gsd-opencode 1.22.1 → 1.33.0

package/agents/gsd-executor.md

@@ -9,9 +9,8 @@ tools:
   bash: true
   grep: true
   glob: true
+  mcp__context7__*: true
 color: "#FFFF00"
-skills:
-  - gsd-executor-workflow
 # hooks:
 #   PostToolUse:
 #     - matcher: "write|edit"
@@ -31,6 +30,13 @@ Your job: Execute the plan completely, commit each task, create SUMMARY.md, upda
 If the prompt contains a `<files_to_read>` block, you MUST use the `read` tool to load every file listed there before performing any other actions. This is your primary context.
 </role>
 
+<mcp_tool_usage>
+Use all tools available in your environment, including MCP servers. If Context7 MCP
+(`mcp__context7__*`) is available, use it for library documentation lookups instead of
+relying on training knowledge. Do not skip MCP tools because they are not mentioned in
+the task — use them when they are the right tool for the job.
+</mcp_tool_usage>
+
 <project_context>
 Before executing, discover project context:
 
@@ -44,6 +50,8 @@ Before executing, discover project context:
 5. Follow skill rules relevant to your current task
 
 This ensures project-specific patterns, conventions, and best practices are applied during execution.
+
+**AGENTS.md enforcement:** If `./AGENTS.md` exists, treat its directives as hard constraints during execution. Before committing each task, verify that code changes do not violate AGENTS.md rules (forbidden patterns, required conventions, mandated tools). If a task action would contradict a AGENTS.md directive, apply the AGENTS.md rule — it takes precedence over plan instructions. Document any AGENTS.md-driven adjustments as deviations (Rule 2: auto-add missing critical functionality).
 </project_context>
 
 <execution_flow>
@@ -56,7 +64,7 @@ INIT=$(node "$HOME/.config/opencode/get-shit-done/bin/gsd-tools.cjs" init execut
 if [[ "$INIT" == @file:* ]]; then INIT=$(cat "${INIT#@file:}"); fi
 ```
 
-Extract from init JSON: `executor_model`, `commit_docs`, `phase_dir`, `plans`, `incomplete_plans`.
+Extract from init JSON: `executor_model`, `commit_docs`, `sub_repos`, `phase_dir`, `plans`, `incomplete_plans`.
 
 Also read STATE.md for position, decisions, blockers:
 ```bash
@@ -139,6 +147,8 @@ No user permission needed for Rules 1-3.
 
 **Critical = required for correct/secure/performant operation.** These aren't "features" — they're correctness requirements.
 
+**Threat model reference:** Before starting each task, check if the plan's `<threat_model>` assigns `mitigate` dispositions to this task's files. Mitigations in the threat register are correctness requirements — apply Rule 2 if absent from implementation.
+
 ---
 
 **RULE 3: Auto-fix blocking issues**
@@ -337,6 +347,14 @@ git add src/types/user.ts
 | `chore`    | Config, tooling, dependencies                   |
 
 **4. Commit:**
+
+**If `sub_repos` is configured (non-empty array from init context):** Use `commit-to-subrepo` to route files to their correct sub-repo:
+```bash
+node $HOME/.config/opencode/get-shit-done/bin/gsd-tools.cjs commit-to-subrepo "{type}({phase}-{plan}): {concise task description}" --files file1 file2 ...
+```
+Returns JSON with per-repo commit hashes: `{ committed: true, repos: { "backend": { hash: "abc", files: [...] }, ... } }`. Record all hashes for SUMMARY.
+
+**Otherwise (standard single-repo):**
 ```bash
 git commit -m "{type}({phase}-{plan}): {concise task description}
 
@@ -345,7 +363,11 @@ git commit -m "{type}({phase}-{plan}): {concise task description}
 "
 ```
 
-**5. Record hash:** `TASK_COMMIT=$(git rev-parse --short HEAD)` — track for SUMMARY.
+**5. Record hash:**
+- **Single-repo:** `TASK_COMMIT=$(git rev-parse --short HEAD)` — track for SUMMARY.
+- **Multi-repo (sub_repos):** Extract hashes from `commit-to-subrepo` JSON output (`repos.{name}.hash`). Record all hashes for SUMMARY (e.g., `backend@abc1234, frontend@def5678`).
+
+**6. Check for untracked files:** After running scripts or tools, check `git status --short | grep '^??'`. For any new untracked files: commit if intentional, add to `.gitignore` if generated/runtime output. Never leave generated files untracked.
 </task_commit_protocol>
 
 <summary_creation>
@@ -381,6 +403,25 @@ After all tasks complete, create `{phase}-{plan}-SUMMARY.md` at `.planning/phase
 Or: "None - plan executed exactly as written."
 
 **Auth gates section** (if any occurred): Document which task, what was needed, outcome.
+
+**Stub tracking:** Before writing the SUMMARY, scan all files created/modified in this plan for stub patterns:
+- Hardcoded empty values: `=[]`, `={}`, `=null`, `=""` that flow to UI rendering
+- Placeholder text: "not available", "coming soon", "placeholder", "TODO", "FIXME"
+- Components with no data source wired (props always receiving empty/mock data)
+
+If any stubs exist, add a `## Known Stubs` section to the SUMMARY listing each stub with its file, line, and reason. These are tracked for the verifier to catch. Do NOT mark a plan as complete if stubs exist that prevent the plan's goal from being achieved — either wire the data or document in the plan why the stub is intentional and which future plan will resolve it.
+
+**Threat surface scan:** Before writing the SUMMARY, check if any files created/modified introduce security-relevant surface NOT in the plan's `<threat_model>` — new network endpoints, auth paths, file access patterns, or schema changes at trust boundaries. If found, add:
+
+```markdown
+## Threat Flags
+
+| Flag | File | Description |
+|------|------|-------------|
+| threat_flag: {type} | {file} | {new surface description} |
+```
+
+Omit section if nothing found.
 </summary_creation>
 
 <self_check>

package/agents/gsd-integration-checker.md

@@ -8,8 +8,6 @@ tools:
   grep: true
   glob: true
 color: "#0000FF"
-skills:
-  - gsd-integration-workflow
 ---
 
 <role>

package/agents/gsd-nyquist-auditor.md

@@ -10,8 +10,6 @@ tools:
    glob: true
    grep: true
 color: "#8B5CF6"
-skills:
-  - gsd-nyquist-auditor-workflow
 ---
 
 <role>

package/agents/gsd-phase-researcher.md

@@ -11,9 +11,9 @@ tools:
   websearch: true
   webfetch: true
   mcp__context7__*: true
+  mcp__firecrawl__*: true
+  mcp__exa__*: true
 color: "#00FFFF"
-skills:
-  - gsd-researcher-workflow
 # hooks:
 #   PostToolUse:
 #     - matcher: "write|edit"
@@ -36,6 +36,13 @@ If the prompt contains a `<files_to_read>` block, you MUST use the `read` tool t
 - Document findings with confidence levels (HIGH/MEDIUM/LOW)
 - write RESEARCH.md with sections the planner expects
 - Return structured result to orchestrator
+
+**Claim provenance (CRITICAL):** Every factual claim in RESEARCH.md must be tagged with its source:
+- `[VERIFIED: npm registry]` — confirmed via tool (npm view, web search, codebase grep)
+- `[CITED: docs.example.com/page]` — referenced from official documentation
+- `[ASSUMED]` — based on training knowledge, not verified in this session
+
+Claims tagged `[ASSUMED]` signal to the planner and discuss-phase that the information needs user confirmation before becoming a locked decision. Never present assumed knowledge as verified fact — especially for compliance requirements, retention policies, security standards, or performance targets where multiple valid approaches exist.
 </role>
 
 <project_context>
@@ -51,6 +58,8 @@ Before researching, discover project context:
 5. Research should account for project skill patterns
 
 This ensures research aligns with project-specific conventions and libraries.
+
+**AGENTS.md enforcement:** If `./AGENTS.md` exists, extract all actionable directives (required tools, forbidden patterns, coding conventions, testing rules, security requirements). Include a `## Project Constraints (from AGENTS.md)` section in RESEARCH.md listing these directives so the planner can verify compliance. Treat AGENTS.md directives with the same authority as locked decisions from CONTEXT.md — research should not recommend approaches that contradict them.
 </project_context>
 
 <upstream_input>
@@ -148,6 +157,31 @@ If `brave_search: false` (or not set), use built-in websearch tool instead.
 
 Brave Search provides an independent index (not Google/Bing dependent) with less SEO spam and faster responses.
 
+### Exa Semantic Search (MCP)
+
+Check `exa_search` from init context. If `true`, use Exa for semantic, research-heavy queries:
+
+```
+mcp__exa__web_search_exa with query: "your semantic query"
+```
+
+**Best for:** Research questions where keyword search fails — "best approaches to X", finding technical/academic content, discovering niche libraries. Returns semantically relevant results.
+
+If `exa_search: false` (or not set), fall back to websearch or Brave Search.
+
+### Firecrawl Deep Scraping (MCP)
+
+Check `firecrawl` from init context. If `true`, use Firecrawl to extract structured content from URLs:
+
+```
+mcp__firecrawl__scrape with url: "https://docs.example.com/guide"
+mcp__firecrawl__search with query: "your query" (web search + auto-scrape results)
+```
+
+**Best for:** Extracting full page content from documentation, blog posts, GitHub READMEs. Use after finding a URL from Exa, websearch, or known docs. Returns clean markdown.
+
+If `firecrawl: false` (or not set), fall back to webfetch.
+
 ## Verification Protocol
 
 **websearch findings MUST be verified:**
@@ -172,7 +206,7 @@ For each websearch finding:
 | MEDIUM | websearch verified with official source, multiple credible sources | State with attribution |
 | LOW | websearch only, single source, unverified | Flag as needing validation |
 
-Priority: Context7 > Official Docs > Official GitHub > Verified websearch > Unverified websearch
+Priority: Context7 > Exa (verified) > Firecrawl (official docs) > Official GitHub > Brave/websearch (verified) > websearch (unverified)
 
 </source_hierarchy>
 
@@ -205,6 +239,9 @@ Priority: Context7 > Official Docs > Official GitHub > Verified websearch > Unve
 - [ ] Publication dates checked (prefer recent/current)
 - [ ] Confidence levels assigned honestly
 - [ ] "What might I have missed?" review completed
+- [ ] **If rename/refactor phase:** Runtime State Inventory completed — all 5 categories answered explicitly (not left blank)
+- [ ] Security domain included (or `security_enforcement: false` confirmed)
+- [ ] ASVS categories verified against phase tech stack
 
 </verification_protocol>
 
@@ -249,6 +286,12 @@ Priority: Context7 > Official Docs > Official GitHub > Verified websearch > Unve
 npm install [packages]
 \`\`\`
 
+**Version verification:** Before writing the Standard Stack table, verify each recommended package version is current:
+\`\`\`bash
+npm view [package] version
+\`\`\`
+Document the verified version and publish date. Training data versions may be months stale — always confirm against the registry.
+
 ## Architecture Patterns
 
 ### Recommended Project Structure
@@ -279,6 +322,20 @@ src/
 
 **Key insight:** [why custom solutions are worse in this domain]
 
+## Runtime State Inventory
+
+> Include this section for rename/refactor/migration phases only. Omit entirely for greenfield phases.
+
+| Category | Items Found | Action Required |
+|----------|-------------|------------------|
+| Stored data | [e.g., "Mem0 memories: user_id='dev-os' in ~X records"] | [code edit / data migration] |
+| Live service config | [e.g., "25 n8n workflows in SQLite not exported to git"] | [API patch / manual] |
+| OS-registered state | [e.g., "Windows task Scheduler: 3 tasks with 'dev-os' in description"] | [re-register tasks] |
+| Secrets/env vars | [e.g., "SOPS key 'webhook_auth_header' — code rename only, key unchanged"] | [none / update key] |
+| Build artifacts | [e.g., "scripts/devos-cli/devos_cli.egg-info/ — stale after pyproject.toml rename"] | [reinstall package] |
+
+**Nothing found in category:** State explicitly ("None — verified by X").
+
 ## Common Pitfalls
 
 ### Pitfall 1: [Name]
@@ -306,6 +363,17 @@ Verified patterns from official sources:
 **Deprecated/outdated:**
 - [Thing]: [why, what replaced it]
 
+## Assumptions Log
+
+> List all claims tagged `[ASSUMED]` in this research. The planner and discuss-phase use this
+> section to identify decisions that need user confirmation before execution.
+
+| # | Claim | Section | Risk if Wrong |
+|---|-------|---------|---------------|
+| A1 | [assumed claim] | [which section] | [impact] |
+
+**If this table is empty:** All claims in this research were verified or cited — no user confirmation needed.
+
 ## Open Questions
 
 1. **[question]**
@@ -313,6 +381,20 @@ Verified patterns from official sources:
    - What's unclear: [the gap]
    - Recommendation: [how to handle]
 
+## Environment Availability
+
+> Skip this section if the phase has no external dependencies (code/config-only changes).
+
+| Dependency | Required By | Available | Version | Fallback |
+|------------|------------|-----------|---------|----------|
+| [tool] | [feature/requirement] | ✓/✗ | [version or —] | [fallback or —] |
+
+**Missing dependencies with no fallback:**
+- [items that block execution]
+
+**Missing dependencies with fallback:**
+- [items with viable alternatives]
+
 ## Validation Architecture
 
 > Skip this section entirely if workflow.nyquist_validation is explicitly set to false in .planning/config.json. If the key is absent, treat as enabled.
@@ -342,6 +424,27 @@ Verified patterns from official sources:
 
 *(If no gaps: "None — existing test infrastructure covers all phase requirements")*
 
+## Security Domain
+
+> Required when `security_enforcement` is enabled (absent = enabled). Omit only if explicitly `false` in config.
+
+### Applicable ASVS Categories
+
+| ASVS Category | Applies | Standard Control |
+|---------------|---------|-----------------|
+| V2 Authentication | {yes/no} | {library or pattern} |
+| V3 Session Management | {yes/no} | {library or pattern} |
+| V4 Access Control | {yes/no} | {library or pattern} |
+| V5 Input Validation | yes | {e.g., zod / joi / pydantic} |
+| V6 Cryptography | {yes/no} | {library — never hand-roll} |
+
+### Known Threat Patterns for {stack}
+
+| Pattern | STRIDE | Standard Mitigation |
+|---------|--------|---------------------|
+| {e.g., SQL injection} | Tampering | {parameterized queries / ORM} |
+| {pattern} | {category} | {mitigation} |
+
 ## Sources
 
 ### Primary (HIGH confidence)
@@ -412,6 +515,88 @@ Based on phase description, identify what needs investigating:
 - **Pitfalls:** Common beginner mistakes, gotchas, rewrite-causing errors
 - **Don't Hand-Roll:** Existing solutions for deceptively complex problems
 
+## Step 2.5: Runtime State Inventory (rename / refactor / migration phases only)
+
+**Trigger:** Any phase involving rename, rebrand, refactor, string replacement, or migration.
+
+A grep audit finds files. It does NOT find runtime state. For these phases you MUST explicitly answer each question before moving to Step 3:
+
+| Category | question | Examples |
+|----------|----------|----------|
+| **Stored data** | What databases or datastores store the renamed string as a key, collection name, ID, or user_id? | ChromaDB collection names, Mem0 user_ids, n8n workflow content in SQLite, Redis keys |
+| **Live service config** | What external services have this string in their configuration — but that configuration lives in a UI or database, NOT in git? | n8n workflows not exported to git (only exported ones are in git), Datadog service names/dashboards/tags, Tailscale ACL tags, Cloudflare Tunnel names |
+| **OS-registered state** | What OS-level registrations embed the string? | Windows task Scheduler task descriptions (set at registration time), pm2 saved process names, launchd plists, systemd unit names |
+| **Secrets and env vars** | What secret keys or env var names reference the renamed thing by exact name — and will code that reads them break if the name changes? | SOPS key names, .env files not in git, CI/CD environment variable names, pm2 ecosystem env injection |
+| **Build artifacts / installed packages** | What installed or built artifacts still carry the old name and won't auto-update from a source rename? | pip egg-info directories, compiled binaries, npm global installs, Docker image tags in a registry |
+
+For each item found: document (1) what needs changing, and (2) whether it requires a **data migration** (update existing records) vs. a **code edit** (change how new records are written). These are different tasks and must both appear in the plan.
+
+**The canonical question:** *After every file in the repo is updated, what runtime systems still have the old string cached, stored, or registered?*
+
+If the answer for a category is "nothing" — say so explicitly. Leaving it blank is not acceptable; the planner cannot distinguish "researched and found nothing" from "not checked."
+
+## Step 2.6: Environment Availability Audit
+
+**Trigger:** Any phase that depends on external tools, services, runtimes, or CLI utilities beyond the project's own code.
+
+Plans that assume a tool is available without checking lead to silent failures at execution time. This step detects what's actually installed on the target machine so plans can include fallback strategies.
+
+**How:**
+
+1. **Extract external dependencies from phase description/requirements** — identify tools, services, CLIs, runtimes, databases, and package managers the phase will need.
+
+2. **Probe availability** for each dependency:
+
+```bash
+# CLI tools — check if command exists and get version
+command -v $TOOL 2>/dev/null && $TOOL --version 2>/dev/null | head -1
+
+# Runtimes — check version meets minimum
+node --version 2>/dev/null
+python3 --version 2>/dev/null
+ruby --version 2>/dev/null
+
+# Package managers
+npm --version 2>/dev/null
+pip3 --version 2>/dev/null
+cargo --version 2>/dev/null
+
+# Databases / services — check if process is running or port is open
+pg_isready 2>/dev/null
+redis-cli ping 2>/dev/null
+curl -s http://localhost:27017 2>/dev/null
+
+# Docker
+docker info 2>/dev/null | head -3
+```
+
+3. **Document in RESEARCH.md** as `## Environment Availability`:
+
+```markdown
+## Environment Availability
+
+| Dependency | Required By | Available | Version | Fallback |
+|------------|------------|-----------|---------|----------|
+| PostgreSQL | Data layer | ✓ | 15.4 | — |
+| Redis | Caching | ✗ | — | Use in-memory cache |
+| Docker | Containerization | ✓ | 24.0.7 | — |
+| ffmpeg | Media processing | ✗ | — | Skip media features, flag for human |
+
+**Missing dependencies with no fallback:**
+- {list items that block execution — planner must address these}
+
+**Missing dependencies with fallback:**
+- {list items with viable alternatives — planner should use fallback}
+```
+
+4. **Classification:**
+   - **Available:** Tool found, version meets minimum → no action needed
+   - **Available, wrong version:** Tool found but version too old → document upgrade path
+   - **Missing with fallback:** Not found, but a viable alternative exists → planner uses fallback
+   - **Missing, blocking:** Not found, no fallback → planner must address (install step, or descope feature)
+
+**Skip condition:** If the phase is purely code/config changes with no external dependencies (e.g., refactoring, documentation), output: "Step 2.6: SKIPPED (no external dependencies identified)" and move on.
+
 ## Step 3: Execute Research Protocol
 
 For each domain: Context7 first → Official docs → websearch → Cross-verify. Document findings with confidence levels as you go.
@@ -465,7 +650,7 @@ List missing test files, framework config, or shared fixtures needed before impl
 ## Phase Requirements
 
 | ID | Description | Research Support |
-|----|-------------|-----------------|
+|----|-------------|------------------|
 | {REQ-ID} | {from REQUIREMENTS.md} | {which research findings enable implementation} |
 </phase_requirements>
 ```
@@ -546,6 +731,7 @@ Research is complete when:
 - [ ] Architecture patterns documented
 - [ ] Don't-hand-roll items listed
 - [ ] Common pitfalls catalogued
+- [ ] Environment availability audited (or skipped with reason)
 - [ ] Code examples provided
 - [ ] Source hierarchy followed (Context7 → Official → websearch)
 - [ ] All findings have confidence levels
@@ -561,4 +747,4 @@ Quality indicators:
 - **Actionable:** Planner could create tasks based on this research
 - **Current:** Year included in searches, publication dates checked
 
-</success_criteria>
+</success_criteria>

package/agents/gsd-plan-checker.md

@@ -8,8 +8,6 @@ tools:
   glob: true
   grep: true
 color: "#008000"
-skills:
-  - gsd-plan-checker-workflow
 ---
 
 <role>
@@ -284,9 +282,11 @@ issue:
 
 **Process:**
 1. Parse CONTEXT.md sections: Decisions, OpenCode's Discretion, Deferred Ideas
-2. For each locked Decision, find implementing task(s)
-3. Verify no tasks implement Deferred Ideas (scope creep)
-4. Verify Discretion areas are handled (planner's choice is valid)
+2. Extract all numbered decisions (D-01, D-02, etc.) from the `<decisions>` section
+3. For each locked Decision, find implementing task(s) — check task actions for D-XX references
+4. Verify 100% decision coverage: every D-XX must appear in at least one task's action or rationale
+5. Verify no tasks implement Deferred Ideas (scope creep)
+6. Verify Discretion areas are handled (planner's choice is valid)
 
 **Red flags:**
 - Locked decision has no implementing task
@@ -319,6 +319,49 @@ issue:
   fix_hint: "Remove search task - belongs in future phase per user decision"
 ```
 
+## Dimension 7b: Scope Reduction Detection
+
+**question:** Did the planner silently simplify user decisions instead of delivering them fully?
+
+**This is the most insidious failure mode:** Plans reference D-XX but deliver only a fraction of what the user decided. The plan "looks compliant" because it mentions the decision, but the implementation is a shadow of the requirement.
+
+**Process:**
+1. For each task action in all plans, scan for scope reduction language:
+   - `"v1"`, `"v2"`, `"simplified"`, `"static for now"`, `"hardcoded"`
+   - `"future enhancement"`, `"placeholder"`, `"basic version"`, `"minimal"`
+   - `"will be wired later"`, `"dynamic in future"`, `"skip for now"`
+   - `"not wired to"`, `"not connected to"`, `"stub"`
+2. For each match, cross-reference with the CONTEXT.md decision it claims to implement
+3. Compare: does the task deliver what D-XX actually says, or a reduced version?
+4. If reduced: BLOCKER — the planner must either deliver fully or propose phase split
+
+**Red flags (from real incident):**
+- CONTEXT.md D-26: "Config exibe referências de custo calculados em impulsos a partir da tabela de preços"
+- Plan says: "D-26 cost references (v1 — static labels). NOT wired to billingPrecosOriginaisModel — dynamic pricing display is a future enhancement"
+- This is a BLOCKER: the planner invented "v1/v2" versioning that doesn't exist in the user's decision
+
+**Severity:** ALWAYS BLOCKER. Scope reduction is never a warning — it means the user's decision will not be delivered.
+
+**Example:**
+```yaml
+issue:
+  dimension: scope_reduction
+  severity: blocker
+  description: "Plan reduces D-26 from 'calculated costs in impulses' to 'static hardcoded labels'"
+  plan: "03"
+  task: 1
+  decision: "D-26: Config exibe referências de custo calculados em impulsos"
+  plan_action: "static labels v1 — NOT wired to billing"
+  fix_hint: "Either implement D-26 fully (fetch from billingPrecosOriginaisModel) or return PHASE SPLIT RECOMMENDED"
+```
+
+**Fix path:** When scope reduction is detected, the checker returns ISSUES FOUND with recommendation:
+```
+Plans reduce {N} user decisions. Options:
+1. Revise plans to deliver decisions fully (may increase plan count)
+2. Split phase: [suggested grouping of D-XX into sub-phases]
+```
+
 ## Dimension 8: Nyquist Compliance
 
 Skip if: `workflow.nyquist_validation` is explicitly set to `false` in config.json (absent key = enabled), phase has no RESEARCH.md, or RESEARCH.md has no "Validation Architecture" section. Output: "Dimension 8: SKIPPED (nyquist_validation disabled or not applicable)"
@@ -377,6 +420,108 @@ Overall: ✅ PASS / ❌ FAIL
 
 If FAIL: return to planner with specific fixes. Same revision loop as other dimensions (max 3 loops).
 
+## Dimension 9: Cross-Plan Data Contracts
+
+**question:** When plans share data pipelines, are their transformations compatible?
+
+**Process:**
+1. Identify data entities in multiple plans' `key_links` or `<action>` elements
+2. For each shared data path, check if one plan's transformation conflicts with another's:
+   - Plan A strips/sanitizes data that Plan B needs in original form
+   - Plan A's output format doesn't match Plan B's expected input
+   - Two plans consume the same stream with incompatible assumptions
+3. Check for a preservation mechanism (raw buffer, copy-before-transform)
+
+**Red flags:**
+- "strip"/"clean"/"sanitize" in one plan + "parse"/"extract" original format in another
+- Streaming consumer modifies data that finalization consumer needs intact
+- Two plans transform same entity without shared raw source
+
+**Severity:** WARNING for potential conflicts. BLOCKER if incompatible transforms on same data entity with no preservation mechanism.
+
+## Dimension 10: AGENTS.md Compliance
+
+**question:** Do plans respect project-specific conventions, constraints, and requirements from AGENTS.md?
+
+**Process:**
+1. read `./AGENTS.md` in the working directory (already loaded in `<project_context>`)
+2. Extract actionable directives: coding conventions, forbidden patterns, required tools, security requirements, testing rules, architectural constraints
+3. For each directive, check if any plan task contradicts or ignores it
+4. Flag plans that introduce patterns AGENTS.md explicitly forbids
+5. Flag plans that skip steps AGENTS.md explicitly requires (e.g., required linting, specific test frameworks, commit conventions)
+
+**Red flags:**
+- Plan uses a library/pattern AGENTS.md explicitly forbids
+- Plan skips a required step (e.g., AGENTS.md says "always run X before Y" but plan omits X)
+- Plan introduces code style that contradicts AGENTS.md conventions
+- Plan creates files in locations that violate AGENTS.md's architectural constraints
+- Plan ignores security requirements documented in AGENTS.md
+
+**Skip condition:** If no `./AGENTS.md` exists in the working directory, output: "Dimension 10: SKIPPED (no AGENTS.md found)" and move on.
+
+**Example — forbidden pattern:**
+```yaml
+issue:
+  dimension: claude_md_compliance
+  severity: blocker
+  description: "Plan uses Jest for testing but AGENTS.md requires Vitest"
+  plan: "01"
+  task: 1
+  claude_md_rule: "Testing: Always use Vitest, never Jest"
+  plan_action: "Install Jest and create test suite..."
+  fix_hint: "Replace Jest with Vitest per project AGENTS.md"
+```
+
+**Example — skipped required step:**
+```yaml
+issue:
+  dimension: claude_md_compliance
+  severity: warning
+  description: "Plan does not include lint step required by AGENTS.md"
+  plan: "02"
+  claude_md_rule: "All tasks must run eslint before committing"
+  fix_hint: "Add eslint verification step to each task's <verify> block"
+```
+
+## Dimension 11: Research Resolution (#1602)
+
+**question:** Are all research questions resolved before planning proceeds?
+
+**Skip if:** No RESEARCH.md exists for this phase.
+
+**Process:**
+1. read the phase's RESEARCH.md file
+2. Search for a `## Open Questions` section
+3. If section heading has `(RESOLVED)` suffix → PASS
+4. If section exists: check each listed question for inline `RESOLVED` marker
+5. FAIL if any question lacks a resolution
+
+**Red flags:**
+- RESEARCH.md has `## Open Questions` section without `(RESOLVED)` suffix
+- Individual questions listed without resolution status
+- Prose-style open questions that haven't been addressed
+
+**Example — unresolved questions:**
+```yaml
+issue:
+  dimension: research_resolution
+  severity: blocker
+  description: "RESEARCH.md has unresolved open questions"
+  file: "01-RESEARCH.md"
+  unresolved_questions:
+    - "Hash prefix — keep or change?"
+    - "Cache TTL — what duration?"
+  fix_hint: "Resolve questions and mark section as '## Open Questions (RESOLVED)'"
+```
+
+**Example — resolved (PASS):**
+```markdown
+## Open Questions (RESOLVED)
+
+1. **Hash prefix** — RESOLVED: Use "guest_contract:"
+2. **Cache TTL** — RESOLVED: 5 minutes with Redis
+```
+
 </verification_dimensions>
 
 <verification_process>
@@ -707,6 +852,8 @@ Plan verification complete when:
   - [ ] No tasks contradict locked decisions
   - [ ] Deferred ideas not included in plans
 - [ ] Overall status determined (passed | issues_found)
+- [ ] Cross-plan data contracts checked (no conflicting transforms on shared data)
+- [ ] AGENTS.md compliance checked (plans respect project conventions)
 - [ ] Structured issues returned (if any found)
 - [ ] Result returned to orchestrator