npm - wogiflow - Versions diffs - 2.6.4 → 2.7.0 - Mend

wogiflow 2.6.4 → 2.7.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (29) hide show

package/.claude/settings.json +0 -1
package/lib/workspace-changelog.js +182 -0
package/lib/workspace-channel-server.js +75 -2
package/lib/workspace-contracts.js +151 -1
package/lib/workspace-events.js +383 -0
package/lib/workspace-gates.js +740 -0
package/lib/workspace-integration-tests.js +299 -0
package/lib/workspace-intelligence.js +486 -1
package/lib/workspace-locks.js +371 -0
package/lib/workspace-messages.js +203 -3
package/lib/workspace-routing.js +144 -0
package/package.json +1 -1
package/scripts/flow-done-gates.js +70 -0
package/.claude/rules/_internal/README.md +0 -64
package/.claude/rules/_internal/document-structure.md +0 -77
package/.claude/rules/_internal/dual-repo-management.md +0 -174
package/.claude/rules/_internal/feature-refactoring-cleanup.md +0 -87
package/.claude/rules/_internal/github-releases.md +0 -71
package/.claude/rules/_internal/model-management.md +0 -35
package/.claude/rules/_internal/self-maintenance.md +0 -87
package/.claude/rules/architecture/component-reuse.md +0 -38
package/.claude/rules/code-style/naming-conventions.md +0 -107
package/.claude/rules/operations/git-workflows.md +0 -92
package/.claude/rules/operations/scratch-directory.md +0 -54
package/.claude/rules/security/security-patterns.md +0 -176
package/.claude/skills/figma-analyzer/knowledge/learnings.md +0 -11
package/.workflow/specs/architecture.md.template +0 -24
package/.workflow/specs/stack.md.template +0 -33
package/.workflow/specs/testing.md.template +0 -36

package/.claude/rules/_internal/github-releases.md DELETED Viewed

@@ -1,71 +0,0 @@
----
-description: "GitHub release workflow - prevents race conditions in npm publish"
-alwaysApply: false
-globs: package.json
----
-# GitHub Release Workflow
-**Source**: Repeated failures (10+ times) in npm publish automation
-**Priority**: Critical - prevents wasted releases and broken npm versions
-## Problem
-Running `git push` followed immediately by `gh release create` causes a race condition. The release tag gets created on the remote's HEAD before the push fully propagates, pointing to an old commit.
-## Pre-Release Quality Gate (MANDATORY)
-Before ANY release, verify the codebase is in a releasable state:
-1. **Check outstanding findings**: Read `.workflow/state/last-review.json` — if unresolved critical/high findings exist, STOP and fix them first
-2. **Run lint** (if configured): `npm run lint`
-3. **Run typecheck** (if configured): `npm run typecheck`
-4. **Verify no uncommitted changes**: `git status` should be clean
-The `preRelease` and `outstandingFindings` quality gates in `flow-done.js` enforce this automatically for `release` type tasks. For manual releases, check these yourself.
-## Correct Procedure
-```bash
-# 0. Verify codebase is releasable (pre-release gate)
-# (automated by flow-done.js for release-type tasks)
-# 1. Push commits first
-git push origin master
-# 2. Create tag LOCALLY on the correct commit
-git tag vX.Y.Z HEAD
-# 3. Push the tag explicitly
-git push origin vX.Y.Z
-# 4. THEN create the release (it will use the existing tag)
-gh release create vX.Y.Z --title "vX.Y.Z" --notes "..."
-```
-## Never Do This
-```bash
-# BAD - race condition, tag may point to wrong commit
-git push origin master && gh release create vX.Y.Z ...
-```
-## Recovery Procedure
-If a release fails with wrong version:
-1. Delete the bad release: `gh release delete vX.Y.Z --yes`
-2. Delete the bad remote tag: `git push origin --delete vX.Y.Z`
-3. Delete local tag if exists: `git tag -d vX.Y.Z`
-4. Follow the correct procedure above
-## Verification
-Before creating the release, verify:
-```bash
-git show vX.Y.Z --quiet --format="%H"  # Should match HEAD
-git show vX.Y.Z:package.json | grep version  # Should show X.Y.Z
-```
----
-Last updated: 2026-01-30

package/.claude/rules/_internal/model-management.md DELETED Viewed

@@ -1,35 +0,0 @@
----
-globs: scripts/flow-model*.js
-alwaysApply: false
-description: "Model management architecture - two separate systems for different purposes"
----
-# Model Management Architecture
-**Context**: Phase 1 introduced model registry and stats system alongside existing model-adapter.
-## Two Model Systems
-### 1. flow-model-adapter.js - Prompt Adaptation
-- `getCurrentModel()` returns normalized model name (string)
-- Focus: Per-model prompt adjustments, learning, and corrections
-- Imports: Used by flow-knowledge-router.js
-### 2. flow-models.js - Registry and Stats
-- `getCurrentModel()` returns `{name, info, source}` object
-- Focus: Model listing, routing recommendations, cost tracking
-- Standalone CLI commands: `flow models [subcommand]`
-## Design Decision
-**Keep them separate** because:
-- Different return types serve different consumers
-- Adapter system needs just the name for pattern matching
-- Registry system needs full model metadata for display/routing
-- Merging would create unnecessary coupling
-## Future Consideration
-Could extract shared model detection logic into a common utility if they drift apart, but avoid premature abstraction.

package/.claude/rules/_internal/self-maintenance.md DELETED Viewed

@@ -1,87 +0,0 @@
----
-description: "Patterns for modifying WogiFlow itself (scripts, templates, config)"
-alwaysApply: false
-globs: "scripts/**,*.workflow/**,.claude/**,templates/**,agents/**,lib/**"
----
-# WogiFlow Self-Maintenance Patterns
-When modifying WogiFlow's own code (scripts/, templates/, config, hooks), follow these patterns.
-## 1. Template-First Changes
-CLAUDE.md is **generated**, not hand-edited. Changes must go through the template system:
-```
-.workflow/templates/claude-md.hbs       # Main template
-.workflow/templates/partials/*.hbs      # Partial templates
-```
-After editing templates, regenerate:
-```bash
-node scripts/flow-bridge.js sync claude-code
-```
-**Never edit CLAUDE.md directly** - changes will be overwritten on next sync.
-## 2. Three-Layer Hook Architecture
-All hooks follow: Entry → Core → Adapter
-```
-scripts/hooks/entry/claude-code/<name>.js  # CLI-specific entry point
-scripts/hooks/core/<name>.js               # CLI-agnostic logic
-scripts/hooks/adapters/claude-code.js      # Transform results
-```
-When adding/modifying hooks:
-- Logic goes in `core/` (not entry)
-- Entry files only parse input and call core
-- Register hook in `.claude/settings.local.json`
-- Add config toggle in `.workflow/config.json` under `hooks.rules`
-## 3. Config Changes Need Documentation
-When adding config keys:
-- Use `_comment_<keyName>` for inline documentation of non-obvious settings
-- Update config.schema.json if it exists
-- Ensure `lib/installer.js` handles the new key for fresh installs
-## 4. State File Templates
-For files in `.workflow/state/` that target projects need:
-- Create both the file AND a `.template` version
-- Templates go in `.workflow/state/<name>.template` (for init/onboard)
-- Also add to `templates/` directory (for npm distribution)
-## 5. Slash Commands Are Flat Files
-Slash commands in `.claude/commands/` must be flat `.md` files:
-```
-.claude/commands/wogi-start.md     ← Correct (flat file)
-.claude/commands/wogi-start/       ← Wrong (directory)
-```
-## 6. Two Agent Directories
-| Directory | Purpose | Used By |
-|-----------|---------|---------|
-| `agents/` | 11 persona files | Health checks, CLI |
-| `.workflow/agents/` | Review checklists | wogi-review |
-Don't confuse them. `agents/security.md` (persona) is different from `.workflow/agents/security.md` (OWASP checklist).
-## 7. Regression Prevention
-When modifying flow-*.js scripts:
-- Run `node --check scripts/<file>.js` after edits
-- WogiFlow has no test suite - syntax checking is the safety net
-- Check for circular dependencies when moving shared functions
-## 8. Feature Refactoring Cleanup
-When renaming/replacing a feature, follow the full checklist in `.claude/rules/architecture/feature-refactoring-cleanup.md`. Key steps:
-- Remove old script files
-- Update config keys
-- Update documentation references
-- Search all `.md` files for old name

package/.claude/rules/architecture/component-reuse.md DELETED Viewed

@@ -1,38 +0,0 @@
----
-globs: src/components/**/*
-alwaysApply: false
-description: "Component reuse policy - always check app-map.md before creating components"
----
-# Component Reuse Policy
-**Rule**: Always check `app-map.md` before creating any component.
-## Priority Order
-1. **Use existing** - Check if component already exists in app-map
-2. **Add variant** - Extend existing component with a new variant
-3. **Extend** - Create a wrapper/HOC around existing component
-4. **Create new** - Only as last resort
-## Before Creating Components
-```bash
-# Check app-map first
-cat .workflow/state/app-map.md | grep -i "button"
-# Or search codebase
-grep -r "Button" src/components/
-```
-## Variant vs New Component
-Prefer variants when:
-- Same base functionality, different appearance
-- Same HTML structure, different styling
-- Same component, different size/color/state
-Create new component when:
-- Fundamentally different functionality
-- Different DOM structure
-- Different state management

package/.claude/rules/code-style/naming-conventions.md DELETED Viewed

@@ -1,107 +0,0 @@
----
-alwaysApply: true
-description: "Naming conventions for files and code variants"
-globs: "**/*.{js,ts,jsx,tsx,mjs,cjs}"
----
-# Naming Conventions
-## File Names
-Use **kebab-case** for all file names in this project.
-Examples:
-- `flow-health.js` (correct)
-- `flowHealth.js` (incorrect)
-- `flow_health.js` (incorrect)
-## Variant Names (UI Projects Only)
-When working on projects with UI components, use consistent variant names:
-| Category | Values |
-|----------|--------|
-| Size | `sm`, `md`, `lg`, `xl` |
-| Intent | `primary`, `secondary`, `danger`, `success`, `warning` |
-| State | `default`, `hover`, `active`, `disabled` |
-Skip this section for backend-only or library projects (no UI components).
-## Catch Block Variables
-Use `err` for all catch blocks in this codebase.
-**Avoid**: `e`, `error`, `ex`, `exception` - these cause confusion with loop variables.
-```javascript
-// Good
-try {
-  doSomething();
-} catch (err) {
-  console.error(err.message);
-}
-// Bad - 'e' conflicts with common iterator variables
-try {
-  items.map(e => e.value);  // 'e' used as iterator
-} catch (e) {
-  console.error(e.message);  // Easy to confuse with iterator 'e'
-}
-```
-**Reason**: Standardizing on `err` prevents mix-ups when `.map(e => ...)` is used nearby.
-### Unused Catch Variables
-When the catch block intentionally ignores the error, prefix with underscore: `_err`.
-```javascript
-// Good - _err signals "intentionally unused"
-try {
-  JSON.parse(input);
-} catch (_err) {
-  return defaultValue;
-}
-// Bad - looks like a bug (unused variable without underscore)
-try {
-  JSON.parse(input);
-} catch (err) {
-  return defaultValue;
-}
-```
-This convention is used across 100+ files in the codebase and satisfies no-unused-vars lint rules.
-## Default Value Operators: `||` vs `??`
-Use **nullish coalescing (`??`)** for defaults where the left operand could legitimately be `0`, `false`, or `""`.
-Use **logical OR (`||`)** only when falsy values (0, false, empty string) should genuinely fall through to the default.
-```javascript
-// Use ?? — timeout=0 is valid (means "no timeout"), not "use default"
-this.timeout = options.timeout ?? TIMEOUTS.HTTP_DEFAULT;
-// Use ?? — numeric config values where 0 is meaningful
-const retries = config.maxRetries ?? 3;
-const threshold = config.similarityThreshold ?? 0.5;
-// Use ?? — boolean config where false is the intended value
-const strictMode = config.enforcement?.strictMode ?? false;
-// Use ?? — array/object defaults guarding against null/undefined
-const items = data.inProgress ?? [];
-const settings = config.hybrid ?? {};
-// Use || — empty string should fall through to a display default
-const branch = status.git.branch || 'unknown';
-// Use || — lookup fallback where undefined means "not found"
-const name = cliNames[type] || type;
-// Use || — join() returns "" for empty arrays, want a fallback message
-const summary = facts.join('; ') || 'No data available';
-```
-**Rule of thumb**: If you are defaulting a config value, numeric parameter, boolean flag, or array/object from a potentially-null source, use `??`. If you are providing a display fallback where empty string should show a placeholder, use `||`.

package/.claude/rules/operations/git-workflows.md DELETED Viewed

@@ -1,92 +0,0 @@
----
-alwaysApply: true
-description: "Git workflow rules for merge conflicts, conventional commits, and branch management"
----
-# Git Workflow Rules
-## Merge Conflict Resolution
-When encountering merge conflicts:
-1. **Understand both sides** before resolving. Read the full context of both changes.
-2. **Prefer the newer implementation** when both sides modify the same logic, unless the older version has test coverage the newer lacks.
-3. **Never silently discard changes** — if unsure, ask the user which side to keep.
-4. **After resolving**: Run lint and typecheck on resolved files before committing.
-5. **Conflict markers**: If you see `<<<<<<<`, `=======`, `>>>>>>>` in any file, resolve them before any other work.
-```bash
-# Check for unresolved conflicts
-git diff --check
-# After resolving
-git add <resolved-files>
-git commit -m "fix: resolve merge conflicts in <description>"
-```
-## Conventional Commit Format
-All commits MUST use conventional commit format:
-```
-<type>(<scope>): <description>
-[optional body]
-[optional footer]
-```
-### Types
-| Type | When to use |
-|------|------------|
-| `feat` | New feature or capability |
-| `fix` | Bug fix |
-| `docs` | Documentation only |
-| `style` | Formatting, whitespace (no logic change) |
-| `refactor` | Code change that neither fixes a bug nor adds a feature |
-| `perf` | Performance improvement |
-| `test` | Adding or updating tests |
-| `chore` | Build process, tooling, dependencies |
-### Examples
-```
-feat(hooks): add InstructionsLoaded hook for rule conflict detection
-fix(routing): clear routing flag when user invokes /wogi-* commands
-docs(readme): update installation instructions for v1.8
-refactor(bridge): extract hash comparison to shared utility
-chore(deps): bump eslint to v9.x
-```
-### Scope
-Use the module or feature area: `hooks`, `bridge`, `routing`, `skills`, `plugins`, `config`, `cli`, `docs`.
-## Pre-Commit Review
-Before committing, always:
-1. Run `git diff --staged` to review what you're about to commit
-2. Verify no secrets, credentials, or `.env` files are staged
-3. Verify no debug/console.log statements left in production code
-4. Run validation (lint, typecheck) on changed files
-## Stash Usage
-Use `git stash` when:
-- Switching context to a different task mid-work
-- Pulling changes that might conflict with local work
-- Testing something on a clean working tree
-```bash
-git stash push -m "WIP: description of work"  # Save with message
-git stash pop                                   # Restore and remove
-git stash list                                  # See all stashes
-```
-## Branch Naming
-When creating branches (outside worktrees):
-- Feature: `feat/<short-description>`
-- Bugfix: `fix/<short-description>`
-- WogiFlow worktrees use `wogi-task-<taskId>` automatically

package/.claude/rules/operations/scratch-directory.md DELETED Viewed

@@ -1,54 +0,0 @@
----
-alwaysApply: true
-description: "Temp files, prompts, instructions, and scratch content must go in .workflow/scratch/"
----
-# Scratch Directory for Temporary Files
-## Rule
-When creating temporary, scratch, or ephemeral files — such as prompts for other projects, instructions, notes, drafts, exported configs, or any content that is NOT a permanent part of the codebase — **always write them to `.workflow/scratch/`**.
-## Why
-Without this rule, Claude creates .md files, .txt files, and other scratch content in random locations (project root, src/, docs/, etc.). This pollutes the project with files that:
-- Have no designated location, so users don't know where to find them
-- Don't get cleaned up, accumulating over time
-- May accidentally get committed to version control
-- Make `git status` noisy with untracked files
-## How
-```javascript
-// Use PATHS.scratch for temp file locations
-const { PATHS } = require('./flow-paths');
-const outputPath = path.join(PATHS.scratch, 'my-temp-file.md');
-```
-Or in natural language: "Save this to `.workflow/scratch/filename.md`"
-## Auto-Cleanup
-The `.workflow/scratch/` directory is **automatically cleaned at session end** by the session-end hook. Files in this directory are ephemeral — they survive the current session but are removed when the session ends.
-If a file needs to persist beyond a session, it belongs somewhere else:
-- Specs → `.workflow/specs/`
-- Changes → `.workflow/changes/`
-- Documentation → project docs directory
-- Configuration → `.workflow/` root
-## What Goes in Scratch
-- Prompts or instructions generated for other projects
-- Draft content being reviewed before placement
-- Temporary analysis output
-- Export/import staging files
-- Any file the user explicitly asks to "save somewhere" without specifying a location
-## What Does NOT Go in Scratch
-- Task specs (use `.workflow/specs/` or `.workflow/changes/`)
-- Configuration files (use `.workflow/`)
-- Source code (use the project's source directories)
-- Documentation (use the project's docs directory)
-- State files (use `.workflow/state/`)

package/.claude/rules/security/security-patterns.md DELETED Viewed

@@ -1,176 +0,0 @@
----
-alwaysApply: true
-description: "Security patterns for file operations, JSON parsing, and path handling"
----
-# Security Patterns
-Critical security patterns for this project.
-## 1. File Read Safety
-Always wrap `fs.readFileSync()` in try-catch, even after `fileExists()` check.
-**Reason**: Race conditions, permission changes, symlink issues can still cause failures.
-```javascript
-// Good
-try {
-  const content = fs.readFileSync(path, 'utf-8');
-} catch (err) {
-  // Handle gracefully
-}
-// Bad - can still throw even if file existed
-if (fs.existsSync(path)) {
-  const content = fs.readFileSync(path, 'utf-8');
-}
-```
-## 2. JSON Parsing Safety
-Use `safeJsonParse()` from flow-utils.js instead of raw `JSON.parse()`.
-- Check for `__proto__`, `constructor`, `prototype` injection
-- Validate parsed structure has expected fields before use
-- Located in: `scripts/flow-utils.js`
-```javascript
-// Good
-const config = safeJsonParse(filePath, {});
-// Bad - vulnerable to prototype pollution
-const config = JSON.parse(fs.readFileSync(filePath));
-```
-## 3. Template Substitution Safety
-When implementing template substitution:
-- Block access to `__proto__`, `constructor`, `prototype` keys
-- Use `Object.prototype.hasOwnProperty.call()` for property access
-- Example: See `applyTemplate()` in flow-prompt-composer.js
-## 4. Path Safety
-- Validate patterns before `path.join()` with user/config data
-- Use `isPathWithinProject()` for defense-in-depth
-- Glob-to-regex: Use `[^/]*` not `.*` to prevent path separator matching
-```javascript
-// Good
-if (!isPathWithinProject(targetPath)) {
-  throw new Error('Path outside project');
-}
-// Bad - allows path traversal
-const fullPath = path.join(baseDir, userInput);
-```
-## 5. Module Dependencies
-- Check for circular dependencies when refactoring shared functions
-- Node.js handles circular deps but can cause undefined exports during load
-## 6. Claude Code Permission Patterns (2.1.7+)
-When configuring permission rules in Claude Code, avoid overly permissive wildcards.
-**Vulnerability fixed in 2.1.7**: Wildcard permission rules could match compound commands containing shell operators (`;`, `&&`, `||`, `|`).
-**Destructive git commands** must NOT be auto-allowed. WogiFlow's `generateSettings()` scopes these to safe variants:
-```javascript
-// DANGEROUS - auto-allows destructive operations
-"allow": "Bash(git reset *)"    // matches git reset --hard
-"allow": "Bash(git restore *)"  // matches git restore . (discard all)
-"allow": "Bash(git clean *)"    // matches git clean -f
-// SAFE - only non-destructive variants auto-allowed
-"allow": "Bash(git reset HEAD *)"       // unstage files only
-"allow": "Bash(git reset --soft *)"     // soft reset, preserves changes
-"allow": "Bash(git restore --staged *)" // unstage files only
-// git reset --hard, git restore ., git clean -f require manual approval
-```
-**Best practices:**
-- Scope destructive commands to safe variants instead of blanket wildcards
-- `git reset --hard`, `git restore .`, `git clean -f` should always require user approval
-- Prefer semantic permission prompts over literal command matching
-- Never allow broad patterns like `rm *` or `git *`
-- Review permission rules after Claude Code updates
-## 7. Windows Path Safety
-On Windows, be aware of path-related issues:
-- Temp directory paths may contain characters like `\t` or `\n` that could be misinterpreted as escape sequences
-- Use raw strings or proper escaping when constructing paths
-- Cloud sync tools (OneDrive, Dropbox) and antivirus may touch file timestamps without changing content
-```javascript
-// Good - use path.join() which handles platform differences
-const tempPath = path.join(os.tmpdir(), 'myfile.txt');
-// Bad - manual concatenation can break on Windows
-const tempPath = os.tmpdir() + '/myfile.txt';
-```
-## 8. Shell Command Parameter Validation
-When executing shell commands with dynamic parameters, always validate inputs.
-**Risk**: Command injection via unvalidated parameters passed to execSync/spawn.
-```javascript
-// DANGEROUS - lang parameter not validated
-execSync(`sg --pattern "${pattern}" --lang ${lang} --json "${path}"`);
-// SAFER - validate against whitelist
-const ALLOWED_LANGUAGES = new Set(['typescript', 'javascript', 'python', 'go']);
-if (!ALLOWED_LANGUAGES.has(lang)) {
-  throw new Error(`Unsupported language: ${lang}`);
-}
-// BEST - use execFile with array arguments (no shell interpretation)
-const { execFileSync } = require('child_process');
-execFileSync('sg', ['--pattern', pattern, '--lang', lang, '--json', path]);
-```
-**Best practices:**
-- Validate all dynamic parameters against allowlists
-- Prefer `execFile`/`execFileSync` with array arguments over `exec`/`execSync` with template strings
-- When using template strings, escape all user-controlled values
-- Never interpolate user input directly into shell commands
-## 9. Temp Directory Isolation (Claude Code 2.1.23+)
-On shared systems (CI servers, multi-user machines), use per-user temp directories to prevent permission conflicts.
-**Fixed in Claude Code 2.1.23**: Per-user temp directory isolation prevents permission conflicts.
-```javascript
-// Good - per-user isolation
-const userId = process.getuid?.() ?? process.env.USER ?? process.env.USERNAME ?? 'default';
-const tempDir = path.join(os.tmpdir(), `myapp-${userId}`);
-// Bad - global temp path on shared systems
-const tempDir = path.join(os.tmpdir(), 'myapp');
-```
-**Best practices:**
-- Use UID on Unix systems (`process.getuid()`)
-- Fall back to username environment variables on Windows
-- Always provide a 'default' fallback for edge cases
-- This pattern is used in `flow-worktree.js` for worktree isolation
-## 10. Search/Grep Timeout Handling (Claude Code 2.1.23+)
-**Fixed in Claude Code 2.1.23**: Ripgrep search timeouts now report errors instead of silently returning empty results.
-**Impact on WogiFlow:** Component detection, auto-context loading, and pattern matching rely on search operations. Before 2.1.23, search timeouts could cause false negatives.
-**Best practices:**
-- Handle empty search results gracefully - they may indicate timeout
-- Add retry logic for search-dependent operations
-- Log warnings when searches return unexpectedly empty
-- Consider fallback strategies (glob-based search if grep fails)

package/.claude/skills/figma-analyzer/knowledge/learnings.md DELETED Viewed

@@ -1,11 +0,0 @@
-# Figma Analyzer Learnings
-Learnings captured from using the Figma Analyzer skill.
----
-## Patterns Learned
-<!-- Learnings will be captured automatically during skill usage -->
----