@josstei/maestro 1.6.4-rc.1 → 1.6.4-rc.3

package/CHANGELOG.md

@@ -15,10 +15,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Changed
 
-- **npm package identity**: renamed the planned npm package to `@josstei/maestro`, added `hello@josstei.dev` to public author metadata, and moved the stable release publish path toward GitHub Actions trusted publishing.
+- **npm package identity**: renamed the planned npm package to `@josstei/maestro`, added `hello@josstei.dev` to public author metadata, and moved the stable release publish path into GitHub Actions with npm token authentication.
 
 ### Fixed
 
+- **Stable npm release recovery**: Release now uses `NPM_TOKEN` for stable publishes, supports manual recovery from an existing `vX.Y.Z` tag and target SHA, and enforces a stable-only `latest` dist-tag through the idempotent npm publish helper.
 - **Codex plugin MCP server fails to start**: corrected `npx` args in `plugins/maestro/.mcp.json` — added `-p`/`--package` flag so `maestro-mcp-server` is resolved as the binary name rather than an argument to the package's default binary.
 - **Release metadata drift**: runtime manifests, marketplace entries, detached payload versions, and Codex MCP package specs are now generated from `package.json` so stable and prerelease packages stay self-consistent.
 

package/EXAMPLES.md

@@ -247,9 +247,9 @@ Source: `justfile`, `package.json`
 ```bash
 # edit README.md, EXAMPLES.md, docs/*.md, or canonical src/ docs as appropriate
 node --test tests/unit/doc-drift-guard.test.js
-just check
+node scripts/generate.js --diff
 ```
 
-Expected outcome: user-facing docs remain aligned with command names, runtime counts, MCP tool names, and generated-output rules.
+Expected outcome: user-facing docs remain aligned with command names, runtime counts, MCP tool names, and generated-output rules, and the generator reports no additional pending runtime output. In CI or a clean worktree, `just check` covers the same drift check with `git diff --exit-code`.
 
 Source: `tests/unit/doc-drift-guard.test.js`

package/GEMINI.md

@@ -76,7 +76,7 @@ For each domain, determine if the task has needs that warrant specialist involve
 
 | Domain | Signal questions | Candidate agents |
 | --- | --- | --- |
-| Engineering | Does the task involve code, infrastructure, or data? | `architect`, `api_designer`, `coder`, `code_reviewer`, `tester`, `refactor`, `data_engineer`, `debugger`, `devops_engineer`, `performance_engineer`, `security_engineer`, `technical_writer` |
+| Engineering | Does the task involve code, infrastructure, APIs, data, or delivery? | `architect`, `api_designer`, `coder`, `code_reviewer`, `tester`, `refactor`, `data_engineer`, `database_administrator`, `debugger`, `devops_engineer`, `integration_engineer`, `platform_engineer`, `cloud_architect`, `solutions_architect`, `site_reliability_engineer`, `observability_engineer`, `performance_engineer`, `security_engineer`, `technical_writer`, `release_manager` |
 | Product | Are requirements unclear, or does success depend on user outcomes? | `product_manager` |
 | Design | Does the deliverable have a user-facing interface or interaction? | `ux_designer`, `accessibility_specialist`, `design_system_engineer` |
 | Content | Does the task produce or modify user-visible text, copy, or media? | `content_strategist`, `copywriter` |
@@ -84,13 +84,16 @@ For each domain, determine if the task has needs that warrant specialist involve
 | Compliance | Does the task handle user data, payments, or operate in a regulated domain? | `compliance_reviewer` |
 | Internationalization | Must the deliverable support multiple locales? | `i18n_specialist` |
 | Analytics | Does success need to be measured, or does the feature need instrumentation? | `analytics_engineer` |
+| ML/AI | Does the task involve model training, inference, prompts, or model operations? | `ml_engineer`, `mlops_engineer`, `prompt_engineer` |
+| Mobile | Does the task target iOS, Android, React Native, Flutter, or mobile release constraints? | `mobile_engineer` |
+| Mainframe / IBM | Does the task involve COBOL, JCL, DB2 for z/OS or IBM i, HLASM, RACF, CICS, IMS, or USS? | `cobol_engineer`, `db2_dba`, `zos_sysprog`, `hlasm_assembler_specialist`, `ibm_i_specialist` |
 
 Skip domains where the answer is clearly "no." For relevant domains, include appropriate agents in the phase plan alongside engineering agents. Domain agents participate at whatever phase makes sense — design, implementation, or post-build audit — based on the specific task.
 
 Apply domain analysis proportional to `task_complexity`:
 - `simple`: Engineering domain only. Skip other domains unless explicitly requested.
 - `medium`: Engineering + domains with clear signals from the task description.
-- `complex`: Full 8-domain sweep (current behavior).
+- `complex`: Full domain sweep (current behavior).
 
 
 ## Native Parallel Contract
@@ -141,7 +144,7 @@ CORRECT — Delegating via the agent's own tool:
 
 When building delegation prompts:
 
-1. Call the agent's registered tool by its exact name from the Agent Roster (e.g., `coder`, `tester`, `design_system_engineer`). Use `get_agent` to load the full methodology body and declared tool restrictions for the matching kebab-case agent.
+1. Call the agent's registered tool by its exact name from the Agent Roster (e.g., `coder`, `tester`, `design_system_engineer`). Use `get_agent` to load the full methodology body, declared tool restrictions, and runtime `tool_name` for the matching canonical agent.
 2. Do not rely on Maestro-level model, temperature, turn, or timeout overrides. Use agent frontmatter and runtime-level agent configuration for native tuning.
 3. Inject shared protocols from `get_skill_content` with resources: `["agent-base-protocol", "filesystem-safety-protocol"]`.
 4. Include dependency downstream context from session state.
@@ -189,30 +192,47 @@ All agent names use **snake_case** (underscores, not hyphens). When delegating,
 
 ## Agent Roster
 
-| Agent | Focus | Key Tool Profile |
+| Agent | Focus | Capability Tier |
 | --- | --- | --- |
-| `architect` | System design | Read tools + web search/fetch |
-| `api_designer` | API contracts | Read tools + web search/fetch |
-| `code_reviewer` | Code quality review | Read-only |
-| `coder` | Feature implementation | Read/write/shell + todos + skill activation |
-| `data_engineer` | Schema/data/queries | Read/write/shell + todos + web search |
-| `debugger` | Root cause analysis | Read + shell + todos |
-| `devops_engineer` | CI/CD and infra | Read/write/shell + todos + web search/fetch |
-| `performance_engineer` | Performance profiling | Read + shell + todos + web search/fetch |
-| `refactor` | Structural refactoring | Read/write/shell + todos + skill activation |
-| `security_engineer` | Security auditing | Read + shell + todos + web search/fetch |
-| `technical_writer` | Documentation | Read/write + todos + web search |
-| `tester` | Test implementation | Read/write/shell + todos + skill activation + web search |
-| `seo_specialist` | Technical SEO auditing | Read + shell + web search/fetch + todos |
-| `copywriter` | Marketing copy & content | Read/write |
-| `content_strategist` | Content planning & strategy | Read + web search/fetch |
-| `ux_designer` | User experience design | Read/write + web search |
-| `accessibility_specialist` | WCAG compliance auditing | Read + shell + web search + todos |
-| `product_manager` | Requirements & product strategy | Read/write + web search |
-| `analytics_engineer` | Tracking & measurement | Read/write/shell + web search + todos |
-| `i18n_specialist` | Internationalization | Read/write/shell + todos |
-| `design_system_engineer` | Design tokens & theming | Read/write/shell + todos + skill activation |
-| `compliance_reviewer` | Legal & regulatory compliance | Read + web search/fetch |
+| `accessibility_specialist` | WCAG compliance auditing, ARIA review | Read + shell |
+| `analytics_engineer` | Event tracking, conversion funnels | Full access |
+| `api_designer` | API contracts and endpoint design | Read-only |
+| `architect` | System design and architecture decisions | Read-only |
+| `cloud_architect` | AWS/GCP/Azure topology, IaC, multi-region design | Read-only |
+| `cobol_engineer` | Mainframe COBOL, JCL, CICS/IMS on z/OS | Full access |
+| `code_reviewer` | Code quality review and bug identification | Read-only |
+| `coder` | Feature implementation | Full access |
+| `compliance_reviewer` | Legal and regulatory compliance | Read-only |
+| `content_strategist` | Content planning and strategy | Read-only |
+| `copywriter` | Marketing copy and landing-page content | Read + write |
+| `data_engineer` | Schema design, queries, and data pipelines | Full access |
+| `database_administrator` | RDBMS tuning, indexes, and migration safety | Read + shell |
+| `db2_dba` | DB2 for z/OS and LUW, REORG, RUNSTATS, bind/rebind | Read + shell |
+| `debugger` | Root cause analysis and defect investigation | Read + shell |
+| `design_system_engineer` | Design tokens and theming | Full access |
+| `devops_engineer` | CI/CD, containerization, and deployment | Full access |
+| `hlasm_assembler_specialist` | IBM HLASM for z/OS, macros, SVCs | Full access |
+| `i18n_specialist` | Internationalization and locale management | Full access |
+| `ibm_i_specialist` | IBM i RPG/CL, DB2 for i, OS/400 | Full access |
+| `integration_engineer` | B2B APIs, ETL, and message brokers | Full access |
+| `ml_engineer` | Model training, feature pipelines, and evaluation | Full access |
+| `mlops_engineer` | Model registry, CI/CD for models, drift detection | Full access |
+| `mobile_engineer` | iOS/Android/React Native/Flutter platform work | Full access |
+| `observability_engineer` | Metrics, logs, traces, OpenTelemetry, dashboards | Full access |
+| `performance_engineer` | Performance profiling and optimization | Read + shell |
+| `platform_engineer` | Internal developer platforms and paved paths | Full access |
+| `product_manager` | Requirements and product strategy | Read + write |
+| `prompt_engineer` | LLM prompt design, few-shot, and RAG tuning | Read + write |
+| `refactor` | Structural refactoring and technical debt | Full access |
+| `release_manager` | Release notes, changelogs, rollout planning | Read + write |
+| `security_engineer` | Security assessment and vulnerability analysis | Read + shell |
+| `seo_specialist` | Technical SEO auditing and structured data | Read + shell |
+| `site_reliability_engineer` | SLOs, error budgets, runbooks, postmortems | Read + shell |
+| `solutions_architect` | Enterprise integration and cross-team architecture | Read-only |
+| `technical_writer` | Documentation and technical writing | Read + write |
+| `tester` | Test implementation and coverage analysis | Full access |
+| `ux_designer` | User experience design | Read + write |
+| `zos_sysprog` | z/OS systems programming, JCL, USS, RACF | Read + shell |
 
 ## Hooks
 

package/QWEN.md

@@ -34,20 +34,33 @@ Before running orchestration commands:
 
 - Extension settings from `qwen-extension.json` are exposed as `MAESTRO_*` env vars via Qwen Code extension settings; honor them as runtime source of truth.
 - Maestro slash commands are file commands loaded from `commands/maestro/*.toml`; they are expected to resolve as `/maestro:*`.
-- Hook entries must remain `type: "command"` in `hooks/hooks.json` for compatibility with current Qwen Code hook validation.
+- Hook entries must remain `type: "command"` in `qwen/hooks.json` for compatibility with current Qwen Code hook validation.
 - Extension workflows run only when the extension is linked/enabled and workspace trust allows extension assets.
 - Keep `ask_user_question` header fields short (aim for 16 characters or fewer) to fit the UI chip display. Short headers like `Database`, `Auth`, `Approach` work best.
 - The extension contributes deny/ask policy rules from `policies/maestro.toml`. Treat these as safety rails that complement, but do not replace, prompt-level instructions.
 
 ## Qwen Tool Name Mapping
 
-This extension was authored for Qwen Code. When following agent methodology files that reference Gemini tool names, use the following mapping:
+This extension was authored for Qwen Code. When following agent methodology files that reference canonical tool names, use the runtime mapping from `src/platforms/qwen/runtime-config.js`:
 
 | Source (raw file) | Qwen tool |
 |---|---|
+| `read_file` | `read_file` |
+| `read_many_files` | `read_many_files` |
+| `list_directory` | `list_directory` |
+| `glob` | `glob` |
+| `grep_search` | `grep_search` |
+| `google_web_search` | `web_search` |
+| `web_fetch` | `web_fetch` |
+| `write_file` | `write_file` |
+| `replace` | `edit` |
+| `run_shell_command` | `run_shell_command` |
 | `ask_user` | `ask_user_question` |
-
-**Known residual gap:** Other Gemini tool names (e.g., `google_web_search`, `write_todos`, `activate_skill`) may still appear in raw source agent files. Where encountered, apply the same mapping principle if the Qwen-equivalent tool exists and is semantically equivalent. Do not assume equivalence for tools with different invocation semantics — verify behavior first.
+| `write_todos` | `todo_write` |
+| `activate_skill` | `skill` |
+| `enter_plan_mode` | `enter_plan_mode` |
+| `exit_plan_mode` | `exit_plan_mode` |
+| `codebase_investigator` | `codebase_investigator` |
 
 ## Context Budget
 
@@ -86,7 +99,7 @@ For each domain, determine if the task has needs that warrant specialist involve
 
 | Domain | Signal questions | Candidate agents |
 | --- | --- | --- |
-| Engineering | Does the task involve code, infrastructure, or data? | `architect`, `api_designer`, `coder`, `code_reviewer`, `tester`, `refactor`, `data_engineer`, `debugger`, `devops_engineer`, `performance_engineer`, `security_engineer`, `technical_writer` |
+| Engineering | Does the task involve code, infrastructure, APIs, data, or delivery? | `architect`, `api_designer`, `coder`, `code_reviewer`, `tester`, `refactor`, `data_engineer`, `database_administrator`, `debugger`, `devops_engineer`, `integration_engineer`, `platform_engineer`, `cloud_architect`, `solutions_architect`, `site_reliability_engineer`, `observability_engineer`, `performance_engineer`, `security_engineer`, `technical_writer`, `release_manager` |
 | Product | Are requirements unclear, or does success depend on user outcomes? | `product_manager` |
 | Design | Does the deliverable have a user-facing interface or interaction? | `ux_designer`, `accessibility_specialist`, `design_system_engineer` |
 | Content | Does the task produce or modify user-visible text, copy, or media? | `content_strategist`, `copywriter` |
@@ -94,13 +107,16 @@ For each domain, determine if the task has needs that warrant specialist involve
 | Compliance | Does the task handle user data, payments, or operate in a regulated domain? | `compliance_reviewer` |
 | Internationalization | Must the deliverable support multiple locales? | `i18n_specialist` |
 | Analytics | Does success need to be measured, or does the feature need instrumentation? | `analytics_engineer` |
+| ML/AI | Does the task involve model training, inference, prompts, or model operations? | `ml_engineer`, `mlops_engineer`, `prompt_engineer` |
+| Mobile | Does the task target iOS, Android, React Native, Flutter, or mobile release constraints? | `mobile_engineer` |
+| Mainframe / IBM | Does the task involve COBOL, JCL, DB2 for z/OS or IBM i, HLASM, RACF, CICS, IMS, or USS? | `cobol_engineer`, `db2_dba`, `zos_sysprog`, `hlasm_assembler_specialist`, `ibm_i_specialist` |
 
 Skip domains where the answer is clearly "no." For relevant domains, include appropriate agents in the phase plan alongside engineering agents. Domain agents participate at whatever phase makes sense — design, implementation, or post-build audit — based on the specific task.
 
 Apply domain analysis proportional to `task_complexity`:
 - `simple`: Engineering domain only. Skip other domains unless explicitly requested.
 - `medium`: Engineering + domains with clear signals from the task description.
-- `complex`: Full 8-domain sweep (current behavior).
+- `complex`: Full domain sweep (current behavior).
 
 
 ## Native Parallel Contract
@@ -151,7 +167,7 @@ CORRECT — Delegating via the agent's own tool:
 
 When building delegation prompts:
 
-1. Call the agent's registered tool by its exact name from the Agent Roster (e.g., `coder`, `tester`, `design_system_engineer`). Use `get_agent` to load the full methodology body and declared tool restrictions for the matching kebab-case agent.
+1. Call the agent's registered tool by its exact name from the Agent Roster (e.g., `coder`, `tester`, `design_system_engineer`). Use `get_agent` to load the full methodology body, declared tool restrictions, and runtime `tool_name` for the matching canonical agent.
 2. Do not rely on Maestro-level model, temperature, turn, or timeout overrides. Use agent frontmatter and runtime-level agent configuration for native tuning.
 3. Inject shared protocols from `get_skill_content` with resources: `["agent-base-protocol", "filesystem-safety-protocol"]`.
 4. Include dependency downstream context from session state.
@@ -199,30 +215,47 @@ All agent names use **snake_case** (underscores, not hyphens). When delegating,
 
 ## Agent Roster
 
-| Agent | Focus | Key Tool Profile |
+| Agent | Focus | Capability Tier |
 | --- | --- | --- |
-| `architect` | System design | Read tools + web search/fetch |
-| `api_designer` | API contracts | Read tools + web search/fetch |
-| `code_reviewer` | Code quality review | Read-only |
-| `coder` | Feature implementation | Read/write/shell + todos + skill activation |
-| `data_engineer` | Schema/data/queries | Read/write/shell + todos + web search |
-| `debugger` | Root cause analysis | Read + shell + todos |
-| `devops_engineer` | CI/CD and infra | Read/write/shell + todos + web search/fetch |
-| `performance_engineer` | Performance profiling | Read + shell + todos + web search/fetch |
-| `refactor` | Structural refactoring | Read/write/shell + todos + skill activation |
-| `security_engineer` | Security auditing | Read + shell + todos + web search/fetch |
-| `technical_writer` | Documentation | Read/write + todos + web search |
-| `tester` | Test implementation | Read/write/shell + todos + skill activation + web search |
-| `seo_specialist` | Technical SEO auditing | Read + shell + web search/fetch + todos |
-| `copywriter` | Marketing copy & content | Read/write |
-| `content_strategist` | Content planning & strategy | Read + web search/fetch |
-| `ux_designer` | User experience design | Read/write + web search |
-| `accessibility_specialist` | WCAG compliance auditing | Read + shell + web search + todos |
-| `product_manager` | Requirements & product strategy | Read/write + web search |
-| `analytics_engineer` | Tracking & measurement | Read/write/shell + web search + todos |
-| `i18n_specialist` | Internationalization | Read/write/shell + todos |
-| `design_system_engineer` | Design tokens & theming | Read/write/shell + todos + skill activation |
-| `compliance_reviewer` | Legal & regulatory compliance | Read + web search/fetch |
+| `accessibility_specialist` | WCAG compliance auditing, ARIA review | Read + shell |
+| `analytics_engineer` | Event tracking, conversion funnels | Full access |
+| `api_designer` | API contracts and endpoint design | Read-only |
+| `architect` | System design and architecture decisions | Read-only |
+| `cloud_architect` | AWS/GCP/Azure topology, IaC, multi-region design | Read-only |
+| `cobol_engineer` | Mainframe COBOL, JCL, CICS/IMS on z/OS | Full access |
+| `code_reviewer` | Code quality review and bug identification | Read-only |
+| `coder` | Feature implementation | Full access |
+| `compliance_reviewer` | Legal and regulatory compliance | Read-only |
+| `content_strategist` | Content planning and strategy | Read-only |
+| `copywriter` | Marketing copy and landing-page content | Read + write |
+| `data_engineer` | Schema design, queries, and data pipelines | Full access |
+| `database_administrator` | RDBMS tuning, indexes, and migration safety | Read + shell |
+| `db2_dba` | DB2 for z/OS and LUW, REORG, RUNSTATS, bind/rebind | Read + shell |
+| `debugger` | Root cause analysis and defect investigation | Read + shell |
+| `design_system_engineer` | Design tokens and theming | Full access |
+| `devops_engineer` | CI/CD, containerization, and deployment | Full access |
+| `hlasm_assembler_specialist` | IBM HLASM for z/OS, macros, SVCs | Full access |
+| `i18n_specialist` | Internationalization and locale management | Full access |
+| `ibm_i_specialist` | IBM i RPG/CL, DB2 for i, OS/400 | Full access |
+| `integration_engineer` | B2B APIs, ETL, and message brokers | Full access |
+| `ml_engineer` | Model training, feature pipelines, and evaluation | Full access |
+| `mlops_engineer` | Model registry, CI/CD for models, drift detection | Full access |
+| `mobile_engineer` | iOS/Android/React Native/Flutter platform work | Full access |
+| `observability_engineer` | Metrics, logs, traces, OpenTelemetry, dashboards | Full access |
+| `performance_engineer` | Performance profiling and optimization | Read + shell |
+| `platform_engineer` | Internal developer platforms and paved paths | Full access |
+| `product_manager` | Requirements and product strategy | Read + write |
+| `prompt_engineer` | LLM prompt design, few-shot, and RAG tuning | Read + write |
+| `refactor` | Structural refactoring and technical debt | Full access |
+| `release_manager` | Release notes, changelogs, rollout planning | Read + write |
+| `security_engineer` | Security assessment and vulnerability analysis | Read + shell |
+| `seo_specialist` | Technical SEO auditing and structured data | Read + shell |
+| `site_reliability_engineer` | SLOs, error budgets, runbooks, postmortems | Read + shell |
+| `solutions_architect` | Enterprise integration and cross-team architecture | Read-only |
+| `technical_writer` | Documentation and technical writing | Read + write |
+| `tester` | Test implementation and coverage analysis | Full access |
+| `ux_designer` | User experience design | Read + write |
+| `zos_sysprog` | z/OS systems programming, JCL, USS, RACF | Read + shell |
 
 ## Hooks
 

package/claude/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "maestro",
-  "version": "1.6.4-rc.1",
+  "version": "1.6.4-rc.3",
   "description": "Multi-agent development orchestration platform — 39 specialists, 4-phase orchestration, native parallel subagents, persistent sessions, and standalone review/debug/security/perf/seo/a11y/compliance commands",
   "author": {
     "name": "josstei",

package/claude/src/platforms/shared/agent-names.js

@@ -1,10 +1,15 @@
 module.exports = {
   agentNames: [
     'accessibility-specialist', 'analytics-engineer', 'api-designer', 'architect',
-    'code-reviewer', 'coder', 'compliance-reviewer', 'content-strategist',
-    'copywriter', 'data-engineer', 'debugger', 'design-system-engineer',
-    'devops-engineer', 'i18n-specialist', 'performance-engineer', 'product-manager',
-    'refactor', 'security-engineer', 'seo-specialist', 'technical-writer',
-    'tester', 'ux-designer',
+    'cloud-architect', 'cobol-engineer', 'code-reviewer', 'coder',
+    'compliance-reviewer', 'content-strategist', 'copywriter', 'data-engineer',
+    'database-administrator', 'db2-dba', 'debugger', 'design-system-engineer',
+    'devops-engineer', 'hlasm-assembler-specialist', 'i18n-specialist',
+    'ibm-i-specialist', 'integration-engineer', 'ml-engineer', 'mlops-engineer',
+    'mobile-engineer', 'observability-engineer', 'performance-engineer',
+    'platform-engineer', 'product-manager', 'prompt-engineer', 'refactor',
+    'release-manager', 'security-engineer', 'seo-specialist',
+    'site-reliability-engineer', 'solutions-architect', 'technical-writer',
+    'tester', 'ux-designer', 'zos-sysprog',
   ],
 };

package/claude/src/skills/shared/delegation/SKILL.md

@@ -130,17 +130,26 @@ Explicitly state what the agent must NOT do:
 | Task Domain | Agent | Key Capability |
 |-------------|-------|---------------|
 | System architecture, component design | `architect` | Read-only analysis, architecture patterns |
+| Cloud architecture, multi-region topology | `cloud-architect` | Read-only cloud/IaC architecture |
+| Enterprise integration architecture | `solutions-architect` | Read-only cross-team architecture |
 | API contracts, endpoint design | `api-designer` | Read-only, REST/GraphQL expertise |
 | Feature implementation, coding | `coder` | Full read/write/shell access |
 | Code quality assessment | `code-reviewer` | Read-only, verified findings |
 | Database schema, queries, ETL | `data-engineer` | Full read/write/shell access |
+| RDBMS tuning, indexes, migration safety | `database-administrator` | Read + shell for database analysis |
+| DB2 operations and tuning | `db2-dba` | Read + shell for DB2-specific work |
 | Bug investigation, root cause | `debugger` | Read + shell for investigation |
 | CI/CD, infrastructure, deployment | `devops-engineer` | Full read/write/shell access |
+| Internal platforms, paved paths | `platform-engineer` | Full platform implementation access |
+| B2B APIs, ETL, message brokers | `integration-engineer` | Full integration implementation access |
+| SLOs, runbooks, reliability | `site-reliability-engineer` | Read + shell reliability analysis |
+| Metrics, logs, traces, dashboards | `observability-engineer` | Full observability implementation access |
 | Performance analysis, profiling | `performance-engineer` | Read + shell for profiling |
 | Code restructuring, modernization | `refactor` | Read/write/shell, skill activation |
 | Security assessment, vulnerability | `security-engineer` | Read + shell for scanning |
 | Test creation, TDD, coverage | `tester` | Full read/write/shell access |
 | Documentation, READMEs, guides | `technical-writer` | Read/write, no shell |
+| Release notes, changelogs, rollout | `release-manager` | Read/write for release artifacts |
 | Technical SEO auditing | `seo-specialist` | Read + shell + web search/fetch |
 | Marketing copy, content writing | `copywriter` | Read/write |
 | Content planning, strategy | `content-strategist` | Read + web search/fetch |
@@ -151,6 +160,14 @@ Explicitly state what the agent must NOT do:
 | Internationalization | `i18n-specialist` | Full read/write/shell access |
 | Design tokens, theming | `design-system-engineer` | Full read/write/shell access |
 | Legal, regulatory compliance | `compliance-reviewer` | Read + web search/fetch |
+| Mobile platform work | `mobile-engineer` | Full mobile implementation access |
+| Model training and inference integration | `ml-engineer` | Full ML implementation access |
+| Model operations and model CI/CD | `mlops-engineer` | Full MLOps implementation access |
+| Prompt design, few-shot, RAG tuning | `prompt-engineer` | Read/write prompt and eval design |
+| Mainframe COBOL, JCL, CICS/IMS | `cobol-engineer` | Full mainframe implementation access |
+| IBM HLASM for z/OS | `hlasm-assembler-specialist` | Full assembly implementation access |
+| IBM i RPG/CL, DB2 for i | `ibm-i-specialist` | Full IBM i implementation access |
+| z/OS systems programming, JCL, RACF | `zos-sysprog` | Read + shell for z/OS system work |
 
 ## Agent Tool Dispatch Contract
 
@@ -269,7 +286,7 @@ Before each agent dispatch, a hook tracks which agent is currently executing:
 - Preferred signal: the required `Agent: <agent_name>` header in the delegation prompt
 - Legacy fallbacks: `MAESTRO_CURRENT_AGENT` from the environment, then regex-based detection of patterns like `delegate to <agent>` or `@<agent>`
 
-The detected agent name is persisted to `/tmp/maestro-hooks/<session-id>/active-agent` and cleared by the post-delegation hook on every allowed response (both successful validation and retry allow-through). On deny (malformed output), the active agent is preserved to enable re-validation on retry.
+The detected agent name is persisted to `${MAESTRO_HOOKS_DIR:-<os.tmpdir()>/maestro-hooks-<uid>}/<session-id>/active-agent` and cleared by the post-delegation hook on every allowed response (both successful validation and retry allow-through). On deny (malformed output), the active agent is preserved to enable re-validation on retry.
 
 ### Session Context Injection
 

package/claude/src/skills/shared/design-dialogue/SKILL.md

@@ -257,7 +257,7 @@ Apply depth-gated reasoning enrichment to design section content during the conv
 
 The write path depends on whether your runtime provides a Plan Mode surface (check `get_runtime_context`, loaded at session start, step 0):
 
-- **Plan Mode active**: Some runtimes restrict writes to a temporary staging directory during Plan Mode. Write the design document there. After `exit_plan_mode` approval in Phase 2, copy it to the permanent location.
+- **Plan Mode active**: Some runtimes restrict writes to a temporary staging directory during Plan Mode. Write the design document there first, then exit Plan Mode and complete the design approval handoff. When the runtime's Plan Mode path is not visible to the MCP server, use the `record_design_approval` content variant so the server materializes the canonical copy under `<state_dir>/plans/`.
 - **Plan Mode not active or not available**: Write directly to the permanent location. If your runtime does not provide Plan Mode, track design progress using the plan-update mechanism from runtime context and use the user-prompt tool from runtime context for section approvals and final signoff.
 
 Permanent location: `<state_dir>/plans/YYYY-MM-DD-<topic-slug>-design.md` (where `<state_dir>` resolves from `MAESTRO_STATE_DIR`, default `docs/maestro`).

package/claude/src/skills/shared/execution/SKILL.md

@@ -121,7 +121,7 @@ Hooks fire automatically at agent boundaries. The orchestrator does not invoke t
 
 The hooks system tracks which agent is currently executing. Before each agent dispatch, a hook resolves the active agent identity from the required `Agent:` header first, then falls back to legacy env/regex detection, and injects compact session context. After completion, a hook validates that the response contains both `Task Report` and `Downstream Context`; it requests one retry on the first malformed response.
 
-The hook state directory under `/tmp/maestro-hooks/<session-id>/` is transient and separate from orchestration state.
+The hook state directory under `${MAESTRO_HOOKS_DIR:-<os.tmpdir()>/maestro-hooks-<uid>}/<session-id>/` is transient and separate from orchestration state.
 
 ## Sequential Execution Protocol
 

package/claude/src/skills/shared/implementation-planning/SKILL.md

@@ -77,12 +77,12 @@ Before finalizing agent assignments, verify each phase's agent can deliver its r
 
 | Phase Deliverable | Required Tier | Compatible Agents |
 |-------------------|--------------|-------------------|
-| Creates/modifies files | Full Access or Read+Write | coder, data-engineer, devops-engineer, tester, refactor, design-system-engineer, i18n-specialist, analytics-engineer, technical-writer, product-manager, ux-designer, copywriter |
-| Runs shell commands | Full Access or Read+Shell | coder, data-engineer, devops-engineer, tester, refactor, design-system-engineer, i18n-specialist, analytics-engineer, debugger, performance-engineer, security-engineer, seo-specialist, accessibility-specialist |
+| Creates/modifies files | Full Access or Read+Write | analytics-engineer, cobol-engineer, coder, copywriter, data-engineer, design-system-engineer, devops-engineer, hlasm-assembler-specialist, i18n-specialist, ibm-i-specialist, integration-engineer, ml-engineer, mlops-engineer, mobile-engineer, observability-engineer, platform-engineer, product-manager, prompt-engineer, refactor, release-manager, technical-writer, tester, ux-designer |
+| Runs shell commands | Full Access or Read+Shell | accessibility-specialist, analytics-engineer, cobol-engineer, coder, data-engineer, database-administrator, db2-dba, debugger, design-system-engineer, devops-engineer, hlasm-assembler-specialist, i18n-specialist, ibm-i-specialist, integration-engineer, ml-engineer, mlops-engineer, mobile-engineer, observability-engineer, performance-engineer, platform-engineer, refactor, security-engineer, seo-specialist, site-reliability-engineer, tester, zos-sysprog |
 | Analysis/review only | Any tier | All agents |
 
 <HARD-GATE>
-Read-Only agents (architect, api-designer, code-reviewer, content-strategist, compliance-reviewer)
+Read-Only agents (architect, api-designer, cloud-architect, code-reviewer, compliance-reviewer, content-strategist, solutions-architect)
 CANNOT be assigned to phases that create or modify files. If a phase requires file creation
 and domain expertise from a Read-Only agent, split it: the Read-Only agent produces a spec
 or analysis, then a write-capable agent (typically coder) implements the files based on that output.
@@ -180,17 +180,26 @@ If `validate_plan` is available, review its `parallelization_profile` and `redun
 | Task Domain | Primary Agent | Secondary Agent | Rationale |
 |-------------|--------------|-----------------|-----------|
 | System design, architecture | `architect` | - | Read-only analysis, design expertise |
+| Cloud architecture, multi-region topology | `cloud-architect` | `devops-engineer` | Architecture first, implementation second |
+| Enterprise integration architecture | `solutions-architect` | `integration-engineer` | Cross-team design before implementation |
 | API contracts, endpoints | `api-designer` | `coder` | Design then implement |
 | Feature implementation | `coder` | - | Full implementation access |
 | Code quality review | `code-reviewer` | - | Read-only verification |
 | Database schema, queries | `data-engineer` | - | Schema + implementation |
+| RDBMS tuning, indexes, migration safety | `database-administrator` | `data-engineer` | DBA analysis before schema/code changes |
+| DB2 administration | `db2-dba` | `data-engineer` | DB2-specific operations and design |
 | Bug investigation | `debugger` | - | Read + shell for investigation |
 | CI/CD, infrastructure | `devops-engineer` | - | Full DevOps access |
+| Internal platforms, paved paths | `platform-engineer` | `devops-engineer` | Platform conventions and implementation |
+| B2B integrations, ETL, message brokers | `integration-engineer` | - | Full integration implementation |
+| SLOs, runbooks, reliability | `site-reliability-engineer` | `observability-engineer` | Reliability assessment plus telemetry implementation |
+| Observability, metrics, traces | `observability-engineer` | - | Full telemetry implementation |
 | Performance analysis | `performance-engineer` | - | Read + shell for profiling |
 | Code restructuring | `refactor` | - | Write + shell access (for validation) |
 | Security assessment | `security-engineer` | - | Read + shell for scanning |
 | Test creation | `tester` | - | Full test implementation |
 | Documentation | `technical-writer` | - | Write access for docs |
+| Release notes, changelogs, rollout | `release-manager` | - | Write access for release artifacts |
 | Technical SEO audit | `seo-specialist` | - | Read + shell + web search |
 | Marketing copy, content | `copywriter` | - | Read/write |
 | Content planning | `content-strategist` | - | Read + web search/fetch |
@@ -201,6 +210,14 @@ If `validate_plan` is available, review its `parallelization_profile` and `redun
 | Internationalization | `i18n-specialist` | `coder` | Implement then localize |
 | Design tokens, theming | `design-system-engineer` | `coder` | Tokens then consume |
 | Legal, regulatory | `compliance-reviewer` | - | Read + web search/fetch |
+| Mobile platform work | `mobile-engineer` | `tester` | Mobile implementation plus validation |
+| Model training, inference integration | `ml-engineer` | `tester` | ML implementation plus evaluation |
+| Model registry, drift, model CI/CD | `mlops-engineer` | `devops-engineer` | Model operations and deployment |
+| Prompt design, few-shot, RAG tuning | `prompt-engineer` | `coder` | Prompt spec before integration |
+| Mainframe COBOL, JCL, CICS/IMS | `cobol-engineer` | `tester` | Mainframe implementation and validation |
+| IBM HLASM for z/OS | `hlasm-assembler-specialist` | - | Assembly implementation |
+| IBM i RPG/CL, DB2 for i | `ibm-i-specialist` | - | IBM i implementation |
+| z/OS systems programming, JCL, RACF | `zos-sysprog` | `security-engineer` | System-level analysis and controls |
 
 ### Assignment Rules
 1. Match the primary task domain to the agent specialization
@@ -216,32 +233,19 @@ Estimate token consumption per phase based on:
 - Agent's max_turns limit as upper bound
 - Historical averages: ~500 input tokens per file read, ~200 output tokens per file written
 
-### Cost Estimation
+### Resource Estimation
 
-#### Per-Phase Cost Factors
-- **Model tier**: Pro agents (~$0.01/1K input, ~$0.04/1K output) vs Flash agents (~$0.001/1K input, ~$0.004/1K output)
-- **Input complexity**: Number of files read, average file size, context from previous phases
-- **Output complexity**: Lines of code generated, number of files created/modified
-- **Retry budget**: Add 50% buffer per phase for potential retries (max 2 retries)
+Do not invent provider pricing or model tiers. Agent model selection is runtime-owned through agent frontmatter and runtime configuration. Estimate execution size in stable, codebase-derived terms instead:
 
-#### Estimation Formula
-```
-Phase Cost = (input_tokens × input_rate + output_tokens × output_rate) × retry_multiplier
-```
-
-Where:
-- `input_tokens` = files_to_read × 500 + context_tokens
-- `output_tokens` = files_to_write × 200 + validation_output
-- `retry_multiplier` = 1.5 (accounts for up to 2 retries)
+- **Input complexity**: number of files likely to be read, average file size, and prior-phase context
+- **Output complexity**: number of files created or modified, validation output volume, and expected handoff detail
+- **Retry budget**: note phases likely to need retries because of broad file ownership, external dependencies, or uncertain validation
 
-#### Plan-Level Cost Summary
-Include this table in every implementation plan:
+Include a lightweight plan-level resource summary when useful:
 
-| Phase | Agent | Model | Est. Input | Est. Output | Est. Cost |
-|-------|-------|-------|-----------|------------|----------|
-| 1 | [agent] | [model] | [tokens] | [tokens] | [$X.XX] |
-| ... | ... | ... | ... | ... | ... |
-| **Total** | | | **[sum]** | **[sum]** | **[$X.XX]** |
+| Phase | Agent | Est. Files Read | Est. Files Written | Retry Risk | Notes |
+|-------|-------|-----------------|--------------------|------------|-------|
+| 1 | [agent] | [N] | [N] | LOW/MEDIUM/HIGH | [why] |
 
 ## Plan Document Generation
 
@@ -296,7 +300,7 @@ After writing the implementation plan:
 1. Confirm the file path to the user
 2. Present the dependency graph and execution strategy
 3. Highlight parallel execution opportunities
-4. Provide token budget estimates
+4. Provide resource estimates when useful
 5. If your runtime provides Plan Mode, call `exit_plan_mode` with the plan path to present the plan for user approval. If Plan Mode is not available, present the completed plan for user approval using the user-prompt tool from runtime context.
 6. Ensure the approved plan is at `<state_dir>/plans/YYYY-MM-DD-<slug>-impl-plan.md` as the permanent project reference (copy from the staging directory if Plan Mode was used)
 7. Ask if the user is ready to proceed to execution (Phase 3)

package/claude/src/skills/shared/session-management/SKILL.md

@@ -18,12 +18,12 @@ Detection: check whether MCP state tools appear in your available tools. If they
 
 ## Hook-Level Session State
 
-Maestro hooks maintain a separate, transient state directory at `/tmp/maestro-hooks/<session-id>/` that is distinct from orchestration state in `<MAESTRO_STATE_DIR>`:
+Maestro hooks maintain a separate, transient state directory under `${MAESTRO_HOOKS_DIR:-<os.tmpdir()>/maestro-hooks-<uid>}/<session-id>/` that is distinct from orchestration state in `<MAESTRO_STATE_DIR>`:
 
 | Concern | Orchestration State | Hook State |
 | --- | --- | --- |
-| Location | `<MAESTRO_STATE_DIR>/state/` | `/tmp/maestro-hooks/<session-id>/` (Unix) or `<os.tmpdir()>/maestro-hooks/<session-id>/` (Windows) |
-| Lifecycle | Created in Phase 2, archived in Phase 4 | Directory created by the session-start hook when an active session exists; active-agent file written by the pre-delegation hook and cleared by the post-delegation hook; stale directories pruned by both session-start and pre-delegation hooks |
+| Location | `<MAESTRO_STATE_DIR>/state/` | `${MAESTRO_HOOKS_DIR:-<os.tmpdir()>/maestro-hooks-<uid>}/<session-id>/` |
+| Lifecycle | Created at execution setup, archived in Phase 4 | Directory created by the session-start hook when an active session exists; active-agent file written by the pre-delegation hook and cleared by the post-delegation hook; stale directories pruned by both session-start and pre-delegation hooks |
 | Contents | Session metadata, phase tracking, token usage, file manifests | Active agent tracking file (`active-agent`) |
 | Persistence | Survives session restarts (supports `/maestro:resume`) | Ephemeral — lost on session end or system reboot |
 | Managed by | Orchestrator via session-management skill | The runtime's pre-delegation and post-delegation hooks |
@@ -35,7 +35,7 @@ The orchestrator does not read or write hook-level state directly. It interacts
 ## Session Creation Protocol
 
 ### When to Create
-For Standard workflow, create a new session when beginning Phase 2 (Team Assembly & Planning) of orchestration, after the design document has been approved. For Express workflow, create a session after the structured brief is approved (see Express Workflow section in the orchestrator template).
+For Standard workflow, create a new session at execution setup after the design document and implementation plan are approved and the execution mode gate has resolved. For Express workflow, create a session after the structured brief is approved (see Express Workflow section in the orchestrator template).
 
 ### Session ID Format
 `YYYY-MM-DD-<topic-slug>`

package/claude/src/version.json

@@ -1,3 +1,3 @@
 {
-  "version": "1.6.4-rc.1"
+  "version": "1.6.4-rc.3"
 }