@polymorphism-tech/morph-spec 4.9.0 → 4.10.1

package/README.md

@@ -3,7 +3,7 @@
 > Spec-driven development framework for multi-stack projects. Turns feature requests into implementation-ready code through structured, AI-orchestrated phases.
 
 **Package:** `@polymorphism-tech/morph-spec`
-**Version:** 4.9.0  
+**Version:** 4.10.1  
 **Requires:** Node.js 18+, Claude Code
 
 ---
@@ -376,4 +376,4 @@ Code generated by morph-spec (contracts, templates, implementation output) belon
 
 ---
 
-*morph-spec v4.9.0 by [Polymorphism Tech](https://polymorphism.tech)*
+*morph-spec v4.10.1 by [Polymorphism Tech](https://polymorphism.tech)*

package/bin/morph-spec.js

@@ -22,6 +22,7 @@ import { stateCommand } from '../src/commands/state/state.js';
 import { advancePhaseCommand } from '../src/commands/state/advance-phase.js';
 import { approveCommand, approvalStatusCommand, unapproveCommand } from '../src/commands/state/approve.js';
 import { phaseRunCommand } from '../src/commands/state/phase-runner.js';
+import { phaseResetCommand } from '../src/commands/phase/phase-reset.js';
 
 // Agent commands
 import { dispatchAgentsCommand } from '../src/commands/agents/dispatch-agents.js';
@@ -29,6 +30,10 @@ import { dispatchAgentsCommand } from '../src/commands/agents/dispatch-agents.js
 // Task commands
 import { taskDoneCommand, taskStartCommand, taskNextCommand } from '../src/commands/tasks/task.js';
 
+// Scope escalation commands
+import { scopeEscalateCommand } from '../src/commands/scope/escalate.js';
+import { taskExpandCommand } from '../src/commands/task/expand.js';
+
 // Validation commands
 import { validateCommand } from './validate.js';
 import { validateFeatureCommand } from '../src/commands/validation/validate-feature.js';
@@ -146,6 +151,12 @@ taskCommand
   .description('Show next suggested task')
   .action((feature, options) => taskNextCommand(feature, options));
 
+taskCommand
+  .command('expand <feature> <task-id>')
+  .description('Expand a task into sub-tasks (low-impact scope escalation)')
+  .option('--into <subtasks...>', 'Sub-task definitions ("T017a: Title")')
+  .action((feature, taskId, options) => taskExpandCommand(feature, taskId, options));
+
 // Generation commands
 const generateCommand = program
   .command('generate')
@@ -196,6 +207,11 @@ phaseCommand
   .option('--skip-approval', 'Skip approval gate checks')
   .action((feature, options) => phaseRunCommand(feature, options));
 
+phaseCommand
+  .command('reset <feature> <phase>')
+  .description('Reset feature phase (recovery tool — bypasses approval gates)')
+  .action((feature, phase) => phaseResetCommand(feature, phase));
+
 // Feature validation command (content-aware)
 program
   .command('validate-feature <feature>')
@@ -285,4 +301,18 @@ program
   .option('-v, --verbose', 'Show stack trace on error')
   .action((feature, phase, options) => dispatchAgentsCommand(feature, phase, options));
 
+// Scope escalation commands
+const scopeCommand = program
+  .command('scope')
+  .description('Scope management (escalate)');
+
+scopeCommand
+  .command('escalate <feature>')
+  .description('Escalate scope when implementation reveals unexpected complexity')
+  .option('--task <id>', 'Trigger task ID (required)')
+  .option('--reason <text>', 'Reason for escalation (required)')
+  .option('--target <phase>', 'Override target phase (tasks | design)')
+  .option('--dry-run', 'Show recommendation without executing')
+  .action((feature, options) => scopeEscalateCommand(feature, options));
+
 program.parse();

package/bin/task-manager.js

@@ -17,6 +17,7 @@ import { loadState, saveState } from '../src/core/state/state-manager.js';
 import { parseTasksMd, ensureTaskList, syncCounters } from '../src/lib/tasks/task-parser.js';
 import { isTestTask } from '../src/lib/tasks/task-classifier.js';
 import { runTestSuite } from '../src/lib/tasks/test-runner.js';
+import { STALE_MS, isStaleTask } from '../framework/hooks/shared/stale-task-reset.js';
 
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = dirname(__filename);
@@ -112,7 +113,7 @@ class TaskManager {
     const taskList = await ensureTaskList(feature, featureName);
 
     if (taskList.length === 0) {
-      const tasksPath = join(process.cwd(), `.morph/features/${featureName}/3-tasks/tasks.md`);
+      const tasksPath = join(process.cwd(), `.morph/features/${featureName}/4-tasks/tasks.md`);
       const tasksExist = await access(tasksPath).then(() => true).catch(() => false);
       if (!tasksExist) {
         throw new Error(`No tasks found for '${featureName}' — tasks.md not generated yet.\n  Complete the tasks phase first: run /phase-tasks`);
@@ -290,6 +291,18 @@ class TaskManager {
     // Display progress
     this.displayProgress(feature);
 
+    // Emit VALIDATION DISPATCH for PostToolUse hook (strategy 1 parsing).
+    // Skipped when --skip-validation is active (no validators needed).
+    if (!options.skipValidation && results.length > 0) {
+      try {
+        const { emitValidatorDispatch } = await import('../src/lib/validators/shared/emit-validator-dispatch.js');
+        const phase = feature.phase || 'implement';
+        await emitValidatorDispatch(featureName, phase, process.cwd());
+      } catch {
+        // Non-blocking
+      }
+    }
+
     // Suggest next task
     const nextTask = this.getNextTask(taskList);
     if (nextTask) {
@@ -407,10 +420,12 @@ class TaskManager {
    * Calculate progress
    */
   calculateProgress(tasks) {
-    const total = tasks.length;
-    const completed = tasks.filter(t => t.status === 'completed').length;
-    const inProgress = tasks.filter(t => t.status === 'in_progress').length;
-    const pending = tasks.filter(t => t.status === 'pending').length;
+    // Exclude expanded tasks — they are replaced by their sub-tasks
+    const activeTasks = tasks.filter(t => t.status !== 'expanded');
+    const total = activeTasks.length;
+    const completed = activeTasks.filter(t => t.status === 'completed').length;
+    const inProgress = activeTasks.filter(t => t.status === 'in_progress').length;
+    const pending = activeTasks.filter(t => t.status === 'pending').length;
     const percentage = total > 0 ? Math.round((completed / total) * 100) : 0;
 
     return { total, completed, inProgress, pending, percentage };
@@ -565,16 +580,11 @@ class TaskManager {
    * treated as effectively pending and included as candidates.
    */
   getNextTask(tasks) {
-    const STALE_MS = 60 * 60 * 1000;
-    const now = Date.now();
-
     // Include stale in_progress tasks as effectively pending candidates
     const isEffectivelyAvailable = (t) => {
+      if (t.status === 'expanded') return false;
       if (t.status === 'pending') return true;
-      if (t.status === 'in_progress') {
-        const age = t.startedAt ? now - new Date(t.startedAt).getTime() : Infinity;
-        return age > STALE_MS;
-      }
+      if (t.status === 'in_progress') return isStaleTask(t);
       return false;
     };
 
@@ -603,6 +613,13 @@ class TaskManager {
     const filledLength = Math.round((percentage / 100) * barLength);
     const bar = '█'.repeat(filledLength) + '░'.repeat(barLength - filledLength);
     console.log(chalk.cyan(`   [${bar}] ${percentage}%`));
+
+    // Warn about tasks flagged for review (from scope escalation)
+    const taskList = feature.taskList || [];
+    const needsReviewTasks = taskList.filter(t => t.needsReview && (t.status === 'done' || t.status === 'completed'));
+    if (needsReviewTasks.length > 0) {
+      console.log(chalk.yellow(`\n   ⚠  ${needsReviewTasks.length} completed task(s) flagged for review (scope escalation)`));
+    }
   }
 
   /**
@@ -619,7 +636,7 @@ class TaskManager {
     const taskList = await ensureTaskList(feature, featureName);
 
     if (taskList.length === 0) {
-      const tasksPath = join(process.cwd(), `.morph/features/${featureName}/3-tasks/tasks.md`);
+      const tasksPath = join(process.cwd(), `.morph/features/${featureName}/4-tasks/tasks.md`);
       const tasksExist = await access(tasksPath).then(() => true).catch(() => false);
       if (!tasksExist) {
         throw new Error(`No tasks found for '${featureName}' — tasks.md not generated yet.\n  Complete the tasks phase first: run /phase-tasks`);
@@ -645,16 +662,11 @@ class TaskManager {
 
     // Reset any sibling tasks stuck in in_progress from a previous session.
     // Only tasks OTHER than the one being started, and only if stale (>1h).
-    const STALE_MS = 60 * 60 * 1000;
-    const now = Date.now();
     for (const t of taskList) {
-      if (t.id !== taskId && t.status === 'in_progress') {
-        const age = t.startedAt ? now - new Date(t.startedAt).getTime() : Infinity;
-        if (age > STALE_MS) {
-          t.status = 'pending';
-          delete t.startedAt;
-          console.log(chalk.yellow(`⚠️  Task ${t.id} auto-reset to pending (stale from previous session)`));
-        }
+      if (t.id !== taskId && isStaleTask(t)) {
+        t.status = 'pending';
+        delete t.startedAt;
+        console.log(chalk.yellow(`⚠️  Task ${t.id} auto-reset to pending (stale from previous session)`));
       }
     }
 

package/claude-plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "morph-spec",
-  "version": "4.9.0",
+  "version": "4.10.1",
   "displayName": "MORPH-SPEC Framework",
   "description": "Spec-driven development with 38 agents and 8-phase workflow for .NET/Blazor/Next.js/Azure",
   "publisher": "polymorphism-tech",

package/docs/CHEATSHEET.md

@@ -198,4 +198,4 @@ These files are never edited directly. Use CLI commands or `morph-spec update` i
 
 ---
 
-*morph-spec v4.9.0 by Polymorphism Tech*
+*morph-spec v4.10.1 by Polymorphism Tech*

package/docs/QUICKSTART.md

@@ -203,4 +203,4 @@ morph-spec doctor
 
 ---
 
-*morph-spec v4.9.0 by Polymorphism Tech*
+*morph-spec v4.10.1 by Polymorphism Tech*

package/framework/CLAUDE.md

@@ -1,98 +1,35 @@
-# MORPH-SPEC Runtime Instructions
-
-> by Polymorphism Tech — Spec-driven development for .NET/Blazor/Next.js/Azure
-
----
-
-## Project Context
-
-@.morph/context/README.md
-
----
-
-## Critical Rules
-
-**NEVER:**
-- Skip to code without a specification
-- Implement without design approval
-- Ignore standards in `.morph/framework/standards/`
-- Create infrastructure manually
-- Generate code without defined contracts
-- List questions as plain text — always use the `AskUserQuestion` tool
-
-**ALWAYS:**
-- Follow the mandatory phases
-- Generate outputs in `.morph/features/{feature}/`
-- Document decisions in `decisions.md`
-- Checkpoint every 3 implemented tasks
-- Use Infrastructure as Code
-- Use `AskUserQuestion` tool whenever asking the user anything (1–4 questions per call; split into sequential calls if more)
-
----
-
-## Quick Reference
-
-| Command | Purpose |
-|---------|---------|
-| `/morph-proposal {feature}` | Full spec pipeline (phases 1–4, pauses for approval) |
-| `/morph-apply {feature}` | Implement feature (phase 5) |
-| `/morph-status` | Feature status dashboard |
-| `/morph-preflight` | Pre-implementation validation |
-
----
-
-## State & Outputs
-
-| Path | Notes |
-|------|-------|
-| `.morph/state.json` | **READ-ONLY** — use `morph-spec` CLI to update |
-| `.morph/features/{feature}/{phase}/` | Feature outputs organized by phase |
-| `.morph/framework/` | **READ-ONLY** — framework files managed by morph-spec |
-| `.morph/config/config.json` | Project configuration (editable) |
-
-### mark-output types
-
-Use `morph-spec state mark-output <feature> <type>` with one of these exact type names:
-
-| Type | Phase | kebab alias |
-|------|-------|-------------|
-| `proposal` | proposal | — |
-| `schemaAnalysis` | design | `schema-analysis` |
-| `spec` | design | — |
-| `contracts` | design | — |
-| `contractsVsa` | design | `contracts-vsa` |
-| `decisions` | design | — |
-| `clarifications` | clarify | — |
-| `tasks` | tasks | — |
-| `uiDesignSystem` | uiux | `ui-design-system` |
-| `uiMockups` | uiux | `ui-mockups` |
-| `uiComponents` | uiux | `ui-components` |
-| `uiFlows` | uiux | `ui-flows` |
-| `recap` | implement | — |
----
-
-## Phase Sequence
-
-```
-proposal → setup → [uiux] → design → clarify → tasks → implement → [sync]
-```
-
-Use `morph-spec status {feature}` to see current phase and pending approval gates.
-
----
-
-## Agents
-
-Tier-1 and tier-2 MORPH agents are available as native subagents in `.claude/agents/`.
-They can be invoked directly by Claude Code during multi-agent workflows.
-
----
-
-## Context Window Tip
-
-When using 3+ MCPs, add `"experimental": { "mcpCliMode": true }` to `.claude/settings.json`.
-MCP tools load on-demand instead of all at startup — keeps context clean for actual work.
-
----
-
-*MORPH-SPEC by Polymorphism Tech*
+# MORPH-SPEC Runtime Instructions
+
+> by Polymorphism Tech — Spec-driven development for .NET/Blazor/Next.js/Azure
+
+@.morph/context/README.md
+
+## Critical Rules
+
+**NEVER:**
+- Skip to code without a specification
+- Implement without design approval
+- Ignore standards in `.morph/framework/standards/`
+- Generate code without defined contracts
+- List questions as plain text — always use the `AskUserQuestion` tool
+
+**ALWAYS:**
+- Follow the mandatory phases
+- Generate outputs in `.morph/features/{feature}/`
+- Document decisions in `decisions.md`
+- Use `AskUserQuestion` tool whenever asking the user anything (1-4 questions per call)
+
+## Quick Reference
+
+| Command | Purpose |
+|---------|---------|
+| `/morph-proposal {feature}` | Full spec pipeline (pauses for approval) |
+| `/morph-apply {feature}` | Implement feature |
+| `/morph-status` | Status dashboard |
+| `/morph-preflight` | Pre-deploy validation |
+
+## Agents
+
+Tier-1 and tier-2 MORPH agents are available as native subagents in `.claude/agents/`.
+
+*MORPH-SPEC by Polymorphism Tech*

package/framework/agents/backend/api-designer.md

@@ -2,6 +2,9 @@
 name: api-designer
 description: API Designer specialist for REST API design, OpenAPI/Swagger specs, endpoint architecture, and HTTP contract definitions. Use when designing API endpoints, creating OpenAPI specs, defining REST contracts, or implementing Minimal API controllers in .NET.
 allowed-tools: Read, Write, Edit, Bash, Glob, Grep
+stacks:
+  - dotnet
+  - nextjs
 ---
 
 # API Designer

package/framework/agents/backend/dotnet-senior.md

@@ -2,6 +2,9 @@
 name: dotnet-senior
 description: Senior .NET engineer and Backend Squad Leader for C#, Minimal API, async patterns, and Clean Architecture implementation. Use when implementing .NET/C# services, designing backend architecture, implementing async operations with CancellationToken, or coordinating backend domain specialists.
 allowed-tools: Read, Write, Edit, Bash, Glob, Grep
+stacks:
+  - dotnet
+  - blazor
 ---
 
 # .NET Senior Engineer

package/framework/agents/backend/ef-modeler.md

@@ -2,6 +2,8 @@
 name: ef-modeler
 description: Entity Framework Modeler specialist for database schema design, EF Core migrations, DbContext configuration, and ORM patterns including IDbContextFactory. Use when designing database models, creating EF Core migrations, configuring DbContext, or implementing repository patterns with EF Core.
 allowed-tools: Read, Write, Edit, Bash, Glob, Grep
+stacks:
+  - dotnet
 ---
 
 # EF Modeler

package/framework/agents/backend/hangfire-orchestrator.md

@@ -2,6 +2,8 @@
 name: hangfire-orchestrator
 description: Hangfire Orchestrator specialist for background job design, recurring task scheduling, queue management, and idempotent job patterns in .NET. Use when implementing background jobs, scheduling recurring tasks, managing job queues, or integrating Hangfire with .NET services.
 allowed-tools: Read, Write, Edit, Bash, Glob, Grep
+stacks:
+  - dotnet
 ---
 
 # Hangfire Orchestrator

package/framework/agents/backend/ms-agent-expert.md

@@ -2,6 +2,8 @@
 name: ms-agent-expert
 description: Microsoft Agent Framework Expert for Semantic Kernel, AI extensions, function calling, MCP/A2A protocols, and agentic pipeline implementation. Use when building AI agents with Semantic Kernel, implementing tool/plugin calling, designing multi-agent workflows, or integrating LLMs with .NET services.
 allowed-tools: Read, Write, Edit, Bash, Glob, Grep
+stacks:
+  - dotnet
 ---
 
 # Agent Framework Expert

package/framework/agents/frontend/blazor-builder.md

@@ -2,6 +2,8 @@
 name: blazor-builder
 description: Blazor Builder specialist for .NET + Blazor Server stack, Razor components, Fluent UI Blazor, MudBlazor, and .NET 10 patterns. Use when implementing Blazor components and pages, configuring Program.cs, handling Blazor lifecycle patterns, or choosing between Fluent UI and MudBlazor libraries.
 allowed-tools: Read, Write, Edit, Bash, Glob, Grep
+stacks:
+  - blazor
 ---
 
 # .NET + Blazor Stack

package/framework/agents/frontend/nextjs-expert.md

@@ -2,6 +2,8 @@
 name: nextjs-expert
 description: Next.js specialist for App Router, shadcn/ui, TanStack Query, react-hook-form/Zod, and EasyPanel deployment. Use when building Next.js pages or components, implementing forms, setting up data fetching from a .NET API, or configuring TypeScript/Docker for Next.js.
 allowed-tools: Read, Write, Edit, Bash, Glob, Grep
+stacks:
+  - nextjs
 ---
 
 # Next.js Expert

package/framework/agents/infrastructure/azure-architect.md

@@ -2,6 +2,8 @@
 name: azure-architect
 description: Azure Architect specialist for designing Azure infrastructure, creating Bicep IaC templates, estimating resource costs, and enforcing zero-portal policy. Use when designing Azure architecture, provisioning cloud resources, creating Bicep templates, or planning multi-environment deployments.
 allowed-tools: Read, Write, Edit, Bash, Glob, Grep
+stacks:
+  - azure
 ---
 
 # Azure Architect

package/framework/agents/infrastructure/azure-deploy-specialist.md

@@ -2,6 +2,8 @@
 name: azure-deploy-specialist
 description: Azure Deploy Specialist for end-to-end deployments to Azure Container Apps using systematic playbooks, validation checklists, and accumulated deployment knowledge. Use when deploying to Azure Container Apps, debugging deployment failures, configuring CI/CD pipelines, or performing pre-flight deployment validation.
 allowed-tools: Read, Write, Edit, Bash, Glob, Grep
+stacks:
+  - azure
 ---
 
 # Azure Deploy Specialist

package/framework/agents/infrastructure/bicep-architect.md

@@ -2,6 +2,8 @@
 name: bicep-architect
 description: Bicep Architect specialist for Azure Infrastructure as Code, modular Bicep templates, ARM deployments, and resource configuration. Use when writing Bicep templates, structuring IaC modules, validating Azure deployments with what-if, or converting ARM JSON to Bicep.
 allowed-tools: Read, Write, Edit, Bash, Glob, Grep
+stacks:
+  - azure
 ---
 
 # Bicep Architect

package/framework/agents/infrastructure/container-specialist.md

@@ -2,6 +2,8 @@
 name: container-specialist
 description: Container Specialist for Docker, Compose, Azure Container Registry, and containerized .NET application patterns. Use when creating Dockerfiles, configuring multi-stage builds, setting up container registries, or containerizing .NET applications for Azure Container Apps.
 allowed-tools: Read, Write, Edit, Bash, Glob, Grep
+stacks:
+  - docker
 ---
 
 # Container Specialist

package/framework/agents/infrastructure/devops-engineer.md

@@ -2,6 +2,9 @@
 name: devops-engineer
 description: DevOps Engineer (Tier 2 Domain Leader) for CI/CD pipeline strategy, GitHub Actions workflows, Azure DevOps, monitoring, and release automation. Use when designing deployment pipelines, configuring GitHub Actions, setting up Azure DevOps, or planning release strategies.
 allowed-tools: Read, Write, Edit, Bash, Glob, Grep
+stacks:
+  - azure
+  - docker
 ---
 
 # DevOps Engineer

package/framework/agents/infrastructure/infra-architect.md

@@ -2,6 +2,9 @@
 name: infra-architect
 description: Infrastructure Squad Leader for cloud-agnostic infrastructure coordination. Use when planning deployments, provisioning any cloud resources, setting up CI/CD pipelines, containerizing applications, or designing infrastructure architecture regardless of cloud provider.
 allowed-tools: Read, Write, Edit, Bash, Glob, Grep
+stacks:
+  - azure
+  - docker
 ---
 
 # Infrastructure Squad Leader

package/framework/agents/integrations/asaas-financial.md

@@ -2,6 +2,8 @@
 name: asaas-financial
 description: Asaas Financial specialist for Asaas API integration, payment processing, Pix/boleto billing, and subscription management in Brazilian projects. Use when integrating Asaas payments, implementing billing flows, handling payment webhooks, or building subscription management features.
 allowed-tools: Read, Write, Edit, Bash, Glob, Grep
+stacks:
+  - dotnet
 ---
 
 # Asaas Financial

package/framework/agents/integrations/azure-identity.md

@@ -2,6 +2,8 @@
 name: azure-identity
 description: Azure Identity specialist for Microsoft Entra ID, OAuth 2.0/OIDC, MSAL, JWT authentication, and enterprise SSO patterns. Use when implementing Microsoft authentication, configuring Entra ID app registrations, securing APIs with OAuth/JWT, or setting up enterprise SSO with Azure AD.
 allowed-tools: Read, Write, Edit, Bash, Glob, Grep
+stacks:
+  - azure
 ---
 
 # Azure Identity (Microsoft Identity)

package/framework/agents/integrations/clerk-auth.md

@@ -2,6 +2,9 @@
 name: clerk-auth
 description: Clerk Auth specialist for Clerk SDK integration, social login, JWT session management, and user management in Next.js and .NET projects. Use when integrating Clerk authentication, implementing social login flows, managing user sessions with Clerk JWT, or protecting routes with Clerk middleware.
 allowed-tools: Read, Write, Edit, Bash, Glob, Grep
+stacks:
+  - dotnet
+  - nextjs
 ---
 
 # Clerk Auth

package/framework/agents/integrations/hangfire-integration.md

@@ -2,6 +2,8 @@
 name: hangfire-orchestrator-integration
 description: Hangfire integration specialist for connecting background jobs with external services, implementing webhook handlers, and building event-driven workflows in .NET. Use when integrating Hangfire with third-party APIs, processing webhooks asynchronously, or designing event-driven job pipelines.
 allowed-tools: Read, Write, Edit, Bash, Glob, Grep
+stacks:
+  - dotnet
 ---
 
 # Hangfire Orchestrator

package/framework/agents/integrations/resend-email.md

@@ -2,6 +2,8 @@
 name: resend-email
 description: Resend Email specialist for transactional email, HTML/React email templates, Resend API integration, and notification systems in .NET and Next.js. Use when implementing email notifications, integrating Resend API, creating transactional email templates, or configuring email delivery in MORPH-SPEC projects.
 allowed-tools: Read, Write, Edit, Bash, Glob, Grep
+stacks:
+  - dotnet
 ---
 
 # Resend Email

package/framework/agents.json

@@ -2144,7 +2144,11 @@
           "priority": "required"
         }
       ],
-      "teammate": null,
+      "teammate": {
+        "icon": "🛡️",
+        "role": "Security Validator (read-only)",
+        "spawn_prompt": "You are the Security Validator (Tier 4, READ-ONLY). Scan ALL source files (.cs, .razor, .tsx, .ts, .js) in the project for security vulnerabilities:\n\n1. SQL injection — string concatenation in queries (look for $\"...{var}...\" inside SQL/EF raw queries)\n2. Hardcoded secrets — API keys, passwords, connection strings in source code (not in appsettings)\n3. XSS — @Html.Raw usage in Razor/Blazor without sanitization\n4. Insecure deserialization — BinaryFormatter usage\n5. CSRF — POST forms/endpoints missing anti-forgery tokens ([ValidateAntiForgeryToken] or @Html.AntiForgeryToken)\n\nUse Grep and Glob to scan. Do NOT modify any files.\n\nOutput a JSON object: { \"passed\": boolean, \"issues\": [{ \"file\": string, \"line\": number, \"message\": string, \"severity\": \"error\" }] }"
+      },
       "hook_behavior": {
         "validates": [
           "SQL injection (string concatenation in queries)",
@@ -2196,7 +2200,11 @@
           "priority": "required"
         }
       ],
-      "teammate": null,
+      "teammate": {
+        "icon": "🏗️",
+        "role": "Architecture Validator (read-only)",
+        "spawn_prompt": "You are the Architecture Validator (Tier 4, READ-ONLY). Scan the project for architectural violations:\n\n1. DbContext injection — look for direct DbContext injection instead of IDbContextFactory in Blazor components (.razor, .razor.cs)\n2. Async/await anti-patterns — search for .Result, .Wait(), .GetAwaiter().GetResult() in async code\n3. DI registration order — in Program.cs, verify services are registered before middleware (app.Use*/Map*)\n4. Blazor render mode — verify InteractiveServer/InteractiveWebAssembly components don't use incompatible patterns\n5. Layer violations — Domain/Application projects must not reference Infrastructure or Web projects\n\nUse Grep and Glob to scan. Do NOT modify any files.\n\nOutput a JSON object: { \"passed\": boolean, \"issues\": [{ \"file\": string, \"line\": number, \"message\": string, \"severity\": \"error\" }] }"
+      },
       "hook_behavior": {
         "validates": [
           "DbContext injection (IDbContextFactory required)",
@@ -2241,7 +2249,11 @@
           "priority": "required"
         }
       ],
-      "teammate": null,
+      "teammate": {
+        "icon": "📦",
+        "role": "Packages Validator (read-only)",
+        "spawn_prompt": "You are the Packages Validator (Tier 4, READ-ONLY). Scan all project files for package issues:\n\n1. NuGet version conflicts — search *.csproj files for the same PackageReference appearing with different versions across projects\n2. Incompatible .NET 10 packages — check that major package versions are compatible with the target framework\n3. Security vulnerabilities — look for known outdated packages (Newtonsoft.Json < 13.0.1, System.Text.Json < 8.0.5, etc.)\n4. For npm projects: check package.json for duplicate dependencies, outdated major versions\n\nUse Grep and Glob to scan. Do NOT modify any files.\n\nOutput a JSON object: { \"passed\": boolean, \"issues\": [{ \"file\": string, \"message\": string, \"severity\": \"error\" }] }"
+      },
       "hook_behavior": {
         "validates": [
           "NuGet version conflicts (same package, different versions)",
@@ -2290,7 +2302,11 @@
           "priority": "required"
         }
       ],
-      "teammate": null,
+      "teammate": {
+        "icon": "🎨",
+        "role": "Design System Validator (read-only)",
+        "spawn_prompt": "You are the Design System Validator (Tier 4, READ-ONLY). Scan CSS/SCSS and component files for design system compliance:\n\n1. Color palette — look for hardcoded hex/rgb colors instead of CSS variables (var(--color-primary), var(--color-secondary), etc.)\n2. Spacing — look for hardcoded px/rem values instead of spacing variables (var(--spacing-*))\n3. Typography — look for hardcoded font-size/font-family instead of typography variables (var(--font-*))\n4. Component naming — verify PascalCase for Blazor components (.razor) and kebab-case for CSS classes\n5. Check .morph/context/design-system.md if it exists for project-specific design tokens\n\nUse Grep and Glob to scan. Do NOT modify any files.\n\nOutput a JSON object: { \"passed\": boolean, \"issues\": [{ \"file\": string, \"line\": number, \"message\": string, \"severity\": \"warning\" }] }"
+      },
       "hook_behavior": {
         "validates": [
           "CSS color palette compliance (primary, secondary, accent)",
@@ -2346,7 +2362,11 @@
           "priority": "required"
         }
       ],
-      "teammate": null,
+      "teammate": {
+        "icon": "⚡",
+        "role": "Blazor Concurrency Validator (read-only)",
+        "spawn_prompt": "You are the Blazor Concurrency Validator (Tier 4, READ-ONLY). Scan all Blazor component files (.razor, .razor.cs) for concurrency and lifecycle violations:\n\n1. DbContext lifecycle — look for injected DbContext (not IDbContextFactory), disposed context usage, scope issues\n2. Async void — search for 'async void' methods (must be 'async Task' except event handlers)\n3. JSInterop in OnInitialized — look for IJSRuntime calls in OnInitialized/OnInitializedAsync (must be in OnAfterRender/OnAfterRenderAsync)\n4. State mutation — look for property changes without calling StateHasChanged() or InvokeAsync(StateHasChanged)\n5. Thread safety — look for shared mutable state without synchronization in Blazor Server components\n\nUse Grep and Glob to scan. Do NOT modify any files.\n\nOutput a JSON object: { \"passed\": boolean, \"issues\": [{ \"file\": string, \"line\": number, \"message\": string, \"severity\": \"error\" }] }"
+      },
       "hook_behavior": {
         "validates": [
           "DbContext lifecycle violations (dispose, scope issues)",
@@ -2386,7 +2406,13 @@
         ]
       },
       "standards": [],
-      "teammate": null,
+      "teammate": {
+        "icon": "🔬",
+        "role": "Morph-Spec Validator (read-only)",
+        "tools": "Read, Glob, Grep, Bash",
+        "maxTurns": 12,
+        "spawn_prompt": "You are the Morph-Spec Validator (Tier 4, READ-ONLY). Scan the morph-spec framework codebase for standards compliance:\n\n1. ESM imports — all relative imports must use .js extensions (e.g., './foo.js' not './foo')\n2. Command registration — new commands in src/commands/ must be imported and registered in bin/morph-spec.js\n3. Test coverage — each module in src/ should have a corresponding test file in tests/\n4. No CommonJS — search for require() or module.exports (must use import/export)\n5. Hook fail-open — all hooks in framework/hooks/ must have try/catch with exit(0) fallback\n6. Run 'npm test' to verify all tests pass\n\nUse Grep, Glob, and Bash to scan. Do NOT modify any files.\n\nOutput a JSON object: { \"passed\": boolean, \"issues\": [{ \"file\": string, \"line\": number, \"message\": string, \"severity\": \"error\" }] }"
+      },
       "hook_behavior": {
         "validates": [
           "ESM imports use .js extensions on relative paths",
@@ -2424,7 +2450,11 @@
           "file naming"
         ]
       },
-      "spawn_prompt": "You are the Next.js Component Validator (Tier 4). Scan all .tsx/.ts files under src/ and validate: (1) \"use client\" is present when React hooks are used, (2) \"use client\" is absent for pure Server Components (no hooks, no event handlers), (3) component files use kebab-case naming. Output { \"passed\": boolean, \"issues\": [{\"file\": string, \"message\": string, \"suggestion\": string}] }."
+      "teammate": {
+        "icon": "⚛️",
+        "role": "Next.js Component Validator (read-only)",
+        "spawn_prompt": "You are the Next.js Component Validator (Tier 4, READ-ONLY). Scan all .tsx/.ts files under src/ and validate:\n\n1. \"use client\" directive — must be present when React hooks (useState, useEffect, etc.) are used\n2. Server Components — \"use client\" must be absent for pure Server Components (no hooks, no event handlers)\n3. File naming — component files must use kebab-case naming convention\n4. Import patterns — client components should not import server-only modules\n\nUse Grep and Glob to scan. Do NOT modify any files.\n\nOutput a JSON object: { \"passed\": boolean, \"issues\": [{ \"file\": string, \"message\": string, \"suggestion\": string, \"severity\": \"warning\" }] }"
+      }
     }
   },
   "squads": {