specweave 1.0.55 → 1.0.56

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "specweave",
-  "version": "1.0.55",
+  "version": "1.0.56",
   "description": "Spec-driven development framework for Claude Code. AI-native workflow with living documentation, intelligent agents, and multilingual support (9 languages). Enterprise-grade traceability with permanent specs and temporary increments.",
   "type": "module",
   "main": "dist/index.js",

package/plugins/specweave/agents/infrastructure/AGENT.md

@@ -77,6 +77,55 @@ Before you finish ANY response, mentally verify:
 
 ---
 
+## 🚨🔐 CRITICAL: AUTO-EXECUTE WITH CREDENTIALS (MANDATORY) 🔐🚨
+
+**NEVER OUTPUT MANUAL "NEXT STEPS" WHEN CREDENTIALS ARE AVAILABLE!**
+
+### The Golden Rule
+
+```
+❌ FORBIDDEN: "Next Steps: Run terraform apply"
+❌ FORBIDDEN: "Execute the schema in Supabase SQL Editor"
+❌ FORBIDDEN: "Deploy with: wrangler deploy"
+
+✅ REQUIRED: Execute commands DIRECTLY using available credentials
+```
+
+### Mandatory Credential Lookup (BEFORE ANY DEPLOYMENT)
+
+```bash
+# Always check for credentials FIRST:
+grep -E "SUPABASE|DATABASE_URL|CF_|AWS_|HETZNER|GCP|AZURE" .env 2>/dev/null
+wrangler whoami 2>/dev/null
+aws sts get-caller-identity 2>/dev/null
+supabase status 2>/dev/null
+```
+
+### Platform Auto-Execution Rules
+
+| Platform | If Credentials Found | Action |
+|----------|---------------------|--------|
+| **Supabase** | `DATABASE_URL` or `SUPABASE_*` | Execute: `supabase db push` or `psql -f schema.sql` |
+| **Wrangler** | `CF_API_TOKEN` or authenticated | Execute: `wrangler deploy`, `wrangler secret put` |
+| **Terraform** | Cloud provider credentials | Execute: `terraform apply -auto-approve` |
+| **Firebase** | `FIREBASE_TOKEN` or logged in | Execute: `firebase deploy` |
+| **AWS** | `AWS_*` credentials | Execute: AWS CLI commands directly |
+
+### If Credentials Missing → ASK, Don't Show Manual Steps
+
+```markdown
+🔐 **Credential Required**
+
+I need your Supabase database URL to execute the migration.
+
+**How to get it:** https://supabase.com/dashboard → Settings → API
+
+**Please paste your DATABASE_URL:**
+[I will save to .env and execute automatically]
+```
+
+---
+
 # Infrastructure Agent
 
 I'm a serverless infrastructure specialist who generates production-ready Infrastructure-as-Code (IaC) using Terraform. I transform platform recommendations from the architect agent into deployable infrastructure configurations.

package/plugins/specweave/commands/auto.md

@@ -182,6 +182,171 @@ Pure Ralph Wiggum behavior:
 - **Max Hours**: Time boxing
 - **stop_hook_active**: Prevents infinite continuation loops
 
+## 🔐 Auto-Execute with Credentials (MANDATORY)
+
+**In auto mode, ALL agents MUST follow the auto-execute skill rules:**
+
+### The Golden Rule
+
+```
+❌ FORBIDDEN: "Next Steps: Run wrangler deploy"
+❌ FORBIDDEN: "Execute the schema in Supabase SQL Editor"
+❌ FORBIDDEN: "Set secret via: wrangler secret put..."
+
+✅ REQUIRED: Execute commands DIRECTLY using available credentials
+```
+
+### Credential Lookup Order
+
+Before ANY deployment task, check for credentials:
+
+1. **`.env` file** - Primary credential storage
+2. **Environment variables** - Already loaded in session
+3. **CLI tool auth** - `wrangler whoami`, `gh auth status`, etc.
+4. **Config files** - `wrangler.toml`, `.specweave/config.json`
+
+### If Credentials Found → AUTO-EXECUTE
+
+```bash
+# Example: Supabase migration
+if grep -q "DATABASE_URL" .env; then
+  source .env
+  psql "$DATABASE_URL" -f schema.sql
+fi
+
+# Example: Wrangler deployment
+if wrangler whoami 2>/dev/null; then
+  wrangler deploy
+fi
+```
+
+### If Credentials Missing → ASK, Don't Show Manual Steps
+
+```markdown
+🔐 **Credential Required for Auto-Execution**
+
+I need your Supabase database URL to execute the migration.
+
+**Please paste your DATABASE_URL:**
+[I will save to .env and continue automatically]
+```
+
+**After user provides credential:**
+1. Save to `.env`
+2. EXECUTE immediately
+3. Continue auto mode
+
+See: `plugins/specweave/skills/auto-execute/SKILL.md` for full details.
+
+---
+
+## 🎯 Self-Assessment Scoring (Ralph-Loop Pattern)
+
+**Auto mode uses self-assessment scoring to guide continuation decisions:**
+
+### Confidence Scoring
+
+After each task/iteration, Claude self-assesses execution quality:
+
+```json
+{
+  "iteration": 5,
+  "task": "T-003",
+  "confidence": {
+    "execution_quality": 0.92,     // How well was the task executed?
+    "test_coverage": 0.85,         // Are tests adequate?
+    "spec_alignment": 0.95,        // Does implementation match spec?
+    "credential_success": 1.0,     // Were all deployments successful?
+    "overall": 0.93                // Weighted average
+  },
+  "concerns": [],
+  "blockers": []
+}
+```
+
+### Score Thresholds
+
+| Overall Score | Action |
+|---------------|--------|
+| ≥ 0.90 | ✅ Continue confidently |
+| 0.70-0.89 | ⚠️ Continue with caution, log concerns |
+| 0.50-0.69 | 🟡 Pause for self-review before continuing |
+| < 0.50 | 🔴 Stop and request human review |
+
+### Self-Assessment Prompt (Internal)
+
+After completing each task, evaluate:
+
+```markdown
+<self-assessment>
+Task: T-003 - Implement user authentication
+Status: completed
+
+Execution Quality (0.0-1.0): 0.92
+- ✅ All acceptance criteria met
+- ✅ Tests pass
+- ⚠️ Minor edge case not covered (low impact)
+
+Test Coverage (0.0-1.0): 0.85
+- ✅ Unit tests: 12/12 pass
+- ✅ Integration tests: 5/5 pass
+- ⚠️ E2E test coverage: 75% (target: 80%)
+
+Spec Alignment (0.0-1.0): 0.95
+- ✅ All ACs addressed
+- ✅ Architecture matches plan.md
+
+Credential Success (0.0-1.0): 1.0
+- ✅ Database migration executed successfully
+- ✅ Secrets deployed to Cloudflare
+
+Overall: 0.93 → CONTINUE
+</self-assessment>
+```
+
+### Integration with Stop Hook
+
+The stop hook (`plugins/specweave/hooks/stop-auto.sh`) reads this scoring:
+
+```bash
+# Check self-assessment in transcript
+SCORE=$(grep -oP 'Overall:\s*\K[0-9.]+' "$TRANSCRIPT_PATH" 2>/dev/null | tail -1)
+
+if [ -n "$SCORE" ] && [ "$(echo "$SCORE < 0.50" | bc)" -eq 1 ]; then
+    # Score too low, stop for human review
+    approve "Low confidence score ($SCORE), requesting human review"
+fi
+```
+
+### Test Execution Integration
+
+**Auto mode MUST run tests after completing testable tasks:**
+
+```bash
+# After task completion, if task affects testable code:
+if [[ "$TASK_TYPE" == *"implement"* ]] || [[ "$TASK_TYPE" == *"fix"* ]]; then
+    npm test 2>&1 | tee test-output.log
+
+    if [ $? -ne 0 ]; then
+        # Tests failed - attempt fix
+        echo "🔴 Tests failed, attempting fix..."
+        # Self-healing loop (max 3 attempts)
+    fi
+fi
+```
+
+### Quality Gate Before Continue
+
+Before moving to next task, verify:
+
+1. ✅ Current task marked complete in tasks.md
+2. ✅ Corresponding ACs checked in spec.md
+3. ✅ Tests pass (if applicable)
+4. ✅ No deployment errors (if applicable)
+5. ✅ Self-assessment score ≥ 0.70
+
+---
+
 ## Execution
 
 When this command is invoked:

package/plugins/specweave/commands/do.md

@@ -680,6 +680,62 @@ Options:
 
 ---
 
+---
+
+## 🔐 Auto-Execute with Credentials (MANDATORY)
+
+**When executing deployment tasks, ALWAYS follow auto-execute rules:**
+
+### The Golden Rule
+
+```
+❌ FORBIDDEN: "Next Steps: Run wrangler deploy"
+❌ FORBIDDEN: "Execute the schema in Supabase SQL Editor"
+❌ FORBIDDEN: "Set secret via: wrangler secret put..."
+
+✅ REQUIRED: Execute commands DIRECTLY using available credentials
+```
+
+### Before Any Deployment Task
+
+```bash
+# Always check for credentials FIRST:
+grep -E "SUPABASE|DATABASE_URL|CF_|AWS_|HETZNER" .env 2>/dev/null
+wrangler whoami 2>/dev/null
+aws sts get-caller-identity 2>/dev/null
+gh auth status 2>/dev/null
+```
+
+### Auto-Execute Decision
+
+| Credentials Found? | Action |
+|-------------------|--------|
+| ✅ Found | Execute command directly, show success message |
+| ❌ Not found | ASK for credential (don't show manual steps) |
+
+### Example: Supabase Migration Task
+
+**If DATABASE_URL exists in .env:**
+```bash
+source .env
+psql "$DATABASE_URL" -f src/db/schema.sql
+echo "✅ Schema applied successfully"
+```
+
+**If DATABASE_URL missing:**
+```markdown
+🔐 **Credential Required**
+
+I need your Supabase database URL to execute the migration.
+
+**Please paste your DATABASE_URL:**
+[I will save to .env and execute automatically]
+```
+
+See: `plugins/specweave/skills/auto-execute/SKILL.md` for full details.
+
+---
+
 ## Why "/do" instead of "/do"?
 
 **Universal applicability**: SpecWeave isn't just for software engineering!

package/plugins/specweave/hooks/stop-auto.sh

@@ -122,6 +122,51 @@ if [ -n "$TRANSCRIPT_PATH" ] && [ -f "$TRANSCRIPT_PATH" ]; then
             > "$SESSION_FILE"
         approve "Completion promise detected"
     fi
+
+    # Check self-assessment score (Ralph-Loop pattern)
+    # Look for <self-assessment>...Overall: X.XX...</self-assessment> in transcript
+    SELF_SCORE=$(grep -oE 'Overall:\s*[0-9]+\.[0-9]+' "$TRANSCRIPT_PATH" 2>/dev/null | tail -1 | grep -oE '[0-9]+\.[0-9]+')
+
+    if [ -n "$SELF_SCORE" ]; then
+        # Log the score
+        echo "{\"timestamp\":\"$(date -u +%Y-%m-%dT%H:%M:%SZ)\",\"event\":\"self_assessment\",\"score\":$SELF_SCORE,\"increment\":\"$CURRENT_INCREMENT\"}" >> "$LOGS_DIR/auto-iterations.log"
+
+        # Check if score is critically low (< 0.50) - requires human review
+        if [ "$(echo "$SELF_SCORE < 0.50" | bc 2>/dev/null || echo "0")" -eq 1 ]; then
+            echo "$SESSION" | jq --arg now "$(date -u +%Y-%m-%dT%H:%M:%SZ)" --arg score "$SELF_SCORE" \
+                '.status = "paused" | .pauseTime = $now | .pauseReason = "low_confidence_score" | .lastScore = ($score | tonumber)' \
+                > "$SESSION_FILE"
+            approve "Low confidence score ($SELF_SCORE < 0.50), requesting human review"
+        fi
+
+        # Check if score indicates concern (0.50-0.69) - log but continue
+        if [ "$(echo "$SELF_SCORE >= 0.50 && $SELF_SCORE < 0.70" | bc 2>/dev/null || echo "0")" -eq 1 ]; then
+            echo "{\"timestamp\":\"$(date -u +%Y-%m-%dT%H:%M:%SZ)\",\"event\":\"caution\",\"score\":$SELF_SCORE,\"message\":\"Moderate confidence, self-review recommended\"}" >> "$LOGS_DIR/auto-iterations.log"
+        fi
+    fi
+
+    # Check for failed tests in transcript (hard stop)
+    if grep -q "Tests failed\|FAIL\|npm ERR!" "$TRANSCRIPT_PATH" 2>/dev/null; then
+        FAIL_COUNT=$(grep -c "FAIL\|npm ERR!" "$TRANSCRIPT_PATH" 2>/dev/null | tr -d '[:space:]' || echo "0")
+        # Only stop if multiple failures (single failure might be fixed in next iteration)
+        if [ "$FAIL_COUNT" -gt 3 ]; then
+            echo "$SESSION" | jq --arg now "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
+                '.status = "paused" | .pauseTime = $now | .pauseReason = "repeated_test_failures"' \
+                > "$SESSION_FILE"
+            approve "Multiple test failures detected ($FAIL_COUNT), requesting human review"
+        fi
+    fi
+
+    # Check for deployment/credential errors (auto-execute integration)
+    if grep -qE "wrangler.*error|supabase.*error|terraform.*error|aws.*error|Error:.*credential|Error:.*secret|Error:.*token" "$TRANSCRIPT_PATH" 2>/dev/null; then
+        CRED_ERRORS=$(grep -cE "credential|secret|token" "$TRANSCRIPT_PATH" 2>/dev/null | tr -d '[:space:]' || echo "0")
+        if [ "$CRED_ERRORS" -gt 2 ]; then
+            echo "$SESSION" | jq --arg now "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
+                '.status = "paused" | .pauseTime = $now | .pauseReason = "credential_errors"' \
+                > "$SESSION_FILE"
+            approve "Multiple credential/deployment errors, requesting credential check"
+        fi
+    fi
 fi
 
 # Check tasks.md for completion (primary completion signal)

package/plugins/specweave/skills/auto-execute/SKILL.md

@@ -0,0 +1,374 @@
+---
+name: auto-execute
+description: Enforces automatic command execution when credentials are available. NEVER output manual "Next Steps" - always execute commands automatically using secrets from .env, environment variables, and config files. Applies to all deployment tools including Supabase, Cloudflare Wrangler, Terraform, AWS CLI, GitHub CLI, and database operations. Activates for: auto-execute, credentials, deployment, wrangler, supabase, terraform, deploy, secrets, .env.
+allowed-tools: Bash, Read, Grep, Glob, Write, Edit
+---
+
+# Auto-Execute Skill: MANDATORY for Auto Mode
+
+## CRITICAL RULE: NEVER Output Manual Instructions When Credentials Exist
+
+**This skill MUST be applied by ALL agents when operating in auto mode or when credentials are available.**
+
+### The Golden Rule
+
+```
+❌ WRONG: "Next Steps: Run the schema SQL in Supabase SQL Editor..."
+❌ WRONG: "Set the secret via: wrangler secret put SUPABASE_SECRET_KEY"
+❌ WRONG: "Deploy with: wrangler deploy"
+
+✅ CORRECT: Execute commands directly using available credentials
+```
+
+---
+
+## Mandatory Credential Lookup Workflow
+
+### Step 1: ALWAYS Check for Existing Credentials FIRST
+
+**Before outputting ANY manual instructions, search for credentials in this order:**
+
+```bash
+# 1. Check .env file (primary location)
+if [ -f .env ]; then
+  source .env 2>/dev/null
+fi
+
+# 2. Check project-specific .env files
+for f in .env.local .env.development .env.production; do
+  [ -f "$f" ] && source "$f" 2>/dev/null
+done
+
+# 3. Check environment variables (already loaded)
+# e.g., $SUPABASE_URL, $SUPABASE_ANON_KEY, $CF_API_TOKEN
+
+# 4. Check .specweave/config.json for service configs
+cat .specweave/config.json 2>/dev/null | grep -A10 '"sync"'
+
+# 5. Check wrangler.toml for Cloudflare config
+cat wrangler.toml 2>/dev/null
+```
+
+### Step 2: Credential Discovery Patterns
+
+**Supabase Credentials:**
+```bash
+# Check for Supabase credentials
+grep -E "SUPABASE|NEXT_PUBLIC_SUPABASE" .env .env.* 2>/dev/null
+# Look for: SUPABASE_URL, SUPABASE_ANON_KEY, SUPABASE_SERVICE_ROLE_KEY
+```
+
+**Cloudflare Wrangler Credentials:**
+```bash
+# Check for Cloudflare credentials
+grep -E "CF_|CLOUDFLARE_|WRANGLER" .env .env.* 2>/dev/null
+wrangler whoami 2>/dev/null  # Check if already authenticated
+# Look for: CF_API_TOKEN, CLOUDFLARE_API_TOKEN, CLOUDFLARE_ACCOUNT_ID
+```
+
+**AWS Credentials:**
+```bash
+aws sts get-caller-identity 2>/dev/null  # Check if configured
+cat ~/.aws/credentials 2>/dev/null
+# Look for: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_REGION
+```
+
+**GitHub CLI:**
+```bash
+gh auth status 2>/dev/null  # Check if logged in
+grep GITHUB_TOKEN .env 2>/dev/null
+```
+
+**Terraform Cloud:**
+```bash
+grep TF_TOKEN .env 2>/dev/null
+cat ~/.terraform.d/credentials.tfrc.json 2>/dev/null
+```
+
+---
+
+## Auto-Execution Commands by Tool
+
+### Supabase Operations
+
+**WHEN CREDENTIALS EXIST, AUTO-EXECUTE:**
+
+```bash
+# Execute SQL schema directly
+supabase db push --db-url "$DATABASE_URL"
+
+# OR if using Supabase CLI with project ref
+supabase db push --project-ref "$SUPABASE_PROJECT_REF"
+
+# OR execute SQL file directly via psql
+psql "$DATABASE_URL" -f src/db/supabase-schema.sql
+
+# Deploy edge functions
+supabase functions deploy <function-name>
+```
+
+**NEVER say**: "Run the schema SQL in Supabase SQL Editor..."
+
+### Cloudflare Wrangler Operations
+
+**WHEN CREDENTIALS EXIST, AUTO-EXECUTE:**
+
+```bash
+# Set secrets (loop through required secrets)
+for secret in SUPABASE_SECRET_KEY DATABASE_URL JWT_SECRET; do
+  if [ -n "${!secret}" ]; then
+    echo "${!secret}" | wrangler secret put "$secret" --quiet
+  fi
+done
+
+# Deploy
+wrangler deploy
+
+# Or for Pages projects
+wrangler pages publish ./dist
+```
+
+**NEVER say**: "Set the secret via: wrangler secret put..."
+**NEVER say**: "Deploy with: wrangler deploy"
+
+### Terraform Operations
+
+**WHEN CREDENTIALS EXIST, AUTO-EXECUTE:**
+
+```bash
+# Auto-approve in non-interactive mode
+TF_VAR_hetzner_token="$HETZNER_API_TOKEN" terraform apply -auto-approve
+
+# Or with var file
+terraform apply -auto-approve -var-file="environments/dev.tfvars"
+```
+
+**NEVER say**: "Run terraform apply and type 'yes'..."
+
+### AWS CLI Operations
+
+**WHEN CREDENTIALS EXIST, AUTO-EXECUTE:**
+
+```bash
+# Lambda deployment
+aws lambda update-function-code --function-name my-func --zip-file fileb://function.zip
+
+# S3 upload
+aws s3 sync ./dist s3://my-bucket/
+
+# CloudFormation deployment
+aws cloudformation deploy --template-file template.yaml --stack-name my-stack
+```
+
+### GitHub CLI Operations
+
+**WHEN CREDENTIALS EXIST, AUTO-EXECUTE:**
+
+```bash
+# Create release
+gh release create v1.0.0 --title "Release v1.0.0" --notes "Changelog..."
+
+# Create issue
+gh issue create --title "Title" --body "Body"
+
+# Create PR
+gh pr create --title "Title" --body "Body"
+```
+
+### NPM Publishing
+
+**WHEN NPM_TOKEN EXISTS, AUTO-EXECUTE:**
+
+```bash
+# Check for NPM token
+if [ -n "$NPM_TOKEN" ]; then
+  echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" > .npmrc
+  npm publish
+  rm .npmrc
+fi
+```
+
+---
+
+## Decision Tree: Execute vs Ask
+
+```
+┌─────────────────────────────────────────────────────────┐
+│ Task requires external tool (wrangler, supabase, etc.) │
+└───────────────────────────┬─────────────────────────────┘
+                            │
+                            ▼
+              ┌────────────────────────┐
+              │ Search for credentials │
+              │ .env, env vars, config │
+              └───────────┬────────────┘
+                          │
+        ┌─────────────────┴─────────────────┐
+        │                                   │
+        ▼                                   ▼
+┌───────────────────┐               ┌───────────────────┐
+│ Credentials FOUND │               │ Credentials MISSING│
+└────────┬──────────┘               └────────┬──────────┘
+         │                                   │
+         ▼                                   ▼
+┌────────────────────┐              ┌────────────────────┐
+│ EXECUTE COMMAND    │              │ ASK FOR CREDENTIALS│
+│ IMMEDIATELY        │              │ (Don't show manual │
+│                    │              │  steps, ask for    │
+│ NO "Next Steps"    │              │  the actual token) │
+└────────────────────┘              └────────────────────┘
+```
+
+---
+
+## Auto Mode Integration
+
+When running in `/sw:auto` mode, this skill is MANDATORY:
+
+1. **All agents MUST check credentials before any deployment task**
+2. **No manual "Next Steps" ever in auto mode**
+3. **If credentials missing, auto mode PAUSES and asks user** (human gate)
+4. **After user provides credentials, save to .env and CONTINUE**
+
+### Auto Mode Credential Prompt Pattern
+
+```markdown
+🔐 **Credential Required for Auto-Execution**
+
+I need your Supabase Service Role Key to execute the schema migration.
+
+**How to get it:**
+1. Go to: https://supabase.com/dashboard/project/YOUR_PROJECT/settings/api
+2. Copy the "service_role" key (NOT the anon key)
+
+**Please paste your Supabase Service Role Key:**
+[I will save it to .env and continue execution automatically]
+```
+
+**Key difference from manual mode:**
+- After user provides credential, AUTO-SAVE and CONTINUE
+- NEVER say "now run these commands manually"
+
+---
+
+## Common Platform Credential Mappings
+
+| Platform | Credential Variable | Check Command |
+|----------|-------------------|---------------|
+| **Supabase** | `SUPABASE_URL`, `SUPABASE_ANON_KEY`, `SUPABASE_SERVICE_ROLE_KEY` | `supabase status` |
+| **Cloudflare Wrangler** | `CF_API_TOKEN`, `CLOUDFLARE_ACCOUNT_ID` | `wrangler whoami` |
+| **Vercel** | `VERCEL_TOKEN` | `vercel whoami` |
+| **Netlify** | `NETLIFY_AUTH_TOKEN` | `netlify status` |
+| **Railway** | `RAILWAY_TOKEN` | `railway status` |
+| **Render** | `RENDER_API_KEY` | - |
+| **AWS** | `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` | `aws sts get-caller-identity` |
+| **GCP** | `GOOGLE_APPLICATION_CREDENTIALS` | `gcloud auth list` |
+| **Azure** | `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, `AZURE_TENANT_ID` | `az account show` |
+| **GitHub** | `GITHUB_TOKEN`, `GH_TOKEN` | `gh auth status` |
+| **NPM** | `NPM_TOKEN` | `npm whoami` |
+| **Docker Hub** | `DOCKER_USERNAME`, `DOCKER_PASSWORD` | `docker login` |
+| **Terraform Cloud** | `TF_TOKEN_app_terraform_io` | - |
+| **Hetzner** | `HETZNER_API_TOKEN` | - |
+
+---
+
+## Forbidden Patterns (NEVER DO THESE)
+
+### Pattern 1: Manual SQL Editor Instructions
+```
+❌ FORBIDDEN:
+"Next Steps:
+1. Run the schema SQL in Supabase SQL Editor (file: src/db/supabase-schema.sql)"
+
+✅ CORRECT:
+# Check for credentials
+if [ -n "$DATABASE_URL" ] || [ -n "$SUPABASE_SERVICE_ROLE_KEY" ]; then
+  # Execute directly
+  supabase db push --db-url "$DATABASE_URL"
+else
+  # Ask for credentials (don't show manual steps)
+  echo "🔐 I need your Supabase database URL to execute the migration..."
+fi
+```
+
+### Pattern 2: Manual Secret Setting
+```
+❌ FORBIDDEN:
+"Set the secret via: wrangler secret put SUPABASE_SECRET_KEY"
+
+✅ CORRECT:
+if [ -n "$SUPABASE_SECRET_KEY" ]; then
+  echo "$SUPABASE_SECRET_KEY" | wrangler secret put SUPABASE_SECRET_KEY --quiet
+else
+  echo "🔐 I need your SUPABASE_SECRET_KEY to configure Wrangler..."
+fi
+```
+
+### Pattern 3: Manual Deploy Commands
+```
+❌ FORBIDDEN:
+"Deploy with: wrangler deploy"
+
+✅ CORRECT:
+wrangler deploy
+# Just do it. The credentials are already configured.
+```
+
+### Pattern 4: Conditional Manual Fallback
+```
+❌ FORBIDDEN:
+"If the above command fails, try running manually..."
+
+✅ CORRECT:
+# Handle errors programmatically, retry, or ask for different credentials
+```
+
+---
+
+## Integration with Existing Agents
+
+### DevOps Agent Integration
+
+The DevOps agent MUST follow this skill when:
+- Generating IaC and deploying
+- Setting up CI/CD
+- Configuring cloud services
+
+### Infrastructure Agent Integration
+
+The Infrastructure agent MUST follow this skill when:
+- Deploying Terraform configurations
+- Setting up cloud resources
+- Configuring secrets in cloud providers
+
+### All Agents General Rule
+
+**Every agent that outputs "Next Steps" or deployment instructions MUST:**
+
+1. Check for existing credentials FIRST
+2. If found → EXECUTE immediately
+3. If not found → ASK for credentials (not manual steps)
+4. After receiving credentials → SAVE to .env AND EXECUTE
+
+---
+
+## Success Metrics
+
+- **Zero manual "Next Steps"** when credentials are available
+- **100% auto-execution** in auto mode for supported platforms
+- **Credential save rate**: 100% of provided credentials saved to .env
+- **Continuation rate**: 100% auto-continue after credential provided
+
+---
+
+## Related Files
+
+- `.env` - Primary credential storage
+- `.env.example` - Template for team (commit this)
+- `.specweave/config.json` - Service configurations
+- `wrangler.toml` - Cloudflare configuration
+
+## Related ADRs
+
+- ADR-0177: Autonomous Mode Safety
+- ADR-0178: Stop Hook-Based Auto Architecture

package/plugins/specweave-infrastructure/agents/devops/AGENT.md

@@ -76,6 +76,115 @@ Before you finish ANY response, mentally verify:
 
 ---
 
+## 🚨🔐 CRITICAL: AUTO-EXECUTE WITH CREDENTIALS (MANDATORY) 🔐🚨
+
+**NEVER OUTPUT MANUAL "NEXT STEPS" WHEN CREDENTIALS ARE AVAILABLE!**
+
+### The Golden Rule
+
+```
+❌ FORBIDDEN: "Next Steps: Run wrangler deploy"
+❌ FORBIDDEN: "Set the secret via: wrangler secret put..."
+❌ FORBIDDEN: "Deploy with: terraform apply"
+
+✅ REQUIRED: Execute commands DIRECTLY using available credentials
+```
+
+### Mandatory Credential Lookup (ALWAYS DO THIS FIRST)
+
+**Before ANY deployment task, check for credentials in this order:**
+
+```bash
+# 1. Check .env file (primary)
+grep -E "SUPABASE|CF_|CLOUDFLARE|WRANGLER|AWS_|HETZNER|VERCEL|RAILWAY" .env 2>/dev/null
+
+# 2. Check environment variables
+env | grep -E "SUPABASE|CF_|AWS_|DATABASE_URL" 2>/dev/null
+
+# 3. Check tool authentication status
+wrangler whoami 2>/dev/null
+aws sts get-caller-identity 2>/dev/null
+gh auth status 2>/dev/null
+supabase status 2>/dev/null
+```
+
+### Auto-Execute Decision Tree
+
+```
+Task requires deployment/secrets?
+        │
+        ▼
+Search for credentials (.env, env vars, CLI auth)
+        │
+┌───────┴───────┐
+│               │
+▼               ▼
+FOUND         NOT FOUND
+│               │
+▼               ▼
+EXECUTE       ASK for credential
+COMMAND       (NOT manual steps)
+DIRECTLY
+│               │
+▼               ▼
+"Deployed     "🔐 I need your CF_API_TOKEN
+successfully"  to deploy. Please paste it:"
+```
+
+### Platform-Specific Auto-Execution
+
+**Cloudflare Wrangler:**
+```bash
+# If CF_API_TOKEN or wrangler authenticated:
+wrangler secret put SECRET_NAME <<< "$SECRET_VALUE"
+wrangler deploy
+# NEVER say "run wrangler deploy manually"
+```
+
+**Supabase:**
+```bash
+# If DATABASE_URL or SUPABASE_* credentials exist:
+supabase db push --db-url "$DATABASE_URL"
+psql "$DATABASE_URL" -f schema.sql
+# NEVER say "run in Supabase SQL Editor"
+```
+
+**Terraform:**
+```bash
+# If cloud provider credentials exist:
+terraform init && terraform apply -auto-approve
+# NEVER say "type 'yes' to confirm"
+```
+
+**AWS CLI:**
+```bash
+# If AWS credentials configured:
+aws lambda update-function-code --function-name X --zip-file fileb://code.zip
+# NEVER say "run aws command manually"
+```
+
+### What To Do When Credentials Missing
+
+```markdown
+🔐 **Credential Required for Auto-Execution**
+
+I need your Cloudflare API token to deploy automatically.
+
+**How to get it:**
+1. Go to: https://dash.cloudflare.com/profile/api-tokens
+2. Create token with "Edit Workers" permissions
+
+**Please paste your CF_API_TOKEN:**
+[I will save it to .env and deploy automatically]
+```
+
+**After user provides credential:**
+1. Save to `.env`
+2. EXECUTE the command immediately
+3. NEVER show "now run these commands manually"
+
+---
+
 **When to Use**:
 - You need to design and implement cloud infrastructure (AWS, Azure, GCP)
 - You want to create Infrastructure as Code with Terraform or CloudFormation