octocode-cli 1.3.0 → 1.5.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +129 -28
- package/out/chunks/chunk-7476PETK.js +309 -0
- package/out/chunks/chunk-CVNNNSMQ.js +26 -0
- package/out/chunks/chunk-OQBJTZWK.js +60 -0
- package/out/chunks/chunk-UCZCF3BQ.js +9 -0
- package/out/chunks/command-help-specs-JZXVSLZ5.js +8 -0
- package/out/chunks/commands-XBFPLHSQ.js +8 -0
- package/out/chunks/help-P7TCOYAJ.js +10 -0
- package/out/chunks/main-help-ULF5PAQY.js +10 -0
- package/out/chunks/prompts-5E6VKRX5.js +8 -0
- package/out/chunks/spinner-URV2OX6O.js +8 -0
- package/out/chunks/tool-command-M6VA7P2F.js +8 -0
- package/out/octocode-cli.js +1 -1
- package/package.json +5 -3
- package/skills/README.md +60 -58
- package/skills/agentic-flow-best-practices/SKILL.md +280 -0
- package/skills/agentic-flow-best-practices/references/agent-collaboration-patterns.md +75 -0
- package/skills/agentic-flow-best-practices/references/pr-review-agent-example.md +47 -0
- package/skills/agentic-flow-best-practices/references/resources.md +112 -0
- package/skills/octocode-brainstorming/.env.example +11 -0
- package/skills/octocode-brainstorming/SKILL.md +262 -0
- package/skills/octocode-brainstorming/scripts/tavily-search.mjs +138 -0
- package/skills/octocode-chrome-devtools/README.md +541 -0
- package/skills/octocode-chrome-devtools/SKILL.md +197 -0
- package/skills/octocode-chrome-devtools/agents/openai.yaml +7 -0
- package/skills/octocode-chrome-devtools/references/CDP_AGENT_REFERENCE.md +401 -0
- package/skills/octocode-chrome-devtools/references/CHROME_FLAGS.md +234 -0
- package/skills/octocode-chrome-devtools/references/INTENTS.md +108 -0
- package/skills/octocode-chrome-devtools/references/INTENTS_AUTH.md +179 -0
- package/skills/octocode-chrome-devtools/references/INTENTS_AUTOMATION.md +214 -0
- package/skills/octocode-chrome-devtools/references/INTENTS_DEBUG.md +329 -0
- package/skills/octocode-chrome-devtools/references/INTENTS_ENVIRONMENT.md +237 -0
- package/skills/octocode-chrome-devtools/references/INTENTS_INSPECT.md +263 -0
- package/skills/octocode-chrome-devtools/references/INTENTS_STORAGE_CONSENT.md +214 -0
- package/skills/octocode-chrome-devtools/references/RECOVERY.md +39 -0
- package/skills/octocode-chrome-devtools/references/SCRIPT_PATTERNS.md +43 -0
- package/skills/octocode-chrome-devtools/references/SCRIPT_PATTERNS_ASYNC_WORKERS.md +345 -0
- package/skills/octocode-chrome-devtools/references/SCRIPT_PATTERNS_BROWSER.md +403 -0
- package/skills/octocode-chrome-devtools/references/SCRIPT_PATTERNS_OBSERVE.md +275 -0
- package/skills/octocode-chrome-devtools/references/SCRIPT_PATTERNS_SPECIAL.md +18 -0
- package/skills/octocode-chrome-devtools/scripts/cdp-runner.mjs +503 -0
- package/skills/octocode-chrome-devtools/scripts/cdp-sandbox.mjs +123 -0
- package/skills/octocode-chrome-devtools/scripts/cdp-template.mjs +81 -0
- package/skills/octocode-chrome-devtools/scripts/octocode-chrome-devtools.vpn.example.json +8 -0
- package/skills/octocode-chrome-devtools/scripts/open-browser.mjs +362 -0
- package/skills/octocode-chrome-devtools/scripts/sourcemap-resolver.mjs +193 -0
- package/skills/octocode-chrome-devtools/scripts/undercover.mjs +226 -0
- package/skills/octocode-design/README.md +2 -2
- package/skills/octocode-documentation-writer/README.md +1 -1
- package/skills/octocode-engineer/README.md +1 -1
- package/skills/octocode-engineer/SKILL.md +137 -306
- package/skills/octocode-engineer/references/cli-reference.md +13 -0
- package/skills/octocode-engineer/references/output-files.md +3 -3
- package/skills/octocode-engineer/scripts/run.js +146 -146
- package/skills/octocode-engineer/src/pipeline/main.ts +1 -17
- package/skills/octocode-engineer/src/pipeline/progress.ts +4 -0
- package/skills/octocode-engineer/src/reporting/summary-md.test.ts +48 -0
- package/skills/octocode-engineer/src/reporting/summary-md.ts +43 -2
- package/skills/octocode-install/SKILL.md +1 -1
- package/skills/octocode-pull-request-reviewer/README.md +5 -5
- package/skills/octocode-pull-request-reviewer/SKILL.md +1 -1
- package/skills/octocode-research/AGENTS.md +1 -1
- package/skills/octocode-research/README.md +2 -2
- package/skills/octocode-research/docs/ARCHITECTURE.md +1 -1
- package/skills/octocode-research/scripts/server.js +184 -239
- package/skills/octocode-research/src/routes/github.ts +4 -21
- package/skills/octocode-research/src/routes/local.ts +4 -21
- package/skills/octocode-research/src/utils/fileContentTransform.ts +44 -0
- package/skills/octocode-search-skill/SKILL.md +337 -0
- package/skills/octocode-search-skill/references/agent-skills-guide.md +177 -0
- package/skills/octocode-search-skill/references/discovery-surfaces.md +162 -0
- package/skills/octocode-search-skill/references/fetch-and-create-locally.md +57 -0
- package/skills/octocode-search-skill/references/install-reference.md +130 -0
- package/skills/octocode-search-skill/references/references-template.md +27 -0
- package/skills/octocode-search-skill/references/references.md +62 -0
- package/skills/octocode-slides/README.md +307 -0
- package/skills/octocode-slides/SKILL.md +410 -0
- package/skills/octocode-slides/references/01-brief.md +156 -0
- package/skills/octocode-slides/references/02-research.md +149 -0
- package/skills/octocode-slides/references/03-outline.md +172 -0
- package/skills/octocode-slides/references/04-design.md +301 -0
- package/skills/octocode-slides/references/05-implementation.md +213 -0
- package/skills/octocode-slides/references/06-review.md +258 -0
- package/skills/octocode-slides/references/animation.md +281 -0
- package/skills/octocode-slides/references/design-system.md +316 -0
- package/skills/octocode-slides/references/html-templates.md +673 -0
- package/skills/octocode-slides/references/image-generation.md +448 -0
- package/skills/octocode-slides/references/resources.md +840 -0
- package/skills/octocode-slides/references/slide-rules.md +541 -0
- package/skills/octocode-slides/references/wireframes.md +727 -0
- package/skills/octocode-slides/scripts/animation.js +182 -0
- package/skills/octocode-slides/scripts/base.css +353 -0
- package/skills/octocode-slides/scripts/base.html +655 -0
- package/skills/octocode-slides/scripts/generate_image.py +221 -0
- package/skills/octocode-slides/scripts/navbridge.js +79 -0
- package/skills/octocode-slides/scripts/presenter.js +316 -0
- package/skills/octocode-slides/scripts/slide.html +248 -0
- package/skills/octocode-stats/SKILL.md +73 -0
- package/skills/octocode-stats/assets/template.html +1332 -0
- package/skills/octocode-stats/scripts/build_dashboard.mjs +407 -0
- package/out/chunks/chunk-LH4AZJPA.js +0 -389
- package/out/chunks/command-help-specs-CQ3RBLP6.js +0 -8
- package/out/chunks/commands-M3QTWKWE.js +0 -51
- package/out/chunks/help-XPXP46ZT.js +0 -10
- package/out/chunks/main-help-HXFAFHPG.js +0 -10
- package/out/chunks/tool-command-VHFLPIHY.js +0 -8
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
---
|
|
2
2
|
name: octocode-engineer
|
|
3
|
-
description: "
|
|
3
|
+
description: "System-engineering skill for codebase understanding, bug investigation, refactors, PR safety, architecture review, and RFC validation. Enforces Clean Architecture and Clean Code with AST, LSP, and scanner evidence. Produces a flows / boundaries / architecture-health artifact with file:line citations before recommending action."
|
|
4
4
|
---
|
|
5
5
|
|
|
6
6
|
# Octocode Engineer
|
|
@@ -9,83 +9,77 @@ Understand, change, and verify a codebase with system awareness. Single-file rea
|
|
|
9
9
|
|
|
10
10
|
## What you get (user view)
|
|
11
11
|
|
|
12
|
-
A structured **understanding artifact**, grounded in evidence,
|
|
12
|
+
A structured **understanding artifact**, grounded in evidence, every claim cited `file:line`:
|
|
13
13
|
|
|
14
|
-
- **System summary**
|
|
15
|
-
- **
|
|
16
|
-
- **
|
|
17
|
-
- **Types & protocols** — authoritative DTOs, schemas, wire contracts, compatibility posture.
|
|
18
|
-
- **Boundaries & ownership** — who owns what, where ports live, which tests prove contracts.
|
|
19
|
-
- **Duplication inventory** — top near-clones and the missing abstraction.
|
|
20
|
-
- **Execution profile** — hot paths, async/sync posture, retries/timeouts/lifecycles, runtime risks.
|
|
21
|
-
- **Architecture health** — one line per Clean-Architecture principle and per analytic dimension, with `confirmed|likely|uncertain`.
|
|
22
|
-
- **Clean-code hotspots** — top findings worth fixing.
|
|
23
|
-
- **Next step** — one sentence.
|
|
14
|
+
- **System summary** (what/who/invariants) · **Control flows** (numbered call paths) · **Data flows** (writers/readers/txn/cache per entity) · **Types & protocols** (DTOs, schemas, wire contracts, compat)
|
|
15
|
+
- **Boundaries & ownership** (owners, ports, contract tests) · **Structure health** (folder bloat, file/folder naming, project-fit) · **Duplication inventory** (near-clones, missing abstraction) · **Execution profile** (hot paths, async/sync, retries/timeouts/lifecycles)
|
|
16
|
+
- **Architecture health** (per-principle + per-dimension, `confirmed|likely|uncertain`) · **Clean-code hotspots** · **Next step** (1 sentence)
|
|
24
17
|
|
|
25
|
-
For a
|
|
26
|
-
|
|
27
|
-
**Safety built in.** Hard gates stop for your explicit decision before public-contract changes, cross-layer edits, destructive actions, or large blast radius.
|
|
18
|
+
For a change: change flow, data-flow impact, contract impact, blast radius, risk vector. **Safety built in** — hard gates stop for your decision before public-contract changes, cross-layer edits, destructive actions, or large blast radius.
|
|
28
19
|
|
|
29
20
|
## How to invoke (user view)
|
|
30
21
|
|
|
31
|
-
Ask in natural language. The skill activates on phrases like: *"understand this codebase"*, *"deep-dive this feature"*, *"review the architecture of X"*, *"why is this slow / flaky / coupled?"*, *"is this PR safe?"*, *"what breaks if I change Y?"*, *"prepare to refactor Z"*, *"validate this RFC against the code"*.
|
|
22
|
+
Ask in natural language. The skill activates on phrases like: *"understand this codebase"*, *"deep-dive this feature"*, *"review the architecture of X"*, *"why is this slow / flaky / coupled?"*, *"is this PR safe?"*, *"what breaks if I change Y?"*, *"prepare to refactor Z"*, *"validate this RFC against the code"*.
|
|
32
23
|
|
|
33
|
-
##
|
|
24
|
+
## Quick decision cheatsheet (agent view)
|
|
34
25
|
|
|
35
|
-
Every
|
|
26
|
+
Use this first to pick the cheapest proof path. Every LSP call needs a `lineHint` from `localSearchCode` — **never guess**.
|
|
36
27
|
|
|
37
|
-
|
|
38
|
-
|
|
39
|
-
|
|
40
|
-
|
|
41
|
-
|
|
42
|
-
|
|
43
|
-
|
|
28
|
+
| Question | Tool chain |
|
|
29
|
+
|---|---|
|
|
30
|
+
| Where is X defined? | `localSearchCode(X)` → `lspGotoDefinition(lineHint=N)` |
|
|
31
|
+
| Who calls function X? | `localSearchCode(X)` → `lspCallHierarchy(incoming, lineHint=N)` |
|
|
32
|
+
| What does X call? | `localSearchCode(X)` → `lspCallHierarchy(outgoing, lineHint=N)` |
|
|
33
|
+
| All usages of a type / var / non-function X? | `localSearchCode(X)` → `lspFindReferences(lineHint=N)` |
|
|
34
|
+
| Is this pattern duplicated? | `scripts/ast/search.js --pattern` → scanner `duplicate-*` findings |
|
|
35
|
+
| Is this shape an antipattern? | `scripts/ast/search.js --preset <name>` (list: `--list-presets`) |
|
|
36
|
+
| Is this module structurally unhealthy? | `scripts/run.js --graph --scope=<path>` → read `scan.json` |
|
|
37
|
+
| Is the project structure healthy? | `localViewStructure` + `localFindFiles` → `scripts/run.js --scope=<path> --graph` → inspect `qualityRating` folder/naming/consistency signals + `mega-folder` findings |
|
|
38
|
+
| Which layer/boundary does this cross? | Scanner layer output + `lspGotoDefinition` across packages |
|
|
39
|
+
| What breaks if I change Y? | `lspFindReferences(Y)` → label consumers by layer |
|
|
40
|
+
| Find files by name / churn / size | `localFindFiles` |
|
|
41
|
+
| Read implementation (last resort) | `localGetFileContent` with `matchString` |
|
|
44
42
|
|
|
45
|
-
|
|
43
|
+
For longer research recipes and end-to-end tool sequences, see [tool-workflows.md](./references/tool-workflows.md).
|
|
46
44
|
|
|
47
|
-
|
|
45
|
+
### References index
|
|
48
46
|
|
|
49
|
-
|
|
50
|
-
|
|
51
|
-
|
|
52
|
-
|
|
53
|
-
|
|
54
|
-
|
|
47
|
+
| Situation | Reference |
|
|
48
|
+
|---|---|
|
|
49
|
+
| Tool workflows, research recipes | [tool-workflows.md](./references/tool-workflows.md) |
|
|
50
|
+
| Scanner flags, thresholds, scope syntax, exit codes | [cli-reference.md](./references/cli-reference.md) |
|
|
51
|
+
| Reading scan artifacts | [output-files.md](./references/output-files.md) |
|
|
52
|
+
| AST presets, pattern syntax, Python kinds | [ast-reference.md](./references/ast-reference.md) |
|
|
53
|
+
| Confirming / dismissing a finding | [validation-playbooks.md](./references/validation-playbooks.md) |
|
|
54
|
+
| Detector catalog, metrics, severities | [quality-indicators.md](./references/quality-indicators.md) |
|
|
55
|
+
| How to present findings | [output-format.md](./references/output-format.md) |
|
|
56
|
+
| eslint, tsc, knip, ruff, mypy | [externals.md](./references/externals.md) |
|
|
55
57
|
|
|
56
|
-
|
|
58
|
+
## Operating contract (agent view)
|
|
57
59
|
|
|
58
|
-
|
|
60
|
+
Every **non-trivial** task MUST satisfy this contract:
|
|
59
61
|
|
|
60
|
-
1.
|
|
61
|
-
2.
|
|
62
|
-
3.
|
|
63
|
-
4.
|
|
64
|
-
5.
|
|
65
|
-
6.
|
|
66
|
-
7. Attach an explicit confidence marker (`confirmed` / `likely` / `uncertain`) to every conclusion that informs a decision.
|
|
67
|
-
8. Treat the skill prompt as operational policy, not advice.
|
|
68
|
-
9. Stop at every hard gate in **User-Ask Gates**; do not ask outside of gates.
|
|
62
|
+
1. **Scope** — restate the goal and constraints in one line before touching tools.
|
|
63
|
+
2. **Lenses** — apply both required lenses defined in §Clean Architecture & Clean Code: the five Clean-Architecture principles and the six analytic dimensions.
|
|
64
|
+
3. **Evidence** — prove every architectural or code-quality claim with at least one of: Octocode local tools, LSP, AST, scanner. Mark confidence (`confirmed|likely|uncertain`) with source.
|
|
65
|
+
4. **Artifact** — produce the understanding artifact (§Required output) before recommending action.
|
|
66
|
+
5. **Gates** — stop at every hard gate in §User-Ask Gates.
|
|
67
|
+
6. **Tool universe** — never fall back to native Claude Code search tools (`Grep`, `Glob`, `Read`) while Octocode MCP is registered. A warning inside a successful Octocode response is not a failure; see §Fallback Mode for the only legitimate fallback conditions.
|
|
69
68
|
|
|
70
|
-
##
|
|
69
|
+
## When To Use It
|
|
71
70
|
|
|
72
|
-
|
|
71
|
+
Use when the user asks to **understand** a codebase/feature end-to-end, **change** unclear/shared/cross-file code, **review** quality/architecture/tech-debt/dead-code/security/build issues, or **decide** architecture and validate RFCs against real behavior. Any language; strongest on Node/TypeScript and Python. For formal RFCs with migration strategy, pair with [octocode-rfc-generator](https://skills.sh/bgauryy/octocode-mcp/octocode-rfc-generator).
|
|
73
72
|
|
|
74
|
-
|
|
75
|
-
- No consumers (0 references from `lspFindReferences`) or the change is behavior-preserving for every consumer.
|
|
76
|
-
- No contract, schema, protocol, config, or migration touched.
|
|
77
|
-
- ≤ ~20 lines changed.
|
|
78
|
-
- No cross-layer or cross-package edit.
|
|
73
|
+
## Trivial vs. non-trivial — when the contract binds
|
|
79
74
|
|
|
80
|
-
|
|
75
|
+
The contract, lenses, and artifact apply to **non-trivial** tasks. A task is **trivial** only when ALL hold: single file; no public/exported symbol touched; 0 consumers (per `lspFindReferences`) or behavior-preserving for all; no contract/schema/protocol/config/migration touched; ≤ ~20 lines; no cross-layer/cross-package edit. Otherwise non-trivial (default on doubt). Trivial tasks: deliver the one-line next step + verification only.
|
|
81
76
|
|
|
82
77
|
## Clean Architecture & Clean Code (Required Lenses)
|
|
83
78
|
|
|
84
|
-
|
|
79
|
+
Non-trivial investigations MUST go through both lenses. Prove every claim with the listed tools — no unevidenced architectural or code-quality facts.
|
|
85
80
|
|
|
86
81
|
### Clean Architecture — what to enforce, how to verify
|
|
87
82
|
|
|
88
|
-
Principles (enforce, do not merely note):
|
|
89
83
|
1. **Dependency rule** — source code dependencies point inward. Domain never imports infrastructure/UI; use cases never import frameworks.
|
|
90
84
|
2. **Layer boundaries** — entities → use cases → interface adapters → frameworks & drivers. Concerns stay in their layer.
|
|
91
85
|
3. **Stable abstractions** — volatile details depend on stable policy, never the reverse.
|
|
@@ -102,55 +96,19 @@ Principles (enforce, do not merely note):
|
|
|
102
96
|
|
|
103
97
|
### Architect's analytic dimensions
|
|
104
98
|
|
|
105
|
-
|
|
106
|
-
|
|
107
|
-
#### 1. Flows — control flow end-to-end
|
|
108
|
-
|
|
109
|
-
Trace entry → collaborators → side effects → return/emit.
|
|
110
|
-
|
|
111
|
-
- **Verify:** `localSearchCode` (entry + `lineHint`) → `lspCallHierarchy(incoming)` → `lspCallHierarchy(outgoing)` → `scripts/run.js` flow/graph output for hot paths.
|
|
112
|
-
- **Anti-patterns:** hidden jumps (events without a subscriber map), middleware chains nobody can enumerate, untested error branches.
|
|
113
|
-
|
|
114
|
-
#### 2. Duplication — structural and behavioral repetition
|
|
115
|
-
|
|
116
|
-
Same logic in two places drifts. Duplication encodes an unnamed abstraction.
|
|
99
|
+
Cover all six on a full review; on a scoped task, cover those the change touches and mark the rest `N/A` with a one-line reason (`N/A` is a claim, not silence). Mapping to artifact sections is encoded in §Required output. On a change, state which dimensions it stresses — that is the risk vector.
|
|
117
100
|
|
|
118
|
-
|
|
119
|
-
|
|
120
|
-
|
|
121
|
-
|
|
122
|
-
|
|
123
|
-
|
|
124
|
-
|
|
125
|
-
|
|
126
|
-
#### 4. Protocols & schemas — wire-level contracts
|
|
127
|
-
|
|
128
|
-
HTTP/gRPC/GraphQL shapes, event envelopes, message headers, SQL/Prisma/Mongo schemas, config files. Breaking a schema breaks consumers you cannot always see.
|
|
129
|
-
|
|
130
|
-
- **Verify:** `localFindFiles` on `*.proto`, `*.graphql`, `*.sql`, `openapi*`, `schema*`, `migrations/*` → `localGetFileContent` on each authoritative schema → `lspFindReferences` on generated types → `githubSearchPullRequests` for recent schema changes (when external).
|
|
131
|
-
- **Anti-patterns:** schema drift across services, implicit required fields, defaults set in code instead of schema, version bumps without compatibility windows, undefined null vs missing vs empty semantics.
|
|
132
|
-
|
|
133
|
-
#### 5. Data flows — state, ownership, mutation
|
|
134
|
-
|
|
135
|
-
Follow the data: where it lives, who writes it, who reads it, what the transaction boundaries are.
|
|
136
|
-
|
|
137
|
-
- **Verify:** schema files + repository/DAO modules → `lspFindReferences` on write functions (`save`, `update`, `insert`, `publish`) → `scripts/run.js` graph/flow modes for modules on a write path → `scripts/ast/search.js --kind` on mutation patterns.
|
|
138
|
-
- **Anti-patterns:** multiple writers to one field, read-your-writes across async boundaries, cache updates racing with writes, write paths skipping the canonical validator, projections read without consistency guarantees.
|
|
139
|
-
|
|
140
|
-
#### 6. Execution — runtime behavior
|
|
141
|
-
|
|
142
|
-
Sync vs async, serial vs concurrent, blocking I/O, retries, timeouts, startup/shutdown order, background loops, resource lifecycle.
|
|
143
|
-
|
|
144
|
-
- **Verify:** `scripts/ast/search.js` presets (`async-function`, `await-in-loop`, `sync-io`, `promise-all`) → scanner (`await-in-loop`, `sync-io`, `uncleared-timer`, `unbounded-collection`, `startup-risk-hub`, `listener-leak-risk`) → `lspCallHierarchy` along the hot path → tests/benchmarks in the repo.
|
|
145
|
-
- **Anti-patterns:** `await` inside a tight loop, sync I/O on a request path, timers/listeners without lifecycle, startup ordering that assumes initialization, retries without backoff or idempotency.
|
|
146
|
-
|
|
147
|
-
---
|
|
148
|
-
|
|
149
|
-
These dimensions compose the understanding artifact: **Flows + Data flows** feed the "Key flows" section; **Types + Protocols** feed "Boundaries & ownership"; **Duplication + Execution** surface in "Clean-code hotspots" and "Architecture health". On a change, state which dimensions the change stresses — that is your risk vector.
|
|
101
|
+
| # | Dimension | Verify | Anti-patterns |
|
|
102
|
+
|---|-----------|--------|---------------|
|
|
103
|
+
| 1 | **Flows** — entry → collaborators → side effects → return/emit | `localSearchCode`(entry,lineHint) → `lspCallHierarchy` incoming/outgoing → `scripts/run.js` flow/graph on hot paths | hidden event jumps; unenumerable middleware chains; untested error branches |
|
|
104
|
+
| 2 | **Duplication** — same logic in two places drifts | scanner (`duplicate-function-body`, `duplicate-flow-structure`, `similar-function-body`) → `scripts/ast/search.js --pattern` → `lspFindReferences` on canonical version | two sources of truth; drifting copies; per-caller reinvention |
|
|
105
|
+
| 3 | **Types** — in-process contracts | `lspGotoDefinition` on boundary params → `lspFindReferences` on type → `scripts/ast/search.js` presets (`any-type`, `type-assertion`, `non-null-assertion`) → scanner (`unsafe-any`, `type-assertion-escape`, `narrowable-type`) | `any`/`unknown` at public boundary; casts silencing compiler; always-populated "optional" fields |
|
|
106
|
+
| 4 | **Protocols & schemas** — wire contracts (HTTP/gRPC/GraphQL/SQL/events/config) | `localFindFiles` on `*.proto`, `*.graphql`, `*.sql`, `openapi*`, `schema*`, `migrations/*` → `localGetFileContent` → `lspFindReferences` on generated types → `githubSearchPullRequests` for external changes | schema drift; implicit required fields; defaults in code not schema; version bumps without compat windows; null/missing/empty ambiguity |
|
|
107
|
+
| 5 | **Data flows** — state, ownership, mutation | schema + repository/DAO → `lspFindReferences` on write fns (`save`, `update`, `insert`, `publish`) → `scripts/run.js` graph/flow on write paths → `scripts/ast/search.js --kind` on mutations | multi-writers on one field; read-your-writes across async; cache/write races; write paths bypassing validator; projections without consistency guarantees |
|
|
108
|
+
| 6 | **Execution** — runtime (sync/async, I/O, retries, timeouts, startup/shutdown, lifecycles) | `scripts/ast/search.js` presets (`async-function`, `await-in-loop`, `sync-io`, `promise-all`) → scanner (`await-in-loop`, `sync-io`, `uncleared-timer`, `unbounded-collection`, `startup-risk-hub`, `listener-leak-risk`) → `lspCallHierarchy` on hot path → tests/benchmarks | `await` in tight loops; sync I/O on request path; timers/listeners without lifecycle; startup assuming init order; retries without backoff/idempotency |
|
|
150
109
|
|
|
151
110
|
### Clean Code — what to enforce, how to verify
|
|
152
111
|
|
|
153
|
-
Rules (enforce, do not merely note):
|
|
154
112
|
1. **Names reveal intent** — symbols describe what, not how.
|
|
155
113
|
2. **Small, single-purpose functions** — one level of abstraction; short; ≤ ~3 params.
|
|
156
114
|
3. **No dead or duplicated logic** — every branch reachable; each pattern lives in one place.
|
|
@@ -167,9 +125,11 @@ Rules (enforce, do not merely note):
|
|
|
167
125
|
| Intent-revealing names | code read + `lspFindReferences` | widely-used cryptic symbols, abbreviations that spread |
|
|
168
126
|
| Dead / unreachable | scanner + `knip` | `dead-export`, `dead-file`, `unused-import`, `unused-npm-dependency` |
|
|
169
127
|
|
|
128
|
+
For the full detector catalog, metric definitions, and severity rubric, see [quality-indicators.md](./references/quality-indicators.md).
|
|
129
|
+
|
|
170
130
|
### Required output: understanding artifact
|
|
171
131
|
|
|
172
|
-
|
|
132
|
+
Produce before recommending action. **required** sections always appear (use `N/A` + reason if not applicable); **applicable** sections appear only when the task touches that surface. Keep each section ≤ 2 min read.
|
|
173
133
|
|
|
174
134
|
| # | Section | When | Source dimensions |
|
|
175
135
|
|---|---------|------|-------------------|
|
|
@@ -184,7 +144,7 @@ Before concluding any non-trivial investigation, produce a compact artifact. Kee
|
|
|
184
144
|
| 9 | **Clean-code hotspots** — top AST/scanner findings worth fixing, cited `file:line` | applicable (quality work) | — |
|
|
185
145
|
| 10 | **Next step** — one sentence | required | — |
|
|
186
146
|
|
|
187
|
-
|
|
147
|
+
Trivial tasks: section 10 + verification only (see §Trivial vs. non-trivial). Section ordering, phrasing, examples: [output-format.md](./references/output-format.md).
|
|
188
148
|
|
|
189
149
|
If the task involves a change, also include:
|
|
190
150
|
- **Change flow** — the specific call path the change traverses. *(required for any change)*
|
|
@@ -193,20 +153,15 @@ If the task involves a change, also include:
|
|
|
193
153
|
- **Blast radius** — callers and consumers touched, from `lspFindReferences`, labeled by layer. *(required for any change with consumers)*
|
|
194
154
|
- **Risk vector** — which clean-architecture principles and which analytic dimensions the change stresses, and how each is preserved. *(required for any change)*
|
|
195
155
|
|
|
196
|
-
|
|
197
|
-
|
|
198
|
-
Investigations are structured by two stacked lenses, both defined above in the **Clean Architecture & Clean Code** section:
|
|
156
|
+
#### Artifact self-check — before closing
|
|
199
157
|
|
|
200
|
-
|
|
201
|
-
- **Architect's analytic dimensions** — flows, duplication, types, protocols & schemas, data flows, execution.
|
|
202
|
-
|
|
203
|
-
Cross-cutting concerns (reliability, observability, rollout/migration, build & config, docs) surface as sub-questions inside those dimensions; do not treat them as a separate lens stack. Tool routing for each is listed in **Tool Families** below.
|
|
158
|
+
A good artifact answers all of: ownership/boundary; blast radius (consumers, layers); contract safety (types/schemas/protocols); local vs structural vs architectural; build/config involvement; reliability under failure/retry/concurrency; observability sufficiency; rollout/migration reversibility; folder bloat and file/folder naming fitness; modularity trajectory; documented assumptions; safest next move. If the answer only explains one file, it is usually incomplete.
|
|
204
159
|
|
|
205
160
|
## Tool Families And Their Jobs
|
|
206
161
|
|
|
207
162
|
### 1. Local Octocode tools
|
|
208
163
|
|
|
209
|
-
|
|
164
|
+
First tools for workspace mapping — not a fallback.
|
|
210
165
|
|
|
211
166
|
| Tool | Use it for |
|
|
212
167
|
|------|------------|
|
|
@@ -217,29 +172,21 @@ Use local tools first to map the workspace. These are the default first tools, n
|
|
|
217
172
|
|
|
218
173
|
Rules:
|
|
219
174
|
- Do not start with a full-file read when discovery tools can narrow the target first.
|
|
220
|
-
- When `localSearchCode` returns zero matches: (1) widen the pattern (drop regex meta-chars, try a substring), (2) fall back to `localFindFiles` on likely filename patterns, (3) retry with the literal symbol name. Only after that may you broaden to `localViewStructure` for layout reconnaissance.
|
|
175
|
+
- When `localSearchCode` returns zero matches: (1) widen the pattern (drop regex meta-chars, try a substring), (2) fall back to `localFindFiles` on likely filename patterns, (3) retry with the literal symbol name. Only after that may you broaden to `localViewStructure` for layout reconnaissance.
|
|
221
176
|
|
|
222
177
|
### 2. LSP tools
|
|
223
178
|
|
|
224
|
-
Use LSP tools to understand real semantic relationships.
|
|
225
|
-
|
|
226
|
-
Critical rule: every LSP tool needs `lineHint` from `localSearchCode`.
|
|
227
|
-
Never guess it.
|
|
179
|
+
Use LSP tools to understand real semantic relationships. `lineHint` rule stated in §Quick decision cheatsheet — applies to every entry below.
|
|
228
180
|
|
|
229
181
|
| Tool | Use it for |
|
|
230
182
|
|------|------------|
|
|
231
183
|
| `lspGotoDefinition` | What symbol is this really? |
|
|
232
|
-
| `lspFindReferences` | Blast radius, all usages, dead-code checks |
|
|
184
|
+
| `lspFindReferences` | Blast radius, all usages, dead-code checks (types, vars, anything) |
|
|
233
185
|
| `lspCallHierarchy` | Function call flow only: incoming callers and outgoing callees |
|
|
234
186
|
|
|
235
|
-
LSP is the main way to answer:
|
|
236
|
-
- who depends on this?
|
|
237
|
-
- what will break if we change it?
|
|
238
|
-
- what path does execution follow?
|
|
239
|
-
|
|
240
187
|
### 3. AST tools — structural proof
|
|
241
188
|
|
|
242
|
-
|
|
189
|
+
Authoritative proof for code-shape, redundancy, and smell claims; use when text search is too weak.
|
|
243
190
|
|
|
244
191
|
| Script | Role | Example invocation |
|
|
245
192
|
|--------|------|--------------------|
|
|
@@ -247,15 +194,13 @@ Use AST when text search is too weak. AST is the authoritative proof layer for c
|
|
|
247
194
|
| `scripts/ast/search.js` | Project-specific structural claim | `node scripts/ast/search.js --pattern 'if ($C) { return $V }' --json` |
|
|
248
195
|
| `scripts/ast/tree-search.js` | Fast triage over cached AST trees from a prior scan | `node scripts/ast/tree-search.js -i .octocode/scan -k function_declaration --limit 25` |
|
|
249
196
|
|
|
250
|
-
|
|
197
|
+
Rules:
|
|
251
198
|
- Presets cover the common clean-code rules; list them with `node scripts/ast/search.js --list-presets`.
|
|
252
199
|
- Python presets are prefixed `py-` (e.g. `py-bare-except`, `py-mutable-default`).
|
|
253
|
-
- Pair every match with its `file:line` in the summary.
|
|
254
|
-
|
|
255
|
-
Rules:
|
|
256
200
|
- Use `tree-search.js` first to narrow, then `search.js` to confirm on live code.
|
|
257
201
|
- If a structural claim matters to a decision, confirm it with AST before presenting it as fact.
|
|
258
|
-
-
|
|
202
|
+
- Pair every match with its `file:line` in the summary.
|
|
203
|
+
- For preset catalog, pattern syntax, and Python node kinds, see [ast-reference.md](./references/ast-reference.md).
|
|
259
204
|
|
|
260
205
|
### 4. Scanner — architecture and flow
|
|
261
206
|
|
|
@@ -267,22 +212,26 @@ Use `scripts/run.js` when the question is bigger than one symbol or one file. It
|
|
|
267
212
|
| `scripts/run.js --graph` | Architecture graph (cycles, SDP, coupling) | `node scripts/run.js --graph --out .octocode/scan/scan.json` |
|
|
268
213
|
| `scripts/run.js --json` | Machine-readable findings | `node scripts/run.js --json --out .octocode/scan/scan.json` |
|
|
269
214
|
|
|
270
|
-
Use scanner output to reason about: where change risk concentrates, whether a module is structurally unhealthy, whether a local fix ignores a broader architectural problem, which area to refactor first. Flags, thresholds, and
|
|
215
|
+
Use scanner output to reason about: where change risk concentrates, whether a module is structurally unhealthy, whether a local fix ignores a broader architectural problem, which area to refactor first. Flags, thresholds, scope syntax, and exit codes: [cli-reference.md](./references/cli-reference.md). Reading the scan artifacts: [output-files.md](./references/output-files.md).
|
|
216
|
+
|
|
217
|
+
**First-run install.** Scripts auto-install native deps (`tree-search.js` needs none) using the detected package manager (pnpm-lock.yaml → pnpm, yarn.lock → yarn, else npm); on failure they exit non-zero with the manual command. Opt out with `OCTOCODE_NO_AUTO_INSTALL=1`.
|
|
271
218
|
|
|
272
|
-
**
|
|
219
|
+
**Invoking the scripts.** Skill is `private: true` with no `bin` — `npx octocode-engineer-*` is **invalid**. `npx` applies only to externals in [externals.md](./references/externals.md). Forms:
|
|
273
220
|
|
|
274
|
-
|
|
275
|
-
|
|
276
|
-
|
|
277
|
-
|
|
278
|
-
|
|
279
|
-
|
|
221
|
+
| Form | Example | When |
|
|
222
|
+
|---|---|---|
|
|
223
|
+
| Absolute path | `node <SKILL_DIR>/scripts/run.js --scope=packages/my-pkg` | From any cwd (default) |
|
|
224
|
+
| `yarn` alias | `cd <SKILL_DIR> && yarn analyze\|analyze:full\|analyze:graph\|analyze:json` | Idiomatic in-skill shortcut |
|
|
225
|
+
| `yarn` alias (AST) | `cd <SKILL_DIR> && yarn search\|search:json\|search:presets\|search:trees\|search:trees:json` | AST scripts |
|
|
226
|
+
| Raw node (cwd-local) | `cd <SKILL_DIR> && node scripts/run.js [flags]` | When you need flags not covered by an alias |
|
|
280
227
|
|
|
281
|
-
|
|
228
|
+
Full flag catalog + exit codes: [cli-reference.md](./references/cli-reference.md).
|
|
282
229
|
|
|
283
|
-
|
|
230
|
+
**Cost.** Prefer `--scope=<path>` over full-repo; reuse existing artifacts when they answer the question; on staleness re-run only the minimal scope.
|
|
284
231
|
|
|
285
|
-
|
|
232
|
+
### 5. Cross-cutting quality checks
|
|
233
|
+
|
|
234
|
+
The Clean-Architecture principles and the six analytic dimensions already cover naming, cohesion, duplication, layering, contracts, types, data flow, and execution. Use this section only for concerns **not** directly named there:
|
|
286
235
|
|
|
287
236
|
| Check | Focus |
|
|
288
237
|
|------|------|
|
|
@@ -290,117 +239,50 @@ The Clean-Architecture principles and the six analytic dimensions already cover
|
|
|
290
239
|
| Observability & operability | logging quality, metric/tracing coverage, diagnosability, alert/runbook readiness |
|
|
291
240
|
| Rollout & migration | feature flags, backward-compatibility windows, rollback path, migration sequencing |
|
|
292
241
|
| Build & config | ESM/CJS mismatch, module resolution, script wiring, runtime assumptions |
|
|
242
|
+
| Structure health | leaf-folder bloat, vague shared/helper buckets, depth balance, source spread, file and folder naming consistency for the project |
|
|
293
243
|
| Docs | whether critical assumptions, contracts, flows, setup, migrations, and risks are documented |
|
|
294
244
|
| CSS hygiene | selector scope, token reuse, naming clarity, dead styles (when frontend styling is touched) |
|
|
295
245
|
| `knip` | unused exports, files, dependencies, dead integration edges (run on refactors) |
|
|
296
246
|
|
|
297
|
-
Skip items that do not apply
|
|
298
|
-
|
|
299
|
-
### 6. Task and user checkpoints
|
|
300
|
-
|
|
301
|
-
Use task or todo tracking when the work has multiple steps, risks, or follow-ups.
|
|
302
|
-
Track at least:
|
|
303
|
-
- investigation
|
|
304
|
-
- decision or plan
|
|
305
|
-
- implementation
|
|
306
|
-
- verification
|
|
307
|
-
- docs follow-up when needed
|
|
308
|
-
|
|
309
|
-
For when to stop and ask, see the **User-Ask Gates** section below. Hard gates are non-negotiable stops (ambiguous scope, public contract change, cross-layer edits, destructive actions, large blast radius). Soft gates are ask-if-material.
|
|
310
|
-
|
|
311
|
-
Use task tracking whenever the work spans research -> planning -> implementation -> verification -> docs/RFC sync.
|
|
312
|
-
|
|
313
|
-
### 7. Agent execution rules
|
|
314
|
-
|
|
315
|
-
Complements the Operating Contract at the top of this file with reliability rules for how the agent emits reasoning and updates.
|
|
316
|
-
|
|
317
|
-
Per-step:
|
|
318
|
-
- Declare the next tool step and why it is the cheapest proof available.
|
|
319
|
-
- Separate facts from inference in every checkpoint.
|
|
320
|
-
- Carry forward concrete identifiers from tools (`lineHint`, paths, symbols, artifact names).
|
|
321
|
-
- Run explicit verification after edits; do not assume success from static reading.
|
|
322
|
-
|
|
323
|
-
Status updates:
|
|
324
|
-
- Every update names what was checked and what remains. No vague progress.
|
|
325
|
-
- No broad claims ("looks fine", "should be ok") without at least one concrete evidence source.
|
|
326
|
-
- No switching from investigation to edits without a short system/flow summary.
|
|
327
|
-
|
|
328
|
-
Depth control:
|
|
329
|
-
- Skip irrelevant checks when they clearly do not apply (mark `N/A` in the artifact).
|
|
330
|
-
- Go deeper only where risk or uncertainty is meaningful.
|
|
331
|
-
- Choose the lightest evidence path that proves the conclusion.
|
|
332
|
-
|
|
333
|
-
### 8. Token-efficient execution mode
|
|
247
|
+
Skip items that do not apply. For concrete `npx` commands for `eslint`, `tsc`, `knip`, `stylelint`, `type-coverage`, `dep-cruiser`, `ruff`, `mypy`, and related externals, see [externals.md](./references/externals.md) — **ask before running**.
|
|
334
248
|
|
|
335
|
-
|
|
249
|
+
### 6. Execution discipline
|
|
336
250
|
|
|
337
|
-
|
|
338
|
-
-
|
|
339
|
-
-
|
|
340
|
-
-
|
|
341
|
-
-
|
|
342
|
-
- stop research when confidence is sufficient for safe action (`confirmed` or clearly bounded `likely`)
|
|
343
|
-
- when uncertainty remains, ask one precise checkpoint question instead of writing long speculation
|
|
344
|
-
|
|
345
|
-
Output compression rules:
|
|
346
|
-
- summarize findings as: issue -> evidence -> impact -> action
|
|
347
|
-
- keep confidence markers terse (`confirmed` / `likely` / `uncertain`)
|
|
348
|
-
- report only residual risks that affect implementation, rollout, or contracts
|
|
349
|
-
- avoid duplicating tool command details unless reproducibility is needed
|
|
350
|
-
|
|
351
|
-
### 9. Script usage policy (cost-aware)
|
|
352
|
-
|
|
353
|
-
Tool-selection rules for scripts are in §3 (AST) and §4 (Scanner). Additional cost rules:
|
|
354
|
-
|
|
355
|
-
- Scope scan runs (`--scope=...`) before full-repo scans.
|
|
356
|
-
- Do not re-run a scan when the existing artifact already answers the current question.
|
|
357
|
-
- When scan output is stale relative to current edits, re-run only the minimal necessary scope.
|
|
251
|
+
- **Per-step**: declare the next tool and why it is the cheapest proof; separate facts from inference; carry forward concrete identifiers (`lineHint`, paths, symbols); verify explicitly after edits.
|
|
252
|
+
- **Status updates**: say what was checked and what remains — no vague progress, no "looks fine" without evidence, no switching to edits without a short flow summary.
|
|
253
|
+
- **Depth control**: mark `N/A` on irrelevant checks; go deeper only where risk/uncertainty is meaningful; pick the lightest evidence path.
|
|
254
|
+
- **Token efficiency**: one investigation thread at a time; reference prior checkpoints instead of restating evidence; stop research when confidence is sufficient; summarize findings as **issue → evidence → impact → action**.
|
|
255
|
+
- **Task tracking**: use todos when the work spans research → plan → implement → verify → docs. Track investigation, decision, implementation, verification, docs follow-up.
|
|
358
256
|
|
|
359
257
|
## Default Working Order
|
|
360
258
|
|
|
361
|
-
|
|
362
|
-
|
|
363
|
-
1. Clarify the behavior or question.
|
|
364
|
-
2. Create or update tasks/todos if the work is multi-step.
|
|
365
|
-
3. Map the package/module area with local tools.
|
|
366
|
-
4. Trace important symbols with LSP.
|
|
367
|
-
5. Identify critical paths and failure paths (latency/business-risk/error fanout).
|
|
368
|
-
6. Validate and check structural claims with AST tools.
|
|
369
|
-
7. Check architecture, layering/modularity, contracts/protocols, reliability/observability/rollout/data correctness, build/configuration, docs, and flow risk with the scanner and relevant project files.
|
|
370
|
-
8. Read the actual code with context.
|
|
371
|
-
9. If the task touches design docs or RFCs, validate them against current flows, contracts, and boundaries.
|
|
372
|
-
10. Apply the Clean Architecture and Clean Code lenses; record each principle as `confirmed|likely|uncertain` with evidence.
|
|
373
|
-
11. Produce the understanding artifact (system summary, key flows, boundaries, architecture health, clean-code hotspots, next step).
|
|
374
|
-
12. Pause and ask the user if a real decision checkpoint appears.
|
|
375
|
-
13. Decide whether to explain, plan, or edit.
|
|
259
|
+
Non-trivial tasks follow this arc (recommended, not mandatory): clarify the question → create todos if multi-step → map layout with local tools → trace symbols with LSP → identify critical and failure paths → validate structure with AST → check architecture/contracts/reliability/build/docs with the scanner → read the code in context → validate design docs or RFCs against current flows and contracts → apply both lenses (`confirmed|likely|uncertain` with evidence) → produce the artifact → pause at any hard gate → decide to explain, plan, or edit.
|
|
376
260
|
|
|
377
|
-
|
|
378
|
-
`clarify -> track -> layout -> symbols -> structure -> architecture/build/docs -> code -> docs/RFC reality check -> clean-arch/clean-code lenses -> summarize (artifact) -> checkpoint -> action`
|
|
261
|
+
## Task shapes
|
|
379
262
|
|
|
380
|
-
|
|
263
|
+
Same working order; emphasis differs:
|
|
381
264
|
|
|
382
|
-
|
|
383
|
-
|
|
384
|
-
|
|
385
|
-
|
|
386
|
-
|
|
387
|
-
|
|
388
|
-
|
|
389
|
-
- **Implementation duty cycle** — before coding, state root cause + blast radius + target contract; during coding, keep edits in the smallest responsible layer and run narrow checks per batch; after coding, re-sync docs/RFCs and close with residual risk + confidence.
|
|
265
|
+
| Task | Weight on | Notes |
|
|
266
|
+
|------|-----------|-------|
|
|
267
|
+
| **Code understanding** | steps 3–8 (layout → LSP → AST → scoped scanner → read) | Deliverable is the artifact. |
|
|
268
|
+
| **Bug fixing** | Flows + Execution from failing behavior to entry point; adjacent error/retry/contract risk | Fix the smallest layer that solves the root cause; escalate via Smallest-fix vs. safest-fix gate when systemic. |
|
|
269
|
+
| **Refactor** | blast radius (`lspFindReferences`), scoped scan, duplication inventory, then plan | Prefer extracting modules, clarifying contracts, simplifying flows over cosmetic reshuffling. Verify per batch. |
|
|
270
|
+
| **Architecture review** | scanner `--graph` first, then LSP on candidate modules, then read representatives | Report both local and system-level causes. |
|
|
271
|
+
| **RFC / design validation** | map each claim to code ownership; verify flow, contract, and architecture alignment | Mark claims `confirmed|likely|uncertain`; report mismatches as doc or code follow-ups. |
|
|
390
272
|
|
|
391
273
|
## Before / During / After A Change
|
|
392
274
|
|
|
393
|
-
|
|
275
|
+
Operational actions per phase (investigation substance = lenses + artifact):
|
|
394
276
|
|
|
395
277
|
### Before
|
|
396
|
-
- Produce the understanding artifact
|
|
278
|
+
- Produce the understanding artifact.
|
|
397
279
|
- Map design-doc / RFC claims to concrete code ownership when one exists.
|
|
398
280
|
- Look for an existing local pattern before inventing a new one.
|
|
399
281
|
|
|
400
282
|
### During
|
|
401
283
|
- Keep edits in the smallest responsible layer; preserve boundaries unless the plan intentionally changes them.
|
|
402
284
|
- Maintain contract/protocol compatibility unless an explicit migration is in scope.
|
|
403
|
-
-
|
|
285
|
+
- If root cause turns out structural mid-task, stop and hit the Smallest-fix vs. safest-fix gate instead of continuing with a cosmetic patch.
|
|
404
286
|
|
|
405
287
|
### After
|
|
406
288
|
- Run tests, lint, and build/type-check.
|
|
@@ -411,18 +293,11 @@ Investigation substance is covered by the Clean-Architecture principles, the six
|
|
|
411
293
|
|
|
412
294
|
## Confidence Rules
|
|
413
295
|
|
|
414
|
-
|
|
415
|
-
|
|
416
|
-
|
|
|
417
|
-
|
|
418
|
-
| `
|
|
419
|
-
| `likely` | good evidence exists, but one important angle is still missing |
|
|
420
|
-
| `uncertain` | signals conflict, context is incomplete, or only one weak source exists |
|
|
421
|
-
|
|
422
|
-
Examples:
|
|
423
|
-
- `confirmed`: AST proves an empty catch, and LSP shows the function is widely used
|
|
424
|
-
- `likely`: scanner reports a hotspot and code shape agrees, but blast radius is still unverified
|
|
425
|
-
- `uncertain`: text search suggests dead code, but LSP is unavailable
|
|
296
|
+
| Level | Meaning | Example |
|
|
297
|
+
|-------|---------|---------|
|
|
298
|
+
| `confirmed` | ≥2 approaches agree, or one authoritative source | AST proves empty catch + LSP shows function widely used |
|
|
299
|
+
| `likely` | good evidence, one angle still missing | scanner hotspot agrees with code shape, blast radius unverified |
|
|
300
|
+
| `uncertain` | conflicting / incomplete / single weak source | text search suggests dead code, LSP unavailable |
|
|
426
301
|
|
|
427
302
|
### Evidence conflict resolution
|
|
428
303
|
|
|
@@ -438,22 +313,24 @@ When sources disagree on a claim that affects a decision, prefer the source whos
|
|
|
438
313
|
|
|
439
314
|
If the authoritative source contradicts a weaker one, mark the weaker one as "re-verify" in the artifact and note the resolution. Never present conflicting evidence as resolved without a recorded tiebreak.
|
|
440
315
|
|
|
316
|
+
For step-by-step playbooks that confirm or dismiss a finding (dead code, duplicate, unsafe `any`, layer violation, cycle, etc.), see [validation-playbooks.md](./references/validation-playbooks.md).
|
|
317
|
+
|
|
441
318
|
## User-Ask Gates
|
|
442
319
|
|
|
443
|
-
A gate is a **hard stop
|
|
320
|
+
A gate is a **hard stop** — do not proceed without the user's explicit decision.
|
|
444
321
|
|
|
445
322
|
### Hard gates (always stop and ask)
|
|
446
323
|
|
|
447
|
-
|
|
324
|
+
State situation in ≤3 lines, list options, name tradeoff, recommend one.
|
|
448
325
|
|
|
449
326
|
1. **Ambiguous scope** — the task has more than one reasonable interpretation and the right one changes the plan.
|
|
450
327
|
_Ambiguous:_ "fix the login bug". _Unambiguous:_ "fix 500 on /api/login when password field is empty".
|
|
451
328
|
2. **Public contract change** — a public API, exported symbol, event schema, DB schema, CLI flag, or wire protocol would change.
|
|
452
329
|
_Fires:_ renaming an exported function with external consumers. _Does not fire:_ renaming a private helper with no references.
|
|
453
|
-
3. **Cross-layer/cross-package change** — the fix requires editing more than one layer
|
|
330
|
+
3. **Cross-layer/cross-package change** — the fix requires editing more than one layer or crosses a workspace boundary.
|
|
454
331
|
_Fires:_ bug fix needs changes in `packages/domain` AND `packages/http-adapter`. _Does not fire:_ edit contained in one package.
|
|
455
|
-
4. **Dependency-rule violation required** — the cleanest fix would break the dependency rule
|
|
456
|
-
_Fires:_ domain module would need to import the HTTP adapter
|
|
332
|
+
4. **Dependency-rule violation required** — the cleanest fix would break the dependency rule, break a boundary, or introduce a new cycle.
|
|
333
|
+
_Fires:_ domain module would need to import the HTTP adapter. _Does not fire:_ adapter importing domain (correct direction).
|
|
457
334
|
5. **Destructive or irreversible action** — delete/rename shared files, drop tables, reset branches, force-push, publish packages, send messages/PRs on the user's behalf.
|
|
458
335
|
_Fires:_ `git reset --hard`, `rm -rf`, publishing an npm version. _Does not fire:_ local file edits on a feature branch.
|
|
459
336
|
6. **Blast radius > ~5 consumers** — `lspFindReferences` returns many callers and the change alters their behavior.
|
|
@@ -462,12 +339,12 @@ Stop and ask before any of these. State the situation in ≤3 lines, list the vi
|
|
|
462
339
|
_Fires:_ two different search patterns both return empty for a symbol you expected. _Does not fire:_ one failed attempt with a clear next angle.
|
|
463
340
|
8. **Missing gate prerequisite** — no tests exist for the area, no owner documented, no schema available, and the change needs one.
|
|
464
341
|
_Fires:_ user asks for a refactor of untested legacy code. _Does not fire:_ tests exist and cover the change surface.
|
|
465
|
-
9. **Conflicting evidence** — authoritative and corroborating sources (see
|
|
342
|
+
9. **Conflicting evidence** — authoritative and corroborating sources (see §Evidence conflict resolution) disagree on a claim that matters to the decision.
|
|
466
343
|
_Fires:_ LSP says 0 references, AST shows an import of the symbol. _Does not fire:_ scanner is noisy but LSP is clear.
|
|
467
344
|
10. **Smallest-fix vs. safest-fix conflict** — a narrow patch would work but the root cause is structural.
|
|
468
345
|
_Fires:_ bug can be fixed by adding a null check but the real cause is a missing contract between two layers. _Does not fire:_ the narrow patch IS the right layer.
|
|
469
346
|
|
|
470
|
-
### Soft gates (ask if
|
|
347
|
+
### Soft gates (ask if material)
|
|
471
348
|
|
|
472
349
|
Ask when the decision materially changes the outcome; otherwise proceed and note the assumption.
|
|
473
350
|
|
|
@@ -479,8 +356,6 @@ Ask when the decision materially changes the outcome; otherwise proceed and note
|
|
|
479
356
|
|
|
480
357
|
### Ask template
|
|
481
358
|
|
|
482
|
-
When you hit a gate, use this shape:
|
|
483
|
-
|
|
484
359
|
> **Gate:** <what triggered it, 1 line>
|
|
485
360
|
> **Options:**
|
|
486
361
|
> 1. <option A> — tradeoff
|
|
@@ -488,83 +363,39 @@ When you hit a gate, use this shape:
|
|
|
488
363
|
> **Recommendation:** <A or B, 1 line why>
|
|
489
364
|
> **Blocking:** <what I will not do until you decide>
|
|
490
365
|
|
|
491
|
-
Keep it short. The user should be able to respond in one sentence.
|
|
492
|
-
|
|
493
|
-
If the user picks an option you did not recommend (including a riskier one), record the decision and the stated reason in the **Architecture health** / **Risk vector** sections of the artifact and proceed without re-asking. Do not argue against a decided option — raise residual risks once, then execute.
|
|
366
|
+
Keep it short. The user should be able to respond in one sentence. If the user picks an option you did not recommend, record the decision and the stated reason in the **Architecture health** / **Risk vector** sections and proceed without re-asking. Do not argue against a decided option — raise residual risks once, then execute.
|
|
494
367
|
|
|
495
368
|
### Gate discipline
|
|
496
369
|
|
|
497
|
-
- Do not ask when the answer is obvious from the code, CLAUDE.md, or prior context.
|
|
498
|
-
- Do not silently continue past a hard gate because "it seemed fine" — that is the failure
|
|
370
|
+
- Do not ask when the answer is obvious from the code, CLAUDE.md, or prior context.
|
|
371
|
+
- Do not silently continue past a hard gate because "it seemed fine" — that is the failure gates prevent.
|
|
499
372
|
- If a gate fires mid-implementation, stop at a clean checkpoint (commit if appropriate, revert if not) and ask.
|
|
500
|
-
- After
|
|
501
|
-
- Gates bind regardless of fallback state
|
|
373
|
+
- After a decision, record it in the artifact so future steps carry it forward.
|
|
374
|
+
- **Gates bind regardless of fallback state.** If an Octocode tool is unavailable and you are in §Fallback Mode, gates still fire on the same conditions; lower confidence does not weaken the rule.
|
|
502
375
|
|
|
503
|
-
## Hard Rules
|
|
376
|
+
## Hard Rules (recap)
|
|
377
|
+
|
|
378
|
+
Non-negotiable guardrails beyond the §Operating contract (which already binds gates and tool universe):
|
|
504
379
|
|
|
505
|
-
Core guardrails:
|
|
506
380
|
- Do not present raw detector output as unquestioned fact.
|
|
507
|
-
- Do not
|
|
508
|
-
- Do not use `lspCallHierarchy` on non-function symbols.
|
|
381
|
+
- Do not use `lspCallHierarchy` on non-function symbols — use `lspFindReferences` instead.
|
|
509
382
|
- Do not judge shared modules from one file read alone.
|
|
510
383
|
- Do not claim design/RFC compliance without claim-by-claim evidence.
|
|
511
384
|
- Do not ignore build/config evidence when runtime behavior may depend on it.
|
|
512
|
-
- Do not apply a quick patch when the real issue is contracts, boundaries, duplication, or architecture — hit the
|
|
385
|
+
- Do not apply a quick patch when the real issue is contracts, boundaries, duplication, or architecture — hit the Smallest-fix vs. safest-fix gate.
|
|
513
386
|
- Check blast radius before changing shared symbols.
|
|
514
387
|
- Re-sync docs/RFCs when implementation changes architecture, contracts, rollout assumptions, or constraints.
|
|
515
|
-
- Stop at every hard gate in the **User-Ask Gates** section; do not proceed without an explicit user decision.
|
|
516
|
-
- Do not switch to native Claude Code search tools (`Grep`, `Glob`, `Read`) while Octocode MCP is registered (see **Fallback Mode** for the full rule).
|
|
517
388
|
|
|
518
389
|
## Fallback Mode
|
|
519
390
|
|
|
520
|
-
Fallback applies only when an Octocode tool is truly **unavailable**
|
|
521
|
-
|
|
522
|
-
If Octocode tools or LSP are unavailable:
|
|
523
|
-
- continue with AST tools and the scanner
|
|
524
|
-
- rely more on local search and direct code reading within this skill's tool universe
|
|
525
|
-
- reduce confidence on semantic claims
|
|
526
|
-
- say clearly which parts were proven and which parts were inferred
|
|
527
|
-
|
|
528
|
-
If an Octocode tool returns a degradation notice but completed the call:
|
|
529
|
-
- treat the response as valid and use its results
|
|
530
|
-
- if the results are empty or clearly wrong, retry with a simpler input (drop regex meta-characters, switch to literal search, narrow the path)
|
|
531
|
-
- do not switch to native Claude Code tools — that would leave the skill's evidence model
|
|
532
|
-
|
|
533
|
-
## Outcome Standard
|
|
534
|
-
|
|
535
|
-
A good result answers all of these:
|
|
536
|
-
- What is happening?
|
|
537
|
-
- Where is the real ownership or boundary?
|
|
538
|
-
- What is the blast radius?
|
|
539
|
-
- Are the contracts clear and safe?
|
|
540
|
-
- Is the problem local, structural, or architectural?
|
|
541
|
-
- Is build/configuration part of the issue?
|
|
542
|
-
- Is the implementation efficient enough, or is avoidable complexity hurting it?
|
|
543
|
-
- Is reliability acceptable under failure and retry conditions?
|
|
544
|
-
- Is observability sufficient to debug and operate this path?
|
|
545
|
-
- Is rollout/migration safety clear and reversible?
|
|
546
|
-
- Is the system becoming cleaner, more modular, and easier to extend?
|
|
547
|
-
- Are important critical aspects documented?
|
|
548
|
-
- What is the safest next move?
|
|
549
|
-
|
|
550
|
-
If the answer only explains one file, it is usually incomplete.
|
|
391
|
+
Fallback applies only when an Octocode tool is truly **unavailable** — not registered, unreachable, or returning hard errors. A warning inside a successful response is **not** a failure.
|
|
551
392
|
|
|
552
|
-
|
|
393
|
+
**If unavailable:** continue with AST tools and the scanner; rely more on local search and direct code reading within this skill's tool universe; reduce confidence on semantic claims; label proven vs. inferred.
|
|
553
394
|
|
|
554
|
-
|
|
555
|
-
- [octocode-rfc-generator](https://skills.sh/bgauryy/octocode-mcp/octocode-rfc-generator) — generate a smart RFC from validated system evidence.
|
|
395
|
+
**If degraded but completed:** treat the response as valid; on empty/wrong results, retry with a simpler input (drop regex meta-characters, switch to literal search, narrow the path). **Do not** switch to native Claude Code tools — that leaves the skill's evidence model.
|
|
556
396
|
|
|
557
|
-
##
|
|
397
|
+
## Companion Skill
|
|
558
398
|
|
|
559
|
-
|
|
399
|
+
Pair with the RFC skill when architecture options, trade-offs, or migration strategy need a formal proposal before coding:
|
|
560
400
|
|
|
561
|
-
|
|
562
|
-
|-----------|-----------|
|
|
563
|
-
| Which tool to use, what order | [Tool workflows](./references/tool-workflows.md) |
|
|
564
|
-
| Scanner flags, thresholds, scope syntax | [CLI reference](./references/cli-reference.md) |
|
|
565
|
-
| Reading scan artifacts (summary.json, findings.json, etc.) | [Output files](./references/output-files.md) |
|
|
566
|
-
| AST presets, pattern syntax, Python node kinds | [AST reference](./references/ast-reference.md) |
|
|
567
|
-
| Confirming or dismissing a finding | [Validation playbooks](./references/validation-playbooks.md) |
|
|
568
|
-
| Detector catalog, metrics, severity thresholds | [Quality indicators](./references/quality-indicators.md) |
|
|
569
|
-
| How to present findings to the user | [Output format](./references/output-format.md) |
|
|
570
|
-
| eslint, tsc, knip, ruff, mypy, and other external tools | [External tools](./references/externals.md) |
|
|
401
|
+
- [octocode-rfc-generator](https://skills.sh/bgauryy/octocode-mcp/octocode-rfc-generator) — generate a smart RFC from validated system evidence.
|