claude-code-kit 0.11.3__tar.gz → 0.13.0__tar.gz

{claude_code_kit-0.11.3 → claude_code_kit-0.13.0}/.claude-plugin/marketplace.json

@@ -10,7 +10,7 @@
       "name": "claude-kit",
       "source": "./",
       "description": "Cookiecutter-style scaffolder for an autonomous Claude Code SDLC config (no app code, no Docker): install CLAUDE.md + .claude/ (rules, the profile's agents/skills, hooks, artifact templates) + optional .mcp.json, then run /sdlc to drive spec → review → build → test → security → ship through profile-aware quality gates, working memory, and a self-improving learnings loop.",
-      "version": "0.11.3",
+      "version": "0.13.0",
       "license": "MIT",
       "keywords": ["sdlc", "agents", "orchestration", "quality-gates", "workflow", "scaffold", "cookiecutter"]
     }

{claude_code_kit-0.11.3 → claude_code_kit-0.13.0}/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "claude-kit",
-  "version": "0.11.3",
+  "version": "0.13.0",
   "description": "Cookiecutter-style scaffolder for an autonomous Claude Code SDLC config (no app code, no Docker). `claude-kit init` asks ordered questions and installs CLAUDE.md + .claude/ (rules, the profile's agents/skills, hooks, artifact templates) + optional .mcp.json; run /sdlc to drive spec → review → build → test → security → ship through profile-aware quality gates with working memory and a self-improving learnings loop.",
   "author": {
     "name": "Arjunsingh Yadav",

{claude_code_kit-0.11.3 → claude_code_kit-0.13.0}/CHANGELOG.md

@@ -4,6 +4,174 @@ All notable changes to claude-kit are documented here. The format follows
 [Keep a Changelog](https://keepachangelog.com/), and the project uses
 [semantic versioning](https://semver.org/).
 
+## [0.13.0] — 2026-06-15
+
+A **second improvement brief** (external self-review, post-0.12.0) — Item 0 (a covered-vs-gated audit)
++ P0-1/P0-2, P1-1/P1-2/P1-3, and six P2 items — run through the kit's mandated **adversarial
+reuse-first map→verify** (a 24-agent map→verify pass). The decisive finding repeated from last time:
+several premises were **overstated** against the live files (migration safety was already largely
+enforced; the README "no PyPI yet" text was simply stale; the README is already progressively
+disclosed). The result is a mix of **two new gates wired as data, one new live backend stack, and
+targeted extensions** — **zero new agents/skills/rules** beyond what already existed (core counts
+unchanged: 28 agents · 50 skills · 23 rules).
+
+### Added
+- **Item 0 — `docs/coverage-audit.md`.** The justification record the briefs kept eliding: every
+  "already covered" capability classified **GATED (enforced) / RULE (always-on) / SKILL-DOC
+  (advisory)** with file evidence. Verifies rollback (GATED enterprise-only; RULE elsewhere), cost
+  (DOC by design), migration safety (overlay-advisory + enterprise rollback), accessibility, and
+  flags the one *looks-enforced-but-isn't* trap (the `accessibility-review` skill's internal "Quality
+  gates" heading is **not** a gate token).
+- **P0-1 — `contract-clear` reaches the default `standard` profile** (API stacks), not just
+  enterprise (`catalog/profiles.yaml`). It still self-skips when the stack exposes no API contract
+  surface, so non-API projects are unaffected. *(Deliberate posture change: 0.12.0 placed it in
+  enterprise under golden-rule-#6 "heavyweight gates default to enterprise"; the brief explicitly
+  authorizes promoting it because breaking-change detection is table-stakes for the headline FastAPI
+  backend. Documented, not silent.)* Owned by `merge-reviewer`; quality-gates §4 + mandatory-workflow
+  §2d + the api-change-report template updated to say "standard+".
+- **P1-1 — a live Go backend stack** (Go · stdlib **net/http**): a pure `catalog/stacks.yaml` entry +
+  `templates/stacks/backend/go/net-http/rules/go-patterns.md` overlay + exact `go` commands
+  (`go build ./...`, `go test ./...`, `go vet`, `gofmt`). Chosen over Node/Express precisely because
+  its build/test command shapes differ most from npm/pip — the strongest test of the stack-agnostic
+  claim. The one supporting code change: a **`build`** key added to `_BACKEND_CMD_KEYS` (compiled
+  backends surface a build command; interpreted ones leave it empty). No `resolve()` branch.
+- **P1-2 — `accessibility-clear` gate** at organization scope, **`regulated` strictness only**
+  (`catalog/org.yaml` `extra_gates`). Owned by `acceptance-reviewer` (read-only, already present at
+  standard+), drives the existing `accessibility-review` skill over changed UI (WCAG-AA), self-skips
+  when no UI surface. Wired in `org.yaml` only, so the `lean⊊standard⊊enterprise` profile invariant is
+  untouched.
+- **`examples/react-fastapi-postgres-feature/`** (P2-2) — a clearly-labelled **synthetic** end-to-end
+  walkthrough: request → feature-spec → story breakdown (coverage gate) → gate verdicts (incl. one
+  defect-loop cycle and a Devil's-Advocate CONFIRMED line) → sample PR diff. Repo reference (like
+  `docs/`), **not** bundled into the wheel.
+- **`docs/eval-harness.md`** (P2-4) — a fill-in template to measure the pipeline with vs without the
+  gates (which gate caught which defect), built on `rules/evals.md` §6 median-of-N. Ships **no**
+  numbers by design (an eval result is environment-specific); honesty rules included.
+- **Self-test matrix** (P2-5) — a parametrized test sweeping **every live frontend × backend ×
+  database × profile × scope** (now 24 combos incl. Go), each resolved + installed + validated +
+  Docker-checked. Driven off `catalog.list_options`, so new live stacks auto-join with no test edit.
+
+### Changed
+- **P0-2 — migration safety made explicit.** Both `migration-specialist` overlays (postgres + mongodb)
+  already mandated expand/contract, reversible down-path, and idempotent backfill *as agent guidance*;
+  added the explicit hard rule **"no destructive drop in the same release as the code that stops using
+  the old shape"** with **severity** to the always-on overlay RULES (`postgres-patterns.md`,
+  `mongodb-patterns.md`) — so it lives in a rule, not only an agent prompt. (Same-release destruction
+  = at least **High**.)
+- **P1-3 — the PyPI story reconciled.** `claude-code-kit` **is** published (latest 0.12.0); the README
+  install block, troubleshooting row, and a stale `changelog-v0.10.0` badge said otherwise. Install is
+  now `pip install claude-code-kit`; the changelog badge is de-versioned (self-healing); the CI
+  publish machinery (`publish.yml`) was correct and left untouched.
+- **P2-3 (on-ramp, minimal)** — added an **Examples** nav link + pipeline pointer only; the proposed
+  full README restructure was **rejected** (see below). Pipeline gate table + `docs/architecture.md`
+  diagram updated for `contract-clear` (standard+) and the Go stack.
+
+### Not adopted (deliberately — premise overstated or against the kit's design)
+- **A dedicated migration GATE token (P0-2).** Migrations are overlay-conditioned and not every-run;
+  `resolve()` can't emit stack gates without a branch. Strengthened the always-on overlay rules +
+  reviewer agents instead — enforcement via review + the enterprise rollback gate (`pipeline-green`),
+  per the coverage audit.
+- **Node/Express as the new backend (P1-1).** Chose **Go** instead — its command shapes differ more
+  from the existing npm/pip stacks, which is the whole point of the breadth test. Express/Vue/Svelte/
+  Django remain `planned`.
+- **A full README restructure + GIF (P2-3).** The README already uses progressive disclosure
+  (`<details>`); a big move-to-`docs/` churn is negative-value and a GIF can't be produced here. Added
+  only the example link. (Recording a demo GIF is a human follow-up.)
+- **Relocating the CHANGELOG "Not adopted" blocks to `docs/decision-log.md` (P2-6).** Those blocks are
+  a **marketed feature** the README links to; moving them would break that cross-reference for low
+  value. Added a forward-looking note in `CONTRIBUTING.md` instead (split later *only if* the README
+  link is updated in the same change).
+- **Repo About-box metadata (P2-1)** — host config outside the payload; `gh` is unavailable here.
+  Human follow-up: `gh repo edit ajyadav013/claude-kit --description "Config-only, stack-agnostic
+  autonomous-SDLC scaffolder for Claude Code (plugin + pip)" --add-topic claude-code --add-topic
+  claude-code-plugins --add-topic sdlc --add-topic ai-agents --add-topic agentic-coding --add-topic
+  claude-skills`.
+
+## [0.12.0] — 2026-06-15
+
+An **improvement brief** (external self-review, no repo access) proposed ~15 changes — four P0, five
+P1, six P2. Run through the kit's own mandated **adversarial reuse-first mapping** (an 18-agent
+map→verify pass), **every substantive (P0/P1) item resolved to _extend an existing component_, not add
+a new one** — the brief, written without the repo, repeatedly proposed agents/gates/skills that already
+ship. The result is **one new quality gate, one new artifact template, one new slash command, and a set
+of surgical edits to existing files — zero new agents, skills, or rules** (counts unchanged: 28 core
+agents · 50 skills · 23 rules). Config-only, stack-agnostic, no Docker, no new `resolve()` branches.
+
+### Added
+- **`contract-clear` quality gate** (enterprise profile; API-exposing backend stacks only). A
+  pre-merge **API backward-compatibility** gate **owned by the existing `merge-reviewer`** (not a new
+  agent): it diffs the API contract against the base branch (`git show <base>:<contract>`), classifies
+  each delta by the kit's severity model (removed/renamed endpoint or field, narrowed type, new
+  required field, removed status code = **Critical/High**), and blocks a breaking change that lacks an
+  approved migration note + version bump. **Self-skips** when the stack has no contract surface, so it
+  is inert for non-API projects. Wired as **data** in `catalog/profiles.yaml` (enterprise gate list),
+  documented in `rules/quality-gates.md` §4, and sequenced as the mechanical counterpart to
+  `mandatory-workflow.md` §2d. Builds **on** §2d's existing manual breaking-change check rather than
+  replacing it.
+- **`templates/artifacts/api-change-report.md`** — the `contract-clear` gate's output artifact
+  (contract source · base ref · added/changed/removed tables with per-row severity · backward-compat
+  verdict · affected consumers). Installs with the other artifact templates.
+- **`/claude-kit:abort`** slash command (`commands/abort.md`) — a guided, **reversible** mid-pipeline
+  cleanup: confirm a run is in progress, remove **only the worktrees this run created**, mark
+  `CONTINUITY.md` aborted. Deliberately **not** a `claude-kit abort` CLI subcommand (a destructive
+  one-shot CLI for "remove worktrees" is exactly the kind of irreversible action the kit gates).
+
+### Changed (surgical extensions to existing components)
+- **`skills/ci-cd-and-automation`** — named **Blue/Green vs Canary** as an explicit deployment-strategy
+  subsection (blue/green was never named anywhere in the kit; cross-refs the existing Rollout Decision
+  Thresholds). *(P0-1 — the only real gap; see "Not adopted" for the rest of P0-1.)*
+- **`rules/devops-observability.md` + `agents/observability-engineer.md`** — Observability Ready now
+  requires, **for a hot / SLO-bearing backend path**, an empirical load run (drive the existing
+  `load-testing` skill) that meets its p95/p99 latency, error-rate, and throughput budgets; a budget
+  breach is **High**. Recorded in the `quality-gates.md` §4 row. No new gate, no new agent. *(P0-3)*
+- **`agents/dependency-scanner.md`** — added a **Cadence Mode** (a whole-project, scheduled
+  supply-chain maintenance pass: batch grouped upgrades, defer triage to `security-and-hardening`,
+  re-run the existing gates on applied upgrades). Scheduling is left to org CI (the kit has no
+  time-driven hook). No new skill. *(P0-4)*
+- **`rules/model-tiers.md`** — added a **profile cost expectations** subsection (relative, non-currency
+  ballpark: lean cheapest → enterprise heaviest, noting enterprise still runs only four opus agents).
+  *(P1-1)*
+- **`skills/sdlc` + `agents/orchestrator.md`** — `/sdlc` now **detects an in-progress run** from
+  `CONTINUITY.md` and offers **resume** (re-enter at the first gate after the last PASS, read from the
+  orchestrator's `PIPELINE:` state line) **vs restart**; the orchestrator's Stage-7 summary now reports
+  per-gate PASS/FAIL + severity + PR-or-ABORTED and **tears down this run's worktrees**. *(P1-2, P1-3)*
+- **`rules/mandatory-workflow.md`** — §2a now states the **worktree lifecycle** (one per lane → merge
+  after gates pass → remove after the PR is raised or the run is aborted); §2d gained a note pointing
+  at the mechanical `contract-clear` counterpart. *(P1-3)*
+- **`rules/continuity.md`** — added a **Concurrency** subsection (one live `CONTINUITY.md` per working
+  dir; use a worktree per concurrent `/sdlc`; `agent-memory` is intentionally shared, not namespaced).
+  *(P1-4)*
+- **`src/claude_kit/validator.py` + README** — `claude-kit doctor` now reports **platform visibility**:
+  on Windows without `jq` it WARNs (actionable: run under WSL/Git Bash; config + CLI work natively
+  regardless) and on Windows *with* `jq` it confirms a POSIX shell is providing the hooks — **never a
+  failure**. README gained a Windows prerequisites note + troubleshooting row. *(P1-5)*
+
+### Not adopted (deliberately — the kit already covers these)
+- **P0-1 `release-manager`/`release-ready`/`rollback-safety` (new agent + gate + rule).** Release &
+  rollback are **already owned by `devops-engineer`** (and the Pipeline Green gate already requires a
+  *verified* rollback + runbook); canary, feature flags, staged rollout, and rollback are already
+  covered in depth by the `shipping-and-launch` skill. Only "blue/green was never named" was a genuine
+  gap — fixed above as one subsection, no new components.
+- **P0-2 `contract-reviewer` agent in the _standard_ profile.** Reused `merge-reviewer` instead of a
+  new agent, and placed the gate in **enterprise** (heavyweight gates default to enterprise per the
+  profile policy), not standard. It also **builds on** `mandatory-workflow.md` §2d rather than
+  duplicating it.
+- **P0-3 `performance-engineer` agent + standalone performance gate.** Folded into the existing
+  Observability Ready gate + `observability-engineer` + `load-testing` skill.
+- **P0-4 `dependency-maintenance` skill.** Folded into the existing `dependency-scanner` agent as a
+  mode; no competing skill.
+- **P1-1 `cost-estimate` skill + a per-run cost hook.** A doc subsection in `model-tiers.md` conveys
+  the expectation without a runtime token-accounting surface the kit can't reliably measure.
+- **P1-3 a `run-report` subsystem / structured run trace.** Already covered by `CONTINUITY.md` working
+  memory + the orchestrator's Stage-7 summary; only the genuine gaps (worktree teardown + clean abort)
+  were added.
+- **P1-5 a PowerShell hook port.** The hooks stay POSIX `.sh`; `doctor` now tells Windows users to run
+  under WSL/Git Bash. Porting every guard to PowerShell would double the maintenance surface for a
+  shell most users already have via WSL/Git Bash.
+- **The P2 items** (repo metadata, PyPI publish, listing submissions) that require a human / `gh` are
+  left as follow-ups; the **E2E worked example**, **positioning section**, and **README on-ramp** were
+  partly addressed (a "How claude-kit compares" positioning block + the adoption row were added).
+
 ## [0.11.3] — 2026-06-15
 
 A field review of a **reference table of ecosystem repos** — official + community **MCP-server

{claude_code_kit-0.11.3 → claude_code_kit-0.13.0}/CLAUDE.md

@@ -29,8 +29,9 @@ distributed two ways from one source of truth:
 | `templates/org/` | **Org overlay** content (scope-gated, organization only): `skills/`, `agents/` (personas), `rules/` (policy/vibe), `packs/<pack>/{pack.yaml,README.md}`, `README.md`. Wired via `catalog/org.yaml`. The only place org-specific content lives. |
 | `scripts/init.sh` | Thin no-pip fallback scaffolder (copies the full payload; no catalog resolution) |
 | `src/claude_kit/` | The pip CLI (Typer): `cli.py`, `catalog.py` (resolver), `prompts.py`, `models.py`, `scaffold.py` (installer), `render.py` (Jinja2), `hooks.py`, `validator.py`, `upgrader.py` |
-| `tests/` | pytest suite (catalog, render, scaffold, validator, upgrader, CLI) |
-| `docs/architecture.md` · `docs/agents.md` | Architecture diagrams · agent guide |
+| `tests/` | pytest suite (catalog, render, scaffold, validator, upgrader, CLI; incl. the profile×stack×scope self-test matrix) |
+| `examples/` | Synthetic end-to-end `/sdlc` worked example (repo reference; **not** bundled into the wheel) |
+| `docs/architecture.md` · `docs/agents.md` · `docs/coverage-audit.md` · `docs/eval-harness.md` | Architecture diagrams · agent guide · the GATED-vs-RULE-vs-SKILL enforcement audit · the with/without eval template |
 | `pyproject.toml` | Packaging (deps: typer/jinja2/pyyaml); `[tool.hatch...force-include]` bundles the payload into the wheel |
 
 **One source of truth:** `agents/ skills/ commands/ hooks/ rules/ templates/ catalog/` at the repo

{claude_code_kit-0.11.3 → claude_code_kit-0.13.0}/CONTRIBUTING.md

@@ -83,9 +83,14 @@ a specific stack — `pytest` enforces the no-Docker invariant on a scaffolded p
 
 1. Bump the version in **all four** places: `pyproject.toml`, `.claude-plugin/plugin.json`, the
    `.claude-plugin/marketplace.json` entry, and `src/claude_kit/__init__.py`.
-2. Add a `CHANGELOG.md` entry.
+2. Add a `CHANGELOG.md` entry, including a **"Not adopted (deliberately)"** block stating what you
+   chose *not* to add and why — this is a marketed feature of the changelog (the README links to it),
+   so keep it. If those blocks ever grow unwieldy they may later split into `docs/decision-log.md`,
+   but **only if** the README's CHANGELOG cross-reference is updated in the same change; until then
+   they stay in `CHANGELOG.md` by design.
 3. `pytest` green, then `python3 -m build && python3 -m twine check dist/*`.
-4. `python3 -m twine upload dist/*` (PyPI).
+4. CI auto-publishes to PyPI on merge to `main` when the version is new (`.github/workflows/publish.yml`,
+   OIDC trusted publishing). Manual `python3 -m twine upload dist/*` is the fallback.
 5. Tag the release and push so plugin users get the update.
 
 ## License

{claude_code_kit-0.11.3 → claude_code_kit-0.13.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: claude-code-kit
-Version: 0.11.3
+Version: 0.13.0
 Summary: Cookiecutter-style scaffolder for an autonomous Claude Code SDLC configuration (no app code, no Docker). Asks ordered questions and installs CLAUDE.md + .claude/ (rules, the chosen profile's agents/skills, hooks, artifact templates) + optional .mcp.json; run /sdlc to drive spec → review → build → test → security → ship through profile-aware quality gates, working memory, and a self-improving learnings loop.
 Project-URL: Homepage, https://github.com/ajyadav013/claude-kit
 Project-URL: Repository, https://github.com/ajyadav013/claude-kit
@@ -39,9 +39,9 @@ with a quality gate between every phase. **No application code. No Docker. Confi
 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](LICENSE)
 [![Built for Claude Code](https://img.shields.io/badge/built%20for-Claude%20Code-d97757.svg)](https://www.claude.com/product/claude-code)
 [![CI](https://github.com/ajyadav013/claude-kit/actions/workflows/ci.yml/badge.svg)](https://github.com/ajyadav013/claude-kit/actions/workflows/ci.yml)
-[![Changelog](https://img.shields.io/badge/changelog-v0.10.0-blue.svg)](CHANGELOG.md)
+[![Changelog](https://img.shields.io/badge/changelog-md-blue.svg)](CHANGELOG.md)
 
-🚀 [Quick start](#quick-start) · 🧭 [How it works](#how-it-works) · 🔁 [The pipeline](#the-pipeline) · 🌱 [What we adopted](#influences--what-we-adopted) · 🤖 [Agents](#the-agents) · 🧩 [Catalog](#catalog--extensibility) · 🛠️ [CLI](#cli-reference) · 📖 [Agent guide](docs/agents.md)
+🚀 [Quick start](#quick-start) · 🧭 [How it works](#how-it-works) · 🔁 [The pipeline](#the-pipeline) · 🧪 [Example](examples/) · 🌱 [What we adopted](#influences--what-we-adopted) · 🤖 [Agents](#the-agents) · 🧩 [Catalog](#catalog--extensibility) · 🛠️ [CLI](#cli-reference) · 📖 [Agent guide](docs/agents.md)
 
 </div>
 
@@ -59,7 +59,7 @@ refuses to advance a phase until its **quality gate** passes. You drive it all w
 **At a glance:**
 
 - 🧱 **Stack-agnostic** — the pipeline assumes no language or framework. Pick a stack at `init` and it
-  installs matching overlay rules (React · FastAPI · PostgreSQL · MongoDB) and your exact
+  installs matching overlay rules (React · FastAPI · Go/net-http · PostgreSQL · MongoDB) and your exact
   lint/test/build commands. It never writes your app code and never needs Docker.
 - 🎚️ **Dial the rigor with profiles** — `lean ⊊ standard ⊊ enterprise` decide how many agents, skills,
   hooks, and gates are active, from "fast track" to "full audit".
@@ -109,9 +109,9 @@ Then, inside any project you want the pipeline to manage:
 A CLI (`claude-kit`, aliases `ckit` / `claude-sdlc`) that scaffolds the same config into any repo:
 
 ```bash
-# Until the first PyPI release, install straight from the repo:
-pip install "git+https://github.com/ajyadav013/claude-kit.git"
-# Once published to PyPI this becomes:  pip install claude-code-kit
+pip install claude-code-kit
+# or, for the bleeding edge straight from the repo:
+#   pip install "git+https://github.com/ajyadav013/claude-kit.git"
 
 claude-kit init                 # interactive: prompts for stack, profile, MCP
 claude-kit init --defaults      # non-interactive: React + Python/FastAPI + Postgres + standard
@@ -122,6 +122,11 @@ claude-kit init --defaults      # non-interactive: React + Python/FastAPI + Post
 > **Prerequisites:** [Claude Code](https://www.claude.com/product/claude-code); Python ≥ 3.9 for the
 > CLI; `jq` to enable the shell hooks (they no-op without it); Node / `npx` only if you enable an MCP
 > (Model Context Protocol) server.
+>
+> **Windows:** the config (agents · skills · rules) and the `claude-kit` CLI work natively. The shell
+> hooks (`guard-*`, `warn-*`) need a POSIX shell + `jq`, so run inside **WSL or Git Bash** to enable
+> them — `claude-kit doctor` detects Windows and tells you which case you're in. Without a POSIX shell
+> the hooks silently no-op (the kit still functions; you just lose the deterministic guards).
 
 <details>
 <summary><b>What the init flow asks &amp; what lands on disk</b></summary>
@@ -218,10 +223,16 @@ flowchart TD
 | Profile | Gates that run |
 |---|---|
 | **lean** | code-review · build-green |
-| **standard** | spec-complete · em-approved · code-review · build-green · test-coverage · security-clear |
+| **standard** | spec-complete · em-approved · code-review · build-green · test-coverage · security-clear · contract-clear\* |
 | **enterprise** | standard + pipeline-green · observability-ready · acceptance |
 
-A **fast-track** mode collapses small changes (< 5 files) to Developer → Code Reviewer → Tester → PR.
+\* `contract-clear` (API breaking-change diff) self-skips when the stack exposes no API surface, so it
+is inert for non-API projects. Organization scope at `regulated` strictness adds `accessibility-clear`
+(WCAG-AA on changed UI). A **fast-track** mode collapses small changes (< 5 files) to Developer →
+Code Reviewer → Tester → PR.
+
+See [`examples/`](examples/) for a synthetic end-to-end walkthrough — request → spec → story breakdown
+→ gate verdicts (with one defect-loop cycle) → sample PR diff.
 
 ---
 
@@ -239,6 +250,8 @@ non-duplicative gaps**, minimally and catalog-wired.
 | **[ponytail](https://github.com/DietrichGebert/ponytail)** | YAGNI / anti-over-engineering as an explicit recurring pass; deferral-debt tracking; surfacing the active autonomy level | `over-engineering-review` & `simplification-debt` skills, the `load-autonomy` hook, median-of-N in `evals` | `0.8.0` |
 | **[GitHub spec-kit](https://github.com/github/spec-kit)** | Spec → tasks → **analyze** coverage gate; tasks → tracker issues; stable requirement IDs + assumptions in specs | Wired the (previously orphaned) `story-planner` as the **coverage gate (1f)**, a tracker-agnostic `task-tracker-sync` skill, and enriched the feature-spec template | `0.9.0` |
 | **[protectai/llm-guard](https://github.com/protectai/llm-guard)** | Input→model→output guardrails for LLM features — prompt injection, PII vault, treating model output as untrusted | **Opt-in** "LLM / AI Feature Security" guidance in `security-and-hardening` + the advisory `warn-llm-io` hook (warns, **never blocks**) | `0.10.0` |
+| **Improvement brief** (external self-review) | API backward-compat as a gate; load-against-SLO as a release criterion; supply-chain maintenance cadence; pipeline resumability, clean abort, and worktree lifecycle; pipeline cost/concurrency/cross-platform transparency | The enterprise **`contract-clear`** gate (owned by `merge-reviewer`) + `api-change-report` template; a load-vs-SLO criterion in Observability Ready; dependency **Cadence Mode**; `/sdlc` resume-vs-restart, `/claude-kit:abort`, worktree teardown; cost/concurrency/Windows notes — **9 surgical extensions, 0 new agents/skills/rules** | `0.12.0` |
+| **Improvement brief #2** (external self-review) | The covered-vs-**gated** distinction (a skill ≠ a gate); enforce API breaking-changes by default; expand/contract migration safety; back the stack-agnostic claim with a compiled backend; WCAG as a regulated gate; reconcile the PyPI story; ship a worked example + a self-test matrix | [`docs/coverage-audit.md`](docs/coverage-audit.md); **`contract-clear` promoted to `standard`**; a live **Go/net-http** backend; the **`accessibility-clear`** regulated gate; explicit migration-drop rules; a synthetic [`examples/`](examples/) run; an eval-harness template; a profile×stack×scope self-test matrix — **2 gates wired + 1 stack, 0 new agents/skills/rules** | `0.13.0` |
 
 > Each adoption is detailed in the [CHANGELOG](CHANGELOG.md) — including, for every review, what we
 > deliberately **did not** add because the kit already covered it.
@@ -273,6 +286,28 @@ mandatory security gate — that would have made it mandatory.
 
 </details>
 
+<details>
+<summary><b>How claude-kit compares (positioning)</b></summary>
+
+<br>
+
+claude-kit is a **config-only, stack-agnostic SDLC scaffolder** — it installs a governed pipeline
+(agents · skills · rules · gates · hooks) into your project's `.claude/` and then gets out of the way.
+It is **not** a runtime, an orchestration engine, or a code library. That framing is the difference:
+
+| Project | What it is | How claude-kit differs |
+|---|---|---|
+| **[wshobson/agents](https://github.com/wshobson/agents)** & similar agent collections | Large libraries of individual subagent prompts you pick from | claude-kit ships a **smaller, opinionated set wired into a sequenced pipeline with owned quality gates** — agents aren't a menu, they're stages that hand off and block on each other. Adopt-by-reuse, not by accumulation. |
+| **[GitHub spec-kit](https://github.com/github/spec-kit)** | A spec-driven workflow (constitution → spec → tasks → analyze) | claude-kit **absorbed spec-kit's coverage-gate idea** (the `story-planner` 1f gate + `task-tracker-sync`) into a **broader** lifecycle that also covers review, security, build, test, release, and observability gates. Complementary, wider scope. |
+| **claude-flow / multi-agent runtimes** | Runtime orchestrators that *execute* swarms of agents | claude-kit produces **portable configuration**, not a running process — the orchestration is described in rules the host (Claude Code) executes. No daemon, no lock-in, no app code. |
+| **dotfiles / `CLAUDE.md` starters** | A single rules file or settings snippet | claude-kit is a **catalog-driven generator**: it resolves your stack/profile/scope into the right subset of 23 rules, ~28 agents, ~50 skills, gates, and hooks, and keeps them **upgradeable** (`claude-kit upgrade` preserves your edits via owner + checksum). |
+
+**Choose claude-kit when** you want a consistent, reviewable, **gate-enforced** autonomous-SDLC setup
+that's the same across every repo and stack, installs in seconds, ships nothing you have to run, and
+**evolves reuse-first** rather than by piling on near-duplicate agents.
+
+</details>
+
 ---
 
 ## The agents
@@ -358,8 +393,8 @@ change.
 <br>
 
 - **`catalog/stacks.yaml`** — frontend frameworks, backend languages → frameworks, and databases.
-  Live today: React · Python/FastAPI · PostgreSQL/MongoDB. Vue/Svelte/Django/Express are listed as
-  `planned` (offered by `list-options`, not yet selectable).
+  Live today: React · Python/FastAPI · **Go/net-http** · PostgreSQL/MongoDB. Vue/Svelte/Django/Express
+  are listed as `planned` (offered by `list-options`, not yet selectable).
 - **`catalog/profiles.yaml`** — what each profile activates (`inherit:` composes; `all` = everything).
 - **`catalog/mcp.yaml`** — ready `.mcp.json` fragments per server, with `${ENV}` placeholders.
 - **`catalog/org.yaml`** — the **organization layer**: scopes, teams, the autonomy model, review
@@ -424,8 +459,9 @@ hints.
 |---|---|---|
 | `/sdlc`, agents, or skills "not found" right after `init` | Claude Code hasn't loaded the new project config yet | **Restart Claude Code** — or use `/claude-kit:sdlc <task>` (works without a restart) |
 | Guard / quality hooks seem to do nothing | `jq` isn't installed (the hooks parse tool input with it) | Install `jq`; without it the hooks degrade to no-ops by design |
+| Hooks do nothing on **Windows** | No POSIX shell — `.sh` hooks can't run under `cmd`/PowerShell | Run claude-kit inside **WSL or Git Bash** (with `jq`); `claude-kit doctor` confirms. Config + CLI work natively regardless |
 | A selected MCP server won't start | `node` / `npx` missing (most MCP servers launch via `npx`) | Install Node.js, or remove the server from `.mcp.json` |
-| `pip install claude-code-kit` fails | Not yet published to PyPI | Use `pip install "git+https://github.com/ajyadav013/claude-kit.git"` |
+| `pip install claude-code-kit` fails | Outdated `pip`, or you want an unreleased change | Upgrade pip (`pip install -U pip`); for unreleased changes use `pip install "git+https://github.com/ajyadav013/claude-kit.git"` |
 | `validate` reports missing files | Partial or outdated install | Re-run `claude-kit init` (choose **merge**), or `claude-kit upgrade` |
 
 </details>

{claude_code_kit-0.11.3 → claude_code_kit-0.13.0}/README.md

@@ -12,9 +12,9 @@ with a quality gate between every phase. **No application code. No Docker. Confi
 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](LICENSE)
 [![Built for Claude Code](https://img.shields.io/badge/built%20for-Claude%20Code-d97757.svg)](https://www.claude.com/product/claude-code)
 [![CI](https://github.com/ajyadav013/claude-kit/actions/workflows/ci.yml/badge.svg)](https://github.com/ajyadav013/claude-kit/actions/workflows/ci.yml)
-[![Changelog](https://img.shields.io/badge/changelog-v0.10.0-blue.svg)](CHANGELOG.md)
+[![Changelog](https://img.shields.io/badge/changelog-md-blue.svg)](CHANGELOG.md)
 
-🚀 [Quick start](#quick-start) · 🧭 [How it works](#how-it-works) · 🔁 [The pipeline](#the-pipeline) · 🌱 [What we adopted](#influences--what-we-adopted) · 🤖 [Agents](#the-agents) · 🧩 [Catalog](#catalog--extensibility) · 🛠️ [CLI](#cli-reference) · 📖 [Agent guide](docs/agents.md)
+🚀 [Quick start](#quick-start) · 🧭 [How it works](#how-it-works) · 🔁 [The pipeline](#the-pipeline) · 🧪 [Example](examples/) · 🌱 [What we adopted](#influences--what-we-adopted) · 🤖 [Agents](#the-agents) · 🧩 [Catalog](#catalog--extensibility) · 🛠️ [CLI](#cli-reference) · 📖 [Agent guide](docs/agents.md)
 
 </div>
 
@@ -32,7 +32,7 @@ refuses to advance a phase until its **quality gate** passes. You drive it all w
 **At a glance:**
 
 - 🧱 **Stack-agnostic** — the pipeline assumes no language or framework. Pick a stack at `init` and it
-  installs matching overlay rules (React · FastAPI · PostgreSQL · MongoDB) and your exact
+  installs matching overlay rules (React · FastAPI · Go/net-http · PostgreSQL · MongoDB) and your exact
   lint/test/build commands. It never writes your app code and never needs Docker.
 - 🎚️ **Dial the rigor with profiles** — `lean ⊊ standard ⊊ enterprise` decide how many agents, skills,
   hooks, and gates are active, from "fast track" to "full audit".
@@ -82,9 +82,9 @@ Then, inside any project you want the pipeline to manage:
 A CLI (`claude-kit`, aliases `ckit` / `claude-sdlc`) that scaffolds the same config into any repo:
 
 ```bash
-# Until the first PyPI release, install straight from the repo:
-pip install "git+https://github.com/ajyadav013/claude-kit.git"
-# Once published to PyPI this becomes:  pip install claude-code-kit
+pip install claude-code-kit
+# or, for the bleeding edge straight from the repo:
+#   pip install "git+https://github.com/ajyadav013/claude-kit.git"
 
 claude-kit init                 # interactive: prompts for stack, profile, MCP
 claude-kit init --defaults      # non-interactive: React + Python/FastAPI + Postgres + standard
@@ -95,6 +95,11 @@ claude-kit init --defaults      # non-interactive: React + Python/FastAPI + Post
 > **Prerequisites:** [Claude Code](https://www.claude.com/product/claude-code); Python ≥ 3.9 for the
 > CLI; `jq` to enable the shell hooks (they no-op without it); Node / `npx` only if you enable an MCP
 > (Model Context Protocol) server.
+>
+> **Windows:** the config (agents · skills · rules) and the `claude-kit` CLI work natively. The shell
+> hooks (`guard-*`, `warn-*`) need a POSIX shell + `jq`, so run inside **WSL or Git Bash** to enable
+> them — `claude-kit doctor` detects Windows and tells you which case you're in. Without a POSIX shell
+> the hooks silently no-op (the kit still functions; you just lose the deterministic guards).
 
 <details>
 <summary><b>What the init flow asks &amp; what lands on disk</b></summary>
@@ -191,10 +196,16 @@ flowchart TD
 | Profile | Gates that run |
 |---|---|
 | **lean** | code-review · build-green |
-| **standard** | spec-complete · em-approved · code-review · build-green · test-coverage · security-clear |
+| **standard** | spec-complete · em-approved · code-review · build-green · test-coverage · security-clear · contract-clear\* |
 | **enterprise** | standard + pipeline-green · observability-ready · acceptance |
 
-A **fast-track** mode collapses small changes (< 5 files) to Developer → Code Reviewer → Tester → PR.
+\* `contract-clear` (API breaking-change diff) self-skips when the stack exposes no API surface, so it
+is inert for non-API projects. Organization scope at `regulated` strictness adds `accessibility-clear`
+(WCAG-AA on changed UI). A **fast-track** mode collapses small changes (< 5 files) to Developer →
+Code Reviewer → Tester → PR.
+
+See [`examples/`](examples/) for a synthetic end-to-end walkthrough — request → spec → story breakdown
+→ gate verdicts (with one defect-loop cycle) → sample PR diff.
 
 ---
 
@@ -212,6 +223,8 @@ non-duplicative gaps**, minimally and catalog-wired.
 | **[ponytail](https://github.com/DietrichGebert/ponytail)** | YAGNI / anti-over-engineering as an explicit recurring pass; deferral-debt tracking; surfacing the active autonomy level | `over-engineering-review` & `simplification-debt` skills, the `load-autonomy` hook, median-of-N in `evals` | `0.8.0` |
 | **[GitHub spec-kit](https://github.com/github/spec-kit)** | Spec → tasks → **analyze** coverage gate; tasks → tracker issues; stable requirement IDs + assumptions in specs | Wired the (previously orphaned) `story-planner` as the **coverage gate (1f)**, a tracker-agnostic `task-tracker-sync` skill, and enriched the feature-spec template | `0.9.0` |
 | **[protectai/llm-guard](https://github.com/protectai/llm-guard)** | Input→model→output guardrails for LLM features — prompt injection, PII vault, treating model output as untrusted | **Opt-in** "LLM / AI Feature Security" guidance in `security-and-hardening` + the advisory `warn-llm-io` hook (warns, **never blocks**) | `0.10.0` |
+| **Improvement brief** (external self-review) | API backward-compat as a gate; load-against-SLO as a release criterion; supply-chain maintenance cadence; pipeline resumability, clean abort, and worktree lifecycle; pipeline cost/concurrency/cross-platform transparency | The enterprise **`contract-clear`** gate (owned by `merge-reviewer`) + `api-change-report` template; a load-vs-SLO criterion in Observability Ready; dependency **Cadence Mode**; `/sdlc` resume-vs-restart, `/claude-kit:abort`, worktree teardown; cost/concurrency/Windows notes — **9 surgical extensions, 0 new agents/skills/rules** | `0.12.0` |
+| **Improvement brief #2** (external self-review) | The covered-vs-**gated** distinction (a skill ≠ a gate); enforce API breaking-changes by default; expand/contract migration safety; back the stack-agnostic claim with a compiled backend; WCAG as a regulated gate; reconcile the PyPI story; ship a worked example + a self-test matrix | [`docs/coverage-audit.md`](docs/coverage-audit.md); **`contract-clear` promoted to `standard`**; a live **Go/net-http** backend; the **`accessibility-clear`** regulated gate; explicit migration-drop rules; a synthetic [`examples/`](examples/) run; an eval-harness template; a profile×stack×scope self-test matrix — **2 gates wired + 1 stack, 0 new agents/skills/rules** | `0.13.0` |
 
 > Each adoption is detailed in the [CHANGELOG](CHANGELOG.md) — including, for every review, what we
 > deliberately **did not** add because the kit already covered it.
@@ -246,6 +259,28 @@ mandatory security gate — that would have made it mandatory.
 
 </details>
 
+<details>
+<summary><b>How claude-kit compares (positioning)</b></summary>
+
+<br>
+
+claude-kit is a **config-only, stack-agnostic SDLC scaffolder** — it installs a governed pipeline
+(agents · skills · rules · gates · hooks) into your project's `.claude/` and then gets out of the way.
+It is **not** a runtime, an orchestration engine, or a code library. That framing is the difference:
+
+| Project | What it is | How claude-kit differs |
+|---|---|---|
+| **[wshobson/agents](https://github.com/wshobson/agents)** & similar agent collections | Large libraries of individual subagent prompts you pick from | claude-kit ships a **smaller, opinionated set wired into a sequenced pipeline with owned quality gates** — agents aren't a menu, they're stages that hand off and block on each other. Adopt-by-reuse, not by accumulation. |
+| **[GitHub spec-kit](https://github.com/github/spec-kit)** | A spec-driven workflow (constitution → spec → tasks → analyze) | claude-kit **absorbed spec-kit's coverage-gate idea** (the `story-planner` 1f gate + `task-tracker-sync`) into a **broader** lifecycle that also covers review, security, build, test, release, and observability gates. Complementary, wider scope. |
+| **claude-flow / multi-agent runtimes** | Runtime orchestrators that *execute* swarms of agents | claude-kit produces **portable configuration**, not a running process — the orchestration is described in rules the host (Claude Code) executes. No daemon, no lock-in, no app code. |
+| **dotfiles / `CLAUDE.md` starters** | A single rules file or settings snippet | claude-kit is a **catalog-driven generator**: it resolves your stack/profile/scope into the right subset of 23 rules, ~28 agents, ~50 skills, gates, and hooks, and keeps them **upgradeable** (`claude-kit upgrade` preserves your edits via owner + checksum). |
+
+**Choose claude-kit when** you want a consistent, reviewable, **gate-enforced** autonomous-SDLC setup
+that's the same across every repo and stack, installs in seconds, ships nothing you have to run, and
+**evolves reuse-first** rather than by piling on near-duplicate agents.
+
+</details>
+
 ---
 
 ## The agents
@@ -331,8 +366,8 @@ change.
 <br>
 
 - **`catalog/stacks.yaml`** — frontend frameworks, backend languages → frameworks, and databases.
-  Live today: React · Python/FastAPI · PostgreSQL/MongoDB. Vue/Svelte/Django/Express are listed as
-  `planned` (offered by `list-options`, not yet selectable).
+  Live today: React · Python/FastAPI · **Go/net-http** · PostgreSQL/MongoDB. Vue/Svelte/Django/Express
+  are listed as `planned` (offered by `list-options`, not yet selectable).
 - **`catalog/profiles.yaml`** — what each profile activates (`inherit:` composes; `all` = everything).
 - **`catalog/mcp.yaml`** — ready `.mcp.json` fragments per server, with `${ENV}` placeholders.
 - **`catalog/org.yaml`** — the **organization layer**: scopes, teams, the autonomy model, review
@@ -397,8 +432,9 @@ hints.
 |---|---|---|
 | `/sdlc`, agents, or skills "not found" right after `init` | Claude Code hasn't loaded the new project config yet | **Restart Claude Code** — or use `/claude-kit:sdlc <task>` (works without a restart) |
 | Guard / quality hooks seem to do nothing | `jq` isn't installed (the hooks parse tool input with it) | Install `jq`; without it the hooks degrade to no-ops by design |
+| Hooks do nothing on **Windows** | No POSIX shell — `.sh` hooks can't run under `cmd`/PowerShell | Run claude-kit inside **WSL or Git Bash** (with `jq`); `claude-kit doctor` confirms. Config + CLI work natively regardless |
 | A selected MCP server won't start | `node` / `npx` missing (most MCP servers launch via `npx`) | Install Node.js, or remove the server from `.mcp.json` |
-| `pip install claude-code-kit` fails | Not yet published to PyPI | Use `pip install "git+https://github.com/ajyadav013/claude-kit.git"` |
+| `pip install claude-code-kit` fails | Outdated `pip`, or you want an unreleased change | Upgrade pip (`pip install -U pip`); for unreleased changes use `pip install "git+https://github.com/ajyadav013/claude-kit.git"` |
 | `validate` reports missing files | Partial or outdated install | Re-run `claude-kit init` (choose **merge**), or `claude-kit upgrade` |
 
 </details>

{claude_code_kit-0.11.3 → claude_code_kit-0.13.0}/agents/acceptance-reviewer.md

@@ -53,6 +53,25 @@ Run the **RARV** cycle (`.claude/rules/rarv-cycle.md`) with a green Verify (you
 checks) before issuing the verdict, and update `.claude/CONTINUITY.md`. This gate is **Acceptance**
 in the enterprise profile and runs before the PR is handed to a human.
 
+## Join Point: Accessibility (accessibility-clear gate)
+
+> Active **only** under organization scope at **`regulated`** review strictness (where WCAG is
+> commonly a legal requirement). You own the **accessibility-clear** gate. **Degrade to a no-op**
+> (PASS, note "no UI surface") when the change touches no frontend/UI files — detect with `Bash`
+> (`git diff --name-only <base>` against the frontend stack dir / component globs); never block a
+> back-end-only or API-only change.
+
+When a UI surface is present:
+
+1. **Drive `.claude/skills/accessibility-review`** over the changed views/components (and the standards
+   in `.claude/rules/responsive-and-accessibility.md`) — keyboard operability, focus management,
+   semantics/ARIA, color contrast (WCAG AA), motion, and screen-reader labels.
+2. **Classify each finding** by `.claude/rules/quality-gates.md` §1. A WCAG-AA failure on a
+   legally-required surface is at least **High** (per `accessibility-review`'s risk note); a missing
+   label, focus trap, or sub-threshold contrast is **High/Medium**; cosmetic spacing is **Low**.
+3. **Verdict** — *accessibility-clear* PASSes only at zero Critical/High/Medium, consistent with every
+   other gate. Record findings in the acceptance report.
+
 ## Escalation
 
 Escalate to the human when acceptance criteria themselves are ambiguous or untestable, when the spec

{claude_code_kit-0.11.3 → claude_code_kit-0.13.0}/agents/dependency-scanner.md

@@ -82,3 +82,21 @@ Backend deps: {N} · Frontend deps: {N} · Vulns: Critical {N} / High {N} / Medi
 ## HANDOFF
 
 Return counts by severity + the finding table to `security-reviewer`. If a CVE has no patch, recommend a workaround or replacement and mark it for an allowlist-with-review-date decision (route to the human via the Orchestrator). Log durable findings to `.claude/CONTINUITY.md`.
+
+## CADENCE MODE (whole-project maintenance pass)
+
+The same audit can be dispatched **standalone** — outside any one feature — as a recurring
+maintenance pass over the *whole* project (the ongoing CVE-remediation loop):
+
+- Run the **same METHOD** across every manifest in the repo, not just one feature's dependencies.
+- **Batch** the findings into grouped upgrade proposals — group by ecosystem and by major-vs-minor,
+  and keep **security** patches separate from routine bumps — ordered by the
+  `.claude/rules/quality-gates.md` severity model.
+- **Triage stays in** `.claude/skills/security-and-hardening` §"Triaging Dependency Audit Results"
+  (reachability → fix-timing); cite it, do not restate it. Reuse the same recommend→apply split: you
+  **recommend**; the **developer lane applies** (manifest edits need user approval).
+- Posture is **advisory** — you propose; the human/Orchestrator decides what to schedule and apply.
+  Every applied upgrade re-runs the existing **security-clear + build-green + test-coverage** gates
+  (no new gate logic, no new skill).
+- **Scheduling** (cron/CI) is the consuming project's CI concern, not the kit's — claude-kit hooks are
+  event-driven (no time trigger). Wire a periodic job in the project's CI to invoke this pass.

{claude_code_kit-0.11.3 → claude_code_kit-0.13.0}/agents/merge-reviewer.md

@@ -168,6 +168,32 @@ Frontend code reviewed: ✓ | Build/tests: ✓
 
 ---
 
+## Join Point: API Backward-Compatibility (contract-clear gate)
+
+> **Extends** `.claude/rules/mandatory-workflow.md` §2d (Breaking Changes + Impact Check). §2d is the
+> Developer's manual consumer/signature check for *internal* exports; this is its **mechanical
+> counterpart for the externally-exposed contract** — a base-branch surface diff. It runs **only**
+> when the selected stack exposes an API surface (a committed OpenAPI/GraphQL schema, or typed routes
+> a generator can emit). **Degrade to a no-op** (PASS, note "no API contract surface") when no schema
+> source is found — mirror the hooks' detect-then-skip pattern; never block a project that has no
+> contract.
+
+Owns the **contract-clear** gate (runs in **standard and enterprise** — any profile that includes the
+`merge-reviewer` — whenever the selected stack exposes an API surface). With `Bash`:
+
+1. **Locate or generate the contract** — a committed `openapi.(json|yaml)` / GraphQL SDL, or generate it from the framework's typed routes.
+2. **Diff against the base branch** — `git show <base>:<contract-path>` vs the working copy.
+3. **Classify each delta** by `.claude/rules/quality-gates.md` §1:
+   - **Critical/High** — a removed or renamed endpoint/field, a narrowed type, a new **required** request field, or a removed status code clients branch on (backward-incompatible for already-shipped consumers).
+   - **Medium** — an undocumented additive change, or a deprecation with no migration note.
+   - **Low/Cosmetic** — an additive **optional** field, or a doc-only change.
+4. **Require a migration path** — any Critical/High breaking delta needs an approved migration note (cross-ref `.claude/skills/deprecation-and-migration`) **and** a version bump before PASS.
+5. **Emit** `docs/api/{feature-name}_api-change-report.md` from the `api-change-report.md` artifact template.
+
+**Rule:** *contract-clear* PASSes only at zero Critical/High/Medium per the severity model; a breaking change shipped without an approved migration note + version bump is **auto-High**.
+
+---
+
 ## Defect Loop Integration
 
 When the Tester or Senior Tester finds defects after your verification:

{claude_code_kit-0.11.3 → claude_code_kit-0.13.0}/agents/observability-engineer.md

@@ -45,6 +45,7 @@ You are the **Observability Engineer** agent. You make a feature **operable in p
 ### 1. SLOs / SLIs
 - For each critical journey the feature adds, define a measurable objective: latency (p95/p99), availability/success-rate, or error budget.
 - Record them where the project keeps them (e.g., `docs/observability/{feature}-slo.md`); reference the spec's NFR targets.
+- When the feature adds a **hot / concurrency-sensitive backend path**, don't stop at *defining* the SLO — drive `.claude/skills/load-testing` against it, attach the run to the SLO doc (record under `docs/performance/`), and confirm it **meets** the budget. A budget breach (p95/p99 latency, error rate, or throughput) is **High** per `.claude/rules/quality-gates.md`. Skip (note why in `CONTINUITY.md`) for changes with no concurrency-sensitive surface.
 
 ### 2. Health & Readiness
 - Liveness endpoint stays trivial and dependency-free (always 200 if the process is up).

{claude_code_kit-0.11.3 → claude_code_kit-0.13.0}/agents/orchestrator.md

@@ -392,7 +392,8 @@ For backend-only or frontend-only tasks, spawn a single tester in `full` mode
 
 ### Stage 7: Pipeline Complete
 - Report PR URL to the human.
-- Summarize: specs, dev docs, design, reviews (senior dev + tech architect + EM per lane), code reviewed, merge verified, testing validated + verified, Devil's Advocate (if unanimous), DevOps + Observability (where applicable), PR raised.
+- Summarize: specs, dev docs, design, reviews (senior dev + tech architect + EM per lane), code reviewed, merge verified, testing validated + verified, Devil's Advocate (if unanimous), DevOps + Observability (where applicable), PR raised. State the summary as **per-gate PASS/FAIL**, open findings by **Critical/High/Medium**, and **PR-or-ABORTED** status (`.claude/rules/quality-gates.md` severity model).
+- **Tear down this run's worktrees.** Once the PR is raised (or the run is abandoned), remove the per-lane worktrees this run created via the Agent tool's `isolation: "worktree"` — they auto-clean when unchanged; for merged lanes confirm removal with `git worktree remove`. **Only** remove worktrees this run created — never the user's other worktrees or the primary checkout. If a run must be cancelled mid-pipeline before this stage, use `/claude-kit:abort`.
 
 ---
 

{claude_code_kit-0.11.3 → claude_code_kit-0.13.0}/catalog/org.yaml

@@ -77,7 +77,10 @@ strictness:
     regulated:
       label: "Regulated — compliance-grade gates"
       hooks: [validate-frontmatter, validate-settings]
-      extra_gates: [security-clear, acceptance]
+      # accessibility-clear (brief #2 P1-2): a WCAG gate owned by acceptance-reviewer, driving the
+      # accessibility-review skill. Regulated-strictness only (WCAG is often a legal requirement there);
+      # self-skips when the change touches no UI surface, so API/back-end-only work is unaffected.
+      extra_gates: [security-clear, acceptance, accessibility-clear]
 
 # --- core agents the org layer activates regardless of profile ---------------------------------------
 # These live in the core agents/ dir (installed via the normal agent path); listing them here unions