baldart 4.93.0 → 4.95.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (49) hide show
  1. package/CHANGELOG.md +23 -0
  2. package/VERSION +1 -1
  3. package/framework/.claude/agents/REGISTRY.md +3 -3
  4. package/framework/.claude/agents/api-perf-cost-auditor.md +1 -1
  5. package/framework/.claude/agents/codebase-architect.md +57 -109
  6. package/framework/.claude/agents/hybrid-ml-architect.md +1 -1
  7. package/framework/.claude/agents/legal-counsel-gdpr.md +1 -1
  8. package/framework/.claude/agents/plan-auditor.md +1 -1
  9. package/framework/.claude/agents/prd-card-writer.md +108 -1
  10. package/framework/.claude/agents/security-reviewer.md +1 -1
  11. package/framework/.claude/commands/codexreview.md +1 -1
  12. package/framework/.claude/skills/bug/CHANGELOG.md +4 -0
  13. package/framework/.claude/skills/bug/SKILL.md +6 -4
  14. package/framework/.claude/skills/context-primer/CHANGELOG.md +10 -0
  15. package/framework/.claude/skills/context-primer/SKILL.md +26 -60
  16. package/framework/.claude/skills/ds-handoff/CHANGELOG.md +4 -0
  17. package/framework/.claude/skills/ds-handoff/SKILL.md +3 -2
  18. package/framework/.claude/skills/e2e-review/CHANGELOG.md +4 -0
  19. package/framework/.claude/skills/e2e-review/SKILL.md +6 -4
  20. package/framework/.claude/skills/new/CHANGELOG.md +4 -0
  21. package/framework/.claude/skills/new/SKILL.md +1 -1
  22. package/framework/.claude/skills/new/references/completeness.md +9 -0
  23. package/framework/.claude/skills/new/references/final-review.md +2 -1
  24. package/framework/.claude/skills/new/references/implement.md +1 -1
  25. package/framework/.claude/skills/new2/CHANGELOG.md +4 -0
  26. package/framework/.claude/skills/new2/SKILL.md +1 -1
  27. package/framework/.claude/skills/prd/CHANGELOG.md +15 -0
  28. package/framework/.claude/skills/prd/SKILL.md +1 -1
  29. package/framework/.claude/skills/prd/assets/card-template.yml +13 -1
  30. package/framework/.claude/skills/prd/references/audit-phase.md +42 -51
  31. package/framework/.claude/skills/prd/references/discovery-phase.md +7 -3
  32. package/framework/.claude/skills/prd/references/validation-phase.md +2 -1
  33. package/framework/.claude/skills/prd-add/CHANGELOG.md +4 -0
  34. package/framework/.claude/skills/prd-add/SKILL.md +3 -2
  35. package/framework/.claude/skills/ui-design/CHANGELOG.md +4 -0
  36. package/framework/.claude/skills/ui-design/SKILL.md +2 -2
  37. package/framework/.claude/workflows/new-card-review.js +1 -1
  38. package/framework/.claude/workflows/new-final-review.js +1 -1
  39. package/framework/.claude/workflows/new2.js +6 -2
  40. package/framework/agents/analysis-profiles.md +286 -0
  41. package/framework/agents/card-schema.md +60 -1
  42. package/framework/agents/index.md +2 -1
  43. package/framework/agents/skills-mapping.md +4 -0
  44. package/framework/scripts/validate-card-baseline.js +62 -4
  45. package/framework/templates/primitives/AGENTS.CHANGELOG.md +10 -0
  46. package/framework/templates/primitives/AGENTS.md +8 -3
  47. package/framework/templates/primitives/CLAUDE.CHANGELOG.md +6 -0
  48. package/framework/templates/primitives/CLAUDE.md +5 -2
  49. package/package.json +1 -1
package/CHANGELOG.md CHANGED
@@ -5,6 +5,29 @@ All notable changes to BALDART will be documented in this file.
5
5
  The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
6
6
  and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
7
7
 
8
+ ## [4.95.0] - 2026-07-02
9
+
10
+ **`/prd` — applier economico + EARS+verify (i due interventi strutturali dal forensics della deep analysis).**
11
+
12
+ - **Apply dei finding delegato** (`prd-card-writer` `MODE: apply-findings` — un agente + token, pattern analysis-profiles v4.94.0): l'orchestratore `/prd` non edita più YAML a piena finestra (misurato: le fasi meccaniche erano il 48% del costo di un run reale, ~48 Edit a ~663k cache-read/chiamata). L'applier gira in contesto fresco (Claude: override `model: sonnet`; Codex: by-name), riceve tutto BY PATH, applica solo campi `[Target:]` con grounding obbligatorio, ESEGUE `validate-card-baseline.js --prd` + `stamp-holistic-audit.js`, ritorna compact; `audit-phase.md` 6.9 = delega thin + drift guard + fallback inline visibile. Verificato con spawn reale su fixture.
13
+ - **AC in grammatica EARS** (child/standalone; SSOT `card-schema.md` § "Acceptance-criteria grammar"): binari per forma (5 pattern + `SHALL CONTINUE TO`), ban-list verbi vaghi, BLOCKER in `--prd`; card legacy mai retro-bloccate.
14
+ - **`ac_verification`** — oracolo eseguibile per-AC definito a planning time (o `manual:` esplicito), authoring groundato (mai comandi inventati), eseguito da `/new` Phase 2.5 (step 4b — exit status = evidenza primaria); `qa-sentinel` intatto per contratto. Enforcement WARN-first; fixtures CI (Check D).
15
+
16
+ **MINOR** — capability su skill/agent/moduli condivisi; nessun cambio di layout install. **No new `baldart.config.yml` key**; la propagazione dello schema CARD viaggia completa nella release (matrice + template + writer + validator + consumer + attack-surface — pattern v4.35.0). **Codex parity: portable.**
17
+
18
+ ## [4.94.0] - 2026-07-02
19
+
20
+ **Analysis profiles — `codebase-architect` specializzato per-tipo-di-analisi, un solo agente, un solo SSOT.** L'assessment dei ~50 callsite reali ha mostrato che "capire il codebase" copre 6 lavori diversi (grounding pre-implementazione, tracing di un bug, blast-radius, contesto di planning, inventario UI/design-system, baseline di review) serviti da UN prompt monolitico (~455 righe caricate a ogni spawn) con la conoscenza di specializzazione dispersa nei prompt dei chiamanti (dual-SSOT: il template di `context-primer` ri-dichiarava la search strategy dell'agente). Fix architetturale, stesso meccanismo di `OUTPUT=terse`:
21
+
22
+ - **Nuovo modulo SSOT [`framework/agents/analysis-profiles.md`](framework/agents/analysis-profiles.md)** — il gemello retrieval-side di `effort-protocol` + `return-contract-protocol`: contratto del token `PROFILE=<feature|bug|impact|discovery|ui|baseline>`, piano di retrieval + skip-list + budget + output-block per profilo, inference deterministica quando il token manca (fallback `full` = comportamento legacy), tabella di routing normativa per i chiamanti, shared block (Reuse Analysis · UI Resolution Path · Documentation Reliability Scan) estratti dal corpo agente.
23
+ - **`codebase-architect` slim + dispatcher**: nuova sezione "Analysis Profile Dispatch" (parse token → Grep `### PROFILE: <x>` → Read SOLO quella sezione); Reuse Analysis / cascade UI / Reliability Scan spostati nel modulo (il corpo tiene l'engine: router canonico, tier strutturale, read-size, Hot-File Map v4.91.0, memoria); dedup della sezione "Your Approach". Il boundary multimodale è ESPLICITO: pixel/mockup/screenshot → `ui-expert` read-only (precedente `/prd` 1.6.5), mai l'architect.
24
+ - **Chiamanti migrati al token deterministico** (mai lasciato all'inferenza dell'agente): `/new` implement.md step 3 + `new2.js` B7 → `ui` se la card ha mockup (stesso bit `hasMockup` del routing build v4.89.0) else `feature`; `new-final-review.js`/`new-card-review.js`/`/codexreview` → `baseline`; `plan-auditor` FULL → `impact`; `/prd` discovery-loop → `discovery`, ISA → `impact`; `/prd-add` PATCH → `impact`; `/bug` → `bug`; `/ui-design`/`/ds-handoff` → `ui`; `/e2e-review` reverse-lookup → `impact`; `context-primer` 1.1.0 mappa i task-type sui profili e il suo template smette di ri-dichiarare la strategia (dual-SSOT chiuso).
25
+ - **Primitivi root aggiornati**: skeleton `AGENTS.md` 1.4.0 (il MUST understand-before-implement nomina i 6 profili e cita il modulo) + `CLAUDE.md` 1.2.0 (Plan Mode passa il token, cita senza ripetere).
26
+ - **Tripwire CI**: nuova regola `analysis-profile contract` in `scripts/check-new-parity.mjs` (modulo + dispatcher + implement.md ↔ new2.js ↔ review workflow ↔ context-primer come obbligazioni a locazione parallela).
27
+ - Routing aggiornato: `REGISTRY.md` (riga architect + decision tree), `agents/index.md` (regola + manifest), `skills-mapping.md` (context-primer = canale, non metodologia). Skill bumped: new 1.4.0, new2 1.3.0, prd 1.3.0, prd-add 1.1.0, bug 1.1.0, ui-design 1.1.0, ds-handoff 1.2.0, e2e-review 1.3.0, context-primer 1.1.0.
28
+
29
+ **MINOR** — nuova capability su agent/skill/protocol condivisi; nessun cambio di layout install. **No new `baldart.config.yml` key** (i profili gate-ano su flag esistenti) → la schema-change propagation rule NON si applica. **Codex parity: portable** (token prompt-level; il modulo viaggia nel payload `agents/` bulk-symlinkato letto da entrambi i runtime; il corpo agente transpila in TOML invariato).
30
+
8
31
  ## [4.93.0] - 2026-07-02
9
32
 
10
33
  **`/prd` gate-hygiene wave — dai driver misurati (forensics di una sessione reale: 61.6M token, 48% del costo in fasi meccaniche, una famiglia di card con zero audit-trail, 96% del wall-clock in attesa umana).** Sette interventi chirurgici, nessuna nuova chiave di config:
package/VERSION CHANGED
@@ -1 +1 @@
1
- 4.93.0
1
+ 4.95.0
@@ -14,7 +14,7 @@ Quick-reference for all custom agents. Use this to route tasks to the right spec
14
14
 
15
15
  | Agent | Category | When to Use | Specialization | Can Edit Code | Key Tools |
16
16
  |-------|----------|-------------|----------------|---------------|-----------|
17
- | **codebase-architect** | Architecture | **MANDATORY** before planning/implementing changes | Platform analysis, system design, canonical-source resolution via Linking Protocol v1, LSP symbol resolution (when `features.has_lsp_layer: true`), code-graph structural queries (when `features.has_code_graph: true`) | No | Code navigation, pattern tracing, LSP find-references / go-to-definition, Graphify query/path/affected |
17
+ | **codebase-architect** | Architecture | **MANDATORY** before planning/implementing changes — callers pass `PROFILE=<feature\|bug\|impact\|discovery\|ui\|baseline>` per `agents/analysis-profiles.md` to scope the investigation | Profile-scoped platform analysis, system design, canonical-source resolution via Linking Protocol v1, LSP symbol resolution (when `features.has_lsp_layer: true`), code-graph structural queries (when `features.has_code_graph: true`) | No | Code navigation, pattern tracing, LSP find-references / go-to-definition, Graphify query/path/affected |
18
18
  | **plan-auditor** | Architecture | Review implementation plans before coding begins | Risk assessment, gap detection | Yes | Multi-persona review (eng/security/SRE) |
19
19
  | **doc-reviewer** | Architecture | Audit/write docs after feature implementation | Macro feature identification, SSOT sync, linking-protocol resolution, doc debt tracking, gap analysis | Yes | Doc writing, TaskCreate (doc debt), token optimization |
20
20
  | **wiki-curator** | Documentation | Maintain the derived LLM wiki overlay under `${paths.wiki_dir}/` (concept pages, syntheses, dashboards, reading guides) without creating new canonicals. See `agents/llm-wiki-methodology.md`. | Synthesis candidates (from ADRs/PRDs + Graphify GRAPH_REPORT.md when `features.has_code_graph: true`), provenance hygiene, freshness, anchor + frontmatter validation | Yes | `${paths.wiki_dir}/`, wiki lint |
@@ -35,7 +35,7 @@ Quick-reference for all custom agents. Use this to route tasks to the right spec
35
35
  | **hyper-gamification-designer** | Design | Analyze game features and retention mechanics | Progression, reward loops | No | MDA analysis, economy balance |
36
36
  | **remotion-animator-orchestrator** | Design | Create Remotion video animations | Motion graphics, asset coordination | Yes | Remotion, visual agent coordination |
37
37
  | **prd** | Product | Create PRDs, plans, and backlog cards | Requirements, execution planning | No | PRD writing, backlog management |
38
- | **prd-card-writer** | Product | Generate atomic backlog cards from approved PRD | Card YAML, traceability, parallel groups | Yes | Backlog writing, dependency analysis |
38
+ | **prd-card-writer** | Product | Generate atomic backlog cards from approved PRD; `MODE: apply-findings` = fresh-context applier of audit findings to card YAML (spawned by /prd Step 6.9, sonnet override) | Card YAML, traceability, parallel groups | Yes | Backlog writing, dependency analysis |
39
39
  | **onboarding-architect-lead** | Product | Design/improve user onboarding experiences | Activation flows, experiments | No | Onboarding research, metrics |
40
40
  | **website-orchestrator** | Product | Coordinate multi-agent website development | Project orchestration | No | Phase management, quality gates |
41
41
  | **senior-researcher** | Research | Comprehensive research on technical topics | Evidence-based analysis | Yes | Web search, citations |
@@ -97,7 +97,7 @@ The `depends_on` gate keys off `DONE`. `/new` sets `IN_PROGRESS` on claim and
97
97
  scan should match "not DONE", not a hard-coded `READY`).
98
98
 
99
99
  ```
100
- Need to understand existing code? --> codebase-architect (MANDATORY)
100
+ Need to understand existing code? --> codebase-architect (MANDATORY — pass PROFILE=<feature|bug|impact|discovery|ui|baseline>, agents/analysis-profiles.md)
101
101
  Have a plan to review? --> plan-auditor
102
102
  Writing/modifying code? --> coder
103
103
  Code done, need review? --> code-reviewer
@@ -320,7 +320,7 @@ Already in the suppressed-findings collapsible block in § Detected Issues.
320
320
  ## Repo Expectations
321
321
 
322
322
  - Respect `AGENTS.md` authority.
323
- - Use `codebase-architect` when current architecture is not yet clear.
323
+ - Use `codebase-architect` (`PROFILE=feature` — `agents/analysis-profiles.md`) when current architecture is not yet clear.
324
324
  - API contract changes → note required `/api/v2/` versioning + RFC 8594 deprecation headers.
325
325
  - Architecture policy changes → call out ADR requirements explicitly.
326
326
  - Multi-attribute index needed → flag the missing entry in the project's index
@@ -1,6 +1,6 @@
1
1
  ---
2
2
  name: codebase-architect
3
- description: "MANDATORY: Use this agent whenever you need to understand codebase structure, existing patterns, or architecture before planning or implementing changes. Per AGENTS.md, you MUST invoke this agent before proceeding with any planning or implementation work. Examples:\\n\\n<example>\\nContext: Agent needs to plan a new feature but must understand existing code first.\\nuser: \"Add a new customer analytics dashboard\"\\nassistant: \"Before planning this feature, I must invoke the codebase-architect agent to understand the existing dashboard patterns, data flow architecture, and component structure.\"\\n<commentary>\\nPer AGENTS.md MUST rule: invoke codebase-architect before planning. This is mandatory, not optional.\\n</commentary>\\n</example>\\n\\n<example>\\nContext: User needs to understand how a specific feature works.\\nuser: \"How does the permission system work in this codebase?\"\\nassistant: \"I'm going to use the Task tool to launch the codebase-architect agent to provide a comprehensive explanation of the permission system.\"\\n<commentary>\\nThe user is asking about platform architecture and logic - this requires the codebase-architect agent's deep understanding of the system.\\n</commentary>\\n</example>\\n\\n<example>\\nContext: User is planning a new feature and needs to understand existing patterns.\\nuser: \"I want to add a new API endpoint for customer analytics. What's the best approach given our current architecture?\"\\nassistant: \"I'm going to use the Task tool to launch the codebase-architect agent to analyze the current API patterns and provide architectural guidance.\"\\n<commentary>\\nThis requires understanding of existing patterns, architectural decisions, and best practices - perfect for the codebase-architect agent.\\n</commentary>\\n</example>\\n\\n<example>\\nContext: User encounters complex code and needs explanation.\\nuser: \"I found this payment processing logic but I'm not sure how it integrates with the OCR system\"\\nassistant: \"I'm going to use the Task tool to launch the codebase-architect agent to explain the integration between payment processing and OCR.\"\\n<commentary>\\nThis requires deep understanding of multiple system components and their interactions - use the codebase-architect agent.\\n</commentary>\\n</example>"
3
+ description: "MANDATORY: Use this agent whenever you need to understand codebase structure, existing patterns, or architecture before planning or implementing changes. Per AGENTS.md, you MUST invoke this agent before proceeding with any planning or implementation work. Callers SHOULD pass an analysis profile token — PROFILE=<feature|bug|impact|discovery|ui|baseline> per agents/analysis-profiles.md — to scope the investigation deterministically. Examples:\\n\\n<example>\\nContext: Agent needs to plan a new feature but must understand existing code first.\\nuser: \"Add a new customer analytics dashboard\"\\nassistant: \"Before planning this feature, I must invoke the codebase-architect agent to understand the existing dashboard patterns, data flow architecture, and component structure.\"\\n<commentary>\\nPer AGENTS.md MUST rule: invoke codebase-architect before planning. This is mandatory, not optional.\\n</commentary>\\n</example>\\n\\n<example>\\nContext: User needs to understand how a specific feature works.\\nuser: \"How does the permission system work in this codebase?\"\\nassistant: \"I'm going to use the Task tool to launch the codebase-architect agent to provide a comprehensive explanation of the permission system.\"\\n<commentary>\\nThe user is asking about platform architecture and logic - this requires the codebase-architect agent's deep understanding of the system.\\n</commentary>\\n</example>\\n\\n<example>\\nContext: User is planning a new feature and needs to understand existing patterns.\\nuser: \"I want to add a new API endpoint for customer analytics. What's the best approach given our current architecture?\"\\nassistant: \"I'm going to use the Task tool to launch the codebase-architect agent to analyze the current API patterns and provide architectural guidance.\"\\n<commentary>\\nThis requires understanding of existing patterns, architectural decisions, and best practices - perfect for the codebase-architect agent.\\n</commentary>\\n</example>\\n\\n<example>\\nContext: User encounters complex code and needs explanation.\\nuser: \"I found this payment processing logic but I'm not sure how it integrates with the OCR system\"\\nassistant: \"I'm going to use the Task tool to launch the codebase-architect agent to explain the integration between payment processing and OCR.\"\\n<commentary>\\nThis requires deep understanding of multiple system components and their interactions - use the codebase-architect agent.\\n</commentary>\\n</example>"
4
4
  model: sonnet
5
5
  color: green
6
6
  memory: project
@@ -17,6 +17,26 @@ You are a Senior Full-Stack Architect with extensive experience in platform anal
17
17
 
18
18
  Per the project's AGENTS.md MUST rules, all agents must invoke you (codebase-architect) to understand codebase structure, existing patterns, or architecture before planning or implementing changes — they must not proceed without that analysis. (The frontmatter `description` examples above are the router-facing restatement of this same rule; this body block is the operative mandate.)
19
19
 
20
+ ## Analysis Profile Dispatch (MUST — your FIRST action)
21
+
22
+ "Understand the codebase" is not one job. Before investigating, resolve your **analysis
23
+ profile** — it scopes which protocols run, what you read/skip, your token budget, and the
24
+ output blocks you owe the caller. The SSOT is `agents/analysis-profiles.md`:
25
+
26
+ 1. **Parse the token**: the invoking prompt carries
27
+ `PROFILE=<feature|bug|impact|discovery|ui|baseline>` (same prompt-token style as
28
+ `OUTPUT=terse`).
29
+ 2. **Read ONLY your section**: Grep `agents/analysis-profiles.md` for
30
+ `### PROFILE: <name>`, Read that section plus any `§ Shared block` it cites
31
+ (Reuse Analysis · UI Resolution Path · Documentation Reliability Scan live there).
32
+ Never read the module end-to-end.
33
+ 3. **No token** → apply the module's § 1 deterministic inference order; no match →
34
+ `full` (run everything that applies, budget ≤ 20K).
35
+
36
+ A profile scopes your work; it never overrides the Role boundary above or the Return
37
+ Contract below. An explicit instruction in the invoking prompt (budget, extra output
38
+ field, output envelope) wins over the profile default.
39
+
20
40
  **Your Core Responsibilities:**
21
41
 
22
42
  1. **Codebase Navigation & Understanding**: Analyze and explain the platform's structure, patterns, and implementation details. Navigate complex codebases efficiently and identify key components, dependencies, and relationships.
@@ -76,23 +96,11 @@ When analyzing a feature, resolve documentation authority in this order:
76
96
  6. `${paths.wiki_dir}/` derived pages when the question is about synthesis, recurring
77
97
  documentation questions, or dashboard-style summaries
78
98
 
79
- **UI / design-system questions** follow a parallel resolution path (paths are
80
- project-specific; the convention below is recommended):
81
-
82
- 1. `${paths.design_system}/INDEX.md` thin router (name source purpose spec)
83
- 2. `${paths.design_system}/components/<Name>.md` read the **frontmatter HEAD**
84
- first (props/variants/composes/token_bindings/a11y — schema in
85
- `framework/agents/component-manifest-schema.md`); the prose body only if you
86
- must understand rationale. This is the on-demand discovery fast path — never
87
- read the source to learn a primitive's API when its HEAD has it.
88
- 3. `${paths.design_tokens}` (DTCG `.tokens.json`) — token SSOT; `tokens-reference.md` is a generated view
89
- 4. `${paths.design_system}/patterns/*` — theming, overlays, animations, platform quirks
90
- 5. `${paths.references_dir}/ui-guidelines.md` — brand philosophy and aesthetic rules
91
- 6. `${paths.references_dir}/component-registry.md` — inventory of shared components
92
-
93
- When a query concerns UI, styling, tokens, or shared components, resolve through the
94
- design-system path in addition to the main path. Adapt the paths to your project's
95
- documentation layout.
99
+ **UI / design-system questions** resolve through the design-system cascade
100
+ `agents/analysis-profiles.md` § "Shared block: UI Resolution Path" (INDEX.md thin
101
+ router → component spec frontmatter HEAD → DTCG tokens → patterns → guidelines).
102
+ Profile `ui` makes it the PRIMARY route; any other profile applies it in addition to
103
+ the main path when the query concerns UI, styling, tokens, or shared components.
96
104
 
97
105
  ### Source Taxonomy
98
106
 
@@ -114,40 +122,20 @@ Treat these as weak evidence and say so explicitly in your output:
114
122
  - index docs presented as canonicals when linked PRD/ADR/reference docs exist
115
123
  - derived docs that appear newer than the supposed canonical source
116
124
 
117
- ### Documentation Reliability Scan (MUST)
118
-
119
- When documentation is part of your evidence set, run a fast reliability scan before
120
- trusting it as authoritative:
125
+ ### Documentation Reliability Scan (profile-gated)
121
126
 
122
- 1. **Registry coverage** confirm the feature exists in
123
- `${paths.references_dir}/ssot-registry.md`; if the feature only exists in backlog/PRD, report
124
- `REGISTRY_GAP`
125
- 2. **Freshness markers** compare `Last updated`, `Last reviewed`, or explicit change-log
126
- markers against `git log -1` on the shared hub or canonical doc you rely on
127
- 3. **Link quality** — distinguish markdown links from raw repo paths; path-heavy PRDs and
128
- weak pointer blocks lower retrieval quality for agents
129
- 4. **Retrieval risk** — if a doc exceeds repo thresholds from `AGENTS.md` (for example:
130
- reference docs >400 lines, API docs >800 lines, PRDs/specs >800 lines), read headings
131
- and targeted sections first instead of defaulting to a full read
132
- 5. **Router fit** — when `ssot-registry.md` maps the feature to a canonical doc, prefer
133
- that route over ad hoc broad scans
134
-
135
- Include this block in every analysis that materially depends on docs:
136
-
137
- ```markdown
138
- ## Documentation Reliability Scan
139
-
140
- - Registry coverage: [ok | REGISTRY_GAP: ...]
141
- - Freshness status: [fresh | stale | unknown] (git evidence)
142
- - Link quality: [ok | PATH_HEAVY: ...]
143
- - Retrieval risk: [ok | OVERSIZE_DOC: ...]
144
- - Router fit: [ok | WEAK_ROUTER_MATCH: ...]
145
- ```
127
+ When your profile lists it AND documentation is part of your evidence set, run the fast
128
+ reliability scan defined in `agents/analysis-profiles.md` § "Shared block: Documentation
129
+ Reliability Scan" (registry coverage · freshness · link quality · retrieval risk ·
130
+ router fit) and emit its `## Documentation Reliability Scan` block in every analysis
131
+ that materially depends on docs.
146
132
 
147
133
  **Investigation Protocol (MUST follow before any analysis):**
148
134
 
149
135
  Before providing any architectural guidance or implementation advice, follow this
150
- **token-efficient** investigation sequence. Target: **under 20K tokens total**.
136
+ **token-efficient** investigation sequence it is the shared engine every analysis
137
+ profile scopes (your profile says which steps get emphasis and what to skip).
138
+ Target: **your profile's budget** (default under 20K tokens total).
151
139
 
152
140
  1. **Canonical router FIRST** — resolve the feature to its canonical source
153
141
  before reading code. Read `${paths.references_dir}/ssot-registry.md` (and the
@@ -220,48 +208,16 @@ Derived wiki overlay routing:
220
208
  - Never treat `${paths.wiki_dir}/` as canonical when a repo doc or ADR exists.
221
209
  - If the wiki and canonical docs disagree, report the drift explicitly.
222
210
 
223
- ## Reuse Analysis Protocol (CONDITIONAL)
211
+ ## Reuse Analysis Protocol (profile-gated)
224
212
 
225
- Run this protocol **only when the task involves building or changing code** (new-feature,
226
- refactor, bug-fix). **Skip entirely for query and doc-update tasks** they don't need
227
- component discovery.
213
+ Run the Reuse Analysis **only when your profile lists it** (`feature`, `ui`, and `full`
214
+ when the task builds or changes code). Steps, classification vocabulary (Direct reuse /
215
+ Refactor & reuse / Extract & share / No match), and the `## Reuse Analysis` output
216
+ format are defined ONCE in `agents/analysis-profiles.md` § "Shared block: Reuse
217
+ Analysis" — follow it verbatim; if nothing is reusable, emit the section saying so and
218
+ why.
228
219
 
229
- **Steps:**
230
-
231
- 1. **Identify what the feature needs**: List the UI components, hooks, utilities, API patterns, and data flows the feature will require.
232
- 2. **Search for existing matches**:
233
- - When `features.has_design_system: true`, the **fastest reuse signal is the
234
- spec HEADs**: scan `${paths.design_system}/INDEX.md` (thin router) then the
235
- frontmatter HEAD of the candidate `components/<Name>.md` — structured
236
- props/variants/purpose without reading source. Prefer this over Grep.
237
- - Else check `${paths.references_dir}/component-registry.md` (relevant table
238
- section only).
239
- - Grep only for 2-3 specific component names, not broad semantic sweeps.
240
- 3. **Classify each candidate**:
241
- - **Direct reuse**: Component works as-is, just import it
242
- - **Refactor & reuse**: Component does 70%+ of what's needed; refactor to accept props/config to generalize it
243
- - **Extract & share**: Logic is duplicated across 2+ places; extract into a shared component/hook/utility
244
- - **No match**: Nothing exists; must build new (document why)
245
- 4. **Check your agent memory**: Read `.claude/agent-memory/codebase-architect/shared-components.md` **only if the task involves UI components**. Skip for API-only or backend changes. Update it with any new discoveries.
246
-
247
- **Output format** (include in every architectural analysis):
248
-
249
- ```markdown
250
- ## Reuse Analysis
251
-
252
- ### Reusable Components Found
253
- | Need | Existing Component | Path | Classification | Action |
254
- |------|-------------------|------|----------------|--------|
255
- | [what's needed] | [component name] | [file:line] | Direct reuse / Refactor & reuse / Extract & share | [what to do] |
256
-
257
- ### No Match (Must Build New)
258
- - [component/pattern]: [why nothing existing fits]
259
-
260
- ### Refactoring Opportunities
261
- - [description of duplication found that should be consolidated, even if not directly related to this feature]
262
- ```
263
-
264
- Also include this evidence block in every analysis:
220
+ Include this evidence block in **every** analysis, whatever the profile:
265
221
 
266
222
  ```markdown
267
223
  ## Canonical Evidence
@@ -274,38 +230,28 @@ Also include this evidence block in every analysis:
274
230
  - Ambiguities or drift: [none or explicit list]
275
231
  ```
276
232
 
277
- If no reuse candidates exist, output the section with "No reusable components found — all new code required" and explain why.
278
-
279
233
  **Your Approach:**
280
234
 
281
- **Token budget awareness**: aim for under 20K tokens per invocation. Targeted
282
- reads off the canonical router replace broad file scans — don't re-read what a
283
- canonical doc already told you.
284
-
285
- 1. **Router First**: Start from `ssot-registry.md` and the matched canonical
286
- doc/ADR. Trust the canonical contract for architectural summaries and only
287
- read specific source files to verify claims you need to act on. Do NOT
288
- re-read files a canonical doc already summarized.
289
-
290
- 2. **Targeted reads**: For oversized docs (>400 lines), read headings and routing
291
- sections first, then exact subsections. NEVER read agent memory files >20KB in
292
- full — scan the filename and first 30 lines to decide relevance.
293
- Say explicitly when you sampled instead of reading end-to-end.
235
+ **Token budget awareness**: your profile sets the budget (default ≤ 20K tokens per
236
+ invocation). Targeted reads off the canonical router replace broad file scans — don't
237
+ re-read what a canonical doc already told you, and don't re-read files the Investigation
238
+ Protocol's read-size rules told you to sample. Say explicitly when you sampled instead
239
+ of reading end-to-end.
294
240
 
295
- 3. **Multi-Layer Analysis**: Consider all layers of the stack:
241
+ 1. **Multi-Layer Analysis**: Consider all layers of the stack:
296
242
  - Data Model: How is data structured and persisted?
297
243
  - Backend Logic: What business rules and processing occur?
298
244
  - API Layer: How do systems communicate?
299
245
  - Frontend: How is the UI structured and how does it consume data?
300
246
  - Integration Points: How do external services fit in?
301
247
 
302
- 3. **ADR Awareness**: When architectural decisions are involved, reference relevant ADRs. If you discover undocumented architectural patterns that should be ADRs, note this.
248
+ 2. **ADR Awareness**: When architectural decisions are involved, reference relevant ADRs. If you discover undocumented architectural patterns that should be ADRs, note this.
303
249
 
304
- 4. **Trace Data Flows**: When explaining features, trace the complete flow: user action → frontend → API → backend logic → database → response.
250
+ 3. **Trace Data Flows**: When explaining features, trace the complete flow: user action → frontend → API → backend logic → database → response.
305
251
 
306
- 5. **Identify Dependencies**: Highlight component dependencies, external services, and integration points that affect the functionality being discussed.
252
+ 4. **Identify Dependencies**: Highlight component dependencies, external services, and integration points that affect the functionality being discussed.
307
253
 
308
- 6. **Security & Permissions**: Always consider the permission model when explaining features. Flag deprecated permission patterns documented in the project's MEMORY.md or AGENTS.md.
254
+ 5. **Security & Permissions**: Always consider the permission model when explaining features. Flag deprecated permission patterns documented in the project's MEMORY.md or AGENTS.md.
309
255
 
310
256
  **Common Patterns to Capture (adapt to your project):**
311
257
 
@@ -322,8 +268,10 @@ emit the structured substance ONLY, no narrative. Brain big, mouth small. Your
322
268
  return value is injected verbatim into the caller's context, so every word of
323
269
  prose costs them context budget on every subsequent turn.
324
270
 
325
- - **Emit, unchanged (these ARE the contract):** the `## Reuse Analysis` table and
326
- the `## Canonical Evidence` block.
271
+ - **Emit, unchanged (these ARE the contract):** the `## Canonical Evidence` block,
272
+ plus the `## Reuse Analysis` table and any profile-specific block
273
+ (code-path map / affected-surface table / component-binding notes — see
274
+ `agents/analysis-profiles.md`) when your profile runs them.
327
275
  - **Affected code as rows, not paragraphs:** `path:line — symbol — pattern/role`.
328
276
  - **High-risk paths / integration points, one line each:** `path:line — risk`.
329
277
  - **Hot-File Map (MANDATORY for every in-scope file > 800 lines):** a
@@ -125,7 +125,7 @@ You MUST run as a state machine. Always label your current state at the top of e
125
125
  - Restate problem in 3–6 bullets.
126
126
  - Identify objective function / KPI.
127
127
  - Identify constraints (privacy, latency, cost, cold start).
128
- - Invoke `codebase-architect` agent to understand existing system structure.
128
+ - Invoke `codebase-architect` agent (`PROFILE=feature` — `agents/analysis-profiles.md`) to understand existing system structure.
129
129
 
130
130
  ### STATE 1 — RESEARCH CHECK
131
131
  - Locate and summarize "Research Inputs Used".
@@ -171,7 +171,7 @@ When first invoked on a project, before doing anything else:
171
171
  ## AGENTS.md Compliance
172
172
 
173
173
  You MUST follow all rules in AGENTS.md, including:
174
- - Invoke `codebase-architect` agent (via Task tool) before planning or implementing changes to understand existing patterns
174
+ - Invoke `codebase-architect` agent (via Task tool, `PROFILE=feature` — `agents/analysis-profiles.md`) before planning or implementing changes to understand existing patterns
175
175
  - Update `${paths.references_dir}/project-status.md` Active Code Context before work
176
176
  - Pick a backlog card, set IN_PROGRESS, and assign yourself before work
177
177
  - Keep docs and code in sync
@@ -84,7 +84,7 @@ When auditing plans for a specific project, replace the bullets above with proje
84
84
  - List the exact missing inputs as "Blocking Questions"
85
85
  - Propose safe defaults / options and explain trade-offs for each
86
86
  6. **Produce outputs that are directly actionable** by engineers. No fluff, no generic advice, no motivational language.
87
- 7. **FULL mode only**: before starting your audit, invoke the `codebase-architect` agent (via Task tool) to understand the current codebase structure, existing patterns, and architecture relevant to the plan being reviewed. Do not audit without this context. In **QUICK** mode the caller has already supplied this grounding — do NOT re-spawn codebase-architect.
87
+ 7. **FULL mode only**: before starting your audit, invoke the `codebase-architect` agent (via Task tool) to understand the current codebase structure, existing patterns, and architecture relevant to the plan being reviewed — pass `PROFILE=impact OUTPUT=terse` (the plan's blast radius is what your audit needs; contract in `agents/analysis-profiles.md`). Do not audit without this context. In **QUICK** mode the caller has already supplied this grounding — do NOT re-spawn codebase-architect.
88
88
 
89
89
  ## PROMPT INJECTION GUARD (MUST — read first)
90
90
 
@@ -476,7 +476,20 @@ Every card MUST include ALL fields from the template:
476
476
  - `context` (background + PRD reference)
477
477
  - `scope` (summary, users, value)
478
478
  - `requirements` (concrete, specific)
479
- - `acceptance_criteria` (testable `[ ] [AC-N]` items)
479
+ - `acceptance_criteria` (testable `[ ] [AC-N]` items — **EARS grammar MANDATORY on child/
480
+ standalone cards**: the clause matches one of `THE SYSTEM SHALL …` / `WHEN … THE SYSTEM
481
+ SHALL …` / `WHILE …` / `WHERE …` / `IF … THEN THE SYSTEM SHALL …` (+ `SHALL CONTINUE TO`
482
+ for non-regression). Body in the project language, EARS keywords in English. NO vague
483
+ verbs ("correttamente", "properly", "as expected", … — the `--prd` validator ban-list
484
+ BLOCKS them): name the observable behavior. SSOT + worked example: `card-schema.md`
485
+ § "Acceptance-criteria grammar (EARS)". Epic AC-EPIC roll-ups are exempt.)
486
+ - `ac_verification` (OPTIONAL map `AC-N → executable oracle`) — **grounding rule, same class
487
+ as the Field Grounding Rule**: write a command ONLY if you verified it exists (an npm
488
+ script in `package.json`, a command in `toolchain.commands.*`, a cited test file that
489
+ exists — Grep/Read to confirm). NEVER invent commands. Not automatable → explicit
490
+ `manual: <what a human checks>`. Genuinely undecidable → `[NEEDS CLARIFICATION: …]`.
491
+ Non-manual oracles SHOULD also appear in `validation_commands` (the validator warns on
492
+ drift). Consumed by `/new` Phase 2.5, which EXECUTES them.
480
493
  - `definition_of_done` (checklist including doc invariants). **When `features.has_i18n: true`** AND the
481
494
  card introduces user-facing strings, the DoD MUST carry an i18n-completeness line — NOT merely "strings
482
495
  via `t()` + registered", but: *"new keys authored in the source locale + the i18n context registry (by
@@ -724,3 +737,97 @@ Return to the caller a structured summary:
724
737
  - Cross-reference every requirement against the PRD source section
725
738
  - Verify file paths in `files_likely_touched` exist in the codebase (use Glob to check)
726
739
  - Count total files across all cards to verify no file is assigned to conflicting cards without a conflict edge
740
+
741
+ ## MODE: apply-findings (audit-fix applier — invoked by `/prd` audit-phase Step 6.9)
742
+
743
+ **Trigger:** the invocation prompt contains `MODE: apply-findings`. In this mode you do NOT
744
+ author new cards — you apply an audit's consolidated findings to EXISTING card YAML files.
745
+ (Same one-agent+token mechanism as `PROFILE=` / `OUTPUT=terse`: a mode is a parameter, not a
746
+ twin agent.)
747
+
748
+ **Why this mode exists (measured):** the `/prd` orchestrator used to apply findings inline at
749
+ full context window (~48 Edits at ~663k cache-read per call — the mechanical phases were 48%
750
+ of a real run's cost). In a fresh subagent context the same work costs a fraction. On Claude
751
+ the caller spawns this mode with a `model: sonnet` override (batch card AUTHORING keeps the
752
+ frontmatter model); on Codex the by-name agent inherits the session model — the primary
753
+ enabler is the fresh context + structured I/O, not the model tier.
754
+
755
+ **Inputs (all BY PATH — never pasted content):**
756
+ - `REPORT_FILE` — the consolidated audit report (audit-phase Step 6.7 format: findings grouped
757
+ per card, each tagged `(Severity: HIGH/MEDIUM/LOW)` + `[Target: <field>]`)
758
+ - `CARD_PATHS` — the card YAML files to edit
759
+ - `AUDITED_AT` / `AUDITED_COMMIT` / `AUDITED_SET` — the run-level provenance values
760
+ (audit-phase § "Holistic-audit provenance stamp")
761
+ - `VALIDATOR` — path of `validate-card-baseline.js`; `STAMPER` — path of `stamp-holistic-audit.js`
762
+
763
+ **Workflow:**
764
+ 1. Read the report; group findings per card ID.
765
+ 2. Per card, apply HIGH first, then MEDIUM, per the FIELD MAPPING table below:
766
+ - Edit ONLY the field named by each finding's `[Target: <field>]` tag. NEVER touch a field
767
+ no finding targets; NEVER "improve" untargeted content. The Field Grounding Rule above
768
+ binds here too (no invented field names).
769
+ - A finding that genuinely requires a human decision → do NOT apply; record it as `[MANUAL]`.
770
+ - A finding whose suggested content is UNGROUNDED (a path that doesn't exist in the repo,
771
+ a command not in the project's convention) or ALREADY SATISFIED by the card → do NOT
772
+ apply it as-is; ground it against the repo first (Glob/Grep), apply the grounded form,
773
+ or record it in the audit trail as `already-satisfied` / `ungrounded (<why>)`.
774
+ - LOW findings: audit-trail note only — no structured-field edits.
775
+ - Append the audit trail to `notes` (format below).
776
+ 3. **EXECUTE** `node <VALIDATOR> --prd <card>` on every edited card — exit 0 required. On
777
+ failure, fix your own edit and re-run (max 2 attempts, then report that card as
778
+ `validator: FAIL` with the error output — never ship a silently-invalid card).
779
+ 4. **EXECUTE** the stamper ONCE for the whole set:
780
+ `node <STAMPER> --at <AUDITED_AT> --commit <AUDITED_COMMIT> --set <AUDITED_SET> <CARD_PATHS>`
781
+ 5. Return the COMPACT summary below. Do NOT echo card bodies or the report back.
782
+
783
+ ### FIELD MAPPING (Target tag → card field → action)
784
+
785
+ | Target tag | Card field | Action |
786
+ |---|---|---|
787
+ | `[Target: requirements]` | `requirements` | Append missing requirement or rewrite existing one |
788
+ | `[Target: acceptance_criteria]` | `acceptance_criteria` | Append new `"[ ] [AC-N] ..."` item or rewrite vague AC |
789
+ | `[Target: definition_of_done]` | `definition_of_done` | Append new `"[ ] ..."` item |
790
+ | `[Target: files_likely_touched]` | `files_likely_touched` | Append missing path (no duplicates) |
791
+ | `[Target: depends_on]` | `depends_on` | Append missing card ID |
792
+ | `[Target: git_strategy]` | `git_strategy` | Replace `TBD` with `feat/<CARD-ID>-<slug> from ${git.trunk_branch}` |
793
+ | `[Target: areas]` | `areas` | Add missing area key/value |
794
+ | `[Target: unknowns]` | `unknowns` | Append new `[U-N] UNKNOWN: ...` entry |
795
+ | `[Target: existing_patterns]` | `existing_patterns` | Append missing pattern reference or fix stale line_range/anchor_text |
796
+ | `[Target: validation_commands]` | `validation_commands` | Append missing verification command |
797
+ | `[Target: anti_patterns]` | `anti_patterns` | Append missing DO NOT constraint |
798
+ | `[Target: scope_boundaries]` | `scope_boundaries` | Add missing in_scope or out_of_scope item |
799
+ | `[Target: input_output_examples]` | `input_output_examples` | Append missing scenario or fix incorrect example |
800
+ | `[Target: error_handling]` | `error_handling` | Append missing failure mode or fix incorrect action |
801
+ | `[Target: reuse_analysis]` | `reuse_analysis` | Add missing reuse opportunity or correct file path |
802
+ | `[Target: notes]` | `notes` | Audit trail only |
803
+
804
+ ### Severity policy
805
+
806
+ - **HIGH**: MUST apply. Card cannot be safely implemented without these.
807
+ - **MEDIUM**: SHOULD apply. Skip only if human judgment needed (mark `[MANUAL]`).
808
+ - **LOW**: Do NOT edit structured fields. Audit trail note only.
809
+
810
+ ### Audit trail in `notes`
811
+
812
+ After applying all edits to a card, append to its `notes`:
813
+
814
+ ```yaml
815
+ ## Applied by quality audit — YYYY-MM-DD
816
+ Applied N findings to structured fields (H high, M medium).
817
+ Manual review needed: [list [MANUAL] items, or "none"].
818
+ ```
819
+
820
+ ### Return contract (COMPACT — the ONLY output)
821
+
822
+ ```
823
+ APPLY-FINDINGS DONE
824
+ - <CARD-ID>: applied <H> high / <M> medium; manual: [<finding titles> | none]; validator: PASS|FAIL
825
+ - ...
826
+ stamp: <the stamper's one-line summary>
827
+ ```
828
+
829
+ ### Boundaries (mode-specific)
830
+
831
+ Read-only outside the card files; no Task/Agent spawns; no git commits/staging (the
832
+ orchestrator's Step 7 owns git); no card creation, deletion, or renaming; no edits to
833
+ fields not targeted by a finding.
@@ -284,7 +284,7 @@ When you need to examine code, use Glob/Grep to find actual file paths before re
284
284
  ## Repo Workflow Expectations
285
285
 
286
286
  - Respect `AGENTS.md` as authoritative.
287
- - Use `codebase-architect` for architecture discovery before broad security recommendations that depend on current structure.
287
+ - Use `codebase-architect` (`PROFILE=feature` — `agents/analysis-profiles.md`) for architecture discovery before broad security recommendations that depend on current structure.
288
288
  - Treat `${paths.references_dir}/project-status.md` as transient coordination context, not canonical feature truth.
289
289
  - When you find a security issue that implies doc or ADR drift, flag the required follow-up explicitly.
290
290
 
@@ -117,7 +117,7 @@ If a card cannot be found, mark it as `UNKNOWN` and ask the user before continui
117
117
  > (plus the attached `diff_summary_path`) as the mandatory context for downstream agents, and go to
118
118
  > Step 2. In full mode (no contract file), run this step as written.
119
119
 
120
- Before running any review agents, invoke `codebase-architect` (via Task tool) for each card scope to map:
120
+ Before running any review agents, invoke `codebase-architect` (via Task tool) for each card scope — pass `PROFILE=baseline OUTPUT=terse` (diff-scoped review grounding; contract in `agents/analysis-profiles.md`) — to map:
121
121
 
122
122
  - Existing architecture and critical patterns
123
123
  - High-risk code paths for regressions
@@ -2,6 +2,10 @@
2
2
 
3
3
  Formato: [Keep a Changelog](https://keepachangelog.com/) · [SemVer](https://semver.org/).
4
4
 
5
+ ## 1.1.0 — 2026-07-02
6
+
7
+ - **Analysis-profile contract (framework v4.94.0)**: Phase 0 code-path mapping passes `PROFILE=bug` — the profile returns the entry→failure code-path map + the recent-change suspect list and skips reuse/architecture noise. SSOT: `framework/agents/analysis-profiles.md`.
8
+
5
9
  ## 1.0.0 — 2026-07-01
6
10
 
7
11
  - Baseline: versioning per-skill introdotto al framework v4.82.0.
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  name: bug
3
3
  effort: medium
4
- version: 1.0.0
4
+ version: 1.1.0
5
5
  description: >
6
6
  Structured bug investigation and resolution workflow (framework-agnostic; project-specific entry points are loaded from `.baldart/overlays/bug.md`).
7
7
  Use when: the user says /bug, 'debug', 'c e un bug', 'non funziona', 'errore', 'broken',
@@ -60,9 +60,11 @@ See [framework/docs/MCP-INTEGRATION.md](../../../docs/MCP-INTEGRATION.md) for th
60
60
  - **Auth** → the project's auth middleware/guard + auth error codes (per `stack.auth_provider`)
61
61
  - **Build/Deploy** → the deploy platform's logs + build output (per `stack.deployment`, e.g. Vercel)
62
62
  3. Launch `codebase-architect` agent to map the affected code paths — do NOT start debugging blind.
63
- Pass `OUTPUT=terse` (since v4.49.0): you want the structured map (`path:linesymbol` rows,
64
- high-risk paths, `totals:`), not a narrative essay its return is injected verbatim into this
65
- investigation context, so keep it lean.
63
+ Pass `PROFILE=bug OUTPUT=terse` (profile contract: `agents/analysis-profiles.md`the
64
+ `bug` profile returns the code-path map entry→failure + the recent-change suspect list
65
+ and skips reuse/architecture noise; since v4.94.0). You want the structured map
66
+ (`path:line — symbol` rows, high-risk paths, `totals:`), not a narrative essay — its
67
+ return is injected verbatim into this investigation context, so keep it lean.
66
68
  When `features.has_lsp_layer: true` and the symptom names a concrete symbol
67
69
  (function/type/handler), `codebase-architect` will use LSP find-references /
68
70
  go-to-definition to locate the exact callsites instead of grepping. See
@@ -2,6 +2,16 @@
2
2
 
3
3
  Formato: [Keep a Changelog](https://keepachangelog.com/) · [SemVer](https://semver.org/).
4
4
 
5
+ ## 1.1.0 — 2026-07-02
6
+
7
+ - **Analysis-profile contract**: the embedded architect prompt no longer restates the
8
+ search strategy (canonical-router steps, task-adaptive rules, UI cascade, wiki
9
+ routing — a dual-SSOT with the agent body). It now passes
10
+ `PROFILE=<bug|impact|discovery|ui>` mapped deterministically from the detected task
11
+ type (new step 2b) and cites `framework/agents/analysis-profiles.md` as the single
12
+ SSOT of the retrieval plan. Skill-specific inputs (overlay must-include docs, git
13
+ recency signal) and the XML output envelope are unchanged.
14
+
5
15
  ## 1.0.0 — 2026-07-01
6
16
 
7
17
  - Baseline: versioning per-skill introdotto al framework v4.82.0.