claude-code-pilot 3.0.0 → 3.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (124) hide show
  1. package/README.md +76 -97
  2. package/bin/install.js +13 -13
  3. package/manifest.json +1 -1
  4. package/package.json +1 -1
  5. package/src/agents/doc-updater.md +1 -1
  6. package/src/agents/gan-evaluator.md +209 -0
  7. package/src/agents/gan-generator.md +131 -0
  8. package/src/agents/gan-planner.md +99 -0
  9. package/src/agents/harness-optimizer.md +35 -0
  10. package/src/agents/loop-operator.md +36 -0
  11. package/src/agents/opensource-forker.md +198 -0
  12. package/src/agents/opensource-packager.md +249 -0
  13. package/src/agents/opensource-sanitizer.md +188 -0
  14. package/src/agents/performance-optimizer.md +446 -0
  15. package/src/available-rules/README.md +1 -1
  16. package/src/commands/{aside.md → ccp/aside.md} +14 -13
  17. package/src/commands/{build-fix.md → ccp/build-fix.md} +5 -0
  18. package/src/commands/{checkpoint.md → ccp/checkpoint.md} +12 -7
  19. package/src/commands/{code-review.md → ccp/code-review.md} +5 -0
  20. package/src/commands/{context-budget.md → ccp/context-budget.md} +2 -1
  21. package/src/commands/{cpp-build.md → ccp/cpp-build.md} +6 -5
  22. package/src/commands/{cpp-review.md → ccp/cpp-review.md} +7 -6
  23. package/src/commands/{cpp-test.md → ccp/cpp-test.md} +6 -5
  24. package/src/commands/ccp/docs-update.md +48 -0
  25. package/src/commands/{docs.md → ccp/docs.md} +4 -3
  26. package/src/commands/{e2e.md → ccp/e2e.md} +7 -6
  27. package/src/commands/{eval.md → ccp/eval.md} +10 -5
  28. package/src/commands/{evolve.md → ccp/evolve.md} +3 -3
  29. package/src/commands/{go-build.md → ccp/go-build.md} +6 -5
  30. package/src/commands/{go-review.md → ccp/go-review.md} +7 -6
  31. package/src/commands/{go-test.md → ccp/go-test.md} +6 -5
  32. package/src/commands/{gradle-build.md → ccp/gradle-build.md} +1 -0
  33. package/src/commands/{harness-audit.md → ccp/harness-audit.md} +6 -1
  34. package/src/commands/{kotlin-build.md → ccp/kotlin-build.md} +6 -5
  35. package/src/commands/{kotlin-review.md → ccp/kotlin-review.md} +7 -6
  36. package/src/commands/{kotlin-test.md → ccp/kotlin-test.md} +6 -5
  37. package/src/commands/{learn.md → ccp/learn.md} +7 -2
  38. package/src/commands/{model-route.md → ccp/model-route.md} +6 -1
  39. package/src/commands/{orchestrate.md → ccp/orchestrate.md} +4 -3
  40. package/src/commands/{plan.md → ccp/plan.md} +6 -5
  41. package/src/commands/ccp/profile-user.md +46 -0
  42. package/src/commands/{prompt-optimize.md → ccp/prompt-optimize.md} +3 -2
  43. package/src/commands/{prune.md → ccp/prune.md} +4 -4
  44. package/src/commands/{python-review.md → ccp/python-review.md} +7 -6
  45. package/src/commands/{quality-gate.md → ccp/quality-gate.md} +6 -1
  46. package/src/commands/{refactor-clean.md → ccp/refactor-clean.md} +5 -0
  47. package/src/commands/{resume-session.md → ccp/resume-session.md} +9 -8
  48. package/src/commands/ccp/review.md +37 -0
  49. package/src/commands/{rules-distill.md → ccp/rules-distill.md} +2 -1
  50. package/src/commands/{rust-build.md → ccp/rust-build.md} +6 -5
  51. package/src/commands/{rust-review.md → ccp/rust-review.md} +7 -6
  52. package/src/commands/{rust-test.md → ccp/rust-test.md} +6 -5
  53. package/src/commands/{save-session.md → ccp/save-session.md} +2 -1
  54. package/src/commands/ccp/secure-phase.md +35 -0
  55. package/src/commands/{sessions.md → ccp/sessions.md} +29 -24
  56. package/src/commands/{setup-pm.md → ccp/setup-pm.md} +1 -0
  57. package/src/commands/{setup-refresh.md → ccp/setup-refresh.md} +4 -3
  58. package/src/commands/{setup.md → ccp/setup.md} +24 -23
  59. package/src/commands/{skill-create.md → ccp/skill-create.md} +8 -8
  60. package/src/commands/{skill-health.md → ccp/skill-health.md} +5 -5
  61. package/src/commands/{tdd.md → ccp/tdd.md} +9 -8
  62. package/src/commands/{test-coverage.md → ccp/test-coverage.md} +5 -0
  63. package/src/commands/{tool-guide.md → ccp/tool-guide.md} +2 -1
  64. package/src/commands/{update-codemaps.md → ccp/update-codemaps.md} +5 -0
  65. package/src/commands/{update-docs.md → ccp/update-docs.md} +5 -0
  66. package/src/commands/{verify.md → ccp/verify.md} +5 -0
  67. package/src/commands/ccp/workstreams.md +68 -0
  68. package/src/examples/CLAUDE.md +4 -4
  69. package/src/examples/django-api-CLAUDE.md +5 -5
  70. package/src/examples/go-microservice-CLAUDE.md +6 -6
  71. package/src/examples/rust-api-CLAUDE.md +4 -4
  72. package/src/examples/saas-nextjs-CLAUDE.md +8 -8
  73. package/src/hooks/session-start.js +1 -1
  74. package/src/pilot/references/mcp-servers.json +1 -1
  75. package/src/pilot/workflows/docs-update.md +1165 -0
  76. package/src/pilot/workflows/help.md +48 -56
  77. package/src/pilot/workflows/profile-user.md +452 -0
  78. package/src/pilot/workflows/review.md +244 -0
  79. package/src/pilot/workflows/secure-phase.md +164 -0
  80. package/src/rules/common/code-review.md +124 -0
  81. package/src/rules/zh/README.md +108 -0
  82. package/src/rules/zh/agents.md +50 -0
  83. package/src/rules/zh/code-review.md +124 -0
  84. package/src/rules/zh/coding-style.md +48 -0
  85. package/src/rules/zh/development-workflow.md +44 -0
  86. package/src/rules/zh/git-workflow.md +24 -0
  87. package/src/rules/zh/hooks.md +30 -0
  88. package/src/rules/zh/patterns.md +31 -0
  89. package/src/rules/zh/performance.md +55 -0
  90. package/src/rules/zh/security.md +29 -0
  91. package/src/rules/zh/testing.md +29 -0
  92. package/src/skills/autonomous-agent-harness/SKILL.md +267 -0
  93. package/src/skills/autonomous-loops/SKILL.md +610 -0
  94. package/src/skills/bun-runtime/SKILL.md +84 -0
  95. package/src/skills/content-hash-cache-pattern/SKILL.md +161 -0
  96. package/src/skills/context-budget/SKILL.md +3 -3
  97. package/src/skills/continuous-learning-v2/SKILL.md +4 -4
  98. package/src/skills/continuous-learning-v2/agents/observer.md +1 -1
  99. package/src/skills/cost-aware-llm-pipeline/SKILL.md +183 -0
  100. package/src/skills/design-system/SKILL.md +82 -0
  101. package/src/skills/eval-harness/SKILL.md +270 -0
  102. package/src/skills/flutter-dart-code-review/SKILL.md +435 -0
  103. package/src/skills/gan-style-harness/SKILL.md +278 -0
  104. package/src/skills/git-workflow/SKILL.md +715 -0
  105. package/src/skills/hexagonal-architecture/SKILL.md +276 -0
  106. package/src/skills/iterative-retrieval/SKILL.md +211 -0
  107. package/src/skills/laravel-plugin-discovery/SKILL.md +229 -0
  108. package/src/skills/nextjs-turbopack/SKILL.md +44 -0
  109. package/src/skills/nuxt4-patterns/SKILL.md +100 -0
  110. package/src/skills/opensource-pipeline/SKILL.md +255 -0
  111. package/src/skills/perl-security/SKILL.md +503 -0
  112. package/src/skills/project-flow-ops/SKILL.md +111 -0
  113. package/src/skills/project-guidelines-example/SKILL.md +349 -0
  114. package/src/skills/prompt-optimizer/SKILL.md +38 -38
  115. package/src/skills/pytorch-patterns/SKILL.md +396 -0
  116. package/src/skills/regex-vs-llm-structured-text/SKILL.md +220 -0
  117. package/src/skills/repo-scan/SKILL.md +78 -0
  118. package/src/skills/rules-distill/SKILL.md +264 -0
  119. package/src/skills/rules-distill/scripts/scan-rules.sh +58 -0
  120. package/src/skills/rules-distill/scripts/scan-skills.sh +129 -0
  121. package/src/skills/swift-concurrency-6-2/SKILL.md +216 -0
  122. package/src/skills/token-budget-advisor/SKILL.md +133 -0
  123. package/src/skills/verification-loop/SKILL.md +1 -1
  124. package/src/skills/workspace-surface-audit/SKILL.md +125 -0
@@ -0,0 +1,244 @@
1
+ <purpose>
2
+ Cross-AI peer review — invoke external AI CLIs to independently review phase plans.
3
+ Each CLI gets the same prompt (PROJECT.md context, phase plans, requirements) and
4
+ produces structured feedback. Results are combined into REVIEWS.md for the planner
5
+ to incorporate via --reviews flag.
6
+
7
+ This implements adversarial review: different AI models catch different blind spots.
8
+ A plan that survives review from 2-3 independent AI systems is more robust.
9
+ </purpose>
10
+
11
+ <process>
12
+
13
+ <step name="detect_clis">
14
+ Check which AI CLIs are available on the system:
15
+
16
+ ```bash
17
+ # Check each CLI
18
+ command -v gemini >/dev/null 2>&1 && echo "gemini:available" || echo "gemini:missing"
19
+ command -v claude >/dev/null 2>&1 && echo "claude:available" || echo "claude:missing"
20
+ command -v codex >/dev/null 2>&1 && echo "codex:available" || echo "codex:missing"
21
+ command -v coderabbit >/dev/null 2>&1 && echo "coderabbit:available" || echo "coderabbit:missing"
22
+ ```
23
+
24
+ Parse flags from `$ARGUMENTS`:
25
+ - `--gemini` → include Gemini
26
+ - `--claude` → include Claude
27
+ - `--codex` → include Codex
28
+ - `--coderabbit` → include CodeRabbit
29
+ - `--all` → include all available
30
+ - No flags → include all available
31
+
32
+ If no CLIs are available:
33
+ ```
34
+ No external AI CLIs found. Install at least one:
35
+ - gemini: https://github.com/google-gemini/gemini-cli
36
+ - codex: https://github.com/openai/codex
37
+ - claude: https://github.com/anthropics/claude-code
38
+
39
+ Then run /ccp:review again.
40
+ ```
41
+ Exit.
42
+
43
+ If only one CLI is the current runtime (e.g. running inside Claude), skip it for the review
44
+ to ensure independence. At least one DIFFERENT CLI must be available.
45
+ </step>
46
+
47
+ <step name="gather_context">
48
+ Collect phase artifacts for the review prompt:
49
+
50
+ ```bash
51
+ INIT=$(node "$HOME/.claude/pilot/bin/ccp-tools.cjs" init phase-op "${PHASE_ARG}")
52
+ if [[ "$INIT" == @file:* ]]; then INIT=$(cat "${INIT#@file:}"); fi
53
+ ```
54
+
55
+ Read from init: `phase_dir`, `phase_number`, `padded_phase`.
56
+
57
+ Then read:
58
+ 1. `.planning/PROJECT.md` (first 80 lines — project context)
59
+ 2. Phase section from `.planning/ROADMAP.md`
60
+ 3. All `*-PLAN.md` files in the phase directory
61
+ 4. `*-CONTEXT.md` if present (user decisions)
62
+ 5. `*-RESEARCH.md` if present (domain research)
63
+ 6. `.planning/REQUIREMENTS.md` (requirements this phase addresses)
64
+ </step>
65
+
66
+ <step name="build_prompt">
67
+ Build a structured review prompt:
68
+
69
+ ```markdown
70
+ # Cross-AI Plan Review Request
71
+
72
+ You are reviewing implementation plans for a software project phase.
73
+ Provide structured feedback on plan quality, completeness, and risks.
74
+
75
+ ## Project Context
76
+ {first 80 lines of PROJECT.md}
77
+
78
+ ## Phase {N}: {phase name}
79
+ ### Roadmap Section
80
+ {roadmap phase section}
81
+
82
+ ### Requirements Addressed
83
+ {requirements for this phase}
84
+
85
+ ### User Decisions (CONTEXT.md)
86
+ {context if present}
87
+
88
+ ### Research Findings
89
+ {research if present}
90
+
91
+ ### Plans to Review
92
+ {all PLAN.md contents}
93
+
94
+ ## Review Instructions
95
+
96
+ Analyze each plan and provide:
97
+
98
+ 1. **Summary** — One-paragraph assessment
99
+ 2. **Strengths** — What's well-designed (bullet points)
100
+ 3. **Concerns** — Potential issues, gaps, risks (bullet points with severity: HIGH/MEDIUM/LOW)
101
+ 4. **Suggestions** — Specific improvements (bullet points)
102
+ 5. **Risk Assessment** — Overall risk level (LOW/MEDIUM/HIGH) with justification
103
+
104
+ Focus on:
105
+ - Missing edge cases or error handling
106
+ - Dependency ordering issues
107
+ - Scope creep or over-engineering
108
+ - Security considerations
109
+ - Performance implications
110
+ - Whether the plans actually achieve the phase goals
111
+
112
+ Output your review in markdown format.
113
+ ```
114
+
115
+ Write to a temp file: `/tmp/ccp-review-prompt-{phase}.md`
116
+ </step>
117
+
118
+ <step name="invoke_reviewers">
119
+ For each selected CLI, invoke in sequence (not parallel — avoid rate limits):
120
+
121
+ **Gemini:**
122
+ ```bash
123
+ gemini -p "$(cat /tmp/ccp-review-prompt-{phase}.md)" 2>/dev/null > /tmp/ccp-review-gemini-{phase}.md
124
+ ```
125
+
126
+ **Claude (separate session):**
127
+ ```bash
128
+ claude -p "$(cat /tmp/ccp-review-prompt-{phase}.md)" --no-input 2>/dev/null > /tmp/ccp-review-claude-{phase}.md
129
+ ```
130
+
131
+ **Codex:**
132
+ ```bash
133
+ codex exec --skip-git-repo-check "$(cat /tmp/ccp-review-prompt-{phase}.md)" 2>/dev/null > /tmp/ccp-review-codex-{phase}.md
134
+ ```
135
+
136
+ **CodeRabbit:**
137
+
138
+ Note: CodeRabbit reviews the current git diff/working tree — it does not accept a prompt. It may take up to 5 minutes. Use `timeout: 360000` on the Bash tool call.
139
+
140
+ ```bash
141
+ coderabbit review --prompt-only 2>/dev/null > /tmp/ccp-review-coderabbit-{phase}.md
142
+ ```
143
+
144
+ If a CLI fails, log the error and continue with remaining CLIs.
145
+
146
+ Display progress:
147
+ ```
148
+ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
149
+ CCP > CROSS-AI REVIEW — Phase {N}
150
+ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
151
+
152
+ ◆ Reviewing with {CLI}... done ✓
153
+ ◆ Reviewing with {CLI}... done ✓
154
+ ```
155
+ </step>
156
+
157
+ <step name="write_reviews">
158
+ Combine all review responses into `{phase_dir}/{padded_phase}-REVIEWS.md`:
159
+
160
+ ```markdown
161
+ ---
162
+ phase: {N}
163
+ reviewers: [gemini, claude, codex, coderabbit]
164
+ reviewed_at: {ISO timestamp}
165
+ plans_reviewed: [{list of PLAN.md files}]
166
+ ---
167
+
168
+ # Cross-AI Plan Review — Phase {N}
169
+
170
+ ## Gemini Review
171
+
172
+ {gemini review content}
173
+
174
+ ---
175
+
176
+ ## Claude Review
177
+
178
+ {claude review content}
179
+
180
+ ---
181
+
182
+ ## Codex Review
183
+
184
+ {codex review content}
185
+
186
+ ---
187
+
188
+ ## CodeRabbit Review
189
+
190
+ {coderabbit review content}
191
+
192
+ ---
193
+
194
+ ## Consensus Summary
195
+
196
+ {synthesize common concerns across all reviewers}
197
+
198
+ ### Agreed Strengths
199
+ {strengths mentioned by 2+ reviewers}
200
+
201
+ ### Agreed Concerns
202
+ {concerns raised by 2+ reviewers — highest priority}
203
+
204
+ ### Divergent Views
205
+ {where reviewers disagreed — worth investigating}
206
+ ```
207
+
208
+ Commit:
209
+ ```bash
210
+ node "$HOME/.claude/pilot/bin/ccp-tools.cjs" commit "docs: cross-AI review for phase {N}" --files {phase_dir}/{padded_phase}-REVIEWS.md
211
+ ```
212
+ </step>
213
+
214
+ <step name="present_results">
215
+ Display summary:
216
+
217
+ ```
218
+ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
219
+ CCP > REVIEW COMPLETE
220
+ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
221
+
222
+ Phase {N} reviewed by {count} AI systems.
223
+
224
+ Consensus concerns:
225
+ {top 3 shared concerns}
226
+
227
+ Full review: {padded_phase}-REVIEWS.md
228
+
229
+ To incorporate feedback into planning:
230
+ /ccp:plan-phase {N} --reviews
231
+ ```
232
+
233
+ Clean up temp files.
234
+ </step>
235
+
236
+ </process>
237
+
238
+ <success_criteria>
239
+ - [ ] At least one external CLI invoked successfully
240
+ - [ ] REVIEWS.md written with structured feedback
241
+ - [ ] Consensus summary synthesized from multiple reviewers
242
+ - [ ] Temp files cleaned up
243
+ - [ ] User knows how to use feedback (/ccp:plan-phase --reviews)
244
+ </success_criteria>
@@ -0,0 +1,164 @@
1
+ <purpose>
2
+ Verify threat mitigations for a completed phase. Confirm PLAN.md threat register dispositions are resolved. Update SECURITY.md.
3
+ </purpose>
4
+
5
+ <required_reading>
6
+ @~/.claude/pilot/references/ui-brand.md
7
+ </required_reading>
8
+
9
+ <available_agent_types>
10
+ Valid CCP subagent types (use exact names — do not fall back to 'general-purpose'):
11
+ - ccp-security-auditor — Verifies threat mitigation coverage
12
+ </available_agent_types>
13
+
14
+ <process>
15
+
16
+ ## 0. Initialize
17
+
18
+ ```bash
19
+ INIT=$(node "$HOME/.claude/pilot/bin/ccp-tools.cjs" init phase-op "${PHASE_ARG}")
20
+ if [[ "$INIT" == @file:* ]]; then INIT=$(cat "${INIT#@file:}"); fi
21
+ AGENT_SKILLS_AUDITOR=$(node "$HOME/.claude/pilot/bin/ccp-tools.cjs" agent-skills ccp-security-auditor 2>/dev/null)
22
+ ```
23
+
24
+ Parse: `phase_dir`, `phase_number`, `phase_name`, `phase_slug`, `padded_phase`.
25
+
26
+ ```bash
27
+ AUDITOR_MODEL=$(node "$HOME/.claude/pilot/bin/ccp-tools.cjs" resolve-model ccp-security-auditor --raw)
28
+ SECURITY_CFG=$(node "$HOME/.claude/pilot/bin/ccp-tools.cjs" config-get workflow.security_enforcement --raw 2>/dev/null || echo "true")
29
+ ```
30
+
31
+ If `SECURITY_CFG` is `false`: exit with "Security enforcement disabled. Enable via /ccp:settings."
32
+
33
+ Display banner: `CCP > SECURE PHASE {N}: {name}`
34
+
35
+ ## 1. Detect Input State
36
+
37
+ ```bash
38
+ SECURITY_FILE=$(ls "${PHASE_DIR}"/*-SECURITY.md 2>/dev/null | head -1)
39
+ PLAN_FILES=$(ls "${PHASE_DIR}"/*-PLAN.md 2>/dev/null)
40
+ SUMMARY_FILES=$(ls "${PHASE_DIR}"/*-SUMMARY.md 2>/dev/null)
41
+ ```
42
+
43
+ - **State A** (`SECURITY_FILE` non-empty): Audit existing
44
+ - **State B** (`SECURITY_FILE` empty, `PLAN_FILES` and `SUMMARY_FILES` non-empty): Run from artifacts
45
+ - **State C** (`SUMMARY_FILES` empty): Exit — "Phase {N} not executed. Run /ccp:execute-phase {N} first."
46
+
47
+ ## 2. Discovery
48
+
49
+ ### 2a. Read Phase Artifacts
50
+
51
+ Read PLAN.md — extract `<threat_model>` block: trust boundaries, STRIDE register (`threat_id`, `category`, `component`, `disposition`, `mitigation_plan`).
52
+
53
+ ### 2b. Read Summary Threat Flags
54
+
55
+ Read SUMMARY.md — extract `## Threat Flags` entries.
56
+
57
+ ### 2c. Build Threat Register
58
+
59
+ Per threat: `{ threat_id, category, component, disposition, mitigation_pattern, files_to_check }`
60
+
61
+ ## 3. Threat Classification
62
+
63
+ Classify each threat:
64
+
65
+ | Status | Criteria |
66
+ |--------|----------|
67
+ | CLOSED | mitigation found OR accepted risk documented in SECURITY.md OR transfer documented |
68
+ | OPEN | none of the above |
69
+
70
+ Build: `{ threat_id, category, component, disposition, status, evidence }`
71
+
72
+ If `threats_open: 0` → skip to Step 6 directly.
73
+
74
+ ## 4. Present Threat Plan
75
+
76
+ Call AskUserQuestion with threat table and options:
77
+ 1. "Verify all open threats" → Step 5
78
+ 2. "Accept all open — document in accepted risks log" → add to SECURITY.md accepted risks, set all CLOSED, Step 6
79
+ 3. "Cancel" → exit
80
+
81
+ ## 5. Spawn ccp-security-auditor
82
+
83
+ ```
84
+ Task(
85
+ prompt="Read ./.claude/agents/ccp-security-auditor.md for instructions.\n\n" +
86
+ "<files_to_read>{PLAN, SUMMARY, impl files, SECURITY.md}</files_to_read>" +
87
+ "<threat_register>{threat register}</threat_register>" +
88
+ "<config>asvs_level: {SECURITY_ASVS}, block_on: {SECURITY_BLOCK_ON}</config>" +
89
+ "<constraints>Never modify implementation files. Verify mitigations exist — do not scan for new threats. Escalate implementation gaps.</constraints>" +
90
+ "${AGENT_SKILLS_AUDITOR}",
91
+ subagent_type="ccp-security-auditor",
92
+ model="{AUDITOR_MODEL}",
93
+ description="Verify threat mitigations for Phase {N}"
94
+ )
95
+ ```
96
+
97
+ Handle return:
98
+ - `## SECURED` → record closures → Step 6
99
+ - `## OPEN_THREATS` → record closed + open, present user with accept/block choice → Step 6
100
+ - `## ESCALATE` → present to user → Step 6
101
+
102
+ ## 6. Write/Update SECURITY.md
103
+
104
+ **State B (create):**
105
+ 1. Read template from `./.claude/pilot/templates/SECURITY.md`
106
+ 2. Fill: frontmatter, threat register, accepted risks, audit trail
107
+ 3. Write to `${PHASE_DIR}/${PADDED_PHASE}-SECURITY.md`
108
+
109
+ **State A (update):**
110
+ 1. Update threat register statuses, append to audit trail:
111
+
112
+ ```markdown
113
+ ## Security Audit {date}
114
+ | Metric | Count |
115
+ |--------|-------|
116
+ | Threats found | {N} |
117
+ | Closed | {M} |
118
+ | Open | {K} |
119
+ ```
120
+
121
+ **ENFORCING GATE:** If `threats_open > 0` after all options exhausted (user did not accept, not all verified closed):
122
+
123
+ ```
124
+ CCP > PHASE {N} SECURITY BLOCKED
125
+ {K} threats open — phase advancement blocked until threats_open: 0
126
+ ▶ Fix mitigations then re-run: /ccp:secure-phase {N}
127
+ ▶ Or document accepted risks in SECURITY.md and re-run.
128
+ ```
129
+
130
+ Do NOT emit next-phase routing. Stop here.
131
+
132
+ ## 7. Commit
133
+
134
+ ```bash
135
+ node "$HOME/.claude/pilot/bin/ccp-tools.cjs" commit "docs(phase-${PHASE}): add/update security threat verification"
136
+ ```
137
+
138
+ ## 8. Results + Routing
139
+
140
+ **Secured (threats_open: 0):**
141
+ ```
142
+ CCP > PHASE {N} THREAT-SECURE
143
+ threats_open: 0 — all threats have dispositions.
144
+ ▶ /ccp:validate-phase {N} validate test coverage
145
+ ▶ /ccp:verify-work {N} run UAT
146
+ ```
147
+
148
+ Display `/clear` reminder.
149
+
150
+ </process>
151
+
152
+ <success_criteria>
153
+ - [ ] Security enforcement checked — exit if false
154
+ - [ ] Input state detected (A/B/C) — state C exits cleanly
155
+ - [ ] PLAN.md threat model parsed, register built
156
+ - [ ] SUMMARY.md threat flags incorporated
157
+ - [ ] threats_open: 0 → skip directly to Step 6
158
+ - [ ] User gate with threat table presented
159
+ - [ ] Auditor spawned with complete context
160
+ - [ ] All three return formats (SECURED/OPEN_THREATS/ESCALATE) handled
161
+ - [ ] SECURITY.md created or updated
162
+ - [ ] threats_open > 0 BLOCKS advancement (no next-phase routing emitted)
163
+ - [ ] Results with routing presented on success
164
+ </success_criteria>
@@ -0,0 +1,124 @@
1
+ # Code Review Standards
2
+
3
+ ## Purpose
4
+
5
+ Code review ensures quality, security, and maintainability before code is merged. This rule defines when and how to conduct code reviews.
6
+
7
+ ## When to Review
8
+
9
+ **MANDATORY review triggers:**
10
+
11
+ - After writing or modifying code
12
+ - Before any commit to shared branches
13
+ - When security-sensitive code is changed (auth, payments, user data)
14
+ - When architectural changes are made
15
+ - Before merging pull requests
16
+
17
+ **Pre-Review Requirements:**
18
+
19
+ Before requesting review, ensure:
20
+
21
+ - All automated checks (CI/CD) are passing
22
+ - Merge conflicts are resolved
23
+ - Branch is up to date with target branch
24
+
25
+ ## Review Checklist
26
+
27
+ Before marking code complete:
28
+
29
+ - [ ] Code is readable and well-named
30
+ - [ ] Functions are focused (<50 lines)
31
+ - [ ] Files are cohesive (<800 lines)
32
+ - [ ] No deep nesting (>4 levels)
33
+ - [ ] Errors are handled explicitly
34
+ - [ ] No hardcoded secrets or credentials
35
+ - [ ] No console.log or debug statements
36
+ - [ ] Tests exist for new functionality
37
+ - [ ] Test coverage meets 80% minimum
38
+
39
+ ## Security Review Triggers
40
+
41
+ **STOP and use security-reviewer agent when:**
42
+
43
+ - Authentication or authorization code
44
+ - User input handling
45
+ - Database queries
46
+ - File system operations
47
+ - External API calls
48
+ - Cryptographic operations
49
+ - Payment or financial code
50
+
51
+ ## Review Severity Levels
52
+
53
+ | Level | Meaning | Action |
54
+ |-------|---------|--------|
55
+ | CRITICAL | Security vulnerability or data loss risk | **BLOCK** - Must fix before merge |
56
+ | HIGH | Bug or significant quality issue | **WARN** - Should fix before merge |
57
+ | MEDIUM | Maintainability concern | **INFO** - Consider fixing |
58
+ | LOW | Style or minor suggestion | **NOTE** - Optional |
59
+
60
+ ## Agent Usage
61
+
62
+ Use these agents for code review:
63
+
64
+ | Agent | Purpose |
65
+ |-------|---------|
66
+ | **code-reviewer** | General code quality, patterns, best practices |
67
+ | **security-reviewer** | Security vulnerabilities, OWASP Top 10 |
68
+ | **typescript-reviewer** | TypeScript/JavaScript specific issues |
69
+ | **python-reviewer** | Python specific issues |
70
+ | **go-reviewer** | Go specific issues |
71
+ | **rust-reviewer** | Rust specific issues |
72
+
73
+ ## Review Workflow
74
+
75
+ ```
76
+ 1. Run git diff to understand changes
77
+ 2. Check security checklist first
78
+ 3. Review code quality checklist
79
+ 4. Run relevant tests
80
+ 5. Verify coverage >= 80%
81
+ 6. Use appropriate agent for detailed review
82
+ ```
83
+
84
+ ## Common Issues to Catch
85
+
86
+ ### Security
87
+
88
+ - Hardcoded credentials (API keys, passwords, tokens)
89
+ - SQL injection (string concatenation in queries)
90
+ - XSS vulnerabilities (unescaped user input)
91
+ - Path traversal (unsanitized file paths)
92
+ - CSRF protection missing
93
+ - Authentication bypasses
94
+
95
+ ### Code Quality
96
+
97
+ - Large functions (>50 lines) - split into smaller
98
+ - Large files (>800 lines) - extract modules
99
+ - Deep nesting (>4 levels) - use early returns
100
+ - Missing error handling - handle explicitly
101
+ - Mutation patterns - prefer immutable operations
102
+ - Missing tests - add test coverage
103
+
104
+ ### Performance
105
+
106
+ - N+1 queries - use JOINs or batching
107
+ - Missing pagination - add LIMIT to queries
108
+ - Unbounded queries - add constraints
109
+ - Missing caching - cache expensive operations
110
+
111
+ ## Approval Criteria
112
+
113
+ - **Approve**: No CRITICAL or HIGH issues
114
+ - **Warning**: Only HIGH issues (merge with caution)
115
+ - **Block**: CRITICAL issues found
116
+
117
+ ## Integration with Other Rules
118
+
119
+ This rule works with:
120
+
121
+ - [testing.md](testing.md) - Test coverage requirements
122
+ - [security.md](security.md) - Security checklist
123
+ - [git-workflow.md](git-workflow.md) - Commit standards
124
+ - [agents.md](agents.md) - Agent delegation
@@ -0,0 +1,108 @@
1
+ # 规则
2
+
3
+ ## 结构
4
+
5
+ 规则按**通用**层和**语言特定**目录组织:
6
+
7
+ ```
8
+ rules/
9
+ ├── common/ # 语言无关的原则(始终安装)
10
+ │ ├── coding-style.md
11
+ │ ├── git-workflow.md
12
+ │ ├── testing.md
13
+ │ ├── performance.md
14
+ │ ├── patterns.md
15
+ │ ├── hooks.md
16
+ │ ├── agents.md
17
+ │ ├── security.md
18
+ │ ├── code-review.md
19
+ │ └── development-workflow.md
20
+ ├── zh/ # 中文翻译版本
21
+ │ ├── coding-style.md
22
+ │ ├── git-workflow.md
23
+ │ ├── testing.md
24
+ │ ├── performance.md
25
+ │ ├── patterns.md
26
+ │ ├── hooks.md
27
+ │ ├── agents.md
28
+ │ ├── security.md
29
+ │ ├── code-review.md
30
+ │ └── development-workflow.md
31
+ ├── typescript/ # TypeScript/JavaScript 特定
32
+ ├── python/ # Python 特定
33
+ ├── golang/ # Go 特定
34
+ ├── swift/ # Swift 特定
35
+ └── php/ # PHP 特定
36
+ ```
37
+
38
+ - **common/** 包含通用原则 — 无语言特定的代码示例。
39
+ - **zh/** 包含 common 目录的中文翻译版本。
40
+ - **语言目录** 扩展通用规则,包含框架特定的模式、工具和代码示例。每个文件引用其对应的通用版本。
41
+
42
+ ## 安装
43
+
44
+ ### 选项 1:安装脚本(推荐)
45
+
46
+ ```bash
47
+ # 安装通用 + 一个或多个语言特定的规则集
48
+ ./install.sh typescript
49
+ ./install.sh python
50
+ ./install.sh golang
51
+ ./install.sh swift
52
+ ./install.sh php
53
+
54
+ # 同时安装多种语言
55
+ ./install.sh typescript python
56
+ ```
57
+
58
+ ### 选项 2:手动安装
59
+
60
+ > **重要提示:** 复制整个目录 — 不要使用 `/*` 展开。
61
+ > 通用和语言特定目录包含同名文件。
62
+ > 将它们展开到一个目录会导致语言特定文件覆盖通用规则,
63
+ > 并破坏语言特定文件使用的 `../common/` 相对引用。
64
+
65
+ ```bash
66
+ # 创建目标目录
67
+ mkdir -p ~/.claude/rules
68
+
69
+ # 安装通用规则(所有项目必需)
70
+ cp -r rules/common ~/.claude/rules/common
71
+
72
+ # 安装中文翻译版本(可选)
73
+ cp -r rules/zh ~/.claude/rules/zh
74
+
75
+ # 根据项目技术栈安装语言特定规则
76
+ cp -r rules/typescript ~/.claude/rules/typescript
77
+ cp -r rules/python ~/.claude/rules/python
78
+ cp -r rules/golang ~/.claude/rules/golang
79
+ cp -r rules/swift ~/.claude/rules/swift
80
+ cp -r rules/php ~/.claude/rules/php
81
+ ```
82
+
83
+ ## 规则 vs 技能
84
+
85
+ - **规则** 定义广泛适用的标准、约定和检查清单(如"80% 测试覆盖率"、"禁止硬编码密钥")。
86
+ - **技能**(`skills/` 目录)为特定任务提供深入、可操作的参考材料(如 `python-patterns`、`golang-testing`)。
87
+
88
+ 语言特定的规则文件在适当的地方引用相关技能。规则告诉你*做什么*;技能告诉你*怎么做*。
89
+
90
+ ## 规则优先级
91
+
92
+ 当语言特定规则与通用规则冲突时,**语言特定规则优先**(特定覆盖通用)。这遵循标准的分层配置模式(类似于 CSS 特异性或 `.gitignore` 优先级)。
93
+
94
+ - `rules/common/` 定义适用于所有项目的通用默认值。
95
+ - `rules/golang/`、`rules/python/`、`rules/swift/`、`rules/php/`、`rules/typescript/` 等在语言习惯不同时覆盖这些默认值。
96
+ - `rules/zh/` 是通用规则的中文翻译,与英文版本内容一致。
97
+
98
+ ### 示例
99
+
100
+ `common/coding-style.md` 推荐不可变性作为默认原则。语言特定的 `golang/coding-style.md` 可以覆盖这一点:
101
+
102
+ > 惯用的 Go 使用指针接收器进行结构体变更 — 参见 [common/coding-style.md](../common/coding-style.md) 了解通用原则,但这里首选符合 Go 习惯的变更方式。
103
+
104
+ ### 带覆盖说明的通用规则
105
+
106
+ `rules/common/` 中可能被语言特定文件覆盖的规则会被标记:
107
+
108
+ > **语言说明**:此规则可能会被语言特定规则覆盖;对于某些语言,该模式可能并不符合惯用写法。
@@ -0,0 +1,50 @@
1
+ # 代理编排
2
+
3
+ ## 可用代理
4
+
5
+ 位于 `~/.claude/agents/`:
6
+
7
+ | 代理 | 用途 | 何时使用 |
8
+ |-------|---------|------------|
9
+ | planner | 实现规划 | 复杂功能、重构 |
10
+ | architect | 系统设计 | 架构决策 |
11
+ | tdd-guide | 测试驱动开发 | 新功能、bug 修复 |
12
+ | code-reviewer | 代码审查 | 编写代码后 |
13
+ | security-reviewer | 安全分析 | 提交前 |
14
+ | build-error-resolver | 修复构建错误 | 构建失败时 |
15
+ | e2e-runner | E2E 测试 | 关键用户流程 |
16
+ | refactor-cleaner | 死代码清理 | 代码维护 |
17
+ | doc-updater | 文档 | 更新文档 |
18
+ | rust-reviewer | Rust 代码审查 | Rust 项目 |
19
+
20
+ ## 立即使用代理
21
+
22
+ 无需用户提示:
23
+ 1. 复杂功能请求 - 使用 **planner** 代理
24
+ 2. 刚编写/修改的代码 - 使用 **code-reviewer** 代理
25
+ 3. Bug 修复或新功能 - 使用 **tdd-guide** 代理
26
+ 4. 架构决策 - 使用 **architect** 代理
27
+
28
+ ## 并行任务执行
29
+
30
+ 对独立操作始终使用并行 Task 执行:
31
+
32
+ ```markdown
33
+ # 好:并行执行
34
+ 同时启动 3 个代理:
35
+ 1. 代理 1:认证模块安全分析
36
+ 2. 代理 2:缓存系统性能审查
37
+ 3. 代理 3:工具类型检查
38
+
39
+ # 坏:不必要的顺序
40
+ 先代理 1,然后代理 2,然后代理 3
41
+ ```
42
+
43
+ ## 多视角分析
44
+
45
+ 对于复杂问题,使用分角色子代理:
46
+ - 事实审查者
47
+ - 高级工程师
48
+ - 安全专家
49
+ - 一致性审查者
50
+ - 冗余检查者