autoworkflow 3.1.0 → 3.1.2

package/.claude/commands/audit.md

@@ -1,10 +1,11 @@
 # /audit - Audit Command
 
-Run UI enforcement and circular dependency checks.
+Run code quality, security, and architecture audits.
 
 ## Trigger
 - User invokes `/audit`
 - User invokes `/audit project` (full project scan)
+- User invokes `/audit [feature]` (audit specific feature)
 - **AUTOMATIC:** When BLUEPRINT.md is missing at session start
 - Or: Automatically after VERIFY phase (for features)
 - Or: Part of audit_loop
@@ -16,12 +17,95 @@ Per `system/router.md`, audit is required for:
 - `perf` - Performance changes
 
 ## Arguments
-- `/audit` - Run standard UI + cycle checks
-- `/audit project` - Full project scan (generates/updates BLUEPRINT.md)
+- `/audit` - Run standard checks (UI + cycles)
+- `/audit project` - Full project scan (generates BLUEPRINT.md)
+- `/audit [feature name]` - Deep audit of specific feature
 
 ---
 
-## Mode 1: Project Audit (Full Scan)
+## Audit Types
+
+### Type 1: Feature Audit (`/audit [feature]`)
+
+Deep code review of a specific feature. Check for:
+
+**Security:**
+- [ ] Authentication/authorization on all endpoints
+- [ ] CSRF protection on POST/PUT/DELETE
+- [ ] Input validation (length, type, format)
+- [ ] SQL injection prevention (parameterized queries)
+- [ ] XSS prevention (output encoding)
+- [ ] Sensitive data exposure
+
+**Code Quality:**
+- [ ] Error handling and logging
+- [ ] Consistent response formats
+- [ ] No hardcoded values (use constants/config)
+- [ ] No TODO/FIXME comments
+- [ ] No console.log/debug statements
+
+**Architecture:**
+- [ ] Follows existing patterns
+- [ ] No circular dependencies
+- [ ] Proper separation of concerns
+
+### Output Format (Feature Audit):
+```
+## Audit Report: [Feature Name]
+
+### Files Reviewed
+| File | Lines | Purpose |
+|------|-------|---------|
+| [file] | [count] | [purpose] |
+
+### Status: [PASS/PASS with recommendations/FAIL]
+
+### Strengths
+| Item | Location | Status |
+|------|----------|--------|
+| [good thing] | [where] | ✅ |
+
+### Issues Found
+| Severity | Issue | Location | Recommendation |
+|----------|-------|----------|----------------|
+| 🔴 High | [issue] | [where] | [fix] |
+| 🟡 Medium | [issue] | [where] | [fix] |
+| 🟢 Low | [issue] | [where] | [fix] |
+| ℹ️ Info | [issue] | [where] | [fix] |
+
+---
+
+## 🔧 Suggested Fixes
+
+Based on the issues found, I recommend:
+
+1. **[Issue 1]** - [Detailed fix description]
+   - File: [path]
+   - Change: [what to change]
+
+2. **[Issue 2]** - [Detailed fix description]
+   - File: [path]
+   - Change: [what to change]
+
+---
+
+**Should I implement these fixes?**
+- `yes` - Fix all issues
+- `high only` - Fix only high/medium severity
+- `1, 2, 4` - Fix specific issues by number
+- `no` - Skip fixes, proceed to next audit
+```
+
+**IMPORTANT:** When issues are found:
+1. ALWAYS offer to fix them
+2. WAIT for user approval
+3. Implement approved fixes
+4. Re-run audit to verify
+5. ONLY THEN ask about next feature
+
+---
+
+### Type 2: Project Audit (`/audit project`)
 
 When `/audit project` is invoked OR when BLUEPRINT.md is missing:
 
@@ -31,7 +115,7 @@ When `/audit project` is invoked OR when BLUEPRINT.md is missing:
 - Just notify and run immediately
 - Only ask permission when presenting results to SAVE
 
-### Step 1: Scan Codebase (Single Pass)
+#### Step 1: Scan Codebase (Single Pass)
 ```bash
 # All discovery commands run ONCE
 cat package.json | grep -A 30 "dependencies"
@@ -46,7 +130,7 @@ ls -la src/
 grep -r "/api/" src/ | head -30
 ```
 
-### Step 2: Present Dual Updates
+#### Step 2: Present Dual Updates
 ```
 ## 🔍 Project Audit Complete
 
@@ -81,16 +165,16 @@ src/
 - BLUEPRINT.md → Create/update with discoveries
 ```
 
-### Step 3: Save After Approval
+#### Step 3: Save After Approval
 Update both files with discovered information.
 
 ---
 
-## Mode 2: Standard Audit (Default)
+### Type 3: Standard Audit (`/audit`)
 
-## Workflow
+Quick check for UI enforcement and circular dependencies.
 
-### Step 1: Run UI Enforcement
+#### Step 1: Run UI Enforcement
 ```bash
 npm run audit:ui
 ```
@@ -101,7 +185,7 @@ Check for orphan features:
 - Utilities not imported anywhere
 - Routes without page components
 
-### Step 2: Run Circular Dependency Check
+#### Step 2: Run Circular Dependency Check
 ```bash
 npm run audit:cycles
 ```
@@ -111,7 +195,7 @@ Check for import cycles:
 - A → B → C → A
 - Longer chains
 
-### Step 3: Report Results
+#### Step 3: Report Results
 
 **On Success:**
 ```
@@ -129,86 +213,49 @@ Check for import cycles:
 Ready to proceed to COMMIT.
 ```
 
-**On UI Failure:**
+**On Failure:**
 ```
 ## Audit
 
 | Check | Status | Details |
 |-------|--------|---------|
 | UI Enforcement | ⛔ | Orphan features found |
-| Circular Deps | ✅ | No cycles |
-
-### Orphan Features Detected
-
-**API without UI:**
-- `/api/users` - No component calls this endpoint
-
-**Unused Hooks:**
-- `useAuth` - Not used by any component
+| Circular Deps | ⛔ | Cycles detected |
 
-**Unreachable Routes:**
-- `/settings` - No navigation leads here
+### Issues Found
 
-**Gate Status:** `audit_gate` ⛔ BLOCKED
+[List all issues with locations]
 
 ---
 
-⛔ **BLOCKED: Cannot commit orphan features**
-
-Must add UI for each backend feature.
+## 🔧 Suggested Fixes
 
-### Required Actions
-1. Create `UserList.tsx` component for `/api/users`
-2. Use `useAuth` hook in `AuthProvider.tsx`
-3. Add navigation link to `/settings`
+1. **[Issue 1]** - [Fix description]
+2. **[Issue 2]** - [Fix description]
 
-Building missing UI components...
+**Should I implement these fixes?**
 ```
 
-**On Cycle Failure:**
-```
-## Audit
-
-| Check | Status | Details |
-|-------|--------|---------|
-| UI Enforcement | ✅ | No orphans |
-| Circular Deps | ⛔ | Cycles detected |
+---
 
-### Circular Dependencies Found
+## Critical Rule: Always Offer to Fix
 
-**Cycle 1:**
-```
-src/hooks/useAuth.ts
-    → src/api/auth.ts
-    → src/hooks/useAuth.ts (CYCLE)
-```
+**NEVER** just report issues and move on. The workflow is:
 
-**Cycle 2:**
 ```
-src/components/Button.tsx
-    → src/utils/helpers.ts
-    → src/components/Icon.tsx
-    → src/components/Button.tsx (CYCLE)
+1. AUDIT → Find issues
+2. REPORT → Show issues with severity
+3. SUGGEST → Offer specific fixes
+4. WAIT → Get user approval
+5. FIX → Implement approved fixes
+6. RE-AUDIT → Verify fixes worked
+7. THEN → Proceed to next item
 ```
 
-**Gate Status:** `audit_gate` ⛔ BLOCKED
+If user says "no" to fixes, log it and proceed. But ALWAYS offer.
 
 ---
 
-⛔ **BLOCKED: Cannot commit with circular dependencies**
-
-### Required Actions
-1. Extract shared code from `useAuth` and `auth.ts`
-2. Break Button → Icon dependency
-
-Resolving cycles...
-```
-
-### Step 4: Fix Loop (if issues)
-Per `system/loops.md`:
-- `ui_fix_loop` - Build missing UI
-- `cycle_fix_loop` - Resolve import cycles
-
 ## Gate
 `audit_gate` - Must pass before COMMIT for features.
 
@@ -223,5 +270,7 @@ npm run audit:all     # Run all audits
 See `system/loops.md#audit_loop` for loop definition.
 
 ## Examples
-- `/audit` - Run all audit checks
-- Automatic after verify passes (for features)
+- `/audit` - Quick UI + cycles check
+- `/audit project` - Full project scan
+- `/audit authentication` - Deep audit of auth feature
+- `/audit EntityController` - Audit specific file/class

package/.claude/settings.local.json

@@ -10,7 +10,8 @@
       "Bash(chmod:*)",
       "Bash(npm run typecheck:*)",
       "Bash(git add:*)",
-      "Bash(git commit -m \"$\\(cat <<''EOF''\nfeat\\(hooks\\): implement full auto-trigger system with blocking gates\n\n- Add 7 new hook scripts for workflow automation:\n  - session-check.sh: Init, blueprint check, task classification\n  - post-edit.sh: Auto-verify with loop tracking \\(max 10 iterations\\)\n  - pre-tool-router.sh: Route Bash commands to appropriate checks\n  - pre-commit-check.sh: All 7 gate checks with blocking \\(exit 1\\)\n  - phase-transition.sh: State management and gate enforcement\n  - audit-runner.sh: UI enforcement + circular dependency checks\n  - blueprint-generator.sh: Auto-scan project structure\n\n- Pre-commit gate now checks:\n  - TypeScript errors\n  - ESLint warnings\n  - TODO/FIXME comments\n  - console.log statements\n  - Orphan features \\(UI enforcement\\)\n  - Circular dependencies\n  - Conventional commit format\n\n- State tracking in .claude/.autoworkflow/:\n  - phase, task-type, verify-iteration, audit-iteration\n  - verify-status, audit-status, plan-approved\n\n- Updated CLAUDE.md files with:\n  - Slash commands table\n  - Hook files reference\n  - Hook integration section\n\nCo-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>\nEOF\n\\)\")"
+      "Bash(git commit -m \"$\\(cat <<''EOF''\nfeat\\(hooks\\): implement full auto-trigger system with blocking gates\n\n- Add 7 new hook scripts for workflow automation:\n  - session-check.sh: Init, blueprint check, task classification\n  - post-edit.sh: Auto-verify with loop tracking \\(max 10 iterations\\)\n  - pre-tool-router.sh: Route Bash commands to appropriate checks\n  - pre-commit-check.sh: All 7 gate checks with blocking \\(exit 1\\)\n  - phase-transition.sh: State management and gate enforcement\n  - audit-runner.sh: UI enforcement + circular dependency checks\n  - blueprint-generator.sh: Auto-scan project structure\n\n- Pre-commit gate now checks:\n  - TypeScript errors\n  - ESLint warnings\n  - TODO/FIXME comments\n  - console.log statements\n  - Orphan features \\(UI enforcement\\)\n  - Circular dependencies\n  - Conventional commit format\n\n- State tracking in .claude/.autoworkflow/:\n  - phase, task-type, verify-iteration, audit-iteration\n  - verify-status, audit-status, plan-approved\n\n- Updated CLAUDE.md files with:\n  - Slash commands table\n  - Hook files reference\n  - Hook integration section\n\nCo-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>\nEOF\n\\)\")",
+      "Bash(git commit:*)"
     ]
   }
 }

package/bin/cli.js

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 
-import { existsSync, cpSync, mkdirSync, chmodSync, renameSync } from 'fs';
+import { existsSync, cpSync, mkdirSync, chmodSync, renameSync, unlinkSync } from 'fs';
 import { dirname, join } from 'path';
 import { fileURLToPath } from 'url';
 
@@ -101,9 +101,21 @@ function init(options = {}) {
   // Required files
   console.log(colors.bold('Required files:'));
   copyFile(join(packageRoot, 'CLAUDE.md'), join(cwd, 'CLAUDE.md'), 'CLAUDE.md');
-  copyFile(join(packageRoot, 'instructions'), join(cwd, 'instructions'), 'instructions/');
+  copyFile(join(packageRoot, 'system'), join(cwd, 'system'), 'system/');
   copyFile(join(packageRoot, '.claude'), join(cwd, '.claude'), '.claude/');
 
+  // Copy instructions folder but remove BLUEPRINT.md (hook will auto-generate it)
+  copyFile(join(packageRoot, 'instructions'), join(cwd, 'instructions'), 'instructions/');
+  const blueprintPath = join(cwd, 'instructions', 'BLUEPRINT.md');
+  if (existsSync(blueprintPath)) {
+    try {
+      unlinkSync(blueprintPath);
+      console.log(`  ${colors.cyan('ℹ')} BLUEPRINT.md removed (will be auto-generated on first run)`);
+    } catch (e) {
+      // Ignore
+    }
+  }
+
   // Make Claude hooks executable
   if (process.platform !== 'win32' && existsSync(join(cwd, '.claude', 'hooks'))) {
     try {
@@ -173,11 +185,12 @@ function init(options = {}) {
   console.log(`\n${colors.green('✓')} ${colors.bold('AutoWorkflow initialized!')}\n`);
 
   console.log(`${colors.bold('Next steps:')}`);
-  console.log(`  1. Edit ${colors.cyan('instructions/AI_RULES.md')} with your coding standards`);
-  console.log(`  2. Open VS Code with Claude Code extension`);
-  console.log(`  3. Claude will auto-generate ${colors.cyan('BLUEPRINT.md')} on first task\n`);
+  console.log(`  1. Open VS Code with Claude Code extension`);
+  console.log(`  2. Send any message - Claude will ${colors.cyan('auto-scan')} your project`);
+  console.log(`  3. Claude generates ${colors.cyan('BLUEPRINT.md')} with your features/routes/APIs`);
+  console.log(`  4. Review and approve the generated blueprint\n`);
 
-  console.log(`Or run ${colors.cyan('/audit project')} in Claude Code to scan your codebase now.\n`);
+  console.log(`${colors.dim('Optional: Edit instructions/AI_RULES.md to customize coding standards')}\n`);
 }
 
 // Main

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "autoworkflow",
-  "version": "3.1.0",
+  "version": "3.1.2",
   "description": "Automated workflow enforcement for Claude Code via hooks and system prompts",
   "type": "module",
   "bin": {