@hegemonart/get-design-done 1.59.9 → 1.60.0

package/.claude-plugin/marketplace.json

@@ -5,14 +5,14 @@
   },
   "metadata": {
     "description": "Get Design Done — 5-stage agent-orchestrated design pipeline (Brief → Explore → Plan → Design → Verify) for AI coding agents. 64 agents, 96 skills, 39 connection integrations, two MCP servers, opt-in SQLite state backbone, bidirectional Figma write-back, and a reflector-driven self-improvement loop. Cross-runtime install for Claude Code, Codex, Cursor, OpenCode, Gemini, and more.",
-    "version": "1.59.9"
+    "version": "1.60.0"
   },
   "plugins": [
     {
       "name": "get-design-done",
       "source": "./",
       "description": "Agent-orchestrated 5-stage design pipeline (Brief → Explore → Plan → Design → Verify) for AI coding agents. 64 specialized agents, 96 skills, 39 connection integrations (Figma, Refero, Preview, Storybook, Chromatic, Graphify, Linear, Jira, Notion, …), bidirectional Figma write-back, queryable intel store, opt-in SQLite state backbone, and a reflector-driven self-improvement loop. Two MCP servers (gdd-state for typed STATE mutators, gdd-mcp for 13 read-only project-priming tools), tier-aware routing with cost telemetry, and defense-in-depth hooks (protected paths, MCP circuit breaker, injection scanner, budget enforcer). Cross-runtime install for Claude Code, Codex, Cursor, OpenCode, Gemini, Copilot, and more.",
-      "version": "1.59.9",
+      "version": "1.60.0",
       "author": {
         "name": "hegemonart"
       },

package/.claude-plugin/plugin.json

@@ -1,7 +1,7 @@
 {
   "name": "get-design-done",
   "short_name": "gdd",
-  "version": "1.59.9",
+  "version": "1.60.0",
   "description": "Agent-orchestrated 5-stage design pipeline (Brief → Explore → Plan → Design → Verify) for AI coding agents. 64 specialized agents, 96 skills, 39 connection integrations (Figma, Refero, Preview, Storybook, Chromatic, Graphify, Linear, Jira, Notion, …), bidirectional Figma write-back, queryable intel store for O(1) design-surface lookups, opt-in SQLite state backbone, and a reflector-driven self-improvement loop. Two MCP servers (`gdd-state` for typed STATE mutators, `gdd-mcp` for 13 read-only project-priming tools), tier-aware agent routing with cost telemetry, defense-in-depth hooks (protected paths, MCP circuit breaker, injection scanner, budget enforcer), and a cross-runtime install layer for Claude Code, Codex, Cursor, OpenCode, Gemini, Copilot, and more.",
   "author": {
     "name": "hegemonart",

package/CHANGELOG.md

@@ -4,6 +4,31 @@ All notable changes to get-design-done are documented here. Versions follow [sem
 
 ---
 
+## [1.60.0] - 2026-06-10
+
+**Foundation & Honesty** - the subtract-first base the v2.0 work and the upcoming rebrand depend on. Make the catalog enumerable and the capability claims machine-checked *before* building or renaming anything. A pre-flight audit found the catalog already clean (0 content-duplicate skills, 0 orphan skills or agents, a perfect manifest to template to generated bijection, and every count and capability claim already tracing to source), so this release does not manufacture cuts - it removes genuinely dead code and adds the guards that lock the clean state in.
+
+### Removed
+
+- **Dead jsdom/puppeteer detection scaffolding** from `gdd-detect`. The CLI carried soft `try-require` probes for a `jsdom` "DOM-aware" engine and a `puppeteer` URL engine, plus `--fast`/`--puppeteer` flags - none of which were ever wired (the engine is and was pure regex over local files). 1.59.8 stopped the misleading mode label; this release deletes the dead probes and flags outright and rewrites the comments/help to the regex-only reality. `gdd-detect --help` now matches what it does. (A real DOM/URL engine is planned separately; this removal is reversed then.)
+
+### Added
+
+- **Catalog-integrity validator** (`validate:catalog`, wired into CI): exact content-hash duplicate detection across skill templates and agents, near-duplicate description detection (calibrated above the existing distinct-but-parallel writer family, so a future copy-paste clone is caught), a manifest to template to generated three-way bijection check (no orphans in any direction), and description-length sanity. Passes on the current catalog; fails if bloat, dupes, or orphans are introduced later.
+- **Capability-honesty assertion** (in the same CI gate): every MCP server named in the plugin/marketplace manifests resolves to a real `sdk/mcp/<server>/server.ts`, and the advertised read-only MCP-tool count is derived from the actual `gdd_*.ts` tool files rather than hand-typed. Combined with the existing source-derived feature counts, the 64 agents / 96 skills / 39 integrations / 13 MCP-tools / 2 MCP-servers claims are now machine-verified.
+
+### Notes
+
+- Catalog audited clean - no skills or agents were merged or deleted. The integrity guard exists to keep it that way.
+
+### Breaking changes
+
+None.
+
+5,102/5,102 tests pass.
+
+---
+
 ## [1.59.9] - 2026-06-10
 
 New-model-family readiness and cost truth (audit `.planning/audits/SELF-AUDIT-v1.59.7.md` §4). A new or unknown Anthropic model previously degraded cost accounting silently - billed at $0 or the sonnet rate and mis-attributed to the sonnet tier. This release makes unknown models loud and conservative, handles the 1M-context `[1m]` variant, and records context-window size in the model registry.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@hegemonart/get-design-done",
-  "version": "1.59.9",
+  "version": "1.60.0",
   "description": "A design-quality pipeline for AI coding agents: brief, explore, plan, design, and verify UI work against your design system.",
   "author": "Hegemon",
   "homepage": "https://github.com/hegemonart/get-design-done",
@@ -84,6 +84,7 @@
     "validate:composition-graph": "node scripts/validate-composition-graph.cjs",
     "validate:design-context": "node scripts/validate-design-context.cjs",
     "validate:skill-frontmatter": "node scripts/validate-skill-frontmatter.cjs",
+    "validate:catalog": "node scripts/validate-catalog-integrity.cjs",
     "build:skill-graph": "node scripts/generate-skill-graph.cjs",
     "build:skill-graph:check": "node scripts/generate-skill-graph.cjs --check",
     "sync:rule-catalogue": "node scripts/sync-rule-catalogue.cjs --check",

package/scripts/lib/detect/cli.cjs

@@ -1,38 +1,35 @@
 'use strict';
-// Phase 41 — gdd-detect CLI. Dep-free by default (regex-fast). The DOM-aware (jsdom) and URL
-// (puppeteer) paths are SOFT optionals loaded via try-require — never a package.json dependency, so
-// the SC#10 network-isolation scan stays clean and the plugin keeps its zero-runtime-dep guarantee.
+// Phase 41 — gdd-detect CLI. A regex anti-pattern scanner over LOCAL files: it walks a file or
+// directory and runs each BAN-NN rule's matcher against the file text. There is exactly one engine
+// (regex over file content) and it never touches the network or any optional dependency, so the
+// SC#10 network-isolation scan stays clean and the plugin keeps its zero-runtime-dep guarantee.
 //
-//   gdd-detect <path> [--json] [--fast] [--rule BAN-NN] [--puppeteer]
+//   gdd-detect <path> [--json] [--rule BAN-NN]
 //
 // Exit codes: 0 = clean · 2 = findings · 1 = invocation error.
 
 const engine = require('./engine.cjs');
 
-const HELP = `gdd-detect — scan HTML/CSS/JSX for GDD anti-patterns (BAN-NN).
+const HELP = `gdd-detect — scan local HTML/CSS/JSX for GDD anti-patterns (BAN-NN).
 
 Usage:
   gdd-detect <path> [options]
 
 Arguments:
-  <path>            A file or directory (scanned recursively), or a http(s):// URL (needs --puppeteer).
+  <path>            A file or directory (scanned recursively). Regex anti-pattern scan over local files.
 
 Options:
   --json            Machine-readable JSON output.
-  --fast            Regex-only; do not load jsdom even if present.
   --rule <BAN-NN>   Run a single rule (e.g. --rule BAN-08).
-  --puppeteer       Allow scanning a URL via Puppeteer (an optional, separately-installed dependency).
   -h, --help        This help.
 
 Exit codes: 0 clean · 2 findings · 1 invocation error.`;
 
 function parseArgs(argv) {
-  const opts = { path: null, json: false, fast: false, rule: null, puppeteer: false, help: false };
+  const opts = { path: null, json: false, rule: null, help: false };
   for (let i = 0; i < argv.length; i++) {
     const a = argv[i];
     if (a === '--json') opts.json = true;
-    else if (a === '--fast') opts.fast = true;
-    else if (a === '--puppeteer') opts.puppeteer = true;
     else if (a === '-h' || a === '--help') opts.help = true;
     else if (a === '--rule') opts.rule = argv[++i] || null;
     else if (a.startsWith('--rule=')) opts.rule = a.slice('--rule='.length);
@@ -46,22 +43,11 @@ function isUrl(p) {
 }
 
 /**
- * Select the detection engine. Returns { mode, warning }.
- *
- * There is exactly one engine path: regex over file text (see engine.cjs#run, which takes no
- * jsdom/DOM parameter and is byte-identical whether or not jsdom is installed). So the truthful
- * mode is always 'regex-fast'. We still probe jsdom (unless --fast) to surface a one-line hint
- * that a DOM-aware path is not wired in this build — but we no longer claim a 'dom-aware' mode the
- * engine does not have.
+ * Report the active engine. There is exactly one path: regex over file text (see engine.cjs#run).
+ * Returns { mode } so callers and the --json report can label output truthfully.
  */
-function selectEngine(opts, requireFn) {
-  if (opts.fast) return { mode: 'regex-fast', warning: null };
-  let hasJsdom = false;
-  try { requireFn('jsdom'); hasJsdom = true; } catch { hasJsdom = false; }
-  // jsdom presence does not change the engine — only emit a hint when it's absent, and never
-  // promise a mode we can't deliver.
-  const warning = hasJsdom ? null : 'jsdom not installed — running regex-fast (the only wired mode; a DOM-aware path is not implemented). Pass --fast to silence this.';
-  return { mode: 'regex-fast', warning };
+function selectEngine() {
+  return { mode: 'regex-fast' };
 }
 
 function renderHuman(result, mode) {
@@ -78,14 +64,13 @@ function renderHuman(result, mode) {
 
 /**
  * @param {string[]} argv  process.argv.slice(2)
- * @param {{ cwd?: string, log?: fn, err?: fn, requireFn?: fn }} [io]  injectable for tests
+ * @param {{ cwd?: string, log?: fn, err?: fn }} [io]  injectable for tests
  * @returns {number} exit code
  */
 function main(argv, io) {
   const o = io || {};
   const log = o.log || ((s) => process.stdout.write(s + '\n'));
   const err = o.err || ((s) => process.stderr.write(s + '\n'));
-  const requireFn = o.requireFn || require;
   const cwd = o.cwd || process.cwd();
   const opts = parseArgs(argv);
 
@@ -93,18 +78,13 @@ function main(argv, io) {
   if (!opts.path) { err('gdd-detect: missing <path>. See --help.'); return 1; }
   if (opts.rule && !/^BAN-\d{2}$/i.test(opts.rule)) { err(`gdd-detect: --rule expects a BAN-NN id (got "${opts.rule}").`); return 1; }
 
-  // URL path → Puppeteer (optional, separately installed). Never a stack trace.
+  // URL path is not wired: this is a regex scanner over local files. Never a stack trace.
   if (isUrl(opts.path)) {
-    if (!opts.puppeteer) { err('gdd-detect: scanning a URL requires --puppeteer. Pass --puppeteer (and `npm i -D puppeteer`) to enable URL scans.'); return 1; }
-    let hasPuppeteer = false;
-    try { requireFn('puppeteer'); hasPuppeteer = true; } catch { hasPuppeteer = false; }
-    if (!hasPuppeteer) { err('gdd-detect: --puppeteer given but puppeteer is not installed. Install it with `npm i -D puppeteer` (it stays an optional dependency).'); return 1; }
     err('gdd-detect: URL scanning is not wired in this build; clone the page locally and scan the files instead.');
     return 1;
   }
 
-  const { mode, warning } = selectEngine(opts, requireFn);
-  if (warning && !opts.json) err('gdd-detect: ' + warning);
+  const { mode } = selectEngine();
 
   let result;
   try { result = engine.run(opts.path, { ruleId: opts.rule, cwd }); }

package/scripts/lib/detect/engine.cjs

@@ -1,8 +1,8 @@
 'use strict';
-// Phase 41 — gdd-detect engine. Pure, dep-free (regex-fast path). Walks a path, runs each rule's
-// matcher against file content, returns structured findings. The DOM-aware (jsdom) + URL (puppeteer)
-// paths are layered on in cli.cjs via soft try-require; the engine itself never touches the network
-// or any optional dependency — so the SC#10 network-isolation scan stays clean.
+// Phase 41 — gdd-detect engine. Pure, dep-free regex engine over file content. Walks a path, runs
+// each rule's matcher against the text of each scannable file, and returns structured findings. The
+// engine never touches the network or any optional dependency — so the SC#10 network-isolation scan
+// stays clean.
 
 const fs = require('node:fs');
 const path = require('node:path');