create-issflow 1.2.0 → 1.4.0

package/README.md CHANGED
@@ -25,9 +25,9 @@ Flags:
25
25
  The portable kit (every tool) in `<project>/.claude/`:
26
26
 
27
27
  - `agents/` — planner · researcher · implementer · test-author · debugger · e2e-runner · synthesizer
28
- - `commands/` — `/overview` `/propose` `/phase` `/ui-audit` `/qa-audit` `/security-audit` `/change-request` `/replan` `/quick` `/synthesize` `/store-wisdom` `/log-issue` `/log-decision` `/unstuck`
29
- - `skills/` — caveman · grill-me · karpathy-guidelines · ux-design
30
- - `hooks/` — session-start · pre-compact · subagent-stop
28
+ - `commands/` — `/overview` `/propose` `/phase` `/sprint` `/ui-audit` `/qa-audit` `/security-audit` `/release` `/uat` `/change-request` `/replan` `/quick` `/synthesize` `/runbook` `/store-wisdom` `/log-issue` `/log-decision` `/unstuck`
29
+ - `skills/` — caveman · grill-me · karpathy-guidelines · ux-design · security · code-standards
30
+ - `hooks/` — session-start · context-guard · pre-compact · subagent-stop
31
31
  - `istartsoft-flow/METHODOLOGY.md` — the full methodology (single source of truth)
32
32
 
33
33
  Plus a root `AGENTS.md` (the open standard) and the per-tool adapter:
package/bin/cli.js CHANGED
@@ -107,8 +107,21 @@ function copyTemplateCommands(destDir) {
107
107
  // ---- adapters (keep the methodology single-source — these POINT at it) ------
108
108
 
109
109
  function adapterClaude() {
110
+ // Claude Code auto-loads CLAUDE.md only — NOT AGENTS.md. Without a CLAUDE.md
111
+ // the methodology never enters context on its own (the SessionStart hook still
112
+ // injects the per-session summary, but the full single-source doc would not
113
+ // load). A one-line `@AGENTS.md` import gives Claude Code the full baseline
114
+ // while keeping ONE source of truth — no rule is restated here (anti-drift).
115
+ const c0 = conflicts;
116
+ writeFile('CLAUDE.md', claudeMd());
117
+ if (conflicts > c0) warnings.push('claude: you already keep a CLAUDE.md — ours was written as CLAUDE.md.issflow-new. Add a line `@AGENTS.md` to your CLAUDE.md so the methodology auto-loads.');
118
+ // Context-budget watchdog config (consumed by .claude/hooks/context-guard.js).
119
+ // Shipped default window:0 = auto-detect; flow-config.json lives at .claude root,
120
+ // outside build.js's copied DIRS, so the installer writes it here.
121
+ writeFile('.claude/flow-config.json', flowConfig());
110
122
  const HOOKS = {
111
123
  SessionStart: [{ matcher: 'startup|clear|compact', hooks: [{ type: 'command', command: 'node .claude/hooks/session-start.js' }] }],
124
+ PreToolUse: [{ matcher: '*', hooks: [{ type: 'command', command: 'node .claude/hooks/context-guard.js' }] }],
112
125
  PreCompact: [{ matcher: 'auto|manual', hooks: [{ type: 'command', command: 'node .claude/hooks/pre-compact.js' }] }],
113
126
  SubagentStop: [{ hooks: [{ type: 'command', command: 'node .claude/hooks/subagent-stop.js' }] }],
114
127
  };
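Review bot: The new `PreToolUse` entry uses `matcher: '*'`, so `node .claude/hooks/context-guard.js` is spawned before every tool call, including the Bash calls that the `flowConfig()` note says are never blocked. If the soft warning does not need to fire on those, narrow the matcher to the tools the gate can actually block (Edit, Write, Task). Also, the `conflicts > c0` warning covers only CLAUDE.md: no warning is pushed for an existing `.claude/flow-config.json`, although the note tells 1M-context users to edit `window` by hand, so a re-install should report whether their value was kept.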
@@ -176,7 +189,7 @@ function adapterAider() {
176
189
  const ADAPTERS = { claude: adapterClaude, codex: adapterCodex, cursor: adapterCursor, gemini: adapterGemini, aider: adapterAider };
177
190
 
178
191
  const NEXT_STEPS = {
179
- claude: 'Open Claude Code — the SessionStart hook fires automatically. Run /overview to bootstrap.',
192
+ claude: 'Open Claude Code — CLAUDE.md (@AGENTS.md) loads the methodology and the SessionStart hook fires automatically. Run /overview to bootstrap.',
180
193
  codex: 'Open Codex CLI — it reads AGENTS.md. Start by running the /overview procedure (.claude/commands/overview.md).',
181
194
  cursor: 'Open Cursor — the rule applies automatically. Run the /overview command to bootstrap.',
182
195
  gemini: 'Open Gemini CLI — it reads GEMINI.md. Run the SESSION-OPEN ritual, then the overview procedure.',
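Review bot: The new `claude` string in `NEXT_STEPS` says CLAUDE.md (@AGENTS.md) loads the methodology, but `adapterClaude()` has a path where the user's own CLAUDE.md is kept and ours is written as `CLAUDE.md.issflow-new`. In that case nothing imports AGENTS.md until the user adds the line, and this message tells them the opposite. Make the string conditional on the conflict, or word it as "once CLAUDE.md contains `@AGENTS.md`".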
@@ -198,9 +211,9 @@ function agentsMd() {
198
211
  '## Roles — `.claude/agents/`', '',
199
212
  'planner · researcher · implementer · test-author · debugger · e2e-runner · synthesizer', '',
200
213
  '## Procedures — `.claude/commands/` (run as `/name`)', '',
201
- '/overview · /propose · /phase · /ui-audit · /qa-audit · /security-audit ·',
202
- '/change-request · /replan · /quick · /synthesize · /store-wisdom · /log-issue ·',
203
- '/log-decision · /unstuck', '',
214
+ '/overview · /propose · /phase · /sprint · /ui-audit · /qa-audit · /security-audit · /release ·',
215
+ '/uat · /change-request · /replan · /quick · /synthesize · /runbook · /store-wisdom ·',
216
+ '/log-issue · /log-decision · /unstuck', '',
204
217
  '## Skills — `.claude/skills/` (loaded on demand)', '',
205
218
  'caveman · grill-me · karpathy-guidelines · ux-design · security (Secure SDLC) · code-standards', '',
206
219
  '## Autonomy', '',
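Review bot: The command list in `agentsMd()` is a second hand-maintained copy of the list edited in README.md in this same release, which is the kind of drift the adapter comments say they want to avoid. The installer already has `copyTemplateCommands(destDir)`, so this line could be built from the copied command file names, leaving README.md as the only manual copy.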
@@ -217,7 +230,8 @@ function agentsMd() {
217
230
  'change · 9 UI conforms to the `ux-design` cookbook + wireframe frame · 10 no-rationalization ·',
218
231
  '11 Secure SDLC: threat-model → secure coding → SAST/SCA/secrets each phase → pentest',
219
232
  'gate + security review before deploy (`security` skill) · 12 code-standards gate:',
220
- 'lint/format clean + naming per language idiom + declared architecture (`code-standards`).', '',
233
+ 'lint/format clean + naming per language idiom + declared architecture (`code-standards`) ·',
234
+ '13 PLAN-APPROVAL gate: no phase/sprint starts until `docs/PLAN.md` is human-approved.', '',
221
235
  '## Your stack', '',
222
236
  'Declare your stack (language, framework, infra, auth, test + E2E runner,',
223
237
  'planning source) once in `docs/OVERVIEW.md`. Every rule references *your declared',
@@ -225,6 +239,40 @@ function agentsMd() {
225
239
  ].join('\n');
226
240
  }
227
241
 
242
+ function claudeMd() {
243
+ return [
244
+ '# CLAUDE.md — iStartSoftFlow (Claude Code entry)', '',
245
+ '@AGENTS.md', '',
246
+ 'The import above is the single source of truth — it points to',
247
+ '`.claude/istartsoft-flow/METHODOLOGY.md` (read on demand). Do NOT restate any',
248
+ 'rule here; this file only wires Claude-native mechanisms (anti-drift invariant).', '',
249
+ '## Claude-native wiring (automatic — see `.claude/settings.json`)', '',
250
+ '- **SessionStart** hook injects git state + `docs/STATE.md` + open `docs/ISSUES.md`',
251
+ ' + the rule summary each session — read those first.',
252
+ '- **PreCompact** + **SubagentStop** hooks run their rituals automatically.',
253
+ '- Commands in `.claude/commands/` run as `/name`; agents in `.claude/agents/` are',
254
+ ' native subagents.', '',
255
+ ].join('\n');
256
+ }
257
+
258
+ function flowConfig() {
259
+ return JSON.stringify({
260
+ context: {
261
+ window: 0,
262
+ warnPct: 60,
263
+ gatePct: 78,
264
+ _note: 'Context-budget watchdog (.claude/hooks/context-guard.js, PreToolUse hook). '
265
+ + 'window 0 = auto-detect from the model id (200000 for standard models). '
266
+ + 'Some 1M-context models report their id WITHOUT a [1m] tag, so auto-detect '
267
+ + 'assumes 200000 and may false-gate around 156k — if you run a 1M model, set '
268
+ + 'window:1000000 here by hand. warnPct = soft non-blocking nudge; gatePct = hard '
269
+ + 'block on NEW build work (Edit/Write-to-source/feature Task). Checkpoint paths '
270
+ + '(docs/**, STATE/ISSUES/snapshots), the synthesizer subagent, and all Bash are '
271
+ + 'never blocked.',
272
+ },
273
+ }, null, 2) + '\n';
274
+ }
275
+
228
276
  // ---- main -------------------------------------------------------------------
229
277
 
230
278
  function main() {
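Review bot: `claudeMd()` lists SessionStart, PreCompact and SubagentStop under "Claude-native wiring" but omits the `PreToolUse` context-guard hook added in this release, which is the only hook described as able to hard-block Edit/Write/Task. A user who hits the gate gets no pointer from CLAUDE.md to `.claude/flow-config.json`; add a bullet naming the hook and the file. In `flowConfig()`, the documentation lives in a `_note` key inside `context`, so the consumer has to tolerate unknown keys; say so where the config is read.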
@@ -243,6 +291,13 @@ function main() {
243
291
  writeFile(rel, fs.readFileSync(src, 'utf8'));
244
292
  }
245
293
 
294
+ // 1b. integrity: confirm the methodology resolved on disk (load-bearing sentinel).
295
+ const methPath = path.join(CWD, '.claude', 'istartsoft-flow', 'METHODOLOGY.md');
296
+ const SENTINEL = 'ISTARTSOFTFLOW-AGENTS-SENTINEL-v2.0';
297
+ if (!DRY && (!fs.existsSync(methPath) || !fs.readFileSync(methPath, 'utf8').includes(SENTINEL))) {
298
+ warnings.push(`integrity: ${SENTINEL} not found in installed METHODOLOGY.md — the kit may be incomplete; re-run create-issflow (or npm run build from source).`);
299
+ }
300
+
246
301
  // 2. AGENTS.md — the open-standard entry point.
247
302
  writeFile('AGENTS.md', agentsMd());
248
303
 
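Review bot: The check labelled `integrity:` only tests that METHODOLOGY.md exists and contains a fixed, public string, so it shows the file was copied at the expected version, not that its content is unmodified: a file edited or truncated elsewhere still passes as long as `SENTINEL` is present. Either rename the warning to a completeness check, or compare the installed file with the packaged source that the loop above reads via `fs.readFileSync(src, 'utf8')`. The result is also only a warning and is skipped under `DRY`; state in the comment that this is intended.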
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "create-issflow",
3
- "version": "1.2.0",
3
+ "version": "1.4.0",
4
4
  "description": "Scaffold the iStartSoftFlow AI-coding workflow into a project. Stack-agnostic, tool-agnostic (Claude Code, Codex, Cursor, Gemini, Aider), non-destructive.",
5
5
  "bin": {
6
6
  "create-issflow": "bin/cli.js"
@@ -1,5 +1,6 @@
1
1
  ---
2
2
  name: e2e-runner
3
+ description: Writes and runs functional browser E2E (your declared E2E runner, e.g. Playwright) BLIND — reads only the acceptance spec + docs/ENDPOINTS.md, never the implementation. Writes a trace to docs/research/e2e-<phase-slug>.md; returns a terse summary.
3
4
  tools: Read, Grep, Glob, Write, Bash
4
5
  model: opus
5
6
  ---
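Review bot: The added `description` says the agent runs BLIND and never reads the implementation, but the unchanged `tools: Read, Grep, Glob, Write, Bash` line gives it unrestricted read and shell access, so the blindness rests on the prompt alone. Either say in the description that this is an instruction rather than an enforced boundary, or restrict what the agent is able to read so the claim holds under least privilege.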
@@ -43,6 +43,12 @@ window. If a phase feels big, split it.
43
43
  money, or PII), add a `security:` note: threat-model it (STRIDE) and fold abuse
44
44
  cases into the acceptance criteria as negative cases; set the ASVS level (default
45
45
  L2). This is the design stage of the Secure SDLC (`security` skill).
46
+ - SPRINT-READY (so the optional `/sprint` layer needs no rework): give every phase a
47
+ relative effort estimate `[N pts]` (Fibonacci 1/2/3/5/8) in its header, and group
48
+ consecutive phases under `## Sprint <n>: <name> [goal: <one-line increment>]`
49
+ headers — each sprint a coherent, demoable theme of a few phases. If you cannot
50
+ size a sprint yet, still tag the points; `/sprint plan` will do the grouping from
51
+ the points + capacity. A phase that feels `>8 pts` is too big — split it.
46
52
 
47
53
  LAST PHASE RULE — the final code phase (the highest-numbered phase you write)
48
54
  MUST contain a deployment task block:
@@ -61,11 +67,19 @@ docs/PLAN.md format:
61
67
 
62
68
  # Plan: <project>
63
69
  <!-- infra: managed (Phase 0 N/A) | self-managed (Phase 0 below) -->
70
+ > Approval: PENDING (hard rule 13 — PLAN-APPROVAL gate; no phase/sprint runs until a human signs this off via the `/overview` gate)
71
+
72
+ Keep the header VALUE a single leading token — `PENDING` here, later
73
+ `approved <date> v<n>` — so the gate readers (`/phase`, `/sprint`) match the first
74
+ token unambiguously. Do not put prose containing the word `approved` after a
75
+ `PENDING` value, or a substring check could false-pass the gate.
64
76
 
65
77
  ## Phase 0: infra setup [status: pending] ← omit entirely if infra is managed
66
78
 
67
79
 
68
- ## Phase 1: <name> [status: pending]
80
+ ## Sprint 1: <name> [goal: <one-line user-visible increment>] ← sprint headers optional; group a few phases
81
+
82
+ ## Phase 1: <name> [5 pts] [status: pending]
69
83
 
70
84
  - slice: <what works end-to-end after this phase>
71
85
  - rationale: <why this slice, why now — the user / business value (from the PRD)>
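Review bot: The four added lines that warn against prose containing `approved` appear to sit inside the `docs/PLAN.md format:` template, directly under the `> Approval: PENDING` header, so a planner that reproduces the template carries the word `approved` into every unapproved PLAN.md. The header line itself also has `PLAN-APPROVAL` after `PENDING`. A gate reader that does a substring or case-insensitive match on the line or file would hit exactly the false pass this text describes. Move the guidance out of the template and reduce the header to `> Approval: PENDING` with nothing after the token.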
@@ -90,4 +104,5 @@ docs/PLAN.md format:
90
104
 
91
105
  ```
92
106
  Order phases by dependency. Phase 0 first IF infra is self-managed; otherwise
93
- start at Phase 1. Stop. Do not implement.
107
+ start at Phase 1. Always write the `> Approval: PENDING` header — the plan is unapproved
108
+ until the `/overview` PLAN-APPROVAL gate stamps it (hard rule 13). Stop. Do not implement.
@@ -21,6 +21,9 @@ Do NOT touch docs/ENDPOINTS.md — owned by implementer.
21
21
  - what was just completed (1-3 bullets)
22
22
  - the immediate next action
23
23
  - any open blocker
24
+ PRESERVE verbatim (never blank on rewrite): the `plan:` line (the PLAN-APPROVAL
25
+ sign-off record, hard rule 13) and the `sprint:` line (active-sprint marker) if
26
+ present — load-bearing gate/standup state, not transient progress.
24
27
  Target: under 25 lines.
25
28
 
26
29
  2. ISSUES.md — dedup + compress:
@@ -31,8 +31,12 @@ peek at, your blindness is STRUCTURAL, not honor-system.
31
31
 
32
32
  ## TWO SUITES — write BOTH
33
33
 
34
- 1. MOCK suite — fast, no external dependency. Mocks ONLY the external boundary.
35
- No mocks on the external boundary. Code/API-level — not browser E2E.
34
+ 1. MOCK suite — fast, no external dependency. Mocks ONLY the external boundary
35
+ (the network / 3rd-party seam). Code/API-level — not browser E2E.
36
+ 2. REAL API suite — the SAME tests with no mocks, hitting the real external
37
+ boundary. The phase gate runs against THIS suite (rules 5–6); a green mock
38
+ suite alone can never close a phase. Mock vs real is a fixture/env FLAG on the
39
+ same test (see Test placement), not a duplicated file.
36
40
 
37
41
  ## Test placement (regression layout)
38
42
 
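Review bot: The new REAL API suite item says the same tests run with no mocks against the real external boundary and that the phase gate depends on them, but it gives no guidance on which credentials or environment that run uses. State that the real suite targets sandbox or test accounts, with keys supplied from the environment rather than committed fixtures, so the mock/real flag cannot point a test run at production data.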
@@ -44,7 +44,10 @@ gate — always interactive).
44
44
  - **Approved** -> set CR status `approved`; bump PROPOSAL.md to a new version (vN+1)
45
45
  with the delta folded in; re-render `docs/proposal.html` from it (same template +
46
46
  language); then dispatch `/replan` to apply the phase changes to PLAN.md (done
47
- phases stay frozen). Update STATE.md.
47
+ phases stay frozen). Update STATE.md. NOTE: `/replan` reverts PLAN.md to
48
+ `> Approval: PENDING` and re-runs the PLAN-APPROVAL gate (hard rule 13) — the
49
+ commercial CR sign-off is SEPARATE from the plan sign-off, so `/phase` and
50
+ `/sprint` stay blocked until you also re-approve the revised plan.
48
51
  - **Rejected** -> set CR status `rejected`; PLAN + PROPOSAL unchanged.
49
52
 
50
53
  ## STEP 6 — RECORD
@@ -75,6 +75,20 @@ Store the round-1 answers as working context — do NOT write OVERVIEW.md yet.
75
75
 
76
76
  ---
77
77
 
78
+ ### Foundations sign-off (confirm BEFORE planning)
79
+
80
+ 5b. Before the `planner` runs, present the FOUNDATIONS for explicit human confirmation
81
+ — the whole plan is built on these, so lock them first. Show a concise summary and
82
+ STOP for sign-off (planning always asks, both modes):
83
+ - **Tech stack** — language · framework · infra · auth · datastore · test + E2E runner
84
+ - **Architecture** — the pattern (Feature-Based by default) + the folder layout
85
+ - **UX direction** — design system / tokens + the wireframe baseline (the frame)
86
+ - **Data & integrations** — core data model + external services + their limits
87
+ - **Conventions** — naming idiom (`code-standards`) + autonomy mode (AUTO / GUIDED)
88
+ - **Estimation config** — unit · rate card · currency · contingency (if quoting)
89
+ On any "change X" → revise OVERVIEW.md and re-confirm. Only a signed-off foundation
90
+ proceeds to the planner. (This is the planning confirmation gate.)
91
+
78
92
  ### Plan
79
93
 
80
94
  6. Hand OVERVIEW.md + design-research findings to the `planner` subagent.
@@ -89,6 +103,7 @@ Store the round-1 answers as working context — do NOT write OVERVIEW.md yet.
89
103
  # STATE
90
104
 
91
105
  phase: 0 (pending)
106
+ plan: PENDING
92
107
  completed: project bootstrapped — design research done, double grill done
93
108
  blocker: none
94
109
 
@@ -97,17 +112,31 @@ blocker: none
97
112
 
98
113
  9. Create empty docs/HISTORY.md.
99
114
 
100
-
101
- 11. Create docs/ENDPOINTS.md:
115
+ 10. Create docs/ENDPOINTS.md:
102
116
  ```
103
117
  # Endpoints — <project name>
104
118
  > Maintained by implementer. Updated each phase.
105
119
  > Base URL: (populated after deployment phase)
106
120
  ```
107
121
 
108
- Then stop and show me PLAN.md for approval before any phase starts. Planning ends
109
- with a human sign-off in both modes; AUTO only governs the development loop that
110
- runs AFTER the plan is approved.
122
+ ---
123
+
124
+ ### PLAN-APPROVAL gate (hard rule 13 — always interactive, both modes)
125
+
126
+ 11. The plan is the contract the whole AUTO dev loop builds against, so it ends with a
127
+ human sign-off — the planning twin of the `/propose` commercial gate.
128
+
129
+ - SHOW me PLAN.md (and note any open risks the planner flagged). **STOP for approval.**
130
+ - On **approval**: record the sign-off in three places —
131
+ 1. stamp the PLAN.md header `> Approval: approved <YYYY-MM-DD> v1`;
132
+ 2. set `plan: approved <YYYY-MM-DD>` in docs/STATE.md;
133
+ 3. append `<YYYY-MM-DD> plan v1 approved` to docs/HISTORY.md (date-first, to
134
+ match the other HISTORY lines).
135
+ Only now may `/phase` / `/sprint` run.
136
+ - On **rejection / change**: revise (re-run the `planner`, or `/replan`), bump the
137
+ version, and re-show. The header stays `PENDING` until I approve.
138
+
139
+ AUTO governs the development loop that runs AFTER this gate, never the gate itself.
111
140
 
112
141
  Optional next step (client / quoted work only): run `/propose` to turn this
113
142
  OVERVIEW + PLAN into a proposal + estimate for sign-off before building. Internal or
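Review bot: Step 11 records the approval in three files, but the stamp is only a date and a version: it names no approver and is not bound to the content of PLAN.md, so edits made to the plan after sign-off still read as approved. Consider adding the approver and the commit hash (or a hash of PLAN.md) to the HISTORY line, and say which of the three records wins when they disagree, since the `/phase` pre-flight reads only the PLAN.md header.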
@@ -14,12 +14,17 @@ Target phase: $ARGUMENTS (default: the phase marked pending in docs/PLAN.md)
14
14
 
15
15
  ## 0. PRE-FLIGHT
16
16
 
17
- a. INFRA CHECK (phases > 0): Read the declared infra in docs/OVERVIEW.md.
17
+ a. PLAN-APPROVAL CHECK (hard rule 13): Read the docs/PLAN.md `> Approval:` header.
18
+ Still `PENDING` (or no header) -> STOP. The plan is not signed off; no phase may
19
+ start. Route me to the `/overview` PLAN-APPROVAL gate (or `/replan` then re-approve).
20
+ Approved -> continue.
21
+
22
+ b. INFRA CHECK (phases > 0): Read the declared infra in docs/OVERVIEW.md.
18
23
  - Managed infra -> confirm it is reachable; no provisioning step is needed.
19
24
  - Self-managed infra -> confirm Phase 0 (infra) ran and is healthy.
20
25
  Surface infra + auth status before any work. Blocked infra -> STOP.
21
26
 
22
- b. PHASE STATE CHECK: Read docs/STATE.md and docs/PLAN.md.
27
+ c. PHASE STATE CHECK: Read docs/STATE.md and docs/PLAN.md.
23
28
  - No phase in progress, requested is next pending -> START at step 1.
24
29
  - Same phase in-progress -> RESUME from STATE.md "next action".
25
30
  - Different phase in-progress -> STOP. Tell me which phase is open.
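Review bot: Pre-flight step a. defines STOP for `PENDING` or a missing header and continue for "Approved", but says nothing about any other value (an empty value, a typo, prose after the colon). The planner template asks gate readers to match the first token, so state that here and fail closed: continue only when the first token after `> Approval:` is `approved`, and STOP on everything else.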
@@ -27,7 +32,7 @@ b. PHASE STATE CHECK: Read docs/STATE.md and docs/PLAN.md.
27
32
  phase in PLAN order. GUIDED: STOP, warn, proceed only if I confirm.
28
33
  - Phase not in PLAN.md -> STOP. Suggest /overview or /replan.
29
34
 
30
- c. FINAL PHASE CHECK: Read docs/PLAN.md. Is this the last phase (no further
35
+ d. FINAL PHASE CHECK: Read docs/PLAN.md. Is this the last phase (no further
31
36
  pending phases after this one)? Record this as IS_FINAL_PHASE=true/false.
32
37
 
33
38
 
@@ -181,6 +186,12 @@ SECURITY GATE (rule 11 — Secure SDLC build stage):
181
186
 
182
187
  Mark phase `done` in docs/PLAN.md.
183
188
 
189
+ SPRINT STANDUP (if a sprint is active — STATE.md shows `sprint: <n> (active)`):
190
+ fire the `/sprint standup` tick — append the one-line standup to
191
+ docs/sprints/sprint-<n>.md and update the burndown (rule: SPRINT-STANDUP ritual).
192
+ If all the sprint's committed phases are now done/blocked, recommend `/sprint review`
193
+ (or, under `/sprint run`, the driver proceeds to review automatically).
194
+
184
195
  ARCHITECTURE SELF-CHECK: did this phase add/remove/rename an agent, hook, or
185
196
  command, or change a workflow rule? YES -> run `/log-decision`. NO -> state why not.
186
197
 
@@ -221,10 +232,12 @@ After each step, update docs/STATE.md:
221
232
  ```
222
233
 
223
234
  phase: <n> (in progress)
235
+ plan: approved <date> ← carry forward; never drop the rule-13 sign-off record
224
236
  tdd: <true|false>
225
237
  completed: <steps done so far>
226
238
  next: <exact next step>
227
239
  blocker: <none or open issue>
228
240
 
229
241
  ```
230
- Keep STATE.md small — overwrite, do not append.
242
+ Keep STATE.md small — overwrite, do not append. Preserve the `plan:` line on every
243
+ overwrite (the PLAN-APPROVAL record, hard rule 13); do not blank it.
@@ -13,6 +13,12 @@ A proposal is a commercial gate: always interactive (both AUTO and GUIDED).
13
13
  Read `docs/OVERVIEW.md` (scope, stack, success criteria) and `docs/PRD.md` if
14
14
  present (else the PRD in your BMAD/iSSM). No OVERVIEW -> run `/overview` first.
15
15
 
16
+ PLAN-APPROVAL CHECK (hard rule 13): the proposal prices the *approved* phases, so
17
+ the plan is signed off first (lifecycle: plan → proposal). If `docs/PLAN.md` exists
18
+ and its `> Approval:` header still reads `PENDING` (or is missing), STOP and route me
19
+ to the `/overview` PLAN-APPROVAL gate before quoting — pricing an unapproved plan
20
+ re-prices on every revision.
21
+
16
22
  ## STEP 1 — SCOPE
17
23
  List the deliverables (features / epics) from OVERVIEW / PRD. Mark each
18
24
  **in-scope** or **out-of-scope** explicitly — naming out-of-scope items now is what
@@ -57,12 +63,13 @@ change-orders re-price against.
57
63
  ## Sign-off — approved by: ___ date: ___ version: v1
58
64
  ```
59
65
  2. RENDER a client-facing `docs/proposal.html` from `.claude/templates/proposal.html`:
60
- copy it, replace every `{{PLACEHOLDER}}`, and LOCALISE all labels + content to the
61
- declared language (natural Thai for Thai projects; keep tech terms in English).
62
- Fill `{{COMPANY}}` / `{{LOGO}}` from the ISSUING company's brand declared in
63
- OVERVIEW (or ask once) the template is white-label, never hardcode the kit's
64
- name. It is print-ready (Save as PDF). Keep PROPOSAL.md and proposal.html in sync —
65
- the markdown is the source, the HTML is the deliverable you send the client.
66
+ copy it, replace every `{{PLACEHOLDER}}`, and fill the CONTENT in the declared
67
+ language (the section labels are already bilingual TH / EN). It must fit ONE A4
68
+ page be terse (≈ 3–6 phase rows, 4 assumptions, short scope items); trim before
69
+ it spills to a second page. Fill `{{COMPANY}}` / `{{COMPANY_TAGLINE}}` / `{{LOGO}}`
70
+ from the ISSUING company's brand declared in OVERVIEW (or ask once) white-label,
71
+ never hardcode the kit's name. Print-ready (Ctrl/Cmd-P A4 Save as PDF). Keep
72
+ PROPOSAL.md (source) and proposal.html (deliverable) in sync.
66
73
 
67
74
  ## STEP 6 — SIGN-OFF GATE
68
75
  Show me the proposal. **STOP for approval** (commercial gate — always interactive).
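Review bot: Step 2 tells the agent to replace every `{{PLACEHOLDER}}` in proposal.html with content from OVERVIEW and PROPOSAL.md but does not say to HTML-escape it. A scope item or company name containing `<`, `&` or quotes will break or alter the client-facing page. Add "HTML-escape every substituted value" to the step.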
@@ -14,7 +14,7 @@ Use `/quick` when ALL hold:
14
14
  - not mid-phase
15
15
 
16
16
  If any fail -> STOP, tell me, recommend `/phase`.
17
- (Hard rule 11: never route phase-worthy work through `/quick` to dodge the RED gate.)
17
+ (Hard rule 10: never route phase-worthy work through `/quick` to dodge the RED gate.)
18
18
 
19
19
  Steps:
20
20
  1. grep docs/ISSUES.md for anything related.
@@ -0,0 +1,51 @@
1
+ ---
2
+ description: Pre-production release pipeline — after all build phases, run the full automated gauntlet (full regression: functional / integration / e2e · all audits: UI / QA / security / code · smoke test), then hand off to manual UAT, drive the defect loop to green, produce a sign-off document, and promote to production. The automated SDLC backbone; production deploy is a human-signed hard-stop.
3
+ argument-hint: [optional: target env]
4
+ ---
5
+
6
+ Caveman ULTRA mode. You are the ORCHESTRATOR.
7
+
8
+ Run this AFTER every build `/phase` is done (the candidate is on staging/preview).
9
+ AUTO runs all AUTOMATED stages without stopping; it STOPS only at the human gates —
10
+ UAT execution, sign-off, and the production promote (security/irreversible hard-stops).
11
+ Record progress in STATE.md so a resumed session continues mid-pipeline.
12
+
13
+ ## STAGE 1 — FULL REGRESSION (auto)
14
+ Run the whole REAL corpus end-to-end: **functional + integration + e2e**
15
+ (`scripts/regression.sh --real`, then the declared E2E runner via `e2e-runner`).
16
+ Any red → `debugger` (cap 3) → fix → re-run. Must be 100% green to proceed.
17
+
18
+ ## STAGE 2 — AUTO AUDITS (auto)
19
+ Run every whole-product audit and fold results together:
20
+ - `/ui-audit` · `/qa-audit` · `/security-audit`
21
+ - **code cleaning**: lint + format (the language's standard tool) must be clean
22
+ - **code optimization**: a pass for dead code, obvious N+1 / perf, bundle bloat
23
+ Collect every BLOCKER / HIGH / CRITICAL. Open blocker → fix → re-audit. (Security
24
+ fixes surface for sign-off — security is an autonomy hard-stop.)
25
+
26
+ ## STAGE 3 — SMOKE TEST (auto)
27
+ Deploy the candidate to staging/preview; run the **smoke suite**: app boots, health
28
+ endpoint 200, the critical happy paths load, no console/server errors. Fail → STOP, fix.
29
+
30
+ ## STAGE 4 — UAT HANDOFF (human)
31
+ Dispatch `/uat`: generate the all-case scenario document, hand it to the testers, and
32
+ WAIT. Capture their pasted results into `docs/UAT-<date>.md`. (UAT is a human gate.)
33
+
34
+ ## STAGE 5 — UAT DEFECT LOOP
35
+ For each issue/bug reported: log to `docs/ISSUES.md` (repro from the scenario), fix
36
+ (`implementer`/`debugger`), re-run STAGE 1–3 for the touched area, then resubmit ONLY
37
+ the failed scenarios via `/uat`. Loop until ALL scenarios PASS.
38
+
39
+ ## STAGE 6 — SIGN-OFF (human)
40
+ Produce `docs/SIGNOFF-<date>.md`: scope delivered · test + audit results summary · UAT
41
+ pass confirmation · known limitations · the approver/date line. **STOP for human
42
+ sign-off** — a release gate, always interactive in both modes.
43
+
44
+ ## STAGE 7 — PROMOTE TO PRODUCTION (hard-stop)
45
+ On a SIGNED sign-off only: deploy to production, smoke-test prod (health 200), update
46
+ `docs/ENDPOINTS.md` base URL, tag the release. HISTORY line: `released v<n> (<date>)`.
47
+
48
+ ## STAGE 8 — GO-LIVE & SUPPORT
49
+ Enter after-go-live support (hypercare): watch for incidents, keep the issue log live.
50
+ New scope → `/change-request` (impact + re-price + sign-off). The project is live; the
51
+ loop continues through change requests.
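Review bot: STAGE 7 proceeds "On a SIGNED sign-off only", but STAGE 6 does not define what a signed `docs/SIGNOFF-<date>.md` looks like, so the production hard-stop depends on how the agent reads an approver/date line. Define one checkable field, as the PLAN.md `> Approval:` header does, and STOP when it is absent or blank. STAGE 5 also re-runs STAGE 1–3 only "for the touched area", so the build that reaches STAGE 7 may never have passed the full regression after the UAT fixes; require a full STAGE 1 pass before STAGE 6.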
@@ -58,8 +58,13 @@ commercial impact (split/merge/reorder, a discovered technical re-slice).
58
58
  reconciled corpus still passes against live services. A failure -> surface it
59
59
  and stop before approval.
60
60
 
61
- 6. SHOW ME the revised phase list + the regression-corpus changes, and STOP for
62
- approval.
61
+ 6. PLAN-APPROVAL gate (hard rule 13). A re-plan reshapes UNBUILT scope, so it reverts
62
+ the plan to unapproved: set the PLAN.md `> Approval:` header back to `PENDING`, SHOW
63
+ ME the revised phase list + the regression-corpus changes, and STOP for approval.
64
+ On approval: re-stamp the header `approved <date> v<n+1>`, update STATE.md `plan:`,
65
+ and append `<date> plan v<n+1> approved (replan)` to docs/HISTORY.md (date-first,
66
+ matching the other HISTORY lines). `/phase` and `/sprint` stay blocked until this
67
+ re-stamp.
63
68
 
64
69
  7. ARCHITECTURE SELF-CHECK: re-planning is not normally a kit-architecture
65
70
  change. Only run /log-decision if the workflow itself changed (rare).
@@ -0,0 +1,38 @@
1
+ ---
2
+ description: Capture an operational/incident scenario in docs/RUNBOOK.md — one grep-able markdown so prod-debug knowledge isn't re-derived under pressure.
3
+ argument-hint: [scenario, or "from the incident we just solved"]
4
+ ---
5
+
6
+ Caveman ULTRA mode.
7
+
8
+ Distill an operational scenario into docs/RUNBOOK.md. Scenario: $ARGUMENTS
9
+
10
+ This is the runbook pattern Anthropic's Security + Data-Infra teams converged on
11
+ independently: consolidate stack traces, dashboard signals, and the exact
12
+ remediation commands into ONE searchable file so the next incident is a lookup,
13
+ not a re-investigation.
14
+
15
+ If $ARGUMENTS says "from the incident we just solved" (or similar), distill the
16
+ debugging session in context — symptom, the REAL root cause, the commands that
17
+ fixed it — instead of asking the user to re-type it.
18
+
19
+ Append an entry to docs/RUNBOOK.md (create the file if missing). Canonical format:
20
+ ```
21
+
22
+ ### <scenario title — searchable, literal symptom keywords>
23
+
24
+ - trigger: <what you observe first — alert, error string, dashboard signal>
25
+ - diagnose: <steps/commands to confirm the real root cause>
26
+ - remediate: <the exact commands/actions that fix it>
27
+ - verify: <how to confirm recovery — what "healthy" looks like>
28
+ - refs: <dashboard URLs, docs, related docs/ISSUES.md titles>
29
+
30
+ ```
31
+ Rules:
32
+ - title carries literal symptom keywords -> grep finds it mid-incident.
33
+ - remediate must be runnable as-is; no "investigate further".
34
+ - mark any step that is irreversible / PROD-writing with ⚠ so it's never run blind.
35
+ - cross-link the matching docs/ISSUES.md entry instead of duplicating root-cause prose.
36
+ - newest scenario at the TOP.
37
+
38
+ Confirm the entry back in 2 lines.
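Review bot: The rules require exact, runnable remediation commands and allow distilling the live debugging session, but none of them covers secrets: commands lifted from a session can carry tokens, passwords or connection strings into docs/RUNBOOK.md. Add a rule to replace credentials with named placeholders before the entry is written. The sentence attributing the pattern to Anthropic's Security and Data-Infra teams has no reference; link a source or drop it.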