agents-templated 2.2.11 → 2.2.13

package/templates/agents/commands/risk-review.md

@@ -1,33 +1,58 @@
-# /risk-review
-
-## A. Intent
-Identify release risks that may pass CI but fail in production.
-
-## B. When to Use
-Use before merge or release candidate approval.
-
-## C. Required Inputs
-- Proposed changes
-- Test and validation status
-- Deployment context
-
-## D. Deterministic Execution Flow
-1. Inspect behavior deltas.
-2. Rank risks by impact and likelihood.
-3. Validate mitigation or rollback paths.
-4. Identify missing tests.
-5. Emit ship recommendation.
-
-## E. Structured Output Template
-- `risk_findings[]`
-- `severity_summary`
-- `mitigations[]`
-- `rollback_readiness`
-- `release_recommendation`
-
-## F. Stop Conditions
-- High-severity risk has no mitigation.
-- Rollback path is undefined.
-
-## G. Safety Constraints
-- Block release for unresolved high-severity findings.
+# /risk-review
+
+## A. Intent
+Perform deterministic release risk review with mitigation and rollback readiness.
+
+## B. When to Use
+- Use before merge or release approval on non-trivial changes.
+- Do not use as a substitute for running tests.
+
+## C. Context Assumptions
+- Change set is available.
+- Validation evidence exists.
+- Deployment context is known.
+
+## D. Required Inputs
+| Input | Type | Example |
+|---------------------|------------|----------------------------------|
+| `change_set` | string | "payment retry + queue changes" |
+| `validation_status` | string[] | ["unit pass", "integration pass"] |
+| `deployment_artifact` | artifact | rollout plan, env config snapshot |
+
+## E. Pre-Execution Guards <- fail fast, check ALL before running
+- [ ] change set is fully described
+- [ ] validation status is current
+- [ ] rollback path is defined
+
+## F. Execution Flow
+1. Inspect behavior deltas and blast radius.
+2. Rank risks by impact and likelihood.
+3. Validate mitigations and rollback readiness.
+4. Decision point ->
+   - condition A -> high unresolved risk -> block recommendation
+   - condition B ->  acceptable risk -> continue.
+5. Build release risk summary and actions.
+6. Emit risk review report.
+
+## G. Output Schema
+
+```json
+{
+  "review_id": "string",
+  "risks": ["array","of","strings"],
+  "risk_level": "low | medium | high",
+  "recommendation": "string | null"
+}
+```
+
+## H. Output Target
+- Default delivery: stdout
+- Override flag: --output=<target>
+
+## I. Stop Conditions <- abort with error message, never emit partial output
+- high-severity risk has no mitigation
+- rollback readiness is undefined
+
+## J. Safety Constraints
+- Hard block: hard block on unresolved high-severity risks
+- Warn only: warn when medium risks are accepted with owner

package/templates/agents/commands/scope-shape.md

@@ -1,33 +1,58 @@
-# /scope-shape
-
-## A. Intent
-Constrain scope to the smallest high-leverage release that still proves value.
-
-## B. When to Use
-Use after problem framing and before architecture planning.
-
-## C. Required Inputs
-- Problem frame
-- Candidate feature list
-- Delivery constraints
-
-## D. Deterministic Execution Flow
-1. Rank features by impact and effort.
-2. Define must-have vs defer list.
-3. Freeze first-release boundaries.
-4. Add explicit out-of-scope items.
-5. Emit scope decision rationale.
-
-## E. Structured Output Template
-- `scope_in[]`
-- `scope_out[]`
-- `tradeoffs[]`
-- `release_goal`
-- `defer_queue[]`
-
-## F. Stop Conditions
-- Scope still exceeds constraints.
-- No out-of-scope list produced.
-
-## G. Safety Constraints
-- Prefer one reversible release over broad irreversible scope.
+# /scope-shape
+
+## A. Intent
+Constrain delivery scope to the smallest high-value reversible release.
+
+## B. When to Use
+- Use after problem framing and before architectural design.
+- Do not use when requirements are already contractually frozen.
+
+## C. Context Assumptions
+- Problem map exists.
+- Candidate feature list exists.
+- Delivery constraints are known.
+
+## D. Required Inputs
+| Input | Type | Example |
+|---------------------|------------|----------------------------------|
+| `scope_goal` | string | "ship MVP in 2 weeks" |
+| `candidate_items` | string[] | ["email login", "social login", "tutorial"] |
+| `constraint_artifact` | artifact | timeline doc, staffing snapshot |
+
+## E. Pre-Execution Guards <- fail fast, check ALL before running
+- [ ] scope goal is explicit
+- [ ] candidate items are ranked
+- [ ] out-of-scope list can be produced
+
+## F. Execution Flow
+1. Rank candidate items by value and effort.
+2. Draft in-scope and out-of-scope sets.
+3. Check scope against constraints.
+4. Decision point ->
+   - condition A -> scope exceeds constraints -> trim to MVP
+   - condition B ->  feasible scope -> continue.
+5. Build scope rationale and tradeoffs.
+6. Emit scope decision package.
+
+## G. Output Schema
+
+```json
+{
+  "scope_id": "string",
+  "scope_in": ["array","of","strings"],
+  "confidence": "low | medium | high",
+  "scope_out": "string | null"
+}
+```
+
+## H. Output Target
+- Default delivery: stdout
+- Override flag: --output=<target>
+
+## I. Stop Conditions <- abort with error message, never emit partial output
+- scope cannot satisfy constraints
+- no explicit out-of-scope definition is produced
+
+## J. Safety Constraints
+- Hard block: hard block on hidden scope creep
+- Warn only: warn when deferred items carry significant risk

package/templates/agents/commands/task.md

@@ -1,35 +1,58 @@
-# /task
-
-## A. Intent
-Convert a plan item into a deterministic execution task.
-
-## B. When to Use
-Use for bounded work with clear acceptance criteria.
-
-## C. Required Inputs
-- Task identifier
-- Acceptance criteria
-- Allowed scope
-
-## D. Deterministic Execution Flow
-1. Resolve task identifier.
-2. Validate acceptance criteria completeness.
-3. Validate scope boundaries.
-4. Define execution steps.
-5. Define verification steps.
-6. Emit task contract.
-
-## E. Structured Output Template
-- `task_id`
-- `objective`
-- `allowed_scope`
-- `execution_steps[]`
-- `verification_steps[]`
-- `acceptance_criteria[]`
-
-## F. Stop Conditions
-- Unknown task identifier.
-- Missing acceptance criteria.
-
-## G. Safety Constraints
-- Reject out-of-scope changes.
+# /task
+
+## A. Intent
+Convert approved plans into deterministic, execution-ready task batches.
+
+## B. When to Use
+- Use when a plan exists and work must be distributed to implementers.
+- Do not use before planning is complete.
+
+## C. Context Assumptions
+- An approved plan exists.
+- Owners and execution context are known.
+- Dependencies can be sequenced.
+
+## D. Required Inputs
+| Input | Type | Example |
+|---------------------|------------|----------------------------------|
+| `plan_id` | string | "plan-2026-04-03" |
+| `task_scope` | string[] | ["api", "ui", "tests"] |
+| `source_artifacts` | artifact | plan file path or issue board URL |
+
+## E. Pre-Execution Guards <- fail fast, check ALL before running
+- [ ] plan exists and is approved
+- [ ] task scope maps to explicit plan items
+- [ ] dependency order is resolvable
+
+## F. Execution Flow
+1. Read plan outputs and dependency graph.
+2. Split work into atomic tasks.
+3. Assign execution order and ownership metadata.
+4. Decision point ->
+   - condition A -> blocking dependency found -> move item to blocked queue
+   - condition B ->  no blockers -> keep in active queue.
+5. Build task package with acceptance checks.
+6. Emit task list and execution order.
+
+## G. Output Schema
+
+```json
+{
+  "task_batch_id": "string",
+  "tasks": ["array","of","strings"],
+  "priority": "low | medium | high",
+  "blocker": "string | null"
+}
+```
+
+## H. Output Target
+- Default delivery: stdout
+- Override flag: --output=<target>
+
+## I. Stop Conditions <- abort with error message, never emit partial output
+- plan_id is missing or invalid
+- critical dependency cannot be resolved
+
+## J. Safety Constraints
+- Hard block: no task emission without traceability to a plan item
+- Warn only: warn when owner assignment is temporary

package/templates/agents/commands/test-data.md

@@ -0,0 +1,56 @@
+# /test-data
+
+## A. Intent
+Produce deterministic fixtures, seeds, and mocks for downstream validation, e2e, and load phases.
+
+## B. When to Use
+- Use when QA design or backend/database changes require repeatable datasets.
+- Use before `qa-specialist(mode=validation)`, `e2e-runner`, or `performance-specialist(mode=load)`.
+
+## C. Context Assumptions
+- Acceptance criteria and target test flows are defined.
+- Data shape constraints are known.
+- Generated data can be reset safely.
+
+## D. Required Inputs
+| Input | Type | Example |
+|---------------------|------------|----------------------------------|
+| `consumer_targets` | string[] | ["qa-validation", "e2e", "perf-load"] |
+| `dataset_scope` | string | "orders with edge-case payment states" |
+| `data_constraints` | string[] | ["no PII", "stable IDs", "seed-controlled randomness"] |
+
+## E. Pre-Execution Guards <- fail fast, check ALL before running
+- [ ] dataset scope is explicit and bounded
+- [ ] production secrets and real PII are excluded
+- [ ] setup/reset path is defined and reversible
+
+## F. Execution Flow
+1. Confirm required consumer targets and edge cases.
+2. Build deterministic fixtures/seeds/mocks.
+3. Package setup/reset instructions.
+4. Validate data reproducibility and cleanup safety.
+5. Emit test-data handoff report.
+
+## G. Output Schema
+
+```json
+{
+  "data_package_id": "string",
+  "assets": ["array", "of", "strings"],
+  "setup_steps": ["array", "of", "strings"],
+  "reset_steps": ["array", "of", "strings"],
+  "handoff_targets": ["array", "of", "strings"]
+}
+```
+
+## H. Output Target
+- Default delivery: stdout
+- Override flag: --output=<target>
+
+## I. Stop Conditions <- abort with error message, never emit partial output
+- dataset constraints are ambiguous or contradictory
+- setup/reset cannot be executed safely
+
+## J. Safety Constraints
+- Hard block: never use production credentials or real PII
+- Warn only: warn when synthetic distributions are approximate

package/templates/agents/commands/test.md

@@ -1,34 +1,58 @@
-# /test
-
-## A. Intent
-Generate or execute deterministic test plans and test artifacts.
-
-## B. When to Use
-Use for feature validation, regression prevention, and release readiness.
-
-## C. Required Inputs
-- Target scope
-- Test level
-- Expected behavior
-
-## D. Deterministic Execution Flow
-1. Resolve test scope.
-2. Map behavior to test cases.
-3. Execute or generate tests.
-4. Capture pass/fail artifacts.
-5. Classify failures.
-6. Emit test report.
-
-## E. Structured Output Template
-- `scope`
-- `test_matrix[]`
-- `execution_results[]`
-- `coverage_delta`
-- `failures[]`
-
-## F. Stop Conditions
-- Unavailable runtime.
-- Undefined scope.
-
-## G. Safety Constraints
-- Do not mark success if critical tests are skipped.
+# /test
+
+## A. Intent
+Run deterministic validation and gate release readiness based on test evidence.
+
+## B. When to Use
+- Use when validating behavior after implementation or before merge/release.
+- This command now includes quality-gate behavior; do not use /quality-gate.
+
+## C. Context Assumptions
+- Test targets are defined.
+- Required environments are available.
+- Pass/fail criteria are explicit.
+
+## D. Required Inputs
+| Input | Type | Example |
+|---------------------|------------|----------------------------------|
+| `test_scope` | string | "api regression" |
+| `test_suites` | string[] | ["unit", "integration", "critical-flow"] |
+| `evidence_artifact` | artifact | test report path or CI run URL |
+
+## E. Pre-Execution Guards <- fail fast, check ALL before running
+- [ ] test scope is non-empty
+- [ ] critical test suites are executable
+- [ ] pass criteria are declared
+
+## F. Execution Flow
+1. Collect test targets and runtime config.
+2. Execute suites in deterministic order.
+3. Aggregate results and failures.
+4. Decision point ->
+   - condition A -> critical failures present -> gate = blocked
+   - condition B ->  no critical failures -> gate = pass.
+5. Build validation evidence and remediation list.
+6. Emit test and gate report.
+
+## G. Output Schema
+
+```json
+{
+  "test_run_id": "string",
+  "results": ["array","of","strings"],
+  "gate_status": "low | medium | high",
+  "blocker": "string | null"
+}
+```
+
+## H. Output Target
+- Default delivery: stdout
+- Override flag: --output=<target>
+
+## I. Stop Conditions <- abort with error message, never emit partial output
+- critical test suite cannot run
+- result schema cannot be produced
+
+## J. Safety Constraints
+- Hard block: hard block when critical flow tests fail
+- Warn only: warn when flaky tests are excluded with justification

package/templates/agents/commands/ux-bar.md

@@ -1,33 +1,58 @@
-# /ux-bar
-
-## A. Intent
-Set a minimum UX quality bar with clear criteria before UI implementation.
-
-## B. When to Use
-Use when a feature has user-facing interaction or visual design impact.
-
-## C. Required Inputs
-- Target user flow
-- Existing design language
-- Accessibility requirements
-
-## D. Deterministic Execution Flow
-1. Evaluate key interaction states.
-2. Check visual hierarchy and clarity.
-3. Validate accessibility coverage.
-4. Identify UX risks and gaps.
-5. Emit UX quality checklist.
-
-## E. Structured Output Template
-- `ux_scorecard[]`
-- `interaction_states[]`
-- `accessibility_checks[]`
-- `ux_gaps[]`
-- `improvements[]`
-
-## F. Stop Conditions
-- Critical flow has undefined state handling.
-- Accessibility constraints are missing.
-
-## G. Safety Constraints
-- Preserve existing design system patterns unless an explicit redesign is approved.
+# /ux-bar
+
+## A. Intent
+Assess UX quality bar and guarantee core interaction states are defined before build.
+
+## B. When to Use
+- Use when UX quality and accessibility need pre-implementation validation.
+- Do not use as a replacement for visual design exploration.
+
+## C. Context Assumptions
+- Scope and architecture are available.
+- Primary user flows are identified.
+- Design references exist.
+
+## D. Required Inputs
+| Input | Type | Example |
+|---------------------|------------|----------------------------------|
+| `ux_goal` | string | "reduce checkout friction" |
+| `flows` | string[] | ["cart", "payment", "confirmation"] |
+| `design_artifact` | artifact | wireframes, Figma link, screenshots |
+
+## E. Pre-Execution Guards <- fail fast, check ALL before running
+- [ ] critical flows are enumerated
+- [ ] interaction states include loading/error/empty
+- [ ] accessibility checks are defined
+
+## F. Execution Flow
+1. Review flows and interaction states.
+2. Evaluate accessibility and usability risks.
+3. Score UX gaps by severity.
+4. Decision point ->
+   - condition A -> critical UX gap -> block readiness
+   - condition B ->  manageable gaps -> continue.
+5. Build prioritized improvement list.
+6. Emit UX quality package.
+
+## G. Output Schema
+
+```json
+{
+  "ux_review_id": "string",
+  "ux_gaps": ["array","of","strings"],
+  "severity": "low | medium | high",
+  "blocker": "string | null"
+}
+```
+
+## H. Output Target
+- Default delivery: stdout
+- Override flag: --output=<target>
+
+## I. Stop Conditions <- abort with error message, never emit partial output
+- critical flow lacks defined interaction states
+- accessibility baseline is not addressed
+
+## J. Safety Constraints
+- Hard block: hard block on unaddressed critical accessibility failures
+- Warn only: warn when medium UX issues are deferred

package/templates/agents/skills/README.md

@@ -61,6 +61,12 @@ To create a new skill for your specific domain:
 │   └── SKILL.md              # Systematic feature scoping and execution contracts
 ├── bug-triage/
 │   └── SKILL.md              # Reproduction-first debugging and regression workflows
+├── debug-skill/
+│   └── SKILL.md              # Breakpoint-first debugging and execution tracing
+├── secure-code-guardian/
+│   └── SKILL.md              # Secure-by-default coding for auth and input boundaries
+├── feature-forge/
+│   └── SKILL.md              # Requirements forging before implementation starts
 ├── error-patterns/
 │   └── SKILL.md              # Persistent debugging memory and known-fix application
 ├── app-hardening/
@@ -102,6 +108,9 @@ Consider creating skills for:
 
 - `feature-delivery`: Use when user asks are broad and you need objective, scope, acceptance criteria, and validation plan.
 - `bug-triage`: Use for defects and regressions requiring reproducible evidence, root-cause isolation, and minimal safe patches.
+- `debug-skill`: Use for breakpoint-driven debugging, execution tracing, and variable-state inspection.
+- `secure-code-guardian`: Use for secure-by-default implementation across auth, secrets, and untrusted input.
+- `feature-forge`: Use before coding to turn rough asks into execution-ready requirements and acceptance criteria.
 - `error-patterns`: Use when errors repeat to apply known fixes from lessons-learned and automatically record new resolutions.
 - `app-hardening`: Use for high-risk/distributed runtimes to enforce hardening profile, obfuscation decisions, and release evidence.
 - `shadcn-ui`: Use for shadcn/ui installation, component composition, form patterns, and theme customization.

package/templates/agents/skills/debug-skill/SKILL.md

@@ -0,0 +1,39 @@
+---
+name: debug-skill
+description: Enables breakpoint-driven debugging workflows with execution tracing, state inspection, and root-cause proof before patching.
+---
+
+# Debug Skill
+
+Use this skill when the user is stuck on a bug and needs debugger-style investigation instead of print-guessing.
+
+## Trigger Conditions
+
+- User asks to debug, set breakpoints, step through code, or inspect runtime state.
+- A bug is intermittent, difficult to localize, or likely branch/state dependent.
+- Existing logs are insufficient to prove root cause.
+
+## Workflow
+
+1. Confirm a reproducible scenario and expected vs actual behavior.
+2. Define a checkpoint plan (breakpoints/log points/frames).
+3. Trace execution order across checkpoints.
+4. Capture variable-state transitions at failure boundaries.
+5. Prove root cause with execution evidence.
+6. Apply the smallest safe patch and run focused regressions.
+
+## Output Contract
+
+- Reproduction summary
+- Checkpoint plan
+- Execution trace highlights
+- State snapshots at critical steps
+- Root-cause finding
+- Minimal patch plan
+- Regression checks and residual risk
+
+## Guardrails
+
+- Do not ship speculative fixes without trace-backed evidence.
+- Do not skip regression validation after state-sensitive fixes.
+- If reproduction fails, stop and request missing runtime context.

package/templates/agents/skills/feature-forge/SKILL.md

@@ -0,0 +1,39 @@
+---
+name: feature-forge
+description: Turns vague feature requests into execution-ready requirements, acceptance criteria, and validation plans before coding starts.
+---
+
+# Feature Forge
+
+Use this skill before implementation when feature requests are high-level, ambiguous, or under-specified.
+
+## Trigger Conditions
+
+- User says build/add/create/implement without a full spec.
+- Requirements are broad or mixed between business and technical language.
+- Scope boundaries and acceptance criteria are unclear.
+
+## Workflow
+
+1. Restate objective and target user outcome.
+2. Define in-scope and out-of-scope boundaries.
+3. Convert asks into concrete functional requirements.
+4. Produce testable acceptance criteria.
+5. Split work into dependency-ordered slices.
+6. Define validation approach and rollback notes.
+
+## Output Contract
+
+- Objective summary
+- Scope in/out
+- Functional requirements
+- Acceptance criteria
+- Implementation slices
+- Validation plan
+- Risks, assumptions, and rollback notes
+
+## Guardrails
+
+- Do not move to implementation planning without explicit scope boundaries.
+- Keep acceptance criteria measurable and testable.
+- Raise blockers when requirements conflict or remain ambiguous.

package/templates/agents/skills/secure-code-guardian/SKILL.md

@@ -0,0 +1,39 @@
+---
+name: secure-code-guardian
+description: Enforces secure-by-default implementation for auth, credentials, and untrusted input paths with OWASP-aligned controls.
+---
+
+# Secure Code Guardian
+
+Use this skill when building or reviewing features that touch authentication, secrets, session logic, or user-controlled input.
+
+## Trigger Conditions
+
+- User asks for secure implementation, auth, JWT, password handling, or OWASP checks.
+- New endpoints, forms, or integrations expose untrusted input boundaries.
+- A feature handles sensitive data, identity, or permissions.
+
+## Workflow
+
+1. Map trust boundaries, actors, and attack surface.
+2. Define authentication and authorization requirements.
+3. Apply input validation and injection defenses at boundaries.
+4. Enforce credential/secrets handling and safe logging rules.
+5. Add abuse protection controls (rate limiting, lockouts, replay defenses where relevant).
+6. Define security tests and residual risk before ship recommendation.
+
+## Output Contract
+
+- Attack surface map
+- Security requirements
+- Applied controls by boundary
+- OWASP alignment notes
+- Security validation checklist
+- Residual risks and mitigations
+- Ship/block recommendation
+
+## Guardrails
+
+- Never trust client-side validation alone.
+- Never expose secrets, credentials, or sensitive payloads in logs.
+- Block release recommendation if critical controls are missing.