devrites 1.19.0

package/pack/.claude/skills/rite-temper/reference/strategy-template.md

@@ -0,0 +1,90 @@
+# `strategy.md` template + fold-back rules
+
+`/rite-temper` produces two kinds of output. The `strategy.md` artifact is the durable
+**record** of the review; the **fold-back edits** are what the build actually follows. The
+record without the fold-back is dead prose — the build reads `spec.md`, not `strategy.md`.
+
+## `strategy.md` — the record
+Write to `.devrites/work/<slug>/strategy.md`. If one exists for the slug, **update** it, don't
+clobber.
+
+```markdown
+# Strategy: <slug>
+Tempered: <iso>
+
+## 1. Significance
+full | skipped — low stakes (<trigger>)        # if skipped, stop here (see significance.md)
+
+## 2. Scope mode
+Mode: expand | selective | hold-rigor | reduce-to-MVP
+Rationale: <why this mode>
+Hinge: <what evidence/answer would change the call>
+
+## 3. Forward pass (ambition)
+10-star outcome (the deliberate overshoot): <one or two lines>
+Premises challenged: <load-bearing assumption(s) + verdict>
+Converged sweet spot: <where we landed and why — this, not the overshoot, is what folds in>
+
+## 4. Pre-mortem (inversion)
+| Failure mode (past tense) | Likelihood | Mitigation | Owning slice/criterion |
+|---|---|---|---|
+| It shipped and <…> | high/med/low | <mitigation> | <slice or FR it binds to> |
+
+## 5. YAGNI ledger
+| Candidate scope item | later-refactor cost | Verdict |
+|---|---|---|
+| <item> | trivial / large | build-now / defer (revisit: <trigger>) |
+
+## 6. Cross-cutting coverage
+| Concern | Addressed? |
+|---|---|
+| Security / trust boundary | <how | N/A — why> |
+| Data & migration | <… | N/A> |
+| Observability | <… | N/A> |
+| Modifiability | <… | N/A> |
+
+## 7. Dimension scores (floor-gate)
+| Dimension | Band | Evidence |
+|---|---|---|
+| Problem altitude & ambition | strong/adequate/thin/broken | <spec line / absence> |
+| … (all 9) | … | … |
+Floor verdict: <weakest band> on <dimension> → pass | blocked
+
+## 8. Deferred / Won't-have-this-time
+- <item> — <one-line reason> (revisit when: <trigger>)
+
+## 9. Reviewer loop
+- iter 1: <findings → resolution> · iter 2: … (≤3)
+- Final: floor = <band>; unresolved → <none | blocking qid>
+```
+
+## Fold-back — the part the build follows
+Apply through the **Spec Drift Guard** (these are spec changes, not free edits). If a plan
+already exists, record in `drift.md` and route via `/rite-plan repair` instead of editing
+`spec.md` blind.
+
+- **`spec.md`** (these are the spec template's actual section headings — edit each named one,
+  don't collapse pairs):
+  - *Success criteria* **and** *Acceptance criteria* (separate sections) — add to **both** for
+    every opt-in **expansion**; remove (via the Guard) from both for every **reduction**. Each
+    must stay measurable + technology-agnostic.
+  - *Non-goals* — append every deferred item (from the YAGNI ledger + the Deferred register), so
+    it is neither silently dropped nor silently re-injected mid-build.
+  - *Constraints* **and** *Risks* (separate sections) — tighten *Constraints* where the pre-mortem
+    demands; add the top failure modes + mitigations to *Risks*.
+  - *Gaps, issues & decisions* table — one row per scope call (options offered → decision → owner).
+  - **Re-run the Readiness gate** at the bottom of the spec after edits; it must still pass, and
+    **every folded scope delta must trace to a recorded decision** (a `questions.md` qid or a
+    `decisions.md` ADR) — an untraceable change is the batch-dump failure.
+- **`decisions.md`** — one ADR-style entry per scope call and accepted trade-off:
+  `context · decision · why-not-the-alternative · what-would-change-it`.
+- **`assumptions.md`** — every "we'll probably need X" demoted to an explicit
+  **assumption-to-verify**, never smuggled into scope as a fact.
+
+## Write discipline
+- **Single canonical writer.** The skill writes `strategy.md` and edits the canonical files; the
+  `devrites-strategy-reviewer` agent is **read-only** and only returns findings + bands.
+- **No silent scope.** An expansion that the human didn't opt into, or a reduction that drops an
+  acceptance criterion without a recorded decision, is a defect — not a convenience.
+- Add `strategy.md` to the workspace between `spec.md` and `plan.md`; `/rite-define`,
+  `/rite-review`, and `/rite-seal` read it.

package/pack/.claude/skills/rite-vet/SKILL.md

@@ -0,0 +1,155 @@
+---
+name: rite-vet
+description: Engineering review of a defined plan before any code — challenge implementation scope, then review architecture / code-quality / test-coverage / performance through senior-engineer lenses, confidence-banding each finding; harden `plan.md` / `tasks.md` and write `eng-review.md` + the build-readable `test-plan.md`. Use when the user says "vet the plan", "engineering review", "review the architecture", "lock in the plan", or before building a feature. Not for the spec's strategy (`/rite-temper`), a mid-build decision (`devrites-doubt`), a code diff (`/rite-review`), or the final gate (`/rite-seal`).
+argument-hint: "[slug] [--cross-model] [--full]"
+user-invocable: true
+---
+
+# /rite-vet — vet the plan before you build
+
+Take a defined plan and **vet** it the way a senior staff engineer would in a plan review:
+challenge the scope, walk architecture / plan code-quality / test-coverage / performance,
+calibrate every finding by confidence (and refuse to emit one you can't trace to a quoted
+line), design the test coverage the build will target, and map the failure modes and
+parallel lanes — *before* `/rite-build` writes a line. The one DevRites step that hardens
+the **implementation plan** at the engineering level and folds the result into the canonical
+contract, so the build follows a reviewed plan. Runs on **every** plan (depth scales to
+stakes; never skipped) and is always part of `/rite-autocomplete`; `--cross-model` adds a
+different-model second opinion. **Read the active workspace first**; if there's no
+`plan.md`, tell the user to run `/rite-define`.
+
+This is the engineering counterpart to `/rite-temper` (which is strategic, on the *spec*).
+Temper decides *the right thing*; vet decides *the right way to build it*.
+
+## Rules consulted (read on demand from `.claude/rules/`)
+**Step 0:** Read `.claude/rules/core.md` first. Pull on demand: `patterns.md` +
+`coding-style.md` (the over-engineering / reuse-first / YAGNI rubric — reuse the pack's
+standard), `testing.md` (the test-coverage axis), `performance.md` (the perf axis),
+`error-handling.md` (failure-mode coverage), `development-workflow.md` (parallel lanes,
+definition of done), `afk-hitl.md` (irreversible-risk list + gate ceiling).
+
+## Operating rules
+- **Review the plan, not the spec's ambition.** The spec's scope/ambition is `/rite-temper`'s
+  job and is treated as settled here. Vet asks *given this scope, is this the right, simplest,
+  best-tested, lowest-risk way to build it* — and challenges only implementation scope creep.
+- **You harden the plan directly; the reviewer judges.** Vet *is* the plan-hardening phase, so
+  behavior-preserving plan refinements (test requirements, tightened scope boundaries, ordering,
+  parallel lanes, error-handling + failure-mode coverage) are written straight into
+  `plan.md` / `tasks.md` / `test-plan.md` — you are the single canonical writer. A finding that
+  changes **acceptance criteria or product behavior** is *not* a plan refinement: it routes
+  through the **Spec Drift Guard** (record in `drift.md`, recorded decision, then `/rite-plan
+  repair` for any structural reslice). Nothing that grows the build's scope lands without a
+  recorded human decision.
+- **Confidence over assertion.** Every finding carries a confidence band; a finding you cannot
+  back by quoting the plan/spec line (or the code it references) is forced to low confidence and
+  suppressed from the main report — see the verification gate in [`reference/review-axes.md`](reference/review-axes.md).
+- **Bound rigor by reversibility.** Auth / migration / public-API / data-model touches get
+  maximum conservatism and always pause (irreversible-risk list), regardless of run mode.
+- **Honest verdict, gated on the floor.** Never round "thin" up to "ready"; the axis verdict is
+  the weakest finding, not an average. Record every call's *why*.
+
+## Workflow
+0. **Read `.claude/rules/core.md`** first.
+   Then **run the shared orientation preamble** — it prints `state.md`, the artifacts present,
+   the run mode (HITL/AFK), and the open-question tally by gate, so you orient deterministically
+   instead of re-deriving state from raw Markdown:
+   ```bash
+   P=.claude/skills/devrites-lib/scripts/preamble.sh
+   [ -f "$P" ] || P="${CLAUDE_SKILL_DIR:-}/../devrites-lib/scripts/preamble.sh"
+   [ -f "$P" ] || P=pack/.claude/skills/devrites-lib/scripts/preamble.sh
+   [ -f "$P" ] && bash "$P" || echo "(orientation preamble unavailable on this install — read state.md directly to orient)"
+   ```
+   Then the workspace: `plan.md`, `tasks.md`, `spec.md`
+   (for intent + acceptance), `strategy.md` (if `/rite-temper` ran), `decisions.md`,
+   `assumptions.md`, `design-brief.md` (if UI), `state.md`. Require a `plan.md` whose
+   Readiness gate passes (or `Plan approved`) — else STOP → `/rite-define`. Prefer a
+   code-intelligence index if available — codebase-memory-mcp first, cross-checked with codegraph + graphify, else standard methods (LSP / Read/Grep/Glob)
+   (see `.claude/rules/tooling.md`) — for placement / blast-radius / reuse checks.
+1. **Calibrate depth — never skip** — [`reference/depth.md`](reference/depth.md). Every plan is
+   vetted; what scales is the *depth*. A simple, single-module, reversible plan with no
+   irreversible-risk / data-model / new-pattern trigger → **light pass** (brief scope check + a
+   one-line scan per axis + the acceptance→test map). Any full-pass trigger (or `--full`) → the
+   **full pass** below. There is no skip: every feature leaves a recorded engineering verdict and
+   a `test-plan.md` coverage map.
+2. **Scope Challenge (blocking gate)** — [`reference/review-axes.md`](reference/review-axes.md)
+   §0. What already exists that solves a sub-problem (reuse vs rebuild)? The minimum diff for the
+   stated acceptance? Complexity smell (the plan touches **>8 files** or adds **>2 new
+   services/modules**) → **STOP and ask** before any axis. Verify each new pattern / infra choice
+   against a built-in (dispatch `devrites-source-driven`); completeness check (with AI, full
+   coverage is ~100× cheaper than the human-hours saved by a shortcut — prefer complete); and a
+   distribution check for any new artifact.
+2a. **Cross-artifact analyze gate + charter/conventions gate.** Before the axes, run one read-only
+   consistency+coverage pass over `spec.md` + `plan.md` + `tasks.md` (+ `coverage.md` if present);
+   any **CRITICAL** — an acceptance criterion with no slice, a slice satisfying no criterion, a
+   contradiction across artifacts — **blocks `/rite-build`** until resolved. Then score the anti-slop
+   charter (`coding-style.md` + `prose-style.md`) and the conventions ledger
+   (`.devrites/conventions.md`) as an explicit **pass/fail** on the planned approach — a plan that
+   bakes in a god-module, a speculative abstraction with no second caller, or a dependency where an
+   in-repo option exists is a **top-severity** violation, walked first. **Re-check both after the
+   axes harden the plan** (post-design). Write the result to `analysis.md`.
+   ```bash
+   A=.claude/skills/devrites-lib/scripts/analyze.sh
+   [ -f "$A" ] || A="${CLAUDE_SKILL_DIR:-}/../devrites-lib/scripts/analyze.sh"
+   [ -f "$A" ] || A=pack/.claude/skills/devrites-lib/scripts/analyze.sh
+   [ -f "$A" ] && { bash "$A"; echo "analyze rc=$?"; } || echo "(analyze.sh unavailable — do the cross-artifact pass by hand: every AC↔slice mapped, no contradiction across spec/plan/tasks)"
+   ```
+3. **Four-axis review** — [`reference/review-axes.md`](reference/review-axes.md), through the
+   senior-engineer lenses in [`reference/eng-lenses.md`](reference/eng-lenses.md): **Architecture
+   → Plan code-quality → Test-coverage design → Performance**, ≤8 findings per axis, each
+   `[severity] (confidence: N/10) <ref> — finding`. **Walk findings WITH the human, one at a
+   time** via `AskUserQuestion` (best-guess + why + options with effort/risk/maintenance, mapped
+   to a rule) — the artifact is the *output* of the review, not a substitute for it. (AFK ceiling
+   single-sourced in [`reference/depth.md`](reference/depth.md): hardening /
+   coverage-increasing findings auto-apply; **anything that grows scope or changes acceptance is a
+   blocking pause**; irreversible-risk always pauses.)
+4. **Required outputs** — the test-coverage diagram + per-gap test requirements (the **regression
+   rule** is mandatory, no question), failure-mode table, "NOT in scope", "What already exists",
+   and the worktree parallelization strategy. Shapes in [`reference/review-axes.md`](reference/review-axes.md).
+   Also a **PRP one-pass-implementable check** per slice brief (the build's pre-flight): confirm each
+   slice's Consumes/Produces, Known-Gotchas, validation commands, and reuse targets are present and
+   concrete — a brief that can't be built in one pass is a finding; harden the slice until it clears,
+   before `/rite-build`.
+5. **Write `eng-review.md` + `test-plan.md`, fold back** — [`reference/artifacts.md`](reference/artifacts.md).
+   `eng-review.md` is the durable record; `test-plan.md` is the build-readable coverage target
+   (`/rite-build` and `/rite-prove` read it). Harden `plan.md` / `tasks.md` directly for
+   behavior-preserving refinements; route every acceptance/behavior-changing delta through the
+   **Spec Drift Guard** (`drift.md` + recorded decision + `/rite-plan repair`). Append
+   `decisions.md` (one ADR per material call) and `assumptions.md`. Update `state.md`:
+   `Phase: vet`, `Next step: /rite-build`; on a blocking pause write the `Awaiting human` block +
+   `Status: awaiting_human` before stopping.
+6. **Adversarial verification loop (full pass)** — dispatch [`devrites-plan-reviewer`](../../agents/devrites-plan-reviewer.md)
+   (fresh context, **only** `plan.md` + `tasks.md` + `spec.md` + the rubric — no authoring
+   reasoning). Resolve actionable findings, re-dispatch; **cap ≤3 iterations**. An axis still
+   below bar after 3 → blocking question (HITL) or AFK gate-ceiling entry. On a **light pass**
+   the fresh-context loop is skipped — the per-axis scan + the `test-plan.md` coverage map are the
+   verdict (escalate to this loop if the light scan surfaces a real finding). With `--cross-model`,
+   add one genuinely different-model pass — [`reference/cross-model.md`](reference/cross-model.md)
+   (informational until the human approves each finding). If sub-agents are unavailable, do the
+   independent rubric pass yourself in a separate read, discarding the authoring reasoning (a
+   flagged fallback, not an independent review).
+7. **STOP.** Report the scope verdict, the per-axis floor, the coverage gaps closed, and the
+   failure-mode criticals; recommend `/rite-build`.
+
+> **Mid-flight discipline.** When tempted to batch-dump findings into `eng-review.md` and skip
+> the walk-through, harden the plan past a finding that actually changes acceptance, score before
+> quoting the source, or wave through a complexity smell "to keep moving" — see
+> [`reference/anti-patterns.md`](reference/anti-patterns.md).
+
+## Output
+
+**Footer first** — render the slice meter + flow ribbon by running the progress footer (`progress.sh`, resolved like the step-0 preamble — canonical snippet in `devrites-lib/SKILL.md`); keep the fact lines below it terse (`key value · key value`). Then:
+```
+Vetted: <slug>
+Depth: light | full (<trigger that escalated it>)
+Scope: reuse <n found> / minimum-diff <ok|trimmed N> / complexity <ok|smell: N files, M new services → asked>
+Axes (floor → verdict):  Architecture <band> · Code-quality <band> · Tests <band> · Performance <band>
+Findings: <Critical n / Important n / Suggestion n>   (suppressed low-confidence: n)
+Coverage: <x/y paths> planned · GAPS closed <n> · regressions flagged <n>  → test-plan.md
+Failure modes: <n> mapped (<n critical: no test + no handling + silent>)
+Parallelization: <n lanes — n parallel / n sequential> | sequential (no opportunity)
+Reviewer loop: <n> iter · cross-model: ran (codex) | off
+Plan: hardened in place | <n> deltas routed via Spec Drift Guard → /rite-plan repair
+Next: /rite-build   (builds the vetted plan)
+↻ Hygiene: /clear before /rite-build (eng-review.md + test-plan.md + plan edits + decisions.md captured). See rules/context-hygiene.md.
+```
+**DO NOT write code, slice, or run the build here** — that's `/rite-build`. Vet reviews and hardens the plan; it never implements.

package/pack/.claude/skills/rite-vet/reference/anti-patterns.md

@@ -0,0 +1,29 @@
+# /rite-vet — anti-patterns
+
+Universal rationalizations + red flags live in
+[`../../../rules/anti-patterns.md`](../../../rules/anti-patterns.md) — read it when the
+reluctance is broader than this phase. Below are the vet-specific ones.
+
+## Phase rationalizations
+
+| Excuse | Rebuttal |
+|---|---|
+| "I'll write all the findings into `eng-review.md` and let the user read it." | The artifact is the *output* of an interactive review, not a substitute for it. A material finding's path to "done" goes **through `AskUserQuestion`**, one at a time, with a recommendation + why. Dumping findings into one write and moving on is the exact failure this skill exists to prevent. |
+| "The plan doesn't handle X — flag it." (without checking) | Quote the line first. If you can't quote where the plan handles X, you also can't be sure it doesn't — force confidence ≤4 and suppress. The "field/case doesn't exist" finding is the most common false positive; the verification gate exists to kill it. |
+| "It's an obvious fix — I'll just edit the plan." | An obvious *plan refinement* (a test requirement, an error path, tighter scope) you write directly — that's vet's job. A fix that **changes an acceptance criterion or product behavior** is not obvious enough to skip the human: route it through the Spec Drift Guard with a recorded decision. |
+| "This dimension is thin but the others are strong — net it's fine." | The gate is the **floor**, not the average. A plan `broken` on test-coverage does not pass because it's `strong` on architecture. |
+| "I can see it's adequate — I'll note the band, the evidence is obvious." | Cite the quoted evidence **before** the band. Score-first-justify-later is how a reviewer waves through a plan it already likes. |
+| "8+ files but it all needs to change — proceed." | The complexity smell is a **STOP-and-ask**, not a note. Name the overbuilt part, propose the smaller version that still meets acceptance, and let the human decide before any axis runs. Maybe it's justified — record *why* — but the gate fires first. |
+| "There's no test for this, but the user can add one later." | Coverage is designed **now**, before the code, so the build writes tests alongside it. A deferred test is a test that misses the boundary cases writing-it-now would expose. Regressions are non-negotiable — Critical, no question. |
+| "Performance looks fine." | "Looks fine" is not a measurement. A perf finding is "measure X against budget Y" or it's nothing — don't recommend speculative tuning, and don't wave past an N+1 you can quote. |
+| "Cross-model agrees, so apply it." | Cross-model consensus is a strong *signal*, not an approval. Every cross-model finding is informational until the human approves it (or, in AFK, until the gate ceiling clears a hardening-only change). |
+
+## Red flags
+- `eng-review.md` / `test-plan.md` written but `plan.md` / `tasks.md` **not** hardened — the build
+  follows the plan, so the review changed nothing.
+- A finding raised with confidence ≥7 but **no quoted source line** — that defeats the verification gate.
+- A scope-growing finding auto-applied in AFK (it must pause), or any irreversible-risk touch that didn't pause.
+- A failure-mode table with rows but no verdict column filled — a "no test + no handling + silent" row not marked Critical.
+- The reviewer loop running past 3 iterations, or the reviewer / cross-model being handed the author's reasoning (defeats the fresh-context point).
+- The skill writing code, implementing a slice, or running the build — that's `/rite-build`. Vet reviews and hardens the plan; it never implements.
+- Re-litigating the **spec's** scope/ambition — that was `/rite-temper`. Vet challenges *implementation* scope only.

package/pack/.claude/skills/rite-vet/reference/artifacts.md

@@ -0,0 +1,135 @@
+# `eng-review.md` + `test-plan.md` templates + fold-back rules
+
+`/rite-vet` produces two artifacts and a set of fold-back edits. `eng-review.md` is the durable
+**record** of the review; `test-plan.md` is the build-readable **coverage target**; the
+fold-back edits to `plan.md` / `tasks.md` are what the build actually follows. The record
+without the fold-back is dead prose — the build reads `plan.md` + `test-plan.md`, not `eng-review.md`.
+
+## `eng-review.md` — the record
+Write to `.devrites/work/<slug>/eng-review.md`. If one exists for the slug, **update** it, don't
+clobber.
+
+```markdown
+# Eng review: <slug>
+Vetted: <iso>   Cross-model: ran (codex) | off
+
+## 1. Depth
+light | full (<trigger that escalated it>)     # every plan is vetted — light or full, never skipped (see depth.md)
+
+## 2. Scope challenge
+- What already exists (reuse vs rebuild): <findings — each reuse the plan should adopt>
+- Minimum diff: scope accepted as-is | trimmed <n items, listed in NOT-in-scope>
+- Complexity: ok | smell (<n files, m new services) → asked → <reduce|proceed, why>
+- Built-in / completeness / distribution: <flags, with source citations>
+
+## 3. Axis findings (floor-gated)
+| Axis | Floor band | Findings (sev · confidence) |
+|---|---|---|
+| Architecture | strong/adequate/thin/broken | [Critical](9) … |
+| Plan code-quality | … | … |
+| Test-coverage design | … | see test-plan.md |
+| Performance | … | … |
+Suppressed (confidence ≤4, unverified): <count — one line each>
+
+## 4. Failure modes
+| New codepath | Realistic failure | Test? | Handling? | Silent? | Verdict |
+|---|---|---|---|---|---|
+| <path> | timeout / nil / race / stale | y/n | y/n | y/n | ok / **CRITICAL gap** |
+
+## 5. Parallelization
+Sequential — no opportunity   # OR the dependency table + lanes + order + conflict flags
+
+## 6. Reviewer loop
+- iter 1: <findings → resolution> · iter 2: … (≤3)
+- Cross-model (if --cross-model): <overlap / unique findings — informational until approved>
+- Final: floor = <band>; unresolved → <none | blocking qid>
+
+## 7. Completion summary
+- Scope: accepted | reduced   · Architecture: <n>   · Code-quality: <n>
+- Coverage: <x/y> planned, <n> gaps, <n> regressions (Critical)
+- Failure modes: <n> mapped, <n> critical gaps
+- NOT in scope: written   · What already exists: written
+- Plan: hardened in place | <n> deltas via Spec Drift Guard
+```
+
+## `test-plan.md` — the build-readable coverage target
+Write to `.devrites/work/<slug>/test-plan.md`. `/rite-build` (the slice-wright) reads it to write
+tests alongside the code; `/rite-prove` walks it against `evidence.md`. Keep it about *what to
+test and where*, not implementation detail.
+
+```markdown
+# Test plan: <slug>
+From /rite-vet on <iso>. Runner + conventions: <detected framework + command>.
+
+## Coverage diagram
+<the ASCII code-paths + user-flows diagram from review-axes.md, with COVERAGE / GAPS / REGRESSIONS line>
+
+## Per-gap test requirements
+| ID | Path / flow | Test file (match conventions) | Asserts (input → expected) | Kind | Slice | Priority |
+|---|---|---|---|---|---|---|
+| T1 | <path> | <path/to.test> | <empty list → 200 + []> | unit / E2E / eval | <slice> | P1 / **Regression-Critical** |
+
+## Interaction inventory (UI slices — every element + flow gets an asserting test)
+Enumerate every interactive element and user flow the feature exposes; one row each, none
+skipped. Level per `testing.md` "Completeness": elements/fields → unit/component, critical
+journeys → one E2E (never one-per-field). `/rite-build` must cover every row; `/rite-prove`
+fails any row with no passing result — an unverified element is a NO-GO, like an unproven criterion.
+```markdown
+| Element / flow | Kind (field/checkbox/select/radio/toggle/button/link/flow) | Level | Test file | Asserts (action → expected) |
+|---|---|---|---|---|
+| email field   | field    | unit      | <form.test>  | invalid → error shown; valid → accepted |
+| 'remember me' | checkbox | unit      | <form.test>  | toggles the persisted flag |
+| country       | select   | unit      | <form.test>  | options load; change fires handler |
+| submit        | button   | component | <form.test>  | disabled until valid; click → submits once |
+| login         | flow ★★★ | E2E       | <login.e2e>  | enter → submit → lands on dashboard |
+```
+Omit the whole section only for a slice with **no** interactive surface (pure backend/logic).
+
+## Acceptance → test map
+- <spec acceptance criterion> → <T1, T3>   # every criterion maps to ≥1 test
+```
+
+## Parallelization table (in `eng-review.md` §5 when there's an opportunity)
+```markdown
+| Step / workstream | Modules touched (dir-level) | Depends on |
+|---|---|---|
+| API endpoints | controllers/, serializers/ | — |
+| Worker | jobs/, lib/queue/ | API endpoints |
+
+Lanes:  A: API → Worker (sequential, shared lib/)   ·   B: migration (independent)
+Order:  launch A + B in parallel worktrees → merge → C
+Conflicts: Lanes A and B both touch models/ — sequential or coordinate.
+```
+
+## Fold-back — the part the build follows
+Vet *is* the plan-hardening phase, so behavior-preserving refinements are written **directly**;
+acceptance/behavior changes route through the **Spec Drift Guard**.
+
+- **Write directly into `plan.md` / `tasks.md`** (single canonical writer — you, not the reviewer):
+  - `plan.md` §Scope boundaries ← "NOT in scope" items.
+  - `plan.md` §Architecture decisions ← reuse-over-rebuild calls + named failure scenarios.
+  - `plan.md` §Dependency graph / §Implementation order ← the parallel lanes + any ordering fix
+    (e.g. refactor-before-feature split).
+  - `plan.md` §Complexity & deviations gate ← any deviation the §0 challenge surfaced + its justification.
+  - `tasks.md` slices ← added test requirements (point at `test-plan.md`), added error-handling /
+    failure-mode coverage, tightened slice scope, a split of a refactor+behavior slice into two.
+    Adjust a slice's `Gate:` upward when vet reveals higher stakes (e.g. an unflagged migration).
+  - Re-run the `plan.md` Readiness gate after edits; it must still pass.
+- **Route through the Spec Drift Guard** (record `drift.md` + a recorded decision, then `/rite-plan
+  repair` for any structural reslice) for anything that **changes an acceptance criterion, product
+  behavior, or the spec** — including a scope reduction that drops a criterion. A folded change with
+  no recorded decision is the batch-dump failure.
+- **`decisions.md`** — one ADR per material call: `context · decision · why-not-the-alternative ·
+  what-would-change-it`.
+- **`assumptions.md`** — every "we'll probably need X" demoted to an explicit assumption-to-verify,
+  never smuggled into scope as a fact.
+
+## Write discipline
+- **Single canonical writer.** The skill writes `eng-review.md` / `test-plan.md` and edits
+  `plan.md` / `tasks.md`; `devrites-plan-reviewer` is **read-only** and only returns findings + bands.
+- **No silent scope.** A plan refinement that grows acceptance without a recorded decision, or a
+  deferral that drops a criterion without the Guard, is a defect — not a convenience.
+- Add `eng-review.md` + `test-plan.md` to the workspace between `tasks.md` and `state.md`.
+  `/rite-build` (the slice-wright) and `/rite-prove` **read `test-plan.md`** as the coverage
+  target; `/rite-review` and `/rite-seal` may consult `eng-review.md` for the failure-mode +
+  scope record.

package/pack/.claude/skills/rite-vet/reference/cross-model.md

@@ -0,0 +1,41 @@
+# `--cross-model` — the outside voice (a genuinely different model)
+
+`devrites-plan-reviewer` gives an *independent* read (fresh context, no authoring reasoning) —
+but it's still the same model family. `--cross-model` adds a second opinion from a **different**
+AI system, because two models agreeing on a plan is stronger signal than one model reviewing it
+thoroughly. It is **opt-in** for `/rite-vet` (the flag) and **off by default in
+`/rite-autocomplete`** unless the flag was armed — it costs latency and a second runtime.
+
+## When it runs
+Only when `$ARGUMENTS` contains `--cross-model` **and** a different-model reviewer is available.
+The default path (no flag) relies on `devrites-plan-reviewer` for independence — that is a
+complete review on its own; cross-model is an enhancement, not a requirement.
+
+## Dispatch
+After the in-model reviewer loop converges (or in parallel with its final iteration), hand the
+**same fresh inputs** to a different model — preferentially the `codex:codex-rescue` agent (it
+runs Codex through the shared runtime). Give it only the contract, never the authoring reasoning:
+
+> Independent engineering review of a defined implementation plan, before any code.
+> Read only `.devrites/work/<slug>/plan.md`, `tasks.md`, and `spec.md`. Judge: architecture &
+> boundaries, scope discipline & reuse, test-coverage design, performance, reversibility, and
+> failure-mode coverage. For every finding, quote the line that motivates it and give a 1-10
+> confidence; suppress anything you can't quote. Return labeled findings (Critical / Important /
+> Suggestion) with a concrete fix. Do not edit anything. Do not approve — find what will cost a redo.
+
+If the agent / runtime is unavailable, **skip and say so** in `eng-review.md` ("cross-model:
+requested but unavailable — in-model review only"); do not block on it and do not silently treat
+the absence as a pass.
+
+## Integration rule (the important one)
+Cross-model findings are **informational until the human approves each one** — even when you
+agree with them, even when they overlap the in-model reviewer. Cross-model **consensus** is a
+strong signal: surface it as such ("both reviewers flagged Slice 3's missing timeout test"), but
+the human still makes the call via `AskUserQuestion`. In AFK, the same gate ceiling applies:
+a cross-model finding that *hardens* the plan auto-applies and is recorded; one that *grows
+scope* or changes acceptance is a blocking pause.
+
+## Recording
+In `eng-review.md` §6, note: which model ran, the overlap with the in-model reviewer (consensus
+findings), and any **unique** findings the outside voice caught that the in-model pass missed —
+those are the highest-value output of running it at all.

package/pack/.claude/skills/rite-vet/reference/depth.md

@@ -0,0 +1,53 @@
+# Depth calibration — always vet, scale the rigor (never skip)
+
+`/rite-vet` runs on **every** plan — every feature deserves a correct engineering plan, not
+just the big ones. What changes with stakes is the *depth*, never *whether* it runs: a simple,
+reversible plan gets a fast **light pass**; a big or risky one gets the **full pass**. There is
+no skip. This shared definition is used by both the standalone `/rite-vet` and the always-run
+`/rite-autocomplete` step, so they agree on how deep to go.
+
+A four-section deep-dive on a one-file reversible plan is wasteful; rubber-stamping a
+migration-touching plan is dangerous. Match the effort to the stakes — but **always** leave a
+recorded engineering verdict and a coverage plan.
+
+## Full pass when ANY trips
+- **Irreversible-risk contact** — the plan touches anything on the `afk-hitl.md` irreversible-risk
+  list: destructive data migration, auth/authz boundary, public-API break, external-service
+  contract, filesystem destruction outside the workspace.
+- **Data model** — new/changed entities, relationships, or persistence shape.
+- **Cross-module blast radius** — the impact (from a code-intelligence index if available — see
+  `../../../rules/tooling.md` — or an honest estimate) crosses
+  module/service boundaries or has many dependents.
+- **Complexity** — `plan.md` touches **>8 files** or adds **>2 new services/modules/classes**.
+- **Multi-slice / multi-day**, or a new dependency / pattern / second design system.
+- **The user asked**, or `--full`.
+
+Full pass = §0 scope challenge + all four axes (each walked finding-by-finding) + the failure-mode
+table + parallelization + the reviewer loop. See [`review-axes.md`](review-axes.md).
+
+## Light pass otherwise (the default for simple plans — still never a skip)
+When none of the full-pass triggers fire, run the **light pass**: a fast but real engineering
+check that still leaves a verdict and a coverage plan. In a handful of lines:
+- **§0 scope challenge, in brief** — confirm minimum diff + reuse (one line each); if a complexity
+  smell or missed reuse appears, escalate that to the full treatment.
+- **One-line scan per axis** (architecture / plan code-quality / test-coverage / performance) —
+  "No issues" is a valid result, but you must look and say so per axis, not assume.
+- **Always** produce the acceptance→test map + any regression-Criticals in `test-plan.md`. This is
+  the part that makes "a correct engineering plan for *everything*" real — it never downgrades,
+  light or full.
+- Write the short `eng-review.md` (`Depth: light`) and harden `tasks.md` with the test requirements.
+
+A light-pass finding that turns out to be real **escalates that axis to full treatment** (walk it
+with the human, confidence-banded). Light means *less ceremony*, never *less honesty*.
+
+## In `/rite-autocomplete`
+Autocomplete runs `/rite-vet` after `/rite-define` on **every** feature — light or full per the
+triggers above, **never skipped**. Under the AFK gate ceiling:
+- **Auto-apply (no pause):** hardening findings — added test requirements, error-handling /
+  failure-mode coverage, tightened scope, reuse-over-rebuild, dependency-order / parallel-lane fixes
+  (these never grow acceptance). Record the rationale in `decisions.md`.
+- **Blocking pause:** any finding that **grows scope, adds a slice, changes an acceptance
+  criterion, or alters product behavior**.
+- **Always pause:** irreversible-risk findings, and any axis still below bar after the
+  ≤3-iteration reviewer loop.
+- **Cross-model** is off by default; it runs only if `--cross-model` was explicitly armed.

package/pack/.claude/skills/rite-vet/reference/eng-lenses.md

@@ -0,0 +1,48 @@
+# Senior-engineer lenses — how to *see* the findings
+
+These are not extra checklist items. They are the instincts an experienced staff engineer
+applies while reading a plan — the pattern recognition that separates "read the plan" from
+"caught the landmine". Apply them across all four axes in [`review-axes.md`](review-axes.md):
+each lens turns a vague unease into a concrete, quotable finding.
+
+## The lenses
+
+1. **Boring by default.** A team gets a few innovation tokens; everything else should be proven
+   technology. When the plan introduces something novel (a new datastore, a hand-rolled queue, a
+   bespoke pattern), ask whether this is a wise token to spend or whether a boring built-in does
+   it. → Architecture / Scope axes.
+2. **Blast radius.** For every decision: what's the worst case, and how many systems / callers /
+   users does it touch? A change with wide blast radius and no rollback is a different risk class
+   than a leaf change. → Architecture / Reversibility.
+3. **Reversibility preference.** Prefer the choice that's cheap to undo — feature flag, additive
+   migration, incremental rollout — over the one that's right only if you're right the first time.
+   Make the cost of being wrong low. → Architecture / Reversibility.
+4. **Incremental over revolutionary.** Strangler-fig, not big-bang rewrite; refactor first, then
+   change behavior — never both in one slice. If the plan does a structural rewrite and a behavior
+   change together, split them. → Plan code-quality / slice shape.
+5. **Systems over heroes.** Design for a tired engineer at 3am, not your sharpest engineer on
+   their best day. A plan that only works if every step is done perfectly is fragile. Favor
+   guard rails, explicit errors, and obvious failure paths. → Code-quality / Failure modes.
+6. **Essential vs accidental complexity.** Before anything the plan adds, ask Brooks's question:
+   is this solving a real problem, or one we created? Accidental complexity is the cheapest thing
+   to cut. → Scope / Code-quality.
+7. **Make the change easy, then make the easy change.** If a slice is hard because the surrounding
+   structure fights it, the first move is a (separate, behavior-preserving) refactor — call it out
+   so the plan sequences it before the feature work, not tangled into it. → Plan code-quality.
+8. **Failure is information.** Every new codepath fails *somehow* in production — timeout, nil,
+   race, stale data, partial write. The plan should name the failure and decide: test it, handle
+   it, or accept it loudly (never silently). → Failure-mode coverage.
+9. **DX is product quality.** Slow CI, painful local dev, untestable seams → worse software over
+   time. If the plan makes the code harder to test or run locally, that's a real finding, not a nit.
+   → Test-coverage / Code-quality.
+10. **Trust boundary discipline.** Every untrusted input crosses an explicit validation + authz
+    boundary before it reaches trusted core logic. A plan that lets a value skip the boundary is a
+    security finding even pre-code. → Architecture / Security seam.
+
+## Using them
+- A lens is a *prompt*, not a verdict. It turns "something's off here" into a finding you can
+  quote and band. If a lens fires, follow it to the specific plan line, then run it through the
+  confidence + verification gate.
+- Don't recite the lenses in the output — recite the *findings* they produced.
+- When a plan is genuinely clean against a lens, that's worth one line of evidence ("Reversibility:
+  additive migration + flag — strong"), not silence; it shows the lens was applied.