@kennethsolomon/shipkit 3.6.0 → 3.7.0

package/README.md

@@ -93,21 +93,15 @@ Brainstorm → Plan → Branch → [Schema] → Write Tests → Implement → Co
 | 10 | `/sk:execute-plan` | TDD green: make tests pass |
 | 11 | `/sk:smart-commit` | Conventional commit |
 | 12 | **`/sk:lint`** | **GATE** — Lint + Dep Audit — all linters must pass |
-| 13 | `/sk:smart-commit` | Auto-skip if already clean |
-| 14 | **`/sk:test`** | **GATE** — 100% coverage on new code |
-| 15 | `/sk:smart-commit` | Auto-skip if already clean |
-| 16 | **`/sk:security-check`** | **GATE** — 0 issues |
-| 17 | `/sk:smart-commit` | Auto-skip if already clean |
-| 18 | **`/sk:perf`** | **GATE** *(optional)* — critical/high findings = 0 |
-| 19 | `/sk:smart-commit` | Auto-skip if already clean |
-| 20 | **`/sk:review`** | **GATE** — Review + Simplify + Blast Radius — 0 issues including nitpicks |
-| 21 | `/sk:smart-commit` | Auto-skip if already clean |
-| 22 | **`/sk:e2e`** | **GATE** — E2E Tests — prefers Playwright CLI when config detected, falls back to agent-browser; all scenarios must pass |
-| 23 | `/sk:smart-commit` | Auto-skip if already clean |
-| 24 | `/sk:update-task` | Mark done, log completion |
-| 25 | `/sk:finish-feature` | Changelog + PR |
-| 26 | `/sk:features` | Sync Features — update docs/features/ specs *(required)* |
-| 27 | `/sk:release` | Version bump + tag *(optional)* |
+| 13 | **`/sk:test`** | **GATE** — 100% coverage on new code |
+| 14 | **`/sk:security-check`** | **GATE** — 0 issues |
+| 15 | **`/sk:perf`** | **GATE** *(optional)* — critical/high findings = 0 |
+| 16 | **`/sk:review`** | **GATE** — Review + Simplify + Blast Radius — 0 issues including nitpicks |
+| 17 | **`/sk:e2e`** | **GATE** — E2E Tests — prefers Playwright CLI when config detected, falls back to agent-browser; all scenarios must pass |
+| 18 | `/sk:update-task` | Mark done, log completion |
+| 19 | `/sk:finish-feature` | Changelog + PR |
+| 20 | `/sk:features` | Sync Features — update docs/features/ specs *(required)* |
+| 21 | `/sk:release` | Version bump + tag *(optional)* |
 
 > **Fix & Retest Protocol:** All code-producing gates (Lint, Test, Security, Performance, Review, E2E) apply the Fix & Retest Protocol: logic changes require updating unit tests before committing the fix. Fix immediately, then re-run — never ask the user to re-run.
 

package/commands/sk/security-check.md

@@ -12,7 +12,15 @@ By default, this checks only files changed on the current branch. Use `--all` to
 
 ## Hard Rules
 
-- **DO NOT fix code.** This is an audit — report only. The user decides what to fix.
+- **Fix all in-scope findings** (files in `git diff main..HEAD --name-only`) immediately after the audit. auto-commit with `fix(security): resolve [severity] security findings`. Re-run the audit until 0 findings remain.
+- **Pre-existing findings** (files outside the current branch diff): log to `tasks/tech-debt.md` using this format — do NOT fix inline:
+  ```
+  ### [YYYY-MM-DD] Found during: sk:security-check
+  File: path/to/file.ext:line
+  Issue: description of the vulnerability
+  Severity: critical | high | medium | low
+  ```
+- **Gates own their commits** — the fix-commit-rerun loop is fully internal. No manual commit step needed after this gate.
 - **DO NOT skip checks** because the project is small or simple. Production is production.
 - **Every finding must cite a specific file and line number.**
 - **Every finding must reference the standard it violates** (OWASP, CWE, NIST, etc.).
@@ -165,13 +173,11 @@ Tell the user:
 > "Security audit complete. Findings saved to `tasks/security-findings.md`.
 > - **Critical:** N open (N resolved) | **High:** N open (N resolved) | **Medium:** N open | **Low:** N open
 >
-> Review the findings, then run `/sk:finish-feature` when ready to finalize."
+> All in-scope findings have been fixed and committed. Pre-existing issues logged to `tasks/tech-debt.md`."
 
 If there are Critical or High findings:
 > "There are critical/high findings that MUST be fixed before merging. These are HARD GATE items — `- [ ]` findings block all forward progress. Fix them, then re-run `/sk:security-check` to verify."
 
-**Do not auto-fix.** The user decides what to address.
-
 ### Fix & Retest Protocol
 
 When applying a fix, classify it before committing:

package/commands/sk/update-task.md

@@ -16,6 +16,15 @@ Mark the current task as complete and log progress.
 - In `tasks/todo.md`, change the task's checkbox from `[ ]` to `[x]`
 - If the task has subtasks, verify all subtasks are also checked
 
+### 2.5. Mark Resolved Tech Debt
+
+- Read `tasks/tech-debt.md` if it exists
+- Find any unresolved entries (entries with no `Resolved:` line) whose `File:` or `Issue:` description relates to files or features changed in the current task (cross-reference with `tasks/todo.md` plan and current branch diff via `git diff main..HEAD --name-only`)
+- For each matched entry, append this line directly after the entry's `Severity:` line:
+  `Resolved: [YYYY-MM-DD] — [current branch name]`
+- Never delete entries — only append the `Resolved:` line
+- If `tasks/tech-debt.md` doesn't exist or no matches found: skip silently
+
 ### 3. Log Completion
 - Append a completion entry to `tasks/progress.md`:
 

package/commands/sk/write-plan.md

@@ -19,6 +19,11 @@ Create a decision-complete plan **before** writing code.
      constraints, and open questions explicitly into the plan
    - `tasks/lessons.md` — if it exists, apply all active lessons as constraints
      before writing any plan steps
+   - `tasks/tech-debt.md` — if it exists, filter to entries with no `Resolved:` line (unresolved only).
+     If any unresolved items exist, after presenting the draft plan ask:
+     > "There are N unresolved tech debt items in `tasks/tech-debt.md`. Should any be included in this task?"
+     List the unresolved items (file, issue, severity). If the user says yes, add them as tasks in the plan before final approval.
+     If the file doesn't exist or has 0 unresolved entries, skip silently.
 3. Update `tasks/todo.md` with:
    - **Goal** (1–2 lines)
    - **Milestones** — group tasks under milestone headers for multi-phase projects

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@kennethsolomon/shipkit",
-  "version": "3.6.0",
+  "version": "3.7.0",
   "description": "A structured workflow toolkit for Claude Code.",
   "keywords": [
     "claude",

package/skills/sk:context/SKILL.md

@@ -32,6 +32,7 @@ Load all project context files into the conversation and output a formatted sess
 | 5 | `tasks/lessons.md` | All active lessons — read in full, apply as constraints for this session |
 | 6 | `docs/decisions.md` | If exists: last 3 ADR entries. If missing: note "no decisions log yet" |
 | 7 | `docs/vision.md` | If exists: product name + value proposition. If missing: note "no vision.md found" |
+| 8 | `tasks/tech-debt.md` | If exists: count entries with no `Resolved:` line (unresolved), highest severity among unresolved |
 
 ### Reading Strategy
 
@@ -58,6 +59,7 @@ Last done:  [last progress.md entry summary, 1 line]
 Pending:    [N] checkboxes remaining in todo.md
 Lessons:    [count] active — [most critical 1-liner from lessons.md]
 Open Qs:    [open questions from findings.md, or "none"]
+Tech Debt:  [N] unresolved — highest: [severity] ([file:line])
 Product:    [value prop from vision.md, or "no vision.md found"]
 ════════════════════════════════════════════
 ```
@@ -71,6 +73,7 @@ Product:    [value prop from vision.md, or "no vision.md found"]
 - **Pending:** Count `- [ ]` lines in `tasks/todo.md`. Stop counting at the first `## Verification`, `## Acceptance Criteria`, or `## Risks` heading (these are meta-sections, not tasks).
 - **Lessons:** Count `### [` headings in `tasks/lessons.md` (each lesson starts with `### [YYYY-MM-DD]`). Show the count + the **Prevention:** line from the most recent lesson.
 - **Open Qs:** Check for an "## Open Questions" section in `tasks/findings.md`. List them or say "none".
+- **Tech Debt:** Read `tasks/tech-debt.md` if it exists. Count entries that have no `Resolved:` line — each entry starts with `### [`. For unresolved entries, find the highest severity. Show `N unresolved — highest: [severity] ([file])`. If file missing or 0 unresolved, show `none`.
 - **Product:** From `docs/vision.md`, extract the value proposition. If file doesn't exist, say "no vision.md found".
 
 ---
@@ -96,6 +99,7 @@ After outputting the session brief:
 | No `tasks/lessons.md` | Show "0 active" for Lessons |
 | No `docs/decisions.md` | Show "no decisions log yet" — do not error |
 | No `docs/vision.md` | Show "no vision.md found" — do not error |
+| No `tasks/tech-debt.md` | Show "none" for Tech Debt field — do not error |
 | All checkboxes done in todo.md | Show "Task complete — 0 pending" |
 
 ---

package/skills/sk:e2e/SKILL.md

@@ -184,22 +184,39 @@ If any fail → apply Fix & Retest Protocol.
 
 When this gate requires a fix, classify it before committing:
 
-**a. Style/config/wording change** (CSS tweak, copy change, selector fix) → commit and re-run `/sk:e2e` (no unit test update needed)
+**a. Style/config/wording change** (CSS tweak, copy change, selector fix) → auto-commit with `fix(e2e): resolve failing E2E scenarios` and re-run `/sk:e2e`. Do not ask the user.
 
 **b. Logic change** (new branch, modified condition, new data path, query change, new function, API change) → trigger protocol:
 1. Update or add failing unit tests for the new behavior
 2. Re-run `/sk:test` — must pass at 100% coverage
-3. Commit (tests + fix together in one commit)
+3. Auto-commit tests + fix together with `fix(e2e): [description]`.
 4. Re-run `/sk:e2e` from scratch
 
 **Exception:** Formatter auto-fixes are never logic changes — bypass protocol automatically.
 
+Gates own their commits — the fix-commit-rerun loop is fully internal. No manual commit step needed after this gate.
+
 **This gate cannot be skipped.** All scenarios must pass before proceeding to `/sk:update-task`.
 
+### Pre-existing Issues
+
+If during E2E testing a bug is found in functionality **outside** the current feature being tested (pre-existing issue unrelated to this branch), do NOT fix it inline. Log it to `tasks/tech-debt.md`:
+
+```
+### [YYYY-MM-DD] Found during: sk:e2e
+File: path/to/file.ext:line
+Issue: description of the pre-existing bug
+Severity: critical | high | medium | low
+```
+
+Continue testing the current feature. Pre-existing bugs do not block this gate unless they affect the current feature's scenarios.
+
 ## Next Steps
 
 If all scenarios pass:
 > "E2E gate clean. Run `/sk:update-task` to mark the task done."
+>
+> No manual commit is needed — any fixes made during this gate were auto-committed.
 
 If failures remain after fixes:
 > "Re-running /sk:e2e — [N] scenarios still failing."

package/skills/sk:frontend-design/SKILL.md

@@ -111,13 +111,20 @@ Only run this phase if:
 - The user answers **y** or **yes** to the prompt above, OR
 - The user invoked the skill with `--pencil`
 
-### Step 1 — Find or create the .pen file
+### Step 1 — Derive the filename and open the .pen file
 
-Check `docs/design/` for an existing `.pen` file that matches this design (by name or topic).
+Before opening any Pencil document:
 
-- **Existing file found**: call `open_document(filePath)` to open it, then skip to Step 3.
-- **No file found**: call `open_document('new')` to create a fresh canvas.
-  - The file will be saved to `docs/design/{design-name}.pen` — use a slug derived from the design subject (e.g., `docs/design/dashboard-analytics.pen`).
+1. Read `tasks/todo.md` and extract the task name from the first `# TODO` heading:
+   - Pattern: `# TODO — YYYY-MM-DD — <task-name>`
+   - Convert to kebab-case (e.g., `"Gate Auto-Commit + Tech Debt"` → `gate-auto-commit-tech-debt`)
+   - If no `# TODO` heading exists, derive a slug from the design subject instead (e.g., `dashboard-analytics`)
+
+2. Target path: `docs/design/[task-name].pen`
+
+3. Call `open_document('docs/design/[task-name].pen')` — use the full path whether the file exists or not. The tool auto-detects existence: opens the file if it's already there, creates it on disk if not.
+
+The `.pen` file is created at `docs/design/[task-name].pen` before any design work begins, ensuring the design is saved to disk and committable.
 
 ### Step 2 — Load design context
 

package/skills/sk:lint/SKILL.md

@@ -91,11 +91,30 @@ Skip stacks not present in the project.
 ### 6. Fix and Re-run
 
 If any analyzer reports errors or the dep audit blocks:
-1. Fix all reported issues
+
+**Before fixing, classify each issue by scope:**
+
+- Run `git diff main..HEAD --name-only` to get the current branch diff.
+- If the issue is in a file **not** in that list (pre-existing issue outside the current branch), do **not** fix it inline. Log it to `tasks/tech-debt.md` in this format and move on:
+
+  ```
+  ### [YYYY-MM-DD] Found during: sk:lint
+  File: path/to/file.ext:line
+  Issue: description of the problem
+  Severity: high | medium | low
+  ```
+
+- If the issue is in a file **in** the branch diff (in-scope), fix it.
+
+**Fix loop (in-scope issues only):**
+1. Fix all in-scope issues
 2. Re-run formatters (fixes may need formatting)
 3. Re-launch all analyzers in parallel
 4. Re-run dep audit if any dependency was fixed
-5. Loop until every tool exits clean
+5. Auto-commit with message `fix(lint): resolve lint and dep audit issues` — do NOT ask the user
+6. Re-run from step 3 until every tool exits clean
+
+> Gates own their commits — the fix-commit-rerun loop is fully internal. No manual commit step needed after this gate.
 
 ### 7. Report Results
 
@@ -125,20 +144,22 @@ Only include lines for detected tools. All must show "clean" before this skill p
 
 When this gate requires a fix, classify it before committing:
 
-**a. Formatter auto-fix** (Pint, Prettier, gofmt, cargo fmt changed whitespace/style) → commit and re-run `/sk:lint`. Never a logic change — bypass protocol.
+**a. Formatter auto-fix** (Pint, Prettier, gofmt, cargo fmt changed whitespace/style) → auto-commit and re-run `/sk:lint`. Never a logic change — bypass protocol.
 
 **b. Analyzer fix** (PHPStan type error, Rector suggestion, ESLint error, ruff violation) → classify each fix:
-  - Type annotation, import order, unused var, style rule → **style fix** → commit and re-run
+  - Type annotation, import order, unused var, style rule → **style fix** → auto-commit and re-run
   - New guard clause, changed condition, extracted function, modified data flow → **logic change** → trigger protocol:
     1. Update or add failing unit tests for the new behavior
     2. Re-run `/sk:test` — must pass at 100% coverage
-    3. Commit (tests + fix together in one commit)
+    3. Auto-commit (tests + fix together in one commit)
     4. Re-run `/sk:lint` from scratch
 
 **c. Dependency vulnerability fix** (composer audit / npm audit finding) → classify:
-  - Version bump with no API change → **style fix** → commit and re-run
+  - Version bump with no API change → **style fix** → auto-commit and re-run
   - Version bump with API/behavior change → **logic change** → trigger protocol
 
+All commits in this protocol are automatic — do not prompt the user for commit approval.
+
 ---
 
 ## Model Routing

package/skills/sk:perf/SKILL.md

@@ -1,18 +1,27 @@
 ---
 name: sk:perf
-description: Performance audit. Use before /sk:review to catch performance issues: bundle size, N+1 queries, slow DB queries, Core Web Vitals, memory leaks, caching opportunities. Auto-detects stack. Reports findings — does NOT fix code.
+description: Performance audit. Use before /sk:review to catch performance issues: bundle size, N+1 queries, slow DB queries, Core Web Vitals, memory leaks, caching opportunities. Auto-detects stack. Fixes critical/high in-scope findings and auto-commits. Logs pre-existing issues to tech-debt.
 license: Complete terms in LICENSE.txt
 ---
 
 ## Purpose
 
-Audit the implementation for performance issues before the final review. This is an audit skill — it identifies issues and produces a findings report. It does NOT fix code.
+Audit the implementation for performance issues before the final review. This skill identifies issues, produces a findings report, fixes in-scope critical/high findings immediately, and auto-commits. Pre-existing findings outside the branch diff are logged to `tasks/tech-debt.md`.
 
 Run this skill after implementing and passing lint/tests, but before `/sk:review`.
 
 ## Hard Rules
 
-- **DO NOT fix code.** Report only. The user decides what to fix.
+- **Fix all critical and high in-scope findings** (files in `git diff main..HEAD --name-only`) immediately after the audit. Auto-commit with `fix(perf): resolve [severity] performance findings`. Re-run the audit until critical/high = 0.
+- **Medium/low in-scope findings:** fix them in the same commit if straightforward, otherwise log to `tasks/tech-debt.md`.
+- **Pre-existing findings** (files outside the current branch diff): log to `tasks/tech-debt.md` using this format — do NOT fix inline:
+  ```
+  ### [YYYY-MM-DD] Found during: sk:perf
+  File: path/to/file.ext:line
+  Issue: description of the performance issue
+  Severity: critical | high | medium | low
+  ```
+- **Gates own their commits** — the fix-commit-rerun loop is fully internal. No manual commit step needed after this gate.
 - **Every finding must cite a specific file and line number.**
 - **Every finding must include an estimated impact** (high/medium/low) and a recommendation.
 - **Auto-detect the stack** — only run checks relevant to what's present.
@@ -158,6 +167,8 @@ Write findings to `tasks/perf-findings.md`:
 
 **Never overwrite** `tasks/perf-findings.md` — append new audits with a date header.
 
+The report is written first, then fixes are applied to in-scope critical/high findings.
+
 ## When Done
 
 Tell the user:
@@ -165,7 +176,7 @@ Tell the user:
 > "Performance audit complete. Findings saved to `tasks/perf-findings.md`.
 > - **Critical:** N | **High:** N | **Medium:** N | **Low:** N
 >
-> Address critical and high findings, then run `/sk:review` to proceed."
+> All critical/high in-scope findings have been fixed and committed. Pre-existing issues logged to `tasks/tech-debt.md`. Run `/sk:review` to proceed."
 
 If there are no critical or high findings:
 > "No critical or high performance issues found. N medium/low findings noted in `tasks/perf-findings.md`. Run `/sk:review` to proceed."

package/skills/sk:review/SKILL.md

@@ -33,7 +33,7 @@ Use `git diff main..HEAD --name-only` to identify the changed files, then run si
 
 If simplify makes any changes:
 1. Verify the changes are correct
-2. Commit them with `/sk:smart-commit` before continuing the review
+2. Auto-commit them with message `fix(review): simplify pre-pass` before continuing the review. Do not ask the user.
 3. Note in the review report: "Simplify pre-pass: X files updated"
 
 If simplify makes no changes, proceed directly to step 1.
@@ -436,20 +436,28 @@ Format findings with severity levels and review dimensions:
 - Include a brief "What Looks Good" section (2-3 items) — acknowledge strong patterns so they're reinforced. This isn't cheerleading — it's calibrating signal.
 - If you genuinely find nothing wrong after all 7 dimensions, say so — but that's rare
 
-### 11. Next Steps
+### 11. Fix and Re-run
 
-After presenting the review:
+After presenting the review report, fix **all** findings regardless of severity (Critical, Warning, and Nitpick). Do not ask the user whether to fix nitpicks — fix everything.
 
-If there are **Critical** or **Warning** items:
-> "Review found issues that should be addressed. Fix them with `/sk:debug`, commit with `/sk:smart-commit`, then re-run `/sk:review` to verify."
+**For each finding:**
+- If the issue is in a file **within** the current branch diff (`git diff $BASE..HEAD --name-only`): fix it inline, include in the auto-commit
+- If the issue is in a file **outside** the current branch diff (pre-existing issue found via blast-radius): log it to `tasks/tech-debt.md` — do NOT fix it inline:
+  ```
+  ### [YYYY-MM-DD] Found during: sk:review
+  File: path/to/file.ext:line
+  Issue: description of the problem
+  Severity: critical | high | medium | low
+  ```
 
-If there are only **Nitpick** items (no Critical/Warning):
-> "Review complete — no critical issues found, but there are some nitpicks. Would you like to fix them now, or proceed to `/sk:finish-feature`?"
+After all in-scope fixes are applied: auto-commit with `fix(review): address review findings`. Do not ask the user. Re-run `/sk:review` from scratch.
 
-If the user wants to fix nitpicks, loop back to `/sk:debug` + `/sk:smart-commit` → `/sk:review`.
+Loop until the review is completely clean (0 findings across all severities for in-scope code).
 
-If the review is **completely clean**:
-> "Review complete — no issues found. Run `/sk:finish-feature` to finalize the branch and create a PR."
+When clean:
+> "Review complete — 0 findings. Run `/sk:finish-feature` to finalize the branch and create a PR."
+
+**Note:** Gates own their commits — the fix-commit-rerun loop is fully internal. No manual commit step needed after this gate.
 
 ### Fix & Retest Protocol
 
@@ -460,7 +468,7 @@ When applying a fix from this review, classify it before committing:
 **b. Logic change** (fix incorrect condition, add missing null check, change data flow, refactor algorithm, fix async bug) → trigger protocol:
 1. Update or add failing unit tests for the corrected behavior
 2. Re-run `/sk:test` — must pass at 100% coverage
-3. Commit (tests + fix together in one commit)
+3. Auto-commit tests + fix together with `fix(review): [description]`.
 4. Re-run `/sk:review` from scratch
 
 **Why:** Review catches logic bugs. Fixing a logic bug without updating tests leaves the test suite asserting on the old (wrong) behavior.

package/skills/sk:schema-migrate/SKILL.md

@@ -24,6 +24,28 @@ guidance. Auto-detects the ORM from project files — no configuration needed.
 
 ---
 
+## Phase 0: Auto-Detect Migration Changes
+
+Before doing anything else, check whether the current branch has any migration-related changes:
+
+```bash
+git diff main..HEAD --name-only
+```
+
+Scan the output for migration-related files:
+- Files under `migrations/`, `database/migrations/`, `prisma/migrations/`, `alembic/versions/`, `db/migrate/`
+- Schema definition files: `prisma/schema.prisma`, `drizzle.config.ts`, `drizzle.config.js`, `alembic.ini`
+- Any `*.sql` files in migration-related directories
+
+**If NO migration-related files are found in the diff:**
+> auto-skip: No migration changes detected in this branch — skipping `/sk:schema-migrate`.
+
+Exit cleanly. Do not ask the user. Do not proceed to Phase 1.
+
+**If migration-related files ARE found:** proceed to Phase 1 (ORM Detection) below.
+
+---
+
 ## Phase 1: ORM Detection
 
 ### Step 1 — Read in Parallel

package/skills/sk:setup-claude/templates/CLAUDE.md.template

@@ -52,21 +52,15 @@ Progress is tracked in `tasks/workflow-status.md`. This file persists across con
 | 10 | Implement | `/sk:execute-plan` | required | no |
 | 11 | Commit | `/sk:smart-commit` | required | no |
 | 12 | Lint + Dep Audit | `/sk:lint` | required | yes — must be clean |
-| 13 | Commit | `/sk:smart-commit` | conditional (skip if lint was clean) | no |
-| 14 | Verify Tests | `/sk:test` | required | yes — 100% coverage required |
-| 15 | Commit | `/sk:smart-commit` | conditional (skip if tests passed clean) | no |
-| 16 | Security | `/sk:security-check` | required | yes — must reach 0 issues |
-| 17 | Commit | `/sk:smart-commit` | conditional (skip if security was clean) | no |
-| 18 | Performance | `/sk:perf` | optional (confirm to skip) | yes — loop until critical/high = 0 |
-| 19 | Commit | `/sk:smart-commit` | conditional (skip if perf was clean) | no |
-| 20 | Review + Simplify | `/sk:review` | required | yes — must reach 0 issues |
-| 21 | Commit | `/sk:smart-commit` | conditional (skip if review was clean) | no |
-| 22 | E2E Tests | `/sk:e2e` | required | yes — all scenarios must pass |
-| 23 | Commit | `/sk:smart-commit` | conditional (skip if E2E was clean) | no |
-| 24 | Update | `/sk:update-task` | required | no |
-| 25 | Finalize | `/sk:finish-feature` | required | no |
-| 26 | Sync Features | `/sk:features` | required | no |
-| 27 | Release | `/sk:release` | optional (confirm to skip) | no |
+| 13 | Verify Tests | `/sk:test` | required | yes — 100% coverage required |
+| 14 | Security | `/sk:security-check` | required | yes — must reach 0 issues |
+| 15 | Performance | `/sk:perf` | optional (confirm to skip) | yes — loop until critical/high = 0 |
+| 16 | Review + Simplify | `/sk:review` | required | yes — must reach 0 issues |
+| 17 | E2E Tests | `/sk:e2e` | required | yes — all scenarios must pass |
+| 18 | Update | `/sk:update-task` | required | no |
+| 19 | Finalize | `/sk:finish-feature` | required | no |
+| 20 | Sync Features | `/sk:features` | required | no |
+| 21 | Release | `/sk:release` | optional (confirm to skip) | no |
 
 ### Step Details
 
@@ -81,22 +75,16 @@ Progress is tracked in `tasks/workflow-status.md`. This file persists across con
 9.  **Write Tests** — run `/sk:write-tests` (TDD red phase). Write failing tests for all planned code. If modifying existing behavior, update existing tests first. Tests SHOULD fail — no implementation yet.
 10. **Implement** — run `/sk:execute-plan` to execute `tasks/todo.md` checkboxes in small batches, making the failing tests pass (TDD green phase). Log progress to `tasks/progress.md`.
 11. **Commit** — run `/sk:smart-commit` to commit tests + implementation
-12. **Lint + Dep Audit** — run `/sk:lint` — auto-detects and runs all project linters plus dependency vulnerability audits. Fix all issues immediately, then re-run until clean. Do not ask to re-run — fix and re-run automatically.
-13. **Commit** — run `/sk:smart-commit` if lint required fixes. Auto-skip if lint was clean.
-14. **Verify Tests** — run `/sk:test` — auto-detects and runs all project test suites. **100% test coverage required.** Fix failures immediately, then re-run. Do not ask to re-run — fix and re-run automatically.
-15. **Commit** — run `/sk:smart-commit` if test fixes were needed. Auto-skip if tests passed first try.
-16. **Security** — run `/sk:security-check`. Must reach 0 issues across all severities. Fix issues immediately, commit, then re-run. Loop until clean.
-17. **Commit** — run `/sk:smart-commit` if security required fixes. Auto-skip if clean.
-18. **Performance** — run `/sk:perf` to audit for performance issues. Produces `tasks/perf-findings.md`. Fix critical/high findings, commit, then re-run. Loop until critical/high = 0. Skip if confirmed with user.
-19. **Commit** — run `/sk:smart-commit` if perf required fixes. Auto-skip if clean.
-20. **Review + Simplify** — run `/sk:review`. First runs a simplify pre-pass on changed files, then performs full multi-dimensional review. Must reach 0 issues including nitpicks. Fix issues immediately, commit, then re-run. Loop until clean.
-21. **Commit** — run `/sk:smart-commit` if review required fixes. Auto-skip if clean.
-22. **E2E Tests** — run `/sk:e2e`. Verifies the complete, reviewed, secure implementation works end-to-end from a user's perspective using agent-browser. All scenarios must pass. Cannot be skipped.
-23. **Commit** — run `/sk:smart-commit` if E2E required fixes. Auto-skip if E2E was clean.
-24. **Update** — run `/sk:update-task` to mark the task done in `tasks/todo.md` and log completion to `tasks/progress.md`.
-25. **Finalize** — run `/sk:finish-feature` for changelog + PR
-26. **Sync Features** — run `/sk:features` to sync `docs/sk:features/` specs with what was actually shipped.
-27. **Release** — run `/sk:release` if deploying. Skip if not ready.
+12. **Lint + Dep Audit** — run `/sk:lint` — auto-detects and runs all project linters plus dependency vulnerability audits. Fix all issues immediately, then re-run until clean. Do not ask to re-run — fix and re-run automatically. Gates own their commits — commit any fixes before moving on.
+13. **Verify Tests** — run `/sk:test` — auto-detects and runs all project test suites. **100% test coverage required.** Fix failures immediately, then re-run. Do not ask to re-run — fix and re-run automatically. Gates own their commits — commit any fixes before moving on.
+14. **Security** — run `/sk:security-check`. Must reach 0 issues across all severities. Fix issues immediately, commit, then re-run. Loop until clean. Gates own their commits — commit any fixes before moving on.
+15. **Performance** — run `/sk:perf` to audit for performance issues. Produces `tasks/perf-findings.md`. Fix critical/high findings, commit, then re-run. Loop until critical/high = 0. Skip if confirmed with user. Gates own their commits — commit any fixes before moving on.
+16. **Review + Simplify** — run `/sk:review`. First runs a simplify pre-pass on changed files, then performs full multi-dimensional review. Must reach 0 issues including nitpicks. Fix issues immediately, commit, then re-run. Loop until clean. Gates own their commits — commit any fixes before moving on.
+17. **E2E Tests** — run `/sk:e2e`. Verifies the complete, reviewed, secure implementation works end-to-end from a user's perspective using agent-browser. All scenarios must pass. Cannot be skipped. Gates own their commits — commit any fixes before moving on.
+18. **Update** — run `/sk:update-task` to mark the task done in `tasks/todo.md` and log completion to `tasks/progress.md`.
+19. **Finalize** — run `/sk:finish-feature` for changelog + PR
+20. **Sync Features** — run `/sk:features` to sync `docs/sk:features/` specs with what was actually shipped.
+21. **Release** — run `/sk:release` if deploying. Skip if not ready.
 
 ### Workflow Tracker Rules
 
@@ -109,20 +97,20 @@ Progress is tracked in `tasks/workflow-status.md`. This file persists across con
    - Add relevant Notes (e.g., "clean on attempt 2", "backend-only, no UI")
    - Move `>> next <<` to the next pending step
 
-3. **Optional steps** (4, 5, 8, 18, 27): Ask the user "Skip [step]?" and require explicit confirmation. Record the reason in Notes.
+3. **Optional steps** (4, 5, 8, 15, 21): Ask the user "Skip [step]?" and require explicit confirmation. Record the reason in Notes.
 
-4. **Conditional commits** (13, 15, 17, 19, 21, 23): Auto-skip if no changes were made. Record reason (e.g., "lint was clean", "tests passed first try").
+4. **Gates own their commits.** Each hard gate (steps 12–17) is responsible for committing any fixes it produces before passing control to the next step. There are no separate conditional commit steps.
 
-5. **Loop steps are HARD GATES** (12, 14, 16, 20, 22): These steps BLOCK all forward progress until they pass clean. Fix issues immediately and re-run. Do NOT ask the user to re-run — fix and re-run automatically. Track attempt number in Notes (e.g., "clean on attempt 3").
+5. **Loop steps are HARD GATES** (12, 13, 14, 16, 17): These steps BLOCK all forward progress until they pass clean. Fix issues immediately and re-run. Do NOT ask the user to re-run — fix and re-run automatically. Track attempt number in Notes (e.g., "clean on attempt 3").
    - **Step 12 (Lint)**: All detected linting tools must pass — every single one.
-   - **Step 14 (Verify Tests)**: All detected test suites (BE + FE) must pass with 100% coverage on new code.
-   - **Step 16 (Security)**: 0 issues across all severities.
-   - **Step 20 (Review)**: 0 issues including nitpicks.
-   - **Step 22 (E2E Tests)**: All scenarios must pass. 0 failures allowed.
-   - **Step 18 (Performance)**: Optional gate — if run, loop until critical/high findings = 0. Can be skipped with explicit confirmation.
+   - **Step 13 (Verify Tests)**: All detected test suites (BE + FE) must pass with 100% coverage on new code.
+   - **Step 14 (Security)**: 0 issues across all severities.
+   - **Step 16 (Review)**: 0 issues including nitpicks.
+   - **Step 17 (E2E Tests)**: All scenarios must pass. 0 failures allowed.
+   - **Step 15 (Performance)**: Optional gate — if run, loop until critical/high findings = 0. Can be skipped with explicit confirmation.
    - **DO NOT mark these steps as `done` until every check passes.** If even one tool fails, the step is NOT done. Never proceed to the next step with errors remaining.
 
-6. **Never skip steps without confirmation.** Steps cannot run out of order. Hard gate steps (12, 14, 16, 20, 22) can NEVER be skipped. Optional gate step (18) requires explicit confirmation to skip.
+6. **Never skip steps without confirmation.** Steps cannot run out of order. Hard gate steps (12, 13, 14, 16, 17) can NEVER be skipped. Optional gate step (15) requires explicit confirmation to skip.
 
 7. **Requirements change mid-workflow?** Stop the current step and run `/sk:change` immediately. It will classify the scope (behavior tweak / new requirements / scope shift) and tell you exactly where to re-enter the workflow. Never continue implementing stale requirements.
 
@@ -142,7 +130,7 @@ This tells the user exactly what happened and what to do next. Never finish a st
 
 ### Fix & Retest Protocol
 
-**Applies to steps 12, 14, 16, 18, 20, 22 — any step that can produce code changes.**
+**Applies to steps 12, 13, 14, 15, 16, 17 — any step that can produce code changes.**
 
 When any of these steps require a fix, classify the fix before committing:
 
@@ -290,6 +278,7 @@ Read these files at the start of every task:
 - `tasks/findings.md` — key decisions and project constraints
 - `tasks/lessons.md` — past mistakes and how to avoid them
 - `tasks/todo.md` — current plan
+- `tasks/tech-debt.md` — known shortcuts, deferred work, and areas to revisit
 
 Write to these files continuously:
 - `tasks/progress.md` — every attempt, error, and resolution
@@ -321,7 +310,7 @@ Tests are written **before** implementation (step 9) and verified **after** (ste
 2. `/sk:execute-plan` — implement code to make tests pass (GREEN)
 3. `/sk:test` — verify all tests pass with 100% coverage (VERIFY)
 
-Every new function, endpoint, component, and module needs tests. No code proceeds past step 13 without 100% coverage on new code.
+Every new function, endpoint, component, and module needs tests. No code proceeds past step 12 without 100% coverage on new code.
 
 ## 3-Strike Protocol
 

package/skills/sk:setup-claude/templates/commands/brainstorm.md.template

@@ -6,7 +6,7 @@ description: "Start with design questions before writing code."
 
 # /brainstorm
 
-**Workflow:** Read → **Explore** → Design → Accessibility → Plan → Branch → Migrate → Write Tests → Implement → Lint → Verify Tests → Security → Performance → Review → E2E Tests → Finish → Sync Features
+**Workflow:** Read → **Explore** → Design → Accessibility → Plan → Branch → Migrate → Write Tests → Implement → Lint → Tests → Security → Perf → Review → E2E Tests → Update → Finish → Sync → Release
 
 Explore design and clarify requirements **before** any code is written.
 

package/skills/sk:setup-claude/templates/commands/execute-plan.md.template

@@ -6,7 +6,7 @@ description: "Execute tasks/todo.md checkboxes in small batches; log to tasks/pr
 
 # /execute-plan
 
-**Workflow:** Read → Explore → Design → Accessibility → Plan → Branch → Migrate → Write Tests → **Implement** → Lint → Verify Tests → Security → Performance → Review → E2E Tests → Finish → Sync Features
+**Workflow:** Read → Explore → Design → Accessibility → Plan → Branch → Migrate → Write Tests → **Implement** → Lint → Tests → Security → Perf → Review → E2E Tests → Update → Finish → Sync → Release
 
 Execute the plan in `tasks/todo.md` in small batches with clear checkpoints.
 

package/skills/sk:setup-claude/templates/commands/finish-feature.md.template

@@ -2,7 +2,7 @@
 
 # Finish Feature Command
 
-**Workflow:** Read → Explore → Design → Accessibility → Plan → Branch → Migrate → Write Tests → Implement → Lint → Verify Tests → Security → Performance → Review → E2E Tests → **Finish** → Sync Features
+**Workflow:** Read → Explore → Design → Accessibility → Plan → Branch → Migrate → Write Tests → Implement → Lint → Tests → Security → Perf → Review → E2E Tests → Update → **Finish** → Sync → Release
 
 Finalize a feature/bug-fix branch: changelog, arch log, security gate, verification, and PR creation.
 

package/skills/sk:setup-claude/templates/commands/security-check.md.template

@@ -6,7 +6,7 @@ description: "Audit changed code for security best practices, production-grade q
 
 # /security-check
 
-**Workflow:** Read → Explore → Design → Accessibility → Plan → Branch → Migrate → Write Tests → Implement → Lint → Verify Tests → **Security** → Performance → Review → E2E Tests → Finish → Sync Features
+**Workflow:** Read → Explore → Design → Accessibility → Plan → Branch → Migrate → Write Tests → Implement → Lint → Tests → **Security** → Perf → Review → E2E Tests → Update → Finish → Sync → Release
 
 Audit code for security vulnerabilities, production-grade quality, and industry gold-standard compliance.
 

package/skills/sk:setup-claude/templates/commands/write-plan.md.template

@@ -6,7 +6,7 @@ description: "Write a decision-complete plan into tasks/todo.md (no code yet)."
 
 # /write-plan
 
-**Workflow:** Read → Explore → Design → Accessibility → **Plan** → Branch → Migrate → Write Tests → Implement → Lint → Verify Tests → Security → Performance → Review → E2E Tests → Finish → Sync Features
+**Workflow:** Read → Explore → Design → Accessibility → **Plan** → Branch → Migrate → Write Tests → Implement → Lint → Tests → Security → Perf → Review → E2E Tests → Update → Finish → Sync → Release
 
 Create a decision-complete plan **before** writing code.
 

package/skills/sk:setup-claude/templates/tasks/workflow-status.md.template

@@ -16,19 +16,13 @@
 | 9 | Write Tests (`/sk:write-tests`) | not yet | |
 | 10 | Implement (`/sk:execute-plan`) | not yet | |
 | 11 | Commit (`/sk:smart-commit`) | not yet | |
-| 12 | **Lint + Dep Audit** (`/sk:lint`) | not yet | HARD GATE — loop until clean |
-| 13 | Commit (`/sk:smart-commit`) | not yet | conditional |
-| 14 | **Verify Tests** (`/sk:test`) | not yet | HARD GATE — 100% coverage |
-| 15 | Commit (`/sk:smart-commit`) | not yet | conditional |
-| 16 | **Security** (`/sk:security-check`) | not yet | HARD GATE — 0 issues |
-| 17 | Commit (`/sk:smart-commit`) | not yet | conditional |
-| 18 | Performance (`/sk:perf`) | not yet | optional gate |
-| 19 | Commit (`/sk:smart-commit`) | not yet | conditional |
-| 20 | **Review + Simplify** (`/sk:review`) | not yet | HARD GATE — 0 issues |
-| 21 | Commit (`/sk:smart-commit`) | not yet | conditional |
-| 22 | **E2E** (`/sk:e2e`) | not yet | HARD GATE — all E2E scenarios must pass |
-| 23 | Commit (`/sk:smart-commit`) | not yet | conditional — skip if E2E was clean |
-| 24 | Update (`/sk:update-task`) | not yet | |
-| 25 | Finalize (`/sk:finish-feature`) | not yet | |
-| 26 | Sync Features (`/sk:features`) | not yet | required — sync feature specs after ship |
-| 27 | Release (`/sk:release`) | not yet | optional |
+| 12 | **Lint + Dep Audit** (`/sk:lint`) | not yet | HARD GATE — loop until clean, gates own their commits |
+| 13 | **Verify Tests** (`/sk:test`) | not yet | HARD GATE — 100% coverage, gates own their commits |
+| 14 | **Security** (`/sk:security-check`) | not yet | HARD GATE — 0 issues, gates own their commits |
+| 15 | Performance (`/sk:perf`) | not yet | optional gate, gates own their commits |
+| 16 | **Review + Simplify** (`/sk:review`) | not yet | HARD GATE — 0 issues, gates own their commits |
+| 17 | **E2E** (`/sk:e2e`) | not yet | HARD GATE — all E2E scenarios must pass, gates own their commits |
+| 18 | Update (`/sk:update-task`) | not yet | |
+| 19 | Finalize (`/sk:finish-feature`) | not yet | |
+| 20 | Sync Features (`/sk:features`) | not yet | required — sync feature specs after ship |
+| 21 | Release (`/sk:release`) | not yet | optional |

package/skills/sk:setup-optimizer/SKILL.md

@@ -43,7 +43,7 @@ Before making any changes, runs a diagnostic pass on the existing CLAUDE.md:
 - **Stale content** — detects outdated info (stale model/route counts, removed dependencies, old command names like `/laravel-lint` instead of `/sk:lint`)
 - **Inconsistencies** — compares documented vs actual project state (directories, scripts, workflows)
 - **Section completeness** — flags sections that exist but are empty or have only placeholder text
-- **Outdated workflow** — checks if the workflow matches the current 27-step TDD flow with hard gates
+- **Outdated workflow** — checks if the workflow matches the current 21-step TDD flow with hard gates
 
 Reports findings before proceeding. If issues are found, they inform subsequent steps.
 
@@ -51,15 +51,15 @@ Reports findings before proceeding. If issues are found, they inform subsequent
 
 If the workflow section is outdated or missing, replace it with the latest version:
 
-**Current workflow (27 steps, TDD with hard gates):**
+**Current workflow (21 steps, TDD with hard gates):**
 ```
 Read → Explore → Design → Accessibility → Plan → Branch → Migrate → Write Tests → Implement → Lint → Verify Tests → Security → Performance → Review → E2E Tests → Finish → Sync Features
 ```
 
 **What gets updated:**
-- Workflow table (27 steps with correct commands: `/sk:write-tests`, `/sk:lint`, `/sk:test`, `/sk:accessibility`, `/sk:perf`, `/sk:e2e`)
+- Workflow table (21 steps with correct commands: `/sk:write-tests`, `/sk:lint`, `/sk:test`, `/sk:accessibility`, `/sk:perf`, `/sk:e2e`)
 - Step details (TDD red/green/verify descriptions)
-- Tracker rules (hard gates at 12, 14, 16, 20, 22; optional steps 4, 5, 8, 18, 27)
+- Tracker rules (hard gates at 12, 14, 16, 20, 17; optional steps 4, 5, 8, 18, 21)
 - Step completion summary rule (NON-NEGOTIABLE)
 - Bug fix flow section
 - Sub-Agent Patterns section (if missing)

package/skills/sk:test/SKILL.md

@@ -126,8 +126,12 @@ Sub-agent 3: [FE command]
 - Read the failure output carefully — identify the root cause
 - Fix the failing **implementation code** or test setup, not the test assertions (tests define expected behavior)
 - Do NOT skip, mark incomplete, or delete failing tests
-- Re-run the failing suite until all tests pass
-- If a fix changes behavior, confirm with the user before applying
+- Auto-commit with message `fix(test): resolve failing tests` — do NOT ask the user
+- Re-run the failing suite
+- Loop until all pass
+- Fix the implementation and auto-commit. If the fix is a logic change (new behavior, changed contract), update the relevant tests to reflect the new behavior before committing.
+
+> Gates own their commits — the fix-commit-rerun loop is fully internal. No manual commit step needed after this gate.
 
 ### 5. Verify Coverage