@slamb2k/mad-skills 2.0.55 → 2.0.57

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -1,7 +1,7 @@
1
1
  {
2
2
  "name": "mad-skills",
3
3
  "description": "AI-assisted planning, development and governance tools",
4
- "version": "2.0.55",
4
+ "version": "2.0.57",
5
5
  "author": {
6
6
  "name": "slamb2k",
7
7
  "url": "https://github.com/slamb2k"
package/hooks/hooks.json CHANGED
@@ -2,7 +2,10 @@
2
2
  "hooks": {
3
3
  "SessionStart": [{
4
4
  "matcher": "startup|clear|compact",
5
- "hooks": [{ "type": "command", "command": "_R=\"${CLAUDE_PLUGIN_ROOT}\"; [ -z \"$_R\" ] && _R=\"$HOME/.claude/plugins/marketplaces/slamb2k\"; node \"$_R/hooks/session-guard.cjs\" check", "timeout": 30 }]
5
+ "hooks": [
6
+ { "type": "command", "command": "_R=\"${CLAUDE_PLUGIN_ROOT}\"; [ -z \"$_R\" ] && _R=\"$HOME/.claude/plugins/marketplaces/slamb2k\"; node \"$_R/hooks/session-guard.cjs\" check", "timeout": 30 },
7
+ { "type": "command", "command": "_R=\"${CLAUDE_PLUGIN_ROOT}\"; [ -z \"$_R\" ] && _R=\"$HOME/.claude/plugins/marketplaces/slamb2k\"; bash \"$_R/skills/handover/scripts/handover.sh\" load", "timeout": 10 }
8
+ ]
6
9
  }],
7
10
  "UserPromptSubmit": [{
8
11
  "hooks": [{ "type": "command", "command": "_R=\"${CLAUDE_PLUGIN_ROOT}\"; [ -z \"$_R\" ] && _R=\"$HOME/.claude/plugins/marketplaces/slamb2k\"; node \"$_R/hooks/session-guard.cjs\" remind", "timeout": 10 }]
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@slamb2k/mad-skills",
3
- "version": "2.0.55",
3
+ "version": "2.0.57",
4
4
  "description": "Claude Code skills collection — full lifecycle development tools",
5
5
  "type": "module",
6
6
  "repository": {
@@ -76,6 +76,8 @@ Parse optional flags from the request:
76
76
  - `--no-ship`: Stop after Stage 8 docs update
77
77
  - `--parallel-impl`: Split implementation into parallel agents when independent
78
78
  - `--no-superpowers`: Force the standalone pipeline even when Superpowers is installed
79
+ - `--handoff`: Skip the execution-mode question and hand off to a clean session
80
+ - `--no-handoff`: Skip the execution-mode question and run here now
79
81
 
80
82
  ---
81
83
 
@@ -91,6 +93,7 @@ Before starting, check all dependencies in this table:
91
93
  | feature-dev:code-architect | agent | — | no | fallback | Uses general-purpose agent |
92
94
  | feature-dev:code-reviewer | agent | — | no | fallback | Uses general-purpose agent |
93
95
  | superpowers | plugin | on-disk glob via scripts/lib/superpowers.js | no | fallback | Routes Stage 4 impl core to superpowers:executing-plans / subagent-driven-development when present; see references/superpowers-deferral.md |
96
+ | handover | skill | `ls .claude/skills/handover/SKILL.md ~/.claude/skills/handover/SKILL.md ~/.claude/plugins/marketplaces/slamb2k/skills/handover/SKILL.md 2>/dev/null` | no | fallback | Powers the "hand off to a clean session" execution mode; ships with mad-skills, so normally present |
94
97
 
95
98
  For each row, in order:
96
99
  1. Run the Check command (for cli/npm) or test file existence (for agent/skill)
@@ -193,6 +196,67 @@ Before starting Stage 1, verify the working tree is suitable for building:
193
196
 
194
197
  ---
195
198
 
199
+ ## Execution Mode
200
+
201
+ `/build` runs every heavy stage in subagents, so the primary conversation stays
202
+ compact *during* the build. The one thing subagents can't fix is a context
203
+ window that's **already** large when you invoke `/build` — the orchestrator
204
+ (this thread) still reads reports and runs the review/ship loop on top of
205
+ whatever came before. For that, a clean start beats a clean middle.
206
+
207
+ So there is exactly one execution-mode decision, and subagents are always on
208
+ underneath either choice:
209
+
210
+ - **Run here now** — orchestrate the build in this session, stages in subagents.
211
+ - **Hand off to a clean session** — write a handover, arm the resume signal, and
212
+ let a fresh session run the *same* `/build` with its own subagents.
213
+
214
+ These are mutually exclusive — one stops here, one continues here. Do **not**
215
+ offer a "clear? yes/no" toggle on top of run-now; the handover mode *replaces*
216
+ the run-now decision.
217
+
218
+ **Resolve the mode:**
219
+
220
+ 1. If `--no-handoff` → run here now. Skip to Stage 1.
221
+ 2. If `--handoff` → hand off (only if the handover skill exists; else warn it's
222
+ unavailable and run here now).
223
+ 3. If the handover skill is **not** installed (pre-flight) → run here now
224
+ silently. No question.
225
+ 4. Otherwise, decide whether to *offer* the hand-off at all. Only offer it when a
226
+ clean start would actually help **and** the plan can survive the reset:
227
+ - **Context already large** — this session has had substantial prior work
228
+ before `/build` (long conversation, many file reads, a prior task), so the
229
+ orchestrator would start bloated. A fresh `/build` invocation in an empty
230
+ session does not need this — just run here now.
231
+ - **Plan is self-contained** — PLAN is a spec file or a complete written plan
232
+ that a handover doc can capture losslessly. If the plan leans on nuance from
233
+ *this* conversation (decisions made live, things looked at together), a
234
+ handover is lossy — prefer run-here-now so that context isn't thrown away.
235
+
236
+ If **both** hold, ask via `AskUserQuestion`:
237
+ ```
238
+ "This session already carries significant context. Hand this build off to a
239
+ clean session, or run it here now?"
240
+ ```
241
+ Options:
242
+ - **"Run here now (Recommended)"** — orchestrate in this session (subagents underneath).
243
+ - **"Hand off to a clean session"** — reset context, resume the build fresh.
244
+
245
+ If either condition fails, don't ask — run here now.
246
+
247
+ **If handing off:** capture the resolved PLAN and any Stage-2 clarifications
248
+ gathered so far, then invoke the `handover` skill. The handover document's
249
+ "next steps" MUST be a single resume action: re-run this exact build in the
250
+ fresh session, e.g. `/build {original PLAN argument}` (plus any active flags,
251
+ minus `--handoff`). Include the resolved plan content and PROJECT_CONFIG so the
252
+ fresh session doesn't re-derive them. The handover skill arms the one-shot
253
+ signal and tells the user to `/clear`. **Stop here** — do not run Stage 1; the
254
+ fresh session does.
255
+
256
+ **If running here now:** continue to Stage 1 unchanged.
257
+
258
+ ---
259
+
196
260
  ## Stage 1: Explore
197
261
 
198
262
  Launch **feature-dev:code-explorer** (fallback: general-purpose):
@@ -280,6 +280,14 @@ with development overrides (volume mounts, hot reload, debug ports).
280
280
  Detect CI system from Phase 1 (GitHub Actions / Azure Pipelines / GitLab CI).
281
281
  Read the appropriate template from `references/pipeline-templates.md`.
282
282
 
283
+ For GitHub Actions and Azure Pipelines, the templates are **hardened by default**
284
+ — read `references/hardening.md` for the OIDC auth, keyless cosign signing,
285
+ idempotency guards, and digest-pinned promotion these templates implement. The
286
+ generated workflow MUST include `id-token: write`, `provenance: true`, a cosign
287
+ `sign` in the build job and `verify` in every promotion job, an existence guard
288
+ before build, and deploy steps that reference the image by `@sha256:` digest.
289
+ (GitLab CI remains credential-based.)
290
+
283
291
  Generate a workflow that implements:
284
292
 
285
293
  **On pull request:**
@@ -349,6 +357,14 @@ If the detected framework doesn't already have a health endpoint, add a comment
349
357
  in the generated workflow noting that a `/healthz` or `/health` endpoint is
350
358
  recommended for deployment readiness probes.
351
359
 
360
+ ### 3.7 — Deployment Setup Guide (deploy/SETUP.md)
361
+
362
+ Because the pipelines are secure by default, first-run requires one-time
363
+ cloud-side trust. Generate `deploy/SETUP.md` from the **Generated deploy/SETUP.md**
364
+ section of `references/hardening.md`, substituting the target repo (`OWNER/REPO`),
365
+ chosen registry, and cloud identifiers. This file lists the federated-credential
366
+ / IAM-trust steps and the cosign verification command.
367
+
352
368
  ---
353
369
 
354
370
  ## Phase 4: Verify
@@ -366,6 +382,10 @@ Also validate generated workflow files:
366
382
  - GitHub Actions: check YAML syntax
367
383
  - Azure Pipelines: check YAML syntax
368
384
  - GitLab CI: check YAML syntax
385
+ - For the GitHub workflow, confirm it sets `id-token: write`; for Azure Pipelines,
386
+ confirm it authenticates via a Workload Identity Federation service connection
387
+ (`azureSubscription`). Both must contain a cosign `sign`+`verify` pair and
388
+ reference deploy images by `@sha256:` digest. Flag any absence as a generation error.
369
389
 
370
390
  Present the user with a summary of all generated files before writing.
371
391
 
@@ -396,6 +416,11 @@ After all files are generated and verified, present:
396
416
  │ Merge → build + test → push → deploy dev → smoke
397
417
  │ Tag → retag (no rebuild) → staging → e2e → prod
398
418
 
419
+ │ 🔐 Required cloud setup
420
+ │ • Configure federated identity (see deploy/SETUP.md)
421
+ │ • {registry-specific: IAM role / ACR federated cred / GCP WIP}
422
+ │ • First run fails until trust is configured — this is expected
423
+
399
424
  │ 🔗 Links
400
425
  │ Dockerfile: {path}
401
426
  │ Workflow: {path}
@@ -0,0 +1,104 @@
1
+ # Pipeline Hardening Reference
2
+
3
+ How `/dock` hardens the pipelines it generates. These patterns mirror
4
+ mad-skills' own release workflow, translated from npm publishing to OCI
5
+ containers. Hardened is the only mode for GitHub Actions and Azure Pipelines.
6
+
7
+ ## OIDC Registry Auth
8
+
9
+ Never store long-lived cloud registry credentials in CI. Authenticate with the
10
+ CI provider's OIDC identity, federated to a cloud role/identity.
11
+
12
+ - **GHCR** — keep the ephemeral `GITHUB_TOKEN` (already short-lived, OIDC-backed).
13
+ Requires `permissions: packages: write`.
14
+ - **AWS ECR** — `aws-actions/configure-aws-credentials@v4` with `role-to-assume`
15
+ (an IAM role trusting the GitHub OIDC provider). No access keys.
16
+ - **Azure ACR** — `azure/login@v2` with Workload Identity Federation
17
+ (`client-id` + `tenant-id` + `subscription-id`, federated credential scoped to
18
+ the repo). No client secret. Then `az acr login`.
19
+ - **Google Artifact Registry** — `google-github-actions/auth@v2` with a Workload
20
+ Identity Provider + service account. No SA key JSON.
21
+
22
+ All jobs that need OIDC set `permissions: id-token: write` (plus
23
+ `contents: read`). Azure Pipelines uses a **Workload Identity Federation service
24
+ connection** (`azureSubscription:`) instead of a stored password.
25
+
26
+ ## Signing & Provenance
27
+
28
+ - Build with `provenance: true` and `sbom: true` (buildx emits SLSA provenance +
29
+ SBOM attestations attached to the image).
30
+ - Sign the image **by digest** with keyless cosign (Fulcio certificate + Rekor
31
+ transparency log, authorized by the `id-token: write` OIDC token — no signing
32
+ key in secrets).
33
+ - Every promotion job runs `cosign verify` against the digest, asserting the
34
+ certificate identity matches the workflow's OIDC issuer and
35
+ `repo:OWNER/REPO`. Verification failure blocks promotion.
36
+
37
+ > **Private-infra note:** keyless cosign writes to the public Rekor log. Orgs
38
+ > that cannot use public transparency infra can switch to a key pair
39
+ > (`cosign generate-key-pair`, private key in a CI secret,
40
+ > `cosign sign --key`). This is a documented fallback — dock does not generate it.
41
+
42
+ ## Idempotency Guards
43
+
44
+ - Before build, guard with `crane manifest <ref>` (fallback:
45
+ `docker manifest inspect`). If the artifact already exists, skip build+push and
46
+ reuse the existing digest — the container analog of mad-skills' `npm view`
47
+ publish-guard.
48
+ - Promote/retag steps are check-then-act and tolerate an already-promoted digest
49
+ ("recovery mode") so a re-run exits cleanly instead of failing.
50
+ - A `concurrency:` group keyed on workflow + ref (`cancel-in-progress`) prevents
51
+ overlapping release runs from racing.
52
+
53
+ ## Digest-Pinned Promotion
54
+
55
+ - The build job outputs `IMAGE@sha256:<digest>` as a job output.
56
+ - Dev, staging, and prod deploy by that **digest**, never a mutable tag. Tags
57
+ like `latest` / `vX.Y.Z` may be attached for humans, but deploys resolve the
58
+ digest.
59
+ - `deploy/environments.yml` records the deployed digest so the matrix captures
60
+ exactly what shipped.
61
+
62
+ ## Generated deploy/SETUP.md
63
+
64
+ `/dock` writes `deploy/SETUP.md` into the target repo, tailored to the chosen
65
+ registry. Template body (substitute `OWNER/REPO`, registry, cloud identifiers):
66
+
67
+ ```markdown
68
+ # Deployment Setup — Required Before First Run
69
+
70
+ This pipeline uses keyless OIDC and image signing. Complete the cloud-side
71
+ trust below once; no long-lived credentials are stored in CI.
72
+
73
+ ## 1. Federated identity (pick your registry)
74
+
75
+ ### AWS ECR
76
+ - Create an IAM role trusting the GitHub OIDC provider
77
+ (`token.actions.githubusercontent.com`), condition
78
+ `token.actions.githubusercontent.com:sub = repo:OWNER/REPO:ref:refs/heads/main`
79
+ (add tag refs for releases).
80
+ - Attach a policy allowing `ecr:*` push to your repository.
81
+ - Put the role ARN in the workflow `role-to-assume`.
82
+
83
+ ### Azure ACR
84
+ - Register an app / user-assigned managed identity.
85
+ - Add a **federated credential** scoped to `repo:OWNER/REPO` (branch `main` and
86
+ tag refs), subject `repo:OWNER/REPO:ref:refs/heads/main`.
87
+ - Grant it `AcrPush` on the registry.
88
+ - Set `client-id` / `tenant-id` / `subscription-id` in the workflow.
89
+
90
+ ### Google Artifact Registry
91
+ - Create a Workload Identity Pool + provider for GitHub.
92
+ - Bind a service account with `artifactregistry.writer`, allowing
93
+ `principalSet://…/attribute.repository/OWNER/REPO`.
94
+ - Set `workload_identity_provider` + `service_account` in the workflow.
95
+
96
+ ## 2. Signing
97
+
98
+ Keyless cosign needs no setup — it uses the workflow OIDC token and the public
99
+ Rekor log. To verify locally:
100
+ `cosign verify --certificate-identity-regexp 'https://github.com/OWNER/REPO/.*' --certificate-oidc-issuer https://token.actions.githubusercontent.com REGISTRY/IMAGE@sha256:...`
101
+
102
+ If public transparency logging is not allowed, switch to a key pair (see the
103
+ Signing & Provenance note in the dock hardening reference).
104
+ ```