@wrongstack/core 0.250.0 → 0.256.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (104) hide show
  1. package/dist/{agent-bridge-4gc0vfW2.d.ts → agent-bridge-BrxWHEOm.d.ts} +1 -1
  2. package/dist/{agent-subagent-runner-Dz-9kiE6.d.ts → agent-subagent-runner-US741uBH.d.ts} +17 -8
  3. package/dist/{brain-sCZ3lCjq.d.ts → brain-TjEEwSpw.d.ts} +18 -1
  4. package/dist/{compactor-BRfg3QPd.d.ts → compactor-C5sT4U7I.d.ts} +1 -1
  5. package/dist/{config-eSsrto5d.d.ts → config-DuAu23zm.d.ts} +16 -1
  6. package/dist/{context-CLz3z_E8.d.ts → context-CGdgA0q6.d.ts} +13 -0
  7. package/dist/coordination/index.d.ts +14 -14
  8. package/dist/coordination/index.js +153 -2
  9. package/dist/coordination/index.js.map +1 -1
  10. package/dist/defaults/index.d.ts +25 -25
  11. package/dist/defaults/index.js +238 -42
  12. package/dist/defaults/index.js.map +1 -1
  13. package/dist/execution/index.d.ts +15 -15
  14. package/dist/execution/index.js +121 -22
  15. package/dist/execution/index.js.map +1 -1
  16. package/dist/execution/prompt-enhancer.d.ts +1 -1
  17. package/dist/extension/index.d.ts +6 -6
  18. package/dist/{goal-preamble-BjJpnLW4.d.ts → goal-preamble-UiEkbNmW.d.ts} +21 -10
  19. package/dist/{index-Dy8OwfBD.d.ts → index-CC0Mcm05.d.ts} +9 -9
  20. package/dist/{index-IehiNryU.d.ts → index-CitPrI3a.d.ts} +20 -7
  21. package/dist/index.d.ts +112 -42
  22. package/dist/index.js +759 -114
  23. package/dist/index.js.map +1 -1
  24. package/dist/infrastructure/index.d.ts +6 -6
  25. package/dist/infrastructure/index.js +12 -0
  26. package/dist/infrastructure/index.js.map +1 -1
  27. package/dist/kernel/index.d.ts +10 -10
  28. package/dist/kernel/index.js.map +1 -1
  29. package/dist/{llm-selector-D22R4AFz.d.ts → llm-selector-CJ4SyAFE.d.ts} +2 -2
  30. package/dist/{mcp-servers-DfXxCASH.d.ts → mcp-servers-D8YnLaEp.d.ts} +3 -3
  31. package/dist/models/index.d.ts +5 -5
  32. package/dist/{models-registry-DpanBg8D.d.ts → models-registry-ByZCdFuQ.d.ts} +1 -1
  33. package/dist/{multi-agent-coordinator-CnbEqpv0.d.ts → multi-agent-coordinator-DqTUEAeC.d.ts} +1 -1
  34. package/dist/{null-fleet-bus-Do1OLYpj.d.ts → null-fleet-bus-B5mfTJXT.d.ts} +17 -6
  35. package/dist/observability/index.d.ts +2 -2
  36. package/dist/{package-outdated-watcher-CA5GGB4C.d.ts → package-outdated-watcher-BSgR_kK-.d.ts} +24 -3
  37. package/dist/{parallel-eternal-engine-UZg1xOzE.d.ts → parallel-eternal-engine-C0juOszP.d.ts} +24 -10
  38. package/dist/{path-resolver-BaP06Owy.d.ts → path-resolver-CbkT-RMU.d.ts} +3 -3
  39. package/dist/{permission-DbWPbuoA.d.ts → permission-CwBBpCoF.d.ts} +1 -1
  40. package/dist/{permission-policy-AOk0LVsV.d.ts → permission-policy-B8rSu908.d.ts} +39 -2
  41. package/dist/{pipeline-D1n-gQI-.d.ts → pipeline-JG8XoudC.d.ts} +43 -3
  42. package/dist/{plan-templates-BUVRY0pU.d.ts → plan-templates-DPiQMkBz.d.ts} +5 -5
  43. package/dist/{provider-runner-D0HgUqwV.d.ts → provider-runner-hM7EXlLI.d.ts} +3 -3
  44. package/dist/{retry-policy-BVnkbMET.d.ts → retry-policy-Tg7LXkoK.d.ts} +1 -1
  45. package/dist/sdd/index.d.ts +8 -8
  46. package/dist/{secret-vault-CeVNiy_f.d.ts → secret-vault-BkYkJWQs.d.ts} +1 -1
  47. package/dist/security/index.d.ts +4 -4
  48. package/dist/security/index.js +89 -18
  49. package/dist/security/index.js.map +1 -1
  50. package/dist/{selector-Cb4_9-hf.d.ts → selector-DWsqVjGf.d.ts} +1 -1
  51. package/dist/{session-event-bridge-BhtkkFFy.d.ts → session-event-bridge-BAFWdgQ3.d.ts} +1 -1
  52. package/dist/{session-reader-CCOssnBS.d.ts → session-reader-CqRvaL5v.d.ts} +1 -1
  53. package/dist/{skill-Bj6Ezqb8.d.ts → skill-DGIXCtdv.d.ts} +6 -0
  54. package/dist/skills/index.d.ts +1 -1
  55. package/dist/storage/index.d.ts +10 -10
  56. package/dist/storage/index.js +8 -1
  57. package/dist/storage/index.js.map +1 -1
  58. package/dist/types/index.d.ts +19 -19
  59. package/dist/types/index.js +95 -25
  60. package/dist/types/index.js.map +1 -1
  61. package/dist/utils/index.d.ts +2 -2
  62. package/dist/utils/index.js +5 -0
  63. package/dist/utils/index.js.map +1 -1
  64. package/package.json +2 -2
  65. package/skills/api-design/SKILL.md +1 -0
  66. package/skills/api-design/SKILL.save.md +26 -0
  67. package/skills/audit-log/SKILL.md +9 -2
  68. package/skills/audit-log/SKILL.save.md +22 -0
  69. package/skills/bug-hunter/SKILL.md +10 -2
  70. package/skills/bug-hunter/SKILL.save.md +33 -0
  71. package/skills/chimera/SKILL.md +12 -18
  72. package/skills/chimera/SKILL.save.md +26 -0
  73. package/skills/docker-deploy/SKILL.md +1 -0
  74. package/skills/docker-deploy/SKILL.save.md +23 -0
  75. package/skills/git-flow/SKILL.md +23 -2
  76. package/skills/git-flow/SKILL.save.md +25 -0
  77. package/skills/multi-agent/SKILL.md +23 -2
  78. package/skills/multi-agent/SKILL.save.md +26 -0
  79. package/skills/node-modern/SKILL.md +2 -1
  80. package/skills/node-modern/SKILL.save.md +21 -0
  81. package/skills/observability/SKILL.md +1 -0
  82. package/skills/observability/SKILL.save.md +34 -0
  83. package/skills/output-standards/SKILL.md +133 -0
  84. package/skills/output-standards/SKILL.save.md +21 -0
  85. package/skills/prompt-engineering/SKILL.md +2 -1
  86. package/skills/prompt-engineering/SKILL.save.md +29 -0
  87. package/skills/react-modern/SKILL.md +2 -1
  88. package/skills/react-modern/SKILL.save.md +24 -0
  89. package/skills/refactor-planner/SKILL.md +9 -2
  90. package/skills/refactor-planner/SKILL.save.md +26 -0
  91. package/skills/research-web/SKILL.md +1 -0
  92. package/skills/research-web/SKILL.save.md +25 -0
  93. package/skills/sdd/SKILL.md +2 -1
  94. package/skills/sdd/SKILL.save.md +19 -0
  95. package/skills/security-scanner/SKILL.md +10 -3
  96. package/skills/security-scanner/SKILL.save.md +23 -0
  97. package/skills/skill-creator/SKILL.md +2 -1
  98. package/skills/skill-creator/SKILL.save.md +20 -0
  99. package/skills/tech-stack/SKILL.md +13 -226
  100. package/skills/tech-stack/SKILL.save.md +25 -0
  101. package/skills/testing/SKILL.md +1 -0
  102. package/skills/testing/SKILL.save.md +22 -0
  103. package/skills/typescript-strict/SKILL.md +2 -1
  104. package/skills/typescript-strict/SKILL.save.md +19 -0
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@wrongstack/core",
3
- "version": "0.250.0",
3
+ "version": "0.256.0",
4
4
  "license": "MIT",
5
5
  "description": "WrongStack core: kernel, types, defaults, and shared utilities for the WrongStack CLI agent.",
6
6
  "repository": {
@@ -97,7 +97,7 @@
97
97
  ],
98
98
  "wrongstackApiVersion": "0.1.10",
99
99
  "devDependencies": {
100
- "@types/node": "^25.9.2",
100
+ "@types/node": "^25.9.3",
101
101
  "tsup": "^8.5.1",
102
102
  "typescript": "^6.0.3"
103
103
  },
@@ -137,3 +137,4 @@ Body: { "status": "paused" }
137
137
  - `typescript-strict` — for type-safe request/response types
138
138
  - `security-scanner` — for scanning API implementations for injection, auth, and secrets
139
139
  - `testing` — for writing integration tests against API endpoints
140
+ - `output-standards` — for standardized `<next_steps>` formatting
@@ -0,0 +1,26 @@
1
+ # API Design — WrongStack (Compact)
2
+
3
+ Designs and reviews REST APIs for WrongStack services. JSON over HTTPS, conventional HTTP status codes, cursor-based pagination.
4
+
5
+ ## Rules
6
+
7
+ 1. Use conventional HTTP status codes: 200 (ok), 201 (created), 400 (bad request), 401 (unauthorized), 403 (forbidden), 404 (not found), 500 (server error).
8
+ 2. Always return consistent error shape: `{ "error": { "code": "ERROR_CODE", "message": "Human readable" } }`.
9
+ 3. Use plural nouns for resource names: `/sessions` not `/session`.
10
+ 4. Pagination: cursor-based for large datasets, not offset-based.
11
+ 5. Request validation: validate on server, return 400 with field-level errors.
12
+ 6. Idempotency: POST to /resources creates; PUT to /resources/:id replaces.
13
+ 7. No secrets in URLs — put auth in headers, not query params.
14
+ 8. Versioning: prefix with `/v1/` when breaking changes are inevitable.
15
+
16
+ ## Error codes
17
+
18
+ | Code | HTTP | When |
19
+ |------|------|------|
20
+ | VALIDATION_ERROR | 400 | Request invalid |
21
+ | UNAUTHORIZED | 401 | Missing/invalid auth |
22
+ | FORBIDDEN | 403 | No permission |
23
+ | NOT_FOUND | 404 | Resource missing |
24
+ | CONFLICT | 409 | Duplicate |
25
+ | RATE_LIMITED | 429 | Too many requests |
26
+ | INTERNAL_ERROR | 500 | Server failure |
@@ -4,7 +4,7 @@ description: |
4
4
  Use this skill when analyzing WrongStack session logs, event streams, or
5
5
  system traces to surface patterns, anomalies, or operational insights.
6
6
  Triggers: user says "audit", "session analysis", "log analysis", "usage patterns".
7
- version: 1.1.0
7
+ version: 1.2.0
8
8
  ---
9
9
 
10
10
  # Audit Log Agent — WrongStack
@@ -152,6 +152,12 @@ When reading a session file:
152
152
  ### Cost Trend
153
153
  - Iteration 1-10: avg $0.04/iteration
154
154
  - Iteration 11-20: avg $0.11/iteration (context growth)
155
+
156
+ <next_steps>
157
+ 1. Investigate bash failures — command timeout pattern in iterations 14-20
158
+ 2. Review tool call count in iteration 14 — 50+ tool calls suggests loop
159
+ 3. Run `pnpm test` to verify fixes for identified issues
160
+ </next_steps>
155
161
  ```
156
162
 
157
163
  ## Anti-patterns
@@ -166,4 +172,5 @@ When reading a session file:
166
172
 
167
173
  - `bug-hunter` — for turning audit findings into concrete bugs to fix
168
174
  - `refactor-planner` — for addressing systemic issues found in logs
169
- - `security-scanner` — for security-adjacent findings (leaked keys, injection patterns in logs)
175
+ - `security-scanner` — for security-adjacent findings (leaked keys, injection patterns in logs)
176
+ - `output-standards` — for standardized `<next_steps>` formatting
@@ -0,0 +1,22 @@
1
+ # Audit Log Agent — WrongStack (Compact)
2
+
3
+ Analyzes session logs, event streams, and system traces to surface patterns, anomalies, and actionable insights.
4
+
5
+ ## Rules
6
+
7
+ 1. Always parse from the source JSONL — never summarize what you didn't read.
8
+ 2. Analyze one session at a time, or aggregate with clear labeling.
9
+ 3. Cite specific data in reports: iteration numbers, tool names, error messages.
10
+ 4. Flag repeated failures (same tool, 5+ times) as a real issue.
11
+ 5. Report cost trends in context of iteration count.
12
+
13
+ ## What to look for
14
+
15
+ - **Tool usage**: 100+ calls to same tool = possible loop. Same tool failing 5x+ = bug.
16
+ - **Cost**: Tokens/iteration trending up = context bloat. Sudden 3x increase = large file reads.
17
+ - **Context**: >50 tool calls per iteration = unfocused. Compaction 3x+ = too much context.
18
+ - **Errors**: All errors in one tool = command timeout pattern. Same error 47x = systemic.
19
+
20
+ ## Session file structure
21
+
22
+ JSONL with events: iteration_start, tool_call, tool_result, error, compaction, cost, iteration_end.
@@ -4,7 +4,7 @@ description: |
4
4
  Use this skill when scanning source code for bugs, anti-patterns, code smells,
5
5
  or quality issues in a WrongStack project. Triggers: user says "bug", "bug hunt",
6
6
  "scan for issues", "find problems", "anti-pattern", "code smell", "static analysis".
7
- version: 1.1.0
7
+ version: 1.2.0
8
8
  ---
9
9
 
10
10
  # Bug Hunter — WrongStack
@@ -125,10 +125,18 @@ const data: any = response.json();
125
125
  | Low | 3 |
126
126
 
127
127
  Total: 16 findings in 12 files
128
+
129
+ <next_steps>
130
+ 1. [SHELL-INJ] `tools/shell.ts:42` — replace exec() with execFile()
131
+ 2. [SECRET] `lib/config.ts:8` — move API key to environment variable
132
+ 3. [MEMORY] `tools/pool.ts:89` — add cleanup in component unmount
133
+ 4. [TYPE] `core/agent.ts:103` — replace `as any` with proper type
134
+ </next_steps>
128
135
  ```
129
136
 
130
137
  ## Skills in scope
131
138
 
132
139
  - `security-scanner` — for hardcoded secrets and injection vectors
133
140
  - `refactor-planner` — for fixing findings across multiple files
134
- - `typescript-strict` — for type-safety related findings
141
+ - `typescript-strict` — for TypeScript type safety rules
142
+ - `output-standards` — for standardized `<next_steps>` formatting
@@ -0,0 +1,33 @@
1
+ # Bug Hunter — WrongStack (Compact)
2
+
3
+ Scans code for bugs and code smells. Outputs a prioritized hit list with file:line references.
4
+
5
+ ## Rules
6
+
7
+ 1. Always include `file:line` in every finding — no line reference = can't be fixed.
8
+ 2. Never scan `node_modules`.
9
+ 3. Don't report style issues as bugs — those are lint findings.
10
+ 4. If >30% of findings are noise, note the false positive rate.
11
+ 5. Sort output: critical > high > medium > low.
12
+ 6. Don't flag deprecated APIs without severity.
13
+
14
+ ## Severity levels
15
+
16
+ | Level | Meaning | Action |
17
+ |-------|---------|--------|
18
+ | **Critical** | Security breach, data loss, crash | Fix immediately |
19
+ | **High** | Logic bug, race condition, memory leak | Fix before release |
20
+ | **Medium** | Error handling gap, type unsafety | Fix soon |
21
+ | **Low** | Style, minor code smell | Consider fixing |
22
+
23
+ ## Key patterns to find
24
+
25
+ | Pattern | Severity |
26
+ |---------|----------|
27
+ | Uncaught promise `.then(` without `.catch` | high |
28
+ | Hardcoded secret `[A-Za-z0-9/+=]{40}` | critical |
29
+ | unsafe any `: any` or `as any` | medium |
30
+ | innerHTML assignment | high |
31
+ | Missing await | high |
32
+ | SQL concatenation `"SELECT * FROM " + table` | critical |
33
+ | Shell injection `exec(\`cmd ${input}\`)` | critical |
@@ -1,11 +1,10 @@
1
1
  ---
2
2
  name: chimera
3
3
  description: |
4
- Use this skill when performing a post-session code quality review of files
5
- changed during an AI coding session. Activated automatically by the chimera
6
- plugin after each session completes.
7
- Triggers: post-session review, chimera agent, session-end code check.
8
- version: 1.0.0
4
+ Use this skill for post-session code quality review of files changed during
5
+ a WrongStack session. Triggers: user says "review", "code review", "quality check",
6
+ "post-session review", "chimeric review".
7
+ version: 1.2.0
9
8
  ---
10
9
 
11
10
  # Chimera — Post-Session Code Guardian
@@ -33,19 +32,7 @@ issues the session agent may have missed.
33
32
  6. **One finding per line.** Each finding must have: severity, file:line, and a
34
33
  one-sentence fix.
35
34
 
36
- ## What to look for
37
-
38
- | Category | Examples | Severity |
39
- |----------|----------|----------|
40
- | **Logic bugs** | Off-by-one, inverted condition, null deref without guard | Critical / High |
41
- | **Type safety** | `as any`, missing return type on export, `!` assertion | Medium |
42
- | **Error handling** | Missing try/catch on async, swallowed errors | High |
43
- | **Security** | Hardcoded secret, shell injection, innerHTML XSS | Critical |
44
- | **Resource leaks** | Event listener not removed, file handle not closed | Medium |
45
- | **Test gaps** | New logic without corresponding test | Medium |
46
- | **API design** | Wrong status code, missing validation, secrets in URL | High |
47
-
48
- ## Report format
35
+ ## Output format
49
36
 
50
37
  Write your report as a single message appended to the chat. Use this structure:
51
38
 
@@ -68,6 +55,12 @@ Write your report as a single message appended to the chat. Use this structure:
68
55
  - Files reviewed: N
69
56
  - Findings: C critical, H high, M medium
70
57
  - Clean files: N
58
+
59
+ <next_steps>
60
+ 1. [CRITICAL] `path/file.ts:42` — add null guard for `user`
61
+ 2. [HIGH] `path/config.ts:8` — move API key to environment variable
62
+ 3. [MEDIUM] `path/helper.ts:15` — replace `as any` with `as unknown as T`
63
+ </next_steps>
71
64
  ```
72
65
 
73
66
  If you find **nothing** worth flagging: write a single line.
@@ -103,3 +96,4 @@ likely missed, not decisions it explicitly made.
103
96
  - `typescript-strict` — for TypeScript type safety rules
104
97
  - `api-design` — for API design review patterns
105
98
  - `testing` — for test coverage assessment
99
+ - `output-standards` — for standardized `<next_steps>` formatting
@@ -0,0 +1,26 @@
1
+ # Chimera — Post-Session Code Guardian (Compact)
2
+
3
+ Post-session code quality agent. Reviews files changed during the session.
4
+
5
+ ## Rules
6
+
7
+ 1. Only review changed files.
8
+ 2. Read before judging — always read the file before flagging.
9
+ 3. Be surgical — flag real bugs, not style preferences.
10
+ 4. No re-litigation — don't re-raise issues already discussed.
11
+ 5. Severity-ranked: Critical > High > Medium > Low.
12
+ 6. One finding per line: severity, file:line, one-sentence fix.
13
+
14
+ ## Output format
15
+
16
+ ```
17
+ ## 🦂 Chimera Review
18
+
19
+ ### Critical (N)
20
+ 1. [BUG] path/file.ts:42 — null deref on user.name
21
+ → Add guard: if (!user) throw new NotFoundError()
22
+
23
+ ### Summary
24
+ - Files reviewed: N
25
+ - Clean files: N
26
+ ```
@@ -153,3 +153,4 @@ trivy image --exit-code 1 --ignore-unfixed --severity HIGH,CRITICAL wrongstack:$
153
153
  - `git-flow` — for tagging releases and managing Docker image versions
154
154
  - `node-modern` — for Node.js-specific containerization patterns
155
155
  - `observability` — for logging and tracing in containerized environments
156
+ - `output-standards` — for standardized `<next_steps>` formatting
@@ -0,0 +1,23 @@
1
+ # Docker Deploy — WrongStack (Compact)
2
+
3
+ Containerizes and deploys WrongStack with Docker.
4
+
5
+ ## Rules
6
+
7
+ 1. Multi-stage build: build stage + runtime stage (production deps only).
8
+ 2. Use `node:*` base image with pinned version — not `node:latest`.
9
+ 3. Never run as root in the container — use a non-root user.
10
+ 4. Pass secrets via environment variables, not baked into the image.
11
+ 5. Tag images with git SHA: `wrongstack:$GIT_SHA`.
12
+ 6. Scan images for vulnerabilities: `trivy image` or `docker scout` before push.
13
+ 7. Use `.dockerignore` to exclude `node_modules`, `dist`, `.git`, `*.test.ts`.
14
+
15
+ ## Key best practices
16
+
17
+ | Practice | Why |
18
+ |----------|-----|
19
+ | Pin base image version | Reproducibility |
20
+ | Multi-stage build | 1GB → ~150MB |
21
+ | Non-root user | Security: container compromise ≠ host root |
22
+ | `.dockerignore` | Smaller image, faster builds |
23
+ | No `latest` tag | You always know which SHA |
@@ -4,7 +4,7 @@ description: |
4
4
  Use this skill when proposing, reviewing, or troubleshooting git commits,
5
5
  branches, pull requests, or merge strategies in a WrongStack project session.
6
6
  Triggers: user mentions "commit", "branch", "PR", "merge", "rebase", "stash", "diff".
7
- version: 1.1.0
7
+ version: 1.2.0
8
8
  ---
9
9
 
10
10
  # Git Workflow — WrongStack
@@ -132,8 +132,29 @@ git rebase main && git merge --ff-only feature
132
132
  - **Committing lockfile with logic changes**: Keep them separate for easier rollbacks
133
133
  - **Branching from branches**: Always branch from `main` or a stable release tag
134
134
 
135
+ ## Output format
136
+
137
+ ```
138
+ ## Git Workflow Report — <task>
139
+
140
+ ### Changes Summary
141
+ [What files changed, how many commits, what the impact is]
142
+
143
+ ### Recommended Actions
144
+ 1. Create branch `feature-name` from `main`
145
+ 2. Commit changes with conventional commit format
146
+ 3. Open PR with description linking to issue
147
+
148
+ <next_steps>
149
+ 1. `git checkout -b fix/session-leak` from `main`
150
+ 2. Commit with: `fix: correct race condition in token refresh`
151
+ 3. Open PR with description linking to issue #123
152
+ </next_steps>
153
+ ```
154
+
135
155
  ## Skills in scope
136
156
 
137
157
  - `refactor-planner` — when a refactor involves multiple git-managed changes
138
158
  - `multi-agent` — for fleet-wide version audits across packages
139
- - `bug-hunter` — for spotting bugs at commit time before they reach main
159
+ - `bug-hunter` — for spotting bugs at commit time before they reach main
160
+ - `output-standards` — for standardized `<next_steps>` formatting
@@ -0,0 +1,25 @@
1
+ # Git Workflow — WrongStack (Compact)
2
+
3
+ Guides commit messages, branch hygiene, PR strategy, and merge decisions. WrongStack uses pnpm workspaces.
4
+
5
+ ## Rules
6
+
7
+ 1. One concern per commit — never mix logic changes with lockfile updates.
8
+ 2. Never force-push shared branches — use `--force-with-lease` on own branches only.
9
+ 3. Always branch from `main` or a stable release tag.
10
+ 4. Small, frequent commits with clear messages beat large, vague ones.
11
+ 5. Rebase onto `main` before PR when safe for cleaner history.
12
+ 6. Delete branches after merge unless shared or releasing.
13
+
14
+ ## Commit format
15
+
16
+ `type: short description` — types: `fix`, `feat`, `docs`, `refactor`, `test`, `chore`, `perf`, `ci`
17
+
18
+ - Subject ≤ 72 chars, imperative mood, no trailing period.
19
+ - Body: explain **why**, not what (the diff shows what).
20
+ - Reference issues: `Fix #123` or `Closes GH-456`.
21
+
22
+ ## Branch strategy
23
+
24
+ - One topic per branch: `feat/login`, `fix/session-leak`, `refactor/auth-layer`
25
+ - Delete after merge, rebase onto main before PR
@@ -4,7 +4,7 @@ description: |
4
4
  Use this skill when a task would benefit from parallel execution across
5
5
  multiple AI agents, or when orchestrating leader/worker patterns in WrongStack.
6
6
  Triggers: user says "fan out", "parallel", "delegate", "subagent", "fleet", "coordinator".
7
- version: 1.1.0
7
+ version: 1.2.0
8
8
  ---
9
9
 
10
10
  # Multi-Agent Coordination — WrongStack
@@ -113,6 +113,26 @@ For each worker result:
113
113
  - Present as unified report
114
114
  ```
115
115
 
116
+ ## Leader output format
117
+
118
+ When a leader synthesizes results from subagents:
119
+
120
+ ```
121
+ ## Synthesis Report — <task>
122
+
123
+ ### Summary
124
+ [Unified summary of all findings]
125
+
126
+ ### Unified Next Steps
127
+ [Deduplicated and prioritized action items]
128
+
129
+ <next_steps>
130
+ 1. [Priority] Action item 1 — file:line reference
131
+ 2. [Priority] Action item 2 — file:line reference
132
+ 3. [Priority] Action item 3 — file:line reference
133
+ </next_steps>
134
+ ```
135
+
116
136
  ## Anti-patterns
117
137
 
118
138
  - **Over-delegation**: Firing 50 subagents in one turn — model context explodes, nothing gets done
@@ -131,6 +151,7 @@ Subagents share **nothing** — no memory, no session state, no variable scope.
131
151
  - `security-scanner` — parallel security scans
132
152
  - `refactor-planner` — parallel module analysis
133
153
  - `audit-log` — aggregating multiple session analyses
154
+ - `output-standards` — for standardized `<next_steps>` formatting
134
155
 
135
156
  ---
136
157
 
@@ -184,4 +205,4 @@ collab_debug(["packages/**/src/**/*.ts"])
184
205
 
185
206
  ### For large codebases
186
207
 
187
- Run **package-by-package** or **module-by-module** sessions. Target only the area under review, not the whole repo.
208
+ Run **package-by-package** or **module-by-module** sessions. Target only the area under review, not the whole repo.
@@ -0,0 +1,26 @@
1
+ # Multi-Agent Coordination — WrongStack (Compact)
2
+
3
+ Coordinates parallel AI agent execution for tasks that benefit from fanning out.
4
+
5
+ ## Rules
6
+
7
+ 1. Subagents share nothing — no memory, no session state.
8
+ 2. Leader must aggregate results.
9
+ 3. Narrow task scope per subagent — broad tasks exhaust budget.
10
+ 4. Role must match task — don't use bug-hunter to write docs.
11
+ 5. Check `stopReason`: end_turn (clean), budget_exhausted (retry), error (surface), aborted (don't retry).
12
+ 6. Don't fan out single atomic tasks under 5 tool calls.
13
+
14
+ ## When to fan out
15
+
16
+ ✅ Good: "Audit 50 files" — one subagent per 5-10 files. "Run tests in 12 packages" — parallel.
17
+ ❌ Avoid: Single atomic task under 5 calls. Tasks requiring shared state.
18
+
19
+ ## Roles
20
+
21
+ | Role | Responsibility |
22
+ |------|---------------|
23
+ | **Leader** | Coordinates, delegates, synthesizes |
24
+ | **Worker** | Executes a narrow subtask |
25
+ | **Reviewer** | Validates worker output |
26
+ | **Architect** | Design decisions when workers hit ambiguity |
@@ -186,4 +186,5 @@ while (true) {
186
186
  - `typescript-strict` — strict TypeScript patterns
187
187
  - `react-modern` — React Server Components with Node.js
188
188
  - `bug-hunter` — catching async/await bugs, unhandled rejections
189
- - `sdd` — for setting up new Node.js features with a spec first
189
+ - `sdd` — for setting up new Node.js features with a spec first
190
+ - `output-standards` — for standardized `<next_steps>` formatting
@@ -0,0 +1,21 @@
1
+ # Modern Node.js (>= 22) — WrongStack (Compact)
2
+
3
+ Node.js >= 22 patterns: ESM-only, native fetch with AbortSignal, Web Streams.
4
+
5
+ ## Rules
6
+
7
+ 1. Always use ESM (`import` with `.js` extension) — never `require()`.
8
+ 2. Always use `node:` protocol for built-in modules.
9
+ 3. Always use `AbortSignal.timeout()` for long-running operations.
10
+ 4. Never use axios, node-fetch, or got — native fetch is sufficient.
11
+ 5. Always handle `ENOENT` on file reads — use try/catch or `access` first.
12
+ 6. Use `Promise.allSettled` when partial failure is acceptable.
13
+
14
+ ## Key patterns
15
+
16
+ - **ESM**: `import * as fs from 'node:fs/promises'`, `import { helper } from './helper.js'`
17
+ - **fetch**: `const res = await fetch(url, { signal: AbortSignal.timeout(5000) })`
18
+ - **Atomic write**: write to `.tmp`, then `rename(tmp, target)`
19
+ - **Parallel**: `const results = await Promise.allSettled(tasks.map(t => t.run()))`
20
+ - **Streams**: `response.body.getReader()` with `TextDecoder`
21
+ - **AbortSignal**: Combine signals with `AbortSignal.any([userSignal, timeoutSignal])`
@@ -132,3 +132,4 @@ Every log should include:
132
132
  - `bug-hunter` — for finding bugs via error trace patterns
133
133
  - `security-scanner` — for ensuring no secrets leak into logs
134
134
  - `node-modern` — for async tracing patterns with AbortSignal
135
+ - `output-standards` — for standardized `<next_steps>` formatting
@@ -0,0 +1,34 @@
1
+ # Observability — WrongStack (Compact)
2
+
3
+ Instruments WrongStack code with structured logs, traces, and metrics.
4
+
5
+ ## Rules
6
+
7
+ 1. Log at the right level: DEBUG (dev), INFO (normal), WARN (recoverable), ERROR (needs attention).
8
+ 2. Structured logs only — JSON to stdout, not plain text to files.
9
+ 3. Every significant event needs a `traceId`.
10
+ 4. Never log secrets, tokens, or PII — redact before logging.
11
+ 5. Logs must answer: what happened, what context, what was the outcome.
12
+
13
+ ## Log schema
14
+
15
+ ```json
16
+ {
17
+ "level": "info|warn|error",
18
+ "traceId": "uuid",
19
+ "event": "event_name",
20
+ "timestamp": "ISO8601",
21
+ "duration_ms": 12,
22
+ "outcome": "success|failure|timeout"
23
+ }
24
+ ```
25
+
26
+ ## Metrics
27
+
28
+ | Metric | Type | Why |
29
+ |--------|------|-----|
30
+ | `tool.executions` | Counter | How often each tool runs |
31
+ | `tool.duration_ms` | Histogram | Latency per tool |
32
+ | `session.iterations` | Gauge | Active iterations |
33
+ | `error.count` | Counter | Errors by type |
34
+ | `context.tokens` | Gauge | Context size |
@@ -0,0 +1,133 @@
1
+ ---
2
+ name: output-standards
3
+ description: |
4
+ Use this skill when defining or enforcing output formatting standards for agent
5
+ responses in WrongStack. Triggers: user says "next steps format", "output standard",
6
+ "response format", "final message format", "standardize next steps".
7
+ version: 1.0.0
8
+ ---
9
+
10
+ # Output Standards — WrongStack
11
+
12
+ Standardizes the format of agent output, particularly the `next_steps` section
13
+ in final messages. This ensures system-level parsing and automation can reliably
14
+ extract structured data from agent responses.
15
+
16
+ ## Rules
17
+
18
+ 1. **Every final message MUST include `<next_steps>` tag** — no exceptions for completed tasks.
19
+ 2. **Tags must be properly closed** — `<next_steps>...</next_steps>` with exact tag names.
20
+ 3. **No markdown inside tags** — plain text only, one action per line.
21
+ 4. **Use imperative mood** — "Fix X", "Run Y", not "Fixed X" or "Running Y".
22
+ 5. **Be specific** — mention file paths, tool names, or exact commands.
23
+ 6. **Keep concise** — max 5 items unless the task genuinely requires more.
24
+
25
+ ## Output Format
26
+
27
+ Every agent's final message MUST end with this structure:
28
+
29
+ ```
30
+ [... task results ...]
31
+
32
+ <next_steps>
33
+ 1. First actionable next step — imperative, specific
34
+ 2. Second actionable next step
35
+ 3. Third actionable next step (if needed)
36
+ </next_steps>
37
+ ```
38
+
39
+ ### Format Requirements
40
+
41
+ | Element | Rule | Example |
42
+ |---------|------|---------|
43
+ | Opening tag | `<next_steps>` on its own line | `<next_steps>` |
44
+ | Numbered items | `1. ` prefix, one per line | `1. Fix auth bug in core/session.ts` |
45
+ | Closing tag | `</next_steps>` on its own line | `</next_steps>` |
46
+ | Blank line before | Optional but recommended | Improves readability |
47
+ | Blank line after | Not required | — |
48
+
49
+ ### ✅ Correct Examples
50
+
51
+ ```
52
+ Task completed successfully.
53
+
54
+ <next_steps>
55
+ 1. Fix shell injection in packages/cli/src/slash-commands/dev.ts:15
56
+ 2. Replace Math.random() with randomUUID() in 4 files
57
+ 3. Run pnpm run typecheck to verify fixes
58
+ </next_steps>
59
+ ```
60
+
61
+ ```
62
+ Analysis finished. Found 3 critical issues.
63
+
64
+ <next_steps>
65
+ 1. [CRITICAL] packages/cli/src/slash-commands/dev.ts:15 — exec() → execFile()
66
+ 2. [HIGH] packages/core/src/session-registry.ts:145 — remove ! assertion
67
+ 3. [HIGH] packages/core/src/session-registry.ts:169 — remove ! assertion
68
+ </next_steps>
69
+ ```
70
+
71
+ ### ❌ Incorrect Examples
72
+
73
+ ```
74
+ Task done. Next steps: 1) fix bug 2) run tests
75
+
76
+ # ❌ No tags — not parseable
77
+ ```
78
+
79
+ ```
80
+ <next_steps>
81
+ - Fix the bug in auth.ts # ❌ Dash, not number
82
+ - Run tests
83
+ </next_steps>
84
+
85
+ # ❌ Wrong bullet character
86
+ ```
87
+
88
+ ```
89
+ <next_steps>
90
+ 1. **Fix the bug** — use execFile instead # ❌ Markdown inside tags
91
+ 2. Run `pnpm test`
92
+ </next_steps>
93
+
94
+ # ❌ Markdown formatting not allowed inside tags
95
+ ```
96
+
97
+ ```
98
+ Next steps:
99
+ 1. Fix auth.ts
100
+
101
+ # ❌ Missing opening/closing tags
102
+ ```
103
+
104
+ ## Subagent Requirements
105
+
106
+ When a **leader agent** synthesizes output from **subagents**, the leader MUST:
107
+
108
+ 1. Aggregate all subagent `next_steps` into a unified `<next_steps>` section
109
+ 2. Remove duplicates (dedupe by file path + action)
110
+ 3. Re-prioritize if needed (critical > high > medium > low)
111
+ 4. Keep the unified list within the 5-item guideline, but no hard cap
112
+
113
+ When a **subagent** completes its task, it MUST:
114
+
115
+ 1. Include its own `<next_steps>` section in the final message
116
+ 2. Report what it found/achieved, not what the leader should do
117
+ 3. Leader will aggregate and decide on overall next steps
118
+
119
+ ## Anti-patterns
120
+
121
+ - **Don't use markdown inside `<next_steps>`** — plain text only
122
+ - **Don't skip the tag** — even if next steps are obvious, include them
123
+ - **Don't use dashes or asterisks** — use `1.`, `2.`, `3.` numbering
124
+ - **Don't be vague** — "fix bugs" is useless, "fix auth/session.ts:42" is actionable
125
+ - **Don't exceed 5 items without reason** — if >5, it's probably not a single task
126
+
127
+ ## Skills in scope
128
+
129
+ - `bug-hunter` — inherits output-standards for bug reports
130
+ - `security-scanner` — inherits output-standards for security findings
131
+ - `refactor-planner` — inherits output-standards for refactoring plans
132
+ - `architect` — inherits output-standards for architecture analysis
133
+ - `tech-stack` — inherits output-standards for dependency reports
@@ -0,0 +1,21 @@
1
+ # Output Standards — WrongStack (Compact)
2
+
3
+ Standardizes the format of agent output, particularly the `<next_steps>` section in final messages.
4
+
5
+ ## Rules
6
+
7
+ 1. Every final message MUST include `<next_steps>` tag — no exceptions.
8
+ 2. Tags must be properly closed — `<next_steps>...</next_steps>`.
9
+ 3. No markdown inside tags — plain text only, one action per line.
10
+ 4. Use imperative mood — "Fix X", not "Fixed X".
11
+ 5. Be specific — mention file paths, tool names, or exact commands.
12
+ 6. Keep concise — max 5 items unless the task genuinely requires more.
13
+
14
+ ## Format
15
+
16
+ ```
17
+ <next_steps>
18
+ 1. [Priority] Action item with file:line reference
19
+ 2. [Priority] Second action item
20
+ </next_steps>
21
+ ```
@@ -133,4 +133,5 @@ See `skill-creator` skill for the format. Key points:
133
133
 
134
134
  - `skill-creator` — for creating new skills (primary — prompt-engineering feeds into skill creation)
135
135
  - `typescript-strict` — for TypeScript-specific prompt typing
136
- - `react-modern` — for React component prompt conventions
136
+ - `react-modern` — for React component prompt conventions
137
+ - `output-standards` — for standardized `<next_steps>` formatting