create-agentic-pdlc 2.3.0 → 2.4.0

package/docs/superpowers/plans/2026-05-29-qa-gate-enforcement.md

@@ -0,0 +1,354 @@
+# QA Gate Enforcement Implementation Plan
+
+> **For agentic workers:** REQUIRED SUB-SKILL: Use superpowers:subagent-driven-development (recommended) or superpowers:executing-plans to implement this plan task-by-task. Steps use checkbox (`- [ ]`) syntax for tracking.
+
+**Goal:** Block PR merges when QA Agent failed or hasn't run, by (A) making `qa-agent.yml` emit a failing exit code on infra/parse errors and (C) adding a dedicated `qa-gate.yml` status check that enforces label-based QA state — backed by branch protection configured automatically during `npx create-agentic-pdlc`.
+
+**Architecture:** Two independent layers. Layer A: `qa-agent.yml` stops signalling success (`exit 0`) when it can't reach GitHub Models — now exits 1, making the check red. Layer C: `qa-gate.yml` is a separate required check that reads PR labels and blocks merge unless `qa:approved` is present. Branch protection wires both checks as required, enforced automatically in `cli.js` during scaffold.
+
+**Tech Stack:** GitHub Actions YAML (bash), Node.js (cli.js)
+
+---
+
+## File Map
+
+| Action | File | Responsibility |
+|--------|------|----------------|
+| Modify | `.github/workflows/qa-agent.yml:66-69` and `:82-84` | Change `exit 0` → `exit 1` on API error and parse error |
+| Modify | `templates/.github/workflows/qa-agent.yml:63-66` and `:79-81` | Same fix in template |
+| Create | `.github/workflows/qa-gate.yml` | Blocking check — reads PR labels, fails unless `qa:approved` |
+| Create | `templates/.github/workflows/qa-gate.yml` | Template mirror of above |
+| Modify | `bin/cli.js` | Add branch protection setup step after PAT provisioning |
+
+---
+
+### Task 1: Fix `qa-agent.yml` exit codes (repo + template)
+
+**Files:**
+- Modify: `.github/workflows/qa-agent.yml`
+- Modify: `templates/.github/workflows/qa-agent.yml`
+
+Currently both files call `exit 0` when the GitHub Models API is unreachable or when the response can't be parsed. This makes the CI check green, hiding the failure.
+
+- [ ] **Step 1: Fix exit code on API_ERROR in `.github/workflows/qa-agent.yml`**
+
+Find this block (around line 63-69):
+```yaml
+          if [ "$RESPONSE" = "API_ERROR" ]; then
+            GH_TOKEN="$PROJECT_TOKEN" gh api "repos/${GITHUB_REPOSITORY}/issues/${PR_NUMBER}/labels" --method POST -f 'labels[]=infra:qa-broken'
+            gh pr comment "$PR_NUMBER" --body "🤖 **QA Agent:** Could not reach GitHub Models API. Manual review required."
+            exit 0
+          fi
+```
+
+Change to:
+```yaml
+          if [ "$RESPONSE" = "API_ERROR" ]; then
+            GH_TOKEN="$PROJECT_TOKEN" gh api "repos/${GITHUB_REPOSITORY}/issues/${PR_NUMBER}/labels" --method POST -f 'labels[]=infra:qa-broken'
+            gh pr comment "$PR_NUMBER" --body "🤖 **QA Agent:** Could not reach GitHub Models API. Manual review required."
+            exit 1
+          fi
+```
+
+- [ ] **Step 2: Fix exit code on parse error in `.github/workflows/qa-agent.yml`**
+
+Find this block (around line 82-84):
+```yaml
+          else
+            GH_TOKEN="$PROJECT_TOKEN" gh api "repos/${GITHUB_REPOSITORY}/issues/${PR_NUMBER}/labels" --method POST -f 'labels[]=infra:qa-broken'
+            gh pr comment "$PR_NUMBER" --body "🤖 **QA Agent:** Could not parse GitHub Models response. Manual review required."
+          fi
+```
+
+Change to:
+```yaml
+          else
+            GH_TOKEN="$PROJECT_TOKEN" gh api "repos/${GITHUB_REPOSITORY}/issues/${PR_NUMBER}/labels" --method POST -f 'labels[]=infra:qa-broken'
+            gh pr comment "$PR_NUMBER" --body "🤖 **QA Agent:** Could not parse GitHub Models response. Manual review required."
+            exit 1
+          fi
+```
+
+- [ ] **Step 3: Apply the same two fixes to `templates/.github/workflows/qa-agent.yml`**
+
+The template uses `PROJECT_PAT` instead of `PROJECT_TOKEN` in the `GH_TOKEN=` prefix. The exit code change is identical.
+
+In `templates/.github/workflows/qa-agent.yml`, find API_ERROR block (around line 63-66):
+```yaml
+          if [ "$RESPONSE" = "API_ERROR" ]; then
+            GH_TOKEN="$PROJECT_PAT" gh api "repos/${GITHUB_REPOSITORY}/issues/${PR_NUMBER}/labels" --method POST -f 'labels[]=infra:qa-broken'
+            gh pr comment "$PR_NUMBER" --body "🤖 **QA Agent:** Could not reach GitHub Models API. Manual review required."
+            exit 0
+          fi
+```
+
+Change to:
+```yaml
+          if [ "$RESPONSE" = "API_ERROR" ]; then
+            GH_TOKEN="$PROJECT_PAT" gh api "repos/${GITHUB_REPOSITORY}/issues/${PR_NUMBER}/labels" --method POST -f 'labels[]=infra:qa-broken'
+            gh pr comment "$PR_NUMBER" --body "🤖 **QA Agent:** Could not reach GitHub Models API. Manual review required."
+            exit 1
+          fi
+```
+
+Find parse error block (around line 79-81):
+```yaml
+          else
+            GH_TOKEN="$PROJECT_PAT" gh api "repos/${GITHUB_REPOSITORY}/issues/${PR_NUMBER}/labels" --method POST -f 'labels[]=infra:qa-broken'
+            gh pr comment "$PR_NUMBER" --body "🤖 **QA Agent:** Could not parse GitHub Models response. Manual review required."
+          fi
+```
+
+Change to:
+```yaml
+          else
+            GH_TOKEN="$PROJECT_PAT" gh api "repos/${GITHUB_REPOSITORY}/issues/${PR_NUMBER}/labels" --method POST -f 'labels[]=infra:qa-broken'
+            gh pr comment "$PR_NUMBER" --body "🤖 **QA Agent:** Could not parse GitHub Models response. Manual review required."
+            exit 1
+          fi
+```
+
+- [ ] **Step 4: Commit**
+
+```bash
+git add .github/workflows/qa-agent.yml templates/.github/workflows/qa-agent.yml
+git commit -m "fix(qa-agent): exit 1 on infra error and parse failure instead of exit 0"
+```
+
+---
+
+### Task 2: Create `qa-gate.yml` — dedicated blocking check
+
+**Files:**
+- Create: `.github/workflows/qa-gate.yml`
+- Create: `templates/.github/workflows/qa-gate.yml`
+
+This is a new, independent status check. It triggers on PR events (including `labeled`/`unlabeled` so it re-evaluates when qa-agent adds labels). It reads PR labels and blocks merge unless `qa:approved` is present. Hotfix PRs bypass the gate (same pattern as `pdlc-stage-gate.yml`).
+
+The GitHub Actions check name exposed to branch protection is derived from the `name:` field of the job: **`QA Gate`**.
+
+- [ ] **Step 5: Create `.github/workflows/qa-gate.yml`**
+
+Write this exact content:
+
+```yaml
+name: QA Gate
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened, labeled, unlabeled]
+
+permissions:
+  pull-requests: read
+
+jobs:
+  qa-gate:
+    name: QA Gate
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check QA status label
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          set -e
+          PR_NUMBER="${{ github.event.pull_request.number }}"
+          REPO="${{ github.repository }}"
+
+          PR_LABELS=$(gh pr view "$PR_NUMBER" --repo "$REPO" --json labels --jq '[.labels[].name] | join(" ")')
+
+          if echo "$PR_LABELS" | grep -qw "hotfix"; then
+            echo "✅ QA Gate: hotfix label — bypassed."
+            exit 0
+          fi
+
+          if echo "$PR_LABELS" | grep -qw "qa:approved"; then
+            echo "✅ QA Gate: qa:approved — merge allowed."
+            exit 0
+          fi
+
+          if echo "$PR_LABELS" | grep -qw "infra:qa-broken"; then
+            echo "❌ QA Gate: infra:qa-broken — GitHub Models API unreachable. Manual QA review required before merge."
+            exit 1
+          fi
+
+          if echo "$PR_LABELS" | grep -qw "qa:needs-work"; then
+            echo "❌ QA Gate: qa:needs-work — acceptance criteria not fully met. Fix required before merge."
+            exit 1
+          fi
+
+          echo "❌ QA Gate: no QA label found — AC Coverage Verification has not completed. Wait for the check to finish."
+          exit 1
+```
+
+- [ ] **Step 6: Create `templates/.github/workflows/qa-gate.yml`**
+
+Write the exact same content as Step 5. The template is identical — it uses `GITHUB_TOKEN` only (no extra secrets needed for the gate check).
+
+- [ ] **Step 7: Commit**
+
+```bash
+git add .github/workflows/qa-gate.yml templates/.github/workflows/qa-gate.yml
+git commit -m "feat(qa-gate): add dedicated QA Gate blocking check for PR merges"
+```
+
+---
+
+### Task 3: Add branch protection setup to `cli.js`
+
+**Files:**
+- Modify: `bin/cli.js`
+
+Without branch protection, the new checks are informational only — engineers can still click "Merge". This task wires the two required checks (`PDLC Stage Gate` and `QA Gate`) automatically during `npx create-agentic-pdlc`.
+
+The branch protection API call uses `gh api PUT repos/{repo}/branches/main/protection --input -` which reads a JSON payload from stdin. `execFileSync` with the `input` option handles this correctly. The call is non-fatal: if it fails (e.g., org policy restrictions, insufficient permissions), a warning is printed with manual instructions.
+
+- [ ] **Step 8: Add i18n strings to `bin/cli.js`**
+
+In the `i18n` object (around line 34), after the `update_sentinel_ask` entry, add:
+
+```javascript
+  configuring_protection: t('[3/3] Configuring branch protection...', '[3/3] Configurando proteção de branch...', '[3/3] Configurando protección de rama...'),
+  protection_ok: t('✅ Branch protection set — required checks: PDLC Stage Gate, QA Gate.', '✅ Proteção de branch configurada — checks obrigatórios: PDLC Stage Gate, QA Gate.', '✅ Protección de rama configurada — checks requeridos: PDLC Stage Gate, QA Gate.'),
+  protection_warn: t('⚠️  Branch protection could not be set automatically.\n     Set required checks manually: Settings → Branches → main → Required status checks.\n     Required: "PDLC Stage Gate" and "QA Gate"', '⚠️  Proteção de branch não pôde ser configurada automaticamente.\n     Configure manualmente: Settings → Branches → main → Required status checks.\n     Obrigatórios: "PDLC Stage Gate" e "QA Gate"', '⚠️  No se pudo configurar la protección de rama automáticamente.\n     Configúralo en: Settings → Branches → main → Required status checks.\n     Requeridos: "PDLC Stage Gate" y "QA Gate"'),
+```
+
+- [ ] **Step 9: Update step counters in `bin/cli.js`**
+
+Find:
+```javascript
+  creating_labels: t('[1/2] Creating repository labels...', '[1/2] Criando labels no repositório...', '[1/2] Creando etiquetas (labels) en el repositorio...'),
+```
+Change to:
+```javascript
+  creating_labels: t('[1/3] Creating repository labels...', '[1/3] Criando labels no repositório...', '[1/3] Creando etiquetas (labels) en el repositorio...'),
+```
+
+Find:
+```javascript
+  creating_project: t('[2/2] Creating Project V2 Board...', '[2/2] Criando Project V2 Board...', '[2/2] Creando Project V2 Board...'),
+```
+Change to:
+```javascript
+  creating_project: t('[2/3] Creating Project V2 Board...', '[2/3] Criando Project V2 Board...', '[2/3] Creando Project V2 Board...'),
+```
+
+- [ ] **Step 10: Add branch protection setup block to `bin/cli.js`**
+
+Find the block that starts with the PAT auto-provision section and ends before the scaffolding section. After the closing brace of the PAT block (around line 356, after `} else if (projectId && isOrg) { ... }`), add:
+
+```javascript
+  // Branch protection — require PDLC Stage Gate + QA Gate on main
+  console.log(`\n${cyan}${i18n.configuring_protection}${reset}`);
+  try {
+    const protectionPayload = JSON.stringify({
+      required_status_checks: {
+        strict: false,
+        contexts: ['PDLC Stage Gate', 'QA Gate']
+      },
+      enforce_admins: false,
+      required_pull_request_reviews: null,
+      restrictions: null
+    });
+    execFileSync('gh', [
+      'api', `repos/${repo}/branches/main/protection`,
+      '--method', 'PUT',
+      '--input', '-'
+    ], { input: protectionPayload, stdio: ['pipe', 'ignore', 'pipe'] });
+    console.log(`  ${green}${i18n.protection_ok}${reset}`);
+  } catch (_) {
+    console.log(`  ${yellow}${i18n.protection_warn}${reset}`);
+  }
+```
+
+- [ ] **Step 11: Verify cli.js changes compile (no syntax errors)**
+
+```bash
+node --check bin/cli.js
+```
+
+Expected: no output (exit 0).
+
+- [ ] **Step 12: Commit**
+
+```bash
+git add bin/cli.js
+git commit -m "feat(cli): auto-configure branch protection with required QA Gate + PDLC Stage Gate checks"
+```
+
+---
+
+### Task 4: Enable branch protection on this repo (verification)
+
+**Files:** none — GitHub API call only.
+
+This repo was already not protected (`404 Branch not protected`). Task 3 adds the automation for new installs; this task activates it for the existing repo.
+
+- [ ] **Step 13: Apply branch protection to this repo**
+
+```bash
+gh api repos/rafaeltcosta86/agentic-pdlc/branches/main/protection \
+  --method PUT \
+  --input - <<'EOF'
+{
+  "required_status_checks": {
+    "strict": false,
+    "contexts": ["PDLC Stage Gate", "QA Gate"]
+  },
+  "enforce_admins": false,
+  "required_pull_request_reviews": null,
+  "restrictions": null
+}
+EOF
+```
+
+Expected: JSON response with `url` field containing `branches/main/protection`.
+
+- [ ] **Step 14: Verify branch protection is active**
+
+```bash
+gh api repos/rafaeltcosta86/agentic-pdlc/branches/main/protection \
+  --jq '.required_status_checks.contexts'
+```
+
+Expected output:
+```json
+[
+  "PDLC Stage Gate",
+  "QA Gate"
+]
+```
+
+- [ ] **Step 15: Open a test PR to verify end-to-end behavior**
+
+Create a scratch branch, open a draft PR against main without `qa:approved` label:
+
+```bash
+git checkout -b test/qa-gate-verification
+git commit --allow-empty -m "test: verify qa gate enforcement"
+gh pr create --title "test: QA Gate verification" --body "Closes #136" --draft
+```
+
+Expected: `QA Gate` check appears and fails with "no QA label found". `AC Coverage Verification (GitHub Models)` check runs; if API is reachable it adds `qa:approved` automatically and QA Gate re-evaluates to pass. Merge button should be disabled until QA Gate passes.
+
+- [ ] **Step 16: Close the test PR and delete the branch**
+
+```bash
+gh pr close --delete-branch
+```
+
+---
+
+## Self-Review
+
+**Spec coverage:**
+- ✅ `infra:qa-broken` no longer allows silent bypass — Task 1 (exit 1) + Task 2 (qa-gate fails on that label)
+- ✅ `qa:needs-work` also blocked — qa-gate checks for it explicitly
+- ✅ "no QA label" state blocked — qa-gate fails if no QA label present
+- ✅ Hotfix bypass preserved — same `grep -qw "hotfix"` pattern as pdlc-stage-gate
+- ✅ Template updated — Tasks 1 and 2 update both repo + template files
+- ✅ Enforcement mechanism (branch protection) included — Task 3 + Task 4
+- ✅ New installs get protection automatically — cli.js step in Task 3
+
+**Placeholder scan:** None found. All code blocks are complete and runnable.
+
+**Type consistency:** No functions/types defined across tasks — all changes are self-contained YAML and JS.

package/docs/superpowers/specs/2026-05-29-agentic-pulse-rework-taxonomy-design.md

@@ -0,0 +1,122 @@
+# Agentic Pulse — Rework Taxonomy with Review-Actor Attribution and Stage Correlation
+
+**Date:** 2026-05-29
+**Issue:** [#142](https://github.com/rafaeltcosta86/agentic-pdlc/issues/142)
+**Status:** stage:approval — awaiting spec:approved
+
+## Problem
+
+Current rework signal detects extra commit sessions but cannot distinguish cause. All rework produces the same generic recommendation: "incomplete specs or requirement changes."
+
+Three distinct causes exist, each pointing to a different fix:
+
+| Cause | Root stage | Fix |
+|---|---|---|
+| Code reviewer caught a defect | stage:development — DoD too weak | Tighten implementation checklist |
+| QA agent caught a functional gap | stage:detailing — spec incomplete | Add acceptance criteria |
+| Self-correction (pre-review) | Unknown | Not auto-determinable |
+
+## Design Decision
+
+**Option C selected:** Review-Actor Taxonomy + Stage Correlation
+- Auto-only (zero user friction)
+- Actors are configurable — not locked to any specific bot
+- Stage correlation provides upstream attribution when N≥3 data points available
+
+## Architecture
+
+### Files Changed
+
+- `.github/workflows/agentic-metrics.yml`
+- `templates/.github/workflows/agentic-metrics.yml` (mirror)
+
+No new files. No new dependencies.
+
+### Configuration
+
+```yaml
+env:
+  AGENTIC_PULSE_REVIEWERS: |
+    code_reviewer=gemini-code-assist[bot]
+    qa_agent=github-actions[bot]
+```
+
+Format: `role=login1,login2` per line. If absent/empty → taxonomy skipped, existing behavior unchanged.
+
+## Detection Logic
+
+### Review-Actor Rework Detection
+
+For each merged PR in the week window (up to 10 — consistent with existing rework block):
+
+1. Get commit timestamps (reuse existing fetch)
+2. If single commit session: skip
+3. `GET /repos/{owner}/{repo}/pulls/{pr}/reviews`
+4. For each review where `reviewer.login` is in the actor map:
+   - Record first review timestamp for that role
+   - Count commits with `timestamp > first_review_at`
+   - If count > 0: mark as `{role}`-triggered rework
+5. If multi-session but no configured actor review found before them: `self_correction`
+6. For reviewer-triggered PRs: extract `Closes #N` → store `{ pr_number, issue_number, role }` for stage correlation
+
+A PR can count in multiple role buckets if multiple roles triggered rework. Total rework % = unique PRs with any rework / total PRs. Role breakdown counts per role (sum can exceed total %).
+
+### Stage Correlation
+
+Load `stage:detailing` durations from `weekKey.jsonl` → `Map<issueNumber, durationDays>`
+
+Group:
+- `reviewer_rework_group`: issues linked to reviewer-triggered rework PRs with known detailing time
+- `clean_group`: issues linked to PRs with zero reviewer-triggered rework (single session OR only self-correction) with known detailing time
+
+Emit correlation signal only if both groups have N≥3. Otherwise skip.
+
+## Output Format
+
+### Rework signal (taxonomy active)
+
+```
+🟡 **Rework rate: 60%** — 6 de 10 PRs tiveram commits extras
+   ↳ Code reviewer: **4 PRs** → revisar DoD em stage:development
+   ↳ QA Agent: **1 PR** → spec com lacunas funcionais em stage:detailing
+   ↳ Self-correction: **1 PR** (causa não determinada automaticamente)
+```
+
+### Stage correlation signal (when N≥3 both groups)
+
+```
+💡 **Stage correlation:** PRs com reviewer rework tiveram Detailing médio de 0.2d vs 0.8d (N=4 vs N=6)
+   → Specs rápidas correlacionam com mais rework de review
+```
+
+### Signal levels
+
+| Condition | Level |
+|---|---|
+| `code_reviewer` rework ≥ 80% of total | 🔴 |
+| `code_reviewer` rework ≥ 50% of total | 🟡 |
+| `qa_agent` rework > 0 | 🟡 |
+| Stage correlation present | 🔵 (informational) |
+
+## Recommendations
+
+| Trigger | Recommendation |
+|---|---|
+| `code_reviewer` dominant | Revisar Definition of Done em stage:development. Considere checklist de qualidade antes de abrir PR. |
+| `qa_agent` > 0 | Spec tem lacunas funcionais. Revisar critérios de aceitação em stage:detailing. |
+| Stage correlation fires (rework detailing < clean detailing) | Specs rápidas correlacionam com mais rework. Invista mais tempo em stage:detailing. |
+| All self-correction | Configure AGENTIC_PULSE_REVIEWERS para attribution mais precisa. |
+
+## Backward Compatibility
+
+- `AGENTIC_PULSE_REVIEWERS` absent → taxonomy skipped, no regression
+- JSONL absent → correlation skipped, taxonomy still runs
+- N < 3 either group → correlation skipped
+- `listReviews` API error → catch, skip PR, continue
+
+## Out of Scope
+
+- Manual rework classification
+- Self-correction cause detection
+- Changes to Stage Residence Time collection
+- Changes to any other signal

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "create-agentic-pdlc",
-  "version": "2.3.0",
+  "version": "2.4.0",
   "description": "Agentic PDLC Framework - Conversational setup for your AI coding assistants",
   "type": "commonjs",
   "bin": {

package/templates/.github/ISSUE_TEMPLATE/bug.md

@@ -0,0 +1,53 @@
+---
+name: Bug
+about: Broken behavior with root cause and fix criteria
+title: 'bug: '
+labels: type:bug
+assignees: ''
+---
+
+## Problem
+
+<!-- What fails. Who affected. Measured impact. -->
+
+## Root Cause
+
+<!-- Why it fails. Link to code/config if known. -->
+
+## Reproduction Steps
+
+1. 
+2. 
+3. 
+
+**Expected:** 
+**Actual:** 
+
+## Acceptance Criteria
+
+<!-- agent fills during detailing -->
+
+**AC1 — [name]**
+- Given 
+- When 
+- Then 
+
+## Edge Cases
+
+<!-- agent fills during detailing -->
+- EC1: [condition] → [expected behavior]
+
+## Out of Scope
+
+<!-- agent fills during detailing -->
+- 
+
+## Non-Functional Requirements
+
+<!-- agent fills during detailing — omit if pure docs/markdown -->
+- Reliability: idempotent — safe to re-run
+
+## Files to Modify
+
+<!-- agent fills during detailing -->
+- `path/to/file` — what changes

package/templates/.github/ISSUE_TEMPLATE/feature.md

@@ -0,0 +1,54 @@
+---
+name: Feature
+about: New capability with spec scaffold for detailing agent
+title: 'feat: '
+labels: type:feature
+assignees: ''
+---
+
+## Problem
+
+<!-- What fails or is missing. Who affected. Measured impact. -->
+
+## Sprint Goal / Success Metrics
+
+<!-- agent fills during detailing -->
+
+| Metric | Baseline | Target | When |
+|--------|----------|--------|------|
+|  |  |  |  |
+
+## Solution
+
+<!-- agent fills during detailing — behavioral description, no implementation details -->
+
+## Acceptance Criteria
+
+<!-- agent fills during detailing -->
+
+**AC1 — [name]**
+- Given 
+- When 
+- Then 
+
+## Edge Cases
+
+<!-- agent fills during detailing -->
+- EC1: [condition] → [expected behavior]
+
+## Out of Scope
+
+<!-- agent fills during detailing -->
+- 
+
+## Non-Functional Requirements
+
+<!-- agent fills during detailing — omit if pure docs/markdown -->
+- Performance: 
+- Security: 
+- Reliability: 
+
+## Files to Modify
+
+<!-- agent fills during detailing -->
+- `path/to/file` — what changes

package/templates/.github/ISSUE_TEMPLATE/task.md

@@ -0,0 +1,33 @@
+---
+name: Task
+about: Defined work unit with clear done criteria
+title: 'task: '
+labels: type:task
+assignees: ''
+---
+
+## Objective
+
+<!-- What must be done and why. -->
+
+## Steps
+
+<!-- agent fills during detailing -->
+1. 
+2. 
+
+## Acceptance Criteria
+
+<!-- agent fills during detailing -->
+- [ ] 
+- [ ] 
+
+## Out of Scope
+
+<!-- agent fills during detailing -->
+- 
+
+## Files to Modify
+
+<!-- agent fills during detailing -->
+- `path/to/file` — what changes

package/templates/.github/workflows/add-to-board.yml

@@ -14,13 +14,13 @@ jobs:
     name: Auto-add new issue to board
     runs-on: ubuntu-latest
     env:
-      PROJECT_PAT: ${{ secrets.PROJECT_PAT }}
+      PROJECT_TOKEN: ${{ secrets.PROJECT_TOKEN }}
     steps:
       - name: Add issue to project board
-        if: ${{ env.PROJECT_PAT != '' && env.PROJECT_ID != '{{PROJECT_ID}}' }}
-        uses: actions/github-script@v7
+        if: ${{ env.PROJECT_TOKEN != '' && env.PROJECT_ID != '{{PROJECT_ID}}' }}
+        uses: actions/github-script@v8
         with:
-          github-token: ${{ env.PROJECT_PAT }}
+          github-token: ${{ env.PROJECT_TOKEN }}
           script: |
             const nodeId = context.payload.issue.node_id;
             const number = context.payload.issue.number;