xtrm-tools 0.5.46 → 0.5.48

package/plugins/xtrm-tools/skills/planning/SKILL.md

@@ -62,16 +62,33 @@ If the request is under 8 words or the scope is unclear, ask **one** clarifying
 
 Use GitNexus and Serena to understand the landscape. No file edits.
 
+### GitNexus-first protocol (mandatory when available)
+
 ```bash
-# Find relevant execution flows
+# 1) Find relevant execution flows by concept
 gitnexus_query({query: "<concept related to task>"})
 
-# Understand a specific symbol
+# 2) Get full caller/callee/process context for likely symbols
 gitnexus_context({name: "<affected symbol>"})
 
-# Check blast radius before planning changes
+# 3) Assess blast radius before locking the implementation plan
 gitnexus_impact({target: "<symbol to change>", direction: "upstream"})
+```
+
+### Refactor planning checks (when rename/extract/move is in scope)
+
+```bash
+# Preview safe multi-file rename plan first
+gitnexus_rename({symbol_name: "<old>", new_name: "<new>", dry_run: true})
+
+# Confirm context before extraction/split plans
+gitnexus_context({name: "<symbol to extract/split>"})
+gitnexus_impact({target: "<symbol to extract/split>", direction: "upstream"})
+```
+
+### Serena symbol-level inspection (targeted reads)
 
+```bash
 # Map a file without reading all of it
 get_symbols_overview("path/to/relevant/file.ts")
 
@@ -79,11 +96,44 @@ get_symbols_overview("path/to/relevant/file.ts")
 find_symbol("SymbolName", include_body=true)
 ```
 
+### Fallback when GitNexus MCP tools are unavailable
+
+If MCP GitNexus tools are unavailable, use the GitNexus CLI first, then Serena symbol exploration if needed.
+
+```bash
+# Verify index freshness / repository indexing
+npx gitnexus status
+npx gitnexus list
+
+# Concept and architecture exploration
+npx gitnexus query "<concept or symptom>" --limit 5
+npx gitnexus context "<symbolName>"
+
+# Blast radius before committing to a plan
+npx gitnexus impact "<symbolName>" --direction upstream --depth 3
+
+# If index is stale
+npx gitnexus analyze
+```
+
+Notes:
+- In this environment, `detect_changes` and `rename` are available via MCP tools, not GitNexus CLI subcommands.
+- If both MCP and CLI are unavailable, fall back to Serena search + symbols and state this explicitly in your plan output.
+
+```bash
+search_for_pattern("<concept or symbol>")
+get_symbols_overview("path/to/relevant/file.ts")
+find_symbol("<candidate symbol>", include_body=true)
+find_referencing_symbols("<symbol>", "path/to/file.ts")
+```
+
 **Capture from exploration:**
 - Which files/symbols will be affected
+- Which execution flows/processes are involved (from `gitnexus_query`/`gitnexus_context`)
 - What existing patterns to follow (naming, structure, error handling)
 - Any d=1 dependents that require updates when you change a symbol
-- Risk level: if CRITICAL or HIGH → warn user before proceeding
+- Risk level from impact analysis: if CRITICAL or HIGH → warn user before proceeding
+- If GitNexus fallback path was used, explicitly call it out in the handoff
 
 ---
 
@@ -101,6 +151,7 @@ Think through the plan before writing any bd commands. Use structured CoT:
 3. What are the dependencies? (what must be done before X can start?)
 4. What can run in parallel? (independent tasks → no deps between them)
 5. What are the risks? (complex areas, unclear spec, risky refactors)
+6. What is the blast-radius summary from GitNexus? (direct callers, affected processes, risk level)
 </thinking>
 
 <plan>
@@ -244,7 +295,13 @@ test-planning will:
 
 ## Phase 6 — Handoff
 
-Present the board and transition to implementation:
+Present the board and transition to implementation.
+
+Include a short **Architecture & Impact Summary** in your handoff message:
+- Key execution flows/processes involved
+- Top d=1 dependents to watch
+- Highest observed risk (LOW/MEDIUM/HIGH/CRITICAL)
+- Whether GitNexus-first or fallback exploration was used
 
 ```bash
 # Show the full board
@@ -292,30 +349,26 @@ Then begin work on the first task. The planning phase is complete.
 ### Example 2 — Bug fix with investigation
 
 <example>
-  <scenario>User: "bd close sometimes doesn't auto-commit"</scenario>
+  <scenario>User: "bd close doesn't commit my changes"</scenario>
 
   <exploration>
-    gitnexus_query({query: "bd close auto-commit"})
+    gitnexus_query({query: "bd close commit workflow"})
     → finds: beads-claim-sync.mjs, close event handler
-    find_symbol("handleClose", include_body=true)
-    → discovers: auto-commit only fires if tracked files changed, not untracked
+    find_symbol("main", include_body=true)
+    → discovers: bd close sets closed-this-session KV only; no git commit
   </exploration>
 
   <thinking>
-    Root cause identified: git commit -am skips untracked files.
-    Fix: check git ls-files --others before committing.
-    Risk: LOW — only beads-claim-sync.mjs changes.
-    Single task, no phases needed.
+    bd close does NOT auto-commit (removed in xtrm-wr0o).
+    Correct workflow: bd close <id>, then git add + git commit separately, then xt end.
+    No issue needed — this is expected behavior.
   </thinking>
 
   <bd_command>
-    bd create \
-      --title="Fix bd close auto-commit skips untracked new files" \
-      --description="Context: beads-claim-sync.mjs uses 'git commit -am' which skips
-      untracked files. Fix: add 'git ls-files --others --exclude-standard' check and
-      'git add -A' scoped to expected paths before committing.
-      AC: [ ] auto-commit includes new untracked files [ ] existing behavior preserved"
-      --type=bug --priority=1
+    # No issue needed — explain the correct workflow to the user:
+    # 1. bd close <id> --reason="..."   ← closes issue
+    # 2. git add . && git commit -m "..." ← commit changes manually
+    # 3. xt end                           ← push, PR, merge, worktree cleanup
   </bd_command>
 </example>
 
@@ -343,6 +396,8 @@ Before presenting the plan to the user:
 - [ ] Every issue has context / what / AC / notes
 - [ ] Dependencies are correct (A blocks B when B needs A's output)
 - [ ] No task is more than "one session" of work (split if needed)
+- [ ] GitNexus evidence captured (query/context/impact) or fallback path explicitly stated
+- [ ] If refactor scope exists, rename/extract safety checks were included in plan
 - [ ] test-planning was invoked (or scheduled as next step)
 - [ ] First implementation issue is ready to claim
 

package/plugins/xtrm-tools/skills/test-planning/SKILL.md

@@ -206,3 +206,260 @@ Agent closes a feature issue that was done ad-hoc. No test issue found. Agent:
 2. Picks strategy
 3. Creates test issue as child of same parent
 4. Documents what to assert based on the actual code
+
+## Anti-Pattern Checklist
+
+Run this checklist at both trigger points (planning and closure review). Flag any anti-patterns in the test issue description before closing.
+
+### 1. Assertion-free tests
+**Detect**: Test body calls functions/methods but has no `assert`, `expect`, or equivalent statement.
+**Fix**: Add at least one meaningful assertion. If the goal is "doesn't throw", assert that explicitly — `with pytest.raises(...)` or `expect(() => fn()).not.toThrow()`.
+
+### 2. Tautological assertions
+**Detect**: The assertion can only fail if the test framework itself is broken. E.g. `assert result == result`, `expect(true).toBe(true)`, asserting a value against the same expression used to produce it.
+**Fix**: Assert against a concrete expected value derived independently from the production code. If you can't state what the expected value is without running the code, the test has no falsifiable claim.
+
+### 3. Context leakage / shared mutable state
+**Detect**: Tests share module-level variables, database rows, file state, or global config without reset between runs. Symptoms: tests pass individually but fail in suite order.
+**Fix**: Use fixtures with setup/teardown (`beforeEach`/`afterEach`, pytest fixtures with function scope). Every test starts from a clean slate.
+
+### 4. Over-mocking internal collaborators
+**Detect**: Mocks are patching classes or functions that live in the same module under test — not external services. The test validates that internal wiring was called, not that the observable outcome is correct.
+**Fix**: Only mock at system boundaries (HTTP clients, file I/O, external services). Test internal collaborators by letting them run. If they're hard to instantiate, extract the pure logic and test that directly.
+
+### 5. Tests that cannot fail under realistic regressions
+**Detect**: Remove the core logic being tested and re-read the test — would it still pass? If yes, the test provides no protection. Common form: only testing the happy path of a function whose bug would only appear in error paths.
+**Fix**: Add at least one negative-path or edge-case assertion that would catch the most likely regression. Consult the implementation for obvious failure modes.
+
+## Priority Heuristics
+
+Test issues inherit priority from their implementation issues with bounded adjustment. The table below gives the deterministic mapping.
+
+| Implementation risk | Test issue priority | Examples |
+|---|---|---|
+| Security / auth / protocol compat | P0 (equal) | Auth token validation, schema migration safety, API contract |
+| Regression-critical boundary path | P0–P1 (equal) | Client URL routing, CLI exit codes used by external tooling |
+| High-business-impact core logic | P1 (equal or +0) | Pricing computations, session state transitions |
+| Standard domain logic | P2 (+0 or +1) | Config merge, output formatters, parsers |
+| Low-risk internals / non-critical adapters | P3 (+1) | Helper utilities, optional UI formatting |
+| Polish / test debt cleanup | P4 | Improving existing test coverage, test naming |
+
+**Inheritance rule**: start from the implementation issue's priority. Apply +1 if the test is covering a well-understood path with low regression risk. Never go lower than P2 for boundary or shell layer tests — integration tests are load-bearing.
+
+**Equal priority examples**:
+- Impl is P1 (auth endpoint) → test issue is P1 (auth contract test must ship with the feature)
+- Impl is P0 (critical fix) → test issue is P0 (regression test must land in same PR)
+
+**+1 priority examples**:
+- Impl is P2 (output formatter) → test issue is P3 (unit tests are useful but not blocking)
+- Impl is P3 (optional config key) → test issue is P4 (test debt, tackle in cleanup)
+
+## Definition of Done Templates
+
+Use these templates verbatim in test issue descriptions. Replace `<...>` placeholders.
+
+### Core layer DoD
+
+```
+Layer: core
+Strategy: <unit | property-based | example-based>
+Covers: <impl issue IDs>
+
+Assertions required:
+- [ ] Positive path: <expected output for valid input>
+- [ ] Negative path: <expected error/output for invalid input>
+- [ ] Edge cases explicitly enumerated: <list: empty input, zero, max boundary, ...>
+- [ ] Invariants/properties included: <e.g. "result is always sorted", "output length == input length">
+
+Fixture policy:
+- [ ] No shared mutable state between tests
+- [ ] Deterministic fixtures (no random, no time.now() without injection)
+- [ ] Each test constructs its own input independently
+
+Done when: all assertions above are implemented and passing in CI.
+```
+
+### Boundary layer DoD
+
+```
+Layer: boundary
+Strategy: <live-contract | recorded-fixture | mock (last resort)>
+Covers: <impl issue IDs>
+
+Assertions required:
+- [ ] Schema/contract assertions: <field presence, types, required vs optional>
+- [ ] Error codes and retry/fallback: <e.g. 404→empty list, 500→raises ServiceError>
+- [ ] Drift-safe: assertions check field presence and types, not brittle internal structure
+- [ ] Live-first policy documented: <live | recorded-fixture | mock — reason for choice>
+
+Done when: contract assertions pass against live service (or recorded fixture if live unavailable).
+Fallback documented in issue if live is not accessible.
+```
+
+### Shell layer DoD
+
+```
+Layer: shell
+Strategy: integration (subprocess or function-level wiring test)
+Covers: <impl issue IDs>
+
+Assertions required:
+- [ ] End-to-end observable outcomes: <what the user sees — output format, exit code>
+- [ ] Failure-mode UX: <error messages, non-zero exit codes, stderr vs stdout>
+- [ ] Cross-component wiring: <core + boundary are called and integrated correctly>
+- [ ] At least one real-data scenario (not mocked) if service is accessible
+
+Done when: integration tests run against real components (not mocked internals) and cover
+both success and at least one failure path.
+```
+
+## Critical-Path Coverage
+
+Do not frame test issues around coverage percentages. Frame them around critical paths and risk rationale.
+
+Every test issue description must include a **critical path map**:
+
+```
+Critical paths covered:
+- <path 1 and risk rationale>
+- <path 2 and risk rationale>
+
+Known deferred paths (with follow-up refs):
+- <path not covered yet> → follow-up: <bd issue ID or "to be created">
+```
+
+**Why**: a 90% line-coverage number says nothing about whether the one path that processes payments is tested. A critical path map forces explicit reasoning about what matters and what was skipped.
+
+**What counts as a critical path**:
+- Any path that involves auth, money, data loss, or external contract compliance
+- Any path exercised by the user-facing CLI commands described in the issue
+- Any path explicitly mentioned in the implementation issue's acceptance criteria
+
+**What to do with deferred paths**:
+- Document them — don't silently skip
+- Create a follow-up test issue if the deferred path is P2 or higher risk
+- Reference the follow-up issue ID in the current test issue's description
+
+## Advisory vs Enforcement Boundary
+
+This skill is advisory. It recommends test strategy, creates test issues, and flags anti-patterns. It does not block code execution or enforce pass/fail decisions — that is the job of hooks and quality gates.
+
+| Concern | Who owns it | How enforced |
+|---|---|---|
+| Test strategy selection (TDD vs contract vs unit) | This skill | Recommendation only |
+| Anti-pattern detection in test issues | This skill | Checklist in issue description |
+| Priority assignment | This skill | Heuristics table above |
+| DoD template in issue description | This skill | Template pasted into bd issue |
+| CI test pass/fail | quality-gates hook | PostToolUse hook blocks on test failures |
+| Test file lint/type correctness | quality-gates hook | ESLint + mypy on every edit |
+| Branch not mergeable without tests | Not enforced | Human review — no automated gate today |
+| Claiming work without test issue existing | Not enforced | Human judgment — skill creates test issue at closure if missing |
+
+**Example — advisory boundary in practice**:
+
+You are planning tests for `.14` (async HTTP client). This skill:
+- Classifies as boundary layer ✓
+- Recommends live-contract tests ✓
+- Creates a test issue with DoD template ✓
+- Flags if you try to describe tests that only mock the HTTP layer ✓ (anti-pattern 4)
+
+It does NOT:
+- Block `.14` from closing if the test issue isn't done
+- Fail the build if the test issue is open
+- Require approval before the implementation is merged
+
+The test issue is a tracked commitment, not a gate. Gating is opt-in via `bd dep` dependencies you set up during planning.
+
+## v1.1 Format Examples
+
+### Example A — Planning phase, boundary + shell epic
+
+Epic: "Implement gitnexus MCP sync in xtrm install"
+
+Children: `.1` (MCP config writer), `.2` (sync-on-install integration), `.3` (CLI `xtrm mcp` command)
+
+Classification:
+- `.1` → boundary (writes to `.mcp.json`, file I/O)
+- `.2` → shell (orchestrates install flow)
+- `.3` → shell (CLI command)
+
+Test issues created:
+
+```
+bd create "Test: MCP config writer — contract tests for .mcp.json output" \
+  -t task -p 2 --parent <epic> \
+  -d "Layer: boundary
+Strategy: example-based (file I/O, no external service)
+Covers: .1
+
+Assertions required:
+- [ ] Positive path: valid servers config produces correct .mcp.json structure
+- [ ] Negative path: invalid server entry raises validation error
+- [ ] Edge cases: empty servers list, duplicate server names, existing .mcp.json is merged not overwritten
+- [ ] Drift-safe: assert on field presence (name, command, args), not internal object identity
+
+Critical paths covered:
+- gitnexus server entry written with correct stdio transport — risk: wrong transport breaks MCP
+- existing user entries preserved during merge — risk: data loss
+
+Known deferred paths:
+- test with malformed existing .mcp.json → follow-up: to be created (P3)
+
+Done when: all assertions pass, no shared state between tests."
+```
+
+```
+bd create "Test: xtrm install MCP sync + xtrm mcp CLI — integration tests" \
+  -t task -p 2 --parent <epic> \
+  -d "Layer: shell
+Strategy: integration (subprocess)
+Covers: .2, .3
+
+Assertions required:
+- [ ] End-to-end: xtrm install writes correct .mcp.json in temp project dir
+- [ ] CLI: xtrm mcp list outputs expected server names
+- [ ] Failure-mode: xtrm mcp add with duplicate name exits non-zero with clear error
+- [ ] Cross-component: install flow calls MCP writer with correct config
+
+Critical paths covered:
+- full install → .mcp.json present and readable by Claude Code — risk: MCP servers not available
+- CLI add + list roundtrip — risk: user cannot inspect installed servers
+
+Known deferred paths:
+- test with no write permission on project dir → follow-up: to be created (P4)
+
+Done when: integration tests run against real file system in temp dir, no mocked internals."
+```
+
+---
+
+### Example B — Closure gate, core layer, implementation diverged
+
+Closing `.22` (config merge logic). Existing test issue `.31` was written before implementation.
+
+What `.22` actually built:
+- Added precedence chain: env > file > defaults (original plan had only file > defaults)
+- Added type coercion for boolean env vars ("true"/"false" → bool)
+- Removed support for `.xtrm.yaml` (only `.xtrm/config.json` now)
+
+Updated test issue `.31`:
+
+```
+bd update xtrm-31 --notes "Scope updated after .22 completed:
++ Add test: env var takes precedence over file config (new precedence chain)
++ Add test: 'true'/'false' env vars coerced to bool correctly
++ Add test: 'TRUE', '1', '0' edge cases for bool coercion
++ Remove test: .xtrm.yaml loading (format removed in .22)
+
+Anti-pattern check:
+- [ ] tautological: none detected
+- [ ] over-mocking: env injection via monkeypatch only, no internal mocking
+- [ ] shared state: each test resets env via fixture
+
+Critical paths covered:
+- env > file > defaults chain — risk: wrong precedence silently overrides user config
+- bool coercion — risk: 'false' string treated as truthy in Python
+
+Known deferred paths:
+- test with missing HOME dir (pathlib resolution edge case) → follow-up: xtrm-4x (P4)"
+```

package/plugins/xtrm-tools/skills/using-xtrm/SKILL.md

@@ -78,7 +78,7 @@ gitnexus_impact({target: "parseComposeServices", direction: "upstream"})
 get_symbols_overview("hooks/init.ts")                           # map file
 find_symbol("parseComposeServices", include_body=True)          # read just this
 replace_symbol_body("parseComposeServices", newBody)            # Serena edit
-bd close bd-xyz --reason="Fix YAML parse edge case"            # close + auto-commit
+bd close bd-xyz --reason="Fix YAML parse edge case"            # close issue
 xt end                                                         # push, PR, merge, cleanup
 ```
 

package/plugins/xtrm-tools/skills/xt-debugging/SKILL.md

@@ -0,0 +1,149 @@
+---
+name: xt-debugging
+description: Complete debugging workflow — error analysis, log interpretation, performance profiling, and GitNexus call-chain tracing. Use when investigating bugs, errors, crashes, or performance issues.
+---
+
+# xt-debugging
+
+Systematic debugging using the GitNexus knowledge graph for call-chain tracing, combined with error analysis, log interpretation, and performance profiling.
+
+## When to Use
+
+- "Why is this function failing?"
+- "Trace where this error comes from"
+- "This endpoint returns 500"
+- Investigating crashes, unexpected behavior, or regressions
+- Performance issues
+- Reading logs or stack traces
+
+---
+
+## Prerequisites
+
+GitNexus must be indexed before starting. If you see "index is stale" or no results:
+
+```bash
+npx gitnexus analyze   # re-index the repo (run this, then retry)
+npx gitnexus status    # verify freshness
+```
+
+---
+
+## Phase 1 — Triage
+
+Understand the symptom before touching any code.
+
+1. Read the full error message and stack trace
+2. Identify the suspect symbol (function, class, endpoint)
+3. Check for regressions — what changed recently?
+   ```
+   gitnexus_detect_changes({scope: "compare", base_ref: "main"})
+   ```
+
+---
+
+## Phase 2 — Knowledge Graph Investigation
+
+```
+1. gitnexus_query({query: "<error text or symptom>"})   → Related execution flows + symbols
+2. gitnexus_context({name: "<suspect>"})                → Callers, callees, process participation
+3. READ gitnexus://repo/{name}/process/{processName}    → Full step-by-step execution trace
+4. gitnexus_cypher({...})                               → Custom call chain if needed
+```
+
+### Patterns by Symptom
+
+| Symptom | Approach |
+|---------|----------|
+| Error message | `query` for error text → `context` on throw site |
+| Wrong return value | `context` on function → trace callees for data flow |
+| Intermittent failure | `context` → look for external calls, async deps, race conditions |
+| Performance issue | `context` → find hot-path symbols with many callers |
+| Recent regression | `detect_changes` to see what changed |
+
+### Example — "Payment endpoint returns 500 intermittently"
+
+```
+1. gitnexus_query({query: "payment error handling"})
+   → Processes: CheckoutFlow, ErrorHandling
+   → Symbols: validatePayment, handlePaymentError
+
+2. gitnexus_context({name: "validatePayment"})
+   → Outgoing calls: verifyCard, fetchRates (external API!)
+
+3. READ gitnexus://repo/my-app/process/CheckoutFlow
+   → Step 3: validatePayment → calls fetchRates (external, no timeout)
+
+4. Root cause: fetchRates has no timeout → intermittent failures under load
+```
+
+---
+
+## Phase 3 — Root Cause Analysis
+
+1. **Reproduce** — Identify minimal reproduction steps
+2. **Trace data flow** — Follow the value/control flow from input to error
+3. **Isolate** — Narrow to the smallest failing unit
+4. **Hypothesize** — Form explicit hypothesis before reading more code
+5. **Confirm** — Verify hypothesis against source, not just symptoms
+
+Common root cause categories:
+- **Null/undefined** — missing guard, wrong assumption about data shape
+- **Race condition** — async ordering, missing await, shared mutable state
+- **External dependency** — timeout, API contract change, env difference
+- **Type mismatch** — serialization, casting, implicit coercion
+- **Configuration** — env var missing, wrong default, deployment drift
+
+---
+
+## Phase 4 — Log Analysis
+
+1. Read the full log output (not just the last line)
+2. Identify: timestamps, error levels, request IDs, correlation tokens
+3. Correlate events across log lines to build timeline
+4. Look for: first occurrence, frequency, affected subset, preceding events
+5. Summarize: what happened, when, why, and what was affected
+
+---
+
+## Phase 5 — Performance Profiling
+
+1. **Measure baseline** — Never optimize blind
+   ```bash
+   time <command>
+   ```
+2. **Profile** — Language-appropriate tools:
+   - Node.js: `--prof`, `clinic.js`, `0x`
+   - Python: `cProfile`, `py-spy`, `line_profiler`
+   - Go: `pprof`
+3. **Identify hotspot** — Usually 1–2 functions account for >80% of time; use `gitnexus_context` to confirm call frequency
+4. **Fix the bottleneck** — Minimal targeted change
+5. **Verify** — Measure again, compare against baseline
+
+---
+
+## Phase 6 — Remediation
+
+1. **Fix** — Minimal change that addresses the confirmed root cause
+2. **Verify** — Run the failing case to confirm fix
+3. **Regression test** — Add a test that would have caught this bug
+4. **Check blast radius** — `gitnexus_impact({target: "fixedSymbol", direction: "upstream"})`
+5. **Pre-commit scope check** — `gitnexus_detect_changes({scope: "staged"})`
+
+---
+
+## Checklist
+
+```
+- [ ] Read full error / stack trace
+- [ ] Identify suspect symbol
+- [ ] gitnexus_detect_changes to check for regressions
+- [ ] gitnexus_query for error text or symptom
+- [ ] gitnexus_context on suspect (callers, callees, processes)
+- [ ] Trace execution flow via process resource
+- [ ] Read source files to confirm root cause
+- [ ] Form explicit hypothesis before fixing
+- [ ] Verify fix against failing reproduction
+- [ ] Add regression test
+- [ ] gitnexus_detect_changes() before committing
+```

package/plugins/xtrm-tools/skills/xt-end/SKILL.md

@@ -78,6 +78,33 @@ If changes cannot be classified safely, stop with `BLOCKED_DIRTY_UNCLASSIFIED_CH
 
 ---
 
+## Stage 2.5 — Scope Verification
+
+Before committing or pushing, verify that branch changes match the expected scope of the session's closed issues. **Never skip this step** — unreviewed scope is the primary source of oversized or unintended PRs.
+
+Run:
+```bash
+git diff --stat origin/main..HEAD 2>/dev/null || git diff --stat $(git merge-base HEAD main)..HEAD
+```
+
+For each significantly changed symbol, check blast radius:
+```bash
+npx gitnexus impact <symbol-name>                   # upstream dependants — what else breaks
+npx gitnexus impact <symbol-name> -d downstream    # downstream dependencies
+```
+
+For Claude agents with MCP access, also run:
+```
+gitnexus_detect_changes({scope: "compare", base_ref: "main"})
+```
+
+**Rules:**
+- Changes clearly tied to session issues → continue
+- Files unrelated to session issues → classify as overscoped (handle in Stage 3D)
+- `npx gitnexus impact` returns HIGH or CRITICAL risk on a changed symbol → **stop and report to user** before continuing
+
+---
+
 ## Stage 3 — Dry Run and Anomaly Detection
 
 Run:
@@ -260,6 +287,7 @@ If linkage had to be inferred from commits rather than detected by `xt end`, say
 
 The autonomous rule is simple:
 - normalize the session
+- verify scope with gitnexus before committing
 - dry-run
 - auto-fix predictable anomalies
 - rerun dry-run