agileflow 3.4.3 → 4.0.0-alpha.10

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (1093) hide show
  1. package/CHANGELOG.md +294 -478
  2. package/README.md +22 -114
  3. package/bin/agileflow.js +15 -0
  4. package/bin/hooks/pre-bash.js +35 -0
  5. package/bin/hooks/pre-compact.js +34 -0
  6. package/bin/hooks/pre-edit.js +32 -0
  7. package/bin/hooks/pre-write.js +32 -0
  8. package/bin/hooks/session-start.js +42 -0
  9. package/bin/hooks/stop.js +34 -0
  10. package/content/plugins/accessibility/plugin.yaml +14 -0
  11. package/content/plugins/accessibility/skills/agileflow-accessibility/SKILL.md +392 -0
  12. package/content/plugins/accessibility/skills/agileflow-accessibility/references/aria-patterns.md +528 -0
  13. package/content/plugins/accessibility/skills/agileflow-accessibility/references/testing-checklist.md +457 -0
  14. package/content/plugins/accessibility/skills/agileflow-accessibility/references/wcag-guide.md +683 -0
  15. package/content/plugins/accessibility/skills/agileflow-accessibility/workflows/audit-page.md +310 -0
  16. package/content/plugins/accessibility/skills/agileflow-accessibility/workflows/implement-accessible-component.md +479 -0
  17. package/content/plugins/ads/agents/ads-audit-budget.md +185 -0
  18. package/content/plugins/ads/agents/ads-audit-compliance.md +171 -0
  19. package/content/plugins/ads/agents/ads-audit-creative.md +168 -0
  20. package/content/plugins/ads/agents/ads-audit-google.md +227 -0
  21. package/content/plugins/ads/agents/ads-audit-meta.md +184 -0
  22. package/content/plugins/ads/agents/ads-audit-tracking.md +205 -0
  23. package/content/plugins/ads/agents/ads-consensus.md +410 -0
  24. package/content/plugins/ads/agents/ads-generate.md +152 -0
  25. package/content/plugins/ads/agents/ads-performance-tracker.md +212 -0
  26. package/content/plugins/ads/plugin.yaml +33 -0
  27. package/content/plugins/ads/skills/agileflow-ads/SKILL.md +218 -0
  28. package/content/plugins/ads/skills/agileflow-ads/references/ad-copy-formula-guide.md +131 -0
  29. package/content/plugins/ads/skills/agileflow-ads/references/audience-targeting-guide.md +137 -0
  30. package/content/plugins/ads/skills/agileflow-ads/references/bid-strategy-guide.md +115 -0
  31. package/content/plugins/ads/skills/agileflow-ads/references/platform-benchmarks.md +100 -0
  32. package/content/plugins/ads/skills/agileflow-ads/workflows/audit.md +118 -0
  33. package/content/plugins/ads/skills/agileflow-ads/workflows/generate.md +84 -0
  34. package/content/plugins/audit/agents/a11y-analyzer-aria.md +173 -0
  35. package/content/plugins/audit/agents/a11y-analyzer-forms.md +173 -0
  36. package/content/plugins/audit/agents/a11y-analyzer-keyboard.md +183 -0
  37. package/content/plugins/audit/agents/a11y-analyzer-semantic.md +169 -0
  38. package/content/plugins/audit/agents/a11y-analyzer-visual.md +172 -0
  39. package/content/plugins/audit/agents/a11y-consensus.md +249 -0
  40. package/content/plugins/audit/agents/accessibility.md +558 -0
  41. package/content/plugins/audit/agents/api-quality-analyzer-conventions.md +156 -0
  42. package/content/plugins/audit/agents/api-quality-analyzer-docs.md +184 -0
  43. package/content/plugins/audit/agents/api-quality-analyzer-errors.md +191 -0
  44. package/content/plugins/audit/agents/api-quality-analyzer-pagination.md +179 -0
  45. package/content/plugins/audit/agents/api-quality-analyzer-versioning.md +150 -0
  46. package/content/plugins/audit/agents/api-quality-consensus.md +217 -0
  47. package/content/plugins/audit/agents/api-validator.md +191 -0
  48. package/content/plugins/audit/agents/arch-analyzer-circular.md +156 -0
  49. package/content/plugins/audit/agents/arch-analyzer-complexity.md +193 -0
  50. package/content/plugins/audit/agents/arch-analyzer-coupling.md +152 -0
  51. package/content/plugins/audit/agents/arch-analyzer-layering.md +160 -0
  52. package/content/plugins/audit/agents/arch-analyzer-patterns.md +210 -0
  53. package/content/plugins/audit/agents/arch-consensus.md +228 -0
  54. package/content/plugins/audit/agents/browser-qa.md +342 -0
  55. package/content/plugins/audit/agents/code-reviewer.md +298 -0
  56. package/content/plugins/audit/agents/completeness-analyzer-api.md +199 -0
  57. package/content/plugins/audit/agents/completeness-analyzer-conditional.md +211 -0
  58. package/content/plugins/audit/agents/completeness-analyzer-handlers.md +166 -0
  59. package/content/plugins/audit/agents/completeness-analyzer-imports.md +165 -0
  60. package/content/plugins/audit/agents/completeness-analyzer-routes.md +190 -0
  61. package/content/plugins/audit/agents/completeness-analyzer-state.md +196 -0
  62. package/content/plugins/audit/agents/completeness-analyzer-stubs.md +206 -0
  63. package/content/plugins/audit/agents/completeness-consensus.md +295 -0
  64. package/content/plugins/audit/agents/error-analyzer.md +213 -0
  65. package/content/plugins/audit/agents/flow-analyzer-authorization.md +182 -0
  66. package/content/plugins/audit/agents/flow-analyzer-discovery.md +174 -0
  67. package/content/plugins/audit/agents/flow-analyzer-errors.md +186 -0
  68. package/content/plugins/audit/agents/flow-analyzer-feedback.md +185 -0
  69. package/content/plugins/audit/agents/flow-analyzer-navigation.md +177 -0
  70. package/content/plugins/audit/agents/flow-analyzer-persistence.md +193 -0
  71. package/content/plugins/audit/agents/flow-analyzer-wiring.md +169 -0
  72. package/content/plugins/audit/agents/flow-consensus.md +237 -0
  73. package/content/plugins/audit/agents/legal-analyzer-a11y.md +114 -0
  74. package/content/plugins/audit/agents/legal-analyzer-ai.md +121 -0
  75. package/content/plugins/audit/agents/legal-analyzer-consumer.md +114 -0
  76. package/content/plugins/audit/agents/legal-analyzer-content.md +117 -0
  77. package/content/plugins/audit/agents/legal-analyzer-international.md +119 -0
  78. package/content/plugins/audit/agents/legal-analyzer-licensing.md +119 -0
  79. package/content/plugins/audit/agents/legal-analyzer-privacy.md +112 -0
  80. package/content/plugins/audit/agents/legal-analyzer-security.md +116 -0
  81. package/content/plugins/audit/agents/legal-analyzer-terms.md +115 -0
  82. package/content/plugins/audit/agents/legal-consensus.md +250 -0
  83. package/content/plugins/audit/agents/logic-analyzer-edge.md +179 -0
  84. package/content/plugins/audit/agents/logic-analyzer-flow.md +264 -0
  85. package/content/plugins/audit/agents/logic-analyzer-invariant.md +215 -0
  86. package/content/plugins/audit/agents/logic-analyzer-race.md +280 -0
  87. package/content/plugins/audit/agents/logic-analyzer-type.md +227 -0
  88. package/content/plugins/audit/agents/logic-consensus.md +259 -0
  89. package/content/plugins/audit/agents/perf-analyzer-assets.md +182 -0
  90. package/content/plugins/audit/agents/perf-analyzer-bundle.md +173 -0
  91. package/content/plugins/audit/agents/perf-analyzer-caching.md +170 -0
  92. package/content/plugins/audit/agents/perf-analyzer-compute.md +173 -0
  93. package/content/plugins/audit/agents/perf-analyzer-memory.md +193 -0
  94. package/content/plugins/audit/agents/perf-analyzer-network.md +165 -0
  95. package/content/plugins/audit/agents/perf-analyzer-queries.md +162 -0
  96. package/content/plugins/audit/agents/perf-analyzer-rendering.md +168 -0
  97. package/content/plugins/audit/agents/perf-consensus.md +287 -0
  98. package/content/plugins/audit/agents/qa.md +820 -0
  99. package/content/plugins/audit/agents/quality-analyzer-comments.md +159 -0
  100. package/content/plugins/audit/agents/quality-analyzer-duplication.md +184 -0
  101. package/content/plugins/audit/agents/quality-analyzer-naming.md +160 -0
  102. package/content/plugins/audit/agents/quality-consensus.md +241 -0
  103. package/content/plugins/audit/agents/schema-validator.md +473 -0
  104. package/content/plugins/audit/agents/security-analyzer-api.md +210 -0
  105. package/content/plugins/audit/agents/security-analyzer-auth.md +169 -0
  106. package/content/plugins/audit/agents/security-analyzer-authz.md +180 -0
  107. package/content/plugins/audit/agents/security-analyzer-deps.md +153 -0
  108. package/content/plugins/audit/agents/security-analyzer-infra.md +184 -0
  109. package/content/plugins/audit/agents/security-analyzer-injection.md +155 -0
  110. package/content/plugins/audit/agents/security-analyzer-input.md +201 -0
  111. package/content/plugins/audit/agents/security-analyzer-secrets.md +183 -0
  112. package/content/plugins/audit/agents/security-consensus.md +283 -0
  113. package/content/plugins/audit/agents/test-analyzer-assertions.md +188 -0
  114. package/content/plugins/audit/agents/test-analyzer-coverage.md +189 -0
  115. package/content/plugins/audit/agents/test-analyzer-fragility.md +193 -0
  116. package/content/plugins/audit/agents/test-analyzer-integration.md +161 -0
  117. package/content/plugins/audit/agents/test-analyzer-maintenance.md +180 -0
  118. package/content/plugins/audit/agents/test-analyzer-mocking.md +188 -0
  119. package/content/plugins/audit/agents/test-analyzer-patterns.md +196 -0
  120. package/content/plugins/audit/agents/test-analyzer-structure.md +184 -0
  121. package/content/plugins/audit/agents/test-consensus.md +301 -0
  122. package/content/plugins/audit/agents/testing.md +561 -0
  123. package/content/plugins/audit/agents/ui-validator.md +344 -0
  124. package/content/plugins/audit/plugin.yaml +195 -0
  125. package/content/plugins/audit/skills/agileflow-audit/SKILL.md +113 -0
  126. package/content/plugins/audit/skills/agileflow-audit/references/audit-depth-guide.md +151 -0
  127. package/content/plugins/audit/skills/agileflow-audit/references/dependency-risk-guide.md +139 -0
  128. package/content/plugins/audit/skills/agileflow-audit/references/owasp-top10.md +120 -0
  129. package/content/plugins/audit/skills/agileflow-audit/references/performance-budget-guide.md +143 -0
  130. package/content/plugins/audit/skills/agileflow-audit/references/wcag-criteria.md +117 -0
  131. package/content/plugins/audit/skills/agileflow-audit/workflows/run-audit.md +52 -0
  132. package/content/plugins/audit/skills/agileflow-audit/workflows/tdd.md +66 -0
  133. package/content/plugins/core/agents/adr-writer.md +521 -0
  134. package/content/plugins/core/agents/epic-planner.md +520 -0
  135. package/content/plugins/core/agents/mentor.md +709 -0
  136. package/content/plugins/core/agents/orchestrator.md +776 -0
  137. package/content/plugins/core/agents/team-coordinator.md +334 -0
  138. package/content/plugins/core/agents/team-lead.md +181 -0
  139. package/content/plugins/core/agents/workspace-orchestrator.md +146 -0
  140. package/content/plugins/core/hooks/context-loader.js +196 -0
  141. package/content/plugins/core/hooks/damage-control-bash.js +86 -0
  142. package/content/plugins/core/hooks/damage-control-edit.js +79 -0
  143. package/content/plugins/core/hooks/damage-control-patterns.yaml +100 -0
  144. package/content/plugins/core/hooks/damage-control-write.js +75 -0
  145. package/content/plugins/core/hooks/post-compact-state.js +107 -0
  146. package/content/plugins/core/hooks/preferences-injector.js +352 -0
  147. package/content/plugins/core/hooks/session-welcome.js +19 -0
  148. package/content/plugins/core/plugin.yaml +78 -0
  149. package/content/plugins/core/skills/agileflow-adr/SKILL.md +205 -0
  150. package/content/plugins/core/skills/agileflow-adr/references/madr-format-guide.md +86 -0
  151. package/content/plugins/core/skills/agileflow-adr/workflows/write-adr.md +57 -0
  152. package/content/plugins/core/skills/agileflow-babysit-mentor/SKILL.md +211 -0
  153. package/content/plugins/core/skills/agileflow-babysit-mentor/references/mentor-decision-guide.md +81 -0
  154. package/content/plugins/core/skills/agileflow-babysit-mentor/workflows/mentor-session.md +79 -0
  155. package/content/plugins/core/skills/agileflow-epic-planner/SKILL.md +209 -0
  156. package/content/plugins/core/skills/agileflow-epic-planner/references/epic-sizing-guide.md +81 -0
  157. package/content/plugins/core/skills/agileflow-epic-planner/workflows/plan-epic.md +55 -0
  158. package/content/plugins/core/skills/agileflow-status-updater/SKILL.md +148 -0
  159. package/content/plugins/core/skills/agileflow-status-updater/references/status-transitions.md +89 -0
  160. package/content/plugins/core/skills/agileflow-status-updater/workflows/update-status.md +56 -0
  161. package/content/plugins/core/skills/agileflow-story-writer/SKILL.md +125 -0
  162. package/content/plugins/core/skills/agileflow-story-writer/references/estimation-reference.md +36 -0
  163. package/content/plugins/core/skills/agileflow-story-writer/references/story-template.md +92 -0
  164. package/content/plugins/core/skills/agileflow-story-writer/workflows/write-story.md +138 -0
  165. package/content/plugins/council/agents/council-advocate.md +223 -0
  166. package/content/plugins/council/agents/council-analyst.md +278 -0
  167. package/content/plugins/council/agents/council-compounder.md +204 -0
  168. package/content/plugins/council/agents/council-contrarian.md +217 -0
  169. package/content/plugins/council/agents/council-moonshot.md +217 -0
  170. package/content/plugins/council/agents/council-optimist.md +185 -0
  171. package/content/plugins/council/agents/council-revenue.md +200 -0
  172. package/content/plugins/council/agents/council-technical.md +218 -0
  173. package/content/plugins/council/agents/multi-expert.md +334 -0
  174. package/content/plugins/council/plugin.yaml +33 -0
  175. package/content/plugins/council/skills/agileflow-council/SKILL.md +102 -0
  176. package/content/plugins/council/skills/agileflow-council/references/decision-log-template.md +109 -0
  177. package/content/plugins/council/skills/agileflow-council/references/perspective-guide.md +104 -0
  178. package/content/plugins/council/skills/agileflow-council/references/when-to-convene-guide.md +112 -0
  179. package/content/plugins/council/skills/agileflow-council/workflows/convene.md +73 -0
  180. package/content/plugins/council/skills/agileflow-council/workflows/multi-expert.md +75 -0
  181. package/content/plugins/database/plugin.yaml +14 -0
  182. package/content/plugins/database/skills/agileflow-database/SKILL.md +284 -0
  183. package/content/plugins/database/skills/agileflow-database/references/indexing-guide.md +313 -0
  184. package/content/plugins/database/skills/agileflow-database/references/migration-guide.md +328 -0
  185. package/content/plugins/database/skills/agileflow-database/references/schema-design-guide.md +467 -0
  186. package/content/plugins/database/skills/agileflow-database/workflows/design-schema.md +213 -0
  187. package/content/plugins/database/skills/agileflow-database/workflows/optimize-query.md +253 -0
  188. package/content/plugins/debugging/plugin.yaml +14 -0
  189. package/content/plugins/debugging/skills/agileflow-debug/SKILL.md +236 -0
  190. package/content/plugins/debugging/skills/agileflow-debug/references/common-patterns.md +350 -0
  191. package/content/plugins/debugging/skills/agileflow-debug/references/debugging-strategies.md +328 -0
  192. package/content/plugins/debugging/skills/agileflow-debug/workflows/debug-issue.md +187 -0
  193. package/content/plugins/debugging/skills/agileflow-debug/workflows/reproduce-bug.md +194 -0
  194. package/content/plugins/delivery/agents/ci.md +547 -0
  195. package/content/plugins/delivery/agents/devops.md +789 -0
  196. package/content/plugins/delivery/plugin.yaml +19 -0
  197. package/content/plugins/delivery/skills/agileflow-delivery/SKILL.md +111 -0
  198. package/content/plugins/delivery/skills/agileflow-delivery/references/changelog-format-guide.md +133 -0
  199. package/content/plugins/delivery/skills/agileflow-delivery/references/ci-pipeline-guide.md +158 -0
  200. package/content/plugins/delivery/skills/agileflow-delivery/references/pr-checklist-guide.md +133 -0
  201. package/content/plugins/delivery/skills/agileflow-delivery/references/release-checklist.md +142 -0
  202. package/content/plugins/delivery/skills/agileflow-delivery/workflows/changelog.md +72 -0
  203. package/content/plugins/delivery/skills/agileflow-delivery/workflows/deploy.md +74 -0
  204. package/content/plugins/delivery/skills/agileflow-delivery/workflows/pr.md +75 -0
  205. package/content/plugins/docs/agents/documentation.md +544 -0
  206. package/content/plugins/docs/agents/readme-updater.md +640 -0
  207. package/content/plugins/docs/plugin.yaml +19 -0
  208. package/content/plugins/docs/skills/agileflow-docs/SKILL.md +106 -0
  209. package/content/plugins/docs/skills/agileflow-docs/references/api-doc-template.md +167 -0
  210. package/content/plugins/docs/skills/agileflow-docs/references/doc-types-guide.md +141 -0
  211. package/content/plugins/docs/skills/agileflow-docs/references/readme-template.md +156 -0
  212. package/content/plugins/docs/skills/agileflow-docs/workflows/readme-sync.md +57 -0
  213. package/content/plugins/docs/skills/agileflow-docs/workflows/sync.md +64 -0
  214. package/content/plugins/engineering/agents/api.md +718 -0
  215. package/content/plugins/engineering/agents/codebase-query.md +285 -0
  216. package/content/plugins/engineering/agents/compliance.md +559 -0
  217. package/content/plugins/engineering/agents/database.md +644 -0
  218. package/content/plugins/engineering/agents/integrations.md +644 -0
  219. package/content/plugins/engineering/agents/mobile.md +552 -0
  220. package/content/plugins/engineering/agents/monitoring.md +585 -0
  221. package/content/plugins/engineering/agents/performance.md +529 -0
  222. package/content/plugins/engineering/agents/refactor.md +592 -0
  223. package/content/plugins/engineering/agents/security.md +524 -0
  224. package/content/plugins/engineering/agents/ui.md +1336 -0
  225. package/content/plugins/engineering/plugin.yaml +37 -0
  226. package/content/plugins/engineering/skills/agileflow-engineering/SKILL.md +127 -0
  227. package/content/plugins/engineering/skills/agileflow-engineering/references/code-review-guide.md +126 -0
  228. package/content/plugins/engineering/skills/agileflow-engineering/references/domain-routing-guide.md +89 -0
  229. package/content/plugins/engineering/skills/agileflow-engineering/references/refactoring-guide.md +136 -0
  230. package/content/plugins/engineering/skills/agileflow-engineering/workflows/diagnose.md +63 -0
  231. package/content/plugins/engineering/skills/agileflow-engineering/workflows/impact.md +60 -0
  232. package/content/plugins/ideation/agents/brainstorm-analyzer-features.md +179 -0
  233. package/content/plugins/ideation/agents/brainstorm-analyzer-growth.md +169 -0
  234. package/content/plugins/ideation/agents/brainstorm-analyzer-integration.md +181 -0
  235. package/content/plugins/ideation/agents/brainstorm-analyzer-market.md +150 -0
  236. package/content/plugins/ideation/agents/brainstorm-analyzer-ux.md +180 -0
  237. package/content/plugins/ideation/agents/brainstorm-consensus.md +245 -0
  238. package/content/plugins/ideation/agents/design.md +568 -0
  239. package/content/plugins/ideation/agents/product.md +582 -0
  240. package/content/plugins/ideation/plugin.yaml +31 -0
  241. package/content/plugins/ideation/skills/agileflow-ideation/SKILL.md +109 -0
  242. package/content/plugins/ideation/skills/agileflow-ideation/references/brainstorm-techniques.md +138 -0
  243. package/content/plugins/ideation/skills/agileflow-ideation/references/competitive-analysis-template.md +148 -0
  244. package/content/plugins/ideation/skills/agileflow-ideation/references/feature-prioritization-guide.md +147 -0
  245. package/content/plugins/ideation/skills/agileflow-ideation/references/user-story-patterns.md +152 -0
  246. package/content/plugins/ideation/skills/agileflow-ideation/workflows/features.md +65 -0
  247. package/content/plugins/ideation/skills/agileflow-ideation/workflows/ideate.md +54 -0
  248. package/content/plugins/migration/agents/datamigration.md +757 -0
  249. package/content/plugins/migration/plugin.yaml +17 -0
  250. package/content/plugins/migration/skills/agileflow-migration/SKILL.md +106 -0
  251. package/content/plugins/migration/skills/agileflow-migration/references/data-validation-checklist.md +154 -0
  252. package/content/plugins/migration/skills/agileflow-migration/references/migration-patterns.md +209 -0
  253. package/content/plugins/migration/skills/agileflow-migration/references/rollback-playbook.md +171 -0
  254. package/content/plugins/migration/skills/agileflow-migration/references/version-compatibility-matrix.md +155 -0
  255. package/content/plugins/migration/skills/agileflow-migration/workflows/plan.md +73 -0
  256. package/content/plugins/migration/skills/agileflow-migration/workflows/validate.md +71 -0
  257. package/content/plugins/performance/plugin.yaml +14 -0
  258. package/content/plugins/performance/skills/agileflow-performance/SKILL.md +224 -0
  259. package/content/plugins/performance/skills/agileflow-performance/references/optimization-patterns.md +554 -0
  260. package/content/plugins/performance/skills/agileflow-performance/references/profiling-guide.md +383 -0
  261. package/content/plugins/performance/skills/agileflow-performance/references/web-vitals-guide.md +360 -0
  262. package/content/plugins/performance/skills/agileflow-performance/workflows/improve-web-vitals.md +344 -0
  263. package/content/plugins/performance/skills/agileflow-performance/workflows/profile-and-fix.md +254 -0
  264. package/content/plugins/planning/agents/analytics.md +670 -0
  265. package/content/plugins/planning/agents/rlm-subcore.md +215 -0
  266. package/content/plugins/planning/plugin.yaml +19 -0
  267. package/content/plugins/planning/skills/agileflow-planning/SKILL.md +111 -0
  268. package/content/plugins/planning/skills/agileflow-planning/references/estimation-guide.md +114 -0
  269. package/content/plugins/planning/skills/agileflow-planning/references/rpi-workflow.md +119 -0
  270. package/content/plugins/planning/skills/agileflow-planning/references/sprint-planning-guide.md +145 -0
  271. package/content/plugins/planning/skills/agileflow-planning/workflows/impact.md +63 -0
  272. package/content/plugins/planning/skills/agileflow-planning/workflows/rpi.md +104 -0
  273. package/content/plugins/psychology/plugin.yaml +14 -0
  274. package/content/plugins/psychology/skills/agileflow-retention/SKILL.md +252 -0
  275. package/content/plugins/psychology/skills/agileflow-retention/references/competitor-analysis.md +240 -0
  276. package/content/plugins/psychology/skills/agileflow-retention/references/psychology-models.md +349 -0
  277. package/content/plugins/psychology/skills/agileflow-retention/references/retention-patterns.md +279 -0
  278. package/content/plugins/psychology/skills/agileflow-retention/workflows/design-retention-feature.md +287 -0
  279. package/content/plugins/psychology/skills/agileflow-retention/workflows/retention-audit.md +259 -0
  280. package/content/plugins/refactoring/plugin.yaml +14 -0
  281. package/content/plugins/refactoring/skills/agileflow-refactor/SKILL.md +235 -0
  282. package/content/plugins/refactoring/skills/agileflow-refactor/references/refactoring-patterns.md +405 -0
  283. package/content/plugins/refactoring/skills/agileflow-refactor/references/safety-checks.md +177 -0
  284. package/content/plugins/refactoring/skills/agileflow-refactor/workflows/extract-module.md +226 -0
  285. package/content/plugins/refactoring/skills/agileflow-refactor/workflows/safe-refactor.md +169 -0
  286. package/content/plugins/research/agents/research.md +503 -0
  287. package/content/plugins/research/plugin.yaml +17 -0
  288. package/content/plugins/research/skills/agileflow-research/SKILL.md +110 -0
  289. package/content/plugins/research/skills/agileflow-research/references/knowledge-decay-guide.md +121 -0
  290. package/content/plugins/research/skills/agileflow-research/references/research-prompt-guide.md +141 -0
  291. package/content/plugins/research/skills/agileflow-research/references/synthesis-template.md +154 -0
  292. package/content/plugins/research/skills/agileflow-research/workflows/analyze.md +60 -0
  293. package/content/plugins/research/skills/agileflow-research/workflows/ask.md +64 -0
  294. package/content/plugins/research/skills/agileflow-research/workflows/import.md +66 -0
  295. package/content/plugins/research/skills/agileflow-research/workflows/synthesize.md +66 -0
  296. package/content/plugins/reviews/plugin.yaml +14 -0
  297. package/content/plugins/reviews/skills/agileflow-pr-reviewer/SKILL.md +241 -0
  298. package/content/plugins/reviews/skills/agileflow-pr-reviewer/references/review-checklist.md +200 -0
  299. package/content/plugins/reviews/skills/agileflow-pr-reviewer/references/security-patterns.md +328 -0
  300. package/content/plugins/reviews/skills/agileflow-pr-reviewer/workflows/review-pr.md +153 -0
  301. package/content/plugins/reviews/skills/agileflow-pr-reviewer/workflows/security-review.md +177 -0
  302. package/content/plugins/seo/agents/seo-analyzer-content.md +169 -0
  303. package/content/plugins/seo/agents/seo-analyzer-images.md +198 -0
  304. package/content/plugins/seo/agents/seo-analyzer-performance.md +217 -0
  305. package/content/plugins/seo/agents/seo-analyzer-schema.md +184 -0
  306. package/content/plugins/seo/agents/seo-analyzer-sitemap.md +177 -0
  307. package/content/plugins/seo/agents/seo-analyzer-technical.md +151 -0
  308. package/content/plugins/seo/agents/seo-consensus.md +304 -0
  309. package/content/plugins/seo/plugin.yaml +29 -0
  310. package/content/plugins/seo/skills/agileflow-seo/SKILL.md +188 -0
  311. package/content/plugins/seo/skills/agileflow-seo/references/cwv-thresholds.md +110 -0
  312. package/content/plugins/seo/skills/agileflow-seo/references/eeat-framework.md +144 -0
  313. package/content/plugins/seo/skills/agileflow-seo/references/keyword-research-guide.md +125 -0
  314. package/content/plugins/seo/skills/agileflow-seo/references/schema-types.md +139 -0
  315. package/content/plugins/seo/skills/agileflow-seo/references/technical-seo-checklist.md +139 -0
  316. package/content/plugins/seo/skills/agileflow-seo/workflows/audit.md +98 -0
  317. package/content/plugins/seo/skills/agileflow-seo/workflows/page.md +118 -0
  318. package/content/plugins/testing/plugin.yaml +16 -0
  319. package/content/plugins/testing/skills/agileflow-test-writer/SKILL.md +260 -0
  320. package/content/plugins/testing/skills/agileflow-test-writer/references/coverage-targets.md +239 -0
  321. package/content/plugins/testing/skills/agileflow-test-writer/references/test-patterns.md +420 -0
  322. package/content/plugins/testing/skills/agileflow-test-writer/workflows/add-coverage.md +154 -0
  323. package/content/plugins/testing/skills/agileflow-test-writer/workflows/write-tests-from-ac.md +225 -0
  324. package/package.json +30 -50
  325. package/src/cli/commands/doctor.js +947 -0
  326. package/src/cli/commands/hook.js +83 -0
  327. package/src/cli/commands/launch.js +1385 -0
  328. package/src/cli/commands/learn.js +149 -0
  329. package/src/cli/commands/plugins.js +113 -0
  330. package/src/cli/commands/setup.js +637 -0
  331. package/src/cli/commands/skills.js +324 -0
  332. package/src/cli/commands/status.js +45 -0
  333. package/src/cli/commands/update.js +144 -0
  334. package/src/cli/index.js +137 -0
  335. package/src/cli/wizard/babysit-mode-picker.js +192 -0
  336. package/src/cli/wizard/behaviors-picker.js +262 -0
  337. package/src/cli/wizard/ide-picker.js +69 -0
  338. package/src/cli/wizard/install-scope-picker.js +57 -0
  339. package/src/cli/wizard/launch-alias-picker.js +50 -0
  340. package/src/cli/wizard/launch-cli-picker.js +129 -0
  341. package/src/cli/wizard/launch-tmux-picker.js +133 -0
  342. package/src/cli/wizard/learnings-picker.js +40 -0
  343. package/src/cli/wizard/plugin-picker.js +137 -0
  344. package/src/lib/brand.js +116 -0
  345. package/src/lib/errors.js +120 -0
  346. package/src/lib/hash.js +41 -0
  347. package/src/lib/path-check.js +39 -0
  348. package/src/runtime/config/defaults.js +66 -0
  349. package/src/runtime/config/loader.js +186 -0
  350. package/src/runtime/config/schema.json +126 -0
  351. package/src/runtime/config/writer.js +57 -0
  352. package/src/runtime/hooks/aggregator.js +157 -0
  353. package/src/runtime/hooks/chain.js +93 -0
  354. package/src/runtime/hooks/logger.js +68 -0
  355. package/src/runtime/hooks/manifest-loader.js +228 -0
  356. package/src/runtime/hooks/orchestrator.js +322 -0
  357. package/src/runtime/ide/babysit-skill.js +202 -0
  358. package/src/runtime/ide/capabilities.js +166 -0
  359. package/src/runtime/ide/claude-code-content.js +177 -0
  360. package/src/runtime/ide/claude-code-settings.js +272 -0
  361. package/src/runtime/ide/claude-code-skills.js +217 -0
  362. package/src/runtime/ide/codex-config.js +295 -0
  363. package/src/runtime/installer/file-index.js +112 -0
  364. package/src/runtime/installer/install.js +557 -0
  365. package/src/runtime/installer/stash.js +61 -0
  366. package/src/runtime/installer/sync-engine.js +205 -0
  367. package/src/runtime/launch/alias-installer.js +191 -0
  368. package/src/runtime/launch/cli-resume.js +244 -0
  369. package/src/runtime/launch/closed-windows.js +338 -0
  370. package/src/runtime/launch/defaults.js +66 -0
  371. package/src/runtime/launch/detect-clis.js +69 -0
  372. package/src/runtime/launch/doctor.js +464 -0
  373. package/src/runtime/launch/exec-wrapper.js +114 -0
  374. package/src/runtime/launch/parallel-session.js +247 -0
  375. package/src/runtime/launch/prefs.js +211 -0
  376. package/src/runtime/launch/project-prefs.js +234 -0
  377. package/src/runtime/launch/resolve-cli.js +56 -0
  378. package/src/runtime/launch/restore.js +142 -0
  379. package/src/runtime/launch/schema.json +75 -0
  380. package/src/runtime/launch/session-lifecycle.js +313 -0
  381. package/src/runtime/launch/session-registry.js +401 -0
  382. package/src/runtime/launch/spawn.js +103 -0
  383. package/src/runtime/launch/tabs.js +315 -0
  384. package/src/runtime/launch/tmux.js +654 -0
  385. package/src/runtime/launch/worktree.js +260 -0
  386. package/src/runtime/plugins/registry.js +137 -0
  387. package/src/runtime/plugins/resolver.js +138 -0
  388. package/src/runtime/plugins/validator.js +210 -0
  389. package/src/runtime/skills/learnings.js +308 -0
  390. package/src/runtime/skills/validator.js +335 -0
  391. package/lib/README.md +0 -178
  392. package/lib/api-routes.js +0 -625
  393. package/lib/api-server.js +0 -278
  394. package/lib/cache-provider.js +0 -155
  395. package/lib/codebase-indexer.js +0 -819
  396. package/lib/colors.generated.js +0 -117
  397. package/lib/colors.js +0 -341
  398. package/lib/consent.js +0 -232
  399. package/lib/content-sanitizer.js +0 -464
  400. package/lib/correlation.js +0 -277
  401. package/lib/drivers/claude-driver.ts +0 -312
  402. package/lib/drivers/codex-driver.ts +0 -464
  403. package/lib/drivers/driver-manager.ts +0 -159
  404. package/lib/drivers/gemini-driver.ts +0 -498
  405. package/lib/drivers/index.ts +0 -17
  406. package/lib/error-codes.js +0 -590
  407. package/lib/errors.js +0 -670
  408. package/lib/feature-flags.js +0 -171
  409. package/lib/feedback.js +0 -595
  410. package/lib/file-cache.js +0 -541
  411. package/lib/flag-detection.js +0 -344
  412. package/lib/format-error.js +0 -156
  413. package/lib/gate-runner.js +0 -282
  414. package/lib/generator-factory.js +0 -333
  415. package/lib/git-operations.js +0 -266
  416. package/lib/lazy-require.js +0 -59
  417. package/lib/lock-file.js +0 -144
  418. package/lib/logger.js +0 -106
  419. package/lib/merge-operations.js +0 -1006
  420. package/lib/path-resolver.js +0 -544
  421. package/lib/path-utils.js +0 -49
  422. package/lib/paths.js +0 -291
  423. package/lib/placeholder-registry.js +0 -822
  424. package/lib/process-executor.js +0 -214
  425. package/lib/progress.js +0 -334
  426. package/lib/protocol/driver.ts +0 -354
  427. package/lib/protocol/index.ts +0 -12
  428. package/lib/protocol/ir.ts +0 -271
  429. package/lib/registry-cache.js +0 -80
  430. package/lib/registry-di.js +0 -358
  431. package/lib/result-schema.js +0 -363
  432. package/lib/result.js +0 -210
  433. package/lib/session-display.js +0 -331
  434. package/lib/session-operations.js +0 -611
  435. package/lib/session-registry.js +0 -484
  436. package/lib/session-state-machine.js +0 -465
  437. package/lib/session-switching.js +0 -191
  438. package/lib/skill-loader.js +0 -213
  439. package/lib/smart-json-file.js +0 -682
  440. package/lib/state-machine.js +0 -286
  441. package/lib/table-formatter.js +0 -519
  442. package/lib/template-loader.js +0 -143
  443. package/lib/transient-status.js +0 -374
  444. package/lib/ui-manager.js +0 -612
  445. package/lib/validate-args.js +0 -213
  446. package/lib/validate-commands.js +0 -308
  447. package/lib/validate-names.js +0 -143
  448. package/lib/validate-paths.js +0 -434
  449. package/lib/validate.js +0 -134
  450. package/lib/worktree-operations.js +0 -201
  451. package/lib/yaml-utils.js +0 -164
  452. package/scripts/README.md +0 -267
  453. package/scripts/af +0 -34
  454. package/scripts/agent-loop.js +0 -879
  455. package/scripts/agileflow-configure.js +0 -368
  456. package/scripts/agileflow-statusline.sh +0 -857
  457. package/scripts/agileflow-welcome.js +0 -2246
  458. package/scripts/api-server-runner.js +0 -177
  459. package/scripts/archive-completed-stories.sh +0 -308
  460. package/scripts/auto-self-improve.js +0 -326
  461. package/scripts/automation-run-due.js +0 -128
  462. package/scripts/babysit-clear-restore.js +0 -154
  463. package/scripts/babysit-context-restore.js +0 -89
  464. package/scripts/backfill-ideation-status.js +0 -128
  465. package/scripts/batch-pmap-loop.js +0 -551
  466. package/scripts/check-sessions.js +0 -116
  467. package/scripts/check-update.js +0 -282
  468. package/scripts/ci-summary.js +0 -294
  469. package/scripts/claude-smart.sh +0 -85
  470. package/scripts/claude-tmux.sh +0 -737
  471. package/scripts/claude-watchdog.sh +0 -225
  472. package/scripts/clear-active-command.js +0 -48
  473. package/scripts/compress-status.sh +0 -116
  474. package/scripts/context-loader.js +0 -310
  475. package/scripts/damage-control/bash-tool-damage-control.js +0 -22
  476. package/scripts/damage-control/edit-tool-damage-control.js +0 -19
  477. package/scripts/damage-control/patterns.yaml +0 -227
  478. package/scripts/damage-control/write-tool-damage-control.js +0 -19
  479. package/scripts/damage-control-bash.js +0 -51
  480. package/scripts/damage-control-edit.js +0 -48
  481. package/scripts/damage-control-multi-agent.js +0 -231
  482. package/scripts/damage-control-write.js +0 -48
  483. package/scripts/dependency-check.js +0 -311
  484. package/scripts/document-repl.js +0 -793
  485. package/scripts/expertise-metrics.sh +0 -264
  486. package/scripts/generate-all.sh +0 -77
  487. package/scripts/generate-colors.js +0 -314
  488. package/scripts/generators/agent-registry.js +0 -183
  489. package/scripts/generators/command-registry.js +0 -166
  490. package/scripts/generators/index.js +0 -85
  491. package/scripts/generators/inject-babysit.js +0 -191
  492. package/scripts/generators/inject-help.js +0 -125
  493. package/scripts/generators/inject-readme.js +0 -166
  494. package/scripts/generators/skill-registry.js +0 -188
  495. package/scripts/get-env.js +0 -225
  496. package/scripts/init.sh +0 -76
  497. package/scripts/lib/README-portable-tasks.md +0 -424
  498. package/scripts/lib/ac-test-matcher.js +0 -452
  499. package/scripts/lib/audit-cleanup.js +0 -250
  500. package/scripts/lib/audit-registry.js +0 -340
  501. package/scripts/lib/automation-registry.js +0 -544
  502. package/scripts/lib/automation-runner.js +0 -476
  503. package/scripts/lib/browser-qa-evidence.js +0 -409
  504. package/scripts/lib/browser-qa-status.js +0 -192
  505. package/scripts/lib/bus-utils.js +0 -473
  506. package/scripts/lib/colors.generated.sh +0 -82
  507. package/scripts/lib/colors.sh +0 -46
  508. package/scripts/lib/command-prereqs.js +0 -280
  509. package/scripts/lib/concurrency-limiter.js +0 -511
  510. package/scripts/lib/configure-detect.js +0 -596
  511. package/scripts/lib/configure-features.js +0 -1927
  512. package/scripts/lib/configure-repair.js +0 -327
  513. package/scripts/lib/configure-utils.js +0 -114
  514. package/scripts/lib/context-formatter.js +0 -1158
  515. package/scripts/lib/context-loader.js +0 -840
  516. package/scripts/lib/counter.js +0 -103
  517. package/scripts/lib/damage-control-utils.js +0 -619
  518. package/scripts/lib/feature-catalog.js +0 -332
  519. package/scripts/lib/file-lock.js +0 -392
  520. package/scripts/lib/file-tracking.js +0 -735
  521. package/scripts/lib/frontmatter-parser.js +0 -133
  522. package/scripts/lib/gate-enforcer.js +0 -295
  523. package/scripts/lib/hook-metrics.js +0 -324
  524. package/scripts/lib/ideation-index.js +0 -1205
  525. package/scripts/lib/json-utils.sh +0 -162
  526. package/scripts/lib/lifecycle-detector.js +0 -125
  527. package/scripts/lib/model-profiles.js +0 -118
  528. package/scripts/lib/portable-tasks-cli.js +0 -274
  529. package/scripts/lib/portable-tasks.js +0 -479
  530. package/scripts/lib/process-cleanup.js +0 -527
  531. package/scripts/lib/quality-gates.js +0 -788
  532. package/scripts/lib/scale-detector.js +0 -396
  533. package/scripts/lib/sessionRegistry.js +0 -678
  534. package/scripts/lib/signal-detectors.js +0 -867
  535. package/scripts/lib/skill-catalog.js +0 -557
  536. package/scripts/lib/skill-recommender.js +0 -311
  537. package/scripts/lib/state-migrator.js +0 -353
  538. package/scripts/lib/status-task-bridge.js +0 -522
  539. package/scripts/lib/status-writer.js +0 -255
  540. package/scripts/lib/story-claiming.js +0 -704
  541. package/scripts/lib/story-state-machine.js +0 -437
  542. package/scripts/lib/sync-ideation-status.js +0 -291
  543. package/scripts/lib/task-registry-cache.js +0 -490
  544. package/scripts/lib/task-registry.js +0 -1191
  545. package/scripts/lib/task-sync.js +0 -230
  546. package/scripts/lib/tdd-phase-manager.js +0 -455
  547. package/scripts/lib/team-events.js +0 -510
  548. package/scripts/lib/tmux-audit-monitor.js +0 -612
  549. package/scripts/lib/tmux-group-colors.js +0 -113
  550. package/scripts/lib/tool-registry.yaml +0 -241
  551. package/scripts/lib/tool-shed.js +0 -441
  552. package/scripts/lib/validation-registry.js +0 -177
  553. package/scripts/messaging-bridge.js +0 -561
  554. package/scripts/migrate-ideation-index.js +0 -553
  555. package/scripts/native-team-observer.js +0 -219
  556. package/scripts/obtain-context.js +0 -272
  557. package/scripts/pre-push-check.sh +0 -46
  558. package/scripts/precompact-context.sh +0 -306
  559. package/scripts/query-codebase.js +0 -543
  560. package/scripts/ralph-loop.js +0 -1278
  561. package/scripts/resume-session.sh +0 -121
  562. package/scripts/screenshot-verifier.js +0 -215
  563. package/scripts/session-boundary.js +0 -138
  564. package/scripts/session-coordinator.sh +0 -232
  565. package/scripts/session-manager.js +0 -546
  566. package/scripts/smart-detect.js +0 -449
  567. package/scripts/spawn-audit-sessions.js +0 -877
  568. package/scripts/spawn-parallel.js +0 -751
  569. package/scripts/strip-ai-attribution.js +0 -63
  570. package/scripts/task-completed-gate.js +0 -237
  571. package/scripts/team-manager.js +0 -596
  572. package/scripts/team-status-display.js +0 -200
  573. package/scripts/teammate-idle-gate.js +0 -237
  574. package/scripts/test-session-boundary.js +0 -80
  575. package/scripts/tmux-close-windows.sh +0 -180
  576. package/scripts/tmux-restore-window.sh +0 -67
  577. package/scripts/tmux-save-closed-window.sh +0 -35
  578. package/scripts/tui/App.js +0 -151
  579. package/scripts/tui/Dashboard.js +0 -277
  580. package/scripts/tui/blessed/data/watcher.js +0 -180
  581. package/scripts/tui/blessed/index.js +0 -244
  582. package/scripts/tui/blessed/panels/output.js +0 -101
  583. package/scripts/tui/blessed/panels/sessions.js +0 -150
  584. package/scripts/tui/blessed/panels/trace.js +0 -97
  585. package/scripts/tui/blessed/ui/help.js +0 -77
  586. package/scripts/tui/blessed/ui/screen.js +0 -52
  587. package/scripts/tui/blessed/ui/statusbar.js +0 -47
  588. package/scripts/tui/blessed/ui/tabbar.js +0 -99
  589. package/scripts/tui/index.js +0 -70
  590. package/scripts/tui/lib/crashRecovery.js +0 -304
  591. package/scripts/tui/lib/eventStream.js +0 -309
  592. package/scripts/tui/lib/keyboard.js +0 -261
  593. package/scripts/tui/lib/loopControl.js +0 -371
  594. package/scripts/tui/panels/OutputPanel.js +0 -240
  595. package/scripts/tui/panels/SessionPanel.js +0 -170
  596. package/scripts/tui/panels/TracePanel.js +0 -298
  597. package/scripts/tui/simple-tui.js +0 -510
  598. package/scripts/validate-expertise.sh +0 -263
  599. package/scripts/validate-tokens.sh +0 -73
  600. package/scripts/validators/README.md +0 -143
  601. package/scripts/validators/component-validator.js +0 -239
  602. package/scripts/validators/json-schema-validator.js +0 -186
  603. package/scripts/validators/markdown-validator.js +0 -152
  604. package/scripts/validators/migration-validator.js +0 -129
  605. package/scripts/validators/security-validator.js +0 -380
  606. package/scripts/validators/story-format-validator.js +0 -197
  607. package/scripts/validators/test-result-validator.js +0 -114
  608. package/scripts/validators/workflow-validator.js +0 -247
  609. package/scripts/welcome-deferred.js +0 -437
  610. package/scripts/worktree-create.sh +0 -111
  611. package/src/core/agents/a11y-analyzer-aria.md +0 -155
  612. package/src/core/agents/a11y-analyzer-forms.md +0 -162
  613. package/src/core/agents/a11y-analyzer-keyboard.md +0 -175
  614. package/src/core/agents/a11y-analyzer-semantic.md +0 -153
  615. package/src/core/agents/a11y-analyzer-visual.md +0 -158
  616. package/src/core/agents/a11y-consensus.md +0 -248
  617. package/src/core/agents/accessibility.md +0 -515
  618. package/src/core/agents/adr-writer.md +0 -463
  619. package/src/core/agents/ads-audit-budget.md +0 -181
  620. package/src/core/agents/ads-audit-compliance.md +0 -169
  621. package/src/core/agents/ads-audit-creative.md +0 -164
  622. package/src/core/agents/ads-audit-google.md +0 -226
  623. package/src/core/agents/ads-audit-meta.md +0 -183
  624. package/src/core/agents/ads-audit-tracking.md +0 -197
  625. package/src/core/agents/ads-consensus.md +0 -396
  626. package/src/core/agents/ads-generate.md +0 -145
  627. package/src/core/agents/ads-performance-tracker.md +0 -197
  628. package/src/core/agents/analytics.md +0 -617
  629. package/src/core/agents/api-quality-analyzer-conventions.md +0 -148
  630. package/src/core/agents/api-quality-analyzer-docs.md +0 -176
  631. package/src/core/agents/api-quality-analyzer-errors.md +0 -183
  632. package/src/core/agents/api-quality-analyzer-pagination.md +0 -171
  633. package/src/core/agents/api-quality-analyzer-versioning.md +0 -143
  634. package/src/core/agents/api-quality-consensus.md +0 -214
  635. package/src/core/agents/api-validator.md +0 -183
  636. package/src/core/agents/api.md +0 -665
  637. package/src/core/agents/arch-analyzer-circular.md +0 -148
  638. package/src/core/agents/arch-analyzer-complexity.md +0 -171
  639. package/src/core/agents/arch-analyzer-coupling.md +0 -146
  640. package/src/core/agents/arch-analyzer-layering.md +0 -151
  641. package/src/core/agents/arch-analyzer-patterns.md +0 -162
  642. package/src/core/agents/arch-consensus.md +0 -227
  643. package/src/core/agents/brainstorm-analyzer-features.md +0 -169
  644. package/src/core/agents/brainstorm-analyzer-growth.md +0 -161
  645. package/src/core/agents/brainstorm-analyzer-integration.md +0 -172
  646. package/src/core/agents/brainstorm-analyzer-market.md +0 -147
  647. package/src/core/agents/brainstorm-analyzer-ux.md +0 -167
  648. package/src/core/agents/brainstorm-consensus.md +0 -237
  649. package/src/core/agents/browser-qa.md +0 -328
  650. package/src/core/agents/ci.md +0 -511
  651. package/src/core/agents/code-reviewer.md +0 -288
  652. package/src/core/agents/codebase-query.md +0 -266
  653. package/src/core/agents/completeness-analyzer-api.md +0 -190
  654. package/src/core/agents/completeness-analyzer-conditional.md +0 -201
  655. package/src/core/agents/completeness-analyzer-handlers.md +0 -159
  656. package/src/core/agents/completeness-analyzer-imports.md +0 -159
  657. package/src/core/agents/completeness-analyzer-routes.md +0 -182
  658. package/src/core/agents/completeness-analyzer-state.md +0 -188
  659. package/src/core/agents/completeness-analyzer-stubs.md +0 -198
  660. package/src/core/agents/completeness-consensus.md +0 -286
  661. package/src/core/agents/compliance.md +0 -509
  662. package/src/core/agents/council-advocate.md +0 -206
  663. package/src/core/agents/council-analyst.md +0 -252
  664. package/src/core/agents/council-optimist.md +0 -170
  665. package/src/core/agents/database.md +0 -601
  666. package/src/core/agents/datamigration.md +0 -699
  667. package/src/core/agents/design.md +0 -525
  668. package/src/core/agents/devops.md +0 -720
  669. package/src/core/agents/documentation.md +0 -504
  670. package/src/core/agents/epic-planner.md +0 -480
  671. package/src/core/agents/error-analyzer.md +0 -201
  672. package/src/core/agents/integrations.md +0 -603
  673. package/src/core/agents/legal-analyzer-a11y.md +0 -110
  674. package/src/core/agents/legal-analyzer-ai.md +0 -117
  675. package/src/core/agents/legal-analyzer-consumer.md +0 -108
  676. package/src/core/agents/legal-analyzer-content.md +0 -113
  677. package/src/core/agents/legal-analyzer-international.md +0 -115
  678. package/src/core/agents/legal-analyzer-licensing.md +0 -115
  679. package/src/core/agents/legal-analyzer-privacy.md +0 -108
  680. package/src/core/agents/legal-analyzer-security.md +0 -112
  681. package/src/core/agents/legal-analyzer-terms.md +0 -111
  682. package/src/core/agents/legal-consensus.md +0 -242
  683. package/src/core/agents/logic-analyzer-edge.md +0 -170
  684. package/src/core/agents/logic-analyzer-flow.md +0 -253
  685. package/src/core/agents/logic-analyzer-invariant.md +0 -206
  686. package/src/core/agents/logic-analyzer-race.md +0 -266
  687. package/src/core/agents/logic-analyzer-type.md +0 -217
  688. package/src/core/agents/logic-consensus.md +0 -253
  689. package/src/core/agents/mentor.md +0 -654
  690. package/src/core/agents/mobile.md +0 -501
  691. package/src/core/agents/monitoring.md +0 -537
  692. package/src/core/agents/multi-expert.md +0 -311
  693. package/src/core/agents/orchestrator.md +0 -749
  694. package/src/core/agents/perf-analyzer-assets.md +0 -174
  695. package/src/core/agents/perf-analyzer-bundle.md +0 -165
  696. package/src/core/agents/perf-analyzer-caching.md +0 -160
  697. package/src/core/agents/perf-analyzer-compute.md +0 -165
  698. package/src/core/agents/perf-analyzer-memory.md +0 -182
  699. package/src/core/agents/perf-analyzer-network.md +0 -157
  700. package/src/core/agents/perf-analyzer-queries.md +0 -155
  701. package/src/core/agents/perf-analyzer-rendering.md +0 -156
  702. package/src/core/agents/perf-consensus.md +0 -280
  703. package/src/core/agents/performance.md +0 -492
  704. package/src/core/agents/product.md +0 -535
  705. package/src/core/agents/qa.md +0 -765
  706. package/src/core/agents/readme-updater.md +0 -579
  707. package/src/core/agents/refactor.md +0 -558
  708. package/src/core/agents/research.md +0 -453
  709. package/src/core/agents/rlm-subcore.md +0 -207
  710. package/src/core/agents/schema-validator.md +0 -454
  711. package/src/core/agents/security-analyzer-api.md +0 -199
  712. package/src/core/agents/security-analyzer-auth.md +0 -160
  713. package/src/core/agents/security-analyzer-authz.md +0 -168
  714. package/src/core/agents/security-analyzer-deps.md +0 -147
  715. package/src/core/agents/security-analyzer-infra.md +0 -176
  716. package/src/core/agents/security-analyzer-injection.md +0 -148
  717. package/src/core/agents/security-analyzer-input.md +0 -191
  718. package/src/core/agents/security-analyzer-secrets.md +0 -175
  719. package/src/core/agents/security-consensus.md +0 -276
  720. package/src/core/agents/security.md +0 -486
  721. package/src/core/agents/seo-analyzer-content.md +0 -167
  722. package/src/core/agents/seo-analyzer-images.md +0 -187
  723. package/src/core/agents/seo-analyzer-performance.md +0 -206
  724. package/src/core/agents/seo-analyzer-schema.md +0 -176
  725. package/src/core/agents/seo-analyzer-sitemap.md +0 -172
  726. package/src/core/agents/seo-analyzer-technical.md +0 -144
  727. package/src/core/agents/seo-consensus.md +0 -289
  728. package/src/core/agents/team-coordinator.md +0 -333
  729. package/src/core/agents/team-lead.md +0 -171
  730. package/src/core/agents/test-analyzer-assertions.md +0 -181
  731. package/src/core/agents/test-analyzer-coverage.md +0 -183
  732. package/src/core/agents/test-analyzer-fragility.md +0 -185
  733. package/src/core/agents/test-analyzer-integration.md +0 -155
  734. package/src/core/agents/test-analyzer-maintenance.md +0 -173
  735. package/src/core/agents/test-analyzer-mocking.md +0 -178
  736. package/src/core/agents/test-analyzer-patterns.md +0 -189
  737. package/src/core/agents/test-analyzer-structure.md +0 -177
  738. package/src/core/agents/test-consensus.md +0 -294
  739. package/src/core/agents/testing.md +0 -527
  740. package/src/core/agents/ui-validator.md +0 -331
  741. package/src/core/agents/ui.md +0 -1227
  742. package/src/core/commands/adr/list.md +0 -191
  743. package/src/core/commands/adr/update.md +0 -258
  744. package/src/core/commands/adr/view.md +0 -274
  745. package/src/core/commands/adr.md +0 -394
  746. package/src/core/commands/ads/audit.md +0 -453
  747. package/src/core/commands/ads/budget.md +0 -97
  748. package/src/core/commands/ads/competitor.md +0 -112
  749. package/src/core/commands/ads/creative.md +0 -85
  750. package/src/core/commands/ads/generate.md +0 -238
  751. package/src/core/commands/ads/google.md +0 -112
  752. package/src/core/commands/ads/health.md +0 -327
  753. package/src/core/commands/ads/landing.md +0 -119
  754. package/src/core/commands/ads/linkedin.md +0 -112
  755. package/src/core/commands/ads/meta.md +0 -91
  756. package/src/core/commands/ads/microsoft.md +0 -115
  757. package/src/core/commands/ads/plan.md +0 -321
  758. package/src/core/commands/ads/test-plan.md +0 -317
  759. package/src/core/commands/ads/tiktok.md +0 -129
  760. package/src/core/commands/ads/track.md +0 -288
  761. package/src/core/commands/ads/youtube.md +0 -124
  762. package/src/core/commands/ads.md +0 -140
  763. package/src/core/commands/agent.md +0 -256
  764. package/src/core/commands/api.md +0 -267
  765. package/src/core/commands/assign.md +0 -369
  766. package/src/core/commands/audit.md +0 -531
  767. package/src/core/commands/auto.md +0 -556
  768. package/src/core/commands/automate.md +0 -415
  769. package/src/core/commands/babysit.md +0 -643
  770. package/src/core/commands/baseline.md +0 -743
  771. package/src/core/commands/batch.md +0 -551
  772. package/src/core/commands/blockers.md +0 -602
  773. package/src/core/commands/board.md +0 -509
  774. package/src/core/commands/browser-qa.md +0 -240
  775. package/src/core/commands/changelog.md +0 -582
  776. package/src/core/commands/choose.md +0 -430
  777. package/src/core/commands/ci.md +0 -330
  778. package/src/core/commands/code/accessibility.md +0 -363
  779. package/src/core/commands/code/api.md +0 -313
  780. package/src/core/commands/code/architecture.md +0 -313
  781. package/src/core/commands/code/completeness.md +0 -519
  782. package/src/core/commands/code/legal.md +0 -509
  783. package/src/core/commands/code/logic.md +0 -432
  784. package/src/core/commands/code/performance.md +0 -506
  785. package/src/core/commands/code/security.md +0 -509
  786. package/src/core/commands/code/test.md +0 -505
  787. package/src/core/commands/compress.md +0 -408
  788. package/src/core/commands/configure.md +0 -1159
  789. package/src/core/commands/context/export.md +0 -296
  790. package/src/core/commands/context/full.md +0 -353
  791. package/src/core/commands/context/note.md +0 -380
  792. package/src/core/commands/council.md +0 -592
  793. package/src/core/commands/debt.md +0 -491
  794. package/src/core/commands/deploy.md +0 -864
  795. package/src/core/commands/deps.md +0 -728
  796. package/src/core/commands/diagnose.md +0 -404
  797. package/src/core/commands/docs.md +0 -469
  798. package/src/core/commands/epic/edit.md +0 -213
  799. package/src/core/commands/epic/list.md +0 -190
  800. package/src/core/commands/epic/view.md +0 -267
  801. package/src/core/commands/epic.md +0 -477
  802. package/src/core/commands/export.md +0 -238
  803. package/src/core/commands/feedback.md +0 -603
  804. package/src/core/commands/handoff.md +0 -386
  805. package/src/core/commands/help.md +0 -194
  806. package/src/core/commands/ideate/brief.md +0 -363
  807. package/src/core/commands/ideate/discover.md +0 -399
  808. package/src/core/commands/ideate/features.md +0 -497
  809. package/src/core/commands/ideate/history.md +0 -403
  810. package/src/core/commands/ideate/new.md +0 -900
  811. package/src/core/commands/impact.md +0 -407
  812. package/src/core/commands/install.md +0 -529
  813. package/src/core/commands/learn/explain.md +0 -118
  814. package/src/core/commands/learn/glossary.md +0 -135
  815. package/src/core/commands/learn/patterns.md +0 -138
  816. package/src/core/commands/learn/tour.md +0 -126
  817. package/src/core/commands/maintain.md +0 -558
  818. package/src/core/commands/metrics.md +0 -844
  819. package/src/core/commands/migrate/codemods.md +0 -151
  820. package/src/core/commands/migrate/plan.md +0 -131
  821. package/src/core/commands/migrate/scan.md +0 -114
  822. package/src/core/commands/migrate/validate.md +0 -119
  823. package/src/core/commands/multi-expert.md +0 -447
  824. package/src/core/commands/packages.md +0 -535
  825. package/src/core/commands/pr.md +0 -337
  826. package/src/core/commands/readme-sync.md +0 -329
  827. package/src/core/commands/research/analyze.md +0 -798
  828. package/src/core/commands/research/ask.md +0 -864
  829. package/src/core/commands/research/import.md +0 -1025
  830. package/src/core/commands/research/list.md +0 -273
  831. package/src/core/commands/research/synthesize.md +0 -928
  832. package/src/core/commands/research/view.md +0 -323
  833. package/src/core/commands/retro.md +0 -795
  834. package/src/core/commands/review.md +0 -694
  835. package/src/core/commands/rlm.md +0 -446
  836. package/src/core/commands/roadmap/analyze.md +0 -400
  837. package/src/core/commands/rpi.md +0 -633
  838. package/src/core/commands/seo/audit.md +0 -444
  839. package/src/core/commands/seo/competitor.md +0 -174
  840. package/src/core/commands/seo/content.md +0 -107
  841. package/src/core/commands/seo/geo.md +0 -229
  842. package/src/core/commands/seo/hreflang.md +0 -140
  843. package/src/core/commands/seo/images.md +0 -96
  844. package/src/core/commands/seo/page.md +0 -198
  845. package/src/core/commands/seo/plan.md +0 -163
  846. package/src/core/commands/seo/programmatic.md +0 -131
  847. package/src/core/commands/seo/references/cwv-thresholds.md +0 -64
  848. package/src/core/commands/seo/references/eeat-framework.md +0 -110
  849. package/src/core/commands/seo/references/quality-gates.md +0 -91
  850. package/src/core/commands/seo/references/schema-types.md +0 -102
  851. package/src/core/commands/seo/schema.md +0 -183
  852. package/src/core/commands/seo/sitemap.md +0 -97
  853. package/src/core/commands/seo/technical.md +0 -100
  854. package/src/core/commands/seo.md +0 -107
  855. package/src/core/commands/session/cleanup.md +0 -452
  856. package/src/core/commands/session/end.md +0 -865
  857. package/src/core/commands/session/history.md +0 -293
  858. package/src/core/commands/session/init.md +0 -210
  859. package/src/core/commands/session/new.md +0 -827
  860. package/src/core/commands/session/resume.md +0 -291
  861. package/src/core/commands/session/spawn.md +0 -205
  862. package/src/core/commands/session/status.md +0 -274
  863. package/src/core/commands/skill/list.md +0 -139
  864. package/src/core/commands/skill/recommend.md +0 -216
  865. package/src/core/commands/sprint.md +0 -714
  866. package/src/core/commands/status/undo.md +0 -191
  867. package/src/core/commands/status.md +0 -423
  868. package/src/core/commands/story/edit.md +0 -204
  869. package/src/core/commands/story/list.md +0 -199
  870. package/src/core/commands/story/view.md +0 -312
  871. package/src/core/commands/story-validate.md +0 -491
  872. package/src/core/commands/story.md +0 -465
  873. package/src/core/commands/tdd-next.md +0 -238
  874. package/src/core/commands/tdd.md +0 -211
  875. package/src/core/commands/team/guide.md +0 -688
  876. package/src/core/commands/team/list.md +0 -59
  877. package/src/core/commands/team/start.md +0 -130
  878. package/src/core/commands/team/status.md +0 -66
  879. package/src/core/commands/team/stop.md +0 -78
  880. package/src/core/commands/template.md +0 -644
  881. package/src/core/commands/tests.md +0 -731
  882. package/src/core/commands/update.md +0 -591
  883. package/src/core/commands/validate-expertise.md +0 -305
  884. package/src/core/commands/velocity.md +0 -630
  885. package/src/core/commands/verify.md +0 -534
  886. package/src/core/commands/whats-new.md +0 -201
  887. package/src/core/commands/workflow.md +0 -449
  888. package/src/core/council/sessions/.gitkeep +0 -0
  889. package/src/core/council/shared_reasoning.template.md +0 -106
  890. package/src/core/experts/README.md +0 -236
  891. package/src/core/experts/_core-expertise.yaml +0 -105
  892. package/src/core/experts/accessibility/expertise.yaml +0 -115
  893. package/src/core/experts/accessibility/question.md +0 -41
  894. package/src/core/experts/accessibility/self-improve.md +0 -45
  895. package/src/core/experts/accessibility/workflow.md +0 -59
  896. package/src/core/experts/adr-writer/expertise.yaml +0 -138
  897. package/src/core/experts/adr-writer/question.md +0 -56
  898. package/src/core/experts/adr-writer/self-improve.md +0 -106
  899. package/src/core/experts/adr-writer/workflow.md +0 -184
  900. package/src/core/experts/analytics/expertise.yaml +0 -119
  901. package/src/core/experts/analytics/question.md +0 -74
  902. package/src/core/experts/analytics/self-improve.md +0 -163
  903. package/src/core/experts/analytics/workflow.md +0 -272
  904. package/src/core/experts/api/expertise.yaml +0 -124
  905. package/src/core/experts/api/question.md +0 -74
  906. package/src/core/experts/api/self-improve.md +0 -122
  907. package/src/core/experts/api/workflow.md +0 -248
  908. package/src/core/experts/ci/expertise.yaml +0 -106
  909. package/src/core/experts/ci/question.md +0 -69
  910. package/src/core/experts/ci/self-improve.md +0 -100
  911. package/src/core/experts/ci/workflow.md +0 -145
  912. package/src/core/experts/codebase-query/expertise.yaml +0 -121
  913. package/src/core/experts/codebase-query/question.md +0 -73
  914. package/src/core/experts/codebase-query/self-improve.md +0 -105
  915. package/src/core/experts/compliance/expertise.yaml +0 -101
  916. package/src/core/experts/compliance/question.md +0 -56
  917. package/src/core/experts/compliance/self-improve.md +0 -106
  918. package/src/core/experts/compliance/workflow.md +0 -184
  919. package/src/core/experts/database/expertise.yaml +0 -109
  920. package/src/core/experts/database/question.md +0 -74
  921. package/src/core/experts/database/self-improve.md +0 -121
  922. package/src/core/experts/database/workflow.md +0 -234
  923. package/src/core/experts/datamigration/expertise.yaml +0 -141
  924. package/src/core/experts/datamigration/question.md +0 -56
  925. package/src/core/experts/datamigration/self-improve.md +0 -106
  926. package/src/core/experts/datamigration/workflow.md +0 -184
  927. package/src/core/experts/design/expertise.yaml +0 -116
  928. package/src/core/experts/design/question.md +0 -56
  929. package/src/core/experts/design/self-improve.md +0 -106
  930. package/src/core/experts/design/workflow.md +0 -184
  931. package/src/core/experts/devops/expertise.yaml +0 -116
  932. package/src/core/experts/devops/question.md +0 -68
  933. package/src/core/experts/devops/self-improve.md +0 -102
  934. package/src/core/experts/devops/workflow.md +0 -142
  935. package/src/core/experts/documentation/expertise.yaml +0 -126
  936. package/src/core/experts/documentation/question.md +0 -41
  937. package/src/core/experts/documentation/self-improve.md +0 -45
  938. package/src/core/experts/documentation/workflow.md +0 -55
  939. package/src/core/experts/epic-planner/expertise.yaml +0 -144
  940. package/src/core/experts/epic-planner/question.md +0 -56
  941. package/src/core/experts/epic-planner/self-improve.md +0 -106
  942. package/src/core/experts/epic-planner/workflow.md +0 -184
  943. package/src/core/experts/integrations/expertise.yaml +0 -113
  944. package/src/core/experts/integrations/question.md +0 -74
  945. package/src/core/experts/integrations/self-improve.md +0 -151
  946. package/src/core/experts/integrations/workflow.md +0 -246
  947. package/src/core/experts/mentor/expertise.yaml +0 -125
  948. package/src/core/experts/mentor/question.md +0 -56
  949. package/src/core/experts/mentor/self-improve.md +0 -106
  950. package/src/core/experts/mentor/workflow.md +0 -184
  951. package/src/core/experts/mobile/expertise.yaml +0 -136
  952. package/src/core/experts/mobile/question.md +0 -72
  953. package/src/core/experts/mobile/self-improve.md +0 -140
  954. package/src/core/experts/mobile/workflow.md +0 -240
  955. package/src/core/experts/monitoring/expertise.yaml +0 -132
  956. package/src/core/experts/monitoring/question.md +0 -76
  957. package/src/core/experts/monitoring/self-improve.md +0 -150
  958. package/src/core/experts/monitoring/workflow.md +0 -264
  959. package/src/core/experts/performance/expertise.yaml +0 -68
  960. package/src/core/experts/performance/question.md +0 -41
  961. package/src/core/experts/performance/self-improve.md +0 -45
  962. package/src/core/experts/performance/workflow.md +0 -61
  963. package/src/core/experts/product/expertise.yaml +0 -143
  964. package/src/core/experts/product/question.md +0 -56
  965. package/src/core/experts/product/self-improve.md +0 -106
  966. package/src/core/experts/product/workflow.md +0 -184
  967. package/src/core/experts/qa/expertise.yaml +0 -110
  968. package/src/core/experts/qa/question.md +0 -56
  969. package/src/core/experts/qa/self-improve.md +0 -106
  970. package/src/core/experts/qa/workflow.md +0 -184
  971. package/src/core/experts/readme-updater/expertise.yaml +0 -141
  972. package/src/core/experts/readme-updater/question.md +0 -56
  973. package/src/core/experts/readme-updater/self-improve.md +0 -106
  974. package/src/core/experts/readme-updater/workflow.md +0 -184
  975. package/src/core/experts/refactor/expertise.yaml +0 -135
  976. package/src/core/experts/refactor/question.md +0 -41
  977. package/src/core/experts/refactor/self-improve.md +0 -45
  978. package/src/core/experts/refactor/workflow.md +0 -57
  979. package/src/core/experts/research/expertise.yaml +0 -143
  980. package/src/core/experts/research/question.md +0 -56
  981. package/src/core/experts/research/self-improve.md +0 -106
  982. package/src/core/experts/research/workflow.md +0 -184
  983. package/src/core/experts/security/expertise.yaml +0 -117
  984. package/src/core/experts/security/question.md +0 -77
  985. package/src/core/experts/security/self-improve.md +0 -102
  986. package/src/core/experts/security/workflow.md +0 -152
  987. package/src/core/experts/templates/expertise-template.yaml +0 -67
  988. package/src/core/experts/templates/question-template.md +0 -56
  989. package/src/core/experts/templates/self-improve-template.md +0 -106
  990. package/src/core/experts/templates/workflow-template.md +0 -184
  991. package/src/core/experts/testing/expertise.yaml +0 -112
  992. package/src/core/experts/testing/question.md +0 -68
  993. package/src/core/experts/testing/self-improve.md +0 -102
  994. package/src/core/experts/testing/workflow.md +0 -143
  995. package/src/core/experts/ui/expertise.yaml +0 -133
  996. package/src/core/experts/ui/question.md +0 -74
  997. package/src/core/experts/ui/self-improve.md +0 -122
  998. package/src/core/experts/ui/workflow.md +0 -262
  999. package/src/core/knowledge/ads/ad-audit-checklist-scoring.md +0 -424
  1000. package/src/core/knowledge/ads/ad-optimization-logic.md +0 -590
  1001. package/src/core/knowledge/ads/ad-technical-specifications.md +0 -385
  1002. package/src/core/knowledge/ads/definitive-advertising-reference-2026.md +0 -506
  1003. package/src/core/knowledge/ads/paid-advertising-research-2026.md +0 -445
  1004. package/src/core/profiles/COMPARISON.md +0 -170
  1005. package/src/core/profiles/README.md +0 -178
  1006. package/src/core/profiles/claude-code.yaml +0 -111
  1007. package/src/core/profiles/codex.yaml +0 -103
  1008. package/src/core/profiles/cursor.yaml +0 -134
  1009. package/src/core/profiles/examples.js +0 -250
  1010. package/src/core/profiles/loader.js +0 -235
  1011. package/src/core/profiles/windsurf.yaml +0 -159
  1012. package/src/core/skills/_learnings/README.md +0 -91
  1013. package/src/core/skills/_learnings/_template.yaml +0 -106
  1014. package/src/core/skills/_learnings/code-review.yaml +0 -118
  1015. package/src/core/skills/_learnings/commit.yaml +0 -69
  1016. package/src/core/skills/_learnings/story-writer.yaml +0 -71
  1017. package/src/core/teams/backend.json +0 -41
  1018. package/src/core/teams/builder-validator.json +0 -51
  1019. package/src/core/teams/code-review.json +0 -41
  1020. package/src/core/teams/frontend.json +0 -41
  1021. package/src/core/teams/fullstack.json +0 -41
  1022. package/src/core/teams/logic-audit.json +0 -53
  1023. package/src/core/teams/perf-audit.json +0 -71
  1024. package/src/core/teams/qa.json +0 -41
  1025. package/src/core/teams/security-audit.json +0 -71
  1026. package/src/core/teams/solo.json +0 -35
  1027. package/src/core/teams/test-audit.json +0 -71
  1028. package/src/core/templates/CONTEXT.md.example +0 -49
  1029. package/src/core/templates/README-template.md +0 -16
  1030. package/src/core/templates/adr-template.md +0 -28
  1031. package/src/core/templates/agent-coordination-pattern.md +0 -38
  1032. package/src/core/templates/agent-profile-template.md +0 -51
  1033. package/src/core/templates/agileflow-metadata.json +0 -150
  1034. package/src/core/templates/browser-qa-spec.yaml +0 -94
  1035. package/src/core/templates/ci-workflow.yml +0 -74
  1036. package/src/core/templates/claude-settings.advanced.example.json +0 -75
  1037. package/src/core/templates/claude-settings.example.json +0 -26
  1038. package/src/core/templates/command-documentation.md +0 -187
  1039. package/src/core/templates/command-prerequisites.yaml +0 -169
  1040. package/src/core/templates/comms-note-template.md +0 -24
  1041. package/src/core/templates/damage-control-patterns.yaml +0 -243
  1042. package/src/core/templates/environment.json +0 -18
  1043. package/src/core/templates/epic-template.md +0 -27
  1044. package/src/core/templates/plan-template.md +0 -125
  1045. package/src/core/templates/preserve-rules-common.md +0 -107
  1046. package/src/core/templates/preserve-rules.json +0 -42
  1047. package/src/core/templates/proactive-action-spec.md +0 -29
  1048. package/src/core/templates/product-brief.md +0 -136
  1049. package/src/core/templates/quality-gate-priorities.md +0 -34
  1050. package/src/core/templates/research-template.md +0 -44
  1051. package/src/core/templates/session-harness-protocol.md +0 -128
  1052. package/src/core/templates/session-state.json +0 -56
  1053. package/src/core/templates/story-lifecycle.md +0 -213
  1054. package/src/core/templates/story-template.md +0 -92
  1055. package/src/core/templates/tdd-test-template.js +0 -241
  1056. package/src/core/templates/worktrees-guide.md +0 -231
  1057. package/tools/agileflow-npx.js +0 -52
  1058. package/tools/cli/agileflow-cli.js +0 -72
  1059. package/tools/cli/commands/config.js +0 -285
  1060. package/tools/cli/commands/doctor.js +0 -496
  1061. package/tools/cli/commands/list.js +0 -385
  1062. package/tools/cli/commands/session.js +0 -1176
  1063. package/tools/cli/commands/setup.js +0 -255
  1064. package/tools/cli/commands/status.js +0 -101
  1065. package/tools/cli/commands/tui.js +0 -56
  1066. package/tools/cli/commands/uninstall.js +0 -155
  1067. package/tools/cli/commands/update.js +0 -299
  1068. package/tools/cli/installers/core/installer.js +0 -892
  1069. package/tools/cli/installers/ide/_base-ide.js +0 -518
  1070. package/tools/cli/installers/ide/_interface.js +0 -238
  1071. package/tools/cli/installers/ide/claude-code.js +0 -432
  1072. package/tools/cli/installers/ide/codex.js +0 -426
  1073. package/tools/cli/installers/ide/cursor.js +0 -217
  1074. package/tools/cli/installers/ide/manager.js +0 -222
  1075. package/tools/cli/installers/ide/windsurf.js +0 -282
  1076. package/tools/cli/lib/command-context.js +0 -382
  1077. package/tools/cli/lib/config-manager.js +0 -446
  1078. package/tools/cli/lib/content-injector.js +0 -969
  1079. package/tools/cli/lib/content-transformer.js +0 -496
  1080. package/tools/cli/lib/docs-setup.js +0 -464
  1081. package/tools/cli/lib/error-handler.js +0 -165
  1082. package/tools/cli/lib/ide-error-factory.js +0 -421
  1083. package/tools/cli/lib/ide-errors.js +0 -367
  1084. package/tools/cli/lib/ide-generator.js +0 -357
  1085. package/tools/cli/lib/ide-health-monitor.js +0 -364
  1086. package/tools/cli/lib/ide-registry.js +0 -297
  1087. package/tools/cli/lib/npm-utils.js +0 -103
  1088. package/tools/cli/lib/self-update.js +0 -148
  1089. package/tools/cli/lib/ui.js +0 -211
  1090. package/tools/cli/lib/utils.js +0 -87
  1091. package/tools/cli/lib/validation-middleware.js +0 -491
  1092. package/tools/cli/lib/version-checker.js +0 -95
  1093. package/tools/postinstall.js +0 -190
@@ -0,0 +1,328 @@
1
+ # Security Patterns Reference
2
+
3
+ **Load this when:** reviewing code with security implications — auth changes, user input handling, database queries, file operations, cryptography, or external integrations.
4
+
5
+ ---
6
+
7
+ ## OWASP Top 10 (2021) — Review Checklist
8
+
9
+ ### A01: Broken Access Control
10
+
11
+ The #1 most common vulnerability. Users can access resources or perform actions they shouldn't.
12
+
13
+ **Patterns to look for:**
14
+
15
+ ```js
16
+ // BAD — IDOR: user can access any account by changing the ID
17
+ app.get("/api/orders/:orderId", async (req, res) => {
18
+ const order = await Order.findById(req.params.orderId);
19
+ res.json(order); // No check that order belongs to req.user!
20
+ });
21
+
22
+ // GOOD — ownership check before returning data
23
+ app.get("/api/orders/:orderId", requireAuth, async (req, res) => {
24
+ const order = await Order.findById(req.params.orderId);
25
+ if (!order || order.userId !== req.user.id) {
26
+ return res.status(404).json({ error: "Not found" });
27
+ }
28
+ res.json(order);
29
+ });
30
+ ```
31
+
32
+ **What to check:**
33
+
34
+ - Every endpoint that returns or modifies user data checks ownership
35
+ - Admin endpoints have role-based access checks
36
+ - Resource IDs are not predictable/guessable (UUIDs, not auto-increment)
37
+ - Access checks are server-side, not just UI-hidden
38
+
39
+ ---
40
+
41
+ ### A02: Cryptographic Failures
42
+
43
+ Sensitive data exposed due to weak encryption, missing encryption, or improper key management.
44
+
45
+ **Patterns to look for:**
46
+
47
+ ```python
48
+ # BAD — MD5 for password hashing (trivially crackable)
49
+ import hashlib
50
+ password_hash = hashlib.md5(password.encode()).hexdigest()
51
+
52
+ # GOOD — bcrypt with appropriate cost factor
53
+ import bcrypt
54
+ password_hash = bcrypt.hashpw(password.encode(), bcrypt.gensalt(rounds=12))
55
+
56
+ # BAD — SHA256 without salt (rainbow table vulnerable)
57
+ password_hash = hashlib.sha256(password.encode()).hexdigest()
58
+ ```
59
+
60
+ ```js
61
+ // BAD — token generated with Math.random() (predictable)
62
+ const token = Math.random().toString(36).slice(2);
63
+
64
+ // GOOD — cryptographically secure token
65
+ const token = crypto.randomBytes(32).toString("hex");
66
+ ```
67
+
68
+ **What to check:**
69
+
70
+ - Passwords use bcrypt, argon2, or scrypt (never MD5, SHA1, SHA256 alone)
71
+ - Session tokens use `crypto.randomBytes` or equivalent
72
+ - Sensitive data (PII, payment info) encrypted at rest in database
73
+ - TLS enforced — no HTTP fallback for sensitive operations
74
+ - API keys / secrets not hardcoded in source code (use env vars)
75
+ - JWT `alg: none` not accepted
76
+
77
+ ---
78
+
79
+ ### A03: Injection
80
+
81
+ User input flows into interpreters (SQL, shell, HTML, LDAP) without sanitisation.
82
+
83
+ **SQL Injection:**
84
+
85
+ ```js
86
+ // BAD — raw string interpolation
87
+ const user = await db.query(`SELECT * FROM users WHERE email = '${email}'`);
88
+ // Payload: ' OR '1'='1 — dumps all users
89
+
90
+ // GOOD — parameterised query
91
+ const user = await db.query("SELECT * FROM users WHERE email = $1", [email]);
92
+ ```
93
+
94
+ ```python
95
+ # BAD
96
+ cursor.execute(f"SELECT * FROM users WHERE email = '{email}'")
97
+
98
+ # GOOD
99
+ cursor.execute("SELECT * FROM users WHERE email = %s", (email,))
100
+ ```
101
+
102
+ **Command Injection:**
103
+
104
+ ```js
105
+ // BAD — user input in shell command
106
+ const { execSync } = require("child_process");
107
+ execSync(`convert ${req.body.filename} output.jpg`);
108
+ // Payload: "file.jpg && rm -rf /"
109
+
110
+ // GOOD — use a library instead of shell, or validate input strictly
111
+ const sharp = require("sharp");
112
+ await sharp(sanitisedFilePath).toFile("output.jpg");
113
+ ```
114
+
115
+ **Path Traversal:**
116
+
117
+ ```js
118
+ // BAD — allows ../../../etc/passwd
119
+ const filePath = path.join("/uploads", req.params.filename);
120
+
121
+ // GOOD — resolve and check it stays inside the intended directory
122
+ const filePath = path.resolve("/uploads", req.params.filename);
123
+ if (!filePath.startsWith(path.resolve("/uploads"))) {
124
+ return res.status(400).json({ error: "Invalid path" });
125
+ }
126
+ ```
127
+
128
+ ---
129
+
130
+ ### A04: Insecure Design
131
+
132
+ Architectural flaws in security model. These can't be fixed by patching code — they require design changes.
133
+
134
+ **Red flags to raise:**
135
+
136
+ - Passwords or tokens sent as URL query parameters (appear in server logs)
137
+ - Email-based "magic link" login with no expiry
138
+ - Password reset that reveals whether an email is registered (email enumeration)
139
+ - Rate limiting absent on authentication endpoints (brute-force vulnerable)
140
+ - File uploads with no type validation or virus scanning
141
+
142
+ ---
143
+
144
+ ### A05: Security Misconfiguration
145
+
146
+ **Patterns to check:**
147
+
148
+ - `DEBUG=true` or equivalent in production code
149
+ - Error responses include stack traces or internal paths
150
+ - Default credentials in database or admin panel setup
151
+ - CORS configured as `Access-Control-Allow-Origin: *` on authenticated endpoints
152
+ - HTTP security headers missing (CSP, X-Frame-Options, X-Content-Type-Options)
153
+ - Directory listing enabled on static file server
154
+
155
+ ---
156
+
157
+ ### A06: Vulnerable and Outdated Components
158
+
159
+ Not a code review finding, but flag if you see:
160
+
161
+ - `require('crypto-js')` for password hashing (use Node's built-in `crypto` or `bcrypt`)
162
+ - Old `jsonwebtoken` patterns without algorithm validation
163
+ - Direct eval of JSON from external sources
164
+ - Known-vulnerable package versions (check with `npm audit` / `pip-audit`)
165
+
166
+ ---
167
+
168
+ ### A07: Identification and Authentication Failures
169
+
170
+ ```js
171
+ // BAD — brute-force vulnerable login with no rate limiting
172
+ app.post("/login", async (req, res) => {
173
+ const user = await User.findByEmail(req.body.email);
174
+ if (user && user.password === req.body.password) {
175
+ // also: plaintext comparison!
176
+ req.session.userId = user.id;
177
+ res.json({ success: true });
178
+ }
179
+ });
180
+
181
+ // GOOD — rate limited, constant-time comparison, bcrypt
182
+ import rateLimit from "express-rate-limit";
183
+ import bcrypt from "bcrypt";
184
+
185
+ const loginLimiter = rateLimit({ windowMs: 15 * 60 * 1000, max: 10 });
186
+
187
+ app.post("/login", loginLimiter, async (req, res) => {
188
+ const user = await User.findByEmail(req.body.email);
189
+ const match =
190
+ user && (await bcrypt.compare(req.body.password, user.passwordHash));
191
+ if (!match) return res.status(401).json({ error: "Invalid credentials" });
192
+ req.session.userId = user.id;
193
+ res.json({ success: true });
194
+ });
195
+ ```
196
+
197
+ **What to check:**
198
+
199
+ - Rate limiting on login, password reset, and email verification endpoints
200
+ - Account lockout after N failed attempts (or CAPTCHA)
201
+ - Session tokens regenerated after privilege escalation (login, role change)
202
+ - Sessions invalidated on logout (server-side session store, not just clearing the cookie)
203
+ - JWT expiry enforced — `exp` claim checked
204
+
205
+ ---
206
+
207
+ ### A08: Software and Data Integrity Failures
208
+
209
+ - Deserialisation of untrusted data (pickle in Python, Java ObjectInputStream)
210
+ - CI/CD pipelines that pull dependencies without checksum verification
211
+ - Auto-update mechanisms that don't verify signatures
212
+
213
+ ---
214
+
215
+ ### A09: Security Logging and Monitoring Failures
216
+
217
+ **What to check:**
218
+
219
+ - Failed login attempts logged (email, IP, timestamp — NOT the attempted password)
220
+ - Admin actions logged (who did what, when)
221
+ - Logs don't contain sensitive data (passwords, full credit card numbers, session tokens)
222
+ - Errors logged with enough context to investigate (request ID, user ID if available)
223
+
224
+ ---
225
+
226
+ ### A10: Server-Side Request Forgery (SSRF)
227
+
228
+ Relevant when the application fetches URLs provided by the user.
229
+
230
+ ```js
231
+ // BAD — user can point the server to internal services
232
+ app.post("/fetch-preview", async (req, res) => {
233
+ const html = await fetch(req.body.url).then((r) => r.text());
234
+ res.json({ html });
235
+ // Payload: http://169.254.169.254/latest/meta-data/ (AWS metadata endpoint)
236
+ });
237
+
238
+ // GOOD — validate URL is on an allowlist of external domains
239
+ const ALLOWED_HOSTS = ["example.com", "another-trusted.com"];
240
+ const url = new URL(req.body.url);
241
+ if (!ALLOWED_HOSTS.includes(url.hostname)) {
242
+ return res.status(400).json({ error: "URL not allowed" });
243
+ }
244
+ ```
245
+
246
+ ---
247
+
248
+ ## Mass Assignment
249
+
250
+ **Web frameworks that auto-bind request body to model fields:**
251
+
252
+ ```js
253
+ // BAD — user can set any field, including isAdmin
254
+ const user = new User(req.body);
255
+ await user.save();
256
+
257
+ // GOOD — whitelist only the fields you intend to update
258
+ const { name, email } = req.body;
259
+ const user = new User({ name, email });
260
+ await user.save();
261
+ ```
262
+
263
+ ```python
264
+ # BAD — Flask-SQLAlchemy mass assignment
265
+ user = User(**request.json)
266
+
267
+ # GOOD
268
+ user = User(
269
+ name=request.json['name'],
270
+ email=request.json['email'],
271
+ )
272
+ ```
273
+
274
+ ---
275
+
276
+ ## JWT-specific issues
277
+
278
+ ```js
279
+ // BAD — algorithm confusion attack: accept 'none' or HS256 when expecting RS256
280
+ jwt.verify(token, publicKey); // default options accept alg: none
281
+
282
+ // GOOD — explicitly specify allowed algorithms
283
+ jwt.verify(token, publicKey, { algorithms: ["RS256"] });
284
+
285
+ // BAD — not checking expiry
286
+ const decoded = jwt.decode(token); // decode does NOT verify signature or expiry
287
+
288
+ // GOOD — always verify, never just decode in auth paths
289
+ const decoded = jwt.verify(token, secret);
290
+ ```
291
+
292
+ ---
293
+
294
+ ## File upload security
295
+
296
+ ```js
297
+ // BAD — no type checking, stores user filename directly
298
+ app.post("/upload", upload.single("file"), (req, res) => {
299
+ fs.renameSync(req.file.path, `/uploads/${req.file.originalname}`);
300
+ });
301
+
302
+ // GOOD — validate MIME type, generate safe filename
303
+ const ALLOWED_TYPES = ["image/jpeg", "image/png", "image/webp"];
304
+ if (!ALLOWED_TYPES.includes(req.file.mimetype)) {
305
+ return res.status(400).json({ error: "File type not allowed" });
306
+ }
307
+ const safeFilename = `${crypto.randomUUID()}${path.extname(req.file.originalname)}`;
308
+ fs.renameSync(req.file.path, `/uploads/${safeFilename}`);
309
+ ```
310
+
311
+ ---
312
+
313
+ ## Severity mapping for review findings
314
+
315
+ | Finding | OWASP category | Severity |
316
+ | ------------------------------ | -------------- | -------------------------- |
317
+ | SQL injection | A03 | P0 — block merge |
318
+ | Auth bypass | A07 | P0 — block merge |
319
+ | IDOR (missing ownership check) | A01 | P0 — block merge |
320
+ | Hardcoded secret | A02 | P0 — block merge |
321
+ | Plaintext password storage | A02 | P0 — block merge |
322
+ | Missing rate limiting on login | A07 | P1 |
323
+ | XSS (unescaped output) | A03 | P0–P1 depending on context |
324
+ | Missing CSRF | A01 | P1 |
325
+ | Sensitive data in logs | A09 | P1 |
326
+ | No JWT algorithm restriction | A02 | P1 |
327
+ | Missing security headers | A05 | P2 |
328
+ | Mass assignment | A08 | P0–P1 depending on fields |
@@ -0,0 +1,153 @@
1
+ # Workflow: Review PR
2
+
3
+ **Triggers:** "review this PR", "review my changes", "check my code", user shares a diff or file changes
4
+
5
+ **Goal:** Produce a structured, prioritised review with findings across all dimensions and a clear merge recommendation.
6
+
7
+ ---
8
+
9
+ ## Inputs needed
10
+
11
+ | Input | Required | How to get it |
12
+ | ------------------------- | --------- | ----------------------------------------------------- |
13
+ | The diff or changed files | Yes | Paste, file paths, or `git diff` output |
14
+ | PR description / context | Preferred | Paste; or ask "What does this change do?" |
15
+ | Target branch | No | Usually `main` — ask if branching strategy is unusual |
16
+ | Change type | Preferred | Feature, bugfix, refactor, chore |
17
+
18
+ ---
19
+
20
+ ## Steps
21
+
22
+ ### Step 1: Read the change
23
+
24
+ Read every changed file fully. Don't skim. Build a complete picture of:
25
+
26
+ - What the change is doing
27
+ - What it's removing
28
+ - What assumptions the author is making
29
+
30
+ ### Step 2: Read the surrounding context
31
+
32
+ For each changed file:
33
+
34
+ - Read 20–30 lines above and below each change for context
35
+ - Check if there is an existing test file for this module
36
+ - Check if there are related files that should also have changed but didn't
37
+
38
+ ### Step 3: Check the PR description
39
+
40
+ If no PR description was provided, ask:
41
+
42
+ - "What does this change do and why?"
43
+ - "Is there a ticket or issue this corresponds to?"
44
+
45
+ A PR without a description is harder to review — flag this as a P3 finding.
46
+
47
+ ### Step 4: Run dimension checks
48
+
49
+ Work through each dimension from `references/review-checklist.md` that applies to this change:
50
+
51
+ | Change type | Dimensions to run |
52
+ | -------------------------- | ------------------------------------ |
53
+ | New feature with endpoints | Security, Logic, Tests, API Contract |
54
+ | Bug fix | Logic, Tests |
55
+ | Refactor | Logic, Tests, Breaking Changes |
56
+ | Auth-related change | Security (full), Logic, Tests |
57
+ | Database migration | API Contract, Breaking Changes |
58
+ | Dependency update | Security (A06), Tests |
59
+ | UI / frontend only | Logic, Tests, style |
60
+
61
+ ### Step 5: Collect all findings
62
+
63
+ List every finding as you go. Don't filter yet — capture everything.
64
+
65
+ ### Step 6: Assign severities
66
+
67
+ Review the collected findings and assign P0–P3 using the severity table in the SKILL.md.
68
+
69
+ When in doubt between severities:
70
+
71
+ - If it can cause data loss, a security breach, or a crash in production → P0
72
+ - If it will cause incorrect behaviour → P1
73
+ - If it should be tested but isn't → P2
74
+ - If it's a style or readability concern → P3
75
+
76
+ ### Step 7: Sort and present findings
77
+
78
+ Present findings in P0 → P3 order. For each:
79
+
80
+ ```
81
+ [P{level}] {DIMENSION} — {One-line summary}
82
+ File: {filename}, line {N}
83
+ Issue: {What is wrong and why it matters}
84
+ Fix: {Concrete suggestion}
85
+ ```
86
+
87
+ ### Step 8: Write the summary block
88
+
89
+ Always end with a structured summary:
90
+
91
+ ```
92
+ ─────────────────────────────────────
93
+ REVIEW SUMMARY
94
+ ─────────────────────────────────────
95
+ Files reviewed: {N}
96
+ Lines changed: +{added} / -{removed}
97
+ Findings: {P0 count} P0, {P1 count} P1, {P2 count} P2, {P3 count} P3
98
+
99
+ VERDICT: {APPROVE | REQUEST CHANGES | NEEDS DISCUSSION}
100
+
101
+ {If REQUEST CHANGES: list the must-fix items}
102
+ {If APPROVE: one sentence on what looks good}
103
+ {If NEEDS DISCUSSION: what the design question is}
104
+ ─────────────────────────────────────
105
+ ```
106
+
107
+ ### Step 9: Offer next step
108
+
109
+ ```xml
110
+ <invoke name="AskUserQuestion">
111
+ <parameter name="questions">[{
112
+ "question": "Review complete — {verdict}. {N} findings.",
113
+ "header": "What next",
114
+ "multiSelect": false,
115
+ "options": [
116
+ {"label": "Fix the P0 and P1 issues now (Recommended)", "description": "I'll work through each finding and write the corrected code"},
117
+ {"label": "Explain a specific finding in more detail", "description": "Tell me which finding number you want me to expand on"},
118
+ {"label": "Write the missing tests", "description": "I'll add tests for the uncovered paths flagged in P2 findings"},
119
+ {"label": "Re-review after fixes", "description": "Once you've addressed the findings, share the updated diff for a re-review"}
120
+ ]
121
+ }]</parameter>
122
+ </invoke>
123
+ ```
124
+
125
+ ---
126
+
127
+ ## Special handling for large PRs (> 400 LOC)
128
+
129
+ If the diff is very large:
130
+
131
+ 1. Flag this as a P3 finding: "PRs over ~400 LOC are harder to review thoroughly and increase merge risk — consider splitting."
132
+ 2. Ask if there are sections to prioritise: "This is a large change. Shall I focus on the security-sensitive parts first?"
133
+ 3. Review in passes: security first, then logic, then tests, then style
134
+
135
+ ---
136
+
137
+ ## Fallbacks
138
+
139
+ **If AskUserQuestion is unavailable:**
140
+
141
+ Present the next step as a numbered list:
142
+
143
+ ```
144
+ Review complete — REQUEST CHANGES. 3 findings.
145
+
146
+ To continue:
147
+ 1. Fix the 3 findings now — I'll write the corrected code for each
148
+ 2. Explain finding #1 (SQL injection) in more detail
149
+ 3. Write the missing tests flagged in finding #3
150
+ 4. Mark as done and re-review the updated diff
151
+
152
+ Reply with a number or describe what you want to do next.
153
+ ```
@@ -0,0 +1,177 @@
1
+ # Workflow: Security Review
2
+
3
+ **Triggers:** user asks for a security review, change touches auth/login/permissions/file-upload/payments/database queries, or a P0 security finding was flagged in a standard review
4
+
5
+ **Goal:** Systematic, OWASP-anchored security review of the changed code, producing a prioritised list of vulnerabilities with concrete fixes.
6
+
7
+ ---
8
+
9
+ ## When to run a full security review
10
+
11
+ Run this workflow (instead of the standard review) when:
12
+
13
+ - Change touches authentication or session management
14
+ - Change adds or modifies API endpoints that handle user data
15
+ - Change adds file upload, import, or download functionality
16
+ - Change modifies database queries or ORM calls
17
+ - Change handles payments, billing, or financial data
18
+ - Change adds cryptographic operations (hashing, signing, encryption)
19
+ - Change modifies CORS, security headers, or cookie settings
20
+ - Change introduces a third-party integration with data exchange
21
+
22
+ ---
23
+
24
+ ## Inputs needed
25
+
26
+ | Input | Required | How to get it |
27
+ | --------------------- | --------- | ----------------------------------------------------------- |
28
+ | Changed files | Yes | Paste or file paths |
29
+ | What the change does | Yes | PR description or ask |
30
+ | Framework / language | Yes | Detect from code |
31
+ | Auth mechanism in use | Preferred | Ask: "How does this app handle auth? JWT, sessions, OAuth?" |
32
+
33
+ ---
34
+
35
+ ## Steps
36
+
37
+ ### Step 1: Identify the attack surface
38
+
39
+ Map what user-controlled input enters the system in this change:
40
+
41
+ - HTTP request body, query params, headers
42
+ - File uploads
43
+ - URLs fetched by the server
44
+ - Database record fields updated by the user
45
+ - External webhook payloads
46
+
47
+ For each input, trace where it goes:
48
+
49
+ - Into a SQL query?
50
+ - Into a shell command?
51
+ - Into an HTML response?
52
+ - Into a file path?
53
+ - Into a redirect URL?
54
+
55
+ ### Step 2: Run the OWASP Top 10 checklist
56
+
57
+ Work through each category from `references/security-patterns.md` that is relevant to this change:
58
+
59
+ | Category | Check if change touches... |
60
+ | ----------------------------- | ---------------------------------------------------------- |
61
+ | A01 Broken Access Control | Endpoints returning or modifying user-specific resources |
62
+ | A02 Cryptographic Failures | Password storage, tokens, encryption |
63
+ | A03 Injection | Database queries, shell commands, HTML output, URL parsing |
64
+ | A04 Insecure Design | Auth flows, rate limiting, account recovery |
65
+ | A05 Security Misconfiguration | CORS, headers, debug settings |
66
+ | A07 Auth Failures | Login, logout, session management, JWTs |
67
+ | A08 Integrity Failures | Deserialisation, file processing |
68
+ | A09 Logging Failures | What gets logged — is sensitive data included? |
69
+ | A10 SSRF | Server fetching user-provided URLs |
70
+
71
+ ### Step 3: Check for mass assignment
72
+
73
+ For any endpoint that takes a request body and uses it to create or update a database record:
74
+
75
+ 1. What fields does the model have?
76
+ 2. What fields are in the request body?
77
+ 3. Are there fields in the model that should NEVER be user-settable (isAdmin, role, balance, ownerId)?
78
+ 4. Is the code whitelisting only the intended fields?
79
+
80
+ ### Step 4: Check for information disclosure
81
+
82
+ - Do error messages reveal internal paths, table names, or stack traces?
83
+ - Do 404 and 401 responses behave identically for "not found" vs "not authorised" (to prevent enumeration)?
84
+ - Is debug mode or verbose error mode enabled in any code path?
85
+
86
+ ### Step 5: Verify dependency security
87
+
88
+ If the change adds or updates packages:
89
+
90
+ - Note the packages added
91
+ - Flag any known-vulnerable packages (CVE lookup if possible)
92
+ - Check that crypto-related packages are well-maintained
93
+
94
+ ### Step 6: Check the test coverage for security paths
95
+
96
+ Security paths that MUST have explicit tests:
97
+
98
+ - Authenticated endpoint with no token → 401
99
+ - Authenticated endpoint with another user's resource ID → 403 or 404
100
+ - Input with SQL injection payload → not executed as SQL
101
+ - File upload with wrong MIME type → rejected
102
+
103
+ If any of these are missing, add them as P2 findings.
104
+
105
+ ### Step 7: Produce findings
106
+
107
+ Use the same format as the standard review, but add the OWASP category reference:
108
+
109
+ ```
110
+ [P0] SECURITY (A03 - Injection) — SQL Injection in user search endpoint
111
+ File: src/api/users.js, line 34
112
+ Issue: User-provided 'search' query param concatenated into SQL:
113
+ `SELECT * FROM users WHERE name LIKE '%${search}%'`
114
+ An attacker can inject: "'; DROP TABLE users; --"
115
+ Fix: Use parameterised query: db.query("SELECT * FROM users WHERE name LIKE $1", [`%${search}%`])
116
+ Test: Add test: POST /api/users/search with payload "'; SELECT 1 --" should return 400 or safe empty result
117
+
118
+ [P0] SECURITY (A01 - Broken Access Control) — Missing ownership check on GET /api/documents/:id
119
+ File: src/api/documents.js, line 18
120
+ Issue: Any authenticated user can fetch any document by guessing its ID
121
+ Fix: Add check: if (doc.ownerId !== req.user.id) return res.status(403).json({ error: 'Forbidden' })
122
+ Test: Add test: authenticated request for another user's document should return 403
123
+ ```
124
+
125
+ ### Step 8: Summary and recommendation
126
+
127
+ ```
128
+ ─────────────────────────────────────
129
+ SECURITY REVIEW SUMMARY
130
+ ─────────────────────────────────────
131
+ Attack surface reviewed:
132
+ - {N} API endpoints
133
+ - {M} database operations
134
+ - {K} user-input paths
135
+
136
+ OWASP categories checked: A01, A02, A03, A07 (others N/A for this change)
137
+
138
+ Vulnerabilities found:
139
+ P0: {N} — must fix before merge
140
+ P1: {N} — strong recommendation to fix
141
+ P2: {N} — missing security tests
142
+
143
+ VERDICT: {APPROVE | REQUEST CHANGES}
144
+ ─────────────────────────────────────
145
+ ```
146
+
147
+ ---
148
+
149
+ ## Threat modelling quick questions
150
+
151
+ If the security review is for a new feature (not a bugfix), run through these:
152
+
153
+ 1. **Who is the adversary?** Unauthenticated users? Authenticated users acting maliciously? Internal bad actors?
154
+ 2. **What is the most valuable asset?** User PII? Financial data? Admin capabilities?
155
+ 3. **What is the worst-case scenario if this code has a vulnerability?**
156
+ 4. **What would a malicious user try first?**
157
+
158
+ Use these to prioritise which attack vectors to investigate most thoroughly.
159
+
160
+ ---
161
+
162
+ ## Fallbacks
163
+
164
+ **If AskUserQuestion is unavailable:**
165
+
166
+ Present findings as a numbered list and ask:
167
+
168
+ ```
169
+ Security review complete. {N} findings.
170
+
171
+ 1. Fix all P0 vulnerabilities now — I'll write the corrected code
172
+ 2. Explain how to exploit finding #1 (for understanding, not exploitation)
173
+ 3. Write the missing security tests
174
+ 4. Proceed to standard review after security fixes
175
+
176
+ Reply with a number.
177
+ ```