contract-driven-delivery 2.0.19 → 2.0.20

package/CHANGELOG.md

@@ -1,5 +1,18 @@
 # Changelog
 
+## [2.0.20] - 2026-05-15
+
+Patch release for UTF-8 BOM handling in Claude agent metadata files.
+
+### Fixed
+
+- Removed UTF-8 BOM bytes from packaged Claude agent and skill sources so YAML
+  frontmatter starts at `---` and Claude Code can mount subagents reliably.
+- `cdd-kit lint-agents` now rejects agent files that start with `U+FEFF`, since
+  frontmatter parsers may otherwise treat the first key as invalid.
+- Added package-source and generated-assets regression coverage to prevent BOM
+  bytes from being shipped again.
+
 ## [2.0.19] - 2026-05-15
 
 Design ownership patch for the implementation-planning flow.

package/README.md

@@ -1,4 +1,4 @@
-# Contract-Driven Delivery Kit
+# Contract-Driven Delivery Kit
 
 **cdd-kit** is a contract-driven delivery kit for AI coding agents. It started with Claude Code skills and now keeps the core workflow provider-neutral: contracts-first, test-first, spec-first. Every change goes through classification, contract review, TDD, implementation, and gate verification, with deterministic context indexes to keep agent work targeted.
 

package/assets/agents/backend-engineer.md

@@ -1,4 +1,4 @@
----
+---
 name: backend-engineer
 description: Implement backend changes only after specs, contracts, tests, and CI gates are defined; maintain thin controllers, service boundaries, validation, and error handling.
 tools: Read, Grep, Glob, Edit, MultiEdit, Bash

package/assets/agents/change-classifier.md

@@ -1,4 +1,4 @@
----
+---
 name: change-classifier
 description: Classify incoming requests into change types and decide required artifacts, contracts, tests, and review gates before implementation.
 tools: Read, Grep, Glob

package/assets/agents/ci-cd-gatekeeper.md

@@ -1,4 +1,4 @@
----
+---
 name: ci-cd-gatekeeper
 description: Enforce CI/CD as a required delivery artifact; design and implement required, informational, nightly, weekly, and manual gates with promotion policy.
 tools: Read, Grep, Glob, Edit, MultiEdit, Bash

package/assets/agents/contract-reviewer.md

@@ -1,4 +1,4 @@
----
+---
 name: contract-reviewer
 description: Review and maintain API, CSS/UI, env, data-shape, business-rule, and CI/CD contracts for every change. Dependency and migration contracts are recorded here at contract level only; the active audit lives in dependency-security-reviewer.
 tools: Read, Grep, Glob

package/assets/agents/dependency-security-reviewer.md

@@ -1,4 +1,4 @@
----
+---
 name: dependency-security-reviewer
 description: Reviews dependency CVE risk, license compliance (GPL/AGPL copyleft vs proprietary), lockfile changes, and database migrations whenever lockfiles, dependency manifests, or database migrations are touched.
 tools: Read, Grep, Glob, Bash

package/assets/agents/e2e-resilience-engineer.md

@@ -1,4 +1,4 @@
----
+---
 name: e2e-resilience-engineer
 description: Design and implement E2E, browser-behavior, failure-injection, data-boundary, and resilience tests for production-like user journeys.
 tools: Read, Grep, Glob, Edit, MultiEdit, Bash

package/assets/agents/frontend-engineer.md

@@ -1,4 +1,4 @@
----
+---
 name: frontend-engineer
 description: Implement frontend changes under API, CSS, UI/UX, accessibility, E2E, and visual review contracts.
 tools: Read, Grep, Glob, Edit, MultiEdit, Bash

package/assets/agents/monkey-test-engineer.md

@@ -1,4 +1,4 @@
----
+---
 name: monkey-test-engineer
 description: Design preventive specs and structured exploratory tests for invalid user operations, adversarial inputs, malformed data, rapid UI actions, and production misuse. Not random fuzzing -- every monkey scenario is mapped to a known failure mode or hardening goal.
 tools: Read, Grep, Glob, Edit, MultiEdit, Bash

package/assets/agents/qa-reviewer.md

@@ -1,4 +1,4 @@
----
+---
 name: qa-reviewer
 description: Execute quality gates, verify evidence, route failures back to the correct agent, and decide release readiness.
 tools: Read, Grep, Glob, Bash

package/assets/agents/repo-context-scanner.md

@@ -1,4 +1,4 @@
----
+---
 name: repo-context-scanner
 description: Scan a repository and summarize its project profile, commands, contracts, tests, CI/CD, and missing standardization surfaces.
 tools: Read, Grep, Glob, Bash

package/assets/agents/spec-architect.md

@@ -1,4 +1,4 @@
----
+---
 name: spec-architect
 description: Evaluate architectural impact, compatibility, data flow, module boundaries, and whether a change requires ADR-like design decisions. Author ADRs when required.
 tools: Read, Grep, Glob, Edit, MultiEdit

package/assets/agents/spec-drift-auditor.md

@@ -1,4 +1,4 @@
----
+---
 name: spec-drift-auditor
 description: Audit drift between live contracts, implementation code, tests, and CI gates. Does NOT read historical specs/changes ??contracts/ is the single source of truth.
 tools: Read, Grep, Glob, Bash

package/assets/agents/stress-soak-engineer.md

@@ -1,4 +1,4 @@
----
+---
 name: stress-soak-engineer
 description: Design stress, load, soak, and long-running stability tests for reporting systems, queues, caches, auto-refresh, and data-heavy features.
 tools: Read, Grep, Glob, Edit, MultiEdit, Bash

package/assets/agents/test-strategist.md

@@ -1,4 +1,4 @@
----
+---
 name: test-strategist
 description: Convert specs and acceptance criteria into TDD-oriented test plans covering unit, contract, integration, E2E, resilience, monkey, stress, and soak tests.
 tools: Read, Grep, Glob, Edit, Write

package/assets/agents/ui-ux-reviewer.md

@@ -1,4 +1,4 @@
----
+---
 name: ui-ux-reviewer
 description: Review interaction design, information hierarchy, copy, accessibility, empty/error/loading state semantics, and user journey quality. Does not cover pixel-level visuals or CSS -- those go to visual-reviewer.
 tools: Read, Grep, Glob

package/assets/agents/visual-reviewer.md

@@ -1,4 +1,4 @@
----
+---
 name: visual-reviewer
 description: Review pixel-level visual output, layout, responsive viewport behavior, screenshot diffs, CSS contract compliance, and component visual state coverage. Does not cover interaction or copy -- those go to ui-ux-reviewer.
 tools: Read, Grep, Glob, Bash

package/assets/skills/cdd-new/SKILL.md

@@ -1,4 +1,4 @@
----
+---
 name: cdd-new
 description: Start a new tracked change. Scaffolds all required artifacts, classifies the change by risk tier, commissions the right agents in order, and runs cdd-kit gate. Args: <change description in natural language>
 ---

package/dist/cli/index.js

@@ -10058,6 +10058,15 @@ async function lintAgents(opts) {
       });
       continue;
     }
+    if (content.charCodeAt(0) === 65279) {
+      violations.push({
+        file: filename,
+        rule: "Meta",
+        message: "file starts with UTF-8 BOM (U+FEFF); frontmatter parsers may treat the first key as invalid",
+        level: "error"
+      });
+      content = content.slice(1);
+    }
     const artifactsSection = extractRequiredArtifactsSection(content);
     if (!artifactsSection) {
       violations.push({

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "contract-driven-delivery",
-  "version": "2.0.19",
+  "version": "2.0.20",
   "description": "Contract-driven delivery kit for AI coding agents with deterministic context indexes, manifest-backed read-scope governance, and orchestrated contracts-first delivery.",
   "keywords": [
     "contract-driven",