gsdd-cli 0.18.4 → 0.19.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (100) hide show
  1. package/LICENSE +21 -21
  2. package/README.md +625 -607
  3. package/agents/DISTILLATION.md +421 -421
  4. package/agents/README.md +62 -62
  5. package/agents/approach-explorer.md +361 -361
  6. package/agents/debugger.md +82 -82
  7. package/agents/executor.md +394 -394
  8. package/agents/integration-checker.md +318 -318
  9. package/agents/mapper.md +103 -103
  10. package/agents/planner.md +313 -313
  11. package/agents/researcher.md +84 -84
  12. package/agents/roadmapper.md +296 -296
  13. package/agents/synthesizer.md +236 -236
  14. package/agents/verifier.md +337 -337
  15. package/bin/adapters/agents.mjs +34 -34
  16. package/bin/adapters/claude.mjs +191 -191
  17. package/bin/adapters/codex.mjs +85 -85
  18. package/bin/adapters/index.mjs +20 -20
  19. package/bin/adapters/opencode.mjs +278 -278
  20. package/bin/gsdd.mjs +123 -116
  21. package/bin/lib/cli-utils.mjs +28 -28
  22. package/bin/lib/evidence-contract.mjs +112 -112
  23. package/bin/lib/file-ops.mjs +209 -161
  24. package/bin/lib/health-truth.mjs +181 -178
  25. package/bin/lib/health.mjs +265 -235
  26. package/bin/lib/init-flow.mjs +252 -236
  27. package/bin/lib/init-prompts.mjs +248 -247
  28. package/bin/lib/init-runtime.mjs +225 -212
  29. package/bin/lib/init.mjs +17 -17
  30. package/bin/lib/lifecycle-preflight.mjs +360 -333
  31. package/bin/lib/lifecycle-state.mjs +351 -267
  32. package/bin/lib/manifest.mjs +116 -114
  33. package/bin/lib/models.mjs +411 -411
  34. package/bin/lib/phase.mjs +397 -378
  35. package/bin/lib/plan-constants.mjs +30 -30
  36. package/bin/lib/provenance.mjs +109 -106
  37. package/bin/lib/rendering.mjs +178 -130
  38. package/bin/lib/runtime-freshness.mjs +221 -219
  39. package/bin/lib/templates.mjs +225 -224
  40. package/bin/lib/workspace-root.mjs +132 -0
  41. package/distilled/DESIGN.md +2347 -2327
  42. package/distilled/EVIDENCE-INDEX.md +397 -394
  43. package/distilled/README.md +196 -193
  44. package/distilled/SKILL.md +86 -85
  45. package/distilled/templates/agents.block.md +21 -21
  46. package/distilled/templates/agents.md +6 -6
  47. package/distilled/templates/approach.md +232 -232
  48. package/distilled/templates/auth-matrix.md +78 -78
  49. package/distilled/templates/brownfield-change/CHANGE.md +99 -0
  50. package/distilled/templates/brownfield-change/HANDOFF.md +38 -0
  51. package/distilled/templates/brownfield-change/VERIFICATION.md +56 -0
  52. package/distilled/templates/codebase/architecture.md +110 -110
  53. package/distilled/templates/codebase/concerns.md +95 -95
  54. package/distilled/templates/codebase/conventions.md +193 -193
  55. package/distilled/templates/codebase/stack.md +96 -96
  56. package/distilled/templates/delegates/approach-explorer.md +25 -25
  57. package/distilled/templates/delegates/mapper-arch.md +26 -26
  58. package/distilled/templates/delegates/mapper-concerns.md +27 -27
  59. package/distilled/templates/delegates/mapper-quality.md +28 -28
  60. package/distilled/templates/delegates/mapper-tech.md +25 -25
  61. package/distilled/templates/delegates/plan-checker.md +68 -68
  62. package/distilled/templates/delegates/researcher-architecture.md +30 -30
  63. package/distilled/templates/delegates/researcher-features.md +30 -30
  64. package/distilled/templates/delegates/researcher-pitfalls.md +30 -30
  65. package/distilled/templates/delegates/researcher-stack.md +30 -30
  66. package/distilled/templates/delegates/researcher-synthesizer.md +31 -31
  67. package/distilled/templates/research/architecture.md +57 -57
  68. package/distilled/templates/research/features.md +23 -23
  69. package/distilled/templates/research/pitfalls.md +46 -46
  70. package/distilled/templates/research/stack.md +45 -45
  71. package/distilled/templates/research/summary.md +67 -67
  72. package/distilled/templates/roadmap.md +74 -62
  73. package/distilled/templates/spec.md +110 -110
  74. package/distilled/workflows/audit-milestone.md +275 -271
  75. package/distilled/workflows/complete-milestone.md +336 -332
  76. package/distilled/workflows/execute.md +454 -449
  77. package/distilled/workflows/map-codebase.md +253 -253
  78. package/distilled/workflows/new-milestone.md +242 -238
  79. package/distilled/workflows/new-project.md +398 -398
  80. package/distilled/workflows/pause.md +160 -156
  81. package/distilled/workflows/plan-milestone-gaps.md +183 -183
  82. package/distilled/workflows/plan.md +451 -447
  83. package/distilled/workflows/progress.md +227 -223
  84. package/distilled/workflows/quick.md +351 -347
  85. package/distilled/workflows/resume.md +220 -212
  86. package/distilled/workflows/verify-work.md +260 -260
  87. package/distilled/workflows/verify.md +431 -429
  88. package/docs/BROWNFIELD-PROOF.md +95 -95
  89. package/docs/RUNTIME-SUPPORT.md +93 -75
  90. package/docs/USER-GUIDE.md +440 -399
  91. package/docs/VERIFICATION-DISCIPLINE.md +59 -59
  92. package/docs/claude/context-monitor.md +98 -98
  93. package/docs/proof/consumer-node-cli/README.md +37 -37
  94. package/docs/proof/consumer-node-cli/ROADMAP.md +14 -14
  95. package/docs/proof/consumer-node-cli/SPEC.md +17 -17
  96. package/docs/proof/consumer-node-cli/brief.md +9 -9
  97. package/docs/proof/consumer-node-cli/phases/01-foundation/01-01-PLAN.md +34 -34
  98. package/docs/proof/consumer-node-cli/phases/01-foundation/01-01-SUMMARY.md +10 -10
  99. package/docs/proof/consumer-node-cli/phases/01-foundation/01-VERIFICATION.md +30 -30
  100. package/package.json +62 -61
@@ -0,0 +1,99 @@
1
+ ---
2
+ change: CHANGE-001
3
+ status: active
4
+ type: medium_scope_brownfield
5
+ ---
6
+
7
+ # Brownfield Change: [Short Title]
8
+
9
+ > This folder is the bounded medium-scope lane.
10
+ > It represents one active medium-scope change only.
11
+ > Do not add phase numbering, roadmap checkboxes, or milestone state here.
12
+ > Instantiate the live operational artifact at `.planning/brownfield-change/CHANGE.md`.
13
+ > `progress` and `resume` read this file first for status, scope, integration surface, and the authoritative next action.
14
+ > If this lane no longer fits one active stream, widen explicitly through `/gsdd-new-project` (first milestone) or `/gsdd-new-milestone` (subsequent milestone) using this folder as the preserved input surface. Do not invent a separate promotion artifact.
15
+
16
+ ## Goal
17
+
18
+ State the single cohesive outcome this change is meant to achieve.
19
+
20
+ ## Why This Exists
21
+
22
+ - Why this work matters now.
23
+ - What user, operator, or repo problem it solves.
24
+
25
+ ## In Scope
26
+
27
+ - What this change includes.
28
+ - Which surfaces are allowed to move.
29
+
30
+ ## Out of Scope
31
+
32
+ - What this change explicitly does not include.
33
+ - Work that should promote into milestone planning instead of widening this folder.
34
+
35
+ ## Structural Promotion Triggers
36
+
37
+ Widen into milestone planning only when one or more of these become true:
38
+
39
+ - The work no longer fits one active stream with one shared goal and closeout path.
40
+ - The change needs roadmap-owned lifecycle state, multiple planned phases, or milestone-level requirement tracking.
41
+ - Independent slices can no longer keep disjoint write ownership under one bounded change.
42
+ - The proof or review burden has grown beyond what one `CHANGE.md` / `HANDOFF.md` / `VERIFICATION.md` chain can carry honestly.
43
+
44
+ Choose the widening surface case-by-case:
45
+
46
+ - Use `/gsdd-new-project` when the repo has no shipped milestone history yet.
47
+ - Use `/gsdd-new-milestone` when the repo already has shipped milestone history and this change now needs the next milestone cycle.
48
+
49
+ ## Done When
50
+
51
+ - Observable outcomes that prove the change is complete.
52
+ - Conditions that must be true before closeout.
53
+
54
+ ## Current Status
55
+
56
+ - Current posture: `active | blocked | ready_for_verification | closed`
57
+ - Current branch / integration surface:
58
+ - Current owner / runtime:
59
+
60
+ Keep these labels concrete and current. This section is the canonical operational continuity surface for the active change.
61
+
62
+ ## Next Action
63
+
64
+ - The single best next move from repo truth.
65
+ - If blocked, name the blocker and the exact unblock step.
66
+
67
+ Keep the first bullet as the authoritative next action. `HANDOFF.md` may explain why, but it must not become a competing operational source.
68
+
69
+ ## PR Slice Ownership
70
+
71
+ Use this only when the change spans multiple PRs or working slices.
72
+ Every slice must have disjoint write ownership and still roll up to the same goal and closeout path.
73
+ When possible, list repo-relative paths or module roots in `Owned files / modules` so continuity checks can compare the declared write scope to the live worktree.
74
+
75
+ | Slice | Scope | Owned files / modules | Status |
76
+ | --- | --- | --- | --- |
77
+ | A | [What this slice does] | [Disjoint write set] | planned |
78
+
79
+ ## Dependencies And Risks
80
+
81
+ - External dependencies or repo assumptions.
82
+ - Cross-cut risks that would force promotion into milestone planning.
83
+
84
+ ## Widening Handoff
85
+
86
+ If this bounded change needs milestone planning, reuse this folder directly instead of rediscovering the work:
87
+
88
+ - `CHANGE.md` carries the active goal, scope, done-when, next action, and declared write scope.
89
+ - `HANDOFF.md` carries the active constraints, unresolved uncertainty, decision posture, and anti-regression rules.
90
+ - `VERIFICATION.md` carries the proof and gap state gathered so far, even when that proof is only partial.
91
+
92
+ Promotion should preserve this context. Do not create a second durable handoff file before milestone setup begins.
93
+
94
+ ## Closeout Path
95
+
96
+ 1. Update `HANDOFF.md` so the latest decision context is recoverable from disk.
97
+ 2. Record closeout evidence in `VERIFICATION.md`.
98
+ 3. Close this folder only after the verification surface says the goal is satisfied.
99
+ 4. If the work widens instead of closing, keep this folder as the promotion input and move into `/gsdd-new-project` or `/gsdd-new-milestone` explicitly.
@@ -0,0 +1,38 @@
1
+ ---
2
+ change: CHANGE-001
3
+ updated: 2026-04-21
4
+ ---
5
+
6
+ # Brownfield Change Handoff
7
+
8
+ Use this file for rolling judgment and cross-session continuity on the active change.
9
+ Do not duplicate milestone roadmap state here.
10
+ Operational state still lives in `CHANGE.md`.
11
+ This file explains constraints, uncertainty, posture, and anti-regression context; it must not become a second status or routing authority.
12
+ If this change widens into milestone planning, this file remains the preserved judgment input to `/gsdd-new-project` or `/gsdd-new-milestone`; do not copy it into a second promotion artifact.
13
+
14
+ ## Active Constraints
15
+
16
+ - Boundaries that the next session must keep.
17
+ - Explicit no-touch surfaces or approval gates.
18
+
19
+ ## Unresolved Uncertainty
20
+
21
+ - Open questions that still affect execution or verification.
22
+ - Unknowns that are safe to keep open for now.
23
+
24
+ ## Decision Posture
25
+
26
+ - What approach was chosen and why.
27
+ - What was intentionally deferred.
28
+
29
+ ## Anti-Regression
30
+
31
+ - Invariants future work must not break.
32
+ - Contract rules that keep this lane bounded.
33
+
34
+ ## Next Action
35
+
36
+ - Record only the decision context behind the `CHANGE.md` next action.
37
+ - If the work is blocked, name the unblock path exactly, but keep the authoritative operational next step in `CHANGE.md`.
38
+ - If the work widens into milestone planning, keep the why/why-not context here so the milestone workflow can reuse it without rediscovery.
@@ -0,0 +1,56 @@
1
+ ---
2
+ change: CHANGE-001
3
+ verified: 2026-04-21
4
+ status: pending
5
+ delivery_posture: repo_only
6
+ required_evidence:
7
+ - code
8
+ recommended_evidence:
9
+ - test
10
+ ---
11
+
12
+ # Brownfield Change Verification
13
+
14
+ Use this file as the existing proof surface even when the bounded change widens before closeout.
15
+ Milestone-init workflows should read it for preserved proof and remaining gaps instead of forcing the user to restate what is already verified.
16
+
17
+ ## Goal Verification
18
+
19
+ - Restate the change goal in observable terms.
20
+ - Say whether the goal is verified, partially verified, or blocked.
21
+
22
+ ## Evidence
23
+
24
+ List the evidence used to support closure. Use the shared evidence vocabulary:
25
+ - `code`
26
+ - `test`
27
+ - `runtime`
28
+ - `delivery`
29
+ - `human`
30
+
31
+ ## Artifact Checks
32
+
33
+ | Artifact | Exists | Substantive | Wired | Notes |
34
+ | --- | --- | --- | --- | --- |
35
+ | [path] | yes | yes | yes | [notes] |
36
+
37
+ ## Gaps
38
+
39
+ - Missing proof, missing behavior, or unresolved blockers.
40
+ - If required evidence is missing, say so explicitly.
41
+
42
+ ## Widening Reuse
43
+
44
+ - Preserve already-confirmed proof when the change widens into milestone planning.
45
+ - Carry partial verification or known gaps forward so the milestone workflow can plan from current truth.
46
+ - Do not reset this evidence surface just because the work is moving into a larger lifecycle.
47
+
48
+ ## Human Verification
49
+
50
+ - Manual checks still needed before closure, if any.
51
+
52
+ ## Closeout Decision
53
+
54
+ - `passed` when the bounded change is proven complete.
55
+ - `gaps_found` when implementation or proof is still missing.
56
+ - `human_needed` when machine checks pass but human confirmation remains.
@@ -1,110 +1,110 @@
1
- # Codebase Architecture
2
-
3
- **Analysis Date:** [YYYY-MM-DD]
4
-
5
- <guidelines>
6
- - This document is durable intent: boundaries, layering, entrypoints, and change-routing rules.
7
- - Do NOT write a static directory tree. It rots. Instead: reference a few canonical entrypoints and show "where changes go".
8
- - Every layer/abstraction must include concrete file paths.
9
- - Include "where to add new code" rules. This prevents downstream agents from scattering logic across random files.
10
- </guidelines>
11
-
12
- ## Pattern Overview
13
-
14
- Overall:
15
- - [Pattern name]
16
-
17
- Key characteristics:
18
- - [Characteristic 1]
19
- - [Characteristic 2]
20
- - [Characteristic 3]
21
-
22
- ## Layers (Boundaries)
23
-
24
- Layer: [Layer name]
25
- - Purpose: [What this layer does]
26
- - Location: `[path(s)]`
27
- - Owns: [What it is responsible for]
28
- - Does NOT own: [Explicit non-responsibilities]
29
- - Depends on: [What it uses]
30
- - Used by: [What uses it]
31
-
32
- ## Entry Points
33
-
34
- Entrypoint: [Name]
35
- - Location: `[path]`
36
- - Triggers: [What invokes it]
37
- - Responsibilities: [What it does]
38
-
39
- ## Data Flow (One Or Two Canonical Flows)
40
-
41
- Flow: [Name]
42
- 1. [Step 1]
43
- 2. [Step 2]
44
- 3. [Step 3]
45
-
46
- State management:
47
- - [How state is handled]
48
-
49
- ## Key Abstractions
50
-
51
- Abstraction: [Name]
52
- - Purpose: [What it represents]
53
- - Examples: `[file paths]`
54
- - Pattern: [Pattern used]
55
-
56
- ## Error Handling Strategy
57
-
58
- Strategy:
59
- - [Approach]
60
- - Examples: `[file paths]`
61
-
62
- ## Cross-Cutting Concerns
63
-
64
- Logging:
65
- - [Approach] - examples: `[file paths]`
66
-
67
- Validation:
68
- - [Approach] - examples: `[file paths]`
69
-
70
- Authentication/Authorization:
71
- - [Approach] - examples: `[file paths]`
72
-
73
- ## Change Routing (Where To Add New Code)
74
-
75
- When making a change, follow these rules:
76
-
77
- | Change type | Add/modify here | Do NOT do this | Example paths |
78
- |---|---|---|---|
79
- | New API endpoint / handler | [file or folder pattern] | [anti-pattern] | `[paths]` |
80
- | New domain capability / business rule | [location] | [anti-pattern] | `[paths]` |
81
- | New UI page / screen | [location] | [anti-pattern] | `[paths]` |
82
- | New background job / worker | [location] | [anti-pattern] | `[paths]` |
83
- | DB schema change / migration | [location] | [anti-pattern] | `[paths]` |
84
- | New external integration | [location] | [anti-pattern] | `[paths]` |
85
- | Adding a new module/package | [location] | [anti-pattern] | `[paths]` |
86
-
87
- <good_examples>
88
- Example (good):
89
- - "New routes live in `src/server/routes/*.ts` and are registered in `src/server/app.ts`. Business rules never go in route handlers; they live in `src/domain/*`. See `src/server/routes/users.ts` and `src/domain/user/createUser.ts`."
90
-
91
- Example (bad):
92
- - "Add routes wherever it makes sense."
93
- </good_examples>
94
-
95
- ## Golden Files Per Layer
96
-
97
- For each architectural layer, identify the single most-instructive file using inbound import frequency as the signal: the most-imported file in a layer is the most stable and most understood.
98
-
99
- | Layer | Golden File | Why |
100
- |-------|-------------|-----|
101
- | [Layer name] | `[path/to/file.ts]` | [Why it's the most-imported / most-instructive for this layer] |
102
- | [Layer name] | `[path/to/file.ts]` | [Why] |
103
- | [Layer name] | `[path/to/file.ts]` | [Why] |
104
-
105
- To find the most-imported file in a layer: grep for imports of each candidate file and count occurrences. The highest count is the golden file.
106
-
107
- ---
108
-
109
- *Architecture analysis: [date]*
110
-
1
+ # Codebase Architecture
2
+
3
+ **Analysis Date:** [YYYY-MM-DD]
4
+
5
+ <guidelines>
6
+ - This document is durable intent: boundaries, layering, entrypoints, and change-routing rules.
7
+ - Do NOT write a static directory tree. It rots. Instead: reference a few canonical entrypoints and show "where changes go".
8
+ - Every layer/abstraction must include concrete file paths.
9
+ - Include "where to add new code" rules. This prevents downstream agents from scattering logic across random files.
10
+ </guidelines>
11
+
12
+ ## Pattern Overview
13
+
14
+ Overall:
15
+ - [Pattern name]
16
+
17
+ Key characteristics:
18
+ - [Characteristic 1]
19
+ - [Characteristic 2]
20
+ - [Characteristic 3]
21
+
22
+ ## Layers (Boundaries)
23
+
24
+ Layer: [Layer name]
25
+ - Purpose: [What this layer does]
26
+ - Location: `[path(s)]`
27
+ - Owns: [What it is responsible for]
28
+ - Does NOT own: [Explicit non-responsibilities]
29
+ - Depends on: [What it uses]
30
+ - Used by: [What uses it]
31
+
32
+ ## Entry Points
33
+
34
+ Entrypoint: [Name]
35
+ - Location: `[path]`
36
+ - Triggers: [What invokes it]
37
+ - Responsibilities: [What it does]
38
+
39
+ ## Data Flow (One Or Two Canonical Flows)
40
+
41
+ Flow: [Name]
42
+ 1. [Step 1]
43
+ 2. [Step 2]
44
+ 3. [Step 3]
45
+
46
+ State management:
47
+ - [How state is handled]
48
+
49
+ ## Key Abstractions
50
+
51
+ Abstraction: [Name]
52
+ - Purpose: [What it represents]
53
+ - Examples: `[file paths]`
54
+ - Pattern: [Pattern used]
55
+
56
+ ## Error Handling Strategy
57
+
58
+ Strategy:
59
+ - [Approach]
60
+ - Examples: `[file paths]`
61
+
62
+ ## Cross-Cutting Concerns
63
+
64
+ Logging:
65
+ - [Approach] - examples: `[file paths]`
66
+
67
+ Validation:
68
+ - [Approach] - examples: `[file paths]`
69
+
70
+ Authentication/Authorization:
71
+ - [Approach] - examples: `[file paths]`
72
+
73
+ ## Change Routing (Where To Add New Code)
74
+
75
+ When making a change, follow these rules:
76
+
77
+ | Change type | Add/modify here | Do NOT do this | Example paths |
78
+ |---|---|---|---|
79
+ | New API endpoint / handler | [file or folder pattern] | [anti-pattern] | `[paths]` |
80
+ | New domain capability / business rule | [location] | [anti-pattern] | `[paths]` |
81
+ | New UI page / screen | [location] | [anti-pattern] | `[paths]` |
82
+ | New background job / worker | [location] | [anti-pattern] | `[paths]` |
83
+ | DB schema change / migration | [location] | [anti-pattern] | `[paths]` |
84
+ | New external integration | [location] | [anti-pattern] | `[paths]` |
85
+ | Adding a new module/package | [location] | [anti-pattern] | `[paths]` |
86
+
87
+ <good_examples>
88
+ Example (good):
89
+ - "New routes live in `src/server/routes/*.ts` and are registered in `src/server/app.ts`. Business rules never go in route handlers; they live in `src/domain/*`. See `src/server/routes/users.ts` and `src/domain/user/createUser.ts`."
90
+
91
+ Example (bad):
92
+ - "Add routes wherever it makes sense."
93
+ </good_examples>
94
+
95
+ ## Golden Files Per Layer
96
+
97
+ For each architectural layer, identify the single most-instructive file using inbound import frequency as the signal: the most-imported file in a layer is the most stable and most understood.
98
+
99
+ | Layer | Golden File | Why |
100
+ |-------|-------------|-----|
101
+ | [Layer name] | `[path/to/file.ts]` | [Why it's the most-imported / most-instructive for this layer] |
102
+ | [Layer name] | `[path/to/file.ts]` | [Why] |
103
+ | [Layer name] | `[path/to/file.ts]` | [Why] |
104
+
105
+ To find the most-imported file in a layer: grep for imports of each candidate file and count occurrences. The highest count is the golden file.
106
+
107
+ ---
108
+
109
+ *Architecture analysis: [date]*
110
+
@@ -1,95 +1,95 @@
1
- # Codebase Concerns
2
-
3
- **Analysis Date:** [YYYY-MM-DD]
4
-
5
- <guidelines>
6
- - Every concern must include concrete file paths.
7
- - Be specific with measurements (e.g., "p95 500ms") not adjectives ("slow").
8
- - Include reproduction steps for bugs, and "safe change" advice for fragile areas.
9
- - This document is about risk and leverage: what breaks, where, and how to change safely.
10
- </guidelines>
11
-
12
- ## Tech Debt
13
-
14
- Area/component: [Name]
15
- - Issue: [What's the shortcut/workaround]
16
- - Files: `[file paths]`
17
- - Impact: [What breaks or degrades]
18
- - Fix approach: [How to address it]
19
-
20
- ## Known Bugs
21
-
22
- Bug: [Description]
23
- - Symptoms: [What happens]
24
- - Files: `[file paths]`
25
- - Trigger: [How to reproduce]
26
- - Workaround: [If any]
27
-
28
- ## Security Considerations
29
-
30
- Area: [Name]
31
- - Risk: [What could go wrong]
32
- - Files: `[file paths]`
33
- - Current mitigation: [What's in place]
34
- - Recommendations: [What should be added]
35
-
36
- ## Performance Bottlenecks
37
-
38
- Operation: [Name]
39
- - Problem: [What is slow]
40
- - Files: `[file paths]`
41
- - Measurement: [numbers, if known]
42
- - Suspected cause: [why]
43
- - Improvement path: [how]
44
-
45
- ## Fragile Areas
46
-
47
- Component/module: [Name]
48
- - Files: `[file paths]`
49
- - Why fragile: [what makes it break easily]
50
- - Safe modification: [how to change safely]
51
- - Test coverage: [gaps]
52
-
53
- ## Dependency Risks
54
-
55
- Dependency: [Package/service]
56
- - Risk: [what is wrong]
57
- - Impact: [what breaks]
58
- - Mitigation: [what to do]
59
-
60
- ## Missing Critical Features (If Any)
61
-
62
- Feature gap: [Name]
63
- - Problem: [what is missing]
64
- - Blocks: [what can't be done]
65
-
66
- ## Test Coverage Gaps
67
-
68
- Untested area: [Name]
69
- - What's not tested: [specific functionality]
70
- - Files: `[file paths]`
71
- - Risk: [what could break unnoticed]
72
- - Priority: [High/Medium/Low]
73
-
74
- <good_examples>
75
- Example (good):
76
- - "Auth refresh tokens are stored unencrypted in `src/auth/tokenStore.ts` and logged in `src/auth/logger.ts` (risk: credential leakage). Fix: remove token logging and encrypt at rest. Repro: enable debug logging and observe tokens in logs."
77
- - "Checkout endpoint p95 is 1.8s in staging due to N+1 queries in `src/db/orders.ts` (see `getOrdersForUser`). Fix: batch query and add integration test asserting query count."
78
- </good_examples>
79
-
80
- ## Downstream Impact Ranking
81
-
82
- Rank the top 3 concerns by how much future work they block. Use the Change Routing table in ARCHITECTURE.md as reference: concerns that block multiple change-routing rows rank highest.
83
-
84
- | Rank | Concern | Blocks | Severity | Fix effort |
85
- |------|---------|--------|----------|------------|
86
- | 1 | [Concern name] | [Which change types from ARCHITECTURE.md this blocks] | critical/moderate/minor | [small/medium/large] |
87
- | 2 | [Concern name] | [Blocks] | [Severity] | [Effort] |
88
- | 3 | [Concern name] | [Blocks] | [Severity] | [Effort] |
89
-
90
- Ranking heuristic: a concern that blocks 3 change-routing rows ranks above one that blocks 1, even if the latter is more severe in isolation.
91
-
92
- ---
93
-
94
- *Concerns audit: [date]*
95
-
1
+ # Codebase Concerns
2
+
3
+ **Analysis Date:** [YYYY-MM-DD]
4
+
5
+ <guidelines>
6
+ - Every concern must include concrete file paths.
7
+ - Be specific with measurements (e.g., "p95 500ms") not adjectives ("slow").
8
+ - Include reproduction steps for bugs, and "safe change" advice for fragile areas.
9
+ - This document is about risk and leverage: what breaks, where, and how to change safely.
10
+ </guidelines>
11
+
12
+ ## Tech Debt
13
+
14
+ Area/component: [Name]
15
+ - Issue: [What's the shortcut/workaround]
16
+ - Files: `[file paths]`
17
+ - Impact: [What breaks or degrades]
18
+ - Fix approach: [How to address it]
19
+
20
+ ## Known Bugs
21
+
22
+ Bug: [Description]
23
+ - Symptoms: [What happens]
24
+ - Files: `[file paths]`
25
+ - Trigger: [How to reproduce]
26
+ - Workaround: [If any]
27
+
28
+ ## Security Considerations
29
+
30
+ Area: [Name]
31
+ - Risk: [What could go wrong]
32
+ - Files: `[file paths]`
33
+ - Current mitigation: [What's in place]
34
+ - Recommendations: [What should be added]
35
+
36
+ ## Performance Bottlenecks
37
+
38
+ Operation: [Name]
39
+ - Problem: [What is slow]
40
+ - Files: `[file paths]`
41
+ - Measurement: [numbers, if known]
42
+ - Suspected cause: [why]
43
+ - Improvement path: [how]
44
+
45
+ ## Fragile Areas
46
+
47
+ Component/module: [Name]
48
+ - Files: `[file paths]`
49
+ - Why fragile: [what makes it break easily]
50
+ - Safe modification: [how to change safely]
51
+ - Test coverage: [gaps]
52
+
53
+ ## Dependency Risks
54
+
55
+ Dependency: [Package/service]
56
+ - Risk: [what is wrong]
57
+ - Impact: [what breaks]
58
+ - Mitigation: [what to do]
59
+
60
+ ## Missing Critical Features (If Any)
61
+
62
+ Feature gap: [Name]
63
+ - Problem: [what is missing]
64
+ - Blocks: [what can't be done]
65
+
66
+ ## Test Coverage Gaps
67
+
68
+ Untested area: [Name]
69
+ - What's not tested: [specific functionality]
70
+ - Files: `[file paths]`
71
+ - Risk: [what could break unnoticed]
72
+ - Priority: [High/Medium/Low]
73
+
74
+ <good_examples>
75
+ Example (good):
76
+ - "Auth refresh tokens are stored unencrypted in `src/auth/tokenStore.ts` and logged in `src/auth/logger.ts` (risk: credential leakage). Fix: remove token logging and encrypt at rest. Repro: enable debug logging and observe tokens in logs."
77
+ - "Checkout endpoint p95 is 1.8s in staging due to N+1 queries in `src/db/orders.ts` (see `getOrdersForUser`). Fix: batch query and add integration test asserting query count."
78
+ </good_examples>
79
+
80
+ ## Downstream Impact Ranking
81
+
82
+ Rank the top 3 concerns by how much future work they block. Use the Change Routing table in ARCHITECTURE.md as reference: concerns that block multiple change-routing rows rank highest.
83
+
84
+ | Rank | Concern | Blocks | Severity | Fix effort |
85
+ |------|---------|--------|----------|------------|
86
+ | 1 | [Concern name] | [Which change types from ARCHITECTURE.md this blocks] | critical/moderate/minor | [small/medium/large] |
87
+ | 2 | [Concern name] | [Blocks] | [Severity] | [Effort] |
88
+ | 3 | [Concern name] | [Blocks] | [Severity] | [Effort] |
89
+
90
+ Ranking heuristic: a concern that blocks 3 change-routing rows ranks above one that blocks 1, even if the latter is more severe in isolation.
91
+
92
+ ---
93
+
94
+ *Concerns audit: [date]*
95
+