@geraldmaron/construct 1.0.17 → 1.0.19

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (88) hide show
  1. package/README.md +6 -4
  2. package/bin/construct +26 -3
  3. package/commands/design/flow.md +2 -0
  4. package/commands/design/ui.md +2 -0
  5. package/db/schema/003_observation_reconciliation.sql +14 -0
  6. package/lib/bootstrap/resources.mjs +0 -1
  7. package/lib/cli-commands.mjs +33 -5
  8. package/lib/comment-lint.mjs +44 -0
  9. package/lib/contracts/validate.mjs +106 -0
  10. package/lib/decisions/enforced-baseline.json +23 -0
  11. package/lib/decisions/golden.mjs +87 -0
  12. package/lib/decisions/precedence.mjs +46 -0
  13. package/lib/decisions/registry.mjs +469 -0
  14. package/lib/deployment/parity-contract.mjs +148 -0
  15. package/lib/embed/cli.mjs +11 -0
  16. package/lib/embed/conflict-detection.mjs +4 -4
  17. package/lib/embed/customer-profiles.mjs +1 -1
  18. package/lib/embed/reconcile.mjs +60 -0
  19. package/lib/embed/semantic.mjs +5 -3
  20. package/lib/gates-audit.mjs +2 -2
  21. package/lib/hooks/config-protection.mjs +22 -3
  22. package/lib/hooks/guard-bash.mjs +1 -1
  23. package/lib/init-docs.mjs +1 -0
  24. package/lib/mode-commands.mjs +6 -8
  25. package/lib/observation-store.mjs +16 -2
  26. package/lib/opencode-telemetry.mjs +1 -1
  27. package/lib/roles/cli.mjs +10 -2
  28. package/lib/roles/gateway.mjs +50 -1
  29. package/lib/scheduler/index.mjs +31 -0
  30. package/lib/server/index.mjs +13 -3
  31. package/lib/server/static/index.html +1 -1
  32. package/lib/setup.mjs +6 -0
  33. package/lib/storage/hybrid-query.mjs +49 -38
  34. package/lib/storage/rrf.mjs +42 -0
  35. package/lib/storage/vector-client.mjs +18 -3
  36. package/lib/telemetry/backends/local.mjs +1 -1
  37. package/lib/telemetry/skill-calls.mjs +1 -1
  38. package/lib/templates/visual-requirements.mjs +84 -0
  39. package/package.json +12 -5
  40. package/rules/common/comments.md +3 -0
  41. package/rules/common/no-fabrication.md +3 -0
  42. package/rules/common/precedence.md +19 -0
  43. package/rules/common/research-sources.md +32 -0
  44. package/rules/common/research.md +59 -2
  45. package/skills/roles/data-engineer.pipeline.md +13 -1
  46. package/skills/roles/debugger.md +9 -0
  47. package/skills/roles/designer.accessibility.md +13 -3
  48. package/skills/roles/designer.md +10 -0
  49. package/skills/roles/engineer.platform.md +8 -0
  50. package/skills/roles/operator.md +10 -1
  51. package/skills/roles/operator.release.md +8 -0
  52. package/skills/roles/operator.sre.md +10 -1
  53. package/skills/roles/orchestrator.md +9 -2
  54. package/skills/roles/product-manager.business-strategy.md +10 -1
  55. package/skills/roles/researcher.explorer.md +12 -1
  56. package/skills/roles/researcher.ux.md +13 -1
  57. package/skills/roles/reviewer.devil-advocate.md +14 -2
  58. package/skills/roles/reviewer.evaluator.md +17 -4
  59. package/skills/roles/reviewer.trace.md +12 -1
  60. package/skills/roles/security.legal-compliance.md +8 -0
  61. package/skills/roles/security.md +11 -0
  62. package/specialists/contracts.json +18 -0
  63. package/specialists/prompts/cx-architect.md +1 -0
  64. package/specialists/prompts/cx-designer.md +1 -1
  65. package/specialists/prompts/cx-operations.md +1 -0
  66. package/specialists/prompts/cx-rd-lead.md +1 -0
  67. package/specialists/prompts/cx-researcher.md +4 -2
  68. package/specialists/prompts/cx-sre.md +1 -0
  69. package/specialists/registry.json +2 -2
  70. package/templates/docs/backlog-proposal.md +1 -1
  71. package/templates/docs/customer-profile.md +1 -1
  72. package/templates/docs/evidence-brief.md +5 -1
  73. package/templates/docs/incident-report.md +37 -21
  74. package/templates/docs/prfaq.md +2 -2
  75. package/templates/docs/product-intelligence-report.md +1 -1
  76. package/templates/docs/research-brief.md +8 -6
  77. package/templates/docs/research-finding.md +32 -7
  78. package/templates/docs/rfc.md +13 -1
  79. package/templates/docs/runbook.md +20 -1
  80. package/templates/docs/signal-brief.md +4 -1
  81. package/templates/docs/skill-artifact.md +27 -7
  82. package/templates/docs/strategy.md +23 -2
  83. package/templates/docs/test-plan.md +96 -0
  84. package/lib/bootstrap/lazy-install.mjs +0 -161
  85. package/lib/embed/jobs/vector-sync.mjs +0 -198
  86. package/lib/knowledge/postgres-search.mjs +0 -132
  87. package/lib/services/pattern-promotion-service.mjs +0 -167
  88. package/lib/storage/unified-storage.mjs +0 -550
@@ -69,10 +69,19 @@ Load this before producing operator output. SRE, ops, release, and durable-knowl
69
69
 
70
70
  **Why it fails**: no systematic comparison between planned work (documents) and actual work (tickets). Gaps accumulate silently until delivery dates slip.
71
71
 
72
- **Counter-move**: run periodic gap analysis: query strategy/PRDs/RFCs from knowledge base, compare with Jira tickets via search, identify missing tickets. Create补缺 tickets automatically (or queue for approval). Treat "execution gap" as a first-class risk signal.
72
+ **Counter-move**: run periodic gap analysis: query strategy/PRDs/RFCs from knowledge base, compare with Jira tickets via search, identify missing tickets. Create gap-filling tickets automatically (or queue for approval). Treat "execution gap" as a first-class risk signal.
73
+
74
+ ## Methodology
75
+
76
+ Sequencing work is a calculation, not a vibe:
77
+
78
+ - **Critical path.** Build the dependency graph of the work, then find the longest chain of dependent tasks — that chain, not the total task count, sets the earliest finish. Shortening anything off the critical path does not move the date; shortening the critical path does. Re-find it after every scope change, because it moves.
79
+ - **Slack.** Tasks off the critical path have slack (they can slip without moving the date). Spend attention proportional to slack: a one-day slip on a zero-slack task is a schedule slip; the same slip with five days of slack is noise.
80
+ - **Resource leveling.** Two critical tasks needing the same owner cannot truly run in parallel — leveling for the real constraint (people, environments, review capacity) usually extends the path the naive graph hid. Sequence to the actual bottleneck.
73
81
 
74
82
  ## Self-check before shipping
75
83
 
84
+ - [ ] Critical path identified; the date is driven by it, not by task count
76
85
  - [ ] Each runbook step names its purpose and expected output
77
86
  - [ ] Rollback is a tested, first-class plan with trigger criteria
78
87
  - [ ] Every alert is actionable; non-actionable signals moved to dashboards
@@ -37,8 +37,16 @@ Additional failure modes on top of the operator core.
37
37
  **Why it fails**: regressions show up 30–60 minutes in; if nobody is watching, they compound.
38
38
  **Counter-move**: define the post-release watch window (metrics + duration) before pushing. Hold the release until it's clean.
39
39
 
40
+ ## Methodology
41
+
42
+ **Progressive delivery.** Ship to a small slice first (canary: 1% → 10% → 50% → 100%, or a ring of low-risk tenants) and let each stage bake for the watch window before widening. The point of a canary is to bound blast radius, so the canary must carry enough real traffic to move the metrics you watch — a canary no one uses proves nothing.
43
+
44
+ **Make rollback a decision rule, not a judgment call.** Before pushing, write the abort criteria as thresholds on the SLIs that protect the SLO (error rate, latency p99, saturation): "if error rate > X% or p99 > Y ms over Z minutes at any stage, roll back automatically." Wire it so the decision can be automated, and so a tired on-call follows a rule rather than improvising. Roll back, then diagnose — never the reverse.
45
+
40
46
  ## Self-check before shipping
41
47
  - [ ] Release is the smallest deployable increment
48
+ - [ ] Staged/canary rollout with a bake window per stage; canary carries real traffic
49
+ - [ ] Abort criteria written as SLI thresholds before push; rollback automatable
42
50
  - [ ] Rollback path documented and tested
43
51
  - [ ] Core release-facing docs landed with code and match shipped behavior
44
52
  - [ ] Post-release watch window defined and staffed
@@ -37,8 +37,17 @@ Additional failure modes on top of the operator core.
37
37
  **Why it fails**: the same incident repeats. Teams lose trust in the process.
38
38
  **Counter-move**: every corrective action has an owner, a ticket, and a target date. Review completion in the next monthly.
39
39
 
40
+ ## Methodology
41
+
42
+ The error-budget policy is the mechanism that makes an SLO consequential ([Google SRE](https://sre.google/workbook/error-budget-policy/)):
43
+
44
+ - The budget is `1 − SLO` over a window (99.9% over 28 days ≈ 43 min of allowed downtime). It is spent by every failure, planned or not.
45
+ - **Burn rate** is how fast the budget is being consumed relative to the window. Alert on burn rate with **multi-window** thresholds — a fast-burn alert (e.g. 2% of budget in 1 hour) pages now; a slow-burn alert (e.g. 10% over a few days) opens a ticket. This pages on severity, not on every blip, which is what kills alert fatigue.
46
+ - **The policy is written before the breach**: when the budget is exhausted, feature releases freeze and reliability work takes priority until it recovers; name the exceptions (infra failures, third-party) and who can override. The freeze is the forcing function that balances velocity against reliability — without it the SLO is decorative.
47
+
40
48
  ## Self-check before shipping
41
49
  - [ ] Every alert links to a runbook
42
- - [ ] SLOs have an explicit error-budget policy
50
+ - [ ] SLOs have an explicit, written-before-breach error-budget policy (freeze trigger, exceptions, owner)
51
+ - [ ] Burn-rate alerting uses multi-window thresholds (fast-burn pages, slow-burn ticket)
43
52
  - [ ] Dashboards are incident-shaped, not metric-dumps
44
53
  - [ ] Post-mortem actions are owned and dated
@@ -57,10 +57,17 @@ Use this as a fast dispatch checklist before producing orchestration output.
57
57
  - Symptom: large reads just to decide who should work.
58
58
  - Counter: probe with search, glob, or small reads first.
59
59
 
60
+ ## Sequencing methodology
61
+
62
+ - **Graph first**: map each specialist's input→output; parallelize only when no input is another's output. "All parallel"/"all sequential" both mean the graph was skipped.
63
+ - **Waves**: dispatch the set whose inputs are satisfied; the next starts at the slowest member's landing. Minimize waves, not specialists.
64
+ - **Critical path**: total time is the longest dependency chain, not the headcount. On-path specialists delay everything downstream.
65
+ - **Bound fan-out**: cap concurrent dispatch to what the consumer can absorb.
66
+
60
67
  ## Ship Check
61
68
 
62
- - Request classified.
63
- - Smallest adequate path selected.
69
+ - Request classified; smallest adequate path selected.
70
+ - Dependency graph drawn; specialists grouped into the fewest waves; critical path identified.
64
71
  - Handoffs have distinct ownership.
65
72
  - Blockers and user questions surfaced.
66
73
  - Original ask still matches final output.
@@ -37,8 +37,17 @@ Additional failure modes on top of the product-manager core.
37
37
  **Why it fails**: two products with identical features but different economics compete very differently.
38
38
  **Counter-move**: for each competitor, model the business (unit economics, distribution, defensibility) not just the surface.
39
39
 
40
+ ## Methodology
41
+
42
+ Two frameworks turn "market thesis" from intuition into analysis:
43
+
44
+ **Structural analysis (Porter's Five Forces).** Assess the industry's profit structure along five forces: rivalry among existing competitors, threat of new entrants, threat of substitutes, bargaining power of buyers, and bargaining power of suppliers. A market where all five are intense is structurally unattractive regardless of how good the product is; the strategy must name which force it is positioned against and what gives durable advantage (cost, differentiation, or focus — not all three).
45
+
46
+ **Scenario planning.** The future is not a point estimate. Identify the two or three uncertainties that most affect the bet (e.g. "do incumbents add this feature" × "does the buyer consolidate"), cross them into a small set of scenarios, and check the strategy against each. A strategy that only wins in one scenario is a gamble; name the leading signal that tells you which scenario is unfolding, early.
47
+
40
48
  ## Self-check before shipping
41
49
  - [ ] Rejected alternatives stated
42
- - [ ] Market thesis explicit
50
+ - [ ] Market thesis explicit, with the dominant Porter force named
51
+ - [ ] Strategy checked against 2–3 scenarios, not a single forecast
43
52
  - [ ] Falsification criterion and revisit threshold declared
44
53
  - [ ] Competitive analysis covers economics, not just features
@@ -37,8 +37,19 @@ Additional failure modes on top of the researcher core.
37
37
  **Why it fails**: burns the consumer's time and context window; the answer drowns in tangent.
38
38
  **Counter-move**: answer the question asked. Link supporting material; don't inline it unless asked.
39
39
 
40
+ ## Methodology
41
+
42
+ Explore by following the graph, not by grepping until something looks right:
43
+
44
+ - **Entry points first**: find where execution starts (CLI dispatch, route table, main, test setup) and trace *forward* along the call graph to the code in question. This locates the real path instead of a same-named decoy.
45
+ - **Both directions**: for a symbol, find its definition and its *callers* (who depends on this) — the blast radius of a change is the caller set, and missing it is how "small" changes break distant things.
46
+ - **Triangulate before concluding**: confirm a behavior from at least two of {the code, a test that exercises it, a config that wires it}. A single grep hit is a lead, not a conclusion.
47
+ - **Name the seams**: report where control crosses module/process/service boundaries; that is where the question usually actually lives.
48
+
40
49
  ## Self-check before shipping
50
+ - [ ] Traced from an entry point along the call graph, not from an isolated grep hit
51
+ - [ ] Both definition and callers (dependency blast radius) identified
52
+ - [ ] Behavior triangulated across code + test/config, not a single match
41
53
  - [ ] Every claim cites a path, ideally with a line
42
54
  - [ ] Function behavior verified from the body, not the name
43
- - [ ] Searched multiple naming variants and entry points
44
55
  - [ ] Response scoped to the question asked
@@ -37,8 +37,20 @@ Additional failure modes on top of the researcher core.
37
37
  **Why it fails**: collapses the problem-space exploration into a solution bias; design has less room to iterate.
38
38
  **Counter-move**: report the problem (friction, confusion, unmet need). Let design own the solution.
39
39
 
40
+ ## Methodology
41
+
42
+ The failure modes above are what to avoid. This is the rigor a senior UX researcher brings.
43
+
44
+ **Validity — name the threat.** Every study has four validity questions: *internal* (did the thing you changed cause the effect, or a confound?), *external* (does it generalize beyond these participants/tasks?), *construct* (does the measure capture the concept, or a proxy?), and *conclusion* (is the difference real or noise?). State which is weakest for this study; that is where the finding is most likely wrong.
45
+
46
+ **Sampling.** Sample size follows the claim, not the calendar. For discovering usability problems, ~5 participants per distinct user segment surfaces most issues — but that is *per segment*, and it finds problems, it does not measure their rate. Rate and preference claims need a powered sample; state the segment, N, and how participants were recruited (recruitment bias is the usual confound).
47
+
48
+ **Inter-rater reliability.** When themes are coded from qualitative data, two coders should code a sample independently and agree before the coding is trusted. Persistent disagreement means the codebook, not the data, is unfinished — fix the codebook.
49
+
40
50
  ## Self-check before shipping
41
51
  - [ ] Questions focus on past behavior, not hypothetical future
42
52
  - [ ] Observed behavior weighted over self-report
43
- - [ ] Sample size stated for every claim
53
+ - [ ] Weakest validity threat (internal/external/construct/conclusion) named
54
+ - [ ] Sample size and segment stated for every claim; recruitment noted
55
+ - [ ] Themes coded with inter-rater agreement, not a single coder
44
56
  - [ ] Findings describe problems, not prescribe solutions
@@ -37,8 +37,20 @@ Additional failure modes on top of the reviewer core.
37
37
  **Why it fails**: slows down learning that should be fast; teams stop bringing you early ideas.
38
38
  **Counter-move**: classify the decision on the reversibility axis first. Calibrate pushback accordingly.
39
39
 
40
+ ## Methodology
41
+
42
+ Beyond ad-hoc objection, run the plan through a structured failure-mode pass (FMEA — failure mode and effects analysis):
43
+
44
+ - For each component or step, ask *how could this fail* (the failure mode), *what happens when it does* (effect), and *why might it happen* (cause).
45
+ - Score each on three axes 1–10: **severity** (how bad the effect), **occurrence** (how likely the cause), **detection** (how likely you'd catch it before harm — high score = hard to detect). Their product is the **risk priority number (RPN)**.
46
+ - Rank by RPN, not by which objection came to mind first. A low-severity but undetectable-and-frequent failure can outrank a dramatic but obvious one.
47
+ - The highest-RPN modes are where the plan needs a mitigation or a detection point before it ships; explicitly mark the rest "acknowledge but proceed."
48
+
49
+ This turns "this seems risky" into a ranked, defensible list the author can act on.
50
+
40
51
  ## Self-check before shipping
41
- - [ ] Each objection names a concrete scenario
52
+ - [ ] Each objection names a concrete scenario (failure mode + effect + cause)
42
53
  - [ ] At least three categories of risk covered
43
- - [ ] Objections ranked by severity
54
+ - [ ] Objections ranked by RPN (severity × occurrence × detection), not recency
55
+ - [ ] Highest-RPN modes have a mitigation or detection point
44
56
  - [ ] Reversibility of the decision assessed
@@ -37,8 +37,21 @@ Additional failure modes on top of the reviewer core.
37
37
  **Why it fails**: can't tell which change did what; can't roll back specifically if quality regresses.
38
38
  **Counter-move**: change one variable at a time. Pin the others.
39
39
 
40
+ ## Methodology
41
+
42
+ The failure modes above are what to avoid. This is the discipline that separates a senior evaluator from a mid-level one.
43
+
44
+ **Rubric design.** A usable rubric has criteria that are *independent* (scoring one does not force another), *observable* (two reviewers reading the same output land within one level), and *level-anchored* (each level has a concrete descriptor, not just a number). Write one positive and one negative exemplar per criterion before scoring anything. If you cannot write the negative exemplar, the criterion is not yet measurable.
45
+
46
+ **Ground truth.** A score is only as good as the labels it is measured against. State how ground truth was established (expert label, consensus, reference output), and measure inter-rater reliability when more than one labeler is involved — disagreement above a small threshold means the rubric, not the output, is the problem. Resolve disagreements by tightening the rubric, not by averaging.
47
+
48
+ **False positives vs false negatives.** Name which error is more costly for this evaluation *before* setting the threshold. An eval that gates releases should tolerate false negatives and false positives asymmetrically depending on what the gate protects — shipping a regression is usually worse than blocking a good change. State the asymmetry; a single accuracy number hides it.
49
+
50
+ **Statistical significance.** Sample size follows from the smallest difference worth detecting, not from convenience. Report N, and for pass-rate claims report the interval, not just the point estimate — a 2-point improvement on N=20 is noise. When comparing to baseline, a difference inside the intervals is not a result; say so rather than reporting the delta as if it were real.
51
+
40
52
  ## Self-check before shipping
41
- - [ ] Rubric declared before scoring
42
- - [ ] Sample size reported and defensible
43
- - [ ] Baseline comparison included
44
- - [ ] One variable changed per run; others pinned
53
+ - [ ] Rubric declared before scoring, with a positive and negative exemplar per criterion
54
+ - [ ] Ground-truth basis stated; inter-rater reliability checked when multiple labelers
55
+ - [ ] False-positive vs false-negative cost asymmetry named before the threshold was set
56
+ - [ ] Sample size justified by the smallest meaningful difference; interval reported, not just point estimate
57
+ - [ ] Baseline comparison included; one variable changed per run, others pinned
@@ -37,8 +37,19 @@ Additional failure modes on top of the reviewer core.
37
37
  **Why it fails**: the final output may mask a degraded path that costs time, money, or reliability.
38
38
  **Counter-move**: examine the full tool-call chain. Flag any failure, retry, or fallback.
39
39
 
40
+ ## Methodology
41
+
42
+ Treat fleet scores as a process to monitor, not a number to eyeball (statistical process control):
43
+
44
+ - Establish a **baseline** distribution — mean and standard deviation of the score over a stable window — before calling anything a regression.
45
+ - A run is out of control when it crosses a **control limit** (commonly ~3σ from the mean) or shows a non-random pattern (e.g. several consecutive points drifting one direction). A single point inside the limits is noise, not signal — do not chase it.
46
+ - Separate **common-cause** variation (inherent noise; do not react per-point) from **special-cause** variation (a real shift; investigate). Reacting to common-cause noise — "tampering" — makes variance worse.
47
+ - Watch the **variance**, not just the median: a stable median can hide a widening spread where a subset of agents is failing. Report the spread alongside the central tendency.
48
+
40
49
  ## Self-check before shipping
41
- - [ ] Judged against a sampled distribution, not one trace
50
+ - [ ] Judged against a sampled distribution with a baseline mean and spread
51
+ - [ ] Out-of-control points distinguished from common-cause noise (no tampering)
52
+ - [ ] Variance reported, not just the median
42
53
  - [ ] Each issue cites a specific span or tool call
43
54
  - [ ] Latency and quality reported separately
44
55
  - [ ] Full tool-call chain examined
@@ -42,7 +42,15 @@ Additional failure modes on top of the security core.
42
42
  **Why it fails**: contaminates the license of the whole product; costly to unwind later.
43
43
  **Counter-move**: automated license scan in CI; allowlist policy per product tier.
44
44
 
45
+ ## Methodology
46
+
47
+ **Map obligations to controls through a risk register, not a checklist.** For each regulation in scope (GDPR, CCPA, HIPAA, EU AI Act, …), enumerate the obligations, and for each record: the control that satisfies it, where that control lives in code or process, its owner, and the residual risk if it fails. An obligation with no mapped control is an open finding; a control with no test is compliance theater. This register is the bridge between legal text and the system — it is what lets you answer an auditor (or an incident) with evidence rather than prose.
48
+
49
+ **Frame risk in business terms.** Rate each gap by likelihood × impact, where impact spans regulatory penalty, contractual liability, and trust. This lets non-lawyers prioritize: a low-likelihood/high-penalty gap (a deletion path that exists but is untested) and a high-likelihood/low-penalty one demand different responses. Translate "the regulation says X" into "if we don't do X, the exposure is Y" so the trade-off is decidable by the people who own the budget.
50
+
45
51
  ## Self-check before shipping
52
+ - [ ] Each in-scope obligation maps to a control, owner, and residual-risk note in a register
53
+ - [ ] Gaps rated by likelihood × impact (penalty, liability, trust)
46
54
  - [ ] Policies map to testable controls
47
55
  - [ ] Retention enforced by automated deletion
48
56
  - [ ] Consent granular, opt-in, withdrawable
@@ -58,8 +58,19 @@ Load this before drafting. These are the failure modes that separate strong role
58
58
  **Why it fails**: gives an attacker a map of the system; turns a reconnaissance step into a freebie.
59
59
  **Counter-move**: user-facing errors are generic. Detailed context goes to logs with appropriate access controls.
60
60
 
61
+ ## Methodology
62
+
63
+ Threat modeling is a process, not an instinct. Run it explicitly:
64
+
65
+ - **Decompose**: draw the data-flow — trust boundaries, entry points, assets, and where data crosses from less-trusted to more-trusted.
66
+ - **Enumerate with STRIDE** per element: **S**poofing, **T**ampering, **R**epudiation, **I**nformation disclosure, **D**enial of service, **E**levation of privilege. STRIDE forces coverage of categories an ad-hoc review skips (repudiation and tampering are the usual blind spots).
67
+ - **Rate and rank**: score each threat by likelihood × impact (or DREAD/CVSS where a number is needed), and treat the highest first. For higher-stakes systems, escalate to an attacker-simulation pass (PASTA) that reasons from an adversary's goals and capabilities, not just a category list.
68
+ - **Decide per threat**: mitigate, accept (with rationale), or transfer. An unrated threat is an unmade decision.
69
+
61
70
  ## Self-check before shipping
62
71
 
72
+ - [ ] Threat model decomposes data flow and enumerates STRIDE per trust boundary
73
+ - [ ] Threats rated and ranked; highest-risk handled first
63
74
  - [ ] No single control is the only line of defense
64
75
  - [ ] Secrets live in a secret manager, not in the repo
65
76
  - [ ] User input is validated and escaped at every boundary
@@ -133,6 +133,18 @@
133
133
  "check": "artifact-has-section",
134
134
  "section": "Rejected Alternatives"
135
135
  },
136
+ {
137
+ "id": "adr-reversibility-stated",
138
+ "description": "ADR Reversibility section is present and non-empty",
139
+ "check": "artifact-section-nonempty",
140
+ "section": "Reversibility"
141
+ },
142
+ {
143
+ "id": "adr-consequences-stated",
144
+ "description": "ADR Consequences section is present and non-empty",
145
+ "check": "artifact-section-nonempty",
146
+ "section": "Consequences"
147
+ },
136
148
  {
137
149
  "id": "adr-numeric-claims-cited",
138
150
  "description": "Every numeric claim in the ADR body cites a source",
@@ -547,6 +559,12 @@
547
559
  "check": "artifact-has-section",
548
560
  "section": "Market Context"
549
561
  },
562
+ {
563
+ "id": "strategic-memo-options-nonempty",
564
+ "description": "Strategic memo Options section is present and non-empty",
565
+ "check": "artifact-section-nonempty",
566
+ "section": "Options"
567
+ },
550
568
  {
551
569
  "id": "strategic-memo-has-strategic-risks",
552
570
  "description": "Strategic memo must contain a Strategic Risks section",
@@ -16,6 +16,7 @@ You have inherited enough unmaintainable systems to be permanently suspicious of
16
16
  **Failure mode warning**: If the ADR has no "options rejected" section, the decision wasn't made: it defaulted. Defaulted decisions are the ones that bite hardest.
17
17
 
18
18
  **Role guidance**: call `get_skill("roles/architect")` before drafting.
19
+ **Templates**: call `get_template("adr")` before authoring an ADR so the section structure, framing rules, and rejected-alternatives requirement come from the canonical template rather than memory. Use `list_templates` to discover overrides.
19
20
  **Strategy grounding**: for decisions with long-term interface or data model implications, check `.cx/knowledge/decisions/strategy/` for any declared strategy documents before choosing. A decision that contradicts a declared Bet or enables a Non-bet must surface the conflict explicitly in the ADR's OPTIONS CONSIDERED section. If no strategy documents exist, proceed without: do not block the workflow or invent strategy.
20
21
 
21
22
  When the architecture domain is clear, also load exactly one relevant overlay before drafting:
@@ -32,7 +32,7 @@ When the user asks for a visual deliverable, choose the lightest artifact that h
32
32
  - walkthroughs and demo videos: use the available browser/demo tooling and follow a discover → rehearse → record flow instead of jumping straight to recording
33
33
 
34
34
  Tool and skill discipline:
35
- - prefer existing visual tools such as `construct wireframe` or equivalent Mermaid/HTML outputs before inventing bespoke formats
35
+ - prefer the bundled generator before inventing bespoke formats: `construct wireframe "<description>" --type=<layout|flow|state|sequence|er|user-journey>` writes a diffable artifact to `.cx/wireframes/`. Use `layout` for screens, `flow`/`user-journey` for paths, `state`/`sequence`/`er` for system diagrams. It is zero-dependency and text-first; do not add a diagramming library
36
36
  - use `list_skills` and `search_skills` to load the host's relevant visual skill when the ask is a deck, presentation, polished UI exploration, or demo video
37
37
  - if the user provides source material like a `.pptx`, export, or PDF, ingest it first so the deliverable is grounded in the actual content
38
38
 
@@ -16,6 +16,7 @@ A beautiful plan is worthless if it can't be executed in the right sequence. You
16
16
  **Failure mode warning**: If every task can run in parallel, the dependency graph wasn't drawn. Real plans have sequences, and real sequences have blockers.
17
17
 
18
18
  **Role guidance**: call `get_skill("roles/operator")` before drafting.
19
+ **Templates**: call `get_template("runbook")` before authoring an operational runbook and `get_template("incident-report")` before authoring a post-incident writeup, so the section structure and required fields come from the canonical template rather than memory. Use `list_templates` to discover overrides.
19
20
 
20
21
  Start only after cx-architect and cx-engineer have produced a plan and cx-devil-advocate feedback is resolved.
21
22
 
@@ -16,6 +16,7 @@ Most "problems" that arrive on your desk are actually hypotheses masquerading as
16
16
  **Failure mode warning**: If you can't write a falsifiable hypothesis, you don't have an R&D task: you have a planning task being treated as R&D to avoid committing to a spec.
17
17
 
18
18
  **Role guidance**: call `get_skill("roles/architect")` before drafting.
19
+ **Templates**: call `get_template("research-brief")` before authoring so the section structure comes from the canonical template rather than memory. Use `list_templates` to discover overrides.
19
20
  **Evidence policy**: hypotheses must be grounded in evidence, not plausibility. Follow `rules/common/research.md` (most-recent-first, primary sources, verified URLs) when citing external literature, benchmarks, or published results to motivate an R&D task.
20
21
  **Strategy grounding**: before proposing an R&D direction, check `.cx/knowledge/decisions/strategy/` for declared Bets and Non-bets. A research direction that contradicts a Non-bet requires explicit surfacing and user decision before proceeding.
21
22
 
@@ -46,7 +46,9 @@ When querying search engines or paper indexes, always filter or sort by date: ne
46
46
 
47
47
  1. **Primary**: peer-reviewed papers, official docs for the exact version, published standards, raw source code, SEC filings, primary company announcements
48
48
  2. **Secondary**: changelogs, migration guides, tracked GitHub issues, maintainer posts, conference talks by the authors
49
- 3. **Tertiary**: blog posts, forums, Q&A, analyst summaries, AI-generated overviews: used only to locate primaries, never as evidence
49
+ 3. **Tertiary**: blog posts, forums, Q&A, analyst summaries, AI-generated overviews: used only to locate primaries, never as evidence for factual claims
50
+
51
+ Class is relative to the claim (`rules/common/research.md` §2): community/forum content (Reddit, Stack Overflow, HN) is **primary** evidence for sentiment, demand, and friction claims — admissible under the §10 checklist (corroborated, recent, engagement-backed) — and tertiary for factual claims. For community signal by domain, start from `rules/common/research-sources.md`. Grade every source on the Admiralty scale (reliability `A`–`F` × credibility `1`–`6`, e.g. `B2`) and map confidence accordingly: `high` only on `A1`/`A2`/`B1`.
50
52
 
51
53
  ### Step 4: Check internal evidence
52
54
 
@@ -76,7 +78,7 @@ Produce a research brief using the structure from `get_template("research-brief"
76
78
 
77
79
  **METHOD**: search terms, systems queried, date filters applied, domain starting points used, internal paths checked; enough detail to reproduce
78
80
 
79
- **SOURCES**: structured table: title/path | class (primary/secondary/tertiary) | date | URL | verified (yes/no) | relevance
81
+ **SOURCES**: structured table: title/path | class (primary/secondary/tertiary) | reliability (A–F) | credibility (1–6) | date | URL | verified (yes/no) | relevance
80
82
 
81
83
  **FINDINGS**: each finding labeled: what the source says (observation) | what is inferred (inference) | confidence (high/medium/low) | supporting source(s)
82
84
 
@@ -16,6 +16,7 @@ You have been paged at 2am enough times to know that reliability problems are de
16
16
  **Failure mode warning**: If there's no alert definition before deployment, nobody planned for failure. The first alert will be a user report.
17
17
 
18
18
  **Role guidance**: call `get_skill("roles/operator.sre")` before drafting.
19
+ **Templates**: call `get_template("runbook")` before authoring a runbook and `get_template("incident-report")` before authoring a postmortem, so the section structure and required fields come from the canonical template rather than memory. Use `list_templates` to discover overrides.
19
20
 
20
21
  For each observability or reliability initiative, define:
21
22
 
@@ -271,7 +271,7 @@
271
271
  "modelTier": "standard",
272
272
  "reasoningEffort": "medium",
273
273
  "codexSandbox": "read-only",
274
- "claudeTools": "Read,Grep,Glob,LS,WebSearch,WebFetch,list_skills,get_skill,search_skills,memory_search,memory_add_observations",
274
+ "claudeTools": "Read,Grep,Glob,LS,WebSearch,WebFetch,list_skills,get_skill,search_skills,get_template,list_templates,memory_search,memory_add_observations",
275
275
  "promptFile": "specialists/prompts/cx-researcher.md",
276
276
  "embedOrientation": {
277
277
  "focusAreas": [
@@ -1075,7 +1075,7 @@
1075
1075
  "modelTier": "standard",
1076
1076
  "reasoningEffort": "medium",
1077
1077
  "codexSandbox": "workspace-write",
1078
- "claudeTools": "Read,Grep,Glob,LS,Edit,Write,Bash,list_skills,get_skill,search_skills,memory_search,memory_add_observations",
1078
+ "claudeTools": "Read,Grep,Glob,LS,Edit,Write,Bash,list_skills,get_skill,search_skills,get_template,list_templates,memory_search,memory_add_observations",
1079
1079
  "promptFile": "specialists/prompts/cx-docs-keeper.md",
1080
1080
  "embedOrientation": {
1081
1081
  "focusAreas": [
@@ -11,7 +11,7 @@ autonomously; applying it requires explicit approval.
11
11
  -->
12
12
 
13
13
  ## Source evidence
14
- <!-- Evidence brief, PRD, customer notes, tickets, or research supporting the proposal. -->
14
+ <!-- Evidence brief, PRD, customer notes, tickets, or research supporting the proposal, each with its evidence grade (rules/common/research.md §10). A proposal resting only on low-graded or uncorroborated evidence should be a signal brief, not a backlog item. -->
15
15
 
16
16
  ## Proposed changes
17
17
  <!-- Table: create/update, target issue if any, title, rationale, evidence, acceptance criteria. -->
@@ -16,7 +16,7 @@ asks for cleanup. Keep facts tied to source evidence.
16
16
  <!-- Stack, tools, integrations, scale, constraints, and relevant operating model. -->
17
17
 
18
18
  ## Active pain points
19
- <!-- Current friction, with source links or dates. Distinguish severe blockers from preferences. -->
19
+ <!-- Current friction, each with a source link, a date, and its evidence grade (rules/common/research.md §10). Distinguish severe blockers from preferences, and a one-off mention from a corroborated pattern. -->
20
20
 
21
21
  ## Open asks
22
22
  <!-- Table: ask, first raised, times mentioned, source, linked issue, status. -->
@@ -19,7 +19,11 @@ source lists or grouped findings. Keep em dashes rare.
19
19
  <!-- State the minimum signal needed to proceed. Example: two independent customers, three repeated mentions, or one severe enterprise blocker. -->
20
20
 
21
21
  ## Sources
22
- <!-- Table: source, source class, date/access date, customer or actor, link/path, confidence, and whether it is direct evidence or secondhand summary. -->
22
+ <!-- Class is relative to the claim (rules/common/research.md §2); Reliability (A–F) and Credibility (1–6) are the Admiralty grade (§10). Direct = first-hand evidence vs secondhand summary. -->
23
+
24
+ | Source | Class | Reliability | Credibility | Date | Actor | Link / Path | Direct? |
25
+ |---|---|---|---|---|---|---|---|
26
+ | {title} | primary / secondary / tertiary | A–F | 1–6 | {YYYY-MM-DD} | {customer or actor} | {url or path} | direct / secondhand |
23
27
 
24
28
  ## What we observed
25
29
  <!-- Factual observations only. Separate direct evidence from interpretation. -->
@@ -3,44 +3,60 @@
3
3
  - **Incident ID**: {INC-NNNN}
4
4
  - **Date**: {YYYY-MM-DD}
5
5
  - **Severity**: SEV-1 | SEV-2 | SEV-3
6
- - **Duration**: {start} → {end} ({total})
7
- - **Authors**: {names}
6
+ - **Duration**: {detection} → {all-clear} ({total}; time-to-detect {ttd}, time-to-mitigate {ttm})
7
+ - **Authors**: {names — include everyone who responded}
8
8
  - **Status**: draft | final
9
9
 
10
+ <!--
11
+ Blameless postmortem. Describe systems and decisions, not people. Neutral, factual
12
+ language — no dramatic or animated descriptions. Publish within days while detail is
13
+ fresh, and share widely. See Google SRE postmortem culture:
14
+ https://sre.google/workbook/postmortem-culture/
15
+ -->
16
+
10
17
  ## Summary
11
- <!-- Two to four sentences. What happened, who was affected, how it was resolved. Blameless tone. -->
18
+ <!-- Two to four sentences: what happened, who was affected, how it was resolved. Blameless tone. -->
19
+
20
+ ## Severity rationale
21
+ <!-- Why this severity and not one higher or lower? State the criteria (user impact, data integrity, duration, blast radius). If it was reclassified mid-incident, say when and why. -->
12
22
 
13
23
  ## Impact
14
- <!-- Users affected, requests failed, revenue lost, data integrity consequences. Quantify. -->
24
+ <!-- Quantify: users affected, requests failed, error rate, revenue, data-integrity consequences. "Unknown" is acceptable; a guess is not. -->
15
25
 
16
26
  ## Timeline
17
- <!-- Times in UTC. Key events: detection, diagnosis, mitigation, resolution, all-clear. One line per event. -->
27
+ <!-- Times in UTC, one line per event. Mark the key transitions explicitly: detection, diagnosis, mitigation start, resolution, all-clear. The gaps between them are the response story. -->
18
28
 
19
- | Time (UTC) | Event |
20
- |------------|-------|
21
- | {HH:MM} | {what happened or what was done} |
29
+ | Time (UTC) | Event | Phase |
30
+ |------------|-------|-------|
31
+ | {HH:MM} | {what happened or was done} | detection / diagnosis / mitigation / resolution |
32
+
33
+ ## Trigger
34
+ <!-- The proximate cause — the specific change, event, or input that set the incident off (a deploy, a traffic spike, a dependency failure). Distinct from the root cause. -->
22
35
 
23
36
  ## Root cause
24
- <!-- The underlying cause, not just the proximate trigger. The five-whys, condensed. -->
37
+ <!-- The underlying system condition that let the trigger cause harm. The five-whys, condensed. A root cause is a system/design gap, never a person. -->
25
38
 
26
39
  ## Contributing factors
27
- <!-- Conditions that made the incident possible, worse, or harder to resolve. Include process gaps, not just code. -->
40
+ <!-- Conditions that made the incident possible, worse, or harder to resolve: missing alerts, brittle dependencies, process gaps, absent runbook. Not the root cause, but they shaped the outcome. -->
28
41
 
29
- ## What went well
30
- <!-- Detection, response, communication, tooling. Keep this honest. -->
42
+ ## Mitigators
43
+ <!-- What went right and reduced blast radius — a circuit breaker that tripped, a canary that caught it, a fast rollback. These are as instructive as the failures; preserve them. -->
31
44
 
32
- ## What went poorly
33
- <!-- Be specific. Blameless, not blameless-to-the-point-of-vague. -->
45
+ ## Detection and response
46
+ <!-- How was it detected (alert, customer report, dashboard)? Was detection fast enough? What slowed diagnosis or mitigation? Be specific and blameless. -->
34
47
 
35
- ## Corrective actions
36
- <!-- Each action: owner, deadline, ticket link. Prefer systemic fixes over "be more careful". -->
48
+ ## Action items
49
+ <!-- Each action: systemic fix preferred over "be more careful". Owner, priority, and tracking ID required. Priority: P0 (prevents recurrence, do now) → P2 (hardening). -->
37
50
 
38
- | Action | Owner | Deadline | Ticket |
39
- |--------|-------|----------|--------|
40
- | {what} | {who} | {date} | {link} |
51
+ | Action | Type (prevent/detect/mitigate) | Owner | Priority | Tracking |
52
+ |--------|--------------------------------|-------|----------|----------|
53
+ | {what} | {prevent/detect/mitigate} | {who} | P0/P1/P2 | {bd or ticket} |
41
54
 
42
55
  ## Lessons learned
43
- <!-- What this incident revealed about the system or the organization. -->
56
+ <!-- Organized by theme. What did this reveal about the system or the organization that generalizes beyond this incident? -->
57
+
58
+ ## Glossary
59
+ <!-- Define domain-specific terms, service names, and acronyms used above so a reader outside the team can follow the report. -->
44
60
 
45
61
  ## References
46
- <!-- Logs, dashboards, traces, related incidents, PRs that caused or fixed the issue. -->
62
+ <!-- Logs, dashboards, traces (with IDs preserved), related incidents, the PRs that caused and that fixed the issue. -->
@@ -16,13 +16,13 @@ or directly from evidence, but it must not invent customer demand.
16
16
  <!-- Two or three paragraphs grounded in evidence. Explain the customer problem, why now, and what is missing today. -->
17
17
 
18
18
  ## Press release
19
- <!-- Write as if the capability has shipped. Focus on customer outcome, not implementation. -->
19
+ <!-- Write as if the capability has shipped. Focus on customer outcome, not implementation. Include a spokesperson quote and a customer quote — mark a hypothetical quote as such; never invent an attributed one (rules/common/no-fabrication.md). -->
20
20
 
21
21
  ## External FAQ
22
22
  <!-- Customer-facing questions and answers. Keep answers concrete and honest about limits. -->
23
23
 
24
24
  ## Internal FAQ
25
- <!-- Questions from engineering, sales, support, security, finance, and leadership. Include unknowns as TBD with what would resolve them. -->
25
+ <!-- Questions from engineering, sales, support, security, finance, and leadership. Include unknowns as TBD with what would resolve them. Cover the launch/success metrics: what target defines success and by when. -->
26
26
 
27
27
  ## Evidence appendix
28
28
  <!-- Source links, customer quotes, related issues, research, and PRDs. -->
@@ -13,7 +13,7 @@ without becoming a backlog dump.
13
13
  <!-- Two or three paragraphs. What changed, what matters, and what decision should follow. -->
14
14
 
15
15
  ## Evidence base
16
- <!-- Summary of source types, coverage, recency, and known gaps. -->
16
+ <!-- Source types, coverage, recency, and known gaps. Grade the evidence (rules/common/research.md §10); for community/sentiment sources note corroboration. Each theme below inherits the strength of the evidence under it — do not report a strong theme on weakly-graded sources. -->
17
17
 
18
18
  ## Themes
19
19
  <!-- Each theme should include evidence strength, affected personas, representative sources, and counter-signal. -->
@@ -23,14 +23,16 @@
23
23
 
24
24
  ## Sources
25
25
 
26
- | Title / Path | Class | Date | URL | Verified | Relevance |
27
- |---|---|---|---|---|---|
28
- | {source title or file path} | primary / secondary / tertiary | {YYYY-MM-DD} | {URL or path} | yes / no / n/a | {one-line} |
26
+ | Title / Path | Class | Reliability | Credibility | Date | URL | Verified | Relevance |
27
+ |---|---|---|---|---|---|---|---|
28
+ | {source title or file path} | primary / secondary / tertiary | A–F | 1–6 | {YYYY-MM-DD} | {URL or path} | yes / no / n/a | {one-line} |
29
29
 
30
- <!-- Class definitions:
31
- - primary: peer-reviewed papers, official docs at exact version, raw source code, standards, company announcements, SEC filings
30
+ <!-- Class is relative to the claim (rules/common/research.md §2): community/forum content is
31
+ primary for sentiment/experience claims, tertiary for factual ones.
32
+ - primary: peer-reviewed papers, official docs at exact version, raw source code, standards, company announcements, SEC filings; first-hand accounts for the attitude they express
32
33
  - secondary: changelogs, migration guides, tracked issues, maintainer posts, conference talks by authors
33
- - tertiary: blog posts, forums, Q&A, analyst summaries: for discovery only, never as evidence
34
+ - tertiary: blog posts, forums, Q&A, analyst summaries: for factual claims, discovery only
35
+ Reliability (A–F) and Credibility (1–6) are the Admiralty grade (research.md §10); record both, e.g. B2.
34
36
  Mark Verified = yes only after fetching the URL and confirming content matches. -->
35
37
 
36
38
  ## Findings