gaia-framework 1.57.0 → 1.57.2

package/_gaia/lifecycle/workflows/4-implementation/qa-generate-tests/workflow.yaml

@@ -1,20 +0,0 @@
-name: qa-generate-tests
-description: 'Generate automated E2E and API tests'
-module: lifecycle
-agent: qa
-config_resolved: "{installed_path}/.resolved/qa-generate-tests.yaml"
-config_source: "{project-root}/_gaia/lifecycle/config.yaml"
-installed_path: "{project-root}/_gaia/lifecycle/workflows/4-implementation/qa-generate-tests"
-instructions: "{installed_path}/instructions.xml"
-validation: "{installed_path}/checklist.md"
-quality_gates:
-  pre_start:
-    - check: "story_status == 'review'"
-      on_fail: "HALT: Story must be in review status before QA testing. Complete /gaia-dev-story first."
-on_error:
-  missing_file: "ask_user"
-  unresolved_variable: "halt"
-
-output:
-  primary: "{test_artifacts}/{story_key}-qa-tests.md"
-  secondary: "{implementation_artifacts}/{story_key}-*.md"

package/_gaia/lifecycle/workflows/4-implementation/retrospective/checklist.md

@@ -1,15 +0,0 @@
----
-title: 'Retrospective Validation'
-validation-target: 'Retrospective report'
----
-## Content
-- [ ] Sprint metrics included
-- [ ] Positives documented
-- [ ] Improvements identified
-- [ ] Action items defined with ownership
-## Tech Debt
-- [ ] Debt trend reviewed (if dashboard exists)
-- [ ] Debt impact on velocity discussed
-- [ ] Debt-related action items captured
-## Output Verification
-- [ ] Retro file exists at {implementation_artifacts}/retro-{sprint_id}.md

package/_gaia/lifecycle/workflows/4-implementation/retrospective/instructions.xml

@@ -1,164 +0,0 @@
-<workflow name="retrospective">
-<critical>
-  <mandate>Focus on actionable improvements, not blame</mandate>
-  <mandate>Always write velocity data to sm-sidecar — this enables sprint-over-sprint tracking</mandate>
-  <mandate>Check for recurring patterns across retros — systemic issues need escalation, not repetition</mandate>
-  <mandate>Steps 2-4 are DATA-DRIVEN — mine artifacts first, present findings with evidence, then let user confirm or add context. Do NOT ask open-ended questions without data backing.</mandate>
-</critical>
-<step n="1" title="Load Sprint Data">
-  <action>Read sprint-status.yaml for completed sprint — extract sprint_id, all story keys, planned points</action>
-  <action>Calculate: stories completed, stories invalid, stories carried over, velocity (points delivered vs planned)</action>
-  <action>Read ALL story files for this sprint (from sprint-status.yaml story list). For each story extract:
-    - Status (done, review, in-progress, invalid)
-    - Review Gate table results (which reviews PASSED/FAILED/PENDING)
-    - Findings table (count and types of findings)
-    - Definition of Done checklist results</action>
-  <action>Read {memory_path}/validator-sidecar/decision-log.md — extract all entries for this sprint's stories (validation attempts, findings counts, pass/fail results)</action>
-  <action>Read review reports if they exist: {story_key}-review.md, {story_key}-security-review.md, {story_key}-qa-tests.md, {story_key}-performance-review.md — extract verdicts and key issues found</action>
-  <action>Read {implementation_artifacts}/tech-debt-dashboard.md if it exists — extract summary metrics and trend</action>
-  <action>Build a sprint data summary:
-    - Completion rate: {completed}/{total} stories ({percentage}%)
-    - Velocity: {delivered}/{planned} points
-    - First-pass review rate: stories that passed all 6 reviews without going back to in-progress
-    - Val validation stats: average attempts per story, zero-finding rate
-    - Findings stats: total findings generated, triaged count, untriaged count
-    - Blocked stories: count and duration
-    - Carryover stories: list with reasons</action>
-</step>
-<step n="2" title="What Went Well (Data-Driven)">
-  <action>Analyze sprint artifacts to identify positive outcomes. Check for:
-    - Stories that passed all 6 reviews on first try → "Clean implementations: {list of story keys}"
-    - Velocity met or exceeded plan → "Strong execution: delivered {X}/{Y} points ({ratio}%)"
-    - Stories with zero Val findings → "High quality specs: {list} passed validation first try"
-    - Stories with no REQUEST_CHANGES in code review → "Clean code: {list} had no review rework"
-    - No blocked stories (or blocks resolved quickly) → "Good dependency management"
-    - Debt ratio decreased vs previous sprint (from tech-debt-dashboard) → "Debt under control: ratio dropped from {X}% to {Y}%"
-    - Any review that found zero issues across all stories → "{review_name} found no issues across the sprint"</action>
-  <action>Present: "## What Went Well (from sprint data)" with each finding and its evidence (story keys, numbers, sources)</action>
-  <action if="yolo_mode">In YOLO mode: auto-confirm the data-driven findings and proceed.</action>
-  <ask>These are the positive findings from sprint data. Confirm, or add anything the data doesn't capture. [confirm / add context]</ask>
-</step>
-<step n="3" title="What Could Improve (Data-Driven)">
-  <action>Analyze sprint artifacts to identify improvement areas. Check for:
-    - Stories that had review failures (went from review → in-progress) → "Review rework: {list} failed review and cycled back — check {review_name} reports for patterns"
-    - Stories that needed 2-3 Val validation attempts → "Story spec issues: {list} needed multiple validation passes"
-    - Untriaged findings still in story files → "Unresolved findings: {count} findings from {stories} not yet triaged"
-    - Blocked stories and their duration → "Blockers: {list} blocked for {N} days — dependency/planning issue"
-    - Carryover stories (not completed this sprint) → "Carryover: {list} not completed — estimation or scope issue"
-    - Review reports with REQUEST_CHANGES → "Code quality patterns: {summary of common review feedback across stories}"
-    - New debt items added this sprint (from tech-debt-dashboard) → "Debt growth: {N} new items added this sprint"
-    - Security review failures → "Security gaps: {list} failed security review — see reports"</action>
-  <action>Present: "## What Could Improve (from sprint data)" with each finding, evidence, and source references</action>
-  <action if="yolo_mode">In YOLO mode: auto-confirm the data-driven findings and proceed.</action>
-  <ask>These are the improvement areas from sprint data. Confirm, or add anything the data doesn't capture. [confirm / add context]</ask>
-</step>
-<step n="4" title="Tech Debt Reflection (Data-Driven)">
-  <action>If {implementation_artifacts}/tech-debt-dashboard.md exists, auto-analyze:
-    - Debt items added vs resolved this sprint
-    - FIX NOW items that were NOT addressed → "Missed priorities: {count} FIX NOW items still open"
-    - Auto-escalated items from aging → "Aging debt: {count} items auto-escalated due to age"
-    - Debt ratio trend (up/down/stable) compared to previous dashboard run
-    - If any FIX NOW + OVERDUE items exist → "Velocity risk: {count} overdue FIX NOW items may slow next sprint"
-    - Category breakdown: which category (DESIGN/CODE/TEST/INFRASTRUCTURE) grew most</action>
-  <action>If no tech-debt-dashboard.md exists: note "No tech debt dashboard available — run /gaia-tech-debt-review to generate one."</action>
-  <action>Present: "## Tech Debt Reflection" with analysis and data</action>
-  <action if="yolo_mode">In YOLO mode: auto-confirm the debt analysis and proceed.</action>
-  <ask>This is the debt analysis from the dashboard. Any additional context the data doesn't show? [confirm / add context]</ask>
-</step>
-<step n="5" title="Agent Memory Updates">
-  <action>For each improvement or lesson learned from Steps 2-4, identify which agent's domain it belongs to:
-    - Architecture/tech stack issues → {memory_path}/architect-sidecar/architecture-decisions.md
-    - Testing/quality issues → {memory_path}/test-architect-sidecar/test-decisions.md
-    - Security issues → {memory_path}/security-sidecar/threat-model-decisions.md
-    - Infrastructure/deployment issues → {memory_path}/devops-sidecar/infrastructure-decisions.md
-    - Process/velocity issues → {memory_path}/sm-sidecar/velocity-data.md
-    - Requirements/scope issues → {memory_path}/pm-sidecar/product-decisions.md</action>
-  <action>For each identified lesson, append to the relevant sidecar file:
-    Format: "- {date} [RETRO-{sprint_id}]: {lesson learned}. Context: {what happened}. Recommendation: {what to do differently}."</action>
-  <action>ALWAYS append sprint velocity data to {memory_path}/sm-sidecar/velocity-data.md:
-    ### Sprint {sprint_id}
-    - Planned: {X} points ({N} stories)
-    - Completed: {Y} points ({M} stories)
-    - Velocity: {Y} pts
-    - Blocked days: {Z}
-    - Carryover: {list of incomplete stories}</action>
-</step>
-<step n="6" title="Skill Improvement Proposals">
-  <action>Review the "what could improve" findings from Step 3. For each finding, check if it relates to a shared skill:
-    - Code quality issues → code-review-standards.md
-    - Testing failures/flakiness → testing-patterns.md
-    - Git/branching problems → git-workflow.md
-    - API design issues → api-design.md
-    - Security gaps → security-basics.md
-    - Database problems → database-design.md
-    - Deployment issues → docker-workflow.md
-    - Documentation gaps → documentation-standards.md</action>
-  <action>For each related skill, propose a concrete addition or modification: what section should change, what content to add, and why (link back to the retro finding)</action>
-  <action if="yolo_mode">In YOLO mode: auto-approve all recommended skill improvements. Skip the user prompt below.</action>
-  <ask>Here are the proposed skill improvements based on this sprint's findings. Approve, modify, or skip each. [approve all / select / skip]</ask>
-  <action>If approved: append to the relevant skill file with comment: "<!-- Added from retro-{sprint_id}: {reason} -->"</action>
-  <action>If no skill improvements identified, state: "No skill improvements identified this sprint."</action>
-</step>
-<step n="7" title="Cross-Retro Pattern Detection">
-  <action>Scan {implementation_artifacts}/ for all previous retro-*.md files</action>
-  <action>If previous retros exist:
-    - Extract "what could improve" sections from each
-    - Identify recurring themes (same category of problem appearing in 2+ sprints)
-    - For each recurring pattern: flag it as a SYSTEMIC ISSUE with sprint history
-    - Present to user: "The following issues have appeared in multiple sprints:"
-      | Pattern | Sprints Affected | Times Reported | Status |</action>
-  <action if="yolo_mode">In YOLO mode: auto-escalate all systemic issues (appearing in 2+ sprints) to action items with higher priority. Skip the user prompt below.</action>
-  <ask>Would you like to escalate any systemic issues to action items with higher priority?</ask>
-  <action>If this is the first retro: skip pattern detection, note "First retrospective — pattern detection will begin after Sprint 2."</action>
-</step>
-<step n="8" title="Action Items">
-  <action>Define concrete improvements for next sprint</action>
-  <action>Include any escalated systemic issues from Step 7</action>
-  <action>Assign ownership for each action item</action>
-  <action>Write each action item to {implementation_artifacts}/action-items.yaml:
-    1. Read action-items.yaml (create with header if doesn't exist:
-       "# Action Items — centralized tracker\nlast_updated: {timestamp}\nitems: []")
-    2. For each action item, generate auto-incremented ID (A-{NNN}, increment from highest existing)
-    3. Classify type: clarification | implementation | process | automation
-    4. Set priority based on escalation count: items flagged in 2+ sprints = high, new items = medium by default
-    5. Write entry with: id, title, source_workflow: "retrospective", source_sprint: {sprint_id},
-       source_ref: "retro-{sprint_id}.md", created: {date}, type, priority, status: "open",
-       assignee (from ownership), target_sprint: next sprint, resolution: null,
-       resolved_date: null, related_stories: [], escalation_count: {count from cross-retro detection}
-    6. Update last_updated timestamp</action>
-</step>
-<step n="9" title="Generate Output">
-  <template-output file="{implementation_artifacts}/retro-{sprint_id}.md">
-    Generate retrospective report with: sprint metrics, what went well (data-driven), improvements (data-driven), tech debt reflection, agent memory updates made, skill improvement proposals (approved/skipped), cross-retro patterns detected, and action items with ownership.
-  </template-output>
-</step>
-<step n="10" title="Save to Val Memory">
-  <action>Auto-save retrospective summary to Val's memory sidecar (no user prompt required):
-
-  1. Append to {memory_path}/validator-sidecar/decision-log.md:
-     ### [YYYY-MM-DD] Retrospective: {sprint_id}
-
-     - **Agent:** validator
-     - **Workflow:** retrospective
-     - **Sprint:** {sprint_id}
-     - **Status:** recorded
-
-     Sprint {sprint_id} retro complete.
-     Velocity: {planned} planned → {completed} completed ({ratio}%).
-     Went well: {count} items. Key: {top 2-3 findings}.
-     Improvements: {count} items. Key: {top 2-3 findings}.
-     Debt trend: {up/down/stable} ({ratio}%).
-     Systemic issues: {count} ({list if any}).
-     Skill updates: {count} approved.
-     Action items: {count} for next sprint.
-     Memory sidecars updated: {list of updated sidecars}.
-
-  2. Replace body of {memory_path}/validator-sidecar/conversation-context.md (preserve header above first ---):
-     Last session: Retrospective for {sprint_id}.
-     Date: {YYYY-MM-DD}. Velocity: {completed}/{planned} pts.
-     Went well: {count}. Improvements: {count}. Action items: {count}.
-
-  If _memory/validator-sidecar/ directory or files don't exist, create them with standard headers.
-  If writing fails, log warning and continue — memory save is non-blocking.</action>
-</step>
-</workflow>

package/_gaia/lifecycle/workflows/4-implementation/retrospective/workflow.yaml

@@ -1,30 +0,0 @@
-name: retrospective
-description: 'Post-sprint retrospective with learning loop'
-module: lifecycle
-agent: sm
-template_output_prompt: "auto"
-config_resolved: "{installed_path}/.resolved/retrospective.yaml"
-config_source: "{project-root}/_gaia/lifecycle/config.yaml"
-installed_path: "{project-root}/_gaia/lifecycle/workflows/4-implementation/retrospective"
-instructions: "{installed_path}/instructions.xml"
-validation: "{installed_path}/checklist.md"
-input_file_patterns:
-  status:
-    whole: "{implementation_artifacts}/sprint-status.yaml"
-    load_strategy: "FULL_LOAD"
-  previous_retros:
-    whole: "{implementation_artifacts}/retro-*.md"
-    load_strategy: "INDEX_GUIDED"
-  tech_debt:
-    whole: "{implementation_artifacts}/tech-debt-dashboard.md"
-    load_strategy: "FULL_LOAD"
-on_error:
-  missing_file: "ask_user"
-  unresolved_variable: "halt"
-
-output:
-  primary: "{implementation_artifacts}/retro-{sprint_id}.md"
-  sidecar_updates:
-    - "{memory_path}/*-sidecar/*.md"
-  skill_updates:
-    - "{project-root}/_gaia/dev/skills/*.md"

package/_gaia/lifecycle/workflows/4-implementation/run-all-reviews/checklist.md

@@ -1,14 +0,0 @@
----
-title: 'Run All Reviews Validation'
-validation-target: 'Review orchestration'
----
-## Pre-conditions
-- [ ] Story identified and in 'review' status
-- [ ] Review Gate table initialized with 6 rows
-## Execution
-- [ ] Each pending review dispatched to subagent
-- [ ] Already-passed reviews skipped
-- [ ] Story file re-read after each review completes
-## Completion
-- [ ] Review summary generated with all 6 verdicts
-- [ ] Story status reflects gate outcome (done or still review)

package/_gaia/lifecycle/workflows/4-implementation/run-all-reviews/instructions.xml

@@ -1,78 +0,0 @@
-<workflow name="run-all-reviews">
-<critical>
-  <mandate>Run each review in a SEPARATE subagent context using the Agent tool</mandate>
-  <mandate>Run reviews SEQUENTIALLY — never in parallel (they write to the same story file)</mandate>
-  <mandate>Do NOT write to sprint-status.yaml — story file is authoritative</mandate>
-  <mandate>If any review returns FAILED, continue running remaining reviews — do NOT halt</mandate>
-  <mandate>Individual review subagents MUST NOT change story status — only this orchestrator manages status transitions after all reviews complete</mandate>
-</critical>
-
-<step n="1" title="Identify Story">
-  <action>Ask user which story to review (story key, e.g., STORY-001)</action>
-  <action>Read story file: search {implementation_artifacts}/ for {story_key}-*.md (if not found, try {story_key}.md). Use the resolved path for all subsequent updates.</action>
-  <action>Verify story status is 'review'. If not: HALT — story must be in review status</action>
-  <action>Read the Review Gate table — note which reviews are already PASSED (skip those)</action>
-  <action>Show user: "Running reviews for {story_key}. Already passed: {list}. Will run: {remaining_list}."</action>
-</step>
-
-<step n="2" title="Run Code Review">
-  <action>Skip if Code Review row already shows PASSED</action>
-  <action>Spawn a subagent using the Agent tool with this prompt:
-    "Load {project-root}/_gaia/core/engine/workflow.xml, then process {project-root}/_gaia/lifecycle/workflows/4-implementation/code-review/workflow.yaml as workflow-config. The story key is {story_key}. Run in YOLO mode — auto-proceed past all template-outputs. Follow the workflow engine instructions EXACTLY."
-  </action>
-  <action>When subagent returns: read story file, check Code Review row status. Log result.</action>
-</step>
-
-<step n="3" title="Run Security Review">
-  <action>Skip if Security Review row already shows PASSED</action>
-  <action>Spawn a subagent using the Agent tool with this prompt:
-    "Load {project-root}/_gaia/core/engine/workflow.xml, then process {project-root}/_gaia/lifecycle/workflows/4-implementation/security-review/workflow.yaml as workflow-config. The story key is {story_key}. Run in YOLO mode — auto-proceed past all template-outputs. Follow the workflow engine instructions EXACTLY."
-  </action>
-  <action>When subagent returns: read story file, check Security Review row status. Log result.</action>
-</step>
-
-<step n="4" title="Run QA Tests">
-  <action>Skip if QA Tests row already shows PASSED</action>
-  <action>Spawn a subagent using the Agent tool with this prompt:
-    "Load {project-root}/_gaia/core/engine/workflow.xml, then process {project-root}/_gaia/lifecycle/workflows/4-implementation/qa-generate-tests/workflow.yaml as workflow-config. The story key is {story_key}. Run in YOLO mode — auto-proceed past all template-outputs. Follow the workflow engine instructions EXACTLY."
-  </action>
-  <action>When subagent returns: read story file, check QA Tests row status. Log result.</action>
-</step>
-
-<step n="5" title="Run Test Automation">
-  <action>Skip if Test Automation row already shows PASSED</action>
-  <action>Spawn a subagent using the Agent tool with this prompt:
-    "Load {project-root}/_gaia/core/engine/workflow.xml, then process {project-root}/_gaia/testing/workflows/test-automation/workflow.yaml as workflow-config. The story key is {story_key}. Run in YOLO mode — auto-proceed past all template-outputs. Follow the workflow engine instructions EXACTLY."
-  </action>
-  <action>When subagent returns: read story file, check Test Automation row status. Log result.</action>
-</step>
-
-<step n="6" title="Run Test Review">
-  <action>Skip if Test Review row already shows PASSED</action>
-  <action>Spawn a subagent using the Agent tool with this prompt:
-    "Load {project-root}/_gaia/core/engine/workflow.xml, then process {project-root}/_gaia/testing/workflows/test-review/workflow.yaml as workflow-config. The story key is {story_key}. Run in YOLO mode — auto-proceed past all template-outputs. Follow the workflow engine instructions EXACTLY."
-  </action>
-  <action>When subagent returns: read story file, check Test Review row status. Log result.</action>
-</step>
-
-<step n="7" title="Run Performance Review">
-  <action>Skip if Performance Review row already shows PASSED</action>
-  <action>Spawn a subagent using the Agent tool with this prompt:
-    "Load {project-root}/_gaia/core/engine/workflow.xml, then process {project-root}/_gaia/lifecycle/workflows/anytime/performance-review/workflow.yaml as workflow-config. The story key is {story_key}. Run in YOLO mode — auto-proceed past all template-outputs. Follow the workflow engine instructions EXACTLY."
-  </action>
-  <action>When subagent returns: read story file, check Performance Review row status. Log result.</action>
-</step>
-
-<step n="8" title="Review Summary and Status Transition">
-  <action>Read story file — parse full Review Gate table</action>
-  <action>Generate summary table: review name | verdict | report link</action>
-  <action>If ALL 6 PASSED: invoke the review-gate-check protocol to evaluate DoD and transition story to 'done' if appropriate.</action>
-  <action>If any FAILED:
-    <invoke-protocol ref="status-sync" story_key="{story_key}" new_status="in-progress" source_workflow="run-all-reviews" />
-    List failed reviews with report links. Report: "Story {story_key} moved to in-progress — fix issues and re-run failed reviews."</action>
-  <invoke-protocol name="review-gate-check" file="{project-root}/_gaia/core/protocols/review-gate-check.xml" />
-  <template-output file="{implementation_artifacts}/{story_key}-review-summary.md">
-    Generate review summary: story key, date, all 6 review verdicts with report links, final story status, and next actions if any reviews failed.
-  </template-output>
-</step>
-</workflow>

package/_gaia/lifecycle/workflows/4-implementation/run-all-reviews/workflow.yaml

@@ -1,16 +0,0 @@
-# Run All Reviews — Sequential Orchestrator
-# Runs all 6 review workflows sequentially via subagents
-
-name: run-all-reviews
-display_name: "Run All Reviews — Sequential Orchestrator"
-description: "Runs all 6 review workflows sequentially via subagents, each in a separate context window"
-module: lifecycle
-agent: orchestrator
-
-instructions: "{installed_path}/lifecycle/workflows/4-implementation/run-all-reviews/instructions.xml"
-validation: "{installed_path}/lifecycle/workflows/4-implementation/run-all-reviews/checklist.md"
-
-config_source: "{installed_path}/lifecycle/config.yaml"
-
-output:
-  primary: "{implementation_artifacts}/{story_key}-review-summary.md"

package/_gaia/lifecycle/workflows/4-implementation/security-review/checklist.md

@@ -1,29 +0,0 @@
----
-title: 'Security Review Validation'
-validation-target: 'Security review report'
-required-inputs:
-  - '{implementation_artifacts}/{{story_key}}-*.md'
----
-## OWASP Coverage
-- [ ] All 10 OWASP categories checked
-- [ ] Findings are specific with code locations
-## Secrets
-- [ ] No hardcoded secrets detected
-- [ ] Secrets management approach verified
-## Authentication
-- [ ] Auth flow reviewed
-- [ ] Authorization checks at access points
-- [ ] Session management validated
-## Findings
-- [ ] Each finding has severity level
-- [ ] Each finding has remediation suggestion
-- [ ] Overall risk assessment provided
-## Verdict
-- [ ] PASSED or FAILED verdict clearly stated in report
-## Review Gate
-- [ ] Review Gate table updated in story file
-- [ ] If PASSED: Security Review row shows PASSED with report link
-- [ ] If FAILED: Security Review row shows FAILED, story status set to in-progress
-- [ ] Review gate check protocol invoked
-## Output Verification
-- [ ] Report generated with findings table

package/_gaia/lifecycle/workflows/4-implementation/security-review/instructions.xml

@@ -1,80 +0,0 @@
-<workflow name="security-review">
-<critical>
-  <mandate>Story must be in review status before security review</mandate>
-  <mandate>Check against all OWASP Top 10 categories</mandate>
-  <mandate>Flag hardcoded secrets, API keys, credentials</mandate>
-  <mandate>Verify authentication and authorization patterns</mandate>
-  <mandate>Produce findings with severity levels</mandate>
-  <mandate>Output must include machine-readable PASSED or FAILED verdict</mandate>
-  <mandate>When reading or running application source code, use {project-path} as the base directory — NOT {project-root}. {project-path} is resolved by the engine from global.yaml.</mandate>
-</critical>
-<step n="1" title="Load Context">
-  <action>Resolve story file: search for {story_key}-*.md in {implementation_artifacts}/ using glob pattern to match the full filename ({story_key}-{title_slug}.md)</action>
-  <action>Read the story file to understand what was built</action>
-  <action>Read {planning_artifacts}/threat-model.md if available — understand applicable threats</action>
-  <action>Identify code files changed or created by this story</action>
-</step>
-<step n="2" title="Status Gate">
-  <action>Verify story is in 'review' status</action>
-  <check if="status != review">HALT: Story must be in review status before security review</check>
-</step>
-<step n="3" title="OWASP Top 10 Scan">
-  <action>Check code changes against each OWASP category:</action>
-  <action>A01: Broken Access Control — authorization checks, RBAC, CORS</action>
-  <action>A02: Cryptographic Failures — encryption, hashing, key management</action>
-  <action>A03: Injection — SQL, XSS, command injection, input validation</action>
-  <action>A04: Insecure Design — missing security controls in design</action>
-  <action>A05: Security Misconfiguration — default configs, unnecessary features</action>
-  <action>A06: Vulnerable Components — outdated dependencies, known CVEs</action>
-  <action>A07: Auth Failures — password policies, session management, MFA</action>
-  <action>A08: Data Integrity Failures — deserialization, CI/CD integrity</action>
-  <action>A09: Logging Failures — insufficient logging, missing audit trail</action>
-  <action>A10: SSRF — server-side request forgery vectors</action>
-</step>
-<step n="4" title="Secrets Scan">
-  <action>Check for hardcoded secrets, API keys, credentials in code</action>
-  <action>Verify secrets are loaded from environment or secrets manager</action>
-  <action>Check .gitignore covers sensitive files (.env, credentials, keys)</action>
-</step>
-<step n="5" title="Auth Pattern Review">
-  <action>Verify authentication flow follows security best practices</action>
-  <action>Check authorization at every access point (not just UI)</action>
-  <action>Validate session management and token handling</action>
-  <action>Check for privilege escalation paths</action>
-</step>
-<step n="5b" title="Data Privacy and Compliance">
-  <action>Identify if the story handles PII (names, emails, addresses, phone numbers, payment data, health data, authentication tokens, user-generated content with metadata)</action>
-  <action>If PII is handled:
-    - GDPR applicability: check for consent mechanisms, right-to-delete support, data portability, lawful basis for processing
-    - Data encryption: verify PII is encrypted at rest (database-level or field-level) and in transit (TLS)
-    - Data retention: check if retention policies are defined — flag if no retention period or deletion mechanism exists
-    - Data minimization: flag collection of PII fields not required for the feature's purpose
-    - Cross-border transfer: flag if PII may be stored or processed in different jurisdictions without safeguards
-  </action>
-  <action>If no PII detected: record "No PII handling identified in this story" for auditability</action>
-</step>
-<step n="6" title="Generate Findings">
-  <action>Classify each finding by severity: critical, high, medium, low, info</action>
-  <action>Include: finding description, location, OWASP category, remediation suggestion</action>
-  <action>Provide overall security risk assessment</action>
-</step>
-<step n="7" title="Verdict">
-  <action>If NO critical or high severity findings: verdict is PASSED</action>
-  <action>If ANY critical or high severity finding exists: verdict is FAILED — list blocking findings</action>
-</step>
-<step n="8" title="Generate Output">
-  <template-output file="{implementation_artifacts}/{story_key}-security-review.md">
-    Generate security review report with: summary, OWASP findings table, secrets scan results, auth review results, data privacy and compliance assessment, overall risk assessment, and machine-readable verdict (PASSED/FAILED).
-  </template-output>
-</step>
-<step n="9" title="Update Review Gate and Transition">
-  <action>Read story file, locate Review Gate table</action>
-  <action>If PASSED: update Security Review row status to PASSED, link report file</action>
-  <action>If FAILED: update Security Review row status to FAILED, link report file. Do NOT change story status — the review-gate-check protocol or run-all-reviews orchestrator handles status transitions.</action>
-  <template-output file="{implementation_artifacts}/{story_key}-*.md">
-    Update story file Review Gate table with security review result and report link.
-  </template-output>
-  <action>Inform user: "Note: sprint-status.yaml may now be out of sync. Run /gaia-sprint-status to reconcile."</action>
-  <invoke-protocol name="review-gate-check" file="{project-root}/_gaia/core/protocols/review-gate-check.xml" />
-</step>
-</workflow>

package/_gaia/lifecycle/workflows/4-implementation/security-review/workflow.yaml

@@ -1,27 +0,0 @@
-name: security-review
-description: 'Pre-merge security review: OWASP, secrets, auth patterns'
-module: lifecycle
-agent: security
-config_resolved: "{installed_path}/.resolved/security-review.yaml"
-config_source: "{project-root}/_gaia/lifecycle/config.yaml"
-installed_path: "{project-root}/_gaia/lifecycle/workflows/4-implementation/security-review"
-instructions: "{installed_path}/instructions.xml"
-validation: "{installed_path}/checklist.md"
-quality_gates:
-  pre_start:
-    - check: "story_status == 'review'"
-      on_fail: "HALT: Story must be in review status before security review. Complete /gaia-dev-story first."
-input_file_patterns:
-  story:
-    whole: "{implementation_artifacts}/{{story_key}}-*.md"
-    load_strategy: "FULL_LOAD"
-  threat_model:
-    whole: "{planning_artifacts}/threat-model.md"
-    load_strategy: "FULL_LOAD"
-on_error:
-  missing_file: "ask_user"
-  unresolved_variable: "halt"
-
-output:
-  primary: "{implementation_artifacts}/{story_key}-security-review.md"
-  secondary: "{implementation_artifacts}/{story_key}-*.md"

package/_gaia/lifecycle/workflows/4-implementation/sprint-planning/checklist.md

@@ -1,29 +0,0 @@
----
-title: 'Sprint Planning Validation'
-validation-target: 'Sprint plan and status files'
----
-## Sprint Setup
-- [ ] Sprint duration defined
-- [ ] Velocity estimate set
-- [ ] Sprint ID assigned
-- [ ] Memory hygiene prompt shown to user (even when sidecars empty)
-## Story Selection
-- [ ] Only stories with status 'ready-for-dev' are selectable
-- [ ] T-shirt-to-points mapping read from global.yaml sizing_map
-- [ ] Stories selected within velocity
-- [ ] Dependencies respected — stories with unresolved depends_on blocked
-- [ ] P0 stories not selected are flagged with warning
-- [ ] Priority ordering applied
-- [ ] Selected story files updated with sprint_id
-## Testing Readiness
-- [ ] test-plan.md checked (warn if missing)
-- [ ] High-risk stories identified from risk_level field
-- [ ] ATDD file status noted for each high-risk story
-- [ ] Sprint plan includes Testing Readiness section
-## Status
-- [ ] sprint-status.yaml generated
-- [ ] All stories set to 'backlog'
-- [ ] Sprint ID tracked
-## Output Verification
-- [ ] Sprint plan file exists
-- [ ] sprint-status.yaml exists and valid