maestro-flow 0.4.2 → 0.4.3

package/.claude/commands/maestro-analyze.md

@@ -1,6 +1,6 @@
 ---
 name: maestro-analyze
-description: Multi-angle analysis with CLI-assisted exploration
+description: Use when a topic needs structured multi-dimensional investigation before planning or decision-making
 argument-hint: "[phase|topic] [-y] [-c] [-q] [--gaps [ISS-ID]]"
 allowed-tools:
   - Read

package/.claude/commands/maestro-brainstorm.md

@@ -1,6 +1,6 @@
 ---
 name: maestro-brainstorm
-description: Brainstorm with auto pipeline or single-role analysis
+description: Use when exploring ideas, evaluating approaches, or needing multi-perspective analysis before implementation
 argument-hint: "[topic|role-name] [--yes] [--count N] [--session ID] [--update] [--skip-questions] [--include-questions] [--style-skill PKG]"
 allowed-tools:
   - Read

package/.claude/commands/maestro-collab.md

@@ -1,6 +1,6 @@
 ---
 name: maestro-collab
-description: Multi-CLI collaborative analysis -- fan-out to multiple CLI tools, cross-verify, synthesize
+description: Use when a question needs cross-verification from multiple CLI tools or diverse analytical perspectives
 argument-hint: "\"<requirement>\" [--tools gemini,qwen,claude] [--mode analysis|write] [--rule <template>] [-y]"
 allowed-tools:
   - Read

package/.claude/commands/maestro-execute.md

@@ -1,6 +1,6 @@
 ---
 name: maestro-execute
-description: Execute plan with parallel waves and atomic commits
+description: Use when a confirmed plan is ready for implementation
 argument-hint: "[phase] [--auto-commit] [--method agent|cli|auto] [--executor <tool>] [--dir <path>] [-y]"
 allowed-tools:
   - Read
@@ -98,6 +98,15 @@ Next steps:
   /manage-status               -- View project dashboard
 ```
 
+**Completion status:**
+```
+--- COMPLETION STATUS ---
+STATUS: DONE|DONE_WITH_CONCERNS|NEEDS_RETRY
+CONCERNS: {failed_count} tasks failed (if any)
+NEXT: /maestro-verify
+--- END STATUS ---
+```
+
 If failed tasks exist, suggest /quality-debug for investigation.
 </execution>
 

package/.claude/commands/maestro-guard.md

@@ -0,0 +1,101 @@
+---
+name: maestro-guard
+description: Manage editing boundary restrictions
+argument-hint: "<on|off|status|allow <path>|deny <path>>"
+allowed-tools:
+  - Read
+  - Write
+  - Bash
+  - Glob
+---
+<purpose>
+Configure directory-level write boundaries enforced by the workflow-guard PreToolUse hook.
+When enabled, Write and Edit tool calls targeting files outside allowed paths are blocked.
+
+Subcommands:
+- **on** — Enable path guard (defaults to `src/` if no paths configured)
+- **off** — Disable path guard (preserves path list)
+- **status** — Show current guard configuration
+- **allow `<path>`** — Add a directory to the allowed paths list
+- **deny `<path>`** — Switch to deny mode and add path to deny list
+</purpose>
+
+<context>
+$ARGUMENTS — Parse subcommand and optional path argument.
+
+**Config location:** `.workflow/config.json` → `guard` section
+
+```json
+{
+  "guard": {
+    "enabled": false,
+    "mode": "allow",
+    "paths": []
+  }
+}
+```
+
+**Enforcement:** The `workflow-guard` hook (PreToolUse on Write/Edit) reads this config
+and blocks operations targeting files outside boundaries. Requires hooks level >= `full`.
+</context>
+
+<execution>
+
+**Step 1: Parse subcommand**
+
+Extract from $ARGUMENTS:
+- `on` / `off` / `status` / `allow <path>` / `deny <path>`
+- If no subcommand, default to `status`
+
+**Step 2: Read config**
+
+Read `.workflow/config.json`. If file missing, initialize with empty guard section.
+
+**Step 3: Execute subcommand**
+
+**`status`:**
+- Display: enabled/disabled, mode (allow/deny), paths list
+- Check if workflow-guard hook is active (read `.claude/settings.json` for hook presence)
+- If guard enabled but hook not active, warn: "⚠ PathGuard enabled but workflow-guard hook not installed. Run `maestro hooks level full` to activate."
+
+**`on`:**
+- Set `guard.enabled = true`
+- If `guard.paths` is empty, set default: `["src/", "tests/", ".workflow/"]`
+- Check hook level, warn if < full
+- Write config
+
+**`off`:**
+- Set `guard.enabled = false`
+- Preserve existing paths and mode
+- Write config
+
+**`allow <path>`:**
+- Normalize path to forward slashes, ensure trailing slash for directories
+- If `guard.mode` is `deny`, switch to `allow` and clear paths with warning
+- Add path to `guard.paths` (deduplicate)
+- Set `guard.enabled = true` if not already
+- Write config
+
+**`deny <path>`:**
+- Normalize path to forward slashes
+- Set `guard.mode = "deny"`
+- Add path to `guard.paths` (deduplicate)
+- Set `guard.enabled = true` if not already
+- Write config
+
+**Step 4: Confirm**
+
+Display updated guard configuration.
+
+</execution>
+
+<error_codes>
+- E001: `.workflow/config.json` not found and cannot be created (not a maestro project)
+- W001: PathGuard enabled but workflow-guard hook not installed
+</error_codes>
+
+<success_criteria>
+- [ ] Config read/written correctly
+- [ ] Hook level warning displayed when applicable
+- [ ] Updated configuration shown after changes
+</success_criteria>

package/.claude/commands/maestro-impeccable.md

@@ -1,6 +1,6 @@
 ---
 name: maestro-impeccable
-description: Production-grade UI design — 24 commands + chain orchestration with quality gates + design search
+description: Use when designing, auditing, polishing, or improving frontend UI — websites, dashboards, landing pages, components
 argument-hint: "<command|chain|intent> [target] [flags]"
 allowed-tools:
   - Read

package/.claude/commands/maestro-plan.md

@@ -1,7 +1,7 @@
 ---
 name: maestro-plan
-description: Plan phase execution with exploration and verification
-argument-hint: "[phase] [--collab] [--spec SPEC-xxx] [-y] [--gaps] [--dir <path>] [--revise [instructions]] [--check <plan-dir>]"
+description: Use when creating, revising, or verifying an execution plan for a phase or task
+argument-hint: "[phase] [--collab] [--spec SPEC-xxx] [-y] [--gaps] [--tdd] [--dir <path>] [--revise [instructions]] [--check <plan-dir>]"
 allowed-tools:
   - Read
   - Write
@@ -122,6 +122,19 @@ Next steps:
   /maestro-plan {phase}         -- Re-plan with modifications
 ```
 
+**Completion status:**
+```
+--- COMPLETION STATUS ---
+STATUS: DONE|NEEDS_CONTEXT
+CONCERNS: {description if applicable}
+NEXT: /maestro-execute
+--- END STATUS ---
+```
+
+Status mapping:
+- **DONE** — Plan created/revised and confirmed → NEXT: /maestro-execute
+- **NEEDS_CONTEXT** — Ambiguous requirements, insufficient context to produce plan
+
 ### Mode: Revise / Check
 
 Follow workflow plan.md § "Revise Mode" and § "Check Mode" respectively. These modes bypass the standard P1-P5 create pipeline.

package/.claude/commands/maestro-ralph-execute.md

@@ -180,8 +180,15 @@ Write enriched args back to status.json (resume-safe).
    - `PHASE: N` → session.phase
    - `scratch_dir: path` → context.scratch_dir
    - `SPEC-xxx` → context.spec_session_id
-3. Write status.json
-4. Display: `[{index}/{total}] ✓ {skill} completed`
+3. Scan output for `--- COMPLETION STATUS ---` block. If found, parse and map:
+   - `STATUS: DONE` → `step.status = "completed"`
+   - `STATUS: DONE_WITH_CONCERNS` → `step.status = "completed"`, `step.concerns = CONCERNS value`
+   - `STATUS: NEEDS_RETRY` → trigger retry: set `step.status = "pending"`, `step.retried = true` → S_HANDLE_FAIL
+   - `STATUS: BLOCKED` → `session.status = "paused"`, display blocker reason from CONCERNS
+   - `STATUS: NEEDS_CONTEXT` → `session.status = "paused"`, display context gap from CONCERNS
+   - If no `--- COMPLETION STATUS ---` block found → fall back to existing heuristic (backward compatible)
+4. Write status.json
+5. Display: `[{index}/{total}] ✓ {skill} completed`
 
 ### A_RETRY
 

package/.claude/commands/maestro-ralph.md

@@ -1,6 +1,6 @@
 ---
 name: maestro-ralph
-description: Adaptive lifecycle engine — infer state, build command chain
+description: Use when the optimal command sequence is unclear and needs automated state-based determination
 argument-hint: "[-y] \"intent\" | status | continue"
 allowed-tools:
   - Read
@@ -238,6 +238,13 @@ Build rules: start from position, skip completed, insert decision nodes with `{
    ```
 6. On callback: parse verdict; if parse fails → fallback STATUS="fix"
 7. Confidence adjustment: <60 + proceed → fix; >95 + fix + retry>0 → suggest proceed
+8. **Decision log**: Append to `{session_dir}/decisions.ndjson`:
+   ```json
+   { "id": "DEC-{timestamp}", "timestamp": "{ISO}", "source": "ralph",
+     "node_id": "{step.decision}", "type": "quality-gate",
+     "verdict": "{adjusted_verdict}", "confidence_score": {N},
+     "close_call": {N>=50 && N<=70}, "summary": "{REASON}" }
+   ```
 
 ### A_STRUCTURAL_EVALUATE
 

package/.claude/commands/maestro-verify.md

@@ -1,6 +1,6 @@
 ---
 name: maestro-verify
-description: Verify goals with must-have checks and test coverage validation
+description: Use after execution to verify goals are actually achieved with evidence-based structural checks
 argument-hint: "[phase] [--skip-tests] [--skip-antipattern] [--dir <path>]"
 allowed-tools:
   - Read
@@ -70,6 +70,20 @@ On confirm → `Skill("spec-add", "<category> <content>")`.
 
 **Gap-fix closure loop:**
 Gaps found → maestro-plan --gaps → maestro-execute → maestro-verify (re-run)
+
+**Completion status:**
+```
+--- COMPLETION STATUS ---
+STATUS: DONE|DONE_WITH_CONCERNS|NEEDS_RETRY
+CONCERNS: {description if applicable}
+NEXT: /quality-review
+--- END STATUS ---
+```
+
+Status mapping:
+- **DONE** — All checks pass, no gaps → NEXT: /quality-review
+- **DONE_WITH_CONCERNS** — Gaps found (must-have failures or anti-pattern blockers) → NEXT: /maestro-execute (after /maestro-plan --gaps)
+- **NEEDS_RETRY** — Verification could not complete (missing artifacts, corrupt data)
 </execution>
 
 <error_codes>

package/.claude/commands/quality-auto-test.md

@@ -1,6 +1,6 @@
 ---
 name: quality-auto-test
-description: Auto-generate and run tests from specs or coverage gaps
+description: Use when test coverage needs automated expansion or existing tests need iterative convergence
 argument-hint: "<phase> [-y] [-c N] [--max-iter <N>] [--layer <L0-L3>] [--strategy <name>] [--dry-run] [--re-run]"
 allowed-tools:
   - spawn_agents_on_csv

package/.claude/commands/quality-debug.md

@@ -1,6 +1,6 @@
 ---
 name: quality-debug
-description: Debug with parallel hypotheses and root cause analysis
+description: Use when bugs, test failures, or unexpected behavior need systematic root cause investigation
 argument-hint: "[issue description] [--from-uat <phase>] [--parallel]"
 allowed-tools:
   - Read

package/.claude/commands/quality-refactor.md

@@ -1,6 +1,6 @@
 ---
 name: quality-refactor
-description: Reduce tech debt with reflection-driven iteration
+description: Use when accumulated tech debt needs systematic identification and safe reduction
 argument-hint: "[<scope>]"
 allowed-tools:
   - Read

package/.claude/commands/quality-retrospective.md

@@ -1,6 +1,6 @@
 ---
 name: quality-retrospective
-description: Phase retrospective with insight routing to specs and knowhow
+description: Use after completing a phase to extract lessons, patterns, and improvement opportunities
 argument-hint: "[phase|N..M] [--lens technical|process|quality|decision] [--all] [--no-route] [--compare N] [-y]"
 allowed-tools:
   - Read

package/.claude/commands/quality-review.md

@@ -1,6 +1,6 @@
 ---
 name: quality-review
-description: Tiered code review with severity classification
+description: Use after execution to evaluate code quality across correctness, security, performance, and architecture
 argument-hint: "<phase> [--level quick|standard|deep] [--dimensions security,architecture,...] [--skip-specs]"
 allowed-tools:
   - Read
@@ -87,6 +87,20 @@ Report format and next-step routing by verdict defined in workflow review.md Rep
 - PASS → `/quality-test {phase}`
 - WARN → `/quality-test {phase}` (proceed with caveats)
 - BLOCK → `/maestro-plan {phase} --gaps` (fix critical findings first)
+
+**Completion status:**
+```
+--- COMPLETION STATUS ---
+STATUS: DONE|DONE_WITH_CONCERNS|NEEDS_RETRY
+CONCERNS: {description if applicable}
+NEXT: /quality-refactor
+--- END STATUS ---
+```
+
+Status mapping:
+- **DONE** — PASS verdict, no critical findings → NEXT: /quality-refactor
+- **DONE_WITH_CONCERNS** — WARN verdict, issues found but non-blocking → NEXT: /maestro-verify
+- **NEEDS_RETRY** — BLOCK verdict, critical findings require fix first
 </execution>
 
 <error_codes>

package/.claude/commands/quality-test.md

@@ -1,6 +1,6 @@
 ---
 name: quality-test
-description: Conversational UAT with auto-diagnosis and gap closure
+description: Use when implementation needs user acceptance testing with interactive verification and gap closure
 argument-hint: "[phase] [--smoke] [--auto-fix]"
 allowed-tools:
   - Read

package/.claude/commands/security-audit.md

@@ -0,0 +1,154 @@
+---
+name: security-audit
+description: OWASP Top 10 and STRIDE security auditing with supply chain analysis
+argument-hint: "[quick|standard|deep] [--scope <path>]"
+allowed-tools:
+  - Read
+  - Bash
+  - Glob
+  - Grep
+  - Agent
+  - AskUserQuestion
+---
+<purpose>
+Systematic security audit covering OWASP Top 10, dependency supply chain, secrets detection,
+CI/CD pipeline review, and optional STRIDE threat modeling. Three tiers control depth vs speed.
+</purpose>
+
+<context>
+$ARGUMENTS — Parse tier and scope:
+- Tier: `quick` (default) | `standard` | `deep`
+- `--scope <path>`: Limit scan to directory (default: project root)
+
+**Tier coverage:**
+
+| Tier | OWASP | Dependencies | Secrets | CI/CD | STRIDE | Git History |
+|------|-------|-------------|---------|-------|--------|-------------|
+| quick | ✓ | ✓ | — | — | — | — |
+| standard | ✓ | ✓ | ✓ | ✓ | — | — |
+| deep | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
+</context>
+
+<execution>
+
+**Phase 1: Reconnaissance**
+
+1. Detect tech stack from package.json / go.mod / requirements.txt / Cargo.toml
+2. Identify entry points: HTTP handlers, API routes, CLI parsers, WebSocket handlers
+3. List authentication/authorization modules
+4. Map data flow: user input → processing → storage → output
+
+**Phase 2: OWASP Top 10 Scan** (all tiers)
+
+For each category, scan relevant source files:
+
+| # | Category | What to check |
+|---|----------|--------------|
+| A01 | Broken Access Control | Missing auth middleware, direct object references, path traversal |
+| A02 | Cryptographic Failures | Weak algorithms, hardcoded keys, missing TLS, plaintext storage |
+| A03 | Injection | SQL concatenation, shell exec with user input, template injection |
+| A04 | Insecure Design | Missing rate limits, no CSRF tokens, predictable tokens |
+| A05 | Security Misconfiguration | Debug mode, default credentials, verbose errors, open CORS |
+| A06 | Vulnerable Components | Known CVEs in dependencies |
+| A07 | Auth Failures | Weak password rules, missing brute-force protection, session fixation |
+| A08 | Data Integrity | Deserialization of untrusted data, unsigned updates |
+| A09 | Logging Failures | Missing audit logs, logging sensitive data |
+| A10 | SSRF | Unvalidated URLs in server-side requests |
+
+Use `Grep` for pattern matching (e.g., `eval(`, `exec(`, `innerHTML`, `dangerouslySetInnerHTML`,
+`sql.*\+.*req\.`, `process\.env` without validation).
+
+**Phase 3: Dependency Audit** (all tiers)
+
+```bash
+# Node.js
+npm audit --json 2>/dev/null || true
+# Check lockfile integrity
+test -f package-lock.json && echo "lockfile present" || echo "WARNING: no lockfile"
+```
+
+Check for:
+- Known vulnerabilities (CVE references)
+- Lockfile presence and integrity
+- Typosquatting risk on critical dependencies (manually check suspicious names)
+
+**Phase 4: Secrets Detection** (standard + deep)
+
+```bash
+# Current codebase
+grep -rn --include="*.ts" --include="*.js" --include="*.json" --include="*.env*" \
+  -E "(password|secret|api.?key|token|credential).*=.*['\"][^'\"]{8,}" . || true
+```
+
+Check `.env.example` for leaked values. Check `.gitignore` for missing `.env` patterns.
+
+**Phase 5: CI/CD Audit** (standard + deep)
+
+Scan `.github/workflows/*.yml` for:
+- Overly permissive `permissions:` (write-all, contents: write)
+- Unpinned action versions (`uses: actions/checkout@main` vs `@v4.1.0`)
+- Secrets in logs (missing `mask` or `add-mask`)
+- Pull request trigger with `pull_request_target` (code injection risk)
+
+**Phase 6: STRIDE Threat Modeling** (deep only)
+
+For each critical module identified in Phase 1:
+
+| Threat | Question |
+|--------|----------|
+| **S**poofing | Can identity be faked? Is auth per-request? |
+| **T**ampering | Can data be modified in transit/storage? Integrity checks? |
+| **R**epudiation | Are actions logged with user identity? |
+| **I**nformation Disclosure | Can unauthorized data be accessed? |
+| **D**enial of Service | Resource limits? Rate limiting? |
+| **E**levation of Privilege | Can roles be escalated? Input validation on role fields? |
+
+**Phase 7: Git History Archaeology** (deep only)
+
+```bash
+# Search for previously committed secrets
+git log --all --diff-filter=D --name-only --pretty=format: -- "*.env" "*.key" "*.pem" 2>/dev/null | head -20
+git log -p --all -S "password" --since="1 year ago" -- "*.ts" "*.js" 2>/dev/null | head -50
+```
+
+**Phase 8: Report**
+
+Output severity matrix:
+
+```
+=== Security Audit ({tier}) ===
+
+CRITICAL ({count}):
+  - [A03] SQL injection in {file}:{line} — {description}
+    Fix: {remediation}
+
+HIGH ({count}):
+  ...
+
+MEDIUM ({count}):
+  ...
+
+LOW ({count}):
+  ...
+
+Summary: {total} findings ({critical} critical, {high} high, {medium} medium, {low} low)
+```
+
+Emit completion status:
+```
+--- COMPLETION STATUS ---
+STATUS: DONE|DONE_WITH_CONCERNS
+CONCERNS: {count} critical findings require immediate action
+NEXT: /quality-review
+--- END STATUS ---
+```
+</execution>
+
+<success_criteria>
+- [ ] Tech stack identified and entry points mapped
+- [ ] OWASP Top 10 categories all checked (tier-appropriate)
+- [ ] Dependency audit completed with CVE listing
+- [ ] Severity matrix produced with file:line references
+- [ ] Each finding includes remediation suggestion
+- [ ] Completion status block emitted
+</success_criteria>

package/.claude/skills/maestro-help/index/catalog.json

@@ -23,6 +23,7 @@
     {"name": "maestro-milestone-complete", "command": "/maestro-milestone-complete", "category": "milestone", "description": "里程碑完成 — 归档里程碑并推进下一个", "source": "../../commands/maestro-milestone-complete.md"},
     {"name": "maestro-milestone-release", "command": "/maestro-milestone-release", "category": "milestone", "description": "里程碑发布 — 生成发布说明和变更日志", "source": "../../commands/maestro-milestone-release.md"},
     {"name": "maestro-composer", "command": "/maestro-composer", "category": "core", "description": "编排器 — compose + play 工作流组合执行", "source": "../../commands/maestro-composer.md"},
+    {"name": "maestro-guard", "command": "/maestro-guard", "category": "core", "description": "编辑边界治理", "source": "../../commands/maestro-guard.md"},
     {"name": "maestro-player", "command": "/maestro-player", "category": "core", "description": "播放器 — 执行已编排的工作流", "source": "../../commands/maestro-player.md"},
     {"name": "maestro-ralph", "command": "/maestro-ralph", "category": "ralph", "description": "Ralph 引擎 — 自适应生命周期决策节点管理", "source": "../../commands/maestro-ralph.md"},
     {"name": "maestro-ralph-execute", "command": "/maestro-ralph-execute", "category": "ralph", "description": "Ralph 执行 — 运行自适应决策链", "source": "../../commands/maestro-ralph-execute.md"},
@@ -45,6 +46,7 @@
     {"name": "quality-review", "command": "/quality-review", "category": "quality", "description": "代码审查 — 多维度代码质量检查", "source": "../../commands/quality-review.md"},
     {"name": "quality-auto-test", "command": "/quality-auto-test", "category": "quality", "description": "自动测试 — 智能路由 spec/gap/code 测试", "source": "../../commands/quality-auto-test.md"},
     {"name": "quality-test", "command": "/quality-test", "category": "quality", "description": "业务测试 — 会话式 UAT 验证", "source": "../../commands/quality-test.md"},
+    {"name": "security-audit", "command": "/security-audit", "category": "quality", "description": "OWASP/STRIDE 安全审计", "source": "../../commands/security-audit.md"},
     {"name": "quality-debug", "command": "/quality-debug", "category": "quality", "description": "质量调试 — 诊断测试失败并提供修复方案", "source": "../../commands/quality-debug.md"},
     {"name": "quality-refactor", "command": "/quality-refactor", "category": "quality", "description": "代码重构 — 结构优化和模式改进", "source": "../../commands/quality-refactor.md"},
     {"name": "quality-sync", "command": "/quality-sync", "category": "quality", "description": "质量同步 — 跨 Phase 质量状态对齐", "source": "../../commands/quality-sync.md"},

package/.codex/skills/maestro-analyze/SKILL.md

@@ -1,6 +1,6 @@
 ---
 name: maestro-analyze
-description: Multi-angle analysis with CLI-assisted exploration
+description: Use when a topic needs structured multi-dimensional investigation before planning or decision-making
 argument-hint: "[-y|--yes] [-c|--concurrency N] [--continue] \"<phase|topic> [-q|--quick] [--gaps [ISS-ID]]\""
 allowed-tools: spawn_agents_on_csv, Read, Write, Edit, Bash, Glob, Grep, AskUserQuestion
 ---
@@ -158,6 +158,17 @@ Gray area detection: domain-aware (things users SEE/CALL/RUN/READ), phase-specif
 4. Spec enrichment: Locked decisions -> `maestro spec add arch`; code patterns -> `maestro spec add coding`
 5. Register artifact in state.json (type: analyze)
 6. Copy outputs to scratchDir, display summary
+7. **Next-step routing**:
+
+   | Scope | Condition | Next |
+   |-------|-----------|------|
+   | Phase/Milestone | Go + UI work needed | `$maestro-impeccable build {target}` |
+   | Phase/Milestone | Go + ready to plan | `$maestro-plan` or `$maestro-plan {phase}` |
+   | Phase/Milestone | No-Go | `$maestro-brainstorm {topic}` |
+   | Adhoc/Standalone | Ready to plan | `$maestro-plan --dir {scratch_dir}` |
+   | Adhoc/Standalone | Need more exploration | `$maestro-analyze {topic} --continue` |
+   | Gaps | Issues analyzed | `$maestro-plan --gaps` |
+   | Gaps | Need more context | `$maestro-analyze --gaps {ISS-ID}` |
 
 </actions>
 
@@ -192,9 +203,15 @@ Protocol: read before analysis, append-only, dedup by type+key.
 <success_criteria>
 - [ ] All waves executed in order (or skipped per mode)
 - [ ] context.md produced (all modes); analysis.md + conclusions.json (full mode)
+- [ ] context.md contains all decisions classified as Locked/Free/Deferred
+- [ ] Decision Recording Protocol applied to all decisions
 - [ ] Confidence scored per dimension with factor-based model (full mode)
+- [ ] Readiness gate checked before synthesis (wave 3)
+- [ ] Pressure pass completed ≥ 1 time on highest-risk dimension before synthesis
 - [ ] Deferred items auto-created as issues
+- [ ] Scope creep redirected to Deferred section
 - [ ] Artifact registered in state.json
 - [ ] discoveries.ndjson append-only throughout
+- [ ] Next step routed (plan for Go, brainstorm for No-Go, plan --gaps for Gaps)
 </success_criteria>
 </output>

package/.codex/skills/maestro-brainstorm/SKILL.md

@@ -1,6 +1,6 @@
 ---
 name: maestro-brainstorm
-description: Brainstorm with auto pipeline or single-role analysis
+description: Use when exploring ideas, evaluating approaches, or needing multi-perspective analysis before implementation
 argument-hint: "[topic] [-y|--yes] [-c|--concurrency N] [--continue] [--count N] [--skip-questions]"
 allowed-tools: spawn_agents_on_csv, Read, Write, Edit, Bash, Glob, Grep, request_user_input
 ---
@@ -17,6 +17,11 @@ $ARGUMENTS — topic text and optional flags.
 
 **9 valid roles**: data-architect, product-manager, product-owner, scrum-master, subject-matter-expert, system-architect, test-strategist, ui-designer, ux-expert
 
+### Pre-load specs
+1. **Architecture specs**: `maestro spec load --category arch` — load architecture constraints as context for multi-role analysis (roles respect documented decisions).
+2. **Role Knowledge**: `maestro wiki list --category arch` → identify relevant entries → `maestro wiki load <id1> [id2...]`
+3. Both optional — proceed without if unavailable.
+
 **Session**: `.workflow/.csv-wave/{YYYYMMDD}-brainstorm-{slug}/`
 **Output**: tasks.csv, results.csv, discoveries.ndjson, context.md, `.brainstorming/` (guidance-specification.md, feature-index.json, synthesis-changelog.md, feature-specs/, {role}/analysis*.md)
 </context>
@@ -139,8 +144,16 @@ Protocol: read before analysis, append-only, dedup by type+key.
 
 <success_criteria>
 - [ ] 3 waves executed: guidance → parallel roles → synthesis
-- [ ] guidance-specification.md + role analyses + synthesis artifacts produced
-- [ ] feature-index.json + context.md generated
+- [ ] guidance-specification.md with RFC 2119 keywords, terminology, non-goals, feature decomposition
+- [ ] Role analysis files for each selected NON-UI role
+- [ ] If ui-designer selected: DESIGN.md established via impeccable explore; analysis.md with UX analysis
+- [ ] Feature specs in `.brainstorming/feature-specs/` or synthesis-specification.md
+- [ ] UI-bearing feature specs reference DESIGN.md for visual constraints
+- [ ] feature-index.json + synthesis-changelog.md + context.md generated
+- [ ] All user decisions captured with Decision Recording Protocol
+- [ ] Confidence scored per role and after cross-role analysis
+- [ ] Readiness gate checked before spec generation (wave 3)
+- [ ] Pressure pass completed on at least 1 feature spec
 - [ ] discoveries.ndjson append-only throughout
-- [ ] Confidence scored, conflict quality gate evaluated
+- [ ] Conflict quality gate: >3 UNRESOLVED → warn
 </success_criteria>

package/.codex/skills/maestro-collab/SKILL.md

@@ -1,6 +1,6 @@
 ---
 name: maestro-collab
-description: Multi-CLI collaborative analysis -- fan-out to multiple CLI tools, cross-verify, synthesize
+description: Use when a question needs cross-verification from multiple CLI tools or diverse analytical perspectives
 argument-hint: "\"<requirement>\" [--tools gemini,qwen,claude] [--mode analysis|write] [--rule <template>] [-y]"
 allowed-tools: spawn_agents_on_csv, Read, Write, Edit, Bash, Glob, Grep, request_user_input
 ---
@@ -216,3 +216,9 @@ Protocol: read before analysis, append-only, dedup by type+key.
 - [ ] CLB artifact registered, outputs copied to scratchDir
 - [ ] Partial degradation: continued if 1+ tools succeeded
 </success_criteria>
+
+<next_step_routing>
+- Deep feasibility analysis → `$maestro-analyze "{topic}"`
+- Plan from conclusions → `$maestro-plan --dir {dir}`
+- Expand exploration → `$maestro-brainstorm "{topic}"`
+</next_step_routing>