claude-code-pilot 3.2.0 → 3.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (93) hide show
  1. package/CHANGELOG.md +57 -0
  2. package/README.md +14 -9
  3. package/bin/install.js +113 -15
  4. package/manifest.json +18 -3
  5. package/package.json +3 -2
  6. package/src/agents/django-build-resolver.md +252 -0
  7. package/src/agents/django-reviewer.md +169 -0
  8. package/src/agents/fastapi-reviewer.md +79 -0
  9. package/src/agents/fsharp-reviewer.md +109 -0
  10. package/src/agents/swift-build-resolver.md +170 -0
  11. package/src/agents/swift-reviewer.md +116 -0
  12. package/src/commands/ccp/cost-report.md +107 -0
  13. package/src/commands/ccp/intel.md +3 -3
  14. package/src/commands/ccp/mvp-phase.md +45 -0
  15. package/src/commands/ccp/plan-prd.md +160 -0
  16. package/src/commands/ccp/pr-ecc.md +184 -0
  17. package/src/commands/ccp/security-scan.md +74 -0
  18. package/src/hooks/ccp-bash-hook-dispatcher.js +96 -0
  19. package/src/hooks/ccp-context-monitor.js +23 -0
  20. package/src/hooks/ccp-doc-file-warning.js +93 -0
  21. package/src/hooks/ccp-pre-bash-dispatcher.js +24 -0
  22. package/src/hooks/ccp-write-gateguard.js +868 -0
  23. package/src/lib/project-detect.js +0 -2
  24. package/src/lib/shell-substitution.js +499 -0
  25. package/src/pilot/references/execute-mvp-tdd.md +81 -0
  26. package/src/pilot/references/mvp-concepts.md +49 -0
  27. package/src/pilot/references/planner-graphify-auto-update.md +67 -0
  28. package/src/pilot/references/planner-human-verify-mode.md +57 -0
  29. package/src/pilot/references/planner-mvp-mode.md +53 -0
  30. package/src/pilot/references/skeleton-template.md +48 -0
  31. package/src/pilot/references/spidr-splitting.md +69 -0
  32. package/src/pilot/references/user-story-template.md +58 -0
  33. package/src/pilot/references/verify-mvp-mode.md +85 -0
  34. package/src/pilot/references/worktree-path-safety.md +89 -0
  35. package/src/pilot/workflows/help.md +5 -0
  36. package/src/pilot/workflows/mvp-phase.md +199 -0
  37. package/src/skills/agent-architecture-audit/SKILL.md +256 -0
  38. package/src/skills/agent-harness-design/SKILL.md +73 -0
  39. package/src/skills/angular-developer/SKILL.md +154 -0
  40. package/src/skills/angular-developer/references/angular-animations.md +160 -0
  41. package/src/skills/angular-developer/references/angular-aria.md +410 -0
  42. package/src/skills/angular-developer/references/cli.md +86 -0
  43. package/src/skills/angular-developer/references/component-harnesses.md +59 -0
  44. package/src/skills/angular-developer/references/component-styling.md +91 -0
  45. package/src/skills/angular-developer/references/components.md +117 -0
  46. package/src/skills/angular-developer/references/creating-services.md +97 -0
  47. package/src/skills/angular-developer/references/data-resolvers.md +69 -0
  48. package/src/skills/angular-developer/references/define-routes.md +67 -0
  49. package/src/skills/angular-developer/references/defining-providers.md +72 -0
  50. package/src/skills/angular-developer/references/di-fundamentals.md +120 -0
  51. package/src/skills/angular-developer/references/e2e-testing.md +56 -0
  52. package/src/skills/angular-developer/references/effects.md +83 -0
  53. package/src/skills/angular-developer/references/hierarchical-injectors.md +43 -0
  54. package/src/skills/angular-developer/references/host-elements.md +80 -0
  55. package/src/skills/angular-developer/references/injection-context.md +63 -0
  56. package/src/skills/angular-developer/references/inputs.md +101 -0
  57. package/src/skills/angular-developer/references/linked-signal.md +59 -0
  58. package/src/skills/angular-developer/references/loading-strategies.md +61 -0
  59. package/src/skills/angular-developer/references/mcp.md +108 -0
  60. package/src/skills/angular-developer/references/navigate-to-routes.md +69 -0
  61. package/src/skills/angular-developer/references/outputs.md +86 -0
  62. package/src/skills/angular-developer/references/reactive-forms.md +122 -0
  63. package/src/skills/angular-developer/references/rendering-strategies.md +44 -0
  64. package/src/skills/angular-developer/references/resource.md +77 -0
  65. package/src/skills/angular-developer/references/route-animations.md +56 -0
  66. package/src/skills/angular-developer/references/route-guards.md +52 -0
  67. package/src/skills/angular-developer/references/router-lifecycle.md +45 -0
  68. package/src/skills/angular-developer/references/router-testing.md +87 -0
  69. package/src/skills/angular-developer/references/show-routes-with-outlets.md +68 -0
  70. package/src/skills/angular-developer/references/signal-forms.md +795 -0
  71. package/src/skills/angular-developer/references/signals-overview.md +94 -0
  72. package/src/skills/angular-developer/references/tailwind-css.md +69 -0
  73. package/src/skills/angular-developer/references/template-driven-forms.md +114 -0
  74. package/src/skills/angular-developer/references/testing-fundamentals.md +65 -0
  75. package/src/skills/error-handling/SKILL.md +376 -0
  76. package/src/skills/fastapi-patterns/SKILL.md +327 -0
  77. package/src/skills/flox-environments/SKILL.md +496 -0
  78. package/src/skills/fsharp-testing/SKILL.md +280 -0
  79. package/src/skills/ios-icon-gen/SKILL.md +157 -0
  80. package/src/skills/ios-icon-gen/scripts/generate_icons.swift +258 -0
  81. package/src/skills/ios-icon-gen/scripts/iconify_gen.sh +235 -0
  82. package/src/skills/make-interfaces-feel-better/SKILL.md +151 -0
  83. package/src/skills/mysql-patterns/SKILL.md +412 -0
  84. package/src/skills/plan-orchestrate/SKILL.md +220 -0
  85. package/src/skills/prisma-patterns/SKILL.md +371 -0
  86. package/src/skills/production-audit/SKILL.md +206 -0
  87. package/src/skills/security-scan/references/agentshield-policy-exception/candidate-playbook.md +49 -0
  88. package/src/skills/security-scan/references/agentshield-policy-exception/report.json +35 -0
  89. package/src/skills/security-scan/references/agentshield-policy-exception/scenario.json +62 -0
  90. package/src/skills/security-scan/references/agentshield-policy-exception/trace.json +45 -0
  91. package/src/skills/security-scan/references/agentshield-policy-exception/verifier-result.json +35 -0
  92. package/src/skills/vite-patterns/SKILL.md +449 -0
  93. package/src/skills/windows-desktop-e2e/SKILL.md +887 -0
@@ -0,0 +1,412 @@
1
+ ---
2
+ name: mysql-patterns
3
+ description: MySQL and MariaDB schema, query, indexing, transaction, replication, and connection-pool patterns for production backends.
4
+ origin: ECC
5
+ ---
6
+
7
+ # MySQL Patterns
8
+
9
+ Use this skill when working on MySQL or MariaDB schema design, migrations,
10
+ slow-query investigation, queue-style transactions, connection pools, or
11
+ production database configuration. Prefer exact version checks before applying a
12
+ feature-specific pattern because MySQL and MariaDB have diverged in several SQL
13
+ details.
14
+
15
+ ## Activation
16
+
17
+ - Designing MySQL or MariaDB tables, indexes, and constraints
18
+ - Reviewing migrations before they run on large production tables
19
+ - Debugging slow queries, lock waits, deadlocks, or connection exhaustion
20
+ - Adding keyset pagination, upserts, full-text search, JSON columns, or queues
21
+ - Configuring application connection pools, read replicas, TLS, or slow logs
22
+
23
+ ## Version Check
24
+
25
+ Start by identifying the engine and version:
26
+
27
+ ```sql
28
+ SELECT VERSION();
29
+ SHOW VARIABLES LIKE 'version_comment';
30
+ ```
31
+
32
+ Keep MySQL and MariaDB guidance separate when syntax differs:
33
+
34
+ - MySQL documents row aliases as the replacement for `VALUES(col)` in
35
+ `ON DUPLICATE KEY UPDATE`; `VALUES(col)` is deprecated there.
36
+ - MariaDB documents `VALUES(col)` as the supported way to reference inserted
37
+ values in `ON DUPLICATE KEY UPDATE`; use it for cross-engine compatibility.
38
+ - `SKIP LOCKED` is appropriate for queue-like work only. It skips locked rows
39
+ and can return an inconsistent view, so do not use it for general accounting
40
+ or integrity-sensitive reads.
41
+
42
+ ## Schema Defaults
43
+
44
+ ```sql
45
+ CREATE TABLE orders (
46
+ id BIGINT UNSIGNED NOT NULL AUTO_INCREMENT,
47
+ account_id BIGINT UNSIGNED NOT NULL,
48
+ status VARCHAR(32) NOT NULL,
49
+ total DECIMAL(15, 2) NOT NULL,
50
+ created_at DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
51
+ updated_at DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
52
+ deleted_at DATETIME NULL,
53
+ PRIMARY KEY (id),
54
+ KEY idx_orders_account_status_created (account_id, status, created_at),
55
+ KEY idx_orders_active (account_id, deleted_at)
56
+ ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci;
57
+ ```
58
+
59
+ Default choices:
60
+
61
+ | Use Case | Prefer | Avoid |
62
+ | --- | --- | --- |
63
+ | Surrogate primary keys | `BIGINT UNSIGNED AUTO_INCREMENT` | `INT` for tables that can grow beyond 2B rows |
64
+ | UUID lookup keys | `BINARY(16)` with conversion helpers | `VARCHAR(36)` primary keys on hot tables |
65
+ | Money and exact quantities | `DECIMAL(p, s)` | `FLOAT` or `DOUBLE` |
66
+ | User-facing text | `utf8mb4` tables and indexes | MySQL `utf8` / `utf8mb3` defaults |
67
+ | Application timestamps | `DATETIME` with UTC managed by the app | Assuming `DATETIME` stores time zone metadata |
68
+ | Soft deletes | `deleted_at DATETIME NULL` plus scoped indexes | Filtering soft-deleted rows without an index |
69
+ | Extensible status values | lookup table or constrained `VARCHAR` | `ENUM` when values change often |
70
+
71
+ ## Indexing
72
+
73
+ Composite index order usually follows equality predicates first, then range or
74
+ sort columns:
75
+
76
+ ```sql
77
+ CREATE INDEX idx_orders_account_status_created
78
+ ON orders (account_id, status, created_at);
79
+
80
+ SELECT id, total
81
+ FROM orders
82
+ WHERE account_id = ?
83
+ AND status = 'pending'
84
+ AND created_at >= ?
85
+ ORDER BY created_at DESC
86
+ LIMIT 50;
87
+ ```
88
+
89
+ Use `EXPLAIN` before adding or changing an index:
90
+
91
+ ```sql
92
+ EXPLAIN
93
+ SELECT id, total
94
+ FROM orders
95
+ WHERE account_id = 123 AND status = 'pending'
96
+ ORDER BY created_at DESC
97
+ LIMIT 50;
98
+ ```
99
+
100
+ Signals to investigate:
101
+
102
+ | Field | Risk Signal |
103
+ | --- | --- |
104
+ | `type` | `ALL` on a large table |
105
+ | `key` | `NULL` when a selective predicate exists |
106
+ | `rows` | Very high row estimate for an interactive path |
107
+ | `Extra` | `Using temporary`, `Using filesort`, or broad `Using where` |
108
+
109
+ Avoid adding indexes blindly. Each index increases write cost, migration time,
110
+ backup size, and buffer-pool pressure.
111
+
112
+ ## Query Patterns
113
+
114
+ ### Upsert
115
+
116
+ Cross-engine-compatible form:
117
+
118
+ ```sql
119
+ INSERT INTO user_settings (user_id, setting_key, setting_value)
120
+ VALUES (?, ?, ?)
121
+ ON DUPLICATE KEY UPDATE
122
+ setting_value = VALUES(setting_value),
123
+ updated_at = CURRENT_TIMESTAMP;
124
+ ```
125
+
126
+ MySQL row-alias form:
127
+
128
+ ```sql
129
+ INSERT INTO user_settings (user_id, setting_key, setting_value)
130
+ VALUES (?, ?, ?) AS new
131
+ ON DUPLICATE KEY UPDATE
132
+ setting_value = new.setting_value,
133
+ updated_at = CURRENT_TIMESTAMP;
134
+ ```
135
+
136
+ Use the row-alias form only after confirming the target is MySQL. Use
137
+ `VALUES(col)` for MariaDB or mixed MySQL/MariaDB fleets.
138
+
139
+ ### Keyset Pagination
140
+
141
+ ```sql
142
+ SELECT id, name, created_at
143
+ FROM products
144
+ WHERE (created_at, id) < (?, ?)
145
+ ORDER BY created_at DESC, id DESC
146
+ LIMIT 50;
147
+ ```
148
+
149
+ Back it with an index that matches the cursor:
150
+
151
+ ```sql
152
+ CREATE INDEX idx_products_created_id ON products (created_at, id);
153
+ ```
154
+
155
+ Do not use deep `OFFSET` pagination on large tables; it makes the server scan
156
+ and discard rows before returning the page.
157
+
158
+ ### JSON Fields
159
+
160
+ Use JSON columns for extension data, not for fields that need heavy relational
161
+ filtering or constraints.
162
+
163
+ ```sql
164
+ CREATE TABLE events (
165
+ id BIGINT UNSIGNED AUTO_INCREMENT PRIMARY KEY,
166
+ payload JSON NOT NULL,
167
+ event_type VARCHAR(64)
168
+ GENERATED ALWAYS AS (JSON_UNQUOTE(JSON_EXTRACT(payload, '$.type'))) STORED,
169
+ KEY idx_events_type (event_type)
170
+ ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;
171
+ ```
172
+
173
+ For frequently queried JSON paths, expose a generated column and index that
174
+ column. Keep foreign keys, ownership, tenancy, and lifecycle fields relational.
175
+
176
+ ### Full-Text Search
177
+
178
+ ```sql
179
+ ALTER TABLE articles ADD FULLTEXT KEY ft_articles_title_body (title, body);
180
+
181
+ SELECT id, title, MATCH(title, body) AGAINST (? IN NATURAL LANGUAGE MODE) AS score
182
+ FROM articles
183
+ WHERE MATCH(title, body) AGAINST (? IN NATURAL LANGUAGE MODE)
184
+ ORDER BY score DESC
185
+ LIMIT 20;
186
+ ```
187
+
188
+ Use external search when you need typo tolerance, complex ranking, cross-table
189
+ facets, or language-specific analysis beyond built-in full-text behavior.
190
+
191
+ ## Transactions
192
+
193
+ Keep transactions short and lock rows in a consistent order:
194
+
195
+ ```sql
196
+ START TRANSACTION;
197
+
198
+ SELECT id, balance
199
+ FROM accounts
200
+ WHERE id IN (?, ?)
201
+ ORDER BY id
202
+ FOR UPDATE;
203
+
204
+ UPDATE accounts SET balance = balance - ? WHERE id = ?;
205
+ UPDATE accounts SET balance = balance + ? WHERE id = ?;
206
+
207
+ COMMIT;
208
+ ```
209
+
210
+ Deadlock and lock-wait checklist:
211
+
212
+ - Lock rows in a deterministic order across code paths.
213
+ - Do external API calls before opening the transaction, not inside it.
214
+ - Add indexes for predicates used in `UPDATE`, `DELETE`, and locking reads.
215
+ - On deadlock, roll back and retry the whole transaction with a bounded retry
216
+ budget.
217
+ - Capture `SHOW ENGINE INNODB STATUS\G` soon after a deadlock; it is overwritten
218
+ by later events.
219
+
220
+ Queue-style worker claim:
221
+
222
+ ```sql
223
+ START TRANSACTION;
224
+
225
+ SELECT id
226
+ FROM jobs
227
+ WHERE status = 'pending'
228
+ ORDER BY created_at
229
+ LIMIT 1
230
+ FOR UPDATE SKIP LOCKED;
231
+
232
+ UPDATE jobs
233
+ SET status = 'processing', started_at = CURRENT_TIMESTAMP
234
+ WHERE id = ?;
235
+
236
+ COMMIT;
237
+ ```
238
+
239
+ Use `SKIP LOCKED` only for queue-like workloads where skipping a locked row is
240
+ acceptable. It is not a replacement for normal transactional consistency.
241
+
242
+ ## Connection Pools
243
+
244
+ SQLAlchemy example:
245
+
246
+ ```python
247
+ from sqlalchemy import create_engine
248
+
249
+ engine = create_engine(
250
+ "mysql+mysqlconnector://app:secret@db.internal/app",
251
+ pool_size=10,
252
+ max_overflow=5,
253
+ pool_timeout=30,
254
+ pool_recycle=240,
255
+ pool_pre_ping=True,
256
+ connect_args={"connect_timeout": 5},
257
+ )
258
+ ```
259
+
260
+ Node.js `mysql2` example:
261
+
262
+ ```javascript
263
+ import mysql from 'mysql2/promise';
264
+
265
+ const pool = mysql.createPool({
266
+ host: process.env.DB_HOST,
267
+ user: process.env.DB_USER,
268
+ password: process.env.DB_PASSWORD,
269
+ database: process.env.DB_NAME,
270
+ waitForConnections: true,
271
+ connectionLimit: 10,
272
+ queueLimit: 0,
273
+ enableKeepAlive: true,
274
+ keepAliveInitialDelay: 30000,
275
+ });
276
+
277
+ const [rows] = await pool.execute(
278
+ 'SELECT id, total FROM orders WHERE account_id = ? LIMIT 50',
279
+ [accountId],
280
+ );
281
+ ```
282
+
283
+ Keep application pool recycling below the server `wait_timeout`. If the server
284
+ uses `wait_timeout = 300`, a `pool_recycle` around 240 seconds is coherent;
285
+ `pool_pre_ping` still helps recover from network and failover events.
286
+
287
+ ## Diagnostics
288
+
289
+ Useful first-pass commands:
290
+
291
+ ```sql
292
+ SHOW FULL PROCESSLIST;
293
+ SHOW ENGINE INNODB STATUS\G;
294
+ SHOW VARIABLES LIKE 'slow_query_log';
295
+ SHOW VARIABLES LIKE 'long_query_time';
296
+ ```
297
+
298
+ Enable the slow log in a controlled environment:
299
+
300
+ ```sql
301
+ SET GLOBAL slow_query_log = 'ON';
302
+ SET GLOBAL long_query_time = 1;
303
+ SET GLOBAL log_queries_not_using_indexes = 'ON';
304
+ ```
305
+
306
+ Use `EXPLAIN ANALYZE` only when it is safe to execute the query. It runs the
307
+ statement and can be expensive on production-sized data.
308
+
309
+ ## Replication
310
+
311
+ Read replicas can lag. Do not route read-your-own-write paths, checkout flows,
312
+ permission checks, or idempotency-key reads to a replica immediately after a
313
+ write.
314
+
315
+ ```sql
316
+ -- MySQL legacy terminology, still common in existing fleets
317
+ SHOW SLAVE STATUS\G;
318
+
319
+ -- Newer terminology where supported
320
+ SHOW REPLICA STATUS\G;
321
+ ```
322
+
323
+ Check the engine/version before standardizing on one command. Monitor replica
324
+ SQL thread health, IO thread health, and lag, not just whether the TCP
325
+ connection is alive.
326
+
327
+ ## Security
328
+
329
+ ```sql
330
+ CREATE USER 'app'@'%' IDENTIFIED BY 'use-a-secret-manager';
331
+ GRANT SELECT, INSERT, UPDATE, DELETE ON appdb.* TO 'app'@'%';
332
+
333
+ ALTER USER 'app'@'%' REQUIRE SSL;
334
+
335
+ SELECT user, host
336
+ FROM mysql.user
337
+ WHERE user = '';
338
+
339
+ DROP USER IF EXISTS ''@'localhost';
340
+ DROP USER IF EXISTS ''@'%';
341
+ ```
342
+
343
+ Security review points:
344
+
345
+ - Do not grant `ALL PRIVILEGES` or `*.*` to application users.
346
+ - Require TLS for application users when traffic crosses hosts or networks.
347
+ - Store credentials in the platform secret manager, not in examples, scripts, or
348
+ repository files.
349
+ - Separate migration/admin users from runtime application users.
350
+ - Audit public network exposure and bind addresses before tuning performance.
351
+
352
+ ## Configuration
353
+
354
+ Example starting point for a dedicated database host:
355
+
356
+ ```ini
357
+ [mysqld]
358
+ innodb_buffer_pool_size = 4G
359
+ innodb_flush_log_at_trx_commit = 1
360
+ sync_binlog = 1
361
+
362
+ max_connections = 300
363
+ thread_cache_size = 50
364
+
365
+ wait_timeout = 300
366
+ interactive_timeout = 300
367
+ innodb_lock_wait_timeout = 10
368
+
369
+ slow_query_log = ON
370
+ long_query_time = 1
371
+ log_queries_not_using_indexes = ON
372
+
373
+ log_bin = mysql-bin
374
+ binlog_format = ROW
375
+ binlog_expire_logs_seconds = 604800
376
+ ```
377
+
378
+ Treat configuration values as a prompt for review, not a universal preset. Size
379
+ memory, connections, log retention, and durability settings from workload,
380
+ hardware, backup policy, and recovery objectives.
381
+
382
+ ## Anti-Patterns
383
+
384
+ | Anti-Pattern | Risk | Better Pattern |
385
+ | --- | --- | --- |
386
+ | `SELECT *` in hot paths | Over-fetching and brittle clients | Select explicit columns |
387
+ | Deep `OFFSET` pagination | Linear scans and slow pages | Keyset pagination |
388
+ | No index on foreign-key joins | Slow joins and lock-heavy deletes | Index FK columns intentionally |
389
+ | Long transactions | Lock waits and large undo history | Commit small units of work |
390
+ | Direct DML against `mysql.user` | Grant-table corruption risk | Use `CREATE USER`, `ALTER USER`, `DROP USER` |
391
+ | Application user with admin grants | High blast radius | Least-privilege runtime user |
392
+ | Pool recycle above `wait_timeout` | Stale pooled connections | Recycle below timeout and pre-ping |
393
+ | Replica reads after writes | Stale user-facing state | Pin read-after-write flows to primary |
394
+
395
+ ## Output Expectations
396
+
397
+ When this skill is used for review, return:
398
+
399
+ 1. Engine/version assumptions.
400
+ 2. Highest-risk correctness, lock, security, and migration issues.
401
+ 3. Exact SQL or code changes for the safe path.
402
+ 4. Validation plan: `EXPLAIN`, migration dry run, lock/deadlock check, and
403
+ rollback criteria.
404
+ 5. Any MySQL/MariaDB syntax differences that affect the recommendation.
405
+
406
+ ## Related
407
+
408
+ - Skill: `postgres-patterns` - PostgreSQL-specific schema and query patterns
409
+ - Skill: `database-migrations` - migration planning and rollout safety
410
+ - Skill: `backend-patterns` - API and service-layer patterns
411
+ - Skill: `security-review` - secret handling, auth, and least privilege
412
+ - Agent: `database-reviewer` - broader database review workflow
@@ -0,0 +1,220 @@
1
+ ---
2
+ name: plan-orchestrate
3
+ description: Read a plan document, decompose it into steps, design a per-step agent chain from the CCP catalogue, and emit ready-to-paste /orchestrate custom prompts. Generative only — never invokes /orchestrate itself. Use when the user has a multi-step plan and wants to drive it through orchestrate without composing chains by hand.
4
+ origin: ECC
5
+ ---
6
+
7
+ # Plan Orchestrate
8
+
9
+ Bridge a plan document to `/orchestrate custom` by emitting one ready-to-paste invocation per step. The skill is generative only — it never executes `/orchestrate`. The user pastes each line when ready.
10
+
11
+ ## When to Activate
12
+
13
+ - User has a multi-step plan document (PRD, RFC, implementation plan) and wants to drive it through `/orchestrate`.
14
+ - User says "orchestrate this plan", "give me orchestrate prompts for each step", "compose chains for this plan".
15
+ - A step-by-step plan exists but the user does not want to manually pick agents per step.
16
+
17
+ Skip when:
18
+ - The work is one ad-hoc step → call `/orchestrate custom` directly.
19
+ - The plan is unreadable or empty. Lack of explicit numbering alone is not a skip condition — see the "No clear steps" edge case below.
20
+
21
+ ## Inputs
22
+
23
+ ```
24
+ <plan-doc-path> [--lang=python|typescript|go|rust|cpp|java|kotlin|flutter|auto] [--scope=all|step:<n>|range:<a>-<b>] [--dry-run]
25
+ ```
26
+
27
+ - `<plan-doc-path>` — required; relative or absolute path (`@docs/...` accepted).
28
+ - `--lang` — reviewer language variant; defaults to `auto` (detected from project).
29
+ - `--scope` — limits emitted steps; defaults to `all`.
30
+ - `--dry-run` — print decomposition + chain rationale only; do not emit final prompts.
31
+
32
+ ## Authoritative `/orchestrate` shape (do not deviate)
33
+
34
+ ```
35
+ /orchestrate custom "<agent1>,<agent2>,...,<agentN>" "<task description>"
36
+ ```
37
+
38
+ - `custom` is a sequential chain; each agent's HANDOFF feeds the next.
39
+ - Comma-separated agent list. No spaces preferred; one space tolerated.
40
+ - No `--mode` / `--gate` / `--agents=...` flags exist — never invent them.
41
+ - Agent names come from the catalogue in this skill. Embedded double quotes in the task description are escaped as `\"`.
42
+ - Agent names are bare (`<name>`), matching how CCP installs them into `<claude-home>/agents/`.
43
+
44
+ ## Available agent catalogue (must pick from these)
45
+
46
+ General:
47
+ - `planner` — requirement restatement, risk decomposition, step planning
48
+ - `architect` — architecture, system design, refactor proposals
49
+ - `tdd-guide` — write tests → implement → 80%+ coverage
50
+ - `code-reviewer` — generic code review
51
+ - `security-reviewer` — security audit, OWASP, secret leakage
52
+ - `refactor-cleaner` — dead code, duplicates, knip-class cleanup
53
+ - `doc-updater` — documentation, codemap, README
54
+ - `docs-lookup` — third-party library API lookups (Context7)
55
+ - `e2e-runner` — end-to-end test orchestration
56
+ - `database-reviewer` — PostgreSQL schema, migration, performance
57
+ - `harness-optimizer` — local agent harness configuration
58
+ - `loop-operator` — long-running autonomous loops
59
+ - `chief-of-staff` — multi-channel triage (rarely a fit for plan steps)
60
+
61
+ Build error resolvers:
62
+ - `build-error-resolver` (generic) / `cpp-build-resolver` / `go-build-resolver` / `java-build-resolver` / `kotlin-build-resolver` / `rust-build-resolver` / `pytorch-build-resolver`
63
+
64
+ Code reviewers:
65
+ - `python-reviewer` / `typescript-reviewer` / `go-reviewer` / `rust-reviewer` / `cpp-reviewer` / `java-reviewer` / `kotlin-reviewer` / `flutter-reviewer`
66
+
67
+ A misspelled agent name fails `/orchestrate`. Cross-check against this list before emitting.
68
+
69
+ ## How It Works
70
+
71
+ ### Phase 0 — Detect language
72
+
73
+ 1. Read `<plan-doc-path>`. If missing or empty, report and stop.
74
+ 2. Resolve `--lang`. When `auto`, run a polyglot-aware detection:
75
+ - Probe markers: `pyproject.toml` / `uv.lock` / `requirements.txt` → python; `package.json` → typescript; `go.mod` → go; `Cargo.toml` → rust; `CMakeLists.txt` or top-level `*.cpp` → cpp; `pom.xml` / `build.gradle` (Java) → java; `build.gradle.kts` or top-level Kotlin → kotlin; `pubspec.yaml` → flutter.
76
+ - **Polyglot tie-break**: if more than one marker matches, pick the language whose source files outnumber the others (count via `git ls-files`, excluding `vendor/`, `node_modules/`, `dist/`, `build/`, `.venv/`, generated files, and obvious test fixtures). On a tie or when no language exceeds 60% of source files, set `lang=unknown`.
77
+ - No marker matched → set `lang=unknown`.
78
+ - `lang=unknown` is a sentinel — it is **not** an agent name. Phase 2 rules 4 and 5 turn it into `code-reviewer` / `build-error-resolver` at chain composition time.
79
+ 4. Detect a **PyTorch sub-profile**: when `lang=python` and any of `pyproject.toml` / `requirements.txt` / `uv.lock` declares a dependency on `torch`, set `pytorch=true`. This only affects `build` chain selection (Phase 2 rule below); the reviewer remains `python-reviewer`.
80
+ 5. **Normalize any agent names declared in the plan**: if the plan text references agents by a plugin-prefixed form (e.g. `<namespace>:tdd-guide`), strip the prefix to get the bare catalogue name before validating or composing chains. CCP emits bare names only; never let a pre-prefixed name flow into the output.
81
+
82
+ ### Phase 1 — Decompose steps
83
+
84
+ Identify "step units" in priority order:
85
+
86
+ 1. Explicit numbering: `## Step N` / `### Phase N` / `## N. ...` / top-level ordered list.
87
+ 2. A "Step" column in a table.
88
+ 3. `---`-separated blocks with verb-led headings.
89
+ 4. Otherwise treat each H2 as one step.
90
+
91
+ Per step extract `id` (1-based), `title` (≤ 80 chars), `intent` (1–3 sentences), `tags`.
92
+
93
+ ### Phase 2 — Tag and pick chain
94
+
95
+ Tag by intent (multi-tag allowed; chain built from primary + stacked secondaries):
96
+
97
+ Trigger words below are matched case-insensitively. Multilingual plans are supported by matching the word stems in any language as long as the meaning aligns with the listed English trigger words.
98
+
99
+ | Tag | Trigger words | Default chain |
100
+ |---|---|---|
101
+ | `design` | architecture, design, choose, evaluate, RFC | `planner,architect` |
102
+ | `plan` | plan, breakdown, milestone | `planner` |
103
+ | `impl` | implement, build, add, create, port | `tdd-guide,<lang>-reviewer` |
104
+ | `test` | test, coverage, e2e, integration | `tdd-guide,e2e-runner` |
105
+ | `refactor` | refactor, cleanup, dedupe, split | `architect,refactor-cleaner,<lang>-reviewer` |
106
+ | `migration` | migrate, upgrade, rewrite, port | `architect,tdd-guide,<lang>-reviewer` |
107
+ | `db` | schema, migration, index, SQL, Postgres, alembic, sqlmodel | `database-reviewer,<lang>-reviewer` |
108
+ | `security` | encrypt, auth, secret, OWASP, PII | `security-reviewer,<lang>-reviewer` |
109
+ | `build` | build, compile, lint failure, CI | `<lang>-build-resolver` (falls back to `build-error-resolver`) |
110
+ | `docs` | docs, readme, codemap, changelog | `doc-updater` |
111
+ | `lookup` | lookup, reference, API usage | `docs-lookup` |
112
+ | `review` | review, audit, verify | `<lang>-reviewer,code-reviewer` |
113
+ | `loop` | loop, autonomous, watchdog | `loop-operator` |
114
+
115
+ Chain composition rules:
116
+ 1. **Primary tag selection**: when a step matches multiple tags, the **first one in table order** (top of the table = highest priority) is the primary; the rest are secondaries. Composition rules 2 and 3 below handle specific multi-tag combinations explicitly; otherwise, append secondary chains in tag table order.
117
+ 2. `impl` + `security` → `tdd-guide,<lang>-reviewer,security-reviewer`.
118
+ 3. `impl` + `db` → `tdd-guide,database-reviewer,<lang>-reviewer`.
119
+ 4. **Deduplicate** the resulting chain (preserve first occurrence). E.g. `review` + `lang=unknown` would yield `code-reviewer,code-reviewer` after rule 5; deduplication collapses it to `code-reviewer`.
120
+ 5. `<lang>-reviewer` resolves to `code-reviewer` when `lang=unknown`.
121
+ 6. `<lang>-build-resolver` resolves to `build-error-resolver` when `lang=unknown`. **Special case**: if Phase 0 set `pytorch=true`, use `pytorch-build-resolver` for `build` chains regardless of `<lang>`. There is no `python-build-resolver`; `--lang=python` without `pytorch=true` resolves to `build-error-resolver`.
122
+ 7. **Zero-tag steps**: if no trigger word matches, set chain to `code-reviewer` and write `no tag matched; default review-only chain` under "Chain rationale".
123
+ 8. Chain length ≤ 4 after deduplication. If exceeded, drop weakest tag (`lookup` and `docs` first).
124
+ 9. Do not pair `planner` and `architect` in an `impl` chain (token waste). Pair them only on `design` steps.
125
+ 10. Steps tagged `impl`, `refactor`, or `migration` end with a **reviewer-class** agent — any of `<lang>-reviewer`, `code-reviewer`, `security-reviewer`, or `database-reviewer`. The most domain-specific reviewer wins the tail position (e.g. rule 2's `impl+security` ends with `security-reviewer`; rule 3's `impl+db` ends with `<lang>-reviewer` because `database-reviewer` already gates the migration earlier in the chain). `test` and `build` steps are gated by their own validators (`e2e-runner` and the build resolver respectively) and do not require an additional reviewer.
126
+
127
+ ### Phase 3 — Compress task description
128
+
129
+ Each emitted `<task description>` must:
130
+ - Be self-contained (the first agent does not need the plan document open).
131
+ - Start with `[Plan: <path>#step-<id>]`.
132
+ - Include 1–3 verifiable Acceptance criteria.
133
+ - Include a Scope guard (`Out of scope: ...`) **only if the plan declares one for this step**. Inherit verbatim. If the plan has no out-of-scope statement, omit the clause entirely — do not invent one.
134
+ - Be 200–600 characters; one line; embedded `"` escaped as `\"`; no literal newlines.
135
+
136
+ ### Phase 4 — Output
137
+
138
+ Emit Markdown using the bare-name form. The slash command is always `/orchestrate` and every agent name is rendered as a bare catalogue name (no namespace prefix).
139
+
140
+ Output structure:
141
+
142
+ ````markdown
143
+ # Plan-Orchestrate Result
144
+
145
+ **Plan**: `<path>`
146
+ **Lang**: `<detected-or-given>`
147
+ **Steps**: <N>
148
+ **Scope**: <all | step:n | range:a-b>
149
+
150
+ ## Steps overview
151
+
152
+ | # | Title | Tags | Chain |
153
+ |---|---|---|---|
154
+ | 1 | ... | impl, db | `tdd-guide,database-reviewer,python-reviewer` |
155
+ | ... | | | |
156
+
157
+ ---
158
+
159
+ ## Step 1 — <title>
160
+
161
+ **Intent**: <1–3 sentences>
162
+ **Tags**: <a, b>
163
+ **Chain rationale**: <why this chain; which agent closes the loop>
164
+
165
+ ```bash
166
+ /orchestrate custom "tdd-guide,database-reviewer,python-reviewer" "[Plan: docs/foo.md#step-1] <compressed task description>; Acceptance: <1–3 items>; Out of scope: <…>"
167
+ ```
168
+ ````
169
+
170
+ Append a final "Batch execution" block aggregating every step's command in order so the user can paste them all at once. **Skip the Batch block in overview-only mode** (see "Large plan" edge case): when only the overview table is being emitted, there are no per-step commands to aggregate.
171
+
172
+ ### Phase 5 — Self-check (run before emitting)
173
+
174
+ - [ ] Every agent in every chain comes from the catalogue (after stripping any plugin namespace prefix that appeared in the plan; see Phase 0 step 5).
175
+ - [ ] All emitted agent names are bare (no namespace prefix) and the slash command is `/orchestrate`.
176
+ - [ ] No invented `--mode` / `--gate` / `--agents=...` fields.
177
+ - [ ] Each task description is single-line, double-quoted, with embedded `"` escaped.
178
+ - [ ] Each task description begins with `[Plan: <path>#step-<id>]` and includes Acceptance (1–3 items). The `Out of scope:` clause is present only when inherited from the plan.
179
+ - [ ] No duplicate agent in any chain after Phase 2 dedup.
180
+ - [ ] Chain length ≤ 4.
181
+ - [ ] Steps tagged `impl`/`refactor`/`migration` end with a reviewer-class agent (`<lang>-reviewer`, `code-reviewer`, `security-reviewer`, or `database-reviewer`). `test` and `build` are exempt — see Phase 2 rule 10.
182
+ - [ ] Zero-tag steps emit `code-reviewer` with the rationale `no tag matched; default review-only chain`.
183
+ - [ ] Overview table lists every step in the plan, regardless of `--scope`.
184
+ - [ ] Per-step detail block count matches the resolved `--scope` (full plan when `--scope=all`; one block for `step:n`; range size for `range:a-b`). In overview-only mode, no per-step blocks and no Batch block are emitted.
185
+
186
+ ## Edge cases
187
+
188
+ - **No clear steps**: prefer H2/H3 splitting; if still ambiguous, report "no structured steps detected" with the document outline and ask the user to confirm running by outline.
189
+ - **Large plan (>1500 lines)**: enter **overview-only mode** — emit only the overview table and ask the user to narrow with `--scope` before re-running for details. In this mode, skip per-step detail blocks and skip the Batch execution block.
190
+ - **Step too broad** (e.g. "complete all backend work"): do not force a single chain. Suggest splitting into N.a and N.b and propose a split.
191
+ - **Plan declares agents** (rare): first **strip any plugin namespace prefix** (e.g. `<namespace>:tdd-guide`) to get the bare catalogue name (Phase 0 step 5), then validate against the catalogue. Replace invalid agents and explain under "Chain rationale".
192
+ - **Polyglot project where `--lang=auto` cannot pick a winner**: set `lang=unknown`; reviewer resolves to `code-reviewer` and build resolver to `build-error-resolver`. Mention the fallback under "Chain rationale".
193
+
194
+ ## Examples
195
+
196
+ ### Example — Python plan
197
+
198
+ Input:
199
+ ```
200
+ plan-orchestrate @docs/plan/example-feature.md --lang=python
201
+ ```
202
+
203
+ Excerpt of expected output:
204
+ ````markdown
205
+ ## Step 2 — Encrypt sensitive UserProfile fields
206
+
207
+ **Intent**: Introduce an `EncryptedString` SQLAlchemy type and AES-GCM encrypt `birth_datetime` / `location` before persistence; load the key from an environment variable.
208
+ **Tags**: impl, security, db
209
+ **Chain rationale**: Security-sensitive write path, so `security-reviewer` closes the chain; `database-reviewer` validates the alembic migration; `python-reviewer` covers typing and PEP 8.
210
+
211
+ ```bash
212
+ /orchestrate custom "tdd-guide,database-reviewer,python-reviewer,security-reviewer" "[Plan: docs/plan/example-feature.md#step-2] Implement EncryptedString SQLAlchemy type and migrate UserProfile.birth_datetime/location columns; key from ENV APP_DB_KEY; Acceptance: encrypt/decrypt roundtrip tests pass; alembic upgrade/downgrade clean on empty DB; no plaintext in DB after migrate; Out of scope: cross-tenant profile sharing logic"
213
+ ```
214
+ ````
215
+
216
+ ## Notes
217
+
218
+ - Generative only. Never invoke `/orchestrate` from inside this skill.
219
+ - Match the language of the plan document for task descriptions (agent names always remain English).
220
+ - Do not insert "Co-Authored-By" lines or emoji in the output unless the user explicitly asks.