baldart 3.41.0 → 4.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (49) hide show
  1. package/CHANGELOG.md +34 -0
  2. package/VERSION +1 -1
  3. package/framework/.claude/agents/REGISTRY.md +72 -24
  4. package/framework/.claude/agents/api-perf-cost-auditor.md +12 -5
  5. package/framework/.claude/agents/code-reviewer.md +30 -23
  6. package/framework/.claude/agents/codebase-architect.md +47 -43
  7. package/framework/.claude/agents/coder.md +29 -18
  8. package/framework/.claude/agents/doc-reviewer.md +55 -28
  9. package/framework/.claude/agents/plan-auditor.md +77 -12
  10. package/framework/.claude/agents/prd-card-writer.md +43 -13
  11. package/framework/.claude/agents/prd.md +22 -3
  12. package/framework/.claude/agents/qa-sentinel.md +33 -15
  13. package/framework/.claude/agents/security-reviewer.md +65 -10
  14. package/framework/.claude/agents/senior-researcher.md +8 -1
  15. package/framework/.claude/agents/ui-expert.md +22 -7
  16. package/framework/.claude/commands/check.md +31 -11
  17. package/framework/.claude/commands/codexreview.md +48 -29
  18. package/framework/.claude/commands/new.md +29 -330
  19. package/framework/.claude/commands/qa.md +57 -37
  20. package/framework/.claude/skills/context-primer/SKILL.md +29 -8
  21. package/framework/.claude/skills/doc-writing-for-rag/SKILL.md +36 -36
  22. package/framework/.claude/skills/frontend-design/SKILL.md +10 -8
  23. package/framework/.claude/skills/new/SKILL.md +409 -302
  24. package/framework/.claude/skills/prd/SKILL.md +67 -38
  25. package/framework/.claude/skills/prd/assets/card-template.yml +22 -26
  26. package/framework/.claude/skills/prd/assets/epic-template.yml +5 -5
  27. package/framework/.claude/skills/prd/assets/state-template.md +25 -3
  28. package/framework/.claude/skills/prd/references/api-perf-gate.md +143 -33
  29. package/framework/.claude/skills/prd/references/audit-phase.md +48 -34
  30. package/framework/.claude/skills/prd/references/backlog-phase.md +38 -11
  31. package/framework/.claude/skills/prd/references/discovery-phase.md +121 -44
  32. package/framework/.claude/skills/prd/references/impact-analysis.md +127 -23
  33. package/framework/.claude/skills/prd/references/prd-add-phase.md +18 -214
  34. package/framework/.claude/skills/prd/references/prd-writing-phase.md +52 -42
  35. package/framework/.claude/skills/prd/references/research-phase.md +105 -19
  36. package/framework/.claude/skills/prd/references/ui-design-phase.md +20 -8
  37. package/framework/.claude/skills/prd/references/validation-phase.md +97 -72
  38. package/framework/.claude/skills/prd-add/SKILL.md +70 -20
  39. package/framework/.claude/skills/simplify/SKILL.md +22 -12
  40. package/framework/.claude/skills/ui-design/SKILL.md +26 -7
  41. package/framework/.claude/skills/webapp-testing/SKILL.md +6 -4
  42. package/framework/.claude/skills/worktree-manager/SKILL.md +206 -143
  43. package/framework/agents/coding-standards.md +85 -0
  44. package/framework/agents/skills-mapping.md +85 -82
  45. package/framework/agents/testing.md +6 -4
  46. package/framework/templates/baldart.config.template.yml +29 -7
  47. package/package.json +1 -1
  48. package/src/commands/configure.js +43 -9
  49. package/framework/.claude/skills/prd-add/references/impact-analysis.md +0 -233
@@ -21,8 +21,12 @@ If `/codexreview` is invoked **without card IDs**, infer them from context in th
21
21
  2. **In-progress backlog cards**: run `grep -rl "status: IN_PROGRESS" /backlog/*.yml` and read their `id` fields.
22
22
  3. **Current branch name**: parse the branch name (e.g. `feat/FEAT-0123-slug` → `FEAT-0123`).
23
23
 
24
+ The patterns above (`FEAT-`, `BUG-`, `TECH-`, `UI-`) are BALDART's default taxonomy; consumer
25
+ projects with a different convention (e.g. JIRA-style `PROJ-123`) should extend the match list to
26
+ their own prefixes. If 0 IDs match, fall through to `AskUserQuestion` rather than guessing.
27
+
24
28
  Deduplicate, then:
25
- - If exactly 1–3 cards are inferred: announce them ("Inferred cards from context: FEAT-XXXX, FEAT-YYYY") and proceed.
29
+ - If exactly 1–3 cards are inferred: announce them ("Inferred cards from context: FEAT-XXXX, FEAT-YYYY") and proceed. [DESIGN-CHOICE: cap at 3 to prevent token-budget saturation in a single orchestrator context; larger batch should be split into separate runs]
26
30
  - If 0 or more than 3 are inferred: ask the user to specify which cards to review using `AskUserQuestion`. Do not guess.
27
31
 
28
32
  ---
@@ -52,17 +56,17 @@ For the (single) card in scope, check for `/tmp/codexreview-lean-<CARD-ID>.json`
52
56
  - `arch_baseline_path` readable → **skip Step 1** (do NOT re-spawn `codebase-architect`); load the
53
57
  baseline from that file and ALSO attach the `diff_summary_path` contents to every review agent so
54
58
  they see what changed against the existing-architecture map. *(A1)*
55
- - `skip_doc_reviewer: true` → **omit agent #4 (`doc-reviewer`)** in Step 2. Doc concerns are covered
59
+ - `skip_doc_reviewer: true` → **omit agent #3 (`doc-reviewer`)** in Step 2. Doc concerns are covered
56
60
  by `/new` Phase 3, which runs `doc-reviewer` (with the spec/docs-drift lens) on the same diff
57
61
  immediately before this gate. *(A2)*
58
- - `profile: "light"` → ALSO omit agent #2 (`qa-sentinel`), agent #3 (`api-perf-cost-auditor`),
59
- **agent #5 (Codex adversarial)** (since v3.38.0), and **skip Step 3.5 (CoVe)**. Only agent #1
62
+ - `profile: "light"` → ALSO omit agent #2 (`api-perf-cost-auditor`),
63
+ **agent #4 (Codex adversarial)** (since v3.38.0), and **skip Step 3.5 (CoVe)**. Only agent #1
60
64
  (`code-reviewer`) and the Step 3 false-positive gate run. The Codex adversarial pass is the
61
65
  prerogative of `full` and of the final cross-check — every `light` card's code is still reviewed
62
66
  by Codex adversarial at the unconditional Final-review FULL gate before merge (see `/new`
63
67
  "Final-review FULL gate"), and any high-risk diff trigger escalates the card to `full` per-card
64
68
  so it gets Codex adversarial immediately. *(B1)*
65
- - `profile: "full"` (or missing) → full agent set incl. Codex adversarial, minus #4 if `skip_doc_reviewer`.
69
+ - `profile: "full"` (or missing) → full agent set incl. Codex adversarial, minus #3 if `skip_doc_reviewer`.
66
70
 
67
71
  **Invariant**: lean mode NEVER suppresses the run itself — at minimum `code-reviewer` + the Step 3
68
72
  FP-gate execute on every card (`light`); `full` additionally runs the Codex adversarial pass. If the
@@ -83,9 +87,9 @@ For each provided card ID:
83
87
  - `acceptance_criteria`
84
88
  - `entrypoints`
85
89
  - `files_likely_touched` (if present)
86
- 3. Gather git evidence:
90
+ 3. Gather git evidence (resolve `<trunk>` from `git.trunk_branch` in `baldart.config.yml`; if absent, autodetect the integration branch):
87
91
  - `git log --oneline --all --grep "<CARD-ID>"`
88
- - `git diff --name-only develop...HEAD` (fallback to `git diff --name-only HEAD~1`)
92
+ - `git diff --name-only <trunk>...HEAD` (fallback to `git diff --name-only HEAD~1`)
89
93
  4. Build `review_scope_files` as union of card-indicated files + git-touched files.
90
94
  5. Persist scope context to `/tmp/codexreview-<CARD-ID>-scope.md`.
91
95
 
@@ -131,29 +135,32 @@ Defaults per agent (override only if scope is unusually small/large):
131
135
  | Agent | file_reads | bash_calls | search_docs |
132
136
  |---|---|---|---|
133
137
  | `code-reviewer` | 15 | 25 | 5 |
134
- | `qa-sentinel` | 15 | 25 | 5 |
135
138
  | `api-perf-cost-auditor` | 15 | 25 | 5 |
136
139
  | `doc-reviewer` | 20 | 25 | 8 |
137
140
 
138
- Codex (agent #5, via Bash + companion script) does NOT receive this block — it manages its own context.
141
+ Codex (agent #4, via Bash + companion script) does NOT receive this block — it manages its own context.
139
142
 
140
143
  ### Agents
141
144
 
142
145
  Launch these agents in parallel for each card:
143
146
 
144
147
  1. `code-reviewer` — functional bugs, regressions, logic flaws
145
- 2. `qa-sentinel` — reproducibility, edge cases, testing gaps
146
- 3. `api-perf-cost-auditor` — API/data/performance/cost defects
147
- 4. `doc-reviewer` — spec/docs drift that can cause incorrect behavior
148
- 5. **Codex (GPT-5.5)** — adversarial review via `codex-companion.mjs`
148
+ 2. `api-perf-cost-auditor` — API/data/performance/cost defects
149
+ 3. `doc-reviewer` — spec/docs drift that can cause incorrect behavior
150
+ 4. **Codex (a non-Anthropic frontier reviewer, e.g. `gpt-5`)**adversarial review via `codex-companion.mjs`
151
+
152
+ > `qa-sentinel` is intentionally NOT in this set. It is a mechanical gate-runner (lint / tsc / tests /
153
+ > build / audit → PASS/FAIL); it cannot read source files or perform the source-level review this step
154
+ > requires. Gate-running for the card happens in the QA flow, not in this deep-review parallel set.
149
155
 
150
156
  > **Lean agent set (Step -0.5)**: when a contract file is active, launch only the agents the resolved
151
- > mode permits — `skip_doc_reviewer` omits #4; `profile: light` additionally omits #2, #3, AND **#5
152
- > (Codex adversarial)** (since v3.38.0). At `light`, only agent #1 (`code-reviewer`) launches (+ the
153
- > Step 3 FP-gate). At `full` (and in full mode with no contract file), launch all five (Codex #5
154
- > included). The standalone `/codexreview <CARD-ID>` invocation (no contract) is always full.
157
+ > mode permits — `skip_doc_reviewer` omits #3 (`doc-reviewer`); `profile: light` additionally omits #2
158
+ > (`api-perf-cost-auditor`) AND **#4 (Codex adversarial)** (since v3.38.0). At `light`, only agent #1
159
+ > (`code-reviewer`) launches (+ the Step 3 FP-gate). At `full` (and in full mode with no contract
160
+ > file), launch all four (Codex #4 included). The standalone `/codexreview <CARD-ID>` invocation (no
161
+ > contract) is always full.
155
162
 
156
- **Codex invocation rules (agent #5):**
163
+ **Codex invocation rules (agent #4):**
157
164
 
158
165
  Codex is NOT invoked via the `Agent` tool (the `codex:codex-rescue` subagent_type is not registered in the harness). Instead, invoke it directly with Bash:
159
166
 
@@ -164,12 +171,21 @@ node "$PLUGIN_ROOT/scripts/codex-companion.mjs" task \
164
171
  --wait
165
172
  ```
166
173
 
167
- - Use `--wait` to get results synchronously in the same turn.
174
+ - **Path-safety (MUST)**: the `<file list>` is built from `review_scope_files` (card-indicated +
175
+ git-touched paths). Before interpolating any path into a shell command, pass each path as a
176
+ separate, properly-quoted argument — never splice an unvalidated, unquoted path into a command
177
+ string, and never feed the list through `xargs -I{} git show HEAD:{}` (an unquoted `{}` lets a
178
+ crafted path inject shell metacharacters). When you must read a tree blob, validate the path
179
+ against `review_scope_files` and quote it (`git show "HEAD:$path"` with `$path` from a vetted
180
+ array), or read the working-tree file directly with the `Read` tool.
181
+ - Use `--wait` to get results synchronously in the same turn. Run this Codex call ONLY as a
182
+ foreground `--wait` invocation — do NOT also pass it to `run_in_background` in the same call;
183
+ `--wait` already blocks for the synchronous result and the two are mutually exclusive.
168
184
  - The `PLUGIN_ROOT` discovery handles version upgrades automatically.
169
185
  - Capture stdout verbatim in a `codex_raw_output` field, then normalize each Codex finding into the schema.
170
- - If Codex exits non-zero or the script is not found, log `CODEX_UNAVAILABLE` with the error and continue with the remaining 4 agents. Do not block the run.
186
+ - If Codex exits non-zero or the script is not found, log `CODEX_UNAVAILABLE` with the error and continue with the remaining 3 agents. Do not block the run.
171
187
 
172
- Each agent (1–4) MUST return findings using this schema:
188
+ Each agent (1–3) MUST return findings using this schema:
173
189
 
174
190
  - `finding_id`: unique ID (`<CARD-ID>-F###`)
175
191
  - `title`
@@ -182,7 +198,7 @@ Each agent (1–4) MUST return findings using this schema:
182
198
  - `risk_if_unfixed`
183
199
  - `minimal_fix_direction`
184
200
 
185
- Codex findings (agent #5) are normalized into the same schema after capture, with `source: "codex"` appended.
201
+ Codex findings (agent #4) are normalized into the same schema after capture, with `source: "codex"` appended.
186
202
 
187
203
  No generic findings allowed. Every finding must have concrete evidence.
188
204
 
@@ -190,10 +206,10 @@ No generic findings allowed. Every finding must have concrete evidence.
190
206
 
191
207
  ## Step 3 — Mandatory False-Positive Check
192
208
 
193
- Collect all findings from Step 2 — including normalized Codex findings — into a single pool, then run independent validation in parallel for each finding:
209
+ Collect all findings from Step 2 — including normalized Codex findings — into a single pool, then run independent validation in parallel for each finding. Both validators must be **code-aware** (able to read the source and reason about the claimed behavior) — `qa-sentinel` is excluded here because it is a mechanical gate-runner that cannot read source files:
194
210
 
195
- 1. Static validator: `code-reviewer` or `codebase-architect`
196
- 2. Behavior validator: `qa-sentinel`
211
+ 1. Path/pattern validator: `codebase-architect` confirms the cited file/symbol exists and the structural claim holds.
212
+ 2. Behavior validator: `code-reviewer` — reads the cited code and confirms or refutes the claimed runtime behavior.
197
213
 
198
214
  Classify each finding strictly as:
199
215
 
@@ -215,8 +231,8 @@ Only `VERIFIED` findings can be reported as bugs.
215
231
 
216
232
  After Step 3 false-positive gating, the orchestrator runs ONE additional Chain-of-Verification pass on the consolidated VERIFIED pool. This catches two failure modes the per-agent CoVe doesn't:
217
233
 
218
- 1. **Cross-agent echo allucination**: 2+ agents independently produce the same hallucinated finding (e.g. wrong file path that "looks plausible") and reinforce each other through Step 3 cross-validation.
219
- 2. **Undetected ripple effects**: a VERIFIED finding is real but its scope is wider than reported (e.g. "missing withAuth on route X" is true, but routes Y and Z have the same gap and weren't flagged).
234
+ 1. **Cross-agent echo hallucination**: 2+ agents independently produce the same hallucinated finding (e.g. wrong file path that "looks plausible") and reinforce each other through Step 3 cross-validation.
235
+ 2. **Undetected ripple effects**: a VERIFIED finding is real but its scope is wider than reported (e.g. "an authz guard is missing on route X" is true, but routes Y and Z have the same gap and weren't flagged).
220
236
 
221
237
  ### Procedure
222
238
 
@@ -224,7 +240,7 @@ For each VERIFIED finding in the pool, generate ONE residual verification questi
224
240
 
225
241
  > "If this finding is true, which OTHER file or function SHOULD also be modified and is not currently flagged?"
226
242
 
227
- Execute targeted grep/read commands (max 10 total across all findings — shared budget). Two outcomes:
243
+ Execute targeted grep/read commands (max 10 total across all findings — shared budget [DESIGN-CHOICE: limits CoVe cost to a bounded constant regardless of finding count; findings not reached are tagged `cove_unverified`]). Two outcomes:
228
244
 
229
245
  - **Verification expands the finding**: append a `ripple_files: [<paths>]` field to the finding's evidence, and bump severity by one level if ≥2 ripple files found. Note: `[ripple-expanded]` tag.
230
246
  - **Verification disproves the finding**: cross-validators were both fooled. Move the finding to `Hallucinated findings dropped (post-validation CoVe)` with the falsifying evidence quoted. Do NOT report as a bug.
@@ -239,7 +255,10 @@ Execute targeted grep/read commands (max 10 total across all findings — shared
239
255
 
240
256
  ## Step 4 — Final Report
241
257
 
242
- Write one consolidated report per run to `/tmp/codexreview-report-<TIMESTAMP>.md`.
258
+ Write one consolidated report per run to `/tmp/codexreview-report-<CARD-ID>-<RUN-ID>.md`, where
259
+ `<RUN-ID>` is a full timestamp-plus-uuid (e.g. `20260601T142233Z-a1b2c3`) — a date-only name collides
260
+ across same-day concurrent runs. Return this exact path to the caller; downstream consumers must use
261
+ the returned path, never reconstruct it via wildcard/timestamp guess.
243
262
 
244
263
  Report structure:
245
264
 
@@ -1,334 +1,33 @@
1
1
  ---
2
- description: Orchestrate a team of specialized agents to implement one or more backlog cards end-to-end, with code review, doc review, and commit for each.
2
+ description: Orchestrate a team of specialized agents to implement one or more backlog cards end-to-end, with code review, doc review, QA, and commit for each.
3
3
  allowed-tools: Bash, Task, Edit, Write, Read, Grep, Glob, WebFetch, WebSearch, TaskCreate, TaskUpdate, TaskList, TaskGet, TeamCreate, TeamDelete, SendMessage
4
4
  ---
5
5
 
6
- You are the **backlog orchestrator**. When the user invokes `/new <CARD-IDS>`, you create and coordinate specialized agents to implement the listed backlog cards. You NEVER write production code yourself — you only orchestrate.
7
-
8
- Parse the card IDs from the arguments. Cards can be specified as:
9
- - Space-separated: `GLOB-001 GLOB-002 GLOB-003`
10
- - Hyphen-range: `GLOB-001-GLOB-008` (expands to all cards in range)
11
- - Comma-separated: `GLOB-001, GLOB-002, GLOB-003`
12
- - **Epic expansion (`-full` / `--full`)**: `/new <PARENT-ID> -full` (e.g., `/new FEAT-005 -full`) expands to ALL children of the parent epic with **NO questions asked**. Children = YAML files in `backlog/` whose filename starts with `<PARENT-ID>-` (e.g., `FEAT-005-1.yml`, `FEAT-005-2.yml`) OR whose `group.parent` field equals `<PARENT-ID>`. The parent epic card itself is excluded. Sort by `group.sequence` ASC, fallback to lexicographic ID. The flag is batch-scoped (`/new FEAT-005 FEAT-008 -full` expands both). If a parent has zero children → HALT and report. All children share `group.parent`, so the existing worktree logic groups them into ONE worktree under the parent's `git_strategy.branch`.
13
-
14
- If no card IDs are provided, ask the user which cards to implement.
15
-
16
- ---
17
-
18
- ## Context Tracking (CRITICAL)
19
-
20
- You MUST maintain a **persistent tracking file** at `/tmp/batch-tracker-<FIRST-CARD-ID>.md` throughout the entire batch run (e.g., `/tmp/batch-tracker-FEAT-0396.md`). Use the **first card ID** from the batch as the suffix. This ensures multiple `/new` sessions running in parallel terminals (e.g., one per worktree) do NOT conflict.
21
-
22
- This file is your single source of truth if your context gets compacted or you lose track of what happened, **re-read this file first**.
23
-
24
- ### Tracking file format
25
-
26
- At batch start, create `/tmp/batch-tracker-<FIRST-CARD-ID>.md` with:
27
-
28
- ```markdown
29
- # Batch Run: [CARD-IDS]
30
- Started: [timestamp]
31
- Total cards: [N]
32
-
33
- ## Worktree
34
- Branch: [feat/FEAT-XXXX-slug]
35
- Path: [../wt/feat-FEAT-XXXX-slug]
36
- Group parent: [FEAT-XXXX or "standalone"]
37
- Main repo: [/absolute/path/to/main/repo]
38
-
39
- ## Card Queue
40
- - [ ] CARD-001 — [title from backlog]
41
- - [ ] CARD-002 — [title from backlog]
42
- ...
43
-
44
- ## Completed Cards
45
- (none yet)
46
-
47
- ## Current Card
48
- (none — starting pre-flight)
49
-
50
- ## Issues & Flags
51
- (none yet)
52
- ```
53
-
54
- ### Update rules
55
-
56
- - **Before starting a card**: move it to `## Current Card` with phase info.
57
- - **After each phase**: update the current card's phase status in the tracker.
58
- - **After completing a card**: move it from `Current Card` to `## Completed Cards` with:
59
- - Commit hash
60
- - One-line summary of what was implemented
61
- - Any flags/issues found
62
- - Code review result (pass/fail + fixes)
63
- - Doc review result (pass/fail + what was added)
64
- - Test results (new + existing count, pass/fail)
65
- - Fix cycles count
66
- - QA result (profile used: skip/light/balanced/deep | verdict: PASS/FAIL/SKIP | confidence % | findings: N blockers, N majors)
67
- - QA findings file (e.g. `/qa/FEAT-XXXX.md` or "skipped")
68
- - **When blocked**: log the blocker in `## Issues & Flags`.
69
- - **On context recovery**: if you ever feel lost or after context compaction, IMMEDIATELY read your tracker file (`/tmp/batch-tracker-<FIRST-CARD-ID>.md`) to restore your state.
70
-
71
- ---
72
-
73
- ## Pre-flight (once)
74
-
75
- 1. Read each backlog card from `/backlog/*.yml` to understand scope and dependencies.
76
- 2. Check `docs/references/project-status.md` for current state.
77
- 3. Determine which cards can run in **parallel** (no shared files/components) vs which must be **sequential** (dependencies or overlapping paths). Use `group.sequence` to determine execution order within a group.
78
- 4. **Worktree grouping** (automated from card metadata — do NOT ask the user if metadata is complete):
79
- a. Check each card's `group.parent` field.
80
- b. If all cards share the same `group.parent` → ONE worktree, branch derived from parent card.
81
- c. If cards have no `group.parent` but share a common ID prefix (e.g., `FEAT-0396-*`) → suggest grouping to user.
82
- d. If cards are unrelated (no shared parent, no common prefix) → each gets its own worktree.
83
- e. Read the parent/epic card for `git_strategy.branch` if set; otherwise derive branch name per AGENTS.md naming convention: `feat/<PARENT-ID>-<slug>`.
84
- f. If `group.parent` is set AND the parent card has `git_strategy.branch` → use it directly, NO questions asked.
85
- 5. **Create worktree(s)**:
86
- a. Ensure the base branch is clean: `git checkout <base-branch> && git pull`.
87
- b. For each worktree group:
88
- - Create: `git worktree add ../wt/<branch-name> -b <branch-name>`.
89
- - Copy environment files if needed: `cp <main-repo>/.env.local <worktree-path>/.env.local 2>/dev/null`.
90
- - Install dependencies in worktree (e.g., `npm install`, `pip install`, etc.).
91
- - Verify build in worktree.
92
- - If build fails → STOP, report, do NOT continue.
93
- c. Switch working directory to worktree for all subsequent operations.
94
- 6. Create the tracking file `/tmp/batch-tracker-<FIRST-CARD-ID>.md` (include worktree path and branch name).
95
- 7. Create a task list to track progress across all cards.
96
-
97
- ---
98
-
99
- ## QA Profile Selector
100
-
101
- Before Phase 3.5, determine the review profile for each card. **Primary path (since v3.38.0): READ the card's `review_profile` field** (`skip|light|balanced|deep`), computed deterministically by the PRD `prd-card-writer` (SSOT). Use it verbatim — do NOT recompute. **Fallback (legacy cards with no field): compute** from the table below (the SKILL.md version is authoritative — keep in sync with `prd-card-writer.md § Rule C`).
102
-
103
- | Profile | When to apply (fallback compute only) |
104
- |---------|--------------|
105
- | **SKIP** | Card type is `docs`, `chore`, or `config` — OR all changed paths are `.md`/`.yml` (non-API)/CSS with zero logic files — OR title contains only cosmetic keywords (typo, rename, copy, wording, style) with no code areas |
106
- | **LIGHT** | 5 or fewer files likely touched — AND no HIGH-risk keywords in paths/areas — OR card type is `bugfix` with small scope — OR pure refactoring with no logic change |
107
- | **BALANCED** | Default for all `feature` / `enhancement` cards not matching LIGHT or DEEP rules |
108
- | **DEEP** | ANY of: areas includes both `api` + `data` — OR paths/title contain `auth`, `payment`, `permission`, `schema`, `migration`, `cron`, `webhook`, `transaction` — OR >15 files likely touched — OR acceptance criteria count > 5 — OR DB indexes changed — OR API contract changed |
109
-
110
- When in doubt between LIGHT and BALANCED, use BALANCED. When in doubt between BALANCED and DEEP, use DEEP.
111
-
112
- ---
113
-
114
- ## Per-card pipeline
115
-
116
- For each card, execute these phases in order:
117
-
118
- ### Phase 1 — Claim & Context
119
- 1. **Update tracker**: set current card, phase = "1-claim".
120
- 2. Set the card status to `IN_PROGRESS` and assign yourself.
121
- 3. Update `docs/references/project-status.md` Active Code Context.
122
- 4. Invoke the **codebase-architect** agent (MUST per AGENTS.md) to understand the relevant codebase area, existing patterns, and architecture before any implementation.
123
- 5. **Update tracker**: phase = "1-claim DONE", log codebase-architect key findings (1-2 lines).
124
-
125
- ### Phase 2 — Implement (self-healing, up to 3 retries)
126
- 6. **Update tracker**: phase = "2-implement".
127
- 7. Create an agent team of **coder** agent (or appropriate specialist from `.claude/agents/REGISTRY.md`) to implement the card. Pass the codebase-architect findings as context.
128
- 8. Run tests (if they exist), build, and lint to verify everything passes.
129
- 9. **If any check fails**: spawn a **fix agent** with the error output and the list of files touched. Do NOT ask the user — just fix and re-run. Fix the code, not the tests (unless the test itself is wrong). Repeat up to **3 times**.
130
- 10. If still failing after 3 retries, log the failure in `## Issues & Flags` and ask the user before continuing.
131
- 11. **Update tracker**: phase = "2-implement DONE", log files changed (short list), retry count, and test results (new + existing test count, pass/fail).
132
-
133
- ### Phase 3 — Review (parallel read-only audits, then single fix pass)
134
- 12. **Update tracker**: phase = "3-review".
135
- 13. Invoke the **code-reviewer** agent and the **doc-reviewer** agent **in parallel** as **read-only audits** — each collects findings into a list WITHOUT making any changes.
136
- 14. **Merge all findings** from both reviews into a single consolidated fix list.
137
- 15. If findings exist, invoke the **coder** agent once to apply **ALL fixes sequentially in one pass**.
138
- 16. Run tests (if they exist), lint, and build once at the end to verify everything passes. If any check fails, apply the same self-healing retry loop (up to 3 times, no user prompt).
139
- 17. **Update tracker**: phase = "3-review DONE", log review findings count, fixes applied, and test results.
140
-
141
- ### Phase 3.5 — QA Validation
142
-
143
- 18. **Update tracker**: phase = "3.5-qa".
144
- 19. **Select QA profile**: read the card's `review_profile` field (use verbatim); only compute from the QA Profile Selector table above when the field is absent (legacy card). Log the chosen profile and source (`from card` | `computed`) in the tracker (1 line).
145
- 20. **If profile is SKIP**: log "QA skipped — [reason]" in the tracker. Proceed to Phase 4.
146
- 21. **If profile is LIGHT, BALANCED, or DEEP**: invoke the **`qa-sentinel`** agent (subagent_type: `qa-sentinel`) via Task tool with the following context:
147
-
148
- ```
149
- Run QA on card <CARD-ID> at the tier dictated by the QA profile (do NOT default to FULL).
150
-
151
- Context:
152
- - Worktree path: <worktree-path>
153
- - Branch: <branch-name>
154
- - Latest commit: <hash> <message>
155
- - Changed files: <list from implementation phase>
156
- - Risk level: [Low | Medium | High]
157
- - QA profile selected: [light | balanced | deep]
158
-
159
- Profile → tier mapping:
160
- - light → SCOPED (related tests only)
161
- - balanced → SCOPED (related tests only; risk drift in the diff may escalate to FULL)
162
- - deep → FULL (whole suite + audit + e2e smoke suite if configured)
163
- Only path-based risk drift (auth/permission/payment/schema/migration/API contract) escalates;
164
- file count never does.
165
-
166
- After running all gates, write the complete QA Report to:
167
- /qa/<CARD-ID>.md
168
-
169
- Use the findings file format defined in /qa/README.md.
170
- Return your full structured QA Report and final verdict.
171
- ```
172
-
173
- 22. **Read qa-sentinel's output.** Verify the findings file was written to `/qa/<CARD-ID>.md`.
174
- 23. **If QA verdict is FAIL**:
175
- - Spawn the **coder** agent to fix all BLOCKER findings (pass it the findings file path + list of blockers). Do NOT ask the user.
176
- - After coder fixes, re-invoke `qa-sentinel` in the same mode to re-validate. Repeat up to **2 times**.
177
- - If still FAIL after 2 retries: log in `## Issues & Flags` and **ask the user** whether to proceed or stop.
178
- - The commit in Phase 4 MUST NOT happen until QA verdict is PASS (or user explicitly overrides).
179
- 24. **Update tracker**: phase = "3.5-qa DONE", log: profile used, verdict (PASS/FAIL/SKIP), confidence %, findings count (blockers/majors/minors), findings file path.
180
-
181
- ### Phase 4 — Commit (in worktree, NO merge yet)
182
- 25. **Update tracker**: phase = "4-commit".
183
- 26. Stage and commit **all changes together** in the worktree using format `[CARD-ID] Brief description` (MUST per AGENTS.md). Include all relevant files — implementation, review fixes, QA-driven fixes, and doc updates in a single commit. Do NOT merge or push yet — that happens post-batch.
184
- - **IMPORTANT — atomic staging**: Always combine `git add` and `git commit` in a single chained command so staging is never lost on retry:
185
- ```
186
- cd <worktree-path> && git add -A && git commit -m "[CARD-ID] Brief description"
187
- ```
188
- - **If commit fails** (e.g., lint-staged or pre-commit hook error): re-run the **same full command** (`git add -A && git commit ...`). Never run `git commit` alone after a failure — the staging area may have been altered by lint-staged auto-fixes.
189
- 27. Update the backlog card: set status to `DONE`, add implementation notes.
190
- 28. **Update tracker**: move card to `## Completed Cards` with commit hash, summary, and flags.
191
-
192
- ### Sub-agent failure protocol
193
- - If any sub-agent **crashes or errors** during any phase: log the failure in the tracker, **attempt the work yourself directly**, and note it in the final report.
194
- - Never block the pipeline waiting for a failed agent — recover and continue.
195
-
196
- ### Phase 5 — Context Clean & Continue
197
- 29. Archive the card from Active Code Context in `docs/references/project-status.md`.
198
- 30. **CONTEXT PURGE**: After updating the tracker, deliberately forget the implementation details of this card. From this point forward, you should NOT reference any code, file contents, or review details from this card — only the summary in the tracker. If you need to recall what happened, read the tracker file. This keeps your working context lean for the next card.
199
- 31. **Update tracker**: clear `## Current Card`, move to next pending card.
200
- 32. Move to the next card.
201
-
202
- ---
203
-
204
- ## Final review (after all cards)
205
-
206
- Once ALL cards are committed in the worktree:
207
- 1. **Read the tracker file** to get the full picture of what was implemented.
208
- 2. Invoke the **code-reviewer** agent and the **doc-reviewer** agent **in parallel** for a holistic review across all implementations — check for inconsistencies, duplicated logic, integration gaps between cards, and missing documentation.
209
- 3. **Persist findings to file.** Write the consolidated final review findings to `/tmp/batch-final-review-<FIRST-CARD-ID>.md` using the Write tool. This ensures findings survive context compaction. If context is compacted before fixes are applied, re-read from this file.
210
- 4. **Auto-apply fixes.** If findings exist, invoke the **coder** agent once to apply ALL fixes in a single pass (same pattern as Phase 3 per-card review). Run tests (if they exist), lint, and build to verify. If any check fails, apply the self-healing retry loop (up to 3 times).
211
- 5. Run build one final time in the worktree to confirm stability.
212
- 6. **Update tracker** with final review results (findings count, fixes applied, build status).
213
- 7. **Proceed to Phase 6** (post-batch merge & cleanup).
214
- 8. Present a **single summary report** to the user per card (and a batch summary at the end):
215
- - **Files changed** (short list per card)
216
- - **Test results** (new tests + existing tests count, pass rate at each iteration)
217
- - **Build/lint status** (pass + retry count if any)
218
- - **Fix cycles** (total number of self-healing retries across phases)
219
- - **Review findings fixed** (count and brief description)
220
- - **QA result** (profile: skip/light/balanced/deep | verdict: PASS/FAIL/SKIP | confidence % | findings: N blockers, N majors, N minors | findings file path)
221
- - **Issues needing user attention** (anything unresolved, partially wired, or flagged)
222
- - **Commit hashes** (from tracker)
223
- - **Merge commit hash** (from Phase 6)
224
- - **Worktree cleanup status** (success/failed)
225
- - Overall implementation status
226
- 9. **Proceed to Phase 7** (production readiness checklist).
227
-
228
- ---
229
-
230
- ## Phase 6 — Post-batch merge & cleanup
231
-
232
- After the final review passes AND all cards are committed in the worktree:
233
-
234
- ### 6a. Push feature branch
235
- 1. From the worktree directory: `git push -u origin <branch-name>`.
236
-
237
- ### 6b. Merge into base branch
238
- 2. Switch to main repo: `cd <main-repo-path>` (read from tracker `## Worktree > Main repo`).
239
- 3. `git checkout <base-branch> && git pull`.
240
- 4. `git merge --no-ff <branch-name>`.
241
- 5. **If merge conflicts** → STOP immediately, report conflicting files to user. Do NOT auto-resolve.
242
-
243
- ### 6c. Verify post-merge integrity
244
- 6. Run build — must pass.
245
- 7. Run tests — must pass (if tests exist).
246
- 8. **If anything fails** → STOP, report. Do NOT delete branch or worktree.
247
-
248
- ### 6d. Push base branch
249
- 9. `git push`.
250
-
251
- ### 6e. Cleanup
252
- 10. Delete local branch: `git branch -d <branch-name>`.
253
- 11. Delete remote branch: `git push origin --delete <branch-name>`.
254
- 12. Remove worktree: `git worktree remove ../wt/<branch-name>`.
255
- 13. Prune: `git worktree prune`.
256
- 14. **Update tracker**: log merge commit hash, cleanup status.
257
-
258
- ### Fail-safe rules
259
- - Never force push.
260
- - Never delete a branch before successful merge.
261
- - Never remove a worktree before confirming the base branch is stable.
262
- - Stop execution immediately if any command fails.
263
-
264
- ---
265
-
266
- ## Phase 7 — Production Readiness Checklist
267
-
268
- After Phase 6 completes (or after the final summary report if Phase 6 is deferred), present a **Production Readiness Checklist** — a clear list of all manual or infrastructure actions required to launch the implemented changes in production.
269
-
270
- ### How to detect items
271
-
272
- Scan ALL files changed across the batch (use the tracker's completed cards + `git diff` against the base branch) and check for:
273
-
274
- | Category | Detection signal | Action to report |
275
- |----------|-----------------|------------------|
276
- | **DB indexes** | New/modified index config files, or code using new compound queries | Deploy indexes (e.g., `firebase deploy --only firestore:indexes`, run migrations, etc.) |
277
- | **DB security/access rules** | New/modified access rule files | Deploy updated rules |
278
- | **Environment variables** | New `process.env.*` references not present in the base branch, new entries in `.env.example` | Add to hosting platform settings (list each var name) |
279
- | **Scheduled functions / cron** | New or modified cron/scheduled functions | Deploy functions |
280
- | **Database migrations** | New collections/tables, field renames, data backfills referenced in code or ADRs | Run migration script (specify which) |
281
- | **New API endpoints** | New route files | Verify CORS/auth config; update API docs if public |
282
- | **Third-party services** | New API keys, webhook URLs, or external service integrations | Configure in provider dashboard + add secrets |
283
- | **DNS / domain changes** | Hosting or redirect config changes | Update DNS records or hosting domain settings |
284
- | **Package upgrades with breaking changes** | Major version bumps in dependency files | Verify compatibility; check migration guides |
285
-
286
- ### Output format
287
-
288
- Present the checklist as a clearly formatted section in the final report:
289
-
290
- ```
291
- ## Production Readiness Checklist
292
-
293
- ### Required before deploy
294
- 1. **[Category]** Description
295
- - Command or UI path
296
- - Reason: which card/feature requires it
297
-
298
- ### No action needed
299
- - (list categories that don't apply)
300
-
301
- ### Notes
302
- - Any timing dependencies (e.g., "deploy indexes BEFORE releasing code")
303
- - Any environment variables that must be set BEFORE deployment
304
- ```
305
-
306
- ### Rules
307
-
308
- - **Always present this section**, even if the checklist is empty (in that case, state "No infrastructure changes required — deploy is code-only").
309
- - Order items by **deployment sequence** (items that must happen first go first).
310
- - For each item, include the **reason** (which card/feature requires it) and the **exact command or UI path**.
311
- - If an item is **uncertain**, mark it with `VERIFY` and explain what to check.
312
- - **Update the tracker** with the full checklist under a new `## Production Readiness` section.
313
-
314
- ---
315
-
316
- ## Context recovery protocol
317
-
318
- If at ANY point you are unsure where you are in the batch:
319
- 1. Read your tracker file (`/tmp/batch-tracker-<FIRST-CARD-ID>.md`)
320
- 2. Check `## Current Card` — if populated, resume that card at the listed phase.
321
- 3. Check `## Card Queue` — find the next unchecked card.
322
- 4. Check `## Completed Cards` — know what's already done (don't redo).
323
- 5. Continue the pipeline from where you left off.
324
-
325
- ---
326
-
327
- ## Parallelism rules
328
-
329
- - Cards with non-overlapping `claimed_paths` CAN run in parallel.
330
- - Cards with shared dependencies or overlapping files MUST run sequentially.
331
- - Code review and doc review for the same card run as **parallel read-only audits**, then fixes are applied in a single sequential pass.
332
- - Different cards' implementations CAN run in parallel if independent.
333
- - When running parallel agents, expect "file modified since read" errors on shared files (like the backlog yml) — handle gracefully.
334
- - When running in parallel, each parallel branch updates the tracker with its own card — use card ID as prefix to avoid conflicts.
6
+ # /new redirect to the `new` skill (SSOT)
7
+
8
+ > **This command is a thin entry point. It contains NO orchestration logic of its own.**
9
+ > The authoritative, maintained `/new` pipeline lives in the **`new` skill**:
10
+ > `framework/.claude/skills/new/SKILL.md` (installed as `.claude/skills/new/`).
11
+ >
12
+ > A previous version of this file carried a full, hand-maintained copy of the pipeline.
13
+ > That copy silently drifted from the skill (it omitted the BLOCKING Phase 0 hygiene,
14
+ > AC-Closure, Simplify, E2E, Pre-Merge Codex, post-merge hygiene, and Metrics phases,
15
+ > ran `code-reviewer` where the skill forbids it, and referenced a QA README
16
+ > file that does not exist). To eliminate the dual-source-of-truth, the logic now lives in
17
+ > exactly one place. **Do not re-introduce pipeline steps here.**
18
+
19
+ When the user invokes `/new <CARD-IDS>`:
20
+
21
+ 1. **Load and follow the `new` skill** (`skills/new/SKILL.md`) verbatim, passing the
22
+ user's arguments through unchanged (card IDs, ranges, `-full` epic expansion, etc.).
23
+ 2. The skill owns the entire flow: Phase 0 (workspace hygiene pre-flight) → Phase 1–8
24
+ (claim, implement, completeness, AC-closure, simplify, E2E, doc review, QA,
25
+ pre-merge Codex gate, commit, batch review, merge, reconciliation, post-merge
26
+ hygiene, production-readiness, metrics), including the `review_profile`-driven QA
27
+ tiering and all worktree-isolation safety rules.
28
+ 3. Do not duplicate or summarise the skill's steps in this file — read them from the
29
+ skill so they cannot diverge.
30
+
31
+ If the `new` skill is not available in the current install, that is an install/integrity
32
+ error: surface it (`new skill not found — run \`npx baldart\` to repair the install`)
33
+ rather than falling back to an inline pipeline.