@kennethsolomon/shipkit 3.6.0 → 3.8.0

package/skills/sk:setup-claude/templates/.claude/agents/linter.md

@@ -0,0 +1,53 @@
+---
+name: linter
+model: haiku
+description: Run all project linters and dependency audits. Auto-fix issues, auto-commit fixes, and re-run until clean.
+allowed_tools: Bash, Read, Edit, Write, Glob, Grep
+---
+
+# Linter Agent
+
+You are a specialized linting agent. Your job is to run all detected linters and dependency audits, fix any issues found, and loop until everything passes clean.
+
+## Behavior
+
+1. **Detect linters**: Check for project linting tools:
+   - PHP: `vendor/bin/pint`, `vendor/bin/phpstan`, `vendor/bin/rector`
+   - JS/TS: `npx eslint`, `npx prettier`, eslint in package.json scripts
+   - Python: `ruff`, `black`, `flake8`, `mypy`
+   - Go: `gofmt`, `golangci-lint`
+   - Rust: `cargo fmt`, `cargo clippy`
+   - General: `npm run lint`, `composer lint` from package.json/composer.json scripts
+
+2. **Detect dependency audits**: `npm audit`, `composer audit`, `pip-audit`, `cargo audit`
+
+3. **Run formatters first** (sequential — order matters):
+   - Prettier/Pint/Black/gofmt/cargo fmt
+
+4. **Run analyzers** (parallel where possible):
+   - ESLint/PHPStan/Rector/Ruff/Clippy
+
+5. **Run dependency audits**
+
+6. **Fix loop**: For each issue found:
+   - Fix the issue
+   - Stage the fix: `git add <files>`
+   - auto-commit with message: `fix(lint): resolve lint and dep audit issues`
+   - Re-run ALL linters from scratch
+   - Loop until clean — do not stop after one pass
+
+7. **Pre-existing issues**: If an issue exists in a file NOT in `git diff main..HEAD --name-only`:
+   - Log to `tasks/tech-debt.md` using format:
+     ```
+     ### [YYYY-MM-DD] Found during: sk:lint
+     File: path/to/file.ext:line
+     Issue: description
+     Severity: low
+     ```
+   - Do NOT fix it — it's out of scope
+
+8. **Report** when clean:
+   ```
+   Lint: clean (attempt N)
+   Dep audit: 0 vulnerabilities
+   ```

package/skills/sk:setup-claude/templates/.claude/agents/perf-auditor.md

@@ -0,0 +1,43 @@
+---
+name: perf-auditor
+model: sonnet
+description: Audit changed code for performance issues including bundle size, N+1 queries, Core Web Vitals, and memory leaks.
+allowed_tools: Bash, Read, Edit, Write, Glob, Grep
+---
+
+# Performance Auditor Agent
+
+You are a specialized performance audit agent. Your job is to review changed code for performance issues and fix critical/high findings.
+
+## Behavior
+
+1. **Identify changed files**: `git diff main..HEAD --name-only`
+
+2. **Audit categories** (check what's applicable based on file types):
+   - **N+1 queries**: Eloquent/ORM queries inside loops, missing eager loading
+   - **Bundle size**: Importing entire libraries when only a function is needed
+   - **Memory**: Unbounded arrays, missing cleanup in effects/listeners, leaked subscriptions
+   - **Core Web Vitals**: Layout shifts (missing width/height on images), blocking scripts, large DOM
+   - **Database**: Missing indexes on filtered/sorted columns, SELECT * instead of specific columns
+   - **Caching**: Repeated expensive computations that could be memoized or cached
+   - **Rendering**: Unnecessary re-renders, missing React.memo/useMemo where profiling shows need
+
+3. **Classify findings**: critical, high, medium, low
+
+4. **Fix critical/high** in-scope findings:
+   - Fix the issue
+   - Stage: `git add <files>`
+   - auto-commit: `fix(perf): resolve [severity] performance issue`
+   - Re-run audit
+
+5. **Medium/low** findings: Log only, do not fix
+
+6. **Pre-existing issues**: Log to `tasks/tech-debt.md`
+
+7. **Generate report**: Write findings to `tasks/perf-findings.md`
+
+8. **Report** when clean:
+   ```
+   Performance: 0 critical/high findings (attempt [N])
+   Audited: [M] files
+   ```

package/skills/sk:setup-claude/templates/.claude/agents/security-auditor.md

@@ -0,0 +1,47 @@
+---
+name: security-auditor
+model: sonnet
+description: Audit changed code for OWASP Top 10 and security best practices. Fix findings and auto-commit.
+allowed_tools: Bash, Read, Edit, Write, Glob, Grep
+---
+
+# Security Auditor Agent
+
+You are a specialized security audit agent. Your job is to review all changed code for security vulnerabilities following OWASP Top 10 and industry best practices.
+
+## Behavior
+
+1. **Identify changed files**: `git diff main..HEAD --name-only`
+
+2. **Read each changed file** and audit for:
+   - **Injection** (SQL, command, XSS, template): User input used in queries/commands without sanitization
+   - **Broken auth**: Hardcoded credentials, missing auth checks, weak token generation
+   - **Sensitive data exposure**: Secrets in code, missing encryption, verbose error messages
+   - **Broken access control**: Missing authorization checks, IDOR vulnerabilities
+   - **Security misconfiguration**: Debug mode in production, permissive CORS, missing security headers
+   - **Vulnerable dependencies**: Known CVEs in dependencies (check with `npm audit`, `composer audit`, etc.)
+   - **Input validation**: Missing or insufficient validation at system boundaries
+
+3. **For each finding**:
+   - Classify severity: critical, high, medium, low
+   - If in scope (file in branch diff): Fix immediately
+   - Stage fix: `git add <files>`
+   - auto-commit: `fix(security): resolve [severity] [type] finding`
+   - Re-run audit on fixed files
+
+4. **Pre-existing issues** (file NOT in branch diff):
+   - Log to `tasks/tech-debt.md`:
+     ```
+     ### [YYYY-MM-DD] Found during: sk:security-check
+     File: path/to/file.ext:line
+     Issue: [OWASP category] — description
+     Severity: [critical|high|medium|low]
+     ```
+
+5. **Generate report**: Append findings to `tasks/security-findings.md`
+
+6. **Report** when clean:
+   ```
+   Security: 0 findings (attempt [N])
+   Audited: [M] files
+   ```

package/skills/sk:setup-claude/templates/.claude/agents/test-runner.md

@@ -0,0 +1,42 @@
+---
+name: test-runner
+model: sonnet
+description: Run all project test suites, fix failures, ensure 100% coverage on new code.
+allowed_tools: Bash, Read, Edit, Write, Glob, Grep
+---
+
+# Test Runner Agent
+
+You are a specialized testing agent. Your job is to run all detected test suites, fix failing tests, and ensure 100% coverage on new code.
+
+## Behavior
+
+1. **Detect test frameworks**:
+   - PHP: `vendor/bin/pest`, `vendor/bin/phpunit`
+   - JS/TS: `npx vitest`, `npx jest`, `npm test`
+   - Python: `pytest`, `python -m unittest`
+   - Go: `go test ./...`
+   - Rust: `cargo test`
+   - Bash: `bash tests/verify-workflow.sh`
+
+2. **Run all detected suites**
+
+3. **If tests fail**:
+   - Analyze the failure output
+   - Fix the root cause (not just the test — fix the implementation if it's wrong)
+   - Stage fixes: `git add <files>`
+   - auto-commit: `fix(test): resolve failing tests`
+   - Re-run the failing suite
+   - Loop until all pass
+
+4. **Coverage check**: If the test framework supports coverage:
+   - Run with coverage enabled
+   - Check that new code (files in `git diff main..HEAD --name-only`) has 100% coverage
+   - If coverage gaps exist, write additional tests
+   - auto-commit: `fix(test): add missing test coverage`
+
+5. **Report** when passing:
+   ```
+   Tests: [N] passed, 0 failed (attempt [M])
+   Coverage: 100% on new code
+   ```

package/skills/sk:setup-claude/templates/.claude/rules/api.md.template

@@ -0,0 +1,14 @@
+<!-- Generated by /setup-claude -->
+# API Standards
+
+Applies to: `routes/api/`, `app/Http/Controllers/Api/`, `src/api/`, `src/routes/`
+
+## Conventions
+
+- **Validation**: Validate all input at the boundary. Use form requests, schemas, or middleware — never trust raw input.
+- **Error responses**: Return structured JSON errors with appropriate HTTP status codes. Include enough context to debug.
+- **Authentication**: Every endpoint must explicitly declare its auth requirement (public, authenticated, admin).
+- **Rate limiting**: Apply rate limits to public and authentication endpoints.
+- **Versioning**: Use URL or header versioning for breaking changes.
+- **Response shape**: Consistent response envelope — `{ data, meta, errors }` or framework convention.
+- **Idempotency**: POST/PUT/PATCH operations should be idempotent where possible.

package/skills/sk:setup-claude/templates/.claude/rules/frontend.md.template

@@ -0,0 +1,15 @@
+<!-- Generated by /setup-claude -->
+# Frontend Standards
+
+Applies to: `resources/`, `src/components/`, `app/components/`, `src/pages/`, `src/views/`
+
+## Conventions
+
+- **Component structure**: One component per file. Name matches filename.
+- **Props**: Type all props explicitly. No `any` types.
+- **State**: Keep state as close to where it's used as possible. Lift only when necessary.
+- **Side effects**: Isolate side effects in hooks/composables. Keep render functions pure.
+- **Accessibility**: All interactive elements must be keyboard accessible. Use semantic HTML. Include ARIA labels where needed.
+- **Loading states**: Handle loading, error, and empty states for every data-dependent component.
+- **Event handlers**: Name handlers descriptively (`handleSubmitForm`, not `onClick`).
+- **CSS**: Use utility classes or scoped styles. No global style modifications from components.

package/skills/sk:setup-claude/templates/.claude/rules/laravel.md.template

@@ -0,0 +1,15 @@
+<!-- Generated by /setup-claude -->
+# Laravel Standards
+
+Applies to: `app/`, `routes/`, `database/`, `config/`
+
+## Conventions
+
+- **Eloquent**: Use query scopes for reusable queries. Avoid raw SQL unless necessary for performance.
+- **N+1**: Always eager-load relationships. Use `->with()` or `->load()`.
+- **Form Requests**: Validate in Form Request classes, not in controllers.
+- **Service Layer**: Business logic belongs in services, not controllers or models.
+- **Resources**: Use API Resources for response transformation.
+- **Migrations**: One logical change per migration. Never modify a published migration.
+- **Config**: Access config via `config()` helper, never `env()` outside config files.
+- **Strict mode**: Models use strict mode (prevent lazy loading, silently discarding attributes, accessing missing attributes).

package/skills/sk:setup-claude/templates/.claude/rules/react.md.template

@@ -0,0 +1,14 @@
+<!-- Generated by /setup-claude -->
+# React Standards
+
+Applies to: `src/components/`, `src/hooks/`, `src/pages/`, `app/components/`
+
+## Conventions
+
+- **Hooks**: Follow Rules of Hooks. Custom hooks start with `use`. Extract complex logic into custom hooks.
+- **Components**: Prefer function components. Use `React.memo()` only when profiling shows a need.
+- **State**: Use `useState` for local state, context for shared state, external stores (Zustand/Redux) for complex state.
+- **Effects**: Minimize `useEffect`. Prefer derived state and event handlers. Always specify dependency arrays.
+- **Keys**: Use stable, unique keys for lists. Never use array index as key for dynamic lists.
+- **Error boundaries**: Wrap route-level components in error boundaries.
+- **TypeScript**: Type props interfaces, not inline. Export prop types for reusable components.

package/skills/sk:setup-claude/templates/.claude/rules/tests.md.template

@@ -0,0 +1,16 @@
+<!-- Generated by /setup-claude -->
+# Testing Standards
+
+Applies to: `tests/`, `test/`, `__tests__/`, `spec/`
+
+## Conventions
+
+- **Naming**: `test_[system]_[scenario]_[expected_result]` or `describe > it` blocks with descriptive names
+- **Structure**: Arrange / Act / Assert — every test must clearly separate setup, execution, and verification
+- **Independence**: Unit tests must not depend on external state (filesystem, network, database)
+- **Cleanup**: Integration tests must clean up artifacts after execution
+- **Coverage**: All new code requires test coverage. Target 100% coverage on new code paths.
+- **Regression**: Every bug fix requires a regression test that would have caught the original defect
+- **Fixtures**: Test data belongs in the test itself or dedicated fixtures — never shared mutable state
+- **Mocking**: Mock external dependencies, not the code under test. Test behavior, not implementation.
+- **Performance**: Tests should run fast. Mock slow dependencies (network, disk, database) in unit tests.

package/skills/sk:setup-claude/templates/.claude/settings.json.template

@@ -0,0 +1,76 @@
+{
+  "$schema": "https://json.schemastore.org/claude-code-settings.json",
+  "statusline": {
+    "command": "bash .claude/statusline.sh"
+  },
+  "permissions": {
+    "allow": [
+      "Bash(git status*)",
+      "Bash(git diff*)",
+      "Bash(git log*)",
+      "Bash(git branch*)",
+      "Bash(git rev-parse*)",
+      "Bash(ls*)",
+      "Bash(cat package.json)",
+      "Bash(cat composer.json)"
+    ],
+    "deny": [
+      "Bash(rm -rf*)",
+      "Bash(git push --force*)",
+      "Bash(git reset --hard*)",
+      "Bash(sudo *)",
+      "Bash(chmod -R 777*)",
+      "Bash(cat .env*)"
+    ]
+  },
+  "hooks": {
+    "SessionStart": [
+      {
+        "type": "command",
+        "command": "bash .claude/hooks/session-start.sh",
+        "timeout": 10000
+      }
+    ],
+    "PreCompact": [
+      {
+        "type": "command",
+        "command": "bash .claude/hooks/pre-compact.sh",
+        "timeout": 10000
+      }
+    ],
+    "PreToolUse": [
+      {
+        "type": "command",
+        "command": "bash .claude/hooks/validate-commit.sh",
+        "timeout": 10000,
+        "matcher": {
+          "tool_name": "Bash",
+          "command_pattern": "git commit*"
+        }
+      },
+      {
+        "type": "command",
+        "command": "bash .claude/hooks/validate-push.sh",
+        "timeout": 5000,
+        "matcher": {
+          "tool_name": "Bash",
+          "command_pattern": "git push*"
+        }
+      }
+    ],
+    "SubagentStart": [
+      {
+        "type": "command",
+        "command": "bash .claude/hooks/log-agent.sh",
+        "timeout": 5000
+      }
+    ],
+    "Stop": [
+      {
+        "type": "command",
+        "command": "bash .claude/hooks/session-stop.sh",
+        "timeout": 10000
+      }
+    ]
+  }
+}

package/skills/sk:setup-claude/templates/.claude/statusline.sh

@@ -0,0 +1,50 @@
+#!/bin/bash
+# Claude Code statusline: Shows persistent status in CLI
+# Receives JSON on stdin with context_window, model info
+# Outputs a single formatted line
+
+INPUT=$(cat)
+
+# Parse context and model — use jq if available
+if command -v jq >/dev/null 2>&1; then
+    MODEL=$(echo "$INPUT" | jq -r '.model // "unknown"' 2>/dev/null)
+    CTX_USED=$(echo "$INPUT" | jq -r '.context_window.used // 0' 2>/dev/null)
+    CTX_TOTAL=$(echo "$INPUT" | jq -r '.context_window.total // 1' 2>/dev/null)
+else
+    MODEL="unknown"
+    CTX_USED=0
+    CTX_TOTAL=1
+fi
+
+# Calculate context percentage
+if [ "$CTX_TOTAL" -gt 0 ] 2>/dev/null; then
+    CTX_PCT=$((CTX_USED * 100 / CTX_TOTAL))
+else
+    CTX_PCT=0
+fi
+
+# Branch
+BRANCH=$(git rev-parse --abbrev-ref HEAD 2>/dev/null || echo "none")
+
+# Current workflow step
+STEP="—"
+if [ -f "tasks/workflow-status.md" ]; then
+    NEXT_LINE=$(grep -E ">>\s*next\s*<<" "tasks/workflow-status.md" 2>/dev/null | head -1)
+    if [ -n "$NEXT_LINE" ]; then
+        # Extract step number and name from table row
+        STEP_NUM=$(echo "$NEXT_LINE" | grep -oE '^\|[[:space:]]*[0-9]+' | grep -oE '[0-9]+')
+        STEP_NAME=$(echo "$NEXT_LINE" | sed 's/.*| *>> next << *|.*//' | sed 's/|.*//;s/^ *//;s/ *$//')
+        if [ -n "$STEP_NUM" ]; then
+            STEP="Step ${STEP_NUM}"
+        fi
+    fi
+fi
+
+# Task name from todo.md
+TASK="—"
+if [ -f "tasks/todo.md" ]; then
+    TASK=$(head -1 "tasks/todo.md" 2>/dev/null | sed 's/^# TODO.*— //' | cut -c1-40)
+fi
+
+# Output single line
+echo "[${CTX_PCT}%] ${MODEL} | ${STEP} | ${BRANCH} | ${TASK}"

package/skills/sk:setup-claude/templates/CLAUDE.md.template

@@ -52,21 +52,15 @@ Progress is tracked in `tasks/workflow-status.md`. This file persists across con
 | 10 | Implement | `/sk:execute-plan` | required | no |
 | 11 | Commit | `/sk:smart-commit` | required | no |
 | 12 | Lint + Dep Audit | `/sk:lint` | required | yes — must be clean |
-| 13 | Commit | `/sk:smart-commit` | conditional (skip if lint was clean) | no |
-| 14 | Verify Tests | `/sk:test` | required | yes — 100% coverage required |
-| 15 | Commit | `/sk:smart-commit` | conditional (skip if tests passed clean) | no |
-| 16 | Security | `/sk:security-check` | required | yes — must reach 0 issues |
-| 17 | Commit | `/sk:smart-commit` | conditional (skip if security was clean) | no |
-| 18 | Performance | `/sk:perf` | optional (confirm to skip) | yes — loop until critical/high = 0 |
-| 19 | Commit | `/sk:smart-commit` | conditional (skip if perf was clean) | no |
-| 20 | Review + Simplify | `/sk:review` | required | yes — must reach 0 issues |
-| 21 | Commit | `/sk:smart-commit` | conditional (skip if review was clean) | no |
-| 22 | E2E Tests | `/sk:e2e` | required | yes — all scenarios must pass |
-| 23 | Commit | `/sk:smart-commit` | conditional (skip if E2E was clean) | no |
-| 24 | Update | `/sk:update-task` | required | no |
-| 25 | Finalize | `/sk:finish-feature` | required | no |
-| 26 | Sync Features | `/sk:features` | required | no |
-| 27 | Release | `/sk:release` | optional (confirm to skip) | no |
+| 13 | Verify Tests | `/sk:test` | required | yes — 100% coverage required |
+| 14 | Security | `/sk:security-check` | required | yes — must reach 0 issues |
+| 15 | Performance | `/sk:perf` | optional (confirm to skip) | yes — loop until critical/high = 0 |
+| 16 | Review + Simplify | `/sk:review` | required | yes — must reach 0 issues |
+| 17 | E2E Tests | `/sk:e2e` | required | yes — all scenarios must pass |
+| 18 | Update | `/sk:update-task` | required | no |
+| 19 | Finalize | `/sk:finish-feature` | required | no |
+| 20 | Sync Features | `/sk:features` | required | no |
+| 21 | Release | `/sk:release` | optional (confirm to skip) | no |
 
 ### Step Details
 
@@ -81,22 +75,16 @@ Progress is tracked in `tasks/workflow-status.md`. This file persists across con
 9.  **Write Tests** — run `/sk:write-tests` (TDD red phase). Write failing tests for all planned code. If modifying existing behavior, update existing tests first. Tests SHOULD fail — no implementation yet.
 10. **Implement** — run `/sk:execute-plan` to execute `tasks/todo.md` checkboxes in small batches, making the failing tests pass (TDD green phase). Log progress to `tasks/progress.md`.
 11. **Commit** — run `/sk:smart-commit` to commit tests + implementation
-12. **Lint + Dep Audit** — run `/sk:lint` — auto-detects and runs all project linters plus dependency vulnerability audits. Fix all issues immediately, then re-run until clean. Do not ask to re-run — fix and re-run automatically.
-13. **Commit** — run `/sk:smart-commit` if lint required fixes. Auto-skip if lint was clean.
-14. **Verify Tests** — run `/sk:test` — auto-detects and runs all project test suites. **100% test coverage required.** Fix failures immediately, then re-run. Do not ask to re-run — fix and re-run automatically.
-15. **Commit** — run `/sk:smart-commit` if test fixes were needed. Auto-skip if tests passed first try.
-16. **Security** — run `/sk:security-check`. Must reach 0 issues across all severities. Fix issues immediately, commit, then re-run. Loop until clean.
-17. **Commit** — run `/sk:smart-commit` if security required fixes. Auto-skip if clean.
-18. **Performance** — run `/sk:perf` to audit for performance issues. Produces `tasks/perf-findings.md`. Fix critical/high findings, commit, then re-run. Loop until critical/high = 0. Skip if confirmed with user.
-19. **Commit** — run `/sk:smart-commit` if perf required fixes. Auto-skip if clean.
-20. **Review + Simplify** — run `/sk:review`. First runs a simplify pre-pass on changed files, then performs full multi-dimensional review. Must reach 0 issues including nitpicks. Fix issues immediately, commit, then re-run. Loop until clean.
-21. **Commit** — run `/sk:smart-commit` if review required fixes. Auto-skip if clean.
-22. **E2E Tests** — run `/sk:e2e`. Verifies the complete, reviewed, secure implementation works end-to-end from a user's perspective using agent-browser. All scenarios must pass. Cannot be skipped.
-23. **Commit** — run `/sk:smart-commit` if E2E required fixes. Auto-skip if E2E was clean.
-24. **Update** — run `/sk:update-task` to mark the task done in `tasks/todo.md` and log completion to `tasks/progress.md`.
-25. **Finalize** — run `/sk:finish-feature` for changelog + PR
-26. **Sync Features** — run `/sk:features` to sync `docs/sk:features/` specs with what was actually shipped.
-27. **Release** — run `/sk:release` if deploying. Skip if not ready.
+12. **Lint + Dep Audit** — run `/sk:lint` — auto-detects and runs all project linters plus dependency vulnerability audits. Fix all issues immediately, then re-run until clean. Do not ask to re-run — fix and re-run automatically. Gates own their commits — commit any fixes before moving on.
+13. **Verify Tests** — run `/sk:test` — auto-detects and runs all project test suites. **100% test coverage required.** Fix failures immediately, then re-run. Do not ask to re-run — fix and re-run automatically. Gates own their commits — commit any fixes before moving on.
+14. **Security** — run `/sk:security-check`. Must reach 0 issues across all severities. Fix issues immediately, commit, then re-run. Loop until clean. Gates own their commits — commit any fixes before moving on.
+15. **Performance** — run `/sk:perf` to audit for performance issues. Produces `tasks/perf-findings.md`. Fix critical/high findings, commit, then re-run. Loop until critical/high = 0. Skip if confirmed with user. Gates own their commits — commit any fixes before moving on.
+16. **Review + Simplify** — run `/sk:review`. First runs a simplify pre-pass on changed files, then performs full multi-dimensional review. Must reach 0 issues including nitpicks. Fix issues immediately, commit, then re-run. Loop until clean. Gates own their commits — commit any fixes before moving on.
+17. **E2E Tests** — run `/sk:e2e`. Verifies the complete, reviewed, secure implementation works end-to-end from a user's perspective using agent-browser. All scenarios must pass. Cannot be skipped. Gates own their commits — commit any fixes before moving on.
+18. **Update** — run `/sk:update-task` to mark the task done in `tasks/todo.md` and log completion to `tasks/progress.md`.
+19. **Finalize** — run `/sk:finish-feature` for changelog + PR
+20. **Sync Features** — run `/sk:features` to sync `docs/sk:features/` specs with what was actually shipped.
+21. **Release** — run `/sk:release` if deploying. Skip if not ready.
 
 ### Workflow Tracker Rules
 
@@ -109,20 +97,20 @@ Progress is tracked in `tasks/workflow-status.md`. This file persists across con
    - Add relevant Notes (e.g., "clean on attempt 2", "backend-only, no UI")
    - Move `>> next <<` to the next pending step
 
-3. **Optional steps** (4, 5, 8, 18, 27): Ask the user "Skip [step]?" and require explicit confirmation. Record the reason in Notes.
+3. **Optional steps** (4, 5, 8, 15, 21): Ask the user "Skip [step]?" and require explicit confirmation. Record the reason in Notes.
 
-4. **Conditional commits** (13, 15, 17, 19, 21, 23): Auto-skip if no changes were made. Record reason (e.g., "lint was clean", "tests passed first try").
+4. **Gates own their commits.** Each hard gate (steps 12–17) is responsible for committing any fixes it produces before passing control to the next step. There are no separate conditional commit steps.
 
-5. **Loop steps are HARD GATES** (12, 14, 16, 20, 22): These steps BLOCK all forward progress until they pass clean. Fix issues immediately and re-run. Do NOT ask the user to re-run — fix and re-run automatically. Track attempt number in Notes (e.g., "clean on attempt 3").
+5. **Loop steps are HARD GATES** (12, 13, 14, 16, 17): These steps BLOCK all forward progress until they pass clean. Fix issues immediately and re-run. Do NOT ask the user to re-run — fix and re-run automatically. Track attempt number in Notes (e.g., "clean on attempt 3").
    - **Step 12 (Lint)**: All detected linting tools must pass — every single one.
-   - **Step 14 (Verify Tests)**: All detected test suites (BE + FE) must pass with 100% coverage on new code.
-   - **Step 16 (Security)**: 0 issues across all severities.
-   - **Step 20 (Review)**: 0 issues including nitpicks.
-   - **Step 22 (E2E Tests)**: All scenarios must pass. 0 failures allowed.
-   - **Step 18 (Performance)**: Optional gate — if run, loop until critical/high findings = 0. Can be skipped with explicit confirmation.
+   - **Step 13 (Verify Tests)**: All detected test suites (BE + FE) must pass with 100% coverage on new code.
+   - **Step 14 (Security)**: 0 issues across all severities.
+   - **Step 16 (Review)**: 0 issues including nitpicks.
+   - **Step 17 (E2E Tests)**: All scenarios must pass. 0 failures allowed.
+   - **Step 15 (Performance)**: Optional gate — if run, loop until critical/high findings = 0. Can be skipped with explicit confirmation.
    - **DO NOT mark these steps as `done` until every check passes.** If even one tool fails, the step is NOT done. Never proceed to the next step with errors remaining.
 
-6. **Never skip steps without confirmation.** Steps cannot run out of order. Hard gate steps (12, 14, 16, 20, 22) can NEVER be skipped. Optional gate step (18) requires explicit confirmation to skip.
+6. **Never skip steps without confirmation.** Steps cannot run out of order. Hard gate steps (12, 13, 14, 16, 17) can NEVER be skipped. Optional gate step (15) requires explicit confirmation to skip.
 
 7. **Requirements change mid-workflow?** Stop the current step and run `/sk:change` immediately. It will classify the scope (behavior tweak / new requirements / scope shift) and tell you exactly where to re-enter the workflow. Never continue implementing stale requirements.
 
@@ -142,7 +130,7 @@ This tells the user exactly what happened and what to do next. Never finish a st
 
 ### Fix & Retest Protocol
 
-**Applies to steps 12, 14, 16, 18, 20, 22 — any step that can produce code changes.**
+**Applies to steps 12, 13, 14, 15, 16, 17 — any step that can produce code changes.**
 
 When any of these steps require a fix, classify the fix before committing:
 
@@ -290,6 +278,7 @@ Read these files at the start of every task:
 - `tasks/findings.md` — key decisions and project constraints
 - `tasks/lessons.md` — past mistakes and how to avoid them
 - `tasks/todo.md` — current plan
+- `tasks/tech-debt.md` — known shortcuts, deferred work, and areas to revisit
 
 Write to these files continuously:
 - `tasks/progress.md` — every attempt, error, and resolution
@@ -321,7 +310,7 @@ Tests are written **before** implementation (step 9) and verified **after** (ste
 2. `/sk:execute-plan` — implement code to make tests pass (GREEN)
 3. `/sk:test` — verify all tests pass with 100% coverage (VERIFY)
 
-Every new function, endpoint, component, and module needs tests. No code proceeds past step 13 without 100% coverage on new code.
+Every new function, endpoint, component, and module needs tests. No code proceeds past step 12 without 100% coverage on new code.
 
 ## 3-Strike Protocol
 

package/skills/sk:setup-claude/templates/commands/brainstorm.md.template

@@ -6,7 +6,7 @@ description: "Start with design questions before writing code."
 
 # /brainstorm
 
-**Workflow:** Read → **Explore** → Design → Accessibility → Plan → Branch → Migrate → Write Tests → Implement → Lint → Verify Tests → Security → Performance → Review → E2E Tests → Finish → Sync Features
+**Workflow:** Read → **Explore** → Design → Accessibility → Plan → Branch → Migrate → Write Tests → Implement → Lint → Tests → Security → Perf → Review → E2E Tests → Update → Finish → Sync → Release
 
 Explore design and clarify requirements **before** any code is written.
 

package/skills/sk:setup-claude/templates/commands/execute-plan.md.template

@@ -6,7 +6,7 @@ description: "Execute tasks/todo.md checkboxes in small batches; log to tasks/pr
 
 # /execute-plan
 
-**Workflow:** Read → Explore → Design → Accessibility → Plan → Branch → Migrate → Write Tests → **Implement** → Lint → Verify Tests → Security → Performance → Review → E2E Tests → Finish → Sync Features
+**Workflow:** Read → Explore → Design → Accessibility → Plan → Branch → Migrate → Write Tests → **Implement** → Lint → Tests → Security → Perf → Review → E2E Tests → Update → Finish → Sync → Release
 
 Execute the plan in `tasks/todo.md` in small batches with clear checkpoints.
 

package/skills/sk:setup-claude/templates/commands/finish-feature.md.template

@@ -2,7 +2,7 @@
 
 # Finish Feature Command
 
-**Workflow:** Read → Explore → Design → Accessibility → Plan → Branch → Migrate → Write Tests → Implement → Lint → Verify Tests → Security → Performance → Review → E2E Tests → **Finish** → Sync Features
+**Workflow:** Read → Explore → Design → Accessibility → Plan → Branch → Migrate → Write Tests → Implement → Lint → Tests → Security → Perf → Review → E2E Tests → Update → **Finish** → Sync → Release
 
 Finalize a feature/bug-fix branch: changelog, arch log, security gate, verification, and PR creation.
 

package/skills/sk:setup-claude/templates/commands/security-check.md.template

@@ -6,7 +6,7 @@ description: "Audit changed code for security best practices, production-grade q
 
 # /security-check
 
-**Workflow:** Read → Explore → Design → Accessibility → Plan → Branch → Migrate → Write Tests → Implement → Lint → Verify Tests → **Security** → Performance → Review → E2E Tests → Finish → Sync Features
+**Workflow:** Read → Explore → Design → Accessibility → Plan → Branch → Migrate → Write Tests → Implement → Lint → Tests → **Security** → Perf → Review → E2E Tests → Update → Finish → Sync → Release
 
 Audit code for security vulnerabilities, production-grade quality, and industry gold-standard compliance.
 

package/skills/sk:setup-claude/templates/commands/write-plan.md.template

@@ -6,7 +6,7 @@ description: "Write a decision-complete plan into tasks/todo.md (no code yet)."
 
 # /write-plan
 
-**Workflow:** Read → Explore → Design → Accessibility → **Plan** → Branch → Migrate → Write Tests → Implement → Lint → Verify Tests → Security → Performance → Review → E2E Tests → Finish → Sync Features
+**Workflow:** Read → Explore → Design → Accessibility → **Plan** → Branch → Migrate → Write Tests → Implement → Lint → Tests → Security → Perf → Review → E2E Tests → Update → Finish → Sync → Release
 
 Create a decision-complete plan **before** writing code.
 

package/skills/sk:setup-claude/templates/hooks/log-agent.sh

@@ -0,0 +1,24 @@
+#!/bin/bash
+# Claude Code SubagentStart hook: Log agent invocations for audit trail
+# Tracks which agents are being used and when
+#
+# Input schema (SubagentStart):
+# { "agent_id": "agent-abc123", "agent_name": "linter", ... }
+
+INPUT=$(cat)
+
+# Parse agent name
+if command -v jq >/dev/null 2>&1; then
+    AGENT_NAME=$(echo "$INPUT" | jq -r '.agent_name // "unknown"' 2>/dev/null)
+else
+    AGENT_NAME=$(echo "$INPUT" | grep -oE '"agent_name"[[:space:]]*:[[:space:]]*"[^"]*"' | sed 's/"agent_name"[[:space:]]*:[[:space:]]*"//;s/"$//')
+    [ -z "$AGENT_NAME" ] && AGENT_NAME="unknown"
+fi
+
+TIMESTAMP=$(date +%Y%m%d_%H%M%S)
+
+# Append to audit log (create tasks/ dir if needed)
+mkdir -p tasks 2>/dev/null
+echo "$TIMESTAMP | Agent invoked: $AGENT_NAME" >> "tasks/agent-audit.log" 2>/dev/null
+
+exit 0