mindforge-cc 11.4.0 → 11.5.1

Files changed (98)
  1. package/.agent/CLAUDE.md +13 -0
  2. package/.agent/hooks/lib/hook-flags.js +78 -0
  3. package/.agent/hooks/lib/pretooluse-visible-output.js +46 -0
  4. package/.agent/hooks/mindforge-block-no-verify.js +552 -0
  5. package/.agent/hooks/mindforge-config-protection.js +144 -0
  6. package/.agent/hooks/run-with-flags.js +207 -0
  7. package/.agent/mindforge/checkpoint.md +76 -0
  8. package/.agent/mindforge/harness-audit.md +59 -0
  9. package/.agent/mindforge/instinct.md +46 -0
  10. package/.agent/mindforge/orch-add-feature.md +43 -0
  11. package/.agent/mindforge/orch-build-mvp.md +48 -0
  12. package/.agent/mindforge/orch-change-feature.md +45 -0
  13. package/.agent/mindforge/orch-fix-defect.md +43 -0
  14. package/.agent/mindforge/orch-refine-code.md +43 -0
  15. package/.claude/CLAUDE.md +13 -0
  16. package/.claude/commands/mindforge/checkpoint.md +76 -0
  17. package/.claude/commands/mindforge/execute-phase.md +47 -6
  18. package/.claude/commands/mindforge/harness-audit.md +59 -0
  19. package/.claude/commands/mindforge/instinct.md +46 -0
  20. package/.claude/commands/mindforge/orch-add-feature.md +43 -0
  21. package/.claude/commands/mindforge/orch-build-mvp.md +48 -0
  22. package/.claude/commands/mindforge/orch-change-feature.md +45 -0
  23. package/.claude/commands/mindforge/orch-fix-defect.md +43 -0
  24. package/.claude/commands/mindforge/orch-refine-code.md +43 -0
  25. package/.claude/commands/mindforge/plan-write.md +11 -0
  26. package/.claude/commands/mindforge/product-spec.md +76 -0
  27. package/.mindforge/config.json +2 -2
  28. package/.mindforge/engine/instincts/instinct-schema.md +17 -9
  29. package/.mindforge/imported-agents.jsonl +10 -0
  30. package/.mindforge/manifests/install-components.json +36 -0
  31. package/.mindforge/manifests/install-modules.json +193 -0
  32. package/.mindforge/manifests/install-profiles.json +57 -0
  33. package/.mindforge/memory/sync-manifest.json +1 -1
  34. package/.mindforge/personas/gan-evaluator.md +226 -0
  35. package/.mindforge/personas/gan-generator.md +151 -0
  36. package/.mindforge/personas/gan-planner.md +118 -0
  37. package/.mindforge/personas/harness-optimizer.md +55 -0
  38. package/.mindforge/personas/loop-operator.md +58 -0
  39. package/.mindforge/schemas/hooks.schema.json +199 -0
  40. package/.mindforge/schemas/install-modules.schema.json +44 -0
  41. package/.mindforge/schemas/install-state.schema.json +95 -0
  42. package/.mindforge/schemas/plugin.schema.json +75 -0
  43. package/.mindforge/schemas/provenance.schema.json +31 -0
  44. package/.mindforge/skills/agent-architecture-audit/SKILL.md +272 -0
  45. package/.mindforge/skills/continuous-learning/SKILL.md +16 -0
  46. package/.mindforge/skills/orch-pipeline/SKILL.md +284 -0
  47. package/.mindforge/skills/writing-plans/SKILL.md +76 -0
  48. package/CHANGELOG.md +120 -0
  49. package/MINDFORGE.md +3 -3
  50. package/README.md +0 -1
  51. package/RELEASENOTES.md +131 -0
  52. package/SECURITY.md +16 -0
  53. package/bin/autonomous/auto-runner.js +46 -5
  54. package/bin/autonomous/handoff-schema.js +114 -0
  55. package/bin/autonomous/session-guardian.sh +138 -0
  56. package/bin/autonomous/supervisor.js +98 -0
  57. package/bin/change-classifier.js +19 -5
  58. package/bin/dashboard/api-router.js +10 -1
  59. package/bin/governance/approve.js +65 -28
  60. package/bin/governance/config-manager.js +3 -1
  61. package/bin/governance/rbac-manager.js +14 -6
  62. package/bin/harness-audit.js +520 -0
  63. package/bin/hooks/instinct-capture-hook.js +16 -1
  64. package/bin/hooks/lib/detect-project.js +72 -0
  65. package/bin/installer/harness-adapter-compliance.js +321 -0
  66. package/bin/installer/install-manifests.js +200 -0
  67. package/bin/installer/install-state.js +243 -0
  68. package/bin/installer-core.js +1 -1
  69. package/bin/learning/instinct-cli.js +359 -0
  70. package/bin/learning/lib/ssrf-guard.js +252 -0
  71. package/bin/memory/eis-client.js +31 -10
  72. package/bin/memory/federated-sync.js +11 -2
  73. package/bin/memory/knowledge-capture.js +10 -1
  74. package/bin/memory/pillar-health-tracker.js +9 -1
  75. package/bin/models/llm-errors.js +79 -0
  76. package/bin/models/model-client.js +39 -4
  77. package/bin/models/ollama-provider.js +115 -0
  78. package/bin/models/openai-provider.js +40 -9
  79. package/bin/models/profiles-loader.js +147 -0
  80. package/bin/models/provider-registry.js +59 -0
  81. package/bin/review/ads-engine.js +2 -2
  82. package/bin/revops/market-evaluator.js +23 -2
  83. package/bin/revops/router-steering-v2.js +17 -2
  84. package/bin/security/trust-boundaries.js +20 -3
  85. package/bin/utils/readiness-gate.js +169 -0
  86. package/bin/worktree/engine.js +497 -0
  87. package/package.json +8 -2
  88. package/subagents/categories/04-quality-security/.claude-plugin/plugin.json +10 -0
  89. package/subagents/categories/04-quality-security/go-build-resolver.md +105 -0
  90. package/subagents/categories/04-quality-security/go-reviewer.md +87 -0
  91. package/subagents/categories/04-quality-security/python-reviewer.md +109 -0
  92. package/subagents/categories/04-quality-security/react-build-resolver.md +215 -0
  93. package/subagents/categories/04-quality-security/react-reviewer.md +167 -0
  94. package/subagents/categories/04-quality-security/rust-build-resolver.md +159 -0
  95. package/subagents/categories/04-quality-security/rust-reviewer.md +105 -0
  96. package/subagents/categories/04-quality-security/silent-failure-hunter.md +67 -0
  97. package/subagents/categories/04-quality-security/type-design-analyzer.md +58 -0
  98. package/subagents/categories/04-quality-security/typescript-reviewer.md +126 -0
@@ -0,0 +1,144 @@
1
+ #!/usr/bin/env node
2
+ /**
3
+ * Config Protection Hook
4
+ *
5
+ * Blocks modifications to existing linter/formatter/tsconfig files. Agents
6
+ * frequently weaken these to make checks pass instead of fixing the actual code.
7
+ * This guard steers the agent back to fixing the source — directly reinforcing
8
+ * the repo's own "no gate weakening" posture (commit 10de9c1).
9
+ *
10
+ * Ported from ECC (scripts/hooks/config-protection.js). Already exports
11
+ * run(rawInput) so it runs in-process via run-with-flags.js. Pair with hook-flags
12
+ * so a `standard`/`strict` profile can disable it during legitimate config
13
+ * bootstrap (MINDFORGE_DISABLED_HOOKS=mindforge-config-protection).
14
+ *
15
+ * Exit codes:
16
+ * 0 = allow (not a config file, or first-time creation of one)
17
+ * 2 = block (existing config file modification attempted)
18
+ */
19
+
20
+ 'use strict';
21
+
22
+ const fs = require('fs');
23
+ const path = require('path');
24
+
25
+ const MAX_STDIN = 1024 * 1024;
26
+ let raw = '';
27
+
28
+ const PROTECTED_FILES = new Set([
29
+ // ESLint (legacy + v9 flat config, JS/TS/MJS/CJS)
30
+ '.eslintrc', '.eslintrc.js', '.eslintrc.cjs', '.eslintrc.json', '.eslintrc.yml', '.eslintrc.yaml',
31
+ 'eslint.config.js', 'eslint.config.mjs', 'eslint.config.cjs', 'eslint.config.ts', 'eslint.config.mts', 'eslint.config.cts',
32
+ // Prettier
33
+ '.prettierrc', '.prettierrc.js', '.prettierrc.cjs', '.prettierrc.json', '.prettierrc.yml', '.prettierrc.yaml',
34
+ 'prettier.config.js', 'prettier.config.cjs', 'prettier.config.mjs',
35
+ // Biome
36
+ 'biome.json', 'biome.jsonc',
37
+ // Ruff (Python)
38
+ '.ruff.toml', 'ruff.toml',
39
+ // Note: pyproject.toml intentionally NOT included — it carries project metadata
40
+ // alongside linter config; blocking it would prevent legitimate dependency edits.
41
+ // TypeScript compiler config (agents weaken strictness to silence type errors)
42
+ 'tsconfig.json', 'tsconfig.base.json',
43
+ // Shell / Style / Markdown
44
+ '.shellcheckrc', '.stylelintrc', '.stylelintrc.json', '.stylelintrc.yml',
45
+ '.markdownlint.json', '.markdownlint.yaml', '.markdownlintrc',
46
+ // MindForge governance configs — must never be silently weakened by an agent.
47
+ // commitlint guards conventional commits; .czrc the commit tooling.
48
+ 'commitlint.config.js', '.czrc',
49
+ ]);
50
+
51
+ function parseInput(inputOrRaw) {
52
+ if (typeof inputOrRaw === 'string') {
53
+ try {
54
+ return inputOrRaw.trim() ? JSON.parse(inputOrRaw) : {};
55
+ } catch {
56
+ return {};
57
+ }
58
+ }
59
+ return inputOrRaw && typeof inputOrRaw === 'object' ? inputOrRaw : {};
60
+ }
61
+
62
+ /**
63
+ * Exportable run() for in-process execution via run-with-flags.js.
64
+ */
65
+ function run(inputOrRaw, options = {}) {
66
+ if (options.truncated) {
67
+ return {
68
+ exitCode: 2,
69
+ stderr:
70
+ `BLOCKED: Hook input exceeded ${options.maxStdin || MAX_STDIN} bytes. ` +
71
+ 'Refusing to bypass config-protection on a truncated payload. ' +
72
+ 'Retry with a smaller edit or disable the config-protection hook temporarily.'
73
+ };
74
+ }
75
+
76
+ const input = parseInput(inputOrRaw);
77
+ const filePath = input?.tool_input?.file_path || input?.tool_input?.file || '';
78
+ if (!filePath) return { exitCode: 0 };
79
+
80
+ const basename = path.basename(filePath);
81
+ if (PROTECTED_FILES.has(basename)) {
82
+ // Allow first-time creation — there's no existing config to weaken. Fail
83
+ // closed on any stat error other than ENOENT. lstatSync so a (possibly
84
+ // dangling) symlink at the protected path is treated as present.
85
+ let exists = true;
86
+ try {
87
+ fs.lstatSync(filePath);
88
+ } catch (err) {
89
+ if (err && err.code === 'ENOENT') {
90
+ exists = false;
91
+ }
92
+ // Any other error (EACCES, EPERM, ELOOP) leaves exists=true — never weaken.
93
+ }
94
+
95
+ if (!exists) {
96
+ return { exitCode: 0 };
97
+ }
98
+
99
+ return {
100
+ exitCode: 2,
101
+ stderr:
102
+ `BLOCKED: Modifying ${basename} is not allowed. ` +
103
+ 'Fix the source code to satisfy linter/formatter/tsconfig rules instead ' +
104
+ 'of weakening the config. If this is a legitimate config change, disable ' +
105
+ 'the config-protection hook temporarily (MINDFORGE_DISABLED_HOOKS).'
106
+ };
107
+ }
108
+
109
+ return { exitCode: 0 };
110
+ }
111
+
112
+ module.exports = { run };
113
+
114
+ // Stdin fallback for spawnSync execution (when invoked directly, not via require)
115
+ if (require.main === module) {
116
+ let truncated = /^(1|true|yes)$/i.test(String(process.env.MINDFORGE_HOOK_INPUT_TRUNCATED || ''));
117
+ process.stdin.setEncoding('utf8');
118
+ process.stdin.on('data', chunk => {
119
+ if (raw.length < MAX_STDIN) {
120
+ const remaining = MAX_STDIN - raw.length;
121
+ raw += chunk.substring(0, remaining);
122
+ if (chunk.length > remaining) truncated = true;
123
+ } else {
124
+ truncated = true;
125
+ }
126
+ });
127
+
128
+ process.stdin.on('end', () => {
129
+ const result = run(raw, {
130
+ truncated,
131
+ maxStdin: Number(process.env.MINDFORGE_HOOK_INPUT_MAX_BYTES) || MAX_STDIN
132
+ });
133
+
134
+ if (result.stderr) {
135
+ process.stderr.write(result.stderr + '\n');
136
+ }
137
+
138
+ if (result.exitCode === 2) {
139
+ process.exit(2);
140
+ }
141
+
142
+ process.stdout.write(raw);
143
+ });
144
+ }
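Review bot: The protected-name check in run() is an exact, case-sensitive match (`PROTECTED_FILES.has(basename)`), so on a case-insensitive filesystem a differently-cased spelling of a protected name reaches the existing config file without being matched. Every entry in the set is lowercase, so `if (PROTECTED_FILES.has(basename.toLowerCase())) {` closes that gap, at the cost of also blocking differently-cased names on case-sensitive systems. The hook is also fail-open on unparseable input: parseInput() returns `{}` when JSON.parse throws, filePath is then empty and run() returns `{ exitCode: 0 }`, which is inconsistent with the fail-closed handling of a truncated payload a few lines earlier. Returning exit code 2 for a non-empty string that does not parse would bring the two in line. Only `tool_input.file_path` and `tool_input.file` are inspected, so whether shell-based writes to these files are covered depends on hooks not visible in this hunk.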
@@ -0,0 +1,207 @@
1
+ #!/usr/bin/env node
2
+ /**
3
+ * Executes a MindForge hook script only when enabled by hook profile flags.
4
+ *
5
+ * Ported/adapted from ECC (scripts/hooks/run-with-flags.js):
6
+ * - env vars renamed ECC_* -> MINDFORGE_*
7
+ * - getHookRoot() resolves the MindForge .agent root (parent of hooks/) instead
8
+ * of CLAUDE_PLUGIN_ROOT, with CLAUDE_PLUGIN_ROOT honored as an override for
9
+ * plugin-install layouts.
10
+ *
11
+ * Hooks that export run(rawInput) are require()'d in-process (saves a process
12
+ * spawn). Legacy module-scope stdin hooks (most mindforge-* hooks) take the
13
+ * spawnSync path.
14
+ *
15
+ * Usage:
16
+ * node .agent/hooks/run-with-flags.js <hookId> <scriptRelativePath> [profilesCsv]
17
+ */
18
+
19
+ 'use strict';
20
+
21
+ const fs = require('fs');
22
+ const path = require('path');
23
+ const { spawnSync } = require('child_process');
24
+ const { isHookEnabled } = require('./lib/hook-flags');
25
+ const { buildPreToolUseAdditionalContext } = require('./lib/pretooluse-visible-output');
26
+
27
+ const MAX_STDIN = 1024 * 1024;
28
+
29
+ function readStdinRaw() {
30
+ return new Promise(resolve => {
31
+ let raw = '';
32
+ let truncated = false;
33
+ process.stdin.setEncoding('utf8');
34
+ process.stdin.on('data', chunk => {
35
+ if (raw.length < MAX_STDIN) {
36
+ const remaining = MAX_STDIN - raw.length;
37
+ raw += chunk.substring(0, remaining);
38
+ if (chunk.length > remaining) {
39
+ truncated = true;
40
+ }
41
+ } else {
42
+ truncated = true;
43
+ }
44
+ });
45
+ process.stdin.on('end', () => resolve({ raw, truncated }));
46
+ process.stdin.on('error', () => resolve({ raw, truncated }));
47
+ });
48
+ }
49
+
50
+ function writeStderr(stderr) {
51
+ if (typeof stderr !== 'string' || stderr.length === 0) {
52
+ return;
53
+ }
54
+
55
+ process.stderr.write(stderr.endsWith('\n') ? stderr : `${stderr}\n`);
56
+ }
57
+
58
+ function emitHookResult(raw, output) {
59
+ if (typeof output === 'string' || Buffer.isBuffer(output)) {
60
+ process.stdout.write(String(output));
61
+ return 0;
62
+ }
63
+
64
+ if (output && typeof output === 'object') {
65
+ writeStderr(output.stderr);
66
+
67
+ if (Object.prototype.hasOwnProperty.call(output, 'additionalContext')) {
68
+ process.stdout.write(buildPreToolUseAdditionalContext(output.additionalContext));
69
+ } else if (Object.prototype.hasOwnProperty.call(output, 'stdout')) {
70
+ process.stdout.write(String(output.stdout ?? ''));
71
+ } else if (!Number.isInteger(output.exitCode) || output.exitCode === 0) {
72
+ process.stdout.write(raw);
73
+ }
74
+
75
+ return Number.isInteger(output.exitCode) ? output.exitCode : 0;
76
+ }
77
+
78
+ process.stdout.write(raw);
79
+ return 0;
80
+ }
81
+
82
+ function writeLegacySpawnOutput(raw, result) {
83
+ const stdout = typeof result.stdout === 'string' ? result.stdout : '';
84
+ if (stdout) {
85
+ process.stdout.write(stdout);
86
+ return;
87
+ }
88
+
89
+ if (Number.isInteger(result.status) && result.status === 0) {
90
+ process.stdout.write(raw);
91
+ }
92
+ }
93
+
94
+ /**
95
+ * Resolve the MindForge install root. In a plugin-install layout CLAUDE_PLUGIN_ROOT
96
+ * points at the plugin root; otherwise we resolve the repo/.agent root from this
97
+ * file's location (.agent/hooks/ -> repo root two levels up).
98
+ */
99
+ function getHookRoot() {
100
+ if (process.env.CLAUDE_PLUGIN_ROOT && process.env.CLAUDE_PLUGIN_ROOT.trim()) {
101
+ return process.env.CLAUDE_PLUGIN_ROOT;
102
+ }
103
+ // .agent/hooks/run-with-flags.js -> repo root is two dirs up.
104
+ return path.resolve(__dirname, '..', '..');
105
+ }
106
+
107
+ async function main() {
108
+ const [, , hookId, relScriptPath, profilesCsv] = process.argv;
109
+ const { raw, truncated } = await readStdinRaw();
110
+
111
+ if (!hookId || !relScriptPath) {
112
+ process.stdout.write(raw);
113
+ process.exit(0);
114
+ }
115
+
116
+ if (!isHookEnabled(hookId, { profiles: profilesCsv })) {
117
+ process.stdout.write(raw);
118
+ process.exit(0);
119
+ }
120
+
121
+ const hookRoot = getHookRoot();
122
+ const resolvedRoot = path.resolve(hookRoot);
123
+ const scriptPath = path.resolve(hookRoot, relScriptPath);
124
+
125
+ // Prevent path traversal outside the install root
126
+ if (!scriptPath.startsWith(resolvedRoot + path.sep)) {
127
+ process.stderr.write(`[Hook] Path traversal rejected for ${hookId}: ${scriptPath}\n`);
128
+ process.stdout.write(raw);
129
+ process.exit(0);
130
+ }
131
+
132
+ if (!fs.existsSync(scriptPath)) {
133
+ process.stderr.write(`[Hook] Script not found for ${hookId}: ${scriptPath}\n`);
134
+ process.stdout.write(raw);
135
+ process.exit(0);
136
+ }
137
+
138
+ // Prefer direct require() when the hook exports run(rawInput). Eliminates one
139
+ // Node process spawn (~50-100ms). Only require() hooks that export run();
140
+ // legacy hooks run side effects at module scope (stdin listeners, process.exit)
141
+ // which would interfere with the parent process.
142
+ let hookModule;
143
+ const src = fs.readFileSync(scriptPath, 'utf8');
144
+ const hasRunExport = /\bmodule\.exports\b/.test(src) && /\brun\b/.test(src);
145
+
146
+ if (hasRunExport) {
147
+ try {
148
+ hookModule = require(scriptPath);
149
+ } catch (requireErr) {
150
+ process.stderr.write(`[Hook] require() failed for ${hookId}: ${requireErr.message}\n`);
151
+ // Fall through to legacy spawnSync path
152
+ }
153
+ }
154
+
155
+ if (hookModule && typeof hookModule.run === 'function') {
156
+ try {
157
+ const output = hookModule.run(raw, {
158
+ hookId,
159
+ hookRoot,
160
+ scriptPath,
161
+ truncated,
162
+ maxStdin: MAX_STDIN
163
+ });
164
+ process.exit(emitHookResult(raw, output));
165
+ } catch (runErr) {
166
+ process.stderr.write(`[Hook] run() error for ${hookId}: ${runErr.message}\n`);
167
+ process.stdout.write(raw);
168
+ }
169
+ process.exit(0);
170
+ }
171
+
172
+ // Legacy path: spawn a child Node process for hooks without run() export
173
+ const result = spawnSync(process.execPath, [scriptPath], {
174
+ input: raw,
175
+ encoding: 'utf8',
176
+ env: {
177
+ ...process.env,
178
+ CLAUDE_PLUGIN_ROOT: hookRoot,
179
+ MINDFORGE_HOOK_ROOT: hookRoot,
180
+ MINDFORGE_HOOK_ID: hookId,
181
+ MINDFORGE_HOOK_INPUT_TRUNCATED: truncated ? '1' : '0',
182
+ MINDFORGE_HOOK_INPUT_MAX_BYTES: String(MAX_STDIN)
183
+ },
184
+ cwd: process.cwd(),
185
+ timeout: 30000
186
+ });
187
+
188
+ writeLegacySpawnOutput(raw, result);
189
+ if (result.stderr) process.stderr.write(result.stderr);
190
+
191
+ if (result.error || result.signal || result.status === null) {
192
+ const failureDetail = result.error
193
+ ? result.error.message
194
+ : result.signal
195
+ ? `terminated by signal ${result.signal}`
196
+ : 'missing exit status';
197
+ writeStderr(`[Hook] legacy hook execution failed for ${hookId}: ${failureDetail}`);
198
+ process.exit(1);
199
+ }
200
+
201
+ process.exit(Number.isInteger(result.status) ? result.status : 0);
202
+ }
203
+
204
+ main().catch(err => {
205
+ process.stderr.write(`[Hook] run-with-flags error: ${err.message}\n`);
206
+ process.exit(0);
207
+ });
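Review bot: Every runner-side failure in main() ends in `process.exit(0)` with the raw payload echoed to stdout (the path-traversal rejection, the missing-script branch, the `catch (runErr)` around `hookModule.run`, and the final `main().catch`), so a guard hook that cannot be loaded or that throws is treated as an allow. The config-protection hook in this same release documents exit code 2 as the blocking code, so for hooks that act as guards these branches should fail closed, for example `process.exit(2)` in the `catch (runErr)` branch after writing the error to stderr. The containment check `scriptPath.startsWith(resolvedRoot + path.sep)` is purely lexical and does not resolve symlinks; comparing `fs.realpathSync(scriptPath)` against `fs.realpathSync(resolvedRoot)` after the existence check would be stricter. Separately, `hasRunExport` is true for any file that mentions `module.exports` and the word `run` anywhere, including in a comment. A legacy hook with module-scope stdin listeners can therefore be require()'d in-process, which the comment above that line says would interfere with the parent; anchoring the pattern on the export itself, such as `/\bmodule\.exports\s*=\s*\{[^}]*\brun\b/`, would narrow it.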
@@ -0,0 +1,76 @@
1
+ ---
2
+ description: "Create, verify, or list lightweight workflow checkpoints — name + timestamp + git SHA + a metrics delta between two points."
3
+ ---
4
+
5
+ # MindForge — Checkpoint Command
6
+ # Usage: /mindforge:checkpoint [create|verify|list|clear] [name]
7
+
8
+ Lightweight progress markers for a work session. A checkpoint records a name,
9
+ timestamp, git SHA, and a metrics snapshot (files changed, test pass-rate,
10
+ coverage, build status), so you can measure forward progress and catch regressions
11
+ between two points. Distinct from milestones (project lifecycle) — checkpoints are
12
+ intra-session.
13
+
14
+ ## Create Checkpoint
15
+
16
+ 1. Run `/mindforge:verify-loop` (or `verify-phase`) to confirm current state is clean.
17
+ 2. Capture the marker:
18
+
19
+ ```bash
20
+ echo "$(date +%Y-%m-%d-%H:%M) | $CHECKPOINT_NAME | $(git rev-parse --short HEAD)" >> .planning/CHECKPOINTS.log
21
+ ```
22
+
23
+ 3. Snapshot metrics: changed-file count, test pass-rate, coverage %, build status.
24
+ 4. Report checkpoint created.
25
+
26
+ ## Verify Checkpoint
27
+
28
+ 1. Read the named checkpoint from `.planning/CHECKPOINTS.log`.
29
+ 2. Compare current state to the checkpoint:
30
+
31
+ ```
32
+ CHECKPOINT COMPARISON: $NAME
33
+ ============================
34
+ Files changed: X
35
+ Tests: +Y passed / -Z failed
36
+ Coverage: +X% / -Y%
37
+ Build: [PASS/FAIL]
38
+ ```
39
+
40
+ 3. If any metric regressed (tests down, coverage down, build broken), flag it loudly
41
+ — a checkpoint verify that shows regression is a stop signal.
42
+
43
+ ## List Checkpoints
44
+
45
+ Show all checkpoints with name, timestamp, git SHA, and status (current / behind /
46
+ ahead relative to HEAD).
47
+
48
+ ## Clear
49
+
50
+ Remove old checkpoints, keeping the last 5.
51
+
52
+ ## Workflow
53
+
54
+ ```
55
+ [Start] -> /mindforge:checkpoint create "feature-start"
56
+ [Implement] -> /mindforge:checkpoint create "core-done"
57
+ [Test] -> /mindforge:checkpoint verify "core-done"
58
+ [Refactor] -> /mindforge:checkpoint create "refactor-done"
59
+ [PR] -> /mindforge:checkpoint verify "feature-start"
60
+ ```
61
+
62
+ ## AUDIT linkage
63
+
64
+ Each create/verify optionally writes a Merkle-linked AUDIT.jsonl entry:
65
+
66
+ ```json
67
+ { "event": "checkpoint_created", "name": "core-done", "sha": "abc1234", "tests_pass_rate": 1.0, "coverage": 0.0 }
68
+ ```
69
+
70
+ ## Arguments
71
+
72
+ $ARGUMENTS:
73
+ - `create <name>` — create a named checkpoint
74
+ - `verify <name>` — verify current state against a named checkpoint
75
+ - `list` — show all checkpoints
76
+ - `clear` — remove old checkpoints (keeps last 5)
@@ -0,0 +1,59 @@
1
+ ---
2
+ description: "Run the deterministic harness-audit scorecard (0-10 per category) over the MindForge tree, with an optional LLM soft-signal layer."
3
+ ---
4
+
5
+ # MindForge — Harness Audit Command
6
+ # Usage: /mindforge:harness-audit [scope] [--format text|json]
7
+ # Scopes: repo (default) | hooks | skills | commands | agents | security
8
+
9
+ Two-layer harness health check. The DETERMINISTIC layer is `bin/harness-audit.js`
10
+ (explicit file/config checks, reproducible, CI-gateable). The optional LLM layer
11
+ adds soft signals the deterministic checks cannot see (quality, drift, coherence).
12
+
13
+ ## Step 1 — Run the deterministic scorecard
14
+
15
+ ```bash
16
+ node bin/harness-audit.js # text scorecard, repo scope
17
+ node bin/harness-audit.js --format json # machine-readable (for CI / dashboards)
18
+ node bin/harness-audit.js --scope security
19
+ ```
20
+
21
+ The JSON contract is stable: `overall_score`, `max_score`, `categories`,
22
+ `applicable_categories`, `rubric_version`, `checks[]`, `top_actions[]`. Categories:
23
+ Tool Coverage, Context Efficiency, Quality Gates, Memory & Learning, Eval Coverage,
24
+ Security Guardrails, Cost Efficiency, Governance & Identity.
25
+
26
+ ## Step 2 — (Optional) LLM soft-signal layer
27
+
28
+ For each category scoring below 10/10, inspect the failing checks in `top_actions`
29
+ and assess severity in context. The deterministic layer says *what* is missing; the
30
+ LLM layer judges *whether it matters here* and proposes the highest-leverage fix.
31
+
32
+ ## Step 3 — Report + AUDIT entry
33
+
34
+ Summarize the scorecard, then write a Merkle-linked AUDIT.jsonl entry:
35
+
36
+ ```json
37
+ {
38
+ "event": "harness_audit_completed",
39
+ "scope": "repo",
40
+ "overall_score": 0,
41
+ "max_score": 0,
42
+ "rubric_version": "2026-06-10",
43
+ "failing_categories": [],
44
+ "top_actions": []
45
+ }
46
+ ```
47
+
48
+ ## Relationship to /mindforge:health
49
+
50
+ `/mindforge:health` calls this command as its deterministic layer. A regression
51
+ (e.g. the `permissions.deny` baseline removed, the Gemini settings mirror desynced,
52
+ the threat-model doc deleted) drops the Security Guardrails score and surfaces in
53
+ `top_actions` — making harness drift visible and CI-blockable.
54
+
55
+ ## Related: cross-harness compliance
56
+
57
+ `npm run harness:compliance` (`bin/installer/harness-adapter-compliance.js --check`)
58
+ validates the per-harness support matrix and gates documentation drift — distinct
59
+ from this scorecard, which audits the repo's own harness health.
@@ -0,0 +1,46 @@
1
+ ---
2
+ description: "Manage the instinct store via the deterministic instinct-CLI - list/projects/export/import/promote/prune. Usage - /mindforge:instinct <list|projects|export|import|promote|prune> [options]"
3
+ ---
4
+
5
+ <objective>
6
+ Inspect and maintain the project-scoped instinct store with the deterministic
7
+ CLI (bin/learning/instinct-cli.js). Read-only views (list/projects) are always
8
+ safe; mutating actions (import/promote/prune) require --force and support
9
+ --dry-run. Promotion to a full skill stays with /mindforge:evolve-skills and
10
+ /mindforge:cluster-instincts — this command only LISTS candidates.
11
+ </objective>
12
+
13
+ <execution_context>
14
+ @.mindforge/engine/instincts/instinct-schema.md
15
+ @.mindforge/skills/continuous-learning/SKILL.md
16
+ </execution_context>
17
+
18
+ <context>
19
+ $ARGUMENTS
20
+ </context>
21
+
22
+ <process>
23
+ 1. Parse the subcommand + flags from $ARGUMENTS and shell out to the CLI:
24
+ `node bin/learning/instinct-cli.js <subcommand> [flags]`
25
+ - `list [--project <id>|--all] [--status active|promoted|deprecated|pruned] [--json]`
26
+ — defaults to the current project's instincts plus `global`.
27
+ - `projects [--json]` — per-project counts, active count, avg confidence, last-applied.
28
+ - `export [--project <id>|--all] [--status <s>] [--min-confidence N] [-o file]`
29
+ — emits a JSONL subset (portable interchange) to stdout or a file.
30
+ - `import <file|https-url> [--scope project|global] [--min-confidence N] [--dry-run] [--force]`
31
+ — https-only + SSRF-guarded for URLs; dedups by id keeping higher confidence;
32
+ stamps project_id + source:imported. Default lists what WOULD import; --force writes.
33
+ - `promote [<id>] [--project <id>|--all] [--dry-run] [--force]`
34
+ — LISTS instincts meeting confidence ≥ threshold AND applied ≥ min; does NOT
35
+ create skills (run /mindforge:evolve-skills for that). --force only flags.
36
+ - `prune [--max-age <days>] [--dry-run] [--force]`
37
+ — flags low-confidence/high-applied or stale instincts as pruned; --force writes.
38
+ 2. Relay the CLI output. For mutating actions, prefer running --dry-run first and
39
+ showing the user the diff before re-running with --force.
40
+ 3. The CLI writes atomically under an advisory lock, so it is safe to run while
41
+ the capture hook is appending. It spawns no model and incurs no token cost.
42
+ 4. Optionally log an AUDIT entry for a mutating action (import/promote/prune).
43
+
44
+ NOTE: this command and its .agent/mindforge/ mirror MUST be edited together —
45
+ they are kept byte-identical.
46
+ </process>
@@ -0,0 +1,43 @@
1
+ ---
2
+ description: Orchestrate building a brand-new feature end to end — research, plan, TDD, review, gated commit. Thin wrapper over the orch-pipeline skill.
3
+ ---
4
+
5
+ # MindForge — Orch: Add Feature
6
+ # Usage: /mindforge:orch-add-feature <what to add>
7
+
8
+ Manually launch the **add-feature** orchestration: a gated
9
+ Research → Plan → TDD → Review → Commit pipeline for net-new capability.
10
+
11
+ ## Usage
12
+
13
+ ```
14
+ /mindforge:orch-add-feature <what to add>
15
+ ```
16
+
17
+ Examples:
18
+
19
+ ```
20
+ /mindforge:orch-add-feature add OAuth2 login to the auth service
21
+ /mindforge:orch-add-feature support CSV export in the dashboard
22
+ ```
23
+
24
+ ## What It Does
25
+
26
+ Activate the `orch-pipeline` skill (`.mindforge/skills/orch-pipeline/SKILL.md`)
27
+ with `$ARGUMENTS` as the request and `operation = add-feature`. The engine will:
28
+
29
+ 1. **Step 0 — size classifier**: classify size on blast radius and state the tier
30
+ in one line (no floor; classify on the three signals). The user may override.
31
+ 2. Research existing libraries/patterns (Search-Before-Building), then plan a
32
+ MindForge XML `<action>` task_list under `.planning/` via
33
+ `/mindforge:plan-write`. → **GATE 1** (approve plan).
34
+ 3. TDD each task via `mindforge-tdd_extended` (new failing tests → green), then
35
+ `/mindforge:review` (+ the `quick.md` security auto-trigger / `security-reviewer`
36
+ if a security trigger is touched).
37
+ 4. Commit as conventional `feat(...)` commits, each writing a Merkle-linked
38
+ AUDIT.jsonl entry. → **GATE 2** (confirm before commit).
39
+
40
+ Honor both gates — do not write implementation before Gate 1, do not commit
41
+ before Gate 2.
42
+
43
+ If `$ARGUMENTS` is empty, ask the user what capability to add.
@@ -0,0 +1,48 @@
1
+ ---
2
+ description: Orchestrate bootstrapping a working MVP from a design/spec doc — ingest, slice, scaffold, TDD, review, gated commit. Thin wrapper over the orch-pipeline skill (build loop delegates to the swarm; GAN harness deferred).
3
+ ---
4
+
5
+ # MindForge — Orch: Build MVP
6
+ # Usage: /mindforge:orch-build-mvp <path to design/spec doc>
7
+
8
+ Manually launch the **build-mvp** orchestration: turn an SDD/PRD/system-design
9
+ document into a running vertical slice.
10
+
11
+ ## Usage
12
+
13
+ ```
14
+ /mindforge:orch-build-mvp <path to design/spec doc>
15
+ ```
16
+
17
+ Examples:
18
+
19
+ ```
20
+ /mindforge:orch-build-mvp docs/SDD-v0.6.md
21
+ /mindforge:orch-build-mvp .planning/REQUIREMENTS.md
22
+ ```
23
+
24
+ ## What It Does
25
+
26
+ Activate the `orch-pipeline` skill (`.mindforge/skills/orch-pipeline/SKILL.md`)
27
+ with `$ARGUMENTS` as the doc path and `operation = build-mvp` (default floor:
28
+ **large**, full pipeline incl. Scaffold). The engine will:
29
+
30
+ 1. **Step 0 — size classifier** (floor large). Read the spec; extract scope,
31
+ locked decisions, and a feature list ordered as **thin vertical slices** (one
32
+ end-to-end path first), written as MindForge XML under `.planning/` via
33
+ `/mindforge:plan-write`. → **GATE 1** (approve slice plan).
34
+ 2. Scaffold the first end-to-end slice.
35
+ 3. **Build loop — delegate to the swarm.** Drive each vertical slice through
36
+ `WaveExecutor` / the `mindforge-swarm-execution` protocol
37
+ (`.mindforge/engine/wave-executor.md`), with `SwarmController`
38
+ (`.mindforge/engine/swarm-controller.md`) selecting the cluster, gated by
39
+ `mindforge-tdd_extended` (Red-Green) and `/mindforge:cross-review`.
40
+ > **GAN harness is deferred** — the ECC GAN generate/evaluate inner loop
41
+ > (`/gan-build`, generator → evaluator) is NOT ported. See the DESCOPE note in
42
+ > the orch-pipeline skill.
43
+ 4. `/mindforge:review` (+ the `quick.md` security auto-trigger / `security-reviewer`
44
+ on any security-trigger slice), then commit the scaffold and each slice as
45
+ separate conventional `feat(...)` commits, each writing a Merkle-linked
46
+ AUDIT.jsonl entry. → **GATE 2**.
47
+
48
+ If `$ARGUMENTS` is empty, ask the user for the path to the design/spec doc.
@@ -0,0 +1,45 @@
1
+ ---
2
+ description: Orchestrate altering an existing, working feature to new desired behavior — update tests to the new spec, change impl, review, gated commit. Thin wrapper over the orch-pipeline skill.
3
+ ---
4
+
5
+ # MindForge — Orch: Change Feature
6
+ # Usage: /mindforge:orch-change-feature <the new desired behavior>
7
+
8
+ Manually launch the **change-feature** orchestration: change behavior that
9
+ already works to a new desired spec, tests-first.
10
+
11
+ ## Usage
12
+
13
+ ```
14
+ /mindforge:orch-change-feature <the new desired behavior>
15
+ ```
16
+
17
+ Examples:
18
+
19
+ ```
20
+ /mindforge:orch-change-feature alert at 2 warnings instead of 3
21
+ /mindforge:orch-change-feature instead of sorting by date, sort by priority
22
+ ```
23
+
24
+ ## What It Does
25
+
26
+ Activate the `orch-pipeline` skill (`.mindforge/skills/orch-pipeline/SKILL.md`)
27
+ with `$ARGUMENTS` as the request and `operation = change-feature`. The engine will:
28
+
29
+ 1. **Step 0 — size classifier**: classify size (default floor: **small**) and
30
+ state the tier in one line.
31
+ 2. Light plan only if the new behavior needs research, written as MindForge XML
32
+ under `.planning/` via `/mindforge:plan-write`. → **GATE 1** (approve
33
+ changed-test plan).
34
+ 3. **Update the existing tests** to express the new behavior, then change the
35
+ implementation until green via `mindforge-tdd_extended`. (Changing the tests
36
+ first is what makes this a tweak, not a fix.)
37
+ 4. `/mindforge:review` (+ the `quick.md` security auto-trigger / `security-reviewer`
38
+ on a security trigger), then commit as conventional `feat(...)` / `refactor(...)`
39
+ + Merkle-linked AUDIT.jsonl entry. → **GATE 2**.
40
+
41
+ Use this only when the feature **works** but should behave differently — not for
42
+ bugs (`/mindforge:orch-fix-defect`) or net-new capability
43
+ (`/mindforge:orch-add-feature`).
44
+
45
+ If `$ARGUMENTS` is empty, ask the user what behavior should change.