@nlaprell/shipit 1.0.0

package/scripts/workflow-templates/01_analysis.md.tpl

@@ -0,0 +1,25 @@
+# Analysis: {{INTENT_ID}}
+
+**Generated:** {{DATE_UTC}}
+**Intent:** {{INTENT_ID}}
+
+## Requirements
+
+[To be filled by PM agent]
+
+## Acceptance Criteria
+
+[To be filled by PM agent]
+
+## Confidence Scores
+
+- Requirements clarity: [0.0-1.0]
+- Domain assumptions: [0.0-1.0]
+
+## Do-Not-Repeat Check
+
+[Results from _system/do-not-repeat/ check]
+
+## Next Steps
+
+Proceed to Planning phase.

package/scripts/workflow-templates/02_plan.md.tpl

@@ -0,0 +1,30 @@
+# Plan: {{INTENT_ID}}
+
+**Generated:** {{DATE_UTC}}
+**Intent:** {{INTENT_ID}}
+
+## Technical Approach
+
+[To be filled by Architect agent]
+
+## Files to Create/Modify
+
+- [File list]
+
+## CANON.md Compliance
+
+[Compliance check results]
+
+## Rollback Strategy
+
+[Rollback plan]
+
+## Approval Status
+
+- [ ] Human approval required
+- [ ] Approved
+- [ ] Blocked
+
+## Next Steps
+
+Proceed to Test Writing phase.

package/scripts/workflow-templates/03_implementation.md.tpl

@@ -0,0 +1,25 @@
+# Implementation: {{INTENT_ID}}
+
+**Generated:** {{DATE_UTC}}
+**Intent:** {{INTENT_ID}}
+
+## Implementation Progress
+
+[To be filled by Implementer agent]
+
+## Files Modified
+
+- [List of files]
+
+## Tests Status
+
+- [ ] All tests pass
+- [ ] Coverage meets threshold
+
+## Deviations from Plan
+
+[Any deviations and rationale]
+
+## Next Steps
+
+Proceed to Verification phase.

package/scripts/workflow-templates/04_verification.md.tpl

@@ -0,0 +1,29 @@
+# Verification: {{INTENT_ID}}
+
+**Generated:** {{DATE_UTC}}
+**Intent:** {{INTENT_ID}}
+
+## Test Results
+
+[QA agent results]
+
+## Mutation Testing
+
+[Mutation test results]
+
+## Security Review
+
+[Security agent findings]
+
+## Dependency Audit
+
+[Audit results]
+
+## Verification Status
+
+- [ ] All checks pass
+- [ ] Ready for release
+
+## Next Steps
+
+Proceed to Release phase.

package/scripts/workflow-templates/05_release_notes.md.tpl

@@ -0,0 +1,16 @@
+# Release Notes: {{INTENT_ID}}
+
+**Generated:** {{DATE_UTC}}
+**Intent:** {{INTENT_ID}}
+
+## Documentation Updates
+
+[Docs agent updates]
+
+## Release Notes
+
+[Release notes]
+
+## Approval Summary
+
+[Steward decision and rationale]

package/scripts/workflow-templates/05_verification_legacy.md.tpl

@@ -0,0 +1,6 @@
+# Verification (Legacy): {{INTENT_ID}}
+
+**Generated:** {{DATE_UTC}}
+**Intent:** {{INTENT_ID}}
+
+This file is deprecated. Use `work/workflow-state/04_verification.md`.

package/scripts/workflow-templates/active.md.tpl

@@ -0,0 +1,18 @@
+# Active Intent
+
+**Intent ID:** {{INTENT_ID}}
+**Status:** active
+**Current Phase:** [Phase name]
+**Started:** {{DATE_UTC}}
+
+## Progress
+
+- [ ] Phase 1: Analysis
+- [ ] Phase 2: Planning
+- [ ] Phase 3: Implementation
+- [ ] Phase 4: Verification
+- [ ] Phase 5: Release Notes
+
+## Assigned Agents
+
+[Agent assignments]

package/scripts/workflow-templates/phases.yml

@@ -0,0 +1,39 @@
+# Workflow phase spec: single source of truth for workflow-orchestrator.
+# Add a phase by adding an entry here and a matching .tpl file.
+
+phases:
+  - id: analysis
+    output: 01_analysis.md
+    template: 01_analysis.md.tpl
+    name: Analysis
+    role: PM
+  - id: plan
+    output: 02_plan.md
+    template: 02_plan.md.tpl
+    name: Planning
+    role: Architect
+  - id: implementation
+    output: 03_implementation.md
+    template: 03_implementation.md.tpl
+    name: Implementation
+    role: Implementer
+  - id: verification
+    output: 04_verification.md
+    template: 04_verification.md.tpl
+    name: Verification
+    role: QA
+  - id: release
+    output: 05_release_notes.md
+    template: 05_release_notes.md.tpl
+    name: Release
+    role: Docs
+  - id: legacy_verification
+    output: 05_verification.md
+    template: 05_verification_legacy.md.tpl
+    name: Legacy Verification
+    role: null
+  - id: active
+    output: active.md
+    template: active.md.tpl
+    name: Active
+    role: null

package/stryker.conf.json

@@ -0,0 +1,8 @@
+{
+  "$schema": "./node_modules/@stryker-mutator/core/schema/stryker-schema.json",
+  "testRunner": "vitest",
+  "plugins": ["@stryker-mutator/vitest-runner"],
+  "reporters": ["progress", "clear-text", "html"],
+  "mutate": ["src/**/*.ts"],
+  "coverageAnalysis": "off"
+}

package/work/intent/templates/api-endpoint.md

@@ -0,0 +1,124 @@
+# F-###: Title
+
+## Type
+
+feature | bug | tech-debt
+
+## Status
+
+planned | active | blocked | validating | shipped | killed
+
+## Priority
+
+p0 | p1 | p2 | p3
+
+## Effort
+
+s | m | l
+
+## Release Target
+
+R1 | R2 | R3 | R4
+
+## Motivation
+
+(Why it exists, 1–3 bullets)
+
+## Endpoint (API)
+
+- Path: (e.g. `/api/v1/resources`)
+- Method: GET | POST | PUT | PATCH | DELETE
+- Request schema: (body/params)
+- Response schema: (status codes, body)
+- Auth: (none | API key | JWT | scope)
+- Rate limit: (if applicable)
+
+## Confidence
+
+Requirements: 0.0–1.0  
+Domain assumptions: 0.0–1.0
+(If either < threshold, document why proceeding or request human interrupt)
+
+## Invariants (Hard Constraints)
+
+Written in dual form: human-readable AND executable. For API: latency, backward compat.
+
+Human-readable:
+
+- p95 latency < 200ms (or project budget)
+- Schema backward compatible for 3 versions
+- (Add API-specific invariants)
+
+Executable (add to \_system/architecture/invariants.yml):
+
+```yaml
+invariants:
+  - p95_latency_ms: 200
+  - schema_backward_compat_versions: 3
+success_metrics:
+  - test_pass_rate: 99.5
+```
+
+## Acceptance (Executable)
+
+These are the ONLY criteria for "done." If it can't be checked automatically, it doesn't belong here.
+
+- [ ] Contract tests: API response matches schema; status codes documented and tested
+- [ ] CLI: `pnpm test` green
+- [ ] CLI: `pnpm lint && pnpm typecheck` green
+- [ ] Performance: p95 < budget (if applicable)
+- [ ] (Add endpoint-specific checks)
+
+## Assumptions (MUST BE EXPLICIT)
+
+Every assumption is a potential bug. List them and make them testable where possible.
+
+- (ex: "Auth provider returns consistent claims" — add contract?)
+- (ex: "Rate limiter is configured per endpoint" — add test?)
+
+## Risk Level
+
+low | medium | high
+
+Risk triggers:
+
+- high: auth, money, data migration, permissions, infra, PII
+- medium: new dependencies, API changes, performance-sensitive
+- low: docs, refactors, tests, internal tooling
+
+## Kill Criteria (Stop Conditions)
+
+If ANY of these trigger, the intent is KILLED (not paused, not reworked—killed):
+
+- Cannot satisfy latency invariant without major redesign
+- Requires breaking schema compatibility beyond allowed versions
+- Conflicts with architecture canon
+- (Add API-specific kill criteria)
+
+## Rollback Plan
+
+REQUIRED before implementation begins.
+
+- Feature flag or route toggle: disable endpoint
+- Config revert: previous version
+- Revert commit: clean revert possible without data loss
+
+## Dependencies
+
+- (Other intent IDs that must ship first)
+- (ADRs that must be approved)
+- (External systems/APIs)
+
+## GitHub issue
+
+(Optional) Link to a GitHub issue for tracking/collaboration. Single source of truth for the link is this intent file. Use `#123` (same repo) or `owner/repo#123`.
+
+- (e.g. `#42` or leave blank)
+
+## Do Not Repeat Check
+
+Before starting, verify this hasn't been tried before:
+
+- [ ] Checked \_system/do-not-repeat/abandoned-designs.md
+- [ ] Checked \_system/do-not-repeat/failed-experiments.md
+- [ ] No similar rejected approaches exist

package/work/intent/templates/bugfix.md

@@ -0,0 +1,116 @@
+# F-###: Title
+
+## Type
+
+feature | bug | tech-debt
+
+## Status
+
+planned | active | blocked | validating | shipped | killed
+
+## Priority
+
+p0 | p1 | p2 | p3
+
+## Effort
+
+s | m | l
+
+## Release Target
+
+R1 | R2 | R3 | R4
+
+## Motivation
+
+(Why it exists, 1–3 bullets — e.g. "User-reported wrong result when X; impacts Y")
+
+## Reproduction
+
+- (Steps to reproduce the bug)
+- (Environment/version where it occurs)
+- (Optional: link to issue or ticket)
+
+## Root Cause
+
+- (Brief description of cause once known)
+- (Where in code or design the fault is)
+
+## Fix Scope
+
+- (What will change: files, behavior, config)
+- (What will NOT change — avoid scope creep)
+
+## Confidence
+
+Requirements: 0.0–1.0  
+Domain assumptions: 0.0–1.0
+(If either < threshold, document why proceeding or request human interrupt)
+
+## Invariants (Hard Constraints)
+
+- No new regressions: existing tests pass; new test captures the bug and passes after fix
+- (Add any other hard constraints for this fix)
+
+Executable (add to \_system/architecture/invariants.yml if applicable):
+
+```yaml
+invariants:
+  - regression_test_added: true
+success_metrics:
+  - test_pass_rate: 99.5
+```
+
+## Acceptance (Executable)
+
+These are the ONLY criteria for "done." If it can't be checked automatically, it doesn't belong here.
+
+- [ ] Test that failed before the bug and passes after: (describe or reference test name)
+- [ ] CLI: `pnpm test` green
+- [ ] CLI: `pnpm lint && pnpm typecheck` green
+- [ ] No new regressions: full test suite (or relevant subset) passes
+- [ ] (Add bug-specific checks: e.g. repro steps no longer fail)
+
+## Assumptions (MUST BE EXPLICIT)
+
+- (ex: "Root cause is in component X" — confirm before broad change?)
+- (ex: "Fix does not require API contract change" — verify?)
+
+## Risk Level
+
+low | medium | high
+
+Risk triggers:
+
+- high: auth, money, data loss, permissions, infra, PII
+- medium: new dependencies, behavior change in hot path
+- low: docs, refactors, tests, internal tooling
+
+## Kill Criteria (Stop Conditions)
+
+- Root cause is elsewhere; fix would be a workaround only
+- Fix introduces unacceptable regression or complexity
+- (Add bug-specific kill criteria)
+
+## Rollback Plan
+
+- Revert commit: clean revert possible (preferred for bugfixes)
+- (If config/feature flag: how to disable the fix)
+
+## Dependencies
+
+- (Other intent IDs that must ship first)
+- (Blocking issues or environment requirements)
+
+## GitHub issue
+
+(Optional) Link to a GitHub issue. Use `#123` or `owner/repo#123`.
+
+- (e.g. `#42` or leave blank)
+
+## Do Not Repeat Check
+
+Before starting, verify this hasn't been tried before:
+
+- [ ] Checked \_system/do-not-repeat/abandoned-designs.md
+- [ ] Checked \_system/do-not-repeat/failed-experiments.md
+- [ ] No similar rejected approaches exist

package/work/intent/templates/frontend-feature.md

@@ -0,0 +1,115 @@
+# F-###: Title
+
+## Type
+
+feature | bug | tech-debt
+
+## Status
+
+planned | active | blocked | validating | shipped | killed
+
+## Priority
+
+p0 | p1 | p2 | p3
+
+## Effort
+
+s | m | l
+
+## Release Target
+
+R1 | R2 | R3 | R4
+
+## Motivation
+
+(Why it exists, 1–3 bullets)
+
+## Screens / Components
+
+- (List screens or components touched)
+- User-facing flows: (brief description)
+
+## User Flows
+
+- (Key flows: e.g. "User logs in → sees dashboard → clicks X → Y")
+- (Optional: link to wireframes or figma)
+
+## Accessibility
+
+- (a11y requirements: keyboard nav, ARIA, contrast, screen reader)
+- (WCAG level if applicable)
+
+## Confidence
+
+Requirements: 0.0–1.0  
+Domain assumptions: 0.0–1.0
+(If either < threshold, document why proceeding or request human interrupt)
+
+## Invariants (Hard Constraints)
+
+- No regressions on core flows (existing E2E or smoke tests still pass)
+- (Add feature-specific invariants)
+
+Executable (add to \_system/architecture/invariants.yml if applicable):
+
+```yaml
+invariants:
+  - core_flows_e2e_pass: true
+success_metrics:
+  - test_pass_rate: 99.5
+```
+
+## Acceptance (Executable)
+
+These are the ONLY criteria for "done." If it can't be checked automatically, it doesn't belong here.
+
+- [ ] E2E or component tests: cover new/changed flows
+- [ ] Accessibility: a11y checks pass (e.g. axe, lint)
+- [ ] CLI: `pnpm test` green
+- [ ] CLI: `pnpm lint && pnpm typecheck` green
+- [ ] No regressions: existing core-flow tests pass
+
+## Assumptions (MUST BE EXPLICIT)
+
+- (ex: "Design system components are accessible" — verify?)
+- (ex: "Target browsers support feature X" — add check?)
+
+## Risk Level
+
+low | medium | high
+
+Risk triggers:
+
+- high: auth, money, permissions, PII
+- medium: new dependencies, breaking UI changes
+- low: docs, refactors, tests, internal tooling
+
+## Kill Criteria (Stop Conditions)
+
+- Conflicts with architecture canon
+- Core flows cannot be preserved
+- (Add feature-specific kill criteria)
+
+## Rollback Plan
+
+- Feature flag: disable feature in UI
+- Revert commit: clean revert possible
+
+## Dependencies
+
+- (Other intent IDs that must ship first)
+- (Design/UX sign-off if required)
+
+## GitHub issue
+
+(Optional) Link to a GitHub issue. Use `#123` or `owner/repo#123`.
+
+- (e.g. `#42` or leave blank)
+
+## Do Not Repeat Check
+
+Before starting, verify this hasn't been tried before:
+
+- [ ] Checked \_system/do-not-repeat/abandoned-designs.md
+- [ ] Checked \_system/do-not-repeat/failed-experiments.md
+- [ ] No similar rejected approaches exist

package/work/intent/templates/generic.md

@@ -0,0 +1,122 @@
+# F-###: Title
+
+## Type
+
+feature | bug | tech-debt
+
+## Status
+
+planned | active | blocked | validating | shipped | killed
+
+## Priority
+
+p0 | p1 | p2 | p3
+
+## Effort
+
+s | m | l
+
+## Release Target
+
+R1 | R2 | R3 | R4
+
+## Motivation
+
+(Why it exists, 1–3 bullets)
+
+## Confidence
+
+Requirements: 0.0–1.0  
+Domain assumptions: 0.0–1.0
+(If either < threshold, document why proceeding or request human interrupt)
+
+## Invariants (Hard Constraints)
+
+Written in dual form: human-readable AND executable
+
+Human-readable:
+
+- No PII stored unencrypted
+- p95 latency < 200ms
+- Schema backward compatible for 3 versions
+
+Executable (add to \_system/architecture/invariants.yml):
+
+```yaml
+invariants:
+  - no_pii_unencrypted
+  - p95_latency_ms: 200
+  - schema_backward_compat_versions: 3
+success_metrics:
+  - test_pass_rate: 99.5
+  - zero_data_loss_on_replay: true
+```
+
+## Acceptance (Executable)
+
+These are the ONLY criteria for "done." If it can't be checked automatically, it doesn't belong here.
+
+- [ ] Tests: `<test_name>` added; fails before fix, passes after
+- [ ] CLI: `pnpm test` green
+- [ ] CLI: `pnpm lint && pnpm typecheck` green
+- [ ] Observability: metric X emitted (if applicable)
+- [ ] Contract: API response matches schema (if applicable)
+- [ ] Performance: p95 < budget (if applicable)
+
+## Assumptions (MUST BE EXPLICIT)
+
+Every assumption is a potential bug. List them and make them testable where possible.
+
+- (ex: "User sessions never exceed 24h" — add test?)
+- (ex: "Database connection pool size is sufficient" — add monitoring?)
+- (ex: "This regex handles all Unicode correctly" — add property test?)
+
+## Risk Level
+
+low | medium | high
+
+Risk triggers:
+
+- high: auth, money, data migration, permissions, infra, PII
+- medium: new dependencies, API changes, performance-sensitive
+- low: docs, refactors, tests, internal tooling
+
+## Kill Criteria (Stop Conditions)
+
+If ANY of these trigger, the intent is KILLED (not paused, not reworked—killed):
+
+- Cannot satisfy latency invariant without major redesign
+- Requires breaking schema compatibility beyond allowed versions
+- Adds >20% complexity to core execution path
+- Conflicts with architecture canon
+- Requires >N days without progress (define N)
+- Cost exceeds budget by >X%
+
+## Rollback Plan
+
+REQUIRED before implementation begins.
+
+- Feature flag: `FEATURE_X_ENABLED=false`
+- Config toggle: revert to previous config
+- Database: migration has corresponding down migration
+- Revert commit: clean revert possible without data loss
+
+## Dependencies
+
+- (Other intent IDs that must ship first)
+- (ADRs that must be approved)
+- (External systems/APIs)
+
+## GitHub issue
+
+(Optional) Link to a GitHub issue for tracking/collaboration. Single source of truth for the link is this intent file. Use `#123` (same repo) or `owner/repo#123`.
+
+- (e.g. `#42` or leave blank)
+
+## Do Not Repeat Check
+
+Before starting, verify this hasn't been tried before:
+
+- [ ] Checked \_system/do-not-repeat/abandoned-designs.md
+- [ ] Checked \_system/do-not-repeat/failed-experiments.md
+- [ ] No similar rejected approaches exist