kenmark-skills 1.0.0

package/skills/user-skills/issues-list/SKILL.md

@@ -0,0 +1,180 @@
+---
+name: issues-list
+preamble-tier: 2
+version: 1.0.0
+description: |
+  Display all open issues from brain/issues/ in a table grouped by area/type,
+  with columns for ID, Priority, and Title. Use when asked to "list issues",
+  "show issues", "issues dashboard", or "show all issues by type".
+allowed-tools:
+  - Bash
+  - Read
+  - Grep
+  - Glob
+triggers:
+  - list issues
+  - show issues
+  - issues dashboard
+  - show all issues by type
+  - issues by area
+  - issues by priority
+---
+
+# Issues List — Grouped by Area/Type
+
+## Purpose
+
+Read all open issues from `brain/issues/INDEX.md` and display them in a
+well-structured table grouped by area (api, database, security, ui, worker,
+testing, maintainability, connectors, oauth, dsl), sorted by priority within
+each group.
+
+---
+
+## Step 1 — Read INDEX.md
+
+```bash
+ISSUES_DIR="$(git rev-parse --show-toplevel 2>/dev/null)/brain/issues"
+cat "$ISSUES_DIR/INDEX.md"
+```
+
+Parse:
+- Each issue's ID, severity (P0/P1/P2), area, and title
+- Completed count from the overview table
+
+---
+
+## Step 2 — Display grouped table
+
+Group issues by `area` tag. Within each area group, sort by priority
+(P0 → P1 → P2), then by ID ascending.
+
+Output format:
+
+```
+ISSUES DASHBOARD — {date}
+════════════════════════════════════════════════════════════════════
+
+🔴 api (1 P0 | 0 P1 | 0 P2)
+─────────────────────────────────────────────────────────────────
+ ID   Prio  Title
+───  ────  ───────────────────────────────────────────────────────
+001  P0    Client UI still calls deleted /api/connections routes
+
+🟡 database (1 P0 | 3 P1 | 0 P2)
+─────────────────────────────────────────────────────────────────
+ ID   Prio  Title
+───  ────  ───────────────────────────────────────────────────────
+013  P0    Prisma Credential model has no migration from legacy Connection table
+014  P1    connector_poll_state migration uses connectionId; schema uses credentialId
+021  P1    connector_event_deliveries migration indexes connectionId not credentialId
+
+🔴 security (2 P0 | 5 P1 | 2 P2)
+─────────────────────────────────────────────────────────────────
+ ID   Prio  Title
+───  ────  ───────────────────────────────────────────────────────
+016  P0    Connector-event HTTP ingest accepts unauthenticated POST when signatureScheme: 'none'
+017  P0    Google OAuth callback allows open redirect via returnTo in signed state
+018  P1    Connector-event HMAC verification stub always returns false
+019  P1    connector-event verifyHmacSha256 weaker than webhook-service
+020  P1    Connector-event ingest allows unbounded replay without Idempotency-Key
+023  P2 Credential test API returns raw err.message in 500 responses
+024  P1    Google OAuth callback always creates new credential (no dedupe by Google sub)
+026  P2    Public connector-event ingest has no rate limiting beyond 5MB
+
+🟡 worker (0 P0 | 3 P1 | 1 P2)
+─────────────────────────────────────────────────────────────────
+ ID   Prio  Title
+───  ────  ───────────────────────────────────────────────────────
+012  P1    Worker still queries removed Prisma Connection model and encryptedCredentials
+022  P1    Worker poller parses connectionId; web stores credentialId
+025  P1    Worker FakePrisma still mocks connection; tests pass while typecheck fails
+027  P2    Worker README and registry errors still describe Connection model
+
+🟡 testing (1 P0 | 6 P1 | 3 P2)
+─────────────────────────────────────────────────────────────────
+ ID   Prio  Title
+───  ────  ───────────────────────────────────────────────────────
+030  P0    E2E connections.spec.ts still calls deleted /api/connections
+031  P1    Missing API route tests for GET/POST /api/credentials
+032  P1    Missing API route tests for credentials/[id] DELETE and test POST
+033  P1    credential-service.test.ts missing listCredentials/getCredential/setStatus/validate coverage
+034  P1    FakePrisma credential.findMany ignores id: { in } filter
+035  P2    connector-event ingest test passes connectionId not credentialId
+036  P1    Missing HTTP tests for connector-events credentialId ingest route
+037  P1    Missing route tests for Google OAuth callback and Sheets credential APIs
+028  P2    credential-service update/test use Prisma where id only (defense in depth)
+
+🟡 ui (1 P0 | 1 P1 | 22 P2)
+─────────────────────────────────────────────────────────────────
+ ID   Prio  Title
+───  ────  ───────────────────────────────────────────────────────
+003  P0    CTAs link to /credentials/new but no App Router page exists
+007  P1    App shell nav still labeled "Connections" with /connections href
+008  P2    Workflow triggers empty state links to non-existent /credentials
+009  P2    UI still uses Connection* component and type names for credentials
+010  P2    Stale "connections" comments in OAuth routes and GoogleSheetsPicker
+011  P2    connector-event-service retains ConnectionRow internal naming
+038  P2    Event delivery run links use unsupported /runs?run= query
+039  P2    Dashboard and connectors status chips use legacy "Connection" wording
+040  P2    Dashboard connector library rows lack credential navigation
+041  P2    Connectors catalog rows lack per-connector credential actions
+042  P2    Google Sheets import picker Selects lack accessible labels
+043  P2    Credential delete dialog confirm field has aria-label only
+044  P2    Credential test button loses accessible name while loading
+045  P2    Event deliveries panel sits outside credential detail layout shell
+046  P2    Agent conversation tabs nest close buttons inside tab labels
+047  P2    Credentials list page missing breadcrumb trail
+048  P2    Dashboard hero CTA uses full-bleed primary card styling
+049  P2    Dashboard misstates connector catalogue completeness
+050  P2    List pages use CercliDataGrid vs raw table decision needed
+051  P2    Runs table displays opaque UUIDs instead of friendly identifiers
+052  P2    Trigger row icon buttons lack aria labels
+053  P2    Agent page skips PageHeader breadcrumb
+054  P2    Nav group labels appear below overline per spec
+055  P2    Governance tables use icon-only actions without labels
+056  P2    Dashboard runs display ISO timestamps instead of relative time
+057  P2    Runs filter chips confusing remove vs navigate behavior
+058  P2    Credentials empty state shows orphan card
+
+🟡 dsl (0 P0 | 1 P1 | 0 P2)
+─────────────────────────────────────────────────────────────────
+ ID   Prio  Title
+───  ────  ───────────────────────────────────────────────────────
+015  P1    Workflow DSL still uses connectionRef and missing_connection for credential IDs
+
+🟡 connectors (0 P0 | 0 P1 | 1 P2)
+─────────────────────────────────────────────────────────────────
+ ID   Prio  Title
+───  ────  ───────────────────────────────────────────────────────
+029  P2    Google Workspace connector comments reference removed Connection model
+
+════════════════════════════════════════════════════════════════════
+Total open: 54 |  Completed: 4
+```
+
+**Area color coding:**
+- 🔴 = area has any P0 issues (critical — fix first)
+- 🟡 = area has P1/P2 only (high/medium priority)
+- ⚪ = area has no open issues
+
+---
+
+## Step 3 — Workstream summary
+
+At the bottom, show a compact workstream view grouping cross-area issues
+by root cause:
+
+```
+WORKSTREAMS
+─────────────────────────────────────────────────────────────────
+ Security (HMAC, open redirect, error leaks)     016, 017, 018, 019, 023, 024, 026
+ Worker package (stale model, poller mismatch)   012, 022, 025, 027
+ Database migrations (connectionId→credentialId) 013, 014, 021
+ DSL vocabulary (connectionRef rename)            015
+ UI rename (connections→credentials pages)      001, 003, 007, 008, 038, 039, 040, 041, 047, 048, 049, 050, 051, 052, 053, 054, 055, 056, 057, 058
+ UI component naming (stale Connection* names)   009, 010, 011
+ Test gaps (missing API, service, route tests)    028, 030, 031, 032, 033, 034, 035, 036, 037
+ Accessibility (a11y labels, contrast, layout)   042, 043, 044, 045, 046, 052, 054, 055
+════════════════════════════════════════════════════════════════════
+```

package/skills/user-skills/issues-maintenance/SKILL.md

@@ -0,0 +1,252 @@
+---
+name: issues-maintenance
+preamble-tier: 2
+version: 1.0.0
+description: |
+  Audit brain/issues/ for structural health: missing files, duplicate IDs across
+  open/completed, stale frontmatter (wrong status), INDEX.md drift from reality,
+  and orphaned completed issues never added to INDEX. Use when asked to
+  "check issues health", "audit issues", "fix issues tracking", or "issues maintenance".
+allowed-tools:
+  - Bash
+  - Read
+  - Glob
+  - Grep
+triggers:
+  - issues health
+  - check issues tracking
+  - audit issues
+  - fix issues tracking
+  - issues maintenance
+  - fix duplicate issues
+  - issues cleanup
+---
+
+# Issues Maintenance — Health Check & Repair
+
+## Purpose
+
+Audit and fix structural problems in `brain/issues/` tracking. This skill
+catches the four categories of drift that accumulate over time:
+
+1. **Duplicates** — same issue ID exists in both `brain/issues/` (open) and
+   `brain/issues/completed/` (completed) — one must be removed
+2. **INDEX drift** — INDEX.md says an issue is completed but the file is still
+   in `brain/issues/`, or says open but file only exists in `completed/`
+3. **Missing fronts matter** — issue files missing required frontmatter fields
+   (id, title, severity, area, status) or with invalid values
+4. **Orphan completed** — files in `completed/` not listed in INDEX.md
+   Completed table
+
+---
+
+## Step 1 — Enumerate all issue IDs
+
+```bash
+ISSUES_DIR="$(git rev-parse --show-toplevel 2>/dev/null)/brain/issues"
+
+# All IDs in open folder
+ls "$ISSUES_DIR"/[0-9]*.md 2>/dev/null | xargs -I{} basename {} .md | \
+  sed 's/-.*//' | sort -n > /tmp/open_ids.txt
+
+# All IDs in completed folder
+ls "$ISSUES_DIR/completed"/[0-9]*.md 2>/dev/null | xargs -I{} basename {} .md | \
+  sed 's/-.*//' | sort -n > /tmp/completed_ids.txt
+
+# IDs marked completed in INDEX.md
+grep '^\[0' "$ISSUES_DIR/INDEX.md" | sed 's/.*\[\(.*\)\](.*/\1/' | \
+  sed 's/^0*//' | grep '^[0-9]' | sort -n > /tmp/index_completed_ids.txt
+
+echo "OPEN count: $(wc -l < /tmp/open_ids.txt)"
+echo "COMPLETED count: $(wc -l < /tmp/completed_ids.txt)"
+echo "INDEX completed count: $(wc -l < /tmp/index_completed_ids.txt)"
+```
+
+---
+
+## Step 2 — Detect duplicate IDs (open AND completed)
+
+```bash
+comm -12 /tmp/open_ids.txt /tmp/completed_ids.txt
+```
+
+Any output = that issue ID exists in both folders. This is the most common
+drift. For each duplicate:
+- If the issue is truly **completed**: the open file in `brain/issues/` is
+  wrong — delete it with `rm brain/issues/<file>`
+- If the issue is truly **open**: the completed copy is wrong — delete it with
+  `rm brain/issues/completed/<file>`
+- When in doubt, check the file's frontmatter `status:` field
+
+If duplicates are found, after fixing run:
+
+```bash
+git add -u brain/issues/completed/
+git commit -m "fix(brain): remove duplicate completed issue files
+
+The brain/issues/completed/ folder had accumulated duplicate copies of
+issues that already existed in brain/issues/ (open issues being tracked).
+Keep only truly completed issues in completed/; open issues remain in
+brain/issues/ per the established structure."
+```
+
+---
+
+## Step 3 — Check INDEX drift
+
+Find IDs that INDEX says are completed but still have an open file:
+
+```bash
+comm -12 /tmp/index_completed_ids.txt /tmp/open_ids.txt
+```
+
+Find IDs that INDEX says are open but only exist in completed/ (forgot to
+move to completed/ folder):
+
+```bash
+comm -23 /tmp/index_completed_ids.txt /tmp/open_ids.txt | \
+  while read id; do
+    if ! ls brain/issues/${id}*.md 2>/dev/null | grep -q .; then
+      echo "$id — in INDEX as completed but no open file (OK to leave)"
+    fi
+  done
+```
+
+Find IDs in the open folder that are NOT in INDEX's active list (forgot to
+close or add to completed):
+
+```bash
+# Get active IDs from INDEX P0/P1/P2 tables
+grep '^\[0' "$ISSUES_DIR/INDEX.md" | grep -v 'completed/' | \
+  sed 's/.*\[\(.*\)\](.*/\1/' | sed 's/^0*//' | grep '^[0-9]' | \
+  sort -n > /tmp/index_active_ids.txt
+
+comm -23 /tmp/open_ids.txt /tmp/index_active_ids.txt
+```
+
+These IDs are in the open folder but not listed as active in INDEX — either
+they were completed and not moved to `completed/`, or they're brand new and
+need adding to INDEX.
+
+---
+
+## Step 4 — Frontmatter validation
+
+For each issue file (both `brain/issues/` and `brain/issues/completed/`),
+validate the frontmatter has required fields and valid values.
+
+```bash
+for f in brain/issues/[0-9]*.md brain/issues/completed/[0-9]*.md; do
+  id=$(basename "$f" .md | sed 's/-.*//')
+  status=$(grep '^status:' "$f" 2>/dev/null | awk '{print $2}')
+  severity=$(grep '^severity:' "$f" 2>/dev/null | awk '{print $2}')
+  area=$(grep '^area:' "$f" 2>/dev/null | awk '{print $2}')
+
+  # Check for missing fields
+  if [ -z "$status" ]; then echo "MISSING status: $f"; fi
+  if [ -z "$severity" ]; then echo "MISSING severity: $f"; fi
+  if [ -z "$area" ]; then echo "MISSING area: $f"; fi
+
+  # Validate severity values
+  if [ -n "$severity" ] && ! echo "$severity" | grep -qE '^(P0|P1|P2)$'; then
+    echo "INVALID severity '$severity': $f"
+  fi
+
+  # Validate status values
+  if [ -n "$status" ] && ! echo "$status" | grep -qE '^(open|completed)$'; then
+    echo "INVALID status '$status': $f"
+  fi
+
+  # Cross-check: files in brain/issues/ should have status: open
+  if [[ "$f" == brain/issues/[0-9]*.md ]] && [ "$status" = "completed" ]; then
+    echo "STALE status=completed but in open folder: $f"
+  fi
+
+  # Cross-check: files in brain/issues/completed/ should have status: completed
+  if [[ "$f" == brain/issues/completed/* ]]; then
+    if [ "$status" != "completed" ]; then
+      echo "WRONG status=$status (expected completed) in completed folder: $f"
+    fi
+  fi
+done
+```
+
+For each finding:
+- **MISSING**: Add the required frontmatter field
+- **INVALID**: Fix the invalid value
+- **STALE**: Move the file to `completed/` and update INDEX.md
+- **WRONG**: Fix status to `completed`
+
+---
+
+## Step 5 — Orphan completed check (in INDEX but not in folder)
+
+```bash
+comm -23 /tmp/index_completed_ids.txt /tmp/completed_ids.txt
+```
+
+Each ID in this list appears in INDEX.md as completed but has no file in
+`completed/`. This means the file was deleted or never migrated. Either:
+- Create the completed issue file by moving from open (if it was fixed but
+  file not moved)
+- Or the issue was already fixed and the completed file was deleted — no action
+
+---
+
+## Step 6 — Summary report
+
+After all checks, print a structured summary:
+
+```
+ISSUES MAINTENANCE REPORT — {date}
+════════════════════════════════════════════════════════════════════
+Open issues:      {N}  (brain/issues/)
+Completed issues: {N}  (brain/issues/completed/)
+INDEX active:     {N}  (from INDEX.md P0/P1/P2 tables)
+INDEX completed:  {N}  (from INDEX.md completed table)
+
+HEALTH:
+  Duplicates (open+completed): {N} — FIX or IGNORE
+  INDEX drift (open but marked completed): {N} — FIX
+  Missing frontmatter fields: {N} — FIX
+  Invalid field values:       {N} — FIX
+  Orphan completed (in INDEX, no file): {N} — REVIEW
+  Untracked open (not in INDEX): {N} — ADD TO INDEX or COMPLETE
+
+RECOMMENDED ACTIONS:
+  1. [list of specific fix commands or file-level actions]
+════════════════════════════════════════════════════════════════════
+```
+
+---
+
+## Step 7 — Apply fixes
+
+For each fixable issue from the report:
+
+- **Duplicate removal**: `rm brain/issues/<file>` or `rm brain/issues/completed/<file>`
+- **Status fix**: Edit the frontmatter `status:` field
+- **Move to completed**: `mv brain/issues/<file> brain/issues/completed/`
+- **INDEX update**: Edit `brain/issues/INDEX.md` to move issue ID from active table
+  to completed table (add completed date)
+
+After fixing, commit with:
+
+```bash
+git add -u brain/issues/
+git commit -m "fix(brain): issues maintenance — {brief description of what was fixed}"
+```
+
+---
+
+## Hard Rules
+
+1. **Never delete an issue file without understanding why it exists** — if an
+   ID appears in both folders, one is wrong, not both
+2. **INDEX.md is the source of truth for counts** — if the INDEX and reality
+   disagree, trust what you observe in the files and fix INDEX to match
+3. **Always commit completed issue file moves separately** from code fixes so
+   the brain/ history is clean and reviewable
+4. **Do not touch open issue files** — the maintenance skill only moves,
+   renames, or updates completed issues; open issues are owned by whoever is
+   actively working on them

package/skills/user-skills/issues-scan/SKILL.md

@@ -0,0 +1,226 @@
+---
+name: issues-scan
+preamble-tier: 2
+version: 1.0.0
+description: |
+  Scan the codebase for new issues matching the connections→credentials migration
+  pattern. Detect bugs, gaps, and inconsistencies and create new issue files in
+  brain/issues/ with unique IDs. Use when asked to "scan for new issues",
+  "find new issues", or "discover issues".
+allowed-tools:
+  - Bash
+  - Read
+  - Write
+  - Edit
+  - Grep
+  - Glob
+  - AskUserQuestion
+triggers:
+  - scan for new issues
+  - find new issues
+  - discover issues
+  - new issues
+  - scan issues
+---
+
+# Issues Scan — Discover New Issues from Codebase
+
+## Purpose
+
+Scan the codebase for bugs, gaps, and inconsistencies that warrant new issues.
+Assign unique IDs (next available in the 3-digit sequence), populate with
+evidence, and optionally update INDEX.md.
+
+---
+
+## Step 1 — Read existing issues to avoid duplicates
+
+```bash
+ISSUES_DIR="$(git rev-parse --show-toplevel 2>/dev/null)/brain/issues"
+echo "=== Existing issue IDs ==="
+find "$ISSUES_DIR" -maxdepth 1 -name "*.md" -not -name "INDEX.md" -not -path "*/completed/*" | \
+ sed 's/.*\///' | sed 's/-.*//' | sort -n
+echo "=== Highest ID ==="
+find "$ISSUES_DIR" -maxdepth 1 -name "*.md" -not -name "INDEX.md" -not -path "*/completed/*" | \
+  sed 's/.*\///' | sed 's/-.*//' | sort -n | tail -1
+```
+
+The next ID is the highest existing ID + 1, zero-padded to 3 digits.
+
+---
+
+## Step 2 — Scan patterns by workstream
+
+Run targeted Grep searches for common issue patterns. For each search,
+check if the finding matches an already-filed issue before creating a new one.
+
+### 2a — API routes (stale /connections references)
+
+```bash
+# Returns lines referencing old connection API paths
+grep -rn "/api/connections" --include="*.ts" --include="*.tsx" \
+  "$(git rev-parse --show-toplevel)/apps"2>/dev/null | grep -v "node_modules"
+```
+
+### 2b — Worker package (old Connection model references)
+
+```bash
+grep -rn "connection\|Connection" --include="*.ts" \
+  "$(git rev-parse --show-toplevel)/apps/worker/src"2>/dev/null | \
+  grep -v "connectionId\|ConnectionRow\|connections\|test" | head -30
+```
+
+### 2c — DSL/schema (connectionRef vocabulary)
+
+```bash
+grep -rn "connectionRef\|missing_connection\|connection_ref" --include="*.ts" \
+  "$(git rev-parse --show-toplevel)/packages/dsl" 2>/dev/null
+```
+
+### 2d — UI components (stale naming)
+
+```bash
+grep -rn "Connection\|connection" --include="*.tsx" \
+  "$(git rev-parse --show-toplevel)/apps/web/src/app"2>/dev/null | \
+  grep -v "connectionId\|ConnectionRow\|test\|connectionString\|ConnectionsTable\|NewConnectionForm\|ConnectionDetail" | head -30
+```
+
+### 2e — Database migrations (connectionId vs credentialId)
+
+```bash
+grep -rn "connectionId\|connection_id" --include="*.sql" \
+  "$(git rev-parse --show-toplevel)/packages/db" 2>/dev/null
+```
+
+### 2f — Security patterns (HMAC, rate limiting, error messages)
+
+```bash
+# HMAC stub always returns false
+grep -rn "verifyHmac\|hmac\|HMAC" --include="*.ts" \
+  "$(git rev-parse --show-toplevel)/apps/web/src"2>/dev/null | head -20
+
+# Raw error.message in 500 responses
+grep -rn "err\.message\|error\.message" --include="*.ts" \
+  "$(git rev-parse --show-toplevel)/apps/web/src/app/api" 2>/dev/null | head -20
+
+# Missing rate limiting
+grep -rn "rateLimit\|rate_limit\|RateLimit" --include="*.ts" \
+  "$(git rev-parse --show-toplevel)/apps/web/src" 2>/dev/null | head -10
+```
+
+### 2g — Missing test coverage
+
+```bash
+# API routes without test files
+find "$(git rev-parse --show-toplevel)/apps/web/src/app/api" -name "route.ts" | sort | \
+ while read route; do
+    test_file="${route%.ts}.test.ts"
+    [ -f "$test_file" ] || echo "NO TEST: $route"
+  done
+```
+
+### 2h — OAuth flows
+
+```bash
+grep -rn "returnTo\|redirect\|oauth\|OAuth" --include="*.ts" \
+  "$(git rev-parse --show-toplevel)/apps/web/src/app/api/oauth" 2>/dev/null | head -20
+```
+
+---
+
+## Step 3 — Deduplicate against existing issues
+
+Before creating any new issue, cross-check against existing titles and evidence:
+
+```bash
+ISSUES_DIR="$(git rev-parse --show-toplevel 2>/dev/null)/brain/issues"
+# List all existing issue titles
+grep -h "^title:" "$ISSUES_DIR"/*.md 2>/dev/null | sort -u
+```
+
+If a finding matches an existing issue (same file, same bug pattern), skip it.
+
+---
+
+## Step 4 — Create new issue files
+
+For each unique finding, create a file at `brain/issues/{id}-{slug}.md`:
+
+```markdown
+---
+id: {next-id}
+title: {concise one-liner}
+severity: P0|P1|P2
+area: api|database|security|ui|worker|testing|maintainability|connectors|oauth|dsl
+source: issues-scan
+status: open
+created: {YYYY-MM-DD}
+files:
+  - path/to/file1
+  - path/to/file2
+related:
+  - related-issue-id
+---
+
+## Summary
+
+{2-3 sentences: what is wrong, where, and why it matters.}
+
+## Evidence
+
+- `file:line` — description of the finding
+- `file:line` — description of the finding
+
+## Suggested fix
+
+{Concrete steps to fix the issue.}
+
+## Acceptance criteria
+
+- [ ] {criterion 1}
+- [ ] {criterion 2}
+```
+
+**Slug rules:** lowercase, hyphens, no numbers in the slug part.
+**ID sequence:** 001, 002, ... 058, 059, ... (always 3 digits, zero-padded).
+
+---
+
+## Step 4.5 — Closing completed issues
+
+When an issue is resolved, **move it to `brain/issues/completed/` instead of deleting it**.
+This preserves the audit trail and allows the INDEX.md completed table to link to the file.
+
+```bash
+# Move a resolved issue to completed/
+mv brain/issues/042-google-sheets-picker-selects-missing-accessible-labels.md \
+   brain/issues/completed/042-google-sheets-picker-selects-missing-accessible-labels.md
+```
+
+Then update `brain/issues/INDEX.md`:
+1. Move the issue entry from the active priority table to the Completed table
+2. Add `completed: YYYY-MM-DD` to the issue frontmatter (edit the file directly)
+3. Decrement "Active issues" count, increment "Completed" count
+
+**Rule: Never delete an issue file. Always move it to completed/.**
+
+---
+
+## Step 5 — Update INDEX.md
+
+After creating new issues or closing completed ones, update `brain/issues/INDEX.md`:
+
+1. Increment "Active issues" count (new issues) or decrement (closed issues)
+2. Add new issues to the correct priority table (P0/P1/P2)
+3. Move closed issues to the Completed table with today's date
+4. Re-sort by ID within each priority section
+
+---
+
+## Step 6 — Report
+
+Report:
+- How many scans performed
+- How many new issues created
+- Which IDs were assigned
+- Any findings that were deduplicated against existing issues