agileflow 3.1.0 → 3.2.1

package/src/core/profiles/windsurf.yaml

@@ -0,0 +1,159 @@
+# Windsurf IDE Capability Profile
+# Wave 13+ - Most comprehensive hooks but no true sub-agent spawning
+# Reference: Cross-IDE Compatibility Findings (20260220)
+
+ide:
+  id: windsurf
+  name: Windsurf
+  displayName: Windsurf
+  description: Codeium's AI editor with native worktrees and 11 lifecycle hooks
+  configDir: .windsurf
+  configDirGlobal: ~/.codeium/windsurf
+  instructionsFile: WINDSURF.md
+  fileFormat: markdown
+  commandPrefix: "/"
+  agentPrefix: "agileflow-"
+
+paths:
+  commands: .windsurf/workflows/
+  agents: null                # Uses workflows + cascades instead
+  skills: .windsurf/skills/*/SKILL.md
+  rules: .windsurf/rules/
+  workflows: .windsurf/workflows/
+  hooks: .windsurf/hooks.json
+  hooksGlobal: ~/.codeium/windsurf/hooks.json
+  mcp: ~/.codeium/windsurf/mcp_config.json
+  mcpGlobal: true             # MCP config is global-only
+
+capabilities:
+  core:
+    fileOperations: true      # Native file read/write
+    shell: true               # Native shell (4-level auto-execution)
+    fileSearch: true          # Native search + analyze tools
+    interactiveInput: true    # Conversational only (no structured menus)
+    subAgents: false          # No true sub-agent spawning
+    nestedSubAgents: false    # Parallel Cascades via worktrees instead
+  planning:
+    planMode: true            # Native via "megaplan" keyword
+    planModeEditable: true    # Editable plans in ~/.windsurf/plans/
+  lifecycle:
+    hooks: true               # 9 lifecycle events (per official docs Feb 2026)
+    hookEvents:
+      - pre_read_code
+      - post_read_code
+      - pre_write_code
+      - post_write_code
+      - pre_run_command
+      - post_run_command
+      - pre_mcp_tool_use
+      - post_mcp_tool_use
+      - pre_user_prompt
+  external:
+    webSearch: true           # Web Search tool
+    webFetch: true            # URL Read and View Chunk
+    mcp: true                 # Full MCP support
+    mcpToolLimit: 100         # 100-tool cap
+    browser: true             # Browser Preview (in-IDE)
+  collaboration:
+    taskTracking: false       # Conversation-embedded only (not persistent)
+    persistentTasks: false
+    worktrees: true           # Native worktrees (up to 20 per workspace)
+    maxWorktrees: 20
+
+toolNames:
+  # Interactive
+  askUser: null               # Conversational only
+  # Delegation
+  spawnAgent: null            # Use workflows + cascades instead
+  # Planning
+  planModeEnter: null         # Native, use "megaplan" keyword
+  planModeExit: null          # Native
+  # Execution
+  bash: run_command
+  # Files
+  read: read_file
+  write: write_file
+  edit: edit_file
+  # Search
+  glob: search_files
+  grep: search_codebase
+  # Web
+  webSearch: web_search
+  webFetch: url_read
+  # Cascades
+  cascade: null               # Use /workflow-name chaining
+
+workflowModel:
+  format: markdown
+  maxCharacters: 12000        # Hard limit per workflow file
+  splitStrategy: "Split large workflows into multiple files"
+  chaining: "Use /workflow-name in instructions to chain workflows"
+  cascades: "Use @cascade to run multiple workflows in parallel"
+
+skillModel:
+  format: markdown
+  frontmatterFormat: yaml
+  spec: "agentskills.io"
+  fields:
+    - name
+    - description
+    - model
+    - requiredCapabilities
+
+frontmatter:
+  workflows:
+    format: null              # Workflows are commands, not structured prompts
+  rules:
+    format: markdown
+    fields:
+      - description
+      - globs
+      - alwaysApply
+  skills:
+    format: yaml
+    fields:
+      - name
+      - description
+      - model
+      - requiredCapabilities
+
+limits:
+  maxFileSize: 0              # 0 = unlimited
+  maxCommandLength: 0         # 0 = unlimited
+  maxWorkflowSize: 12000      # Hard limit per workflow file
+  maxToolsPerMCP: 100         # MCP tool limit
+  maxWorktreesPerWorkspace: 20
+  autoExecutionLevels: 4      # Shell auto-execution levels
+
+installation:
+  supportsFileOps: true
+  supportsHooks: true         # Native
+  supportsMCP: true           # Global-only config
+  commandsRequireApproval: false
+  skillsCanBeNestedDirs: true
+  projectLevelMCP: false      # MCP config is global-only
+
+worktreeModel:
+  supported: true
+  maxConcurrent: 20
+  useCase: "Parallel feature branches or multi-task execution"
+  gitIntegration: "Native git worktree support"
+  hostedOn: "Wave 13+"
+
+cascadeModel:
+  description: "Run multiple workflows in parallel"
+  syntax: "@cascade /workflow1 /workflow2"
+  useCase: "Execute independent tasks without blocking"
+  limitSubstitution: "Use cascades instead of Task tool"
+
+notes:
+  - "Windsurf has the most comprehensive hooks (11 events)"
+  - "NO true sub-agent spawning; use workflow chaining or cascades"
+  - "12,000 character limit per workflow - split large commands"
+  - "MCP config is global-only (in ~/.codeium/windsurf/mcp_config.json)"
+  - "Conversational input, no structured menus"
+  - "Native worktrees enable parallel development (up to 20 per workspace)"
+  - "Skills follow agentskills.io specification"
+  - "Use 'megaplan' keyword for advanced planning"
+  - "100-tool MCP limit; good balance between capability and performance"
+  - "Plan files stored in ~/.windsurf/plans/ (user's home, not project)"

package/src/core/teams/logic-audit.json

@@ -20,6 +20,12 @@
       "domain": "control-flow",
       "description": "Analyzes dead code, unreachable branches, and missing returns"
     },
+    {
+      "agent": "agileflow-logic-analyzer-invariant",
+      "role": "analyzer",
+      "domain": "invariants",
+      "description": "Analyzes pre/post conditions, state consistency, and contract violations"
+    },
     {
       "agent": "agileflow-logic-analyzer-race",
       "role": "analyzer",

package/src/core/teams/perf-audit.json

@@ -0,0 +1,71 @@
+{
+  "name": "perf-audit",
+  "description": "Multi-perspective performance bottleneck analysis team for finding optimization opportunities",
+  "version": "1.0.0",
+  "lead": {
+    "agent": "agileflow-perf-consensus",
+    "delegate_mode": true,
+    "plan_approval": false
+  },
+  "teammates": [
+    {
+      "agent": "agileflow-perf-analyzer-queries",
+      "role": "analyzer",
+      "domain": "queries",
+      "description": "Analyzes N+1 queries, unindexed lookups, missing pagination, ORM anti-patterns"
+    },
+    {
+      "agent": "agileflow-perf-analyzer-rendering",
+      "role": "analyzer",
+      "domain": "rendering",
+      "description": "Analyzes unnecessary re-renders, missing memoization, expensive computations in render"
+    },
+    {
+      "agent": "agileflow-perf-analyzer-memory",
+      "role": "analyzer",
+      "domain": "memory",
+      "description": "Analyzes memory leaks, event listener cleanup, growing collections, closure captures"
+    },
+    {
+      "agent": "agileflow-perf-analyzer-bundle",
+      "role": "analyzer",
+      "domain": "bundle",
+      "description": "Analyzes large imports, missing tree-shaking, absent dynamic imports, duplicate deps"
+    },
+    {
+      "agent": "agileflow-perf-analyzer-compute",
+      "role": "analyzer",
+      "domain": "compute",
+      "description": "Analyzes sync I/O, CPU-intensive loops, blocking operations, algorithmic inefficiency"
+    },
+    {
+      "agent": "agileflow-perf-analyzer-network",
+      "role": "analyzer",
+      "domain": "network",
+      "description": "Analyzes HTTP waterfall, missing batching, no compression, large payloads"
+    },
+    {
+      "agent": "agileflow-perf-analyzer-caching",
+      "role": "analyzer",
+      "domain": "caching",
+      "description": "Analyzes missing memoization, redundant computations, no HTTP cache headers"
+    },
+    {
+      "agent": "agileflow-perf-analyzer-assets",
+      "role": "analyzer",
+      "domain": "assets",
+      "description": "Analyzes unoptimized images, render-blocking resources, missing lazy loading"
+    }
+  ],
+  "quality_gates": {
+    "teammate_idle": {
+      "tests": false,
+      "lint": false,
+      "types": false
+    },
+    "task_completed": {
+      "require_validator_approval": false
+    }
+  },
+  "tags": ["analysis", "performance", "optimization", "audit"]
+}

package/src/core/teams/security-audit.json

@@ -0,0 +1,71 @@
+{
+  "name": "security-audit",
+  "description": "Multi-perspective security vulnerability analysis team for finding exploitable weaknesses",
+  "version": "1.0.0",
+  "lead": {
+    "agent": "agileflow-security-consensus",
+    "delegate_mode": true,
+    "plan_approval": false
+  },
+  "teammates": [
+    {
+      "agent": "agileflow-security-analyzer-injection",
+      "role": "analyzer",
+      "domain": "injection",
+      "description": "Analyzes SQL injection, command injection, NoSQL injection, template injection"
+    },
+    {
+      "agent": "agileflow-security-analyzer-auth",
+      "role": "analyzer",
+      "domain": "authentication",
+      "description": "Analyzes weak hashing, JWT flaws, session fixation, broken auth flows"
+    },
+    {
+      "agent": "agileflow-security-analyzer-authz",
+      "role": "analyzer",
+      "domain": "authorization",
+      "description": "Analyzes IDOR, privilege escalation, path traversal, CORS, CSRF"
+    },
+    {
+      "agent": "agileflow-security-analyzer-secrets",
+      "role": "analyzer",
+      "domain": "secrets-crypto",
+      "description": "Analyzes hardcoded credentials, weak crypto, insecure randomness"
+    },
+    {
+      "agent": "agileflow-security-analyzer-input",
+      "role": "analyzer",
+      "domain": "input-validation",
+      "description": "Analyzes XSS, prototype pollution, SSRF, file upload, ReDoS"
+    },
+    {
+      "agent": "agileflow-security-analyzer-deps",
+      "role": "analyzer",
+      "domain": "dependencies",
+      "description": "Analyzes known CVEs, typosquatting, overly permissive version ranges"
+    },
+    {
+      "agent": "agileflow-security-analyzer-infra",
+      "role": "analyzer",
+      "domain": "infrastructure",
+      "description": "Analyzes Docker security, security headers, HTTPS, exposed endpoints"
+    },
+    {
+      "agent": "agileflow-security-analyzer-api",
+      "role": "analyzer",
+      "domain": "api-security",
+      "description": "Analyzes mass assignment, data exposure, rate limiting, GraphQL"
+    }
+  ],
+  "quality_gates": {
+    "teammate_idle": {
+      "tests": false,
+      "lint": false,
+      "types": false
+    },
+    "task_completed": {
+      "require_validator_approval": false
+    }
+  },
+  "tags": ["analysis", "security", "vulnerabilities", "audit"]
+}

package/src/core/teams/test-audit.json

@@ -0,0 +1,71 @@
+{
+  "name": "test-audit",
+  "description": "Multi-perspective test quality analysis team for finding test suite weaknesses",
+  "version": "1.0.0",
+  "lead": {
+    "agent": "agileflow-test-consensus",
+    "delegate_mode": true,
+    "plan_approval": false
+  },
+  "teammates": [
+    {
+      "agent": "agileflow-test-analyzer-coverage",
+      "role": "analyzer",
+      "domain": "coverage",
+      "description": "Analyzes untested critical paths, missing error path tests, low branch coverage"
+    },
+    {
+      "agent": "agileflow-test-analyzer-fragility",
+      "role": "analyzer",
+      "domain": "fragility",
+      "description": "Analyzes timing-dependent tests, order-dependent tests, environment-dependent tests"
+    },
+    {
+      "agent": "agileflow-test-analyzer-mocking",
+      "role": "analyzer",
+      "domain": "mocking",
+      "description": "Analyzes over-mocking, mock leakage, testing mocks instead of code"
+    },
+    {
+      "agent": "agileflow-test-analyzer-assertions",
+      "role": "analyzer",
+      "domain": "assertions",
+      "description": "Analyzes weak assertions, missing negative tests, snapshot overuse"
+    },
+    {
+      "agent": "agileflow-test-analyzer-structure",
+      "role": "analyzer",
+      "domain": "structure",
+      "description": "Analyzes test organization, naming clarity, code duplication, file length"
+    },
+    {
+      "agent": "agileflow-test-analyzer-integration",
+      "role": "analyzer",
+      "domain": "integration",
+      "description": "Analyzes missing API tests, absent E2E coverage, unit-only test suites"
+    },
+    {
+      "agent": "agileflow-test-analyzer-maintenance",
+      "role": "analyzer",
+      "domain": "maintenance",
+      "description": "Analyzes dead tests, outdated assertions, tests passing for wrong reasons"
+    },
+    {
+      "agent": "agileflow-test-analyzer-patterns",
+      "role": "analyzer",
+      "domain": "patterns",
+      "description": "Analyzes anti-patterns: testing privates, deep mock chains, God test objects"
+    }
+  ],
+  "quality_gates": {
+    "teammate_idle": {
+      "tests": false,
+      "lint": false,
+      "types": false
+    },
+    "task_completed": {
+      "require_validator_approval": false
+    }
+  },
+  "tags": ["analysis", "testing", "quality", "audit"]
+}

package/src/core/templates/browser-qa-spec.yaml

@@ -0,0 +1,94 @@
+# Browser QA Test Spec Template
+# Part of AgileFlow Bowser Four-Layer Browser Automation
+#
+# Usage: Copy this template and fill in your scenario details.
+# Place specs in: .agileflow/ui-review/specs/ or docs/07-testing/agentic/
+# Run with: /agileflow:browser-qa SCENARIO=<path-to-this-file>
+#
+# Schema Version: 1.0.0
+
+# --- Required Fields ---
+
+# Unique test identifier (format: AGENTIC-NNN)
+test_id: AGENTIC-001
+
+# Associated user story (optional, links results to status.json)
+story_id: US-XXXX
+
+# Human-readable name for this test scenario
+name: "Example User Login Flow"
+
+# What this test validates
+description: "Verify that a user can log in with valid credentials and reach the dashboard"
+
+# --- Configuration ---
+
+# Base URL of the application under test
+url: http://localhost:3000
+
+# Maximum time for entire scenario (default: 60s)
+timeout: 60s
+
+# Retry attempts on failure before marking as failed (default: 2)
+max_retries: 2
+
+# Minimum pass rate to consider validated (default: 0.80)
+pass_rate_threshold: 0.80
+
+# Browsers to test against (default: [chromium])
+browsers:
+  - chromium
+
+# --- Test Steps ---
+# Each step has: name, action, and action-specific fields
+# Supported actions: navigate, click, fill, assert, wait, screenshot
+#
+# Optional per-step fields:
+#   wait_for: CSS selector to wait for before proceeding
+#   screenshot: true/false - capture screenshot after this step
+#   timeout: per-step timeout override
+
+steps:
+  - name: Navigate to login page
+    action: navigate
+    url: /login
+    wait_for: "[data-testid='login-form']"
+    screenshot: true
+
+  - name: Fill email field
+    action: fill
+    fields:
+      - selector: "[data-testid='email-input']"
+        value: "test@example.com"
+
+  - name: Fill password field
+    action: fill
+    fields:
+      - selector: "[data-testid='password-input']"
+        value: "testpassword123"
+
+  - name: Click login button
+    action: click
+    selector: "[data-testid='login-button']"
+    screenshot: true
+
+  - name: Verify dashboard loaded
+    action: assert
+    assertion: "User sees the dashboard page with a welcome message"
+    wait_for: "[data-testid='dashboard']"
+    screenshot: true
+
+# --- Expected Result ---
+# Natural language description of what success looks like
+expected_result: "User is logged in and sees the dashboard with their name displayed"
+
+# --- Metadata ---
+# Optional fields for tracking and reporting
+
+metadata:
+  author: AG-BROWSER-QA
+  created: "2026-02-16"
+  tags:
+    - authentication
+    - critical-path
+  priority: high

package/src/core/templates/command-prerequisites.yaml

@@ -0,0 +1,169 @@
+# command-prerequisites.yaml
+#
+# Declarative prerequisites for AgileFlow commands.
+# Checked before command execution to warn about unmet requirements.
+#
+# Schema:
+#   commands.<name>.prerequisites[]:
+#     signal      - Dot-path into extracted signals (e.g. git.branch, statusJson)
+#     description - Human-readable explanation of what's needed
+#     fix         - Actionable instruction to resolve
+#     severity    - critical (will fail) | high (poor results) | medium (suboptimal)
+#
+# Signals are extracted by smart-detect.js extractSignals() and include:
+#   git.branch, git.onFeatureBranch, git.isClean, git.filesChanged
+#   statusJson, storyCount, story, story.epic
+#   packageJson, tests.hasTestSetup
+#   files.playwright, files.tsconfig, files.coverage, files.ciConfig
+
+version: "1.0.0"
+
+settings:
+  fail_open: true
+  max_warnings: 5
+
+commands:
+  verify:
+    prerequisites:
+      - signal: tests.hasTestSetup
+        description: "Test framework must be configured (scripts.test in package.json)"
+        fix: "Add a test script to package.json, e.g. \"test\": \"jest\" or \"test\": \"vitest\""
+        severity: critical
+
+  babysit:
+    prerequisites:
+      - signal: statusJson
+        description: "status.json must exist with stories to work on"
+        fix: "Run: /agileflow:story to create stories, or /agileflow:epic to plan an epic"
+        severity: critical
+
+  pr:
+    prerequisites:
+      - signal: git.onFeatureBranch
+        description: "Must be on a feature branch (not main/master)"
+        fix: "Create a feature branch: git checkout -b feat/your-feature"
+        severity: critical
+      - signal: story
+        description: "An active story should be set for PR description"
+        fix: "Run: /agileflow:status to set a current story"
+        severity: high
+
+  deploy:
+    prerequisites:
+      - signal: git.branch
+        description: "Git repository must be initialized"
+        fix: "Run: git init"
+        severity: critical
+      - signal: packageJson
+        description: "package.json must exist for deployment configuration"
+        fix: "Run: npm init -y"
+        severity: critical
+
+  audit:
+    prerequisites:
+      - signal: story
+        description: "An active story is needed to audit completion"
+        fix: "Run: /agileflow:status to set a current story"
+        severity: critical
+      - signal: statusJson
+        description: "status.json must exist with story data"
+        fix: "Run: /agileflow:story to create stories"
+        severity: critical
+
+  board:
+    prerequisites:
+      - signal: statusJson
+        description: "status.json must exist to display the board"
+        fix: "Run: /agileflow:story to create your first story"
+        severity: critical
+      - signal: storyCount
+        description: "At least one story must exist"
+        fix: "Run: /agileflow:story to create a story"
+        severity: high
+
+  sprint:
+    prerequisites:
+      - signal: statusJson
+        description: "status.json must exist for sprint planning"
+        fix: "Run: /agileflow:story to create stories first"
+        severity: critical
+      - signal: storyCount
+        description: "Stories are needed for sprint planning"
+        fix: "Run: /agileflow:epic to break down features into stories"
+        severity: high
+
+  browser-qa:
+    prerequisites:
+      - signal: files.playwright
+        description: "Playwright must be configured (playwright.config.ts or .js)"
+        fix: "Run: npm init playwright@latest"
+        severity: critical
+
+  review:
+    prerequisites:
+      - signal: git.onFeatureBranch
+        description: "Must be on a feature branch for code review"
+        fix: "Create a feature branch: git checkout -b feat/your-feature"
+        severity: critical
+      - signal: git.filesChanged
+        description: "There should be changed files to review"
+        fix: "Make some code changes before requesting a review"
+        severity: high
+
+  baseline:
+    prerequisites:
+      - signal: tests.hasTestSetup
+        description: "Test framework must be configured to establish a baseline"
+        fix: "Add a test script to package.json"
+        severity: critical
+      - signal: git.branch
+        description: "Git repository must be initialized"
+        fix: "Run: git init"
+        severity: high
+
+  metrics:
+    prerequisites:
+      - signal: statusJson
+        description: "status.json must exist for metrics calculation"
+        fix: "Run: /agileflow:story to start tracking work"
+        severity: critical
+      - signal: storyCount
+        description: "Stories are needed to compute metrics"
+        fix: "Run: /agileflow:story to create stories"
+        severity: high
+
+  velocity:
+    prerequisites:
+      - signal: statusJson
+        description: "status.json must exist for velocity tracking"
+        fix: "Run: /agileflow:story to start tracking work"
+        severity: critical
+      - signal: storyCount
+        description: "Completed stories are needed for velocity calculation"
+        fix: "Complete some stories to build velocity history"
+        severity: high
+
+  compress:
+    prerequisites:
+      - signal: statusJson
+        description: "status.json must exist to compress"
+        fix: "No status.json to compress - create stories first with /agileflow:story"
+        severity: critical
+
+  retro:
+    prerequisites:
+      - signal: statusJson
+        description: "status.json must exist for retrospective data"
+        fix: "Run: /agileflow:story to start tracking work"
+        severity: critical
+      - signal: storyCount
+        description: "Stories are needed for meaningful retrospective"
+        fix: "Complete some stories before running a retrospective"
+        severity: high
+
+  changelog:
+    prerequisites:
+      - signal: git.branch
+        description: "Git repository must be initialized with commit history"
+        fix: "Run: git init && git add -A && git commit -m 'initial commit'"
+        severity: critical

package/src/core/templates/damage-control-patterns.yaml

@@ -228,6 +228,15 @@ agileflowProtections:
 #
 # =====================================================
 
+# ─── Release Process Enforcement ───
+# Forces use of ./scripts/release.sh instead of manual commands
+releaseProtections:
+  - pattern: '\bnpm\s+version\s+'
+    reason: "Use ./scripts/release.sh instead of npm version"
+
+  - pattern: '\bgit\s+tag\s+v\d+\.\d+\.\d+'
+    reason: "Use ./scripts/release.sh instead of manual git tag"
+
 # ─── Project-Specific Patterns (add yours below) ───
 # customPatterns:
 #   - pattern: 'your-pattern-here'