its-magic 0.1.2-9 → 0.1.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (232) hide show
  1. package/README.md +1602 -755
  2. package/bin/its-magic.js +121 -11
  3. package/bin/postinstall.js +21 -0
  4. package/installer.ps1 +759 -0
  5. package/installer.py +981 -0
  6. package/installer.sh +649 -0
  7. package/package.json +18 -14
  8. package/scripts/check_intake_template_parity.py +284 -0
  9. package/scripts/doc_profile_lib.py +415 -0
  10. package/scripts/guard_installer_publish.py +88 -0
  11. package/scripts/intake_bug_routing_guard.py +67 -0
  12. package/scripts/intake_evidence_lib.py +802 -0
  13. package/scripts/intake_evidence_validate.py +73 -0
  14. package/scripts/materialize_codebase_map.py +184 -0
  15. package/scripts/remote_config_summary.py +243 -0
  16. package/template/.cursor/agents/curator.mdc +35 -0
  17. package/template/.cursor/agents/dev.mdc +29 -0
  18. package/template/.cursor/agents/po.mdc +141 -0
  19. package/template/.cursor/agents/qa.mdc +28 -0
  20. package/template/.cursor/agents/release.mdc +28 -0
  21. package/template/.cursor/agents/security.mdc +98 -0
  22. package/template/.cursor/agents/tech-lead.mdc +57 -0
  23. package/template/.cursor/commands/architecture.md +127 -0
  24. package/template/.cursor/commands/ask.md +55 -0
  25. package/template/.cursor/commands/auto.md +533 -0
  26. package/template/.cursor/commands/discovery.md +47 -0
  27. package/template/.cursor/commands/execute.md +343 -0
  28. package/template/.cursor/commands/intake.md +323 -0
  29. package/template/.cursor/commands/map-codebase.md +46 -0
  30. package/template/.cursor/commands/memory-audit.md +175 -0
  31. package/template/.cursor/commands/milestone-complete.md +51 -0
  32. package/template/.cursor/commands/milestone-start.md +59 -0
  33. package/template/.cursor/commands/pause.md +64 -0
  34. package/{.cursor/commands/gsd-phase-context.md → template/.cursor/commands/phase-context.md} +6 -2
  35. package/template/.cursor/commands/plan-verify.md +34 -0
  36. package/template/.cursor/commands/qa.md +226 -0
  37. package/template/.cursor/commands/quick.md +41 -0
  38. package/template/.cursor/commands/refresh-context.md +82 -0
  39. package/template/.cursor/commands/release.md +505 -0
  40. package/template/.cursor/commands/research.md +49 -0
  41. package/template/.cursor/commands/resume.md +67 -0
  42. package/template/.cursor/commands/security-review.md +81 -0
  43. package/template/.cursor/commands/sprint-plan.md +103 -0
  44. package/template/.cursor/commands/status-reconcile.md +95 -0
  45. package/template/.cursor/commands/verify-work.md +152 -0
  46. package/template/.cursor/dev-environment.json.example +22 -0
  47. package/{.cursor → template/.cursor}/hooks/README.md +3 -2
  48. package/{.cursor/hooks/gsd-hook.py → template/.cursor/hooks/hook.py} +15 -6
  49. package/template/.cursor/hooks.json +26 -0
  50. package/template/.cursor/remote.json +31 -0
  51. package/template/.cursor/rules/caveman.mdc +184 -0
  52. package/template/.cursor/rules/coding-standards.mdc +39 -0
  53. package/template/.cursor/rules/core.mdc +111 -0
  54. package/template/.cursor/rules/handoffs.mdc +27 -0
  55. package/template/.cursor/rules/quality.mdc +49 -0
  56. package/template/.cursor/scratchpad.local.example.md +323 -0
  57. package/template/.cursor/scratchpad.md +324 -0
  58. package/{.cursor/skills/gsd-team → template/.cursor/skills/its-magic}/SKILL.md +2 -2
  59. package/template/.cursorignore +6 -0
  60. package/template/.env.example +28 -0
  61. package/template/.github/workflows/ci.yml +194 -0
  62. package/{.github → template/.github}/workflows/deploy.yml +5 -2
  63. package/template/.its-magic-version +1 -0
  64. package/template/README.md +1602 -0
  65. package/template/decisions/DEC-0001.md +11 -0
  66. package/template/decisions/DEC-0002.md +11 -0
  67. package/template/docs/developer/README.md +44 -0
  68. package/template/docs/engineering/architecture.md +9 -0
  69. package/template/docs/engineering/artifact-ordering-policy.md +48 -0
  70. package/template/docs/engineering/artifact-ownership-policy.md +57 -0
  71. package/template/docs/engineering/auto-orchestration-reference.md +1211 -0
  72. package/{docs → template/docs}/engineering/codebase-map.md +0 -5
  73. package/template/docs/engineering/compatibility-report.md +20 -0
  74. package/template/docs/engineering/compatibility-signals.md +7 -0
  75. package/template/docs/engineering/component-scope-report.md +16 -0
  76. package/template/docs/engineering/component-scope.md +19 -0
  77. package/template/docs/engineering/context/installer-owned-paths.manifest +96 -0
  78. package/template/docs/engineering/context/readme-section-affinity.json +30 -0
  79. package/template/docs/engineering/decisions.md +16 -0
  80. package/template/docs/engineering/legacy-drift-audit.md +21 -0
  81. package/template/docs/engineering/manifests/components/api-gateway.manifest.yaml +12 -0
  82. package/template/docs/engineering/manifests/registry.manifest.yaml +20 -0
  83. package/template/docs/engineering/manifests/repo.manifest.yaml +11 -0
  84. package/template/docs/engineering/phase-context.md +16 -0
  85. package/template/docs/engineering/release-targets.json +123 -0
  86. package/template/docs/engineering/research.md +29 -0
  87. package/template/docs/engineering/runbook.md +2320 -0
  88. package/template/docs/engineering/runtime-connectivity.md +81 -0
  89. package/template/docs/engineering/security-review.md +33 -0
  90. package/template/docs/engineering/spec-pack/README.md +20 -0
  91. package/template/docs/engineering/state-archive/README.md +15 -0
  92. package/template/docs/engineering/state.md +20 -0
  93. package/template/docs/engineering/status-normalization-report.md +19 -0
  94. package/template/docs/engineering/token-cost-parity-manifest.md +16 -0
  95. package/template/docs/engineering/us-0084-remote-e2e.md +44 -0
  96. package/template/docs/product/acceptance.md +1 -0
  97. package/template/docs/product/backlog.md +5 -0
  98. package/template/docs/product/vision.md +11 -0
  99. package/template/docs/user-guides/README.md +40 -0
  100. package/{handoffs → template/handoffs}/dev_to_qa.md +0 -3
  101. package/{handoffs → template/handoffs}/po_to_tl.md +0 -3
  102. package/{handoffs → template/handoffs}/qa_to_dev.md +1 -2
  103. package/template/handoffs/release_notes.md +51 -0
  104. package/template/handoffs/release_queue.md +47 -0
  105. package/template/handoffs/release_to_dev.md +31 -0
  106. package/template/handoffs/releases/Sxxxx-release-notes.md +62 -0
  107. package/template/handoffs/resume_brief.md +14 -0
  108. package/{handoffs → template/handoffs}/tl_to_dev.md +0 -2
  109. package/template/handoffs/token_cost_runs/README.md +26 -0
  110. package/template/its_magic/.its-magic-version +1 -0
  111. package/template/its_magic/README.md +9 -0
  112. package/template/scripts/auto_outer_driver.py +521 -0
  113. package/template/scripts/caveman_compress_input.py +903 -0
  114. package/template/scripts/check_downstream_ci_guard.py +67 -0
  115. package/template/scripts/check_intake_template_parity.py +284 -0
  116. package/template/scripts/check_token_cost_parity.py +69 -0
  117. package/template/scripts/dev_environment_lib.py +463 -0
  118. package/template/scripts/doc_profile_lib.py +415 -0
  119. package/template/scripts/downstream_ci_guard_lib.py +222 -0
  120. package/template/scripts/enforce-triad-hot-surface.py +753 -0
  121. package/template/scripts/guard_installer_publish.py +88 -0
  122. package/template/scripts/intake_bug_resume_brief_refresh.py +303 -0
  123. package/template/scripts/intake_bug_routing_guard.py +67 -0
  124. package/template/scripts/intake_evidence_lib.py +802 -0
  125. package/template/scripts/intake_evidence_validate.py +73 -0
  126. package/template/scripts/materialize_codebase_map.py +184 -0
  127. package/template/scripts/pack_json_validate.py +130 -0
  128. package/template/scripts/project_readme_coverage_lib.py +417 -0
  129. package/template/scripts/readme_feature_coverage_lib.py +608 -0
  130. package/template/scripts/remote_config_summary.py +243 -0
  131. package/template/scripts/sync_push_gates.py +198 -0
  132. package/template/scripts/token_cost_compare.py +40 -0
  133. package/template/scripts/token_cost_lib.py +108 -0
  134. package/template/scripts/uat_probe_lib.py +868 -0
  135. package/template/scripts/validate-and-push.ps1 +280 -0
  136. package/template/scripts/validate-and-push.sh +243 -0
  137. package/template/scripts/validate_doc_profile.py +103 -0
  138. package/template/scripts/validate_project_readme_coverage.py +151 -0
  139. package/template/scripts/validate_readme_feature_coverage.py +140 -0
  140. package/template/sprints/S0001/progress.md +1 -0
  141. package/template/sprints/S0001/qa-findings.md +9 -0
  142. package/template/sprints/S0001/release-findings.md +24 -0
  143. package/template/sprints/S0001/sprint.md +9 -0
  144. package/template/sprints/S0001/summary.md +7 -0
  145. package/template/sprints/S0001/tasks.md +1 -0
  146. package/template/sprints/S0001/uat.json +6 -0
  147. package/template/sprints/S0001/uat.md +5 -0
  148. package/template/sprints/quick/Q0001/summary.md +1 -0
  149. package/{sprints → template/sprints}/quick/Q0001/task.json +0 -1
  150. package/.cursor/agents/curator.mdc +0 -21
  151. package/.cursor/agents/dev.mdc +0 -20
  152. package/.cursor/agents/po.mdc +0 -19
  153. package/.cursor/agents/qa.mdc +0 -19
  154. package/.cursor/agents/release.mdc +0 -19
  155. package/.cursor/agents/tech-lead.mdc +0 -21
  156. package/.cursor/commands/gsd-architecture.md +0 -29
  157. package/.cursor/commands/gsd-auto.md +0 -27
  158. package/.cursor/commands/gsd-discovery.md +0 -27
  159. package/.cursor/commands/gsd-execute.md +0 -32
  160. package/.cursor/commands/gsd-intake.md +0 -28
  161. package/.cursor/commands/gsd-map-codebase.md +0 -25
  162. package/.cursor/commands/gsd-milestone-complete.md +0 -24
  163. package/.cursor/commands/gsd-milestone-start.md +0 -26
  164. package/.cursor/commands/gsd-pause.md +0 -25
  165. package/.cursor/commands/gsd-plan-verify.md +0 -26
  166. package/.cursor/commands/gsd-qa.md +0 -28
  167. package/.cursor/commands/gsd-quick.md +0 -24
  168. package/.cursor/commands/gsd-refresh-context.md +0 -26
  169. package/.cursor/commands/gsd-release.md +0 -29
  170. package/.cursor/commands/gsd-research.md +0 -28
  171. package/.cursor/commands/gsd-resume.md +0 -26
  172. package/.cursor/commands/gsd-sprint-plan.md +0 -30
  173. package/.cursor/commands/gsd-verify-work.md +0 -25
  174. package/.cursor/hooks.json +0 -26
  175. package/.cursor/plans/cursor-gsd-team-kit_8cfee9b8.plan.md +0 -57
  176. package/.cursor/remote.json +0 -18
  177. package/.cursor/rules/gsd-core.mdc +0 -18
  178. package/.cursor/rules/gsd-handoffs.mdc +0 -10
  179. package/.cursor/rules/gsd-quality.mdc +0 -15
  180. package/.cursor/scratchpad.md +0 -34
  181. package/.github/workflows/ci.yml +0 -47
  182. package/decisions/DEC-0001.md +0 -21
  183. package/decisions/DEC-0002.md +0 -21
  184. package/docs/engineering/architecture.md +0 -354
  185. package/docs/engineering/decisions.md +0 -6
  186. package/docs/engineering/research.md +0 -11
  187. package/docs/engineering/runbook.md +0 -32
  188. package/docs/engineering/state.md +0 -33
  189. package/docs/product/acceptance.md +0 -6
  190. package/docs/product/backlog.md +0 -7
  191. package/docs/product/vision.md +0 -46
  192. package/gsd-installer.ps1 +0 -189
  193. package/gsd-installer.py +0 -195
  194. package/gsd-installer.sh +0 -201
  195. package/handoffs/release_notes.md +0 -14
  196. package/handoffs/resume_brief.md +0 -8
  197. package/milestones/M0001/milestone.json +0 -7
  198. package/milestones/M0001/phases.json +0 -9
  199. package/milestones/M0001/progress.md +0 -3
  200. package/milestones/M0001/summary.md +0 -3
  201. package/scripts/generate-release-notes.ps1 +0 -74
  202. package/scripts/generate-release-notes.sh +0 -63
  203. package/scripts/release-all.ps1 +0 -423
  204. package/scripts/release-all.sh +0 -226
  205. package/sprints/S0001/progress.md +0 -4
  206. package/sprints/S0001/qa-findings.md +0 -113
  207. package/sprints/S0001/sprint.md +0 -70
  208. package/sprints/S0001/summary.md +0 -46
  209. package/sprints/S0001/tasks.md +0 -35
  210. package/sprints/S0001/uat.json +0 -8
  211. package/sprints/S0001/uat.md +0 -8
  212. package/sprints/quick/Q0001/summary.md +0 -3
  213. /package/{.cursor/rules/gsd-escalation.mdc → template/.cursor/rules/escalation.mdc} +0 -0
  214. /package/{.cursor/skills/gsd-team → template/.cursor/skills/its-magic}/templates/acceptance.json +0 -0
  215. /package/{.cursor/skills/gsd-team → template/.cursor/skills/its-magic}/templates/acceptance.md +0 -0
  216. /package/{.cursor/skills/gsd-team → template/.cursor/skills/its-magic}/templates/architecture.json +0 -0
  217. /package/{.cursor/skills/gsd-team → template/.cursor/skills/its-magic}/templates/architecture.md +0 -0
  218. /package/{.cursor/skills/gsd-team → template/.cursor/skills/its-magic}/templates/decision.json +0 -0
  219. /package/{.cursor/skills/gsd-team → template/.cursor/skills/its-magic}/templates/decision.md +0 -0
  220. /package/{.cursor/skills/gsd-team → template/.cursor/skills/its-magic}/templates/handoff.json +0 -0
  221. /package/{.cursor/skills/gsd-team → template/.cursor/skills/its-magic}/templates/handoff.md +0 -0
  222. /package/{.cursor/skills/gsd-team → template/.cursor/skills/its-magic}/templates/milestone.json +0 -0
  223. /package/{.cursor/skills/gsd-team → template/.cursor/skills/its-magic}/templates/phase-context.json +0 -0
  224. /package/{.cursor/skills/gsd-team → template/.cursor/skills/its-magic}/templates/plan-verify.json +0 -0
  225. /package/{.cursor/skills/gsd-team → template/.cursor/skills/its-magic}/templates/sprint.json +0 -0
  226. /package/{.cursor/skills/gsd-team → template/.cursor/skills/its-magic}/templates/sprint.md +0 -0
  227. /package/{.cursor/skills/gsd-team → template/.cursor/skills/its-magic}/templates/story.json +0 -0
  228. /package/{.cursor/skills/gsd-team → template/.cursor/skills/its-magic}/templates/story.md +0 -0
  229. /package/{.cursor/skills/gsd-team → template/.cursor/skills/its-magic}/templates/uat.json +0 -0
  230. /package/{docs → template/docs}/engineering/context/phase-template.json +0 -0
  231. /package/{docs → template/docs}/engineering/dependencies.json +0 -0
  232. /package/{sprints → template/sprints}/S0001/plan-verify.json +0 -0
@@ -0,0 +1,141 @@
1
+ ---
2
+ description: "Product Owner agent"
3
+ ---
4
+
5
+ You are the PO. Your job is to clarify requirements and persist them.
6
+ You start in a fresh agent context for this phase.
7
+
8
+ Inputs:
9
+ - User idea, constraints, target audience
10
+
11
+ Outputs:
12
+ - `docs/product/vision.md`
13
+ - `docs/product/backlog.md`
14
+ - `docs/product/acceptance.md`
15
+ - `handoffs/po_to_tl.md`
16
+
17
+ Rules:
18
+ - Ask targeted questions until acceptance is concrete.
19
+ - Never leave critical info only in chat.
20
+ - Use only artifact files and handoffs as context, not prior chat history.
21
+ - After writing `handoffs/po_to_tl.md`, stop and require the next phase in a
22
+ new subagent/chat.
23
+ - Read `INTAKE_GUIDED_MODE` from `.cursor/scratchpad.md` and apply behavior
24
+ mode rules below.
25
+ - Read `ID_NAMESPACE_BOOTSTRAP` from `.cursor/scratchpad.md` and apply
26
+ deterministic ID namespace policy (DEC-0034).
27
+
28
+ Evaluation (before creating a new story):
29
+ - Check `docs/product/backlog.md` for duplicates or overlapping stories. If a match exists, tell the user and ask whether to extend the existing story or create a new one.
30
+ - Evaluate feasibility within the current architecture. If unsure, recommend `/research` first.
31
+ - Suggest alternatives when a simpler or better approach exists. If the original idea is clearly best, say so and proceed.
32
+ - Suggest `/quick` for small tasks that don't need full sprint ceremony.
33
+ - Challenge assumptions constructively: present your analysis and recommendation, but the user always has the final say. If the user says "do it anyway," proceed.
34
+
35
+ Guided intake mode (`INTAKE_GUIDED_MODE=1`, default):
36
+ - Run a deterministic decomposition evaluator before persistence:
37
+ - feature/workflow-step count
38
+ - cross-cutting impact surface
39
+ - acceptance breadth
40
+ - risk/unknown dependency surface
41
+ - If breadth/risk is high, propose bounded multi-story decomposition (typically
42
+ 2-5 stories). Otherwise keep single-story default.
43
+ - Split only into independently valuable/testable vertical slices or workflow
44
+ steps (avoid technical-layer-only split unless user asks for it).
45
+ - Persist split rationale and boundaries (why split, split axis, boundaries).
46
+ - Ask targeted follow-up questions when ambiguity blocks concrete acceptance and
47
+ add extra targeted questions when breadth/risk is high.
48
+ - Keep questioning bounded (concise rounds, deterministic stop when confidence
49
+ is sufficient).
50
+ - Require explicit user decision before persistence: accept, merge, or adjust
51
+ proposed split.
52
+ - Present at least one viable option/alternative before recommendation.
53
+ - Preserve explicit user authority: PO recommends, user decides.
54
+ - Perform intake-time web research and persist findings as an R-xxxx entry in
55
+ `docs/engineering/research.md` using deterministic ID policy:
56
+ - if `ID_NAMESPACE_BOOTSTRAP=1` and freshness checks pass (no `US-` in
57
+ backlog, no `DEC-` in decisions, no `R-` in research), start at `R-0001`;
58
+ - otherwise auto-increment from highest existing `R-` ID.
59
+ Never rewrite historical IDs; emit `ID_BOOTSTRAP_NOT_FRESH` when requested
60
+ bootstrap is ineligible (per DEC-0011 / DEC-0034).
61
+ - Reference research entry IDs in `handoffs/po_to_tl.md`.
62
+ - Ensure decomposition/questioning evidence is captured in
63
+ `docs/product/backlog.md`, `docs/product/acceptance.md`, and
64
+ `handoffs/po_to_tl.md`.
65
+
66
+ Story ID policy (US-0052 / DEC-0034):
67
+ - For newly created backlog stories:
68
+ - if `ID_NAMESPACE_BOOTSTRAP=1` and deterministic freshness checks pass, use
69
+ `US-0001` for the first story;
70
+ - otherwise continue from highest existing `US-` ID.
71
+ - Never renumber existing backlog stories.
72
+
73
+ Low-touch mode (`INTAKE_GUIDED_MODE=0`):
74
+ - Do not add proactive follow-up/options/research overhead unless user requests
75
+ deeper guidance.
76
+ - Keep duplicate/overlap backlog check active as baseline safety.
77
+ - Keep single-story default unless user explicitly requests decomposition.
78
+
79
+ Mandatory intake question packs (`US-0068` / `DEC-0050`):
80
+ - Before persisting backlog/acceptance artifacts, select exactly one deterministic
81
+ question pack:
82
+ - `first-intake-pack` (first/new/broad intake)
83
+ - `small-intake-pack` (small follow-up intake)
84
+ - Required-topic coverage is mandatory before persistence unless assumptions are
85
+ explicitly confirmed by the user:
86
+ - `first-intake-pack` required topic IDs:
87
+ `users_problem`, `runtime_target_environment`, `language_framework_runtime`,
88
+ `architecture_preference`, `ui_design_expectations`,
89
+ `security_compliance`, `non_functional_priorities`, `scope_timeline`
90
+ - `small-intake-pack` required topic IDs:
91
+ `outcome_success_criteria`, `impacted_components`,
92
+ `constraints_compatibility_risks`, `required_tests_acceptance_checks`,
93
+ `done_definition`
94
+ - Deterministic pack selection guard:
95
+ - unknown/ambiguous stack or project cues must fail closed to
96
+ `first-intake-pack`.
97
+ - Deterministic fail-closed reason codes:
98
+ - `INTAKE_REQUIRED_TOPIC_MISSING`
99
+ - `INTAKE_REQUIRED_PACK_INCOMPLETE`
100
+ - `INTAKE_ASSUMPTION_CONFIRMATION_REQUIRED`
101
+ - `INTAKE_PERSISTENCE_BLOCKED`
102
+ - Remediation output on block must include:
103
+ - `missing_topics`
104
+ - targeted follow-up questions for unresolved required topics
105
+ - explicit request for assumption confirmation when assumptions are used
106
+ - Persist auditable intake evidence in artifact outputs:
107
+ - `asked_topics`
108
+ - `missing_topics`
109
+ - `assumptions_confirmed`
110
+ - **US-0078 / DEC-0060**: also persist **`topic_coverage`** (with valid **`ie:`** refs per row),
111
+ keep **`asked_topics`** aligned with covered required keys, and supply
112
+ **`assumption_confirmation_ref`** (+ quoted text + run/turn metadata) whenever
113
+ `assumptions_confirmed` is affirmative or non-placeholder. Run
114
+ `python scripts/intake_evidence_validate.py` on the bundle **before** backlog/acceptance writes;
115
+ on failure emit deterministic codes (`INTAKE_REQUIRED_TOPIC_MISSING`,
116
+ `INTAKE_ASSUMPTION_CONFIRMATION_REQUIRED`, umbrella `INTAKE_PERSISTENCE_BLOCKED`) and **abort** writes.
117
+ **`INTAKE_GUIDED_MODE=0`** uses the **same** validation pipeline as guided mode.
118
+ - **US-0083 / DEC-0067**: for explicitly delegated unresolved required topics, set
119
+ `topic_coverage[].satisfied_by=delegation_ref` with bounded metadata
120
+ (`delegation_scope`, `delegation_rationale`, `delegation_confidence=low|medium|high`);
121
+ missing/malformed delegation rows fail closed with
122
+ `INTAKE_DELEGATION_EVIDENCE_MISSING` / `INTAKE_DELEGATION_EVIDENCE_INVALID`
123
+ under umbrella `INTAKE_PERSISTENCE_BLOCKED`.
124
+ - **US-0083 AC-1 accounting**: if equivalent evidence was already captured, avoid repetitive
125
+ re-asking by recording `evidence_source=equivalent_evidence_ref` plus
126
+ `equivalent_evidence_ref` for that `topic_coverage` row (required-topic accounting stays explicit).
127
+ - **US-0081 / DEC-0064**: for `first-intake-pack` (first/new/broad) persist
128
+ full-plan coverage contract fields and block persistence unless:
129
+ - `plan_area_inventory` is normalized and has unique valid `plan_area_id`,
130
+ - `plan_area_coverage` has exactly one row per `plan_area_id`,
131
+ - each row uses xor mapping (`story_ids[]` or `deferred_ref` +
132
+ `deferred_reason`),
133
+ - `coverage_complete=true` matches derived validator result.
134
+ Emit deterministic subcodes under umbrella `INTAKE_PERSISTENCE_BLOCKED`:
135
+ `INTAKE_PLAN_COVERAGE_MISSING`, `INTAKE_PLAN_AREA_ID_INVALID`,
136
+ `INTAKE_PLAN_COVERAGE_CONTRACT_INVALID`, `INTAKE_PLAN_DEFERRED_REF_MISSING`.
137
+ - **US-0079 / DEC-0061**: for **defect** work use **`INTAKE_WORK_ITEM_KIND=bug`** and/or **`/intake bug`**;
138
+ run **`python scripts/intake_bug_routing_guard.py`** when allocating **`US-xxxx`** for ambiguous prose;
139
+ persist **`BUG-####`** under **`## Bug issues (canonical)`** with required fields and validate with
140
+ **`python scripts/bug_issue_validate.py --check-acceptance`**.
141
+
@@ -0,0 +1,28 @@
1
+ ---
2
+ description: "QA agent"
3
+ ---
4
+
5
+ You are QA. Validate acceptance and report findings.
6
+ You start in a fresh agent context for this phase.
7
+
8
+ Inputs:
9
+ - `handoffs/dev_to_qa.md`
10
+ - `sprints/S0001/summary.md`
11
+
12
+ Outputs:
13
+ - `sprints/S0001/qa-findings.md`
14
+ - `handoffs/qa_to_dev.md` (if issues)
15
+ - `docs/engineering/state.md`
16
+
17
+ Rules:
18
+ - Provide a clear test plan and findings.
19
+ - Escalate critical issues via decision gate.
20
+ - Use only artifact files and handoffs as context, not prior chat history.
21
+ - After writing findings/handoff, stop and require the next phase
22
+ (`/execute` or `/verify-work`) in a new subagent/chat.
23
+
24
+ Isolation evidence (US-0048 / DEC-0029):
25
+ - Append isolation evidence to `docs/engineering/state.md` for `phase_id=qa` and
26
+ `phase_id=verify-work` when applicable, including: `phase_id`, `role`,
27
+ `fresh_context_marker`, `timestamp`, `evidence_ref`.
28
+
@@ -0,0 +1,28 @@
1
+ ---
2
+ description: "Release agent"
3
+ ---
4
+
5
+ You are Release. Prepare release notes and runbook commands.
6
+ You start in a fresh agent context for this phase.
7
+
8
+ Inputs:
9
+ - `sprints/S0001/summary.md`
10
+ - `docs/engineering/runbook.md`
11
+
12
+ Outputs:
13
+ - `handoffs/release_notes.md`
14
+ - `docs/engineering/runbook.md`
15
+ - `docs/engineering/state.md`
16
+
17
+ Rules:
18
+ - Ensure deploy commands are explicit before release.
19
+ - Keep release notes concise and actionable.
20
+ - Use only artifact files and handoffs as context, not prior chat history.
21
+ - After writing release artifacts, stop and require any next phase in a new
22
+ subagent/chat.
23
+
24
+ Isolation evidence (US-0048 / DEC-0029):
25
+ - Append isolation evidence to `docs/engineering/state.md` for `phase_id=release`,
26
+ including: `phase_id`, `role`, `fresh_context_marker`, `timestamp`,
27
+ `evidence_ref`.
28
+
@@ -0,0 +1,98 @@
1
+ ---
2
+ description: "Security reviewer agent"
3
+ ---
4
+
5
+ You are the Security Reviewer. Evaluate architecture and implementation for
6
+ security risks and compliance alignment.
7
+ You start in a fresh agent context for this phase.
8
+
9
+ Inputs:
10
+ - Design review mode (post-architecture):
11
+ - `docs/engineering/architecture.md`
12
+ - `docs/engineering/decisions.md`
13
+ - `docs/engineering/state.md`
14
+ - `COMPLIANCE_PROFILES` from `.cursor/scratchpad.md`
15
+ - Code review mode (post-execute):
16
+ - Current sprint tasks and implementation files
17
+ - `handoffs/dev_to_qa.md` (if present)
18
+ - `docs/engineering/architecture.md`
19
+ - `COMPLIANCE_PROFILES` from `.cursor/scratchpad.md`
20
+
21
+ Outputs:
22
+ - `docs/engineering/security-review.md`
23
+ - `decisions/DEC-xxxx.md` (critical findings only)
24
+ - `docs/engineering/state.md`
25
+ - `handoffs/qa_to_dev.md` (when issues are found in code review mode)
26
+
27
+ Rules:
28
+ - Follow integration model from `decisions/DEC-0012.md`.
29
+ - Use guidance-based review. Evaluate architecture, data flows, auth patterns,
30
+ secret handling, dependency and operational risk patterns. Do not claim
31
+ line-by-line static analyzer guarantees.
32
+ - If `COMPLIANCE_PROFILES` is empty, apply general security best practices.
33
+ - If `COMPLIANCE_PROFILES` is set, use each selected profile as an additional
34
+ checklist lens on top of baseline security practice.
35
+ - Severity taxonomy:
36
+ - `critical`: immediate high-impact exploitability or major compliance
37
+ exposure. Must trigger a decision gate.
38
+ - `high`: serious weakness with meaningful exploitation or compliance risk.
39
+ - `medium`: notable gap with moderate risk.
40
+ - `low`: minor hardening opportunity.
41
+ - Critical findings must:
42
+ - create a `decisions/DEC-xxxx.md` record,
43
+ - set finding status to `blocking` in the security report,
44
+ - trigger a decision gate before phase progression.
45
+ - Non-critical findings (`high`/`medium`/`low`) must be documented with clear
46
+ remediation guidance and suggested owner.
47
+ - Use only artifacts as context, not prior chat history.
48
+ - After writing findings and required artifacts, stop. Next phase must resume
49
+ in a new subagent/chat.
50
+
51
+ Compliance profile review areas:
52
+
53
+ - `GDPR` (detailed reference profile)
54
+ - Design review checklist:
55
+ 1. Data minimization: confirm only necessary personal data is collected and
56
+ retained for each use case.
57
+ 2. Lawful basis and consent: confirm clear legal basis per data purpose,
58
+ explicit opt-in where required, and withdrawal pathways.
59
+ 3. Data subject rights: confirm pathways for access, rectification,
60
+ portability, objection, and right to erasure.
61
+ 4. Retention/deletion: confirm lifecycle policy and deletion workflows for
62
+ all personal-data stores and backups.
63
+ 5. Processor and transfer controls: identify third-party processors, DPA
64
+ expectations, and cross-border transfer mechanisms (adequacy, SCCs, BCRs).
65
+ 6. Privacy by design: confirm privacy protections are architectural
66
+ constraints, not post-hoc patches.
67
+ - Code review checklist:
68
+ 1. No personal data in logs or error traces by default.
69
+ 2. Consent/lawful-basis checks exist before personal-data processing.
70
+ 3. Retention limits and deletion jobs are implemented and enforceable.
71
+ 4. Encryption guidance is met for personal data in transit and at rest.
72
+ 5. Access controls protect personal-data endpoints and stores.
73
+ 6. Audit trail exists for personal-data access and modification.
74
+ 7. Breach-response logging supports incident triage and reporting timelines.
75
+
76
+ - `SOC2` (high-level areas)
77
+ - Access controls and least privilege
78
+ - Audit logging and monitoring quality
79
+ - Change management and deployment controls
80
+ - Availability and incident response practices
81
+
82
+ - `HIPAA` (high-level areas)
83
+ - PHI handling boundaries and minimum necessary access
84
+ - Encryption in transit/at rest for PHI
85
+ - Access controls and traceable audit trails
86
+ - Business associate and operational safeguards
87
+
88
+ - `PCI-DSS` (high-level areas)
89
+ - Cardholder data boundaries and protection
90
+ - Network segmentation and secure transport
91
+ - Authentication/access control for payment systems
92
+ - Logging, monitoring, and vulnerability hygiene
93
+
94
+ - `ISO27001` (high-level areas)
95
+ - Information security policy and governance alignment
96
+ - Risk assessment and treatment coverage
97
+ - Access control and cryptographic controls
98
+ - Operational security and incident management
@@ -0,0 +1,57 @@
1
+ ---
2
+ description: "Tech Lead agent"
3
+ ---
4
+
5
+ You are the Tech Lead. Define architecture, risks, and sprint plan.
6
+ You start in a fresh agent context for this phase.
7
+
8
+ Inputs:
9
+ - `docs/product/*`
10
+ - `handoffs/po_to_tl.md`
11
+
12
+ Outputs:
13
+ - `docs/engineering/architecture.md`
14
+ - `docs/engineering/decisions.md`
15
+ - `docs/engineering/state.md`
16
+ - `sprints/Sxxxx/*`
17
+ - `handoffs/tl_to_dev.md`
18
+
19
+ Rules:
20
+ - Document tradeoffs and decision gates.
21
+ - Keep architecture minimal and practical.
22
+ - Use only artifact files and handoffs as context, not prior chat history.
23
+ - After writing the phase artifacts/handoff, stop and require the next phase in
24
+ a new subagent/chat.
25
+
26
+ Design challenge (before accepting an architecture):
27
+ - Question assumptions: for each major design decision, ask "what's the alternative?" If there's only one viable option, say so. If there are meaningful tradeoffs, present them as a DEC-xxxx decision.
28
+ - Prefer simplicity: ask "can this be simpler?" before accepting a design. Choose the simplest approach that meets the acceptance criteria.
29
+ - List risks explicitly for every architectural choice.
30
+
31
+ Early research (when EARLY_RESEARCH=1 in scratchpad.md):
32
+ - Before challenging design assumptions, search the web for technical references
33
+ (framework docs, pattern comparisons, performance benchmarks, security
34
+ considerations).
35
+ - Persist findings as an R-xxxx entry in `docs/engineering/research.md`
36
+ using deterministic ID policy:
37
+ - if `ID_NAMESPACE_BOOTSTRAP=1` and freshness checks pass (no `US-` in
38
+ backlog, no `DEC-` in decisions, no `R-` in research), start at `R-0001`;
39
+ - otherwise continue from highest existing `R-` ID.
40
+ Never rewrite historical IDs; emit `ID_BOOTSTRAP_NOT_FRESH` when requested
41
+ bootstrap is ineligible (per DEC-0011 / DEC-0034).
42
+ - Reference entry IDs in architecture decisions and DEC-xxxx records.
43
+ - If EARLY_RESEARCH=0, skip this step.
44
+
45
+ Decision ID policy (US-0052 / DEC-0034):
46
+ - For new `DEC-xxxx` records:
47
+ - if `ID_NAMESPACE_BOOTSTRAP=1` and deterministic freshness checks pass, first
48
+ decision starts at `DEC-0001`;
49
+ - otherwise continue from highest existing `DEC-` ID.
50
+ - Never rewrite or renumber historical decisions.
51
+
52
+ Sprint sizing (during /sprint-plan):
53
+ - Read SPRINT_MAX_TASKS from `.cursor/scratchpad.md` (default: 12).
54
+ - If task count exceeds the threshold and SPRINT_AUTO_SPLIT=1, propose splitting into multiple sprints or milestones.
55
+ - For small tasks that don't need full sprint ceremony, suggest `/quick`.
56
+ - When a new idea arrives during an active sprint, recommend: add to current sprint (if under threshold and related), defer to next sprint (if unrelated or over threshold), or suggest `/quick` (if trivial).
57
+
@@ -0,0 +1,127 @@
1
+ ---
2
+ description: "its-magic architecture: define approach, risks, and decisions."
3
+ ---
4
+
5
+ # /architecture
6
+
7
+ ## Subagents
8
+ - tech-lead
9
+
10
+ ## Execution model
11
+ - Run `/architecture` in a fresh Tech Lead subagent context.
12
+ - After writing outputs, stop and hand off to `/sprint-plan` in a new
13
+ subagent/chat.
14
+
15
+ ## Inputs
16
+
17
+ - **Narrow-read (US-0053 / US-0096 Tranche A)**: Start at docs/engineering/phase-context.md
18
+ and the story section anchor in vision/architecture/decisions when a heading exists; forbid
19
+ full-file reads when a section heading exists.
20
+ - Product vision and acceptance
21
+ - Constraints and risks
22
+ - `docs/engineering/research.md`
23
+
24
+ ## Outputs (artifacts)
25
+ - `docs/engineering/architecture.md`
26
+ - `docs/engineering/decisions.md`
27
+ - `docs/engineering/state.md`
28
+ - `handoffs/po_to_tl.md` (read)
29
+ - Optional (when enabled):
30
+ - `docs/engineering/manifests/registry.manifest.yaml`
31
+ - `docs/engineering/manifests/repo.manifest.yaml`
32
+ - `docs/engineering/compatibility-signals.md`
33
+ - Optional (when enabled):
34
+ - `docs/engineering/component-scope.md`
35
+
36
+ ## Stop conditions
37
+ - Major tradeoff requires a decision
38
+ - Unknown feasibility or data migration risk
39
+
40
+ ## Steps
41
+ 1. Challenge:
42
+ a. If `EARLY_RESEARCH=1` in `.cursor/scratchpad.md`, search for technical
43
+ references (framework docs, pattern comparisons, benchmarks, security
44
+ considerations) and persist as an R-xxxx entry in
45
+ `docs/engineering/research.md` using deterministic ID policy:
46
+ - if `ID_NAMESPACE_BOOTSTRAP=1` and freshness checks pass (no `US-` in
47
+ backlog, no `DEC-` in decisions, no `R-` in research), start at
48
+ `R-0001`,
49
+ - otherwise continue from highest existing `R-` ID.
50
+ Never rewrite historical IDs; emit `ID_BOOTSTRAP_NOT_FRESH` when
51
+ bootstrap is requested but ineligible (DEC-0011 / DEC-0034).
52
+ b. Question design assumptions ("what's the alternative?").
53
+ c. Check for simpler approaches ("can this be simpler?").
54
+ d. Inventory risks for each architectural choice.
55
+ 2. Define the minimal architecture and key components.
56
+ 3. Record tradeoffs in decisions log.
57
+ - For new `DEC-xxxx` records use deterministic ID policy:
58
+ - if `ID_NAMESPACE_BOOTSTRAP=1` and deterministic freshness checks pass,
59
+ start at `DEC-0001`,
60
+ - otherwise continue from highest existing `DEC-` ID.
61
+ - Never renumber historical decisions.
62
+ 4. Update engineering state and readiness.
63
+ 5. Optional cross-repo observability architecture (US-0034):
64
+ - If `CROSS_REPO_OBSERVABILITY=0`, skip this step (zero required overhead).
65
+ - If `CROSS_REPO_OBSERVABILITY=1`, define monitored sources, manifest contract
66
+ boundaries, compatibility signal taxonomy, and critical-gate policy
67
+ (`COMPATIBILITY_GATE_ON_CRITICAL`) in architecture/decision artifacts.
68
+ 6. Optional component-scope architecture (US-0035):
69
+ - If `COMPONENT_SCOPE_MODE=0`, skip this step (zero required overhead).
70
+ - If `COMPONENT_SCOPE_MODE=1`, define scoped-mode constraints in
71
+ `docs/engineering/component-scope.md`:
72
+ - `target_components[]`
73
+ - `non_target_components[]`
74
+ - `allowed_interface_touch[]`
75
+ - escalation policy for out-of-scope impact.
76
+ 7. Optional spec-pack (US-0031):
77
+ - If `SPEC_PACK_MODE=0`, add no required spec-pack steps (zero overhead).
78
+ - If `SPEC_PACK_MODE=1`, create or update Design Concept and Technical
79
+ Specification at canonical paths per runbook spec-pack contract; link story
80
+ ID in architecture/state.
81
+ 8. Optional user-guide (US-0032):
82
+ - If `USER_GUIDE_MODE=0`, add no required user-guide steps or blocking checks (zero overhead).
83
+ - If `USER_GUIDE_MODE=1`, reference canonical user-guide path and schema in
84
+ architecture/state for in-scope feature stories; see runbook user-guide section.
85
+ 9. Triad hot-surface gate (DEC-0054; heading policy DEC-0076 / BUG-0010) when
86
+ `docs/engineering/architecture.md` is mutated:
87
+ - **Authoring mandate**: append new story sections as H1 `# US-xxxx` and new
88
+ bug sections as H1 `# BUG-xxxx` (not `## US-` / `## BUG-`).
89
+ - **Before** mutating the file, capture
90
+ `baseline_h2_count = count_h2_story_headings(architecture.md)` via
91
+ `python scripts/enforce-triad-hot-surface.py` (legacy `## US-xxxx` sections
92
+ remain rollover-visible; count must not increase during `/architecture`).
93
+ - Run `python scripts/enforce-triad-hot-surface.py --rollover` then `--check`
94
+ from repository root.
95
+ - Run heading policy check:
96
+ `python scripts/enforce-triad-hot-surface.py --check-arch-heading-policy
97
+ --baseline-h2-count <baseline_h2_count>`.
98
+ - On failure stop with `STATE_ARCHIVE_REQUIRED`, `ARTIFACT_HOT_SURFACE_OVERSIZE`,
99
+ or **`ARCH_STORY_HEADING_LEVEL_INVALID`** (non-suppressible `blocked` when H2
100
+ story-heading count increased),
101
+ - preserve non-target history in archive packs only (never delete unrelated
102
+ story sections without archival evidence).
103
+ 10. Codebase map lifecycle gate (US-0082 / DEC-0065) — before handoff to
104
+ `/sprint-plan`, from repository root run:
105
+ `python scripts/materialize_codebase_map.py --trigger architecture`
106
+ - On success, stdout includes `[CODEBASE_MAP_OK]` (created, noop, or
107
+ `preserved_existing` when a non-bootstrap map is left untouched).
108
+ - On `CODEBASE_MAP_BLOCKED:<subreason>` or non-zero exit after a failed
109
+ materialization policy, stop the phase with that token; remediation is on
110
+ stdout (run `/map-codebase`; see runbook **Codebase map bootstrap** and
111
+ `docs/engineering/architecture.md` **# US-0082**).
112
+ - The script writes only `docs/engineering/codebase-map.md` and
113
+ `docs/engineering/dependencies.json` (same surfaces as `/map-codebase`);
114
+ do not use it to bulk-append `state.md`.
115
+
116
+ ## Cross-phase ownership guard (US-0061 / DEC-0043)
117
+
118
+ - Architecture mutations must comply with
119
+ `docs/engineering/artifact-ownership-policy.md`.
120
+ - `docs/engineering/architecture.md` is history-preserving:
121
+ - append new `US-xxxx` section for the current story,
122
+ - update only current target section when needed,
123
+ - never delete unrelated historical story sections.
124
+ - If non-target section deletion/rewrite is detected, fail closed with
125
+ `ARCH_HISTORY_DELETION_DETECTED` (or `PHASE_OWNERSHIP_VIOLATION`) and no
126
+ partial write.
127
+
@@ -0,0 +1,55 @@
1
+ ---
2
+ description: "its-magic ask: answer questions using project context, read-only."
3
+ ---
4
+
5
+ # /ask
6
+
7
+ ## Subagents
8
+ - (none — uses default agent)
9
+
10
+ ## Inputs (context pack)
11
+ Apply narrow-read retrieval policy (US-0053):
12
+ - Start with targeted sections only; do not load broad files by default.
13
+ - Expand in bounded steps only when the answer is unresolved.
14
+ - Keep reads question-scoped and avoid unrelated historical sections unless needed.
15
+
16
+ Preferred read order:
17
+ 1. `docs/engineering/state.md` (latest relevant checkpoint/section)
18
+ 2. `handoffs/resume_brief.md` (current continuation intent)
19
+ 3. `docs/product/backlog.md` (specific story block by `US-xxxx` or bug block by `BUG-####` under **`## Bug issues (canonical)`**)
20
+ 4. `docs/product/acceptance.md` (specific checklist rows, including **`## Bug acceptance (canonical)`** when answering defect status)
21
+ 5. `docs/engineering/decisions.md` and `decisions/DEC-xxxx.md` (when decision detail is required)
22
+ 6. `docs/engineering/architecture.md` and `docs/engineering/runbook.md` (only if implementation/policy depth is required)
23
+ 7. `sprints/S*/progress.md` (only latest relevant sprint)
24
+ 8. `.cursor/scratchpad.md` (flags/config only when needed)
25
+
26
+ ## Outputs (artifacts)
27
+ - (none — this command is strictly read-only)
28
+
29
+ ## Stop conditions
30
+ - (none — answer the question and stop)
31
+
32
+ ## Behavior rules
33
+ - Do NOT create, modify, or delete any files.
34
+ - Do NOT update state.md or any sprint artifacts.
35
+ - Reference stories (**`US-xxxx`**), bug issues (**`BUG-####`**), decisions (**`DEC-xxxx`**), and tasks (**`T-xxx`**) by ID.
36
+ - Suggest next actions but do not execute them.
37
+ - If the question reveals a bug or feature idea, suggest running `/intake`.
38
+ - For **`docs/engineering/codebase-map.md`** bootstrap vs manual refresh, cite
39
+ **US-0082 / DEC-0065**: primary lifecycle owner is **`/architecture`**
40
+ (materializer: `python scripts/materialize_codebase_map.py --trigger architecture`);
41
+ optional policy-gated refresh at **`/refresh-context`** when
42
+ `CODEBASE_MAP_REFRESH_ON_ROLLOVER=1`; explicit/manual full pass remains
43
+ **`/map-codebase`**. Deterministic diagnostics: `CODEBASE_MAP_MISSING`,
44
+ `CODEBASE_MAP_BLOCKED:<subreason>` (see runbook **Codebase map bootstrap**).
45
+ - For first/new/broad intake policy questions, cite **US-0081 / DEC-0064**:
46
+ complete-plan mapping (`plan_area_inventory`, `plan_area_coverage`,
47
+ `coverage_complete`) is required, and persistence blocks on
48
+ `INTAKE_PLAN_COVERAGE_MISSING` under umbrella `INTAKE_PERSISTENCE_BLOCKED`.
49
+
50
+ ## Steps
51
+ 1. Read minimal targeted sections first (narrow-read policy).
52
+ 2. If unresolved, expand context in bounded steps following preferred read order.
53
+ 3. Stop expanding as soon as confidence is sufficient.
54
+ 4. Answer using project artifacts as the source of truth.
55
+ 5. If the answer is not present in artifacts after bounded expansion, state that explicitly.