@nklisch/pi-agile-workflow 0.16.1 → 0.16.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.claude-plugin/plugin.json +1 -1
- package/.codex-plugin/plugin.json +1 -1
- package/docs/ARCHITECTURE.md +23 -11
- package/docs/PRINCIPLES.md +84 -18
- package/docs/SPEC.md +19 -2
- package/docs/VISION.md +11 -6
- package/hooks/scripts/prompt-context.py +7 -1
- package/hooks/scripts/test_prompt_context.py +16 -0
- package/package.json +1 -1
- package/scripts/work-view.sh +1 -1
- package/skills/autopilot/SKILL.md +49 -34
- package/skills/convert/SKILL.md +27 -3
- package/skills/epic-design/SKILL.md +21 -3
- package/skills/feature-design/SKILL.md +34 -11
- package/skills/gate-cruft/SKILL.md +69 -24
- package/skills/gate-docs/SKILL.md +12 -5
- package/skills/gate-patterns/SKILL.md +7 -3
- package/skills/gate-refactor/SKILL.md +18 -6
- package/skills/gate-security/SKILL.md +16 -7
- package/skills/gate-tests/SKILL.md +86 -71
- package/skills/implement/SKILL.md +18 -8
- package/skills/principles/SKILL.md +67 -13
- package/skills/principles/references/advisory-review.md +8 -1
- package/skills/principles/references/code-design.md +62 -5
- package/skills/refactor-design/SKILL.md +23 -13
- package/skills/review/SKILL.md +36 -17
- package/skills/review/references/substrate-side-effects.md +17 -10
- package/skills/scope/SKILL.md +20 -7
- package/work-view/crates/cli/.work-view-version +1 -1
- package/work-view/dist/aarch64-apple-darwin/work-view +0 -0
- package/work-view/dist/aarch64-unknown-linux-musl/work-view +0 -0
- package/work-view/dist/x86_64-apple-darwin/work-view +0 -0
- package/work-view/dist/x86_64-unknown-linux-musl/work-view +0 -0
|
@@ -146,9 +146,9 @@ The body should already have a brief from `scope`. Use it as the seed for design
|
|
|
146
146
|
|
|
147
147
|
### Phase 2: Ground yourself
|
|
148
148
|
|
|
149
|
-
The principles skill auto-loads —
|
|
150
|
-
|
|
151
|
-
Rolling-Foundation, Late-Binding
|
|
149
|
+
The principles skill auto-loads — code-design includes proportional rigor, code
|
|
150
|
+
economy, useful tests, and leaving touched areas simpler; substrate-execution
|
|
151
|
+
includes Item-IS-the-Work, Rolling-Foundation, and Late-Binding.
|
|
152
152
|
|
|
153
153
|
Read:
|
|
154
154
|
1. `docs/VISION.md`, `docs/SPEC.md`, `docs/ARCHITECTURE.md` (foundation docs that
|
|
@@ -281,6 +281,17 @@ For each unit, specify:
|
|
|
281
281
|
|
|
282
282
|
Make strong decisions about abstractions, naming, and module boundaries.
|
|
283
283
|
|
|
284
|
+
#### 5d. Elimination and cleanup pass
|
|
285
|
+
|
|
286
|
+
Before adding another unit or abstraction, ask what this feature can delete,
|
|
287
|
+
inline, consolidate, or make unnecessary in the area it touches. Consider code,
|
|
288
|
+
tests, checks, configuration, compatibility paths, and existing abstractions.
|
|
289
|
+
Fold safe cohesive cleanup into a unit. Create explicit `[refactor]` or
|
|
290
|
+
`[cleanup]` child stories when the cleanup is worthwhile but independently
|
|
291
|
+
reviewable; park broader work. If a candidate reduces behavior or guarantees,
|
|
292
|
+
record it as a design decision for user confirmation rather than assuming
|
|
293
|
+
removal.
|
|
294
|
+
|
|
284
295
|
### Phase 5.5: Pre-mortem
|
|
285
296
|
|
|
286
297
|
Before finalizing, attack the design:
|
|
@@ -295,12 +306,20 @@ feature body.
|
|
|
295
306
|
|
|
296
307
|
### Phase 6: Test approach
|
|
297
308
|
|
|
298
|
-
|
|
299
|
-
- **
|
|
300
|
-
-
|
|
301
|
-
- **
|
|
302
|
-
|
|
303
|
-
|
|
309
|
+
Design the smallest useful test surface:
|
|
310
|
+
- **Interface tests** — important behavior at stable public boundaries and
|
|
311
|
+
cross-unit seams
|
|
312
|
+
- **Regression tests** — bugs or demonstrated risks this work must not repeat
|
|
313
|
+
- **Unit tests** — only for genuinely complex isolated logic where examples add
|
|
314
|
+
confidence
|
|
315
|
+
- **Test removal** — duplicate, tautological, obsolete, or implementation-bound
|
|
316
|
+
tests this change can safely retire
|
|
317
|
+
- **Test data** — only fixtures or factories the chosen tests actually need
|
|
318
|
+
|
|
319
|
+
Do not create a test for every unit, branch, edge, or acceptance statement by
|
|
320
|
+
default. State what risk or contract each proposed test protects. Hard-to-test
|
|
321
|
+
important behavior may indicate a bad boundary; simple code needing no isolated
|
|
322
|
+
test is not itself a design flaw.
|
|
304
323
|
|
|
305
324
|
### Phase 7: Order and child stories
|
|
306
325
|
|
|
@@ -379,9 +398,13 @@ Update the feature file. Append (after the existing brief) sections like:
|
|
|
379
398
|
1. <unit / story>
|
|
380
399
|
2. <unit / story>
|
|
381
400
|
|
|
401
|
+
## Simplification
|
|
402
|
+
- <code/tests/checks/abstractions removed, consolidated, or intentionally retained>
|
|
403
|
+
- <cleanup/refactor stories, if any>
|
|
404
|
+
|
|
382
405
|
## Testing
|
|
383
|
-
|
|
384
|
-
<
|
|
406
|
+
- <interface, regression, or complex-unit tests and the value each protects>
|
|
407
|
+
- <low-value tests to remove, if any>
|
|
385
408
|
|
|
386
409
|
## Risks
|
|
387
410
|
<from pre-mortem, if any>
|
|
@@ -1,9 +1,10 @@
|
|
|
1
1
|
---
|
|
2
2
|
name: gate-cruft
|
|
3
3
|
description: >
|
|
4
|
-
Cruft gate
|
|
5
|
-
|
|
6
|
-
|
|
4
|
+
Cruft gate focused on release-bound items that may follow relevant evidence into adjacent or
|
|
5
|
+
system-wide code. Finds dead code, stale comments, low-value tests and checks, compatibility
|
|
6
|
+
shims, defensive bloat, and over-abstraction, including whole systems that may no longer earn
|
|
7
|
+
their cost. Delegates the scan to a deep cleanup scanner agent which runs language-aware
|
|
7
8
|
detection plus heuristic pattern-matching, then returns findings. The orchestrator converts findings
|
|
8
9
|
into items in .work/active/ with gate_origin:cruft and tags:[cleanup]. Auto-triggers during
|
|
9
10
|
/agile-workflow:release-deploy.
|
|
@@ -11,11 +12,14 @@ description: >
|
|
|
11
12
|
|
|
12
13
|
# Gate-Cruft
|
|
13
14
|
|
|
14
|
-
You orchestrate a cruft gate
|
|
15
|
-
|
|
15
|
+
You orchestrate a cruft gate focused on the items bound to a release. Bound
|
|
16
|
+
items establish the center of gravity, not a hard file boundary: the scanner may
|
|
17
|
+
follow relevant call paths, dependencies, shared infrastructure, tests, or
|
|
18
|
+
system-wide mechanisms needed to understand whether complexity still earns its
|
|
19
|
+
cost. The actual scan runs inside a **deep cleanup scanner agent** (a generic sub-agent prompted with the scanner posture from `../principles/references/subagents.md`); your role is to prepare the bundle context,
|
|
16
20
|
dispatch the scanner, and convert the findings it returns into items in the
|
|
17
21
|
substrate. Findings get `gate_origin: cruft`,
|
|
18
|
-
`tags: [cleanup]`, with
|
|
22
|
+
`tags: [cleanup]`, with confidence shaping placement and stage.
|
|
19
23
|
|
|
20
24
|
Scanner strength is explicit: spawn exactly one source-read-only deep cleanup
|
|
21
25
|
scanner with the strongest inspection/reviewer setting the host exposes. Use a generic sub-agent prompted with the scanner posture from `../principles/references/subagents.md`. Use extra-high reasoning
|
|
@@ -70,9 +74,10 @@ confidence, and returns structured findings.
|
|
|
70
74
|
**Brief template**:
|
|
71
75
|
|
|
72
76
|
> You are conducting a cruft scan for release `<version>` as an agile-workflow
|
|
73
|
-
> scanner. Use read/search/shell tools as needed.
|
|
74
|
-
> changed files
|
|
75
|
-
>
|
|
77
|
+
> scanner. Use read/search/shell tools as needed. Start with the bundle's
|
|
78
|
+
> changed files, then follow relevant evidence into adjacent dependencies,
|
|
79
|
+
> shared infrastructure, tests, or system-wide mechanisms. Do not perform an
|
|
80
|
+
> aimless whole-repo sweep, spawn nested sub-agents, or implement fixes.
|
|
76
81
|
>
|
|
77
82
|
> **Bundle scope**:
|
|
78
83
|
> ```
|
|
@@ -90,8 +95,9 @@ confidence, and returns structured findings.
|
|
|
90
95
|
> `Cargo.toml`, `go.mod`, `pyproject.toml`, `Makefile`. This determines
|
|
91
96
|
> which language-aware detection tools are available.
|
|
92
97
|
>
|
|
93
|
-
> 2. **Language-aware detection (high confidence)** — run against the
|
|
94
|
-
>
|
|
98
|
+
> 2. **Language-aware detection (high confidence)** — run against the bundle
|
|
99
|
+
> files first; expand a tool's scope only when needed to establish callers,
|
|
100
|
+
> duplication, reachability, ownership, or system-level cost:
|
|
95
101
|
> - **TypeScript/JavaScript** — `tsc --noUnusedLocals --noUnusedParameters
|
|
96
102
|
> --noEmit`, eslint unused rules
|
|
97
103
|
> - **Python** — `ruff check --select F811,F841,F401`, `vulture`
|
|
@@ -99,7 +105,8 @@ confidence, and returns structured findings.
|
|
|
99
105
|
> - **Rust** — compiler warnings for `#[warn(dead_code)]`
|
|
100
106
|
> Capture output and parse into findings.
|
|
101
107
|
>
|
|
102
|
-
> 3. **Heuristic pattern-matching** via Grep
|
|
108
|
+
> 3. **Heuristic pattern-matching** via Grep, beginning with bundle files and
|
|
109
|
+
> following concrete references where the evidence leads:
|
|
103
110
|
>
|
|
104
111
|
> **Medium confidence:**
|
|
105
112
|
> - Comments containing "removed", "backwards compat", "for backwards
|
|
@@ -117,12 +124,27 @@ confidence, and returns structured findings.
|
|
|
117
124
|
> - Single-use helper functions that could be inlined
|
|
118
125
|
> - Config/options parameters that only ever receive one value
|
|
119
126
|
> - Abstractions with a single implementation
|
|
127
|
+
> - Duplicate, tautological, obsolete, or implementation-bound tests
|
|
128
|
+
> - Validation/check layers whose guarantees exceed the project's actual scope
|
|
120
129
|
>
|
|
121
|
-
> 4. **
|
|
130
|
+
> 4. **System-level challenge** — inspect whether an entire validation layer,
|
|
131
|
+
> invariant/check system, test suite, compatibility mechanism, defensive
|
|
132
|
+
> subsystem, or abstraction family exposed by the bundle still justifies its
|
|
133
|
+
> maintenance cost. State its current purpose, evidence of cost, what removal
|
|
134
|
+
> would simplify, and which behavior or guarantee would be lost. Classify
|
|
135
|
+
> these as `Decision required`; never assume the guarantee should disappear.
|
|
136
|
+
>
|
|
137
|
+
> 5. **Cross-check existing patterns** — read `.agents/skills/patterns/` and
|
|
122
138
|
> legacy `.claude/skills/patterns/` if
|
|
123
139
|
> present. Intentional repetition documented as a pattern is NOT cruft.
|
|
124
140
|
>
|
|
125
|
-
>
|
|
141
|
+
> 6. **Triage by confidence, release relevance, and decision need**:
|
|
142
|
+
> - `Release-relevant`: caused by, exposed by, or materially affects the bundle.
|
|
143
|
+
> - `Ambient`: useful discovery outside release scope; propose as unbound backlog.
|
|
144
|
+
> - `Decision required: yes`: any whole-system removal candidate, especially
|
|
145
|
+
> one that changes behavior or guarantees; ask before creating removal work.
|
|
146
|
+
>
|
|
147
|
+
> Then triage confidence:
|
|
126
148
|
> | Confidence | Stage of produced item |
|
|
127
149
|
> |---|---|
|
|
128
150
|
> | High (tool-detected) | `stage: implementing` |
|
|
@@ -139,7 +161,11 @@ confidence, and returns structured findings.
|
|
|
139
161
|
> - **Confidence**: High | Medium | Low
|
|
140
162
|
> - **Category**: unused import | dead function | stale comment |
|
|
141
163
|
> compatibility shim | passthrough wrapper | defensive try/catch |
|
|
142
|
-
> single-use helper | over-abstraction
|
|
164
|
+
> single-use helper | over-abstraction | low-value test | redundant checks |
|
|
165
|
+
> system-level simplification
|
|
166
|
+
> - **Relevance**: Release-relevant | Ambient
|
|
167
|
+
> - **Decision required**: yes | no
|
|
168
|
+
> - **Guarantee affected**: none | <behavior/validation/determinism/compatibility/safety>
|
|
143
169
|
> - **Location**: `<file>:<line>`
|
|
144
170
|
> - **Evidence**:
|
|
145
171
|
> ```<lang>
|
|
@@ -162,7 +188,8 @@ confidence, and returns structured findings.
|
|
|
162
188
|
> ```
|
|
163
189
|
>
|
|
164
190
|
> **Rules**:
|
|
165
|
-
> -
|
|
191
|
+
> - Bundle scope is the focus, not a hard boundary. Expand only by following
|
|
192
|
+
> concrete evidence; record why each out-of-bundle file or system was inspected.
|
|
166
193
|
> - Cite file:line for every finding.
|
|
167
194
|
> - Don't fabricate. If a tool produces no output, don't invent findings.
|
|
168
195
|
> - Skip already-tracked. Patterns documented in
|
|
@@ -172,9 +199,19 @@ confidence, and returns structured findings.
|
|
|
172
199
|
> used externally?" — if you can't confirm zero callers, downgrade to
|
|
173
200
|
> medium confidence rather than high).
|
|
174
201
|
|
|
175
|
-
### Phase 4:
|
|
202
|
+
### Phase 4: Resolve system-level removal decisions
|
|
203
|
+
|
|
204
|
+
For each `Decision required` candidate, present the system's purpose, current
|
|
205
|
+
cost, proposed simplification, and guarantees or behavior removal would weaken.
|
|
206
|
+
Ask the user whether to remove, reduce, retain, or park it. Group related
|
|
207
|
+
candidates and use the structured question tool in batches when available.
|
|
208
|
+
Never turn a guarantee-reducing proposal into active work without confirmation.
|
|
209
|
+
In a non-interactive gate path, write an unbound backlog decision proposal and
|
|
210
|
+
continue; do not assume consent or block unrelated release work.
|
|
176
211
|
|
|
177
|
-
|
|
212
|
+
### Phase 5: Convert findings to items
|
|
213
|
+
|
|
214
|
+
For each confirmed or ordinary finding the scanner returned:
|
|
178
215
|
|
|
179
216
|
Read `gate_finding_routing` from `.work/CONVENTIONS.md` before writing items.
|
|
180
217
|
If absent, use the default routing below. Normalize cruft confidence to routing
|
|
@@ -191,7 +228,7 @@ stage: implementing | drafting # by confidence
|
|
|
191
228
|
tags: [cleanup]
|
|
192
229
|
parent: null
|
|
193
230
|
depends_on: []
|
|
194
|
-
release_binding: <version>
|
|
231
|
+
release_binding: <version> | null # null for ambient or unconfirmed decision proposals
|
|
195
232
|
gate_origin: cruft
|
|
196
233
|
created: YYYY-MM-DD
|
|
197
234
|
updated: YYYY-MM-DD
|
|
@@ -217,12 +254,17 @@ High | Medium | Low
|
|
|
217
254
|
<what to remove and what to fix in the surroundings — imports, whitespace, etc.>
|
|
218
255
|
```
|
|
219
256
|
|
|
257
|
+
Release-relevant findings use the normal confidence mapping and bind to the
|
|
258
|
+
release. Ambient findings and unconfirmed decision proposals always go to the
|
|
259
|
+
unbound backlog regardless of confidence. A confirmed system removal may bind
|
|
260
|
+
only when the user explicitly includes it in the current release.
|
|
261
|
+
|
|
220
262
|
Default confidence -> placement mapping:
|
|
221
263
|
- **High** → `stage: implementing` in `.work/active/stories/`
|
|
222
264
|
- **Medium** → `stage: drafting` in `.work/active/stories/`
|
|
223
265
|
- **Low** → backlog file in `.work/backlog/`
|
|
224
266
|
|
|
225
|
-
### Phase
|
|
267
|
+
### Phase 6: Commit
|
|
226
268
|
|
|
227
269
|
```bash
|
|
228
270
|
git add .work/active/stories/ .work/backlog/
|
|
@@ -233,7 +275,7 @@ git commit -m "gate-cruft: <N> findings for <version>"
|
|
|
233
275
|
|
|
234
276
|
In conversation:
|
|
235
277
|
- **Bundle**: `<version>` — `<N>` items audited, `<M>` files changed
|
|
236
|
-
- **Findings**: count by confidence (
|
|
278
|
+
- **Findings**: count by confidence and relevance (release / ambient / decision)
|
|
237
279
|
- **Items created**: count, with new ids
|
|
238
280
|
- **Already-tracked**: count skipped
|
|
239
281
|
|
|
@@ -247,10 +289,13 @@ and parallelizes well."
|
|
|
247
289
|
|
|
248
290
|
- **The scan happens in the scanner agent, not here.** Your job is bundle
|
|
249
291
|
prep, dispatch, and item-writing. Don't replicate the scanner's analysis.
|
|
250
|
-
-
|
|
292
|
+
- Release-bound items define focus, not a hard boundary. Follow concrete
|
|
293
|
+
evidence into adjacent or system-wide code, but do not turn the gate into an
|
|
294
|
+
unfocused whole-repo audit.
|
|
251
295
|
- Never remove code in this skill — produce items only.
|
|
252
|
-
-
|
|
253
|
-
|
|
296
|
+
- Local cleanup items should stay surgical. Whole-system simplification is
|
|
297
|
+
allowed as a proposal, but any reduction in behavior or guarantees requires
|
|
298
|
+
explicit user confirmation and appropriately scoped design work.
|
|
254
299
|
- Patterns documented in `.agents/skills/patterns/` or legacy
|
|
255
300
|
`.claude/skills/patterns/` are intentional, not
|
|
256
301
|
cruft. The scanner cross-checks; don't override.
|
|
@@ -155,6 +155,7 @@ returns structured findings.
|
|
|
155
155
|
> changelog-gap | repo-skill-staleness | pattern-skill-staleness |
|
|
156
156
|
> generated-file-needs-regen | doc-misplacement
|
|
157
157
|
> - **Confidence**: High | Medium
|
|
158
|
+
> - **Relevance**: Release-relevant | Ambient
|
|
158
159
|
> - **Doc location**: `<file>:<line>`
|
|
159
160
|
> - **Code location**: `<file>:<line>` (for assertion drift; omit for gaps)
|
|
160
161
|
> - **Current doc text**:
|
|
@@ -179,8 +180,9 @@ returns structured findings.
|
|
|
179
180
|
> ```
|
|
180
181
|
>
|
|
181
182
|
> **Rules**:
|
|
182
|
-
> -
|
|
183
|
-
>
|
|
183
|
+
> - Bundle changes and their owning docs are the focus, not a hard boundary.
|
|
184
|
+
> Follow concrete references into adjacent docs, generated catalogs, or
|
|
185
|
+
> system-wide documentation when needed; do not perform an aimless doc sweep.
|
|
184
186
|
> - Cite file:line for every finding.
|
|
185
187
|
> - Required edits ENFORCE rolling-foundation: replace stale assertions in
|
|
186
188
|
> place. Do NOT propose adding "previously" or "in v1.x" prose. Git is the
|
|
@@ -210,7 +212,7 @@ stage: implementing # high-confidence drift
|
|
|
210
212
|
tags: [documentation]
|
|
211
213
|
parent: null
|
|
212
214
|
depends_on: []
|
|
213
|
-
release_binding: <version>
|
|
215
|
+
release_binding: <version> | null # null for ambient findings
|
|
214
216
|
gate_origin: docs
|
|
215
217
|
created: YYYY-MM-DD
|
|
216
218
|
updated: YYYY-MM-DD
|
|
@@ -239,6 +241,10 @@ no "previously" prose, no "in v1.x" notes. Replace the assertion in place.>
|
|
|
239
241
|
For generated files needing regeneration, the item describes the regeneration
|
|
240
242
|
command rather than a manual edit.
|
|
241
243
|
|
|
244
|
+
Release-relevant drift uses the normal confidence mapping and binds to the
|
|
245
|
+
release. Ambient staleness merely discovered while following references goes to
|
|
246
|
+
the unbound backlog.
|
|
247
|
+
|
|
242
248
|
Default confidence -> placement mapping:
|
|
243
249
|
- **High** → `stage: implementing` in `.work/active/stories/`
|
|
244
250
|
- **Medium** → `stage: drafting` in `.work/active/stories/`
|
|
@@ -272,7 +278,8 @@ In conversation:
|
|
|
272
278
|
place. Do NOT propose adding "previously" or "in v1.x" prose.
|
|
273
279
|
- Don't fix the docs in this skill — produce items only. Implementation of
|
|
274
280
|
the fixes happens via `/agile-workflow:implement` on each item.
|
|
275
|
-
-
|
|
276
|
-
|
|
281
|
+
- Release-bound changes define focus, not a hard boundary. Follow concrete
|
|
282
|
+
documentation ownership and reference chains; route merely ambient drift to
|
|
283
|
+
the unbound backlog rather than silently expanding the release.
|
|
277
284
|
- Generated files get items describing the regeneration command, not manual
|
|
278
285
|
edits.
|
|
@@ -107,7 +107,7 @@ output.
|
|
|
107
107
|
> Use read/search/shell tools as needed. Do not spawn nested sub-agents or modify
|
|
108
108
|
> source files.
|
|
109
109
|
>
|
|
110
|
-
> **Bundle
|
|
110
|
+
> **Bundle focus** (start here; follow recurring shapes across the repository):
|
|
111
111
|
> ```
|
|
112
112
|
> <bundle-files>
|
|
113
113
|
> ```
|
|
@@ -120,8 +120,10 @@ output.
|
|
|
120
120
|
>
|
|
121
121
|
> **Methodology**:
|
|
122
122
|
>
|
|
123
|
-
> 1. **Pattern discovery passes** — inspect the bundle's changed files
|
|
124
|
-
>
|
|
123
|
+
> 1. **Pattern discovery passes** — inspect the bundle's changed files first,
|
|
124
|
+
> then follow candidate shapes through consumers and the wider repository
|
|
125
|
+
> where needed to establish genuine recurrence. Bound files are the focus,
|
|
126
|
+
> not a hard scan boundary:
|
|
125
127
|
> - **Shared abstractions & utilities** — find new shared/reusable code
|
|
126
128
|
> introduced in the bundle: utility functions, base classes, common
|
|
127
129
|
> helpers, types used across multiple modules. List each with
|
|
@@ -225,6 +227,8 @@ output.
|
|
|
225
227
|
> the divergence instead.
|
|
226
228
|
> - Don't fabricate patterns. If discovery yields nothing, return an empty
|
|
227
229
|
> "New patterns" section.
|
|
230
|
+
> - Expansion beyond the bundle must follow a concrete candidate pattern or
|
|
231
|
+
> inconsistency; do not perform an unfocused whole-repo style audit.
|
|
228
232
|
|
|
229
233
|
### Phase 4: Write pattern files
|
|
230
234
|
|
|
@@ -139,8 +139,10 @@ M-times-N redundant file reads and allows cross-library finding deduplication.
|
|
|
139
139
|
**Brief template**:
|
|
140
140
|
|
|
141
141
|
> You are conducting a refactor gate scan for release `<version>` as an agile-workflow
|
|
142
|
-
> scanner. Use read/search/shell tools as needed.
|
|
143
|
-
>
|
|
142
|
+
> scanner. Use read/search/shell tools as needed. Start with the bundle's changed
|
|
143
|
+
> files and follow concrete rule-relevant references into adjacent consumers,
|
|
144
|
+
> dependencies, or shared systems. Do not perform an aimless whole-repo sweep,
|
|
145
|
+
> spawn nested sub-agents, or implement fixes.
|
|
144
146
|
>
|
|
145
147
|
> **Bundle scope** (files changed by the bundle):
|
|
146
148
|
> ```
|
|
@@ -169,6 +171,7 @@ M-times-N redundant file reads and allows cross-library finding deduplication.
|
|
|
169
171
|
>
|
|
170
172
|
> 1. Read every file in the bundle scope.
|
|
171
173
|
> 2. For each file, check against all rules from all loaded libraries in a single pass.
|
|
174
|
+
> Expand only when a rule or concrete reference requires adjacent/system-wide context.
|
|
172
175
|
> 3. For each finding, record:
|
|
173
176
|
> - **Library tag**: which library's rule was violated (e.g. `structural`).
|
|
174
177
|
> - **Rule slug**: which specific rule was violated (from the library's rule inventory).
|
|
@@ -176,11 +179,13 @@ M-times-N redundant file reads and allows cross-library finding deduplication.
|
|
|
176
179
|
> - **Issue**: one-sentence description of the violation.
|
|
177
180
|
> - **Fix**: specific proposed change (or "needs analysis" for findings requiring judgment).
|
|
178
181
|
> - **Confidence**: `high` / `medium` / `low` per the library's guidance for that rule.
|
|
182
|
+
> - **Relevance**: `Release-relevant` or `Ambient`.
|
|
179
183
|
> 4. Deduplicate against the already-tracked set.
|
|
180
184
|
> 5. Return findings as a structured list.
|
|
181
185
|
>
|
|
182
186
|
> **Rules**:
|
|
183
|
-
> -
|
|
187
|
+
> - Bundle scope is the focus, not a hard boundary. Follow concrete rule-relevant
|
|
188
|
+
> evidence and record why any out-of-bundle surface was inspected.
|
|
184
189
|
> - Cite file:line for every finding.
|
|
185
190
|
> - Do not fabricate findings. If a rule produces no matches, emit nothing for it.
|
|
186
191
|
> - Skip already-tracked findings (exact file:line + rule-slug match).
|
|
@@ -199,6 +204,7 @@ M-times-N redundant file reads and allows cross-library finding deduplication.
|
|
|
199
204
|
> - **Library**: <library-tag>
|
|
200
205
|
> - **Rule**: <rule-slug>
|
|
201
206
|
> - **Confidence**: High | Medium | Low
|
|
207
|
+
> - **Relevance**: Release-relevant | Ambient
|
|
202
208
|
> - **Location**: `<file>:<line>`
|
|
203
209
|
> - **Issue**: <one sentence>
|
|
204
210
|
> - **Fix**: <specific proposed change or "needs analysis">
|
|
@@ -248,7 +254,7 @@ stage: implementing | drafting # by gate_finding_routing
|
|
|
248
254
|
tags: [refactor]
|
|
249
255
|
parent: null
|
|
250
256
|
depends_on: []
|
|
251
|
-
release_binding: <version>
|
|
257
|
+
release_binding: <version> | null # null for ambient findings
|
|
252
258
|
gate_origin: refactor
|
|
253
259
|
created: YYYY-MM-DD
|
|
254
260
|
updated: YYYY-MM-DD
|
|
@@ -265,7 +271,7 @@ stage: implementing | drafting # by gate_finding_routing
|
|
|
265
271
|
tags: []
|
|
266
272
|
parent: null
|
|
267
273
|
depends_on: []
|
|
268
|
-
release_binding: <version>
|
|
274
|
+
release_binding: <version> | null # null for ambient findings
|
|
269
275
|
gate_origin: refactor
|
|
270
276
|
created: YYYY-MM-DD
|
|
271
277
|
updated: YYYY-MM-DD
|
|
@@ -296,6 +302,10 @@ High | Medium | Low
|
|
|
296
302
|
<specific proposed change, or "needs analysis" for medium/low>
|
|
297
303
|
```
|
|
298
304
|
|
|
305
|
+
Release-relevant findings use the normal confidence mapping and bind to the
|
|
306
|
+
release. Ambient rule violations discovered outside the bundle go to the
|
|
307
|
+
unbound backlog regardless of confidence.
|
|
308
|
+
|
|
299
309
|
Default confidence -> placement mapping:
|
|
300
310
|
|
|
301
311
|
| Confidence | Stage | Tier |
|
|
@@ -343,7 +353,9 @@ In conversation:
|
|
|
343
353
|
|
|
344
354
|
- **The scan happens in the scanner agent, not here.** Your job is library discovery, bundle prep,
|
|
345
355
|
dispatch, and item-writing. Do not replicate the scanner's analysis.
|
|
346
|
-
-
|
|
356
|
+
- Release-bound files define focus, not a hard boundary. Follow concrete
|
|
357
|
+
rule-relevant evidence into adjacent or system-wide code, but do not perform
|
|
358
|
+
an unfocused whole-repo scan; route ambient findings to the unbound backlog.
|
|
347
359
|
- Never apply fixes in this skill — produce items only.
|
|
348
360
|
- **No-libraries is not an error.** Graceful skip with a log entry is the correct behavior when
|
|
349
361
|
no scan-* libraries are installed.
|
|
@@ -91,8 +91,8 @@ structured findings.
|
|
|
91
91
|
> agile-workflow scanner. Use read/search/shell/current-source lookup tools as
|
|
92
92
|
> needed, but do not spawn nested sub-agents or implement fixes.
|
|
93
93
|
>
|
|
94
|
-
> **Bundle
|
|
95
|
-
>
|
|
94
|
+
> **Bundle focus** (start here; follow concrete security-relevant call paths,
|
|
95
|
+
> dependencies, shared infrastructure, and controls as needed):
|
|
96
96
|
> ```
|
|
97
97
|
> <bundle-files>
|
|
98
98
|
> ```
|
|
@@ -138,7 +138,8 @@ structured findings.
|
|
|
138
138
|
> logs, missing error boundaries, verbose prod errors. All prod apps.
|
|
139
139
|
>
|
|
140
140
|
> 3. **Domain audit passes** — for each selected domain, audit the bundle's
|
|
141
|
-
> changed files against that domain's checklist
|
|
141
|
+
> changed files against that domain's checklist, following concrete evidence
|
|
142
|
+
> into adjacent security boundaries, dependencies, and shared controls. Use current-source lookup
|
|
142
143
|
> when needed to verify best practices for `<stack>+<domain>` combinations
|
|
143
144
|
> before judging.
|
|
144
145
|
>
|
|
@@ -160,6 +161,7 @@ structured findings.
|
|
|
160
161
|
> - **Title**: <one-line>
|
|
161
162
|
> - **Severity**: Critical | High | Medium | Low
|
|
162
163
|
> - **Domain**: <domain name>
|
|
164
|
+
> - **Relevance**: Release-relevant | Ambient
|
|
163
165
|
> - **Location**: `<file>:<line>`
|
|
164
166
|
> - **Evidence**:
|
|
165
167
|
> ```<lang>
|
|
@@ -182,7 +184,8 @@ structured findings.
|
|
|
182
184
|
> ```
|
|
183
185
|
>
|
|
184
186
|
> **Rules**:
|
|
185
|
-
> -
|
|
187
|
+
> - Bundle files are the focus, not a hard boundary. Expand only along concrete
|
|
188
|
+
> security-relevant evidence and record why out-of-bundle surfaces were inspected.
|
|
186
189
|
> - Cite file:line for every finding.
|
|
187
190
|
> - Don't fabricate. If evidence is missing, don't report.
|
|
188
191
|
> - Skip findings that match the already-tracked list.
|
|
@@ -211,7 +214,7 @@ stage: implementing # Critical or High
|
|
|
211
214
|
tags: [security]
|
|
212
215
|
parent: null
|
|
213
216
|
depends_on: []
|
|
214
|
-
release_binding: <version>
|
|
217
|
+
release_binding: <version> | null # null for ambient findings
|
|
215
218
|
gate_origin: security
|
|
216
219
|
created: YYYY-MM-DD
|
|
217
220
|
updated: YYYY-MM-DD
|
|
@@ -237,6 +240,11 @@ Critical | High | Medium | Low
|
|
|
237
240
|
<what should change — direction, not a finished fix>
|
|
238
241
|
```
|
|
239
242
|
|
|
243
|
+
Release-relevant findings use the normal severity mapping and bind to the
|
|
244
|
+
release. Ambient findings discovered outside the release's material risk go to
|
|
245
|
+
the unbound backlog regardless of severity; a genuinely critical repository
|
|
246
|
+
vulnerability is release-relevant when shipping would expose or perpetuate it.
|
|
247
|
+
|
|
240
248
|
Default severity -> placement mapping:
|
|
241
249
|
- **Critical** / **High** → `stage: implementing` in `.work/active/stories/`
|
|
242
250
|
- **Medium** → `stage: drafting` in `.work/active/stories/`
|
|
@@ -271,5 +279,6 @@ In conversation:
|
|
|
271
279
|
returns nothing. Don't paper that over.
|
|
272
280
|
- Idempotent re-runs: pass already-tracked findings into the scanner brief so it
|
|
273
281
|
skips duplicates. Double-check on item-write before creating.
|
|
274
|
-
-
|
|
275
|
-
|
|
282
|
+
- Release-bound items define focus, not a hard boundary. Follow concrete
|
|
283
|
+
security evidence into adjacent or system-wide controls, but do not perform
|
|
284
|
+
an unfocused whole-repo audit. Route merely ambient findings to the unbound backlog.
|