create-claude-cabinet 0.6.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE +21 -0
- package/README.md +196 -0
- package/bin/create-claude-cabinet.js +8 -0
- package/lib/cli.js +624 -0
- package/lib/copy.js +152 -0
- package/lib/db-setup.js +51 -0
- package/lib/metadata.js +42 -0
- package/lib/reset.js +193 -0
- package/lib/settings-merge.js +93 -0
- package/package.json +29 -0
- package/templates/EXTENSIONS.md +311 -0
- package/templates/README.md +485 -0
- package/templates/briefing/_briefing-api-template.md +21 -0
- package/templates/briefing/_briefing-architecture-template.md +16 -0
- package/templates/briefing/_briefing-cabinet-template.md +20 -0
- package/templates/briefing/_briefing-identity-template.md +18 -0
- package/templates/briefing/_briefing-scopes-template.md +39 -0
- package/templates/briefing/_briefing-template.md +148 -0
- package/templates/briefing/_briefing-work-tracking-template.md +18 -0
- package/templates/cabinet/committees-template.yaml +49 -0
- package/templates/cabinet/composition-patterns.md +240 -0
- package/templates/cabinet/eval-protocol.md +208 -0
- package/templates/cabinet/lifecycle.md +93 -0
- package/templates/cabinet/output-contract.md +148 -0
- package/templates/cabinet/prompt-guide.md +266 -0
- package/templates/hooks/cor-upstream-guard.sh +79 -0
- package/templates/hooks/git-guardrails.sh +67 -0
- package/templates/hooks/skill-telemetry.sh +66 -0
- package/templates/hooks/skill-tool-telemetry.sh +54 -0
- package/templates/hooks/stop-hook.md +56 -0
- package/templates/memory/patterns/_pattern-template.md +119 -0
- package/templates/memory/patterns/pattern-intelligence-first.md +41 -0
- package/templates/rules/enforcement-pipeline.md +151 -0
- package/templates/scripts/cor-drift-check.cjs +84 -0
- package/templates/scripts/finding-schema.json +94 -0
- package/templates/scripts/load-triage-history.js +151 -0
- package/templates/scripts/merge-findings.js +126 -0
- package/templates/scripts/pib-db-schema.sql +68 -0
- package/templates/scripts/pib-db.js +365 -0
- package/templates/scripts/triage-server.mjs +98 -0
- package/templates/scripts/triage-ui.html +536 -0
- package/templates/skills/audit/SKILL.md +273 -0
- package/templates/skills/audit/phases/finding-output.md +56 -0
- package/templates/skills/audit/phases/member-execution.md +83 -0
- package/templates/skills/audit/phases/member-selection.md +44 -0
- package/templates/skills/audit/phases/structural-checks.md +54 -0
- package/templates/skills/audit/phases/triage-history.md +45 -0
- package/templates/skills/cabinet-accessibility/SKILL.md +180 -0
- package/templates/skills/cabinet-anti-confirmation/SKILL.md +172 -0
- package/templates/skills/cabinet-architecture/SKILL.md +279 -0
- package/templates/skills/cabinet-boundary-man/SKILL.md +265 -0
- package/templates/skills/cabinet-cor-health/SKILL.md +342 -0
- package/templates/skills/cabinet-data-integrity/SKILL.md +157 -0
- package/templates/skills/cabinet-debugger/SKILL.md +221 -0
- package/templates/skills/cabinet-historian/SKILL.md +253 -0
- package/templates/skills/cabinet-organized-mind/SKILL.md +338 -0
- package/templates/skills/cabinet-process-therapist/SKILL.md +261 -0
- package/templates/skills/cabinet-qa/SKILL.md +205 -0
- package/templates/skills/cabinet-record-keeper/SKILL.md +168 -0
- package/templates/skills/cabinet-roster-check/SKILL.md +297 -0
- package/templates/skills/cabinet-security/SKILL.md +181 -0
- package/templates/skills/cabinet-small-screen/SKILL.md +154 -0
- package/templates/skills/cabinet-speed-freak/SKILL.md +169 -0
- package/templates/skills/cabinet-system-advocate/SKILL.md +194 -0
- package/templates/skills/cabinet-technical-debt/SKILL.md +115 -0
- package/templates/skills/cabinet-usability/SKILL.md +189 -0
- package/templates/skills/cabinet-workflow-cop/SKILL.md +238 -0
- package/templates/skills/cor-upgrade/SKILL.md +302 -0
- package/templates/skills/debrief/SKILL.md +409 -0
- package/templates/skills/debrief/phases/auto-maintenance.md +48 -0
- package/templates/skills/debrief/phases/close-work.md +88 -0
- package/templates/skills/debrief/phases/health-checks.md +54 -0
- package/templates/skills/debrief/phases/inventory.md +40 -0
- package/templates/skills/debrief/phases/loose-ends.md +52 -0
- package/templates/skills/debrief/phases/record-lessons.md +67 -0
- package/templates/skills/debrief/phases/report.md +59 -0
- package/templates/skills/debrief/phases/update-state.md +48 -0
- package/templates/skills/debrief/phases/upstream-feedback.md +129 -0
- package/templates/skills/debrief-quick/SKILL.md +12 -0
- package/templates/skills/execute/SKILL.md +293 -0
- package/templates/skills/execute/phases/cabinet.md +49 -0
- package/templates/skills/execute/phases/commit-and-deploy.md +66 -0
- package/templates/skills/execute/phases/load-plan.md +49 -0
- package/templates/skills/execute/phases/validators.md +50 -0
- package/templates/skills/execute/phases/verification-tools.md +67 -0
- package/templates/skills/extract/SKILL.md +168 -0
- package/templates/skills/investigate/SKILL.md +160 -0
- package/templates/skills/link/SKILL.md +52 -0
- package/templates/skills/menu/SKILL.md +61 -0
- package/templates/skills/onboard/SKILL.md +356 -0
- package/templates/skills/onboard/phases/detect-state.md +79 -0
- package/templates/skills/onboard/phases/generate-briefing.md +127 -0
- package/templates/skills/onboard/phases/generate-session-loop.md +87 -0
- package/templates/skills/onboard/phases/interview.md +233 -0
- package/templates/skills/onboard/phases/modularity-menu.md +162 -0
- package/templates/skills/onboard/phases/options.md +98 -0
- package/templates/skills/onboard/phases/post-onboard-audit.md +121 -0
- package/templates/skills/onboard/phases/summary.md +122 -0
- package/templates/skills/onboard/phases/work-tracking.md +231 -0
- package/templates/skills/orient/SKILL.md +251 -0
- package/templates/skills/orient/phases/auto-maintenance.md +48 -0
- package/templates/skills/orient/phases/briefing.md +53 -0
- package/templates/skills/orient/phases/cabinet.md +46 -0
- package/templates/skills/orient/phases/context.md +63 -0
- package/templates/skills/orient/phases/data-sync.md +35 -0
- package/templates/skills/orient/phases/health-checks.md +50 -0
- package/templates/skills/orient/phases/work-scan.md +69 -0
- package/templates/skills/orient-quick/SKILL.md +12 -0
- package/templates/skills/plan/SKILL.md +358 -0
- package/templates/skills/plan/phases/cabinet-critique.md +47 -0
- package/templates/skills/plan/phases/calibration-examples.md +75 -0
- package/templates/skills/plan/phases/completeness-check.md +44 -0
- package/templates/skills/plan/phases/composition-check.md +36 -0
- package/templates/skills/plan/phases/overlap-check.md +62 -0
- package/templates/skills/plan/phases/plan-template.md +69 -0
- package/templates/skills/plan/phases/present.md +60 -0
- package/templates/skills/plan/phases/research.md +43 -0
- package/templates/skills/plan/phases/work-tracker.md +95 -0
- package/templates/skills/publish/SKILL.md +74 -0
- package/templates/skills/pulse/SKILL.md +242 -0
- package/templates/skills/pulse/phases/auto-fix-scope.md +40 -0
- package/templates/skills/pulse/phases/checks.md +58 -0
- package/templates/skills/pulse/phases/output.md +54 -0
- package/templates/skills/seed/SKILL.md +257 -0
- package/templates/skills/seed/phases/build-member.md +93 -0
- package/templates/skills/seed/phases/evaluate-existing.md +61 -0
- package/templates/skills/seed/phases/maintain.md +92 -0
- package/templates/skills/seed/phases/scan-signals.md +86 -0
- package/templates/skills/triage-audit/SKILL.md +251 -0
- package/templates/skills/triage-audit/phases/apply-verdicts.md +90 -0
- package/templates/skills/triage-audit/phases/load-findings.md +38 -0
- package/templates/skills/triage-audit/phases/triage-ui.md +66 -0
- package/templates/skills/unlink/SKILL.md +35 -0
- package/templates/skills/validate/SKILL.md +116 -0
- package/templates/skills/validate/phases/validators.md +53 -0
|
@@ -0,0 +1,273 @@
|
|
|
1
|
+
---
|
|
2
|
+
model: opus
|
|
3
|
+
name: audit
|
|
4
|
+
description: |
|
|
5
|
+
Convene the full cabinet for a quality review. Each cabinet member examines
|
|
6
|
+
the project from their domain — security, performance, accessibility, and
|
|
7
|
+
so on — and reports what they find. Like calling a cabinet meeting where
|
|
8
|
+
every advisor reviews the state of things and flags what needs attention.
|
|
9
|
+
Use when: "audit", "run an audit", "/audit", scheduled audit trigger,
|
|
10
|
+
or significant milestone.
|
|
11
|
+
related:
|
|
12
|
+
- type: file
|
|
13
|
+
path: .claude/skills/audit/phases/member-selection.md
|
|
14
|
+
role: "Project-specific: which cabinet members to run"
|
|
15
|
+
- type: file
|
|
16
|
+
path: .claude/skills/audit/phases/structural-checks.md
|
|
17
|
+
role: "Project-specific: fast structural checks before full audit"
|
|
18
|
+
- type: file
|
|
19
|
+
path: .claude/skills/audit/phases/triage-history.md
|
|
20
|
+
role: "Project-specific: how to load suppression lists"
|
|
21
|
+
- type: file
|
|
22
|
+
path: .claude/skills/audit/phases/member-execution.md
|
|
23
|
+
role: "Project-specific: how to run cabinet member agents"
|
|
24
|
+
- type: file
|
|
25
|
+
path: .claude/skills/audit/phases/finding-output.md
|
|
26
|
+
role: "Project-specific: how to persist and report findings"
|
|
27
|
+
- type: file
|
|
28
|
+
path: cabinet/output-contract.md
|
|
29
|
+
role: "How cabinet members report their findings"
|
|
30
|
+
- type: file
|
|
31
|
+
path: cabinet/_briefing.md
|
|
32
|
+
role: "Project identity and configuration"
|
|
33
|
+
- type: file
|
|
34
|
+
path: scripts/finding-schema.json
|
|
35
|
+
role: "JSON Schema for finding validation"
|
|
36
|
+
- type: file
|
|
37
|
+
path: scripts/merge-findings.js
|
|
38
|
+
role: "Merges per-member JSON into run-summary.json"
|
|
39
|
+
- type: file
|
|
40
|
+
path: scripts/load-triage-history.js
|
|
41
|
+
role: "Builds suppression lists from triage history"
|
|
42
|
+
- type: file
|
|
43
|
+
path: scripts/pib-db.js
|
|
44
|
+
role: "Reference data layer for finding persistence"
|
|
45
|
+
---
|
|
46
|
+
|
|
47
|
+
# /audit — Convene the Cabinet
|
|
48
|
+
|
|
49
|
+
## Purpose
|
|
50
|
+
|
|
51
|
+
Call a full cabinet meeting. Every cabinet member examines the project
|
|
52
|
+
from their domain and reports what they find — the way a board of
|
|
53
|
+
advisors would review the state of operations. Without this, the only
|
|
54
|
+
learning channel is friction the user notices during active work. But
|
|
55
|
+
some problems accumulate silently — a convention erodes across ten
|
|
56
|
+
commits, a subsystem degrades gradually, an architectural decision's
|
|
57
|
+
consequences only become visible at scale.
|
|
58
|
+
The audit catches what individual sessions miss.
|
|
59
|
+
|
|
60
|
+
This is a **skeleton skill** using the `phases/` directory pattern. The
|
|
61
|
+
orchestration (what to do and in what order) is generic. Your project
|
|
62
|
+
defines the specifics — which cabinet members to run, what fast checks to
|
|
63
|
+
apply, how to persist findings — in phase files under `phases/`.
|
|
64
|
+
|
|
65
|
+
### Phase File Protocol
|
|
66
|
+
|
|
67
|
+
Phase files have three states:
|
|
68
|
+
|
|
69
|
+
| State | Meaning |
|
|
70
|
+
|-------|---------|
|
|
71
|
+
| Absent or empty | Use this skeleton's **default behavior** for the phase |
|
|
72
|
+
| Contains only `skip: true` | **Explicitly opted out** — skip this phase entirely |
|
|
73
|
+
| Contains content | **Custom behavior** — use the file's content instead |
|
|
74
|
+
|
|
75
|
+
The skeleton always does something reasonable when a phase file is absent.
|
|
76
|
+
Phase files customize, not enable. Use `skip: true` when you actively
|
|
77
|
+
don't want a phase to run — not even the default.
|
|
78
|
+
|
|
79
|
+
## Identity
|
|
80
|
+
|
|
81
|
+
You are the auditor. You don't build — you observe, reason, and propose.
|
|
82
|
+
Your job is to surface what the system's daily operators can't see because
|
|
83
|
+
they're inside it. You approach the codebase as an outsider with fresh
|
|
84
|
+
eyes, checking whether what the system claims to be matches what it
|
|
85
|
+
actually is.
|
|
86
|
+
|
|
87
|
+
You are not a linter. You don't flag style violations or enforce
|
|
88
|
+
arbitrary standards. You use cabinet members — named lenses that
|
|
89
|
+
each bring domain knowledge and specific concerns. A cabinet member on
|
|
90
|
+
accessibility looks at the UI differently than a cabinet member on data
|
|
91
|
+
integrity looks at the persistence layer. The combination of
|
|
92
|
+
cabinet members produces a holistic picture that no single viewpoint
|
|
93
|
+
could achieve.
|
|
94
|
+
|
|
95
|
+
Your findings are suggestions. Every one goes through triage where the
|
|
96
|
+
user confirms, defers, or rejects it. A high rejection rate means your
|
|
97
|
+
calibration is off — you're flagging things that don't matter to this
|
|
98
|
+
project. Adjust.
|
|
99
|
+
|
|
100
|
+
## When to Run
|
|
101
|
+
|
|
102
|
+
- On a schedule (weekly, after milestones, before releases)
|
|
103
|
+
- When the user asks for an audit
|
|
104
|
+
- After significant architectural changes
|
|
105
|
+
- When a new cabinet member is adopted (run it once to establish baseline)
|
|
106
|
+
|
|
107
|
+
## Workflow
|
|
108
|
+
|
|
109
|
+
### 1. Select Cabinet Members (core)
|
|
110
|
+
|
|
111
|
+
Read `phases/member-selection.md` for which cabinet members to run.
|
|
112
|
+
|
|
113
|
+
**Default (absent/empty):** Discover all cabinet members from
|
|
114
|
+
`skills/cabinet-*/SKILL.md`. If `cabinet/committees.yaml`
|
|
115
|
+
exists (copied from `committees-template.yaml`), present committees and let the
|
|
116
|
+
user choose which to run. If no committees file exists, run all discovered
|
|
117
|
+
cabinet members.
|
|
118
|
+
|
|
119
|
+
The selection determines what the audit looks at. A full audit runs
|
|
120
|
+
everything; a focused audit runs one committee or a specific set of
|
|
121
|
+
cabinet members.
|
|
122
|
+
|
|
123
|
+
### 2. Fast Structural Checks (core)
|
|
124
|
+
|
|
125
|
+
Read `phases/structural-checks.md` for fast, deterministic checks to run before
|
|
126
|
+
the full cabinet member-based audit. These are things like linters, type
|
|
127
|
+
checkers, validation scripts — anything that gives immediate signal
|
|
128
|
+
without AI interpretation.
|
|
129
|
+
|
|
130
|
+
**Skip (absent/empty).** Most projects start without structural checks
|
|
131
|
+
and add them as they discover invariants worth verifying automatically.
|
|
132
|
+
Structural checks are an optimization, not a prerequisite.
|
|
133
|
+
|
|
134
|
+
### 3. Load Triage Suppression (core)
|
|
135
|
+
|
|
136
|
+
Read `phases/triage-history.md` for how to build the suppression list
|
|
137
|
+
of previously-triaged findings.
|
|
138
|
+
|
|
139
|
+
**Default (absent/empty):** Run `scripts/load-triage-history.js` to
|
|
140
|
+
build suppression lists. This script tries the reference data layer
|
|
141
|
+
(pib-db) first, then falls back to scanning `reviews/*/triage.json`
|
|
142
|
+
files. The result is a JSON object with rejected and deferred finding
|
|
143
|
+
IDs and fingerprints.
|
|
144
|
+
|
|
145
|
+
Pass the suppression list to each cabinet member agent so they skip
|
|
146
|
+
findings that were already rejected or deferred. Without suppression,
|
|
147
|
+
every audit regenerates the same findings the user already dismissed,
|
|
148
|
+
and the triage queue becomes useless.
|
|
149
|
+
|
|
150
|
+
### 4. Execute Cabinet Member Agents (core)
|
|
151
|
+
|
|
152
|
+
Read `phases/member-execution.md` for how to spawn and manage
|
|
153
|
+
cabinet member agents.
|
|
154
|
+
|
|
155
|
+
**Default (absent/empty):** For each selected cabinet member:
|
|
156
|
+
1. Read the cabinet member's `SKILL.md` for domain knowledge and concerns
|
|
157
|
+
2. Read `cabinet/_briefing.md` for project identity
|
|
158
|
+
3. Read `cabinet/output-contract.md` for output format
|
|
159
|
+
4. Pass the suppression list from step 3
|
|
160
|
+
5. Spawn as an agent (parallel when possible)
|
|
161
|
+
|
|
162
|
+
Each cabinet member agent follows a two-phase protocol:
|
|
163
|
+
- **Phase A — Explore:** Read broadly, examine the codebase through this
|
|
164
|
+
cabinet member's lens. Take notes on everything observed.
|
|
165
|
+
- **Phase B — Rank and emit:** From everything observed, select the top
|
|
166
|
+
5-8 findings that matter most. Apply the output contract. Emit JSON.
|
|
167
|
+
|
|
168
|
+
The two-phase protocol prevents premature commitment — the cabinet member
|
|
169
|
+
sees everything before deciding what to report. Without it, the first
|
|
170
|
+
interesting thing found dominates the output.
|
|
171
|
+
|
|
172
|
+
### 5. Merge and Persist Findings (core)
|
|
173
|
+
|
|
174
|
+
Read `phases/finding-output.md` for how to persist and report the
|
|
175
|
+
audit results.
|
|
176
|
+
|
|
177
|
+
**Default (absent/empty):**
|
|
178
|
+
1. Create a timestamped run directory: `reviews/YYYY-MM-DD/HH-MM-SS/`
|
|
179
|
+
2. Write each cabinet member's JSON output to the run directory
|
|
180
|
+
3. Run `scripts/merge-findings.js <run-dir>` to produce `run-summary.json`
|
|
181
|
+
4. Run `scripts/merge-findings.js <run-dir> --db` to also ingest into
|
|
182
|
+
the reference data layer (if pib-db is initialized)
|
|
183
|
+
5. Present findings summary: total count, breakdown by severity, by
|
|
184
|
+
cabinet member, and highlight any critical findings
|
|
185
|
+
|
|
186
|
+
After persisting, remind the user about triage: findings need human
|
|
187
|
+
judgment before they drive action. Use `/triage-audit` to review and
|
|
188
|
+
decide on findings.
|
|
189
|
+
|
|
190
|
+
### 6. Discover Custom Phases
|
|
191
|
+
|
|
192
|
+
After running the core phases above, check for any additional phase
|
|
193
|
+
files in `phases/` that the skeleton doesn't define. These are project-
|
|
194
|
+
specific extensions. Each custom phase file declares its position in
|
|
195
|
+
the workflow. Execute them at their declared position.
|
|
196
|
+
|
|
197
|
+
## Phase Summary
|
|
198
|
+
|
|
199
|
+
| Phase | Absent = | What it customizes |
|
|
200
|
+
|-------|----------|-------------------|
|
|
201
|
+
| `member-selection.md` | Default: discover all, present committees if available | Which cabinet members to run |
|
|
202
|
+
| `structural-checks.md` | Skip | Fast structural checks before full audit |
|
|
203
|
+
| `triage-history.md` | Default: run load-triage-history.js | How to load suppression lists |
|
|
204
|
+
| `member-execution.md` | Default: parallel agents with two-phase protocol | How to run cabinet member agents |
|
|
205
|
+
| `finding-output.md` | Default: timestamped dir + merge + pib-db ingest | How to persist and report findings |
|
|
206
|
+
|
|
207
|
+
## How Audit Connects to Other Skills
|
|
208
|
+
|
|
209
|
+
**Orient** verifies operational state — is the system running, is data
|
|
210
|
+
fresh, are processes alive? **Audit** verifies quality and alignment —
|
|
211
|
+
does the system do what it claims, is it drifting, are conventions
|
|
212
|
+
holding? Orient runs every session; audit runs periodically or on
|
|
213
|
+
demand.
|
|
214
|
+
|
|
215
|
+
**Debrief** captures session-specific lessons — what was learned during
|
|
216
|
+
this work session. **Audit** captures systematic observations from
|
|
217
|
+
cabinet members — what would a specialist notice? Debrief lessons
|
|
218
|
+
come from doing; audit findings come from looking.
|
|
219
|
+
|
|
220
|
+
**Triage-audit** is the audit's partner. Audit generates findings;
|
|
221
|
+
triage presents them for human judgment. Without triage, findings
|
|
222
|
+
accumulate and are never acted on. Without audit, triage has nothing
|
|
223
|
+
to triage. They form a closed loop.
|
|
224
|
+
|
|
225
|
+
**Pulse** watches self-description accuracy — do counts match, do
|
|
226
|
+
documented states match reality? Audit watches quality through domain
|
|
227
|
+
cabinet member lenses. Pulse is fast and embedded; audit is thorough and
|
|
228
|
+
standalone.
|
|
229
|
+
|
|
230
|
+
## Extending
|
|
231
|
+
|
|
232
|
+
To customize a phase: write content in the corresponding `phases/` file.
|
|
233
|
+
To skip a phase: write only `skip: true` in the file.
|
|
234
|
+
To add a phase the skeleton doesn't define: create a new file in
|
|
235
|
+
`phases/` with a description of when it runs relative to the core
|
|
236
|
+
phases. Claude reads whatever phase files exist at runtime.
|
|
237
|
+
|
|
238
|
+
Examples of phases mature projects add:
|
|
239
|
+
- Auto-fix execution (attempt fixes for autoFixable findings after triage)
|
|
240
|
+
- Trend analysis (compare this run to previous runs for improvement/regression)
|
|
241
|
+
- Notification (alert external systems when critical findings appear)
|
|
242
|
+
- Cabinet member evaluation (track which cabinet members consistently produce
|
|
243
|
+
useful findings vs noise)
|
|
244
|
+
|
|
245
|
+
## Calibration
|
|
246
|
+
|
|
247
|
+
**Core failure this targets:** Quality drift that accumulates silently
|
|
248
|
+
between sessions because no one is systematically looking for it.
|
|
249
|
+
|
|
250
|
+
### Without Skill (Bad)
|
|
251
|
+
|
|
252
|
+
The project grows over months. Conventions established early erode as
|
|
253
|
+
new code ignores them. A subsystem that worked at small scale starts
|
|
254
|
+
showing strain. An architectural decision's consequences become visible
|
|
255
|
+
only when the tenth module follows the same broken pattern. No one
|
|
256
|
+
notices because each session focuses on the task at hand, not on the
|
|
257
|
+
whole.
|
|
258
|
+
|
|
259
|
+
Six months later, a refactoring effort reveals a dozen intertwined
|
|
260
|
+
issues that could have been caught individually. The cost of fixing
|
|
261
|
+
them all at once is 10x what incremental fixes would have been.
|
|
262
|
+
|
|
263
|
+
### With Skill (Good)
|
|
264
|
+
|
|
265
|
+
Every two weeks, the audit runs. Cabinet member agents examine the codebase
|
|
266
|
+
through different lenses — architecture, code quality, UX, security,
|
|
267
|
+
process adherence. Findings go through triage: the user fixes what
|
|
268
|
+
matters, defers what can wait, rejects what's noise. Each cabinet member
|
|
269
|
+
learns from rejections (calibration drift). Conventions stay enforced
|
|
270
|
+
because someone is checking. Drift is caught at one commit, not ten.
|
|
271
|
+
|
|
272
|
+
The system maintains quality not through heroic effort but through
|
|
273
|
+
regular, structured observation.
|
|
@@ -0,0 +1,56 @@
|
|
|
1
|
+
# Finding Output — Persisting and Reporting Results
|
|
2
|
+
|
|
3
|
+
Define how to persist audit findings and present the results. The /audit
|
|
4
|
+
skill reads this file after all cabinet member agents have completed.
|
|
5
|
+
|
|
6
|
+
When this file is absent or empty, the default behavior is: write JSON
|
|
7
|
+
to a timestamped run directory, merge with `scripts/merge-findings.js`,
|
|
8
|
+
ingest to pib-db, and present a summary. To explicitly skip output,
|
|
9
|
+
write only `skip: true`.
|
|
10
|
+
|
|
11
|
+
## What to Include
|
|
12
|
+
|
|
13
|
+
Define your output strategy:
|
|
14
|
+
- **Storage** — where findings go (filesystem, database, API, all three)
|
|
15
|
+
- **Merge** — how per-cabinet-member outputs are combined
|
|
16
|
+
- **Reporting** — what to show the user and in what format
|
|
17
|
+
- **Next steps** — what to do after findings are persisted
|
|
18
|
+
|
|
19
|
+
## Default Behavior
|
|
20
|
+
|
|
21
|
+
1. **Create run directory:** `reviews/YYYY-MM-DD/HH-MM-SS/`
|
|
22
|
+
2. **Write cabinet member JSON:** One file per cabinet member in the run directory
|
|
23
|
+
3. **Merge findings:** Run `node scripts/merge-findings.js <run-dir>`
|
|
24
|
+
to produce `run-summary.json` with deduplicated findings and metadata
|
|
25
|
+
4. **Ingest to database:** Run `node scripts/merge-findings.js <run-dir> --db`
|
|
26
|
+
to also store findings in the reference data layer (pib-db). If pib-db
|
|
27
|
+
is not initialized, findings are still saved as JSON files.
|
|
28
|
+
5. **Present summary:**
|
|
29
|
+
- Total finding count and breakdown by severity
|
|
30
|
+
- Findings by cabinet member
|
|
31
|
+
- Any critical findings highlighted
|
|
32
|
+
- Positive findings (healthy subsystems)
|
|
33
|
+
6. **Prompt for triage:** Remind the user that findings need human judgment.
|
|
34
|
+
Use `/triage-audit` to review, approve, defer, or reject findings.
|
|
35
|
+
|
|
36
|
+
## Example Override
|
|
37
|
+
|
|
38
|
+
Uncomment and adapt if your project stores findings elsewhere:
|
|
39
|
+
|
|
40
|
+
<!--
|
|
41
|
+
### External API Storage
|
|
42
|
+
```bash
|
|
43
|
+
curl -X POST https://your-api.example.com/api/audit/findings \
|
|
44
|
+
-H "Content-Type: application/json" \
|
|
45
|
+
-H "Authorization: Bearer $API_TOKEN" \
|
|
46
|
+
-d @run-summary.json
|
|
47
|
+
```
|
|
48
|
+
Post findings to an external API instead of (or in addition to)
|
|
49
|
+
local storage. Useful when audit results need to be visible in
|
|
50
|
+
a dashboard or shared with a team.
|
|
51
|
+
|
|
52
|
+
### Custom Reporting
|
|
53
|
+
Instead of the default summary, generate a markdown report at
|
|
54
|
+
`reviews/YYYY-MM-DD/audit-report.md` with full finding details,
|
|
55
|
+
trend comparisons, and recommended priority order.
|
|
56
|
+
-->
|
|
@@ -0,0 +1,83 @@
|
|
|
1
|
+
# Member Execution — Running Cabinet Member Agents
|
|
2
|
+
|
|
3
|
+
Define how to spawn and manage cabinet member agents during the audit.
|
|
4
|
+
The /audit skill reads this file after loading triage suppression.
|
|
5
|
+
|
|
6
|
+
When this file is absent or empty, the default behavior is: spawn
|
|
7
|
+
each selected cabinet member as a parallel agent following the two-phase
|
|
8
|
+
protocol (explore broadly, then rank and emit top 5-8 findings).
|
|
9
|
+
To explicitly skip execution, write only `skip: true`.
|
|
10
|
+
|
|
11
|
+
## What to Include
|
|
12
|
+
|
|
13
|
+
Define your execution strategy:
|
|
14
|
+
- **Agent spawning** — parallel vs sequential, timeout limits, resource caps
|
|
15
|
+
- **Context loading** — what each agent receives beyond its cabinet member SKILL.md
|
|
16
|
+
- **Protocol** — how agents should approach their audit (explore-then-rank
|
|
17
|
+
vs checklist vs other)
|
|
18
|
+
- **Error handling** — what to do when an agent fails or times out
|
|
19
|
+
|
|
20
|
+
## Briefing Loading
|
|
21
|
+
|
|
22
|
+
Each cabinet member declares which briefing files it needs via a `briefing`
|
|
23
|
+
list in its SKILL.md frontmatter. The loading protocol:
|
|
24
|
+
|
|
25
|
+
1. **Read the cabinet member's `briefing` frontmatter field** to get the list
|
|
26
|
+
of briefing files it needs (e.g., `_briefing-identity.md`,
|
|
27
|
+
`_briefing-architecture.md`).
|
|
28
|
+
2. **Always load `_briefing-identity.md`** regardless of whether it's
|
|
29
|
+
declared — every cabinet member needs project identity.
|
|
30
|
+
3. **Load each declared file** from `cabinet/`.
|
|
31
|
+
4. **Fallback:** If declared files don't exist, or if the cabinet member has
|
|
32
|
+
no `briefing` field in its frontmatter, fall back to reading
|
|
33
|
+
`_briefing.md` directly. This works for both the hub format (which
|
|
34
|
+
indexes split files) and the old monolithic format (which contains
|
|
35
|
+
everything inline).
|
|
36
|
+
|
|
37
|
+
This means existing projects with a single monolithic `_briefing.md`
|
|
38
|
+
continue to work without changes.
|
|
39
|
+
|
|
40
|
+
## Default Protocol
|
|
41
|
+
|
|
42
|
+
Each cabinet member agent receives:
|
|
43
|
+
1. The cabinet member's `SKILL.md` — domain knowledge and specific concerns
|
|
44
|
+
2. Briefing files — loaded per the briefing loading protocol above
|
|
45
|
+
3. `cabinet/output-contract.md` — structured output format
|
|
46
|
+
4. The suppression list — previously-triaged finding IDs and fingerprints
|
|
47
|
+
|
|
48
|
+
The agent follows a two-phase protocol:
|
|
49
|
+
|
|
50
|
+
**Phase A — Explore thoroughly.** Read broadly through the codebase with
|
|
51
|
+
this cabinet member's lens. Take notes on everything observed — patterns,
|
|
52
|
+
concerns, healthy subsystems, potential issues. Don't commit to findings
|
|
53
|
+
yet. The goal is to see the whole picture before deciding what matters.
|
|
54
|
+
|
|
55
|
+
**Phase B — Rank and emit.** From everything observed, select the top
|
|
56
|
+
5-8 findings that matter most to this project right now. Apply the
|
|
57
|
+
output contract (assumption + evidence + question for each). Emit
|
|
58
|
+
structured JSON. Include 1-2 positive findings for healthy subsystems.
|
|
59
|
+
|
|
60
|
+
The two-phase protocol prevents premature commitment. Without it, the
|
|
61
|
+
first interesting thing found dominates the output, and deeper or more
|
|
62
|
+
important issues are missed.
|
|
63
|
+
|
|
64
|
+
## Example Override
|
|
65
|
+
|
|
66
|
+
Uncomment and adapt for your project:
|
|
67
|
+
|
|
68
|
+
<!--
|
|
69
|
+
### Sequential with Timeouts
|
|
70
|
+
Run cabinet members one at a time with a 3-minute timeout each.
|
|
71
|
+
Useful when running on constrained infrastructure.
|
|
72
|
+
|
|
73
|
+
### Checklist Mode
|
|
74
|
+
Instead of explore-then-rank, give each cabinet member a specific
|
|
75
|
+
checklist of things to verify. Faster but less likely to discover
|
|
76
|
+
unexpected issues. Good for regression audits where you know what
|
|
77
|
+
to check.
|
|
78
|
+
|
|
79
|
+
### Grouped Execution
|
|
80
|
+
Run cabinet members in their committees (from committees.yaml), presenting
|
|
81
|
+
results per committee before moving to the next. Allows the user to
|
|
82
|
+
skip remaining committees if early findings need immediate attention.
|
|
83
|
+
-->
|
|
@@ -0,0 +1,44 @@
|
|
|
1
|
+
# Member Selection — Which Cabinet Members to Run
|
|
2
|
+
|
|
3
|
+
Define how the audit selects which cabinet members to run. The /audit skill
|
|
4
|
+
reads this file before spawning cabinet member agents.
|
|
5
|
+
|
|
6
|
+
When this file is absent or empty, the default behavior is: discover all
|
|
7
|
+
cabinet members from `skills/cabinet-*/SKILL.md`, present committees if
|
|
8
|
+
`committees.yaml` exists, otherwise run all. To explicitly skip member
|
|
9
|
+
selection (and run no audit), write only `skip: true`.
|
|
10
|
+
|
|
11
|
+
## What to Include
|
|
12
|
+
|
|
13
|
+
Define your selection strategy:
|
|
14
|
+
- **Discovery** — where to find available cabinet members
|
|
15
|
+
- **Grouping** — how cabinet members are organized (committees, tiers, categories)
|
|
16
|
+
- **Default set** — what runs when no specific request is made
|
|
17
|
+
- **Selection interface** — how the user chooses (menu, flags, auto)
|
|
18
|
+
|
|
19
|
+
## Example Strategies
|
|
20
|
+
|
|
21
|
+
Uncomment and adapt for your project:
|
|
22
|
+
|
|
23
|
+
<!--
|
|
24
|
+
### Run All (simplest)
|
|
25
|
+
Discover all cabinet members in `skills/cabinet-*/SKILL.md`.
|
|
26
|
+
Run every one. Good for small projects with few cabinet members.
|
|
27
|
+
|
|
28
|
+
### Committee-Based Selection
|
|
29
|
+
Read `cabinet/committees.yaml` for committee definitions.
|
|
30
|
+
Present committees to the user:
|
|
31
|
+
1. ux — accessibility, small-screen
|
|
32
|
+
2. code — technical-debt, architecture
|
|
33
|
+
3. health — security, data-integrity, speed-freak
|
|
34
|
+
4. process — workflow-cop, record-keeper
|
|
35
|
+
|
|
36
|
+
Cross-portfolio cabinet members (marked in committees.yaml) always run
|
|
37
|
+
regardless of committee selection.
|
|
38
|
+
|
|
39
|
+
### Targeted Audit
|
|
40
|
+
Accept a cabinet member name or committee as an argument:
|
|
41
|
+
/audit security — run only the security cabinet member
|
|
42
|
+
/audit --committee health — run the health committee
|
|
43
|
+
/audit --all — run everything
|
|
44
|
+
-->
|
|
@@ -0,0 +1,54 @@
|
|
|
1
|
+
# Structural Checks — Fast Deterministic Validation
|
|
2
|
+
|
|
3
|
+
Define fast, deterministic checks to run before the full cabinet member-based
|
|
4
|
+
audit. The /audit skill reads this file after cabinet member selection.
|
|
5
|
+
|
|
6
|
+
When this file is absent or empty, structural checks are skipped. Most
|
|
7
|
+
projects start without them and add checks as they discover invariants
|
|
8
|
+
worth verifying automatically. To explicitly skip, write only `skip: true`.
|
|
9
|
+
|
|
10
|
+
## What to Include
|
|
11
|
+
|
|
12
|
+
For each check, provide:
|
|
13
|
+
- **What** — the command or script to run
|
|
14
|
+
- **Why** — what invariant it verifies
|
|
15
|
+
- **On failure** — how to surface the result (block audit, warn, or note)
|
|
16
|
+
|
|
17
|
+
Structural checks should be fast (seconds, not minutes) and deterministic
|
|
18
|
+
(same input always produces same output). They complement the AI-driven
|
|
19
|
+
cabinet member audit with mechanical verification.
|
|
20
|
+
|
|
21
|
+
## Example Checks
|
|
22
|
+
|
|
23
|
+
Uncomment and adapt for your project:
|
|
24
|
+
|
|
25
|
+
<!--
|
|
26
|
+
### Type Checking
|
|
27
|
+
```bash
|
|
28
|
+
npx tsc --noEmit
|
|
29
|
+
```
|
|
30
|
+
Catches type errors that cabinet members might miss or waste time on.
|
|
31
|
+
On failure: include type errors in the audit report as pre-findings.
|
|
32
|
+
|
|
33
|
+
### Lint
|
|
34
|
+
```bash
|
|
35
|
+
npx eslint src/ --format json
|
|
36
|
+
```
|
|
37
|
+
Catches style violations so cabinet members can focus on deeper issues.
|
|
38
|
+
On failure: summarize violations, don't block audit.
|
|
39
|
+
|
|
40
|
+
### Validation Scripts
|
|
41
|
+
```bash
|
|
42
|
+
node scripts/validate-structure.sh
|
|
43
|
+
```
|
|
44
|
+
Project-specific structural invariants (e.g., every module has tests,
|
|
45
|
+
every API endpoint has documentation, every entity type has a schema).
|
|
46
|
+
On failure: include as findings with source "structural-check".
|
|
47
|
+
|
|
48
|
+
### Dependency Audit
|
|
49
|
+
```bash
|
|
50
|
+
npm audit --json
|
|
51
|
+
```
|
|
52
|
+
Known vulnerability scan before the security cabinet member runs.
|
|
53
|
+
On failure: include as pre-findings for the security cabinet member.
|
|
54
|
+
-->
|
|
@@ -0,0 +1,45 @@
|
|
|
1
|
+
# Triage History — Loading Suppression Lists
|
|
2
|
+
|
|
3
|
+
Define how to load previously-triaged findings so the audit doesn't
|
|
4
|
+
regenerate findings the user already dismissed. The /audit skill reads
|
|
5
|
+
this file before spawning cabinet member agents.
|
|
6
|
+
|
|
7
|
+
When this file is absent or empty, the default behavior is: run
|
|
8
|
+
`scripts/load-triage-history.js` which tries the reference data layer
|
|
9
|
+
(pib-db) first, then falls back to scanning `reviews/*/triage.json`
|
|
10
|
+
files. To explicitly skip suppression (regenerate all findings fresh),
|
|
11
|
+
write only `skip: true`.
|
|
12
|
+
|
|
13
|
+
## What to Include
|
|
14
|
+
|
|
15
|
+
Define your suppression strategy:
|
|
16
|
+
- **Source** — where triage decisions are stored
|
|
17
|
+
- **Format** — what the suppression list looks like
|
|
18
|
+
- **Scope** — how far back to look (all time, last 30 days, etc.)
|
|
19
|
+
|
|
20
|
+
## How Suppression Works
|
|
21
|
+
|
|
22
|
+
The suppression list contains:
|
|
23
|
+
- **Rejected IDs** — findings explicitly marked as not-a-problem
|
|
24
|
+
- **Rejected fingerprints** — cabinet member + title pairs for fuzzy matching
|
|
25
|
+
(catches regenerated findings with new IDs but same content)
|
|
26
|
+
- **Deferred IDs** — findings postponed for later review
|
|
27
|
+
- **Deferred fingerprints** — same fuzzy matching for deferred items
|
|
28
|
+
|
|
29
|
+
Each cabinet member agent receives the full suppression list and skips
|
|
30
|
+
findings that match. This prevents the triage queue from filling with
|
|
31
|
+
previously-dismissed items.
|
|
32
|
+
|
|
33
|
+
## Example Override
|
|
34
|
+
|
|
35
|
+
Uncomment and adapt if your project stores triage decisions elsewhere:
|
|
36
|
+
|
|
37
|
+
<!--
|
|
38
|
+
### External Triage API
|
|
39
|
+
```bash
|
|
40
|
+
curl -s https://your-api.example.com/api/triage/suppression \
|
|
41
|
+
-H "Authorization: Bearer $API_TOKEN"
|
|
42
|
+
```
|
|
43
|
+
Returns JSON in the same format as load-triage-history.js output:
|
|
44
|
+
{ rejectedIds, rejectedFingerprints, deferredIds, deferredFingerprints }
|
|
45
|
+
-->
|