agileflow 3.1.0 → 3.2.0

package/src/core/teams/perf-audit.json

@@ -0,0 +1,71 @@
+{
+  "name": "perf-audit",
+  "description": "Multi-perspective performance bottleneck analysis team for finding optimization opportunities",
+  "version": "1.0.0",
+  "lead": {
+    "agent": "agileflow-perf-consensus",
+    "delegate_mode": true,
+    "plan_approval": false
+  },
+  "teammates": [
+    {
+      "agent": "agileflow-perf-analyzer-queries",
+      "role": "analyzer",
+      "domain": "queries",
+      "description": "Analyzes N+1 queries, unindexed lookups, missing pagination, ORM anti-patterns"
+    },
+    {
+      "agent": "agileflow-perf-analyzer-rendering",
+      "role": "analyzer",
+      "domain": "rendering",
+      "description": "Analyzes unnecessary re-renders, missing memoization, expensive computations in render"
+    },
+    {
+      "agent": "agileflow-perf-analyzer-memory",
+      "role": "analyzer",
+      "domain": "memory",
+      "description": "Analyzes memory leaks, event listener cleanup, growing collections, closure captures"
+    },
+    {
+      "agent": "agileflow-perf-analyzer-bundle",
+      "role": "analyzer",
+      "domain": "bundle",
+      "description": "Analyzes large imports, missing tree-shaking, absent dynamic imports, duplicate deps"
+    },
+    {
+      "agent": "agileflow-perf-analyzer-compute",
+      "role": "analyzer",
+      "domain": "compute",
+      "description": "Analyzes sync I/O, CPU-intensive loops, blocking operations, algorithmic inefficiency"
+    },
+    {
+      "agent": "agileflow-perf-analyzer-network",
+      "role": "analyzer",
+      "domain": "network",
+      "description": "Analyzes HTTP waterfall, missing batching, no compression, large payloads"
+    },
+    {
+      "agent": "agileflow-perf-analyzer-caching",
+      "role": "analyzer",
+      "domain": "caching",
+      "description": "Analyzes missing memoization, redundant computations, no HTTP cache headers"
+    },
+    {
+      "agent": "agileflow-perf-analyzer-assets",
+      "role": "analyzer",
+      "domain": "assets",
+      "description": "Analyzes unoptimized images, render-blocking resources, missing lazy loading"
+    }
+  ],
+  "quality_gates": {
+    "teammate_idle": {
+      "tests": false,
+      "lint": false,
+      "types": false
+    },
+    "task_completed": {
+      "require_validator_approval": false
+    }
+  },
+  "tags": ["analysis", "performance", "optimization", "audit"]
+}

package/src/core/teams/security-audit.json

@@ -0,0 +1,71 @@
+{
+  "name": "security-audit",
+  "description": "Multi-perspective security vulnerability analysis team for finding exploitable weaknesses",
+  "version": "1.0.0",
+  "lead": {
+    "agent": "agileflow-security-consensus",
+    "delegate_mode": true,
+    "plan_approval": false
+  },
+  "teammates": [
+    {
+      "agent": "agileflow-security-analyzer-injection",
+      "role": "analyzer",
+      "domain": "injection",
+      "description": "Analyzes SQL injection, command injection, NoSQL injection, template injection"
+    },
+    {
+      "agent": "agileflow-security-analyzer-auth",
+      "role": "analyzer",
+      "domain": "authentication",
+      "description": "Analyzes weak hashing, JWT flaws, session fixation, broken auth flows"
+    },
+    {
+      "agent": "agileflow-security-analyzer-authz",
+      "role": "analyzer",
+      "domain": "authorization",
+      "description": "Analyzes IDOR, privilege escalation, path traversal, CORS, CSRF"
+    },
+    {
+      "agent": "agileflow-security-analyzer-secrets",
+      "role": "analyzer",
+      "domain": "secrets-crypto",
+      "description": "Analyzes hardcoded credentials, weak crypto, insecure randomness"
+    },
+    {
+      "agent": "agileflow-security-analyzer-input",
+      "role": "analyzer",
+      "domain": "input-validation",
+      "description": "Analyzes XSS, prototype pollution, SSRF, file upload, ReDoS"
+    },
+    {
+      "agent": "agileflow-security-analyzer-deps",
+      "role": "analyzer",
+      "domain": "dependencies",
+      "description": "Analyzes known CVEs, typosquatting, overly permissive version ranges"
+    },
+    {
+      "agent": "agileflow-security-analyzer-infra",
+      "role": "analyzer",
+      "domain": "infrastructure",
+      "description": "Analyzes Docker security, security headers, HTTPS, exposed endpoints"
+    },
+    {
+      "agent": "agileflow-security-analyzer-api",
+      "role": "analyzer",
+      "domain": "api-security",
+      "description": "Analyzes mass assignment, data exposure, rate limiting, GraphQL"
+    }
+  ],
+  "quality_gates": {
+    "teammate_idle": {
+      "tests": false,
+      "lint": false,
+      "types": false
+    },
+    "task_completed": {
+      "require_validator_approval": false
+    }
+  },
+  "tags": ["analysis", "security", "vulnerabilities", "audit"]
+}

package/src/core/teams/test-audit.json

@@ -0,0 +1,71 @@
+{
+  "name": "test-audit",
+  "description": "Multi-perspective test quality analysis team for finding test suite weaknesses",
+  "version": "1.0.0",
+  "lead": {
+    "agent": "agileflow-test-consensus",
+    "delegate_mode": true,
+    "plan_approval": false
+  },
+  "teammates": [
+    {
+      "agent": "agileflow-test-analyzer-coverage",
+      "role": "analyzer",
+      "domain": "coverage",
+      "description": "Analyzes untested critical paths, missing error path tests, low branch coverage"
+    },
+    {
+      "agent": "agileflow-test-analyzer-fragility",
+      "role": "analyzer",
+      "domain": "fragility",
+      "description": "Analyzes timing-dependent tests, order-dependent tests, environment-dependent tests"
+    },
+    {
+      "agent": "agileflow-test-analyzer-mocking",
+      "role": "analyzer",
+      "domain": "mocking",
+      "description": "Analyzes over-mocking, mock leakage, testing mocks instead of code"
+    },
+    {
+      "agent": "agileflow-test-analyzer-assertions",
+      "role": "analyzer",
+      "domain": "assertions",
+      "description": "Analyzes weak assertions, missing negative tests, snapshot overuse"
+    },
+    {
+      "agent": "agileflow-test-analyzer-structure",
+      "role": "analyzer",
+      "domain": "structure",
+      "description": "Analyzes test organization, naming clarity, code duplication, file length"
+    },
+    {
+      "agent": "agileflow-test-analyzer-integration",
+      "role": "analyzer",
+      "domain": "integration",
+      "description": "Analyzes missing API tests, absent E2E coverage, unit-only test suites"
+    },
+    {
+      "agent": "agileflow-test-analyzer-maintenance",
+      "role": "analyzer",
+      "domain": "maintenance",
+      "description": "Analyzes dead tests, outdated assertions, tests passing for wrong reasons"
+    },
+    {
+      "agent": "agileflow-test-analyzer-patterns",
+      "role": "analyzer",
+      "domain": "patterns",
+      "description": "Analyzes anti-patterns: testing privates, deep mock chains, God test objects"
+    }
+  ],
+  "quality_gates": {
+    "teammate_idle": {
+      "tests": false,
+      "lint": false,
+      "types": false
+    },
+    "task_completed": {
+      "require_validator_approval": false
+    }
+  },
+  "tags": ["analysis", "testing", "quality", "audit"]
+}

package/src/core/templates/command-prerequisites.yaml

@@ -0,0 +1,169 @@
+# command-prerequisites.yaml
+#
+# Declarative prerequisites for AgileFlow commands.
+# Checked before command execution to warn about unmet requirements.
+#
+# Schema:
+#   commands.<name>.prerequisites[]:
+#     signal      - Dot-path into extracted signals (e.g. git.branch, statusJson)
+#     description - Human-readable explanation of what's needed
+#     fix         - Actionable instruction to resolve
+#     severity    - critical (will fail) | high (poor results) | medium (suboptimal)
+#
+# Signals are extracted by smart-detect.js extractSignals() and include:
+#   git.branch, git.onFeatureBranch, git.isClean, git.filesChanged
+#   statusJson, storyCount, story, story.epic
+#   packageJson, tests.hasTestSetup
+#   files.playwright, files.tsconfig, files.coverage, files.ciConfig
+
+version: "1.0.0"
+
+settings:
+  fail_open: true
+  max_warnings: 5
+
+commands:
+  verify:
+    prerequisites:
+      - signal: tests.hasTestSetup
+        description: "Test framework must be configured (scripts.test in package.json)"
+        fix: "Add a test script to package.json, e.g. \"test\": \"jest\" or \"test\": \"vitest\""
+        severity: critical
+
+  babysit:
+    prerequisites:
+      - signal: statusJson
+        description: "status.json must exist with stories to work on"
+        fix: "Run: /agileflow:story to create stories, or /agileflow:epic to plan an epic"
+        severity: critical
+
+  pr:
+    prerequisites:
+      - signal: git.onFeatureBranch
+        description: "Must be on a feature branch (not main/master)"
+        fix: "Create a feature branch: git checkout -b feat/your-feature"
+        severity: critical
+      - signal: story
+        description: "An active story should be set for PR description"
+        fix: "Run: /agileflow:status to set a current story"
+        severity: high
+
+  deploy:
+    prerequisites:
+      - signal: git.branch
+        description: "Git repository must be initialized"
+        fix: "Run: git init"
+        severity: critical
+      - signal: packageJson
+        description: "package.json must exist for deployment configuration"
+        fix: "Run: npm init -y"
+        severity: critical
+
+  audit:
+    prerequisites:
+      - signal: story
+        description: "An active story is needed to audit completion"
+        fix: "Run: /agileflow:status to set a current story"
+        severity: critical
+      - signal: statusJson
+        description: "status.json must exist with story data"
+        fix: "Run: /agileflow:story to create stories"
+        severity: critical
+
+  board:
+    prerequisites:
+      - signal: statusJson
+        description: "status.json must exist to display the board"
+        fix: "Run: /agileflow:story to create your first story"
+        severity: critical
+      - signal: storyCount
+        description: "At least one story must exist"
+        fix: "Run: /agileflow:story to create a story"
+        severity: high
+
+  sprint:
+    prerequisites:
+      - signal: statusJson
+        description: "status.json must exist for sprint planning"
+        fix: "Run: /agileflow:story to create stories first"
+        severity: critical
+      - signal: storyCount
+        description: "Stories are needed for sprint planning"
+        fix: "Run: /agileflow:epic to break down features into stories"
+        severity: high
+
+  browser-qa:
+    prerequisites:
+      - signal: files.playwright
+        description: "Playwright must be configured (playwright.config.ts or .js)"
+        fix: "Run: npm init playwright@latest"
+        severity: critical
+
+  review:
+    prerequisites:
+      - signal: git.onFeatureBranch
+        description: "Must be on a feature branch for code review"
+        fix: "Create a feature branch: git checkout -b feat/your-feature"
+        severity: critical
+      - signal: git.filesChanged
+        description: "There should be changed files to review"
+        fix: "Make some code changes before requesting a review"
+        severity: high
+
+  baseline:
+    prerequisites:
+      - signal: tests.hasTestSetup
+        description: "Test framework must be configured to establish a baseline"
+        fix: "Add a test script to package.json"
+        severity: critical
+      - signal: git.branch
+        description: "Git repository must be initialized"
+        fix: "Run: git init"
+        severity: high
+
+  metrics:
+    prerequisites:
+      - signal: statusJson
+        description: "status.json must exist for metrics calculation"
+        fix: "Run: /agileflow:story to start tracking work"
+        severity: critical
+      - signal: storyCount
+        description: "Stories are needed to compute metrics"
+        fix: "Run: /agileflow:story to create stories"
+        severity: high
+
+  velocity:
+    prerequisites:
+      - signal: statusJson
+        description: "status.json must exist for velocity tracking"
+        fix: "Run: /agileflow:story to start tracking work"
+        severity: critical
+      - signal: storyCount
+        description: "Completed stories are needed for velocity calculation"
+        fix: "Complete some stories to build velocity history"
+        severity: high
+
+  compress:
+    prerequisites:
+      - signal: statusJson
+        description: "status.json must exist to compress"
+        fix: "No status.json to compress - create stories first with /agileflow:story"
+        severity: critical
+
+  retro:
+    prerequisites:
+      - signal: statusJson
+        description: "status.json must exist for retrospective data"
+        fix: "Run: /agileflow:story to start tracking work"
+        severity: critical
+      - signal: storyCount
+        description: "Stories are needed for meaningful retrospective"
+        fix: "Complete some stories before running a retrospective"
+        severity: high
+
+  changelog:
+    prerequisites:
+      - signal: git.branch
+        description: "Git repository must be initialized with commit history"
+        fix: "Run: git init && git add -A && git commit -m 'initial commit'"
+        severity: critical

package/src/core/templates/damage-control-patterns.yaml

@@ -228,6 +228,15 @@ agileflowProtections:
 #
 # =====================================================
 
+# ─── Release Process Enforcement ───
+# Forces use of ./scripts/release.sh instead of manual commands
+releaseProtections:
+  - pattern: '\bnpm\s+version\s+'
+    reason: "Use ./scripts/release.sh instead of npm version"
+
+  - pattern: '\bgit\s+tag\s+v\d+\.\d+\.\d+'
+    reason: "Use ./scripts/release.sh instead of manual git tag"
+
 # ─── Project-Specific Patterns (add yours below) ───
 # customPatterns:
 #   - pattern: 'your-pattern-here'

package/tools/cli/installers/ide/_base-ide.js

@@ -71,7 +71,8 @@ class BaseIdeSetup {
     });
 
     // Replace standalone "docs" word (not followed by .)
-    result = result.replace(/\bdocs\b(?!\.)/g, this.docsFolder);
+    // Use replacement function to avoid $ in docsFolder being interpreted as regex backreference
+    result = result.replace(/\bdocs\b(?!\.)/g, () => this.docsFolder);
 
     return result;
   }
@@ -371,15 +372,38 @@ class BaseIdeSetup {
   /**
    * Recursively install markdown files from source to target directory
    * Handles content injection and docs reference replacement.
+   * Optionally applies IDE-specific transformations via ideTransform callback.
+   *
    * @param {string} sourceDir - Source directory path
    * @param {string} targetDir - Target directory path
    * @param {string} agileflowDir - AgileFlow installation directory (for dynamic content)
    * @param {boolean} injectDynamic - Whether to inject dynamic content (only for top-level commands)
+   * @param {Function} [ideTransform] - Optional IDE transformation function: (content, filename) => string
    * @returns {Promise<{commands: number, subdirs: number}>} Count of installed items
    * @throws {CommandInstallationError} If command installation fails
    * @throws {FilePermissionError} If permission denied
+   *
+   * @example
+   * // Without transformation (backward compatible)
+   * await installer.installCommandsRecursive(src, target, agileflow, true);
+   *
+   * @example
+   * // With IDE transformation
+   * await installer.installCommandsRecursive(
+   *   src,
+   *   target,
+   *   agileflow,
+   *   true,
+   *   (content, filename) => ideGenerator.generateForIde(content, 'cursor')
+   * );
    */
-  async installCommandsRecursive(sourceDir, targetDir, agileflowDir, injectDynamic = false) {
+  async installCommandsRecursive(
+    sourceDir,
+    targetDir,
+    agileflowDir,
+    injectDynamic = false,
+    ideTransform = null
+  ) {
     let commandCount = 0;
     let subdirCount = 0;
 
@@ -419,6 +443,11 @@ class BaseIdeSetup {
           // Replace docs/ references with custom folder name
           content = this.replaceDocsReferences(content);
 
+          // Apply IDE-specific transformation if provided
+          if (ideTransform && typeof ideTransform === 'function') {
+            content = ideTransform(content, entry.name);
+          }
+
           await this.writeFile(targetPath, content);
           commandCount++;
         } catch (error) {
@@ -437,7 +466,8 @@ class BaseIdeSetup {
           sourcePath,
           targetPath,
           agileflowDir,
-          false // Don't inject dynamic content in subdirectories
+          false, // Don't inject dynamic content in subdirectories
+          ideTransform // Pass ideTransform to recursive calls
         );
         commandCount += subResult.commands;
         subdirCount += 1 + subResult.subdirs;

package/tools/cli/installers/ide/claude-code.js

@@ -61,12 +61,9 @@ class ClaudeCodeSetup extends BaseIdeSetup {
     // Claude Code specific: Setup damage control hooks
     await this.setupDamageControl(projectDir, agileflowDir, ideDir, options);
 
-    // Claude Code specific: Setup SessionStart hooks (welcome, archive, context-loader, tmux-task-watcher)
+    // Claude Code specific: Setup SessionStart hooks (welcome, archive, context-loader)
     await this.setupSessionStartHooks(projectDir, agileflowDir, ideDir, options);
 
-    // Claude Code specific: Setup Stop hooks (tmux-task-watcher cleanup)
-    await this.setupStopHooks(projectDir, agileflowDir, ideDir, options);
-
     return result;
   }
 
@@ -259,12 +256,6 @@ class ClaudeCodeSetup extends BaseIdeSetup {
           'node $CLAUDE_PROJECT_DIR/.agileflow/scripts/context-loader.js 2>/dev/null || true',
         timeout: 5000,
       },
-      {
-        type: 'command',
-        command:
-          'bash $CLAUDE_PROJECT_DIR/.agileflow/scripts/tmux-task-watcher.sh 2>/dev/null || true',
-        timeout: 5000,
-      },
     ];
 
     // Check if SessionStart hooks already exist
@@ -294,65 +285,7 @@ class ClaudeCodeSetup extends BaseIdeSetup {
 
     // Write settings
     await fs.writeFile(settingsPath, JSON.stringify(settings, null, 2));
-    console.log(
-      chalk.dim(`    - SessionStart hooks: welcome, archive, context-loader, tmux-task-watcher`)
-    );
-  }
-
-  /**
-   * Setup Stop hooks (tmux-task-watcher cleanup)
-   * @param {string} projectDir - Project directory
-   * @param {string} agileflowDir - AgileFlow installation directory
-   * @param {string} claudeDir - .claude directory path
-   * @param {Object} options - Setup options
-   */
-  async setupStopHooks(projectDir, agileflowDir, claudeDir, options = {}) {
-    const settingsPath = path.join(claudeDir, 'settings.json');
-    let settings = {};
-
-    if (fs.existsSync(settingsPath)) {
-      try {
-        settings = JSON.parse(fs.readFileSync(settingsPath, 'utf8'));
-      } catch (e) {
-        settings = {};
-      }
-    }
-
-    if (!settings.hooks) settings.hooks = {};
-    if (!settings.hooks.Stop) settings.hooks.Stop = [];
-
-    const stopHooks = [
-      {
-        type: 'command',
-        command:
-          'bash $CLAUDE_PROJECT_DIR/.agileflow/scripts/tmux-task-watcher.sh stop 2>/dev/null || true',
-        timeout: 3000,
-      },
-    ];
-
-    const existingEntry = settings.hooks.Stop.find(
-      h => h.matcher === '' || h.matcher === undefined
-    );
-
-    if (existingEntry) {
-      if (!existingEntry.hooks) existingEntry.hooks = [];
-      for (const newHook of stopHooks) {
-        const alreadyExists = existingEntry.hooks.some(
-          h => h.command && h.command.includes('tmux-task-watcher')
-        );
-        if (!alreadyExists) {
-          existingEntry.hooks.push(newHook);
-        }
-      }
-    } else {
-      settings.hooks.Stop.push({
-        matcher: '',
-        hooks: stopHooks,
-      });
-    }
-
-    await fs.writeFile(settingsPath, JSON.stringify(settings, null, 2));
-    console.log(chalk.dim(`    - Stop hooks: tmux-task-watcher cleanup`));
+    console.log(chalk.dim(`    - SessionStart hooks: welcome, archive, context-loader`));
   }
 
   /**

package/tools/cli/installers/ide/codex.js

@@ -1,13 +1,13 @@
 /**
- * AgileFlow CLI - OpenAI Codex CLI Installer
+ * AgileFlow CLI - OpenAI Codex Installer
  *
- * Installs AgileFlow for OpenAI Codex CLI:
+ * Installs AgileFlow for OpenAI Codex:
  * - Agents become Codex Skills (.codex/skills/agileflow-NAME/)
  * - Commands become Codex Prompts (~/.codex/prompts/agileflow-NAME.md)
  * - AGENTS.md provides project instructions at repo root
  *
  * @see https://developers.openai.com/codex/
- * @see ADR-0002: Codex CLI Integration Strategy
+ * @see ADR-0002: OpenAI Codex Integration Strategy
  */
 
 const path = require('node:path');
@@ -24,11 +24,11 @@ const {
 } = require('../../lib/content-transformer');
 
 /**
- * OpenAI Codex CLI setup handler
+ * OpenAI Codex setup handler
  */
 class CodexSetup extends BaseIdeSetup {
   constructor() {
-    super('codex', 'OpenAI Codex CLI', false);
+    super('codex', 'OpenAI Codex', false);
     // Per-repo config directory
     this.configDir = '.codex';
     // User-level Codex home (can be overridden by $CODEX_HOME)
@@ -44,12 +44,12 @@ class CodexSetup extends BaseIdeSetup {
   }
 
   /**
-   * Detect if Codex CLI is installed/configured
+   * Detect if OpenAI Codex is installed/configured
    * @param {string} projectDir - Project directory
    * @returns {Promise<boolean>}
    */
   async detect(projectDir) {
-    // Check if Codex home exists (user has Codex CLI)
+    // Check if Codex home exists (user has OpenAI Codex)
     const codexHomeExists = await this.exists(this.codexHome);
     // Check if project has .codex/ or AGENTS.md
     const projectCodexExists = await this.exists(path.join(projectDir, this.configDir));
@@ -229,7 +229,7 @@ ${codexHeader}${bodyContent}`;
 
     const content = `# AGENTS.md
 
-> Project instructions for Codex CLI with AgileFlow integration
+> Project instructions for OpenAI Codex with AgileFlow integration
 
 ## Project Commands
 
@@ -334,7 +334,7 @@ This directory contains: [describe purpose]
   }
 
   /**
-   * Setup Codex CLI configuration
+   * Setup OpenAI Codex configuration
    * @param {string} projectDir - Project directory
    * @param {string} agileflowDir - AgileFlow installation directory
    * @param {Object} options - Setup options