cfsa-antigravity 2.4.0 → 2.5.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cfsa-antigravity",
-  "version": "2.4.0",
+  "version": "2.5.0",
   "description": "CFSA Pipeline — Constraint-First Specification Architecture for AI agents. Production-grade from line one.",
   "scripts": {
     "changeset": "changeset",

package/template/.agent/kit-sync.md

@@ -1,6 +1,6 @@
 # Kit Sync State
 
 upstream: https://github.com/RepairYourTech/cfsa-antigravity
-last_synced_commit: d5fb37b9e886719e436a6ca52bb9c94ab839acb6
-last_synced_at: 2026-03-16T23:22:30Z
-kit_version: 2.4.0
+last_synced_commit: dcc4be60e1815572706beb831a87daed6d7b0f14
+last_synced_at: 2026-03-17T00:12:26Z
+kit_version: 2.5.0

package/template/.agent/workflows/create-prd-compile.md

@@ -53,6 +53,8 @@ Document the agreed approach:
 4. **Spec layers** — IA → BE → FE pipeline
 5. **Quality gates** — What must pass before merge
 
+Write the completed `## Development Methodology` section to `docs/plans/architecture-draft.md` immediately after user confirmation.
+
 ## 9. Phasing strategy
 
 Load the CI/CD skill(s) from the cross-cutting section per the skill loading protocol.
@@ -77,6 +79,8 @@ Each phase should have a rough timeline estimate and must pass the full validati
 
 Refine based on discussion before proceeding.
 
+Write the completed `## Phasing Strategy` section to `docs/plans/architecture-draft.md` immediately after user confirmation.
+
 ## 9.5. Lock project directory structure
 
 Based on the locked tech stack, generate a canonical directory tree.

package/template/.agent/workflows/create-prd-security.md

@@ -76,6 +76,8 @@ Refine based on discussion before proceeding.
 
 If the security model confirmed a specific security framework or compliance approach (e.g., crypto patterns, custom HSM approach), read `.agent/workflows/bootstrap-agents.md` and invoke `/bootstrap-agents SECURITY=[confirmed value]` to provision additional skills. Note: surface-triggered security skills (`owasp-web-security`, `csp-cors-headers`, `input-sanitization`, `api-security-checklist`, `dependency-auditing`, `desktop-security-sandboxing`) are provisioned automatically by bootstrap when surfaces are confirmed in `/create-prd-stack` — no manual fire needed for those.
 
+Write the completed `## Security Model` section to `docs/plans/architecture-draft.md` immediately after user confirmation. Do not wait for later steps.
+
 ## 6.5. Attack Surface Review
 
 Read .agent/skills/security-scanning-security-hardening/SKILL.md and follow its Attack Surface Review Protocol for each surface confirmed in /create-prd-stack. Apply Universal checks to all projects, then surface-specific checks conditionally.
@@ -84,6 +86,8 @@ Read .agent/skills/security-scanning-security-hardening/SKILL.md and follow its
 - "Are there any attack vectors I've missed for your specific domain?"
 - "Do the OWASP mechanisms look correct, or are any of them actually handled differently?"
 
+Write the completed `## Security — Attack Surface` section to `docs/plans/architecture-draft.md` immediately after user confirmation.
+
 ## 7. Integration points
 
 For each external service:
@@ -93,6 +97,8 @@ For each external service:
 3. **Fallback strategy** — Graceful degradation plan
 4. **Cost model** — Pricing tier, expected usage
 
+Write the completed `## Integration Points` section to `docs/plans/architecture-draft.md` immediately after user confirmation.
+
 ## 7.5. Observability Architecture
 
 Read .agent/skills/logging-best-practices/SKILL.md and follow its Observability Architecture Interview — all 5 decisions (logging, tracing, alerting, dashboards, retention) must be confirmed. Fire bootstrap per the skill's instructions for each confirmed tool.
@@ -101,7 +107,7 @@ Read .agent/skills/logging-best-practices/SKILL.md and follow its Observability
 - "Are these logging levels and PII exclusions correct for your compliance requirements?"
 - "Are the alerting thresholds appropriate for your expected traffic?"
 
-After the security model (Step 6) is completed and confirmed, write the `## Security Model` section to `docs/plans/architecture-draft.md`. After the attack surface review (Step 6.5) is completed and confirmed, write the `## Security — Attack Surface` section to `docs/plans/architecture-draft.md`. After the integration points (Step 7) are completed and confirmed, write the `## Integration Points` section to `docs/plans/architecture-draft.md`. After the observability architecture (Step 7.5) is completed and confirmed, write the `## Observability Architecture` section to `docs/plans/architecture-draft.md`. Do not wait until the end — write each section as it is completed.
+Write the completed `## Observability Architecture` section to `docs/plans/architecture-draft.md` immediately after user confirmation.
 
 ### Propose next step
 

package/template/.agent/workflows/write-architecture-spec-design.md

@@ -82,6 +82,9 @@ Read `.agent/skills/brainstorming/SKILL.md` and use it to explore any remaining
 
 > **Authoring pattern for Steps 2–7**: After designing each section, (1) present it to the user with the targeted review questions listed below, (2) refine based on their feedback, (3) write the completed section to `docs/plans/ia/[shard-name].md` immediately — do not batch writes until Step 8.
 
+> [!IMPORTANT]
+> **Write-as-you-go is mandatory.** Each section (Steps 2–7) must be written to `docs/plans/ia/[shard-name].md` immediately after user confirmation. If the conversation truncates, all confirmed sections must survive on disk. Never hold confirmed content in-memory waiting for a later write step.
+
 ## 2. Map all interactions
 
 For each feature in the shard, document:
@@ -92,6 +95,8 @@ For each feature in the shard, document:
 
 **Review questions**: "Does this capture all the ways a user touches this domain?" / "Are there admin/system-initiated actions I'm missing?" / "What happens in each failure case?"
 
+Write the completed `## Interactions` section to `docs/plans/ia/[shard-name].md` immediately after user confirmation.
+
 ## 3. Define contracts
 
 Read `.agent/skills/prd-templates/references/skill-loading-protocol.md` and load the API Design skill(s) from the cross-cutting section.
@@ -104,6 +109,8 @@ For each interaction, define the contract shape:
 
 **Review questions**: "Are there fields I'm missing from these requests/responses?" / "Are these error codes specific enough?"
 
+Write the completed `## Contracts` section to `docs/plans/ia/[shard-name].md` immediately after user confirmation.
+
 ## 4. Design data models
 
 Read `.agent/skills/prd-templates/references/skill-loading-protocol.md` and load the Databases skill(s) for this shard's surface. Also load:
@@ -115,6 +122,8 @@ Define for each entity: tables/collections, fields, types, relationships, indexe
 
 **Review questions**: "Does this schema capture everything this domain needs to store?" / "Are the relationships and cardinalities correct?" / "Are there derived/computed fields I should account for?"
 
+Write the completed `## Data Models` section to `docs/plans/ia/[shard-name].md` immediately after user confirmation.
+
 > **Decision recording**: For non-trivial data model decisions (schema approach, denormalization trade-offs, index strategy), read `.agent/skills/session-continuity/protocols/06-decision-analysis.md` and follow the **Decision Effect Analysis Protocol**.
 
 ## 5. Design access control
@@ -129,6 +138,8 @@ Read .agent/skills/security-scanning-security-hardening/SKILL.md and apply its a
 
 **Review questions**: "Can you think of a scenario where a user should be blocked that this matrix allows?" / "Can you think of a scenario where a user should be allowed that this matrix blocks?"
 
+Write the completed `## Access Control` section to `docs/plans/ia/[shard-name].md` immediately after user confirmation.
+
 > **Decision recording**: For access control architecture decisions (role hierarchy, ownership model, escalation paths), read `.agent/skills/session-continuity/protocols/06-decision-analysis.md` and follow the **Decision Effect Analysis Protocol**. Record to `memory/decisions.md`.
 
 ## 5.5. Accessibility specifications
@@ -139,12 +150,16 @@ Read `.agent/skills/accessibility/references/ia-spec-checklist.md` and follow it
 
 **If surfaces are `api`, `cli`, or `extension` only:** Write `"Not applicable — no visual surfaces"` in the `## Accessibility` section.
 
+Write the completed `## Accessibility` section to `docs/plans/ia/[shard-name].md` immediately after user confirmation.
+
 ## 6. Design event schemas (if applicable)
 
 - Event name, payload shape, emitter, consumers
 - Async vs sync processing
 - Retry semantics
 
+Write the completed `## Event Schemas` section to `docs/plans/ia/[shard-name].md` immediately after user confirmation (if applicable).
+
 ## 7. Document edge cases
 
 Read .agent/skills/resolve-ambiguity/SKILL.md and follow its methodology.

package/template/AGENTS.md

@@ -154,6 +154,7 @@ Rules in `.agent/rules/` are **always active** — they apply to every task, eve
 3. **Contract-first** — `{{CONTRACT_LIBRARY}}` schema → failing test → implementation (never reverse)
 4. **TDD: failing test before code** — Red → Green → Refactor, every slice, every surface
 5. **Security-first** — PII never leaks, inputs validated, secrets server-side only
+6. **Write decisions to disk immediately** — Every confirmed decision is written to its output file the moment the user confirms it. Never batch decisions in-memory across a long conversation. If the conversation truncates, all confirmed work must survive on disk.
 
 ### Decision Tree
 

package/template/GEMINI.md

@@ -155,6 +155,7 @@ Rules in `.agent/rules/` are **always active** — they apply to every task, eve
 3. **Contract-first** — `{{CONTRACT_LIBRARY}}` schema → failing test → implementation (never reverse)
 4. **TDD: failing test before code** — Red → Green → Refactor, every slice, every surface
 5. **Security-first** — PII never leaks, inputs validated, secrets server-side only
+6. **Write decisions to disk immediately** — Every confirmed decision is written to its output file the moment the user confirms it. Never batch decisions in-memory across a long conversation. If the conversation truncates, all confirmed work must survive on disk.
 
 ### Decision Tree