tribunal-kit 3.0.0 → 4.0.0

package/.agent/skills/plan-writing/SKILL.md

@@ -1,118 +1,92 @@
----
-name: plan-writing
-description: Technical design and implementation planning mastery. Writing structured execution checklists, dependency mapping, establishing rollback protocols, segmenting monolithic tasks, writing ADRs (Architecture Decision Records), and defining verification criteria. Use when transitioning from ideation to coordinated execution.
-allowed-tools: Read, Write, Edit, Glob, Grep
-version: 2.0.0
-last-updated: 2026-04-02
-applies-to-model: gemini-2.5-pro, claude-3-7-sonnet
----
-
-# Plan Writing — Execution Blueprints Mastery
-
-> A flawless execution of a terrible plan leads to catastrophic success.
-> Write planes with dependencies explicitly mapped. Treat it like a topological sort.
-
----
-
-## 1. The Implementation Plan Structure (ADR-Lite)
-
-Before altering multiple files or introducing a new system architecture, a rigid `implementation_plan.md` MUST be generated and approved. 
-
-**Core Sections:**
-1. **Objective Context:** 2-sentence summary of the requested goal.
-2. **Architectural Handoff:** (What stack, what libraries, what constraints).
-3. **Dependency Tree Execution Order:** (Cannot build frontend UI until backend API exists).
-4. **File Blueprint:** Exact files expected to be touched (`[NEW] src/api/user.ts`, `[MODIFY] src/db/schema.prisma`).
-5. **Verification Protocol:** Exactly how the agent/human will prove the task is completed successfully.
-
----
-
-## 2. Segmenting Monolithic Tasks (Chunking)
-
-LLMs degrade significantly when asked to process >10 file alterations across multiple directories simultaneously. The Plan Writer must break work into logical, isolated "Waves."
-
-```markdown
-### Wave 1: Data Layer (The Foundation)
-1. Add `Subscription` model to Prisma schema.
-2. Generate migration (`npx prisma migrate dev`).
-3. Add mock seed data.
-
-### Wave 2: API Layer (The Bridge)
-1. Build `/api/subscriptions/route.ts` with explicit Zod validation.
-2. Write Vitest logic enforcing authorization roles.
-
-### Wave 3: UI Layer (The Implementation)
-1. Build `SubscriptionCard.tsx`.
-2. Connect to API using MSW mocked tests first.
-3. Integrate into main dashboard.
-```
-
-*Crucial:* Each wave MUST be executable and testable independently. Do not begin Wave 2 until Wave 1 passes Verification Protocols.
-
----
-
-## 3. Rollback & Contingency Planning
-
-No plan survives first contact with the compiler. The plan must implicitly include safe-fail procedures.
-
-- **Non-Destructive Defaults:** If a schema migration fails, how do we revert? (e.g., explicit instruction to backup SQLite DB locally before operations).
-- **Graceful Feature Toggles:** Is the new feature walled behind an environment variable (`ENABLE_NEW_DASHBOARD=true`) so it can be disabled instantly if it crashes in production?
-
----
-
-## 4. The `task.md` Execution Ledger
-
-Unlike the high-level `implementation_plan.md`, the `task.md` serves as the live, mutating execution state.
-
-```markdown
-# Current Objective: Upgrade Authentication
-
-## Pre-Flight
-- [x] Dump existing environment variables locally
-- [x] Verify current tests pass (Baseline health)
-
-## Wave 1 (OAuth Scaffold)
-- [/] Install auth.js dependencies
-- [ ] Connect Google Provider inside `[...nextauth].ts`
-
-## Wave 2 (Database Mappings)
-- [ ] Update Users table to handle polymorphic OAuth links
-```
-
-*Rules:*
-- `[ ]` = Unstarted
-- `[/]` = In Progress (Current Focus)
-- `[x]` = Verified Complete
-
----
-
-## 🤖 LLM-Specific Traps (Plan Writing)
-
-1. **Topological Chaos:** Recommending the creation of a frontend React component fetching an API endpoint that has not yet been scheduled for creation, resulting in immediate compilation/linting crashes.
-2. **Missing File Paths:** Writing "Update the configuration file" instead of explicitly declaring `[MODIFY] .github/workflows/deploy.yml`. Vague boundaries invite shotgun surgery.
-3. **Execution Masking:** The AI receives the instruction to "Write a plan," but decides to also write 450 lines of execution code spanning 6 files simultaneously in the same reply. Demarcate Planning from Execution permanently.
-4. **Over-Engineering the MVP:** Recommending a 4-wave, 12-step Kubernetes microservice deployment schedule for a localized "Add a 'Contact Us' form" user request.
-5. **No Verification Baseline:** Failing to establish a "Does the code currently work?" baseline constraint before beginning the sequence of alterations.
-6. **Task Blobbing:** Creating a massive, single 25-step list without breaking it up into isolated, independently testable Waves/Phases. If the list is monolithic, the failure debugging will be chaotic.
-7. **Silent Dependencies:** Failing to explicitly list new NPM packages or system libraries required by the plan (e.g., executing Prisma logic without adding a `npm install @prisma/client` step).
-8. **Assumption of Success:** Failing to establish Rollback protocols (e.g., `git reset --hard`) when planning risky, highly destructive file alterations.
-9. **Ignoring the Environment:** Planning major API changes without ensuring the required environment variables (`STRIPE_API_KEY`) are documented for addition.
-10. **Refusal to Update Ledger:** Operating as an autonomous executor but failing to edit the `task.md` tracking ledger synchronously, destroying the system's memory continuity upon suspension.
-
----
-
-## 🏛️ Tribunal Integration
-
-### ✅ Pre-Flight Self-Audit
-```
-✅ Are execution sequences strictly ordered by Topological Dependencies (DB → API → UI)?
-✅ Are monolith tasks deliberately chunked into isolated, independently testable Waves?
-✅ Is the `task.md` execution ledger cleanly parameterized with exact file paths `[NEW], [MODIFY]`?
-✅ Have I explicitly separated the Planning Phase response from raw Code Generation?
-✅ Are verification protocols explicitly tied to terminal logs, test results, or manual checks?
-✅ Are required NPM package installations/dependency injections explicitly mapped in Wave 1?
-✅ Is there a defined Rollback/Snapshot strategy to recover from catastrophic compilation failure?
-✅ Are environmental secrets (.env variables) outlined as requirements before execution?
-✅ Has the complexity of the plan been correctly scaled to the simplicity of the user's objective?
-✅ Does the plan establish a baseline system health check before executing destructive mutations?
-```
+---
+name: plan-writing
+description: Technical design and implementation planning mastery. Writing structured execution checklists, dependency mapping, establishing rollback protocols, segmenting monolithic tasks, writing ADRs (Architecture Decision Records), and defining verification criteria. Use when transitioning from ideation to coordinated execution.
+allowed-tools: Read, Write, Edit, Glob, Grep
+version: 2.0.0
+last-updated: 2026-04-02
+applies-to-model: gemini-2.5-pro, claude-3-7-sonnet
+---
+
+## Hallucination Traps (Read First)
+- ❌ Writing plans without verification criteria -> ✅ Every plan needs a 'How to verify this worked' section
+- ❌ Planning at the wrong granularity (too high or too low) -> ✅ Plans should be at the component/feature level, not line-by-line or system-wide
+- ❌ Skipping the 'What could go wrong' section -> ✅ Identifying failure modes before implementation prevents costly rework
+
+---
+
+
+# Plan Writing — Execution Blueprints Mastery
+
+---
+
+## 1. The Implementation Plan Structure (ADR-Lite)
+
+Before altering multiple files or introducing a new system architecture, a rigid `implementation_plan.md` MUST be generated and approved. 
+
+**Core Sections:**
+1. **Objective Context:** 2-sentence summary of the requested goal.
+2. **Architectural Handoff:** (What stack, what libraries, what constraints).
+3. **Dependency Tree Execution Order:** (Cannot build frontend UI until backend API exists).
+4. **File Blueprint:** Exact files expected to be touched (`[NEW] src/api/user.ts`, `[MODIFY] src/db/schema.prisma`).
+5. **Verification Protocol:** Exactly how the agent/human will prove the task is completed successfully.
+
+---
+
+## 2. Segmenting Monolithic Tasks (Chunking)
+
+LLMs degrade significantly when asked to process >10 file alterations across multiple directories simultaneously. The Plan Writer must break work into logical, isolated "Waves."
+
+```markdown
+### Wave 1: Data Layer (The Foundation)
+1. Add `Subscription` model to Prisma schema.
+2. Generate migration (`npx prisma migrate dev`).
+3. Add mock seed data.
+
+### Wave 2: API Layer (The Bridge)
+1. Build `/api/subscriptions/route.ts` with explicit Zod validation.
+2. Write Vitest logic enforcing authorization roles.
+
+### Wave 3: UI Layer (The Implementation)
+1. Build `SubscriptionCard.tsx`.
+2. Connect to API using MSW mocked tests first.
+3. Integrate into main dashboard.
+```
+
+*Crucial:* Each wave MUST be executable and testable independently. Do not begin Wave 2 until Wave 1 passes Verification Protocols.
+
+---
+
+## 3. Rollback & Contingency Planning
+
+No plan survives first contact with the compiler. The plan must implicitly include safe-fail procedures.
+
+- **Non-Destructive Defaults:** If a schema migration fails, how do we revert? (e.g., explicit instruction to backup SQLite DB locally before operations).
+- **Graceful Feature Toggles:** Is the new feature walled behind an environment variable (`ENABLE_NEW_DASHBOARD=true`) so it can be disabled instantly if it crashes in production?
+
+---
+
+## 4. The `task.md` Execution Ledger
+
+Unlike the high-level `implementation_plan.md`, the `task.md` serves as the live, mutating execution state.
+
+```markdown
+# Current Objective: Upgrade Authentication
+
+## Pre-Flight
+- [x] Dump existing environment variables locally
+- [x] Verify current tests pass (Baseline health)
+
+## Wave 1 (OAuth Scaffold)
+- [/] Install auth.js dependencies
+- [ ] Connect Google Provider inside `[...nextauth].ts`
+
+## Wave 2 (Database Mappings)
+- [ ] Update Users table to handle polymorphic OAuth links
+```
+
+*Rules:*
+- `[ ]` = Unstarted
+- `[/]` = In Progress (Current Focus)
+- `[x]` = Verified Complete
+
+---

package/.agent/skills/platform-engineer/SKILL.md

@@ -1,123 +1,97 @@
----
-name: platform-engineer
-description: Platform Engineering and Internal Developer Portal (IDP) mastery. Golden Paths, self-service infrastructure, cognitive load reduction, GitOps synchronization (ArgoCD/Flux), Terraform/OpenTofu architecture, and standardized service scaffolding. Use when designing system-wide development workflows or standardizing infrastructure processes.
-allowed-tools: Read, Write, Edit, Glob, Grep
-version: 2.0.0
-last-updated: 2026-04-02
-applies-to-model: gemini-2.5-pro, claude-3-7-sonnet
----
-
-# Platform Engineering — Developer Experience Mastery
-
-> DevOps is a culture. Platform Engineering is a product.
-> The product's customer is the internal software engineer. The goal is removing friction and standardizing security.
-
----
-
-## 1. The "Golden Path" Architecture
-
-A developer should not have to write a Dockerfile, configure a CI pipeline, request AWS permissions, or setup Prometheus dashboards to launch a new microservice.
-
-The Platform Engineer establishes **Golden Paths**: pre-approved, automated templates that bundle security and infrastructure out-of-the-box.
-
-**Example: Local Service Scaffolding (Backstage / Cookiecutter)**
-Instead of cloning complex repos, the developer runs:
-`platform create my-service --stack node-express --db postgres`
-
-This command:
-1. Generates the standard Node/Express repo.
-2. Applies the unified corporate CI/CD GitHub Action.
-3. Configures default Datadog/OpenTelemetry observability metrics.
-4. Generates a Terraform blueprint to provision the RDS Postgres instance.
-
----
-
-## 2. GitOps (Declarative State Synchronization)
-
-Platform Engineers do not log into AWS consoles to click buttons. They do not run `kubectl apply` from their laptops.
-
-They push code to Git. A continuous reconciliation loop (e.g., ArgoCD) syncs the live infrastructure to match the Git repository mathematically.
-
-```yaml
-# GitOps standard architecture (ArgoCD)
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: auth-service
-  namespace: argocd
-spec:
-  project: default
-  source:
-    repoURL: 'https://github.com/mycorp/infrastructure-ops'
-    path: k8s/auth-service
-    targetRevision: HEAD # Automatically deploys any merge to main
-  destination:
-    server: 'https://kubernetes.default.svc'
-    namespace: auth-prod
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true # If manual changes occur on cluster, force-reverts back to Git state
-```
-
----
-
-## 3. Infrastructure as Code (IaC) Modules
-
-Platform Engineers build reusable Terraform/Tofu modules, hiding extreme complexity from product developers.
-
-```hcl
-# The Platform Engineer writes the complex module (e.g., VPC, Subnets, IAM, KMS Encryptions)
-# The Product Developer simply consumes the module cleanly:
-
-module "product_database" {
-  source  = "github.com/mycorp/tf-modules/secure-rds"
-  version = "v1.2.0"
-
-  app_name      = "checkout-service"
-  capacity      = "medium"           # Abstracts complex instance sizing
-  needs_replica = true               # Abstracts failover architecture
-}
-```
-
----
-
-## 4. Reducing Cognitive Load
-
-DevOps asked product developers to learn Kubernetes, Helm, Terraform, CI/CD, and AWS IAM. The load was too high.
-Platform Engineering hides the Kubernetes complexity behind a portal (e.g., Backstage) or a declarative wrapper (e.g., Score).
-
-Ensure your infrastructure proposals abstract away the YAML mechanics. Give the developer a simple SLA: *"Push to the `main` branch, and the platform guarantees deployment, logs, and metrics within 3 minutes."*
-
----
-
-## 🤖 LLM-Specific Traps (Platform Engineering)
-
-1. **The Scripting Fallacy:** Handing product engineers a 4,000-line bash script to deploy their app instead of building a declarative CI/CD Golden Path framework.
-2. **Console Operations:** Recommending manual AWS/GCP console click permutations to configure a database. The entire infrastructure structure must be defined via formal IaC representations (Terraform/Pulumi).
-3. **Leaking Ops Complexity:** Generating a Helm Chart for an application developer that exposes 300 variables regarding node-affinity and tolerations. Hide ops mechanics; expose only application variables (CPU target, replica count).
-4. **Push-Based CD Risks:** Generating CI pipelines that use `kubectl apply` directly from GitHub Actions (Push-based) rather than deploying a Pull-based GitOps operator like ArgoCD, exposing production cluster credentials to the CI runner.
-5. **Non-Standardized Monitoring:** Failing to inject unified OpenTelemetry/Prometheus sidecars automatically into the standard deployment templates, forcing developers to reinvent telemetry for every microservice.
-6. **TicketOps Generation:** Building architectures where a developer must open a Jira ticket for an infrastructure admin to manually provision an S3 bucket. Emphasize self-service terraform modules.
-7. **Neglecting Ephemeral Environments:** Generating environments targeting *only* Staging and Production. Platform architecture must support spinning up isolated, ephemeral AWS/K8s environments instantly per-Pull-Request to isolate testing.
-8. **Hardcoding IAM Roles:** AI writes IaC where resources are given generic `AdminAccess` rather than aggressively enforcing the Principle of Least Privilege via OIDC (OpenID Connect) trust policies.
-9. **Missing the "Paved Road":** Ignoring the socio-technical aspect of the job. Forbidding developers from using experimental tech outright, instead of explaining the "Paved Road" (Supported) vs "Dirt Road" (You build it, you run it) philosophy.
-10. **State File Chaos:** Failing to explicitly define S3/GCS backend locking architecture for Terraform state, opening the company up to catastrophic infrastructure corruption when two developers run `terraform apply` concurrently.
-
----
-
-## 🏛️ Tribunal Integration
-
-### ✅ Pre-Flight Self-Audit
-```
-✅ Are infrastructural patterns provided as automated, self-service "Golden Path" templates?
-✅ Has infrastructure been codified securely in declarative formats (Terraform, Tofu, Pulumi)?
-✅ Is the CI/CD pipeline architected specifically around Pull-based GitOps (e.g., ArgoCD/Flux)?
-✅ Were the complexities of Kubernetes/AWS deliberately abstracted away from the product developers?
-✅ Does the architectural plan integrate telemetry (logs/metrics) seamlessly by default?
-✅ Was the IaC environment actively secured by enforcing an S3/Remote backend state locking mechanism?
-✅ Are IAM and trust boundaries scoped to absolute Least Privilege methodologies?
-✅ Did I reject manual UI configuration (ClickOps) in favor of automated procedural representations?
-✅ Is the pipeline resilient enough to generate ephemeral environments isolated to specific Pull Requests?
-✅ Has the "Platform as a Product" mindset been established, prioritizing high developer UX?
-```
+---
+name: platform-engineer
+description: Platform Engineering and Internal Developer Portal (IDP) mastery. Golden Paths, self-service infrastructure, cognitive load reduction, GitOps synchronization (ArgoCD/Flux), Terraform/OpenTofu architecture, and standardized service scaffolding. Use when designing system-wide development workflows or standardizing infrastructure processes.
+allowed-tools: Read, Write, Edit, Glob, Grep
+version: 2.0.0
+last-updated: 2026-04-02
+applies-to-model: gemini-2.5-pro, claude-3-7-sonnet
+---
+
+## Hallucination Traps (Read First)
+- ❌ Building internal platforms without talking to developers -> ✅ Platform engineering exists to reduce developer cognitive load; ask them what hurts
+- ❌ Creating golden paths that are mandatory -> ✅ Golden paths should be the easiest option, not the only option
+- ❌ Over-automating before the process is understood -> ✅ Manual first, then script, then platform; premature automation bakes in bad processes
+
+---
+
+
+# Platform Engineering — Developer Experience Mastery
+
+---
+
+## 1. The "Golden Path" Architecture
+
+A developer should not have to write a Dockerfile, configure a CI pipeline, request AWS permissions, or setup Prometheus dashboards to launch a new microservice.
+
+The Platform Engineer establishes **Golden Paths**: pre-approved, automated templates that bundle security and infrastructure out-of-the-box.
+
+**Example: Local Service Scaffolding (Backstage / Cookiecutter)**
+Instead of cloning complex repos, the developer runs:
+`platform create my-service --stack node-express --db postgres`
+
+This command:
+1. Generates the standard Node/Express repo.
+2. Applies the unified corporate CI/CD GitHub Action.
+3. Configures default Datadog/OpenTelemetry observability metrics.
+4. Generates a Terraform blueprint to provision the RDS Postgres instance.
+
+---
+
+## 2. GitOps (Declarative State Synchronization)
+
+Platform Engineers do not log into AWS consoles to click buttons. They do not run `kubectl apply` from their laptops.
+
+They push code to Git. A continuous reconciliation loop (e.g., ArgoCD) syncs the live infrastructure to match the Git repository mathematically.
+
+```yaml
+# GitOps standard architecture (ArgoCD)
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: auth-service
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: 'https://github.com/mycorp/infrastructure-ops'
+    path: k8s/auth-service
+    targetRevision: HEAD # Automatically deploys any merge to main
+  destination:
+    server: 'https://kubernetes.default.svc'
+    namespace: auth-prod
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true # If manual changes occur on cluster, force-reverts back to Git state
+```
+
+---
+
+## 3. Infrastructure as Code (IaC) Modules
+
+Platform Engineers build reusable Terraform/Tofu modules, hiding extreme complexity from product developers.
+
+```hcl
+# The Platform Engineer writes the complex module (e.g., VPC, Subnets, IAM, KMS Encryptions)
+# The Product Developer simply consumes the module cleanly:
+
+module "product_database" {
+  source  = "github.com/mycorp/tf-modules/secure-rds"
+  version = "v1.2.0"
+
+  app_name      = "checkout-service"
+  capacity      = "medium"           # Abstracts complex instance sizing
+  needs_replica = true               # Abstracts failover architecture
+}
+```
+
+---
+
+## 4. Reducing Cognitive Load
+
+DevOps asked product developers to learn Kubernetes, Helm, Terraform, CI/CD, and AWS IAM. The load was too high.
+Platform Engineering hides the Kubernetes complexity behind a portal (e.g., Backstage) or a declarative wrapper (e.g., Score).
+
+Ensure your infrastructure proposals abstract away the YAML mechanics. Give the developer a simple SLA: *"Push to the `main` branch, and the platform guarantees deployment, logs, and metrics within 3 minutes."*
+
+---