@r3dlex/ai-catapult 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (132) hide show
  1. package/LICENSE +21 -0
  2. package/README.md +139 -0
  3. package/bin/ai-catapult.js +229 -0
  4. package/dist/claude-plugin/.claude-plugin/marketplace.json +28 -0
  5. package/dist/claude-plugin/.claude-plugin/plugin.json +21 -0
  6. package/dist/claude-plugin/skills/ai-catapult-init/REFERENCE.md +1284 -0
  7. package/dist/claude-plugin/skills/ai-catapult-init/SKILL.md +79 -0
  8. package/dist/claude-plugin/skills/ai-catapult-init/modules/README.md +48 -0
  9. package/dist/claude-plugin/skills/ai-catapult-init/modules/archgate.md +42 -0
  10. package/dist/claude-plugin/skills/ai-catapult-init/modules/brd-prd-traceability.md +64 -0
  11. package/dist/claude-plugin/skills/ai-catapult-init/modules/cascade.md +110 -0
  12. package/dist/claude-plugin/skills/ai-catapult-init/modules/ci-policy.md +107 -0
  13. package/dist/claude-plugin/skills/ai-catapult-init/modules/documentation-blueprint.md +185 -0
  14. package/dist/claude-plugin/skills/ai-catapult-init/modules/evals.md +93 -0
  15. package/dist/claude-plugin/skills/ai-catapult-init/modules/foundation.md +19 -0
  16. package/dist/claude-plugin/skills/ai-catapult-init/modules/host-policy-automation.md +151 -0
  17. package/dist/claude-plugin/skills/ai-catapult-init/modules/language-packs.md +63 -0
  18. package/dist/claude-plugin/skills/ai-catapult-init/modules/mcp-a2a.md +63 -0
  19. package/dist/claude-plugin/skills/ai-catapult-init/modules/memory.md +102 -0
  20. package/dist/claude-plugin/skills/ai-catapult-init/modules/migration.md +107 -0
  21. package/dist/claude-plugin/skills/ai-catapult-init/modules/phases/01-discover-decide.md +33 -0
  22. package/dist/claude-plugin/skills/ai-catapult-init/modules/phases/README.md +33 -0
  23. package/dist/claude-plugin/skills/ai-catapult-init/modules/readme-documentation.md +120 -0
  24. package/dist/claude-plugin/skills/ai-catapult-init/modules/release-versioning.md +188 -0
  25. package/dist/claude-plugin/skills/ai-catapult-init/modules/skill-modernization.md +72 -0
  26. package/dist/claude-plugin/skills/ai-catapult-init/modules/sync.md +111 -0
  27. package/dist/claude-plugin/skills/ai-catapult-init/modules/topology.md +102 -0
  28. package/dist/claude-plugin/skills/ai-catapult-init/modules/traceability.md +136 -0
  29. package/dist/claude-plugin/skills/ai-catapult-init/modules/tracker-adapters.md +51 -0
  30. package/dist/claude-plugin/skills/ai-catapult-init/modules/validation.md +276 -0
  31. package/dist/claude-plugin/skills/ai-catapult-init/modules/workflow.md +45 -0
  32. package/dist/claude-plugin/skills/ai-catapult-init/templates/AGENTS.md +69 -0
  33. package/dist/claude-plugin/skills/ai-catapult-init/templates/CLAUDE.md +3 -0
  34. package/dist/claude-plugin/skills/ai-catapult-init/templates/GEMINI.md +3 -0
  35. package/dist/claude-plugin/skills/ai-catapult-init/templates/boundary-manifest.json +247 -0
  36. package/dist/claude-plugin/skills/ai-catapult-init/templates/dot-ai/drift/backups/.gitkeep +0 -0
  37. package/dist/claude-plugin/skills/ai-catapult-init/templates/dot-ai/drift/last-drift.json +7 -0
  38. package/dist/claude-plugin/skills/ai-catapult-init/templates/dot-ai/evals/.gitkeep +0 -0
  39. package/dist/claude-plugin/skills/ai-catapult-init/templates/dot-ai/evals/coverage-exceptions.json +1 -0
  40. package/dist/claude-plugin/skills/ai-catapult-init/templates/dot-ai/handoff/.gitkeep +0 -0
  41. package/dist/claude-plugin/skills/ai-catapult-init/templates/dot-ai/matrix.json +19 -0
  42. package/dist/claude-plugin/skills/ai-catapult-init/templates/dot-ai/mcp/a2a-handoff.md +51 -0
  43. package/dist/claude-plugin/skills/ai-catapult-init/templates/dot-ai/mcp/registry.json +27 -0
  44. package/dist/claude-plugin/skills/ai-catapult-init/templates/dot-ai/observability/audit-checklist.md +32 -0
  45. package/dist/claude-plugin/skills/ai-catapult-init/templates/dot-ai/observability/conventions.md +35 -0
  46. package/dist/claude-plugin/skills/ai-catapult-init/templates/dot-ai/phases/01-discover-decide/status.json +16 -0
  47. package/dist/claude-plugin/skills/ai-catapult-init/templates/dot-ai/phases/02-govern-plan/status.json +15 -0
  48. package/dist/claude-plugin/skills/ai-catapult-init/templates/dot-ai/phases/03-configure-generate/status.json +22 -0
  49. package/dist/claude-plugin/skills/ai-catapult-init/templates/dot-ai/phases/04-validate-handoff/status.json +18 -0
  50. package/dist/claude-plugin/skills/ai-catapult-init/templates/dot-ai/policies/model-routing.json +29 -0
  51. package/dist/claude-plugin/skills/ai-catapult-init/templates/dot-ai/reviews/ai-failure-modes.md +42 -0
  52. package/dist/claude-plugin/skills/ai-catapult-init/templates/dot-ai/rules/security.md +38 -0
  53. package/dist/claude-plugin/skills/ai-catapult-init/templates/dot-ai/rules/technical-bounds.md +38 -0
  54. package/dist/claude-plugin/skills/ai-catapult-init/templates/dot-ai/skills/git-ops.json +6 -0
  55. package/dist/claude-plugin/skills/ai-catapult-init/templates/dot-ai/skills/workspace-sync.json +6 -0
  56. package/dist/claude-plugin/skills/ai-catapult-init/templates/dot-ai/system-prompts/architect.md +31 -0
  57. package/dist/claude-plugin/skills/ai-catapult-init/templates/dot-ai/system-prompts/developer.md +31 -0
  58. package/dist/claude-plugin/skills/ai-catapult-init/templates/dot-ai/system-prompts/qa-engineer.md +31 -0
  59. package/dist/claude-plugin/skills/ai-catapult-init/templates/dot-ai/traceability/.gitkeep +0 -0
  60. package/dist/claude-plugin/skills/ai-catapult-init/templates/dot-ai/workflows/repo-workflow.json +42 -0
  61. package/dist/claude-plugin/skills/ai-catapult-init/templates/dot-ai/workflows/repo-workflow.md +52 -0
  62. package/dist/claude-plugin/skills/ai-catapult-init/templates/dot-github/workflows/ci-prek.yml +21 -0
  63. package/dist/claude-plugin/skills/ai-catapult-init/templates/dot-rules.ts +178 -0
  64. package/dist/claude-plugin/skills/ai-catapult-init/templates/prek.toml +13 -0
  65. package/dist/codex-plugin/.codex-plugin/plugin.json +11 -0
  66. package/dist/codex-plugin/skills/ai-catapult-init/REFERENCE.md +1284 -0
  67. package/dist/codex-plugin/skills/ai-catapult-init/SKILL.md +79 -0
  68. package/dist/codex-plugin/skills/ai-catapult-init/modules/README.md +48 -0
  69. package/dist/codex-plugin/skills/ai-catapult-init/modules/archgate.md +42 -0
  70. package/dist/codex-plugin/skills/ai-catapult-init/modules/brd-prd-traceability.md +64 -0
  71. package/dist/codex-plugin/skills/ai-catapult-init/modules/cascade.md +110 -0
  72. package/dist/codex-plugin/skills/ai-catapult-init/modules/ci-policy.md +107 -0
  73. package/dist/codex-plugin/skills/ai-catapult-init/modules/documentation-blueprint.md +185 -0
  74. package/dist/codex-plugin/skills/ai-catapult-init/modules/evals.md +93 -0
  75. package/dist/codex-plugin/skills/ai-catapult-init/modules/foundation.md +19 -0
  76. package/dist/codex-plugin/skills/ai-catapult-init/modules/host-policy-automation.md +151 -0
  77. package/dist/codex-plugin/skills/ai-catapult-init/modules/language-packs.md +63 -0
  78. package/dist/codex-plugin/skills/ai-catapult-init/modules/mcp-a2a.md +63 -0
  79. package/dist/codex-plugin/skills/ai-catapult-init/modules/memory.md +102 -0
  80. package/dist/codex-plugin/skills/ai-catapult-init/modules/migration.md +107 -0
  81. package/dist/codex-plugin/skills/ai-catapult-init/modules/phases/01-discover-decide.md +33 -0
  82. package/dist/codex-plugin/skills/ai-catapult-init/modules/phases/README.md +33 -0
  83. package/dist/codex-plugin/skills/ai-catapult-init/modules/readme-documentation.md +120 -0
  84. package/dist/codex-plugin/skills/ai-catapult-init/modules/release-versioning.md +188 -0
  85. package/dist/codex-plugin/skills/ai-catapult-init/modules/skill-modernization.md +72 -0
  86. package/dist/codex-plugin/skills/ai-catapult-init/modules/sync.md +111 -0
  87. package/dist/codex-plugin/skills/ai-catapult-init/modules/topology.md +102 -0
  88. package/dist/codex-plugin/skills/ai-catapult-init/modules/traceability.md +136 -0
  89. package/dist/codex-plugin/skills/ai-catapult-init/modules/tracker-adapters.md +51 -0
  90. package/dist/codex-plugin/skills/ai-catapult-init/modules/validation.md +276 -0
  91. package/dist/codex-plugin/skills/ai-catapult-init/modules/workflow.md +45 -0
  92. package/dist/codex-plugin/skills/ai-catapult-init/templates/AGENTS.md +69 -0
  93. package/dist/codex-plugin/skills/ai-catapult-init/templates/CLAUDE.md +3 -0
  94. package/dist/codex-plugin/skills/ai-catapult-init/templates/GEMINI.md +3 -0
  95. package/dist/codex-plugin/skills/ai-catapult-init/templates/boundary-manifest.json +247 -0
  96. package/dist/codex-plugin/skills/ai-catapult-init/templates/dot-ai/drift/backups/.gitkeep +0 -0
  97. package/dist/codex-plugin/skills/ai-catapult-init/templates/dot-ai/drift/last-drift.json +7 -0
  98. package/dist/codex-plugin/skills/ai-catapult-init/templates/dot-ai/evals/.gitkeep +0 -0
  99. package/dist/codex-plugin/skills/ai-catapult-init/templates/dot-ai/evals/coverage-exceptions.json +1 -0
  100. package/dist/codex-plugin/skills/ai-catapult-init/templates/dot-ai/handoff/.gitkeep +0 -0
  101. package/dist/codex-plugin/skills/ai-catapult-init/templates/dot-ai/matrix.json +19 -0
  102. package/dist/codex-plugin/skills/ai-catapult-init/templates/dot-ai/mcp/a2a-handoff.md +51 -0
  103. package/dist/codex-plugin/skills/ai-catapult-init/templates/dot-ai/mcp/registry.json +27 -0
  104. package/dist/codex-plugin/skills/ai-catapult-init/templates/dot-ai/observability/audit-checklist.md +32 -0
  105. package/dist/codex-plugin/skills/ai-catapult-init/templates/dot-ai/observability/conventions.md +35 -0
  106. package/dist/codex-plugin/skills/ai-catapult-init/templates/dot-ai/phases/01-discover-decide/status.json +16 -0
  107. package/dist/codex-plugin/skills/ai-catapult-init/templates/dot-ai/phases/02-govern-plan/status.json +15 -0
  108. package/dist/codex-plugin/skills/ai-catapult-init/templates/dot-ai/phases/03-configure-generate/status.json +22 -0
  109. package/dist/codex-plugin/skills/ai-catapult-init/templates/dot-ai/phases/04-validate-handoff/status.json +18 -0
  110. package/dist/codex-plugin/skills/ai-catapult-init/templates/dot-ai/policies/model-routing.json +29 -0
  111. package/dist/codex-plugin/skills/ai-catapult-init/templates/dot-ai/reviews/ai-failure-modes.md +42 -0
  112. package/dist/codex-plugin/skills/ai-catapult-init/templates/dot-ai/rules/security.md +38 -0
  113. package/dist/codex-plugin/skills/ai-catapult-init/templates/dot-ai/rules/technical-bounds.md +38 -0
  114. package/dist/codex-plugin/skills/ai-catapult-init/templates/dot-ai/skills/git-ops.json +6 -0
  115. package/dist/codex-plugin/skills/ai-catapult-init/templates/dot-ai/skills/workspace-sync.json +6 -0
  116. package/dist/codex-plugin/skills/ai-catapult-init/templates/dot-ai/system-prompts/architect.md +31 -0
  117. package/dist/codex-plugin/skills/ai-catapult-init/templates/dot-ai/system-prompts/developer.md +31 -0
  118. package/dist/codex-plugin/skills/ai-catapult-init/templates/dot-ai/system-prompts/qa-engineer.md +31 -0
  119. package/dist/codex-plugin/skills/ai-catapult-init/templates/dot-ai/traceability/.gitkeep +0 -0
  120. package/dist/codex-plugin/skills/ai-catapult-init/templates/dot-ai/workflows/repo-workflow.json +42 -0
  121. package/dist/codex-plugin/skills/ai-catapult-init/templates/dot-ai/workflows/repo-workflow.md +52 -0
  122. package/dist/codex-plugin/skills/ai-catapult-init/templates/dot-github/workflows/ci-prek.yml +21 -0
  123. package/dist/codex-plugin/skills/ai-catapult-init/templates/dot-rules.ts +178 -0
  124. package/dist/codex-plugin/skills/ai-catapult-init/templates/prek.toml +13 -0
  125. package/package.json +51 -0
  126. package/scripts/build-claude-plugin.sh +179 -0
  127. package/scripts/build-codex-plugin.sh +104 -0
  128. package/scripts/snapshot-dist.sh +26 -0
  129. package/setup.sh +63 -0
  130. package/skills.lock.json +6 -0
  131. package/src/install.js +380 -0
  132. package/src/scaffold.js +220 -0
@@ -0,0 +1,1284 @@
1
+ # init-ai-repo — Reference
2
+
3
+ Detailed templates and operational documentation for every artifact the canonical `init-ai-repo` skill emits. The legacy `ai-sdlc-init` name remains a compatibility alias only.
4
+ Companion to [SKILL.md](SKILL.md) (the four-phase workflow entry point).
5
+
6
+ ---
7
+
8
+ ## Table of Contents
9
+
10
+ 1. [Templates](#templates)
11
+ - [.rules.ts template](#rulets-template)
12
+ - [upstream.lock template](#upstreamlock-template)
13
+ - [ci-prek.yml template](#ci-prekyml-template)
14
+ - [prek.toml template](#prektoml-template)
15
+ - [scripts/validate-rules.sh](#scriptsvalidate-rulessh)
16
+ - [scripts/verify-golden-dir.sh (reference only)](#scriptsverify-golden-dirsh-reference-only)
17
+ - [scripts/sync-upstream.sh (design pattern)](#scriptssync-upstreamsh-design-pattern)
18
+ - [.gitignore AI SDLC additions](#gitignore-ai-sdlc-additions)
19
+ - [raw/docs/incident-template.md](#rawdocsincident-templatemd)
20
+ - [docs/adr/ADR-TEMPLATE.md](#docsadradr-templatemd)
21
+ - [docs/adr/ADR-0001-record-architecture-decisions.md](#docsadradr-0001-record-architecture-decisionsmd)
22
+ - [.agents/skills/karpathy-guidelines/SKILL.md](#agentsskillskarpathy-guidelinesskillmd)
23
+ - [.agents/skills/karpathy-guidelines/REFERENCE.md](#agentsskillskarpathy-guidelinesreferencemd)
24
+ - [AGENTS.md append content](#agentsmd-append-content)
25
+ - [CLAUDE.md append content](#claudemd-append-content)
26
+ - [README.md append content](#readmemd-append-content)
27
+ 2. [Idempotency Guard Logic](#idempotency-guard-logic)
28
+ 3. [Setup-Skills Interaction](#setup-skills-interaction)
29
+ 4. [Agent Behaviors](#agent-behaviors)
30
+ 5. [Invocation Strategy](#invocation-strategy)
31
+ 6. [Prek Installation](#prek-installation)
32
+ 7. [upstream.lock Sync Procedure](#upstreamlock-sync-procedure)
33
+
34
+ ---
35
+
36
+ ## Templates
37
+
38
+ ### `.rules.ts` template
39
+
40
+ Archgate rules file. Five named domain exports, each a typed const array. The skill writes this
41
+ file verbatim; teams customize rule entries after scaffolding.
42
+
43
+ ```typescript
44
+ // .rules.ts — Archgate domain rules
45
+ // Each rule: name, severity ("error" | "warn" | "info"), match pattern, and example.
46
+ // This file is validated by scripts/validate-rules.sh (structural check only).
47
+ // Semantic enforcement is an agent behavior at PR review time.
48
+
49
+ export interface Rule {
50
+ name: string;
51
+ severity: "error" | "warn" | "info";
52
+ match: string;
53
+ violation?: string;
54
+ correction?: string;
55
+ }
56
+
57
+ // ─── backend ────────────────────────────────────────────────────────────────
58
+
59
+ export const backend: Rule[] = [
60
+ {
61
+ name: "api-versioning",
62
+ severity: "error",
63
+ match: "All public REST endpoints must include a version prefix (/v1/, /v2/, …).",
64
+ violation: "POST /users/create",
65
+ correction: "POST /v1/users",
66
+ },
67
+ {
68
+ name: "error-shape",
69
+ severity: "error",
70
+ match: "Error responses must use { error: { code, message, details? } } shape.",
71
+ violation: 'res.status(400).json({ msg: "bad input" })',
72
+ correction: 'res.status(400).json({ error: { code: "INVALID_INPUT", message: "…" } })',
73
+ },
74
+ {
75
+ name: "no-sql-injection-patterns",
76
+ severity: "error",
77
+ match: "String interpolation must not be used to build SQL queries.",
78
+ violation: '`SELECT * FROM users WHERE id = ${req.params.id}`',
79
+ correction: "db.query('SELECT * FROM users WHERE id = $1', [req.params.id])",
80
+ },
81
+ {
82
+ name: "middleware-order",
83
+ severity: "warn",
84
+ match: "Auth middleware must be registered before route handlers.",
85
+ violation: "router.get('/admin', handler, authMiddleware)",
86
+ correction: "router.get('/admin', authMiddleware, handler)",
87
+ },
88
+ ];
89
+
90
+ // ─── frontend ────────────────────────────────────────────────────────────────
91
+
92
+ export const frontend: Rule[] = [
93
+ {
94
+ name: "component-naming",
95
+ severity: "error",
96
+ match: "React components must use PascalCase filenames and exports.",
97
+ violation: "export function userCard() { … } // file: userCard.tsx",
98
+ correction: "export function UserCard() { … } // file: UserCard.tsx",
99
+ },
100
+ {
101
+ name: "props-interface",
102
+ severity: "error",
103
+ match: "Component props must be defined as a named TypeScript interface, not inline.",
104
+ violation: "function Button({ label }: { label: string }) { … }",
105
+ correction: "interface ButtonProps { label: string }\nfunction Button({ label }: ButtonProps) { … }",
106
+ },
107
+ {
108
+ name: "hook-patterns",
109
+ severity: "warn",
110
+ match: "Custom hooks must start with 'use' and return a typed object, not a tuple.",
111
+ violation: "function getUser() { … } // not a hook",
112
+ correction: "function useUser(): { user: User; loading: boolean } { … }",
113
+ },
114
+ {
115
+ name: "css-methodology",
116
+ severity: "info",
117
+ match: "Style declarations must use the project's CSS methodology (Tailwind/CSS Modules/…). Inline styles are prohibited except for dynamic values.",
118
+ violation: '<div style={{ color: "red" }}>',
119
+ correction: '<div className="text-red-500"> // or CSS module equivalent',
120
+ },
121
+ ];
122
+
123
+ // ─── data ────────────────────────────────────────────────────────────────────
124
+
125
+ export const data: Rule[] = [
126
+ {
127
+ name: "migration-naming",
128
+ severity: "error",
129
+ match: "Database migration files must follow the pattern YYYYMMDDHHMMSS_<slug>.sql.",
130
+ violation: "add_users_table.sql",
131
+ correction: "20260101120000_add_users_table.sql",
132
+ },
133
+ {
134
+ name: "query-batching",
135
+ severity: "warn",
136
+ match: "ORM queries inside loops are prohibited. Use batch/bulk methods or DataLoader.",
137
+ violation: "for (const id of ids) { await User.findOne(id); }",
138
+ correction: "await User.findAll({ where: { id: ids } });",
139
+ },
140
+ {
141
+ name: "cache-invalidation",
142
+ severity: "warn",
143
+ match: "Cache entries must be invalidated in the same transaction/service that mutates the source data.",
144
+ violation: "updateUser(id, data); // cache cleared in a separate cron",
145
+ correction: "await Promise.all([updateUser(id, data), cache.del(`user:${id}`)])",
146
+ },
147
+ ];
148
+
149
+ // ─── architecture ────────────────────────────────────────────────────────────
150
+
151
+ export const architecture: Rule[] = [
152
+ {
153
+ name: "layer-boundaries",
154
+ severity: "error",
155
+ match: "Route handlers must not import from the data layer directly. All data access goes through a service layer.",
156
+ violation: "import { db } from '../db' // inside routes/users.ts",
157
+ correction: "import { UserService } from '../services/UserService'",
158
+ },
159
+ {
160
+ name: "dependency-direction",
161
+ severity: "error",
162
+ match: "Dependencies must only flow inward (domain ← application ← infrastructure). Infrastructure must not import from the domain layer.",
163
+ violation: "import { User } from '../../domain/User' // inside infrastructure/",
164
+ correction: "Depend on the port interface, not the domain entity directly.",
165
+ },
166
+ {
167
+ name: "module-exports",
168
+ severity: "warn",
169
+ match: "Each module directory must have an index.ts that re-exports only its public surface.",
170
+ violation: "import { helper } from '../auth/internal/helper'",
171
+ correction: "import { helper } from '../auth' // via index.ts barrel",
172
+ },
173
+ {
174
+ name: "no-circular-dependencies",
175
+ severity: "error",
176
+ match: "Circular imports between modules are prohibited.",
177
+ violation: "// moduleA imports moduleB, moduleB imports moduleA",
178
+ correction: "Extract shared logic into a third module that neither A nor B imports.",
179
+ },
180
+ ];
181
+
182
+ // ─── general ─────────────────────────────────────────────────────────────────
183
+
184
+ export const general: Rule[] = [
185
+ {
186
+ name: "file-naming",
187
+ severity: "warn",
188
+ match: "Source files must use kebab-case. Test files must end in .test.ts or .spec.ts.",
189
+ violation: "UserService.ts, userservice.spec.ts",
190
+ correction: "user-service.ts, user-service.spec.ts",
191
+ },
192
+ {
193
+ name: "function-length",
194
+ severity: "warn",
195
+ match: "Functions must not exceed 40 lines. Extract logical sections into named helpers.",
196
+ violation: "// 80-line parseAndValidateAndSaveUser function",
197
+ correction: "parseUser(), validateUser(), saveUser() — each ≤ 40 lines",
198
+ },
199
+ {
200
+ name: "test-structure",
201
+ severity: "error",
202
+ match: "Tests must follow the Arrange-Act-Assert pattern with one assertion group per test.",
203
+ violation: "it('works', () => { /* 20 lines of mixed setup and assertions */ })",
204
+ correction: "it('returns 404 when user not found', () => { /* Arrange / Act / Assert */ })",
205
+ },
206
+ {
207
+ name: "import-ordering",
208
+ severity: "info",
209
+ match: "Imports must be ordered: Node built-ins → external packages → internal modules. Groups separated by a blank line.",
210
+ violation: "import { UserService } from './services'\nimport path from 'path'\nimport express from 'express'",
211
+ correction: "import path from 'path'\n\nimport express from 'express'\n\nimport { UserService } from './services'",
212
+ },
213
+ {
214
+ name: "comment-policy",
215
+ severity: "info",
216
+ match: "Comments must explain WHY, not WHAT. Do not comment code that is self-explanatory.",
217
+ violation: "// increment counter\ncounter++;",
218
+ correction: "// Retry budget: max 3 attempts before circuit-breaker trips\ncounter++;",
219
+ },
220
+ ];
221
+ ```
222
+
223
+ ---
224
+
225
+ ### `upstream.lock` template
226
+
227
+ Written by Step 3. The skill resolves `<SHA>` at scaffold time via
228
+ `git ls-remote https://github.com/mattpocock/skills.git HEAD`.
229
+
230
+ ```yaml
231
+ source: mattpocock/skills
232
+ via: r3dlex/skills
233
+ pinned_sha: <SHA from git ls-remote https://github.com/mattpocock/skills.git HEAD>
234
+ updated: <YYYY-MM-DD>
235
+ sync_script: scripts/sync-upstream.sh
236
+ ```
237
+
238
+ ---
239
+
240
+ ### `.github/workflows/ci-prek.yml` template
241
+
242
+ A **separate** workflow file. Never merged into an existing `ci.yml`.
243
+ Uses `j178/prek-action@v2`. The `extra-args: '--all-files'` key is required — there is no
244
+ bare `args:` key in this action.
245
+
246
+ ```yaml
247
+ name: AI SDLC Pre-commit Checks
248
+
249
+ on:
250
+ push:
251
+ branches: [main]
252
+ pull_request:
253
+ branches: [main]
254
+
255
+ jobs:
256
+ prek-check:
257
+ name: Pre-commit Hooks
258
+ runs-on: ubuntu-latest
259
+
260
+ steps:
261
+ - name: Checkout
262
+ uses: actions/checkout@v4
263
+
264
+ - name: Run prek
265
+ uses: j178/prek-action@v2
266
+ with:
267
+ extra-args: '--all-files'
268
+ ```
269
+
270
+ ---
271
+
272
+ ### `prek.toml` template
273
+
274
+ Hook configuration consumed by prek. prek expects the same schema as `.pre-commit-config.yaml`
275
+ (top-level `repos` array). Each repo entry has its own hooks. For Archgate, use a `local` repo
276
+ with the `validate-rules` hook — prek delegates `.rules.ts` validation to the shell script.
277
+
278
+ ```toml
279
+ # prek configuration — pre-commit hook manager (Rust-based, github.com/j178/prek)
280
+ # Schema mirrors `.pre-commit-config.yaml` (top-level `repos` field).
281
+
282
+ [[repos]]
283
+ repo = "local"
284
+
285
+ [[repos.hooks]]
286
+ id = "validate-rules"
287
+ name = "Validate Archgate rules structure"
288
+ entry = "bash scripts/validate-rules.sh"
289
+ language = "system"
290
+ files = '\.rules\.ts$'
291
+ exclude = '^reference/golden-(skills|root)/'
292
+ pass_filenames = false
293
+ ```
294
+
295
+ > **Why `pass_filenames = false`:** the script validates the canonical
296
+ > repo-root `.rules.ts`, not whatever files prek happened to match. With
297
+ > `pass_filenames = true`, prek would pass the matched files as positional
298
+ > args; the script would then only check `$1` and miss broken siblings.
299
+ > The `exclude` pattern prevents prek from running the hook against golden-dir
300
+ > baseline copies of `.rules.ts`.
301
+
302
+ > **Note:** Add more `[[repos]]` blocks for hosted hook collections (e.g.
303
+ > `https://github.com/pre-commit/pre-commit-hooks` for `trailing-whitespace`, `end-of-file-fixer`).
304
+ > Each hook within a `[[repos]]` block is added as a `[[repos.hooks]]` entry. The minimal local-only
305
+ > config above is what the init-ai-repo scaffold emits — extend it per project.
306
+
307
+ ---
308
+
309
+ ### `scripts/validate-rules.sh`
310
+
311
+ This is the script that `prek.toml`'s `validate-rules` hook executes. It checks structural
312
+ integrity of `.rules.ts`: five required domain exports present and optional TypeScript syntax
313
+ verification via `tsx`.
314
+
315
+ ```bash
316
+ #!/usr/bin/env bash
317
+ # validate-rules.sh — Structural validation of .rules.ts
318
+ # Checks that .rules.ts: (a) is valid TypeScript syntax, (b) exports
319
+ # all 5 required Archgate domains as const arrays with name+severity+match fields.
320
+ # This is NOT a full semantic check — it validates the rule STRUCTURE,
321
+ # not whether the rules are correct for the codebase.
322
+
323
+ set -euo pipefail
324
+
325
+ RULES_FILE="${1:-.rules.ts}"
326
+ errors=0
327
+
328
+ echo "=== Archgate Rules Validation ==="
329
+
330
+ # Check file exists
331
+ if [ ! -f "$RULES_FILE" ]; then
332
+ echo "FAIL: $RULES_FILE not found"
333
+ exit 1
334
+ fi
335
+
336
+ # Check 5 required domain exports (backend, frontend, data, architecture, general)
337
+ for domain in backend frontend data architecture general; do
338
+ if ! grep -q "export const $domain" "$RULES_FILE" 2>/dev/null; then
339
+ echo "FAIL: Missing required domain export: $domain"
340
+ errors=$((errors + 1))
341
+ else
342
+ echo "OK: $domain domain present"
343
+ fi
344
+ done
345
+
346
+ # Check TypeScript syntax with node --check (requires Node.js)
347
+ if command -v node &>/dev/null; then
348
+ # Transpile check: can npx tsx parse it?
349
+ if npx --yes tsx --eval "import('./.rules.ts').then(m => { const domains = ['backend','frontend','data','architecture','general']; domains.forEach(d => { if(!m[d]) throw new Error('Missing: '+d) }); console.log('TypeScript syntax OK'); process.exit(0); }).catch(e => { console.error(e.message); process.exit(1); })" 2>/dev/null; then
350
+ :
351
+ else
352
+ echo "WARNING: TypeScript syntax check failed (tsx not available or parse error)"
353
+ fi
354
+ else
355
+ echo "SKIP: Node.js not available for syntax check"
356
+ fi
357
+
358
+ echo "=== Result ==="
359
+ if [ "$errors" -eq 0 ]; then
360
+ echo "PASS: All 5 Archgate domains present."
361
+ exit 0
362
+ else
363
+ echo "FAIL: $errors domain(s) missing from .rules.ts"
364
+ exit 1
365
+ fi
366
+ ```
367
+
368
+ ---
369
+
370
+ ### `scripts/verify-golden-dir.sh` (reference only)
371
+
372
+ The `verify-golden-dir.sh` script lives at `scripts/verify-golden-dir.sh` in the skills repo.
373
+ It is a **pure diff-and-report tool** — it does not invoke the skill, it compares a real repo
374
+ against a golden directory that the developer has already scaffolded.
375
+
376
+ Key behaviours:
377
+ - Excludes `upstream.lock` from content diff (SHA drifts when upstream pushes). Instead it
378
+ validates only structural fields (`source:`, `via:`, `pinned_sha:`, `sync_script:`).
379
+ - Validates `.rules.ts` by calling `scripts/validate-rules.sh` — not via `prek --rules`
380
+ (no such flag exists).
381
+ - Checks for `<!-- ai-sdlc-init:start -->` marker presence in `AGENTS.md`, `CLAUDE.md`,
382
+ `README.md`, and `.gitignore`.
383
+ - Checks that `.github/workflows/ci-prek.yml` exists.
384
+ - Exits `0` on full pass, `1` on any failure.
385
+
386
+ Run after scaffolding a target repo:
387
+
388
+ ```bash
389
+ bash scripts/verify-golden-dir.sh /path/to/target-repo skills/reference/golden-skills
390
+ ```
391
+
392
+ ---
393
+
394
+ ### `scripts/sync-upstream.sh` (design pattern)
395
+
396
+ This is a **documented design pattern**, not a working script. The file is created with a
397
+ `# NOT IMPLEMENTED` header so future contributors can see the intended logic.
398
+
399
+ ```bash
400
+ #!/usr/bin/env bash
401
+ # sync-upstream.sh — DESIGN PATTERN (not a working script)
402
+ # Future implementation guide for syncing with mattpocock/skills upstream.
403
+ #
404
+ # Pseudocode:
405
+ # 1. Fetch the current HEAD SHA from upstream:
406
+ # UPSTREAM_SHA=$(git ls-remote https://github.com/mattpocock/skills.git HEAD | cut -f1)
407
+ # 2. Read the pinned_sha from upstream.lock:
408
+ # PINNED_SHA=$(grep 'pinned_sha:' upstream.lock | awk '{print $2}')
409
+ # 3. If UPSTREAM_SHA == PINNED_SHA: echo "Already up to date." && exit 0
410
+ # 4. Run git diff between pinned_sha and upstream HEAD on the remote (sparse clone or API diff):
411
+ # Generate list of changed files since PINNED_SHA
412
+ # 5. For each changed file in .agents/skills/:
413
+ # - Show the diff to the developer
414
+ # - Ask: "Apply this change? [y/N]"
415
+ # - If yes: copy the updated file into the local .agents/skills/ tree
416
+ # 6. Update upstream.lock with the new SHA and today's date.
417
+ # 7. Stage the changes for review: git add -p
418
+ #
419
+ # This script is intentionally incomplete. Upstream sync should be a deliberate
420
+ # human-reviewed process, not an automated overwrite.
421
+
422
+ echo "sync-upstream.sh is not yet implemented."
423
+ echo "See REFERENCE.md → upstream.lock Sync Procedure for the design intent."
424
+ exit 1
425
+ ```
426
+
427
+ ---
428
+
429
+ ### `.gitignore` AI SDLC additions
430
+
431
+ Append the following block to the repo's `.gitignore`. The marker comments use `#` syntax
432
+ (gitignore format) wrapping the HTML-comment namespace token so the idempotency guard can
433
+ still detect them via grep.
434
+
435
+ ```gitignore
436
+ # <!-- ai-sdlc-init:start -->
437
+ # AI SDLC artifacts
438
+ upstream-pocock/
439
+ .prek-cache/
440
+ # <!-- ai-sdlc-init:end -->
441
+ ```
442
+
443
+ ---
444
+
445
+ ### `raw/docs/incident-template.md`
446
+
447
+ Copy to `raw/docs/INC-YYYY-MM-DD-slug.md` and fill in each section.
448
+ Naming convention: `INC-2026-05-22-api-outage.md`.
449
+
450
+ ```markdown
451
+ # INC-YYYY-MM-DD — <short title>
452
+
453
+ **Status:** Open | Investigating | Resolved
454
+ **Severity:** P0 | P1 | P2 | P3
455
+ **Incident commander:** @handle
456
+ **Date opened:** YYYY-MM-DD HH:MM UTC
457
+ **Date resolved:** YYYY-MM-DD HH:MM UTC (leave blank if open)
458
+
459
+ ---
460
+
461
+ ## Summary
462
+
463
+ One paragraph. What happened, what was affected, and the outcome.
464
+
465
+ ## Timeline
466
+
467
+ | Time (UTC) | Event |
468
+ |-----------|-------|
469
+ | HH:MM | First alert fired |
470
+ | HH:MM | On-call engineer paged |
471
+ | HH:MM | Root cause identified |
472
+ | HH:MM | Mitigation applied |
473
+ | HH:MM | Service restored |
474
+
475
+ ## Root Cause
476
+
477
+ Describe the technical root cause. Use the 5-Whys if helpful:
478
+
479
+ 1. Why did X fail? → Because Y
480
+ 2. Why did Y happen? → Because Z
481
+ 3. …
482
+
483
+ ## Impact
484
+
485
+ - **Users affected:** N (estimated)
486
+ - **Duration:** HH hours MM minutes
487
+ - **Services affected:** list services, endpoints, or features
488
+ - **Data loss:** Yes / No / Under investigation
489
+
490
+ ## Action Items
491
+
492
+ | # | Action | Owner | Due date | Status |
493
+ |---|--------|-------|----------|--------|
494
+ | 1 | Add circuit breaker to payment service | @handle | YYYY-MM-DD | Open |
495
+ | 2 | Add alerting for DB connection pool exhaustion | @handle | YYYY-MM-DD | Open |
496
+
497
+ ## Blameless Statement
498
+
499
+ This incident review is conducted in the spirit of blameless post-mortems.
500
+ Systems fail; our goal is to understand failure modes and improve resilience —
501
+ not to assign individual blame. All contributors are encouraged to share
502
+ observations candidly.
503
+ ```
504
+
505
+ ---
506
+
507
+ ### `docs/adr/ADR-TEMPLATE.md`
508
+
509
+ MADR (Markdown Architectural Decision Records) format.
510
+
511
+ ```markdown
512
+ # ADR-NNNN — <title>
513
+
514
+ **Status:** Proposed | Accepted | Deprecated | Superseded by ADR-MMMM
515
+ **Date:** YYYY-MM-DD
516
+ **Deciders:** @handle1, @handle2
517
+
518
+ ---
519
+
520
+ ## Context
521
+
522
+ What is the issue that motivates this decision? What forces are at play
523
+ (technical, organisational, constraints)? Be specific about the problem space.
524
+
525
+ ## Decision
526
+
527
+ State the decision in one sentence. Then explain the reasoning.
528
+
529
+ > We will [do X] because [reason Y].
530
+
531
+ ## Consequences
532
+
533
+ ### Positive
534
+ - …
535
+
536
+ ### Negative
537
+ - …
538
+
539
+ ### Neutral / Trade-offs
540
+ - …
541
+
542
+ ## Compliance
543
+
544
+ How will adherence to this decision be verified? Options:
545
+ - Agent behavior (drift-check at PR review time)
546
+ - Automated lint rule in `.rules.ts`
547
+ - Manual review checklist in pull request template
548
+ - N/A — decision is structural, enforced by directory layout
549
+ ```
550
+
551
+ ---
552
+
553
+ ### `docs/adr/ADR-0001-record-architecture-decisions.md`
554
+
555
+ Bootstrap ADR. Records the meta-decision to use ADRs.
556
+
557
+ ```markdown
558
+ # ADR-0001 — Record Architecture Decisions
559
+
560
+ **Status:** Accepted
561
+ **Date:** <scaffold date>
562
+ **Deciders:** project maintainers
563
+
564
+ ---
565
+
566
+ ## Context
567
+
568
+ Architectural decisions accumulate silently in codebases. When a contributor asks
569
+ "why is this structured this way?", the answer lives in someone's memory or an
570
+ old Slack thread — not in the repository. New contributors repeat the same
571
+ trade-off analysis and sometimes reverse decisions whose rationale was sound but
572
+ undocumented.
573
+
574
+ We need a lightweight, version-controlled way to capture significant architectural
575
+ decisions alongside the code they describe.
576
+
577
+ ## Decision
578
+
579
+ We will record architecturally significant decisions in `docs/adr/` using MADR
580
+ (Markdown Architectural Decision Records) format. Each ADR is a numbered file:
581
+ `ADR-NNNN-slug.md`. ADRs are immutable once accepted; superseded ADRs are marked
582
+ "Superseded by ADR-MMMM" rather than deleted.
583
+
584
+ An ADR is warranted when a decision:
585
+ - Is hard to reverse without significant rework
586
+ - Involves non-obvious trade-offs
587
+ - Affects multiple modules or teams
588
+ - Contradicts a common default or industry practice
589
+
590
+ ## Consequences
591
+
592
+ ### Positive
593
+ - Decisions are traceable to the commit that introduced them.
594
+ - New contributors can understand constraints without asking senior engineers.
595
+ - Drift detection at PR review time has an authoritative source to compare against.
596
+
597
+ ### Negative
598
+ - Writing ADRs takes time. Teams may skip them under deadline pressure.
599
+ - Stale ADRs that are never marked "Deprecated" can mislead readers.
600
+
601
+ ### Neutral / Trade-offs
602
+ - ADRs capture intent, not enforcement. Compliance verification is an agent
603
+ behavior (see AGENTS.md — Drift Verification Protocol), not a CI gate in this
604
+ iteration.
605
+
606
+ ## Compliance
607
+
608
+ Agent behavior: at PR review time, the drift-verification agent loads the PR diff
609
+ and relevant ADRs, then flags conflicts. See AGENTS.md for the documented protocol.
610
+ ```
611
+
612
+ ---
613
+
614
+ ### `.agents/skills/karpathy-guidelines/SKILL.md`
615
+
616
+ Write this file into the **target repo** (not the skills repo) at
617
+ `.agents/skills/karpathy-guidelines/SKILL.md`. It encodes four Andrej Karpathy
618
+ software engineering heuristics as agent-facing rules.
619
+
620
+ ```markdown
621
+ ---
622
+ name: karpathy-guidelines
623
+ description: >
624
+ Enforce Karpathy software engineering principles: think before coding,
625
+ prefer simplicity, make surgical changes, stay goal-driven. Use when
626
+ reviewing code quality, planning implementation approach, or auditing
627
+ for over-engineering.
628
+ ---
629
+
630
+ # Karpathy Guidelines
631
+
632
+ Four principles that prevent the most common AI-assisted coding failure modes.
633
+ Load this skill when reviewing implementation plans or code output.
634
+
635
+ ## Rules
636
+
637
+ ### Rule 1 — Think Before Coding
638
+
639
+ Spend time understanding the problem before writing a single line.
640
+ Re-read the issue, the acceptance criteria, and any relevant ADRs.
641
+
642
+ **Bad:**
643
+ ```
644
+ // Immediately add a retry wrapper because the API call might fail
645
+ async function fetchWithRetry(url) { … }
646
+ ```
647
+
648
+ **Good:**
649
+ ```
650
+ // 1. Read the issue: the API is internal, on the same VPC. Retries not needed.
651
+ // 2. Check ADR-0005: we use circuit-breakers at the gateway, not per-caller.
652
+ // Conclusion: a plain fetch() is correct here.
653
+ async function fetchConfig(url) { return fetch(url).then(r => r.json()); }
654
+ ```
655
+
656
+ ---
657
+
658
+ ### Rule 2 — Simplicity First
659
+
660
+ Do not add abstraction until you have two concrete use cases that share it.
661
+ The cost of wrong abstraction is higher than the cost of duplication.
662
+
663
+ **Bad:**
664
+ ```typescript
665
+ // Premature factory for a single use case
666
+ class DataFetcherFactory {
667
+ static create(type: 'user' | 'post'): DataFetcher { … }
668
+ }
669
+ ```
670
+
671
+ **Good:**
672
+ ```typescript
673
+ // Concrete function for the one case that exists today
674
+ async function fetchUser(id: string): Promise<User> { … }
675
+ // If fetchPost() is needed later and shares logic → extract then, not now.
676
+ ```
677
+
678
+ ---
679
+
680
+ ### Rule 3 — Surgical Changes
681
+
682
+ Change only what the task requires. Do not refactor adjacent code, rename
683
+ variables "while you're here", or fix unrelated linting warnings in the same
684
+ commit.
685
+
686
+ **Bad:**
687
+ > Task: "Add timeout to fetchData()."
688
+ > Agent refactors all callers, introduces RetryConfig class, renames three
689
+ > variables for clarity, fixes unrelated import order.
690
+
691
+ **Good:**
692
+ > Task: "Add timeout to fetchData()."
693
+ > Agent adds one parameter with a default, threads it to the fetch call,
694
+ > updates the one test that exercises fetchData. Diff: 4 lines.
695
+
696
+ ---
697
+
698
+ ### Rule 4 — Goal-Driven Execution
699
+
700
+ Keep the original task visible. Before each action, ask: "Does this directly
701
+ advance the stated goal?" Stop when the goal is met — do not add polish,
702
+ documentation, or "nice to have" features beyond scope.
703
+
704
+ **Bad:**
705
+ ```
706
+ // Task complete, but agent adds:
707
+ // - JSDoc on every function (not requested)
708
+ // - A README section for the new parameter (not requested)
709
+ // - A CHANGELOG entry (not requested)
710
+ ```
711
+
712
+ **Good:**
713
+ ```
714
+ // Task complete. Verification run. No out-of-scope additions.
715
+ // Noted potential improvement → opened separate issue #47.
716
+ ```
717
+
718
+ ---
719
+
720
+ ## When to Apply These Rules
721
+
722
+ - Before starting any implementation: apply Rule 1 and Rule 4 (understand goal,
723
+ confirm scope).
724
+ - During implementation: apply Rule 3 (surgical).
725
+ - During review of your own output: apply Rule 2 (simplicity check).
726
+
727
+ See [REFERENCE.md](REFERENCE.md) for anti-pattern catalog and concrete scenarios.
728
+ ```
729
+
730
+ ---
731
+
732
+ ### `.agents/skills/karpathy-guidelines/REFERENCE.md`
733
+
734
+ Write into the target repo at `.agents/skills/karpathy-guidelines/REFERENCE.md`.
735
+
736
+ ```markdown
737
+ # Karpathy Guidelines — Reference
738
+
739
+ Anti-pattern catalog, integration guidance, and concrete scenarios for the four
740
+ rules in [SKILL.md](SKILL.md).
741
+
742
+ ---
743
+
744
+ ## Anti-Pattern Catalog
745
+
746
+ ### AP-1: The Helpful Refactor
747
+
748
+ **Pattern:** Agent fixes nearby code "while it's there" — renaming variables,
749
+ improving error messages, extracting helpers. None of it was requested.
750
+
751
+ **Why it's harmful:** Unreviewed scope expansion. The refactored code may have
752
+ had intentional quirks. The diff becomes harder to review and revert.
753
+
754
+ **Detection signal:** Diff touches files not named in the task description.
755
+
756
+ **Correction:** Open a separate issue for the cleanup. Link from the PR description.
757
+
758
+ ---
759
+
760
+ ### AP-2: The Premature Abstraction
761
+
762
+ **Pattern:** Agent introduces a class, interface, or utility function for a
763
+ pattern that exists exactly once.
764
+
765
+ **Why it's harmful:** Abstractions create coupling and maintenance surface. A
766
+ wrong abstraction is harder to remove than the duplication it replaced.
767
+
768
+ **Detection signal:** New class or function has exactly one call site.
769
+
770
+ **Correction:** Inline the logic. If a second use case appears, abstract then.
771
+
772
+ ---
773
+
774
+ ### AP-3: The Exhaustive Documentation Pass
775
+
776
+ **Pattern:** After completing a task, agent writes JSDoc on every function, adds
777
+ a README section, updates a CHANGELOG, and annotates every type.
778
+
779
+ **Why it's harmful:** Documentation written without user need adds noise and
780
+ drifts out of sync with the code.
781
+
782
+ **Detection signal:** Documentation changes exceed code changes in line count.
783
+
784
+ **Correction:** Document only what the task explicitly requests, or what is
785
+ genuinely non-obvious to a future reader.
786
+
787
+ ---
788
+
789
+ ### AP-4: The Safety Net Spiral
790
+
791
+ **Pattern:** Agent adds retries, circuit breakers, fallback paths, and error
792
+ logging "just in case" for a code path that calls an internal, highly-available
793
+ service.
794
+
795
+ **Why it's harmful:** Over-engineering failure paths adds complexity, masks real
796
+ errors, and creates false confidence in resilience.
797
+
798
+ **Detection signal:** The new code has more error-handling lines than happy-path
799
+ lines, without a documented failure scenario that justifies it.
800
+
801
+ **Correction:** Check the relevant ADR or architecture docs. Add only what the
802
+ architecture explicitly requires.
803
+
804
+ ---
805
+
806
+ ### AP-5: The Understanding Skip
807
+
808
+ **Pattern:** Agent starts writing code immediately after reading the first
809
+ sentence of the issue, without reading acceptance criteria, linked ADRs, or
810
+ existing implementations of the same interface.
811
+
812
+ **Why it's harmful:** Produces code that passes unit tests but violates
813
+ architectural constraints or contradicts existing conventions.
814
+
815
+ **Detection signal:** First code edit appears in the transcript before any file
816
+ reads.
817
+
818
+ **Correction:** Read the issue fully, read relevant ADRs, grep for existing
819
+ usages of the interface being extended. Then write.
820
+
821
+ ---
822
+
823
+ ### AP-6: The Completion Theater
824
+
825
+ **Pattern:** Agent declares "done" before running verification (build, tests,
826
+ lsp diagnostics). Or runs verification but ignores failures.
827
+
828
+ **Why it's harmful:** Breaks the contract between agent and reviewer. Reviewer
829
+ must re-run verification, find failures, and re-engage the agent.
830
+
831
+ **Detection signal:** No verification output in the transcript before "done."
832
+
833
+ **Correction:** Show fresh build/test output. If something fails, fix it before
834
+ claiming completion.
835
+
836
+ ---
837
+
838
+ ## Integration Guidance
839
+
840
+ These guidelines are most effective when:
841
+
842
+ 1. **Loaded at task start.** The agent reads SKILL.md before writing any code.
843
+ 2. **Referenced during self-review.** After drafting a change, the agent checks
844
+ the anti-pattern list before submitting.
845
+ 3. **Cited in PR review comments.** "AP-2 applies here — this helper has one
846
+ call site" gives precise, actionable feedback.
847
+
848
+ The guidelines do NOT replace acceptance criteria. They operate alongside task
849
+ requirements, not instead of them.
850
+
851
+ ---
852
+
853
+ ## Concrete Scenarios
854
+
855
+ ### Scenario 1: Add a field to an API response
856
+
857
+ **Task:** "Add `createdAt` field to the `/v1/users/:id` response."
858
+
859
+ **Karpathy-compliant approach:**
860
+ 1. (Rule 1) Read the issue. Find the UserResponse type. Check ADR-0003 (error
861
+ shape) to confirm field naming conventions.
862
+ 2. (Rule 3) Add `createdAt: string` to `UserResponse`. Add it to the serializer.
863
+ Update the one test that asserts response shape. Diff: ~8 lines.
864
+ 3. (Rule 4) Stop. Do not add `updatedAt` speculatively. Do not refactor the
865
+ serializer to a builder pattern.
866
+
867
+ ---
868
+
869
+ ### Scenario 2: Fix a flaky test
870
+
871
+ **Task:** "Test `auth.spec.ts:42` fails intermittently. Fix it."
872
+
873
+ **Karpathy-compliant approach:**
874
+ 1. (Rule 1) Read the test. Read the code under test. Reproduce the failure.
875
+ Identify the race condition (timer not mocked).
876
+ 2. (Rule 3) Mock the timer in the test setup. Confirm the test is now stable.
877
+ Do not refactor the auth module while you're there.
878
+ 3. (Rule 2) If the timer-mock pattern is needed in three other tests, extract a
879
+ helper. If it's needed only here, leave it inline.
880
+
881
+ ---
882
+
883
+ ### Scenario 3: Scaffold a new module
884
+
885
+ **Task:** "Create a notifications module following the existing user module pattern."
886
+
887
+ **Karpathy-compliant approach:**
888
+ 1. (Rule 1) Read `src/users/` fully before writing anything. Note file structure,
889
+ naming, error handling, and test patterns.
890
+ 2. (Rule 3) Create files that mirror the pattern exactly. No improvements to the
891
+ pattern unless explicitly requested.
892
+ 3. (Rule 2) Do not create a generic `createModule()` factory because two modules
893
+ now share a pattern. Duplication is fine at two instances.
894
+ 4. (Rule 4) Stop when the module is created and tests pass. Do not add
895
+ notification preferences, delivery receipts, or retry logic that aren't in
896
+ the acceptance criteria.
897
+ ```
898
+
899
+ ---
900
+
901
+ ### AGENTS.md append content
902
+
903
+ Insert between `<!-- ai-sdlc-init:start -->` and `<!-- ai-sdlc-init:end -->` markers.
904
+
905
+ ```markdown
906
+ <!-- ai-sdlc-init:start -->
907
+
908
+ ## AI SDLC Methodology
909
+
910
+ This repository uses the AI SDLC methodology scaffolded by `init-ai-repo` (legacy alias/path: `ai-sdlc-init`).
911
+
912
+ ### Architecture Decision Records
913
+
914
+ Significant architectural decisions are recorded in [`docs/adr/`](docs/adr/).
915
+ Before making a change that affects module boundaries, API contracts, data
916
+ schemas, or dependency direction, check whether a relevant ADR exists.
917
+ If your change contradicts an existing ADR, either update the ADR or open a
918
+ discussion before proceeding.
919
+
920
+ ### Archgate Rules
921
+
922
+ Code quality rules are defined in [`.rules.ts`](.rules.ts) across five domains:
923
+ `backend`, `frontend`, `data`, `architecture`, `general`. Rules carry a severity
924
+ (`error`, `warn`, `info`). Structural validation of `.rules.ts` runs in CI via
925
+ the `validate-rules` prek hook. Semantic enforcement (did the PR violate a rule?)
926
+ is an agent behavior at PR review time.
927
+
928
+ ### Karpathy Baseline
929
+
930
+ All agents operating in this repository load
931
+ [`.agents/skills/karpathy-guidelines/SKILL.md`](.agents/skills/karpathy-guidelines/SKILL.md)
932
+ as a baseline. Four rules apply to every task: Think Before Coding, Simplicity
933
+ First, Surgical Changes, Goal-Driven Execution. See the SKILL.md for violation
934
+ and correction examples.
935
+
936
+ ### Drift Verification Protocol
937
+
938
+ At PR review time, the reviewing agent:
939
+ 1. Loads the PR diff alongside the BRD, PRD, acceptance criteria, and any ADRs
940
+ whose scope overlaps with the changed files.
941
+ 2. Produces a drift report identifying whether changes match ACs, conflict with
942
+ ADRs, or violate architectural constraints from `.rules.ts`.
943
+ 3. Leaves the drift report as a PR comment or review summary.
944
+
945
+ This is a documented agent behavior. It is not enforced as a CI gate in this
946
+ iteration.
947
+
948
+ ### Circuit Breaker Protocol
949
+
950
+ Before starting work on an issue:
951
+ 1. Check whether ≥ 3 prior attempts exist without resolution (look for
952
+ `attempts:N` labels or a comment history showing repeated failures).
953
+ 2. If the circuit is tripped (≥ 3 attempts, no resolution), escalate to a
954
+ human with a written summary of what was tried and what blocked each attempt.
955
+ 3. Do not make a fourth attempt without human acknowledgement.
956
+
957
+ <!-- ai-sdlc-init:end -->
958
+ ```
959
+
960
+ ---
961
+
962
+ ### CLAUDE.md append content
963
+
964
+ Shorter than AGENTS.md — just enough for Claude Code to orient itself.
965
+
966
+ ```markdown
967
+ <!-- ai-sdlc-init:start -->
968
+
969
+ ## AI SDLC
970
+
971
+ This repository uses the AI SDLC methodology. Before starting work:
972
+
973
+ - Read [AGENTS.md](AGENTS.md) for the full methodology (ADRs, Archgate rules,
974
+ Karpathy baseline, drift verification, circuit breaker protocol).
975
+ - Check [`docs/adr/`](docs/adr/) for architectural constraints relevant to your task.
976
+ - Load `.agents/skills/karpathy-guidelines/SKILL.md` as a baseline for all tasks.
977
+
978
+ <!-- ai-sdlc-init:end -->
979
+ ```
980
+
981
+ ---
982
+
983
+ ### README.md append content
984
+
985
+ Public-facing. Brief and links out rather than duplicating.
986
+
987
+ ```markdown
988
+ <!-- ai-sdlc-init:start -->
989
+
990
+ ## AI SDLC Methodology
991
+
992
+ This project uses the [init-ai-repo AI SDLC methodology](https://github.com/r3dlex/skills/tree/main/init-ai-repo)
993
+ to maintain architectural governance alongside AI-assisted development.
994
+
995
+ Key practices:
996
+ - **Architecture Decision Records** in [`docs/adr/`](docs/adr/) — significant
997
+ decisions are version-controlled with context and rationale.
998
+ - **Archgate rules** in [`.rules.ts`](.rules.ts) — code quality constraints
999
+ across five domains, validated in CI.
1000
+ - **Karpathy baseline** — four engineering heuristics loaded by all agents
1001
+ operating in this repo (think, simplify, be surgical, stay on goal).
1002
+
1003
+ Contributing? Read [`AGENTS.md`](AGENTS.md) for agent-facing methodology details.
1004
+
1005
+ <!-- ai-sdlc-init:end -->
1006
+ ```
1007
+
1008
+ ---
1009
+
1010
+ ## Idempotency Guard Logic
1011
+
1012
+ All three append operations (AGENTS.md, CLAUDE.md, README.md) and the `.gitignore`
1013
+ append use a secondary-content-scan pattern to prevent duplicate insertions.
1014
+
1015
+ ### Decision Matrix
1016
+
1017
+ Before inserting any `<!-- ai-sdlc-init:start -->` block, the skill checks two
1018
+ independent signals:
1019
+
1020
+ | Marker present? | Content present? | Action |
1021
+ |-----------------|-----------------|--------|
1022
+ | Yes | Yes | Skip silently (already done) |
1023
+ | No | No | Insert (normal case) |
1024
+ | No | Yes | Log warning and skip — content exists without a marker; manual intervention may be needed |
1025
+ | Yes | No | Log warning and skip — marker exists but content is missing; this is a corrupt state |
1026
+
1027
+ ### Implementation
1028
+
1029
+ For AGENTS.md, CLAUDE.md, README.md:
1030
+
1031
+ ```
1032
+ marker_check = grep -q "<!-- ai-sdlc-init:start -->" <file>
1033
+ content_check = grep -q "AI SDLC" <file> # header text from the append block
1034
+ ```
1035
+
1036
+ For `.gitignore`:
1037
+
1038
+ ```
1039
+ marker_check = grep -q "# <!-- ai-sdlc-init:start -->" .gitignore
1040
+ content_check = grep -q "upstream-pocock/" .gitignore
1041
+ ```
1042
+
1043
+ ### Rationale
1044
+
1045
+ Checking both marker and content independently protects against:
1046
+ - Re-running the skill after a partial failure that wrote content but not the
1047
+ closing marker.
1048
+ - Manual edits that added the header text without markers.
1049
+ - Future skill runs after the markers were stripped by a formatter.
1050
+
1051
+ ---
1052
+
1053
+ ## Setup-Skills Interaction
1054
+
1055
+ The `init-ai-repo` compatibility path detects whether the `setup-skills` skill has already run
1056
+ in the target repo.
1057
+
1058
+ ### Detection
1059
+
1060
+ Scan for `<!-- setup-skills:start -->` in `AGENTS.md` or `CLAUDE.md`:
1061
+
1062
+ ```bash
1063
+ grep -q "<!-- setup-skills:start -->" AGENTS.md 2>/dev/null || \
1064
+ grep -q "<!-- setup-skills:start -->" CLAUDE.md 2>/dev/null
1065
+ ```
1066
+
1067
+ ### If setup-skills output is found
1068
+
1069
+ - Read `docs/agents/issue-tracker-github.md` (or `-gitlab.md` / `-local.md`)
1070
+ to detect the issue tracker. The filename suffix identifies the tracker type.
1071
+ - Read `docs/agents/triage-labels.md` for the five canonical label names.
1072
+ - **Skip** the tooling questions in Step 1 (issue tracker, CI platform).
1073
+ - Use detected values as scaffold defaults throughout the remaining steps.
1074
+
1075
+ ### If setup-skills was NOT run
1076
+
1077
+ Ask the two tooling questions:
1078
+
1079
+ 1. "What issue tracker does this repo use?" (GitHub Issues / GitLab Issues /
1080
+ Jira / Azure DevOps / local Markdown)
1081
+ 2. "What CI platform does this repo use?" (GitHub Actions / GitLab CI /
1082
+ Azure DevOps Pipelines / other)
1083
+
1084
+ ### Marker Namespace Separation
1085
+
1086
+ | Skill | Marker namespace | Files modified |
1087
+ |-------|-----------------|----------------|
1088
+ | setup-skills | `<!-- setup-skills:* -->` | AGENTS.md, CLAUDE.md |
1089
+ | init-ai-repo (legacy marker namespace) | `<!-- ai-sdlc-init:* -->` | AGENTS.md, CLAUDE.md, README.md, .gitignore |
1090
+
1091
+ No overlap. Both marker blocks can coexist in the same file. Each skill's
1092
+ idempotency guard checks only its own namespace.
1093
+
1094
+ ### Execution Order
1095
+
1096
+ If both skills will be run in a fresh repo:
1097
+
1098
+ 1. Run `setup-skills` first — it configures issue tracker and triage labels.
1099
+ 2. Run `init-ai-repo` second — it detects setup-skills output and skips
1100
+ redundant tooling questions.
1101
+
1102
+ ---
1103
+
1104
+ ## Agent Behaviors
1105
+
1106
+ These behaviors are documented here per Principle 3 (documentation-first governance).
1107
+ They are NOT CI gates in this iteration.
1108
+
1109
+ ### Drift Verification Protocol
1110
+
1111
+ Triggered at PR review time by a separate-context agent (not the implementation agent).
1112
+
1113
+ Steps:
1114
+ 1. Load: PR diff, BRD, PRD, acceptance criteria, all ADRs whose path or domain
1115
+ overlaps with the changed files.
1116
+ 2. Check: Do the changes satisfy all acceptance criteria? Do they conflict with
1117
+ any ADR? Do they violate any `error`-severity rule in `.rules.ts`?
1118
+ 3. Report: Produce a structured drift report with three sections:
1119
+ - **AC coverage** — which ACs are addressed, which are untouched.
1120
+ - **ADR conflicts** — any changes that contradict a recorded decision.
1121
+ - **Rule violations** — `error`-severity `.rules.ts` matches in the diff.
1122
+ 4. Post: Leave the report as a PR review comment or review summary.
1123
+
1124
+ The reviewing agent must be a **separate context** from the implementation agent
1125
+ to avoid self-approval bias.
1126
+
1127
+ ### Circuit Breaker Protocol
1128
+
1129
+ Triggered before starting work on any issue.
1130
+
1131
+ Steps:
1132
+ 1. Check the issue for an `attempts:N` label or a comment history showing
1133
+ ≥ 3 attempts without resolution.
1134
+ 2. If the circuit is tripped: do not start a new attempt. Instead, post a
1135
+ written escalation summary:
1136
+ - What was tried in each prior attempt.
1137
+ - What blocked resolution each time.
1138
+ - What human decision or context is needed to unblock.
1139
+ 3. Wait for human acknowledgement before proceeding.
1140
+
1141
+ Attempt tracking: use an `attempts:N` label in the issue tracker, incrementing N
1142
+ after each failed attempt. The circuit trips at `attempts:3`.
1143
+
1144
+ ---
1145
+
1146
+ ## Invocation Strategy
1147
+
1148
+ `init-ai-repo` is an OMC-compatible skill consumed by Claude Code. Legacy `/ai-sdlc-init` remains an alias/path only. It is not a standalone
1149
+ CLI tool.
1150
+
1151
+ ### Method 1 — Direct invocation (recommended)
1152
+
1153
+ ```bash
1154
+ cd /path/to/target-repo
1155
+ claude -p "/init-ai-repo"
1156
+ ```
1157
+
1158
+ The `-p` flag runs the slash command in print mode. The skill loads SKILL.md,
1159
+ reads the four-phase workflow, and executes against the current working directory.
1160
+
1161
+ ### Method 2 — Interactive session
1162
+
1163
+ In an active Claude Code session in the target repo:
1164
+
1165
+ ```
1166
+ /init-ai-repo
1167
+ ```
1168
+
1169
+ The skill loads and the agent follows the numbered steps interactively.
1170
+
1171
+ ### Method 3 — Agent delegation
1172
+
1173
+ From a parent orchestrating agent (e.g., the AiTool root repo):
1174
+
1175
+ ```
1176
+ Delegate to an executor agent with cwd set to the target repo.
1177
+ Instruct it to run /init-ai-repo.
1178
+ ```
1179
+
1180
+ ### Constraints
1181
+
1182
+ - Claude Code CLI has no `--skill`, `--cwd`, or `--repo-type` flags. The skill
1183
+ must be loaded via slash command.
1184
+ - The skill reads target repo files to determine state — it accepts no CLI
1185
+ arguments.
1186
+ - Golden-dir verification (`scripts/verify-golden-dir.sh`) is always
1187
+ developer-local. It cannot run in CI.
1188
+
1189
+ ---
1190
+
1191
+ ## Prek Installation
1192
+
1193
+ prek is a **Rust-based** pre-commit hook manager (github.com/j178/prek).
1194
+ It is NOT a Go tool. It has no `--rules` flag. `.rules.ts` validation happens
1195
+ exclusively via the `validate-rules` local hook defined in `prek.toml`.
1196
+
1197
+ ### CI
1198
+
1199
+ ```yaml
1200
+ - name: Run prek
1201
+ uses: j178/prek-action@v2
1202
+ with:
1203
+ extra-args: '--all-files'
1204
+ ```
1205
+
1206
+ Use `extra-args: '--all-files'` — there is no bare `args:` key in this action.
1207
+
1208
+ ### Local development
1209
+
1210
+ ```bash
1211
+ # macOS (recommended)
1212
+ brew install prek
1213
+
1214
+ # Cross-platform (requires Rust toolchain)
1215
+ cargo install --locked prek
1216
+
1217
+ # Python environment (pip wrapper)
1218
+ pip install prek
1219
+ ```
1220
+
1221
+ After installation, activate the pre-commit hook in the target repo:
1222
+
1223
+ ```bash
1224
+ prek install
1225
+ ```
1226
+
1227
+ This installs prek as the `pre-commit` git hook. On each commit, prek reads
1228
+ `prek.toml` and runs the configured hooks.
1229
+
1230
+ ### End-to-end hook flow
1231
+
1232
+ 1. Developer commits → `prek` runs hooks from `prek.toml`.
1233
+ 2. `trailing-whitespace` and `end-of-file-fixer` run on all staged files.
1234
+ 3. `validate-rules` runs `bash scripts/validate-rules.sh` when `.rules.ts` is
1235
+ staged.
1236
+ 4. `validate-rules.sh` checks that all 5 domain exports are present and
1237
+ optionally checks TypeScript syntax via `tsx`.
1238
+ 5. If any hook fails → commit is blocked.
1239
+ 6. In CI, `j178/prek-action@v2` runs `prek run --all-files` — same hooks, all
1240
+ files.
1241
+
1242
+ ---
1243
+
1244
+ ## upstream.lock Sync Procedure
1245
+
1246
+ ### Initial population (scaffold time)
1247
+
1248
+ Step 3 of the skill resolves the upstream SHA by running:
1249
+
1250
+ ```bash
1251
+ git ls-remote https://github.com/mattpocock/skills.git HEAD
1252
+ ```
1253
+
1254
+ The output is a tab-separated `<SHA>\tHEAD`. The skill writes the SHA into
1255
+ `pinned_sha:` in `upstream.lock` and sets `updated:` to today's date.
1256
+
1257
+ ### Verification exclusion
1258
+
1259
+ `verify-golden-dir.sh` **excludes** `upstream.lock` from the content diff.
1260
+ The `pinned_sha` field drifts whenever the upstream repo pushes new commits;
1261
+ a content diff would produce perpetual false failures.
1262
+
1263
+ Instead, the script validates only the structural fields:
1264
+ - `source:` is present
1265
+ - `via:` is present
1266
+ - `pinned_sha:` is present
1267
+ - `sync_script:` is present
1268
+
1269
+ The actual SHA value is not asserted — only field presence.
1270
+
1271
+ ### Sync design intent
1272
+
1273
+ The `scripts/sync-upstream.sh` file documents the intended sync workflow as
1274
+ pseudocode (see template above). A working implementation is out of scope for
1275
+ this iteration. The intended flow:
1276
+
1277
+ 1. Fetch current upstream HEAD SHA.
1278
+ 2. Compare against `pinned_sha` in `upstream.lock`.
1279
+ 3. If different, diff the upstream changes since `pinned_sha`.
1280
+ 4. Show the developer each changed file and ask for confirmation before applying.
1281
+ 5. Update `upstream.lock` with the new SHA and date.
1282
+
1283
+ Upstream sync is intentionally human-reviewed. Automated overwrite of
1284
+ `.agents/skills/` content is not the intended design.