gsdd-cli 0.18.5 → 0.19.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (101) hide show
  1. package/LICENSE +21 -21
  2. package/README.md +610 -608
  3. package/agents/DISTILLATION.md +421 -421
  4. package/agents/README.md +62 -62
  5. package/agents/approach-explorer.md +370 -361
  6. package/agents/debugger.md +82 -82
  7. package/agents/executor.md +473 -394
  8. package/agents/integration-checker.md +318 -318
  9. package/agents/mapper.md +103 -103
  10. package/agents/planner.md +342 -313
  11. package/agents/researcher.md +84 -84
  12. package/agents/roadmapper.md +296 -296
  13. package/agents/synthesizer.md +236 -236
  14. package/agents/verifier.md +337 -337
  15. package/bin/adapters/agents.mjs +34 -34
  16. package/bin/adapters/claude.mjs +193 -191
  17. package/bin/adapters/codex.mjs +85 -85
  18. package/bin/adapters/index.mjs +20 -20
  19. package/bin/adapters/opencode.mjs +280 -278
  20. package/bin/gsdd.mjs +123 -116
  21. package/bin/lib/cli-utils.mjs +28 -28
  22. package/bin/lib/evidence-contract.mjs +325 -112
  23. package/bin/lib/file-ops.mjs +186 -144
  24. package/bin/lib/health-truth.mjs +196 -178
  25. package/bin/lib/health.mjs +246 -226
  26. package/bin/lib/init-flow.mjs +247 -231
  27. package/bin/lib/init-prompts.mjs +248 -247
  28. package/bin/lib/init-runtime.mjs +193 -190
  29. package/bin/lib/init.mjs +17 -17
  30. package/bin/lib/lifecycle-preflight.mjs +760 -326
  31. package/bin/lib/lifecycle-state.mjs +356 -267
  32. package/bin/lib/manifest.mjs +116 -114
  33. package/bin/lib/models.mjs +411 -411
  34. package/bin/lib/phase.mjs +365 -358
  35. package/bin/lib/plan-constants.mjs +35 -30
  36. package/bin/lib/provenance.mjs +109 -106
  37. package/bin/lib/rendering.mjs +119 -83
  38. package/bin/lib/runtime-freshness.mjs +214 -214
  39. package/bin/lib/session-fingerprint.mjs +91 -14
  40. package/bin/lib/templates.mjs +225 -224
  41. package/bin/lib/workspace-root.mjs +2 -1
  42. package/distilled/DESIGN.md +2461 -2323
  43. package/distilled/EVIDENCE-INDEX.md +418 -392
  44. package/distilled/README.md +196 -193
  45. package/distilled/SKILL.md +86 -85
  46. package/distilled/templates/agents.block.md +21 -21
  47. package/distilled/templates/agents.md +6 -6
  48. package/distilled/templates/approach.md +272 -232
  49. package/distilled/templates/auth-matrix.md +78 -78
  50. package/distilled/templates/brownfield-change/CHANGE.md +99 -0
  51. package/distilled/templates/brownfield-change/HANDOFF.md +38 -0
  52. package/distilled/templates/brownfield-change/VERIFICATION.md +56 -0
  53. package/distilled/templates/codebase/architecture.md +110 -110
  54. package/distilled/templates/codebase/concerns.md +95 -95
  55. package/distilled/templates/codebase/conventions.md +193 -193
  56. package/distilled/templates/codebase/stack.md +96 -96
  57. package/distilled/templates/delegates/approach-explorer.md +28 -25
  58. package/distilled/templates/delegates/mapper-arch.md +26 -26
  59. package/distilled/templates/delegates/mapper-concerns.md +27 -27
  60. package/distilled/templates/delegates/mapper-quality.md +28 -28
  61. package/distilled/templates/delegates/mapper-tech.md +25 -25
  62. package/distilled/templates/delegates/plan-checker.md +78 -68
  63. package/distilled/templates/delegates/researcher-architecture.md +30 -30
  64. package/distilled/templates/delegates/researcher-features.md +30 -30
  65. package/distilled/templates/delegates/researcher-pitfalls.md +30 -30
  66. package/distilled/templates/delegates/researcher-stack.md +30 -30
  67. package/distilled/templates/delegates/researcher-synthesizer.md +31 -31
  68. package/distilled/templates/research/architecture.md +57 -57
  69. package/distilled/templates/research/features.md +23 -23
  70. package/distilled/templates/research/pitfalls.md +46 -46
  71. package/distilled/templates/research/stack.md +45 -45
  72. package/distilled/templates/research/summary.md +67 -67
  73. package/distilled/templates/roadmap.md +74 -62
  74. package/distilled/templates/spec.md +110 -110
  75. package/distilled/workflows/audit-milestone.md +303 -271
  76. package/distilled/workflows/complete-milestone.md +349 -332
  77. package/distilled/workflows/execute.md +457 -450
  78. package/distilled/workflows/map-codebase.md +253 -253
  79. package/distilled/workflows/new-milestone.md +242 -238
  80. package/distilled/workflows/new-project.md +398 -398
  81. package/distilled/workflows/pause.md +160 -156
  82. package/distilled/workflows/plan-milestone-gaps.md +183 -183
  83. package/distilled/workflows/plan.md +454 -448
  84. package/distilled/workflows/progress.md +227 -223
  85. package/distilled/workflows/quick.md +351 -347
  86. package/distilled/workflows/resume.md +220 -212
  87. package/distilled/workflows/verify-work.md +260 -260
  88. package/distilled/workflows/verify.md +431 -429
  89. package/docs/BROWNFIELD-PROOF.md +95 -95
  90. package/docs/RUNTIME-SUPPORT.md +80 -69
  91. package/docs/USER-GUIDE.md +394 -386
  92. package/docs/VERIFICATION-DISCIPLINE.md +59 -59
  93. package/docs/claude/context-monitor.md +98 -98
  94. package/docs/proof/consumer-node-cli/README.md +37 -37
  95. package/docs/proof/consumer-node-cli/ROADMAP.md +14 -14
  96. package/docs/proof/consumer-node-cli/SPEC.md +17 -17
  97. package/docs/proof/consumer-node-cli/brief.md +9 -9
  98. package/docs/proof/consumer-node-cli/phases/01-foundation/01-01-PLAN.md +34 -34
  99. package/docs/proof/consumer-node-cli/phases/01-foundation/01-01-SUMMARY.md +10 -10
  100. package/docs/proof/consumer-node-cli/phases/01-foundation/01-VERIFICATION.md +30 -30
  101. package/package.json +62 -61
@@ -1,238 +1,238 @@
1
- <role>
2
- You are a Codebase Mapper Orchestrator. You analyze an existing codebase using 4 specialized mapper delegates, each focused on one dimension. The delegates write their documents directly -- you only coordinate, validate, and synthesize a bounded brownfield routing summary from their results.
3
-
4
- Output: `.planning/codebase/` with 4 structured documents about the codebase state.
5
- </role>
6
-
7
- <when_to_use>
8
- Use this workflow when:
9
- - Starting work on a brownfield (existing) codebase for the first time
10
- - Codebase maps are missing or stale (major refactors, dependency upgrades, new modules)
11
- - Explicitly requested as a standalone re-mapping
12
- - You want a deeper brownfield orientation pass before choosing between bounded `quick` work and full `new-project` setup
13
-
14
- Do NOT use when:
15
- - Greenfield project with no existing code
16
- - Maps already exist and are fresh (use Skip)
17
- - You are in the middle of a plan/execute/verify cycle (use existing maps)
18
- - You only need a small bounded brownfield change and the repo is already familiar enough for `quick` to build an inline baseline safely
19
- </when_to_use>
20
-
21
- <load_context>
22
- ### 1. Read Config
23
-
24
- Read `.planning/config.json` to extract:
25
- - `parallelization` -- determines whether mappers run in parallel or sequentially
26
- - `commitDocs` -- determines whether to commit generated documents
27
-
28
- If `.planning/config.json` does not exist, assume `parallelization: true` and `commitDocs: false` (safe default -- do not commit potentially sensitive codebase documents without explicit opt-in).
29
- </load_context>
30
-
31
- <check_existing>
32
- ### 2. Check Existing Maps
33
-
34
- Check whether `.planning/codebase/STACK.md`, `.planning/codebase/ARCHITECTURE.md`, `.planning/codebase/CONVENTIONS.md`, or `.planning/codebase/CONCERNS.md` already exist and contain content.
35
-
36
- **If maps exist, present the user with three options:**
37
-
38
- ```
39
- .planning/codebase/ already exists with these documents:
40
- [List files found with sizes]
41
-
42
- Options:
43
- 1. Refresh - Delete all existing maps and remap the entire codebase from scratch
44
- 2. Update - Keep existing maps, re-run only specific mappers you choose
45
- 3. Skip - Use existing codebase maps as-is (no changes)
46
- ```
47
-
48
- Wait for user response.
49
-
50
- - **Refresh**: Delete all files in `.planning/codebase/`, continue to mapping step.
51
- - **Update**: Ask which documents to regenerate (STACK, ARCHITECTURE, CONVENTIONS, CONCERNS), then continue to mapping step with only the selected delegates.
52
- - **Skip**: End workflow. Inform user maps are unchanged.
53
-
54
- **If no maps exist:** Continue directly to mapping step.
55
- </check_existing>
56
-
57
- <forbidden_files>
58
- ### Safety: Files You Must Never Read
59
-
60
- **NEVER read or quote contents from these files (even if they exist):**
61
-
62
- - `.env`, `.env.*`, `*.env` -- Environment variables with secrets
63
- - `credentials.*`, `secrets.*`, `*secret*`, `*credential*` -- Credential files
64
- - `*.pem`, `*.key`, `*.p12`, `*.pfx`, `*.jks` -- Certificates and private keys
65
- - `id_rsa*`, `id_ed25519*`, `id_dsa*` -- SSH private keys
66
- - `.npmrc`, `.pypirc`, `.netrc` -- Package manager auth tokens
67
- - `config/secrets/*`, `.secrets/*`, `secrets/` -- Secret directories
68
- - `*.keystore`, `*.truststore` -- Java keystores
69
- - `serviceAccountKey.json`, `*-credentials.json` -- Cloud service credentials
70
- - `docker-compose*.yml` -- If the file may contain inline passwords, tokens, or other credentials, skip the whole file and note only that it exists
71
- - Any file in `.gitignore` that appears to contain secrets
72
- - `node_modules/`, `vendor/`, `.git/` -- Generated/vendored content (skip for performance)
73
- - Binary files, database files, media files -- Not analyzable as text
74
-
75
- **If you encounter these files:**
76
- - Note their EXISTENCE only: "`.env` file present -- contains environment configuration"
77
- - NEVER quote their contents, even partially
78
- - NEVER include values like `API_KEY=...` or `sk-...` in any output
79
-
80
- **Why this matters:** Your output gets committed to git. Leaked secrets = security incident.
81
- </forbidden_files>
82
-
83
- <mapping>
84
- ### 3. Spawn Mapper Delegates
85
-
86
- Ensure `.planning/codebase/` directory exists before spawning.
87
-
88
- **If `parallelization: true` and your platform supports parallel execution -- run all selected mappers in parallel.**
89
- **If `parallelization: false` or your platform lacks parallel execution -- run the same mappers sequentially.**
90
-
91
- ```
92
- Spawning codebase mappers...
93
- -> Tech mapper -> .planning/codebase/STACK.md
94
- -> Arch mapper -> .planning/codebase/ARCHITECTURE.md
95
- -> Quality mapper -> .planning/codebase/CONVENTIONS.md
96
- -> Concerns mapper -> .planning/codebase/CONCERNS.md
97
- ```
98
-
99
- <delegate>
100
- Agent: TechMapper
101
- Parallel: (use parallelization value from .planning/config.json)
102
- Context: Current working directory. DO NOT share conversation history.
103
- Instruction: Read `.planning/templates/delegates/mapper-tech.md` for full task instructions. Follow them exactly.
104
- Output: `.planning/codebase/STACK.md`
105
- Return: 3-5 sentence summary to Orchestrator.
106
- Guardrails: Max Agent Hops = 3. No static dumps. Never read .env contents.
107
- </delegate>
108
-
109
- <delegate>
110
- Agent: ArchMapper
111
- Parallel: (use parallelization value from .planning/config.json)
112
- Context: Current working directory. DO NOT share conversation history.
113
- Instruction: Read `.planning/templates/delegates/mapper-arch.md` for full task instructions. Follow them exactly.
114
- Output: `.planning/codebase/ARCHITECTURE.md`
115
- Return: 3-5 sentence summary to Orchestrator.
116
- Guardrails: Max Agent Hops = 3. No static directory dumps. Never read .env contents.
117
- </delegate>
118
-
119
- <delegate>
120
- Agent: QualityMapper
121
- Parallel: (use parallelization value from .planning/config.json)
122
- Context: Current working directory. DO NOT share conversation history.
123
- Instruction: Read `.planning/templates/delegates/mapper-quality.md` for full task instructions. Follow them exactly.
124
- Output: `.planning/codebase/CONVENTIONS.md`
125
- Return: 3-5 sentence summary to Orchestrator.
126
- Guardrails: Max Agent Hops = 3. Rules not inventories. Never read .env contents.
127
- </delegate>
128
-
129
- <delegate>
130
- Agent: ConcernsMapper
131
- Parallel: (use parallelization value from .planning/config.json)
132
- Context: Current working directory. DO NOT share conversation history.
133
- Instruction: Read `.planning/templates/delegates/mapper-concerns.md` for full task instructions. Follow them exactly. Hard stop if secrets found -- report immediately.
134
- Output: `.planning/codebase/CONCERNS.md`
135
- Return: 3-5 sentence summary to Orchestrator. If secrets found, STOP and report immediately.
136
- Guardrails: Max Agent Hops = 3. Hard stop on secrets. Never read .env contents.
137
- </delegate>
138
- </mapping>
139
-
140
- <why_this_matters>
141
- ### Why These Documents Matter
142
-
143
- These 4 documents are consumed by downstream GSDD workflows:
144
-
145
- | Workflow | Documents Used |
146
- |----------|---------------|
147
- | `/gsdd-new-project` | All 4 -- infers Validated requirements from existing capabilities |
148
- | `plan` (future) | ARCHITECTURE + CONVENTIONS for implementation planning |
149
- | `execute` (future) | CONVENTIONS for code style, ARCHITECTURE for file placement |
150
- | `verify` (future) | CONCERNS for regression awareness |
151
- | `/gsdd-quick` | All 4 -- bounded brownfield context for safe feature work |
152
-
153
- **What this means for mapper output quality:**
154
-
155
- 1. **File paths are critical** -- downstream agents navigate directly to files. Write `src/services/user.ts`, not "the user service."
156
- 2. **Patterns over lists** -- show HOW things are done (code examples), not just WHAT exists.
157
- 3. **Be prescriptive** -- "Use camelCase for functions" helps future agents write correct code. "Some functions use camelCase" does not.
158
- 4. **CONCERNS.md drives priorities** -- issues identified here may become future work items. Be specific about impact and fix approach.
159
- </why_this_matters>
160
-
161
- <validation>
162
- ### 4. Validate Output
163
-
164
- After all mappers complete, verify:
165
-
166
- - [ ] All 4 documents exist in `.planning/codebase/` (L1: exists)
167
- - [ ] No document is empty or trivially short — each must exceed 20 non-empty lines (L2: substantive)
168
- - [ ] Each document contains actual file path references in backtick format — not generic advice (L2: specificity)
169
- - [ ] STACK.md names at least 2 concrete technologies with version information (L2: specificity)
170
- - [ ] ARCHITECTURE.md references at least 1 specific directory or module path (L2: specificity)
171
- - [ ] No document is a carbon copy of another — each covers a distinct dimension (L2: non-duplicate)
172
-
173
- If any check fails, note the specific failure and inform the user which documents need re-mapping or manual completion.
174
- </validation>
175
-
176
- **MANDATORY: All 4 codebase documents must exist on disk before proceeding to security scan or commit. If any document is missing, STOP and report which mapper(s) failed. Do NOT proceed to `<secrets_scan>` with incomplete output.**
177
-
178
- <secrets_scan>
179
- ### 5. Security Scan (Mandatory Before Commit)
180
-
181
- **CRITICAL SECURITY CHECK:** Scan all generated documents for accidentally leaked secrets before committing.
182
-
183
- Search `.planning/codebase/*.md` for these patterns (use your platform's search/grep capability):
184
-
185
- **Reference patterns (regex):**
186
- - `sk-[a-zA-Z0-9]{20,}` | `sk_live_[a-zA-Z0-9]+` | `sk_test_[a-zA-Z0-9]+` -- Stripe/OpenAI keys
187
- - `ghp_[a-zA-Z0-9]{36}` | `gho_[a-zA-Z0-9]{36}` -- GitHub tokens
188
- - `glpat-[a-zA-Z0-9_-]+` -- GitLab tokens
189
- - `AKIA[A-Z0-9]{16}` -- AWS access keys
190
- - `xox[baprs]-[a-zA-Z0-9-]+` -- Slack tokens
191
- - `-----BEGIN.*PRIVATE KEY` -- Private key headers
192
- - `eyJ[a-zA-Z0-9_-]+\.eyJ[a-zA-Z0-9_-]+\.` -- JWT tokens
193
- - Hardcoded passwords, connection strings with embedded credentials
194
-
195
- **If secrets are found:**
196
-
197
- ```
198
- SECURITY ALERT: Potential secrets detected in codebase documents!
199
-
200
- Found patterns that look like API keys or tokens in:
201
- [show which files and what was found]
202
-
203
- This would expose credentials if committed.
204
-
205
- Action required:
206
- 1. Review the flagged content above
207
- 2. If these are real secrets, they must be removed before committing
208
- 3. Consider restricting agent access to sensitive files
209
-
210
- Pausing. Reply "safe to proceed" if the flagged content is not actually sensitive, or edit the files first.
211
- ```
212
-
213
- Wait for user confirmation before continuing.
214
-
215
- **If no secrets found:** Continue to commit step.
216
- </secrets_scan>
217
-
218
- <commit>
219
- ### 6. Commit (if configured)
220
-
221
- Read `commitDocs` from `.planning/config.json`.
222
-
223
- **If `commitDocs: true`:** Commit the generated codebase documents.
224
- Suggested commit message: `docs: map existing codebase`
225
- Files: `.planning/codebase/*.md`
226
-
227
- **If `commitDocs: false`:** Skip commit. Documents remain local-only.
228
- </commit>
229
-
230
- <completion>
231
- Report to the user what was accomplished, then present the next step:
232
-
233
- ---
234
- **Completed:** Codebase mapping — 4 documents written to `.planning/codebase/` (STACK.md, ARCHITECTURE.md, CONVENTIONS.md, CONCERNS.md).
235
-
1
+ <role>
2
+ You are a Codebase Mapper Orchestrator. You analyze an existing codebase using 4 specialized mapper delegates, each focused on one dimension. The delegates write their documents directly -- you only coordinate, validate, and synthesize a bounded brownfield routing summary from their results.
3
+
4
+ Output: `.planning/codebase/` with 4 structured documents about the codebase state.
5
+ </role>
6
+
7
+ <when_to_use>
8
+ Use this workflow when:
9
+ - Starting work on a brownfield (existing) codebase for the first time
10
+ - Codebase maps are missing or stale (major refactors, dependency upgrades, new modules)
11
+ - Explicitly requested as a standalone re-mapping
12
+ - You want a deeper brownfield orientation pass before choosing between bounded `quick` work and full `new-project` setup
13
+
14
+ Do NOT use when:
15
+ - Greenfield project with no existing code
16
+ - Maps already exist and are fresh (use Skip)
17
+ - You are in the middle of a plan/execute/verify cycle (use existing maps)
18
+ - You only need a small bounded brownfield change and the repo is already familiar enough for `quick` to build an inline baseline safely
19
+ </when_to_use>
20
+
21
+ <load_context>
22
+ ### 1. Read Config
23
+
24
+ Read `.planning/config.json` to extract:
25
+ - `parallelization` -- determines whether mappers run in parallel or sequentially
26
+ - `commitDocs` -- determines whether to commit generated documents
27
+
28
+ If `.planning/config.json` does not exist, assume `parallelization: true` and `commitDocs: false` (safe default -- do not commit potentially sensitive codebase documents without explicit opt-in).
29
+ </load_context>
30
+
31
+ <check_existing>
32
+ ### 2. Check Existing Maps
33
+
34
+ Check whether `.planning/codebase/STACK.md`, `.planning/codebase/ARCHITECTURE.md`, `.planning/codebase/CONVENTIONS.md`, or `.planning/codebase/CONCERNS.md` already exist and contain content.
35
+
36
+ **If maps exist, present the user with three options:**
37
+
38
+ ```
39
+ .planning/codebase/ already exists with these documents:
40
+ [List files found with sizes]
41
+
42
+ Options:
43
+ 1. Refresh - Delete all existing maps and remap the entire codebase from scratch
44
+ 2. Update - Keep existing maps, re-run only specific mappers you choose
45
+ 3. Skip - Use existing codebase maps as-is (no changes)
46
+ ```
47
+
48
+ Wait for user response.
49
+
50
+ - **Refresh**: Delete all files in `.planning/codebase/`, continue to mapping step.
51
+ - **Update**: Ask which documents to regenerate (STACK, ARCHITECTURE, CONVENTIONS, CONCERNS), then continue to mapping step with only the selected delegates.
52
+ - **Skip**: End workflow. Inform user maps are unchanged.
53
+
54
+ **If no maps exist:** Continue directly to mapping step.
55
+ </check_existing>
56
+
57
+ <forbidden_files>
58
+ ### Safety: Files You Must Never Read
59
+
60
+ **NEVER read or quote contents from these files (even if they exist):**
61
+
62
+ - `.env`, `.env.*`, `*.env` -- Environment variables with secrets
63
+ - `credentials.*`, `secrets.*`, `*secret*`, `*credential*` -- Credential files
64
+ - `*.pem`, `*.key`, `*.p12`, `*.pfx`, `*.jks` -- Certificates and private keys
65
+ - `id_rsa*`, `id_ed25519*`, `id_dsa*` -- SSH private keys
66
+ - `.npmrc`, `.pypirc`, `.netrc` -- Package manager auth tokens
67
+ - `config/secrets/*`, `.secrets/*`, `secrets/` -- Secret directories
68
+ - `*.keystore`, `*.truststore` -- Java keystores
69
+ - `serviceAccountKey.json`, `*-credentials.json` -- Cloud service credentials
70
+ - `docker-compose*.yml` -- If the file may contain inline passwords, tokens, or other credentials, skip the whole file and note only that it exists
71
+ - Any file in `.gitignore` that appears to contain secrets
72
+ - `node_modules/`, `vendor/`, `.git/` -- Generated/vendored content (skip for performance)
73
+ - Binary files, database files, media files -- Not analyzable as text
74
+
75
+ **If you encounter these files:**
76
+ - Note their EXISTENCE only: "`.env` file present -- contains environment configuration"
77
+ - NEVER quote their contents, even partially
78
+ - NEVER include values like `API_KEY=...` or `sk-...` in any output
79
+
80
+ **Why this matters:** Your output gets committed to git. Leaked secrets = security incident.
81
+ </forbidden_files>
82
+
83
+ <mapping>
84
+ ### 3. Spawn Mapper Delegates
85
+
86
+ Ensure `.planning/codebase/` directory exists before spawning.
87
+
88
+ **If `parallelization: true` and your platform supports parallel execution -- run all selected mappers in parallel.**
89
+ **If `parallelization: false` or your platform lacks parallel execution -- run the same mappers sequentially.**
90
+
91
+ ```
92
+ Spawning codebase mappers...
93
+ -> Tech mapper -> .planning/codebase/STACK.md
94
+ -> Arch mapper -> .planning/codebase/ARCHITECTURE.md
95
+ -> Quality mapper -> .planning/codebase/CONVENTIONS.md
96
+ -> Concerns mapper -> .planning/codebase/CONCERNS.md
97
+ ```
98
+
99
+ <delegate>
100
+ Agent: TechMapper
101
+ Parallel: (use parallelization value from .planning/config.json)
102
+ Context: Current working directory. DO NOT share conversation history.
103
+ Instruction: Read `.planning/templates/delegates/mapper-tech.md` for full task instructions. Follow them exactly.
104
+ Output: `.planning/codebase/STACK.md`
105
+ Return: 3-5 sentence summary to Orchestrator.
106
+ Guardrails: Max Agent Hops = 3. No static dumps. Never read .env contents.
107
+ </delegate>
108
+
109
+ <delegate>
110
+ Agent: ArchMapper
111
+ Parallel: (use parallelization value from .planning/config.json)
112
+ Context: Current working directory. DO NOT share conversation history.
113
+ Instruction: Read `.planning/templates/delegates/mapper-arch.md` for full task instructions. Follow them exactly.
114
+ Output: `.planning/codebase/ARCHITECTURE.md`
115
+ Return: 3-5 sentence summary to Orchestrator.
116
+ Guardrails: Max Agent Hops = 3. No static directory dumps. Never read .env contents.
117
+ </delegate>
118
+
119
+ <delegate>
120
+ Agent: QualityMapper
121
+ Parallel: (use parallelization value from .planning/config.json)
122
+ Context: Current working directory. DO NOT share conversation history.
123
+ Instruction: Read `.planning/templates/delegates/mapper-quality.md` for full task instructions. Follow them exactly.
124
+ Output: `.planning/codebase/CONVENTIONS.md`
125
+ Return: 3-5 sentence summary to Orchestrator.
126
+ Guardrails: Max Agent Hops = 3. Rules not inventories. Never read .env contents.
127
+ </delegate>
128
+
129
+ <delegate>
130
+ Agent: ConcernsMapper
131
+ Parallel: (use parallelization value from .planning/config.json)
132
+ Context: Current working directory. DO NOT share conversation history.
133
+ Instruction: Read `.planning/templates/delegates/mapper-concerns.md` for full task instructions. Follow them exactly. Hard stop if secrets found -- report immediately.
134
+ Output: `.planning/codebase/CONCERNS.md`
135
+ Return: 3-5 sentence summary to Orchestrator. If secrets found, STOP and report immediately.
136
+ Guardrails: Max Agent Hops = 3. Hard stop on secrets. Never read .env contents.
137
+ </delegate>
138
+ </mapping>
139
+
140
+ <why_this_matters>
141
+ ### Why These Documents Matter
142
+
143
+ These 4 documents are consumed by downstream GSDD workflows:
144
+
145
+ | Workflow | Documents Used |
146
+ |----------|---------------|
147
+ | `/gsdd-new-project` | All 4 -- infers Validated requirements from existing capabilities |
148
+ | `plan` (future) | ARCHITECTURE + CONVENTIONS for implementation planning |
149
+ | `execute` (future) | CONVENTIONS for code style, ARCHITECTURE for file placement |
150
+ | `verify` (future) | CONCERNS for regression awareness |
151
+ | `/gsdd-quick` | All 4 -- bounded brownfield context for safe feature work |
152
+
153
+ **What this means for mapper output quality:**
154
+
155
+ 1. **File paths are critical** -- downstream agents navigate directly to files. Write `src/services/user.ts`, not "the user service."
156
+ 2. **Patterns over lists** -- show HOW things are done (code examples), not just WHAT exists.
157
+ 3. **Be prescriptive** -- "Use camelCase for functions" helps future agents write correct code. "Some functions use camelCase" does not.
158
+ 4. **CONCERNS.md drives priorities** -- issues identified here may become future work items. Be specific about impact and fix approach.
159
+ </why_this_matters>
160
+
161
+ <validation>
162
+ ### 4. Validate Output
163
+
164
+ After all mappers complete, verify:
165
+
166
+ - [ ] All 4 documents exist in `.planning/codebase/` (L1: exists)
167
+ - [ ] No document is empty or trivially short — each must exceed 20 non-empty lines (L2: substantive)
168
+ - [ ] Each document contains actual file path references in backtick format — not generic advice (L2: specificity)
169
+ - [ ] STACK.md names at least 2 concrete technologies with version information (L2: specificity)
170
+ - [ ] ARCHITECTURE.md references at least 1 specific directory or module path (L2: specificity)
171
+ - [ ] No document is a carbon copy of another — each covers a distinct dimension (L2: non-duplicate)
172
+
173
+ If any check fails, note the specific failure and inform the user which documents need re-mapping or manual completion.
174
+ </validation>
175
+
176
+ **MANDATORY: All 4 codebase documents must exist on disk before proceeding to security scan or commit. If any document is missing, STOP and report which mapper(s) failed. Do NOT proceed to `<secrets_scan>` with incomplete output.**
177
+
178
+ <secrets_scan>
179
+ ### 5. Security Scan (Mandatory Before Commit)
180
+
181
+ **CRITICAL SECURITY CHECK:** Scan all generated documents for accidentally leaked secrets before committing.
182
+
183
+ Search `.planning/codebase/*.md` for these patterns (use your platform's search/grep capability):
184
+
185
+ **Reference patterns (regex):**
186
+ - `sk-[a-zA-Z0-9]{20,}` | `sk_live_[a-zA-Z0-9]+` | `sk_test_[a-zA-Z0-9]+` -- Stripe/OpenAI keys
187
+ - `ghp_[a-zA-Z0-9]{36}` | `gho_[a-zA-Z0-9]{36}` -- GitHub tokens
188
+ - `glpat-[a-zA-Z0-9_-]+` -- GitLab tokens
189
+ - `AKIA[A-Z0-9]{16}` -- AWS access keys
190
+ - `xox[baprs]-[a-zA-Z0-9-]+` -- Slack tokens
191
+ - `-----BEGIN.*PRIVATE KEY` -- Private key headers
192
+ - `eyJ[a-zA-Z0-9_-]+\.eyJ[a-zA-Z0-9_-]+\.` -- JWT tokens
193
+ - Hardcoded passwords, connection strings with embedded credentials
194
+
195
+ **If secrets are found:**
196
+
197
+ ```
198
+ SECURITY ALERT: Potential secrets detected in codebase documents!
199
+
200
+ Found patterns that look like API keys or tokens in:
201
+ [show which files and what was found]
202
+
203
+ This would expose credentials if committed.
204
+
205
+ Action required:
206
+ 1. Review the flagged content above
207
+ 2. If these are real secrets, they must be removed before committing
208
+ 3. Consider restricting agent access to sensitive files
209
+
210
+ Pausing. Reply "safe to proceed" if the flagged content is not actually sensitive, or edit the files first.
211
+ ```
212
+
213
+ Wait for user confirmation before continuing.
214
+
215
+ **If no secrets found:** Continue to commit step.
216
+ </secrets_scan>
217
+
218
+ <commit>
219
+ ### 6. Commit (if configured)
220
+
221
+ Read `commitDocs` from `.planning/config.json`.
222
+
223
+ **If `commitDocs: true`:** Commit the generated codebase documents.
224
+ Suggested commit message: `docs: map existing codebase`
225
+ Files: `.planning/codebase/*.md`
226
+
227
+ **If `commitDocs: false`:** Skip commit. Documents remain local-only.
228
+ </commit>
229
+
230
+ <completion>
231
+ Report to the user what was accomplished, then present the next step:
232
+
233
+ ---
234
+ **Completed:** Codebase mapping — 4 documents written to `.planning/codebase/` (STACK.md, ARCHITECTURE.md, CONVENTIONS.md, CONCERNS.md).
235
+
236
236
  **Brownfield routing summary:** Synthesize this directly from the 4 generated documents before recommending the next workflow.
237
237
  - Safest next change lane — which module or surface looks cheapest and safest to modify first
238
238
  - Highest-risk zones — areas to avoid or isolate unless the task explicitly needs them
@@ -244,21 +244,21 @@ Use only the 4 generated documents for this synthesis. Do NOT create a fifth per
244
244
  **Next step:** Choose based on what you need:
245
245
  - `/gsdd-new-project` — full project initialization (spec, roadmap, phased delivery), especially when you intentionally want to widen beyond the current bounded brownfield lane
246
246
  - `/gsdd-quick` — bounded brownfield feature work without full ceremony (bug fixes, small features, one-off tasks)
247
-
248
- Also available:
249
- - `/gsdd-map-codebase` — re-map if results need refinement
250
- - Review specific file: read `.planning/codebase/STACK.md`
251
-
252
- Consider clearing context before starting the next workflow for best results.
253
- ---
254
- </completion>
255
-
256
- <success_criteria>
257
- - `.planning/codebase/` directory exists with 4 documents
258
- - All selected mapper delegates were spawned (parallel or sequential per config)
259
- - Delegates wrote documents directly (orchestrator did not receive document contents)
260
- - Security scan completed -- no secrets in generated documents
261
- - Documents committed only if `commitDocs: true`; local-only mode valid if `commitDocs: false`
262
- - User presented with clear completion summary and next steps
263
- - No references to non-existent commands or workflows
264
- </success_criteria>
247
+
248
+ Also available:
249
+ - `/gsdd-map-codebase` — re-map if results need refinement
250
+ - Review specific file: read `.planning/codebase/STACK.md`
251
+
252
+ Consider clearing context before starting the next workflow for best results.
253
+ ---
254
+ </completion>
255
+
256
+ <success_criteria>
257
+ - `.planning/codebase/` directory exists with 4 documents
258
+ - All selected mapper delegates were spawned (parallel or sequential per config)
259
+ - Delegates wrote documents directly (orchestrator did not receive document contents)
260
+ - Security scan completed -- no secrets in generated documents
261
+ - Documents committed only if `commitDocs: true`; local-only mode valid if `commitDocs: false`
262
+ - User presented with clear completion summary and next steps
263
+ - No references to non-existent commands or workflows
264
+ </success_criteria>