claude-code-orchestrator-kit 1.4.0 → 1.4.15

package/.claude/skills/run-quality-gate/SKILL.md

@@ -6,25 +6,16 @@ allowed-tools: Bash, Read
 
 # Run Quality Gate
 
-Execute validation commands as quality gates with configurable blocking/non-blocking behavior and structured error reporting.
+Execute validation commands as quality gates with structured error reporting.
 
 ## When to Use
 
-- Type-check validation in pre-flight or quality gates
-- Build validation before releases
-- Test execution as quality gate
-- Lint validation for code quality
-- Custom validation commands
+- Type-check, build, test, lint validation
 - Orchestrator phase validation
 - Worker self-validation
 
-## Instructions
+## Input
 
-### Step 1: Receive Gate Configuration
-
-Accept gate configuration as input.
-
-**Expected Input**:
 ```json
 {
   "gate": "type-check|build|tests|lint|custom",
@@ -33,76 +24,29 @@ Accept gate configuration as input.
 }
 ```
 
-**Parameters**:
-- `gate`: Type of quality gate to run (required)
-- `blocking`: Whether failure should stop workflow (default: true)
-- `custom_command`: Command to run when gate="custom" (required for custom gates)
-
-### Step 2: Map Gate to Command
-
-Determine command to execute based on gate type.
-
-**Gate Commands**:
-- `type-check` → `pnpm type-check`
-- `build` → `pnpm build`
-- `tests` → `pnpm test`
-- `lint` → `pnpm lint`
-- `custom` → Use `custom_command` parameter
-
-**Validation**:
-- If gate="custom", `custom_command` must be provided
-- Command must be valid shell command
-
-### Step 3: Execute Command
-
-Run command via Bash tool with timeout.
-
-**Execution Parameters**:
-- Timeout: 300000ms (5 minutes)
-- Capture stdout and stderr
-- Record exit code
-- Track execution duration
+## Gate Commands
 
-**Tools Used**: Bash
+| Gate | Command |
+|------|---------|
+| type-check | `pnpm type-check` |
+| build | `pnpm build` |
+| tests | `pnpm test` |
+| lint | `pnpm lint` |
+| custom | `custom_command` value |
 
-### Step 4: Parse Exit Code and Output
-
-Determine if gate passed based on exit code.
-
-**Pass/Fail Logic**:
-- Exit code 0 → Passed
-- Exit code non-zero → Failed
-
-**Extract Errors**:
-Look for error patterns in output:
-- Lines containing "error"
-- Lines containing "failed"
-- Lines containing "✗"
-- TypeScript error codes (TS####)
-- Stack traces
-
-### Step 5: Determine Action
-
-Calculate action based on result and blocking flag.
-
-**Action Logic**:
-```
-IF exit_code == 0:
-  action = "continue"
-  passed = true
-ELSE:
-  IF blocking == true:
-    action = "stop"
-  ELSE:
-    action = "warn"
-  passed = false
-```
+## Process
 
-### Step 6: Return Structured Result
+1. **Map gate to command** - Validate custom_command if gate="custom"
+2. **Execute via Bash** - Timeout: 5 minutes, capture stdout/stderr
+3. **Parse result** - Exit code 0 = passed, non-zero = failed
+4. **Extract errors** - Lines with "error", "failed", TS#### codes
+5. **Determine action**:
+   - Passed → action="continue"
+   - Failed + blocking → action="stop"
+   - Failed + non-blocking → action="warn"
 
-Return complete quality gate result.
+## Output
 
-**Expected Output**:
 ```json
 {
   "gate": "type-check",
@@ -117,288 +61,34 @@ Return complete quality gate result.
 }
 ```
 
-**Output Fields**:
-- `gate`: Gate type that was run
-- `passed`: Whether gate passed (boolean)
-- `blocking`: Whether gate was blocking
-- `action`: Action to take (continue|stop|warn)
-- `errors`: Array of error messages extracted
-- `exit_code`: Command exit code
-- `duration_ms`: Execution time in milliseconds
-- `command`: Actual command executed
-- `timestamp`: ISO-8601 timestamp of execution
-
-## Error Handling
-
-- **Timeout (5 minutes)**: Return failed with timeout error
-- **Missing custom_command**: Return error requesting custom_command
-- **Invalid gate type**: Return error listing valid gates
-- **Command not found**: Return failed with command not found error
-- **Empty output but non-zero exit**: Return failed with generic error
-
 ## Examples
 
-### Example 1: Blocking Type-Check that Passes
-
-**Input**:
-```json
-{
-  "gate": "type-check",
-  "blocking": true
-}
-```
-
-**Command Output**:
-```
-$ pnpm type-check
-✓ No type errors found
-Done in 2.3s
-```
-
-**Output**:
-```json
-{
-  "gate": "type-check",
-  "passed": true,
-  "blocking": true,
-  "action": "continue",
-  "errors": [],
-  "exit_code": 0,
-  "duration_ms": 2345,
-  "command": "pnpm type-check",
-  "timestamp": "2025-10-18T14:30:00Z"
-}
-```
-
-### Example 2: Blocking Build that Fails (Should Stop)
-
-**Input**:
-```json
-{
-  "gate": "build",
-  "blocking": true
-}
-```
-
-**Command Output**:
-```
-$ pnpm build
-✗ Build failed
-ERROR in src/app.ts
-Module not found: Error: Can't resolve 'missing-module'
-exit code: 1
-```
-
-**Output**:
-```json
-{
-  "gate": "build",
-  "passed": false,
-  "blocking": true,
-  "action": "stop",
-  "errors": [
-    "ERROR in src/app.ts",
-    "Module not found: Error: Can't resolve 'missing-module'"
-  ],
-  "exit_code": 1,
-  "duration_ms": 5432,
-  "command": "pnpm build",
-  "timestamp": "2025-10-18T14:30:05Z"
-}
-```
-
-### Example 3: Non-Blocking Lint that Fails (Should Warn)
-
-**Input**:
-```json
-{
-  "gate": "lint",
-  "blocking": false
-}
-```
-
-**Command Output**:
-```
-$ pnpm lint
-✗ 12 problems (8 errors, 4 warnings)
-src/utils.ts:10:5 - error - Missing semicolon
-src/app.ts:25:1 - warning - Prefer const over let
-exit code: 1
-```
-
-**Output**:
-```json
-{
-  "gate": "lint",
-  "passed": false,
-  "blocking": false,
-  "action": "warn",
-  "errors": [
-    "src/utils.ts:10:5 - error - Missing semicolon",
-    "src/app.ts:25:1 - warning - Prefer const over let"
-  ],
-  "exit_code": 1,
-  "duration_ms": 1234,
-  "command": "pnpm lint",
-  "timestamp": "2025-10-18T14:30:07Z"
-}
-```
-
-### Example 4: Custom Command Example
-
-**Input**:
-```json
-{
-  "gate": "custom",
-  "blocking": true,
-  "custom_command": "pnpm validate-schemas"
-}
-```
-
-**Command Output**:
-```
-$ pnpm validate-schemas
-✓ All schemas valid
-exit code: 0
-```
-
-**Output**:
-```json
-{
-  "gate": "custom",
-  "passed": true,
-  "blocking": true,
-  "action": "continue",
-  "errors": [],
-  "exit_code": 0,
-  "duration_ms": 876,
-  "command": "pnpm validate-schemas",
-  "timestamp": "2025-10-18T14:30:08Z"
-}
-```
-
-### Example 5: Timeout Example
-
-**Input**:
-```json
-{
-  "gate": "tests",
-  "blocking": true
-}
-```
-
-**Output** (after 5 minutes):
+**Blocking gate passes**:
 ```json
-{
-  "gate": "tests",
-  "passed": false,
-  "blocking": true,
-  "action": "stop",
-  "errors": [
-    "Command timed out after 300000ms (5 minutes)"
-  ],
-  "exit_code": -1,
-  "duration_ms": 300000,
-  "command": "pnpm test",
-  "timestamp": "2025-10-18T14:35:00Z"
-}
+{ "gate": "type-check", "blocking": true }
+→ { "passed": true, "action": "continue", "errors": [] }
 ```
 
-### Example 6: Command Not Found
-
-**Input**:
+**Blocking gate fails** (stops workflow):
 ```json
-{
-  "gate": "build",
-  "blocking": true
-}
+{ "gate": "build", "blocking": true }
+→ { "passed": false, "action": "stop", "errors": ["Module not found: missing-module"] }
 ```
 
-**Command Output**:
-```
-bash: pnpm: command not found
-exit code: 127
-```
-
-**Output**:
+**Non-blocking gate fails** (warns only):
 ```json
-{
-  "gate": "build",
-  "passed": false,
-  "blocking": true,
-  "action": "stop",
-  "errors": [
-    "bash: pnpm: command not found"
-  ],
-  "exit_code": 127,
-  "duration_ms": 45,
-  "command": "pnpm build",
-  "timestamp": "2025-10-18T14:30:09Z"
-}
+{ "gate": "lint", "blocking": false }
+→ { "passed": false, "action": "warn", "errors": ["Missing semicolon"] }
 ```
 
-## Validation
-
-- [ ] Maps all standard gate types to correct commands
-- [ ] Executes commands with 5 minute timeout
-- [ ] Captures exit code correctly
-- [ ] Extracts errors from output
-- [ ] Determines action correctly based on blocking flag
-- [ ] Records execution duration
-- [ ] Handles timeout gracefully
-- [ ] Validates custom_command when gate="custom"
-- [ ] Returns structured JSON output
-
-## Integration with Agents
-
-### Orchestrator Usage
-
-```markdown
-## Quality Gate: Type Check
-
-Use run-quality-gate Skill with gate="type-check" and blocking=true.
-
-If action="stop", halt workflow and report failure.
-If action="continue", proceed to next phase.
-```
-
-### Worker Self-Validation
-
-```markdown
-## Step 5: Self-Validation
-
-Use run-quality-gate Skill to validate changes:
-1. Run type-check (blocking=true)
-2. Run build (blocking=true)
-3. Run tests (blocking=false)
-
-If any blocking gate returns action="stop", rollback changes.
-```
-
-### Quality Gates Orchestrator
-
-```markdown
-## Phase 2: Execute Quality Gates
-
-For each gate in [type-check, build, tests, lint]:
-  result = run-quality-gate(gate, blocking=true)
-
-  if result.action == "stop":
-    HALT and report failure
-
-  if result.action == "warn":
-    LOG warning and continue
-```
-
-## Supporting Files
+## Error Handling
 
-- `gate-mappings.json`: Gate command mappings and configurations (see below)
+- **Timeout (5 min)**: Return failed with timeout error
+- **Missing custom_command**: Return error
+- **Command not found**: Return failed with exit_code=127
 
 ## Notes
 
-- Timeout is fixed at 5 minutes to prevent indefinite hangs
-- Error extraction is best-effort (may not capture all errors)
-- Custom commands must be valid shell commands
-- Exit code 0 always means success regardless of output
-- Non-zero exit code always means failure
+- Exit code 0 always = success regardless of output
 - Blocking flag only affects action, not passed status
+- Error extraction is best-effort

package/.claude/skills/security-health-inline/SKILL.md

@@ -0,0 +1,224 @@
+---
+name: security-health-inline
+description: Inline orchestration workflow for security vulnerability detection and remediation. Provides step-by-step phases for security-scanner detection, priority-based fixing with vulnerability-fixer, and verification cycles.
+version: 2.0.0
+---
+
+# Security Health Check (Inline Orchestration)
+
+You ARE the orchestrator. Execute this workflow directly without spawning a separate orchestrator agent.
+
+## Workflow Overview
+
+```
+Detection → Validate → Fix by Priority → Verify → Repeat if needed
+```
+
+**Max iterations**: 3
+**Priorities**: critical → high → medium → low
+
+---
+
+## Phase 1: Pre-flight
+
+1. **Setup directories**:
+   ```bash
+   mkdir -p .tmp/current/{plans,changes,backups}
+   ```
+
+2. **Validate environment**:
+   - Check `package.json` exists
+   - Check `type-check` and `build` scripts exist
+
+3. **Initialize TodoWrite**:
+   ```json
+   [
+     {"content": "Security scan", "status": "in_progress", "activeForm": "Scanning for vulnerabilities"},
+     {"content": "Fix critical vulnerabilities", "status": "pending", "activeForm": "Fixing critical vulnerabilities"},
+     {"content": "Fix high priority vulnerabilities", "status": "pending", "activeForm": "Fixing high vulnerabilities"},
+     {"content": "Fix medium priority vulnerabilities", "status": "pending", "activeForm": "Fixing medium vulnerabilities"},
+     {"content": "Fix low priority vulnerabilities", "status": "pending", "activeForm": "Fixing low vulnerabilities"},
+     {"content": "Verification scan", "status": "pending", "activeForm": "Verifying fixes"}
+   ]
+   ```
+
+---
+
+## Phase 2: Detection
+
+**Invoke security-scanner** via Task tool:
+
+```
+subagent_type: "security-scanner"
+description: "Detect all vulnerabilities"
+prompt: |
+  Scan the entire codebase for security vulnerabilities:
+  - SQL injection
+  - XSS vulnerabilities
+  - Authentication/authorization issues
+  - RLS policy violations
+  - Hardcoded secrets
+  - Insecure dependencies
+  - Categorize by priority (critical/high/medium/low)
+
+  Generate: security-scan-report.md
+
+  Return summary with vulnerability counts per priority.
+```
+
+**After security-scanner returns**:
+1. Read `security-scan-report.md`
+2. Parse vulnerability counts by priority
+3. If zero vulnerabilities → skip to Final Summary
+4. Update TodoWrite: mark detection complete
+
+---
+
+## Phase 3: Quality Gate (Detection)
+
+Run inline validation:
+
+```bash
+pnpm type-check
+pnpm build
+```
+
+- If both pass → proceed to fixing
+- If fail → report to user, exit
+
+---
+
+## Phase 4: Fixing Loop
+
+**For each priority** (critical → high → medium → low):
+
+1. **Check if vulnerabilities exist** for this priority
+   - If zero → skip to next priority
+
+2. **Update TodoWrite**: mark current priority in_progress
+
+3. **Invoke vulnerability-fixer** via Task tool:
+   ```
+   subagent_type: "vulnerability-fixer"
+   description: "Fix {priority} vulnerabilities"
+   prompt: |
+     Read security-scan-report.md and fix all {priority} priority vulnerabilities.
+
+     For each vulnerability:
+     1. Backup file before editing
+     2. Implement fix
+     3. Log change to .tmp/current/changes/security-changes.json
+
+     Generate/update: security-fixes-implemented.md
+
+     Return: count of fixed vulnerabilities, count of failed fixes.
+   ```
+
+4. **Quality Gate** (inline):
+   ```bash
+   pnpm type-check
+   pnpm build
+   ```
+
+   - If FAIL → report error, suggest rollback, exit
+   - If PASS → continue
+
+5. **Update TodoWrite**: mark priority complete
+
+6. **Repeat** for next priority
+
+---
+
+## Phase 5: Verification
+
+After all priorities fixed:
+
+1. **Update TodoWrite**: mark verification in_progress
+
+2. **Invoke security-scanner** (verification mode):
+   ```
+   subagent_type: "security-scanner"
+   description: "Verification scan"
+   prompt: |
+     Re-scan codebase after fixes.
+     Compare with previous security-scan-report.md.
+
+     Report:
+     - Vulnerabilities fixed (count)
+     - Vulnerabilities remaining (count)
+     - New vulnerabilities introduced (count)
+   ```
+
+3. **Decision**:
+   - If vulnerabilities_remaining == 0 → Final Summary
+   - If iteration < 3 AND vulnerabilities_remaining > 0 → Go to Phase 2
+   - If iteration >= 3 → Final Summary with remaining vulnerabilities
+
+---
+
+## Phase 6: Final Summary
+
+Generate summary for user:
+
+```markdown
+## Security Health Check Complete
+
+**Iterations**: {count}/3
+**Status**: {SUCCESS/PARTIAL}
+
+### Results
+- Found: {total} vulnerabilities
+- Fixed: {fixed} ({percentage}%)
+- Remaining: {remaining}
+
+### By Priority
+- Critical: {fixed}/{total}
+- High: {fixed}/{total}
+- Medium: {fixed}/{total}
+- Low: {fixed}/{total}
+
+### Validation
+- Type Check: {status}
+- Build: {status}
+
+### Artifacts
+- Detection: `security-scan-report.md`
+- Fixes: `security-fixes-implemented.md`
+```
+
+---
+
+## Error Handling
+
+**If quality gate fails**:
+```
+Rollback available: .tmp/current/changes/security-changes.json
+
+To rollback:
+1. Read changes log
+2. Restore files from .tmp/current/backups/
+3. Re-run workflow
+```
+
+**If worker fails**:
+- Report error to user
+- Suggest manual intervention
+- Exit workflow
+
+---
+
+## Key Differences from Old Approach
+
+| Old (Orchestrator Agent) | New (Inline Skill) |
+|--------------------------|-------------------|
+| 9+ orchestrator calls | 0 orchestrator calls |
+| ~1400 lines (cmd + agent) | ~150 lines |
+| Context reload each call | Single session context |
+| Plan files for each phase | Direct execution |
+| ~10,000+ tokens overhead | ~500 tokens |
+
+---
+
+## Worker Prompts
+
+See `references/worker-prompts.md` for detailed prompts.