@groupby/ai-dev 0.5.8 → 0.5.9

package/teams/agentic-checkout/prompts/review-change.md

@@ -2,6 +2,8 @@
 
 Review the current changes in `components/`.
 
+Use **Claude Sonnet 4.6** (`claude-sonnet-4.6`) for this workflow. If the current session is not already using Claude Sonnet 4.6, switch to it before performing the review.
+
 ## Review Focus
 
 - Correctness and regressions
@@ -9,6 +11,7 @@ Review the current changes in `components/`.
 - Producer/consumer alignment for events and APIs
 - Validation and error handling
 - Secret leakage in logs/config/examples
+- Secret-bearing files or token patterns that would be committed or pushed
 - Missing or weak tests
 - Build/test risk
 
@@ -30,7 +33,7 @@ Lead with findings:
 
 ## Checks
 
-- {command}: {result}
+- {component-dir} `{command}`: {result}
 
 ## Summary
 
@@ -41,4 +44,7 @@ If no issues are found, say that clearly and list residual risks.
 
 ## Optional Next Step
 
-If findings or suggestions are reported and code updates are required, run `prompts/fix-review-findings.md`.
+If findings or suggestions are reported and code updates are required:
+
+1. Use the `secret-safety` skill if any findings involve config, examples, logs, or credential-adjacent files before editing.
+2. Run `prompts/fix-review-findings.md`.

package/teams/agentic-checkout/scripts/check-secrets

@@ -0,0 +1,51 @@
+#!/usr/bin/env sh
+set -eu
+
+target="${1:-.}"
+repo_root="$(CDPATH='' cd -- "$target" && git rev-parse --show-toplevel)"
+
+cd "$repo_root"
+
+fail=0
+
+suspicious_files="$(
+  git ls-files --cached --others --exclude-standard | awk '
+    function basename(path, parts, count) {
+      count = split(path, parts, "/")
+      return parts[count]
+    }
+    {
+      name = basename($0)
+      if (name == ".env" ||
+          (name ~ /^\.env\./ && name !~ /^\.env\.(example|sample|template)$/) ||
+          name ~ /^(id_rsa|id_dsa|id_ecdsa|id_ed25519)$/ ||
+          name ~ /\.(pem|key|p12|pfx|jks|keystore)$/ ||
+          name ~ /^(credentials|secrets)\.(json|ya?ml|toml|ini)$/) {
+        print $0
+      }
+    }
+  '
+)"
+
+if [ -n "$suspicious_files" ]; then
+  echo "Potential secret-bearing files are tracked:" >&2
+  echo "$suspicious_files" >&2
+  fail=1
+fi
+
+secret_pattern='-----BEGIN (RSA |OPENSSH |EC |DSA )?PRIVATE KEY-----|gh[pousr]_[A-Za-z0-9_]{36,}|github_pat_[A-Za-z0-9_]{22,}|AKIA[0-9A-Z]{16}|ASIA[0-9A-Z]{16}|xox[baprs]-[A-Za-z0-9-]{20,}|(sk|rk)_live_[A-Za-z0-9]{20,}|SG\.[A-Za-z0-9_-]{16,}\.[A-Za-z0-9_-]{16,}|AIza[0-9A-Za-z_-]{35}'
+
+matches="$(git grep --untracked --exclude-standard -nIE -e "$secret_pattern" -- . || true)"
+
+if [ -n "$matches" ]; then
+  echo "Potential hard-coded secrets found in tracked files:" >&2
+  echo "$matches" >&2
+  fail=1
+fi
+
+if [ "$fail" -ne 0 ]; then
+  echo "Secret scan failed. Remove secrets from tracked files and use environment variables or local untracked config." >&2
+  exit "$fail"
+fi
+
+echo "Secret scan passed for $repo_root"

package/teams/agentic-checkout/scripts/install-git-hooks

@@ -0,0 +1,15 @@
+#!/usr/bin/env sh
+set -eu
+
+repo_root="$(CDPATH='' cd -- "$(dirname -- "$0")/.." && pwd)"
+hook_dir="$repo_root/.git/hooks"
+
+if [ ! -d "$hook_dir" ]; then
+  echo "error: git hooks directory not found: $hook_dir" >&2
+  exit 1
+fi
+
+cp "$repo_root/hooks/pre-push" "$hook_dir/pre-push"
+chmod +x "$hook_dir/pre-push"
+
+echo "Installed pre-push secret scan hook"

package/teams/agentic-checkout/scripts/local-fast-report

@@ -0,0 +1,5 @@
+#!/usr/bin/env sh
+set -eu
+
+script_dir="$(CDPATH='' cd -- "$(dirname -- "$0")" && pwd)"
+exec "$script_dir/local-report" "$@"

package/teams/agentic-checkout/scripts/local-report

@@ -0,0 +1,205 @@
+#!/usr/bin/env sh
+set -eu
+
+script_dir="$(CDPATH='' cd -- "$(dirname -- "$0")" && pwd)"
+framework_dir="$(CDPATH='' cd -- "$script_dir/.." && pwd)"
+tmp_dir="$framework_dir/tmp"
+model="${BC_FORGE_LOCAL_MODEL:-qwen2.5-coder:1.5b}"
+mode="${BC_FORGE_LOCAL_FAST_MODEL_MODE:-off}"
+mkdir -p "$tmp_dir"
+
+usage() {
+  printf '%s\n' \
+    "Usage: scripts/local-report <kind> [args...]" \
+    "       scripts/local-fast-report <kind> [args...]" \
+    "" \
+    "Run an approved deterministic report and summarize it with the local fast model." \
+    "Mode is controlled by BC_FORGE_LOCAL_FAST_MODEL_MODE=auto|always|off (default: off)." \
+    "" \
+    "Kinds:" \
+    "  sync          Run scripts/sync-components" \
+    "  deps-start    Run scripts/start-deps" \
+    "  deps-status   Run scripts/status-deps" \
+    "  deps-stop     Run scripts/stop-deps" \
+    "  deps-logs     Summarize bounded dependency logs (default tail: 200)" \
+    "  git-status    Summarize framework git status" \
+    "  diff-stat     Summarize framework diff stat and changed files" \
+    "  workspace     Summarize component checkout presence/branch/dirty state" \
+    "  secrets       Run scripts/check-secrets .; summarize pass only" \
+    "  hooks         Run scripts/install-git-hooks"
+}
+
+sanitize_for_model() {
+  sed -E \
+    -e 's/-----BEGIN ([A-Z0-9 ]+)?PRIVATE KEY-----/[REDACTED PRIVATE KEY]/g' \
+    -e 's/gh[pousr]_[A-Za-z0-9_]{36,}/[REDACTED GITHUB TOKEN]/g' \
+    -e 's/github_pat_[A-Za-z0-9_]{22,}/[REDACTED GITHUB TOKEN]/g' \
+    -e 's/(AKIA|ASIA)[0-9A-Z]{16}/[REDACTED AWS KEY]/g' \
+    -e 's/xox[baprs]-[A-Za-z0-9-]{20,}/[REDACTED SLACK TOKEN]/g' \
+    -e 's/(sk|rk)_live_[A-Za-z0-9]{20,}/[REDACTED LIVE KEY]/g' \
+    -e 's/SG\.[A-Za-z0-9_-]{16,}\.[A-Za-z0-9_-]{16,}/[REDACTED SENDGRID TOKEN]/g' \
+    -e 's/AIza[0-9A-Za-z_-]{35}/[REDACTED GOOGLE API KEY]/g'
+}
+
+summarize_file() {
+  input_file="$1"
+  case "$mode" in
+    off)
+      echo "Local fast model mode is off; using hosted model for this summary." >&2
+      ;;
+    always)
+      echo "Summarizing deterministic output with required local fast model: $model (mode: always)" >&2
+      ;;
+    auto)
+      echo "Attempting deterministic output summary with local fast model: $model (mode: auto)" >&2
+      ;;
+    *)
+      echo "Invalid BC_FORGE_LOCAL_FAST_MODEL_MODE: $mode" >&2
+      return 2
+      ;;
+  esac
+  if ! "$script_dir/local-summarize" < "$input_file"; then
+    if [ "$mode" = "always" ]; then
+      echo "Local fast model is required but unavailable; not falling back to the hosted model." >&2
+      return 79
+    fi
+    echo "Local fast model is not available; falling back to the hosted model for this summary." >&2
+    echo "Deterministic output for hosted-model summary:" >&2
+    cat "$input_file"
+  fi
+}
+
+run_and_summarize() {
+  output_file="$tmp_dir/local-report.$$"
+  if "$@" > "$output_file" 2>&1; then
+    status=0
+  else
+    status=$?
+  fi
+  sanitize_for_model < "$output_file" > "$output_file.sanitized"
+  summarize_file "$output_file.sanitized"
+  rm -f "$output_file" "$output_file.sanitized"
+  return "$status"
+}
+
+workspace_inventory() {
+  components_file="$framework_dir/components.txt"
+  if [ ! -f "$components_file" ]; then
+    echo "missing components.txt"
+    return 1
+  fi
+
+  awk '
+    {
+      sub(/\r$/, "")
+      sub(/^[[:space:]]+/, "")
+      sub(/[[:space:]]+$/, "")
+      if ($0 != "" && $0 !~ /^#/) print
+    }
+  ' "$components_file" | while IFS= read -r remote || [ -n "$remote" ]; do
+    repo_name="${remote##*/}"
+    repo_name="${repo_name%.git}"
+    repo_path="$framework_dir/components/$repo_name"
+
+    if [ ! -d "$repo_path" ]; then
+      printf 'missing %s\n' "$repo_name"
+      continue
+    fi
+
+    if ! git -C "$repo_path" rev-parse --is-inside-work-tree >/dev/null 2>&1; then
+      printf 'not-git-repository %s\n' "$repo_name"
+      continue
+    fi
+
+    branch="$(git -C "$repo_path" branch --show-current)"
+    if [ -n "$(git -C "$repo_path" status --short)" ]; then
+      state="dirty"
+    else
+      state="clean"
+    fi
+
+    printf 'component %s branch=%s state=%s\n' "$repo_name" "${branch:-detached}" "$state"
+  done
+}
+
+if [ "$#" -lt 1 ]; then
+  usage >&2
+  exit 2
+fi
+
+kind="$1"
+shift
+
+case "$kind" in
+  -h|--help)
+    usage
+    ;;
+  sync)
+    run_and_summarize "$script_dir/sync-components" "$@"
+    ;;
+  deps-start)
+    run_and_summarize "$script_dir/start-deps" "$@"
+    ;;
+  deps-status)
+    run_and_summarize "$script_dir/status-deps" "$@"
+    ;;
+  deps-stop)
+    run_and_summarize "$script_dir/stop-deps" "$@"
+    ;;
+  deps-logs)
+    output_file="$tmp_dir/local-report.$$"
+    log_tail="${BC_FORGE_LOG_TAIL:-200}"
+    if docker compose -f "$framework_dir/docker-compose.dependencies.yml" logs --no-color --tail="$log_tail" "$@" > "$output_file" 2>&1; then
+      status=0
+    else
+      status=$?
+    fi
+    sanitize_for_model < "$output_file" > "$output_file.sanitized"
+    summarize_file "$output_file.sanitized"
+    rm -f "$output_file" "$output_file.sanitized"
+    exit "$status"
+    ;;
+  git-status)
+    output_file="$tmp_dir/local-report.$$"
+    {
+      git -C "$framework_dir" status --short --branch
+      git -C "$framework_dir" log --oneline --max-count=3
+    } > "$output_file" 2>&1
+    summarize_file "$output_file"
+    rm -f "$output_file"
+    ;;
+  diff-stat)
+    output_file="$tmp_dir/local-report.$$"
+    {
+      git -C "$framework_dir" diff --stat
+      git -C "$framework_dir" diff --name-only
+    } > "$output_file" 2>&1
+    summarize_file "$output_file"
+    rm -f "$output_file"
+    ;;
+  workspace)
+    output_file="$tmp_dir/local-report.$$"
+    workspace_inventory > "$output_file" 2>&1
+    summarize_file "$output_file"
+    rm -f "$output_file"
+    ;;
+  secrets)
+    output_file="$tmp_dir/local-report.$$"
+    if "$script_dir/check-secrets" "$framework_dir" > "$output_file" 2>&1; then
+      summarize_file "$output_file"
+      rm -f "$output_file"
+    else
+      cat "$output_file" >&2
+      rm -f "$output_file"
+      echo "Secret scan failed; not sending failure output to any model." >&2
+      exit 1
+    fi
+    ;;
+  hooks)
+    run_and_summarize "$script_dir/install-git-hooks" "$@"
+    ;;
+  *)
+    usage >&2
+    exit 2
+    ;;
+esac

package/teams/agentic-checkout/scripts/local-summarize

@@ -0,0 +1,47 @@
+#!/usr/bin/env sh
+set -eu
+
+script_dir="$(CDPATH='' cd -- "$(dirname -- "$0")" && pwd)"
+model="${BC_FORGE_LOCAL_MODEL:-qwen2.5-coder:1.5b}"
+mode="${BC_FORGE_LOCAL_FAST_MODEL_MODE:-off}"
+input="$(cat)"
+
+if [ -z "$input" ]; then
+  echo "No input received on stdin." >&2
+  echo "Usage: <command> | scripts/local-summarize" >&2
+  exit 2
+fi
+
+case "$mode" in
+  off)
+    echo "Local fast model mode is off; use the hosted model for this summary." >&2
+    exit 78
+    ;;
+  auto|always) ;;
+  *)
+    echo "Invalid BC_FORGE_LOCAL_FAST_MODEL_MODE: $mode" >&2
+    exit 2
+    ;;
+esac
+
+if ! "$script_dir/setup-local-fast-model" >/dev/null; then
+  if [ "$mode" = "always" ]; then
+    echo "Local fast model is required but not available; not falling back to hosted summary." >&2
+    exit 79
+  fi
+  echo "Local fast model is not available; use the hosted model for this summary." >&2
+  exit 78
+fi
+
+echo "Using local fast model for summary: $model (mode: $mode)" >&2
+
+{
+  printf '%s\n' "Summarize this deterministic command output for a developer."
+  printf '%s\n' "Rules:"
+  printf '%s\n' "- Be concise."
+  printf '%s\n' "- Report pass/fail/skipped items exactly when present."
+  printf '%s\n' "- Do not infer code behavior, propose code changes, or debug failures."
+  printf '%s\n' "- If output mentions possible secrets, say to inspect the scanner output manually and do not reproduce secret-like values."
+  printf '\n%s\n\n' "Command output:"
+  printf '%s\n' "$input"
+} | ollama run "$model"

package/teams/agentic-checkout/scripts/logs-deps

@@ -0,0 +1,9 @@
+#!/usr/bin/env sh
+set -eu
+
+script_dir="$(CDPATH= cd -- "$(dirname -- "$0")" && pwd)"
+framework_dir="$(CDPATH= cd -- "$script_dir/.." && pwd)"
+
+cd "$framework_dir"
+docker compose -f docker-compose.dependencies.yml logs -f "$@"
+

package/teams/agentic-checkout/scripts/setup-local-fast-model

@@ -0,0 +1,20 @@
+#!/usr/bin/env sh
+set -eu
+
+model="${BC_FORGE_LOCAL_MODEL:-qwen2.5-coder:1.5b}"
+
+if ! command -v ollama >/dev/null 2>&1; then
+  echo "Ollama is required for the local fast model workflow." >&2
+  echo "Install it with: brew install ollama" >&2
+  echo "Then start it with: ollama serve" >&2
+  exit 127
+fi
+
+if ollama list | awk 'NR > 1 { print $1 }' | grep -Fx "$model" >/dev/null 2>&1; then
+  printf 'Local fast model already available: %s\n' "$model"
+  exit 0
+fi
+
+printf 'Downloading local fast model: %s\n' "$model"
+ollama pull "$model"
+printf 'Local fast model ready: %s\n' "$model"

package/teams/agentic-checkout/scripts/start-deps

@@ -0,0 +1,15 @@
+#!/usr/bin/env sh
+set -eu
+
+script_dir="$(CDPATH= cd -- "$(dirname -- "$0")" && pwd)"
+framework_dir="$(CDPATH= cd -- "$script_dir/.." && pwd)"
+
+cd "$framework_dir"
+docker compose -f docker-compose.dependencies.yml up -d "$@"
+
+printf '\nDependencies are starting.\n'
+printf 'RabbitMQ:   amqp://guest:guest@localhost:5672  UI: http://localhost:15672\n'
+printf 'PostgreSQL: postgres://postgres:postgres@localhost:5432/bc_agent_db\n'
+printf 'OTEL:       grpc://localhost:4319  http://localhost:4320  metrics: http://localhost:8890\n'
+printf 'Jaeger:     http://localhost:16687\n'
+printf 'Prometheus: http://localhost:9091\n'

package/teams/agentic-checkout/scripts/status-deps

@@ -0,0 +1,9 @@
+#!/usr/bin/env sh
+set -eu
+
+script_dir="$(CDPATH= cd -- "$(dirname -- "$0")" && pwd)"
+framework_dir="$(CDPATH= cd -- "$script_dir/.." && pwd)"
+
+cd "$framework_dir"
+docker compose -f docker-compose.dependencies.yml ps
+

package/teams/agentic-checkout/scripts/stop-deps

@@ -0,0 +1,9 @@
+#!/usr/bin/env sh
+set -eu
+
+script_dir="$(CDPATH= cd -- "$(dirname -- "$0")" && pwd)"
+framework_dir="$(CDPATH= cd -- "$script_dir/.." && pwd)"
+
+cd "$framework_dir"
+docker compose -f docker-compose.dependencies.yml down "$@"
+

package/teams/agentic-checkout/scripts/sync-components

@@ -0,0 +1,110 @@
+#!/usr/bin/env sh
+set -eu
+
+script_dir="$(CDPATH='' cd -- "$(dirname -- "$0")" && pwd)"
+framework_dir="$(CDPATH='' cd -- "$script_dir/.." && pwd)"
+components_file="$framework_dir/components.txt"
+components_dir="$framework_dir/components"
+tmp_dir="$framework_dir/tmp"
+entries_file="$tmp_dir/sync-components.entries"
+fail=0
+
+usage() {
+  printf '%s\n' \
+    "Usage: scripts/sync-components" \
+    "" \
+    "Clone missing repositories from components.txt into components/ and sync existing" \
+    "repositories by checking out main, fetching origin/main, and rebasing main onto origin/main." \
+    "" \
+    "Dirty existing repositories are skipped to avoid destructive changes."
+}
+
+if [ "${1:-}" = "-h" ] || [ "${1:-}" = "--help" ]; then
+  usage
+  exit 0
+fi
+
+if [ "$#" -ne 0 ]; then
+  usage >&2
+  exit 2
+fi
+
+if [ ! -f "$components_file" ]; then
+  echo "failed: components.txt not found at $components_file" >&2
+  exit 1
+fi
+
+mkdir -p "$components_dir" "$tmp_dir"
+
+awk '
+  {
+    sub(/\r$/, "")
+    sub(/^[[:space:]]+/, "")
+    sub(/[[:space:]]+$/, "")
+    if ($0 != "" && $0 !~ /^#/) print
+  }
+' "$components_file" > "$entries_file"
+
+while IFS= read -r remote || [ -n "$remote" ]; do
+  repo_name="${remote##*/}"
+  repo_name="${repo_name%.git}"
+  repo_path="$components_dir/$repo_name"
+
+  if [ -z "$repo_name" ] || [ "$repo_name" = "$remote" ]; then
+    printf 'failed invalid-entry %s\n' "$remote" >&2
+    fail=1
+    continue
+  fi
+
+  if [ ! -d "$repo_path" ]; then
+    if git clone "$remote" "$repo_path"; then
+      printf 'cloned %s\n' "$repo_name"
+    else
+      printf 'failed clone %s\n' "$repo_name" >&2
+      fail=1
+      continue
+    fi
+  else
+    printf 'exists %s\n' "$repo_name"
+  fi
+
+  if ! git -C "$repo_path" rev-parse --is-inside-work-tree >/dev/null 2>&1; then
+    printf 'failed not-git-repository %s\n' "$repo_name" >&2
+    fail=1
+    continue
+  fi
+
+  if [ -n "$(git -C "$repo_path" status --short)" ]; then
+    printf 'skipped-dirty %s\n' "$repo_name" >&2
+    continue
+  fi
+
+  if ! git -C "$repo_path" checkout main >/dev/null 2>&1; then
+    if ! git -C "$repo_path" fetch origin main; then
+      printf 'failed fetch-before-checkout %s\n' "$repo_name" >&2
+      fail=1
+      continue
+    fi
+    if ! git -C "$repo_path" checkout main >/dev/null 2>&1; then
+      printf 'failed checkout-main %s\n' "$repo_name" >&2
+      fail=1
+      continue
+    fi
+  fi
+  printf 'checked-out-main %s\n' "$repo_name"
+
+  if ! git -C "$repo_path" fetch origin main; then
+    printf 'failed fetch-main %s\n' "$repo_name" >&2
+    fail=1
+    continue
+  fi
+
+  if git -C "$repo_path" rebase origin/main; then
+    printf 'rebased-main %s\n' "$repo_name"
+  else
+    printf 'failed rebase-main %s\n' "$repo_name" >&2
+    fail=1
+  fi
+done < "$entries_file"
+
+exit "$fail"

package/teams/agentic-checkout/skills/approval-gated-task-execution/SKILL.md

@@ -0,0 +1,57 @@
+---
+name: approval-gated-task-execution
+description: Execute planned implementation tasks sequentially with per-task approval, critique, scoped sub-agents, handoff bundles, and a final integration gate.
+license: MIT
+---
+
+# Approval-Gated Task Execution
+
+Use this skill when implementing an approved component plan.
+
+## Workflow
+
+1. Build an execution matrix from the approved plan:
+   - task
+   - affected component
+   - dependencies
+   - files/contracts
+   - verification checks
+2. Execute tasks sequentially, one task at a time, in approved plan order.
+3. Before each task starts, prepare a short approval summary containing:
+   - goal
+   - affected component
+   - key files/contracts
+   - risks
+   - checks
+   - rollback note
+4. Apply the `karpathy-guidelines` skill to the task summary before the critique: check for overcomplication, scope creep, and missing success criteria.
+5. Run a quick rubber-duck critique on the task summary before implementation.
+   - In Brain Checkout implementation workflows, rely on the current session/default model for the rubber-duck sub-agent unless the user requests another model.
+6. If the critique flags a likely flaw, pause, revise the task summary, and get user approval again.
+7. After approval, use a component-scoped sub-agent when useful to keep context small.
+   - In Brain Checkout implementation workflows, rely on the current session/default model for implementation/check sub-agents unless the user requests another model.
+8. Hard-limit the sub-agent to task-scoped files unless the user explicitly approves broader scan access.
+9. After the task completes, capture a compact result bundle:
+   - files changed
+   - spec/contract deltas
+   - tests/checks run
+   - unresolved risks
+10. Use the completed task result bundle as the primary handoff artifact for the next task instead of replaying full history.
+11. After all tasks finish, run a final integration gate across affected components and summarize:
+    - cross-component contract consistency status
+    - all task result bundles
+    - unresolved risks
+
+## Rules
+
+- Follow the approved plan exactly; do not derail from the plan or reorder tasks unless the plan itself is updated first.
+- Implement every planned item; do not leave planned tasks partially done or forgotten.
+- For multi-component work, implement the plan across all affected components.
+- Do not ask the user to choose which planned tasks to do; all approved plan tasks must be executed.
+- If new required work is discovered outside the approved plan, stop, update the plan, and re-approve before continuing.
+- On failed checks, keep fixing within the same task until passing, unless blocked.
+- Treat a task as blocked only when required information is missing, destructive action on a dirty repository is needed, or external credentials/access are required.
+- Make only the changes needed for the plan scope.
+- Preserve existing formatting and component patterns.
+- Do not add unrelated dependencies.
+- Do not edit out-of-scope folders.

package/teams/agentic-checkout/skills/component-verification/SKILL.md

@@ -0,0 +1,34 @@
+---
+name: component-verification
+description: Select and run the relevant Brain Checkout component checks using AGENTS.md as the canonical verification matrix.
+license: MIT
+---
+
+# Component Verification
+
+Use this skill when code, specs, contracts, prompts, or component behavior changes need verification.
+
+## Source Of Truth
+
+Use the verification matrix in `AGENTS.md` as the canonical source for component install, test, build, lint, and format commands.
+
+## Workflow
+
+1. Identify touched components from changed files and plan scope.
+2. Read component-local `.github/copilot-instructions.md` when present and prefer any narrower local check guidance.
+3. Run the narrowest relevant check first.
+4. Broaden verification when the change touches:
+   - shared contracts
+   - event payloads
+   - public APIs
+   - payment framework libraries
+   - cross-component producer/consumer behavior
+5. For documentation-only harness changes, review the diff; do not run component builds unless docs have dedicated checks.
+6. Report commands run, results, checks intentionally skipped, and remaining risk.
+
+## Rules
+
+- Run checks from the affected component directory.
+- Do not invent new tooling or commands.
+- Do not copy verification command lists into prompts; reference `AGENTS.md`.
+- If a check is unavailable or known unsupported in the current component, report that explicitly and run the nearest meaningful check.

package/teams/agentic-checkout/skills/grill-me/SKILL.md

@@ -0,0 +1,23 @@
+---
+name: grill-me
+description: Interview the user relentlessly about a plan or design until reaching shared understanding, resolving each branch of the decision tree. Use when user wants to stress-test a plan, get grilled on their design, or mentions "grill me".
+license: MIT
+---
+
+# Grill Me
+
+## Workflow
+
+1. Ask the user what plan or design to stress-test if not already stated.
+2. Identify the top-level decision branches in the plan.
+3. Walk through each branch sequentially, resolving dependencies between decisions before moving on.
+4. For each question, provide your recommended answer before asking.
+5. If a question can be answered by exploring the codebase, explore it and present the finding instead of asking.
+6. Continue until every branch is resolved and a shared understanding is reached.
+
+## Rules
+
+- One question per turn — do not stack multiple questions.
+- Do not accept vague answers; follow up until the answer is concrete.
+- Surface tradeoffs explicitly for each design decision.
+- Recommend an answer for every question you raise.