gsdd-cli 0.18.5 → 0.19.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (101) hide show
  1. package/LICENSE +21 -21
  2. package/README.md +610 -608
  3. package/agents/DISTILLATION.md +421 -421
  4. package/agents/README.md +62 -62
  5. package/agents/approach-explorer.md +370 -361
  6. package/agents/debugger.md +82 -82
  7. package/agents/executor.md +473 -394
  8. package/agents/integration-checker.md +318 -318
  9. package/agents/mapper.md +103 -103
  10. package/agents/planner.md +342 -313
  11. package/agents/researcher.md +84 -84
  12. package/agents/roadmapper.md +296 -296
  13. package/agents/synthesizer.md +236 -236
  14. package/agents/verifier.md +337 -337
  15. package/bin/adapters/agents.mjs +34 -34
  16. package/bin/adapters/claude.mjs +193 -191
  17. package/bin/adapters/codex.mjs +85 -85
  18. package/bin/adapters/index.mjs +20 -20
  19. package/bin/adapters/opencode.mjs +280 -278
  20. package/bin/gsdd.mjs +123 -116
  21. package/bin/lib/cli-utils.mjs +28 -28
  22. package/bin/lib/evidence-contract.mjs +325 -112
  23. package/bin/lib/file-ops.mjs +186 -144
  24. package/bin/lib/health-truth.mjs +196 -178
  25. package/bin/lib/health.mjs +246 -226
  26. package/bin/lib/init-flow.mjs +247 -231
  27. package/bin/lib/init-prompts.mjs +248 -247
  28. package/bin/lib/init-runtime.mjs +193 -190
  29. package/bin/lib/init.mjs +17 -17
  30. package/bin/lib/lifecycle-preflight.mjs +760 -326
  31. package/bin/lib/lifecycle-state.mjs +356 -267
  32. package/bin/lib/manifest.mjs +116 -114
  33. package/bin/lib/models.mjs +411 -411
  34. package/bin/lib/phase.mjs +365 -358
  35. package/bin/lib/plan-constants.mjs +35 -30
  36. package/bin/lib/provenance.mjs +109 -106
  37. package/bin/lib/rendering.mjs +119 -83
  38. package/bin/lib/runtime-freshness.mjs +214 -214
  39. package/bin/lib/session-fingerprint.mjs +91 -14
  40. package/bin/lib/templates.mjs +225 -224
  41. package/bin/lib/workspace-root.mjs +2 -1
  42. package/distilled/DESIGN.md +2461 -2323
  43. package/distilled/EVIDENCE-INDEX.md +418 -392
  44. package/distilled/README.md +196 -193
  45. package/distilled/SKILL.md +86 -85
  46. package/distilled/templates/agents.block.md +21 -21
  47. package/distilled/templates/agents.md +6 -6
  48. package/distilled/templates/approach.md +272 -232
  49. package/distilled/templates/auth-matrix.md +78 -78
  50. package/distilled/templates/brownfield-change/CHANGE.md +99 -0
  51. package/distilled/templates/brownfield-change/HANDOFF.md +38 -0
  52. package/distilled/templates/brownfield-change/VERIFICATION.md +56 -0
  53. package/distilled/templates/codebase/architecture.md +110 -110
  54. package/distilled/templates/codebase/concerns.md +95 -95
  55. package/distilled/templates/codebase/conventions.md +193 -193
  56. package/distilled/templates/codebase/stack.md +96 -96
  57. package/distilled/templates/delegates/approach-explorer.md +28 -25
  58. package/distilled/templates/delegates/mapper-arch.md +26 -26
  59. package/distilled/templates/delegates/mapper-concerns.md +27 -27
  60. package/distilled/templates/delegates/mapper-quality.md +28 -28
  61. package/distilled/templates/delegates/mapper-tech.md +25 -25
  62. package/distilled/templates/delegates/plan-checker.md +78 -68
  63. package/distilled/templates/delegates/researcher-architecture.md +30 -30
  64. package/distilled/templates/delegates/researcher-features.md +30 -30
  65. package/distilled/templates/delegates/researcher-pitfalls.md +30 -30
  66. package/distilled/templates/delegates/researcher-stack.md +30 -30
  67. package/distilled/templates/delegates/researcher-synthesizer.md +31 -31
  68. package/distilled/templates/research/architecture.md +57 -57
  69. package/distilled/templates/research/features.md +23 -23
  70. package/distilled/templates/research/pitfalls.md +46 -46
  71. package/distilled/templates/research/stack.md +45 -45
  72. package/distilled/templates/research/summary.md +67 -67
  73. package/distilled/templates/roadmap.md +74 -62
  74. package/distilled/templates/spec.md +110 -110
  75. package/distilled/workflows/audit-milestone.md +303 -271
  76. package/distilled/workflows/complete-milestone.md +349 -332
  77. package/distilled/workflows/execute.md +457 -450
  78. package/distilled/workflows/map-codebase.md +253 -253
  79. package/distilled/workflows/new-milestone.md +242 -238
  80. package/distilled/workflows/new-project.md +398 -398
  81. package/distilled/workflows/pause.md +160 -156
  82. package/distilled/workflows/plan-milestone-gaps.md +183 -183
  83. package/distilled/workflows/plan.md +454 -448
  84. package/distilled/workflows/progress.md +227 -223
  85. package/distilled/workflows/quick.md +351 -347
  86. package/distilled/workflows/resume.md +220 -212
  87. package/distilled/workflows/verify-work.md +260 -260
  88. package/distilled/workflows/verify.md +431 -429
  89. package/docs/BROWNFIELD-PROOF.md +95 -95
  90. package/docs/RUNTIME-SUPPORT.md +80 -69
  91. package/docs/USER-GUIDE.md +394 -386
  92. package/docs/VERIFICATION-DISCIPLINE.md +59 -59
  93. package/docs/claude/context-monitor.md +98 -98
  94. package/docs/proof/consumer-node-cli/README.md +37 -37
  95. package/docs/proof/consumer-node-cli/ROADMAP.md +14 -14
  96. package/docs/proof/consumer-node-cli/SPEC.md +17 -17
  97. package/docs/proof/consumer-node-cli/brief.md +9 -9
  98. package/docs/proof/consumer-node-cli/phases/01-foundation/01-01-PLAN.md +34 -34
  99. package/docs/proof/consumer-node-cli/phases/01-foundation/01-01-SUMMARY.md +10 -10
  100. package/docs/proof/consumer-node-cli/phases/01-foundation/01-VERIFICATION.md +30 -30
  101. package/package.json +62 -61
@@ -1,95 +1,95 @@
1
- # Codebase Concerns
2
-
3
- **Analysis Date:** [YYYY-MM-DD]
4
-
5
- <guidelines>
6
- - Every concern must include concrete file paths.
7
- - Be specific with measurements (e.g., "p95 500ms") not adjectives ("slow").
8
- - Include reproduction steps for bugs, and "safe change" advice for fragile areas.
9
- - This document is about risk and leverage: what breaks, where, and how to change safely.
10
- </guidelines>
11
-
12
- ## Tech Debt
13
-
14
- Area/component: [Name]
15
- - Issue: [What's the shortcut/workaround]
16
- - Files: `[file paths]`
17
- - Impact: [What breaks or degrades]
18
- - Fix approach: [How to address it]
19
-
20
- ## Known Bugs
21
-
22
- Bug: [Description]
23
- - Symptoms: [What happens]
24
- - Files: `[file paths]`
25
- - Trigger: [How to reproduce]
26
- - Workaround: [If any]
27
-
28
- ## Security Considerations
29
-
30
- Area: [Name]
31
- - Risk: [What could go wrong]
32
- - Files: `[file paths]`
33
- - Current mitigation: [What's in place]
34
- - Recommendations: [What should be added]
35
-
36
- ## Performance Bottlenecks
37
-
38
- Operation: [Name]
39
- - Problem: [What is slow]
40
- - Files: `[file paths]`
41
- - Measurement: [numbers, if known]
42
- - Suspected cause: [why]
43
- - Improvement path: [how]
44
-
45
- ## Fragile Areas
46
-
47
- Component/module: [Name]
48
- - Files: `[file paths]`
49
- - Why fragile: [what makes it break easily]
50
- - Safe modification: [how to change safely]
51
- - Test coverage: [gaps]
52
-
53
- ## Dependency Risks
54
-
55
- Dependency: [Package/service]
56
- - Risk: [what is wrong]
57
- - Impact: [what breaks]
58
- - Mitigation: [what to do]
59
-
60
- ## Missing Critical Features (If Any)
61
-
62
- Feature gap: [Name]
63
- - Problem: [what is missing]
64
- - Blocks: [what can't be done]
65
-
66
- ## Test Coverage Gaps
67
-
68
- Untested area: [Name]
69
- - What's not tested: [specific functionality]
70
- - Files: `[file paths]`
71
- - Risk: [what could break unnoticed]
72
- - Priority: [High/Medium/Low]
73
-
74
- <good_examples>
75
- Example (good):
76
- - "Auth refresh tokens are stored unencrypted in `src/auth/tokenStore.ts` and logged in `src/auth/logger.ts` (risk: credential leakage). Fix: remove token logging and encrypt at rest. Repro: enable debug logging and observe tokens in logs."
77
- - "Checkout endpoint p95 is 1.8s in staging due to N+1 queries in `src/db/orders.ts` (see `getOrdersForUser`). Fix: batch query and add integration test asserting query count."
78
- </good_examples>
79
-
80
- ## Downstream Impact Ranking
81
-
82
- Rank the top 3 concerns by how much future work they block. Use the Change Routing table in ARCHITECTURE.md as reference: concerns that block multiple change-routing rows rank highest.
83
-
84
- | Rank | Concern | Blocks | Severity | Fix effort |
85
- |------|---------|--------|----------|------------|
86
- | 1 | [Concern name] | [Which change types from ARCHITECTURE.md this blocks] | critical/moderate/minor | [small/medium/large] |
87
- | 2 | [Concern name] | [Blocks] | [Severity] | [Effort] |
88
- | 3 | [Concern name] | [Blocks] | [Severity] | [Effort] |
89
-
90
- Ranking heuristic: a concern that blocks 3 change-routing rows ranks above one that blocks 1, even if the latter is more severe in isolation.
91
-
92
- ---
93
-
94
- *Concerns audit: [date]*
95
-
1
+ # Codebase Concerns
2
+
3
+ **Analysis Date:** [YYYY-MM-DD]
4
+
5
+ <guidelines>
6
+ - Every concern must include concrete file paths.
7
+ - Be specific with measurements (e.g., "p95 500ms") not adjectives ("slow").
8
+ - Include reproduction steps for bugs, and "safe change" advice for fragile areas.
9
+ - This document is about risk and leverage: what breaks, where, and how to change safely.
10
+ </guidelines>
11
+
12
+ ## Tech Debt
13
+
14
+ Area/component: [Name]
15
+ - Issue: [What's the shortcut/workaround]
16
+ - Files: `[file paths]`
17
+ - Impact: [What breaks or degrades]
18
+ - Fix approach: [How to address it]
19
+
20
+ ## Known Bugs
21
+
22
+ Bug: [Description]
23
+ - Symptoms: [What happens]
24
+ - Files: `[file paths]`
25
+ - Trigger: [How to reproduce]
26
+ - Workaround: [If any]
27
+
28
+ ## Security Considerations
29
+
30
+ Area: [Name]
31
+ - Risk: [What could go wrong]
32
+ - Files: `[file paths]`
33
+ - Current mitigation: [What's in place]
34
+ - Recommendations: [What should be added]
35
+
36
+ ## Performance Bottlenecks
37
+
38
+ Operation: [Name]
39
+ - Problem: [What is slow]
40
+ - Files: `[file paths]`
41
+ - Measurement: [numbers, if known]
42
+ - Suspected cause: [why]
43
+ - Improvement path: [how]
44
+
45
+ ## Fragile Areas
46
+
47
+ Component/module: [Name]
48
+ - Files: `[file paths]`
49
+ - Why fragile: [what makes it break easily]
50
+ - Safe modification: [how to change safely]
51
+ - Test coverage: [gaps]
52
+
53
+ ## Dependency Risks
54
+
55
+ Dependency: [Package/service]
56
+ - Risk: [what is wrong]
57
+ - Impact: [what breaks]
58
+ - Mitigation: [what to do]
59
+
60
+ ## Missing Critical Features (If Any)
61
+
62
+ Feature gap: [Name]
63
+ - Problem: [what is missing]
64
+ - Blocks: [what can't be done]
65
+
66
+ ## Test Coverage Gaps
67
+
68
+ Untested area: [Name]
69
+ - What's not tested: [specific functionality]
70
+ - Files: `[file paths]`
71
+ - Risk: [what could break unnoticed]
72
+ - Priority: [High/Medium/Low]
73
+
74
+ <good_examples>
75
+ Example (good):
76
+ - "Auth refresh tokens are stored unencrypted in `src/auth/tokenStore.ts` and logged in `src/auth/logger.ts` (risk: credential leakage). Fix: remove token logging and encrypt at rest. Repro: enable debug logging and observe tokens in logs."
77
+ - "Checkout endpoint p95 is 1.8s in staging due to N+1 queries in `src/db/orders.ts` (see `getOrdersForUser`). Fix: batch query and add integration test asserting query count."
78
+ </good_examples>
79
+
80
+ ## Downstream Impact Ranking
81
+
82
+ Rank the top 3 concerns by how much future work they block. Use the Change Routing table in ARCHITECTURE.md as reference: concerns that block multiple change-routing rows rank highest.
83
+
84
+ | Rank | Concern | Blocks | Severity | Fix effort |
85
+ |------|---------|--------|----------|------------|
86
+ | 1 | [Concern name] | [Which change types from ARCHITECTURE.md this blocks] | critical/moderate/minor | [small/medium/large] |
87
+ | 2 | [Concern name] | [Blocks] | [Severity] | [Effort] |
88
+ | 3 | [Concern name] | [Blocks] | [Severity] | [Effort] |
89
+
90
+ Ranking heuristic: a concern that blocks 3 change-routing rows ranks above one that blocks 1, even if the latter is more severe in isolation.
91
+
92
+ ---
93
+
94
+ *Concerns audit: [date]*
95
+
@@ -1,193 +1,193 @@
1
- # Codebase Conventions
2
-
3
- **Analysis Date:** [YYYY-MM-DD]
4
-
5
- <guidelines>
6
- - This document is durable intent (rules/patterns), not a directory dump.
7
- - Be prescriptive. If 80%+ of the codebase follows a pattern, document it as a rule ("Use X"), not as a survey ("Sometimes X").
8
- - Every non-trivial claim must include at least one concrete file path example.
9
- - Prefer "how to do it here" over general best practices.
10
- - Capture testing and mocking boundaries explicitly ("what NOT to mock"). Missing boundaries cause broken tests and slow CI.
11
- - Capture external integration patterns (webhook verification, auth session management). Missing these causes security vulnerabilities.
12
- </guidelines>
13
-
14
- ## Naming Patterns
15
-
16
- Files:
17
- - [Pattern observed]
18
-
19
- Functions:
20
- - [Pattern observed]
21
-
22
- Variables:
23
- - [Pattern observed]
24
-
25
- Types:
26
- - [Pattern observed]
27
-
28
- ## Code Style
29
-
30
- Formatting:
31
- - Tool: [Tool used]
32
- - Key settings: [Key settings]
33
-
34
- Linting:
35
- - Tool: [Tool used]
36
- - Key rules: [Key rules]
37
-
38
- ## Import Organization
39
-
40
- Order:
41
- 1. [First group]
42
- 2. [Second group]
43
- 3. [Third group]
44
-
45
- Path aliases:
46
- - [Aliases used]
47
-
48
- ## Error Handling
49
-
50
- Patterns:
51
- - [How errors are handled]
52
- - Examples: `[file paths]`
53
-
54
- ## Logging
55
-
56
- Framework:
57
- - [Tool or "console"]
58
-
59
- Patterns:
60
- - [When/how to log]
61
- - Examples: `[file paths]`
62
-
63
- ## Module / Function Design
64
-
65
- Function size:
66
- - [Guidelines]
67
-
68
- Parameters:
69
- - [Pattern]
70
-
71
- Return values:
72
- - [Pattern]
73
-
74
- Exports:
75
- - [Pattern]
76
-
77
- ## Convention Adoption Rates
78
-
79
- For each major convention documented above, estimate adoption rate using grep-counting (count occurrences in production source files, exclude `node_modules`, `vendor`, generated files). Use the format `~N% (stable|rising|declining)`.
80
-
81
- - Pattern requires ≥5 occurrences to estimate; below that, write "prevalence unknown — seen in multiple files."
82
- - Trend signal: stable = consistent across file age, rising = newer files adopt more, declining = older files adopt more.
83
-
84
- Examples:
85
- - Constructor injection: `~84% (declining)` — 37 of 44 service classes; newer files use factory functions
86
- - camelCase exports: `~100% (stable)` — enforced by lint rule, zero violations found
87
- - Inline error handling: `~62% (rising)` — 18 of 29 handlers; recent PRs consistently use this
88
-
89
- Replace examples with findings from this codebase.
90
-
91
- ## Testing And Mocking (High-Leverage)
92
-
93
- Test types used:
94
- - Unit: [yes/no] (runner: [tool]) - examples: `[file paths]`
95
- - Integration: [yes/no] - examples: `[file paths]`
96
- - E2E: [yes/no] - examples: `[file paths]`
97
-
98
- Where tests live:
99
- - Unit tests: `[path pattern]`
100
- - Integration tests: `[path pattern]`
101
- - E2E tests: `[path pattern]`
102
-
103
- Fixtures and factories:
104
- - Where fixtures live: `[path pattern]`
105
- - Preferred factory pattern: [pattern]
106
-
107
- Mocking boundaries (explicit):
108
- - Do mock: [what is safe to mock here]
109
- - Do NOT mock: [what must remain real]
110
- - Why: [rationale grounded in this codebase]
111
- - Examples: `[file paths]`
112
-
113
- External calls:
114
- - Network calls in tests: [allowed/blocked]
115
- - How HTTP is stubbed: [pattern] - examples: `[file paths]`
116
- - DB usage in tests: [pattern] - examples: `[file paths]`
117
-
118
- CI reliability rules:
119
- - Timeouts: [standard value if any]
120
- - Flake policy: [rerun policy or "none"]
121
- - Test parallelism constraints: [if any]
122
-
123
- <good_examples>
124
- Example (good):
125
- - "All HTTP clients must be injected via `src/lib/http/client.ts` and mocked via `test/utils/mockHttp.ts` (do NOT mock `fetch` directly). See `src/services/billing.ts` and `test/services/billing.test.ts`."
126
- - "Integration tests use a real Postgres via Docker Compose. Do NOT mock DB queries; instead use `test/fixtures/dbSeed.ts`. See `test/integration/users.test.ts`."
127
-
128
- Example (bad):
129
- - "We use Jest and sometimes integration tests." (no paths, no boundaries, no rules)
130
- </good_examples>
131
-
132
- ## External Integration Patterns (Security-Critical)
133
-
134
- Capture these only if external integrations exist. Missing these causes subtle security bugs.
135
-
136
- ### Webhook Verification
137
- - Webhook endpoints: `[paths]`
138
- - Signature verification method: [HMAC-SHA256 / provider-specific / none]
139
- - Where verification happens: `[file path]` (middleware? route handler?)
140
- - Verified before or after parsing payload: [before — always verify raw body]
141
- - Do NOT: parse JSON before verifying signature (timing attacks)
142
- - Examples: `[file paths for webhook handlers]`
143
-
144
- ### Authentication and Session Management
145
- - Auth provider: [JWT / session cookie / OAuth / API key / none]
146
- - Token storage (client): [httpOnly cookie / localStorage / memory]
147
- - Token storage (server): [Redis / DB / stateless]
148
- - Refresh logic: [how tokens are refreshed, where that code lives]
149
- - Where auth is enforced: [middleware path / per-route / both]
150
- - Protected vs public routes: [pattern or file]
151
- - Do NOT: store tokens in localStorage for sensitive apps (XSS risk)
152
- - Examples: `[file paths for auth middleware]`
153
-
154
- ### Environment Configuration
155
- - Config loading: `[file path]` (e.g., `src/config/index.ts`)
156
- - Environment-specific overrides: [dev/staging/prod distinction]
157
- - Secrets access pattern: [env var / secrets manager / vault]
158
- - Do NOT: hardcode secrets; do NOT commit `.env` files
159
- - Examples: `[file paths]`
160
-
161
- ### Observability Hooks
162
- - Request logging: [tool + where it's configured]
163
- - Error tracking: [tool + integration file path]
164
- - Performance monitoring: [tool + integration point]
165
- - Health check endpoint: `[path]` (e.g., `/health`)
166
- - Examples: `[file paths]`
167
-
168
- <good_examples>
169
- Example (good):
170
- - "Stripe webhooks are verified via `src/webhooks/stripe.ts:verifyStripeSignature()` using the raw request body before JSON parsing. Do NOT route Stripe events through the JSON body parser middleware. See `src/middleware/webhooks.ts`."
171
- - "Auth tokens are httpOnly cookies (not localStorage). Refresh happens via `src/auth/refresh.ts` called by the global axios interceptor. Token expiry = 15min access, 7-day refresh. See `src/lib/http.ts`."
172
- - "All secrets come from env vars loaded via `src/config/env.ts`. Never read `process.env` directly outside that file. Dev/staging/prod configs are in `.env.example`, `.env.staging`, `.env.production` (secrets redacted, committed)."
173
-
174
- Example (bad):
175
- - "We use JWT and have some webhooks." (no paths, no security rules, no boundaries)
176
- </good_examples>
177
-
178
- ## Golden Files
179
-
180
- Identify 3–5 files that best exemplify this codebase's conventions. Selection algorithm: highest density of documented conventions in production feature files (not scaffolding, not generated code, not test files).
181
-
182
- Format: `file path — what makes it a good example`
183
-
184
- - `[path/to/file.ts]` — [which conventions it demonstrates, e.g., "named exports, constructor injection, custom error class, full test coverage"]
185
- - `[path/to/file.ts]` — [conventions it demonstrates]
186
- - `[path/to/file.ts]` — [conventions it demonstrates]
187
-
188
- If no single file exemplifies multiple conventions, list the best per-category file instead.
189
-
190
- ---
191
-
192
- *Convention analysis: [date]*
193
-
1
+ # Codebase Conventions
2
+
3
+ **Analysis Date:** [YYYY-MM-DD]
4
+
5
+ <guidelines>
6
+ - This document is durable intent (rules/patterns), not a directory dump.
7
+ - Be prescriptive. If 80%+ of the codebase follows a pattern, document it as a rule ("Use X"), not as a survey ("Sometimes X").
8
+ - Every non-trivial claim must include at least one concrete file path example.
9
+ - Prefer "how to do it here" over general best practices.
10
+ - Capture testing and mocking boundaries explicitly ("what NOT to mock"). Missing boundaries cause broken tests and slow CI.
11
+ - Capture external integration patterns (webhook verification, auth session management). Missing these causes security vulnerabilities.
12
+ </guidelines>
13
+
14
+ ## Naming Patterns
15
+
16
+ Files:
17
+ - [Pattern observed]
18
+
19
+ Functions:
20
+ - [Pattern observed]
21
+
22
+ Variables:
23
+ - [Pattern observed]
24
+
25
+ Types:
26
+ - [Pattern observed]
27
+
28
+ ## Code Style
29
+
30
+ Formatting:
31
+ - Tool: [Tool used]
32
+ - Key settings: [Key settings]
33
+
34
+ Linting:
35
+ - Tool: [Tool used]
36
+ - Key rules: [Key rules]
37
+
38
+ ## Import Organization
39
+
40
+ Order:
41
+ 1. [First group]
42
+ 2. [Second group]
43
+ 3. [Third group]
44
+
45
+ Path aliases:
46
+ - [Aliases used]
47
+
48
+ ## Error Handling
49
+
50
+ Patterns:
51
+ - [How errors are handled]
52
+ - Examples: `[file paths]`
53
+
54
+ ## Logging
55
+
56
+ Framework:
57
+ - [Tool or "console"]
58
+
59
+ Patterns:
60
+ - [When/how to log]
61
+ - Examples: `[file paths]`
62
+
63
+ ## Module / Function Design
64
+
65
+ Function size:
66
+ - [Guidelines]
67
+
68
+ Parameters:
69
+ - [Pattern]
70
+
71
+ Return values:
72
+ - [Pattern]
73
+
74
+ Exports:
75
+ - [Pattern]
76
+
77
+ ## Convention Adoption Rates
78
+
79
+ For each major convention documented above, estimate adoption rate using grep-counting (count occurrences in production source files, exclude `node_modules`, `vendor`, generated files). Use the format `~N% (stable|rising|declining)`.
80
+
81
+ - Pattern requires ≥5 occurrences to estimate; below that, write "prevalence unknown — seen in multiple files."
82
+ - Trend signal: stable = consistent across file age, rising = newer files adopt more, declining = older files adopt more.
83
+
84
+ Examples:
85
+ - Constructor injection: `~84% (declining)` — 37 of 44 service classes; newer files use factory functions
86
+ - camelCase exports: `~100% (stable)` — enforced by lint rule, zero violations found
87
+ - Inline error handling: `~62% (rising)` — 18 of 29 handlers; recent PRs consistently use this
88
+
89
+ Replace examples with findings from this codebase.
90
+
91
+ ## Testing And Mocking (High-Leverage)
92
+
93
+ Test types used:
94
+ - Unit: [yes/no] (runner: [tool]) - examples: `[file paths]`
95
+ - Integration: [yes/no] - examples: `[file paths]`
96
+ - E2E: [yes/no] - examples: `[file paths]`
97
+
98
+ Where tests live:
99
+ - Unit tests: `[path pattern]`
100
+ - Integration tests: `[path pattern]`
101
+ - E2E tests: `[path pattern]`
102
+
103
+ Fixtures and factories:
104
+ - Where fixtures live: `[path pattern]`
105
+ - Preferred factory pattern: [pattern]
106
+
107
+ Mocking boundaries (explicit):
108
+ - Do mock: [what is safe to mock here]
109
+ - Do NOT mock: [what must remain real]
110
+ - Why: [rationale grounded in this codebase]
111
+ - Examples: `[file paths]`
112
+
113
+ External calls:
114
+ - Network calls in tests: [allowed/blocked]
115
+ - How HTTP is stubbed: [pattern] - examples: `[file paths]`
116
+ - DB usage in tests: [pattern] - examples: `[file paths]`
117
+
118
+ CI reliability rules:
119
+ - Timeouts: [standard value if any]
120
+ - Flake policy: [rerun policy or "none"]
121
+ - Test parallelism constraints: [if any]
122
+
123
+ <good_examples>
124
+ Example (good):
125
+ - "All HTTP clients must be injected via `src/lib/http/client.ts` and mocked via `test/utils/mockHttp.ts` (do NOT mock `fetch` directly). See `src/services/billing.ts` and `test/services/billing.test.ts`."
126
+ - "Integration tests use a real Postgres via Docker Compose. Do NOT mock DB queries; instead use `test/fixtures/dbSeed.ts`. See `test/integration/users.test.ts`."
127
+
128
+ Example (bad):
129
+ - "We use Jest and sometimes integration tests." (no paths, no boundaries, no rules)
130
+ </good_examples>
131
+
132
+ ## External Integration Patterns (Security-Critical)
133
+
134
+ Capture these only if external integrations exist. Missing these causes subtle security bugs.
135
+
136
+ ### Webhook Verification
137
+ - Webhook endpoints: `[paths]`
138
+ - Signature verification method: [HMAC-SHA256 / provider-specific / none]
139
+ - Where verification happens: `[file path]` (middleware? route handler?)
140
+ - Verified before or after parsing payload: [before — always verify raw body]
141
+ - Do NOT: parse JSON before verifying signature (timing attacks)
142
+ - Examples: `[file paths for webhook handlers]`
143
+
144
+ ### Authentication and Session Management
145
+ - Auth provider: [JWT / session cookie / OAuth / API key / none]
146
+ - Token storage (client): [httpOnly cookie / localStorage / memory]
147
+ - Token storage (server): [Redis / DB / stateless]
148
+ - Refresh logic: [how tokens are refreshed, where that code lives]
149
+ - Where auth is enforced: [middleware path / per-route / both]
150
+ - Protected vs public routes: [pattern or file]
151
+ - Do NOT: store tokens in localStorage for sensitive apps (XSS risk)
152
+ - Examples: `[file paths for auth middleware]`
153
+
154
+ ### Environment Configuration
155
+ - Config loading: `[file path]` (e.g., `src/config/index.ts`)
156
+ - Environment-specific overrides: [dev/staging/prod distinction]
157
+ - Secrets access pattern: [env var / secrets manager / vault]
158
+ - Do NOT: hardcode secrets; do NOT commit `.env` files
159
+ - Examples: `[file paths]`
160
+
161
+ ### Observability Hooks
162
+ - Request logging: [tool + where it's configured]
163
+ - Error tracking: [tool + integration file path]
164
+ - Performance monitoring: [tool + integration point]
165
+ - Health check endpoint: `[path]` (e.g., `/health`)
166
+ - Examples: `[file paths]`
167
+
168
+ <good_examples>
169
+ Example (good):
170
+ - "Stripe webhooks are verified via `src/webhooks/stripe.ts:verifyStripeSignature()` using the raw request body before JSON parsing. Do NOT route Stripe events through the JSON body parser middleware. See `src/middleware/webhooks.ts`."
171
+ - "Auth tokens are httpOnly cookies (not localStorage). Refresh happens via `src/auth/refresh.ts` called by the global axios interceptor. Token expiry = 15min access, 7-day refresh. See `src/lib/http.ts`."
172
+ - "All secrets come from env vars loaded via `src/config/env.ts`. Never read `process.env` directly outside that file. Dev/staging/prod configs are in `.env.example`, `.env.staging`, `.env.production` (secrets redacted, committed)."
173
+
174
+ Example (bad):
175
+ - "We use JWT and have some webhooks." (no paths, no security rules, no boundaries)
176
+ </good_examples>
177
+
178
+ ## Golden Files
179
+
180
+ Identify 3–5 files that best exemplify this codebase's conventions. Selection algorithm: highest density of documented conventions in production feature files (not scaffolding, not generated code, not test files).
181
+
182
+ Format: `file path — what makes it a good example`
183
+
184
+ - `[path/to/file.ts]` — [which conventions it demonstrates, e.g., "named exports, constructor injection, custom error class, full test coverage"]
185
+ - `[path/to/file.ts]` — [conventions it demonstrates]
186
+ - `[path/to/file.ts]` — [conventions it demonstrates]
187
+
188
+ If no single file exemplifies multiple conventions, list the best per-category file instead.
189
+
190
+ ---
191
+
192
+ *Convention analysis: [date]*
193
+