@jaimevalasek/aioson 1.7.2 → 1.8.0

package/template/.aioson/rules/output-brevity.md

@@ -0,0 +1,44 @@
+---
+name: output-brevity
+description: All agents must produce terse, direct output — no preambles, no trailing summaries, no narration of actions
+priority: 8
+version: 1.0.0
+---
+
+# Output Brevity
+
+All agents produce direct output. No padding.
+
+## What to eliminate
+
+- Preambles: "I will now...", "Let me...", "I'm going to..."
+- Trailing summaries: "In summary, I have...", "To recap what was done..."
+- Action narration: "Reading the file...", "Now I'll check..."
+- Filler acknowledgements: "Great!", "Sure!", "Of course!", "Absolutely!"
+- Restating the user's request before answering it
+
+## What to keep
+
+- Artifact content — complete and uncompressed
+- Technical explanations when genuinely non-obvious
+- Questions when clarification is required
+- Security warnings, irreversible action confirmations — revert to full prose for these
+
+## Pattern
+
+```
+❌  "I'll analyze the project structure and then provide my findings..."
+✅  [analysis output directly]
+
+❌  "In summary, I've created 3 files and updated the spec."
+✅  "Created: spec-auth.md, prd-auth.md, features.md"
+
+❌  "Great question! Let me explain how this works..."
+✅  [explanation directly]
+```
+
+## Exceptions — use full prose
+
+- Security warnings or destructive action confirmations
+- Multi-step sequences where brevity would cause ambiguity
+- User appears confused or has contradictory requirements

package/template/.aioson/rules/prd-section-ownership.md

@@ -0,0 +1,49 @@
+---
+name: prd-section-ownership
+description: Define qual agente é dono de cada seção do PRD — outros agentes não podem modificar seções que não são suas
+priority: 9
+version: 1.0.0
+agents: [product, pm, analyst, architect, ux-ui, sheldon]
+---
+
+# PRD Section Ownership
+
+`prd.md` and `prd-{slug}.md` are shared documents. Each section has one owner — others may only read or append sub-sections, never replace.
+
+## Ownership table
+
+| PRD Section | Owner | Others may |
+|---|---|---|
+| `## Objetivo` | `@product` | Read only |
+| `## Problema` | `@product` | Read only |
+| `## Usuários e Personas` | `@product` | Read only |
+| `## Funcionalidades` | `@product` | Read only |
+| `## Critérios de Aceite` | `@product` (structure) / `@pm` (enrichment) | `@analyst`, `@architect` add technical sub-items |
+| `## Fases de Entrega` | `@pm` | Read only |
+| `## Restrições Técnicas` | `@architect` | Read only |
+| `## Considerações de UX` | `@ux-ui` | Read only |
+| `## Riscos` | `@pm` | `@analyst`, `@architect` add new risks only |
+| `## Decisões Registradas` | `@sheldon` (project) / `@pm` (feature) | Read only |
+
+## Modification rule
+
+An agent may only modify sections it owns. Non-owners may only **add** a new sub-section at the end — never replace or rewrite existing content.
+
+## Safe addition pattern
+
+```markdown
+## Critérios de Aceite
+<!-- @product: owner of this section -->
+
+- CA-01: User can schedule an appointment
+- CA-02: System sends confirmation email
+
+### Technical criteria (added by @analyst)
+- CA-T01: Scheduling validates availability via DB query before confirming
+- CA-T02: Email queue uses BullMQ with 3x retry
+```
+
+## On violation detected
+
+1. Do not overwrite the section.
+2. Create a sub-section with explicit attribution (`<!-- added by @{agent} -->`), OR create a separate artifact (`requirements-{slug}.md`, `architecture.md`, etc.).

package/template/.aioson/rules/security-baseline.md

@@ -0,0 +1,139 @@
+---
+name: security-baseline
+description: Secure by Default baseline controls for technical agents
+priority: 10
+version: 1.0.0
+agents: [analyst, architect, dev, qa]
+---
+
+# Security Baseline — Secure by Default
+
+> Implements `Article VII — Zero Trust by Default` of the AIOSON constitution.
+> Loaded by `@analyst`, `@architect`, `@dev`, and `@qa`. Other agents must not
+> load this rule — product, copy, design and orchestration scopes are out of band.
+
+This rule defines the minimum security baseline every technical agent must
+respect. It does **not** promise absolute security. It declares concrete
+controls, expected evidence and how each project classification consumes them.
+Deviations are allowed only when recorded as an explicit decision in the
+feature `spec-{slug}.md` with N/A rationale.
+
+## Classification policy
+
+| Classification | Behavior |
+|---|---|
+| **MICRO** | **Advisory.** Controls are surfaced as recommendations. No automated blocking. `@qa` may still flag obviously dangerous patterns. |
+| **SMALL** | **Scan-oriented.** Static checks and tool-first scans run automatically. `@pentester` is **not** mandatory. Open Medium+ findings are reported but do not block by default. |
+| **MEDIUM** | **Audit-blocking.** Surface assessment runs against attack-surface map. **Open High or Critical findings block Gate D** until resolved or explicitly waived with rationale recorded in `spec-{slug}.md`. |
+
+`@pentester` (`app_target` mode) may be invoked by `@qa` for any feature with
+auth, money, ownership, file uploads, external URLs or suspicious audit
+findings — regardless of classification. It is never required by classification
+alone.
+
+## Severity scale
+
+| Severity | Examples |
+|---|---|
+| `critical` | Ownership bypass, financial race condition, committed production secret. |
+| `high` | Missing server-side validation, unsafe upload signature handling, missing rate limit on sensitive endpoint. |
+| `medium` | Unsanitized external URL, low-impact tracker, storage boundary abuse surface. |
+| `advisory` | MICRO recommendations or surfaces marked N/A with explicit rationale. |
+
+## Direct LLM mode (no CLI)
+
+When the `aioson` CLI is unavailable, agents must fall back to **checklist-only
+verification** of the controls below, record the limitation in the session
+devlog, and **must not** fabricate runtime telemetry events. Findings still
+land in `.aioson/context/security-findings-{slug}.json` (one of the few
+machine-readable exceptions allowed under `.aioson/context/`).
+
+## Controls
+
+### SEC-SBD-01 — Server-side input limits
+
+- Maps to: OWASP A03 / A04
+- Default severity: `high`
+- Owner agent: `@dev` (implements), `@analyst` (declares limits), `@qa` (verifies)
+- Applies to: analyst, dev, qa
+- Classification policy: MICRO advisory; SMALL scan-oriented; MEDIUM audit-blocking when feature accepts user input
+- Required evidence: explicit field-length / type / range limits enforced server-side, plus negative tests asserting rejection on overflow or wrong type. N/A rationale required when feature has no user input.
+
+### SEC-SBD-02 — Upload file signature validation
+
+- Maps to: OWASP A03 / A05
+- Default severity: `high`
+- Owner agent: `@dev` (implements), `@qa` (verifies)
+- Applies to: analyst, dev, qa
+- Classification policy: MICRO advisory; SMALL scan-oriented; MEDIUM audit-blocking when feature accepts uploads
+- Required evidence: magic-byte / file-signature validation independent of MIME header and extension; rejection test for spoofed extension. N/A when no upload surface exists.
+
+### SEC-SBD-03 — Ownership / IDOR authorization
+
+- Maps to: OWASP A01
+- Default severity: `critical`
+- Owner agent: `@dev` (implements), `@analyst` (maps surfaces), `@qa` (verifies)
+- Applies to: analyst, architect, dev, qa
+- Classification policy: MICRO advisory; SMALL scan-oriented; MEDIUM audit-blocking on every endpoint that returns or mutates per-user data
+- Required evidence: ownership check at the data layer (not only route), and a negative test where user A attempts to access user B's resource and receives 403/404. N/A only when resource is intentionally public.
+
+### SEC-SBD-04 — Atomic critical state changes
+
+- Maps to: OWASP A04
+- Default severity: `critical`
+- Owner agent: `@architect` (designs), `@dev` (implements), `@qa` (verifies)
+- Applies to: architect, dev, qa
+- Classification policy: MICRO advisory; SMALL scan-oriented; MEDIUM audit-blocking on money, inventory, quotas, ownership transfers, balance updates
+- Required evidence: transactional boundary (DB transaction, row lock, or equivalent) plus a concurrency test or documented invariant proving no double-spend / lost update. N/A when feature has no shared mutable state.
+
+### SEC-SBD-05 — Secrets outside code
+
+- Maps to: OWASP A02 / A05
+- Default severity: `critical` (committed) / `high` (config drift)
+- Owner agent: `@dev` (implements), `@qa` (verifies)
+- Applies to: analyst, architect, dev, qa
+- Classification policy: MICRO advisory; SMALL scan-oriented; MEDIUM audit-blocking on any commit
+- Required evidence: secrets loaded from environment / vault / managed config; `.env` and equivalents in `.gitignore`; secret-scan pass on diff. Brownfield exception: pre-existing secret must be rotated and tracked, never silently kept.
+
+### SEC-SBD-06 — External URL sanitization
+
+- Maps to: OWASP A03 / A10
+- Default severity: `medium` (raises to `high` when URL is followed server-side)
+- Owner agent: `@dev` (implements), `@qa` (verifies)
+- Applies to: analyst, dev, qa
+- Classification policy: MICRO advisory; SMALL scan-oriented; MEDIUM audit-blocking when feature accepts or follows external URLs
+- Required evidence: scheme allowlist, host validation, SSRF protection (private-range block) when followed server-side, escaping when rendered. N/A when no external URL is accepted.
+
+### SEC-SBD-07 — Storage default-deny / RLS boundary
+
+- Maps to: OWASP A01 / A05
+- Default severity: `critical`
+- Owner agent: `@architect` (designs), `@dev` (implements), `@qa` (verifies)
+- Applies to: architect, dev, qa
+- Classification policy: MICRO advisory; SMALL scan-oriented; MEDIUM audit-blocking on every multi-tenant or per-user store
+- Required evidence: storage layer denies by default (RLS policies enabled, bucket private, queue ACL closed) plus a negative test from an unauthorized identity. N/A when storage is single-tenant and intentionally public.
+
+### SEC-SBD-08 — Auth enumeration / rate limiting
+
+- Maps to: OWASP A07
+- Default severity: `high`
+- Owner agent: `@dev` (implements), `@qa` (verifies)
+- Applies to: analyst, dev, qa
+- Classification policy: MICRO advisory; SMALL scan-oriented; MEDIUM audit-blocking on login, password reset, signup, OTP and any auth-adjacent endpoint
+- Required evidence: per-endpoint rate limit (per IP and per identifier), uniform error response for "user not found" vs "wrong password", lockout or backoff after N failures, and a negative test asserting enumeration is not possible. N/A when feature has no auth surface.
+
+## Out of scope (v1)
+
+The following are explicitly **not** part of this baseline and require a future
+PRD before adoption: deceptive endpoints (honeypots), jump-scare responses,
+adversarial CAPTCHAs, and any technique whose primary purpose is to deceive
+attackers. The baseline is preventive, not deceptive.
+
+## Maintenance
+
+- Control IDs are stable. Adding a control means appending `SEC-SBD-09`, never
+  renumbering or repurposing an existing ID.
+- Severity defaults can be raised per-feature in `spec-{slug}.md` with rationale; they cannot be silently lowered.
+- Changes to this rule require an explicit decision recorded in the relevant
+  feature spec and a `last_amended`-style note in the constitution if they
+  alter Article VII semantics.

package/template/.aioson/rules/spec-level-ownership.md

@@ -0,0 +1,61 @@
+---
+name: spec-level-ownership
+description: spec.md é de projeto, spec-{slug}.md é de feature — os dois níveis nunca se misturam
+priority: 9
+version: 1.0.0
+agents: [dev, qa, pm, sheldon]
+---
+
+# Spec Ownership: Project vs Feature Level
+
+Two distinct levels — never mix them.
+
+| File | Level | Owner | Content |
+|---|---|---|---|
+| `spec.md` | **Project** | `@dev` (full project) | Stack, global patterns, infrastructure — decisions affecting the whole project |
+| `spec-{slug}.md` | **Feature** | `@dev` (specific feature) | Decisions, entities, dependencies, ACs for ONE feature |
+
+## Absolute rules
+
+1. `spec.md` never receives feature-specific content → create `spec-{slug}.md` for that.
+2. `spec-{slug}.md` never receives project decisions → stack decisions go in `spec.md` or `architecture.md`.
+3. `spec-{slug}.md` is created by `@dev` at feature implementation start. One file per slug. Slug must match `prd-{slug}.md` and `implementation-plan-{slug}.md`.
+4. No `spec-{slug}.md` without a corresponding `prd-{slug}.md`.
+
+## Mandatory structure: spec-{slug}.md
+
+```markdown
+---
+feature: {slug}
+status: in_progress | done
+phase_gates:
+  requirements: approved | pending | skipped
+  design: approved | pending | skipped
+  plan: approved | pending | skipped
+---
+
+# Spec — {feature name}
+
+## Implemented entities
+## Technical decisions
+## Dependencies
+## QA approval
+(filled by @qa on feature close)
+```
+
+## Mandatory structure: spec.md (project level)
+
+```markdown
+# Spec — {project name}
+
+## Stack and infrastructure
+## Global code patterns
+## External integrations
+## Cross-feature architecture decisions
+```
+
+## On violation detected
+
+1. Do not write to the wrong file.
+2. Identify the correct level.
+3. Write to the correct file (create if needed following mandatory structure above).

package/template/.aioson/rules/squad-driver-pattern.md

@@ -0,0 +1,81 @@
+---
+name: squad-driver-pattern
+description: Territory boundaries and integration pattern for AIOSON squads — separates squad definitions (owned by @squad) from application driver code (owned by @dev)
+priority: 9
+version: 1.0.0
+agents: [dev, sheldon, pm, qa, architect]
+---
+
+# Squad Driver Pattern
+
+Two distinct layers — never mixed:
+
+```
+Layer 1 — Definition (owned by @squad)
+  .aioson/squads/{squad-slug}/
+    agents/greeting-agent.md     ← prompt and personality
+    agents/orquestrador.md       ← orchestration logic
+    squad.manifest.json          ← configuration
+    workflows/main.md            ← execution pipeline
+
+Layer 2 — Driver (owned by @dev)
+  src/services/squadRunner.js    ← loads and executes definitions
+  src/services/greetingService.js ← driver consuming greeting-agent.md
+```
+
+## Territory rules — absolute for all agents
+
+| Agent | Can create/modify | Must never touch |
+|---|---|---|
+| `@squad` | `.aioson/squads/` | Application code (`src/`, `app/`, etc.) |
+| `@dev` | Application code | `.aioson/squads/` |
+| `@pm` | Implementation plan | Either layer |
+| `@architect` | `architecture.md` | Squad files or agent code |
+
+## Correct integration pattern
+
+The application service is a **driver** — loads the squad definition and sends it to the LLM. Never embeds prompts in code.
+
+```javascript
+// CORRECT — driver consuming @squad definition
+class GreetingService {
+  async respond(message) {
+    const agentDef = fs.readFileSync(
+      '.aioson/squads/squad-greeting/agents/greeting-agent.md', 'utf-8'
+    )
+    return await llm.call({ system: agentDef, user: message })
+  }
+}
+
+// WRONG — prompt embedded in code (@dev must not do this)
+class GreetingService {
+  async respond(message) {
+    const prompt = "Voce e um atendente de farmacia..." // ← @squad territory
+    return await llm.call({ system: prompt, user: message })
+  }
+}
+```
+
+## Per-agent responsibilities
+
+**`@product` / `@sheldon`:** describe squad behavior and objective in PRDs — never literal prompts. Prompts are `@squad` territory.
+
+**`@analyst` / `@architect`:** include the driver layer as explicit component in `architecture.md`:
+```
+SquadRunner — loads definitions from .aioson/squads/ and executes via LLM API
+  dependencies: fs (read .md), llm-client (model call)
+  no domain logic — only orchestrates loading and execution
+```
+
+**`@pm`:** separate squad phases from code phases in implementation plans:
+- Squad phases → `executor: @squad`
+- Driver phases → `executor: @dev` with task "create SquadRunner that loads `.aioson/squads/{slug}/`"
+
+**`@dev`:** never write inline prompts. If a task requires creating/modifying files in `.aioson/squads/` — stop and redirect to `@squad`.
+
+**`@squad`:** read `implementation-plan` and `prd` before asking anything — context is already in artifacts.
+
+**`@qa`:** verify:
+- [ ] Squad services are drivers (load `.md`, never embed prompts)
+- [ ] No agent prompt is hardcoded in application code
+- [ ] `.aioson/squads/` was not modified by `@dev`

package/template/.aioson/schemas/squad-blueprint.schema.json

@@ -31,6 +31,30 @@
       "enum": ["content", "software", "research", "mixed"]
     },
     "domain": { "type": "string" },
+    "locale_scope": {
+      "type": "string",
+      "description": "Universal or locale-specific scope for generated agent files",
+      "pattern": "^(universal|[A-Za-z]{2,3}(?:-[A-Za-z0-9]{2,8})*)$"
+    },
+    "locale_rationale": { "type": "string" },
+    "domainClassification": {
+      "type": "object",
+      "properties": {
+        "tier": {
+          "type": "string",
+          "enum": ["tier-1-regulated", "tier-2-specialized", "tier-3-common"]
+        },
+        "rationale": { "type": "string" },
+        "regulations": {
+          "type": "array",
+          "items": { "type": "string" }
+        },
+        "investigationPolicy": {
+          "type": "string",
+          "enum": ["required", "recommended", "optional"]
+        }
+      }
+    },
     "executors": {
       "type": "array",
       "items": {

package/template/.aioson/schemas/squad-manifest.schema.json

@@ -38,6 +38,34 @@
       "enum": ["private", "public"],
       "default": "private"
     },
+    "locale_scope": {
+      "type": "string",
+      "description": "Universal or locale-specific scope for agent prompt files",
+      "pattern": "^(universal|[A-Za-z]{2,3}(?:-[A-Za-z0-9]{2,8})*)$"
+    },
+    "locale_rationale": {
+      "type": "string",
+      "description": "Why the squad is locale-specific when locale_scope is not universal"
+    },
+    "domainClassification": {
+      "type": "object",
+      "description": "Classification of the squad domain for research and safety routing",
+      "properties": {
+        "tier": {
+          "type": "string",
+          "enum": ["tier-1-regulated", "tier-2-specialized", "tier-3-common"]
+        },
+        "rationale": { "type": "string" },
+        "regulations": {
+          "type": "array",
+          "items": { "type": "string" }
+        },
+        "investigationPolicy": {
+          "type": "string",
+          "enum": ["required", "recommended", "optional"]
+        }
+      }
+    },
     "ephemeral": {
       "type": "boolean",
       "default": false,
@@ -48,6 +76,22 @@
       "description": "Time-to-live for ephemeral squads (e.g. '24h', '7d'). After TTL, squad files are eligible for cleanup."
     },
     "aiosLiteCompatibility": { "type": "string" },
+    "sourceDocs": {
+      "type": "array",
+      "items": { "type": "string" },
+      "description": "Project artifacts consumed during squad design"
+    },
+    "investigation": {
+      "type": "object",
+      "description": "Reference to a persisted @orache investigation report",
+      "properties": {
+        "slug": { "type": "string" },
+        "path": { "type": "string" },
+        "confidence": { "type": "number", "minimum": 0, "maximum": 1 },
+        "dimensionsCovered": { "type": "integer", "minimum": 0, "maximum": 7 },
+        "date": { "type": "string", "format": "date" }
+      }
+    },
     "storagePolicy": {
       "type": "object",
       "properties": {

package/template/.aioson/skills/process/aioson-spec-driven/references/pm.md

@@ -0,0 +1,30 @@
+# Spec-Driven Reference — @pm
+
+> Router file. Do not duplicate logic from the generic references — load those directly.
+
+## Which references to load for backlog and delivery planning
+
+### Always load when this skill is active
+
+- `approval-gates.md` — @pm owns Gate C; use it to know exactly what must be true before `phase_gates.plan` can be set to `approved` and before handing off to @dev or @orchestrator
+- `classification-map.md` — use to calibrate sprint sizing and decide how many delivery phases are appropriate for MICRO/SMALL/MEDIUM
+
+### Load when plan structure is ambiguous
+
+- `artifact-map.md` — use to understand which artifacts @pm may read (prd, requirements, spec, architecture) vs. which it must not overwrite (@analyst's requirements, @architect's architecture)
+- `maintenance-and-state.md` — use when retaking a sprint session or checking if a spec-{slug}.md checkpoint needs updating before continuing
+
+### Do not load for @pm
+
+- `hardening-lane.md` — @pm receives hardened input from @product and @analyst; if input is still vague, send it back upstream, do not harden it yourself
+- `qa.md` — Gate D belongs to @qa, not @pm
+
+## Behavioral notes for @pm under SDD
+
+- @pm is the **Gate C owner** — the plan is not complete until `spec-{slug}.md` has `phase_gates.plan: approved` and `implementation-plan-{slug}.md` (if MEDIUM) has `status: approved`
+- Gate C is **blocking in MEDIUM** — @dev and @orchestrator must not execute without Gate C passing
+- Gate C is **informational in SMALL** — flag if the plan looks thin, but do not block
+- Gate C is **skipped in MICRO** — @dev reads prd.md directly; @pm does not run for MICRO
+- ACs produced by @pm must match or extend the ACs in `conformance-{slug}.yaml` when it exists — never contradict the analyst's behavioral contracts
+- @pm adds delivery phases and prioritization; it does NOT rewrite Vision, Problem, Users, or Flows — those belong to @product
+- At session end, always tell the user explicitly: "Gate C passed — activate [@orchestrator / @dev]" OR "Gate C blocked — [reason]"

package/template/.aioson/skills/process/secure-tdd/SKILL.md

@@ -0,0 +1,97 @@
+---
+name: secure-tdd
+description: Process skill for adversarial TDD in security-sensitive features. Load after aioson-spec-driven when classification and attack surface justify it.
+activation: |
+  You are now running the secure-tdd process. Confirm the feature classification and attack surface, load only the stack reference you need, write adversarial tests first, then implement production code.
+---
+
+# Skill: secure-tdd
+
+> Process skill. Adversarial tests before production code.
+> Load this file first. Then load only the stack reference you need.
+
+## When to use
+
+Load this skill only after the normal feature workflow is already active.
+
+- **MEDIUM:** load when the feature has auth, ownership, money, uploads, external URLs, secrets/credentials, or sensitive storage boundaries.
+- **SMALL:** optional reduced mode for the same surfaces.
+- **MICRO:** do not auto-load.
+
+This skill complements `aioson-spec-driven`. It never replaces it.
+
+## Loading order
+
+1. Load `.aioson/skills/process/aioson-spec-driven/SKILL.md` first when the feature is spec-driven.
+2. Read the current `requirements-{slug}.md`, `spec-{slug}.md`, and `architecture.md`.
+3. Load `secure-tdd/SKILL.md`.
+4. Load only one stack reference:
+   - `references/node-express.md`
+   - `references/nextjs.md`
+5. If your stack is not covered by a full v1 reference, read `references/planned-stacks.md` for the minimal fallback.
+
+## Goal
+
+Make `@dev` write the security-sensitive tests first, before implementation, for the attack paths most likely to regress:
+
+- auth bypass
+- IDOR / ownership breaks
+- race conditions / double-submit
+- server-side validation gaps
+- upload validation gaps
+- unsafe external URL handling
+- auth enumeration / rate limiting gaps
+
+## Core rule
+
+Frontend is never the authority.
+Validation, authorization, limits, and sensitive state rules must be enforced server-side.
+
+## Adversarial loop
+
+1. Confirm the sensitive surface from requirements or the Attack Surface Map.
+2. Map the surface to the relevant controls:
+   - `SEC-SBD-01` input limits
+   - `SEC-SBD-02` upload validation
+   - `SEC-SBD-03` ownership / IDOR / auth bypass
+   - `SEC-SBD-04` race condition / atomicity
+   - `SEC-SBD-06` external URL sanitization
+   - `SEC-SBD-08` auth enumeration / rate limiting
+3. Write the minimum failing adversarial tests first.
+4. Implement only enough production code to make those tests pass.
+5. Re-run the tests immediately.
+6. Record in `spec-{slug}.md` which attack classes are now covered.
+
+`SEC-SBD-05` remains primarily tool-first via `security:scan`. Mention it in implementation decisions when relevant, but do not turn this skill into a secrets-scanning checklist.
+
+## Output contract
+
+When this skill is active, `@dev` should produce:
+
+- at least one adversarial test per relevant sensitive surface
+- a short note in `spec-{slug}.md` listing the covered attack classes
+- no new product rules beyond what requirements and architecture already define
+
+## Reduced mode for SMALL
+
+For SMALL features:
+
+- choose only the highest-risk surfaces
+- prefer 1-2 adversarial tests over a full matrix
+- do not block implementation just to expand the suite
+
+## Non-goals
+
+- do not invoke `@pentester`
+- do not emit runtime events
+- do not create CLI commands
+- do not auto-generate large prompt libraries
+- do not duplicate the baseline rule prose
+
+## References available
+
+| File | Load when |
+|---|---|
+| `references/node-express.md` | Implementing Node / Express or service-style Node boundaries |
+| `references/nextjs.md` | Implementing Next.js route handlers, server actions, or server-side validation |
+| `references/planned-stacks.md` | The target stack is Laravel, Django, Rails, FastAPI, or another non-v1 stack |

package/template/.aioson/skills/process/secure-tdd/references/nextjs.md

@@ -0,0 +1,81 @@
+# secure-tdd reference: Next.js
+
+Use this when the feature runs on Next.js route handlers, server actions, or server-side validation flows.
+
+## Preferred runners
+
+- Vitest
+- Testing Library
+- direct assertions on route handlers or server actions when available
+
+## Write first
+
+Start with failing tests that prove the server side rejects forged or cross-user behavior even if the UI looks correct.
+
+Priority order:
+1. auth bypass in route handlers or server actions
+2. forged payload that bypasses UI constraints
+3. IDOR / ownership checks on resource fetch or mutation
+4. unsafe redirect / external URL handling
+5. optimistic UI or double-submit that must not create duplicate critical state
+
+## Minimum patterns
+
+### Server-side validation independent of UI
+
+```tsx
+it('rejects forged payloads on the server', async () => {
+  const res = await POST(new Request('http://test.local/api/resources', {
+    method: 'POST',
+    body: JSON.stringify({ title: 'x'.repeat(10000) })
+  }));
+  expect(res.status).toBe(422);
+});
+```
+
+### Auth / ownership
+
+```tsx
+it('blocks access to another users resource', async () => {
+  const res = await GET(
+    new Request('http://test.local/api/resources/foreign-id'),
+    { params: { id: 'foreign-id' } }
+  );
+  expect([401, 403]).toContain(res.status);
+});
+```
+
+### External URL sanitization
+
+```tsx
+it('rejects unsafe redirect targets', async () => {
+  const res = await POST(new Request('http://test.local/api/redirects', {
+    method: 'POST',
+    body: JSON.stringify({ target: 'javascript:alert(1)' })
+  }));
+  expect(res.status).toBe(422);
+});
+```
+
+### Double-submit / optimistic UI distrust
+
+Write a test proving the server allows only one critical mutation even if the client sends duplicates quickly.
+
+## Control mapping
+
+- `SEC-SBD-01`: route handler / action validation
+- `SEC-SBD-03`: auth bypass / ownership
+- `SEC-SBD-04`: duplicate mutation / optimistic UI distrust
+- `SEC-SBD-06`: unsafe URL / redirect target
+- `SEC-SBD-08`: auth messaging / rate-limiting when applicable
+
+## Core reminder
+
+UI affordances are not evidence.
+Server actions, route handlers, and backend services must enforce the rule.
+
+## Avoid
+
+- testing only component rendering for a security-sensitive feature
+- assuming hidden fields or disabled buttons are protection
+- skipping server-action tests because the page already validates input