eai-cli 0.0.0-bootstrap.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (690) hide show
  1. package/LICENSE +183 -0
  2. package/NOTICE +4 -0
  3. package/README.md +14 -0
  4. package/dist/commands/agent.d.ts +3 -0
  5. package/dist/commands/agent.d.ts.map +1 -0
  6. package/dist/commands/agent.js +69 -0
  7. package/dist/commands/agent.js.map +1 -0
  8. package/dist/commands/blocks.d.ts +3 -0
  9. package/dist/commands/blocks.d.ts.map +1 -0
  10. package/dist/commands/blocks.js +249 -0
  11. package/dist/commands/blocks.js.map +1 -0
  12. package/dist/commands/chat.d.ts +6 -0
  13. package/dist/commands/chat.d.ts.map +1 -0
  14. package/dist/commands/chat.js +105 -0
  15. package/dist/commands/chat.js.map +1 -0
  16. package/dist/commands/deploy.d.ts +36 -0
  17. package/dist/commands/deploy.d.ts.map +1 -0
  18. package/dist/commands/deploy.js +712 -0
  19. package/dist/commands/deploy.js.map +1 -0
  20. package/dist/commands/dev.d.ts +15 -0
  21. package/dist/commands/dev.d.ts.map +1 -0
  22. package/dist/commands/dev.js +133 -0
  23. package/dist/commands/dev.js.map +1 -0
  24. package/dist/commands/docs.d.ts +6 -0
  25. package/dist/commands/docs.d.ts.map +1 -0
  26. package/dist/commands/docs.js +118 -0
  27. package/dist/commands/docs.js.map +1 -0
  28. package/dist/commands/env.d.ts +10 -0
  29. package/dist/commands/env.d.ts.map +1 -0
  30. package/dist/commands/env.js +200 -0
  31. package/dist/commands/env.js.map +1 -0
  32. package/dist/commands/errors.d.ts +3 -0
  33. package/dist/commands/errors.d.ts.map +1 -0
  34. package/dist/commands/errors.js +72 -0
  35. package/dist/commands/errors.js.map +1 -0
  36. package/dist/commands/gofer.d.ts +3 -0
  37. package/dist/commands/gofer.d.ts.map +1 -0
  38. package/dist/commands/gofer.js +134 -0
  39. package/dist/commands/gofer.js.map +1 -0
  40. package/dist/commands/init.d.ts +14 -0
  41. package/dist/commands/init.d.ts.map +1 -0
  42. package/dist/commands/init.js +1437 -0
  43. package/dist/commands/init.js.map +1 -0
  44. package/dist/commands/login.d.ts +7 -0
  45. package/dist/commands/login.d.ts.map +1 -0
  46. package/dist/commands/login.js +117 -0
  47. package/dist/commands/login.js.map +1 -0
  48. package/dist/commands/provision.d.ts +6 -0
  49. package/dist/commands/provision.d.ts.map +1 -0
  50. package/dist/commands/provision.js +855 -0
  51. package/dist/commands/provision.js.map +1 -0
  52. package/dist/commands/publicapi.d.ts +6 -0
  53. package/dist/commands/publicapi.d.ts.map +1 -0
  54. package/dist/commands/publicapi.js +184 -0
  55. package/dist/commands/publicapi.js.map +1 -0
  56. package/dist/commands/resources.d.ts +38 -0
  57. package/dist/commands/resources.d.ts.map +1 -0
  58. package/dist/commands/resources.js +1010 -0
  59. package/dist/commands/resources.js.map +1 -0
  60. package/dist/commands/runtime.d.ts +3 -0
  61. package/dist/commands/runtime.d.ts.map +1 -0
  62. package/dist/commands/runtime.js +78 -0
  63. package/dist/commands/runtime.js.map +1 -0
  64. package/dist/commands/template.d.ts +3 -0
  65. package/dist/commands/template.d.ts.map +1 -0
  66. package/dist/commands/template.js +365 -0
  67. package/dist/commands/template.js.map +1 -0
  68. package/dist/commands/tenant.d.ts +45 -0
  69. package/dist/commands/tenant.d.ts.map +1 -0
  70. package/dist/commands/tenant.js +1036 -0
  71. package/dist/commands/tenant.js.map +1 -0
  72. package/dist/commands/types.d.ts +130 -0
  73. package/dist/commands/types.d.ts.map +1 -0
  74. package/dist/commands/types.js +1636 -0
  75. package/dist/commands/types.js.map +1 -0
  76. package/dist/commands/update.d.ts +13 -0
  77. package/dist/commands/update.d.ts.map +1 -0
  78. package/dist/commands/update.js +163 -0
  79. package/dist/commands/update.js.map +1 -0
  80. package/dist/commands/user.d.ts +6 -0
  81. package/dist/commands/user.d.ts.map +1 -0
  82. package/dist/commands/user.js +359 -0
  83. package/dist/commands/user.js.map +1 -0
  84. package/dist/commands/verify.d.ts +40 -0
  85. package/dist/commands/verify.d.ts.map +1 -0
  86. package/dist/commands/verify.js +1442 -0
  87. package/dist/commands/verify.js.map +1 -0
  88. package/dist/commands/vertical.d.ts +24 -0
  89. package/dist/commands/vertical.d.ts.map +1 -0
  90. package/dist/commands/vertical.js +301 -0
  91. package/dist/commands/vertical.js.map +1 -0
  92. package/dist/commands/whoami.d.ts +6 -0
  93. package/dist/commands/whoami.d.ts.map +1 -0
  94. package/dist/commands/whoami.js +73 -0
  95. package/dist/commands/whoami.js.map +1 -0
  96. package/dist/commands/workflow.d.ts +6 -0
  97. package/dist/commands/workflow.d.ts.map +1 -0
  98. package/dist/commands/workflow.js +400 -0
  99. package/dist/commands/workflow.js.map +1 -0
  100. package/dist/index.d.ts +10 -0
  101. package/dist/index.d.ts.map +1 -0
  102. package/dist/index.js +272 -0
  103. package/dist/index.js.map +1 -0
  104. package/dist/lib/agent-guide.d.ts +24 -0
  105. package/dist/lib/agent-guide.d.ts.map +1 -0
  106. package/dist/lib/agent-guide.js +155 -0
  107. package/dist/lib/agent-guide.js.map +1 -0
  108. package/dist/lib/api.d.ts +338 -0
  109. package/dist/lib/api.d.ts.map +1 -0
  110. package/dist/lib/api.js +991 -0
  111. package/dist/lib/api.js.map +1 -0
  112. package/dist/lib/auth.d.ts +65 -0
  113. package/dist/lib/auth.d.ts.map +1 -0
  114. package/dist/lib/auth.js +592 -0
  115. package/dist/lib/auth.js.map +1 -0
  116. package/dist/lib/azure-cli.d.ts +6 -0
  117. package/dist/lib/azure-cli.d.ts.map +1 -0
  118. package/dist/lib/azure-cli.js +13 -0
  119. package/dist/lib/azure-cli.js.map +1 -0
  120. package/dist/lib/block-catalog-normalize.d.ts +47 -0
  121. package/dist/lib/block-catalog-normalize.d.ts.map +1 -0
  122. package/dist/lib/block-catalog-normalize.js +355 -0
  123. package/dist/lib/block-catalog-normalize.js.map +1 -0
  124. package/dist/lib/block-catalog-types.d.ts +111 -0
  125. package/dist/lib/block-catalog-types.d.ts.map +1 -0
  126. package/dist/lib/block-catalog-types.js +41 -0
  127. package/dist/lib/block-catalog-types.js.map +1 -0
  128. package/dist/lib/block-catalog-utils.d.ts +7 -0
  129. package/dist/lib/block-catalog-utils.d.ts.map +1 -0
  130. package/dist/lib/block-catalog-utils.js +47 -0
  131. package/dist/lib/block-catalog-utils.js.map +1 -0
  132. package/dist/lib/block-catalog-validation.d.ts +5 -0
  133. package/dist/lib/block-catalog-validation.d.ts.map +1 -0
  134. package/dist/lib/block-catalog-validation.js +112 -0
  135. package/dist/lib/block-catalog-validation.js.map +1 -0
  136. package/dist/lib/block-catalog.d.ts +3 -0
  137. package/dist/lib/block-catalog.d.ts.map +1 -0
  138. package/dist/lib/block-catalog.js +284 -0
  139. package/dist/lib/block-catalog.js.map +1 -0
  140. package/dist/lib/cloud-env.d.ts +25 -0
  141. package/dist/lib/cloud-env.d.ts.map +1 -0
  142. package/dist/lib/cloud-env.js +79 -0
  143. package/dist/lib/cloud-env.js.map +1 -0
  144. package/dist/lib/config.d.ts +116 -0
  145. package/dist/lib/config.d.ts.map +1 -0
  146. package/dist/lib/config.js +195 -0
  147. package/dist/lib/config.js.map +1 -0
  148. package/dist/lib/context.d.ts +43 -0
  149. package/dist/lib/context.d.ts.map +1 -0
  150. package/dist/lib/context.js +68 -0
  151. package/dist/lib/context.js.map +1 -0
  152. package/dist/lib/error-codes.d.ts +56 -0
  153. package/dist/lib/error-codes.d.ts.map +1 -0
  154. package/dist/lib/error-codes.js +211 -0
  155. package/dist/lib/error-codes.js.map +1 -0
  156. package/dist/lib/error-guidance/catalog.d.ts +648 -0
  157. package/dist/lib/error-guidance/catalog.d.ts.map +1 -0
  158. package/dist/lib/error-guidance/catalog.js +940 -0
  159. package/dist/lib/error-guidance/catalog.js.map +1 -0
  160. package/dist/lib/error-guidance/match.d.ts +3 -0
  161. package/dist/lib/error-guidance/match.d.ts.map +1 -0
  162. package/dist/lib/error-guidance/match.js +46 -0
  163. package/dist/lib/error-guidance/match.js.map +1 -0
  164. package/dist/lib/error-guidance/render.d.ts +5 -0
  165. package/dist/lib/error-guidance/render.d.ts.map +1 -0
  166. package/dist/lib/error-guidance/render.js +92 -0
  167. package/dist/lib/error-guidance/render.js.map +1 -0
  168. package/dist/lib/error-guidance/types.d.ts +76 -0
  169. package/dist/lib/error-guidance/types.d.ts.map +1 -0
  170. package/dist/lib/error-guidance/types.js +2 -0
  171. package/dist/lib/error-guidance/types.js.map +1 -0
  172. package/dist/lib/error-guidance/validate.d.ts +3 -0
  173. package/dist/lib/error-guidance/validate.d.ts.map +1 -0
  174. package/dist/lib/error-guidance/validate.js +59 -0
  175. package/dist/lib/error-guidance/validate.js.map +1 -0
  176. package/dist/lib/gofer-installer.d.ts +32 -0
  177. package/dist/lib/gofer-installer.d.ts.map +1 -0
  178. package/dist/lib/gofer-installer.js +589 -0
  179. package/dist/lib/gofer-installer.js.map +1 -0
  180. package/dist/lib/gofer-refresh.d.ts +46 -0
  181. package/dist/lib/gofer-refresh.d.ts.map +1 -0
  182. package/dist/lib/gofer-refresh.js +536 -0
  183. package/dist/lib/gofer-refresh.js.map +1 -0
  184. package/dist/lib/next-route-exports.d.ts +6 -0
  185. package/dist/lib/next-route-exports.d.ts.map +1 -0
  186. package/dist/lib/next-route-exports.js +127 -0
  187. package/dist/lib/next-route-exports.js.map +1 -0
  188. package/dist/lib/npm.d.ts +2 -0
  189. package/dist/lib/npm.d.ts.map +1 -0
  190. package/dist/lib/npm.js +4 -0
  191. package/dist/lib/npm.js.map +1 -0
  192. package/dist/lib/object-type-defaults.d.ts +4 -0
  193. package/dist/lib/object-type-defaults.d.ts.map +1 -0
  194. package/dist/lib/object-type-defaults.js +72 -0
  195. package/dist/lib/object-type-defaults.js.map +1 -0
  196. package/dist/lib/output.d.ts +35 -0
  197. package/dist/lib/output.d.ts.map +1 -0
  198. package/dist/lib/output.js +166 -0
  199. package/dist/lib/output.js.map +1 -0
  200. package/dist/lib/profile.d.ts +52 -0
  201. package/dist/lib/profile.d.ts.map +1 -0
  202. package/dist/lib/profile.js +116 -0
  203. package/dist/lib/profile.js.map +1 -0
  204. package/dist/lib/project-manifest.d.ts +42 -0
  205. package/dist/lib/project-manifest.d.ts.map +1 -0
  206. package/dist/lib/project-manifest.js +191 -0
  207. package/dist/lib/project-manifest.js.map +1 -0
  208. package/dist/lib/resourceapi-bundle.d.ts +33 -0
  209. package/dist/lib/resourceapi-bundle.d.ts.map +1 -0
  210. package/dist/lib/resourceapi-bundle.js +79 -0
  211. package/dist/lib/resourceapi-bundle.js.map +1 -0
  212. package/dist/lib/runtime-contract.d.ts +84 -0
  213. package/dist/lib/runtime-contract.d.ts.map +1 -0
  214. package/dist/lib/runtime-contract.js +318 -0
  215. package/dist/lib/runtime-contract.js.map +1 -0
  216. package/dist/lib/schema-builder.d.ts +28 -0
  217. package/dist/lib/schema-builder.d.ts.map +1 -0
  218. package/dist/lib/schema-builder.js +69 -0
  219. package/dist/lib/schema-builder.js.map +1 -0
  220. package/dist/lib/tenant-context.d.ts +127 -0
  221. package/dist/lib/tenant-context.d.ts.map +1 -0
  222. package/dist/lib/tenant-context.js +573 -0
  223. package/dist/lib/tenant-context.js.map +1 -0
  224. package/dist/lib/update-check.d.ts +52 -0
  225. package/dist/lib/update-check.d.ts.map +1 -0
  226. package/dist/lib/update-check.js +271 -0
  227. package/dist/lib/update-check.js.map +1 -0
  228. package/dist/lib/update-maintenance.d.ts +15 -0
  229. package/dist/lib/update-maintenance.d.ts.map +1 -0
  230. package/dist/lib/update-maintenance.js +187 -0
  231. package/dist/lib/update-maintenance.js.map +1 -0
  232. package/dist/lib/utils.d.ts +23 -0
  233. package/dist/lib/utils.d.ts.map +1 -0
  234. package/dist/lib/utils.js +48 -0
  235. package/dist/lib/utils.js.map +1 -0
  236. package/dist/lib/workflow-provisioning.d.ts +54 -0
  237. package/dist/lib/workflow-provisioning.d.ts.map +1 -0
  238. package/dist/lib/workflow-provisioning.js +281 -0
  239. package/dist/lib/workflow-provisioning.js.map +1 -0
  240. package/package.json +51 -0
  241. package/resources/gofer/.gofer-version +7 -0
  242. package/resources/gofer/agents-skills/0_gofer_start/SKILL.md +1287 -0
  243. package/resources/gofer/agents-skills/0a_problem_validation/SKILL.md +429 -0
  244. package/resources/gofer/agents-skills/10_gofer_cloud/SKILL.md +635 -0
  245. package/resources/gofer/agents-skills/1_gofer_research/SKILL.md +1159 -0
  246. package/resources/gofer/agents-skills/2_gofer_specify/SKILL.md +860 -0
  247. package/resources/gofer/agents-skills/3_gofer_plan/SKILL.md +886 -0
  248. package/resources/gofer/agents-skills/4_gofer_tasks/SKILL.md +748 -0
  249. package/resources/gofer/agents-skills/5_gofer_implement/SKILL.md +924 -0
  250. package/resources/gofer/agents-skills/6_gofer_validate/SKILL.md +2269 -0
  251. package/resources/gofer/agents-skills/7_gofer_save/SKILL.md +423 -0
  252. package/resources/gofer/agents-skills/7a_stakeholder_comms/SKILL.md +508 -0
  253. package/resources/gofer/agents-skills/8_gofer_branding/SKILL.md +315 -0
  254. package/resources/gofer/agents-skills/9_gofer_tests/SKILL.md +558 -0
  255. package/resources/gofer/agents-skills/gofer_bootstrap_workspace/SKILL.md +148 -0
  256. package/resources/gofer/agents-skills/gofer_check_workspace/SKILL.md +119 -0
  257. package/resources/gofer/agents-skills/gofer_constitution/SKILL.md +612 -0
  258. package/resources/gofer/agents-skills/gofer_diagnose/SKILL.md +114 -0
  259. package/resources/gofer/agents-skills/gofer_eai_first_run/SKILL.md +397 -0
  260. package/resources/gofer/agents-skills/gofer_hydrate/SKILL.md +561 -0
  261. package/resources/gofer/agents-skills/gofer_personality/SKILL.md +44 -0
  262. package/resources/gofer/agents-skills/gofer_plan/SKILL.md +40 -0
  263. package/resources/gofer/agents-skills/gofer_side/SKILL.md +45 -0
  264. package/resources/gofer/agents-skills/gofer_spec_summary/SKILL.md +112 -0
  265. package/resources/gofer/agents-skills/gofer_tdd/SKILL.md +112 -0
  266. package/resources/gofer/agents-skills/gofer_vocabulary/SKILL.md +112 -0
  267. package/resources/gofer/agents-skills/gofer_zoom_out/SKILL.md +112 -0
  268. package/resources/gofer/bash-scripts/check-context-health.sh +365 -0
  269. package/resources/gofer/bash-scripts/check-persona-pack.sh +81 -0
  270. package/resources/gofer/bash-scripts/check-prerequisites.sh +168 -0
  271. package/resources/gofer/bash-scripts/common.sh +192 -0
  272. package/resources/gofer/bash-scripts/create-new-feature.sh +260 -0
  273. package/resources/gofer/bash-scripts/install-optional-tools.sh +270 -0
  274. package/resources/gofer/bash-scripts/log-stage.sh +224 -0
  275. package/resources/gofer/bash-scripts/mark-task-complete.sh +74 -0
  276. package/resources/gofer/bash-scripts/pipeline-state.sh +306 -0
  277. package/resources/gofer/bash-scripts/read-failed-approaches.sh +114 -0
  278. package/resources/gofer/bash-scripts/read-session-memories.sh +96 -0
  279. package/resources/gofer/bash-scripts/save-checkpoint.sh +407 -0
  280. package/resources/gofer/bash-scripts/setup-plan.sh +62 -0
  281. package/resources/gofer/bash-scripts/sync-implementation-status.sh +47 -0
  282. package/resources/gofer/bash-scripts/update-agent-context.sh +772 -0
  283. package/resources/gofer/bash-scripts/validate-artifact.sh +335 -0
  284. package/resources/gofer/bash-scripts/verify-task.sh +384 -0
  285. package/resources/gofer/bash-scripts/write-failed-approach.sh +110 -0
  286. package/resources/gofer/bash-scripts/write-periodic-checkpoint.sh +128 -0
  287. package/resources/gofer/bash-scripts/write-session-memory.sh +118 -0
  288. package/resources/gofer/claude-agents/assumption-tracker.md +168 -0
  289. package/resources/gofer/claude-agents/business-metrics-analyzer.md +169 -0
  290. package/resources/gofer/claude-agents/business-problem-validator.md +168 -0
  291. package/resources/gofer/claude-agents/codebase-analyzer.md +124 -0
  292. package/resources/gofer/claude-agents/codebase-locator.md +95 -0
  293. package/resources/gofer/claude-agents/codebase-pattern-finder.md +180 -0
  294. package/resources/gofer/claude-agents/comms-writer.md +158 -0
  295. package/resources/gofer/claude-agents/engineer-review.md +169 -0
  296. package/resources/gofer/claude-agents/implement-bug-triangulator.md +94 -0
  297. package/resources/gofer/claude-agents/implement-code-review-council.md +89 -0
  298. package/resources/gofer/claude-agents/implement-doc-writer.md +89 -0
  299. package/resources/gofer/claude-agents/implement-error-hardener.md +84 -0
  300. package/resources/gofer/claude-agents/implement-performance-explorer.md +95 -0
  301. package/resources/gofer/claude-agents/implement-test-diversifier.md +82 -0
  302. package/resources/gofer/claude-agents/implement-variant-generator.md +80 -0
  303. package/resources/gofer/claude-agents/multi-perspective-judge.md +114 -0
  304. package/resources/gofer/claude-agents/plan-api-comparator.md +90 -0
  305. package/resources/gofer/claude-agents/plan-architecture-diverger.md +100 -0
  306. package/resources/gofer/claude-agents/plan-data-model-stress-tester.md +95 -0
  307. package/resources/gofer/claude-agents/plan-migration-path-finder.md +95 -0
  308. package/resources/gofer/claude-agents/plan-refactor-rewrite-advisor.md +97 -0
  309. package/resources/gofer/claude-agents/research-dependency-evaluator.md +106 -0
  310. package/resources/gofer/claude-agents/research-horizon-scanner.md +100 -0
  311. package/resources/gofer/claude-agents/research-market-scanner.md +137 -0
  312. package/resources/gofer/claude-agents/research-perspective-multiplier.md +102 -0
  313. package/resources/gofer/claude-agents/scope-creep-detector.md +152 -0
  314. package/resources/gofer/claude-agents/specify-ambiguity-detector.md +95 -0
  315. package/resources/gofer/claude-agents/specify-journey-stress-tester.md +92 -0
  316. package/resources/gofer/claude-agents/tasks-cross-cutting-scanner.md +91 -0
  317. package/resources/gofer/claude-agents/tasks-rollback-planner.md +89 -0
  318. package/resources/gofer/claude-agents/validate-security-red-team.md +102 -0
  319. package/resources/gofer/claude-agents/validation-correctness.md +103 -0
  320. package/resources/gofer/claude-agents/validation-integration.md +129 -0
  321. package/resources/gofer/claude-agents/validation-performance.md +120 -0
  322. package/resources/gofer/claude-agents/validation-security.md +115 -0
  323. package/resources/gofer/claude-agents/validation-standards.md +151 -0
  324. package/resources/gofer/claude-agents/validation-test-quality.md +146 -0
  325. package/resources/gofer/claude-agents/visual-bounded-context-writer.md +40 -0
  326. package/resources/gofer/claude-agents/visual-c4-writer.md +45 -0
  327. package/resources/gofer/claude-agents/visual-erd-writer.md +34 -0
  328. package/resources/gofer/claude-agents/visual-heatmap-writer.md +63 -0
  329. package/resources/gofer/claude-agents/visual-risk-writer.md +64 -0
  330. package/resources/gofer/claude-commands/0_gofer_start.md +1282 -0
  331. package/resources/gofer/claude-commands/0a_problem_validation.md +424 -0
  332. package/resources/gofer/claude-commands/10_gofer_cloud.md +630 -0
  333. package/resources/gofer/claude-commands/1_gofer_research.md +1154 -0
  334. package/resources/gofer/claude-commands/2_gofer_specify.md +855 -0
  335. package/resources/gofer/claude-commands/3_gofer_plan.md +881 -0
  336. package/resources/gofer/claude-commands/4_gofer_tasks.md +743 -0
  337. package/resources/gofer/claude-commands/5_gofer_implement.md +919 -0
  338. package/resources/gofer/claude-commands/6_gofer_validate.md +2264 -0
  339. package/resources/gofer/claude-commands/7_gofer_save.md +418 -0
  340. package/resources/gofer/claude-commands/7a_stakeholder_comms.md +503 -0
  341. package/resources/gofer/claude-commands/8_gofer_branding.md +310 -0
  342. package/resources/gofer/claude-commands/9_gofer_tests.md +553 -0
  343. package/resources/gofer/claude-commands/gofer_bootstrap_workspace.md +143 -0
  344. package/resources/gofer/claude-commands/gofer_check_workspace.md +114 -0
  345. package/resources/gofer/claude-commands/gofer_constitution.md +607 -0
  346. package/resources/gofer/claude-commands/gofer_diagnose.md +109 -0
  347. package/resources/gofer/claude-commands/gofer_eai_first_run.md +392 -0
  348. package/resources/gofer/claude-commands/gofer_hydrate.md +556 -0
  349. package/resources/gofer/claude-commands/gofer_personality.md +39 -0
  350. package/resources/gofer/claude-commands/gofer_plan.md +35 -0
  351. package/resources/gofer/claude-commands/gofer_side.md +40 -0
  352. package/resources/gofer/claude-commands/gofer_spec_summary.md +107 -0
  353. package/resources/gofer/claude-commands/gofer_tdd.md +107 -0
  354. package/resources/gofer/claude-commands/gofer_vocabulary.md +107 -0
  355. package/resources/gofer/claude-commands/gofer_zoom_out.md +107 -0
  356. package/resources/gofer/claude-skills/eai-gofer/SKILL.md +56 -0
  357. package/resources/gofer/commands/.gitkeep +0 -0
  358. package/resources/gofer/commands/0_gofer_start.md +1299 -0
  359. package/resources/gofer/commands/0a_problem_validation.md +405 -0
  360. package/resources/gofer/commands/10_gofer_cloud.md +611 -0
  361. package/resources/gofer/commands/1_gofer_research.md +1135 -0
  362. package/resources/gofer/commands/2_gofer_specify.md +836 -0
  363. package/resources/gofer/commands/3_gofer_plan.md +862 -0
  364. package/resources/gofer/commands/4_gofer_tasks.md +724 -0
  365. package/resources/gofer/commands/5_gofer_implement.md +900 -0
  366. package/resources/gofer/commands/6_gofer_validate.md +2245 -0
  367. package/resources/gofer/commands/7_gofer_save.md +399 -0
  368. package/resources/gofer/commands/7a_stakeholder_comms.md +484 -0
  369. package/resources/gofer/commands/8_gofer_branding.md +291 -0
  370. package/resources/gofer/commands/9_gofer_tests.md +534 -0
  371. package/resources/gofer/commands/gofer_bootstrap_workspace.md +159 -0
  372. package/resources/gofer/commands/gofer_check_workspace.md +130 -0
  373. package/resources/gofer/commands/gofer_constitution.md +588 -0
  374. package/resources/gofer/commands/gofer_diagnose.md +89 -0
  375. package/resources/gofer/commands/gofer_eai_first_run.md +392 -0
  376. package/resources/gofer/commands/gofer_hydrate.md +537 -0
  377. package/resources/gofer/commands/gofer_personality.md +61 -0
  378. package/resources/gofer/commands/gofer_plan.md +51 -0
  379. package/resources/gofer/commands/gofer_side.md +56 -0
  380. package/resources/gofer/commands/gofer_spec_summary.md +87 -0
  381. package/resources/gofer/commands/gofer_tdd.md +87 -0
  382. package/resources/gofer/commands/gofer_vocabulary.md +87 -0
  383. package/resources/gofer/commands/gofer_zoom_out.md +87 -0
  384. package/resources/gofer/copilot-instructions/gofer-cost.instructions.md +13 -0
  385. package/resources/gofer/copilot-instructions/language-server.instructions.md +49 -0
  386. package/resources/gofer/copilot-instructions/typescript.instructions.md +47 -0
  387. package/resources/gofer/copilot-instructions/vscode-extension.instructions.md +46 -0
  388. package/resources/gofer/copilot-prompts/0_gofer_start.prompt.md +1308 -0
  389. package/resources/gofer/copilot-prompts/0a_problem_validation.prompt.md +429 -0
  390. package/resources/gofer/copilot-prompts/10_gofer_cloud.prompt.md +644 -0
  391. package/resources/gofer/copilot-prompts/1_gofer_research.prompt.md +1177 -0
  392. package/resources/gofer/copilot-prompts/2_gofer_specify.prompt.md +878 -0
  393. package/resources/gofer/copilot-prompts/3_gofer_plan.prompt.md +904 -0
  394. package/resources/gofer/copilot-prompts/4_gofer_tasks.prompt.md +766 -0
  395. package/resources/gofer/copilot-prompts/5_gofer_implement.prompt.md +942 -0
  396. package/resources/gofer/copilot-prompts/6_gofer_validate.prompt.md +2277 -0
  397. package/resources/gofer/copilot-prompts/7_gofer_save.prompt.md +433 -0
  398. package/resources/gofer/copilot-prompts/7a_stakeholder_comms.prompt.md +516 -0
  399. package/resources/gofer/copilot-prompts/8_gofer_branding.prompt.md +323 -0
  400. package/resources/gofer/copilot-prompts/9_gofer_tests.prompt.md +566 -0
  401. package/resources/gofer/copilot-prompts/gofer_bootstrap_workspace.prompt.md +161 -0
  402. package/resources/gofer/copilot-prompts/gofer_check_workspace.prompt.md +132 -0
  403. package/resources/gofer/copilot-prompts/gofer_constitution.prompt.md +621 -0
  404. package/resources/gofer/copilot-prompts/gofer_diagnose.prompt.md +127 -0
  405. package/resources/gofer/copilot-prompts/gofer_eai_first_run.prompt.md +410 -0
  406. package/resources/gofer/copilot-prompts/gofer_hydrate.prompt.md +571 -0
  407. package/resources/gofer/copilot-prompts/gofer_personality.prompt.md +57 -0
  408. package/resources/gofer/copilot-prompts/gofer_plan.prompt.md +53 -0
  409. package/resources/gofer/copilot-prompts/gofer_side.prompt.md +58 -0
  410. package/resources/gofer/copilot-prompts/gofer_spec_summary.prompt.md +125 -0
  411. package/resources/gofer/copilot-prompts/gofer_tdd.prompt.md +125 -0
  412. package/resources/gofer/copilot-prompts/gofer_vocabulary.prompt.md +125 -0
  413. package/resources/gofer/copilot-prompts/gofer_zoom_out.prompt.md +125 -0
  414. package/resources/gofer/gemini/agents/assumption-tracker.md +171 -0
  415. package/resources/gofer/gemini/agents/business-metrics-analyzer.md +172 -0
  416. package/resources/gofer/gemini/agents/business-problem-validator.md +171 -0
  417. package/resources/gofer/gemini/agents/codebase-analyzer.md +127 -0
  418. package/resources/gofer/gemini/agents/codebase-locator.md +98 -0
  419. package/resources/gofer/gemini/agents/codebase-pattern-finder.md +183 -0
  420. package/resources/gofer/gemini/agents/comms-writer.md +161 -0
  421. package/resources/gofer/gemini/agents/engineer-review.md +172 -0
  422. package/resources/gofer/gemini/agents/implement-bug-triangulator.md +97 -0
  423. package/resources/gofer/gemini/agents/implement-code-review-council.md +92 -0
  424. package/resources/gofer/gemini/agents/implement-doc-writer.md +92 -0
  425. package/resources/gofer/gemini/agents/implement-error-hardener.md +87 -0
  426. package/resources/gofer/gemini/agents/implement-performance-explorer.md +98 -0
  427. package/resources/gofer/gemini/agents/implement-test-diversifier.md +85 -0
  428. package/resources/gofer/gemini/agents/implement-variant-generator.md +83 -0
  429. package/resources/gofer/gemini/agents/multi-perspective-judge.md +117 -0
  430. package/resources/gofer/gemini/agents/plan-api-comparator.md +93 -0
  431. package/resources/gofer/gemini/agents/plan-architecture-diverger.md +103 -0
  432. package/resources/gofer/gemini/agents/plan-data-model-stress-tester.md +98 -0
  433. package/resources/gofer/gemini/agents/plan-migration-path-finder.md +98 -0
  434. package/resources/gofer/gemini/agents/plan-refactor-rewrite-advisor.md +100 -0
  435. package/resources/gofer/gemini/agents/research-dependency-evaluator.md +109 -0
  436. package/resources/gofer/gemini/agents/research-horizon-scanner.md +103 -0
  437. package/resources/gofer/gemini/agents/research-market-scanner.md +140 -0
  438. package/resources/gofer/gemini/agents/research-perspective-multiplier.md +105 -0
  439. package/resources/gofer/gemini/agents/scope-creep-detector.md +155 -0
  440. package/resources/gofer/gemini/agents/specify-ambiguity-detector.md +98 -0
  441. package/resources/gofer/gemini/agents/specify-journey-stress-tester.md +95 -0
  442. package/resources/gofer/gemini/agents/tasks-cross-cutting-scanner.md +94 -0
  443. package/resources/gofer/gemini/agents/tasks-rollback-planner.md +92 -0
  444. package/resources/gofer/gemini/agents/validate-security-red-team.md +105 -0
  445. package/resources/gofer/gemini/agents/validation-correctness.md +106 -0
  446. package/resources/gofer/gemini/agents/validation-integration.md +132 -0
  447. package/resources/gofer/gemini/agents/validation-performance.md +123 -0
  448. package/resources/gofer/gemini/agents/validation-security.md +118 -0
  449. package/resources/gofer/gemini/agents/validation-standards.md +154 -0
  450. package/resources/gofer/gemini/agents/validation-test-quality.md +149 -0
  451. package/resources/gofer/gemini/agents/visual-bounded-context-writer.md +40 -0
  452. package/resources/gofer/gemini/agents/visual-c4-writer.md +44 -0
  453. package/resources/gofer/gemini/agents/visual-erd-writer.md +36 -0
  454. package/resources/gofer/gemini/agents/visual-heatmap-writer.md +63 -0
  455. package/resources/gofer/gemini/agents/visual-risk-writer.md +64 -0
  456. package/resources/gofer/gemini/commands/gofer/.gitkeep +0 -0
  457. package/resources/gofer/gemini/commands/gofer/0_gofer_start.md +1282 -0
  458. package/resources/gofer/gemini/commands/gofer/0_gofer_start.toml +2 -0
  459. package/resources/gofer/gemini/commands/gofer/0a_problem_validation.md +424 -0
  460. package/resources/gofer/gemini/commands/gofer/0a_problem_validation.toml +2 -0
  461. package/resources/gofer/gemini/commands/gofer/10_gofer_cloud.md +630 -0
  462. package/resources/gofer/gemini/commands/gofer/10_gofer_cloud.toml +2 -0
  463. package/resources/gofer/gemini/commands/gofer/1_gofer_research.md +1154 -0
  464. package/resources/gofer/gemini/commands/gofer/1_gofer_research.toml +2 -0
  465. package/resources/gofer/gemini/commands/gofer/2_gofer_specify.md +855 -0
  466. package/resources/gofer/gemini/commands/gofer/2_gofer_specify.toml +2 -0
  467. package/resources/gofer/gemini/commands/gofer/3_gofer_plan.md +881 -0
  468. package/resources/gofer/gemini/commands/gofer/3_gofer_plan.toml +2 -0
  469. package/resources/gofer/gemini/commands/gofer/4_gofer_tasks.md +743 -0
  470. package/resources/gofer/gemini/commands/gofer/4_gofer_tasks.toml +2 -0
  471. package/resources/gofer/gemini/commands/gofer/5_gofer_implement.md +919 -0
  472. package/resources/gofer/gemini/commands/gofer/5_gofer_implement.toml +2 -0
  473. package/resources/gofer/gemini/commands/gofer/6_gofer_validate.md +2264 -0
  474. package/resources/gofer/gemini/commands/gofer/6_gofer_validate.toml +2 -0
  475. package/resources/gofer/gemini/commands/gofer/7_gofer_save.md +418 -0
  476. package/resources/gofer/gemini/commands/gofer/7_gofer_save.toml +2 -0
  477. package/resources/gofer/gemini/commands/gofer/7a_stakeholder_comms.md +503 -0
  478. package/resources/gofer/gemini/commands/gofer/7a_stakeholder_comms.toml +2 -0
  479. package/resources/gofer/gemini/commands/gofer/8_gofer_branding.md +310 -0
  480. package/resources/gofer/gemini/commands/gofer/8_gofer_branding.toml +2 -0
  481. package/resources/gofer/gemini/commands/gofer/9_gofer_tests.md +553 -0
  482. package/resources/gofer/gemini/commands/gofer/9_gofer_tests.toml +2 -0
  483. package/resources/gofer/gemini/commands/gofer/gofer_bootstrap_workspace.md +143 -0
  484. package/resources/gofer/gemini/commands/gofer/gofer_bootstrap_workspace.toml +2 -0
  485. package/resources/gofer/gemini/commands/gofer/gofer_check_workspace.md +114 -0
  486. package/resources/gofer/gemini/commands/gofer/gofer_check_workspace.toml +2 -0
  487. package/resources/gofer/gemini/commands/gofer/gofer_constitution.md +607 -0
  488. package/resources/gofer/gemini/commands/gofer/gofer_constitution.toml +2 -0
  489. package/resources/gofer/gemini/commands/gofer/gofer_diagnose.md +109 -0
  490. package/resources/gofer/gemini/commands/gofer/gofer_diagnose.toml +2 -0
  491. package/resources/gofer/gemini/commands/gofer/gofer_eai_first_run.md +392 -0
  492. package/resources/gofer/gemini/commands/gofer/gofer_eai_first_run.toml +2 -0
  493. package/resources/gofer/gemini/commands/gofer/gofer_hydrate.md +556 -0
  494. package/resources/gofer/gemini/commands/gofer/gofer_hydrate.toml +2 -0
  495. package/resources/gofer/gemini/commands/gofer/gofer_personality.md +39 -0
  496. package/resources/gofer/gemini/commands/gofer/gofer_personality.toml +2 -0
  497. package/resources/gofer/gemini/commands/gofer/gofer_plan.md +35 -0
  498. package/resources/gofer/gemini/commands/gofer/gofer_plan.toml +2 -0
  499. package/resources/gofer/gemini/commands/gofer/gofer_side.md +40 -0
  500. package/resources/gofer/gemini/commands/gofer/gofer_side.toml +2 -0
  501. package/resources/gofer/gemini/commands/gofer/gofer_spec_summary.md +107 -0
  502. package/resources/gofer/gemini/commands/gofer/gofer_spec_summary.toml +2 -0
  503. package/resources/gofer/gemini/commands/gofer/gofer_tdd.md +107 -0
  504. package/resources/gofer/gemini/commands/gofer/gofer_tdd.toml +2 -0
  505. package/resources/gofer/gemini/commands/gofer/gofer_vocabulary.md +107 -0
  506. package/resources/gofer/gemini/commands/gofer/gofer_vocabulary.toml +2 -0
  507. package/resources/gofer/gemini/commands/gofer/gofer_zoom_out.md +107 -0
  508. package/resources/gofer/gemini/commands/gofer/gofer_zoom_out.toml +2 -0
  509. package/resources/gofer/gemini/commands/gofer/manifest.json +32 -0
  510. package/resources/gofer/gemini/extension.json +16 -0
  511. package/resources/gofer/github-agents/gofer-business.agent.md +20 -0
  512. package/resources/gofer/github-agents/gofer-implement.agent.md +15 -0
  513. package/resources/gofer/github-agents/gofer-plan.agent.md +15 -0
  514. package/resources/gofer/github-agents/gofer-research.agent.md +15 -0
  515. package/resources/gofer/github-agents/gofer-validate.agent.md +10 -0
  516. package/resources/gofer/github-skills/eai-gofer/SKILL.md +56 -0
  517. package/resources/gofer/hook-scripts/agent-stop.mjs +655 -0
  518. package/resources/gofer/hook-scripts/log-stage-launch-time.mjs +77 -0
  519. package/resources/gofer/hook-scripts/post-tool-use.mjs +333 -0
  520. package/resources/gofer/hook-scripts/queued-input.mjs +188 -0
  521. package/resources/gofer/hook-scripts/session-lifecycle.mjs +93 -0
  522. package/resources/gofer/hook-scripts/user-prompt-submit.mjs +228 -0
  523. package/resources/gofer/instruction-templates/base/agents-base.md +37 -0
  524. package/resources/gofer/instruction-templates/base/claude-base.md +7 -0
  525. package/resources/gofer/instruction-templates/base/copilot-base.md +26 -0
  526. package/resources/gofer/instruction-templates/gofer/gofer-claude.md +5 -0
  527. package/resources/gofer/instruction-templates/gofer/gofer-copilot.md +9 -0
  528. package/resources/gofer/instruction-templates/languages/generic.md +7 -0
  529. package/resources/gofer/instruction-templates/languages/go.md +8 -0
  530. package/resources/gofer/instruction-templates/languages/java.md +8 -0
  531. package/resources/gofer/instruction-templates/languages/python.md +9 -0
  532. package/resources/gofer/instruction-templates/languages/rust.md +9 -0
  533. package/resources/gofer/instruction-templates/languages/typescript.md +19 -0
  534. package/resources/gofer/instruction-templates/workflow/principles.md +52 -0
  535. package/resources/gofer/memory/constitution.md +391 -0
  536. package/resources/gofer/memory/context-profiles.yaml +74 -0
  537. package/resources/gofer/memory/decisions/000-use-adr-for-decisions.md +67 -0
  538. package/resources/gofer/memory/decisions/001-di-framework.md +190 -0
  539. package/resources/gofer/memory/decisions/002-module-extraction.md +305 -0
  540. package/resources/gofer/memory/decisions/003-error-handling.md +368 -0
  541. package/resources/gofer/memory/decisions/004-cache-eviction.md +436 -0
  542. package/resources/gofer/memory/decisions/005-constants-management.md +520 -0
  543. package/resources/gofer/memory/decisions/README.md +129 -0
  544. package/resources/gofer/memory/diagrams/di-container.mmd +321 -0
  545. package/resources/gofer/memory/diagrams/extension-activation.mmd +184 -0
  546. package/resources/gofer/memory/diagrams/module-dependencies.mmd +264 -0
  547. package/resources/gofer/memory/gofer-model-policy.yaml +97 -0
  548. package/resources/gofer/memory/lessons.md +46 -0
  549. package/resources/gofer/node-scripts/canonical-descriptions.mjs +86 -0
  550. package/resources/gofer/node-scripts/check-version-alignment.mjs +131 -0
  551. package/resources/gofer/node-scripts/codex-doctor.mjs +425 -0
  552. package/resources/gofer/node-scripts/generate-commands.mjs +1366 -0
  553. package/resources/gofer/node-scripts/generate-issues.js +563 -0
  554. package/resources/gofer/node-scripts/gofer-closed-loop-audit.mjs +893 -0
  555. package/resources/gofer/node-scripts/gofer-loop-audit.mjs +541 -0
  556. package/resources/gofer/node-scripts/gofer-performance-report.mjs +306 -0
  557. package/resources/gofer/node-scripts/gofer-workspace-bootstrap.mjs +56 -0
  558. package/resources/gofer/node-scripts/gofer-workspace-check.mjs +56 -0
  559. package/resources/gofer/node-scripts/lib/ai-leverage-tagger.mjs +103 -0
  560. package/resources/gofer/node-scripts/lib/assemble-stakeholder-pack.mjs +114 -0
  561. package/resources/gofer/node-scripts/lib/marp-deck.mjs +87 -0
  562. package/resources/gofer/node-scripts/lib/mermaid-tabular-fallback.mjs +264 -0
  563. package/resources/gofer/node-scripts/lib/render-visual.mjs +54 -0
  564. package/resources/gofer/node-scripts/lib/validate-aliases.mjs +85 -0
  565. package/resources/gofer/node-scripts/lib/visual-counts.mjs +44 -0
  566. package/resources/gofer/node-scripts/lib/visual-pass-pipeline.mjs +134 -0
  567. package/resources/gofer/node-scripts/mermaid-export.mjs +72 -0
  568. package/resources/gofer/node-scripts/package-agent-plugin.mjs +940 -0
  569. package/resources/gofer/node-scripts/parse-stage-command.mjs +211 -0
  570. package/resources/gofer/node-scripts/schemas/.gitkeep +0 -0
  571. package/resources/gofer/node-scripts/schemas/stage-command.schema.json +72 -0
  572. package/resources/gofer/node-scripts/sync-extension-resources.mjs +110 -0
  573. package/resources/gofer/node-scripts/workspace-bootstrap-lib.mjs +1166 -0
  574. package/resources/gofer/powershell-scripts/install-optional-tools.ps1 +214 -0
  575. package/resources/gofer/references/platform/README.md +17 -0
  576. package/resources/gofer/references/platform/deployment-repo.md +9 -0
  577. package/resources/gofer/references/platform/eai-app-template.md +45 -0
  578. package/resources/gofer/references/platform/eai-config-driven-ui.md +156 -0
  579. package/resources/gofer/references/platform/eai-error-catalog.yaml +197 -0
  580. package/resources/gofer/references/platform/eai-repo-contract.md +134 -0
  581. package/resources/gofer/references/platform/eai-service-patterns.md +56 -0
  582. package/resources/gofer/references/platform/eai.md +85 -0
  583. package/resources/gofer/references/platform/vertical-template.md +49 -0
  584. package/resources/gofer/specify-commands/.gitkeep +0 -0
  585. package/resources/gofer/specify-commands/0_gofer_start.md +1299 -0
  586. package/resources/gofer/specify-commands/0a_problem_validation.md +405 -0
  587. package/resources/gofer/specify-commands/10_gofer_cloud.md +611 -0
  588. package/resources/gofer/specify-commands/1_gofer_research.md +1135 -0
  589. package/resources/gofer/specify-commands/2_gofer_specify.md +836 -0
  590. package/resources/gofer/specify-commands/3_gofer_plan.md +862 -0
  591. package/resources/gofer/specify-commands/4_gofer_tasks.md +724 -0
  592. package/resources/gofer/specify-commands/5_gofer_implement.md +900 -0
  593. package/resources/gofer/specify-commands/6_gofer_validate.md +2245 -0
  594. package/resources/gofer/specify-commands/7_gofer_save.md +399 -0
  595. package/resources/gofer/specify-commands/7a_stakeholder_comms.md +484 -0
  596. package/resources/gofer/specify-commands/8_gofer_branding.md +291 -0
  597. package/resources/gofer/specify-commands/9_gofer_tests.md +534 -0
  598. package/resources/gofer/specify-commands/gofer_bootstrap_workspace.md +159 -0
  599. package/resources/gofer/specify-commands/gofer_check_workspace.md +130 -0
  600. package/resources/gofer/specify-commands/gofer_constitution.md +588 -0
  601. package/resources/gofer/specify-commands/gofer_diagnose.md +89 -0
  602. package/resources/gofer/specify-commands/gofer_eai_first_run.md +392 -0
  603. package/resources/gofer/specify-commands/gofer_hydrate.md +537 -0
  604. package/resources/gofer/specify-commands/gofer_personality.md +61 -0
  605. package/resources/gofer/specify-commands/gofer_plan.md +51 -0
  606. package/resources/gofer/specify-commands/gofer_side.md +56 -0
  607. package/resources/gofer/specify-commands/gofer_spec_summary.md +87 -0
  608. package/resources/gofer/specify-commands/gofer_tdd.md +87 -0
  609. package/resources/gofer/specify-commands/gofer_vocabulary.md +87 -0
  610. package/resources/gofer/specify-commands/gofer_zoom_out.md +87 -0
  611. package/resources/gofer/system-skills/0_gofer_start/SKILL.md +1287 -0
  612. package/resources/gofer/system-skills/0a_problem_validation/SKILL.md +429 -0
  613. package/resources/gofer/system-skills/10_gofer_cloud/SKILL.md +635 -0
  614. package/resources/gofer/system-skills/1_gofer_research/SKILL.md +1159 -0
  615. package/resources/gofer/system-skills/2_gofer_specify/SKILL.md +860 -0
  616. package/resources/gofer/system-skills/3_gofer_plan/SKILL.md +886 -0
  617. package/resources/gofer/system-skills/4_gofer_tasks/SKILL.md +748 -0
  618. package/resources/gofer/system-skills/5_gofer_implement/SKILL.md +924 -0
  619. package/resources/gofer/system-skills/6_gofer_validate/SKILL.md +2269 -0
  620. package/resources/gofer/system-skills/7_gofer_save/SKILL.md +423 -0
  621. package/resources/gofer/system-skills/7a_stakeholder_comms/SKILL.md +508 -0
  622. package/resources/gofer/system-skills/8_gofer_branding/SKILL.md +315 -0
  623. package/resources/gofer/system-skills/9_gofer_tests/SKILL.md +558 -0
  624. package/resources/gofer/system-skills/gofer_bootstrap_workspace/SKILL.md +148 -0
  625. package/resources/gofer/system-skills/gofer_check_workspace/SKILL.md +119 -0
  626. package/resources/gofer/system-skills/gofer_constitution/SKILL.md +612 -0
  627. package/resources/gofer/system-skills/gofer_diagnose/SKILL.md +114 -0
  628. package/resources/gofer/system-skills/gofer_eai_first_run/SKILL.md +397 -0
  629. package/resources/gofer/system-skills/gofer_hydrate/SKILL.md +561 -0
  630. package/resources/gofer/system-skills/gofer_personality/SKILL.md +44 -0
  631. package/resources/gofer/system-skills/gofer_plan/SKILL.md +40 -0
  632. package/resources/gofer/system-skills/gofer_side/SKILL.md +45 -0
  633. package/resources/gofer/system-skills/gofer_spec_summary/SKILL.md +112 -0
  634. package/resources/gofer/system-skills/gofer_tdd/SKILL.md +112 -0
  635. package/resources/gofer/system-skills/gofer_vocabulary/SKILL.md +112 -0
  636. package/resources/gofer/system-skills/gofer_zoom_out/SKILL.md +112 -0
  637. package/resources/gofer/templates/agent-file-template.md +28 -0
  638. package/resources/gofer/templates/assumptions-template.md +94 -0
  639. package/resources/gofer/templates/audit-history-template.md +35 -0
  640. package/resources/gofer/templates/brand/brand-profile-template.json +45 -0
  641. package/resources/gofer/templates/brand/document-style-template.md +50 -0
  642. package/resources/gofer/templates/brand/marp-theme-template.css +58 -0
  643. package/resources/gofer/templates/brownfield-analysis.md +44 -0
  644. package/resources/gofer/templates/business-metrics-template.md +120 -0
  645. package/resources/gofer/templates/business-owner-summary-template.md +83 -0
  646. package/resources/gofer/templates/checklist-template.md +40 -0
  647. package/resources/gofer/templates/ciso-security-summary-template.md +70 -0
  648. package/resources/gofer/templates/context-bundle-template.md +76 -0
  649. package/resources/gofer/templates/contract-pack-template.md +109 -0
  650. package/resources/gofer/templates/cto-architecture-summary-template.md +83 -0
  651. package/resources/gofer/templates/discovery-template.md +92 -0
  652. package/resources/gofer/templates/eai-preflight-template.md +144 -0
  653. package/resources/gofer/templates/goal-ledger-template.json +69 -0
  654. package/resources/gofer/templates/gofer-model-policy.yaml +97 -0
  655. package/resources/gofer/templates/issues-template.md +106 -0
  656. package/resources/gofer/templates/journey/base-journey.md +95 -0
  657. package/resources/gofer/templates/journey/industry-variants.yaml +277 -0
  658. package/resources/gofer/templates/loop-contract-template.json +68 -0
  659. package/resources/gofer/templates/plan-template.md +215 -0
  660. package/resources/gofer/templates/problem-brief-template.md +85 -0
  661. package/resources/gofer/templates/proposal-review-template.md +79 -0
  662. package/resources/gofer/templates/research-template.md +222 -0
  663. package/resources/gofer/templates/reuse-scan-template.md +43 -0
  664. package/resources/gofer/templates/sequence-diagrams/option-spectrum.yaml +178 -0
  665. package/resources/gofer/templates/service-fit-matrix-template.md +29 -0
  666. package/resources/gofer/templates/session-handoff-template.md +172 -0
  667. package/resources/gofer/templates/spec-summary-template.md +118 -0
  668. package/resources/gofer/templates/spec-template.md +196 -0
  669. package/resources/gofer/templates/stakeholder-comms-template.md +330 -0
  670. package/resources/gofer/templates/stakeholder-review-index-template.md +54 -0
  671. package/resources/gofer/templates/tasks-template.md +323 -0
  672. package/resources/gofer/templates/ui-approval-template.md +32 -0
  673. package/resources/gofer/templates/ui-preview-brief-template.md +65 -0
  674. package/resources/gofer/templates/ui-review-log-template.md +11 -0
  675. package/resources/gofer/templates/visuals/.gitkeep +0 -0
  676. package/resources/gofer/templates/visuals/bounded-context-map.md +19 -0
  677. package/resources/gofer/templates/visuals/bounded-context-template.md +47 -0
  678. package/resources/gofer/templates/visuals/c4-container-template.md +38 -0
  679. package/resources/gofer/templates/visuals/c4-container.md +20 -0
  680. package/resources/gofer/templates/visuals/c4-context-template.md +46 -0
  681. package/resources/gofer/templates/visuals/capability-heatmap-template.md +54 -0
  682. package/resources/gofer/templates/visuals/data-model-erd-template.md +41 -0
  683. package/resources/gofer/templates/visuals/erd.md +19 -0
  684. package/resources/gofer/templates/visuals/impact-canvas.md +40 -0
  685. package/resources/gofer/templates/visuals/risk-heatmap-template.md +51 -0
  686. package/resources/gofer/templates/visuals/roi-projection.md +17 -0
  687. package/resources/gofer/templates/visuals/value-stream-asis.md +16 -0
  688. package/resources/gofer/templates/visuals/value-stream-tobe.md +18 -0
  689. package/resources/gofer/templates/working-backwards-prfaq-template.md +165 -0
  690. package/resources/linked-sources.json +25 -0
@@ -0,0 +1,2245 @@
1
+ ---
2
+ name: 6_gofer_validate
3
+ description: "Validate implemented work with evidence-backed scoring, blast-radius analysis, and engineering review."
4
+ title: "Gofer Validate"
5
+ category: pipeline
6
+ surfaces:
7
+ - claude
8
+ - claude-mirror
9
+ - copilot
10
+ - vscode
11
+ - codex
12
+ - gemini
13
+ - github-prompts
14
+ - agents-skills
15
+ - system-skills
16
+ aliases: [gofer:validate]
17
+ ---
18
+ ---
19
+ description:
20
+ Unified validation, blast-radius analysis, and engineering review (3 phases,
21
+ 110-point rubric)
22
+ ---
23
+
24
+ # Gofer Validate
25
+
26
+ ## EAI Platform Session Preflight
27
+
28
+ Before any Gofer stage/helper command does pipeline work:
29
+
30
+ 1. Treat durable delivery as EAI Platform delivery by default, with Azure second
31
+ and every other stack only by explicit exception.
32
+ 2. Run `eai whoami` and confirm the EAI CLI is installed, the user is logged in,
33
+ and an active tenant is visible.
34
+ 3. If `eai` is missing, `eai whoami` fails, the token is expired, or no active
35
+ tenant is available, stop and run `/gofer:eai-first-run` or ask the user to
36
+ approve login/setup before continuing.
37
+ 4. For EAI app delivery, do not continue into research, specification, planning,
38
+ tasks, implementation, or validation until
39
+ `.specify/specs/{feature}/eai-preflight.md` records login, tenant, template,
40
+ app-readiness, and next-action evidence.
41
+ 5. Do not write tokens, secrets, private tenant IDs, or local `.env` values into
42
+ Gofer artifacts; record only product-safe readiness status and evidence.
43
+
44
+ ## Token And Cost Policy
45
+ <!-- gofer:token-cost-policy:start -->
46
+
47
+ Before spawning agents, calling tools, or loading large files:
48
+
49
+ 1. Treat `.specify/memory/gofer-model-policy.yaml` as the repo-owned source of truth for simple, medium, hard, and arbiter model routing. If it is missing, run `/gofer:bootstrap-workspace` before continuing.
50
+ 2. Use the cheapest capable model first.
51
+ - Claude: Haiku for scouting/extraction; Sonnet for normal implementation, synthesis, validation, and security; Opus for high-risk arbitration or release-critical failures.
52
+ - Codex/OpenAI: GPT mini for simple coding; GPT nano only for locate/classify/summarize/mechanical work; GPT-5.3-Codex or flagship GPT for tool-heavy coding, architecture, and release-critical validation.
53
+ - Gemini: Flash-Lite for cheap large-context scan/summarize; Flash for default research synthesis; Pro for large-context architecture or high-risk arbitration.
54
+ - Copilot: prefer Auto for simple and default work; ask the user before choosing a paid/high-tier picker model for hard security, architecture, or release gates.
55
+ 3. Keep raw tool output out of the main conversation context. Save stable findings to `.specify/specs/{feature}/context-bundle.md`, then work from summaries.
56
+ 4. Use provider prompt/context caching only for stable, non-secret prefixes: Gofer scaffold, AGENTS/CLAUDE/Copilot instructions, constitution, repo map, stage contracts, and validation rubric.
57
+ 5. Before continuing after large research, planning, implementation, or validation bursts, checkpoint the durable artifacts and compact/clear/resume context when the host supports it.
58
+ 6. Escalate model tier only when a cheaper pass is low-confidence, contradictory, security-sensitive, or blocking release quality.
59
+ <!-- gofer:token-cost-policy:end -->
60
+
61
+ ## User Input
62
+
63
+ ```text
64
+ $ARGUMENTS
65
+ ```
66
+
67
+ You **MUST** consider the user input before proceeding (if not empty).
68
+
69
+ ## Execution Profile And Validation Cost
70
+
71
+ Validation must respect the final risk label:
72
+
73
+ - **fast**: for `docs-only` or very small low-risk changes, run focused checks
74
+ and verify no unnecessary artifact churn or unrelated files were changed.
75
+ - **standard**: run the normal rubric, focused build/test/lint/typecheck
76
+ evidence, and traceability checks.
77
+ - **full**: preserve the existing blast-radius, evidence gates, review loop,
78
+ scoring, and release-readiness checks; require evidence for contract,
79
+ security, data, infra/config, rollback, and cross-repository claims.
80
+ - **dynamic**: preserve the full validation behavior, then also verify
81
+ `execution-profile.md`, `workflow-dag.md`, shard outputs, reducer synthesis,
82
+ verifier/refuter evidence, budget/stop-condition evidence, and any explicit
83
+ user confirmation required before broad fanout work.
84
+
85
+ Archived specs under `.specify/specs/_*/` are historical context and must not
86
+ inflate active context-health estimates or current blast-radius manifests.
87
+
88
+ ## Prerequisites
89
+
90
+ This command expects in `.specify/specs/{feature}/`:
91
+
92
+ - `research.md` - Codebase analysis (from /1_gofer_research)
93
+ - `spec.md` - Feature specification (from /2_gofer_specify)
94
+ - `plan.md` - Implementation plan (from /3_gofer_plan)
95
+ - `tasks.md` - Task breakdown (from /4_gofer_tasks)
96
+ - `goal-ledger.json` - Goal, metric, delivery-state, and re-loop contract
97
+ - `loop-contract.json` - Bounded eval commands and stop rules
98
+ - `loop-ledger.jsonl` - Implementation and validation loop evidence
99
+ - `traceability.md` - Requirement -> task -> code -> test matrix
100
+ - Implemented code (from /5_gofer_implement)
101
+
102
+ ---
103
+
104
+ ## Spec Artifact Guard
105
+
106
+ Before validation, `.specify/scripts/bash/check-prerequisites.sh --json
107
+ --require-tasks` must confirm that `{FEATURE_DIR}/spec.md` exists, is
108
+ non-empty, and is not the unfilled spec template. If the helper reports
109
+ `spec.md` as missing, empty, or `template`, stop and run `/2_gofer_specify`.
110
+ Validation cannot score functional correctness, traceability, or objective
111
+ outcomes without a real specification.
112
+
113
+ ## Outline
114
+
115
+ 1. Context health check
116
+ 2. Load implementation context
117
+ 3. Closed-loop objective audit
118
+ 4. **Phase A** — Spawn 6 specialist rubric validation agents in parallel
119
+ 4. Evidence gate pre-check and pending-gate tracking
120
+ 5. **Phase B** — Spawn 5 blast-radius analysis agents in parallel
121
+ 7. Blast-radius synthesis (change graph, interface diff, observability,
122
+ dependency/submodule impact, rollback readiness, release checklist)
123
+ 8. Run automated checks (build, test, lint, typecheck)
124
+ 9. Mutation testing gate
125
+ 10. Mock ratio analysis
126
+ 11. Semantic slop detection
127
+ 12. Score the 11-category rubric (110 points)
128
+ 13. Generate enhanced validation report + blast-radius report
129
+ 14. Determine rubric PASS/FAIL outcome
130
+ 15. Brownfield restart on failure
131
+ 16. **Phase C** — Engineering review loop (3 agents × up to 5 cycles with
132
+ auto-fix)
133
+ 17. Generate engineering review report
134
+ 18. Attribution logging to JSONL
135
+ 19. Memory update check
136
+
137
+ ---
138
+
139
+ ## Execution Strategy by Platform
140
+
141
+ | Platform | Validation Execution Strategy |
142
+ | -------------------------------------- | --------------------------------------------------------------------------------------------- |
143
+ | Claude Code CLI | Run all validation agents in parallel using the Task tool |
144
+ | GitHub Copilot Chat (2026+) | Use multi-agent delegation to run validation in parallel |
145
+ | GitHub Copilot Chat (2025 and earlier) | Run validation checks sequentially using the **Legacy Workflow** in `docs/legacy-workflow.md` |
146
+
147
+ For pre-2026 Copilot environments, execute the validation phases
148
+ **sequentially** instead of parallel spawning.
149
+
150
+ ---
151
+
152
+ ## The Engineering Quality Rubric
153
+
154
+ ### 11-Category Scoring (110 Points)
155
+
156
+ | # | Category | Points | Pass Criteria | Agent |
157
+ | --- | ---------------------------- | ------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------- |
158
+ | 1 | Functional Correctness | 15 | Every acceptance criterion in spec.md has a passing test exercising real code | validation-correctness |
159
+ | 2 | Test Authenticity | 15 | Zero skips, zero placeholders, zero mock-only assertions. Mutation score >= 60% if Stryker available | validation-test-quality |
160
+ | 3 | UI/E2E Verification | 10 | If feature has UI: real rendering tests pass. If no UI: points redistribute | N/A (automated check) |
161
+ | 4 | Security Posture | 10 | Zero hardcoded secrets, no disabled security features, no client-side keys | validation-security |
162
+ | 5 | Integration Reality | 10 | Integration tests use real dependencies where possible. Contract tests validate boundaries | validation-integration |
163
+ | 6 | Error Path Coverage | 10 | Public functions tested for failure modes. No empty catch blocks | validation-correctness + validation-standards |
164
+ | 7 | Architecture Compliance | 10 | File structure, patterns, visual explanations, and human-facing document summaries match plan.md and research.md. Required visuals are simple, rendered or fallback-safe, and traceable to requirements, code, and EAI Platform decisions | validation-standards |
165
+ | 8 | Performance Baseline | 5 | No synchronous I/O in async paths, no unbounded loops, no N+1 patterns | validation-performance |
166
+ | 9 | Code Hygiene | 10 | Zero AI slop: no TODO placeholders, no redundant comments, no magic numbers | validation-standards |
167
+ | 10 | Specification Traceability | 5 | Every user story maps to tests, every test maps to code | validation-correctness |
168
+ | 11 | **Blast Radius Containment** | 10 | No unmitigated breaking API changes, full-surface consumer/import audit, new error paths log, no new High/Critical CVEs, rollback/feature-flag path exists, release checklist complete | codebase-analyzer + validation-integration + validation-standards + research-dependency-evaluator + tasks-rollback-planner |
169
+
170
+ ### Point Redistribution (No-UI Features)
171
+
172
+ When a feature has **no UI component** (no web pages, no frontend, no visual
173
+ interface), the 10 points from UI/E2E Verification are redistributed:
174
+
175
+ - **+5 to Functional Correctness** (total: 20 points)
176
+ - **+5 to Test Authenticity** (total: 20 points)
177
+
178
+ Total remains **110/110** across all 11 categories.
179
+
180
+ **Detection**: Check plan.md tech stack. If no UI framework (React, Vue,
181
+ Angular, Svelte) and no Playwright/Cypress tests exist, this is a no-UI feature.
182
+
183
+ ### Scoring Rules
184
+
185
+ - Each category scores **full points** or **0**. There is no partial credit.
186
+ - A category scores 0 if its agent reports any **Red (blocking)** finding.
187
+ - A category scores 0 if its automated check fails.
188
+ - **Total score** = sum of all category scores (max **110**, was 100).
189
+ - **PASS** = 110/110 and a passing objective outcome gate. Anything less = FAIL.
190
+ - Legacy consumers reading `status: PASS` / `score: 100` from historical reports
191
+ should migrate to the 110-point scale. The report keeps the `score` field as
192
+ the numerator and `score_max` to disambiguate.
193
+
194
+ **Honest-scoring rule (FR-012)**: If an agent reports `EVIDENCE ABSENT:`, the
195
+ orchestrating stage MUST score that category 0 regardless of other findings.
196
+ Phrases like `likely correct`, `appears wired`, or `should be passing` are NOT
197
+ evidence and MUST NOT contribute to any score. Any rubric category where
198
+ evidence is absent, unverifiable, fabricated, or implied scores exactly 0 — no
199
+ partial credit.
200
+
201
+ ---
202
+
203
+ ## Step 0: Context Health Check
204
+
205
+ Before starting validation, assess context window health:
206
+
207
+ ```bash
208
+ .specify/scripts/bash/check-context-health.sh
209
+ ```
210
+
211
+ - If **< 50%**: Proceed normally
212
+ - If **50-70%**: Use sub-agents heavily, minimize main context
213
+ - If **> 70%**: Run `/7_gofer_save`, start a fresh session, read the
214
+ checkpoint, and continue validation
215
+
216
+ Validation loads all artifacts and spawns 6 agents — context pressure is high.
217
+
218
+ ---
219
+
220
+ ## Step 1: Load Context
221
+
222
+ 1. **Run setup script**:
223
+
224
+ ```bash
225
+ .specify/scripts/bash/check-prerequisites.sh --json --require-tasks
226
+ ```
227
+
228
+ Parse JSON for FEATURE_DIR
229
+
230
+ 2. **Load all artifacts**:
231
+ - spec.md (user stories, acceptance criteria)
232
+ - plan.md (architecture, file structure, tech stack)
233
+ - tasks.md (task completion status)
234
+ - goal-ledger.json (goal IDs, metrics, delivery states, re-loop triggers)
235
+ - loop-contract.json (loop objective, eval commands, max iterations, stop conditions)
236
+ - loop-ledger.jsonl (implementation and validation loop evidence)
237
+ - traceability.md (requirement-to-code/test evidence matrix)
238
+ - research.md (codebase patterns to follow)
239
+
240
+ 3. **Detect iteration count**:
241
+ - Check if `{FEATURE_DIR}/remediation-report.md` exists
242
+ - If yes, read the iteration count from it
243
+ - Track: `ITERATION = [1|2|3]` (first run = 1)
244
+
245
+ 4. **Determine UI presence**:
246
+ - Read plan.md tech stack
247
+ - If UI framework present AND Playwright/Cypress tests exist: `HAS_UI = true`
248
+ - Otherwise: `HAS_UI = false` → apply point redistribution
249
+
250
+ **Deployment/Render Scope Detection** (FR-011):
251
+
252
+ Scan `spec.md`, `plan.md`, `contract-pack.md`, and `quickstart.md` (when
253
+ present) for the following signals:
254
+
255
+ - `DEPLOY_SIGNAL_1`: any acceptance criterion contains: `rendered`,
256
+ `live route`, `live API`, `deployed`, `production`, `staging`,
257
+ `SharePoint`, `Azure`, `smoke`, `E2E`, `browser`
258
+ - `DEPLOY_SIGNAL_2`: `plan.md`, `contract-pack.md`, or `quickstart.md`
259
+ names a deployment target: SharePoint, Azure, staging, production, Vercel,
260
+ Netlify, Docker, Kubernetes, or any server/environment referenced in the
261
+ acceptance chain
262
+ - `DEPLOY_SIGNAL_3`: `plan.md` declares a UI/rendered experience AND at least
263
+ one acceptance criterion uses: `sees`, `displays`, `shows`, `renders`,
264
+ `navigates to`
265
+
266
+ Set `DEPLOY_IN_SCOPE = true` if ANY signal is present.
267
+ Set `DEPLOY_IN_SCOPE = false` if NO signal is present.
268
+ Record the determination in the validation report preamble.
269
+
270
+ ## Step 1.5: Closed-Loop Objective And Loop Evidence Audit
271
+
272
+ Before rubric scoring, run the closed-loop audit and write a fresh rebaseline
273
+ report:
274
+
275
+ ```bash
276
+ node .specify/scripts/node/gofer-closed-loop-audit.mjs --feature-dir {FEATURE_DIR} --json --strict
277
+ ```
278
+
279
+ Also write/update `{FEATURE_DIR}/goal-rebaseline-report.md`.
280
+
281
+ Then run the bounded loop audit:
282
+
283
+ ```bash
284
+ node .specify/scripts/node/gofer-loop-audit.mjs --feature-dir {FEATURE_DIR} --stage 6_validate --json --strict
285
+ ```
286
+
287
+ This writes/updates `{FEATURE_DIR}/loop-audit-report.md`.
288
+
289
+ Validation MUST treat the closed-loop and loop audits as objective gates:
290
+
291
+ - If the audit reports missing goal coverage, missing code/test evidence,
292
+ expired assumptions, or invalid goal-ledger structure, validation FAILS.
293
+ - If the loop audit reports a missing/invalid loop contract, missing
294
+ `loop-ledger.jsonl` evidence, maxIterations breach, or required human
295
+ escalation, validation FAILS.
296
+ - If the audit recommends reopening `/2_gofer_specify`, `/3_gofer_plan`,
297
+ `/4_gofer_tasks`, or `/6_gofer_validate`, record that as a blocking drift
298
+ finding and FAIL the run. The feature is no longer in a closed state even if
299
+ the code still compiles.
300
+ - If the audit only reports low-severity warnings with no recommended reopen
301
+ stage, continue but record them in the validation report.
302
+
303
+ ---
304
+
305
+ # Phase A — Rubric Validation
306
+
307
+ Phase A runs the 10-category engineering rubric (Categories 1-10, up to 100
308
+ points before Category 11 is added).
309
+
310
+ ## Step 2: Spawn 6 Specialist Validation Agents
311
+
312
+ **CRITICAL**: You **MUST** launch all 6 agents **in parallel** using the Task
313
+ tool. Do NOT perform validation work inline in the main context. The main
314
+ context should only orchestrate, score the rubric, and review agent outputs.
315
+ Each agent receives the feature context and returns structured findings.
316
+
317
+ ### Agent 1: Correctness Validator
318
+
319
+ ```
320
+ Task: subagent_type="validation-correctness", model="sonnet"
321
+ Prompt: "Validate functional correctness for feature [FEATURE_NAME].
322
+
323
+ Feature directory: {FEATURE_DIR}
324
+ Spec: {FEATURE_DIR}/spec.md
325
+ Plan: {FEATURE_DIR}/plan.md
326
+
327
+ Check every acceptance criterion in spec.md.
328
+ For each criterion, find the test that exercises it and verify it tests real code.
329
+ Return findings in your standard report format (<2000 tokens)."
330
+ ```
331
+
332
+ ### Agent 2: Security Validator
333
+
334
+ ```
335
+ Task: subagent_type="validation-security", model="sonnet"
336
+ Prompt: "Validate security posture for feature [FEATURE_NAME].
337
+
338
+ Scan all new/modified files (from tasks.md file paths).
339
+ Check for: hardcoded secrets, disabled security, auth bypass, client-side keys.
340
+ Return findings with Red/Yellow/Gray severity (<2000 tokens)."
341
+ ```
342
+
343
+ ### Agent 3: Performance Validator
344
+
345
+ ```
346
+ Task: subagent_type="validation-performance", model="haiku"
347
+ Prompt: "Validate performance characteristics for feature [FEATURE_NAME].
348
+
349
+ Scan all new/modified source files (from tasks.md file paths).
350
+ Check for: sync I/O in async paths, cyclomatic complexity > 12, unbounded loops.
351
+ Build scripts and test files are exempt.
352
+ Return findings with complexity scores (<2000 tokens)."
353
+ ```
354
+
355
+ ### Agent 4: Test Quality Validator
356
+
357
+ ```
358
+ Task: subagent_type="validation-test-quality", model="haiku"
359
+ Prompt: "Validate test quality for feature [FEATURE_NAME].
360
+
361
+ Scan test files related to the feature.
362
+ Check for: placeholder assertions, skipped tests, mock ratio, mock-only tests.
363
+ VSCode API mocks marked '// mock-justified: VSCode API' are exempt from ratio.
364
+ Return findings with mock ratio calculation (<2000 tokens)."
365
+ ```
366
+
367
+ ### Agent 5: Integration Validator
368
+
369
+ ```
370
+ Task: subagent_type="validation-integration", model="sonnet"
371
+ Prompt: "Validate integration contracts for feature [FEATURE_NAME].
372
+
373
+ Feature directory: {FEATURE_DIR}
374
+ Check contracts/ directory if it exists.
375
+ Verify cross-component boundaries, type compatibility, integration test coverage.
376
+ Return findings with contract compliance status (<2000 tokens)."
377
+ ```
378
+
379
+ ### Agent 6: Standards Validator
380
+
381
+ ```
382
+ Task: subagent_type="validation-standards", model="sonnet"
383
+ Prompt: "Validate standards compliance for feature [FEATURE_NAME].
384
+
385
+ Feature directory: {FEATURE_DIR}
386
+ Check against constitution.md (if exists) and research.md patterns.
387
+ Detect AI slop: redundant comments, over-engineered abstractions, silent failures.
388
+ Check code hygiene: TODO/FIXME, magic numbers, unused imports.
389
+ Return findings with severity tiers (<2000 tokens)."
390
+ ```
391
+
392
+ ### Agent 7: Security Red Team (Optional — Multi-Perspective)
393
+
394
+ When the feature involves security-sensitive code (authentication,
395
+ authorization, user input handling, external APIs), run the security red team
396
+ strategy (#13):
397
+
398
+ ```
399
+ # Diverge: 3 attack perspectives
400
+ Task: subagent_type="validate-security-red-team", model="opus"
401
+ Prompt: "Perspective 1: OWASP Top 10 attack analysis for feature [FEATURE_NAME].
402
+ Scan all new/modified files from tasks.md. Attack from OWASP perspective.
403
+ Return findings with exploit steps (<2000 tokens)."
404
+
405
+ Task: subagent_type="validate-security-red-team", model="opus"
406
+ Prompt: "Perspective 2: Business logic abuse analysis for feature [FEATURE_NAME].
407
+ Scan all new/modified files from tasks.md. Attack business logic.
408
+ Return findings with exploit steps (<2000 tokens)."
409
+
410
+ Task: subagent_type="validate-security-red-team", model="opus"
411
+ Prompt: "Perspective 3: CVE search for feature [FEATURE_NAME].
412
+ Check package.json dependencies for known CVEs.
413
+ Return findings with advisory references (<2000 tokens)."
414
+
415
+ # Converge: Judge synthesizes attack findings
416
+ Task: subagent_type="multi-perspective-judge", model="opus"
417
+ Prompt: "Synthesize 3 security red team perspectives for [FEATURE_NAME].
418
+ Perspective 1 (OWASP): [result]. Perspective 2 (Business Logic): [result].
419
+ Perspective 3 (CVE): [result].
420
+ Identify confirmed vulnerabilities vs false positives. Prioritize by exploitability."
421
+ ```
422
+
423
+ **Run all 6 core agents in parallel.** Run Agent 7 (if applicable) in parallel
424
+ with the core agents.
425
+
426
+ ## Step 2.2: Evidence Gate Pre-Check
427
+
428
+ Evaluate the truthfulness gates before final scoring. If a gate is still
429
+ pending here, re-check it after Step 3 automated checks complete and before the
430
+ PASS/FAIL synthesis.
431
+
432
+ ```
433
+ GATE-1 (Integration Proof — Category 5):
434
+ Require: runtime wiring artifact OR integration-test execution output
435
+ present in the current session context by final scoring time.
436
+ If absent during Step 2.2, record GATE-1 as pending and re-check it after
437
+ Step 3 automated checks complete.
438
+ Still absent after Step 3 → Category 5 score = 0; mark GATE_FAIL = true
439
+
440
+ GATE-2 (Test Execution — Categories 1 and 2):
441
+ Require: real, executed npm test output with pass/fail count already present
442
+ or produced by Step 3 automated checks before final scoring.
443
+ If absent during Step 2.2, record GATE-2 as pending and re-check it after
444
+ Step 3 automated checks complete.
445
+ Still absent after Step 3 → Categories 1 and 2 score = 0; mark GATE_FAIL = true
446
+
447
+ GATE-3 (Render/Deployment Proof — Category 3):
448
+ IF HAS_UI = false:
449
+ Record "N/A — HAS_UI=false" in evidence table.
450
+ Record a matching not-in-scope reason in `Absent / Reason for 0`.
451
+ Apply existing no-UI point redistribution.
452
+ IF HAS_UI = true AND DEPLOY_IN_SCOPE = false:
453
+ Require: local render proof (screenshot, component render assertion,
454
+ headless browser assertion, or local smoke-check output) present by final
455
+ scoring time.
456
+ If absent during Step 2.2, record GATE-3 as pending and re-check before
457
+ final PASS/FAIL synthesis.
458
+ Still absent → Category 3 score = 0; mark GATE_FAIL = true
459
+ If present, record "Render proof only — deployment target not in scope" in
460
+ the evidence table and do not redistribute Category 3 points.
461
+ IF HAS_UI = true AND DEPLOY_IN_SCOPE = true:
462
+ Require: screenshot, curl/HTTP transcript, deployment log, headless browser
463
+ assertion, or smoke-check output present by final scoring time, with at
464
+ least one artifact proving rendered/live behavior on the declared route or
465
+ deployment target.
466
+ If absent during Step 2.2, record GATE-3 as pending and re-check before
467
+ final PASS/FAIL synthesis.
468
+ Still absent → Category 3 score = 0; mark GATE_FAIL = true
469
+
470
+ If any GATE_FAIL = true:
471
+ - Any agent that would have scored the gated category is still run
472
+ - The category score remains 0 unless the missing evidence appears before
473
+ final scoring
474
+ ```
475
+
476
+ Collect all results before proceeding.
477
+
478
+ ---
479
+
480
+ # Phase B — Blast Radius Analysis
481
+
482
+ Phase B quantifies the **ripple effect** of the implementation. It assesses risk
483
+ to code outside the feature boundary, interface-contract stability,
484
+ observability preservation, dependency / submodule impact, rollback readiness,
485
+ and release-checklist compliance. Phase B results score **Category 11 (10
486
+ points)** and produce a separate `blast-radius-report.md` artifact.
487
+
488
+ Phase B runs **after** Phase A agents have returned (Step 2 complete) and
489
+ **before** automated checks in Step 3, because breaking-change detection informs
490
+ how to interpret failing tests/types.
491
+
492
+ ## Step 2.5: Pre-Flight Change Surface Discovery
493
+
494
+ Before spawning Phase B agents, build a **change manifest** the agents can
495
+ reference. This is a cheap main-context pass, not an agent task.
496
+
497
+ 1. **Modified file list** — from `tasks.md` completed tasks and git:
498
+
499
+ ```bash
500
+ git diff --name-only $(git merge-base HEAD main 2>/dev/null || echo HEAD~1) HEAD
501
+ ```
502
+
503
+ 2. **Submodule inventory** — detect repo submodules and workspace packages:
504
+
505
+ ```bash
506
+ git submodule status 2>/dev/null
507
+ cat package.json 2>/dev/null | grep -E '"workspaces"' -A 20
508
+ ls -d */package.json 2>/dev/null | xargs -I {} dirname {}
509
+ ```
510
+
511
+ Record which submodules/workspaces contain modified files. For this repo the
512
+ canonical submodules are `extension/`, `language-server/`, `docs/`.
513
+
514
+ 3. **Public-surface detection** — identify exported symbols at risk:
515
+ - `index.ts` / `index.js` files in modified directories
516
+ - `*.d.ts` files in modified directories
517
+ - Entries in the `exports` / `main` / `types` fields of modified
518
+ `package.json` files
519
+ - Files under `contracts/` or `.specify/specs/{feature}/contracts/`
520
+
521
+ 4. **Dependency manifest diff** — capture dependency churn:
522
+
523
+ ```bash
524
+ git diff $(git merge-base HEAD main 2>/dev/null || echo HEAD~1) HEAD -- package.json package-lock.json extension/package.json language-server/package.json 2>/dev/null
525
+ ```
526
+
527
+ 5. **Rollback-relevant assets** — flag anything that needs a reverse path:
528
+ - Files under `migrations/`, `db/migrations/`, `prisma/migrations/`
529
+ - Files named `*.sql`, `schema.*`
530
+ - Feature-flag definitions (search for `featureFlag`, `growthbook`,
531
+ `launchdarkly`, `flags.`)
532
+ - `CHANGELOG.md`, `RELEASES.md`, version fields in `package.json`
533
+
534
+ Record these into `CHANGE_MANIFEST` for the Phase B prompts.
535
+
536
+ ---
537
+
538
+ ## Step 2.6: Spawn 5 Blast-Radius Analysis Agents
539
+
540
+ Launch all 5 agents **in parallel** using the Task tool. Pass the
541
+ `CHANGE_MANIFEST` from Step 2.5 into each prompt so agents see the same ground
542
+ truth.
543
+
544
+ ### Agent 8: Change Graph / Ripple Analyzer
545
+
546
+ ```
547
+ Task: subagent_type="codebase-analyzer", model="sonnet"
548
+ Prompt: "Blast-radius change-graph analysis for feature [FEATURE_NAME].
549
+
550
+ Feature directory: {FEATURE_DIR}
551
+ Change manifest (modified files): {CHANGE_MANIFEST.modifiedFiles}
552
+ Submodules: {CHANGE_MANIFEST.submodules}
553
+
554
+ Build a change-graph table for EVERY modified symbol (function, class, type,
555
+ const) in the modified files:
556
+ 1. List every direct importer/caller (file:line references).
557
+ 2. Classify each as Direct (imports the symbol) or Transitive (imports a
558
+ re-export of it) or Runtime (dynamic require / reflection).
559
+ 3. Flag any cross-submodule ripple (symbol defined in submodule A, consumed
560
+ in submodule B) — this is Red if unplanned.
561
+ 4. Flag any consumer whose tests do NOT exercise the changed code path —
562
+ Yellow.
563
+ 5. Count orphan changes (modified code with zero importers) — Gray.
564
+
565
+ Return findings with Red/Yellow/Gray severity and a concise ripple summary
566
+ (<2500 tokens). Output sections: 'Ripple Summary', 'Cross-submodule Crossings',
567
+ 'Consumer Coverage Gaps', 'Orphans'."
568
+ ```
569
+
570
+ ### Agent 9: Interface Contract Diff
571
+
572
+ ```
573
+ Task: subagent_type="validation-integration", model="sonnet"
574
+ Prompt: "Interface contract blast-radius analysis for feature [FEATURE_NAME].
575
+
576
+ Feature directory: {FEATURE_DIR}
577
+ Public-surface manifest: {CHANGE_MANIFEST.publicSurface}
578
+ Contracts directory: {FEATURE_DIR}/contracts (if present)
579
+
580
+ For every public export, package.json exports field entry, contract file,
581
+ and .d.ts symbol that was modified, deleted, or added:
582
+ 1. Diff old signature vs new signature (parameters, return types, generics,
583
+ optional vs required, default values).
584
+ 2. Classify each change:
585
+ - BREAKING: removed export, renamed export, narrowed return type, widened
586
+ required-param set, removed optional param callers rely on.
587
+ - ADDITIVE: new export, new optional param, widened return type.
588
+ - NEUTRAL: implementation change with identical signature.
589
+ 3. Red = any BREAKING change without a corresponding entry in CHANGELOG.md
590
+ or a migration note in the spec.
591
+ 4. Yellow = BREAKING change with CHANGELOG entry but no migration guide.
592
+ 5. Gray = ADDITIVE changes for informational tracking.
593
+
594
+ Verify contract tests still cover all pre-existing contract clauses (no
595
+ silent coverage regression). Return findings (<2000 tokens) with sections:
596
+ 'Breaking Changes', 'Additive Changes', 'Contract Coverage Regression'."
597
+ ```
598
+
599
+ ### Agent 10: Error Logging & Observability Integrity
600
+
601
+ ```
602
+ Task: subagent_type="validation-standards", model="sonnet"
603
+ Prompt: "Observability blast-radius analysis for feature [FEATURE_NAME].
604
+
605
+ Feature directory: {FEATURE_DIR}
606
+ Modified files: {CHANGE_MANIFEST.modifiedFiles}
607
+
608
+ Assess whether observability was preserved, degraded, or improved:
609
+ 1. For every new/modified catch block: does it log? Use the same structured
610
+ logger used elsewhere in the repo (detect the logger by scanning for
611
+ common imports: winston, pino, bunyan, console, vscode.window.showError,
612
+ telemetry module). Red if any catch swallows silently in production code.
613
+ 2. For every removed log statement: is removal justified by a comment or
614
+ spec? Red if production-relevant logs disappeared without justification.
615
+ 3. Log-level hygiene: no `console.log` in production code (test files
616
+ exempt); no debug-level logs left at info/warn level.
617
+ 4. PII / secrets leakage in new log messages — Red if detected.
618
+ 5. Telemetry/metrics coverage: if the feature touched hot paths that
619
+ previously emitted metrics, verify emission is preserved.
620
+ 6. Correlation IDs / trace context propagation: if the repo uses them,
621
+ verify new code paths propagate them.
622
+
623
+ Return findings (<2000 tokens) with sections: 'Silent Failures', 'Removed
624
+ Logs', 'PII Risk', 'Metric Coverage Delta', 'Trace Propagation'."
625
+ ```
626
+
627
+ ### Agent 11: Dependency & Submodule Impact (with npm audit delta)
628
+
629
+ ```
630
+ Task: subagent_type="research-dependency-evaluator", model="haiku"
631
+ Prompt: "Dependency and submodule blast-radius analysis for feature
632
+ [FEATURE_NAME].
633
+
634
+ Dependency manifest diff: {CHANGE_MANIFEST.dependencyDiff}
635
+ Submodules affected: {CHANGE_MANIFEST.submodules}
636
+
637
+ 1. New dependencies: list each with source (npm / git / local), license, and
638
+ bundle-size impact (approx). Red if license is incompatible (GPL/AGPL in
639
+ a permissive-licensed repo), or if the package is unmaintained (>2 years
640
+ since last release, <1000 weekly downloads).
641
+ 2. Version bumps: classify as major / minor / patch. Red for major bumps
642
+ without migration notes.
643
+ 3. Lockfile churn: if package.json is unchanged but package-lock.json
644
+ changed materially (>20 lines), flag as Yellow (indirect dep drift).
645
+ 4. npm audit delta: run `npm audit --json 2>/dev/null` on the current branch
646
+ and compare vulnerability counts vs baseline (main). Red if the branch
647
+ adds any new High or Critical CVE. Yellow for new Moderate. Gray for new
648
+ Low.
649
+ 5. Submodule boundary crossings: if the feature modifies code in multiple
650
+ submodules (extension/, language-server/, docs/), verify each submodule
651
+ independently builds and tests. Red if a cross-submodule change breaks
652
+ any submodule's standalone build.
653
+
654
+ Return findings (<2500 tokens) with sections: 'New Dependencies', 'Version
655
+ Bumps', 'Lockfile Drift', 'CVE Delta', 'Submodule Boundary Crossings'."
656
+ ```
657
+
658
+ ### Agent 12: Rollback Readiness & Release Checklist
659
+
660
+ ```
661
+ Task: subagent_type="tasks-rollback-planner", model="haiku"
662
+ Prompt: "Rollback readiness + release-checklist review for feature
663
+ [FEATURE_NAME].
664
+
665
+ Feature directory: {FEATURE_DIR}
666
+ Rollback assets: {CHANGE_MANIFEST.rollbackAssets}
667
+
668
+ Assess reversibility and release readiness:
669
+ 1. DB migrations: is every forward migration paired with a down/reverse
670
+ migration? Red if any irreversible migration lacks explicit justification
671
+ in the spec or plan.
672
+ 2. Feature flags: if the feature is risky, is it gated behind a flag? Is the
673
+ flag default-off? Is the pre-flag code path preserved so disabling the
674
+ flag restores prior behavior? Red if a risky change is unflagged and
675
+ irreversible.
676
+ 3. Data-shape changes: detect schema changes that cannot be rolled back
677
+ without data loss (column drops, type narrowings). Red if no backfill or
678
+ dual-write strategy.
679
+ 4. Release checklist for user-visible changes:
680
+ - CHANGELOG.md updated for this feature — Red if missing and feature is
681
+ user-visible.
682
+ - Version bump planned (semver correct for breaking/additive/patch) — Red
683
+ if breaking change present without major bump plan.
684
+ - Migration guide present for breaking changes — Red if missing.
685
+ - Documentation updated (docs/ or README.md) for new user-facing
686
+ capabilities — Yellow if missing.
687
+ 5. Rollback runbook: is there a documented 'how to revert' path? Yellow if
688
+ absent for non-trivial changes.
689
+
690
+ Return findings (<2000 tokens) with sections: 'Migration Reversibility',
691
+ 'Feature Flag Coverage', 'Data-Shape Rollback Risk', 'Release Checklist',
692
+ 'Rollback Runbook'."
693
+ ```
694
+
695
+ **Run all 5 Phase B agents in parallel.** Collect results before synthesis.
696
+
697
+ ---
698
+
699
+ ## Step 2.7: Blast Radius Synthesis
700
+
701
+ Aggregate Phase B agent findings into a single blast-radius verdict.
702
+
703
+ ### Consolidated Finding Table
704
+
705
+ ```
706
+ | # | Dimension | Finding | Severity | Agent | File | Line |
707
+ |---|-----------|---------|----------|-------|------|------|
708
+ | 1 | Change graph | [desc] | Red | codebase-analyzer | [file] | [line] |
709
+ | 2 | Interface contract | [desc] | Red | validation-integration | [file] | [line] |
710
+ | 3 | Observability | [desc] | Yellow | validation-standards | [file] | [line] |
711
+ | 4 | Dependency | [desc] | Yellow | research-dependency-evaluator | [file] | [line] |
712
+ | 5 | Rollback | [desc] | Red | tasks-rollback-planner | [file] | [line] |
713
+ ```
714
+
715
+ ### Severity Rollup
716
+
717
+ ```
718
+ BLAST_RADIUS_RED = count of Red findings across all 5 agents
719
+ BLAST_RADIUS_YELLOW = count of Yellow findings
720
+ BLAST_RADIUS_GRAY = count of Gray findings
721
+ ```
722
+
723
+ ### Write `blast-radius-report.md`
724
+
725
+ Write to `{FEATURE_DIR}/blast-radius-report.md`:
726
+
727
+ ```markdown
728
+ ---
729
+ feature: [Feature Name]
730
+ generated: [ISO timestamp]
731
+ reviewer: Claude
732
+ GeneratedAt: [ISO timestamp]
733
+ SourceCommandId: /6_gofer_validate
734
+ SourceInputs: [spec.md, plan.md, tasks.md, research.md, blast-radius inputs]
735
+ OverwriteNoticeWhenApplicable: [new file or overwrite note]
736
+ dimensions_checked:
737
+ [
738
+ change_graph,
739
+ interface_contract,
740
+ observability,
741
+ dependency_submodule,
742
+ rollback_release,
743
+ ]
744
+ red_count: [N]
745
+ yellow_count: [N]
746
+ gray_count: [N]
747
+ verdict: [CONTAINED | BREACHED]
748
+ ---
749
+
750
+ # Blast Radius Report: [Feature Name]
751
+
752
+ ## Changed Surfaces
753
+
754
+ - Modified files: [N]
755
+ - Submodules touched: [list]
756
+ - Public-surface symbols affected: [N]
757
+ - New dependencies: [N]
758
+ - Version bumps: [list]
759
+ - Migration files: [list]
760
+ - Feature flags introduced/modified: [list]
761
+
762
+ ## Risk Vectors
763
+
764
+ ### 1. Change Graph / Ripple (Agent: codebase-analyzer)
765
+
766
+ - Cross-submodule crossings: [list or "none"]
767
+ - Consumer coverage gaps: [N]
768
+ - Orphan changes: [N]
769
+ - Red findings: [table]
770
+
771
+ ### 2. Interface Contracts (Agent: validation-integration)
772
+
773
+ - Breaking changes: [N] ([list])
774
+ - Additive changes: [N]
775
+ - Contract coverage regressions: [list]
776
+ - Red findings: [table]
777
+
778
+ ### 3. Error Logging & Observability (Agent: validation-standards)
779
+
780
+ - Silent failures introduced: [N]
781
+ - Logs removed without justification: [N]
782
+ - PII/secret leakage risk: [list]
783
+ - Metric/trace coverage delta: [summary]
784
+ - Red findings: [table]
785
+
786
+ ### 4. Dependencies & Submodules (Agent: research-dependency-evaluator)
787
+
788
+ - New dependencies: [table with license/size/maintenance]
789
+ - Version bumps: [list]
790
+ - Lockfile drift: [summary]
791
+ - CVE delta: Critical +[N], High +[N], Moderate +[N], Low +[N]
792
+ - Submodule boundary crossings: [list]
793
+ - Red findings: [table]
794
+
795
+ ### 5. Rollback Readiness & Release Checklist (Agent: tasks-rollback-planner)
796
+
797
+ - Migration reversibility: [OK / BREACHED]
798
+ - Feature flag coverage: [OK / BREACHED / N/A]
799
+ - Data-shape rollback risk: [OK / BREACHED]
800
+ - Release checklist:
801
+ - CHANGELOG updated: [Yes / No / N/A]
802
+ - Version bump planned: [patch / minor / major / N/A]
803
+ - Migration guide: [Yes / No / N/A]
804
+ - Docs updated: [Yes / No / N/A]
805
+ - Rollback runbook: [Present / Absent / N/A]
806
+ - Red findings: [table]
807
+
808
+ ## Containment Summary
809
+
810
+ - **CONTAINED** if `BLAST_RADIUS_RED == 0` — Category 11 scores full 10 pts.
811
+ - **BREACHED** if `BLAST_RADIUS_RED > 0` — Category 11 scores 0.
812
+
813
+ Yellow findings do NOT fail Category 11 but are reported to the engineering
814
+ review loop (Phase C) for mandatory attention.
815
+ ```
816
+
817
+ Proceed to Step 3 (automated checks) with blast-radius results attached to the
818
+ context.
819
+
820
+ ---
821
+
822
+ # End of Phase B
823
+
824
+ ---
825
+
826
+ ## Step 3: Run Automated Checks
827
+
828
+ Execute verification commands and capture results:
829
+
830
+ ### Build Check
831
+
832
+ ```bash
833
+ npm run build # or appropriate build command
834
+ ```
835
+
836
+ ### Test Check
837
+
838
+ ```bash
839
+ npm test # or appropriate test command
840
+ ```
841
+
842
+ ### Lint Check
843
+
844
+ ```bash
845
+ npm run lint # or appropriate lint command
846
+ ```
847
+
848
+ ### Type Check (if TypeScript)
849
+
850
+ ```bash
851
+ npm run typecheck # or tsc --noEmit
852
+ ```
853
+
854
+ Record results:
855
+
856
+ ```
857
+ | Check | Command | Result |
858
+ |-----------|------------------|---------------|
859
+ | Build | npm run build | PASS / FAIL |
860
+ | Tests | npm test | PASS / FAIL |
861
+ | Lint | npm run lint | PASS / FAIL |
862
+ | TypeCheck | tsc --noEmit | PASS / FAIL |
863
+ ```
864
+
865
+ **If Build or Tests FAIL**: Mark Functional Correctness as 0 immediately.
866
+
867
+ ---
868
+
869
+ ## Step 4: Mutation Testing Gate
870
+
871
+ Check if mutation testing tools are available:
872
+
873
+ ```bash
874
+ npx stryker --version 2>/dev/null
875
+ ```
876
+
877
+ ### If Stryker is available:
878
+
879
+ 1. Run mutation testing:
880
+ ```bash
881
+ npx stryker run --reporters clear-text 2>&1 | tail -50
882
+ ```
883
+ 2. Parse mutation score from output
884
+ 3. Record: `MUTATION_SCORE = [N]%`
885
+ 4. If score < 60%: contributes to Test Authenticity scoring 0
886
+
887
+ ### If Stryker is NOT available:
888
+
889
+ 1. Record: `MUTATION_SCORE = "unavailable"`
890
+ 2. Log recommendation: "Install @stryker-mutator/core for mutation testing"
891
+ 3. Test Authenticity is scored based on other criteria only (placeholders,
892
+ skips, mock ratio)
893
+ 4. Do NOT block on mutation score when Stryker is absent
894
+
895
+ ---
896
+
897
+ ## Step 5: Mock Ratio Analysis
898
+
899
+ Count mocking patterns vs real assertions across feature test files:
900
+
901
+ ### Count Mock Calls
902
+
903
+ Use Grep to count in test files related to the feature:
904
+
905
+ - `vi.mock(` — module-level mocks
906
+ - `vi.fn(` — individual function mocks
907
+ - `jest.mock(` — Jest module mocks
908
+ - `jest.fn(` — Jest function mocks
909
+ - `.mockReturnValue(` — mock configurations
910
+ - `.mockResolvedValue(` — async mock configurations
911
+
912
+ ### Count Real Assertions
913
+
914
+ Use Grep to count:
915
+
916
+ - `expect(` followed by `.toBe(`, `.toEqual(`, `.toContain(`, `.toThrow(`,
917
+ `.toMatch(`, `.toBeGreaterThan(`, `.toBeLessThan(`, `.toBeDefined(`,
918
+ `.toBeNull(`, `.toHaveLength(`, `.toHaveProperty(`
919
+
920
+ ### Exclude Justified Mocks
921
+
922
+ Lines containing `// mock-justified:` are excluded from the mock count. This
923
+ allows VSCode API mocks and other unavoidable mocks to be documented and exempt.
924
+
925
+ ### Calculate Ratio
926
+
927
+ ```
928
+ MOCK_RATIO = mock_calls / (mock_calls + real_assertions)
929
+ ```
930
+
931
+ ### Evaluate
932
+
933
+ - If `MOCK_RATIO > 0.30` (30%): contributes to Test Authenticity scoring 0
934
+ - Report per-file ratios for the worst offenders
935
+
936
+ ---
937
+
938
+ ## Step 6: Semantic Slop Detection
939
+
940
+ ### Automated Pattern Detection (Grep-based)
941
+
942
+ Run these checks on new/modified source files (not test files):
943
+
944
+ #### Red Severity (Blocks)
945
+
946
+ ```
947
+ Pattern: expect(true).toBe(true)
948
+ Also: expect(1).toBe(1), expect('a').toBe('a')
949
+ Method: Grep for tautological assertions in test files
950
+ ```
951
+
952
+ ```
953
+ Pattern: test.skip / it.skip / describe.skip / xit / xdescribe
954
+ Method: Grep for skip patterns in feature-related test files
955
+ ```
956
+
957
+ #### Yellow Severity (Must Address)
958
+
959
+ ```
960
+ Pattern: TODO / FIXME / XXX / HACK in source code (not test helpers)
961
+ Method: Grep in new/modified .ts/.js/.py files
962
+ ```
963
+
964
+ ```
965
+ Pattern: Empty catch blocks — catch (e) {} or catch { }
966
+ Method: Grep for catch blocks with empty or whitespace-only bodies
967
+ ```
968
+
969
+ #### Gray Severity (Informational)
970
+
971
+ Gray-level findings are reported by the specialist agents (Standards and Test
972
+ Quality). They include:
973
+
974
+ - Redundant comments restating code (agent: validation-standards)
975
+ - Over-engineered abstractions for one-time use (agent: validation-standards)
976
+ - Magic numbers without named constants (agent: validation-standards)
977
+ - Mock-only tests that verify wiring not behavior (agent:
978
+ validation-test-quality)
979
+
980
+ ### Consolidate Slop Findings
981
+
982
+ Combine automated Grep results with agent findings:
983
+
984
+ ```
985
+ | # | Pattern | Severity | Source | Description | File | Line |
986
+ |---|---------|----------|--------|-------------|------|------|
987
+ | 1 | Placeholder test | Red | Grep | expect(true).toBe(true) | test.ts | 45 |
988
+ | 2 | Skipped test | Red | Grep | it.skip('should...') | spec.ts | 12 |
989
+ | 3 | TODO placeholder | Yellow | Grep | // TODO: implement | service.ts | 89 |
990
+ | 4 | Redundant comment | Yellow | Agent | "// create user" above createUser() | user.ts | 23 |
991
+ ```
992
+
993
+ ---
994
+
995
+ ## Step 7: Score the 10-Category Rubric
996
+
997
+ Using agent reports, automated checks, and analysis from Steps 3-6, score each
998
+ category:
999
+
1000
+ ### Scoring Logic
1001
+
1002
+ **Category 1: Functional Correctness** ({15 or 20 if no UI} pts)
1003
+
1004
+ - Input: validation-correctness agent report + `GATE-2` + automated test results
1005
+ - Score 0 if: `GATE-2` fails, OR any Red finding from correctness agent, OR
1006
+ build/tests fail, OR tests fail to import
1007
+ - Score full if: All acceptance criteria verified with real tests
1008
+
1009
+ **Category 2: Test Authenticity** ({15 or 20 if no UI} pts)
1010
+
1011
+ - Input: validation-test-quality agent report + `GATE-2` + mutation score +
1012
+ mock ratio
1013
+ - Score 0 if: Any placeholder assertion found, OR any test.skip found, OR mock
1014
+ ratio > 30%, OR mutation score < 60% (when Stryker available), OR
1015
+ `GATE-2` fails
1016
+ - Score full if: Zero placeholders, zero skips, mock ratio <= 30%
1017
+
1018
+ **Category 3: UI/E2E Verification** (10 pts, or 0 if redistributed)
1019
+
1020
+ - If `HAS_UI = false`: Record `N/A — HAS_UI=false` plus an explicit not-in-scope
1021
+ reason in the evidence table and apply the existing no-UI redistribution.
1022
+ - If `HAS_UI = true` and `DEPLOY_IN_SCOPE = false`: Check `GATE-3` for local
1023
+ render proof and record `Render proof only — deployment target not in scope`
1024
+ when that proof exists. Score 0 if `GATE-3` fails or no local render proof
1025
+ exists. Do not redistribute Category 3 points.
1026
+ - If `HAS_UI = true` and `DEPLOY_IN_SCOPE = true`: Check `GATE-3` for
1027
+ screenshot, curl/HTTP transcript, deployment log, headless browser
1028
+ assertion, or smoke-check output with proof of rendered/live behavior on the
1029
+ declared route or target. Score 0 if `GATE-3` fails or no real render/deploy
1030
+ proof exists.
1031
+
1032
+ **Category 4: Security Posture** (10 pts)
1033
+
1034
+ - Input: validation-security agent report
1035
+ - Score 0 if: Any Red finding from security agent
1036
+ - Score full if: No Red or Yellow findings
1037
+
1038
+ **Category 5: Integration Reality** (10 pts)
1039
+
1040
+ - Input: validation-integration agent report + `GATE-1`
1041
+ - Score 0 if: `GATE-1` fails, OR any contract violation, OR critical boundary
1042
+ with zero tests
1043
+ - Score full if: All contracts satisfied, integration tests use real deps
1044
+
1045
+ **Category 6: Error Path Coverage** (10 pts)
1046
+
1047
+ - Input: validation-correctness agent (error paths) + validation-standards agent
1048
+ (empty catch blocks)
1049
+ - Score 0 if: Empty catch blocks found, OR public functions lack error path
1050
+ tests
1051
+ - Score full if: Error paths tested, catch blocks handle errors properly
1052
+
1053
+ **Category 7: Architecture Compliance** (10 pts)
1054
+
1055
+ - Input: validation-standards agent report (architecture section)
1056
+ - Score 0 if: File structure deviates from plan.md without justification, OR
1057
+ required diagrams/pictures are stale, unreadable, unrendered without fallback,
1058
+ disconnected from the requirements/code/EAI Platform evidence they explain, OR
1059
+ human-facing artifacts lack a plain-language executive summary
1060
+ - Score full if: All files in expected locations, patterns followed
1061
+
1062
+ **Visual And Document Comprehension Gate** (part of Category 7, no extra points):
1063
+
1064
+ Use this gate whenever the feature has architecture, process, security,
1065
+ workflow, data, UI, or EAI Platform behavior that a human reviewer or future AI
1066
+ loop must understand. This is benchmarked against C4-style abstraction levels,
1067
+ diagram-as-code/source-controlled visuals, 8090-style requirement/blueprint
1068
+ alignment, Marp-style narrative decks, and UI proof practices such as screenshot
1069
+ or visual-test evidence.
1070
+
1071
+ - Executive summaries: every human-facing document starts with three to five
1072
+ plain-language bullets that cover the decision, value, risk, evidence, and next
1073
+ ask. Technical detail comes after the summary.
1074
+ - Purpose clarity: every visual states the question it answers, audience,
1075
+ source inputs, and how to read it in plain language.
1076
+ - Simplicity: each diagram focuses on one decision or flow, keeps primary
1077
+ nodes/steps to about seven or fewer where practical, and splits crowded
1078
+ diagrams instead of making a spaghetti map.
1079
+ - Correct visual type: use context/container C4 views for system boundaries,
1080
+ sequence/state diagrams for flows, ERD for data, value stream for process,
1081
+ heatmaps for capability/risk priority, and screenshot/storyboard evidence for
1082
+ UI behavior.
1083
+ - Renderability: Mermaid/D2/Structurizr-style source must render locally or
1084
+ provide a markdown-table/text fallback; Marp decks must be valid Markdown with
1085
+ slide frontmatter; UI visuals need screenshot, Storybook/component,
1086
+ Playwright, or equivalent render proof.
1087
+ - Traceability: each visual links to the requirement, plan, contract, code/test,
1088
+ EAI service/template asset, or validation evidence it summarizes.
1089
+ - Freshness: validation must check whether visuals changed or were reapproved
1090
+ after spec, plan, code, tenant/auth, or validation changes; stale visuals fail
1091
+ Category 7 even when the code passes.
1092
+ - Public safety: visuals must not expose tenant-private data, secrets, customer
1093
+ identifiers, internal-only architecture names, or screenshots containing
1094
+ private content.
1095
+
1096
+ **Category 8: Performance Baseline** (5 pts)
1097
+
1098
+ - Input: validation-performance agent report
1099
+ - Score 0 if: Sync I/O in async paths, OR complexity > 12, OR unbounded loops
1100
+ - Score full if: No blocking performance findings
1101
+
1102
+ **Category 9: Code Hygiene** (10 pts)
1103
+
1104
+ - Input: validation-standards agent report (hygiene section) + slop detection
1105
+ - Score 0 if: TODO placeholders in production code, OR > 5 redundant comments,
1106
+ OR silent error swallowing found
1107
+ - Score full if: Clean code, no slop findings above Gray
1108
+
1109
+ **Category 10: Specification Traceability** (5 pts)
1110
+
1111
+ - Input: validation-correctness agent (criteria mapping)
1112
+ - Score 0 if: User stories cannot be traced to tests and code
1113
+ - Score full if: Every US has tests, every test maps to implementing code
1114
+
1115
+ **Category 11: Blast Radius Containment** (10 pts) — NEW
1116
+
1117
+ - Input: Phase B blast-radius-report.md (Agents 8-12)
1118
+ - Score 0 if **any** of:
1119
+ - `BLAST_RADIUS_RED > 0` (verdict BREACHED in blast-radius-report.md), OR
1120
+ - Interface Contract Diff found a BREAKING change without CHANGELOG entry, OR
1121
+ - Observability agent found a silent failure in production code, OR
1122
+ - Dependency agent reports a new High or Critical CVE, OR
1123
+ - Rollback agent reports an irreversible migration without justification, OR
1124
+ - Cross-submodule ripple detected that was not planned in plan.md
1125
+ - Score full (10) if: `BLAST_RADIUS_RED == 0` — verdict CONTAINED in
1126
+ blast-radius-report.md. Yellow/Gray findings do not block the category but are
1127
+ forwarded to Phase C for attention.
1128
+
1129
+ ### Calculate Total Score
1130
+
1131
+ ```
1132
+ TOTAL = Cat1 + Cat2 + Cat3 + ... + Cat10 + Cat11
1133
+ ```
1134
+
1135
+ Must equal **110** to PASS (no-UI features: Cat3 redistributes +5 to Cat1 and +5
1136
+ to Cat2; total is still 110).
1137
+
1138
+ ---
1139
+
1140
+ ## Step 7.4: Two-Pass Canvas Refresh (Impact Canvas)
1141
+
1142
+ After the validation council completes, refresh the Impact Canvas with
1143
+ validation findings. This is a SURGICAL update: only the `topThreeRisks` slot of
1144
+ `impact-canvas.md` is replaced; all other canvas content (header, problem
1145
+ statement, personas, AI-leverage pie, outcomes) is preserved byte-for-byte. The
1146
+ frontmatter `pass:` marker is bumped from 1 to 2 so downstream consumers can
1147
+ tell which pass produced the artefact.
1148
+
1149
+ ```
1150
+ Task: subagent_type="visual-canvas-writer", model="haiku"
1151
+ Prompt: "Pass-2 refresh for {FEATURE_DIR}/visuals/impact-canvas.md.
1152
+ Read validation council output from {FEATURE_DIR}/validation.md.
1153
+ Replace ONLY the topThreeRisks section with the council's top three risks.
1154
+ Preserve all other content byte-for-byte.
1155
+
1156
+ Use the runPass2() helper at .specify/scripts/node/lib/visual-pass-pipeline.mjs
1157
+ which implements the surgical replacement (regex-bounded swap of the
1158
+ '## Top Three Risks' section + frontmatter pass: 1 -> 2 bump).
1159
+
1160
+ Return: absolute path of file written and the three risk strings used."
1161
+ ```
1162
+
1163
+ The `runPass2()` function in
1164
+ `.specify/scripts/node/lib/visual-pass-pipeline.mjs` already implements the
1165
+ surgical replacement; the writer agent only needs to provide the three
1166
+ council-validated risk strings. This satisfies FR-016 (two-pass canvas refresh)
1167
+ and the locked decision recorded in `plan.md:912-919`.
1168
+
1169
+ ---
1170
+
1171
+ ## Step 7.5: Refresh Risk Heatmap (Persona Pack — US4)
1172
+
1173
+ After the rubric is scored and validation council findings are available,
1174
+ dispatch `visual-risk-writer` in **pass-2 mode** to refresh the risk heatmap
1175
+ with critical risks identified by the council. This replaces the heuristic
1176
+ top-quadrant entries that pass-1 (run from this same stage before validation)
1177
+ populated from the spec NFR / Out-of-Scope sections.
1178
+
1179
+ ```
1180
+ Task: subagent_type="visual-risk-writer", model="haiku"
1181
+ Prompt: "Pass 2: refresh risk heatmap for feature [FEATURE_NAME].
1182
+
1183
+ Feature directory: {FEATURE_DIR}
1184
+ Spec: {FEATURE_DIR}/spec.md
1185
+ Validation council findings: {FEATURE_DIR}/validation-report.md (in-progress)
1186
+ Existing heatmap (pass-1): {FEATURE_DIR}/visuals/risk-heatmap.md
1187
+ Template: .specify/templates/visuals/risk-heatmap-template.md
1188
+
1189
+ Replace top-quadrant risks with the validation council's critical findings.
1190
+ Preserve pass-1 risks that did not surface in validation.
1191
+ Honour ≥30 ≤200 word plain-language preamble (NFR-010).
1192
+
1193
+ Return: absolute path of file written and risk counts per quadrant."
1194
+ ```
1195
+
1196
+ The validation report (Step 8) MUST link to the refreshed risk heatmap under its
1197
+ `## Risk Posture` section. If the Mermaid renderer fails for a downstream
1198
+ consumer, the `mermaid-tabular-fallback.mjs` helper provides a markdown-table
1199
+ fallback for the `quadrantChart` block.
1200
+
1201
+ ---
1202
+
1203
+ ## Step 8: Generate Validation Report
1204
+
1205
+ Write to `{FEATURE_DIR}/validation-report.md`:
1206
+
1207
+ ```markdown
1208
+ ---
1209
+ feature: [Feature Name]
1210
+ validated: [ISO timestamp]
1211
+ validator: Claude
1212
+ status: [PASS/FAIL]
1213
+ score: [N]
1214
+ score_max: 110
1215
+ iteration: [N]
1216
+ has_ui: [true/false]
1217
+ deploy_in_scope: [true/false]
1218
+ objective_gate_status: [PASS/FAIL]
1219
+ goal_rebaseline_report: goal-rebaseline-report.md
1220
+ loop_audit_report: loop-audit-report.md
1221
+ blast_radius_verdict: [CONTAINED | BREACHED]
1222
+ blast_radius_report: blast-radius-report.md
1223
+ GeneratedAt: [ISO timestamp]
1224
+ SourceCommandId: /6_gofer_validate
1225
+ SourceInputs: [spec.md, plan.md, tasks.md, research.md, automated checks, agent findings]
1226
+ OverwriteNoticeWhenApplicable: [new file or overwrite note]
1227
+ ---
1228
+
1229
+ # Validation Report: [Feature Name]
1230
+
1231
+ ## Objective Outcome Gate
1232
+
1233
+ - Goal ledger: `goal-ledger.json`
1234
+ - Rebaseline report: `goal-rebaseline-report.md`
1235
+ - Loop contract: `loop-contract.json`
1236
+ - Loop ledger: `loop-ledger.jsonl`
1237
+ - Loop audit report: `loop-audit-report.md`
1238
+ - Outcome gate status: [PASS/FAIL]
1239
+ - Recommended reopen stage: [none | 2_specify | 3_plan | 4_tasks | 6_validate]
1240
+ - Summary: [why objectives remain aligned or why the loop must reopen]
1241
+
1242
+ ## Rubric Score
1243
+
1244
+ | # | Category | Points | Score | Status | Evidence |
1245
+ | --- | -------------------------- | ------- | ---------- | --------------- | --------- |
1246
+ | 1 | Functional Correctness | [15/20] | [0/15/20] | PASS/FAIL | [summary] |
1247
+ | 2 | Test Authenticity | [15/20] | [0/15/20] | PASS/FAIL | [summary] |
1248
+ | 3 | UI/E2E Verification | [10/0] | [0/10/N/A] | PASS/FAIL/SKIP | [summary] |
1249
+ | 4 | Security Posture | 10 | [0/10] | PASS/FAIL | [summary] |
1250
+ | 5 | Integration Reality | 10 | [0/10] | PASS/FAIL | [summary] |
1251
+ | 6 | Error Path Coverage | 10 | [0/10] | PASS/FAIL | [summary] |
1252
+ | 7 | Architecture Compliance | 10 | [0/10] | PASS/FAIL | [summary] |
1253
+ | 8 | Performance Baseline | 5 | [0/5] | PASS/FAIL | [summary] |
1254
+ | 9 | Code Hygiene | 10 | [0/10] | PASS/FAIL | [summary] |
1255
+ | 10 | Specification Traceability | 5 | [0/5] | PASS/FAIL | [summary] |
1256
+ | 11 | Blast Radius Containment | 10 | [0/10] | PASS/FAIL | [summary] |
1257
+ | | **TOTAL** | **110** | **[N]** | **[PASS/FAIL]** | |
1258
+
1259
+ ## Automated Check Results
1260
+
1261
+ | Check | Command | Result |
1262
+ | --------- | ------------- | ------------------- |
1263
+ | Build | npm run build | [PASS/FAIL] |
1264
+ | Tests | npm test | [PASS/FAIL] |
1265
+ | Lint | npm run lint | [PASS/FAIL + count] |
1266
+ | TypeCheck | tsc --noEmit | [PASS/FAIL] |
1267
+
1268
+ ## Closed-Loop Traceability
1269
+
1270
+ | Requirement ID | Goal ID | Code Evidence | Test Evidence | Status |
1271
+ | -------------- | ------- | ------------- | ------------- | ------ |
1272
+ | [FR-001] | [G1] | [path] | [path] | [PASS/FAIL] |
1273
+
1274
+ ## Mutation Testing
1275
+
1276
+ - **Stryker available**: [Yes/No]
1277
+ - **Mutation score**: [N]% (target: >= 60%)
1278
+
1279
+ ## Mock Ratio Analysis
1280
+
1281
+ - **Total mock calls**: [N]
1282
+ - **Total real assertions**: [N]
1283
+ - **Mock ratio**: [N]% (target: <= 30%)
1284
+ - **Justified mocks excluded**: [N]
1285
+
1286
+ ### Worst Offenders by File
1287
+
1288
+ | File | Mocks | Assertions | Ratio | Status |
1289
+ | ------ | ----- | ---------- | ----- | ------- |
1290
+ | [file] | [N] | [N] | [N]% | OK/FAIL |
1291
+
1292
+ ## Specialist Agent Findings
1293
+
1294
+ ### Red (Blocking)
1295
+
1296
+ | # | Category | Finding | File | Line |
1297
+ | --- | ---------- | ------------- | ------ | ------ |
1298
+ | [N] | [category] | [description] | [file] | [line] |
1299
+
1300
+ ### Yellow (Must Address)
1301
+
1302
+ | # | Category | Finding | File | Line |
1303
+ | --- | ---------- | ------------- | ------ | ------ |
1304
+ | [N] | [category] | [description] | [file] | [line] |
1305
+
1306
+ ### Gray (Informational)
1307
+
1308
+ | # | Category | Finding | File | Line |
1309
+ | --- | ---------- | ------------- | ------ | ------ |
1310
+ | [N] | [category] | [description] | [file] | [line] |
1311
+
1312
+ ## AI Slop Detection Summary
1313
+
1314
+ | Pattern | Count | Severity |
1315
+ | ---------------------------- | ----- | -------- |
1316
+ | Placeholder assertions | [N] | Red |
1317
+ | Skipped tests | [N] | Red |
1318
+ | TODO/FIXME placeholders | [N] | Yellow |
1319
+ | Empty catch blocks | [N] | Yellow |
1320
+ | Redundant comments | [N] | Yellow |
1321
+ | Over-engineered abstractions | [N] | Gray |
1322
+ | Magic numbers | [N] | Gray |
1323
+
1324
+ ## Blast Radius Summary (Phase B)
1325
+
1326
+ See `{FEATURE_DIR}/blast-radius-report.md` for the full dimension report.
1327
+
1328
+ | Dimension | Agent | Red | Yellow | Gray | Verdict |
1329
+ | ----------------------------------- | ----------------------------- | --- | ------ | ---- | ------------------------ |
1330
+ | Change graph / ripple | codebase-analyzer | [N] | [N] | [N] | [OK/BREACHED] |
1331
+ | Interface contracts | validation-integration | [N] | [N] | [N] | [OK/BREACHED] |
1332
+ | Error logging & observability | validation-standards | [N] | [N] | [N] | [OK/BREACHED] |
1333
+ | Dependency & submodule impact | research-dependency-evaluator | [N] | [N] | [N] | [OK/BREACHED] |
1334
+ | Rollback readiness & release chklst | tasks-rollback-planner | [N] | [N] | [N] | [OK/BREACHED] |
1335
+ | | **TOTAL** | [N] | [N] | [N] | **[CONTAINED/BREACHED]** |
1336
+
1337
+ **Change Surface Summary**
1338
+
1339
+ - Modified files: [N]
1340
+ - Submodules touched: [list]
1341
+ - Public-surface symbols modified: [N]
1342
+ - Breaking API changes: [N]
1343
+ - New dependencies: [N]
1344
+ - New High/Critical CVEs: [N]
1345
+ - Irreversible migrations: [N]
1346
+ - CHANGELOG updated: [Yes/No/N/A]
1347
+
1348
+ **Phase B Gate**: Cat 11 scores 10 only if verdict is **CONTAINED**.
1349
+
1350
+ ## Spec Compliance
1351
+
1352
+ ### [US1 Name]
1353
+
1354
+ - [x/] Acceptance criterion 1
1355
+ - [x/] Acceptance criterion 2
1356
+
1357
+ ### [US2 Name]
1358
+
1359
+ - [x/] Acceptance criterion 1
1360
+
1361
+ ## Recommendations
1362
+
1363
+ ### Before Merge (Must Fix)
1364
+
1365
+ - [Red and Yellow findings requiring action]
1366
+
1367
+ ### Future Improvements (Informational)
1368
+
1369
+ - [Gray findings and suggestions]
1370
+
1371
+ ## Evidence Table
1372
+
1373
+ | Category | Score | Evidence Artifact / Command Output | Absent / Reason for 0 |
1374
+ | --- | --- | --- | --- |
1375
+ | 1 — Functional Correctness | [0/15/20] | [file path, executed `npm test` output with timestamp, or agent citation] | [reason if 0] |
1376
+ | 2 — Test Authenticity | [0/15/20] | [file path, mutation output, or agent citation] | [reason if 0] |
1377
+ | 3 — UI/E2E Verification | [0/10/N/A] | [`N/A — HAS_UI=false`, `Render proof only — deployment target not in scope`, or render/deploy artifact] | [reason if 0 or not in scope] |
1378
+ | 4 — Security Posture | [0/10] | [agent finding citation] | [reason if 0] |
1379
+ | 5 — Integration Reality | [0/10] | [runtime wiring proof, integration-test output, or agent citation] | [reason if 0] |
1380
+ | 6 — Error Path Coverage | [0/10] | [agent finding citation] | [reason if 0] |
1381
+ | 7 — Architecture Compliance | [0/10] | [agent finding citation] | [reason if 0] |
1382
+ | 8 — Performance Baseline | [0/5] | [agent finding citation] | [reason if 0] |
1383
+ | 9 — Code Hygiene | [0/10] | [agent finding citation] | [reason if 0] |
1384
+ | 10 — Specification Traceability | [0/5] | [agent finding citation] | [reason if 0] |
1385
+ | 11 — Blast Radius Containment | [0/10] | [blast-radius-report.md reference] | [reason if 0] |
1386
+ | **Total** | **[N]/110** | | |
1387
+ ```
1388
+
1389
+ This evidence table is required on **EVERY run (PASS and FAIL)**.
1390
+
1391
+ Each `Evidence Artifact / Command Output` cell MUST contain at least one of:
1392
+
1393
+ - A file path visible in the current session
1394
+ - An executed command and its real output (with timestamp)
1395
+ - A sub-agent finding citation (agent name + finding ID)
1396
+
1397
+ An empty evidence cell or a cell containing only inferences/assumptions MUST
1398
+ cause that category to score 0.
1399
+
1400
+ Category 11's evidence cell MUST cite `blast-radius-report.md`.
1401
+
1402
+ When Category 3 is not in scope, the report preamble or row text MUST make the
1403
+ redistribution explicit enough that normalization/effective contribution remains
1404
+ derivable from the persisted report, and `Absent / Reason for 0` must record
1405
+ the matching not-in-scope reason.
1406
+
1407
+ ---
1408
+
1409
+ ## Step 9: Determine Outcome
1410
+
1411
+ ### If TOTAL = 110 and objective_gate_status = PASS: PASS (Phase A + B)
1412
+
1413
+ ```
1414
+ ════════════════════════════════════════════════════════════════
1415
+ RUBRIC PASSED: [Feature Name]
1416
+ ════════════════════════════════════════════════════════════════
1417
+
1418
+ Score: 110/110
1419
+
1420
+ Rubric:
1421
+ ✓ Functional Correctness [15/20]/[15/20]
1422
+ ✓ Test Authenticity [15/20]/[15/20]
1423
+ ✓ UI/E2E Verification [10/10 or N/A]
1424
+ ✓ Security Posture 10/10
1425
+ ✓ Integration Reality 10/10
1426
+ ✓ Error Path Coverage 10/10
1427
+ ✓ Architecture Compliance 10/10
1428
+ ✓ Performance Baseline 5/5
1429
+ ✓ Code Hygiene 10/10
1430
+ ✓ Specification Traceability 5/5
1431
+ ✓ Blast Radius Containment 10/10
1432
+
1433
+ Reports:
1434
+ {FEATURE_DIR}/validation-report.md
1435
+ {FEATURE_DIR}/blast-radius-report.md
1436
+
1437
+ ════════════════════════════════════════════════════════════════
1438
+ ```
1439
+
1440
+ Proceed to **Phase C: Engineering Review Loop** (inline, Step 10a below), then
1441
+ **Step 11: Attribution Logging** and **Step 12: Memory Update Check**.
1442
+
1443
+ **No external auto-chain is needed** — Phase C runs inline in this command.
1444
+ After Phase C completes, the feature pipeline is complete.
1445
+
1446
+ ### If TOTAL < 110 or objective_gate_status = FAIL: FAIL
1447
+
1448
+ Proceed to **Step 10: Brownfield Restart** (Phase C does not run when the rubric
1449
+ fails — fix the rubric first).
1450
+
1451
+ ---
1452
+
1453
+ ## Step 10: Brownfield Restart Loop
1454
+
1455
+ When validation fails (score < score_max), generate a remediation report and signal
1456
+ the orchestrator to restart the pipeline focused on failed areas.
1457
+
1458
+ ### 10.1 Check Iteration Count
1459
+
1460
+ - If `ITERATION >= 3`: Generate **escalation report** instead (see 10.4)
1461
+ - If `ITERATION < 3`: Generate **remediation report** and signal restart
1462
+
1463
+ ### 10.2 Generate Remediation Report
1464
+
1465
+ Write to `{FEATURE_DIR}/remediation-report.md`:
1466
+
1467
+ ```markdown
1468
+ ---
1469
+ feature: [Feature Name]
1470
+ iteration: [N]
1471
+ score: [N]
1472
+ score_max: 110
1473
+ generated: [ISO timestamp]
1474
+ failed_categories: [list]
1475
+ ---
1476
+
1477
+ # Remediation Report: [Feature Name]
1478
+
1479
+ ## Iteration [N] of 3
1480
+
1481
+ **Score**: [N]/110 **Status**: FAIL — Remediation Required
1482
+
1483
+ ## Failed Categories
1484
+
1485
+ ### [Category Name] (0/[points])
1486
+
1487
+ **Evidence**: [Specific findings from agent reports]
1488
+
1489
+ **Required Actions**:
1490
+
1491
+ 1. [Specific action to fix this category]
1492
+ 2. [Another specific action]
1493
+
1494
+ **Files to modify**:
1495
+
1496
+ - `path/to/file.ts:line` — [what to change]
1497
+
1498
+ ### [Next Failed Category]
1499
+
1500
+ ...
1501
+
1502
+ ## Remediation Scope
1503
+
1504
+ The following pipeline stages should re-run focused on these areas:
1505
+
1506
+ - **Research**: [Any new research needed, or "Not needed"]
1507
+ - **Plan**: [Any plan updates, or "Not needed"]
1508
+ - **Implement**: [Specific tasks to re-implement]
1509
+ - **Validate**: Re-run after fixes
1510
+
1511
+ ## Previous Iterations
1512
+
1513
+ | Iteration | Score | Failed Categories | Date |
1514
+ | --------- | ------- | ----------------- | ------ |
1515
+ | 1 | [N]/110 | [list] | [date] |
1516
+ | 2 | [N]/110 | [list] | [date] |
1517
+ ```
1518
+
1519
+ ### 10.3 Signal Orchestrator
1520
+
1521
+ Output the routing instruction:
1522
+
1523
+ ```
1524
+ ════════════════════════════════════════════════════════════════
1525
+ VALIDATION FAILED: [Feature Name]
1526
+ ════════════════════════════════════════════════════════════════
1527
+
1528
+ Score: [N]/110
1529
+ Iteration: [N] of 3
1530
+
1531
+ Failed categories:
1532
+ ✗ [Category] — 0/[points]: [brief reason]
1533
+ ✗ [Category] — 0/[points]: [brief reason]
1534
+
1535
+ Remediation report: {FEATURE_DIR}/remediation-report.md
1536
+
1537
+ REMEDIATION REQUIRED: [feature-name]
1538
+ Failed categories: [list]
1539
+ Iteration: [N] of 3
1540
+ Route: /5_gofer_implement → focused on [failed areas]
1541
+
1542
+ ════════════════════════════════════════════════════════════════
1543
+ ```
1544
+
1545
+ Then proceed to **Step 11: Attribution Logging**.
1546
+
1547
+ ### 10.4 Escalation (Iteration 3 Failure)
1548
+
1549
+ If this is the 3rd iteration and validation still fails, generate
1550
+ `{FEATURE_DIR}/escalation-report.md`:
1551
+
1552
+ ```markdown
1553
+ ---
1554
+ feature: [Feature Name]
1555
+ iteration: 3
1556
+ final_score: [N]/110
1557
+ escalated: [ISO timestamp]
1558
+ ---
1559
+
1560
+ # Escalation Report: [Feature Name]
1561
+
1562
+ ## Human Review Required
1563
+
1564
+ After 3 remediation attempts, the following categories still fail:
1565
+
1566
+ ### [Category] — All 3 attempts failed
1567
+
1568
+ **Iteration history**:
1569
+
1570
+ 1. Score [N] — [what was tried]
1571
+ 2. Score [N] — [what was tried]
1572
+ 3. Score [N] — [what was tried]
1573
+
1574
+ **Root cause assessment**: [Why automated remediation isn't working]
1575
+
1576
+ **Recommended human action**: [What a developer should do]
1577
+
1578
+ ## Full Score History
1579
+
1580
+ | Iteration | Total | Cat1 | Cat2 | Cat3 | Cat4 | Cat5 | Cat6 | Cat7 | Cat8 | Cat9 | Cat10 | Cat11 |
1581
+ | --------- | ----- | ---- | ---- | ---- | ---- | ---- | ---- | ---- | ---- | ---- | ----- | ----- |
1582
+ | 1 | [N] | [N] | [N] | [N] | [N] | [N] | [N] | [N] | [N] | [N] | [N] | [N] |
1583
+ | 2 | [N] | [N] | [N] | [N] | [N] | [N] | [N] | [N] | [N] | [N] | [N] | [N] |
1584
+ | 3 | [N] | [N] | [N] | [N] | [N] | [N] | [N] | [N] | [N] | [N] | [N] | [N] |
1585
+ ```
1586
+
1587
+ Output:
1588
+
1589
+ ```
1590
+ ════════════════════════════════════════════════════════════════
1591
+ ESCALATION: [Feature Name]
1592
+ ════════════════════════════════════════════════════════════════
1593
+
1594
+ After 3 remediation attempts, validation still fails.
1595
+ Score: [N]/110
1596
+
1597
+ Escalation report: {FEATURE_DIR}/escalation-report.md
1598
+
1599
+ This feature requires human review before proceeding.
1600
+ The automated pipeline cannot resolve the remaining issues.
1601
+
1602
+ ════════════════════════════════════════════════════════════════
1603
+ ```
1604
+
1605
+ ---
1606
+
1607
+ # Phase C — Engineering Review Loop
1608
+
1609
+ Phase C runs **only when the rubric passes** (110/110). It performs 1-5
1610
+ iterative review→fix→re-review cycles using 3 additional review agents per
1611
+ cycle, catching issues that the rubric-based validation might miss (edge cases,
1612
+ race conditions, API-contract drift against the as-implemented code, spec spirit
1613
+ violations).
1614
+
1615
+ Phase C is the terminal stage of `/6_gofer_validate`. After Phase C completes,
1616
+ the feature pipeline is complete.
1617
+
1618
+ ## Step 10a: Initialize Phase C
1619
+
1620
+ 1. **Guard**: only proceed if rubric `status == PASS` and the objective outcome
1621
+ gate passes (Step 9 TOTAL = 110 and Step 1.5 PASS). If
1622
+ FAIL, skip Phase C entirely — brownfield restart (Step 10) already triggered.
1623
+
1624
+ 2. **Initialize cycle counter**: `CYCLE = 1`
1625
+
1626
+ 3. **Initialize findings history**: Empty array to accumulate across cycles.
1627
+
1628
+ 4. **Seed findings from Phase B Yellow/Gray**: All Yellow findings from the
1629
+ blast-radius report are added to the Phase C finding list for mandatory
1630
+ attention. Gray findings are logged but not auto-fixed.
1631
+
1632
+ ## Step 10b: Spawn 3 Parallel Review Agents (Cycle N of 5)
1633
+
1634
+ Launch all 3 agents **in parallel** using the Task tool. Each agent receives the
1635
+ feature context and returns structured findings.
1636
+
1637
+ ### Agent 13: Engineer Review (Spec↔Plan↔Tasks↔Research Alignment)
1638
+
1639
+ ```
1640
+ Task: subagent_type="engineer-review", model="sonnet"
1641
+ Prompt: "Post-implementation engineering review for feature [FEATURE_NAME].
1642
+
1643
+ Feature directory: {FEATURE_DIR}
1644
+ Spec: {FEATURE_DIR}/spec.md
1645
+ Plan: {FEATURE_DIR}/plan.md
1646
+ Tasks: {FEATURE_DIR}/tasks.md
1647
+ Research: {FEATURE_DIR}/research.md
1648
+
1649
+ This is a POST-IMPLEMENTATION review (code is already written).
1650
+ In addition to your standard spec↔plan↔tasks alignment checks:
1651
+ 1. Verify spec completeness against research.md — are all research findings addressed?
1652
+ 2. Check all acceptance criteria are addressed in the actual code (not just tasks)
1653
+ 3. Verify research.md patterns were followed in implementation
1654
+
1655
+ Return findings in your standard report format (<2000 tokens)."
1656
+ ```
1657
+
1658
+ ### Agent 14: Codebase Analyzer (Code↔Tasks Verification)
1659
+
1660
+ ```
1661
+ Task: subagent_type="codebase-analyzer", model="sonnet"
1662
+ Prompt: "Post-implementation code verification for feature [FEATURE_NAME].
1663
+
1664
+ Feature directory: {FEATURE_DIR}
1665
+ Tasks: {FEATURE_DIR}/tasks.md
1666
+
1667
+ Verify the following:
1668
+ 1. Every task marked [x] in tasks.md has corresponding code changes — check file paths
1669
+ 2. Search for TODO/FIXME/HACK comments in files listed in tasks.md
1670
+ 3. Check for dead code or unused imports in changed files
1671
+ 4. Verify any API contracts/interfaces match their actual implementations
1672
+ 5. Check for inconsistencies between task descriptions and what was implemented
1673
+
1674
+ Return findings with Red/Yellow/Gray severity (<2000 tokens).
1675
+ Red = task marked complete but no code found, or API contract mismatch
1676
+ Yellow = TODO/FIXME comments, unused imports, minor inconsistencies
1677
+ Gray = style suggestions, optional improvements"
1678
+ ```
1679
+
1680
+ ### Agent 15: Correctness Re-verification
1681
+
1682
+ ```
1683
+ Task: subagent_type="validation-correctness", model="sonnet"
1684
+ Prompt: "Post-implementation correctness re-verification for feature [FEATURE_NAME].
1685
+
1686
+ Feature directory: {FEATURE_DIR}
1687
+ Spec: {FEATURE_DIR}/spec.md
1688
+ Plan: {FEATURE_DIR}/plan.md
1689
+
1690
+ This is a focused re-check after validation passed. Look for issues that
1691
+ rubric-based validation might miss:
1692
+ 1. Edge cases from spec that may not have explicit tests
1693
+ 2. Error handling completeness — are all failure modes covered?
1694
+ 3. Race conditions or concurrency issues in async code
1695
+ 4. Input validation at system boundaries
1696
+ 5. Any acceptance criteria that are technically 'covered' by tests but
1697
+ the implementation doesn't fully satisfy the spirit of the requirement
1698
+
1699
+ Return findings with Red/Yellow/Gray severity (<2000 tokens).
1700
+ Red = acceptance criterion not genuinely satisfied, critical error path missing
1701
+ Yellow = edge case not covered, partial error handling
1702
+ Gray = potential improvement, defensive coding suggestion"
1703
+ ```
1704
+
1705
+ **Run all 3 agents in parallel.** Collect all results before proceeding.
1706
+
1707
+ ## Step 10c: Run Build/Test/Lint Verification
1708
+
1709
+ Execute verification commands and capture results:
1710
+
1711
+ ### Build Check
1712
+
1713
+ ```bash
1714
+ cd extension && npm run compile
1715
+ ```
1716
+
1717
+ ### Test Check
1718
+
1719
+ ```bash
1720
+ cd extension && npm test
1721
+ ```
1722
+
1723
+ ### Lint Check
1724
+
1725
+ ```bash
1726
+ cd extension && npm run lint
1727
+ ```
1728
+
1729
+ Record results:
1730
+
1731
+ ```
1732
+ | Check | Command | Result |
1733
+ |--------|----------------------|-------------|
1734
+ | Build | npm run compile | PASS / FAIL |
1735
+ | Tests | npm test | PASS / FAIL |
1736
+ | Lint | npm run lint | PASS / FAIL |
1737
+ ```
1738
+
1739
+ **If any check FAILS**: Record as a Red finding.
1740
+
1741
+ ## Step 10d: Synthesize Findings
1742
+
1743
+ Collect all agent reports and build/test/lint results. Merge with Phase B
1744
+ Yellow/Gray carryovers. Classify each finding:
1745
+
1746
+ - **Red** (blocking): Task marked complete but no code, API contract mismatch,
1747
+ acceptance criterion not genuinely satisfied, build/test/lint failure,
1748
+ critical error path missing
1749
+ - **Yellow** (should fix): TODO/FIXME comments, unused imports, edge cases not
1750
+ covered, partial error handling, minor inconsistencies, Phase B Yellows
1751
+ - **Gray** (informational): Style suggestions, optional improvements, defensive
1752
+ coding suggestions, Phase B Grays
1753
+
1754
+ ### Compile Finding Table
1755
+
1756
+ ```
1757
+ | # | Finding | Severity | Source | File | Line | Status |
1758
+ |---|---------|----------|---------------------------|--------|--------|--------|
1759
+ | 1 | [desc] | Red | engineer-review | [file] | [line] | OPEN |
1760
+ | 2 | [desc] | Yellow | codebase-analyzer | [file] | [line] | OPEN |
1761
+ | 3 | [desc] | Yellow | phase-b:observability | [file] | [line] | OPEN |
1762
+ ```
1763
+
1764
+ ### Decision Logic
1765
+
1766
+ - If **NO Red or Yellow findings** → PASS → proceed to Step 10g (Report)
1767
+ - If **Red or Yellow findings exist** → proceed to Step 10e (Fix)
1768
+
1769
+ ## Step 10e: Fix Findings
1770
+
1771
+ For each Red and Yellow finding from the current cycle:
1772
+
1773
+ 1. **Read the affected file** at the specified line
1774
+ 2. **Apply the fix** directly using Edit tool
1775
+ 3. **Mark the finding as FIXED** in the finding table
1776
+
1777
+ ### Fix Priority
1778
+
1779
+ 1. Red findings first (blocking issues)
1780
+ 2. Yellow findings second (should fix)
1781
+ 3. Gray findings are logged but NOT auto-fixed
1782
+
1783
+ ### After Fixing
1784
+
1785
+ Re-run build/test/lint to verify fixes don't introduce regressions:
1786
+
1787
+ ```bash
1788
+ cd extension && npm run compile && npm test && npm run lint
1789
+ ```
1790
+
1791
+ If the verification fails after fixes, record new failures as Red findings for
1792
+ the next cycle.
1793
+
1794
+ ## Step 10f: Loop or Complete
1795
+
1796
+ ### Increment Cycle
1797
+
1798
+ ```
1799
+ CYCLE = CYCLE + 1
1800
+ ```
1801
+
1802
+ ### Decision
1803
+
1804
+ - If `CYCLE <= 5` AND findings were fixed in the previous cycle → **Go to Step
1805
+ 10b** (re-review with fresh agent runs to verify fixes and catch any new
1806
+ issues)
1807
+ - If `CYCLE > 5` AND Red/Yellow findings still remain → **Generate escalation
1808
+ section** in the report, declare pipeline complete with warnings
1809
+ - If **all findings resolved** (no Red or Yellow) → **Declare pipeline
1810
+ complete** (proceed to Step 10g)
1811
+
1812
+ ## Step 10g: Generate Engineering Review Report
1813
+
1814
+ Write to `{FEATURE_DIR}/engineering-review-report.md`:
1815
+
1816
+ ```markdown
1817
+ ---
1818
+ feature: [Feature Name]
1819
+ reviewed: [ISO timestamp]
1820
+ reviewer: Claude
1821
+ status: [PASS/PASS_WITH_WARNINGS/ESCALATED]
1822
+ cycles: [N]
1823
+ total_findings: [N]
1824
+ resolved_findings: [N]
1825
+ blast_radius_carryovers: [N]
1826
+ ---
1827
+
1828
+ # Engineering Review Report: [Feature Name]
1829
+
1830
+ ## Summary
1831
+
1832
+ - **Status**: [PASS / PASS_WITH_WARNINGS / ESCALATED]
1833
+ - **Review cycles**: [N] of 5 max
1834
+ - **Total findings**: [N] (Red: [N], Yellow: [N], Gray: [N])
1835
+ - **Resolved**: [N] findings fixed across [N] cycles
1836
+ - **Remaining**: [N] findings (if any)
1837
+ - **Phase B carryovers addressed**: [N] of [N]
1838
+
1839
+ ## Cycle History
1840
+
1841
+ ### Cycle 1
1842
+
1843
+ **Agents**: engineer-review, codebase-analyzer, validation-correctness
1844
+ **Build/Test/Lint**: [PASS/FAIL details]
1845
+
1846
+ | # | Finding | Severity | Source | File | Line | Resolution |
1847
+ | --- | ------- | -------- | ------ | ------ | ------ | ------------ |
1848
+ | 1 | [desc] | [sev] | [src] | [file] | [line] | [FIXED/OPEN] |
1849
+
1850
+ ### Cycle 2 (if applicable)
1851
+
1852
+ ...
1853
+
1854
+ ## Remaining Findings (if any)
1855
+
1856
+ | # | Finding | Severity | Source | File | Line | Reason Not Fixed |
1857
+ | --- | ------- | -------- | ------ | ------ | ------ | ---------------- |
1858
+ | 1 | [desc] | [sev] | [src] | [file] | [line] | [why] |
1859
+
1860
+ ## Recommendations
1861
+
1862
+ ### Must Address Before Merge
1863
+
1864
+ - [Any remaining Red/Yellow findings]
1865
+
1866
+ ### Future Improvements
1867
+
1868
+ - [Gray findings and suggestions]
1869
+ ```
1870
+
1871
+ ## Step 10g.5: Final Working Backwards PR/FAQ And CISO Summary
1872
+
1873
+ After the validation report, blast-radius report, loop audit, and engineering
1874
+ review report are written:
1875
+
1876
+ 1. Update `{FEATURE_DIR}/working-backwards-prfaq.md`.
1877
+ - Mark each Press Release claim as validated, changed, or unvalidated based
1878
+ on `validation-report.md`, `blast-radius-report.md`,
1879
+ `goal-rebaseline-report.md`, and `loop-audit-report.md`.
1880
+ - Fill Internal FAQ CISO / Risk with data handled, identity controls,
1881
+ tenant boundaries, secrets handling, residual risks, validation evidence,
1882
+ and launch gates.
1883
+ - Update "What happens if something goes wrong?" with rollback/support
1884
+ evidence from validation and blast-radius analysis.
1885
+ 2. Write `{FEATURE_DIR}/prfaq-history/06-validate.md` as an immutable final
1886
+ validation snapshot.
1887
+ 3. Create or update `{FEATURE_DIR}/ciso-security-summary.md` from
1888
+ `.specify/templates/ciso-security-summary-template.md` using
1889
+ `validation-report.md`, `blast-radius-report.md`, `audit-history.md`,
1890
+ `visuals/risk-heatmap.md`, auth/tenant evidence, secrets/data handling
1891
+ evidence, and loop audit evidence.
1892
+ 4. Refresh `{FEATURE_DIR}/business-owner-summary.md` with final validation
1893
+ status, business value confidence, and any validated/disproven assumptions.
1894
+ 5. Refresh `{FEATURE_DIR}/cto-architecture-summary.md` with validation status,
1895
+ blast-radius verdict, and any architecture/security exceptions.
1896
+ 6. Update `{FEATURE_DIR}/stakeholder-review-index.md` and make the final
1897
+ approve/revise/defer asks explicit:
1898
+ - Business Owner: release value, user/process impact, assumptions.
1899
+ - CTO / Architecture: platform/architecture evidence and exceptions.
1900
+ - CISO / Risk: controls, residual risks, security posture, launch gate.
1901
+ - Delivery: rollout, rollback, support, and evidence completeness.
1902
+
1903
+ If any validation gate failed, write these documents honestly with `FAIL`,
1904
+ `Pending`, or `Blocked` status; do not polish a failed feature as ready.
1905
+
1906
+ ## Step 10h: Output Completion Banner
1907
+
1908
+ ### If PASS (all findings resolved or no findings):
1909
+
1910
+ ```
1911
+ ════════════════════════════════════════════════════════════════
1912
+ ENGINEERING REVIEW PASSED: [Feature Name]
1913
+ ════════════════════════════════════════════════════════════════
1914
+
1915
+ Cycles: [N] of 5 max
1916
+ Findings: [N] found, [N] resolved
1917
+ Report: {FEATURE_DIR}/engineering-review-report.md
1918
+ Working Backwards PR/FAQ: {FEATURE_DIR}/working-backwards-prfaq.md
1919
+ CISO summary: {FEATURE_DIR}/ciso-security-summary.md
1920
+ Stakeholder review index: {FEATURE_DIR}/stakeholder-review-index.md
1921
+
1922
+ ════════════════════════════════════════════════════════════════
1923
+ FEATURE PIPELINE COMPLETE!
1924
+
1925
+ All Gofer stages finished:
1926
+ 1. /1_gofer_research ✓
1927
+ 2. /2_gofer_specify ✓
1928
+ 3. /3_gofer_plan ✓
1929
+ 4. /4_gofer_tasks ✓
1930
+ 5. /5_gofer_implement ✓
1931
+ 6. /6_gofer_validate ✓ (Phase A ✓, Phase B ✓, Phase C ✓)
1932
+
1933
+ The feature is ready for review and merge.
1934
+ Stakeholder PR/FAQ and persona summaries are ready for Business Owner,
1935
+ CTO/Architecture, CISO/Risk, and Delivery review.
1936
+ ════════════════════════════════════════════════════════════════
1937
+ ```
1938
+
1939
+ ### If PASS_WITH_WARNINGS (5 cycles exhausted, only Gray remaining):
1940
+
1941
+ ```
1942
+ ════════════════════════════════════════════════════════════════
1943
+ ENGINEERING REVIEW PASSED (WITH WARNINGS): [Feature Name]
1944
+ ════════════════════════════════════════════════════════════════
1945
+
1946
+ Cycles: 5 of 5 max
1947
+ Findings: [N] found, [N] resolved, [N] Gray remaining
1948
+ Report: {FEATURE_DIR}/engineering-review-report.md
1949
+ Working Backwards PR/FAQ: {FEATURE_DIR}/working-backwards-prfaq.md
1950
+ CISO summary: {FEATURE_DIR}/ciso-security-summary.md
1951
+ Stakeholder review index: {FEATURE_DIR}/stakeholder-review-index.md
1952
+
1953
+ ⚠ Gray findings remain — see report for details.
1954
+
1955
+ ════════════════════════════════════════════════════════════════
1956
+ FEATURE PIPELINE COMPLETE!
1957
+
1958
+ All Gofer stages finished:
1959
+ 1. /1_gofer_research ✓
1960
+ 2. /2_gofer_specify ✓
1961
+ 3. /3_gofer_plan ✓
1962
+ 4. /4_gofer_tasks ✓
1963
+ 5. /5_gofer_implement ✓
1964
+ 6. /6_gofer_validate ✓ (Phase A ✓, Phase B ✓, Phase C ⚠)
1965
+
1966
+ The feature is ready for review and merge (review Gray findings).
1967
+ ════════════════════════════════════════════════════════════════
1968
+ ```
1969
+
1970
+ ### If ESCALATED (5 cycles exhausted, Red/Yellow remain):
1971
+
1972
+ ```
1973
+ ════════════════════════════════════════════════════════════════
1974
+ ENGINEERING REVIEW ESCALATED: [Feature Name]
1975
+ ════════════════════════════════════════════════════════════════
1976
+
1977
+ Cycles: 5 of 5 max (exhausted)
1978
+ Findings: [N] found, [N] resolved, [N] Red/Yellow remaining
1979
+
1980
+ Remaining issues:
1981
+ ✗ [Finding] — [severity]: [brief reason]
1982
+
1983
+ Report: {FEATURE_DIR}/engineering-review-report.md
1984
+ Working Backwards PR/FAQ: {FEATURE_DIR}/working-backwards-prfaq.md
1985
+ CISO summary: {FEATURE_DIR}/ciso-security-summary.md
1986
+ Stakeholder review index: {FEATURE_DIR}/stakeholder-review-index.md
1987
+
1988
+ This feature requires human review of remaining findings
1989
+ before merging.
1990
+
1991
+ ════════════════════════════════════════════════════════════════
1992
+ ```
1993
+
1994
+ ---
1995
+
1996
+ # End of Phase C
1997
+
1998
+ ---
1999
+
2000
+ ## Step 11: Attribution Logging
2001
+
2002
+ Log every finding to `.specify/logs/validation-findings.jsonl`.
2003
+ For EnterpriseAI runs, also mirror the same finding lifecycle to
2004
+ `{FEATURE_DIR}/audit-history.md` so executive, architecture, CISO, data, CIO,
2005
+ delivery, finance, operations, and risk/compliance stakeholders can see stable
2006
+ finding IDs, recurrence, disposition, owner, expiry, and review cadence.
2007
+
2008
+ ### Finding Format
2009
+
2010
+ For each finding from all agents and automated checks, append a JSON line:
2011
+
2012
+ ```json
2013
+ {
2014
+ "finding_id": "F[NNN]",
2015
+ "timestamp": "[ISO timestamp]",
2016
+ "feature": "[feature-name]",
2017
+ "category": "[rubric_category_snake_case]",
2018
+ "severity": "[red|yellow|gray]",
2019
+ "description": "[finding description]",
2020
+ "file": "[file path]",
2021
+ "line": [line number or null],
2022
+ "agent": "[agent name or 'automated']",
2023
+ "resolution": null,
2024
+ "iteration": [N]
2025
+ }
2026
+ ```
2027
+
2028
+ ### Categories for `category` field
2029
+
2030
+ - `functional_correctness`
2031
+ - `test_authenticity`
2032
+ - `ui_e2e_verification`
2033
+ - `security_posture`
2034
+ - `integration_reality`
2035
+ - `error_path_coverage`
2036
+ - `architecture_compliance`
2037
+ - `performance_baseline`
2038
+ - `code_hygiene`
2039
+ - `specification_traceability`
2040
+ - `blast_radius_containment` — **NEW** (Cat 11, Phase B)
2041
+ - Sub-dimensions for the `dimension` sub-field: `change_graph`,
2042
+ `interface_contract`, `observability`, `dependency_submodule`,
2043
+ `rollback_release`
2044
+ - `engineering_review` — Phase C findings (agent-specific sub-dimensions:
2045
+ `spec_alignment`, `code_verification`, `correctness_reverify`)
2046
+
2047
+ ### EnterpriseAI Persistent Audit Requirements
2048
+
2049
+ `audit-history.md` MUST include:
2050
+
2051
+ | Field | Requirement |
2052
+ | ----- | ----------- |
2053
+ | Finding ID | Stable across validation cycles; never renumber existing findings |
2054
+ | Source | Rubric category, agent, automated check, or stakeholder gate |
2055
+ | Status | Open, fixed, accepted, or escalated |
2056
+ | Recurrence | Count and prior cycle references for repeated findings |
2057
+ | Owner | Named accountable role or team |
2058
+ | Expiry | Required for accepted exceptions |
2059
+ | Evidence | Links to validation report, tests, contract pack, or code references |
2060
+
2061
+ Recurring red findings must escalate to the relevant decision owner and block
2062
+ launch unless explicitly accepted with owner, expiry, and review cadence.
2063
+
2064
+ For application delivery, validation MUST also check
2065
+ `{FEATURE_DIR}/journeys/base-journey.md` against the delivered implementation:
2066
+
2067
+ - The app process has four user-facing steps or fewer, or an approved exception
2068
+ explains why extra steps could not be combined, automated, or handled by
2069
+ generative AI assistance.
2070
+ - Each journey step preserves its business goal, AI assistance mode, data/context
2071
+ used, completion signal, human controls, evidence/confidence display, audit
2072
+ trail, and fallback/escalation path.
2073
+ - `{FEATURE_DIR}/ui-review-log.md` contains at least one pre-presentation
2074
+ self-review entry for each preview round that was shown to the stakeholder,
2075
+ with screenshot, local render proof, Playwright-style evidence, or an
2076
+ explicit reasoned exception.
2077
+ - `{FEATURE_DIR}/ui-approval.md` records the approved preview, approved
2078
+ branding/logo decisions, any approved EAI App Template exceptions, the
2079
+ approver, and approval timestamp.
2080
+ - `{FEATURE_DIR}/service-fit-matrix.md` records each desired platform
2081
+ capability, the evidence source used to evaluate it, and whether it is
2082
+ accessible now, purchasable but unavailable now, or unavailable without new
2083
+ platform work.
2084
+ - The delivered app uses EAI Platform, including the EAI app template, as the
2085
+ primary app substrate and Azure as the preferred cloud/supporting substrate.
2086
+ Any Firebase, Supabase, Vercel primary runtime, AWS, GCP, bespoke backend,
2087
+ unmanaged database, or unrelated SaaS dependency is rejected unless it is
2088
+ recorded as an approved integration/migration/exception with rationale, owner,
2089
+ expiry, and validation evidence.
2090
+ - The approved external/internal/hybrid profile choice, package lane, coupling
2091
+ status, Storybook story IDs, theme override points, public-readiness target,
2092
+ and custom-block exceptions are present in the preview/approval/service-fit
2093
+ artifacts and match the delivered implementation.
2094
+ - Validation confirms that app-delivery runs used EAI App Template blocks by
2095
+ default and that any create-new UI concept was explicitly approved rather
2096
+ than silently introduced.
2097
+ - Validation confirms that block-porting tasks produced the expected package
2098
+ surface and that public or hybrid lanes do not directly depend on source platform
2099
+ internals unless an approved restricted-source exception is recorded.
2100
+ - Chatbot, voice, accessibility, translation, contextual prefill, validation,
2101
+ and step-goal assistance claims are covered by acceptance tests where they are
2102
+ in scope.
2103
+
2104
+ For explicit non-app work, validation MUST treat `ui-preview-brief.md`,
2105
+ `ui-review-log.md`, `ui-approval.md`, and `service-fit-matrix.md` as
2106
+ **not applicable** rather than as missing blocking artifacts.
2107
+
2108
+ ### Log Summary Entry
2109
+
2110
+ After all findings, append a summary entry:
2111
+
2112
+ ```json
2113
+ {
2114
+ "finding_id": "SUMMARY",
2115
+ "timestamp": "[ISO timestamp]",
2116
+ "feature": "[feature-name]",
2117
+ "category": "summary",
2118
+ "severity": "info",
2119
+ "description": "Validation score: [N]/110. Categories failed: [list or 'none']",
2120
+ "file": null,
2121
+ "line": null,
2122
+ "agent": "rubric",
2123
+ "resolution": "[PASS|FAIL|ESCALATED]",
2124
+ "iteration": [N]
2125
+ }
2126
+ ```
2127
+
2128
+ ### Historical Reference
2129
+
2130
+ Before logging, read existing entries in `validation-findings.jsonl` for the
2131
+ same feature. If the same finding (same file, same line, same category) appears
2132
+ in a previous iteration, note it as a **repeat finding** in the description:
2133
+
2134
+ ```
2135
+ "description": "[REPEAT from iteration 1] expect(true).toBe(true) still present"
2136
+ ```
2137
+
2138
+ This enables tracking of findings that persist across remediation attempts.
2139
+
2140
+ ---
2141
+
2142
+ ## Step 12: Memory Update Check
2143
+
2144
+ After validation, assess whether learnings should be persisted.
2145
+
2146
+ ### 12.1 Memory Update Decision Matrix
2147
+
2148
+ | Learning Type | Update Location | When to Update |
2149
+ | ---------------------------- | ---------------------------- | ----------------------------------------- |
2150
+ | **Project-wide patterns** | `CLAUDE.md` | New conventions affecting all future work |
2151
+ | **Architectural decisions** | `.specify/memory/decisions/` | Significant design choices with rationale |
2152
+ | **Feature-specific context** | `{FEATURE_DIR}/research.md` | Discoveries relevant only to this feature |
2153
+ | **Reusable code patterns** | `CLAUDE.md` or constitution | Patterns other features should follow |
2154
+ | **Bug workarounds** | `.specify/memory/decisions/` | Issues that may recur |
2155
+
2156
+ ### 12.2 CLAUDE.md Update Criteria
2157
+
2158
+ **DO update CLAUDE.md when**:
2159
+
2160
+ - Discovered a new coding convention used across the codebase
2161
+ - Identified a critical dependency or integration pattern
2162
+ - Found a gotcha that affects multiple features
2163
+ - Established a new testing or build pattern
2164
+
2165
+ **DO NOT update CLAUDE.md when**:
2166
+
2167
+ - Learning is specific to one feature
2168
+ - Information will become stale quickly
2169
+ - Pattern is already documented elsewhere
2170
+ - Change is experimental/temporary
2171
+
2172
+ ### 12.3 Memory Update Checklist
2173
+
2174
+ Before completing validation, verify:
2175
+
2176
+ - [ ] Any project-wide patterns discovered -> added to CLAUDE.md?
2177
+ - [ ] Any significant decisions made -> recorded in decisions/?
2178
+ - [ ] Any gotchas or workarounds -> documented for future reference?
2179
+ - [ ] Feature-specific learnings -> captured in research.md?
2180
+
2181
+ ---
2182
+
2183
+ ## Observability Logging
2184
+
2185
+ At stage completion, log metrics:
2186
+
2187
+ ```bash
2188
+ .specify/scripts/bash/log-stage.sh 6_validate --complete --tokens [N] --compactions [N]
2189
+ ```
2190
+
2191
+ This also logs quality metrics (rubric scores, finding counts) to:
2192
+ `.specify/logs/quality-metrics.jsonl`
2193
+
2194
+ ---
2195
+
2196
+ ## Key Rules
2197
+
2198
+ ### Phase A (Rubric)
2199
+
2200
+ - **110/110 is the only passing score** — there is no "close enough"
2201
+ - **Agents run in parallel** — spawn all 6 (or 7 with red team) at once, do not
2202
+ serialize
2203
+ - **Red findings block** — any Red finding in any agent zeroes that category
2204
+ - **Mutation testing is optional** — gracefully degrade when Stryker absent
2205
+ - **Mock ratio excludes justified mocks** — mark with `// mock-justified:`
2206
+ comment
2207
+ - **Maximum 3 remediation iterations** — then escalate to human
2208
+
2209
+ ### Phase B (Blast Radius)
2210
+
2211
+ - **5 blast-radius agents run in parallel** — do not serialize across dimensions
2212
+ - **The change manifest is ground truth** — build it once in Step 2.5, pass the
2213
+ same manifest to every Phase B agent
2214
+ - **Breaking change + no CHANGELOG entry = Red** — always. Release-checklist
2215
+ compliance is mandatory for user-visible changes.
2216
+ - **New High/Critical CVE = Red** — block before merge; Moderate is Yellow; Low
2217
+ is Gray
2218
+ - **Cross-submodule ripple requires explicit plan.md approval** — otherwise Red
2219
+ - **Blast-radius verdict CONTAINED gives Cat 11 = 10**; BREACHED gives Cat 11 =
2220
+ 0 — this is the only way Cat 11 scores
2221
+ - **Phase B writes `blast-radius-report.md`** alongside `validation-report.md`
2222
+ - **Phase B Yellows seed Phase C** — Phase C must address them
2223
+
2224
+ ### Phase C (Engineering Review Loop)
2225
+
2226
+ - **3 review agents per cycle** — spawn all in parallel, do not serialize
2227
+ - **5 cycles maximum** — hard cap to prevent infinite loops
2228
+ - **Fix Red before Yellow** — priority ordering matters
2229
+ - **Re-verify after fixes** — always re-run build/test/lint after changes
2230
+ - **Gray findings are logged, not auto-fixed** — they go in the report
2231
+ - **Phase C only runs if the rubric passes** — a failing rubric triggers
2232
+ brownfield restart instead
2233
+ - **This stage is the pipeline terminal** — "PIPELINE COMPLETE" only appears at
2234
+ the end of Phase C
2235
+ - **Engineering review is inline** — there is no separate follow-up stage after
2236
+ validation
2237
+
2238
+ ### Across All Phases
2239
+
2240
+ - **Attribution logging is mandatory** — every finding (A, B, C) gets logged to
2241
+ JSONL with its phase and sub-dimension
2242
+ - **Be specific** — cite file paths and line numbers for all findings
2243
+ - **Score the rubric honestly** — the goal is to catch real problems, not to
2244
+ pass
2245
+ - Log stage completion for observability tracking