create-claude-cabinet 0.37.0 → 0.38.0

package/lib/cli.js

@@ -486,7 +486,7 @@ const MODULES = {
     mandatory: false,
     default: true,
     lean: true,
-    templates: ['skills/plan', 'skills/execute', 'skills/execute/phases/post-impl-checklist.md', 'skills/debrief/phases/checklist-feedback.md', 'skills/checklist-discover', 'skills/generate-plan-groups', 'skills/execute-group', 'workflows/execute-group-implement.js', 'workflows/execute-group-complete.js', 'skills/investigate', 'cabinet/checkpoint-protocol.md', 'cabinet/qa-dimensions-template.yaml'],
+    templates: ['skills/plan', 'skills/execute', 'skills/execute/phases/post-impl-checklist.md', 'skills/debrief/phases/checklist-feedback.md', 'skills/checklist-discover', 'skills/generate-plan-groups', 'skills/execute-group', 'workflows/execute-group-implement.js', 'workflows/execute-group-complete.js', 'skills/investigate', 'cabinet/checkpoint-protocol.md', 'cabinet/qa-dimensions-template.yaml', 'scripts/qa-dimensions-validator.cjs', 'skills/orient/phases/checklist-status.md'],
   },
   'compliance': {
     name: 'Compliance Stack (rules + enforcement)',
@@ -595,7 +595,7 @@ const MODULES = {
   },
   engagement: {
     name: 'Engagement management (with secure credential handoff)',
-    description: 'Ongoing client-engagement management built on pib-db: per-recipient packets (rendered projections of the work backlog), role-gated billing, client feedback flowing back as events, and secure credential handoff (encrypted capture via OS dialog, pluggable email/MCP/file transport). Seven skills across consultant and client sides. Requires work-tracking (the pib-db adapter is the engine\'s data source).',
+    description: 'Ongoing client-engagement management built on pib-db: per-recipient packets (rendered projections of the work backlog), role-gated billing, client feedback flowing back as events, and secure credential handoff (encrypted capture via OS dialog, pluggable email/MCP/file transport). Three primary skills across consultant and client sides, plus redirect stubs. Requires work-tracking (the pib-db adapter is the engine\'s data source).',
     mandatory: false,
     default: false,
     lean: false,
@@ -613,6 +613,7 @@ const MODULES = {
       'skills/engagement-add',
       'skills/engagement-status',
       'skills/engagement-sync',
+      'skills/setup-accounts',
       'skills/guide',
       'engagement',
     ],

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "create-claude-cabinet",
-  "version": "0.37.0",
+  "version": "0.38.0",
   "description": "Claude Cabinet — opinionated process scaffolding for Claude Code projects",
   "bin": {
     "create-claude-cabinet": "bin/create-claude-cabinet.js"

package/templates/cabinet/qa-dimensions-template.yaml

@@ -42,11 +42,17 @@
 # The examples below are illustrative. Delete or replace them.
 
 dimensions:
+  # ── Replace the example paths below with your project's real paths. ──
+  # The dimension *concepts* are broadly useful; the glob patterns are
+  # placeholders. Run /checklist-discover to auto-detect your project's
+  # paths and generate a tailored qa-dimensions.yaml.
+
   data-coherence:
     paths:
-      - "**/pib-db*.mjs"
       - "**/*schema*"
       - "**/*migration*"
+      - "**/*.sql"
+      - "**/models/**"
     severity: high
     checks:
       - tag: run
@@ -58,8 +64,10 @@ dimensions:
 
   api-drift:
     paths:
+      - "**/routes*"
+      - "**/api/**"
+      - "src/**"
       - "**/index.mjs"
-      - "lib/*.js"
     severity: high
     checks:
       - tag: run
@@ -67,11 +75,29 @@ dimensions:
       - tag: review
         check: "Check downstream consumers of any changed or removed export."
 
+  test-staleness:
+    paths:
+      - "**/test*/**"
+      - "**/*.test.*"
+      - "**/*.spec.*"
+      - "**/factories/**"
+      - "**/fixtures/**"
+    severity: high
+    checks:
+      - tag: run
+        check: "Run the test suite if any test, factory, or fixture file changed."
+      - tag: review
+        check: "If a model's validations or associations changed, verify factories still produce valid records."
+      - tag: review
+        check: "If behavior changed, check whether existing specs assert on the old behavior."
+
   knowledge-layer:
     paths:
-      - "templates/skills/**"
-      - "templates/engagement/**"
+      - "**/docs/**"
+      - "**/*guide*"
+      - "**/README*"
+      - "**/CHANGELOG*"
     severity: moderate
     checks:
       - tag: review
-        check: "If user-facing behavior or vocabulary changed, check whether app-guide.md needs updating."
+        check: "If user-facing behavior or vocabulary changed, check whether docs or guides need updating."

package/templates/engagement/engagement-schema.md

@@ -438,12 +438,13 @@ not a filter boundary.
 
 ## 10. Skills
 
-Two primary skills, plus redirect stubs for backward compatibility:
+Three primary skills, plus redirect stubs for backward compatibility:
 
 | Skill | Side | Subcommands |
 | ----- | ---- | ----------- |
 | `/collab-client` | Client | (default) full review, `progress`, `message`, `delegate`, `help` |
 | `/collab-consultant` | Consultant | (default) dashboard, `create`, `sync`, `add`, `edit`, `message`, `help` |
+| `/setup-accounts` | Client | Interactive account-setup walkthrough with self/delegate/later modes |
 
 The 9 old `/engagement-*` skills are redirect stubs pointing to `/collab-*`.
 
@@ -494,6 +495,182 @@ edit the guide file directly.
 
 ---
 
+## 12. Setup-walkthrough item fields
+
+Checklist items in `engagement.yaml` sections support optional fields
+used by the `/setup-accounts` skill for guided account-creation
+walkthroughs. These fields extend the base item schema (key, prompt,
+kind, help, options, visibility) — all are optional and the skill
+degrades gracefully without them.
+
+| Field | Type | Purpose |
+| ----- | ---- | ------- |
+| `signup_url` | string | Landing/signup page URL — opened in the client's default browser at item entry |
+| `billing` | string or object | Cost context. String: `"$20/mo (your app server)"`. Object: `{ cost, payment_required, at_scale }` |
+| `permissions` | string or object | Access scope. String: `"Member role"`. Object: `{ role, can, cannot, revoke }` |
+| `time_estimate` | string | How long the setup takes — e.g., "10 minutes" |
+| `screenshots` | string[] | URLs (typically Google Drive shareable links) to reference screenshots |
+| `delegate_instructions` | string | Pre-written delegation email body text |
+| `defer_consequence` | string | What won't work without this item — shown when client defers |
+| `depends_on` | string | Flat dependency — item key that must be answered before this item appears |
+
+`content_version` is an **engagement-level** field (under the
+`engagement:` block), not a per-item field. Bumped when the content
+changes materially; used as a sync guard between root and plugin copies.
+
+### `billing` field formats
+
+**String (simple):**
+```yaml
+billing: "$20/mo Pro plan (includes 8GB RAM, covers expected traffic)"
+```
+
+**Object (structured):**
+```yaml
+billing:
+  cost: "$20/month minimum (Pro plan)"
+  payment_required: "Yes — credit card required at signup"
+  at_scale: "Expect $20-35/month for typical traffic"
+```
+
+The skill renders string billing in the overview table directly. For
+object billing, it uses `cost` in the overview table and shows
+`payment_required` and `at_scale` in the per-item detail view.
+
+### `permissions` field formats
+
+**String (simple):**
+```yaml
+permissions: "Member role — can deploy and view logs, cannot delete the project"
+```
+
+**Object (structured):**
+```yaml
+permissions:
+  role: "Member"
+  can: "deploy, view logs, manage environment variables"
+  cannot: "delete the project, manage billing"
+  revoke: "Remove from People page after project handoff"
+```
+
+### `depends_on` field
+
+Flat sequential dependency. The item is hidden from the walkthrough
+until its dependency has an answer in state. Different from the nested
+`visibility: { depends_on, value_in }` format — flat `depends_on`
+gates on any answer (not a specific value).
+
+```yaml
+- key: railway_github_access
+  prompt: "Connect GitHub to Railway"
+  kind: confirm
+  depends_on: railway_account
+```
+
+### `signup_url` field
+
+The landing or signup page for the service being created. When present,
+the `/setup-accounts` skill opens this URL in the client's **default
+browser** (via the OS open command) at item entry — before the step
+loop begins. This is a navigation aid only; the skill never types,
+clicks, submits, or auto-fills in the browser.
+
+```yaml
+signup_url: "https://railway.com"
+```
+
+### `help` field formats
+
+The `help` field doubles as step-by-step instructions. Two formats are
+supported:
+
+**String form (original):** A block scalar with numbered lines. The
+skill parses numbered lines as individual walkthrough steps.
+
+```yaml
+help: |
+  1. Go to railway.com (not railway.app)
+  2. Click "Sign in" and enter your email
+  3. Check your inbox for a 6-digit code
+```
+
+**Structured list form:** Each entry is a step object with required
+`text` and optional `url`. Per-step `url` is opened in the client's
+default browser when that step is presented.
+
+```yaml
+help:
+  - text: "Click 'Sign in' (not 'Sign Up') and enter your email"
+  - text: "Check your inbox for a 6-digit code and enter it"
+  - text: "Accept the Terms of Service (two-step)"
+  - text: "Go to People in the sidebar"
+    url: "https://railway.com/project/settings/members"
+  - text: "Click Invite → enter consultant email → set role to Member"
+```
+
+Per-step `url` works best for post-login destinations with stable
+addressable pages (People/Invite, API-tokens, Billing settings). Steps
+within a wizard flow (e.g. "enter the 6-digit code") typically have no
+addressable URL and should omit `url`. Auth-gated deep-links may
+redirect to login if the client hasn't signed in yet — this is expected
+and the skill handles it gracefully (the client signs in, then arrives
+at the target page).
+
+### Browser navigation (optional)
+
+URLs from `signup_url` and per-step `url` fields open in the client's
+**default browser** via the OS open command (`open` on macOS,
+`xdg-open` on Linux, `start ""` on Windows). This is never an
+automation-controlled browser — the client uses their own browser with
+their own cookies, fingerprint, and login state. No Playwright, no
+MCP server, no Chromium download, no client-side dependency.
+
+If the open command is unavailable or errors, the skill falls back to
+displaying the URL as a clickable link — zero breakage.
+
+The skill only opens pages. It never types, clicks, submits, or
+auto-fills in the browser. The client performs every interaction. This
+constraint is intentional: automation-controlled browsers on third-party
+signup pages trigger anti-bot detection (Cloudflare Turnstile,
+reCAPTCHA) and risk leaking on-screen secrets into the conversation
+transcript via page snapshots.
+
+### Full example
+
+```yaml
+- key: railway_account
+  prompt: "Create a Railway hosting account"
+  kind: credential
+  signup_url: "https://railway.com"
+  help:
+    - text: "Click 'Sign in' (not 'Sign Up') and enter your email"
+    - text: "Check your inbox for a 6-digit code and enter it"
+    - text: "Accept the Terms of Service (two-step)"
+    - text: "Go to People in the sidebar"
+      url: "https://railway.com/project/settings/members"
+    - text: "Click Invite → enter consultant email → set role to Member"
+  billing:
+    cost: "$20/month minimum (Pro plan)"
+    payment_required: "Yes — credit card required at signup"
+    at_scale: "Expect $20-35/month for typical traffic"
+  permissions:
+    role: "Member"
+    can: "deploy, view logs, manage environment variables"
+    cannot: "delete the project, manage billing"
+  time_estimate: "10 minutes"
+  screenshots:
+    - "https://drive.google.com/file/d/abc123/view"
+    - "https://drive.google.com/file/d/def456/view"
+  delegate_instructions: |
+    Create a Railway account at railway.com. Use your work email.
+    After signup, go to People in the sidebar and invite
+    oren.michael.magid@gmail.com as a Member.
+    Give the API token to Ed directly — do not email it.
+  defer_consequence: "The web application cannot be deployed without hosting."
+```
+
+---
+
 ## Known limitations
 
 - **Single machine, single session.** The engagement store is one local

package/templates/scripts/pib-db-lib.mjs

@@ -99,53 +99,6 @@ export function init(db, { schemaPath }) {
   return { message: `Database initialized` };
 }
 
-// ---------------------------------------------------------------------------
-// Data migration — extract client-facing copy from notes into columns
-// ---------------------------------------------------------------------------
-const CLIENT_COPY_RE = /<!--\s*client-facing\s*\n([\s\S]*?)-->/;
-const CC_GENERATED_RE = /<!--\s*cc-generated:(\S+)\s+status:(\S+)\s*-->/;
-
-export function migrateClientCopy(db) {
-  const rows = db.prepare(
-    "SELECT fid, notes FROM actions WHERE notes LIKE '%client-facing%' AND client_title IS NULL AND client_body IS NULL AND client_generated_at IS NULL"
-  ).all();
-  const projRows = db.prepare(
-    "SELECT fid, notes FROM projects WHERE notes LIKE '%client-facing%' AND client_title IS NULL AND client_body IS NULL AND client_generated_at IS NULL"
-  ).all();
-
-  let migrated = 0;
-  const update = db.prepare(
-    "UPDATE actions SET client_title = ?, client_body = ?, client_generated_at = ?, client_generated_status = ? WHERE fid = ?"
-  );
-  const updateProj = db.prepare(
-    "UPDATE projects SET client_title = ?, client_body = ?, client_generated_at = ?, client_generated_status = ? WHERE fid = ?"
-  );
-
-  for (const { fid, notes } of [...rows, ...projRows]) {
-    if (!notes) continue;
-    const copyMatch = notes.match(CLIENT_COPY_RE);
-    const genMatch = notes.match(CC_GENERATED_RE);
-    if (!copyMatch && !genMatch) continue;
-
-    let title = null, body = null, genAt = null, genStatus = null;
-
-    if (copyMatch) {
-      const lines = copyMatch[1].split('\n').map(l => l.trim()).filter(Boolean);
-      title = lines[0] || null;
-      body = lines.slice(1).join('\n').trim() || null;
-    }
-    if (genMatch) {
-      genAt = genMatch[1] || null;
-      genStatus = genMatch[2] || null;
-    }
-
-    const stmt = rows.some(r => r.fid === fid) ? update : updateProj;
-    stmt.run(title, body, genAt, genStatus, fid);
-    migrated++;
-  }
-  return { migrated };
-}
-
 // ---------------------------------------------------------------------------
 // Query — run arbitrary SQL
 // ---------------------------------------------------------------------------

package/templates/scripts/qa-dimensions-validator.cjs

@@ -0,0 +1,102 @@
+#!/usr/bin/env node
+'use strict';
+
+// Structural validator for qa-dimensions.yaml.
+// Checks: file parses, has dimensions: map, each dimension has
+// paths (list, >=1), severity (high|moderate|info), checks (list, >=1).
+// No npm YAML parser — hand-parses the constrained schema.
+
+const { readFileSync, existsSync } = require('node:fs');
+const { join } = require('node:path');
+
+const candidates = [
+  join(process.cwd(), '.claude', 'cabinet', 'qa-dimensions.yaml'),
+];
+
+const file = candidates.find(existsSync);
+if (!file) {
+  // No yaml = no error. Checklist engine is opt-in.
+  process.exit(0);
+}
+
+const lines = readFileSync(file, 'utf-8').split('\n');
+const errors = [];
+
+let foundDimensions = false;
+let currentDim = null;
+const dimensions = {};
+
+for (let i = 0; i < lines.length; i++) {
+  const line = lines[i];
+  const num = i + 1;
+
+  if (line.match(/^dimensions:\s*$/)) {
+    foundDimensions = true;
+    continue;
+  }
+
+  if (!foundDimensions) continue;
+
+  // Top-level dimension name (2-space indent, ends with colon)
+  const dimMatch = line.match(/^  ([a-z][a-z0-9_-]+):\s*$/);
+  if (dimMatch) {
+    currentDim = dimMatch[1];
+    dimensions[currentDim] = { paths: 0, severity: null, checks: 0, line: num };
+    continue;
+  }
+
+  if (!currentDim) continue;
+
+  // paths list item (6-space indent + dash)
+  if (line.match(/^      - /)) {
+    const parent = lines.slice(0, i).reverse().find(l => l.match(/^    (paths|checks):/));
+    if (parent && parent.includes('paths:')) {
+      dimensions[currentDim].paths++;
+    }
+    if (parent && parent.includes('checks:')) {
+      dimensions[currentDim].checks++;
+    }
+  }
+
+  // severity field
+  const sevMatch = line.match(/^    severity:\s*(\S+)/);
+  if (sevMatch) {
+    const val = sevMatch[1];
+    if (!['high', 'moderate', 'info'].includes(val)) {
+      errors.push(`Line ${num}: severity "${val}" must be high|moderate|info`);
+    }
+    dimensions[currentDim].severity = val;
+  }
+
+  // check item with tag
+  const tagMatch = line.match(/^      - tag:\s*(\S+)/);
+  if (tagMatch) {
+    const val = tagMatch[1];
+    if (!['run', 'review'].includes(val)) {
+      errors.push(`Line ${num}: tag "${val}" must be run|review`);
+    }
+  }
+}
+
+if (!foundDimensions) {
+  errors.push('Missing top-level "dimensions:" key');
+}
+
+const dimNames = Object.keys(dimensions);
+if (foundDimensions && dimNames.length === 0) {
+  errors.push('"dimensions:" map is empty — at least one dimension required');
+}
+
+for (const [name, d] of Object.entries(dimensions)) {
+  if (d.paths === 0) errors.push(`Dimension "${name}" (line ${d.line}): needs at least one path`);
+  if (!d.severity) errors.push(`Dimension "${name}" (line ${d.line}): missing severity`);
+  if (d.checks === 0) errors.push(`Dimension "${name}" (line ${d.line}): needs at least one check`);
+}
+
+if (errors.length > 0) {
+  console.error(`qa-dimensions.yaml: ${errors.length} error(s)`);
+  errors.forEach(e => console.error(`  ${e}`));
+  process.exit(1);
+}
+
+console.log(`qa-dimensions.yaml: ${dimNames.length} dimensions, all valid.`);

package/templates/skills/cc-upgrade/SKILL.md

@@ -409,6 +409,24 @@ If the upstream schema has new columns or tables:
 If the upgrade added modules the project hadn't installed before,
 walk through what they do and whether to keep them.
 
+#### Plugin Staleness Check
+
+If the project has a plugin (detected by `plugin.json` in the project
+root, `.claude-plugin/plugin.json`, or a plugin repo reference in
+`_briefing.md` or `engagement.yaml`), surface a reminder:
+
+> This project has a plugin. CC skill patterns may have changed in this
+> upgrade — check whether plugin skills need updating to match.
+
+If the plugin path or repo is discoverable (e.g., from `plugin.json`
+or cc-registry), name it specifically:
+
+> Plugin at `[path or repo]` has N skills built on CC conventions.
+> Review them for compatibility with the changes above.
+
+This is advisory only — don't block the upgrade. The user decides
+whether to check the plugin now or later.
+
 #### patterns-project.md Deduplication
 
 After installing updated cabinet member SKILL.md files, check for

package/templates/skills/checklist-discover/SKILL.md

@@ -46,7 +46,26 @@ Copy `.claude/cabinet/qa-dimensions-template.yaml` to
 tell the user to run `npx create-claude-cabinet` with the planning
 module first.
 
-### 2. Scan for structural signals
+### 2. Review template dimensions
+
+Before scanning, read the template's existing dimensions. For each
+dimension in the template, evaluate whether the **concept** applies to
+this project — even if the specific paths need updating:
+
+1. Read `qa-dimensions-template.yaml` and list its dimensions.
+2. For each template dimension, scan for files matching the concept
+   (not just the template's paths). Example: `knowledge-layer` watches
+   `**/docs/**` and `**/README*` in the template, but this project may
+   have equivalent files in `deliverables/`, `correspondence/`, or `wiki/`.
+3. If the concept applies with different paths, carry it forward as a
+   proposal with updated paths (mark it as "adapted from template").
+4. If the concept genuinely doesn't apply (no matching files at all),
+   propose it for Skip so the user sees the decision explicitly.
+
+**Never silently drop a template dimension.** The template's accumulated
+wisdom should be evaluated, not replaced sight-unseen.
+
+### 3. Scan for structural signals
 
 Analyze the codebase systematically. For each signal category below,
 look for real files — don't guess or hallucinate. Read directory listings,
@@ -56,20 +75,20 @@ check imports, look at actual file contents.
 
 | Signal | Files to look for | Suggested dimension |
 |--------|------------------|-------------------|
-| Database/schema | `**/schema*`, `**/migration*`, `**/pib-db*`, `**/*.sql`, ORM models | `data-coherence` — migration safety, referential integrity, schema changes |
-| API surface | Exported functions in `lib/`, `src/api/`, route files, MCP server definitions | `api-drift` — export surface changes, downstream consumer impact |
+| Database/schema | `**/schema*`, `**/migration*`, `**/*.sql`, `**/models/**`, ORM models | `data-coherence` — migration safety, referential integrity, schema changes |
+| API surface | Exported functions in `src/`, route files, API controllers, MCP server definitions | `api-drift` — export surface changes, downstream consumer impact |
 | Crypto/auth/security | `**/crypto*`, `**/auth*`, `**/secure*`, JWT/token handling, key files | `security-review` — credential handling, encryption correctness, auth flow changes |
 | UI components | `**/components/**`, `*.tsx`, `*.vue`, `*.svelte`, template files | `render-correctness` — visual regressions, prop changes, layout breaks |
 | Configuration | `**/config*`, `**/.env*`, `**/settings*`, deployment configs | `config-drift` — env parity, missing variables, deployment config sync |
 | User-facing docs | App guides, README, help text, onboarding content | `knowledge-layer` — documentation staleness when behavior changes |
-| Test infrastructure | `**/test*`, `**/*.test.*`, `**/*.spec.*`, fixture files | `test-health` — fixture staleness, coverage gaps for changed code |
+| Test infrastructure | `**/test*`, `**/*.test.*`, `**/*.spec.*`, fixture/factory files | `test-staleness` — factory validity after model changes, specs asserting stale behavior |
 | Build/deploy | `Dockerfile`, `railway.toml`, CI configs, build scripts | `deploy-safety` — build breaks, deployment config changes, infra drift |
 
 Don't force-fit every category. If the codebase has no crypto code,
 don't suggest a security-review dimension. Only suggest dimensions
 backed by real files you found.
 
-### 3. For each discovered signal, look deeper
+### 4. For each discovered signal, look deeper
 
 Don't stop at filenames. For the files you find:
 
@@ -81,33 +100,50 @@ Don't stop at filenames. For the files you find:
 - **Count and characterize** the files. "8 schema files across 3
   directories" is a stronger signal than "1 schema file."
 
-### 4. Present suggestions one at a time
+### 5. Present suggestions one at a time
 
-For each suggested dimension, present it conversationally:
+For each suggested dimension (including those adapted from the template
+in step 2), first output the evidence and proposed config as text:
 
-> I found 8 files matching `**/schema*` and `**/*.sql` across 3 directories
-> (scripts/, templates/engagement/, templates/scripts/). This suggests a
-> **data-coherence** dimension.
+> I found 6 files matching `**/schema*` and `**/*.sql` across 2 directories
+> (db/, app/models/). This suggests a **data-coherence** dimension.
 >
-> Suggested paths: `["**/schema*", "**/*.sql", "**/pib-db*.mjs"]`
+> Suggested paths: `["**/schema*", "**/*.sql", "**/models/**"]`
 > Suggested severity: `high`
 > Suggested checks:
 > - `[run] Run schema validation if schema or migration files changed`
 > - `[review] Verify migration handles existing data, not just fresh installs`
 > - `[review] Check referential integrity for any new foreign keys`
->
-> **Accept / Edit / Skip?**
 
-If the user says **Edit**: ask what to change (paths, severity, checks),
-apply their changes, re-present for confirmation.
+Then use **AskUserQuestion** with a single-select question for the
+user's decision:
+
+```
+AskUserQuestion({
+  questions: [{
+    question: "Accept the <dimension-name> dimension as proposed?",
+    header: "Dimension",
+    options: [
+      { label: "Accept", description: "Add this dimension as shown above" },
+      { label: "Edit", description: "Modify paths, severity, or checks before adding" },
+      { label: "Skip", description: "Don't include this dimension" }
+    ],
+    multiSelect: false
+  }]
+})
+```
+
+If the user selects **Edit**: ask what to change (paths, severity,
+checks), apply their changes, re-present for confirmation with
+another AskUserQuestion.
 
-If the user says **Accept**: note it — write after all suggestions.
+If the user selects **Accept**: note it — write after all suggestions.
 
-If the user says **Skip**: move to the next suggestion.
+If the user selects **Skip**: move to the next suggestion.
 
 **Never batch.** One dimension at a time.
 
-### 5. Write the yaml
+### 6. Write the yaml
 
 If the user skipped ALL suggestions (zero accepted), don't write.
 Say: "No dimensions accepted. The template is at
@@ -146,25 +182,36 @@ Read `.claude/cabinet/qa-dimensions.yaml`. Summarize what's there:
 
 ### 2. Offer two paths
 
-> Want me to:
-> 1. **Check for gaps** — scan the codebase for signals not covered
->    by existing dimensions
-> 2. **Review existing** — walk through each dimension and check if
->    paths and checks are still accurate
->
-> Or name a specific dimension to edit.
+Use **AskUserQuestion** to let the user choose:
+
+```
+AskUserQuestion({
+  questions: [{
+    question: "How would you like to review your checklist?",
+    header: "Review mode",
+    options: [
+      { label: "Check for gaps", description: "Scan the codebase for signals not covered by existing dimensions" },
+      { label: "Review existing", description: "Walk through each dimension and check if paths and checks are still accurate" }
+    ],
+    multiSelect: false
+  }]
+})
+```
+
+If the user selects "Other" and names a specific dimension, jump to
+that dimension's review directly.
 
 ### 3a. Gap analysis
 
-Run the same structural scan as scaffold mode (step 2), but filter out
+Run the same structural scan as scaffold mode (step 3), but filter out
 signals already covered by existing dimensions. For each uncovered
 signal, suggest a new dimension using the same one-at-a-time flow.
 
 Also check: do existing glob patterns still match files that exist
 today? Are there new files in matched directories that the patterns miss?
 
-> Your `api-drift` dimension watches `lib/*.js` but I also found
-> exports in `src/api/routes.mjs` and `templates/scripts/pib-db-lib.mjs`.
+> Your `api-drift` dimension watches `src/**` but I also found
+> route definitions in `app/routes/` and exported helpers in `utils/`.
 > Want to add those paths?
 
 ### 3b. Existing dimension review

package/templates/skills/orient/phases/checklist-status.md

@@ -0,0 +1,42 @@
+# Checklist Status
+
+**Runs:** after work-scan, before briefing. Lightweight status line only.
+
+## What this phase does
+
+Surfaces the change-impact checklist state during orient so the user
+knows whether the engine is active without having to check files.
+
+## Logic
+
+1. Check if `.claude/cabinet/qa-dimensions.yaml` exists.
+
+2. If **absent**, check if `.claude/cabinet/qa-dimensions-template.yaml`
+   exists:
+   - **Template exists, yaml absent** → the checklist engine is installed
+     but not configured. Surface a one-time nudge in the briefing's
+     **Attention Items** section:
+
+     > Checklist engine installed but not configured. Run
+     > `/checklist-discover` to set up QA dimensions for your project.
+
+     This condition is self-resolving: once the user runs
+     `/checklist-discover`, the yaml is created and the nudge stops.
+   - **Neither exists** → skip silently. The planning module isn't
+     installed or the template wasn't copied.
+
+3. If **present**: count the dimensions and total checks. Output one
+   line in the briefing's **Project State** section:
+
+   > Checklist active: N dimensions, M checks total.
+
+   If the file exists but is malformed (no `dimensions:` key or empty),
+   output a warning instead:
+
+   > ⚠ qa-dimensions.yaml exists but appears malformed. Run `/validate`
+   > to diagnose.
+
+## What this phase does NOT do
+
+- It does not validate structure beyond presence — /validate does that.
+- It does not list individual dimensions. Keep it to one line.

package/templates/skills/setup-accounts/SKILL.md

@@ -0,0 +1,502 @@
+---
+name: setup-accounts
+description: |
+  Interactive account-setup walkthrough for any engagement. Reads
+  engagement.yaml sections, walks the client through creating accounts
+  step by step with self/delegate/later modes, structured error recovery,
+  credential capture via secure OS dialog, and delegation via Gmail MCP.
+  Progress persists across sessions. Use when: "setup accounts",
+  "/setup-accounts", "create my accounts", "walk me through the setup".
+manual: true
+argument-hint: "section key — e.g., 'go_live', or empty for all account-setup items"
+---
+
+# /setup-accounts — Interactive Account Setup Walkthrough
+
+## Purpose
+
+Walk a client through creating third-party service accounts needed for
+their engagement. Each item gets a guided walkthrough with three
+choices: do it yourself (step-by-step), delegate to someone else (Gmail
+draft), or defer (with consequences explained). Credentials are captured
+via a secure OS dialog and never enter the conversation.
+
+The skill is content-agnostic — it reads engagement.yaml for the items
+and their instructions. Project-specific content (which accounts, what
+steps, billing details) lives in the YAML, not here.
+
+## Locate Engagement Directory
+
+Search for `engagement.yaml` starting from the current working directory:
+1. `./engagement.yaml`
+2. `./engagement/engagement.yaml`
+3. Walk up parent directories (max 3 levels), checking both patterns
+
+Store the resolved directory (the directory containing the found
+`engagement.yaml`) as `ENGAGEMENT_DIR`. All relative paths in
+engagement.yaml resolve from there.
+
+If engagement.yaml is not found, tell the user and stop.
+
+## Load State
+
+Read checklist state from `ENGAGEMENT_DIR/setup-accounts-state.json`
+using the `loadState` / `createState` pattern from
+`engagement-checklist.mjs`. If no state file exists, create one.
+
+## Select Items
+
+Parse engagement.yaml. Collect items from the section specified in
+`$ARGUMENTS`, or from all sections if no argument given.
+
+**Invalid section key guard:** If `$ARGUMENTS` specifies a section key
+that doesn't exist in engagement.yaml, list the available section keys
+and stop: "Section '[key]' not found. Available sections: [list]. Run
+`/setup-accounts` with no argument to walk through all items."
+
+### Dependency Resolution
+
+Items may declare dependencies in two formats:
+
+1. **Nested visibility** (`visibility: { depends_on, value_in }`) —
+   handled by `computeVisibility()` from `engagement-checklist.mjs`.
+2. **Flat depends_on** (`depends_on: <key>`) — a sequential ordering
+   hint not read by `computeVisibility()`.
+
+Apply both filters in order:
+1. Run `computeVisibility()` with current state answers to filter
+   nested-visibility items.
+2. For remaining items with flat `depends_on`: check whether the
+   dependency key has an answer in state. If not, exclude the item
+   from this session's walkthrough (it will appear once its dependency
+   is completed). Show a note in the overview table: "Waiting on
+   [dependency item prompt]".
+
+The skill operates on items of any `kind` — the walkthrough UX applies
+to `credential`, `provide`, `confirm`, and `decide` items alike.
+
+**Empty result guard:** If the filtered item set is empty (no items
+match the section or all are gated by dependencies), tell the user and
+stop.
+
+## Present Overview Table
+
+Show all items in a single overview table before starting the
+walkthrough:
+
+```
+## Account Setup — [engagement title]
+
+| # | Service | Status | Est. Time | Cost |
+|---|---------|--------|-----------|------|
+| 1 | Railway hosting | ⬜ Not started | 10 min | $20/mo (your app server) |
+| 2 | Postmark email | ⬜ Not started | 15 min | Free → $15/mo at scale |
+| 3 | Sentry errors | ✅ Done | — | $0 |
+| 4 | Cloudflare DNS | 🔄 Delegated to Sydney | — | $0 |
+| 5 | GitHub access | ⏳ Waiting on Railway | — | — |
+
+5 items: 2 remaining, 1 done, 1 delegated, 1 waiting
+```
+
+**Status icons:**
+- ⬜ Not started
+- ✅ Done (or handled by consultant)
+- 🔄 Delegated to [name]
+- ⏸️ Deferred
+- 🚫 Blocked
+- ⏳ Waiting on [dependency]
+
+**Cost column:** Use the item's `billing` field if present. If `billing`
+is a string, display it directly. If `billing` is an object (with `cost`,
+`payment_required`, `at_scale` sub-keys), render the `cost` value in the
+table and show `payment_required` and `at_scale` in the per-item detail.
+If no `billing` field on any item, omit the Cost column entirely.
+
+**Time column:** Use the item's `time_estimate` field if present.
+
+**Permissions** are shown in the per-item detail view (Step 1), not in
+the overview table.
+
+### Item Selection (for lists > 5 items)
+
+If there are more than 5 incomplete items, present the overview table
+first, then ask which items the user wants to tackle this session
+rather than walking through all of them sequentially:
+
+Use `AskUserQuestion`:
+- header: "This session"
+- question: "Which items do you want to work on now? You can always
+  come back for the rest."
+- multiSelect: true
+- options: one per incomplete item (label: item prompt, description:
+  cost/time summary)
+
+For 5 or fewer incomplete items, proceed directly to the per-item
+walkthrough without asking.
+
+## Per-Item Walkthrough
+
+For each selected incomplete item, in order:
+
+### Step 1: Present the Item
+
+```
+### Item 1 of 4: Railway Hosting Account
+
+Railway runs your web application. Here's what we need to set up.
+
+**Cost:** $20/month (includes 8GB RAM, covers your expected traffic)
+**Payment required:** Yes — credit card needed at signup
+**At scale:** Expect $20-35/month for your traffic levels
+**Permissions needed:** Member role — can deploy and view logs, cannot delete the project
+**Time:** ~10 minutes
+```
+
+Show `billing` fields (rendering object sub-keys if present),
+`permissions` fields (rendering object sub-keys if present), and
+`time_estimate` if present.
+
+### Step 2: Ask How to Proceed
+
+The base menu always has exactly 3 options. For items that are
+**blocked or have evidence of prior completion**, show a different
+3-option menu instead.
+
+**Base menu** (not started, deferred, or first attempt):
+
+Use `AskUserQuestion`:
+- header: "Mode"
+- question: "How would you like to handle [item prompt]?"
+- options:
+  - label: "I'll do it now", description: "Walk me through the steps"
+  - label: "Someone else will handle this", description: "Draft instructions for a delegate"
+  - label: "Skip for now", description: "Come back to this later"
+
+**Recovery menu** (item is blocked, or user says it's already done,
+or consultant may have handled it):
+
+Use `AskUserQuestion`:
+- header: "Mode"
+- question: "[Item] was previously [blocked at step N / started].
+  How would you like to proceed?"
+- options:
+  - label: "Try again", description: "Re-attempt the walkthrough from where I left off"
+  - label: "Already handled", description: "I or my consultant already took care of this"
+  - label: "Skip for now", description: "Come back to this later"
+
+If the user selects "Already handled", ask a follow-up to determine
+Path D vs Path E:
+
+Use `AskUserQuestion`:
+- header: "Who"
+- question: "Who completed this?"
+- options:
+  - label: "I did it myself", description: "I'll provide the credential/info now"
+  - label: "My consultant handled it", description: "Mark it as done"
+
+### Path A: "I'll do it now"
+
+**Open signup page (if available):** If the item has a `signup_url`
+field, open it in the client's default browser before starting the
+step loop. See **Browser Navigation (optional)** below for the open
+command and fallback behavior.
+
+**Parse the `help` field into steps.** Two formats are supported:
+
+- **String form:** Parse numbered lines into steps (each line's text
+  becomes the step content). This is the original format.
+- **Structured list form:** `help` is an array of `{ text, url? }`
+  objects. Each entry's `text` is the step content. If `url` is
+  present, open it in the client's browser when the step is presented
+  (before the AskUserQuestion).
+
+Present one step at a time with progress:
+
+```
+**Step 2 of 6:** Click "Sign in" (not "Sign Up") and enter your email.
+Railway will send a 6-digit code to your inbox.
+
+[screenshot: Railway sign-in page]
+```
+
+**Screenshots:** If the item has a `screenshots` field (array of URLs),
+reference the relevant screenshot at each step. If Google Drive MCP
+tools are available (e.g., `mcp__claude_ai_Google_Drive__read_file_content`),
+use them to fetch the screenshot by file ID extracted from the URL.
+Otherwise, display the URL as a clickable link.
+
+**After each step**, ask:
+
+Use `AskUserQuestion`:
+- header: "Step"
+- question: "Step [N] of [M]: [step description summary]"
+- options:
+  - label: "Done, next step", description: "Move to the next step"
+  - label: "This isn't working", description: "I need help with this step"
+
+**If "This isn't working":**
+
+1. Show the relevant screenshot if available.
+
+2. Ask a structured diagnostic:
+
+   Use `AskUserQuestion`:
+   - header: "Symptom"
+   - question: "What do you see on your screen right now?"
+   - options:
+     - label: "Page looks different", description: "The page doesn't match what I expected"
+     - label: "Error message", description: "I see an error on the page"
+     - label: "Can't find it", description: "The button or link isn't there"
+
+   (The harness auto-adds an "Other" option for free-text input.)
+
+3. Based on the answer, provide targeted guidance.
+
+4. If still stuck after one round of diagnosis, offer:
+
+   Use `AskUserQuestion`:
+   - header: "Next"
+   - question: "Still stuck. What would you like to do?"
+   - options:
+     - label: "Message my consultant", description: "I'll draft a message describing the issue"
+     - label: "Skip for now", description: "Come back to this later"
+     - label: "Try again", description: "Let me retry this step"
+
+   **If "Message my consultant":**
+
+   Read `transport.consultant` from engagement.yaml for the recipient
+   email address.
+
+   Draft via Gmail MCP (`create_draft` tool — search available MCP
+   tools for one matching `Gmail` and `create_draft`). Set the `to`
+   field to the `transport.consultant` email. Include the step number,
+   what the client sees, the diagnostic answers, and the screenshot
+   URL if available.
+
+   Tell the client explicitly: **"I've saved a draft in your Gmail
+   — please review and send it."**
+
+   **If Gmail MCP is unavailable:** Display the full message text
+   and say: "Copy this and email it to [consultant name] at
+   [transport.consultant email]."
+
+   Mark item as `blocked`:
+   `recordAnswer(state, key, { mode: 'blocked', step_number: N, symptom: '<diagnostic answer>', blocked_at: new Date().toISOString() })`
+   Then call `saveState()`.
+
+   **If "Skip for now":**
+   Mark as deferred (not blocked — the client chose to skip, they
+   weren't stuck):
+   `recordAnswer(state, key, { mode: 'deferred', step_number: N, deferred_at: new Date().toISOString() })`
+   Then call `saveState()`.
+
+**After the last step**, if the item's `kind` is `credential`:
+
+Prep the client: "I'm about to show a secure input dialog — this is
+a separate window from our conversation, so the value stays private.
+Paste the [token/key/credential] you just copied."
+
+Invoke `capture-and-encrypt.mjs` via Bash. First resolve the paths:
+
+1. Read the public key relative path from `engagement.public_key`
+   (v2 format) or `meta.public_key` (v1 format) in engagement.yaml.
+2. Join it to the resolved ENGAGEMENT_DIR to get the absolute path.
+
+Then run (substituting the resolved absolute paths, quoted):
+```bash
+node "/absolute/path/to/engagement/capture-and-encrypt.mjs" \
+  --prompt "Paste your [service] [credential type]" \
+  --public-key "/absolute/path/to/engagement/consultant.pub.jwk"
+```
+
+**Handle each exit code:**
+- **Exit 0 (success):** The script writes a base64-encoded envelope to
+  stdout. Capture the stdout output, base64-decode it, parse the JSON,
+  and extract the `envelope_id` field. Then call:
+  `recordCredentialSent(state, key, envelopeId)`
+  Confirm to the client: "Credential captured and encrypted securely."
+- **Exit 2 (user cancelled):** "No problem — you can capture this
+  later." Leave the item incomplete.
+- **Exit 3 (dialog unavailable):** The secure input dialog is not
+  available on this device. Tell the client: "Secure input isn't
+  available on this device. You can capture this credential from a
+  Mac, or your consultant can help you enter it securely." Mark as
+  blocked with `{ mode: 'blocked', step_number: 'credential_capture', symptom: 'dialog_unavailable' }`.
+- **Exit 4 (encryption failed):** Log the error. Mark as needing retry
+  with `{ mode: 'blocked', step_number: 'credential_capture', symptom: 'encryption_error' }`.
+
+For non-credential items, record completion:
+- `kind: confirm` → `recordAnswer(state, key, { mode: 'confirmed', confirmed_at: new Date().toISOString() })`
+- `kind: provide` → `recordAnswer(state, key, { mode: 'provided', value: '<user input>', provided_at: new Date().toISOString() })`
+- `kind: decide` → `recordAnswer(state, key, { mode: 'decided', value: '<selected option>', decided_at: new Date().toISOString() })`
+
+### Path B: "Someone else will handle this"
+
+1. Ask: "Who should handle this?" — collect name and email.
+
+2. Draft a delegation email. Read `transport.consultant` from
+   engagement.yaml for the consultant's contact info.
+
+   Search available MCP tools for one matching `Gmail` and
+   `create_draft`. Use it to create the draft:
+
+   **Subject:** `[Engagement title] — [Service] account setup`
+
+   **Body:** Use the item's `delegate_instructions` field if present.
+   Otherwise, compose from the item's `help` field:
+   - What account to create and why
+   - Step-by-step instructions (from `help`)
+   - Screenshots (Drive links from `screenshots` field if present)
+   - What to give back: "Once you've created the account, give the
+     [credential] to [client name] directly — they'll enter it
+     securely." **Never ask the delegate to email credentials.**
+   - "If something isn't working, contact [transport.consultant email]"
+
+3. Tell the client: **"I've saved a draft in your Gmail — please
+   review it and send it to [name]."**
+
+4. **If Gmail MCP is unavailable:** Display the full email text and say
+   "Copy this and email it to [name] at [email]."
+
+5. Record:
+   `recordAnswer(state, key, { mode: 'delegated', delegate_name: '<name>', delegate_email: '<email>', delegated_at: new Date().toISOString() })`
+
+### Path C: "Skip for now"
+
+1. Explain the consequence of deferring this item — what won't work
+   without it. Use the `defer_consequence` field if present. Otherwise,
+   infer the impact from the item's `prompt` and `help` fields.
+
+2. Confirm: "Got it, we'll come back to this. Moving on."
+
+3. Record:
+   `recordAnswer(state, key, { mode: 'deferred', deferred_at: new Date().toISOString() })`
+
+### Path D: "I did it myself" (recovery — via "Already handled")
+
+1. Ask: "Do you have the [credential/info] handy?"
+
+2. If `kind: credential`: run the secure capture flow (same as Path A
+   final step — prep message, invoke capture-and-encrypt.mjs, capture
+   stdout, extract envelope_id, call recordCredentialSent).
+
+3. If `kind: provide`: ask for the value directly.
+   Record: `recordAnswer(state, key, { mode: 'provided', value: '<input>', provided_at: new Date().toISOString() })`
+
+3b. If `kind: decide`: ask the user to choose from the item's `options`.
+   Record: `recordAnswer(state, key, { mode: 'decided', value: '<selected option>', decided_at: new Date().toISOString() })`
+
+4. If `kind: confirm`: mark as confirmed.
+   Record: `recordAnswer(state, key, { mode: 'confirmed', confirmed_at: ... })`
+
+### Path E: "My consultant handled it" (recovery — via "Already handled")
+
+1. Confirm: "Noted — marking this as done."
+2. Record:
+   `recordAnswer(state, key, { mode: 'handled_by_consultant', noted_at: new Date().toISOString() })`
+
+## Save State After Each Item
+
+Call `saveState()` after every item completion, delegation, deferral,
+or block. State must survive session interruption — if the client
+closes mid-walkthrough, re-entry picks up where they left off.
+
+## Re-Entry Behavior
+
+When the skill is invoked and state already exists:
+
+1. Show the updated overview table (reflects current state).
+2. Summarize current status: "You've completed N items, N are
+   delegated, N are deferred, N are blocked."
+3. Offer: "Want to continue with the remaining items?"
+4. Resume from the first incomplete item.
+
+Items previously marked `blocked` get special treatment — use the
+recovery menu (Step 2) which offers "Try again":
+"Last time, [Service] was blocked at step N. Want to try again?"
+
+Items previously marked `deferred` get a gentle nudge, then the
+**base menu** (not the recovery menu):
+"You deferred [Service] last time. Ready to tackle it now?"
+
+## Summary
+
+After all items are addressed (or the client chooses to stop):
+
+```
+## Setup Summary
+
+✅ Done (3): Railway, Sentry, GA4
+🔄 Delegated (1): Cloudflare → Sydney
+⏸️ Deferred (1): GTM (not needed until marketing hire)
+🚫 Blocked (1): Postmark (waiting for account approval)
+
+**Monthly cost:** ~$35/month ($20 Railway + $15 Postmark)
+[Only if billing fields were present on items]
+
+**Next steps:**
+- Check your Gmail for the Cloudflare delegation draft — send it to Sydney
+- Postmark: your consultant will follow up about the account approval
+- GTM: revisit when you're ready to add marketing tags
+```
+
+## Browser Navigation (optional)
+
+When an item has a `signup_url` or a step has a `url`, open it in the
+client's **default browser** using the OS open command. This is a
+navigation aid only — the skill never types, clicks, submits, or
+auto-fills in the browser. The client performs every interaction.
+
+**Detect the open command:**
+- macOS: `open "<url>"`
+- Linux: `xdg-open "<url>"`
+- Windows: `start "" "<url>"`
+
+Detect the platform from `process.platform` (or `uname`) and pick the
+command. If the command errors or the platform is unrecognized, fall
+back to displaying the URL as a clickable link in the conversation.
+Do not block or warn — just continue with text-only.
+
+**When to open:**
+- **Item entry (Path A):** If `signup_url` is present, open it before
+  the step loop.
+- **Per step:** If the current step object has a `url`, open it when
+  the step is presented (before the AskUserQuestion).
+- **Paths B, C, D, E:** Do not open URLs — these paths don't involve
+  guided step-by-step interaction.
+
+**Why not an automation browser:** An automation-controlled browser
+(Playwright, Puppeteer) sets `navigator.webdriver=true`, triggering
+anti-bot detection on signup pages (Cloudflare Turnstile, reCAPTCHA).
+Page snapshots leak on-screen API keys into the conversation transcript
+— defeating the secure-dialog design. Opening the client's own browser
+avoids both risks.
+
+## Rules
+
+- **Never** accept or display credential plaintext in the conversation.
+- **Never** ask a delegate to email credentials. Credentials go through
+  the client via the secure OS dialog, always.
+- **Never** type, click, submit, or auto-fill in the client's browser.
+  The skill only opens pages. The client performs every interaction.
+- **Never** use browser automation tools (`browser_snapshot`,
+  `browser_click`, `browser_type`, `@playwright/mcp`, or similar) in
+  this skill. URLs open via the OS open command only.
+- **Never** mention other skills in the walkthrough. This is the
+  client's only interface.
+- **Always** prep the client before the secure input dialog appears.
+- **Always** tell the client explicitly to send Gmail drafts — drafts
+  are not sent automatically.
+- **Always** save state after each item. Session interruption must not
+  lose progress.
+- **Always** quote file paths when invoking Bash commands.
+- **Always** read `transport.consultant` from engagement.yaml for
+  consultant email — never fabricate an address.
+- Handle missing optional fields gracefully — billing, permissions,
+  screenshots, delegate_instructions, time_estimate, signup_url, and
+  defer_consequence are all optional. The skill works without them,
+  just with less context.
+- Handle both string and object formats for billing and permissions
+  fields — both are valid.
+- Handle both string and structured list formats for the `help` field
+  — both are valid. See Path A for parsing details.

package/templates/skills/validate/phases/validators.md

@@ -135,6 +135,18 @@ protocol, its checkpoints have either been re-inlined or dropped — both
 are drift. Skips silently if the protocol file isn't present (e.g., a
 project that hasn't adopted the split yet).
 
+### qa-dimensions
+
+```bash
+node scripts/qa-dimensions-validator.cjs
+```
+
+Catches malformed qa-dimensions.yaml: missing `dimensions:` key, empty
+map, dimensions without paths or severity or checks, invalid severity
+values (must be high|moderate|info), invalid tags (must be run|review).
+Exits 0 silently if qa-dimensions.yaml doesn't exist (the checklist
+engine is opt-in).
+
 ## Example Validators (commented — enable for your project)
 
 <!--