npm - maestro-flow - Versions diffs - 0.4.2 → 0.4.4 - Mend

maestro-flow 0.4.2 → 0.4.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (302) hide show

package/.claude/commands/maestro-analyze.md CHANGED Viewed

@@ -1,6 +1,6 @@
 ---
 name: maestro-analyze
-description: Multi-angle analysis with CLI-assisted exploration
+description: Use when a topic needs structured multi-dimensional investigation before planning or decision-making
 argument-hint: "[phase|topic] [-y] [-c] [-q] [--gaps [ISS-ID]]"
 allowed-tools:
   - Read

package/.claude/commands/maestro-brainstorm.md CHANGED Viewed

@@ -1,6 +1,6 @@
 ---
 name: maestro-brainstorm
-description: Brainstorm with auto pipeline or single-role analysis
+description: Use when exploring ideas, evaluating approaches, or needing multi-perspective analysis before implementation
 argument-hint: "[topic|role-name] [--yes] [--count N] [--session ID] [--update] [--skip-questions] [--include-questions] [--style-skill PKG]"
 allowed-tools:
   - Read

package/.claude/commands/maestro-collab.md CHANGED Viewed

@@ -1,6 +1,6 @@
 ---
 name: maestro-collab
-description: Multi-CLI collaborative analysis -- fan-out to multiple CLI tools, cross-verify, synthesize
+description: Use when a question needs cross-verification from multiple CLI tools or diverse analytical perspectives
 argument-hint: "\"<requirement>\" [--tools gemini,qwen,claude] [--mode analysis|write] [--rule <template>] [-y]"
 allowed-tools:
   - Read

package/.claude/commands/maestro-execute.md CHANGED Viewed

@@ -1,6 +1,6 @@
 ---
 name: maestro-execute
-description: Execute plan with parallel waves and atomic commits
+description: Use when a confirmed plan is ready for implementation
 argument-hint: "[phase] [--auto-commit] [--method agent|cli|auto] [--executor <tool>] [--dir <path>] [-y]"
 allowed-tools:
   - Read
@@ -98,6 +98,15 @@ Next steps:
   /manage-status               -- View project dashboard
 ```
+**Completion status:**
+```
+--- COMPLETION STATUS ---
+STATUS: DONE|DONE_WITH_CONCERNS|NEEDS_RETRY
+CONCERNS: {failed_count} tasks failed (if any)
+NEXT: /maestro-verify
+--- END STATUS ---
+```
 If failed tasks exist, suggest /quality-debug for investigation.
 </execution>

package/.claude/commands/maestro-guard.md ADDED Viewed

@@ -0,0 +1,101 @@
+---
+name: maestro-guard
+description: Manage editing boundary restrictions
+argument-hint: "<on|off|status|allow <path>|deny <path>>"
+allowed-tools:
+  - Read
+  - Write
+  - Bash
+  - Glob
+---
+<purpose>
+Configure directory-level write boundaries enforced by the workflow-guard PreToolUse hook.
+When enabled, Write and Edit tool calls targeting files outside allowed paths are blocked.
+Subcommands:
+- **on** — Enable path guard (defaults to `src/` if no paths configured)
+- **off** — Disable path guard (preserves path list)
+- **status** — Show current guard configuration
+- **allow `<path>`** — Add a directory to the allowed paths list
+- **deny `<path>`** — Switch to deny mode and add path to deny list
+</purpose>
+<context>
+$ARGUMENTS — Parse subcommand and optional path argument.
+**Config location:** `.workflow/config.json` → `guard` section
+```json
+{
+  "guard": {
+    "enabled": false,
+    "mode": "allow",
+    "paths": []
+  }
+}
+```
+**Enforcement:** The `workflow-guard` hook (PreToolUse on Write/Edit) reads this config
+and blocks operations targeting files outside boundaries. Requires hooks level >= `full`.
+</context>
+<execution>
+**Step 1: Parse subcommand**
+Extract from $ARGUMENTS:
+- `on` / `off` / `status` / `allow <path>` / `deny <path>`
+- If no subcommand, default to `status`
+**Step 2: Read config**
+Read `.workflow/config.json`. If file missing, initialize with empty guard section.
+**Step 3: Execute subcommand**
+**`status`:**
+- Display: enabled/disabled, mode (allow/deny), paths list
+- Check if workflow-guard hook is active (read `.claude/settings.json` for hook presence)
+- If guard enabled but hook not active, warn: "⚠ PathGuard enabled but workflow-guard hook not installed. Run `maestro hooks level full` to activate."
+**`on`:**
+- Set `guard.enabled = true`
+- If `guard.paths` is empty, set default: `["src/", "tests/", ".workflow/"]`
+- Check hook level, warn if < full
+- Write config
+**`off`:**
+- Set `guard.enabled = false`
+- Preserve existing paths and mode
+- Write config
+**`allow <path>`:**
+- Normalize path to forward slashes, ensure trailing slash for directories
+- If `guard.mode` is `deny`, switch to `allow` and clear paths with warning
+- Add path to `guard.paths` (deduplicate)
+- Set `guard.enabled = true` if not already
+- Write config
+**`deny <path>`:**
+- Normalize path to forward slashes
+- Set `guard.mode = "deny"`
+- Add path to `guard.paths` (deduplicate)
+- Set `guard.enabled = true` if not already
+- Write config
+**Step 4: Confirm**
+Display updated guard configuration.
+</execution>
+<error_codes>
+- E001: `.workflow/config.json` not found and cannot be created (not a maestro project)
+- W001: PathGuard enabled but workflow-guard hook not installed
+</error_codes>
+<success_criteria>
+- [ ] Config read/written correctly
+- [ ] Hook level warning displayed when applicable
+- [ ] Updated configuration shown after changes
+</success_criteria>

package/.claude/commands/maestro-impeccable.md CHANGED Viewed

@@ -1,6 +1,6 @@
 ---
 name: maestro-impeccable
-description: Production-grade UI design — 24 commands + chain orchestration with quality gates + design search
+description: Use when designing, auditing, polishing, or improving frontend UI — websites, dashboards, landing pages, components
 argument-hint: "<command|chain|intent> [target] [flags]"
 allowed-tools:
   - Read

package/.claude/commands/maestro-plan.md CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 name: maestro-plan
-description: Plan phase execution with exploration and verification
-argument-hint: "[phase] [--collab] [--spec SPEC-xxx] [-y] [--gaps] [--dir <path>] [--revise [instructions]] [--check <plan-dir>]"
+description: Use when creating, revising, or verifying an execution plan for a phase or task
+argument-hint: "[phase] [--collab] [--spec SPEC-xxx] [-y] [--gaps] [--tdd] [--dir <path>] [--revise [instructions]] [--check <plan-dir>]"
 allowed-tools:
   - Read
   - Write
@@ -122,6 +122,19 @@ Next steps:
   /maestro-plan {phase}         -- Re-plan with modifications
 ```
+**Completion status:**
+```
+--- COMPLETION STATUS ---
+STATUS: DONE|NEEDS_CONTEXT
+CONCERNS: {description if applicable}
+NEXT: /maestro-execute
+--- END STATUS ---
+```
+Status mapping:
+- **DONE** — Plan created/revised and confirmed → NEXT: /maestro-execute
+- **NEEDS_CONTEXT** — Ambiguous requirements, insufficient context to produce plan
 ### Mode: Revise / Check
 Follow workflow plan.md § "Revise Mode" and § "Check Mode" respectively. These modes bypass the standard P1-P5 create pipeline.

package/.claude/commands/maestro-ralph-execute.md CHANGED Viewed

@@ -180,8 +180,15 @@ Write enriched args back to status.json (resume-safe).
    - `PHASE: N` → session.phase
    - `scratch_dir: path` → context.scratch_dir
    - `SPEC-xxx` → context.spec_session_id
-3. Write status.json
-4. Display: `[{index}/{total}] ✓ {skill} completed`
+3. Scan output for `--- COMPLETION STATUS ---` block. If found, parse and map:
+   - `STATUS: DONE` → `step.status = "completed"`
+   - `STATUS: DONE_WITH_CONCERNS` → `step.status = "completed"`, `step.concerns = CONCERNS value`
+   - `STATUS: NEEDS_RETRY` → trigger retry: set `step.status = "pending"`, `step.retried = true` → S_HANDLE_FAIL
+   - `STATUS: BLOCKED` → `session.status = "paused"`, display blocker reason from CONCERNS
+   - `STATUS: NEEDS_CONTEXT` → `session.status = "paused"`, display context gap from CONCERNS
+   - If no `--- COMPLETION STATUS ---` block found → fall back to existing heuristic (backward compatible)
+4. Write status.json
+5. Display: `[{index}/{total}] ✓ {skill} completed`
 ### A_RETRY

package/.claude/commands/maestro-ralph.md CHANGED Viewed

@@ -1,6 +1,6 @@
 ---
 name: maestro-ralph
-description: Adaptive lifecycle engine — infer state, build command chain
+description: Use when the optimal command sequence is unclear and needs automated state-based determination
 argument-hint: "[-y] \"intent\" | status | continue"
 allowed-tools:
   - Read
@@ -238,6 +238,13 @@ Build rules: start from position, skip completed, insert decision nodes with `{
    ```
 6. On callback: parse verdict; if parse fails → fallback STATUS="fix"
 7. Confidence adjustment: <60 + proceed → fix; >95 + fix + retry>0 → suggest proceed
+8. **Decision log**: Append to `{session_dir}/decisions.ndjson`:
+   ```json
+   { "id": "DEC-{timestamp}", "timestamp": "{ISO}", "source": "ralph",
+     "node_id": "{step.decision}", "type": "quality-gate",
+     "verdict": "{adjusted_verdict}", "confidence_score": {N},
+     "close_call": {N>=50 && N<=70}, "summary": "{REASON}" }
+   ```
 ### A_STRUCTURAL_EVALUATE

package/.claude/commands/maestro-verify.md CHANGED Viewed

@@ -1,6 +1,6 @@
 ---
 name: maestro-verify
-description: Verify goals with must-have checks and test coverage validation
+description: Use after execution to verify goals are actually achieved with evidence-based structural checks
 argument-hint: "[phase] [--skip-tests] [--skip-antipattern] [--dir <path>]"
 allowed-tools:
   - Read
@@ -70,6 +70,20 @@ On confirm → `Skill("spec-add", "<category> <content>")`.
 **Gap-fix closure loop:**
 Gaps found → maestro-plan --gaps → maestro-execute → maestro-verify (re-run)
+**Completion status:**
+```
+--- COMPLETION STATUS ---
+STATUS: DONE|DONE_WITH_CONCERNS|NEEDS_RETRY
+CONCERNS: {description if applicable}
+NEXT: /quality-review
+--- END STATUS ---
+```
+Status mapping:
+- **DONE** — All checks pass, no gaps → NEXT: /quality-review
+- **DONE_WITH_CONCERNS** — Gaps found (must-have failures or anti-pattern blockers) → NEXT: /maestro-execute (after /maestro-plan --gaps)
+- **NEEDS_RETRY** — Verification could not complete (missing artifacts, corrupt data)
 </execution>
 <error_codes>

package/.claude/commands/quality-auto-test.md CHANGED Viewed

@@ -1,6 +1,6 @@
 ---
 name: quality-auto-test
-description: Auto-generate and run tests from specs or coverage gaps
+description: Use when test coverage needs automated expansion or existing tests need iterative convergence
 argument-hint: "<phase> [-y] [-c N] [--max-iter <N>] [--layer <L0-L3>] [--strategy <name>] [--dry-run] [--re-run]"
 allowed-tools:
   - spawn_agents_on_csv

package/.claude/commands/quality-debug.md CHANGED Viewed

@@ -1,6 +1,6 @@
 ---
 name: quality-debug
-description: Debug with parallel hypotheses and root cause analysis
+description: Use when bugs, test failures, or unexpected behavior need systematic root cause investigation
 argument-hint: "[issue description] [--from-uat <phase>] [--parallel]"
 allowed-tools:
   - Read

package/.claude/commands/quality-refactor.md CHANGED Viewed

@@ -1,6 +1,6 @@
 ---
 name: quality-refactor
-description: Reduce tech debt with reflection-driven iteration
+description: Use when accumulated tech debt needs systematic identification and safe reduction
 argument-hint: "[<scope>]"
 allowed-tools:
   - Read

package/.claude/commands/quality-retrospective.md CHANGED Viewed

@@ -1,6 +1,6 @@
 ---
 name: quality-retrospective
-description: Phase retrospective with insight routing to specs and knowhow
+description: Use after completing a phase to extract lessons, patterns, and improvement opportunities
 argument-hint: "[phase|N..M] [--lens technical|process|quality|decision] [--all] [--no-route] [--compare N] [-y]"
 allowed-tools:
   - Read

package/.claude/commands/quality-review.md CHANGED Viewed

@@ -1,6 +1,6 @@
 ---
 name: quality-review
-description: Tiered code review with severity classification
+description: Use after execution to evaluate code quality across correctness, security, performance, and architecture
 argument-hint: "<phase> [--level quick|standard|deep] [--dimensions security,architecture,...] [--skip-specs]"
 allowed-tools:
   - Read
@@ -87,6 +87,20 @@ Report format and next-step routing by verdict defined in workflow review.md Rep
 - PASS → `/quality-test {phase}`
 - WARN → `/quality-test {phase}` (proceed with caveats)
 - BLOCK → `/maestro-plan {phase} --gaps` (fix critical findings first)
+**Completion status:**
+```
+--- COMPLETION STATUS ---
+STATUS: DONE|DONE_WITH_CONCERNS|NEEDS_RETRY
+CONCERNS: {description if applicable}
+NEXT: /quality-refactor
+--- END STATUS ---
+```
+Status mapping:
+- **DONE** — PASS verdict, no critical findings → NEXT: /quality-refactor
+- **DONE_WITH_CONCERNS** — WARN verdict, issues found but non-blocking → NEXT: /maestro-verify
+- **NEEDS_RETRY** — BLOCK verdict, critical findings require fix first
 </execution>
 <error_codes>

package/.claude/commands/quality-test.md CHANGED Viewed

@@ -1,6 +1,6 @@
 ---
 name: quality-test
-description: Conversational UAT with auto-diagnosis and gap closure
+description: Use when implementation needs user acceptance testing with interactive verification and gap closure
 argument-hint: "[phase] [--smoke] [--auto-fix]"
 allowed-tools:
   - Read

package/.claude/commands/security-audit.md ADDED Viewed

@@ -0,0 +1,154 @@
+---
+name: security-audit
+description: OWASP Top 10 and STRIDE security auditing with supply chain analysis
+argument-hint: "[quick|standard|deep] [--scope <path>]"
+allowed-tools:
+  - Read
+  - Bash
+  - Glob
+  - Grep
+  - Agent
+  - AskUserQuestion
+---
+<purpose>
+Systematic security audit covering OWASP Top 10, dependency supply chain, secrets detection,
+CI/CD pipeline review, and optional STRIDE threat modeling. Three tiers control depth vs speed.
+</purpose>
+<context>
+$ARGUMENTS — Parse tier and scope:
+- Tier: `quick` (default) | `standard` | `deep`
+- `--scope <path>`: Limit scan to directory (default: project root)
+**Tier coverage:**
+| Tier | OWASP | Dependencies | Secrets | CI/CD | STRIDE | Git History |
+|------|-------|-------------|---------|-------|--------|-------------|
+| quick | ✓ | ✓ | — | — | — | — |
+| standard | ✓ | ✓ | ✓ | ✓ | — | — |
+| deep | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
+</context>
+<execution>
+**Phase 1: Reconnaissance**
+1. Detect tech stack from package.json / go.mod / requirements.txt / Cargo.toml
+2. Identify entry points: HTTP handlers, API routes, CLI parsers, WebSocket handlers
+3. List authentication/authorization modules
+4. Map data flow: user input → processing → storage → output
+**Phase 2: OWASP Top 10 Scan** (all tiers)
+For each category, scan relevant source files:
+| # | Category | What to check |
+|---|----------|--------------|
+| A01 | Broken Access Control | Missing auth middleware, direct object references, path traversal |
+| A02 | Cryptographic Failures | Weak algorithms, hardcoded keys, missing TLS, plaintext storage |
+| A03 | Injection | SQL concatenation, shell exec with user input, template injection |
+| A04 | Insecure Design | Missing rate limits, no CSRF tokens, predictable tokens |
+| A05 | Security Misconfiguration | Debug mode, default credentials, verbose errors, open CORS |
+| A06 | Vulnerable Components | Known CVEs in dependencies |
+| A07 | Auth Failures | Weak password rules, missing brute-force protection, session fixation |
+| A08 | Data Integrity | Deserialization of untrusted data, unsigned updates |
+| A09 | Logging Failures | Missing audit logs, logging sensitive data |
+| A10 | SSRF | Unvalidated URLs in server-side requests |
+Use `Grep` for pattern matching (e.g., `eval(`, `exec(`, `innerHTML`, `dangerouslySetInnerHTML`,
+`sql.*\+.*req\.`, `process\.env` without validation).
+**Phase 3: Dependency Audit** (all tiers)
+```bash
+# Node.js
+npm audit --json 2>/dev/null || true
+# Check lockfile integrity
+test -f package-lock.json && echo "lockfile present" || echo "WARNING: no lockfile"
+```
+Check for:
+- Known vulnerabilities (CVE references)
+- Lockfile presence and integrity
+- Typosquatting risk on critical dependencies (manually check suspicious names)
+**Phase 4: Secrets Detection** (standard + deep)
+```bash
+# Current codebase
+grep -rn --include="*.ts" --include="*.js" --include="*.json" --include="*.env*" \
+  -E "(password|secret|api.?key|token|credential).*=.*['\"][^'\"]{8,}" . || true
+```
+Check `.env.example` for leaked values. Check `.gitignore` for missing `.env` patterns.
+**Phase 5: CI/CD Audit** (standard + deep)
+Scan `.github/workflows/*.yml` for:
+- Overly permissive `permissions:` (write-all, contents: write)
+- Unpinned action versions (`uses: actions/checkout@main` vs `@v4.1.0`)
+- Secrets in logs (missing `mask` or `add-mask`)
+- Pull request trigger with `pull_request_target` (code injection risk)
+**Phase 6: STRIDE Threat Modeling** (deep only)
+For each critical module identified in Phase 1:
+| Threat | Question |
+|--------|----------|
+| **S**poofing | Can identity be faked? Is auth per-request? |
+| **T**ampering | Can data be modified in transit/storage? Integrity checks? |
+| **R**epudiation | Are actions logged with user identity? |
+| **I**nformation Disclosure | Can unauthorized data be accessed? |
+| **D**enial of Service | Resource limits? Rate limiting? |
+| **E**levation of Privilege | Can roles be escalated? Input validation on role fields? |
+**Phase 7: Git History Archaeology** (deep only)
+```bash
+# Search for previously committed secrets
+git log --all --diff-filter=D --name-only --pretty=format: -- "*.env" "*.key" "*.pem" 2>/dev/null | head -20
+git log -p --all -S "password" --since="1 year ago" -- "*.ts" "*.js" 2>/dev/null | head -50
+```
+**Phase 8: Report**
+Output severity matrix:
+```
+=== Security Audit ({tier}) ===
+CRITICAL ({count}):
+  - [A03] SQL injection in {file}:{line} — {description}
+    Fix: {remediation}
+HIGH ({count}):
+  ...
+MEDIUM ({count}):
+  ...
+LOW ({count}):
+  ...
+Summary: {total} findings ({critical} critical, {high} high, {medium} medium, {low} low)
+```
+Emit completion status:
+```
+--- COMPLETION STATUS ---
+STATUS: DONE|DONE_WITH_CONCERNS
+CONCERNS: {count} critical findings require immediate action
+NEXT: /quality-review
+--- END STATUS ---
+```
+</execution>
+<success_criteria>
+- [ ] Tech stack identified and entry points mapped
+- [ ] OWASP Top 10 categories all checked (tier-appropriate)
+- [ ] Dependency audit completed with CVE listing
+- [ ] Severity matrix produced with file:line references
+- [ ] Each finding includes remediation suggestion
+- [ ] Completion status block emitted
+</success_criteria>

package/.claude/skills/maestro-help/index/catalog.json CHANGED Viewed

@@ -23,6 +23,7 @@
     {"name": "maestro-milestone-complete", "command": "/maestro-milestone-complete", "category": "milestone", "description": "里程碑完成 — 归档里程碑并推进下一个", "source": "../../commands/maestro-milestone-complete.md"},
     {"name": "maestro-milestone-release", "command": "/maestro-milestone-release", "category": "milestone", "description": "里程碑发布 — 生成发布说明和变更日志", "source": "../../commands/maestro-milestone-release.md"},
     {"name": "maestro-composer", "command": "/maestro-composer", "category": "core", "description": "编排器 — compose + play 工作流组合执行", "source": "../../commands/maestro-composer.md"},
+    {"name": "maestro-guard", "command": "/maestro-guard", "category": "core", "description": "编辑边界治理", "source": "../../commands/maestro-guard.md"},
     {"name": "maestro-player", "command": "/maestro-player", "category": "core", "description": "播放器 — 执行已编排的工作流", "source": "../../commands/maestro-player.md"},
     {"name": "maestro-ralph", "command": "/maestro-ralph", "category": "ralph", "description": "Ralph 引擎 — 自适应生命周期决策节点管理", "source": "../../commands/maestro-ralph.md"},
     {"name": "maestro-ralph-execute", "command": "/maestro-ralph-execute", "category": "ralph", "description": "Ralph 执行 — 运行自适应决策链", "source": "../../commands/maestro-ralph-execute.md"},
@@ -45,6 +46,7 @@
     {"name": "quality-review", "command": "/quality-review", "category": "quality", "description": "代码审查 — 多维度代码质量检查", "source": "../../commands/quality-review.md"},
     {"name": "quality-auto-test", "command": "/quality-auto-test", "category": "quality", "description": "自动测试 — 智能路由 spec/gap/code 测试", "source": "../../commands/quality-auto-test.md"},
     {"name": "quality-test", "command": "/quality-test", "category": "quality", "description": "业务测试 — 会话式 UAT 验证", "source": "../../commands/quality-test.md"},
+    {"name": "security-audit", "command": "/security-audit", "category": "quality", "description": "OWASP/STRIDE 安全审计", "source": "../../commands/security-audit.md"},
     {"name": "quality-debug", "command": "/quality-debug", "category": "quality", "description": "质量调试 — 诊断测试失败并提供修复方案", "source": "../../commands/quality-debug.md"},
     {"name": "quality-refactor", "command": "/quality-refactor", "category": "quality", "description": "代码重构 — 结构优化和模式改进", "source": "../../commands/quality-refactor.md"},
     {"name": "quality-sync", "command": "/quality-sync", "category": "quality", "description": "质量同步 — 跨 Phase 质量状态对齐", "source": "../../commands/quality-sync.md"},

package/.codex/skills/maestro-analyze/SKILL.md CHANGED Viewed

@@ -1,6 +1,6 @@
 ---
 name: maestro-analyze
-description: Multi-angle analysis with CLI-assisted exploration
+description: Use when a topic needs structured multi-dimensional investigation before planning or decision-making
 argument-hint: "[-y|--yes] [-c|--concurrency N] [--continue] \"<phase|topic> [-q|--quick] [--gaps [ISS-ID]]\""
 allowed-tools: spawn_agents_on_csv, Read, Write, Edit, Bash, Glob, Grep, AskUserQuestion
 ---
@@ -158,6 +158,17 @@ Gray area detection: domain-aware (things users SEE/CALL/RUN/READ), phase-specif
 4. Spec enrichment: Locked decisions -> `maestro spec add arch`; code patterns -> `maestro spec add coding`
 5. Register artifact in state.json (type: analyze)
 6. Copy outputs to scratchDir, display summary
+7. **Next-step routing**:
+   | Scope | Condition | Next |
+   |-------|-----------|------|
+   | Phase/Milestone | Go + UI work needed | `$maestro-impeccable build {target}` |
+   | Phase/Milestone | Go + ready to plan | `$maestro-plan` or `$maestro-plan {phase}` |
+   | Phase/Milestone | No-Go | `$maestro-brainstorm {topic}` |
+   | Adhoc/Standalone | Ready to plan | `$maestro-plan --dir {scratch_dir}` |
+   | Adhoc/Standalone | Need more exploration | `$maestro-analyze {topic} --continue` |
+   | Gaps | Issues analyzed | `$maestro-plan --gaps` |
+   | Gaps | Need more context | `$maestro-analyze --gaps {ISS-ID}` |
 </actions>
@@ -192,9 +203,15 @@ Protocol: read before analysis, append-only, dedup by type+key.
 <success_criteria>
 - [ ] All waves executed in order (or skipped per mode)
 - [ ] context.md produced (all modes); analysis.md + conclusions.json (full mode)
+- [ ] context.md contains all decisions classified as Locked/Free/Deferred
+- [ ] Decision Recording Protocol applied to all decisions
 - [ ] Confidence scored per dimension with factor-based model (full mode)
+- [ ] Readiness gate checked before synthesis (wave 3)
+- [ ] Pressure pass completed ≥ 1 time on highest-risk dimension before synthesis
 - [ ] Deferred items auto-created as issues
+- [ ] Scope creep redirected to Deferred section
 - [ ] Artifact registered in state.json
 - [ ] discoveries.ndjson append-only throughout
+- [ ] Next step routed (plan for Go, brainstorm for No-Go, plan --gaps for Gaps)
 </success_criteria>
 </output>

package/.codex/skills/maestro-brainstorm/SKILL.md CHANGED Viewed

@@ -1,6 +1,6 @@
 ---
 name: maestro-brainstorm
-description: Brainstorm with auto pipeline or single-role analysis
+description: Use when exploring ideas, evaluating approaches, or needing multi-perspective analysis before implementation
 argument-hint: "[topic] [-y|--yes] [-c|--concurrency N] [--continue] [--count N] [--skip-questions]"
 allowed-tools: spawn_agents_on_csv, Read, Write, Edit, Bash, Glob, Grep, request_user_input
 ---
@@ -17,6 +17,11 @@ $ARGUMENTS — topic text and optional flags.
 **9 valid roles**: data-architect, product-manager, product-owner, scrum-master, subject-matter-expert, system-architect, test-strategist, ui-designer, ux-expert
+### Pre-load specs
+1. **Architecture specs**: `maestro spec load --category arch` — load architecture constraints as context for multi-role analysis (roles respect documented decisions).
+2. **Role Knowledge**: `maestro wiki list --category arch` → identify relevant entries → `maestro wiki load <id1> [id2...]`
+3. Both optional — proceed without if unavailable.
 **Session**: `.workflow/.csv-wave/{YYYYMMDD}-brainstorm-{slug}/`
 **Output**: tasks.csv, results.csv, discoveries.ndjson, context.md, `.brainstorming/` (guidance-specification.md, feature-index.json, synthesis-changelog.md, feature-specs/, {role}/analysis*.md)
 </context>
@@ -139,8 +144,16 @@ Protocol: read before analysis, append-only, dedup by type+key.
 <success_criteria>
 - [ ] 3 waves executed: guidance → parallel roles → synthesis
-- [ ] guidance-specification.md + role analyses + synthesis artifacts produced
-- [ ] feature-index.json + context.md generated
+- [ ] guidance-specification.md with RFC 2119 keywords, terminology, non-goals, feature decomposition
+- [ ] Role analysis files for each selected NON-UI role
+- [ ] If ui-designer selected: DESIGN.md established via impeccable explore; analysis.md with UX analysis
+- [ ] Feature specs in `.brainstorming/feature-specs/` or synthesis-specification.md
+- [ ] UI-bearing feature specs reference DESIGN.md for visual constraints
+- [ ] feature-index.json + synthesis-changelog.md + context.md generated
+- [ ] All user decisions captured with Decision Recording Protocol
+- [ ] Confidence scored per role and after cross-role analysis
+- [ ] Readiness gate checked before spec generation (wave 3)
+- [ ] Pressure pass completed on at least 1 feature spec
 - [ ] discoveries.ndjson append-only throughout
-- [ ] Confidence scored, conflict quality gate evaluated
+- [ ] Conflict quality gate: >3 UNRESOLVED → warn
 </success_criteria>

package/.codex/skills/maestro-collab/SKILL.md CHANGED Viewed

@@ -1,6 +1,6 @@
 ---
 name: maestro-collab
-description: Multi-CLI collaborative analysis -- fan-out to multiple CLI tools, cross-verify, synthesize
+description: Use when a question needs cross-verification from multiple CLI tools or diverse analytical perspectives
 argument-hint: "\"<requirement>\" [--tools gemini,qwen,claude] [--mode analysis|write] [--rule <template>] [-y]"
 allowed-tools: spawn_agents_on_csv, Read, Write, Edit, Bash, Glob, Grep, request_user_input
 ---
@@ -216,3 +216,9 @@ Protocol: read before analysis, append-only, dedup by type+key.
 - [ ] CLB artifact registered, outputs copied to scratchDir
 - [ ] Partial degradation: continued if 1+ tools succeeded
 </success_criteria>
+<next_step_routing>
+- Deep feasibility analysis → `$maestro-analyze "{topic}"`
+- Plan from conclusions → `$maestro-plan --dir {dir}`
+- Expand exploration → `$maestro-brainstorm "{topic}"`
+</next_step_routing>