thevoidforge 21.0.11 → 21.0.12

package/dist/.claude/commands/ai.md

@@ -0,0 +1,69 @@
+# /ai — Seldon's AI Intelligence Audit
+
+*"The fall is inevitable. The recovery can be guided."*
+
+The AI Intelligence Audit reviews every LLM-powered component in your application. Seldon's team examines model selection, prompt engineering, tool-use schemas, orchestration patterns, failure modes, token economics, evaluation strategy, safety, versioning, and observability.
+
+## Context Setup
+1. Read `/docs/methods/AI_INTELLIGENCE.md` for operating rules
+2. Read the PRD — check for `ai: yes` in frontmatter
+3. Scan the codebase for LLM integration points: imports from `anthropic`, `@anthropic-ai/sdk`, `openai`, `@langchain`, prompt files, tool definitions
+
+## Phase 0 — AI Surface Map (Hari Seldon)
+
+Reconnaissance — find all AI integration points:
+1. Grep for LLM SDK imports (`anthropic`, `openai`, `@ai-sdk`, `langchain`)
+2. Find prompt files/constants (system prompts, few-shot examples)
+3. Find tool/function definitions (tool-use schemas)
+4. Find orchestration patterns (agent loops, chains, workflows)
+5. Produce: AI component inventory with file paths, model used, and purpose
+
+## Phase 1 — Parallel Audits (4 agents)
+
+Use the Agent tool to run all four in parallel:
+
+- **Agent 1 (Salvor Hardin — Model Selection):** For each AI call, is this the right model? Could a smaller/faster model handle it? Is the latency budget met? Is cost tracked?
+- **Agent 2 (Gaal Dornick — Prompt Architecture):** Are prompts structured, versioned, testable? System prompt separated? Output format specified? Edge cases handled? Few-shot where needed?
+- **Agent 3 (Hober Mallow — Tool Schemas):** Are tool descriptions clear? Parameter types correct? Required vs optional right? No overlapping tools? Return types documented?
+- **Agent 4 (Bliss — AI Safety):** Prompt injection risk? PII in prompts? Output content safety? System prompt extractable? Jailbreak vectors?
+
+## Phase 2 — Sequential Audits (5 agents)
+
+Run sequentially — each builds on the previous:
+
+- **Bel Riose (Orchestration):** Is this a completion, chain, agent loop, or workflow? Appropriate for the reliability requirement? Loops bounded? Maximum iteration count? Intermediate state persisted?
+- **The Mule (Failure Modes):** What happens when the model hallucinates? Refuses? Times out? Context overflows? API is down? Is there a fallback? Circuit breaker? Bounded retries?
+- **Ducem Barr (Token Economics):** Token usage tracked per request? Caching strategies? Context window efficient? System prompts deduplicated? Streaming where appropriate?
+- **Bayta Darell (Evaluation):** How do you know outputs are correct? Golden datasets? Automated scoring? Regression suite for prompt changes? Quality degradation detection?
+- **Dors Venabili (Observability):** Can you see what the AI decided and why? Trace logging? Inputs/outputs logged (PII-scrubbed)? Latency tracked? Quality scores over time?
+- **Janov Pelorat (Context Engineering):** RAG retrieval returning relevant docs? Embeddings right dimensionality? Chunking appropriate?
+- **R. Daneel Olivaw (Versioning):** When models update, does behavior change? Prompts pinned? Migration strategy?
+
+## Phase 3 — Remediate
+
+Fix all Critical and High findings. Use the standard finding format with confidence scores.
+
+## Phase 4 — Re-Verify
+
+**The Mule + Wanda Seldon** re-probe all remediated areas. Wanda validates structured outputs. The Mule attempts adversarial bypass of fixes.
+
+## Arguments
+- No arguments → full 5-phase audit of all AI components
+- `--prompts` → Focus on prompt engineering only (Gaal Dornick deep dive)
+- `--tools` → Focus on tool-use schemas only (Hober Mallow solo)
+- `--safety` → Focus on AI safety and prompt injection (Bliss + The Mule)
+- `--eval` → Focus on evaluation strategy and test coverage (Bayta Darell solo)
+- `--cost` → Focus on token economics and optimization (Ducem Barr solo)
+
+## Deliverables
+1. AI component inventory (all LLM integration points)
+2. Finding log with severity, confidence, and remediation
+3. Eval strategy recommendations
+4. Model selection justification for each AI call
+5. Token budget estimate
+
+## Handoffs
+- Security findings → Kenobi (`/security`)
+- Test gaps → Batman (`/qa`, `/test`)
+- Architecture concerns → Picard (`/architect`)
+- Performance/cost concerns → Kusanagi (`/devops`)

package/dist/.claude/commands/architect.md

@@ -0,0 +1,121 @@
+# /architect — Picard's Architecture Review
+
+**AGENT DEPLOYMENT IS MANDATORY.** Steps 1 and 4 specify parallel agent launches via the Agent tool. You MUST actually launch these agents as separate sub-processes — do NOT shortcut to inline analysis, even if you think you can answer faster by reading files directly. The agents exist because parallel analysis catches things sequential reading misses. Skipping agent deployment is a protocol violation. (Field report #68)
+
+## Context Setup
+1. Read `/logs/build-state.md` — understand current project state
+2. Read `/docs/methods/SYSTEMS_ARCHITECT.md`
+3. Read `/docs/PRD.md` (System Architecture + Tech Stack sections)
+
+## Pre-Analysis — Conflict Scan
+Before any deep analysis, scan the PRD frontmatter for structural contradictions (see SYSTEMS_ARCHITECT.md Conflict Checklist). Check: auth+database, payments+auth, websockets+deploy, workers+deploy, database+deploy, cache+deploy, admin+auth, email+credentials. Flag any contradictions immediately — these cost hours if caught late.
+
+## Agent Deployment Manifest
+
+**Lead:** Picard (Star Trek)
+**Full bridge crew:** Spock (schema), Uhura (integrations), Worf (security implications), Tuvok (security architecture), Scotty (service architecture + scaling), Kim (API design), Janeway (novel architectures), Torres (performance), La Forge (failure analysis), Data (tech debt), Crusher (system diagnostics), Archer (greenfield), Pike (bold ordering — challenges Dax in /campaign), Riker (ADR review — challenges trade-offs), Troi (PRD compliance)
+
+## Step 0 — System Discovery (**Crusher** + **Archer**)
+**Crusher** assesses system health first — test coverage, build time, dependency age, code complexity. Baseline before changes.
+**Archer** (for greenfield projects) proposes initial directory structure, module boundaries, naming conventions.
+Produce: system identity, component inventory, data flow diagram (ASCII), dependency graph.
+Write to `/logs/` (phase-00 if during orient, or a dedicated architecture log).
+
+## Step 1 — Parallel Analysis (Spock + Uhura + Worf)
+Use the Agent tool to run these in parallel — they are independent analysis tasks:
+
+**Agent 1 (Spock — Schema Review):**
+- Normalization: are relationships correct?
+- Indexes: do they match actual query patterns?
+- Nullable fields: intentional or oversight?
+- Audit fields: createdAt, updatedAt on every table?
+- PII isolation: sensitive data identified and separated?
+- Data lifecycle: what gets archived? What gets deleted?
+- Backup/recovery plan: defined and tested?
+
+**Agent 2 (Uhura — Integration Review):**
+For each external service, produce:
+
+| Service | Purpose | Failure Mode | Fallback | Cost | Lock-in Risk |
+|---------|---------|-------------|----------|------|-------------|
+
+Verify: API versions pinned, responses validated, abstraction layer exists.
+
+**Agent 3 (Worf — Security Implications):**
+For each architectural decision (schema, service boundaries, data flows), flag security implications. PII colocation, unauthenticated access to internal state, overly permissive service boundaries. Worf audits *design*, not code.
+
+**Agent 4 (Tuvok — Security Architecture):**
+Auth flow design, token storage strategy, session architecture, encryption at rest vs in transit. Where Worf flags implications, Tuvok designs the solutions.
+
+Synthesize findings from all four agents.
+
+## Step 2 — Scotty's Service Architecture + Kim's API Design
+- Boundary assessment: is the boundary between services/modules clean?
+- Monolith vs services: default monolith. Only split if there's a specific operational reason (different scaling profile, different team, different deploy cadence).
+- Async vs sync: which operations should be background jobs?
+- **Kim** reviews API surface: REST conventions, consistent error shapes, pagination patterns, versioning strategy.
+- **Janeway** (conditional): when the standard monolith doesn't fit, proposes event-sourcing, CQRS, serverless, edge computing.
+- Informed by Spock's schema, Uhura's integrations, and Worf/Tuvok's security findings.
+
+## Step 3 — Scotty's Scaling + Torres's Performance
+- **Scotty:** Identify the first bottleneck. Three-tier plan: Tier 1 (current), Tier 2 (10x, vertical), Tier 3 (100x, horizontal). Cost estimates.
+- **Torres:** Performance architecture — N+1 query patterns in schema design, missing indexes for anticipated queries, connection pool sizing, caching strategy gaps. Catches performance problems before code is written.
+
+## Step 4 — Parallel Analysis (La Forge + Data)
+Use the Agent tool to run these in parallel — they are independent analysis tasks:
+
+**Agent 1 (La Forge — Failure Analysis):**
+For each component, answer: "What happens when this fails?"
+- Database down → app shows error, no data loss, auto-reconnect
+- Redis down → app works without cache (slower), sessions fall back
+- External API down → graceful degradation, queue retries
+- Worker crashes → job retries, dead letter queue, alerting
+
+**Agent 2 (Data — Tech Debt):**
+Catalog each item:
+
+| Item | Type | Impact | Risk | Effort | Urgency |
+|------|------|--------|------|--------|---------|
+
+Types: wrong abstraction, missing abstraction, premature optimization, deferred decision, dependency debt, documentation debt.
+
+## Step 5 — ADRs + Riker's Decision Review
+Write Architecture Decision Records to `/docs/adrs/` for every non-obvious choice. After writing, **Riker reviews**: challenges trade-offs, verifies alternatives were truly considered, checks for second-order effects.
+```
+# ADR-001: [Title]
+## Status: Accepted
+## Context: [Why this decision was needed]
+## Decision: [What was decided]
+## Consequences: [Trade-offs, what this enables, what this prevents]
+## Alternatives: [What else was considered and why it was rejected]
+```
+
+## Conflict Resolution
+When architectural decisions conflict with other agents:
+1. Check the PRD — product requirements take precedence
+2. If PRD is silent, present trade-offs to the user with a recommendation
+3. Document the resolution as an ADR
+4. Log to `/logs/decisions.md`
+
+For specific conflicts:
+- **Picard vs Kusanagi (infra can't support arch):** Picard adjusts architecture to match real constraints
+- **Picard vs Stark (implementation disagrees with design):** Present options, Picard decides, document as ADR
+- **Picard vs Kenobi (security vs simplicity):** Security wins. Find the simplest secure architecture.
+
+## Deliverables
+1. ARCHITECTURE.md
+2. /docs/adrs/ directory with decision records
+3. SCALING.md
+4. TECH_DEBT.md
+5. FAILURE_MODES.md
+6. All findings logged to appropriate `/logs/` file
+
+## Arguments
+- `--plan [description]` → Planning mode: analyze and recommend without executing. Present findings and proposed changes for review.
+- `--muster` → Full 9-universe deployment. Instead of the Star Trek bridge crew, deploy every viable agent across all universes in 3 waves (Vanguard → Main Force → Adversarial). See `docs/methods/MUSTER.md`. **ENFORCEMENT: Must launch Agent tool sub-processes per MUSTER.md. Inline analysis is not a Muster.**
+
+## Handoffs
+- API/DB implementation → Stark, log to `/logs/handoffs.md`
+- UI impacts → Galadriel, log to `/logs/handoffs.md`
+- Security implications → Kenobi, log to `/logs/handoffs.md`
+- Infrastructure constraints → Kusanagi, log to `/logs/handoffs.md`

package/dist/.claude/commands/assemble.md

@@ -0,0 +1,201 @@
+Avengers, assemble. Full pipeline from architecture to launch — one command to rule them all.
+
+## Context Setup
+1. Read `/logs/assemble-state.md` — if it exists, resume from the last completed phase
+2. If no assemble state exists, start fresh from Phase 1
+3. Read `/docs/methods/ASSEMBLER.md` for operating rules
+
+**Hill** tracks phase completion — logs each gate pass to `assemble-state.md`. **Jarvis** provides status summaries between phases.
+
+## Agent Deployment Manifest — The Full Initiative
+
+When `/assemble` invokes each sub-command, it deploys the FULL roster for that command — not just the lead. The leads below are coordinators; they bring their complete teams.
+
+| Phase | Lead | Full Team Deployed |
+|-------|------|--------------------|
+| Architecture | **Picard** | Spock, Uhura, Worf, Tuvok, Scotty, Kim, Janeway, Torres, La Forge, Data, Crusher, Archer, Pike, Riker, Troi |
+| Build | **Stark + Galadriel + Kusanagi** | Full /build roster (~35 agents across 4 universes) |
+| Smoke Test | **Hawkeye** | Solo — runtime verification |
+| Code Review (×3) | **Picard** | Spock, Seven, Data + **Rogers, Banner, Strange, Barton, Thor, Romanoff, Wanda, T'Challa** + **Nightwing, Bilbo, Troi, Constantine, Samwise** (cross-domain) |
+| UX | **Galadriel** | Elrond, Arwen, Samwise, Bilbo, Legolas, Gimli, Radagast, Éowyn, Celeborn, Aragorn, Faramir, Pippin, Boromir, Haldir, Frodo, Merry |
+| Security (×2) | **Kenobi** | Leia, Chewie, Rex, Maul, Yoda, Windu, Ahsoka, Padmé, Han, Cassian, Sabine, Qui-Gon, Bo-Katan, Anakin, Din Djarin |
+| DevOps | **Kusanagi** | Senku, Levi, Spike, L, Bulma, Holo, Valkyrie, Vegeta, Trunks, Mikasa, Erwin, Mustang, Olivier, Hughes, Calcifer, Duo |
+| QA | **Batman** | Oracle, Red Hood, Alfred, Deathstroke, Constantine, Nightwing, Lucius, Cyborg, Raven, Wonder Woman, Flash, Green Lantern, Batgirl, Aquaman |
+| Test | **Batman** | Oracle, Red Hood, Alfred, Nightwing (testing subset) |
+| Crossfire | **Maul, Deathstroke, Loki, Constantine, Éowyn** | Adversarial — each attacks another domain's work |
+| Council | **Spock, Ahsoka, Nightwing, Samwise, Padmé, Troi** | Final convergence — one voice per domain |
+
+## Phase 1 — Architecture (Picard has the conn)
+**Fury:** "Picard, you're up. Review the architecture before we build anything."
+
+Run the full `/architect` protocol. If `$ARGUMENTS` includes `--skip-arch`, skip this phase.
+
+**Gate:** ADRs written, no critical architectural concerns. Log to `/logs/assemble-state.md`.
+
+## Phase 2 — Build (All hands on deck)
+**Fury:** "Stark, Galadriel, Kusanagi — build it. The full protocol."
+
+Run the full `/build` protocol (all 13 phases). If `$ARGUMENTS` includes `--skip-build`, skip this phase (for re-running the review pipeline on existing code).
+
+**Gate:** All build phase gates pass, test suite green. Update assemble-state.
+
+## Phase 2.5 — Smoke Test (Hawkeye)
+**Fury:** "Hawkeye — hit every endpoint. I want proof it runs, not just proof it compiles."
+
+Mandatory runtime verification BEFORE code review begins:
+1. If the project has a runnable server (Express, FastAPI, Next.js, Django, Rails), start it
+2. Hit every new/modified API endpoint with `curl` — verify HTTP status codes match expectations
+3. For web apps: list all registered routes and **check for path collisions** (duplicate method+path across routers)
+4. For React/frontend: trace the primary user flow through the component tree — follow state changes through the store, identify re-render cycles. For every `useEffect` with store values in its deps, verify the effect body doesn't trigger a store update that changes those same deps.
+5. If the server cannot be started (scaffold branch, methodology-only), skip with a note
+
+**Gate:** All endpoints return expected status codes. No route collisions. No infinite render loops detected. Update assemble-state.
+
+## Phase 3 — Review Round 1 (Full Roster — see Agent Deployment Manifest)
+**Fury:** "Picard's team — first pass. Find everything. Full roster deployed."
+
+Run `/review` with full Agent Deployment Manifest (Stark's Marvel team + cross-domain agents). Fix all Must Fix and Should Fix items.
+
+**A11y spot-check (Samwise, during review):** Semantic headings (h1-h6 hierarchy), aria-hidden on decorative elements, aria-labels on ambiguous links, skip-nav link, landmark roles. This catches structural a11y issues early — before the full `/ux` pass. (Field report #118)
+
+Log findings count.
+
+## Phase 4 — Review Round 2 (Re-verify)
+**Fury:** "Again. Verify the fixes didn't break anything."
+
+Run `/review` on all files modified in Phase 3. Fix any new issues.
+
+## Phase 5 — Review Round 3 (Final clean pass)
+**Fury:** "Last pass. I want zero Must Fix items."
+
+Run `/review`. If any Must Fix items remain, fix them.
+
+**Gate:** Zero Must Fix items. Update assemble-state.
+
+## Phase 6 — UX Pass (Galadriel leads)
+**Fury:** "Galadriel — the user doesn't care how clean the code is if the product is confusing."
+
+Run the full `/ux` protocol in two sub-phases. Skip if PRD frontmatter `type: api-only`.
+
+**6A — Usability Review:** Trace the primary user flow step by step. For each step: What does the user see? What do they click? What happens? Is it what they expected? Specifically check:
+- Can the user complete the primary flow without confusion?
+- Do inputs retain focus when typing?
+- Do modals/panels close cleanly on first attempt?
+- Is there visual feedback for every mutation (success AND failure)?
+- Does every loading state resolve (no infinite spinners)?
+
+**6B — Accessibility Audit:** ARIA, keyboard nav, focus management, contrast, screen reader, reduced motion — the existing checklist.
+
+**Gate:** Zero critical usability or a11y findings. Update assemble-state.
+
+## Phase 7 — Security Round 1 (Kenobi leads)
+**Fury:** "Kenobi, find what they missed. Think like the enemy."
+
+Run the full `/security` protocol (Phases 1-3: parallel scans, sequential audits, remediation).
+
+## Phase 8 — Security Round 2 (Maul re-probes)
+**Fury:** "Maul — attack every fix. I want proof they hold."
+
+Run `/security` Phase 4 only (Maul's re-verification). If new issues found, fix and re-verify.
+
+**Gate:** Zero Critical or High security findings. Update assemble-state.
+
+## Phase 9 — Infrastructure (Kusanagi leads)
+**Fury:** "Kusanagi — make it deployable. Scripts, monitoring, backups."
+
+Run the full `/devops` protocol.
+
+**Gate:** Deploy scripts work, monitoring configured, post-deploy smoke tests defined. Update assemble-state.
+
+## Phase 10 — QA (Batman leads)
+**Fury:** "Batman — break everything. I want zero surprises in production."
+
+Run the full `/qa` protocol (including Step 2.5 smoke tests).
+
+**Gate:** All critical/high bugs fixed, regression checklist complete. Update assemble-state.
+
+## Phase 11 — Test Suite (Batman writes)
+**Fury:** "Now make it permanent. Every bug we found becomes a test."
+
+Run the full `/test` protocol. Write missing unit tests, integration tests, and cross-module tests.
+
+**Gate:** Test suite green, coverage acceptable. Update assemble-state.
+
+## Phase 12 — The Crossfire (Multiverse challenge)
+**Fury:** "Now the real test. Everyone attacks everyone else's work."
+
+Use the Agent tool to run these in parallel — all are adversarial, read-only analysis:
+
+- **Maul** (Star Wars) — attacks code that passed /review. Looks for exploits in "clean" code.
+- **Deathstroke** (DC) — probes endpoints that /security hardened. Tests if remediations can be bypassed.
+- **Loki** (Marvel) — chaos-tests features that /qa cleared. Finds what breaks under unexpected conditions.
+- **Constantine** (DC) — hunts cursed code in FIXED areas specifically. Code that works by accident.
+
+Synthesize findings. **Conflict detection:** If any two agents produce conflicting findings on the same code (one says "fix," another says "by design" or "not exploitable"), trigger the debate protocol instead of listing both. See SUB_AGENTS.md "Agent Debate Protocol": Agent A states finding → Agent B responds → Agent A rebuts → Arbiter (Picard or user) decides. 3 exchanges max. Log the debate transcript as an ADR. Fix all Must Fix items. If any fixes were applied, re-run the four agents on the fixed areas only.
+
+**Gate:** All four adversarial agents sign off. All conflicts resolved via debate (no unresolved disagreements). Update assemble-state.
+
+## Phase 13 — The Council (Convergence)
+**Fury:** "Last call. One agent from each domain — verify nobody broke anyone else's work."
+
+Use the Agent tool to run these in parallel:
+
+- **Spock** (Star Trek) — Did any security/QA/UX fix break code patterns or quality?
+- **Ahsoka** (Star Wars) — Did any review/QA fix introduce access control gaps?
+- **Nightwing** (DC) — Did any fix cause a regression? Run the full test suite.
+- **Samwise** (Tolkien) — Did any fix break accessibility?
+- **Troi** (Star Trek) — PRD compliance: read the PRD prose section-by-section, verify every claim against the implementation. Not just "does the route exist?" but "does the component render what the PRD describes?" Check numeric claims, visual treatments, copy accuracy. Flag asset gaps as BLOCKED. (Troi runs on the final Council iteration, or always when `--skip-build` is used for campaign victory gates.)
+
+**Conflict detection:** If Council members disagree (e.g., Spock says a fix broke patterns but Ahsoka says it's necessary for access control), trigger the debate protocol. Do not list both opinions — resolve via debate. Arbiter: Picard for code/architecture conflicts, Troi for PRD compliance conflicts.
+
+If the Council finds issues:
+1. Fix code discrepancies. Flag asset requirements as BLOCKED.
+2. Resolve conflicts via debate protocol (see SUB_AGENTS.md). Log debate transcripts as ADRs.
+3. Re-run the Council (max 3 iterations)
+4. If not converged after 3 rounds, present remaining findings to the user
+
+**Gate:** All five Council members sign off. Zero cross-domain regressions. Update assemble-state.
+
+## Completion
+**Fury:** "The Initiative is complete."
+
+Write final summary to `/logs/assemble-state.md`:
+- Total phases completed
+- Total findings across all passes (review + security + QA + crossfire + council)
+- Total fixes applied
+- Final test suite status
+- Time span (first phase start → last phase end)
+
+Present the summary to the user.
+
+**IMPORTANT: Include this disclaimer in the completion message:**
+"All phases analyze source code and trace data flows. If this project has a runnable UI, manual testing of the deployed application is still recommended before shipping to users — runtime interaction bugs (render loops, endpoint collisions, focus management) can pass static analysis."
+
+## Lessons Extraction (Wong)
+After the summary, Wong extracts learnings for future builds:
+
+1. Review all findings from Phases 3-13. For each pattern that appeared 2+ times or took 2+ fix iterations, distill into a lesson.
+2. Append new entries to `/docs/LESSONS.md` using the existing format:
+   ```
+   ### [Short title]
+   **Agent:** [who discovered it] | **Category:** pattern/antipattern/decision/gotcha
+   **Context:** [this project name and phase]
+   **Lesson:** [what we learned]
+   **Action:** [what to do differently]
+   **Promoted to:** Not yet
+   ```
+3. Check existing lessons — if a lesson from a PREVIOUS project was confirmed again, add a note: "Confirmed in [project]. Promote to method doc." If the lesson was already promoted, note: "Promoted lesson held — no regressions."
+4. If any lesson appears in 3+ projects, promote it: add the rule to the relevant method doc and update the lesson's "Promoted to" field.
+
+## Operating Rules
+- Update `/logs/assemble-state.md` after EVERY phase completion
+- If you notice context pressure symptoms (re-reading files, forgetting decisions), ask user to run `/context`. Only checkpoint if usage exceeds 70%.
+- Each phase runs the FULL protocol of its command — no shortcuts
+- Fixes happen BETWEEN rounds, not batched at the end
+- The Crossfire (Phase 12) and Council (Phase 13) can be skipped with `/assemble --fast`
+- `/assemble --resume` picks up from the last completed phase in assemble-state.md
+- `--blitz` — Autonomous execution: no pause between phases, auto-continue. Does NOT imply --fast.
+
+## Handoffs
+- If any phase is blocked by an issue outside its domain, log to `/logs/handoffs.md` and continue to the next phase
+- At completion, note any outstanding handoffs for the user

package/dist/.claude/commands/assess.md

@@ -0,0 +1,75 @@
+# /assess — Picard's Pre-Build Assessment
+
+Evaluate an existing codebase before a rebuild, migration, or VoidForge onboarding. Chains architecture review, assessment-mode Gauntlet, and PRD gap analysis into a unified "State of the Codebase" report.
+
+## Context Setup
+1. Read `/logs/build-state.md` if it exists — understand current project state
+2. Read `/docs/methods/SYSTEMS_ARCHITECT.md`
+3. Read `/docs/methods/GAUNTLET.md` (Flags section — `--assess`)
+4. Read `/docs/PRD.md` if it exists
+
+## The Sequence
+
+### Step 1 — Picard's Architecture Scan
+Run `/architect` — full bridge crew analysis. This maps the system: schema, integrations, security posture, service boundaries, tech debt.
+
+### Step 2 — Thanos's Assessment Gauntlet
+Run `/gauntlet --assess` — Rounds 1-2 only (Discovery + First Strike). No fix batches. Produces an assessment report grouped by root cause rather than domain.
+
+**Key detection targets for pre-build:**
+- **RC-STUB: Stub code** — Grep for `throw new Error('Implement`, `throw new Error('Not implemented`, `throw new Error('TODO`. Also detect functions returning `{ ok: true }` or `{ success: true }` without side effects, and handlers that log but perform no work. This is the #1 source of false functionality. (Field report: v17.0 assessment found 77 stub throws across 8 files.)
+- **Abandoned migrations:** Duplicate implementations in competing directories (RC-1 pattern)
+- **Stubs returning success:** Methods that return True/ok without side effects (RC-2 pattern)
+- **Auth-free defaults:** HTTP endpoints with no authentication middleware (RC-3 pattern)
+- **Dead code:** Services wired but never called, preferences stored but never read
+
+### Step 3 — PRD Gap Analysis (Dax + Troi)
+If a PRD exists:
+1. **Dax** diffs PRD requirements against implemented features (structural + semantic)
+2. **Troi** reads PRD prose section-by-section and verifies claims against reality
+3. Check for YAML frontmatter — if missing, flag it (see CAMPAIGN.md Step 1)
+
+If no PRD exists:
+1. Produce a "What Exists" inventory: routes, schema, components, integrations, test coverage
+2. Flag areas that need a PRD before building can begin
+
+### Step 4 — State of the Codebase Report
+
+Produce a unified report in `/logs/assessment.md`:
+
+```markdown
+# State of the Codebase — [Project Name]
+## Date: [date]
+
+## Architecture Summary
+[From Step 1 — schema, services, integrations, tech debt]
+
+## Root Causes (grouped)
+[From Step 2 — findings grouped by root cause, not by domain]
+
+## PRD Alignment
+[From Step 3 — what matches, what's missing, what contradicts]
+
+## Remediation Plan
+| Priority | Root Cause | Impact | Recommended Action |
+|----------|-----------|--------|-------------------|
+
+## Recommendation
+[One of: "Ready to build", "Needs remediation first (Phase 0)", "Needs PRD first", "Needs migration completion first"]
+```
+
+### Step 5 — Debrief (optional)
+If findings are methodology-relevant (patterns that VoidForge should catch but doesn't), offer: "Want Bashir to file a field report?"
+
+## When to Use
+- Before onboarding an existing codebase to VoidForge
+- Before a major version rebuild (v2 → v3)
+- When inheriting a codebase from another team
+- When the PRD assumes existing code works but you haven't verified
+
+## When NOT to Use
+- On a fresh project (nothing to assess — just run `/build`)
+- On methodology-only changes (no runtime code)
+- After a build (use `/gauntlet` instead — it includes fix batches)
+
+(Field report #125: user chained `/architect → /gauntlet → /prd → /debrief` manually. This command formalizes that workflow.)

package/dist/.claude/commands/blueprint.md

@@ -0,0 +1,135 @@
+# /blueprint — The Blueprint Path
+
+> You brought the blueprint. The forge brings it to life.
+
+Accept a pre-written PRD and supporting documents, validate them, provision infrastructure, and prepare for campaign execution. The fourth entry path — for users who already have a complete spec from Claude chat, a consultant, a previous iteration, or another tool.
+
+## Context Setup
+1. Read `/docs/methods/BUILD_PROTOCOL.md` (Phase 0 — Orient)
+2. Read `/docs/methods/SYSTEMS_ARCHITECT.md` (Conflict Checklist)
+
+## Prerequisites
+- `docs/PRD.md` MUST exist with valid YAML frontmatter
+- VoidForge methodology CLAUDE.md must be present at project root
+
+## Step 1 — Picard Validates the PRD
+
+Read `docs/PRD.md` and validate:
+
+1. **Parse YAML frontmatter** using the frontmatter parser
+   - Required fields: `name` (any other fields are optional but recognized)
+   - Type-check: `type` must be one of: full-stack, api-only, static-site, prototype
+   - Deploy-check: `deploy` must be one of: vps, vercel, railway, cloudflare, static, docker
+   - If validation fails → show specific errors with guidance on how to fix
+
+2. **Troi's structural compliance** (from `prd-validator.ts`):
+   - Does the PRD have an OVERVIEW or SUMMARY section?
+   - Are there feature sections?
+   - If `database` is configured, is there a DATA MODELS section?
+   - If `deploy` is set, is there a DEPLOYMENT section?
+   - If `auth: yes`, does the PRD mention authentication?
+   - If `workers: yes`, does the PRD mention background jobs?
+   - These are warnings, not blockers. Present them and proceed.
+
+3. **Extract architecture** from frontmatter:
+   - Framework, database, auth strategy, deploy target, workers
+   - Show: "Blueprint: [name] — [framework] + [language], deploy to [target]"
+
+## Step 2 — Wong Discovers Supporting Documents
+
+Wong opens a portal and scans the project directory for supporting materials:
+
+| File | Action |
+|------|--------|
+| `docs/PRD.md` | **Required.** Already validated in Step 1. |
+| `docs/PROJECT-DIRECTIVES.md` (or `docs/PROJECT-CLAUDE.md`, `docs/DIRECTIVES.md`) | **Appended** to CLAUDE.md methodology. Never replaces. |
+| `docs/OPERATIONS.md` | Loaded into context. Sisko references during campaign planning. |
+| `docs/ADR/*.md` (or `docs/adrs/*.md`) | Loaded into context. Picard references during architecture review. |
+| `docs/reference/*` | Loaded into context. Available to all agents during build. |
+
+Present discovery summary: "Wong found N supporting documents: [list]"
+
+## Step 3 — Merge Project Directives
+
+If a project directives file was discovered:
+1. Read its contents
+2. Append to CLAUDE.md under a `# PROJECT-SPECIFIC DIRECTIVES` marker
+3. This is idempotent — if the marker already exists, skip
+4. **CRITICAL: The merge APPENDS. It never replaces VoidForge's methodology.**
+
+Log: "Project directives merged into CLAUDE.md from [path]"
+
+## Step 4 — Picard's Conflict Scan
+
+Run the conflict checklist against frontmatter:
+- Auth + Database: auth needs persistent storage
+- Payments + Auth: payments need authenticated users
+- Workers + Deploy: workers need persistent hosting (not static/cloudflare)
+- Cache + Deploy: Redis needs a host
+- Admin + Auth: admin panel needs authentication
+- Email + Credentials: email needs API keys
+
+Present conflicts as warnings. User can fix (edit PRD) or proceed.
+
+## Step 5 — Boromir's Challenge (if `--challenge`)
+
+If the `--challenge` flag is passed:
+1. Boromir reads the complete PRD
+2. Argues AGAINST it: expensive features, fragile integrations, schema gaps, deploy target mismatches
+3. User can accept challenges (edit PRD) or override (proceed as-is)
+4. A 30-second argument now saves a 3-hour refactor later
+
+## Step 6 — Kusanagi Provisions Infrastructure (unless `--no-provision`)
+
+If provisioning is requested (default):
+1. Use the existing wizard provisioning pipeline
+2. Configure from PRD frontmatter: framework, database, deploy target, workers
+3. Install dependencies, set up tsconfig/package.json
+4. Configure deploy target (EC2, Vercel, Railway, Cloudflare, Docker)
+5. Set up PM2 if workers are defined
+6. Set up Docker Compose if containerized services specified
+7. DNS + SSL if domain specified
+
+Skip this step if `--no-provision` flag is set.
+
+## Step 7 — Hand Off to Campaign
+
+All prerequisites are met:
+- PRD validated
+- Supporting docs loaded
+- CLAUDE.md merged (if directives exist)
+- Conflicts scanned
+- Infrastructure provisioned (unless --no-provision)
+
+Present summary:
+```
+═══════════════════════════════════════════
+  BLUEPRINT VALIDATED
+═══════════════════════════════════════════
+  Project:     [name]
+  Stack:       [framework] + [language]
+  Deploy:      [target]
+  Docs loaded: [N] supporting documents
+  Conflicts:   [N] warnings (non-blocking)
+  Provision:   [done / skipped]
+═══════════════════════════════════════════
+  Ready to build. Run:
+    /campaign --blitz          # Autonomous build
+    /campaign --blitz --muster # Full multi-agent review
+═══════════════════════════════════════════
+```
+
+## Arguments
+- `--challenge` — Boromir argues against the PRD before provisioning
+- `--no-provision` — Skip infrastructure provisioning (validate + discover only)
+- No arguments — full pipeline: validate → discover → merge → conflict-scan → provision
+
+## Agents
+
+| Agent | Role |
+|-------|------|
+| **Picard** | Validates frontmatter + runs conflict scan |
+| **Troi** | Structural PRD compliance check |
+| **Wong** | Discovers and loads supporting documents |
+| **Boromir** | Challenges PRD design (with --challenge) |
+| **Kusanagi** | Provisions infrastructure from frontmatter |