opencastle 0.7.0 → 0.8.1

package/src/dashboard/src/styles/dashboard.css

@@ -1337,3 +1337,199 @@ body {
     display: none;
   }
 }
+
+/* ---------- Filter Bar ---------- */
+.filter-bar {
+  display: flex;
+  flex-wrap: wrap;
+  gap: 12px;
+  align-items: flex-end;
+  padding: 16px 20px;
+  background: var(--bg-secondary);
+  border: 1px solid var(--border-color);
+  border-radius: 12px;
+}
+
+.filter-group {
+  display: flex;
+  flex-direction: column;
+  gap: 4px;
+  min-width: 0;
+}
+
+.filter-label {
+  font-size: 0.6875rem;
+  font-weight: 500;
+  color: var(--text-tertiary);
+  text-transform: uppercase;
+  letter-spacing: 0.05em;
+}
+
+.filter-input,
+.filter-select {
+  height: 34px;
+  padding: 0 10px;
+  font-size: 0.8125rem;
+  color: var(--text-primary);
+  background: var(--bg-tertiary);
+  border: 1px solid var(--border-color);
+  border-radius: 8px;
+  outline: none;
+  transition: border-color var(--transition-fast);
+  font-family: inherit;
+}
+
+.filter-input:focus,
+.filter-select:focus {
+  border-color: var(--border-accent);
+}
+
+.filter-input {
+  width: 140px;
+  color-scheme: dark;
+}
+
+.filter-select {
+  min-width: 140px;
+  cursor: pointer;
+  appearance: none;
+  -webkit-appearance: none;
+  background-image: url("data:image/svg+xml,%3Csvg width='10' height='6' viewBox='0 0 10 6' fill='none' xmlns='http://www.w3.org/2000/svg'%3E%3Cpath d='M1 1l4 4 4-4' stroke='%235a5a6e' stroke-width='1.5' stroke-linecap='round' stroke-linejoin='round'/%3E%3C/svg%3E");
+  background-repeat: no-repeat;
+  background-position: right 10px center;
+  padding-right: 28px;
+}
+
+.filter-reset {
+  height: 34px;
+  font-size: 0.75rem;
+}
+
+/* ---------- Dashboard Buttons ---------- */
+.dash-btn {
+  display: inline-flex;
+  align-items: center;
+  gap: 6px;
+  padding: 6px 14px;
+  font-size: 0.8125rem;
+  font-weight: 500;
+  font-family: inherit;
+  border: none;
+  border-radius: 8px;
+  cursor: pointer;
+  transition: background var(--transition-fast), color var(--transition-fast);
+}
+
+.dash-btn--ghost {
+  color: var(--text-secondary);
+  background: rgba(255, 255, 255, 0.06);
+}
+
+.dash-btn--ghost:hover {
+  color: var(--text-primary);
+  background: rgba(255, 255, 255, 0.10);
+}
+
+.dash-header__actions {
+  display: flex;
+  align-items: center;
+  gap: 8px;
+}
+
+/* ---------- Mobile Dashboard Responsive ---------- */
+@media (max-width: 480px) {
+  .dash-header__inner {
+    padding: 0 12px;
+  }
+
+  .dash-main {
+    padding: 12px;
+    gap: 12px;
+  }
+
+  .kpi-card {
+    padding: 14px 16px;
+  }
+
+  .chart-card__header {
+    padding: 14px 16px;
+  }
+
+  .chart-card__body {
+    padding: 12px 16px 16px;
+  }
+
+  .filter-bar {
+    padding: 12px;
+    gap: 8px;
+  }
+
+  .filter-input,
+  .filter-select {
+    width: 100%;
+    min-width: unset;
+  }
+
+  .filter-group {
+    flex: 1 1 calc(50% - 4px);
+  }
+
+  .filter-reset {
+    width: 100%;
+  }
+
+  .dash-header__title {
+    font-size: 0.875rem;
+  }
+
+  .exec-step__meta {
+    flex-direction: column;
+    gap: 2px;
+  }
+
+  .sessions-table th:nth-child(5),
+  .sessions-table td:nth-child(5),
+  .sessions-table th:nth-child(6),
+  .sessions-table td:nth-child(6),
+  .sessions-table th:nth-child(7),
+  .sessions-table td:nth-child(7),
+  .sessions-table th:nth-child(8),
+  .sessions-table td:nth-child(8) {
+    display: none;
+  }
+}
+
+@media (max-width: 768px) {
+  .charts-row {
+    grid-template-columns: 1fr;
+  }
+
+  .pipeline {
+    flex-wrap: wrap;
+    gap: 8px;
+  }
+
+  .pipeline-arrow {
+    display: none;
+  }
+
+  .pipeline-stage {
+    flex: 1 1 calc(50% - 4px);
+    min-width: 100px;
+  }
+
+  .tier-chart .donut-container,
+  .donut-container {
+    flex-direction: column;
+    align-items: center;
+  }
+
+  .sessions-table {
+    font-size: 0.75rem;
+  }
+
+  .sessions-table th,
+  .sessions-table td {
+    padding: 8px 6px;
+  }
+}

package/src/orchestrator/agent-workflows/bug-fix.md

@@ -11,7 +11,7 @@ Phase 1: Triage & Reproduce    (sub-agent, inline)
 Phase 2: Root Cause Analysis    (sub-agent, inline)
 Phase 3: Fix Implementation     (sub-agent or background)
 Phase 4: Verification           (sub-agent, inline)
-Phase 5: Compound               (direct, Team Lead)
+Phase 5: Delivery               (direct, Team Lead)
 ```
 
 ---
@@ -123,7 +123,7 @@ Follow the **Delivery Outcome** in `general.instructions.md` and the **Branch Ow
 
 ---
 
-### Phase 5: Delivery (Compound)
+### Phase 5: Delivery
 
 > **See [shared-delivery-phase.md](shared-delivery-phase.md) for the standard delivery steps.**
 >

package/src/orchestrator/agent-workflows/data-pipeline.md

@@ -2,7 +2,7 @@
 
 # Workflow: Data Pipeline
 
-Standard execution plan for crowling, processing, and importing data.
+Standard execution plan for crawling, processing, and importing data.
 
 > **Project config:** For project-specific paths, data schema, CLI commands, and processing rules, see `data-pipeline-config.md`. For data model docs, see `docs-structure.md`.
 
@@ -10,11 +10,11 @@ Standard execution plan for crowling, processing, and importing data.
 
 ```
 Phase 1: Source Analysis    (sub-agent, inline)
-Phase 2: Crowling           (background agent)
+Phase 2: Crawling           (background agent)
 Phase 3: Processing         (sub-agent, sequential)
 Phase 4: Validation         (sub-agent, inline)
 Phase 5: Import             (sub-agent, inline)
-Phase 6: Compound           (direct, Team Lead)
+Phase 6: Delivery           (direct, Team Lead)
 ```
 
 ---
@@ -49,22 +49,22 @@ Follow the **Delivery Outcome** in `general.instructions.md` and the **Branch Ow
 
 ---
 
-## Phase 2: Crowling
+## Phase 2: Crawling
 
 **Agent:** Data Expert
 **Type:** Background agent (may be long-running)
 
 ### Steps
 
-1. Implement crowler following existing patterns (see `data-pipeline-config.md`)
+1. Implement crawler following existing patterns (see `data-pipeline-config.md`)
 2. Output raw data as NDJSON
 3. Handle pagination, rate limiting, and error recovery
-4. Log crowling statistics (pages visited, records extracted, errors)
+4. Log crawling statistics (pages visited, records extracted, errors)
 
 ### Exit Criteria
 
 - [ ] Raw NDJSON file produced
-- [ ] Crowling statistics logged
+- [ ] Crawling statistics logged
 - [ ] No duplicate records
 - [ ] Output contract returned
 
@@ -141,7 +141,7 @@ Follow the **Delivery Outcome** in `general.instructions.md` and the **Branch Ow
 
 ---
 
-### Phase 6: Delivery (Compound)
+### Phase 6: Delivery
 
 > **See [shared-delivery-phase.md](shared-delivery-phase.md) for the standard delivery steps.**
 >

package/src/orchestrator/agent-workflows/database-migration.md

@@ -14,7 +14,7 @@ Phase 2: Migration Implementation (sub-agent or background)
 Phase 3: Type Generation        (sub-agent, sequential)
 Phase 4: Code Integration       (sub-agent, sequential)
 Phase 5: Verification & Rollback Test (sub-agent, inline)
-Phase 6: Compound                     (direct, Team Lead)
+Phase 6: Delivery                     (direct, Team Lead)
 ```
 
 ---
@@ -154,7 +154,7 @@ Follow the **Delivery Outcome** in `general.instructions.md` and the **Branch Ow
 
 ---
 
-### Phase 6: Delivery (Compound)
+### Phase 6: Delivery
 
 > **See [shared-delivery-phase.md](shared-delivery-phase.md) for the standard delivery steps.**
 >

package/src/orchestrator/agent-workflows/feature-implementation.md

@@ -13,7 +13,7 @@ Phase 2: Foundation      (background agents, parallel)
 Phase 3: Integration     (sub-agent, sequential)
 Phase 4: Validation      (background agents, parallel)
 Phase 5: QA Gate         (sub-agent, inline)
-Phase 6: Compound        (direct, Team Lead)
+Phase 6: Delivery        (direct, Team Lead)
 ```
 
 ---
@@ -204,21 +204,28 @@ If there are no open questions, explicitly state: "No open questions — plan is
 3. Verify no files outside partitions were modified
 4. Check all tracker issue acceptance criteria
 5. Run panel review if high-stakes (security, DB, architecture)
-6. Move all issues to Done
-7. Update session checkpoint → delete checkpoint
-8. Update `.github/customizations/project/roadmap.md`
+6. **Final Smoke Test (Gate 10)** — verify the complete feature end-to-end:
+   - Full clean build of all affected projects (not incremental)
+   - End-to-end browser walkthrough of the complete user flow
+   - Verify all states: loading, empty, populated, error, partial
+   - Cross-task integration check (e.g., migration + component + page compose correctly)
+   - Final responsive sweep at all breakpoints (if UI changes)
+7. Move all issues to Done
+8. Update session checkpoint → delete checkpoint
+9. Update `.github/customizations/project/roadmap.md`
 
 ### Exit Criteria
 
 - [ ] All phases verified
 - [ ] All tracker issues Done
 - [ ] Full build passes
+- [ ] **Final smoke test passed** — complete user flow verified end-to-end
 - [ ] Roadmap updated
 - [ ] Delivery Outcome completed (see `general.instructions.md`) — branch pushed, PR opened (not merged), tracker linked
 
 ---
 
-### Phase 6: Delivery (Compound)
+### Phase 6: Delivery
 
 > **See [shared-delivery-phase.md](shared-delivery-phase.md) for the standard delivery steps.**
 >

package/src/orchestrator/agent-workflows/performance-optimization.md

@@ -11,7 +11,7 @@ Phase 1: Baseline Measurement    (sub-agent, inline)
 Phase 2: Analysis                (sub-agent, inline)
 Phase 3: Optimization            (background agents, parallel)
 Phase 4: Verification            (sub-agent, inline)
-Phase 5: Compound                (direct, Team Lead)
+Phase 5: Delivery                (direct, Team Lead)
 ```
 
 ---
@@ -120,7 +120,7 @@ Follow the **Delivery Outcome** in `general.instructions.md` and the **Branch Ow
 
 ---
 
-### Phase 5: Delivery (Compound)
+### Phase 5: Delivery
 
 > **See [shared-delivery-phase.md](shared-delivery-phase.md) for the standard delivery steps.**
 >

package/src/orchestrator/agent-workflows/refactoring.md

@@ -12,7 +12,7 @@ Phase 2: Test Coverage Gap       (sub-agent or background)
 Phase 3: Refactor Implementation (sub-agent or background)
 Phase 4: Verification            (sub-agent, inline)
 Phase 5: Panel Review            (sub-agent, for large refactors)
-Phase 6: Compound                (direct, Team Lead)
+Phase 6: Delivery                (direct, Team Lead)
 ```
 
 ---
@@ -137,7 +137,7 @@ The refactoring agent owns only the scoped files. No changes outside the partiti
 
 ---
 
-### Phase 6: Delivery (Compound)
+### Phase 6: Delivery
 
 > **See [shared-delivery-phase.md](shared-delivery-phase.md) for the standard delivery steps.**
 >

package/src/orchestrator/agent-workflows/schema-changes.md

@@ -14,7 +14,7 @@ Phase 2: Schema Implementation (sub-agent or background)
 Phase 3: Query Updates         (sub-agent, sequential)
 Phase 4: Page Integration      (sub-agent, sequential)
 Phase 5: Verification          (sub-agent, inline)
-Phase 6: Compound              (direct, Team Lead)
+Phase 6: Delivery              (direct, Team Lead)
 ```
 
 ---
@@ -159,7 +159,7 @@ Follow the **Delivery Outcome** in `general.instructions.md` and the **Branch Ow
 
 ---
 
-### Phase 6: Delivery (Compound)
+### Phase 6: Delivery
 
 > **See [shared-delivery-phase.md](shared-delivery-phase.md) for the standard delivery steps.**
 >

package/src/orchestrator/agent-workflows/security-audit.md

@@ -12,7 +12,7 @@ Phase 2: Automated Checks     (sub-agent, inline)
 Phase 3: Manual Review        (background agent)
 Phase 4: Panel Review         (sub-agent, inline)
 Phase 5: Remediation          (sub-agent or background)
-Phase 6: Compound             (direct, Team Lead)
+Phase 6: Delivery             (direct, Team Lead)
 ```
 
 ---
@@ -143,7 +143,7 @@ Follow the **Delivery Outcome** in `general.instructions.md` and the **Branch Ow
 
 ---
 
-### Phase 6: Delivery (Compound)
+### Phase 6: Delivery
 
 > **See [shared-delivery-phase.md](shared-delivery-phase.md) for the standard delivery steps.**
 >

package/src/orchestrator/agents/data-expert.agent.md

@@ -1,5 +1,5 @@
 ---
-description: 'Data engineering expert for ETL pipelines, web crowlers, data processors, CLI tools, and CMS data import.'
+description: 'Data engineering expert for ETL pipelines, web crawlers, data processors, CLI tools, and CMS data import.'
 name: 'Data Expert'
 model: GPT-5.3-Codex
 tools: ['search/changes', 'search/codebase', 'edit/editFiles', 'web/fetch', 'read/problems', 'execute/getTerminalOutput', 'execute/runInTerminal', 'read/terminalLastCommand', 'read/terminalSelection', 'search', 'execute/testFailure', 'search/usages']
@@ -32,7 +32,7 @@ Resolve via [skill-matrix.md](.github/customizations/agents/skill-matrix.md).
 - Idempotent imports with `createOrReplace` and deterministic `_id`
 - Validate with Zod before importing — never import invalid data
 - Respect `robots.txt` and rate limit all scraping requests
-- Use the project's web crawling library for concurrent crowling (see the **data-pipeline** skill)
+- Use the project's web crawling library for concurrent crawling (see the **data-pipeline** skill)
 - Handle errors gracefully — skip bad records, don't halt pipeline
 - Preserve UTF-8 encoding for special characters and diacritics
 - Backup before bulk operations

package/src/orchestrator/agents/researcher.agent.md

@@ -3,22 +3,6 @@ description: 'Codebase exploration specialist for deep research, pattern discove
 name: 'Researcher'
 model: GPT-5 mini
 tools: ['search/codebase', 'search/textSearch', 'search/fileSearch', 'search/usages', 'read/readFile', 'search/listDirectory', 'web/fetch', 'execute/runInTerminal', 'read/terminalLastCommand']
-handoffs:
-  - label: Implement Feature
-    agent: Team Lead
-    prompt: 'Use the implement-feature prompt to implement the following task with full orchestration, validation, and traceability:'
-  - label: Fix Bug
-    agent: Team Lead
-    prompt: 'Use the bug-fix prompt to investigate and fix the following bug with triage, root cause analysis, and verification:'
-  - label: Brainstorm
-    agent: Team Lead
-    prompt: 'Use the brainstorm prompt to explore requirements, approaches, and trade-offs before committing to a plan for:'
-  - label: Quick Refinement
-    agent: Team Lead
-    prompt: 'Use the quick-refinement prompt to handle these follow-up refinements (UI tweaks, polish, adjustments):'
-  - label: Generate Task Spec
-    agent: Team Lead
-    prompt: 'Use the generate-task-spec prompt to create an opencastle.tasks.yml spec for autonomous overnight runs based on:'
 ---
 
 <!-- ⚠️ This file is managed by OpenCastle. Edits will be overwritten on update. Customize in the .github/customizations/ directory instead. -->

package/src/orchestrator/agents/team-lead.agent.md

@@ -45,16 +45,27 @@ You are a **team lead and task orchestrator**. You do **not** implement code you
 
 ### Direct Skills
 
+Skills are split into two loading tiers to reduce upfront token usage. **Load a skill only when its phase is reached** — do not pre-load on-demand skills at session start.
+
+#### Always Load (session start)
+
+These skills are needed in every session regardless of workflow:
+
 - **team-lead-reference** — Model routing, agent registry, pre-delegation checks, cost tracking, DLQ format, deepen-plan protocol
 - **session-checkpoints** — Save and restore session state for multi-session features; enables resume, replay, and fork
-- **task-management** — Task tracker conventions, issue naming, labels, priorities, workflow states (resolved via skill-matrix to `linear-task-management` or `jira-management`)
-- **validation-gates** — Shared validation gates for all workflows (deterministic checks, browser testing, cache management, regression checks)
-- **fast-review** — Mandatory single-reviewer gate after every delegation, with automatic retry and escalation to panel
-- **panel-majority-vote** — 3-reviewer quality gate for high-stakes changes
-- **context-map** — Generate structured file impact maps before complex changes (5+ files)
-- **memory-merger** — Graduate mature lessons from LESSONS-LEARNED.md into permanent skills/instructions
 - **agent-hooks** — Lifecycle hooks (session-start, session-end, pre-delegate, post-delegate) for consistent agent behavior
 
+#### On-Demand (load when needed)
+
+Load these skills only at the workflow phase that requires them:
+
+- **task-management** — Task tracker conventions, issue naming, labels, priorities, workflow states (resolved via skill-matrix). **Load at:** Decompose & Partition phase (Step 2)
+- **context-map** — Generate structured file impact maps before complex changes (5+ files). **Load at:** Decompose & Partition phase, for tasks touching 5+ files
+- **validation-gates** — Shared validation gates for all workflows (deterministic checks, browser testing, cache management, regression checks). **Load at:** Verification phase (Step 4 review loop)
+- **fast-review** — Mandatory single-reviewer gate after every delegation, with automatic retry and escalation to panel. **Load at:** Post-delegation verification
+- **panel-majority-vote** — 3-reviewer quality gate for high-stakes changes. **Load at:** High-stakes verification, or when fast-review fails 3 times
+- **memory-merger** — Graduate mature lessons from LESSONS-LEARNED.md into permanent skills/instructions. **Load at:** Session end, when lessons are ready to merge
+
 ## Specialist Agents
 
 Delegate to these agents via `runSubagent` (inline) or background sessions. `agents: ['*']` gives access to all.

package/src/orchestrator/customizations/AGENT-PERFORMANCE.md

@@ -1,8 +1,6 @@
 ````markdown
 # Agent Performance Tracking
 
-> **Last Updated:** _(auto-updated by metrics-report prompt)_
-
 Tracks agent success rates across panel reviews and delegated tasks to inform model routing and panel reviewer selection.
 
 ## Data Sources
@@ -10,7 +8,7 @@ Tracks agent success rates across panel reviews and delegated tasks to inform mo
 Performance data is collected automatically via NDJSON session logs:
 - **Session data:** `.github/customizations/logs/sessions.ndjson` — appended by every agent after each session
 - **Delegation data:** `.github/customizations/logs/delegations.ndjson` — appended by the Team Lead after each delegation
-- **Full reporting:** Run the **metrics-report** prompt to generate a dashboard from all sources
+- **Dashboard:** Run `npx opencastle dashboard` to visualize agent performance
 
 ## Quick Queries
 

package/src/orchestrator/prompts/bootstrap-customizations.prompt.md

@@ -1,6 +1,6 @@
 ---
 description: 'Bootstrap the .github/customizations/ directory for a new project. Discovers project structure, tech stack, and configuration, then generates all customization files so skills have project-specific context to operate on.'
-agent: Researcher
+agent: Team Lead
 ---
 
 <!-- ⚠️ This file is managed by OpenCastle. Edits will be overwritten on update. Customize in the .github/customizations/ directory instead. -->

package/src/orchestrator/prompts/bug-fix.prompt.md

@@ -107,12 +107,17 @@ Delegate to the appropriate specialist agent via **sub-agent** (inline). For bug
 
 > Load the **validation-gates** skill for detailed steps on each gate.
 
-Every bug fix must pass ALL of these checks:
-
-1. **Deterministic Checks** — run lint, test, and build for all affected projects (see the **codebase-tool** skill for commands) — all zero errors
-2. **Bug-Specific Verification** (mandatory) — start dev server, reproduce original bug (should be gone), verify correct behavior, test edge cases, screenshot before/after, check both apps if shared code
-3. **Regression Check** — run tests for all projects consuming modified files, browser-test adjacent functionality
-4. **Panel Review** (only if needed) — use **panel-majority-vote** skill if fix touches auth/authorization, RLS, security headers/CSP, or sensitive data
+Every bug fix must pass ALL applicable gates:
+
+1. **Gate 1: Secret Scanning** — scan diff for API keys, tokens, passwords, connection strings — block immediately if found
+2. **Gate 2: Deterministic Checks** — run lint, test, and build for all affected projects (see the **codebase-tool** skill for commands) — all zero errors
+3. **Gate 3: Blast Radius Check** — verify the fix is minimal and scoped (bug fixes should be ≤100 lines, ≤3 files; escalate if larger)
+4. **Gate 4: Dependency Audit** (when `package.json` or lockfiles change) — vulnerability scan, license check, bundle size, duplicates
+5. **Gate 5: Fast Review** (MANDATORY) — single reviewer sub-agent validates the fix. No auto-PASS for sensitive files
+6. **Gate 6: Bug-Specific Verification** (MANDATORY) — start dev server, reproduce original bug (should be gone), verify correct behavior, test edge cases, screenshot before/after, check both apps if shared code
+7. **Gate 7: Browser Testing** (for UI-related bugs) — clear cache, start server, verify fix + responsive + screenshots
+8. **Gate 8: Regression Testing** — run tests for all projects consuming modified files, browser-test adjacent functionality
+9. **Gate 9: Panel Review** (only if needed) — use **panel-majority-vote** skill if fix touches auth/authorization, RLS, security headers/CSP, or sensitive data
 
 ### 6. Delivery
 

package/src/orchestrator/prompts/implement-feature.prompt.md

@@ -79,10 +79,15 @@ Include the self-improvement reminder in every delegation prompt (see `general.i
 
 Every subtask must pass ALL gates before being marked Done:
 
-1. **Gate 1: Deterministic Checks** — run lint, test, and build for all affected projects (see the **codebase-tool** skill for commands) — all zero errors
-2. **Gate 2: Browser Testing** (MANDATORY for UI changes) — clear cache, start server, verify features + responsive + screenshots
-3. **Gate 3: Regression Testing** — full test suite for affected projects, browser-test adjacent pages if shared components changed
-4. **Gate 4: Panel Review** (for high-stakes changes) — use **panel-majority-vote** skill for security, DB migrations, architecture
+1. **Gate 1: Secret Scanning** — scan diff for API keys, tokens, passwords, connection strings — block immediately if found
+2. **Gate 2: Deterministic Checks** — run lint, test, and build for all affected projects (see the **codebase-tool** skill for commands) — all zero errors
+3. **Gate 3: Blast Radius Check** — verify scope is expected (≤200 lines, ≤5 files normal; escalate if >500 lines or >10 files)
+4. **Gate 4: Dependency Audit** (when `package.json` changes) — vulnerability scan, license check, bundle size, duplicates
+5. **Gate 5: Fast Review** (MANDATORY) — single reviewer sub-agent validates every delegation output. No auto-PASS for sensitive files
+6. **Gate 6: Browser Testing** (MANDATORY for UI changes) — clear cache, start server, verify features + responsive + screenshots
+7. **Gate 7: Regression Testing** — full test suite for affected projects, browser-test adjacent pages if shared components changed
+8. **Gate 8: Panel Review** (for high-stakes changes) — use **panel-majority-vote** skill for security, DB migrations, architecture
+9. **Gate 9: Final Smoke Test** — after all tasks Done, verify the complete feature end-to-end as a cohesive unit
 
 ### 5. Delivery
 

package/src/orchestrator/prompts/quick-refinement.prompt.md

@@ -98,11 +98,15 @@ Delegate to the appropriate specialist agent(s). Since follow-ups are scoped and
 
 > Load the **validation-gates** skill for detailed steps on each gate.
 
-Every follow-up, no matter how small, must pass these checks:
-
-1. **Deterministic Checks** — run lint, test, and build for all affected projects (see the **codebase-tool** skill for commands) — all zero errors
-2. **Browser Testing** (MANDATORY for any visual change) — clear cache, start server, verify scenario + responsive + screenshot evidence
-3. **Regression Check** — if shared component/library modified, run tests for all consuming projects and browser-test at least one page per affected app
+Every follow-up, no matter how small, must pass these gates:
+
+1. **Gate 1: Secret Scanning** — scan diff for API keys, tokens, passwords, connection strings — block immediately if found
+2. **Gate 2: Deterministic Checks** — run lint, test, and build for all affected projects (see the **codebase-tool** skill for commands) — all zero errors
+3. **Gate 3: Blast Radius Check** — verify scope matches the "small follow-up" expectation (≤100 lines, ≤3 files normal; if larger, escalate to `implement-feature` workflow)
+4. **Gate 4: Dependency Audit** (when `package.json` or lockfiles change) — vulnerability scan, license check, bundle size, duplicates
+5. **Gate 5: Fast Review** (MANDATORY) — single reviewer sub-agent validates the change. No auto-PASS for sensitive files
+6. **Gate 6: Browser Testing** (MANDATORY for any visual change) — clear cache, start server, verify scenario + responsive + screenshot evidence
+7. **Gate 7: Regression Testing** — if shared component/library modified, run tests for all consuming projects and browser-test at least one page per affected app
 
 ### 6. Delivery
 

package/src/orchestrator/prompts/resolve-pr-comments.prompt.md

@@ -57,10 +57,21 @@ Acceptance criteria:
 
 ### Phase 4: Verify & Report
 
-1. **Run verification** — run lint, test, and build for all affected projects (see the **codebase-tool** skill for commands)
-2. **Commit fixes** — Use descriptive commit messages referencing the PR: `TAS-XX: Address PR review — [summary]`
-3. **Push to the same branch** — The PR updates automatically
-4. **Report back** — Provide a structured summary of what was resolved
+> Load the **validation-gates** skill for detailed steps on each gate.
+
+All fixes must pass applicable gates before pushing:
+
+1. **Gate 1: Secret Scanning** — scan diff for API keys, tokens, passwords, connection strings — block immediately if found
+2. **Gate 2: Deterministic Checks** — run lint, test, and build for all affected projects (see the **codebase-tool** skill for commands) — all zero errors
+3. **Gate 3: Blast Radius Check** — verify changes are scoped to commented files only; flag any files modified outside the comment scope
+4. **Gate 4: Fast Review** (MANDATORY) — single reviewer sub-agent validates the combined PR comment fixes
+5. **Gate 5: Regression Testing** — run tests for all projects consuming modified files
+
+After all gates pass:
+
+6. **Commit fixes** — Use descriptive commit messages referencing the PR: `TAS-XX: Address PR review — [summary]`
+7. **Push to the same branch** — The PR updates automatically
+8. **Report back** — Provide a structured summary of what was resolved
 
 ## Output Format
 
@@ -85,9 +96,12 @@ After resolving comments, report:
 | path/to/file.ts | [question/debate] | [your take + options] |
 
 ### Verification
+- Secret Scanning: PASS/FAIL
 - Lint: PASS/FAIL
 - Tests: PASS/FAIL
 - Build: PASS/FAIL
+- Blast Radius: PASS/ESCALATED
+- Fast Review: PASS/FAIL
 
 ### Commits
 - `abc1234` TAS-XX: Address PR review — [summary]

package/src/orchestrator/skills/agent-hooks/SKILL.md

@@ -32,7 +32,8 @@ Session Lifecycle:
 2. **Check for checkpoint** — If `.github/customizations/SESSION-CHECKPOINT.md` exists, read it. Resume from last known state instead of re-analyzing.
 3. **Check pending approvals** — If the checkpoint has a `## Pending Approvals` section, check for replies using the configured messaging provider's MCP tools (e.g., `conversations_replies` for Slack). Read `.opencastle.json` → `stack.teamTools` to determine the provider. If no messaging is configured, skip this step.
 4. **Check dead letter queue** — Scan `.github/customizations/AGENT-FAILURES.md` for pending failures related to the current scope.
-5. **Load domain skills** — Based on the task description, load the appropriate skills before writing code. Don't start coding without the relevant skill loaded.
+5. **Validate skill-matrix bindings** — Open `.github/customizations/agents/skill-matrix.md` and check whether the **Primary Stack** and **Tooling** tables have any filled-in rows (non-empty Technology/Skill columns). If all bindings are empty, **warn the user** that the bootstrap hasn't been run and capability slots will not resolve. Suggest running the *"Bootstrap Customizations"* prompt first. Do NOT silently continue with empty bindings.
+6. **Load domain skills** — Based on the task description, load the appropriate skills before writing code. Don't start coding without the relevant skill loaded.
 
 ### Template for Delegation Prompts
 
@@ -42,6 +43,7 @@ Include this reminder in every delegation:
 **Session Start:** Read `.github/customizations/LESSONS-LEARNED.md` before starting.
 Check `.github/customizations/SESSION-CHECKPOINT.md` for prior state and pending approvals.
 If pending approvals exist, check for replies via the messaging provider.
+Validate `.github/customizations/agents/skill-matrix.md` — warn if skill bindings are empty (bootstrap not run).
 Load relevant skills before writing code.
 ```
 
@@ -149,7 +151,7 @@ Include on-session-start and on-session-end actions in every delegation prompt.
 
 ### For Workflow Templates
 
-Each workflow's **Compound phase** naturally serves as the on-session-end hook for that workflow type. The Compound phase steps should include session logging, lesson verification, and memory merge checks.
+Each workflow's **Delivery phase** naturally serves as the on-session-end hook for that workflow type. The Delivery phase steps should include session logging, lesson verification, and memory merge checks.
 
 ---