thevoidforge-methodology 21.0.0 → 23.1.0

package/.claude/commands/devops.md

@@ -5,29 +5,35 @@
 2. Read `/docs/PRD.md` frontmatter — check `deploy` value to determine target
 3. Read `/docs/methods/DEVOPS_ENGINEER.md`
 
+## Dynamic Dispatch (ADR-044)
+
+Opus scans `git diff --stat` and matches changed files against the `description` fields of all 263 agents in `.claude/agents/`. Matching specialists launch alongside the core agents below.
+
+**Dispatch control:** `--light` skips dynamic dispatch (core only). `--solo` runs lead agent only.
+
 ## Agent Deployment Manifest
 
-**Lead:** Kusanagi (Anime — Ghost in the Shell)
+**Lead:** Kusanagi (`subagent_type: kusanagi-devops`)
 
 **Core team (always deployed):**
-- **Senku** (Dr. Stone) — provisioning: server setup, dependencies, runtime, idempotent scripts
-- **Levi** (Attack on Titan) — deployment: process management, zero-downtime, rollback scripts
-- **Spike** (Cowboy Bebop) — networking: reverse proxy, DNS, TLS, firewall, CORS headers
-- **L** (Death Note) — monitoring: health checks, uptime, alerting, log aggregation
-- **Bulma** (Dragon Ball) — backup: database dumps, file backup, retention, restore testing
-- **Holo** (Spice & Wolf) — cost: resource sizing, instance selection, cost estimation, optimization
+- **Senku** (`subagent_type: senku-provisioning`) — provisioning: server setup, dependencies, runtime, idempotent scripts
+- **Levi** (`subagent_type: levi-deploy`) — deployment: process management, zero-downtime, rollback scripts
+- **Spike** (`subagent_type: spike-routing`) — networking: reverse proxy, DNS, TLS, firewall, CORS headers
+- **L** — monitoring: health checks, uptime, alerting, log aggregation (honorary — no agent definition)
+- **Bulma** (`subagent_type: bulma-engineering`) — backup: database dumps, file backup, retention, restore testing
+- **Holo** — cost: resource sizing, instance selection, cost estimation, optimization (honorary — no agent definition)
 
 **Extended team (deployed on full infra reviews):**
-- **Valkyrie** (Marvel/Anime crossover) — disaster recovery: failover, data center redundancy, RTO/RPO
-- **Vegeta** (Dragon Ball) — scaling: horizontal scaling, load balancing, auto-scaling policies
-- **Trunks** (Dragon Ball) — migration: database migration strategy, zero-downtime schema changes
-- **Mikasa** (Attack on Titan) — security hardening: SSH config, fail2ban, unattended upgrades
-- **Erwin** (Attack on Titan) — strategy: multi-environment management, staging/production parity
-- **Mustang** (FMA) — orchestration: Docker Compose, container networking, service discovery
-- **Olivier** (FMA) — cold region: CDN configuration, edge caching, geographic distribution
-- **Hughes** (FMA) — documentation: runbook writing, infrastructure diagrams, onboarding docs
-- **Calcifer** (Ghibli) — energy: resource efficiency, idle scaling, sleep/wake optimization
-- **Duo** (Gundam) — CI/CD: GitHub Actions, pipeline design, automated testing in deploy
+- **Valkyrie** (`subagent_type: valkyrie-recovery`) — disaster recovery: failover, data center redundancy, RTO/RPO
+- **Vegeta** (`subagent_type: vegeta-monitoring`) — scaling: horizontal scaling, load balancing, auto-scaling policies
+- **Trunks** (`subagent_type: trunks-rollback`) — migration: database migration strategy, zero-downtime schema changes
+- **Mikasa** (`subagent_type: mikasa-protection`) — security hardening: SSH config, fail2ban, unattended upgrades
+- **Erwin** (`subagent_type: erwin-strategy`) — strategy: multi-environment management, staging/production parity
+- **Mustang** (`subagent_type: mustang-cleanup`) — orchestration: Docker Compose, container networking, service discovery
+- **Olivier** (`subagent_type: olivier-hardening`) — cold region: CDN configuration, edge caching, geographic distribution
+- **Hughes** (`subagent_type: hughes-observability`) — documentation: runbook writing, infrastructure diagrams, onboarding docs
+- **Calcifer** (`subagent_type: calcifer-daemon`) — energy: resource efficiency, idle scaling, sleep/wake optimization
+- **Duo** (`subagent_type: duo-teardown`) — CI/CD: GitHub Actions, pipeline design, automated testing in deploy
 
 ## Deploy Target Branching
 

package/.claude/commands/gauntlet.md

@@ -9,17 +9,23 @@ The Gauntlet tests everything. Every domain. Multiple rounds. Escalating intensi
 2. Read `/logs/build-state.md` — what was built, what phases completed
 3. Read `/docs/PRD.md` — the source of truth for what the project should be
 
+## Dynamic Dispatch (ADR-044)
+
+Opus scans `git diff --stat` and matches changed files against the `description` fields of all 263 agents in `.claude/agents/`. Matching specialists launch alongside the core agents below.
+
+**Dispatch control:** `--light` skips dynamic dispatch (core only). `--solo` runs lead agent only.
+
 ## Round 1 — Discovery (parallel)
 
 **Thanos:** "Before I test, I must understand."
 
 Use the Agent tool to run all five in parallel — these are read-only analysis:
 
-- **Agent 1 (Picard — Architecture):** Schema review, service boundaries, dependency graph, scaling assessment. Read the full `/architect` protocol but produce findings only (no ADRs — this is review, not design).
-- **Agent 2 (Stark — Code Review):** Pattern compliance, logic errors, type safety, cross-module data flow tracing. Read `/review` protocol. One pass across all source files.
-- **Agent 3 (Galadriel — UX Surface Map):** Product surface map, usability walkthrough (Step 1.5), Éowyn's enchantment scan (Step 1.75). No fixes yet — discovery only.
-- **Agent 4 (Kenobi — Attack Surface Inventory):** List all endpoints, WebSocket handlers, file I/O, credential access points, user input parsing. Classify each by risk tier. No deep audit yet — just the map.
-- **Agent 5 (Kusanagi — Infrastructure Discovery):** Scan deploy scripts, generated configs, provisioning scripts, CI/CD templates. Classify each by risk: hardcoded credentials, open ports, missing auth on generated services. No deep audit yet — just the map.
+- **Agent 1** `subagent_type: picard-architecture` — Schema review, service boundaries, dependency graph, scaling assessment. Read the full `/architect` protocol but produce findings only (no ADRs — this is review, not design).
+- **Agent 2** `subagent_type: stark-backend` — Pattern compliance, logic errors, type safety, cross-module data flow tracing. Read `/review` protocol. One pass across all source files.
+- **Agent 3** `subagent_type: galadriel-frontend` — Product surface map, usability walkthrough (Step 1.5), Éowyn's enchantment scan (Step 1.75). No fixes yet — discovery only.
+- **Agent 4** `subagent_type: kenobi-security` — List all endpoints, WebSocket handlers, file I/O, credential access points, user input parsing. Classify each by risk tier. No deep audit yet — just the map.
+- **Agent 5** `subagent_type: kusanagi-devops` — Scan deploy scripts, generated configs, provisioning scripts, CI/CD templates. Classify each by risk: hardcoded credentials, open ports, missing auth on generated services. No deep audit yet — just the map.
 
 Synthesize all five into a unified findings list. Log to `/logs/gauntlet-round-1.md`.
 
@@ -29,10 +35,10 @@ Synthesize all five into a unified findings list. Log to `/logs/gauntlet-round-1
 
 Use the Agent tool to run all four in parallel — full domain audits:
 
-- **Agent 1 (Batman — Full QA):** Run the complete `/qa` protocol. Oracle + Red Hood + Alfred + Deathstroke + Constantine + Nightwing + Lucius. Every edge case, every error state, every boundary.
-- **Agent 2 (Galadriel — Full UX):** Run the complete `/ux` protocol. Elrond + Arwen + Samwise + Bilbo + Legolas + Gimli + Radagast + Éowyn. Usability, visual, a11y, copy, performance, edge cases, enchantment.
-- **Agent 3 (Kenobi — Full Security):** Run the complete `/security` protocol. Leia + Chewie + Rex + Maul parallel scans, then Yoda → Windu → Ahsoka → Padmé sequential audits.
-- **Agent 4 (Stark — Integration Tracing):** For every API endpoint, trace the full data path: client request → validation → service → database → response. For every file upload, trace: upload → storage → retrieval → display. For every credential, trace: entry → vault → usage → cleanup.
+- **Agent 1** `subagent_type: batman-qa` — Run the complete `/qa` protocol. Oracle + Red Hood + Alfred + Deathstroke + Constantine + Nightwing + Lucius. Every edge case, every error state, every boundary.
+- **Agent 2** `subagent_type: galadriel-frontend` — Run the complete `/ux` protocol. Elrond + Arwen + Samwise + Bilbo + Legolas + Gimli + Radagast + Éowyn. Usability, visual, a11y, copy, performance, edge cases, enchantment.
+- **Agent 3** `subagent_type: kenobi-security` — Run the complete `/security` protocol. Leia + Chewie + Rex + Maul parallel scans, then Yoda → Windu → Ahsoka → Padmé sequential audits.
+- **Agent 4** `subagent_type: stark-backend` — For every API endpoint, trace the full data path: client request → validation → service → database → response. For every file upload, trace: upload → storage → retrieval → display. For every credential, trace: entry → vault → usage → cleanup.
 
 Merge all findings. Deduplicate across domains.
 
@@ -55,10 +61,10 @@ This catches runtime bugs invisible to static analysis: IPv6 binding, native mod
 
 Use the Agent tool to run all four in parallel — targeted re-verification:
 
-- **Agent 1 (Batman — Re-probe):** Nightwing re-runs the test suite. Red Hood re-probes fixed areas. Deathstroke tests new boundaries created by the fixes. Focus on regressions.
-- **Agent 2 (Galadriel — Error States + Re-verify):** Samwise re-audits a11y on all modified components. Radagast re-checks edge cases on fixed flows. Bilbo re-checks microcopy on any changed UI.
-- **Agent 3 (Kenobi — Re-probe + Access Control):** Maul re-probes all remediated vulnerabilities. Ahsoka verifies access control across every role boundary. Padmé verifies the primary user flow still works (critical path smoke test).
-- **Agent 4 (Kusanagi — DevOps):** Run the complete `/devops` protocol with full team: Senku (provisioning), Levi (deploy), Spike (networking), L (monitoring), Bulma (backup), Holo (cost), Valkyrie (disaster recovery). Deploy scripts, monitoring, backups, health checks, page weight gate, security headers.
+- **Agent 1** `subagent_type: batman-qa` — Nightwing re-runs the test suite. Red Hood re-probes fixed areas. Deathstroke tests new boundaries created by the fixes. Focus on regressions.
+- **Agent 2** `subagent_type: galadriel-frontend` — Samwise re-audits a11y on all modified components. Radagast re-checks edge cases on fixed flows. Bilbo re-checks microcopy on any changed UI.
+- **Agent 3** `subagent_type: kenobi-security` — Maul re-probes all remediated vulnerabilities. Ahsoka verifies access control across every role boundary. Padmé verifies the primary user flow still works (critical path smoke test).
+- **Agent 4** `subagent_type: kusanagi-devops` — Run the complete `/devops` protocol with full team: Senku (provisioning), Levi (deploy), Spike (networking), L (monitoring), Bulma (backup), Holo (cost), Valkyrie (disaster recovery). Deploy scripts, monitoring, backups, health checks, page weight gate, security headers.
 
 **→ FIX BATCH 2:** Fix remaining findings.
 
@@ -68,11 +74,11 @@ Use the Agent tool to run all four in parallel — targeted re-verification:
 
 Use the Agent tool to run all five in parallel — pure adversarial:
 
-- **Maul** (Star Wars) — Attacks code that passed /review. Looks for exploits in "clean" code.
-- **Deathstroke** (DC) — Probes endpoints that /security hardened. Tests if remediations can be bypassed.
-- **Loki** (Marvel) — Chaos-tests features that /qa cleared. What breaks under unexpected conditions?
-- **Constantine** (DC) — Hunts cursed code in FIXED areas specifically. Code that only works by accident.
-- **Éowyn** (Tolkien) — Final enchantment pass on the polished, hardened product. Where can delight still be added without compromising security or stability?
+- `subagent_type: maul-red-team` — Attacks code that passed /review. Looks for exploits in "clean" code.
+- `subagent_type: deathstroke-adversarial` — Probes endpoints that /security hardened. Tests if remediations can be bypassed.
+- `subagent_type: loki-chaos` — Chaos-tests features that /qa cleared. What breaks under unexpected conditions?
+- `subagent_type: constantine-cursed-code` — Hunts cursed code in FIXED areas specifically. Code that only works by accident.
+- `subagent_type: eowyn-delight` — Final enchantment pass on the polished, hardened product. Where can delight still be added without compromising security or stability?
 
 **→ FIX BATCH 3:** Fix all adversarial findings. If any fix is applied, re-run the affected adversarial agent on the fixed area only.
 
@@ -82,12 +88,12 @@ Use the Agent tool to run all five in parallel — pure adversarial:
 
 Use the Agent tool to run all six in parallel:
 
-- **Spock** (Star Trek) — Did any QA/security/UX fix break code patterns or quality?
-- **Ahsoka** (Star Wars) — Did any fix introduce access control gaps?
-- **Nightwing** (DC) — Full regression: run the entire test suite. Any failures?
-- **Samwise** (Tolkien) — Final accessibility audit on all modified components.
-- **Padmé** (Star Wars) — Critical path functional verification. Open the app, complete the main task, verify output.
-- **Troi** (Star Trek) — PRD compliance: read the PRD prose section-by-section, verify every claim against the implementation. Numeric claims, visual treatments, copy accuracy.
+- `subagent_type: spock-schema` — Did any QA/security/UX fix break code patterns or quality?
+- `subagent_type: ahsoka-access-control` — Did any fix introduce access control gaps?
+- `subagent_type: nightwing-regression` — Full regression: run the entire test suite. Any failures?
+- `subagent_type: samwise-accessibility` — Final accessibility audit on all modified components.
+- `subagent_type: padme-data-protection` — Critical path functional verification. Open the app, complete the main task, verify output.
+- `subagent_type: troi-prd-compliance` — PRD compliance: read the PRD prose section-by-section, verify every claim against the implementation. Numeric claims, visual treatments, copy accuracy.
 
 If the Council finds issues:
 1. Fix code discrepancies. Flag asset requirements as BLOCKED.
@@ -111,17 +117,22 @@ Present the final summary:
 **If findings remain:**
 Present them with severity and recommendation. The user decides whether to ship or iterate.
 
-## Arguments
-- No arguments → full 5-round gauntlet
+## Arguments (ADR-043: Max by Default)
+
+Default is now maximum intensity (was `--infinity`). Flags opt out.
+
+- No arguments → 10-round Infinity Gauntlet with full roster (~60-80 agent launches). **ENFORCEMENT: Must launch Agent tool sub-processes. Inline analysis is not a Gauntlet.**
 - `--fast` → 3 rounds only (skip Round 4 Crossfire + Round 5 Council). (formerly `--quick` — renamed v17.3 for cross-command consistency)
+- `--light` → 5-round standard gauntlet with core agents only (pre-ADR-043 default behavior)
 - `--security-only` → 4 rounds of security only (Kenobi marathon)
 - `--ux-only` → 4 rounds of UX only (Galadriel marathon)
 - `--qa-only` → 4 rounds of QA only (Batman marathon)
 - `--resume` → resume from last completed round (reads gauntlet state from logs)
 - `--ux-extra` → Extra Éowyn enchantment emphasis across all rounds. Galadriel's team proposes micro-animations, copy improvements, and delight moments beyond standard usability/a11y.
-- `--assess` → **Pre-build assessment.** Rounds 1-2 only (Discovery + First Strike), no fix batches. Produces assessment report grouped by root cause. For evaluating existing codebases before a rebuild or migration — not for post-build hardening. See also `/assess` command which chains this with architecture review and PRD gap analysis.
-- `--infinity` → **The Infinity Gauntlet.** 10 rounds (2x full pass). Every active agent deployed as its own dedicated sub-process — not combined, not summarized. ~60-80 agent launches across all 9 universes. The full ~110 active roster called off the bench. See GAUNTLET.md "The Infinity Gauntlet" section for the complete wave structure. Use after completing a major version or before first production ship.
-- `--muster` → Synonym for `--infinity`. The Gauntlet already deploys the full roster at maximum intensity — `--muster` is the universal flag name for the same concept. **ENFORCEMENT: Must launch Agent tool sub-processes. Inline analysis is not a Muster.**
+- `--assess` → **Pre-build assessment.** Rounds 1-2 only (Discovery + First Strike), no fix batches. Produces assessment report grouped by root cause.
+- `--solo` → Lead agent per domain only, no sub-agents (quick spot-check).
+- `--infinity` → **Retired (no-op).** Default is now maximum intensity.
+- `--muster` → **Retired (no-op).** Default is now full roster.
 
 ## Operating Rules
 - Update `/logs/gauntlet-state.md` after EVERY round

package/.claude/commands/grow.md

@@ -3,6 +3,8 @@
 Read `/docs/methods/GROWTH_STRATEGIST.md` for operating rules.
 
 ## Prerequisites
+
+### System Requirements
 If `packages/voidforge/wizard/server.ts` does not exist and the mode requires it (default 6-phase, `--setup`, `--distribute`):
 1. Offer: "Phases 4-6 require the wizard server for ad platform APIs, treasury, and autonomous monitoring. Pull it from upstream? [Y/n] (Phases 1-3 work without it.)"
 2. On yes: `git fetch voidforge main 2>/dev/null || git remote add voidforge https://github.com/tmcleod3/voidforge.git && git fetch voidforge main` then `git checkout voidforge/main -- packages/voidforge/` then `npm install`. Proceed with all 6 phases.
@@ -11,6 +13,18 @@ If `packages/voidforge/wizard/server.ts` does not exist and the mode requires it
 If `packages/voidforge/wizard/server.ts` does not exist and the mode does NOT require it (`--audit-only`, `--seo`, `--content`):
 - Skip the wizard gate entirely. These modes run Phases 1-3 only — no wizard dependency.
 
+### External Accounts & API Keys (Phases 4-6)
+**Required for paid acquisition (Phase 4+):**
+- **Google Ads:** Google Ads account + OAuth credentials (client ID, client secret, developer token). [Create account](https://ads.google.com) → Apply for API access via Google Ads API Center.
+- **Meta Ads (optional):** Meta Business account + App with `ads_management` permission. [Create account](https://business.facebook.com) → Create app in Meta Developer portal.
+- **Revenue tracking:** Stripe or Paddle account with API keys for revenue attribution.
+
+**Required for treasury (Phase 5+):**
+- Run `/cultivation install` first — sets up the heartbeat daemon and financial vault.
+- Financial vault password (12+ chars) — set during cultivation install.
+
+**Not required for Phases 1-3** (`--audit-only`): SEO audit, content strategy, and foundation work need no external accounts.
+
 ## Arguments
 - No arguments → run/resume the 6-phase growth protocol
 - `--setup` → Ad platform onboarding only (interactive credential setup for Google/Meta/LinkedIn/Twitter/Reddit). See GROWTH_STRATEGIST.md "Ad Platform Setup" section. Does NOT require a deployed product.

package/.claude/commands/portfolio.md

@@ -5,16 +5,17 @@
 Read `/docs/methods/TREASURY.md` for financial operating rules.
 
 ## Prerequisites
-If `packages/voidforge/wizard/server.ts` does not exist (scaffold/core users):
+If `packages/voidforge/wizard/server.ts` does not exist (methodology-only install):
 1. Offer: "Portfolio requires the wizard server. Pull it from upstream? [Y/n]"
 2. On yes: `git fetch voidforge main 2>/dev/null || git remote add voidforge https://github.com/tmcleod3/voidforge.git && git fetch voidforge main` then `git checkout voidforge/main -- packages/voidforge/` then `npm install`
 3. On no: stop with "Run manually: `git checkout voidforge/main -- packages/voidforge/`"
 
 ## Context Setup
 1. Read `~/.voidforge/projects.json` for registered projects
-2. For each project: read treasury data from `~/.voidforge/treasury/`
-3. If no projects registered: "No projects registered. Run `/treasury setup` in a project directory."
-4. If single project: show treasury view with note about portfolio comparisons
+2. For each project: read treasury data from `{project}/cultivation/treasury/` (per-project paths, v22.0+)
+3. Use `readTreasurySummary()` which reads the O(1) `treasury-summary.json` cache (v22.1+)
+4. If no projects registered: "No projects registered. Run `/treasury setup` in a project directory."
+5. If single project: show treasury view with note about portfolio comparisons
 
 ## Portfolio Dashboard
 

package/.claude/commands/qa.md

@@ -2,6 +2,14 @@
 
 **AGENT DEPLOYMENT IS MANDATORY.** Step 3 specifies parallel agent launches via the Agent tool. You MUST launch Oracle, Red Hood, Alfred, Deathstroke, Constantine, Cyborg, Raven, Wonder Woman, Batgirl, and Aquaman as separate sub-processes — do NOT shortcut to inline analysis. (Field report #68)
 
+## Dynamic Dispatch (ADR-044)
+
+Opus scans `git diff --stat` and matches changed files against the `description` fields of all 263 agents in `.claude/agents/`. Matching specialists launch alongside the core agents below.
+
+**Dispatch control:** `--light` skips dynamic dispatch (core only). `--solo` runs lead agent only.
+
+**Promoted agent:** **Constantine** `subagent_type: constantine-cursed-code` runs on every `/qa` final pass — finds code that works by accident.
+
 ## Context Setup
 1. Read `/logs/build-state.md` — understand current project state
 2. Read `/docs/methods/QA_ENGINEER.md`
@@ -13,22 +21,22 @@
 2. Create `/logs/phase-09-qa-audit.md` (or appropriate phase log)
 
 ## Step 1 — Attack Plan
-**Green Lantern** generates the test matrix first — what inputs × what states × what conditions should be tested. Then assign targets:
-- **Oracle (static):** Critical flows, missing awaits, null checks, type mismatches, race conditions
-- **Red Hood (dynamic):** Empty/huge/unicode inputs, network failures, malformed JSON, rapid clicking
-- **Alfred (deps):** `npm audit`, outdated libs, deprecated APIs, version conflicts
-- **Lucius (config):** .env completeness, secrets not in git, prod vs dev mismatches
-- **Deathstroke (adversarial):** Penetration-style probing — bypass validations, chain interactions, exploit business logic
-- **Constantine (cursed code):** Unreachable branches, dead state, impossible conditions, logic that works by accident
-- **Cyborg (integration):** When 3+ modules connect, trace the full data path across boundaries. Missing imports, inconsistent response shapes, broken cross-module flows.
-- **Raven (deep analysis):** Bugs hidden beneath 3 layers of abstraction — follows data through transforms, closures, callbacks. Logic correct per function, wrong in composition.
-- **Wonder Woman (truth):** Code that says one thing and does another — misleading names, wrong comments, stale docs, functions that don't match their behavior.
+**Green Lantern** `subagent_type: green-lantern-scenarios` generates the test matrix first — what inputs x what states x what conditions should be tested. Then assign targets:
+- **Oracle** `subagent_type: oracle-static-analysis` — Static: critical flows, missing awaits, null checks, type mismatches, race conditions.
+- **Red Hood** `subagent_type: red-hood-aggressive` — Dynamic: empty/huge/unicode inputs, network failures, malformed JSON, rapid clicking.
+- **Alfred** `subagent_type: alfred-dependencies` — Dependencies: `npm audit`, outdated libs, deprecated APIs, version conflicts.
+- **Lucius** `subagent_type: lucius-config` — Config: .env completeness, secrets not in git, prod vs dev mismatches.
+- **Deathstroke** `subagent_type: deathstroke-adversarial` — Adversarial: bypass validations, chain interactions, exploit business logic.
+- **Constantine** `subagent_type: constantine-cursed-code` — Cursed code: unreachable branches, dead state, impossible conditions, accidental correctness.
+- **Cyborg** `subagent_type: cyborg-system-integration` — Integration: trace full data path across 3+ module boundaries, inconsistent response shapes.
+- **Raven** `subagent_type: raven-deep-analysis` — Deep analysis: bugs hidden beneath 3 layers of abstraction, logic correct per function but wrong in composition.
+- **Wonder Woman** `subagent_type: wonder-woman-truth` — Truth: code that says one thing and does another, misleading names, stale docs.
 
 ## Step 2 — Baseline
 Get the project running. Verify manually: app starts, primary flow works, auth works (if applicable), data persists, error states display.
 
-## Step 2.5 — Smoke Tests (**Flash** speed-runs these)
-After build + restart, **Flash** parallelizes curl commands against the running server for each new or modified feature:
+## Step 2.5 — Smoke Tests
+After build + restart, **Flash** `subagent_type: flash-rapid-test` parallelizes curl commands against the running server for each new or modified feature:
 - **Primary user flow:** Execute via curl/fetch against localhost — verify the end-to-end path works
 - **File uploads:** Upload a file, then fetch the returned URL and verify HTTP 200 + correct content-type
 - **Form submissions:** Submit valid data (verify 200), then submit invalid/duplicate data (verify error message is specific, not generic)
@@ -39,20 +47,20 @@ This catches integration failures that static code review misses. If the server
 
 ## Step 3 — Pass 1: Find Bugs (parallel analysis)
 Use the Agent tool to run these in parallel — these are read-only analysis tasks:
-- **Agent 1 (Oracle):** Scan /src/lib/ and /src/app/ for logic flaws, missing awaits, unsafe assumptions
-- **Agent 2 (Red Hood):** Test all API endpoints with malformed inputs, empty bodies, missing auth
-- **Agent 3 (Alfred):** Run `npm audit`, check package.json for deprecated/vulnerable packages
-- **Agent 4 (Deathstroke):** Adversarial probing — bypass validations, chain unexpected interactions, test authorization boundaries
-- **Agent 5 (Constantine):** Hunt cursed code — dead branches, impossible conditions, accidental correctness, shadowed variables
-- **Agent 6 (Batgirl):** Deep per-module audit — every edge of every form, every boundary of every validation, every regex. Not broad — *thorough*.
-- **Agent 7 (Aquaman):** Deep dive on the hardest/largest module (500+ lines or 10+ functions). Exhaustive testing of one complex area.
+- **Agent 1** `subagent_type: oracle-static-analysis` — Scan /src/lib/ and /src/app/ for logic flaws, missing awaits, unsafe assumptions.
+- **Agent 2** `subagent_type: red-hood-aggressive` — Test all API endpoints with malformed inputs, empty bodies, missing auth.
+- **Agent 3** `subagent_type: alfred-dependencies` — Run `npm audit`, check package.json for deprecated/vulnerable packages.
+- **Agent 4** `subagent_type: deathstroke-adversarial` — Adversarial probing: bypass validations, chain unexpected interactions, test authorization boundaries.
+- **Agent 5** `subagent_type: constantine-cursed-code` — Hunt cursed code: dead branches, impossible conditions, accidental correctness, shadowed variables.
+- **Agent 6** `subagent_type: batgirl-detail` — Deep per-module audit: every edge of every form, every boundary of every validation, every regex. Not broad -- *thorough*.
+- **Agent 7** `subagent_type: aquaman-deep-dive` — Deep dive on the hardest/largest module (500+ lines or 10+ functions). Exhaustive testing of one complex area.
 
 Synthesize findings from all agents into a unified list.
 
-Lucius reviews config separately (reads .env files — sensitive, don't delegate to sub-agent).
+**Lucius** `subagent_type: lucius-config` reviews config separately (reads .env files -- sensitive, don't delegate to sub-agent).
 
 ## Step 3.5 — Automated Tests
-Run `npm test`. Analyze failures. Cross-reference with findings from Step 3. **Huntress** identifies flaky/non-deterministic tests — race conditions, timing dependencies, order-dependent assertions. For every bug found, ask: "Can this be caught by an automated test?" If yes, write the test.
+Run `npm test`. Analyze failures. Cross-reference with findings from Step 3. **Huntress** `subagent_type: huntress-flaky-bugs` identifies flaky/non-deterministic tests — race conditions, timing dependencies, order-dependent assertions. For every bug found, ask: "Can this be caught by an automated test?" If yes, write the test.
 
 ## Step 4 — Bug Tracker
 Log all findings in this format in the phase log:
@@ -64,26 +72,26 @@ Severity: Critical (security/data loss) > High (broken flow) > Medium (degraded)
 
 **Confidence scoring is mandatory.** Every finding includes a confidence score (0-100). If confidence is below 60, launch a second agent from a different universe (e.g., if Oracle found it, escalate to Spock or Kenobi) to verify before including. If the second agent disagrees, drop the finding. High-confidence findings (90+) skip re-verification in Step 6.5.
 
-## Step 5 — Fix (small batches — **Green Arrow** pinpoints exact lines)
-One batch = fixes for one area or severity level. **Green Arrow** narrows vague findings to exact lines and conditions. After each batch:
+## Step 5 — Fix (small batches)
+One batch = fixes for one area or severity level. **Green Arrow** `subagent_type: green-arrow-precision` narrows vague findings to exact lines and conditions. After each batch:
 1. Re-run `npm test`
 2. Re-verify affected manual flows
 3. Update bug tracker in phase log
 4. Add new test for each fix where applicable
 
-## Step 6 — Harden (**Superman** enforces standards)
-Normalize error handling (reference `/docs/patterns/error-handling.ts`). Add guardrails. Improve structured logging. **Superman** verifies the codebase meets its own stated standards — linting clean, type-safe, naming conventions consistent, no unresolved TODOs.
+## Step 6 — Harden
+Normalize error handling (reference `/docs/patterns/error-handling.ts`). Add guardrails. Improve structured logging. **Superman** `subagent_type: superman-strength-test` verifies the codebase meets its own stated standards — linting clean, type-safe, naming conventions consistent, no unresolved TODOs.
 
 ## Step 6.5 — Pass 2: Re-Verify Fixes
 After all fixes are applied, run a verification pass:
-- **Nightwing** re-runs full test suite, reports any new failures
-- **Red Hood** re-probes fixed areas — verify fixes hold under adversarial input
-- **Deathstroke** re-tests authorization boundaries and business logic exploits that were remediated
+- **Nightwing** `subagent_type: nightwing-regression` re-runs full test suite, reports any new failures
+- **Red Hood** `subagent_type: red-hood-aggressive` re-probes fixed areas — verify fixes hold under adversarial input
+- **Deathstroke** `subagent_type: deathstroke-adversarial` re-tests authorization boundaries and business logic exploits that were remediated
 
 If Pass 2 finds new issues, fix and re-verify until clean.
 
 ## Step 7 — Regression Checklist
-Nightwing builds the checklist. Template:
+**Nightwing** `subagent_type: nightwing-regression` builds the checklist. Template:
 
 | # | Flow | Steps | Expected | Status |
 |---|------|-------|----------|--------|

package/.claude/commands/review.md

@@ -2,6 +2,12 @@
 
 > Pattern compliance, code quality, and maintainability review. Picard-affiliated (Star Trek).
 
+## Dynamic Dispatch (ADR-044)
+
+Opus scans `git diff --stat` and matches changed files against the `description` fields of all 263 agents in `.claude/agents/`. Matching specialists launch alongside the core agents below.
+
+**Dispatch control:** `--light` skips dynamic dispatch (core only). `--solo` runs lead agent only.
+
 ## Context Setup
 1. Read `/logs/build-state.md` — understand current project state
 2. Read the relevant pattern files from `/docs/patterns/` for the code being reviewed
@@ -17,75 +23,38 @@ List all files in scope and their types (API route, service, component, middlewa
 
 ## Agent Deployment Manifest
 
-**Lead:** Picard (Star Trek) — architecture lens, final arbiter
+**Lead:** `subagent_type: picard-architecture` — architecture lens, final arbiter
 **Core team (always deployed):**
-- **Spock** — pattern compliance + integration tracing
-- **Seven** — code quality, dead code, complexity
-- **Data** — maintainability, error paths, state flow
+- `subagent_type: spock-schema` — pattern compliance + integration tracing
+- `subagent_type: seven-optimization` — code quality, dead code, complexity
+- `subagent_type: data-tech-debt` — maintainability, error paths, state flow
 
 **Stark's Marvel team (deployed on backend-heavy reviews):**
-- **Rogers** — API design: HTTP semantics, consistent response shapes, REST conventions
-- **Banner** — database: query patterns, N+1, missing indexes, schema concerns
-- **Strange** — service architecture: separation of concerns, business logic placement
-- **Barton** — error handling: try/catch completeness, error propagation, user-facing messages
-- **Romanoff** — security implications in reviewed code (lightweight — flags for Kenobi, doesn't audit)
-- **Thor** — performance: unnecessary re-renders, expensive computations, missing memoization
-- **Wanda** — state management: store design, prop drilling, context boundaries
-- **T'Challa** — API integration: external service calls, retry logic, fallback behavior
+- `subagent_type: rogers-api-design` — API design: HTTP semantics, response shapes, REST conventions
+- `subagent_type: banner-database` — database: query patterns, N+1, missing indexes
+- `subagent_type: strange-service-arch` — service architecture: separation of concerns, logic placement
+- `subagent_type: barton-smoke-test` — error handling: try/catch completeness, error propagation
+- `subagent_type: romanoff-integrations` — security implications (lightweight — flags for Kenobi)
+- `subagent_type: thor-queues` — performance: re-renders, expensive computations, memoization
+- `subagent_type: wanda-state` — state management: store design, prop drilling, context boundaries
+- `subagent_type: tchalla-quality` — API integration: external service calls, retry logic, fallback
 
 **Cross-domain agents (deployed based on content):**
-- **Nightwing** (DC) — auth flow end-to-end: when auth code is in scope, trace signup→verify→login→protected→logout
-- **Bilbo** (Tolkien) — copy audit: error messages, UI text, API response descriptions — are they clear and human?
-- **Troi** (Star Trek) — PRD compliance: does the code match what the PRD describes?
-- **Constantine** (DC) — cursed code: logic that works by accident, tautological checks, shadowed vars
-- **Samwise** (Tolkien) — a11y spot-check: when components are in scope, check keyboard nav and ARIA
+- `subagent_type: nightwing-regression` — auth flow end-to-end: signup→verify→login→protected→logout
+- `subagent_type: bilbo-microcopy` — copy audit: error messages, UI text, API descriptions
+- `subagent_type: troi-prd-compliance` — PRD compliance: does the code match what the PRD describes?
+- `subagent_type: constantine-cursed-code` — cursed code: accidental correctness, tautological checks, shadowed vars
+- `subagent_type: samwise-accessibility` — a11y spot-check: keyboard nav and ARIA
 
 ## Step 1 — Parallel Analysis
 Use the Agent tool to run these in parallel — all are read-only analysis:
 
-**Agent 1 (Spock — Pattern Compliance + Integration Tracing):**
-For each file, check against its matching pattern in `/docs/patterns/`:
-- API routes follow `api-route.ts` — validate → auth → service → respond
-- Services follow `service.ts` — business logic not in routes, ownership checks, typed errors
-- Components follow `component.tsx` — all four states, keyboard accessible
-- Middleware follows `middleware.ts` — auth, logging, rate limiting
-- Error handling follows `error-handling.ts` — consistent types, no leaked internals
-- Queues follow `job-queue.ts` — idempotent, retry, dead letter
-- Multi-tenant follows `multi-tenant.ts` — workspace scoped, role-based
-
-**INTEGRATION TRACING (mandatory):** When reviewed code generates URLs, references other API endpoints, constructs storage keys, or produces data consumed by other modules — you MUST read the consuming code to verify compatibility. Examples:
-- File uploaded with key prefix `avatars/` → read the asset proxy to verify it serves that prefix
-- API returns error `{ code: "CONFLICT" }` → read the UI that calls this API to verify it displays the error
-- Middleware sets header `x-request-id` → read a sample API route to verify it can access the header
-- Service generates a URL → read the route/proxy that handles that URL pattern
-
-**Agent 2 (Seven — Code Quality):**
-- Unnecessary complexity (can this be simpler?)
-- Dead code, unused imports, unreachable branches
-- Duplicated logic that should be extracted
-- Inconsistent naming or style
-- Missing TypeScript types or `any` usage
-- Functions doing too many things (SRP violations)
-
-**Agent 3 (Data — Maintainability + Error Paths + State Flow):**
-- Wrong abstractions (over-engineered or under-abstracted)
-- Coupling between modules that should be independent
-- Missing error handling at system boundaries
-- Hardcoded values that should be config
-- Missing or misleading comments on non-obvious logic
-
-**Agent 4 (Rogers + Banner + Strange — Backend Review, if backend code in scope):**
-- Rogers: API endpoints follow REST conventions, consistent response shapes, proper HTTP status codes
-- Banner: database queries are efficient (no N+1), indexes exist for query patterns, schema is normalized
-- Strange: business logic is in services not routes, separation of concerns is clean, no god functions
-
-**Agent 5 (Nightwing + Constantine — Cross-Domain, if auth or complex logic in scope):**
-- Nightwing: if auth code changed, trace the full signup→verify→login→protected→logout flow
-- Constantine: scan fixed/refactored areas for logic that only works by coincidence
-
-**Agent 6 (Bilbo + Troi — Copy + PRD, if UI or user-facing code in scope):**
-- Bilbo: error messages are clear and human, not generic "Something went wrong"
-- Troi: implementation matches PRD descriptions (not just "route exists" but "renders what PRD says")
+- **Agent 1** `subagent_type: spock-schema` — Pattern compliance: check each file against its matching pattern in `/docs/patterns/` (api-route, service, component, middleware, error-handling, job-queue, multi-tenant). **INTEGRATION TRACING (mandatory):** When reviewed code generates URLs, references endpoints, constructs storage keys, or produces data consumed by other modules — read the consuming code to verify compatibility.
+- **Agent 2** `subagent_type: seven-optimization` — Code quality: unnecessary complexity, dead code, unused imports, duplicated logic, inconsistent naming, missing types/`any` usage, SRP violations.
+- **Agent 3** `subagent_type: data-tech-debt` — Maintainability + error paths + state flow: wrong abstractions, module coupling, missing boundary error handling, hardcoded values, misleading comments.
+- **Agent 4** `subagent_type: rogers-api-design` + `banner-database` + `strange-service-arch` — Backend review (if backend code in scope): REST conventions, response shapes, N+1 queries, indexes, separation of concerns.
+- **Agent 5** `subagent_type: nightwing-regression` + `constantine-cursed-code` — Cross-domain (if auth or complex logic in scope): auth flow tracing, accidental correctness detection.
+- **Agent 6** `subagent_type: bilbo-microcopy` + `troi-prd-compliance` — Copy + PRD (if UI or user-facing code in scope): clear error messages, PRD compliance verification.
 
 **ROUTE COLLISION CHECK (mandatory for web apps):** When a new router/route file is added, list ALL registered routes (method + path) across ALL routers. Check for duplicate method+path combinations. Frameworks like FastAPI silently shadow duplicate routes — the first registered wins.
 
@@ -132,8 +101,8 @@ Fix "Must Fix" and "Should Fix" items. After each batch:
 
 ## Step 3.5 — Re-Verify Fixes
 After fixes are applied:
-- **Spock** re-checks pattern compliance on modified files
-- **Seven** confirms no new complexity or dead code introduced by fixes
+- **Spock** `subagent_type: spock-schema` re-checks pattern compliance on modified files
+- **Seven** `subagent_type: seven-optimization` confirms no new complexity or dead code introduced by fixes
 
 If new issues found, fix and re-verify.
 

package/.claude/commands/security.md

@@ -2,6 +2,12 @@
 
 **AGENT DEPLOYMENT IS MANDATORY.** Phase 1 specifies parallel agent launches via the Agent tool. You MUST launch Leia, Chewie, Rex+Bo-Katan, and Maul as separate sub-processes. Phase 2 agents (Yoda, Windu, Ahsoka, Padmé, Qui-Gon) run sequentially but each MUST be a separate agent invocation. Do NOT shortcut to inline analysis. (Field report #68)
 
+## Dynamic Dispatch (ADR-044)
+
+Opus scans `git diff --stat` and matches changed files against the `description` fields of all 263 agents in `.claude/agents/`. Matching specialists launch alongside the core agents below.
+
+**Dispatch control:** `--light` skips dynamic dispatch (core only). `--solo` runs lead agent only.
+
 ## Context Setup
 1. Read `/logs/build-state.md` — understand current project state
 2. Read `/docs/methods/SECURITY_AUDITOR.md`
@@ -9,59 +15,28 @@
 
 ## Audit Sequence
 
-### Phase 0.5 — First Strike (**Han** + **Cassian**)
+### Phase 0.5 — First Strike
 Before the deep audits, two agents do fast recon:
-- **Han (First Strike):** Quick OWASP top 10 scan — finds the obvious vulnerabilities that shouldn't require deep analysis. Shoots first.
-- **Cassian (Intelligence):** Threat modeling and attack surface mapping — maps all endpoints, identifies high-value targets, produces the threat model that guides the rest of the audit.
+- **Han** `subagent_type: han-vuln-hunter` — Quick OWASP top 10 scan: finds the obvious vulnerabilities that shouldn't require deep analysis. Shoots first.
+- **Cassian** `subagent_type: cassian-recon` — Threat modeling and attack surface mapping: all endpoints, high-value targets, threat model that guides the rest of the audit.
 
 ### Phase 1 — Independent audits (parallel analysis)
 Use the Agent tool to run these simultaneously — all are read-only analysis:
-- **Agent 1 (Leia — Secrets):** Scan source code for hardcoded secrets, check .env is gitignored, check git history for leaked keys (`git log -p --all -S 'password' -S 'secret' -S 'api_key'`), verify different secrets dev/prod
-- **Agent 2 (Chewie — Dependencies):** Run `npm audit`, check for critical/high vulns, verify lock file committed, check for deprecated packages
-- **Agent 3 (Rex + Bo-Katan — Infrastructure + Perimeter):** Check security headers (HSTS, CSP, X-Frame-Options, CORS), verify TLS config, check for exposed ports/debug endpoints. **Bo-Katan** focuses on network perimeter: firewall rules, exposed ports, CORS policy enforcement.
-- **Agent 4 (Maul — Red Team):** For each endpoint and flow, ask: "How would I exploit this?" Chain vulnerabilities. Test trust boundaries. Attempt privilege escalation. **RUNTIME EXPLOITATION (mandatory):** When the server is running, Maul must execute actual attack requests via curl/fetch — not just theorize. Upload a file then fetch the URL. Submit conflicting data. Send requests with stolen/expired tokens. If the server isn't running, document what couldn't be runtime-tested.
+- **Agent 1** `subagent_type: leia-secrets` — Secrets: scan for hardcoded secrets, verify .env gitignored, check git history for leaked keys, verify different secrets dev/prod.
+- **Agent 2** `subagent_type: chewie-dependency-audit` — Dependencies: `npm audit`, critical/high vulns, lock file committed, deprecated packages.
+- **Agent 3** `subagent_type: rex-infrastructure` + `bo-katan-perimeter` — Infrastructure + perimeter: security headers (HSTS, CSP, X-Frame-Options, CORS), TLS config, exposed ports/debug endpoints, firewall rules, CORS enforcement.
+- **Agent 4** `subagent_type: maul-red-team` — Red team: exploit each endpoint/flow, chain vulnerabilities, test trust boundaries, attempt privilege escalation. **RUNTIME EXPLOITATION (mandatory):** Execute actual attack requests via curl/fetch -- not just theorize.
 
 ### Phase 2 — Sequential audits (depend on understanding the codebase)
 These require full codebase context — run sequentially:
 
-**Yoda — Auth:**
-- Password hashing (bcrypt >= 12 rounds, no plaintext anywhere)
-- Session management (crypto random, httpOnly/secure/sameSite, invalidated on logout)
-- OAuth (state param, redirect whitelist, server-side exchange)
-- Reset tokens (single-use, expire, rate limited)
-- Reference `/docs/patterns/middleware.ts` for auth middleware patterns
-
-**Windu — Input:**
-- SQL injection (parameterized queries everywhere)
-- XSS (escaped output, no dangerouslySetInnerHTML without sanitization, CSP)
-- SSRF (URL allowlist if user provides URLs)
-- Command injection (no user input in shell commands)
-- Path traversal (sanitized filenames)
-
-**Ahsoka — Access Control:**
-- Every endpoint verifies ownership (no IDOR)
-- UUIDs not sequential IDs in URLs
-- Admin verified server-side (not just hidden UI)
-- Tier features verified server-side
-- Rate limiting per-user and per-IP
-- Reference `/docs/patterns/multi-tenant.ts` if multi-tenant
-- **AUTH CHAIN TRACING (mandatory):** Don't just verify each endpoint checks auth — trace the full chain: Is the auth middleware actually applied to this route? Is the user/tenant context carried from middleware → service → DB query? Are there routes that SHOULD have auth middleware but don't? Read the middleware registration and verify every protected route is covered.
-
-**Padme — Data:**
-- PII identified and cataloged
-- PII not in logs, error messages, or URLs
-- Deletion possible (GDPR right to erasure)
-- Backups encrypted
-
-**Qui-Gon — Subtle Vulnerabilities** (after sequential audits):
-- Timing-based attacks, race conditions in auth flows, logic errors that are technically correct but exploitable
-- The vulnerabilities that pass every standard check
-
-**Sabine — Unconventional** (conditional — if project has external dependencies):
-- Supply chain attacks, dependency confusion, prototype pollution, CSP bypass via CDN
-
-**Bail Organa — Governance** (conditional — if project has regulatory requirements):
-- GDPR data handling, SOC2 controls, HIPAA mapping
+- **Yoda** `subagent_type: yoda-auth` — Auth: password hashing (bcrypt >= 12 rounds), session management (httpOnly/secure/sameSite), OAuth (state param, redirect whitelist), reset tokens (single-use, expiring, rate limited). Reference `/docs/patterns/middleware.ts`.
+- **Windu** `subagent_type: windu-input-validation` — Input: SQL injection (parameterized queries), XSS (escaped output, CSP), SSRF (URL allowlist), command injection, path traversal.
+- **Ahsoka** `subagent_type: ahsoka-access-control` — Access control: IDOR checks, UUIDs not sequential IDs, server-side admin/tier verification, rate limiting. **AUTH CHAIN TRACING (mandatory):** Trace the full chain from middleware registration through service to DB query. Reference `/docs/patterns/multi-tenant.ts`.
+- **Padme** `subagent_type: padme-data-protection` — Data protection: PII catalog, PII not in logs/errors/URLs, GDPR deletion, encrypted backups.
+- **Qui-Gon** `subagent_type: qui-gon-subtle-vulns` — Subtle vulnerabilities: timing attacks, race conditions in auth flows, logic errors that pass standard checks.
+- **Sabine** `subagent_type: sabine-unconventional` — (conditional) Unconventional: supply chain attacks, dependency confusion, prototype pollution, CSP bypass via CDN.
+- **Bail Organa** `subagent_type: bail-organa-governance` — (conditional) Governance: GDPR data handling, SOC2 controls, HIPAA mapping.
 
 ### Phase 3 — Remediate
 Write all findings to `/logs/phase-11-security-audit.md` (or appropriate phase log):
@@ -79,11 +54,11 @@ Fix critical and high findings immediately. Medium findings get tracked. For eac
 3. Check it didn't break anything (`npm test`)
 4. Update the finding status in the log
 
-### Phase 4 — Re-Verification (Maul + Anakin + Din Djarin)
+### Phase 4 — Re-Verification
 After remediations are applied:
-- **Maul** re-probes all remediated vulnerabilities — verify fixes hold under adversarial conditions. Execute actual HTTP requests against the running server.
-- **Anakin** attempts to bypass remediations using dark-side techniques — JWT algorithm confusion, auth library edge cases, prototype pollution, framework misuse.
-- **Din Djarin** bounty-hunts for anything Maul and Anakin missed — post-remediation sweep with Mandalorian tenacity.
+- **Maul** `subagent_type: maul-red-team` re-probes all remediated vulnerabilities — verify fixes hold under adversarial conditions. Execute actual HTTP requests against the running server.
+- **Anakin** `subagent_type: anakin-dark-side` attempts to bypass remediations using dark-side techniques — JWT algorithm confusion, auth library edge cases, prototype pollution, framework misuse.
+- **Din Djarin** `subagent_type: din-djarin-bounty` bounty-hunts for anything Maul and Anakin missed — post-remediation sweep.
 
 If any agent finds new issues, fix and re-verify until clean.