@kennethsolomon/shipkit 3.17.0 → 3.18.0

package/README.md

@@ -21,28 +21,15 @@ npm install -g @kennethsolomon/shipkit && shipkit
 
 ---
 
-## What's New (v3.16.0 — March 2026)
-
-**Formal Agent Definitions, Path-Scoped Rules, and 2 new skills:**
-
-- **`.claude/agents/`** — 6 formal agent definitions (backend-dev, frontend-dev, qa-engineer, security-reviewer, code-reviewer, debugger) with `memory: project`, `isolation: worktree`, and `background: true` where appropriate. `/sk:setup-claude` deploys these to every new project.
-- **`.claude/rules/`** — 6 path-scoped rule files that auto-activate in Claude Code when you edit matching files: `laravel.md`, `react.md`, `vue.md`, `tests.md`, `api.md`, `migrations.md`. Stack-relevant rules are deployed by `/sk:setup-claude` automatically.
-- **`/sk:ci`** — Set up GitHub Actions or GitLab CI with Claude Code workflows: auto PR review, issue triage, nightly security audit, release automation. Supports enterprise setups (AWS Bedrock OIDC, Google Vertex AI Workload Identity).
-- **`/sk:plugin`** — Package your project-level customizations (skills, agents, hooks) into a distributable Claude Code plugin with a `.claude-plugin/plugin.json` manifest.
-- **Skill frontmatter upgrades** — model routing (`haiku` for lightweight skills, `sonnet` for analysis), `disable-model-invocation: true` on side-effect skills (commit, release, branch), `context: fork` on expensive standalone skills (seo-audit, accessibility, reverse-doc).
-- **Bug fix** — `allowed_tools` → `allowed-tools` (underscore typo silently ignored by Claude Code) fixed in 7 skills + all agent templates.
-
----
-
 ## What is ShipKit?
 
-ShipKit turns Claude Code into a disciplined development partner. Instead of "write some code," every feature goes through:
+ShipKit turns Claude Code into a disciplined development partner. Instead of "write some code and hope," every task follows a structured path:
 
-**Plan** → **Build (TDD)** → **Quality Gates** → **Ship**
+**Plan → Build (TDD) → Quality Gates → Ship**
 
 Each gate must pass before the next step. Lint fails? Fix it. Tests don't cover new code? Write them. Security issues? They block the PR. Quality is structural, not optional.
 
-ShipKit auto-detects your stack — linters, test runners, frameworks, package managers. No configuration needed.
+ShipKit auto-detects your stack — linters, test runners, frameworks, ORMs. No configuration needed.
 
 ---
 
@@ -52,536 +39,433 @@ ShipKit auto-detects your stack — linters, test runners, frameworks, package m
 # 1. Install
 npm install -g @kennethsolomon/shipkit && shipkit
 
-# 2. Bootstrap your project (run once)
+# 2. Bootstrap your project (run once per project)
 /sk:setup-claude
 
-# 3. Start building
-/sk:start
+# 3. Start any task
+/sk:start add user authentication
 ```
 
-That's it. `/sk:setup-claude` creates your project scaffolding: planning files, lifecycle hooks, path-scoped coding rules, and a persistent statusline — all auto-configured for your stack.
+`/sk:setup-claude` creates everything your project needs: planning files, lifecycle hooks, 13 agent definitions, path-scoped rules, LSP config, and MCP servers.
 
-`/sk:start` is the recommended entry point — it classifies your task and routes you to the optimal flow automatically. You can also jump directly to `/sk:brainstorm`, `/sk:debug`, or any other flow entry point.
-
-### Updating ShipKit
+`/sk:start` is your single entry point — tell it what you want to do in plain English and it classifies the task, picks the right flow, and routes you automatically.
 
+To update ShipKit later:
 ```bash
-# Update the package
-npm install -g @kennethsolomon/shipkit && shipkit
-
-# Then in each project, update CLAUDE.md + deploy new hooks:
-/sk:setup-optimizer
+npm install -g @kennethsolomon/shipkit && shipkit  # update globally
+/sk:setup-optimizer                                 # update each project
 ```
 
-`shipkit` re-installs all skills and commands globally. `/sk:setup-optimizer` updates each project's CLAUDE.md with new commands and deploys any missing hooks.
-
 ---
 
-## Lifecycle Hooks
-
-`/sk:setup-claude` installs lifecycle hooks that automate common tasks. Core hooks are always installed; enhanced hooks are opt-in.
-
-**Core hooks (always installed):**
-| Hook | Event | What it does |
-|------|-------|-------------|
-| `session-start` | SessionStart | Loads branch, recent commits, tech debt, code health |
-| `session-stop` | Stop | Logs session accomplishments to `tasks/progress.md` |
-| `pre-compact` | PreCompact | Saves git state before context compression |
-| `validate-commit` | PreToolUse (git commit) | Validates conventional commit format, detects secrets |
-| `validate-push` | PreToolUse (git push) | Warns before pushing to protected branches |
-| `log-agent` | SubagentStart | Logs sub-agent invocations to `tasks/agent-audit.log` |
-
-**Enhanced hooks (opt-in via `/sk:setup-claude` or `/sk:setup-optimizer`):**
-| Hook | Event | What it does |
-|------|-------|-------------|
-| `config-protection` | PreToolUse (Edit/Write) | Blocks modifications to linter/formatter configs |
-| `post-edit-format` | PostToolUse (Edit) | Auto-formats with Biome/Prettier/Pint/gofmt after edits |
-| `console-log-warning` | Stop | Warns about `console.log`, `dd()`, `var_dump()` in modified files |
-| `suggest-compact` | PreToolUse (Edit/Write) | Suggests `/compact` after 50+ tool calls |
-| `cost-tracker` | Stop | Logs session metadata to `.claude/sessions/cost-log.jsonl` |
-| `safety-guard` | PreToolUse (Bash/Edit/Write) | Enforces `/sk:safety-guard` freeze/careful mode |
+## Which scenario are you in?
+
+| I want to... | Start here | Flow |
+|---|---|---|
+| **Not sure — just describe my task** | `/sk:start <description>` | Auto-classified |
+| **Build a new feature** | `/sk:start add <feature>` | Feature (8 phases + scope check, learn, retro) |
+| **Build a full-stack feature (backend + frontend + mobile)** | `/sk:start --team add <feature>` | Feature with parallel agents |
+| **Make a small change** (config, copy, dependency bump) | `/sk:start bump lodash` | Fast-track (5 steps) |
+| **Fix a bug** | `/sk:start fix <description>` | Debug (7 steps) |
+| **Fix a production emergency** | `/sk:start hotfix <description>` | Hotfix (6 steps) |
+| **Requirement changed mid-way** | `/sk:change` | Re-enter at the right step |
+| **Understand an unfamiliar codebase** | `/sk:reverse-doc architecture src/` | Generate architecture docs |
+| **Set up CI/CD** | `/sk:ci` | GitHub Actions or GitLab CI |
+| **Clean up messy code** | Use `refactor-specialist` agent | Behavior-preserving refactor |
+| **Generate missing docs** | Use `tech-writer` agent | README, API, architecture docs |
 
 ---
 
-## Formal Agent Definitions
-
-`/sk:setup-claude` deploys 13 agent definitions to `.claude/agents/` — specialized sub-agents with `memory`, `model`, `tools`, and `isolation` pre-configured. Invoke any agent by mentioning its name in Claude Code.
+## Scenario Tutorials
 
-**Implementation agents** — build things:
+### Scenario A — Building a New Feature
 
-| Agent | Memory | Isolation | When to use |
-|-------|--------|-----------|------------|
-| `backend-dev` | project | worktree | Parallel backend work in `/sk:team` — API, services, models |
-| `frontend-dev` | project | worktree | Parallel frontend work in `/sk:team` — components, pages, state |
-| `mobile-dev` | project | worktree | React Native / Expo / Flutter — mobile-specific patterns and store prep |
+You want to add user authentication to your app.
 
-**Quality agents** — find and fix problems:
+```
+/sk:start add email/password authentication with JWT
+```
 
-| Agent | Memory | Isolation | When to use |
-|-------|--------|-----------|------------|
-| `qa-engineer` | project | background | Write E2E scenarios while other agents implement |
-| `code-reviewer` | project | — | 7-dimension review after implementation (read-only) |
-| `security-reviewer` | user | — | OWASP audit before shipping sensitive changes (read-only) |
-| `performance-optimizer` | project | worktree | When `/sk:perf` finds Critical/High issues — finds AND fixes them |
+ShipKit classifies this as a **full-stack feature** and confirms:
 
-**Design agents** — plan before building:
+```
+Detected: Full-stack feature
+Flow:   feature (8 steps)
+Mode:   autopilot
+Agents: team (backend + frontend + QA)
 
-| Agent | Memory | Isolation | When to use |
-|-------|--------|-----------|------------|
-| `architect` | project | — | Before `/sk:write-plan` on complex tasks — proposes options with trade-offs |
-| `database-architect` | project | — | Before `/sk:schema-migrate` — migration safety analysis and index recommendations |
+Proceed? (y)
+```
 
-**Operations agents** — infrastructure and maintenance:
+Type `y`. Here's what happens automatically:
 
-| Agent | Memory | Isolation | When to use |
-|-------|--------|-----------|------------|
-| `devops-engineer` | project | worktree | CI/CD pipelines, Docker, deployment config — use with `/sk:ci` |
-| `debugger` | project | — | Structured root-cause analysis — use with `/sk:debug` |
-| `refactor-specialist` | project | worktree | Behavior-preserving cleanups — tests must pass before AND after |
-| `tech-writer` | project | — | README, API docs, architecture docs from existing code |
+**Step 1 — Brainstorm** (`/sk:brainstorming`)
+Reads your `tasks/findings.md` and `tasks/lessons.md`. Asks clarifying questions one at a time: session vs token auth? remember me? email verification? Writes decisions to `tasks/findings.md`.
 
-`memory: project` — agent accumulates knowledge across sessions for that project. `isolation: worktree` — works in a separate git worktree, safe for risky changes. `background: true` — runs without blocking your conversation.
+For complex architecture decisions, the `architect` agent kicks in before you write a plan:
+> Reads your codebase → proposes 2-3 approaches with trade-offs → outputs: "Use Laravel Sanctum (already in composer.json) — not Passport"
 
----
+**Step 2 — Design**
+- `architect` agent produces API contracts: `POST /auth/login`, `POST /auth/register`, etc.
+- `/sk:frontend-design` produces login/register page mockups.
+- `database-architect` agent reviews the proposed schema: flags missing index on `users.email`, recommends nullable `email_verified_at`.
 
-## Path-Scoped Rules
+**Step 3 — Plan** (`/sk:write-plan`)
+Writes `tasks/todo.md` with every checkbox: migrations, models, controllers, frontend pages, tests.
 
-`/sk:setup-claude` installs coding rule files in `.claude/rules/` that Claude Code auto-activates when you open or edit matching files — no manual context loading needed.
+**Step 4 — Branch**
+```
+git checkout -b feature/add-authentication
+```
 
-| Rule file | Activates when editing | What it enforces |
-|-----------|----------------------|-----------------|
-| `laravel.md` | `app/**/*.php`, `routes/**`, `config/**` | Laravel conventions, service containers, Eloquent patterns |
-| `react.md` | `**/*.tsx`, `**/*.jsx`, `src/**/*.ts` | Hooks rules, component patterns, TypeScript strictness |
-| `vue.md` | `**/*.vue`, `resources/js/**/*.ts` | Composition API only, `<script setup>`, Pinia patterns |
-| `tests.md` | `tests/**`, `**/*.test.*`, `**/*.spec.*` | TDD standards, assertion quality, test isolation |
-| `api.md` | `routes/api.php`, `app/Http/Controllers/**` | RESTful conventions, auth patterns, error response shapes |
-| `migrations.md` | `database/migrations/**`, `prisma/**` | Migration safety rules, reversibility, index naming |
+**Step 5 — Implement** (`/sk:team`)
+Three agents fire simultaneously:
 
-Stack-relevant rules are detected and deployed automatically during `/sk:setup-claude` and `/sk:setup-optimizer`.
+```
+backend-dev  (worktree)   → writes AuthTest.php → implements migration, User model, AuthController
+frontend-dev (worktree)   → writes LoginPage.test.ts → implements LoginPage, useAuth composable
+qa-engineer  (background) → writes 14 Playwright E2E scenarios while others implement
+```
 
----
+Backend and frontend work in isolated worktrees — zero conflicts. Results merge when both complete.
 
-## Pick Your Flow
+**Step 5.5 — Scope Check** (`/sk:scope-check`)
+Compares everything that was implemented against `tasks/todo.md`. Flags anything that crept in beyond the plan — extra features, unrequested refactors, new files not in scope. Trims or defers the excess before committing.
 
-| I want to... | Run this | What happens |
-|--------------|----------|-------------|
-| **Not sure — let ShipKit decide** | `/sk:start` | Classifies your task, routes to optimal flow/mode/agents |
-| **Build a new feature** | `/sk:brainstorm` | Full workflow: plan → TDD → quality gates → PR |
-| **Build hands-free** | `/sk:autopilot` | All 8 steps, auto-skip, auto-advance, auto-commit |
-| **Full-stack feature (parallel)** | `/sk:team` | Parallel domain agents (backend + frontend + QA) |
-| **Make a small change** | `/sk:fast-track` | Skip planning, keep all quality gates |
-| **Fix a bug** | `/sk:debug` | Investigate → regression test → fix → gates → PR |
-| **Fix a production emergency** | `/sk:hotfix` | Skip TDD, but quality gates still enforced |
-| **Handle a requirement change** | `/sk:change` | Assess scope, re-enter workflow at the right step |
+**Step 6 — Commit** (`/sk:smart-commit`)
+Presents the diff. You approve. Commits.
 
----
+**Step 7 — Gates** (`/sk:gates`)
+Four batches run:
 
-## Workflows
+```
+Batch 1 (parallel):
+  security-reviewer  → OWASP audit → flags: no rate limit on POST /login
+  performance-optimizer → scans for N+1 → clean
+  linter             → pint auto-fixes formatting
 
-### Feature Flow — full planning + TDD + all gates
+Batch 2:
+  test runner        → 97% coverage → adds missing test → 100%
 
-> Start with: `/sk:brainstorm`
+Batch 3:
+  code-reviewer      → 7-dimension review → flags: logout doesn't revoke all tokens
 
-| Step | Command | What it does | Phase |
-|------|---------|-------------|-------|
-| 1 | `/sk:brainstorm` | Explore requirements, propose approaches | Think |
-| 2 | `/sk:frontend-design` or `/sk:api-design` | *Optional* — UI mockup or API contracts (includes accessibility) | Think |
-| 3 | `/sk:write-plan` | Write decision-complete plan | Think |
-| 4 | `/sk:branch` | Create feature branch | Build |
-| 5 | `/sk:write-tests` + `/sk:execute-plan` | TDD: write failing tests, then implement | Build |
-| 6 | `/sk:smart-commit` | Conventional commit | Build |
-| 7 | `/sk:gates` | All 6 quality gates (parallel batches) | Verify |
-| 8 | `/sk:finish-feature` | Update task, changelog, PR, feature sync, release | Ship |
+Batch 4:
+  E2E tester         → runs 14 Playwright scenarios → 14/14 pass
+```
 
----
+Each failure auto-fixes and re-runs. One squash commit per gate pass.
 
-### Fast-Track Flow — skip planning, keep all gates
+**Step 8 — Finalize** (`/sk:finish-feature`)
+Changelog updated. PR created. Feature spec synced. Asks about release.
 
-> Start with: `/sk:fast-track`
+**Step 8.5 — Learn** (`/sk:learn`)
+Extracts reusable patterns from this session:
+> "Rate limiting must be applied to all auth endpoints — security-reviewer flagged POST /login"
 
-| Step | Command | What it does | Phase |
-|------|---------|-------------|-------|
-| 1 | `/sk:branch` | Create feature branch | Build |
-| 2 | implement directly | No TDD — write code | Build |
-| 3 | `/sk:smart-commit` | Conventional commit | Build |
-| 4 | `/sk:gates` | All quality gates (parallel batches) | Verify |
-| 5 | `/sk:finish-feature` | Changelog + PR | Ship |
+Saved to `~/.claude/skills/learned/` — available in future sessions across all projects.
 
-Guard rails: warns if diff > 300 lines or > 5 new files.
+**Step 8.6 — Retro** (`/sk:retro`)
+Brief post-ship retrospective — 3-5 bullets:
+- What went well (gates caught rate-limit issue before PR)
+- What slowed down (schema index discovery required re-migration)
+- Next action (add rate-limit check to write-tests template)
 
 ---
 
-### Bug Fix Flow — investigate first, then fix
-
-> Start with: `/sk:debug`
+### Scenario B — Fixing a Bug
 
-| Step | Command | What it does | Phase |
-|------|---------|-------------|-------|
-| 1 | `/sk:debug` | Reproduce, isolate, hypothesize, verify | Think |
-| 2 | `/sk:branch` | Create fix branch | Build |
-| 3 | `/sk:write-tests` | Regression test that reproduces the bug | Build |
-| 4 | implement the fix | Make regression test pass | Build |
-| 5 | `/sk:smart-commit` | Commit fix + test | Build |
-| 6 | `/sk:gates` | All quality gates (parallel batches) | Verify |
-| 7 | `/sk:finish-feature` | Changelog + PR | Ship |
+Checkout total is wrong when a coupon and tax are both applied.
 
----
+```
+/sk:start fix checkout total wrong when coupon and tax applied
+```
 
-### Hotfix Flow — production emergency
+ShipKit detects `fix` keyword → routes to **debug flow**.
 
-> Start with: `/sk:hotfix`
+The `debugger` agent takes over:
+1. Reproduces: `POST /checkout` with `SAVE20` + CA tax → wrong total
+2. Isolates: `OrderCalculator::applyDiscount()` runs before `TaxService::calculate()`
+3. Hypothesis: discount should apply to subtotal, tax should compute on the discounted subtotal
+4. Verifies: writes a failing unit test proving expected vs actual
+5. Proposes minimal fix in `OrderCalculator.php:47`
 
-| Step | Command | What it does | Phase |
-|------|---------|-------------|-------|
-| 1 | `/sk:debug` | Root-cause analysis | Think |
-| 2 | `/sk:branch` | Create hotfix branch | Build |
-| 3 | implement directly | Fix the issue | Build |
-| 4 | `/sk:smart-commit` | Commit the fix | Build |
-| 5 | `/sk:gates` | All quality gates (parallel batches) | Verify |
-| 6 | `/sk:finish-feature` | Changelog + PR (marked as hotfix) | Ship |
+You approve → fix applied → regression test committed → `/sk:gates` → PR.
 
-After merging: add regression test + lesson to `tasks/lessons.md`.
+After merge, `/sk:learn` captures:
+> "Calculation order matters in pricing pipeline — always test discount + tax combinations together"
 
 ---
 
-### Requirement Change — mid-workflow pivot
+### Scenario C — Production Hotfix
 
-> Run: `/sk:change` — it classifies scope and re-enters at the right step
+Login is broken in production (500 error). It's 2am.
 
-| Tier | What changed | Example | Re-entry point |
-|------|-------------|---------|----------------|
-| **Tier 1** | Behavior tweak (same scope) | "Delete all" → "Delete users only" | `/sk:write-tests` |
-| **Tier 2** | New requirements (new scope) | "Also add export to CSV" | `/sk:write-plan` |
-| **Tier 3** | Scope shift (rethink) | "Different approach entirely" | `/sk:brainstorm` |
-
----
+```
+/sk:start hotfix login 500 error in production
+```
 
-## Quality Gates (`/sk:gates`)
+ShipKit detects `hotfix` + `production` → routes to **hotfix flow** (no TDD ceremony, gates still enforced).
 
-One command runs all 6 gates in parallel batches:
+```
+/sk:debug    → reads Sentry trace → undefined method 'getAuthToken' on User model
+/sk:branch   → hotfix/login-500-missing-auth-token
+```
 
-| Batch | Gates | Why this order |
-|-------|-------|---------------|
-| **1** (parallel) | lint + security + perf | Independent — run simultaneously |
-| **2** | tests | Needs lint fixes first |
-| **3** | code review | Needs deep understanding |
-| **4** | E2E Tests | Needs review fixes |
+Fix applied directly — no brainstorm, no write-tests. Then:
 
-Each gate auto-fixes and re-runs until clean. Fixes are squashed into one commit per gate pass. If a gate fails 3 times, it stops and asks for help.
+```
+/sk:gates    → all gates pass
+/sk:finish-feature → PR marked as hotfix
+```
 
-Pre-existing issues are logged to `tasks/tech-debt.md` — not fixed inline.
+After merge: add regression test + lesson to `tasks/lessons.md`. Never skip this step.
 
 ---
 
-## On-Demand Tools
-
-Use these anytime — they're not part of any workflow.
-
-### Intelligence
-
-| Command | Usage | What it does |
-|---------|-------|-------------|
-| `/sk:learn` | `/sk:learn` | Extract reusable patterns from the session with confidence scoring (0.3-0.9) |
-| `/sk:learn` | `/sk:learn --list` | Show all learned patterns |
-| `/sk:context-budget` | `/sk:context-budget` | Audit token consumption across skills, agents, MCP tools, CLAUDE.md |
-| `/sk:context-budget` | `/sk:context-budget --verbose` | Per-file token breakdown |
-| `/sk:health` | `/sk:health` | Scorecard across 7 categories (0-70): tools, context, gates, memory, evals, security, cost |
-| `/sk:eval` | `/sk:eval define auth` | Define eval criteria before coding |
-| `/sk:eval` | `/sk:eval check auth` | Run evals during implementation |
-| `/sk:eval` | `/sk:eval report` | Summary of all eval results with pass@k metrics |
-
-### Session Management
-
-| Command | Usage | What it does |
-|---------|-------|-------------|
-| `/sk:save-session` | `/sk:save-session` | Save branch, task, progress, open questions to `.claude/sessions/` |
-| `/sk:save-session` | `/sk:save-session --name "auth-flow"` | Save with a custom name |
-| `/sk:resume-session` | `/sk:resume-session` | List saved sessions and pick one to restore |
-| `/sk:resume-session` | `/sk:resume-session --latest` | Auto-pick most recent session |
-| `/sk:context` | `/sk:context` | Load all project context (automatic via hooks on session start) |
-
-### Safety
+### Scenario D — Small Change
 
-| Command | Usage | What it does |
-|---------|-------|-------------|
-| `/sk:safety-guard` | `/sk:safety-guard careful` | Block destructive commands (rm -rf, force push, etc.) |
-| `/sk:safety-guard` | `/sk:safety-guard freeze --dir src/` | Lock edits to `src/` only |
-| `/sk:safety-guard` | `/sk:safety-guard guard --dir src/` | Both careful + freeze combined |
-| `/sk:safety-guard` | `/sk:safety-guard off` | Disable all guards |
-| `/sk:safety-guard` | `/sk:safety-guard status` | Show current mode + blocked action count |
+Bump lodash to the latest version.
 
-### Code Quality
+```
+/sk:start bump lodash dependency to latest
+```
 
-| Command | When to use |
-|---------|------------|
-| `/sk:scope-check` | Mid-implementation — detect scope creep (On Track / Minor / Significant / Out of Control) |
-| `/sk:retro` | After shipping — analyze velocity, blockers, patterns, generate action items |
-| `/sk:seo-audit` | Web projects — SEO audit with source + dev server scanning |
+ShipKit detects `bump` + `dependency` → routes to **fast-track flow** (5 steps, no planning ceremony).
 
-### Documentation & Setup
+```
+/sk:branch   → fast-track/bump-lodash
+update package.json
+/sk:smart-commit
+/sk:gates    → same gates, no shortcuts on quality
+/sk:finish-feature
+```
 
-| Command | When to use |
-|---------|------------|
-| `/sk:reverse-doc` | Inherited codebase — generate architecture/design docs from existing code |
-| `/sk:setup-optimizer` | Maintenance — diagnose, update workflow, deploy hooks, enrich CLAUDE.md |
-| `/sk:ci` | Team — set up GitHub Actions / GitLab CI with PR review, issue triage, nightly audits |
-| `/sk:plugin` | Distribution — package custom skills/agents/hooks as a shareable Claude Code plugin |
-| `/sk:mvp` | New idea — generate a complete MVP app from a single prompt |
-| `/sk:status` | Quick view of workflow and task status |
-| `/sk:dashboard` | Visual Kanban board across all git worktrees |
+Guard rails: warns if the diff exceeds 300 lines (should be a full workflow at that point).
 
 ---
 
-## Stack Support
-
-| Area | Supported |
-|------|-----------|
-| **Frameworks** | Laravel, Next.js, Nuxt, React, Vue, Node.js |
-| **Linters** | Pint, ESLint, PHPStan, Rector, Prettier, Biome |
-| **Test runners** | Pest, PHPUnit, Jest, Vitest, Playwright |
-| **Schema / ORM** | Prisma, Drizzle, Eloquent, SQLAlchemy, ActiveRecord |
-| **Release** | npm, Composer, iOS (App Store), Android (Play Store) |
-
----
+### Scenario E — Requirement Changed Mid-Way
 
-## Code Navigation (LSP)
+You're implementing a payment feature and the stakeholder adds "also support PayPal" after the plan is already written.
 
-ShipKit configures LSP (Language Server Protocol) automatically — giving Claude Code go-to-definition, find-references, hover, and diagnostics instead of plain text search.
+```
+/sk:change
+```
 
-**`/sk:setup-claude`** and **`/sk:setup-optimizer`** both run an LSP Integration step that:
-- Sets `ENABLE_LSP_TOOL=1` in `~/.claude/settings.json`
-- Detects your stack and installs the appropriate language server
+ShipKit classifies the scope change:
 
-| Stack | Language Server |
-|-------|----------------|
-| TypeScript / JavaScript | `typescript-language-server` |
-| PHP | `intelephense` |
-| Python | `pylsp` |
-| Go | `gopls` |
-| Rust | `rust-analyzer` |
-| Swift | `sourcekit-lsp` |
+| Tier | What it means | Example |
+|---|---|---|
+| **Tier 1** | Behavior tweak, same scope | "Delete all" → "Delete users only" → re-enter at Write Tests |
+| **Tier 2** | New requirements added | "Also add PayPal support" → re-enter at Write Plan |
+| **Tier 3** | Scope shift, rethink needed | "Different approach entirely" → re-enter at Brainstorm |
 
-**Rule:** Prefer LSP over `rg`/Grep for code navigation. Use `rg` only when LSP is unavailable or for arbitrary text/pattern matching.
+PayPal support = Tier 2. ShipKit revises the plan and re-enters at Step 3.
 
 ---
 
-## MCP Servers & Plugins
-
-Both `/sk:setup-claude` and `/sk:setup-optimizer` offer to install three tools that enhance Claude Code's reasoning, knowledge, and session visibility. All are opt-in and idempotent.
+## The 13 Agents
 
-### Sequential Thinking MCP
+Agents are specialized sub-agents deployed to `.claude/agents/` by `/sk:setup-claude`. They are **explicitly invoked** by the workflow skills — not guessed. Each has its own memory, model, and isolation settings.
 
-**Why it exists:** Complex problems — architecture decisions, multi-step debugging, tasks with many constraints — benefit from structured reasoning. Without it, Claude works through hard problems in a single pass, which can miss steps or lose track of constraints.
+### Implementation Agents — build things
 
-**What it does:** Gives Claude a dedicated reasoning scratchpad. It thinks through steps sequentially before responding, without cluttering your conversation with the intermediate work.
+| Agent | Invoked by | What it does |
+|---|---|---|
+| `backend-dev` | `sk:team` Step 2 | Writes backend tests (TDD red) then implements API, services, models in a worktree |
+| `frontend-dev` | `sk:team` Step 2 | Writes frontend tests then implements components, pages, composables in a worktree |
+| `mobile-dev` | `sk:team` Step 2 (mobile scope) | React Native / Expo / Flutter — mobile patterns, permissions, store prep |
 
-**Benefit:** More coherent, thorough responses on hard problems. Especially useful during `/sk:brainstorm`, `/sk:debug`, and `/sk:review`.
+### Quality Agents — find and fix problems
 
-**How it's installed:** Adds `@modelcontextprotocol/server-sequential-thinking` to `~/.mcp.json` (global, applies to all projects).
+| Agent | Invoked by | What it does |
+|---|---|---|
+| `qa-engineer` | `sk:team` Step 2 | Writes E2E scenarios while others implement (background — doesn't block) |
+| `code-reviewer` | `sk:gates` Batch 3 | 7-dimension review: correctness, security, performance, reliability, design, best practices, testing (read-only) |
+| `security-reviewer` | `sk:gates` Batch 1, `sk:security-check` | OWASP audit — memory: user (remembers security patterns across all your projects) (read-only) |
+| `performance-optimizer` | `sk:gates` Batch 1, `sk:perf` | Finds AND fixes Critical/High perf issues in a worktree |
 
-### Context7
+### Design Agents — plan before building
 
-**Why it exists:** Claude's training has a knowledge cutoff. When you're working with libraries that release frequently — React, Next.js, Tailwind, shadcn/ui — Claude's suggestions can reference outdated APIs, deprecated methods, or patterns that no longer apply.
+| Agent | Invoked by | What it does |
+|---|---|---|
+| `architect` | `sk:brainstorming` (complex tasks) | Proposes 2-3 architectural approaches with trade-offs before `/sk:write-plan` (read-only) |
+| `database-architect` | `sk:schema-migrate` Phase 0 | Migration safety analysis, index recommendations, breaking change flags (read-only) |
 
-**What it does:** Fetches current, version-accurate documentation for libraries you're using and injects it into Claude's context at the moment it's needed.
+### Operations Agents — infrastructure and maintenance
 
-**Benefit:** Accurate code suggestions for the actual version you're running. No more `useEffect` patterns from React 17 when you're on React 19.
+| Agent | Invoked by | What it does |
+|---|---|---|
+| `devops-engineer` | `sk:ci` | Generates CI/CD workflow files in a worktree — GitHub Actions, GitLab CI, Docker |
+| `debugger` | `sk:debug` | Structured root-cause analysis: reproduce → isolate → hypothesize → verify → fix |
+| `refactor-specialist` | On demand | Behavior-preserving cleanups — runs tests before AND after every change |
+| `tech-writer` | `sk:reverse-doc` Phase 3 | README, API docs, architecture docs — reads code first, never invents behavior |
 
-**How it's installed:** Enables `context7@claude-plugins-official` in `~/.claude/settings.json`.
+**Key rule:** Read-only agents (`security-reviewer`, `code-reviewer`, `architect`, `database-architect`) report findings — the main context or a write agent applies fixes. Write agents (`performance-optimizer`, `backend-dev`, `devops-engineer`, etc.) make changes directly in a worktree.
 
-### ccstatusline
+---
 
-**Why it exists:** Knowing your context window %, active model, and current branch at a glance matters. Without it, you have to run `/sk:status` or guess when to `/compact`.
+## Quality Gates
 
-**What it does:** Adds a persistent statusline to the Claude Code CLI showing context window usage, active model, git branch, and current task.
+`/sk:gates` runs all 6 gates in optimized parallel batches. One command replaces six.
 
-**Benefit:** Always-visible session state. Know when you're approaching context limits before it becomes a problem.
+| Batch | Gates | Notes |
+|---|---|---|
+| **1** (parallel) | lint + `security-reviewer` + `performance-optimizer` | Independent — run simultaneously |
+| **2** | tests (100% coverage on new code) | Needs lint fixes first |
+| **3** | `code-reviewer` (7-dimension) | Needs test confirmation |
+| **4** | E2E (Playwright or agent-browser) | Uses scenarios from `qa-engineer` |
 
-**How it's installed:** Runs `npx ccstatusline@latest` which writes the statusline config to `~/.claude/settings.json`.
+Each gate auto-fixes and re-runs until clean. One squash commit per gate pass. If a gate fails 3 times it stops and asks for help. Pre-existing issues are logged to `tasks/tech-debt.md` — never fixed inline.
 
 ---
 
-## Highest ROI Workflow — Using Every Feature
-
-This is the recommended workflow that gets the most value from every ShipKit feature. It's not the fastest path — it's the most reliable path over the lifetime of a project.
-
-### One-Time Project Setup (Do This Once)
-
-```bash
-# 1. Install ShipKit globally
-npm install -g @kennethsolomon/shipkit && shipkit
-
-# 2. Bootstrap your project
-/sk:setup-claude
-```
+## Lifecycle Hooks
 
-`/sk:setup-claude` deploys: CLAUDE.md, lifecycle hooks, 13 agent definitions, path-scoped rules, planning files, LSP config, MCP servers (Sequential Thinking, Context7), and ccstatusline.
+Installed by `/sk:setup-claude`. Fire automatically on Claude Code events.
 
-```bash
-# 3. Set up CI (once per repo)
-/sk:ci
-```
+**Always installed:**
 
-`/sk:ci` generates GitHub Actions workflows for auto PR review, issue triage, and nightly security audits. From this point on, every PR gets reviewed by Claude automatically.
+| Hook | When | What it does |
+|---|---|---|
+| `session-start` | Session opens | Loads branch, recent commits, active task, tech debt |
+| `session-stop` | Session closes | Logs accomplishments to `tasks/progress.md` |
+| `pre-compact` | Before context compression | Saves git state |
+| `validate-commit` | Before `git commit` | Validates conventional commit format, detects secrets |
+| `validate-push` | Before `git push` | Warns before pushing to protected branches |
+| `log-agent` | Sub-agent starts | Logs invocations to `tasks/agent-audit.log` |
 
-### Session Start (Every Session)
+**Opt-in:**
 
-The `session-start` hook fires automatically and loads: branch, recent commits, active task, tech debt, and code health. You see the session brief before you type anything.
+| Hook | What it does |
+|---|---|
+| `post-edit-format` | Auto-formats with Biome/Prettier/Pint/gofmt after every edit |
+| `config-protection` | Blocks edits to linter/formatter config files |
+| `console-log-warning` | Warns about `console.log`, `dd()`, `var_dump()` in modified files |
+| `cost-tracker` | Logs session metadata to `.claude/sessions/cost-log.jsonl` |
+| `safety-guard` | Enforces `/sk:safety-guard` freeze/careful mode |
 
-If starting on an unfamiliar codebase:
-```
-/sk:reverse-doc architecture src/
-```
-`/sk:reverse-doc` reads your code and generates architecture documentation — maps layers, traces data flow, asks clarifying questions to distinguish intentional design from accidental implementation. Run it once when you join a codebase or after a long break.
+---
 
-### Feature Development (The Core Loop)
+## Path-Scoped Rules
 
-**Step 1 — Before writing the plan, use the `architect` agent on complex tasks:**
-```
-Use the architect agent: analyze the authentication system and propose an approach for adding OAuth
-```
-The `architect` agent reads your findings, lessons, and existing code — then proposes 2-3 options with trade-offs. This prevents architectural mistakes before a single line is written.
+Rule files in `.claude/rules/` auto-activate in Claude Code when you edit matching files — no manual context loading.
 
-**Step 2 — For database changes, use the `database-architect` agent first:**
-```
-Use the database-architect agent: review the proposed users table changes
-```
-Gets you a migration safety classification (Safe / Careful / Breaking), index recommendations, and a deployment plan before `/sk:schema-migrate` runs.
+| Rule file | Activates when editing | Enforces |
+|---|---|---|
+| `laravel.md` | `app/**/*.php`, `routes/**`, `config/**` | Laravel conventions, Eloquent patterns |
+| `react.md` | `**/*.tsx`, `**/*.jsx` | Hooks rules, component patterns, TypeScript strictness |
+| `vue.md` | `**/*.vue`, `resources/js/**` | Composition API only, `<script setup>`, Pinia |
+| `tests.md` | `tests/**`, `**/*.test.*`, `**/*.spec.*` | TDD standards, assertion quality, test isolation |
+| `api.md` | `routes/api.php`, `app/Http/Controllers/**` | RESTful conventions, auth patterns, error shapes |
+| `migrations.md` | `database/migrations/**`, `prisma/**` | Migration safety, reversibility, index naming |
 
-**Step 3 — Run the standard workflow:**
-```
-/sk:start               ← classifies task, routes to optimal flow
-/sk:brainstorm          ← explore requirements, extract checklist
-/sk:write-plan          ← decision-complete plan (auto-generates contracts.md for API tasks)
-/sk:branch              ← feature branch auto-named from task
-/sk:write-tests         ← TDD red: failing tests first
-/sk:execute-plan        ← TDD green: implement to pass tests
-/sk:smart-commit        ← conventional commit with approval
-/sk:gates               ← all 6 quality gates in parallel batches
-/sk:finish-feature      ← changelog + PR + arch log
-```
+---
 
-**For full-stack features — run `/sk:team` instead of execute-plan:**
-```
-/sk:team
-```
-Spawns `backend-dev`, `frontend-dev`, and `qa-engineer` in parallel worktrees. Backend implements the API, frontend mocks and builds UI, QA writes E2E scenarios — simultaneously. Results merge after all complete.
+## MCP Servers
 
-### During Gates — When Things Fail
+Installed optionally by `/sk:setup-claude` and `/sk:setup-optimizer`.
 
-**Perf gate fails with Critical issues:**
-```
-Use the performance-optimizer agent: fix the N+1 queries found in /sk:perf
-```
-The `performance-optimizer` agent reads `tasks/perf-findings.md`, implements fixes, and runs tests to confirm no regression. Works in an isolated worktree.
+| Server | What it does | Best for |
+|---|---|---|
+| **Sequential Thinking** | Structured reasoning scratchpad — Claude thinks through hard problems step-by-step without cluttering the conversation | `/sk:brainstorm`, `/sk:debug`, `/sk:review` |
+| **Context7** | Fetches current, version-accurate docs for libraries you're using — no stale API suggestions | React 19, Next.js 15, Tailwind v4, shadcn/ui |
+| **ccstatusline** | Persistent statusline: context window %, model, git branch, current task | Every session |
 
-**Security gate blocks with High findings:**
-```
-Use the security-reviewer agent: audit the auth changes
-```
-The `security-reviewer` agent runs a focused OWASP audit. Its memory is `user`-scoped — it remembers security patterns across ALL your projects.
+---
 
-**Review gate blocks:**
-```
-Use the code-reviewer agent
-```
-7-dimension review: correctness, security, performance, reliability, design, best practices, testing. Tells you exactly what to fix.
+## On-Demand Tools
 
-### After Shipping
+Use these anytime outside of the main workflow.
 
-```
-/sk:learn               ← extract reusable patterns from the session (confidence-scored)
-/sk:retro               ← velocity, blockers, patterns, 3-5 action items
-```
+### Intelligence
 
-`/sk:learn` is the compounding step. Each session adds patterns that future sessions apply automatically. Over time, you stop repeating the same mistakes.
+| Command | Usage | What it does |
+|---|---|---|
+| `/sk:learn` | `/sk:learn` | Extract reusable patterns from the session with confidence scoring (0.3–0.9) |
+| `/sk:learn` | `/sk:learn --list` | Show all learned patterns |
+| `/sk:eval` | `/sk:eval define auth` | Define eval criteria before coding |
+| `/sk:eval` | `/sk:eval check auth` | Run evals during implementation |
+| `/sk:health` | `/sk:health` | Scorecard across 7 categories (0–70) |
+| `/sk:context-budget` | `/sk:context-budget` | Audit token consumption across skills, agents, CLAUDE.md |
 
-### Maintenance Workflows
+### Session Management
 
-**Codebase cleanup:**
-```
-Use the refactor-specialist agent: clean up the authentication module
-```
-The `refactor-specialist` runs tests before starting, makes behavior-preserving changes one at a time, runs tests after each change, and commits with `refactor(scope): description`. If tests go red, it reverts and reports.
+| Command | Usage | What it does |
+|---|---|---|
+| `/sk:save-session` | `/sk:save-session` | Save branch, task, progress to `.claude/sessions/` |
+| `/sk:resume-session` | `/sk:resume-session --latest` | Restore most recent session |
+| `/sk:context` | `/sk:context` | Load all project context (automatic via hooks) |
 
-**Documentation gaps:**
-```
-Use the tech-writer agent: document the payment service API
-```
-The `tech-writer` reads code first, never invents behavior, and produces README, API docs, or architecture docs in your project's existing style.
+### Safety
 
-**Mobile store submission:**
-```
-Use the mobile-dev agent: prepare the iOS release
-/sk:release --ios
-```
+| Command | Usage | What it does |
+|---|---|---|
+| `/sk:safety-guard` | `careful` | Block destructive commands |
+| `/sk:safety-guard` | `freeze --dir src/` | Lock edits to a directory |
+| `/sk:safety-guard` | `off` | Disable all guards |
 
-**Infrastructure changes:**
-```
-Use the devops-engineer agent: set up Docker for local development
-/sk:ci                  ← or update CI workflows
-```
+### Code Quality
 
-### Health Checks (Weekly/Monthly)
+| Command | When to use |
+|---|---|
+| `/sk:scope-check` | Mid-implementation — detect scope creep |
+| `/sk:retro` | After shipping — velocity, blockers, action items |
+| `/sk:seo-audit` | Web projects — SEO audit against source + dev server |
 
-```
-/sk:health              ← scorecard across 7 categories (0-70)
-/sk:setup-optimizer     ← update CLAUDE.md, deploy missing agents/rules/hooks
-```
+### Setup & Docs
 
-`/sk:health` scores your project setup. `< 50` means you're leaving significant reliability on the table. `/sk:setup-optimizer` fixes the gaps.
+| Command | When to use |
+|---|---|
+| `/sk:reverse-doc` | New to a codebase — generate architecture/design/API docs from existing code |
+| `/sk:setup-optimizer` | Monthly — update CLAUDE.md, deploy missing agents, hooks, rules |
+| `/sk:ci` | Once per repo — GitHub Actions or GitLab CI with PR review + nightly audits |
+| `/sk:plugin` | Distribute — package custom skills/agents/hooks as a shareable Claude Code plugin |
+| `/sk:mvp` | New idea — generate a complete MVP app from a single prompt |
+| `/sk:website` | Client work — build a full multi-page marketing site from a brief or URL |
 
 ---
 
-### Summary: Which Tool for Which Situation
-
-| Situation | What to reach for |
-|-----------|------------------|
-| Starting a feature | `/sk:start` → `/sk:brainstorm` |
-| Complex architecture decision | `architect` agent before `/sk:write-plan` |
-| Database schema change | `database-architect` agent before `/sk:schema-migrate` |
-| Full-stack feature | `/sk:team` (parallel agents) |
-| Performance issues | `performance-optimizer` agent |
-| Security review | `security-reviewer` agent |
-| Code review | `code-reviewer` agent |
-| Bug investigation | `/sk:debug` + `debugger` agent |
-| Codebase cleanup | `refactor-specialist` agent |
-| Missing docs | `tech-writer` agent + `/sk:reverse-doc` |
-| CI/CD setup | `/sk:ci` + `devops-engineer` agent |
-| Mobile feature | `mobile-dev` agent |
-| New to a codebase | `/sk:reverse-doc` first |
-| Session start | Hooks auto-run, or `/sk:context` |
-| After shipping | `/sk:learn` + `/sk:retro` |
-| Monthly maintenance | `/sk:health` + `/sk:setup-optimizer` |
+## Stack Support
+
+| Area | Supported |
+|---|---|
+| **Frameworks** | Laravel, Next.js, Nuxt, React, Vue, Node.js |
+| **Linters** | Pint, ESLint, PHPStan, Rector, Prettier, Biome |
+| **Test runners** | Pest, PHPUnit, Jest, Vitest, Playwright |
+| **Schema / ORM** | Prisma, Drizzle, Eloquent, SQLAlchemy, ActiveRecord |
+| **Release** | npm, Composer, iOS (App Store), Android (Play Store) |
 
 ---
 
 ## All Commands
 
 <details>
-<summary><strong>54 commands</strong> — click to expand</summary>
+<summary><strong>43 skills + 13 agents</strong> — click to expand</summary>
 
 | Command | Purpose |
-|---------|---------|
+|---|---|
 | `/sk:accessibility` | WCAG 2.1 AA audit |
 | `/sk:api-design` | Design API contracts before implementation |
 | `/sk:autopilot` | Hands-free workflow — auto-skip, auto-advance, auto-commit |
-| `/sk:brainstorm` | Explore requirements and design; extracts requirements checklist |
+| `/sk:brainstorm` | Explore requirements and design |
 | `/sk:branch` | Create feature branch from current task |
 | `/sk:change` | Handle mid-workflow requirement changes |
+| `/sk:ci` | Set up GitHub Actions / GitLab CI |
 | `/sk:config` | View/edit project config |
-| `/sk:context` | Load project context (automatic via hooks) |
+| `/sk:context` | Load project context |
 | `/sk:context-budget` | Audit context window token consumption |
-| `/sk:dashboard` | Live Kanban board — sk:dashboard across worktrees |
+| `/sk:dashboard` | Live Kanban board across worktrees |
 | `/sk:debug` | Structured bug investigation |
-| `/sk:e2e` | E2E Tests — behavioral verification |
-| `/sk:eval` | Define, run, and report evals for agent reliability |
-| `/sk:execute-plan` | Execute plan checkboxes in batches with status checkpoints |
+| `/sk:e2e` | E2E behavioral verification |
+| `/sk:eval` | Define, run, and report evals |
+| `/sk:execute-plan` | Execute plan checkboxes in batches |
 | `/sk:fast-track` | Small changes — skip planning, keep gates |
 | `/sk:features` | Sync feature specs with codebase |
 | `/sk:finish-feature` | Changelog + PR |
 | `/sk:frontend-design` | UI mockup + optional Pencil visual design |
-| `/sk:gates` | All quality gates in parallel batches with batch checkpoints |
+| `/sk:gates` | All quality gates in parallel batches |
 | `/sk:health` | Harness self-audit scorecard |
 | `/sk:help` | Show all commands |
 | `/sk:hotfix` | Emergency fix workflow |
@@ -592,31 +476,30 @@ Use the devops-engineer agent: set up Docker for local development
 | `/sk:mvp` | Generate MVP app from a prompt |
 | `/sk:perf` | Performance audit |
 | `/sk:plan` | Create/refresh planning files |
+| `/sk:plugin` | Package skills/agents/hooks as a plugin |
 | `/sk:release` | Version bump + tag (`--android` / `--ios` for store audit) |
 | `/sk:resume-session` | Resume a previously saved session |
 | `/sk:retro` | Post-ship retrospective |
 | `/sk:reverse-doc` | Generate docs from existing code |
-| `/sk:review` | 7-dimension code review with `<think>` reasoning and exhaustiveness |
+| `/sk:review` | 7-dimension code review |
 | `/sk:safety-guard` | Protect against destructive ops |
 | `/sk:save-session` | Save session state for continuity |
 | `/sk:schema-migrate` | Database schema change analysis |
 | `/sk:scope-check` | Detect scope creep mid-implementation |
-| `/sk:security-check` | OWASP security audit with content isolation and CVSS scoring |
-| `/sk:ci` | Set up Claude Code GitHub Actions or GitLab CI — PR review, issue triage, nightly audits, release automation |
-| `/sk:plugin` | Package custom skills, agents, and hooks as a distributable Claude Code plugin |
+| `/sk:security-check` | OWASP security audit with CVSS scoring |
 | `/sk:seo-audit` | SEO audit for web projects |
 | `/sk:set-profile` | Switch model routing profile |
-| `/sk:website` | Build a complete, client-deliverable multi-page marketing website from a brief or URL. Supports `--stack nuxt`, `--stack laravel`, `--deploy`, `--revise`. Full guide: `docs/guides/sk-website-guide.md` |
 | `/sk:setup-claude` | Bootstrap project scaffolding |
-| `/sk:setup-optimizer` | Diagnose + update workflow + deploy hooks + enrich CLAUDE.md |
+| `/sk:setup-optimizer` | Update workflow, agents, hooks, CLAUDE.md |
 | `/sk:skill-creator` | Create or improve skills |
 | `/sk:smart-commit` | Conventional commit with approval |
-| `/sk:start` | Smart entry point — classifies task, routes to optimal flow |
+| `/sk:start` | Smart entry point — classifies task, routes to flow |
 | `/sk:status` | Show workflow + task status |
 | `/sk:team` | Parallel domain agents for full-stack tasks |
 | `/sk:test` | Run all test suites |
 | `/sk:update-task` | Mark task done |
-| `/sk:write-plan` | Write plan to `tasks/todo.md`; auto-generates `tasks/contracts.md` for API tasks |
+| `/sk:website` | Build a full multi-page marketing site |
+| `/sk:write-plan` | Write plan to `tasks/todo.md` |
 | `/sk:write-tests` | TDD: write failing tests first |
 
 </details>
@@ -626,12 +509,11 @@ Use the devops-engineer agent: set up Docker for local development
 ## Learn More
 
 | Topic | Where |
-|-------|-------|
-| Detailed workflow steps (8-step flow) | [DOCUMENTATION.md](.claude/docs/DOCUMENTATION.md) |
+|---|---|
+| Detailed 8-step workflow | [DOCUMENTATION.md](.claude/docs/DOCUMENTATION.md) |
 | Feature specifications | [docs/FEATURES.md](docs/FEATURES.md) |
 | Model routing profiles & config | [DOCUMENTATION.md — Config](.claude/docs/DOCUMENTATION.md#config-reference) |
 | Infrastructure (hooks, agents, rules) | [DOCUMENTATION.md — Setup](.claude/docs/DOCUMENTATION.md#what-gets-created) |
-| Security & permissions | [DOCUMENTATION.md — Security](.claude/docs/DOCUMENTATION.md#security) |
 
 ---
 

package/commands/sk/finish-feature.md

@@ -155,6 +155,20 @@ If unresolved Critical/High findings remain, warn the user before proceeding.
 
    e) Report the PR URL to the user.
 
+8. **Capture Patterns** (`/sk:learn`)
+
+   After the PR is created, run `/sk:learn` to extract reusable patterns from this session.
+   Present extracted patterns and ask: "Save patterns? (all / 1,3 / none)"
+
+9. **Retrospective** (`/sk:retro`)
+
+   Run `/sk:retro` to capture a brief post-ship retrospective:
+   - What went well
+   - What slowed things down
+   - Top action items for next time
+
+   Output is appended to `tasks/progress.md`.
+
 ## When Done
 
 > "Feature finalized and PR created! Run `/sk:release` when ready to tag and publish."

package/commands/sk/help.md

@@ -21,21 +21,19 @@ Run these commands in order for a complete, quality-gated feature build.
 
 ## Feature Workflow
 
-| Command | Purpose |
-|---------|---------|
-| `/sk:brainstorm` | Explore requirements and design — **no code yet** |
-| `/sk:write-plan` | Write a decision-complete plan to `tasks/todo.md` |
-| `/sk:branch` | Create a feature branch from the current task |
-| `/sk:schema-migrate` | Analyze schema changes *(skip if no DB changes)* |
-| `/sk:write-tests` | TDD red: write failing tests first |
-| `/sk:execute-plan` | TDD green: implement until tests pass |
-| `/sk:smart-commit` | Conventional commit with approval |
-| `/sk:lint` | **GATE** — all linters must pass |
-| `/sk:test` | **GATE** — 100% coverage on new code |
-| `/sk:security-check` | **GATE** — 0 security issues |
-| `/sk:review` | **GATE** — blast-radius-aware self-review across 7 dimensions + cross-file impact |
-| `/sk:update-task` | Mark task done, log completion |
-| `/sk:finish-feature` | Changelog + PR creation |
+| # | Command | Purpose |
+|---|---------|---------|
+| 1 | `/sk:brainstorm` | Explore requirements — **no code yet** |
+| 2 | `/sk:frontend-design` or `/sk:api-design` | Design UI or API contracts *(auto-skip if no frontend/API keywords)* |
+| 3 | `/sk:write-plan` | Write a decision-complete plan to `tasks/todo.md` |
+| 4 | `/sk:branch` | Create a feature branch from the current task |
+| 5 | `/sk:write-tests` + `/sk:execute-plan` | TDD red + green (includes `/sk:schema-migrate` if DB keywords detected) |
+| 5.5 | `/sk:scope-check` | Trim scope creep — compare implementation to plan |
+| 6 | `/sk:smart-commit` | Conventional commit with approval |
+| 7 | `/sk:gates` | **All quality gates** — lint, test, security, perf, review, e2e *(hard gate)* |
+| 8 | `/sk:finish-feature` | Changelog + PR creation |
+| 8.5 | `/sk:learn` | Extract reusable patterns from this session |
+| 8.6 | `/sk:retro` | Post-ship retrospective — velocity, blockers, next actions |
 
 ## Requirement Change Flow
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@kennethsolomon/shipkit",
-  "version": "3.17.0",
+  "version": "3.18.0",
   "description": "A structured workflow toolkit for Claude Code.",
   "keywords": [
     "claude",

package/skills/sk:autopilot/SKILL.md

@@ -1,12 +1,12 @@
 ---
 name: sk:autopilot
-description: Hands-free workflow — runs all 8 steps with auto-skip, auto-advance, auto-commit. Stops only for direction approval, 3-strike failures, and PR push.
+description: Hands-free workflow — runs all 8 phases (including scope check, learn, retro) with auto-skip, auto-advance, auto-commit. Stops only for direction approval, 3-strike failures, and PR push.
 allowed-tools: Read, Write, Bash, Glob, Grep, Agent, Skill
 ---
 
 # Autopilot Mode
 
-Hands-free workflow that executes all 8 steps of the ShipIt workflow with minimal interruptions. Same quality gates, same fix loops, same 100% coverage — just fewer stops.
+Hands-free workflow that executes all 8 phases (including scope check, learn, and retro) of the ShipIt workflow with minimal interruptions. Same quality gates, same fix loops, same 100% coverage — just fewer stops.
 
 ## When to Use
 
@@ -22,7 +22,7 @@ Hands-free workflow that executes all 8 steps of the ShipIt workflow with minima
 
 ## Quality Guarantee
 
-Autopilot runs the EXACT same 8 steps as manual mode:
+Autopilot runs the EXACT same workflow as manual mode (8 phases: explore, design, plan, branch, implement + scope check, commit, gates, ship + learn + retro):
 - ALL quality gates enforced (lint, test, security, perf, review, e2e)
 - ALL fix-rerun loops active
 - 100% test coverage required on new code
@@ -64,6 +64,13 @@ Create feature branch auto-named from the task. Do NOT ask for confirmation.
 - Run `/sk:execute-plan` (TDD green phase)
 - Auto-advance when done
 
+### 5.5. Scope Check (auto-advance)
+
+Run `/sk:scope-check` to compare the implementation against `tasks/todo.md`.
+
+- If scope creep detected: log findings, trim the excess, re-commit
+- If on-scope: auto-advance silently
+
 ### 6. Commit (auto-commit)
 
 Auto-commit with conventional commit format. Do NOT ask for commit message approval.
@@ -96,6 +103,20 @@ After confirmation:
 - Sync features (`/sk:features`)
 - Ask about release (never auto-skipped)
 
+### 8.5. Learn (auto-advance)
+
+Run `/sk:learn` to extract reusable patterns from this session.
+
+- Patterns are saved to `~/.claude/skills/learned/` automatically
+- Auto-advance after saving — no confirmation needed in autopilot
+
+### 8.6. Retro (auto-advance)
+
+Run `/sk:retro` to capture velocity, blockers, and action items for this feature.
+
+- Output is brief — 3-5 bullets covering what went well, what slowed down, and next actions
+- Appended to `tasks/progress.md`
+
 ## 3-Strike Protocol
 
 If any step fails 3 times:
@@ -111,6 +132,7 @@ If any step fails 3 times:
 | Direction approval | After brainstorm (step 1) | User must approve the approach |
 | 3-strike failure | Any step fails 3x | Needs human judgment |
 | PR push | Before creating PR (step 8) | Visible to others — always confirm |
+| Release | After step 8.6 | Never auto-skipped — always ask |
 
 Everything else auto-advances.
 

package/skills/sk:gates/SKILL.md

@@ -10,7 +10,7 @@ Run all quality gates (lint, test, security, perf, review, e2e) in optimized bat
 
 ## When to Use
 
-Run `/sk:gates` after committing implementation code (step 11). This single command handles steps 12-17 of the workflow.
+Run `/sk:gates` after `/sk:smart-commit` completes (step 6). This single command covers all quality gates (step 7 of the workflow).
 
 ## Execution Strategy
 
@@ -23,6 +23,7 @@ Launch 3 agents simultaneously:
 1. **Linter agent** — runs all formatters, analyzers, dep audits
 2. **`security-reviewer` agent** — OWASP audit on changed files (read-only; reports findings, does not fix)
 3. **`performance-optimizer` agent** — bundle, N+1, Core Web Vitals, memory (worktree isolation — finds AND fixes critical/high issues)
+   **Auto-skip:** If NO frontend keywords (component, view, page, CSS, UI, form, modal, button, react, vue, svelte, blade) AND NO database keywords (migration, schema, table, column, model, database, foreign key, index, seed) appear in `tasks/todo.md`, skip this agent and log: `Auto-skipped: Performance (no frontend or database keywords in plan)`.
 
 These 3 have no dependencies on each other. Run them in parallel using the Agent tool.
 

package/skills/sk:setup-claude/templates/CLAUDE.md.template

@@ -51,9 +51,12 @@ Progress is tracked via git branch + `tasks/todo.md` checkboxes.
 | 3 | Plan | `/sk:write-plan` | required |
 | 4 | Branch | `/sk:branch` | required |
 | 5 | Write Tests + Implement | `/sk:write-tests` then `/sk:execute-plan` | required |
+| 5.5 | Scope Check | `/sk:scope-check` | required |
 | 6 | Commit | `/sk:smart-commit` | required |
 | 7 | Gates | `/sk:gates` | required (hard gate) |
 | 8 | Finalize | `/sk:finish-feature` | required |
+| 8.5 | Learn | `/sk:learn` | required |
+| 8.6 | Retro | `/sk:retro` | required |
 
 ### Step Details
 
@@ -62,9 +65,12 @@ Progress is tracked via git branch + `tasks/todo.md` checkboxes.
 3.  **Plan** — run `/sk:write-plan` to write a decision-complete plan into `tasks/todo.md`. No code in this step. After the plan is written, auto-skip detection runs for step 2 if not already done.
 4.  **Branch** — run `/sk:branch` to create a feature branch auto-named from the current task.
 5.  **Write Tests + Implement** — run `/sk:write-tests` (TDD red phase), then `/sk:execute-plan` (TDD green phase). Includes `/sk:schema-migrate` if database keywords detected in the plan. Log progress to `tasks/progress.md`.
+5.5. **Scope Check** — run `/sk:scope-check` to compare implementation against `tasks/todo.md`. Trim scope creep before committing.
 6.  **Commit** — run `/sk:smart-commit` to commit tests + implementation.
 7.  **Gates** — run `/sk:gates` to execute all quality gates in optimized parallel batches (lint, test, security, perf, review, e2e). This is a **hard gate** — blocks all forward progress until every check passes. Individual gate commands (`/sk:lint`, `/sk:test`, `/sk:security-check`, `/sk:perf`, `/sk:review`, `/sk:e2e`) are still available standalone.
 8.  **Finalize** — run `/sk:finish-feature` for changelog, PR creation, `/sk:update-task`, `/sk:features` sync. Ask about `/sk:release` (never auto-skipped).
+8.5. **Learn** — run `/sk:learn` to extract reusable patterns from the session into `~/.claude/skills/learned/`.
+8.6. **Retro** — run `/sk:retro` for a brief post-ship retrospective (velocity, blockers, next actions).
 
 ### Workflow Rules
 
@@ -286,7 +292,7 @@ Create entries in: `[ARCH_CHANGELOG_DIR]`
 |---------|---------|
 | `/sk:accessibility` | WCAG 2.1 AA audit — runs after design, before implementation |
 | `/sk:api-design` | Design API contracts (endpoints, payloads, auth, errors) before implementation |
-| `/sk:autopilot` | Hands-free workflow — all 8 steps, auto-skip, auto-advance, auto-commit |
+| `/sk:autopilot` | Hands-free workflow — all 8 phases (scope check, learn, retro included), auto-skip, auto-advance, auto-commit |
 | `/sk:brainstorm` | Explore requirements and design (includes search-first research) |
 | `/sk:branch` | Create feature branch auto-named from current task |
 | `/sk:change` | Handle mid-workflow requirement changes — re-enter at correct step |

package/skills/sk:setup-optimizer/SKILL.md

@@ -44,7 +44,7 @@ Before making any changes, runs a diagnostic pass on the existing CLAUDE.md:
 - **Stale content** — detects outdated info (stale model/route counts, removed dependencies, old command names like `/laravel-lint` instead of `/sk:lint`)
 - **Inconsistencies** — compares documented vs actual project state (directories, scripts, workflows)
 - **Section completeness** — flags sections that exist but are empty or have only placeholder text
-- **Outdated workflow** — checks if the workflow matches the current 8-step flow with `/sk:gates` as single gate step
+- **Outdated workflow** — checks if the workflow matches the current 11-step flow (1, 2, 3, 4, 5, 5.5, 6, 7, 8, 8.5, 8.6) with `/sk:gates` as single gate step
 - **Missing commands** — checks for `sk:start`, `sk:autopilot`, `sk:team`, `sk:learn`, `sk:context-budget`, `sk:health`, `sk:save-session`, `sk:resume-session`, `sk:safety-guard`, `sk:eval`, `sk:ci`, `sk:plugin` in the Commands table
 - **Missing agents** — checks if `.claude/agents/` exists and contains the 13 core agents: `backend-dev`, `frontend-dev`, `mobile-dev`, `qa-engineer`, `code-reviewer`, `security-reviewer`, `performance-optimizer`, `architect`, `database-architect`, `devops-engineer`, `debugger`, `refactor-specialist`, `tech-writer`
 - **Missing rules** — checks if `.claude/rules/` exists and contains the project-relevant rule files based on detected stack (laravel.md, react.md, vue.md, tests.md, api.md, migrations.md)
@@ -59,13 +59,13 @@ Reports findings before proceeding. If issues are found, they inform subsequent
 
 If the workflow section is outdated or missing, replace it with the latest version:
 
-**Current workflow (8 steps, TDD with `/sk:gates` as single gate step):**
+**Current workflow (11 steps, TDD with `/sk:gates` as single gate step):**
 ```
-Explore → Design → Plan → Branch → Write Tests + Implement → Commit → Gates → Finalize
+Explore → Design → Plan → Branch → Write Tests + Implement → Scope Check → Commit → Gates → Finalize + Learn + Retro
 ```
 
 **What gets updated:**
-- Workflow table (8 steps — `/sk:brainstorm`, `/sk:frontend-design` or `/sk:api-design`, `/sk:write-plan`, `/sk:branch`, `/sk:write-tests` + `/sk:execute-plan`, `/sk:smart-commit`, `/sk:gates`, `/sk:finish-feature`)
+- Workflow table (11 steps — `/sk:brainstorm`, `/sk:frontend-design` or `/sk:api-design`, `/sk:write-plan`, `/sk:branch`, `/sk:write-tests` + `/sk:execute-plan`, `/sk:scope-check`, `/sk:smart-commit`, `/sk:gates`, `/sk:finish-feature`, `/sk:learn`, `/sk:retro`)
 - Step details (TDD red/green/verify descriptions)
 - Workflow rules (auto-advance, conditional summary, auto-skip, squash gate commits)
 - Bug fix flow section (7 steps)

package/skills/sk:start/SKILL.md

@@ -32,7 +32,7 @@ Read the task description from arguments. Scan for signal keywords to determine
 | bug, fix, broken, error, regression, failing, crash, wrong | `debug` (7 steps) |
 | urgent, prod down, hotfix, emergency, critical, production, incident | `hotfix` (6 steps) |
 | config, bump, typo, copy, rename, dependency, upgrade, version, docs | `fast-track` (5 steps) |
-| *(default — no special signals)* | `feature` (8 steps) |
+| *(default — no special signals)* | `feature` (8 phases + scope check, learn, retro) |
 
 **Scope detection:**
 
@@ -84,7 +84,7 @@ Present the classification and recommendation:
 ```
 Detected: [Full-stack feature / Backend bug fix / Frontend hotfix / Small config change / etc.]
 Recommended:
-  Flow:   [feature (8 steps) / debug (7 steps) / hotfix (6 steps) / fast-track (5 steps)]
+  Flow:   [feature (8 phases) / debug (7 steps) / hotfix (6 steps) / fast-track (5 steps)]
   Mode:   [autopilot / manual]
   Agents: [team (backend + frontend + QA) / solo]
 

package/skills/sk:team/SKILL.md

@@ -106,7 +106,7 @@ If both agents used worktree isolation and made changes:
 
 ### 5. Collect QA Agent Results
 
-Collect the QA Agent's E2E scenarios. These will be used in the E2E gate (step 17).
+Collect the QA Agent's E2E scenarios. These will be used in the E2E gate (step 7 / Batch 4).
 
 ### 6. Report Results