@nlaprell/shipit 1.0.0

package/scripts/command-manifest.yml

@@ -0,0 +1,131 @@
+# Command manifest: single source of truth for slash commands and pnpm scripts.
+# help.sh builds the "Available commands" list from this file.
+# Add a command by adding an entry; keep id, slash, pnpm, description, category.
+
+commands:
+  # Project Management
+  - id: init-project
+    slash: /init-project
+    pnpm: init-project
+    description: Initialize a new ShipIt project
+    category: Project Management
+  - id: scope-project
+    slash: /scope-project
+    pnpm: scope-project
+    description: AI-assisted feature breakdown
+    category: Project Management
+
+  # Intent Management
+  - id: new-intent
+    slash: /new_intent
+    pnpm: new-intent
+    description: Create a new intent (interactive wizard)
+    category: Intent Management
+  - id: kill
+    slash: /kill
+    pnpm: kill-intent
+    description: Kill an intent with rationale
+    category: Intent Management
+
+  # Workflow
+  - id: ship
+    slash: /ship
+    pnpm: workflow-orchestrator
+    description: Run full SDLC workflow (6 phases)
+    category: Workflow
+  - id: verify
+    slash: /verify
+    pnpm: verify
+    description: Re-run verification phase
+    category: Workflow
+
+  # Planning
+  - id: generate-release-plan
+    slash: /generate-release-plan
+    pnpm: generate-release-plan
+    description: Build release plan from intents
+    category: Planning
+  - id: generate-roadmap
+    slash: /generate-roadmap
+    pnpm: generate-roadmap
+    description: Generate roadmap (now/next/later)
+    category: Planning
+
+  # Operations
+  - id: deploy
+    slash: /deploy
+    pnpm: deploy
+    description: Deploy with readiness checks
+    category: Operations
+  - id: drift-check
+    slash: /drift_check
+    pnpm: drift-check
+    description: Check for entropy/decay
+    category: Operations
+  - id: risk
+    slash: /risk
+    pnpm: null
+    description: Force security/threat skim
+    category: Operations
+
+  # Help & Status
+  - id: help
+    slash: /help
+    pnpm: help
+    description: Show help for a command
+    category: Help & Status
+  - id: status
+    slash: /status
+    pnpm: status
+    description: Show current project status
+    category: Help & Status
+  - id: suggest
+    slash: /suggest
+    pnpm: suggest
+    description: Get suggested next actions
+    category: Help & Status
+  - id: usage-record
+    slash: /usage-record
+    pnpm: usage-record
+    description: Record token/cost for a phase (intent_id phase tokens_in tokens_out [cost])
+    category: Help & Status
+  - id: usage-report
+    slash: /usage-report
+    pnpm: usage-report
+    description: Show token/cost usage table (optionally --last N)
+    category: Help & Status
+  - id: calibration-report
+    slash: /calibration-report
+    pnpm: calibration-report
+    description: Confidence calibration report (stated vs actual); --json for dashboard
+    category: Help & Status
+  - id: pr
+    slash: /pr
+    pnpm: null
+    description: Generate PR summary/checklist
+    category: Help & Status
+  - id: create-pr
+    slash: /create-pr
+    pnpm: gh-create-pr
+    description: Generate pr.md then create GitHub PR for intent
+    category: Help & Status
+  - id: create-intent-from-issue
+    slash: /create-intent-from-issue
+    pnpm: create-intent-from-issue
+    description: Create intent from GitHub issue
+    category: Intent Management
+  - id: revert-plan
+    slash: /revert-plan
+    pnpm: null
+    description: Write rollback plan
+    category: Help & Status
+  - id: rollback
+    slash: /rollback
+    pnpm: execute-rollback
+    description: Execute rollback in guided mode (reads plan from /revert-plan)
+    category: Workflow
+  - id: dashboard
+    slash: /dashboard
+    pnpm: dashboard
+    description: Start web dashboard (exports data first, then launches UI)
+    category: Help & Status

package/scripts/create-test-plan-issue.sh

@@ -0,0 +1,110 @@
+#!/bin/bash
+set -euo pipefail
+
+usage() {
+  cat <<'EOF'
+Usage:
+  ./scripts/create-test-plan-issue.sh \
+    --title "..." \
+    --severity low|medium|high \
+    --step "4-1" \
+    --expected "..." \
+    --actual "..." \
+    --error "..." \
+    --impl "Action item 1" \
+    [--impl "Action item 2"] \
+    [--repo owner/name]
+
+Notes:
+  - If --repo is omitted, the script will try to resolve it via:
+      gh repo view --json nameWithOwner -q .nameWithOwner
+  - This script intentionally avoids literal '\n' sequences in the issue body.
+EOF
+}
+
+TITLE=""
+SEVERITY=""
+STEP_ID=""
+EXPECTED=""
+ACTUAL=""
+ERROR_TEXT=""
+REPO=""
+IMPL_ITEMS=()
+
+while [ $# -gt 0 ]; do
+  case "$1" in
+    --title) TITLE="${2:-}"; shift 2 ;;
+    --severity) SEVERITY="${2:-}"; shift 2 ;;
+    --step) STEP_ID="${2:-}"; shift 2 ;;
+    --expected) EXPECTED="${2:-}"; shift 2 ;;
+    --actual) ACTUAL="${2:-}"; shift 2 ;;
+    --error) ERROR_TEXT="${2:-}"; shift 2 ;;
+    --impl) IMPL_ITEMS+=("${2:-}"); shift 2 ;;
+    --repo) REPO="${2:-}"; shift 2 ;;
+    -h|--help) usage; exit 0 ;;
+    *) echo "Unknown arg: $1" >&2; usage; exit 2 ;;
+  esac
+done
+
+if [ -z "$TITLE" ] || [ -z "$SEVERITY" ] || [ -z "$STEP_ID" ] || [ -z "$EXPECTED" ] || [ -z "$ACTUAL" ] || [ -z "$ERROR_TEXT" ]; then
+  echo "Missing required arguments." >&2
+  usage
+  exit 2
+fi
+
+case "$SEVERITY" in
+  low|medium|high) ;;
+  *) echo "Invalid --severity: $SEVERITY (expected low|medium|high)" >&2; exit 2 ;;
+esac
+
+if ! command -v gh >/dev/null 2>&1; then
+  echo "gh is not installed (required)." >&2
+  exit 1
+fi
+
+gh auth status >/dev/null
+
+if [ -z "$REPO" ]; then
+  REPO="$(gh repo view --json nameWithOwner -q .nameWithOwner 2>/dev/null || true)"
+fi
+
+if [ -z "$REPO" ]; then
+  echo "Could not resolve GitHub repo. Provide --repo owner/name." >&2
+  exit 1
+fi
+
+FIRST_SEEN="$(date +%F)"
+
+BODY_FILE="$(mktemp)"
+{
+  echo "**Severity:** $SEVERITY"
+  echo "**Step:** $STEP_ID"
+  echo "**First Seen:** $FIRST_SEEN"
+  echo
+  echo "## Expected"
+  echo
+  echo "$EXPECTED"
+  echo
+  echo "## Actual"
+  echo
+  echo "$ACTUAL"
+  echo
+  echo "## Error"
+  echo
+  echo "$ERROR_TEXT"
+  echo
+  echo "## Implementation"
+  echo
+  if [ "${#IMPL_ITEMS[@]}" -eq 0 ]; then
+    echo "- (none provided)"
+  else
+    for item in "${IMPL_ITEMS[@]}"; do
+      echo "- $item"
+    done
+  fi
+} >"$BODY_FILE"
+
+gh issue create --repo "$REPO" --title "$TITLE" --body-file "$BODY_FILE"
+
+rm -f "$BODY_FILE"
+

package/scripts/dashboard-start.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+# Start the ShipIt dashboard: export data first, then launch the dev server.
+# Ensures fresh data whenever the dashboard is opened.
+# Usage: ./scripts/dashboard-start.sh  or  pnpm dashboard
+
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+REPO_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
+cd "$REPO_ROOT"
+
+echo "Exporting dashboard data..."
+node scripts/export-dashboard-json.js
+
+echo "Starting dashboard dev server..."
+cd dashboard-app && pnpm dev

package/scripts/deploy.sh

@@ -0,0 +1,170 @@
+#!/bin/bash
+
+# Deployment Script
+# Handles deployment to various platforms
+
+set -euo pipefail
+
+error_exit() {
+    echo "ERROR: $1" >&2
+    exit "${2:-1}"
+}
+
+warning() {
+    echo "WARNING: $1" >&2
+}
+
+# Colors
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+BLUE='\033[0;34m'
+NC='\033[0m'
+
+ENVIRONMENT="${1:-production}"
+PLATFORM="${2:-}"
+
+echo -e "${BLUE}Deploying to $ENVIRONMENT...${NC}"
+echo ""
+
+# Check prerequisites
+if [ ! -f "project.json" ]; then
+    error_exit "project.json not found. Run /init-project first." 1
+fi
+
+# Run readiness checks
+echo -e "${YELLOW}Running readiness checks...${NC}"
+if [ -f "scripts/check-readiness.sh" ]; then
+    if ! ./scripts/check-readiness.sh "$ENVIRONMENT"; then
+        error_exit "Readiness checks failed. Fix issues before deploying." 1
+    fi
+else
+    warning "check-readiness.sh not found, skipping checks"
+fi
+echo ""
+
+# Determine platform
+if [ -z "$PLATFORM" ]; then
+    if [ -f "vercel.json" ] || [ -f ".vercel/project.json" ]; then
+        PLATFORM="vercel"
+    elif [ -f "netlify.toml" ]; then
+        PLATFORM="netlify"
+    elif [ -f "Dockerfile" ]; then
+        PLATFORM="docker"
+    elif [ -d "infrastructure" ] && [ -f "infrastructure/cdk.json" ]; then
+        PLATFORM="aws-cdk"
+    else
+        echo -e "${YELLOW}Platform not detected. Available options:${NC}"
+        echo "1) Vercel"
+        echo "2) Netlify"
+        echo "3) Docker"
+        echo "4) AWS CDK"
+        echo "5) Manual (no automation)"
+        read -p "Select platform [1-5]: " platform_choice
+        
+        case $platform_choice in
+            1) PLATFORM="vercel" ;;
+            2) PLATFORM="netlify" ;;
+            3) PLATFORM="docker" ;;
+            4) PLATFORM="aws-cdk" ;;
+            5) PLATFORM="manual" ;;
+            *) PLATFORM="manual" ;;
+        esac
+    fi
+fi
+
+echo -e "${GREEN}Platform: $PLATFORM${NC}"
+echo ""
+
+# Create deployment history
+DEPLOY_HISTORY="deployment-history.md"
+if [ ! -f "$DEPLOY_HISTORY" ]; then
+    cat > "$DEPLOY_HISTORY" << EOF
+# Deployment History
+
+## Deployments
+
+EOF
+fi
+
+# Deploy based on platform
+case $PLATFORM in
+    vercel)
+        echo -e "${YELLOW}Deploying to Vercel...${NC}"
+        if command -v vercel >/dev/null 2>&1; then
+            vercel --prod
+        else
+            error_exit "Vercel CLI not found. Install with: npm i -g vercel" 1
+        fi
+        ;;
+    
+    netlify)
+        echo -e "${YELLOW}Deploying to Netlify...${NC}"
+        if command -v netlify >/dev/null 2>&1; then
+            netlify deploy --prod
+        else
+            error_exit "Netlify CLI not found. Install with: npm i -g netlify-cli" 1
+        fi
+        ;;
+    
+    docker)
+        echo -e "${YELLOW}Building and deploying Docker image...${NC}"
+        if [ ! -f "Dockerfile" ]; then
+            error_exit "Dockerfile not found" 1
+        fi
+        IMAGE_NAME=$(jq -r '.name' project.json | tr '[:upper:]' '[:lower:]' | tr ' ' '-')
+        docker build -t "$IMAGE_NAME:latest" .
+        echo -e "${GREEN}✓ Docker image built: $IMAGE_NAME:latest${NC}"
+        echo -e "${YELLOW}Note: Push and deploy manually or configure registry${NC}"
+        ;;
+    
+    aws-cdk)
+        echo -e "${YELLOW}Deploying with AWS CDK...${NC}"
+        if [ ! -d "infrastructure" ]; then
+            error_exit "infrastructure directory not found" 1
+        fi
+        cd infrastructure || error_exit "Failed to enter infrastructure directory" 1
+        if command -v cdk >/dev/null 2>&1; then
+            cdk deploy --require-approval never
+        else
+            error_exit "AWS CDK CLI not found. Install with: npm i -g aws-cdk" 1
+        fi
+        cd ..
+        ;;
+    
+    manual)
+        echo -e "${YELLOW}Manual deployment mode${NC}"
+        echo "Readiness checks passed. Deploy manually using your preferred method."
+        echo ""
+        echo "Suggested steps:"
+        echo "1. Build: pnpm build (or equivalent)"
+        echo "2. Test: pnpm test"
+        echo "3. Deploy using your platform's method"
+        ;;
+    
+    *)
+        error_exit "Unknown platform: $PLATFORM" 1
+        ;;
+esac
+
+# Record deployment
+DEPLOY_TIME=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+cat >> "$DEPLOY_HISTORY" << EOF
+### $DEPLOY_TIME - $ENVIRONMENT ($PLATFORM)
+- Environment: $ENVIRONMENT
+- Platform: $PLATFORM
+- Status: deployed
+- Readiness checks: passed
+
+EOF
+
+echo ""
+echo -e "${GREEN}════════════════════════════════════════${NC}"
+echo -e "${GREEN}✓ Deployment complete${NC}"
+echo -e "${GREEN}════════════════════════════════════════${NC}"
+echo ""
+echo -e "${YELLOW}Next steps:${NC}"
+echo "1. Verify deployment is healthy"
+echo "2. Run smoke tests"
+echo "3. Monitor logs and metrics"
+echo ""

package/scripts/drift-check.sh

@@ -0,0 +1,93 @@
+#!/bin/bash
+
+# Drift Metrics Check Script
+# Calculates entropy indicators to detect system drift
+
+set -euo pipefail
+
+# Error handling
+error_exit() {
+    echo "ERROR: $1" >&2
+    exit "${2:-1}"
+}
+
+# Validate prerequisites
+command -v git >/dev/null 2>&1 || error_exit "git is required but not installed"
+command -v jq >/dev/null 2>&1 || error_exit "jq is required but not installed"
+command -v bc >/dev/null 2>&1 || error_exit "bc is required but not installed"
+
+DRIFT_DIR="_system/drift"
+METRICS_FILE="$DRIFT_DIR/metrics.md"
+
+# Create drift directory if it doesn't exist
+mkdir -p "$DRIFT_DIR" || error_exit "Failed to create drift directory"
+
+# Start metrics report
+cat > "$METRICS_FILE" << EOF
+# Drift Metrics Report
+
+Generated: $(date -u +"%Y-%m-%dT%H:%M:%SZ")
+
+EOF
+
+# 1. Average PR size (last 20 PRs)
+echo "## PR Size Trend" >> "$METRICS_FILE" || error_exit "Failed to write to metrics file"
+if git rev-parse --git-dir > /dev/null 2>&1; then
+  PR_SIZE=$(git log --oneline -20 --stat 2>/dev/null | grep "files changed" | \
+    awk '{sum+=$1; count++} END {if (count > 0) print "Avg files changed: " sum/count; else print "No PR data available"}' || echo "No PR data available")
+  echo "$PR_SIZE" >> "$METRICS_FILE" || error_exit "Failed to write PR size data"
+else
+  echo "Not a git repository" >> "$METRICS_FILE" || error_exit "Failed to write git status"
+fi
+echo "" >> "$METRICS_FILE" || error_exit "Failed to write newline"
+
+# 2. Test-to-code ratio (git-tracked only so node_modules/dist/build/reports are excluded)
+echo "## Test-to-Code Ratio" >> "$METRICS_FILE"
+if git rev-parse --git-dir > /dev/null 2>&1; then
+  TEST_FILES=$(git ls-files -- '*.test.ts' '*.spec.ts' 2>/dev/null | tr '\n' ' ')
+  CODE_FILES=$(git ls-files -- '*.ts' 2>/dev/null | grep -v -E '\.(test|spec)\.ts$' | tr '\n' ' ')
+  if [ -z "$TEST_FILES" ]; then TEST_LINES=0; else TEST_LINES=$(echo "$TEST_FILES" | xargs wc -l 2>/dev/null | tail -1 | awk '{print $1}' || echo "0"); fi
+  if [ -z "$CODE_FILES" ]; then CODE_LINES=0; else CODE_LINES=$(echo "$CODE_FILES" | xargs wc -l 2>/dev/null | tail -1 | awk '{print $1}' || echo "0"); fi
+else
+  # Fallback: find with exclusions (no git or not a repo)
+  TEST_LINES=$(find . -type d \( -name node_modules -o -name dist -o -name build -o -name reports \) -prune -o -type f \( -name "*.test.ts" -o -name "*.spec.ts" \) -print 2>/dev/null | xargs wc -l 2>/dev/null | tail -1 | awk '{print $1}' || echo "0")
+  CODE_LINES=$(find . -type d \( -name node_modules -o -name dist -o -name build -o -name reports \) -prune -o -type f -name "*.ts" ! -name "*.test.ts" ! -name "*.spec.ts" -print 2>/dev/null | xargs wc -l 2>/dev/null | tail -1 | awk '{print $1}' || echo "0")
+fi
+if [ "${CODE_LINES:-0}" -gt 0 ]; then
+  RATIO=$(echo "scale=2; $TEST_LINES / $CODE_LINES" | bc 2>/dev/null || echo "N/A")
+  echo "Test lines: $TEST_LINES" >> "$METRICS_FILE"
+  echo "Code lines: $CODE_LINES" >> "$METRICS_FILE"
+  echo "Ratio: $RATIO" >> "$METRICS_FILE"
+else
+  echo "No code found" >> "$METRICS_FILE"
+fi
+echo "" >> "$METRICS_FILE"
+
+# 3. Dependency count
+echo "## Dependency Growth" >> "$METRICS_FILE" || error_exit "Failed to write dependency section"
+if [ -f "package.json" ]; then
+  DEPS=$(jq '.dependencies | length' package.json 2>/dev/null || echo "N/A")
+  DEV_DEPS=$(jq '.devDependencies | length' package.json 2>/dev/null || echo "N/A")
+  echo "Dependencies: $DEPS" >> "$METRICS_FILE" || error_exit "Failed to write dependencies"
+  echo "DevDependencies: $DEV_DEPS" >> "$METRICS_FILE" || error_exit "Failed to write devDependencies"
+else
+  echo "No package.json found" >> "$METRICS_FILE" || error_exit "Failed to write package.json status"
+fi
+echo "" >> "$METRICS_FILE" || error_exit "Failed to write newline"
+
+# 4. New files without intents
+echo "## Untracked New Concepts" >> "$METRICS_FILE"
+if git rev-parse --git-dir > /dev/null 2>&1; then
+  NEW_FILES=$(git diff --name-only HEAD~20 --diff-filter=A 2>/dev/null | grep -v "work/intent/" | head -10 || echo "No new files")
+  echo "$NEW_FILES" >> "$METRICS_FILE"
+else
+  echo "Not a git repository" >> "$METRICS_FILE"
+fi
+echo "" >> "$METRICS_FILE"
+
+# 5. CI Performance (placeholder)
+echo "## CI Performance" >> "$METRICS_FILE"
+echo "(Manually update from CI dashboard)" >> "$METRICS_FILE"
+echo "" >> "$METRICS_FILE"
+
+echo "Drift check complete. See $METRICS_FILE"

package/scripts/execute-rollback.sh

@@ -0,0 +1,177 @@
+#!/bin/bash
+# Execute rollback for an intent in guided mode.
+# Reads rollback plan from work/workflow-state/ (flat or per-intent per workflow-state-layout).
+# High-risk steps: display only. Safe steps: prompt [y/N], execute if confirmed.
+# Audit log: work/workflow-state/rollback-log.md
+# Usage: ./scripts/execute-rollback.sh <intent-id> [--dry-run]
+
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+REPO_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
+cd "$REPO_ROOT"
+
+# shellcheck source=scripts/lib/common.sh
+. "$SCRIPT_DIR/lib/common.sh"
+
+INTENT_ID=""
+DRY_RUN=false
+
+while [ $# -gt 0 ]; do
+  case "$1" in
+    --dry-run) DRY_RUN=true; shift ;;
+    -*)
+      error_exit "Unknown option: $1. Usage: $0 <intent-id> [--dry-run]" 1
+      ;;
+    *)
+      [ -z "$INTENT_ID" ] || error_exit "Multiple intent IDs given. Usage: $0 <intent-id> [--dry-run]" 1
+      INTENT_ID="$1"
+      shift
+      ;;
+  esac
+done
+
+[ -n "$INTENT_ID" ] || error_exit "Missing intent-id. Usage: $0 <intent-id> [--dry-run]" 1
+
+WS="work/workflow-state"
+LOG_FILE="$WS/rollback-log.md"
+
+# Resolve rollback plan path per workflow-state-layout.md
+resolve_rollback_plan() {
+  local per_intent="$WS/$INTENT_ID"
+  if [ -d "$per_intent" ]; then
+    if [ -f "$per_intent/rollback.md" ]; then
+      echo "$per_intent/rollback.md"
+      return 0
+    fi
+    if [ -f "$per_intent/02_plan.md" ]; then
+      echo "$per_intent/02_plan.md"
+      return 0
+    fi
+  fi
+  if [ -f "$WS/rollback.md" ]; then
+    echo "$WS/rollback.md"
+    return 0
+  fi
+  if [ -f "$WS/02_plan.md" ]; then
+    echo "$WS/02_plan.md"
+    return 0
+  fi
+  return 1
+}
+
+ROLLBACK_SOURCE="$(resolve_rollback_plan)" || error_exit "No rollback plan found. Run /revert-plan $INTENT_ID first." 1
+
+# Extract rollback content: from rollback.md (full file) or from 02_plan.md (rollback section)
+get_rollback_content() {
+  if [[ "$ROLLBACK_SOURCE" == *rollback.md ]]; then
+    cat "$ROLLBACK_SOURCE"
+  else
+    awk '/^#+[[:space:]]+[Rr]ollback|^#[[:space:]]+Rollback Plan/,/^## [^Rr]/ {print}' "$ROLLBACK_SOURCE" || cat "$ROLLBACK_SOURCE"
+  fi
+}
+
+# High-risk keywords: do NOT offer execution, display only
+HIGH_RISK_PATTERNS="force|drop|delete|migration down|production|auth|secret|--force|-f |rm -r|rm -rf"
+
+# Safe pattern: simple git revert (single sha, no force)
+# Note: step is content AFTER the bullet "- ", so no leading dash
+is_safe_git_revert() {
+  local step="$1"
+  [[ "$step" =~ ^git[[:space:]]+revert[[:space:]]+[a-fA-F0-9]+([[:space:]]*$|[[:space:]]+-m) ]] && \
+  ! echo "$step" | grep -qEi "$HIGH_RISK_PATTERNS"
+}
+
+is_high_risk() {
+  echo "$1" | grep -qEi "$HIGH_RISK_PATTERNS"
+}
+
+log_entry() {
+  local outcome="$1"
+  local step_preview="$2"
+  local truncated="${step_preview:0:100}"
+  local suffix=""
+  [ ${#step_preview} -gt 100 ] && suffix="..."
+  mkdir -p "$(dirname "$LOG_FILE")"
+  {
+    echo ""
+    echo "## $(date -u +"%Y-%m-%dT%H:%M:%SZ") - $INTENT_ID"
+    echo "- **Outcome:** $outcome"
+    echo "- **Step:** ${truncated}${suffix}"
+    echo ""
+  } >> "$LOG_FILE"
+}
+
+CONTENT="$(get_rollback_content)"
+
+if [ -z "$CONTENT" ]; then
+  error_exit "Rollback plan is empty or has no rollback section." 1
+fi
+
+echo -e "${BLUE}Rollback Plan for $INTENT_ID${NC}"
+echo -e "${BLUE}Source: $ROLLBACK_SOURCE${NC}"
+echo ""
+
+if [ "$DRY_RUN" = true ]; then
+  echo -e "${YELLOW}[DRY RUN] Would process the following steps:${NC}"
+  echo "$CONTENT" | grep -E '^[[:space:]]*- ' | sed 's/^/  /'
+  echo ""
+  echo "Run without --dry-run to execute (safe steps only, with confirmation)."
+  exit 0
+fi
+
+# Extract bullet steps (lines starting with - )
+steps=()
+while IFS= read -r line; do
+  if [[ "$line" =~ ^[[:space:]]*-[[:space:]]+(.+) ]]; then
+    steps+=("${BASH_REMATCH[1]}")
+  fi
+done < <(echo "$CONTENT")
+
+if [ ${#steps[@]} -eq 0 ]; then
+  echo "No bullet steps found in rollback plan. Displaying full plan:"
+  echo "$CONTENT"
+  exit 0
+fi
+
+echo "Before executing any step that touches production, infra, or data, ensure you have reviewed the rollback plan."
+echo ""
+
+for step in "${steps[@]}"; do
+  step_trimmed="${step#"${step%%[![:space:]]*}"}"
+  if [ -z "$step_trimmed" ]; then
+    continue
+  fi
+
+  if is_high_risk "$step_trimmed"; then
+    echo -e "${RED}[MANUAL]${NC} $step_trimmed"
+    echo "  → Run this manually. Do not auto-execute."
+    log_entry "manual" "$step_trimmed"
+    continue
+  fi
+
+  if is_safe_git_revert "$step_trimmed"; then
+    echo -e "${YELLOW}[CONFIRM]${NC} $step_trimmed"
+    read -r -p "Run this? [y/N] " resp
+    if [[ "$resp" =~ ^[yY]$ ]]; then
+      sha="$(echo "$step_trimmed" | grep -oE '[a-fA-F0-9]{7,40}' | head -1)"
+      if [ -n "$sha" ] && git revert --no-edit "$sha"; then
+        echo -e "${GREEN}Done.${NC}"
+        log_entry "confirmed" "$step_trimmed"
+      else
+        echo -e "${RED}Failed. Run manually if needed.${NC}"
+        log_entry "failed" "$step_trimmed"
+      fi
+    else
+      echo "Skipped."
+      log_entry "skipped" "$step_trimmed"
+    fi
+  else
+    echo -e "${YELLOW}[MANUAL]${NC} $step_trimmed"
+    echo "  → Not in safe allowlist. Run manually."
+    log_entry "manual" "$step_trimmed"
+  fi
+  echo ""
+done
+
+echo -e "${GREEN}Rollback flow complete. Log: $LOG_FILE${NC}"