@oisincoveney/pipeline 1.8.0 → 1.9.0

package/README.md

@@ -37,11 +37,17 @@ Momokaya remote endpoint
 
 The default GitHub MCP registration uses GitHub's official container in
 read-only mode and reads `GITHUB_PERSONAL_ACCESS_TOKEN` from the environment.
-The Momokaya Qdrant endpoint is protected by Traefik HTTP Basic auth. Set either
-`MOMOKAYA_MCP_AUTHORIZATION` to the complete Authorization header value
-(`Basic <base64-user-colon-password>`) or `MEMORY_MCP_BASIC_AUTH` to only the
-base64 payload. `pipe init` resolves that value before registering the remote
-server with MCPM.
+The Momokaya Qdrant endpoint is protected by Traefik HTTP Basic auth. Set
+`MEMORY_MCP_BASIC_AUTH` to the base64 `user:password` payload before running
+`pipe init` if you want init to register that remote server with MCPM:
+
+```shell
+export MEMORY_MCP_BASIC_AUTH="$(printf '%s' 'user:password' | base64)"
+```
+
+When `MEMORY_MCP_BASIC_AUTH` is not set, `pipe init` still writes the default
+scaffold and keeps the generated `qdrant` MCP entry, but skips immediate MCPM
+registration for that private endpoint.
 
 Check local prerequisites and config health:
 
@@ -90,7 +96,7 @@ pipe epic PIPE-31
 
 The `epic` entrypoint routes an epic's child tickets into fixed specialist
 tracks, runs those tracks in parallel, merges passing branches, and then runs a
-hardened review.
+thermo-nuclear code quality review.
 
 The `pipe` binary also accepts the task directly:
 
@@ -201,11 +207,11 @@ The built-in `epic` entrypoint uses those primitives:
 entrypoints:
   epic:
     workflow: epic-drain
-    description: Route an epic's tickets into specialist tracks, run them in parallel, then hardened-review.
+    description: Route an epic's tickets into specialist tracks, run them in parallel, then thermo-nuclear review.
 
 workflows:
   epic-drain:
-    description: Research, route, parallel-implement tracks in isolated worktrees, integrate, hardened-review.
+    description: Research, route, parallel-implement tracks in isolated worktrees, integrate, thermo-nuclear review.
     nodes:
       - id: research
         kind: agent
@@ -240,7 +246,7 @@ workflows:
         needs: [implement]
       - id: review
         kind: agent
-        profile: pipeline-hardened-reviewer
+        profile: pipeline-thermo-nuclear-reviewer
         needs: [merge]
         gates:
           - { id: review-verdict, kind: verdict, target: stdout }
@@ -253,10 +259,9 @@ branches share a base SHA, and merges passing branches into an integration
 branch in declaration order. It reports merge conflicts; it does not resolve
 them automatically.
 
-The `hardened-review` skill is an external/local skill registered at
-`.agents/skills/hardened-review/SKILL.md`. When that file is absent, normal
-validation reports a `missing-file-reference` warning and continues; `--strict`
-promotes that warning to a failure.
+The `thermo-nuclear-code-quality-review` skill is installed from
+`cursor/plugins` and registered at
+`.agents/skills/thermo-nuclear-code-quality-review/SKILL.md`.
 
 ## Generated Host Resources
 

package/defaults/install-manifest.json

@@ -30,6 +30,10 @@
         "deprecation-and-migration"
       ]
     },
+    {
+      "source": "cursor/plugins",
+      "skills": ["thermo-nuclear-code-quality-review"]
+    },
     {
       "source": "trailofbits/skills",
       "skills": ["semgrep", "supply-chain-risk-auditor"]
@@ -78,12 +82,10 @@
       "name": "oisin-pipeline-qdrant",
       "transport": "remote",
       "url": "https://memory-mcp.momokaya.ee/mcp/",
+      "optionalRegistration": true,
       "headers": {
         "Authorization": {
-          "sources": [
-            { "env": "MOMOKAYA_MCP_AUTHORIZATION" },
-            { "env": "MEMORY_MCP_BASIC_AUTH", "prefix": "Basic " }
-          ]
+          "sources": [{ "env": "MEMORY_MCP_BASIC_AUTH", "prefix": "Basic " }]
         }
       }
     },

package/dist/pipeline-init.js

@@ -29,6 +29,18 @@ var PipelineMcpInstallError = class extends Error {
 		this.name = "PipelineMcpInstallError";
 	}
 };
+var PipelineMcpMissingCredentialError = class extends PipelineMcpInstallError {
+	headerName;
+	missingEnv;
+	serverName;
+	constructor(serverName, headerName, missingEnv) {
+		super([`MCP server ${serverName} requires ${headerName} credentials before it can be registered.`, `Set ${missingEnv.join(" or ")} and re-run pipeline init.`].join("\n"));
+		this.name = "PipelineMcpMissingCredentialError";
+		this.serverName = serverName;
+		this.headerName = headerName;
+		this.missingEnv = missingEnv;
+	}
+};
 var PipelineDefaultManifestError = class extends Error {
 	constructor(message) {
 		super(message);
@@ -58,6 +70,7 @@ const pipelineMcpInstallSpecSchema = z.object({
 	env: z.record(z.string(), z.string()).optional(),
 	headers: z.record(z.string(), pipelineMcpHeaderValueSchema).optional(),
 	name: z.string().min(1),
+	optionalRegistration: z.boolean().optional(),
 	transport: z.enum(["remote", "stdio"]),
 	url: z.string().url().optional()
 }).strict().superRefine((spec, ctx) => {
@@ -125,6 +138,9 @@ entrypoints:
   inspect:
     workflow: inspect
     description: Read-only repository inspection
+  epic:
+    workflow: epic-drain
+    description: Route an epic's tickets into specialist tracks, run them in parallel, then thermo-nuclear review.
 
 orchestrator:
   profile: orchestrator
@@ -234,6 +250,121 @@ workflows:
         kind: agent
         profile: pipeline-learner
         needs: [verify]
+  infra:
+    description: Default-shaped stub workflow for infrastructure specialization.
+    nodes:
+      - id: research
+        kind: agent
+        profile: pipeline-researcher
+      - id: red
+        kind: agent
+        profile: pipeline-test-writer
+        needs: [research]
+        gates:
+          - id: red-test-file-policy
+            kind: changed_files
+            changed_files:
+              allow:
+                [
+                  "**/*.test.*",
+                  "**/*.spec.*",
+                  "**/*_test.*",
+                  "**/__tests__/**",
+                  "test/**",
+                  "tests/**",
+                  "**/*.snap",
+                ]
+              require_any:
+                [
+                  "**/*.test.*",
+                  "**/*.spec.*",
+                  "**/*_test.*",
+                  "**/__tests__/**",
+                  "test/**",
+                  "tests/**",
+                ]
+      - id: green
+        kind: agent
+        profile: pipeline-code-writer
+        needs: [red]
+      - id: acceptance
+        kind: agent
+        profile: pipeline-acceptance-reviewer
+        needs: [green]
+        gates:
+          - id: acceptance-coverage
+            kind: acceptance
+            target: stdout
+            required: false
+          - id: acceptance-verdict
+            kind: verdict
+            target: stdout
+      - id: verify
+        kind: agent
+        profile: pipeline-verifier
+        needs: [acceptance]
+        gates:
+          - id: verify-typecheck
+            kind: builtin
+            builtin: typecheck
+          - id: verify-tests
+            kind: builtin
+            builtin: test
+          - id: verify-semgrep
+            kind: builtin
+            builtin: semgrep
+          - id: verify-duplication
+            kind: builtin
+            builtin: duplication
+          - id: verify-verdict
+            kind: verdict
+            target: stdout
+      - id: learn
+        kind: agent
+        profile: pipeline-learner
+        needs: [verify]
+  epic-drain:
+    description: Research, route, parallel-implement tracks in isolated worktrees, integrate, thermo-nuclear review.
+    nodes:
+      - id: research
+        kind: agent
+        profile: pipeline-researcher
+      - id: plan
+        kind: agent
+        profile: pipeline-epic-router
+        needs: [research]
+      - id: implement
+        kind: parallel
+        needs: [plan]
+        nodes:
+          - id: test
+            kind: workflow
+            workflow: default
+            worktree_root: .pipeline/runs/\${runId}/test
+          - id: frontend
+            kind: workflow
+            workflow: default
+            worktree_root: .pipeline/runs/\${runId}/frontend
+          - id: backend
+            kind: workflow
+            workflow: default
+            worktree_root: .pipeline/runs/\${runId}/backend
+          - id: k8s
+            kind: workflow
+            workflow: infra
+            worktree_root: .pipeline/runs/\${runId}/k8s
+      - id: merge
+        kind: builtin
+        builtin: drain-merge
+        needs: [implement]
+      - id: review
+        kind: agent
+        profile: pipeline-thermo-nuclear-reviewer
+        needs: [merge]
+        gates:
+          - id: review-verdict
+            kind: verdict
+            target: stdout
 `;
 const DEFAULT_RUNNERS_YAML = `version: 1
 
@@ -364,6 +495,8 @@ skills:
     path: .agents/skills/incremental-implementation/SKILL.md
   debugging-and-error-recovery:
     path: .agents/skills/debugging-and-error-recovery/SKILL.md
+  thermo-nuclear-code-quality-review:
+    path: .agents/skills/thermo-nuclear-code-quality-review/SKILL.md
   code-review-and-quality:
     path: .agents/skills/code-review-and-quality/SKILL.md
   doubt-driven-development:
@@ -489,6 +622,25 @@ profiles:
       mode: inherit
     output:
       format: text
+  pipeline-epic-router:
+    runner: codex
+    description: Route epic sub-tickets into fixed implementation tracks.
+    instructions:
+      path: .pipeline/prompts/epic-router.md
+    mcp_servers: [backlog, github-readonly]
+    tools: [read, list, grep, glob, bash]
+    filesystem:
+      mode: read-only
+      allow: ["**/*"]
+      deny: ["node_modules/**", "dist/**", ".git/**"]
+    network:
+      mode: inherit
+    output:
+      format: json_schema
+      schema_path: .pipeline/schemas/epic-plan.schema.json
+      repair:
+        enabled: true
+        max_attempts: 1
   pipeline-code-writer:
     runner: codex
     description: Implement production code until the failing tests pass.
@@ -539,6 +691,26 @@ profiles:
       repair:
         enabled: true
         max_attempts: 1
+  pipeline-thermo-nuclear-reviewer:
+    runner: codex
+    description: Perform the final thermo-nuclear code quality review of the integration branch.
+    instructions:
+      path: .agents/skills/thermo-nuclear-code-quality-review/SKILL.md
+    skills: [thermo-nuclear-code-quality-review]
+    mcp_servers: [serena, semgrep, github-readonly]
+    tools: [read, list, grep, glob, bash]
+    filesystem:
+      mode: read-only
+      allow: ["**/*"]
+      deny: ["node_modules/**", "dist/**", ".git/**"]
+    network:
+      mode: inherit
+    output:
+      format: json_schema
+      schema_path: .pipeline/schemas/review.schema.json
+      repair:
+        enabled: true
+        max_attempts: 1
   pipeline-verifier:
     runner: codex
     description: Verify checks, implementation fit, and final evidence.
@@ -696,6 +868,109 @@ const ACCEPTANCE_SCHEMA = JSON.stringify({
 	],
 	type: "object"
 }, null, 2);
+const EPIC_PLAN_SCHEMA = JSON.stringify({
+	additionalProperties: false,
+	properties: {
+		backend: {
+			items: {
+				additionalProperties: false,
+				properties: {
+					id: { type: "string" },
+					rationale: { type: "string" },
+					title: { type: "string" }
+				},
+				required: ["id"],
+				type: "object"
+			},
+			type: "array"
+		},
+		frontend: {
+			items: {
+				additionalProperties: false,
+				properties: {
+					id: { type: "string" },
+					rationale: { type: "string" },
+					title: { type: "string" }
+				},
+				required: ["id"],
+				type: "object"
+			},
+			type: "array"
+		},
+		k8s: {
+			items: {
+				additionalProperties: false,
+				properties: {
+					id: { type: "string" },
+					rationale: { type: "string" },
+					title: { type: "string" }
+				},
+				required: ["id"],
+				type: "object"
+			},
+			type: "array"
+		},
+		rationale: { type: "string" },
+		test: {
+			items: {
+				additionalProperties: false,
+				properties: {
+					id: { type: "string" },
+					rationale: { type: "string" },
+					title: { type: "string" }
+				},
+				required: ["id"],
+				type: "object"
+			},
+			type: "array"
+		}
+	},
+	required: [
+		"test",
+		"frontend",
+		"backend",
+		"k8s"
+	],
+	type: "object"
+}, null, 2);
+const REVIEW_SCHEMA = JSON.stringify({
+	additionalProperties: false,
+	properties: {
+		findings: {
+			items: {
+				additionalProperties: false,
+				properties: {
+					file: { type: "string" },
+					line: {
+						minimum: 1,
+						type: "integer"
+					},
+					message: { type: "string" },
+					rule: { type: "string" },
+					severity: {
+						enum: [
+							"info",
+							"warn",
+							"error",
+							"critical"
+						],
+						type: "string"
+					}
+				},
+				required: ["severity", "message"],
+				type: "object"
+			},
+			type: "array"
+		},
+		summary: { type: "string" },
+		verdict: {
+			enum: ["PASS", "FAIL"],
+			type: "string"
+		}
+	},
+	required: ["verdict", "findings"],
+	type: "object"
+}, null, 2);
 const SCAFFOLD_FILES = {
 	[PIPELINE_CONFIG_PATH]: DEFAULT_PIPELINE_YAML,
 	[PROFILES_CONFIG_PATH]: DEFAULT_PROFILES_YAML,
@@ -733,6 +1008,36 @@ const SCAFFOLD_FILES = {
 		"Return concrete failing-test evidence.",
 		""
 	].join("\n"),
+	".pipeline/prompts/epic-router.md": [
+		"# Epic router",
+		"",
+		"You read an epic ticket and its sub-tickets via the Backlog MCP server, then route each sub-ticket into exactly one of four named tracks: test, frontend, backend, k8s. You output a JSON document matching `.pipeline/schemas/epic-plan.schema.json`.",
+		"",
+		"## Inputs",
+		"",
+		"- The user's task is an epic id (or a description that names one). Use the Backlog MCP `task_view` and `task_search` tools to find the epic and enumerate its sub-tickets.",
+		"- For each sub-ticket, read its title, description, labels, and any referenced files.",
+		"",
+		"## Routing rules",
+		"",
+		"Pick the single best-fit track per ticket. Heuristics, in priority order:",
+		"",
+		"1. **k8s** - anything touching deployment, Kubernetes manifests, Helm charts, infra YAML, CI/CD pipelines, Docker, ingress, RBAC, cluster config.",
+		"2. **backend** - server-side APIs, services, database schema, server-side data flows, MCP servers, non-UI integrations.",
+		"3. **frontend** - UI components, client-side state, styling, browser interactions, accessibility, Figma-referenced work.",
+		"4. **test** - work that is *primarily* writing or restructuring tests (e.g. coverage uplift, harness changes). Don't route a feature ticket here just because it mentions tests - features go to their domain track and write their own tests there.",
+		"",
+		"Ties: prefer **backend > frontend > test > k8s** unless a strong signal flips it.",
+		"",
+		"A track may be empty (`[]`).",
+		"",
+		"## Output",
+		"",
+		"Emit a single JSON document conforming to the schema. Include a short `rationale` string explaining notable routing decisions.",
+		"",
+		"Do not modify any files. Do not invoke other agents.",
+		""
+	].join("\n"),
 	".pipeline/prompts/code-writer.md": [
 		"You are the GREEN/code-write phase for the pipeline.",
 		"Implement the smallest production change that satisfies the failing tests.",
@@ -785,7 +1090,9 @@ const SCAFFOLD_FILES = {
 	].join("\n"),
 	".pipeline/schemas/research.schema.json": `${RESEARCH_SCHEMA}\n`,
 	".pipeline/schemas/acceptance.schema.json": `${ACCEPTANCE_SCHEMA}\n`,
+	".pipeline/schemas/epic-plan.schema.json": `${EPIC_PLAN_SCHEMA}\n`,
 	".pipeline/schemas/verify.schema.json": `${VERIFY_SCHEMA}\n`,
+	".pipeline/schemas/review.schema.json": `${REVIEW_SCHEMA}\n`,
 	".pipeline/schemas/learn.schema.json": `${LEARN_SCHEMA}\n`,
 	".pipeline/host-resources/claude.md": hostResourceInput("Claude Code"),
 	".pipeline/host-resources/codex.md": hostResourceInput("Codex"),
@@ -824,8 +1131,13 @@ async function installDefaultSkillsWithCli(specs, cwd) {
 	}
 }
 async function installDefaultMcpsWithCli(specs, cwd) {
+	const skipped = [];
 	for (const spec of specs) {
 		const install = mcpInstallArgs(spec);
+		if ("skipped" in install) {
+			skipped.push(install.skipped);
+			continue;
+		}
 		try {
 			await execa("uvx", [...DEFAULT_MCPM_ARGS, ...install.args], {
 				cwd,
@@ -848,6 +1160,7 @@ async function installDefaultMcpsWithCli(specs, cwd) {
 			].filter(Boolean).join("\n"));
 		}
 	}
+	return { skipped };
 }
 function mcpInstallArgs(spec) {
 	if (spec.catalog) return {
@@ -870,19 +1183,29 @@ function mcpInstallArgs(spec) {
 	if (spec.transport === "remote") {
 		if (!spec.url) throw new PipelineMcpInstallError(`MCP server ${spec.name} is remote but has no url.`);
 		const redactions = [];
-		return {
-			args: [
-				...args,
-				"--url",
-				spec.url,
-				...Object.entries(spec.headers ?? {}).flatMap(([key, value]) => {
-					const headerValue = resolveMcpHeaderValue(spec.name, key, value);
-					redactions.push(headerValue);
-					return ["--headers", `${key}=${headerValue}`];
-				})
-			],
-			redactions
-		};
+		try {
+			const headers = Object.entries(spec.headers ?? {}).flatMap(([key, value]) => {
+				const headerValue = resolveMcpHeaderValue(spec.name, key, value);
+				redactions.push(headerValue);
+				return ["--headers", `${key}=${headerValue}`];
+			});
+			return {
+				args: [
+					...args,
+					"--url",
+					spec.url,
+					...headers
+				],
+				redactions
+			};
+		} catch (err) {
+			if (spec.optionalRegistration && err instanceof PipelineMcpMissingCredentialError) return { skipped: {
+				missingEnv: err.missingEnv,
+				name: spec.name,
+				reason: `missing ${err.headerName} credentials`
+			} };
+			throw err;
+		}
 	}
 	if (!spec.command) throw new PipelineMcpInstallError(`MCP server ${spec.name} is stdio but has no command.`);
 	return {
@@ -914,8 +1237,7 @@ function resolveMcpHeaderValue(serverName, headerName, header) {
 		const rawValue = process.env[source.env];
 		if (rawValue && rawValue.trim().length > 0) return `${source.prefix ?? ""}${rawValue}${source.suffix ?? ""}`;
 	}
-	const envNames = header.sources.map((source) => source.env).join(" or ");
-	throw new PipelineMcpInstallError([`MCP server ${serverName} requires ${headerName} credentials before it can be registered.`, `Set ${envNames} and re-run pipeline init.`].join("\n"));
+	throw new PipelineMcpMissingCredentialError(serverName, headerName, header.sources.map((source) => source.env));
 }
 function assertDefaultSkillsInstalled(cwd) {
 	const paths = defaultSkillPaths();
@@ -935,7 +1257,7 @@ async function initPipelineProject(options = {}) {
 	const paths = Object.keys(files);
 	const conflicts = paths.filter((path) => existsSync(join(cwd, path)));
 	if (conflicts.length > 0 && !options.overwrite) throw new PipelineInitError(conflicts);
-	await (options.mcpInstaller ?? installDefaultMcpsWithCli)(DEFAULT_MCP_INSTALLS, cwd);
+	const mcpInstallResult = await (options.mcpInstaller ?? installDefaultMcpsWithCli)(DEFAULT_MCP_INSTALLS, cwd);
 	await (options.skillInstaller ?? installDefaultSkillsWithCli)(DEFAULT_SKILL_INSTALLS, cwd);
 	const skillPaths = assertDefaultSkillsInstalled(cwd);
 	for (const [path, content] of Object.entries(files)) {
@@ -949,10 +1271,18 @@ async function initPipelineProject(options = {}) {
 		...existsSync(join(cwd, "skills-lock.json")) ? ["skills-lock.json"] : []
 	];
 	loadPipelineConfig(cwd);
-	return { files: generatedPaths };
+	return {
+		files: generatedPaths,
+		skippedMcps: mcpInstallResult?.skipped ?? []
+	};
 }
 function formatPipelineInitResult(result) {
-	return ["Initialized pipeline scaffold:", ...result.files.map((path) => `create ${path}`)].join("\n");
+	const skippedMcps = result.skippedMcps ?? [];
+	return [
+		"Initialized pipeline scaffold:",
+		...result.files.map((path) => `create ${path}`),
+		...skippedMcps.flatMap((skip) => [`Skipped MCPM registration for ${skip.name}: ${skip.reason}.`, `Set ${skip.missingEnv.join(" or ")} before retrying MCPM registration. The generated MCP entry remains in .mcp.json.`])
+	].join("\n");
 }
 function hostResourceInput(host) {
 	return [

package/package.json

@@ -82,7 +82,7 @@
     "prepack": "bun run build:cli"
   },
   "type": "module",
-  "version": "1.8.0",
+  "version": "1.9.0",
   "description": "Config-driven multi-agent pipeline runner for repository work",
   "main": "./dist/index.js",
   "types": "./dist/index.d.ts",