@laitszkin/apollo-toolkit 2.0.0

package/fix-github-issues/SKILL.md

@@ -0,0 +1,98 @@
+---
+name: fix-github-issues
+description: Resolve issues from remote GitHub repositories via GitHub CLI (`gh`), implement and validate fixes locally, then open a pull request through `open-source-pr-workflow` (or `open-pr-workflow` in environments that use that alias). Use when users ask to list remote issues, pick one or more issues to fix, and submit a PR linked to those issues.
+---
+
+# Fix GitHub Issues
+
+## Dependencies
+
+- Required: `systematic-debug` for diagnosis and validated fixes, plus `open-source-pr-workflow` (or `open-pr-workflow`) for PR submission.
+- Conditional: none.
+- Optional: none.
+- Fallback: If a required workflow dependency is unavailable, stop and report the blocked handoff instead of improvising a different flow.
+
+## Standards
+
+- Evidence: Verify repository context, fetch remote issue details, and derive expected behavior from issue text before coding.
+- Execution: Select the issue, open an isolated worktree by default, fix it through `systematic-debug`, validate locally, then hand off to the PR workflow.
+- Quality: Keep scope limited to the selected issue, capture exact validation commands, and preserve issue linkage in the final PR.
+- Output: Open the PR against the correct repository and clean up the temporary worktree when the work is complete.
+
+## Overview
+
+Use this skill to run an end-to-end issue-fixing loop with `gh`: discover open issues, select a target, implement and test the fix, and delegate PR creation to `open-source-pr-workflow` (or `open-pr-workflow` alias).
+
+## Prerequisites
+
+- `gh` is installed and authenticated (`gh auth status`).
+- The current directory is a git repository with the correct `origin`.
+- The repository has test or validation commands that can prove the fix.
+
+## Workflow
+
+### 1) Verify repository and remote context
+
+- Run `gh repo view --json nameWithOwner,isPrivate,defaultBranchRef` to confirm target repo.
+- If the user specifies another repository, always use `--repo <owner>/<repo>` in issue commands.
+- Run `git fetch --all --prune` before implementation.
+
+### 2) List remote issues with GitHub CLI
+
+- Preferred command:
+
+```bash
+python3 scripts/list_issues.py --limit 50 --state open
+```
+
+- Optional filters:
+  - `--repo owner/name`
+  - `--label bug`
+  - `--search "panic in parser"`
+- If the issue target is still unclear, present top candidates and ask the user which issue number to fix.
+
+### 3) Read issue details before coding
+
+- Run `gh issue view <issue-number> --comments` (plus `--repo` when needed).
+- Identify expected behavior, edge cases, and acceptance signals from issue text/comments.
+- Do not guess missing requirements; ask the user when critical details are ambiguous.
+
+### 4) Open worktree by default after issue selection
+
+- Immediately create and enter an isolated worktree once the issue number is selected and confirmed.
+- Use a compliant branch name (`codex/{change_type}/{changes}`) and keep all edits in that worktree.
+- If the user explicitly asks to stay in the current tree, follow that request; otherwise worktree is the default path.
+
+### 5) Implement the fix with `systematic-debug`
+
+- Execute the `systematic-debug` workflow: inspect, reproduce with tests, diagnose, then apply minimal fix.
+- Keep scope limited to the selected issue.
+- Reuse existing code patterns and avoid unrelated refactors.
+
+### 6) Validate the fix
+
+- Run focused tests/lint/build relevant to the touched area.
+- Capture exact commands and outcomes; these will be reused in the PR body.
+- Ensure the change can be linked back to the issue number.
+
+### 7) Open PR via dependency skill
+
+- After code is ready, invoke `open-source-pr-workflow` (or `open-pr-workflow` if that alias exists in the environment).
+- Provide required PR context:
+  - issue number or link
+  - motivation and engineering decisions
+  - executed test commands and results
+- Include issue-closing reference (for example, `Closes #<issue-number>`).
+
+### 8) Clean up the temporary worktree after PR creation
+
+- Once the PR is opened and no more work is needed in that isolated tree, remove the worktree you created for the fix.
+- Also clean up the matching local branch reference if it is no longer needed locally.
+
+## Included Script
+
+### `scripts/list_issues.py`
+
+- Purpose: consistent remote issue listing via `gh issue list`.
+- Outputs a readable table by default, or JSON with `--output json`.
+- Uses only GitHub CLI so it reflects remote GitHub state.

package/fix-github-issues/agents/openai.yaml

@@ -0,0 +1,4 @@
+interface:
+  display_name: "Fix GitHub Issues"
+  short_description: "Resolve remote GitHub issues and open linked PRs"
+  default_prompt: "Use $fix-github-issues to verify the target GitHub repository with gh, list and inspect remote issues, create an isolated worktree and compliant branch after issue selection, use $systematic-debug to reproduce and fix the issue with tests, validate the result, open a linked PR through $open-source-pr-workflow, then delete the temporary worktree when PR setup is complete."

package/fix-github-issues/scripts/list_issues.py

@@ -0,0 +1,148 @@
+#!/usr/bin/env python3
+import argparse
+import json
+import subprocess
+import sys
+from typing import Any
+
+ISSUE_FIELDS = "number,title,state,updatedAt,url,labels,assignees"
+
+
+def positive_int(raw: str) -> int:
+    value = int(raw)
+    if value <= 0:
+        raise argparse.ArgumentTypeError("limit must be a positive integer")
+    return value
+
+
+def parse_args() -> argparse.Namespace:
+    parser = argparse.ArgumentParser(
+        description="List remote GitHub issues with gh CLI and display table or JSON output."
+    )
+    parser.add_argument("--repo", help="Target repository in owner/name format.")
+    parser.add_argument("--state", default="open", choices=["open", "closed", "all"])
+    parser.add_argument("--limit", type=positive_int, default=50)
+    parser.add_argument(
+        "--label",
+        action="append",
+        default=[],
+        help="Label filter (repeat for multiple labels).",
+    )
+    parser.add_argument("--search", help="Search query for issue list filtering.")
+    parser.add_argument(
+        "--output",
+        choices=["table", "json"],
+        default="table",
+        help="Output format.",
+    )
+    return parser.parse_args()
+
+
+def build_command(args: argparse.Namespace) -> list[str]:
+    cmd = [
+        "gh",
+        "issue",
+        "list",
+        "--state",
+        args.state,
+        "--limit",
+        str(args.limit),
+        "--json",
+        ISSUE_FIELDS,
+    ]
+
+    if args.repo:
+        cmd.extend(["--repo", args.repo])
+    for label in args.label:
+        cmd.extend(["--label", label])
+    if args.search:
+        cmd.extend(["--search", args.search])
+
+    return cmd
+
+
+def truncate(text: str, width: int) -> str:
+    if len(text) <= width:
+        return text
+    if width <= 3:
+        return text[:width]
+    return text[: width - 3] + "..."
+
+
+def format_labels(issue: dict[str, Any]) -> str:
+    labels = issue.get("labels", [])
+    names = [item.get("name", "") for item in labels if item.get("name")]
+    return ",".join(names)
+
+
+def format_assignees(issue: dict[str, Any]) -> str:
+    assignees = issue.get("assignees", [])
+    logins = [item.get("login", "") for item in assignees if item.get("login")]
+    return ",".join(logins) if logins else "-"
+
+
+def print_table(issues: list[dict[str, Any]]) -> None:
+    columns = {
+        "number": 7,
+        "title": 54,
+        "labels": 22,
+        "assignees": 18,
+        "updated": 20,
+    }
+
+    header = (
+        f"{'NUMBER':<{columns['number']}} "
+        f"{'TITLE':<{columns['title']}} "
+        f"{'LABELS':<{columns['labels']}} "
+        f"{'ASSIGNEES':<{columns['assignees']}} "
+        f"{'UPDATED':<{columns['updated']}}"
+    )
+    print(header)
+    print("-" * len(header))
+
+    for issue in issues:
+        number = f"#{issue.get('number', '')}"
+        title = truncate(str(issue.get("title", "")), columns["title"])
+        labels = truncate(format_labels(issue), columns["labels"])
+        assignees = truncate(format_assignees(issue), columns["assignees"])
+        updated = truncate(str(issue.get("updatedAt", "")), columns["updated"])
+
+        row = (
+            f"{number:<{columns['number']}} "
+            f"{title:<{columns['title']}} "
+            f"{labels:<{columns['labels']}} "
+            f"{assignees:<{columns['assignees']}} "
+            f"{updated:<{columns['updated']}}"
+        )
+        print(row)
+
+
+def main() -> int:
+    args = parse_args()
+    cmd = build_command(args)
+
+    try:
+        result = subprocess.run(cmd, check=True, capture_output=True, text=True)
+    except FileNotFoundError:
+        print("Error: gh CLI is not installed or not in PATH.", file=sys.stderr)
+        return 1
+    except subprocess.CalledProcessError as exc:
+        print(exc.stderr.strip() or "gh issue list failed.", file=sys.stderr)
+        return exc.returncode
+
+    try:
+        issues = json.loads(result.stdout)
+    except json.JSONDecodeError:
+        print("Error: unable to parse gh output as JSON.", file=sys.stderr)
+        return 1
+
+    if args.output == "json":
+        print(json.dumps(issues, indent=2))
+        return 0
+
+    print_table(issues)
+    return 0
+
+
+if __name__ == "__main__":
+    sys.exit(main())

package/fix-github-issues/tests/test_list_issues.py

@@ -0,0 +1,127 @@
+#!/usr/bin/env python3
+
+from __future__ import annotations
+
+import argparse
+import importlib.util
+import io
+import json
+import unittest
+from argparse import Namespace
+from pathlib import Path
+from unittest.mock import patch
+
+
+SCRIPT_PATH = Path(__file__).resolve().parents[1] / "scripts" / "list_issues.py"
+SPEC = importlib.util.spec_from_file_location("list_issues", SCRIPT_PATH)
+MODULE = importlib.util.module_from_spec(SPEC)
+SPEC.loader.exec_module(MODULE)
+
+
+class ListIssuesTests(unittest.TestCase):
+    def test_build_command_with_filters(self) -> None:
+        args = Namespace(
+            repo="owner/repo",
+            state="open",
+            limit=25,
+            label=["bug", "needs-triage"],
+            search="panic parser",
+            output="table",
+        )
+
+        cmd = MODULE.build_command(args)
+
+        self.assertEqual(
+            cmd,
+            [
+                "gh",
+                "issue",
+                "list",
+                "--state",
+                "open",
+                "--limit",
+                "25",
+                "--json",
+                MODULE.ISSUE_FIELDS,
+                "--repo",
+                "owner/repo",
+                "--label",
+                "bug",
+                "--label",
+                "needs-triage",
+                "--search",
+                "panic parser",
+            ],
+        )
+
+    def test_positive_int_rejects_zero(self) -> None:
+        with self.assertRaises(argparse.ArgumentTypeError):
+            MODULE.positive_int("0")
+
+    def test_truncate_handles_small_width(self) -> None:
+        self.assertEqual(MODULE.truncate("abcdef", 2), "ab")
+
+    def test_print_table_handles_missing_fields(self) -> None:
+        with patch("sys.stdout", new_callable=io.StringIO) as stdout:
+            MODULE.print_table([
+                {
+                    "number": 42,
+                    "title": "Fix formatter fallback",
+                }
+            ])
+
+        output = stdout.getvalue()
+        self.assertIn("NUMBER", output)
+        self.assertIn("#42", output)
+
+    def test_main_returns_error_when_gh_missing(self) -> None:
+        args = Namespace(
+            repo=None,
+            state="open",
+            limit=50,
+            label=[],
+            search=None,
+            output="table",
+        )
+
+        with patch.object(MODULE, "parse_args", return_value=args), patch(
+            "subprocess.run", side_effect=FileNotFoundError
+        ), patch("sys.stderr", new_callable=io.StringIO) as stderr:
+            code = MODULE.main()
+
+        self.assertEqual(code, 1)
+        self.assertIn("not in PATH", stderr.getvalue())
+
+    def test_main_json_output(self) -> None:
+        args = Namespace(
+            repo=None,
+            state="open",
+            limit=50,
+            label=[],
+            search=None,
+            output="json",
+        )
+        payload = [
+            {
+                "number": 1,
+                "title": "Fix bug",
+                "labels": [],
+                "assignees": [],
+                "updatedAt": "2026-02-26T00:00:00Z",
+            }
+        ]
+
+        class Result:
+            stdout = json.dumps(payload)
+
+        with patch.object(MODULE, "parse_args", return_value=args), patch(
+            "subprocess.run", return_value=Result()
+        ), patch("sys.stdout", new_callable=io.StringIO) as stdout:
+            code = MODULE.main()
+
+        self.assertEqual(code, 0)
+        self.assertEqual(json.loads(stdout.getvalue()), payload)
+
+
+if __name__ == "__main__":
+    unittest.main()

package/generate-spec/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Lai Tsz Kin
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/generate-spec/README.md

@@ -0,0 +1,61 @@
+# generate-spec
+
+A shared planning skill for feature work. It centralizes creation and maintenance of `spec.md`, `tasks.md`, and `checklist.md` so other skills can reuse one consistent approval-gated spec workflow.
+
+## Core capabilities
+
+- Generates `docs/plans/{YYYY-MM-DD}_{change_name}/spec.md`, `tasks.md`, and `checklist.md` in one step.
+- Uses shared templates so spec-first and brownfield workflows follow the same planning structure.
+- Requires clarification handling and explicit user approval before implementation starts.
+- Backfills task and checklist status after implementation and testing.
+- Keeps requirement, task, and test coverage mapping traceable.
+
+## Repository layout
+
+```text
+.
+├── SKILL.md
+├── README.md
+├── LICENSE
+├── agents/
+│   └── openai.yaml
+├── references/
+│   └── templates/
+│       ├── spec.md
+│       ├── tasks.md
+│       └── checklist.md
+└── scripts/
+    └── create-specs
+```
+
+## Quick start
+
+```bash
+SKILL_ROOT=/path/to/generate-spec
+WORKSPACE_ROOT=/path/to/target-project
+python3 "$SKILL_ROOT/scripts/create-specs" "Membership upgrade flow" \
+  --change-name membership-upgrade-flow \
+  --template-dir "$SKILL_ROOT/references/templates" \
+  --output-dir "$WORKSPACE_ROOT/docs/plans"
+```
+
+Default output:
+
+```text
+docs/plans/<today>_membership-upgrade-flow/
+├── spec.md
+├── tasks.md
+└── checklist.md
+```
+
+## Authoring rules
+
+- `spec.md`: use BDD keywords `GIVEN / WHEN / THEN / AND / Requirements`.
+- `tasks.md`: use `## **Task N: ...**`, `- N. [ ]`, and `- N.x [ ]`.
+- `checklist.md`: use `- [ ]` only, adapt items to real scope, and record actual results.
+- If clarification responses change the plan, update the docs and obtain approval again before coding.
+
+## Notes
+
+- `scripts/...` and `references/...` are skill-folder paths, not project-folder paths.
+- The generator replaces `[YYYY-MM-DD]`, `[Feature Name]`, `[功能名稱]`, and `[change_name]` placeholders.

package/generate-spec/SKILL.md

@@ -0,0 +1,96 @@
+---
+name: generate-spec
+description: Generate and maintain shared feature planning artifacts (`spec.md`, `tasks.md`, `checklist.md`) from standard templates with clarification tracking, approval gating, and post-implementation backfill. Use when a workflow needs specs before coding, or when another skill needs to create/update `docs/plans/{YYYY-MM-DD}_{change_name}/` planning docs.
+---
+
+# Generate Spec
+
+## Dependencies
+
+- Required: none.
+- Conditional: none.
+- Optional: none.
+- Fallback: not applicable.
+
+## Standards
+
+- Evidence: Review the relevant code, configs, and authoritative docs before filling requirements or test plans.
+- Execution: Generate the planning files first, complete them with traceable requirements and risks, handle clarification updates, then wait for explicit approval before implementation.
+- Quality: Keep `spec.md`, `tasks.md`, and `checklist.md` synchronized and map each planned test to a concrete risk or requirement.
+- Output: Store planning artifacts under `docs/plans/{YYYY-MM-DD}_{change_name}/` and keep them concise, executable, and easy to update.
+
+## Goal
+
+Own the shared planning-doc lifecycle for feature work so other skills can reuse one consistent spec-generation workflow.
+
+## Workflow
+
+### 1) Gather inputs and evidence
+
+- Confirm the target workspace root, feature name, and a kebab-case `change_name`.
+- Review only the code, configuration, and external docs needed to understand the requested behavior.
+- Record the references that should appear in `spec.md`.
+
+### 2) Generate the planning files
+
+- Resolve paths from this skill directory, not the target project directory.
+- Use:
+  - `SKILL_ROOT=<path_to_generate-spec_skill>`
+  - `WORKSPACE_ROOT=<target_project_root>`
+  - `python3 "$SKILL_ROOT/scripts/create-specs" "<feature_name>" --change-name <kebab-case> --template-dir "$SKILL_ROOT/references/templates" --output-dir "$WORKSPACE_ROOT/docs/plans"`
+- Always generate:
+  - `references/templates/spec.md`
+  - `references/templates/tasks.md`
+  - `references/templates/checklist.md`
+- Save files under `docs/plans/{YYYY-MM-DD}_{change_name}/`.
+
+### 3) Fill `spec.md`
+
+- Keep the goal and scope concrete.
+- Write functional behaviors in BDD form with `GIVEN`, `WHEN`, `THEN`, `AND`, and `Requirements`.
+- Make each requirement testable.
+- Cover boundaries, authorization, external dependency states, abuse/adversarial paths, failure handling, and any relevant idempotency/concurrency/data-integrity risks.
+- If requirements are unclear, list 3-5 clarification questions; otherwise write `None`.
+
+### 4) Fill `tasks.md`
+
+- Use `## **Task N: [Task Title]**` for each main task.
+- Describe each task's purpose and the related requirement IDs.
+- Use `- N. [ ]` for tasks and `- N.x [ ]` for subtasks.
+- Include explicit tasks for testing, mocks/fakes, regression coverage, and adversarial or edge-case hardening when relevant.
+
+### 5) Fill `checklist.md`
+
+- Use checkbox format `- [ ]` only.
+- Treat the template as a starting point and adapt it to the actual scope.
+- Map observable behaviors to requirement IDs and real test case IDs.
+- Record risk class, oracle/assertion focus, dependency strategy, and test results.
+- Property-based coverage is required for business-logic changes unless a concrete `N/A` reason is recorded.
+
+### 6) Process clarifications and approval
+
+- When the user answers clarification questions, first update the clarification and approval section in `checklist.md`.
+- Review whether `spec.md`, `tasks.md`, and `checklist.md` must be updated.
+- After any clarification-driven update, obtain explicit approval on the updated spec set again.
+- Do not modify implementation code before approval.
+
+### 7) Backfill after implementation and testing
+
+- Mark completed tasks in `tasks.md`.
+- Update `checklist.md` with real test outcomes, `N/A` reasons, and any scope adjustments.
+- Remove stale placeholders or template-only guidance once the documents are finalized.
+
+## Working Rules
+
+- By default, write planning docs in the user's language.
+- Keep requirement IDs, task IDs, and test IDs traceable across all three files.
+- Prefer realistic coverage over boilerplate: add or remove checklist items based on actual risk.
+- Use kebab-case for `change_name`; avoid spaces and special characters.
+- Path rule: `scripts/...` and `references/...` in this file always mean paths under the current skill folder, not the target project root.
+
+## References
+
+- `scripts/create-specs`: shared planning file generator.
+- `references/templates/spec.md`: BDD requirement template.
+- `references/templates/tasks.md`: task breakdown template.
+- `references/templates/checklist.md`: behavior-to-test alignment template.

package/generate-spec/agents/openai.yaml

@@ -0,0 +1,4 @@
+interface:
+  display_name: "generate-spec"
+  short_description: "Generate shared feature spec, task, and checklist docs before coding"
+  default_prompt: "Use $generate-spec to create or update docs/plans/<date>_<change_name>/{spec.md,tasks.md,checklist.md} from shared templates, fill BDD requirements and risk-driven test planning, process clarification updates, and wait for explicit approval before implementation."

package/generate-spec/references/templates/checklist.md

@@ -0,0 +1,78 @@
+# Checklist: [Feature Name]
+
+- Date: [YYYY-MM-DD]
+- Feature: [Feature Name]
+
+## Usage Notes
+- This checklist is a starter template. Add, remove, or rewrite items based on actual scope.
+- Use `- [ ]` for all items; mark completed items as `- [x]`.
+- If an item is not applicable, keep `N/A` with a concrete reason.
+- Suggested test result values: `PASS / FAIL / BLOCKED / NOT RUN / N/A`.
+- For business-logic changes, property-based coverage is required unless a concrete `N/A` reason is recorded.
+- Each checklist item should map to a distinct risk; avoid repeating shallow happy-path cases.
+
+## Clarification & Approval Gate (required when clarification replies exist)
+- [ ] User clarification responses are recorded (map to `spec.md`; if none, mark `N/A`).
+- [ ] Affected specs are reviewed/updated (`spec.md` / `tasks.md` / `checklist.md`; if no updates needed, mark `N/A` + reason).
+- [ ] Explicit user approval on updated specs is obtained (date/conversation reference: [to be filled]).
+
+## Behavior-to-Test Checklist (customizable)
+
+- [ ] CL-01 [Observable behavior]
+  - Requirement mapping: [R1.x]
+  - Actual test case IDs: [UT/PBT/IT/E2E-xx]
+  - Test level: [Unit / Property-based / Integration / E2E]
+  - Risk class: [boundary / authorization / concurrency / external failure / data integrity / adversarial abuse / regression]
+  - Property/matrix focus: [invariant / generated business input space / external state matrix / adversarial case]
+  - External dependency strategy: [none / mocked service states / near-real dependency]
+  - Oracle/assertion focus: [exact output / persisted state / side effects / no partial write / compensation / emitted event / permission denial]
+  - Test result: `PASS / FAIL / BLOCKED / NOT RUN / N/A`
+  - Notes (optional): [risk, limitation, observation]
+
+- [ ] CL-02 [Observable behavior]
+  - Requirement mapping: [R?.?]
+  - Actual test case IDs: [UT/PBT/IT/E2E-xx]
+  - Test level: [Unit / Property-based / Integration / E2E]
+  - Risk class: [boundary / authorization / concurrency / external failure / data integrity / adversarial abuse / regression]
+  - Property/matrix focus: [invariant / generated business input space / external state matrix / adversarial case]
+  - External dependency strategy: [none / mocked service states / near-real dependency]
+  - Oracle/assertion focus: [exact output / persisted state / side effects / no partial write / compensation / emitted event / permission denial]
+  - Test result: `PASS / FAIL / BLOCKED / NOT RUN / N/A`
+  - Notes (optional): [risk, limitation, observation]
+
+- [ ] CL-03 [Observable behavior]
+  - Requirement mapping: [R?.?]
+  - Actual test case IDs: [UT/PBT/IT/E2E-xx]
+  - Test level: [Unit / Property-based / Integration / E2E]
+  - Risk class: [boundary / authorization / concurrency / external failure / data integrity / adversarial abuse / regression]
+  - Property/matrix focus: [invariant / generated business input space / external state matrix / adversarial case]
+  - External dependency strategy: [none / mocked service states / near-real dependency]
+  - Oracle/assertion focus: [exact output / persisted state / side effects / no partial write / compensation / emitted event / permission denial]
+  - Test result: `PASS / FAIL / BLOCKED / NOT RUN / N/A`
+  - Notes (optional): [risk, limitation, observation]
+
+## Required Hardening Records
+- [ ] Regression tests are added/updated for bug-prone or high-risk behavior, or `N/A` is recorded with a concrete reason.
+- [ ] Property-based coverage is added/updated for changed business logic, or `N/A` is recorded with a concrete reason.
+- [ ] External services in the business logic chain are mocked/faked for scenario testing, or `N/A` is recorded with a concrete reason.
+- [ ] Adversarial/penetration-style cases are added/updated for abuse paths and edge combinations, or `N/A` is recorded with a concrete reason.
+- [ ] Authorization, invalid transition, replay/idempotency, and concurrency risks are evaluated; uncovered items are marked `N/A` with concrete reasons.
+- [ ] Assertions verify business outcomes and side effects/no-side-effects, not only "returns 200" or "does not throw".
+- [ ] Test fixtures are reproducible (fixed seed/clock/fixtures) or `N/A` is recorded with a concrete reason.
+
+## E2E Decision Record (pick one or customize)
+- [ ] Build E2E (case: [E2E-xx]; reason: [importance/complexity/cross-layer risk]).
+- [ ] Do not build E2E; cover with integration tests instead (alternative case: [IT-xx]; reason: [stability/cost/environment limitation]).
+- [ ] No additional E2E/integration hardening required (reason: [existing coverage already addresses risk]).
+
+## Execution Summary (fill with actual results)
+- [ ] Unit tests: `PASS / FAIL / NOT RUN / N/A`
+- [ ] Regression tests: `PASS / FAIL / NOT RUN / N/A`
+- [ ] Property-based tests: `PASS / FAIL / NOT RUN / N/A`
+- [ ] Integration tests: `PASS / FAIL / NOT RUN / N/A`
+- [ ] E2E tests: `PASS / FAIL / NOT RUN / N/A`
+- [ ] External service mock scenarios: `PASS / FAIL / NOT RUN / N/A`
+- [ ] Adversarial/penetration-style cases: `PASS / FAIL / NOT RUN / N/A`
+
+## Completion Rule
+- [ ] Agent has updated checkboxes, test outcomes, and necessary notes based on real execution (including added/removed items).