devlyn-cli 1.15.0 → 2.1.0

package/config/skills/devlyn:auto-resolve/SKILL.md

@@ -1,252 +0,0 @@
----
-name: devlyn:auto-resolve
-description: Fully automated build-evaluate-ship pipeline for any task type — bug fixes, new features, refactors, chores. Use this as the default starting point when the user wants hands-free implementation with zero human intervention. Runs a minimal goal-driven loop — build, evaluate, fix, critic, docs — as a single command. Use when the user says "auto resolve", "build this", "implement this feature", "fix this", "run the full pipeline", "refactor this", or wants to walk away and come back to finished work.
----
-
-Orchestrator for the hands-free implementation pipeline. One subagent per phase, file-based handoff, unified fix loop on evaluation feedback until the work passes or `max_rounds` is reached. The orchestrator itself does not write code — it parses input, spawns phases, reads handoff artifacts, runs git commands, branches on verdicts, and emits the final report.
-
-<pipeline_config>
-$ARGUMENTS
-</pipeline_config>
-
-<orchestrator_context>
-Long-horizon agentic work. Context auto-compacts — do not stop early on token-budget concerns. All durable state lives in `.devlyn/pipeline.state.json` (control plane: pointers, criteria, verdicts) plus `<phase>.findings.jsonl` + `<phase>.log.md` for phases that emit findings. `state.json` is the **single authoritative verdict source** — branch on `phases.<name>.verdict` directly, never parse artifact files. At PHASE 5, the run's `.devlyn/*` artifacts are **archived** to `.devlyn/runs/<run_id>/` (last 10 kept, best-effort). Schemas: `references/pipeline-state.md`, `references/findings-schema.md`. Best results with `xhigh` reasoning.
-</orchestrator_context>
-
-<autonomy_contract>
-This pipeline runs hands-free. Measured by how far it gets without human intervention.
-
-1. **Never prompt the user mid-pipeline.** When you'd otherwise ask, pick the safe default, proceed, and log it in the final report.
-2. **Codex availability**: on `--engine auto`/`codex`, call `mcp__codex-cli__ping` at the start. On failure, silently fall back to `--engine claude` and log `engine downgraded: codex-ping failed` in the final report. Do NOT present a menu. Do NOT abort.
-3. **Run only the phases defined below, in order.** Doc updates belong in PHASE 4 (DOCS). Don't insert them earlier.
-4. **Delegate all file changes to spawned subagents.** Orchestrator actions: parse input, spawn phase agents, read handoff files, run `git`, branch on verdicts, emit report, archive.
-5. **Continue by default.** Stop only for: (a) unrecoverable subagent failure, (b) PHASE 1 producing zero code changes, (c) build-gate / browser fix-loop exhausting `max_rounds` (halt → FINAL REPORT). EVAL/CRITIC exhaustion proceeds with warning — never halts.
-</autonomy_contract>
-
-<harness_principles>
-Goal-first. Verify state, source integrity, diff base, artifact contracts. Prefer deletion or reuse over new machinery. Change only files the task requires. Each phase optimizes for its declared success criteria, not a checklist. Fix root causes only — no `any`, `@ts-ignore`, silent catches, hardcoded values. Label hypotheses explicitly; back claims with file:line evidence.
-</harness_principles>
-
-<engine_routing_convention>
-Every phase routes to the optimal model per `references/engine-routing.md`:
-
-- Phase prompt bodies (in `references/phases/`) are engine-agnostic.
-- Phases routed to **Codex**: call `mcp__codex-cli__codex` per spawn patterns in `engine-routing.md`.
-- Phases routed to **Claude**: spawn an `Agent` subagent with `mode: "bypassPermissions"`, passing the phase body verbatim.
-- **Dual** (CRITIC security sub-pass on `--engine auto`): spawn both in parallel; orchestrator merges findings.
-- `--engine claude` forces all phases to Claude. `--engine codex` forces implementation to Codex, orchestration/Chrome MCP stays Claude. `--engine auto` (default) uses the routing table.
-</engine_routing_convention>
-
-<post_eval_invariant>
-Once `state.eval_passed_sha` is non-null (PHASE 2 returned PASS or PASS_WITH_ISSUES), the post-EVAL phases (CRITIC, DOCS) run **findings-only / doc-only** — they never write code. DOCS is the only phase allowed to commit after EVAL, and only for doc files.
-
-**Orchestrator enforcement (per-phase, NOT cumulative)**: before each post-EVAL phase, capture `state.phases.<phase>.pre_sha = git rev-parse HEAD`. After the subagent completes, run `git diff --name-only <pre_sha> -- ':!.devlyn/**'`:
-- CRITIC (findings-only) → any diff → `git reset --hard <pre_sha>`, emit `rule_id: "invariant.post-eval-code-mutation"` + `severity: HIGH` into `.devlyn/invariant.findings.jsonl`, route to FIX LOOP with `triggered_by: "critic"`.
-- DOCS → check against allowlist; non-allowlisted paths trigger the revert-and-find flow.
-
-Per-phase (not cumulative) baseline is correct because fix-loop commits between one post-EVAL phase and the next are legitimate.
-
-Doc-file allowlist (DOCS): `*.md`, `.mdx`, files under `docs/`, `README*`, `CHANGELOG*`, `CLAUDE.md`, frontmatter in spec files under `docs/roadmap/phase-*/`. Any other path triggers revert-and-find.
-</post_eval_invariant>
-
-<perf_opt_in>
-Optional: pass `--perf` to record per-phase `{wall_ms, tokens, engine, round, triggered_by}` into `state.perf.per_phase` and totals at PHASE 5. Off by default. Harness efficiency claims can be measured when needed; mandatory meta-measurement was retired in v3.4.
-</perf_opt_in>
-
-## PHASE 0: PARSE + PREFLIGHT + ROUTE
-
-1. **Parse flags** from `<pipeline_config>`:
-   - `--max-rounds N` (4)
-   - `--route MODE` (auto) — per `references/pipeline-routing.md`
-   - `--engine MODE` (auto) — per `references/engine-routing.md`
-   - `--team` — force team-assembled BUILD even on non-strict routes (default: solo).
-   - `--bypass <phase>[,<phase>...]` — skip specific phases. Valid: `build-gate`, `browser`, `critic`, `docs`. Deprecated aliases (`--skip-*`, `--security-review skip`, `--bypass simplify|review|clean|security|challenge`) map to `--bypass critic` where applicable; log `deprecated flag — use --bypass <phase>` once.
-   - `--build-gate MODE` (auto) — `auto` / `strict` / `no-docker`.
-   - `--perf` — opt in to per-phase timing/token accounting.
-
-2. **Engine pre-flight** (unless `--engine claude`): call `mcp__codex-cli__ping`. On failure, silent fallback to `--engine claude`, log `engine downgraded`. Never prompt.
-
-3. **Initialize `pipeline.state.json`** per `references/pipeline-state.md`:
-   - `version: "1.2"`, `run_id: "ar-$(date -u +%Y%m%dT%H%M%SZ)-<12-hex>"`, `started_at`, `engine`, `base_ref.{branch, sha}`, `rounds.max_rounds`, `eval_passed_sha: null`, `route.bypasses: [...]`, empty `phases`, `criteria`, `route.selected`.
-
-4. **Spec preflight** (if `<pipeline_config>` contains `docs/roadmap/phase-\d+/[^\s"'`)]+\.md`):
-   - Read the spec. Missing → `BLOCKED`.
-   - Verify internal deps (each entry under `## Dependencies → Internal` resolves to a `status: done` spec). Unmet → `BLOCKED`.
-   - Populate `state.source`: `type: "spec"`, `spec_path`, `spec_sha256 = sha256(spec)`, `criteria_anchors: ["spec://requirements", "spec://out-of-scope", "spec://verification", "spec://constraints", "spec://architecture-notes", "spec://dependencies"]`.
-   - Populate `state.criteria[]`: one per `- [ ]` in `## Requirements`, `status: pending`.
-
-   No spec path found → `source.type: "generated"`, `source.criteria_path: ".devlyn/criteria.generated.md"` (PHASE 1 creates it), `criteria_anchors: ["criteria.generated://requirements", "criteria.generated://out-of-scope", "criteria.generated://verification"]`, `criteria: []`.
-
-5. **Compute Stage A route** per `references/pipeline-routing.md#stage-a`. Write to `state.route.{selected, user_override, stage_a}`.
-
-6. **Announce** (single line):
-```
-Auto-resolve starting — run <run_id> — task: <desc>
-Engine: <engine>, Route: <selected> (<stage_a_reasons>), Bypasses: <bypasses|none>, Max rounds: <N>
-```
-
-## PHASE 1: BUILD
-
-**Engine**: BUILD row. Spawn per `<engine_routing_convention>`. Prompt body: **`references/phases/phase-1-build.md`** (verbatim) + task description.
-
-**Team assembly rule** (simplified from v3.2): BUILD spawns as **team** ONLY when `--team` flag passed OR `state.route.selected == "strict"`. Otherwise solo. Keyword-match auto-trigger removed — Claude/Codex base SWE capability is the default.
-
-**After the agent completes**:
-1. Verify `criteria[]` has ≥1 entry with `status != "pending"`. If not, re-spawn with reminder.
-2. `git diff --stat` — if no changes, halt with failure.
-3. Checkpoint: `git add -A && git commit -m "chore(pipeline): phase 1 — build complete"`.
-
-## PHASE 1.4: BUILD GATE
-
-Skip if `build-gate` in `state.route.bypasses`. Deterministic — same commands CI/Docker/production run.
-
-Spawn Claude `Agent` (`mode: "bypassPermissions"`): "Read `references/build-gate.md` (detection matrix, commands, package manager, monorepo, strict, Docker) and `references/findings-schema.md`. Run all matched gates. Apply strict flags if `--build-gate strict` OR `state.route.selected == "strict"`. Run Docker unless `--build-gate no-docker`. Emit `.devlyn/build_gate.findings.jsonl` + `.devlyn/build_gate.log.md`; update `state.phases.build_gate`."
-
-**After the agent completes**:
-1. Read `state.phases.build_gate.verdict`.
-2. **Stage B LITE** (only if `verdict == "PASS"` AND `state.route.user_override == false`): apply the single escalation rule from `references/pipeline-routing.md#stage-b-lite`. If it fires, write `state.route.stage_b.{at, escalated_from, reasons}`.
-3. Branch: `PASS` → PHASE 1.5; `FAIL` → PHASE 2.5 with `triggered_by: "build_gate"`.
-
-## PHASE 1.5: BROWSER VALIDATE (conditional)
-
-Skip if `browser` in `state.route.bypasses`. Skip if `git diff --name-only <state.base_ref.sha>` has no `*.tsx`, `*.jsx`, `*.vue`, `*.svelte`, `*.css`, `*.html`, `page.*`, `layout.*`, `route.*` matches.
-
-Spawn Claude `Agent` (`mode: "bypassPermissions"`): "Read `.claude/skills/devlyn:browser-validate/SKILL.md` (tiered Chrome MCP → Playwright → curl) and `references/findings-schema.md`. Start dev server, test the implemented feature end-to-end against `pipeline.state.json:criteria[]`, leave server running (`--keep-server`). Emit `.devlyn/browser_validate.findings.jsonl` + `.devlyn/browser_validate.log.md`; update `state.phases.browser_validate`."
-
-**After the agent completes**:
-1. **Sanity check**: if verdict is `PASS`/`PASS_WITH_ISSUES` but log shows zero screenshots AND zero navigations, treat as unverified — re-run at `--tier 2`/`3`. Code-level verdict is not browser validation.
-2. Branch: `PASS`/`PASS_WITH_ISSUES`/`PARTIALLY_VERIFIED` → PHASE 2; `NEEDS_WORK`/`BLOCKED` → PHASE 2.5 with `triggered_by: "browser_validate"`.
-
-## PHASE 2: EVALUATE
-
-**Engine**: EVAL row — always Claude. Prompt body: **`references/phases/phase-2-evaluate.md`**.
-
-**After the agent completes**:
-1. Read `state.phases.evaluate.verdict`.
-2. **First-time PASS or PASS_WITH_ISSUES** with `state.eval_passed_sha == null` → set `state.eval_passed_sha = git rev-parse HEAD` (activates `<post_eval_invariant>`).
-3. Branch:
-   - `PASS` → PHASE 3 (CRITIC) per route; `fast` → PHASE 5 (FINAL REPORT).
-   - `PASS_WITH_ISSUES` → **terminal for this phase** (LOW-only findings do not re-trigger fix loop). Proceed to next phase.
-   - `NEEDS_WORK` / `BLOCKED` → PHASE 2.5 with `triggered_by: "evaluate"`.
-
-## PHASE 2.5: UNIFIED FIX LOOP
-
-Single fix loop for every trigger (`build_gate` / `browser_validate` / `evaluate` / `critic`). `state.rounds.global` shared counter.
-
-**Exhaustion check first**: if `state.rounds.global >= state.rounds.max_rounds`:
-- `build_gate` / `browser_validate` → **halt** → PHASE 5 with exhaustion banner.
-- `evaluate` / `critic` → **proceed_with_warning** → skip to next phase; final report shows banner.
-
-**Fix-batch packet assembly**: read the trigger's `.findings.jsonl` (plus browser_validate if `triggered_by == "evaluate"` or `"browser_validate"` and browser has open findings — see pipeline-routing.md), filter `status == "open"`, write `.devlyn/fix-batch.round-<N>.json`:
-```json
-{
-  "round": <N>, "max_rounds": <N>, "base_ref_sha": "...", "criteria_source": "...",
-  "triggered_by": "<trigger>", "findings": [ /* id, rule_id, severity, file, line, message, fix_hint, criterion_ref */ ],
-  "failed_criteria": ["<C ids>"], "acceptance": {"build_gate_cmd": "...", "test_cmd": "..."}
-}
-```
-
-**Engine**: FIX LOOP row (Codex on `auto`/`codex`, Claude on `claude`). Fresh Codex call each round (no `sessionId` reuse).
-
-Spawn per `<engine_routing_convention>`. Prompt:
-
-> Read `.devlyn/fix-batch.round-<N>.json` and `pipeline.state.json`.
->
-> **First, re-ground on the contract.** Open `source.spec_path` (or `source.criteria_path`) and read the sections/anchors referenced by each finding's `criterion_ref`. **Spec/criteria are higher authority than findings** — do not narrow or reinterpret required behavior to satisfy a finding. If a finding hint conflicts with explicit spec text (e.g., a glob/pattern like `**/SKILL.md`, a cardinality, a flag's documented behavior), preserve the spec semantics and fix only the implementation defect. Non-contradictory, backward-compatible enhancements that preserve required default behavior are allowed (e.g., respecting `NO_COLOR` while still defaulting to colored when unset). If a finding **truly contradicts** the spec, halt that finding's fix, log the conflict in `.devlyn/fix-batch.round-<N>.log.md`, and leave the finding `open` — the conflict surfaces in the final report rather than silently narrowing the contract.
->
-> **Then fix every listed finding at the root cause.** If multiple findings touch the same symbol, produce **one consolidated change**. Prefer editing/replacing existing code over adding new machinery; **do not leave parallel near-duplicate helpers/functions**. When return-shape pressure appears (one finding needs a richer return value than another), broaden the existing helper's return object — don't create a second variant.
->
-> Read each referenced `file:line`, implement the fix, run tests. No workarounds (`any`, `@ts-ignore`, silent catches, hardcoded values). Raw failure detail: `.devlyn/build_gate.log.md` / `.devlyn/browser_validate.log.md`. When a previously-failed criterion is now satisfied, clear `failed_by_finding_ids`, set `status: "implemented"`, append an `evidence` record.
-
-**After the agent completes**:
-1. Checkpoint: `git add -A && git commit -m "chore(pipeline): fix round <N> (<triggered_by>)"`.
-2. Increment `state.rounds.global`.
-3. Route back: `build_gate` → PHASE 1.4; `browser_validate` → PHASE 1.5; **`evaluate` / `critic` → PHASE 2 (re-EVAL)**. All post-EVAL findings flow back through EVAL.
-4. **After re-EVAL returns PASS/PASS_WITH_ISSUES with `triggered_by == "critic"`**: re-run PHASE 3 CRITIC once before proceeding to DOCS. This verifies the fix didn't introduce new design/security issues the first CRITIC would have caught. Subsequent fix-loop rounds triggered from this re-CRITIC follow the same rule (bounded by `state.rounds.max_rounds`).
-
-## PHASE 3: CRITIC (findings-only, route-gated)
-
-Skip if `state.route.selected == "fast"` OR `critic` in `state.route.bypasses`.
-
-One post-EVAL critic pass with two sub-concerns:
-- **Design sub-pass** — "would a staff engineer block this PR?" (cold read, any finding → `NEEDS_WORK`). Always Claude.
-- **Security sub-pass** — OWASP-style audit with mandatory dependency audit when any dep manifest OR lockfile changed (`package.json`, `requirements.txt`, `package-lock.json`, `pnpm-lock.yaml`, `yarn.lock`, `Pipfile.lock`, `poetry.lock`, `Cargo.toml`, `Cargo.lock`, `go.mod`, `go.sum`). On `--engine auto`: **Dual** (Claude + Codex parallel, merged). On others: single model per route.
-
-Hygiene concerns (unused imports, dead code) live in EVAL's `hygiene.*` findings at LOW severity, not a separate sub-pass here.
-
-**Before spawn**: capture `phase_pre_sha = git rev-parse HEAD` → `state.phases.critic.pre_sha`.
-
-**Spawn**: per `<engine_routing_convention>`. Prompt body: **`references/phases/phase-3-critic.md`**.
-
-**After the agent completes**:
-1. Enforce `<post_eval_invariant>`: `git diff --name-only <phase_pre_sha> -- ':!.devlyn/**'` — non-empty → revert + emit invariant finding + route to fix loop.
-2. Read `state.phases.critic.verdict` (WORSE of design/security sub-verdicts):
-   - `PASS` → PHASE 4.
-   - `PASS_WITH_ISSUES` (security LOW only; design must be zero) → terminal; PHASE 4.
-   - `NEEDS_WORK` / `BLOCKED` → PHASE 2.5 with `triggered_by: "critic"`.
-
-## PHASE 4: DOCS (doc-file mutations only)
-
-Skip if `docs` in `state.route.bypasses` OR `state.route.selected == "fast"`.
-
-Spawn Claude `Agent` (`mode: "bypassPermissions"`). Include original task description. Prompt: "Two jobs:
-
-**Job 1 — Roadmap sync**: if task matched `docs/roadmap/phase-\d+/[^\s\"']+\.md` and `git diff <state.base_ref.sha> --stat` touches non-doc files:
-1. Read the spec. If `status: done` already, skip to Job 2.
-2. Set `status: done` + `completed: <today>` in frontmatter. Do not touch body.
-3. Update `docs/ROADMAP.md`: find row matching spec id; change Status to `Done`.
-4. If phase now fully Done: archive to `## Completed <details>` block at bottom (format per `devlyn:ideate#context-archiving`). Item spec files stay on disk.
-
-**Job 2 — General doc sync**: update docs referencing changed APIs/features/behaviors. Use `git log --oneline -20` + `git diff <state.base_ref.sha>`. Preserve forward-looking content.
-
-**Safety**: never flip a spec `done` without a non-empty non-doc diff; never flip multiple specs in one run; never touch files outside the doc-file allowlist."
-
-**Before spawn**: capture `phase_pre_sha = git rev-parse HEAD` → `state.phases.docs.pre_sha`.
-
-**After the agent completes**:
-1. Enforce allowlist: `git diff --name-only <phase_pre_sha> -- ':!.devlyn/**'` — any non-allowlisted path → revert + emit `invariant.post-eval-code-mutation` + route to PHASE 2.5 with `triggered_by: "docs"`.
-2. If allowlist honored and diff non-empty: `git add -A && git commit -m "chore(pipeline): docs updated"`.
-
-## PHASE 5: FINAL REPORT + ARCHIVE
-
-1. **Terminal verdict**: run `python3 scripts/terminal_verdict.py` (implements the precedence in `references/pipeline-routing.md#terminal-state-algorithm`; prints verdict, exits 0/1/2/3 for PASS/PASS_WITH_ISSUES/NEEDS_WORK/BLOCKED).
-
-2. **Render report**:
-```
-### Auto-Resolve Complete — run <run_id>
-
-Task: <original task>
-Engine: <engine> (downgraded: <reason or no>)
-Route: <selected> (user_override: <t/f>)
-  Stage A: <reasons>
-  Stage B LITE: <no escalation | escalated from X — reason>
-
-Terminal verdict: <PASS / PASS_WITH_ISSUES / NEEDS_WORK / BLOCKED>
-<banner if applicable: "⚠ BUILD GATE EXHAUSTED" / "⚠ EVAL EXHAUSTED — open findings: <list file:line>" />
-
-Pipeline summary:
-| Phase | Verdict | Notes |
-|-------|---------|-------|
-| BUILD | <v> | <engine, solo/team> |
-| BUILD GATE | <v> | <project types, commands> |
-| BROWSER | <v / skipped — no web> | <tier, flow> |
-| EVAL (round <N>) | <v> | <finding count by severity> |
-| FIX ROUNDS | <N of max> | <triggered_by history> |
-| CRITIC | <v / skipped-route / skipped-bypass> | <design: N, security: N, dep-audit: ran/skipped> |
-| DOCS | <completed / skipped> | <specs flipped, roadmap archived> |
-
-Guardrails bypassed: <state.route.bypasses or "none">
-
-Commits: <git log --oneline from state.base_ref.sha>
-
-Audit trail: .devlyn/runs/<run_id>/
-
-Next steps:
-- Review: git diff <base_ref.sha>
-- Squash: git rebase -i <base_ref.sha>
-- Re-run fixes: /devlyn:auto-resolve "<narrower task>"
-```
-
-3. **Archive**: run `python3 scripts/archive_run.py` (implements `references/pipeline-state.md#archive-contract`; moves per-run artifacts into `.devlyn/runs/<run_id>/`, best-effort prunes to last 10 completed runs).
-
-4. Kill dev server from PHASE 1.5 if still running.

package/config/skills/devlyn:auto-resolve/evals/evals.json

@@ -1,21 +0,0 @@
-{
-  "skill_name": "devlyn:auto-resolve",
-  "note": "Real regression fixtures from measured A/B runs. Each eval is a task we have actually driven through the pipeline and scored blind against a bare-prompt baseline. Expand only with real runs, not synthesized prompts.",
-  "evals": [
-    {
-      "id": 1,
-      "name": "doctor-subcommand",
-      "route": "standard",
-      "complexity": "medium",
-      "prompt": "Implement per spec at evals/task-doctor-subcommand.md",
-      "spec": "evals/task-doctor-subcommand.md",
-      "expected_output": "Single-file CLI change adding a `doctor` subcommand to bin/devlyn.js with node-version, HOME/.claude, plugins, and skills checks, TTY-gated color, exit-code semantics, help integration. Zero new npm dependencies. No silent error catches.",
-      "baseline_source": "bare prompt (no skill pipeline) — see benchmark history commit 2d9a5f0..51a8aeb",
-      "historical_scores": {
-        "v3.4":   { "skill": 57, "bare": 45, "margin": 12, "judge": "codex gpt-5.3-codex blind" },
-        "v3.4.1": { "skill": 59, "bare": 43, "margin": 16, "judge": "codex gpt-5.3-codex blind" }
-      },
-      "files": []
-    }
-  ]
-}

package/config/skills/devlyn:auto-resolve/evals/task-doctor-subcommand.md

@@ -1,42 +0,0 @@
-# Task: `devlyn doctor` subcommand
-
-Add a new `doctor` subcommand to `bin/devlyn.js`. When the user runs `npx devlyn-cli doctor` (or `node bin/devlyn.js doctor`), it diagnoses the local devlyn-cli installation and prints a status report.
-
-## Requirements
-
-1. **Node version check** — `process.version >= v18.0.0`. Emit a status line. If below, mark FAIL.
-2. **`$HOME/.claude/` check** — exists as directory AND is writable. Missing → FAIL. Exists but not writable (EACCES) → FAIL with a distinct "permission" message.
-3. **Installed plugins scan** — read subdirectories of `$HOME/.claude/plugins/cache/` and print a summary line with the count. `--verbose` lists names.
-4. **Installed skills scan** — count files matching `$HOME/.claude/skills/**/SKILL.md`. Print count; `--verbose` lists relative paths.
-5. **Colored output** — each line prefixed with `[OK]` (green), `[WARN]` (yellow), `[FAIL]` (red) using ANSI escape codes, **only when `process.stdout.isTTY` is true**. Non-TTY → no color codes.
-6. **Summary line** — e.g., `doctor: 3 ok, 1 warn, 0 fail`.
-7. **Exit code** — `0` if zero fails, `1` if any fail.
-8. **`--verbose` flag** — expands details for plugins/skills scans.
-9. **Help integration** —
-   - `node bin/devlyn.js doctor --help` prints a short help block and exits 0.
-   - `node bin/devlyn.js --help` / `node bin/devlyn.js help` lists `doctor` as an available subcommand.
-
-## Constraints
-
-- **Zero new dependencies.** Use only Node.js built-ins (`fs`, `path`, `os`, `process`).
-- **No silent error catches.** Per project CLAUDE.md error-handling philosophy, do not wrap operations in `try { … } catch { return fallbackValue }`. All errors visible to the user with actionable messages.
-- **HOME guard.** If `process.env.HOME` is undefined or empty, emit a clear FAIL line ("HOME environment variable is not set") and exit 1. Do not attempt to read arbitrary paths.
-- **EACCES handling.** If `readdirSync` fails with EACCES, emit a permission-specific message quoting the offending path. Do not silently return an empty list.
-
-## Acceptance verification
-
-Run each of these and they must behave as described:
-
-- `node bin/devlyn.js doctor` — produces the status report, exits 0 on a clean machine.
-- `HOME=/nonexistent node bin/devlyn.js doctor` — prints a FAIL line clearly referencing the missing `/nonexistent/.claude`, exits 1.
-- `node bin/devlyn.js doctor | cat` — piped output contains no ANSI escape codes (`\x1b[`).
-- `node bin/devlyn.js doctor --help` — prints help, exits 0.
-- `node bin/devlyn.js --help` — mentions `doctor` in the list of subcommands.
-- `git diff -- package.json` — no new entries under `dependencies`.
-- `node bin/devlyn.js doctor --verbose` — lists each plugin directory and each skill path.
-
-## Out of Scope
-
-- Auto-repair (don't offer to fix detected problems; just report).
-- Checking remote/registry state (npm, GitHub).
-- Any feature requiring a new npm dependency.

package/config/skills/devlyn:auto-resolve/references/build-gate.md

@@ -1,130 +0,0 @@
-# Build Gate — Project Type Detection & Commands
-
-Reference for PHASE 1.4 (Build Gate). The build gate agent reads this file to determine which commands to run.
-
----
-
-## Project Type Detection Matrix
-
-Inspect the repository root and subdirectories (up to 2 levels). A repo can match **multiple** signals — run ALL matching gates. Do not pick "the main one"; a monorepo with a Next.js dashboard + Rust service needs both.
-
-| Signal file(s) | Project type | Gate commands (run in order) |
-|---|---|---|
-| `package.json` with `next` dep | Next.js | `npx tsc --noEmit` → `npx next build` |
-| `package.json` with `nuxt` dep | Nuxt | `npx nuxi typecheck` → `npx nuxi build` |
-| `package.json` with `vite` + `tsconfig.json` | Vite+TS | `npx tsc --noEmit` → `npm run build` (if script exists) |
-| `package.json` with `expo` dep | Expo (React Native) | `npx tsc --noEmit` → `npx expo-doctor` |
-| `package.json` with `react-native` (no expo) | React Native | `npx tsc --noEmit` |
-| `package.json` with `svelte` + `@sveltejs/kit` | SvelteKit | `npm run check` → `npm run build` |
-| `package.json` only, has `build` script | Generic Node | `npm run build` |
-| `package.json` only, has `tsconfig.json` but no `build` | TS library | `npx tsc --noEmit` |
-| `pnpm-workspace.yaml` / `turbo.json` / `lerna.json` | Monorepo | `pnpm -r build` or `turbo run build typecheck lint` — **workspace-wide**, NOT just the changed package |
-| `Cargo.toml` | Rust | `cargo check --all-targets` → `cargo clippy -- -D warnings` |
-| `go.mod` | Go | `go build ./...` → `go vet ./...` |
-| `foundry.toml` | Foundry (Solidity) | `forge build` |
-| `hardhat.config.{js,ts,cjs}` | Hardhat (Solidity) | `npx hardhat compile` |
-| `Anchor.toml` | Anchor (Solana) | `anchor build` |
-| `Move.toml` | Move (Sui/Aptos) | `sui move build` or `aptos move compile` |
-| `pyproject.toml` / `setup.py` + mypy config | Python+mypy | `mypy .` |
-| `pyproject.toml` with `ruff` | Python+Ruff | `ruff check .` |
-| `Package.swift` | Swift package | `swift build` |
-| `*.xcodeproj` / `*.xcworkspace` | iOS/macOS (Xcode) | Skip by default — log "Xcode project detected, manual build gate recommended". Too project-specific without knowing the scheme. |
-| `build.gradle*` / `settings.gradle*` | Gradle/Android | `./gradlew assembleDebug` (debug, not release — keep it fast) |
-| `CMakeLists.txt` | C/C++ (CMake) | `cmake -B build && cmake --build build` |
-| `Makefile` (with no other signals) | Generic Make | `make` (only if no other type matched — Makefiles are too generic) |
-| `Unity/ProjectSettings/` or `ProjectSettings/ProjectVersion.txt` | Unity | Skip by default — log "Unity project detected, manual build gate recommended" |
-| `project.godot` | Godot | Skip by default — log "Godot project detected, manual build gate recommended" |
-| `Dockerfile*` | Docker | `docker build -f <dockerfile> -t _pipeline_gate_test .` — included by default in `auto` mode. Skip with `--build-gate no-docker`. |
-
-## Package Manager Detection
-
-Respect the project's package manager. Check in order:
-1. `packageManager` field in root `package.json` → use that
-2. `pnpm-lock.yaml` exists → `pnpm`
-3. `yarn.lock` exists → `yarn`
-4. `bun.lockb` / `bun.lock` exists → `bun`
-5. Default → `npm`
-
-Replace `npm run build` / `npx` accordingly: `pnpm build` / `pnpm exec`, `yarn build` / `yarn`, `bun run build` / `bunx`.
-
-## Monorepo Handling
-
-Monorepo is the most critical case — cross-package type drift is the #1 source of "tests pass locally, build fails in CI."
-
-1. Detect workspace root markers: `pnpm-workspace.yaml`, `turbo.json`, `lerna.json`, `workspaces` in root `package.json`
-2. Run gates at the **workspace root** level, not per-changed-package:
-   - Turbo: `turbo run build typecheck lint` (respects dependency graph)
-   - pnpm: `pnpm -r build` (runs in topological order)
-   - yarn workspaces: `yarn workspaces foreach -A run build`
-   - npm workspaces: `npm run build --workspaces`
-3. This ensures Package A's type change that breaks Package B's consumer is caught, even if only Package A was directly modified.
-
-## Strict Mode (`--build-gate strict`)
-
-When strict mode is set, treat warnings as failures:
-- TypeScript: add `--strict` if not already in tsconfig (or verify it's set)
-- Clippy: `-D warnings` (already default in the matrix)
-- ESLint: `--max-warnings 0`
-- Go vet: already treats warnings as errors
-- Foundry: `--deny-warnings`
-
-In default (auto) mode, only hard errors (non-zero exit code from the tool's perspective) block.
-
-## Docker Build (default in `auto` mode)
-
-When `Dockerfile*` files are detected AND `--build-gate no-docker` is NOT set:
-1. Run all non-Docker gates first (they're faster and catch most errors before the slow Docker step)
-2. Then run `docker build -f <dockerfile> -t _pipeline_gate_test .` for each Dockerfile found in the repo root and subdirectories (up to 2 levels)
-3. If Docker daemon is not available, log the skip with a warning but do NOT fail — developers without Docker should not be blocked. The warning should note: "Docker builds were skipped because the Docker daemon is unavailable. Use `--build-gate no-docker` to suppress this warning, or ensure Docker is running to catch Dockerfile-specific issues."
-4. This catches Dockerfile-specific issues that no other gate can: COPY paths referencing files excluded by .dockerignore, multi-stage build failures, production-only dependency resolution, and environment differences between dev and container builds
-
-Use `--build-gate no-docker` to skip Docker builds for faster iteration during development — the language-level gates (tsc, cargo check, etc.) still run and catch the majority of issues. Docker builds are most valuable as a final gate before shipping.
-
-## Output Format
-
-Emit two files plus one state update (schemas: `references/findings-schema.md`, `references/pipeline-state.md`).
-
-### 1. `.devlyn/build_gate.findings.jsonl`
-
-One JSON line per failing command's extracted root cause. Do NOT emit findings for PASSING commands. Each line follows the canonical findings schema:
-
-```jsonl
-{"id":"BGATE-0001","rule_id":"build.type-error","level":"error","severity":"HIGH","confidence":0.99,"message":"Property 'config' does not exist on type 'SettingsTabsProps'","file":"dashboard/app/(dashboard)/settings/page.tsx","line":90,"phase":"build_gate","criterion_ref":null,"fix_hint":"Read dashboard/app/(dashboard)/settings/page.tsx:88-93 and dashboard/components/settings/SettingsTabs.tsx (the SettingsTabsProps type definition). Either add 'config' to SettingsTabsProps or remove the prop from the parent.","blocking":true,"status":"open"}
-```
-
-Dedup key is `(rule_id, file, line)` per `findings-schema.md` — no fingerprint bookkeeping (removed in v3.4).
-
-Suggested `rule_id` values: `build.type-error`, `build.lint-violation`, `build.dep-missing`, `build.docker-copy-mismatch`, `build.module-not-found`, `build.compile-error`.
-
-### 2. `.devlyn/build_gate.log.md`
-
-Human-readable run log. This is where the FULL raw stderr/stdout lives — not in the JSONL `message`. Structure:
-
-```markdown
-# Build Gate Run Log
-## Detected Project Types
-- [type] ([path/])
-
-## Commands
-| # | Command | Dir | Exit | Time |
-|---|---|---|---|---|
-| 1 | `npx tsc --noEmit` | dashboard/ | 0 | 4.2s |
-| 2 | `npx next build` | dashboard/ | 1 | 9.8s |
-
-## Raw Output — failing commands only
-
-### #2: `npx next build` (dashboard/, exit 1)
-\`\`\`
-[full raw output — keep for debugging]
-\`\`\`
-```
-
-### 3. Update `pipeline.state.json`
-
-Set `phases.build_gate`:
-- `verdict`: `PASS` if all exit codes == 0, else `FAIL`. If no gates detected, `PASS` with a note in log.md ("No build gate detected — project type unknown; consider adding `--build-gate deploy` if Dockerfiles are present.")
-- `engine: "bash"`, `model: null`
-- `started_at`, `completed_at`, `duration_ms`, `round`
-- `artifacts.findings_file: ".devlyn/build_gate.findings.jsonl"`, `artifacts.log_file: ".devlyn/build_gate.log.md"`
-
-The orchestrator branches on `phases.build_gate.verdict` — it does NOT re-read the findings or log file for routing decisions.

package/config/skills/devlyn:auto-resolve/references/engine-routing.md

@@ -1,82 +0,0 @@
-# Engine Routing: Intelligent Model Selection
-
-Routing rules for Claude / Codex / Dual per role and phase. Only read when `--engine` is `auto` or `codex`.
-
-Codex call defaults: `model: "gpt-5.4"`, `reasoningEffort: "xhigh"`, `sandbox` per role (below), `workingDirectory: <project root>`.
-
----
-
-## Pipeline Phase Routing (auto-resolve)
-
-| Phase | `--engine auto` | `--engine codex` | `--engine claude` |
-|-------|--------------|----------------|-----------------|
-| BUILD | **Codex** | Codex | Claude |
-| BUILD GATE | bash | bash | bash |
-| BROWSER VALIDATE | Claude (Chrome MCP) | Claude | Claude |
-| EVALUATE | **Claude** | Claude | Claude |
-| FIX LOOP | **Codex** | Codex | Claude |
-| CRITIC (design sub-pass) | Claude | Claude | Claude |
-| CRITIC (security sub-pass) | **Dual** | Codex | Claude |
-| DOCS | Claude | Codex | Claude |
-
-Rationale:
-- BUILD/FIX: Codex — SWE-bench Pro advantage on hard coding.
-- EVALUATE/CRITIC design sub-pass: Claude — long-context retrieval + skeptical reasoning; different model family from builder for GAN dynamic.
-- BROWSER: Claude — Chrome MCP tools session-bound.
-- CRITIC security: Dual on `auto` — Semgrep study shows each model finds unique vulnerabilities; for security, coverage trumps cost.
-
----
-
-## Pipeline Phase Routing (ideate)
-
-| Phase | `--engine auto` | `--engine codex` | `--engine claude` |
-|-------|--------------|----------------|-----------------|
-| FRAME | Claude | Codex | Claude |
-| EXPLORE | Claude | Codex | Claude |
-| CONVERGE | Claude | Codex | Claude |
-| CHALLENGE | **Codex** (rubric critic) | Claude (role reversal) | Claude |
-| DOCUMENT | Claude | Codex | Claude |
-
-CHALLENGE: when `--engine auto`, Codex runs the rubric as critic (builder and critic always different models).
-
----
-
-## Pipeline Phase Routing (preflight)
-
-| Phase | `--engine auto` | `--engine codex` | `--engine claude` |
-|-------|--------------|----------------|-----------------|
-| EXTRACT | Claude | Codex | Claude |
-| AUDIT (code) | **Codex** | Codex | Claude |
-| AUDIT (docs) | **Claude** | Claude | Claude |
-| AUDIT (browser) | Claude | Claude | Claude |
-| SYNTHESIZE | Claude | Claude | Claude |
-
-Docs auditor is always Claude (writing-quality strength for prose-drift detection). Browser is always Claude (Chrome MCP session-bound).
-
----
-
-## Team-role routing (when `--team` is on OR route == strict in auto-resolve, OR team-review in standalone)
-
-| Role | Engine | Sandbox | Rationale |
-|------|--------|---------|-----------|
-| root-cause-analyst | Claude | — | Git-history traversal + tool access beats SWE-bench Pro for this role |
-| test-engineer | Codex | workspace-write | HumanEval edge, needs file write |
-| security-auditor | Dual | read-only | Semgrep: each finds unique vulns |
-| implementation-planner | Codex | read-only | SWE-bench Pro +11.7pp |
-| architecture-reviewer | Claude | — | Codebase-wide pattern review = MRCR strength |
-| performance-engineer | Codex | read-only | Terminal-Bench edge |
-| api-designer / api-reviewer | Dual | read-only | Both find unique API issues |
-| quality-reviewer | Dual | read-only | Measured ~36–73% coverage gain from dual |
-| ux/ui/accessibility-* | Claude | — | Ambiguity handling + WCAG domain depth |
-
-For Codex roles: `mcp__codex-cli__codex` with `model: "gpt-5.4"`, `reasoningEffort: "xhigh"`, sandbox per table. Include full role prompt inline; Codex has no access to TeamCreate/SendMessage/TaskCreate.
-
-For Dual roles: run both in parallel, merge findings. Same finding from both → keep more detailed wording, mark "confirmed by both". Codex-only → prefix `[codex]`. Conflicts → keep both.
-
----
-
-## Override behavior
-
-- `--engine claude` → all roles/phases use Claude (no Codex calls).
-- `--engine codex` → all phases use Codex for implementation/analysis, Claude only for orchestration/Chrome MCP.
-- `--engine auto` (default) → each role/phase routes per this table.

package/config/skills/devlyn:auto-resolve/references/findings-schema.md

@@ -1,103 +0,0 @@
-# Findings Schema — `.devlyn/<phase>.findings.jsonl`
-
-Structured findings format for phase outputs. One JSON object per line (JSONL). Written by Evaluate, Build Gate, Browser Validate, Critic, and any other phase that emits structured findings.
-
-## Purpose
-
-Separate structured findings from prose summaries. The orchestrator and fix-loop need machine-readable data for:
-- Filtering by severity / blocking / status.
-- Cross-round dedup (single primary key — see below).
-- Packing into fix-batch packets for the fix-loop subagent.
-- Final report aggregation.
-
-## Canonical schema (per line)
-
-```json
-{
-  "id": "<PHASE>-<4digit>",
-  "rule_id": "<category>.<kebab-name>",
-  "level": "note" | "warning" | "error",
-  "severity": "LOW" | "MEDIUM" | "HIGH" | "CRITICAL",
-  "confidence": <float 0.0..1.0>,
-  "message": "<one-line human description>",
-  "file": "<path relative to repo root>",
-  "line": <int, 1-based>,
-  "phase": "<phase name, e.g. 'evaluate'>",
-  "criterion_ref": "<anchor, e.g. 'spec://requirements/2'>" | null,
-  "fix_hint": "<concrete action quoting file:line to change>",
-  "blocking": true | false,
-  "status": "open" | "resolved" | "suppressed"
-}
-```
-
-## Field semantics
-
-### Identity
-
-- `id` — stable within a single run. Format: `<PHASE>-<4digit>` zero-padded. Examples: `EVAL-0007`, `BUILD-0001`, `CRIT-0003`, `BGATE-0004`.
-- `rule_id` — stable across runs. Format: `<category>.<kebab-case-name>`. Use existing rule_ids before inventing new ones — keeps dedup working. Common categories:
-  - `correctness.*` — logic errors, silent failures, null access, wrong API contracts
-  - `design.*` — staff-engineer ship/no-ship concerns (non-atomic transactions, hidden assumptions, unidiomatic patterns)
-  - `security.*` — OWASP-anchored (sql-injection, xss, hardcoded-credential, missing-input-validation, missing-auth-check, insecure-dependency, permissive-cors, missing-csrf, privilege-escalation, data-exposure, path-traversal, ssrf)
-  - `ux.*` — missing error/loading/empty states
-  - `architecture.*` — pattern violations, duplication, missing integration
-  - `hygiene.*` — unused imports, dead code, unused deps (typically LOW)
-  - `types.*` — any-cast escapes, unsafe casts
-  - `scope.*` — out-of-scope violations (e.g. `scope.out-of-scope-violation`)
-  - `performance.*`, `style.*` — typically LOW
-
-### Severity and level
-
-- `level` — SARIF-style coarse bucket: `error` blocks ship, `warning` should fix, `note` informational.
-- `severity` — finer granularity for pipeline logic.
-
-  | severity | level | blocking default |
-  |----------|-------|------------------|
-  | `CRITICAL` | `error` | always true |
-  | `HIGH` | `error` | usually true |
-  | `MEDIUM` | `warning` | true (stricter for `security.*` — see pipeline-routing terminal state) |
-  | `LOW` | `note` | false |
-
-- `confidence` — reporter's self-rating, `0.0`–`1.0`. Fix-loop prioritizes high-confidence HIGH findings first.
-
-### Message and location
-
-- `message` — one line. NAME the issue, not the symptom. Good: `"Token validated on read path but not write path"`. Bad: `"Potential security issue"`.
-- `file` — repo-relative path. No leading `./`, no absolute paths. Forward slashes.
-- `line` — 1-based line number. Multi-line spans → primary (first) line.
-
-### Dedup primary key
-
-The primary key is `(rule_id, file, line)`. Two findings with identical coordinates are the same issue. If EVAL runs again after a fix and the finding re-appears at the same spot, it's still unresolved. If the line shifted after a fix, the next EVAL regenerates the finding with the new line — cross-round drift heals naturally via re-evaluation, no hash-normalization bookkeeping.
-
-### Pipeline linkage
-
-- `phase` — the phase that produced this finding (redundant with filename but keeps records self-describing when concatenated for fix-batch packets).
-- `criterion_ref` — anchor to the criterion this finding affects, or `null` if cross-cutting.
-- `fix_hint` — concrete action with file:line. Not "improve error handling" — e.g. `"Wrap read+write in db.transaction() at src/auth/session.ts:84-92; re-check order.status === 'pending' inside transaction before updating"`.
-
-### Lifecycle
-
-- `blocking` — does this block ship?
-- `status`:
-  - `open` — reported, awaiting action
-  - `resolved` — a fix-loop round applied a fix AND subsequent evaluation confirms the finding is gone (via `(rule_id, file, line)` absence in the new EVAL run)
-  - `suppressed` — intentionally not fixed with justification in the phase's `log.md`; requires user override or Out-of-Scope mapping in the spec
-
-## Dedup and round handling
-
-Each phase writes a fresh `.findings.jsonl` on each execution. Fix rounds re-run EVAL, which produces a new file.
-
-**Cross-round reconciliation** (fix-loop rounds only):
-1. Read prior round's `<phase>.findings.jsonl` (if any).
-2. For each finding in the new file: if prior open finding has same `(rule_id, file, line)` → reuse the prior `id`, keep `status: open`. Otherwise → new `id`.
-3. For each prior open finding not matched by the new file → set `status: resolved` in the prior file.
-
-Fix-batch packet: orchestrator concatenates all phases' `.findings.jsonl`, filters `status == "open"`, drops `blocking == false` when round budget is tight, writes to `.devlyn/fix-batch.round-<N>.json`.
-
-## Non-goals
-
-- Full SARIF 2.1.0 export (can derive later by mapping our fields to SARIF).
-- Cross-project aggregation.
-- Rule metadata catalogs.
-- Code fix patches — `fix_hint` is prose; fix-loop subagent writes the patch.