@keighleykodric/weeve 0.1.0 → 0.1.2

package/examples/core/README.md

@@ -0,0 +1,63 @@
+# core preset
+
+## Who this is for
+
+The `core` preset is the foundation stack for early-stage startups and cross-functional teams that need strategic alignment, design coherence, and execution readiness in a single workflow. It covers the full arc from market orientation through UX quality to launch decision — without the specialized depth of dedicated engineering or marketing lanes. If you're a founding team or a small general squad shipping a new product line, start here.
+
+## What you get
+
+- **compass-signals.md** — prioritized strategic moves ranked by signal strength and urgency
+- **compass-context.md** — market position snapshot: competitors, shifts, and white space
+- **layers-plus-map.md** — audience segmentation with needs, motivations, and decision drivers per layer
+- **ally-principles.md** — accessibility requirements and inclusive design constraints for the product
+- **rubric-scorecard.md** — UX quality score against defined heuristics, with flagged regressions
+- **pilot-brief.md** — go/no-go recommendation with rationale, risks, and suggested launch window
+
+## Install
+
+```bash
+npx weeve add core
+```
+
+Equivalent individual lanes:
+
+```bash
+npx weeve add compass layers-plus ally rubric pilot
+```
+
+## First run sequence
+
+Run these skills in order. Steps marked **(parallel)** can be run simultaneously once their prerequisites are complete.
+
+1. **compass** — Scans market signals, competitor moves, and internal context to produce a ranked list of strategic opportunities and risks.
+2. **layers-plus** — Maps your audience into motivational layers; depends on compass context to weight which segments matter most right now.
+3. **(parallel)* ally** — Audits your product surface for accessibility gaps and outputs binding design constraints.
+4. **(parallel)* rubric** — Scores current UX flows against quality heuristics; uses the layers-plus audience map to calibrate severity ratings.
+5. **pilot** — Synthesizes all upstream outputs into a launch readiness brief with a go/no-go recommendation.
+
+## What you'll have at the end
+
+| File | Description |
+|---|---|
+| `weeve/compass/compass-signals.md` | Ranked strategic signals with evidence and urgency scores |
+| `weeve/compass/compass-context.md` | Current market position and competitive landscape snapshot |
+| `weeve/layers-plus/layers-plus-map.md` | Audience layer map with needs and decision drivers |
+| `weeve/ally/ally-principles.md` | Accessibility constraints and inclusive design requirements |
+| `weeve/rubric/rubric-scorecard.md` | UX heuristic scorecard with flagged issues and severity |
+| `weeve/pilot/pilot-brief.md` | Launch readiness brief with go/no-go recommendation |
+
+## CODEOWNERS
+
+Copy to `.github/CODEOWNERS`:
+
+```
+weeve/compass/       @leadership
+weeve/layers-plus/   @product
+weeve/ally/          @design
+weeve/rubric/        @design
+weeve/pilot/         @leadership
+```
+
+## Time estimate
+
+First full run: **45–75 minutes** depending on how much existing context is available in your repo. Subsequent runs (incremental updates) typically take 15–25 minutes.

package/examples/core/demo/README.md

@@ -0,0 +1,38 @@
+# Prism — core preset demo
+
+A design token management SaaS. Use this demo to try the **core** preset (Compass, Layers+, Ally, Rubric, Pilot) without needing your own project.
+
+## What's included
+
+- `weeve.yaml` — project config with `docs_root: ./docs` (no vault needed)
+- `weeve/shared/weeve-project.md` — project description and current state
+- `weeve/shared/weeve-guardrails.md` — hard limits and technical constraints
+- `weeve/shared/weeve-intake.md` — raw observations ready for intake skills
+
+## Run it
+
+```bash
+# 1. Install the core preset
+weeve add core
+
+# 2. Start with Compass
+/compass-intro
+
+# 3. Run the design system audit
+/rubric-intro
+
+# 4. Check accessibility
+/ally-intro
+
+# 5. Evaluate the product surface
+/layers-plus-intro
+
+# 6. When lane outputs exist, synthesize
+/pilot-priorities
+```
+
+All outputs land in `./weeve/<lane>/`. Nothing writes outside this folder.
+
+## The project
+
+Prism is a B2B SaaS for design token management. Private beta, ~40 teams. The demo has real tension baked in: token naming drift, an unaudited accessibility surface, a design system the team knows is behind, and enterprise prospects asking for features that aren't on the roadmap. Lane runs should surface genuine findings worth acting on.

package/examples/core/demo/weeve/ally/ally-intake.md

@@ -0,0 +1,16 @@
+# ally-intake — Prism
+# Source: user report (Safari bug), screen reader user feedback, team observation
+
+_Feed to `/ally-intake`. Just what's been noticed — no systematic audit has been run._
+
+---
+
+- Focus indicators work in Chrome, disappear completely in Safari. Reported by a user, never formally filed as a bug.
+- No skip-nav link. A screen reader user reported getting stuck navigating the sidebar on every page load.
+- The Figma plugin has no keyboard navigation — entirely mouse-dependent. Plugin API constraints may limit what's fixable here.
+- Token editor: color swatches have no meaningful text alternative. The alt text is the hex value (#3B82F6), not a name.
+- Embedded iframe (token preview): unknown AT compatibility. Never tested with assistive technology.
+
+---
+
+_No WCAG audit has been run. Compliance status is unknown. These are observations, not a complete picture._

package/examples/core/demo/weeve/compass/compass-intake.md

@@ -0,0 +1,15 @@
+# compass-intake — Prism
+# Source: team conversations, sales notes, weeve/shared/competitive.md
+
+_Feed to `/compass-intake`. Raw strategic observations._
+
+---
+
+- Private beta, ~40 teams — all Series A–C product companies. No enterprise customers yet.
+- Two enterprise prospects walked away in Q2 citing missing SAML/SSO. Combined would have been ~$3,600/mo.
+- ICP is undefined. The team describes customers as "design teams at startups" but there's no documented definition.
+- Theo (open-source) is gaining traction with developers who want CLI-first control. Prism's advantage is the Figma plugin + web editor but this isn't clearly articulated in positioning.
+- Figma Variables is a platform risk. If Figma ships native CI sync, the core token editing value prop weakens.
+- The open-source CLI strategy creates tension: OSS builds developer trust but limits monetization surface.
+- One customer churned citing "too much manual work to keep tokens in sync" — unclear if this is a UX problem or an onboarding mismatch.
+- "Design system as a service" framing has never been tested or pitched explicitly.

package/examples/core/demo/weeve/layers-plus/figma-notes.md

@@ -0,0 +1,31 @@
+# Figma audit notes — Prism
+
+_Quick notes from a 1-hour design review, Feb 2026. Not a full audit — treat as directional._
+
+## What exists
+
+- Main component library: ~35 components, mostly complete
+- Color tokens: defined in Figma but not using Figma Variables (notable given our product)
+- Spacing: hardcoded values in most frames, not using tokens
+- Typography: 3 type styles defined; ~8 actually used across frames
+
+## Issues noticed
+
+- Button component has 3 variants in Figma, 4 in code — an engineer added a variant without updating the library
+- Form inputs: 2 separate components that look identical but have different internal padding
+- No dark mode variants anywhere
+
+## Missing entirely
+
+- Empty states: not in the library; multiple product surfaces need them
+- Error states: only 2 of 12 form field types have error variants
+- Loading/skeleton states: none documented
+
+## Marketing site
+
+- Uses a forked button and card component — diverged ~6 months ago
+- Not in this Figma file; separate file owned by marketing
+
+---
+
+_No accessibility annotations. No responsive layout specs. Tokens not linked to code output._

package/examples/core/demo/weeve/layers-plus/layers-plus-intake.md

@@ -0,0 +1,13 @@
+# layers-plus-intake — Prism
+# Source: weeve/layers-plus/figma-notes.md, analytics (step 3 drop-off), team observations
+
+_Feed to `/layers-plus-intake`. Rough — not organized by layer yet._
+
+---
+
+- The web app and marketing site use different button components. Fork happened ~6 months ago, never merged back.
+- Token editor mental model: are tokens "variables" (key/value pairs) or "design decisions"? The UI treats them as variables, but power users think in decisions. Nobody has decided which framing the product should own.
+- Onboarding step 3 ("Connect your repo") has a 34% drop-off according to analytics. No investigation done.
+- No empty states designed for the token editor when a new token set is created.
+- Mobile view of the web app is broken below 768px. Not officially supported but not communicated to users either.
+- The Figma plugin and the web editor have diverged slightly — a color picker interaction works differently in each. Users who switch between them notice.

package/examples/core/demo/weeve/rubric/component-inventory.md

@@ -0,0 +1,42 @@
+# Component inventory — Prism
+
+_Partial audit. Web app only — marketing site not included._
+_Last updated: March 2026_
+
+## Core components (in use, documented)
+
+| Component | Storybook | Figma | Notes |
+|---|---|---|---|
+| Button | ✅ | ✅ | 3 variants in Figma, 4 in code. |
+| Input | ✅ | ✅ | Text, email, password. No date input. |
+| Select | ✅ | ✅ | Single-select only. |
+| Checkbox | ✅ | ✅ | |
+| Radio | ✅ | ✅ | |
+| Modal | ✅ | ⚠️ | Figma link broken. |
+| Toast | ✅ | ✅ | Success/error only. No warning variant. |
+| Tooltip | ✅ | ✅ | |
+| Badge | ✅ | ✅ | |
+| Avatar | ✅ | ✅ | |
+| Card | ✅ | ⚠️ | Engineer added a footer variant; Figma not updated. |
+| Table | ✅ | ❌ | No Figma. Built directly in code. Used in 4 places. |
+| Tabs | ✅ | ✅ | |
+| Sidebar nav | ✅ | ⚠️ | Web app version differs from marketing site. |
+| Token editor | ✅ | ❌ | Core product surface. No Figma component. |
+| Color swatch | ✅ | ❌ | No Figma. |
+
+## Draft / unclear status
+
+| Component | Status | Notes |
+|---|---|---|
+| DataGrid | Draft | Started for an enterprise feature, paused. |
+| DatePicker | Draft | Needed for audit log feature, not shipped. |
+| CommandPalette | Draft | Prototype only — never shipped. |
+| Combobox | Draft | May replace Select — decision unmade. |
+| Pagination | In use | One location. Not in Storybook. |
+| EmptyState | ❌ Missing | Multiple surfaces need it. Not built. |
+| Skeleton | ❌ Missing | No loading states exist anywhere. |
+
+---
+
+_Marketing site uses forked versions of Button, Card, and SidebarNav. Not reflected here._
+_6 components are confirmed as copy-pasted variants: Button (×3 — secondary and danger), Input (×1 — dark theme), Card (×1 — bordered)._

package/examples/core/demo/weeve/rubric/rubric-intake.md

@@ -0,0 +1,14 @@
+# rubric-intake — Prism
+# Source: weeve/rubric/component-inventory.md, Storybook, code review, Notion docs
+
+_Feed to `/rubric-intake`._
+
+---
+
+- ~35 components in the library. ~28 are clean with documented usage. 7 are in unclear state (draft, deprecated, or in-progress — nobody is sure).
+- The web app and marketing site share the same Storybook in theory, but the marketing site button was forked 6 months ago and is not in Storybook.
+- Token naming: color tokens use kebab-case in CSS (`color-brand-primary`), camelCase in Swift output (`brandPrimary`). No consistency rule is documented.
+- Design system docs live in Notion. Last meaningful update was pre-launch. Several component pages have broken Figma links.
+- No contribution process documented. Engineers add components directly to the shared library without design review.
+- One breaking change in Q1 broke the marketing site because there's no version pinning — consumers update automatically.
+- The token editor (core product surface) has no Figma component and no Storybook entry.

package/examples/core/demo/weeve/shared/competitive.md

@@ -0,0 +1,28 @@
+# Competitive landscape — Prism
+
+_Informal notes. Not a formal analysis — from team memory and occasional Twitter/LinkedIn._
+
+## Direct competitors
+
+**Theo** (open-source)
+- Growing fast with the developer audience. Free, CLI-first, no web UI.
+- Our overlap: teams who want open-source control over token output.
+- Our edge: Figma integration, web editor, CI sync out of the box.
+
+**Style Dictionary** (open-source, Amazon)
+- Older, widely adopted. No web UI, no Figma plugin.
+- Many Prism users migrated from Style Dictionary — this is our main acquisition story.
+
+## Adjacent / partial overlap
+
+- **Supernova** — design system documentation + tokens, more expensive, more opinionated
+- **Zeroheight** — documentation only, no token management
+- **Token Studio** (Figma plugin) — free, competes in the Figma plugin space specifically
+
+## Platform risk (not tracked formally)
+
+- **Figma Variables** — if Figma ships native CI sync, our core token editing value prop weakens significantly. No public timeline known.
+
+---
+
+_No win/loss tracking. No formal competitor research. These notes reflect what the team knows informally._

package/examples/core/demo/weeve/shared/roadmap.md

@@ -0,0 +1,26 @@
+# Roadmap — Prism
+
+_Last updated: roughly Q2. Ask Jamie for the up-to-date Notion link._
+
+## Now (shipping this quarter)
+
+- Multi-token-set support — dev/staging/prod environments
+- Webhook reliability improvements — dropping ~2% of events under load
+- Token search and filter in the editor
+
+## Next (planned, not sized)
+
+- Import from Style Dictionary — promised for 2 sprints, keeps slipping
+- SAML/SSO — enterprise inbound has asked for this 3 quarters in a row
+- Figma Variables sync — blocked on Figma API availability
+
+## Later / backlog
+
+- Native mobile SDKs (iOS/Android)
+- Team permissions and audit log
+- Self-hosted option
+- Custom output format templates (OSS users have asked — not planned)
+
+---
+
+_For sprint-level tracking, see Jira board PRISM. This doc is a rough planning artifact, not a commitment._

package/examples/core/demo/weeve/shared/weeve-guardrails.md

@@ -0,0 +1,28 @@
+# weeve-guardrails.md — Prism
+
+## Hard limits
+- React + TypeScript only — no framework migration in scope
+- Figma plugin API constraints: no background sync, must be user-initiated
+- CLI must stay open-source (MIT) — cannot bundle proprietary logic there
+- No native mobile apps in the current roadmap
+
+## Technical constraints
+- Figma plugin runs in a sandboxed iframe — no direct network access from plugin
+- Token output formats are fixed (CSS vars, Swift, Kotlin, JSON) — no custom template engine yet
+- CI sync uses webhooks over HTTPS; no self-hosted option currently
+- Auth is Clerk (social + email magic link); no SSO/SAML yet
+
+## Budget / resourcing
+- 1 PM, 2 designers, 4 frontend engineers — no dedicated backend, QA, or accessibility role
+- No design system team budget; it's owned by the two designers as a side concern
+
+## Non-negotiables
+- Token names must be human-readable (no machine-generated hashes)
+- Zero-downtime deploys — the sync pipeline cannot interrupt active CI runs
+- Figma plugin must work on the free Figma plan (no Enterprise API features)
+
+## Current pain points (captured from team retros)
+- Token naming drift: ~40% of tokens have inconsistent naming across platforms
+- Rubric/design system docs in Notion are stale — nobody updates them after ship
+- No automated accessibility checks in CI — manual only, rarely run
+- Ally (accessibility) has never been formally audited; assumed compliant, not verified

package/examples/core/demo/weeve/shared/weeve-intake.md

@@ -0,0 +1,18 @@
+# weeve-intake.md — Prism observations
+
+Raw observations from the team before lane runs. Feed these to `/compass-intake`, `/rubric-intake`, or `/ally-intake`.
+
+---
+
+## Captured observations
+
+- Token naming is inconsistent: color tokens use `color-brand-primary` in CSS but `brandPrimary` in Swift output — downstream consumers have to maintain translation maps
+- The Figma plugin has a 3-second lag on large token sets (500+ tokens); users are complaining
+- 2 of 35 components have no documented usage guidelines; 8 have outdated Figma links
+- Focus indicators are visible in Chrome but disappear in Safari — hasn't been filed as a bug
+- No skip-nav link on the web app; screen reader users have reported getting stuck in the sidebar nav
+- The marketing site uses a different button component than the web app — fork happened 6 months ago, nobody merged it back
+- Enterprise prospects keep asking for SAML/SSO; we've said "roadmap" for 3 quarters
+- Competitor Theo (open-source) is gaining traction with the developer audience we're targeting
+- The "import from Style Dictionary" feature has been promised for 2 sprints and keeps slipping
+- One customer churned last month citing "too much manual work to keep tokens in sync"

package/examples/core/demo/weeve/shared/weeve-project.md

@@ -0,0 +1,33 @@
+# Prism — project brief
+
+**What it is:** Prism is a design token management SaaS. Teams connect their Figma libraries, define token sets, and Prism generates platform-specific output (CSS variables, Swift, Kotlin, JSON) that syncs to their repos via CI.
+
+**Stage:** Private beta. ~40 design teams using it, mostly Series A–C product companies. No enterprise contracts yet.
+
+**Core product surface:**
+- Token editor (web app, React)
+- Figma plugin (reads/writes token values)
+- CLI (syncs tokens to repos)
+- Webhook integration (triggers CI on token changes)
+
+**Current state of the design system:**
+- ~200 design tokens defined; 60% have consistent naming, 40% are legacy/inconsistent
+- One shared component library (~35 components), used by the web app and marketing site
+- No formal accessibility audit has been run
+- Design system docs live in Notion, mostly out of date
+
+**Team:**
+- 2 product designers (one is the de facto design system owner)
+- 4 frontend engineers
+- 1 PM
+- No dedicated accessibility or QA role
+
+**Key decisions already made:**
+- Staying React + TypeScript; no plans to migrate
+- Figma as the single source of truth for design
+- Open-source CLI; proprietary web app
+
+**Open questions the team is wrestling with:**
+- Should we target enterprise (SSO, audit logs, custom domains) or stay SMB/startup-focused?
+- The token naming inconsistency is slowing down adopters — fix now or ship more features?
+- Accessibility hasn't been scoped — is it a blocker for enterprise?

package/examples/core/demo/weeve.yaml

@@ -0,0 +1,15 @@
+# weeve.yaml — core preset demo project
+schema_version: "0.4"
+
+project:
+  name: Prism
+  tag: PRM
+  docs_root: ./weeve      # outputs land here — no vault or Claudette needed
+
+roads:
+  - name: startup
+    path: roads/startup
+
+# Lanes in this preset: compass, layers-plus, ally, rubric, pilot
+# Demo project: Prism — design token management SaaS
+# Run /compass-intro to get started

package/examples/core/weeve.yaml

@@ -0,0 +1,14 @@
+# weeve.yaml — core preset
+# Generated by: weeve init core
+schema_version: "0.4"
+
+project:
+  name: My Project             # Replace with your project name
+  tag: MYP                     # Short ID — matches vault Projects/<tag>/ folder
+  # docs_root: ./weeve          # Uncomment to use a local path instead of vault
+
+roads:
+  - name: startup
+    path: roads/startup
+
+# Lanes in this preset: compass, layers-plus, ally, rubric, pilot

package/examples/engineering/CODEOWNERS.template

@@ -0,0 +1,9 @@
+# Weeve lane ownership
+# Copy to .github/CODEOWNERS and replace team handles with your org's teams
+# Requires GitHub branch protection with "Require review from Code Owners" enabled
+
+weeve/forge/         @engineering
+weeve/helm/          @engineering
+weeve/verify/        @engineering
+weeve/guard/         @security
+weeve/pilot/         @leadership

package/examples/engineering/README.md

@@ -0,0 +1,61 @@
+# engineering preset
+
+## Who this is for
+
+The `engineering` preset is built for software engineering teams that need structured visibility into code health, infrastructure risk, and release readiness. It covers the build pipeline, deployment configuration, test coverage, and security posture — giving engineering leads and platform teams a repeatable framework for assessing whether a codebase is ready to ship safely. Use this preset when your primary concern is technical quality and operational risk, not market positioning.
+
+## What you get
+
+- **forge-report.md** — build pipeline analysis: bottlenecks, flaky tests, and coverage gaps
+- **helm-manifest.md** — infrastructure and deployment configuration review with drift detection
+- **verify-results.md** — test suite health report with coverage map and identified blind spots
+- **guard-findings.md** — security scan results: CVEs, secret exposure risks, and dependency vulnerabilities
+- **pilot-brief.md** — release readiness assessment with go/no-go recommendation and risk register
+
+## Install
+
+```bash
+npx weeve add engineering
+```
+
+Equivalent individual lanes:
+
+```bash
+npx weeve add forge helm verify guard pilot
+```
+
+## First run sequence
+
+Run these skills in order. Steps marked **(parallel)** can be run simultaneously once their prerequisites are complete.
+
+1. **forge** — Analyzes the build pipeline, CI configuration, and artifact hygiene to surface bottlenecks and failure patterns.
+2. **(parallel)* helm** — Reviews deployment manifests, infrastructure-as-code, and environment configuration for drift and misconfiguration.
+3. **(parallel)* verify** — Maps test coverage across the codebase, identifies untested critical paths, and scores suite health.
+4. **(parallel)* guard** — Scans dependencies, secrets configuration, and access controls for security vulnerabilities and exposure risks.
+5. **pilot** — Aggregates forge, helm, verify, and guard outputs into a release readiness brief with a prioritized risk register.
+
+## What you'll have at the end
+
+| File | Description |
+|---|---|
+| `weeve/forge/forge-report.md` | Build pipeline analysis with bottlenecks and flaky test patterns |
+| `weeve/helm/helm-manifest.md` | Infrastructure configuration review with drift and misconfiguration findings |
+| `weeve/verify/verify-results.md` | Test coverage map with blind spots and suite health score |
+| `weeve/guard/guard-findings.md` | Security findings: CVEs, dependency risks, and secrets exposure |
+| `weeve/pilot/pilot-brief.md` | Release readiness brief with go/no-go recommendation and risk register |
+
+## CODEOWNERS
+
+Copy to `.github/CODEOWNERS`:
+
+```
+weeve/forge/         @engineering
+weeve/helm/          @engineering
+weeve/verify/        @engineering
+weeve/guard/         @security
+weeve/pilot/         @leadership
+```
+
+## Time estimate
+
+First full run: **30–50 minutes** for a mid-sized codebase (100–500 files). The forge and verify lanes are the most time-intensive on large repos with complex CI configurations. Subsequent runs run faster as baseline artifacts are cached.

package/examples/engineering/demo/README.md

@@ -0,0 +1,20 @@
+# Volta — engineering preset demo
+
+An internal developer platform at a 120-person SaaS company. Use this demo to try the **engineering** preset (Forge, Helm, Verify, Guard, Pilot).
+
+## Run it
+
+```bash
+weeve add engineering
+/forge-intro      # code health, architecture, CI/CD
+/helm-intro       # deployment ops, SLOs, rollback
+/verify-intro     # test strategy, regression, release readiness
+/guard-intro      # security posture, secrets, dependency audit
+/pilot-priorities # synthesize all lanes
+```
+
+Outputs land in `./weeve/<lane>/`.
+
+## The project
+
+Volta is a real-feeling internal platform with genuine technical debt: 9% test coverage on the most critical module, 3 P1s in 60 days, a secrets module that hasn't been audited in over a year, and a single engineer who owns 70% of the codebase. Lane runs will surface actionable findings in every zone.

package/examples/engineering/demo/weeve/forge/architecture.md

@@ -0,0 +1,39 @@
+# Architecture notes — Volta
+
+_Not a formal document. Assembled from code, Slack, and memory. Treat as approximate._
+
+## Module structure
+
+```
+volta/
+  api/            REST API (Go). Auth, routing, project management.
+  provisioner/    Env provisioning. Wraps Terraform. Longest module in the codebase.
+  deployer/       Deployment pipeline. Wraps GitHub Actions. Highest traffic (~200 deploys/day).
+  secrets/        Secrets management. Vault integration. Original Priya code.
+  scheduler/      On-call rotation. Thin wrapper on PagerDuty.
+  config-watcher/ Watches for config drift between environments. Patched 3 times.
+  legacy/env-v1/  Old provisioning code. Kept "in case we need to roll back."
+  web/            React frontend. Self-service portal.
+  pkg/datastore/  Shared data layer. Used by both provisioner/ and deployer/.
+```
+
+## Known coupling
+
+- `provisioner/` and `deployer/` both import `pkg/datastore` — was supposed to be temporary, never resolved
+- `config-watcher/` reads directly from Terraform state files — breaks on Terraform version changes
+
+## What's undocumented
+
+- How `deployer/` talks to GitHub Actions internally (no API contract)
+- The secrets module data model (only Alex knows this)
+- Why `legacy/env-v1/` hasn't been deleted
+
+## What's missing
+
+- No formal module dependency diagram
+- No documented data flow between services
+- No API contract docs for internal calls
+
+---
+
+_Tom designed this. Most of what's here is reconstructed from git history and asking Alex._

package/examples/engineering/demo/weeve/forge/ci-metrics.md

@@ -0,0 +1,47 @@
+# CI metrics — Volta
+
+_Pulled from GitHub Actions dashboard, Q2 2026._
+
+## Build performance
+
+| Metric | Value | Target | Status |
+|---|---|---|---|
+| Avg build time | 18 min | 10 min | ❌ |
+| p95 build time | 31 min | 15 min | ❌ |
+| Flake rate | ~7% | <2% | ❌ |
+| Cache hit rate | 0% | >70% | ❌ (cache not configured) |
+
+## Test coverage by module
+
+| Module | Coverage | Notes |
+|---|---|---|
+| api/ | 71% | Stable |
+| provisioner/ | 58% | Declining — 3 features added without tests in Q2 |
+| deployer/ | 9% | **Critical gap.** ~200 deploys/day through here. |
+| secrets/ | 34% | Low. Only Alex understands this module. |
+| scheduler/ | 61% | OK |
+| config-watcher/ | 22% | Low. Source of 2 of the last 3 P1 incidents. |
+| web/ | 41% | Frontend — lower priority |
+
+**Overall: ~42%**
+
+## Deploy volume
+
+- ~200 deploys/day across 80 engineers
+- No staged rollouts or canary deploys
+- No automated rollback trigger — rollback is always manual
+- Avg rollback time: ~8 min (SLO target: 5 min)
+
+## Known skipped tests
+
+```
+deployer/deploy_test.go:47     t.Skip("flaky, investigate - Jan 15")
+deployer/concurrent_test.go:23 t.Skip("race condition, needs fixing")
+```
+
+Both have been skipped for 3+ months. Neither has been investigated.
+
+## Recent CI incidents
+
+- March 2026: Build cache filled runner disk — all builds failed for 2 hours
+- April 2026: Flaky test caused false-positive failure — 3 engineers spent 4 hours on it before realizing

package/examples/engineering/demo/weeve/forge/forge-intake.md

@@ -0,0 +1,41 @@
+# forge-intake — Volta
+# Source: weeve/forge/architecture.md, weeve/forge/ci-metrics.md, git log, code review
+
+_Feed to `/forge-intake`. Organized by Forge zone._
+
+---
+
+## Architecture
+
+- Three-year-old codebase. No ADRs exist. Architecture decisions live in Slack threads or nowhere.
+- `provisioner/` and `deployer/` share a data layer (`pkg/datastore`) that was meant to be temporary in 2023. It's still shared.
+- `config-watcher/` reads directly from the Terraform state file — brittle, breaks when Terraform version changes.
+- Dead code in `legacy/env-v1/` — kept "in case we need to roll back" for 18 months.
+- Two original authors (Tom, Priya) built most of the core. Neither wrote architecture docs before leaving.
+
+## Code health
+
+- Overall test coverage: ~42%. Deployment pipeline module (`deployer/`): 9%.
+- `deployer/` processes ~200 deploys/day and has the lowest test coverage of any module.
+- CI runtime: 18 min average, 31 min p95. Engineers routinely skip CI on "small" PRs — no enforcement.
+- The `volta env create` CLI has 3 undocumented flags learned via Slack. Not in any docs or help output.
+- High cyclomatic complexity in `deploy.go` — flagged in a PR review 4 months ago, never addressed.
+
+## CI/CD
+
+- CI flake rate: ~7% (tracked informally). Two known flaky tests skipped with `t.Skip()`.
+- No build cache configured. Every run installs all Go dependencies from scratch.
+- ~200 deploys/day. No deploy freeze windows, no staged rollouts, no automated rollback triggers.
+- Feature flags: not implemented. All deploys are full rollouts to all 80 engineers.
+
+## Docs
+
+- No ADRs. No runbook for the deployment pipeline module.
+- README is 18 months old — setup instructions reference a tool that was replaced.
+- `--help` output for `volta env create` doesn't show 3 flags that exist in code.
+
+## Known tech debt
+
+- Secrets module: built by Priya, never documented, never audited. Only Alex understands it now.
+- Go modules: 3 packages not version-pinned. CVE audit not run this quarter.
+- `config-watcher`: patched 3 times for config drift, root cause never fixed.

package/examples/engineering/demo/weeve/guard/guard-intake.md

@@ -0,0 +1,17 @@
+# guard-intake — Volta
+# Source: team memory, code review, no formal audit has been run
+
+_Feed to `/guard-intake`. Very thin — security hasn't been a focus._
+
+---
+
+- Secrets module: built by Priya ~2.5 years ago. No security review since. Priya has left the company.
+- Go dependencies: 3 packages are not version-pinned. CVE audit not run this quarter.
+- The `volta env create` CLI accepts credentials via environment variables — unclear if they appear in process logs or CI output.
+- No secrets rotation policy documented anywhere.
+- Internal API calls between services use shared API keys, not per-service credentials.
+- Auth: Clerk for user authentication. Configuration has never been reviewed.
+
+---
+
+_No penetration test has been run. No formal threat model exists. Compliance: unknown._