wb-flow 1.0.0-r01

package/templates/commands/wbSecure/wbSecure_template.md

@@ -0,0 +1,157 @@
+# /wbSecure: Execution Template
+
+
+<!-- HELP_GATE_START -->
+## Help intercept (handle FIRST — before any other action)
+
+**If `$ARGUMENTS` contains `--help`, `-h`, or `--h`** (case-insensitive, anywhere in the args), DO NOT execute the command's normal procedure. Instead:
+
+1. Output the **HELP BLOCK** below verbatim (rendered as markdown).
+2. Stop. Do not perform any file reads, writes, or other tool calls.
+3. Do not generate any reports under `.wb/workflows/reports/`.
+
+Otherwise, ignore this section and proceed to the rest of the template.
+
+### HELP BLOCK — `/wbSecure`
+
+## Two forms
+
+```
+/wbSecure <target>                       # full security scan
+/wbSecure <target> --focus="<area>"      # narrowed (e.g., auth, xss, deps)
+```
+
+## When to run
+
+- **Before `/wbDeploy`** of any user-facing app. Mandatory if the app handles user input.
+- **Before `/wbPublish`** of a package that handles untrusted input.
+- **After dependency updates** — `npm update` can introduce vulnerable transitive deps.
+- **Periodically** (monthly) on production apps.
+- **After any security-adjacent code change** — auth, sessions, input handling, anything user-controlled.
+
+## When *not* to run
+
+- On a feature branch you'll throw away.
+- Mid-development before the surface is stable.
+- As a substitute for proper backend security (server-side validation, real pentests).
+- Without server-side equivalent — `/wbSecure` only checks client; real security is server.
+
+## Reading the output
+
+Three severity levels:
+
+- **🔴 CRITICAL** — fix before any further deploy. Blocks `/wbDeploy`.
+- **🟡 WARNING** — fix soon. Doesn't block deploy but should be tracked.
+- **🟢 SAFE** — verified clean.
+
+CRITICAL findings include immediate action items (revoke this token NOW, sanitize this v-html before next deploy).
+
+## The integration with /wbDeploy
+
+`/wbDeploy` reads the latest `/wbSecure` report and refuses if CRITICAL findings exist. This is automatic. To override (rare, dangerous), you'd need to run `/wbDeploy --force-past-security`, which requires explicit user override.
+
+WARNING findings don't block. They show in the deploy preview as advisory.
+
+## What /wbSecure cannot detect
+
+- **Server-side vulnerabilities** — out of scope; client scan only.
+- **Logic bugs that allow privilege escalation** — these need domain understanding.
+- **Supply-chain attacks** — `npm audit` is the right tool.
+- **Runtime tampering** — DevTools can flip flags; client gating is convenience, not security.
+- **Zero-days not yet in CVE databases** — the scanner only knows public vulnerabilities.
+- **Authentication design flaws** — needs human security review.
+
+Every report names these limits in its "did NOT check" section.
+
+## When /wbSecure is the wrong command
+
+- Generic code quality → `/wbAudit`.
+- Tier-gate consistency → `/wbLicense`.
+- Dead code / leftovers → `/wbClean`.
+- Pure dep CVE check → `npm audit` directly.
+
+`/wbSecure` answers: *"can this be exploited?"* Specifically.
+
+## The mistake to avoid
+
+**Treating `/wbSecure` SAFE as "secure."** A SAFE result means: no obvious findings under the scanner's checklist. It does not mean: nothing is wrong. Real-world security requires human judgment, threat modeling, and ongoing pentests. `/wbSecure` is the *cheap* layer of security work, not the *complete* one.
+
+> For deeper reading: [`docs_claude/commands/wbSecure/wbSecure_practical_claude.md`](../../docs/docs_claude/commands/wbSecure/wbSecure_practical_claude.md) (or the `_eli5_`, `_expert_`, `_examples_` siblings).
+
+<!-- FLAGS_TABLE_START -->
+## Flags & shortcuts
+
+Both forms are equivalent — pass either:
+
+| Long form | Shortcut |
+|---|---|
+| `--focus` | `-f` |
+| `--force-past-security` | `-F` |
+
+`-h` / `--help` / `--h` (any command) prints this help block instead of executing.
+## Self-correct mode (dual-mode invocation)
+
+```
+/wbSecure <scope_folder>           # normal mode — produce a fresh output file
+/wbSecure <previous_output_file>   # self-correct mode — verify & repair the file in place
+```
+
+When the first arg is an existing output file from a prior `/wbSecure` run (detected by its first H1 — see this template's **Detection** section), the command runs in **verify-and-repair** mode: gap-fills missing fields, normalizes links, ticks done/valid checkboxes whose reports exist, never rewrites authored content. See [`../_shared/output_conventions.md`](../_shared/output_conventions.md) §3.
+
+<!-- FLAGS_TABLE_END -->
+<!-- HELP_GATE_END -->
+
+<!-- FLAG_NORMALIZE_START -->
+## Flag normalization (apply BEFORE parsing args)
+
+Before processing `$ARGUMENTS`, normalize these short-form flags to their long equivalents:
+
+- `-f` → `--focus`
+- `-F` → `--force-past-security`
+
+The rest of this template documents only the long forms; the substitution above is the only place short forms are mentioned.
+<!-- FLAG_NORMALIZE_END -->
+
+
+
+**ROLE:** The Guard
+**TARGET:** The provided component or package path.
+**Read first:** [`../_shared/output_conventions.md`](../_shared/output_conventions.md) — applies to the security report (relative links, full-syntax commands, self-correct mode).
+
+---
+
+## ━━━ DETECTION (Self-Correct Mode) ━━━
+
+Trigger self-correct when the input file's first H1 matches:
+`# Security: <scope> — <YYYY-MM-DD>` *(or the legacy `# Security Entry #N` header).*
+
+Behavior is defined in [`../_shared/output_conventions.md`](../_shared/output_conventions.md) §3.
+
+Security-specific gap-fills:
+
+- Plain-text vulnerable file paths → relative markdown links per §1.
+- Bare `/wbAudit` / `/wbTest` cited → full-syntax form per §2.
+- Missing CVE / severity classification → infer from `npm audit` output if available.
+
+---
+
+## ━━━ OBJECTIVE ━━━
+Your job is to act as a Red Team security scanner. You must actively hunt for vulnerabilities in the target code before it is deployed to production.
+
+## ━━━ PHASE 1: VULNERABILITY SCAN ━━━
+1. Scan the target files specifically looking for:
+   - Hardcoded secrets or API keys.
+   - Cross-Site Scripting (XSS) vulnerabilities (e.g., raw HTML injection in Vue).
+   - Insecure direct object references or missing tier checks (cross-referencing `monorepo_rules.md`).
+
+## ━━━ PHASE 2: DEPENDENCY AUDIT ━━━
+1. Check the `package.json` for notoriously insecure or outdated libraries.
+
+## ━━━ PHASE 3: REPORTING ━━━
+Generate a security report: `.wb/workflows/reports/<YYYY>/<MM>/<DD>/security/security_<target>_<YYYYMMDD>.md` (create-or-append; tag your entry `*(ModelName — HH:MM)*`). Categorize findings as [CRITICAL], [WARNING], or [SAFE]. Apply output_conventions.md §1 (relative links for every vulnerable file) and §2 (full-syntax for any /wb* command cited).
+
+End the report with:
+
+## 🧭 What's Next?
+
+Run `/wbNext <target_folder>` to get a current, ranked list of next actions (typically `/wbPlan <target> "fix critical findings"` for [CRITICAL] items).

package/templates/commands/wbSetup/wbSetup_template.md

@@ -0,0 +1,203 @@
+# wbSetup Template v2.0
+
+
+<!-- HELP_GATE_START -->
+## Help intercept (handle FIRST — before any other action)
+
+**If `$ARGUMENTS` contains `--help`, `-h`, or `--h`** (case-insensitive, anywhere in the args), DO NOT execute the command's normal procedure. Instead:
+
+1. Output the **HELP BLOCK** below verbatim (rendered as markdown).
+2. Stop. Do not perform any file reads, writes, or other tool calls.
+3. Do not generate any reports under `.wb/workflows/reports/`.
+
+Otherwise, ignore this section and proceed to the rest of the template.
+
+### HELP BLOCK — `/wbSetup`
+
+## When to run it
+
+- **New package** — run immediately after `mkdir`, before writing any code.
+- **Acquired package** — if you inherited something that never had `/wbSetup`, run it now.
+- **Big rename/restructure** — if you moved the folder, re-run so context.md reflects the new reality.
+
+Do NOT run it "to refresh" an existing, working package. That's `/wbContext`, not `/wbSetup`. Running `/wbSetup` on a package that already has a tuned `dev.md` risks overwriting hand-authored rules.
+
+## The three forms
+
+```
+/wbSetup <pkg-path>                          # standard: context.md + dev.md
+/wbSetup <pkg-path> --focus="<subsystem>"    # + focused deep-dive file
+/wbSetup core2/ --scope=global               # monorepo_rules.md only
+```
+
+## What to check after it runs
+
+1. Open `context.md` — does it actually match what the package is? Fix misreads.
+2. Open `dev.md` — every rule should be a *refusal* ("never X", "do not Y"). Prose descriptions = rewrite.
+3. Check the `dist/` vs `dist-dev/` rule is there if the package publishes. If not, add it.
+4. If this is wb-press (Vue 2) — check that `dev.md` forbids Vue 3 syntax.
+
+## The mistake to avoid
+
+Running `/wbSetup` and not reading the output. The AI's inferences are fallible. A 2-minute read of `dev.md` catches 90% of mistaken rules before they cause damage.
+
+> For deeper reading: [`docs_claude/commands/wbSetup/wbSetup_practical_claude.md`](../../docs/docs_claude/commands/wbSetup/wbSetup_practical_claude.md) (or the `_eli5_`, `_expert_`, `_examples_` siblings).
+
+<!-- FLAGS_TABLE_START -->
+## Flags & shortcuts
+
+Both forms are equivalent — pass either:
+
+| Long form | Shortcut |
+|---|---|
+| `--focus` | `-f` |
+| `--scope` | `-s` |
+
+`-h` / `--help` / `--h` (any command) prints this help block instead of executing.
+## Self-correct mode (dual-mode invocation)
+
+```
+/wbSetup <scope_folder>           # normal mode — produce a fresh output file
+/wbSetup <previous_output_file>   # self-correct mode — verify & repair the file in place
+```
+
+When the first arg is an existing output file from a prior `/wbSetup` run (detected by its first H1 — see this template's **Detection** section), the command runs in **verify-and-repair** mode: gap-fills missing fields, normalizes links, ticks done/valid checkboxes whose reports exist, never rewrites authored content. See [`../_shared/output_conventions.md`](../_shared/output_conventions.md) §3.
+
+<!-- FLAGS_TABLE_END -->
+<!-- HELP_GATE_END -->
+
+<!-- FLAG_NORMALIZE_START -->
+## Flag normalization (apply BEFORE parsing args)
+
+Before processing `$ARGUMENTS`, normalize these short-form flags to their long equivalents:
+
+- `-f` → `--focus`
+- `-s` → `--scope`
+
+The rest of this template documents only the long forms; the substitution above is the only place short forms are mentioned.
+<!-- FLAG_NORMALIZE_END -->
+
+
+
+> **How to use**: Copy the prompt below, replace `__TARGET_PATH__`, and paste to your AI Agent (Cline, OpenCode, or Antigravity). 
+> This is the "Day 0" command that breathes life into a new directory by establishing its agentic identity.
+
+---
+
+## Filename & Folder Convention (v2 — Universal Daily File)
+
+**Path:** `<target_path>/.wb/workflows/reports/<YYYY>/<MM>/<DD>/setup/setup_<target>_<YYYYMMDD>.md`
+
+> **No `<model>/` subfolder.** All models contribute to ONE setup file per day per scope.
+> **No timestamp in filename.** Filename uses only the date.
+
+**Create-or-Append Rule:**
+- **File does NOT exist →** CREATE the file with a header and your setup log as Entry #1.
+- **File ALREADY exists →** READ it, then APPEND your setup corrections/additions as Entry #N.
+- **Every entry tagged:** `*(ModelName via Client — HH:MM)*`
+
+---
+
+## Detection (Self-Correct Mode)
+
+Trigger self-correct when the input file's first H1 matches:
+`# Setup Report: <scope> — <YYYY-MM-DD>`
+
+Behavior is defined in [`../_shared/output_conventions.md`](../_shared/output_conventions.md) §3.
+Setup-specific gap-fills:
+- Broken relative links → recompute from the file's actual directory depth (common error: using `../../../../` when the file is deeper than 4 levels from target).
+- Plain-text file references (`context.md`, `dev.md`, `dev_reference.md`) → convert to relative markdown links per §1.
+- Missing `dev_reference.md` mention → add if the file exists.
+- Missing or stale `## 📂 Generated Files` footer → regenerate per §5.
+- Missing `> _Self-corrected:` timestamp → append at bottom.
+
+---
+
+## 🚀 The Initialization Prompt (copy from here ↓)
+
+```
+━━━━━━━━━━━━━ /wbSetup ━━━━━━━━━━━━━
+
+📁 TARGET: __TARGET_PATH__
+📅 DATE: __TODAY__
+🤖 MODEL: __YOUR_MODEL_NAME__
+🖥️ CLIENT: __YOUR_CLIENT__
+
+━━━ INSTRUCTIONS ━━━
+
+**[TEMPORAL MEMORY]**: Before executing your main task, you MUST scan the `.wb/workflows/reports/` directory of your target scope. Look for recent `audits/`, `reviews/`, or `tests/` reports. Use these past reports to understand recent failures, technical debt, or architectural decisions that affect your current execution.
+
+
+You are the **Lead Architect Agent**. Your task is to initialize the "Agentic Brain" for the target folder. This folder currently lacks standardized context.
+
+1. **Environmental Discovery**:
+   - Perform a `list_dir` on `__TARGET_PATH__`.
+   - Read `package.json` (if present) to extract:
+     - Package Name & Version
+     - Dependencies (Internal @wbc-ui2 vs External)
+     - Build/Dev Scripts
+   - Identify the primary language (Vue 2.7, TypeScript, Node.js).
+
+2. **Generate Core Workflow Files**:
+   - Create `__TARGET_PATH__/.wb/workflows/context.md`:
+     - **Identity**: 1-sentence purpose of this folder.
+     - **API Surface**: List key exported functions or components.
+     - **Dependencies**: Explicitly list monorepo peers this folder depends on.
+   - Create `__TARGET_PATH__/.wb/workflows/dev.md`:
+     - Define 3-5 specific coding rules for this folder (e.g., "Use Vuetify colors", "No direct DOM access").
+   - Create `__TARGET_PATH__/.wb/workflows/dev_reference.md`:
+     - List the exact terminal commands for `build`, `test`, and `serve` based on your discovery.
+
+3. **Sub-Contexts & Planning (Focus Mode)**:
+   - If the user provides a focus (e.g., `--focus="renderer"`):
+     - Analyze the specific sub-system code deeply.
+     - Create specialized context files (e.g., `context_renderer.md`).
+     - Automatically generate a `/wbPlan` blueprint (`wbplan_setup.md`) so Worker agents can validate and refine the architecture.
+
+4. **Global Synchronization**:
+   - Read `core2/.wb/workflows/monorepo_rules.md`.
+   - Ensure local `dev.md` rules align with the monorepo's shared standards.
+
+5. **Audit Trail** — SAVE using the Universal Daily File pattern:
+
+   CHECK if this file exists:
+   `__TARGET_PATH__/.wb/workflows/reports/__YYYY__/__MM__/__DD__/setup/setup___FOLDER_NAME_____YYYYMMDD__.md`
+
+   - If it does NOT exist → CREATE the file with header + your setup log as Entry #1
+   - If it ALREADY exists → APPEND your setup as the next Entry #N
+
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+━━━ AUTO-APPEND FOOTER ━━━
+
+At the VERY END of the file (after "What's Next?"), you MUST append the `## 📂 Generated Files (__YYYYMMDD__)` cross-link footer. Do NOT use simple tables. You MUST use the rich "Tier 1" layout from `_shared/output_conventions.md` §5.
+
+Format required:
+```markdown
+---
+## 📂 Generated Files (__YYYYMMDD__)
+> Auto-appended per `_shared/output_conventions.md` §5. Same-level snapshot of top-level command outputs at write time.
+
+### 📚 Base Reference Files
+| Type | File | Description |
+|---|---|---|
+| Foundational | [context.md](../../../../../context.md) | Permanent Identity and Architecture (Source of Truth) |
+| Snapshot | [context_<scope>_<date>.md](../contexts/context_<scope>_<date>.md) | Daily snapshot used for current session context |
+| Foundational | [dev.md](../../../../../dev.md) | Permanent Development Commands and Status |
+
+### Global Files (`core2/` monorepo root)
+| Category | File | Source Command |
+|---|---|---|
+| Reports | [audit_core2_<date>.md](../../../../../../../../../../.wb/workflows/reports/<YYYY>/<MM>/<DD>/audits/audit_core2_<date>.md) | `/wbAudit core2/` |
+| Reports | [plan_core2_<date>.md](../../../../../../../../../../.wb/workflows/reports/<YYYY>/<MM>/<DD>/plans/plan_core2_<date>.md) | `/wbPlan core2/` |
+| Tracks | [track_core2_<date>.md](../../../../../../../../../../.wb/workflows/tracks/<YYYY>/<MM>/<DD>/track_core2_<date>.md) | `/wbTrack core2/` |
+
+<details>
+  <summary>📂 Sub-Package: [Active Package Name]</summary>
+
+| Category | File | Source Command |
+|---|---|---|
+| Reports | [audit_subpkg_<date>.md](../../../../../../../../../../apps/wb-core/subpkg/.wb/workflows/reports/<YYYY>/<MM>/<DD>/audits/audit_subpkg_<date>.md) | `/wbAudit` |
+
+</details>
+```
+```

package/templates/commands/wbStandup/wbStandup_template.md

@@ -0,0 +1,198 @@
+# /wbStandup: Execution Template
+
+
+<!-- HELP_GATE_START -->
+## Help intercept (handle FIRST — before any other action)
+
+**If `$ARGUMENTS` contains `--help`, `-h`, or `--h`** (case-insensitive, anywhere in the args), DO NOT execute the command's normal procedure. Instead:
+
+1. Output the **HELP BLOCK** below verbatim (rendered as markdown).
+2. Stop. Do not perform any file reads, writes, or other tool calls.
+3. Do not generate any reports under `.wb/workflows/reports/`.
+
+Otherwise, ignore this section and proceed to the rest of the template.
+
+### HELP BLOCK — `/wbStandup`
+
+## Two forms
+
+```
+/wbStandup core2/              # monorepo-wide — morning default
+/wbStandup <package>/          # package-scoped — afternoon re-orient
+```
+
+## When to run
+
+- **Every morning.** Literally first thing. Before `/wbContext`.
+- **After interruptions.** Back from lunch, back from a meeting, returning to a branch you haven't touched in a week.
+- **Before starting a new feature.** Clear the backlog view first, so you don't forget an open blocker.
+
+## When *not* to run
+
+- Multiple times per hour. It's a fresh-pair-of-eyes command; reading the same standup twice adds no value.
+- Right after you've done 10 commits. Your memory is still hot; you don't need the standup to remind you.
+
+## Reading the output
+
+Four sections, ranked by what should grab your attention:
+
+1. **Unresolved findings** (BLOCKERs / CRITICAL) — top priority
+2. **Stale reports** (🔨 in progress > 24h) — verify before continuing
+3. **Open plans** — ongoing work you can resume
+4. **Suggested next action** — AI opinion, you decide
+
+## The value is in the surface
+
+`/wbStandup` doesn't add information. Every finding it lists already exists in `reports/`. Its value is making you *see* it, at the moment you're choosing what to do next. Without the standup, you'd probably forget the 8-day-old security finding.
+
+## The `/wbStandup` → `/wbContext` handoff
+
+Standup is *breadth*. Context is *depth*. Sequence:
+
+1. `/wbStandup core2/` — tells you which package needs attention.
+2. `/wbContext <that-package>` — loads the AI's detailed knowledge of that package.
+3. Execute.
+
+Skipping the first → you work on the wrong package. Skipping the second → the AI works on the right package with stale context.
+
+## When /wbStandup is the wrong command
+
+- "What does package X do?" → `/wbContext <x>`.
+- "Is package X good?" → `/wbAudit <x>`.
+- "What should I build next?" → `/wbVision`, not standup (standup reconciles existing work).
+- "Did the AI finish its plan?" → `/wbReview <plan>`.
+
+> For deeper reading: [`docs_claude/commands/wbStandup/wbStandup_practical_claude.md`](../../docs/docs_claude/commands/wbStandup/wbStandup_practical_claude.md) (or the `_eli5_`, `_expert_`, `_examples_` siblings).
+
+<!-- FLAGS_TABLE_START -->
+## Flags & shortcuts
+
+Both forms are equivalent — pass either:
+
+| Long form | Shortcut |
+|---|---|
+| `--act` | `-a` |
+| `--wbPlan` | `-P` |
+
+`-h` / `--help` / `--h` (any command) prints this help block instead of executing.
+## Self-correct mode (dual-mode invocation)
+
+```
+/wbStandup <scope_folder>           # normal mode — produce a fresh output file
+/wbStandup <previous_output_file>   # self-correct mode — verify & repair the file in place
+```
+
+When the first arg is an existing output file from a prior `/wbStandup` run (detected by its first H1 — see this template's **Detection** section), the command runs in **verify-and-repair** mode: gap-fills missing fields, normalizes links, ticks done/valid checkboxes whose reports exist, never rewrites authored content. See [`../_shared/output_conventions.md`](../_shared/output_conventions.md) §3.
+
+<!-- FLAGS_TABLE_END -->
+<!-- HELP_GATE_END -->
+
+<!-- FLAG_NORMALIZE_START -->
+## Flag normalization (apply BEFORE parsing args)
+
+Before processing `$ARGUMENTS`, normalize these short-form flags to their long equivalents:
+
+- `-a` → `--act`
+- `-P` → `--wbPlan`
+
+The rest of this template documents only the long forms; the substitution above is the only place short forms are mentioned.
+<!-- FLAG_NORMALIZE_END -->
+
+
+
+**ROLE:** The Scrum Master
+**TARGET:** The entire monorepo or a specific package.
+**Read first:** [`../_shared/output_conventions.md`](../_shared/output_conventions.md) — applies to the standup file (relative links, full-syntax commands, self-correct mode, **§9 Action Type Tagging** — declare `type:` + `emits:` in YAML front-matter, add a plain-text `Requires` column to every "next actions" table, include a `## 🔗 Action Types` legend; standups are typically `emits: mixed`).
+
+---
+
+## ━━━ DETECTION (Self-Correct Mode) ━━━
+
+Trigger self-correct when the input file's first H1 matches:
+`# Standup: <scope> — <YYYY-MM-DD>` *(or the legacy `# Standup Entry #N` header).*
+
+Behavior is defined in [`../_shared/output_conventions.md`](../_shared/output_conventions.md) §3.
+
+Standup-specific gap-fills:
+
+- Plain-text mentions of plan/audit files → relative markdown links per §1.
+- Bare `/wbXxx` in the recommendation table → full-syntax `/wbXxx <target>` per §2.
+- Missing `Recommended Models` cells → fill from [`../model_recommendations.md`](../model_recommendations.md).
+
+---
+
+## ━━━ OBJECTIVE ━━━
+Your job is to cure "Choice Paralysis." Scan the monorepo for unfinished work, consolidate it into a single agenda, and explicitly tell the human developer what command they should run next — **including which model to use**.
+
+## ━━━ PHASE 1: THE GLOBAL SCAN ━━━
+1. Perform a recursive scan of the target directory looking for `reports/<YYYY>/<MM>/<DD>/plans/plan_*.md` and `reports/<YYYY>/<MM>/<DD>/audits/audit_*.md`.
+2. Extract all tasks that have an empty checkbox (`⬜`) or audits marked as `FAIL`. Ignore anything marked with `✅`.
+   > **Note (v2):** Report files are now at `reports/<date>/<type>/<type>_<target>_<date>.md` — no `<model>/` subfolder.
+
+## ━━━ PHASE 2: AGGREGATION ━━━
+
+### Filename & Folder Convention (v2 — Universal Daily File)
+
+**Path:** `.wb/workflows/reports/<YYYY>/<MM>/<DD>/standups/standup_<target>_<YYYYMMDD>.md`
+
+> **No `<model>/` subfolder.** All models contribute to ONE standup file per day per scope.
+> **No timestamp in filename.** Filename uses only the date.
+
+**Create-or-Append Rule:**
+- **File does NOT exist →** CREATE the file with a header and your standup entry as Entry #1.
+- **File ALREADY exists →** READ it, then APPEND your standup as the next Entry #N.
+- **Every entry tagged:** `*(ModelName via Client — HH:MM)*`
+
+**Entry header format (use `---` only when appending, NEVER as the very first line of the file):**
+```markdown
+# Standup Entry #N — *(ModelName via Client — HH:MM)*
+
+> **Model:** ModelName
+> **Client:** Cline / Antigravity / OpenCode / Gemini CLI
+> **Time:** YYYY-MM-DD HH:MM
+
+[... standup content: open plans, unresolved findings, resolved findings, audit trajectory, suggested next action ...]
+```
+
+**Format:** Group the open tickets by Package/Folder. Order them by priority (e.g., Audit Debt comes before Feature tasks).
+
+## ━━━ PHASE 3: THE RECOMMENDATION ━━━
+At the bottom of the report, you MUST provide a definitive recommendation with **model suggestions**.
+
+**For each suggested next action, recommend 2-3 models** from `commands/model_recommendations.md`, ordered best → budget.
+
+Use a table format:
+
+| Priority | Requires | Action | Recommended Models (ordered) | Why |
+|----------|---|--------|------------------------------|-----|
+| 🔴 1st | 🔨 Worker | `/wbXxx target` — [what to do] | 💻 Model1 / Model2 / Model3 | [reason + why this model] |
+| 🟡 2nd | 📋 Mechanical | `/wbYyy target` — [what to do] | ⚡ Model1 / Model2 | [reason] |
+| 🟢 3rd | 🧠 Planner | `/wbZzz target` — [what to do] | 🧠 Model1 / Model2 | [reason] |
+
+> **`Requires` column** (mandatory per `_shared/output_conventions.md` §9.3): plain-text action-type tag (`🧠 Planner` / `✅ Validator` / `🔨 Worker` / `📋 Mechanical`). The file MUST also include a `## 🔗 Action Types` legend before the Generated Files footer.
+
+**Role → Model mapping (quick reference):**
+
+| Role | 🏆 1st Pick | 🥈 2nd Pick | 💰 Budget |
+|---|---|---|---|
+| 🧠 Planning/Audit | Claude Opus 4.6 | DeepSeek V4 Pro (free) | Gemini 3.1 Pro |
+| 💻 Code Worker | DeepSeek V4 Pro (free) | Claude Sonnet 4.6 ($3) | GLM-5.1 (free) |
+| ✅ Validator | Claude Sonnet 4.6 ($3) | DeepSeek V4 Pro (free) | — |
+| ⚡ Mechanical | Gemini 3 Flash ($0.50) | DeepSeek V4 Flash (free) | GPT 5 Nano (free) |
+
+*Example: "You have 3 open P0 tickets in wb-core. I recommend running `/wbRefactor packages/wb-core §1` with **💻 DeepSeek V4 Pro** (free, strong coder) or **Claude Sonnet 4.6** ($3, better for security reasoning)."*
+
+**Apply output conventions to every cell:**
+
+- All file/folder references in the standup → relative markdown links from the standup file's directory (output_conventions.md §1).
+- Action column: full-syntax invocable command per §2 (e.g., `/wbRefactor packages/wb-core/src/WBC.js`, not bare `/wbRefactor`).
+
+---
+
+## ━━━ PHASE 4: WHAT'S NEXT ━━━
+
+End the standup file with:
+
+## 🧭 What's Next?
+
+Run `/wbNext <target_folder>` to get a current, ranked, dynamic list of next actions. The standup is a *snapshot* of where things stand; `/wbNext` is the *forward-looking* recommendation.