pi-maestro-flow 0.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +124 -0
- package/agents/aggregator.md +27 -0
- package/agents/cli-explore-agent.md +188 -0
- package/agents/cross-role-reviewer.md +171 -0
- package/agents/delegate.md +19 -0
- package/agents/explorer.md +23 -0
- package/agents/impeccable-agent.md +99 -0
- package/agents/ralph-executor.md +81 -0
- package/agents/reference.md +24 -0
- package/agents/role-design-author.md +220 -0
- package/agents/team-supervisor.md +143 -0
- package/agents/team-worker.md +237 -0
- package/agents/ui-design-agent.md +270 -0
- package/agents/workflow-analyzer.md +116 -0
- package/agents/workflow-codebase-mapper.md +77 -0
- package/agents/workflow-collab-planner.md +147 -0
- package/agents/workflow-debugger.md +104 -0
- package/agents/workflow-executor.md +133 -0
- package/agents/workflow-external-researcher.md +86 -0
- package/agents/workflow-integration-checker.md +83 -0
- package/agents/workflow-nyquist-auditor.md +85 -0
- package/agents/workflow-phase-researcher.md +85 -0
- package/agents/workflow-plan-checker.md +100 -0
- package/agents/workflow-planner.md +200 -0
- package/agents/workflow-project-researcher.md +74 -0
- package/agents/workflow-research-synthesizer.md +70 -0
- package/agents/workflow-reviewer.md +82 -0
- package/agents/workflow-roadmapper.md +81 -0
- package/agents/workflow-verifier.md +120 -0
- package/package.json +58 -0
- package/skills/codify-to-knowhow/SKILL.md +167 -0
- package/skills/delegation-check/SKILL.md +297 -0
- package/skills/domain-add/SKILL.md +75 -0
- package/skills/insight-challenge/SKILL.md +226 -0
- package/skills/learn-decompose/SKILL.md +124 -0
- package/skills/learn-follow/SKILL.md +163 -0
- package/skills/learn-investigate/SKILL.md +160 -0
- package/skills/learn-second-opinion/SKILL.md +128 -0
- package/skills/maestro/SKILL.md +239 -0
- package/skills/maestro-amend/SKILL.md +169 -0
- package/skills/maestro-analyze/SKILL.md +173 -0
- package/skills/maestro-blueprint/SKILL.md +159 -0
- package/skills/maestro-brainstorm/SKILL.md +193 -0
- package/skills/maestro-collab/SKILL.md +181 -0
- package/skills/maestro-companion/SKILL.md +536 -0
- package/skills/maestro-composer/SKILL.md +192 -0
- package/skills/maestro-execute/SKILL.md +193 -0
- package/skills/maestro-fork/SKILL.md +104 -0
- package/skills/maestro-grill/SKILL.md +151 -0
- package/skills/maestro-guard/SKILL.md +124 -0
- package/skills/maestro-help/SKILL.md +328 -0
- package/skills/maestro-impeccable/SKILL.md +302 -0
- package/skills/maestro-init/SKILL.md +151 -0
- package/skills/maestro-merge/SKILL.md +90 -0
- package/skills/maestro-milestone-audit/SKILL.md +117 -0
- package/skills/maestro-milestone-complete/SKILL.md +133 -0
- package/skills/maestro-milestone-release/SKILL.md +131 -0
- package/skills/maestro-next/SKILL.md +269 -0
- package/skills/maestro-overlay/SKILL.md +203 -0
- package/skills/maestro-plan/SKILL.md +194 -0
- package/skills/maestro-player/SKILL.md +184 -0
- package/skills/maestro-quick/SKILL.md +117 -0
- package/skills/maestro-ralph/SKILL.md +905 -0
- package/skills/maestro-ralph-cli/SKILL.md +976 -0
- package/skills/maestro-ralph-cli-execute/SKILL.md +229 -0
- package/skills/maestro-ralph-execute/SKILL.md +409 -0
- package/skills/maestro-ralph-v2/SKILL.md +1198 -0
- package/skills/maestro-roadmap/SKILL.md +157 -0
- package/skills/maestro-swarm-workflow/SKILL.md +272 -0
- package/skills/maestro-tools-execute/SKILL.md +143 -0
- package/skills/maestro-tools-register/SKILL.md +192 -0
- package/skills/maestro-ui-codify/SKILL.md +127 -0
- package/skills/maestro-universal-workflow/SKILL.md +622 -0
- package/skills/maestro-update/SKILL.md +156 -0
- package/skills/manage-codebase-rebuild/SKILL.md +111 -0
- package/skills/manage-drift-realign/SKILL.md +159 -0
- package/skills/manage-harvest/SKILL.md +121 -0
- package/skills/manage-issue/SKILL.md +88 -0
- package/skills/manage-issue-discover/SKILL.md +104 -0
- package/skills/manage-kg-extractors/SKILL.md +147 -0
- package/skills/manage-knowhow/SKILL.md +102 -0
- package/skills/manage-knowhow-capture/SKILL.md +109 -0
- package/skills/manage-knowledge-audit/SKILL.md +147 -0
- package/skills/manage-status/SKILL.md +80 -0
- package/skills/manage-wiki/SKILL.md +104 -0
- package/skills/odyssey-debug/SKILL.md +344 -0
- package/skills/odyssey-improve/SKILL.md +423 -0
- package/skills/odyssey-planex/SKILL.md +542 -0
- package/skills/odyssey-review-test-fix/SKILL.md +392 -0
- package/skills/odyssey-ui/SKILL.md +388 -0
- package/skills/prompt-generator/SKILL.md +470 -0
- package/skills/quality-auto-test/SKILL.md +168 -0
- package/skills/quality-debug/SKILL.md +176 -0
- package/skills/quality-refactor/SKILL.md +108 -0
- package/skills/quality-retrospective/SKILL.md +134 -0
- package/skills/quality-review/SKILL.md +169 -0
- package/skills/quality-sync/SKILL.md +90 -0
- package/skills/quality-test/SKILL.md +183 -0
- package/skills/scholar-anti-ai-writing/SKILL.md +173 -0
- package/skills/scholar-anti-ai-writing/references/patterns-chinese.md +242 -0
- package/skills/scholar-anti-ai-writing/references/patterns-english.md +242 -0
- package/skills/scholar-citation-verify/SKILL.md +166 -0
- package/skills/scholar-citation-verify/references/api-usage.md +372 -0
- package/skills/scholar-citation-verify/references/common-errors.md +384 -0
- package/skills/scholar-citation-verify/references/verification-rules.md +399 -0
- package/skills/scholar-experiment/SKILL.md +321 -0
- package/skills/scholar-ideation/SKILL.md +288 -0
- package/skills/scholar-latex-organizer/SKILL.md +186 -0
- package/skills/scholar-publish/SKILL.md +220 -0
- package/skills/scholar-rebuttal-pro/README.md +313 -0
- package/skills/scholar-rebuttal-pro/SKILL.md +511 -0
- package/skills/scholar-review/SKILL.md +227 -0
- package/skills/scholar-thesis-docx/README.md +111 -0
- package/skills/scholar-thesis-docx/README_EN.md +108 -0
- package/skills/scholar-thesis-docx/SKILL.md +212 -0
- package/skills/scholar-thesis-docx/references/failure-patterns-and-quality-gates.md +178 -0
- package/skills/scholar-thesis-docx/references/figure-and-code-rules.md +33 -0
- package/skills/scholar-thesis-docx/references/paper-format-workflow.md +68 -0
- package/skills/scholar-thesis-docx/references/script-usage.md +157 -0
- package/skills/scholar-thesis-docx/scripts/audit_docx_ooxml.py +429 -0
- package/skills/scholar-thesis-docx/scripts/check_word_com.ps1 +50 -0
- package/skills/scholar-thesis-docx/scripts/export_word_pdf.ps1 +62 -0
- package/skills/scholar-thesis-docx/scripts/normalize_word_styles.ps1 +498 -0
- package/skills/scholar-thesis-docx/scripts/render_mermaid_figure.ps1 +148 -0
- package/skills/scholar-writing/SKILL.md +296 -0
- package/skills/security-audit/SKILL.md +244 -0
- package/skills/skill-generator/SKILL.md +472 -0
- package/skills/skill-iter-tune/SKILL.md +382 -0
- package/skills/skill-simplify/SKILL.md +63 -0
- package/skills/skill-tuning/SKILL.md +174 -0
- package/skills/spec-add/SKILL.md +105 -0
- package/skills/spec-load/SKILL.md +98 -0
- package/skills/spec-remove/SKILL.md +74 -0
- package/skills/spec-setup/SKILL.md +75 -0
- package/skills/team-adversarial-swarm/SKILL.md +233 -0
- package/skills/team-adversarial-swarm/scripts/__pycache__/pheromone.cpython-313.pyc +0 -0
- package/skills/team-adversarial-swarm/scripts/__pycache__/scoring.cpython-313.pyc +0 -0
- package/skills/team-adversarial-swarm/scripts/aco.py +473 -0
- package/skills/team-adversarial-swarm/scripts/pheromone.py +144 -0
- package/skills/team-adversarial-swarm/scripts/scoring.py +92 -0
- package/skills/team-adversarial-swarm/scripts/test_aco.py +475 -0
- package/skills/team-arch-opt/SKILL.md +158 -0
- package/skills/team-brainstorm/SKILL.md +171 -0
- package/skills/team-coordinate/SKILL.md +266 -0
- package/skills/team-designer/SKILL.md +160 -0
- package/skills/team-executor/SKILL.md +189 -0
- package/skills/team-frontend/SKILL.md +136 -0
- package/skills/team-frontend-debug/SKILL.md +198 -0
- package/skills/team-interactive-craft/SKILL.md +141 -0
- package/skills/team-issue/SKILL.md +171 -0
- package/skills/team-lifecycle-v4/SKILL.md +209 -0
- package/skills/team-motion-design/SKILL.md +142 -0
- package/skills/team-perf-opt/SKILL.md +175 -0
- package/skills/team-planex/SKILL.md +137 -0
- package/skills/team-quality-assurance/SKILL.md +147 -0
- package/skills/team-review/SKILL.md +147 -0
- package/skills/team-roadmap-dev/SKILL.md +169 -0
- package/skills/team-swarm/SKILL.md +178 -0
- package/skills/team-swarm/scripts/aco.py +473 -0
- package/skills/team-swarm/scripts/pheromone.py +144 -0
- package/skills/team-swarm/scripts/scoring.py +92 -0
- package/skills/team-swarm/scripts/test_aco.py +475 -0
- package/skills/team-tech-debt/SKILL.md +128 -0
- package/skills/team-testing/SKILL.md +143 -0
- package/skills/team-ui-polish/SKILL.md +141 -0
- package/skills/team-uidesign/SKILL.md +144 -0
- package/skills/team-ultra-analyze/SKILL.md +173 -0
- package/skills/team-ux-improve/SKILL.md +151 -0
- package/skills/team-visual-a11y/SKILL.md +156 -0
- package/skills/workflow-skill-designer/SKILL.md +496 -0
- package/src/extension/index.ts +222 -0
- package/src/extension/schemas.ts +131 -0
- package/src/providers/cli-tools-loader.ts +74 -0
- package/src/providers/provider-registry.ts +130 -0
- package/src/tools/delegate.ts +85 -0
- package/src/tools/explore.ts +134 -0
- package/src/tools/moa.ts +213 -0
- package/src/tools/status.ts +99 -0
- package/src/tools/wait.ts +166 -0
|
@@ -0,0 +1,296 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: scholar-writing
|
|
3
|
+
description: "End-to-end academic paper writing workflow. Takes a research repository and produces a publication-ready LaTeX manuscript for top ML/AI conferences (NeurIPS, ICML, ICLR, ACL, AAAI, COLM). Covers repo understanding, structure planning, section drafting, citation management, anti-AI polishing, and conference formatting. Triggers on \"write paper\", \"draft paper\", \"scholar writing\", \"paper writing workflow\"."
|
|
4
|
+
allowed-tools: Read Write Edit Bash Glob Grep WebSearch WebFetch TodoWrite AskUserQuestion Task
|
|
5
|
+
---
|
|
6
|
+
|
|
7
|
+
# Scholar Writing
|
|
8
|
+
|
|
9
|
+
End-to-end workflow for writing publication-ready ML/AI papers from research repositories. Integrates paper writing craft, citation verification, and anti-AI polishing into a structured 6-phase pipeline.
|
|
10
|
+
|
|
11
|
+
## Pre-load (before execution)
|
|
12
|
+
|
|
13
|
+
1. **Codebase docs**: If `.workflow/codebase/ARCHITECTURE.md` exists, read for project context
|
|
14
|
+
2. **Specs**: `maestro load --type spec --category coding` — load coding conventions
|
|
15
|
+
3. **Wiki knowledge**: `maestro search "academic writing research paper" --json` — top 5 entries as prior context
|
|
16
|
+
4. All optional — proceed without if unavailable
|
|
17
|
+
|
|
18
|
+
## Architecture Overview
|
|
19
|
+
|
|
20
|
+
```
|
|
21
|
+
User: "Write a paper from this repo"
|
|
22
|
+
|
|
|
23
|
+
v
|
|
24
|
+
┌──────────────────────────────────────────────────────────────────────┐
|
|
25
|
+
│ SKILL.md (Orchestrator) │
|
|
26
|
+
│ Collect preferences → Dispatch phases → Track progress │
|
|
27
|
+
└──────────┬───────────────────────────────────────────────────────────┘
|
|
28
|
+
|
|
|
29
|
+
┌───────┼───────┬───────────┬──────────┬──────────┬────────────┐
|
|
30
|
+
v v v v v v v
|
|
31
|
+
┌──────┐┌──────┐┌──────────┐┌──────────┐┌──────────┐┌──────────────┐
|
|
32
|
+
│ P1 ││ P2 ││ P3 ││ P4 ││ P5 ││ P6 │
|
|
33
|
+
│ Repo ││Struct││ Section ││ Citation ││ Anti-AI ││ Conference │
|
|
34
|
+
│ Under││Plan ││ Drafting ││ Manage ││ Polish ││ Formatting │
|
|
35
|
+
└──┬───┘└──┬───┘└────┬─────┘└────┬─────┘└────┬─────┘└──────┬───────┘
|
|
36
|
+
│ │ │ │ │ │
|
|
37
|
+
v v v v v v
|
|
38
|
+
repo outline full draft verified polished paper.tex
|
|
39
|
+
context + plan .bib file prose (camera-ready)
|
|
40
|
+
```
|
|
41
|
+
|
|
42
|
+
## Key Design Principles
|
|
43
|
+
|
|
44
|
+
1. **Proactive drafting**: Deliver complete drafts, then iterate on feedback. Do not block on every section.
|
|
45
|
+
2. **Never hallucinate citations**: Every citation must be verified via WebSearch and Google Scholar. Mark unverifiable references as `[CITATION NEEDED]`.
|
|
46
|
+
3. **Narrative-first writing**: A paper is a story with one clear contribution. Define the What/Why/So What before writing.
|
|
47
|
+
4. **Anti-AI polish is mandatory**: All prose passes through pattern detection and humanization before final output.
|
|
48
|
+
5. **Conference-aware from start**: Target venue influences page limits, required sections, and framing.
|
|
49
|
+
|
|
50
|
+
## Interactive Preference Collection
|
|
51
|
+
|
|
52
|
+
Before dispatching to any phase, collect these preferences:
|
|
53
|
+
|
|
54
|
+
```
|
|
55
|
+
Questions to ask the user:
|
|
56
|
+
|
|
57
|
+
1. Research Repository
|
|
58
|
+
"Where is the research repo? (path or URL)"
|
|
59
|
+
→ repoPath
|
|
60
|
+
|
|
61
|
+
2. Target Conference
|
|
62
|
+
Options: NeurIPS | ICML | ICLR | ACL | AAAI | COLM | Other
|
|
63
|
+
→ targetConference
|
|
64
|
+
|
|
65
|
+
3. Paper Type
|
|
66
|
+
Options: Full Paper | Short Paper | Workshop Paper
|
|
67
|
+
→ paperType
|
|
68
|
+
|
|
69
|
+
4. Output Directory
|
|
70
|
+
"Where should the paper be written? (default: ./paper/)"
|
|
71
|
+
→ outputDir
|
|
72
|
+
|
|
73
|
+
5. Existing Materials
|
|
74
|
+
"Any existing drafts, notes, or outlines to build on? (path or 'none')"
|
|
75
|
+
→ existingMaterials
|
|
76
|
+
|
|
77
|
+
6. Writing Language
|
|
78
|
+
Options: English | Chinese | Bilingual
|
|
79
|
+
→ writingLanguage
|
|
80
|
+
```
|
|
81
|
+
|
|
82
|
+
Store responses as `paperPreferences` context for all phases.
|
|
83
|
+
|
|
84
|
+
## Auto Mode Defaults
|
|
85
|
+
|
|
86
|
+
When `workflowPreferences.autoYes === true`:
|
|
87
|
+
- Use detected repo path from cwd
|
|
88
|
+
- Default to NeurIPS format, Full Paper, English
|
|
89
|
+
- Output to `./paper/`
|
|
90
|
+
- Skip confirmation prompts within phases
|
|
91
|
+
|
|
92
|
+
## Execution Flow
|
|
93
|
+
|
|
94
|
+
> **COMPACT DIRECTIVE**: Context compression MUST check TodoWrite phase status.
|
|
95
|
+
> The phase currently marked `in_progress` is the active execution phase -- preserve its FULL content.
|
|
96
|
+
> Only compress phases marked `completed` or `pending`.
|
|
97
|
+
|
|
98
|
+
### TodoWrite Setup
|
|
99
|
+
|
|
100
|
+
```
|
|
101
|
+
Paper Writing Workflow:
|
|
102
|
+
- [ ] Phase 1: Repo Understanding — explore repo, identify contribution
|
|
103
|
+
- [ ] Phase 2: Structure Planning — plan outline, define narrative
|
|
104
|
+
- [ ] Phase 3: Section Drafting — write all sections
|
|
105
|
+
- [ ] Phase 4: Citation Management — find, verify, format citations
|
|
106
|
+
- [ ] Phase 5: Anti-AI Polish — remove AI patterns, humanize prose
|
|
107
|
+
- [ ] Phase 6: Conference Formatting — apply template, compile
|
|
108
|
+
```
|
|
109
|
+
|
|
110
|
+
### Phase Sequence
|
|
111
|
+
|
|
112
|
+
```
|
|
113
|
+
Phase 1: Repo Understanding
|
|
114
|
+
└─ Ref: phases/01-repo-understanding.md
|
|
115
|
+
├─ Input: repoPath, existingMaterials
|
|
116
|
+
└─ Output: repoContext (contribution, results, existing citations)
|
|
117
|
+
|
|
118
|
+
Phase 2: Structure Planning
|
|
119
|
+
└─ Ref: phases/02-structure-planning.md
|
|
120
|
+
├─ Input: repoContext, targetConference, paperType
|
|
121
|
+
└─ Output: paperOutline (section plan, narrative arc, page budget)
|
|
122
|
+
|
|
123
|
+
Phase 3: Section Drafting
|
|
124
|
+
└─ Ref: phases/03-section-drafting.md
|
|
125
|
+
├─ Input: repoContext, paperOutline, writingLanguage
|
|
126
|
+
└─ Output: draftSections (all sections as LaTeX content)
|
|
127
|
+
|
|
128
|
+
Phase 4: Citation Management
|
|
129
|
+
└─ Ref: phases/04-citation-management.md
|
|
130
|
+
├─ Input: draftSections, repoContext.existingCitations
|
|
131
|
+
└─ Output: verifiedBib (references.bib), updatedDraft (citations resolved)
|
|
132
|
+
|
|
133
|
+
Phase 5: Anti-AI Polish
|
|
134
|
+
└─ Ref: phases/05-anti-ai-polish.md
|
|
135
|
+
├─ Input: updatedDraft
|
|
136
|
+
└─ Output: polishedDraft (humanized prose, AI patterns removed)
|
|
137
|
+
|
|
138
|
+
Phase 6: Conference Formatting
|
|
139
|
+
└─ Ref: phases/06-conference-formatting.md
|
|
140
|
+
├─ Input: polishedDraft, verifiedBib, targetConference
|
|
141
|
+
└─ Output: paper.tex (complete manuscript ready for compilation)
|
|
142
|
+
```
|
|
143
|
+
|
|
144
|
+
**Phase Reference Documents** (read on-demand when phase executes):
|
|
145
|
+
|
|
146
|
+
| Phase | Document | Purpose | Compact |
|
|
147
|
+
|-------|----------|---------|---------|
|
|
148
|
+
| 1 | [phases/01-repo-understanding.md](phases/01-repo-understanding.md) | Explore repo, identify contribution | TodoWrite driven |
|
|
149
|
+
| 2 | [phases/02-structure-planning.md](phases/02-structure-planning.md) | Plan outline, define narrative | TodoWrite driven |
|
|
150
|
+
| 3 | [phases/03-section-drafting.md](phases/03-section-drafting.md) | Write all paper sections | TodoWrite driven + sentinel |
|
|
151
|
+
| 4 | [phases/04-citation-management.md](phases/04-citation-management.md) | Find, verify, format citations | TodoWrite driven + sentinel |
|
|
152
|
+
| 5 | [phases/05-anti-ai-polish.md](phases/05-anti-ai-polish.md) | Remove AI patterns, humanize | TodoWrite driven + sentinel |
|
|
153
|
+
| 6 | [phases/06-conference-formatting.md](phases/06-conference-formatting.md) | Apply template, compile | TodoWrite driven |
|
|
154
|
+
|
|
155
|
+
**Compact Rules**:
|
|
156
|
+
1. **TodoWrite `in_progress`** → preserve full content, do not compress
|
|
157
|
+
2. **TodoWrite `completed`** → may compress to summary
|
|
158
|
+
3. **sentinel fallback** → phases marked with sentinel contain compact sentinel; if only sentinel remains after compression, **must immediately `Read()` to recover before continuing**
|
|
159
|
+
|
|
160
|
+
## Core Rules
|
|
161
|
+
|
|
162
|
+
1. **Citation integrity**: NEVER generate BibTeX from memory. Always verify via WebSearch + Google Scholar. Mark unverifiable as `[CITATION NEEDED]`.
|
|
163
|
+
2. **One contribution**: The paper tells one story. Every section supports the central narrative.
|
|
164
|
+
3. **Proactive delivery**: Write full drafts, flag uncertainties. Do not block waiting for per-section approval.
|
|
165
|
+
4. **Conference compliance**: Respect page limits, required sections, and anonymization requirements.
|
|
166
|
+
5. **Anti-AI mandatory**: All prose must pass anti-AI pattern detection before final output.
|
|
167
|
+
|
|
168
|
+
## Input Processing
|
|
169
|
+
|
|
170
|
+
User input is parsed into `paperPreferences`:
|
|
171
|
+
|
|
172
|
+
```
|
|
173
|
+
REPO: [path to research repository]
|
|
174
|
+
CONFERENCE: [NeurIPS | ICML | ICLR | ACL | AAAI | COLM]
|
|
175
|
+
TYPE: [Full | Short | Workshop]
|
|
176
|
+
OUTPUT: [output directory path]
|
|
177
|
+
MATERIALS: [path to existing drafts or 'none']
|
|
178
|
+
LANGUAGE: [English | Chinese | Bilingual]
|
|
179
|
+
```
|
|
180
|
+
|
|
181
|
+
If user provides free text like "write a paper about my transformer project", extract:
|
|
182
|
+
- Repo path from context or ask
|
|
183
|
+
- Default conference to NeurIPS
|
|
184
|
+
- Default type to Full Paper
|
|
185
|
+
- Default language to English
|
|
186
|
+
|
|
187
|
+
## Data Flow
|
|
188
|
+
|
|
189
|
+
```
|
|
190
|
+
Phase 1 ──repoContext──→ Phase 2
|
|
191
|
+
Phase 2 ──paperOutline──→ Phase 3
|
|
192
|
+
Phase 1 ──repoContext──→ Phase 3
|
|
193
|
+
Phase 3 ──draftSections──→ Phase 4
|
|
194
|
+
Phase 4 ──updatedDraft + verifiedBib──→ Phase 5
|
|
195
|
+
Phase 5 ──polishedDraft──→ Phase 6
|
|
196
|
+
Phase 4 ──verifiedBib──→ Phase 6
|
|
197
|
+
|
|
198
|
+
Data persistence: All intermediate outputs written to outputDir/
|
|
199
|
+
outputDir/.writing/
|
|
200
|
+
├── repo-context.md (Phase 1 output)
|
|
201
|
+
├── paper-outline.md (Phase 2 output)
|
|
202
|
+
├── drafts/ (Phase 3 output)
|
|
203
|
+
│ ├── abstract.tex
|
|
204
|
+
│ ├── introduction.tex
|
|
205
|
+
│ ├── methods.tex
|
|
206
|
+
│ ├── experiments.tex
|
|
207
|
+
│ ├── related-work.tex
|
|
208
|
+
│ ├── conclusion.tex
|
|
209
|
+
│ └── appendix.tex
|
|
210
|
+
├── references.bib (Phase 4 output)
|
|
211
|
+
├── polished/ (Phase 5 output)
|
|
212
|
+
│ └── (same structure as drafts/)
|
|
213
|
+
└── paper.tex (Phase 6 output)
|
|
214
|
+
```
|
|
215
|
+
|
|
216
|
+
## TodoWrite Pattern
|
|
217
|
+
|
|
218
|
+
### Phase Start (Attach)
|
|
219
|
+
```
|
|
220
|
+
When Phase N begins:
|
|
221
|
+
→ Mark Phase N as in_progress in TodoWrite
|
|
222
|
+
→ Add sub-tasks for Phase N steps
|
|
223
|
+
→ Execute sub-tasks sequentially
|
|
224
|
+
```
|
|
225
|
+
|
|
226
|
+
### Phase End (Collapse)
|
|
227
|
+
```
|
|
228
|
+
When Phase N completes:
|
|
229
|
+
→ Mark all Phase N sub-tasks as completed
|
|
230
|
+
→ Collapse to summary: "Phase N complete: [key output]"
|
|
231
|
+
→ Mark Phase N+1 as in_progress
|
|
232
|
+
```
|
|
233
|
+
|
|
234
|
+
## Post-Phase Updates
|
|
235
|
+
|
|
236
|
+
Between phases, update a running paper-notes document:
|
|
237
|
+
|
|
238
|
+
```markdown
|
|
239
|
+
# Paper Writing Notes (accumulated)
|
|
240
|
+
|
|
241
|
+
## Contribution (Phase 1)
|
|
242
|
+
[One-sentence contribution statement]
|
|
243
|
+
|
|
244
|
+
## Outline (Phase 2)
|
|
245
|
+
[Section structure with page budgets]
|
|
246
|
+
|
|
247
|
+
## Draft Status (Phase 3)
|
|
248
|
+
[Section completion status]
|
|
249
|
+
|
|
250
|
+
## Citation Status (Phase 4)
|
|
251
|
+
[Verified count / placeholder count]
|
|
252
|
+
|
|
253
|
+
## Polish Status (Phase 5)
|
|
254
|
+
[Anti-AI score per section]
|
|
255
|
+
```
|
|
256
|
+
|
|
257
|
+
Written to: `outputDir/.writing/paper-notes.md`
|
|
258
|
+
|
|
259
|
+
## Error Handling
|
|
260
|
+
|
|
261
|
+
| Error | Action |
|
|
262
|
+
|-------|--------|
|
|
263
|
+
| Repo path invalid | Ask user for correct path |
|
|
264
|
+
| Cannot identify contribution | Present top 3 candidates, ask user to choose |
|
|
265
|
+
| Citation not found | Mark `[CITATION NEEDED]`, continue, report at end |
|
|
266
|
+
| LaTeX compilation fails | Fix common errors (missing packages, encoding), retry once |
|
|
267
|
+
| Anti-AI score below 35 | Re-polish section, flag for manual review |
|
|
268
|
+
| Page limit exceeded | Suggest specific cuts (move proofs to appendix, condense related work) |
|
|
269
|
+
|
|
270
|
+
## Coordinator Checklist
|
|
271
|
+
|
|
272
|
+
### Before Each Phase
|
|
273
|
+
- [ ] Previous phase output exists and is valid
|
|
274
|
+
- [ ] TodoWrite updated (current phase in_progress)
|
|
275
|
+
- [ ] Required inputs available
|
|
276
|
+
|
|
277
|
+
### After Each Phase
|
|
278
|
+
- [ ] Output files written to outputDir/.writing/
|
|
279
|
+
- [ ] paper-notes.md updated
|
|
280
|
+
- [ ] TodoWrite collapsed (phase completed)
|
|
281
|
+
- [ ] User notified of phase completion and key decisions made
|
|
282
|
+
|
|
283
|
+
### Final Checklist
|
|
284
|
+
- [ ] All 6 phases completed
|
|
285
|
+
- [ ] paper.tex compiles without errors
|
|
286
|
+
- [ ] All citations verified (no remaining `[CITATION NEEDED]`)
|
|
287
|
+
- [ ] Anti-AI score >= 35 for all sections
|
|
288
|
+
- [ ] Page limit respected
|
|
289
|
+
- [ ] Anonymization applied (for blind review)
|
|
290
|
+
- [ ] Conference checklist completed (if required)
|
|
291
|
+
|
|
292
|
+
## Related Skills
|
|
293
|
+
|
|
294
|
+
- **scholar-ideation**: Use before this skill to develop research ideas
|
|
295
|
+
- **scholar-experiment**: Use before this skill to run experiments
|
|
296
|
+
- **scholar-review**: Use after this skill to review/revise the paper
|
|
@@ -0,0 +1,244 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: security-audit
|
|
3
|
+
description: "OWASP Top 10 and STRIDE security auditing with supply chain analysis Arguments: [quick|standard|deep] [--scope <path>]"
|
|
4
|
+
allowed-tools: Read Write Bash Glob Grep Agent AskUserQuestion
|
|
5
|
+
---
|
|
6
|
+
|
|
7
|
+
<purpose>
|
|
8
|
+
Systematic security audit covering OWASP Top 10, dependency supply chain, secrets detection,
|
|
9
|
+
CI/CD pipeline review, and optional STRIDE threat modeling. Three tiers control depth vs speed.
|
|
10
|
+
</purpose>
|
|
11
|
+
|
|
12
|
+
<required_reading>
|
|
13
|
+
@~/.maestro/workflows/review.md
|
|
14
|
+
</required_reading>
|
|
15
|
+
|
|
16
|
+
<context>
|
|
17
|
+
$ARGUMENTS — Parse tier and scope:
|
|
18
|
+
- Tier: `quick` (default) | `standard` | `deep`
|
|
19
|
+
- `--scope <path>`: Limit scan to directory (default: project root)
|
|
20
|
+
|
|
21
|
+
**Tier coverage:**
|
|
22
|
+
|
|
23
|
+
| Tier | OWASP | Dependencies | Secrets | CI/CD | STRIDE | Git History |
|
|
24
|
+
|------|-------|-------------|---------|-------|--------|-------------|
|
|
25
|
+
| quick | ✓ | ✓ | — | — | — | — |
|
|
26
|
+
| standard | ✓ | ✓ | ✓ | ✓ | — | — |
|
|
27
|
+
| deep | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
|
|
28
|
+
|
|
29
|
+
**Output boundary**: ALL file writes MUST target `.workflow/scratch/{YYYYMMDD}-security-audit-{tier}-{slug}/` or `.workflow/state.json` only. NEVER modify source code, configuration files, or dependencies. Audit is read-only analysis.
|
|
30
|
+
</context>
|
|
31
|
+
|
|
32
|
+
<invariants>
|
|
33
|
+
1. **Audit is read-only** — NEVER modify source code, configuration, dependencies, or CI/CD files during audit. Security audit produces reports only.
|
|
34
|
+
2. **Findings require file:line evidence** — every finding MUST reference a specific file:line location and include the vulnerable code pattern. No vague or category-only findings.
|
|
35
|
+
3. **Severity NEVER downgraded without justification** — if a finding matches a known OWASP category, its severity follows OWASP guidance. Downgrading requires documented rationale (e.g., compensating control exists).
|
|
36
|
+
4. **Tier coverage is mandatory** — all scan phases required by the selected tier MUST complete. NEVER skip a tier-required phase silently; failures are logged as W00x warnings.
|
|
37
|
+
5. **False positive marking requires evidence** — marking a finding as false positive MUST include the compensating control or code path that prevents exploitation. NEVER dismiss findings without counter-evidence.
|
|
38
|
+
6. **Secrets are never logged** — if secrets are discovered, report their location (file:line) and type but NEVER include the actual secret value in the report output.
|
|
39
|
+
</invariants>
|
|
40
|
+
|
|
41
|
+
<execution>
|
|
42
|
+
|
|
43
|
+
### Phase Gates (MANDATORY, BLOCKING)
|
|
44
|
+
|
|
45
|
+
**GATE 1: Recon → Scan**
|
|
46
|
+
- REQUIRED: Tech stack detected and entry points identified.
|
|
47
|
+
- REQUIRED: Auth/authz modules listed and data flow mapped.
|
|
48
|
+
- BLOCKED if missing: cannot scan without entry points and data flow baseline.
|
|
49
|
+
|
|
50
|
+
**GATE 2: Scan → Report** (tier-gated)
|
|
51
|
+
- REQUIRED: OWASP Top 10 scan completed (all tiers).
|
|
52
|
+
- REQUIRED: Dependency audit completed (all tiers).
|
|
53
|
+
- REQUIRED: Secrets + CI/CD scan completed (standard/deep only).
|
|
54
|
+
- REQUIRED: STRIDE + git history completed (deep only).
|
|
55
|
+
- BLOCKED if tier-required scans incomplete: finish all tier-applicable phases before reporting.
|
|
56
|
+
|
|
57
|
+
**GATE 3: Report → Completion**
|
|
58
|
+
- REQUIRED: Severity matrix produced with file:line references and remediation.
|
|
59
|
+
- REQUIRED: Artifact registered in state.json.
|
|
60
|
+
- BLOCKED if missing: do not emit completion status without severity matrix.
|
|
61
|
+
|
|
62
|
+
**Phase 1: Reconnaissance**
|
|
63
|
+
|
|
64
|
+
1. Detect tech stack from package.json / go.mod / requirements.txt / Cargo.toml
|
|
65
|
+
2. Identify entry points: HTTP handlers, API routes, CLI parsers, WebSocket handlers
|
|
66
|
+
3. List authentication/authorization modules
|
|
67
|
+
4. Map data flow: user input → processing → storage → output
|
|
68
|
+
|
|
69
|
+
**Phase 2: OWASP Top 10 Scan** (all tiers)
|
|
70
|
+
|
|
71
|
+
For each category, scan relevant source files:
|
|
72
|
+
|
|
73
|
+
| # | Category | What to check |
|
|
74
|
+
|---|----------|--------------|
|
|
75
|
+
| A01 | Broken Access Control | Missing auth middleware, direct object references, path traversal |
|
|
76
|
+
| A02 | Cryptographic Failures | Weak algorithms, hardcoded keys, missing TLS, plaintext storage |
|
|
77
|
+
| A03 | Injection | SQL concatenation, shell exec with user input, template injection |
|
|
78
|
+
| A04 | Insecure Design | Missing rate limits, no CSRF tokens, predictable tokens |
|
|
79
|
+
| A05 | Security Misconfiguration | Debug mode, default credentials, verbose errors, open CORS |
|
|
80
|
+
| A06 | Vulnerable Components | Known CVEs in dependencies |
|
|
81
|
+
| A07 | Auth Failures | Weak password rules, missing brute-force protection, session fixation |
|
|
82
|
+
| A08 | Data Integrity | Deserialization of untrusted data, unsigned updates |
|
|
83
|
+
| A09 | Logging Failures | Missing audit logs, logging sensitive data |
|
|
84
|
+
| A10 | SSRF | Unvalidated URLs in server-side requests |
|
|
85
|
+
|
|
86
|
+
Use `Grep` for pattern matching (e.g., `eval(`, `exec(`, `innerHTML`, `dangerouslySetInnerHTML`,
|
|
87
|
+
`sql.*\+.*req\.`, `process\.env` without validation).
|
|
88
|
+
|
|
89
|
+
**Phase 3: Dependency Audit** (all tiers)
|
|
90
|
+
|
|
91
|
+
```bash
|
|
92
|
+
# Node.js
|
|
93
|
+
npm audit --json 2>/dev/null || true
|
|
94
|
+
# Check lockfile integrity
|
|
95
|
+
test -f package-lock.json && echo "lockfile present" || echo "WARNING: no lockfile"
|
|
96
|
+
```
|
|
97
|
+
|
|
98
|
+
Check for:
|
|
99
|
+
- Known vulnerabilities (CVE references)
|
|
100
|
+
- Lockfile presence and integrity
|
|
101
|
+
- Typosquatting risk on critical dependencies (manually check suspicious names)
|
|
102
|
+
|
|
103
|
+
**Phase 4: Secrets Detection** (standard + deep)
|
|
104
|
+
|
|
105
|
+
```
|
|
106
|
+
Grep({
|
|
107
|
+
pattern: "(password|secret|api.?key|token|credential).*=.*['\"][^'\"]{8,}",
|
|
108
|
+
glob: "*.{ts,js,json,env*}",
|
|
109
|
+
output_mode: "content"
|
|
110
|
+
})
|
|
111
|
+
```
|
|
112
|
+
|
|
113
|
+
Check `.env.example` for leaked values. Check `.gitignore` for missing `.env` patterns.
|
|
114
|
+
|
|
115
|
+
**Phase 5: CI/CD Audit** (standard + deep)
|
|
116
|
+
|
|
117
|
+
Scan `.github/workflows/*.yml` for:
|
|
118
|
+
- Overly permissive `permissions:` (write-all, contents: write)
|
|
119
|
+
- Unpinned action versions (`uses: actions/checkout@main` vs `@v4.1.0`)
|
|
120
|
+
- Secrets in logs (missing `mask` or `add-mask`)
|
|
121
|
+
- Pull request trigger with `pull_request_target` (code injection risk)
|
|
122
|
+
|
|
123
|
+
**Phase 6: STRIDE Threat Modeling** (deep only)
|
|
124
|
+
|
|
125
|
+
For each critical module identified in Phase 1:
|
|
126
|
+
|
|
127
|
+
| Threat | Question |
|
|
128
|
+
|--------|----------|
|
|
129
|
+
| **S**poofing | Can identity be faked? Is auth per-request? |
|
|
130
|
+
| **T**ampering | Can data be modified in transit/storage? Integrity checks? |
|
|
131
|
+
| **R**epudiation | Are actions logged with user identity? |
|
|
132
|
+
| **I**nformation Disclosure | Can unauthorized data be accessed? |
|
|
133
|
+
| **D**enial of Service | Resource limits? Rate limiting? |
|
|
134
|
+
| **E**levation of Privilege | Can roles be escalated? Input validation on role fields? |
|
|
135
|
+
|
|
136
|
+
**Phase 7: Git History Archaeology** (deep only)
|
|
137
|
+
|
|
138
|
+
```bash
|
|
139
|
+
# Search for previously committed secrets
|
|
140
|
+
git log --all --diff-filter=D --name-only --pretty=format: -- "*.env" "*.key" "*.pem" 2>/dev/null | head -20
|
|
141
|
+
git log -p --all -S "password" --since="1 year ago" -- "*.ts" "*.js" 2>/dev/null | head -50
|
|
142
|
+
```
|
|
143
|
+
|
|
144
|
+
**Phase 8: Report**
|
|
145
|
+
|
|
146
|
+
Output severity matrix:
|
|
147
|
+
|
|
148
|
+
```
|
|
149
|
+
=== Security Audit ({tier}) ===
|
|
150
|
+
|
|
151
|
+
CRITICAL ({count}):
|
|
152
|
+
- [A03] SQL injection in {file}:{line} — {description}
|
|
153
|
+
Fix: {remediation}
|
|
154
|
+
|
|
155
|
+
HIGH ({count}):
|
|
156
|
+
...
|
|
157
|
+
|
|
158
|
+
MEDIUM ({count}):
|
|
159
|
+
...
|
|
160
|
+
|
|
161
|
+
LOW ({count}):
|
|
162
|
+
...
|
|
163
|
+
|
|
164
|
+
Summary: {total} findings ({critical} critical, {high} high, {medium} medium, {low} low)
|
|
165
|
+
```
|
|
166
|
+
|
|
167
|
+
**Register artifact on completion:**
|
|
168
|
+
|
|
169
|
+
Confirm before writing:
|
|
170
|
+
```
|
|
171
|
+
AskUserQuestion("Register security-audit artifact RVW-{NNN} in state.json? (yes/no)")
|
|
172
|
+
→ yes: proceed with write
|
|
173
|
+
→ no: skip registration, continue to completion
|
|
174
|
+
```
|
|
175
|
+
|
|
176
|
+
```
|
|
177
|
+
Append to state.json.artifacts[]:
|
|
178
|
+
{
|
|
179
|
+
id: nextArtifactId(artifacts, "review"), // RVW-NNN (security-audit reuses review type)
|
|
180
|
+
type: "review",
|
|
181
|
+
subtype: "security-audit",
|
|
182
|
+
milestone: current_milestone || null,
|
|
183
|
+
phase: target_phase || null,
|
|
184
|
+
scope: target_phase ? "phase" : "standalone",
|
|
185
|
+
path: "scratch/{YYYYMMDD}-security-audit-{tier}-{slug}",
|
|
186
|
+
status: critical_count == 0 ? "completed" : "completed_with_concerns",
|
|
187
|
+
tier: tier, // quick|standard|deep
|
|
188
|
+
harvested: false,
|
|
189
|
+
created_at: start_time,
|
|
190
|
+
completed_at: now()
|
|
191
|
+
}
|
|
192
|
+
```
|
|
193
|
+
Write findings report to the same `path` (severity matrix, file:line refs, remediation).
|
|
194
|
+
</execution>
|
|
195
|
+
|
|
196
|
+
<completion>
|
|
197
|
+
### Standalone report
|
|
198
|
+
|
|
199
|
+
```
|
|
200
|
+
--- COMPLETION STATUS ---
|
|
201
|
+
STATUS: DONE|DONE_WITH_CONCERNS
|
|
202
|
+
CONCERNS: {count} critical findings require immediate action
|
|
203
|
+
--- END STATUS ---
|
|
204
|
+
```
|
|
205
|
+
|
|
206
|
+
Status mapping:
|
|
207
|
+
- **DONE** — No critical/high findings
|
|
208
|
+
- **DONE_WITH_CONCERNS** — Critical/high findings documented with remediation
|
|
209
|
+
|
|
210
|
+
### Ralph-invoked completion
|
|
211
|
+
|
|
212
|
+
End the step by calling the CLI (no text block output):
|
|
213
|
+
```
|
|
214
|
+
maestro ralph complete <idx> --status {STATUS} [--evidence {path}]
|
|
215
|
+
```
|
|
216
|
+
|
|
217
|
+
### Next-step routing
|
|
218
|
+
|
|
219
|
+
| Condition | Suggestion |
|
|
220
|
+
|-----------|-----------|
|
|
221
|
+
| No critical findings | `/quality-review {phase}` |
|
|
222
|
+
| Critical findings need fix | `/maestro-plan {phase} --gaps` |
|
|
223
|
+
| Need deeper analysis | `/security-audit deep --scope {path}` |
|
|
224
|
+
| Want dependency remediation | Fix vulnerabilities, then re-run `/security-audit` |
|
|
225
|
+
</completion>
|
|
226
|
+
|
|
227
|
+
<error_codes>
|
|
228
|
+
| Code | Severity | Condition | Recovery |
|
|
229
|
+
|------|----------|-----------|----------|
|
|
230
|
+
| E001 | error | No source files found in scope | Verify --scope path exists |
|
|
231
|
+
| E002 | error | Tech stack not detected | Manually specify entry points |
|
|
232
|
+
| W001 | warning | npm audit / dependency tool unavailable | Skip dependency phase, note limitation |
|
|
233
|
+
| W002 | warning | Git history scan failed | Skip Phase 7, note limitation |
|
|
234
|
+
| W003 | warning | Partial scan (some files inaccessible) | Report coverage gap in findings |
|
|
235
|
+
</error_codes>
|
|
236
|
+
|
|
237
|
+
<success_criteria>
|
|
238
|
+
- [ ] Tech stack identified and entry points mapped
|
|
239
|
+
- [ ] OWASP Top 10 categories all checked (tier-appropriate)
|
|
240
|
+
- [ ] Dependency audit completed with CVE listing
|
|
241
|
+
- [ ] Severity matrix produced with file:line references
|
|
242
|
+
- [ ] Each finding includes remediation suggestion
|
|
243
|
+
- [ ] Completion status block emitted
|
|
244
|
+
</success_criteria>
|