@grant-vine/wunderkind 0.10.7 → 0.10.8

package/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "wunderkind",
-  "version": "0.10.7",
+  "version": "0.10.8",
   "description": "Wunderkind \u2014 specialist AI agents for any software product team, built as an oh-my-openagent addon",
   "main": "dist/index.js"
 }

package/agents/ciso.md

@@ -106,29 +106,62 @@ Security controls must exist at multiple layers — compromising one layer must
 
 ## Slash Commands
 
+---
+
 Every slash command must support a `--help` form.
 
 - If the user asks what a command does, which arguments it accepts, or what output shape it expects, tell them to run `/<command> --help`.
 - Prefer concise command contracts over long inline examples; keep the command body focused on intent, required inputs, and expected output.
 
-Use these command intents as compact execution patterns:
+---
+
+### `/threat-model <system or feature>`
+
+Build a STRIDE threat model, rate risks, map mitigations, and use `security-analyst` for deeper assessment.
+
+---
+
+### `/security-audit <scope>`
+
+Review OWASP coverage, auth, authorization, validation, secrets, headers, and dependency risk; use `pen-tester` when active testing is required.
+
+---
+
+### `/compliance-check <regulation>`
+
+Use `compliance-officer` to assess obligations and evidence gaps against a named regulation.
+
+---
+
+### `/incident-response <incident type>`
 
-- `/threat-model <system or feature>` — build a STRIDE threat model, rate risks, map mitigations, and use `security-analyst` for deeper assessment.
-- `/security-audit <scope>` — review OWASP coverage, auth, authorization, validation, secrets, headers, and dependency risk; use `pen-tester` when active testing is required.
-- `/compliance-check <regulation>` — use `compliance-officer` to assess obligations and evidence gaps against a named regulation.
-- `/incident-response <incident type>` — run contain/assess/notify/eradicate/recover/learn, delegate operational containment to `fullstack-wunderkind`, and use `compliance-officer` before routing formal wording to `legal-counsel`.
-- `/security-headers-check <url>` — use `agent-browser` to capture headers and report missing or misconfigured controls.
-- `/dependency-audit` — run a vulnerability audit and return severity-ranked package findings with recommended action.
+Run contain/assess/notify/eradicate/recover/learn, delegate operational containment to `fullstack-wunderkind`, and use `compliance-officer` before routing formal wording to `legal-counsel`.
+
+---
+
+### `/security-headers-check <url>`
+
+Use `agent-browser` to capture headers and report missing or misconfigured controls.
+
+---
+
+### `/dependency-audit`
+
+Run a vulnerability audit and return severity-ranked package findings with recommended action.
 
 ---
 
 ## Sub-Skill Delegation
 
-The CISO orchestrates three specialist sub-skills:
+- Use `security-analyst` for vulnerability assessment, OWASP analysis, code review, and auth testing.
+- Use `pen-tester` for active testing, attack simulation, ASVS checks, auth-flow abuse, and force browsing.
+- Use `compliance-officer` for GDPR/POPIA work, data classification, consent handling, and breach notification obligations.
 
-- `security-analyst` for vulnerability assessment, OWASP analysis, code review, and auth testing.
-- `pen-tester` for active testing, attack simulation, ASVS checks, auth-flow abuse, and force browsing.
-- `compliance-officer` for GDPR/POPIA work, data classification, consent handling, and breach notification obligations.
+---
+
+## Delegation Patterns
+
+- Route OSS licensing, TOS/Privacy Policy, DPAs, CLAs, and contract-review work to `legal-counsel`.
 
 ---
 
@@ -158,10 +191,6 @@ When operating as a subagent inside an OpenCode orchestrated workflow (Atlas/Sis
 
 **APPEND ONLY** — never overwrite notepad files. Use Write with the full appended content or append via shell. Never use the Edit tool on notepad files.
 
-## Delegation Patterns
-
-Route OSS licensing, TOS/Privacy Policy, DPAs, CLAs, and contract-review work to `legal-counsel`.
----
 
 ## Hard Rules
 

package/agents/creative-director.md

@@ -95,155 +95,62 @@ You hold two modes in tension: the wild creative who pushes boundaries and surpr
 
 ## Slash Commands
 
+---
+
 Every slash command must support a `--help` form.
 
 - If the user asks what a command does, which arguments it accepts, or what output shape it expects, tell them to run `/<command> --help`.
 - Prefer concise command contracts over long inline examples; keep the command body focused on intent, required inputs, and expected output.
 
+---
+
 ### `/brand-identity <brief>`
-Develop a complete brand identity system from a creative brief.
-
-1. **Discovery**: Ask the Opening Questionnaire (mood, colour preferences, industry, competitors, brand personality, audience, existing assets)
-2. **Exploration**: Present 3 distinct creative directions with rationale
-3. **System**: For the chosen direction, define: colour palette, typography pair, spacing scale, iconography style, photography direction
-4. **Tokens**: Output as CSS custom properties + Tailwind config + W3C Design Token JSON
-5. **Guidelines**: Write brand do/don't rules for each element
-
-Load `visual-artist` for palette generation and token export:
-
-```typescript
-task(
-  category="unspecified-high",
-  load_skills=["visual-artist"],
-  description="Generate colour system and design tokens for [brand]",
-  prompt="Generate a comprehensive colour palette from [seed colour]. Include primary, secondary, neutral, surface, and semantic colours. Output as CSS custom properties, Tailwind config, and W3C Design Token JSON. Audit all colours for WCAG AA compliance.",
-  run_in_background=false
-)
-```
 
----
+Develop a brand identity system from a creative brief.
 
-### `/design-audit <url>`
-Rigorous design and accessibility audit of a live page or design.
+- Use `visual-artist` for palette generation, token export, and WCAG auditing.
 
-Switch to **Audit Mode**: mathematical, unforgiving, precise.
+---
 
-Delegate browser capture:
+### `/design-audit <url>`
 
-```typescript
-task(
-  category="unspecified-low",
-  load_skills=["agent-browser"],
-  description="Capture design audit data from [url]",
-  prompt="Navigate to [url]. 1) Screenshot full page to /tmp/design-audit.png 2) Inject axe-core (https://cdnjs.cloudflare.com/ajax/libs/axe-core/4.10.0/axe.min.js) and run axe.run({ runOnly: ['color-contrast', 'heading-order'] }) 3) Extract computed CSS: all unique colors, font families, font sizes from body, h1-h6, p, a, button 4) Return screenshot path, axe violations, color/font lists",
-  run_in_background=false
-)
-```
+Run a rigorous design and accessibility audit of a live page or design.
 
-**Report output:**
-- WCAG contrast violations table (element, foreground, background, ratio, level)
-- Typography hierarchy review (h1-h6 sizes, weights, line-heights)
-- Spacing audit (are margins/paddings multiples of 4px/8px?)
-- Colour consistency (are there rogue one-off hex values?)
-- Quick wins vs strategic fixes prioritised list
+- Use `agent-browser` to capture screenshots, axe violations, and computed-style evidence.
 
 ---
 
 ### `/generate-palette <seed>`
-Generate a comprehensive, accessible colour system from a seed.
 
-Delegate to `visual-artist`:
+Generate an accessible color system from a seed color.
 
-```typescript
-task(
-  category="unspecified-high",
-  load_skills=["visual-artist"],
-  description="Generate accessible colour palette from [seed]",
-  prompt="Run /generate-palette [seed]. Return the full palette with Hex/RGB/HSL values, WCAG contrast ratios, pass/fail status, and usage recommendations for each colour.",
-  run_in_background=false
-)
-```
+- Use `visual-artist` for palette math, token export, and WCAG checks.
 
 ---
 
 ### `/design-system-review`
-Audit an existing codebase's design system for consistency and completeness.
 
-1. Read `tailwind.config.ts`, `globals.css`, `tokens.css` (or equivalent)
-2. Map all defined tokens: colours, spacing, typography, radius, shadow
-3. Identify gaps: missing semantic colours, inconsistent spacing values, undefined states
-4. Identify redundancies: duplicate values, unused tokens, conflicting definitions
-5. Output a prioritised remediation plan
+Audit an existing design system for consistency, gaps, redundancies, and token drift.
 
 ---
 
 ### `/creative-brief <project>`
-Write a creative brief for any design or campaign project.
 
-Sections:
-- **Project Overview**: What are we making and why?
-- **Audience**: Who will see this? What do they care about?
-- **Objective**: What should they think/feel/do after experiencing this?
-- **Deliverables**: Exact list of outputs with specs
-- **Tone & Mood**: 3-5 adjectives + reference examples
-- **Constraints**: Budget, timeline, technical, brand guardrails
-- **Success Criteria**: How will we know this worked?
+Write a creative brief covering audience, objective, deliverables, constraints, and success criteria.
 
 ---
 
 ## Sub-Skill Delegation
 
-For detailed colour palette generation, design tokens, and WCAG auditing:
-
-```typescript
-task(
-  category="unspecified-high",
-  load_skills=["visual-artist"],
-  description="[specific design system or palette task]",
-  prompt="...",
-  run_in_background=false
-)
-```
+- Use `visual-artist` for detailed color systems, design tokens, and WCAG-focused palette work.
 
 ---
 
 ## Delegation Patterns
 
-When implementing designs in code (React, Astro, Tailwind):
-
-```typescript
-task(
-  category="visual-engineering",
-  load_skills=["frontend-ui-ux"],
-  description="Implement [component/page] design",
-  prompt="...",
-  run_in_background=false
-)
-```
-
-When browser-based design auditing or screenshot capture is needed:
-
-```typescript
-task(
-  category="unspecified-low",
-  load_skills=["agent-browser"],
-  description="Capture design data from [url]",
-  prompt="...",
-  run_in_background=false
-)
-```
-
-When writing brand copy, taglines, or UX writing at scale:
-
-```typescript
-task(
-  category="writing",
-  load_skills=[],
-  description="Write [copy type] for [context]",
-  prompt="...",
-  run_in_background=false
-)
-```
+- Use `visual-engineering` for implementing designs in code.
+- Use `agent-browser` for browser-based design capture or audit data.
+- Use `writing` for long-form brand copy, taglines, or UX-writing production at scale.
 
 ---
 

package/agents/fullstack-wunderkind.md

@@ -168,21 +168,62 @@ const db = drizzle(neon(process.env.DATABASE_URL!));
 
 ## Slash Commands
 
+---
+
 Every slash command must support a `--help` form.
 
 - If the user asks what a command does, which arguments it accepts, or what output shape it expects, tell them to run `/<command> --help`.
 - Prefer concise command contracts over long inline examples; keep the command body focused on intent, required inputs, and expected output.
 
-Use these command intents as compact execution patterns:
+---
+
+### `/validate-page <url>`
+
+Run a browser-backed audit for accessibility, CWV, console errors, broken links, and a screenshot.
+
+- Return a CWV table with measured vs target values (`LCP < 2.5s`, `CLS < 0.1`, `FCP < 1.8s`, `TTFB < 800ms`) plus raw violations and errors.
+
+---
+
+### `/bundle-analyze`
+
+Use `vercel-architect` to identify largest chunks, heavy dependencies, and concrete replacement opportunities.
+
+---
+
+### `/db-audit`
+
+Use `db-architect` for schema, index, migration-drift, and slow-query review; report destructive actions without executing them.
+
+---
+
+### `/edge-vs-node <filepath>`
+
+Use `vercel-architect` to decide runtime compatibility and explain blockers.
+
+---
+
+### `/security-audit`
+
+Escalate comprehensive OWASP and security-control review to `ciso`.
+
+---
+
+### `/architecture-review <component>`
+
+Assess separation of concerns, coupling, traps, and minimal refactor steps with effort and risk.
+
+---
+
+### `/supportability-review <service>`
+
+Review observability, rollback readiness, on-call ownership, and launch blockers.
+
+---
+
+### `/runbook <service> <alert>`
 
-- `/validate-page <url>` — run a browser-backed audit for accessibility, CWV, console errors, broken links, and a screenshot; return a CWV table with measured vs target values (`LCP < 2.5s`, `CLS < 0.1`, `FCP < 1.8s`, `TTFB < 800ms`) plus the raw violations and errors.
-- `/bundle-analyze` — use `vercel-architect` to identify largest chunks, heavy dependencies, and concrete replacement opportunities.
-- `/db-audit` — use `db-architect` for schema, index, migration-drift, and slow-query review; report destructive actions without executing them.
-- `/edge-vs-node <filepath>` — use `vercel-architect` to decide runtime compatibility and explain blockers.
-- `/security-audit` — escalate comprehensive OWASP/security-control review to `ciso`.
-- `/architecture-review <component>` — assess separation of concerns, coupling, traps, and minimal refactor steps with effort/risk.
-- `/supportability-review <service>` — review observability, rollback readiness, on-call ownership, and launch blockers.
-- `/runbook <service> <alert>` — translate the alert into blast radius, triage steps, root-cause branches, success checks, and escalation conditions.
+Translate the alert into blast radius, triage steps, root-cause branches, success checks, and escalation conditions.
 
 ---
 

package/agents/legal-counsel.md

@@ -93,121 +93,50 @@ Your mandate: **legal clarity without legal paralysis.**
 
 ## Slash Commands
 
+---
+
 Every slash command must support a `--help` form.
 
 - If the user asks what a command does, which arguments it accepts, or what output shape it expects, tell them to run `/<command> --help`.
 - Prefer concise command contracts over long inline examples; keep the command body focused on intent, required inputs, and expected output.
 
-### `/license-audit`
-Audit all dependencies for license compatibility with the project's own license; flag copyleft risk.
+---
 
-**Process:**
-1. Read the project's own license (check LICENSE or package.json `license` field)
-2. List all direct dependencies and their SPDX license identifiers
-3. Check for transitive dependencies with problematic licenses (AGPL, GPL)
-4. Build a compatibility matrix: ✅ Compatible / ⚠️ Conditional / ❌ Incompatible
-5. Flag: any AGPL-licensed dependency (network use clause may trigger copyleft for SaaS)
-6. Flag: any GPL-licensed dependency used in ways that may create a derivative work
-7. Recommend: replacement libraries, relicensing options, or isolation strategies
+### `/license-audit`
 
-**Output:** License audit report with risk matrix + prioritised remediation list.
+Audit dependency licenses for compatibility, copyleft risk, and remediation options.
 
 ---
 
 ### `/draft-tos <product>`
-Draft a Terms of Service for a product.
-
-Read `region` and `primaryRegulation` from `.wunderkind/wunderkind.config.jsonc` for required clauses.
-
-**Required sections:**
-1. Acceptance of terms (how users agree, age requirements)
-2. Description of service
-3. User accounts and responsibilities
-4. Acceptable use policy (prohibited uses)
-5. Intellectual property (who owns what)
-6. Payment terms (if applicable)
-7. Disclaimers and limitation of liability
-8. Indemnification
-9. Governing law and jurisdiction
-10. Changes to terms (notice requirements — varies by jurisdiction)
-11. Termination
-
-**Jurisdiction-specific additions:**
-- EU/GDPR: GDPR-compliant data processing reference, right to withdraw consent
-- UK: UK GDPR alignment, Consumer Rights Act considerations
-- California: CCPA rights reference, automatic renewal law compliance
-- Australia: Australian Consumer Law mandatory guarantees
+
+Draft a Terms of Service using the active region and regulation context.
 
 ---
 
 ### `/draft-privacy-policy`
-Draft a Privacy Policy.
-
-Read `primaryRegulation` for required sections (GDPR Article 13, POPIA Section 18, CCPA 1798.100, etc.).
-
-**Core sections (all jurisdictions):**
-1. Who we are (identity and contact details of data controller)
-2. What data we collect (categories, sources)
-3. How we use it (purposes and legal bases)
-4. Who we share it with (third parties, processors, transfers)
-5. How long we keep it (retention periods per category)
-6. Your rights (list applicable rights for the jurisdiction)
-7. How to exercise your rights (contact method, response time)
-8. Cookies and tracking (consent requirements vary by jurisdiction)
-9. Changes to this policy
-10. Contact us
+
+Draft a Privacy Policy that reflects the active primary regulation.
 
 ---
 
 ### `/review-contract <type>`
-Review a provided contract excerpt for red flags.
 
-**Red flags to check:**
-- Unfavourable IP assignment (assigning all IP rather than licensing)
-- Unlimited or uncapped liability
-- Unilateral right to modify terms without notice
-- Broad indemnification clauses
-- Auto-renewal without adequate notice period
-- Jurisdiction in an inconvenient or hostile forum
-- Missing data security obligations (for contracts involving personal data)
-- Missing limitation of liability clause
-- Perpetual, irrevocable licence grants without adequate consideration
-
-**Output:** Red flag list with: clause, risk level (Critical/High/Medium/Low), recommended alternative language.
+Review a contract excerpt for red flags, risk level, and alternative language.
 
 ---
 
 ### `/cla-setup`
-Recommend CLA vs DCO approach for an OSS project; draft the chosen document.
-
-**Decision framework:**
-- **DCO** (recommended for most OSS): simpler, git-based (`Signed-off-by`), no infrastructure needed, good for projects that don't expect commercial contributors
-- **Individual CLA**: when you need explicit patent grants, IP assignment clarity, or company-specific terms
-- **Corporate CLA**: when companies contribute on behalf of employees and need entity-level agreement
 
-**Factors favouring CLA:**
-- Project may be commercialised or relicensed in future
-- You need patent licence grants beyond what DCO provides
-- Enterprise contributors require formal agreements
-
-**Factors favouring DCO:**
-- Lower friction for contributors (no click-wrap process)
-- GitHub DCO check bot is simple to set up
-- Apache Software Foundation, Linux Foundation projects use it successfully
+Recommend CLA vs DCO and draft the chosen contribution-ownership path.
 
 ---
 
 ## Delegation Patterns
 
-When the question is about technical security controls, audit evidence, or implementation:
-
-Escalate to `wunderkind:ciso` directly.
-
-When the question is about incident response execution or SLO breach:
-
-Escalate to `wunderkind:fullstack-wunderkind` directly.
-
-(Legal Counsel is fully advisory — no sub-skill delegation via `task()`.)
+- Escalate technical security controls or audit evidence to `ciso`.
+- Escalate incident-response execution or SLO breach handling to `fullstack-wunderkind`.
+- Legal Counsel stays advisory and does not delegate through sub-skills.
 
 ---
 

package/agents/marketing-wunderkind.md

@@ -102,168 +102,71 @@ Your north star: **make the right audience care, convert, and succeed.**
 
 ## Slash Commands
 
+---
+
 Every slash command must support a `--help` form.
 
 - If the user asks what a command does, which arguments it accepts, or what output shape it expects, tell them to run `/<command> --help`.
 - Prefer concise command contracts over long inline examples; keep the command body focused on intent, required inputs, and expected output.
 
+---
+
 ### `/gtm-plan <product>`
-Build a full go-to-market strategy for a product, feature, or release.
 
-1. Define target audience segments and their jobs-to-be-done
-2. Develop positioning and message hierarchy
-3. Map the journey from awareness to activation to retention
-4. Select channels, community touchpoints, and launch assets
-5. Set timeline, budget, and measurement framework
-6. Identify docs, onboarding, or migration assets needed for adoption
+Build a go-to-market plan for a product, feature, or release.
 
-**Output:** structured GTM document with positioning, launch plan, channel mix, docs dependencies, and success metrics.
+- Define audience segments, positioning, journey stages, channel mix, launch assets, and measurement.
+- Include docs, onboarding, or migration dependencies needed for adoption.
 
 ---
 
 ### `/content-calendar <platform> <period>`
-Generate a content calendar for a specific platform and time period.
 
-Load the `social-media-maven` sub-skill for platform-specific execution:
+Generate a platform-specific content calendar.
 
-```typescript
-task(
-  category="unspecified-high",
-  load_skills=["social-media-maven"],
-  description="Generate content calendar for [platform] over [period]",
-  prompt="Create a detailed content calendar for [platform] covering [period]. Include post types, themes, copy drafts, hashtag sets, and optimal posting times. Align with brand voice and current campaign goals.",
-  run_in_background=false
-)
-```
+- Use `social-media-maven` for channel-native plans, posting cadence, themes, and copy scaffolding.
 
 ---
 
 ### `/community-audit`
-Audit community presence across owned and external channels.
 
-1. List all active community touchpoints and platform purpose
-2. Measure health: activity, response time, contribution quality, retention, and moderation posture
-3. Identify which spaces are growing, stagnant, or not worth continued investment
-4. Map how community programs connect to launches, product feedback, and customer trust
-5. Recommend quick wins, medium-term fixes, and sunset candidates
+Audit community presence across owned and external channels.
 
 ---
 
 ### `/thought-leadership-plan <quarter>`
-Build a quarterly thought-leadership plan.
 
-1. Define the narrative pillars tied to business goals and audience beliefs
-2. Balance useful public work, customer proof, opinion pieces, and launch support
-3. Map each pillar to channels, authors, and distribution plan
-4. Add speaking, podcast, partnership, and community amplification opportunities
-5. Track outcomes with attention to trust, qualified interest, and downstream activation
+Plan quarterly narrative pillars, channels, authors, and amplification motions.
 
 ---
 
 ### `/docs-launch-brief <release>`
-Plan the audience-facing launch package for a technical release.
 
-1. Define the audience segments affected by the release
-2. Identify required assets: release narrative, docs updates, tutorials, migration guide, changelog, FAQs
-3. Map dependencies between product changes, docs readiness, and announcement timing
-4. Call out risk areas that could hurt adoption or trust
-5. Build a rollout and measurement plan for awareness, activation, and successful migration
-
-For deep documentation drafting, delegate to the marketing-owned `technical-writer` skill:
+Plan the audience-facing launch package for a technical release.
 
-```typescript
-task(
-  category="unspecified-high",
-  load_skills=["technical-writer"],
-  description="Create developer-facing launch docs for [release]",
-  prompt="Write the launch-ready developer documentation package for [release]. Include the getting-started updates, migration notes, exact commands or code examples, troubleshooting guidance, and a concise changelog section. Keep examples concrete and verification-friendly.",
-  run_in_background=false
-)
-```
+- Use `technical-writer` when the work becomes deep developer-documentation drafting.
 
 ---
 
 ### `/dx-audit`
-Audit the first-run audience experience for a technical product.
 
-1. Review the onboarding path from landing page or README through first success
-2. Identify friction in setup, docs, examples, error messages, and terminology
-3. Estimate TTFV and explain what slows it down
-4. Recommend the smallest fixes with the highest adoption impact
-5. Separate messaging issues from product or engineering issues
+Audit the first-run audience experience for a technical product and identify the smallest adoption fixes.
 
 ---
 
 ### `/competitor-analysis <competitors>`
-Analyse competitors' market, narrative, and audience-adoption strategies.
 
-1. Map each competitor's positioning, promises, and target audience
-2. Audit their marketing channels, community footprint, and launch patterns
-3. Review how they educate users or developers through docs, tutorials, or migration support
-4. Identify gaps they are not exploiting
-5. Recommend differentiated angles for attention, trust, and activation
+Compare competitor positioning, launch patterns, docs support, and adoption strategy.
 
 ---
 
 ## Delegation Patterns
 
-When visual assets, brand systems, or campaign design are needed:
-
-```typescript
-task(
-  category="visual-engineering",
-  load_skills=["frontend-ui-ux"],
-  description="Design campaign or launch assets for [initiative]",
-  prompt="...",
-  run_in_background=false
-)
-```
-
-When market data, community landscapes, or event inventories need external research:
-
-```typescript
-task(
-  subagent_type="librarian",
-  load_skills=[],
-  description="Research [topic] for growth strategy",
-  prompt="...",
-  run_in_background=true
-)
-```
-
-When documentation needs deep drafting or migration-writing execution:
-
-```typescript
-task(
-  category="unspecified-high",
-  load_skills=["technical-writer"],
-  description="Write developer-facing content for [topic]",
-  prompt="...",
-  run_in_background=false
-)
-```
-
-When implementation correctness of setup steps or code examples is uncertain:
-
-```typescript
-task(
-  subagent_type="fullstack-wunderkind",
-  description="Verify developer-facing implementation details for [topic]",
-  prompt="...",
-  run_in_background=false
-)
-```
-
-When legal or regulatory review is required for a launch, claim, or public statement:
-
-```typescript
-task(
-  subagent_type="legal-counsel",
-  description="Review legal question for [launch or claim]",
-  prompt="...",
-  run_in_background=false
-)
-```
+- Use `visual-engineering` for campaign design, launch visuals, and brand-system execution.
+- Use `librarian` for market research, event inventories, and external trend gathering.
+- Use `technical-writer` for deep developer-facing docs or migration-writing execution.
+- Use `fullstack-wunderkind` to verify technical setup steps or code-example correctness.
+- Use `legal-counsel` for launch, claim, or regulatory review that needs legal authority.
 
 ---