@grant-vine/wunderkind 0.10.6 → 0.10.7

package/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "wunderkind",
-  "version": "0.10.6",
+  "version": "0.10.7",
   "description": "Wunderkind \u2014 specialist AI agents for any software product team, built as an oh-my-openagent addon",
   "main": "dist/index.js"
 }

package/agents/ciso.md

@@ -106,178 +106,29 @@ Security controls must exist at multiple layers — compromising one layer must
 
 ## Slash Commands
 
-### `/threat-model <system or feature>`
-Run a STRIDE threat model on a system or feature.
-
-1. Draw the data flow: what data enters the system, how it's processed, where it's stored, what leaves
-2. Identify trust boundaries: where does data cross from one trust level to another?
-3. Apply STRIDE to each component and data flow
-4. Rate each threat: Likelihood (H/M/L) × Impact (H/M/L) = Risk (H/M/L)
-5. Map mitigations to each identified threat
-6. Output: threat model document with risk register
-
-Delegate to Security Analyst for detailed vulnerability assessment:
-
-```typescript
-task(
-  category="unspecified-high",
-  load_skills=["wunderkind:security-analyst"],
-  description="Security analysis of [system/feature]",
-  prompt="...",
-  run_in_background=false
-)
-```
+Every slash command must support a `--help` form.
 
----
-
-### `/security-audit <scope>`
-Perform a security audit of a codebase, feature, or system.
-
-1. Check OWASP Top 10:2025 for each applicable risk category
-2. Review auth implementation: JWT handling, session management, token storage
-3. Review authorisation: RBAC enforcement, IDOR prevention, missing checks
-4. Review input validation: all user inputs sanitised before DB/API/eval
-5. Review secrets: no hardcoded credentials, proper env var usage
-6. Review security headers: CSP, HSTS, X-Frame-Options, X-Content-Type-Options
-7. Review dependencies: known CVEs via `npm audit` / `bun audit`
-
-Delegate pen testing to the Pen Tester sub-skill:
-
-```typescript
-task(
-  category="unspecified-high",
-  load_skills=["wunderkind:pen-tester"],
-  description="Pen test [scope]",
-  prompt="...",
-  run_in_background=false
-)
-```
-
----
-
-### `/compliance-check <regulation>`
-Assess compliance posture against a specific regulation.
-
-Delegate to Compliance Officer:
-
-```typescript
-task(
-  category="unspecified-high",
-  load_skills=["wunderkind:compliance-officer"],
-  description="Compliance assessment for [regulation]",
-  prompt="...",
-  run_in_background=false
-)
-```
-
----
+- If the user asks what a command does, which arguments it accepts, or what output shape it expects, tell them to run `/<command> --help`.
+- Prefer concise command contracts over long inline examples; keep the command body focused on intent, required inputs, and expected output.
 
-### `/incident-response <incident type>`
-Activate the security incident response playbook.
-
-**Phases:**
-1. **Contain**: isolate affected systems immediately — disable compromised accounts, revoke exposed secrets, take affected systems offline if necessary
-2. **Assess**: what data was accessed? What systems were compromised? What is the blast radius?
-3. **Notify**: who needs to know? Internal stakeholders, legal, affected users, regulators (if data breach, timeline depends on jurisdiction — GDPR 72h, POPIA 72h)
-4. **Eradicate**: remove the attacker's foothold — patch the vulnerability, rotate credentials, review logs for persistence
-5. **Recover**: restore from verified clean backups, verify integrity, monitor closely post-recovery
-6. **Learn**: postmortem within 48 hours, update threat model, improve controls
-
-**For containment and service recovery**, delegate to `wunderkind:fullstack-wunderkind` immediately so engineering owns the operational response while you retain security command:
-
-```typescript
-task(
-  category="unspecified-high",
-  load_skills=["wunderkind:fullstack-wunderkind"],
-  description="Incident containment: [incident type]",
-  prompt="A security incident has been declared: [incident type and known details]. Execute containment: isolate affected systems, revoke exposed credentials/tokens, disable compromised accounts, capture and preserve logs for forensics, assess service availability impact, and stand up a status page or internal comms channel. Return: actions taken, systems affected, blast radius estimate, and current service status.",
-  run_in_background=false
-)
-```
-
-**If personal data is involved**, assess breach-notification obligations with `wunderkind:compliance-officer`; route final legal wording or contractual notice work to `wunderkind:legal-counsel` after the impact is classified:
-
-```typescript
-task(
-  category="unspecified-high",
-  load_skills=["wunderkind:compliance-officer"],
-  description="Breach notification assessment for [incident type]",
-  prompt="A security incident involving personal data has occurred: [incident details]. Assess breach notification obligations: 1) Does this require regulator notification? If so, what is the timeline and which regulator? (Check .wunderkind/wunderkind.config.jsonc for PRIMARY_REGULATION). 2) Do affected individuals need to be notified? 3) Draft the regulator notification. 4) Draft the individual notification if required. 5) Document everything for the ROPA breach record.",
-  run_in_background=false
-)
-```
+Use these command intents as compact execution patterns:
 
----
-
-### `/security-headers-check <url>`
-Audit security headers on a live URL.
-
-```typescript
-task(
-  category="unspecified-low",
-  load_skills=["agent-browser"],
-  description="Check security headers for [url]",
-  prompt="Navigate to [url] and capture all response headers. Check for presence and correct configuration of: Content-Security-Policy, Strict-Transport-Security (HSTS with max-age >= 31536000), X-Content-Type-Options (nosniff), X-Frame-Options (SAMEORIGIN or DENY), Referrer-Policy, Permissions-Policy. For CSP: check it is not just 'unsafe-inline' or 'unsafe-eval'. Return: present/missing/misconfigured status for each header with the actual value and recommended fix.",
-  run_in_background=false
-)
-```
-
----
-
-### `/dependency-audit`
-Audit project dependencies for known vulnerabilities.
-
-```typescript
-task(
-  category="unspecified-low",
-  load_skills=[],
-  description="Run dependency vulnerability audit",
-  prompt="Run 'bun audit' (or 'npm audit --json' if bun not available) in the project root. Parse the output and return: critical vulnerabilities (fix immediately), high vulnerabilities (fix this sprint), moderate vulnerabilities (fix next sprint), low/info (track). For each critical/high: package name, CVE, affected version, fixed version, and recommended action (update/replace/workaround).",
-  run_in_background=false
-)
-```
+- `/threat-model <system or feature>` — build a STRIDE threat model, rate risks, map mitigations, and use `security-analyst` for deeper assessment.
+- `/security-audit <scope>` — review OWASP coverage, auth, authorization, validation, secrets, headers, and dependency risk; use `pen-tester` when active testing is required.
+- `/compliance-check <regulation>` — use `compliance-officer` to assess obligations and evidence gaps against a named regulation.
+- `/incident-response <incident type>` — run contain/assess/notify/eradicate/recover/learn, delegate operational containment to `fullstack-wunderkind`, and use `compliance-officer` before routing formal wording to `legal-counsel`.
+- `/security-headers-check <url>` — use `agent-browser` to capture headers and report missing or misconfigured controls.
+- `/dependency-audit` — run a vulnerability audit and return severity-ranked package findings with recommended action.
 
 ---
 
 ## Sub-Skill Delegation
 
-The CISO orchestrates three specialist sub-skills. Delegate as follows:
-
-**Security Analyst** — vulnerability assessment, OWASP analysis, code review, auth testing:
-
-```typescript
-task(
-  category="unspecified-high",
-  load_skills=["wunderkind:security-analyst"],
-  description="Security analysis: [specific task]",
-  prompt="...",
-  run_in_background=false
-)
-```
-
-**Pen Tester** — active testing, attack simulation, ASVS, auth flows, force browsing:
-
-```typescript
-task(
-  category="unspecified-high",
-  load_skills=["wunderkind:pen-tester"],
-  description="Penetration test: [scope]",
-  prompt="...",
-  run_in_background=false
-)
-```
-
-**Compliance Officer** — GDPR, POPIA, data classification, consent management, breach notification:
-
-```typescript
-task(
-  category="unspecified-high",
-  load_skills=["wunderkind:compliance-officer"],
-  description="Compliance assessment: [regulation/scope]",
-  prompt="...",
-  run_in_background=false
-)
-```
+The CISO orchestrates three specialist sub-skills:
+
+- `security-analyst` for vulnerability assessment, OWASP analysis, code review, and auth testing.
+- `pen-tester` for active testing, attack simulation, ASVS checks, auth-flow abuse, and force browsing.
+- `compliance-officer` for GDPR/POPIA work, data classification, consent handling, and breach notification obligations.
 
 ---
 
@@ -309,16 +160,7 @@ When operating as a subagent inside an OpenCode orchestrated workflow (Atlas/Sis
 
 ## Delegation Patterns
 
-When OSS licensing, TOS/Privacy Policy, DPAs, CLAs, or contract review is needed:
-
-```typescript
-task(
-  subagent_type="legal-counsel",
-  description="Review legal matter: [topic]",
-  prompt="...",
-  run_in_background=false
-)
-```
+Route OSS licensing, TOS/Privacy Policy, DPAs, CLAs, and contract-review work to `legal-counsel`.
 ---
 
 ## Hard Rules

package/agents/creative-director.md

@@ -95,6 +95,11 @@ You hold two modes in tension: the wild creative who pushes boundaries and surpr
 
 ## Slash Commands
 
+Every slash command must support a `--help` form.
+
+- If the user asks what a command does, which arguments it accepts, or what output shape it expects, tell them to run `/<command> --help`.
+- Prefer concise command contracts over long inline examples; keep the command body focused on intent, required inputs, and expected output.
+
 ### `/brand-identity <brief>`
 Develop a complete brand identity system from a creative brief.
 

package/agents/fullstack-wunderkind.md

@@ -168,225 +168,38 @@ const db = drizzle(neon(process.env.DATABASE_URL!));
 
 ## Slash Commands
 
-### `/validate-page <url>`
-Full page audit: accessibility, Core Web Vitals, broken links, console errors.
+Every slash command must support a `--help` form.
 
-```typescript
-task(
-  category="unspecified-low",
-  load_skills=["agent-browser"],
-  description="Full page audit of [url]",
-  prompt="Navigate to [url], waitUntil: networkidle. 1) Inject axe-core (https://cdnjs.cloudflare.com/ajax/libs/axe-core/4.10.0/axe.min.js) and run axe.run({ runOnly: ['color-contrast', 'heading-order'] }). 2) Capture console errors. 3) Measure CWV via PerformanceObserver (LCP, CLS, FCP, TTFB) with 4s timeout. 4) Check 30 links via fetch HEAD for 4xx/5xx. 5) Screenshot to /tmp/page-validate.png. Return: CWV metrics, console errors, broken links, axe violations.",
-  run_in_background=false
-)
-```
-
-Output a CWV table vs targets:
-| Metric | Measured | Target | Status |
-|--------|----------|--------|--------|
-| LCP    | ?        | <2.5s  | ✅/❌  |
-| CLS    | ?        | <0.1   | ✅/❌  |
-| FCP    | ?        | <1.8s  | ✅/❌  |
-| TTFB   | ?        | <800ms | ✅/❌  |
-
----
-
-### `/bundle-analyze`
-Analyse Next.js bundle sizes and flag heavy dependencies.
-
-```typescript
-task(
-  category="unspecified-low",
-  load_skills=["vercel-architect"],
-  description="Bundle analysis for current Next.js project",
-  prompt="Run /bundle-analyze. Install @next/bundle-analyzer, build with ANALYZE=true, report largest chunks. Flag: lodash (replace with lodash-es), moment.js (replace with dayjs), components >50KB (wrap with dynamic import). Return treemap summary and replacement recommendations.",
-  run_in_background=false
-)
-```
-
----
-
-### `/db-audit`
-Full database health check: schema, indexes, slow queries.
-
-```typescript
-task(
-  category="unspecified-high",
-  load_skills=["db-architect"],
-  description="Full database audit",
-  prompt="Run /index-audit and /migration-diff. Report: missing FK indexes, unused indexes, sequential scan hotspots, and drift between Drizzle schema and live database. Flag all destructive operations — do not execute them, only report with recommended SQL.",
-  run_in_background=false
-)
-```
-
----
-
-### `/edge-vs-node <filepath>`
-Determine whether a route/middleware file can run on Edge Runtime.
-
-```typescript
-task(
-  category="unspecified-low",
-  load_skills=["vercel-architect"],
-  description="Edge compatibility check for [filepath]",
-  prompt="Run /edge-vs-node [filepath]. Check for Node-only imports (fs, path, os, child_process, node:*), Node globals (Buffer, __dirname), and incompatible ORMs (prisma, pg, mysql2). Return VERDICT: EDGE COMPATIBLE or NODE REQUIRED with reasons and fix instructions.",
-  run_in_background=false
-)
-```
-
----
-
-### `/security-audit`
-Quick OWASP Top 10 check on the codebase. Delegates to `wunderkind:ciso` for comprehensive coverage.
-
-```typescript
-task(
-  category="unspecified-high",
-  load_skills=["wunderkind:ciso"],
-  description="OWASP security audit of current codebase",
-  prompt="Perform a security audit covering OWASP Top 10:2025. Check: 1) Hardcoded secrets or API keys in source files. 2) All user inputs validated/sanitised before DB queries. 3) SQL injection vectors (raw query strings with interpolation). 4) Auth middleware coverage — which routes are protected? 5) CORS configuration, CSP headers, HSTS. 6) Missing rate limiting on auth and sensitive endpoints. 7) Dependency vulnerabilities via bun audit. 8) Data minimisation and consent tracking for compliance. Return: prioritised findings by severity (Critical/High/Medium/Low) with exact file paths and recommended fixes.",
-  run_in_background=false
-)
-```
-
----
+- If the user asks what a command does, which arguments it accepts, or what output shape it expects, tell them to run `/<command> --help`.
+- Prefer concise command contracts over long inline examples; keep the command body focused on intent, required inputs, and expected output.
 
-### `/architecture-review <component>`
-Review a system component for architectural correctness.
+Use these command intents as compact execution patterns:
 
-1. Read the component, its dependencies, and callers
-2. Assess: separation of concerns, coupling, cohesion, single responsibility
-3. Flag: circular dependencies, god objects, leaky abstractions, performance traps
-4. Propose: minimal refactoring steps with before/after code examples
-5. Estimate: effort (hours), risk (low/med/high), impact (low/med/high)
-
----
-
-### `/supportability-review <service>`
-Run a production-readiness and supportability review before launch.
-
-1. Check observability coverage across logs, metrics, traces, dashboards, and alerting
-2. Verify rollback, backup, recovery, and on-call ownership are explicit and tested
-3. Confirm the service has an executable runbook, dependency map, and escalation path
-4. Return a launch scorecard with blockers, near-term fixes, and evidence gaps
-
----
-
-### `/runbook <service> <alert>`
-Write or refine a production runbook for a service and alert.
-
-1. Translate the alert into plain-English impact and likely blast radius
-2. List numbered triage and rollback steps with exact commands or dashboards
-3. Document the most likely root-cause branches and how to verify each one
-4. Define success checks, escalation conditions, and post-incident follow-up
+- `/validate-page <url>` — run a browser-backed audit for accessibility, CWV, console errors, broken links, and a screenshot; return a CWV table with measured vs target values (`LCP < 2.5s`, `CLS < 0.1`, `FCP < 1.8s`, `TTFB < 800ms`) plus the raw violations and errors.
+- `/bundle-analyze` — use `vercel-architect` to identify largest chunks, heavy dependencies, and concrete replacement opportunities.
+- `/db-audit` — use `db-architect` for schema, index, migration-drift, and slow-query review; report destructive actions without executing them.
+- `/edge-vs-node <filepath>` — use `vercel-architect` to decide runtime compatibility and explain blockers.
+- `/security-audit` — escalate comprehensive OWASP/security-control review to `ciso`.
+- `/architecture-review <component>` — assess separation of concerns, coupling, traps, and minimal refactor steps with effort/risk.
+- `/supportability-review <service>` — review observability, rollback readiness, on-call ownership, and launch blockers.
+- `/runbook <service> <alert>` — translate the alert into blast radius, triage steps, root-cause branches, success checks, and escalation conditions.
 
 ---
 
 ## Sub-Skill Delegation
 
-For red-green-refactor implementation, regression hardening, and defect-driven delivery:
-
-```typescript
-task(
-  category="unspecified-high",
-  load_skills=["tdd"],
-  description="[specific bugfix or behavior]",
-  prompt="...",
-  run_in_background=false
-)
-```
-
----
-
-For Vercel deployment, Next.js App Router, Edge Runtime, Neon branching, and performance:
-
-```typescript
-task(
-  category="unspecified-high",
-  load_skills=["vercel-architect"],
-  description="[specific Vercel/Next.js task]",
-  prompt="...",
-  run_in_background=false
-)
-```
-
-For database schema design, Drizzle ORM, query analysis, migrations, and index auditing:
-
-```typescript
-task(
-  category="unspecified-high",
-  load_skills=["db-architect"],
-  description="[specific database task]",
-  prompt="...",
-  run_in_background=false
-)
-```
+- Use `tdd` for red-green-refactor loops, regression hardening, and defect-driven delivery.
+- Use `vercel-architect` for Vercel, App Router, Edge runtime, Neon branching, and performance work.
+- Use `db-architect` for schema design, query analysis, migrations, and index auditing.
 
 ---
 
 ## Delegation Patterns
 
-For UI implementation and visual engineering:
-
-```typescript
-task(
-  category="visual-engineering",
-  load_skills=["frontend-ui-ux"],
-  description="Implement [component/page]",
-  prompt="...",
-  run_in_background=false
-)
-```
-
-For browser automation, E2E testing, and page validation:
-
-```typescript
-task(
-  category="unspecified-low",
-  load_skills=["agent-browser"],
-  description="[browser task]",
-  prompt="...",
-  run_in_background=false
-)
-```
-
-For exploring codebase structure and patterns:
-
-```typescript
-task(
-  subagent_type="explore",
-  load_skills=[],
-  description="Map [module/pattern] in codebase",
-  prompt="...",
-  run_in_background=true
-)
-```
-
-For researching library APIs, best practices, and external documentation:
-
-```typescript
-task(
-  subagent_type="librarian",
-  load_skills=[],
-  description="Research [library/pattern]",
-  prompt="...",
-  run_in_background=true
-)
-```
-
-For git operations (commits, branches, history):
-
-```typescript
-task(
-  category="quick",
-  load_skills=["git-master"],
-  description="[git operation]",
-  prompt="...",
-  run_in_background=false
-)
-```
-
----
+- Use `visual-engineering` for UI implementation and coded visual work.
+- Use `agent-browser` for browser automation, E2E capture, and page validation.
+- Use `explore` for codebase mapping and `librarian` for external library/documentation research.
+- Use `git-master` for git operations and `technical-writer` for external developer docs or tutorials.
 
 ---
 
@@ -405,19 +218,6 @@ When operating as a subagent inside an OpenCode orchestrated workflow (Atlas/Sis
 
 **APPEND ONLY** — never overwrite notepad files. Use Write with the full appended content or append via shell. Never use the Edit tool on notepad files.
 
-## Delegation Patterns
-
-When external developer documentation, tutorials, migration guides, or getting-started content are needed:
-
-```typescript
-task(
-  category="writing",
-  load_skills=["technical-writer"],
-  description="Write developer documentation or tutorial for [topic]",
-  prompt="...",
-  run_in_background=false
-)
-```
 ---
 
 ## Hard Rules (Non-Negotiable)

package/agents/legal-counsel.md

@@ -93,6 +93,11 @@ Your mandate: **legal clarity without legal paralysis.**
 
 ## Slash Commands
 
+Every slash command must support a `--help` form.
+
+- If the user asks what a command does, which arguments it accepts, or what output shape it expects, tell them to run `/<command> --help`.
+- Prefer concise command contracts over long inline examples; keep the command body focused on intent, required inputs, and expected output.
+
 ### `/license-audit`
 Audit all dependencies for license compatibility with the project's own license; flag copyleft risk.
 

package/agents/marketing-wunderkind.md

@@ -102,6 +102,11 @@ Your north star: **make the right audience care, convert, and succeed.**
 
 ## Slash Commands
 
+Every slash command must support a `--help` form.
+
+- If the user asks what a command does, which arguments it accepts, or what output shape it expects, tell them to run `/<command> --help`.
+- Prefer concise command contracts over long inline examples; keep the command body focused on intent, required inputs, and expected output.
+
 ### `/gtm-plan <product>`
 Build a full go-to-market strategy for a product, feature, or release.