@geraldmaron/construct 1.0.14 → 1.0.15

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (259) hide show
  1. package/README.md +6 -0
  2. package/bin/construct +3 -3
  3. package/commands/build/feature.md +0 -6
  4. package/commands/build/fix.md +0 -6
  5. package/commands/design/access.md +0 -6
  6. package/commands/design/flow.md +0 -6
  7. package/commands/design/ui.md +0 -6
  8. package/commands/measure/experiment.md +0 -6
  9. package/commands/measure/metrics.md +0 -6
  10. package/commands/measure/results.md +0 -6
  11. package/commands/plan/api.md +0 -6
  12. package/commands/plan/challenge.md +0 -6
  13. package/commands/plan/decide.md +0 -6
  14. package/commands/plan/feature.md +0 -7
  15. package/commands/plan/requirements.md +0 -6
  16. package/commands/remember/context.md +0 -6
  17. package/commands/remember/handoff.md +0 -6
  18. package/commands/remember/runbook.md +0 -6
  19. package/commands/review/code.md +0 -6
  20. package/commands/review/quality.md +0 -6
  21. package/commands/review/security.md +0 -6
  22. package/commands/ship/ready.md +0 -6
  23. package/commands/ship/release.md +0 -6
  24. package/commands/ship/status.md +0 -6
  25. package/commands/understand/docs.md +0 -6
  26. package/commands/understand/research.md +0 -6
  27. package/commands/understand/this.md +0 -6
  28. package/commands/understand/why.md +0 -6
  29. package/commands/work/clean.md +0 -6
  30. package/commands/work/drive.md +0 -6
  31. package/commands/work/optimize-prompts.md +0 -6
  32. package/commands/work/parallel-review.md +0 -6
  33. package/lib/beads-client.mjs +19 -1
  34. package/lib/comment-lint.mjs +5 -1
  35. package/lib/context-state.mjs +15 -3
  36. package/lib/contracts/validate.mjs +54 -10
  37. package/lib/contracts/violation-log.mjs +154 -0
  38. package/lib/document-extract/docling-client.mjs +114 -0
  39. package/lib/document-extract/docling-sidecar.py +122 -0
  40. package/lib/document-extract/whisper-client.mjs +79 -0
  41. package/lib/document-extract.mjs +73 -8
  42. package/lib/document-ingest.mjs +26 -4
  43. package/lib/embed/daemon.mjs +6 -1
  44. package/lib/flavors/loader.mjs +1 -1
  45. package/lib/handoffs/contract.mjs +2 -2
  46. package/lib/hooks/session-start.mjs +1 -1
  47. package/lib/ingest/chunker.mjs +94 -0
  48. package/lib/ingest/pipeline.mjs +53 -0
  49. package/lib/ingest/store.mjs +82 -0
  50. package/lib/knowledge/search.mjs +12 -0
  51. package/lib/mcp/server.mjs +142 -1
  52. package/lib/mcp/tools/skills.mjs +6 -3
  53. package/lib/mcp/tools/workflow.mjs +6 -2
  54. package/lib/observation-store.mjs +14 -5
  55. package/lib/ollama-manager.mjs +32 -28
  56. package/lib/prompt-composer.js +11 -1
  57. package/lib/runtime/uv-bootstrap.mjs +129 -0
  58. package/lib/runtime/whisper-bootstrap.mjs +102 -0
  59. package/lib/server/index.mjs +22 -1
  60. package/lib/server/static/index.html +1 -1
  61. package/lib/specialists/postconditions.mjs +1 -1
  62. package/lib/sync/skill-frontmatter.mjs +113 -21
  63. package/lib/tracking-surfaces.mjs +2 -0
  64. package/lib/validators/skills.mjs +86 -54
  65. package/package.json +5 -5
  66. package/personas/construct.md +4 -7
  67. package/platforms/claude/settings.template.json +1 -1
  68. package/rules/common/beads-hygiene.md +3 -9
  69. package/rules/common/code-review.md +3 -6
  70. package/rules/common/coding-style.md +3 -6
  71. package/rules/common/comments.md +3 -7
  72. package/rules/common/commit-approval.md +3 -6
  73. package/rules/common/cx-agent-routing.md +3 -7
  74. package/rules/common/cx-skill-routing.md +3 -3
  75. package/rules/common/doc-ownership.md +3 -8
  76. package/rules/common/efficiency.md +3 -8
  77. package/rules/common/framing.md +3 -8
  78. package/rules/common/git-workflow.md +3 -5
  79. package/rules/common/no-fabrication.md +4 -12
  80. package/rules/common/patterns.md +3 -5
  81. package/rules/common/release-gates.md +3 -8
  82. package/rules/common/research.md +3 -8
  83. package/rules/common/review-before-change.md +3 -9
  84. package/rules/common/security.md +3 -6
  85. package/rules/common/skill-composition.md +3 -7
  86. package/rules/common/testing.md +3 -6
  87. package/rules/golang/coding-style.md +1 -5
  88. package/rules/golang/hooks.md +1 -5
  89. package/rules/golang/patterns.md +1 -5
  90. package/rules/golang/security.md +1 -5
  91. package/rules/golang/testing.md +1 -5
  92. package/rules/python/coding-style.md +1 -5
  93. package/rules/python/hooks.md +1 -5
  94. package/rules/python/patterns.md +1 -5
  95. package/rules/python/security.md +1 -5
  96. package/rules/python/testing.md +1 -5
  97. package/rules/swift/coding-style.md +1 -5
  98. package/rules/swift/hooks.md +1 -5
  99. package/rules/swift/patterns.md +1 -5
  100. package/rules/swift/security.md +1 -5
  101. package/rules/swift/testing.md +1 -5
  102. package/rules/typescript/coding-style.md +1 -5
  103. package/rules/typescript/hooks.md +1 -5
  104. package/rules/typescript/patterns.md +1 -5
  105. package/rules/typescript/security.md +1 -5
  106. package/rules/typescript/testing.md +1 -5
  107. package/rules/web/coding-style.md +3 -5
  108. package/rules/web/design-quality.md +3 -5
  109. package/rules/web/hooks.md +3 -5
  110. package/rules/web/patterns.md +3 -5
  111. package/rules/web/performance.md +3 -5
  112. package/rules/web/security.md +3 -5
  113. package/rules/web/testing.md +3 -5
  114. package/skills/ai/agent-dev.md +4 -5
  115. package/skills/ai/llm-security.md +4 -5
  116. package/skills/ai/ml-ops.md +4 -5
  117. package/skills/ai/orchestration-workflow.md +4 -5
  118. package/skills/ai/prompt-and-eval.md +4 -5
  119. package/skills/ai/prompt-optimizer.md +4 -6
  120. package/skills/ai/rag-system.md +4 -5
  121. package/skills/architecture/api-design.md +4 -5
  122. package/skills/architecture/caching.md +4 -5
  123. package/skills/architecture/cloud-native.md +4 -5
  124. package/skills/architecture/message-queue.md +4 -5
  125. package/skills/architecture/security-arch.md +4 -5
  126. package/skills/compliance/ai-disclosure.md +4 -5
  127. package/skills/compliance/data-privacy.md +4 -5
  128. package/skills/compliance/license-audit.md +4 -5
  129. package/skills/compliance/regulatory-review.md +4 -5
  130. package/skills/development/cpp.md +4 -5
  131. package/skills/development/go.md +4 -5
  132. package/skills/development/java.md +4 -5
  133. package/skills/development/kotlin.md +4 -5
  134. package/skills/development/mobile-crossplatform.md +4 -5
  135. package/skills/development/python.md +4 -5
  136. package/skills/development/rust.md +4 -5
  137. package/skills/development/shell.md +4 -5
  138. package/skills/development/swift.md +4 -5
  139. package/skills/development/typescript.md +4 -5
  140. package/skills/devops/ci-cd.md +4 -5
  141. package/skills/devops/containerization.md +4 -5
  142. package/skills/devops/cost-optimization.md +4 -5
  143. package/skills/devops/data-engineering.md +4 -5
  144. package/skills/devops/database.md +4 -5
  145. package/skills/devops/dependency-management.md +4 -5
  146. package/skills/devops/devsecops.md +4 -5
  147. package/skills/devops/git-workflow.md +4 -5
  148. package/skills/devops/incident-response.md +4 -5
  149. package/skills/devops/monorepo.md +4 -5
  150. package/skills/devops/observability.md +4 -5
  151. package/skills/devops/performance.md +4 -5
  152. package/skills/devops/testing.md +4 -5
  153. package/skills/docs/adr-workflow.md +4 -7
  154. package/skills/docs/backlog-proposal-workflow.md +4 -3
  155. package/skills/docs/customer-profile-workflow.md +4 -3
  156. package/skills/docs/document-ingest-workflow.md +4 -3
  157. package/skills/docs/evidence-ingest-workflow.md +4 -3
  158. package/skills/docs/init-docs.md +4 -5
  159. package/skills/docs/init-project.md +4 -5
  160. package/skills/docs/prd-workflow.md +4 -7
  161. package/skills/docs/prfaq-workflow.md +4 -3
  162. package/skills/docs/product-intelligence-review.md +4 -3
  163. package/skills/docs/product-intelligence-workflow.md +4 -6
  164. package/skills/docs/product-signal-workflow.md +4 -5
  165. package/skills/docs/research-workflow.md +4 -5
  166. package/skills/docs/runbook-workflow.md +4 -5
  167. package/skills/docs/strategy-workflow.md +4 -5
  168. package/skills/exploration/dependency-graph-reading.md +4 -7
  169. package/skills/exploration/repo-map.md +4 -5
  170. package/skills/exploration/tracer-bullet-method.md +4 -7
  171. package/skills/exploration/unknown-codebase-onboarding.md +4 -7
  172. package/skills/frameworks/django.md +4 -5
  173. package/skills/frameworks/nextjs.md +4 -5
  174. package/skills/frameworks/react.md +4 -5
  175. package/skills/frameworks/spring-boot.md +4 -5
  176. package/skills/frontend-design/accessibility.md +4 -5
  177. package/skills/frontend-design/component-patterns.md +4 -5
  178. package/skills/frontend-design/engineering.md +4 -5
  179. package/skills/frontend-design/state-management.md +4 -5
  180. package/skills/frontend-design/ui-aesthetics.md +4 -5
  181. package/skills/frontend-design/ux-principles.md +4 -5
  182. package/skills/operating/change-management.md +4 -8
  183. package/skills/operating/incident-response.md +4 -8
  184. package/skills/operating/oncall-rotation.md +4 -7
  185. package/skills/operating/orchestration-reference.md +4 -10
  186. package/skills/quality-gates/review-work.md +4 -5
  187. package/skills/quality-gates/verify-change.md +4 -5
  188. package/skills/quality-gates/verify-module.md +4 -5
  189. package/skills/quality-gates/verify-quality.md +4 -5
  190. package/skills/quality-gates/verify-security.md +4 -5
  191. package/skills/roles/architect.ai-systems.md +6 -9
  192. package/skills/roles/architect.data.md +6 -9
  193. package/skills/roles/architect.enterprise.md +6 -9
  194. package/skills/roles/architect.integration.md +6 -9
  195. package/skills/roles/architect.md +7 -14
  196. package/skills/roles/architect.platform.md +6 -9
  197. package/skills/roles/data-analyst.experiment.md +6 -9
  198. package/skills/roles/data-analyst.md +6 -9
  199. package/skills/roles/data-analyst.product-intelligence.md +7 -9
  200. package/skills/roles/data-analyst.product.md +6 -9
  201. package/skills/roles/data-analyst.telemetry.md +7 -9
  202. package/skills/roles/data-engineer.pipeline.md +6 -9
  203. package/skills/roles/data-engineer.vector-retrieval.md +7 -9
  204. package/skills/roles/data-engineer.warehouse.md +6 -9
  205. package/skills/roles/debugger.md +6 -9
  206. package/skills/roles/designer.accessibility.md +6 -9
  207. package/skills/roles/designer.md +7 -9
  208. package/skills/roles/engineer.ai.md +6 -9
  209. package/skills/roles/engineer.data.md +6 -9
  210. package/skills/roles/engineer.md +9 -9
  211. package/skills/roles/engineer.platform.md +6 -9
  212. package/skills/roles/operator.docs.md +6 -9
  213. package/skills/roles/operator.md +9 -9
  214. package/skills/roles/operator.release.md +6 -9
  215. package/skills/roles/operator.sre.md +6 -9
  216. package/skills/roles/orchestrator.md +6 -9
  217. package/skills/roles/product-manager.ai-product.md +6 -9
  218. package/skills/roles/product-manager.business-strategy.md +6 -9
  219. package/skills/roles/product-manager.enterprise.md +6 -9
  220. package/skills/roles/product-manager.growth.md +7 -9
  221. package/skills/roles/product-manager.md +7 -9
  222. package/skills/roles/product-manager.platform.md +6 -9
  223. package/skills/roles/product-manager.product.md +6 -9
  224. package/skills/roles/qa.ai-eval.md +8 -9
  225. package/skills/roles/qa.api-contract.md +7 -9
  226. package/skills/roles/qa.data-pipeline.md +7 -9
  227. package/skills/roles/qa.md +7 -9
  228. package/skills/roles/qa.test-automation.md +6 -9
  229. package/skills/roles/qa.web-ui.md +7 -9
  230. package/skills/roles/researcher.explorer.md +6 -9
  231. package/skills/roles/researcher.md +8 -9
  232. package/skills/roles/researcher.ux.md +6 -9
  233. package/skills/roles/reviewer.devil-advocate.md +6 -9
  234. package/skills/roles/reviewer.evaluator.md +6 -9
  235. package/skills/roles/reviewer.md +9 -9
  236. package/skills/roles/reviewer.trace.md +6 -9
  237. package/skills/roles/security.ai.md +7 -9
  238. package/skills/roles/security.appsec.md +6 -9
  239. package/skills/roles/security.cloud.md +6 -9
  240. package/skills/roles/security.legal-compliance.md +6 -9
  241. package/skills/roles/security.md +7 -9
  242. package/skills/roles/security.privacy.md +7 -9
  243. package/skills/roles/security.supply-chain.md +7 -9
  244. package/skills/security/blue-team.md +4 -5
  245. package/skills/security/code-audit.md +4 -5
  246. package/skills/security/pentest.md +4 -5
  247. package/skills/security/red-team.md +4 -5
  248. package/skills/security/threat-intel.md +4 -5
  249. package/skills/security/vuln-research.md +4 -5
  250. package/skills/strategy/competitive-landscape.md +4 -8
  251. package/skills/strategy/market-research-methods.md +4 -8
  252. package/skills/strategy/narrative-arc.md +4 -8
  253. package/skills/strategy/pricing-positioning.md +4 -8
  254. package/skills/utility/clean-code.md +4 -5
  255. package/specialists/policy-inventory.json +14 -0
  256. package/lib/specialist-contracts-enforce.mjs +0 -172
  257. package/rules/common/agents.md +0 -28
  258. package/rules/common/development-workflow.md +0 -32
  259. package/rules/common/performance.md +0 -55
@@ -1,16 +1,13 @@
1
- <!--
2
- skills/roles/reviewer.devil-advocate.md. Anti-pattern guidance for the Reviewer.devil-advocate (devil advocate) role.
3
-
4
- Loaded at sync time to inline role-specific failure modes into specialist agent prompts.
5
- Covers common failure modes for the reviewer.devil-advocate (devil advocate) domain and counter-moves to avoid them.
6
- Applies to: cx-devil-advocate.
7
- -->
8
1
  ---
2
+ name: roles-reviewer-devil-advocate
3
+ description: Surfaces anti-patterns, failure modes, and counter-moves specific to the Reviewer — Devil Advocate role. Use when reviewing or generating work by cx-devil-advocate, or when an agent is acting in the Reviewer — Devil Advocate role.
9
4
  role: reviewer.devil-advocate
10
- applies_to: [cx-devil-advocate]
5
+ applies_to:
6
+ - cx-devil-advocate
11
7
  inherits: reviewer
12
8
  version: 2
13
- profiles: [rnd]
9
+ profiles:
10
+ - rnd
14
11
  cap: 1
15
12
  ---
16
13
  # Devil's Advocate Overlay
@@ -1,16 +1,13 @@
1
- <!--
2
- skills/roles/reviewer.evaluator.md. Anti-pattern guidance for the Reviewer.evaluator (evaluator) role.
3
-
4
- Loaded at sync time to inline role-specific failure modes into specialist agent prompts.
5
- Covers common failure modes for the reviewer.evaluator (evaluator) domain and counter-moves to avoid them.
6
- Applies to: cx-evaluator.
7
- -->
8
1
  ---
2
+ name: roles-reviewer-evaluator
3
+ description: Surfaces anti-patterns, failure modes, and counter-moves specific to the Reviewer — Evaluator role. Use when reviewing or generating work by cx-evaluator, or when an agent is acting in the Reviewer — Evaluator role.
9
4
  role: reviewer.evaluator
10
- applies_to: [cx-evaluator]
5
+ applies_to:
6
+ - cx-evaluator
11
7
  inherits: reviewer
12
8
  version: 2
13
- profiles: [rnd]
9
+ profiles:
10
+ - rnd
14
11
  cap: 1
15
12
  ---
16
13
  # Evaluator Overlay
@@ -1,16 +1,16 @@
1
- <!--
2
- skills/roles/reviewer.md. Anti-pattern guidance for the Reviewer role.
3
-
4
- Loaded at sync time to inline role-specific failure modes into specialist agent prompts.
5
- Covers common failure modes for the reviewer domain and counter-moves to avoid them.
6
- Applies to: cx-reviewer, cx-devil-advocate, cx-evaluator, cx-trace-reviewer.
7
- -->
8
1
  ---
2
+ name: roles-reviewer
3
+ description: Surfaces anti-patterns, failure modes, and counter-moves specific to the Reviewer role. Use when reviewing or generating work by cx-reviewer, cx-devil-advocate, cx-evaluator, cx-trace-reviewer, or when an agent is acting in the Reviewer role.
9
4
  role: reviewer
10
- applies_to: [cx-reviewer, cx-devil-advocate, cx-evaluator, cx-trace-reviewer]
5
+ applies_to:
6
+ - cx-reviewer
7
+ - cx-devil-advocate
8
+ - cx-evaluator
9
+ - cx-trace-reviewer
11
10
  inherits: null
12
11
  version: 2
13
- profiles: [rnd]
12
+ profiles:
13
+ - rnd
14
14
  cap: 1
15
15
  ---
16
16
  # Reviewer. Role guidance
@@ -1,16 +1,13 @@
1
- <!--
2
- skills/roles/reviewer.trace.md. Anti-pattern guidance for the Reviewer.trace (trace) role.
3
-
4
- Loaded at sync time to inline role-specific failure modes into specialist agent prompts.
5
- Covers common failure modes for the reviewer.trace (trace) domain and counter-moves to avoid them.
6
- Applies to: cx-trace-reviewer.
7
- -->
8
1
  ---
2
+ name: roles-reviewer-trace
3
+ description: Surfaces anti-patterns, failure modes, and counter-moves specific to the Reviewer — Trace role. Use when reviewing or generating work by cx-trace-reviewer, or when an agent is acting in the Reviewer — Trace role.
9
4
  role: reviewer.trace
10
- applies_to: [cx-trace-reviewer]
5
+ applies_to:
6
+ - cx-trace-reviewer
11
7
  inherits: reviewer
12
8
  version: 2
13
- profiles: [rnd]
9
+ profiles:
10
+ - rnd
14
11
  cap: 1
15
12
  ---
16
13
  # Trace Reviewer Overlay
@@ -1,16 +1,14 @@
1
- <!--
2
- skills/roles/security.ai.md. Anti-pattern guidance for the Security.ai (ai) role.
3
-
4
- Loaded at sync time to inline role-specific failure modes into specialist agent prompts.
5
- Covers common failure modes for the security.ai (ai) domain and counter-moves to avoid them.
6
- Applies to: cx-security, cx-ai-engineer.
7
- -->
8
1
  ---
2
+ name: roles-security-ai
3
+ description: Surfaces anti-patterns, failure modes, and counter-moves specific to the Security — AI role. Use when reviewing or generating work by cx-security, cx-ai-engineer, or when an agent is acting in the Security — AI role.
9
4
  role: security.ai
10
- applies_to: [cx-security, cx-ai-engineer]
5
+ applies_to:
6
+ - cx-security
7
+ - cx-ai-engineer
11
8
  inherits: security
12
9
  version: 2
13
- profiles: [rnd]
10
+ profiles:
11
+ - rnd
14
12
  cap: 1
15
13
  ---
16
14
  # AI Security Overlay
@@ -1,16 +1,13 @@
1
- <!--
2
- skills/roles/security.appsec.md. Anti-pattern guidance for the Security.appsec (appsec) role.
3
-
4
- Loaded at sync time to inline role-specific failure modes into specialist agent prompts.
5
- Covers common failure modes for the security.appsec (appsec) domain and counter-moves to avoid them.
6
- Applies to: cx-security.
7
- -->
8
1
  ---
2
+ name: roles-security-appsec
3
+ description: Surfaces anti-patterns, failure modes, and counter-moves specific to the Security — Appsec role. Use when reviewing or generating work by cx-security, or when an agent is acting in the Security — Appsec role.
9
4
  role: security.appsec
10
- applies_to: [cx-security]
5
+ applies_to:
6
+ - cx-security
11
7
  inherits: security
12
8
  version: 2
13
- profiles: [rnd]
9
+ profiles:
10
+ - rnd
14
11
  cap: 1
15
12
  ---
16
13
  # AppSec Overlay
@@ -1,16 +1,13 @@
1
- <!--
2
- skills/roles/security.cloud.md. Anti-pattern guidance for the Security.cloud (cloud) role.
3
-
4
- Loaded at sync time to inline role-specific failure modes into specialist agent prompts.
5
- Covers common failure modes for the security.cloud (cloud) domain and counter-moves to avoid them.
6
- Applies to: cx-security.
7
- -->
8
1
  ---
2
+ name: roles-security-cloud
3
+ description: Surfaces anti-patterns, failure modes, and counter-moves specific to the Security — Cloud role. Use when reviewing or generating work by cx-security, or when an agent is acting in the Security — Cloud role.
9
4
  role: security.cloud
10
- applies_to: [cx-security]
5
+ applies_to:
6
+ - cx-security
11
7
  inherits: security
12
8
  version: 2
13
- profiles: [rnd]
9
+ profiles:
10
+ - rnd
14
11
  cap: 1
15
12
  ---
16
13
  # Cloud Security Overlay
@@ -1,16 +1,13 @@
1
- <!--
2
- skills/roles/security.legal-compliance.md. Anti-pattern guidance for the Security.legal-compliance (legal compliance) role.
3
-
4
- Loaded at sync time to inline role-specific failure modes into specialist agent prompts.
5
- Covers common failure modes for the security.legal-compliance (legal compliance) domain and counter-moves to avoid them.
6
- Applies to: cx-legal-compliance.
7
- -->
8
1
  ---
2
+ name: roles-security-legal-compliance
3
+ description: Surfaces anti-patterns, failure modes, and counter-moves specific to the Security — Legal Compliance role. Use when reviewing or generating work by cx-legal-compliance, or when an agent is acting in the Security — Legal Compliance role.
9
4
  role: security.legal-compliance
10
- applies_to: [cx-legal-compliance]
5
+ applies_to:
6
+ - cx-legal-compliance
11
7
  inherits: security
12
8
  version: 2
13
- profiles: [rnd]
9
+ profiles:
10
+ - rnd
14
11
  cap: 1
15
12
  ---
16
13
  # Legal & Compliance Overlay
@@ -1,16 +1,14 @@
1
- <!--
2
- skills/roles/security.md. Anti-pattern guidance for the Security role.
3
-
4
- Loaded at sync time to inline role-specific failure modes into specialist agent prompts.
5
- Covers common failure modes for the security domain and counter-moves to avoid them.
6
- Applies to: cx-security, cx-legal-compliance.
7
- -->
8
1
  ---
2
+ name: roles-security
3
+ description: Surfaces anti-patterns, failure modes, and counter-moves specific to the Security role. Use when reviewing or generating work by cx-security, cx-legal-compliance, or when an agent is acting in the Security role.
9
4
  role: security
10
- applies_to: [cx-security, cx-legal-compliance]
5
+ applies_to:
6
+ - cx-security
7
+ - cx-legal-compliance
11
8
  inherits: null
12
9
  version: 2
13
- profiles: [rnd]
10
+ profiles:
11
+ - rnd
14
12
  cap: 1
15
13
  ---
16
14
  # Security. Role guidance
@@ -1,16 +1,14 @@
1
- <!--
2
- skills/roles/security.privacy.md. Anti-pattern guidance for the Security.privacy (privacy) role.
3
-
4
- Loaded at sync time to inline role-specific failure modes into specialist agent prompts.
5
- Covers common failure modes for the security.privacy (privacy) domain and counter-moves to avoid them.
6
- Applies to: cx-security, cx-legal-compliance.
7
- -->
8
1
  ---
2
+ name: roles-security-privacy
3
+ description: Surfaces anti-patterns, failure modes, and counter-moves specific to the Security — Privacy role. Use when reviewing or generating work by cx-security, cx-legal-compliance, or when an agent is acting in the Security — Privacy role.
9
4
  role: security.privacy
10
- applies_to: [cx-security, cx-legal-compliance]
5
+ applies_to:
6
+ - cx-security
7
+ - cx-legal-compliance
11
8
  inherits: security
12
9
  version: 2
13
- profiles: [rnd]
10
+ profiles:
11
+ - rnd
14
12
  cap: 1
15
13
  ---
16
14
  # Privacy Security Overlay
@@ -1,16 +1,14 @@
1
- <!--
2
- skills/roles/security.supply-chain.md. Anti-pattern guidance for the Security.supply-chain (supply chain) role.
3
-
4
- Loaded at sync time to inline role-specific failure modes into specialist agent prompts.
5
- Covers common failure modes for the security.supply-chain (supply chain) domain and counter-moves to avoid them.
6
- Applies to: cx-security, cx-platform-engineer.
7
- -->
8
1
  ---
2
+ name: roles-security-supply-chain
3
+ description: Surfaces anti-patterns, failure modes, and counter-moves specific to the Security — Supply Chain role. Use when reviewing or generating work by cx-security, cx-platform-engineer, or when an agent is acting in the Security — Supply Chain role.
9
4
  role: security.supply-chain
10
- applies_to: [cx-security, cx-platform-engineer]
5
+ applies_to:
6
+ - cx-security
7
+ - cx-platform-engineer
11
8
  inherits: security
12
9
  version: 2
13
- profiles: [rnd]
10
+ profiles:
11
+ - rnd
14
12
  cap: 1
15
13
  ---
16
14
  # Supply Chain Security Overlay
@@ -1,8 +1,7 @@
1
- <!--
2
- skills/security/blue-team.md (Blue Team) Use this skill when defending systems, responding to incidents, or building dete
3
-
4
- Use this skill when defending systems, responding to incidents, or building detection and monitoring capabilities. ## Detection Engineering
5
- -->
1
+ ---
2
+ name: security-blue-team
3
+ description: Use this skill when defending systems, responding to incidents, or building detection and monitoring capabilities.
4
+ ---
6
5
  # Blue Team
7
6
 
8
7
  Use this skill when defending systems, responding to incidents, or building detection and monitoring capabilities.
@@ -1,8 +1,7 @@
1
- <!--
2
- skills/security/code-audit.md (Code Audit) Use this skill when reviewing source code for security vulnerabilities through s
3
-
4
- Use this skill when reviewing source code for security vulnerabilities through static analysis. ## Taint Analysis
5
- -->
1
+ ---
2
+ name: security-code-audit
3
+ description: Use this skill when reviewing source code for security vulnerabilities through static analysis.
4
+ ---
6
5
  # Code Audit
7
6
 
8
7
  Use this skill when reviewing source code for security vulnerabilities through static analysis.
@@ -1,8 +1,7 @@
1
- <!--
2
- skills/security/pentest.md (Penetration Testing) Use this skill when testing web applications or APIs for security vulnerabilitie
3
-
4
- Use this skill when testing web applications or APIs for security vulnerabilities. ## OWASP Top 10 Checklist
5
- -->
1
+ ---
2
+ name: security-pentest
3
+ description: Use this skill when testing web applications or APIs for security vulnerabilities.
4
+ ---
6
5
  # Penetration Testing
7
6
 
8
7
  Use this skill when testing web applications or APIs for security vulnerabilities.
@@ -1,8 +1,7 @@
1
- <!--
2
- skills/security/red-team.md (Red Team) Use this skill when planning or executing offensive security assessments, advers
3
-
4
- Use this skill when planning or executing offensive security assessments, adversary emulation, or attack simulations. ## Reconnaissance
5
- -->
1
+ ---
2
+ name: security-red-team
3
+ description: Use this skill when planning or executing offensive security assessments, adversary emulation, or attack simulations.
4
+ ---
6
5
  # Red Team
7
6
 
8
7
  Use this skill when planning or executing offensive security assessments, adversary emulation, or attack simulations.
@@ -1,8 +1,7 @@
1
- <!--
2
- skills/security/threat-intel.md (Threat Intelligence) Use this skill when performing OSINT, threat modeling, or building threat intell
3
-
4
- Use this skill when performing OSINT, threat modeling, or building threat intelligence programs. ## OSINT Collection
5
- -->
1
+ ---
2
+ name: security-threat-intel
3
+ description: Use this skill when performing OSINT, threat modeling, or building threat intelligence programs.
4
+ ---
6
5
  # Threat Intelligence
7
6
 
8
7
  Use this skill when performing OSINT, threat modeling, or building threat intelligence programs.
@@ -1,8 +1,7 @@
1
- <!--
2
- skills/security/vuln-research.md (Vulnerability Research) Use this skill when analyzing binaries, fuzzing software, or developing exploits
3
-
4
- Use this skill when analyzing binaries, fuzzing software, or developing exploits for security research. ## Binary Analysis
5
- -->
1
+ ---
2
+ name: security-vuln-research
3
+ description: Use this skill when analyzing binaries, fuzzing software, or developing exploits for security research.
4
+ ---
6
5
  # Vulnerability Research
7
6
 
8
7
  Use this skill when analyzing binaries, fuzzing software, or developing exploits for security research.
@@ -1,11 +1,7 @@
1
- <!--
2
- skills/strategy/competitive-landscape.md (Competitive Landscape Analysis)
3
- Use when the team needs a structured read on where competitors sit, what
4
- customers have already decided, and where defensible whitespace exists.
5
- Covers Porter Five Forces, Jobs-to-be-Done framing, and competitive
6
- response sequencing.
7
- -->
8
-
1
+ ---
2
+ name: strategy-competitive-landscape
3
+ description: Use when the team needs a structured read on market positioning before committing direction.
4
+ ---
9
5
  # Competitive Landscape Analysis
10
6
 
11
7
  Use when the team needs a structured read on market positioning before committing direction.
@@ -1,11 +1,7 @@
1
- <!--
2
- skills/strategy/market-research-methods.md (Market Research Methods)
3
- Use when planning customer discovery, validating product direction, or
4
- sizing a market. Covers qualitative and quantitative methods, JTBD
5
- interview technique, survey design traps, and research-to-decision
6
- handoff.
7
- -->
8
-
1
+ ---
2
+ name: strategy-market-research-methods
3
+ description: Use when the team needs to validate assumptions before committing resources, or when a decision is being made on vibes rather than signal.
4
+ ---
9
5
  # Market Research Methods
10
6
 
11
7
  Use when the team needs to validate assumptions before committing resources, or when a decision is being made on vibes rather than signal.
@@ -1,11 +1,7 @@
1
- <!--
2
- skills/strategy/narrative-arc.md (Strategic Narrative Construction)
3
- Use when drafting a strategy memo, PRD positioning section, board update,
4
- or fundraising narrative. Covers Andy Raskin's strategic narrative
5
- structure, the five components of a compelling story, and common failure
6
- modes in executive communication.
7
- -->
8
-
1
+ ---
2
+ name: strategy-narrative-arc
3
+ description: Use when the argument must move people, not just inform them. Strategic narrative is the difference between a document that gets read and one that changes what people do.
4
+ ---
9
5
  # Strategic Narrative Construction
10
6
 
11
7
  Use when the argument must move people, not just inform them. Strategic narrative is the difference between a document that gets read and one that changes what people do.
@@ -1,11 +1,7 @@
1
- <!--
2
- skills/strategy/pricing-positioning.md (Pricing and Positioning)
3
- Use when setting or revisiting price, defining positioning vs. competitors,
4
- or preparing a go-to-market argument. Covers value-based vs. cost-plus
5
- pricing, willingness-to-pay research techniques, and positioning statement
6
- construction.
7
- -->
8
-
1
+ ---
2
+ name: strategy-pricing-positioning
3
+ description: Use when the team needs to set price, adjust positioning, or defend either to stakeholders.
4
+ ---
9
5
  # Pricing and Positioning
10
6
 
11
7
  Use when the team needs to set price, adjust positioning, or defend either to stakeholders.
@@ -1,8 +1,7 @@
1
- <!--
2
- skills/utility/clean-code.md (AI Slop Removal) Patterns and heuristics for identifying and removing AI-generated code smells. U
3
-
4
- Patterns and heuristics for identifying and removing AI-generated code smells. Use when cleaning up output from AI coding tools. ## Decision Tree
5
- -->
1
+ ---
2
+ name: utility-clean-code
3
+ description: Patterns and heuristics for identifying and removing AI-generated code smells. Use when cleaning up output from AI coding tools.
4
+ ---
6
5
  # AI Slop Removal
7
6
 
8
7
  Patterns and heuristics for identifying and removing AI-generated code smells. Use when cleaning up output from AI coding tools.
@@ -155,6 +155,20 @@
155
155
  "enforcement": "(persona prompt)",
156
156
  "mode": "honor-system",
157
157
  "description": "Architectural pattern guidance (module boundaries, error handling, async contracts) applied at authoring time."
158
+ },
159
+ {
160
+ "id": "review-before-change",
161
+ "source": "rules/common/review-before-change.md",
162
+ "enforcement": "(persona prompt)",
163
+ "mode": "honor-system",
164
+ "description": "Requires an existing-artifact audit before authoring or rewriting any durable doc, rule, template, or PRD/ADR/RFC. Extend or supersede; do not duplicate."
165
+ },
166
+ {
167
+ "id": "session-efficiency",
168
+ "source": "rules/common/efficiency.md",
169
+ "enforcement": "lib/read-tracker-store.mjs + session-start digest",
170
+ "mode": "deterministic",
171
+ "description": "Read discipline, probe-before-bulk-read, and tool parallelism rules. Read counts tracked per-file; the session-start efficiency digest surfaces files crossing the re-read threshold."
158
172
  }
159
173
  ]
160
174
  }
@@ -1,172 +0,0 @@
1
- /**
2
- * lib/specialist-contracts-enforce.mjs — runtime contract enforcement.
3
- *
4
- * Wraps `validatePacket` from `lib/specialist-contracts.mjs` with three production
5
- * concerns:
6
- *
7
- * 1. Block on violation. `enforcePacket` throws a `ContractViolationError`
8
- * when the packet doesn't satisfy the contract direction. Callers can
9
- * catch and degrade if they want advisory mode, but the default is hard
10
- * enforcement so contract bugs surface loudly.
11
- *
12
- * 2. Tamper-evident violation log. Every violation appends a JSONL record
13
- * to `~/.cx/contract-violations.jsonl` with a sha256 chain-hash over
14
- * the prior line. Same pattern as the mutation audit trail. Operators
15
- * can replay the chain to detect after-the-fact tampering.
16
- *
17
- * 3. Visibility into `construct doctor`. `recentViolations(windowMs)`
18
- * returns the last N violations so doctor can surface
19
- * "3 contract violations in the last 24h — see ~/.cx/contract-violations.jsonl".
20
- *
21
- * The enforcement is identity-aware. Each violation logs the active agent
22
- * (via `~/.cx/last-agent.json` like audit-trail does) so operators can
23
- * identify which producer or consumer is at fault.
24
- */
25
-
26
- import { existsSync, mkdirSync, statSync, readFileSync } from 'node:fs';
27
- import { join, dirname } from 'node:path';
28
- import { homedir } from 'node:os';
29
- import { createHash } from 'node:crypto';
30
- import { getContractById, validatePacket } from './specialist-contracts.mjs';
31
- import { appendBounded } from './logging/rotate.mjs';
32
- import { resolveProjectScopedPath } from './project-root.mjs';
33
- import { validatePostconditions } from './specialists/postconditions.mjs';
34
-
35
- const CX_DIR = join(homedir(), '.cx');
36
- // contract-violations are PROJECT-SCOPED — a violation belongs to a
37
- // specific contract chain in a specific project. Resolves to
38
- // <project>/.cx/contract-violations.jsonl when inside a project, falling
39
- // back to the legacy ~/.cx path for standalone invocations. Resolved on
40
- // every call so cwd/HOME changes inside the same process (tests, harness
41
- // reuse) route correctly.
42
-
43
- function logFile() {
44
- return resolveProjectScopedPath('contract-violations.jsonl', { ensureDir: false });
45
- }
46
- const LAST_AGENT = join(CX_DIR, 'last-agent.json');
47
-
48
- export class ContractViolationError extends Error {
49
- constructor({ contractId, direction, missing, verdict = 'CONTRACT_VIOLATION', postconditionFailures = [] }) {
50
- const detail = postconditionFailures.length > 0
51
- ? `postcondition(s) failed: ${postconditionFailures.map((f) => f.id).join(', ')}`
52
- : `missing field(s): ${(missing || []).join(', ')}`;
53
- super(`contract '${contractId}' (${direction}) violated — ${detail}`);
54
- this.name = 'ContractViolationError';
55
- this.contractId = contractId;
56
- this.direction = direction;
57
- this.missing = missing || [];
58
- this.verdict = verdict;
59
- this.postconditionFailures = postconditionFailures;
60
- }
61
- }
62
-
63
- function sha256(input) { return createHash('sha256').update(input).digest('hex'); }
64
-
65
- function readLastAgent() {
66
- try { return JSON.parse(readFileSync(LAST_AGENT, 'utf8'))?.agent || 'construct'; }
67
- catch { return 'construct'; }
68
- }
69
-
70
- function readPrevLineHash() {
71
- try {
72
- const file = logFile();
73
- if (!existsSync(file)) return null;
74
- const size = statSync(file).size;
75
- if (size === 0) return null;
76
- const tail = readFileSync(file, 'utf8').slice(Math.max(0, size - 2048));
77
- const lines = tail.split('\n').filter(Boolean);
78
- return lines.length === 0 ? null : sha256(lines[lines.length - 1]);
79
- } catch { return null; }
80
- }
81
-
82
- function logViolation(contractId, direction, missing, packet, extra = {}) {
83
- try {
84
- const file = logFile();
85
- mkdirSync(dirname(file), { recursive: true });
86
- const record = {
87
- ts: new Date().toISOString(),
88
- agent: readLastAgent(),
89
- contractId,
90
- direction,
91
- missing,
92
- packet_keys: packet && typeof packet === 'object' ? Object.keys(packet) : null,
93
- prev_line_hash: readPrevLineHash(),
94
- ...extra,
95
- };
96
- appendBounded('contract-violations', file, JSON.stringify(record) + '\n');
97
- } catch { /* logging is best-effort */ }
98
- }
99
-
100
- /**
101
- * Validate `packet` against `contractId` in the given `direction`. Throws
102
- * a `ContractViolationError` on failure (and logs the violation). Returns
103
- * the validation result on success so callers can inspect the resolved
104
- * contract metadata.
105
- *
106
- * For `direction === 'output'`, also evaluates the producer's binary
107
- * postconditions from `lib/agents/postconditions.mjs`. A failed postcondition
108
- * raises with `verdict: 'BLOCKED_CONTRACT'` so the dispatcher can branch on
109
- * the typed verdict rather than parsing the error message.
110
- *
111
- * @param {string} contractId
112
- * @param {object} packet
113
- * @param {'input'|'output'} [direction]
114
- * @returns {{ ok: true, contract, direction }}
115
- */
116
- export function enforcePacket(contractId, packet, direction = 'input') {
117
- const result = validatePacket(contractId, packet, direction);
118
- if (!result.ok) {
119
- if (result.reason === 'contract-not-found') {
120
- throw new ContractViolationError({
121
- contractId,
122
- direction,
123
- missing: ['(contract not found)'],
124
- });
125
- }
126
- logViolation(contractId, direction, result.missing || [], packet);
127
- throw new ContractViolationError({
128
- contractId,
129
- direction,
130
- missing: result.missing || [],
131
- });
132
- }
133
-
134
- if (direction === 'output') {
135
- const contract = result.contract || getContractById(contractId);
136
- const producer = contract?.producer;
137
- if (producer) {
138
- const postcondition = validatePostconditions(producer, packet);
139
- if (!postcondition.ok) {
140
- logViolation(contractId, direction, [], packet, {
141
- verdict: 'BLOCKED_CONTRACT',
142
- postconditionFailures: postcondition.failures,
143
- });
144
- throw new ContractViolationError({
145
- contractId,
146
- direction,
147
- verdict: 'BLOCKED_CONTRACT',
148
- postconditionFailures: postcondition.failures,
149
- });
150
- }
151
- }
152
- }
153
-
154
- return result;
155
- }
156
-
157
- /**
158
- * Read recent violations from the chain log. Returns oldest-first.
159
- */
160
- export function recentViolations({ windowMs = 24 * 60 * 60 * 1000 } = {}) {
161
- const file = logFile();
162
- if (!existsSync(file)) return [];
163
- try {
164
- const cutoff = Date.now() - windowMs;
165
- return readFileSync(file, 'utf8')
166
- .trim()
167
- .split('\n')
168
- .filter(Boolean)
169
- .map((line) => { try { return JSON.parse(line); } catch { return null; } })
170
- .filter((r) => r && new Date(r.ts).getTime() >= cutoff);
171
- } catch { return []; }
172
- }
@@ -1,28 +0,0 @@
1
- <!--
2
- rules/common/agents.md: platform-agnostic agent orchestration guidance.
3
-
4
- Defines when to route to specialist agents, parallel execution rules,
5
- and multi-perspective analysis patterns. Does not reference specific
6
- platform agent types or config paths.
7
- -->
8
- # Agent Orchestration
9
-
10
- ## Immediate Agent Usage
11
-
12
- No user prompt needed: match the task to the right specialist:
13
- 1. Complex feature requests - planning specialist
14
- 2. Code just written/modified - code review specialist
15
- 3. Bug fix or new feature - TDD specialist
16
- 4. Architectural decision - architecture specialist
17
-
18
- ## Parallel Task Execution
19
-
20
- ALWAYS use parallel execution for independent operations. Launch multiple specialists concurrently when their work is independent.
21
-
22
- ## Multi-Perspective Analysis
23
-
24
- For complex problems, use multiple specialist perspectives:
25
- - Factual reviewer
26
- - Senior engineer
27
- - Security expert
28
- - Consistency reviewer