agents-templated 1.2.7 → 1.2.9

package/templates/agents/rules/system-workflow.mdc

@@ -0,0 +1,63 @@
+---
+title: "System Workflow Orchestration"
+description: "Lifecycle gates and required artifacts for systematic delivery"
+version: "1.0.0"
+tags: ["workflow", "gates", "delivery", "governance"]
+---
+
+## Purpose
+
+Define a repeatable lifecycle so all work is traceable, verifiable, and releasable.
+
+## Workflow Phases
+
+1. Discover
+2. Plan
+3. Implement
+4. Verify
+5. Release
+
+## Phase Requirements
+
+### 1) Discover
+- Capture objective, scope boundaries, constraints, and risk profile.
+- Produce: context summary + assumptions.
+
+### 2) Plan
+- Break work into atomic units and dependency order.
+- Define acceptance criteria and rollback considerations.
+- Produce: execution plan with checkpoints.
+
+### 3) Implement
+- Apply smallest safe changes within declared scope.
+- Keep changes deterministic and reversible when possible.
+- Produce: change summary and affected files.
+
+### 4) Verify
+- Run relevant tests/checks (targeted first, broad second).
+- Confirm security and regression impact.
+- Produce: validation evidence.
+
+### 5) Release
+- Check gates: tests, security posture, migration safety, rollback readiness.
+- Produce: release decision + rollout/rollback steps.
+
+## Required Delivery Artifacts
+
+- Objective and scope
+- Acceptance criteria
+- Risk register
+- Validation evidence
+- Rollback strategy (for non-trivial changes)
+
+## Gate Rules
+
+- Fail any critical gate -> `status: blocked`.
+- Missing rollback for risky changes -> blocked.
+- Missing validation evidence -> blocked.
+
+## Rollback Requirements
+
+- Identify rollback trigger conditions.
+- Provide explicit rollback steps.
+- Keep backups/version references for destructive changes.

package/templates/agents/rules/testing.mdc

@@ -253,6 +253,19 @@ Test: Database query optimization
 - Measure execution time
 - Assert completes efficiently
 
+## Hardening Verification Testing
+
+When hardening/obfuscation is enabled (see `agents/rules/hardening.mdc`), require additional validation on hardened artifacts.
+
+### Required Checks for Hardened Builds
+
+- Run core functional regression tests against hardened output, not only non-hardened builds.
+- Run performance checks and compare against accepted budgets (startup, latency, memory as applicable).
+- Validate crash/debug workflow with restricted symbol/mapping artifact access controls.
+- Confirm release evidence includes hardening profile rationale and rollback trigger/steps.
+
+If these checks are missing for a hardening-required profile, release readiness should be treated as blocked.
+
 ## Security Testing
 
 Test security requirements and threat scenarios.
@@ -355,4 +368,4 @@ tests/
 
 Remember: **Tests are documentation** of how your code should behave.
 Write clear, concise tests that describe expected behavior.
-Good tests make refactoring and maintenance easier and reduce bugs in production.
+Good tests make refactoring and maintenance easier and reduce bugs in production.

package/templates/agents/rules/workflows.mdc

@@ -34,6 +34,12 @@ Before committing, consider running (in order):
 3. **Tests** – At least the fast test suite (e.g. unit tests) so regressions are caught early.
 4. **Project validation** – For agents-templated projects, `agents-templated validate` can confirm setup is intact.
 
+For high-risk or distributed-client releases, add hardening-specific checks before merge/release:
+
+5. **Hardening profile selection** – Document threat model and selected profile from `agents/rules/hardening.mdc`.
+6. **Post-hardening verification** – Run functional regression and performance checks on hardened artifacts.
+7. **Artifact controls** – Verify restricted handling for symbol/mapping/debug artifacts and confirm rollback path.
+
 Do not commit with failing lint or tests unless the user explicitly requests a WIP commit (e.g. with `--no-verify` or a clear “work in progress” message).
 
 ## Commit Messages
@@ -46,4 +52,5 @@ Do not commit with failing lint or tests unless the user explicitly requests a W
 
 - Use **agents-templated validate** and **doctor** to maintain project setup and get recommendations.
 - Run **lint**, **type check**, and **tests** before committing when possible.
+- For hardening-required releases, include profile rationale, post-hardening verification evidence, and rollback readiness.
 - Write clear commit messages and reference issues where applicable.

package/templates/agents/skills/README.md

@@ -57,6 +57,14 @@ To create a new skill for your specific domain:
 agents/skills/
 ├── find-skills/
 │   └── SKILL.md              # Meta-skill for discovering skills
+├── feature-delivery/
+│   └── SKILL.md              # Systematic feature scoping and execution contracts
+├── bug-triage/
+│   └── SKILL.md              # Reproduction-first debugging and regression workflows
+├── app-hardening/
+│   └── SKILL.md              # Risk-based hardening and obfuscation guidance
+├── ui-ux-pro-max/
+│   └── SKILL.md              # Premium UI/UX implementation patterns
 ├── my-custom-skill/
 │   └── SKILL.md              # Your custom skill
 └── README.md                 # This file
@@ -84,6 +92,12 @@ Consider creating skills for:
 | Design          | UI/UX, accessibility, design systems    |
 | Productivity    | Workflows, automation, git patterns      |
 
+## Recommended Baseline Skills
+
+- `feature-delivery`: Use when user asks are broad and you need objective, scope, acceptance criteria, and validation plan.
+- `bug-triage`: Use for defects and regressions requiring reproducible evidence, root-cause isolation, and minimal safe patches.
+- `app-hardening`: Use for high-risk/distributed runtimes to enforce hardening profile, obfuscation decisions, and release evidence.
+
 ## Using Skills in Your Project
 
 Skills can be referenced in all your AI assistant configuration files:
@@ -112,7 +126,7 @@ Reference the [skill-name] skill in `agents/skills/[skill-name]/SKILL.md` for pa
 When helping with [domain-specific task], reference the [skill-name] skill from `agents/skills/[skill-name]/SKILL.md`
 ```
 
-### Documentation (`AGENTS.md`)
+### Documentation (`AGENTS.MD`)
 ```markdown
 - When working with [domain], see the [skill-name] skill in `agents/skills/[skill-name]/SKILL.md`
 ```

package/templates/agents/skills/app-hardening/SKILL.md

@@ -0,0 +1,45 @@
+---
+name: app-hardening
+description: Applies risk-based application hardening guidance including obfuscation decisions, integrity controls, and release evidence.
+---
+
+# App Hardening
+
+Use this skill for security hardening of distributed applications and sensitive client-side logic.
+
+## Trigger Conditions
+
+- User asks for hardening, anti-tamper, reverse-engineering resistance, or secure release posture.
+- Project includes mobile/desktop/browser-delivered code with high-value logic.
+
+## Decision Matrix
+
+Apply hardening when:
+- Threat model includes tampering/repackaging/hooking, or
+- Client runtime is untrusted, or
+- Business/IP impact is high.
+
+Keep baseline controls regardless:
+- AuthN/AuthZ, validation, secrets hygiene, monitoring.
+
+## Workflow
+
+1. Define threat model and assets at risk.
+2. Select hardening profile by risk tier.
+3. Choose controls (obfuscation, integrity checks, runtime protections).
+4. Integrate into build/release pipeline.
+5. Run post-hardening functional + performance validation.
+6. Produce release evidence and rollback path.
+
+## Required Evidence
+
+- Hardening profile selection rationale
+- Verification results (functional + performance)
+- Symbol/mapping artifact access policy
+- Rollback steps and trigger conditions
+
+## Guardrails
+
+- Never treat obfuscation as a standalone security solution.
+- Never store secrets in client code.
+- Block release when hardening-required profile lacks evidence.

package/templates/agents/skills/bug-triage/SKILL.md

@@ -0,0 +1,36 @@
+---
+name: bug-triage
+description: Reproduction-first bug workflow for reliable root-cause isolation, minimal patching, and regression protection.
+---
+
+# Bug Triage
+
+Use this skill for defects, crashes, unexpected behavior, and regressions.
+
+## Trigger Conditions
+
+- User reports bug symptoms ("broken", "fails", "crash", "not working").
+- There is a failing test or reproducible scenario.
+
+## Workflow
+
+1. Capture reproducible steps and expected vs actual behavior.
+2. Confirm failure reproduction locally or from evidence.
+3. Isolate probable subsystem and narrow root cause.
+4. Apply smallest safe patch in bounded scope.
+5. Add or run regression tests.
+6. Validate fix and report residual risks.
+
+## Output Contract
+
+- Defect summary and reproduction
+- Root cause hypothesis/finding
+- Patch summary
+- Validation evidence
+- Regression coverage update
+
+## Guardrails
+
+- Do not patch without reproduction evidence unless explicitly approved.
+- Avoid broad refactors in bug-fix flow.
+- Block when scope or acceptance criteria are unsafe/unclear.

package/templates/agents/skills/feature-delivery/SKILL.md

@@ -0,0 +1,38 @@
+---
+name: feature-delivery
+description: Converts vague feature requests into scoped execution contracts with acceptance criteria, risk controls, and validation steps.
+---
+
+# Feature Delivery
+
+Use this skill when users describe features informally and need a systematic execution path.
+
+## Trigger Conditions
+
+- User asks to "build", "add", "create", or "implement" a feature.
+- Requirements are partial, broad, or non-technical.
+- Scope and acceptance criteria are not explicit.
+
+## Workflow
+
+1. Parse objective from user language.
+2. Define scope boundaries (in/out).
+3. Generate acceptance criteria (2-5 concrete checks).
+4. Derive implementation units in dependency order.
+5. Define validation plan (unit/integration/e2e where relevant).
+6. Identify risks and rollback notes.
+
+## Output Contract
+
+- Objective summary
+- Scope boundaries
+- Acceptance criteria
+- Execution steps
+- Verification steps
+- Risks and assumptions
+
+## Guardrails
+
+- Ask minimal clarifications only when blocked.
+- Do not execute destructive or broad changes without explicit scope.
+- Keep plans deterministic and auditable.