@geraldmaron/construct 1.0.18 → 1.0.19
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +6 -4
- package/bin/construct +26 -3
- package/db/schema/003_observation_reconciliation.sql +14 -0
- package/lib/bootstrap/resources.mjs +0 -1
- package/lib/cli-commands.mjs +33 -5
- package/lib/comment-lint.mjs +44 -0
- package/lib/contracts/validate.mjs +106 -0
- package/lib/decisions/enforced-baseline.json +23 -0
- package/lib/decisions/golden.mjs +87 -0
- package/lib/decisions/precedence.mjs +46 -0
- package/lib/decisions/registry.mjs +469 -0
- package/lib/deployment/parity-contract.mjs +148 -0
- package/lib/embed/cli.mjs +11 -0
- package/lib/embed/conflict-detection.mjs +4 -4
- package/lib/embed/customer-profiles.mjs +1 -1
- package/lib/embed/reconcile.mjs +60 -0
- package/lib/gates-audit.mjs +2 -2
- package/lib/hooks/config-protection.mjs +22 -3
- package/lib/hooks/guard-bash.mjs +1 -1
- package/lib/init-docs.mjs +1 -0
- package/lib/mode-commands.mjs +6 -8
- package/lib/observation-store.mjs +16 -2
- package/lib/opencode-telemetry.mjs +1 -1
- package/lib/roles/cli.mjs +10 -2
- package/lib/roles/gateway.mjs +50 -1
- package/lib/scheduler/index.mjs +31 -0
- package/lib/server/index.mjs +13 -3
- package/lib/server/static/index.html +1 -1
- package/lib/setup.mjs +6 -0
- package/lib/storage/hybrid-query.mjs +49 -38
- package/lib/storage/rrf.mjs +42 -0
- package/lib/storage/vector-client.mjs +18 -3
- package/lib/telemetry/backends/local.mjs +1 -1
- package/lib/telemetry/skill-calls.mjs +1 -1
- package/lib/templates/visual-requirements.mjs +84 -0
- package/package.json +9 -1
- package/rules/common/comments.md +3 -0
- package/rules/common/no-fabrication.md +3 -0
- package/rules/common/precedence.md +19 -0
- package/rules/common/research-sources.md +32 -0
- package/rules/common/research.md +59 -2
- package/skills/roles/data-engineer.pipeline.md +13 -1
- package/skills/roles/debugger.md +9 -0
- package/skills/roles/designer.accessibility.md +13 -3
- package/skills/roles/designer.md +10 -0
- package/skills/roles/engineer.platform.md +8 -0
- package/skills/roles/operator.md +10 -1
- package/skills/roles/operator.release.md +8 -0
- package/skills/roles/operator.sre.md +10 -1
- package/skills/roles/orchestrator.md +9 -2
- package/skills/roles/product-manager.business-strategy.md +10 -1
- package/skills/roles/researcher.explorer.md +12 -1
- package/skills/roles/researcher.ux.md +13 -1
- package/skills/roles/reviewer.devil-advocate.md +14 -2
- package/skills/roles/reviewer.evaluator.md +17 -4
- package/skills/roles/reviewer.trace.md +12 -1
- package/skills/roles/security.legal-compliance.md +8 -0
- package/skills/roles/security.md +11 -0
- package/specialists/contracts.json +18 -0
- package/specialists/prompts/cx-researcher.md +4 -2
- package/templates/docs/backlog-proposal.md +1 -1
- package/templates/docs/customer-profile.md +1 -1
- package/templates/docs/evidence-brief.md +5 -1
- package/templates/docs/incident-report.md +37 -21
- package/templates/docs/prfaq.md +2 -2
- package/templates/docs/product-intelligence-report.md +1 -1
- package/templates/docs/research-brief.md +8 -6
- package/templates/docs/research-finding.md +32 -7
- package/templates/docs/rfc.md +13 -1
- package/templates/docs/runbook.md +20 -1
- package/templates/docs/signal-brief.md +4 -1
- package/templates/docs/skill-artifact.md +27 -7
- package/templates/docs/strategy.md +23 -2
- package/lib/bootstrap/lazy-install.mjs +0 -161
- package/lib/embed/jobs/vector-sync.mjs +0 -198
- package/lib/knowledge/postgres-search.mjs +0 -132
- package/lib/services/pattern-promotion-service.mjs +0 -167
- package/lib/storage/unified-storage.mjs +0 -550
|
@@ -37,8 +37,16 @@ Additional failure modes on top of the operator core.
|
|
|
37
37
|
**Why it fails**: regressions show up 30–60 minutes in; if nobody is watching, they compound.
|
|
38
38
|
**Counter-move**: define the post-release watch window (metrics + duration) before pushing. Hold the release until it's clean.
|
|
39
39
|
|
|
40
|
+
## Methodology
|
|
41
|
+
|
|
42
|
+
**Progressive delivery.** Ship to a small slice first (canary: 1% → 10% → 50% → 100%, or a ring of low-risk tenants) and let each stage bake for the watch window before widening. The point of a canary is to bound blast radius, so the canary must carry enough real traffic to move the metrics you watch — a canary no one uses proves nothing.
|
|
43
|
+
|
|
44
|
+
**Make rollback a decision rule, not a judgment call.** Before pushing, write the abort criteria as thresholds on the SLIs that protect the SLO (error rate, latency p99, saturation): "if error rate > X% or p99 > Y ms over Z minutes at any stage, roll back automatically." Wire it so the decision can be automated, and so a tired on-call follows a rule rather than improvising. Roll back, then diagnose — never the reverse.
|
|
45
|
+
|
|
40
46
|
## Self-check before shipping
|
|
41
47
|
- [ ] Release is the smallest deployable increment
|
|
48
|
+
- [ ] Staged/canary rollout with a bake window per stage; canary carries real traffic
|
|
49
|
+
- [ ] Abort criteria written as SLI thresholds before push; rollback automatable
|
|
42
50
|
- [ ] Rollback path documented and tested
|
|
43
51
|
- [ ] Core release-facing docs landed with code and match shipped behavior
|
|
44
52
|
- [ ] Post-release watch window defined and staffed
|
|
@@ -37,8 +37,17 @@ Additional failure modes on top of the operator core.
|
|
|
37
37
|
**Why it fails**: the same incident repeats. Teams lose trust in the process.
|
|
38
38
|
**Counter-move**: every corrective action has an owner, a ticket, and a target date. Review completion in the next monthly.
|
|
39
39
|
|
|
40
|
+
## Methodology
|
|
41
|
+
|
|
42
|
+
The error-budget policy is the mechanism that makes an SLO consequential ([Google SRE](https://sre.google/workbook/error-budget-policy/)):
|
|
43
|
+
|
|
44
|
+
- The budget is `1 − SLO` over a window (99.9% over 28 days ≈ 43 min of allowed downtime). It is spent by every failure, planned or not.
|
|
45
|
+
- **Burn rate** is how fast the budget is being consumed relative to the window. Alert on burn rate with **multi-window** thresholds — a fast-burn alert (e.g. 2% of budget in 1 hour) pages now; a slow-burn alert (e.g. 10% over a few days) opens a ticket. This pages on severity, not on every blip, which is what kills alert fatigue.
|
|
46
|
+
- **The policy is written before the breach**: when the budget is exhausted, feature releases freeze and reliability work takes priority until it recovers; name the exceptions (infra failures, third-party) and who can override. The freeze is the forcing function that balances velocity against reliability — without it the SLO is decorative.
|
|
47
|
+
|
|
40
48
|
## Self-check before shipping
|
|
41
49
|
- [ ] Every alert links to a runbook
|
|
42
|
-
- [ ] SLOs have an explicit error-budget policy
|
|
50
|
+
- [ ] SLOs have an explicit, written-before-breach error-budget policy (freeze trigger, exceptions, owner)
|
|
51
|
+
- [ ] Burn-rate alerting uses multi-window thresholds (fast-burn pages, slow-burn ticket)
|
|
43
52
|
- [ ] Dashboards are incident-shaped, not metric-dumps
|
|
44
53
|
- [ ] Post-mortem actions are owned and dated
|
|
@@ -57,10 +57,17 @@ Use this as a fast dispatch checklist before producing orchestration output.
|
|
|
57
57
|
- Symptom: large reads just to decide who should work.
|
|
58
58
|
- Counter: probe with search, glob, or small reads first.
|
|
59
59
|
|
|
60
|
+
## Sequencing methodology
|
|
61
|
+
|
|
62
|
+
- **Graph first**: map each specialist's input→output; parallelize only when no input is another's output. "All parallel"/"all sequential" both mean the graph was skipped.
|
|
63
|
+
- **Waves**: dispatch the set whose inputs are satisfied; the next starts at the slowest member's landing. Minimize waves, not specialists.
|
|
64
|
+
- **Critical path**: total time is the longest dependency chain, not the headcount. On-path specialists delay everything downstream.
|
|
65
|
+
- **Bound fan-out**: cap concurrent dispatch to what the consumer can absorb.
|
|
66
|
+
|
|
60
67
|
## Ship Check
|
|
61
68
|
|
|
62
|
-
- Request classified.
|
|
63
|
-
-
|
|
69
|
+
- Request classified; smallest adequate path selected.
|
|
70
|
+
- Dependency graph drawn; specialists grouped into the fewest waves; critical path identified.
|
|
64
71
|
- Handoffs have distinct ownership.
|
|
65
72
|
- Blockers and user questions surfaced.
|
|
66
73
|
- Original ask still matches final output.
|
|
@@ -37,8 +37,17 @@ Additional failure modes on top of the product-manager core.
|
|
|
37
37
|
**Why it fails**: two products with identical features but different economics compete very differently.
|
|
38
38
|
**Counter-move**: for each competitor, model the business (unit economics, distribution, defensibility) not just the surface.
|
|
39
39
|
|
|
40
|
+
## Methodology
|
|
41
|
+
|
|
42
|
+
Two frameworks turn "market thesis" from intuition into analysis:
|
|
43
|
+
|
|
44
|
+
**Structural analysis (Porter's Five Forces).** Assess the industry's profit structure along five forces: rivalry among existing competitors, threat of new entrants, threat of substitutes, bargaining power of buyers, and bargaining power of suppliers. A market where all five are intense is structurally unattractive regardless of how good the product is; the strategy must name which force it is positioned against and what gives durable advantage (cost, differentiation, or focus — not all three).
|
|
45
|
+
|
|
46
|
+
**Scenario planning.** The future is not a point estimate. Identify the two or three uncertainties that most affect the bet (e.g. "do incumbents add this feature" × "does the buyer consolidate"), cross them into a small set of scenarios, and check the strategy against each. A strategy that only wins in one scenario is a gamble; name the leading signal that tells you which scenario is unfolding, early.
|
|
47
|
+
|
|
40
48
|
## Self-check before shipping
|
|
41
49
|
- [ ] Rejected alternatives stated
|
|
42
|
-
- [ ] Market thesis explicit
|
|
50
|
+
- [ ] Market thesis explicit, with the dominant Porter force named
|
|
51
|
+
- [ ] Strategy checked against 2–3 scenarios, not a single forecast
|
|
43
52
|
- [ ] Falsification criterion and revisit threshold declared
|
|
44
53
|
- [ ] Competitive analysis covers economics, not just features
|
|
@@ -37,8 +37,19 @@ Additional failure modes on top of the researcher core.
|
|
|
37
37
|
**Why it fails**: burns the consumer's time and context window; the answer drowns in tangent.
|
|
38
38
|
**Counter-move**: answer the question asked. Link supporting material; don't inline it unless asked.
|
|
39
39
|
|
|
40
|
+
## Methodology
|
|
41
|
+
|
|
42
|
+
Explore by following the graph, not by grepping until something looks right:
|
|
43
|
+
|
|
44
|
+
- **Entry points first**: find where execution starts (CLI dispatch, route table, main, test setup) and trace *forward* along the call graph to the code in question. This locates the real path instead of a same-named decoy.
|
|
45
|
+
- **Both directions**: for a symbol, find its definition and its *callers* (who depends on this) — the blast radius of a change is the caller set, and missing it is how "small" changes break distant things.
|
|
46
|
+
- **Triangulate before concluding**: confirm a behavior from at least two of {the code, a test that exercises it, a config that wires it}. A single grep hit is a lead, not a conclusion.
|
|
47
|
+
- **Name the seams**: report where control crosses module/process/service boundaries; that is where the question usually actually lives.
|
|
48
|
+
|
|
40
49
|
## Self-check before shipping
|
|
50
|
+
- [ ] Traced from an entry point along the call graph, not from an isolated grep hit
|
|
51
|
+
- [ ] Both definition and callers (dependency blast radius) identified
|
|
52
|
+
- [ ] Behavior triangulated across code + test/config, not a single match
|
|
41
53
|
- [ ] Every claim cites a path, ideally with a line
|
|
42
54
|
- [ ] Function behavior verified from the body, not the name
|
|
43
|
-
- [ ] Searched multiple naming variants and entry points
|
|
44
55
|
- [ ] Response scoped to the question asked
|
|
@@ -37,8 +37,20 @@ Additional failure modes on top of the researcher core.
|
|
|
37
37
|
**Why it fails**: collapses the problem-space exploration into a solution bias; design has less room to iterate.
|
|
38
38
|
**Counter-move**: report the problem (friction, confusion, unmet need). Let design own the solution.
|
|
39
39
|
|
|
40
|
+
## Methodology
|
|
41
|
+
|
|
42
|
+
The failure modes above are what to avoid. This is the rigor a senior UX researcher brings.
|
|
43
|
+
|
|
44
|
+
**Validity — name the threat.** Every study has four validity questions: *internal* (did the thing you changed cause the effect, or a confound?), *external* (does it generalize beyond these participants/tasks?), *construct* (does the measure capture the concept, or a proxy?), and *conclusion* (is the difference real or noise?). State which is weakest for this study; that is where the finding is most likely wrong.
|
|
45
|
+
|
|
46
|
+
**Sampling.** Sample size follows the claim, not the calendar. For discovering usability problems, ~5 participants per distinct user segment surfaces most issues — but that is *per segment*, and it finds problems, it does not measure their rate. Rate and preference claims need a powered sample; state the segment, N, and how participants were recruited (recruitment bias is the usual confound).
|
|
47
|
+
|
|
48
|
+
**Inter-rater reliability.** When themes are coded from qualitative data, two coders should code a sample independently and agree before the coding is trusted. Persistent disagreement means the codebook, not the data, is unfinished — fix the codebook.
|
|
49
|
+
|
|
40
50
|
## Self-check before shipping
|
|
41
51
|
- [ ] Questions focus on past behavior, not hypothetical future
|
|
42
52
|
- [ ] Observed behavior weighted over self-report
|
|
43
|
-
- [ ]
|
|
53
|
+
- [ ] Weakest validity threat (internal/external/construct/conclusion) named
|
|
54
|
+
- [ ] Sample size and segment stated for every claim; recruitment noted
|
|
55
|
+
- [ ] Themes coded with inter-rater agreement, not a single coder
|
|
44
56
|
- [ ] Findings describe problems, not prescribe solutions
|
|
@@ -37,8 +37,20 @@ Additional failure modes on top of the reviewer core.
|
|
|
37
37
|
**Why it fails**: slows down learning that should be fast; teams stop bringing you early ideas.
|
|
38
38
|
**Counter-move**: classify the decision on the reversibility axis first. Calibrate pushback accordingly.
|
|
39
39
|
|
|
40
|
+
## Methodology
|
|
41
|
+
|
|
42
|
+
Beyond ad-hoc objection, run the plan through a structured failure-mode pass (FMEA — failure mode and effects analysis):
|
|
43
|
+
|
|
44
|
+
- For each component or step, ask *how could this fail* (the failure mode), *what happens when it does* (effect), and *why might it happen* (cause).
|
|
45
|
+
- Score each on three axes 1–10: **severity** (how bad the effect), **occurrence** (how likely the cause), **detection** (how likely you'd catch it before harm — high score = hard to detect). Their product is the **risk priority number (RPN)**.
|
|
46
|
+
- Rank by RPN, not by which objection came to mind first. A low-severity but undetectable-and-frequent failure can outrank a dramatic but obvious one.
|
|
47
|
+
- The highest-RPN modes are where the plan needs a mitigation or a detection point before it ships; explicitly mark the rest "acknowledge but proceed."
|
|
48
|
+
|
|
49
|
+
This turns "this seems risky" into a ranked, defensible list the author can act on.
|
|
50
|
+
|
|
40
51
|
## Self-check before shipping
|
|
41
|
-
- [ ] Each objection names a concrete scenario
|
|
52
|
+
- [ ] Each objection names a concrete scenario (failure mode + effect + cause)
|
|
42
53
|
- [ ] At least three categories of risk covered
|
|
43
|
-
- [ ] Objections ranked by severity
|
|
54
|
+
- [ ] Objections ranked by RPN (severity × occurrence × detection), not recency
|
|
55
|
+
- [ ] Highest-RPN modes have a mitigation or detection point
|
|
44
56
|
- [ ] Reversibility of the decision assessed
|
|
@@ -37,8 +37,21 @@ Additional failure modes on top of the reviewer core.
|
|
|
37
37
|
**Why it fails**: can't tell which change did what; can't roll back specifically if quality regresses.
|
|
38
38
|
**Counter-move**: change one variable at a time. Pin the others.
|
|
39
39
|
|
|
40
|
+
## Methodology
|
|
41
|
+
|
|
42
|
+
The failure modes above are what to avoid. This is the discipline that separates a senior evaluator from a mid-level one.
|
|
43
|
+
|
|
44
|
+
**Rubric design.** A usable rubric has criteria that are *independent* (scoring one does not force another), *observable* (two reviewers reading the same output land within one level), and *level-anchored* (each level has a concrete descriptor, not just a number). Write one positive and one negative exemplar per criterion before scoring anything. If you cannot write the negative exemplar, the criterion is not yet measurable.
|
|
45
|
+
|
|
46
|
+
**Ground truth.** A score is only as good as the labels it is measured against. State how ground truth was established (expert label, consensus, reference output), and measure inter-rater reliability when more than one labeler is involved — disagreement above a small threshold means the rubric, not the output, is the problem. Resolve disagreements by tightening the rubric, not by averaging.
|
|
47
|
+
|
|
48
|
+
**False positives vs false negatives.** Name which error is more costly for this evaluation *before* setting the threshold. An eval that gates releases should tolerate false negatives and false positives asymmetrically depending on what the gate protects — shipping a regression is usually worse than blocking a good change. State the asymmetry; a single accuracy number hides it.
|
|
49
|
+
|
|
50
|
+
**Statistical significance.** Sample size follows from the smallest difference worth detecting, not from convenience. Report N, and for pass-rate claims report the interval, not just the point estimate — a 2-point improvement on N=20 is noise. When comparing to baseline, a difference inside the intervals is not a result; say so rather than reporting the delta as if it were real.
|
|
51
|
+
|
|
40
52
|
## Self-check before shipping
|
|
41
|
-
- [ ] Rubric declared before scoring
|
|
42
|
-
- [ ]
|
|
43
|
-
- [ ]
|
|
44
|
-
- [ ]
|
|
53
|
+
- [ ] Rubric declared before scoring, with a positive and negative exemplar per criterion
|
|
54
|
+
- [ ] Ground-truth basis stated; inter-rater reliability checked when multiple labelers
|
|
55
|
+
- [ ] False-positive vs false-negative cost asymmetry named before the threshold was set
|
|
56
|
+
- [ ] Sample size justified by the smallest meaningful difference; interval reported, not just point estimate
|
|
57
|
+
- [ ] Baseline comparison included; one variable changed per run, others pinned
|
|
@@ -37,8 +37,19 @@ Additional failure modes on top of the reviewer core.
|
|
|
37
37
|
**Why it fails**: the final output may mask a degraded path that costs time, money, or reliability.
|
|
38
38
|
**Counter-move**: examine the full tool-call chain. Flag any failure, retry, or fallback.
|
|
39
39
|
|
|
40
|
+
## Methodology
|
|
41
|
+
|
|
42
|
+
Treat fleet scores as a process to monitor, not a number to eyeball (statistical process control):
|
|
43
|
+
|
|
44
|
+
- Establish a **baseline** distribution — mean and standard deviation of the score over a stable window — before calling anything a regression.
|
|
45
|
+
- A run is out of control when it crosses a **control limit** (commonly ~3σ from the mean) or shows a non-random pattern (e.g. several consecutive points drifting one direction). A single point inside the limits is noise, not signal — do not chase it.
|
|
46
|
+
- Separate **common-cause** variation (inherent noise; do not react per-point) from **special-cause** variation (a real shift; investigate). Reacting to common-cause noise — "tampering" — makes variance worse.
|
|
47
|
+
- Watch the **variance**, not just the median: a stable median can hide a widening spread where a subset of agents is failing. Report the spread alongside the central tendency.
|
|
48
|
+
|
|
40
49
|
## Self-check before shipping
|
|
41
|
-
- [ ] Judged against a sampled distribution
|
|
50
|
+
- [ ] Judged against a sampled distribution with a baseline mean and spread
|
|
51
|
+
- [ ] Out-of-control points distinguished from common-cause noise (no tampering)
|
|
52
|
+
- [ ] Variance reported, not just the median
|
|
42
53
|
- [ ] Each issue cites a specific span or tool call
|
|
43
54
|
- [ ] Latency and quality reported separately
|
|
44
55
|
- [ ] Full tool-call chain examined
|
|
@@ -42,7 +42,15 @@ Additional failure modes on top of the security core.
|
|
|
42
42
|
**Why it fails**: contaminates the license of the whole product; costly to unwind later.
|
|
43
43
|
**Counter-move**: automated license scan in CI; allowlist policy per product tier.
|
|
44
44
|
|
|
45
|
+
## Methodology
|
|
46
|
+
|
|
47
|
+
**Map obligations to controls through a risk register, not a checklist.** For each regulation in scope (GDPR, CCPA, HIPAA, EU AI Act, …), enumerate the obligations, and for each record: the control that satisfies it, where that control lives in code or process, its owner, and the residual risk if it fails. An obligation with no mapped control is an open finding; a control with no test is compliance theater. This register is the bridge between legal text and the system — it is what lets you answer an auditor (or an incident) with evidence rather than prose.
|
|
48
|
+
|
|
49
|
+
**Frame risk in business terms.** Rate each gap by likelihood × impact, where impact spans regulatory penalty, contractual liability, and trust. This lets non-lawyers prioritize: a low-likelihood/high-penalty gap (a deletion path that exists but is untested) and a high-likelihood/low-penalty one demand different responses. Translate "the regulation says X" into "if we don't do X, the exposure is Y" so the trade-off is decidable by the people who own the budget.
|
|
50
|
+
|
|
45
51
|
## Self-check before shipping
|
|
52
|
+
- [ ] Each in-scope obligation maps to a control, owner, and residual-risk note in a register
|
|
53
|
+
- [ ] Gaps rated by likelihood × impact (penalty, liability, trust)
|
|
46
54
|
- [ ] Policies map to testable controls
|
|
47
55
|
- [ ] Retention enforced by automated deletion
|
|
48
56
|
- [ ] Consent granular, opt-in, withdrawable
|
package/skills/roles/security.md
CHANGED
|
@@ -58,8 +58,19 @@ Load this before drafting. These are the failure modes that separate strong role
|
|
|
58
58
|
**Why it fails**: gives an attacker a map of the system; turns a reconnaissance step into a freebie.
|
|
59
59
|
**Counter-move**: user-facing errors are generic. Detailed context goes to logs with appropriate access controls.
|
|
60
60
|
|
|
61
|
+
## Methodology
|
|
62
|
+
|
|
63
|
+
Threat modeling is a process, not an instinct. Run it explicitly:
|
|
64
|
+
|
|
65
|
+
- **Decompose**: draw the data-flow — trust boundaries, entry points, assets, and where data crosses from less-trusted to more-trusted.
|
|
66
|
+
- **Enumerate with STRIDE** per element: **S**poofing, **T**ampering, **R**epudiation, **I**nformation disclosure, **D**enial of service, **E**levation of privilege. STRIDE forces coverage of categories an ad-hoc review skips (repudiation and tampering are the usual blind spots).
|
|
67
|
+
- **Rate and rank**: score each threat by likelihood × impact (or DREAD/CVSS where a number is needed), and treat the highest first. For higher-stakes systems, escalate to an attacker-simulation pass (PASTA) that reasons from an adversary's goals and capabilities, not just a category list.
|
|
68
|
+
- **Decide per threat**: mitigate, accept (with rationale), or transfer. An unrated threat is an unmade decision.
|
|
69
|
+
|
|
61
70
|
## Self-check before shipping
|
|
62
71
|
|
|
72
|
+
- [ ] Threat model decomposes data flow and enumerates STRIDE per trust boundary
|
|
73
|
+
- [ ] Threats rated and ranked; highest-risk handled first
|
|
63
74
|
- [ ] No single control is the only line of defense
|
|
64
75
|
- [ ] Secrets live in a secret manager, not in the repo
|
|
65
76
|
- [ ] User input is validated and escaped at every boundary
|
|
@@ -133,6 +133,18 @@
|
|
|
133
133
|
"check": "artifact-has-section",
|
|
134
134
|
"section": "Rejected Alternatives"
|
|
135
135
|
},
|
|
136
|
+
{
|
|
137
|
+
"id": "adr-reversibility-stated",
|
|
138
|
+
"description": "ADR Reversibility section is present and non-empty",
|
|
139
|
+
"check": "artifact-section-nonempty",
|
|
140
|
+
"section": "Reversibility"
|
|
141
|
+
},
|
|
142
|
+
{
|
|
143
|
+
"id": "adr-consequences-stated",
|
|
144
|
+
"description": "ADR Consequences section is present and non-empty",
|
|
145
|
+
"check": "artifact-section-nonempty",
|
|
146
|
+
"section": "Consequences"
|
|
147
|
+
},
|
|
136
148
|
{
|
|
137
149
|
"id": "adr-numeric-claims-cited",
|
|
138
150
|
"description": "Every numeric claim in the ADR body cites a source",
|
|
@@ -547,6 +559,12 @@
|
|
|
547
559
|
"check": "artifact-has-section",
|
|
548
560
|
"section": "Market Context"
|
|
549
561
|
},
|
|
562
|
+
{
|
|
563
|
+
"id": "strategic-memo-options-nonempty",
|
|
564
|
+
"description": "Strategic memo Options section is present and non-empty",
|
|
565
|
+
"check": "artifact-section-nonempty",
|
|
566
|
+
"section": "Options"
|
|
567
|
+
},
|
|
550
568
|
{
|
|
551
569
|
"id": "strategic-memo-has-strategic-risks",
|
|
552
570
|
"description": "Strategic memo must contain a Strategic Risks section",
|
|
@@ -46,7 +46,9 @@ When querying search engines or paper indexes, always filter or sort by date: ne
|
|
|
46
46
|
|
|
47
47
|
1. **Primary**: peer-reviewed papers, official docs for the exact version, published standards, raw source code, SEC filings, primary company announcements
|
|
48
48
|
2. **Secondary**: changelogs, migration guides, tracked GitHub issues, maintainer posts, conference talks by the authors
|
|
49
|
-
3. **Tertiary**: blog posts, forums, Q&A, analyst summaries, AI-generated overviews: used only to locate primaries, never as evidence
|
|
49
|
+
3. **Tertiary**: blog posts, forums, Q&A, analyst summaries, AI-generated overviews: used only to locate primaries, never as evidence for factual claims
|
|
50
|
+
|
|
51
|
+
Class is relative to the claim (`rules/common/research.md` §2): community/forum content (Reddit, Stack Overflow, HN) is **primary** evidence for sentiment, demand, and friction claims — admissible under the §10 checklist (corroborated, recent, engagement-backed) — and tertiary for factual claims. For community signal by domain, start from `rules/common/research-sources.md`. Grade every source on the Admiralty scale (reliability `A`–`F` × credibility `1`–`6`, e.g. `B2`) and map confidence accordingly: `high` only on `A1`/`A2`/`B1`.
|
|
50
52
|
|
|
51
53
|
### Step 4: Check internal evidence
|
|
52
54
|
|
|
@@ -76,7 +78,7 @@ Produce a research brief using the structure from `get_template("research-brief"
|
|
|
76
78
|
|
|
77
79
|
**METHOD**: search terms, systems queried, date filters applied, domain starting points used, internal paths checked; enough detail to reproduce
|
|
78
80
|
|
|
79
|
-
**SOURCES**: structured table: title/path | class (primary/secondary/tertiary) | date | URL | verified (yes/no) | relevance
|
|
81
|
+
**SOURCES**: structured table: title/path | class (primary/secondary/tertiary) | reliability (A–F) | credibility (1–6) | date | URL | verified (yes/no) | relevance
|
|
80
82
|
|
|
81
83
|
**FINDINGS**: each finding labeled: what the source says (observation) | what is inferred (inference) | confidence (high/medium/low) | supporting source(s)
|
|
82
84
|
|
|
@@ -11,7 +11,7 @@ autonomously; applying it requires explicit approval.
|
|
|
11
11
|
-->
|
|
12
12
|
|
|
13
13
|
## Source evidence
|
|
14
|
-
<!-- Evidence brief, PRD, customer notes, tickets, or research supporting the proposal. -->
|
|
14
|
+
<!-- Evidence brief, PRD, customer notes, tickets, or research supporting the proposal, each with its evidence grade (rules/common/research.md §10). A proposal resting only on low-graded or uncorroborated evidence should be a signal brief, not a backlog item. -->
|
|
15
15
|
|
|
16
16
|
## Proposed changes
|
|
17
17
|
<!-- Table: create/update, target issue if any, title, rationale, evidence, acceptance criteria. -->
|
|
@@ -16,7 +16,7 @@ asks for cleanup. Keep facts tied to source evidence.
|
|
|
16
16
|
<!-- Stack, tools, integrations, scale, constraints, and relevant operating model. -->
|
|
17
17
|
|
|
18
18
|
## Active pain points
|
|
19
|
-
<!-- Current friction, with source
|
|
19
|
+
<!-- Current friction, each with a source link, a date, and its evidence grade (rules/common/research.md §10). Distinguish severe blockers from preferences, and a one-off mention from a corroborated pattern. -->
|
|
20
20
|
|
|
21
21
|
## Open asks
|
|
22
22
|
<!-- Table: ask, first raised, times mentioned, source, linked issue, status. -->
|
|
@@ -19,7 +19,11 @@ source lists or grouped findings. Keep em dashes rare.
|
|
|
19
19
|
<!-- State the minimum signal needed to proceed. Example: two independent customers, three repeated mentions, or one severe enterprise blocker. -->
|
|
20
20
|
|
|
21
21
|
## Sources
|
|
22
|
-
<!--
|
|
22
|
+
<!-- Class is relative to the claim (rules/common/research.md §2); Reliability (A–F) and Credibility (1–6) are the Admiralty grade (§10). Direct = first-hand evidence vs secondhand summary. -->
|
|
23
|
+
|
|
24
|
+
| Source | Class | Reliability | Credibility | Date | Actor | Link / Path | Direct? |
|
|
25
|
+
|---|---|---|---|---|---|---|---|
|
|
26
|
+
| {title} | primary / secondary / tertiary | A–F | 1–6 | {YYYY-MM-DD} | {customer or actor} | {url or path} | direct / secondhand |
|
|
23
27
|
|
|
24
28
|
## What we observed
|
|
25
29
|
<!-- Factual observations only. Separate direct evidence from interpretation. -->
|
|
@@ -3,44 +3,60 @@
|
|
|
3
3
|
- **Incident ID**: {INC-NNNN}
|
|
4
4
|
- **Date**: {YYYY-MM-DD}
|
|
5
5
|
- **Severity**: SEV-1 | SEV-2 | SEV-3
|
|
6
|
-
- **Duration**: {
|
|
7
|
-
- **Authors**: {names}
|
|
6
|
+
- **Duration**: {detection} → {all-clear} ({total}; time-to-detect {ttd}, time-to-mitigate {ttm})
|
|
7
|
+
- **Authors**: {names — include everyone who responded}
|
|
8
8
|
- **Status**: draft | final
|
|
9
9
|
|
|
10
|
+
<!--
|
|
11
|
+
Blameless postmortem. Describe systems and decisions, not people. Neutral, factual
|
|
12
|
+
language — no dramatic or animated descriptions. Publish within days while detail is
|
|
13
|
+
fresh, and share widely. See Google SRE postmortem culture:
|
|
14
|
+
https://sre.google/workbook/postmortem-culture/
|
|
15
|
+
-->
|
|
16
|
+
|
|
10
17
|
## Summary
|
|
11
|
-
<!-- Two to four sentences
|
|
18
|
+
<!-- Two to four sentences: what happened, who was affected, how it was resolved. Blameless tone. -->
|
|
19
|
+
|
|
20
|
+
## Severity rationale
|
|
21
|
+
<!-- Why this severity and not one higher or lower? State the criteria (user impact, data integrity, duration, blast radius). If it was reclassified mid-incident, say when and why. -->
|
|
12
22
|
|
|
13
23
|
## Impact
|
|
14
|
-
<!--
|
|
24
|
+
<!-- Quantify: users affected, requests failed, error rate, revenue, data-integrity consequences. "Unknown" is acceptable; a guess is not. -->
|
|
15
25
|
|
|
16
26
|
## Timeline
|
|
17
|
-
<!-- Times in UTC.
|
|
27
|
+
<!-- Times in UTC, one line per event. Mark the key transitions explicitly: detection, diagnosis, mitigation start, resolution, all-clear. The gaps between them are the response story. -->
|
|
18
28
|
|
|
19
|
-
| Time (UTC) | Event |
|
|
20
|
-
|
|
21
|
-
| {HH:MM} | {what happened or
|
|
29
|
+
| Time (UTC) | Event | Phase |
|
|
30
|
+
|------------|-------|-------|
|
|
31
|
+
| {HH:MM} | {what happened or was done} | detection / diagnosis / mitigation / resolution |
|
|
32
|
+
|
|
33
|
+
## Trigger
|
|
34
|
+
<!-- The proximate cause — the specific change, event, or input that set the incident off (a deploy, a traffic spike, a dependency failure). Distinct from the root cause. -->
|
|
22
35
|
|
|
23
36
|
## Root cause
|
|
24
|
-
<!-- The underlying
|
|
37
|
+
<!-- The underlying system condition that let the trigger cause harm. The five-whys, condensed. A root cause is a system/design gap, never a person. -->
|
|
25
38
|
|
|
26
39
|
## Contributing factors
|
|
27
|
-
<!-- Conditions that made the incident possible, worse, or harder to resolve
|
|
40
|
+
<!-- Conditions that made the incident possible, worse, or harder to resolve: missing alerts, brittle dependencies, process gaps, absent runbook. Not the root cause, but they shaped the outcome. -->
|
|
28
41
|
|
|
29
|
-
##
|
|
30
|
-
<!--
|
|
42
|
+
## Mitigators
|
|
43
|
+
<!-- What went right and reduced blast radius — a circuit breaker that tripped, a canary that caught it, a fast rollback. These are as instructive as the failures; preserve them. -->
|
|
31
44
|
|
|
32
|
-
##
|
|
33
|
-
<!-- Be specific
|
|
45
|
+
## Detection and response
|
|
46
|
+
<!-- How was it detected (alert, customer report, dashboard)? Was detection fast enough? What slowed diagnosis or mitigation? Be specific and blameless. -->
|
|
34
47
|
|
|
35
|
-
##
|
|
36
|
-
<!-- Each action:
|
|
48
|
+
## Action items
|
|
49
|
+
<!-- Each action: systemic fix preferred over "be more careful". Owner, priority, and tracking ID required. Priority: P0 (prevents recurrence, do now) → P2 (hardening). -->
|
|
37
50
|
|
|
38
|
-
| Action | Owner |
|
|
39
|
-
|
|
40
|
-
| {what} | {
|
|
51
|
+
| Action | Type (prevent/detect/mitigate) | Owner | Priority | Tracking |
|
|
52
|
+
|--------|--------------------------------|-------|----------|----------|
|
|
53
|
+
| {what} | {prevent/detect/mitigate} | {who} | P0/P1/P2 | {bd or ticket} |
|
|
41
54
|
|
|
42
55
|
## Lessons learned
|
|
43
|
-
<!-- What this
|
|
56
|
+
<!-- Organized by theme. What did this reveal about the system or the organization that generalizes beyond this incident? -->
|
|
57
|
+
|
|
58
|
+
## Glossary
|
|
59
|
+
<!-- Define domain-specific terms, service names, and acronyms used above so a reader outside the team can follow the report. -->
|
|
44
60
|
|
|
45
61
|
## References
|
|
46
|
-
<!-- Logs, dashboards, traces, related incidents, PRs that caused
|
|
62
|
+
<!-- Logs, dashboards, traces (with IDs preserved), related incidents, the PRs that caused and that fixed the issue. -->
|
package/templates/docs/prfaq.md
CHANGED
|
@@ -16,13 +16,13 @@ or directly from evidence, but it must not invent customer demand.
|
|
|
16
16
|
<!-- Two or three paragraphs grounded in evidence. Explain the customer problem, why now, and what is missing today. -->
|
|
17
17
|
|
|
18
18
|
## Press release
|
|
19
|
-
<!-- Write as if the capability has shipped. Focus on customer outcome, not implementation. -->
|
|
19
|
+
<!-- Write as if the capability has shipped. Focus on customer outcome, not implementation. Include a spokesperson quote and a customer quote — mark a hypothetical quote as such; never invent an attributed one (rules/common/no-fabrication.md). -->
|
|
20
20
|
|
|
21
21
|
## External FAQ
|
|
22
22
|
<!-- Customer-facing questions and answers. Keep answers concrete and honest about limits. -->
|
|
23
23
|
|
|
24
24
|
## Internal FAQ
|
|
25
|
-
<!-- Questions from engineering, sales, support, security, finance, and leadership. Include unknowns as TBD with what would resolve them. -->
|
|
25
|
+
<!-- Questions from engineering, sales, support, security, finance, and leadership. Include unknowns as TBD with what would resolve them. Cover the launch/success metrics: what target defines success and by when. -->
|
|
26
26
|
|
|
27
27
|
## Evidence appendix
|
|
28
28
|
<!-- Source links, customer quotes, related issues, research, and PRDs. -->
|
|
@@ -13,7 +13,7 @@ without becoming a backlog dump.
|
|
|
13
13
|
<!-- Two or three paragraphs. What changed, what matters, and what decision should follow. -->
|
|
14
14
|
|
|
15
15
|
## Evidence base
|
|
16
|
-
<!--
|
|
16
|
+
<!-- Source types, coverage, recency, and known gaps. Grade the evidence (rules/common/research.md §10); for community/sentiment sources note corroboration. Each theme below inherits the strength of the evidence under it — do not report a strong theme on weakly-graded sources. -->
|
|
17
17
|
|
|
18
18
|
## Themes
|
|
19
19
|
<!-- Each theme should include evidence strength, affected personas, representative sources, and counter-signal. -->
|
|
@@ -23,14 +23,16 @@
|
|
|
23
23
|
|
|
24
24
|
## Sources
|
|
25
25
|
|
|
26
|
-
| Title / Path | Class | Date | URL | Verified | Relevance |
|
|
27
|
-
|
|
28
|
-
| {source title or file path} | primary / secondary / tertiary | {YYYY-MM-DD} | {URL or path} | yes / no / n/a | {one-line} |
|
|
26
|
+
| Title / Path | Class | Reliability | Credibility | Date | URL | Verified | Relevance |
|
|
27
|
+
|---|---|---|---|---|---|---|---|
|
|
28
|
+
| {source title or file path} | primary / secondary / tertiary | A–F | 1–6 | {YYYY-MM-DD} | {URL or path} | yes / no / n/a | {one-line} |
|
|
29
29
|
|
|
30
|
-
<!-- Class
|
|
31
|
-
|
|
30
|
+
<!-- Class is relative to the claim (rules/common/research.md §2): community/forum content is
|
|
31
|
+
primary for sentiment/experience claims, tertiary for factual ones.
|
|
32
|
+
- primary: peer-reviewed papers, official docs at exact version, raw source code, standards, company announcements, SEC filings; first-hand accounts for the attitude they express
|
|
32
33
|
- secondary: changelogs, migration guides, tracked issues, maintainer posts, conference talks by authors
|
|
33
|
-
- tertiary: blog posts, forums, Q&A, analyst summaries: for
|
|
34
|
+
- tertiary: blog posts, forums, Q&A, analyst summaries: for factual claims, discovery only
|
|
35
|
+
Reliability (A–F) and Credibility (1–6) are the Admiralty grade (research.md §10); record both, e.g. B2.
|
|
34
36
|
Mark Verified = yes only after fetching the URL and confirming content matches. -->
|
|
35
37
|
|
|
36
38
|
## Findings
|
|
@@ -1,26 +1,51 @@
|
|
|
1
1
|
---
|
|
2
2
|
kind: research-finding
|
|
3
3
|
topic: "<short topic line>"
|
|
4
|
-
confidence:
|
|
4
|
+
confidence: high | medium | low
|
|
5
5
|
sources: []
|
|
6
6
|
created: <ISO timestamp set by construct knowledge add>
|
|
7
|
-
expiresAt: <ISO timestamp, default created + 90d>
|
|
7
|
+
expiresAt: <ISO timestamp, default created + 90d; shorten for fast-moving topics>
|
|
8
8
|
profile: <active profile id>
|
|
9
9
|
---
|
|
10
10
|
|
|
11
|
+
<!--
|
|
12
|
+
A lightweight but rigorous knowledge-store entry. Same evidence standard as a
|
|
13
|
+
research brief, condensed: observation separated from inference, every finding
|
|
14
|
+
cited, confidence tied to source grade, an explicit refresh trigger. See
|
|
15
|
+
rules/common/research.md.
|
|
16
|
+
-->
|
|
17
|
+
|
|
18
|
+
## SOURCES
|
|
19
|
+
|
|
20
|
+
| Title / Path | Class | Reliability | Credibility | Date | URL | Verified |
|
|
21
|
+
|---|---|---|---|---|---|---|
|
|
22
|
+
| {source} | primary / secondary / tertiary | A–F | 1–6 | {YYYY-MM-DD} | {url} | yes / no |
|
|
23
|
+
|
|
11
24
|
## FINDINGS
|
|
12
25
|
|
|
13
|
-
|
|
14
|
-
|
|
26
|
+
<!-- Observation only: what the source states. Each finding cites a source row above. -->
|
|
27
|
+
|
|
28
|
+
- <Finding 1 [source: …]>
|
|
29
|
+
- <Finding 2 [source: …]>
|
|
15
30
|
|
|
16
31
|
## INFERENCES
|
|
17
32
|
|
|
18
|
-
|
|
33
|
+
<!-- What is concluded beyond what any single source says. Labeled as inference, not fact. -->
|
|
34
|
+
|
|
35
|
+
- <Inference, with the findings it rests on>
|
|
36
|
+
|
|
37
|
+
## CONFIDENCE
|
|
38
|
+
|
|
39
|
+
<!-- high / medium / low, with the reasoning: tie it to the Admiralty grade of the sources (research.md §10). high only on A1/A2/B1. Name the strongest counter-evidence. -->
|
|
19
40
|
|
|
20
41
|
## GAPS
|
|
21
42
|
|
|
22
|
-
- <What
|
|
43
|
+
- <What could not be confirmed and would change the conclusion if known>
|
|
23
44
|
|
|
24
45
|
## RECOMMENDATION
|
|
25
46
|
|
|
26
|
-
- <Next action based on the evidence available>
|
|
47
|
+
- <Next action based on the evidence available, and the threshold that would change it>
|
|
48
|
+
|
|
49
|
+
## REFRESH
|
|
50
|
+
|
|
51
|
+
<!-- When this finding should be re-verified: the expiresAt date, or the event that would invalidate it (a new release, a superseding paper). -->
|
package/templates/docs/rfc.md
CHANGED
|
@@ -22,7 +22,19 @@ contract, API, schema, or protocol consumed by other systems.
|
|
|
22
22
|
<!-- What problem or limitation drives this proposal? Include evidence: incidents, performance data, support tickets, developer friction. Explain why the status quo is not acceptable. -->
|
|
23
23
|
|
|
24
24
|
## Proposed design
|
|
25
|
-
<!-- The concrete proposal. Enough detail for reviewers to evaluate feasibility and tradeoffs.
|
|
25
|
+
<!-- The concrete proposal. Enough detail for reviewers to evaluate feasibility and tradeoffs. The sequence below shows the proposed behavior in context — include the happy path and at least one error path. -->
|
|
26
|
+
|
|
27
|
+
```mermaid
|
|
28
|
+
sequenceDiagram
|
|
29
|
+
participant Client
|
|
30
|
+
participant Service
|
|
31
|
+
participant Store
|
|
32
|
+
Client->>Service: request
|
|
33
|
+
Service->>Store: read or write
|
|
34
|
+
Store-->>Service: result
|
|
35
|
+
Service-->>Client: response
|
|
36
|
+
Note over Service,Store: error path — Store unavailable → Service returns degraded response
|
|
37
|
+
```
|
|
26
38
|
|
|
27
39
|
## Tradeoffs and alternatives
|
|
28
40
|
<!-- The other credible designs considered. For each: what it is, why it was not chosen, and under what conditions it would be preferred. No strawmen. -->
|
|
@@ -14,8 +14,27 @@
|
|
|
14
14
|
## Impact
|
|
15
15
|
<!-- Who is affected and how badly. Data loss? Degraded performance? Complete outage? -->
|
|
16
16
|
|
|
17
|
+
## Severity and response
|
|
18
|
+
<!-- Map each severity to the response it triggers: page urgency, comms cadence, and error-budget consequence. A SEV-1 pages immediately and freezes related releases per the error-budget policy (https://sre.google/workbook/error-budget-policy/); a SEV-3 is handled in business hours. -->
|
|
19
|
+
|
|
20
|
+
| Severity | Trigger condition | Page within | Comms | Error budget |
|
|
21
|
+
|----------|-------------------|-------------|-------|--------------|
|
|
22
|
+
| SEV-1 | {full outage / data loss / SLO breach} | 5 min | exec + status page | breach → freeze releases |
|
|
23
|
+
| SEV-2 | {major degradation, workaround exists} | 15 min | team + stakeholders | partial spend |
|
|
24
|
+
| SEV-3 | {minor / single-tenant / cosmetic} | business hours | team channel | none |
|
|
25
|
+
|
|
17
26
|
## Diagnostic steps
|
|
18
|
-
<!-- Ordered checks from cheapest to most expensive. Each step: what to check, how to check it, what the answer means. -->
|
|
27
|
+
<!-- Ordered checks from cheapest to most expensive. Each step: what to check, how to check it, what the answer means. Keep the decision tree below in sync with the steps. -->
|
|
28
|
+
|
|
29
|
+
```mermaid
|
|
30
|
+
flowchart TD
|
|
31
|
+
A[Alert fires] --> B{Error rate elevated?}
|
|
32
|
+
B -->|Yes| C[Check upstream dependency health]
|
|
33
|
+
B -->|No| D{User-visible impact?}
|
|
34
|
+
C --> E[Apply remediation]
|
|
35
|
+
D -->|Yes| C
|
|
36
|
+
D -->|No| F[Monitor and stand down]
|
|
37
|
+
```
|
|
19
38
|
|
|
20
39
|
## Remediation
|
|
21
40
|
<!-- The fix. Step-by-step, with exact commands or UI paths. Include expected output for each step. -->
|
|
@@ -13,7 +13,10 @@ without pretending the requirements are ready.
|
|
|
13
13
|
<!-- One or two paragraphs. What appears to be happening, and where the signal came from. -->
|
|
14
14
|
|
|
15
15
|
## Evidence
|
|
16
|
-
<!-- Cite the concrete notes, tickets, customer quotes, traces, or analytics
|
|
16
|
+
<!-- Cite the concrete notes, tickets, customer quotes, traces, or analytics. Grade each source with its Admiralty reliability/credibility (rules/common/research.md §10); for community sources note corroboration and engagement. The signal strength above should follow from the grades, not precede them. -->
|
|
17
|
+
|
|
18
|
+
## Counter-signal
|
|
19
|
+
<!-- The strongest evidence against the signal, or its absence. A signal no one tried to disconfirm is weaker than it looks. -->
|
|
17
20
|
|
|
18
21
|
## Why it matters
|
|
19
22
|
<!-- What product, customer, or business decision this could affect if the signal strengthens. -->
|