@grainulation/silo 1.0.0

package/packs/security.json

@@ -0,0 +1,175 @@
+{
+  "name": "Application Security",
+  "description": "OWASP top 10 mitigations, auth patterns, secrets management, supply chain security, and hardening guidance for web applications.",
+  "version": "1.0.0",
+  "claims": [
+    {
+      "id": "sec-001",
+      "type": "constraint",
+      "topic": "SQL injection prevention",
+      "content": "All database queries must use parameterized statements or prepared queries. String concatenation for SQL is never acceptable, even for internal tools. ORMs provide this by default but raw queries must be audited. OWASP ranks injection as A03:2021.",
+      "source": { "origin": "best-practice", "artifact": null, "connector": null },
+      "evidence": "documented",
+      "status": "active",
+      "phase_added": "define",
+      "timestamp": "2025-01-01T00:00:00.000Z",
+      "conflicts_with": [],
+      "resolved_by": null,
+      "tags": ["security", "owasp", "injection", "sql"]
+    },
+    {
+      "id": "sec-002",
+      "type": "constraint",
+      "topic": "secrets never in source control",
+      "content": "Secrets (API keys, database credentials, signing keys) must never appear in source control, including in commit history. Use environment variables, secret managers (Vault, AWS Secrets Manager, 1Password CLI), or encrypted .env files with .gitignore. Rotate any secret that has ever been committed.",
+      "source": { "origin": "best-practice", "artifact": null, "connector": null },
+      "evidence": "documented",
+      "status": "active",
+      "phase_added": "define",
+      "timestamp": "2025-01-01T00:00:00.000Z",
+      "conflicts_with": [],
+      "resolved_by": null,
+      "tags": ["security", "secrets", "source-control"]
+    },
+    {
+      "id": "sec-003",
+      "type": "recommendation",
+      "topic": "JWT access token lifetime",
+      "content": "JWT access tokens should have a lifetime of 5-15 minutes. Refresh tokens should be opaque (not JWT), stored server-side, rotated on each use, and have a maximum lifetime of 7-30 days. Never store JWTs in localStorage; use httpOnly secure cookies or in-memory storage.",
+      "source": { "origin": "best-practice", "artifact": null, "connector": null },
+      "evidence": "documented",
+      "status": "active",
+      "phase_added": "define",
+      "timestamp": "2025-01-01T00:00:00.000Z",
+      "conflicts_with": [],
+      "resolved_by": null,
+      "tags": ["security", "auth", "jwt", "tokens"]
+    },
+    {
+      "id": "sec-004",
+      "type": "risk",
+      "topic": "dependency supply chain attacks",
+      "content": "npm, PyPI, and other registries are vectors for supply chain attacks (typosquatting, maintainer account takeover, malicious postinstall scripts). Pin exact dependency versions, use lockfiles, audit with npm audit / pip-audit, and consider running install with --ignore-scripts in CI.",
+      "source": { "origin": "best-practice", "artifact": null, "connector": null },
+      "evidence": "production",
+      "status": "active",
+      "phase_added": "define",
+      "timestamp": "2025-01-01T00:00:00.000Z",
+      "conflicts_with": [],
+      "resolved_by": null,
+      "tags": ["security", "supply-chain", "dependencies", "npm"]
+    },
+    {
+      "id": "sec-005",
+      "type": "factual",
+      "topic": "bcrypt cost factor",
+      "content": "bcrypt with a cost factor of 10 takes approximately 100ms to hash on modern hardware. Increase to 12 (roughly 400ms) for high-security contexts. Argon2id is the current OWASP recommendation for new projects, with minimum parameters: 19 MiB memory, 2 iterations, 1 parallelism.",
+      "source": { "origin": "best-practice", "artifact": null, "connector": null },
+      "evidence": "documented",
+      "status": "active",
+      "phase_added": "define",
+      "timestamp": "2025-01-01T00:00:00.000Z",
+      "conflicts_with": [],
+      "resolved_by": null,
+      "tags": ["security", "auth", "hashing", "passwords"]
+    },
+    {
+      "id": "sec-006",
+      "type": "constraint",
+      "topic": "CORS allowlist",
+      "content": "CORS Access-Control-Allow-Origin must never be set to * for authenticated endpoints. Maintain an explicit allowlist of permitted origins. Reflect the Origin header only if it matches the allowlist. Misconfigured CORS is OWASP A01:2021 (Broken Access Control).",
+      "source": { "origin": "best-practice", "artifact": null, "connector": null },
+      "evidence": "documented",
+      "status": "active",
+      "phase_added": "define",
+      "timestamp": "2025-01-01T00:00:00.000Z",
+      "conflicts_with": [],
+      "resolved_by": null,
+      "tags": ["security", "cors", "owasp", "access-control"]
+    },
+    {
+      "id": "sec-007",
+      "type": "recommendation",
+      "topic": "CSP header configuration",
+      "content": "Content-Security-Policy should start strict and loosen as needed: default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data:; connect-src 'self'; frame-ancestors 'none'. Avoid 'unsafe-inline' and 'unsafe-eval'. Use nonces for inline scripts if unavoidable. Report violations with report-uri or report-to.",
+      "source": { "origin": "best-practice", "artifact": null, "connector": null },
+      "evidence": "documented",
+      "status": "active",
+      "phase_added": "define",
+      "timestamp": "2025-01-01T00:00:00.000Z",
+      "conflicts_with": [],
+      "resolved_by": null,
+      "tags": ["security", "csp", "headers", "xss"]
+    },
+    {
+      "id": "sec-008",
+      "type": "risk",
+      "topic": "SSRF in internal services",
+      "content": "Server-Side Request Forgery (SSRF) allows attackers to make requests from your server to internal networks, cloud metadata endpoints (169.254.169.254), or localhost services. Validate and allowlist all URLs that originate from user input. Block requests to private IP ranges and link-local addresses.",
+      "source": { "origin": "best-practice", "artifact": null, "connector": null },
+      "evidence": "production",
+      "status": "active",
+      "phase_added": "define",
+      "timestamp": "2025-01-01T00:00:00.000Z",
+      "conflicts_with": [],
+      "resolved_by": null,
+      "tags": ["security", "ssrf", "owasp", "cloud"]
+    },
+    {
+      "id": "sec-009",
+      "type": "recommendation",
+      "topic": "rate limiting auth endpoints",
+      "content": "Login endpoints must be rate-limited to no more than 10 attempts per IP per minute and 5 attempts per account per minute. After 5 consecutive failures for an account, enforce exponential backoff or temporary lockout (15-30 minutes). Log all failed attempts with IP and timestamp for anomaly detection.",
+      "source": { "origin": "best-practice", "artifact": null, "connector": null },
+      "evidence": "documented",
+      "status": "active",
+      "phase_added": "define",
+      "timestamp": "2025-01-01T00:00:00.000Z",
+      "conflicts_with": [],
+      "resolved_by": null,
+      "tags": ["security", "auth", "rate-limiting", "brute-force"]
+    },
+    {
+      "id": "sec-010",
+      "type": "factual",
+      "topic": "HTTPS and HSTS requirements",
+      "content": "All production traffic must use TLS 1.2 or higher. TLS 1.0 and 1.1 are deprecated (RFC 8996). Set Strict-Transport-Security header with max-age of at least 31536000 (1 year) and includeSubDomains. Submit to the HSTS preload list for public-facing domains.",
+      "source": { "origin": "best-practice", "artifact": null, "connector": null },
+      "evidence": "documented",
+      "status": "active",
+      "phase_added": "define",
+      "timestamp": "2025-01-01T00:00:00.000Z",
+      "conflicts_with": [],
+      "resolved_by": null,
+      "tags": ["security", "tls", "https", "hsts"]
+    },
+    {
+      "id": "sec-011",
+      "type": "risk",
+      "topic": "insecure deserialization",
+      "content": "Never deserialize untrusted data with language-native serialization (Java ObjectInputStream, Python pickle, PHP unserialize). These allow arbitrary code execution. Use JSON or Protocol Buffers with schema validation instead. OWASP A08:2021 (Software and Data Integrity Failures).",
+      "source": { "origin": "best-practice", "artifact": null, "connector": null },
+      "evidence": "documented",
+      "status": "active",
+      "phase_added": "define",
+      "timestamp": "2025-01-01T00:00:00.000Z",
+      "conflicts_with": [],
+      "resolved_by": null,
+      "tags": ["security", "deserialization", "owasp", "rce"]
+    },
+    {
+      "id": "sec-012",
+      "type": "recommendation",
+      "topic": "least privilege for service accounts",
+      "content": "Service accounts and IAM roles must follow least privilege: grant only the specific actions on the specific resources needed. Audit permissions quarterly. AWS policies should never use Resource: * with Action: *. Use IAM Access Analyzer to identify unused permissions.",
+      "source": { "origin": "best-practice", "artifact": null, "connector": null },
+      "evidence": "documented",
+      "status": "active",
+      "phase_added": "define",
+      "timestamp": "2025-01-01T00:00:00.000Z",
+      "conflicts_with": [],
+      "resolved_by": null,
+      "tags": ["security", "iam", "least-privilege", "cloud"]
+    }
+  ]
+}

package/packs/team-process.json

@@ -0,0 +1,175 @@
+{
+  "name": "Team Process and Engineering Culture",
+  "description": "Code review practices, on-call rotation design, postmortem processes, RFC workflows, tech debt management, and estimation techniques for engineering teams.",
+  "version": "1.0.0",
+  "claims": [
+    {
+      "id": "team-001",
+      "type": "constraint",
+      "topic": "code review turnaround time",
+      "content": "Code reviews should receive first-pass feedback within 4 business hours. Reviews taking longer than 24 hours are the top-cited blocker for developer productivity (Google Developer Survey 2023). Set team norms: reviews under 400 lines get same-day response, larger PRs should be split or paired on.",
+      "source": { "origin": "best-practice", "artifact": null, "connector": null },
+      "evidence": "documented",
+      "status": "active",
+      "phase_added": "define",
+      "timestamp": "2025-01-01T00:00:00.000Z",
+      "conflicts_with": [],
+      "resolved_by": null,
+      "tags": ["team-process", "code-review", "developer-experience", "productivity"]
+    },
+    {
+      "id": "team-002",
+      "type": "factual",
+      "topic": "PR size and defect correlation",
+      "content": "Code review effectiveness drops sharply after 400 lines of change. Google research shows defect detection rate falls from 70% for small PRs (<200 lines) to under 30% for large PRs (>1000 lines). Reviewers spend an average of 20 minutes regardless of PR size. Break large changes into stacked PRs of 200-400 lines each.",
+      "source": { "origin": "industry", "artifact": null, "connector": null },
+      "evidence": "documented",
+      "status": "active",
+      "phase_added": "define",
+      "timestamp": "2025-01-01T00:00:00.000Z",
+      "conflicts_with": [],
+      "resolved_by": null,
+      "tags": ["team-process", "code-review", "pr-size", "quality"]
+    },
+    {
+      "id": "team-003",
+      "type": "recommendation",
+      "topic": "on-call rotation design",
+      "content": "On-call rotations should be 1 week per engineer, with a minimum of 6 people in the rotation (no more than 1 week in 6 on primary). Provide a secondary on-call who shadows. Compensate on-call with either extra pay (10-15% of base for the week) or time off (1 day per week on-call). On-call without compensation breeds resentment and attrition.",
+      "source": { "origin": "best-practice", "artifact": null, "connector": null },
+      "evidence": "production",
+      "status": "active",
+      "phase_added": "define",
+      "timestamp": "2025-01-01T00:00:00.000Z",
+      "conflicts_with": [],
+      "resolved_by": null,
+      "tags": ["team-process", "on-call", "rotation", "compensation"]
+    },
+    {
+      "id": "team-004",
+      "type": "recommendation",
+      "topic": "RFC process for decisions",
+      "content": "Use RFCs (Request for Comments) for decisions that are: cross-team, hard to reverse, or affect more than 3 people. RFC template: Context (why now), Proposal (what), Alternatives considered (at least 2), Tradeoffs, Migration plan. Set a review period of 5 business days. Silence is not consent; require explicit approvals from stakeholders. Archive accepted RFCs as ADRs.",
+      "source": { "origin": "best-practice", "artifact": null, "connector": null },
+      "evidence": "documented",
+      "status": "active",
+      "phase_added": "define",
+      "timestamp": "2025-01-01T00:00:00.000Z",
+      "conflicts_with": [],
+      "resolved_by": null,
+      "tags": ["team-process", "rfc", "decision-making", "adr"]
+    },
+    {
+      "id": "team-005",
+      "type": "risk",
+      "topic": "tech debt compounding",
+      "content": "Tech debt compounds: workarounds on top of workarounds increase the cost of every future change. Without explicit allocation, tech debt grows 25-40% per year in velocity cost (Stripe Developer Survey 2018: developers spend 42% of time on tech debt). Allocate 15-20% of sprint capacity to tech debt reduction, tracked with a dedicated backlog and quarterly review.",
+      "source": { "origin": "industry", "artifact": null, "connector": null },
+      "evidence": "web",
+      "status": "active",
+      "phase_added": "define",
+      "timestamp": "2025-01-01T00:00:00.000Z",
+      "conflicts_with": [],
+      "resolved_by": null,
+      "tags": ["team-process", "tech-debt", "velocity", "planning"]
+    },
+    {
+      "id": "team-006",
+      "type": "factual",
+      "topic": "estimation accuracy ranges",
+      "content": "Software estimation accuracy follows the Cone of Uncertainty: at project inception, estimates are 0.25x-4x actual. After requirements, 0.5x-2x. After detailed design, 0.67x-1.5x. After code complete, 0.9x-1.1x. Communicate estimates as ranges, never single points. Use relative sizing (story points) for prioritization and historical velocity for date forecasting.",
+      "source": { "origin": "best-practice", "artifact": null, "connector": null },
+      "evidence": "documented",
+      "status": "active",
+      "phase_added": "define",
+      "timestamp": "2025-01-01T00:00:00.000Z",
+      "conflicts_with": [],
+      "resolved_by": null,
+      "tags": ["team-process", "estimation", "planning", "uncertainty"]
+    },
+    {
+      "id": "team-007",
+      "type": "recommendation",
+      "topic": "postmortem action item tracking",
+      "content": "Postmortem action items must have: a single owner (not a team), a due date within 30 days, and a tracking ticket. Review incomplete action items at the start of every postmortem meeting. Teams that do not track action items to completion repeat the same incidents. 60% of incidents are caused by previously identified but unresolved issues.",
+      "source": { "origin": "best-practice", "artifact": null, "connector": null },
+      "evidence": "production",
+      "status": "active",
+      "phase_added": "define",
+      "timestamp": "2025-01-01T00:00:00.000Z",
+      "conflicts_with": [],
+      "resolved_by": null,
+      "tags": ["team-process", "postmortem", "incident-response", "accountability"]
+    },
+    {
+      "id": "team-008",
+      "type": "constraint",
+      "topic": "meeting hygiene for engineers",
+      "content": "Protect maker time: engineers need 4-hour uninterrupted blocks for complex work. Meeting-free mornings or meeting-free days (e.g., no meetings on Tuesday/Thursday) measurably increase output. Context-switching between meetings costs 15-25 minutes of recovery time per switch. Batch meetings into afternoon blocks.",
+      "source": { "origin": "best-practice", "artifact": null, "connector": null },
+      "evidence": "web",
+      "status": "active",
+      "phase_added": "define",
+      "timestamp": "2025-01-01T00:00:00.000Z",
+      "conflicts_with": [],
+      "resolved_by": null,
+      "tags": ["team-process", "meetings", "focus-time", "productivity"]
+    },
+    {
+      "id": "team-009",
+      "type": "recommendation",
+      "topic": "runbook-driven operations",
+      "content": "Every alert and recurring operational task should have a runbook: what the alert means, how to diagnose, step-by-step remediation, escalation criteria, and who to contact. Runbooks reduce MTTR by 40-60% for on-call engineers encountering unfamiliar alerts. Store runbooks alongside alert definitions, linked by alert name. Review and update runbooks after every incident.",
+      "source": { "origin": "best-practice", "artifact": null, "connector": null },
+      "evidence": "production",
+      "status": "active",
+      "phase_added": "define",
+      "timestamp": "2025-01-01T00:00:00.000Z",
+      "conflicts_with": [],
+      "resolved_by": null,
+      "tags": ["team-process", "runbooks", "on-call", "operations"]
+    },
+    {
+      "id": "team-010",
+      "type": "risk",
+      "topic": "bus factor for critical systems",
+      "content": "Bus factor (number of people who could be hit by a bus before the project stalls) of 1 is a critical risk. Mitigate with: pair programming or rotation on critical systems, mandatory documentation for system architecture and runbooks, cross-training sessions quarterly, and code review requirements that expose at least 2 people to every area of the codebase.",
+      "source": { "origin": "best-practice", "artifact": null, "connector": null },
+      "evidence": "documented",
+      "status": "active",
+      "phase_added": "define",
+      "timestamp": "2025-01-01T00:00:00.000Z",
+      "conflicts_with": [],
+      "resolved_by": null,
+      "tags": ["team-process", "bus-factor", "knowledge-sharing", "risk"]
+    },
+    {
+      "id": "team-011",
+      "type": "estimate",
+      "topic": "onboarding ramp-up time",
+      "content": "New engineer onboarding to full productivity takes: 1-2 weeks for development environment setup and first PR, 1-3 months for independent feature delivery, 3-6 months for system-level understanding and architecture contributions. Structured onboarding programs (buddy system, 30/60/90-day goals, curated codebase walkthroughs) reduce ramp-up by 30-40% compared to ad-hoc onboarding.",
+      "source": { "origin": "industry", "artifact": null, "connector": null },
+      "evidence": "web",
+      "status": "active",
+      "phase_added": "define",
+      "timestamp": "2025-01-01T00:00:00.000Z",
+      "conflicts_with": [],
+      "resolved_by": null,
+      "tags": ["team-process", "onboarding", "hiring", "ramp-up"]
+    },
+    {
+      "id": "team-012",
+      "type": "recommendation",
+      "topic": "retrospective action limits",
+      "content": "Limit retrospective action items to 2-3 per sprint. Teams that generate 8-10 action items per retro complete fewer than 20% of them, creating learned helplessness. Pick the highest-impact items, assign owners, and carry forward only incomplete items from the previous retro. If the same item appears 3 retros in a row, escalate it.",
+      "source": { "origin": "best-practice", "artifact": null, "connector": null },
+      "evidence": "documented",
+      "status": "active",
+      "phase_added": "define",
+      "timestamp": "2025-01-01T00:00:00.000Z",
+      "conflicts_with": [],
+      "resolved_by": null,
+      "tags": ["team-process", "retrospective", "agile", "continuous-improvement"]
+    }
+  ]
+}

package/packs/testing.json

@@ -0,0 +1,147 @@
+{
+  "name": "Testing Strategy",
+  "description": "Integration and smoke testing patterns for multi-tool ecosystems. Covers server endpoint testing, UI consistency validation, cross-tool integration, and CI pipeline alignment with zero external test dependencies.",
+  "version": "1.0.0",
+  "claims": [
+    {
+      "id": "test-001",
+      "type": "constraint",
+      "topic": "test framework",
+      "content": "All tests must use node:test and node:assert/strict with zero external dependencies. No Jest, Mocha, Vitest, or other frameworks.",
+      "source": { "origin": "architecture", "artifact": null, "connector": null },
+      "evidence": "documented",
+      "status": "active",
+      "phase_added": "define",
+      "timestamp": "2026-03-16T00:00:00.000Z",
+      "conflicts_with": [],
+      "resolved_by": null,
+      "tags": ["testing", "node-test", "zero-dep"]
+    },
+    {
+      "id": "test-002",
+      "type": "constraint",
+      "topic": "test isolation",
+      "content": "Tests must use real filesystem (mkdtempSync), real processes (child_process.spawn), and real HTTP. No mocks, no spies, no test doubles.",
+      "source": { "origin": "architecture", "artifact": null, "connector": null },
+      "evidence": "documented",
+      "status": "active",
+      "phase_added": "define",
+      "timestamp": "2026-03-16T00:00:00.000Z",
+      "conflicts_with": [],
+      "resolved_by": null,
+      "tags": ["testing", "integration", "no-mocks"]
+    },
+    {
+      "id": "test-003",
+      "type": "recommendation",
+      "topic": "server endpoint tests",
+      "content": "Every tool server needs endpoint tests: spawn server on random port, hit each route with node:http, assert status codes and response shapes, teardown. Covers /health, /api/state, SSE /events, and tool-specific CRUD endpoints.",
+      "source": { "origin": "research", "artifact": null, "connector": null },
+      "evidence": "tested",
+      "status": "active",
+      "phase_added": "research",
+      "timestamp": "2026-03-16T00:00:00.000Z",
+      "conflicts_with": [],
+      "resolved_by": null,
+      "tags": ["testing", "server", "http", "endpoints"]
+    },
+    {
+      "id": "test-004",
+      "type": "recommendation",
+      "topic": "UI smoke tests",
+      "content": "Validate HTML consistency by parsing index.html as a string: check required DOM IDs (searchInput, grainLogo, main-content, sse-dot), CSS tokens (--bg, --accent), TOOL config object, self-contained rule (no external scripts/styles), and keyboard shortcut handlers.",
+      "source": { "origin": "research", "artifact": null, "connector": null },
+      "evidence": "tested",
+      "status": "active",
+      "phase_added": "research",
+      "timestamp": "2026-03-16T00:00:00.000Z",
+      "conflicts_with": [],
+      "resolved_by": null,
+      "tags": ["testing", "ui", "smoke-test", "consistency"]
+    },
+    {
+      "id": "test-005",
+      "type": "recommendation",
+      "topic": "cross-tool integration",
+      "content": "Integration tests must validate the full pipeline: wheat init -> compile -> mill reads compilation, silo imports claims, barn detects sprints, wheat connect farmer registers hooks. Each test creates a temp sprint and cleans up.",
+      "source": { "origin": "research", "artifact": null, "connector": null },
+      "evidence": "tested",
+      "status": "active",
+      "phase_added": "research",
+      "timestamp": "2026-03-16T00:00:00.000Z",
+      "conflicts_with": [],
+      "resolved_by": null,
+      "tags": ["testing", "integration", "cross-tool", "pipeline"]
+    },
+    {
+      "id": "test-006",
+      "type": "constraint",
+      "topic": "CI matrix",
+      "content": "CI must test on Node 18, 20, and 22. Every CI run verifies zero runtime dependencies, runs all tests, checks CLI --help, and performs a dry-run npm publish.",
+      "source": { "origin": "architecture", "artifact": ".github/workflows/ci.yml", "connector": null },
+      "evidence": "documented",
+      "status": "active",
+      "phase_added": "define",
+      "timestamp": "2026-03-16T00:00:00.000Z",
+      "conflicts_with": [],
+      "resolved_by": null,
+      "tags": ["testing", "ci", "node-matrix", "github-actions"]
+    },
+    {
+      "id": "test-007",
+      "type": "factual",
+      "topic": "test coverage baseline",
+      "content": "Baseline: 191 tests across 5 repos (wheat 25, barn 58, mill 30, silo 21, ranch 44). After adding server, UI smoke, and cross-tool tests: ~260 tests total.",
+      "source": { "origin": "measurement", "artifact": null, "connector": null },
+      "evidence": "tested",
+      "status": "active",
+      "phase_added": "research",
+      "timestamp": "2026-03-16T00:00:00.000Z",
+      "conflicts_with": [],
+      "resolved_by": null,
+      "tags": ["testing", "coverage", "baseline"]
+    },
+    {
+      "id": "test-008",
+      "type": "risk",
+      "topic": "server test port conflicts",
+      "content": "Server tests must use random ports (bind to port 0, read assigned port) to avoid conflicts with running dev servers or parallel CI jobs.",
+      "source": { "origin": "experience", "artifact": null, "connector": null },
+      "evidence": "tested",
+      "status": "active",
+      "phase_added": "research",
+      "timestamp": "2026-03-16T00:00:00.000Z",
+      "conflicts_with": [],
+      "resolved_by": null,
+      "tags": ["testing", "server", "ports", "ci"]
+    },
+    {
+      "id": "test-009",
+      "type": "recommendation",
+      "topic": "SSE testing pattern",
+      "content": "Test SSE endpoints by connecting with http.get, reading the first data frame, parsing it as JSON, and asserting the state shape. Destroy the connection after assertion to avoid hanging tests.",
+      "source": { "origin": "research", "artifact": null, "connector": null },
+      "evidence": "tested",
+      "status": "active",
+      "phase_added": "research",
+      "timestamp": "2026-03-16T00:00:00.000Z",
+      "conflicts_with": [],
+      "resolved_by": null,
+      "tags": ["testing", "sse", "server-sent-events", "pattern"]
+    },
+    {
+      "id": "test-010",
+      "type": "recommendation",
+      "topic": "test execution order",
+      "content": "Execute in layers: (1) fix broken tests, (2) server endpoint tests, (3) UI smoke tests, (4) cross-tool integration, (5) CI wiring. Each layer is independently valuable and ships as its own commit.",
+      "source": { "origin": "research", "artifact": null, "connector": null },
+      "evidence": "stated",
+      "status": "active",
+      "phase_added": "research",
+      "timestamp": "2026-03-16T00:00:00.000Z",
+      "conflicts_with": [],
+      "resolved_by": null,
+      "tags": ["testing", "strategy", "execution-order"]
+    }
+  ]
+}