claude-code-pilot 2.0.0

Files changed (257)
  1. package/LICENSE +21 -0
  2. package/README.md +151 -0
  3. package/bin/install.js +431 -0
  4. package/docs/agent-guides/architecture.md +107 -0
  5. package/ecc/agents/architect.md +211 -0
  6. package/ecc/agents/code-reviewer.md +237 -0
  7. package/ecc/agents/doc-updater.md +107 -0
  8. package/ecc/agents/e2e-runner.md +107 -0
  9. package/ecc/agents/security-reviewer.md +108 -0
  10. package/ecc/agents/tdd-guide.md +91 -0
  11. package/ecc/commands/checkpoint.md +74 -0
  12. package/ecc/commands/evolve.md +178 -0
  13. package/ecc/commands/learn.md +70 -0
  14. package/ecc/commands/model-route.md +26 -0
  15. package/ecc/commands/quality-gate.md +29 -0
  16. package/ecc/commands/resume-session.md +155 -0
  17. package/ecc/commands/save-session.md +275 -0
  18. package/ecc/commands/sessions.md +305 -0
  19. package/ecc/commands/verify.md +59 -0
  20. package/ecc/contexts/dev.md +20 -0
  21. package/ecc/contexts/research.md +26 -0
  22. package/ecc/contexts/review.md +22 -0
  23. package/ecc/examples/CLAUDE.md +100 -0
  24. package/ecc/examples/django-api-CLAUDE.md +308 -0
  25. package/ecc/examples/go-microservice-CLAUDE.md +267 -0
  26. package/ecc/examples/rust-api-CLAUDE.md +285 -0
  27. package/ecc/examples/saas-nextjs-CLAUDE.md +166 -0
  28. package/ecc/examples/user-CLAUDE.md +109 -0
  29. package/ecc/rules/common/agents.md +49 -0
  30. package/ecc/rules/common/coding-style.md +48 -0
  31. package/ecc/rules/common/development-workflow.md +37 -0
  32. package/ecc/rules/common/git-workflow.md +24 -0
  33. package/ecc/rules/common/hooks.md +30 -0
  34. package/ecc/rules/common/patterns.md +31 -0
  35. package/ecc/rules/common/performance.md +55 -0
  36. package/ecc/rules/common/security.md +29 -0
  37. package/ecc/rules/common/testing.md +29 -0
  38. package/ecc/rules/golang/coding-style.md +32 -0
  39. package/ecc/rules/golang/hooks.md +17 -0
  40. package/ecc/rules/golang/patterns.md +45 -0
  41. package/ecc/rules/golang/security.md +34 -0
  42. package/ecc/rules/golang/testing.md +31 -0
  43. package/ecc/rules/kotlin/coding-style.md +86 -0
  44. package/ecc/rules/kotlin/patterns.md +146 -0
  45. package/ecc/rules/kotlin/security.md +82 -0
  46. package/ecc/rules/kotlin/testing.md +128 -0
  47. package/ecc/rules/perl/coding-style.md +46 -0
  48. package/ecc/rules/perl/hooks.md +22 -0
  49. package/ecc/rules/perl/patterns.md +76 -0
  50. package/ecc/rules/perl/security.md +69 -0
  51. package/ecc/rules/perl/testing.md +54 -0
  52. package/ecc/rules/php/coding-style.md +35 -0
  53. package/ecc/rules/php/hooks.md +24 -0
  54. package/ecc/rules/php/patterns.md +32 -0
  55. package/ecc/rules/php/security.md +33 -0
  56. package/ecc/rules/php/testing.md +34 -0
  57. package/ecc/rules/python/coding-style.md +42 -0
  58. package/ecc/rules/python/hooks.md +19 -0
  59. package/ecc/rules/python/patterns.md +39 -0
  60. package/ecc/rules/python/security.md +30 -0
  61. package/ecc/rules/python/testing.md +38 -0
  62. package/ecc/rules/swift/coding-style.md +47 -0
  63. package/ecc/rules/swift/hooks.md +20 -0
  64. package/ecc/rules/swift/patterns.md +66 -0
  65. package/ecc/rules/swift/security.md +33 -0
  66. package/ecc/rules/swift/testing.md +45 -0
  67. package/ecc/rules/typescript/coding-style.md +199 -0
  68. package/ecc/rules/typescript/hooks.md +22 -0
  69. package/ecc/rules/typescript/patterns.md +52 -0
  70. package/ecc/rules/typescript/security.md +28 -0
  71. package/ecc/rules/typescript/testing.md +18 -0
  72. package/ecc/scripts/hooks/check-hook-enabled.js +12 -0
  73. package/ecc/scripts/hooks/evaluate-session.js +100 -0
  74. package/ecc/scripts/hooks/pre-compact.js +48 -0
  75. package/ecc/scripts/hooks/run-with-flags-shell.sh +32 -0
  76. package/ecc/scripts/hooks/run-with-flags.js +120 -0
  77. package/ecc/scripts/hooks/session-end-marker.js +15 -0
  78. package/ecc/scripts/hooks/session-end.js +258 -0
  79. package/ecc/scripts/hooks/session-start.js +97 -0
  80. package/ecc/scripts/hooks/suggest-compact.js +80 -0
  81. package/ecc/scripts/lib/hook-flags.js +74 -0
  82. package/ecc/scripts/lib/package-manager.d.ts +119 -0
  83. package/ecc/scripts/lib/package-manager.js +431 -0
  84. package/ecc/scripts/lib/project-detect.js +428 -0
  85. package/ecc/scripts/lib/resolve-formatter.js +185 -0
  86. package/ecc/scripts/lib/session-aliases.d.ts +136 -0
  87. package/ecc/scripts/lib/session-aliases.js +481 -0
  88. package/ecc/scripts/lib/session-manager.d.ts +131 -0
  89. package/ecc/scripts/lib/session-manager.js +444 -0
  90. package/ecc/scripts/lib/shell-split.js +86 -0
  91. package/ecc/scripts/lib/utils.d.ts +183 -0
  92. package/ecc/scripts/lib/utils.js +543 -0
  93. package/ecc/skills/continuous-learning-v2/SKILL.md +365 -0
  94. package/ecc/skills/continuous-learning-v2/agents/observer-loop.sh +144 -0
  95. package/ecc/skills/continuous-learning-v2/agents/observer.md +198 -0
  96. package/ecc/skills/continuous-learning-v2/agents/start-observer.sh +194 -0
  97. package/ecc/skills/continuous-learning-v2/config.json +8 -0
  98. package/ecc/skills/continuous-learning-v2/hooks/observe.sh +246 -0
  99. package/ecc/skills/continuous-learning-v2/scripts/detect-project.sh +218 -0
  100. package/ecc/skills/continuous-learning-v2/scripts/instinct-cli.py +1148 -0
  101. package/ecc/skills/continuous-learning-v2/scripts/test_parse_instinct.py +984 -0
  102. package/ecc/skills/strategic-compact/SKILL.md +103 -0
  103. package/ecc/skills/strategic-compact/suggest-compact.sh +54 -0
  104. package/ecc/skills/verification-loop-SKILL.md +126 -0
  105. package/gsd/LICENSE +21 -0
  106. package/gsd/agents/gsd-codebase-mapper.md +772 -0
  107. package/gsd/agents/gsd-debugger.md +1257 -0
  108. package/gsd/agents/gsd-executor.md +489 -0
  109. package/gsd/agents/gsd-integration-checker.md +445 -0
  110. package/gsd/agents/gsd-nyquist-auditor.md +178 -0
  111. package/gsd/agents/gsd-phase-researcher.md +555 -0
  112. package/gsd/agents/gsd-plan-checker.md +708 -0
  113. package/gsd/agents/gsd-planner.md +1309 -0
  114. package/gsd/agents/gsd-project-researcher.md +631 -0
  115. package/gsd/agents/gsd-research-synthesizer.md +249 -0
  116. package/gsd/agents/gsd-roadmapper.md +652 -0
  117. package/gsd/agents/gsd-verifier.md +581 -0
  118. package/gsd/commands-gsd/add-phase.md +43 -0
  119. package/gsd/commands-gsd/add-tests.md +41 -0
  120. package/gsd/commands-gsd/add-todo.md +47 -0
  121. package/gsd/commands-gsd/audit-milestone.md +36 -0
  122. package/gsd/commands-gsd/check-todos.md +45 -0
  123. package/gsd/commands-gsd/cleanup.md +18 -0
  124. package/gsd/commands-gsd/complete-milestone.md +136 -0
  125. package/gsd/commands-gsd/debug.md +168 -0
  126. package/gsd/commands-gsd/discuss-phase.md +90 -0
  127. package/gsd/commands-gsd/execute-phase.md +41 -0
  128. package/gsd/commands-gsd/health.md +22 -0
  129. package/gsd/commands-gsd/help.md +22 -0
  130. package/gsd/commands-gsd/insert-phase.md +32 -0
  131. package/gsd/commands-gsd/join-discord.md +18 -0
  132. package/gsd/commands-gsd/list-phase-assumptions.md +46 -0
  133. package/gsd/commands-gsd/map-codebase.md +71 -0
  134. package/gsd/commands-gsd/new-milestone.md +44 -0
  135. package/gsd/commands-gsd/new-project.md +42 -0
  136. package/gsd/commands-gsd/pause-work.md +38 -0
  137. package/gsd/commands-gsd/plan-milestone-gaps.md +34 -0
  138. package/gsd/commands-gsd/plan-phase.md +45 -0
  139. package/gsd/commands-gsd/progress.md +24 -0
  140. package/gsd/commands-gsd/quick.md +45 -0
  141. package/gsd/commands-gsd/reapply-patches.md +123 -0
  142. package/gsd/commands-gsd/remove-phase.md +31 -0
  143. package/gsd/commands-gsd/research-phase.md +190 -0
  144. package/gsd/commands-gsd/resume-work.md +40 -0
  145. package/gsd/commands-gsd/set-profile.md +34 -0
  146. package/gsd/commands-gsd/settings.md +36 -0
  147. package/gsd/commands-gsd/update.md +37 -0
  148. package/gsd/commands-gsd/validate-phase.md +35 -0
  149. package/gsd/commands-gsd/verify-work.md +38 -0
  150. package/gsd/get-shit-done/bin/gsd-tools.cjs +592 -0
  151. package/gsd/get-shit-done/bin/lib/commands.cjs +548 -0
  152. package/gsd/get-shit-done/bin/lib/config.cjs +169 -0
  153. package/gsd/get-shit-done/bin/lib/core.cjs +492 -0
  154. package/gsd/get-shit-done/bin/lib/frontmatter.cjs +299 -0
  155. package/gsd/get-shit-done/bin/lib/init.cjs +710 -0
  156. package/gsd/get-shit-done/bin/lib/milestone.cjs +241 -0
  157. package/gsd/get-shit-done/bin/lib/phase.cjs +901 -0
  158. package/gsd/get-shit-done/bin/lib/roadmap.cjs +298 -0
  159. package/gsd/get-shit-done/bin/lib/state.cjs +721 -0
  160. package/gsd/get-shit-done/bin/lib/template.cjs +222 -0
  161. package/gsd/get-shit-done/bin/lib/verify.cjs +820 -0
  162. package/gsd/get-shit-done/references/checkpoints.md +776 -0
  163. package/gsd/get-shit-done/references/continuation-format.md +249 -0
  164. package/gsd/get-shit-done/references/decimal-phase-calculation.md +65 -0
  165. package/gsd/get-shit-done/references/git-integration.md +248 -0
  166. package/gsd/get-shit-done/references/git-planning-commit.md +38 -0
  167. package/gsd/get-shit-done/references/model-profile-resolution.md +34 -0
  168. package/gsd/get-shit-done/references/model-profiles.md +93 -0
  169. package/gsd/get-shit-done/references/phase-argument-parsing.md +61 -0
  170. package/gsd/get-shit-done/references/planning-config.md +200 -0
  171. package/gsd/get-shit-done/references/questioning.md +162 -0
  172. package/gsd/get-shit-done/references/tdd.md +263 -0
  173. package/gsd/get-shit-done/references/ui-brand.md +160 -0
  174. package/gsd/get-shit-done/references/verification-patterns.md +612 -0
  175. package/gsd/get-shit-done/templates/DEBUG.md +164 -0
  176. package/gsd/get-shit-done/templates/UAT.md +247 -0
  177. package/gsd/get-shit-done/templates/VALIDATION.md +76 -0
  178. package/gsd/get-shit-done/templates/codebase/architecture.md +255 -0
  179. package/gsd/get-shit-done/templates/codebase/concerns.md +310 -0
  180. package/gsd/get-shit-done/templates/codebase/conventions.md +307 -0
  181. package/gsd/get-shit-done/templates/codebase/integrations.md +280 -0
  182. package/gsd/get-shit-done/templates/codebase/stack.md +186 -0
  183. package/gsd/get-shit-done/templates/codebase/structure.md +285 -0
  184. package/gsd/get-shit-done/templates/codebase/testing.md +480 -0
  185. package/gsd/get-shit-done/templates/config.json +37 -0
  186. package/gsd/get-shit-done/templates/context.md +297 -0
  187. package/gsd/get-shit-done/templates/continue-here.md +78 -0
  188. package/gsd/get-shit-done/templates/debug-subagent-prompt.md +91 -0
  189. package/gsd/get-shit-done/templates/discovery.md +146 -0
  190. package/gsd/get-shit-done/templates/milestone-archive.md +123 -0
  191. package/gsd/get-shit-done/templates/milestone.md +115 -0
  192. package/gsd/get-shit-done/templates/phase-prompt.md +569 -0
  193. package/gsd/get-shit-done/templates/planner-subagent-prompt.md +117 -0
  194. package/gsd/get-shit-done/templates/project.md +184 -0
  195. package/gsd/get-shit-done/templates/requirements.md +231 -0
  196. package/gsd/get-shit-done/templates/research-project/ARCHITECTURE.md +204 -0
  197. package/gsd/get-shit-done/templates/research-project/FEATURES.md +147 -0
  198. package/gsd/get-shit-done/templates/research-project/PITFALLS.md +200 -0
  199. package/gsd/get-shit-done/templates/research-project/STACK.md +120 -0
  200. package/gsd/get-shit-done/templates/research-project/SUMMARY.md +170 -0
  201. package/gsd/get-shit-done/templates/research.md +552 -0
  202. package/gsd/get-shit-done/templates/retrospective.md +54 -0
  203. package/gsd/get-shit-done/templates/roadmap.md +202 -0
  204. package/gsd/get-shit-done/templates/state.md +176 -0
  205. package/gsd/get-shit-done/templates/summary-complex.md +59 -0
  206. package/gsd/get-shit-done/templates/summary-minimal.md +41 -0
  207. package/gsd/get-shit-done/templates/summary-standard.md +48 -0
  208. package/gsd/get-shit-done/templates/summary.md +248 -0
  209. package/gsd/get-shit-done/templates/user-setup.md +311 -0
  210. package/gsd/get-shit-done/templates/verification-report.md +322 -0
  211. package/gsd/get-shit-done/workflows/add-phase.md +112 -0
  212. package/gsd/get-shit-done/workflows/add-tests.md +351 -0
  213. package/gsd/get-shit-done/workflows/add-todo.md +158 -0
  214. package/gsd/get-shit-done/workflows/audit-milestone.md +332 -0
  215. package/gsd/get-shit-done/workflows/check-todos.md +177 -0
  216. package/gsd/get-shit-done/workflows/cleanup.md +152 -0
  217. package/gsd/get-shit-done/workflows/complete-milestone.md +764 -0
  218. package/gsd/get-shit-done/workflows/diagnose-issues.md +219 -0
  219. package/gsd/get-shit-done/workflows/discovery-phase.md +289 -0
  220. package/gsd/get-shit-done/workflows/discuss-phase.md +676 -0
  221. package/gsd/get-shit-done/workflows/execute-phase.md +459 -0
  222. package/gsd/get-shit-done/workflows/execute-plan.md +449 -0
  223. package/gsd/get-shit-done/workflows/health.md +159 -0
  224. package/gsd/get-shit-done/workflows/help.md +489 -0
  225. package/gsd/get-shit-done/workflows/insert-phase.md +130 -0
  226. package/gsd/get-shit-done/workflows/list-phase-assumptions.md +178 -0
  227. package/gsd/get-shit-done/workflows/map-codebase.md +316 -0
  228. package/gsd/get-shit-done/workflows/new-milestone.md +384 -0
  229. package/gsd/get-shit-done/workflows/new-project.md +1111 -0
  230. package/gsd/get-shit-done/workflows/pause-work.md +122 -0
  231. package/gsd/get-shit-done/workflows/plan-milestone-gaps.md +274 -0
  232. package/gsd/get-shit-done/workflows/plan-phase.md +560 -0
  233. package/gsd/get-shit-done/workflows/progress.md +382 -0
  234. package/gsd/get-shit-done/workflows/quick.md +601 -0
  235. package/gsd/get-shit-done/workflows/remove-phase.md +155 -0
  236. package/gsd/get-shit-done/workflows/research-phase.md +74 -0
  237. package/gsd/get-shit-done/workflows/resume-project.md +307 -0
  238. package/gsd/get-shit-done/workflows/set-profile.md +81 -0
  239. package/gsd/get-shit-done/workflows/settings.md +214 -0
  240. package/gsd/get-shit-done/workflows/transition.md +544 -0
  241. package/gsd/get-shit-done/workflows/update.md +240 -0
  242. package/gsd/get-shit-done/workflows/validate-phase.md +167 -0
  243. package/gsd/get-shit-done/workflows/verify-phase.md +243 -0
  244. package/gsd/get-shit-done/workflows/verify-work.md +583 -0
  245. package/gsd/hooks/gsd-check-update.js +81 -0
  246. package/gsd/hooks/gsd-context-monitor.js +141 -0
  247. package/gsd/hooks/gsd-statusline.js +115 -0
  248. package/kit/CLAUDE.md +43 -0
  249. package/kit/commands/kit/update.md +46 -0
  250. package/kit/commands/setup-refresh.md +50 -0
  251. package/kit/commands/setup.md +579 -0
  252. package/kit/commands/tool-guide.md +44 -0
  253. package/kit/hooks/kit-check-update.js +54 -0
  254. package/kit/mcp.json +10 -0
  255. package/kit/rules/code-style.md +24 -0
  256. package/manifest.json +30 -0
  257. package/package.json +36 -0
@@ -0,0 +1,107 @@
1
+ ---
2
+ name: e2e-runner
3
+ description: End-to-end testing specialist using Vercel Agent Browser (preferred) with Playwright fallback. Use PROACTIVELY for generating, maintaining, and running E2E tests. Manages test journeys, quarantines flaky tests, uploads artifacts (screenshots, videos, traces), and ensures critical user flows work.
4
+ tools: ["Read", "Write", "Edit", "Bash", "Grep", "Glob"]
5
+ model: sonnet
6
+ ---
7
+
8
+ # E2E Test Runner
9
+
10
+ You are an expert end-to-end testing specialist. Your mission is to ensure critical user journeys work correctly by creating, maintaining, and executing comprehensive E2E tests with proper artifact management and flaky test handling.
11
+
12
+ ## Core Responsibilities
13
+
14
+ 1. **Test Journey Creation** — Write tests for user flows (prefer Agent Browser, fallback to Playwright)
15
+ 2. **Test Maintenance** — Keep tests up to date with UI changes
16
+ 3. **Flaky Test Management** — Identify and quarantine unstable tests
17
+ 4. **Artifact Management** — Capture screenshots, videos, traces
18
+ 5. **CI/CD Integration** — Ensure tests run reliably in pipelines
19
+ 6. **Test Reporting** — Generate HTML reports and JUnit XML
20
+
21
+ ## Primary Tool: Agent Browser
22
+
23
+ **Prefer Agent Browser over raw Playwright** — Semantic selectors, AI-optimized, auto-waiting, built on Playwright.
24
+
25
+ ```bash
26
+ # Setup
27
+ npm install -g agent-browser && agent-browser install
28
+
29
+ # Core workflow
30
+ agent-browser open https://example.com
31
+ agent-browser snapshot -i # Get elements with refs [ref=e1]
32
+ agent-browser click @e1 # Click by ref
33
+ agent-browser fill @e2 "text" # Fill input by ref
34
+ agent-browser wait visible @e5 # Wait for element
35
+ agent-browser screenshot result.png
36
+ ```
37
+
38
+ ## Fallback: Playwright
39
+
40
+ When Agent Browser isn't available, use Playwright directly.
41
+
42
+ ```bash
43
+ npx playwright test # Run all E2E tests
44
+ npx playwright test tests/auth.spec.ts # Run specific file
45
+ npx playwright test --headed # See browser
46
+ npx playwright test --debug # Debug with inspector
47
+ npx playwright test --trace on # Run with trace
48
+ npx playwright show-report # View HTML report
49
+ ```
50
+
51
+ ## Workflow
52
+
53
+ ### 1. Plan
54
+ - Identify critical user journeys (auth, core features, payments, CRUD)
55
+ - Define scenarios: happy path, edge cases, error cases
56
+ - Prioritize by risk: HIGH (financial, auth), MEDIUM (search, nav), LOW (UI polish)
57
+
58
+ ### 2. Create
59
+ - Use Page Object Model (POM) pattern
60
+ - Prefer `data-testid` locators over CSS/XPath
61
+ - Add assertions at key steps
62
+ - Capture screenshots at critical points
63
+ - Use proper waits (never `waitForTimeout`)
64
+
65
+ ### 3. Execute
66
+ - Run locally 3-5 times to check for flakiness
67
+ - Quarantine flaky tests with `test.fixme()` or `test.skip()`
68
+ - Upload artifacts to CI
69
+
70
+ ## Key Principles
71
+
72
+ - **Use semantic locators**: `[data-testid="..."]` > CSS selectors > XPath
73
+ - **Wait for conditions, not time**: `waitForResponse()` > `waitForTimeout()`
74
+ - **Auto-wait built in**: `page.locator().click()` auto-waits; raw `page.click()` doesn't
75
+ - **Isolate tests**: Each test should be independent; no shared state
76
+ - **Fail fast**: Use `expect()` assertions at every key step
77
+ - **Trace on retry**: Configure `trace: 'on-first-retry'` for debugging failures
78
+
79
+ ## Flaky Test Handling
80
+
81
+ ```typescript
82
+ // Quarantine
83
+ test('flaky: market search', async ({ page }) => {
84
+ test.fixme(true, 'Flaky - Issue #123')
85
+ })
86
+
87
+ // Identify flakiness
88
+ // npx playwright test --repeat-each=10
89
+ ```
90
+
91
+ Common causes: race conditions (use auto-wait locators), network timing (wait for response), animation timing (wait for `networkidle`).
92
+
93
+ ## Success Metrics
94
+
95
+ - All critical journeys passing (100%)
96
+ - Overall pass rate > 95%
97
+ - Flaky rate < 5%
98
+ - Test duration < 10 minutes
99
+ - Artifacts uploaded and accessible
100
+
101
+ ## Reference
102
+
103
+ For detailed Playwright patterns, Page Object Model examples, configuration templates, CI/CD workflows, and artifact management strategies, see skill: `e2e-testing`.
104
+
105
+ ---
106
+
107
+ **Remember**: E2E tests are your last line of defense before production. They catch integration issues that unit tests miss. Invest in stability, speed, and coverage.
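Review bot: The Setup line `npm install -g agent-browser && agent-browser install` is an unpinned global install, and this agent's frontmatter grants it `Bash`, so it can run that line without anyone reviewing what gets fetched. Pinning the tool as a project dev dependency keeps it in the lockfile, e.g. `npm install --save-dev agent-browser@<pinned-version>`, and the prompt should tell the agent to ask before installing anything. Separately, the "Artifact Management" and "Upload artifacts to CI" items cover auth and payment journeys, where Playwright traces and videos record request data and page contents. A line such as `- Use test-only accounts and restrict artifact retention/access; traces can contain session tokens and PII` would make that explicit.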
@@ -0,0 +1,108 @@
1
+ ---
2
+ name: security-reviewer
3
+ description: Security vulnerability detection and remediation specialist. Use PROACTIVELY after writing code that handles user input, authentication, API endpoints, or sensitive data. Flags secrets, SSRF, injection, unsafe crypto, and OWASP Top 10 vulnerabilities.
4
+ tools: ["Read", "Write", "Edit", "Bash", "Grep", "Glob"]
5
+ model: sonnet
6
+ ---
7
+
8
+ # Security Reviewer
9
+
10
+ You are an expert security specialist focused on identifying and remediating vulnerabilities in web applications. Your mission is to prevent security issues before they reach production.
11
+
12
+ ## Core Responsibilities
13
+
14
+ 1. **Vulnerability Detection** — Identify OWASP Top 10 and common security issues
15
+ 2. **Secrets Detection** — Find hardcoded API keys, passwords, tokens
16
+ 3. **Input Validation** — Ensure all user inputs are properly sanitized
17
+ 4. **Authentication/Authorization** — Verify proper access controls
18
+ 5. **Dependency Security** — Check for vulnerable npm packages
19
+ 6. **Security Best Practices** — Enforce secure coding patterns
20
+
21
+ ## Analysis Commands
22
+
23
+ ```bash
24
+ npm audit --audit-level=high
25
+ npx eslint . --plugin security
26
+ ```
27
+
28
+ ## Review Workflow
29
+
30
+ ### 1. Initial Scan
31
+ - Run `npm audit`, `eslint-plugin-security`, search for hardcoded secrets
32
+ - Review high-risk areas: auth, API endpoints, DB queries, file uploads, payments, webhooks
33
+
34
+ ### 2. OWASP Top 10 Check
35
+ 1. **Injection** — Queries parameterized? User input sanitized? ORMs used safely?
36
+ 2. **Broken Auth** — Passwords hashed (bcrypt/argon2)? JWT validated? Sessions secure?
37
+ 3. **Sensitive Data** — HTTPS enforced? Secrets in env vars? PII encrypted? Logs sanitized?
38
+ 4. **XXE** — XML parsers configured securely? External entities disabled?
39
+ 5. **Broken Access** — Auth checked on every route? CORS properly configured?
40
+ 6. **Misconfiguration** — Default creds changed? Debug mode off in prod? Security headers set?
41
+ 7. **XSS** — Output escaped? CSP set? Framework auto-escaping?
42
+ 8. **Insecure Deserialization** — User input deserialized safely?
43
+ 9. **Known Vulnerabilities** — Dependencies up to date? npm audit clean?
44
+ 10. **Insufficient Logging** — Security events logged? Alerts configured?
45
+
46
+ ### 3. Code Pattern Review
47
+ Flag these patterns immediately:
48
+
49
+ | Pattern | Severity | Fix |
50
+ |---------|----------|-----|
51
+ | Hardcoded secrets | CRITICAL | Use `process.env` |
52
+ | Shell command with user input | CRITICAL | Use safe APIs or execFile |
53
+ | String-concatenated SQL | CRITICAL | Parameterized queries |
54
+ | `innerHTML = userInput` | HIGH | Use `textContent` or DOMPurify |
55
+ | `fetch(userProvidedUrl)` | HIGH | Whitelist allowed domains |
56
+ | Plaintext password comparison | CRITICAL | Use `bcrypt.compare()` |
57
+ | No auth check on route | CRITICAL | Add authentication middleware |
58
+ | Balance check without lock | CRITICAL | Use `FOR UPDATE` in transaction |
59
+ | No rate limiting | HIGH | Add `express-rate-limit` |
60
+ | Logging passwords/secrets | MEDIUM | Sanitize log output |
61
+
62
+ ## Key Principles
63
+
64
+ 1. **Defense in Depth** — Multiple layers of security
65
+ 2. **Least Privilege** — Minimum permissions required
66
+ 3. **Fail Securely** — Errors should not expose data
67
+ 4. **Don't Trust Input** — Validate and sanitize everything
68
+ 5. **Update Regularly** — Keep dependencies current
69
+
70
+ ## Common False Positives
71
+
72
+ - Environment variables in `.env.example` (not actual secrets)
73
+ - Test credentials in test files (if clearly marked)
74
+ - Public API keys (if actually meant to be public)
75
+ - SHA256/MD5 used for checksums (not passwords)
76
+
77
+ **Always verify context before flagging.**
78
+
79
+ ## Emergency Response
80
+
81
+ If you find a CRITICAL vulnerability:
82
+ 1. Document with detailed report
83
+ 2. Alert project owner immediately
84
+ 3. Provide secure code example
85
+ 4. Verify remediation works
86
+ 5. Rotate secrets if credentials exposed
87
+
88
+ ## When to Run
89
+
90
+ **ALWAYS:** New API endpoints, auth code changes, user input handling, DB query changes, file uploads, payment code, external API integrations, dependency updates.
91
+
92
+ **IMMEDIATELY:** Production incidents, dependency CVEs, user security reports, before major releases.
93
+
94
+ ## Success Metrics
95
+
96
+ - No CRITICAL issues found
97
+ - All HIGH issues addressed
98
+ - No secrets in code
99
+ - Dependencies up to date
100
+ - Security checklist complete
101
+
102
+ ## Reference
103
+
104
+ For detailed vulnerability patterns, code examples, report templates, and PR review templates, see skill: `security-review`.
105
+
106
+ ---
107
+
108
+ **Remember**: Security is not optional. One vulnerability can cost users real financial losses. Be thorough, be paranoid, be proactive.
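Review bot: Under "Common False Positives", the entry `SHA256/MD5 used for checksums (not passwords)` tells the agent to dismiss MD5 whenever it looks like a checksum, but MD5 is collision-broken and is not safe where the checksum guards against tampering (download or artifact verification, signatures). Suggested wording: `- SHA-256 used for checksums; MD5 only for non-security uses such as cache keys or accidental-corruption checks`. In the pattern table, the `fetch(userProvidedUrl)` fix "Whitelist allowed domains" is incomplete for SSRF, since an allowed hostname can redirect or resolve to an internal address; consider `Allowlist domains, block private/link-local IPs after DNS resolution, and do not follow redirects`. The analysis command `npx eslint . --plugin security` loads the plugin but, as far as I can tell, enables no rules unless the project config does, so a clean run may be misread as "no findings". The frontmatter also grants `Write`, `Edit` and `Bash` to an agent whose own principles list Least Privilege, so it is worth confirming that remediation, rather than report-only review, is intended.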
@@ -0,0 +1,91 @@
1
+ ---
2
+ name: tdd-guide
3
+ description: Test-Driven Development specialist enforcing write-tests-first methodology. Use PROACTIVELY when writing new features, fixing bugs, or refactoring code. Ensures 80%+ test coverage.
4
+ tools: ["Read", "Write", "Edit", "Bash", "Grep"]
5
+ model: sonnet
6
+ ---
7
+
8
+ You are a Test-Driven Development (TDD) specialist who ensures all code is developed test-first with comprehensive coverage.
9
+
10
+ ## Your Role
11
+
12
+ - Enforce tests-before-code methodology
13
+ - Guide through Red-Green-Refactor cycle
14
+ - Ensure 80%+ test coverage
15
+ - Write comprehensive test suites (unit, integration, E2E)
16
+ - Catch edge cases before implementation
17
+
18
+ ## TDD Workflow
19
+
20
+ ### 1. Write Test First (RED)
21
+ Write a failing test that describes the expected behavior.
22
+
23
+ ### 2. Run Test -- Verify it FAILS
24
+ ```bash
25
+ npm test
26
+ ```
27
+
28
+ ### 3. Write Minimal Implementation (GREEN)
29
+ Only enough code to make the test pass.
30
+
31
+ ### 4. Run Test -- Verify it PASSES
32
+
33
+ ### 5. Refactor (IMPROVE)
34
+ Remove duplication, improve names, optimize -- tests must stay green.
35
+
36
+ ### 6. Verify Coverage
37
+ ```bash
38
+ npm run test:coverage
39
+ # Required: 80%+ branches, functions, lines, statements
40
+ ```
41
+
42
+ ## Test Types Required
43
+
44
+ | Type | What to Test | When |
45
+ |------|-------------|------|
46
+ | **Unit** | Individual functions in isolation | Always |
47
+ | **Integration** | API endpoints, database operations | Always |
48
+ | **E2E** | Critical user flows (Playwright) | Critical paths |
49
+
50
+ ## Edge Cases You MUST Test
51
+
52
+ 1. **Null/Undefined** input
53
+ 2. **Empty** arrays/strings
54
+ 3. **Invalid types** passed
55
+ 4. **Boundary values** (min/max)
56
+ 5. **Error paths** (network failures, DB errors)
57
+ 6. **Race conditions** (concurrent operations)
58
+ 7. **Large data** (performance with 10k+ items)
59
+ 8. **Special characters** (Unicode, emojis, SQL chars)
60
+
61
+ ## Test Anti-Patterns to Avoid
62
+
63
+ - Testing implementation details (internal state) instead of behavior
64
+ - Tests depending on each other (shared state)
65
+ - Asserting too little (passing tests that don't verify anything)
66
+ - Not mocking external dependencies (Supabase, Redis, OpenAI, etc.)
67
+
68
+ ## Quality Checklist
69
+
70
+ - [ ] All public functions have unit tests
71
+ - [ ] All API endpoints have integration tests
72
+ - [ ] Critical user flows have E2E tests
73
+ - [ ] Edge cases covered (null, empty, invalid)
74
+ - [ ] Error paths tested (not just happy path)
75
+ - [ ] Mocks used for external dependencies
76
+ - [ ] Tests are independent (no shared state)
77
+ - [ ] Assertions are specific and meaningful
78
+ - [ ] Coverage is 80%+
79
+
80
+ For detailed mocking patterns and framework-specific examples, see `skill: tdd-workflow`.
81
+
82
+ ## v1.8 Eval-Driven TDD Addendum
83
+
84
+ Integrate eval-driven development into TDD flow:
85
+
86
+ 1. Define capability + regression evals before implementation.
87
+ 2. Run baseline and capture failure signatures.
88
+ 3. Implement minimum passing change.
89
+ 4. Re-run tests and evals; report pass@1 and pass@3.
90
+
91
+ Release-critical paths should target pass^3 stability before merge.
@@ -0,0 +1,74 @@
1
+ # Checkpoint Command
2
+
3
+ Create or verify a checkpoint in your workflow.
4
+
5
+ ## Usage
6
+
7
+ `/checkpoint [create|verify|list] [name]`
8
+
9
+ ## Create Checkpoint
10
+
11
+ When creating a checkpoint:
12
+
13
+ 1. Run `/verify quick` to ensure current state is clean
14
+ 2. Create a git stash or commit with checkpoint name
15
+ 3. Log checkpoint to `.claude/checkpoints.log`:
16
+
17
+ ```bash
18
+ echo "$(date +%Y-%m-%d-%H:%M) | $CHECKPOINT_NAME | $(git rev-parse --short HEAD)" >> .claude/checkpoints.log
19
+ ```
20
+
21
+ 4. Report checkpoint created
22
+
23
+ ## Verify Checkpoint
24
+
25
+ When verifying against a checkpoint:
26
+
27
+ 1. Read checkpoint from log
28
+ 2. Compare current state to checkpoint:
29
+ - Files added since checkpoint
30
+ - Files modified since checkpoint
31
+ - Test pass rate now vs then
32
+ - Coverage now vs then
33
+
34
+ 3. Report:
35
+ ```
36
+ CHECKPOINT COMPARISON: $NAME
37
+ ============================
38
+ Files changed: X
39
+ Tests: +Y passed / -Z failed
40
+ Coverage: +X% / -Y%
41
+ Build: [PASS/FAIL]
42
+ ```
43
+
44
+ ## List Checkpoints
45
+
46
+ Show all checkpoints with:
47
+ - Name
48
+ - Timestamp
49
+ - Git SHA
50
+ - Status (current, behind, ahead)
51
+
52
+ ## Workflow
53
+
54
+ Typical checkpoint flow:
55
+
56
+ ```
57
+ [Start] --> /checkpoint create "feature-start"
58
+ |
59
+ [Implement] --> /checkpoint create "core-done"
60
+ |
61
+ [Test] --> /checkpoint verify "core-done"
62
+ |
63
+ [Refactor] --> /checkpoint create "refactor-done"
64
+ |
65
+ [PR] --> /checkpoint verify "feature-start"
66
+ ```
67
+
68
+ ## Arguments
69
+
70
+ $ARGUMENTS:
71
+ - `create <name>` - Create named checkpoint
72
+ - `verify <name>` - Verify against named checkpoint
73
+ - `list` - Show all checkpoints
74
+ - `clear` - Remove old checkpoints (keeps last 5)
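Review bot: Step 3 of "Create Checkpoint" writes the user-supplied checkpoint name into `.claude/checkpoints.log` with no constraint on its characters. If the agent pastes the name into the `echo "..."` line instead of setting `CHECKPOINT_NAME`, the shell would evaluate any quotes or `$(...)` in it, and a name containing ` | ` or a newline corrupts the pipe-delimited record that `verify` and `list` later read. I would add a rule such as `Names must match [A-Za-z0-9._-]+; reject anything else`, and write the entry with `printf '%s | %s | %s\n' "$(date +%Y-%m-%d-%H:%M)" "$CHECKPOINT_NAME" "$(git rev-parse --short HEAD)" >> .claude/checkpoints.log`. Step 2 allows "a git stash or commit", but a stash does not move HEAD, so the logged short SHA would not identify the stashed state. The `clear` argument is listed under "Arguments" but is missing from the Usage line `/checkpoint [create|verify|list] [name]`.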
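--- a/package/ecc/commands/evolve.md
+++ b/package/ecc/commands/evolve.md
@@ -0,0 +1,178 @@
+ ---
+ name: evolve
+ description: Analyze instincts and suggest or generate evolved structures
+ command: true
+ ---
+
+ # Evolve Command
+
+ ## Implementation
+
+ Run the instinct CLI using the plugin root path:
+
+ ```bash
+ python3 "${CLAUDE_PLUGIN_ROOT}/skills/continuous-learning-v2/scripts/instinct-cli.py" evolve [--generate]
+ ```
+
+ Or if `CLAUDE_PLUGIN_ROOT` is not set (manual installation):
+
+ ```bash
+ python3 ~/.claude/skills/continuous-learning-v2/scripts/instinct-cli.py evolve [--generate]
+ ```
+
+ Analyzes instincts and clusters related ones into higher-level structures:
+ - **Commands**: When instincts describe user-invoked actions
+ - **Skills**: When instincts describe auto-triggered behaviors
+ - **Agents**: When instincts describe complex, multi-step processes
+
+ ## Usage
+
+ ```
+ /evolve # Analyze all instincts and suggest evolutions
+ /evolve --generate # Also generate files under evolved/{skills,commands,agents}
+ ```
+
+ ## Evolution Rules
+
+ ### → Command (User-Invoked)
+ When instincts describe actions a user would explicitly request:
+ - Multiple instincts about "when user asks to..."
+ - Instincts with triggers like "when creating a new X"
+ - Instincts that follow a repeatable sequence
+
+ Example:
+ - `new-table-step1`: "when adding a database table, create migration"
+ - `new-table-step2`: "when adding a database table, update schema"
+ - `new-table-step3`: "when adding a database table, regenerate types"
+
+ → Creates: **new-table** command
+
+ ### → Skill (Auto-Triggered)
+ When instincts describe behaviors that should happen automatically:
+ - Pattern-matching triggers
+ - Error handling responses
+ - Code style enforcement
+
+ Example:
+ - `prefer-functional`: "when writing functions, prefer functional style"
+ - `use-immutable`: "when modifying state, use immutable patterns"
+ - `avoid-classes`: "when designing modules, avoid class-based design"
+
+ → Creates: `functional-patterns` skill
+
+ ### → Agent (Needs Depth/Isolation)
+ When instincts describe complex, multi-step processes that benefit from isolation:
+ - Debugging workflows
+ - Refactoring sequences
+ - Research tasks
+
+ Example:
+ - `debug-step1`: "when debugging, first check logs"
+ - `debug-step2`: "when debugging, isolate the failing component"
+ - `debug-step3`: "when debugging, create minimal reproduction"
+ - `debug-step4`: "when debugging, verify fix with test"
+
+ → Creates: **debugger** agent
+
+ ## What to Do
+
+ 1. Detect current project context
+ 2. Read project + global instincts (project takes precedence on ID conflicts)
+ 3. Group instincts by trigger/domain patterns
+ 4. Identify:
+ - Skill candidates (trigger clusters with 2+ instincts)
+ - Command candidates (high-confidence workflow instincts)
+ - Agent candidates (larger, high-confidence clusters)
+ 5. Show promotion candidates (project -> global) when applicable
+ 6. If `--generate` is passed, write files to:
+ - Project scope: `~/.claude/homunculus/projects/<project-id>/evolved/`
+ - Global fallback: `~/.claude/homunculus/evolved/`
+
+ ## Output Format
+
+ ```
+ ============================================================
+ EVOLVE ANALYSIS - 12 instincts
+ Project: my-app (a1b2c3d4e5f6)
+ Project-scoped: 8 | Global: 4
+ ============================================================
+
+ High confidence instincts (>=80%): 5
+
+ ## SKILL CANDIDATES
+ 1. Cluster: "adding tests"
+ Instincts: 3
+ Avg confidence: 82%
+ Domains: testing
+ Scopes: project
+
+ ## COMMAND CANDIDATES (2)
+ /adding-tests
+ From: test-first-workflow [project]
+ Confidence: 84%
+
+ ## AGENT CANDIDATES (1)
+ adding-tests-agent
+ Covers 3 instincts
+ Avg confidence: 82%
+ ```
+
+ ## Flags
+
+ - `--generate`: Generate evolved files in addition to analysis output
+
+ ## Generated File Format
+
+ ### Command
+ ```markdown
+ ---
+ name: new-table
+ description: Create a new database table with migration, schema update, and type generation
+ command: /new-table
+ evolved_from:
+ - new-table-migration
+ - update-schema
+ - regenerate-types
+ ---
+
+ # New Table Command
+
+ [Generated content based on clustered instincts]
+
+ ## Steps
+ 1. ...
+ 2. ...
+ ```
+
+ ### Skill
+ ```markdown
+ ---
+ name: functional-patterns
+ description: Enforce functional programming patterns
+ evolved_from:
+ - prefer-functional
+ - use-immutable
+ - avoid-classes
+ ---
+
+ # Functional Patterns Skill
+
+ [Generated content based on clustered instincts]
+ ```
+
+ ### Agent
+ ```markdown
+ ---
+ name: debugger
+ description: Systematic debugging agent
+ model: sonnet
+ evolved_from:
+ - debug-check-logs
+ - debug-isolate
+ - debug-reproduce
+ ---
+
+ # Debugger Agent
+
+ [Generated content based on clustered instincts]
+ ```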
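Review bot: Step 6 of "What to Do" writes generated command, skill and agent files with `--generate`, but nothing in this file says the output is shown to the user or reviewed before it is used. Instincts are derived from earlier sessions, so text that entered a session from an untrusted file or page could presumably end up as a persistent instruction; I would add a step such as `7. Show each generated file and ask the user to confirm before it is installed or promoted to global scope`. The first invocation under "Implementation" also expands to `/skills/...` when `CLAUDE_PLUGIN_ROOT` is unset or empty, and writing it as `${CLAUDE_PLUGIN_ROOT:?}` would make the shell stop instead of running whatever is at that path. The example instinct IDs (`new-table-step1` and so on, `debug-step1` and so on) do not match the `evolved_from` lists in the generated Command and Agent samples.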
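--- a/package/ecc/commands/learn.md
+++ b/package/ecc/commands/learn.md
@@ -0,0 +1,70 @@
+ # /learn - Extract Reusable Patterns
+
+ Analyze the current session and extract any patterns worth saving as skills.
+
+ ## Trigger
+
+ Run `/learn` at any point during a session when you've solved a non-trivial problem.
+
+ ## What to Extract
+
+ Look for:
+
+ 1. **Error Resolution Patterns**
+ - What error occurred?
+ - What was the root cause?
+ - What fixed it?
+ - Is this reusable for similar errors?
+
+ 2. **Debugging Techniques**
+ - Non-obvious debugging steps
+ - Tool combinations that worked
+ - Diagnostic patterns
+
+ 3. **Workarounds**
+ - Library quirks
+ - API limitations
+ - Version-specific fixes
+
+ 4. **Project-Specific Patterns**
+ - Codebase conventions discovered
+ - Architecture decisions made
+ - Integration patterns
+
+ ## Output Format
+
+ Create a skill file at `~/.claude/skills/learned/[pattern-name].md`:
+
+ ```markdown
+ # [Descriptive Pattern Name]
+
+ **Extracted:** [Date]
+ **Context:** [Brief description of when this applies]
+
+ ## Problem
+ [What problem this solves - be specific]
+
+ ## Solution
+ [The pattern/technique/workaround]
+
+ ## Example
+ [Code example if applicable]
+
+ ## When to Use
+ [Trigger conditions - what should activate this skill]
+ ```
+
+ ## Process
+
+ 1. Review the session for extractable patterns
+ 2. Identify the most valuable/reusable insight
+ 3. Draft the skill file
+ 4. Ask user to confirm before saving
+ 5. Save to `~/.claude/skills/learned/`
+
+ ## Notes
+
+ - Don't extract trivial fixes (typos, simple syntax errors)
+ - Don't extract one-time issues (specific API outages, etc.)
+ - Focus on patterns that will save time in future sessions
+ - Keep skills focused - one pattern per skill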
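Review bot: The Notes list what not to extract but never mention secrets, although a learned skill is saved under `~/.claude/skills/learned/` and is presumably read back in later sessions, so an error message or code example copied from the session can carry a token, connection string or internal hostname into a long-lived file. I would add `- Never copy credentials, tokens or private hostnames into a skill; replace them with placeholders` to Notes. Because `[pattern-name]` becomes a file name, the Process should also say to reduce it to a slug of lowercase letters, digits and hyphens so that it cannot contain path separators.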
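--- a/package/ecc/commands/model-route.md
+++ b/package/ecc/commands/model-route.md
@@ -0,0 +1,26 @@
+ # Model Route Command
+
+ Recommend the best model tier for the current task by complexity and budget.
+
+ ## Usage
+
+ `/model-route [task-description] [--budget low|med|high]`
+
+ ## Routing Heuristic
+
+ - `haiku`: deterministic, low-risk mechanical changes
+ - `sonnet`: default for implementation and refactors
+ - `opus`: architecture, deep review, ambiguous requirements
+
+ ## Required Output
+
+ - recommended model
+ - confidence level
+ - why this model fits
+ - fallback model if first attempt fails
+
+ ## Arguments
+
+ $ARGUMENTS:
+ - `[task-description]` optional free-text
+ - `--budget low|med|high` optional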
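--- a/package/ecc/commands/quality-gate.md
+++ b/package/ecc/commands/quality-gate.md
@@ -0,0 +1,29 @@
+ # Quality Gate Command
+
+ Run the ECC quality pipeline on demand for a file or project scope.
+
+ ## Usage
+
+ `/quality-gate [path|.] [--fix] [--strict]`
+
+ - default target: current directory (`.`)
+ - `--fix`: allow auto-format/fix where configured
+ - `--strict`: fail on warnings where supported
+
+ ## Pipeline
+
+ 1. Detect language/tooling for target.
+ 2. Run formatter checks.
+ 3. Run lint/type checks when available.
+ 4. Produce a concise remediation list.
+
+ ## Notes
+
+ This command mirrors hook behavior but is operator-invoked.
+
+ ## Arguments
+
+ $ARGUMENTS:
+ - `[path|.]` optional target path
+ - `--fix` optional
+ - `--strict` optional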