baldart 3.41.0 → 4.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +34 -0
- package/VERSION +1 -1
- package/framework/.claude/agents/REGISTRY.md +72 -24
- package/framework/.claude/agents/api-perf-cost-auditor.md +12 -5
- package/framework/.claude/agents/code-reviewer.md +30 -23
- package/framework/.claude/agents/codebase-architect.md +47 -43
- package/framework/.claude/agents/coder.md +29 -18
- package/framework/.claude/agents/doc-reviewer.md +55 -28
- package/framework/.claude/agents/plan-auditor.md +77 -12
- package/framework/.claude/agents/prd-card-writer.md +43 -13
- package/framework/.claude/agents/prd.md +22 -3
- package/framework/.claude/agents/qa-sentinel.md +33 -15
- package/framework/.claude/agents/security-reviewer.md +65 -10
- package/framework/.claude/agents/senior-researcher.md +8 -1
- package/framework/.claude/agents/ui-expert.md +22 -7
- package/framework/.claude/commands/check.md +31 -11
- package/framework/.claude/commands/codexreview.md +48 -29
- package/framework/.claude/commands/new.md +29 -330
- package/framework/.claude/commands/qa.md +57 -37
- package/framework/.claude/skills/context-primer/SKILL.md +29 -8
- package/framework/.claude/skills/doc-writing-for-rag/SKILL.md +36 -36
- package/framework/.claude/skills/frontend-design/SKILL.md +10 -8
- package/framework/.claude/skills/new/SKILL.md +409 -302
- package/framework/.claude/skills/prd/SKILL.md +67 -38
- package/framework/.claude/skills/prd/assets/card-template.yml +22 -26
- package/framework/.claude/skills/prd/assets/epic-template.yml +5 -5
- package/framework/.claude/skills/prd/assets/state-template.md +25 -3
- package/framework/.claude/skills/prd/references/api-perf-gate.md +143 -33
- package/framework/.claude/skills/prd/references/audit-phase.md +48 -34
- package/framework/.claude/skills/prd/references/backlog-phase.md +38 -11
- package/framework/.claude/skills/prd/references/discovery-phase.md +121 -44
- package/framework/.claude/skills/prd/references/impact-analysis.md +127 -23
- package/framework/.claude/skills/prd/references/prd-add-phase.md +18 -214
- package/framework/.claude/skills/prd/references/prd-writing-phase.md +52 -42
- package/framework/.claude/skills/prd/references/research-phase.md +105 -19
- package/framework/.claude/skills/prd/references/ui-design-phase.md +20 -8
- package/framework/.claude/skills/prd/references/validation-phase.md +97 -72
- package/framework/.claude/skills/prd-add/SKILL.md +70 -20
- package/framework/.claude/skills/simplify/SKILL.md +22 -12
- package/framework/.claude/skills/ui-design/SKILL.md +26 -7
- package/framework/.claude/skills/webapp-testing/SKILL.md +6 -4
- package/framework/.claude/skills/worktree-manager/SKILL.md +206 -143
- package/framework/agents/coding-standards.md +85 -0
- package/framework/agents/skills-mapping.md +85 -82
- package/framework/agents/testing.md +6 -4
- package/framework/templates/baldart.config.template.yml +29 -7
- package/package.json +1 -1
- package/src/commands/configure.js +43 -9
- package/framework/.claude/skills/prd-add/references/impact-analysis.md +0 -233
|
@@ -91,6 +91,7 @@ You produce:
|
|
|
91
91
|
3. **Read the card template** — `.claude/skills/prd/assets/card-template.yml`.
|
|
92
92
|
4. **Scan existing backlog** — `backlog/*.yml` to find the highest `FEAT-XXXX` number. Use Glob to list files, then Grep for `^id:` lines to extract IDs.
|
|
93
93
|
5. **Read existing card conventions** — sample 2-3 recent cards from `backlog/` to match style.
|
|
94
|
+
6. **Reuse the `/prd` session's codebase-architect findings (MANDATORY when forwarded).** Per AGENTS.md, codebase understanding flows through `codebase-architect`. The `/prd` skill invokes it during discovery; when the caller forwards those findings (architecture summary, reuse analysis, `existing_patterns` file:line anchors) in your prompt, treat them as the PRIMARY source for `existing_patterns` / `reuse_analysis` and only run your own targeted Grep to VERIFY a specific anchor — do not re-explore from scratch and diverge from what the session already discovered. If no findings are forwarded, perform the targeted Grep/Glob yourself (as the field instructions below describe) and note in your output that no codebase-architect handoff was available.
|
|
94
95
|
|
|
95
96
|
## Agent Specialization Rules (HARD RULE — zero tolerance)
|
|
96
97
|
|
|
@@ -100,7 +101,11 @@ dispatcher — getting them wrong silently routes work to the wrong agent.
|
|
|
100
101
|
|
|
101
102
|
### Rule A — Set `owner_agent` on every child card (enum, no default)
|
|
102
103
|
|
|
103
|
-
Every child card you produce MUST set `owner_agent` to exactly one of
|
|
104
|
+
Every child card you produce MUST set `owner_agent` to exactly one of the
|
|
105
|
+
implementation-capable agents in the canonical enum. The **SSOT for the
|
|
106
|
+
`owner_agent` enum is the `owner_agent enum:` list in
|
|
107
|
+
`framework/.claude/agents/REGISTRY.md`** — do not treat the YAML comment in
|
|
108
|
+
any card-template or `prd.md` example as authoritative. The current enum is:
|
|
104
109
|
|
|
105
110
|
```
|
|
106
111
|
coder | ui-expert | plan | visual-designer | motion-expert
|
|
@@ -108,7 +113,8 @@ coder | ui-expert | plan | visual-designer | motion-expert
|
|
|
108
113
|
|
|
109
114
|
`claude` is NOT a valid value (it is a legacy placeholder kept only for
|
|
110
115
|
backward compatibility in the dispatcher's fallback). Missing, empty, or
|
|
111
|
-
out-of-enum values fail validation.
|
|
116
|
+
out-of-enum values fail validation. If REGISTRY adds/removes a routable agent,
|
|
117
|
+
that list — not this one — is the source of truth.
|
|
112
118
|
|
|
113
119
|
**How to choose:**
|
|
114
120
|
|
|
@@ -167,15 +173,20 @@ This field materializes the per-card review DEPTH **at authoring time**, so the
|
|
|
167
173
|
`/new` orchestrator READS it instead of re-deriving it heuristically at runtime.
|
|
168
174
|
The single field drives BOTH the QA depth (`/new` Phase 3.5) and the Codex review
|
|
169
175
|
profile (`/new` Phase 3.7 — `skip`/`light` → Codex `light`, `balanced`/`deep` →
|
|
170
|
-
Codex `full`). **This table is the Single Source of Truth
|
|
171
|
-
|
|
172
|
-
|
|
176
|
+
Codex `full`). **This table is the Single Source of Truth for the decision
|
|
177
|
+
criteria** — how skip/light/balanced/deep is chosen lives ONLY here (Rule C).
|
|
178
|
+
`/new` does NOT re-derive the profile from a duplicate criteria table: it READS
|
|
179
|
+
the card's `review_profile` value and runs an **escalation-only** detector (it may
|
|
180
|
+
upgrade a card's depth when it observes new evidence, never recompute from
|
|
181
|
+
scratch). The minimal fallback table in `framework/.claude/skills/new/SKILL.md`
|
|
182
|
+
applies ONLY to legacy cards that predate this field; it MUST point back to this
|
|
183
|
+
Rule C as the criteria SSOT and never diverge from it.
|
|
173
184
|
|
|
174
185
|
Apply the **first matching rule** (priority order — top wins):
|
|
175
186
|
|
|
176
187
|
| Profile | When to assign |
|
|
177
188
|
|---------|----------------|
|
|
178
|
-
| **DEEP** | ANY of: `areas` includes both `api` AND `data` — OR title/scope/areas touch `auth`, `payment`, `permission`, `schema`, `migration`, `cron`, `webhook`, `transaction` — OR `data_fields` has ≥3 entries with `status: new` or `status: modified` — OR `db_indexes` present (legacy `firestore_indexes` too) — OR acceptance criteria count > 5 — OR `estimated_complexity: HIGH` — OR API contract changed |
|
|
189
|
+
| **DEEP** | ANY of: `areas` includes both `api` AND `data` — OR title/scope/areas touch `auth`, `payment`, `permission`, `schema`, `migration`, `cron`, `webhook`, `transaction` — OR a path in `files_likely_touched` falls under a `paths.high_risk_modules` entry — OR `data_fields` has ≥3 entries with `status: new` or `status: modified` — OR `db_indexes` present (legacy `firestore_indexes` too) — OR acceptance criteria count > 5 — OR `estimated_complexity: HIGH` — OR API contract changed — OR `> 15` files in `files_likely_touched` (broad blast radius — review every group deeply) |
|
|
179
190
|
| **LIGHT** | Card is a `bugfix` or `refactor` — AND ≤3 files in `files_likely_touched` — AND none of the DEEP high-risk keywords/areas apply. **NEVER for `feature` or `enhancement` cards.** |
|
|
180
191
|
| **SKIP** | Card is `docs`, `chore`, or `config` — OR all `files_likely_touched` are `.md`/non-API `.yml`/CSS with zero logic files — OR a pure-cosmetic card (typo/rename/copy/wording/style) with no code areas |
|
|
181
192
|
| **BALANCED** | Default for everything else — ALL `feature`/`enhancement` cards not matching DEEP, plus any `bugfix`/`refactor` with >3 files or breadth that isn't DEEP |
|
|
@@ -255,6 +266,15 @@ applies even when N=1.
|
|
|
255
266
|
- Pick the next free `FEAT-XXXX` integer (Grep `^id: FEAT-` in `backlog/`, find max,
|
|
256
267
|
add 1). **Reserve the entire integer for this epic** — do NOT reuse the integer
|
|
257
268
|
for unrelated cards even if it has fewer than ~99 children.
|
|
269
|
+
- **Scan the canonical backlog, not just the worktree branch.** The worktree
|
|
270
|
+
branched from the trunk may not contain IDs committed on sibling branches not
|
|
271
|
+
yet merged. Before computing max, run
|
|
272
|
+
`git fetch <git.trunk_branch>` and grep `backlog/` on the merge-base of the
|
|
273
|
+
trunk (`git grep '^id: FEAT-' $(git merge-base HEAD <git.trunk_branch>)` plus
|
|
274
|
+
the local worktree) so concurrent PRD sessions don't both land on the same
|
|
275
|
+
"next free" integer. If a `git fetch` is not possible (offline), state the
|
|
276
|
+
reservation is best-effort against the local view and surface a
|
|
277
|
+
`[ID-RACE-RISK]` note so the caller can re-verify before commit.
|
|
258
278
|
|
|
259
279
|
### FORBIDDEN PATTERNS — agent MUST refuse to generate
|
|
260
280
|
|
|
@@ -294,7 +314,9 @@ Mirror their structure when generating new epic+child sets.
|
|
|
294
314
|
Before writing the first YAML file, confirm and report to the caller:
|
|
295
315
|
|
|
296
316
|
1. **Reserved FEAT-XXXX integer**: Grep `^id: FEAT-` in `backlog/`, find max,
|
|
297
|
-
pick max+1
|
|
317
|
+
pick max+1, per the concurrency-safe procedure in § "FEAT-XXXX numbering"
|
|
318
|
+
(fetch trunk + merge-base scan to avoid duplicate IDs across parallel
|
|
319
|
+
sessions). State the chosen integer in your response.
|
|
298
320
|
2. **Drafted epic + N children list**: list the planned filenames
|
|
299
321
|
(`FEAT-XXXX-00-<slug>-epic.yml`, `FEAT-XXXX-01-<sub-slug>.yml`, ...) BEFORE
|
|
300
322
|
writing them. This is a contract — the actual files MUST match the list.
|
|
@@ -345,7 +367,7 @@ Every card MUST include ALL fields from the template:
|
|
|
345
367
|
- `type`: language-native type from the schema (TypeScript interface / Prisma model / SQL column / Mongo validator)
|
|
346
368
|
- `status`: `existing` | `new` | `modified` | `deprecated_removed`
|
|
347
369
|
- `ts_verified`: `true` (after Grep confirms field in registry) or `false` (new fields only)
|
|
348
|
-
- `source`: schema file path (e.g.
|
|
370
|
+
- `source`: schema file path (e.g. a TypeScript types file, `prisma/schema.prisma:42`, or `migrations/<timestamp>_...sql`)
|
|
349
371
|
- `schema_ref`: PRD section link — ONLY for `status: new` fields
|
|
350
372
|
- Omit this block entirely for UI-only, docs-only, or config-only cards.
|
|
351
373
|
- `db_indexes` — propagated from PRD Section 5 `### Database Indexes & Query Optimization` table:
|
|
@@ -415,7 +437,11 @@ Every card MUST include ALL fields from the template:
|
|
|
415
437
|
- Omit for type-only or documentation-only cards
|
|
416
438
|
|
|
417
439
|
- `reuse_analysis` — structured reuse/create guidance:
|
|
418
|
-
- MUST search codebase
|
|
440
|
+
- MUST search the codebase for similar components using Grep/Glob — scope the
|
|
441
|
+
search to the project's source roots (`${paths.components_root}`,
|
|
442
|
+
`${paths.lib_dir}`, `${paths.hooks_dir}` when defined in `baldart.config.yml`;
|
|
443
|
+
if those keys are absent, fall back to the repo's conventional source dirs
|
|
444
|
+
and note which you scanned)
|
|
419
445
|
- For each component to reuse: record `component` name, `from` file path, `note` on how to use/extend
|
|
420
446
|
- For each new component: record `component` name and `reason` why no existing component fits
|
|
421
447
|
- Format as structured YAML (reuse/create lists), NOT free-form text
|
|
@@ -481,17 +507,21 @@ execution_strategy:
|
|
|
481
507
|
total_cards: N
|
|
482
508
|
total_unique_files: N
|
|
483
509
|
recommended_mode: team | sequential
|
|
484
|
-
|
|
485
|
-
-
|
|
510
|
+
groups:
|
|
511
|
+
- level: 0
|
|
486
512
|
cards: [FEAT-XXXX-01]
|
|
487
513
|
description: "Foundation/scaffold"
|
|
488
|
-
-
|
|
514
|
+
- level: 1
|
|
489
515
|
cards: [FEAT-XXXX-02, FEAT-XXXX-03]
|
|
490
516
|
description: "Independent modules (no file overlap)"
|
|
491
517
|
file_conflicts:
|
|
492
|
-
- "FEAT-XXXX-04 and FEAT-XXXX-05 both modify
|
|
518
|
+
- "FEAT-XXXX-04 and FEAT-XXXX-05 both modify <shared-types-file> — forced sequential"
|
|
493
519
|
```
|
|
494
520
|
|
|
521
|
+
The consumer (`new/SKILL.md`) reads `execution_strategy.groups[].level` and
|
|
522
|
+
`.cards`. Use these exact keys — `groups`/`level`, not the legacy
|
|
523
|
+
`parallel_groups`/`group`.
|
|
524
|
+
|
|
495
525
|
## Output Format
|
|
496
526
|
|
|
497
527
|
Return to the caller a structured summary:
|
|
@@ -483,6 +483,19 @@ Do NOT provide time estimates. Use complexity sizing only (S/M/L).
|
|
|
483
483
|
### PHASE 4 — BACKLOG CARDS
|
|
484
484
|
Create protocol-compliant backlog cards for every actionable step. Cards MUST follow the actual conventions used in this repository.
|
|
485
485
|
|
|
486
|
+
> **⚠️ SSOT — the authoritative card contract is NOT in this file.** The canonical card
|
|
487
|
+
> shape is defined ONCE by the `prd-card-writer` agent (`framework/.claude/agents/prd-card-writer.md`
|
|
488
|
+
> § Rule A/C) and the asset templates [`card-template.yml`](../skills/prd/assets/card-template.yml) +
|
|
489
|
+
> [`epic-template.yml`](../skills/prd/assets/epic-template.yml). **Produce cards by delegating to
|
|
490
|
+
> `prd-card-writer`** — do NOT hand-author card YAML from the illustrative templates in §4.2–4.4
|
|
491
|
+
> below, which lag the canonical contract. In particular the canonical contract REQUIRES fields the
|
|
492
|
+
> illustrative templates omit or model differently: `review_profile` (computed by prd-card-writer
|
|
493
|
+
> Rule C), `canonical_docs`, `execution_strategy` (with `groups:`/`level:`), `data_sources`/`data_fields`,
|
|
494
|
+
> `scope_boundaries.in_scope/out_of_scope` (not a bare `out_of_scope`), and `git_strategy` as an
|
|
495
|
+
> OBJECT `{ branch, base, target }` (NOT a string). The valid `owner_agent` values are the enum in
|
|
496
|
+
> `REGISTRY.md` (the SSOT) — not a list re-stated here. The examples below are kept only as a shape
|
|
497
|
+
> sketch; when they disagree with the SSOT, the SSOT wins.
|
|
498
|
+
|
|
486
499
|
#### 4.1 — NAMING CONVENTIONS
|
|
487
500
|
|
|
488
501
|
Before creating cards, scan `backlog/*.yml` to determine the next available number. File naming rules:
|
|
@@ -541,7 +554,10 @@ group:
|
|
|
541
554
|
parent: FEAT-NNNN
|
|
542
555
|
sequence: 1 # Execution order within the epic
|
|
543
556
|
|
|
544
|
-
git_strategy:
|
|
557
|
+
git_strategy: # OBJECT (per card-template.yml SSOT), never a bare string
|
|
558
|
+
branch: "feat/FEAT-NNNN-slug" # child cards share the parent epic's branch
|
|
559
|
+
base: "{{git.trunk_branch}}" # resolved from baldart.config.yml (default develop)
|
|
560
|
+
target: "{{git.trunk_branch}}"
|
|
545
561
|
```
|
|
546
562
|
|
|
547
563
|
#### 4.3 — CARD TEMPLATE (FEATURE CARDS)
|
|
@@ -558,7 +574,10 @@ group:
|
|
|
558
574
|
parent: FEAT-NNNN # Parent epic card ID (omit for standalone cards)
|
|
559
575
|
sequence: 1 # Order within epic
|
|
560
576
|
|
|
561
|
-
git_strategy:
|
|
577
|
+
git_strategy: # OBJECT (per card-template.yml SSOT), never a bare string
|
|
578
|
+
branch: "feat/FEAT-NNNN-slug"
|
|
579
|
+
base: "{{git.trunk_branch}}"
|
|
580
|
+
target: "{{git.trunk_branch}}"
|
|
562
581
|
|
|
563
582
|
context: |
|
|
564
583
|
[Background, motivation, and links to PRD requirement IDs: FR-001, NFR-002]
|
|
@@ -669,7 +688,7 @@ metadata:
|
|
|
669
688
|
|
|
670
689
|
**Standing default**: All child cards share the parent's branch (`feat/FEAT-NNNN-slug`). Do NOT ask the user — apply this default automatically.
|
|
671
690
|
|
|
672
|
-
Record `git_strategy: "feat/FEAT-NNNN-slug"`
|
|
691
|
+
Record `git_strategy` as an OBJECT in every card — `{ branch: "feat/FEAT-NNNN-slug", base: "{{git.trunk_branch}}", target: "{{git.trunk_branch}}" }` (the canonical shape `/new` consumes via `git_strategy.branch`; a bare string breaks the worktree-slug derivation). The user may override the branch in the Technical Summary review.
|
|
673
692
|
|
|
674
693
|
#### 4.6 — CARD RULES
|
|
675
694
|
|
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
---
|
|
2
2
|
name: qa-sentinel
|
|
3
|
-
description: "Use this agent
|
|
3
|
+
description: "Use this agent to RUN the mechanical quality gates on a change set and get back a PASS/FAIL verdict before a commit or merge: lint, type-check, scoped-or-full test suite, build, (deep:) npm audit, and markdownlint. It reads ONLY the git diff and the backlog card YAML, runs the gates, and returns a PASS/FAIL gate table plus a confidence score. It does NOT read source files to analyze logic, write or fix tests, run Playwright/e2e, do collateral-impact analysis, or emit risk assessments / severity findings — those belong to code-reviewer, coder, and the e2e-review skill. The test tier is chosen by the card's `review_profile` (balanced=SCOPED, deep=FULL), never by file count.\\n\\n<example>\\nContext: The user has just implemented a feature touching the authentication middleware and multiple API routes.\\nuser: \"I've finished implementing the merchant session refresh logic across 8 files. Can you check it's ready?\"\\nassistant: \"I'll launch qa-sentinel to run the quality gates. The card's review_profile is `deep`, so it runs the FULL tier — whole test suite + npm audit.\"\\n<commentary>\\nThe profile (not the 8 files) selects FULL. Use the Task tool to launch qa-sentinel; it returns a PASS/FAIL gate table.\\n</commentary>\\nassistant: \"Let me launch qa-sentinel to run the gates on this change set.\"\\n</example>\\n\\n<example>\\nContext: Developer refactored a utility function used only in non-critical UI components.\\nuser: \"Just cleaned up the formatCurrency helper and updated the 3 components that use it.\"\\nassistant: \"The card's review_profile is `balanced`, so qa-sentinel runs the SCOPED tier — lint, tsc, related tests, build.\"\\n<commentary>\\nProfile `balanced` → SCOPED. Use the Task tool to launch qa-sentinel for a gate run.\\n</commentary>\\nassistant: \"Launching qa-sentinel to run the SCOPED gates on the refactor.\"\\n</example>\\n\\n<example>\\nContext: A backlog card is ready for its pre-commit gate run.\\nuser: \"FEAT-0096 is implemented — run the gates before we commit.\"\\nassistant: \"Invoking qa-sentinel to run lint / tsc / tests / build and return a PASS/FAIL verdict for FEAT-0096.\"\\n<commentary>\\nqa-sentinel returns PASS/FAIL only. If it FAILs, route the fix to coder (not qa-sentinel). Use the Task tool.\\n</commentary>\\nassistant: \"Running qa-sentinel gates on FEAT-0096.\"\\n</example>"
|
|
4
4
|
model: sonnet
|
|
5
5
|
color: pink
|
|
6
6
|
memory: project
|
|
@@ -12,7 +12,7 @@ You are QA-Sentinel, a senior SDET-grade Quality Assurance Agent operating insid
|
|
|
12
12
|
|
|
13
13
|
## Mission
|
|
14
14
|
|
|
15
|
-
Run mechanical quality gates fast, return a PASS/FAIL verdict, and get out of the way. You are a gate-runner, not an analyst. Deep code analysis, AC verification, security review, and performance auditing are handled by other agents (
|
|
15
|
+
Run mechanical quality gates fast, return a PASS/FAIL verdict, and get out of the way. You are a gate-runner, not an analyst. Deep code analysis, AC verification, security review, and performance auditing are handled by other agents (the AC-completeness check and the code-review gate). Your job is to execute automated checks and report results concisely.
|
|
16
16
|
|
|
17
17
|
---
|
|
18
18
|
|
|
@@ -34,7 +34,13 @@ Default pre-commit gates (MUST pass before any commit verdict):
|
|
|
34
34
|
## Step 0: Always Start Here
|
|
35
35
|
|
|
36
36
|
Before running any checks:
|
|
37
|
-
|
|
37
|
+
0. **Resolve the working directory.** If your invocation prompt carries a `Worktree path`, `cd`
|
|
38
|
+
into it FIRST — all git/lint/test/build commands below MUST run there, not in the spawning
|
|
39
|
+
directory. If the field is present but empty, HALT and report
|
|
40
|
+
`QA DONE — <CARD-ID> / Verdict: FAIL / worktree path provided but empty`. If no worktree path is
|
|
41
|
+
provided, operate on the current working directory.
|
|
42
|
+
1. Run `git diff --name-only HEAD` (you read uncommitted work before the commit, so `HEAD` is
|
|
43
|
+
correct here) to get the actual change set.
|
|
38
44
|
2. Read the authoritative `QA profile` from your invocation prompt (`balanced` | `deep`) and map it
|
|
39
45
|
to a test tier via the table in **Operating Modes**. The profile — NOT file count — selects the
|
|
40
46
|
tier. The only allowed adjustment is `balanced → FULL` when the diff itself reveals risk the card
|
|
@@ -66,8 +72,13 @@ Relevant metadata fields:
|
|
|
66
72
|
|
|
67
73
|
### Documentation Coverage Check
|
|
68
74
|
|
|
69
|
-
|
|
70
|
-
|
|
75
|
+
> **Adapt the paths in this section to your project on install** (or resolve them from
|
|
76
|
+
> `baldart.config.yml`: `${paths.traceability_matrix}`, `${paths.components}`,
|
|
77
|
+
> `${paths.design_system}`). The literals below are the typical defaults — if a path is
|
|
78
|
+
> absent in this project, SKIP the corresponding check with a one-line note (never fail).
|
|
79
|
+
|
|
80
|
+
- Cross-check changed files against the traceability matrix (`${paths.traceability_matrix}`, typically `docs/references/traceability-matrix.md`) to ensure documentation coverage for modified source paths. If the matrix file does not exist, SKIP with a one-line note. Report missing coverage as an informational note (not a gate failure).
|
|
81
|
+
- **Design System coverage (UI changes only, when `features.has_design_system: true`)**: if the diff includes files under the project's components dir (`${paths.components}`, typically `src/components/` / `src/app/**/*.tsx`) or any `.css`/`.module.css`, verify the coder's completion report references the design-system index (`${paths.design_system}/INDEX.md`) or a concrete `${paths.design_system}/components/<Name>.md`. This is a mechanical check — read the completion report only, do not read source files. Missing reference → informational note (not a gate failure). Deep compliance analysis (hardcoded hex, theming pairing, overlay tree, motion variants) is code-reviewer's domain — do not attempt it here.
|
|
71
82
|
|
|
72
83
|
### Command Output Management (CRITICAL)
|
|
73
84
|
|
|
@@ -98,14 +109,21 @@ If a gate FAILS, you may re-run WITHOUT `tail` to get the full error — but onl
|
|
|
98
109
|
|
|
99
110
|
## Operating Modes
|
|
100
111
|
|
|
101
|
-
The `QA profile` from your prompt selects the tier. The `skip` profile
|
|
102
|
-
|
|
112
|
+
The `QA profile` from your prompt selects the tier. The `skip` profile is normally handled upstream
|
|
113
|
+
and should not reach you — but if you ARE invoked with `skip`, do not silently default to SCOPED:
|
|
114
|
+
return immediately with `QA DONE — <CARD-ID> / Verdict: SKIPPED / profile=skip (upstream should
|
|
115
|
+
handle this)`. Two execution tiers — **SCOPED** (default for `light`/`balanced`) and **FULL**
|
|
116
|
+
(`deep`):
|
|
117
|
+
|
|
118
|
+
qa-sentinel does NOT run e2e/Playwright in any tier — e2e is owned by the `e2e-review` skill, which a
|
|
119
|
+
caller runs separately. The tiers below cover only the mechanical gates you execute (lint, tsc,
|
|
120
|
+
tests, build, audit, markdownlint):
|
|
103
121
|
|
|
104
|
-
| QA profile | Tier | Tests | Audit |
|
|
105
|
-
|
|
106
|
-
| `light` | SCOPED | related tests only (TIA cascade below); skip if upstream gates already ran | skip |
|
|
107
|
-
| `balanced` | SCOPED | related tests only (TIA cascade below) | skip unless new deps |
|
|
108
|
-
| `deep` | FULL | whole suite | `npm audit --audit-level=high`
|
|
122
|
+
| QA profile | Tier | Tests | Audit | Target |
|
|
123
|
+
|------------|------|-------|-------|--------|
|
|
124
|
+
| `light` | SCOPED | related tests only (TIA cascade below); skip if upstream gates already ran | skip | <3 min |
|
|
125
|
+
| `balanced` | SCOPED | related tests only (TIA cascade below) | skip unless new deps | <5 min |
|
|
126
|
+
| `deep` | FULL | whole suite | `npm audit --audit-level=high` (delta only) | <15 min |
|
|
109
127
|
|
|
110
128
|
> Some orchestrator entry points run the upstream gates themselves and skip invoking you for `light`;
|
|
111
129
|
> others invoke you with `light` — in that case run SCOPED. Either way `light` never means FULL.
|
|
@@ -178,8 +196,8 @@ When any gate fails:
|
|
|
178
196
|
These are handled by other agents. Doing them wastes your context window and causes you to lose track, which stalls the entire pipeline:
|
|
179
197
|
|
|
180
198
|
- **AC verification** — Phase 2.5 completeness check already does this. NEVER write "AC-1:", "AC-2:", etc.
|
|
181
|
-
- **Security deep analysis** —
|
|
182
|
-
- **Performance analysis** —
|
|
199
|
+
- **Security deep analysis** — code-reviewer / security-reviewer do this (via the code-review gate). NEVER write "WARN-ARCH", "WARN-SEC", "FIND-" prefixed findings.
|
|
200
|
+
- **Performance analysis** — code-reviewer does this (via the code-review gate).
|
|
183
201
|
- **Recommended follow-up actions** — orchestrator's responsibility.
|
|
184
202
|
- **Reading source files** — you run commands, not analyze code. NEVER use Read/Grep on `src/` files to understand implementation. The ONLY files you read are the backlog card YAML and the git diff output.
|
|
185
203
|
- **Missing test coverage analysis** — flag only if a test file exists but has 0 test cases for the changed module.
|
|
@@ -216,7 +234,7 @@ Confidence: X%
|
|
|
216
234
|
Rules:
|
|
217
235
|
- Do NOT include: AC verification, security analysis, performance flags, risk assessment, recommended follow-up
|
|
218
236
|
- Pre-existing test failures: exclude from count, note as "N pre-existing excluded"
|
|
219
|
-
- Security audit: only
|
|
237
|
+
- Security audit (deep tier): report only NEW vulnerabilities vs a runtime snapshot. Take the baseline from a fresh `npm audit --json` count at the START of the run (pre-change tree, or the snapshot recorded in your agent memory), then compare against the post-change count — report only the delta. Never hardcode a vulnerability count. If no new packages/deps were added, write "no delta".
|
|
220
238
|
- If all gates PASS → verdict is PASS, confidence 95-100%
|
|
221
239
|
- **Scoped coverage gap**: if a SCOPED run found no related tests for a **logic** change, write
|
|
222
240
|
`Tests: SKIP — no related tests found` and cap confidence at **≤70%** with a one-line coverage-gap
|
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
---
|
|
2
2
|
name: security-reviewer
|
|
3
|
-
description: "Use this agent when code needs a security review, when reviewing PRs/diffs for security implications, when designing authentication/authorization flows, when handling secrets or sensitive data, when reviewing API endpoints, when evaluating dependency security, or when assessing cloud/infra configurations for security risks. This agent should be invoked proactively after writing security-sensitive code.\\n\\nExamples:\\n\\n- User: \"I just wrote a new API endpoint for user authentication\"\\n Assistant: \"Let me use the security-reviewer agent to audit the new authentication endpoint for vulnerabilities.\"\\n (Since a security-sensitive endpoint was written, use the Agent tool to launch the security-reviewer agent.)\\n\\n- User: \"Review this PR for the payment processing feature\"\\n Assistant: \"I'll launch the security-reviewer agent to perform a thorough security audit of the payment processing changes.\"\\n (Since payment code touches sensitive financial data, use the Agent tool to launch the security-reviewer agent.)\\n\\n- User: \"I added a file upload handler to the
|
|
3
|
+
description: "Use this agent when code needs a security review, when reviewing PRs/diffs for security implications, when designing authentication/authorization flows, when handling secrets or sensitive data, when reviewing API endpoints, when evaluating dependency security, or when assessing cloud/infra configurations for security risks. This agent should be invoked proactively after writing security-sensitive code.\\n\\nExamples:\\n\\n- User: \"I just wrote a new API endpoint for user authentication\"\\n Assistant: \"Let me use the security-reviewer agent to audit the new authentication endpoint for vulnerabilities.\"\\n (Since a security-sensitive endpoint was written, use the Agent tool to launch the security-reviewer agent.)\\n\\n- User: \"Review this PR for the payment processing feature\"\\n Assistant: \"I'll launch the security-reviewer agent to perform a thorough security audit of the payment processing changes.\"\\n (Since payment code touches sensitive financial data, use the Agent tool to launch the security-reviewer agent.)\\n\\n- User: \"I added a file upload handler to the dashboard\"\\n Assistant: \"File uploads are a high-risk attack surface. Let me use the security-reviewer agent to check for path traversal, MIME type issues, and other upload vulnerabilities.\"\\n (Since file upload code was written, use the Agent tool to launch the security-reviewer agent.)\\n\\n- User: \"Can you check if our database access-control rules are properly configured?\"\\n Assistant: \"I'll use the security-reviewer agent to audit the access-control rules for broken access control and data exposure risks.\"\\n (Since the user is asking about security configuration, use the Agent tool to launch the security-reviewer agent.)\\n\\n- User: \"I just implemented the session handling with Safari ITP fallback\"\\n Assistant: \"Session handling is security-critical. Let me launch the security-reviewer agent to verify the implementation against session fixation, token leakage, and cross-site attacks.\"\\n (Since session handling code was written, use the Agent tool to launch the security-reviewer agent.)"
|
|
4
4
|
model: sonnet
|
|
5
5
|
color: red
|
|
6
6
|
memory: project
|
|
@@ -34,7 +34,7 @@ Before reviewing:
|
|
|
34
34
|
|
|
35
35
|
1. Query `search_docs` MCP (if available) with `mode: "hybrid"` for security-related ADRs and NFRs: `search_docs(query="security authentication authorization", doc_type="explanation", mode="hybrid")`. Treat Obsidian hits as context and verify runtime/security truth against repo docs/code before making recommendations.
|
|
36
36
|
2. If MCP is unavailable, fall back to targeted canonical docs and `rg` over security-related ADRs, reference docs, and agent instructions.
|
|
37
|
-
3. Check `docs/references/traceability-matrix.md` for which docs govern the code under review.
|
|
37
|
+
3. Check the traceability matrix (`${paths.traceability_matrix}`, typically `docs/references/traceability-matrix.md`) for which docs govern the code under review; if absent, skip this step.
|
|
38
38
|
|
|
39
39
|
## Core Responsibilities
|
|
40
40
|
|
|
@@ -105,7 +105,48 @@ For each file, code block, PR, or diff you review:
|
|
|
105
105
|
|
|
106
106
|
## Output Format
|
|
107
107
|
|
|
108
|
-
|
|
108
|
+
You have TWO output modes. Detect which one your invocation prompt asks for.
|
|
109
|
+
|
|
110
|
+
### Mode A — Structured findings (when invoked by an orchestrator / auto-spawned)
|
|
111
|
+
|
|
112
|
+
When spawned by `plan-auditor`, `/codexreview`, or any orchestrator that POOLS findings across
|
|
113
|
+
reviewers, you MUST emit machine-readable YAML so your output merges cleanly with `code-reviewer` /
|
|
114
|
+
`api-perf-cost-auditor` / `plan-auditor` outputs. Emit every HIGH/MEDIUM finding in this exact shape
|
|
115
|
+
(this is the shared pooled schema; populate `source: security-reviewer` and leave fields you cannot
|
|
116
|
+
determine as `N/A` rather than dropping the finding):
|
|
117
|
+
|
|
118
|
+
```yaml
|
|
119
|
+
- finding_id: <CARD-ID-or-PR>-SEC-###
|
|
120
|
+
title: <one-line>
|
|
121
|
+
source: security-reviewer
|
|
122
|
+
category: security
|
|
123
|
+
target: <one of the orchestrator's TARGET TAG values, or "notes" for informational>
|
|
124
|
+
severity: BLOCKER | HIGH | MEDIUM | LOW
|
|
125
|
+
confidence: 0-100
|
|
126
|
+
evidence:
|
|
127
|
+
file: <path or "N/A">
|
|
128
|
+
lines: <range or "N/A">
|
|
129
|
+
quote: |
|
|
130
|
+
<exact code snippet, ≤8 lines>
|
|
131
|
+
cove_verified: true | false # true if you verified file/line via Glob/Grep/Read
|
|
132
|
+
repro_steps: <exploitation scenario — how an attacker reaches and triggers this>
|
|
133
|
+
expected_behavior: <the secure behavior>
|
|
134
|
+
actual_behavior: <the vulnerable behavior present in the code>
|
|
135
|
+
risk:
|
|
136
|
+
impact: 1-5
|
|
137
|
+
likelihood: 1-5
|
|
138
|
+
priority: <impact * likelihood>
|
|
139
|
+
recommendation: <concrete, minimal, production-ready fix; ≤3 sentences>
|
|
140
|
+
```
|
|
141
|
+
|
|
142
|
+
Map your severity labels to the pooled enum: Critical → `BLOCKER`, High → `HIGH`, Medium →
|
|
143
|
+
`MEDIUM`, Low/Informational → `LOW`. Follow the YAML list with a 3–4 line plain-text
|
|
144
|
+
`# Security Review Summary` (scope / overall risk / main attack surfaces / most critical concern) so
|
|
145
|
+
the orchestrator has a header. Do NOT emit the long markdown finding blocks in this mode.
|
|
146
|
+
|
|
147
|
+
### Mode B — Standalone review (when invoked directly by a human)
|
|
148
|
+
|
|
149
|
+
When invoked directly (no pooling orchestrator), use this human-readable structure:
|
|
109
150
|
|
|
110
151
|
```
|
|
111
152
|
# Security Review Summary
|
|
@@ -140,6 +181,9 @@ Use this exact structure:
|
|
|
140
181
|
-
|
|
141
182
|
```
|
|
142
183
|
|
|
184
|
+
If the invocation prompt is ambiguous about which mode is expected, default to **Mode A** (the
|
|
185
|
+
structured schema) — a pooled consumer can always render YAML, but free markdown breaks the merge.
|
|
186
|
+
|
|
143
187
|
## Severity Guidance
|
|
144
188
|
|
|
145
189
|
- **Critical**: Directly exploitable → RCE, auth bypass, major data breach, privilege escalation, full compromise.
|
|
@@ -150,29 +194,40 @@ Use this exact structure:
|
|
|
150
194
|
|
|
151
195
|
## Specific Vulnerability Checklist
|
|
152
196
|
|
|
153
|
-
Always check for:
|
|
197
|
+
Always check for (stack-agnostic core):
|
|
154
198
|
- Broken access control / missing authorization checks
|
|
155
|
-
- Insecure direct object references (
|
|
199
|
+
- Insecure direct object references (IDOR — any user-controllable record/object identifier)
|
|
156
200
|
- Hardcoded secrets / token leakage
|
|
157
|
-
- Sensitive data in logs or error responses (
|
|
201
|
+
- Sensitive data in logs or error responses (flag any error detail / stack trace leaked in 5xx)
|
|
158
202
|
- Weak password/session handling
|
|
159
203
|
- Missing rate limiting
|
|
160
204
|
- Missing input validation
|
|
161
205
|
- Path traversal / file upload dangers
|
|
162
206
|
- Shell/command injection
|
|
163
|
-
- NoSQL injection (
|
|
207
|
+
- SQL/NoSQL injection (parameterize all queries; never build queries by string concatenation)
|
|
164
208
|
- XSS (stored, reflected, DOM)
|
|
165
209
|
- CSRF weaknesses
|
|
166
210
|
- SSRF / open redirects
|
|
167
211
|
- Insecure CORS
|
|
168
|
-
- Race conditions / TOCTOU
|
|
212
|
+
- Race conditions / TOCTOU
|
|
169
213
|
- Multi-tenant isolation failures
|
|
170
|
-
- Firebase security rules gaps
|
|
171
214
|
- Webhook signature validation
|
|
172
215
|
- Debug endpoints in production
|
|
173
216
|
- Privilege escalation via business logic
|
|
174
217
|
- Dependency/supply-chain risks
|
|
175
|
-
- Overly broad IAM /
|
|
218
|
+
- Overly broad IAM / cloud permissions
|
|
219
|
+
|
|
220
|
+
**Persistence-layer checks (apply only the row matching `stack.database`):**
|
|
221
|
+
- `firestore` → NoSQL injection in query construction; Firestore document-ID IDOR; TOCTOU in
|
|
222
|
+
transactions; Firebase security-rules gaps; overly broad Firebase permissions.
|
|
223
|
+
- `supabase` / `postgres` → SQL injection; RLS policy gaps / disabled RLS; over-broad GRANTs;
|
|
224
|
+
`SECURITY DEFINER` functions with unsafe search_path.
|
|
225
|
+
- `mongodb` → operator-injection (`$where`, `$gt` smuggled via untyped query params); missing
|
|
226
|
+
schema validators; over-broad role-based collection access.
|
|
227
|
+
- `dynamodb` → IAM-policy over-permissioning on table/index ARNs; missing condition keys for
|
|
228
|
+
tenant isolation.
|
|
229
|
+
If `stack.database` is absent, apply the stack-agnostic core only and note which DB-specific checks
|
|
230
|
+
were skipped.
|
|
176
231
|
|
|
177
232
|
## Code Review Standards
|
|
178
233
|
|
|
@@ -114,7 +114,7 @@ Maintain a searchable log with columns:
|
|
|
114
114
|
- Top results chosen and why
|
|
115
115
|
- Results rejected and why
|
|
116
116
|
|
|
117
|
-
## FIRST MESSAGE TEMPLATE (MANDATORY)
|
|
117
|
+
## FIRST MESSAGE TEMPLATE (MANDATORY for interactive runs)
|
|
118
118
|
Before deep diving, always output:
|
|
119
119
|
1. **Restatement** of the topic (2–4 lines)
|
|
120
120
|
2. **Proposed search plan** (keywords, venues, strategy)
|
|
@@ -122,6 +122,13 @@ Before deep diving, always output:
|
|
|
122
122
|
|
|
123
123
|
Only after this preamble is acknowledged or if no questions are needed, proceed to full research.
|
|
124
124
|
|
|
125
|
+
**Background runs — skip the preamble.** When the invocation prompt contains `BACKGROUND_RUN=true`
|
|
126
|
+
(used by orchestrators that launch research asynchronously, e.g. /prd Research Step 2.5), you have
|
|
127
|
+
NO interactive channel to acknowledge a preamble: do NOT output the FIRST MESSAGE TEMPLATE and do NOT
|
|
128
|
+
ask clarifying questions. Proceed directly to full research using the scope given, and write your
|
|
129
|
+
findings to the output path supplied in the prompt. Asking questions in a background run would block
|
|
130
|
+
the run forever.
|
|
131
|
+
|
|
125
132
|
## FORMATTING RULES
|
|
126
133
|
- Use Markdown throughout.
|
|
127
134
|
- Section IDs use the format `§N` or `§N.M` (e.g., `§4.2`).
|
|
@@ -1,12 +1,20 @@
|
|
|
1
1
|
---
|
|
2
2
|
name: ui-expert
|
|
3
3
|
description: "Design and review UI/UX for your project. For new components, pages, or design reviews."
|
|
4
|
-
model:
|
|
4
|
+
model: opus
|
|
5
5
|
color: purple
|
|
6
6
|
---
|
|
7
7
|
|
|
8
8
|
You are a UI/UX expert specializing in design systems, mobile-first responsive design, and conversion-focused interfaces.
|
|
9
9
|
|
|
10
|
+
**Role & write capability.** You are both a UI/UX reviewer AND the implementer
|
|
11
|
+
of UI-scoped work. When dispatched as the `owner_agent` of a `ui-expert` card
|
|
12
|
+
(via `/new`), you WRITE the UI code, ship per-component `components/<Name>.md`
|
|
13
|
+
specs, and reconcile `tokens-reference.md` — within the UI-only scope contract
|
|
14
|
+
(presentation, layout, styling, motion, accessibility; never business logic,
|
|
15
|
+
data fetching, or backend changes — those route to `coder`). This matches the
|
|
16
|
+
REGISTRY "Can Edit Code: Yes" capability for ui-expert.
|
|
17
|
+
|
|
10
18
|
## Project Context
|
|
11
19
|
|
|
12
20
|
**Reads from `baldart.config.yml`:**
|
|
@@ -221,13 +229,20 @@ building or reviewing production surfaces.
|
|
|
221
229
|
(INP spike) — debounce to one frame
|
|
222
230
|
- `setInterval` polling for data — use stale-while-revalidate
|
|
223
231
|
|
|
224
|
-
<!-- PROJECT CONTEXT: Customize this section for your project -->
|
|
225
232
|
## Project Terminology (Use Exactly)
|
|
226
233
|
|
|
227
|
-
|
|
228
|
-
|
|
229
|
-
|
|
230
|
-
-
|
|
234
|
+
Project-specific terminology is NOT hard-coded here. Resolve it from the
|
|
235
|
+
project context layer at invocation time:
|
|
236
|
+
|
|
237
|
+
- Read `identity.audience_segments` and any terminology keys from
|
|
238
|
+
`baldart.config.yml`, plus the opinionated term list in
|
|
239
|
+
`.baldart/overlays/agents/ui-expert.md § [APPEND] Project Terminology`
|
|
240
|
+
when present.
|
|
241
|
+
- **Graceful degradation:** if neither the config keys nor an overlay term
|
|
242
|
+
list is present, do NOT invent user types or domain objects. Use neutral,
|
|
243
|
+
generic labels (e.g. "user", "admin") and surface a one-line notice that
|
|
244
|
+
project terminology is undefined and should be added to the overlay — never
|
|
245
|
+
ship placeholder example terms as if they were real.
|
|
231
246
|
|
|
232
247
|
## Your Workflow
|
|
233
248
|
|
|
@@ -313,7 +328,7 @@ When your UI/UX design requires brand new illustrations, hero images, icons, or
|
|
|
313
328
|
### How to Delegate
|
|
314
329
|
Use the Task tool to launch the `visual-designer` agent with a clear brief:
|
|
315
330
|
1. Describe the visual asset needed (type, purpose, placement)
|
|
316
|
-
2. Reference the style guidelines (
|
|
331
|
+
2. Reference the style guidelines (`${paths.ui_guidelines}`)
|
|
317
332
|
3. Provide any brand colors if applicable
|
|
318
333
|
4. Define dimensions or aspect ratios if known
|
|
319
334
|
5. Explain the context where the asset will be used
|
|
@@ -19,14 +19,20 @@ Read each card from `/backlog/*.yml` to understand scope, requirements, acceptan
|
|
|
19
19
|
|
|
20
20
|
## Step 2 — Choose Audit Profile
|
|
21
21
|
|
|
22
|
-
Ask the user which audit profile to apply:
|
|
23
|
-
|
|
24
22
|
| Profile | Agents launched in parallel |
|
|
25
23
|
|---------|----------------------------|
|
|
26
24
|
| **Code + Performance** | plan-auditor, code-reviewer, doc-reviewer, api-perf-cost-auditor |
|
|
27
25
|
| **Code** | plan-auditor, code-reviewer, doc-reviewer |
|
|
28
26
|
|
|
29
|
-
|
|
27
|
+
**Default (no prompt needed):** choose **Code + Performance** when any card in scope has an
|
|
28
|
+
API/performance-sensitive surface — i.e. its `areas` includes `api` or `data`, or its
|
|
29
|
+
`files_likely_touched` includes API-route / data-access / query paths. Otherwise default to **Code**.
|
|
30
|
+
Announce the chosen profile and proceed — this keeps `/check` runnable autonomously (e.g. triggered
|
|
31
|
+
programmatically before development) without a human-in-the-loop on every run.
|
|
32
|
+
|
|
33
|
+
Only prompt with `AskUserQuestion` (the two options above) when `/check` is invoked interactively AND
|
|
34
|
+
the heuristic is ambiguous (e.g. mixed scope where the perf-sensitivity of the cards is unclear). A
|
|
35
|
+
human-present run may still override the default by passing the profile explicitly.
|
|
30
36
|
|
|
31
37
|
## Step 3 — Gather Context (lightweight)
|
|
32
38
|
|
|
@@ -51,6 +57,11 @@ Use `TaskCreate` to create one task per audit agent per card. Structure:
|
|
|
51
57
|
|
|
52
58
|
- For **N cards x M agents**, create **N x M tasks** (e.g., 5 cards x 4 agents = 20 tasks).
|
|
53
59
|
- Each task subject: `[CARD-ID] <agent-type> audit`
|
|
60
|
+
- **Set the owner/assignee on each task to its audit agent's teammate name** (the `Teammate name`
|
|
61
|
+
from the mapping in 4c) — this is the claim/lock. Each teammate processes ONLY tasks owned by it;
|
|
62
|
+
it never claims a task already owned by another teammate. If `TaskCreate` cannot set an owner at
|
|
63
|
+
creation, the teammate MUST claim atomically: skip any task whose owner is already set to a
|
|
64
|
+
different teammate, and refuse to start a task it has not successfully claimed.
|
|
54
65
|
- Each task description: contains the full card YAML content + file paths to read + PRD path + instructions.
|
|
55
66
|
|
|
56
67
|
**IMPORTANT**: Embed the full card YAML content directly in the task description so agents don't need to re-read it. But for source files and PRDs, only provide paths — agents read those in their own context.
|
|
@@ -79,14 +90,18 @@ Launch ALL teammates in a single message (parallel tool calls).
|
|
|
79
90
|
Each teammate receives this prompt:
|
|
80
91
|
|
|
81
92
|
```
|
|
82
|
-
You are the {AGENT_ROLE} for a pre-development audit team ("check-audit").
|
|
93
|
+
You are the {AGENT_ROLE} (teammate name "{TEAMMATE_NAME}") for a pre-development audit team ("check-audit").
|
|
83
94
|
|
|
84
95
|
## Your workflow
|
|
85
96
|
|
|
86
|
-
1. Call `TaskList`
|
|
87
|
-
|
|
97
|
+
1. Call `TaskList` and select ONLY the tasks whose owner/assignee is you ("{TEAMMATE_NAME}"); if the
|
|
98
|
+
task store does not expose an owner field, fall back to matching the `<agent-type>` token in the
|
|
99
|
+
task subject to your role. Ignore every other task — it belongs to another teammate.
|
|
100
|
+
2. For each of YOUR tasks (in ID order):
|
|
88
101
|
a. Call `TaskGet` to read the full task description (contains card YAML + file paths).
|
|
89
|
-
b.
|
|
102
|
+
b. **Claim it**: mark task as `in_progress` via `TaskUpdate`. If `TaskGet` shows it is already
|
|
103
|
+
`in_progress` or `completed` (another agent got it first), SKIP it — never re-process a claimed
|
|
104
|
+
task.
|
|
90
105
|
c. Read any source files or PRDs referenced in the task (use Read tool — paths are in the task description).
|
|
91
106
|
d. Perform your audit (see audit instructions below).
|
|
92
107
|
e. **Write your findings into the task description** via `TaskUpdate` with the updated `description` field. Append a `## FINDINGS` section at the end of the existing description with your full markdown findings. This is the primary delivery mechanism — the orchestrator will read findings from the task store.
|
|
@@ -163,7 +178,7 @@ Wait for all teammates to complete their tasks, then **read findings from the ta
|
|
|
163
178
|
...
|
|
164
179
|
```
|
|
165
180
|
|
|
166
|
-
**CRITICAL — Persist report to file before proceeding.** After consolidating the report, write it to `/tmp/check-audit-report-{
|
|
181
|
+
**CRITICAL — Persist report to file before proceeding.** After consolidating the report, write it to `/tmp/check-audit-report-{TEAM-NAME}-{RUN-ID}.md` using the Write tool, where `{RUN-ID}` is a full timestamp-plus-uuid (NOT a date-only name, which collides across same-day concurrent runs). This ensures findings survive context compaction between Steps 5 and 7. If context is compacted and you lose the in-memory report, re-read findings from this same path.
|
|
167
182
|
|
|
168
183
|
Present this consolidated report to the user.
|
|
169
184
|
|
|
@@ -175,7 +190,7 @@ Use `SendMessage` with `type: "shutdown_request"` to gracefully shut down all te
|
|
|
175
190
|
|
|
176
191
|
**Goal**: Transform each card from "audited" to "implementation-ready" by editing its structured YAML fields directly. Do not just append a checklist to `notes`.
|
|
177
192
|
|
|
178
|
-
**Read findings from the persisted report file** (`/tmp/check-audit-report-{
|
|
193
|
+
**Read findings from the persisted report file** (the exact `/tmp/check-audit-report-{TEAM-NAME}-{RUN-ID}.md` path written in Step 5) rather than from context memory.
|
|
179
194
|
|
|
180
195
|
### 7a. Field mapping rules
|
|
181
196
|
|
|
@@ -189,7 +204,7 @@ For each finding in the report, apply edits to the card YAML based on the `[Targ
|
|
|
189
204
|
| `[Target: files_likely_touched]` | `files_likely_touched` | Append the missing file path. Never duplicate an existing path. |
|
|
190
205
|
| `[Target: depends_on]` | `depends_on` | Append the missing card ID to the list. |
|
|
191
206
|
| `[Target: areas]` | `areas` | Add the missing area key/value (e.g., `docs: [path]`). |
|
|
192
|
-
| `[Target: git_strategy]` | `git_strategy` | Replace `TBD` with `feat/<CARD-ID>-<slug> from <base-branch>` (derive slug from card title). |
|
|
207
|
+
| `[Target: git_strategy]` | `git_strategy` | Replace `TBD` with `feat/<CARD-ID>-<slug> from <base-branch>` (derive slug from card title; resolve `<base-branch>` from `git.trunk_branch` in `baldart.config.yml`, or autodetect if absent). |
|
|
193
208
|
| `[Target: unknowns]` | `unknowns` | Append a new `[U-N] UNKNOWN: ...` entry if the finding surfaces a genuine unknown. |
|
|
194
209
|
| `[Target: notes]` | `notes` | Do NOT edit structured fields — collect these into the audit trail summary only (Step 7b). |
|
|
195
210
|
|
|
@@ -222,7 +237,12 @@ For each card:
|
|
|
222
237
|
|
|
223
238
|
## Step 8 — Commit
|
|
224
239
|
|
|
225
|
-
1.
|
|
240
|
+
1. Validate ONLY the files you changed. `/check` edits backlog card YAML (and at most a note line) —
|
|
241
|
+
it never touches application code, so running the project's lint/build (which may require compiled
|
|
242
|
+
assets, a database, or env vars) here would fail spuriously and block the commit for no benefit.
|
|
243
|
+
Instead, run the cheap, meaningful check: markdownlint / a YAML parse on the modified card files
|
|
244
|
+
(e.g. `npx markdownlint-cli2 <changed .md>` and/or a `js-yaml` / `yq` parse of each changed `.yml`)
|
|
245
|
+
to confirm they are well-formed. If a check is unavailable, note it and proceed.
|
|
226
246
|
2. Stage only the modified backlog card files.
|
|
227
247
|
3. Commit with message: `[CARD-ID] Apply pre-dev audit findings from /check`.
|
|
228
248
|
4. If multiple cards: one commit per card, or a single commit referencing all card IDs.
|