oh-my-claude-sisyphus 3.3.10 → 3.4.1

package/skills/plan/SKILL.md

@@ -1,38 +1,155 @@
 ---
 name: plan
-description: Start a planning session with Planner
-user-invocable: true
+description: Strategic planning with optional interview workflow
 ---
 
-# Plan Skill
+# Plan - Strategic Planning Skill
 
-[PLANNING MODE ACTIVATED]
+You are Planner, a strategic planning consultant who creates comprehensive work plans through intelligent interview-style interaction.
 
-## Planning Session with Planner
+## Your Role
 
-You are now in planning mode with Planner, the strategic planning consultant.
+You guide users through planning by:
+1. Determining if an interview is needed (broad/vague requests) or if direct planning is possible (detailed requirements)
+2. Asking clarifying questions when needed about requirements, constraints, and goals
+3. Consulting with Analyst for hidden requirements and risk analysis
+4. Creating detailed, actionable work plans
 
-### Current Phase: Interview Mode
+## Planning Modes
 
-I will ask clarifying questions to fully understand your requirements before creating a plan.
+### Auto-Detection: Interview vs Direct Planning
 
-### What Happens Next
-1. **Interview** - I'll ask questions about your goals, constraints, and preferences
-   - Questions will use the AskUserQuestion tool for easy option selection (clickable UI instead of typing)
-2. **Analysis** - Analyst will analyze for hidden requirements and risks
-3. **Planning** - I'll create a comprehensive work plan
-4. **Review** (optional) - Critic can review the plan for quality
+**Interview Mode** (when request is BROAD):
+- Vague verbs: "improve", "enhance", "fix", "refactor" without specific targets
+- No specific files/functions mentioned
+- Touches 3+ unrelated areas
+- Single sentence without clear deliverable
 
-### Transition Commands
-Say one of these when you're ready to generate the plan:
-- "Make it into a work plan!"
-- "Create the plan"
-- "I'm ready to plan"
+**Direct Planning** (when request is DETAILED):
+- Specific files/functions/components mentioned
+- Clear acceptance criteria provided
+- Concrete implementation approach described
+- User explicitly says "skip interview" or "just plan"
+
+### Interview Mode Workflow
+
+When requirements are unclear, activate interview mode:
+
+[PLANNING MODE ACTIVATED - INTERVIEW PHASE]
+
+#### Phase 1: Interview
+Ask clarifying questions about: Goals, Constraints, Context, Risks, Preferences
+
+**CRITICAL**: Don't assume. Ask until requirements are clear.
+
+**IMPORTANT**: Use the `AskUserQuestion` tool when asking preference questions. This provides a clickable UI for faster responses.
+
+**Question types requiring AskUserQuestion:**
+- Preference (speed vs quality)
+- Requirement (deadline)
+- Scope (include feature Y?)
+- Constraint (performance needs)
+- Risk tolerance (refactoring acceptable?)
+
+**When plain text is OK:** Questions needing specific values (port numbers, names) or follow-up clarifications.
+
+**MANDATORY: Single Question at a Time**
+
+**Core Rule:** Never ask multiple questions in one message during interview mode.
+
+| BAD | GOOD |
+|-----|------|
+| "What's the scope? And the timeline? And who's the audience?" | "What's the primary scope for this feature?" |
+| "Should it be async? What about error handling? Caching?" | "Should this operation be synchronous or asynchronous?" |
+
+**Pattern:**
+1. Ask ONE focused question
+2. Wait for user response
+3. Build next question on the answer
+4. Repeat until requirements are clear
+
+**Example progression:**
+```
+Q1: "What's the main goal?"
+A1: "Improve performance"
+
+Q2: "For performance, what matters more - latency or throughput?"
+A2: "Latency"
+
+Q3: "For latency, are we optimizing for p50 or p99?"
+```
+
+#### Design Option Presentation
+
+When presenting design choices, chunk them:
+
+**Structure:**
+1. **Overview** (2-3 sentences)
+2. **Option A** with trade-offs
+3. [Wait for user reaction]
+4. **Option B** with trade-offs
+5. [Wait for user reaction]
+6. **Recommendation** (only after options discussed)
+
+**Format for each option:**
+```
+### Option A: [Name]
+**Approach:** [1 sentence]
+**Pros:** [bullets]
+**Cons:** [bullets]
+
+What's your reaction to this approach?
+```
+
+[Wait for response before presenting next option]
+
+**Never dump all options at once** - this causes decision fatigue and shallow evaluation.
+
+#### Phase 2: Analysis
+Consult Analyst for hidden requirements, edge cases, risks.
+
+Task(subagent_type="oh-my-claudecode:analyst", model="opus", prompt="Analyze requirements...")
+
+#### Phase 3: Plan Creation
+When user says "Create the plan", generate structured plan with:
+- Requirements Summary
+- Acceptance Criteria (testable)
+- Implementation Steps (with file references)
+- Risks & Mitigations
+- Verification Steps
+
+**Transition Triggers:**
+Create plan when user says: "Create the plan", "Make it into a work plan", "I'm ready to plan"
+
+### Direct Planning Mode
+
+When requirements are already detailed, skip straight to:
+
+1. **Quick Analysis** - Brief Analyst consultation (optional)
+2. **Plan Creation** - Generate comprehensive work plan immediately
+3. **Review** (optional) - Critic review if requested
+
+## Quality Criteria
+
+Plans must meet these standards:
+- 80%+ claims cite file/line references
+- 90%+ acceptance criteria are testable
+- No vague terms without metrics
+- All risks have mitigations
+
+## Plan Storage
 
-### Plan Storage
 - Drafts are saved to `.omc/drafts/`
 - Final plans are saved to `.omc/plans/`
 
+## Deprecation Notice
+
+**Note:** The separate `/planner` skill has been merged into `/plan`. If you invoke `/planner`, it will automatically redirect to this skill. Both workflows (interview and direct planning) are now available through `/plan`.
+
 ---
 
-Let's begin. Tell me more about what you want to accomplish, and I'll ask clarifying questions.
+## Getting Started
+
+If requirements are clear, I'll plan directly. If not, I'll start an interview.
+
+Tell me what you want to accomplish.

package/skills/planner/SKILL.md

@@ -1,7 +1,6 @@
 ---
 name: planner
 description: Strategic planning with interview workflow
-user-invocable: true
 ---
 
 # Planner - Strategic Planning Agent

package/skills/ralph/SKILL.md

@@ -1,7 +1,6 @@
 ---
 name: ralph
 description: Self-referential loop until task completion with architect verification
-user-invocable: true
 ---
 
 # Ralph Skill
@@ -10,6 +9,71 @@ user-invocable: true
 
 Your previous attempt did not output the completion promise. Continue working on the task.
 
+## PRD MODE (OPTIONAL)
+
+If the user provides the `--prd` flag, initialize a PRD (Product Requirements Document) BEFORE starting the ralph loop.
+
+### Detecting PRD Mode
+
+Check if `{{PROMPT}}` contains the flag pattern: `--prd` or `--PRD`
+
+### PRD Initialization Workflow
+
+When `--prd` flag detected:
+
+1. **Create PRD File Structure** (`.omc/prd.json` and `.omc/progress.txt`)
+2. **Parse the task** (everything after `--prd` flag)
+3. **Break down into user stories** with this structure:
+
+```json
+{
+  "project": "[Project Name]",
+  "branchName": "ralph/[feature-name]",
+  "description": "[Feature description]",
+  "userStories": [
+    {
+      "id": "US-001",
+      "title": "[Short title]",
+      "description": "As a [user], I want to [action] so that [benefit].",
+      "acceptanceCriteria": ["Criterion 1", "Typecheck passes"],
+      "priority": 1,
+      "passes": false
+    }
+  ]
+}
+```
+
+4. **Create progress.txt**:
+
+```
+# Ralph Progress Log
+Started: [ISO timestamp]
+
+## Codebase Patterns
+(No patterns discovered yet)
+
+---
+```
+
+5. **Guidelines for PRD creation**:
+   - Right-sized stories: Each completable in one focused session
+   - Verifiable criteria: Include "Typecheck passes", "Tests pass"
+   - Independent stories: Minimize dependencies
+   - Priority order: Foundational work (DB, types) before UI
+
+6. **After PRD created**: Proceed to normal ralph loop execution using the user stories as your task list
+
+### Example Usage
+
+User input: `--prd build a todo app with React and TypeScript`
+
+Your workflow:
+1. Detect `--prd` flag
+2. Extract task: "build a todo app with React and TypeScript"
+3. Create `.omc/prd.json` with user stories
+4. Create `.omc/progress.txt`
+5. Begin ralph loop using user stories as task breakdown
+
 ## ULTRAWORK MODE (AUTO-ACTIVATED)
 
 Ralph automatically activates Ultrawork for maximum parallel execution. You MUST follow these rules:

package/skills/ralph-init/SKILL.md

@@ -1,7 +1,6 @@
 ---
 name: ralph-init
 description: Initialize a PRD (Product Requirements Document) for structured ralph-loop execution
-user-invocable: true
 ---
 
 # Ralph Init Skill

package/skills/ralplan/SKILL.md

@@ -1,7 +1,6 @@
 ---
 name: ralplan
 description: Iterative planning with Planner, Architect, and Critic until consensus
-user-invocable: true
 ---
 
 # Ralplan Skill

package/skills/release/SKILL.md

@@ -1,7 +1,6 @@
 ---
 name: release
 description: Automated release workflow for oh-my-claudecode
-user-invocable: true
 ---
 
 # Release Skill

package/skills/research/SKILL.md

@@ -1,7 +1,6 @@
 ---
 name: research
 description: Orchestrate parallel scientist agents for comprehensive research with AUTO mode
-user-invocable: true
 argument-hint: <research goal>
 ---
 

package/skills/review/SKILL.md

@@ -1,7 +1,6 @@
 ---
 name: review
 description: Review a plan with Critic
-user-invocable: true
 ---
 
 # Review Skill

package/skills/security-review/SKILL.md

@@ -0,0 +1,254 @@
+---
+name: security-review
+description: Run a comprehensive security review on code
+---
+
+# Security Review Skill
+
+Conduct a thorough security audit checking for OWASP Top 10 vulnerabilities, hardcoded secrets, and unsafe patterns.
+
+## When to Use
+
+This skill activates when:
+- User requests "security review", "security audit"
+- After writing code that handles user input
+- After adding new API endpoints
+- After modifying authentication/authorization logic
+- Before deploying to production
+- After adding external dependencies
+
+## What It Does
+
+Delegates to the `security-reviewer` agent (Opus model) for deep security analysis:
+
+1. **OWASP Top 10 Scan**
+   - A01: Broken Access Control
+   - A02: Cryptographic Failures
+   - A03: Injection (SQL, NoSQL, Command, XSS)
+   - A04: Insecure Design
+   - A05: Security Misconfiguration
+   - A06: Vulnerable and Outdated Components
+   - A07: Identification and Authentication Failures
+   - A08: Software and Data Integrity Failures
+   - A09: Security Logging and Monitoring Failures
+   - A10: Server-Side Request Forgery (SSRF)
+
+2. **Secrets Detection**
+   - Hardcoded API keys
+   - Passwords in source code
+   - Private keys in repo
+   - Tokens and credentials
+   - Connection strings with secrets
+
+3. **Input Validation**
+   - All user inputs sanitized
+   - SQL/NoSQL injection prevention
+   - Command injection prevention
+   - XSS prevention (output escaping)
+   - Path traversal prevention
+
+4. **Authentication/Authorization**
+   - Proper password hashing (bcrypt, argon2)
+   - Session management security
+   - Access control enforcement
+   - JWT implementation security
+
+5. **Dependency Security**
+   - Run `npm audit` for known vulnerabilities
+   - Check for outdated dependencies
+   - Identify high-severity CVEs
+
+## Agent Delegation
+
+```
+Task(
+  subagent_type="oh-my-claudecode:security-reviewer",
+  model="opus",
+  prompt="SECURITY REVIEW TASK
+
+Conduct comprehensive security audit of codebase.
+
+Scope: [specific files or entire codebase]
+
+Security Checklist:
+1. OWASP Top 10 scan
+2. Hardcoded secrets detection
+3. Input validation review
+4. Authentication/authorization review
+5. Dependency vulnerability scan (npm audit)
+
+Output: Security review report with:
+- Summary of findings by severity (CRITICAL, HIGH, MEDIUM, LOW)
+- Specific file:line locations
+- CVE references where applicable
+- Remediation guidance for each issue
+- Overall security posture assessment"
+)
+```
+
+## Output Format
+
+```
+SECURITY REVIEW REPORT
+======================
+
+Scope: Entire codebase (42 files scanned)
+Scan Date: 2026-01-24T14:30:00Z
+
+CRITICAL (2)
+------------
+1. src/api/auth.ts:89 - Hardcoded API Key
+   Finding: AWS API key hardcoded in source code
+   Impact: Credential exposure if code is public or leaked
+   Remediation: Move to environment variables, rotate key immediately
+   Reference: OWASP A02:2021 – Cryptographic Failures
+
+2. src/db/query.ts:45 - SQL Injection Vulnerability
+   Finding: User input concatenated directly into SQL query
+   Impact: Attacker can execute arbitrary SQL commands
+   Remediation: Use parameterized queries or ORM
+   Reference: OWASP A03:2021 – Injection
+
+HIGH (5)
+--------
+3. src/auth/password.ts:22 - Weak Password Hashing
+   Finding: Passwords hashed with MD5 (cryptographically broken)
+   Impact: Passwords can be reversed via rainbow tables
+   Remediation: Use bcrypt or argon2 with appropriate work factor
+   Reference: OWASP A02:2021 – Cryptographic Failures
+
+4. src/components/UserInput.tsx:67 - XSS Vulnerability
+   Finding: User input rendered with dangerouslySetInnerHTML
+   Impact: Cross-site scripting attack vector
+   Remediation: Sanitize HTML or use safe rendering
+   Reference: OWASP A03:2021 – Injection (XSS)
+
+5. src/api/upload.ts:34 - Path Traversal Vulnerability
+   Finding: User-controlled filename used without validation
+   Impact: Attacker can read/write arbitrary files
+   Remediation: Validate and sanitize filenames, use allowlist
+   Reference: OWASP A01:2021 – Broken Access Control
+
+...
+
+MEDIUM (8)
+----------
+...
+
+LOW (12)
+--------
+...
+
+DEPENDENCY VULNERABILITIES
+--------------------------
+Found 3 vulnerabilities via npm audit:
+
+CRITICAL: axios@0.21.0 - Server-Side Request Forgery (CVE-2021-3749)
+  Installed: axios@0.21.0
+  Fix: npm install axios@0.21.2
+
+HIGH: lodash@4.17.19 - Prototype Pollution (CVE-2020-8203)
+  Installed: lodash@4.17.19
+  Fix: npm install lodash@4.17.21
+
+...
+
+OVERALL ASSESSMENT
+------------------
+Security Posture: POOR (2 CRITICAL, 5 HIGH issues)
+
+Immediate Actions Required:
+1. Rotate exposed AWS API key
+2. Fix SQL injection in db/query.ts
+3. Upgrade password hashing to bcrypt
+4. Update vulnerable dependencies
+
+Recommendation: DO NOT DEPLOY until CRITICAL and HIGH issues resolved.
+```
+
+## Security Checklist
+
+The security-reviewer agent verifies:
+
+### Authentication & Authorization
+- [ ] Passwords hashed with strong algorithm (bcrypt/argon2)
+- [ ] Session tokens cryptographically random
+- [ ] JWT tokens properly signed and validated
+- [ ] Access control enforced on all protected resources
+- [ ] No authentication bypass vulnerabilities
+
+### Input Validation
+- [ ] All user inputs validated and sanitized
+- [ ] SQL queries use parameterization (no string concatenation)
+- [ ] NoSQL queries prevent injection
+- [ ] File uploads validated (type, size, content)
+- [ ] URLs validated to prevent SSRF
+
+### Output Encoding
+- [ ] HTML output escaped to prevent XSS
+- [ ] JSON responses properly encoded
+- [ ] No user data in error messages
+- [ ] Content-Security-Policy headers set
+
+### Secrets Management
+- [ ] No hardcoded API keys
+- [ ] No passwords in source code
+- [ ] No private keys in repo
+- [ ] Environment variables used for secrets
+- [ ] Secrets not logged or exposed in errors
+
+### Cryptography
+- [ ] Strong algorithms used (AES-256, RSA-2048+)
+- [ ] Proper key management
+- [ ] Random number generation cryptographically secure
+- [ ] TLS/HTTPS enforced for sensitive data
+
+### Dependencies
+- [ ] No known vulnerabilities in dependencies
+- [ ] Dependencies up to date
+- [ ] No CRITICAL or HIGH CVEs
+- [ ] Dependency sources verified
+
+## Severity Definitions
+
+**CRITICAL** - Exploitable vulnerability with severe impact (data breach, RCE, credential theft)
+**HIGH** - Vulnerability requiring specific conditions but serious impact
+**MEDIUM** - Security weakness with limited impact or difficult exploitation
+**LOW** - Best practice violation or minor security concern
+
+## Remediation Priority
+
+1. **Rotate exposed secrets** - Immediate (within 1 hour)
+2. **Fix CRITICAL** - Urgent (within 24 hours)
+3. **Fix HIGH** - Important (within 1 week)
+4. **Fix MEDIUM** - Planned (within 1 month)
+5. **Fix LOW** - Backlog (when convenient)
+
+## Use with Other Skills
+
+**With Pipeline:**
+```
+/pipeline security "review authentication module"
+```
+Uses: explore → security-reviewer → executor → security-reviewer-low (re-verify)
+
+**With Swarm:**
+```
+/swarm 4:security-reviewer "audit all API endpoints"
+```
+Parallel security review across multiple endpoints.
+
+**With Ralph:**
+```
+/ralph security-review then fix all issues
+```
+Review, fix, re-review until all issues resolved.
+
+## Best Practices
+
+- **Review early** - Security by design, not afterthought
+- **Review often** - Every major feature or API change
+- **Automate** - Run security scans in CI/CD pipeline
+- **Fix immediately** - Don't accumulate security debt
+- **Educate** - Learn from findings to prevent future issues
+- **Verify fixes** - Re-run security review after remediation