learnship 2.3.6 → 2.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (36) hide show
  1. package/.claude-plugin/plugin.json +1 -1
  2. package/.cursor-plugin/plugin.json +1 -1
  3. package/README.md +34 -17
  4. package/SKILL.md +32 -11
  5. package/agents/learnship-challenger.md +9 -0
  6. package/agents/learnship-executor.md +9 -0
  7. package/agents/learnship-ideation-agent.md +9 -0
  8. package/agents/learnship-research-synthesizer.md +9 -0
  9. package/agents/learnship-roadmapper.md +9 -0
  10. package/agents/learnship-security-auditor.md +20 -1
  11. package/agents/learnship-solution-writer.md +9 -0
  12. package/agents/learnship-verifier.md +1 -1
  13. package/bin/install.js +95 -25
  14. package/cursor-rules/learnship.mdc +32 -4
  15. package/gemini-extension.json +1 -1
  16. package/hooks/learnship-context-monitor.js +6 -3
  17. package/hooks/learnship-prompt-guard.js +1 -1
  18. package/hooks/learnship-session-state.js +1 -1
  19. package/hooks/learnship-statusline.js +8 -3
  20. package/learnship/agents/challenger.md +7 -0
  21. package/learnship/agents/executor.md +7 -0
  22. package/learnship/agents/ideation-agent.md +7 -0
  23. package/learnship/agents/research-synthesizer.md +7 -0
  24. package/learnship/agents/roadmapper.md +7 -0
  25. package/learnship/agents/security-auditor.md +28 -0
  26. package/learnship/agents/solution-writer.md +7 -0
  27. package/learnship/agents/verifier.md +1 -1
  28. package/learnship/references/model-profiles.md +20 -13
  29. package/learnship/workflows/execute-phase.md +4 -3
  30. package/learnship/workflows/health.md +32 -4
  31. package/learnship/workflows/new-project.md +36 -4
  32. package/learnship/workflows/review.md +106 -10
  33. package/learnship/workflows/secure-phase.md +2 -0
  34. package/learnship/workflows/ship.md +43 -0
  35. package/learnship/workflows/verify-work.md +33 -0
  36. package/package.json +1 -1
@@ -1,15 +1,16 @@
1
1
  ---
2
- description: Multi-persona code review — correctness, testing, security, performance, maintainability
2
+ description: Two-pass code review — spec compliance then multi-persona quality review
3
3
  ---
4
4
 
5
5
  # Review
6
6
 
7
- Multi-persona code review that examines changes through six lenses: correctness, testing, security, performance, maintainability, and adversarial. Produces a severity-ranked findings report with confidence scores.
7
+ Two-pass code review. **Pass 1** confirms the change matches its spec (planned deliverables). **Pass 2** examines quality through six lenses: correctness, testing, security, performance, maintainability, and adversarial. Produces a severity-ranked findings report with confidence scores.
8
8
 
9
9
  **Usage:** `review` — review current branch changes
10
10
  **Usage:** `review [mode]` — modes: `interactive` (default), `report-only`, `autofix`
11
+ **Usage:** `review --quality-only` — skip spec compliance pass, run quality review only
11
12
 
12
- **Sequencing:** Run after `verify-work` (spec compliance) and before `/ship` (deploy pipeline).
13
+ **Sequencing:** Run after `verify-work` (acceptance testing) and before `/ship` (deploy pipeline).
13
14
 
14
15
  ## Step 1: Determine Scope
15
16
 
@@ -48,9 +49,89 @@ Combined with conversation context and any SUMMARY.md files from the current pha
48
49
  Intent: [what the changes are trying to accomplish]
49
50
  ```
50
51
 
51
- ## Step 3: Select Personas
52
+ ## Step 3: Pass 1 — Spec Compliance
52
53
 
53
- Read the diff and file list. Select which review personas to activate:
54
+ > Skip this pass entirely if `--quality-only` flag was given.
55
+
56
+ Check whether the diff actually delivers what was planned. This is the "did we build the right thing?" gate — it runs before quality review because a spec failure is more important than any quality finding.
57
+
58
+ ### 3a. Load the Spec
59
+
60
+ Try to find the spec in order of precedence:
61
+
62
+ ```bash
63
+ # 1. Current phase PLAN.md files
64
+ find .planning/phases -name "*-PLAN.md" -newer .git/refs/heads/$(git rev-parse --abbrev-ref HEAD 2>/dev/null) 2>/dev/null | head -5
65
+
66
+ # 2. Most recently modified phase
67
+ ls -t .planning/phases/ 2>/dev/null | head -3
68
+
69
+ # 3. Commit messages as fallback spec
70
+ git log --oneline ${BASE}..HEAD
71
+ ```
72
+
73
+ If PLAN.md files found: read their `must_haves` frontmatter fields — these are the spec.
74
+ If no PLAN.md: use commit message summaries as a lightweight spec.
75
+ If no commits at all: spec compliance is N/A — skip to Pass 2.
76
+
77
+ ### 3b. Check Spec Coverage
78
+
79
+ For each must-have deliverable or commit-described feature:
80
+
81
+ 1. Does the diff contain files that plausibly implement it?
82
+ 2. Are there test files covering it?
83
+ 3. Is it mentioned in any SUMMARY.md for the current phase?
84
+
85
+ Classify each item as:
86
+ - **COVERED** — evidence in diff matches the deliverable
87
+ - **PARTIAL** — diff touches the right area but coverage seems incomplete
88
+ - **MISSING** — no evidence in diff that this was implemented
89
+
90
+ ### 3c. Report Spec Compliance
91
+
92
+ ```
93
+ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
94
+ learnship ► PASS 1: SPEC COMPLIANCE
95
+ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
96
+
97
+ Spec source: [PLAN.md path | commit messages]
98
+
99
+ | Deliverable | Status | Evidence |
100
+ |-------------|--------|----------|
101
+ | [item 1] | COVERED | [file/lines] |
102
+ | [item 2] | PARTIAL | [what's missing] |
103
+ | [item 3] | MISSING | — |
104
+
105
+ Result: PASS | PARTIAL | FAIL
106
+ ```
107
+
108
+ **If FAIL or PARTIAL:**
109
+ ```
110
+ AskUserQuestion([
111
+ {
112
+ header: "Spec Gap",
113
+ question: "[N] planned deliverable(s) not found in this diff. Continue to quality review anyway?",
114
+ multiSelect: false,
115
+ options: [
116
+ { label: "Continue anyway", description: "Run quality review on what exists — spec gaps noted in report" },
117
+ { label: "Stop — fix spec gaps first", description: "Come back and re-run /review after completing missing deliverables" }
118
+ ]
119
+ }
120
+ ])
121
+ ```
122
+
123
+ > 🛑 STOP. Wait for reply before continuing.
124
+
125
+ If "Stop": output the missing items as a task list and stop.
126
+ If "Continue": add spec gap findings to the final report as P1 items.
127
+
128
+ **If PASS:** continue directly to Pass 2.
129
+
130
+ ---
131
+
132
+ ## Step 4: Pass 2 — Select Quality Personas
133
+
134
+ Read the diff and file list. Select which quality review personas to activate:
54
135
 
55
136
  **Always-on (every review):**
56
137
 
@@ -81,7 +162,7 @@ Review team:
81
162
  - adversarial — [justification if selected]
82
163
  ```
83
164
 
84
- ## Step 4: Run Review
165
+ ## Step 5: Run Quality Review
85
166
 
86
167
  Read `parallelization` from `.planning/config.json` (defaults to `false`).
87
168
 
@@ -138,7 +219,7 @@ Read `@./agents/code-reviewer.md` for the full persona definition. Run each sele
138
219
  2. Read the diff through that lens
139
220
  3. Record findings with severity and confidence
140
221
 
141
- ## Step 5: Merge & Deduplicate Findings
222
+ ## Step 6: Merge & Deduplicate Findings
142
223
 
143
224
  Combine findings from all personas:
144
225
 
@@ -147,7 +228,7 @@ Combine findings from all personas:
147
228
  3. **Cross-persona agreement** — when 2+ personas flag the same issue, boost confidence by 0.10 (capped at 1.0).
148
229
  4. **Sort** — order by severity (P0 first) → confidence (descending) → file path → line number.
149
230
 
150
- ## Step 6: Present Report
231
+ ## Step 7: Present Report
151
232
 
152
233
  ### Severity Scale
153
234
 
@@ -165,6 +246,7 @@ Display:
165
246
  ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
166
247
 
167
248
  Intent: [intent summary]
249
+ Spec compliance: PASS | PARTIAL ([N] gaps carried as P1) | SKIPPED (--quality-only)
168
250
  Reviewers: [list]
169
251
  Mode: [interactive | report-only | autofix]
170
252
 
@@ -195,7 +277,7 @@ Mode: [interactive | report-only | autofix]
195
277
  Total: [N] findings ([P0 count] critical, [P1 count] high, [P2 count] moderate, [P3 count] low)
196
278
  ```
197
279
 
198
- ## Step 7: Handle Mode
280
+ ## Step 8: Handle Mode
199
281
 
200
282
  **Interactive (default):**
201
283
  For each P0/P1 finding, ask: "Fix this now, or defer?"
@@ -212,7 +294,7 @@ git add [files]
212
294
  git commit -m "fix([scope]): [description from finding]"
213
295
  ```
214
296
 
215
- ## Step 8: Suggest Next Steps
297
+ ## Step 9: Suggest Next Steps
216
298
 
217
299
  ```
218
300
  ▶ Next steps:
@@ -230,6 +312,20 @@ git commit -m "fix([scope]): [description from finding]"
230
312
 
231
313
  ---
232
314
 
315
+ ## Design Quality Gate (UI changes only)
316
+
317
+ If the review touched any user-facing UI files (frontend components, templates, stylesheets, public HTML), suggest running a design pass as a final lens — code correctness does not catch design regressions:
318
+
319
+ > 🎨 **Design pass:** This review touched UI files. Run one of these `impeccable` actions on the changed views to catch issues code review misses (visual hierarchy, accessibility, motion, copy):
320
+ >
321
+ > - `@impeccable critique [component or view]` — Multi-frame critique (typography, color, spatial, motion, copy)
322
+ > - `@impeccable polish [component or view]` — Apply small refinements before shipping
323
+ > - `@impeccable audit [view]` — Scan for accessibility, contrast, and layout issues
324
+ >
325
+ > Skip if no UI files changed.
326
+
327
+ ---
328
+
233
329
  ## Learning Checkpoint
234
330
 
235
331
  Read `learning_mode` from `.planning/config.json`.
@@ -55,6 +55,8 @@ For each file, check for:
55
55
  - Hardcoded credentials
56
56
  - Insecure defaults
57
57
 
58
+ **OWASP Top 10 surface scan:** As part of codebase analysis, note which OWASP categories are relevant to this phase's changes (see security-auditor agent for the full checklist). The SECURITY.md output must include an OWASP coverage table — marking each category as Relevant/N/A/Found. This makes the audit exhaustive and audit-trail-friendly.
59
+
58
60
  ## Step 3: Build Threat Register
59
61
 
60
62
  For each identified concern, create a threat entry:
@@ -208,6 +208,49 @@ or patterns while context is fresh.
208
208
 
209
209
  ---
210
210
 
211
+ ## Pre-Ship Design Pass (UI changes only)
212
+
213
+ Before opening the PR, if the staged changes touch any user-facing UI files, run a final design pass — this catches issues that tests and code review don't:
214
+
215
+ ```bash
216
+ git diff --name-only --cached | grep -E '\.(tsx?|jsx?|vue|svelte|html|css|scss|less)$' | head -5
217
+ ```
218
+
219
+ If UI files appear in the diff, suggest:
220
+
221
+ > 🎨 **Design pass before ship:** Staged changes include UI files. Run one of these to catch design regressions before opening the PR:
222
+ >
223
+ > - `@impeccable polish [view]` — Quick refinement pass: typography, spacing, color, copy
224
+ > - `@impeccable audit [view]` — Accessibility + contrast + layout scan
225
+ > - `@impeccable harden [view]` — Edge-case resilience (small viewport, RTL, screen reader)
226
+ >
227
+ > Skip on non-UI changes.
228
+
229
+ ---
230
+
231
+ ## Live Smoke Test Before PR (when Playwright MCP is available)
232
+
233
+ **Supported on:** Any platform with MCP support configured (Claude Code, OpenCode, Cursor, Windsurf, Codex CLI, Gemini CLI).
234
+
235
+ If `mcp__playwright__*` tools are available and the staged changes touch a web UI, run a quick smoke test before creating the PR — catches rendering failures that tests don't:
236
+
237
+ ```bash
238
+ # Check server is running
239
+ curl -s -o /dev/null -w "%{http_code}" http://localhost:3000 2>/dev/null || echo "not-running"
240
+ ```
241
+
242
+ If the server is running and Playwright is available:
243
+ 1. Navigate to the primary page
244
+ 2. Walk the changed flow once (the golden path for this change)
245
+ 3. Take a screenshot — verify it matches expectations
246
+ 4. Check the browser console — zero JS errors required
247
+
248
+ **If smoke test fails:** Stop the ship pipeline. Fix before pushing.
249
+
250
+ If Playwright is not configured or the server is not running: skip this step and note it in the PR description. To configure: see the `verify-work` workflow for Playwright MCP setup instructions per platform.
251
+
252
+ ---
253
+
211
254
  ## Learning Checkpoint
212
255
 
213
256
  Read `learning_mode` from `.planning/config.json`.
@@ -351,6 +351,39 @@ Present when ready:
351
351
 
352
352
  ---
353
353
 
354
+ ## Live UI Smoke Test (when Playwright MCP is available)
355
+
356
+ **Supported on:** Any platform with MCP support configured (Claude Code, OpenCode, Cursor, Windsurf, Codex CLI, Gemini CLI). Optional enhancement layer — the conversational UAT above is the primary mechanism on all platforms.
357
+
358
+ After UAT passes, if the tested deliverables include any user-facing UI **and** your tool list includes `mcp__playwright__*` tools (or equivalents), run a quick live smoke test before committing the UAT as complete:
359
+
360
+ **1. Find the entry point:**
361
+ ```bash
362
+ # Check common dev server patterns
363
+ grep -E '"(dev|start|serve)"' package.json 2>/dev/null | head -3
364
+ cat README.md 2>/dev/null | grep -i "http://localhost" | head -3
365
+ ```
366
+
367
+ **2. Verify the server is running:**
368
+ ```bash
369
+ curl -s -o /dev/null -w "%{http_code}" http://localhost:3000 2>/dev/null || \
370
+ curl -s -o /dev/null -w "%{http_code}" http://localhost:8080 2>/dev/null || \
371
+ echo "not-running"
372
+ ```
373
+
374
+ **3. Walk the golden path via Playwright:**
375
+ - Navigate to the primary entry point
376
+ - Walk through each UI deliverable from the UAT list once
377
+ - Take a screenshot at each key step
378
+ - Check the browser console for JS errors
379
+
380
+ **4. Record the result:**
381
+ If any Playwright step fails (HTTP error, JS exception, visual regression), treat it as a UAT issue with severity `blocker` and add it to the Gaps section.
382
+
383
+ > **Platform note:** Playwright MCP is supported wherever MCP is available — Claude Code, OpenCode, Cursor, Windsurf, Codex CLI, and Gemini CLI all support MCP servers. To enable it: install `@playwright/mcp` and add it to your platform's MCP config. On Claude Code: `claude mcp add playwright npx @playwright/mcp`. On Cursor/Windsurf: add `@playwright/mcp` as an MCP server in your IDE settings. Once configured, learnship workflows detect and use it automatically.
384
+
385
+ ---
386
+
354
387
  ## Learning Checkpoint
355
388
 
356
389
  Read `learning_mode` from `.planning/config.json`.
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "learnship",
3
- "version": "2.3.6",
3
+ "version": "2.4.0",
4
4
  "description": "Learn as you build. Build with intent. — A multi-platform agentic engineering system for Windsurf, Claude Code, Cursor, OpenCode, Gemini CLI, and Codex: 57 spec-driven workflows, 17 specialist agent personas, integrated learning, and production-grade design.",
5
5
  "keywords": [
6
6
  "agentic",