@hegemonart/get-design-done 1.0.7 → 1.14.1

package/reference/schemas/config.schema.json

@@ -36,6 +36,10 @@
           }
         }
       }
+    },
+    "update_dismissed": {
+      "type": "string",
+      "description": "Latest plugin tag (e.g. \"v1.0.7.3\") whose update nudge the user has dismissed. Set by /gdd:check-update --dismiss and by hooks/update-check.sh on the --dismiss code path. When a newer tag ships, the nudge reappears."
     }
   }
 }

package/reference/schemas/marketplace.schema.json

@@ -25,7 +25,7 @@
       "required": ["description", "version"],
       "properties": {
         "description": { "type": "string", "minLength": 1 },
-        "version": { "type": "string", "pattern": "^\\d+\\.\\d+\\.\\d+$" }
+        "version": { "type": "string", "pattern": "^\\d+\\.\\d+\\.\\d+(\\.\\d+)?$" }
       }
     },
     "plugins": {
@@ -48,7 +48,7 @@
           "name": { "type": "string", "minLength": 1 },
           "source": { "type": "string", "minLength": 1 },
           "description": { "type": "string", "minLength": 1 },
-          "version": { "type": "string", "pattern": "^\\d+\\.\\d+\\.\\d+$" },
+          "version": { "type": "string", "pattern": "^\\d+\\.\\d+\\.\\d+(\\.\\d+)?$" },
           "author": {
             "type": "object",
             "additionalProperties": true,

package/reference/schemas/plugin.schema.json

@@ -28,7 +28,7 @@
     },
     "version": {
       "type": "string",
-      "pattern": "^\\d+\\.\\d+\\.\\d+$"
+      "pattern": "^\\d+\\.\\d+\\.\\d+(\\.\\d+)?$"
     },
     "description": {
       "type": "string",

package/scripts/aggregate-agent-metrics.js

@@ -25,6 +25,7 @@ const os = require('os');
 const CWD = process.cwd();
 const TELEMETRY_PATH = path.join(CWD, '.design', 'telemetry', 'costs.jsonl');
 const METRICS_PATH = path.join(CWD, '.design', 'agent-metrics.json');
+const PHASE_TOTALS_PATH = path.join(CWD, '.design', 'telemetry', 'phase-totals.json');
 const AGENTS_DIR = path.join(CWD, 'agents');
 
 // ---- frontmatter reader (no YAML dep) ----
@@ -124,6 +125,18 @@ function writeAtomic(filePath, content) {
   fs.renameSync(tmp, filePath);
 }
 
+// ---- phase totals aggregator (WR-02: avoids full JSONL replay in budget enforcer) ----
+function aggregateByPhase(rows) {
+  const byPhase = {};
+  for (const r of rows) {
+    const phase = r.phase || 'unknown';
+    byPhase[phase] = (byPhase[phase] || 0) + Number(r.est_cost_usd || 0);
+  }
+  // Round to 6dp to match per-agent precision
+  for (const k of Object.keys(byPhase)) byPhase[k] = Number(byPhase[k].toFixed(6));
+  return byPhase;
+}
+
 // ---- main ----
 function main() {
   const rows = readTelemetryRows();
@@ -133,6 +146,13 @@ function main() {
     agents,
   };
   writeAtomic(METRICS_PATH, JSON.stringify(payload, null, 2) + '\n');
+  // Write lightweight phase-totals.json so budget-enforcer can read phase spend
+  // in O(1) without replaying the full JSONL on every agent spawn (WR-02).
+  const phaseTotals = {
+    generated_at: new Date().toISOString(),
+    totals: aggregateByPhase(rows),
+  };
+  writeAtomic(PHASE_TOTALS_PATH, JSON.stringify(phaseTotals, null, 2) + '\n');
 }
 
 try {

package/scripts/build-intel.cjs

@@ -17,7 +17,7 @@
 
 const fs = require('fs');
 const path = require('path');
-const { execSync } = require('child_process');
+const { spawnSync } = require('child_process');
 
 const ROOT = process.cwd();
 const INTEL_DIR = path.join(ROOT, '.design', 'intel');
@@ -46,15 +46,23 @@ function writeSlice(name, data) {
 
 function gitHash(filePath) {
   try {
-    return execSync(`git log -1 --format=%h -- "${filePath}"`, { stdio: ['pipe', 'pipe', 'ignore'] })
-      .toString().trim() || 'untracked';
+    const r = spawnSync('git', ['log', '-1', '--format=%h', '--', filePath], {
+      stdio: ['pipe', 'pipe', 'ignore'],
+      encoding: 'utf8',
+      timeout: 5000,
+    });
+    return r.stdout.trim() || 'untracked';
   } catch { return 'untracked'; }
 }
 
 function headHash() {
   try {
-    return execSync('git rev-parse --short HEAD', { stdio: ['pipe', 'pipe', 'ignore'] })
-      .toString().trim();
+    const r = spawnSync('git', ['rev-parse', '--short', 'HEAD'], {
+      stdio: ['pipe', 'pipe', 'ignore'],
+      encoding: 'utf8',
+      timeout: 5000,
+    });
+    return r.stdout.trim() || 'unknown';
   } catch { return 'unknown'; }
 }
 

package/scripts/injection-patterns.cjs

@@ -0,0 +1,17 @@
+'use strict';
+// Shared prompt-injection patterns — single source of truth for both
+// hooks/gdd-read-injection-scanner.js (runtime hook) and
+// scripts/run-injection-scanner-ci.cjs (CI scanner).
+// Add new patterns here; both consumers pick them up automatically.
+
+const INJECTION_PATTERNS = [
+  { name: 'ignore previous',         re: /ignore\s+(all\s+)?(previous|prior|above)\s+instructions?/i },
+  { name: 'disregard previous',      re: /disregard\s+(all\s+)?(previous|prior|above)\s+instructions?/i },
+  { name: 'you are now a different', re: /you\s+are\s+now\s+a\s+different/i },
+  { name: 'system: you are',         re: /system\s*:\s*you\s+are/i },
+  { name: 'role tag injection',      re: /<\s*\/?\s*(system|assistant|human)\s*>/i },
+  { name: '[INST] fragment',         re: /\[INST\]/i },
+  { name: '### instruction fragment',re: /###\s*instruction/i },
+];
+
+module.exports = { INJECTION_PATTERNS };

package/scripts/run-injection-scanner-ci.cjs

@@ -13,16 +13,7 @@ const path = require('path');
 
 const REPO_ROOT = path.resolve(__dirname, '..');
 
-// Patterns mirror hooks/gdd-read-injection-scanner.js.
-const INJECTION_PATTERNS = [
-  { name: 'ignore previous', re: /ignore\s+(all\s+)?(previous|prior|above)\s+instructions?/i },
-  { name: 'disregard previous', re: /disregard\s+(all\s+)?(previous|prior|above)\s+instructions?/i },
-  { name: 'you are now a different', re: /you\s+are\s+now\s+a\s+different/i },
-  { name: 'system: you are', re: /system\s*:\s*you\s+are/i },
-  { name: 'role tag injection', re: /<\s*\/?\s*(system|assistant|human)\s*>/i },
-  { name: '[INST] fragment', re: /\[INST\]/i },
-  { name: '### instruction fragment', re: /###\s*instruction/i },
-];
+const { INJECTION_PATTERNS } = require('./injection-patterns.cjs');
 
 function walkMd(dir, out) {
   if (!fs.existsSync(dir)) return;

package/scripts/tests/test-authority-rejected-kinds.sh

@@ -0,0 +1,58 @@
+#!/usr/bin/env bash
+# test-authority-rejected-kinds.sh
+#
+# Asserts that reference/authority-feeds.md does NOT contain trend-aggregator
+# hosts OUTSIDE the explicit "## Rejected kinds" section. Enforces the anti-slop
+# thesis structurally (CONTEXT.md D-08, D-28).
+#
+# Exit 0 = clean. Exit 1 = at least one rejected host appeared in the active
+# whitelist, or the rejected-kinds section itself was removed.
+
+set -euo pipefail
+
+WHITELIST="${WHITELIST:-reference/authority-feeds.md}"
+
+if [ ! -f "$WHITELIST" ]; then
+  echo "FAIL: $WHITELIST not found." >&2
+  exit 1
+fi
+
+# Split the file at the "## Rejected kinds" heading. Everything BEFORE it is
+# the active whitelist; everything AFTER is the rejection manifest (which is
+# allowed to mention these hosts — that's the whole point).
+ACTIVE_SECTION="$(awk '/^## Rejected kinds/{exit} {print}' "$WHITELIST")"
+
+REJECTED_PATTERNS=(
+  'dribbble\.com'
+  'behance\.net'
+  'linkedin\.com'
+  'medium\.com/topic'
+  'producthunt\.com/posts'
+  'top[[:space:]]*10[[:space:]]*ui'
+  'trending-ui'
+)
+
+FAIL=0
+for pat in "${REJECTED_PATTERNS[@]}"; do
+  if echo "$ACTIVE_SECTION" | grep -iEq "$pat"; then
+    echo "FAIL: rejected pattern '$pat' matched in active whitelist section of $WHITELIST." >&2
+    FAIL=1
+  fi
+done
+
+if [ "$FAIL" -ne 0 ]; then
+  echo "" >&2
+  echo "The whitelist must not contain trend-aggregator hosts outside the '## Rejected kinds' block." >&2
+  echo "See .planning/phases/13.2-external-authority-watcher/13.2-CONTEXT.md §D-08." >&2
+  exit 1
+fi
+
+# Also assert the rejected-kinds section itself is present — regression against
+# someone deleting the section entirely.
+if ! grep -q '^## Rejected kinds$' "$WHITELIST"; then
+  echo "FAIL: '## Rejected kinds' section is missing from $WHITELIST." >&2
+  exit 1
+fi
+
+echo "OK: $WHITELIST passes rejected-kinds check."
+exit 0

package/scripts/tests/test-authority-watcher-diff.sh

@@ -0,0 +1,113 @@
+#!/usr/bin/env bash
+# test-authority-watcher-diff.sh
+#
+# Structural-only v1: validates that the frozen authority-report baseline at
+# test-fixture/baselines/phase-13.2/authority-report.expected.md preserves the
+# shape the watcher-diff test depends on. Full end-to-end byte-diff against a
+# live watcher run is deferred — CI cannot spawn Claude Code agents.
+#
+# What this test asserts (structural-only v1):
+#   1. The fixture directory exists and is non-empty.
+#   2. The baseline file exists, is non-empty, and starts with an Authority
+#      Report header.
+#   3. The baseline contains the canonical classification section headings in
+#      the D-21 weighted order (spec > heuristic > pattern > craft).
+#   4. The baseline declares a total-entries line consistent with the count of
+#      bulleted entries under its classification sections.
+#   5. The baseline ends with a `**Skipped:**` footer.
+#
+# Exit 0 = structural shape preserved. Exit 1 = shape drift detected.
+#
+# Full end-to-end byte-diff (running the watcher against the fixtures and
+# diffing stdout against the baseline) is a follow-up tracked in STATE.md
+# "Open follow-ups". When the agent runtime becomes available in CI this
+# script graduates from structural-only v1 to the full diff check.
+
+set -euo pipefail
+
+FIXTURE_DIR="test-fixture/authority-feeds"
+BASELINE="test-fixture/baselines/phase-13.2/authority-report.expected.md"
+
+if [ ! -d "$FIXTURE_DIR" ]; then
+  echo "FAIL: fixture dir $FIXTURE_DIR missing." >&2
+  exit 1
+fi
+
+# Count actual fixture files (should be 4 frozen feeds + 1 README; we only
+# care that at least one XML/JSON fixture is present).
+# Use null-delimited find to handle filenames with spaces/newlines (WR-05).
+FIXTURE_COUNT=0
+while IFS= read -r -d '' _f; do
+  FIXTURE_COUNT=$((FIXTURE_COUNT + 1))
+done < <(find "$FIXTURE_DIR" -maxdepth 1 -type f \( -name '*.atom' -o -name '*.rss' -o -name '*.json' \) -print0)
+if [ "$FIXTURE_COUNT" -lt 1 ]; then
+  echo "FAIL: $FIXTURE_DIR contains no feed fixtures (.atom/.rss/.json)." >&2
+  exit 1
+fi
+
+if [ ! -f "$BASELINE" ]; then
+  echo "FAIL: baseline $BASELINE missing." >&2
+  exit 1
+fi
+
+if [ ! -s "$BASELINE" ]; then
+  echo "FAIL: baseline $BASELINE is empty." >&2
+  exit 1
+fi
+
+# Header: must start with "# Authority Report"
+if ! head -1 "$BASELINE" | grep -q '^# Authority Report'; then
+  echo "FAIL: baseline does not begin with '# Authority Report' header." >&2
+  exit 1
+fi
+
+# Totals line must declare a non-negative surfaced-entries count.
+if ! grep -qE '^[0-9]+ entries surfaced across [0-9]+ feeds\. [0-9]+ skipped\.$' "$BASELINE"; then
+  echo "FAIL: baseline is missing the 'N entries surfaced across M feeds. K skipped.' totals line." >&2
+  exit 1
+fi
+
+# Classification sections — at least one of the four non-skip buckets must
+# appear. (Empty buckets are omitted by D-21, but a well-shaped baseline
+# always has at least one.)
+SECTION_HITS=0
+for heading in '^## spec-change' '^## heuristic-update' '^## pattern-guidance' '^## craft-tip'; do
+  if grep -qE "$heading" "$BASELINE"; then
+    SECTION_HITS=$((SECTION_HITS + 1))
+  fi
+done
+
+if [ "$SECTION_HITS" -lt 1 ]; then
+  echo "FAIL: baseline does not contain any classification heading (spec-change / heuristic-update / pattern-guidance / craft-tip)." >&2
+  exit 1
+fi
+
+# Count consistency check: the header's "N entries surfaced" must match the
+# total bulleted entries across the four classification sections.
+HEADER_COUNT=$(grep -oE '^[0-9]+ entries surfaced' "$BASELINE" | head -1 | grep -oE '^[0-9]+')
+
+# Extract the body between the first "## spec-change|heuristic-update|pattern-guidance|craft-tip"
+# heading and the closing "---" horizontal rule before the Skipped footer.
+BULLET_COUNT=$(awk '
+  /^## (spec-change|heuristic-update|pattern-guidance|craft-tip)/ { in_section=1; next }
+  /^---$/ { in_section=0 }
+  in_section && /^- / { count++ }
+  END { print count+0 }
+' "$BASELINE")
+
+if [ "$HEADER_COUNT" != "$BULLET_COUNT" ]; then
+  echo "FAIL: baseline header declares $HEADER_COUNT entries but the classification sections contain $BULLET_COUNT bullets." >&2
+  echo "      Counts MUST match — regenerate the baseline or fix the header." >&2
+  exit 1
+fi
+
+# Footer: must have a Skipped line.
+if ! grep -qE '^\*\*Skipped:\*\*' "$BASELINE"; then
+  echo "FAIL: baseline is missing the '**Skipped:**' footer line." >&2
+  exit 1
+fi
+
+echo "OK: authority-report baseline shape preserved (structural-only v1)."
+echo "    Fixtures: $FIXTURE_COUNT files under $FIXTURE_DIR"
+echo "    Entries:  $HEADER_COUNT (header) = $BULLET_COUNT (bullets)"
+exit 0

package/scripts/validate-schemas.cjs

@@ -69,6 +69,14 @@ const PAIRS = [
     data: null,
     required: false,
   },
+  {
+    name: 'authority-snapshot',
+    schema: 'reference/schemas/authority-snapshot.schema.json',
+    // .design/authority-snapshot.json is runtime-only (gitignored via .design/).
+    // Only schema-compile it; Phase 13.2-02's watcher emits the data file at runtime.
+    data: null,
+    required: false,
+  },
 ];
 
 const USE_NPX = !process.argv.includes('--no-npx');
@@ -76,11 +84,20 @@ const USE_NPX = !process.argv.includes('--no-npx');
 /**
  * Try running ajv-cli via npx. Returns { ok, stdout, stderr, status, fetchFailed }.
  * fetchFailed=true if npx couldn't fetch the package (offline); caller should fall back.
+ *
+ * We pass `-c ajv-formats` so schemas declaring `format: "date-time"` (etc.) are
+ * validated against the standard JSON Schema formats plugin rather than being
+ * rejected as unknown formats under ajv's strict mode. Schemas that declare no
+ * formats (e.g., plugin, marketplace) are unaffected.
  */
 function runAjv(args) {
+  const injected = [...args];
+  // Inject `-c ajv-formats` after the sub-command (compile/validate) but before -s flags.
+  // Simpler: just append; ajv-cli accepts -c at any position.
+  injected.push('-c', 'ajv-formats');
   const result = spawnSync(
     'npx',
-    ['--yes', 'ajv-cli@5', ...args],
+    ['--yes', '-p', 'ajv-cli@5', '-p', 'ajv-formats@3', 'ajv', ...injected],
     { encoding: 'utf8', cwd: REPO_ROOT }
   );
   const combined = (result.stdout || '') + (result.stderr || '');

package/skills/audit/SKILL.md

@@ -2,7 +2,7 @@
 name: gdd-audit
 description: "Run design audit — wraps design-verifier + design-auditor + design-reflector. --retroactive audits the full cycle scope."
 argument-hint: "[--retroactive] [--quick] [--no-reflect]"
-tools: Read, Write, Task, Glob
+tools: Read, Write, Task, Glob, Bash
 ---
 
 # /gdd:audit
@@ -51,4 +51,14 @@ Run only `design-auditor` (skip `design-integration-checker`). Faster health che
 - Do not modify source files.
 - Do not rerun stages; this is a read-only audit.
 
+## Step 7 — Update notice (post-closeout surface)
+
+After the consolidated audit summary has been printed (and any reflection-proposal count appended), emit the plugin-update banner if one is present:
+
+```bash
+[ -f .design/update-available.md ] && cat .design/update-available.md
+```
+
+Written by `hooks/update-check.sh`; suppressed mid-pipeline and when the latest release is dismissed.
+
 ## AUDIT COMPLETE

package/skills/check-update/SKILL.md

@@ -0,0 +1,135 @@
+---
+name: gdd-check-update
+description: "Manual plugin-update check. Shows cached state by default; --refresh bypasses the 24h TTL; --dismiss hides the nudge until a newer release ships; --prompt spawns design-update-checker for a richer summary."
+argument-hint: "[--refresh] [--dismiss] [--prompt]"
+tools: Read, Write, Bash, Task
+---
+
+# /gdd:check-update
+
+**Role:** Manual entry point for the plugin-update checker. The SessionStart hook (`hooks/update-check.sh`) already runs on its own 24h cadence and writes `.design/update-cache.json` + `.design/update-available.md`. This command lets the user inspect / force / dismiss / enrich that state on demand.
+
+## Flags
+
+| Flag | Effect |
+|---|---|
+| *(none)* | Print cached state (latest_tag, delta, is_newer). If the cache is older than 24h, trigger `--refresh` implicitly. |
+| `--refresh` | Invoke `hooks/update-check.sh --refresh` — bypasses the 24h TTL and re-fetches immediately. |
+| `--dismiss` | Write `update_dismissed: "<latest_tag>"` to `.design/config.json` atomically and delete `.design/update-available.md`. Sticky until a newer release ships. |
+| `--prompt` | Spawn `design-update-checker` agent (Haiku) to produce a 3–5-line "what this release changes for you" summary. Does not alter the banner or cache. |
+
+Flags can be combined: `--refresh --prompt` is valid (re-fetch, then enrich). `--dismiss` is the only flag that mutates `.design/config.json`.
+
+## Steps
+
+1. **Parse flags.** Detect `--refresh`, `--dismiss`, `--prompt` in `$ARGUMENTS`. Any unknown flag: print `Unknown flag: <flag>` and exit.
+
+2. **--refresh path** (if `--refresh` in flags):
+    Run the hot-path hook with the refresh flag:
+    ```bash
+    bash "${CLAUDE_PLUGIN_ROOT:-$(pwd)}/hooks/update-check.sh" --refresh
+    ```
+    This re-fetches `/releases/latest`, rewrites `.design/update-cache.json`, and re-renders `.design/update-available.md` subject to the same state/dismissal gates.
+
+3. **Read cache.** After any optional refresh, read `.design/update-cache.json`. If it does not exist:
+    - Print: `No cache. Network may be unreachable or the hook has not run yet. Try /gdd:check-update --refresh.`
+    - Exit.
+
+<!-- markdownlint-disable MD025 -->
+
+4. **Dismiss path** (if `--dismiss` in flags):
+    Compute new config contents and write atomically. The python heredoc receives CONFIG_PATH and LATEST_TAG via the ENVIRONMENT (env-prefix form — `KEY=VALUE python3 <<PY`), NOT via trailing argv. Passing `python3 -c '...' KEY=VALUE` makes Python treat the assignments as `sys.argv`, which the old draft did incorrectly; env-prefix form is the portable fix.
+
+    ```bash
+    CONFIG_PATH=".design/config.json"
+    LATEST_TAG="$(grep -E '"latest_tag"' .design/update-cache.json | head -n1 | sed -E 's/.*"latest_tag"[[:space:]]*:[[:space:]]*"([^"]+)".*/\1/')"
+    [ -n "$LATEST_TAG" ] || { echo 'No latest_tag in cache — nothing to dismiss.'; exit 0; }
+
+    mkdir -p .design
+
+    # Env-prefix form: CONFIG_PATH and LATEST_TAG are placed into the child process env,
+    # then python3 reads them via os.environ. Heredoc body is flat at column 0 (required —
+    # any leading indentation breaks Python parsing in a heredoc).
+    CONFIG_PATH="$CONFIG_PATH" LATEST_TAG="$LATEST_TAG" python3 <<'PY'
+import json, os, sys, tempfile
+
+config_path = os.environ['CONFIG_PATH']
+latest_tag = os.environ['LATEST_TAG']
+
+# Load existing config if present; otherwise start fresh. Preserve every unknown key.
+try:
+    with open(config_path, 'r', encoding='utf-8') as f:
+        data = json.load(f)
+    if not isinstance(data, dict):
+        data = {}
+except (FileNotFoundError, json.JSONDecodeError):
+    data = {}
+
+# Set ONLY the dismissal key — every other pre-existing key is preserved verbatim.
+data['update_dismissed'] = latest_tag
+
+# Atomic write: write to tmp on the SAME filesystem, then os.replace() (POSIX rename(2)).
+target_dir = os.path.dirname(config_path) or '.'
+fd, tmp_path = tempfile.mkstemp(prefix='config.', suffix='.tmp', dir=target_dir)
+try:
+    with os.fdopen(fd, 'w', encoding='utf-8') as f:
+        json.dump(data, f, indent=2)
+        f.write('\n')
+    os.replace(tmp_path, config_path)  # atomic on same filesystem
+except Exception as exc:
+    try:
+        os.unlink(tmp_path)
+    except OSError:
+        pass
+    sys.exit(1)
+PY
+
+    # Remove the rendered banner (user dismissed — stop showing it until a newer release ships).
+    rm -f .design/update-available.md
+    echo "Dismissed $LATEST_TAG. The nudge will return when a newer release ships."
+    ```
+
+    D-14 atomic-write invariant: `os.replace()` (POSIX `rename(2)`) is atomic on the same filesystem — an interrupted write leaves the original config intact. The `json.load → set single key → json.dump` round-trip guarantees every unknown top-level key (e.g. `model_profile`, `parallelism`) is preserved verbatim.
+
+5. **Print default state** (always, unless the skill exited early):
+    ```
+    ━━━ /gdd:check-update ━━━
+    Current:   v<X.Y.Z>
+    Latest:    v<A.B.C>   (delta: <major|minor|patch|off-cadence|none>)
+    Newer:     <true|false>
+    Checked:   <ISO time of checked_at>
+    Dismissed: <tag or "no">
+    ━━━━━━━━━━━━━━━━━━━━━━━━━━
+    ```
+    Parse these fields from `.design/update-cache.json` using `grep + sed` (no jq dependency). Read dismissal from `.design/config.json` via the same pattern as hooks/update-check.sh:
+    ```bash
+    [ -f .design/config.json ] && grep -E '"update_dismissed"' .design/config.json | sed -E 's/.*"update_dismissed"[[:space:]]*:[[:space:]]*"([^"]+)".*/\1/'
+    ```
+
+6. **--prompt path** (if `--prompt` in flags):
+    Spawn the `design-update-checker` agent via the Task tool. Pass as context:
+    - `current_tag` — from `.design/update-cache.json`
+    - `latest_tag` — from `.design/update-cache.json`
+    - `delta` — from `.design/update-cache.json`
+    - `release_body` — the `changelog_excerpt` from the cache (may be pre-truncated to 500 chars; that's fine — the agent knows)
+
+    Display the agent's inline response verbatim below the state banner. The agent ends with `## UPDATE-CHECKER COMPLETE` — the skill's own completion marker (below) is the final line.
+
+## Defaults
+
+- No flags → behave as: `--refresh (only if cache >24h old) → print state`. Silent no-op if cache is fresh and there is no newer version.
+
+## Do Not
+
+- Do not fetch from GitHub in this skill directly — always go through `hooks/update-check.sh --refresh` so the caching + state-guard + dismissal logic stays in one place.
+- Do not modify `.design/update-available.md` except to delete it on `--dismiss`. The hot-path hook is the only writer of that banner (D-06).
+- Do not rewrite `.design/config.json` wholesale — the atomic python rewrite preserves every unknown key (D-14).
+- Do not pass variables to the python heredoc via trailing `KEY=VALUE` argv — that assigns to `sys.argv`, not `os.environ`. Use env-prefix form only.
+
+## Completion marker
+
+Last line of output:
+
+```
+## CHECK-UPDATE COMPLETE
+```

package/skills/complete-cycle/SKILL.md

@@ -30,4 +30,14 @@ Closes the current cycle: marks CYCLES.md entry complete, archives pipeline arti
 - Do not delete source files in `src/` — only archive `.design/` artifacts.
 - Do not auto-start a new cycle — user invokes `/gdd:new-cycle` explicitly.
 
+## Step 6 — Update notice (post-closeout surface)
+
+After the archive has been written and STATE.md has been cleared for the next cycle, emit the plugin-update banner if one is present:
+
+```bash
+[ -f .design/update-available.md ] && cat .design/update-available.md
+```
+
+Written by `hooks/update-check.sh`; suppressed mid-pipeline and when the latest release is dismissed.
+
 ## COMPLETE-CYCLE COMPLETE

package/skills/design/SKILL.md

@@ -41,7 +41,7 @@ Skip if `auto_mode=true`.
 
 ## Pre-execution — Project-local conventions
 
-When spawning the executor, include any `./.claude/skills/design-*-conventions.md` files in `<required_reading>` so the executor sees project-local design conventions (typography, color, layout, motion, component, interaction decisions codified from prior sketch wrap-ups). Also include any `~/.claude/gdd/global-skills/*.md` files if the directory exists � global skills are cross-project conventions that inform but do not override project-local D-XX decisions.
+When spawning the executor, include any `./.claude/skills/design-*-conventions.md` files in `<required_reading>` so the executor sees project-local design conventions (typography, color, layout, motion, component, interaction decisions codified from prior sketch wrap-ups). Also include any `~/.claude/gdd/global-skills/*.md` files if the directory exists � global skills are cross-project conventions that inform but do not override project-local D-XX decisions.
 
 ---
 
@@ -256,13 +256,13 @@ Next: /get-design-done:verify
 
 After design-executor has finished and DESIGN-PLAN.md tasks are complete:
 
-1. Read `figma_writer:` status from `.design/STATE.md` `<connections>`:
-   - If `figma_writer: not_configured` or absent → skip this block entirely (no prompt, no output)
-   - If `figma_writer: available` → proceed to step 2
+1. Read `figma:` status from `.design/STATE.md` `<connections>` (the unified remote MCP covers both reads and writes as of v1.0.7.1):
+   - If `figma: not_configured` or `figma: unavailable` or absent → skip this block entirely (no prompt, no output)
+   - If `figma: available` → proceed to step 2
 
 2. Offer the user a prompt:
    ```
-   figma-writer is available — propagate design decisions back to Figma?
+   figma write-back is available — propagate design decisions back to Figma?
    Modes: annotate (layer comments) | tokenize (variable bindings) | mappings (Code Connect)
    Run figma-write? (y/N):
    ```

package/skills/discover/SKILL.md

@@ -22,9 +22,9 @@ user-invocable: true
    **A — Figma probe:**
 
    ```
-   A1. ToolSearch({ query: "select:mcp__figma-desktop__get_metadata", max_results: 1 })
+   A1. ToolSearch({ query: "select:mcp__figma__get_metadata", max_results: 1 })
    A2. Empty result → figma: not_configured (skip all Figma paths)
-       Non-empty result → call mcp__figma-desktop__get_metadata
+       Non-empty result → call mcp__figma__get_metadata
          Success → figma: available
          Error   → figma: unavailable
    ```

package/skills/explore/SKILL.md

@@ -19,9 +19,9 @@ Probe connection availability and update `.design/STATE.md` `<connections>`:
 
 **A — Figma probe:**
 ```
-ToolSearch({ query: "select:mcp__figma-desktop__get_metadata", max_results: 1 })
+ToolSearch({ query: "select:mcp__figma__get_metadata", max_results: 1 })
 Empty → figma: not_configured
-Non-empty → call mcp__figma-desktop__get_metadata; success → available; error → unavailable
+Non-empty → call mcp__figma__get_metadata; success → available; error → unavailable
 ```
 
 **B — Refero probe:**
@@ -31,7 +31,59 @@ Empty → refero: not_configured
 Non-empty → refero: available
 ```
 
-Write results to STATE.md `<connections>`.
+**C — 21st.dev probe:**
+```
+ToolSearch({ query: "mcp__21st", max_results: 5 })
+Empty → 21st-dev: not_configured
+Non-empty → 21st-dev: available
+```
+
+**D — Magic Patterns probe:**
+```
+ToolSearch({ query: "mcp__magic_patterns", max_results: 5 })
+Empty → magic-patterns: not_configured
+Non-empty → magic-patterns: available
+```
+
+**E — paper.design probe:**
+```
+ToolSearch({ query: "mcp__paper", max_results: 5 })
+Empty → paper-design: not_configured
+Non-empty → call mcp__paper-design__get_selection; success → available; error → unavailable
+```
+
+**F — pencil.dev probe (file-based):**
+```bash
+find . -name "*.pen" -not -path "*/node_modules/*" 2>/dev/null | head -1
+Empty → pencil-dev: not_configured
+Found → pencil-dev: available
+```
+
+Write all results to STATE.md `<connections>`.
+
+## Step 1.5 — 21st.dev Prior-Art Check (when 21st-dev: available)
+
+If `21st-dev: not_configured` in STATE.md: skip this step entirely.
+
+When the explore stage identifies any greenfield component in scope (component name from BRIEF.md or user request that does not yet have an implementation file):
+
+1. `21st_magic_component_search(component_name, limit: 3)`
+2. Evaluate top result:
+   - **fit ≥ 80%**: add `<prior-art>` block to DESIGN.md:
+     ```xml
+     <prior-art source="21st.dev" component="<name>" fit="<score>%" id="<component_id>">
+       Recommendation: adopt — do not build custom. Confirm with design-executor.
+     </prior-art>
+     ```
+   - **fit < 80%**: note top candidate in DESIGN.md as a reference, proceed with custom build:
+     ```xml
+     <prior-art source="21st.dev" component="<name>" fit="<score>%" id="<component_id>">
+       Low fit — noted for reference. Building custom component.
+     </prior-art>
+     ```
+3. If `svgl_get_brand_logo` is available and explore scope includes brand logo assets: call `svgl_get_brand_logo(brand_name)` for each required brand asset; add SVG results to `.design/assets/` and note in DESIGN.md.
+
+If no greenfield components in scope: skip this step.
 
 ## Step 2 — Inventory scan (unless `--skip-scan`)