pluidr 0.7.6 → 0.8.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (88) hide show
  1. package/LICENSE +20 -20
  2. package/README.md +409 -399
  3. package/bin/pluidr.js +3 -3
  4. package/package.json +1 -1
  5. package/src/cli/commands/doctor.js +137 -134
  6. package/src/cli/commands/init.js +146 -47
  7. package/src/cli/commands/launch.js +101 -50
  8. package/src/cli/commands/theme.js +91 -0
  9. package/src/cli/commands/theme.test.js +28 -0
  10. package/src/cli/commands/uninstall.js +109 -90
  11. package/src/cli/commands/update.js +9 -9
  12. package/src/cli/index.js +63 -57
  13. package/src/cli/wizard/selectModelTier.js +40 -40
  14. package/src/core/agentPromptWriter.js +49 -32
  15. package/src/core/agentPromptWriter.test.js +56 -56
  16. package/src/core/animation.js +84 -0
  17. package/src/core/animation.test.js +118 -0
  18. package/src/core/backup.js +46 -46
  19. package/src/core/commandsWriter.js +26 -0
  20. package/src/core/commandsWriter.test.js +29 -0
  21. package/src/core/configBuilder.js +32 -32
  22. package/src/core/configBuilder.test.js +93 -93
  23. package/src/core/configWriter.js +10 -10
  24. package/src/core/configWriter.test.js +1 -1
  25. package/src/core/identityHeader.js +8 -8
  26. package/src/core/paths.js +13 -11
  27. package/src/core/paths.test.js +33 -29
  28. package/src/core/pluginWriter.js +43 -29
  29. package/src/core/skillsWriter.js +21 -0
  30. package/src/core/skillsWriter.test.js +30 -0
  31. package/src/core/squeezeInstaller.js +158 -158
  32. package/src/core/squeezeInstaller.test.js +79 -79
  33. package/src/core/themeWriter.js +18 -4
  34. package/src/core/themeWriter.test.js +2 -2
  35. package/src/core/tuiConfigWriter.js +22 -3
  36. package/src/core/tuiConfigWriter.test.js +11 -5
  37. package/src/core/version.js +8 -8
  38. package/src/core/versionCheck.js +44 -44
  39. package/src/plugins/README.md +57 -68
  40. package/src/plugins/pluidr-squeeze.js +77 -77
  41. package/src/templates/agent-prompts/analyze.txt +49 -0
  42. package/src/templates/agent-prompts/builder.txt +10 -0
  43. package/src/templates/agent-prompts/compose.txt +50 -0
  44. package/src/templates/agent-prompts/debug.txt +49 -0
  45. package/src/templates/agent-prompts/explorer.txt +10 -0
  46. package/src/templates/agent-prompts/hierarchy.txt +101 -95
  47. package/src/templates/agent-prompts/reporter.txt +10 -0
  48. package/src/templates/agent-prompts/verifier.txt +10 -0
  49. package/src/templates/commands/squeeze-dashboard.md +5 -0
  50. package/src/templates/commands/squeeze-health.md +10 -0
  51. package/src/templates/commands/squeeze-quick.md +10 -0
  52. package/src/templates/model-defaults.json +59 -73
  53. package/src/templates/opencode.config.json +243 -572
  54. package/src/templates/skills/brooks-lint-rca/SKILL.md +48 -0
  55. package/src/templates/skills/codebase-fact-finding/SKILL.md +39 -0
  56. package/src/templates/skills/diff-review/SKILL.md +42 -0
  57. package/src/templates/skills/general-coding/SKILL.md +44 -0
  58. package/src/templates/skills/minimal-fixing/SKILL.md +25 -0
  59. package/src/templates/skills/plan-checking/SKILL.md +33 -0
  60. package/src/templates/{agent-prompts/patcher.txt → skills/ponytail-patching/SKILL.md} +20 -20
  61. package/src/templates/skills/prd-formatting/SKILL.md +45 -0
  62. package/src/templates/skills/refactoring-patterns/SKILL.md +37 -0
  63. package/src/templates/skills/security-auditing/SKILL.md +35 -0
  64. package/src/templates/skills/security-remediation/SKILL.md +37 -0
  65. package/src/templates/skills/summary-reporting/SKILL.md +83 -0
  66. package/src/templates/skills/test-assurance/SKILL.md +48 -0
  67. package/src/templates/skills/test-mocking-strategy/SKILL.md +18 -0
  68. package/src/templates/skills/ui-design-audit/SKILL.md +23 -0
  69. package/src/templates/skills/ui-design-system/SKILL.md +37 -0
  70. package/src/templates/{agent-prompts/tracer.txt → skills/wstg-recon/SKILL.md} +33 -33
  71. package/src/templates/themes/pluidr-colorful.json +241 -0
  72. package/src/templates/themes/{pluidr-contrast.json → pluidr-dark.json} +68 -68
  73. package/src/templates/themes/pluidr-light.json +241 -0
  74. package/src/templates/agent-prompts/auditor.txt +0 -20
  75. package/src/templates/agent-prompts/coder.txt +0 -88
  76. package/src/templates/agent-prompts/compose-reporter.txt +0 -55
  77. package/src/templates/agent-prompts/composer.txt +0 -414
  78. package/src/templates/agent-prompts/debug-reporter.txt +0 -65
  79. package/src/templates/agent-prompts/debugger.txt +0 -149
  80. package/src/templates/agent-prompts/fixer.txt +0 -66
  81. package/src/templates/agent-prompts/inspector.txt +0 -79
  82. package/src/templates/agent-prompts/plan-checker.txt +0 -45
  83. package/src/templates/agent-prompts/plan-writer.txt +0 -57
  84. package/src/templates/agent-prompts/probe-reporter.txt +0 -62
  85. package/src/templates/agent-prompts/prober.txt +0 -93
  86. package/src/templates/agent-prompts/researcher.txt +0 -48
  87. package/src/templates/agent-prompts/reviewer.txt +0 -57
  88. package/src/templates/agent-prompts/tester.txt +0 -66
@@ -1,44 +1,44 @@
1
- import { execFileSync, execSync } from "node:child_process"
2
- import { confirm, isCancel } from "@clack/prompts"
3
-
4
- export function fetchLatestVersion() {
5
- try {
6
- if (process.platform === "win32") {
7
- return execSync("npm view pluidr version", { stdio: "pipe", timeout: 1500 })
8
- .toString()
9
- .trim()
10
- }
11
- return execFileSync("npm", ["view", "pluidr", "version"], { stdio: "pipe", timeout: 1500 })
12
- .toString()
13
- .trim()
14
- } catch {
15
- return null
16
- }
17
- }
18
-
19
- export async function checkAndPromptUpdate(currentVersion) {
20
- process.stdout.write("Checking for updates... ")
21
-
22
- const latest = fetchLatestVersion()
23
- if (!latest) {
24
- console.log("⚠ Could not reach npm registry — skipping")
25
- return false
26
- }
27
-
28
- if (latest === currentVersion) {
29
- console.log(`✓ Up to date (${currentVersion})`)
30
- return false
31
- }
32
-
33
- console.log(`⚠ pluidr ${latest} available (you have ${currentVersion})`)
34
-
35
- const answer = await confirm({ message: "Update now?", initialValue: true })
36
- if (isCancel(answer) || !answer) return false
37
-
38
- if (process.platform === "win32") {
39
- execSync("npm install -g pluidr", { stdio: "inherit" })
40
- } else {
41
- execFileSync("npm", ["install", "-g", "pluidr"], { stdio: "inherit" })
42
- }
43
- return true
44
- }
1
+ import { execFileSync, execSync } from "node:child_process"
2
+ import { confirm, isCancel } from "@clack/prompts"
3
+
4
+ export function fetchLatestVersion() {
5
+ try {
6
+ if (process.platform === "win32") {
7
+ return execSync("npm view pluidr version", { stdio: "pipe", timeout: 1500 })
8
+ .toString()
9
+ .trim()
10
+ }
11
+ return execFileSync("npm", ["view", "pluidr", "version"], { stdio: "pipe", timeout: 1500 })
12
+ .toString()
13
+ .trim()
14
+ } catch {
15
+ return null
16
+ }
17
+ }
18
+
19
+ export async function checkAndPromptUpdate(currentVersion) {
20
+ process.stdout.write("Checking for updates... ")
21
+
22
+ const latest = fetchLatestVersion()
23
+ if (!latest) {
24
+ console.log("⚠ Could not reach npm registry — skipping")
25
+ return false
26
+ }
27
+
28
+ if (latest === currentVersion) {
29
+ console.log(`✓ Up to date (${currentVersion})`)
30
+ return false
31
+ }
32
+
33
+ console.log(`⚠ pluidr ${latest} available (you have ${currentVersion})`)
34
+
35
+ const answer = await confirm({ message: "Update now?", initialValue: true })
36
+ if (isCancel(answer) || !answer) return false
37
+
38
+ if (process.platform === "win32") {
39
+ execSync("npm install -g pluidr", { stdio: "inherit" })
40
+ } else {
41
+ execFileSync("npm", ["install", "-g", "pluidr"], { stdio: "inherit" })
42
+ }
43
+ return true
44
+ }
@@ -1,68 +1,57 @@
1
- # Bundled plugins
2
-
3
- This folder holds plugin source files that `pluidr init` copies into the
4
- user's OpenCode plugin directory (`~/.config/opencode/plugins/`), giving
5
- subagents cross-session context tools and command output filtering out of
6
- the box.
7
-
8
- ## `pluidr-flow.js` -- cross-session context
9
-
10
- Implementation of the `SessionFlowPlugin`. Exposes three tools for reading
11
- conversation history across related sessions (parent, sibling, or batch):
12
-
13
- - `parent_session_messages` -- read the parent session's full transcript
14
- - `session_messages(sessionId)` -- read any session by ID
15
- - `session_messages_batch(sessionIds)` -- read multiple sessions in one call
16
-
17
- The output is a structured text dump with numbered messages, agent
18
- attribution, and one-line tool-invocation summaries, separated by
19
- `\n\n---\n\n`.
20
-
21
- ## `pluidr-squeeze.js` -- command output filtering
22
-
23
- Implementation of the `PluidrSqueezePlugin`. Hooks into `tool.execute.before`
24
- to rewrite bash commands through the local `squeeze` binary (built on the `rtk`
25
- engine). The binary filters, groups, truncates, and deduplicates command
26
- output -- saving 60–90% of tokens across all agents.
27
-
28
- The plugin is a thin delegator: all rewrite logic lives in the engine binary.
29
- It checks `PATH` first, then falls back to Pluidr's managed location at
30
- `~/.config/opencode/bin/squeeze`. If the binary is not found, the plugin
31
- gracefully disables itself with a warning.
32
-
33
- `pluidr init` downloads the `squeeze` binary automatically during setup.
34
-
35
- ## Why `pluidr-flow` was extracted
36
-
37
- Subagents (Coder, Tester, Reviewer, Inspector, Fixer, etc.) run in fresh
38
- child sessions with no access to the parent orchestrator's conversation
39
- history. When a parent agent dispatches a subagent via the `Task` tool, the
40
- subagent cannot see what was discussed in the parent -- which means it has
41
- to ask the user to re-paste context, or guess. `parent_session_messages`
42
- bridges that gap: the subagent can fetch the parent transcript on demand
43
- and pick up where the parent left off.
44
-
45
- ## Why the identity plugin was dropped
46
-
47
- The original `AgentSelfIdentityPlugin` injected agent identity via
48
- `experimental.chat.*` hooks. Pluidr's 12 agent names are known at install
49
- time, so we prepend a static identity header (`You are the "<name>" agent.`)
50
- to every generated prompt file. This is KISS: no hook evaluation per
51
- request, no dependency on undocumented experimental APIs, single source
52
- of truth in `src/core/identityHeader.js`.
53
-
54
- ## Why the attribution tool was dropped
55
-
56
- The original `AgentAttributionToolPlugin` was designed for a Retrospective
57
- agent that captures post-session observations. Pluidr has no Retrospective
58
- agent in its pipeline, so the tool would have no caller -- YAGNI.
59
-
60
- ## How they are loaded
61
-
62
- `pluidr init` copies both plugins into `~/.config/opencode/plugins/` and
63
- writes a `package.json` declaring `@opencode-ai/plugin: ^1.17.9` as a
64
- dependency. For `pluidr-squeeze`, it also downloads and extracts the `squeeze`
65
- engine binary to `~/.config/opencode/bin/`. On OpenCode's first launch, the
66
- bundled Bun runtime detects the `package.json` and runs `bun install`
67
- automatically -- no user action required. Once installed, both plugins are
68
- available to every agent that has the appropriate permissions.
1
+ # Bundled plugins
2
+
3
+ This folder holds plugin source files that `pluidr init` copies into the
4
+ user's OpenCode plugin directory (`~/.config/opencode/plugins/`), giving
5
+ subagents cross-session context tools and command output filtering out of
6
+ the box.
7
+
8
+ ## `pluidr-flow.js` -- cross-session context
9
+
10
+ Implementation of the `SessionFlowPlugin`. Exposes three tools for reading
11
+ conversation history across related sessions (parent, sibling, or batch):
12
+
13
+ - `parent_session_messages` -- read the parent session's full transcript
14
+ - `session_messages(sessionId)` -- read any session by ID
15
+ - `session_messages_batch(sessionIds)` -- read multiple sessions in one call
16
+
17
+ The output is a structured text dump with numbered messages, agent
18
+ attribution, and one-line tool-invocation summaries, separated by
19
+ `\n\n---\n\n`.
20
+
21
+ ## `pluidr-squeeze.js` -- context quality & session continuity
22
+
23
+ Implementation of the `PluidrSqueezePlugin` (rebranded from `token-optimizer-opencode`). Monitors context fill limits and session health, calculates ResourceHealth and SessionEfficiency metrics, alerts on loop/retry patterns, and enables seamless session continuity/restores for same-project tasks.
24
+
25
+ ## Why `pluidr-flow` was extracted
26
+
27
+ Subagents (Coder, Tester, Reviewer, Inspector, Fixer, etc.) run in fresh
28
+ child sessions with no access to the parent orchestrator's conversation
29
+ history. When a parent agent dispatches a subagent via the `Task` tool, the
30
+ subagent cannot see what was discussed in the parent -- which means it has
31
+ to ask the user to re-paste context, or guess. `parent_session_messages`
32
+ bridges that gap: the subagent can fetch the parent transcript on demand
33
+ and pick up where the parent left off.
34
+
35
+ ## Why the identity plugin was dropped
36
+
37
+ The original `AgentSelfIdentityPlugin` injected agent identity via
38
+ `experimental.chat.*` hooks. Pluidr's 12 agent names are known at install
39
+ time, so we prepend a static identity header (`You are the "<name>" agent.`)
40
+ to every generated prompt file. This is KISS: no hook evaluation per
41
+ request, no dependency on undocumented experimental APIs, single source
42
+ of truth in `src/core/identityHeader.js`.
43
+
44
+ ## Why the attribution tool was dropped
45
+
46
+ The original `AgentAttributionToolPlugin` was designed for a Retrospective
47
+ agent that captures post-session observations. Pluidr has no Retrospective
48
+ agent in its pipeline, so the tool would have no caller -- YAGNI.
49
+
50
+ ## How they are loaded
51
+
52
+ `pluidr init` copies both plugins into `~/.config/opencode/plugins/` and
53
+ writes a `package.json` declaring `@opencode-ai/plugin: ^1.17.9` as a
54
+ dependency. On OpenCode's first launch, the
55
+ bundled Bun runtime detects the `package.json` and runs `bun install`
56
+ automatically -- no user action required. Once installed, both plugins are
57
+ available to every agent that has the appropriate permissions.
@@ -1,77 +1,77 @@
1
- import { existsSync } from "node:fs"
2
- import { homedir } from "node:os"
3
- import { join } from "node:path"
4
-
5
- const BIN_NAME = process.platform === "win32" ? "squeeze.exe" : "squeeze"
6
- const SQUEEZE_BIN = join(homedir(), ".config", "opencode", "bin", BIN_NAME)
7
-
8
- function normalise(p) {
9
- return p.replace(/\\/g, "/")
10
- }
11
-
12
- // Quote a path if it contains spaces so the shell treats it as one token.
13
- export function shellQuote(p) {
14
- return p.includes(" ") ? `"${p}"` : p
15
- }
16
-
17
- // Exported for testing. When binPath is the managed full path (not "squeeze"
18
- // on PATH), the binary may output "rtk <cmd>" or "squeeze <cmd>" depending on
19
- // how it resolves its own name. Replace the leading token with the actual
20
- // binPath (quoted if it contains spaces) so the shell can find it. When
21
- // squeeze is on PATH, normalise any "rtk" prefix to "squeeze".
22
- export function resolveRewritten(rewritten, binPath) {
23
- const m = rewritten.match(/^(rtk|squeeze)(\s|$)/)
24
- if (!m) return rewritten
25
- if (binPath === "squeeze") {
26
- // squeeze is on PATH — normalise any leading binary name to "squeeze"
27
- return "squeeze" + rewritten.slice(m[1].length)
28
- }
29
- // managed path — replace leading binary name with (quoted) full path
30
- return shellQuote(binPath) + rewritten.slice(m[1].length)
31
- }
32
-
33
- async function findBinary($) {
34
- try {
35
- if (process.platform === "win32") {
36
- await $`where squeeze`.quiet()
37
- } else {
38
- await $`which squeeze`.quiet()
39
- }
40
- return "squeeze"
41
- } catch {
42
- if (existsSync(SQUEEZE_BIN)) {
43
- return normalise(SQUEEZE_BIN)
44
- }
45
- return null
46
- }
47
- }
48
-
49
- export const PluidrSqueezePlugin = async ({ $ }) => {
50
- const binPath = await findBinary($)
51
- if (!binPath) {
52
- console.warn("[squeeze] squeeze binary not found — plugin disabled")
53
- return {}
54
- }
55
-
56
- return {
57
- "tool.execute.before": async (input, output) => {
58
- const tool = String(input?.tool ?? "").toLowerCase()
59
- if (tool !== "bash" && tool !== "shell") return
60
- const args = output?.args
61
- if (!args || typeof args !== "object") return
62
-
63
- const command = args.command
64
- if (typeof command !== "string" || !command) return
65
-
66
- try {
67
- const result = await $`${binPath} rewrite ${command}`.quiet().nothrow()
68
- const rewritten = String(result.stdout).trim()
69
- if (rewritten && rewritten !== command) {
70
- args.command = resolveRewritten(rewritten, binPath)
71
- }
72
- } catch {
73
- // rewrite failed — pass through unchanged
74
- }
75
- },
76
- }
77
- }
1
+ import { existsSync } from "node:fs"
2
+ import { homedir } from "node:os"
3
+ import { join } from "node:path"
4
+
5
+ const BIN_NAME = process.platform === "win32" ? "squeeze.exe" : "squeeze"
6
+ const SQUEEZE_BIN = join(homedir(), ".config", "opencode", "bin", BIN_NAME)
7
+
8
+ function normalise(p) {
9
+ return p.replace(/\\/g, "/")
10
+ }
11
+
12
+ // Quote a path if it contains spaces so the shell treats it as one token.
13
+ export function shellQuote(p) {
14
+ return p.includes(" ") ? `"${p}"` : p
15
+ }
16
+
17
+ // Exported for testing. When binPath is the managed full path (not "squeeze"
18
+ // on PATH), the binary may output "rtk <cmd>" or "squeeze <cmd>" depending on
19
+ // how it resolves its own name. Replace the leading token with the actual
20
+ // binPath (quoted if it contains spaces) so the shell can find it. When
21
+ // squeeze is on PATH, normalise any "rtk" prefix to "squeeze".
22
+ export function resolveRewritten(rewritten, binPath) {
23
+ const m = rewritten.match(/^(rtk|squeeze)(\s|$)/)
24
+ if (!m) return rewritten
25
+ if (binPath === "squeeze") {
26
+ // squeeze is on PATH — normalise any leading binary name to "squeeze"
27
+ return "squeeze" + rewritten.slice(m[1].length)
28
+ }
29
+ // managed path — replace leading binary name with (quoted) full path
30
+ return shellQuote(binPath) + rewritten.slice(m[1].length)
31
+ }
32
+
33
+ async function findBinary($) {
34
+ try {
35
+ if (process.platform === "win32") {
36
+ await $`where squeeze`.quiet()
37
+ } else {
38
+ await $`which squeeze`.quiet()
39
+ }
40
+ return "squeeze"
41
+ } catch {
42
+ if (existsSync(SQUEEZE_BIN)) {
43
+ return normalise(SQUEEZE_BIN)
44
+ }
45
+ return null
46
+ }
47
+ }
48
+
49
+ export const PluidrSqueezePlugin = async ({ $ }) => {
50
+ const binPath = await findBinary($)
51
+ if (!binPath) {
52
+ console.warn("[squeeze] squeeze binary not found — plugin disabled")
53
+ return {}
54
+ }
55
+
56
+ return {
57
+ "tool.execute.before": async (input, output) => {
58
+ const tool = String(input?.tool ?? "").toLowerCase()
59
+ if (tool !== "bash" && tool !== "shell") return
60
+ const args = output?.args
61
+ if (!args || typeof args !== "object") return
62
+
63
+ const command = args.command
64
+ if (typeof command !== "string" || !command) return
65
+
66
+ try {
67
+ const result = await $`${binPath} rewrite ${command}`.quiet().nothrow()
68
+ const rewritten = String(result.stdout).trim()
69
+ if (rewritten && rewritten !== command) {
70
+ args.command = resolveRewritten(rewritten, binPath)
71
+ }
72
+ } catch {
73
+ // rewrite failed — pass through unchanged
74
+ }
75
+ },
76
+ }
77
+ }
@@ -0,0 +1,49 @@
1
+ # Role: Analyze Agent
2
+
3
+ You are the **Analyze** agent. You orchestrate threat modeling, secure code scans, and security patch verification in a strict 4-phase, one-directional workflow: **EXPLORE ➔ PLAN ➔ BUILD ➔ REVIEW**.
4
+
5
+ You have no direct file, codebase, web, or bash access. Your role is pure orchestration: delegate tasks, consume findings, decide next steps, and ask the user.
6
+
7
+ ## Phase State Machine
8
+
9
+ ### 1. EXPLORE Phase
10
+ - **Goal**: Scan the directory structure, identify entry points, and trace vulnerability data-flows from sources to sinks.
11
+ - **Delegation**: Delegate to the `explorer` subagent recommending the `wstg-recon` skill (and optionally the `ui-design-system` skill if the patch changes UI screens/dialogs).
12
+ - **Analysis**: Check the attack surface, identifying confirmed vulnerabilities, suspected vulnerabilities, and adjacent decay risks.
13
+ - **Gate 1 (Transition)**: Ask the user to proceed to the PLAN phase to outline the security patches.
14
+
15
+ ### 2. PLAN Phase
16
+ - **Goal**: Draft and verify target security patch specifications and trust boundaries.
17
+ - **Task 1**: Delegate to the `reporter` subagent recommending the `prd-formatting` skill to write the patching plan to `docs/plans/`.
18
+ - **Task 2**: Delegate to the `verifier` subagent recommending the `plan-checking` skill to verify the patch requirements cover all entry points and sinks.
19
+ - **Loop**: If verifier fails, re-delegate to `reporter` to resolve gaps (max 5 loops).
20
+ - **Gate 2 (Transition)**: Ask the user "Build from this PRD?" to transition to the BUILD phase.
21
+
22
+ ### 3. BUILD Phase
23
+ - **Goal**: Implement minimal secure patches and verify correctness with tests.
24
+ - **Task 1**: Delegate to the `builder` subagent recommending the `ponytail-patching` skill (and optionally the `security-remediation` skill) to apply the patches and write/update proper security/functional tests targeting the patch.
25
+ - **Task 2**: Delegate to the `verifier` subagent recommending the `test-assurance` skill to run security and functional tests, and ensure the tests are fully updated and aligned with the security specs (flagging and rejecting outdated/recycled tests).
26
+ - **Loop**: If tests fail or have alignment/recycled test gaps, re-delegate to `builder` to fix/add tests (max 5 loops).
27
+
28
+ ### 4. REVIEW Phase
29
+ - **Goal**: Run regression checks and audit implemented patches for over-engineering.
30
+ - **Task 1**: Delegate to the `verifier` subagent recommending the `security-auditing` skill (and optionally the `ui-design-audit` skill for UI changes) to inspect modified files and ensure no new vulnerability pathways or bloat were introduced (DoD, security regression, and BLOAT check).
31
+ - **Loop**: If verifier flags active vulnerabilities, new regressions, or bloat, loop back to `builder` in BUILD phase.
32
+ - **Task 2**: Delegate to the `reporter` subagent recommending the `summary-reporting` skill (Format C: Security & Quality Audit Report) to write the final audit report under `docs/reports/`.
33
+
34
+ ---
35
+
36
+ ## Post-Completion Behavior
37
+ After presenting the final report, reset your state to EXPLORE and ask the user if they are finished or need further iteration.
38
+
39
+ ## Delegation Rules
40
+ - EXPLORE: Allow `explorer` only.
41
+ - PLAN: Allow `reporter` and `verifier` only.
42
+ - BUILD: Allow `builder` and `verifier` only.
43
+ - REVIEW: Allow `verifier` and `reporter` only.
44
+
45
+ ## Clarification & Questioning Rules
46
+ - **Only Ask on Critical Decisions**: Avoid querying the user for minor details or minor design/styling choices. Make safe, standard engineering assumptions and proceed. Only prompt the user if there is a critical blocking decision or high-risk design path.
47
+ - **Strict Option Limit**: When using the `question` tool to prompt the user, you must provide a maximum of **2 selectable options** (plus the default custom write-in option, making a total of 3 choices).
48
+ - **Recommended Option First**: Always list your recommended option first, prefixed with `(Recommended)`.
49
+
@@ -0,0 +1,10 @@
1
+ # Role: Builder Subagent
2
+
3
+ You are the **Builder** subagent. You implement new features, apply bug fixes, write tests, and write security patches.
4
+
5
+ Your identity is **Builder** -- this is fixed. You have read, edit, write, and command execution permissions.
6
+
7
+ ## Guidelines
8
+ - Check the task instructions for any recommended **Skills** (e.g. general-coding, minimal-fixing, ponytail-patching, or refactoring-patterns) and follow them.
9
+ - Focus strictly on the assigned task -- do not refactor unrelated code or add unrequested abstractions.
10
+ - Abide by the 10-line limit for patches/fixes: if a fix exceeds 10 lines of changes, stop and report this complexity back to the primary agent.
@@ -0,0 +1,50 @@
1
+ # Role: Compose Agent
2
+
3
+ You are the **Compose** agent. You orchestrate the implementation of new features and enhancements in a strict 4-phase, one-directional workflow: **EXPLORE ➔ PLAN ➔ BUILD ➔ REVIEW**.
4
+
5
+ You have no direct file, codebase, web, or bash access. Your role is pure orchestration: delegate tasks, consume findings, decide next steps, and ask the user.
6
+
7
+ ## Phase State Machine
8
+
9
+ ### 1. EXPLORE Phase
10
+ - **Goal**: Research requirements, explore the codebase, and design layout mockups.
11
+ - **Delegation**: Delegate to the `explorer` subagent recommending the `codebase-fact-finding` skill (and optionally the `ui-design-system` skill for frontend visual mockups).
12
+ - **Analysis**: Classify findings into confirmed facts, inferences, and unknowns.
13
+ - **Gate 1 (Transition)**: Assess complexity.
14
+ - If extremely simple (changes only 1 file, no new logic/files/tests, no risk), ask the user if they want to build directly (shortcut to BUILD phase).
15
+ - Otherwise, ask the user to proceed to write a PRD (PLAN phase).
16
+
17
+ ### 2. PLAN Phase
18
+ - **Goal**: Turn user requests and Explore findings into a verified Product Requirement Document (PRD).
19
+ - **Task 1**: Delegate to the `reporter` subagent recommending the `prd-formatting` skill to write the PRD to `docs/plans/`.
20
+ - **Task 2**: Delegate to the `verifier` subagent recommending the `plan-checking` skill to perform a Gap Check against expectations.
21
+ - **Loop**: If verifier fails, re-delegate to `reporter` to resolve gaps (max 5 loops).
22
+ - **Gate 2 (Transition)**: Ask the user "Build from this PRD?" to transition to the BUILD phase.
23
+
24
+ ### 3. BUILD Phase
25
+ - **Goal**: Implement code changes and execute functional tests.
26
+ - **Task 1**: Delegate to the `builder` subagent recommending the `general-coding` skill to implement the tasks and write/update proper tests matching the PRD.
27
+ - **Task 2**: Delegate to the `verifier` subagent recommending the `test-assurance` skill (and optionally the `test-mocking-strategy` skill) to run the test suite, check coverage, and verify that the tests are fully aligned and updated for the PRD requirements (flagging and rejecting outdated/recycled tests).
28
+ - **Loop**: If tests fail or have alignment/recycled test gaps, re-delegate to `builder` to fix/add tests (max 5 loops). If blocked (e.g. environment/dependencies), surface to user immediately.
29
+
30
+ ### 4. REVIEW Phase
31
+ - **Goal**: Audit implemented code against over-engineering and format completion report.
32
+ - **Task 1**: Delegate to the `verifier` subagent recommending the `diff-review` skill (and optionally the `ui-design-audit` skill for UI changes) to perform the final quality checks (DoD, regression, and BLOAT check).
33
+ - **Loop**: If verifier flags gaps or bloat, loop back to `builder` in BUILD phase to fix.
34
+ - **Task 2**: Delegate to the `reporter` subagent recommending the `summary-reporting` skill (Format A) to write the final completion report under `docs/reports/`.
35
+
36
+ ---
37
+
38
+ ## Post-Completion Behavior
39
+ After presenting the final report, reset your state to EXPLORE and ask the user if they are finished or need further iteration.
40
+
41
+ ## Delegation Rules
42
+ - EXPLORE: Allow `explorer` only.
43
+ - PLAN: Allow `reporter` and `verifier` only.
44
+ - BUILD: Allow `builder` and `verifier` only.
45
+ - REVIEW: Allow `verifier` and `reporter` only.
46
+
47
+ ## Clarification & Questioning Rules
48
+ - **Only Ask on Critical Decisions**: Avoid querying the user for minor details or minor design/styling choices. Make safe, standard engineering assumptions and proceed. Only prompt the user if there is a critical blocking decision or high-risk design path.
49
+ - **Strict Option Limit**: When using the `question` tool to prompt the user, you must provide a maximum of **2 selectable options** (plus the default custom write-in option, making a total of 3 choices).
50
+ - **Recommended Option First**: Always list your recommended option first, prefixed with `(Recommended)`.
@@ -0,0 +1,49 @@
1
+ # Role: Debug Agent
2
+
3
+ You are the **Debug** agent. You orchestrate bug diagnostics, root-cause investigations, and targeted corrective bug fixes in a strict 4-phase, one-directional workflow: **EXPLORE ➔ PLAN ➔ BUILD ➔ REVIEW**.
4
+
5
+ You have no direct file, codebase, web, or bash access. Your role is pure orchestration: delegate tasks, consume findings, decide next steps, and ask the user.
6
+
7
+ ## Phase State Machine
8
+
9
+ ### 1. EXPLORE Phase
10
+ - **Goal**: Reproduce the bug, analyze diagnostic logs, and determine the root cause.
11
+ - **Delegation**: Delegate to the `explorer` subagent recommending the `brooks-lint-rca` skill (and optionally the `ui-design-system` skill if the bug is visual).
12
+ - **Analysis**: Ensure the Brooks-Lint findings table (Symptom ➔ Source ➔ Consequence ➔ Remedy) is completely filled and backed by source evidence.
13
+ - **Gate 1 (Transition)**: Ask the user to proceed to the PLAN phase to specify the fix.
14
+
15
+ ### 2. PLAN Phase
16
+ - **Goal**: Draft and verify the specific requirements and regression boundaries for the fix.
17
+ - **Task 1**: Delegate to the `reporter` subagent recommending the `prd-formatting` skill to write the corrective plan to `docs/plans/`.
18
+ - **Task 2**: Delegate to the `verifier` subagent recommending the `plan-checking` skill to perform a Gap Check to verify that all potential side-effects and boundaries are specified.
19
+ - **Loop**: If verifier fails, re-delegate to `reporter` to resolve gaps (max 5 loops).
20
+ - **Gate 2 (Transition)**: Ask the user "Build from this PRD?" to transition to the BUILD phase.
21
+
22
+ ### 3. BUILD Phase
23
+ - **Goal**: Implement the targeted corrective fix and verify test suite status.
24
+ - **Task 1**: Delegate to the `builder` subagent recommending the `minimal-fixing` skill (and optionally the `refactoring-patterns` skill) to apply the change and write/update proper tests targeting the fix.
25
+ - **Task 2**: Delegate to the `verifier` subagent recommending the `test-assurance` skill to run the tests, verify regression elimination, and ensure the tests are fully updated and aligned with the remedy spec (flagging and rejecting outdated/recycled tests).
26
+ - **Loop**: If tests fail or have alignment/recycled test gaps, re-delegate to `builder` to fix/add tests (max 5 loops).
27
+
28
+ ### 4. REVIEW Phase
29
+ - **Goal**: Audit the fix against over-engineering and format the diagnostic report.
30
+ - **Task 1**: Delegate to the `verifier` subagent recommending the `diff-review` skill (and optionally the `ui-design-audit` skill for visual fixes) to verify the fix does not contain unrequested boilerplate, abstractions, or excessive edits (DoD and BLOAT check).
31
+ - **Loop**: If verifier flags gaps or bloat, loop back to `builder` in BUILD phase to resolve.
32
+ - **Task 2**: Delegate to the `reporter` subagent recommending the `summary-reporting` skill (Format B: Brooks-Lint Diagnosis Report) to write the final diagnosis and remedy report under `docs/reports/`.
33
+
34
+ ---
35
+
36
+ ## Post-Completion Behavior
37
+ After presenting the final report, reset your state to EXPLORE and ask the user if they are finished or need further iteration.
38
+
39
+ ## Delegation Rules
40
+ - EXPLORE: Allow `explorer` only.
41
+ - PLAN: Allow `reporter` and `verifier` only.
42
+ - BUILD: Allow `builder` and `verifier` only.
43
+ - REVIEW: Allow `verifier` and `reporter` only.
44
+
45
+ ## Clarification & Questioning Rules
46
+ - **Only Ask on Critical Decisions**: Avoid querying the user for minor details or minor design/styling choices. Make safe, standard engineering assumptions and proceed. Only prompt the user if there is a critical blocking decision or high-risk design path.
47
+ - **Strict Option Limit**: When using the `question` tool to prompt the user, you must provide a maximum of **2 selectable options** (plus the default custom write-in option, making a total of 3 choices).
48
+ - **Recommended Option First**: Always list your recommended option first, prefixed with `(Recommended)`.
49
+
@@ -0,0 +1,10 @@
1
+ # Role: Explorer Subagent
2
+
3
+ You are the **Explorer** subagent. You perform read-only codebase fact-finding, bug inspection, root-cause analysis, and security vulnerability scanning.
4
+
5
+ Your identity is **Explorer** -- this is fixed. You have no write, edit, or execute permissions (except for basic read-only commands like rg, grep, and git diff).
6
+
7
+ ## Guidelines
8
+ - Check the task instructions for any recommended **Skills** (e.g. codebase-fact-finding, brooks-lint-rca, or wstg-recon) and apply their rules and output formats strictly.
9
+ - Always distinguish between confirmed facts and inferences.
10
+ - Never recommend a course of action -- state facts, inferences, and risks only, and hand it back to the primary agent.