@slamb2k/mad-skills 2.0.40 → 2.0.42

package/.claude-plugin/plugin.json

@@ -1,7 +1,7 @@
 {
   "name": "mad-skills",
   "description": "AI-assisted planning, development and governance tools",
-  "version": "2.0.40",
+  "version": "2.0.42",
   "author": {
     "name": "slamb2k",
     "url": "https://github.com/slamb2k"

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@slamb2k/mad-skills",
-  "version": "2.0.40",
+  "version": "2.0.42",
   "description": "Claude Code skills collection — full lifecycle development tools",
   "type": "module",
   "repository": {

package/skills/brace/SKILL.md

@@ -249,6 +249,21 @@ Before sending the prompt, substitute these variables:
 
 Parse SCAFFOLD_REPORT. If status is "failed", report to user and stop.
 
+### Branch Discipline Injection
+
+When updating an existing project CLAUDE.md (not creating from template):
+
+1. Check if `## Branch Discipline` already exists:
+   ```bash
+   grep -q "## Branch Discipline" CLAUDE.md
+   ```
+2. If NOT found, inject the Branch Discipline section before `## Guardrails`:
+   - Read the file content
+   - Find the line containing `## Guardrails`
+   - Insert the Branch Discipline section (from the template) immediately before it
+   - If no `## Guardrails` section exists, append the section at the end of the file
+3. If already present, skip (idempotent)
+
 ---
 
 ## Phase 5: Verification & Report
@@ -327,12 +342,12 @@ elif echo "$REMOTE_URL" | grep -q 'vs-ssh\.visualstudio\.com'; then
 elif echo "$REMOTE_URL" | grep -q 'visualstudio\.com'; then
   AZDO_ORG=$(echo "$REMOTE_URL" | sed -n 's|.*//\([^.]*\)\.visualstudio\.com.*|\1|p')
   AZDO_PROJECT=$(echo "$REMOTE_URL" | sed -n 's|.*/\([^/]*\)/_git/.*|\1|p')
-  AZDO_ORG_URL="https://dev.azure.com/$AZDO_ORG"
+  AZDO_ORG_URL="https://${AZDO_ORG}.visualstudio.com"
 fi
 # URL-decode for CLI/display; keep URL-safe versions for REST API paths
 AZDO_PROJECT_URL_SAFE="$AZDO_PROJECT"
-AZDO_ORG=$(printf '%b' "${AZDO_ORG//%/\\x}")
-AZDO_PROJECT=$(printf '%b' "${AZDO_PROJECT//%/\\x}")
+AZDO_ORG=$(python3 -c "import urllib.parse; print(urllib.parse.unquote('$AZDO_ORG'))")
+AZDO_PROJECT=$(python3 -c "import urllib.parse; print(urllib.parse.unquote('$AZDO_PROJECT_URL_SAFE'))")
 REPO_NAME=$(basename -s .git "$REMOTE_URL")
 ```
 
@@ -351,7 +366,7 @@ If org/project extraction fails, report ⚠️ and skip branch policies.
 
    **REST fallback:**
    ```bash
-   AUTH="Authorization: Basic $(echo -n ":$PAT" | base64)"
+   AUTH="Authorization: Basic $(printf ":%s" "$PAT" | base64 | tr -d '\n')"
    # Get repository ID first
    REPO_ID=$(curl -s -H "$AUTH" \
      "$AZDO_ORG_URL/$AZDO_PROJECT_URL_SAFE/_apis/git/repositories/$REPO_NAME?api-version=7.0" \

package/skills/brace/references/claude-md-template.md

@@ -51,6 +51,20 @@ handles curated facts.
 
 {UNIVERSAL_PRINCIPLES}
 
+## Branch Discipline
+
+- **Always sync to main before starting new work** — run `/sync` or
+  `git checkout main && git pull` before creating a feature branch
+- **Never branch from a feature branch** — always branch from an up-to-date `main`
+- **One feature per branch** — don't stack unrelated changes on the same branch
+- **After shipping a PR, sync immediately** — checkout main and pull before
+  starting the next task
+- **If a PR is pending review**, switch to main before starting unrelated work —
+  don't build on top of an unmerged branch
+
+These rules prevent divergent branches that require complex rebases with risk
+of silent conflict resolution.
+
 ## Guardrails
 
 - Verify tool output format before chaining into another tool

package/skills/build/SKILL.md

@@ -141,6 +141,39 @@ Before Stage 1, resolve the PLAN argument into content:
    - File: `Plan: {file path} ({line count} lines)`
    - Text: `Plan: inline ({word count} words)`
 
+## Pre-Build Branch Check
+
+Before starting Stage 1, verify the working tree is suitable for building:
+
+1. **Detect current branch and default branch:**
+   ```bash
+   CURRENT=$(git branch --show-current)
+   DEFAULT_BRANCH=$(git symbolic-ref refs/remotes/origin/HEAD 2>/dev/null | sed 's@^refs/remotes/origin/@@')
+   DEFAULT_BRANCH="${DEFAULT_BRANCH:-main}"
+   git fetch origin "$DEFAULT_BRANCH" --quiet 2>/dev/null
+   ```
+
+2. **If on a feature branch** (not `main`/`master`/default):
+   ```bash
+   BEHIND=$(git rev-list --count HEAD..origin/"$DEFAULT_BRANCH" 2>/dev/null || echo 0)
+   ```
+   If `BEHIND > 0`, warn the user via `AskUserQuestion`:
+   ```
+   "You're on branch '{CURRENT}' which is {BEHIND} commits behind {DEFAULT_BRANCH}.
+   Starting a new feature here risks divergent branches and complex rebases."
+   ```
+   Options:
+   - "Switch to main first (Recommended)" — run `/sync`, then create a new branch
+   - "Continue on this branch" — proceed (user accepts the risk)
+   - "Cancel" — stop
+
+3. **If on the default branch** and not up to date:
+   ```bash
+   LOCAL=$(git rev-parse "$DEFAULT_BRANCH")
+   REMOTE=$(git rev-parse "origin/$DEFAULT_BRANCH")
+   ```
+   If `LOCAL != REMOTE`, run `/sync` automatically before proceeding.
+
 ---
 
 ## Stage 1: Explore

package/skills/dock/SKILL.md

@@ -128,8 +128,9 @@ For each applicable row, in order:
    - **fallback**: notify user with Detail, continue with degraded behavior
 5. After all checks: summarize what's available and what's degraded
 
-When `PLATFORM == azdo`, follow `references/azdo-platform.md` for tooling
-detection (`AZDO_MODE`) and configuration validation (`AZDO_ORG`, `AZDO_PROJECT`).
+When `PLATFORM == azdo`, follow the shared AzDO platform guide
+(repo root: references/azdo-platform.md) for tooling detection (`AZDO_MODE`)
+and configuration validation (`AZDO_ORG`, `AZDO_PROJECT`).
 Pass these variables into all phase prompts alongside `{PLATFORM}`.
 
 ---

package/skills/keel/SKILL.md

@@ -124,8 +124,9 @@ For each applicable row, in order:
    - **fallback**: notify user with Detail, continue with degraded behavior
 5. After all checks: summarize what's available and what's degraded
 
-When `PLATFORM == azdo`, follow `references/azdo-platform.md` for tooling
-detection (`AZDO_MODE`) and configuration validation (`AZDO_ORG`, `AZDO_PROJECT`).
+When `PLATFORM == azdo`, follow the shared AzDO platform guide
+(repo root: references/azdo-platform.md) for tooling detection (`AZDO_MODE`)
+and configuration validation (`AZDO_ORG`, `AZDO_PROJECT`).
 Pass these variables into all phase prompts alongside `{PLATFORM}`.
 
 ---

package/skills/manifest.json

@@ -1,12 +1,12 @@
 {
-  "generated": "2026-03-18T00:48:31.500Z",
+  "generated": "2026-03-24T07:52:19.071Z",
   "count": 10,
   "skills": [
     {
       "name": "brace",
       "directory": "brace",
       "description": "'Initialize any project directory with a standard scaffold for AI-assisted development. Creates specs/ and context/ directories, a project CLAUDE.md with development workflow and guardrails, .gitignore, and branch protection. Recommends claude-mem for persistent memory. Idempotent — safe to run on existing projects. Triggers: \"init project\", \"setup brace\", \"brace\", \"initialize\", \"bootstrap\", \"scaffold\".'",
-      "lines": 445,
+      "lines": 460,
       "hasScripts": false,
       "hasReferences": true,
       "hasAssets": true,
@@ -16,7 +16,7 @@
       "name": "build",
       "directory": "build",
       "description": "Context-isolated feature development pipeline. Takes a detailed design/plan as argument and executes the full feature-dev lifecycle (explore, question, architect, implement, review, ship) inside subagents so the primary conversation stays compact. Use when you have a well-defined plan and want autonomous execution with minimal context window consumption.",
-      "lines": 378,
+      "lines": 411,
       "hasScripts": false,
       "hasReferences": true,
       "hasAssets": false,
@@ -36,7 +36,7 @@
       "name": "dock",
       "directory": "dock",
       "description": ">- Generate container-based release pipelines that build once and promote immutable artifacts through environments (dev → staging → prod). Detects your stack, interviews for infrastructure choices, then outputs deterministic CI/CD files (Dockerfile, workflows, deployment manifests) that run without an LLM. Use when setting up deployment pipelines, containerizing an app, creating release workflows, or connecting CI to container-friendly infrastructure (Azure Container Apps, AWS Fargate, Google Cloud Run, Kubernetes, Dokku, Coolify, CapRover, etc.).",
-      "lines": 431,
+      "lines": 432,
       "hasScripts": false,
       "hasReferences": true,
       "hasAssets": false,
@@ -46,7 +46,7 @@
       "name": "keel",
       "directory": "keel",
       "description": ">- Generate Infrastructure as Code (IaC) pipelines that provision the cloud and container infrastructure your app deploys to. Interview-driven: detects your stack and cloud provider, then outputs deterministic IaC files (Terraform, Bicep, Pulumi, or CDK) plus CI/CD pipelines that plan on PR and apply on merge. Use when setting up cloud infrastructure, provisioning container registries, databases, networking, DNS, or any infrastructure that containers deploy onto. Designed to run before /dock — /keel lays the infrastructure, /dock deploys to it.",
-      "lines": 419,
+      "lines": 420,
       "hasScripts": false,
       "hasReferences": true,
       "hasAssets": false,
@@ -66,7 +66,7 @@
       "name": "rig",
       "directory": "rig",
       "description": "'Idempotently bootstrap any repository with standard development tools, hooks, and workflows. Use when starting work on a new repo, onboarding to an existing project, or ensuring a repo has proper CI/CD setup. Configures: git hooks (lefthook), commit message templates, PR templates, and GitHub Actions for lint/format/type-check/build. Prompts for user confirmation before changes. Triggers: \"bootstrap repo\", \"setup hooks\", \"configure CI\", \"rig\", \"standardize repo\".'",
-      "lines": 343,
+      "lines": 363,
       "hasScripts": false,
       "hasReferences": true,
       "hasAssets": true,
@@ -76,7 +76,7 @@
       "name": "ship",
       "directory": "ship",
       "description": "\"Ship changes through the full PR lifecycle. Use after completing feature work to commit, push, create PR, wait for checks, and merge. Handles the entire workflow: syncs with main, creates feature branch if needed, groups commits logically with semantic messages, creates detailed PR, monitors CI, fixes issues, squash merges, and cleans up. Invoke when work is ready to ship.\"",
-      "lines": 418,
+      "lines": 495,
       "hasScripts": true,
       "hasReferences": true,
       "hasAssets": false,
@@ -86,7 +86,7 @@
       "name": "speccy",
       "directory": "speccy",
       "description": "Deep-dive interview skill for creating comprehensive specifications. Reviews existing code and docs, then interviews the user through multiple rounds of targeted questions covering technical implementation, UI/UX, concerns, and tradeoffs. Produces a structured spec in specs/. Use when starting a new feature, system, or major change that needs a spec.",
-      "lines": 253,
+      "lines": 272,
       "hasScripts": false,
       "hasReferences": true,
       "hasAssets": false,

package/skills/rig/SKILL.md

@@ -166,13 +166,13 @@ elif echo "$REMOTE_URL" | grep -q 'vs-ssh\.visualstudio\.com'; then
 elif echo "$REMOTE_URL" | grep -q 'visualstudio\.com'; then
   AZDO_ORG=$(echo "$REMOTE_URL" | sed -n 's|.*//\([^.]*\)\.visualstudio\.com.*|\1|p')
   AZDO_PROJECT=$(echo "$REMOTE_URL" | sed -n 's|.*/\([^/]*\)/_git/.*|\1|p')
-  AZDO_ORG_URL="https://dev.azure.com/$AZDO_ORG"
+  AZDO_ORG_URL="https://${AZDO_ORG}.visualstudio.com"
 fi
 
 # URL-decode for CLI/display; keep URL-safe versions for REST API paths
 AZDO_PROJECT_URL_SAFE="$AZDO_PROJECT"
-AZDO_ORG=$(printf '%b' "${AZDO_ORG//%/\\x}")
-AZDO_PROJECT=$(printf '%b' "${AZDO_PROJECT//%/\\x}")
+AZDO_ORG=$(python3 -c "import urllib.parse; print(urllib.parse.unquote('$AZDO_ORG'))")
+AZDO_PROJECT=$(python3 -c "import urllib.parse; print(urllib.parse.unquote('$AZDO_PROJECT_URL_SAFE'))")
 
 if [ -z "$AZDO_ORG" ] || [ -z "$AZDO_PROJECT" ]; then
   echo "❌ Could not extract organization/project from remote URL"
@@ -193,7 +193,7 @@ az devops configure --defaults organization="$AZDO_ORG_URL" project="$AZDO_PROJE
 
 When `AZDO_MODE == rest`, store these for API calls:
 - Base URL: `$AZDO_ORG_URL/$AZDO_PROJECT_URL_SAFE/_apis`
-- Auth header: `Authorization: Basic $(echo -n ":$PAT" | base64)`
+- Auth header: `Authorization: Basic $(printf ":%s" "$PAT" | base64 | tr -d '\n')`
 
 Report in pre-flight:
 - ✅ `azdo context` — org: `{AZDO_ORG}`, project: `{AZDO_PROJECT}`
@@ -293,6 +293,26 @@ If "Let me choose", present individual options as multi-select.
 For each approved item, follow the procedures in
 `references/configuration-steps.md`.
 
+### Branch Discipline in CLAUDE.md
+
+If the project has an existing `CLAUDE.md`:
+
+1. Check if `## Branch Discipline` already exists:
+   ```bash
+   grep -q "## Branch Discipline" CLAUDE.md
+   ```
+2. If NOT found, inject the Branch Discipline section before `## Guardrails`:
+   - Read the file content
+   - Find the line containing `## Guardrails`
+   - Insert the Branch Discipline section immediately before it
+   - If no `## Guardrails` section exists, append at the end of the file
+3. If already present, skip (idempotent)
+
+The Branch Discipline content to inject is the `## Branch Discipline` section
+from `skills/brace/references/claude-md-template.md`. Read that file to get
+the exact content — this avoids duplication and ensures both /brace and /rig
+inject identical text.
+
 ---
 
 ## Phase 5: Verification

package/skills/ship/SKILL.md

@@ -183,13 +183,13 @@ elif echo "$REMOTE_URL" | grep -q 'visualstudio\.com'; then
   # Legacy HTTPS format: https://{ORG}.visualstudio.com/{PROJECT}/_git/{REPO}
   AZDO_ORG=$(echo "$REMOTE_URL" | sed -n 's|.*//\([^.]*\)\.visualstudio\.com.*|\1|p')
   AZDO_PROJECT=$(echo "$REMOTE_URL" | sed -n 's|.*/\([^/]*\)/_git/.*|\1|p')
-  AZDO_ORG_URL="https://dev.azure.com/$AZDO_ORG"
+  AZDO_ORG_URL="https://${AZDO_ORG}.visualstudio.com"
 fi
 
 # URL-decode for CLI/display; keep URL-safe versions for REST API paths
 AZDO_PROJECT_URL_SAFE="$AZDO_PROJECT"
-AZDO_ORG=$(printf '%b' "${AZDO_ORG//%/\\x}")
-AZDO_PROJECT=$(printf '%b' "${AZDO_PROJECT//%/\\x}")
+AZDO_ORG=$(python3 -c "import urllib.parse; print(urllib.parse.unquote('$AZDO_ORG'))")
+AZDO_PROJECT=$(python3 -c "import urllib.parse; print(urllib.parse.unquote('$AZDO_PROJECT_URL_SAFE'))")
 
 if [ -z "$AZDO_ORG" ] || [ -z "$AZDO_PROJECT" ]; then
   echo "❌ Could not extract organization/project from remote URL"
@@ -210,7 +210,7 @@ az devops configure --defaults organization="$AZDO_ORG_URL" project="$AZDO_PROJE
 
 When `AZDO_MODE == rest`, store these for API calls:
 - Base URL: `$AZDO_ORG_URL/$AZDO_PROJECT_URL_SAFE/_apis`
-- Auth header: `Authorization: Basic $(echo -n ":$PAT" | base64)`
+- Auth header: `Authorization: Basic $(printf ":%s" "$PAT" | base64 | tr -d '\n')`
 
 Report in pre-flight:
 - ✅ `azdo context` — org: `{AZDO_ORG}`, project: `{AZDO_PROJECT}`
@@ -318,16 +318,51 @@ The fix subagent MUST commit and push before returning. Once it returns,
 attempt = 0
 while attempt < 2:
   CHECKS = run_watch()
-  if CHECKS.status == "all_passed" or CHECKS.status == "no_checks":
+  if CHECKS.status == "all_passed":
     break  → proceed immediately to Stage 5 (do NOT ask user to confirm merge)
+  if CHECKS.status == "no_checks":
+    → prompt user via AskUserQuestion:
+      "No CI checks found for PR #{PR_NUMBER} after waiting 30 seconds.
+       The repository may not have CI configured, or checks may still be registering."
+      Options:
+      - "Merge without checks (Recommended)" → break to Stage 5
+      - "Wait another 30 seconds" → re-run the watch (do not increment attempt)
+      - "Cancel" → stop /ship and display failure banner
+    break (if user chose merge or after re-wait resolves)
   attempt += 1
   run_fix(CHECKS.failing_checks)
   → loop back to watch
 
 if attempt == 2 and still failing:
-  report failures to user, stop
+  → display failure banner and stop (see Failure Handling below)
 ```
 
+### Failure Handling
+
+When /ship fails at ANY point (CI exhausts fix attempts, merge fails, post-merge
+verification fails), display the failure banner and STOP:
+
+```
+┌─ Ship · FAILED ──────────────────────────────────
+│
+│  ❌ PR #{PR_NUMBER} was NOT merged
+│
+│  Reason: {specific failure reason}
+│  Branch: {BRANCH} (still active)
+│
+│  ⚠️  You are still on branch '{BRANCH}'.
+│     Run /sync to return to main before starting new work.
+│
+└───────────────────────────────────────────────────
+```
+
+**Critical rules on failure:**
+- Do NOT proceed to "What's Next?"
+- Do NOT suggest next tasks or follow-up work
+- Do NOT invoke `/sync` or any other skill
+- Do NOT use language like "will be auto-merged" or "PR is pending"
+- The failure banner is the LAST output — nothing follows it
+
 ---
 
 ## Stage 5: Merge & Final Sync
@@ -352,6 +387,34 @@ bash "$SKILL_ROOT/skills/ship/scripts/merge.sh" \
 
 Parse LAND_REPORT from output markers. Exit code 0=merged, 1=failed.
 
+### 5a-verify. Verify merge completed
+
+After merge.sh reports success, verify the PR actually merged:
+
+**GitHub:**
+```bash
+PR_STATE=$(gh pr view "$PR_NUMBER" --json state --jq '.state')
+```
+Expected: `"MERGED"`
+
+**AzDO CLI:**
+```bash
+PR_STATE=$(az repos pr show --id "$PR_NUMBER" --query status -o tsv)
+```
+Expected: `"completed"`
+
+**AzDO REST:**
+```bash
+PR_RESP=$(curl -s -H "$AUTH" "${AZDO_ORG_URL}/${AZDO_PROJECT_URL_SAFE}/_apis/git/repositories/${REPO_ID}/pullRequests/${PR_NUMBER}?api-version=7.1")
+PR_STATE=$(echo "$PR_RESP" | jq -r '.status')
+```
+Expected: `"completed"`
+
+If the PR is NOT in the expected merged/completed state, treat as a failure —
+display the failure banner (see Failure Handling) with reason "PR merge was
+accepted but PR is still in '{PR_STATE}' state. The merge may be queued or
+deferred." and stop.
+
 ### 5b. Sync local repo
 
 After the merge script succeeds, run the sync script to checkout the default
@@ -361,10 +424,23 @@ branch, pull the merge commit, and **clean up stale branches**:
 bash "$SKILL_ROOT/skills/sync/scripts/sync.sh" "{REMOTE}" "{DEFAULT_BRANCH}"
 ```
 
+After sync completes, verify the working tree is on the default branch:
+
+```bash
+CURRENT=$(git branch --show-current)
+if [ "$CURRENT" != "{DEFAULT_BRANCH}" ]; then
+  git checkout {DEFAULT_BRANCH}
+  git pull {REMOTE} {DEFAULT_BRANCH}
+fi
+```
+
 ---
 
 ## What's Next?
 
+**Only run this section if /ship succeeded (PR is merged).** If any failure
+occurred, the failure banner was already displayed and nothing should follow it.
+
 After a successful merge, determine what work comes next by checking these
 sources (in priority order):
 
@@ -393,6 +469,7 @@ Compile all stage reports into a summary:
 │  🌿 Branch:  {branch}
 │  🔗 PR:      {pr_url}
 │  🔀 Merged:  {merge_commit} ({merge_type})
+│  🌿 Now on: {DEFAULT_BRANCH} (up to date)
 │
 │  📝 Commits
 │     • {commit message 1}

package/skills/ship/references/stage-prompts.md

@@ -130,7 +130,7 @@ Bad examples:
 
    **If PLATFORM == azdo AND AZDO_MODE == rest:**
      REPO_NAME=$(basename -s .git "$(git remote get-url origin)")
-     AUTH="Authorization: Basic $(echo -n ":{PAT}" | base64)"
+     AUTH="Authorization: Basic $(printf ":%s" "{PAT}" | base64 | tr -d '\n')"
      PR_JSON=$(curl -s -X POST \
        -H "$AUTH" \
        -H "Content-Type: application/json" \
@@ -231,7 +231,7 @@ FAILING CHECKS: {FAILING_CHECKS}
      rm -rf "$LOGDIR"
 
    **If PLATFORM == azdo AND AZDO_MODE == rest:**
-     AUTH="Authorization: Basic $(echo -n ":{PAT}" | base64)"
+     AUTH="Authorization: Basic $(printf ":%s" "{PAT}" | base64 | tr -d '\n')"
      # Get failed build ID
      RUN_ID=$(curl -s -H "$AUTH" \
        "{AZDO_ORG_URL}/{AZDO_PROJECT_URL_SAFE}/_apis/build/builds?branchName=refs/heads/{BRANCH}&resultFilter=failed&\$top=1&api-version=7.0" \

package/skills/ship/scripts/ci-watch.sh

@@ -22,12 +22,14 @@ for arg in "$@"; do
 done
 
 STATUS="" CHECKS="" FAILING=""
+GRACE_POLLS=0
 
 emit_report() {
   echo "CHECKS_REPORT_BEGIN"
   echo "status=$STATUS"
   echo "checks=$CHECKS"
   echo "failing_checks=${FAILING:-none}"
+  echo "grace_period_polls=$GRACE_POLLS"
   echo "CHECKS_REPORT_END"
 }
 
@@ -38,15 +40,29 @@ if [ "$PLATFORM" = "github" ]; then
     emit_report; exit 3
   fi
 
+  # Grace period: wait for checks to register (CI may not trigger immediately)
+  GRACE_POLLS=0
+  GRACE_JSON="[]"
+  for _ in $(seq 1 3); do
+    GRACE_POLLS=$((GRACE_POLLS + 1))
+    GRACE_JSON=$(gh pr checks "$PR_NUMBER" --json name,state 2>/dev/null || echo "[]")
+    if [ "$GRACE_JSON" != "[]" ]; then
+      break
+    fi
+    sleep 10
+  done
+
+  # If no checks found after grace period, report and exit
+  if [ "$GRACE_JSON" = "[]" ]; then
+    STATUS="no_checks"; CHECKS=""; FAILING="none"
+    emit_report; exit 0
+  fi
+
   # gh pr checks --watch blocks until done; --fail-fast stops on first failure
   gh pr checks "$PR_NUMBER" --watch --fail-fast 2>/dev/null || true
 
   # Parse final status
   CHECKS_JSON=$(gh pr checks "$PR_NUMBER" --json name,state 2>/dev/null || echo "[]")
-  if [ "$CHECKS_JSON" = "[]" ]; then
-    STATUS="no_checks"; CHECKS=""; FAILING="none"
-    emit_report; exit 0
-  fi
 
   FAIL_COUNT=$(echo "$CHECKS_JSON" | jq '[.[] | select(.state=="FAILURE")] | length')
   CHECKS=$(echo "$CHECKS_JSON" | jq -r '.[] | "\(.name):\(.state | ascii_downcase)"' | paste -sd, -)
@@ -72,19 +88,31 @@ if [ "$AZDO_MODE" = "rest" ]; then
     CHECKS="error:no PAT configured"
     emit_report; exit 3
   fi
-  AUTH="Authorization: Basic $(echo -n ":$PAT" | base64)"
+  AUTH="Authorization: Basic $(printf ":%s" "$PAT" | base64 | tr -d '\n')"
 fi
 
 # ── AzDO CLI mode ──────────────────────────────────────
 if [ "$AZDO_MODE" = "cli" ]; then
-  # Wait for CI to start (max 2 min)
+  # Grace period: wait for CI to start (max 2 min)
+  # Try PR merge ref first, then fall back to branch name
   RUNS_FOUND=false
+  CI_BRANCH=""
+  GRACE_POLLS=0
   for _ in $(seq 1 8); do
+    GRACE_POLLS=$((GRACE_POLLS + 1))
+    # Try PR merge ref first (AzDO sets sourceBranch to refs/pull/<N>/merge)
+    RUN_COUNT=$(az pipelines runs list --branch "refs/pull/$PR_NUMBER/merge" --top 5 \
+      --org "$AZDO_ORG_URL" --project "$AZDO_PROJECT" \
+      --query "length(@)" -o tsv 2>/dev/null)
+    if [ -n "$RUN_COUNT" ] && [ "$RUN_COUNT" != "0" ]; then
+      RUNS_FOUND=true; CI_BRANCH="refs/pull/$PR_NUMBER/merge"; break
+    fi
+    # Fallback: try branch name directly
     RUN_COUNT=$(az pipelines runs list --branch "$BRANCH" --top 5 \
       --org "$AZDO_ORG_URL" --project "$AZDO_PROJECT" \
       --query "length(@)" -o tsv 2>/dev/null)
     if [ -n "$RUN_COUNT" ] && [ "$RUN_COUNT" != "0" ]; then
-      RUNS_FOUND=true; break
+      RUNS_FOUND=true; CI_BRANCH="$BRANCH"; break
     fi
     sleep 15
   done
@@ -102,14 +130,14 @@ if [ "$AZDO_MODE" = "cli" ]; then
 
   # Wait for runs to complete with fail-fast (max 30 min)
   for _ in $(seq 1 120); do
-    FAILED=$(az pipelines runs list --branch "$BRANCH" --top 5 \
+    FAILED=$(az pipelines runs list --branch "$CI_BRANCH" --top 5 \
       --org "$AZDO_ORG_URL" --project "$AZDO_PROJECT" \
       --query "[?result=='failed'] | length(@)" -o tsv 2>/dev/null)
     if [ -n "$FAILED" ] && [ "$FAILED" != "0" ]; then
       break
     fi
 
-    IN_PROGRESS=$(az pipelines runs list --branch "$BRANCH" --top 5 \
+    IN_PROGRESS=$(az pipelines runs list --branch "$CI_BRANCH" --top 5 \
       --org "$AZDO_ORG_URL" --project "$AZDO_PROJECT" \
       --query "[?status=='inProgress'] | length(@)" -o tsv 2>/dev/null)
     if [ "$IN_PROGRESS" = "0" ] || [ -z "$IN_PROGRESS" ]; then break; fi
@@ -117,7 +145,7 @@ if [ "$AZDO_MODE" = "cli" ]; then
   done
 
   # Determine final status
-  RUNS_TABLE=$(az pipelines runs list --branch "$BRANCH" --top 5 \
+  RUNS_TABLE=$(az pipelines runs list --branch "$CI_BRANCH" --top 5 \
     --org "$AZDO_ORG_URL" --project "$AZDO_PROJECT" \
     --query "[].{name:definition.name, result:result}" -o json 2>/dev/null || echo "[]")
   CHECKS=$(echo "$RUNS_TABLE" | jq -r '.[] | "\(.name):\(.result // "pending")"' | paste -sd, -)
@@ -145,31 +173,64 @@ fi
 
 # ── AzDO REST mode ─────────────────────────────────────
 if [ "$AZDO_MODE" = "rest" ]; then
-  BUILDS_URL="$AZDO_ORG_URL/$AZDO_PROJECT_URL_SAFE/_apis/build/builds?branchName=refs/heads/$BRANCH&\$top=5&api-version=7.0"
+  BUILDS_BASE="$AZDO_ORG_URL/$AZDO_PROJECT_URL_SAFE/_apis/build/builds"
 
-  # Wait for CI to start (max 2 min)
+  # Grace period: wait for CI to start (max 2 min)
+  # Try PR merge ref first, then fall back to branch name
   RUNS_FOUND=false
+  BUILDS_URL=""
+  GRACE_POLLS=0
   for _ in $(seq 1 8); do
-    RUN_COUNT=$(curl -s -H "$AUTH" "$BUILDS_URL" | jq '.value | length')
+    GRACE_POLLS=$((GRACE_POLLS + 1))
+    # Try PR merge ref first (AzDO sets sourceBranch to refs/pull/<N>/merge)
+    PR_BUILDS_URL="${BUILDS_BASE}?branchName=refs/pull/$PR_NUMBER/merge&\$top=5&api-version=7.0"
+    RESPONSE=$(curl -s -H "$AUTH" "$PR_BUILDS_URL" 2>&1)
+    if ! echo "$RESPONSE" | jq empty 2>/dev/null; then
+      STATUS="no_checks"; FAILING="none"; CHECKS="error:non-JSON API response"
+      emit_report; exit 3
+    fi
+    RUN_COUNT=$(echo "$RESPONSE" | jq '.value | length')
+    if [ -n "$RUN_COUNT" ] && [ "$RUN_COUNT" != "0" ]; then
+      RUNS_FOUND=true; BUILDS_URL="$PR_BUILDS_URL"; break
+    fi
+    # Fallback: try branch name directly
+    BRANCH_BUILDS_URL="${BUILDS_BASE}?branchName=refs/heads/$BRANCH&\$top=5&api-version=7.0"
+    RESPONSE=$(curl -s -H "$AUTH" "$BRANCH_BUILDS_URL" 2>&1)
+    if ! echo "$RESPONSE" | jq empty 2>/dev/null; then
+      STATUS="no_checks"; FAILING="none"; CHECKS="error:non-JSON API response"
+      emit_report; exit 3
+    fi
+    RUN_COUNT=$(echo "$RESPONSE" | jq '.value | length')
     if [ -n "$RUN_COUNT" ] && [ "$RUN_COUNT" != "0" ]; then
-      RUNS_FOUND=true; break
+      RUNS_FOUND=true; BUILDS_URL="$BRANCH_BUILDS_URL"; break
     fi
     sleep 15
   done
 
   if [ "$RUNS_FOUND" = false ]; then
-    EVALS=$(curl -s -H "$AUTH" \
-      "$AZDO_ORG_URL/$AZDO_PROJECT_URL_SAFE/_apis/policy/evaluations?artifactId=vstfs:///CodeReview/CodeReviewId/$AZDO_PROJECT_URL_SAFE/$PR_NUMBER&api-version=7.0")
-    EVAL_COUNT=$(echo "$EVALS" | jq '.value | length')
+    RESPONSE=$(curl -s -H "$AUTH" \
+      "$AZDO_ORG_URL/$AZDO_PROJECT_URL_SAFE/_apis/policy/evaluations?artifactId=vstfs:///CodeReview/CodeReviewId/$AZDO_PROJECT_URL_SAFE/$PR_NUMBER&api-version=7.0" 2>&1)
+    if ! echo "$RESPONSE" | jq empty 2>/dev/null; then
+      STATUS="no_checks"; FAILING="none"; CHECKS="error:non-JSON API response"
+      emit_report; exit 3
+    fi
+    EVAL_COUNT=$(echo "$RESPONSE" | jq '.value | length')
     if [ "$EVAL_COUNT" = "0" ] || [ -z "$EVAL_COUNT" ]; then
       STATUS="no_checks"; CHECKS=""; FAILING="none"
       emit_report; exit 0
     fi
+    # Default BUILDS_URL for subsequent polling if policies exist but no runs yet
+    BUILDS_URL="${BUILDS_BASE}?branchName=refs/pull/$PR_NUMBER/merge&\$top=5&api-version=7.0"
   fi
 
   # Wait for runs with fail-fast (max 30 min)
   for _ in $(seq 1 120); do
-    BUILDS_JSON=$(curl -s -H "$AUTH" "$BUILDS_URL")
+    RESPONSE=$(curl -s -H "$AUTH" "$BUILDS_URL" 2>&1)
+    if ! echo "$RESPONSE" | jq empty 2>/dev/null; then
+      STATUS="no_checks"; FAILING="none"; CHECKS="error:non-JSON API response"
+      emit_report; exit 3
+    fi
+    BUILDS_JSON="$RESPONSE"
 
     FAIL_COUNT=$(echo "$BUILDS_JSON" | jq '[.value[] | select(.result=="failed")] | length')
     if [ "${FAIL_COUNT:-0}" -gt 0 ]; then break; fi
@@ -180,16 +241,25 @@ if [ "$AZDO_MODE" = "rest" ]; then
   done
 
   # Final status
-  BUILDS_JSON=$(curl -s -H "$AUTH" "$BUILDS_URL")
+  RESPONSE=$(curl -s -H "$AUTH" "$BUILDS_URL" 2>&1)
+  if ! echo "$RESPONSE" | jq empty 2>/dev/null; then
+    STATUS="no_checks"; FAILING="none"; CHECKS="error:non-JSON API response"
+    emit_report; exit 3
+  fi
+  BUILDS_JSON="$RESPONSE"
   CHECKS=$(echo "$BUILDS_JSON" | jq -r '.value[] | "\(.definition.name):\(.result // "pending")"' | paste -sd, -)
   FAILING=$(echo "$BUILDS_JSON" | jq -r '.value[] | select(.result=="failed") | .definition.name' | paste -sd, -)
   FAIL_COUNT=$(echo "$BUILDS_JSON" | jq '[.value[] | select(.result=="failed")] | length')
   STILL_RUNNING=$(echo "$BUILDS_JSON" | jq '[.value[] | select(.status=="inProgress")] | length')
 
   # Check policy evaluations
-  EVALS=$(curl -s -H "$AUTH" \
-    "$AZDO_ORG_URL/$AZDO_PROJECT_URL_SAFE/_apis/policy/evaluations?artifactId=vstfs:///CodeReview/CodeReviewId/$AZDO_PROJECT_URL_SAFE/$PR_NUMBER&api-version=7.0")
-  REJECTED=$(echo "$EVALS" | jq '[.value[] | select(.status=="rejected")] | length')
+  RESPONSE=$(curl -s -H "$AUTH" \
+    "$AZDO_ORG_URL/$AZDO_PROJECT_URL_SAFE/_apis/policy/evaluations?artifactId=vstfs:///CodeReview/CodeReviewId/$AZDO_PROJECT_URL_SAFE/$PR_NUMBER&api-version=7.0" 2>&1)
+  if ! echo "$RESPONSE" | jq empty 2>/dev/null; then
+    REJECTED="0"
+  else
+    REJECTED=$(echo "$RESPONSE" | jq '[.value[] | select(.status=="rejected")] | length')
+  fi
 
   if [ "${FAIL_COUNT:-0}" -gt 0 ] || [ "${REJECTED:-0}" -gt 0 ]; then
     STATUS="some_failed"

package/skills/ship/scripts/merge.sh

@@ -65,20 +65,38 @@ DELETE_FLAG=$( [ "$DELETE_BRANCH" = true ] && echo "true" || echo "false" )
 
 # ── AzDO CLI mode ──────────────────────────────────────
 if [ "$AZDO_MODE" = "cli" ]; then
-  # Check for rejected policies
-  REJECTED=$(az repos pr policy list --id "$PR_NUMBER" \
-    --org "$AZDO_ORG_URL" --project "$AZDO_PROJECT" \
-    --query "[?status=='rejected'] | length(@)" -o tsv 2>/dev/null)
-  if [ -n "$REJECTED" ] && [ "$REJECTED" != "0" ]; then
-    STATUS="failed"
-    ERRORS="$REJECTED PR policies are rejected"
-    MERGE_COMMIT=""; BRANCH_DELETED=false
-    emit_report; exit 1
-  fi
+  # Wait for all policies to reach terminal state (approved/rejected/notApplicable)
+  POLICY_TIMEOUT=20  # 20 iterations × 15 seconds = 5 minutes
+  for POLICY_ITER in $(seq 1 $POLICY_TIMEOUT); do
+    POLICY_JSON=$(az repos pr policy list --id "$PR_NUMBER" --org "$AZDO_ORG_URL" --project "$AZDO_PROJECT" -o json 2>/dev/null || echo "[]")
+
+    REJECTED=$(echo "$POLICY_JSON" | jq '[.[] | select(.status=="rejected")] | length')
+    PENDING=$(echo "$POLICY_JSON" | jq '[.[] | select(.status=="running" or .status=="queued" or .status=="pending")] | length')
+
+    if [ "${REJECTED:-0}" -gt 0 ]; then
+      STATUS="failed"
+      ERRORS="policies rejected"
+      MERGE_COMMIT=""; BRANCH_DELETED=false
+      emit_report; exit 1
+    fi
+
+    if [ "${PENDING:-0}" -eq 0 ]; then
+      break  # All policies terminal
+    fi
+
+    if [ "$POLICY_ITER" -eq "$POLICY_TIMEOUT" ]; then
+      STATUS="failed"
+      ERRORS="policies not evaluated after 5 minutes"
+      MERGE_COMMIT=""; BRANCH_DELETED=false
+      emit_report; exit 1
+    fi
+
+    sleep 15
+  done
 
   # Complete the PR
   if az repos pr update --id "$PR_NUMBER" --status completed \
-    --org "$AZDO_ORG_URL" --project "$AZDO_PROJECT" \
+    --org "$AZDO_ORG_URL" \
     --squash "$SQUASH_FLAG" \
     --delete-source-branch "$DELETE_FLAG" 2>/dev/null; then
     STATUS="success"
@@ -88,7 +106,7 @@ if [ "$AZDO_MODE" = "cli" ]; then
     # Retry once after 30s (policies may still be evaluating)
     sleep 30
     if az repos pr update --id "$PR_NUMBER" --status completed \
-      --org "$AZDO_ORG_URL" --project "$AZDO_PROJECT" \
+      --org "$AZDO_ORG_URL" \
       --squash "$SQUASH_FLAG" \
       --delete-source-branch "$DELETE_FLAG" 2>/dev/null; then
       STATUS="success"
@@ -107,20 +125,42 @@ fi
 
 # ── AzDO REST mode ─────────────────────────────────────
 if [ "$AZDO_MODE" = "rest" ]; then
-  AUTH="Authorization: Basic $(echo -n ":$PAT" | base64)"
+  AUTH="Authorization: Basic $(printf ":%s" "$PAT" | base64 | tr -d '\n')"
   REPO_NAME=$(basename -s .git "$(git remote get-url origin)")
   PR_API="$AZDO_ORG_URL/$AZDO_PROJECT_URL_SAFE/_apis/git/repositories/$REPO_NAME/pullrequests/$PR_NUMBER"
 
-  # Check for rejected policies
-  EVALS=$(curl -s -H "$AUTH" \
-    "$AZDO_ORG_URL/$AZDO_PROJECT_URL_SAFE/_apis/policy/evaluations?artifactId=vstfs:///CodeReview/CodeReviewId/$AZDO_PROJECT_URL_SAFE/$PR_NUMBER&api-version=7.0")
-  REJECTED=$(echo "$EVALS" | jq '[.value[] | select(.status=="rejected")] | length')
-  if [ "$REJECTED" != "0" ]; then
-    STATUS="failed"
-    ERRORS="PR has rejected policy evaluations"
-    MERGE_COMMIT=""; BRANCH_DELETED=false
-    emit_report; exit 1
-  fi
+  # Wait for all policy evaluations to reach terminal state
+  POLICY_TIMEOUT=20
+  for POLICY_ITER in $(seq 1 $POLICY_TIMEOUT); do
+    EVALS=$(curl -s -H "$AUTH" \
+      "$AZDO_ORG_URL/$AZDO_PROJECT_URL_SAFE/_apis/policy/evaluations?artifactId=vstfs:///CodeReview/CodeReviewId/$AZDO_PROJECT_URL_SAFE/$PR_NUMBER&api-version=7.0" 2>&1)
+    if ! echo "$EVALS" | jq empty 2>/dev/null; then
+      EVALS='{"value":[]}'
+    fi
+
+    REJECTED=$(echo "$EVALS" | jq '[.value[] | select(.status=="rejected")] | length')
+    PENDING=$(echo "$EVALS" | jq '[.value[] | select(.status=="running" or .status=="queued" or .status=="pending")] | length')
+
+    if [ "${REJECTED:-0}" -gt 0 ]; then
+      STATUS="failed"
+      ERRORS="PR has rejected policy evaluations"
+      MERGE_COMMIT=""; BRANCH_DELETED=false
+      emit_report; exit 1
+    fi
+
+    if [ "${PENDING:-0}" -eq 0 ]; then
+      break
+    fi
+
+    if [ "$POLICY_ITER" -eq "$POLICY_TIMEOUT" ]; then
+      STATUS="failed"
+      ERRORS="policies not evaluated after 5 minutes"
+      MERGE_COMMIT=""; BRANCH_DELETED=false
+      emit_report; exit 1
+    fi
+
+    sleep 15
+  done
 
   # Resolve merge strategy
   MERGE_STRATEGY=$( [ "$SQUASH" = true ] && echo "squash" || echo "noFastForward" )
@@ -128,7 +168,13 @@ if [ "$AZDO_MODE" = "rest" ]; then
   # Complete the PR
   RESPONSE=$(curl -s -X PATCH -H "$AUTH" -H "Content-Type: application/json" \
     "$PR_API?api-version=7.0" \
-    -d "{\"status\": \"completed\", \"completionOptions\": {\"mergeStrategy\": \"$MERGE_STRATEGY\", \"deleteSourceBranch\": $DELETE_FLAG}}")
+    -d "{\"status\": \"completed\", \"completionOptions\": {\"mergeStrategy\": \"$MERGE_STRATEGY\", \"deleteSourceBranch\": $DELETE_FLAG}}" 2>&1)
+  if ! echo "$RESPONSE" | jq empty 2>/dev/null; then
+    STATUS="failed"
+    ERRORS="REST merge returned non-JSON response"
+    MERGE_COMMIT=""; BRANCH_DELETED=false
+    emit_report; exit 1
+  fi
 
   PR_STATUS=$(echo "$RESPONSE" | jq -r '.status // empty')
   if [ "$PR_STATUS" = "completed" ]; then

package/skills/speccy/SKILL.md

@@ -84,6 +84,25 @@ For each row, in order:
 
 ## Stage 1: Context Gathering
 
+### Pre-Spec Branch Check
+
+Before gathering context, check if the user is on a stale branch:
+
+```bash
+CURRENT=$(git branch --show-current)
+if [ "$CURRENT" != "main" ] && [ "$CURRENT" != "master" ]; then
+  git fetch origin main --quiet 2>/dev/null
+  BEHIND=$(git rev-list --count HEAD..origin/main 2>/dev/null || echo 0)
+  if [ "$BEHIND" -gt 5 ]; then
+    echo "⚠️ Branch '$CURRENT' is $BEHIND commits behind main."
+    echo "   Consider running /sync before building from this spec."
+  fi
+fi
+```
+
+This is advisory only (specs don't modify code) — do not block, continue
+regardless of the result.
+
 Before asking any questions, build a thorough understanding of the project:
 
 1. **Capture GOAL** — the user's argument describing what needs to be specified

package/skills/dock/references/azdo-platform.md

@@ -1,88 +0,0 @@
-# Azure DevOps Platform Support
-
-Shared procedures for AzDO tooling detection and configuration validation.
-Referenced by SKILL.md during pre-flight when `PLATFORM == azdo`.
-
-## AzDO Tooling Detection
-
-When `PLATFORM == azdo`, determine which tooling is available. Set `AZDO_MODE`
-for use in all subsequent phases:
-
-```bash
-if az devops -h &>/dev/null; then
-  AZDO_MODE="cli"
-else
-  AZDO_MODE="rest"
-fi
-```
-
-- **`cli`**: Use `az repos` / `az pipelines` commands (preferred)
-- **`rest`**: Use Azure DevOps REST API via `curl`. Requires a PAT (personal
-  access token) in `AZURE_DEVOPS_EXT_PAT` or `AZDO_PAT` env var. If no PAT
-  is found, prompt the user to either install the CLI or set the env var.
-
-Report in pre-flight:
-- ✅ `az devops cli` — version found
-- ⚠️ `az devops cli` — not found → using REST API fallback
-- ❌ `az devops cli` — not found, no PAT configured → halt with setup instructions
-
-## AzDO Configuration Validation
-
-When `PLATFORM == azdo`, extract organization and project from the remote URL
-and validate they are usable. These values are needed by every `az repos` /
-`az pipelines` command and every REST API call.
-
-```bash
-# Extract org and project from remote URL patterns:
-#   https://dev.azure.com/{ORG}/{PROJECT}/_git/{REPO}
-#   https://{ORG}@dev.azure.com/{ORG}/{PROJECT}/_git/{REPO}
-#   {ORG}@vs-ssh.visualstudio.com:v3/{ORG}/{PROJECT}/{REPO}
-
-REMOTE_URL=$(git remote get-url origin 2>/dev/null)
-
-if echo "$REMOTE_URL" | grep -q 'dev\.azure\.com'; then
-  AZDO_ORG=$(echo "$REMOTE_URL" | sed -n 's|.*dev\.azure\.com/\([^/]*\)/.*|\1|p')
-  AZDO_PROJECT=$(echo "$REMOTE_URL" | sed -n 's|.*dev\.azure\.com/[^/]*/\([^/]*\)/.*|\1|p')
-  AZDO_ORG_URL="https://dev.azure.com/$AZDO_ORG"
-elif echo "$REMOTE_URL" | grep -q 'vs-ssh\.visualstudio\.com'; then
-  AZDO_ORG=$(echo "$REMOTE_URL" | sed -n 's|.*vs-ssh\.visualstudio\.com:v3/\([^/]*\)/.*|\1|p')
-  AZDO_PROJECT=$(echo "$REMOTE_URL" | sed -n 's|.*vs-ssh\.visualstudio\.com:v3/[^/]*/\([^/]*\)/.*|\1|p')
-  AZDO_ORG_URL="https://dev.azure.com/$AZDO_ORG"
-elif echo "$REMOTE_URL" | grep -q 'visualstudio\.com'; then
-  AZDO_ORG=$(echo "$REMOTE_URL" | sed -n 's|.*//\([^.]*\)\.visualstudio\.com.*|\1|p')
-  AZDO_PROJECT=$(echo "$REMOTE_URL" | sed -n 's|.*/\([^/]*\)/_git/.*|\1|p')
-  AZDO_ORG_URL="https://dev.azure.com/$AZDO_ORG"
-fi
-
-# URL-decode for CLI/display; keep URL-safe versions for REST API paths
-AZDO_PROJECT_URL_SAFE="$AZDO_PROJECT"
-AZDO_ORG=$(printf '%b' "${AZDO_ORG//%/\\x}")
-AZDO_PROJECT=$(printf '%b' "${AZDO_PROJECT//%/\\x}")
-
-if [ -z "$AZDO_ORG" ] || [ -z "$AZDO_PROJECT" ]; then
-  echo "❌ Could not extract organization/project from remote URL"
-  echo "   Remote: $REMOTE_URL"
-  echo ""
-  echo "Ensure the remote URL follows one of these formats:"
-  echo "  https://dev.azure.com/{ORG}/{PROJECT}/_git/{REPO}"
-  echo "  https://{ORG}.visualstudio.com/{PROJECT}/_git/{REPO}"
-  echo "  {ORG}@vs-ssh.visualstudio.com:v3/{ORG}/{PROJECT}/{REPO}"
-  # HALT — cannot proceed without org/project context
-fi
-```
-
-When `AZDO_MODE == cli`, also configure the defaults so commands work correctly:
-```bash
-az devops configure --defaults organization="$AZDO_ORG_URL" project="$AZDO_PROJECT"
-```
-
-When `AZDO_MODE == rest`, store these for API calls:
-- Base URL: `$AZDO_ORG_URL/$AZDO_PROJECT_URL_SAFE/_apis`
-- Auth header: `Authorization: Basic $(echo -n ":$PAT" | base64)`
-
-Report in pre-flight:
-- ✅ `azdo context` — org: `{AZDO_ORG}`, project: `{AZDO_PROJECT}`
-- ❌ `azdo context` — could not parse from remote URL → halt with instructions
-
-Pass `{AZDO_MODE}`, `{AZDO_ORG}`, `{AZDO_PROJECT}`, `{AZDO_ORG_URL}` into
-all phase prompts alongside `{PLATFORM}`.

package/skills/keel/references/azdo-platform.md

@@ -1,88 +0,0 @@
-# Azure DevOps Platform Support
-
-Shared procedures for AzDO tooling detection and configuration validation.
-Referenced by SKILL.md during pre-flight when `PLATFORM == azdo`.
-
-## AzDO Tooling Detection
-
-When `PLATFORM == azdo`, determine which tooling is available. Set `AZDO_MODE`
-for use in all subsequent phases:
-
-```bash
-if az devops -h &>/dev/null; then
-  AZDO_MODE="cli"
-else
-  AZDO_MODE="rest"
-fi
-```
-
-- **`cli`**: Use `az repos` / `az pipelines` commands (preferred)
-- **`rest`**: Use Azure DevOps REST API via `curl`. Requires a PAT (personal
-  access token) in `AZURE_DEVOPS_EXT_PAT` or `AZDO_PAT` env var. If no PAT
-  is found, prompt the user to either install the CLI or set the env var.
-
-Report in pre-flight:
-- ✅ `az devops cli` — version found
-- ⚠️ `az devops cli` — not found → using REST API fallback
-- ❌ `az devops cli` — not found, no PAT configured → halt with setup instructions
-
-## AzDO Configuration Validation
-
-When `PLATFORM == azdo`, extract organization and project from the remote URL
-and validate they are usable. These values are needed by every `az repos` /
-`az pipelines` command and every REST API call.
-
-```bash
-# Extract org and project from remote URL patterns:
-#   https://dev.azure.com/{ORG}/{PROJECT}/_git/{REPO}
-#   https://{ORG}@dev.azure.com/{ORG}/{PROJECT}/_git/{REPO}
-#   {ORG}@vs-ssh.visualstudio.com:v3/{ORG}/{PROJECT}/{REPO}
-
-REMOTE_URL=$(git remote get-url origin 2>/dev/null)
-
-if echo "$REMOTE_URL" | grep -q 'dev\.azure\.com'; then
-  AZDO_ORG=$(echo "$REMOTE_URL" | sed -n 's|.*dev\.azure\.com/\([^/]*\)/.*|\1|p')
-  AZDO_PROJECT=$(echo "$REMOTE_URL" | sed -n 's|.*dev\.azure\.com/[^/]*/\([^/]*\)/.*|\1|p')
-  AZDO_ORG_URL="https://dev.azure.com/$AZDO_ORG"
-elif echo "$REMOTE_URL" | grep -q 'vs-ssh\.visualstudio\.com'; then
-  AZDO_ORG=$(echo "$REMOTE_URL" | sed -n 's|.*vs-ssh\.visualstudio\.com:v3/\([^/]*\)/.*|\1|p')
-  AZDO_PROJECT=$(echo "$REMOTE_URL" | sed -n 's|.*vs-ssh\.visualstudio\.com:v3/[^/]*/\([^/]*\)/.*|\1|p')
-  AZDO_ORG_URL="https://dev.azure.com/$AZDO_ORG"
-elif echo "$REMOTE_URL" | grep -q 'visualstudio\.com'; then
-  AZDO_ORG=$(echo "$REMOTE_URL" | sed -n 's|.*//\([^.]*\)\.visualstudio\.com.*|\1|p')
-  AZDO_PROJECT=$(echo "$REMOTE_URL" | sed -n 's|.*/\([^/]*\)/_git/.*|\1|p')
-  AZDO_ORG_URL="https://dev.azure.com/$AZDO_ORG"
-fi
-
-# URL-decode for CLI/display; keep URL-safe versions for REST API paths
-AZDO_PROJECT_URL_SAFE="$AZDO_PROJECT"
-AZDO_ORG=$(printf '%b' "${AZDO_ORG//%/\\x}")
-AZDO_PROJECT=$(printf '%b' "${AZDO_PROJECT//%/\\x}")
-
-if [ -z "$AZDO_ORG" ] || [ -z "$AZDO_PROJECT" ]; then
-  echo "❌ Could not extract organization/project from remote URL"
-  echo "   Remote: $REMOTE_URL"
-  echo ""
-  echo "Ensure the remote URL follows one of these formats:"
-  echo "  https://dev.azure.com/{ORG}/{PROJECT}/_git/{REPO}"
-  echo "  https://{ORG}.visualstudio.com/{PROJECT}/_git/{REPO}"
-  echo "  {ORG}@vs-ssh.visualstudio.com:v3/{ORG}/{PROJECT}/{REPO}"
-  # HALT — cannot proceed without org/project context
-fi
-```
-
-When `AZDO_MODE == cli`, also configure the defaults so commands work correctly:
-```bash
-az devops configure --defaults organization="$AZDO_ORG_URL" project="$AZDO_PROJECT"
-```
-
-When `AZDO_MODE == rest`, store these for API calls:
-- Base URL: `$AZDO_ORG_URL/$AZDO_PROJECT_URL_SAFE/_apis`
-- Auth header: `Authorization: Basic $(echo -n ":$PAT" | base64)`
-
-Report in pre-flight:
-- ✅ `azdo context` — org: `{AZDO_ORG}`, project: `{AZDO_PROJECT}`
-- ❌ `azdo context` — could not parse from remote URL → halt with instructions
-
-Pass `{AZDO_MODE}`, `{AZDO_ORG}`, `{AZDO_PROJECT}`, `{AZDO_ORG_URL}` into
-all phase prompts alongside `{PLATFORM}`.