claude-code-pilot 3.2.0 → 3.3.1

Files changed (93) hide show
  1. package/CHANGELOG.md +67 -0
  2. package/README.md +14 -9
  3. package/bin/install.js +124 -16
  4. package/manifest.json +18 -3
  5. package/package.json +3 -2
  6. package/src/agents/django-build-resolver.md +252 -0
  7. package/src/agents/django-reviewer.md +169 -0
  8. package/src/agents/fastapi-reviewer.md +79 -0
  9. package/src/agents/fsharp-reviewer.md +109 -0
  10. package/src/agents/swift-build-resolver.md +170 -0
  11. package/src/agents/swift-reviewer.md +116 -0
  12. package/src/commands/ccp/cost-report.md +107 -0
  13. package/src/commands/ccp/intel.md +3 -3
  14. package/src/commands/ccp/mvp-phase.md +45 -0
  15. package/src/commands/ccp/plan-prd.md +160 -0
  16. package/src/commands/ccp/pr-ecc.md +184 -0
  17. package/src/commands/ccp/security-scan.md +74 -0
  18. package/src/hooks/ccp-bash-hook-dispatcher.js +96 -0
  19. package/src/hooks/ccp-context-monitor.js +23 -0
  20. package/src/hooks/ccp-doc-file-warning.js +93 -0
  21. package/src/hooks/ccp-pre-bash-dispatcher.js +24 -0
  22. package/src/hooks/ccp-write-gateguard.js +868 -0
  23. package/src/lib/project-detect.js +0 -2
  24. package/src/lib/shell-substitution.js +499 -0
  25. package/src/pilot/references/execute-mvp-tdd.md +81 -0
  26. package/src/pilot/references/mvp-concepts.md +49 -0
  27. package/src/pilot/references/planner-graphify-auto-update.md +67 -0
  28. package/src/pilot/references/planner-human-verify-mode.md +57 -0
  29. package/src/pilot/references/planner-mvp-mode.md +53 -0
  30. package/src/pilot/references/skeleton-template.md +48 -0
  31. package/src/pilot/references/spidr-splitting.md +69 -0
  32. package/src/pilot/references/user-story-template.md +58 -0
  33. package/src/pilot/references/verify-mvp-mode.md +85 -0
  34. package/src/pilot/references/worktree-path-safety.md +89 -0
  35. package/src/pilot/workflows/help.md +5 -0
  36. package/src/pilot/workflows/mvp-phase.md +199 -0
  37. package/src/skills/agent-architecture-audit/SKILL.md +256 -0
  38. package/src/skills/agent-harness-design/SKILL.md +73 -0
  39. package/src/skills/angular-developer/SKILL.md +154 -0
  40. package/src/skills/angular-developer/references/angular-animations.md +160 -0
  41. package/src/skills/angular-developer/references/angular-aria.md +410 -0
  42. package/src/skills/angular-developer/references/cli.md +86 -0
  43. package/src/skills/angular-developer/references/component-harnesses.md +59 -0
  44. package/src/skills/angular-developer/references/component-styling.md +91 -0
  45. package/src/skills/angular-developer/references/components.md +117 -0
  46. package/src/skills/angular-developer/references/creating-services.md +97 -0
  47. package/src/skills/angular-developer/references/data-resolvers.md +69 -0
  48. package/src/skills/angular-developer/references/define-routes.md +67 -0
  49. package/src/skills/angular-developer/references/defining-providers.md +72 -0
  50. package/src/skills/angular-developer/references/di-fundamentals.md +120 -0
  51. package/src/skills/angular-developer/references/e2e-testing.md +56 -0
  52. package/src/skills/angular-developer/references/effects.md +83 -0
  53. package/src/skills/angular-developer/references/hierarchical-injectors.md +43 -0
  54. package/src/skills/angular-developer/references/host-elements.md +80 -0
  55. package/src/skills/angular-developer/references/injection-context.md +63 -0
  56. package/src/skills/angular-developer/references/inputs.md +101 -0
  57. package/src/skills/angular-developer/references/linked-signal.md +59 -0
  58. package/src/skills/angular-developer/references/loading-strategies.md +61 -0
  59. package/src/skills/angular-developer/references/mcp.md +108 -0
  60. package/src/skills/angular-developer/references/navigate-to-routes.md +69 -0
  61. package/src/skills/angular-developer/references/outputs.md +86 -0
  62. package/src/skills/angular-developer/references/reactive-forms.md +122 -0
  63. package/src/skills/angular-developer/references/rendering-strategies.md +44 -0
  64. package/src/skills/angular-developer/references/resource.md +77 -0
  65. package/src/skills/angular-developer/references/route-animations.md +56 -0
  66. package/src/skills/angular-developer/references/route-guards.md +52 -0
  67. package/src/skills/angular-developer/references/router-lifecycle.md +45 -0
  68. package/src/skills/angular-developer/references/router-testing.md +87 -0
  69. package/src/skills/angular-developer/references/show-routes-with-outlets.md +68 -0
  70. package/src/skills/angular-developer/references/signal-forms.md +795 -0
  71. package/src/skills/angular-developer/references/signals-overview.md +94 -0
  72. package/src/skills/angular-developer/references/tailwind-css.md +69 -0
  73. package/src/skills/angular-developer/references/template-driven-forms.md +114 -0
  74. package/src/skills/angular-developer/references/testing-fundamentals.md +65 -0
  75. package/src/skills/error-handling/SKILL.md +376 -0
  76. package/src/skills/fastapi-patterns/SKILL.md +327 -0
  77. package/src/skills/flox-environments/SKILL.md +496 -0
  78. package/src/skills/fsharp-testing/SKILL.md +280 -0
  79. package/src/skills/ios-icon-gen/SKILL.md +157 -0
  80. package/src/skills/ios-icon-gen/scripts/generate_icons.swift +258 -0
  81. package/src/skills/ios-icon-gen/scripts/iconify_gen.sh +235 -0
  82. package/src/skills/make-interfaces-feel-better/SKILL.md +151 -0
  83. package/src/skills/mysql-patterns/SKILL.md +412 -0
  84. package/src/skills/plan-orchestrate/SKILL.md +220 -0
  85. package/src/skills/prisma-patterns/SKILL.md +371 -0
  86. package/src/skills/production-audit/SKILL.md +206 -0
  87. package/src/skills/security-scan/references/agentshield-policy-exception/candidate-playbook.md +49 -0
  88. package/src/skills/security-scan/references/agentshield-policy-exception/report.json +35 -0
  89. package/src/skills/security-scan/references/agentshield-policy-exception/scenario.json +62 -0
  90. package/src/skills/security-scan/references/agentshield-policy-exception/trace.json +45 -0
  91. package/src/skills/security-scan/references/agentshield-policy-exception/verifier-result.json +35 -0
  92. package/src/skills/vite-patterns/SKILL.md +449 -0
  93. package/src/skills/windows-desktop-e2e/SKILL.md +887 -0
@@ -0,0 +1,107 @@
1
+ ---
2
+ description: Generate a local Claude Code cost report from a cost-tracker SQLite database.
3
+ argument-hint: [csv]
4
+ ---
5
+
6
+ # Cost Report
7
+
8
+ Query the local cost-tracking database and present a spending report by day,
9
+ project, tool, and session. This command assumes a cost-tracking hook or plugin
10
+ is already writing usage rows to `~/.claude-cost-tracker/usage.db`.
11
+
12
+ ## What This Command Does
13
+
14
+ 1. Check that `sqlite3` is available.
15
+ 2. Check that `~/.claude-cost-tracker/usage.db` exists.
16
+ 3. Run aggregate queries against the `usage` table.
17
+ 4. Present a compact report, or export recent rows as CSV when the argument is
18
+ `csv`.
19
+
20
+ ## Prerequisites
21
+
22
+ The database must be populated by a local cost tracker. If the file is missing,
23
+ tell the user the tracker is not set up and suggest installing or enabling a
24
+ trusted Claude Code cost-tracking hook/plugin first.
25
+
26
+ ```bash
27
+ test -f ~/.claude-cost-tracker/usage.db && echo "Database found" || echo "Database not found"
28
+ ```
29
+
30
+ ## Summary Query
31
+
32
+ ```bash
33
+ sqlite3 -header -column ~/.claude-cost-tracker/usage.db "
34
+ SELECT
35
+ ROUND(COALESCE(SUM(CASE WHEN date(timestamp) = date('now') THEN cost_usd END), 0), 4) AS today_cost,
36
+ ROUND(COALESCE(SUM(CASE WHEN date(timestamp) = date('now', '-1 day') THEN cost_usd END), 0), 4) AS yesterday_cost,
37
+ ROUND(COALESCE(SUM(cost_usd), 0), 4) AS total_cost,
38
+ COUNT(*) AS total_calls,
39
+ COUNT(DISTINCT session_id) AS sessions
40
+ FROM usage;
41
+ "
42
+ ```
43
+
44
+ ## Project Breakdown
45
+
46
+ ```bash
47
+ sqlite3 -header -column ~/.claude-cost-tracker/usage.db "
48
+ SELECT project, ROUND(SUM(cost_usd), 4) AS cost, COUNT(*) AS calls
49
+ FROM usage
50
+ GROUP BY project
51
+ ORDER BY cost DESC;
52
+ "
53
+ ```
54
+
55
+ ## Tool Breakdown
56
+
57
+ ```bash
58
+ sqlite3 -header -column ~/.claude-cost-tracker/usage.db "
59
+ SELECT tool_name, ROUND(SUM(cost_usd), 4) AS cost, COUNT(*) AS calls
60
+ FROM usage
61
+ GROUP BY tool_name
62
+ ORDER BY cost DESC;
63
+ "
64
+ ```
65
+
66
+ ## Last Seven Days
67
+
68
+ ```bash
69
+ sqlite3 -header -column ~/.claude-cost-tracker/usage.db "
70
+ SELECT date(timestamp) AS date, ROUND(SUM(cost_usd), 4) AS cost, COUNT(*) AS calls
71
+ FROM usage
72
+ GROUP BY date(timestamp)
73
+ ORDER BY date DESC
74
+ LIMIT 7;
75
+ "
76
+ ```
77
+
78
+ ## CSV Export
79
+
80
+ If the user asks for `/cost-report csv`, export the most recent usage rows with
81
+ an explicit column list:
82
+
83
+ ```bash
84
+ sqlite3 -csv -header ~/.claude-cost-tracker/usage.db "
85
+ SELECT timestamp, project, tool_name, input_tokens, output_tokens, cost_usd, session_id, model
86
+ FROM usage
87
+ ORDER BY timestamp DESC
88
+ LIMIT 100;
89
+ "
90
+ ```
91
+
92
+ ## Report Format
93
+
94
+ Format the response as:
95
+
96
+ 1. Summary: today, yesterday, total, calls, sessions.
97
+ 2. By project: projects ranked by total cost.
98
+ 3. By tool: tools ranked by total cost.
99
+ 4. Last seven days: date, cost, call count.
100
+
101
+ Use four decimal places for sub-dollar amounts. Do not estimate pricing from raw
102
+ tokens in this command; rely on the precomputed `cost_usd` values written by the
103
+ tracker.
104
+
105
+ ## Source
106
+
107
+ Salvaged from stale community PR #1304 by `MayurBhavsar`.
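Review bot: All five `sqlite3` invocations open `~/.claude-cost-tracker/usage.db` read-write even though every statement is a SELECT; a reporting command should open the tracker's database read-only, e.g. `sqlite3 -readonly -header -column ~/.claude-cost-tracker/usage.db "…"` (and `-readonly -csv -header` for the export). The "Last Seven Days" query returns the seven most recent dates that have rows, not the last seven calendar days, so either the heading should say so or the query should add `WHERE date(timestamp) >= date('now', '-6 days')`. Step 1 of "What This Command Does" promises a `sqlite3` availability check but no command is given for it, unlike the database check under Prerequisites.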
@@ -24,7 +24,7 @@ Then proceed to Step 1.
24
24
 
25
25
  Check if intel is enabled by reading `.planning/config.json` directly using the Read tool.
26
26
 
27
- **DO NOT use the gsd-tools config get-value command** -- it hard-exits on missing keys.
27
+ **DO NOT use the config get-value CLI** -- it hard-exits on missing keys. Read `.planning/config.json` directly instead.
28
28
 
29
29
  1. Read `.planning/config.json` using the Read tool
30
30
  2. If the file does not exist: display the disabled message below and **STOP**
@@ -137,7 +137,7 @@ Task(
137
137
  prompt="You are the gsd-intel-updater agent. Your job is to analyze this codebase and write/update intelligence files in .planning/intel/.
138
138
 
139
139
  Project root: ${CWD}
140
- Prefer: gsd-sdk query <subcommand> (installed gsd-sdk on PATH). Legacy: node $HOME/.claude/pilot/bin/gsd-tools.cjs
140
+ Use: node "$HOME/.claude/pilot/bin/ccp-tools.cjs" <subcommand>
141
141
 
142
142
  Instructions:
143
143
  1. Analyze the codebase structure, dependencies, APIs, and architecture
@@ -176,4 +176,4 @@ Display a summary showing:
176
176
  1. DO NOT spawn an agent for query/status/diff operations -- these are inline CLI calls
177
177
  2. DO NOT modify intel files directly -- the agent handles writes during refresh
178
178
  3. DO NOT skip the config gate check
179
- 4. DO NOT use the gsd-tools config get-value CLI for the config gate -- it exits on missing keys
179
+ 4. DO NOT use the config get-value CLI for the config gate -- it exits on missing keys
@@ -0,0 +1,45 @@
1
+ ---
2
+ name: ccp:mvp-phase
3
+ description: Plan a phase as a vertical MVP slice — user story, SPIDR splitting, then plan-phase
4
+ argument-hint: "<phase-number>"
5
+ allowed-tools:
6
+ - Read
7
+ - Write
8
+ - Bash
9
+ - Glob
10
+ - Grep
11
+ - Agent
12
+ - AskUserQuestion
13
+ requires: [new-project, plan-phase]
14
+ ---
15
+ <objective>
16
+ Guide the user through MVP-mode planning for a phase. The command:
17
+
18
+ 1. Prompts for an "As a / I want to / So that" user story (three structured questions)
19
+ 2. Runs SPIDR splitting check — if the story is too large, walks through Spike/Paths/Interfaces/Data/Rules and offers to split into multiple phases
20
+ 3. Writes `**Mode:** mvp` and the reformatted `**Goal:**` to the phase's ROADMAP.md section
21
+ 4. Delegates to `/ccp:plan-phase <N>` which auto-detects MVP mode via the roadmap field
22
+
23
+ Phase 1 of the vertical-mvp-slice PRD shipped the planner-side machinery; this command is the user entry point for it.
24
+ </objective>
25
+
26
+ <execution_context>
27
+ @~/.claude/pilot/workflows/mvp-phase.md
28
+ @~/.claude/pilot/references/spidr-splitting.md
29
+ @~/.claude/pilot/references/user-story-template.md
30
+ </execution_context>
31
+
32
+ <runtime_note>
33
+ **Copilot (VS Code):** Use `vscode_askquestions` wherever this workflow calls `AskUserQuestion`. Equivalent API.
34
+ </runtime_note>
35
+
36
+ <context>
37
+ Phase number: $ARGUMENTS (required — integer or decimal like `2.1`)
38
+
39
+ The phase must already exist in ROADMAP.md (created via `/ccp:new-project`, `/ccp:add-phase`, or `/ccp:insert-phase`). This command does not create new phases — it converts an existing phase to MVP mode.
40
+ </context>
41
+
42
+ <process>
43
+ Execute the mvp-phase workflow from @~/.claude/pilot/workflows/mvp-phase.md end-to-end.
44
+ Preserve all gates: phase existence, status guard (refuse in_progress/completed), user-story format validation, SPIDR splitting check, ROADMAP write confirmation, plan-phase delegation.
45
+ </process>
@@ -0,0 +1,160 @@
1
+ ---
2
+ description: "Generate a lean, problem-first PRD and hand off to /plan for implementation planning."
3
+ argument-hint: "[product/feature idea] (blank = start with questions)"
4
+ ---
5
+
6
+ # PRD Command
7
+
8
+ Produces a **Product Requirements Document** — the requirements-phase artifact of the SDLC. Captures *what* must be true for success and *why*, and stops before *how*. Implementation decomposition is delegated to `/plan`.
9
+
10
+ **Input**: `$ARGUMENTS`
11
+
12
+ ## Scope of this command
13
+
14
+ | This command does | This command does NOT do |
15
+ |---|---|
16
+ | Frame the problem and users | Design the architecture |
17
+ | Capture success criteria and scope | Pick files or write patterns |
18
+ | List open questions and risks | Enumerate implementation tasks |
19
+ | Write `.claude/prds/{name}.prd.md` | Produce an implementation plan — that's `/plan` |
20
+
21
+ If you find yourself writing implementation detail, stop and cut it. It belongs in `/plan`.
22
+
23
+ **Anti-fluff rule**: When information is missing, write `TBD — needs validation via {method}`. Never invent plausible-sounding requirements.
24
+
25
+ ## Workflow
26
+
27
+ Four phases. Each phase is a single gate — ask the questions, wait for the user, then move on. No nested loops, no parallel research ceremony.
28
+
29
+ ### Phase 1 — FRAME
30
+
31
+ If `$ARGUMENTS` is empty, ask:
32
+
33
+ > What do you want to build? One or two sentences.
34
+
35
+ If provided, restate in one sentence and ask:
36
+
37
+ > I understand: *{restated}*. Correct, or should I adjust?
38
+
39
+ Then ask the framing questions in a single set:
40
+
41
+ > 1. **Who** has this problem? (specific role or segment)
42
+ > 2. **What** is the observable pain? (describe behavior, not assumed needs)
43
+ > 3. **Why** can't they solve it with what exists today?
44
+ > 4. **Why now?** — what changed that makes this worth doing?
45
+
46
+ Wait for the user. Do not proceed without answers (or explicit "skip").
47
+
48
+ ### Phase 2 — GROUND
49
+
50
+ Ask for evidence. This is the shortest phase and the most load-bearing:
51
+
52
+ > What evidence do you have that this problem is real and worth solving? (user quotes, support tickets, metrics, observed behavior, failed workarounds — anything concrete)
53
+
54
+ If the user has none, record the PRD's Evidence section as `Assumption — needs validation via {user research | analytics | prototype}`. This keeps the PRD honest.
55
+
56
+ ### Phase 3 — DECIDE
57
+
58
+ Scope and hypothesis in a single set:
59
+
60
+ > 1. **Hypothesis** — Complete: *We believe **{capability}** will **{solve problem}** for **{users}**. We'll know we're right when **{measurable outcome}**.*
61
+ > 2. **MVP** — The minimum needed to test the hypothesis?
62
+ > 3. **Out of scope** — What are you explicitly **not** building (even if users ask)?
63
+ > 4. **Open questions** — Uncertainties that could change the approach?
64
+
65
+ Wait for responses.
66
+
67
+ ### Phase 4 — GENERATE & HAND OFF
68
+
69
+ Create the directory if needed, write the PRD, and report.
70
+
71
+ ```bash
72
+ mkdir -p .claude/prds
73
+ ```
74
+
75
+ **Output path**: `.claude/prds/{kebab-case-name}.prd.md`
76
+
77
+ #### PRD Template
78
+
79
+ ```markdown
80
+ # {Product / Feature Name}
81
+
82
+ ## Problem
83
+ {2–3 sentences: who has what problem, and what's the cost of leaving it unsolved?}
84
+
85
+ ## Evidence
86
+ - {User quote, data point, or observation}
87
+ - {OR: "Assumption — needs validation via {method}"}
88
+
89
+ ## Users
90
+ - **Primary**: {role, context, what triggers the need}
91
+ - **Not for**: {who this explicitly excludes}
92
+
93
+ ## Hypothesis
94
+ We believe **{capability}** will **{solve problem}** for **{users}**.
95
+ We'll know we're right when **{measurable outcome}**.
96
+
97
+ ## Success Metrics
98
+ | Metric | Target | How measured |
99
+ |---|---|---|
100
+ | {primary} | {number} | {method} |
101
+
102
+ ## Scope
103
+ **MVP** — {the minimum to test the hypothesis}
104
+
105
+ **Out of scope**
106
+ - {item} — {why deferred}
107
+
108
+ ## Delivery Milestones
109
+ <!-- Business outcomes, not engineering tasks. /plan turns each into a plan. -->
110
+ <!-- Status: pending | in-progress | complete -->
111
+
112
+ | # | Milestone | Outcome | Status | Plan |
113
+ |---|---|---|---|---|
114
+ | 1 | {name} | {user-visible change} | pending | — |
115
+ | 2 | {name} | {user-visible change} | pending | — |
116
+
117
+ ## Open Questions
118
+ - [ ] {question that could change scope or approach}
119
+
120
+ ## Risks
121
+ | Risk | Likelihood | Impact | Mitigation |
122
+ |---|---|---|---|
123
+
124
+ ---
125
+ *Status: DRAFT — requirements only. Implementation planning pending via /plan.*
126
+ ```
127
+
128
+ #### Report to user
129
+
130
+ ```
131
+ PRD created: .claude/prds/{name}.prd.md
132
+
133
+ Problem: {one line}
134
+ Hypothesis: {one line}
135
+ MVP: {one line}
136
+
137
+ Validation status:
138
+ Problem {validated | assumption}
139
+ Users {concrete | generic — refine}
140
+ Metrics {defined | TBD}
141
+
142
+ Open questions: {count}
143
+
144
+ Next step: /plan .claude/prds/{name}.prd.md
145
+ → /plan will pick the next pending milestone and produce an implementation plan.
146
+ ```
147
+
148
+ ## Integration
149
+
150
+ - `/plan <prd-path>` — consume the PRD and produce an implementation plan for the next pending milestone.
151
+ - `tdd-workflow` skill — implement the plan test-first.
152
+ - `/pr` — open a PR that references the PRD and plan.
153
+
154
+ ## Success criteria
155
+
156
+ - **PROBLEM_CLEAR**: problem is specific and evidenced (or flagged as assumption).
157
+ - **USER_CONCRETE**: primary user is a specific role, not "users".
158
+ - **HYPOTHESIS_TESTABLE**: measurable outcome included.
159
+ - **SCOPE_BOUNDED**: explicit MVP and explicit out-of-scope.
160
+ - **NO_IMPLEMENTATION_DETAIL**: file paths, libraries, or task breakdowns are absent — if they appeared, move them to the `/plan` step.
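Review bot: Phase 4 writes `.claude/prds/{kebab-case-name}.prd.md` without first checking whether that file exists. The template's Delivery Milestones table carries a Status column that `/plan` is said to read when picking the next pending milestone, so a second run with the same name would replace a PRD that already holds progress. A line in Phase 4 such as `If the output path already exists, stop and ask whether to overwrite it or choose a different name.` would close that gap.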
@@ -0,0 +1,184 @@
1
+ ---
2
+ description: "Create a GitHub PR from current branch with unpushed commits — discovers templates, analyzes changes, pushes"
3
+ argument-hint: "[base-branch] (default: main)"
4
+ ---
5
+
6
+ # Create Pull Request
7
+
8
+ **Input**: `$ARGUMENTS` — optional, may contain a base branch name and/or flags (e.g., `--draft`).
9
+
10
+ **Parse `$ARGUMENTS`**:
11
+ - Extract any recognized flags (`--draft`)
12
+ - Treat remaining non-flag text as the base branch name
13
+ - Default base branch to `main` if none specified
14
+
15
+ ---
16
+
17
+ ## Phase 1 — VALIDATE
18
+
19
+ Check preconditions:
20
+
21
+ ```bash
22
+ git branch --show-current
23
+ git status --short
24
+ git log origin/<base>..HEAD --oneline
25
+ ```
26
+
27
+ | Check | Condition | Action if Failed |
28
+ |---|---|---|
29
+ | Not on base branch | Current branch ≠ base | Stop: "Switch to a feature branch first." |
30
+ | Clean working directory | No uncommitted changes | Warn: "You have uncommitted changes. Commit or stash first." |
31
+ | Has commits ahead | `git log origin/<base>..HEAD` not empty | Stop: "No commits ahead of `<base>`. Nothing to PR." |
32
+ | No existing PR | `gh pr list --head <branch> --json number` is empty | Stop: "PR already exists: #<number>. Use `gh pr view <number> --web` to open it." |
33
+
34
+ If all checks pass, proceed.
35
+
36
+ ---
37
+
38
+ ## Phase 2 — DISCOVER
39
+
40
+ ### PR Template
41
+
42
+ Search for PR template in order:
43
+
44
+ 1. `.github/PULL_REQUEST_TEMPLATE/` directory — if exists, list files and let user choose (or use `default.md`)
45
+ 2. `.github/PULL_REQUEST_TEMPLATE.md`
46
+ 3. `.github/pull_request_template.md`
47
+ 4. `docs/pull_request_template.md`
48
+
49
+ If found, read it and use its structure for the PR body.
50
+
51
+ ### Commit Analysis
52
+
53
+ ```bash
54
+ git log origin/<base>..HEAD --format="%h %s" --reverse
55
+ ```
56
+
57
+ Analyze commits to determine:
58
+ - **PR title**: Use conventional commit format with type prefix — `feat: ...`, `fix: ...`, etc.
59
+ - If multiple types, use the dominant one
60
+ - If single commit, use its message as-is
61
+ - **Change summary**: Group commits by type/area
62
+
63
+ ### File Analysis
64
+
65
+ ```bash
66
+ git diff origin/<base>..HEAD --stat
67
+ git diff origin/<base>..HEAD --name-only
68
+ ```
69
+
70
+ Categorize changed files: source, tests, docs, config, migrations.
71
+
72
+ ### Planning Artifacts
73
+
74
+ Check for related artifacts produced by `/plan-prd`, `/plan`, or the legacy PRP workflow:
75
+ - `.claude/prds/` — PRDs this PR implements a milestone of
76
+ - `.claude/plans/` — Plans executed by this PR
77
+ - `.claude/PRPs/prds/` — legacy PRP PRDs
78
+ - `.claude/PRPs/plans/` — legacy PRP implementation plans
79
+ - `.claude/PRPs/reports/` — legacy PRP implementation reports
80
+
81
+ Reference these in the PR body if they exist.
82
+
83
+ ---
84
+
85
+ ## Phase 3 — PUSH
86
+
87
+ ```bash
88
+ git push -u origin HEAD
89
+ ```
90
+
91
+ If push fails due to divergence:
92
+ ```bash
93
+ git fetch origin
94
+ git rebase origin/<base>
95
+ git push -u origin HEAD
96
+ ```
97
+
98
+ If rebase conflicts occur, stop and inform the user.
99
+
100
+ ---
101
+
102
+ ## Phase 4 — CREATE
103
+
104
+ ### With Template
105
+
106
+ If a PR template was found in Phase 2, fill in each section using the commit and file analysis. Preserve all template sections — leave sections as "N/A" if not applicable rather than removing them.
107
+
108
+ ### Without Template
109
+
110
+ Use this default format:
111
+
112
+ ```markdown
113
+ ## Summary
114
+
115
+ <1-2 sentence description of what this PR does and why>
116
+
117
+ ## Changes
118
+
119
+ <bulleted list of changes grouped by area>
120
+
121
+ ## Files Changed
122
+
123
+ <table or list of changed files with change type: Added/Modified/Deleted>
124
+
125
+ ## Testing
126
+
127
+ <description of how changes were tested, or "Needs testing">
128
+
129
+ ## Related Issues
130
+
131
+ <linked issues with Closes/Fixes/Relates to #N, or "None">
132
+ ```
133
+
134
+ ### Create the PR
135
+
136
+ ```bash
137
+ gh pr create \
138
+ --title "<PR title>" \
139
+ --base <base-branch> \
140
+ --body "<PR body>"
141
+ # Add --draft if the --draft flag was parsed from $ARGUMENTS
142
+ ```
143
+
144
+ ---
145
+
146
+ ## Phase 5 — VERIFY
147
+
148
+ ```bash
149
+ gh pr view --json number,url,title,state,baseRefName,headRefName,additions,deletions,changedFiles
150
+ gh pr checks --json name,status,conclusion 2>/dev/null || true
151
+ ```
152
+
153
+ ---
154
+
155
+ ## Phase 6 — OUTPUT
156
+
157
+ Report to user:
158
+
159
+ ```
160
+ PR #<number>: <title>
161
+ URL: <url>
162
+ Branch: <head> → <base>
163
+ Changes: +<additions> -<deletions> across <changedFiles> files
164
+
165
+ CI Checks: <status summary or "pending" or "none configured">
166
+
167
+ Artifacts referenced:
168
+ - <any PRDs/plans linked in PR body>
169
+
170
+ Next steps:
171
+ - gh pr view <number> --web → open in browser
172
+ - /code-review <number> → review the PR
173
+ - gh pr merge <number> → merge when ready
174
+ ```
175
+
176
+ ---
177
+
178
+ ## Edge Cases
179
+
180
+ - **No `gh` CLI**: Stop with: "GitHub CLI (`gh`) is required. Install: <https://cli.github.com/>"
181
+ - **Not authenticated**: Stop with: "Run `gh auth login` first."
182
+ - **Force push needed**: If remote has diverged and rebase was done, use `git push --force-with-lease` (never `--force`).
183
+ - **Multiple PR templates**: If `.github/PULL_REQUEST_TEMPLATE/` has multiple files, list them and ask user to choose.
184
+ - **Large PR (>20 files)**: Warn about PR size. Suggest splitting if changes are logically separable.
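Review bot: The `gh pr create` block in Phase 4 puts the generated title and body inside double-quoted shell arguments, and both are built from commit subjects read with `git log origin/<base>..HEAD`, so a commit message containing `$(…)`, backticks or a double quote would be interpreted by the shell instead of being passed as text. Writing the body to a temporary file and passing `--body-file <file>`, with the title supplied through a quoted variable, avoids that. `<base-branch>` comes from `$ARGUMENTS` and appears unquoted in `--base` and in the `git log`/`git diff` ranges, so it should be quoted and checked against `git branch -r` before use. Separately, the divergence path rebases and the Edge Cases entry then allows `git push --force-with-lease` with no confirmation step; asking the user before rewriting the remote branch would match the "stop and inform the user" rule already applied to rebase conflicts.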
@@ -0,0 +1,74 @@
1
+ ---
2
+ description: Scan your .claude/ configuration for security issues via AgentShield (external, opt-in via npx).
3
+ argument-hint: [path] [--format json|markdown|html] [--min-severity low|medium|high|critical] [--fix]
4
+ ---
5
+
6
+ # Security Scan
7
+
8
+ Scan a project (agents, hooks, MCP servers, permissions, and secrets) for
9
+ security issues. This command is a thin wrapper around the external
10
+ `ecc-agentshield` scanner: nothing is installed at CCP install time — you opt in
11
+ at run time via `npx`, so the scanner is fetched on demand and never vendored.
12
+
13
+ ## Usage
14
+
15
+ `/ccp:security-scan [path] [--format json|markdown|html] [--min-severity low|medium|high|critical] [--fix]`
16
+
17
+ - `path` (optional): defaults to the current project. Use a `.claude/` path, a
18
+ repo root, or a checked-in template directory.
19
+ - `--format`: output format. Use `json` for CI, `markdown` for handoffs, `html`
20
+ for standalone review reports.
21
+ - `--min-severity`: filters lower-priority findings.
22
+ - `--fix`: applies only fixes the scanner explicitly marks safe and auto-fixable.
23
+
24
+ ## Deterministic Engine
25
+
26
+ Run the external scanner against the target path:
27
+
28
+ ```bash
29
+ npx ecc-agentshield scan --path "${TARGET_PATH:-.}"
30
+ ```
31
+
32
+ For a plain-text report instead of the default output:
33
+
34
+ ```bash
35
+ npx ecc-agentshield scan --path "${TARGET_PATH:-.}" --format text
36
+ ```
37
+
38
+ Use AgentShield output as the source of truth; do not invent findings. Keep
39
+ scanner facts separate from your follow-up judgment.
40
+
41
+ ## Remediation
42
+
43
+ For each critical or high finding, return:
44
+
45
+ - file path
46
+ - severity
47
+ - why it matters
48
+ - the exact fix
49
+ - whether `--fix` is safe to apply
50
+
51
+ If `--fix` is requested, state the planned edits before applying them, then
52
+ re-scan and report the before/after grade.
53
+
54
+ ## Full Reference
55
+
56
+ The complete CLI surface, output formats, severity grades, and the policy schema
57
+ live in the skill — read it for anything beyond the invocation above:
58
+
59
+ @.claude/skills/security-scan/SKILL.md
60
+
61
+ The policy schema and example documents are under
62
+ `references/agentshield-policy-exception/` within that skill.
63
+
64
+ ## Arguments
65
+
66
+ $ARGUMENTS:
67
+ - optional target path
68
+ - optional AgentShield flags (`--format`, `--min-severity`, `--fix`)
69
+
70
+ ## Source
71
+
72
+ Thin wrapper for AgentShield (https://github.com/affaan-m/agentshield);
73
+ external, not vendored. Pinned in `manifest.json` under
74
+ `external.agentshield` (1.4.0).
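Review bot: Both `npx ecc-agentshield scan` invocations under "Deterministic Engine" omit a version, so each run executes whatever the registry currently serves, and the 1.4.0 pin that the Source section cites in `manifest.json` is not applied at the point of execution. Because the fetched tool runs with the user's privileges over `.claude/` and may edit files under `--fix`, the command should name the version, e.g. `npx ecc-agentshield@1.4.0 scan --path "${TARGET_PATH:-.}"`, ideally with the version read from the manifest rather than repeated by hand. The second example passes `--format text`, which is not among the `json|markdown|html` values listed in the Usage line and the front matter; one of the two needs correcting.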
@@ -0,0 +1,96 @@
1
+ #!/usr/bin/env node
2
+ 'use strict';
3
+
4
+ const { isHookEnabled } = require('../lib/hook-flags');
5
+
6
+ const MAX_STDIN = 1024 * 1024;
7
+
8
+ // GateGuard is the sole pre-bash chain member in CCP's minimal dispatcher.
9
+ // It is lazy-required so this file does NOT hard-depend on the GateGuard hook
10
+ // (ccp-write-gateguard, delivered by Plan 04) landing first. If the module is
11
+ // absent, the member is a no-op that returns rawInput unchanged.
12
+ //
13
+ // NOTE: The upstream tmux / git-push / commit-quality / auto-tmux /
14
+ // block-no-verify members are intentionally NOT ported. Those are external
15
+ // workflow opinions; CCP ships a minimal, profile-gated dispatcher whose only
16
+ // job is the GateGuard Bash branch. The runHooks loop below is preserved as an
17
+ // extensible scaffold so future members can be appended to PRE_BASH_HOOKS.
18
+ let _gateguardRun = null;
19
+ try {
20
+ _gateguardRun = require('./ccp-write-gateguard').run;
21
+ } catch (_) {
22
+ _gateguardRun = null;
23
+ }
24
+
25
+ const PRE_BASH_HOOKS = [
26
+ {
27
+ id: 'pre:bash:gateguard-fact-force',
28
+ profiles: 'standard,strict',
29
+ run: rawInput => (_gateguardRun ? _gateguardRun(rawInput) : rawInput),
30
+ },
31
+ ];
32
+
33
+ function normalizeHookResult(previousRaw, output) {
34
+ if (typeof output === 'string' || Buffer.isBuffer(output)) {
35
+ return {
36
+ raw: String(output),
37
+ stderr: '',
38
+ exitCode: 0,
39
+ };
40
+ }
41
+
42
+ if (output && typeof output === 'object') {
43
+ const nextRaw = Object.prototype.hasOwnProperty.call(output, 'stdout')
44
+ ? String(output.stdout ?? '')
45
+ : !Number.isInteger(output.exitCode) || output.exitCode === 0
46
+ ? previousRaw
47
+ : '';
48
+
49
+ return {
50
+ raw: nextRaw,
51
+ stderr: typeof output.stderr === 'string' ? output.stderr : '',
52
+ exitCode: Number.isInteger(output.exitCode) ? output.exitCode : 0,
53
+ };
54
+ }
55
+
56
+ return {
57
+ raw: previousRaw,
58
+ stderr: '',
59
+ exitCode: 0,
60
+ };
61
+ }
62
+
63
+ function runHooks(rawInput, hooks) {
64
+ let currentRaw = rawInput;
65
+ let stderr = '';
66
+
67
+ for (const hook of hooks) {
68
+ if (!isHookEnabled(hook.id, { profiles: hook.profiles })) {
69
+ continue;
70
+ }
71
+
72
+ try {
73
+ const result = normalizeHookResult(currentRaw, hook.run(currentRaw));
74
+ currentRaw = result.raw;
75
+ if (result.stderr) {
76
+ stderr += result.stderr.endsWith('\n') ? result.stderr : `${result.stderr}\n`;
77
+ }
78
+ if (result.exitCode !== 0) {
79
+ return { output: currentRaw, stderr, exitCode: result.exitCode };
80
+ }
81
+ } catch (error) {
82
+ stderr += `[Hook] ${hook.id} failed: ${error.message}\n`;
83
+ }
84
+ }
85
+
86
+ return { output: currentRaw, stderr, exitCode: 0 };
87
+ }
88
+
89
+ function runPreBash(rawInput) {
90
+ return runHooks(rawInput, PRE_BASH_HOOKS);
91
+ }
92
+
93
+ module.exports = { PRE_BASH_HOOKS, runPreBash };
94
+
95
+ // MAX_STDIN is exported indirectly for parity with the entrypoint cap.
96
+ module.exports.MAX_STDIN = MAX_STDIN;
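Review bot: Both error paths around GateGuard fail open: the `catch (_)` around `require('./ccp-write-gateguard')` treats every load error (a syntax error or a missing transitive dependency as much as an absent file) as "not installed" and silently turns the member into a pass-through, and the `catch (error)` in `runHooks` appends to stderr but falls through to `exitCode: 0`, so a hook that throws does not stop the command. If the gate is meant to be enforced under the `standard,strict` profiles, narrow the first catch with `if (err.code !== 'MODULE_NOT_FOUND') throw err;` and return a non-zero exit code from the second; the blocking exit code is not visible in this file, so it should be taken from the entrypoint. If fail-open is deliberate, a comment on each catch saying so, plus a stderr line when GateGuard is absent, would make the gap visible to whoever reads the hook output. `MAX_STDIN` is declared and exported here but never used to bound `rawInput`, so the cap appears to depend entirely on the caller.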