@nklisch/pi-agile-workflow 0.15.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (203) hide show
  1. package/.claude-plugin/plugin.json +10 -0
  2. package/.codex-plugin/plugin.json +28 -0
  3. package/CHANGELOG.md +591 -0
  4. package/README.md +107 -0
  5. package/docs/ARCHITECTURE.md +716 -0
  6. package/docs/MIGRATION.md +419 -0
  7. package/docs/PRINCIPLES.md +464 -0
  8. package/docs/ROADMAP.md +95 -0
  9. package/docs/SPEC.md +855 -0
  10. package/docs/VISION.md +106 -0
  11. package/extensions/agile-workflow.test.ts +419 -0
  12. package/extensions/agile-workflow.ts +467 -0
  13. package/hooks/hooks.json +52 -0
  14. package/hooks/scripts/prompt-context.py +628 -0
  15. package/hooks/scripts/substrate-maintainer.py +359 -0
  16. package/hooks/scripts/test_prompt_context.py +757 -0
  17. package/package.json +30 -0
  18. package/scripts/install-work-view.sh +165 -0
  19. package/scripts/tests/agent-metadata.test.sh +75 -0
  20. package/scripts/tests/bump-version.test.sh +552 -0
  21. package/scripts/tests/channel-parity.test.sh +117 -0
  22. package/scripts/tests/convert-content-integrity.test.sh +246 -0
  23. package/scripts/tests/convert-install-routing.test.sh +159 -0
  24. package/scripts/tests/install-work-view.test.sh +411 -0
  25. package/scripts/tests/pi-package-metadata.test.sh +119 -0
  26. package/scripts/tests/work-board-shim.test.sh +239 -0
  27. package/scripts/tests/work-view-dist-version.test.sh +105 -0
  28. package/scripts/work-board.sh +64 -0
  29. package/scripts/work-view.sh +423 -0
  30. package/skills/autopilot/SKILL.md +330 -0
  31. package/skills/autopilot/agents/openai.yaml +6 -0
  32. package/skills/board/SKILL.md +62 -0
  33. package/skills/board/agents/openai.yaml +6 -0
  34. package/skills/bold-refactor/SKILL.md +244 -0
  35. package/skills/bold-refactor/agents/openai.yaml +6 -0
  36. package/skills/bug-scan/SKILL.md +378 -0
  37. package/skills/bug-scan/agents/openai.yaml +6 -0
  38. package/skills/bug-scan/references/async-promises.md +119 -0
  39. package/skills/bug-scan/references/concurrency-races.md +148 -0
  40. package/skills/bug-scan/references/data-layer.md +167 -0
  41. package/skills/bug-scan/references/error-handling.md +197 -0
  42. package/skills/bug-scan/references/gate-item-template.md +94 -0
  43. package/skills/bug-scan/references/language-footguns.md +219 -0
  44. package/skills/bug-scan/references/parked-item-template.md +103 -0
  45. package/skills/bug-scan/references/report-template.md +115 -0
  46. package/skills/bug-scan/references/resource-leaks.md +199 -0
  47. package/skills/bug-scan/references/state-closures.md +148 -0
  48. package/skills/bug-scan/references/time-numbers.md +158 -0
  49. package/skills/convert/SKILL.md +1463 -0
  50. package/skills/convert/agents/openai.yaml +6 -0
  51. package/skills/convert/references/legacy-overlap-migration.md +179 -0
  52. package/skills/deep-code-scan/SKILL.md +378 -0
  53. package/skills/deep-code-scan/agents/openai.yaml +6 -0
  54. package/skills/deep-code-scan/references/artifact-ledger.md +148 -0
  55. package/skills/deep-code-scan/references/consolidation.md +91 -0
  56. package/skills/deep-code-scan/references/decomposition.md +127 -0
  57. package/skills/deep-code-scan/references/item-templates.md +263 -0
  58. package/skills/deep-code-scan/references/lane-catalog.md +129 -0
  59. package/skills/deep-code-scan/references/review-gauntlet.md +108 -0
  60. package/skills/deep-code-scan/references/scanner-brief.md +152 -0
  61. package/skills/e2e-test-design/SKILL.md +517 -0
  62. package/skills/e2e-test-design/references/anti-tautology.md +261 -0
  63. package/skills/e2e-test-design/references/service-mocks.md +234 -0
  64. package/skills/e2e-test-design/references/test-taxonomy.md +211 -0
  65. package/skills/epic-design/SKILL.md +476 -0
  66. package/skills/epicize/SKILL.md +210 -0
  67. package/skills/epicize/agents/openai.yaml +6 -0
  68. package/skills/feature-design/SKILL.md +472 -0
  69. package/skills/fix/SKILL.md +173 -0
  70. package/skills/gate-cruft/SKILL.md +258 -0
  71. package/skills/gate-docs/SKILL.md +278 -0
  72. package/skills/gate-patterns/SKILL.md +389 -0
  73. package/skills/gate-refactor/SKILL.md +408 -0
  74. package/skills/gate-security/SKILL.md +275 -0
  75. package/skills/gate-tests/SKILL.md +367 -0
  76. package/skills/groom/SKILL.md +162 -0
  77. package/skills/groom/agents/openai.yaml +6 -0
  78. package/skills/ideate/SKILL.md +185 -0
  79. package/skills/ideate/agents/openai.yaml +6 -0
  80. package/skills/implement/SKILL.md +288 -0
  81. package/skills/implement-orchestrator/SKILL.md +604 -0
  82. package/skills/park/SKILL.md +111 -0
  83. package/skills/perf-design/SKILL.md +427 -0
  84. package/skills/perf-scout/SKILL.md +404 -0
  85. package/skills/perf-scout/agents/openai.yaml +6 -0
  86. package/skills/perf-scout/references/algorithmic-and-data-structures.md +126 -0
  87. package/skills/perf-scout/references/approximation-and-precomputation.md +136 -0
  88. package/skills/perf-scout/references/caching-and-memoization.md +123 -0
  89. package/skills/perf-scout/references/compiler-runtime-and-language.md +136 -0
  90. package/skills/perf-scout/references/database-and-storage-internals.md +144 -0
  91. package/skills/perf-scout/references/distributed-systems.md +150 -0
  92. package/skills/perf-scout/references/game-engine-and-realtime.md +136 -0
  93. package/skills/perf-scout/references/gpu-and-accelerators.md +130 -0
  94. package/skills/perf-scout/references/idea-ranking.md +75 -0
  95. package/skills/perf-scout/references/io-and-batching.md +135 -0
  96. package/skills/perf-scout/references/memory-and-data-locality.md +137 -0
  97. package/skills/perf-scout/references/parallelism-and-vectorization.md +126 -0
  98. package/skills/perf-scout/references/parked-item-template.md +117 -0
  99. package/skills/perf-scout/references/peer-review-pass.md +150 -0
  100. package/skills/perf-scout/references/report-template.md +148 -0
  101. package/skills/principles/SKILL.md +678 -0
  102. package/skills/principles/references/models.md +191 -0
  103. package/skills/principles/references/subagents.md +158 -0
  104. package/skills/prose-author/SKILL.md +185 -0
  105. package/skills/refactor-conventions-creator/SKILL.md +359 -0
  106. package/skills/refactor-conventions-creator/agents/openai.yaml +6 -0
  107. package/skills/refactor-conventions-creator/references/common-structures.md +91 -0
  108. package/skills/refactor-conventions-creator/references/common-styles.md +90 -0
  109. package/skills/refactor-design/SKILL.md +384 -0
  110. package/skills/release-deploy/SKILL.md +667 -0
  111. package/skills/release-deploy/agents/openai.yaml +6 -0
  112. package/skills/research/SKILL.md +166 -0
  113. package/skills/research/agents/openai.yaml +6 -0
  114. package/skills/review/SKILL.md +267 -0
  115. package/skills/review/references/deep-review.md +98 -0
  116. package/skills/review/references/review-lenses.md +68 -0
  117. package/skills/review/references/substrate-side-effects.md +161 -0
  118. package/skills/review/references/target-resolution.md +52 -0
  119. package/skills/scope/SKILL.md +486 -0
  120. package/work-view/Cargo.lock +486 -0
  121. package/work-view/Cargo.toml +9 -0
  122. package/work-view/crates/cli/.work-view-version +1 -0
  123. package/work-view/crates/cli/Cargo.toml +18 -0
  124. package/work-view/crates/cli/src/actionable.rs +500 -0
  125. package/work-view/crates/cli/src/args.rs +792 -0
  126. package/work-view/crates/cli/src/board/assets/board.css +855 -0
  127. package/work-view/crates/cli/src/board/assets/board.js +259 -0
  128. package/work-view/crates/cli/src/board/assets/card.js +139 -0
  129. package/work-view/crates/cli/src/board/assets/components.css +290 -0
  130. package/work-view/crates/cli/src/board/assets/dependency.js +1193 -0
  131. package/work-view/crates/cli/src/board/assets/detail.js +256 -0
  132. package/work-view/crates/cli/src/board/assets/filters.js +389 -0
  133. package/work-view/crates/cli/src/board/assets/index.html +77 -0
  134. package/work-view/crates/cli/src/board/assets/kanban.js +231 -0
  135. package/work-view/crates/cli/src/board/assets/markdown.js +260 -0
  136. package/work-view/crates/cli/src/board/assets/motion.css +131 -0
  137. package/work-view/crates/cli/src/board/assets/state.js +245 -0
  138. package/work-view/crates/cli/src/board/assets/table.js +304 -0
  139. package/work-view/crates/cli/src/board/assets/tokens.css +602 -0
  140. package/work-view/crates/cli/src/board/assets/views.js +41 -0
  141. package/work-view/crates/cli/src/board/assets.rs +162 -0
  142. package/work-view/crates/cli/src/board/feed.rs +204 -0
  143. package/work-view/crates/cli/src/board/mod.rs +246 -0
  144. package/work-view/crates/cli/src/board/open.rs +144 -0
  145. package/work-view/crates/cli/src/board/server.rs +407 -0
  146. package/work-view/crates/cli/src/main.rs +195 -0
  147. package/work-view/crates/cli/src/render.rs +354 -0
  148. package/work-view/crates/cli/src/scope.rs +157 -0
  149. package/work-view/crates/cli/src/stale.rs +581 -0
  150. package/work-view/crates/cli/tests/board-js/dependency-table.test.mjs +64 -0
  151. package/work-view/crates/cli/tests/board-js/expanded-browsing.test.mjs +79 -0
  152. package/work-view/crates/cli/tests/board-js/harness-smoke.test.mjs +11 -0
  153. package/work-view/crates/cli/tests/board-js/harness.mjs +437 -0
  154. package/work-view/crates/cli/tests/board-js/kanban-detail.test.mjs +75 -0
  155. package/work-view/crates/cli/tests/board-js/markdown-filter.test.mjs +60 -0
  156. package/work-view/crates/cli/tests/fixtures/golden/.work/CONVENTIONS.md +3 -0
  157. package/work-view/crates/cli/tests/fixtures/golden/.work/active/epics/epic-alpha.md +16 -0
  158. package/work-view/crates/cli/tests/fixtures/golden/.work/active/features/feat-a.md +16 -0
  159. package/work-view/crates/cli/tests/fixtures/golden/.work/active/features/feat-b.md +16 -0
  160. package/work-view/crates/cli/tests/fixtures/golden/.work/active/stories/story-alpha-1.md +16 -0
  161. package/work-view/crates/cli/tests/fixtures/golden/.work/active/stories/story-research-1.md +19 -0
  162. package/work-view/crates/cli/tests/fixtures/golden/.work/archive/feat-done.md +16 -0
  163. package/work-view/crates/cli/tests/fixtures/golden/.work/archive/feat-shipped.md +18 -0
  164. package/work-view/crates/cli/tests/fixtures/golden/.work/backlog/idea-backlog.md +7 -0
  165. package/work-view/crates/cli/tests/fixtures/golden/.work/releases/v1.0/v1.0.md +16 -0
  166. package/work-view/crates/cli/tests/fixtures/ready-drafting/.work/CONVENTIONS.md +6 -0
  167. package/work-view/crates/cli/tests/fixtures/ready-drafting/.work/active/features/feat-dep-done.md +17 -0
  168. package/work-view/crates/cli/tests/fixtures/ready-drafting/.work/active/features/feat-design-ready.md +17 -0
  169. package/work-view/crates/cli/tests/fixtures/ready-drafting/.work/active/features/feat-impl-ready.md +17 -0
  170. package/work-view/crates/cli/tests/fixtures/ready-drafting/.work/active/stories/story-review-ready.md +17 -0
  171. package/work-view/crates/cli/tests/fixtures/with-malformed/.work/CONVENTIONS.md +4 -0
  172. package/work-view/crates/cli/tests/fixtures/with-malformed/.work/active/epics/malformed-no-closing-fence.md +8 -0
  173. package/work-view/crates/cli/tests/fixtures/with-malformed/.work/active/features/good-item.md +16 -0
  174. package/work-view/crates/cli/tests/integration.rs +2833 -0
  175. package/work-view/crates/core/Cargo.toml +13 -0
  176. package/work-view/crates/core/src/error.rs +61 -0
  177. package/work-view/crates/core/src/filter.rs +804 -0
  178. package/work-view/crates/core/src/graph.rs +324 -0
  179. package/work-view/crates/core/src/index.rs +590 -0
  180. package/work-view/crates/core/src/lib.rs +54 -0
  181. package/work-view/crates/core/src/model.rs +202 -0
  182. package/work-view/crates/core/src/parse.rs +494 -0
  183. package/work-view/crates/core/tests/fixtures/golden/.work/CONVENTIONS.md +15 -0
  184. package/work-view/crates/core/tests/fixtures/golden/.work/active/epics/epic-core.md +16 -0
  185. package/work-view/crates/core/tests/fixtures/golden/.work/active/features/feat-parser.md +16 -0
  186. package/work-view/crates/core/tests/fixtures/golden/.work/active/features/feat-query.md +16 -0
  187. package/work-view/crates/core/tests/fixtures/golden/.work/active/stories/malformed-no-id.md +15 -0
  188. package/work-view/crates/core/tests/fixtures/golden/.work/active/stories/story-parse-unit.md +16 -0
  189. package/work-view/crates/core/tests/fixtures/golden/.work/active/stories/story-security-gate.md +16 -0
  190. package/work-view/crates/core/tests/fixtures/golden/.work/archive/feat-old.md +16 -0
  191. package/work-view/crates/core/tests/fixtures/golden/.work/archive/feat-parser.md +17 -0
  192. package/work-view/crates/core/tests/fixtures/golden/.work/backlog/idea-future-board.md +7 -0
  193. package/work-view/crates/core/tests/fixtures/golden/.work/releases/v1.0/v1.0.md +16 -0
  194. package/work-view/crates/core/tests/fixtures/precedence/.work/CONVENTIONS.md +10 -0
  195. package/work-view/crates/core/tests/fixtures/precedence/.work/archive/dup-item.md +18 -0
  196. package/work-view/crates/core/tests/fixtures/precedence/.work/releases/v2.0/dup-item.md +18 -0
  197. package/work-view/crates/core/tests/integration.rs +541 -0
  198. package/work-view/dist/.gitattributes +1 -0
  199. package/work-view/dist/README.md +42 -0
  200. package/work-view/dist/aarch64-apple-darwin/work-view +0 -0
  201. package/work-view/dist/aarch64-unknown-linux-musl/work-view +0 -0
  202. package/work-view/dist/x86_64-apple-darwin/work-view +0 -0
  203. package/work-view/dist/x86_64-unknown-linux-musl/work-view +0 -0
@@ -0,0 +1,408 @@
1
+ ---
2
+ name: gate-refactor
3
+ description: >
4
+ Refactor gate that discovers scan-rule libraries declared in the host project (default roots:
5
+ {project}/.agents/skills/scan-*/SKILL.md and {project}/.claude/skills/scan-*/SKILL.md; configurable
6
+ via CONVENTIONS.md: gate_refactor_scan_library_roots), loads every discovered library, checks the
7
+ release bundle's changed files against all loaded rules, and produces findings as items with
8
+ gate_origin:refactor; routing tag declared per library (libraries whose fixes are
9
+ behavior-preserving declare findings-route:refactor; behavior-changing libraries declare no route —
10
+ findings emit untagged and route through normal feature/story design). Rule libraries are
11
+ deployment-local — the gate ships the mechanism; adopters supply the rules. Auto-triggers during
12
+ /agile-workflow:release-deploy when the host project opts in via CONVENTIONS.md: gates_for_release:
13
+ [..., refactor, ...]. No-libraries behavior: graceful skip (logs "no scan-* libraries discovered"
14
+ and continues). Item-producer, NOT a pass/fail report.
15
+ ---
16
+
17
+ # Gate-Refactor
18
+
19
+ You orchestrate a refactor gate over the items bound to a release. You discover scan-rule
20
+ libraries the host project has installed, load them, and dispatch a **deep refactor scanner agent**
21
+ to check the release bundle's changed files against every loaded rule. Your role is library
22
+ discovery, bundle preparation, scanner dispatch, and converting findings into substrate items.
23
+
24
+ This gate ships **the mechanism, not the rules**. The scan rule libraries that supply the actual
25
+ rules live under the host project's configured `gate_refactor_scan_library_roots` (default:
26
+ `{project}/.agents/skills` and `{project}/.claude/skills`). The gate requires no built-in rule
27
+ knowledge — it adapts to whatever libraries the deploying project provides. This is why the gate is
28
+ opt-in (not in the default `gates_for_release` list): an install with no rule libraries has nothing
29
+ to check, and that is by design, not an error.
30
+
31
+ Scanner strength is explicit: spawn exactly one source-read-only deep refactor
32
+ scanner with the strongest inspection/reviewer setting the host exposes. Use a generic sub-agent prompted with the scanner posture from `../principles/references/subagents.md`. Use extra-high reasoning
33
+ for large/polyglot release bundles or when multiple libraries carry dense rule
34
+ sets. If the host has no scanner path, run the scan inline and record
35
+ the reduced isolation in the release body.
36
+
37
+ ## Trigger
38
+
39
+ - `/agile-workflow:release-deploy` invokes during `quality-gate` stage when `gates_for_release`
40
+ in `.work/CONVENTIONS.md` includes `refactor`.
41
+ - User can invoke manually: `/agile-workflow:gate-refactor <release-version>`
42
+
43
+ **Opt-in gate.** The default `gates_for_release` list does not include `refactor`. Add it
44
+ explicitly when your project has scan-rule libraries to enforce:
45
+
46
+ ```
47
+ gates_for_release: [security, tests, cruft, docs, patterns, refactor]
48
+ ```
49
+
50
+ ## Workflow
51
+
52
+ ### Phase 1: Identify bundle changes
53
+
54
+ ```bash
55
+ # Bound non-release items. `--release` auto-widens to ALL tiers (active + archive + releases).
56
+ # Include late-bound archived stubs; their bodies may be pruned, but their item id is still
57
+ # present and can recover the bundle commits/files. Ignore only the release orchestration item.
58
+ .work/bin/work-view --release <version> --paths | while IFS= read -r item; do
59
+ kind=$(grep -m1 '^kind:' "$item" | awk '{print $2}')
60
+ [ "$kind" = "release" ] && continue
61
+ echo "$item"
62
+ done > /tmp/bundle-items-<version>.txt
63
+
64
+ # Files changed by the bundle. For archived stubs, the body is pruned on disk by design; use the
65
+ # item id to find implementation commits instead of treating the missing body as a skip reason.
66
+ while IFS= read -r item; do
67
+ id=$(grep -m1 '^id:' "$item" | awk '{print $2}')
68
+ git log --grep "$id" --format='%H' | xargs -I{} git diff-tree --no-commit-id --name-only -r {}
69
+ done < /tmp/bundle-items-<version>.txt | sort -u > /tmp/bundle-files-<version>.txt
70
+ ```
71
+
72
+ ### Phase 2: Discover scan-rule libraries (idempotency prep)
73
+
74
+ Read `gate_refactor_scan_library_roots` from `.work/CONVENTIONS.md`. If absent, use the default
75
+ plugin-canonical and Claude-compat roots:
76
+
77
+ ```yaml
78
+ gate_refactor_scan_library_roots:
79
+ - .agents/skills
80
+ - .claude/skills
81
+ ```
82
+
83
+ Resolve relative roots from the project/substrate root; absolute roots are allowed. For each
84
+ configured root, glob `<root>/scan-*/SKILL.md`. If a configured root points outside the project
85
+ tree, continue but treat it as a trust-boundary expansion: the gate will load instructions and
86
+ reference files from that location.
87
+
88
+ For each discovered `SKILL.md`, in configured root order:
89
+ 1. Read the `SKILL.md` fully — its frontmatter `description` and body carry the rules the gate
90
+ must enforce.
91
+ 2. Read all files in the library's `references/` directory (if present) — reference files carry
92
+ the detailed per-rule specifications.
93
+ 3. Derive a **library tag** from the directory name by stripping `scan-` (e.g., `scan-wcag-aa`
94
+ → `wcag-aa`, `scan-structural` → `structural`).
95
+ 4. Read the library's **routing declaration**: look for a `findings-route:` line in the SKILL.md
96
+ body (format: `findings-route: refactor` or `findings-route: none`). This line declares whether
97
+ the library's findings carry `tags: [refactor]`. If the line is absent, the default is **no
98
+ routing tag** — untagged is safe-by-default (feature-design handles everything; the `[refactor]`
99
+ route is the optimization a library opts into by asserting its fixes are behavior-preserving).
100
+ Record the routing decision per library for use in Phase 4.
101
+ 5. If another discovered library has the same derived library tag, keep the first one discovered
102
+ and skip the duplicate. This preserves current `.agents/skills` before `.claude/skills`
103
+ precedence under the defaults and makes custom-root precedence follow configured root order.
104
+
105
+ **No-libraries behavior:** if all configured roots return zero results, log to the release body:
106
+
107
+ ```
108
+ gate-refactor (<date>) — no scan-* rule libraries discovered; gate-refactor has nothing to
109
+ check. To activate: install a scan-rule library under gate_refactor_scan_library_roots
110
+ (default: {project}/.agents/skills/scan-<name>/ or {project}/.claude/skills/scan-<name>/).
111
+ See gate-refactor/SKILL.md for the library contract.
112
+ ```
113
+
114
+ Then continue the gate sequence. This is not an error — the gate is designed to ship
115
+ content-free when no libraries are installed.
116
+
117
+ Read existing gate items (idempotency prep):
118
+
119
+ ```bash
120
+ .work/bin/work-view --release <version> --gate refactor --paths
121
+ ```
122
+
123
+ Capture the set of `(file:line, rule-slug)` already-tracked findings to feed into the
124
+ scanner brief so it skips duplicates.
125
+
126
+ ### Phase 3: Dispatch the refactor scanner
127
+
128
+ If at least one library was discovered, spawn ONE source-read-only deep scanner
129
+ agent with the full scan brief. Use a generic sub-agent prompted with the scanner
130
+ posture from `../principles/references/subagents.md` and the strongest
131
+ inspection/reviewer setting the host exposes, escalating for large/polyglot
132
+ bundles or dense rule sets. If scanner agents are unavailable, run the scan
133
+ inline and record the reduced isolation in the release body.
134
+
135
+ The scanner checks all rules from all libraries in one pass per file, returning structured
136
+ findings. Dispatching one scanner with the full library set (rather than one per library) avoids
137
+ M-times-N redundant file reads and allows cross-library finding deduplication.
138
+
139
+ **Brief template**:
140
+
141
+ > You are conducting a refactor gate scan for release `<version>` as an agile-workflow
142
+ > scanner. Use read/search/shell tools as needed. Scan ONLY the bundle's changed files —
143
+ > not the whole repo. Do not spawn nested sub-agents or implement fixes.
144
+ >
145
+ > **Bundle scope** (files changed by the bundle):
146
+ > ```
147
+ > <bundle-files>
148
+ > ```
149
+ >
150
+ > **Loaded rule libraries** (N libraries discovered):
151
+ >
152
+ > For each library `<tag>` (e.g. `structural`, `wcag-aa`):
153
+ >
154
+ > **Library: `<tag>`** (source: `{project}/.agents/skills/scan-<name>/` or `{project}/.claude/skills/scan-<name>/`)
155
+ > ```
156
+ > <full SKILL.md content>
157
+ > ```
158
+ > Reference files:
159
+ > ```
160
+ > <full content of each file in references/>
161
+ > ```
162
+ >
163
+ > **Already-tracked findings to skip**:
164
+ > ```
165
+ > <(file:line, rule-slug) pairs already written as items>
166
+ > ```
167
+ >
168
+ > **Instructions**:
169
+ >
170
+ > 1. Read every file in the bundle scope.
171
+ > 2. For each file, check against all rules from all loaded libraries in a single pass.
172
+ > 3. For each finding, record:
173
+ > - **Library tag**: which library's rule was violated (e.g. `structural`).
174
+ > - **Rule slug**: which specific rule was violated (from the library's rule inventory).
175
+ > - **File:line**: exact location.
176
+ > - **Issue**: one-sentence description of the violation.
177
+ > - **Fix**: specific proposed change (or "needs analysis" for findings requiring judgment).
178
+ > - **Confidence**: `high` / `medium` / `low` per the library's guidance for that rule.
179
+ > 4. Deduplicate against the already-tracked set.
180
+ > 5. Return findings as a structured list.
181
+ >
182
+ > **Rules**:
183
+ > - Scan only the bundle scope. Do not expand to the whole repo.
184
+ > - Cite file:line for every finding.
185
+ > - Do not fabricate findings. If a rule produces no matches, emit nothing for it.
186
+ > - Skip already-tracked findings (exact file:line + rule-slug match).
187
+ > - Confidence follows the library's own guidance for each rule. When the library
188
+ > does not specify, default to medium. Normalize any other severity vocabulary a
189
+ > library uses (e.g. critical/info, numeric scores) onto `high`/`medium`/`low`
190
+ > rather than defaulting mismatches to medium.
191
+ >
192
+ > **Output format** — return a single markdown document with:
193
+ >
194
+ > ```
195
+ > ## Findings
196
+ >
197
+ > ### Finding 1
198
+ > - **Title**: <one-line description>
199
+ > - **Library**: <library-tag>
200
+ > - **Rule**: <rule-slug>
201
+ > - **Confidence**: High | Medium | Low
202
+ > - **Location**: `<file>:<line>`
203
+ > - **Issue**: <one sentence>
204
+ > - **Fix**: <specific proposed change or "needs analysis">
205
+ >
206
+ > ### Finding 2
207
+ > ...
208
+ > ```
209
+ >
210
+ > Followed by:
211
+ >
212
+ > ```
213
+ > ## Scan summary
214
+ > - Libraries loaded: <list of library tags>
215
+ > - Files scanned: <count>
216
+ > - Findings by confidence: High=<n>, Medium=<n>, Low=<n>
217
+ > ```
218
+
219
+ ### Phase 4: Convert findings to items
220
+
221
+ For each finding the scanner returned:
222
+
223
+ Read `gate_finding_routing` from `.work/CONVENTIONS.md` before writing items. If absent, use the
224
+ default routing below. Normalize refactor confidence to routing keys as: `High -> high`,
225
+ `Medium -> medium`, and `Low -> low`. If a normalized key maps to `skip`, do not emit an item for
226
+ that finding; include the skipped count in the gate output and release-body gate-run record. If it
227
+ maps to `backlog`, write a `.work/backlog/` item instead of an active story.
228
+
229
+ **`gate_origin: refactor` is unconditional** — it records which gate produced the item, not the
230
+ nature of the fix. The `tags:` field is determined by the source library's routing declaration:
231
+ - Library declared `findings-route: refactor` → `tags: [refactor]` (behavior-preserving; routes
232
+ through refactor-design).
233
+ - Library declared `findings-route: none` or declaration absent → `tags: []` (behavior-changing or
234
+ unclassified; routes through the normal feature/story design path).
235
+
236
+ The rationale: `[refactor]` is strictly behavior-preserving by definition (black-box test — no
237
+ observable behavior change for any caller of the public surface). Libraries whose fixes change
238
+ observable behavior — a11y improvements, SEO changes, API corrections — must not carry the tag or
239
+ refactor-design will bounce them as mistagged.
240
+
241
+ **Example: behavior-preserving library (e.g. `scan-structural`, `findings-route: refactor`)**
242
+
243
+ ```yaml
244
+ ---
245
+ id: gate-refactor-<short-slug>
246
+ kind: story
247
+ stage: implementing | drafting # by gate_finding_routing
248
+ tags: [refactor]
249
+ parent: null
250
+ depends_on: []
251
+ release_binding: <version>
252
+ gate_origin: refactor
253
+ created: YYYY-MM-DD
254
+ updated: YYYY-MM-DD
255
+ ---
256
+ ```
257
+
258
+ **Example: behavior-changing library (e.g. `scan-wcag-aa`, no findings-route declaration)**
259
+
260
+ ```yaml
261
+ ---
262
+ id: gate-refactor-<short-slug>
263
+ kind: story
264
+ stage: implementing | drafting # by gate_finding_routing
265
+ tags: []
266
+ parent: null
267
+ depends_on: []
268
+ release_binding: <version>
269
+ gate_origin: refactor
270
+ created: YYYY-MM-DD
271
+ updated: YYYY-MM-DD
272
+ ---
273
+ ```
274
+
275
+ Item body (same for both cases):
276
+
277
+ ```markdown
278
+ # <one-line description>
279
+
280
+ ## Library
281
+ <library-tag>
282
+
283
+ ## Rule
284
+ <rule-slug>
285
+
286
+ ## Confidence
287
+ High | Medium | Low
288
+
289
+ ## Location
290
+ `<file>:<line>`
291
+
292
+ ## Issue
293
+ <one-sentence violation description>
294
+
295
+ ## Fix
296
+ <specific proposed change, or "needs analysis" for medium/low>
297
+ ```
298
+
299
+ Default confidence -> placement mapping:
300
+
301
+ | Confidence | Stage | Tier |
302
+ |---|---|---|
303
+ | High | `stage: implementing` | `.work/active/stories/` |
304
+ | Medium | `stage: drafting` | `.work/active/stories/` |
305
+ | Low | backlog file | `.work/backlog/` |
306
+
307
+ Slug: derive from library tag + rule slug + file fragment (e.g.
308
+ `gate-refactor-structural-routes-api`, `gate-refactor-wcag-aa-missing-alt`). If the derived
309
+ slug already exists (same rule firing twice in one file or across runs), append a counter
310
+ suffix (`-2`, `-3`, …) to keep slugs unique.
311
+
312
+ ### Phase 5: Update the release body
313
+
314
+ Append to the release body's gate-runs section:
315
+
316
+ ```markdown
317
+ - **gate-refactor** (YYYY-MM-DD) — N findings (H high, M medium, L low) from K libraries:
318
+ <library-tag-1> (<n> findings), <library-tag-2> (<n> findings)
319
+ ```
320
+
321
+ If no libraries were discovered, append the no-libraries log entry from Phase 2 instead.
322
+
323
+ ### Phase 6: Commit
324
+
325
+ ```bash
326
+ git add .work/active/stories/ .work/backlog/ .work/active/release-<version>.md
327
+ git commit -m "gate-refactor: <N> findings for <version> (<library-tags>)"
328
+ ```
329
+
330
+ If no findings and no libraries: `gate-refactor: no libraries discovered for <version> — gate skipped`.
331
+ If no findings but libraries ran: `gate-refactor: 0 findings for <version> (<library-tags> — clean)`.
332
+
333
+ ## Output
334
+
335
+ In conversation:
336
+ - **Bundle**: `<version>` — `<N>` items audited, `<M>` files changed
337
+ - **Libraries**: count and tags (`structural`, `wcag-aa`, ...) or "none discovered"
338
+ - **Findings**: count by confidence (High / Medium / Low), or "no findings"
339
+ - **Items created**: count, with new ids
340
+ - **Already-tracked**: count skipped
341
+
342
+ ## Guardrails
343
+
344
+ - **The scan happens in the scanner agent, not here.** Your job is library discovery, bundle prep,
345
+ dispatch, and item-writing. Do not replicate the scanner's analysis.
346
+ - Scan only the bundle's changed files, not the whole repo.
347
+ - Never apply fixes in this skill — produce items only.
348
+ - **No-libraries is not an error.** Graceful skip with a log entry is the correct behavior when
349
+ no scan-* libraries are installed.
350
+ - Pass already-tracked findings into the scanner brief so it skips duplicates (idempotency).
351
+ - Include archive stubs returned by `work-view --release <version> --paths`. Late-bound archived
352
+ stubs are part of the release bundle and must be scanned from their associated commits/files,
353
+ even when their on-disk bodies are pruned.
354
+ - Do NOT add `refactor` to the default `gates_for_release` list. The gate is opt-in by design.
355
+ Deployers with no scan-rule libraries would get a no-op gate on every release — unnecessary
356
+ overhead. Adopters opt in by editing their `.work/CONVENTIONS.md`.
357
+
358
+ ## Library contract (for adopters writing scan-rule libraries)
359
+
360
+ A scan-rule library declares itself by its directory name and the content of its SKILL.md:
361
+
362
+ - **Location**: `<root>/scan-<name>/SKILL.md`, where `<root>` comes from
363
+ `gate_refactor_scan_library_roots` in `.work/CONVENTIONS.md` (default:
364
+ `{project}/.agents/skills` then `{project}/.claude/skills`). Duplicate names are merged by
365
+ derived library tag; the first discovered library wins, so configured root order determines
366
+ precedence.
367
+ - **SKILL.md content**: the `description` frontmatter field and the body carry the rules. The
368
+ gate reads the full SKILL.md and all files in `references/` as the library declaration.
369
+ - **Rule format**: each rule should carry a slug (for deduplication), a description of what
370
+ constitutes a violation, and confidence guidance (when does a match warrant `high` vs. `medium`
371
+ vs. `low` confidence). These three values are the **required vocabulary** — the gate and
372
+ downstream tooling map directly on them.
373
+ - **Routing declaration** (one line in the SKILL.md **body** — NOT a frontmatter key; the gate
374
+ scans the body for this line, so a frontmatter placement would be silently missed):
375
+ ```
376
+ findings-route: refactor
377
+ ```
378
+ Declares that this library's rules are **behavior-preserving** (structural, stylistic, dead-code
379
+ removal) — every fix passes the black-box test: no observable behavior change for any caller of
380
+ the public surface. Findings from this library carry `tags: [refactor]` and may route through
381
+ `refactor-design`.
382
+
383
+ **Default when absent: no routing tag.** Libraries whose fixes are **behavior-changing** (a11y,
384
+ SEO, API corrections, anything altering observable behavior for any consumer) omit the
385
+ declaration or set `findings-route: none`. Their findings emit without a `[refactor]` tag and
386
+ route through the normal feature/story design path. Untagged is the safe default — feature-design
387
+ handles everything; the `[refactor]` route is the optimization a library opts into by asserting
388
+ behavior-preservation.
389
+ - **No registration required**: the gate discovers libraries by glob. No manifest entry needed.
390
+
391
+ Example library skeleton (behavior-preserving — opts in to `[refactor]` routing):
392
+
393
+ ```
394
+ {project}/.agents/skills/scan-structural/
395
+ SKILL.md ← library declaration + rule inventory + findings-route: refactor
396
+ references/
397
+ api-shape.md ← detailed rule: API structural conventions
398
+ error-shape.md ← detailed rule: error-handling conventions
399
+ ```
400
+
401
+ Example library skeleton (behavior-changing — omits routing declaration):
402
+
403
+ ```
404
+ {project}/.agents/skills/scan-wcag-aa/
405
+ SKILL.md ← library declaration + rule inventory (no findings-route line)
406
+ references/
407
+ wcag-aa-rules.md ← detailed WCAG 2.x AA rule set
408
+ ```
@@ -0,0 +1,275 @@
1
+ ---
2
+ name: gate-security
3
+ description: >
4
+ Security gate that scans items bound to a release and produces items as findings. Delegates the full
5
+ audit to a deep security scanner agent which discovers stack, picks relevant security domains
6
+ (auth, injection, secrets, deps, API, infra, crypto, data protection, error handling), audits the
7
+ bundle's code changes, and returns findings. The orchestrator converts findings into items in
8
+ .work/active/ with gate_origin:security and appropriate tags. Auto-triggers during
9
+ /agile-workflow:release-deploy quality-gate stage. Item-producer, NOT a pass/fail report.
10
+ ---
11
+
12
+ # Gate-Security
13
+
14
+ You orchestrate a security gate over the items bound to a release. The actual
15
+ audit runs inside a **deep security scanner agent** (a generic sub-agent prompted with the scanner posture from `../principles/references/subagents.md`); your role is to prepare the bundle context,
16
+ dispatch the scanner, and convert the findings it returns into items in the
17
+ substrate.
18
+
19
+ Scanner strength is explicit: spawn exactly one source-read-only deep security
20
+ scanner with the strongest inspection/reviewer setting the host exposes. Use a generic sub-agent prompted with the scanner posture from `../principles/references/subagents.md`. Use extra-high reasoning
21
+ only for auth, crypto, data-loss, broad public API, or large/polyglot release
22
+ bundles. If the host has no scanner path, run the audit inline and
23
+ record the reduced isolation in the release body.
24
+
25
+ This is NOT a standalone audit (for that, use a standalone `repo-eval` skill). This
26
+ is a gate over a specific release bundle, producing items the release-deploy
27
+ flow can drain to `done` before shipping.
28
+
29
+ ## Trigger
30
+
31
+ - `/agile-workflow:release-deploy` invokes this during the `quality-gate` stage
32
+ - User can invoke manually: `/agile-workflow:gate-security <release-version>`
33
+
34
+ ## Workflow
35
+
36
+ ### Phase 1: Identify the bundle
37
+
38
+ If a release version was provided:
39
+ ```bash
40
+ # Bound non-release items. `--release` auto-widens to ALL tiers (active + archive + releases).
41
+ # Include late-bound archived stubs; their bodies may be pruned, but their item id is still
42
+ # present and can recover the bundle commits/files. Ignore only the release orchestration item.
43
+ .work/bin/work-view --release <version> --paths | while IFS= read -r item; do
44
+ kind=$(grep -m1 '^kind:' "$item" | awk '{print $2}')
45
+ [ "$kind" = "release" ] && continue
46
+ echo "$item"
47
+ done > /tmp/bundle-items-<version>.txt
48
+ ```
49
+
50
+ Otherwise, find the active release file (the one at `stage: planned` or
51
+ `stage: quality-gate`) and use its version.
52
+
53
+ If no items are bound (the bundle-items file is empty), halt with: "No items
54
+ bound to release `<version>`. Bind items first via
55
+ `/agile-workflow:release-deploy`."
56
+
57
+ Build the union of files changed by the bundle. For archived stubs, the body is pruned on disk by
58
+ design; use the item id to find implementation commits instead of treating the missing body as a
59
+ skip reason:
60
+
61
+ ```bash
62
+ while IFS= read -r item; do
63
+ id=$(grep -m1 '^id:' "$item" | awk '{print $2}')
64
+ git log --grep "$id" --format='%H' | xargs -I{} git diff-tree --no-commit-id --name-only -r {}
65
+ done < /tmp/bundle-items-<version>.txt | sort -u > /tmp/bundle-files-<version>.txt
66
+ ```
67
+
68
+ ### Phase 2: Read existing gate items (idempotency prep)
69
+
70
+ ```bash
71
+ .work/bin/work-view --release <version> --gate security --paths
72
+ ```
73
+
74
+ Capture the set of `(file:line, severity)` already-tracked findings so the
75
+ scanner can be told to skip duplicates.
76
+
77
+ ### Phase 3: Dispatch the security scanner
78
+
79
+ Spawn ONE source-read-only deep scanner agent with the full audit brief. Use a generic sub-agent prompted with the scanner posture from `../principles/references/subagents.md` and the strongest
80
+ inspection/reviewer setting the host exposes, escalating for auth, crypto,
81
+ data-loss, broad public API, or large/polyglot bundles. If scanner agents
82
+ are unavailable, run the audit inline and record the reduced isolation in the
83
+ release body. The scanner does all of the analysis end-to-end — stack discovery,
84
+ domain selection, domain audit passes, severity classification — and returns
85
+ structured findings.
86
+
87
+ **Brief template** (substitute `<version>`, `<bundle-files>`,
88
+ `<bound-item-ids>`, `<already-tracked>`):
89
+
90
+ > You are conducting a security gate audit for release `<version>` as an
91
+ > agile-workflow scanner. Use read/search/shell/current-source lookup tools as
92
+ > needed, but do not spawn nested sub-agents or implement fixes.
93
+ >
94
+ > **Bundle scope** (audit ONLY these files; this is a release gate, not a
95
+ > repo-wide audit):
96
+ > ```
97
+ > <bundle-files>
98
+ > ```
99
+ >
100
+ > **Bound items** (an archived stub's body is pruned on disk — hydrate it from
101
+ > the stub's `git_ref` frontmatter via `git show <git_ref>:<path>`, trying the
102
+ > item's former `.work/active/` path at that ref): `<bound-item-ids>`
103
+ >
104
+ > **Already-tracked findings to skip** (do not re-report these):
105
+ > ```
106
+ > <already-tracked file:line / severity pairs>
107
+ > ```
108
+ >
109
+ > **Methodology**:
110
+ >
111
+ > 1. **Stack discovery** — read `package.json`, `tsconfig.json`, `Cargo.toml`,
112
+ > `go.mod`, `pyproject.toml`, `Dockerfile`, CI configs. Identify languages,
113
+ > frameworks, package managers, auth systems, entry points (API routes, CLI,
114
+ > serverless), infrastructure.
115
+ >
116
+ > 2. **Domain selection** — pick the relevant domains for this stack and the
117
+ > bundle's surface. The nine domains:
118
+ > 1. Authentication & Authorization — auth flows, sessions, RBAC/ABAC,
119
+ > tokens, password policies. Apps with user accounts; APIs with auth.
120
+ > 2. Input Validation & Injection — XSS, SQLi, command injection, path
121
+ > traversal, template injection, SSRF. Web apps, APIs.
122
+ > 3. Secrets & Configuration — hardcoded secrets, env leakage, insecure
123
+ > defaults, exposed config, `.env` in VCS. All projects.
124
+ > 4. Dependencies & Supply Chain — known CVEs, outdated packages, lockfile
125
+ > integrity, typosquatting risk, unnecessary deps. All projects with
126
+ > external deps.
127
+ > 5. Data Protection — encryption at rest/in transit, PII handling, log
128
+ > sanitization, secure deletion, backup security. Apps handling user
129
+ > data.
130
+ > 6. API Security — rate limiting, CORS, auth on all endpoints, mass
131
+ > assignment, response leakage, versioning. REST/GraphQL APIs.
132
+ > 7. Infrastructure & Deployment — Dockerfile security, CI/CD secrets,
133
+ > exposed ports, cloud IAM, container hardening, network policies.
134
+ > Deployed services.
135
+ > 8. Cryptography — weak algorithms, hardcoded keys, RNG, cert validation,
136
+ > key management. Apps doing encryption/signing.
137
+ > 9. Error Handling & Logging — stack trace leakage, audit gaps, PII in
138
+ > logs, missing error boundaries, verbose prod errors. All prod apps.
139
+ >
140
+ > 3. **Domain audit passes** — for each selected domain, audit the bundle's
141
+ > changed files against that domain's checklist. Use current-source lookup
142
+ > when needed to verify best practices for `<stack>+<domain>` combinations
143
+ > before judging.
144
+ >
145
+ > 4. **Severity classification** — every finding gets one of:
146
+ > | Severity | Meaning |
147
+ > |---|---|
148
+ > | Critical | Actively exploitable now (secrets in source, no auth on a public endpoint, plaintext password storage). Must fix before shipping. |
149
+ > | High | Significant control missing or known CVE in a deployed dep. Strong attacker leverage. Must fix before shipping. |
150
+ > | Medium | Hardening gap or non-obvious vuln requiring chained conditions. Should fix; can defer with explicit acknowledgement. |
151
+ > | Low | Defense-in-depth; minor info disclosure; outdated-but-not-vulnerable. Backlog. |
152
+ > | Info | Observation; not a finding. Don't return Info entries. |
153
+ >
154
+ > **Output format** — return a single markdown document with:
155
+ >
156
+ > ```
157
+ > ## Findings
158
+ >
159
+ > ### Finding 1
160
+ > - **Title**: <one-line>
161
+ > - **Severity**: Critical | High | Medium | Low
162
+ > - **Domain**: <domain name>
163
+ > - **Location**: `<file>:<line>`
164
+ > - **Evidence**:
165
+ > ```<lang>
166
+ > <1-5 lines of offending code>
167
+ > ```
168
+ > - **Remediation direction**: <direction, not finished fix>
169
+ >
170
+ > ### Finding 2
171
+ > ...
172
+ > ```
173
+ >
174
+ > Followed by:
175
+ >
176
+ > ```
177
+ > ## Audit summary
178
+ > - Stack: <one-line>
179
+ > - Domains audited: <list>
180
+ > - Files audited: <count>
181
+ > - Findings by severity: Critical=<n>, High=<n>, Medium=<n>, Low=<n>
182
+ > ```
183
+ >
184
+ > **Rules**:
185
+ > - Audit only the files listed in Bundle scope. Do NOT expand the audit.
186
+ > - Cite file:line for every finding.
187
+ > - Don't fabricate. If evidence is missing, don't report.
188
+ > - Skip findings that match the already-tracked list.
189
+ > - Don't implement fixes. Findings only.
190
+
191
+ ### Phase 4: Convert findings to items
192
+
193
+ For each finding the scanner returned (above Info severity):
194
+
195
+ Read `gate_finding_routing` from `.work/CONVENTIONS.md` before writing items.
196
+ If absent, use the default routing below. Normalize security severity to routing
197
+ keys as: `Critical -> critical`, `High -> high`, `Medium -> medium`,
198
+ `Low -> low`, and `Info -> info` (Info is not returned as a finding by the
199
+ scanner, but the route is reserved for consistency). If a normalized key maps
200
+ to `skip`, do not emit an item for that finding; include the skipped count in
201
+ the gate output. If it maps to `backlog`, write a `.work/backlog/` item instead
202
+ of an active story.
203
+
204
+ ```yaml
205
+ ---
206
+ id: gate-security-<short-slug>
207
+ kind: story
208
+ stage: implementing # Critical or High
209
+ # OR drafting for Medium
210
+ # OR backlog file for Low
211
+ tags: [security]
212
+ parent: null
213
+ depends_on: []
214
+ release_binding: <version>
215
+ gate_origin: security
216
+ created: YYYY-MM-DD
217
+ updated: YYYY-MM-DD
218
+ ---
219
+
220
+ # <one-line title>
221
+
222
+ ## Severity
223
+ Critical | High | Medium | Low
224
+
225
+ ## Domain
226
+ <domain>
227
+
228
+ ## Location
229
+ `<file>:<line>`
230
+
231
+ ## Evidence
232
+ \`\`\`<lang>
233
+ <short code snippet, 1-5 lines>
234
+ \`\`\`
235
+
236
+ ## Remediation direction
237
+ <what should change — direction, not a finished fix>
238
+ ```
239
+
240
+ Default severity -> placement mapping:
241
+ - **Critical** / **High** → `stage: implementing` in `.work/active/stories/`
242
+ - **Medium** → `stage: drafting` in `.work/active/stories/`
243
+ - **Low** → backlog file in `.work/backlog/` (not stage-managed)
244
+ - **Info** → skipped (no item emitted)
245
+
246
+ ### Phase 5: Commit
247
+
248
+ ```bash
249
+ git add .work/active/stories/ .work/backlog/
250
+ git commit -m "gate-security: <N> findings for <version>"
251
+ ```
252
+
253
+ ## Output
254
+
255
+ In conversation:
256
+ - **Bundle**: `<version>` — `<N>` items audited
257
+ - **Findings**: count by severity (Critical / High / Medium / Low)
258
+ - **Items created**: count, with new ids
259
+ - **Already-tracked**: count of duplicate findings skipped
260
+ - **Next**: gate-security adds to release readiness criteria. Release ships when
261
+ all bound items (including these) reach `stage: done`.
262
+
263
+ ## Guardrails
264
+
265
+ - **The audit happens in the scanner agent, not here.** Your job is bundle
266
+ prep, dispatch, and item-writing. Don't replicate the scanner's analysis in
267
+ the orchestrator's context.
268
+ - Never implement fixes — produce items only.
269
+ - Always cite file:line in finding bodies.
270
+ - Don't fabricate findings. If the scanner returns nothing for a domain, it
271
+ returns nothing. Don't paper that over.
272
+ - Idempotent re-runs: pass already-tracked findings into the scanner brief so it
273
+ skips duplicates. Double-check on item-write before creating.
274
+ - Audit only the bundle's changes, not the whole repo. Repo-wide audits are
275
+ a standalone `repo-eval`'s job, not a release gate's.