cfsa-antigravity 2.0.0 → 2.2.0

package/template/.agent/skills/regex-patterns/references/go.md

@@ -0,0 +1,44 @@
+# Go Regex Patterns
+
+Language-specific API for the `regex-patterns` skill. Read `SKILL.md` first for universal syntax.
+
+---
+
+## Core API
+
+```go
+package main
+
+import (
+    "fmt"
+    "regexp"
+)
+
+func main() {
+    // Compile (returns error)
+    re, err := regexp.Compile(`^hello\s+(\w+)$`)
+    if err != nil {
+        panic(err)
+    }
+
+    // MustCompile panics on invalid pattern (for constants)
+    re = regexp.MustCompile(`\d+`)
+
+    // Methods
+    matched := re.MatchString("hello world")           // bool
+    result := re.FindString("abc 123 def")              // "123"
+    allResults := re.FindAllString("a1 b2 c3", -1)     // ["1", "2", "3"]
+    submatch := re.FindStringSubmatch("hello world")    // ["hello world", "world"]
+    replaced := re.ReplaceAllString("foo 123", "NUM")   // "foo NUM"
+
+    fmt.Println(matched, result, allResults, submatch, replaced)
+}
+```
+
+## Important: RE2 Engine
+
+Go uses the **RE2 engine** which guarantees linear-time execution (no ReDoS). Trade-off:
+- ✅ No backtracking — immune to ReDoS
+- ❌ No backreferences (`\1`)
+- ❌ No lookahead/lookbehind
+- ✅ Supports `\p{L}` Unicode properties

package/template/.agent/skills/regex-patterns/references/javascript.md

@@ -0,0 +1,63 @@
+# JavaScript Regex Patterns
+
+Language-specific API for the `regex-patterns` skill. Read `SKILL.md` first for universal syntax.
+
+---
+
+## Syntax
+
+```javascript
+// Literal
+const re = /^hello\s+(\w+)$/i;
+
+// Constructor (dynamic patterns)
+const pattern = 'hello';
+const re2 = new RegExp(`^${escapeRegExp(pattern)}$`, 'i');
+
+// Escape special characters
+function escapeRegExp(str) {
+  return str.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+}
+```
+
+## Methods
+
+```javascript
+str.match(re)                    // Match array or null
+[...str.matchAll(/\d+/g)]       // Iterator of all matches
+str.replace(/foo/g, 'bar')      // Replace
+str.split(/[,;\s]+/)            // Split
+re.test(str)                    // Boolean
+```
+
+## Named Groups
+
+```javascript
+const { groups } = /(?<year>\d{4})-(?<month>\d{2})/.exec('2025-06');
+// groups.year === '2025'
+```
+
+## Unicode
+
+```javascript
+// Requires /u or /v flag
+/\p{L}+/u                  // Any letter (any script)
+/\p{Nd}+/u                 // Decimal digit (any script)
+/[\p{L}\p{M}]+/u           // Unicode-aware word matching
+/\p{Script=Greek}+/u       // Script-specific
+```
+
+## Number Formatting with Lookaround
+
+```javascript
+'1234567'.replace(/\B(?=(\d{3})+(?!\d))/g, ',');
+// "1,234,567"
+```
+
+## ReDoS Prevention
+
+```javascript
+// No built-in timeout — use re2 package for linear-time engine
+const RE2 = require('re2');
+const re = new RE2(/pattern/);
+```

package/template/.agent/skills/regex-patterns/references/python.md

@@ -0,0 +1,77 @@
+# Python Regex Patterns
+
+Language-specific API for the `regex-patterns` skill. Read `SKILL.md` first for universal syntax.
+
+---
+
+## Core API
+
+```python
+import re
+
+# Compile for reuse
+pattern = re.compile(r'^hello\s+(\w+)$', re.IGNORECASE)
+
+# Methods
+match = pattern.match(string)          # Match at start
+match = pattern.search(string)         # Search anywhere
+matches = pattern.findall(string)      # All matches (list)
+matches = pattern.finditer(string)     # Iterator of Match objects
+result = pattern.sub(r'bar', string)   # Replace
+parts = pattern.split(string)          # Split
+
+# Match object
+if match:
+    match.group(0)           # Full match
+    match.group(1)           # First capture group
+    match.group('name')      # Named group
+    match.start()            # Start position
+    match.end()              # End position
+
+# Raw strings: ALWAYS use r'...' for regex
+# r'\n' is literal backslash-n, not a newline
+```
+
+## Named Groups
+
+```python
+pattern = r'(?P<year>\d{4})-(?P<month>\d{2})-(?P<day>\d{2})'
+match = re.match(pattern, '2025-06-15')
+match.group('year')   # '2025'
+```
+
+## Verbose Mode
+
+```python
+pattern = re.compile(r"""
+    ^                       # Start of string
+    (?P<protocol>https?)    # Protocol
+    ://                     # Separator
+    (?P<domain>             # Domain group
+        [a-zA-Z0-9.-]+     #   Domain name
+        \.[a-zA-Z]{2,}     #   TLD
+    )
+    (?P<path>/\S*)?         # Optional path
+    $                       # End of string
+""", re.VERBOSE)
+```
+
+## ReDoS Prevention
+
+```python
+# Use the 'regex' package with timeout
+import regex
+try:
+    regex.match(r'(a+)+$', input_string, timeout=1.0)
+except regex.error:
+    pass  # Timed out
+```
+
+## Unicode
+
+```python
+# Python re does NOT support \p{} syntax
+# Use the 'regex' package for Unicode property support:
+import regex
+regex.findall(r'\p{L}+', text)  # All letters (any script)
+```

package/template/.agent/skills/regex-patterns/references/rust.md

@@ -0,0 +1,43 @@
+# Rust Regex Patterns
+
+Language-specific API for the `regex-patterns` skill. Read `SKILL.md` first for universal syntax.
+
+---
+
+## Core API
+
+```rust
+use regex::Regex;
+
+fn main() {
+    // Compile
+    let re = Regex::new(r"^hello\s+(\w+)$").unwrap();
+
+    // Methods
+    let is_match = re.is_match("hello world");               // bool
+    let caps = re.captures("hello world").unwrap();
+    let name = &caps[1];                                      // "world"
+
+    // Named captures
+    let re = Regex::new(r"(?P<year>\d{4})-(?P<month>\d{2})").unwrap();
+    let caps = re.captures("2025-06").unwrap();
+    let year = &caps["year"];   // "2025"
+
+    // Find all matches
+    let re = Regex::new(r"\d+").unwrap();
+    let matches: Vec<&str> = re.find_iter("a1 b2 c3").map(|m| m.as_str()).collect();
+    // ["1", "2", "3"]
+
+    // Replace
+    let result = re.replace_all("foo 123 bar 456", "NUM");
+    // "foo NUM bar NUM"
+}
+```
+
+## Important: Engine Limitations
+
+The `regex` crate uses finite automata (like RE2):
+- ✅ Guaranteed linear-time — immune to ReDoS
+- ❌ No backreferences by default
+- ❌ No lookahead/lookbehind by default
+- Use the **`fancy-regex`** crate for those features (trades ReDoS safety for feature completeness)

package/template/.agent/skills/resolve-ambiguity/SKILL.md

@@ -50,7 +50,7 @@ If these files contain `{{PLACEHOLDER}}` values, the information hasn't been dec
 **Check second — the pipeline's own output**
 
 The answer may already exist in a document written by an earlier pipeline stage:
-- `docs/plans/ideation/ideation-index.md` + domain files — Problem, personas, features, constraints, domain map
+- `docs/plans/ideation/ideation-index.md` + fractal domain tree (folder `*-index.md`, `*-cx.md`, and feature files) — Problem, personas, features, constraints, domain map
 - `docs/plans/*-architecture-design.md` — Tech stack, system design, security model
 - `docs/plans/ENGINEERING-STANDARDS.md` — Quality thresholds, performance budgets
 - `docs/plans/ia/*.md` — IA shards (features, data models, access control, edge cases)

package/template/.agent/skills/session-continuity/SKILL.md

@@ -155,7 +155,7 @@ for complex ones.
    ## Slices
 
    - [ ] **Slice 1**: {{DESCRIPTION}} ({{S|M|L}})
-     - [ ] Contract: Zod schema for {{entity}}
+     - [ ] Contract: {{CONTRACT_LIBRARY}} schema for {{entity}}
      - [ ] `BE` API endpoints for {{entity}}
        - [ ] Subtask 1
        - [ ] Subtask 2
@@ -296,7 +296,7 @@ for complex ones.
 
 3. **Write to `memory/patterns.md`** (only for best-practice or anti-pattern):
    ```markdown
-   ### PAT-007: Zod schema coercion for URL params (2026-02-15)
+   ### PAT-007: Schema coercion for URL params (2026-02-15)
    - **Type**: best-practice
    - **Confidence**: 0.7 (applied 1 time)
    - **Context**: Astro API routes receive all params as strings
@@ -354,7 +354,7 @@ for complex ones.
    - [ ] Phase 2, Slice 4 — Rate limiting (blocked on Redis config)
 
    ## Patterns Learned
-   - PAT-007: Zod coercion for URL params
+   - PAT-007: Schema coercion for URL params
 
    ## Next Session
    - Resolve BLK-003 (Redis config)
@@ -643,7 +643,7 @@ The dependency chain follows strict TDD: Red → Green → Verify.
 
 | Phase | Tag | What Happens | Depends On |
 |-------|-----|-------------|------------|
-| 1. Contract | (untagged) | Orchestrator writes Zod schemas | Nothing |
+| 1. Contract | (untagged) | Orchestrator writes {{CONTRACT_LIBRARY}} schemas | Nothing |
 | 2. QA-RED | `QA` | Write comprehensive failing tests from acceptance criteria | Contract `[x]` |
 | 3. BE + FE | `BE`, `FE` | Implement in parallel to make tests pass | QA-RED `[x]` |
 | 4. QA-GREEN | `QA` | Second pass — verify all tests pass, check for cheating, add integration/E2E | BE `[x]` + FE `[x]` |
@@ -695,23 +695,25 @@ Workflows reference this skill's protocols, not its internals:
 | Workflow | Step | Protocol |
 |----------|------|----------|
 | `instructions/workflow.md` | Step 1 (context) | Session Resumption |
+| `instructions/workflow.md` | Step 5 (learn) | Pattern Extraction + Session Close |
+| `rules/completion-checklist.md` | Definition of Done #5 | Pattern Extraction |
+| `rules/completion-checklist.md` | Definition of Done #6 | Session Close |
+| `/create-prd-stack` | Per-axis tech decisions | Decision Effect Analysis |
+| `/create-prd-architecture` | After system architecture approval | Decision Effect Analysis |
 | `/decompose-architecture` | After creating indexes | Spec Pipeline Generation |
+| `/write-architecture-spec` | During data model + access control design | Decision Effect Analysis |
 | `/write-architecture-spec` | After updating IA index | Spec Pipeline Update |
 | `/write-architecture-spec` | Before request review | Ambiguity Gates (micro + macro) |
-| `/write-architecture-spec` | During design choices | Decision Effect Analysis |
 | `/write-be-spec` | After updating BE index | Spec Pipeline Update |
 | `/write-be-spec` | Before request review | Ambiguity Gates (micro + macro) |
 | `/write-fe-spec` | After updating FE index | Spec Pipeline Update |
 | `/write-fe-spec` | Before request review | Ambiguity Gates (micro + macro) |
 | `/plan-phase` | Step 7 | Progress Generation |
-| `/create-prd` | During design choices | Decision Effect Analysis |
 | `/implement-slice` | Step 0 | Session Resumption |
 | `/implement-slice` | Step 1.5 | Parallel Claim |
 | `/implement-slice` | Step 4 (during impl) | Decision Effect Analysis |
+| `/implement-slice` | Step 6 | Parallel Synthesis |
 | `/implement-slice` | Step 7 | Progress Update (incl. claim release) |
-| `/fix-bug` | End | Pattern Extraction |
-| `/refactor` | End | Pattern Extraction |
-| Any workflow | End | Pattern Extraction + Session Close |
 
 ## DO / DON'T
 

package/template/.agent/skills/session-continuity/protocols/02-progress-generation.md

@@ -37,7 +37,7 @@
    ## Slices
 
    - [ ] **Slice 1**: {{DESCRIPTION}} ({{S|M|L}})
-     - [ ] Contract: Zod schema for {{entity}}
+     - [ ] Contract: {{CONTRACT_LIBRARY}} schema for {{entity}}
      - [ ] `BE` API endpoints for {{entity}}
        - [ ] Subtask 1
        - [ ] Subtask 2
@@ -63,7 +63,7 @@
    **Complexity**: {{S|M|L}}
 
    ## Tasks
-   - [ ] Contract: Zod schema for [entity]
+   - [ ] Contract: {{CONTRACT_LIBRARY}} schema for [entity]
    - [ ] `FE` [entity] page and components
    - [ ] `BE` API endpoints for [entity]
 

package/template/.agent/skills/session-continuity/protocols/04-pattern-extraction.md

@@ -27,7 +27,7 @@
 
 3. **Write to `memory/patterns.md`** (only for best-practice or anti-pattern):
    ```markdown
-   ### PAT-007: Zod schema coercion for URL params (2026-02-15)
+   ### PAT-007: Schema coercion for URL params (2026-02-15)
    - **Type**: best-practice
    - **Confidence**: 0.7 (applied 1 time)
    - **Context**: Astro API routes receive all params as strings

package/template/.agent/skills/session-continuity/protocols/05-session-close.md

@@ -26,7 +26,7 @@
    - [ ] Phase 2, Slice 4 — Rate limiting (blocked on Redis config)
 
    ## Patterns Learned
-   - PAT-007: Zod coercion for URL params
+   - PAT-007: Schema coercion for URL params
 
    ## Next Session
    - Resolve BLK-003 (Redis config)

package/template/.agent/skills/session-continuity/protocols/09-parallel-claim.md

@@ -78,7 +78,7 @@ The dependency chain follows strict TDD: Red → Green → Verify.
 
 | Phase | Tag | What Happens | Depends On |
 |-------|-----|-------------|------------|
-| 1. Contract | (untagged) | Orchestrator writes Zod schemas | Nothing |
+| 1. Contract | (untagged) | Orchestrator writes {{CONTRACT_LIBRARY}} schemas | Nothing |
 | 2. QA-RED | `QA` | Write comprehensive failing tests from acceptance criteria | Contract `[x]` |
 | 3. BE + FE | `BE`, `FE` | Implement in parallel to make tests pass | QA-RED `[x]` |
 | 4. QA-GREEN | `QA` | Second pass — verify all tests pass, check for cheating, add integration/E2E | BE `[x]` + FE `[x]` |

package/template/.agent/skills/session-continuity/protocols/10-placeholder-verification-gate.md

@@ -1,104 +1,83 @@
-> **Framework context required**: This is a protocol excerpt. Before following these steps, read `.agent/skills/session-continuity/SKILL.md` for the complete framework — including the Adaptive Granularity Rule, Level Hierarchy Reference, Frozen Files concept, and Parallel Claim protocol. Protocol files are reference documents for specific steps, not standalone instructions.
+# Protocol 10: Surface Stack Map Verification Gate
 
-# Placeholder Verification Gate Protocol
+## Purpose
 
-## Overview
+Specification and implementation workflows must verify the surface stack map is populated **before** any skill reads. This prevents spec authoring from running with empty map cells, which would produce patterns incompatible with the chosen tech stack.
 
-Specification workflows that read `{{PLACEHOLDER}}`-dependent skill paths must verify those placeholders are filled **before** any skill reads. This prevents spec authoring from running with unfilled stack placeholders, which would produce patterns incompatible with the chosen tech stack.
+> **Note**: As of v3, workflows no longer use `{{PLACEHOLDER}}` values for skill paths. Instead, they read skill names from the surface stack map in `.agent/instructions/tech-stack.md`. This gate verifies map completeness.
 
-## When to Use
+## How to Apply
 
-Add a **Step 0 — Placeholder guard** to any specification workflow that reads `{{PLACEHOLDER}}` values as skill paths. The guard runs before all other steps, including re-run checks and prerequisite validations.
+Add a **Step 0 — Map guard** to any specification or implementation workflow that reads skills from the surface stack map. The guard runs before all other steps, including re-run checks and prerequisite validations.
 
-## Key Constraint
+## Guard Logic
 
-**No auto-refire of bootstrap.** The agent stops and tells the user exactly what to run. The guard does not attempt to call `/bootstrap-agents` itself — it emits a HARD STOP with the exact recovery command.
+### 1. Read the surface stack map
 
-## Four-Part Hard Stop Message Structure
+Read `.agent/instructions/tech-stack.md` and parse both tables:
+- **Per-Surface Skills** — One row per surface
+- **Cross-Cutting Skills** — Project-wide categories
 
-When any placeholder contains literal `{{` characters, emit this message for **each** unfilled placeholder:
+### 2. Determine required cells
 
-> ❌ **Bootstrap incomplete — cannot proceed.**
->
-> **Unfilled placeholder:** `{{PLACEHOLDER_NAME}}`
->
-> **Recovery:** If `docs/plans/*-architecture-design.md` exists, read it and extract the confirmed [tech decision] value, then run `/bootstrap-agents` with `KEY=<confirmed-value>`. If no architecture design document exists, run `/create-prd-stack` first to confirm tech stack decisions.
->
-> **Why this matters:** [specific step] cannot produce correct output without this skill — [concrete consequence of proceeding without it].
+Based on the workflow type, identify which columns/categories must have filled values:
 
----
+| Workflow Type | Required Per-Surface Columns | Required Cross-Cutting Categories |
+|---|---|---|
+| **IA spec** (`write-architecture-spec-*`) | Databases | Security, Surfaces |
+| **BE spec** (`write-be-spec-*`) | Languages, Databases, BE Frameworks, ORMs, Unit Tests | Auth |
+| **FE spec** (`write-fe-spec-*`) | Languages, FE Frameworks, FE Design, State Mgmt | Accessibility |
+| **Implementation** (`implement-slice-*`) | Languages, Unit Tests, E2E Tests + surface-specific | All |
+| **Validation** (`validate-phase`) | All | All |
+| **Architecture** (`create-prd-architecture`) | Databases, ORMs | Hosting |
+| **Security** (`create-prd-security`) | — | Security, Auth |
+| **Compile** (`create-prd-compile`) | Unit Tests, E2E Tests | CI/CD |
 
-## Per-Workflow Placeholder Mappings
+### 3. Check for empty cells
 
-### `create-prd-architecture`
+For each required cell, verify it contains at least one skill name (not `—`, not empty, not a `{{` literal).
 
-**Frontmatter:** `requires_placeholders: [HOSTING_SKILL, ORM_SKILL, DATABASE_SKILLS]`
+### 4. Hard stop on empty cells
 
-| Placeholder | Filled by | Recovery | Why this matters |
-|---|---|---|---|
-| `{{HOSTING_SKILL}}` | `/create-prd-stack` when hosting provider is confirmed | If `docs/plans/*-architecture-design.md` exists, read it and extract the confirmed hosting provider, then run `/bootstrap-agents HOSTING=<confirmed-provider>`. Otherwise run `/create-prd-stack` first. | Data strategy and schema design steps (Steps 4 and 5) cannot run without the hosting skill — deployment topology decisions will lack provider-specific conventions. |
-| `{{ORM_SKILL}}` | `/create-prd-stack` when ORM is confirmed | If `docs/plans/*-architecture-design.md` exists, read it and extract the confirmed ORM, then run `/bootstrap-agents ORM=<confirmed-orm>`. Otherwise run `/create-prd-stack` first. | Migration strategy (Step 5.4) cannot run without the ORM skill — schema conventions and migration patterns will be generic instead of stack-specific. |
-| `{{DATABASE_SKILLS}}` | `/create-prd-stack` when database technology is confirmed | If `docs/plans/*-architecture-design.md` exists, read it and extract the confirmed database, then run `/bootstrap-agents DATABASE=<confirmed-db>`. Otherwise run `/create-prd-stack` first. | Data strategy (Step 5) cannot run without the database skill — schema design patterns will be incompatible with the chosen database. |
+When ANY required cell is empty, emit this message for **each** empty cell:
 
-### `write-architecture-spec-design`
+> **Empty map cell:** `{column}` for surface `{surface}`
+> **Filled by:** `/create-prd-stack` when the {component} is confirmed
+> **Recovery:** Run `/create-prd-stack` first to make tech stack decisions, then `/bootstrap-agents` to populate the map.
+> **Impact:** Without this skill, {downstream impact description}.
 
-**Frontmatter:** `requires_placeholders: [DATABASE_SKILLS, SECURITY_SKILLS]`
+Then emit:
 
-| Placeholder | Filled by | Recovery | Why this matters |
-|---|---|---|---|
-| `{{DATABASE_SKILLS}}` | `/create-prd-stack` when database technology is confirmed | If `docs/plans/*-architecture-design.md` exists, read it and extract the confirmed database, then run `/bootstrap-agents DATABASE=<confirmed-db>`. Otherwise run `/create-prd-stack` first. | Data model design (Step 4) would produce schema patterns incompatible with the chosen database. |
-| `{{SECURITY_SKILLS}}` | `/create-prd-stack` when security tooling is confirmed | If `docs/plans/*-architecture-design.md` exists, read it and extract the confirmed security framework, then run `/bootstrap-agents SECURITY=<confirmed-framework>`. Otherwise run `/create-prd-stack` first. | Edge case and attack surface analysis (Step 7) would run without the project's security skill, missing stack-specific threat vectors. |
+> ⛔ **HARD STOP** — {N} map cell(s) are empty. This workflow cannot proceed without populated stack data. See recovery steps above.
 
-### `write-fe-spec-classify`
+### 5. Timing fallback (create-prd context)
 
-**Frontmatter:** `requires_placeholders: [LANGUAGE_SKILL, FRONTEND_FRAMEWORK_SKILL, FRONTEND_DESIGN_SKILL, ACCESSIBILITY_SKILL, STATE_MANAGEMENT_SKILL]`
+During `/create-prd`, the map is being built incrementally. If a cell is empty but the value was just confirmed in the current conversation (from `/create-prd-stack`), the workflow may proceed using the conversation-confirmed value. Bootstrap will fill the map after `/create-prd` completes.
 
-| Placeholder | Filled by | Recovery | Why this matters |
-|---|---|---|---|
-| `{{LANGUAGE_SKILL}}` | `/create-prd-stack` when the primary language is confirmed | If `docs/plans/*-architecture-design.md` exists, read it and extract the confirmed language, then run `/bootstrap-agents LANGUAGE=<confirmed-language>`. Otherwise run `/create-prd-stack` first. | FE spec components would be written without the correct language skill, producing patterns incompatible with the chosen language. |
-| `{{FRONTEND_FRAMEWORK_SKILL}}` | `/create-prd-stack` when the frontend framework is confirmed | If `docs/plans/*-architecture-design.md` exists, read it and extract the confirmed frontend framework, then run `/bootstrap-agents FRONTEND_FRAMEWORK=<confirmed-framework>`. Otherwise run `/create-prd-stack` first. | FE spec components would be written without the correct framework skill, producing patterns incompatible with the chosen framework. |
-| `{{FRONTEND_DESIGN_SKILL}}` | `/create-prd-stack` when the frontend design system is confirmed | If `docs/plans/*-architecture-design.md` exists, read it and extract the confirmed design system, then run `/bootstrap-agents FRONTEND_DESIGN=<confirmed-design>`. Otherwise run `/create-prd-stack` first. | FE spec components would be written without the correct design skill, producing visual patterns incompatible with the chosen design system. |
-| `{{ACCESSIBILITY_SKILL}}` | `/create-prd-stack` when accessibility tooling is confirmed | If `docs/plans/*-architecture-design.md` exists, read it and extract the confirmed accessibility tooling, then run `/bootstrap-agents ACCESSIBILITY=<confirmed-tooling>`. Otherwise run `/create-prd-stack` first. | FE spec components would lack stack-specific accessibility patterns and WCAG implementation guidance. |
-| `{{STATE_MANAGEMENT_SKILL}}` | `/create-prd-stack` when state management is confirmed | If `docs/plans/*-architecture-design.md` exists, read it and extract the confirmed state management library, then run `/bootstrap-agents STATE_MANAGEMENT=<confirmed-library>`. Otherwise run `/create-prd-stack` first. | FE spec components would be written without the correct state management conventions, producing patterns incompatible with the chosen state library. |
+This fallback **only** applies to workflows invoked within the `/create-prd` orchestrator. Standalone invocations must have the map populated.
 
----
+## Recovery Table
 
-## Reference Implementation
+| Empty Cell (Per-Surface) | Recovery Command |
+|---|---|
+| Languages | `/create-prd-stack` → confirm language |
+| Databases | `/create-prd-stack` → confirm database(s) |
+| BE Frameworks | `/create-prd-stack` → confirm backend framework |
+| FE Frameworks | `/create-prd-stack` → confirm frontend framework |
+| ORMs | `/create-prd-stack` → confirm ORM |
+| Unit Tests | `/create-prd-stack` → confirm unit testing framework |
+| E2E Tests | `/create-prd-stack` → confirm E2E testing framework |
+| FE Design | `/create-prd-stack` → confirm frontend design approach |
+| State Mgmt | `/create-prd-stack` → confirm state management library |
 
-`write-be-spec-classify.md` Step 2.5 is the canonical example of a correctly implemented placeholder guard. It follows the exact four-part message structure and demonstrates the scan-then-stop pattern.
+| Empty Cell (Cross-Cutting) | Recovery Command |
+|---|---|
+| Auth | `/create-prd-stack` → confirm auth provider |
+| Security | `/create-prd-stack` → confirm security framework |
+| CI/CD | `/create-prd-stack` → confirm CI/CD platform |
+| Hosting | `/create-prd-stack` → confirm hosting provider |
+| Accessibility | `/create-prd-stack` → confirm accessibility tooling |
 
----
+## Commands verification
 
-## Additional Per-Workflow Placeholder Mappings
-
-### `create-prd-security`
-
-**Frontmatter:** `requires_placeholders: [SECURITY_SKILLS, AUTH_SKILL]`
-
-| Placeholder | Filled by | Recovery | Why this matters |
-|---|---|---|---|
-| `{{SECURITY_SKILLS}}` | `/create-prd-stack` when security tooling is confirmed | If `docs/plans/*-architecture-design.md` exists, read it and extract the confirmed security framework, then run `/bootstrap-agents SECURITY=<confirmed-framework>`. Otherwise run `/create-prd-stack` first. | Security model (Step 6) cannot produce stack-specific threat analysis without the security skill — the model will miss framework-specific attack vectors. |
-| `{{AUTH_SKILL}}` | `/create-prd-stack` when auth provider is confirmed | If `docs/plans/*-architecture-design.md` exists, read it and extract the confirmed auth provider, then run `/bootstrap-agents AUTH=<confirmed-provider>`. Otherwise run `/create-prd-stack` first. | Authentication design (Step 6.1) cannot produce correct auth flows without the auth skill — identity provider conventions and token handling will be generic. |
-
-### `create-prd-compile`
-
-**Frontmatter:** `requires_placeholders: [UNIT_TESTING_SKILL, E2E_TESTING_SKILL, CI_CD_SKILL]`
-
-| Placeholder | Filled by | Recovery | Why this matters |
-|---|---|---|---|
-| `{{UNIT_TESTING_SKILL}}` | `/create-prd-stack` when the unit testing framework is confirmed | If `docs/plans/*-architecture-design.md` exists, read it and extract the confirmed unit testing framework, then run `/bootstrap-agents UNIT_TESTING=<confirmed-framework>`. Otherwise run `/create-prd-stack` first. | Development methodology (Step 8) cannot document correct test conventions without the unit testing skill — TDD patterns will be generic instead of framework-specific. |
-| `{{E2E_TESTING_SKILL}}` | `/create-prd-stack` when the E2E testing framework is confirmed | If `docs/plans/*-architecture-design.md` exists, read it and extract the confirmed E2E testing framework, then run `/bootstrap-agents E2E_TESTING=<confirmed-framework>`. Otherwise run `/create-prd-stack` first. | Development methodology (Step 8) cannot document correct E2E test conventions without the E2E testing skill — integration test patterns will be generic. |
-| `{{CI_CD_SKILL}}` | `/create-prd-stack` when CI/CD platform is confirmed | If `docs/plans/*-architecture-design.md` exists, read it and extract the confirmed CI/CD platform, then run `/bootstrap-agents CI_CD=<confirmed-platform>`. Otherwise run `/create-prd-stack` first. | Phasing strategy (Step 9) cannot produce correct pipeline configuration without the CI/CD skill — deployment and quality gate patterns will lack platform-specific conventions. |
-
-### `write-be-spec-classify`
-
-**Frontmatter:** `requires_placeholders: [LANGUAGE_SKILL, DATABASE_SKILLS, AUTH_SKILL, BACKEND_FRAMEWORK_SKILL, ORM_SKILL, UNIT_TESTING_SKILL]`
-
-| Placeholder | Filled by | Recovery | Why this matters |
-|---|---|---|---|
-| `{{LANGUAGE_SKILL}}` | `/create-prd-stack` when the primary language is confirmed | If `docs/plans/*-architecture-design.md` exists, read it and extract the confirmed language, then run `/bootstrap-agents LANGUAGE=<confirmed-language>`. Otherwise run `/create-prd-stack` first. | BE spec code conventions would be written without the correct language skill, producing patterns incompatible with the chosen language. |
-| `{{DATABASE_SKILLS}}` | `/create-prd-stack` when database technology is confirmed | If `docs/plans/*-architecture-design.md` exists, read it and extract the confirmed database, then run `/bootstrap-agents DATABASE=<confirmed-db>`. Otherwise run `/create-prd-stack` first. | Schema design and query patterns would be incompatible with the chosen database. |
-| `{{AUTH_SKILL}}` | `/create-prd-stack` when auth provider is confirmed | If `docs/plans/*-architecture-design.md` exists, read it and extract the confirmed auth provider, then run `/bootstrap-agents AUTH=<confirmed-provider>`. Otherwise run `/create-prd-stack` first. | Authentication middleware and token handling would use generic patterns instead of provider-specific conventions. |
-| `{{BACKEND_FRAMEWORK_SKILL}}` | `/create-prd-stack` when the backend framework is confirmed | If `docs/plans/*-architecture-design.md` exists, read it and extract the confirmed backend framework, then run `/bootstrap-agents BACKEND_FRAMEWORK=<confirmed-framework>`. Otherwise run `/create-prd-stack` first. | Route definitions, middleware patterns, and request handling would be framework-agnostic instead of following confirmed framework conventions. |
-| `{{ORM_SKILL}}` | `/create-prd-stack` when ORM is confirmed | If `docs/plans/*-architecture-design.md` exists, read it and extract the confirmed ORM, then run `/bootstrap-agents ORM=<confirmed-orm>`. Otherwise run `/create-prd-stack` first. | Migration patterns and schema conventions would be generic instead of ORM-specific. |
-| `{{UNIT_TESTING_SKILL}}` | `/create-prd-stack` when the unit testing framework is confirmed | If `docs/plans/*-architecture-design.md` exists, read it and extract the confirmed unit testing framework, then run `/bootstrap-agents UNIT_TESTING=<confirmed-framework>`. Otherwise run `/create-prd-stack` first. | Test writing conventions would use generic patterns instead of framework-specific assertions and utilities. |
+Additionally verify that `.agent/instructions/commands.md` has non-template values. If the commands section still contains `{{COMMAND_SECTIONS}}`, run `/bootstrap-agents` to fill it.

package/template/.agent/skills/session-continuity/protocols/11-parallel-synthesis.md

@@ -17,5 +17,5 @@ This gives you a checklist to resume from if the session is interrupted during s
    - Update shared contracts if needed
    - Install any new dependencies
    - Wire cross-surface integrations
-3. **Run full validation** — run `{{VALIDATION_COMMAND}}` after synthesis
+3. **Run full validation** — run the Validation Cmd from `.agent/instructions/commands.md` after synthesis
 4. **Create synthesis report** per the `parallel-agents` skill (Synthesize step)

package/template/.agent/skills/spec-writing/SKILL.md

@@ -21,7 +21,7 @@ Write one section at a time in document order. Before writing section N+1, re-re
 
 - For BE specs, the upstream source is the IA shard
 - For FE specs, the upstream source is the BE spec
-- For IA shards, the upstream sources are `ideation-index.md` (+ domain files) and `architecture-design.md`
+- For IA shards, the upstream sources are `ideation-index.md` (+ the relevant domain folder's `*-index.md`, `*-cx.md`, and feature files) and `architecture-design.md`
 
 **Hard rules:**