npm - create-hq - Versions diffs - 5.0.0 - Mend

create-hq 5.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (310) hide show

package/template/workers/dev-team/task-executor/worker.yaml ADDED Viewed

@@ -0,0 +1,110 @@
+worker:
+  id: task-executor
+  name: "Task Executor"
+  type: OpsWorker
+  version: "1.0"
+execution:
+  mode: on_demand
+  max_runtime: 30m
+  retry_attempts: 2
+context:
+  base:
+    - workers/public/dev-team/task-executor/
+    - workers/public/dev-team/task-executor/skills/
+    - knowledge/public/dev-team/workflows/
+  dynamic:
+    - pattern: "projects/{project}/"
+      when: always
+    - pattern: "{target_repo}/"
+      when: "task.has_repo"
+  exclude:
+    - node_modules/
+    - dist/
+    - "*.log"
+verification:
+  post_execute:
+    - check: typescript
+      command: npm run typecheck
+  approval_required: true
+output:
+  destination: workspace/reports/dev-team/
+  format: both
+  naming: "{date}-task-executor-{issue}.{ext}"
+mcp:
+  server:
+    command: node
+    args:
+      - dist/mcp-server.js
+    cwd: workers/public/dev-team/task-executor
+  tools:
+    - execute
+    - analyze_issue
+    - validate_completion
+    - report_learnings
+# State Machine (Loom pattern)
+state_machine:
+  enabled: true
+  max_retries: 1
+  hooks:
+    post_execute:
+      - auto_checkpoint
+      - log_metrics
+    on_error:
+      - log_error
+      - checkpoint_error_state
+instructions: |
+  # Task Executor
+  Executes individual issues by routing to appropriate workers and managing the execution loop.
+  ## Skills
+  | Skill | Description |
+  |-------|-------------|
+  | execute | Execute issue end-to-end: analyze → spawn workers → validate → report |
+  | analyze-issue | Analyze issue to determine worker sequence |
+  | validate-completion | Run back pressure checks on completed work |
+  | report-learnings | Extract and format learnings from execution |
+  ## CLI Usage
+  ```bash
+  cd workers/public/dev-team/task-executor
+  node dist/index.js execute --issue US-001 --project my-feature
+  node dist/index.js analyze-issue --issue US-001 --project my-feature
+  ```
+  ## Execution Flow
+  1. Analyze issue → determine worker sequence
+  2. Present plan to human → get approval
+  3. For each worker phase:
+     a. Show: "Spawning {worker} for {phase}"
+     b. Wait for human approval
+     c. Spawn worker via Task tool
+     d. Show results, run validation
+     e. Human approves or requests changes
+  4. On completion: extract learnings, mark issue done
+  5. Return learnings to project-manager
+  ## Worker Sequence Selection
+  Based on issue analysis:
+  - API/backend changes → architect → backend-dev → qa-tester
+  - Database schema → architect → database-dev → backend-dev → qa-tester
+  - UI changes → architect → frontend-dev → motion-designer → qa-tester
+  - Full-stack → architect → database-dev → backend-dev → frontend-dev → qa-tester
+  ## Human-in-the-loop
+  Every phase requires human approval:
+  - Before: Show plan, get approval
+  - During: Surface any ambiguity
+  - After: Show changes, validate, confirm

package/template/workers/registry.yaml ADDED Viewed

@@ -0,0 +1,171 @@
+# Workers Registry
+# Index of all workers in this HQ
+# Worker Types:
+# - CodeWorker: Implements features, fixes bugs, refactors
+# - ContentWorker: Drafts content, maintains voice consistency
+# - SocialWorker: Social media posting, engagement
+# - ResearchWorker: Analysis, market research, competitive intel
+# - OpsWorker: Reports, monitoring, automation
+# - Library: Shared utilities (not executable)
+version: "4.0"
+updated: "2026-01-31"
+workers:
+  # ===================
+  # Dev Team (12 workers)
+  # ===================
+  # Full development team for autonomous project execution
+  # See workers/dev-team/README.md for workflow
+  - id: project-manager
+    path: workers/dev-team/project-manager/
+    type: CodeWorker
+    visibility: public
+    team: dev-team
+    status: active
+    description: "PRD lifecycle, issue selection, learning aggregation"
+  - id: task-executor
+    path: workers/dev-team/task-executor/
+    type: CodeWorker
+    visibility: public
+    team: dev-team
+    status: active
+    description: "Analyze issue, route to workers, validate completion"
+  - id: architect
+    path: workers/dev-team/architect/
+    type: CodeWorker
+    visibility: public
+    team: dev-team
+    status: active
+    description: "System design, API design, architecture decisions"
+  - id: backend-dev
+    path: workers/dev-team/backend-dev/
+    type: CodeWorker
+    visibility: public
+    team: dev-team
+    status: active
+    description: "API endpoints, business logic, backend implementation"
+  - id: database-dev
+    path: workers/dev-team/database-dev/
+    type: CodeWorker
+    visibility: public
+    team: dev-team
+    status: active
+    description: "Schema design, migrations, query optimization"
+  - id: dev-qa-tester
+    path: workers/dev-team/qa-tester/
+    type: CodeWorker
+    visibility: public
+    team: dev-team
+    status: active
+    description: "Testing, browser automation, accessibility, demo accounts"
+  - id: frontend-dev
+    path: workers/dev-team/frontend-dev/
+    type: CodeWorker
+    visibility: public
+    team: dev-team
+    status: active
+    description: "React/Next components, pages, UI implementation"
+  - id: motion-designer
+    path: workers/dev-team/motion-designer/
+    type: CodeWorker
+    visibility: public
+    team: dev-team
+    status: active
+    description: "Animations, transitions, visual polish, image generation"
+  - id: infra-dev
+    path: workers/dev-team/infra-dev/
+    type: CodeWorker
+    visibility: public
+    team: dev-team
+    status: active
+    description: "CI/CD pipelines, deployment, monitoring"
+  - id: code-reviewer
+    path: workers/dev-team/code-reviewer/
+    type: CodeWorker
+    visibility: public
+    team: dev-team
+    status: active
+    description: "PR review, merge management, code quality gating"
+  - id: knowledge-curator
+    path: workers/dev-team/knowledge-curator/
+    type: CodeWorker
+    visibility: public
+    team: dev-team
+    status: active
+    description: "Process learnings, update knowledge bases, documentation"
+  - id: product-planner
+    path: workers/dev-team/product-planner/
+    type: CodeWorker
+    visibility: public
+    team: dev-team
+    status: active
+    description: "PRD creation, technical specs, API contracts"
+  # ===================
+  # Standalone Workers
+  # ===================
+  - id: security-scanner
+    path: workers/security-scanner/
+    type: OpsWorker
+    visibility: public
+    status: active
+    description: "Security scanning and vulnerability detection"
+  # ===================
+  # Content Team (5 workers)
+  # ===================
+  - id: content-brand
+    path: workers/content-brand/
+    type: ContentWorker
+    visibility: public
+    team: content-team
+    status: active
+    description: "Brand voice, messaging, tone analysis"
+  - id: content-sales
+    path: workers/content-sales/
+    type: ContentWorker
+    visibility: public
+    team: content-team
+    status: active
+    description: "Conversion copy, CTAs, value props"
+  - id: content-product
+    path: workers/content-product/
+    type: ContentWorker
+    visibility: public
+    team: content-team
+    status: active
+    description: "Feature accuracy, technical claims verification"
+  - id: content-legal
+    path: workers/content-legal/
+    type: ContentWorker
+    visibility: public
+    team: content-team
+    status: active
+    description: "Regulatory compliance, claim verification"
+  - id: content-shared
+    path: workers/content-shared/
+    type: Library
+    visibility: public
+    team: content-team
+    status: active
+    description: "Shared utilities for content analysis workers (types, parser, scorer, reporter)"

package/template/workers/security-scanner/README.md ADDED Viewed

@@ -0,0 +1,73 @@
+# Security Scanner Worker
+Pre-deployment security scanner for public repositories. Detects PII, credentials, and sensitive data before pushing to public repos.
+## Skills
+| Skill | Description |
+|-------|-------------|
+| `pre-deploy-check` | Full scan of repo for sensitive data |
+| `scan-file` | Scan a specific file |
+| `generate-report` | Generate detailed security report |
+## Usage
+```bash
+# Scan current repo before deployment
+/run security-scanner pre-deploy-check
+# Scan specific path
+/run security-scanner pre-deploy-check repos/public/my-project
+# Scan with fix suggestions
+/run security-scanner pre-deploy-check --fix
+```
+## What It Detects
+### Credentials & Secrets
+- API keys (OpenAI, Anthropic, AWS, etc.)
+- Private keys (RSA, SSH)
+- Tokens and bearer auth
+- Passwords in configs
+### PII (Personally Identifiable Information)
+- Personal email addresses
+- Phone numbers
+- Hardcoded user paths (`/Users/yourname/`)
+- Real names in author fields
+### Company-Specific Data
+- Internal company names
+- Internal URLs/IPs
+- Project codenames
+## Configuration
+Create `.security-scanner.yaml` in your repo:
+```yaml
+ignore_patterns:
+  - "example@example.com"
+  - "test-api-key"
+custom_patterns:
+  - name: "Company Name"
+    pattern: "MyCompanyInc"
+    severity: high
+skip_paths:
+  - "docs/examples/"
+  - "test/fixtures/"
+```
+## Git Hook Integration
+Add to `.git/hooks/pre-push` to automatically scan before pushing to public repos.
+## Best Practices
+1. **Run before every public push** - Make it part of your workflow
+2. **Configure ignore patterns** - Reduce false positives
+3. **Use placeholders** - `{your-name}`, `{api-key}`, `/path/to/your/hq/`
+4. **Separate configs** - Keep real credentials in `.env` files (gitignored)

package/template/workers/security-scanner/skills/pre-deploy-check.md ADDED Viewed

@@ -0,0 +1,205 @@
+# Pre-Deploy Security Check
+Scan a repository for PII, credentials, and sensitive data before public deployment.
+## Usage
+```
+/run security-scanner pre-deploy-check [repo-path]
+```
+If no path provided, scans current working directory.
+## Scan Patterns
+### 1. Credentials & Secrets
+```bash
+# API Keys (various formats)
+grep -r -E "(api[_-]?key|apikey)\s*[:=]\s*['\"]?[a-zA-Z0-9_-]{20,}" --include="*.{ts,js,json,yaml,yml,md,env}"
+# AWS Keys
+grep -r -E "AKIA[0-9A-Z]{16}" --include="*.{ts,js,json,yaml,yml,env}"
+# OpenAI/Anthropic Keys
+grep -r -E "(sk-[a-zA-Z0-9]{48}|sk-ant-[a-zA-Z0-9-]{90,})" --include="*.{ts,js,json,yaml,yml,env}"
+# Generic Secrets
+grep -r -E "(secret|password|token|bearer|auth)\s*[:=]\s*['\"]?[a-zA-Z0-9_/-]{8,}" --include="*.{ts,js,json,yaml,yml,env}"
+# Private Keys
+grep -r -E "-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----" --include="*"
+```
+### 2. PII Patterns
+```bash
+# Email addresses (personal domains)
+grep -r -E "[a-zA-Z0-9._%+-]+@(gmail|yahoo|hotmail|outlook|icloud|protonmail)\.(com|net|org)" --include="*.{ts,js,json,yaml,yml,md}"
+# Phone numbers
+grep -r -E "\b\d{3}[-.]?\d{3}[-.]?\d{4}\b" --include="*.{ts,js,json,yaml,yml,md}"
+# SSN patterns
+grep -r -E "\b\d{3}-\d{2}-\d{4}\b" --include="*.{ts,js,json,yaml,yml,md}"
+# Credit card patterns
+grep -r -E "\b\d{4}[-\s]?\d{4}[-\s]?\d{4}[-\s]?\d{4}\b" --include="*.{ts,js,json,yaml,yml,md}"
+```
+### 3. Hardcoded Paths
+```bash
+# Home directory paths
+grep -r -E "/Users/[a-zA-Z0-9_-]+/" --include="*.{ts,js,json,yaml,yml,md}"
+grep -r -E "/home/[a-zA-Z0-9_-]+/" --include="*.{ts,js,json,yaml,yml,md}"
+grep -r -E "C:\\\\Users\\\\[a-zA-Z0-9_-]+" --include="*.{ts,js,json,yaml,yml,md}"
+```
+### 4. Company/Personal Names
+```bash
+# Check against known personal identifiers (configure in .security-scanner.yaml)
+# Default: scan for patterns that look like real names in configs
+grep -r -E "(author|name|owner)\s*[:=]\s*['\"]?[A-Z][a-z]+ [A-Z][a-z]+" --include="*.{ts,js,json,yaml,yml}"
+```
+### 5. Internal URLs/IPs
+```bash
+# Internal IPs
+grep -r -E "\b(192\.168|10\.|172\.(1[6-9]|2[0-9]|3[01]))\.\d+\.\d+\b" --include="*.{ts,js,json,yaml,yml,md}"
+# Localhost with ports (may indicate dev configs)
+grep -r -E "localhost:\d{4,5}" --include="*.{ts,js,json,yaml,yml,md}"
+# Internal domain patterns
+grep -r -E "\.(local|internal|corp|lan)\b" --include="*.{ts,js,json,yaml,yml,md}"
+```
+## Exclusions
+Skip these paths:
+- `node_modules/`
+- `.git/`
+- `*.lock`
+- `dist/`
+- `build/`
+- `.next/`
+## Configuration
+Create `.security-scanner.yaml` in repo root:
+```yaml
+# Patterns to ignore (false positives)
+ignore_patterns:
+  - "example@example.com"
+  - "test-api-key"
+  - "placeholder"
+# Additional patterns to scan for
+custom_patterns:
+  - name: "Company Name"
+    pattern: "YourCompanyName"
+    severity: high
+# Paths to skip
+skip_paths:
+  - "docs/examples/"
+  - "test/fixtures/"
+# Known safe files
+safe_files:
+  - "README.md"  # May contain example patterns
+```
+## Output Format
+```
+Security Scan Report
+====================
+Repository: /path/to/repo
+Scanned: 2026-01-25T10:00:00Z
+Files scanned: 156
+Files skipped: 42
+CRITICAL (2)
+------------
+[CRED] workers/config.ts:15
+  Found: api_key = "sk-ant-..."
+[CRED] .env.example:3
+  Found: OPENAI_KEY=sk-...
+HIGH (3)
+--------
+[PII] commands/setup.md:45
+  Found: /Users/johnsmith/Documents/
+[PII] package.json:8
+  Found: author: "John Smith <john@gmail.com>"
+[PATH] knowledge/thread-schema.md:12
+  Found: workspace_root: "/Users/dev/hq"
+MEDIUM (1)
+----------
+[NAME] workers/cfo/worker.yaml:2
+  Found: "CFO Worker for AcmeCorp"
+Summary
+-------
+Critical: 2 (MUST FIX before deploy)
+High: 3 (Should fix)
+Medium: 1 (Review recommended)
+Low: 0
+Run with --fix to see suggested replacements.
+```
+## Suggested Fixes
+When run with `--fix`, suggest replacements:
+| Found | Replace With |
+|-------|--------------|
+| `/Users/johnsmith/` | `/path/to/your/hq/` |
+| `john@gmail.com` | `your-email@example.com` |
+| `"John Smith"` | `"Your Name"` |
+| `AcmeCorp` | `example-company` |
+| `sk-ant-...` | `{ANTHROPIC_API_KEY}` |
+## Integration
+### Git Pre-Push Hook
+Add to `.git/hooks/pre-push`:
+```bash
+#!/bin/bash
+# Run security scan before pushing to public remote
+remote="$1"
+url="$2"
+# Only scan for public remotes
+if [[ "$url" == *"github.com"* ]] && [[ "$url" != *"private"* ]]; then
+  echo "Running security scan for public repo..."
+  /run security-scanner pre-deploy-check
+  if [ $? -ne 0 ]; then
+    echo "Security scan failed. Fix issues before pushing."
+    exit 1
+  fi
+fi
+```
+### CI/CD Integration
+```yaml
+# GitHub Actions
+- name: Security Scan
+  run: |
+    claude --print "/run security-scanner pre-deploy-check"
+```

package/template/workers/security-scanner/worker.yaml ADDED Viewed

@@ -0,0 +1,26 @@
+worker:
+  id: security-scanner
+  name: "Security Scanner"
+  type: OpsWorker
+  status: active
+description: |
+  Pre-deployment security scanner for public repositories.
+  Detects PII, credentials, and sensitive data before pushing to public repos.
+context:
+  base:
+    - knowledge/public/ai-security-framework/
+skills:
+  - name: pre-deploy-check
+    description: "Scan repo for PII, credentials, and sensitive data before public deployment"
+  - name: scan-file
+    description: "Scan a specific file for sensitive patterns"
+  - name: generate-report
+    description: "Generate a security scan report"
+verification:
+  post_execute:
+    - check: no_secrets_detected
+    - check: no_pii_detected

package/template/workspace/checkpoints/.gitkeep ADDED Viewed

File without changes

package/template/workspace/content-ideas/inbox.jsonl ADDED Viewed

File without changes

package/template/workspace/drafts/.gitkeep ADDED Viewed

File without changes

package/template/workspace/learnings/.gitkeep ADDED Viewed

@@ -0,0 +1,3 @@
+# Learning files captured during project execution
+# Format: {project}/{task-id}.json
+# Contains insights for knowledge base updates

package/template/workspace/orchestrator/.gitkeep ADDED Viewed

File without changes

package/template/workspace/ralph-test/COMPLETE.md ADDED Viewed

@@ -0,0 +1,18 @@
+# Ralph Loop Test Complete
+## Summary
+The Pure Ralph Loop test executed successfully. All three tasks completed autonomously:
+1. **TEST-001: Create test file** - Created `hello.txt` with greeting message
+2. **TEST-002: Add timestamp** - Appended execution timestamp to the file
+3. **TEST-003: Create completion marker** - Created this summary file
+## Test Results
+- All tasks executed in sequence
+- Dependencies respected (each task waited for its dependency)
+- Git commits made with proper format `feat(TASK-ID): description`
+- PRD updated with pass status after each task
+The Pure Ralph Loop is working as designed.

package/template/workspace/ralph-test/hello.txt ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ Hello from Ralph Loop!
2	+ Executed at: 2026-01-26T19:15:00Z

package/template/workspace/reports/.gitkeep ADDED Viewed

File without changes

package/template/workspace/scratch/.gitkeep ADDED Viewed

File without changes

package/template/workspace/threads/.gitkeep ADDED Viewed

@@ -0,0 +1,3 @@
+# Thread files are auto-generated by HQ
+# Format: T-{timestamp}-{slug}.json
+# Contains session state for continuity