agents-templated 1.2.7 → 1.2.9

package/templates/README.md

@@ -105,7 +105,7 @@ Agents Templated automatically configures 4 major AI coding assistants:
 | **Claude** | `CLAUDE.md` | ✅ Auto-loads in Claude IDE/API |
 | **Gemini** | `GEMINI.md` | ✅ Auto-loads in Gemini IDE/API |
 
-**All agents follow the same rules:** `agents/rules/` directory contains unified patterns for security, testing, code style, and architecture. No duplication, one source of truth.
+**All agents follow the same standards:** `agents/rules/` contains behavior rules, and `agents/commands/` contains deterministic slash-command contracts.
 
 ---
 
@@ -116,7 +116,7 @@ When you run `agents-templated init`, you get:
 ```
 your-project/
 ├── agent-docs/                      # 📚 Comprehensive documentation
-│   ├── AGENTS.md                   # AI assistant guide
+│   ├── AGENTS.MD                   # AI assistant guide
 │   ├── ARCHITECTURE.md             # Project architecture & tech stack
 │   └── README.md                   # Human-readable setup guide
 │
@@ -128,8 +128,17 @@ your-project/
 │   │   ├── frontend.mdc           # Frontend patterns
 │   │   ├── database.mdc           # Database patterns
 │   │   └── style.mdc              # Code style guidelines
+│   ├── commands/
+│   │   ├── SCHEMA.md              # Global slash-command response schema
+│   │   ├── plan.md                # /plan contract
+│   │   ├── fix.md                 # /fix contract
+│   │   ├── audit.md               # /audit contract
+│   │   ├── release.md             # /release contract
+│   │   ├── ...                    # Other command contracts
+│   │   └── README.md              # Commands directory guide
 │   └── skills/
 │       ├── find-skills/           # Skill discovery helper
+│       ├── ui-ux-pro-max/         # Advanced UI/UX design implementation skill
 │       ├── README.md              # Guide for creating custom skills
 │       └── [your-custom-skills]/  # Your project-specific skills
 │
@@ -256,7 +265,7 @@ Skills define *how to execute specific tasks*, complementing rules that define *
 
 ### 4. Read the Documentation
 
-- **[AGENTS.md](AGENTS.md)** – AI assistant guide
+- **[AGENTS.MD](AGENTS.MD)** – AI assistant guide
 - **[agent-docs/ARCHITECTURE.md](agent-docs/ARCHITECTURE.md)** – Project architecture & tech stack guidance
 - **[agents/skills/README.md](agents/skills/README.md)** – Custom skills guide
 - **[agents/rules/security.mdc](agents/rules/security.mdc)** – Security patterns (CRITICAL)
@@ -306,7 +315,7 @@ Your AI will follow the enterprise patterns automatically!
 | **TestAgent** | Unit, integration, E2E, accessibility testing |
 | **SecurityAgent** | Input validation, authentication, OWASP compliance |
 
-**Reference**: [AGENTS.md](AGENTS.md)
+**Reference**: [AGENTS.MD](AGENTS.MD)
 
 ---
 

package/templates/agent-docs/ARCHITECTURE.md

@@ -7,7 +7,7 @@ These guidelines are for both humans and AI assistants working with any technolo
 - **Agent responsibilities** and MCP integration are documented in `AGENTS.MD`.
 - **Detailed implementation rules** live in `agents/rules/*.mdc` files.
 
-Read this file first to understand the architecture, then consult `AGENTS.md` for agent delegation.
+Read this file first to understand the architecture, then consult `AGENTS.MD` for agent delegation.
 
 ---
 

package/templates/agent-docs/README.md

@@ -8,7 +8,7 @@ Depending on what you installed, you may have:
 
 - **AGENTS.MD**: Agent patterns and delegation guide
 - **ARCHITECTURE.md**: Project guidelines and architecture
-- **AGENTS.md**: Instructions for AI assistants
+- **AGENTS.MD**: Instructions for AI assistants
 - **agents/rules/**: Development rules and patterns (6 files)
 - **agents/skills/**: Reusable agent skills
 - **CLAUDE.md**: Claude AI configuration
@@ -68,7 +68,7 @@ All AI assistants support skill references. Create custom skills in `agents/skil
 
 ## Getting Started
 
-1. Review AGENTS.md for AI assistance guidance
+1. Review AGENTS.MD for AI assistance guidance
 2. Review ARCHITECTURE.md for overall project guidelines
 3. Adapt the rules to your specific technology stack
 4. Create custom skills in `agents/skills/` for your domain

package/templates/agents/commands/README.md

@@ -0,0 +1,24 @@
+# Deterministic Slash Command Contracts
+
+This directory is the modular source of truth for slash-command execution contracts.
+
+- Global protocol and safety framework: `AGENTS.MD` → `Deterministic Slash Command System Standard`
+- Global response schema: `agents/commands/SCHEMA.md`
+- Command contracts:
+  - `plan.md`
+  - `task.md`
+  - `scaffold.md`
+  - `fix.md`
+  - `refactor.md`
+  - `audit.md`
+  - `perf.md`
+  - `test.md`
+  - `pr.md`
+  - `release.md`
+  - `docs.md`
+
+Execution requirements:
+- Parse slash commands deterministically.
+- Return structured output only.
+- No conversational fallback in slash mode.
+- Enforce destructive confirmation token: `CONFIRM-DESTRUCTIVE:<target>`.

package/templates/agents/commands/SCHEMA.md

@@ -0,0 +1,22 @@
+# Slash Command Output Schema
+
+All slash command responses MUST include the following top-level fields:
+
+- `command`
+- `execution_id`
+- `mode`
+- `status`
+- `inputs`
+- `prechecks`
+- `execution_log`
+- `artifacts`
+- `risks`
+- `safety_checks`
+- `stop_condition`
+- `next_action`
+
+Constraints:
+- `mode` MUST be one of: `slash-command`, `slash-command-auto`.
+- `status` MUST be one of: `completed`, `blocked`, `failed`.
+- If a field value is unknown, set it to `null`.
+- Unknown or malformed slash commands MUST return structured error output and stop.

package/templates/agents/commands/audit.md

@@ -0,0 +1,38 @@
+# /audit
+
+## A. Intent
+Run structured engineering audit across security, correctness, and maintainability.
+
+## B. When to Use
+Use before high-impact merges, releases, and external reviews.
+
+## C. Required Inputs
+- Audit scope
+- Risk profile
+- Compliance baseline
+- Hardening profile requirement (if applicable)
+
+## D. Deterministic Execution Flow
+1. Resolve audit scope.
+2. Run static checks.
+3. Run security checks.
+4. Run dependency/config checks.
+5. Verify hardening evidence when hardening-required profile applies.
+6. Classify findings by severity.
+7. Emit audit report.
+
+## E. Structured Output Template
+- `scope`
+- `checks_executed[]`
+- `findings[]`
+- `severity_summary`
+- `remediation_plan[]`
+- `hardening_evidence_status`
+
+## F. Stop Conditions
+- Inaccessible scope.
+- Unavailable tooling.
+
+## G. Safety Constraints
+- Classify secret leaks and auth bypass as critical.
+- Classify missing hardening verification evidence as release-blocking when hardening is required.

package/templates/agents/commands/docs.md

@@ -0,0 +1,34 @@
+# /docs
+
+## A. Intent
+Generate or update documentation aligned to implemented behavior.
+
+## B. When to Use
+Use when code, APIs, operations, or workflows change.
+
+## C. Required Inputs
+- Documentation scope
+- Source changes
+- Target audience
+
+## D. Deterministic Execution Flow
+1. Resolve source-of-truth artifacts.
+2. Extract behavior and API deltas.
+3. Map deltas to sections.
+4. Apply concise updates.
+5. Validate examples/commands.
+6. Emit docs change report.
+
+## E. Structured Output Template
+- `scope`
+- `sources[]`
+- `sections_updated[]`
+- `example_validation`
+- `follow_up_actions[]`
+
+## F. Stop Conditions
+- Missing source artifacts.
+- Unresolved ambiguity.
+
+## G. Safety Constraints
+- Do not publish secrets, tokens, or credentials.

package/templates/agents/commands/fix.md

@@ -0,0 +1,34 @@
+# /fix
+
+## A. Intent
+Apply the smallest safe change that resolves a verified defect.
+
+## B. When to Use
+Use for bugs with reproducible evidence.
+
+## C. Required Inputs
+- Defect description
+- Reproduction evidence
+- Target scope
+
+## D. Deterministic Execution Flow
+1. Validate defect evidence.
+2. Reproduce failure.
+3. Locate root cause.
+4. Generate minimal patch.
+5. Execute targeted validation.
+6. Emit fix report.
+
+## E. Structured Output Template
+- `defect_id`
+- `root_cause`
+- `patch_summary`
+- `files_changed[]`
+- `validation_results[]`
+
+## F. Stop Conditions
+- Non-reproducible failure.
+- Root cause unresolved.
+
+## G. Safety Constraints
+- Do not broaden scope beyond defect boundary.

package/templates/agents/commands/perf.md

@@ -0,0 +1,34 @@
+# /perf
+
+## A. Intent
+Evaluate and optimize performance using measurable baselines.
+
+## B. When to Use
+Use when latency, throughput, memory, or build-time regressions are reported.
+
+## C. Required Inputs
+- Target metrics
+- Baseline environment
+- Optimization scope
+
+## D. Deterministic Execution Flow
+1. Capture baseline metrics.
+2. Identify bottlenecks.
+3. Apply one optimization unit.
+4. Re-measure metrics.
+5. Compare against baseline.
+6. Emit performance report.
+
+## E. Structured Output Template
+- `baseline_metrics`
+- `optimization_units[]`
+- `post_metrics`
+- `regression_check`
+- `recommendation`
+
+## F. Stop Conditions
+- Missing baseline metrics.
+- Non-reproducible benchmark.
+
+## G. Safety Constraints
+- Do not trade security controls for performance.

package/templates/agents/commands/plan.md

@@ -0,0 +1,34 @@
+# /plan
+
+## A. Intent
+Generate an executable implementation plan with ordered steps and risk controls.
+
+## B. When to Use
+Use for non-trivial work requiring sequencing, dependencies, and checkpoints.
+
+## C. Required Inputs
+- Objective
+- Scope boundaries
+- Constraints
+
+## D. Deterministic Execution Flow
+1. Parse objective and constraints.
+2. Extract atomic work units.
+3. Compute dependency order.
+4. Attach validation checkpoints.
+5. Attach risk and rollback notes.
+6. Emit plan artifacts.
+
+## E. Structured Output Template
+- `plan_summary`
+- `work_units[]`
+- `dependency_graph`
+- `validation_checkpoints[]`
+- `risk_register[]`
+
+## F. Stop Conditions
+- Missing objective or scope.
+- Contradictory constraints.
+
+## G. Safety Constraints
+- Include security and testing gates for code-changing units.

package/templates/agents/commands/pr.md

@@ -0,0 +1,35 @@
+# /pr
+
+## A. Intent
+Prepare a deterministic pull request payload with implementation evidence.
+
+## B. When to Use
+Use after validated changes are ready for review.
+
+## C. Required Inputs
+- Change summary
+- Linked issues/tasks
+- Validation evidence
+
+## D. Deterministic Execution Flow
+1. Collect changed files.
+2. Summarize intent and impact.
+3. Attach validation evidence.
+4. Classify risk and rollout impact.
+5. Build reviewer checklist.
+6. Emit PR package.
+
+## E. Structured Output Template
+- `title`
+- `summary`
+- `files_changed[]`
+- `validation_evidence[]`
+- `risk_assessment`
+- `review_checklist[]`
+
+## F. Stop Conditions
+- Missing validation evidence.
+- Open critical findings.
+
+## G. Safety Constraints
+- Block PR package when critical issues remain unresolved.

package/templates/agents/commands/refactor.md

@@ -0,0 +1,34 @@
+# /refactor
+
+## A. Intent
+Improve internal structure without changing externally observable behavior.
+
+## B. When to Use
+Use for maintainability and modularity improvements.
+
+## C. Required Inputs
+- Target component/module
+- Non-functional goals
+- Behavior invariants
+
+## D. Deterministic Execution Flow
+1. Capture behavior invariants.
+2. Define refactor units.
+3. Apply one unit at a time.
+4. Verify invariants after each unit.
+5. Measure complexity delta.
+6. Emit refactor report.
+
+## E. Structured Output Template
+- `target`
+- `invariants[]`
+- `transformations[]`
+- `behavior_check_results[]`
+- `complexity_delta`
+
+## F. Stop Conditions
+- Invariant violation.
+- Missing baseline behavior.
+
+## G. Safety Constraints
+- Abort on behavior-change risk.

package/templates/agents/commands/release.md

@@ -0,0 +1,39 @@
+# /release
+
+## A. Intent
+Produce deterministic release readiness decision and rollout contract.
+
+## B. When to Use
+Use when promoting validated changes to release channels.
+
+## C. Required Inputs
+- Version/tag
+- Change manifest
+- Rollback strategy
+- Hardening verification evidence (when required by risk profile)
+
+## D. Deterministic Execution Flow
+1. Validate release prerequisites.
+2. Validate compatibility and migration risks.
+3. Validate security and test gates.
+4. Validate hardening verification evidence when hardening-required profile applies.
+5. Build release notes.
+6. Build rollout and rollback steps.
+7. Emit release contract.
+
+## E. Structured Output Template
+- `version`
+- `release_readiness`
+- `gates[]`
+- `rollout_plan[]`
+- `rollback_plan[]`
+- `release_notes`
+- `hardening_verification`
+
+## F. Stop Conditions
+- Gate failure.
+- Missing rollback strategy.
+
+## G. Safety Constraints
+- Block release when any critical gate fails.
+- Block release when required hardening evidence is missing.

package/templates/agents/commands/scaffold.md

@@ -0,0 +1,34 @@
+# /scaffold
+
+## A. Intent
+Create deterministic project/module boilerplate with secure defaults.
+
+## B. When to Use
+Use to initialize new modules/features with approved structure.
+
+## C. Required Inputs
+- Target module name
+- Runtime/stack
+- Required patterns
+
+## D. Deterministic Execution Flow
+1. Validate target path non-conflict.
+2. Resolve scaffold template.
+3. Generate file tree.
+4. Apply secure defaults.
+5. Generate baseline tests.
+6. Emit scaffold manifest.
+
+## E. Structured Output Template
+- `target`
+- `template_source`
+- `files_created[]`
+- `secure_defaults[]`
+- `tests_created[]`
+
+## F. Stop Conditions
+- Path collision.
+- Unsupported template/runtime.
+
+## G. Safety Constraints
+- Do not overwrite existing files without explicit confirmation.

package/templates/agents/commands/task.md

@@ -0,0 +1,35 @@
+# /task
+
+## A. Intent
+Convert a plan item into a deterministic execution task.
+
+## B. When to Use
+Use for bounded work with clear acceptance criteria.
+
+## C. Required Inputs
+- Task identifier
+- Acceptance criteria
+- Allowed scope
+
+## D. Deterministic Execution Flow
+1. Resolve task identifier.
+2. Validate acceptance criteria completeness.
+3. Validate scope boundaries.
+4. Define execution steps.
+5. Define verification steps.
+6. Emit task contract.
+
+## E. Structured Output Template
+- `task_id`
+- `objective`
+- `allowed_scope`
+- `execution_steps[]`
+- `verification_steps[]`
+- `acceptance_criteria[]`
+
+## F. Stop Conditions
+- Unknown task identifier.
+- Missing acceptance criteria.
+
+## G. Safety Constraints
+- Reject out-of-scope changes.

package/templates/agents/commands/test.md

@@ -0,0 +1,34 @@
+# /test
+
+## A. Intent
+Generate or execute deterministic test plans and test artifacts.
+
+## B. When to Use
+Use for feature validation, regression prevention, and release readiness.
+
+## C. Required Inputs
+- Target scope
+- Test level
+- Expected behavior
+
+## D. Deterministic Execution Flow
+1. Resolve test scope.
+2. Map behavior to test cases.
+3. Execute or generate tests.
+4. Capture pass/fail artifacts.
+5. Classify failures.
+6. Emit test report.
+
+## E. Structured Output Template
+- `scope`
+- `test_matrix[]`
+- `execution_results[]`
+- `coverage_delta`
+- `failures[]`
+
+## F. Stop Conditions
+- Unavailable runtime.
+- Undefined scope.
+
+## G. Safety Constraints
+- Do not mark success if critical tests are skipped.

package/templates/agents/rules/hardening.mdc

@@ -0,0 +1,52 @@
+---
+title: "Application Hardening & Obfuscation"
+description: "Risk-based hardening model including obfuscation, tamper resilience, and verification"
+version: "1.0.0"
+tags: ["hardening", "obfuscation", "anti-tamper", "security"]
+---
+
+## Purpose
+
+Define a technology-agnostic hardening baseline for distributed applications and high-value logic.
+
+## Core Principles
+
+- Hardening is defense-in-depth, not a replacement for secure design.
+- Obfuscation increases reverse-engineering cost but does not eliminate risk.
+- Keep authentication, authorization, secrets management, and validation as primary controls.
+
+## Risk-Based Applicability
+
+Use hardening when one or more conditions apply:
+- Client-distributed app (mobile/desktop/browser-delivered logic)
+- High-value IP in client-side logic
+- Elevated tampering, hooking, or repackaging threat model
+- High-risk business operations exposed in untrusted runtime
+
+## Hardening Control Set
+
+- Code obfuscation/minification hardening as applicable
+- Runtime integrity/tamper detection where platform allows
+- Debug/instrumentation resistance where legally and technically appropriate
+- Binary/artifact integrity verification in delivery pipeline
+- Secure handling of symbol/mapping artifacts
+
+## Obfuscation Guidance
+
+- Apply near build/release stage, not as source-authoring substitute.
+- Validate behavior after obfuscation with full regression checks.
+- Enforce performance and startup budget checks post-hardening.
+- Maintain reproducible builds and deterministic config snapshots.
+
+## Verification Requirements
+
+- Functional regression tests pass on hardened build.
+- Performance budgets remain within accepted thresholds.
+- Crash/debug workflow documented with restricted symbol access.
+- Release notes include hardening profile and known tradeoffs.
+
+## Safety Constraints
+
+- Do not claim obfuscation as complete protection.
+- Do not rely on obfuscation to protect embedded secrets.
+- Block release if hardening-required profile lacks verification evidence.

package/templates/agents/rules/intent-routing.mdc

@@ -0,0 +1,45 @@
+---
+title: "Intent Routing & Command Selection"
+description: "Deterministic intent routing from natural language to executable command contracts"
+version: "1.0.0"
+tags: ["routing", "deterministic", "workflow", "commands"]
+---
+
+## Purpose
+
+Provide deterministic routing from user intent to the correct execution pathway, with minimal clarification and strict safety behavior.
+
+## Deterministic Routing Contract
+
+1. Normalize input (trim, collapse whitespace, preserve semantic tokens).
+2. Detect explicit slash command first.
+3. If no slash command, run implicit intent routing against known command set.
+4. Select exactly one command only when confidence is sufficient.
+5. If ambiguous, return blocked output with decision-critical missing fields.
+6. Never execute destructive actions without confirmation token.
+
+## Confidence & Ambiguity Rules
+
+- High confidence: execute selected contract.
+- Medium confidence: execute with explicit assumptions in output.
+- Low confidence: return `status: blocked` with 1-2 critical clarifications.
+- Multi-intent input: split into ordered tasks only when boundaries are explicit; otherwise block.
+
+## Minimal Clarification Policy
+
+- Ask questions only when unsafe or logically blocked.
+- Ask at most 2 questions per command cycle.
+- Questions must be single-purpose and decision-critical.
+
+## Structured Output Defaults
+
+All routed executions must return schema-compliant output:
+- `command`, `execution_id`, `mode`, `status`, `inputs`
+- `prechecks`, `execution_log`, `artifacts`
+- `risks`, `safety_checks`, `stop_condition`, `next_action`
+
+## Safety Behavior
+
+- Unknown slash command: structured error and stop.
+- Ambiguous non-slash intent: blocked with minimal missing inputs.
+- High-risk actions: blocked until explicit confirmation token is present.

package/templates/agents/rules/security.mdc

@@ -241,6 +241,14 @@ No sensitive variables should ever be:
 - Included in client-side code
 - Transmitted in URLs
 
+## Application Hardening & Obfuscation
+
+- Treat obfuscation as **defense in depth**, not a replacement for authentication, authorization, secrets hygiene, or validation.
+- Apply hardening selectively by risk profile, especially for distributed clients (mobile/desktop/browser) and high-value IP logic.
+- Integrate hardening into build/release flow and require post-hardening functional regression and performance checks.
+- Protect symbol/mapping/debug artifacts with restricted access and secure retention policies.
+- Require reproducible builds and a clear rollback path for hardened releases.
+
 ## Security Checklist
 
 Before deploying to production:
@@ -266,4 +274,4 @@ Before deploying to production:
 ---
 
 Remember: **Security must be built in from the beginning, not added as an afterthought.**
-Every feature should consider security implications, and every developer should understand these principles.
+Every feature should consider security implications, and every developer should understand these principles.