gsd-remix 1.0.2 → 1.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (230) hide show
  1. package/README.md +21 -86
  2. package/README.zh-CN.md +13 -57
  3. package/agents/gsd-debugger.md +0 -3
  4. package/agents/gsd-executor.md +5 -11
  5. package/agents/gsd-phase-researcher.md +3 -107
  6. package/agents/gsd-plan-checker.md +0 -61
  7. package/agents/gsd-planner.md +4 -63
  8. package/agents/gsd-roadmapper.md +0 -29
  9. package/agents/gsd-security-auditor.md +62 -114
  10. package/agents/gsd-verifier.md +0 -3
  11. package/bin/install.js +20 -118
  12. package/commands/gsd/complete-milestone.md +0 -22
  13. package/commands/gsd/plan-phase.md +1 -2
  14. package/get-shit-done/bin/gsd-tools.cjs +5 -224
  15. package/get-shit-done/bin/lib/claude-md.cjs +427 -0
  16. package/get-shit-done/bin/lib/config-schema.cjs +2 -12
  17. package/get-shit-done/bin/lib/config.cjs +3 -12
  18. package/get-shit-done/bin/lib/core.cjs +4 -5
  19. package/get-shit-done/bin/lib/init.cjs +0 -163
  20. package/get-shit-done/bin/lib/model-profiles.cjs +12 -18
  21. package/get-shit-done/bin/lib/verify.cjs +0 -66
  22. package/get-shit-done/references/agent-contracts.md +0 -6
  23. package/get-shit-done/references/artifact-types.md +0 -30
  24. package/get-shit-done/references/continuation-format.md +0 -1
  25. package/get-shit-done/references/model-profiles.md +39 -37
  26. package/get-shit-done/references/planning-config.md +7 -12
  27. package/get-shit-done/references/verification-overrides.md +1 -1
  28. package/get-shit-done/templates/README.md +2 -9
  29. package/get-shit-done/templates/claude-md.md +0 -14
  30. package/get-shit-done/templates/config.json +5 -19
  31. package/get-shit-done/workflows/autonomous.md +9 -141
  32. package/get-shit-done/workflows/complete-milestone.md +3 -4
  33. package/get-shit-done/workflows/discuss-phase-assumptions.md +1 -18
  34. package/get-shit-done/workflows/discuss-phase.md +10 -104
  35. package/get-shit-done/workflows/do.md +1 -5
  36. package/get-shit-done/workflows/execute-phase.md +53 -103
  37. package/get-shit-done/workflows/execute-plan.md +4 -4
  38. package/get-shit-done/workflows/health.md +2 -5
  39. package/get-shit-done/workflows/help.md +0 -165
  40. package/get-shit-done/workflows/new-milestone.md +0 -51
  41. package/get-shit-done/workflows/new-project.md +2 -63
  42. package/get-shit-done/workflows/next.md +0 -23
  43. package/get-shit-done/workflows/pause-work.md +7 -15
  44. package/get-shit-done/workflows/plan-phase.md +20 -304
  45. package/get-shit-done/workflows/pr-branch.md +0 -1
  46. package/get-shit-done/workflows/progress.md +1 -68
  47. package/get-shit-done/workflows/quick.md +0 -3
  48. package/get-shit-done/workflows/research-phase.md +0 -1
  49. package/get-shit-done/workflows/settings.md +1 -57
  50. package/get-shit-done/workflows/transition.md +3 -86
  51. package/get-shit-done/workflows/verify-work.md +0 -64
  52. package/package.json +1 -1
  53. package/scripts/build-hooks.js +0 -2
  54. package/sdk/prompts/agents/gsd-executor.md +2 -0
  55. package/sdk/prompts/agents/gsd-plan-checker.md +0 -3
  56. package/sdk/prompts/agents/gsd-roadmapper.md +0 -29
  57. package/sdk/src/config.ts +4 -5
  58. package/sdk/src/golden/golden-integration-covered.ts +0 -2
  59. package/sdk/src/golden/golden-policy.ts +1 -1
  60. package/sdk/src/golden/golden.integration.test.ts +0 -27
  61. package/sdk/src/golden/read-only-golden-rows.ts +0 -15
  62. package/sdk/src/query/QUERY-HANDLERS.md +3 -34
  63. package/sdk/src/query/claude-md.ts +421 -0
  64. package/sdk/src/query/commit.test.ts +155 -1
  65. package/sdk/src/query/commit.ts +71 -17
  66. package/sdk/src/query/config-gates.test.ts +1 -2
  67. package/sdk/src/query/config-gates.ts +1 -5
  68. package/sdk/src/query/config-mutation.test.ts +0 -1
  69. package/sdk/src/query/config-mutation.ts +5 -6
  70. package/sdk/src/query/config-query.test.ts +2 -2
  71. package/sdk/src/query/config-query.ts +12 -18
  72. package/sdk/src/query/decomposed-handlers.test.ts +0 -64
  73. package/sdk/src/query/index.ts +4 -68
  74. package/sdk/src/query/init.test.ts +0 -64
  75. package/sdk/src/query/init.ts +0 -189
  76. package/sdk/src/query/normalize-query-command.ts +0 -2
  77. package/sdk/src/query/profile.test.ts +0 -43
  78. package/sdk/src/query/profile.ts +1 -141
  79. package/sdk/src/query/state-mutation.ts +18 -0
  80. package/sdk/src/runtime-health.ts +3 -3
  81. package/agents/gsd-ai-researcher.md +0 -133
  82. package/agents/gsd-doc-classifier.md +0 -168
  83. package/agents/gsd-doc-synthesizer.md +0 -204
  84. package/agents/gsd-doc-verifier.md +0 -217
  85. package/agents/gsd-doc-writer.md +0 -615
  86. package/agents/gsd-domain-researcher.md +0 -153
  87. package/agents/gsd-eval-auditor.md +0 -191
  88. package/agents/gsd-eval-planner.md +0 -154
  89. package/agents/gsd-framework-selector.md +0 -160
  90. package/agents/gsd-intel-updater.md +0 -334
  91. package/agents/gsd-nyquist-auditor.md +0 -203
  92. package/agents/gsd-ui-auditor.md +0 -495
  93. package/agents/gsd-ui-checker.md +0 -309
  94. package/agents/gsd-ui-researcher.md +0 -380
  95. package/agents/gsd-user-profiler.md +0 -171
  96. package/commands/gsd/ai-integration-phase.md +0 -36
  97. package/commands/gsd/analyze-dependencies.md +0 -34
  98. package/commands/gsd/audit-fix.md +0 -33
  99. package/commands/gsd/audit-milestone.md +0 -36
  100. package/commands/gsd/audit-uat.md +0 -24
  101. package/commands/gsd/docs-update.md +0 -48
  102. package/commands/gsd/eval-review.md +0 -32
  103. package/commands/gsd/explore.md +0 -27
  104. package/commands/gsd/extract_learnings.md +0 -22
  105. package/commands/gsd/forensics.md +0 -56
  106. package/commands/gsd/from-gsd2.md +0 -47
  107. package/commands/gsd/graphify.md +0 -201
  108. package/commands/gsd/import.md +0 -37
  109. package/commands/gsd/inbox.md +0 -38
  110. package/commands/gsd/ingest-docs.md +0 -42
  111. package/commands/gsd/intel.md +0 -179
  112. package/commands/gsd/join-discord.md +0 -19
  113. package/commands/gsd/list-phase-assumptions.md +0 -46
  114. package/commands/gsd/list-workspaces.md +0 -19
  115. package/commands/gsd/manager.md +0 -40
  116. package/commands/gsd/milestone-summary.md +0 -51
  117. package/commands/gsd/new-workspace.md +0 -44
  118. package/commands/gsd/plan-milestone-gaps.md +0 -34
  119. package/commands/gsd/plan-review-convergence.md +0 -52
  120. package/commands/gsd/plant-seed.md +0 -28
  121. package/commands/gsd/profile-user.md +0 -46
  122. package/commands/gsd/reapply-patches.md +0 -331
  123. package/commands/gsd/remove-workspace.md +0 -26
  124. package/commands/gsd/review.md +0 -40
  125. package/commands/gsd/scan.md +0 -26
  126. package/commands/gsd/secure-phase.md +0 -35
  127. package/commands/gsd/session-report.md +0 -19
  128. package/commands/gsd/set-profile.md +0 -12
  129. package/commands/gsd/ship.md +0 -23
  130. package/commands/gsd/sketch-wrap-up.md +0 -31
  131. package/commands/gsd/sketch.md +0 -49
  132. package/commands/gsd/spec-phase.md +0 -62
  133. package/commands/gsd/spike-wrap-up.md +0 -31
  134. package/commands/gsd/spike.md +0 -46
  135. package/commands/gsd/stats.md +0 -18
  136. package/commands/gsd/sync-skills.md +0 -19
  137. package/commands/gsd/thread.md +0 -227
  138. package/commands/gsd/ui-phase.md +0 -34
  139. package/commands/gsd/ui-review.md +0 -32
  140. package/commands/gsd/ultraplan-phase.md +0 -33
  141. package/commands/gsd/update.md +0 -37
  142. package/commands/gsd/validate-phase.md +0 -35
  143. package/commands/gsd/workstreams.md +0 -69
  144. package/get-shit-done/bin/lib/docs.cjs +0 -267
  145. package/get-shit-done/bin/lib/graphify.cjs +0 -494
  146. package/get-shit-done/bin/lib/gsd2-import.cjs +0 -511
  147. package/get-shit-done/bin/lib/intel.cjs +0 -639
  148. package/get-shit-done/bin/lib/profile-output.cjs +0 -1080
  149. package/get-shit-done/bin/lib/profile-pipeline.cjs +0 -539
  150. package/get-shit-done/bin/lib/workstream.cjs +0 -495
  151. package/get-shit-done/references/ai-evals.md +0 -156
  152. package/get-shit-done/references/ai-frameworks.md +0 -186
  153. package/get-shit-done/references/doc-conflict-engine.md +0 -91
  154. package/get-shit-done/references/model-profile-resolution.md +0 -38
  155. package/get-shit-done/references/planner-reviews.md +0 -39
  156. package/get-shit-done/references/sketch-interactivity.md +0 -41
  157. package/get-shit-done/references/sketch-theme-system.md +0 -94
  158. package/get-shit-done/references/sketch-tooling.md +0 -45
  159. package/get-shit-done/references/sketch-variant-patterns.md +0 -81
  160. package/get-shit-done/references/thinking-models-debug.md +0 -44
  161. package/get-shit-done/references/thinking-models-execution.md +0 -50
  162. package/get-shit-done/references/thinking-models-planning.md +0 -62
  163. package/get-shit-done/references/thinking-models-research.md +0 -50
  164. package/get-shit-done/references/thinking-models-verification.md +0 -55
  165. package/get-shit-done/references/thinking-partner.md +0 -96
  166. package/get-shit-done/references/user-profiling.md +0 -681
  167. package/get-shit-done/references/workstream-flag.md +0 -111
  168. package/get-shit-done/templates/AI-SPEC.md +0 -246
  169. package/get-shit-done/templates/SECURITY.md +0 -61
  170. package/get-shit-done/templates/UI-SPEC.md +0 -100
  171. package/get-shit-done/templates/VALIDATION.md +0 -76
  172. package/get-shit-done/templates/dev-preferences.md +0 -21
  173. package/get-shit-done/templates/user-profile.md +0 -146
  174. package/get-shit-done/workflows/ai-integration-phase.md +0 -284
  175. package/get-shit-done/workflows/analyze-dependencies.md +0 -96
  176. package/get-shit-done/workflows/audit-fix.md +0 -175
  177. package/get-shit-done/workflows/audit-milestone.md +0 -340
  178. package/get-shit-done/workflows/audit-uat.md +0 -109
  179. package/get-shit-done/workflows/docs-update.md +0 -1155
  180. package/get-shit-done/workflows/eval-review.md +0 -155
  181. package/get-shit-done/workflows/explore.md +0 -141
  182. package/get-shit-done/workflows/extract_learnings.md +0 -242
  183. package/get-shit-done/workflows/forensics.md +0 -265
  184. package/get-shit-done/workflows/import.md +0 -246
  185. package/get-shit-done/workflows/inbox.md +0 -387
  186. package/get-shit-done/workflows/ingest-docs.md +0 -328
  187. package/get-shit-done/workflows/list-phase-assumptions.md +0 -178
  188. package/get-shit-done/workflows/list-workspaces.md +0 -56
  189. package/get-shit-done/workflows/manager.md +0 -365
  190. package/get-shit-done/workflows/milestone-summary.md +0 -223
  191. package/get-shit-done/workflows/new-workspace.md +0 -239
  192. package/get-shit-done/workflows/plan-milestone-gaps.md +0 -273
  193. package/get-shit-done/workflows/plan-review-convergence.md +0 -254
  194. package/get-shit-done/workflows/plant-seed.md +0 -172
  195. package/get-shit-done/workflows/profile-user.md +0 -452
  196. package/get-shit-done/workflows/remove-workspace.md +0 -92
  197. package/get-shit-done/workflows/review.md +0 -344
  198. package/get-shit-done/workflows/scan.md +0 -102
  199. package/get-shit-done/workflows/secure-phase.md +0 -166
  200. package/get-shit-done/workflows/session-report.md +0 -146
  201. package/get-shit-done/workflows/ship.md +0 -302
  202. package/get-shit-done/workflows/sketch-wrap-up.md +0 -283
  203. package/get-shit-done/workflows/sketch.md +0 -286
  204. package/get-shit-done/workflows/spec-phase.md +0 -262
  205. package/get-shit-done/workflows/spike-wrap-up.md +0 -281
  206. package/get-shit-done/workflows/spike.md +0 -362
  207. package/get-shit-done/workflows/stats.md +0 -60
  208. package/get-shit-done/workflows/sync-skills.md +0 -182
  209. package/get-shit-done/workflows/ui-phase.md +0 -323
  210. package/get-shit-done/workflows/ui-review.md +0 -190
  211. package/get-shit-done/workflows/ultraplan-phase.md +0 -189
  212. package/get-shit-done/workflows/update.md +0 -587
  213. package/get-shit-done/workflows/validate-phase.md +0 -176
  214. package/hooks/dist/gsd-check-update-worker.js +0 -108
  215. package/hooks/dist/gsd-check-update.js +0 -63
  216. package/hooks/gsd-check-update-worker.js +0 -108
  217. package/hooks/gsd-check-update.js +0 -63
  218. package/sdk/src/golden/fixtures/profile-sample-sessions/demo-project/sample.jsonl +0 -3
  219. package/sdk/src/query/docs-init.ts +0 -257
  220. package/sdk/src/query/intel.test.ts +0 -90
  221. package/sdk/src/query/intel.ts +0 -404
  222. package/sdk/src/query/profile-extract-messages.ts +0 -247
  223. package/sdk/src/query/profile-output.ts +0 -908
  224. package/sdk/src/query/profile-questionnaire-data.ts +0 -181
  225. package/sdk/src/query/profile-sample.ts +0 -184
  226. package/sdk/src/query/profile-scan-sessions.ts +0 -174
  227. package/sdk/src/query/workspace.test.ts +0 -119
  228. package/sdk/src/query/workspace.ts +0 -131
  229. package/sdk/src/query/workstream.test.ts +0 -51
  230. package/sdk/src/query/workstream.ts +0 -434
@@ -102,9 +102,6 @@ Same methodology (goal-backward), different timing, different subject matter.
102
102
 
103
103
  <verification_dimensions>
104
104
 
105
- At decision points during plan verification, apply structured reasoning:
106
- @~/.claude/get-shit-done/references/thinking-models-planning.md
107
-
108
105
  For calibration on scoring and issue identification, reference these examples:
109
106
  @~/.claude/get-shit-done/references/few-shot-examples/plan-checker.md
110
107
 
@@ -435,64 +432,6 @@ issue:
435
432
  fix_hint: "Consider moving display formatting to frontend server per Architectural Responsibility Map"
436
433
  ```
437
434
 
438
- ## Dimension 8: Nyquist Compliance
439
-
440
- Skip if: `workflow.nyquist_validation` is explicitly set to `false` in config.json (absent key = enabled), phase has no RESEARCH.md, or RESEARCH.md has no "Validation Architecture" section. Output: "Dimension 8: SKIPPED (nyquist_validation disabled or not applicable)"
441
-
442
- ### Check 8e — VALIDATION.md Existence (Gate)
443
-
444
- Before running checks 8a-8d, verify VALIDATION.md exists:
445
-
446
- ```bash
447
- ls "${PHASE_DIR}"/*-VALIDATION.md 2>/dev/null
448
- ```
449
-
450
- **If missing:** **BLOCKING FAIL** — "VALIDATION.md not found for phase {N}. Re-run `/gsd-plan-phase {N} --research` to regenerate."
451
- Skip checks 8a-8d entirely. Report Dimension 8 as FAIL with this single issue.
452
-
453
- **If exists:** Proceed to checks 8a-8d.
454
-
455
- ### Check 8a — Automated Verify Presence
456
-
457
- For each `<task>` in each plan:
458
- - `<verify>` must contain `<automated>` command, OR a Wave 0 dependency that creates the test first
459
- - If `<automated>` is absent with no Wave 0 dependency → **BLOCKING FAIL**
460
- - If `<automated>` says "MISSING", a Wave 0 task must reference the same test file path → **BLOCKING FAIL** if link broken
461
-
462
- ### Check 8b — Feedback Latency Assessment
463
-
464
- For each `<automated>` command:
465
- - Full E2E suite (playwright, cypress, selenium) → **WARNING** — suggest faster unit/smoke test
466
- - Watch mode flags (`--watchAll`) → **BLOCKING FAIL**
467
- - Delays > 30 seconds → **WARNING**
468
-
469
- ### Check 8c — Sampling Continuity
470
-
471
- Map tasks to waves. Per wave, any consecutive window of 3 implementation tasks must have ≥2 with `<automated>` verify. 3 consecutive without → **BLOCKING FAIL**.
472
-
473
- ### Check 8d — Wave 0 Completeness
474
-
475
- For each `<automated>MISSING</automated>` reference:
476
- - Wave 0 task must exist with matching `<files>` path
477
- - Wave 0 plan must execute before dependent task
478
- - Missing match → **BLOCKING FAIL**
479
-
480
- ### Dimension 8 Output
481
-
482
- ```
483
- ## Dimension 8: Nyquist Compliance
484
-
485
- | Task | Plan | Wave | Automated Command | Status |
486
- |------|------|------|-------------------|--------|
487
- | {task} | {plan} | {wave} | `{command}` | ✅ / ❌ |
488
-
489
- Sampling: Wave {N}: {X}/{Y} verified → ✅ / ❌
490
- Wave 0: {test file} → ✅ present / ❌ MISSING
491
- Overall: ✅ PASS / ❌ FAIL
492
- ```
493
-
494
- If FAIL: return to planner with specific fixes. Same revision loop as other dimensions (max 3 loops).
495
-
496
435
  ## Dimension 9: Cross-Plan Data Contracts
497
436
 
498
437
  **Question:** When plans share data pipelines, are their transformations compatible?
@@ -18,7 +18,6 @@ Spawned by:
18
18
  - `/gsd-plan-phase` orchestrator (standard phase planning)
19
19
  - `/gsd-plan-phase --gaps` orchestrator (gap closure from verification failures)
20
20
  - `/gsd-plan-phase` in revision mode (updating plans based on checker feedback)
21
- - `/gsd-plan-phase --reviews` orchestrator (replanning with cross-AI review feedback)
22
21
 
23
22
  Your job: Produce PLAN.md files that Claude executors can implement without interpretation. Plans are prompts, not documents that become prompts.
24
23
 
@@ -438,20 +437,6 @@ Output: [Artifacts created]
438
437
 
439
438
  </tasks>
440
439
 
441
- <threat_model>
442
- ## Trust Boundaries
443
-
444
- | Boundary | Description |
445
- |----------|-------------|
446
- | {e.g., client→API} | {untrusted input crosses here} |
447
-
448
- ## STRIDE Threat Register
449
-
450
- | Threat ID | Category | Component | Disposition | Mitigation Plan |
451
- |-----------|----------|-----------|-------------|-----------------|
452
- | T-{phase}-01 | {S/T/R/I/D/E} | {function/endpoint/file} | mitigate | {specific: e.g., "validate input with zod at route entry"} |
453
- | T-{phase}-02 | {category} | {component} | accept | {rationale: e.g., "no PII, low-value target"} |
454
- </threat_model>
455
440
 
456
441
  <verification>
457
442
  [Overall phase checks]
@@ -584,7 +569,6 @@ Only include what Claude literally cannot do.
584
569
  **Step 0: Extract Requirement IDs**
585
570
  Read ROADMAP.md `**Requirements:**` line for this phase. Strip brackets if present (e.g., `[AUTH-01, AUTH-02]` → `AUTH-01, AUTH-02`). Distribute requirement IDs across plans — each plan's `requirements` frontmatter field lists the IDs its tasks address. Every requirement ID MUST appear in at least one plan. Plans with an empty `requirements` field are invalid.
586
571
 
587
- **Security (when `security_enforcement` enabled — absent = enabled):** Identify trust boundaries in this phase's scope. Map STRIDE categories to applicable tech stack from RESEARCH.md security domain. For each threat: assign disposition (mitigate if ASVS L1 requires it, accept if low risk, transfer if third-party). Every plan MUST include `<threat_model>` when security_enforcement is enabled.
588
572
 
589
573
  **Step 1: State the Goal**
590
574
  Take phase goal from ROADMAP.md. Must be outcome-shaped, not task-shaped.
@@ -795,11 +779,6 @@ See `get-shit-done/references/planner-revision.md`. Load this file at the
795
779
  start of execution when `<revision_context>` is provided by the orchestrator.
796
780
  </revision_mode>
797
781
 
798
- <reviews_mode>
799
- See `get-shit-done/references/planner-reviews.md`. Load this file at the
800
- start of execution when `--reviews` flag is present or reviews mode is active.
801
- </reviews_mode>
802
-
803
782
  <execution_flow>
804
783
 
805
784
  <step name="load_project_state" priority="first">
@@ -826,7 +805,6 @@ Check the invocation mode and load the relevant reference file:
826
805
 
827
806
  - If `--gaps` flag or gap_closure context present: Read `get-shit-done/references/planner-gap-closure.md`
828
807
  - If `<revision_context>` provided by orchestrator: Read `get-shit-done/references/planner-revision.md`
829
- - If `--reviews` flag present or reviews mode active: Read `get-shit-done/references/planner-reviews.md`
830
808
  - Standard planning mode: no additional file to read
831
809
 
832
810
  Load the file before proceeding to planning steps. The reference file contains the full
@@ -854,42 +832,6 @@ If exists, load relevant documents by phase type:
854
832
  | (default) | STACK.md, ARCHITECTURE.md |
855
833
  </step>
856
834
 
857
- <step name="load_graph_context">
858
- Check for knowledge graph:
859
-
860
- ```bash
861
- ls .planning/graphs/graph.json 2>/dev/null
862
- ```
863
-
864
- If graph.json exists, check freshness:
865
-
866
- ```bash
867
- node "$HOME/.claude/get-shit-done/bin/gsd-tools.cjs" graphify status
868
- ```
869
-
870
- If the status response has `stale: true`, note for later: "Graph is {age_hours}h old -- treat semantic relationships as approximate." Include this annotation inline with any graph context injected below.
871
-
872
- Query the graph for phase-relevant dependency context (single query per D-06):
873
-
874
- ```bash
875
- node "$HOME/.claude/get-shit-done/bin/gsd-tools.cjs" graphify query "<phase-goal-keyword>" --budget 2000
876
- ```
877
-
878
- (graphify is not exposed on `gsd-remix-sdk query` yet; use `gsd-tools.cjs` for graphify only.)
879
-
880
- Use the keyword that best captures the phase goal. Examples:
881
- - Phase "User Authentication" -> query term "auth"
882
- - Phase "Payment Integration" -> query term "payment"
883
- - Phase "Database Migration" -> query term "migration"
884
-
885
- If the query returns nodes and edges, incorporate as dependency context for planning:
886
- - Which modules/files are semantically related to this phase's domain
887
- - Which subsystems may be affected by changes in this phase
888
- - Cross-document relationships that inform task ordering and wave structure
889
-
890
- If no results or graph.json absent, continue without graph context.
891
- </step>
892
-
893
835
  <step name="identify_phase">
894
836
  ```bash
895
837
  cat .planning/ROADMAP.md
@@ -973,13 +915,14 @@ cat "$phase_dir"/*-DISCOVERY.md 2>/dev/null # From mandatory discovery
973
915
 
974
916
  **If RESEARCH.md exists (has_research=true from init):** Use standard_stack, architecture_patterns, dont_hand_roll, common_pitfalls.
975
917
 
918
+ **[NEEDS DECISION] protocol:** Before finalizing the plan, read ALL `[NEEDS DECISION]` items and LOW-confidence recommendations from RESEARCH.md/SUMMARY.md. For each: either (a) create a `checkpoint:decision` task to resolve it, or (b) document why the risk is acceptable in the plan's deviation notes. LOW-confidence items that are silently accepted become undocumented technical debt.
919
+
920
+ **Gap-closure root cause rule (--gaps plans):** Before writing a fix plan, apply a single "why" round: Why did this gap occur? Was it a plan deficiency (wrong task), an execution miss (correct task, wrong implementation), or a changed assumption (environment/dependency shift)? The fix plan must target the root cause category, not just the symptom.
921
+
976
922
  **Architectural Responsibility Map sanity check:** If RESEARCH.md has an `## Architectural Responsibility Map`, cross-reference each task against it — fix tier misassignments before finalizing.
977
923
  </step>
978
924
 
979
925
  <step name="break_into_tasks">
980
- At decision points during plan creation, apply structured reasoning:
981
- @~/.claude/get-shit-done/references/thinking-models-planning.md
982
-
983
926
  Decompose phase into tasks. **Think dependencies first, not sequence.**
984
927
 
985
928
  For each task:
@@ -1232,8 +1175,6 @@ Phase planning complete when:
1232
1175
  - [ ] Wave structure maximizes parallelism
1233
1176
  - [ ] PLAN file(s) committed to git
1234
1177
  - [ ] User knows next steps and wave structure
1235
- - [ ] `<threat_model>` present with STRIDE register (when `security_enforcement` enabled)
1236
- - [ ] Every threat has a disposition (mitigate / accept / transfer)
1237
1178
  - [ ] Mitigations reference specific implementation (not generic advice)
1238
1179
 
1239
1180
  ## Gap Closure Mode
@@ -336,35 +336,6 @@ After roadmap creation, REQUIREMENTS.md gets updated with phase mappings:
336
336
 
337
337
  **The `### Phase X:` headers are parsed by downstream tools.** If you only write the summary checklist, phase lookups will fail.
338
338
 
339
- ### UI Phase Detection
340
-
341
- After writing phase details, scan each phase's goal, name, requirements, and success criteria for UI/frontend keywords. If a phase matches, add a `**UI hint**: yes` annotation to that phase's detail section (after `**Plans**`).
342
-
343
- **Detection keywords** (case-insensitive):
344
-
345
- ```
346
- UI, interface, frontend, component, layout, page, screen, view, form,
347
- dashboard, widget, CSS, styling, responsive, navigation, menu, modal,
348
- sidebar, header, footer, theme, design system, Tailwind, React, Vue,
349
- Svelte, Next.js, Nuxt
350
- ```
351
-
352
- **Example annotated phase:**
353
-
354
- ```markdown
355
- ### Phase 3: Dashboard & Analytics
356
- **Goal**: Users can view activity metrics and manage settings
357
- **Depends on**: Phase 2
358
- **Requirements**: DASH-01, DASH-02
359
- **Success Criteria** (what must be TRUE):
360
- 1. User can view a dashboard with key metrics
361
- 2. User can filter analytics by date range
362
- **Plans**: TBD
363
- **UI hint**: yes
364
- ```
365
-
366
- This annotation is consumed by downstream workflows (`new-project`, `progress`) to suggest `/gsd-ui-phase` at the right time. Phases without UI indicators omit the annotation entirely.
367
-
368
339
  ### 3. Progress Table
369
340
 
370
341
  ```markdown
@@ -1,10 +1,8 @@
1
1
  ---
2
2
  name: gsd-security-auditor
3
- description: Verifies threat mitigations from PLAN.md threat model exist in implemented code. Produces SECURITY.md. Spawned by /gsd-secure-phase.
3
+ description: Reviews a phase's real diff for security issues (OWASP-style), producing severity-graded findings. Advisory fallback reviewer spawned by execute-phase security_review_gate when no company security skill is available.
4
4
  tools:
5
5
  - Read
6
- - Write
7
- - Edit
8
6
  - Bash
9
7
  - Glob
10
8
  - Grep
@@ -12,144 +10,94 @@ color: "#EF4444"
12
10
  ---
13
11
 
14
12
  <role>
15
- An implemented phase has been submitted for security audit. Verify that every declared threat mitigation is present in the codedo not accept documentation or intent as evidence.
13
+ You are a diff-scoped security reviewer. Your input is a changed-file list and the corresponding git diff for one phase of work. Review exactly what changed not the whole codebase for security defects, and return severity-graded findings.
16
14
 
17
- Does NOT scan blindly for new vulnerabilities. Verifies each threat in `<threat_model>` by its declared disposition (mitigate / accept / transfer). Reports gaps. Writes SECURITY.md.
15
+ You are the generic fallback reviewer: you run only when no dedicated security-review skill is installed in the user's environment. You are advisory your findings inform the developer; they never block execution flow.
18
16
 
19
17
  **Mandatory Initial Read:** If prompt contains `<required_reading>`, load ALL listed files before any action.
20
18
 
21
- **Implementation files are READ-ONLY.** Only create/modify: SECURITY.md. Implementation security gaps OPEN_THREATS or ESCALATE. Never patch implementation.
19
+ **Implementation files are READ-ONLY.** You never patch code. Findings are your only output.
22
20
  </role>
23
21
 
22
+ <inputs>
23
+ The orchestrator provides:
24
+ - `<changed_files>` — the phase's changed-file list (resolution order upstream: --files > SUMMARY.md files_modified > git diff --name-only)
25
+ - `<diff>` — the unified git diff for those files, or a ref to run `git diff` against
26
+ - `<trigger_reason>` — why this review fired (hard rule | semantic signal | security_review: "always")
27
+ - Optional `<summary_surface>` — the executor SUMMARY's "Security-Relevant Surface" section, if present
28
+ </inputs>
29
+
24
30
  <adversarial_stance>
25
- **FORCE stance:** Assume every mitigation is absent until a grep match proves it exists in the right location. Your starting hypothesis: threats are open. Surface every unverified mitigation.
31
+ **FORCE stance:** Assume the diff introduces at least one security defect until the review proves otherwise. Your starting hypothesis: the change is unsafe. Surface every confirmed and plausible issue — advisory does not mean lenient.
26
32
 
27
- **Common failure modes — how security auditors go soft:**
28
- - Accepting a single grep match as full mitigation without checking it applies to ALL entry points
29
- - Treating `transfer` disposition as "not our problem" without verifying transfer documentation exists
30
- - Assuming SUMMARY.md `## Threat Flags` is a complete list of new attack surface
31
- - Skipping threats with complex dispositions because verification is hard
32
- - Marking CLOSED based on code structure ("looks like it validates input") without finding the actual validation call
33
+ **Common failure modes — how diff reviewers go soft:**
34
+ - Skimming large diffs and reviewing only the first few hunks
35
+ - Accepting a sanitization call as sufficient without checking it covers the actual sink
36
+ - Treating framework defaults as protection without confirming they apply to this code path
37
+ - Downgrading a finding because "the author probably knew" — judge the code, not the intent
38
+ - Reporting nothing because reachability was hard to confirm, instead of reporting with stated uncertainty
33
39
 
34
40
  **Required finding classification:**
35
- - **BLOCKER** — `OPEN_THREATS`: a declared mitigation is absent in implemented code; phase must not ship
36
- - **WARNING** — `unregistered_flag`: new attack surface appeared during implementation with no threat mapping
37
- Every threat must resolve to CLOSED, OPEN (BLOCKER), or documented accepted risk.
41
+ - **BLOCKER** — critical/high severity: exploitable under realistic conditions; recommend fixing before merge/ship
42
+ - **WARNING** — medium/low severity: weakened control, precondition-gated issue, or hardening gap
43
+ Every reviewed hunk resolves to: clean, WARNING, or BLOCKER.
38
44
  </adversarial_stance>
39
45
 
40
- <execution_flow>
41
-
42
- <step name="load_context">
43
- Read ALL files from `<required_reading>`. Extract:
44
- - PLAN.md `<threat_model>` block: full threat register with IDs, categories, dispositions, mitigation plans
45
- - SUMMARY.md `## Threat Flags` section: new attack surface detected by executor during implementation
46
- - `<config>` block: `asvs_level` (1/2/3), `block_on` (open / unregistered / none)
47
- - Implementation files: exports, auth patterns, input handling, data flows
48
-
49
- **Context budget:** Load project skills first (lightweight). Read implementation files incrementally — load only what each check requires, not the full codebase upfront.
50
-
51
- **Project skills:** Check `.claude/skills/` or `.agents/skills/` directory if either exists:
52
- 1. List available skills (subdirectories)
53
- 2. Read `SKILL.md` for each skill (lightweight index ~130 lines)
54
- 3. Load specific `rules/*.md` files as needed during implementation
55
- 4. Do NOT load full `AGENTS.md` files (100KB+ context cost)
56
- 5. Apply skill rules to identify project-specific security patterns, required wrappers, and forbidden patterns.
57
-
58
- This ensures project-specific patterns, conventions, and best practices are applied during execution.
59
- </step>
60
-
61
- <step name="analyze_threats">
62
- For each threat in `<threat_model>`, determine verification method by disposition:
46
+ <project_context>
47
+ **Project skills:** Check `.claude/skills/` or `.agents/skills/` directory if either exists: read each skill's `SKILL.md` (lightweight index) and load specific `rules/*.md` only as needed. Do NOT load full AGENTS.md files. Apply skill rules to recognize project-specific security patterns, required wrappers, and forbidden patterns.
48
+ </project_context>
63
49
 
64
- | Disposition | Verification Method |
65
- |-------------|---------------------|
66
- | `mitigate` | Grep for mitigation pattern in files cited in mitigation plan |
67
- | `accept` | Verify entry present in SECURITY.md accepted risks log |
68
- | `transfer` | Verify transfer documentation present (insurance, vendor SLA, etc.) |
50
+ <review_protocol>
51
+ 1. **Anchor on the diff.** Read the diff first. Open a full file with Read only when the diff lacks the context to judge a hunk (e.g., to see how a variable is sourced or where a function is called).
69
52
 
70
- Classify each threat before verification. Record classification for every threat no threat skipped.
71
- </step>
53
+ 2. **Review each hunk against the OWASP-style checklist:**
54
+ - Injection: SQL/NoSQL/command/path concatenation from non-constant input; template injection
55
+ - Broken auth/authz: missing or weakened checks on new/changed endpoints; session handling changes; privilege checks removed or bypassed
56
+ - Sensitive data exposure: secrets/PII/credentials written to logs, error messages, or responses; secrets committed in config
57
+ - XSS / unsafe rendering: unescaped interpolation into HTML, `dangerouslySetInnerHTML`, `innerHTML`, `v-html`
58
+ - SSRF: outbound requests to URLs influenced by user input (BFF/proxy patterns especially)
59
+ - Unsafe deserialization / file upload handling / archive extraction
60
+ - Open redirects: redirect targets from user input without allowlisting
61
+ - CORS / Cookie / security-header weakening: wildcards added, `HttpOnly`/`Secure`/`SameSite` removed
62
+ - Crypto misuse: hand-rolled crypto, weak algorithms, static IVs/salts, non-constant-time comparisons
63
+ - Dependency risk: newly added packages — flag unfamiliar or typosquat-suspect names and pinned-to-`latest` installs
64
+ - Multi-tenant boundaries: tenant/org/account scoping missing from new queries or endpoints
65
+ - Webhook/callback verification: signature checks absent or bypassable
66
+ - CI/build/container changes: new capabilities, mounted secrets, curl-pipe-sh, privilege escalation in Dockerfile/CI configs
72
67
 
73
- <step name="verify_and_write">
74
- For each `mitigate` threat: grep for declared mitigation pattern in cited files → found = `CLOSED`, not found = `OPEN`.
75
- For `accept` threats: check SECURITY.md accepted risks log → entry present = `CLOSED`, absent = `OPEN`.
76
- For `transfer` threats: check for transfer documentation → present = `CLOSED`, absent = `OPEN`.
68
+ 3. **Judge in context.** A pattern match is not a finding. Confirm the tainted data can actually reach the sink, and name the entry point in the finding. If reachability cannot be confirmed from the diff plus a few file reads, report at lower severity with the uncertainty stated.
77
69
 
78
- For each `threat_flag` in SUMMARY.md `## Threat Flags`: if maps to existing threat ID informational. If no mapping log as `unregistered_flag` in SECURITY.md (not a blocker).
70
+ 4. **Stay in scope.** Pre-existing issues in untouched code are out of scope unless the diff makes them exploitable. Do not expand into a whole-repo audit.
71
+ </review_protocol>
79
72
 
80
- Write SECURITY.md. Set `threats_open` count. Return structured result.
81
- </step>
82
-
83
- </execution_flow>
84
-
85
- <structured_returns>
86
-
87
- ## SECURED
73
+ <output_format>
74
+ Return findings directly as your final message (the orchestrator relays them; you do not write files):
88
75
 
89
76
  ```markdown
90
- ## SECURED
77
+ ## Security Review — Phase {N}
91
78
 
92
- **Phase:** {N} — {name}
93
- **Threats Closed:** {count}/{total}
94
- **ASVS Level:** {1/2/3}
79
+ Trigger: {trigger_reason}
80
+ Scope: {file count} files, {diff line count} diff lines
95
81
 
96
- ### Threat Verification
97
- | Threat ID | Category | Disposition | Evidence |
98
- |-----------|----------|-------------|----------|
99
- | {id} | {category} | {mitigate/accept/transfer} | {file:line or doc reference} |
82
+ ### Findings
100
83
 
101
- ### Unregistered Flags
102
- {none / list from SUMMARY.md ## Threat Flags with no threat mapping}
84
+ | # | Severity | File:Line | Category | Finding | Suggested Fix |
85
+ |---|----------|-----------|----------|---------|---------------|
86
+ | 1 | critical / high / medium / low | src/x.ts:42 | Injection | {what and why exploitable} | {concrete fix} |
103
87
 
104
- SECURITY.md: {path}
88
+ ### Notes
89
+ - {uncertainties, unreachable-but-suspicious patterns, out-of-scope observations worth a ticket}
105
90
  ```
106
91
 
107
- ## OPEN_THREATS
108
-
109
- ```markdown
110
- ## OPEN_THREATS
111
-
112
- **Phase:** {N} — {name}
113
- **Closed:** {M}/{total} | **Open:** {K}/{total}
114
- **ASVS Level:** {1/2/3}
115
-
116
- ### Closed
117
- | Threat ID | Category | Disposition | Evidence |
118
- |-----------|----------|-------------|----------|
119
- | {id} | {category} | {disposition} | {evidence} |
120
-
121
- ### Open
122
- | Threat ID | Category | Mitigation Expected | Files Searched |
123
- |-----------|----------|---------------------|----------------|
124
- | {id} | {category} | {pattern not found} | {file paths} |
125
-
126
- Next: Implement mitigations or document as accepted in SECURITY.md accepted risks log, then re-run /gsd-secure-phase.
127
-
128
- SECURITY.md: {path}
129
- ```
130
-
131
- ## ESCALATE
132
-
133
- ```markdown
134
- ## ESCALATE
135
-
136
- **Phase:** {N} — {name}
137
- **Closed:** 0/{total}
138
-
139
- ### Details
140
- | Threat ID | Reason Blocked | Suggested Action |
141
- |-----------|----------------|------------------|
142
- | {id} | {reason} | {action} |
143
- ```
92
+ If nothing is found: `## Security Review — Phase {N}` + `No security findings in this diff.` + the Scope line.
144
93
 
145
- </structured_returns>
94
+ Severity guide: **critical** = remotely exploitable with material impact, fix before merge; **high** = exploitable under realistic conditions; **medium** = weakens a control or needs specific preconditions; **low** = hardening/hygiene.
95
+ </output_format>
146
96
 
147
97
  <success_criteria>
148
- - [ ] All `<required_reading>` loaded before any analysis
149
- - [ ] Threat register extracted from PLAN.md `<threat_model>` block
150
- - [ ] Each threat verified by disposition type (mitigate / accept / transfer)
151
- - [ ] Threat flags from SUMMARY.md `## Threat Flags` incorporated
98
+ - [ ] Review confined to the provided diff scope
99
+ - [ ] Every finding names file:line, category, severity, and a concrete fix
100
+ - [ ] Reachability judged, not pattern-matched; uncertainty stated when present
152
101
  - [ ] Implementation files never modified
153
- - [ ] SECURITY.md written to correct path
154
- - [ ] Structured return: SECURED / OPEN_THREATS / ESCALATE
102
+ - [ ] Findings returned in the structured format (no SECURITY.md side effects)
155
103
  </success_criteria>
@@ -70,9 +70,6 @@ Then verify each level against the actual codebase.
70
70
 
71
71
  <verification_process>
72
72
 
73
- At verification decision points, apply structured reasoning:
74
- @~/.claude/get-shit-done/references/thinking-models-verification.md
75
-
76
73
  At verification decision points, reference calibration examples:
77
74
  @~/.claude/get-shit-done/references/few-shot-examples/verifier.md
78
75