@sienklogic/plan-build-run 2.23.0 → 2.24.0

package/CHANGELOG.md

@@ -5,6 +5,21 @@ All notable changes to Plan-Build-Run will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [2.24.0](https://github.com/SienkLogic/plan-build-run/compare/plan-build-run-v2.23.0...plan-build-run-v2.24.0) (2026-02-24)
+
+
+### Features
+
+* **35-05:** add Audit Reports view with /audits and /audits/:filename routes ([33dfae7](https://github.com/SienkLogic/plan-build-run/commit/33dfae7fff02cbba93e250211e54b26d565f4f76))
+* **35-05:** GREEN - implement audit.service.js with listAuditReports and getAuditReport ([c79179a](https://github.com/SienkLogic/plan-build-run/commit/c79179a75a386096e74589f13fea4a56174b1870))
+* **quick-003:** add data-flow to plan-format reference, verification template, and integration report template ([e73a31e](https://github.com/SienkLogic/plan-build-run/commit/e73a31e0c1eb9535014de4b60924bd98ced2f8cb))
+* **quick-003:** add data-flow verification to planner, verifier, and integration-checker agents ([e37e192](https://github.com/SienkLogic/plan-build-run/commit/e37e19297e038c38aecd7d04e93c007928242f0f))
+
+
+### Bug Fixes
+
+* **quick-003:** pass data.session_id to LLM operations instead of undefined ([df4d168](https://github.com/SienkLogic/plan-build-run/commit/df4d1682b50935b53ddcc665b8dcdc394b8b277e))
+
 ## [2.23.0](https://github.com/SienkLogic/plan-build-run/compare/plan-build-run-v2.22.2...plan-build-run-v2.23.0) (2026-02-24)
 
 

package/dashboard/package.json

@@ -19,7 +19,6 @@
   ],
   "license": "MIT",
   "dependencies": {
-    "@rollup/rollup-win32-x64-msvc": "^4.57.1",
     "chokidar": "^5.0.0",
     "commander": "^12.1.0",
     "ejs": "^3.1.10",
@@ -30,6 +29,7 @@
     "sanitize-html": "^2.13.0"
   },
   "devDependencies": {
+    "@rollup/rollup-win32-x64-msvc": "^4.57.1",
     "@vitest/coverage-v8": "^4.0.18",
     "memfs": "^4.56.10",
     "supertest": "^7.2.2",

package/dashboard/src/repositories/planning.repository.js

@@ -3,20 +3,10 @@ import { join, resolve, relative, normalize } from 'node:path';
 import matter from 'gray-matter';
 import { marked } from 'marked';
 import sanitizeHtml from 'sanitize-html';
+import { stripBOM } from '../utils/strip-bom.js';
 
 marked.setOptions({ gfm: true, breaks: false });
 
-/**
- * Strip UTF-8 BOM (Byte Order Mark) if present.
- * Windows editors (Notepad, older VS Code) may prepend BOM to UTF-8 files.
- * gray-matter will fail to detect frontmatter delimiters if BOM is present.
- * @param {string} content - Raw file content
- * @returns {string} Content without BOM
- */
-function stripBOM(content) {
-  return content.replace(/^\uFEFF/, '');
-}
-
 /**
  * Validate that a resolved path stays within the base directory.
  * Prevents path traversal attacks (e.g., ../../etc/passwd).

package/dashboard/src/routes/pages.routes.js

@@ -2,12 +2,13 @@ import { Router } from 'express';
 import { getPhaseDetail, getPhaseDocument } from '../services/phase.service.js';
 import { getRoadmapData, generateDependencyMermaid } from '../services/roadmap.service.js';
 import { parseStateFile, derivePhaseStatuses } from '../services/dashboard.service.js';
-import { listPendingTodos, getTodoDetail, createTodo, completeTodo } from '../services/todo.service.js';
+import { listPendingTodos, getTodoDetail, createTodo, completeTodo, listDoneTodos } from '../services/todo.service.js';
 import { getAllMilestones, getMilestoneDetail } from '../services/milestone.service.js';
 import { getProjectAnalytics } from '../services/analytics.service.js';
 import { getLlmMetrics } from '../services/local-llm-metrics.service.js';
-import { listNotes } from '../services/notes.service.js';
+import { listNotes, getNoteBySlug } from '../services/notes.service.js';
 import { listQuickTasks, getQuickTask } from '../services/quick.service.js';
+import { listAuditReports, getAuditReport } from '../services/audit.service.js';
 
 const router = Router();
 
@@ -190,6 +191,27 @@ router.get('/todos/new', (req, res) => {
   }
 });
 
+router.get('/todos/done', async (req, res) => {
+  const projectDir = req.app.locals.projectDir;
+  const todos = await listDoneTodos(projectDir);
+
+  const templateData = {
+    title: 'Completed Todos',
+    activePage: 'todos',
+    currentPath: '/todos/done',
+    breadcrumbs: [{ label: 'Todos', url: '/todos' }, { label: 'Completed' }],
+    todos
+  };
+
+  res.setHeader('Vary', 'HX-Request');
+
+  if (req.get('HX-Request') === 'true') {
+    res.render('partials/todos-done-content', templateData);
+  } else {
+    res.render('todos-done', templateData);
+  }
+});
+
 router.get('/todos/:id', async (req, res) => {
   const { id } = req.params;
 
@@ -404,6 +426,42 @@ router.get('/notes', async (req, res) => {
   }
 });
 
+router.get('/notes/:slug', async (req, res) => {
+  const { slug } = req.params;
+
+  // Validate slug: lowercase alphanumeric and dashes only
+  if (!/^[a-z0-9-]+$/.test(slug)) {
+    const err = new Error('Invalid note slug format');
+    err.status = 404;
+    throw err;
+  }
+
+  const projectDir = req.app.locals.projectDir;
+  const note = await getNoteBySlug(projectDir, slug);
+
+  if (!note) {
+    const err = new Error(`Note "${slug}" not found`);
+    err.status = 404;
+    throw err;
+  }
+
+  const templateData = {
+    title: note.title,
+    activePage: 'notes',
+    currentPath: '/notes/' + slug,
+    breadcrumbs: [{ label: 'Notes', url: '/notes' }, { label: note.title }],
+    ...note
+  };
+
+  res.setHeader('Vary', 'HX-Request');
+
+  if (req.get('HX-Request') === 'true') {
+    res.render('partials/note-detail-content', templateData);
+  } else {
+    res.render('note-detail', templateData);
+  }
+});
+
 router.get('/roadmap', async (req, res) => {
   const projectDir = req.app.locals.projectDir;
   const [roadmapData, stateData] = await Promise.all([
@@ -486,4 +544,61 @@ router.get('/quick/:id', async (req, res) => {
   }
 });
 
+router.get('/audits', async (req, res) => {
+  const projectDir = req.app.locals.projectDir;
+  const reports = await listAuditReports(projectDir);
+
+  const templateData = {
+    title: 'Audit Reports',
+    activePage: 'audits',
+    currentPath: '/audits',
+    breadcrumbs: [{ label: 'Audit Reports' }],
+    reports
+  };
+
+  res.setHeader('Vary', 'HX-Request');
+
+  if (req.get('HX-Request') === 'true') {
+    res.render('partials/audits-content', templateData);
+  } else {
+    res.render('audits', templateData);
+  }
+});
+
+router.get('/audits/:filename', async (req, res) => {
+  const { filename } = req.params;
+
+  // Validate filename: safe characters only, must end in .md
+  if (!/^[\w.-]+\.md$/.test(filename)) {
+    const err = new Error('Invalid audit report filename');
+    err.status = 404;
+    throw err;
+  }
+
+  const projectDir = req.app.locals.projectDir;
+  const report = await getAuditReport(projectDir, filename);
+
+  if (!report) {
+    const err = new Error(`Audit report "${filename}" not found`);
+    err.status = 404;
+    throw err;
+  }
+
+  const templateData = {
+    title: report.title,
+    activePage: 'audits',
+    currentPath: '/audits/' + filename,
+    breadcrumbs: [{ label: 'Audit Reports', url: '/audits' }, { label: report.title }],
+    ...report
+  };
+
+  res.setHeader('Vary', 'HX-Request');
+
+  if (req.get('HX-Request') === 'true') {
+    res.render('partials/audit-detail-content', templateData);
+  } else {
+    res.render('audit-detail', templateData);
+  }
+});
+
 export default router;

package/dashboard/src/server.js

@@ -1,6 +1,8 @@
 import { createApp } from './app.js';
 import { createWatcher } from './services/watcher.service.js';
 import { broadcast } from './services/sse.service.js';
+import { cache as milestoneCache } from './services/milestone.service.js';
+import { cache as analyticsCache } from './services/analytics.service.js';
 
 export function startServer(config) {
   const app = createApp(config);
@@ -8,6 +10,8 @@ export function startServer(config) {
 
   // Start file watcher for live updates
   const watcher = createWatcher(projectDir, (event) => {
+    milestoneCache.invalidateAll();
+    analyticsCache.invalidateAll();
     broadcast('file-change', event);
   });
 

package/dashboard/src/services/audit.service.js

@@ -0,0 +1,42 @@
+import { readdir } from 'node:fs/promises';
+import { join } from 'node:path';
+import { readMarkdownFile } from '../repositories/planning.repository.js';
+
+export async function listAuditReports(projectDir) {
+  const auditsDir = join(projectDir, '.planning', 'audits');
+  let entries;
+  try {
+    entries = await readdir(auditsDir);
+  } catch (err) {
+    if (err.code === 'ENOENT') return [];
+    throw err;
+  }
+  const mdFiles = entries.filter(f => f.endsWith('.md')).sort().reverse();
+  const reports = [];
+  for (const filename of mdFiles) {
+    const dateMatch = filename.match(/^(\d{4}-\d{2}-\d{2})-(.+)\.md$/);
+    const date = dateMatch ? dateMatch[1] : null;
+    const slug = dateMatch ? dateMatch[2] : filename.replace(/\.md$/, '');
+    const title = slug.split('-').map(w => w.charAt(0).toUpperCase() + w.slice(1)).join(' ');
+    reports.push({ filename, date, slug, title });
+  }
+  return reports;
+}
+
+export async function getAuditReport(projectDir, filename) {
+  if (!/^[\w.-]+\.md$/.test(filename)) return null;
+  if (filename.includes('/') || filename.includes('\\') || filename.includes('..')) return null;
+
+  const auditsDir = join(projectDir, '.planning', 'audits');
+  try {
+    const { frontmatter, html } = await readMarkdownFile(join(auditsDir, filename));
+    const dateMatch = filename.match(/^(\d{4}-\d{2}-\d{2})-(.+)\.md$/);
+    const date = dateMatch ? dateMatch[1] : null;
+    const slug = dateMatch ? dateMatch[2] : filename.replace(/\.md$/, '');
+    const title = slug.split('-').map(w => w.charAt(0).toUpperCase() + w.slice(1)).join(' ');
+    return { filename, date, slug, title, frontmatter, html };
+  } catch (err) {
+    if (err.code === 'ENOENT') return null;
+    throw err;
+  }
+}

package/dashboard/src/services/dashboard.service.js

@@ -1,17 +1,6 @@
 import { readFile } from 'node:fs/promises';
 import { join } from 'node:path';
-
-/**
- * Strip UTF-8 BOM from file content.
- * Duplicated from planning.repository.js intentionally --
- * this service reads raw text, not via the repository layer.
- *
- * @param {string} content - Raw file content
- * @returns {string} Content without BOM
- */
-function stripBOM(content) {
-  return content.replace(/^\uFEFF/, '');
-}
+import { stripBOM } from '../utils/strip-bom.js';
 
 /**
  * Parse STATE.md to extract project status information.

package/dashboard/src/services/roadmap.service.js

@@ -1,17 +1,7 @@
 import { readFile, readdir } from 'node:fs/promises';
 import { join } from 'node:path';
 import { parseRoadmapFile } from './dashboard.service.js';
-
-/**
- * Strip UTF-8 BOM from file content.
- * Duplicated intentionally -- this service reads raw text, not via the repository layer.
- *
- * @param {string} content - Raw file content
- * @returns {string} Content without BOM
- */
-function stripBOM(content) {
-  return content.replace(/^\uFEFF/, '');
-}
+import { stripBOM } from '../utils/strip-bom.js';
 
 /**
  * Count the number of PLAN.md files in a phase directory.

package/dashboard/src/utils/strip-bom.js

@@ -0,0 +1,8 @@
+/**
+ * Strip UTF-8 BOM (Byte Order Mark) if present.
+ * @param {string} content
+ * @returns {string}
+ */
+export function stripBOM(content) {
+  return content.replace(/^\uFEFF/, '');
+}

package/dashboard/src/views/audit-detail.ejs

@@ -0,0 +1,5 @@
+<%- include('partials/layout-top', { title: title, activePage: 'audits' }) %>
+
+<%- include('partials/audit-detail-content') %>
+
+<%- include('partials/layout-bottom') %>

package/dashboard/src/views/audits.ejs

@@ -0,0 +1,5 @@
+<%- include('partials/layout-top', { title: 'Audit Reports', activePage: 'audits' }) %>
+
+<%- include('partials/audits-content') %>
+
+<%- include('partials/layout-bottom') %>

package/dashboard/src/views/partials/audit-detail-content.ejs

@@ -0,0 +1,12 @@
+<%- include('breadcrumbs', { breadcrumbs: typeof breadcrumbs !== 'undefined' ? breadcrumbs : [] }) %>
+<h1><%= title %></h1>
+
+<p><a href="/audits">&larr; Back to Audit Reports</a></p>
+
+<% if (typeof date !== 'undefined' && date) { %>
+<p><small>Date: <%= date %></small></p>
+<% } %>
+
+<article class="markdown-body">
+  <%- html %>
+</article>

package/dashboard/src/views/partials/audits-content.ejs

@@ -0,0 +1,34 @@
+<%- include('breadcrumbs', { breadcrumbs: typeof breadcrumbs !== 'undefined' ? breadcrumbs : [] }) %>
+<h1>Audit Reports</h1>
+
+<% if (typeof reports !== 'undefined' && reports.length > 0) { %>
+<article>
+  <div class="table-wrap">
+  <table>
+    <thead>
+      <tr>
+        <th scope="col">Date</th>
+        <th scope="col">Report</th>
+      </tr>
+    </thead>
+    <tbody>
+      <% reports.forEach(function(report) { %>
+      <tr>
+        <td><%= report.date || '—' %></td>
+        <td>
+          <a href="/audits/<%= report.filename %>"
+             hx-get="/audits/<%= report.filename %>"
+             hx-target="#main-content"
+             hx-push-url="true">
+            <%= report.title %>
+          </a>
+        </td>
+      </tr>
+      <% }); %>
+    </tbody>
+  </table>
+  </div>
+</article>
+<% } else { %>
+<%- include('empty-state', { icon: '🔍', title: 'No audit reports found', action: 'Run /pbr:audit to generate a session audit report.' }) %>
+<% } %>

package/dashboard/src/views/partials/sidebar.ejs

@@ -87,6 +87,14 @@
             Quick Tasks
           </a>
         </li>
+        <li>
+          <a href="/audits"
+             hx-get="/audits"
+             hx-target="#main-content"
+             hx-push-url="true"<%= typeof activePage !== 'undefined' && activePage === 'audits' ? ' aria-current="page"' : '' %>>
+            Audit Reports
+          </a>
+        </li>
       </ul>
     </details>
 

package/dashboard/src/views/partials/todos-content.ejs

@@ -1,10 +1,17 @@
 <%- include('breadcrumbs', { breadcrumbs: typeof breadcrumbs !== 'undefined' ? breadcrumbs : [] }) %>
 <h1>Todos</h1>
 
-<p><a href="/todos/new" role="button"
+<p>
+  <a href="/todos/new" role="button"
       hx-get="/todos/new"
       hx-target="#main-content"
-      hx-push-url="true">Create Todo</a></p>
+      hx-push-url="true">Create Todo</a>
+  &nbsp;
+  <a href="/todos/done"
+      hx-get="/todos/done"
+      hx-target="#main-content"
+      hx-push-url="true">View Completed Todos</a>
+</p>
 
 <% const f = typeof filters !== 'undefined' ? filters : { priority: '', status: '', q: '' }; %>
 <article>
@@ -70,7 +77,10 @@
       <tr>
         <td><%= todo.id %></td>
         <td>
-          <a href="/todos/<%= todo.id %>">
+          <a href="/todos/<%= todo.id %>"
+             hx-get="/todos/<%= todo.id %>"
+             hx-target="#main-content"
+             hx-push-url="true">
             <%= todo.title %>
           </a>
         </td>

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sienklogic/plan-build-run",
-  "version": "2.23.0",
+  "version": "2.24.0",
   "description": "Plan it, Build it, Run it — structured development workflow for Claude Code",
   "keywords": [
     "claude-code",

package/plugins/copilot-pbr/agents/integration-checker.agent.md

@@ -35,6 +35,7 @@ You MUST perform all applicable categories (skip only if zero items exist for th
 3. **Auth Protection** — Every non-public route must have auth middleware. Frontend route guards must match backend protection.
 4. **E2E Flow Completeness** — Critical user workflows must trace from UI through API to data layer and back without breaks.
 5. **Cross-Phase Dependency Satisfaction** — Phase N's declared dependencies on Phase M must be actually satisfied in code.
+6. **Data-Flow Propagation** — Values originating at one boundary (hook stdin fields, API request params, env vars) must propagate correctly through the call chain to their destination (log entries, database records, API responses). A connected pipeline with missing data is a broken integration.
 
 > **First-phase edge case**: If no completed phases exist yet, focus on verifying the current phase's internal consistency — exports match imports within the phase, API contracts are self-consistent. Cross-phase checks are not applicable and should be skipped.
 
@@ -47,14 +48,19 @@ Read `references/agent-contracts.md` to validate agent-to-agent handoffs. Verify
 - **Write access for output artifact only** — you have Write access for your output artifact only. You CANNOT fix source code — you REPORT issues.
 - **Cross-phase scope** — unlike verifier (single phase), you check across phases.
 
-## 6-Step Verification Process
+## 7-Step Verification Process
 
 1. **Build Export/Import Map**: Read each completed phase's SUMMARY.md frontmatter (`requires`, `provides`, `affects`). Grep actual exports/imports in source. Cross-reference declared vs actual — flag mismatches.
 2. **Verify Export Usage**: For each `provides` item: locate actual export (missing = `MISSING_EXPORT` ERROR), find consumers (none = `ORPHANED` WARNING), verify usage not just import (`IMPORTED_UNUSED` WARNING), check signature compatibility (`MISMATCHED` ERROR). Status `CONSUMED` = OK.
 3. **Verify API Coverage**: Discover routes, find frontend callers, match by method+path+body/params. Produce coverage table. See `references/integration-patterns.md` for framework-specific patterns.
 4. **Verify Auth Protection**: Identify auth mechanism, list all routes, classify (public vs protected), check frontend guards. Flag UNPROTECTED routes.
 5. **Verify E2E Flows**: Trace critical workflows step-by-step — verify each step exists and connects to the next (import/call/redirect). Record evidence (file:line). Flow status: COMPLETE | BROKEN | PARTIAL | UNTRACEABLE. See `references/integration-patterns.md` for flow templates.
-6. **Compile Integration Report**: Produce final report with all findings by category.
+6. **Verify Data-Flow Propagation**: For each cross-boundary data field identified in plans or SUMMARY.md, trace the value from source through intermediate functions to destination. Verify the value is actually passed (not `undefined`/`null`/hardcoded) at each step.
+   - **Source examples**: hook stdin (`data.session_id`), API request params, environment variables, config fields
+   - **Destination examples**: log entries, database records, API responses, metric files
+   - **Method**: Grep each intermediate call site and inspect arguments. Flag `DATA_DROPPED` when a value available in scope is replaced by `undefined` or a placeholder.
+   - **Status**: `PROPAGATED` (value flows correctly) | `DATA_DROPPED` (value lost at some step) | `UNTRACEABLE` (cannot determine flow)
+7. **Compile Integration Report**: Produce final report with all findings by category.
 
 ## Output Format
 
@@ -119,3 +125,4 @@ See `references/integration-patterns.md` for grep/search patterns by framework.
 - "File exists" is not "component is integrated"
 - Auth middleware existing somewhere does not mean routes are protected
 - Always check error handling paths, not just happy paths
+- Structural connectivity is not data-flow correctness — a connected pipeline can still drop data at any step

package/plugins/copilot-pbr/agents/planner.agent.md

@@ -66,6 +66,23 @@ Each must-have maps to one or more tasks. Every task exists to make a must-have
 
 ---
 
+## Data Contracts for Cross-Boundary Parameters
+
+When a function signature includes parameters that flow across module boundaries — session IDs from hook stdin, config objects from disk, auth tokens from environment — the plan **MUST** specify the **source** for each argument, not just the type.
+
+For every cross-boundary call in a task's `<action>`, document:
+
+| Parameter | Source | Context | Fallback |
+|-----------|--------|---------|----------|
+| `sessionId` | `data.session_id` (hook stdin) | Hook scripts only | `undefined` (CLI context) |
+| `config` | `configLoad(planningDir)` | All callers | `resolveConfig(undefined)` |
+
+**When to apply:** Any function call where the caller and callee live in different modules AND at least one argument originates from an external boundary (stdin, env, disk, network). Internal helper calls within the same module do not need contracts.
+
+**Why this matters:** Without explicit source mapping, executors will use the type-correct but value-wrong default (e.g., `undefined` instead of `data.session_id`). The plan is the single source of truth for how data flows — if the plan says `undefined`, the executor will faithfully implement `undefined`.
+
+---
+
 ## Plan Structure
 
 Read `references/plan-format.md` for the complete plan file specification including:
@@ -165,6 +182,7 @@ When CONTEXT.md or RESEARCH-SUMMARY.md contains `[NEEDS DECISION]` flags from th
    - [ ] Dependencies are acyclic, no file conflicts within same wave
    - [ ] Locked decisions honored, no deferred ideas included
    - [ ] Verify commands are actually executable
+   - [ ] Cross-boundary parameters have documented sources (data contracts)
 
 ---
 
@@ -238,3 +256,4 @@ One-line task descriptions in `<name>`. File paths in `<files>`, not explanation
 9. DO NOT plan for features outside the current phase goal
 10. DO NOT assume research is done — check discovery level
 11. DO NOT leave done conditions vague — they must be observable
+12. DO NOT specify literal `undefined` for parameters that have a known source in the calling context — use data contracts to map sources

package/plugins/copilot-pbr/agents/verifier.agent.md

@@ -95,10 +95,29 @@ Verify the artifact is imported AND used by other parts of the system (functions
 | Yes | Yes | No | UNWIRED |
 | Yes | Yes | Yes | PASSED |
 
+> **Note:** WIRED status (Level 3) requires correct arguments, not just correct function names. A call that passes `undefined` for a parameter available in scope is `ARGS_WRONG`, not `WIRED`.
+
 ### Step 6: Verify Key Links (Always)
 
 For each key_link: identify source and target components, verify the import path resolves, verify the imported symbol is actually called/used, and verify call signatures match. Watch for: wrong import paths, imported-but-never-called symbols, defined-but-never-applied middleware, registered-but-never-triggered event handlers.
 
+### Step 6b: Argument-Level Spot Checks (Always)
+
+Beyond verifying that calls exist, spot-check that **arguments passed to cross-boundary calls carry the correct values**. A call with the right function but wrong arguments is effectively UNWIRED.
+
+**Focus on:** IDs (session, user, request), config objects, auth tokens, and context data that originate from external boundaries (stdin, env, disk).
+
+**Method:**
+1. For each key_link verified in Step 6, grep the call site and inspect the arguments
+2. Compare each argument against the data source available in the calling scope
+3. Flag any argument that passes `undefined`, `null`, or a hardcoded placeholder when the calling scope has the real value available (e.g., `data.session_id` is in scope but `undefined` is passed)
+
+**Classification:**
+- `WIRED` requires both correct function AND correct arguments
+- `ARGS_WRONG` = correct function called but one or more arguments are incorrect/missing — this is a key link gap
+
+**Example:** A hook script receives `data` from stdin containing `session_id`. If it calls `logMetric(planningDir, { session_id: undefined })` instead of `logMetric(planningDir, { session_id: data.session_id })`, that is an `ARGS_WRONG` gap even though the call itself exists.
+
 ### Step 7: Check Requirements Coverage (Always)
 
 Cross-reference all must-haves against verification results in a table:
@@ -107,8 +126,8 @@ Cross-reference all must-haves against verification results in a table:
 | # | Must-Have | Type | L1 (Exists) | L2 (Substantive) | L3 (Wired) | Status |
 |---|----------|------|-------------|-------------------|------------|--------|
 | 1 | {description} | truth | - | - | - | VERIFIED/FAILED |
-| 2 | {description} | artifact | YES/NO | YES/STUB/PARTIAL | WIRED/ORPHANED | PASS/FAIL |
-| 3 | {description} | key_link | - | - | YES/NO | PASS/FAIL |
+| 2 | {description} | artifact | YES/NO | YES/STUB/PARTIAL | WIRED/ORPHANED/ARGS_WRONG | PASS/FAIL |
+| 3 | {description} | key_link | - | - | YES/NO/ARGS_WRONG | PASS/FAIL |
 ```
 
 ### Step 8: Scan for Anti-Patterns (Full Verification Only)
@@ -226,3 +245,4 @@ Read `references/stub-patterns.md` for stub detection patterns by technology. Re
 9. DO NOT give PASSED status if ANY must-have fails at ANY level
 10. DO NOT count deferred items as gaps — they are intentionally not implemented
 11. DO NOT be lenient — your job is to find problems, not to be encouraging
+12. DO NOT mark a call as WIRED if it passes hardcoded `undefined`/`null` for parameters that have a known source in scope — check arguments, not just function names

package/plugins/copilot-pbr/plugin.json

@@ -1,7 +1,7 @@
 {
   "name": "pbr",
   "displayName": "Plan-Build-Run",
-  "version": "2.23.0",
+  "version": "2.24.0",
   "description": "Plan-Build-Run — Structured development workflow for GitHub Copilot CLI. Solves context rot through disciplined agent delegation, structured planning, atomic execution, and goal-backward verification.",
   "author": {
     "name": "SienkLogic",

package/plugins/copilot-pbr/references/plan-format.md

@@ -71,6 +71,28 @@ requirement_ids:
 | `consumes` | NO | array | What this plan needs from prior plans. Format: `"Thing (from plan XX-YY)"` |
 | `requirement_ids` | NO | array | Requirement IDs from REQUIREMENTS.md or ROADMAP.md goal IDs that this plan addresses. Enables bidirectional traceability between plans and requirements/goals. |
 | `dependency_fingerprints` | NO | object | Hashes of dependency phase SUMMARY.md files at plan-creation time. Used to detect stale plans. |
+| `data_contracts` | NO | array | Cross-boundary parameter mappings for calls where arguments originate from external boundaries. Format: `"param: source (context) [fallback]"` |
+
+### Data Contracts
+
+When a task's `<action>` includes calls across module boundaries where arguments come from external sources (hook stdin, env vars, API params, config files), document the parameter-to-source mapping in `data_contracts` frontmatter and in the `<action>` step itself.
+
+Example frontmatter:
+
+```yaml
+data_contracts:
+  - "sessionId: data.session_id (hook stdin) [undefined in CLI context]"
+  - "config: configLoad(planningDir) (disk) [resolveConfig(undefined)]"
+```
+
+Example in `<action>`:
+
+```
+3. Call classifyArtifact(llmConfig, planningDir, content, fileType, data.session_id)
+   Data contract: sessionId ← data.session_id from hook stdin (undefined in CLI context)
+```
+
+**When to apply:** Any call where caller and callee are in different modules AND at least one argument originates from an external boundary. Internal helper calls within the same module do not need contracts.
 
 ---
 

package/plugins/copilot-pbr/templates/INTEGRATION-REPORT.md.tmpl

@@ -112,7 +112,22 @@ Phase 03 (Core)  ──provides──→ Phase 04 (Frontend)
 ### Flow 2: {Flow Name} - {STATUS}
 ...
 
-## 5. Integration Issues Summary
+## 5. Data-Flow Propagation
+
+### Cross-Boundary Data Flows
+
+| Data Field | Source | Intermediate Steps | Destination | Status |
+|------------|--------|-------------------|-------------|--------|
+| {field name} | {origin, e.g., hook stdin `data.session_id`} | {module1:L12 → module2:L45} | {dest, e.g., metrics.jsonl `session_id`} | PROPAGATED |
+| {field name} | {origin} | {module1:L12 → module2:L45} | {dest} | DATA_DROPPED |
+
+### Data-Flow Issues
+
+| Field | Dropped At | Available In Scope | Passed Instead | Fix |
+|-------|-----------|-------------------|----------------|-----|
+| {field} | {file:line} | `data.session_id` | `undefined` | Pass `data.session_id` |
+
+## 6. Integration Issues Summary
 
 ### Critical Issues (system cannot function)
 
@@ -131,7 +146,7 @@ Phase 03 (Core)  ──provides──→ Phase 04 (Frontend)
 1. **{Issue}**: {description}
    - Fix: {recommended action}
 
-## 6. Integration Score
+## 7. Integration Score
 
 | Category | Items Checked | Passed | Failed | Score |
 |----------|--------------|--------|--------|-------|
@@ -139,6 +154,7 @@ Phase 03 (Core)  ──provides──→ Phase 04 (Frontend)
 | API coverage | {n} | {n} | {n} | {%} |
 | Auth protection | {n} | {n} | {n} | {%} |
 | E2E flows | {n} | {n} | {n} | {%} |
+| Data-flow propagation | {n} | {n} | {n} | {%} |
 | **Overall** | {n} | {n} | {n} | **{%}** |
 
 ## Recommendations

package/plugins/copilot-pbr/templates/VERIFICATION-DETAIL.md.tmpl

@@ -54,8 +54,9 @@ anti_patterns:
 
 | # | Link Description | Source | Target | Status | Evidence |
 |---|-----------------|--------|--------|--------|----------|
-| 1 | {what connects to what} | `{source_file}` | `{target_file}` | WIRED | Import at L12, called at L45 |
+| 1 | {what connects to what} | `{source_file}` | `{target_file}` | WIRED | Import at L12, called at L45, args correct |
 | 2 | {what connects to what} | `{source_file}` | `{target_file}` | BROKEN | Imported but never called |
+| 3 | {what connects to what} | `{source_file}` | `{target_file}` | ARGS_WRONG | Called at L45 but passes undefined for sessionId (data.session_id in scope) |
 
 ## Gaps Found
 

package/plugins/cursor-pbr/.cursor-plugin/plugin.json

@@ -1,7 +1,7 @@
 {
   "name": "pbr",
   "displayName": "Plan-Build-Run",
-  "version": "2.23.0",
+  "version": "2.24.0",
   "description": "Plan-Build-Run — Structured development workflow for Cursor. Solves context rot through disciplined subagent delegation, structured planning, atomic execution, and goal-backward verification.",
   "author": {
     "name": "SienkLogic",

package/plugins/cursor-pbr/agents/integration-checker.md

@@ -34,6 +34,7 @@ You MUST perform all applicable categories (skip only if zero items exist for th
 3. **Auth Protection** — Every non-public route must have auth middleware. Frontend route guards must match backend protection.
 4. **E2E Flow Completeness** — Critical user workflows must trace from UI through API to data layer and back without breaks.
 5. **Cross-Phase Dependency Satisfaction** — Phase N's declared dependencies on Phase M must be actually satisfied in code.
+6. **Data-Flow Propagation** — Values originating at one boundary (hook stdin fields, API request params, env vars) must propagate correctly through the call chain to their destination (log entries, database records, API responses). A connected pipeline with missing data is a broken integration.
 
 > **First-phase edge case**: If no completed phases exist yet, focus on verifying the current phase's internal consistency — exports match imports within the phase, API contracts are self-consistent. Cross-phase checks are not applicable and should be skipped.
 
@@ -46,14 +47,19 @@ Read `references/agent-contracts.md` to validate agent-to-agent handoffs. Verify
 - **Write access for output artifact only** — you have Write access for your output artifact only. You CANNOT fix source code — you REPORT issues.
 - **Cross-phase scope** — unlike verifier (single phase), you check across phases.
 
-## 6-Step Verification Process
+## 7-Step Verification Process
 
 1. **Build Export/Import Map**: Read each completed phase's SUMMARY.md frontmatter (`requires`, `provides`, `affects`). Grep actual exports/imports in source. Cross-reference declared vs actual — flag mismatches.
 2. **Verify Export Usage**: For each `provides` item: locate actual export (missing = `MISSING_EXPORT` ERROR), find consumers (none = `ORPHANED` WARNING), verify usage not just import (`IMPORTED_UNUSED` WARNING), check signature compatibility (`MISMATCHED` ERROR). Status `CONSUMED` = OK.
 3. **Verify API Coverage**: Discover routes, find frontend callers, match by method+path+body/params. Produce coverage table. See `references/integration-patterns.md` for framework-specific patterns.
 4. **Verify Auth Protection**: Identify auth mechanism, list all routes, classify (public vs protected), check frontend guards. Flag UNPROTECTED routes.
 5. **Verify E2E Flows**: Trace critical workflows step-by-step — verify each step exists and connects to the next (import/call/redirect). Record evidence (file:line). Flow status: COMPLETE | BROKEN | PARTIAL | UNTRACEABLE. See `references/integration-patterns.md` for flow templates.
-6. **Compile Integration Report**: Produce final report with all findings by category.
+6. **Verify Data-Flow Propagation**: For each cross-boundary data field identified in plans or SUMMARY.md, trace the value from source through intermediate functions to destination. Verify the value is actually passed (not `undefined`/`null`/hardcoded) at each step.
+   - **Source examples**: hook stdin (`data.session_id`), API request params, environment variables, config fields
+   - **Destination examples**: log entries, database records, API responses, metric files
+   - **Method**: Grep each intermediate call site and inspect arguments. Flag `DATA_DROPPED` when a value available in scope is replaced by `undefined` or a placeholder.
+   - **Status**: `PROPAGATED` (value flows correctly) | `DATA_DROPPED` (value lost at some step) | `UNTRACEABLE` (cannot determine flow)
+7. **Compile Integration Report**: Produce final report with all findings by category.
 
 ## Output Format
 
@@ -118,3 +124,4 @@ See `references/integration-patterns.md` for grep/search patterns by framework.
 - "File exists" is not "component is integrated"
 - Auth middleware existing somewhere does not mean routes are protected
 - Always check error handling paths, not just happy paths
+- Structural connectivity is not data-flow correctness — a connected pipeline can still drop data at any step

package/plugins/cursor-pbr/agents/planner.md

@@ -65,6 +65,23 @@ Each must-have maps to one or more tasks. Every task exists to make a must-have
 
 ---
 
+## Data Contracts for Cross-Boundary Parameters
+
+When a function signature includes parameters that flow across module boundaries — session IDs from hook stdin, config objects from disk, auth tokens from environment — the plan **MUST** specify the **source** for each argument, not just the type.
+
+For every cross-boundary call in a task's `<action>`, document:
+
+| Parameter | Source | Context | Fallback |
+|-----------|--------|---------|----------|
+| `sessionId` | `data.session_id` (hook stdin) | Hook scripts only | `undefined` (CLI context) |
+| `config` | `configLoad(planningDir)` | All callers | `resolveConfig(undefined)` |
+
+**When to apply:** Any function call where the caller and callee live in different modules AND at least one argument originates from an external boundary (stdin, env, disk, network). Internal helper calls within the same module do not need contracts.
+
+**Why this matters:** Without explicit source mapping, executors will use the type-correct but value-wrong default (e.g., `undefined` instead of `data.session_id`). The plan is the single source of truth for how data flows — if the plan says `undefined`, the executor will faithfully implement `undefined`.
+
+---
+
 ## Plan Structure
 
 Read `references/plan-format.md` for the complete plan file specification including:
@@ -164,6 +181,7 @@ When CONTEXT.md or RESEARCH-SUMMARY.md contains `[NEEDS DECISION]` flags from th
    - [ ] Dependencies are acyclic, no file conflicts within same wave
    - [ ] Locked decisions honored, no deferred ideas included
    - [ ] Verify commands are actually executable
+   - [ ] Cross-boundary parameters have documented sources (data contracts)
 
 ---
 
@@ -237,3 +255,4 @@ One-line task descriptions in `<name>`. File paths in `<files>`, not explanation
 9. DO NOT plan for features outside the current phase goal
 10. DO NOT assume research is done — check discovery level
 11. DO NOT leave done conditions vague — they must be observable
+12. DO NOT specify literal `undefined` for parameters that have a known source in the calling context — use data contracts to map sources

package/plugins/cursor-pbr/agents/verifier.md

@@ -94,10 +94,29 @@ Verify the artifact is imported AND used by other parts of the system (functions
 | Yes | Yes | No | UNWIRED |
 | Yes | Yes | Yes | PASSED |
 
+> **Note:** WIRED status (Level 3) requires correct arguments, not just correct function names. A call that passes `undefined` for a parameter available in scope is `ARGS_WRONG`, not `WIRED`.
+
 ### Step 6: Verify Key Links (Always)
 
 For each key_link: identify source and target components, verify the import path resolves, verify the imported symbol is actually called/used, and verify call signatures match. Watch for: wrong import paths, imported-but-never-called symbols, defined-but-never-applied middleware, registered-but-never-triggered event handlers.
 
+### Step 6b: Argument-Level Spot Checks (Always)
+
+Beyond verifying that calls exist, spot-check that **arguments passed to cross-boundary calls carry the correct values**. A call with the right function but wrong arguments is effectively UNWIRED.
+
+**Focus on:** IDs (session, user, request), config objects, auth tokens, and context data that originate from external boundaries (stdin, env, disk).
+
+**Method:**
+1. For each key_link verified in Step 6, grep the call site and inspect the arguments
+2. Compare each argument against the data source available in the calling scope
+3. Flag any argument that passes `undefined`, `null`, or a hardcoded placeholder when the calling scope has the real value available (e.g., `data.session_id` is in scope but `undefined` is passed)
+
+**Classification:**
+- `WIRED` requires both correct function AND correct arguments
+- `ARGS_WRONG` = correct function called but one or more arguments are incorrect/missing — this is a key link gap
+
+**Example:** A hook script receives `data` from stdin containing `session_id`. If it calls `logMetric(planningDir, { session_id: undefined })` instead of `logMetric(planningDir, { session_id: data.session_id })`, that is an `ARGS_WRONG` gap even though the call itself exists.
+
 ### Step 7: Check Requirements Coverage (Always)
 
 Cross-reference all must-haves against verification results in a table:
@@ -106,8 +125,8 @@ Cross-reference all must-haves against verification results in a table:
 | # | Must-Have | Type | L1 (Exists) | L2 (Substantive) | L3 (Wired) | Status |
 |---|----------|------|-------------|-------------------|------------|--------|
 | 1 | {description} | truth | - | - | - | VERIFIED/FAILED |
-| 2 | {description} | artifact | YES/NO | YES/STUB/PARTIAL | WIRED/ORPHANED | PASS/FAIL |
-| 3 | {description} | key_link | - | - | YES/NO | PASS/FAIL |
+| 2 | {description} | artifact | YES/NO | YES/STUB/PARTIAL | WIRED/ORPHANED/ARGS_WRONG | PASS/FAIL |
+| 3 | {description} | key_link | - | - | YES/NO/ARGS_WRONG | PASS/FAIL |
 ```
 
 ### Step 8: Scan for Anti-Patterns (Full Verification Only)
@@ -225,3 +244,4 @@ Read `references/stub-patterns.md` for stub detection patterns by technology. Re
 9. DO NOT give PASSED status if ANY must-have fails at ANY level
 10. DO NOT count deferred items as gaps — they are intentionally not implemented
 11. DO NOT be lenient — your job is to find problems, not to be encouraging
+12. DO NOT mark a call as WIRED if it passes hardcoded `undefined`/`null` for parameters that have a known source in scope — check arguments, not just function names

package/plugins/cursor-pbr/references/plan-format.md

@@ -71,6 +71,28 @@ requirement_ids:
 | `consumes` | NO | array | What this plan needs from prior plans. Format: `"Thing (from plan XX-YY)"` |
 | `requirement_ids` | NO | array | Requirement IDs from REQUIREMENTS.md or ROADMAP.md goal IDs that this plan addresses. Enables bidirectional traceability between plans and requirements/goals. |
 | `dependency_fingerprints` | NO | object | Hashes of dependency phase SUMMARY.md files at plan-creation time. Used to detect stale plans. |
+| `data_contracts` | NO | array | Cross-boundary parameter mappings for calls where arguments originate from external boundaries. Format: `"param: source (context) [fallback]"` |
+
+### Data Contracts
+
+When a task's `<action>` includes calls across module boundaries where arguments come from external sources (hook stdin, env vars, API params, config files), document the parameter-to-source mapping in `data_contracts` frontmatter and in the `<action>` step itself.
+
+Example frontmatter:
+
+```yaml
+data_contracts:
+  - "sessionId: data.session_id (hook stdin) [undefined in CLI context]"
+  - "config: configLoad(planningDir) (disk) [resolveConfig(undefined)]"
+```
+
+Example in `<action>`:
+
+```
+3. Call classifyArtifact(llmConfig, planningDir, content, fileType, data.session_id)
+   Data contract: sessionId ← data.session_id from hook stdin (undefined in CLI context)
+```
+
+**When to apply:** Any call where caller and callee are in different modules AND at least one argument originates from an external boundary. Internal helper calls within the same module do not need contracts.
 
 ---
 

package/plugins/cursor-pbr/templates/INTEGRATION-REPORT.md.tmpl

@@ -112,7 +112,22 @@ Phase 03 (Core)  ──provides──→ Phase 04 (Frontend)
 ### Flow 2: {Flow Name} - {STATUS}
 ...
 
-## 5. Integration Issues Summary
+## 5. Data-Flow Propagation
+
+### Cross-Boundary Data Flows
+
+| Data Field | Source | Intermediate Steps | Destination | Status |
+|------------|--------|-------------------|-------------|--------|
+| {field name} | {origin, e.g., hook stdin `data.session_id`} | {module1:L12 → module2:L45} | {dest, e.g., metrics.jsonl `session_id`} | PROPAGATED |
+| {field name} | {origin} | {module1:L12 → module2:L45} | {dest} | DATA_DROPPED |
+
+### Data-Flow Issues
+
+| Field | Dropped At | Available In Scope | Passed Instead | Fix |
+|-------|-----------|-------------------|----------------|-----|
+| {field} | {file:line} | `data.session_id` | `undefined` | Pass `data.session_id` |
+
+## 6. Integration Issues Summary
 
 ### Critical Issues (system cannot function)
 
@@ -131,7 +146,7 @@ Phase 03 (Core)  ──provides──→ Phase 04 (Frontend)
 1. **{Issue}**: {description}
    - Fix: {recommended action}
 
-## 6. Integration Score
+## 7. Integration Score
 
 | Category | Items Checked | Passed | Failed | Score |
 |----------|--------------|--------|--------|-------|
@@ -139,6 +154,7 @@ Phase 03 (Core)  ──provides──→ Phase 04 (Frontend)
 | API coverage | {n} | {n} | {n} | {%} |
 | Auth protection | {n} | {n} | {n} | {%} |
 | E2E flows | {n} | {n} | {n} | {%} |
+| Data-flow propagation | {n} | {n} | {n} | {%} |
 | **Overall** | {n} | {n} | {n} | **{%}** |
 
 ## Recommendations

package/plugins/cursor-pbr/templates/VERIFICATION-DETAIL.md.tmpl

@@ -54,8 +54,9 @@ anti_patterns:
 
 | # | Link Description | Source | Target | Status | Evidence |
 |---|-----------------|--------|--------|--------|----------|
-| 1 | {what connects to what} | `{source_file}` | `{target_file}` | WIRED | Import at L12, called at L45 |
+| 1 | {what connects to what} | `{source_file}` | `{target_file}` | WIRED | Import at L12, called at L45, args correct |
 | 2 | {what connects to what} | `{source_file}` | `{target_file}` | BROKEN | Imported but never called |
+| 3 | {what connects to what} | `{source_file}` | `{target_file}` | ARGS_WRONG | Called at L45 but passes undefined for sessionId (data.session_id in scope) |
 
 ## Gaps Found
 

package/plugins/pbr/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "pbr",
-  "version": "2.23.0",
+  "version": "2.24.0",
   "description": "Plan-Build-Run — Structured development workflow for Claude Code. Solves context rot through disciplined subagent delegation, structured planning, atomic execution, and goal-backward verification.",
   "author": {
     "name": "SienkLogic",

package/plugins/pbr/agents/integration-checker.md

@@ -40,6 +40,7 @@ You MUST perform all applicable categories (skip only if zero items exist for th
 3. **Auth Protection** — Every non-public route must have auth middleware. Frontend route guards must match backend protection.
 4. **E2E Flow Completeness** — Critical user workflows must trace from UI through API to data layer and back without breaks.
 5. **Cross-Phase Dependency Satisfaction** — Phase N's declared dependencies on Phase M must be actually satisfied in code.
+6. **Data-Flow Propagation** — Values originating at one boundary (hook stdin fields, API request params, env vars) must propagate correctly through the call chain to their destination (log entries, database records, API responses). A connected pipeline with missing data is a broken integration.
 
 > **First-phase edge case**: If no completed phases exist yet, focus on verifying the current phase's internal consistency — exports match imports within the phase, API contracts are self-consistent. Cross-phase checks are not applicable and should be skipped.
 
@@ -52,14 +53,19 @@ Read `references/agent-contracts.md` to validate agent-to-agent handoffs. Verify
 - **Write access for output artifact only** — you have Write access for your output artifact only. You CANNOT fix source code — you REPORT issues.
 - **Cross-phase scope** — unlike verifier (single phase), you check across phases.
 
-## 6-Step Verification Process
+## 7-Step Verification Process
 
 1. **Build Export/Import Map**: Read each completed phase's SUMMARY.md frontmatter (`requires`, `provides`, `affects`). Grep actual exports/imports in source. Cross-reference declared vs actual — flag mismatches.
 2. **Verify Export Usage**: For each `provides` item: locate actual export (missing = `MISSING_EXPORT` ERROR), find consumers (none = `ORPHANED` WARNING), verify usage not just import (`IMPORTED_UNUSED` WARNING), check signature compatibility (`MISMATCHED` ERROR). Status `CONSUMED` = OK.
 3. **Verify API Coverage**: Discover routes, find frontend callers, match by method+path+body/params. Produce coverage table. See `references/integration-patterns.md` for framework-specific patterns.
 4. **Verify Auth Protection**: Identify auth mechanism, list all routes, classify (public vs protected), check frontend guards. Flag UNPROTECTED routes.
 5. **Verify E2E Flows**: Trace critical workflows step-by-step — verify each step exists and connects to the next (import/call/redirect). Record evidence (file:line). Flow status: COMPLETE | BROKEN | PARTIAL | UNTRACEABLE. See `references/integration-patterns.md` for flow templates.
-6. **Compile Integration Report**: Produce final report with all findings by category.
+6. **Verify Data-Flow Propagation**: For each cross-boundary data field identified in plans or SUMMARY.md, trace the value from source through intermediate functions to destination. Verify the value is actually passed (not `undefined`/`null`/hardcoded) at each step.
+   - **Source examples**: hook stdin (`data.session_id`), API request params, environment variables, config fields
+   - **Destination examples**: log entries, database records, API responses, metric files
+   - **Method**: Grep each intermediate call site and inspect arguments. Flag `DATA_DROPPED` when a value available in scope is replaced by `undefined` or a placeholder.
+   - **Status**: `PROPAGATED` (value flows correctly) | `DATA_DROPPED` (value lost at some step) | `UNTRACEABLE` (cannot determine flow)
+7. **Compile Integration Report**: Produce final report with all findings by category.
 
 ## Output Format
 
@@ -124,3 +130,4 @@ See `references/integration-patterns.md` for grep/search patterns by framework.
 - "File exists" is not "component is integrated"
 - Auth middleware existing somewhere does not mean routes are protected
 - Always check error handling paths, not just happy paths
+- Structural connectivity is not data-flow correctness — a connected pipeline can still drop data at any step

package/plugins/pbr/agents/planner.md

@@ -73,6 +73,23 @@ Each must-have maps to one or more tasks. Every task exists to make a must-have
 
 ---
 
+## Data Contracts for Cross-Boundary Parameters
+
+When a function signature includes parameters that flow across module boundaries — session IDs from hook stdin, config objects from disk, auth tokens from environment — the plan **MUST** specify the **source** for each argument, not just the type.
+
+For every cross-boundary call in a task's `<action>`, document:
+
+| Parameter | Source | Context | Fallback |
+|-----------|--------|---------|----------|
+| `sessionId` | `data.session_id` (hook stdin) | Hook scripts only | `undefined` (CLI context) |
+| `config` | `configLoad(planningDir)` | All callers | `resolveConfig(undefined)` |
+
+**When to apply:** Any function call where the caller and callee live in different modules AND at least one argument originates from an external boundary (stdin, env, disk, network). Internal helper calls within the same module do not need contracts.
+
+**Why this matters:** Without explicit source mapping, executors will use the type-correct but value-wrong default (e.g., `undefined` instead of `data.session_id`). The plan is the single source of truth for how data flows — if the plan says `undefined`, the executor will faithfully implement `undefined`.
+
+---
+
 ## Plan Structure
 
 Read `references/plan-format.md` for the complete plan file specification including:
@@ -172,6 +189,7 @@ When CONTEXT.md or RESEARCH-SUMMARY.md contains `[NEEDS DECISION]` flags from th
    - [ ] Dependencies are acyclic, no file conflicts within same wave
    - [ ] Locked decisions honored, no deferred ideas included
    - [ ] Verify commands are actually executable
+   - [ ] Cross-boundary parameters have documented sources (data contracts)
 
 ---
 
@@ -245,3 +263,4 @@ One-line task descriptions in `<name>`. File paths in `<files>`, not explanation
 9. DO NOT plan for features outside the current phase goal
 10. DO NOT assume research is done — check discovery level
 11. DO NOT leave done conditions vague — they must be observable
+12. DO NOT specify literal `undefined` for parameters that have a known source in the calling context — use data contracts to map sources

package/plugins/pbr/agents/verifier.md

@@ -101,10 +101,29 @@ Verify the artifact is imported AND used by other parts of the system (functions
 | Yes | Yes | No | UNWIRED |
 | Yes | Yes | Yes | PASSED |
 
+> **Note:** WIRED status (Level 3) requires correct arguments, not just correct function names. A call that passes `undefined` for a parameter available in scope is `ARGS_WRONG`, not `WIRED`.
+
 ### Step 6: Verify Key Links (Always)
 
 For each key_link: identify source and target components, verify the import path resolves, verify the imported symbol is actually called/used, and verify call signatures match. Watch for: wrong import paths, imported-but-never-called symbols, defined-but-never-applied middleware, registered-but-never-triggered event handlers.
 
+### Step 6b: Argument-Level Spot Checks (Always)
+
+Beyond verifying that calls exist, spot-check that **arguments passed to cross-boundary calls carry the correct values**. A call with the right function but wrong arguments is effectively UNWIRED.
+
+**Focus on:** IDs (session, user, request), config objects, auth tokens, and context data that originate from external boundaries (stdin, env, disk).
+
+**Method:**
+1. For each key_link verified in Step 6, grep the call site and inspect the arguments
+2. Compare each argument against the data source available in the calling scope
+3. Flag any argument that passes `undefined`, `null`, or a hardcoded placeholder when the calling scope has the real value available (e.g., `data.session_id` is in scope but `undefined` is passed)
+
+**Classification:**
+- `WIRED` requires both correct function AND correct arguments
+- `ARGS_WRONG` = correct function called but one or more arguments are incorrect/missing — this is a key link gap
+
+**Example:** A hook script receives `data` from stdin containing `session_id`. If it calls `logMetric(planningDir, { session_id: undefined })` instead of `logMetric(planningDir, { session_id: data.session_id })`, that is an `ARGS_WRONG` gap even though the call itself exists.
+
 ### Step 7: Check Requirements Coverage (Always)
 
 Cross-reference all must-haves against verification results in a table:
@@ -113,8 +132,8 @@ Cross-reference all must-haves against verification results in a table:
 | # | Must-Have | Type | L1 (Exists) | L2 (Substantive) | L3 (Wired) | Status |
 |---|----------|------|-------------|-------------------|------------|--------|
 | 1 | {description} | truth | - | - | - | VERIFIED/FAILED |
-| 2 | {description} | artifact | YES/NO | YES/STUB/PARTIAL | WIRED/ORPHANED | PASS/FAIL |
-| 3 | {description} | key_link | - | - | YES/NO | PASS/FAIL |
+| 2 | {description} | artifact | YES/NO | YES/STUB/PARTIAL | WIRED/ORPHANED/ARGS_WRONG | PASS/FAIL |
+| 3 | {description} | key_link | - | - | YES/NO/ARGS_WRONG | PASS/FAIL |
 ```
 
 ### Step 8: Scan for Anti-Patterns (Full Verification Only)
@@ -232,3 +251,4 @@ Read `references/stub-patterns.md` for stub detection patterns by technology. Re
 9. DO NOT give PASSED status if ANY must-have fails at ANY level
 10. DO NOT count deferred items as gaps — they are intentionally not implemented
 11. DO NOT be lenient — your job is to find problems, not to be encouraging
+12. DO NOT mark a call as WIRED if it passes hardcoded `undefined`/`null` for parameters that have a known source in scope — check arguments, not just function names

package/plugins/pbr/references/plan-format.md

@@ -70,6 +70,28 @@ requirement_ids:
 | `consumes` | NO | array | What this plan needs from prior plans. Format: `"Thing (from plan XX-YY)"` |
 | `requirement_ids` | NO | array | Requirement IDs from REQUIREMENTS.md or ROADMAP.md goal IDs that this plan addresses. Enables bidirectional traceability between plans and requirements/goals. |
 | `dependency_fingerprints` | NO | object | Hashes of dependency phase SUMMARY.md files at plan-creation time. Used to detect stale plans. |
+| `data_contracts` | NO | array | Cross-boundary parameter mappings for calls where arguments originate from external boundaries. Format: `"param: source (context) [fallback]"` |
+
+### Data Contracts
+
+When a task's `<action>` includes calls across module boundaries where arguments come from external sources (hook stdin, env vars, API params, config files), document the parameter-to-source mapping in `data_contracts` frontmatter and in the `<action>` step itself.
+
+Example frontmatter:
+
+```yaml
+data_contracts:
+  - "sessionId: data.session_id (hook stdin) [undefined in CLI context]"
+  - "config: configLoad(planningDir) (disk) [resolveConfig(undefined)]"
+```
+
+Example in `<action>`:
+
+```
+3. Call classifyArtifact(llmConfig, planningDir, content, fileType, data.session_id)
+   Data contract: sessionId ← data.session_id from hook stdin (undefined in CLI context)
+```
+
+**When to apply:** Any call where caller and callee are in different modules AND at least one argument originates from an external boundary. Internal helper calls within the same module do not need contracts.
 
 ---
 

package/plugins/pbr/scripts/check-plan-format.js

@@ -84,7 +84,7 @@ async function main() {
           const llmConfig = loadLocalLlmConfig();
           const planningDir = path.join(process.cwd(), '.planning');
           const fileType = isPlan ? 'PLAN' : 'SUMMARY';
-          const llmResult = await classifyArtifact(llmConfig, planningDir, content, fileType, undefined);
+          const llmResult = await classifyArtifact(llmConfig, planningDir, content, fileType, data.session_id);
           if (llmResult && llmResult.classification) {
             const llmNote = `Local LLM: ${fileType} classified as "${llmResult.classification}" (confidence: ${(llmResult.confidence * 100).toFixed(0)}%)${llmResult.reason ? ' — ' + llmResult.reason : ''}`;
             result.warnings.push(llmNote);
@@ -287,7 +287,7 @@ async function checkPlanWrite(data) {
       const llmConfig = loadLocalLlmConfig();
       const planningDir = path.join(process.cwd(), '.planning');
       const fileType = isPlan ? 'PLAN' : 'SUMMARY';
-      const llmResult = await classifyArtifact(llmConfig, planningDir, content, fileType, undefined);
+      const llmResult = await classifyArtifact(llmConfig, planningDir, content, fileType, data.session_id);
       if (llmResult && llmResult.classification) {
         const llmNote = `Local LLM: ${fileType} classified as "${llmResult.classification}" (confidence: ${(llmResult.confidence * 100).toFixed(0)}%)${llmResult.reason ? ' — ' + llmResult.reason : ''}`;
         result.warnings.push(llmNote);

package/plugins/pbr/scripts/check-subagent-output.js

@@ -444,7 +444,7 @@ async function main() {
       const llmConfig = loadLocalLlmConfig(cwd);
       const errorText = (data.tool_output || '').substring(0, 500);
       if (errorText) {
-        const llmResult = await classifyError(llmConfig, planningDir, errorText, agentType, undefined);
+        const llmResult = await classifyError(llmConfig, planningDir, errorText, agentType, data.session_id);
         if (llmResult && llmResult.category) {
           llmCategoryNote = `\nLLM error category: ${llmResult.category} (confidence: ${(llmResult.confidence * 100).toFixed(0)}%)`;
         }
@@ -467,7 +467,7 @@ async function main() {
       const llmConfig = loadLocalLlmConfig(cwd);
       const errorText = (data.tool_output || '').substring(0, 500);
       if (errorText) {
-        const llmResult = await classifyError(llmConfig, planningDir, errorText, agentType, undefined);
+        const llmResult = await classifyError(llmConfig, planningDir, errorText, agentType, data.session_id);
         if (llmResult && llmResult.category) {
           llmCategoryNote = `\nLLM error category: ${llmResult.category} (confidence: ${(llmResult.confidence * 100).toFixed(0)}%)`;
         }

package/plugins/pbr/scripts/validate-task.js

@@ -805,7 +805,7 @@ function main() {
       try {
         const llmConfig = loadLocalLlmConfig(process.cwd());
         const planningDir = path.join(process.cwd(), '.planning');
-        const llmResult = await llmValidateTask(llmConfig, planningDir, data.tool_input || {}, undefined);
+        const llmResult = await llmValidateTask(llmConfig, planningDir, data.tool_input || {}, data.session_id);
         if (llmResult && !llmResult.coherent) {
           warnings.push('LLM task coherence advisory: ' + (llmResult.issue || 'Task description may not match intended operation.') + ' (confidence: ' + (llmResult.confidence * 100).toFixed(0) + '%)');
         }

package/plugins/pbr/templates/INTEGRATION-REPORT.md.tmpl

@@ -111,7 +111,22 @@ Phase 03 (Core)  ──provides──→ Phase 04 (Frontend)
 ### Flow 2: {Flow Name} - {STATUS}
 ...
 
-## 5. Integration Issues Summary
+## 5. Data-Flow Propagation
+
+### Cross-Boundary Data Flows
+
+| Data Field | Source | Intermediate Steps | Destination | Status |
+|------------|--------|-------------------|-------------|--------|
+| {field name} | {origin, e.g., hook stdin `data.session_id`} | {module1:L12 → module2:L45} | {dest, e.g., metrics.jsonl `session_id`} | PROPAGATED |
+| {field name} | {origin} | {module1:L12 → module2:L45} | {dest} | DATA_DROPPED |
+
+### Data-Flow Issues
+
+| Field | Dropped At | Available In Scope | Passed Instead | Fix |
+|-------|-----------|-------------------|----------------|-----|
+| {field} | {file:line} | `data.session_id` | `undefined` | Pass `data.session_id` |
+
+## 6. Integration Issues Summary
 
 ### Critical Issues (system cannot function)
 
@@ -130,7 +145,7 @@ Phase 03 (Core)  ──provides──→ Phase 04 (Frontend)
 1. **{Issue}**: {description}
    - Fix: {recommended action}
 
-## 6. Integration Score
+## 7. Integration Score
 
 | Category | Items Checked | Passed | Failed | Score |
 |----------|--------------|--------|--------|-------|
@@ -138,6 +153,7 @@ Phase 03 (Core)  ──provides──→ Phase 04 (Frontend)
 | API coverage | {n} | {n} | {n} | {%} |
 | Auth protection | {n} | {n} | {n} | {%} |
 | E2E flows | {n} | {n} | {n} | {%} |
+| Data-flow propagation | {n} | {n} | {n} | {%} |
 | **Overall** | {n} | {n} | {n} | **{%}** |
 
 ## Recommendations

package/plugins/pbr/templates/VERIFICATION-DETAIL.md.tmpl

@@ -53,8 +53,9 @@ anti_patterns:
 
 | # | Link Description | Source | Target | Status | Evidence |
 |---|-----------------|--------|--------|--------|----------|
-| 1 | {what connects to what} | `{source_file}` | `{target_file}` | WIRED | Import at L12, called at L45 |
+| 1 | {what connects to what} | `{source_file}` | `{target_file}` | WIRED | Import at L12, called at L45, args correct |
 | 2 | {what connects to what} | `{source_file}` | `{target_file}` | BROKEN | Imported but never called |
+| 3 | {what connects to what} | `{source_file}` | `{target_file}` | ARGS_WRONG | Called at L45 but passes undefined for sessionId (data.session_id in scope) |
 
 ## Gaps Found
 

package/dashboard/src/views/coming-soon.ejs

@@ -1,11 +0,0 @@
-<%- include('partials/layout-top', { title: title, activePage: activePage }) %>
-
-<h1><%= featureName %></h1>
-<p>This feature is coming soon.</p>
-<p>
-  The <strong><%= featureName %></strong> view is planned but not yet implemented.
-  Check back in a future phase.
-</p>
-<p><a href="/">Back to Dashboard</a></p>
-
-<%- include('partials/layout-bottom') %>