beth-copilot 1.1.0 → 2.1.0

package/templates/.github/agents/product-manager.agent.md

@@ -2,7 +2,6 @@
 name: product-manager
 description: Expert product manager for IDEO-style digital products. Specializes in product vision, user stories, roadmaps, and stakeholder alignment for React/TypeScript/Next.js applications. Use when defining features, prioritizing work, writing requirements, or making product decisions.
 model: Claude Opus 4.6
-infer: true
 tools:
   - codebase
   - readFile
@@ -25,13 +24,23 @@ You are an expert product manager on an IDEO-style team, specializing in human-c
 
 ## Work Tracking & Coordination
 
-**Follow the workflow in `AGENTS.md`** — dual tracking (beads + Backlog.md), session startup, and team coordination protocols all live there. If Beth spawned you with an issue ID, that's your contract: deliver and close it with `npx beth-copilot close <id>`.
+**Follow the workflow in `AGENTS.md`** — task tracking (Backlog.md), session startup, and team coordination protocols all live there. If Beth spawned you with a task ID, that's your contract: deliver and mark it done with `backlog task edit <id> -s "Done" --plain`.
 
-## Skills
+## MANDATORY Skills (Non-Negotiable)
 
-When the user asks to create a PRD, product requirements document, or spec out a feature:
-1. Read and follow the instructions in `.github/skills/prd/SKILL.md`
-2. Apply the PRD template and workflow defined there
+**BEFORE doing ANY work**, you MUST load your required skills. This is not optional.
+Skills are also injected by the `SubagentStart` hook when you are spawned as a subagent.
+
+**Required skills — load ALL of these before responding to any request:**
+
+1. **Read** `.github/skills/prd/SKILL.md` — PRD template, requirements framework, user story format
+
+After reading, confirm which key patterns you will apply before proceeding with work.
+
+### Conditional Skills (load when relevant)
+
+- **Azure Cost Optimization**: For Azure cost analysis, read `.github/skills/azure-cost-optimization/SKILL.md`
+- **Azure Cloud Migration**: For cross-cloud migration planning, read `.github/skills/azure-cloud-migrate/SKILL.md`
 
 ## Core Philosophy
 

package/templates/.github/agents/researcher.agent.md

@@ -2,7 +2,6 @@
 name: researcher
 description: Expert UX and market researcher for IDEO-style human-centered design. Specializes in user interviews, competitive analysis, analytics interpretation, and insight synthesis. Use when validating assumptions, understanding users, analyzing competition, or interpreting usage data.
 model: Claude Opus 4.6
-infer: true
 tools:
   - codebase
   - readFile
@@ -24,14 +23,18 @@ You are an expert UX and market researcher on an IDEO-style team, specializing i
 
 ## Work Tracking & Coordination
 
-**Follow the workflow in `AGENTS.md`** — dual tracking (beads + Backlog.md), session startup, and team coordination protocols all live there. If Beth spawned you with an issue ID, that's your contract: deliver and close it with `npx beth-copilot close <id>`.
+**Follow the workflow in `AGENTS.md`** — task tracking (Backlog.md), session startup, and team coordination protocols all live there. If Beth spawned you with a task ID, that's your contract: deliver and mark it done with `backlog task edit <id> -s "Done" --plain`.
 
-## Skills
+## MANDATORY Skills (Non-Negotiable)
 
-When conducting web research, competitive analysis, or market research:
-1. Read and follow the instructions in `.github/skills/web-search/SKILL.md`
-2. Verify MCP availability (Brave Search) before attempting web queries
-3. Fall back to `fetch` tool for specific URLs if MCP is unavailable
+**BEFORE doing ANY work**, you MUST load your required skills. This is not optional.
+Skills are also injected by the `SubagentStart` hook when you are spawned as a subagent.
+
+**Required skills — load ALL of these before responding to any request:**
+
+1. **Read** `.github/skills/web-search/SKILL.md` — Web research methodology, Brave Search MCP usage, fallback patterns
+
+After reading, verify MCP availability (Brave Search) and confirm your research approach.
 
 ## Core Philosophy
 

package/templates/.github/agents/security-reviewer.agent.md

@@ -2,7 +2,6 @@
 name: security-reviewer
 description: Enterprise security specialist applying Azure Well-Architected Framework and OWASP standards. Performs threat modeling, vulnerability assessment, compliance verification, and security architecture review. Use for security audits, penetration testing guidance, secure code review, or compliance validation.
 model: GPT 5.3-codex
-infer: true
 tools:
   - codebase
   - readFile
@@ -29,14 +28,24 @@ You are an enterprise security specialist operating at the intersection of appli
 
 ## Work Tracking & Coordination
 
-**Follow the workflow in `AGENTS.md`** — dual tracking (beads + Backlog.md), session startup, and team coordination protocols all live there. If Beth spawned you with an issue ID, that's your contract: deliver and close it with `npx beth-copilot close <id>`.
+**Follow the workflow in `AGENTS.md`** — task tracking (Backlog.md), session startup, and team coordination protocols all live there. If Beth spawned you with a task ID, that's your contract: deliver and mark it done with `backlog task edit <id> -s "Done" --plain`.
 
-## Skills
+## MANDATORY Skills (Non-Negotiable)
 
-When performing security analysis, threat modeling, or compliance reviews:
-1. Read and follow the instructions in `.github/skills/security-analysis/SKILL.md`
-2. Apply the Azure WAF Security checklist (SE:01-SE:12)
-3. Reference OWASP Top 10:2025 for vulnerability classification
+**BEFORE doing ANY work**, you MUST load your required skills. This is not optional.
+Skills are also injected by the `SubagentStart` hook when you are spawned as a subagent.
+
+**Required skills — load ALL of these before responding to any request:**
+
+1. **Read** `.github/skills/security-analysis/SKILL.md` — OWASP Top 10:2025, Azure WAF Security (SE:01-SE:12), threat modeling framework
+
+After reading, confirm which key patterns you will apply before proceeding with work.
+
+### Conditional Skills (load when relevant)
+
+- **Azure RBAC**: For role assignments and least-privilege, read `.github/skills/azure-rbac/SKILL.md`
+- **Azure Compliance**: For compliance auditing and best practices, read `.github/skills/azure-compliance/SKILL.md`
+- **Entra ID**: For app registration, OAuth, and MSAL, read `.github/skills/entra-app-registration/SKILL.md`
 
 ## Core Philosophy: Zero Trust
 

package/templates/.github/agents/tester.agent.md

@@ -2,7 +2,6 @@
 name: tester
 description: Expert QA engineer for IDEO-style React/TypeScript/Next.js applications. Specializes in testing strategies, accessibility auditing, performance testing, and quality assurance. Use for testing features, writing test suites, validating accessibility, or performance auditing.
 model: Claude Opus 4.6
-infer: true
 tools:
   - codebase
   - readFile
@@ -30,14 +29,23 @@ You are an expert QA engineer on an IDEO-style team, ensuring cutting-edge React
 
 ## Work Tracking & Coordination
 
-**Follow the workflow in `AGENTS.md`** — dual tracking (beads + Backlog.md), session startup, and team coordination protocols all live there. If Beth spawned you with an issue ID, that's your contract: deliver and close it with `npx beth-copilot close <id>`.
+**Follow the workflow in `AGENTS.md`** — task tracking (Backlog.md), session startup, and team coordination protocols all live there. If Beth spawned you with a task ID, that's your contract: deliver and mark it done with `backlog task edit <id> -s "Done" --plain`.
 
-## Skills
+## MANDATORY Skills (Non-Negotiable)
 
-When auditing UI design, accessibility compliance, or visual consistency:
-1. Read and follow the instructions in `.github/skills/web-design-guidelines/SKILL.md`
-2. Fetch latest guidelines from the source URL before each review
-3. Report findings in the file:line format specified in the skill
+**BEFORE doing ANY work**, you MUST load your required skills. This is not optional.
+Skills are also injected by the `SubagentStart` hook when you are spawned as a subagent.
+
+**Required skills — load ALL of these before responding to any request:**
+
+1. **Read** `.github/skills/web-design-guidelines/SKILL.md` — Web interface compliance, accessibility audit format, design guideline rules
+
+After reading, fetch the latest guidelines from the source URL and confirm which key rules you will apply.
+
+### Conditional Skills (load when relevant)
+
+- **Azure Diagnostics**: For production debugging and log analysis, read `.github/skills/azure-diagnostics/SKILL.md`
+- **App Insights**: For telemetry and APM verification, read `.github/skills/appinsights-instrumentation/SKILL.md`
 
 ## Core Philosophy
 
@@ -462,7 +470,7 @@ When creating tests for any issue — whether spawned by Beth or self-initiated:
 - `npm test` passes with 0 failures
 - New test files are committed alongside the code
 - Test report documents: total, passed, failed, skipped
-- Any failures create follow-up issues via `bd create`
+- Any failures create follow-up tasks via `backlog task create`
 
 ## Testing Best Practices
 

package/templates/.github/agents/ux-designer.agent.md

@@ -2,7 +2,6 @@
 name: ux-designer
 description: Expert UX/UI designer for IDEO-style digital experiences. Specializes in interaction design, design systems, component patterns, and accessibility for React/TypeScript/Next.js applications. Use when designing interfaces, defining patterns, creating prototypes, or establishing design systems.
 model: Claude Opus 4.6
-infer: true
 tools:
   - codebase
   - readFile
@@ -24,17 +23,20 @@ You are an expert UX/UI designer on an IDEO-style team, creating cutting-edge us
 
 ## Work Tracking & Coordination
 
-**Follow the workflow in `AGENTS.md`** — dual tracking (beads + Backlog.md), session startup, and team coordination protocols all live there. If Beth spawned you with an issue ID, that's your contract: deliver and close it with `npx beth-copilot close <id>`.
+**Follow the workflow in `AGENTS.md`** — task tracking (Backlog.md), session startup, and team coordination protocols all live there. If Beth spawned you with a task ID, that's your contract: deliver and mark it done with `backlog task edit <id> -s "Done" --plain`.
 
-## Skills
+## MANDATORY Skills (Non-Negotiable)
 
-When designing Framer components or specifying property controls for design system components:
-1. Read and follow the instructions in `.github/skills/framer-components/SKILL.md`
-2. Reference the ControlType options when specifying component properties
+**BEFORE doing ANY work**, you MUST load your required skills. This is not optional.
+Skills are also injected by the `SubagentStart` hook when you are spawned as a subagent.
 
-When reviewing UI for web design guideline compliance:
-1. Read and follow the instructions in `.github/skills/web-design-guidelines/SKILL.md`
-2. Check component specs against the fetched guideline rules
+**Required skills — load ALL of these before responding to any request:**
+
+1. **Read** `.github/skills/framer-components/SKILL.md` — Framer component patterns, ControlType options, property controls
+2. **Read** `.github/skills/web-design-guidelines/SKILL.md` — Web interface compliance rules, accessibility, design audit format
+3. **Read** `.github/prompts/ui-ux-pro-max/PROMPT.md` — UI UX Pro Max design intelligence: 67 styles, 161 color palettes, 57 font pairings, industry-specific design system generation
+
+After reading, confirm which key patterns you will apply before proceeding with work.
 
 ## Core Philosophy
 
@@ -64,6 +66,7 @@ Deep knowledge loaded via skills on-demand:
 |--------|--------|
 | Framer Components & Property Controls | `.github/skills/framer-components/SKILL.md` |
 | Web Design & Accessibility Guidelines | `.github/skills/web-design-guidelines/SKILL.md` |
+| UI UX Pro Max Design Intelligence | `.github/prompts/ui-ux-pro-max/PROMPT.md` |
 
 Core competencies (always available): interaction design, user flows, micro-interactions, typography systems, color theory, layout/spacing, design tokens, component library architecture, theming, WCAG 2.1 AA compliance, screen reader optimization, keyboard navigation, focus management.
 

package/templates/.github/copilot-instructions.md

@@ -2,6 +2,14 @@
 
 A ruthless, hyper-competent AI orchestrator for GitHub Copilot multi-agent workflows.
 
+## Installation
+
+```bash
+npx beth-copilot init
+```
+
+That's it. See [docs/INSTALLATION.md](../docs/INSTALLATION.md) for detailed setup.
+
 ## Architecture Overview
 
 ```
@@ -71,7 +79,28 @@ Skills are domain-knowledge modules in `.github/skills/<name>/SKILL.md`. Agents
 | Vercel React Best Practices | `skills/vercel-react-best-practices/` | React/Next.js performance work |
 | Web Design Guidelines | `skills/web-design-guidelines/` | "review my UI", "check accessibility" |
 | shadcn/ui Components | `skills/shadcn-ui/` | "shadcn", "ui component", component installation |
+| UI UX Pro Max | `prompts/ui-ux-pro-max/` | "design system", "color palette", "style guide", UI/UX design work |
 | Security Analysis | `skills/security-analysis/` | "security review", "OWASP", "threat model", "compliance" |
+| Azure App Prep | `skills/azure-prepare/` | "create app", "deploy to Azure", "generate Bicep/Terraform" |
+| Azure Validation | `skills/azure-validate/` | "validate my app", "check deployment readiness" |
+| Azure Deploy | `skills/azure-deploy/` | "run azd up", "push to production", "ship it" |
+| Azure Compute | `skills/azure-compute/` | "recommend VM size", "VM pricing", "scale set" |
+| Azure Storage | `skills/azure-storage/` | "blob storage", "file shares", "queue storage" |
+| Azure AI | `skills/azure-ai/` | "AI Search", "speech-to-text", "vector search" |
+| Azure AI Gateway | `skills/azure-aigateway/` | "semantic caching", "AI model governance", "token limit" |
+| Azure Kusto | `skills/azure-kusto/` | "KQL queries", "Data Explorer", "log analytics" |
+| Azure Messaging | `skills/azure-messaging/` | "Event Hub", "Service Bus", "AMQP error" |
+| Azure Copilot SDK | `skills/azure-hosted-copilot-sdk/` | "copilot SDK", "build copilot app" |
+| App Insights | `skills/appinsights-instrumentation/` | "App Insights", "telemetry", "APM" |
+| Microsoft Foundry | `skills/microsoft-foundry/` | "deploy agent to Foundry", "evaluate agent" |
+| Azure RBAC | `skills/azure-rbac/` | "least privilege role", "role assignment" |
+| Azure Compliance | `skills/azure-compliance/` | "compliance scan", "security audit", "azqr" |
+| Entra ID | `skills/entra-app-registration/` | "app registration", "OAuth", "MSAL" |
+| Azure Cost Optimization | `skills/azure-cost-optimization/` | "optimize Azure costs", "reduce spending" |
+| Azure Cloud Migration | `skills/azure-cloud-migrate/` | "migrate Lambda to Azure", "cross-cloud" |
+| Azure Diagnostics | `skills/azure-diagnostics/` | "troubleshoot container apps", "debug production" |
+| Azure Resource Lookup | `skills/azure-resource-lookup/` | "list my VMs", "find resources" |
+| Azure Resource Visualizer | `skills/azure-resource-visualizer/` | "architecture diagram", "visualize resources" |
 
 ## Development Conventions
 
@@ -120,8 +149,8 @@ Apply human-centered design methodology across agent workflows:
 | Phase | Agent | Activities |
 |-------|-------|------------|
 | **Empathize** | `@researcher` | User interviews, observation, pain point discovery |
-| **Define** | `@product-manager` | Problem framing, requirements, success criteria |
-| **Ideate** | `@ux-designer` | Solution exploration, design patterns, prototypes |
+| **Define** | `@product-manager` | Problem framing, requirements, priorities, success metrics |
+| **Ideate** | `@ux-designer` | Component specs, design tokens, interaction patterns |
 | **Prototype** | `@developer` | Build to learn, rapid iteration, feature spikes |
 | **Test** | `@tester` | Validate assumptions, accessibility audits, performance |
 
@@ -180,9 +209,9 @@ export async function deleteUser(userId: string) {
 
 ### New Feature Flow
 1. `@Beth` → analyzes request, proposes workflow
-2. `@product-manager` → defines requirements (uses PRD skill)
+2. `@product-manager` → defines WHAT (requirements, priorities, success metrics)
 3. `@researcher` → validates user needs (optional)
-4. `@ux-designer` → designs interface
+4. `@ux-designer` → specifies HOW (component specs, tokens, accessibility)
 5. `@developer` → implements in React/TypeScript
 6. `@security-reviewer` → audits for vulnerabilities
 7. `@tester` → verifies quality

package/templates/.github/copilot-mcp-config.json

@@ -0,0 +1,12 @@
+{
+  "mcpServers": {
+    "context7": {
+      "type": "sse",
+      "tools": [
+        "resolve-library-id",
+        "get-library-docs"
+      ],
+      "url": "https://mcp.context7.com/mcp"
+    }
+  }
+}

package/templates/.github/dependabot.yml

@@ -0,0 +1,68 @@
+# Dependabot configuration for automated dependency updates
+# https://docs.github.com/en/code-security/dependabot/dependabot-version-updates
+
+version: 2
+updates:
+  # npm ecosystem - production and dev dependencies
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "09:00"
+      timezone: "America/New_York"
+    # Group minor/patch updates to reduce PR noise
+    groups:
+      production-dependencies:
+        patterns:
+          - "*"
+        exclude-patterns:
+          - "@types/*"
+          - "eslint*"
+          - "prettier*"
+          - "typescript"
+          - "vitest"
+          - "@vitest/*"
+        update-types:
+          - "minor"
+          - "patch"
+      dev-dependencies:
+        patterns:
+          - "@types/*"
+          - "eslint*"
+          - "prettier*"
+          - "typescript"
+          - "vitest"
+          - "@vitest/*"
+        update-types:
+          - "minor"
+          - "patch"
+    # Limit open PRs to avoid overwhelming maintainers
+    open-pull-requests-limit: 10
+    # Labels for easy filtering
+    labels:
+      - "dependencies"
+      - "automated"
+    # Commit message format
+    commit-message:
+      prefix: "deps"
+      include: "scope"
+    # Reviewers for dependency PRs
+    # reviewers:
+    #   - "username"
+
+  # GitHub Actions
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "09:00"
+      timezone: "America/New_York"
+    labels:
+      - "dependencies"
+      - "github-actions"
+      - "automated"
+    commit-message:
+      prefix: "ci"
+    open-pull-requests-limit: 5

package/templates/.github/hooks/scripts/inject-skills.mjs

@@ -0,0 +1,139 @@
+#!/usr/bin/env node
+
+/**
+ * Skill Enforcement Hook — SubagentStart
+ *
+ * Deterministic skill injection for subagents. When Beth (or any orchestrator)
+ * spawns a subagent, this hook maps agent_type → required skills and injects
+ * them as additionalContext. The LLM doesn't decide whether to load skills —
+ * this script does.
+ *
+ * Hook event: SubagentStart
+ * Input: JSON via stdin with agent_type field
+ * Output: JSON to stdout with hookSpecificOutput.additionalContext
+ */
+
+import { readFileSync } from 'node:fs';
+import { join } from 'node:path';
+
+// ─── Agent → Required Skills mapping ───────────────────────────────────────
+// This is the single source of truth for which skills each agent MUST use.
+// Update this map when adding new agents or skills.
+const AGENT_SKILLS = {
+  'ux-designer': {
+    inject: ['.github/skills/web-design-guidelines/SKILL.md'],
+    readFile: [
+      '.github/skills/framer-components/SKILL.md',
+      '.github/prompts/ui-ux-pro-max/PROMPT.md',
+    ],
+  },
+  'developer': {
+    inject: ['.github/skills/vercel-react-best-practices/SKILL.md'],
+    readFile: [
+      '.github/skills/shadcn-ui/SKILL.md',
+      '.github/skills/vercel-react-best-practices/AGENTS.md',
+    ],
+  },
+  'product-manager': {
+    inject: [],
+    readFile: ['.github/skills/prd/SKILL.md'],
+  },
+  'security-reviewer': {
+    inject: [],
+    readFile: ['.github/skills/security-analysis/SKILL.md'],
+  },
+  'tester': {
+    inject: ['.github/skills/web-design-guidelines/SKILL.md'],
+    readFile: [],
+  },
+  'researcher': {
+    inject: ['.github/skills/web-search/SKILL.md'],
+    readFile: [],
+  },
+};
+
+// ─── Read stdin ────────────────────────────────────────────────────────────
+let input = '';
+for await (const chunk of process.stdin) {
+  input += chunk;
+}
+
+let data;
+try {
+  data = JSON.parse(input);
+} catch {
+  // If we can't parse input, exit cleanly — don't block the subagent
+  process.stdout.write(JSON.stringify({ continue: true }));
+  process.exit(0);
+}
+
+const agentType = data.agent_type;
+const cwd = data.cwd || process.cwd();
+
+// ─── Look up skills for this agent ─────────────────────────────────────────
+const config = AGENT_SKILLS[agentType];
+
+if (!config) {
+  // Unknown agent type — no skill enforcement needed
+  process.stdout.write(JSON.stringify({ continue: true }));
+  process.exit(0);
+}
+
+// ─── Build the injection context ───────────────────────────────────────────
+const sections = [];
+
+sections.push('## ⚡ SKILL ENFORCEMENT — INJECTED BY HOOK (NON-NEGOTIABLE)');
+sections.push('');
+sections.push(`You are \`${agentType}\`. The following skills are MANDATORY for your work.`);
+sections.push('This context was injected by the skill-enforcement hook — not by your own instructions.');
+sections.push('You MUST apply these rules. Ignoring them is a compliance violation.');
+sections.push('');
+
+// Inject small skill files directly into context
+if (config.inject.length > 0) {
+  sections.push('### Skills loaded into context (apply immediately):');
+  sections.push('');
+
+  for (const skillPath of config.inject) {
+    try {
+      const fullPath = join(cwd, skillPath);
+      const content = readFileSync(fullPath, 'utf8');
+      sections.push(`#### ${skillPath}`);
+      sections.push('');
+      sections.push(content);
+      sections.push('');
+    } catch (err) {
+      sections.push(`> ⚠️ WARNING: Could not load ${skillPath}: ${err.message}`);
+      sections.push(`> You MUST use readFile to load this skill manually.`);
+      sections.push('');
+    }
+  }
+}
+
+// For larger skill files, mandate readFile as first action
+if (config.readFile.length > 0) {
+  sections.push('### Skills to load via readFile (MANDATORY FIRST STEP):');
+  sections.push('');
+  sections.push('Before doing ANY work, you MUST read these files using the readFile tool:');
+  sections.push('');
+  for (const skillPath of config.readFile) {
+    sections.push(`- \`${skillPath}\``);
+  }
+  sections.push('');
+  sections.push('Do NOT proceed with any task until you have read ALL of the above files.');
+  sections.push('After reading, briefly confirm which key patterns you will apply.');
+  sections.push('');
+}
+
+const additionalContext = sections.join('\n');
+
+// ─── Output ────────────────────────────────────────────────────────────────
+const output = {
+  continue: true,
+  hookSpecificOutput: {
+    hookEventName: 'SubagentStart',
+    additionalContext,
+  },
+};
+
+process.stdout.write(JSON.stringify(output));

package/templates/.github/hooks/scripts/verify-skills.mjs

@@ -0,0 +1,47 @@
+#!/usr/bin/env node
+
+/**
+ * Skill Verification Hook — SubagentStop / Agent Stop
+ *
+ * Fires when a subagent completes (or an agent stops). On the FIRST stop
+ * attempt, blocks and asks the agent to confirm it applied its required skills.
+ * On the second attempt (stop_hook_active=true), lets it through.
+ *
+ * This is a lightweight enforcement gate — not a deep analysis of output.
+ * The real skill content was already injected by inject-skills.mjs at
+ * SubagentStart. This hook just forces a final compliance check.
+ */
+
+let input = '';
+for await (const chunk of process.stdin) {
+  input += chunk;
+}
+
+let data;
+try {
+  data = JSON.parse(input);
+} catch {
+  process.stdout.write(JSON.stringify({ continue: true }));
+  process.exit(0);
+}
+
+// If this is a retry (stop_hook_active), let the agent complete
+if (data.stop_hook_active) {
+  process.stdout.write(JSON.stringify({ continue: true }));
+  process.exit(0);
+}
+
+// First stop attempt — block and request skill verification
+const output = {
+  hookSpecificOutput: {
+    hookEventName: 'Stop',
+    decision: 'block',
+    reason:
+      'Before finishing: Confirm you loaded and applied your MANDATORY skills. ' +
+      'If you were injected skill context by the enforcement hook, state which ' +
+      'key rules you applied. If you did NOT read your required skill files, ' +
+      'read them now and verify your work complies.',
+  },
+};
+
+process.stdout.write(JSON.stringify(output));

package/templates/.github/hooks/skill-enforcement.json

@@ -0,0 +1,18 @@
+{
+  "hooks": {
+    "SubagentStart": [
+      {
+        "type": "command",
+        "command": "node .github/hooks/scripts/inject-skills.mjs",
+        "timeout": 15
+      }
+    ],
+    "SubagentStop": [
+      {
+        "type": "command",
+        "command": "node .github/hooks/scripts/verify-skills.mjs",
+        "timeout": 10
+      }
+    ]
+  }
+}

package/templates/.github/pull_request_template.md

@@ -0,0 +1,48 @@
+## Summary
+
+<!-- Brief description of what this PR does -->
+
+## Changes
+
+<!-- List the specific changes made -->
+- 
+- 
+- 
+
+## Testing
+
+<!-- How you tested these changes -->
+
+- [ ] All existing tests pass (`npm test`)
+- [ ] Added new tests for new functionality
+- [ ] Manually verified changes work as expected
+
+## Security Considerations
+
+<!-- Any security implications or mitigations -->
+
+- [ ] No new security risks introduced
+- [ ] Security scans pass (`npm audit`, gitleaks)
+- [ ] Follows security guidelines in [SECURITY.md](../SECURITY.md)
+
+## Documentation
+
+- [ ] Updated relevant docs
+- [ ] Added/updated code comments
+- [ ] Updated [CHANGELOG.md](../CHANGELOG.md)
+
+## Checklist
+
+- [ ] Branch follows naming convention (see [CONTRIBUTING.md](../CONTRIBUTING.md))
+- [ ] Tests pass
+- [ ] Security scans pass
+- [ ] Documentation updated
+- [ ] Commit messages are descriptive
+- [ ] Changes are minimal and focused
+
+---
+
+<!-- 
+For more details, see CONTRIBUTING.md
+Questions? Open a discussion or ask in the PR comments.
+-->