@geraldmaron/construct 1.0.18 → 1.0.20

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (93) hide show
  1. package/README.md +8 -4
  2. package/bin/construct +105 -3
  3. package/db/schema/003_observation_reconciliation.sql +14 -0
  4. package/lib/bootstrap/resources.mjs +0 -1
  5. package/lib/cli-commands.mjs +57 -6
  6. package/lib/comment-lint.mjs +44 -0
  7. package/lib/config/schema.mjs +31 -1
  8. package/lib/contracts/validate.mjs +106 -0
  9. package/lib/decisions/enforced-baseline.json +25 -0
  10. package/lib/decisions/golden.mjs +87 -0
  11. package/lib/decisions/precedence.mjs +46 -0
  12. package/lib/decisions/registry.mjs +469 -0
  13. package/lib/deployment/parity-contract.mjs +148 -0
  14. package/lib/document-ingest.mjs +71 -6
  15. package/lib/embed/cli.mjs +11 -0
  16. package/lib/embed/conflict-detection.mjs +4 -4
  17. package/lib/embed/customer-profiles.mjs +1 -1
  18. package/lib/embed/reconcile.mjs +60 -0
  19. package/lib/embedded-contract/capability.mjs +3 -3
  20. package/lib/embedded-contract/contract-version.mjs +1 -1
  21. package/lib/embedded-contract/execution.mjs +184 -0
  22. package/lib/embedded-contract/index.mjs +16 -0
  23. package/lib/embedded-contract/ingest.mjs +61 -7
  24. package/lib/gates-audit.mjs +2 -2
  25. package/lib/hooks/_lib/output-mode.mjs +101 -0
  26. package/lib/hooks/config-protection.mjs +22 -3
  27. package/lib/hooks/guard-bash.mjs +1 -1
  28. package/lib/hooks/session-start.mjs +13 -1
  29. package/lib/ingest/provider-extract.mjs +200 -0
  30. package/lib/ingest/strategy.mjs +95 -0
  31. package/lib/init-docs.mjs +1 -0
  32. package/lib/mcp/server.mjs +72 -4
  33. package/lib/mcp/tools/embedded-contract.mjs +17 -1
  34. package/lib/mode-commands.mjs +6 -8
  35. package/lib/observation-store.mjs +16 -2
  36. package/lib/opencode-telemetry.mjs +1 -1
  37. package/lib/orchestration/run-store.mjs +82 -0
  38. package/lib/orchestration/runtime.mjs +240 -0
  39. package/lib/roles/cli.mjs +10 -2
  40. package/lib/roles/gateway.mjs +50 -1
  41. package/lib/scheduler/index.mjs +31 -0
  42. package/lib/server/index.mjs +13 -3
  43. package/lib/server/static/index.html +1 -1
  44. package/lib/setup.mjs +6 -0
  45. package/lib/storage/hybrid-query.mjs +49 -38
  46. package/lib/storage/rrf.mjs +42 -0
  47. package/lib/storage/vector-client.mjs +18 -3
  48. package/lib/telemetry/backends/local.mjs +1 -1
  49. package/lib/telemetry/skill-calls.mjs +1 -1
  50. package/lib/templates/visual-requirements.mjs +84 -0
  51. package/package.json +10 -1
  52. package/rules/common/comments.md +3 -0
  53. package/rules/common/no-fabrication.md +3 -0
  54. package/rules/common/precedence.md +19 -0
  55. package/rules/common/research-sources.md +32 -0
  56. package/rules/common/research.md +59 -2
  57. package/skills/roles/data-engineer.pipeline.md +13 -1
  58. package/skills/roles/debugger.md +9 -0
  59. package/skills/roles/designer.accessibility.md +13 -3
  60. package/skills/roles/designer.md +10 -0
  61. package/skills/roles/engineer.platform.md +8 -0
  62. package/skills/roles/operator.md +10 -1
  63. package/skills/roles/operator.release.md +8 -0
  64. package/skills/roles/operator.sre.md +10 -1
  65. package/skills/roles/orchestrator.md +9 -2
  66. package/skills/roles/product-manager.business-strategy.md +10 -1
  67. package/skills/roles/researcher.explorer.md +12 -1
  68. package/skills/roles/researcher.ux.md +13 -1
  69. package/skills/roles/reviewer.devil-advocate.md +14 -2
  70. package/skills/roles/reviewer.evaluator.md +17 -4
  71. package/skills/roles/reviewer.trace.md +12 -1
  72. package/skills/roles/security.legal-compliance.md +8 -0
  73. package/skills/roles/security.md +11 -0
  74. package/specialists/contracts.json +18 -0
  75. package/specialists/prompts/cx-researcher.md +4 -2
  76. package/templates/docs/backlog-proposal.md +1 -1
  77. package/templates/docs/customer-profile.md +1 -1
  78. package/templates/docs/evidence-brief.md +5 -1
  79. package/templates/docs/incident-report.md +37 -21
  80. package/templates/docs/prfaq.md +2 -2
  81. package/templates/docs/product-intelligence-report.md +1 -1
  82. package/templates/docs/research-brief.md +8 -6
  83. package/templates/docs/research-finding.md +32 -7
  84. package/templates/docs/rfc.md +13 -1
  85. package/templates/docs/runbook.md +20 -1
  86. package/templates/docs/signal-brief.md +4 -1
  87. package/templates/docs/skill-artifact.md +27 -7
  88. package/templates/docs/strategy.md +23 -2
  89. package/lib/bootstrap/lazy-install.mjs +0 -161
  90. package/lib/embed/jobs/vector-sync.mjs +0 -198
  91. package/lib/knowledge/postgres-search.mjs +0 -132
  92. package/lib/services/pattern-promotion-service.mjs +0 -167
  93. package/lib/storage/unified-storage.mjs +0 -550
@@ -0,0 +1,32 @@
1
+ ---
2
+ description: Per-domain community starting points for sentiment and signal research.
3
+ enforced_by: rules/common/research.md
4
+ adr_reference: ADR-0017
5
+ ---
6
+ # Community source catalog
7
+
8
+ Starting points for **community signal** — sentiment, demand, friction, adoption experience — organized by research domain. These complement, never replace, the authoritative starting points in [research.md §2](research.md). Community sources are admissible only under the §10 checklist, and only for sentiment/experience claims (a source's class is relative to the claim — see research.md §2).
9
+
10
+ Treat every entry as a starting point, not a settled citation: confirm the venue is still active and record the post date and Admiralty grade (research.md §4, §10) before any community source becomes load-bearing.
11
+
12
+ | Domain | Reddit | Other community venues |
13
+ |---|---|---|
14
+ | AI tools, LLMs, agents | r/LocalLLaMA, r/MachineLearning, r/LanguageTechnology | Hacker News (Show HN / Ask HN), arXiv-sanity discussions, vendor Discords |
15
+ | Developer tools, IDEs, languages | r/programming, r/webdev, r/javascript, r/Python, r/rust, r/golang | Stack Overflow (by tag) + the annual Developer Survey, Hacker News, Lobsters |
16
+ | DevOps, platform, reliability | r/devops, r/sre, r/kubernetes, r/Terraform | CNCF Slack, Hacker News, platform vendor Discords |
17
+ | Security, vulnerabilities | r/netsec, r/cybersecurity, r/AskNetsec | HackerOne / Bugcrowd public disclosures, OSS-Security mailing list, Hacker News |
18
+ | Cloud infra, APIs, SDKs | r/aws, r/AZURE, r/googlecloud | Vendor community forums, provider Discords, Stack Overflow tags |
19
+ | Data / ML engineering | r/dataengineering, r/MachineLearning, r/datascience | dbt Community Slack, Hacker News |
20
+ | Product, market, adoption | r/SaaS, r/ProductManagement, r/startups | Hacker News (launches), Product Hunt discussion |
21
+ | Regulatory, compliance, privacy | r/privacy, r/gdpr | IAPP community forums (primary regulation text remains the authority) |
22
+
23
+ ## How to read community signal
24
+
25
+ - **Corroboration over volume from one place.** The same pain point raised independently across multiple threads or subreddits is stronger than one viral post.
26
+ - **Engagement is evidence of resonance, not of truth.** High upvotes mean many people relate to the sentiment; they do not make a factual claim in the post true.
27
+ - **Recency matters most for fast-moving domains** (research.md §1) — a frustration from two years ago may already be resolved.
28
+ - **Record the grade.** Community sentiment sources are typically `D`–`F` on reliability; they reach `1`–`2` on credibility only when cross-corroborated. Do not inflate.
29
+
30
+ ## References
31
+
32
+ - [Reddit](https://www.reddit.com), [Hacker News](https://news.ycombinator.com), [Stack Overflow Developer Survey](https://survey.stackoverflow.co)
@@ -29,6 +29,17 @@ Use the narrowest, most authoritative starting point for the research domain:
29
29
 
30
30
  Tertiary sources (blogs, forums, Q&A, AI-generated summaries) may help locate primaries. They are not sufficient evidence for load-bearing claims.
31
31
 
32
+ For where to look for community signal by domain, see [research-sources.md](research-sources.md).
33
+
34
+ ### Source class is relative to the claim
35
+
36
+ A source's class is not fixed — it depends on what the claim is about. The same artifact can be primary for one claim and tertiary for another.
37
+
38
+ - A Reddit thread is **tertiary** for "what does API X do" (the spec is primary), but **primary** for "developers report friction with API X's DX" — a first-hand account is primary evidence of the attitude it expresses.
39
+ - A vendor blog post is **secondary** for a feature's behavior (the docs/source are primary), but **primary** for "the vendor publicly committed to X on date Y."
40
+
41
+ Classify by the claim. For sentiment, demand, adoption-experience, and friction claims, community and forum content is admissible primary evidence under the conditions in §10. For factual, version, security, pricing, and compatibility claims, community content stays tertiary — locate the primary.
42
+
32
43
  ## 3. Start order
33
44
 
34
45
  Start with the narrowest authoritative source that can answer the question:
@@ -52,7 +63,8 @@ Start with the narrowest authoritative source that can answer the question:
52
63
  Record:
53
64
 
54
65
  - source title or path
55
- - source class: internal, primary, secondary, or tertiary
66
+ - source class: internal, primary, secondary, or tertiary (for the specific claim — see §2)
67
+ - Admiralty grade: source reliability `A`–`F` and information credibility `1`–`6` (see §10), recorded together, e.g. `B2`
56
68
  - version or revision when applicable
57
69
  - publication date, release date, or access date
58
70
  - why this source is relevant
@@ -119,7 +131,52 @@ Research outputs should include:
119
131
 
120
132
  Every substantive finding should point to a verified source path, URL, or document reference.
121
133
 
122
- ## 10. Anti-patterns
134
+ ## 10. Community sources, credibility grading, and signal
135
+
136
+ Community sources (Reddit, Stack Overflow, Hacker News, Discord, GitHub Discussions) are admissible as **primary evidence of sentiment, demand, friction, and adoption experience** (§2) — never as evidence for factual, version, security, pricing, or compatibility claims, where the primary must be located.
137
+
138
+ ### Admissibility checklist
139
+
140
+ A community source supports a load-bearing sentiment/demand claim only when:
141
+
142
+ - the venue is identified (which subreddit/tag/thread) and the post date is recorded;
143
+ - the signal is corroborated — multiple independent threads/posts, or one high-engagement thread (substantial upvotes and a comment consensus), not a single low-engagement post;
144
+ - it is recent enough for the topic's pace (§1);
145
+ - the claim is about expressed experience or opinion, not a fact the poster is merely repeating.
146
+
147
+ A single anonymous low-engagement post is noise. Cross-thread agreement, repeated independently-raised pain points, and high-engagement consensus are signal. State which you have.
148
+
149
+ ### Admiralty grade
150
+
151
+ Grade every source on two independent axes, adapted from the NATO Admiralty Code, and record them together (e.g. `A1`, `B2`, `D4`). The axes are independent: a usually-reliable source can carry improbable information (`B5`), and an unreliable source can report something independently confirmed (`E1`).
152
+
153
+ Source reliability:
154
+
155
+ | Grade | Meaning |
156
+ |---|---|
157
+ | A | Completely reliable — authoritative primary, history of reliability (official docs, standards, peer-reviewed) |
158
+ | B | Usually reliable — minor doubt (reputable vendor docs, established maintainers) |
159
+ | C | Fairly reliable — some doubt, valid in the past (reputable secondary reporting) |
160
+ | D | Not usually reliable — significant doubt (unvetted blogs, single-author claims) |
161
+ | E | Unreliable — history of invalid information |
162
+ | F | Cannot be judged — no basis to evaluate (anonymous, no track record) |
163
+
164
+ Information credibility:
165
+
166
+ | Grade | Meaning |
167
+ |---|---|
168
+ | 1 | Confirmed by other independent sources; consistent with known information |
169
+ | 2 | Probably true — not confirmed, but logical and consistent |
170
+ | 3 | Possibly true — not confirmed, reasonably logical, partial agreement |
171
+ | 4 | Doubtful — not confirmed, possible but not logical, uncorroborated |
172
+ | 5 | Improbable — contradicted by other information |
173
+ | 6 | Cannot be judged — insufficient basis |
174
+
175
+ Confidence mapping: a load-bearing claim may be stated `high` only on `A1`/`A2`/`B1`; `medium` on `B2`/`C2`/`C3`; otherwise `low`. Community sentiment sources are typically `D`–`F` on reliability but can reach `1`–`2` on credibility when cross-corroborated — record both honestly rather than inflating the claim.
176
+
177
+ References: [NATO Admiralty Code](https://en.wikipedia.org/wiki/Admiralty_code), [primary-source definition](https://en.wikipedia.org/wiki/Primary_source).
178
+
179
+ ## 11. Anti-patterns
123
180
 
124
181
  Do not:
125
182
 
@@ -31,8 +31,20 @@ Additional failure modes on top of the data engineer core.
31
31
  **Why it fails**: data breaks at the consumer boundary.
32
32
  **Counter-move**: publish contracts and run compatibility checks before deploy.
33
33
 
34
+ ## Methodology
35
+
36
+ The monitors above tell you a job broke; lineage and SLAs tell you what it broke and whether that matters.
37
+
38
+ **Lineage.** Every dataset should trace column-to-column from source to consumer, so that when a value is wrong you can answer "what fed this" and "what depends on this" without log archaeology. Capture lineage as metadata (which job, which inputs, which transform), not tribal knowledge; it is what makes an incident's blast radius computable.
39
+
40
+ **Data SLAs / SLOs.** A pipeline without a stated freshness and completeness target has no definition of "broken." Set an SLA per consumed dataset (e.g. "fresh within 1h, 99.5% of rows present") and alert against the SLO, not against raw job status — a job that "succeeded" but delivered half the rows is a breach. Tie the SLA to the consumer's actual decision cadence, not to convenience.
41
+
42
+ **Observability maturity.** Progress from "is the job green" → "is the data fresh and complete" → "is the distribution sane" (volume/null-rate/value drift). The last catches the silent corruption the first two miss.
43
+
34
44
  ## Self-check before shipping
35
45
  - [ ] Reruns, retries, and backfills are idempotent
36
- - [ ] Freshness, volume, schema, latency, and error monitors exist
46
+ - [ ] Column-level lineage from source to consumer is captured as metadata
47
+ - [ ] A freshness/completeness SLA exists per consumed dataset; alerts fire on SLO breach, not just job failure
48
+ - [ ] Distribution monitors (volume, null-rate, value drift) exist, not just success/failure
37
49
  - [ ] Data contracts and compatibility tests are present
38
50
  - [ ] Ownership and runbook are clear
@@ -57,6 +57,15 @@ Load this before drafting. These are the failure modes that separate strong role
57
57
  **Why it fails**: the same bug returns in six months, silently.
58
58
  **Counter-move**: add a test that fails against the broken code and passes against the fix. Keep it.
59
59
 
60
+ ## Methodology
61
+
62
+ Root cause is found by building a causal chain, not by guessing:
63
+
64
+ - **Earliest anomaly first**, then work *forward* along cause→effect. The first error in the log is usually an effect; trace upstream to the first place reality diverged from expectation.
65
+ - **Five whys, but each "why" is a tested link, not a story.** "Null pointer → the cache was empty → the warmer never ran → its trigger was disabled → the deploy disabled it." Every arrow must be confirmed by evidence (a log, a value, a repro), or the chain is fiction.
66
+ - **Distinguish the trigger from the root cause** (as in a postmortem): the input that set it off vs. the system condition that let that input cause harm. Fix the root cause; note the trigger.
67
+ - **Stop at the deepest link you can change.** Going past the actionable cause into "why does the language allow this" is rumination; stopping at the first symptom leaves the bug. The root cause is the earliest link whose change prevents recurrence.
68
+
60
69
  ## Self-check before shipping
61
70
 
62
71
  - [ ] Cause stated in one sentence before the fix
@@ -37,8 +37,18 @@ Additional failure modes on top of the designer core.
37
37
  **Why it fails**: triggers vestibular disorders; drives users away.
38
38
  **Counter-move**: honor `prefers-reduced-motion`. Provide pause controls for any auto-playing content.
39
39
 
40
+ ## Methodology
41
+
42
+ Automated checks (axe, Lighthouse) catch perhaps a third of WCAG issues; the rest are found by use, not by scan:
43
+
44
+ - **Test with a real screen reader**, not just the accessibility tree — drive the flow with VoiceOver or NVDA and confirm the announced order, labels, and state changes make sense aurally. The DOM can be valid while the spoken experience is incoherent.
45
+ - **Keyboard-only, full task**: complete the whole task with no pointer. Watch focus order, visible focus, and focus traps (modals must trap and restore focus). A reachable control that focus never lands on is unreachable.
46
+ - **Cover the four POUR principles** (Perceivable, Operable, Understandable, Robust) against WCAG 2.x AA — not just contrast and alt text. Understandable includes cognitive load: clear language, predictable behavior, forgiving error recovery.
47
+ - **Test at 200% zoom and with reduced-motion set**; reflow and motion are where "looks accessible" breaks.
48
+
40
49
  ## Self-check before shipping
41
- - [ ] Keyboard-only path tested for every interactive element
42
- - [ ] Screen-reader output verified
50
+ - [ ] Keyboard-only path completes the full task; focus order, visible focus, and traps checked
51
+ - [ ] Screen-reader output verified by listening (VoiceOver/NVDA), not just the a11y tree
52
+ - [ ] WCAG 2.x AA across POUR, including cognitive load — not only contrast/alt text
53
+ - [ ] Tested at 200% zoom and with reduced-motion
43
54
  - [ ] Semantic HTML first; ARIA only where needed
44
- - [ ] Reduced-motion path exists and is tested
@@ -58,8 +58,18 @@ Load this before drafting. These are the failure modes that separate strong role
58
58
  **Why it fails**: the product feels inconsistent even when individual screens are fine. Engineering cannot implement cleanly.
59
59
  **Counter-move**: name the tokens. space, color, type, radius, motion. before designing. Use them.
60
60
 
61
+ ## Methodology
62
+
63
+ Design at the system level, not the screen level:
64
+
65
+ - **Compose, don't draw.** Build from tokens → primitives → components → patterns (atomic design): a screen is an assembly of reused components, not a bespoke canvas. A new one-off where a component exists is debt; a new component should earn its place by appearing in ≥2 contexts.
66
+ - **States are part of the component, not an afterthought.** Each component specifies its empty, loading, error, disabled, and populated states up front — the happy state alone is an incomplete design.
67
+ - **Tokens carry meaning.** Name tokens by role (`color.text.danger`), not by value (`red-600`), so a theme or rebrand changes one definition, not every usage.
68
+ - **Maturity check**: ad-hoc styles → shared components → a governed design system with usage docs and contribution rules. Name the current rung; "we have a component library" with widespread one-offs is rung two.
69
+
61
70
  ## Self-check before shipping
62
71
 
72
+ - [ ] New UI composed from existing tokens/components; new components justified by reuse
63
73
  - [ ] Visual direction is explicit, not default
64
74
  - [ ] Empty / loading / error states designed as first-class
65
75
  - [ ] Primary actions visible at rest, not hover-gated
@@ -42,8 +42,16 @@ Additional failure modes on top of the engineer core.
42
42
  **Why it fails**: platform surface area compounds blast radius. one leaked token touches every repo.
43
43
  **Counter-move**: treat platform secrets as production secrets. Rotate, scope-minimize, and audit.
44
44
 
45
+ ## Methodology
46
+
47
+ **IaC maturity.** Infrastructure should climb a ladder: manual → scripted → declarative (Terraform/Pulumi) → declarative + policy-as-code + drift detection. The rung that matters is the last: state is reconciled (no manual console changes survive) and drift between declared and actual is detected and alerted, not discovered during an incident. Name the current rung honestly; "we have some Terraform" alongside hand-edited resources is rung two, not four.
48
+
49
+ **Supply chain.** Every build emits an SBOM (software bill of materials) so a new CVE can be answered with "are we affected, where" in minutes, not a manual audit. Pin and verify dependencies (lockfiles, checksums, ideally signed provenance), and run the dependency/CVE audit in CI as a gate, not a report. The platform's blast radius is every repo it serves — a compromised build step is the highest-leverage attack.
50
+
45
51
  ## Self-check before shipping
46
52
  - [ ] First consumer migrated and measured
53
+ - [ ] Infra is declarative with drift detection; no surviving manual changes
54
+ - [ ] Build emits an SBOM; dependencies pinned/verified; CVE audit gates CI
47
55
  - [ ] Deprecation window respected for any breaking change
48
56
  - [ ] Failure diagnostics and artifacts preserved
49
57
  - [ ] Build-time and cost deltas measured
@@ -69,10 +69,19 @@ Load this before producing operator output. SRE, ops, release, and durable-knowl
69
69
 
70
70
  **Why it fails**: no systematic comparison between planned work (documents) and actual work (tickets). Gaps accumulate silently until delivery dates slip.
71
71
 
72
- **Counter-move**: run periodic gap analysis: query strategy/PRDs/RFCs from knowledge base, compare with Jira tickets via search, identify missing tickets. Create补缺 tickets automatically (or queue for approval). Treat "execution gap" as a first-class risk signal.
72
+ **Counter-move**: run periodic gap analysis: query strategy/PRDs/RFCs from knowledge base, compare with Jira tickets via search, identify missing tickets. Create gap-filling tickets automatically (or queue for approval). Treat "execution gap" as a first-class risk signal.
73
+
74
+ ## Methodology
75
+
76
+ Sequencing work is a calculation, not a vibe:
77
+
78
+ - **Critical path.** Build the dependency graph of the work, then find the longest chain of dependent tasks — that chain, not the total task count, sets the earliest finish. Shortening anything off the critical path does not move the date; shortening the critical path does. Re-find it after every scope change, because it moves.
79
+ - **Slack.** Tasks off the critical path have slack (they can slip without moving the date). Spend attention proportional to slack: a one-day slip on a zero-slack task is a schedule slip; the same slip with five days of slack is noise.
80
+ - **Resource leveling.** Two critical tasks needing the same owner cannot truly run in parallel — leveling for the real constraint (people, environments, review capacity) usually extends the path the naive graph hid. Sequence to the actual bottleneck.
73
81
 
74
82
  ## Self-check before shipping
75
83
 
84
+ - [ ] Critical path identified; the date is driven by it, not by task count
76
85
  - [ ] Each runbook step names its purpose and expected output
77
86
  - [ ] Rollback is a tested, first-class plan with trigger criteria
78
87
  - [ ] Every alert is actionable; non-actionable signals moved to dashboards
@@ -37,8 +37,16 @@ Additional failure modes on top of the operator core.
37
37
  **Why it fails**: regressions show up 30–60 minutes in; if nobody is watching, they compound.
38
38
  **Counter-move**: define the post-release watch window (metrics + duration) before pushing. Hold the release until it's clean.
39
39
 
40
+ ## Methodology
41
+
42
+ **Progressive delivery.** Ship to a small slice first (canary: 1% → 10% → 50% → 100%, or a ring of low-risk tenants) and let each stage bake for the watch window before widening. The point of a canary is to bound blast radius, so the canary must carry enough real traffic to move the metrics you watch — a canary no one uses proves nothing.
43
+
44
+ **Make rollback a decision rule, not a judgment call.** Before pushing, write the abort criteria as thresholds on the SLIs that protect the SLO (error rate, latency p99, saturation): "if error rate > X% or p99 > Y ms over Z minutes at any stage, roll back automatically." Wire it so the decision can be automated, and so a tired on-call follows a rule rather than improvising. Roll back, then diagnose — never the reverse.
45
+
40
46
  ## Self-check before shipping
41
47
  - [ ] Release is the smallest deployable increment
48
+ - [ ] Staged/canary rollout with a bake window per stage; canary carries real traffic
49
+ - [ ] Abort criteria written as SLI thresholds before push; rollback automatable
42
50
  - [ ] Rollback path documented and tested
43
51
  - [ ] Core release-facing docs landed with code and match shipped behavior
44
52
  - [ ] Post-release watch window defined and staffed
@@ -37,8 +37,17 @@ Additional failure modes on top of the operator core.
37
37
  **Why it fails**: the same incident repeats. Teams lose trust in the process.
38
38
  **Counter-move**: every corrective action has an owner, a ticket, and a target date. Review completion in the next monthly.
39
39
 
40
+ ## Methodology
41
+
42
+ The error-budget policy is the mechanism that makes an SLO consequential ([Google SRE](https://sre.google/workbook/error-budget-policy/)):
43
+
44
+ - The budget is `1 − SLO` over a window (99.9% over 28 days ≈ 43 min of allowed downtime). It is spent by every failure, planned or not.
45
+ - **Burn rate** is how fast the budget is being consumed relative to the window. Alert on burn rate with **multi-window** thresholds — a fast-burn alert (e.g. 2% of budget in 1 hour) pages now; a slow-burn alert (e.g. 10% over a few days) opens a ticket. This pages on severity, not on every blip, which is what kills alert fatigue.
46
+ - **The policy is written before the breach**: when the budget is exhausted, feature releases freeze and reliability work takes priority until it recovers; name the exceptions (infra failures, third-party) and who can override. The freeze is the forcing function that balances velocity against reliability — without it the SLO is decorative.
47
+
40
48
  ## Self-check before shipping
41
49
  - [ ] Every alert links to a runbook
42
- - [ ] SLOs have an explicit error-budget policy
50
+ - [ ] SLOs have an explicit, written-before-breach error-budget policy (freeze trigger, exceptions, owner)
51
+ - [ ] Burn-rate alerting uses multi-window thresholds (fast-burn pages, slow-burn ticket)
43
52
  - [ ] Dashboards are incident-shaped, not metric-dumps
44
53
  - [ ] Post-mortem actions are owned and dated
@@ -57,10 +57,17 @@ Use this as a fast dispatch checklist before producing orchestration output.
57
57
  - Symptom: large reads just to decide who should work.
58
58
  - Counter: probe with search, glob, or small reads first.
59
59
 
60
+ ## Sequencing methodology
61
+
62
+ - **Graph first**: map each specialist's input→output; parallelize only when no input is another's output. "All parallel"/"all sequential" both mean the graph was skipped.
63
+ - **Waves**: dispatch the set whose inputs are satisfied; the next starts at the slowest member's landing. Minimize waves, not specialists.
64
+ - **Critical path**: total time is the longest dependency chain, not the headcount. On-path specialists delay everything downstream.
65
+ - **Bound fan-out**: cap concurrent dispatch to what the consumer can absorb.
66
+
60
67
  ## Ship Check
61
68
 
62
- - Request classified.
63
- - Smallest adequate path selected.
69
+ - Request classified; smallest adequate path selected.
70
+ - Dependency graph drawn; specialists grouped into the fewest waves; critical path identified.
64
71
  - Handoffs have distinct ownership.
65
72
  - Blockers and user questions surfaced.
66
73
  - Original ask still matches final output.
@@ -37,8 +37,17 @@ Additional failure modes on top of the product-manager core.
37
37
  **Why it fails**: two products with identical features but different economics compete very differently.
38
38
  **Counter-move**: for each competitor, model the business (unit economics, distribution, defensibility) not just the surface.
39
39
 
40
+ ## Methodology
41
+
42
+ Two frameworks turn "market thesis" from intuition into analysis:
43
+
44
+ **Structural analysis (Porter's Five Forces).** Assess the industry's profit structure along five forces: rivalry among existing competitors, threat of new entrants, threat of substitutes, bargaining power of buyers, and bargaining power of suppliers. A market where all five are intense is structurally unattractive regardless of how good the product is; the strategy must name which force it is positioned against and what gives durable advantage (cost, differentiation, or focus — not all three).
45
+
46
+ **Scenario planning.** The future is not a point estimate. Identify the two or three uncertainties that most affect the bet (e.g. "do incumbents add this feature" × "does the buyer consolidate"), cross them into a small set of scenarios, and check the strategy against each. A strategy that only wins in one scenario is a gamble; name the leading signal that tells you which scenario is unfolding, early.
47
+
40
48
  ## Self-check before shipping
41
49
  - [ ] Rejected alternatives stated
42
- - [ ] Market thesis explicit
50
+ - [ ] Market thesis explicit, with the dominant Porter force named
51
+ - [ ] Strategy checked against 2–3 scenarios, not a single forecast
43
52
  - [ ] Falsification criterion and revisit threshold declared
44
53
  - [ ] Competitive analysis covers economics, not just features
@@ -37,8 +37,19 @@ Additional failure modes on top of the researcher core.
37
37
  **Why it fails**: burns the consumer's time and context window; the answer drowns in tangent.
38
38
  **Counter-move**: answer the question asked. Link supporting material; don't inline it unless asked.
39
39
 
40
+ ## Methodology
41
+
42
+ Explore by following the graph, not by grepping until something looks right:
43
+
44
+ - **Entry points first**: find where execution starts (CLI dispatch, route table, main, test setup) and trace *forward* along the call graph to the code in question. This locates the real path instead of a same-named decoy.
45
+ - **Both directions**: for a symbol, find its definition and its *callers* (who depends on this) — the blast radius of a change is the caller set, and missing it is how "small" changes break distant things.
46
+ - **Triangulate before concluding**: confirm a behavior from at least two of {the code, a test that exercises it, a config that wires it}. A single grep hit is a lead, not a conclusion.
47
+ - **Name the seams**: report where control crosses module/process/service boundaries; that is where the question usually actually lives.
48
+
40
49
  ## Self-check before shipping
50
+ - [ ] Traced from an entry point along the call graph, not from an isolated grep hit
51
+ - [ ] Both definition and callers (dependency blast radius) identified
52
+ - [ ] Behavior triangulated across code + test/config, not a single match
41
53
  - [ ] Every claim cites a path, ideally with a line
42
54
  - [ ] Function behavior verified from the body, not the name
43
- - [ ] Searched multiple naming variants and entry points
44
55
  - [ ] Response scoped to the question asked
@@ -37,8 +37,20 @@ Additional failure modes on top of the researcher core.
37
37
  **Why it fails**: collapses the problem-space exploration into a solution bias; design has less room to iterate.
38
38
  **Counter-move**: report the problem (friction, confusion, unmet need). Let design own the solution.
39
39
 
40
+ ## Methodology
41
+
42
+ The failure modes above are what to avoid. This is the rigor a senior UX researcher brings.
43
+
44
+ **Validity — name the threat.** Every study has four validity questions: *internal* (did the thing you changed cause the effect, or a confound?), *external* (does it generalize beyond these participants/tasks?), *construct* (does the measure capture the concept, or a proxy?), and *conclusion* (is the difference real or noise?). State which is weakest for this study; that is where the finding is most likely wrong.
45
+
46
+ **Sampling.** Sample size follows the claim, not the calendar. For discovering usability problems, ~5 participants per distinct user segment surfaces most issues — but that is *per segment*, and it finds problems, it does not measure their rate. Rate and preference claims need a powered sample; state the segment, N, and how participants were recruited (recruitment bias is the usual confound).
47
+
48
+ **Inter-rater reliability.** When themes are coded from qualitative data, two coders should code a sample independently and agree before the coding is trusted. Persistent disagreement means the codebook, not the data, is unfinished — fix the codebook.
49
+
40
50
  ## Self-check before shipping
41
51
  - [ ] Questions focus on past behavior, not hypothetical future
42
52
  - [ ] Observed behavior weighted over self-report
43
- - [ ] Sample size stated for every claim
53
+ - [ ] Weakest validity threat (internal/external/construct/conclusion) named
54
+ - [ ] Sample size and segment stated for every claim; recruitment noted
55
+ - [ ] Themes coded with inter-rater agreement, not a single coder
44
56
  - [ ] Findings describe problems, not prescribe solutions
@@ -37,8 +37,20 @@ Additional failure modes on top of the reviewer core.
37
37
  **Why it fails**: slows down learning that should be fast; teams stop bringing you early ideas.
38
38
  **Counter-move**: classify the decision on the reversibility axis first. Calibrate pushback accordingly.
39
39
 
40
+ ## Methodology
41
+
42
+ Beyond ad-hoc objection, run the plan through a structured failure-mode pass (FMEA — failure mode and effects analysis):
43
+
44
+ - For each component or step, ask *how could this fail* (the failure mode), *what happens when it does* (effect), and *why might it happen* (cause).
45
+ - Score each on three axes 1–10: **severity** (how bad the effect), **occurrence** (how likely the cause), **detection** (how likely you'd catch it before harm — high score = hard to detect). Their product is the **risk priority number (RPN)**.
46
+ - Rank by RPN, not by which objection came to mind first. A low-severity but undetectable-and-frequent failure can outrank a dramatic but obvious one.
47
+ - The highest-RPN modes are where the plan needs a mitigation or a detection point before it ships; explicitly mark the rest "acknowledge but proceed."
48
+
49
+ This turns "this seems risky" into a ranked, defensible list the author can act on.
50
+
40
51
  ## Self-check before shipping
41
- - [ ] Each objection names a concrete scenario
52
+ - [ ] Each objection names a concrete scenario (failure mode + effect + cause)
42
53
  - [ ] At least three categories of risk covered
43
- - [ ] Objections ranked by severity
54
+ - [ ] Objections ranked by RPN (severity × occurrence × detection), not recency
55
+ - [ ] Highest-RPN modes have a mitigation or detection point
44
56
  - [ ] Reversibility of the decision assessed
@@ -37,8 +37,21 @@ Additional failure modes on top of the reviewer core.
37
37
  **Why it fails**: can't tell which change did what; can't roll back specifically if quality regresses.
38
38
  **Counter-move**: change one variable at a time. Pin the others.
39
39
 
40
+ ## Methodology
41
+
42
+ The failure modes above are what to avoid. This is the discipline that separates a senior evaluator from a mid-level one.
43
+
44
+ **Rubric design.** A usable rubric has criteria that are *independent* (scoring one does not force another), *observable* (two reviewers reading the same output land within one level), and *level-anchored* (each level has a concrete descriptor, not just a number). Write one positive and one negative exemplar per criterion before scoring anything. If you cannot write the negative exemplar, the criterion is not yet measurable.
45
+
46
+ **Ground truth.** A score is only as good as the labels it is measured against. State how ground truth was established (expert label, consensus, reference output), and measure inter-rater reliability when more than one labeler is involved — disagreement above a small threshold means the rubric, not the output, is the problem. Resolve disagreements by tightening the rubric, not by averaging.
47
+
48
+ **False positives vs false negatives.** Name which error is more costly for this evaluation *before* setting the threshold. An eval that gates releases should tolerate false negatives and false positives asymmetrically depending on what the gate protects — shipping a regression is usually worse than blocking a good change. State the asymmetry; a single accuracy number hides it.
49
+
50
+ **Statistical significance.** Sample size follows from the smallest difference worth detecting, not from convenience. Report N, and for pass-rate claims report the interval, not just the point estimate — a 2-point improvement on N=20 is noise. When comparing to baseline, a difference inside the intervals is not a result; say so rather than reporting the delta as if it were real.
51
+
40
52
  ## Self-check before shipping
41
- - [ ] Rubric declared before scoring
42
- - [ ] Sample size reported and defensible
43
- - [ ] Baseline comparison included
44
- - [ ] One variable changed per run; others pinned
53
+ - [ ] Rubric declared before scoring, with a positive and negative exemplar per criterion
54
+ - [ ] Ground-truth basis stated; inter-rater reliability checked when multiple labelers
55
+ - [ ] False-positive vs false-negative cost asymmetry named before the threshold was set
56
+ - [ ] Sample size justified by the smallest meaningful difference; interval reported, not just point estimate
57
+ - [ ] Baseline comparison included; one variable changed per run, others pinned
@@ -37,8 +37,19 @@ Additional failure modes on top of the reviewer core.
37
37
  **Why it fails**: the final output may mask a degraded path that costs time, money, or reliability.
38
38
  **Counter-move**: examine the full tool-call chain. Flag any failure, retry, or fallback.
39
39
 
40
+ ## Methodology
41
+
42
+ Treat fleet scores as a process to monitor, not a number to eyeball (statistical process control):
43
+
44
+ - Establish a **baseline** distribution — mean and standard deviation of the score over a stable window — before calling anything a regression.
45
+ - A run is out of control when it crosses a **control limit** (commonly ~3σ from the mean) or shows a non-random pattern (e.g. several consecutive points drifting one direction). A single point inside the limits is noise, not signal — do not chase it.
46
+ - Separate **common-cause** variation (inherent noise; do not react per-point) from **special-cause** variation (a real shift; investigate). Reacting to common-cause noise — "tampering" — makes variance worse.
47
+ - Watch the **variance**, not just the median: a stable median can hide a widening spread where a subset of agents is failing. Report the spread alongside the central tendency.
48
+
40
49
  ## Self-check before shipping
41
- - [ ] Judged against a sampled distribution, not one trace
50
+ - [ ] Judged against a sampled distribution with a baseline mean and spread
51
+ - [ ] Out-of-control points distinguished from common-cause noise (no tampering)
52
+ - [ ] Variance reported, not just the median
42
53
  - [ ] Each issue cites a specific span or tool call
43
54
  - [ ] Latency and quality reported separately
44
55
  - [ ] Full tool-call chain examined
@@ -42,7 +42,15 @@ Additional failure modes on top of the security core.
42
42
  **Why it fails**: contaminates the license of the whole product; costly to unwind later.
43
43
  **Counter-move**: automated license scan in CI; allowlist policy per product tier.
44
44
 
45
+ ## Methodology
46
+
47
+ **Map obligations to controls through a risk register, not a checklist.** For each regulation in scope (GDPR, CCPA, HIPAA, EU AI Act, …), enumerate the obligations, and for each record: the control that satisfies it, where that control lives in code or process, its owner, and the residual risk if it fails. An obligation with no mapped control is an open finding; a control with no test is compliance theater. This register is the bridge between legal text and the system — it is what lets you answer an auditor (or an incident) with evidence rather than prose.
48
+
49
+ **Frame risk in business terms.** Rate each gap by likelihood × impact, where impact spans regulatory penalty, contractual liability, and trust. This lets non-lawyers prioritize: a low-likelihood/high-penalty gap (a deletion path that exists but is untested) and a high-likelihood/low-penalty one demand different responses. Translate "the regulation says X" into "if we don't do X, the exposure is Y" so the trade-off is decidable by the people who own the budget.
50
+
45
51
  ## Self-check before shipping
52
+ - [ ] Each in-scope obligation maps to a control, owner, and residual-risk note in a register
53
+ - [ ] Gaps rated by likelihood × impact (penalty, liability, trust)
46
54
  - [ ] Policies map to testable controls
47
55
  - [ ] Retention enforced by automated deletion
48
56
  - [ ] Consent granular, opt-in, withdrawable
@@ -58,8 +58,19 @@ Load this before drafting. These are the failure modes that separate strong role
58
58
  **Why it fails**: gives an attacker a map of the system; turns a reconnaissance step into a freebie.
59
59
  **Counter-move**: user-facing errors are generic. Detailed context goes to logs with appropriate access controls.
60
60
 
61
+ ## Methodology
62
+
63
+ Threat modeling is a process, not an instinct. Run it explicitly:
64
+
65
+ - **Decompose**: draw the data-flow — trust boundaries, entry points, assets, and where data crosses from less-trusted to more-trusted.
66
+ - **Enumerate with STRIDE** per element: **S**poofing, **T**ampering, **R**epudiation, **I**nformation disclosure, **D**enial of service, **E**levation of privilege. STRIDE forces coverage of categories an ad-hoc review skips (repudiation and tampering are the usual blind spots).
67
+ - **Rate and rank**: score each threat by likelihood × impact (or DREAD/CVSS where a number is needed), and treat the highest first. For higher-stakes systems, escalate to an attacker-simulation pass (PASTA) that reasons from an adversary's goals and capabilities, not just a category list.
68
+ - **Decide per threat**: mitigate, accept (with rationale), or transfer. An unrated threat is an unmade decision.
69
+
61
70
  ## Self-check before shipping
62
71
 
72
+ - [ ] Threat model decomposes data flow and enumerates STRIDE per trust boundary
73
+ - [ ] Threats rated and ranked; highest-risk handled first
63
74
  - [ ] No single control is the only line of defense
64
75
  - [ ] Secrets live in a secret manager, not in the repo
65
76
  - [ ] User input is validated and escaped at every boundary
@@ -133,6 +133,18 @@
133
133
  "check": "artifact-has-section",
134
134
  "section": "Rejected Alternatives"
135
135
  },
136
+ {
137
+ "id": "adr-reversibility-stated",
138
+ "description": "ADR Reversibility section is present and non-empty",
139
+ "check": "artifact-section-nonempty",
140
+ "section": "Reversibility"
141
+ },
142
+ {
143
+ "id": "adr-consequences-stated",
144
+ "description": "ADR Consequences section is present and non-empty",
145
+ "check": "artifact-section-nonempty",
146
+ "section": "Consequences"
147
+ },
136
148
  {
137
149
  "id": "adr-numeric-claims-cited",
138
150
  "description": "Every numeric claim in the ADR body cites a source",
@@ -547,6 +559,12 @@
547
559
  "check": "artifact-has-section",
548
560
  "section": "Market Context"
549
561
  },
562
+ {
563
+ "id": "strategic-memo-options-nonempty",
564
+ "description": "Strategic memo Options section is present and non-empty",
565
+ "check": "artifact-section-nonempty",
566
+ "section": "Options"
567
+ },
550
568
  {
551
569
  "id": "strategic-memo-has-strategic-risks",
552
570
  "description": "Strategic memo must contain a Strategic Risks section",
@@ -46,7 +46,9 @@ When querying search engines or paper indexes, always filter or sort by date: ne
46
46
 
47
47
  1. **Primary**: peer-reviewed papers, official docs for the exact version, published standards, raw source code, SEC filings, primary company announcements
48
48
  2. **Secondary**: changelogs, migration guides, tracked GitHub issues, maintainer posts, conference talks by the authors
49
- 3. **Tertiary**: blog posts, forums, Q&A, analyst summaries, AI-generated overviews: used only to locate primaries, never as evidence
49
+ 3. **Tertiary**: blog posts, forums, Q&A, analyst summaries, AI-generated overviews: used only to locate primaries, never as evidence for factual claims
50
+
51
+ Class is relative to the claim (`rules/common/research.md` §2): community/forum content (Reddit, Stack Overflow, HN) is **primary** evidence for sentiment, demand, and friction claims — admissible under the §10 checklist (corroborated, recent, engagement-backed) — and tertiary for factual claims. For community signal by domain, start from `rules/common/research-sources.md`. Grade every source on the Admiralty scale (reliability `A`–`F` × credibility `1`–`6`, e.g. `B2`) and map confidence accordingly: `high` only on `A1`/`A2`/`B1`.
50
52
 
51
53
  ### Step 4: Check internal evidence
52
54
 
@@ -76,7 +78,7 @@ Produce a research brief using the structure from `get_template("research-brief"
76
78
 
77
79
  **METHOD**: search terms, systems queried, date filters applied, domain starting points used, internal paths checked; enough detail to reproduce
78
80
 
79
- **SOURCES**: structured table: title/path | class (primary/secondary/tertiary) | date | URL | verified (yes/no) | relevance
81
+ **SOURCES**: structured table: title/path | class (primary/secondary/tertiary) | reliability (A–F) | credibility (1–6) | date | URL | verified (yes/no) | relevance
80
82
 
81
83
  **FINDINGS**: each finding labeled: what the source says (observation) | what is inferred (inference) | confidence (high/medium/low) | supporting source(s)
82
84
 
@@ -11,7 +11,7 @@ autonomously; applying it requires explicit approval.
11
11
  -->
12
12
 
13
13
  ## Source evidence
14
- <!-- Evidence brief, PRD, customer notes, tickets, or research supporting the proposal. -->
14
+ <!-- Evidence brief, PRD, customer notes, tickets, or research supporting the proposal, each with its evidence grade (rules/common/research.md §10). A proposal resting only on low-graded or uncorroborated evidence should be a signal brief, not a backlog item. -->
15
15
 
16
16
  ## Proposed changes
17
17
  <!-- Table: create/update, target issue if any, title, rationale, evidence, acceptance criteria. -->
@@ -16,7 +16,7 @@ asks for cleanup. Keep facts tied to source evidence.
16
16
  <!-- Stack, tools, integrations, scale, constraints, and relevant operating model. -->
17
17
 
18
18
  ## Active pain points
19
- <!-- Current friction, with source links or dates. Distinguish severe blockers from preferences. -->
19
+ <!-- Current friction, each with a source link, a date, and its evidence grade (rules/common/research.md §10). Distinguish severe blockers from preferences, and a one-off mention from a corroborated pattern. -->
20
20
 
21
21
  ## Open asks
22
22
  <!-- Table: ask, first raised, times mentioned, source, linked issue, status. -->
@@ -19,7 +19,11 @@ source lists or grouped findings. Keep em dashes rare.
19
19
  <!-- State the minimum signal needed to proceed. Example: two independent customers, three repeated mentions, or one severe enterprise blocker. -->
20
20
 
21
21
  ## Sources
22
- <!-- Table: source, source class, date/access date, customer or actor, link/path, confidence, and whether it is direct evidence or secondhand summary. -->
22
+ <!-- Class is relative to the claim (rules/common/research.md §2); Reliability (A–F) and Credibility (1–6) are the Admiralty grade (§10). Direct = first-hand evidence vs secondhand summary. -->
23
+
24
+ | Source | Class | Reliability | Credibility | Date | Actor | Link / Path | Direct? |
25
+ |---|---|---|---|---|---|---|---|
26
+ | {title} | primary / secondary / tertiary | A–F | 1–6 | {YYYY-MM-DD} | {customer or actor} | {url or path} | direct / secondhand |
23
27
 
24
28
  ## What we observed
25
29
  <!-- Factual observations only. Separate direct evidence from interpretation. -->