orbital-command 0.1.0

package/templates/agents/workflows/full-mode.md

@@ -0,0 +1,218 @@
+---
+name: full-mode
+description: Default workflow for features and significant changes. Runs all triggered agents with complete synthesis.
+tokens: ~2K
+load-when: Default for features and significant changes
+last-verified: 2026-01-11
+---
+
+# Full Mode Workflow
+
+## When to Use
+
+- New features
+- Significant changes
+- Refactoring
+- Any security-sensitive changes
+- **Default mode** - use unless explicitly requesting quick mode
+
+---
+
+## Workflow Steps
+
+### Phase 1: Triage
+
+```
+┌─────────────────────────────────────────────────────────────┐
+│ 🎯 TASK TRIAGE                                              │
+│                                                             │
+│ 1. Analyze task description                                │
+│ 2. Identify files likely to be affected                    │
+│ 3. Determine which agents are triggered                    │
+│ 4. Check for high-signal patterns                          │
+│ 5. Display triage summary                                  │
+└─────────────────────────────────────────────────────────────┘
+```
+
+### Phase 2: Council Review
+
+Run triggered agents **in parallel**:
+
+```
+┌─────────────────────────────────────────────────────────────┐
+│ PARALLEL AGENT EXECUTION                                    │
+│                                                             │
+│ 🏗️ Architect        →  [reviewing architecture impact]      │
+│ [Domain Expert]     →  [analyzing domain impact]            │
+│ 💥 Chaos Agent      →  [imagining failure modes]           │
+│ 🎨 Frontend Designer →  [considering UI implications]       │
+│                                                             │
+│ Waiting for all agents...                                  │
+└─────────────────────────────────────────────────────────────┘
+```
+
+### Phase 3: Synthesis
+
+```
+┌─────────────────────────────────────────────────────────────┐
+│ 📋 AGENT SYNTHESIS                                          │
+│                                                             │
+│ CONSENSUS:                                                  │
+│ - [Points all agents agree on]                             │
+│                                                             │
+│ CONCERNS (by severity):                                    │
+│ 🚫 BLOCKERS:                                                │
+│ - [Must fix before proceeding]                             │
+│                                                             │
+│ ⚠️ WARNINGS:                                                │
+│ - [Should address]                                         │
+│                                                             │
+│ 💡 SUGGESTIONS:                                             │
+│ - [Nice to have]                                           │
+│                                                             │
+│ CONFLICTS:                                                  │
+│ - [If any, present for human decision]                     │
+└─────────────────────────────────────────────────────────────┘
+```
+
+### Phase 4: Review Completion Gate ✓
+
+**Before proceeding to implementation, verify:**
+
+```
+┌─────────────────────────────────────────────────────────────┐
+│ ✓ REVIEW COMPLETION GATE                                    │
+├─────────────────────────────────────────────────────────────┤
+│                                                             │
+│ All triggered agents applied:                              │
+│ □ [Agent 1] - perspective applied                          │
+│ □ [Agent 2] - perspective applied                          │
+│ □ ...                                                      │
+│                                                             │
+│ Critical questions answered:                               │
+│ □ "What happens to resources if this fails?"              │
+│ □ "What user input reaches this code?"                    │
+│ □ "What state are we in if this throws?"                  │
+│ □ "Can user A access user B's resources?"                 │
+│                                                             │
+│ Blockers resolved:                                         │
+│ □ No unresolved 🚫 BLOCKER items                           │
+│                                                             │
+│ ─────────────────────────────────────────────────────────── │
+│ All boxes checked? → Proceed to implementation            │
+│ Missing boxes? → Address before implementing              │
+└─────────────────────────────────────────────────────────────┘
+```
+
+### Phase 5: Implementation
+
+Implement with agent guidance. Domain experts available on-demand for questions.
+
+### Phase 6: Stress Test
+
+After implementation, run red team **in parallel**:
+
+```
+┌─────────────────────────────────────────────────────────────┐
+│ 🔴 RED TEAM STRESS TEST                                     │
+│                                                             │
+│ 🗡️ Attacker  →  [looking for exploits]                      │
+│ 💥 Chaos     →  [finding failure modes + verifying tests]  │
+│                                                             │
+│ Cross-reference prompts:                                   │
+│ - "Given the data flow, can any step be exploited?"      │
+│ - "Given the state transitions, what if crash mid-way?"   │
+│                                                             │
+│ Waiting for red team...                                    │
+└─────────────────────────────────────────────────────────────┘
+```
+
+### Phase 7: Quality Gate
+
+```
+┌─────────────────────────────────────────────────────────────┐
+│ 📋 RULES ENFORCER - Pre-Commit Check                        │
+│                                                             │
+│ ✅ All 20 rules passed                                      │
+│                                                             │
+│ Ready to commit.                                           │
+└─────────────────────────────────────────────────────────────┘
+```
+
+### Phase 8: Post-Review Ritual ✓
+
+**Before committing, always ask:**
+
+```
+┌─────────────────────────────────────────────────────────────┐
+│ 🔄 POST-REVIEW RITUAL                                       │
+├─────────────────────────────────────────────────────────────┤
+│                                                             │
+│ Learning Capture:                                          │
+│                                                             │
+│ 1. Did any agent find a pattern that should become a      │
+│    permanent check?                                        │
+│    → Add to that agent's "Learned Patterns" table         │
+│                                                             │
+│ 2. Did we miss something that was caught later?           │
+│    → Add to relevant agent's "Known [X]" table            │
+│                                                             │
+│ 3. Did any agent flag a false positive repeatedly?        │
+│    → Consider refining that agent's checklist             │
+│                                                             │
+│ Test Gaps:                                                 │
+│                                                             │
+│ 4. Did 💥 Chaos identify failure modes without tests?      │
+│    → Note as test debt or write tests now                 │
+│                                                             │
+│ ─────────────────────────────────────────────────────────── │
+│ Ritual complete? → Commit                                  │
+└─────────────────────────────────────────────────────────────┘
+```
+
+---
+
+## Example Full Flow
+
+```
+USER: "Add ability to set custom retry policy per resource"
+
+SYSTEM:
+┌─────────────────────────────────────────────────────────────┐
+│ TASK TRIAGE                                                 │
+│                                                             │
+│ Task: Add custom retry policy per resource                 │
+│ Mode: FULL                                                 │
+│                                                             │
+│ Files likely affected:                                      │
+│ - src/services/resourceService.ts                          │
+│ - src/types/resource.ts                                    │
+│ - database migration                                        │
+│ - frontend/src/pages/ResourceSetup.tsx                     │
+│                                                             │
+│ Agents triggered:                                          │
+│ - Architect                                                │
+│ - Chaos Agent                                              │
+│ - Frontend Designer                                        │
+│ - Attacker (user input)                                    │
+│                                                             │
+│ Invoking 4 agents...                                       │
+└─────────────────────────────────────────────────────────────┘
+
+[Phase 2: Agents run in parallel]
+[Phase 3: Synthesis shown]
+[Phase 4: Review Completion Gate - all checked]
+[Phase 5: Implementation proceeds]
+[Phase 6: Red team stress test]
+[Phase 7: Rules enforcer runs]
+[Phase 8: Post-review ritual - update Learned Patterns if needed]
+[Commit]
+```
+
+---
+
+## Related
+
+- [quick-mode.md](./quick-mode.md) - For tiny changes
+- [security-mode.md](./security-mode.md) - For security-sensitive changes
+- [../QUICK-REFERENCE.md](../QUICK-REFERENCE.md) - One-page overview

package/templates/agents/workflows/quick-mode.md

@@ -0,0 +1,118 @@
+---
+name: quick-mode
+description: Explicitly requested for tiny changes like typos and comments. Only runs Rules Enforcer.
+tokens: ~0.5K
+load-when: Explicitly requested for tiny changes
+last-verified: 2026-01-11
+---
+
+# Quick Mode Workflow
+
+## When to Use
+
+Request with: `"quick mode: [task]"`
+
+**Valid for:**
+- Typo fixes
+- Comment updates
+- Small documentation changes
+- Trivial bug fixes (< 10 lines)
+- Configuration value tweaks
+
+**CANNOT use for:**
+- Files matching hard triggers (auth, encryption, security-sensitive)
+- New API endpoints
+- Database migrations
+- Any security-related changes
+- Changes affecting security-sensitive operations
+
+---
+
+## Workflow Steps
+
+### Step 1: Eligibility Check
+
+```
+┌─────────────────────────────────────────────────────────────┐
+│ 🎯 QUICK MODE REQUEST                                       │
+│                                                             │
+│ Task: [description]                                        │
+│                                                             │
+│ Eligibility check:                                         │
+│ ✅ Not touching security files                              │
+│ ✅ Not touching auth files                                  │
+│ ✅ Not a new endpoint                                       │
+│ ✅ Not a migration                                          │
+│                                                             │
+│ APPROVED for quick mode                                    │
+└─────────────────────────────────────────────────────────────┘
+```
+
+If NOT eligible:
+```
+┌─────────────────────────────────────────────────────────────┐
+│ 🎯 QUICK MODE REQUEST - DENIED                              │
+│                                                             │
+│ Task: [description]                                        │
+│                                                             │
+│ ❌ Cannot use quick mode: touches auth*.ts                  │
+│                                                             │
+│ Escalating to FULL MODE...                                 │
+└─────────────────────────────────────────────────────────────┘
+```
+
+### Step 2: Implementation
+
+Make the change directly.
+
+### Step 3: Quality Gate
+
+```
+┌─────────────────────────────────────────────────────────────┐
+│ 📋 RULES ENFORCER - Pre-Commit Check                        │
+│                                                             │
+│ ✅ All rules passed                                         │
+│                                                             │
+│ Ready to commit.                                           │
+└─────────────────────────────────────────────────────────────┘
+```
+
+---
+
+## Auto-Escalation
+
+If during implementation you discover the change is more significant:
+
+1. Stop immediately
+2. Re-triage as FULL MODE
+3. Invoke appropriate agents
+4. Continue with full workflow
+
+---
+
+## Example
+
+```
+USER: "quick mode: fix typo in README"
+
+SYSTEM:
+┌─────────────────────────────────────────────────────────────┐
+│ 🎯 QUICK MODE - APPROVED                                    │
+│                                                             │
+│ Task: Fix typo in README                                   │
+│ Only 📋 Rules Enforcer will run                             │
+└─────────────────────────────────────────────────────────────┘
+
+[Make change]
+
+┌─────────────────────────────────────────────────────────────┐
+│ 📋 Rules passed. Ready to commit.                           │
+└─────────────────────────────────────────────────────────────┘
+```
+
+---
+
+## Related
+
+- [full-mode.md](./full-mode.md) - Default workflow
+- [security-mode.md](./security-mode.md) - Security workflow

package/templates/agents/workflows/security-mode.md

@@ -0,0 +1,283 @@
+---
+name: security-mode
+description: Auto-triggered for security-sensitive changes. Runs Attacker agent before AND after implementation.
+tokens: ~2K
+load-when: Auto-triggered for security-sensitive changes
+last-verified: 2026-01-11
+---
+
+# Security Mode Workflow
+
+## When Active
+
+**Auto-triggered for:**
+- New API endpoints
+- Authentication/authorization changes
+- Encryption or secret handling
+- Resource access operations
+- User input handling
+- Multi-tenant data access
+
+**Cannot be bypassed or downgraded.**
+
+---
+
+## Workflow Steps
+
+### Phase 1: Pre-Implementation Security Review (Required Depth)
+
+Before writing ANY code, 🗡️ Attacker MUST complete this analysis:
+
+```
+┌─────────────────────────────────────────────────────────────┐
+│ 🔐 SECURITY MODE - Pre-Implementation Review                │
+├─────────────────────────────────────────────────────────────┤
+│                                                             │
+│ 🗡️ Attacker analyzing planned changes...                    │
+│                                                             │
+│ ═══════════════════════════════════════════════════════════ │
+│                                                             │
+│ ATTACK SURFACE IDENTIFICATION:                             │
+│                                                             │
+│ Endpoints/Functions affected:                              │
+│ - [endpoint/function 1]                                    │
+│ - [endpoint/function 2]                                    │
+│                                                             │
+│ ═══════════════════════════════════════════════════════════ │
+│                                                             │
+│ USER INPUT ANALYSIS:                                       │
+│                                                             │
+│ | Input | Source | Type | Validation Needed |              │
+│ |-------|--------|------|-------------------|              │
+│ | resourceId | URL param | string | UUID format, ownership |│
+│ | limit | body | number | Range 1-1000 |                   │
+│                                                             │
+│ ═══════════════════════════════════════════════════════════ │
+│                                                             │
+│ AUTHORIZATION ANALYSIS:                                    │
+│                                                             │
+│ Resource ownership verification:                           │
+│ - How is user identity established? [JWT/session/etc]     │
+│ - How is resource ownership verified? [DB check/etc]      │
+│ - What happens if verification is skipped? [impact]       │
+│                                                             │
+│ ═══════════════════════════════════════════════════════════ │
+│                                                             │
+│ POTENTIAL ABUSE SCENARIOS:                                 │
+│                                                             │
+│ 1. [Abuse scenario 1]                                      │
+│    Attack: [How attacker exploits this]                   │
+│    Impact: [What they gain]                               │
+│    Prevention: [Required check]                           │
+│                                                             │
+│ 2. [Abuse scenario 2]                                      │
+│    Attack: [How attacker exploits this]                   │
+│    Impact: [What they gain]                               │
+│    Prevention: [Required check]                           │
+│                                                             │
+│ ═══════════════════════════════════════════════════════════ │
+│                                                             │
+│ SECURITY REQUIREMENTS (Must implement):                    │
+│                                                             │
+│ □ [Specific requirement 1]                                 │
+│ □ [Specific requirement 2]                                 │
+│ □ [Specific requirement 3]                                 │
+│                                                             │
+│ ─────────────────────────────────────────────────────────── │
+│                                                             │
+│ Pre-implementation review COMPLETE.                        │
+│ Proceed with implementation using these requirements.      │
+│                                                             │
+│ ⚠️ If any section above is unclear or incomplete:          │
+│ → Clarify design before implementing                       │
+└─────────────────────────────────────────────────────────────┘
+```
+
+**Minimum requirements for Phase 1:**
+- At least 1 endpoint/function identified
+- All user inputs listed with validation needs
+- Authorization flow documented
+- At least 2 abuse scenarios imagined
+- At least 2 security requirements specified
+
+**If these minimums cannot be met, the design is too vague → clarify before proceeding.**
+
+### Phase 2: Implementation
+
+Implement following security requirements from Phase 1.
+
+For each security requirement:
+```
+□ Requirement implemented
+□ Test written to verify
+□ Negative test (attack blocked)
+```
+
+### Phase 3: Post-Implementation Security Audit
+
+After code is written, 🗡️ Attacker performs full audit:
+
+```
+┌─────────────────────────────────────────────────────────────┐
+│ 🔐 SECURITY MODE - Post-Implementation Audit                │
+├─────────────────────────────────────────────────────────────┤
+│                                                             │
+│ 🗡️ Attacker reviewing implementation...                     │
+│                                                             │
+│ FILES REVIEWED:                                            │
+│ - [list of files]                                          │
+│                                                             │
+│ SECURITY REQUIREMENTS VERIFICATION:                        │
+│                                                             │
+│ From Pre-Implementation:                                   │
+│ ✅ Requirement 1: [How it was implemented]                 │
+│ ✅ Requirement 2: [How it was implemented]                 │
+│ 🚫 Requirement 3: [NOT IMPLEMENTED - must fix]             │
+│                                                             │
+│ ADDITIONAL CHECKS:                                         │
+│                                                             │
+│ ✅ Authentication: @requireAuth present                     │
+│ ✅ Authorization: Ownership check on line 45               │
+│ ⚠️ Input validation: Missing max length on field X        │
+│ ✅ Error handling: No sensitive data leaked                │
+│ ✅ Logging: No secrets in logs                             │
+│                                                             │
+│ ISSUES TO FIX:                                             │
+│ - [Issue 1]: [specific fix needed]                         │
+│ - [Issue 2]: [specific fix needed]                         │
+│                                                             │
+└─────────────────────────────────────────────────────────────┘
+```
+
+### Phase 4: Fix Security Issues
+
+Any issues found in Phase 3 must be fixed. No exceptions.
+
+### Phase 5: Re-Audit
+
+If fixes were made, 🗡️ Attacker re-audits the fixes:
+
+```
+┌─────────────────────────────────────────────────────────────┐
+│ 🔐 SECURITY MODE - Fix Verification                         │
+│                                                             │
+│ Changes reviewed:                                          │
+│ - [fix 1]: ✅ Correctly implemented                        │
+│ - [fix 2]: ✅ Correctly implemented                        │
+│                                                             │
+│ No new issues introduced: ✅                                │
+│                                                             │
+│ Security review PASSED.                                    │
+└─────────────────────────────────────────────────────────────┘
+```
+
+### Phase 6: Quality Gate + Post-Review Ritual
+
+```
+┌─────────────────────────────────────────────────────────────┐
+│ 📋 RULES ENFORCER - Pre-Commit Check                        │
+│                                                             │
+│ ✅ All rules passed                                         │
+│                                                             │
+│ Ready to commit.                                           │
+└─────────────────────────────────────────────────────────────┘
+
+┌─────────────────────────────────────────────────────────────┐
+│ 🔄 POST-REVIEW RITUAL                                       │
+│                                                             │
+│ □ New security pattern discovered? → Add to 🗡️ Attacker    │
+│ □ New attack vector for this codebase? → Add to Known     │
+│ □ Test gaps for security scenarios? → Note or write tests │
+│                                                             │
+│ Ritual complete? → Commit                                  │
+└─────────────────────────────────────────────────────────────┘
+```
+
+---
+
+## Security Review Checklist
+
+### New Endpoint
+```
+□ @requireAuth middleware applied
+□ User ownership verified (not just authenticated)
+□ All parameters validated (type, length, range, pattern)
+□ Rate limiting applied
+□ Error responses don't leak internals
+□ Audit logging for sensitive actions
+□ Tested with other user's resource IDs (should fail)
+```
+
+### Resource Operation
+```
+□ User can only access their own resources
+□ Secrets never logged
+□ Encryption used correctly
+□ State changes are atomic
+□ Lock/unlock pattern correct
+```
+
+### User Input
+```
+□ Type validation
+□ Length limits
+□ Range validation (min/max)
+□ Pattern validation (UUID, format checks)
+□ Sanitization if rendered
+□ No SQL injection (using parameterized queries)
+```
+
+---
+
+## Cannot Bypass
+
+Even if you think a security change is "trivial":
+- Security mode STILL activates
+- Both pre AND post reviews STILL run
+- All issues MUST be fixed
+- Post-review ritual MUST complete
+
+No exceptions.
+
+---
+
+## Example
+
+```
+USER: "Add new endpoint to get resource details"
+
+SYSTEM:
+┌─────────────────────────────────────────────────────────────┐
+│ SECURITY MODE ACTIVATED                                     │
+│                                                             │
+│ Reason: New API endpoint                                   │
+│                                                             │
+│ Attacker will review BEFORE and AFTER implementation       │
+└─────────────────────────────────────────────────────────────┘
+
+[Phase 1: Pre-implementation review with required depth]
+  - Attack surface: GET /resources/:resourceId/details
+  - User inputs: resourceId (UUID)
+  - Authorization: Must verify user owns resource
+  - Abuse scenarios:
+    1. User A queries User B's resource (IDOR)
+    2. Enumerate resource IDs to find active ones
+  - Security requirements:
+    □ Verify req.user.id === resource.user_id
+    □ Rate limit to prevent enumeration
+
+[Phase 2: Implementation with requirements]
+[Phase 3: Post-implementation audit]
+[Phase 4: Fix any issues]
+[Phase 5: Verify fixes]
+[Phase 6: Rules enforcer + Post-review ritual]
+[Commit]
+```
+
+---
+
+## Related
+
+- [full-mode.md](./full-mode.md) - Standard workflow
+- [../red-team/attacker.md](../red-team/attacker.md) - Attacker agent spec
+- [../QUICK-REFERENCE.md](../QUICK-REFERENCE.md) - One-page overview