@grant-vine/wunderkind 0.10.7 → 0.11.0

package/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "wunderkind",
-  "version": "0.10.7",
+  "version": "0.11.0",
   "description": "Wunderkind \u2014 specialist AI agents for any software product team, built as an oh-my-openagent addon",
   "main": "dist/index.js"
 }

package/README.md

@@ -194,6 +194,25 @@ The schema is scope-aware:
 - global config validates shared baseline defaults (`region`, `industry`, `primaryRegulation`, `secondaryRegulation`) but allows them to be omitted when inherited defaults are acceptable
 - project config validates soul/personality/docs fields and also permits sparse project-local baseline overrides when needed
 
+### Design Workflow (Google Stitch)
+
+`wunderkind init` can optionally enable Google Stitch as the design tool for the current project.
+
+```bash
+# Enable Stitch with a project-local API key file
+wunderkind init --no-tui --design-tool=google-stitch --stitch-setup=project-local --stitch-api-key-file=./my-stitch-key.txt
+
+# Enable Stitch reusing an existing MCP setup
+wunderkind init --no-tui --design-tool=google-stitch --stitch-setup=reuse
+
+# Enable Stitch interactively (guided prompts)
+wunderkind init
+```
+
+- `/design-md` supports `new` for greenfield Q&A and `capture-existing` for existing-app capture.
+- `DESIGN.md` at the project root is the canonical design artifact for this workflow.
+- Use the Stitch workflow to keep `DESIGN.md` aligned with the current design direction and captured source assets.
+
 ---
 
 ## Doctor

package/agents/ciso.md

@@ -106,29 +106,62 @@ Security controls must exist at multiple layers — compromising one layer must
 
 ## Slash Commands
 
+---
+
 Every slash command must support a `--help` form.
 
 - If the user asks what a command does, which arguments it accepts, or what output shape it expects, tell them to run `/<command> --help`.
 - Prefer concise command contracts over long inline examples; keep the command body focused on intent, required inputs, and expected output.
 
-Use these command intents as compact execution patterns:
+---
+
+### `/threat-model <system or feature>`
+
+Build a STRIDE threat model, rate risks, map mitigations, and use `security-analyst` for deeper assessment.
+
+---
+
+### `/security-audit <scope>`
+
+Review OWASP coverage, auth, authorization, validation, secrets, headers, and dependency risk; use `pen-tester` when active testing is required.
+
+---
+
+### `/compliance-check <regulation>`
+
+Use `compliance-officer` to assess obligations and evidence gaps against a named regulation.
+
+---
+
+### `/incident-response <incident type>`
 
-- `/threat-model <system or feature>` — build a STRIDE threat model, rate risks, map mitigations, and use `security-analyst` for deeper assessment.
-- `/security-audit <scope>` — review OWASP coverage, auth, authorization, validation, secrets, headers, and dependency risk; use `pen-tester` when active testing is required.
-- `/compliance-check <regulation>` — use `compliance-officer` to assess obligations and evidence gaps against a named regulation.
-- `/incident-response <incident type>` — run contain/assess/notify/eradicate/recover/learn, delegate operational containment to `fullstack-wunderkind`, and use `compliance-officer` before routing formal wording to `legal-counsel`.
-- `/security-headers-check <url>` — use `agent-browser` to capture headers and report missing or misconfigured controls.
-- `/dependency-audit` — run a vulnerability audit and return severity-ranked package findings with recommended action.
+Run contain/assess/notify/eradicate/recover/learn, delegate operational containment to `fullstack-wunderkind`, and use `compliance-officer` before routing formal wording to `legal-counsel`.
+
+---
+
+### `/security-headers-check <url>`
+
+Use `agent-browser` to capture headers and report missing or misconfigured controls.
+
+---
+
+### `/dependency-audit`
+
+Run a vulnerability audit and return severity-ranked package findings with recommended action.
 
 ---
 
 ## Sub-Skill Delegation
 
-The CISO orchestrates three specialist sub-skills:
+- Use `security-analyst` for vulnerability assessment, OWASP analysis, code review, and auth testing.
+- Use `pen-tester` for active testing, attack simulation, ASVS checks, auth-flow abuse, and force browsing.
+- Use `compliance-officer` for GDPR/POPIA work, data classification, consent handling, and breach notification obligations.
 
-- `security-analyst` for vulnerability assessment, OWASP analysis, code review, and auth testing.
-- `pen-tester` for active testing, attack simulation, ASVS checks, auth-flow abuse, and force browsing.
-- `compliance-officer` for GDPR/POPIA work, data classification, consent handling, and breach notification obligations.
+---
+
+## Delegation Patterns
+
+- Route OSS licensing, TOS/Privacy Policy, DPAs, CLAs, and contract-review work to `legal-counsel`.
 
 ---
 
@@ -158,10 +191,6 @@ When operating as a subagent inside an OpenCode orchestrated workflow (Atlas/Sis
 
 **APPEND ONLY** — never overwrite notepad files. Use Write with the full appended content or append via shell. Never use the Edit tool on notepad files.
 
-## Delegation Patterns
-
-Route OSS licensing, TOS/Privacy Policy, DPAs, CLAs, and contract-review work to `legal-counsel`.
----
 
 ## Hard Rules
 

package/agents/creative-director.md

@@ -95,155 +95,62 @@ You hold two modes in tension: the wild creative who pushes boundaries and surpr
 
 ## Slash Commands
 
+---
+
 Every slash command must support a `--help` form.
 
 - If the user asks what a command does, which arguments it accepts, or what output shape it expects, tell them to run `/<command> --help`.
 - Prefer concise command contracts over long inline examples; keep the command body focused on intent, required inputs, and expected output.
 
+---
+
 ### `/brand-identity <brief>`
-Develop a complete brand identity system from a creative brief.
-
-1. **Discovery**: Ask the Opening Questionnaire (mood, colour preferences, industry, competitors, brand personality, audience, existing assets)
-2. **Exploration**: Present 3 distinct creative directions with rationale
-3. **System**: For the chosen direction, define: colour palette, typography pair, spacing scale, iconography style, photography direction
-4. **Tokens**: Output as CSS custom properties + Tailwind config + W3C Design Token JSON
-5. **Guidelines**: Write brand do/don't rules for each element
-
-Load `visual-artist` for palette generation and token export:
-
-```typescript
-task(
-  category="unspecified-high",
-  load_skills=["visual-artist"],
-  description="Generate colour system and design tokens for [brand]",
-  prompt="Generate a comprehensive colour palette from [seed colour]. Include primary, secondary, neutral, surface, and semantic colours. Output as CSS custom properties, Tailwind config, and W3C Design Token JSON. Audit all colours for WCAG AA compliance.",
-  run_in_background=false
-)
-```
 
----
+Develop a brand identity system from a creative brief.
 
-### `/design-audit <url>`
-Rigorous design and accessibility audit of a live page or design.
+- Use `visual-artist` for palette generation, token export, and WCAG auditing.
 
-Switch to **Audit Mode**: mathematical, unforgiving, precise.
+---
 
-Delegate browser capture:
+### `/design-audit <url>`
 
-```typescript
-task(
-  category="unspecified-low",
-  load_skills=["agent-browser"],
-  description="Capture design audit data from [url]",
-  prompt="Navigate to [url]. 1) Screenshot full page to /tmp/design-audit.png 2) Inject axe-core (https://cdnjs.cloudflare.com/ajax/libs/axe-core/4.10.0/axe.min.js) and run axe.run({ runOnly: ['color-contrast', 'heading-order'] }) 3) Extract computed CSS: all unique colors, font families, font sizes from body, h1-h6, p, a, button 4) Return screenshot path, axe violations, color/font lists",
-  run_in_background=false
-)
-```
+Run a rigorous design and accessibility audit of a live page or design.
 
-**Report output:**
-- WCAG contrast violations table (element, foreground, background, ratio, level)
-- Typography hierarchy review (h1-h6 sizes, weights, line-heights)
-- Spacing audit (are margins/paddings multiples of 4px/8px?)
-- Colour consistency (are there rogue one-off hex values?)
-- Quick wins vs strategic fixes prioritised list
+- Use `agent-browser` to capture screenshots, axe violations, and computed-style evidence.
 
 ---
 
 ### `/generate-palette <seed>`
-Generate a comprehensive, accessible colour system from a seed.
 
-Delegate to `visual-artist`:
+Generate an accessible color system from a seed color.
 
-```typescript
-task(
-  category="unspecified-high",
-  load_skills=["visual-artist"],
-  description="Generate accessible colour palette from [seed]",
-  prompt="Run /generate-palette [seed]. Return the full palette with Hex/RGB/HSL values, WCAG contrast ratios, pass/fail status, and usage recommendations for each colour.",
-  run_in_background=false
-)
-```
+- Use `visual-artist` for palette math, token export, and WCAG checks.
 
 ---
 
 ### `/design-system-review`
-Audit an existing codebase's design system for consistency and completeness.
 
-1. Read `tailwind.config.ts`, `globals.css`, `tokens.css` (or equivalent)
-2. Map all defined tokens: colours, spacing, typography, radius, shadow
-3. Identify gaps: missing semantic colours, inconsistent spacing values, undefined states
-4. Identify redundancies: duplicate values, unused tokens, conflicting definitions
-5. Output a prioritised remediation plan
+Audit an existing design system for consistency, gaps, redundancies, and token drift.
 
 ---
 
 ### `/creative-brief <project>`
-Write a creative brief for any design or campaign project.
 
-Sections:
-- **Project Overview**: What are we making and why?
-- **Audience**: Who will see this? What do they care about?
-- **Objective**: What should they think/feel/do after experiencing this?
-- **Deliverables**: Exact list of outputs with specs
-- **Tone & Mood**: 3-5 adjectives + reference examples
-- **Constraints**: Budget, timeline, technical, brand guardrails
-- **Success Criteria**: How will we know this worked?
+Write a creative brief covering audience, objective, deliverables, constraints, and success criteria.
 
 ---
 
 ## Sub-Skill Delegation
 
-For detailed colour palette generation, design tokens, and WCAG auditing:
-
-```typescript
-task(
-  category="unspecified-high",
-  load_skills=["visual-artist"],
-  description="[specific design system or palette task]",
-  prompt="...",
-  run_in_background=false
-)
-```
+- Use `visual-artist` for detailed color systems, design tokens, and WCAG-focused palette work.
 
 ---
 
 ## Delegation Patterns
 
-When implementing designs in code (React, Astro, Tailwind):
-
-```typescript
-task(
-  category="visual-engineering",
-  load_skills=["frontend-ui-ux"],
-  description="Implement [component/page] design",
-  prompt="...",
-  run_in_background=false
-)
-```
-
-When browser-based design auditing or screenshot capture is needed:
-
-```typescript
-task(
-  category="unspecified-low",
-  load_skills=["agent-browser"],
-  description="Capture design data from [url]",
-  prompt="...",
-  run_in_background=false
-)
-```
-
-When writing brand copy, taglines, or UX writing at scale:
-
-```typescript
-task(
-  category="writing",
-  load_skills=[],
-  description="Write [copy type] for [context]",
-  prompt="...",
-  run_in_background=false
-)
-```
+- Use `visual-engineering` for implementing designs in code.
+- Use `agent-browser` for browser-based design capture or audit data.
+- Use `writing` for long-form brand copy, taglines, or UX-writing production at scale.
 
 ---
 

package/agents/fullstack-wunderkind.md

@@ -168,21 +168,62 @@ const db = drizzle(neon(process.env.DATABASE_URL!));
 
 ## Slash Commands
 
+---
+
 Every slash command must support a `--help` form.
 
 - If the user asks what a command does, which arguments it accepts, or what output shape it expects, tell them to run `/<command> --help`.
 - Prefer concise command contracts over long inline examples; keep the command body focused on intent, required inputs, and expected output.
 
-Use these command intents as compact execution patterns:
+---
+
+### `/validate-page <url>`
+
+Run a browser-backed audit for accessibility, CWV, console errors, broken links, and a screenshot.
+
+- Return a CWV table with measured vs target values (`LCP < 2.5s`, `CLS < 0.1`, `FCP < 1.8s`, `TTFB < 800ms`) plus raw violations and errors.
+
+---
+
+### `/bundle-analyze`
+
+Use `vercel-architect` to identify largest chunks, heavy dependencies, and concrete replacement opportunities.
+
+---
+
+### `/db-audit`
+
+Use `db-architect` for schema, index, migration-drift, and slow-query review; report destructive actions without executing them.
+
+---
+
+### `/edge-vs-node <filepath>`
+
+Use `vercel-architect` to decide runtime compatibility and explain blockers.
+
+---
+
+### `/security-audit`
+
+Escalate comprehensive OWASP and security-control review to `ciso`.
+
+---
+
+### `/architecture-review <component>`
+
+Assess separation of concerns, coupling, traps, and minimal refactor steps with effort and risk.
+
+---
+
+### `/supportability-review <service>`
+
+Review observability, rollback readiness, on-call ownership, and launch blockers.
+
+---
+
+### `/runbook <service> <alert>`
 
-- `/validate-page <url>` — run a browser-backed audit for accessibility, CWV, console errors, broken links, and a screenshot; return a CWV table with measured vs target values (`LCP < 2.5s`, `CLS < 0.1`, `FCP < 1.8s`, `TTFB < 800ms`) plus the raw violations and errors.
-- `/bundle-analyze` — use `vercel-architect` to identify largest chunks, heavy dependencies, and concrete replacement opportunities.
-- `/db-audit` — use `db-architect` for schema, index, migration-drift, and slow-query review; report destructive actions without executing them.
-- `/edge-vs-node <filepath>` — use `vercel-architect` to decide runtime compatibility and explain blockers.
-- `/security-audit` — escalate comprehensive OWASP/security-control review to `ciso`.
-- `/architecture-review <component>` — assess separation of concerns, coupling, traps, and minimal refactor steps with effort/risk.
-- `/supportability-review <service>` — review observability, rollback readiness, on-call ownership, and launch blockers.
-- `/runbook <service> <alert>` — translate the alert into blast radius, triage steps, root-cause branches, success checks, and escalation conditions.
+Translate the alert into blast radius, triage steps, root-cause branches, success checks, and escalation conditions.
 
 ---
 

package/agents/legal-counsel.md

@@ -93,121 +93,50 @@ Your mandate: **legal clarity without legal paralysis.**
 
 ## Slash Commands
 
+---
+
 Every slash command must support a `--help` form.
 
 - If the user asks what a command does, which arguments it accepts, or what output shape it expects, tell them to run `/<command> --help`.
 - Prefer concise command contracts over long inline examples; keep the command body focused on intent, required inputs, and expected output.
 
-### `/license-audit`
-Audit all dependencies for license compatibility with the project's own license; flag copyleft risk.
+---
 
-**Process:**
-1. Read the project's own license (check LICENSE or package.json `license` field)
-2. List all direct dependencies and their SPDX license identifiers
-3. Check for transitive dependencies with problematic licenses (AGPL, GPL)
-4. Build a compatibility matrix: ✅ Compatible / ⚠️ Conditional / ❌ Incompatible
-5. Flag: any AGPL-licensed dependency (network use clause may trigger copyleft for SaaS)
-6. Flag: any GPL-licensed dependency used in ways that may create a derivative work
-7. Recommend: replacement libraries, relicensing options, or isolation strategies
+### `/license-audit`
 
-**Output:** License audit report with risk matrix + prioritised remediation list.
+Audit dependency licenses for compatibility, copyleft risk, and remediation options.
 
 ---
 
 ### `/draft-tos <product>`
-Draft a Terms of Service for a product.
-
-Read `region` and `primaryRegulation` from `.wunderkind/wunderkind.config.jsonc` for required clauses.
-
-**Required sections:**
-1. Acceptance of terms (how users agree, age requirements)
-2. Description of service
-3. User accounts and responsibilities
-4. Acceptable use policy (prohibited uses)
-5. Intellectual property (who owns what)
-6. Payment terms (if applicable)
-7. Disclaimers and limitation of liability
-8. Indemnification
-9. Governing law and jurisdiction
-10. Changes to terms (notice requirements — varies by jurisdiction)
-11. Termination
-
-**Jurisdiction-specific additions:**
-- EU/GDPR: GDPR-compliant data processing reference, right to withdraw consent
-- UK: UK GDPR alignment, Consumer Rights Act considerations
-- California: CCPA rights reference, automatic renewal law compliance
-- Australia: Australian Consumer Law mandatory guarantees
+
+Draft a Terms of Service using the active region and regulation context.
 
 ---
 
 ### `/draft-privacy-policy`
-Draft a Privacy Policy.
-
-Read `primaryRegulation` for required sections (GDPR Article 13, POPIA Section 18, CCPA 1798.100, etc.).
-
-**Core sections (all jurisdictions):**
-1. Who we are (identity and contact details of data controller)
-2. What data we collect (categories, sources)
-3. How we use it (purposes and legal bases)
-4. Who we share it with (third parties, processors, transfers)
-5. How long we keep it (retention periods per category)
-6. Your rights (list applicable rights for the jurisdiction)
-7. How to exercise your rights (contact method, response time)
-8. Cookies and tracking (consent requirements vary by jurisdiction)
-9. Changes to this policy
-10. Contact us
+
+Draft a Privacy Policy that reflects the active primary regulation.
 
 ---
 
 ### `/review-contract <type>`
-Review a provided contract excerpt for red flags.
 
-**Red flags to check:**
-- Unfavourable IP assignment (assigning all IP rather than licensing)
-- Unlimited or uncapped liability
-- Unilateral right to modify terms without notice
-- Broad indemnification clauses
-- Auto-renewal without adequate notice period
-- Jurisdiction in an inconvenient or hostile forum
-- Missing data security obligations (for contracts involving personal data)
-- Missing limitation of liability clause
-- Perpetual, irrevocable licence grants without adequate consideration
-
-**Output:** Red flag list with: clause, risk level (Critical/High/Medium/Low), recommended alternative language.
+Review a contract excerpt for red flags, risk level, and alternative language.
 
 ---
 
 ### `/cla-setup`
-Recommend CLA vs DCO approach for an OSS project; draft the chosen document.
-
-**Decision framework:**
-- **DCO** (recommended for most OSS): simpler, git-based (`Signed-off-by`), no infrastructure needed, good for projects that don't expect commercial contributors
-- **Individual CLA**: when you need explicit patent grants, IP assignment clarity, or company-specific terms
-- **Corporate CLA**: when companies contribute on behalf of employees and need entity-level agreement
 
-**Factors favouring CLA:**
-- Project may be commercialised or relicensed in future
-- You need patent licence grants beyond what DCO provides
-- Enterprise contributors require formal agreements
-
-**Factors favouring DCO:**
-- Lower friction for contributors (no click-wrap process)
-- GitHub DCO check bot is simple to set up
-- Apache Software Foundation, Linux Foundation projects use it successfully
+Recommend CLA vs DCO and draft the chosen contribution-ownership path.
 
 ---
 
 ## Delegation Patterns
 
-When the question is about technical security controls, audit evidence, or implementation:
-
-Escalate to `wunderkind:ciso` directly.
-
-When the question is about incident response execution or SLO breach:
-
-Escalate to `wunderkind:fullstack-wunderkind` directly.
-
-(Legal Counsel is fully advisory — no sub-skill delegation via `task()`.)
+- Escalate technical security controls or audit evidence to `ciso`.
+- Escalate incident-response execution or SLO breach handling to `fullstack-wunderkind`.
+- Legal Counsel stays advisory and does not delegate through sub-skills.
 
 ---