npm - claude-code-workflow - Versions diffs - 7.2.23 → 7.2.25 - Mend

claude-code-workflow 7.2.23 → 7.2.25

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (212) hide show

package/.codex/skills/team-review/roles/scanner/role.md CHANGED Viewed

@@ -1,71 +1,71 @@
----
-role: scanner
-prefix: SCAN
-inner_loop: false
-message_types:
-  success: scan_complete
-  error: error
----
-# Code Scanner
-Toolchain + LLM semantic scan producing structured findings. Static analysis tools in parallel, then LLM for issues tools miss. Read-only -- never modifies source code. 4-dimension system: security (SEC), correctness (COR), performance (PRF), maintainability (MNT).
-## Phase 2: Context & Toolchain Detection
-| Input | Source | Required |
-|-------|--------|----------|
-| Task description | From task subject/description | Yes |
-| Session path | Extracted from task description | Yes |
-| .msg/meta.json | <session>/.msg/meta.json | No |
-1. Extract session path, target, dimensions, quick flag from task description
-2. Resolve target files (glob pattern or directory -> `**/*.{ts,tsx,js,jsx,py,go,java,rs}`)
-3. If no source files found -> report empty, complete task cleanly
-4. Detect toolchain availability:
-| Tool | Detection | Dimension |
-|------|-----------|-----------|
-| tsc | `tsconfig.json` exists | COR |
-| eslint | `.eslintrc*` or `eslint` in package.json | COR/MNT |
-| semgrep | `.semgrep.yml` exists | SEC |
-| ruff | `pyproject.toml` + ruff available | SEC/COR/MNT |
-| mypy | mypy available + `pyproject.toml` | COR |
-| npmAudit | `package-lock.json` exists | SEC |
-5. Load wisdom files from `<session>/wisdom/` if they exist
-## Phase 3: Scan Execution
-**Quick mode**: Single CLI call with analysis mode, max 20 findings, skip toolchain.
-**Standard mode** (sequential):
-### 3A: Toolchain Scan
-Run detected tools in parallel via Bash backgrounding. Each tool writes to `<session>/scan/tmp/<tool>.{json|txt}`. After `wait`, parse each output into normalized findings:
-- tsc: `file(line,col): error TSxxxx: msg` -> dimension=correctness, source=tool:tsc
-- eslint: JSON array -> severity 2=correctness/high, else=maintainability/medium
-- semgrep: `{results[]}` -> dimension=security, severity from extra.severity
-- ruff: `[{code,message,filename}]` -> S*=security, F*/B*=correctness, else=maintainability
-- mypy: `file:line: error: msg [code]` -> dimension=correctness
-- npm audit: `{vulnerabilities:{}}` -> dimension=security, category=dependency
-Write `<session>/scan/toolchain-findings.json`.
-### 3B: Semantic Scan (LLM via CLI)
-Build prompt with target file patterns, toolchain dedup summary, and per-dimension focus areas:
-- SEC: Business logic vulnerabilities, privilege escalation, sensitive data flow, auth bypass
-- COR: Logic errors, unhandled exception paths, state management bugs, race conditions
-- PRF: Algorithm complexity, N+1 queries, unnecessary sync, memory leaks, missing caching
-- MNT: Architectural coupling, abstraction leaks, convention violations, dead code
-Execute via `ccw cli --tool gemini --mode analysis --rule analysis-review-code-quality` (fallback: qwen -> codex). Parse JSON array response, validate required fields (dimension, title, location.file), enforce per-dimension limit (max 5 each), filter minimum severity (medium+). Write `<session>/scan/semantic-findings.json`.
-## Phase 4: Aggregate & Output
-1. Merge toolchain + semantic findings, deduplicate (same file + line + dimension = duplicate)
-2. Assign dimension-prefixed IDs: SEC-001, COR-001, PRF-001, MNT-001
-3. Write `<session>/scan/scan-results.json` with schema: `{scan_date, target, dimensions, quick_mode, total_findings, by_severity, by_dimension, findings[]}`
-4. Each finding: `{id, dimension, category, severity, title, description, location:{file,line}, source, suggested_fix, effort, confidence}`
-5. Update `<session>/.msg/meta.json` with scan summary (findings_count, by_severity, by_dimension)
-6. Contribute discoveries to `<session>/wisdom/` files
+---
+role: scanner
+prefix: SCAN
+inner_loop: false
+message_types:
+  success: scan_complete
+  error: error
+---
+# Code Scanner
+Toolchain + LLM semantic scan producing structured findings. Static analysis tools in parallel, then LLM for issues tools miss. Read-only -- never modifies source code. 4-dimension system: security (SEC), correctness (COR), performance (PRF), maintainability (MNT).
+## Phase 2: Context & Toolchain Detection
+| Input | Source | Required |
+|-------|--------|----------|
+| Task description | From task subject/description | Yes |
+| Session path | Extracted from task description | Yes |
+| .msg/meta.json | <session>/.msg/meta.json | No |
+1. Extract session path, target, dimensions, quick flag from task description
+2. Resolve target files (glob pattern or directory -> `**/*.{ts,tsx,js,jsx,py,go,java,rs}`)
+3. If no source files found -> report empty, complete task cleanly
+4. Detect toolchain availability:
+| Tool | Detection | Dimension |
+|------|-----------|-----------|
+| tsc | `tsconfig.json` exists | COR |
+| eslint | `.eslintrc*` or `eslint` in package.json | COR/MNT |
+| semgrep | `.semgrep.yml` exists | SEC |
+| ruff | `pyproject.toml` + ruff available | SEC/COR/MNT |
+| mypy | mypy available + `pyproject.toml` | COR |
+| npmAudit | `package-lock.json` exists | SEC |
+5. Load wisdom files from `<session>/wisdom/` if they exist
+## Phase 3: Scan Execution
+**Quick mode**: Single CLI call with analysis mode, max 20 findings, skip toolchain.
+**Standard mode** (sequential):
+### 3A: Toolchain Scan
+Run detected tools in parallel via Bash backgrounding. Each tool writes to `<session>/scan/tmp/<tool>.{json|txt}`. After `wait`, parse each output into normalized findings:
+- tsc: `file(line,col): error TSxxxx: msg` -> dimension=correctness, source=tool:tsc
+- eslint: JSON array -> severity 2=correctness/high, else=maintainability/medium
+- semgrep: `{results[]}` -> dimension=security, severity from extra.severity
+- ruff: `[{code,message,filename}]` -> S*=security, F*/B*=correctness, else=maintainability
+- mypy: `file:line: error: msg [code]` -> dimension=correctness
+- npm audit: `{vulnerabilities:{}}` -> dimension=security, category=dependency
+Write `<session>/scan/toolchain-findings.json`.
+### 3B: Semantic Scan (LLM via CLI)
+Build prompt with target file patterns, toolchain dedup summary, and per-dimension focus areas:
+- SEC: Business logic vulnerabilities, privilege escalation, sensitive data flow, auth bypass
+- COR: Logic errors, unhandled exception paths, state management bugs, race conditions
+- PRF: Algorithm complexity, N+1 queries, unnecessary sync, memory leaks, missing caching
+- MNT: Architectural coupling, abstraction leaks, convention violations, dead code
+Execute via `ccw cli --tool gemini --mode analysis --rule analysis-review-code-quality` (fallback: qwen -> codex). Parse JSON array response, validate required fields (dimension, title, location.file), enforce per-dimension limit (max 5 each), filter minimum severity (medium+). Write `<session>/scan/semantic-findings.json`.
+## Phase 4: Aggregate & Output
+1. Merge toolchain + semantic findings, deduplicate (same file + line + dimension = duplicate)
+2. Assign dimension-prefixed IDs: SEC-001, COR-001, PRF-001, MNT-001
+3. Write `<session>/scan/scan-results.json` with schema: `{scan_date, target, dimensions, quick_mode, total_findings, by_severity, by_dimension, findings[]}`
+4. Each finding: `{id, dimension, category, severity, title, description, location:{file,line}, source, suggested_fix, effort, confidence}`
+5. Update `<session>/.msg/meta.json` with scan summary (findings_count, by_severity, by_dimension)
+6. Contribute discoveries to `<session>/wisdom/` files

package/.codex/skills/team-review/specs/pipelines.md CHANGED Viewed

@@ -1,102 +1,102 @@
-# Review Pipelines
-Pipeline definitions and task registry for team-review.
-## Pipeline Modes
-| Mode | Description | Tasks |
-|------|-------------|-------|
-| default | Scan + review | SCAN -> REV |
-| full | Scan + review + fix | SCAN -> REV -> [confirm] -> FIX |
-| fix-only | Fix from existing manifest | FIX |
-| quick | Quick scan only | SCAN (quick=true) |
-## Pipeline Definitions
-### default Mode (2 tasks, linear)
-```
-SCAN-001 -> REV-001
-```
-| Task ID | Role | Dependencies | Description |
-|---------|------|-------------|-------------|
-| SCAN-001 | scanner | (none) | Multi-dimension code scan (toolchain + LLM) |
-| REV-001 | reviewer | SCAN-001 | Deep finding analysis and review report |
-### full Mode (3 tasks, linear with user checkpoint)
-```
-SCAN-001 -> REV-001 -> [user confirm] -> FIX-001
-```
-| Task ID | Role | Dependencies | Description |
-|---------|------|-------------|-------------|
-| SCAN-001 | scanner | (none) | Multi-dimension code scan (toolchain + LLM) |
-| REV-001 | reviewer | SCAN-001 | Deep finding analysis and review report |
-| FIX-001 | fixer | REV-001 + user confirm | Plan + execute + verify fixes |
-### fix-only Mode (1 task)
-```
-FIX-001
-```
-| Task ID | Role | Dependencies | Description |
-|---------|------|-------------|-------------|
-| FIX-001 | fixer | (none) | Execute fixes from existing manifest |
-### quick Mode (1 task)
-```
-SCAN-001 (quick=true)
-```
-| Task ID | Role | Dependencies | Description |
-|---------|------|-------------|-------------|
-| SCAN-001 | scanner | (none) | Quick scan, max 20 findings, skip toolchain |
-## Review Dimensions (4-Dimension System)
-| Dimension | Code | Focus |
-|-----------|------|-------|
-| Security | SEC | Vulnerabilities, auth, data exposure |
-| Correctness | COR | Bugs, logic errors, type safety |
-| Performance | PRF | N+1, memory leaks, blocking ops |
-| Maintainability | MNT | Coupling, complexity, dead code |
-## Fix Scope Options
-| Scope | Description |
-|-------|-------------|
-| all | Fix all findings |
-| critical,high | Fix critical and high severity only |
-| skip | Skip fix phase |
-## Session Directory
-```
-.workflow/.team/RV-<slug>-<YYYY-MM-DD>/
-├── .msg/messages.jsonl          # Message bus log
-├── .msg/meta.json               # Session state + cross-role state
-├── wisdom/                     # Cross-task knowledge
-│   ├── learnings.md
-│   ├── decisions.md
-│   ├── conventions.md
-│   └── issues.md
-├── scan/                       # Scanner output
-│   ├── toolchain-findings.json
-│   ├── semantic-findings.json
-│   └── scan-results.json
-├── review/                     # Reviewer output
-│   ├── enriched-findings.json
-│   ├── review-report.json
-│   └── review-report.md
-└── fix/                        # Fixer output
-    ├── fix-manifest.json
-    ├── fix-plan.json
-    ├── execution-results.json
-    ├── verify-results.json
-    ├── fix-summary.json
-    └── fix-summary.md
-```
+# Review Pipelines
+Pipeline definitions and task registry for team-review.
+## Pipeline Modes
+| Mode | Description | Tasks |
+|------|-------------|-------|
+| default | Scan + review | SCAN -> REV |
+| full | Scan + review + fix | SCAN -> REV -> [confirm] -> FIX |
+| fix-only | Fix from existing manifest | FIX |
+| quick | Quick scan only | SCAN (quick=true) |
+## Pipeline Definitions
+### default Mode (2 tasks, linear)
+```
+SCAN-001 -> REV-001
+```
+| Task ID | Role | Dependencies | Description |
+|---------|------|-------------|-------------|
+| SCAN-001 | scanner | (none) | Multi-dimension code scan (toolchain + LLM) |
+| REV-001 | reviewer | SCAN-001 | Deep finding analysis and review report |
+### full Mode (3 tasks, linear with user checkpoint)
+```
+SCAN-001 -> REV-001 -> [user confirm] -> FIX-001
+```
+| Task ID | Role | Dependencies | Description |
+|---------|------|-------------|-------------|
+| SCAN-001 | scanner | (none) | Multi-dimension code scan (toolchain + LLM) |
+| REV-001 | reviewer | SCAN-001 | Deep finding analysis and review report |
+| FIX-001 | fixer | REV-001 + user confirm | Plan + execute + verify fixes |
+### fix-only Mode (1 task)
+```
+FIX-001
+```
+| Task ID | Role | Dependencies | Description |
+|---------|------|-------------|-------------|
+| FIX-001 | fixer | (none) | Execute fixes from existing manifest |
+### quick Mode (1 task)
+```
+SCAN-001 (quick=true)
+```
+| Task ID | Role | Dependencies | Description |
+|---------|------|-------------|-------------|
+| SCAN-001 | scanner | (none) | Quick scan, max 20 findings, skip toolchain |
+## Review Dimensions (4-Dimension System)
+| Dimension | Code | Focus |
+|-----------|------|-------|
+| Security | SEC | Vulnerabilities, auth, data exposure |
+| Correctness | COR | Bugs, logic errors, type safety |
+| Performance | PRF | N+1, memory leaks, blocking ops |
+| Maintainability | MNT | Coupling, complexity, dead code |
+## Fix Scope Options
+| Scope | Description |
+|-------|-------------|
+| all | Fix all findings |
+| critical,high | Fix critical and high severity only |
+| skip | Skip fix phase |
+## Session Directory
+```
+.workflow/.team/RV-<slug>-<YYYY-MM-DD>/
+├── .msg/messages.jsonl          # Message bus log
+├── .msg/meta.json               # Session state + cross-role state
+├── wisdom/                     # Cross-task knowledge
+│   ├── learnings.md
+│   ├── decisions.md
+│   ├── conventions.md
+│   └── issues.md
+├── scan/                       # Scanner output
+│   ├── toolchain-findings.json
+│   ├── semantic-findings.json
+│   └── scan-results.json
+├── review/                     # Reviewer output
+│   ├── enriched-findings.json
+│   ├── review-report.json
+│   └── review-report.md
+└── fix/                        # Fixer output
+    ├── fix-manifest.json
+    ├── fix-plan.json
+    ├── execution-results.json
+    ├── verify-results.json
+    ├── fix-summary.json
+    └── fix-summary.md
+```

package/.codex/skills/team-roadmap-dev/SKILL.md CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 name: team-roadmap-dev
 description: Unified team skill for roadmap-driven development workflow. Coordinator discusses roadmap with user, then dispatches phased execution pipeline (plan -> execute -> verify). All roles invoke this skill with --role arg. Triggers on "team roadmap-dev".
-allowed-tools: spawn_agent(*), wait_agent(*), send_input(*), close_agent(*), report_agent_job_result(*), request_user_input(*), Read(*), Write(*), Edit(*), Bash(*), Glob(*), Grep(*)
+allowed-tools: spawn_agent(*), wait_agent(*), send_message(*), assign_task(*), close_agent(*), list_agents(*), report_agent_job_result(*), request_user_input(*), Read(*), Write(*), Edit(*), Bash(*), Glob(*), Grep(*)
 ---
 # Team Roadmap Dev
@@ -59,7 +59,8 @@ Before calling ANY tool, apply this check:
 | Tool Call | Verdict | Reason |
 |-----------|---------|--------|
-| `spawn_agent`, `wait_agent`, `close_agent`, `send_input` | ALLOWED | Orchestration |
+| `spawn_agent`, `wait_agent`, `close_agent`, `send_message`, `assign_task` | ALLOWED | Orchestration |
+| `list_agents` | ALLOWED | Agent health check |
 | `request_user_input` | ALLOWED | User interaction |
 | `mcp__ccw-tools__team_msg` | ALLOWED | Message bus |
 | `Read/Write` on `.workflow/.team/` files | ALLOWED | Session state |
@@ -90,6 +91,8 @@ Coordinator spawns workers using this template:
 ```
 spawn_agent({
   agent_type: "team_worker",
+  task_name: "<task-id>",
+  fork_context: false,
   items: [
     { type: "text", text: `## Role Assignment
 role: <role>
@@ -113,10 +116,23 @@ pipeline_phase: <pipeline-phase>` },
 })
 ```
-After spawning, use `wait_agent({ ids: [...], timeout_ms: 900000 })` to collect results, then `close_agent({ id })` each worker.
+After spawning, use `wait_agent({ targets: [...], timeout_ms: 900000 })` to collect results, then `close_agent({ target })` each worker.
 **All worker roles** (planner, executor, verifier): Set `inner_loop: true`.
+### Model Selection Guide
+Roadmap development is context-heavy with multi-phase execution. All roles use inner_loop and need high reasoning for complex planning/execution.
+| Role | reasoning_effort | Rationale |
+|------|-------------------|-----------|
+| planner | high | Phase planning requires understanding full roadmap context |
+| executor | high | Implementation must align with phase plan precisely |
+| verifier | high | Gap detection requires thorough verification against plan |
+All roles are inner_loop=true, enabling coordinator to send additional context via `assign_task` as phases progress.
 ## User Commands
 | Command | Action |
@@ -150,6 +166,42 @@ After spawning, use `wait_agent({ ids: [...], timeout_ms: 900000 })` to collect
     +-- meta.json               # Session metadata + shared state
 ```
+## v4 Agent Coordination
+### Message Semantics
+| Intent | API | Example |
+|--------|-----|---------|
+| Queue supplementary info (don't interrupt) | `send_message` | Send phase context to running executor |
+| Assign phase work / gap closure | `assign_task` | Assign gap closure iteration to executor after verify |
+| Check running agents | `list_agents` | Verify agent health during resume |
+### Agent Health Check
+Use `list_agents({})` in handleResume and handleComplete:
+```
+// Reconcile session state with actual running agents
+const running = list_agents({})
+// Compare with state.md and config.json active tasks
+// Reset orphaned tasks (in_progress but agent gone) to pending
+```
+### Named Agent Targeting
+Workers are spawned with `task_name: "<task-id>"` enabling direct addressing:
+- `send_message({ target: "EXEC-N01", items: [...] })` -- send supplementary context to executor
+- `assign_task({ target: "PLAN-N01", items: [...] })` -- assign next phase planning
+- `close_agent({ target: "VERIFY-N01" })` -- cleanup after verification
+### Multi-Phase Context Accumulation
+Each phase builds on previous phase results. Coordinator accumulates context across phases:
+- Phase N planner receives: roadmap.md + state.md + all previous phase summaries
+- Phase N executor receives: phase plan + previous phase implementation context
+- Phase N verifier receives: phase plan + executor results + success criteria from roadmap
+- On gap closure: verifier findings are sent back to executor via `assign_task` (max 3 iterations)
 ## Completion Action
 When the pipeline completes:

package/.codex/skills/team-roadmap-dev/roles/coordinator/commands/analyze.md CHANGED Viewed

@@ -1,61 +1,61 @@
-# Analyze Task
-Parse user task description for roadmap-dev domain signals. Detect phase count, depth preference, gate configuration, and pipeline mode.
-**CONSTRAINT**: Text-level analysis only. NO source code reading, NO codebase exploration.
-## Signal Detection
-### Phase Count
-| Keywords | Inferred Phase Count |
-|----------|---------------------|
-| "phase 1", "phase 2", ... | Explicit phase count from numbers |
-| "milestone", "milestone 1/2/3" | Count milestones |
-| "first ... then ... finally" | 3 phases |
-| "step 1/2/3" | Count steps |
-| No phase keywords | Default: 1 phase |
-### Depth Setting
-| Keywords | Depth |
-|----------|-------|
-| "quick", "fast", "simple", "minimal" | quick |
-| "thorough", "comprehensive", "complete", "full" | comprehensive |
-| default | standard |
-### Gate Configuration
-| Keywords | Gate |
-|----------|------|
-| "review each plan", "approve plan", "check before execute" | plan_check: true |
-| "review each phase", "approve phase", "check between phases" | phase_check: true |
-| "auto", "automated", "no review", "fully automated" | all gates: false |
-| default | plan_check: false, phase_check: false |
-### Pipeline Mode
-| Keywords | Mode |
-|----------|------|
-| "interactive", "step by step", "with approval" | interactive |
-| default | auto |
-## Output
-Write coordinator state to memory (not a file). Structure:
-```json
-{
-  "pipeline_mode": "auto | interactive",
-  "phase_count": 1,
-  "depth": "quick | standard | comprehensive",
-  "gates": {
-    "plan_check": false,
-    "phase_check": false
-  },
-  "task_description": "<original task text>",
-  "notes": ["<any detected constraints or special requirements>"]
-}
-```
-This state is passed to `commands/dispatch.md` and written to `config.json` in the session directory.
+# Analyze Task
+Parse user task description for roadmap-dev domain signals. Detect phase count, depth preference, gate configuration, and pipeline mode.
+**CONSTRAINT**: Text-level analysis only. NO source code reading, NO codebase exploration.
+## Signal Detection
+### Phase Count
+| Keywords | Inferred Phase Count |
+|----------|---------------------|
+| "phase 1", "phase 2", ... | Explicit phase count from numbers |
+| "milestone", "milestone 1/2/3" | Count milestones |
+| "first ... then ... finally" | 3 phases |
+| "step 1/2/3" | Count steps |
+| No phase keywords | Default: 1 phase |
+### Depth Setting
+| Keywords | Depth |
+|----------|-------|
+| "quick", "fast", "simple", "minimal" | quick |
+| "thorough", "comprehensive", "complete", "full" | comprehensive |
+| default | standard |
+### Gate Configuration
+| Keywords | Gate |
+|----------|------|
+| "review each plan", "approve plan", "check before execute" | plan_check: true |
+| "review each phase", "approve phase", "check between phases" | phase_check: true |
+| "auto", "automated", "no review", "fully automated" | all gates: false |
+| default | plan_check: false, phase_check: false |
+### Pipeline Mode
+| Keywords | Mode |
+|----------|------|
+| "interactive", "step by step", "with approval" | interactive |
+| default | auto |
+## Output
+Write coordinator state to memory (not a file). Structure:
+```json
+{
+  "pipeline_mode": "auto | interactive",
+  "phase_count": 1,
+  "depth": "quick | standard | comprehensive",
+  "gates": {
+    "plan_check": false,
+    "phase_check": false
+  },
+  "task_description": "<original task text>",
+  "notes": ["<any detected constraints or special requirements>"]
+}
+```
+This state is passed to `commands/dispatch.md` and written to `config.json` in the session directory.