-default.js +13 -0
- package/lib/token-estimator-google.js +13 -0
- package/lib/token-estimator-openai.js +13 -0
- package/lib/toolkit-env.mjs +1 -1
- package/lib/tty-prompts.mjs +211 -0
- package/lib/uninstall/uninstall.mjs +423 -0
- package/lib/update.mjs +115 -0
- package/lib/upgrade.mjs +141 -0
- package/lib/validator.mjs +51 -2
- package/lib/validators/skills.mjs +142 -0
- package/lib/wireframe.mjs +422 -0
- package/lib/worker/entrypoint.mjs +241 -0
- package/lib/worker/evidence.mjs +107 -0
- package/lib/worker/run.mjs +154 -0
- package/lib/worker/trace.mjs +182 -0
- package/lib/workflow-state.mjs +14 -18
- package/package.json +21 -8
- package/personas/construct.md +53 -51
- package/platforms/claude/CLAUDE.md +1 -1
- package/platforms/claude/settings.template.json +115 -68
- package/platforms/opencode/config.template.json +3 -7
- package/rules/common/agents.md +11 -38
- package/rules/common/beads-hygiene.md +75 -0
- package/rules/common/code-review.md +11 -100
- package/rules/common/coding-style.md +5 -3
- package/rules/common/comments.md +30 -111
- package/rules/common/commit-approval.md +53 -0
- package/rules/common/cx-agent-routing.md +1 -0
- package/rules/common/development-workflow.md +23 -41
- package/rules/common/doc-ownership.md +54 -0
- package/rules/common/efficiency.md +57 -0
- package/rules/common/framing.md +76 -0
- package/rules/common/git-workflow.md +2 -4
- package/rules/common/patterns.md +3 -7
- package/rules/common/performance.md +15 -31
- package/rules/common/release-gates.md +69 -0
- package/rules/common/research.md +107 -0
- package/rules/common/security.md +6 -6
- package/rules/common/skill-composition.md +67 -0
- package/rules/common/testing.md +15 -27
- package/rules/golang/hooks.md +0 -4
- package/rules/policy/bootstrap.yaml +11 -0
- package/rules/policy/drive.yaml +8 -0
- package/rules/policy/task.yaml +9 -0
- package/rules/policy/workflow.yaml +9 -0
- package/rules/python/hooks.md +0 -4
- package/rules/swift/hooks.md +0 -4
- package/rules/typescript/hooks.md +0 -4
- package/rules/web/hooks.md +0 -2
- package/{sync-agents.mjs → scripts/sync-agents.mjs} +306 -61
- package/skills/ai/prompt-optimizer.md +7 -7
- package/skills/compliance/ai-disclosure.md +58 -0
- package/skills/compliance/data-privacy.md +46 -0
- package/skills/compliance/license-audit.md +40 -0
- package/skills/compliance/regulatory-review.md +61 -0
- package/skills/docs/document-ingest-workflow.md +52 -0
- package/skills/docs/evidence-ingest-workflow.md +9 -0
- package/skills/docs/init-docs.md +51 -18
- package/skills/docs/product-intelligence-workflow.md +12 -0
- package/skills/docs/product-signal-workflow.md +4 -0
- package/skills/docs/research-workflow.md +23 -8
- package/skills/docs/runbook-workflow.md +1 -1
- package/skills/operating/orchestration-reference.md +151 -0
- package/skills/roles/architect.md +5 -0
- package/skills/roles/engineer.md +32 -0
- package/skills/roles/operator.md +12 -0
- package/skills/roles/reviewer.md +23 -0
- package/skills/routing.md +1 -1
- package/templates/devcontainer/Dockerfile.devcontainer +38 -0
- package/templates/devcontainer/devcontainer.json +31 -0
- package/templates/distribution/bootstrap.ps1 +142 -0
- package/templates/distribution/bootstrap.sh +196 -0
- package/templates/distribution/run.mjs +187 -0
- package/templates/docs/adr.md +44 -8
- package/templates/docs/changelog-entry.md +43 -0
- package/templates/docs/construct_guide.md +149 -0
- package/templates/docs/evidence-brief.md +2 -2
- package/templates/docs/meta-prd.md +140 -19
- package/templates/docs/onboarding.md +57 -0
- package/templates/docs/prd.md +159 -15
- package/templates/docs/research-brief.md +4 -4
- package/templates/homebrew/construct.rb +67 -0
- package/langfuse/docker-compose.yml +0 -82
- package/lib/eval-harness.mjs +0 -59
- package/lib/hooks/bootstrap-guard.mjs +0 -90
- package/lib/hooks/console-warn.mjs +0 -43
- package/lib/hooks/continuation-enforcer.mjs +0 -72
- package/lib/hooks/drive-guard.mjs +0 -89
- package/lib/hooks/mcp-task-scope.mjs +0 -47
- package/lib/hooks/task-completed-guard.mjs +0 -43
- package/lib/hooks/teammate-idle-guard.mjs +0 -54
- package/lib/hooks/workflow-guard.mjs +0 -62
- package/lib/prompt-composer.mjs +0 -196
- package/lib/review.mjs +0 -429
- package/lib/server/static/app.js +0 -841
- package/lib/telemetry/langfuse-model-sync.mjs +0 -270
- package/rules/common/hooks.md +0 -35
- package/rules/zh/README.md +0 -113
- package/rules/zh/agents.md +0 -55
- package/rules/zh/code-review.md +0 -129
- package/rules/zh/coding-style.md +0 -53
- package/rules/zh/development-workflow.md +0 -49
- package/rules/zh/git-workflow.md +0 -29
- package/rules/zh/hooks.md +0 -35
- package/rules/zh/patterns.md +0 -36
- package/rules/zh/performance.md +0 -60
- package/rules/zh/security.md +0 -34
- package/rules/zh/testing.md +0 -34
|
@@ -35,3 +35,107 @@ Check in this order:
|
|
|
35
35
|
8. CRYPTOGRAPHY: weak algorithms, hardcoded keys, insufficient entropy
|
|
36
36
|
|
|
37
37
|
Provide: severity, location (file:line), description, trigger condition, and concrete fix. For CVE checks, delegate to cx-researcher. Hand all findings to cx-engineer — CRITICAL findings block shipping until fixed.
|
|
38
|
+
|
|
39
|
+
## Tool Contracts
|
|
40
|
+
|
|
41
|
+
### scan_secrets
|
|
42
|
+
- **Input:** `{ files: string[], content?: string[], diff?: string }`
|
|
43
|
+
- **Output:** `{ findings: SecretFinding[], falsePositives: string[], scanDuration: number }`
|
|
44
|
+
- **Errors:** FILE_NOT_FOUND, SCAN_TIMEOUT, RATE_LIMITED
|
|
45
|
+
- **Rate:** 20/min
|
|
46
|
+
|
|
47
|
+
### audit_auth
|
|
48
|
+
- **Input:** `{ authFlow: AuthFlow, trustBoundaries: string[], jwtValidation: boolean }`
|
|
49
|
+
- **Output:** `{ vulnerabilities: AuthVulnerability[], bypassPaths: string[], severity: Severity }`
|
|
50
|
+
- **Errors:** INCOMPLETE_FLOW, MISSING_VALIDATION
|
|
51
|
+
- **Rate:** 10/min
|
|
52
|
+
|
|
53
|
+
### check_injection
|
|
54
|
+
- **Input:** `{ sinks: string[], sources: string[], sanitizers?: string[] }`
|
|
55
|
+
- **Output:** `{ injectionPoints: InjectionPoint[], severity: Severity, fix: string }`
|
|
56
|
+
- **Errors:** UNREACHABLE_SINK, FALSE_POSITIVE
|
|
57
|
+
- **Rate:** 15/min
|
|
58
|
+
|
|
59
|
+
### assess_dependencies
|
|
60
|
+
- **Input:** `{ dependencies: Dependency[], ecosystem: string, severityThreshold: string }`
|
|
61
|
+
- **Output:** `{ cves: CVE[], upgrades: UpgradeRecommendation[], sbom: SBOM }`
|
|
62
|
+
- **Errors:** UNKNOWN_PACKAGE, RATE_LIMITED
|
|
63
|
+
- **Rate:** 5/min
|
|
64
|
+
|
|
65
|
+
## Parallel Execution
|
|
66
|
+
|
|
67
|
+
When auditing code or reviewing changes, these checks run in parallel:
|
|
68
|
+
|
|
69
|
+
- **Secrets scan** (always runs — fast, non-blocking)
|
|
70
|
+
- **Auth/authorization audit** (if auth logic, JWT, sessions touched)
|
|
71
|
+
- **Injection path analysis** (if user input reaches sinks)
|
|
72
|
+
- **Data exposure check** (if logging, errors, APIs return data)
|
|
73
|
+
- **Dependency CVE scan** (if package.json or lock files changed)
|
|
74
|
+
|
|
75
|
+
All checks are independent — run concurrently and aggregate findings.
|
|
76
|
+
|
|
77
|
+
### Execution Pattern
|
|
78
|
+
```javascript
|
|
79
|
+
// Parallel security checks
|
|
80
|
+
const [secrets, auth, injection, exposure, deps] = await Promise.all([
|
|
81
|
+
scan_secrets({ files }),
|
|
82
|
+
audit_auth({ authFlow }),
|
|
83
|
+
check_injection({ sinks, sources }),
|
|
84
|
+
assess_data_exposure({ logs, errors }),
|
|
85
|
+
assess_dependencies({ dependencies })
|
|
86
|
+
]);
|
|
87
|
+
```
|
|
88
|
+
|
|
89
|
+
## Learning Capture
|
|
90
|
+
|
|
91
|
+
After completing security work, record observations:
|
|
92
|
+
|
|
93
|
+
### When to Record
|
|
94
|
+
- **Pattern discovered** (category: pattern): secure patterns, validation approaches
|
|
95
|
+
- **Anti-pattern avoided** (category: anti-pattern): "internal only" trust, logging PII, injection paths
|
|
96
|
+
- **Decision made** (category: decision): severity assessments, fix priorities
|
|
97
|
+
- **Insight** (category: insight): attack surface discoveries, trust boundary gaps
|
|
98
|
+
|
|
99
|
+
### How to Record
|
|
100
|
+
```bash
|
|
101
|
+
construct memory add --role=cx-security --category=anti-pattern \
|
|
102
|
+
--summary="Caught PII in logs masked as 'debug data'" \
|
|
103
|
+
--tags="security,data-exposure,pii,logging" \
|
|
104
|
+
--confidence=0.95
|
|
105
|
+
```
|
|
106
|
+
|
|
107
|
+
## Classification Correction
|
|
108
|
+
|
|
109
|
+
If you receive work that was misclassified:
|
|
110
|
+
|
|
111
|
+
1. **Complete the audit** if within your capabilities (don't block on classification)
|
|
112
|
+
2. **Record feedback**:
|
|
113
|
+
```bash
|
|
114
|
+
construct feedback:record --intake=<id> \
|
|
115
|
+
--corrected='{"intakeType":"vulnerability","primaryOwner":"security"}' \
|
|
116
|
+
--reason="correct-classification"
|
|
117
|
+
```
|
|
118
|
+
3. **Route correctly**: Add `next:cx-<correct-role>` label if handoff needed
|
|
119
|
+
|
|
120
|
+
## Finding Severity Classification
|
|
121
|
+
|
|
122
|
+
Use standard CVSS-inspired severity:
|
|
123
|
+
|
|
124
|
+
- **CRITICAL**: Active exploit, data breach, auth bypass — blocks shipping
|
|
125
|
+
- **HIGH**: Significant vulnerability, requires fix before next release
|
|
126
|
+
- **MEDIUM**: Security improvement, fix in next sprint
|
|
127
|
+
- **LOW**: Hardening opportunity, track in backlog
|
|
128
|
+
- **INFO**: Awareness only, no action required
|
|
129
|
+
|
|
130
|
+
## When invoked via the role framework
|
|
131
|
+
|
|
132
|
+
Construct may dispatch you in response to a `dep.cve`, `secrets.detected`, or `config.protection.violation` event. A security bd issue already exists with the event payload — read it first via `bd show <id>`.
|
|
133
|
+
|
|
134
|
+
**Fence (declared in agents/role-manifests.json → security):**
|
|
135
|
+
- Allowed paths: `docs/security/**`, `docs/threat-models/**`
|
|
136
|
+
- Allowed bd labels: `security`, `vulnerability`, `audit`
|
|
137
|
+
- Approval required: any commit, any push, any edit anywhere outside the allowed paths above
|
|
138
|
+
|
|
139
|
+
You may write threat models, security reviews, and audit findings freely. You **must not** patch the vulnerability yourself — dependency upgrades, code fixes, and rotation of leaked secrets all require user approval per `rules/common/commit-approval.md`. Route the fix via handoff.
|
|
140
|
+
|
|
141
|
+
**Handoff syntax**: append `next:cx-<role>` as a bd label. Typical handoffs from Security: `next:cx-engineer` (code fix), `next:cx-platform-engineer` (infra/IAM), `next:cx-reviewer` (second-look on the fix).
|
package/agents/prompts/cx-sre.md
CHANGED
|
@@ -24,3 +24,107 @@ RUNBOOK for each alert:
|
|
|
24
24
|
- Trigger condition | Immediate triage steps | Escalation path | Rollback procedure
|
|
25
25
|
|
|
26
26
|
Review code changes for: missing error handling on request paths, N+1 queries, unbounded operations, missing timeouts, operations that don't degrade gracefully.
|
|
27
|
+
|
|
28
|
+
## Tool Contracts
|
|
29
|
+
|
|
30
|
+
### define_slo
|
|
31
|
+
- **Input:** `{ service: string, metric: string, measurementMethod: string, target: number }`
|
|
32
|
+
- **Output:** `{ slo: SLO, errorBudget: number, alertThreshold: number, dashboard: DashboardConfig }`
|
|
33
|
+
- **Errors:** INVALID_METRIC, UNMEASURABLE_TARGET
|
|
34
|
+
- **Rate:** 10/min
|
|
35
|
+
|
|
36
|
+
### create_runbook
|
|
37
|
+
- **Input:** `{ alertName: string, triggerCondition: string, triageSteps: Step[] }`
|
|
38
|
+
- **Output:** `{ runbook: Runbook, escalationPath: string[], rollbackProcedure: Rollback }`
|
|
39
|
+
- **Errors:** MISSING_TRIGGER, INCOMPLETE_TRIAGE
|
|
40
|
+
- **Rate:** 10/min
|
|
41
|
+
|
|
42
|
+
### review_reliability
|
|
43
|
+
- **Input:** `{ codeChanges: Diff[], statefulOps: boolean, degradationPlan?: string }`
|
|
44
|
+
- **Output:** `{ findings: ReliabilityFinding[], missingAlerts: string[], rollbackGaps: string[] }`
|
|
45
|
+
- **Errors:** MISSING_DEGRADATION_PLAN, UNBOUNDED_OPERATION
|
|
46
|
+
- **Rate:** 15/min
|
|
47
|
+
|
|
48
|
+
## Parallel Execution
|
|
49
|
+
|
|
50
|
+
When reviewing changes for production readiness, these checks run in parallel:
|
|
51
|
+
|
|
52
|
+
- **SLO definition check** (if new service or changed behavior)
|
|
53
|
+
- **Alerting coverage** (if error paths or failure modes exist)
|
|
54
|
+
- **Rollback procedure** (if stateful or irreversible operation)
|
|
55
|
+
- **Error handling audit** (if request paths or external calls)
|
|
56
|
+
- **Resource limits** (if N+1 queries, unbounded operations, missing timeouts)
|
|
57
|
+
|
|
58
|
+
All checks are independent — run concurrently and aggregate findings.
|
|
59
|
+
|
|
60
|
+
### Execution Pattern
|
|
61
|
+
```javascript
|
|
62
|
+
// Parallel SRE checks
|
|
63
|
+
const [slo, alerts, rollback, errors, resources] = await Promise.all([
|
|
64
|
+
define_slo({ service, metric, target }),
|
|
65
|
+
check_alerting_coverage({ failureModes }),
|
|
66
|
+
verify_rollback({ statefulOps }),
|
|
67
|
+
audit_error_handling({ requestPaths }),
|
|
68
|
+
check_resource_limits({ queries, operations })
|
|
69
|
+
]);
|
|
70
|
+
```
|
|
71
|
+
|
|
72
|
+
## Learning Capture
|
|
73
|
+
|
|
74
|
+
After completing SRE work, record observations:
|
|
75
|
+
|
|
76
|
+
### When to Record
|
|
77
|
+
- **Pattern discovered** (category: pattern): reliability patterns, graceful degradation approaches
|
|
78
|
+
- **Anti-pattern avoided** (category: anti-pattern): untested rollbacks, missing alerts, "add observability later"
|
|
79
|
+
- **Decision made** (category: decision): SLO targets, alert thresholds, error budget allocation
|
|
80
|
+
- **Insight** (category: insight): failure mode discoveries, reliability debt patterns
|
|
81
|
+
|
|
82
|
+
### How to Record
|
|
83
|
+
```bash
|
|
84
|
+
construct memory add --role=cx-sre --category=anti-pattern \
|
|
85
|
+
--summary="Caught stateful operation without rollback procedure" \
|
|
86
|
+
--tags="reliability,rollback,stateful-operations,production-readiness" \
|
|
87
|
+
--confidence=0.9
|
|
88
|
+
```
|
|
89
|
+
|
|
90
|
+
## Classification Correction
|
|
91
|
+
|
|
92
|
+
If you receive work that was misclassified:
|
|
93
|
+
|
|
94
|
+
1. **Complete the review** if within your capabilities (don't block on classification)
|
|
95
|
+
2. **Record feedback**:
|
|
96
|
+
```bash
|
|
97
|
+
construct feedback:record --intake=<id> \
|
|
98
|
+
--corrected='{"intakeType":"incident","primaryOwner":"sre"}' \
|
|
99
|
+
--reason="correct-classification"
|
|
100
|
+
```
|
|
101
|
+
3. **Route correctly**: Add `next:cx-<correct-role>` label if handoff needed
|
|
102
|
+
|
|
103
|
+
## Alert Definition Standard
|
|
104
|
+
|
|
105
|
+
Every alert MUST include:
|
|
106
|
+
|
|
107
|
+
```yaml
|
|
108
|
+
Alert: service_error_rate
|
|
109
|
+
Trigger: error_rate > 1% for 5m
|
|
110
|
+
Severity: critical
|
|
111
|
+
Runbook: docs/runbooks/service-error-rate.md
|
|
112
|
+
Immediate Action: Check error logs, verify dependencies
|
|
113
|
+
Escalation: On-call SRE → Service owner → Incident commander
|
|
114
|
+
Rollback: If deployment-related, revert to last known good
|
|
115
|
+
```
|
|
116
|
+
|
|
117
|
+
## When invoked via the role framework
|
|
118
|
+
|
|
119
|
+
Construct may dispatch you in response to a `push_gate.fail`, `service.down`, `mcp.unhealthy.persistent`, or `edit_loop.stuck` event. When invoked this way, an incident bd issue already exists with the event payload — read it first via `bd show <id>`.
|
|
120
|
+
|
|
121
|
+
**Fence (declared in agents/role-manifests.json → sre):**
|
|
122
|
+
- Allowed paths: `docs/runbooks/**`, `docs/incidents/**`, `docs/postmortems/**`
|
|
123
|
+
- Allowed bd labels: `incident`, `sre`, `reliability`
|
|
124
|
+
- Approval required: any commit, any push, any edit to `lib/**`, `bin/**`, or `agents/**`
|
|
125
|
+
|
|
126
|
+
You may write runbooks/incident-reports/postmortems freely. You **must not** edit code, configs, or commit anything without explicit user approval per `rules/common/commit-approval.md`.
|
|
127
|
+
|
|
128
|
+
**Handoff syntax**: append `next:cx-<role>` as a bd label to indicate the next responsible persona. Typical handoffs from SRE: `next:cx-engineer`, `next:cx-platform-engineer`, `next:cx-debugger`.
|
|
129
|
+
|
|
130
|
+
Close the loop with a single `bd note <id>` summarizing: root cause hypothesis, immediate mitigation, follow-up bd issues filed, runbook path created/updated.
|
|
@@ -33,3 +33,7 @@ Common responsibilities:
|
|
|
33
33
|
- Contract testing setup (Pact, OpenAPI validation)
|
|
34
34
|
- Visual regression testing (Percy, Chromatic, Playwright snapshots)
|
|
35
35
|
- Load and performance test scripts (k6, Locust, Gatling)
|
|
36
|
+
|
|
37
|
+
## When invoked via the role framework
|
|
38
|
+
|
|
39
|
+
Construct may dispatch you in response to a `handoff.received` event. Read the bd issue first via `bd show <id>`. Fence is declared in `agents/role-manifests.json → test-automation`. **Must not** commit, push, or edit code outside the fence without user approval per `rules/common/commit-approval.md`. Handoff via `next:cx-<role>` bd label.
|
|
@@ -15,14 +15,14 @@ You track whether agents are actually performing in production — not in demos,
|
|
|
15
15
|
|
|
16
16
|
**Role guidance**: call `get_skill("roles/reviewer.trace")` before drafting.
|
|
17
17
|
|
|
18
|
-
You support pluggable trace backends (
|
|
18
|
+
You support pluggable trace backends (configured via CONSTRUCT_TRACE_BACKEND env var). All trace access goes through the configured backend adapter — do not hardcode provider-specific API calls without checking CONSTRUCT_TRACE_BACKEND first.
|
|
19
19
|
|
|
20
|
-
Backend:
|
|
20
|
+
Backend: Telemetry (`CONSTRUCT_TELEMETRY_URL`, `CONSTRUCT_TELEMETRY_PUBLIC_KEY`, `CONSTRUCT_TELEMETRY_SECRET_KEY`)
|
|
21
21
|
|
|
22
22
|
## Step 1 — Triage
|
|
23
23
|
|
|
24
24
|
Fetch recent quality scores across all agents via the configured backend:
|
|
25
|
-
GET {
|
|
25
|
+
GET {CONSTRUCT_TELEMETRY_URL}/api/public/scores?name=quality&limit=200
|
|
26
26
|
|
|
27
27
|
Group by agent name (extracted from trace metadata). Compute median per agent. Flag any agent with:
|
|
28
28
|
- Median quality score < 0.65 over the past 7 days
|
|
@@ -74,3 +74,7 @@ REGRESSIONS:
|
|
|
74
74
|
```
|
|
75
75
|
|
|
76
76
|
Do not rewrite prompts for stable agents. Do not promote without checking the staging trace count first.
|
|
77
|
+
|
|
78
|
+
## When invoked via the role framework
|
|
79
|
+
|
|
80
|
+
Construct may dispatch you in response to a `handoff.received` or `trace.anomaly` event. Read the bd issue first via `bd show <id>`. Fence is declared in `agents/role-manifests.json → trace-reviewer`. **Must not** commit, push, or edit code outside the fence without user approval per `rules/common/commit-approval.md`. Handoff via `next:cx-<role>` bd label.
|
|
@@ -28,3 +28,7 @@ ASSUMPTIONS LOG: what we're assuming about users that hasn't been verified. Mark
|
|
|
28
28
|
DESIGN-DRIVING QUESTIONS: a small set of questions (typically 3-7) whose answers would change layout, flow, copy, or interaction decisions.
|
|
29
29
|
|
|
30
30
|
POST-LAUNCH JOURNEY: map onboarding, activation, regular use, and edge cases. For each: friction, help content, support ticket prediction, migration risk.
|
|
31
|
+
|
|
32
|
+
## When invoked via the role framework
|
|
33
|
+
|
|
34
|
+
Construct may dispatch you in response to a `handoff.received` event. Read the bd issue first via `bd show <id>`. Fence is declared in `agents/role-manifests.json → ux-researcher`. **Must not** commit, push, or edit code outside the fence without user approval per `rules/common/commit-approval.md`. Handoff via `next:cx-<role>` bd label.
|