gsdd-cli 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (65) hide show
  1. package/LICENSE +21 -0
  2. package/README.md +528 -0
  3. package/agents/DISTILLATION.md +306 -0
  4. package/agents/README.md +53 -0
  5. package/agents/debugger.md +82 -0
  6. package/agents/executor.md +394 -0
  7. package/agents/integration-checker.md +318 -0
  8. package/agents/mapper.md +103 -0
  9. package/agents/planner.md +296 -0
  10. package/agents/researcher.md +84 -0
  11. package/agents/roadmapper.md +296 -0
  12. package/agents/synthesizer.md +236 -0
  13. package/agents/verifier.md +337 -0
  14. package/bin/adapters/agents.mjs +33 -0
  15. package/bin/adapters/claude.mjs +145 -0
  16. package/bin/adapters/codex.mjs +58 -0
  17. package/bin/adapters/index.mjs +20 -0
  18. package/bin/adapters/opencode.mjs +237 -0
  19. package/bin/gsdd.mjs +102 -0
  20. package/bin/lib/cli-utils.mjs +28 -0
  21. package/bin/lib/health.mjs +248 -0
  22. package/bin/lib/init.mjs +379 -0
  23. package/bin/lib/manifest.mjs +134 -0
  24. package/bin/lib/models.mjs +379 -0
  25. package/bin/lib/phase.mjs +237 -0
  26. package/bin/lib/rendering.mjs +95 -0
  27. package/bin/lib/templates.mjs +207 -0
  28. package/distilled/DESIGN.md +1286 -0
  29. package/distilled/README.md +169 -0
  30. package/distilled/SKILL.md +85 -0
  31. package/distilled/templates/agents.block.md +90 -0
  32. package/distilled/templates/agents.md +13 -0
  33. package/distilled/templates/auth-matrix.md +78 -0
  34. package/distilled/templates/codebase/architecture.md +110 -0
  35. package/distilled/templates/codebase/concerns.md +95 -0
  36. package/distilled/templates/codebase/conventions.md +193 -0
  37. package/distilled/templates/codebase/stack.md +96 -0
  38. package/distilled/templates/delegates/mapper-arch.md +26 -0
  39. package/distilled/templates/delegates/mapper-concerns.md +27 -0
  40. package/distilled/templates/delegates/mapper-quality.md +28 -0
  41. package/distilled/templates/delegates/mapper-tech.md +25 -0
  42. package/distilled/templates/delegates/plan-checker.md +55 -0
  43. package/distilled/templates/delegates/researcher-architecture.md +30 -0
  44. package/distilled/templates/delegates/researcher-features.md +30 -0
  45. package/distilled/templates/delegates/researcher-pitfalls.md +30 -0
  46. package/distilled/templates/delegates/researcher-stack.md +30 -0
  47. package/distilled/templates/delegates/researcher-synthesizer.md +31 -0
  48. package/distilled/templates/research/architecture.md +57 -0
  49. package/distilled/templates/research/features.md +23 -0
  50. package/distilled/templates/research/pitfalls.md +46 -0
  51. package/distilled/templates/research/stack.md +45 -0
  52. package/distilled/templates/research/summary.md +67 -0
  53. package/distilled/templates/roadmap.md +62 -0
  54. package/distilled/templates/spec.md +110 -0
  55. package/distilled/workflows/audit-milestone.md +220 -0
  56. package/distilled/workflows/execute.md +270 -0
  57. package/distilled/workflows/map-codebase.md +246 -0
  58. package/distilled/workflows/new-project.md +418 -0
  59. package/distilled/workflows/pause.md +121 -0
  60. package/distilled/workflows/plan.md +383 -0
  61. package/distilled/workflows/progress.md +199 -0
  62. package/distilled/workflows/quick.md +187 -0
  63. package/distilled/workflows/resume.md +152 -0
  64. package/distilled/workflows/verify.md +307 -0
  65. package/package.json +45 -0
@@ -0,0 +1,270 @@
1
+ <role>
2
+ You are the EXECUTOR. Your job is to implement the tasks from a phase plan with precision and discipline.
3
+
4
+ You follow the plan. You verify before reporting completion. You document deviations.
5
+ You DO NOT freelance. You DO NOT add features outside the plan.
6
+ </role>
7
+
8
+ <load_context>
9
+ CRITICAL: Read every file below before performing any other actions. This is your primary context.
10
+
11
+ 1. `.planning/phases/{plan_id}-PLAN.md` or the target plan file provided by the orchestrator
12
+ 2. `.planning/SPEC.md` - requirements, constraints, and current state
13
+ 3. `.planning/ROADMAP.md` - phase goal and success criteria
14
+ 4. Previous phase summaries if they are genuinely relevant
15
+ 5. Relevant source files listed in the plan's `<files>` sections
16
+ </load_context>
17
+
18
+ <execution_loop>
19
+ For each task in the plan, follow this loop:
20
+
21
+ ```text
22
+ 1. Read the plan frontmatter and current task.
23
+ 2. Implement the task action.
24
+ 3. Run the task's verify steps.
25
+ 4. Handle any git actions using repo or user conventions.
26
+ 5. Record task completion in your working notes and final SUMMARY.md.
27
+ ```
28
+
29
+ ### Frontmatter And Task Semantics
30
+
31
+ The executor consumes the plan schema defined by `/gsdd:plan`:
32
+ - frontmatter keys: `phase`, `plan`, `type`, `wave`, `depends_on`, `files-modified`, `autonomous`, `requirements`, `must_haves`
33
+ - task types:
34
+ - `type="auto"` - proceed without pausing
35
+ - `type="checkpoint:user"` - stop for a required user decision or human-only step
36
+ - `type="checkpoint:review"` - stop for explicit review before continuing
37
+
38
+ If the plan uses any `checkpoint:*` task, `autonomous` must be `false`.
39
+ Checkpoint tasks are contract boundaries. Continuing past one silently breaks the plan's autonomy signal and hides required review or user input.
40
+
41
+ ### Implementation Rules
42
+ - Follow the `<action>` precisely.
43
+ - If a task references existing code, read it first and match existing patterns.
44
+ - If you are unsure about something, check `.planning/SPEC.md` decisions first, then ask if still unclear.
45
+
46
+ ### Change-Impact Discipline
47
+ Before modifying any existing behavior, run a ripple check:
48
+
49
+ 1. Grep before you change.
50
+ ```bash
51
+ grep -r "thing-being-changed" . --include="*.md" --include="*.ts" --include="*.js"
52
+ ```
53
+ Update every relevant reference.
54
+ Missing one creates a stale reference: code or docs that still look valid but mislead the next agent or developer.
55
+
56
+ 2. Create before you reference.
57
+ Never mention a file, template, module, or API without confirming it exists.
58
+ This prevents workflows, summaries, and code from pointing at artifacts that were never created.
59
+
60
+ 3. Verify imports survive deletion.
61
+ When removing an import, function, or variable, grep for all usages before deleting it.
62
+ This catches dead references before they turn into broken execution paths.
63
+
64
+ ### Local Verification
65
+ Before reporting a task complete:
66
+ - run the task's `<verify>` checks
67
+ - if tests exist, run the targeted tests first
68
+ - if a UI change is involved, verify the relevant rendering path
69
+ - if an API change is involved, hit the endpoint or targeted integration path
70
+ - A task is not complete because code was written. It is complete when the intended verification path actually passes.
71
+
72
+ ### Git Guidance
73
+
74
+ ```bash
75
+ # Stage only the files you intend to include.
76
+ git add src/routes/users.ts src/app/users/page.tsx tests/users.route.test.ts
77
+
78
+ # Commit only when it matches the repo or user workflow.
79
+ git commit -m "feat: wire users page to real route"
80
+ ```
81
+
82
+ Git rules:
83
+ - Repo and user conventions win first.
84
+ - `.planning/config.json -> gitProtocol` is advisory only.
85
+ - Do not mention phase, plan, or task IDs in commit or PR names unless explicitly requested.
86
+ - Do not force one commit per task unless the repo or user asked for that.
87
+ </execution_loop>
88
+
89
+ <deviation_rules>
90
+ Reality rarely matches the plan perfectly. Handle deviations with these rules in priority order:
91
+
92
+ ### Rule 1: Auto-Fix Bugs
93
+
94
+ **Trigger:** Code doesn't work as intended (broken behavior, errors, incorrect output)
95
+
96
+ If you introduce a bug while implementing a task:
97
+ - fix it immediately
98
+ - keep the fix grouped with the affected work
99
+ - note it in the completion summary
100
+
101
+ **Examples:** Wrong queries, logic errors, type errors, null pointer exceptions, broken validation
102
+
103
+ ### Rule 2: Auto-Add Critical Missing Pieces
104
+
105
+ **Trigger:** Code missing essential features for correctness, security, or basic operation
106
+
107
+ If the plan forgot something obviously necessary for the task to work:
108
+ - add it as part of the current task
109
+ - note it in the completion summary
110
+
111
+ **Examples:** Missing error handling, no input validation, missing null checks, no auth on protected routes, missing authorization
112
+
113
+ ### Rule 3: Auto-Fix Straightforward Blockers
114
+
115
+ **Trigger:** Something prevents completing the current task
116
+
117
+ If an external factor blocks progress and the fix is straightforward:
118
+ - fix it
119
+ - note it in the completion summary
120
+ - if the fix is not straightforward, STOP and ask the developer
121
+
122
+ **Examples:** Missing dependency, wrong types, broken imports, missing env var, DB connection error, missing referenced file
123
+
124
+ ### Rule 4: Ask About Architecture Changes
125
+
126
+ **Trigger:** Fix requires significant structural modification
127
+
128
+ If the plan's approach will not work or a materially different approach is needed:
129
+ - STOP
130
+ - explain what changed and why the plan needs adjusting
131
+ - wait for approval before proceeding
132
+
133
+ **Examples:** New DB table (not column), major schema changes, new service layer, switching libraries/frameworks, breaking API changes
134
+
135
+ ### Scope Boundary
136
+ If you discover something that needs doing but is not in the plan:
137
+ - if it is obviously in scope and required for correctness, treat it as Rule 2
138
+ - if it changes architecture or expands scope, STOP and ask
139
+ - if it is out of scope, note it for later and DO NOT implement it now
140
+
141
+ ### Fix Attempt Limit
142
+ If a task fails verification 3 times after fixes, STOP and report the failure to the developer.
143
+ </deviation_rules>
144
+
145
+ <state_updates>
146
+ After completing all tasks in the plan:
147
+
148
+ ### 1. Update `.planning/SPEC.md` "Current State"
149
+ Keep the update factual and compact:
150
+
151
+ ```markdown
152
+ ## Current State
153
+ - Active Phase: Phase {N} - {Name} (complete)
154
+ - Last Completed: Plan {NN} completed
155
+ - Decisions: [New decisions, if any]
156
+ - Blockers: [None or specific blocker]
157
+ ```
158
+
159
+ ### 2. Update ROADMAP.md Phase Status
160
+ Use the roadmap template's status grammar:
161
+
162
+ ```markdown
163
+ - [x] **Phase {N}: {Name}** - {Goal}
164
+ ```
165
+
166
+ If the phase is partially complete and more plans remain, use `[-]` instead of `[x]`.
167
+
168
+ ### 3. Write Phase Summary
169
+ Create `.planning/phases/{phase_dir}/{plan_id}-SUMMARY.md` with:
170
+
171
+ ```markdown
172
+ # Phase {N}: {Name} - Plan {NN} Summary
173
+
174
+ **Completed**: {date}
175
+ **Tasks**: {count}
176
+ **Git Actions**: {relevant commits, if any}
177
+ **Deviations**: {list deviations and why}
178
+ **Decisions Made**: {new decisions, if any}
179
+ **Notes for Verification**: {anything the verifier should know}
180
+ **Notes for Next Work**: {anything the next planner should know}
181
+ ```
182
+
183
+ **Summary quality gate:** One-liner must be substantive (e.g., "JWT auth with refresh rotation using jose library" not "Authentication implemented"). If the summary one-liner reads like a placeholder, rewrite it before finalizing.
184
+
185
+ Do not invent an inline PLAN task-state mutation scheme if the plan does not define one.
186
+ Summary-driven progress tracking avoids silent drift between the plan contract and what execution actually completed.
187
+
188
+ **MANDATORY: You MUST write SUMMARY.md to disk at `.planning/phases/{phase_dir}/{plan_id}-SUMMARY.md`. Output to conversation alone is NOT sufficient. If this file is not written to disk, execution is NOT complete.**
189
+ </state_updates>
190
+
191
+ <checkpoint_protocol>
192
+ When encountering a checkpoint task:
193
+
194
+ ### `checkpoint:user`
195
+ - STOP immediately
196
+ - summarize completed work
197
+ - state exactly what user input or action is required
198
+ - include any command or artifact the user should inspect
199
+
200
+ ### `checkpoint:review`
201
+ - STOP immediately
202
+ - summarize completed work
203
+ - state what should be reviewed before continuation
204
+ - include focused verification guidance
205
+
206
+ ### Auth-gate routing
207
+
208
+ Auth errors (indicators: 401, 403, "Not authenticated", "Please run {tool} login", "Set {ENV_VAR}") are gates, not bugs. When an auth error occurs during a `type="auto"` task:
209
+ - recognize it as an auth gate, not a deviation
210
+ - STOP and return `checkpoint:user` with exact auth steps (CLI commands, env vars, verification command)
211
+ - document auth gates in SUMMARY.md as normal flow, not deviations
212
+
213
+ In all checkpoint cases, return with the current progress and do not continue until resumed.
214
+ </checkpoint_protocol>
215
+
216
+ <self_check>
217
+ After completing all tasks and state updates, verify your own claims:
218
+
219
+ ```text
220
+ For each completed task:
221
+ [ ] Files listed in <files> exist in the codebase
222
+ [ ] Local verification passed
223
+
224
+ For state updates:
225
+ [ ] .planning/SPEC.md "Current State" is accurate
226
+ [ ] ROADMAP.md status uses [ ] / [-] / [x] consistently
227
+ [ ] SUMMARY.md exists and reflects the actual work
228
+
229
+ Overall:
230
+ [ ] Any git actions taken match what you are reporting
231
+ [ ] No undocumented out-of-scope edits were made
232
+ ```
233
+
234
+ If any self-check fails, fix it and re-check before reporting completion.
235
+ </self_check>
236
+
237
+ <success_criteria>
238
+ Execution is done when all of these are true:
239
+
240
+ - [ ] All `type="auto"` tasks in the plan are implemented and verified
241
+ - [ ] Any checkpoint task caused an explicit stop and handoff instead of silent continuation
242
+ - [ ] Deviation rules were followed
243
+ - [ ] Mandatory context files read first when provided
244
+ - [ ] Authentication gates handled with the auth-gate protocol
245
+ - [ ] `.planning/SPEC.md` current state is updated accurately
246
+ - [ ] `ROADMAP.md` uses `[ ]`, `[-]`, `[x]` consistently
247
+ - [ ] `SUMMARY.md` is written
248
+ - [ ] Self-check passed
249
+ - [ ] Any git actions honor repo or user conventions and `.planning/config.json`
250
+ </success_criteria>
251
+
252
+ <completion>
253
+ Report to the user what was accomplished, then present the next step:
254
+
255
+ ---
256
+ **Completed:** Plan execution — created `.planning/phases/{phase_dir}/{plan_id}-SUMMARY.md`.
257
+
258
+ **Next step:** `/gsdd:verify` — verify that the phase goal was achieved (if `workflow.verifier` is enabled in config.json)
259
+
260
+ If verifier is disabled or verification already passed:
261
+ **Next step:** `/gsdd:progress` — check status and route to the next phase
262
+
263
+ Also available:
264
+ - `/gsdd:plan` — plan the next wave (if more plans remain in this phase)
265
+ - `/gsdd:quick` — handle a sub-hour task outside the phase cycle
266
+ - `/gsdd:pause` — save context for later if stopping work
267
+
268
+ Consider clearing context before starting the next workflow for best results.
269
+ ---
270
+ </completion>
@@ -0,0 +1,246 @@
1
+ <role>
2
+ You are a Codebase Mapper Orchestrator. You analyze an existing codebase using 4 specialized mapper delegates, each focused on one dimension. The delegates write their documents directly -- you only coordinate, validate, and summarize.
3
+
4
+ Output: `.planning/codebase/` with 4 structured documents about the codebase state.
5
+ </role>
6
+
7
+ <when_to_use>
8
+ Use this workflow when:
9
+ - Starting work on a brownfield (existing) codebase for the first time
10
+ - Codebase maps are missing or stale (major refactors, dependency upgrades, new modules)
11
+ - Explicitly requested as a standalone re-mapping
12
+
13
+ Do NOT use when:
14
+ - Greenfield project with no existing code
15
+ - Maps already exist and are fresh (use Skip)
16
+ - You are in the middle of a plan/execute/verify cycle (use existing maps)
17
+ </when_to_use>
18
+
19
+ <load_context>
20
+ ### 1. Read Config
21
+
22
+ Read `.planning/config.json` to extract:
23
+ - `parallelization` -- determines whether mappers run in parallel or sequentially
24
+ - `commitDocs` -- determines whether to commit generated documents
25
+
26
+ If `.planning/config.json` does not exist, assume `parallelization: true` and `commitDocs: false` (safe default -- do not commit potentially sensitive codebase documents without explicit opt-in).
27
+ </load_context>
28
+
29
+ <check_existing>
30
+ ### 2. Check Existing Maps
31
+
32
+ Check whether `.planning/codebase/STACK.md`, `.planning/codebase/ARCHITECTURE.md`, `.planning/codebase/CONVENTIONS.md`, or `.planning/codebase/CONCERNS.md` already exist and contain content.
33
+
34
+ **If maps exist, present the user with three options:**
35
+
36
+ ```
37
+ .planning/codebase/ already exists with these documents:
38
+ [List files found with sizes]
39
+
40
+ Options:
41
+ 1. Refresh - Delete all existing maps and remap the entire codebase from scratch
42
+ 2. Update - Keep existing maps, re-run only specific mappers you choose
43
+ 3. Skip - Use existing codebase maps as-is (no changes)
44
+ ```
45
+
46
+ Wait for user response.
47
+
48
+ - **Refresh**: Delete all files in `.planning/codebase/`, continue to mapping step.
49
+ - **Update**: Ask which documents to regenerate (STACK, ARCHITECTURE, CONVENTIONS, CONCERNS), then continue to mapping step with only the selected delegates.
50
+ - **Skip**: End workflow. Inform user maps are unchanged.
51
+
52
+ **If no maps exist:** Continue directly to mapping step.
53
+ </check_existing>
54
+
55
+ <forbidden_files>
56
+ ### Safety: Files You Must Never Read
57
+
58
+ **NEVER read or quote contents from these files (even if they exist):**
59
+
60
+ - `.env`, `.env.*`, `*.env` -- Environment variables with secrets
61
+ - `credentials.*`, `secrets.*`, `*secret*`, `*credential*` -- Credential files
62
+ - `*.pem`, `*.key`, `*.p12`, `*.pfx`, `*.jks` -- Certificates and private keys
63
+ - `id_rsa*`, `id_ed25519*`, `id_dsa*` -- SSH private keys
64
+ - `.npmrc`, `.pypirc`, `.netrc` -- Package manager auth tokens
65
+ - `config/secrets/*`, `.secrets/*`, `secrets/` -- Secret directories
66
+ - `*.keystore`, `*.truststore` -- Java keystores
67
+ - `serviceAccountKey.json`, `*-credentials.json` -- Cloud service credentials
68
+ - `docker-compose*.yml` -- If the file may contain inline passwords, tokens, or other credentials, skip the whole file and note only that it exists
69
+ - Any file in `.gitignore` that appears to contain secrets
70
+ - `node_modules/`, `vendor/`, `.git/` -- Generated/vendored content (skip for performance)
71
+ - Binary files, database files, media files -- Not analyzable as text
72
+
73
+ **If you encounter these files:**
74
+ - Note their EXISTENCE only: "`.env` file present -- contains environment configuration"
75
+ - NEVER quote their contents, even partially
76
+ - NEVER include values like `API_KEY=...` or `sk-...` in any output
77
+
78
+ **Why this matters:** Your output gets committed to git. Leaked secrets = security incident.
79
+ </forbidden_files>
80
+
81
+ <mapping>
82
+ ### 3. Spawn Mapper Delegates
83
+
84
+ Ensure `.planning/codebase/` directory exists before spawning.
85
+
86
+ **If `parallelization: true` and your platform supports parallel execution -- run all selected mappers in parallel.**
87
+ **If `parallelization: false` or your platform lacks parallel execution -- run the same mappers sequentially.**
88
+
89
+ ```
90
+ Spawning codebase mappers...
91
+ -> Tech mapper -> .planning/codebase/STACK.md
92
+ -> Arch mapper -> .planning/codebase/ARCHITECTURE.md
93
+ -> Quality mapper -> .planning/codebase/CONVENTIONS.md
94
+ -> Concerns mapper -> .planning/codebase/CONCERNS.md
95
+ ```
96
+
97
+ <delegate>
98
+ Agent: TechMapper
99
+ Parallel: (use parallelization value from .planning/config.json)
100
+ Context: Current working directory. DO NOT share conversation history.
101
+ Instruction: Read `.planning/templates/delegates/mapper-tech.md` for full task instructions. Follow them exactly.
102
+ Output: `.planning/codebase/STACK.md`
103
+ Return: 3-5 sentence summary to Orchestrator.
104
+ Guardrails: Max Agent Hops = 3. No static dumps. Never read .env contents.
105
+ </delegate>
106
+
107
+ <delegate>
108
+ Agent: ArchMapper
109
+ Parallel: (use parallelization value from .planning/config.json)
110
+ Context: Current working directory. DO NOT share conversation history.
111
+ Instruction: Read `.planning/templates/delegates/mapper-arch.md` for full task instructions. Follow them exactly.
112
+ Output: `.planning/codebase/ARCHITECTURE.md`
113
+ Return: 3-5 sentence summary to Orchestrator.
114
+ Guardrails: Max Agent Hops = 3. No static directory dumps. Never read .env contents.
115
+ </delegate>
116
+
117
+ <delegate>
118
+ Agent: QualityMapper
119
+ Parallel: (use parallelization value from .planning/config.json)
120
+ Context: Current working directory. DO NOT share conversation history.
121
+ Instruction: Read `.planning/templates/delegates/mapper-quality.md` for full task instructions. Follow them exactly.
122
+ Output: `.planning/codebase/CONVENTIONS.md`
123
+ Return: 3-5 sentence summary to Orchestrator.
124
+ Guardrails: Max Agent Hops = 3. Rules not inventories. Never read .env contents.
125
+ </delegate>
126
+
127
+ <delegate>
128
+ Agent: ConcernsMapper
129
+ Parallel: (use parallelization value from .planning/config.json)
130
+ Context: Current working directory. DO NOT share conversation history.
131
+ Instruction: Read `.planning/templates/delegates/mapper-concerns.md` for full task instructions. Follow them exactly. Hard stop if secrets found -- report immediately.
132
+ Output: `.planning/codebase/CONCERNS.md`
133
+ Return: 3-5 sentence summary to Orchestrator. If secrets found, STOP and report immediately.
134
+ Guardrails: Max Agent Hops = 3. Hard stop on secrets. Never read .env contents.
135
+ </delegate>
136
+ </mapping>
137
+
138
+ <why_this_matters>
139
+ ### Why These Documents Matter
140
+
141
+ These 4 documents are consumed by downstream GSDD workflows:
142
+
143
+ | Workflow | Documents Used |
144
+ |----------|---------------|
145
+ | `/gsdd:new-project` | All 4 -- infers Validated requirements from existing capabilities |
146
+ | `plan` (future) | ARCHITECTURE + CONVENTIONS for implementation planning |
147
+ | `execute` (future) | CONVENTIONS for code style, ARCHITECTURE for file placement |
148
+ | `verify` (future) | CONCERNS for regression awareness |
149
+
150
+ **What this means for mapper output quality:**
151
+
152
+ 1. **File paths are critical** -- downstream agents navigate directly to files. Write `src/services/user.ts`, not "the user service."
153
+ 2. **Patterns over lists** -- show HOW things are done (code examples), not just WHAT exists.
154
+ 3. **Be prescriptive** -- "Use camelCase for functions" helps future agents write correct code. "Some functions use camelCase" does not.
155
+ 4. **CONCERNS.md drives priorities** -- issues identified here may become future work items. Be specific about impact and fix approach.
156
+ </why_this_matters>
157
+
158
+ <validation>
159
+ ### 4. Validate Output
160
+
161
+ After all mappers complete, verify:
162
+
163
+ - [ ] All 4 documents exist in `.planning/codebase/`
164
+ - [ ] No document is empty or trivially short (each should have substantive content)
165
+ - [ ] Each document contains actual file path references (backtick-formatted)
166
+
167
+ If any mapper failed, note the failure and inform the user which documents need manual completion.
168
+ </validation>
169
+
170
+ <secrets_scan>
171
+ ### 5. Security Scan (Mandatory Before Commit)
172
+
173
+ **CRITICAL SECURITY CHECK:** Scan all generated documents for accidentally leaked secrets before committing.
174
+
175
+ Search `.planning/codebase/*.md` for these patterns (use your platform's search/grep capability):
176
+
177
+ **Reference patterns (regex):**
178
+ - `sk-[a-zA-Z0-9]{20,}` | `sk_live_[a-zA-Z0-9]+` | `sk_test_[a-zA-Z0-9]+` -- Stripe/OpenAI keys
179
+ - `ghp_[a-zA-Z0-9]{36}` | `gho_[a-zA-Z0-9]{36}` -- GitHub tokens
180
+ - `glpat-[a-zA-Z0-9_-]+` -- GitLab tokens
181
+ - `AKIA[A-Z0-9]{16}` -- AWS access keys
182
+ - `xox[baprs]-[a-zA-Z0-9-]+` -- Slack tokens
183
+ - `-----BEGIN.*PRIVATE KEY` -- Private key headers
184
+ - `eyJ[a-zA-Z0-9_-]+\.eyJ[a-zA-Z0-9_-]+\.` -- JWT tokens
185
+ - Hardcoded passwords, connection strings with embedded credentials
186
+
187
+ **If secrets are found:**
188
+
189
+ ```
190
+ SECURITY ALERT: Potential secrets detected in codebase documents!
191
+
192
+ Found patterns that look like API keys or tokens in:
193
+ [show which files and what was found]
194
+
195
+ This would expose credentials if committed.
196
+
197
+ Action required:
198
+ 1. Review the flagged content above
199
+ 2. If these are real secrets, they must be removed before committing
200
+ 3. Consider restricting agent access to sensitive files
201
+
202
+ Pausing. Reply "safe to proceed" if the flagged content is not actually sensitive, or edit the files first.
203
+ ```
204
+
205
+ Wait for user confirmation before continuing.
206
+
207
+ **If no secrets found:** Continue to commit step.
208
+ </secrets_scan>
209
+
210
+ <commit>
211
+ ### 6. Commit (if configured)
212
+
213
+ Read `commitDocs` from `.planning/config.json`.
214
+
215
+ **If `commitDocs: true`:** Commit the generated codebase documents.
216
+ Suggested commit message: `docs: map existing codebase`
217
+ Files: `.planning/codebase/*.md`
218
+
219
+ **If `commitDocs: false`:** Skip commit. Documents remain local-only.
220
+ </commit>
221
+
222
+ <completion>
223
+ Report to the user what was accomplished, then present the next step:
224
+
225
+ ---
226
+ **Completed:** Codebase mapping — 4 documents written to `.planning/codebase/` (STACK.md, ARCHITECTURE.md, CONVENTIONS.md, CONCERNS.md).
227
+
228
+ **Next step:** `/gsdd:new-project` — initialize the project with spec and roadmap
229
+
230
+ Also available:
231
+ - `/gsdd:map-codebase` — re-map if results need refinement
232
+ - Review specific file: read `.planning/codebase/STACK.md`
233
+
234
+ Consider clearing context before starting the next workflow for best results.
235
+ ---
236
+ </completion>
237
+
238
+ <success_criteria>
239
+ - `.planning/codebase/` directory exists with 4 documents
240
+ - All selected mapper delegates were spawned (parallel or sequential per config)
241
+ - Delegates wrote documents directly (orchestrator did not receive document contents)
242
+ - Security scan completed -- no secrets in generated documents
243
+ - Documents committed only if `commitDocs: true`; local-only mode valid if `commitDocs: false`
244
+ - User presented with clear completion summary and next steps
245
+ - No references to non-existent commands or workflows
246
+ </success_criteria>