@nklisch/pi-agile-workflow 0.15.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.claude-plugin/plugin.json +10 -0
- package/.codex-plugin/plugin.json +28 -0
- package/CHANGELOG.md +591 -0
- package/README.md +107 -0
- package/docs/ARCHITECTURE.md +716 -0
- package/docs/MIGRATION.md +419 -0
- package/docs/PRINCIPLES.md +464 -0
- package/docs/ROADMAP.md +95 -0
- package/docs/SPEC.md +855 -0
- package/docs/VISION.md +106 -0
- package/extensions/agile-workflow.test.ts +419 -0
- package/extensions/agile-workflow.ts +467 -0
- package/hooks/hooks.json +52 -0
- package/hooks/scripts/prompt-context.py +628 -0
- package/hooks/scripts/substrate-maintainer.py +359 -0
- package/hooks/scripts/test_prompt_context.py +757 -0
- package/package.json +30 -0
- package/scripts/install-work-view.sh +165 -0
- package/scripts/tests/agent-metadata.test.sh +75 -0
- package/scripts/tests/bump-version.test.sh +552 -0
- package/scripts/tests/channel-parity.test.sh +117 -0
- package/scripts/tests/convert-content-integrity.test.sh +246 -0
- package/scripts/tests/convert-install-routing.test.sh +159 -0
- package/scripts/tests/install-work-view.test.sh +411 -0
- package/scripts/tests/pi-package-metadata.test.sh +119 -0
- package/scripts/tests/work-board-shim.test.sh +239 -0
- package/scripts/tests/work-view-dist-version.test.sh +105 -0
- package/scripts/work-board.sh +64 -0
- package/scripts/work-view.sh +423 -0
- package/skills/autopilot/SKILL.md +330 -0
- package/skills/autopilot/agents/openai.yaml +6 -0
- package/skills/board/SKILL.md +62 -0
- package/skills/board/agents/openai.yaml +6 -0
- package/skills/bold-refactor/SKILL.md +244 -0
- package/skills/bold-refactor/agents/openai.yaml +6 -0
- package/skills/bug-scan/SKILL.md +378 -0
- package/skills/bug-scan/agents/openai.yaml +6 -0
- package/skills/bug-scan/references/async-promises.md +119 -0
- package/skills/bug-scan/references/concurrency-races.md +148 -0
- package/skills/bug-scan/references/data-layer.md +167 -0
- package/skills/bug-scan/references/error-handling.md +197 -0
- package/skills/bug-scan/references/gate-item-template.md +94 -0
- package/skills/bug-scan/references/language-footguns.md +219 -0
- package/skills/bug-scan/references/parked-item-template.md +103 -0
- package/skills/bug-scan/references/report-template.md +115 -0
- package/skills/bug-scan/references/resource-leaks.md +199 -0
- package/skills/bug-scan/references/state-closures.md +148 -0
- package/skills/bug-scan/references/time-numbers.md +158 -0
- package/skills/convert/SKILL.md +1463 -0
- package/skills/convert/agents/openai.yaml +6 -0
- package/skills/convert/references/legacy-overlap-migration.md +179 -0
- package/skills/deep-code-scan/SKILL.md +378 -0
- package/skills/deep-code-scan/agents/openai.yaml +6 -0
- package/skills/deep-code-scan/references/artifact-ledger.md +148 -0
- package/skills/deep-code-scan/references/consolidation.md +91 -0
- package/skills/deep-code-scan/references/decomposition.md +127 -0
- package/skills/deep-code-scan/references/item-templates.md +263 -0
- package/skills/deep-code-scan/references/lane-catalog.md +129 -0
- package/skills/deep-code-scan/references/review-gauntlet.md +108 -0
- package/skills/deep-code-scan/references/scanner-brief.md +152 -0
- package/skills/e2e-test-design/SKILL.md +517 -0
- package/skills/e2e-test-design/references/anti-tautology.md +261 -0
- package/skills/e2e-test-design/references/service-mocks.md +234 -0
- package/skills/e2e-test-design/references/test-taxonomy.md +211 -0
- package/skills/epic-design/SKILL.md +476 -0
- package/skills/epicize/SKILL.md +210 -0
- package/skills/epicize/agents/openai.yaml +6 -0
- package/skills/feature-design/SKILL.md +472 -0
- package/skills/fix/SKILL.md +173 -0
- package/skills/gate-cruft/SKILL.md +258 -0
- package/skills/gate-docs/SKILL.md +278 -0
- package/skills/gate-patterns/SKILL.md +389 -0
- package/skills/gate-refactor/SKILL.md +408 -0
- package/skills/gate-security/SKILL.md +275 -0
- package/skills/gate-tests/SKILL.md +367 -0
- package/skills/groom/SKILL.md +162 -0
- package/skills/groom/agents/openai.yaml +6 -0
- package/skills/ideate/SKILL.md +185 -0
- package/skills/ideate/agents/openai.yaml +6 -0
- package/skills/implement/SKILL.md +288 -0
- package/skills/implement-orchestrator/SKILL.md +604 -0
- package/skills/park/SKILL.md +111 -0
- package/skills/perf-design/SKILL.md +427 -0
- package/skills/perf-scout/SKILL.md +404 -0
- package/skills/perf-scout/agents/openai.yaml +6 -0
- package/skills/perf-scout/references/algorithmic-and-data-structures.md +126 -0
- package/skills/perf-scout/references/approximation-and-precomputation.md +136 -0
- package/skills/perf-scout/references/caching-and-memoization.md +123 -0
- package/skills/perf-scout/references/compiler-runtime-and-language.md +136 -0
- package/skills/perf-scout/references/database-and-storage-internals.md +144 -0
- package/skills/perf-scout/references/distributed-systems.md +150 -0
- package/skills/perf-scout/references/game-engine-and-realtime.md +136 -0
- package/skills/perf-scout/references/gpu-and-accelerators.md +130 -0
- package/skills/perf-scout/references/idea-ranking.md +75 -0
- package/skills/perf-scout/references/io-and-batching.md +135 -0
- package/skills/perf-scout/references/memory-and-data-locality.md +137 -0
- package/skills/perf-scout/references/parallelism-and-vectorization.md +126 -0
- package/skills/perf-scout/references/parked-item-template.md +117 -0
- package/skills/perf-scout/references/peer-review-pass.md +150 -0
- package/skills/perf-scout/references/report-template.md +148 -0
- package/skills/principles/SKILL.md +678 -0
- package/skills/principles/references/models.md +191 -0
- package/skills/principles/references/subagents.md +158 -0
- package/skills/prose-author/SKILL.md +185 -0
- package/skills/refactor-conventions-creator/SKILL.md +359 -0
- package/skills/refactor-conventions-creator/agents/openai.yaml +6 -0
- package/skills/refactor-conventions-creator/references/common-structures.md +91 -0
- package/skills/refactor-conventions-creator/references/common-styles.md +90 -0
- package/skills/refactor-design/SKILL.md +384 -0
- package/skills/release-deploy/SKILL.md +667 -0
- package/skills/release-deploy/agents/openai.yaml +6 -0
- package/skills/research/SKILL.md +166 -0
- package/skills/research/agents/openai.yaml +6 -0
- package/skills/review/SKILL.md +267 -0
- package/skills/review/references/deep-review.md +98 -0
- package/skills/review/references/review-lenses.md +68 -0
- package/skills/review/references/substrate-side-effects.md +161 -0
- package/skills/review/references/target-resolution.md +52 -0
- package/skills/scope/SKILL.md +486 -0
- package/work-view/Cargo.lock +486 -0
- package/work-view/Cargo.toml +9 -0
- package/work-view/crates/cli/.work-view-version +1 -0
- package/work-view/crates/cli/Cargo.toml +18 -0
- package/work-view/crates/cli/src/actionable.rs +500 -0
- package/work-view/crates/cli/src/args.rs +792 -0
- package/work-view/crates/cli/src/board/assets/board.css +855 -0
- package/work-view/crates/cli/src/board/assets/board.js +259 -0
- package/work-view/crates/cli/src/board/assets/card.js +139 -0
- package/work-view/crates/cli/src/board/assets/components.css +290 -0
- package/work-view/crates/cli/src/board/assets/dependency.js +1193 -0
- package/work-view/crates/cli/src/board/assets/detail.js +256 -0
- package/work-view/crates/cli/src/board/assets/filters.js +389 -0
- package/work-view/crates/cli/src/board/assets/index.html +77 -0
- package/work-view/crates/cli/src/board/assets/kanban.js +231 -0
- package/work-view/crates/cli/src/board/assets/markdown.js +260 -0
- package/work-view/crates/cli/src/board/assets/motion.css +131 -0
- package/work-view/crates/cli/src/board/assets/state.js +245 -0
- package/work-view/crates/cli/src/board/assets/table.js +304 -0
- package/work-view/crates/cli/src/board/assets/tokens.css +602 -0
- package/work-view/crates/cli/src/board/assets/views.js +41 -0
- package/work-view/crates/cli/src/board/assets.rs +162 -0
- package/work-view/crates/cli/src/board/feed.rs +204 -0
- package/work-view/crates/cli/src/board/mod.rs +246 -0
- package/work-view/crates/cli/src/board/open.rs +144 -0
- package/work-view/crates/cli/src/board/server.rs +407 -0
- package/work-view/crates/cli/src/main.rs +195 -0
- package/work-view/crates/cli/src/render.rs +354 -0
- package/work-view/crates/cli/src/scope.rs +157 -0
- package/work-view/crates/cli/src/stale.rs +581 -0
- package/work-view/crates/cli/tests/board-js/dependency-table.test.mjs +64 -0
- package/work-view/crates/cli/tests/board-js/expanded-browsing.test.mjs +79 -0
- package/work-view/crates/cli/tests/board-js/harness-smoke.test.mjs +11 -0
- package/work-view/crates/cli/tests/board-js/harness.mjs +437 -0
- package/work-view/crates/cli/tests/board-js/kanban-detail.test.mjs +75 -0
- package/work-view/crates/cli/tests/board-js/markdown-filter.test.mjs +60 -0
- package/work-view/crates/cli/tests/fixtures/golden/.work/CONVENTIONS.md +3 -0
- package/work-view/crates/cli/tests/fixtures/golden/.work/active/epics/epic-alpha.md +16 -0
- package/work-view/crates/cli/tests/fixtures/golden/.work/active/features/feat-a.md +16 -0
- package/work-view/crates/cli/tests/fixtures/golden/.work/active/features/feat-b.md +16 -0
- package/work-view/crates/cli/tests/fixtures/golden/.work/active/stories/story-alpha-1.md +16 -0
- package/work-view/crates/cli/tests/fixtures/golden/.work/active/stories/story-research-1.md +19 -0
- package/work-view/crates/cli/tests/fixtures/golden/.work/archive/feat-done.md +16 -0
- package/work-view/crates/cli/tests/fixtures/golden/.work/archive/feat-shipped.md +18 -0
- package/work-view/crates/cli/tests/fixtures/golden/.work/backlog/idea-backlog.md +7 -0
- package/work-view/crates/cli/tests/fixtures/golden/.work/releases/v1.0/v1.0.md +16 -0
- package/work-view/crates/cli/tests/fixtures/ready-drafting/.work/CONVENTIONS.md +6 -0
- package/work-view/crates/cli/tests/fixtures/ready-drafting/.work/active/features/feat-dep-done.md +17 -0
- package/work-view/crates/cli/tests/fixtures/ready-drafting/.work/active/features/feat-design-ready.md +17 -0
- package/work-view/crates/cli/tests/fixtures/ready-drafting/.work/active/features/feat-impl-ready.md +17 -0
- package/work-view/crates/cli/tests/fixtures/ready-drafting/.work/active/stories/story-review-ready.md +17 -0
- package/work-view/crates/cli/tests/fixtures/with-malformed/.work/CONVENTIONS.md +4 -0
- package/work-view/crates/cli/tests/fixtures/with-malformed/.work/active/epics/malformed-no-closing-fence.md +8 -0
- package/work-view/crates/cli/tests/fixtures/with-malformed/.work/active/features/good-item.md +16 -0
- package/work-view/crates/cli/tests/integration.rs +2833 -0
- package/work-view/crates/core/Cargo.toml +13 -0
- package/work-view/crates/core/src/error.rs +61 -0
- package/work-view/crates/core/src/filter.rs +804 -0
- package/work-view/crates/core/src/graph.rs +324 -0
- package/work-view/crates/core/src/index.rs +590 -0
- package/work-view/crates/core/src/lib.rs +54 -0
- package/work-view/crates/core/src/model.rs +202 -0
- package/work-view/crates/core/src/parse.rs +494 -0
- package/work-view/crates/core/tests/fixtures/golden/.work/CONVENTIONS.md +15 -0
- package/work-view/crates/core/tests/fixtures/golden/.work/active/epics/epic-core.md +16 -0
- package/work-view/crates/core/tests/fixtures/golden/.work/active/features/feat-parser.md +16 -0
- package/work-view/crates/core/tests/fixtures/golden/.work/active/features/feat-query.md +16 -0
- package/work-view/crates/core/tests/fixtures/golden/.work/active/stories/malformed-no-id.md +15 -0
- package/work-view/crates/core/tests/fixtures/golden/.work/active/stories/story-parse-unit.md +16 -0
- package/work-view/crates/core/tests/fixtures/golden/.work/active/stories/story-security-gate.md +16 -0
- package/work-view/crates/core/tests/fixtures/golden/.work/archive/feat-old.md +16 -0
- package/work-view/crates/core/tests/fixtures/golden/.work/archive/feat-parser.md +17 -0
- package/work-view/crates/core/tests/fixtures/golden/.work/backlog/idea-future-board.md +7 -0
- package/work-view/crates/core/tests/fixtures/golden/.work/releases/v1.0/v1.0.md +16 -0
- package/work-view/crates/core/tests/fixtures/precedence/.work/CONVENTIONS.md +10 -0
- package/work-view/crates/core/tests/fixtures/precedence/.work/archive/dup-item.md +18 -0
- package/work-view/crates/core/tests/fixtures/precedence/.work/releases/v2.0/dup-item.md +18 -0
- package/work-view/crates/core/tests/integration.rs +541 -0
- package/work-view/dist/.gitattributes +1 -0
- package/work-view/dist/README.md +42 -0
- package/work-view/dist/aarch64-apple-darwin/work-view +0 -0
- package/work-view/dist/aarch64-unknown-linux-musl/work-view +0 -0
- package/work-view/dist/x86_64-apple-darwin/work-view +0 -0
- package/work-view/dist/x86_64-unknown-linux-musl/work-view +0 -0
|
@@ -0,0 +1,408 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: gate-refactor
|
|
3
|
+
description: >
|
|
4
|
+
Refactor gate that discovers scan-rule libraries declared in the host project (default roots:
|
|
5
|
+
{project}/.agents/skills/scan-*/SKILL.md and {project}/.claude/skills/scan-*/SKILL.md; configurable
|
|
6
|
+
via CONVENTIONS.md: gate_refactor_scan_library_roots), loads every discovered library, checks the
|
|
7
|
+
release bundle's changed files against all loaded rules, and produces findings as items with
|
|
8
|
+
gate_origin:refactor; routing tag declared per library (libraries whose fixes are
|
|
9
|
+
behavior-preserving declare findings-route:refactor; behavior-changing libraries declare no route —
|
|
10
|
+
findings emit untagged and route through normal feature/story design). Rule libraries are
|
|
11
|
+
deployment-local — the gate ships the mechanism; adopters supply the rules. Auto-triggers during
|
|
12
|
+
/agile-workflow:release-deploy when the host project opts in via CONVENTIONS.md: gates_for_release:
|
|
13
|
+
[..., refactor, ...]. No-libraries behavior: graceful skip (logs "no scan-* libraries discovered"
|
|
14
|
+
and continues). Item-producer, NOT a pass/fail report.
|
|
15
|
+
---
|
|
16
|
+
|
|
17
|
+
# Gate-Refactor
|
|
18
|
+
|
|
19
|
+
You orchestrate a refactor gate over the items bound to a release. You discover scan-rule
|
|
20
|
+
libraries the host project has installed, load them, and dispatch a **deep refactor scanner agent**
|
|
21
|
+
to check the release bundle's changed files against every loaded rule. Your role is library
|
|
22
|
+
discovery, bundle preparation, scanner dispatch, and converting findings into substrate items.
|
|
23
|
+
|
|
24
|
+
This gate ships **the mechanism, not the rules**. The scan rule libraries that supply the actual
|
|
25
|
+
rules live under the host project's configured `gate_refactor_scan_library_roots` (default:
|
|
26
|
+
`{project}/.agents/skills` and `{project}/.claude/skills`). The gate requires no built-in rule
|
|
27
|
+
knowledge — it adapts to whatever libraries the deploying project provides. This is why the gate is
|
|
28
|
+
opt-in (not in the default `gates_for_release` list): an install with no rule libraries has nothing
|
|
29
|
+
to check, and that is by design, not an error.
|
|
30
|
+
|
|
31
|
+
Scanner strength is explicit: spawn exactly one source-read-only deep refactor
|
|
32
|
+
scanner with the strongest inspection/reviewer setting the host exposes. Use a generic sub-agent prompted with the scanner posture from `../principles/references/subagents.md`. Use extra-high reasoning
|
|
33
|
+
for large/polyglot release bundles or when multiple libraries carry dense rule
|
|
34
|
+
sets. If the host has no scanner path, run the scan inline and record
|
|
35
|
+
the reduced isolation in the release body.
|
|
36
|
+
|
|
37
|
+
## Trigger
|
|
38
|
+
|
|
39
|
+
- `/agile-workflow:release-deploy` invokes during `quality-gate` stage when `gates_for_release`
|
|
40
|
+
in `.work/CONVENTIONS.md` includes `refactor`.
|
|
41
|
+
- User can invoke manually: `/agile-workflow:gate-refactor <release-version>`
|
|
42
|
+
|
|
43
|
+
**Opt-in gate.** The default `gates_for_release` list does not include `refactor`. Add it
|
|
44
|
+
explicitly when your project has scan-rule libraries to enforce:
|
|
45
|
+
|
|
46
|
+
```
|
|
47
|
+
gates_for_release: [security, tests, cruft, docs, patterns, refactor]
|
|
48
|
+
```
|
|
49
|
+
|
|
50
|
+
## Workflow
|
|
51
|
+
|
|
52
|
+
### Phase 1: Identify bundle changes
|
|
53
|
+
|
|
54
|
+
```bash
|
|
55
|
+
# Bound non-release items. `--release` auto-widens to ALL tiers (active + archive + releases).
|
|
56
|
+
# Include late-bound archived stubs; their bodies may be pruned, but their item id is still
|
|
57
|
+
# present and can recover the bundle commits/files. Ignore only the release orchestration item.
|
|
58
|
+
.work/bin/work-view --release <version> --paths | while IFS= read -r item; do
|
|
59
|
+
kind=$(grep -m1 '^kind:' "$item" | awk '{print $2}')
|
|
60
|
+
[ "$kind" = "release" ] && continue
|
|
61
|
+
echo "$item"
|
|
62
|
+
done > /tmp/bundle-items-<version>.txt
|
|
63
|
+
|
|
64
|
+
# Files changed by the bundle. For archived stubs, the body is pruned on disk by design; use the
|
|
65
|
+
# item id to find implementation commits instead of treating the missing body as a skip reason.
|
|
66
|
+
while IFS= read -r item; do
|
|
67
|
+
id=$(grep -m1 '^id:' "$item" | awk '{print $2}')
|
|
68
|
+
git log --grep "$id" --format='%H' | xargs -I{} git diff-tree --no-commit-id --name-only -r {}
|
|
69
|
+
done < /tmp/bundle-items-<version>.txt | sort -u > /tmp/bundle-files-<version>.txt
|
|
70
|
+
```
|
|
71
|
+
|
|
72
|
+
### Phase 2: Discover scan-rule libraries (idempotency prep)
|
|
73
|
+
|
|
74
|
+
Read `gate_refactor_scan_library_roots` from `.work/CONVENTIONS.md`. If absent, use the default
|
|
75
|
+
plugin-canonical and Claude-compat roots:
|
|
76
|
+
|
|
77
|
+
```yaml
|
|
78
|
+
gate_refactor_scan_library_roots:
|
|
79
|
+
- .agents/skills
|
|
80
|
+
- .claude/skills
|
|
81
|
+
```
|
|
82
|
+
|
|
83
|
+
Resolve relative roots from the project/substrate root; absolute roots are allowed. For each
|
|
84
|
+
configured root, glob `<root>/scan-*/SKILL.md`. If a configured root points outside the project
|
|
85
|
+
tree, continue but treat it as a trust-boundary expansion: the gate will load instructions and
|
|
86
|
+
reference files from that location.
|
|
87
|
+
|
|
88
|
+
For each discovered `SKILL.md`, in configured root order:
|
|
89
|
+
1. Read the `SKILL.md` fully — its frontmatter `description` and body carry the rules the gate
|
|
90
|
+
must enforce.
|
|
91
|
+
2. Read all files in the library's `references/` directory (if present) — reference files carry
|
|
92
|
+
the detailed per-rule specifications.
|
|
93
|
+
3. Derive a **library tag** from the directory name by stripping `scan-` (e.g., `scan-wcag-aa`
|
|
94
|
+
→ `wcag-aa`, `scan-structural` → `structural`).
|
|
95
|
+
4. Read the library's **routing declaration**: look for a `findings-route:` line in the SKILL.md
|
|
96
|
+
body (format: `findings-route: refactor` or `findings-route: none`). This line declares whether
|
|
97
|
+
the library's findings carry `tags: [refactor]`. If the line is absent, the default is **no
|
|
98
|
+
routing tag** — untagged is safe-by-default (feature-design handles everything; the `[refactor]`
|
|
99
|
+
route is the optimization a library opts into by asserting its fixes are behavior-preserving).
|
|
100
|
+
Record the routing decision per library for use in Phase 4.
|
|
101
|
+
5. If another discovered library has the same derived library tag, keep the first one discovered
|
|
102
|
+
and skip the duplicate. This preserves current `.agents/skills` before `.claude/skills`
|
|
103
|
+
precedence under the defaults and makes custom-root precedence follow configured root order.
|
|
104
|
+
|
|
105
|
+
**No-libraries behavior:** if all configured roots return zero results, log to the release body:
|
|
106
|
+
|
|
107
|
+
```
|
|
108
|
+
gate-refactor (<date>) — no scan-* rule libraries discovered; gate-refactor has nothing to
|
|
109
|
+
check. To activate: install a scan-rule library under gate_refactor_scan_library_roots
|
|
110
|
+
(default: {project}/.agents/skills/scan-<name>/ or {project}/.claude/skills/scan-<name>/).
|
|
111
|
+
See gate-refactor/SKILL.md for the library contract.
|
|
112
|
+
```
|
|
113
|
+
|
|
114
|
+
Then continue the gate sequence. This is not an error — the gate is designed to ship
|
|
115
|
+
content-free when no libraries are installed.
|
|
116
|
+
|
|
117
|
+
Read existing gate items (idempotency prep):
|
|
118
|
+
|
|
119
|
+
```bash
|
|
120
|
+
.work/bin/work-view --release <version> --gate refactor --paths
|
|
121
|
+
```
|
|
122
|
+
|
|
123
|
+
Capture the set of `(file:line, rule-slug)` already-tracked findings to feed into the
|
|
124
|
+
scanner brief so it skips duplicates.
|
|
125
|
+
|
|
126
|
+
### Phase 3: Dispatch the refactor scanner
|
|
127
|
+
|
|
128
|
+
If at least one library was discovered, spawn ONE source-read-only deep scanner
|
|
129
|
+
agent with the full scan brief. Use a generic sub-agent prompted with the scanner
|
|
130
|
+
posture from `../principles/references/subagents.md` and the strongest
|
|
131
|
+
inspection/reviewer setting the host exposes, escalating for large/polyglot
|
|
132
|
+
bundles or dense rule sets. If scanner agents are unavailable, run the scan
|
|
133
|
+
inline and record the reduced isolation in the release body.
|
|
134
|
+
|
|
135
|
+
The scanner checks all rules from all libraries in one pass per file, returning structured
|
|
136
|
+
findings. Dispatching one scanner with the full library set (rather than one per library) avoids
|
|
137
|
+
M-times-N redundant file reads and allows cross-library finding deduplication.
|
|
138
|
+
|
|
139
|
+
**Brief template**:
|
|
140
|
+
|
|
141
|
+
> You are conducting a refactor gate scan for release `<version>` as an agile-workflow
|
|
142
|
+
> scanner. Use read/search/shell tools as needed. Scan ONLY the bundle's changed files —
|
|
143
|
+
> not the whole repo. Do not spawn nested sub-agents or implement fixes.
|
|
144
|
+
>
|
|
145
|
+
> **Bundle scope** (files changed by the bundle):
|
|
146
|
+
> ```
|
|
147
|
+
> <bundle-files>
|
|
148
|
+
> ```
|
|
149
|
+
>
|
|
150
|
+
> **Loaded rule libraries** (N libraries discovered):
|
|
151
|
+
>
|
|
152
|
+
> For each library `<tag>` (e.g. `structural`, `wcag-aa`):
|
|
153
|
+
>
|
|
154
|
+
> **Library: `<tag>`** (source: `{project}/.agents/skills/scan-<name>/` or `{project}/.claude/skills/scan-<name>/`)
|
|
155
|
+
> ```
|
|
156
|
+
> <full SKILL.md content>
|
|
157
|
+
> ```
|
|
158
|
+
> Reference files:
|
|
159
|
+
> ```
|
|
160
|
+
> <full content of each file in references/>
|
|
161
|
+
> ```
|
|
162
|
+
>
|
|
163
|
+
> **Already-tracked findings to skip**:
|
|
164
|
+
> ```
|
|
165
|
+
> <(file:line, rule-slug) pairs already written as items>
|
|
166
|
+
> ```
|
|
167
|
+
>
|
|
168
|
+
> **Instructions**:
|
|
169
|
+
>
|
|
170
|
+
> 1. Read every file in the bundle scope.
|
|
171
|
+
> 2. For each file, check against all rules from all loaded libraries in a single pass.
|
|
172
|
+
> 3. For each finding, record:
|
|
173
|
+
> - **Library tag**: which library's rule was violated (e.g. `structural`).
|
|
174
|
+
> - **Rule slug**: which specific rule was violated (from the library's rule inventory).
|
|
175
|
+
> - **File:line**: exact location.
|
|
176
|
+
> - **Issue**: one-sentence description of the violation.
|
|
177
|
+
> - **Fix**: specific proposed change (or "needs analysis" for findings requiring judgment).
|
|
178
|
+
> - **Confidence**: `high` / `medium` / `low` per the library's guidance for that rule.
|
|
179
|
+
> 4. Deduplicate against the already-tracked set.
|
|
180
|
+
> 5. Return findings as a structured list.
|
|
181
|
+
>
|
|
182
|
+
> **Rules**:
|
|
183
|
+
> - Scan only the bundle scope. Do not expand to the whole repo.
|
|
184
|
+
> - Cite file:line for every finding.
|
|
185
|
+
> - Do not fabricate findings. If a rule produces no matches, emit nothing for it.
|
|
186
|
+
> - Skip already-tracked findings (exact file:line + rule-slug match).
|
|
187
|
+
> - Confidence follows the library's own guidance for each rule. When the library
|
|
188
|
+
> does not specify, default to medium. Normalize any other severity vocabulary a
|
|
189
|
+
> library uses (e.g. critical/info, numeric scores) onto `high`/`medium`/`low`
|
|
190
|
+
> rather than defaulting mismatches to medium.
|
|
191
|
+
>
|
|
192
|
+
> **Output format** — return a single markdown document with:
|
|
193
|
+
>
|
|
194
|
+
> ```
|
|
195
|
+
> ## Findings
|
|
196
|
+
>
|
|
197
|
+
> ### Finding 1
|
|
198
|
+
> - **Title**: <one-line description>
|
|
199
|
+
> - **Library**: <library-tag>
|
|
200
|
+
> - **Rule**: <rule-slug>
|
|
201
|
+
> - **Confidence**: High | Medium | Low
|
|
202
|
+
> - **Location**: `<file>:<line>`
|
|
203
|
+
> - **Issue**: <one sentence>
|
|
204
|
+
> - **Fix**: <specific proposed change or "needs analysis">
|
|
205
|
+
>
|
|
206
|
+
> ### Finding 2
|
|
207
|
+
> ...
|
|
208
|
+
> ```
|
|
209
|
+
>
|
|
210
|
+
> Followed by:
|
|
211
|
+
>
|
|
212
|
+
> ```
|
|
213
|
+
> ## Scan summary
|
|
214
|
+
> - Libraries loaded: <list of library tags>
|
|
215
|
+
> - Files scanned: <count>
|
|
216
|
+
> - Findings by confidence: High=<n>, Medium=<n>, Low=<n>
|
|
217
|
+
> ```
|
|
218
|
+
|
|
219
|
+
### Phase 4: Convert findings to items
|
|
220
|
+
|
|
221
|
+
For each finding the scanner returned:
|
|
222
|
+
|
|
223
|
+
Read `gate_finding_routing` from `.work/CONVENTIONS.md` before writing items. If absent, use the
|
|
224
|
+
default routing below. Normalize refactor confidence to routing keys as: `High -> high`,
|
|
225
|
+
`Medium -> medium`, and `Low -> low`. If a normalized key maps to `skip`, do not emit an item for
|
|
226
|
+
that finding; include the skipped count in the gate output and release-body gate-run record. If it
|
|
227
|
+
maps to `backlog`, write a `.work/backlog/` item instead of an active story.
|
|
228
|
+
|
|
229
|
+
**`gate_origin: refactor` is unconditional** — it records which gate produced the item, not the
|
|
230
|
+
nature of the fix. The `tags:` field is determined by the source library's routing declaration:
|
|
231
|
+
- Library declared `findings-route: refactor` → `tags: [refactor]` (behavior-preserving; routes
|
|
232
|
+
through refactor-design).
|
|
233
|
+
- Library declared `findings-route: none` or declaration absent → `tags: []` (behavior-changing or
|
|
234
|
+
unclassified; routes through the normal feature/story design path).
|
|
235
|
+
|
|
236
|
+
The rationale: `[refactor]` is strictly behavior-preserving by definition (black-box test — no
|
|
237
|
+
observable behavior change for any caller of the public surface). Libraries whose fixes change
|
|
238
|
+
observable behavior — a11y improvements, SEO changes, API corrections — must not carry the tag or
|
|
239
|
+
refactor-design will bounce them as mistagged.
|
|
240
|
+
|
|
241
|
+
**Example: behavior-preserving library (e.g. `scan-structural`, `findings-route: refactor`)**
|
|
242
|
+
|
|
243
|
+
```yaml
|
|
244
|
+
---
|
|
245
|
+
id: gate-refactor-<short-slug>
|
|
246
|
+
kind: story
|
|
247
|
+
stage: implementing | drafting # by gate_finding_routing
|
|
248
|
+
tags: [refactor]
|
|
249
|
+
parent: null
|
|
250
|
+
depends_on: []
|
|
251
|
+
release_binding: <version>
|
|
252
|
+
gate_origin: refactor
|
|
253
|
+
created: YYYY-MM-DD
|
|
254
|
+
updated: YYYY-MM-DD
|
|
255
|
+
---
|
|
256
|
+
```
|
|
257
|
+
|
|
258
|
+
**Example: behavior-changing library (e.g. `scan-wcag-aa`, no findings-route declaration)**
|
|
259
|
+
|
|
260
|
+
```yaml
|
|
261
|
+
---
|
|
262
|
+
id: gate-refactor-<short-slug>
|
|
263
|
+
kind: story
|
|
264
|
+
stage: implementing | drafting # by gate_finding_routing
|
|
265
|
+
tags: []
|
|
266
|
+
parent: null
|
|
267
|
+
depends_on: []
|
|
268
|
+
release_binding: <version>
|
|
269
|
+
gate_origin: refactor
|
|
270
|
+
created: YYYY-MM-DD
|
|
271
|
+
updated: YYYY-MM-DD
|
|
272
|
+
---
|
|
273
|
+
```
|
|
274
|
+
|
|
275
|
+
Item body (same for both cases):
|
|
276
|
+
|
|
277
|
+
```markdown
|
|
278
|
+
# <one-line description>
|
|
279
|
+
|
|
280
|
+
## Library
|
|
281
|
+
<library-tag>
|
|
282
|
+
|
|
283
|
+
## Rule
|
|
284
|
+
<rule-slug>
|
|
285
|
+
|
|
286
|
+
## Confidence
|
|
287
|
+
High | Medium | Low
|
|
288
|
+
|
|
289
|
+
## Location
|
|
290
|
+
`<file>:<line>`
|
|
291
|
+
|
|
292
|
+
## Issue
|
|
293
|
+
<one-sentence violation description>
|
|
294
|
+
|
|
295
|
+
## Fix
|
|
296
|
+
<specific proposed change, or "needs analysis" for medium/low>
|
|
297
|
+
```
|
|
298
|
+
|
|
299
|
+
Default confidence -> placement mapping:
|
|
300
|
+
|
|
301
|
+
| Confidence | Stage | Tier |
|
|
302
|
+
|---|---|---|
|
|
303
|
+
| High | `stage: implementing` | `.work/active/stories/` |
|
|
304
|
+
| Medium | `stage: drafting` | `.work/active/stories/` |
|
|
305
|
+
| Low | backlog file | `.work/backlog/` |
|
|
306
|
+
|
|
307
|
+
Slug: derive from library tag + rule slug + file fragment (e.g.
|
|
308
|
+
`gate-refactor-structural-routes-api`, `gate-refactor-wcag-aa-missing-alt`). If the derived
|
|
309
|
+
slug already exists (same rule firing twice in one file or across runs), append a counter
|
|
310
|
+
suffix (`-2`, `-3`, …) to keep slugs unique.
|
|
311
|
+
|
|
312
|
+
### Phase 5: Update the release body
|
|
313
|
+
|
|
314
|
+
Append to the release body's gate-runs section:
|
|
315
|
+
|
|
316
|
+
```markdown
|
|
317
|
+
- **gate-refactor** (YYYY-MM-DD) — N findings (H high, M medium, L low) from K libraries:
|
|
318
|
+
<library-tag-1> (<n> findings), <library-tag-2> (<n> findings)
|
|
319
|
+
```
|
|
320
|
+
|
|
321
|
+
If no libraries were discovered, append the no-libraries log entry from Phase 2 instead.
|
|
322
|
+
|
|
323
|
+
### Phase 6: Commit
|
|
324
|
+
|
|
325
|
+
```bash
|
|
326
|
+
git add .work/active/stories/ .work/backlog/ .work/active/release-<version>.md
|
|
327
|
+
git commit -m "gate-refactor: <N> findings for <version> (<library-tags>)"
|
|
328
|
+
```
|
|
329
|
+
|
|
330
|
+
If no findings and no libraries: `gate-refactor: no libraries discovered for <version> — gate skipped`.
|
|
331
|
+
If no findings but libraries ran: `gate-refactor: 0 findings for <version> (<library-tags> — clean)`.
|
|
332
|
+
|
|
333
|
+
## Output
|
|
334
|
+
|
|
335
|
+
In conversation:
|
|
336
|
+
- **Bundle**: `<version>` — `<N>` items audited, `<M>` files changed
|
|
337
|
+
- **Libraries**: count and tags (`structural`, `wcag-aa`, ...) or "none discovered"
|
|
338
|
+
- **Findings**: count by confidence (High / Medium / Low), or "no findings"
|
|
339
|
+
- **Items created**: count, with new ids
|
|
340
|
+
- **Already-tracked**: count skipped
|
|
341
|
+
|
|
342
|
+
## Guardrails
|
|
343
|
+
|
|
344
|
+
- **The scan happens in the scanner agent, not here.** Your job is library discovery, bundle prep,
|
|
345
|
+
dispatch, and item-writing. Do not replicate the scanner's analysis.
|
|
346
|
+
- Scan only the bundle's changed files, not the whole repo.
|
|
347
|
+
- Never apply fixes in this skill — produce items only.
|
|
348
|
+
- **No-libraries is not an error.** Graceful skip with a log entry is the correct behavior when
|
|
349
|
+
no scan-* libraries are installed.
|
|
350
|
+
- Pass already-tracked findings into the scanner brief so it skips duplicates (idempotency).
|
|
351
|
+
- Include archive stubs returned by `work-view --release <version> --paths`. Late-bound archived
|
|
352
|
+
stubs are part of the release bundle and must be scanned from their associated commits/files,
|
|
353
|
+
even when their on-disk bodies are pruned.
|
|
354
|
+
- Do NOT add `refactor` to the default `gates_for_release` list. The gate is opt-in by design.
|
|
355
|
+
Deployers with no scan-rule libraries would get a no-op gate on every release — unnecessary
|
|
356
|
+
overhead. Adopters opt in by editing their `.work/CONVENTIONS.md`.
|
|
357
|
+
|
|
358
|
+
## Library contract (for adopters writing scan-rule libraries)
|
|
359
|
+
|
|
360
|
+
A scan-rule library declares itself by its directory name and the content of its SKILL.md:
|
|
361
|
+
|
|
362
|
+
- **Location**: `<root>/scan-<name>/SKILL.md`, where `<root>` comes from
|
|
363
|
+
`gate_refactor_scan_library_roots` in `.work/CONVENTIONS.md` (default:
|
|
364
|
+
`{project}/.agents/skills` then `{project}/.claude/skills`). Duplicate names are merged by
|
|
365
|
+
derived library tag; the first discovered library wins, so configured root order determines
|
|
366
|
+
precedence.
|
|
367
|
+
- **SKILL.md content**: the `description` frontmatter field and the body carry the rules. The
|
|
368
|
+
gate reads the full SKILL.md and all files in `references/` as the library declaration.
|
|
369
|
+
- **Rule format**: each rule should carry a slug (for deduplication), a description of what
|
|
370
|
+
constitutes a violation, and confidence guidance (when does a match warrant `high` vs. `medium`
|
|
371
|
+
vs. `low` confidence). These three values are the **required vocabulary** — the gate and
|
|
372
|
+
downstream tooling map directly on them.
|
|
373
|
+
- **Routing declaration** (one line in the SKILL.md **body** — NOT a frontmatter key; the gate
|
|
374
|
+
scans the body for this line, so a frontmatter placement would be silently missed):
|
|
375
|
+
```
|
|
376
|
+
findings-route: refactor
|
|
377
|
+
```
|
|
378
|
+
Declares that this library's rules are **behavior-preserving** (structural, stylistic, dead-code
|
|
379
|
+
removal) — every fix passes the black-box test: no observable behavior change for any caller of
|
|
380
|
+
the public surface. Findings from this library carry `tags: [refactor]` and may route through
|
|
381
|
+
`refactor-design`.
|
|
382
|
+
|
|
383
|
+
**Default when absent: no routing tag.** Libraries whose fixes are **behavior-changing** (a11y,
|
|
384
|
+
SEO, API corrections, anything altering observable behavior for any consumer) omit the
|
|
385
|
+
declaration or set `findings-route: none`. Their findings emit without a `[refactor]` tag and
|
|
386
|
+
route through the normal feature/story design path. Untagged is the safe default — feature-design
|
|
387
|
+
handles everything; the `[refactor]` route is the optimization a library opts into by asserting
|
|
388
|
+
behavior-preservation.
|
|
389
|
+
- **No registration required**: the gate discovers libraries by glob. No manifest entry needed.
|
|
390
|
+
|
|
391
|
+
Example library skeleton (behavior-preserving — opts in to `[refactor]` routing):
|
|
392
|
+
|
|
393
|
+
```
|
|
394
|
+
{project}/.agents/skills/scan-structural/
|
|
395
|
+
SKILL.md ← library declaration + rule inventory + findings-route: refactor
|
|
396
|
+
references/
|
|
397
|
+
api-shape.md ← detailed rule: API structural conventions
|
|
398
|
+
error-shape.md ← detailed rule: error-handling conventions
|
|
399
|
+
```
|
|
400
|
+
|
|
401
|
+
Example library skeleton (behavior-changing — omits routing declaration):
|
|
402
|
+
|
|
403
|
+
```
|
|
404
|
+
{project}/.agents/skills/scan-wcag-aa/
|
|
405
|
+
SKILL.md ← library declaration + rule inventory (no findings-route line)
|
|
406
|
+
references/
|
|
407
|
+
wcag-aa-rules.md ← detailed WCAG 2.x AA rule set
|
|
408
|
+
```
|
|
@@ -0,0 +1,275 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: gate-security
|
|
3
|
+
description: >
|
|
4
|
+
Security gate that scans items bound to a release and produces items as findings. Delegates the full
|
|
5
|
+
audit to a deep security scanner agent which discovers stack, picks relevant security domains
|
|
6
|
+
(auth, injection, secrets, deps, API, infra, crypto, data protection, error handling), audits the
|
|
7
|
+
bundle's code changes, and returns findings. The orchestrator converts findings into items in
|
|
8
|
+
.work/active/ with gate_origin:security and appropriate tags. Auto-triggers during
|
|
9
|
+
/agile-workflow:release-deploy quality-gate stage. Item-producer, NOT a pass/fail report.
|
|
10
|
+
---
|
|
11
|
+
|
|
12
|
+
# Gate-Security
|
|
13
|
+
|
|
14
|
+
You orchestrate a security gate over the items bound to a release. The actual
|
|
15
|
+
audit runs inside a **deep security scanner agent** (a generic sub-agent prompted with the scanner posture from `../principles/references/subagents.md`); your role is to prepare the bundle context,
|
|
16
|
+
dispatch the scanner, and convert the findings it returns into items in the
|
|
17
|
+
substrate.
|
|
18
|
+
|
|
19
|
+
Scanner strength is explicit: spawn exactly one source-read-only deep security
|
|
20
|
+
scanner with the strongest inspection/reviewer setting the host exposes. Use a generic sub-agent prompted with the scanner posture from `../principles/references/subagents.md`. Use extra-high reasoning
|
|
21
|
+
only for auth, crypto, data-loss, broad public API, or large/polyglot release
|
|
22
|
+
bundles. If the host has no scanner path, run the audit inline and
|
|
23
|
+
record the reduced isolation in the release body.
|
|
24
|
+
|
|
25
|
+
This is NOT a standalone audit (for that, use a standalone `repo-eval` skill). This
|
|
26
|
+
is a gate over a specific release bundle, producing items the release-deploy
|
|
27
|
+
flow can drain to `done` before shipping.
|
|
28
|
+
|
|
29
|
+
## Trigger
|
|
30
|
+
|
|
31
|
+
- `/agile-workflow:release-deploy` invokes this during the `quality-gate` stage
|
|
32
|
+
- User can invoke manually: `/agile-workflow:gate-security <release-version>`
|
|
33
|
+
|
|
34
|
+
## Workflow
|
|
35
|
+
|
|
36
|
+
### Phase 1: Identify the bundle
|
|
37
|
+
|
|
38
|
+
If a release version was provided:
|
|
39
|
+
```bash
|
|
40
|
+
# Bound non-release items. `--release` auto-widens to ALL tiers (active + archive + releases).
|
|
41
|
+
# Include late-bound archived stubs; their bodies may be pruned, but their item id is still
|
|
42
|
+
# present and can recover the bundle commits/files. Ignore only the release orchestration item.
|
|
43
|
+
.work/bin/work-view --release <version> --paths | while IFS= read -r item; do
|
|
44
|
+
kind=$(grep -m1 '^kind:' "$item" | awk '{print $2}')
|
|
45
|
+
[ "$kind" = "release" ] && continue
|
|
46
|
+
echo "$item"
|
|
47
|
+
done > /tmp/bundle-items-<version>.txt
|
|
48
|
+
```
|
|
49
|
+
|
|
50
|
+
Otherwise, find the active release file (the one at `stage: planned` or
|
|
51
|
+
`stage: quality-gate`) and use its version.
|
|
52
|
+
|
|
53
|
+
If no items are bound (the bundle-items file is empty), halt with: "No items
|
|
54
|
+
bound to release `<version>`. Bind items first via
|
|
55
|
+
`/agile-workflow:release-deploy`."
|
|
56
|
+
|
|
57
|
+
Build the union of files changed by the bundle. For archived stubs, the body is pruned on disk by
|
|
58
|
+
design; use the item id to find implementation commits instead of treating the missing body as a
|
|
59
|
+
skip reason:
|
|
60
|
+
|
|
61
|
+
```bash
|
|
62
|
+
while IFS= read -r item; do
|
|
63
|
+
id=$(grep -m1 '^id:' "$item" | awk '{print $2}')
|
|
64
|
+
git log --grep "$id" --format='%H' | xargs -I{} git diff-tree --no-commit-id --name-only -r {}
|
|
65
|
+
done < /tmp/bundle-items-<version>.txt | sort -u > /tmp/bundle-files-<version>.txt
|
|
66
|
+
```
|
|
67
|
+
|
|
68
|
+
### Phase 2: Read existing gate items (idempotency prep)
|
|
69
|
+
|
|
70
|
+
```bash
|
|
71
|
+
.work/bin/work-view --release <version> --gate security --paths
|
|
72
|
+
```
|
|
73
|
+
|
|
74
|
+
Capture the set of `(file:line, severity)` already-tracked findings so the
|
|
75
|
+
scanner can be told to skip duplicates.
|
|
76
|
+
|
|
77
|
+
### Phase 3: Dispatch the security scanner
|
|
78
|
+
|
|
79
|
+
Spawn ONE source-read-only deep scanner agent with the full audit brief. Use a generic sub-agent prompted with the scanner posture from `../principles/references/subagents.md` and the strongest
|
|
80
|
+
inspection/reviewer setting the host exposes, escalating for auth, crypto,
|
|
81
|
+
data-loss, broad public API, or large/polyglot bundles. If scanner agents
|
|
82
|
+
are unavailable, run the audit inline and record the reduced isolation in the
|
|
83
|
+
release body. The scanner does all of the analysis end-to-end — stack discovery,
|
|
84
|
+
domain selection, domain audit passes, severity classification — and returns
|
|
85
|
+
structured findings.
|
|
86
|
+
|
|
87
|
+
**Brief template** (substitute `<version>`, `<bundle-files>`,
|
|
88
|
+
`<bound-item-ids>`, `<already-tracked>`):
|
|
89
|
+
|
|
90
|
+
> You are conducting a security gate audit for release `<version>` as an
|
|
91
|
+
> agile-workflow scanner. Use read/search/shell/current-source lookup tools as
|
|
92
|
+
> needed, but do not spawn nested sub-agents or implement fixes.
|
|
93
|
+
>
|
|
94
|
+
> **Bundle scope** (audit ONLY these files; this is a release gate, not a
|
|
95
|
+
> repo-wide audit):
|
|
96
|
+
> ```
|
|
97
|
+
> <bundle-files>
|
|
98
|
+
> ```
|
|
99
|
+
>
|
|
100
|
+
> **Bound items** (an archived stub's body is pruned on disk — hydrate it from
|
|
101
|
+
> the stub's `git_ref` frontmatter via `git show <git_ref>:<path>`, trying the
|
|
102
|
+
> item's former `.work/active/` path at that ref): `<bound-item-ids>`
|
|
103
|
+
>
|
|
104
|
+
> **Already-tracked findings to skip** (do not re-report these):
|
|
105
|
+
> ```
|
|
106
|
+
> <already-tracked file:line / severity pairs>
|
|
107
|
+
> ```
|
|
108
|
+
>
|
|
109
|
+
> **Methodology**:
|
|
110
|
+
>
|
|
111
|
+
> 1. **Stack discovery** — read `package.json`, `tsconfig.json`, `Cargo.toml`,
|
|
112
|
+
> `go.mod`, `pyproject.toml`, `Dockerfile`, CI configs. Identify languages,
|
|
113
|
+
> frameworks, package managers, auth systems, entry points (API routes, CLI,
|
|
114
|
+
> serverless), infrastructure.
|
|
115
|
+
>
|
|
116
|
+
> 2. **Domain selection** — pick the relevant domains for this stack and the
|
|
117
|
+
> bundle's surface. The nine domains:
|
|
118
|
+
> 1. Authentication & Authorization — auth flows, sessions, RBAC/ABAC,
|
|
119
|
+
> tokens, password policies. Apps with user accounts; APIs with auth.
|
|
120
|
+
> 2. Input Validation & Injection — XSS, SQLi, command injection, path
|
|
121
|
+
> traversal, template injection, SSRF. Web apps, APIs.
|
|
122
|
+
> 3. Secrets & Configuration — hardcoded secrets, env leakage, insecure
|
|
123
|
+
> defaults, exposed config, `.env` in VCS. All projects.
|
|
124
|
+
> 4. Dependencies & Supply Chain — known CVEs, outdated packages, lockfile
|
|
125
|
+
> integrity, typosquatting risk, unnecessary deps. All projects with
|
|
126
|
+
> external deps.
|
|
127
|
+
> 5. Data Protection — encryption at rest/in transit, PII handling, log
|
|
128
|
+
> sanitization, secure deletion, backup security. Apps handling user
|
|
129
|
+
> data.
|
|
130
|
+
> 6. API Security — rate limiting, CORS, auth on all endpoints, mass
|
|
131
|
+
> assignment, response leakage, versioning. REST/GraphQL APIs.
|
|
132
|
+
> 7. Infrastructure & Deployment — Dockerfile security, CI/CD secrets,
|
|
133
|
+
> exposed ports, cloud IAM, container hardening, network policies.
|
|
134
|
+
> Deployed services.
|
|
135
|
+
> 8. Cryptography — weak algorithms, hardcoded keys, RNG, cert validation,
|
|
136
|
+
> key management. Apps doing encryption/signing.
|
|
137
|
+
> 9. Error Handling & Logging — stack trace leakage, audit gaps, PII in
|
|
138
|
+
> logs, missing error boundaries, verbose prod errors. All prod apps.
|
|
139
|
+
>
|
|
140
|
+
> 3. **Domain audit passes** — for each selected domain, audit the bundle's
|
|
141
|
+
> changed files against that domain's checklist. Use current-source lookup
|
|
142
|
+
> when needed to verify best practices for `<stack>+<domain>` combinations
|
|
143
|
+
> before judging.
|
|
144
|
+
>
|
|
145
|
+
> 4. **Severity classification** — every finding gets one of:
|
|
146
|
+
> | Severity | Meaning |
|
|
147
|
+
> |---|---|
|
|
148
|
+
> | Critical | Actively exploitable now (secrets in source, no auth on a public endpoint, plaintext password storage). Must fix before shipping. |
|
|
149
|
+
> | High | Significant control missing or known CVE in a deployed dep. Strong attacker leverage. Must fix before shipping. |
|
|
150
|
+
> | Medium | Hardening gap or non-obvious vuln requiring chained conditions. Should fix; can defer with explicit acknowledgement. |
|
|
151
|
+
> | Low | Defense-in-depth; minor info disclosure; outdated-but-not-vulnerable. Backlog. |
|
|
152
|
+
> | Info | Observation; not a finding. Don't return Info entries. |
|
|
153
|
+
>
|
|
154
|
+
> **Output format** — return a single markdown document with:
|
|
155
|
+
>
|
|
156
|
+
> ```
|
|
157
|
+
> ## Findings
|
|
158
|
+
>
|
|
159
|
+
> ### Finding 1
|
|
160
|
+
> - **Title**: <one-line>
|
|
161
|
+
> - **Severity**: Critical | High | Medium | Low
|
|
162
|
+
> - **Domain**: <domain name>
|
|
163
|
+
> - **Location**: `<file>:<line>`
|
|
164
|
+
> - **Evidence**:
|
|
165
|
+
> ```<lang>
|
|
166
|
+
> <1-5 lines of offending code>
|
|
167
|
+
> ```
|
|
168
|
+
> - **Remediation direction**: <direction, not finished fix>
|
|
169
|
+
>
|
|
170
|
+
> ### Finding 2
|
|
171
|
+
> ...
|
|
172
|
+
> ```
|
|
173
|
+
>
|
|
174
|
+
> Followed by:
|
|
175
|
+
>
|
|
176
|
+
> ```
|
|
177
|
+
> ## Audit summary
|
|
178
|
+
> - Stack: <one-line>
|
|
179
|
+
> - Domains audited: <list>
|
|
180
|
+
> - Files audited: <count>
|
|
181
|
+
> - Findings by severity: Critical=<n>, High=<n>, Medium=<n>, Low=<n>
|
|
182
|
+
> ```
|
|
183
|
+
>
|
|
184
|
+
> **Rules**:
|
|
185
|
+
> - Audit only the files listed in Bundle scope. Do NOT expand the audit.
|
|
186
|
+
> - Cite file:line for every finding.
|
|
187
|
+
> - Don't fabricate. If evidence is missing, don't report.
|
|
188
|
+
> - Skip findings that match the already-tracked list.
|
|
189
|
+
> - Don't implement fixes. Findings only.
|
|
190
|
+
|
|
191
|
+
### Phase 4: Convert findings to items
|
|
192
|
+
|
|
193
|
+
For each finding the scanner returned (above Info severity):
|
|
194
|
+
|
|
195
|
+
Read `gate_finding_routing` from `.work/CONVENTIONS.md` before writing items.
|
|
196
|
+
If absent, use the default routing below. Normalize security severity to routing
|
|
197
|
+
keys as: `Critical -> critical`, `High -> high`, `Medium -> medium`,
|
|
198
|
+
`Low -> low`, and `Info -> info` (Info is not returned as a finding by the
|
|
199
|
+
scanner, but the route is reserved for consistency). If a normalized key maps
|
|
200
|
+
to `skip`, do not emit an item for that finding; include the skipped count in
|
|
201
|
+
the gate output. If it maps to `backlog`, write a `.work/backlog/` item instead
|
|
202
|
+
of an active story.
|
|
203
|
+
|
|
204
|
+
```yaml
|
|
205
|
+
---
|
|
206
|
+
id: gate-security-<short-slug>
|
|
207
|
+
kind: story
|
|
208
|
+
stage: implementing # Critical or High
|
|
209
|
+
# OR drafting for Medium
|
|
210
|
+
# OR backlog file for Low
|
|
211
|
+
tags: [security]
|
|
212
|
+
parent: null
|
|
213
|
+
depends_on: []
|
|
214
|
+
release_binding: <version>
|
|
215
|
+
gate_origin: security
|
|
216
|
+
created: YYYY-MM-DD
|
|
217
|
+
updated: YYYY-MM-DD
|
|
218
|
+
---
|
|
219
|
+
|
|
220
|
+
# <one-line title>
|
|
221
|
+
|
|
222
|
+
## Severity
|
|
223
|
+
Critical | High | Medium | Low
|
|
224
|
+
|
|
225
|
+
## Domain
|
|
226
|
+
<domain>
|
|
227
|
+
|
|
228
|
+
## Location
|
|
229
|
+
`<file>:<line>`
|
|
230
|
+
|
|
231
|
+
## Evidence
|
|
232
|
+
\`\`\`<lang>
|
|
233
|
+
<short code snippet, 1-5 lines>
|
|
234
|
+
\`\`\`
|
|
235
|
+
|
|
236
|
+
## Remediation direction
|
|
237
|
+
<what should change — direction, not a finished fix>
|
|
238
|
+
```
|
|
239
|
+
|
|
240
|
+
Default severity -> placement mapping:
|
|
241
|
+
- **Critical** / **High** → `stage: implementing` in `.work/active/stories/`
|
|
242
|
+
- **Medium** → `stage: drafting` in `.work/active/stories/`
|
|
243
|
+
- **Low** → backlog file in `.work/backlog/` (not stage-managed)
|
|
244
|
+
- **Info** → skipped (no item emitted)
|
|
245
|
+
|
|
246
|
+
### Phase 5: Commit
|
|
247
|
+
|
|
248
|
+
```bash
|
|
249
|
+
git add .work/active/stories/ .work/backlog/
|
|
250
|
+
git commit -m "gate-security: <N> findings for <version>"
|
|
251
|
+
```
|
|
252
|
+
|
|
253
|
+
## Output
|
|
254
|
+
|
|
255
|
+
In conversation:
|
|
256
|
+
- **Bundle**: `<version>` — `<N>` items audited
|
|
257
|
+
- **Findings**: count by severity (Critical / High / Medium / Low)
|
|
258
|
+
- **Items created**: count, with new ids
|
|
259
|
+
- **Already-tracked**: count of duplicate findings skipped
|
|
260
|
+
- **Next**: gate-security adds to release readiness criteria. Release ships when
|
|
261
|
+
all bound items (including these) reach `stage: done`.
|
|
262
|
+
|
|
263
|
+
## Guardrails
|
|
264
|
+
|
|
265
|
+
- **The audit happens in the scanner agent, not here.** Your job is bundle
|
|
266
|
+
prep, dispatch, and item-writing. Don't replicate the scanner's analysis in
|
|
267
|
+
the orchestrator's context.
|
|
268
|
+
- Never implement fixes — produce items only.
|
|
269
|
+
- Always cite file:line in finding bodies.
|
|
270
|
+
- Don't fabricate findings. If the scanner returns nothing for a domain, it
|
|
271
|
+
returns nothing. Don't paper that over.
|
|
272
|
+
- Idempotent re-runs: pass already-tracked findings into the scanner brief so it
|
|
273
|
+
skips duplicates. Double-check on item-write before creating.
|
|
274
|
+
- Audit only the bundle's changes, not the whole repo. Repo-wide audits are
|
|
275
|
+
a standalone `repo-eval`'s job, not a release gate's.
|