haiku-method 2.3.0 → 3.1.0

@@ -3,135 +3,1180 @@ import type { DemoConfig } from "@/lib/demo/types"
3
3
  const P = ".haiku/intents/add-oauth-login"
4
4
 
5
5
  export const config: DemoConfig = {
6
- title: "software",
7
- studio: "software",
8
- stages: ["inception", "design", "product", "development", "operations", "security"],
9
- completionText: "All 6 stages passed. add-oauth-login delivered.",
10
- steps: [
11
- // Step 1: User invokes /haiku:start
12
- { delay: 800, actions: [{ type: "msg", role: "user", label: "you", text: "/haiku:start" }] },
13
- { delay: 1200, actions: [{ type: "typing" }] },
14
- { delay: 1000, actions: [{ type: "removeTyping" }, { type: "msg", role: "agent", label: "agent", text: "What do you want to accomplish?" }] },
15
- { delay: 1500, actions: [{ type: "msg", role: "user", label: "you", text: "Add OAuth login to the app" }] },
6
+ title: "software",
7
+ studio: "software",
8
+ stages: [
9
+ "inception",
10
+ "design",
11
+ "product",
12
+ "development",
13
+ "operations",
14
+ "security",
15
+ ],
16
+ completionText: "All 6 stages passed. add-oauth-login delivered.",
17
+ steps: [
18
+ // Step 1: User invokes /haiku:start
19
+ {
20
+ delay: 800,
21
+ actions: [
22
+ { type: "msg", role: "user", label: "you", text: "/haiku:start" },
23
+ ],
24
+ },
25
+ { delay: 1200, actions: [{ type: "typing" }] },
26
+ {
27
+ delay: 1000,
28
+ actions: [
29
+ { type: "removeTyping" },
30
+ {
31
+ type: "msg",
32
+ role: "agent",
33
+ label: "agent",
34
+ text: "What do you want to accomplish?",
35
+ },
36
+ ],
37
+ },
38
+ {
39
+ delay: 1500,
40
+ actions: [
41
+ {
42
+ type: "msg",
43
+ role: "user",
44
+ label: "you",
45
+ text: "Add OAuth login to the app",
46
+ },
47
+ ],
48
+ },
16
49
 
17
- // Step 2: Intent created
18
- { delay: 800, actions: [{ type: "typing" }] },
19
- { delay: 1200, actions: [{ type: "removeTyping" }, { type: "msg", role: "agent", label: "agent", text: "Creating intent: add-oauth-login..." }, { type: "file", path: `${P}/intent.md` }] },
20
- { delay: 800, actions: [{ type: "msg", role: "system", label: "system", text: "Intent created. Studio: software. 6 stages: inception \u2192 design \u2192 product \u2192 development \u2192 operations \u2192 security" }] },
50
+ // Step 2: Intent created
51
+ { delay: 800, actions: [{ type: "typing" }] },
52
+ {
53
+ delay: 1200,
54
+ actions: [
55
+ { type: "removeTyping" },
56
+ {
57
+ type: "msg",
58
+ role: "agent",
59
+ label: "agent",
60
+ text: "Creating intent: add-oauth-login...",
61
+ },
62
+ { type: "file", path: `${P}/intent.md` },
63
+ ],
64
+ },
65
+ {
66
+ delay: 800,
67
+ actions: [
68
+ {
69
+ type: "msg",
70
+ role: "system",
71
+ label: "system",
72
+ text: "Intent created. Studio: software. 6 stages: inception \u2192 design \u2192 product \u2192 development \u2192 operations \u2192 security",
73
+ },
74
+ ],
75
+ },
21
76
 
22
- // Step 3: Inception - elaborate (collaborative)
23
- { delay: 1000, actions: [{ type: "activateStage", stage: "inception" }, { type: "msg", role: "agent", label: "agent", text: "Entering inception stage. Hat: elaborator." }, { type: "file", path: `${P}/stages/inception/state.json` }] },
24
- { delay: 1200, actions: [{ type: "msg", role: "agent", label: "agent", text: "What OAuth providers do you need to support?" }] },
25
- { delay: 2000, actions: [{ type: "msg", role: "user", label: "you", text: "Google and GitHub. Maybe Apple later." }] },
26
- { delay: 800, actions: [{ type: "typing" }] },
27
- { delay: 1200, actions: [{ type: "removeTyping" }, { type: "msg", role: "agent", label: "agent", text: "I\u2019ll set up the provider abstraction to make adding Apple easy. Here\u2019s the breakdown:" }] },
28
- { delay: 1000, actions: [{ type: "msg", role: "agent", label: "agent", text: "3 units: OAuth provider setup, callback handler, session management" }, { type: "file", path: `${P}/stages/inception/units/unit-01-oauth-provider-setup.md` }, { type: "file", path: `${P}/stages/inception/units/unit-02-callback-handler.md` }, { type: "file", path: `${P}/stages/inception/units/unit-03-session-management.md` }, { type: "card", stage: "inception", name: "oauth-provider-setup", status: "in-progress" }, { type: "card", stage: "inception", name: "callback-handler", status: "" }, { type: "card", stage: "inception", name: "session-management", status: "" }] },
29
- { delay: 2200, actions: [{ type: "msg", role: "user", label: "you", text: "Split the callback into its own unit \u2014 it has complex error handling" }] },
30
- { delay: 800, actions: [{ type: "typing" }] },
31
- { delay: 1000, actions: [{ type: "removeTyping" }, { type: "msg", role: "agent", label: "agent", text: "Good call. Updated to 4 units." }, { type: "file", path: `${P}/stages/inception/units/unit-04-callback-error-handling.md` }, { type: "card", stage: "inception", name: "callback-errors", status: "" }] },
77
+ // Step 3: Inception - elaborate (collaborative)
78
+ {
79
+ delay: 1000,
80
+ actions: [
81
+ { type: "activateStage", stage: "inception" },
82
+ {
83
+ type: "msg",
84
+ role: "agent",
85
+ label: "agent",
86
+ text: "Entering inception stage. Hat: elaborator.",
87
+ },
88
+ { type: "file", path: `${P}/stages/inception/state.json` },
89
+ ],
90
+ },
91
+ {
92
+ delay: 1200,
93
+ actions: [
94
+ {
95
+ type: "msg",
96
+ role: "agent",
97
+ label: "agent",
98
+ text: "What OAuth providers do you need to support?",
99
+ },
100
+ ],
101
+ },
102
+ {
103
+ delay: 2000,
104
+ actions: [
105
+ {
106
+ type: "msg",
107
+ role: "user",
108
+ label: "you",
109
+ text: "Google and GitHub. Maybe Apple later.",
110
+ },
111
+ ],
112
+ },
113
+ { delay: 800, actions: [{ type: "typing" }] },
114
+ {
115
+ delay: 1200,
116
+ actions: [
117
+ { type: "removeTyping" },
118
+ {
119
+ type: "msg",
120
+ role: "agent",
121
+ label: "agent",
122
+ text: "I\u2019ll set up the provider abstraction to make adding Apple easy. Here\u2019s the breakdown:",
123
+ },
124
+ ],
125
+ },
126
+ {
127
+ delay: 1000,
128
+ actions: [
129
+ {
130
+ type: "msg",
131
+ role: "agent",
132
+ label: "agent",
133
+ text: "3 units: OAuth provider setup, callback handler, session management",
134
+ },
135
+ {
136
+ type: "file",
137
+ path: `${P}/stages/inception/units/unit-01-oauth-provider-setup.md`,
138
+ },
139
+ {
140
+ type: "file",
141
+ path: `${P}/stages/inception/units/unit-02-callback-handler.md`,
142
+ },
143
+ {
144
+ type: "file",
145
+ path: `${P}/stages/inception/units/unit-03-session-management.md`,
146
+ },
147
+ {
148
+ type: "card",
149
+ stage: "inception",
150
+ name: "oauth-provider-setup",
151
+ status: "in-progress",
152
+ },
153
+ {
154
+ type: "card",
155
+ stage: "inception",
156
+ name: "callback-handler",
157
+ status: "",
158
+ },
159
+ {
160
+ type: "card",
161
+ stage: "inception",
162
+ name: "session-management",
163
+ status: "",
164
+ },
165
+ ],
166
+ },
167
+ {
168
+ delay: 2200,
169
+ actions: [
170
+ {
171
+ type: "msg",
172
+ role: "user",
173
+ label: "you",
174
+ text: "Split the callback into its own unit \u2014 it has complex error handling",
175
+ },
176
+ ],
177
+ },
178
+ { delay: 800, actions: [{ type: "typing" }] },
179
+ {
180
+ delay: 1000,
181
+ actions: [
182
+ { type: "removeTyping" },
183
+ {
184
+ type: "msg",
185
+ role: "agent",
186
+ label: "agent",
187
+ text: "Good call. Updated to 4 units.",
188
+ },
189
+ {
190
+ type: "file",
191
+ path: `${P}/stages/inception/units/unit-04-callback-error-handling.md`,
192
+ },
193
+ {
194
+ type: "card",
195
+ stage: "inception",
196
+ name: "callback-errors",
197
+ status: "",
198
+ },
199
+ ],
200
+ },
32
201
 
33
- // Step 4: Inception - execute
34
- { delay: 800, actions: [{ type: "msg", role: "agent", label: "agent", text: "Hat: researcher. Starting OAuth provider setup \u2014 mapping provider abstraction layer..." }] },
35
- { delay: 600, actions: [{ type: "fastForward", seconds: "30" }] },
36
- { delay: 2000, actions: [{ type: "removeFastForward" }, { type: "msg", role: "agent", label: "agent", text: "Provider setup complete. Abstraction layer supports Google and GitHub with a clean interface for adding Apple later." }, { type: "file", path: `${P}/knowledge/DISCOVERY.md` }, { type: "updateCard", stage: "inception", name: "oauth-provider-setup", status: "completed" }, { type: "updateCard", stage: "inception", name: "callback-handler", status: "in-progress" }] },
37
- { delay: 500, actions: [{ type: "fastForward", seconds: "25" }] },
38
- { delay: 1500, actions: [{ type: "removeFastForward" }, { type: "msg", role: "agent", label: "agent", text: "Callback handler analysis done. Google uses server-side code exchange, GitHub\u2019s token endpoint differs. Both mapped." }, { type: "updateCard", stage: "inception", name: "callback-handler", status: "completed" }, { type: "updateCard", stage: "inception", name: "session-management", status: "in-progress" }] },
39
- { delay: 500, actions: [{ type: "fastForward", seconds: "20" }] },
40
- { delay: 1200, actions: [{ type: "removeFastForward" }, { type: "updateCard", stage: "inception", name: "session-management", status: "completed" }, { type: "updateCard", stage: "inception", name: "callback-errors", status: "in-progress" }] },
41
- { delay: 500, actions: [{ type: "fastForward", seconds: "20" }] },
42
- { delay: 1200, actions: [{ type: "removeFastForward" }, { type: "msg", role: "agent", label: "agent", text: "All 4 units complete. Callback error handling confirmed your instinct \u2014 the two providers need separate error paths due to different failure modes." }, { type: "updateCard", stage: "inception", name: "callback-errors", status: "completed" }] },
202
+ // Step 4: Inception - execute
203
+ {
204
+ delay: 800,
205
+ actions: [
206
+ {
207
+ type: "msg",
208
+ role: "agent",
209
+ label: "agent",
210
+ text: "Hat: researcher. Starting OAuth provider setup \u2014 mapping provider abstraction layer...",
211
+ },
212
+ ],
213
+ },
214
+ { delay: 600, actions: [{ type: "fastForward", seconds: "30" }] },
215
+ {
216
+ delay: 2000,
217
+ actions: [
218
+ { type: "removeFastForward" },
219
+ {
220
+ type: "msg",
221
+ role: "agent",
222
+ label: "agent",
223
+ text: "Provider setup complete. Abstraction layer supports Google and GitHub with a clean interface for adding Apple later.",
224
+ },
225
+ { type: "file", path: `${P}/knowledge/DISCOVERY.md` },
226
+ {
227
+ type: "updateCard",
228
+ stage: "inception",
229
+ name: "oauth-provider-setup",
230
+ status: "completed",
231
+ },
232
+ {
233
+ type: "updateCard",
234
+ stage: "inception",
235
+ name: "callback-handler",
236
+ status: "in-progress",
237
+ },
238
+ ],
239
+ },
240
+ { delay: 500, actions: [{ type: "fastForward", seconds: "25" }] },
241
+ {
242
+ delay: 1500,
243
+ actions: [
244
+ { type: "removeFastForward" },
245
+ {
246
+ type: "msg",
247
+ role: "agent",
248
+ label: "agent",
249
+ text: "Callback handler analysis done. Google uses server-side code exchange, GitHub\u2019s token endpoint differs. Both mapped.",
250
+ },
251
+ {
252
+ type: "updateCard",
253
+ stage: "inception",
254
+ name: "callback-handler",
255
+ status: "completed",
256
+ },
257
+ {
258
+ type: "updateCard",
259
+ stage: "inception",
260
+ name: "session-management",
261
+ status: "in-progress",
262
+ },
263
+ ],
264
+ },
265
+ { delay: 500, actions: [{ type: "fastForward", seconds: "20" }] },
266
+ {
267
+ delay: 1200,
268
+ actions: [
269
+ { type: "removeFastForward" },
270
+ {
271
+ type: "updateCard",
272
+ stage: "inception",
273
+ name: "session-management",
274
+ status: "completed",
275
+ },
276
+ {
277
+ type: "updateCard",
278
+ stage: "inception",
279
+ name: "callback-errors",
280
+ status: "in-progress",
281
+ },
282
+ ],
283
+ },
284
+ { delay: 500, actions: [{ type: "fastForward", seconds: "20" }] },
285
+ {
286
+ delay: 1200,
287
+ actions: [
288
+ { type: "removeFastForward" },
289
+ {
290
+ type: "msg",
291
+ role: "agent",
292
+ label: "agent",
293
+ text: "All 4 units complete. Callback error handling confirmed your instinct \u2014 the two providers need separate error paths due to different failure modes.",
294
+ },
295
+ {
296
+ type: "updateCard",
297
+ stage: "inception",
298
+ name: "callback-errors",
299
+ status: "completed",
300
+ },
301
+ ],
302
+ },
43
303
 
44
- // Step 5: Inception gate - auto
45
- { delay: 1000, actions: [{ type: "msg", role: "system", label: "system", text: "Inception complete. Review gate: auto. All criteria met \u2014 advancing." }, { type: "msg", role: "agent", label: "agent", text: "Advancing to design stage." }] },
304
+ // Step 5: Inception gate - auto
305
+ {
306
+ delay: 1000,
307
+ actions: [
308
+ {
309
+ type: "msg",
310
+ role: "system",
311
+ label: "system",
312
+ text: "Inception complete. Review gate: auto. All criteria met \u2014 advancing.",
313
+ },
314
+ {
315
+ type: "msg",
316
+ role: "agent",
317
+ label: "agent",
318
+ text: "Advancing to design stage.",
319
+ },
320
+ ],
321
+ },
46
322
 
47
- // Step 6: Design - elaborate
48
- { delay: 1000, actions: [{ type: "activateStage", stage: "design" }, { type: "msg", role: "agent", label: "agent", text: "Entering design stage. Hat: designer.\nElaborating design work..." }, { type: "file", path: `${P}/stages/design/state.json` }] },
49
- { delay: 800, actions: [{ type: "file", path: `${P}/stages/design/units/unit-01-login-screen.md` }, { type: "file", path: `${P}/stages/design/units/unit-02-oauth-flow.md` }, { type: "card", stage: "design", name: "login-screen", status: "in-progress" }, { type: "card", stage: "design", name: "oauth-flow", status: "" }, { type: "msg", role: "agent", label: "agent", text: "2 units: login-screen and oauth-flow." }] },
323
+ // Step 6: Design - elaborate
324
+ {
325
+ delay: 1000,
326
+ actions: [
327
+ { type: "activateStage", stage: "design" },
328
+ {
329
+ type: "msg",
330
+ role: "agent",
331
+ label: "agent",
332
+ text: "Entering design stage. Hat: designer.\nElaborating design work...",
333
+ },
334
+ { type: "file", path: `${P}/stages/design/state.json` },
335
+ ],
336
+ },
337
+ {
338
+ delay: 800,
339
+ actions: [
340
+ {
341
+ type: "file",
342
+ path: `${P}/stages/design/units/unit-01-login-screen.md`,
343
+ },
344
+ {
345
+ type: "file",
346
+ path: `${P}/stages/design/units/unit-02-oauth-flow.md`,
347
+ },
348
+ {
349
+ type: "card",
350
+ stage: "design",
351
+ name: "login-screen",
352
+ status: "in-progress",
353
+ },
354
+ { type: "card", stage: "design", name: "oauth-flow", status: "" },
355
+ {
356
+ type: "msg",
357
+ role: "agent",
358
+ label: "agent",
359
+ text: "2 units: login-screen and oauth-flow.",
360
+ },
361
+ ],
362
+ },
50
363
 
51
- // Step 7: Design - execute (collaborative)
52
- { delay: 1200, actions: [{ type: "msg", role: "agent", label: "agent", text: "For the login screen \u2014 modal overlay or full page?" }] },
53
- { delay: 2200, actions: [{ type: "msg", role: "user", label: "you", text: "Full page with the app logo. Social buttons prominent." }] },
54
- { delay: 800, actions: [{ type: "typing" }] },
55
- { delay: 1200, actions: [{ type: "removeTyping" }, { type: "msg", role: "agent", label: "agent", text: "Opening visual review..." }] },
56
- { delay: 500, actions: [{ type: "fastForward", seconds: "45" }] },
57
- { delay: 2000, actions: [{ type: "removeFastForward" }, { type: "msg", role: "agent", label: "agent", text: "Wireframe ready. Presenting for review." }, { type: "showDesignReview", title: "Design", intent: "add-oauth-login" }] },
58
- { delay: 2500, actions: [{ type: "hideReview" }, { type: "msg", role: "user", label: "you", text: "Add a 'forgot password' link below the form" }] },
59
- { delay: 800, actions: [{ type: "typing" }] },
60
- { delay: 1000, actions: [{ type: "removeTyping" }, { type: "msg", role: "agent", label: "agent", text: "Added. Design brief updated." }, { type: "updateCard", stage: "design", name: "login-screen", status: "completed" }, { type: "updateCard", stage: "design", name: "oauth-flow", status: "in-progress" }] },
61
- { delay: 500, actions: [{ type: "fastForward", seconds: "30" }] },
62
- { delay: 1500, actions: [{ type: "removeFastForward" }, { type: "updateCard", stage: "design", name: "oauth-flow", status: "completed" }, { type: "file", path: `${P}/stages/design/DESIGN-BRIEF.md` }, { type: "msg", role: "agent", label: "agent", text: "Design brief and mockups complete. Desktop and mobile login screens plus OAuth flow diagram committed as design artifacts. All breakpoints, interactive states, accessible color contrast verified." }] },
364
+ // Step 7: Design - execute (collaborative)
365
+ {
366
+ delay: 1200,
367
+ actions: [
368
+ {
369
+ type: "msg",
370
+ role: "agent",
371
+ label: "agent",
372
+ text: "For the login screen \u2014 modal overlay or full page?",
373
+ },
374
+ ],
375
+ },
376
+ {
377
+ delay: 2200,
378
+ actions: [
379
+ {
380
+ type: "msg",
381
+ role: "user",
382
+ label: "you",
383
+ text: "Full page with the app logo. Social buttons prominent.",
384
+ },
385
+ ],
386
+ },
387
+ { delay: 800, actions: [{ type: "typing" }] },
388
+ {
389
+ delay: 1200,
390
+ actions: [
391
+ { type: "removeTyping" },
392
+ {
393
+ type: "msg",
394
+ role: "agent",
395
+ label: "agent",
396
+ text: "Opening visual review...",
397
+ },
398
+ ],
399
+ },
400
+ { delay: 500, actions: [{ type: "fastForward", seconds: "45" }] },
401
+ {
402
+ delay: 2000,
403
+ actions: [
404
+ { type: "removeFastForward" },
405
+ {
406
+ type: "msg",
407
+ role: "agent",
408
+ label: "agent",
409
+ text: "Wireframe ready. Presenting for review.",
410
+ },
411
+ {
412
+ type: "showDesignReview",
413
+ title: "Design",
414
+ intent: "add-oauth-login",
415
+ },
416
+ ],
417
+ },
418
+ {
419
+ delay: 2500,
420
+ actions: [
421
+ { type: "hideReview" },
422
+ {
423
+ type: "msg",
424
+ role: "user",
425
+ label: "you",
426
+ text: "Add a 'forgot password' link below the form",
427
+ },
428
+ ],
429
+ },
430
+ { delay: 800, actions: [{ type: "typing" }] },
431
+ {
432
+ delay: 1000,
433
+ actions: [
434
+ { type: "removeTyping" },
435
+ {
436
+ type: "msg",
437
+ role: "agent",
438
+ label: "agent",
439
+ text: "Added. Design brief updated.",
440
+ },
441
+ {
442
+ type: "updateCard",
443
+ stage: "design",
444
+ name: "login-screen",
445
+ status: "completed",
446
+ },
447
+ {
448
+ type: "updateCard",
449
+ stage: "design",
450
+ name: "oauth-flow",
451
+ status: "in-progress",
452
+ },
453
+ ],
454
+ },
455
+ { delay: 500, actions: [{ type: "fastForward", seconds: "30" }] },
456
+ {
457
+ delay: 1500,
458
+ actions: [
459
+ { type: "removeFastForward" },
460
+ {
461
+ type: "updateCard",
462
+ stage: "design",
463
+ name: "oauth-flow",
464
+ status: "completed",
465
+ },
466
+ { type: "file", path: `${P}/stages/design/DESIGN-BRIEF.md` },
467
+ {
468
+ type: "msg",
469
+ role: "agent",
470
+ label: "agent",
471
+ text: "Design brief and mockups complete. Desktop and mobile login screens plus OAuth flow diagram committed as design artifacts. All breakpoints, interactive states, accessible color contrast verified.",
472
+ },
473
+ ],
474
+ },
63
475
 
64
- // Step 8: Design gate - ask (visual review)
65
- { delay: 1000, actions: [{ type: "msg", role: "system", label: "system", text: "Design stage complete. Review gate: ask." }, { type: "msg", role: "agent", label: "agent", text: "Opening visual review for stage approval..." }] },
66
- { delay: 800, actions: [{ type: "showDesignReview", title: "Design", intent: "add-oauth-login" }] },
67
- { delay: 2000, actions: [{ type: "highlightApprove" }] },
68
- { delay: 1200, actions: [{ type: "hideReview" }, { type: "msg", role: "agent", label: "agent", text: "Approved via visual review. Advancing to product stage." }] },
476
+ // Step 8: Design gate - ask (visual review)
477
+ {
478
+ delay: 1000,
479
+ actions: [
480
+ {
481
+ type: "msg",
482
+ role: "system",
483
+ label: "system",
484
+ text: "Design stage complete. Review gate: ask.",
485
+ },
486
+ {
487
+ type: "msg",
488
+ role: "agent",
489
+ label: "agent",
490
+ text: "Opening visual review for stage approval...",
491
+ },
492
+ ],
493
+ },
494
+ {
495
+ delay: 800,
496
+ actions: [
497
+ {
498
+ type: "showDesignReview",
499
+ title: "Design",
500
+ intent: "add-oauth-login",
501
+ },
502
+ ],
503
+ },
504
+ { delay: 2000, actions: [{ type: "highlightApprove" }] },
505
+ {
506
+ delay: 1200,
507
+ actions: [
508
+ { type: "hideReview" },
509
+ {
510
+ type: "msg",
511
+ role: "agent",
512
+ label: "agent",
513
+ text: "Approved via visual review. Advancing to product stage.",
514
+ },
515
+ ],
516
+ },
69
517
 
70
- // Step 9: Product stage (collaborative)
71
- { delay: 1000, actions: [{ type: "activateStage", stage: "product" }, { type: "msg", role: "agent", label: "agent", text: "Entering product stage. Hat: product.\nLoading design stage outputs as inputs..." }, { type: "file", path: `${P}/stages/product/state.json` }] },
72
- { delay: 800, actions: [{ type: "msg", role: "system", label: "system", text: "Resolved inputs \u2192 inception/discovery (knowledge/DISCOVERY.md), design/design-brief (stages/design/DESIGN-BRIEF.md)" }, { type: "msg", role: "agent", label: "agent", text: "Design brief specifies full-page login with social buttons and forgot-password link.\nElaborating product work from design artifacts..." }, { type: "file", path: `${P}/stages/product/units/unit-01-auth-spec.md` }, { type: "card", stage: "product", name: "auth-spec", status: "in-progress" }] },
73
- { delay: 500, actions: [{ type: "fastForward", seconds: "40" }] },
74
- { delay: 1800, actions: [{ type: "removeFastForward" }, { type: "msg", role: "agent", label: "agent", text: "Here are the acceptance criteria for the callback flow:" }] },
75
- { delay: 1000, actions: [{ type: "msg", role: "agent", label: "agent", text: "1. Valid code \u2192 token exchange \u2192 session created\n2. Invalid code \u2192 400 error\n3. Expired code \u2192 redirect to login" }] },
76
- { delay: 2500, actions: [{ type: "msg", role: "user", label: "you", text: "Add a rate limiting scenario \u2014 what happens at 100 requests/minute?" }] },
77
- { delay: 800, actions: [{ type: "typing" }] },
78
- { delay: 1200, actions: [{ type: "removeTyping" }, { type: "msg", role: "agent", label: "agent", text: "Added: rate limit returns 429 with retry-after header." }, { type: "updateCard", stage: "product", name: "auth-spec", status: "completed" }] },
79
- { delay: 800, actions: [{ type: "msg", role: "system", label: "system", text: "Product stage complete. Review gate: external." }, { type: "msg", role: "agent", label: "agent", text: "Sharing browse URL for external review..." }] },
80
- { delay: 1000, actions: [{ type: "showReview", title: "Product", intent: "add-oauth-login", criteria: ["Valid code \u2192 token exchange \u2192 session created", "Invalid code \u2192 400 error with message", "Expired code \u2192 redirect to login", "Rate limit at 100 req/min \u2192 429 + retry-after"] }] },
81
- { delay: 800, actions: [{ type: "animateCheckmarks" }] },
82
- { delay: 2200, actions: [{ type: "highlightApprove" }] },
83
- { delay: 1200, actions: [{ type: "hideReview" }, { type: "msg", role: "system", label: "system", text: "External review approved via browse page." }, { type: "msg", role: "agent", label: "agent", text: "Advancing to development stage." }] },
518
+ // Step 9: Product stage (collaborative)
519
+ {
520
+ delay: 1000,
521
+ actions: [
522
+ { type: "activateStage", stage: "product" },
523
+ {
524
+ type: "msg",
525
+ role: "agent",
526
+ label: "agent",
527
+ text: "Entering product stage. Hat: product.\nLoading design stage outputs as inputs...",
528
+ },
529
+ { type: "file", path: `${P}/stages/product/state.json` },
530
+ ],
531
+ },
532
+ {
533
+ delay: 800,
534
+ actions: [
535
+ {
536
+ type: "msg",
537
+ role: "system",
538
+ label: "system",
539
+ text: "Resolved inputs \u2192 inception/discovery (knowledge/DISCOVERY.md), design/design-brief (stages/design/DESIGN-BRIEF.md)",
540
+ },
541
+ {
542
+ type: "msg",
543
+ role: "agent",
544
+ label: "agent",
545
+ text: "Design brief specifies full-page login with social buttons and forgot-password link.\nElaborating product work from design artifacts...",
546
+ },
547
+ {
548
+ type: "file",
549
+ path: `${P}/stages/product/units/unit-01-auth-spec.md`,
550
+ },
551
+ {
552
+ type: "card",
553
+ stage: "product",
554
+ name: "auth-spec",
555
+ status: "in-progress",
556
+ },
557
+ ],
558
+ },
559
+ { delay: 500, actions: [{ type: "fastForward", seconds: "40" }] },
560
+ {
561
+ delay: 1800,
562
+ actions: [
563
+ { type: "removeFastForward" },
564
+ {
565
+ type: "msg",
566
+ role: "agent",
567
+ label: "agent",
568
+ text: "Here are the acceptance criteria for the callback flow:",
569
+ },
570
+ ],
571
+ },
572
+ {
573
+ delay: 1000,
574
+ actions: [
575
+ {
576
+ type: "msg",
577
+ role: "agent",
578
+ label: "agent",
579
+ text: "1. Valid code \u2192 token exchange \u2192 session created\n2. Invalid code \u2192 400 error\n3. Expired code \u2192 redirect to login",
580
+ },
581
+ ],
582
+ },
583
+ {
584
+ delay: 2500,
585
+ actions: [
586
+ {
587
+ type: "msg",
588
+ role: "user",
589
+ label: "you",
590
+ text: "Add a rate limiting scenario \u2014 what happens at 100 requests/minute?",
591
+ },
592
+ ],
593
+ },
594
+ { delay: 800, actions: [{ type: "typing" }] },
595
+ {
596
+ delay: 1200,
597
+ actions: [
598
+ { type: "removeTyping" },
599
+ {
600
+ type: "msg",
601
+ role: "agent",
602
+ label: "agent",
603
+ text: "Added: rate limit returns 429 with retry-after header.",
604
+ },
605
+ {
606
+ type: "updateCard",
607
+ stage: "product",
608
+ name: "auth-spec",
609
+ status: "completed",
610
+ },
611
+ ],
612
+ },
613
+ {
614
+ delay: 800,
615
+ actions: [
616
+ {
617
+ type: "msg",
618
+ role: "system",
619
+ label: "system",
620
+ text: "Product stage complete. Review gate: external.",
621
+ },
622
+ {
623
+ type: "msg",
624
+ role: "agent",
625
+ label: "agent",
626
+ text: "Sharing browse URL for external review...",
627
+ },
628
+ ],
629
+ },
630
+ {
631
+ delay: 1000,
632
+ actions: [
633
+ {
634
+ type: "showReview",
635
+ title: "Product",
636
+ intent: "add-oauth-login",
637
+ criteria: [
638
+ "Valid code \u2192 token exchange \u2192 session created",
639
+ "Invalid code \u2192 400 error with message",
640
+ "Expired code \u2192 redirect to login",
641
+ "Rate limit at 100 req/min \u2192 429 + retry-after",
642
+ ],
643
+ },
644
+ ],
645
+ },
646
+ { delay: 800, actions: [{ type: "animateCheckmarks" }] },
647
+ { delay: 2200, actions: [{ type: "highlightApprove" }] },
648
+ {
649
+ delay: 1200,
650
+ actions: [
651
+ { type: "hideReview" },
652
+ {
653
+ type: "msg",
654
+ role: "system",
655
+ label: "system",
656
+ text: "External review approved via browse page.",
657
+ },
658
+ {
659
+ type: "msg",
660
+ role: "agent",
661
+ label: "agent",
662
+ text: "Advancing to development stage.",
663
+ },
664
+ ],
665
+ },
84
666
 
85
- // Step 10: Development stage (bolt loop, collaborative)
86
- { delay: 1000, actions: [{ type: "activateStage", stage: "development" }, { type: "msg", role: "agent", label: "agent", text: "Entering development stage. Hat: planner.\nLoading upstream stage outputs..." }, { type: "file", path: `${P}/stages/development/state.json` }] },
87
- { delay: 800, actions: [{ type: "msg", role: "system", label: "system", text: "Resolved inputs \u2192 inception/discovery, design/design-brief, product/auth-spec" }, { type: "msg", role: "agent", label: "agent", text: "Design brief: full-page login with social buttons + forgot-password link. Product spec: OAuth callback flow with 429 rate limiting.\nElaborating into implementation units..." }, { type: "file", path: `${P}/stages/development/units/unit-01-oauth-provider.md` }, { type: "file", path: `${P}/stages/development/units/unit-02-login-ui.md` }, { type: "file", path: `${P}/stages/development/units/unit-03-session-mgmt.md` }, { type: "card", stage: "development", name: "oauth-provider", status: "in-progress" }, { type: "card", stage: "development", name: "login-ui", status: "" }, { type: "card", stage: "development", name: "session-mgmt", status: "" }] },
88
- // Bolt 1
89
- { delay: 800, actions: [{ type: "msg", role: "agent", label: "agent", text: "Unit: oauth-provider. Bolt 1. Hat: builder.\nImplementing OAuth provider integration for Google and GitHub..." }] },
90
- { delay: 500, actions: [{ type: "fastForward", seconds: "60" }] },
91
- { delay: 2000, actions: [{ type: "removeFastForward" }, { type: "msg", role: "agent", label: "agent", text: "Bolt 1 complete. Hat: reviewer. Running code review..." }] },
92
- { delay: 1200, actions: [{ type: "msg", role: "agent", label: "agent", text: "Review found 1 issue: race condition in concurrent token exchanges" }] },
93
- { delay: 2200, actions: [{ type: "msg", role: "user", label: "you", text: "Good catch. Use a mutex on the token store." }] },
94
- { delay: 800, actions: [{ type: "msg", role: "agent", label: "agent", text: "Fixed \u2014 added lock on token write. Re-running review..." }] },
95
- { delay: 500, actions: [{ type: "fastForward", seconds: "20" }] },
96
- { delay: 1200, actions: [{ type: "removeFastForward" }, { type: "msg", role: "agent", label: "agent", text: "Review passed. All criteria met." }, { type: "updateCard", stage: "development", name: "oauth-provider", status: "completed" }, { type: "updateCard", stage: "development", name: "login-ui", status: "in-progress" }] },
97
- // Unit 2
98
- { delay: 800, actions: [{ type: "msg", role: "agent", label: "agent", text: "Unit: login-ui. Hat: builder. Building login components with the forgot-password link from the design brief..." }] },
99
- { delay: 500, actions: [{ type: "fastForward", seconds: "45" }] },
100
- { delay: 1500, actions: [{ type: "removeFastForward" }, { type: "msg", role: "agent", label: "agent", text: "Login UI complete. Review passed on first bolt." }, { type: "updateCard", stage: "development", name: "login-ui", status: "completed" }, { type: "updateCard", stage: "development", name: "session-mgmt", status: "in-progress" }] },
101
- // Unit 3
102
- { delay: 800, actions: [{ type: "msg", role: "agent", label: "agent", text: "Unit: session-mgmt. Hat: builder. Implementing session lifecycle with the rate limiting from the product spec..." }] },
103
- { delay: 500, actions: [{ type: "fastForward", seconds: "50" }] },
104
- { delay: 1500, actions: [{ type: "removeFastForward" }, { type: "msg", role: "agent", label: "agent", text: "Session management complete \u2014 includes the 429 rate limiting on the callback endpoint. All 3 units delivered." }, { type: "updateCard", stage: "development", name: "session-mgmt", status: "completed" }] },
105
- { delay: 800, actions: [{ type: "msg", role: "agent", label: "agent", text: "Running design consistency and accessibility review agents..." }] },
106
- { delay: 1000, actions: [{ type: "msg", role: "agent", label: "agent", text: "Review agents passed: design consistency OK, accessibility OK." }] },
107
- { delay: 800, actions: [{ type: "msg", role: "system", label: "system", text: "Development stage complete. Review gate: ask. Awaiting your approval." }] },
108
- { delay: 1500, actions: [{ type: "msg", role: "user", label: "you", text: "Approved." }, { type: "msg", role: "agent", label: "agent", text: "Advancing to operations stage." }] },
667
+ // Step 10: Development stage (bolt loop, collaborative)
668
+ {
669
+ delay: 1000,
670
+ actions: [
671
+ { type: "activateStage", stage: "development" },
672
+ {
673
+ type: "msg",
674
+ role: "agent",
675
+ label: "agent",
676
+ text: "Entering development stage. Hat: planner.\nLoading upstream stage outputs...",
677
+ },
678
+ { type: "file", path: `${P}/stages/development/state.json` },
679
+ ],
680
+ },
681
+ {
682
+ delay: 800,
683
+ actions: [
684
+ {
685
+ type: "msg",
686
+ role: "system",
687
+ label: "system",
688
+ text: "Resolved inputs \u2192 inception/discovery, design/design-brief, product/auth-spec",
689
+ },
690
+ {
691
+ type: "msg",
692
+ role: "agent",
693
+ label: "agent",
694
+ text: "Design brief: full-page login with social buttons + forgot-password link. Product spec: OAuth callback flow with 429 rate limiting.\nElaborating into implementation units...",
695
+ },
696
+ {
697
+ type: "file",
698
+ path: `${P}/stages/development/units/unit-01-oauth-provider.md`,
699
+ },
700
+ {
701
+ type: "file",
702
+ path: `${P}/stages/development/units/unit-02-login-ui.md`,
703
+ },
704
+ {
705
+ type: "file",
706
+ path: `${P}/stages/development/units/unit-03-session-mgmt.md`,
707
+ },
708
+ {
709
+ type: "card",
710
+ stage: "development",
711
+ name: "oauth-provider",
712
+ status: "in-progress",
713
+ },
714
+ { type: "card", stage: "development", name: "login-ui", status: "" },
715
+ {
716
+ type: "card",
717
+ stage: "development",
718
+ name: "session-mgmt",
719
+ status: "",
720
+ },
721
+ ],
722
+ },
723
+ // Bolt 1
724
+ {
725
+ delay: 800,
726
+ actions: [
727
+ {
728
+ type: "msg",
729
+ role: "agent",
730
+ label: "agent",
731
+ text: "Unit: oauth-provider. Bolt 1. Hat: builder.\nImplementing OAuth provider integration for Google and GitHub...",
732
+ },
733
+ ],
734
+ },
735
+ { delay: 500, actions: [{ type: "fastForward", seconds: "60" }] },
736
+ {
737
+ delay: 2000,
738
+ actions: [
739
+ { type: "removeFastForward" },
740
+ {
741
+ type: "msg",
742
+ role: "agent",
743
+ label: "agent",
744
+ text: "Bolt 1 complete. Hat: reviewer. Running code review...",
745
+ },
746
+ ],
747
+ },
748
+ {
749
+ delay: 1200,
750
+ actions: [
751
+ {
752
+ type: "msg",
753
+ role: "agent",
754
+ label: "agent",
755
+ text: "Review found 1 issue: race condition in concurrent token exchanges",
756
+ },
757
+ ],
758
+ },
759
+ {
760
+ delay: 2200,
761
+ actions: [
762
+ {
763
+ type: "msg",
764
+ role: "user",
765
+ label: "you",
766
+ text: "Good catch. Use a mutex on the token store.",
767
+ },
768
+ ],
769
+ },
770
+ {
771
+ delay: 800,
772
+ actions: [
773
+ {
774
+ type: "msg",
775
+ role: "agent",
776
+ label: "agent",
777
+ text: "Fixed \u2014 added lock on token write. Re-running review...",
778
+ },
779
+ ],
780
+ },
781
+ { delay: 500, actions: [{ type: "fastForward", seconds: "20" }] },
782
+ {
783
+ delay: 1200,
784
+ actions: [
785
+ { type: "removeFastForward" },
786
+ {
787
+ type: "msg",
788
+ role: "agent",
789
+ label: "agent",
790
+ text: "Review passed. All criteria met.",
791
+ },
792
+ {
793
+ type: "updateCard",
794
+ stage: "development",
795
+ name: "oauth-provider",
796
+ status: "completed",
797
+ },
798
+ {
799
+ type: "updateCard",
800
+ stage: "development",
801
+ name: "login-ui",
802
+ status: "in-progress",
803
+ },
804
+ ],
805
+ },
806
+ // Unit 2
807
+ {
808
+ delay: 800,
809
+ actions: [
810
+ {
811
+ type: "msg",
812
+ role: "agent",
813
+ label: "agent",
814
+ text: "Unit: login-ui. Hat: builder. Building login components with the forgot-password link from the design brief...",
815
+ },
816
+ ],
817
+ },
818
+ { delay: 500, actions: [{ type: "fastForward", seconds: "45" }] },
819
+ {
820
+ delay: 1500,
821
+ actions: [
822
+ { type: "removeFastForward" },
823
+ {
824
+ type: "msg",
825
+ role: "agent",
826
+ label: "agent",
827
+ text: "Login UI complete. Review passed on first bolt.",
828
+ },
829
+ {
830
+ type: "updateCard",
831
+ stage: "development",
832
+ name: "login-ui",
833
+ status: "completed",
834
+ },
835
+ {
836
+ type: "updateCard",
837
+ stage: "development",
838
+ name: "session-mgmt",
839
+ status: "in-progress",
840
+ },
841
+ ],
842
+ },
843
+ // Unit 3
844
+ {
845
+ delay: 800,
846
+ actions: [
847
+ {
848
+ type: "msg",
849
+ role: "agent",
850
+ label: "agent",
851
+ text: "Unit: session-mgmt. Hat: builder. Implementing session lifecycle with the rate limiting from the product spec...",
852
+ },
853
+ ],
854
+ },
855
+ { delay: 500, actions: [{ type: "fastForward", seconds: "50" }] },
856
+ {
857
+ delay: 1500,
858
+ actions: [
859
+ { type: "removeFastForward" },
860
+ {
861
+ type: "msg",
862
+ role: "agent",
863
+ label: "agent",
864
+ text: "Session management complete \u2014 includes the 429 rate limiting on the callback endpoint. All 3 units delivered.",
865
+ },
866
+ {
867
+ type: "updateCard",
868
+ stage: "development",
869
+ name: "session-mgmt",
870
+ status: "completed",
871
+ },
872
+ ],
873
+ },
874
+ {
875
+ delay: 800,
876
+ actions: [
877
+ {
878
+ type: "msg",
879
+ role: "agent",
880
+ label: "agent",
881
+ text: "Running design consistency and accessibility review agents...",
882
+ },
883
+ ],
884
+ },
885
+ {
886
+ delay: 1000,
887
+ actions: [
888
+ {
889
+ type: "msg",
890
+ role: "agent",
891
+ label: "agent",
892
+ text: "Review agents passed: design consistency OK, accessibility OK.",
893
+ },
894
+ ],
895
+ },
896
+ {
897
+ delay: 800,
898
+ actions: [
899
+ {
900
+ type: "msg",
901
+ role: "system",
902
+ label: "system",
903
+ text: "Development stage complete. Review gate: ask. Awaiting your approval.",
904
+ },
905
+ ],
906
+ },
907
+ {
908
+ delay: 1500,
909
+ actions: [
910
+ { type: "msg", role: "user", label: "you", text: "Approved." },
911
+ {
912
+ type: "msg",
913
+ role: "agent",
914
+ label: "agent",
915
+ text: "Advancing to operations stage.",
916
+ },
917
+ ],
918
+ },
109
919
 
110
- // Step 11: Operations stage (collaborative)
111
- { delay: 1000, actions: [{ type: "activateStage", stage: "operations" }, { type: "msg", role: "agent", label: "agent", text: "Entering operations stage. Hat: ops-engineer.\nI see you\u2019re on Kubernetes with Helm charts. For the OAuth secrets (client IDs, client secrets), do you want me to use your existing Vault setup or Kubernetes secrets?" }, { type: "file", path: `${P}/stages/operations/state.json` }, { type: "file", path: `${P}/stages/operations/units/unit-01-deploy-config.md` }, { type: "card", stage: "operations", name: "deploy-config", status: "in-progress" }] },
112
- { delay: 2000, actions: [{ type: "msg", role: "user", label: "you", text: "Use Vault. We\u2019re migrating everything there. Kubernetes secrets are being phased out." }] },
113
- { delay: 800, actions: [{ type: "msg", role: "agent", label: "agent", text: "Got it. I\u2019ll wire the OAuth secrets through Vault with the existing injector sidecar pattern. Updating the Helm values and adding the Vault policy." }] },
114
- { delay: 500, actions: [{ type: "fastForward", seconds: "35" }] },
115
- { delay: 1500, actions: [{ type: "removeFastForward" }, { type: "msg", role: "agent", label: "agent", text: "Hat: sre. Vault policies configured, health checks added for both provider endpoints, rollback plan documented with secret rotation procedure." }, { type: "updateCard", stage: "operations", name: "deploy-config", status: "completed" }] },
116
- { delay: 800, actions: [{ type: "msg", role: "system", label: "system", text: "Operations complete. Review gate: auto. Advancing." }, { type: "msg", role: "agent", label: "agent", text: "Advancing to security stage." }] },
920
+ // Step 11: Operations stage (collaborative)
921
+ {
922
+ delay: 1000,
923
+ actions: [
924
+ { type: "activateStage", stage: "operations" },
925
+ {
926
+ type: "msg",
927
+ role: "agent",
928
+ label: "agent",
929
+ text: "Entering operations stage. Hat: ops-engineer.\nI see you\u2019re on Kubernetes with Helm charts. For the OAuth secrets (client IDs, client secrets), do you want me to use your existing Vault setup or Kubernetes secrets?",
930
+ },
931
+ { type: "file", path: `${P}/stages/operations/state.json` },
932
+ {
933
+ type: "file",
934
+ path: `${P}/stages/operations/units/unit-01-deploy-config.md`,
935
+ },
936
+ {
937
+ type: "card",
938
+ stage: "operations",
939
+ name: "deploy-config",
940
+ status: "in-progress",
941
+ },
942
+ ],
943
+ },
944
+ {
945
+ delay: 2000,
946
+ actions: [
947
+ {
948
+ type: "msg",
949
+ role: "user",
950
+ label: "you",
951
+ text: "Use Vault. We\u2019re migrating everything there. Kubernetes secrets are being phased out.",
952
+ },
953
+ ],
954
+ },
955
+ {
956
+ delay: 800,
957
+ actions: [
958
+ {
959
+ type: "msg",
960
+ role: "agent",
961
+ label: "agent",
962
+ text: "Got it. I\u2019ll wire the OAuth secrets through Vault with the existing injector sidecar pattern. Updating the Helm values and adding the Vault policy.",
963
+ },
964
+ ],
965
+ },
966
+ { delay: 500, actions: [{ type: "fastForward", seconds: "35" }] },
967
+ {
968
+ delay: 1500,
969
+ actions: [
970
+ { type: "removeFastForward" },
971
+ {
972
+ type: "msg",
973
+ role: "agent",
974
+ label: "agent",
975
+ text: "Hat: sre. Vault policies configured, health checks added for both provider endpoints, rollback plan documented with secret rotation procedure.",
976
+ },
977
+ {
978
+ type: "updateCard",
979
+ stage: "operations",
980
+ name: "deploy-config",
981
+ status: "completed",
982
+ },
983
+ ],
984
+ },
985
+ {
986
+ delay: 800,
987
+ actions: [
988
+ {
989
+ type: "msg",
990
+ role: "system",
991
+ label: "system",
992
+ text: "Operations complete. Review gate: auto. Advancing.",
993
+ },
994
+ {
995
+ type: "msg",
996
+ role: "agent",
997
+ label: "agent",
998
+ text: "Advancing to security stage.",
999
+ },
1000
+ ],
1001
+ },
117
1002
 
118
- // Step 12: Security stage (collaborative)
119
- { delay: 1000, actions: [{ type: "activateStage", stage: "security" }, { type: "msg", role: "agent", label: "agent", text: "Entering security stage. Running review agents in parallel:\n \u2022 Hat: threat-modeler \u2014 STRIDE analysis\n \u2022 Hat: red-team \u2014 attack surface scan\n \u2022 Hat: blue-team \u2014 defense validation" }, { type: "file", path: `${P}/stages/security/state.json` }, { type: "file", path: `${P}/stages/security/units/unit-01-threat-model.md` }, { type: "file", path: `${P}/stages/security/units/unit-02-pen-test.md` }, { type: "card", stage: "security", name: "threat-model", status: "in-progress" }, { type: "card", stage: "security", name: "pen-test", status: "in-progress" }] },
120
- { delay: 500, actions: [{ type: "fastForward", seconds: "60" }] },
121
- { delay: 2000, actions: [{ type: "removeFastForward" }, { type: "msg", role: "agent", label: "agent", text: "Threat model found 2 medium-risk items:\n 1. GitHub OAuth doesn\u2019t support PKCE \u2014 relying on state param + client_secret only\n 2. Token stored in localStorage on one code path (should be httpOnly cookie everywhere)\n\nItem 2 is a code fix. Item 1 is an accepted limitation \u2014 want me to document it as a known risk or is there a mitigation you prefer?" }] },
122
- { delay: 2200, actions: [{ type: "msg", role: "user", label: "you", text: "Document it as a known risk. GitHub doesn\u2019t support PKCE, that\u2019s on them. Fix the localStorage issue though \u2014 that should never have been there." }] },
123
- { delay: 800, actions: [{ type: "msg", role: "agent", label: "agent", text: "Agreed. Fixing the localStorage path now and documenting GitHub\u2019s PKCE gap as accepted risk with compensating controls (strict state validation + short-lived tokens)." }] },
124
- { delay: 500, actions: [{ type: "fastForward", seconds: "15" }] },
125
- { delay: 1200, actions: [{ type: "removeFastForward" }, { type: "msg", role: "agent", label: "agent", text: "Fixed. All token storage now uses httpOnly cookies. CSRF protection verified across both providers." }, { type: "updateCard", stage: "security", name: "threat-model", status: "completed" }, { type: "updateCard", stage: "security", name: "pen-test", status: "completed" }] },
126
- { delay: 1000, actions: [{ type: "msg", role: "agent", label: "agent", text: "Hat: security-reviewer. Final review... All findings addressed. No critical or high-risk issues remain." }] },
127
- { delay: 800, actions: [{ type: "msg", role: "system", label: "system", text: "Security stage complete. Review gate: external." }, { type: "msg", role: "agent", label: "agent", text: "Sharing browse URL for external security review..." }] },
128
- { delay: 1000, actions: [{ type: "showReview", title: "Security", intent: "add-oauth-login", criteria: ["STRIDE threat model complete", "No critical/high-risk findings remain", "Token storage uses httpOnly cookies only", "CSRF protection verified both providers", "GitHub PKCE gap documented as accepted risk"] }] },
129
- { delay: 800, actions: [{ type: "animateCheckmarks" }] },
130
- { delay: 2400, actions: [{ type: "highlightApprove" }] },
131
- { delay: 1200, actions: [{ type: "hideReview" }, { type: "msg", role: "system", label: "system", text: "External security review approved via browse page." }] },
1003
+ // Step 12: Security stage (collaborative)
1004
+ {
1005
+ delay: 1000,
1006
+ actions: [
1007
+ { type: "activateStage", stage: "security" },
1008
+ {
1009
+ type: "msg",
1010
+ role: "agent",
1011
+ label: "agent",
1012
+ text: "Entering security stage. Running review agents in parallel:\n \u2022 Hat: threat-modeler \u2014 STRIDE analysis\n \u2022 Hat: red-team \u2014 attack surface scan\n \u2022 Hat: blue-team \u2014 defense validation",
1013
+ },
1014
+ { type: "file", path: `${P}/stages/security/state.json` },
1015
+ {
1016
+ type: "file",
1017
+ path: `${P}/stages/security/units/unit-01-threat-model.md`,
1018
+ },
1019
+ {
1020
+ type: "file",
1021
+ path: `${P}/stages/security/units/unit-02-pen-test.md`,
1022
+ },
1023
+ {
1024
+ type: "card",
1025
+ stage: "security",
1026
+ name: "threat-model",
1027
+ status: "in-progress",
1028
+ },
1029
+ {
1030
+ type: "card",
1031
+ stage: "security",
1032
+ name: "pen-test",
1033
+ status: "in-progress",
1034
+ },
1035
+ ],
1036
+ },
1037
+ { delay: 500, actions: [{ type: "fastForward", seconds: "60" }] },
1038
+ {
1039
+ delay: 2000,
1040
+ actions: [
1041
+ { type: "removeFastForward" },
1042
+ {
1043
+ type: "msg",
1044
+ role: "agent",
1045
+ label: "agent",
1046
+ text: "Threat model found 2 medium-risk items:\n 1. GitHub OAuth doesn\u2019t support PKCE \u2014 relying on state param + client_secret only\n 2. Token stored in localStorage on one code path (should be httpOnly cookie everywhere)\n\nItem 2 is a code fix. Item 1 is an accepted limitation \u2014 want me to document it as a known risk or is there a mitigation you prefer?",
1047
+ },
1048
+ ],
1049
+ },
1050
+ {
1051
+ delay: 2200,
1052
+ actions: [
1053
+ {
1054
+ type: "msg",
1055
+ role: "user",
1056
+ label: "you",
1057
+ text: "Document it as a known risk. GitHub doesn\u2019t support PKCE, that\u2019s on them. Fix the localStorage issue though \u2014 that should never have been there.",
1058
+ },
1059
+ ],
1060
+ },
1061
+ {
1062
+ delay: 800,
1063
+ actions: [
1064
+ {
1065
+ type: "msg",
1066
+ role: "agent",
1067
+ label: "agent",
1068
+ text: "Agreed. Fixing the localStorage path now and documenting GitHub\u2019s PKCE gap as accepted risk with compensating controls (strict state validation + short-lived tokens).",
1069
+ },
1070
+ ],
1071
+ },
1072
+ { delay: 500, actions: [{ type: "fastForward", seconds: "15" }] },
1073
+ {
1074
+ delay: 1200,
1075
+ actions: [
1076
+ { type: "removeFastForward" },
1077
+ {
1078
+ type: "msg",
1079
+ role: "agent",
1080
+ label: "agent",
1081
+ text: "Fixed. All token storage now uses httpOnly cookies. CSRF protection verified across both providers.",
1082
+ },
1083
+ {
1084
+ type: "updateCard",
1085
+ stage: "security",
1086
+ name: "threat-model",
1087
+ status: "completed",
1088
+ },
1089
+ {
1090
+ type: "updateCard",
1091
+ stage: "security",
1092
+ name: "pen-test",
1093
+ status: "completed",
1094
+ },
1095
+ ],
1096
+ },
1097
+ {
1098
+ delay: 1000,
1099
+ actions: [
1100
+ {
1101
+ type: "msg",
1102
+ role: "agent",
1103
+ label: "agent",
1104
+ text: "Hat: security-reviewer. Final review... All findings addressed. No critical or high-risk issues remain.",
1105
+ },
1106
+ ],
1107
+ },
1108
+ {
1109
+ delay: 800,
1110
+ actions: [
1111
+ {
1112
+ type: "msg",
1113
+ role: "system",
1114
+ label: "system",
1115
+ text: "Security stage complete. Review gate: external.",
1116
+ },
1117
+ {
1118
+ type: "msg",
1119
+ role: "agent",
1120
+ label: "agent",
1121
+ text: "Sharing browse URL for external security review...",
1122
+ },
1123
+ ],
1124
+ },
1125
+ {
1126
+ delay: 1000,
1127
+ actions: [
1128
+ {
1129
+ type: "showReview",
1130
+ title: "Security",
1131
+ intent: "add-oauth-login",
1132
+ criteria: [
1133
+ "STRIDE threat model complete",
1134
+ "No critical/high-risk findings remain",
1135
+ "Token storage uses httpOnly cookies only",
1136
+ "CSRF protection verified both providers",
1137
+ "GitHub PKCE gap documented as accepted risk",
1138
+ ],
1139
+ },
1140
+ ],
1141
+ },
1142
+ { delay: 800, actions: [{ type: "animateCheckmarks" }] },
1143
+ { delay: 2400, actions: [{ type: "highlightApprove" }] },
1144
+ {
1145
+ delay: 1200,
1146
+ actions: [
1147
+ { type: "hideReview" },
1148
+ {
1149
+ type: "msg",
1150
+ role: "system",
1151
+ label: "system",
1152
+ text: "External security review approved via browse page.",
1153
+ },
1154
+ ],
1155
+ },
132
1156
 
133
- // Step 13: Intent complete
134
- { delay: 1200, actions: [{ type: "complete" }, { type: "msg", role: "agent", label: "agent", text: "All 6 stages complete for add-oauth-login.\n\nDelivered:\n \u2022 OAuth provider integration (Google, GitHub) with separate callback handlers\n \u2022 Login UI with forgot-password link, 3-breakpoint responsive design\n \u2022 Session management with 429 rate limiting on callback endpoint\n \u2022 Race-condition-safe token refresh with distributed mutex lock\n \u2022 Deploy config with Vault secret management and rollback plan\n \u2022 Security review with STRIDE threat model, localStorage fix applied\n\nIntent status: complete." }] },
135
- { delay: 1500, actions: [{ type: "msg", role: "system", label: "system", text: "__SHOW_COMPLETION__" }] },
136
- ],
1157
+ // Step 13: Intent complete
1158
+ {
1159
+ delay: 1200,
1160
+ actions: [
1161
+ { type: "complete" },
1162
+ {
1163
+ type: "msg",
1164
+ role: "agent",
1165
+ label: "agent",
1166
+ text: "All 6 stages complete for add-oauth-login.\n\nDelivered:\n \u2022 OAuth provider integration (Google, GitHub) with separate callback handlers\n \u2022 Login UI with forgot-password link, 3-breakpoint responsive design\n \u2022 Session management with 429 rate limiting on callback endpoint\n \u2022 Race-condition-safe token refresh with distributed mutex lock\n \u2022 Deploy config with Vault secret management and rollback plan\n \u2022 Security review with STRIDE threat model, localStorage fix applied\n\nIntent status: complete.",
1167
+ },
1168
+ ],
1169
+ },
1170
+ {
1171
+ delay: 1500,
1172
+ actions: [
1173
+ {
1174
+ type: "msg",
1175
+ role: "system",
1176
+ label: "system",
1177
+ text: "__SHOW_COMPLETION__",
1178
+ },
1179
+ ],
1180
+ },
1181
+ ],
137
1182
  }