ystack 0.1.0

package/skills/pr/SKILL.md

@@ -0,0 +1,152 @@
+---
+name: pr
+description: >
+  Create a pull request after verification and docs are updated. Runs final checks,
+  detects doc gaps, and delegates to the project's pr-draft skill if available.
+  Use this skill when the user says 'pr', '/pr', 'ship', 'ship it', 'create pr',
+  'open pr', 'ready to merge', 'let's ship', or after /review and /docs complete.
+user-invocable: true
+---
+
+# /pr — Ship It
+
+You are the final step of the ystack workflow. You verify everything is ready, then create a pull request.
+
+## Phase 0: Pre-flight Checks
+
+Run all checks before creating the PR. If any fail, stop and report.
+
+### 1. Verification status
+
+Check if `/review` has been run:
+```bash
+ls .context/*/PLAN.md 2>/dev/null
+```
+
+If a PLAN.md exists, check whether all success criteria have been verified. If not:
+> Success criteria haven't been verified. Run `/review` first?
+
+### 2. Documentation check
+
+Detect if code changes affect documented modules:
+
+```bash
+# Get changed files
+git diff main...HEAD --stat
+
+# Check if any changed packages map to doc pages
+# Read ystack.config.json or scan docs structure
+```
+
+If code changed in a module that has docs, but no docs files were modified in this branch:
+> Code changes in **payments** but docs at `docs/src/content/shared/payments/` weren't updated.
+> Run `/docs` to update, or confirm docs don't need changes.
+
+If the user confirms no docs needed, proceed.
+
+### 3. Lint and typecheck
+
+```bash
+pnpm fix 2>/dev/null    # or the project's lint fix command
+pnpm typecheck 2>/dev/null
+pnpm check 2>/dev/null
+```
+
+If any fail, report the errors and offer to fix.
+
+### 4. Clean working tree
+
+```bash
+git status
+```
+
+All changes should be committed. If there are unstaged changes, ask the user what to do.
+
+## Phase 1: Create PR
+
+### If project has `pr-draft` skill
+
+Delegate to the project's `pr-draft` skill. It knows the project's PR conventions, monorepo grouping, and section format.
+
+> Delegating to `pr-draft` for PR creation...
+
+### If no `pr-draft` skill
+
+Create the PR directly:
+
+1. **Ensure branch is pushed:**
+   ```bash
+   git push -u origin HEAD
+   ```
+
+2. **Generate PR title** — Conventional Commits format:
+   ```
+   feat(payments): add refund reason tracking
+   ```
+
+3. **Generate PR body** from the plan and changes:
+
+   ```markdown
+   ## Summary
+
+   - [What was built and why, 1-3 bullets from DECISIONS.md]
+
+   ## Changes
+
+   - [Grouped by package/module from the diff]
+
+   ## Verification
+
+   - [Success criteria from PLAN.md, marked as checked]
+
+   ## Test Plan
+
+   - [ ] `pnpm typecheck` passes
+   - [ ] `pnpm check` passes
+   - [ ] [Feature-specific manual test steps]
+   ```
+
+4. **Ask about PR status:**
+   > Create as **draft** or **ready for review**?
+
+5. **Create the PR:**
+   ```bash
+   gh pr create --title "<title>" --body "<body>" [--draft]
+   ```
+
+## Phase 2: Clean Up
+
+After the PR is created:
+
+1. **Close beads** (if Beads is available):
+   ```bash
+   # Verify all feature beads are closed
+   bd show <bead-id>
+   ```
+
+2. **Archive `.context/`** — don't delete, just note it's done:
+   ```
+   Feature context at .context/<feature-id>/ can be cleaned up.
+   ```
+
+3. **Report:**
+   ```
+   PR created: <URL>
+
+   ## Summary
+   - Feature: <name>
+   - Commits: N
+   - Files changed: N
+   - Docs updated: yes/no
+   - All criteria verified: yes
+   ```
+
+---
+
+## What This Skill Does NOT Do
+
+- **Does not write code.** That's `/go`.
+- **Does not review code.** That's `/review`.
+- **Does not update docs.** That's `/docs`. But it DOES check if docs need updating.
+- **Does not force-push.** Ever.
+- **Does not merge.** Only creates the PR. Merging is a human decision.

package/skills/review/SKILL.md

@@ -0,0 +1,184 @@
+---
+name: review
+description: >
+  Code review and goal-backward verification against success criteria from PLAN.md.
+  Use this skill when the user says 'review', '/review', 'check my work', 'verify',
+  'did it work', 'is it done', 'review the changes', or after /go completes and
+  the user wants to verify the implementation before shipping.
+user-invocable: true
+---
+
+# /review — Code Review + Verification
+
+You are the quality gate of the ystack agent harness. You do two things:
+
+1. **Goal-backward verification** — check that the codebase delivers what the plan promised
+2. **Code review** — check the diff against project standards
+
+You do NOT trust summaries or task completion claims. You check the actual code.
+
+## Phase 0: Load Context
+
+1. Find the active plan and summary:
+   ```bash
+   ls .context/*/PLAN.md 2>/dev/null
+   ```
+
+2. If multiple features exist, ask which to review. If only one, proceed.
+
+3. Read:
+   - `.context/<feature-id>/PLAN.md` — the success criteria
+   - `.context/<feature-id>/DECISIONS.md` — the locked decisions
+   - `.context/<feature-id>/SUMMARY.md` — what `/go` claims it did (if exists)
+
+4. Get the diff — all changes since before `/go` ran:
+   ```bash
+   git diff main...HEAD --stat
+   git diff main...HEAD
+   ```
+   If not on a feature branch, use the commits from `/go` (check SUMMARY.md for commit hashes).
+
+## Phase 1: Goal-Backward Verification
+
+For each success criterion in PLAN.md, verify it against the actual codebase. Do NOT read the SUMMARY.md and trust it — check the code yourself.
+
+**For each criterion, run a concrete check:**
+
+| Criterion type | How to verify |
+|---------------|--------------|
+| "Column X exists on table Y" | Read the schema file, grep for the column name |
+| "Endpoint accepts field X" | Read the route handler, check the Zod schema or request parsing |
+| "Component renders X" | Read the component file, check it imports and renders the element |
+| "Types exported from package" | Read the package's index.ts or types file, check the export |
+| "Tests pass" | Run `pnpm test --filter=<package>` |
+| "Typecheck passes" | Run `pnpm typecheck` |
+| "Lint passes" | Run `pnpm check` or `pnpm fix` |
+
+**Output a verification table:**
+
+```markdown
+## Verification
+
+| # | Criterion | Status | Evidence |
+|---|-----------|--------|----------|
+| 1 | `refundReason` column exists on `transactions` table | PASS | `packages/db/src/schema.ts:47` — `refundReason: pgEnum(...)` |
+| 2 | POST /api/payments/refund accepts `reason` field | PASS | `apps/api/src/routes/payments.ts:92` — `reason: z.enum([...])` |
+| 3 | Admin transaction detail shows refund reason badge | FAIL | Component exists at `apps/admin/src/components/RefundReasonBadge.tsx` but not imported in `page.tsx` |
+| 4 | Types exported from `@acme/shared` | PASS | `packages/shared/src/types/payments.ts:23` — `export type RefundReason` |
+```
+
+**Include file path and line number as evidence.** "PASS" without evidence is not acceptable.
+
+## Phase 2: Code Review
+
+Read the full diff and check against project standards.
+
+### What to check
+
+**Security:**
+- SQL injection (raw queries, unsanitized input)
+- XSS (dangerouslySetInnerHTML, unescaped user content)
+- Auth bypass (missing middleware, unchecked permissions)
+- Secrets in code (API keys, tokens, passwords)
+- `target="_blank"` without `rel="noopener"`
+
+**Type safety:**
+- Usage of `any` (should be `unknown` or a specific type)
+- Missing return types on exported functions
+- Type assertions (`as`) that could be avoided with narrowing
+
+**Code quality:**
+- Matches existing patterns in the modified files
+- No unnecessary abstractions or premature generalization
+- No dead code, unused imports, or commented-out blocks
+- Error handling where needed (API boundaries, user input)
+- No `console.log` or `debugger` left in
+
+**Accessibility** (for UI changes):
+- Semantic HTML (`<button>` not `<div onClick>`)
+- ARIA labels on interactive elements
+- Alt text on images
+- Keyboard navigation support
+
+**Project conventions:**
+- Read `.claude/rules/` and `CLAUDE.md` for project-specific rules
+- Read `docs/src/content/contributing/` if it exists
+- Check: naming conventions, import patterns, file organization
+
+### What NOT to check
+
+- Things the linter already catches (formatting, semicolons, bracket style)
+- Code that wasn't changed in this feature
+- Style preferences that aren't in the project rules
+
+## Phase 3: Report
+
+Output the full review:
+
+```markdown
+## Review Results
+
+### Verification: X/Y PASS
+
+[Verification table from Phase 1]
+
+### Code Review
+
+#### Issues (N found)
+
+- **[SEVERITY]** `file/path.ts:LINE`
+  Description of the issue.
+  Suggested fix: ...
+
+- **[SEVERITY]** `file/path.ts:LINE`
+  Description of the issue.
+
+#### No Issues Found In
+- Security
+- Type safety
+- Accessibility
+
+### Overall Verdict
+
+**PASS** — All criteria met, no blocking issues.
+
+or
+
+**NEEDS FIX** — N criteria failed, M issues found.
+[List specific fixes needed]
+```
+
+**Severity levels:**
+- **BLOCK** — Must fix before shipping. Security issues, failed success criteria, broken types.
+- **WARN** — Should fix. Missing accessibility, weak error handling, style violations.
+- **NOTE** — Consider fixing. Minor improvements, not blocking.
+
+## Phase 4: Offer Fixes
+
+If there are BLOCK or WARN issues:
+
+> Found N issues. Want me to fix them?
+>
+> **Blocking:**
+> 1. RefundReasonBadge not imported in page.tsx
+>
+> **Warnings:**
+> 1. Missing aria-label on badge component
+>
+> I can fix these now, or you can address them manually.
+
+If the user says yes, fix the issues directly — make the changes, run verification again, and commit. Use a `fix(<scope>): <description>` commit message.
+
+If all criteria PASS and no BLOCK issues:
+
+> All clear. Ready for `/docs` and `/pr`.
+
+---
+
+## What This Skill Does NOT Do
+
+- **Does not trust SUMMARY.md.** It reads the actual code.
+- **Does not review code outside the feature.** Only the current diff.
+- **Does not update docs.** That's `/docs`.
+- **Does not create PRs.** That's `/pr`.
+- **Does not rewrite working code.** If it passes criteria and has no issues, it's done.