guardian-framework 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (216) hide show
  1. package/LICENSE +21 -0
  2. package/README.md +463 -0
  3. package/dist/cli.js +12958 -0
  4. package/dist/exports.js +12765 -0
  5. package/package.json +61 -0
  6. package/templates/languages/go-patterns.md +411 -0
  7. package/templates/languages/java-patterns.md +545 -0
  8. package/templates/languages/python-patterns.md +312 -0
  9. package/templates/languages/rust-patterns.md +232 -0
  10. package/templates/languages/typescript-patterns.md +313 -0
  11. package/templates/pi/INDEX.md +437 -0
  12. package/templates/pi/agent/AGENTS.md +166 -0
  13. package/templates/pi/agents/architecture-coordinator.md +40 -0
  14. package/templates/pi/agents/architecture-validator.md +36 -0
  15. package/templates/pi/agents/bootstrap-implementer.md +37 -0
  16. package/templates/pi/agents/issue-factory.md +31 -0
  17. package/templates/pi/agents/operations-validator.md +32 -0
  18. package/templates/pi/agents/security-validator.md +33 -0
  19. package/templates/pi/architecture/CHANGELOG.md +78 -0
  20. package/templates/pi/architecture/decisions/ADR-template.md +76 -0
  21. package/templates/pi/architecture/diagrams/system-overview.md +159 -0
  22. package/templates/pi/architecture/modules/module-template.md +152 -0
  23. package/templates/pi/context/checklists.md +91 -0
  24. package/templates/pi/context/domain-workflow.md +180 -0
  25. package/templates/pi/context/output-formats.md +135 -0
  26. package/templates/pi/context/patterns-base.md +47 -0
  27. package/templates/pi/context/patterns.md +38 -0
  28. package/templates/pi/context/project.md +88 -0
  29. package/templates/pi/domain/exploration.md +93 -0
  30. package/templates/pi/domain/ubiquitous-language.md +24 -0
  31. package/templates/pi/extensions/architect-lib/generators.ts +528 -0
  32. package/templates/pi/extensions/architect-lib/helpers.ts +344 -0
  33. package/templates/pi/extensions/architect-lib/types.ts +117 -0
  34. package/templates/pi/extensions/architect.ts +1425 -0
  35. package/templates/pi/extensions/ask-user-question.ts +579 -0
  36. package/templates/pi/extensions/bash-guard.ts +556 -0
  37. package/templates/pi/extensions/config-reload.ts +115 -0
  38. package/templates/pi/extensions/coordinator.ts +304 -0
  39. package/templates/pi/extensions/curator.ts +543 -0
  40. package/templates/pi/extensions/domain-explorer.ts +990 -0
  41. package/templates/pi/extensions/filechanges.ts +656 -0
  42. package/templates/pi/extensions/goal-loop.ts +717 -0
  43. package/templates/pi/extensions/hooks.ts +452 -0
  44. package/templates/pi/extensions/kanban.ts +547 -0
  45. package/templates/pi/extensions/pipeline.ts +1246 -0
  46. package/templates/pi/extensions/plan-mode.ts +209 -0
  47. package/templates/pi/extensions/project-scaffolder.ts +284 -0
  48. package/templates/pi/extensions/read-only-mode.ts +192 -0
  49. package/templates/pi/extensions/redaction.ts +128 -0
  50. package/templates/pi/extensions/session-persistence.ts +174 -0
  51. package/templates/pi/extensions/slash-commands.ts +229 -0
  52. package/templates/pi/extensions/snippets.ts +201 -0
  53. package/templates/pi/extensions/validation-runner.ts +100 -0
  54. package/templates/pi/github/agents/architecture-coordinator.agent.md +27 -0
  55. package/templates/pi/github/agents/architecture-validator.agent.md +20 -0
  56. package/templates/pi/github/agents/bootstrap-implementer.agent.md +20 -0
  57. package/templates/pi/github/agents/epic-planner.agent.md +70 -0
  58. package/templates/pi/github/agents/issue-factory.agent.md +20 -0
  59. package/templates/pi/github/agents/operations-validator.agent.md +20 -0
  60. package/templates/pi/github/agents/security-validator.agent.md +20 -0
  61. package/templates/pi/github/copilot/settings.json +16 -0
  62. package/templates/pi/github/copilot-instructions.md +155 -0
  63. package/templates/pi/github/instructions/architecture.instructions.md +71 -0
  64. package/templates/pi/github/instructions/validation.instructions.md +69 -0
  65. package/templates/pi/github/workflows/01-planning-workflow.md +75 -0
  66. package/templates/pi/github/workflows/02-issue-generation-workflow.md +69 -0
  67. package/templates/pi/github/workflows/03-implementation-workflow.md +80 -0
  68. package/templates/pi/github/workflows/04-validation-workflow.md +68 -0
  69. package/templates/pi/preflight_report.json +99 -0
  70. package/templates/pi/prompts/blueprint-update.md +262 -0
  71. package/templates/pi/prompts/blueprint-validate.md +218 -0
  72. package/templates/pi/prompts/bug-fix.md +50 -0
  73. package/templates/pi/prompts/ci-blueprint.md +131 -0
  74. package/templates/pi/prompts/context-refresh.md +258 -0
  75. package/templates/pi/prompts/epic-plan.md +356 -0
  76. package/templates/pi/prompts/epic-template.md +186 -0
  77. package/templates/pi/prompts/feature-development.md +131 -0
  78. package/templates/pi/prompts/git-issues.md +243 -0
  79. package/templates/pi/prompts/hotfix.md +71 -0
  80. package/templates/pi/prompts/issue-closeout.md +342 -0
  81. package/templates/pi/prompts/issue-draft.md +218 -0
  82. package/templates/pi/prompts/issue-implementation-series.md +173 -0
  83. package/templates/pi/prompts/issue-merge.md +372 -0
  84. package/templates/pi/prompts/issue-template-set.md +392 -0
  85. package/templates/pi/prompts/issue-template.md +207 -0
  86. package/templates/pi/prompts/pattern-extract.md +269 -0
  87. package/templates/pi/prompts/plan-to-issues.md +430 -0
  88. package/templates/pi/prompts/refactoring.md +82 -0
  89. package/templates/pi/prompts/scope-analyzer.md +254 -0
  90. package/templates/pi/prompts/sync-check.md +230 -0
  91. package/templates/pi/scripts/categorize-issues.sh +171 -0
  92. package/templates/pi/scripts/ci/check_architecture_conformance.sh +748 -0
  93. package/templates/pi/scripts/ci/check_planning_packet.py +228 -0
  94. package/templates/pi/scripts/ci/run_hardening_stages.sh +264 -0
  95. package/templates/pi/scripts/ci/run_preflight.sh +649 -0
  96. package/templates/pi/scripts/ci/run_stage.sh +193 -0
  97. package/templates/pi/scripts/ci/stage_docs_policy.sh +82 -0
  98. package/templates/pi/scripts/ci/stage_integration.sh +3 -0
  99. package/templates/pi/scripts/ci/stage_lint.sh +130 -0
  100. package/templates/pi/scripts/ci/stage_migration_verify.sh +3 -0
  101. package/templates/pi/scripts/ci/stage_package_build.sh +3 -0
  102. package/templates/pi/scripts/ci/stage_release_readiness.sh +3 -0
  103. package/templates/pi/scripts/ci/stage_remaining.sh +242 -0
  104. package/templates/pi/scripts/ci/stage_security.sh +3 -0
  105. package/templates/pi/scripts/ci/stage_static_analysis.sh +114 -0
  106. package/templates/pi/scripts/ci/stage_unit.sh +119 -0
  107. package/templates/pi/scripts/ci/validate_agent_output.py +181 -0
  108. package/templates/pi/scripts/ci/validate_agent_output.sh +243 -0
  109. package/templates/pi/scripts/create-feature-branch.sh +136 -0
  110. package/templates/pi/scripts/create-mr.sh +117 -0
  111. package/templates/pi/scripts/fetch-issues.sh +131 -0
  112. package/templates/pi/scripts/generate-architecture.sh +161 -0
  113. package/templates/pi/scripts/git/close-epic.sh +69 -0
  114. package/templates/pi/scripts/git/close-issue.sh +35 -0
  115. package/templates/pi/scripts/git/create-tracking-issue.sh +174 -0
  116. package/templates/pi/scripts/git/link-issue-to-epic.sh +51 -0
  117. package/templates/pi/scripts/git/update-tracking-issue.sh +66 -0
  118. package/templates/pi/scripts/languages/go/validate-architecture.sh +139 -0
  119. package/templates/pi/scripts/languages/go/validate-canonical.sh +129 -0
  120. package/templates/pi/scripts/languages/go/validate-ci.sh +132 -0
  121. package/templates/pi/scripts/languages/go/validate-integration.sh +156 -0
  122. package/templates/pi/scripts/languages/go/validate-operations.sh +146 -0
  123. package/templates/pi/scripts/languages/go/validate-security.sh +135 -0
  124. package/templates/pi/scripts/languages/go/validate-tests.sh +125 -0
  125. package/templates/pi/scripts/languages/java/validate-annotations.sh +185 -0
  126. package/templates/pi/scripts/languages/java/validate-architecture.sh +159 -0
  127. package/templates/pi/scripts/languages/java/validate-canonical.sh +114 -0
  128. package/templates/pi/scripts/languages/java/validate-ci.sh +269 -0
  129. package/templates/pi/scripts/languages/java/validate-integration.sh +149 -0
  130. package/templates/pi/scripts/languages/java/validate-operations.sh +142 -0
  131. package/templates/pi/scripts/languages/java/validate-security.sh +174 -0
  132. package/templates/pi/scripts/languages/java/validate-spring-architecture.sh +227 -0
  133. package/templates/pi/scripts/languages/java/validate-tests.sh +159 -0
  134. package/templates/pi/scripts/languages/python/validate-architecture.sh +99 -0
  135. package/templates/pi/scripts/languages/python/validate-canonical.sh +124 -0
  136. package/templates/pi/scripts/languages/python/validate-ci.sh +130 -0
  137. package/templates/pi/scripts/languages/python/validate-integration.sh +119 -0
  138. package/templates/pi/scripts/languages/python/validate-operations.sh +107 -0
  139. package/templates/pi/scripts/languages/python/validate-security.sh +68 -0
  140. package/templates/pi/scripts/languages/python/validate-tests.sh +102 -0
  141. package/templates/pi/scripts/languages/rust/validate-architecture.sh +188 -0
  142. package/templates/pi/scripts/languages/rust/validate-canonical.sh +146 -0
  143. package/templates/pi/scripts/languages/rust/validate-ci.sh +147 -0
  144. package/templates/pi/scripts/languages/rust/validate-integration.sh +149 -0
  145. package/templates/pi/scripts/languages/rust/validate-operations.sh +154 -0
  146. package/templates/pi/scripts/languages/rust/validate-security.sh +153 -0
  147. package/templates/pi/scripts/languages/rust/validate-tests.sh +150 -0
  148. package/templates/pi/scripts/languages/typescript/validate-architecture.sh +157 -0
  149. package/templates/pi/scripts/languages/typescript/validate-canonical.sh +135 -0
  150. package/templates/pi/scripts/languages/typescript/validate-ci.sh +244 -0
  151. package/templates/pi/scripts/languages/typescript/validate-integration.sh +166 -0
  152. package/templates/pi/scripts/languages/typescript/validate-operations.sh +162 -0
  153. package/templates/pi/scripts/languages/typescript/validate-security.sh +169 -0
  154. package/templates/pi/scripts/languages/typescript/validate-tests.sh +158 -0
  155. package/templates/pi/scripts/merge-mr.sh +95 -0
  156. package/templates/pi/scripts/mr-validation.sh +228 -0
  157. package/templates/pi/scripts/validate-architecture-readiness.sh +153 -0
  158. package/templates/pi/scripts/validate-architecture.sh +22 -0
  159. package/templates/pi/scripts/validate-canonical.sh +22 -0
  160. package/templates/pi/scripts/validate-ci.sh +37 -0
  161. package/templates/pi/scripts/validate-integration.sh +22 -0
  162. package/templates/pi/scripts/validate-operations.sh +22 -0
  163. package/templates/pi/scripts/validate-security.sh +22 -0
  164. package/templates/pi/scripts/validate-tests.sh +22 -0
  165. package/templates/pi/scripts/validate-ubiquitous-language.sh +291 -0
  166. package/templates/pi/scripts/validation-cache.sh +139 -0
  167. package/templates/pi/skills/agents/architecture-coordinator.md +178 -0
  168. package/templates/pi/skills/agents/architecture-generator.md +79 -0
  169. package/templates/pi/skills/agents/architecture-validator.md +74 -0
  170. package/templates/pi/skills/agents/ci-mr-validator.md +46 -0
  171. package/templates/pi/skills/agents/code-developer.md +76 -0
  172. package/templates/pi/skills/agents/commit.md +46 -0
  173. package/templates/pi/skills/agents/curator.md +71 -0
  174. package/templates/pi/skills/agents/debug.md +59 -0
  175. package/templates/pi/skills/agents/documentation-maintainer.md +36 -0
  176. package/templates/pi/skills/agents/goal-loop.md +125 -0
  177. package/templates/pi/skills/agents/hooks.md +122 -0
  178. package/templates/pi/skills/agents/integration-validator.md +35 -0
  179. package/templates/pi/skills/agents/issue-creator.md +75 -0
  180. package/templates/pi/skills/agents/issue-factory.md +143 -0
  181. package/templates/pi/skills/agents/kanban.md +85 -0
  182. package/templates/pi/skills/agents/land.md +59 -0
  183. package/templates/pi/skills/agents/operations-validator.md +43 -0
  184. package/templates/pi/skills/agents/pipeline.md +113 -0
  185. package/templates/pi/skills/agents/plan-mode.md +77 -0
  186. package/templates/pi/skills/agents/pull.md +40 -0
  187. package/templates/pi/skills/agents/push.md +41 -0
  188. package/templates/pi/skills/agents/security-validator.md +85 -0
  189. package/templates/pi/skills/agents/session-persistence.md +119 -0
  190. package/templates/pi/skills/agents/slash-commands.md +117 -0
  191. package/templates/pi/skills/agents/snippets.md +99 -0
  192. package/templates/pi/skills/agents/subagent-registry.md +78 -0
  193. package/templates/pi/skills/agents/test-validator.md +42 -0
  194. package/templates/pi/skills/validators/architecture-validator.md +43 -0
  195. package/templates/pi/skills/validators/ci-validator.md +27 -0
  196. package/templates/pi/skills/validators/context-compaction.md +73 -0
  197. package/templates/pi/skills/validators/integration-validator.md +38 -0
  198. package/templates/pi/skills/validators/model-registry.md +96 -0
  199. package/templates/pi/skills/validators/operations-validator.md +34 -0
  200. package/templates/pi/skills/validators/security-guards.md +72 -0
  201. package/templates/pi/skills/validators/security-validator.md +41 -0
  202. package/templates/pi/skills/validators/system-prompt-tiers.md +69 -0
  203. package/templates/pi/skills/validators/test-validator.md +33 -0
  204. package/templates/pi/types.ts +62 -0
  205. package/templates/pi/validators/README.md +93 -0
  206. package/templates/pi/validators/default.toml +209 -0
  207. package/templates/pi/validators/spring.toml +142 -0
  208. package/templates/pi/workpad.md +53 -0
  209. package/templates/project/java/Dockerfile +14 -0
  210. package/templates/project/java/README.md +40 -0
  211. package/templates/project/java/pom.xml +132 -0
  212. package/templates/project/typescript/Dockerfile +15 -0
  213. package/templates/project/typescript/README.md +29 -0
  214. package/templates/project/typescript/package.json +23 -0
  215. package/templates/project/typescript/tsconfig.json +21 -0
  216. package/templates/workflow.md +123 -0
@@ -0,0 +1,85 @@
1
+ ---
2
+ name: security-validator
3
+ description: Security review skill. Scans code for injection, auth bypass, secret leakage, unsafe deserialization, weak crypto.
4
+ model: inherit
5
+ tools: [Read, Grep, Glob, Bash]
6
+ ---
7
+
8
+ # Security Validator
9
+
10
+ Audits code and configuration for security risks.
11
+
12
+ ## Scope
13
+
14
+ Scan for the following categories:
15
+
16
+ ### 1. Injection Vulnerabilities
17
+ - **SQL injection:** String concatenation in queries, parameterized queries missing
18
+ - **Shell injection:** User input in `exec()`, `system()`, backticks, `${}` without quoting
19
+ - **Path traversal:** `..` in file paths, symlink following, missing path canonicalization
20
+ - **Template injection:** Unescaped user input in HTML/JS templates
21
+
22
+ ### 2. Authentication / Authorization
23
+ - Missing auth checks on sensitive endpoints
24
+ - Hardcoded credentials or API keys
25
+ - Weak password requirements
26
+ - Missing CSRF protection
27
+ - Broken access control (IDOR)
28
+
29
+ ### 3. Secret Leakage
30
+ - Secrets in source code (`.env` files, config files, comments)
31
+ - API keys in client-side code
32
+ - Private keys, certificates in repo
33
+ - Debug/logging of sensitive data (tokens, passwords, PII)
34
+
35
+ ### 4. Unsafe Operations
36
+ - Unsafe deserialization (eval, pickle, yaml.load, JSON.parse with reviver)
37
+ - Weak cryptographic algorithms (MD5, SHA1, DES, ECB mode)
38
+ - Missing certificate validation (TLS skip verify)
39
+ - Insecure random number generation
40
+
41
+ ### 5. Data Handling
42
+ - Missing input validation at trust boundaries
43
+ - XSS via unescaped output
44
+ - Missing Content-Security-Policy headers
45
+ - Sensitive data in URLs or logs
46
+
47
+ ## Tool Restrictions
48
+
49
+ This validator operates in **read-only** mode. It may:
50
+ - Read files
51
+ - Grep for patterns
52
+ - List directories
53
+ - Run non-mutating commands (e.g., `npm audit`, `cargo audit`)
54
+
55
+ It must NOT:
56
+ - Write or modify files
57
+ - Execute destructive commands
58
+ - Spawn subagents
59
+
60
+ ## Output Format
61
+
62
+ For each finding, report:
63
+
64
+ ```
65
+ [CRITICAL/HIGH/MEDIUM/LOW] file:line — issue → recommended fix
66
+ ```
67
+
68
+ Example:
69
+ ```
70
+ [CRITICAL] src/auth.ts:42 — hardcoded JWT secret → move to environment variable or secrets manager
71
+ [HIGH] src/api/users.rs:118 — SQL injection via string concat → use parameterized query
72
+ [MEDIUM] config/deploy.yml:7 — AWS key in plaintext → use IAM roles or vault
73
+ [LOW] src/logger.ts:33 — logging request headers (may contain tokens) → redact Authorization header
74
+ ```
75
+
76
+ If no issues are found, report: **"No security issues found."**
77
+
78
+ ## Priority Rules
79
+
80
+ - **CRITICAL:** Exploitable now, affects production
81
+ - **HIGH:** Exploitable with effort, likely in production
82
+ - **MEDIUM:** Defense-in-depth weakness, may be exploitable
83
+ - **LOW:** Best practice violation, unlikely to be directly exploitable
84
+
85
+ Do NOT report style/formatting issues. Do NOT propose unrelated cleanups.
@@ -0,0 +1,119 @@
1
+ ---
2
+ name: session-persistence
3
+ description: Structured session lifecycle with lazy-loaded message history, auto-derived titles, and per-session state isolation.
4
+ model: inherit
5
+ tools: [Read]
6
+ ---
7
+
8
+ # Session Persistence
9
+
10
+ Sessions provide structured conversation lifecycle with lazy loading, auto-titling, and per-session state isolation.
11
+
12
+ ## Session Storage Format
13
+
14
+ ```json
15
+ {
16
+ "sessions": [
17
+ {
18
+ "id": "s-1a2b3c-x7y8z9",
19
+ "title": "Fix auth token refresh bug",
20
+ "createdAt": 1714000000000,
21
+ "updatedAt": 1714003600000
22
+ }
23
+ ],
24
+ "activeId": "s-1a2b3c-x7y8z9"
25
+ }
26
+ ```
27
+
28
+ ### Per-Session Messages
29
+
30
+ Messages stored under key `messages:{sessionId}`:
31
+ ```json
32
+ {
33
+ "messages:s-1a2b3c-x7y8z9": [
34
+ { "role": "user", "parts": [...] },
35
+ { "role": "assistant", "parts": [...] }
36
+ ]
37
+ }
38
+ ```
39
+
40
+ ## Session ID Format
41
+
42
+ ```
43
+ s-{timestamp-base36}-{random-base36}
44
+ ```
45
+
46
+ Example: `s-m5x7k2-a3b9c1`
47
+
48
+ ## Auto-Derived Titles
49
+
50
+ Title is derived from the **first user message**, stripped of:
51
+ - Terminal context blocks
52
+ - Selection blocks
53
+ - File content blocks
54
+ - Truncated to 40 characters with ellipsis
55
+
56
+ ## Lazy Loading
57
+
58
+ - **Boot:** Load only session list + active ID (single IPC roundtrip)
59
+ - **Open:** Load messages for the opened session on-demand
60
+ - **Memory:** Keep active session messages in a Map; hydrate others on switch
61
+
62
+ ## Per-Session State
63
+
64
+ Each session maintains isolated state:
65
+ - **Todos:** Task list with progress tracking (`todos:{sessionId}`)
66
+ - **Shell session:** Persistent shell with cwd survival
67
+ - **Read cache:** File content cache invalidated per mutation
68
+ - **Agent metadata:** Current step, usage stats, model info
69
+
70
+ ## Session Switching
71
+
72
+ When switching sessions:
73
+ 1. Save current session messages
74
+ 2. Load target session messages from store
75
+ 3. Clear read cache (files may have changed)
76
+ 4. Restore per-session todos
77
+ 5. Update active session ID
78
+
79
+ ## Auto-Save
80
+
81
+ Messages are saved to disk on every assistant turn completion.
82
+ Auto-save interval: 200ms debounce.
83
+
84
+ ## Session Lifecycle
85
+
86
+ ```
87
+ Create → Open → Interact (auto-save) → Switch (save + load) → ... → Delete
88
+ ```
89
+
90
+ ## Storage Keys
91
+
92
+ | Key | Content |
93
+ |-----|---------|
94
+ | `sessions` | Array of SessionMeta |
95
+ | `activeId` | Current session ID |
96
+ | `messages:{id}` | Message array for session |
97
+ | `todos:{id}` | Todo array for session |
98
+
99
+ ## Title Derivation Algorithm
100
+
101
+ ```typescript
102
+ function deriveTitle(messages): string {
103
+ for (const m of messages) {
104
+ if (m.role !== "user") continue;
105
+ const text = m.parts
106
+ .filter(p => p.type === "text")
107
+ .map(p => p.text)
108
+ .join(" ")
109
+ .replace(/<terminal-context[\s\S]*?<\/terminal-context>/g, "")
110
+ .replace(/<selection[\s\S]*?<\/selection>/g, "")
111
+ .replace(/<file[\s\S]*?<\/file>/g, "")
112
+ .trim();
113
+ if (!text) continue;
114
+ const first = text.split("\n")[0].trim();
115
+ return first.length > 40 ? `${first.slice(0, 40)}…` : first;
116
+ }
117
+ return "New chat";
118
+ }
119
+ ```
@@ -0,0 +1,117 @@
1
+ ---
2
+ name: slash-commands
3
+ description: Slash command interception system for plan mode, workspace initialization, and prompt template injection.
4
+ model: inherit
5
+ tools: [Read]
6
+ ---
7
+
8
+ # Slash Commands
9
+
10
+ Slash commands intercept user input starting with `/` (or `#` for snippet references) and transform them into structured actions before sending to the agent.
11
+
12
+ ## Command Outcomes
13
+
14
+ | Outcome | Behavior |
15
+ |---------|----------|
16
+ | `handled` | Command ran; do NOT send a chat message |
17
+ | `send-prompt` | Replace user text with a template prompt, then send |
18
+ | `none` | Not a slash command; send as normal chat message |
19
+
20
+ ## Built-in Commands
21
+
22
+ ### /init — Initialize Workspace
23
+
24
+ **Outcome:** `send-prompt`
25
+
26
+ Sends a workspace scanning prompt that instructs the agent to:
27
+ 1. Explore the codebase structure
28
+ 2. Read key files (package.json, Cargo.toml, etc.)
29
+ 3. Identify build/test/lint commands
30
+ 4. Produce `TERAX.md` / project memory file at workspace root
31
+
32
+ **Prompt Template:**
33
+ ```
34
+ Scan this workspace and produce a project memory file with:
35
+ - One-paragraph project description
36
+ - Build / test / dev commands
37
+ - Architecture overview (subsystems, data flow, key dirs)
38
+ - Conventions worth knowing
39
+ - Paths to entry points
40
+ Cap under 200 lines.
41
+ ```
42
+
43
+ ### /plan — Plan Mode Toggle
44
+
45
+ **Outcome:** `handled`
46
+
47
+ Toggles plan mode on/off:
48
+ - `/plan` or `/plan on` → Enable plan mode
49
+ - `/plan off` or `/plan exit` → Disable plan mode
50
+
51
+ ### /validate — Run Validators
52
+
53
+ **Outcome:** `send-prompt`
54
+
55
+ Sends a validation prompt instructing the agent to run all configured validators.
56
+
57
+ ### /scope — Classify Task Scope
58
+
59
+ **Outcome:** `send-prompt`
60
+
61
+ Sends a scope classification prompt to determine required validators.
62
+
63
+ ## Command Format
64
+
65
+ ```
66
+ /<command> [arguments]
67
+
68
+ Examples:
69
+ /plan on
70
+ /plan off
71
+ /init
72
+ /validate all
73
+ /scope implement auth module with OAuth2
74
+ ```
75
+
76
+ ## Command Marker Protocol
77
+
78
+ Commands are wrapped in XML markers for agent processing:
79
+
80
+ ```xml
81
+ <terax-command name="init" />
82
+
83
+ [expanded prompt follows]
84
+ ```
85
+
86
+ This allows the agent to recognize the command context in the conversation.
87
+
88
+ ## Extending Commands
89
+
90
+ Add new commands by registering in the command registry:
91
+
92
+ ```typescript
93
+ interface SlashCommand {
94
+ name: string; // Command name
95
+ invocation: string; // "/command"
96
+ label: string; // Display label
97
+ icon: IconComponent; // UI icon
98
+ handler: (args: string) => SlashOutcome;
99
+ }
100
+ ```
101
+
102
+ ## Snippet References (#handle)
103
+
104
+ Input starting with `#` that matches a known snippet handle is treated as a snippet expansion:
105
+
106
+ ```
107
+ #security-review — check the auth module
108
+ ```
109
+
110
+ Expands to:
111
+ ```
112
+ <snippet name="security-review">
113
+ [security review instructions]
114
+ </snippet>
115
+
116
+ check the auth module
117
+ ```
@@ -0,0 +1,99 @@
1
+ ---
2
+ name: snippets
3
+ description: Reusable prompt fragments injected via #handle tokens. Compressed skill loading for on-demand context injection without full file reads.
4
+ model: inherit
5
+ tools: [Read]
6
+ ---
7
+
8
+ # Snippets System
9
+
10
+ Snippets are reusable prompt fragments referenced by `#handle` tokens in chat. When the agent (or user) types `#handle`, the snippet body is expanded into an XML block and prepended to the message.
11
+
12
+ ## Handle Format
13
+
14
+ - **Syntax:** `#handle` — lowercase alphanumeric with hyphens
15
+ - **Pattern:** `^[a-z0-9][a-z0-9-]*$`
16
+ - **Examples:** `#security-review`, `#rust-error-handling`, `#api-conventions`
17
+
18
+ ## Expansion
19
+
20
+ `#handle` tokens are replaced with:
21
+
22
+ ```xml
23
+ <snippet name="handle">
24
+ [snippet content]
25
+ </snippet>
26
+ ```
27
+
28
+ Multiple handles expand to multiple `<snippet>` blocks, prepended to the user message. Unknown handles are left as-is (no error).
29
+
30
+ ## Snippet Structure
31
+
32
+ ```typescript
33
+ interface Snippet {
34
+ id: string; // Unique ID: sn-{timestamp}-{random}
35
+ handle: string; // The #handle used to reference it
36
+ name: string; // Human-readable name
37
+ description: string; // One-line description shown in autocomplete
38
+ content: string; // The snippet body (injected as XML)
39
+ }
40
+ ```
41
+
42
+ ## Use Cases
43
+
44
+ ### 1. Skill Quick-Load
45
+
46
+ Instead of loading a full skill file, reference a snippet:
47
+
48
+ ```
49
+ #security-review — check the auth module for vulnerabilities
50
+ ```
51
+
52
+ ### 2. Code Patterns
53
+
54
+ ```
55
+ #rust-result-types — use Result<T, E> with thiserror, never unwrap()
56
+ ```
57
+
58
+ ### 3. Project Conventions
59
+
60
+ ```
61
+ #naming-conventions — use snake_case for functions, PascalCase for types
62
+ ```
63
+
64
+ ### 4. Common Instructions
65
+
66
+ ```
67
+ #no-comments — don't add comments unless the WHY is non-obvious
68
+ ```
69
+
70
+ ## Token Efficiency
71
+
72
+ | Approach | Tokens |
73
+ |----------|--------|
74
+ | Load full skill file | 500–2000 tokens |
75
+ | Reference snippet | 50–300 tokens |
76
+ | **Savings** | **70–90% reduction** |
77
+
78
+ ## Snippet Categories
79
+
80
+ | Category | Handles | Purpose |
81
+ |----------|---------|---------|
82
+ | Security | `#security-review`, `#threat-model` | Security-specific instructions |
83
+ | Patterns | `#rust-errors`, `#ts-strict`, `#go-interfaces` | Language-specific patterns |
84
+ | Conventions | `#naming`, `#no-comments`, `#dry` | Project-wide conventions |
85
+ | Workflow | `#test-first`, `#commit-clean`, `#pr-body` | Process instructions |
86
+ | Quality | `#no-unwrap`, `#validate-input`, `#handle-errors` | Quality gates |
87
+
88
+ ## Persistence
89
+
90
+ Snippets are persisted in `.pi/snippets.json` (JSON array) in the workspace root. They survive sessions and can be managed via `/snippet` commands.
91
+
92
+ ## Slash Commands
93
+
94
+ | Command | Action |
95
+ |---------|--------|
96
+ | `/snippet list` | List all snippets with handles and descriptions |
97
+ | `/snippet add <handle>` | Create a new snippet interactively |
98
+ | `/snippet remove <handle>` | Delete a snippet |
99
+ | `/snippet edit <handle>` | Edit snippet content |
@@ -0,0 +1,78 @@
1
+ ---
2
+ name: subagent-registry
3
+ description: Delegates isolated investigations to scoped subagents with restricted tool access. Supports leaf and orchestrator roles for nested delegation.
4
+ model: inherit
5
+ tools: [Read, Grep, Glob, Bash]
6
+ ---
7
+
8
+ # Subagent Registry
9
+
10
+ Spawn subagents for self-contained investigations without polluting your context. Each subagent has a **restricted tool whitelist**, a **fresh message history**, and a **role** that controls whether it can delegate further.
11
+
12
+ ## Delegation Roles
13
+
14
+ | Role | Can Delegate? | Use Case |
15
+ |------|--------------|----------|
16
+ | `leaf` (default) | No | Single-task investigations, code review, security audit |
17
+ | `orchestrator` | Yes (bounded by `max_spawn_depth`) | Multi-stage workflows: research → synthesis, parallel decomposition |
18
+
19
+ ### Role Rules
20
+ - **`leaf`** (default): Cannot spawn subagents. Identical to original flat-delegation behavior.
21
+ - **`orchestrator`**: Can delegate to leaf children. Gated by `delegation.max_spawn_depth` (default 1 = flat, so orchestrator is a no-op at defaults). Raise to 2 to allow orchestrator children to spawn leaf grandchildren.
22
+ - **Cost warning**: With `max_spawn_depth: 3` and `max_concurrent_children: 3`, the tree can reach 27 concurrent leaf agents. Each extra level multiplies spend.
23
+
24
+ ## Subagent Types
25
+
26
+ ### explore
27
+ - **Tools:** read_file, list_directory, grep, glob (read-only)
28
+ - **Purpose:** Locate files, trace references, summarize architecture
29
+ - **Max steps:** 12
30
+ - **Returns:** Concise summary with file paths, key findings, line numbers
31
+
32
+ ### code-review
33
+ - **Tools:** read_file, list_directory, grep, glob (read-only)
34
+ - **Purpose:** Review code for correctness, architecture, performance
35
+ - **Max steps:** 12
36
+ - **Returns:** ACTIONABLE findings formatted as "[MUST/SHOULD/NIT] file:line — issue → fix"
37
+
38
+ ### security-review
39
+ - **Tools:** read_file, list_directory, grep, glob (read-only)
40
+ - **Purpose:** Audit for injection, auth bypass, secret leakage, unsafe deserialization
41
+ - **Max steps:** 12
42
+ - **Returns:** Concrete findings with file:line and severity
43
+
44
+ ### general-research
45
+ - **Tools:** read_file, list_directory, grep, glob (read-only)
46
+ - **Purpose:** General-purpose multi-step research across many files
47
+ - **Max steps:** 12
48
+ - **Returns:** Tight summary with evidence (paths, line numbers)
49
+
50
+ ## Delegation Rules
51
+
52
+ 1. **Use subagents for:** Large codebase exploration, multi-file code review, security audits, research spanning ≥3 files
53
+ 2. **Do NOT use subagents for:** Single-file edits, trivial lookups, commands you can run yourself
54
+ 3. **Include all context:** Subagents have NO memory of your conversation — include file paths, relevant context, and the exact question in the prompt
55
+ 4. **Pick the right type:** Match subagent type to the job — don't use general-research when explore suffices
56
+
57
+ ## Anti-Recursion
58
+
59
+ By default (`max_spawn_depth: 1`), subagents CANNOT spawn subagents. If a subagent needs to delegate, it returns its findings and the parent agent decides whether to spawn another. When `max_spawn_depth` is raised, only `role: orchestrator` subagents can spawn leaf children.
60
+
61
+ ## Tool Scoping
62
+
63
+ Subagents are scoped to **read-only tools only**. They cannot:
64
+ - Write files
65
+ - Run shell commands
66
+ - Create directories
67
+ - Spawn other subagents
68
+
69
+ ## When to Delegate
70
+
71
+ | Situation | Action |
72
+ |-----------|--------|
73
+ | "Where is X defined?" in a large codebase | → explore subagent |
74
+ | "Review this PR's changes" | → code-review subagent |
75
+ | "Check for security issues in auth module" | → security-review subagent |
76
+ | "How does data flow from A to B?" | → general-research subagent |
77
+ | "Read this one file" | → Do it yourself |
78
+ | "Run the tests" | → Do it yourself |
@@ -0,0 +1,42 @@
1
+ ---
2
+ name: test-validator
3
+ description: Validates test coverage and quality. Use post-implementation.
4
+ model: inherit
5
+ tools: [Read, Grep, Glob, Bash]
6
+ ---
7
+
8
+ # Test Validator
9
+
10
+ You validate test coverage and quality.
11
+
12
+ ## Context
13
+ - `.pi/context/project.md` — project knowledge
14
+ - `.pi/context/checklists.md` — test checklist
15
+ - `.pi/context/output-formats.md` — report format
16
+
17
+ ## Checks
18
+
19
+ 1. **All tests pass** — Run full test suite
20
+ 2. **Coverage ≥ 80%** — Run coverage tool
21
+ 3. **New code tested** — Every new function has tests
22
+ 4. **AAA pattern** — Arrange-Act-Assert structure
23
+ 5. **No flaky tests** — Deterministic, no timing dependencies
24
+
25
+ ## Automated (Run via Script)
26
+
27
+ ```bash
28
+ # Run all tests
29
+ [test command]
30
+
31
+ # Coverage
32
+ [coverage command]
33
+
34
+ # Architecture contracts
35
+ [contract test command]
36
+
37
+ # E2E tests
38
+ [e2e test command]
39
+ ```
40
+
41
+ ## Output
42
+ Use format from `.pi/context/output-formats.md` → "Validation Report"
@@ -0,0 +1,43 @@
1
+ # Architecture Validator Skill
2
+
3
+ Validates architecture compliance. Use for plan review and post-code wiring checks.
4
+
5
+ ## When to Run
6
+
7
+ | Phase | Scope | Checks |
8
+ |-------|-------|--------|
9
+ | Plan review | Moderate+ | Design follows patterns, module organization |
10
+ | Post-code | All | Wiring checks only (callers, duplicates, imports) |
11
+
12
+ ## Context Files
13
+
14
+ - `.pi/context/project.md` — scope classification
15
+ - `.pi/context/checklists.md` — architecture checklist
16
+ - `.pi/context/output-formats.md` — report format
17
+
18
+ ## Post-Code Wiring Checks
19
+
20
+ ```bash
21
+ # 1. Callers exist (not dead code)
22
+ grep -r "new_function" [src paths]
23
+
24
+ # 2. No duplicate types
25
+ grep -r "struct TypeName|class TypeName" [src paths]
26
+
27
+ # 3. Module used
28
+ grep -r "import.*module" [src paths]
29
+
30
+ # 4. Tools registered (if applicable)
31
+ grep -r "register" [registry file]
32
+ ```
33
+
34
+ ## Tools
35
+
36
+ - Read: Read files
37
+ - Grep: Search patterns
38
+ - Glob: Find files
39
+ - Bash: Run validation scripts
40
+
41
+ ## Output
42
+
43
+ Use `.pi/context/output-formats.md` → "Validation Report"
@@ -0,0 +1,27 @@
1
+ # CI Validator Skill
2
+
3
+ Automated CI/merge validator. Runs scripts, minimal LLM reasoning.
4
+
5
+ ## Validation
6
+
7
+ Run `.pi/scripts/validate-ci.sh` for:
8
+ - Build success
9
+ - Tests pass
10
+ - Lint passes
11
+ - Format check
12
+ - Security audit
13
+
14
+ ## Enforcement
15
+
16
+ - **All checks must pass** before merge
17
+ - **No partial approvals**
18
+ - Report failures with specific errors
19
+
20
+ ## Tools
21
+
22
+ - Bash: Run all validation scripts
23
+ - Read: Check CI configuration
24
+
25
+ ## Output
26
+
27
+ Script outputs standardized report. No additional LLM processing needed.
@@ -0,0 +1,73 @@
1
+ ---
2
+ name: context-compaction
3
+ description: Strategies for managing context window limits through intelligent elision and compaction.
4
+ model: inherit
5
+ tools: [Read]
6
+ ---
7
+
8
+ # Context Compaction Strategy
9
+
10
+ When conversations grow large, apply these compaction strategies to stay within context limits.
11
+
12
+ ## Budget-Aware Thresholds
13
+
14
+ | Context Usage | Action |
15
+ |---------------|--------|
16
+ | 0–55% | No compaction needed |
17
+ | 55–70% | Elide superseded read results |
18
+ | 70–90% | Elide all old tool results (keep last 24 messages) |
19
+ | 90%+ | Aggressive compaction — summarize early conversation |
20
+
21
+ ## Superseded Read Elision
22
+
23
+ When a file has been **mutated** (edit, write_file, multi_edit) since it was last read, the old read result no longer provides useful context. Replace it with:
24
+
25
+ ```
26
+ [elided to save context — see prior tool call in history]
27
+ ```
28
+
29
+ **Rule:** Track mutation paths from tool calls. If a `read_file` result's path appears in any subsequent mutation tool call input, elide that read result.
30
+
31
+ ## Tail Preservation
32
+
33
+ Never elide the **last 24 messages**. Recent context is always more valuable than distant history. Keep the conversation tail intact at all cost levels.
34
+
35
+ ## System Message Protection
36
+
37
+ **Never** elide system messages. They contain operating principles, tool descriptions, and behavioral instructions that govern every turn.
38
+
39
+ ## Read Cache Invalidation
40
+
41
+ After any mutation to a file:
42
+ 1. Remove the file from your read cache
43
+ 2. Next `read_file` on that path will return fresh content
44
+ 3. If you read the same file twice without intervening edits, the second call returns `{unchanged: true}` — skip re-reading
45
+
46
+ ## Token Budget Rules
47
+
48
+ - `read_file` defaults to first 2000 lines / 25KB — use `offset`/`limit` for large files
49
+ - One focused `grep` beats three `list_directory` calls
50
+ - Don't re-read files you already have in context unless they were modified
51
+ - Before 5+ tool calls in a row, write a one-line plan via `todo_write`
52
+
53
+ ## Compact Format
54
+
55
+ When space is tight, prefer compact tool results:
56
+
57
+ ```
58
+ # Verbose (200 tokens)
59
+ {
60
+ "path": "/src/auth.ts",
61
+ "content": "import { ... } ... [100 lines of code]"
62
+ }
63
+
64
+ # Compact (8 tokens)
65
+ {
66
+ "path": "/src/auth.ts",
67
+ "size": 2456,
68
+ "lines": 120
69
+ }
70
+ ```
71
+
72
+ Use compact format for: file listings, grep summaries, directory trees.
73
+ Use verbose format only when you need the actual content to reason about changes.