claude-code-pilot 3.0.0 → 3.1.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +76 -97
- package/bin/install.js +14 -14
- package/manifest.json +1 -1
- package/package.json +17 -5
- package/src/agents/doc-updater.md +1 -1
- package/src/agents/gan-evaluator.md +209 -0
- package/src/agents/gan-generator.md +131 -0
- package/src/agents/gan-planner.md +99 -0
- package/src/agents/harness-optimizer.md +35 -0
- package/src/agents/loop-operator.md +36 -0
- package/src/agents/opensource-forker.md +198 -0
- package/src/agents/opensource-packager.md +249 -0
- package/src/agents/opensource-sanitizer.md +188 -0
- package/src/agents/performance-optimizer.md +446 -0
- package/src/available-rules/README.md +1 -1
- package/src/commands/{aside.md → ccp/aside.md} +14 -13
- package/src/commands/{build-fix.md → ccp/build-fix.md} +5 -0
- package/src/commands/{checkpoint.md → ccp/checkpoint.md} +12 -7
- package/src/commands/{code-review.md → ccp/code-review.md} +5 -0
- package/src/commands/{context-budget.md → ccp/context-budget.md} +2 -1
- package/src/commands/{cpp-build.md → ccp/cpp-build.md} +6 -5
- package/src/commands/{cpp-review.md → ccp/cpp-review.md} +7 -6
- package/src/commands/{cpp-test.md → ccp/cpp-test.md} +6 -5
- package/src/commands/ccp/docs-update.md +48 -0
- package/src/commands/{docs.md → ccp/docs.md} +4 -3
- package/src/commands/{e2e.md → ccp/e2e.md} +7 -6
- package/src/commands/{eval.md → ccp/eval.md} +10 -5
- package/src/commands/{evolve.md → ccp/evolve.md} +3 -3
- package/src/commands/{go-build.md → ccp/go-build.md} +6 -5
- package/src/commands/{go-review.md → ccp/go-review.md} +7 -6
- package/src/commands/{go-test.md → ccp/go-test.md} +6 -5
- package/src/commands/{gradle-build.md → ccp/gradle-build.md} +1 -0
- package/src/commands/{harness-audit.md → ccp/harness-audit.md} +6 -1
- package/src/commands/{kotlin-build.md → ccp/kotlin-build.md} +6 -5
- package/src/commands/{kotlin-review.md → ccp/kotlin-review.md} +7 -6
- package/src/commands/{kotlin-test.md → ccp/kotlin-test.md} +6 -5
- package/src/commands/{learn.md → ccp/learn.md} +7 -2
- package/src/commands/{model-route.md → ccp/model-route.md} +6 -1
- package/src/commands/{orchestrate.md → ccp/orchestrate.md} +4 -3
- package/src/commands/{plan.md → ccp/plan.md} +6 -5
- package/src/commands/ccp/profile-user.md +46 -0
- package/src/commands/{prompt-optimize.md → ccp/prompt-optimize.md} +3 -2
- package/src/commands/{prune.md → ccp/prune.md} +4 -4
- package/src/commands/{python-review.md → ccp/python-review.md} +7 -6
- package/src/commands/{quality-gate.md → ccp/quality-gate.md} +6 -1
- package/src/commands/{refactor-clean.md → ccp/refactor-clean.md} +5 -0
- package/src/commands/{resume-session.md → ccp/resume-session.md} +9 -8
- package/src/commands/ccp/review.md +37 -0
- package/src/commands/{rules-distill.md → ccp/rules-distill.md} +2 -1
- package/src/commands/{rust-build.md → ccp/rust-build.md} +6 -5
- package/src/commands/{rust-review.md → ccp/rust-review.md} +7 -6
- package/src/commands/{rust-test.md → ccp/rust-test.md} +6 -5
- package/src/commands/{save-session.md → ccp/save-session.md} +2 -1
- package/src/commands/ccp/secure-phase.md +35 -0
- package/src/commands/{sessions.md → ccp/sessions.md} +29 -24
- package/src/commands/{setup-pm.md → ccp/setup-pm.md} +1 -0
- package/src/commands/{setup-refresh.md → ccp/setup-refresh.md} +4 -3
- package/src/commands/{setup.md → ccp/setup.md} +24 -23
- package/src/commands/{skill-create.md → ccp/skill-create.md} +8 -8
- package/src/commands/{skill-health.md → ccp/skill-health.md} +5 -5
- package/src/commands/{tdd.md → ccp/tdd.md} +9 -8
- package/src/commands/{test-coverage.md → ccp/test-coverage.md} +5 -0
- package/src/commands/{tool-guide.md → ccp/tool-guide.md} +2 -1
- package/src/commands/{update-codemaps.md → ccp/update-codemaps.md} +5 -0
- package/src/commands/{update-docs.md → ccp/update-docs.md} +5 -0
- package/src/commands/{verify.md → ccp/verify.md} +5 -0
- package/src/commands/ccp/workstreams.md +68 -0
- package/src/examples/CLAUDE.md +4 -4
- package/src/examples/django-api-CLAUDE.md +5 -5
- package/src/examples/go-microservice-CLAUDE.md +6 -6
- package/src/examples/rust-api-CLAUDE.md +4 -4
- package/src/examples/saas-nextjs-CLAUDE.md +8 -8
- package/src/hooks/session-start.js +1 -1
- package/src/pilot/references/mcp-servers.json +1 -1
- package/src/pilot/workflows/docs-update.md +1165 -0
- package/src/pilot/workflows/help.md +48 -56
- package/src/pilot/workflows/profile-user.md +452 -0
- package/src/pilot/workflows/review.md +244 -0
- package/src/pilot/workflows/secure-phase.md +164 -0
- package/src/rules/common/code-review.md +124 -0
- package/src/rules/zh/README.md +108 -0
- package/src/rules/zh/agents.md +50 -0
- package/src/rules/zh/code-review.md +124 -0
- package/src/rules/zh/coding-style.md +48 -0
- package/src/rules/zh/development-workflow.md +44 -0
- package/src/rules/zh/git-workflow.md +24 -0
- package/src/rules/zh/hooks.md +30 -0
- package/src/rules/zh/patterns.md +31 -0
- package/src/rules/zh/performance.md +55 -0
- package/src/rules/zh/security.md +29 -0
- package/src/rules/zh/testing.md +29 -0
- package/src/skills/autonomous-agent-harness/SKILL.md +267 -0
- package/src/skills/autonomous-loops/SKILL.md +610 -0
- package/src/skills/bun-runtime/SKILL.md +84 -0
- package/src/skills/content-hash-cache-pattern/SKILL.md +161 -0
- package/src/skills/context-budget/SKILL.md +3 -3
- package/src/skills/continuous-learning-v2/SKILL.md +4 -4
- package/src/skills/continuous-learning-v2/agents/observer.md +1 -1
- package/src/skills/cost-aware-llm-pipeline/SKILL.md +183 -0
- package/src/skills/design-system/SKILL.md +82 -0
- package/src/skills/eval-harness/SKILL.md +270 -0
- package/src/skills/flutter-dart-code-review/SKILL.md +435 -0
- package/src/skills/gan-style-harness/SKILL.md +278 -0
- package/src/skills/git-workflow/SKILL.md +715 -0
- package/src/skills/hexagonal-architecture/SKILL.md +276 -0
- package/src/skills/iterative-retrieval/SKILL.md +211 -0
- package/src/skills/laravel-plugin-discovery/SKILL.md +229 -0
- package/src/skills/nextjs-turbopack/SKILL.md +44 -0
- package/src/skills/nuxt4-patterns/SKILL.md +100 -0
- package/src/skills/opensource-pipeline/SKILL.md +255 -0
- package/src/skills/perl-security/SKILL.md +503 -0
- package/src/skills/project-flow-ops/SKILL.md +111 -0
- package/src/skills/project-guidelines-example/SKILL.md +349 -0
- package/src/skills/prompt-optimizer/SKILL.md +38 -38
- package/src/skills/pytorch-patterns/SKILL.md +396 -0
- package/src/skills/regex-vs-llm-structured-text/SKILL.md +220 -0
- package/src/skills/repo-scan/SKILL.md +78 -0
- package/src/skills/rules-distill/SKILL.md +264 -0
- package/src/skills/rules-distill/scripts/scan-rules.sh +58 -0
- package/src/skills/rules-distill/scripts/scan-skills.sh +129 -0
- package/src/skills/swift-concurrency-6-2/SKILL.md +216 -0
- package/src/skills/token-budget-advisor/SKILL.md +133 -0
- package/src/skills/verification-loop/SKILL.md +1 -1
- package/src/skills/workspace-surface-audit/SKILL.md +125 -0
|
@@ -0,0 +1,244 @@
|
|
|
1
|
+
<purpose>
|
|
2
|
+
Cross-AI peer review — invoke external AI CLIs to independently review phase plans.
|
|
3
|
+
Each CLI gets the same prompt (PROJECT.md context, phase plans, requirements) and
|
|
4
|
+
produces structured feedback. Results are combined into REVIEWS.md for the planner
|
|
5
|
+
to incorporate via --reviews flag.
|
|
6
|
+
|
|
7
|
+
This implements adversarial review: different AI models catch different blind spots.
|
|
8
|
+
A plan that survives review from 2-3 independent AI systems is more robust.
|
|
9
|
+
</purpose>
|
|
10
|
+
|
|
11
|
+
<process>
|
|
12
|
+
|
|
13
|
+
<step name="detect_clis">
|
|
14
|
+
Check which AI CLIs are available on the system:
|
|
15
|
+
|
|
16
|
+
```bash
|
|
17
|
+
# Check each CLI
|
|
18
|
+
command -v gemini >/dev/null 2>&1 && echo "gemini:available" || echo "gemini:missing"
|
|
19
|
+
command -v claude >/dev/null 2>&1 && echo "claude:available" || echo "claude:missing"
|
|
20
|
+
command -v codex >/dev/null 2>&1 && echo "codex:available" || echo "codex:missing"
|
|
21
|
+
command -v coderabbit >/dev/null 2>&1 && echo "coderabbit:available" || echo "coderabbit:missing"
|
|
22
|
+
```
|
|
23
|
+
|
|
24
|
+
Parse flags from `$ARGUMENTS`:
|
|
25
|
+
- `--gemini` → include Gemini
|
|
26
|
+
- `--claude` → include Claude
|
|
27
|
+
- `--codex` → include Codex
|
|
28
|
+
- `--coderabbit` → include CodeRabbit
|
|
29
|
+
- `--all` → include all available
|
|
30
|
+
- No flags → include all available
|
|
31
|
+
|
|
32
|
+
If no CLIs are available:
|
|
33
|
+
```
|
|
34
|
+
No external AI CLIs found. Install at least one:
|
|
35
|
+
- gemini: https://github.com/google-gemini/gemini-cli
|
|
36
|
+
- codex: https://github.com/openai/codex
|
|
37
|
+
- claude: https://github.com/anthropics/claude-code
|
|
38
|
+
|
|
39
|
+
Then run /ccp:review again.
|
|
40
|
+
```
|
|
41
|
+
Exit.
|
|
42
|
+
|
|
43
|
+
If only one CLI is the current runtime (e.g. running inside Claude), skip it for the review
|
|
44
|
+
to ensure independence. At least one DIFFERENT CLI must be available.
|
|
45
|
+
</step>
|
|
46
|
+
|
|
47
|
+
<step name="gather_context">
|
|
48
|
+
Collect phase artifacts for the review prompt:
|
|
49
|
+
|
|
50
|
+
```bash
|
|
51
|
+
INIT=$(node "$HOME/.claude/pilot/bin/ccp-tools.cjs" init phase-op "${PHASE_ARG}")
|
|
52
|
+
if [[ "$INIT" == @file:* ]]; then INIT=$(cat "${INIT#@file:}"); fi
|
|
53
|
+
```
|
|
54
|
+
|
|
55
|
+
Read from init: `phase_dir`, `phase_number`, `padded_phase`.
|
|
56
|
+
|
|
57
|
+
Then read:
|
|
58
|
+
1. `.planning/PROJECT.md` (first 80 lines — project context)
|
|
59
|
+
2. Phase section from `.planning/ROADMAP.md`
|
|
60
|
+
3. All `*-PLAN.md` files in the phase directory
|
|
61
|
+
4. `*-CONTEXT.md` if present (user decisions)
|
|
62
|
+
5. `*-RESEARCH.md` if present (domain research)
|
|
63
|
+
6. `.planning/REQUIREMENTS.md` (requirements this phase addresses)
|
|
64
|
+
</step>
|
|
65
|
+
|
|
66
|
+
<step name="build_prompt">
|
|
67
|
+
Build a structured review prompt:
|
|
68
|
+
|
|
69
|
+
```markdown
|
|
70
|
+
# Cross-AI Plan Review Request
|
|
71
|
+
|
|
72
|
+
You are reviewing implementation plans for a software project phase.
|
|
73
|
+
Provide structured feedback on plan quality, completeness, and risks.
|
|
74
|
+
|
|
75
|
+
## Project Context
|
|
76
|
+
{first 80 lines of PROJECT.md}
|
|
77
|
+
|
|
78
|
+
## Phase {N}: {phase name}
|
|
79
|
+
### Roadmap Section
|
|
80
|
+
{roadmap phase section}
|
|
81
|
+
|
|
82
|
+
### Requirements Addressed
|
|
83
|
+
{requirements for this phase}
|
|
84
|
+
|
|
85
|
+
### User Decisions (CONTEXT.md)
|
|
86
|
+
{context if present}
|
|
87
|
+
|
|
88
|
+
### Research Findings
|
|
89
|
+
{research if present}
|
|
90
|
+
|
|
91
|
+
### Plans to Review
|
|
92
|
+
{all PLAN.md contents}
|
|
93
|
+
|
|
94
|
+
## Review Instructions
|
|
95
|
+
|
|
96
|
+
Analyze each plan and provide:
|
|
97
|
+
|
|
98
|
+
1. **Summary** — One-paragraph assessment
|
|
99
|
+
2. **Strengths** — What's well-designed (bullet points)
|
|
100
|
+
3. **Concerns** — Potential issues, gaps, risks (bullet points with severity: HIGH/MEDIUM/LOW)
|
|
101
|
+
4. **Suggestions** — Specific improvements (bullet points)
|
|
102
|
+
5. **Risk Assessment** — Overall risk level (LOW/MEDIUM/HIGH) with justification
|
|
103
|
+
|
|
104
|
+
Focus on:
|
|
105
|
+
- Missing edge cases or error handling
|
|
106
|
+
- Dependency ordering issues
|
|
107
|
+
- Scope creep or over-engineering
|
|
108
|
+
- Security considerations
|
|
109
|
+
- Performance implications
|
|
110
|
+
- Whether the plans actually achieve the phase goals
|
|
111
|
+
|
|
112
|
+
Output your review in markdown format.
|
|
113
|
+
```
|
|
114
|
+
|
|
115
|
+
Write to a temp file: `/tmp/ccp-review-prompt-{phase}.md`
|
|
116
|
+
</step>
|
|
117
|
+
|
|
118
|
+
<step name="invoke_reviewers">
|
|
119
|
+
For each selected CLI, invoke in sequence (not parallel — avoid rate limits):
|
|
120
|
+
|
|
121
|
+
**Gemini:**
|
|
122
|
+
```bash
|
|
123
|
+
gemini -p "$(cat /tmp/ccp-review-prompt-{phase}.md)" 2>/dev/null > /tmp/ccp-review-gemini-{phase}.md
|
|
124
|
+
```
|
|
125
|
+
|
|
126
|
+
**Claude (separate session):**
|
|
127
|
+
```bash
|
|
128
|
+
claude -p "$(cat /tmp/ccp-review-prompt-{phase}.md)" --no-input 2>/dev/null > /tmp/ccp-review-claude-{phase}.md
|
|
129
|
+
```
|
|
130
|
+
|
|
131
|
+
**Codex:**
|
|
132
|
+
```bash
|
|
133
|
+
codex exec --skip-git-repo-check "$(cat /tmp/ccp-review-prompt-{phase}.md)" 2>/dev/null > /tmp/ccp-review-codex-{phase}.md
|
|
134
|
+
```
|
|
135
|
+
|
|
136
|
+
**CodeRabbit:**
|
|
137
|
+
|
|
138
|
+
Note: CodeRabbit reviews the current git diff/working tree — it does not accept a prompt. It may take up to 5 minutes. Use `timeout: 360000` on the Bash tool call.
|
|
139
|
+
|
|
140
|
+
```bash
|
|
141
|
+
coderabbit review --prompt-only 2>/dev/null > /tmp/ccp-review-coderabbit-{phase}.md
|
|
142
|
+
```
|
|
143
|
+
|
|
144
|
+
If a CLI fails, log the error and continue with remaining CLIs.
|
|
145
|
+
|
|
146
|
+
Display progress:
|
|
147
|
+
```
|
|
148
|
+
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
|
|
149
|
+
CCP > CROSS-AI REVIEW — Phase {N}
|
|
150
|
+
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
|
|
151
|
+
|
|
152
|
+
◆ Reviewing with {CLI}... done ✓
|
|
153
|
+
◆ Reviewing with {CLI}... done ✓
|
|
154
|
+
```
|
|
155
|
+
</step>
|
|
156
|
+
|
|
157
|
+
<step name="write_reviews">
|
|
158
|
+
Combine all review responses into `{phase_dir}/{padded_phase}-REVIEWS.md`:
|
|
159
|
+
|
|
160
|
+
```markdown
|
|
161
|
+
---
|
|
162
|
+
phase: {N}
|
|
163
|
+
reviewers: [gemini, claude, codex, coderabbit]
|
|
164
|
+
reviewed_at: {ISO timestamp}
|
|
165
|
+
plans_reviewed: [{list of PLAN.md files}]
|
|
166
|
+
---
|
|
167
|
+
|
|
168
|
+
# Cross-AI Plan Review — Phase {N}
|
|
169
|
+
|
|
170
|
+
## Gemini Review
|
|
171
|
+
|
|
172
|
+
{gemini review content}
|
|
173
|
+
|
|
174
|
+
---
|
|
175
|
+
|
|
176
|
+
## Claude Review
|
|
177
|
+
|
|
178
|
+
{claude review content}
|
|
179
|
+
|
|
180
|
+
---
|
|
181
|
+
|
|
182
|
+
## Codex Review
|
|
183
|
+
|
|
184
|
+
{codex review content}
|
|
185
|
+
|
|
186
|
+
---
|
|
187
|
+
|
|
188
|
+
## CodeRabbit Review
|
|
189
|
+
|
|
190
|
+
{coderabbit review content}
|
|
191
|
+
|
|
192
|
+
---
|
|
193
|
+
|
|
194
|
+
## Consensus Summary
|
|
195
|
+
|
|
196
|
+
{synthesize common concerns across all reviewers}
|
|
197
|
+
|
|
198
|
+
### Agreed Strengths
|
|
199
|
+
{strengths mentioned by 2+ reviewers}
|
|
200
|
+
|
|
201
|
+
### Agreed Concerns
|
|
202
|
+
{concerns raised by 2+ reviewers — highest priority}
|
|
203
|
+
|
|
204
|
+
### Divergent Views
|
|
205
|
+
{where reviewers disagreed — worth investigating}
|
|
206
|
+
```
|
|
207
|
+
|
|
208
|
+
Commit:
|
|
209
|
+
```bash
|
|
210
|
+
node "$HOME/.claude/pilot/bin/ccp-tools.cjs" commit "docs: cross-AI review for phase {N}" --files {phase_dir}/{padded_phase}-REVIEWS.md
|
|
211
|
+
```
|
|
212
|
+
</step>
|
|
213
|
+
|
|
214
|
+
<step name="present_results">
|
|
215
|
+
Display summary:
|
|
216
|
+
|
|
217
|
+
```
|
|
218
|
+
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
|
|
219
|
+
CCP > REVIEW COMPLETE
|
|
220
|
+
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
|
|
221
|
+
|
|
222
|
+
Phase {N} reviewed by {count} AI systems.
|
|
223
|
+
|
|
224
|
+
Consensus concerns:
|
|
225
|
+
{top 3 shared concerns}
|
|
226
|
+
|
|
227
|
+
Full review: {padded_phase}-REVIEWS.md
|
|
228
|
+
|
|
229
|
+
To incorporate feedback into planning:
|
|
230
|
+
/ccp:plan-phase {N} --reviews
|
|
231
|
+
```
|
|
232
|
+
|
|
233
|
+
Clean up temp files.
|
|
234
|
+
</step>
|
|
235
|
+
|
|
236
|
+
</process>
|
|
237
|
+
|
|
238
|
+
<success_criteria>
|
|
239
|
+
- [ ] At least one external CLI invoked successfully
|
|
240
|
+
- [ ] REVIEWS.md written with structured feedback
|
|
241
|
+
- [ ] Consensus summary synthesized from multiple reviewers
|
|
242
|
+
- [ ] Temp files cleaned up
|
|
243
|
+
- [ ] User knows how to use feedback (/ccp:plan-phase --reviews)
|
|
244
|
+
</success_criteria>
|
|
@@ -0,0 +1,164 @@
|
|
|
1
|
+
<purpose>
|
|
2
|
+
Verify threat mitigations for a completed phase. Confirm PLAN.md threat register dispositions are resolved. Update SECURITY.md.
|
|
3
|
+
</purpose>
|
|
4
|
+
|
|
5
|
+
<required_reading>
|
|
6
|
+
@~/.claude/pilot/references/ui-brand.md
|
|
7
|
+
</required_reading>
|
|
8
|
+
|
|
9
|
+
<available_agent_types>
|
|
10
|
+
Valid CCP subagent types (use exact names — do not fall back to 'general-purpose'):
|
|
11
|
+
- ccp-security-auditor — Verifies threat mitigation coverage
|
|
12
|
+
</available_agent_types>
|
|
13
|
+
|
|
14
|
+
<process>
|
|
15
|
+
|
|
16
|
+
## 0. Initialize
|
|
17
|
+
|
|
18
|
+
```bash
|
|
19
|
+
INIT=$(node "$HOME/.claude/pilot/bin/ccp-tools.cjs" init phase-op "${PHASE_ARG}")
|
|
20
|
+
if [[ "$INIT" == @file:* ]]; then INIT=$(cat "${INIT#@file:}"); fi
|
|
21
|
+
AGENT_SKILLS_AUDITOR=$(node "$HOME/.claude/pilot/bin/ccp-tools.cjs" agent-skills ccp-security-auditor 2>/dev/null)
|
|
22
|
+
```
|
|
23
|
+
|
|
24
|
+
Parse: `phase_dir`, `phase_number`, `phase_name`, `phase_slug`, `padded_phase`.
|
|
25
|
+
|
|
26
|
+
```bash
|
|
27
|
+
AUDITOR_MODEL=$(node "$HOME/.claude/pilot/bin/ccp-tools.cjs" resolve-model ccp-security-auditor --raw)
|
|
28
|
+
SECURITY_CFG=$(node "$HOME/.claude/pilot/bin/ccp-tools.cjs" config-get workflow.security_enforcement --raw 2>/dev/null || echo "true")
|
|
29
|
+
```
|
|
30
|
+
|
|
31
|
+
If `SECURITY_CFG` is `false`: exit with "Security enforcement disabled. Enable via /ccp:settings."
|
|
32
|
+
|
|
33
|
+
Display banner: `CCP > SECURE PHASE {N}: {name}`
|
|
34
|
+
|
|
35
|
+
## 1. Detect Input State
|
|
36
|
+
|
|
37
|
+
```bash
|
|
38
|
+
SECURITY_FILE=$(ls "${PHASE_DIR}"/*-SECURITY.md 2>/dev/null | head -1)
|
|
39
|
+
PLAN_FILES=$(ls "${PHASE_DIR}"/*-PLAN.md 2>/dev/null)
|
|
40
|
+
SUMMARY_FILES=$(ls "${PHASE_DIR}"/*-SUMMARY.md 2>/dev/null)
|
|
41
|
+
```
|
|
42
|
+
|
|
43
|
+
- **State A** (`SECURITY_FILE` non-empty): Audit existing
|
|
44
|
+
- **State B** (`SECURITY_FILE` empty, `PLAN_FILES` and `SUMMARY_FILES` non-empty): Run from artifacts
|
|
45
|
+
- **State C** (`SUMMARY_FILES` empty): Exit — "Phase {N} not executed. Run /ccp:execute-phase {N} first."
|
|
46
|
+
|
|
47
|
+
## 2. Discovery
|
|
48
|
+
|
|
49
|
+
### 2a. Read Phase Artifacts
|
|
50
|
+
|
|
51
|
+
Read PLAN.md — extract `<threat_model>` block: trust boundaries, STRIDE register (`threat_id`, `category`, `component`, `disposition`, `mitigation_plan`).
|
|
52
|
+
|
|
53
|
+
### 2b. Read Summary Threat Flags
|
|
54
|
+
|
|
55
|
+
Read SUMMARY.md — extract `## Threat Flags` entries.
|
|
56
|
+
|
|
57
|
+
### 2c. Build Threat Register
|
|
58
|
+
|
|
59
|
+
Per threat: `{ threat_id, category, component, disposition, mitigation_pattern, files_to_check }`
|
|
60
|
+
|
|
61
|
+
## 3. Threat Classification
|
|
62
|
+
|
|
63
|
+
Classify each threat:
|
|
64
|
+
|
|
65
|
+
| Status | Criteria |
|
|
66
|
+
|--------|----------|
|
|
67
|
+
| CLOSED | mitigation found OR accepted risk documented in SECURITY.md OR transfer documented |
|
|
68
|
+
| OPEN | none of the above |
|
|
69
|
+
|
|
70
|
+
Build: `{ threat_id, category, component, disposition, status, evidence }`
|
|
71
|
+
|
|
72
|
+
If `threats_open: 0` → skip to Step 6 directly.
|
|
73
|
+
|
|
74
|
+
## 4. Present Threat Plan
|
|
75
|
+
|
|
76
|
+
Call AskUserQuestion with threat table and options:
|
|
77
|
+
1. "Verify all open threats" → Step 5
|
|
78
|
+
2. "Accept all open — document in accepted risks log" → add to SECURITY.md accepted risks, set all CLOSED, Step 6
|
|
79
|
+
3. "Cancel" → exit
|
|
80
|
+
|
|
81
|
+
## 5. Spawn ccp-security-auditor
|
|
82
|
+
|
|
83
|
+
```
|
|
84
|
+
Task(
|
|
85
|
+
prompt="Read ./.claude/agents/ccp-security-auditor.md for instructions.\n\n" +
|
|
86
|
+
"<files_to_read>{PLAN, SUMMARY, impl files, SECURITY.md}</files_to_read>" +
|
|
87
|
+
"<threat_register>{threat register}</threat_register>" +
|
|
88
|
+
"<config>asvs_level: {SECURITY_ASVS}, block_on: {SECURITY_BLOCK_ON}</config>" +
|
|
89
|
+
"<constraints>Never modify implementation files. Verify mitigations exist — do not scan for new threats. Escalate implementation gaps.</constraints>" +
|
|
90
|
+
"${AGENT_SKILLS_AUDITOR}",
|
|
91
|
+
subagent_type="ccp-security-auditor",
|
|
92
|
+
model="{AUDITOR_MODEL}",
|
|
93
|
+
description="Verify threat mitigations for Phase {N}"
|
|
94
|
+
)
|
|
95
|
+
```
|
|
96
|
+
|
|
97
|
+
Handle return:
|
|
98
|
+
- `## SECURED` → record closures → Step 6
|
|
99
|
+
- `## OPEN_THREATS` → record closed + open, present user with accept/block choice → Step 6
|
|
100
|
+
- `## ESCALATE` → present to user → Step 6
|
|
101
|
+
|
|
102
|
+
## 6. Write/Update SECURITY.md
|
|
103
|
+
|
|
104
|
+
**State B (create):**
|
|
105
|
+
1. Read template from `./.claude/pilot/templates/SECURITY.md`
|
|
106
|
+
2. Fill: frontmatter, threat register, accepted risks, audit trail
|
|
107
|
+
3. Write to `${PHASE_DIR}/${PADDED_PHASE}-SECURITY.md`
|
|
108
|
+
|
|
109
|
+
**State A (update):**
|
|
110
|
+
1. Update threat register statuses, append to audit trail:
|
|
111
|
+
|
|
112
|
+
```markdown
|
|
113
|
+
## Security Audit {date}
|
|
114
|
+
| Metric | Count |
|
|
115
|
+
|--------|-------|
|
|
116
|
+
| Threats found | {N} |
|
|
117
|
+
| Closed | {M} |
|
|
118
|
+
| Open | {K} |
|
|
119
|
+
```
|
|
120
|
+
|
|
121
|
+
**ENFORCING GATE:** If `threats_open > 0` after all options exhausted (user did not accept, not all verified closed):
|
|
122
|
+
|
|
123
|
+
```
|
|
124
|
+
CCP > PHASE {N} SECURITY BLOCKED
|
|
125
|
+
{K} threats open — phase advancement blocked until threats_open: 0
|
|
126
|
+
▶ Fix mitigations then re-run: /ccp:secure-phase {N}
|
|
127
|
+
▶ Or document accepted risks in SECURITY.md and re-run.
|
|
128
|
+
```
|
|
129
|
+
|
|
130
|
+
Do NOT emit next-phase routing. Stop here.
|
|
131
|
+
|
|
132
|
+
## 7. Commit
|
|
133
|
+
|
|
134
|
+
```bash
|
|
135
|
+
node "$HOME/.claude/pilot/bin/ccp-tools.cjs" commit "docs(phase-${PHASE}): add/update security threat verification"
|
|
136
|
+
```
|
|
137
|
+
|
|
138
|
+
## 8. Results + Routing
|
|
139
|
+
|
|
140
|
+
**Secured (threats_open: 0):**
|
|
141
|
+
```
|
|
142
|
+
CCP > PHASE {N} THREAT-SECURE
|
|
143
|
+
threats_open: 0 — all threats have dispositions.
|
|
144
|
+
▶ /ccp:validate-phase {N} validate test coverage
|
|
145
|
+
▶ /ccp:verify-work {N} run UAT
|
|
146
|
+
```
|
|
147
|
+
|
|
148
|
+
Display `/clear` reminder.
|
|
149
|
+
|
|
150
|
+
</process>
|
|
151
|
+
|
|
152
|
+
<success_criteria>
|
|
153
|
+
- [ ] Security enforcement checked — exit if false
|
|
154
|
+
- [ ] Input state detected (A/B/C) — state C exits cleanly
|
|
155
|
+
- [ ] PLAN.md threat model parsed, register built
|
|
156
|
+
- [ ] SUMMARY.md threat flags incorporated
|
|
157
|
+
- [ ] threats_open: 0 → skip directly to Step 6
|
|
158
|
+
- [ ] User gate with threat table presented
|
|
159
|
+
- [ ] Auditor spawned with complete context
|
|
160
|
+
- [ ] All three return formats (SECURED/OPEN_THREATS/ESCALATE) handled
|
|
161
|
+
- [ ] SECURITY.md created or updated
|
|
162
|
+
- [ ] threats_open > 0 BLOCKS advancement (no next-phase routing emitted)
|
|
163
|
+
- [ ] Results with routing presented on success
|
|
164
|
+
</success_criteria>
|
|
@@ -0,0 +1,124 @@
|
|
|
1
|
+
# Code Review Standards
|
|
2
|
+
|
|
3
|
+
## Purpose
|
|
4
|
+
|
|
5
|
+
Code review ensures quality, security, and maintainability before code is merged. This rule defines when and how to conduct code reviews.
|
|
6
|
+
|
|
7
|
+
## When to Review
|
|
8
|
+
|
|
9
|
+
**MANDATORY review triggers:**
|
|
10
|
+
|
|
11
|
+
- After writing or modifying code
|
|
12
|
+
- Before any commit to shared branches
|
|
13
|
+
- When security-sensitive code is changed (auth, payments, user data)
|
|
14
|
+
- When architectural changes are made
|
|
15
|
+
- Before merging pull requests
|
|
16
|
+
|
|
17
|
+
**Pre-Review Requirements:**
|
|
18
|
+
|
|
19
|
+
Before requesting review, ensure:
|
|
20
|
+
|
|
21
|
+
- All automated checks (CI/CD) are passing
|
|
22
|
+
- Merge conflicts are resolved
|
|
23
|
+
- Branch is up to date with target branch
|
|
24
|
+
|
|
25
|
+
## Review Checklist
|
|
26
|
+
|
|
27
|
+
Before marking code complete:
|
|
28
|
+
|
|
29
|
+
- [ ] Code is readable and well-named
|
|
30
|
+
- [ ] Functions are focused (<50 lines)
|
|
31
|
+
- [ ] Files are cohesive (<800 lines)
|
|
32
|
+
- [ ] No deep nesting (>4 levels)
|
|
33
|
+
- [ ] Errors are handled explicitly
|
|
34
|
+
- [ ] No hardcoded secrets or credentials
|
|
35
|
+
- [ ] No console.log or debug statements
|
|
36
|
+
- [ ] Tests exist for new functionality
|
|
37
|
+
- [ ] Test coverage meets 80% minimum
|
|
38
|
+
|
|
39
|
+
## Security Review Triggers
|
|
40
|
+
|
|
41
|
+
**STOP and use security-reviewer agent when:**
|
|
42
|
+
|
|
43
|
+
- Authentication or authorization code
|
|
44
|
+
- User input handling
|
|
45
|
+
- Database queries
|
|
46
|
+
- File system operations
|
|
47
|
+
- External API calls
|
|
48
|
+
- Cryptographic operations
|
|
49
|
+
- Payment or financial code
|
|
50
|
+
|
|
51
|
+
## Review Severity Levels
|
|
52
|
+
|
|
53
|
+
| Level | Meaning | Action |
|
|
54
|
+
|-------|---------|--------|
|
|
55
|
+
| CRITICAL | Security vulnerability or data loss risk | **BLOCK** - Must fix before merge |
|
|
56
|
+
| HIGH | Bug or significant quality issue | **WARN** - Should fix before merge |
|
|
57
|
+
| MEDIUM | Maintainability concern | **INFO** - Consider fixing |
|
|
58
|
+
| LOW | Style or minor suggestion | **NOTE** - Optional |
|
|
59
|
+
|
|
60
|
+
## Agent Usage
|
|
61
|
+
|
|
62
|
+
Use these agents for code review:
|
|
63
|
+
|
|
64
|
+
| Agent | Purpose |
|
|
65
|
+
|-------|---------|
|
|
66
|
+
| **code-reviewer** | General code quality, patterns, best practices |
|
|
67
|
+
| **security-reviewer** | Security vulnerabilities, OWASP Top 10 |
|
|
68
|
+
| **typescript-reviewer** | TypeScript/JavaScript specific issues |
|
|
69
|
+
| **python-reviewer** | Python specific issues |
|
|
70
|
+
| **go-reviewer** | Go specific issues |
|
|
71
|
+
| **rust-reviewer** | Rust specific issues |
|
|
72
|
+
|
|
73
|
+
## Review Workflow
|
|
74
|
+
|
|
75
|
+
```
|
|
76
|
+
1. Run git diff to understand changes
|
|
77
|
+
2. Check security checklist first
|
|
78
|
+
3. Review code quality checklist
|
|
79
|
+
4. Run relevant tests
|
|
80
|
+
5. Verify coverage >= 80%
|
|
81
|
+
6. Use appropriate agent for detailed review
|
|
82
|
+
```
|
|
83
|
+
|
|
84
|
+
## Common Issues to Catch
|
|
85
|
+
|
|
86
|
+
### Security
|
|
87
|
+
|
|
88
|
+
- Hardcoded credentials (API keys, passwords, tokens)
|
|
89
|
+
- SQL injection (string concatenation in queries)
|
|
90
|
+
- XSS vulnerabilities (unescaped user input)
|
|
91
|
+
- Path traversal (unsanitized file paths)
|
|
92
|
+
- CSRF protection missing
|
|
93
|
+
- Authentication bypasses
|
|
94
|
+
|
|
95
|
+
### Code Quality
|
|
96
|
+
|
|
97
|
+
- Large functions (>50 lines) - split into smaller
|
|
98
|
+
- Large files (>800 lines) - extract modules
|
|
99
|
+
- Deep nesting (>4 levels) - use early returns
|
|
100
|
+
- Missing error handling - handle explicitly
|
|
101
|
+
- Mutation patterns - prefer immutable operations
|
|
102
|
+
- Missing tests - add test coverage
|
|
103
|
+
|
|
104
|
+
### Performance
|
|
105
|
+
|
|
106
|
+
- N+1 queries - use JOINs or batching
|
|
107
|
+
- Missing pagination - add LIMIT to queries
|
|
108
|
+
- Unbounded queries - add constraints
|
|
109
|
+
- Missing caching - cache expensive operations
|
|
110
|
+
|
|
111
|
+
## Approval Criteria
|
|
112
|
+
|
|
113
|
+
- **Approve**: No CRITICAL or HIGH issues
|
|
114
|
+
- **Warning**: Only HIGH issues (merge with caution)
|
|
115
|
+
- **Block**: CRITICAL issues found
|
|
116
|
+
|
|
117
|
+
## Integration with Other Rules
|
|
118
|
+
|
|
119
|
+
This rule works with:
|
|
120
|
+
|
|
121
|
+
- [testing.md](testing.md) - Test coverage requirements
|
|
122
|
+
- [security.md](security.md) - Security checklist
|
|
123
|
+
- [git-workflow.md](git-workflow.md) - Commit standards
|
|
124
|
+
- [agents.md](agents.md) - Agent delegation
|
|
@@ -0,0 +1,108 @@
|
|
|
1
|
+
# 规则
|
|
2
|
+
|
|
3
|
+
## 结构
|
|
4
|
+
|
|
5
|
+
规则按**通用**层和**语言特定**目录组织:
|
|
6
|
+
|
|
7
|
+
```
|
|
8
|
+
rules/
|
|
9
|
+
├── common/ # 语言无关的原则(始终安装)
|
|
10
|
+
│ ├── coding-style.md
|
|
11
|
+
│ ├── git-workflow.md
|
|
12
|
+
│ ├── testing.md
|
|
13
|
+
│ ├── performance.md
|
|
14
|
+
│ ├── patterns.md
|
|
15
|
+
│ ├── hooks.md
|
|
16
|
+
│ ├── agents.md
|
|
17
|
+
│ ├── security.md
|
|
18
|
+
│ ├── code-review.md
|
|
19
|
+
│ └── development-workflow.md
|
|
20
|
+
├── zh/ # 中文翻译版本
|
|
21
|
+
│ ├── coding-style.md
|
|
22
|
+
│ ├── git-workflow.md
|
|
23
|
+
│ ├── testing.md
|
|
24
|
+
│ ├── performance.md
|
|
25
|
+
│ ├── patterns.md
|
|
26
|
+
│ ├── hooks.md
|
|
27
|
+
│ ├── agents.md
|
|
28
|
+
│ ├── security.md
|
|
29
|
+
│ ├── code-review.md
|
|
30
|
+
│ └── development-workflow.md
|
|
31
|
+
├── typescript/ # TypeScript/JavaScript 特定
|
|
32
|
+
├── python/ # Python 特定
|
|
33
|
+
├── golang/ # Go 特定
|
|
34
|
+
├── swift/ # Swift 特定
|
|
35
|
+
└── php/ # PHP 特定
|
|
36
|
+
```
|
|
37
|
+
|
|
38
|
+
- **common/** 包含通用原则 — 无语言特定的代码示例。
|
|
39
|
+
- **zh/** 包含 common 目录的中文翻译版本。
|
|
40
|
+
- **语言目录** 扩展通用规则,包含框架特定的模式、工具和代码示例。每个文件引用其对应的通用版本。
|
|
41
|
+
|
|
42
|
+
## 安装
|
|
43
|
+
|
|
44
|
+
### 选项 1:安装脚本(推荐)
|
|
45
|
+
|
|
46
|
+
```bash
|
|
47
|
+
# 安装通用 + 一个或多个语言特定的规则集
|
|
48
|
+
./install.sh typescript
|
|
49
|
+
./install.sh python
|
|
50
|
+
./install.sh golang
|
|
51
|
+
./install.sh swift
|
|
52
|
+
./install.sh php
|
|
53
|
+
|
|
54
|
+
# 同时安装多种语言
|
|
55
|
+
./install.sh typescript python
|
|
56
|
+
```
|
|
57
|
+
|
|
58
|
+
### 选项 2:手动安装
|
|
59
|
+
|
|
60
|
+
> **重要提示:** 复制整个目录 — 不要使用 `/*` 展开。
|
|
61
|
+
> 通用和语言特定目录包含同名文件。
|
|
62
|
+
> 将它们展开到一个目录会导致语言特定文件覆盖通用规则,
|
|
63
|
+
> 并破坏语言特定文件使用的 `../common/` 相对引用。
|
|
64
|
+
|
|
65
|
+
```bash
|
|
66
|
+
# 创建目标目录
|
|
67
|
+
mkdir -p ~/.claude/rules
|
|
68
|
+
|
|
69
|
+
# 安装通用规则(所有项目必需)
|
|
70
|
+
cp -r rules/common ~/.claude/rules/common
|
|
71
|
+
|
|
72
|
+
# 安装中文翻译版本(可选)
|
|
73
|
+
cp -r rules/zh ~/.claude/rules/zh
|
|
74
|
+
|
|
75
|
+
# 根据项目技术栈安装语言特定规则
|
|
76
|
+
cp -r rules/typescript ~/.claude/rules/typescript
|
|
77
|
+
cp -r rules/python ~/.claude/rules/python
|
|
78
|
+
cp -r rules/golang ~/.claude/rules/golang
|
|
79
|
+
cp -r rules/swift ~/.claude/rules/swift
|
|
80
|
+
cp -r rules/php ~/.claude/rules/php
|
|
81
|
+
```
|
|
82
|
+
|
|
83
|
+
## 规则 vs 技能
|
|
84
|
+
|
|
85
|
+
- **规则** 定义广泛适用的标准、约定和检查清单(如"80% 测试覆盖率"、"禁止硬编码密钥")。
|
|
86
|
+
- **技能**(`skills/` 目录)为特定任务提供深入、可操作的参考材料(如 `python-patterns`、`golang-testing`)。
|
|
87
|
+
|
|
88
|
+
语言特定的规则文件在适当的地方引用相关技能。规则告诉你*做什么*;技能告诉你*怎么做*。
|
|
89
|
+
|
|
90
|
+
## 规则优先级
|
|
91
|
+
|
|
92
|
+
当语言特定规则与通用规则冲突时,**语言特定规则优先**(特定覆盖通用)。这遵循标准的分层配置模式(类似于 CSS 特异性或 `.gitignore` 优先级)。
|
|
93
|
+
|
|
94
|
+
- `rules/common/` 定义适用于所有项目的通用默认值。
|
|
95
|
+
- `rules/golang/`、`rules/python/`、`rules/swift/`、`rules/php/`、`rules/typescript/` 等在语言习惯不同时覆盖这些默认值。
|
|
96
|
+
- `rules/zh/` 是通用规则的中文翻译,与英文版本内容一致。
|
|
97
|
+
|
|
98
|
+
### 示例
|
|
99
|
+
|
|
100
|
+
`common/coding-style.md` 推荐不可变性作为默认原则。语言特定的 `golang/coding-style.md` 可以覆盖这一点:
|
|
101
|
+
|
|
102
|
+
> 惯用的 Go 使用指针接收器进行结构体变更 — 参见 [common/coding-style.md](../common/coding-style.md) 了解通用原则,但这里首选符合 Go 习惯的变更方式。
|
|
103
|
+
|
|
104
|
+
### 带覆盖说明的通用规则
|
|
105
|
+
|
|
106
|
+
`rules/common/` 中可能被语言特定文件覆盖的规则会被标记:
|
|
107
|
+
|
|
108
|
+
> **语言说明**:此规则可能会被语言特定规则覆盖;对于某些语言,该模式可能并不符合惯用写法。
|
|
@@ -0,0 +1,50 @@
|
|
|
1
|
+
# 代理编排
|
|
2
|
+
|
|
3
|
+
## 可用代理
|
|
4
|
+
|
|
5
|
+
位于 `~/.claude/agents/`:
|
|
6
|
+
|
|
7
|
+
| 代理 | 用途 | 何时使用 |
|
|
8
|
+
|-------|---------|------------|
|
|
9
|
+
| planner | 实现规划 | 复杂功能、重构 |
|
|
10
|
+
| architect | 系统设计 | 架构决策 |
|
|
11
|
+
| tdd-guide | 测试驱动开发 | 新功能、bug 修复 |
|
|
12
|
+
| code-reviewer | 代码审查 | 编写代码后 |
|
|
13
|
+
| security-reviewer | 安全分析 | 提交前 |
|
|
14
|
+
| build-error-resolver | 修复构建错误 | 构建失败时 |
|
|
15
|
+
| e2e-runner | E2E 测试 | 关键用户流程 |
|
|
16
|
+
| refactor-cleaner | 死代码清理 | 代码维护 |
|
|
17
|
+
| doc-updater | 文档 | 更新文档 |
|
|
18
|
+
| rust-reviewer | Rust 代码审查 | Rust 项目 |
|
|
19
|
+
|
|
20
|
+
## 立即使用代理
|
|
21
|
+
|
|
22
|
+
无需用户提示:
|
|
23
|
+
1. 复杂功能请求 - 使用 **planner** 代理
|
|
24
|
+
2. 刚编写/修改的代码 - 使用 **code-reviewer** 代理
|
|
25
|
+
3. Bug 修复或新功能 - 使用 **tdd-guide** 代理
|
|
26
|
+
4. 架构决策 - 使用 **architect** 代理
|
|
27
|
+
|
|
28
|
+
## 并行任务执行
|
|
29
|
+
|
|
30
|
+
对独立操作始终使用并行 Task 执行:
|
|
31
|
+
|
|
32
|
+
```markdown
|
|
33
|
+
# 好:并行执行
|
|
34
|
+
同时启动 3 个代理:
|
|
35
|
+
1. 代理 1:认证模块安全分析
|
|
36
|
+
2. 代理 2:缓存系统性能审查
|
|
37
|
+
3. 代理 3:工具类型检查
|
|
38
|
+
|
|
39
|
+
# 坏:不必要的顺序
|
|
40
|
+
先代理 1,然后代理 2,然后代理 3
|
|
41
|
+
```
|
|
42
|
+
|
|
43
|
+
## 多视角分析
|
|
44
|
+
|
|
45
|
+
对于复杂问题,使用分角色子代理:
|
|
46
|
+
- 事实审查者
|
|
47
|
+
- 高级工程师
|
|
48
|
+
- 安全专家
|
|
49
|
+
- 一致性审查者
|
|
50
|
+
- 冗余检查者
|