pi-maestro-flow 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (179) hide show
  1. package/README.md +124 -0
  2. package/agents/aggregator.md +27 -0
  3. package/agents/cli-explore-agent.md +188 -0
  4. package/agents/cross-role-reviewer.md +171 -0
  5. package/agents/delegate.md +19 -0
  6. package/agents/explorer.md +23 -0
  7. package/agents/impeccable-agent.md +99 -0
  8. package/agents/ralph-executor.md +81 -0
  9. package/agents/reference.md +24 -0
  10. package/agents/role-design-author.md +220 -0
  11. package/agents/team-supervisor.md +143 -0
  12. package/agents/team-worker.md +237 -0
  13. package/agents/ui-design-agent.md +270 -0
  14. package/agents/workflow-analyzer.md +116 -0
  15. package/agents/workflow-codebase-mapper.md +77 -0
  16. package/agents/workflow-collab-planner.md +147 -0
  17. package/agents/workflow-debugger.md +104 -0
  18. package/agents/workflow-executor.md +133 -0
  19. package/agents/workflow-external-researcher.md +86 -0
  20. package/agents/workflow-integration-checker.md +83 -0
  21. package/agents/workflow-nyquist-auditor.md +85 -0
  22. package/agents/workflow-phase-researcher.md +85 -0
  23. package/agents/workflow-plan-checker.md +100 -0
  24. package/agents/workflow-planner.md +200 -0
  25. package/agents/workflow-project-researcher.md +74 -0
  26. package/agents/workflow-research-synthesizer.md +70 -0
  27. package/agents/workflow-reviewer.md +82 -0
  28. package/agents/workflow-roadmapper.md +81 -0
  29. package/agents/workflow-verifier.md +120 -0
  30. package/package.json +58 -0
  31. package/skills/codify-to-knowhow/SKILL.md +167 -0
  32. package/skills/delegation-check/SKILL.md +297 -0
  33. package/skills/domain-add/SKILL.md +75 -0
  34. package/skills/insight-challenge/SKILL.md +226 -0
  35. package/skills/learn-decompose/SKILL.md +124 -0
  36. package/skills/learn-follow/SKILL.md +163 -0
  37. package/skills/learn-investigate/SKILL.md +160 -0
  38. package/skills/learn-second-opinion/SKILL.md +128 -0
  39. package/skills/maestro/SKILL.md +239 -0
  40. package/skills/maestro-amend/SKILL.md +169 -0
  41. package/skills/maestro-analyze/SKILL.md +173 -0
  42. package/skills/maestro-blueprint/SKILL.md +159 -0
  43. package/skills/maestro-brainstorm/SKILL.md +193 -0
  44. package/skills/maestro-collab/SKILL.md +181 -0
  45. package/skills/maestro-companion/SKILL.md +536 -0
  46. package/skills/maestro-composer/SKILL.md +192 -0
  47. package/skills/maestro-execute/SKILL.md +193 -0
  48. package/skills/maestro-fork/SKILL.md +104 -0
  49. package/skills/maestro-grill/SKILL.md +151 -0
  50. package/skills/maestro-guard/SKILL.md +124 -0
  51. package/skills/maestro-help/SKILL.md +328 -0
  52. package/skills/maestro-impeccable/SKILL.md +302 -0
  53. package/skills/maestro-init/SKILL.md +151 -0
  54. package/skills/maestro-merge/SKILL.md +90 -0
  55. package/skills/maestro-milestone-audit/SKILL.md +117 -0
  56. package/skills/maestro-milestone-complete/SKILL.md +133 -0
  57. package/skills/maestro-milestone-release/SKILL.md +131 -0
  58. package/skills/maestro-next/SKILL.md +269 -0
  59. package/skills/maestro-overlay/SKILL.md +203 -0
  60. package/skills/maestro-plan/SKILL.md +194 -0
  61. package/skills/maestro-player/SKILL.md +184 -0
  62. package/skills/maestro-quick/SKILL.md +117 -0
  63. package/skills/maestro-ralph/SKILL.md +905 -0
  64. package/skills/maestro-ralph-cli/SKILL.md +976 -0
  65. package/skills/maestro-ralph-cli-execute/SKILL.md +229 -0
  66. package/skills/maestro-ralph-execute/SKILL.md +409 -0
  67. package/skills/maestro-ralph-v2/SKILL.md +1198 -0
  68. package/skills/maestro-roadmap/SKILL.md +157 -0
  69. package/skills/maestro-swarm-workflow/SKILL.md +272 -0
  70. package/skills/maestro-tools-execute/SKILL.md +143 -0
  71. package/skills/maestro-tools-register/SKILL.md +192 -0
  72. package/skills/maestro-ui-codify/SKILL.md +127 -0
  73. package/skills/maestro-universal-workflow/SKILL.md +622 -0
  74. package/skills/maestro-update/SKILL.md +156 -0
  75. package/skills/manage-codebase-rebuild/SKILL.md +111 -0
  76. package/skills/manage-drift-realign/SKILL.md +159 -0
  77. package/skills/manage-harvest/SKILL.md +121 -0
  78. package/skills/manage-issue/SKILL.md +88 -0
  79. package/skills/manage-issue-discover/SKILL.md +104 -0
  80. package/skills/manage-kg-extractors/SKILL.md +147 -0
  81. package/skills/manage-knowhow/SKILL.md +102 -0
  82. package/skills/manage-knowhow-capture/SKILL.md +109 -0
  83. package/skills/manage-knowledge-audit/SKILL.md +147 -0
  84. package/skills/manage-status/SKILL.md +80 -0
  85. package/skills/manage-wiki/SKILL.md +104 -0
  86. package/skills/odyssey-debug/SKILL.md +344 -0
  87. package/skills/odyssey-improve/SKILL.md +423 -0
  88. package/skills/odyssey-planex/SKILL.md +542 -0
  89. package/skills/odyssey-review-test-fix/SKILL.md +392 -0
  90. package/skills/odyssey-ui/SKILL.md +388 -0
  91. package/skills/prompt-generator/SKILL.md +470 -0
  92. package/skills/quality-auto-test/SKILL.md +168 -0
  93. package/skills/quality-debug/SKILL.md +176 -0
  94. package/skills/quality-refactor/SKILL.md +108 -0
  95. package/skills/quality-retrospective/SKILL.md +134 -0
  96. package/skills/quality-review/SKILL.md +169 -0
  97. package/skills/quality-sync/SKILL.md +90 -0
  98. package/skills/quality-test/SKILL.md +183 -0
  99. package/skills/scholar-anti-ai-writing/SKILL.md +173 -0
  100. package/skills/scholar-anti-ai-writing/references/patterns-chinese.md +242 -0
  101. package/skills/scholar-anti-ai-writing/references/patterns-english.md +242 -0
  102. package/skills/scholar-citation-verify/SKILL.md +166 -0
  103. package/skills/scholar-citation-verify/references/api-usage.md +372 -0
  104. package/skills/scholar-citation-verify/references/common-errors.md +384 -0
  105. package/skills/scholar-citation-verify/references/verification-rules.md +399 -0
  106. package/skills/scholar-experiment/SKILL.md +321 -0
  107. package/skills/scholar-ideation/SKILL.md +288 -0
  108. package/skills/scholar-latex-organizer/SKILL.md +186 -0
  109. package/skills/scholar-publish/SKILL.md +220 -0
  110. package/skills/scholar-rebuttal-pro/README.md +313 -0
  111. package/skills/scholar-rebuttal-pro/SKILL.md +511 -0
  112. package/skills/scholar-review/SKILL.md +227 -0
  113. package/skills/scholar-thesis-docx/README.md +111 -0
  114. package/skills/scholar-thesis-docx/README_EN.md +108 -0
  115. package/skills/scholar-thesis-docx/SKILL.md +212 -0
  116. package/skills/scholar-thesis-docx/references/failure-patterns-and-quality-gates.md +178 -0
  117. package/skills/scholar-thesis-docx/references/figure-and-code-rules.md +33 -0
  118. package/skills/scholar-thesis-docx/references/paper-format-workflow.md +68 -0
  119. package/skills/scholar-thesis-docx/references/script-usage.md +157 -0
  120. package/skills/scholar-thesis-docx/scripts/audit_docx_ooxml.py +429 -0
  121. package/skills/scholar-thesis-docx/scripts/check_word_com.ps1 +50 -0
  122. package/skills/scholar-thesis-docx/scripts/export_word_pdf.ps1 +62 -0
  123. package/skills/scholar-thesis-docx/scripts/normalize_word_styles.ps1 +498 -0
  124. package/skills/scholar-thesis-docx/scripts/render_mermaid_figure.ps1 +148 -0
  125. package/skills/scholar-writing/SKILL.md +296 -0
  126. package/skills/security-audit/SKILL.md +244 -0
  127. package/skills/skill-generator/SKILL.md +472 -0
  128. package/skills/skill-iter-tune/SKILL.md +382 -0
  129. package/skills/skill-simplify/SKILL.md +63 -0
  130. package/skills/skill-tuning/SKILL.md +174 -0
  131. package/skills/spec-add/SKILL.md +105 -0
  132. package/skills/spec-load/SKILL.md +98 -0
  133. package/skills/spec-remove/SKILL.md +74 -0
  134. package/skills/spec-setup/SKILL.md +75 -0
  135. package/skills/team-adversarial-swarm/SKILL.md +233 -0
  136. package/skills/team-adversarial-swarm/scripts/__pycache__/pheromone.cpython-313.pyc +0 -0
  137. package/skills/team-adversarial-swarm/scripts/__pycache__/scoring.cpython-313.pyc +0 -0
  138. package/skills/team-adversarial-swarm/scripts/aco.py +473 -0
  139. package/skills/team-adversarial-swarm/scripts/pheromone.py +144 -0
  140. package/skills/team-adversarial-swarm/scripts/scoring.py +92 -0
  141. package/skills/team-adversarial-swarm/scripts/test_aco.py +475 -0
  142. package/skills/team-arch-opt/SKILL.md +158 -0
  143. package/skills/team-brainstorm/SKILL.md +171 -0
  144. package/skills/team-coordinate/SKILL.md +266 -0
  145. package/skills/team-designer/SKILL.md +160 -0
  146. package/skills/team-executor/SKILL.md +189 -0
  147. package/skills/team-frontend/SKILL.md +136 -0
  148. package/skills/team-frontend-debug/SKILL.md +198 -0
  149. package/skills/team-interactive-craft/SKILL.md +141 -0
  150. package/skills/team-issue/SKILL.md +171 -0
  151. package/skills/team-lifecycle-v4/SKILL.md +209 -0
  152. package/skills/team-motion-design/SKILL.md +142 -0
  153. package/skills/team-perf-opt/SKILL.md +175 -0
  154. package/skills/team-planex/SKILL.md +137 -0
  155. package/skills/team-quality-assurance/SKILL.md +147 -0
  156. package/skills/team-review/SKILL.md +147 -0
  157. package/skills/team-roadmap-dev/SKILL.md +169 -0
  158. package/skills/team-swarm/SKILL.md +178 -0
  159. package/skills/team-swarm/scripts/aco.py +473 -0
  160. package/skills/team-swarm/scripts/pheromone.py +144 -0
  161. package/skills/team-swarm/scripts/scoring.py +92 -0
  162. package/skills/team-swarm/scripts/test_aco.py +475 -0
  163. package/skills/team-tech-debt/SKILL.md +128 -0
  164. package/skills/team-testing/SKILL.md +143 -0
  165. package/skills/team-ui-polish/SKILL.md +141 -0
  166. package/skills/team-uidesign/SKILL.md +144 -0
  167. package/skills/team-ultra-analyze/SKILL.md +173 -0
  168. package/skills/team-ux-improve/SKILL.md +151 -0
  169. package/skills/team-visual-a11y/SKILL.md +156 -0
  170. package/skills/workflow-skill-designer/SKILL.md +496 -0
  171. package/src/extension/index.ts +222 -0
  172. package/src/extension/schemas.ts +131 -0
  173. package/src/providers/cli-tools-loader.ts +74 -0
  174. package/src/providers/provider-registry.ts +130 -0
  175. package/src/tools/delegate.ts +85 -0
  176. package/src/tools/explore.ts +134 -0
  177. package/src/tools/moa.ts +213 -0
  178. package/src/tools/status.ts +99 -0
  179. package/src/tools/wait.ts +166 -0
@@ -0,0 +1,296 @@
1
+ ---
2
+ name: scholar-writing
3
+ description: "End-to-end academic paper writing workflow. Takes a research repository and produces a publication-ready LaTeX manuscript for top ML/AI conferences (NeurIPS, ICML, ICLR, ACL, AAAI, COLM). Covers repo understanding, structure planning, section drafting, citation management, anti-AI polishing, and conference formatting. Triggers on \"write paper\", \"draft paper\", \"scholar writing\", \"paper writing workflow\"."
4
+ allowed-tools: Read Write Edit Bash Glob Grep WebSearch WebFetch TodoWrite AskUserQuestion Task
5
+ ---
6
+
7
+ # Scholar Writing
8
+
9
+ End-to-end workflow for writing publication-ready ML/AI papers from research repositories. Integrates paper writing craft, citation verification, and anti-AI polishing into a structured 6-phase pipeline.
10
+
11
+ ## Pre-load (before execution)
12
+
13
+ 1. **Codebase docs**: If `.workflow/codebase/ARCHITECTURE.md` exists, read for project context
14
+ 2. **Specs**: `maestro load --type spec --category coding` — load coding conventions
15
+ 3. **Wiki knowledge**: `maestro search "academic writing research paper" --json` — top 5 entries as prior context
16
+ 4. All optional — proceed without if unavailable
17
+
18
+ ## Architecture Overview
19
+
20
+ ```
21
+ User: "Write a paper from this repo"
22
+ |
23
+ v
24
+ ┌──────────────────────────────────────────────────────────────────────┐
25
+ │ SKILL.md (Orchestrator) │
26
+ │ Collect preferences → Dispatch phases → Track progress │
27
+ └──────────┬───────────────────────────────────────────────────────────┘
28
+ |
29
+ ┌───────┼───────┬───────────┬──────────┬──────────┬────────────┐
30
+ v v v v v v v
31
+ ┌──────┐┌──────┐┌──────────┐┌──────────┐┌──────────┐┌──────────────┐
32
+ │ P1 ││ P2 ││ P3 ││ P4 ││ P5 ││ P6 │
33
+ │ Repo ││Struct││ Section ││ Citation ││ Anti-AI ││ Conference │
34
+ │ Under││Plan ││ Drafting ││ Manage ││ Polish ││ Formatting │
35
+ └──┬───┘└──┬───┘└────┬─────┘└────┬─────┘└────┬─────┘└──────┬───────┘
36
+ │ │ │ │ │ │
37
+ v v v v v v
38
+ repo outline full draft verified polished paper.tex
39
+ context + plan .bib file prose (camera-ready)
40
+ ```
41
+
42
+ ## Key Design Principles
43
+
44
+ 1. **Proactive drafting**: Deliver complete drafts, then iterate on feedback. Do not block on every section.
45
+ 2. **Never hallucinate citations**: Every citation must be verified via WebSearch and Google Scholar. Mark unverifiable references as `[CITATION NEEDED]`.
46
+ 3. **Narrative-first writing**: A paper is a story with one clear contribution. Define the What/Why/So What before writing.
47
+ 4. **Anti-AI polish is mandatory**: All prose passes through pattern detection and humanization before final output.
48
+ 5. **Conference-aware from start**: Target venue influences page limits, required sections, and framing.
49
+
50
+ ## Interactive Preference Collection
51
+
52
+ Before dispatching to any phase, collect these preferences:
53
+
54
+ ```
55
+ Questions to ask the user:
56
+
57
+ 1. Research Repository
58
+ "Where is the research repo? (path or URL)"
59
+ → repoPath
60
+
61
+ 2. Target Conference
62
+ Options: NeurIPS | ICML | ICLR | ACL | AAAI | COLM | Other
63
+ → targetConference
64
+
65
+ 3. Paper Type
66
+ Options: Full Paper | Short Paper | Workshop Paper
67
+ → paperType
68
+
69
+ 4. Output Directory
70
+ "Where should the paper be written? (default: ./paper/)"
71
+ → outputDir
72
+
73
+ 5. Existing Materials
74
+ "Any existing drafts, notes, or outlines to build on? (path or 'none')"
75
+ → existingMaterials
76
+
77
+ 6. Writing Language
78
+ Options: English | Chinese | Bilingual
79
+ → writingLanguage
80
+ ```
81
+
82
+ Store responses as `paperPreferences` context for all phases.
83
+
84
+ ## Auto Mode Defaults
85
+
86
+ When `workflowPreferences.autoYes === true`:
87
+ - Use detected repo path from cwd
88
+ - Default to NeurIPS format, Full Paper, English
89
+ - Output to `./paper/`
90
+ - Skip confirmation prompts within phases
91
+
92
+ ## Execution Flow
93
+
94
+ > **COMPACT DIRECTIVE**: Context compression MUST check TodoWrite phase status.
95
+ > The phase currently marked `in_progress` is the active execution phase -- preserve its FULL content.
96
+ > Only compress phases marked `completed` or `pending`.
97
+
98
+ ### TodoWrite Setup
99
+
100
+ ```
101
+ Paper Writing Workflow:
102
+ - [ ] Phase 1: Repo Understanding — explore repo, identify contribution
103
+ - [ ] Phase 2: Structure Planning — plan outline, define narrative
104
+ - [ ] Phase 3: Section Drafting — write all sections
105
+ - [ ] Phase 4: Citation Management — find, verify, format citations
106
+ - [ ] Phase 5: Anti-AI Polish — remove AI patterns, humanize prose
107
+ - [ ] Phase 6: Conference Formatting — apply template, compile
108
+ ```
109
+
110
+ ### Phase Sequence
111
+
112
+ ```
113
+ Phase 1: Repo Understanding
114
+ └─ Ref: phases/01-repo-understanding.md
115
+ ├─ Input: repoPath, existingMaterials
116
+ └─ Output: repoContext (contribution, results, existing citations)
117
+
118
+ Phase 2: Structure Planning
119
+ └─ Ref: phases/02-structure-planning.md
120
+ ├─ Input: repoContext, targetConference, paperType
121
+ └─ Output: paperOutline (section plan, narrative arc, page budget)
122
+
123
+ Phase 3: Section Drafting
124
+ └─ Ref: phases/03-section-drafting.md
125
+ ├─ Input: repoContext, paperOutline, writingLanguage
126
+ └─ Output: draftSections (all sections as LaTeX content)
127
+
128
+ Phase 4: Citation Management
129
+ └─ Ref: phases/04-citation-management.md
130
+ ├─ Input: draftSections, repoContext.existingCitations
131
+ └─ Output: verifiedBib (references.bib), updatedDraft (citations resolved)
132
+
133
+ Phase 5: Anti-AI Polish
134
+ └─ Ref: phases/05-anti-ai-polish.md
135
+ ├─ Input: updatedDraft
136
+ └─ Output: polishedDraft (humanized prose, AI patterns removed)
137
+
138
+ Phase 6: Conference Formatting
139
+ └─ Ref: phases/06-conference-formatting.md
140
+ ├─ Input: polishedDraft, verifiedBib, targetConference
141
+ └─ Output: paper.tex (complete manuscript ready for compilation)
142
+ ```
143
+
144
+ **Phase Reference Documents** (read on-demand when phase executes):
145
+
146
+ | Phase | Document | Purpose | Compact |
147
+ |-------|----------|---------|---------|
148
+ | 1 | [phases/01-repo-understanding.md](phases/01-repo-understanding.md) | Explore repo, identify contribution | TodoWrite driven |
149
+ | 2 | [phases/02-structure-planning.md](phases/02-structure-planning.md) | Plan outline, define narrative | TodoWrite driven |
150
+ | 3 | [phases/03-section-drafting.md](phases/03-section-drafting.md) | Write all paper sections | TodoWrite driven + sentinel |
151
+ | 4 | [phases/04-citation-management.md](phases/04-citation-management.md) | Find, verify, format citations | TodoWrite driven + sentinel |
152
+ | 5 | [phases/05-anti-ai-polish.md](phases/05-anti-ai-polish.md) | Remove AI patterns, humanize | TodoWrite driven + sentinel |
153
+ | 6 | [phases/06-conference-formatting.md](phases/06-conference-formatting.md) | Apply template, compile | TodoWrite driven |
154
+
155
+ **Compact Rules**:
156
+ 1. **TodoWrite `in_progress`** → preserve full content, do not compress
157
+ 2. **TodoWrite `completed`** → may compress to summary
158
+ 3. **sentinel fallback** → phases marked with sentinel contain compact sentinel; if only sentinel remains after compression, **must immediately `Read()` to recover before continuing**
159
+
160
+ ## Core Rules
161
+
162
+ 1. **Citation integrity**: NEVER generate BibTeX from memory. Always verify via WebSearch + Google Scholar. Mark unverifiable as `[CITATION NEEDED]`.
163
+ 2. **One contribution**: The paper tells one story. Every section supports the central narrative.
164
+ 3. **Proactive delivery**: Write full drafts, flag uncertainties. Do not block waiting for per-section approval.
165
+ 4. **Conference compliance**: Respect page limits, required sections, and anonymization requirements.
166
+ 5. **Anti-AI mandatory**: All prose must pass anti-AI pattern detection before final output.
167
+
168
+ ## Input Processing
169
+
170
+ User input is parsed into `paperPreferences`:
171
+
172
+ ```
173
+ REPO: [path to research repository]
174
+ CONFERENCE: [NeurIPS | ICML | ICLR | ACL | AAAI | COLM]
175
+ TYPE: [Full | Short | Workshop]
176
+ OUTPUT: [output directory path]
177
+ MATERIALS: [path to existing drafts or 'none']
178
+ LANGUAGE: [English | Chinese | Bilingual]
179
+ ```
180
+
181
+ If user provides free text like "write a paper about my transformer project", extract:
182
+ - Repo path from context or ask
183
+ - Default conference to NeurIPS
184
+ - Default type to Full Paper
185
+ - Default language to English
186
+
187
+ ## Data Flow
188
+
189
+ ```
190
+ Phase 1 ──repoContext──→ Phase 2
191
+ Phase 2 ──paperOutline──→ Phase 3
192
+ Phase 1 ──repoContext──→ Phase 3
193
+ Phase 3 ──draftSections──→ Phase 4
194
+ Phase 4 ──updatedDraft + verifiedBib──→ Phase 5
195
+ Phase 5 ──polishedDraft──→ Phase 6
196
+ Phase 4 ──verifiedBib──→ Phase 6
197
+
198
+ Data persistence: All intermediate outputs written to outputDir/
199
+ outputDir/.writing/
200
+ ├── repo-context.md (Phase 1 output)
201
+ ├── paper-outline.md (Phase 2 output)
202
+ ├── drafts/ (Phase 3 output)
203
+ │ ├── abstract.tex
204
+ │ ├── introduction.tex
205
+ │ ├── methods.tex
206
+ │ ├── experiments.tex
207
+ │ ├── related-work.tex
208
+ │ ├── conclusion.tex
209
+ │ └── appendix.tex
210
+ ├── references.bib (Phase 4 output)
211
+ ├── polished/ (Phase 5 output)
212
+ │ └── (same structure as drafts/)
213
+ └── paper.tex (Phase 6 output)
214
+ ```
215
+
216
+ ## TodoWrite Pattern
217
+
218
+ ### Phase Start (Attach)
219
+ ```
220
+ When Phase N begins:
221
+ → Mark Phase N as in_progress in TodoWrite
222
+ → Add sub-tasks for Phase N steps
223
+ → Execute sub-tasks sequentially
224
+ ```
225
+
226
+ ### Phase End (Collapse)
227
+ ```
228
+ When Phase N completes:
229
+ → Mark all Phase N sub-tasks as completed
230
+ → Collapse to summary: "Phase N complete: [key output]"
231
+ → Mark Phase N+1 as in_progress
232
+ ```
233
+
234
+ ## Post-Phase Updates
235
+
236
+ Between phases, update a running paper-notes document:
237
+
238
+ ```markdown
239
+ # Paper Writing Notes (accumulated)
240
+
241
+ ## Contribution (Phase 1)
242
+ [One-sentence contribution statement]
243
+
244
+ ## Outline (Phase 2)
245
+ [Section structure with page budgets]
246
+
247
+ ## Draft Status (Phase 3)
248
+ [Section completion status]
249
+
250
+ ## Citation Status (Phase 4)
251
+ [Verified count / placeholder count]
252
+
253
+ ## Polish Status (Phase 5)
254
+ [Anti-AI score per section]
255
+ ```
256
+
257
+ Written to: `outputDir/.writing/paper-notes.md`
258
+
259
+ ## Error Handling
260
+
261
+ | Error | Action |
262
+ |-------|--------|
263
+ | Repo path invalid | Ask user for correct path |
264
+ | Cannot identify contribution | Present top 3 candidates, ask user to choose |
265
+ | Citation not found | Mark `[CITATION NEEDED]`, continue, report at end |
266
+ | LaTeX compilation fails | Fix common errors (missing packages, encoding), retry once |
267
+ | Anti-AI score below 35 | Re-polish section, flag for manual review |
268
+ | Page limit exceeded | Suggest specific cuts (move proofs to appendix, condense related work) |
269
+
270
+ ## Coordinator Checklist
271
+
272
+ ### Before Each Phase
273
+ - [ ] Previous phase output exists and is valid
274
+ - [ ] TodoWrite updated (current phase in_progress)
275
+ - [ ] Required inputs available
276
+
277
+ ### After Each Phase
278
+ - [ ] Output files written to outputDir/.writing/
279
+ - [ ] paper-notes.md updated
280
+ - [ ] TodoWrite collapsed (phase completed)
281
+ - [ ] User notified of phase completion and key decisions made
282
+
283
+ ### Final Checklist
284
+ - [ ] All 6 phases completed
285
+ - [ ] paper.tex compiles without errors
286
+ - [ ] All citations verified (no remaining `[CITATION NEEDED]`)
287
+ - [ ] Anti-AI score >= 35 for all sections
288
+ - [ ] Page limit respected
289
+ - [ ] Anonymization applied (for blind review)
290
+ - [ ] Conference checklist completed (if required)
291
+
292
+ ## Related Skills
293
+
294
+ - **scholar-ideation**: Use before this skill to develop research ideas
295
+ - **scholar-experiment**: Use before this skill to run experiments
296
+ - **scholar-review**: Use after this skill to review/revise the paper
@@ -0,0 +1,244 @@
1
+ ---
2
+ name: security-audit
3
+ description: "OWASP Top 10 and STRIDE security auditing with supply chain analysis Arguments: [quick|standard|deep] [--scope <path>]"
4
+ allowed-tools: Read Write Bash Glob Grep Agent AskUserQuestion
5
+ ---
6
+
7
+ <purpose>
8
+ Systematic security audit covering OWASP Top 10, dependency supply chain, secrets detection,
9
+ CI/CD pipeline review, and optional STRIDE threat modeling. Three tiers control depth vs speed.
10
+ </purpose>
11
+
12
+ <required_reading>
13
+ @~/.maestro/workflows/review.md
14
+ </required_reading>
15
+
16
+ <context>
17
+ $ARGUMENTS — Parse tier and scope:
18
+ - Tier: `quick` (default) | `standard` | `deep`
19
+ - `--scope <path>`: Limit scan to directory (default: project root)
20
+
21
+ **Tier coverage:**
22
+
23
+ | Tier | OWASP | Dependencies | Secrets | CI/CD | STRIDE | Git History |
24
+ |------|-------|-------------|---------|-------|--------|-------------|
25
+ | quick | ✓ | ✓ | — | — | — | — |
26
+ | standard | ✓ | ✓ | ✓ | ✓ | — | — |
27
+ | deep | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
28
+
29
+ **Output boundary**: ALL file writes MUST target `.workflow/scratch/{YYYYMMDD}-security-audit-{tier}-{slug}/` or `.workflow/state.json` only. NEVER modify source code, configuration files, or dependencies. Audit is read-only analysis.
30
+ </context>
31
+
32
+ <invariants>
33
+ 1. **Audit is read-only** — NEVER modify source code, configuration, dependencies, or CI/CD files during audit. Security audit produces reports only.
34
+ 2. **Findings require file:line evidence** — every finding MUST reference a specific file:line location and include the vulnerable code pattern. No vague or category-only findings.
35
+ 3. **Severity NEVER downgraded without justification** — if a finding matches a known OWASP category, its severity follows OWASP guidance. Downgrading requires documented rationale (e.g., compensating control exists).
36
+ 4. **Tier coverage is mandatory** — all scan phases required by the selected tier MUST complete. NEVER skip a tier-required phase silently; failures are logged as W00x warnings.
37
+ 5. **False positive marking requires evidence** — marking a finding as false positive MUST include the compensating control or code path that prevents exploitation. NEVER dismiss findings without counter-evidence.
38
+ 6. **Secrets are never logged** — if secrets are discovered, report their location (file:line) and type but NEVER include the actual secret value in the report output.
39
+ </invariants>
40
+
41
+ <execution>
42
+
43
+ ### Phase Gates (MANDATORY, BLOCKING)
44
+
45
+ **GATE 1: Recon → Scan**
46
+ - REQUIRED: Tech stack detected and entry points identified.
47
+ - REQUIRED: Auth/authz modules listed and data flow mapped.
48
+ - BLOCKED if missing: cannot scan without entry points and data flow baseline.
49
+
50
+ **GATE 2: Scan → Report** (tier-gated)
51
+ - REQUIRED: OWASP Top 10 scan completed (all tiers).
52
+ - REQUIRED: Dependency audit completed (all tiers).
53
+ - REQUIRED: Secrets + CI/CD scan completed (standard/deep only).
54
+ - REQUIRED: STRIDE + git history completed (deep only).
55
+ - BLOCKED if tier-required scans incomplete: finish all tier-applicable phases before reporting.
56
+
57
+ **GATE 3: Report → Completion**
58
+ - REQUIRED: Severity matrix produced with file:line references and remediation.
59
+ - REQUIRED: Artifact registered in state.json.
60
+ - BLOCKED if missing: do not emit completion status without severity matrix.
61
+
62
+ **Phase 1: Reconnaissance**
63
+
64
+ 1. Detect tech stack from package.json / go.mod / requirements.txt / Cargo.toml
65
+ 2. Identify entry points: HTTP handlers, API routes, CLI parsers, WebSocket handlers
66
+ 3. List authentication/authorization modules
67
+ 4. Map data flow: user input → processing → storage → output
68
+
69
+ **Phase 2: OWASP Top 10 Scan** (all tiers)
70
+
71
+ For each category, scan relevant source files:
72
+
73
+ | # | Category | What to check |
74
+ |---|----------|--------------|
75
+ | A01 | Broken Access Control | Missing auth middleware, direct object references, path traversal |
76
+ | A02 | Cryptographic Failures | Weak algorithms, hardcoded keys, missing TLS, plaintext storage |
77
+ | A03 | Injection | SQL concatenation, shell exec with user input, template injection |
78
+ | A04 | Insecure Design | Missing rate limits, no CSRF tokens, predictable tokens |
79
+ | A05 | Security Misconfiguration | Debug mode, default credentials, verbose errors, open CORS |
80
+ | A06 | Vulnerable Components | Known CVEs in dependencies |
81
+ | A07 | Auth Failures | Weak password rules, missing brute-force protection, session fixation |
82
+ | A08 | Data Integrity | Deserialization of untrusted data, unsigned updates |
83
+ | A09 | Logging Failures | Missing audit logs, logging sensitive data |
84
+ | A10 | SSRF | Unvalidated URLs in server-side requests |
85
+
86
+ Use `Grep` for pattern matching (e.g., `eval(`, `exec(`, `innerHTML`, `dangerouslySetInnerHTML`,
87
+ `sql.*\+.*req\.`, `process\.env` without validation).
88
+
89
+ **Phase 3: Dependency Audit** (all tiers)
90
+
91
+ ```bash
92
+ # Node.js
93
+ npm audit --json 2>/dev/null || true
94
+ # Check lockfile integrity
95
+ test -f package-lock.json && echo "lockfile present" || echo "WARNING: no lockfile"
96
+ ```
97
+
98
+ Check for:
99
+ - Known vulnerabilities (CVE references)
100
+ - Lockfile presence and integrity
101
+ - Typosquatting risk on critical dependencies (manually check suspicious names)
102
+
103
+ **Phase 4: Secrets Detection** (standard + deep)
104
+
105
+ ```
106
+ Grep({
107
+ pattern: "(password|secret|api.?key|token|credential).*=.*['\"][^'\"]{8,}",
108
+ glob: "*.{ts,js,json,env*}",
109
+ output_mode: "content"
110
+ })
111
+ ```
112
+
113
+ Check `.env.example` for leaked values. Check `.gitignore` for missing `.env` patterns.
114
+
115
+ **Phase 5: CI/CD Audit** (standard + deep)
116
+
117
+ Scan `.github/workflows/*.yml` for:
118
+ - Overly permissive `permissions:` (write-all, contents: write)
119
+ - Unpinned action versions (`uses: actions/checkout@main` vs `@v4.1.0`)
120
+ - Secrets in logs (missing `mask` or `add-mask`)
121
+ - Pull request trigger with `pull_request_target` (code injection risk)
122
+
123
+ **Phase 6: STRIDE Threat Modeling** (deep only)
124
+
125
+ For each critical module identified in Phase 1:
126
+
127
+ | Threat | Question |
128
+ |--------|----------|
129
+ | **S**poofing | Can identity be faked? Is auth per-request? |
130
+ | **T**ampering | Can data be modified in transit/storage? Integrity checks? |
131
+ | **R**epudiation | Are actions logged with user identity? |
132
+ | **I**nformation Disclosure | Can unauthorized data be accessed? |
133
+ | **D**enial of Service | Resource limits? Rate limiting? |
134
+ | **E**levation of Privilege | Can roles be escalated? Input validation on role fields? |
135
+
136
+ **Phase 7: Git History Archaeology** (deep only)
137
+
138
+ ```bash
139
+ # Search for previously committed secrets
140
+ git log --all --diff-filter=D --name-only --pretty=format: -- "*.env" "*.key" "*.pem" 2>/dev/null | head -20
141
+ git log -p --all -S "password" --since="1 year ago" -- "*.ts" "*.js" 2>/dev/null | head -50
142
+ ```
143
+
144
+ **Phase 8: Report**
145
+
146
+ Output severity matrix:
147
+
148
+ ```
149
+ === Security Audit ({tier}) ===
150
+
151
+ CRITICAL ({count}):
152
+ - [A03] SQL injection in {file}:{line} — {description}
153
+ Fix: {remediation}
154
+
155
+ HIGH ({count}):
156
+ ...
157
+
158
+ MEDIUM ({count}):
159
+ ...
160
+
161
+ LOW ({count}):
162
+ ...
163
+
164
+ Summary: {total} findings ({critical} critical, {high} high, {medium} medium, {low} low)
165
+ ```
166
+
167
+ **Register artifact on completion:**
168
+
169
+ Confirm before writing:
170
+ ```
171
+ AskUserQuestion("Register security-audit artifact RVW-{NNN} in state.json? (yes/no)")
172
+ → yes: proceed with write
173
+ → no: skip registration, continue to completion
174
+ ```
175
+
176
+ ```
177
+ Append to state.json.artifacts[]:
178
+ {
179
+ id: nextArtifactId(artifacts, "review"), // RVW-NNN (security-audit reuses review type)
180
+ type: "review",
181
+ subtype: "security-audit",
182
+ milestone: current_milestone || null,
183
+ phase: target_phase || null,
184
+ scope: target_phase ? "phase" : "standalone",
185
+ path: "scratch/{YYYYMMDD}-security-audit-{tier}-{slug}",
186
+ status: critical_count == 0 ? "completed" : "completed_with_concerns",
187
+ tier: tier, // quick|standard|deep
188
+ harvested: false,
189
+ created_at: start_time,
190
+ completed_at: now()
191
+ }
192
+ ```
193
+ Write findings report to the same `path` (severity matrix, file:line refs, remediation).
194
+ </execution>
195
+
196
+ <completion>
197
+ ### Standalone report
198
+
199
+ ```
200
+ --- COMPLETION STATUS ---
201
+ STATUS: DONE|DONE_WITH_CONCERNS
202
+ CONCERNS: {count} critical findings require immediate action
203
+ --- END STATUS ---
204
+ ```
205
+
206
+ Status mapping:
207
+ - **DONE** — No critical/high findings
208
+ - **DONE_WITH_CONCERNS** — Critical/high findings documented with remediation
209
+
210
+ ### Ralph-invoked completion
211
+
212
+ End the step by calling the CLI (no text block output):
213
+ ```
214
+ maestro ralph complete <idx> --status {STATUS} [--evidence {path}]
215
+ ```
216
+
217
+ ### Next-step routing
218
+
219
+ | Condition | Suggestion |
220
+ |-----------|-----------|
221
+ | No critical findings | `/quality-review {phase}` |
222
+ | Critical findings need fix | `/maestro-plan {phase} --gaps` |
223
+ | Need deeper analysis | `/security-audit deep --scope {path}` |
224
+ | Want dependency remediation | Fix vulnerabilities, then re-run `/security-audit` |
225
+ </completion>
226
+
227
+ <error_codes>
228
+ | Code | Severity | Condition | Recovery |
229
+ |------|----------|-----------|----------|
230
+ | E001 | error | No source files found in scope | Verify --scope path exists |
231
+ | E002 | error | Tech stack not detected | Manually specify entry points |
232
+ | W001 | warning | npm audit / dependency tool unavailable | Skip dependency phase, note limitation |
233
+ | W002 | warning | Git history scan failed | Skip Phase 7, note limitation |
234
+ | W003 | warning | Partial scan (some files inaccessible) | Report coverage gap in findings |
235
+ </error_codes>
236
+
237
+ <success_criteria>
238
+ - [ ] Tech stack identified and entry points mapped
239
+ - [ ] OWASP Top 10 categories all checked (tier-appropriate)
240
+ - [ ] Dependency audit completed with CVE listing
241
+ - [ ] Severity matrix produced with file:line references
242
+ - [ ] Each finding includes remediation suggestion
243
+ - [ ] Completion status block emitted
244
+ </success_criteria>