claude-code-kit 0.9.0__tar.gz → 0.11.0__tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (224) hide show
  1. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/.claude-plugin/marketplace.json +1 -1
  2. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/.claude-plugin/plugin.json +1 -1
  3. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/CHANGELOG.md +78 -0
  4. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/PKG-INFO +186 -99
  5. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/README.md +185 -98
  6. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/agents/owasp-reviewer.md +1 -1
  7. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/catalog/mcp.yaml +11 -0
  8. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/catalog/profiles.yaml +1 -1
  9. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/hooks/hooks.json +1 -0
  10. claude_code_kit-0.11.0/hooks/scripts/warn-llm-io.sh +26 -0
  11. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/pyproject.toml +1 -1
  12. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/skills/code-review-and-quality/SKILL.md +16 -0
  13. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/skills/security-and-hardening/SKILL.md +84 -0
  14. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/skills/threat-model/SKILL.md +8 -0
  15. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/src/claude_kit/__init__.py +1 -1
  16. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/src/claude_kit/hooks.py +6 -0
  17. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/.gitignore +0 -0
  18. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/CLAUDE.md +0 -0
  19. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/CONTRIBUTING.md +0 -0
  20. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/LICENSE +0 -0
  21. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/agents/acceptance-reviewer.md +0 -0
  22. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/agents/auditor.md +0 -0
  23. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/agents/dependency-scanner.md +0 -0
  24. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/agents/developer.md +0 -0
  25. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/agents/devils-advocate.md +0 -0
  26. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/agents/devops-engineer.md +0 -0
  27. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/agents/e2e-tester.md +0 -0
  28. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/agents/em-reviewer.md +0 -0
  29. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/agents/incident-responder.md +0 -0
  30. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/agents/merge-reviewer.md +0 -0
  31. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/agents/observability-engineer.md +0 -0
  32. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/agents/orchestrator.md +0 -0
  33. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/agents/policy-validator.md +0 -0
  34. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/agents/pr-raiser.md +0 -0
  35. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/agents/risk-classifier.md +0 -0
  36. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/agents/sdlc-code-reviewer.md +0 -0
  37. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/agents/secret-scanner.md +0 -0
  38. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/agents/security-reviewer.md +0 -0
  39. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/agents/senior-backend-dev.md +0 -0
  40. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/agents/senior-frontend-dev.md +0 -0
  41. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/agents/senior-tester.md +0 -0
  42. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/agents/spec-doc-writer.md +0 -0
  43. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/agents/story-planner.md +0 -0
  44. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/agents/technical-architect.md +0 -0
  45. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/agents/tester.md +0 -0
  46. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/agents/ui-designer.md +0 -0
  47. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/agents/unit-tester.md +0 -0
  48. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/catalog/org.yaml +0 -0
  49. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/catalog/stacks.yaml +0 -0
  50. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/commands/init.md +0 -0
  51. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/commands/sdlc.md +0 -0
  52. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/commands/status.md +0 -0
  53. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/docs/agentic-patterns.md +0 -0
  54. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/docs/agents.md +0 -0
  55. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/docs/architecture.md +0 -0
  56. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/docs/org-capabilities.md +0 -0
  57. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/hooks/scripts/audit-log.sh +0 -0
  58. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/hooks/scripts/guard-secrets.sh +0 -0
  59. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/hooks/scripts/lint-fix.sh +0 -0
  60. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/hooks/scripts/load-autonomy.sh +0 -0
  61. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/hooks/scripts/load-continuity.sh +0 -0
  62. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/hooks/scripts/load-learnings.sh +0 -0
  63. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/hooks/scripts/type-check.sh +0 -0
  64. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/hooks/scripts/validate-frontmatter.sh +0 -0
  65. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/hooks/scripts/validate-settings.sh +0 -0
  66. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/hooks/scripts/warn-large-edits.sh +0 -0
  67. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/hooks/scripts/warn-missing-tests.sh +0 -0
  68. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/hooks/scripts/warn-sensitive-files.sh +0 -0
  69. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/hooks/scripts/warn-shared-modules.sh +0 -0
  70. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/rules/agent-guardrails.md +0 -0
  71. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/rules/agent-memory.md +0 -0
  72. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/rules/agent-resilience.md +0 -0
  73. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/rules/autonomy-levels.md +0 -0
  74. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/rules/code-organization.md +0 -0
  75. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/rules/continuity.md +0 -0
  76. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/rules/design-patterns.md +0 -0
  77. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/rules/devops-observability.md +0 -0
  78. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/rules/documentation.md +0 -0
  79. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/rules/evals.md +0 -0
  80. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/rules/frontend-best-practices.md +0 -0
  81. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/rules/goal-setting-and-monitoring.md +0 -0
  82. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/rules/human-in-the-loop.md +0 -0
  83. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/rules/linting-and-formatting.md +0 -0
  84. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/rules/mandatory-workflow.md +0 -0
  85. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/rules/model-tiers.md +0 -0
  86. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/rules/quality-gates.md +0 -0
  87. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/rules/rarv-cycle.md +0 -0
  88. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/rules/reasoning-techniques.md +0 -0
  89. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/rules/responsive-and-accessibility.md +0 -0
  90. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/rules/risk-classification.md +0 -0
  91. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/rules/testing.md +0 -0
  92. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/rules/tool-design.md +0 -0
  93. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/scripts/init.sh +0 -0
  94. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/skills/_references/accessibility-checklist.md +0 -0
  95. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/skills/_references/orchestration-patterns.md +0 -0
  96. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/skills/_references/performance-checklist.md +0 -0
  97. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/skills/_references/security-checklist.md +0 -0
  98. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/skills/_references/testing-patterns.md +0 -0
  99. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/skills/accessibility-review/SKILL.md +0 -0
  100. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/skills/api-and-interface-design/SKILL.md +0 -0
  101. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/skills/api-integration/SKILL.md +0 -0
  102. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/skills/archive-sprint/SKILL.md +0 -0
  103. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/skills/backlog/SKILL.md +0 -0
  104. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/skills/backlog/item-template.md +0 -0
  105. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/skills/browser-testing-with-devtools/SKILL.md +0 -0
  106. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/skills/ci-cd-and-automation/SKILL.md +0 -0
  107. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/skills/code-simplification/SKILL.md +0 -0
  108. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/skills/component-design/SKILL.md +0 -0
  109. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/skills/consolidate-learnings/SKILL.md +0 -0
  110. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/skills/context-engineering/SKILL.md +0 -0
  111. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/skills/debugging-and-error-recovery/SKILL.md +0 -0
  112. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/skills/decision/SKILL.md +0 -0
  113. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/skills/decision/adr-template.md +0 -0
  114. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/skills/deprecation-and-migration/SKILL.md +0 -0
  115. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/skills/documentation-and-adrs/SKILL.md +0 -0
  116. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/skills/doubt-driven-development/SKILL.md +0 -0
  117. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/skills/execute/SKILL.md +0 -0
  118. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/skills/frontend-ui-engineering/SKILL.md +0 -0
  119. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/skills/git-workflow-and-versioning/SKILL.md +0 -0
  120. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/skills/idea-refine/SKILL.md +0 -0
  121. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/skills/idea-refine/examples.md +0 -0
  122. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/skills/idea-refine/frameworks.md +0 -0
  123. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/skills/idea-refine/refinement-criteria.md +0 -0
  124. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/skills/idea-refine/scripts/idea-refine.sh +0 -0
  125. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/skills/incident-postmortem/SKILL.md +0 -0
  126. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/skills/incremental-implementation/SKILL.md +0 -0
  127. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/skills/interview-me/SKILL.md +0 -0
  128. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/skills/load-testing/SKILL.md +0 -0
  129. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/skills/manual-test/SKILL.md +0 -0
  130. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/skills/over-engineering-review/SKILL.md +0 -0
  131. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/skills/performance-optimization/SKILL.md +0 -0
  132. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/skills/planning-and-task-breakdown/SKILL.md +0 -0
  133. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/skills/playwright-verification/SKILL.md +0 -0
  134. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/skills/refresh-docs/SKILL.md +0 -0
  135. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/skills/remember/SKILL.md +0 -0
  136. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/skills/scope/SKILL.md +0 -0
  137. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/skills/scope/scope-template.md +0 -0
  138. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/skills/sdlc/SKILL.md +0 -0
  139. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/skills/security-verification/SKILL.md +0 -0
  140. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/skills/shipping-and-launch/SKILL.md +0 -0
  141. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/skills/simplification-debt/SKILL.md +0 -0
  142. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/skills/smoke-test/SKILL.md +0 -0
  143. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/skills/source-driven-development/SKILL.md +0 -0
  144. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/skills/spec-driven-development/SKILL.md +0 -0
  145. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/skills/sprint/SKILL.md +0 -0
  146. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/skills/sprint/sprint-template.md +0 -0
  147. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/skills/task-tracker-sync/SKILL.md +0 -0
  148. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/skills/test-driven-development/SKILL.md +0 -0
  149. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/skills/triage/SKILL.md +0 -0
  150. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/skills/ui-ux-design/SKILL.md +0 -0
  151. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/skills/unit-test/SKILL.md +0 -0
  152. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/skills/using-agent-skills/SKILL.md +0 -0
  153. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/src/claude_kit/__main__.py +0 -0
  154. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/src/claude_kit/catalog.py +0 -0
  155. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/src/claude_kit/cli.py +0 -0
  156. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/src/claude_kit/models.py +0 -0
  157. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/src/claude_kit/prompts.py +0 -0
  158. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/src/claude_kit/render.py +0 -0
  159. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/src/claude_kit/scaffold.py +0 -0
  160. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/src/claude_kit/upgrader.py +0 -0
  161. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/src/claude_kit/validator.py +0 -0
  162. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/templates/CLAUDE.md +0 -0
  163. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/templates/CLAUDE.stack.md.tmpl +0 -0
  164. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/templates/CONTINUITY.template.md +0 -0
  165. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/templates/README.claude-sdlc.md.tmpl +0 -0
  166. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/templates/agent-memory/MEMORY.md +0 -0
  167. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/templates/agent-memory/api/.gitkeep +0 -0
  168. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/templates/agent-memory/architecture/.gitkeep +0 -0
  169. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/templates/agent-memory/debugging/.gitkeep +0 -0
  170. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/templates/agent-memory/gotchas/.gitkeep +0 -0
  171. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/templates/agent-memory/patterns/.gitkeep +0 -0
  172. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/templates/agent-memory/performance/.gitkeep +0 -0
  173. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/templates/artifacts/adr.md +0 -0
  174. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/templates/artifacts/feature-spec.md +0 -0
  175. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/templates/artifacts/release-plan.md +0 -0
  176. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/templates/artifacts/runbook.md +0 -0
  177. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/templates/artifacts/security-review.md +0 -0
  178. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/templates/artifacts/test-plan.md +0 -0
  179. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/templates/org/README.md +0 -0
  180. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/templates/org/agents/data-workflow-agent.md +0 -0
  181. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/templates/org/agents/founder-prototype-agent.md +0 -0
  182. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/templates/org/agents/internal-tools-builder.md +0 -0
  183. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/templates/org/agents/pm-copilot.md +0 -0
  184. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/templates/org/agents/support-ticket-engineer.md +0 -0
  185. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/templates/org/packs/devops-and-release/README.md +0 -0
  186. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/templates/org/packs/devops-and-release/pack.yaml +0 -0
  187. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/templates/org/packs/engineering-core/README.md +0 -0
  188. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/templates/org/packs/engineering-core/pack.yaml +0 -0
  189. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/templates/org/packs/non-engineer-builder/README.md +0 -0
  190. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/templates/org/packs/non-engineer-builder/pack.yaml +0 -0
  191. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/templates/org/packs/onboarding-and-docs/README.md +0 -0
  192. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/templates/org/packs/onboarding-and-docs/pack.yaml +0 -0
  193. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/templates/org/packs/product-to-code/README.md +0 -0
  194. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/templates/org/packs/product-to-code/pack.yaml +0 -0
  195. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/templates/org/packs/quality-and-review/README.md +0 -0
  196. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/templates/org/packs/quality-and-review/pack.yaml +0 -0
  197. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/templates/org/packs/security-and-compliance/README.md +0 -0
  198. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/templates/org/packs/security-and-compliance/pack.yaml +0 -0
  199. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/templates/org/rules/ai-working-agreement.md +0 -0
  200. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/templates/org/rules/ambiguity-resolution.md +0 -0
  201. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/templates/org/rules/branch-and-pr-policy.md +0 -0
  202. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/templates/org/rules/compliance-policy.md +0 -0
  203. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/templates/org/rules/non-engineer-safe-coding.md +0 -0
  204. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/templates/org/rules/pii-policy.md +0 -0
  205. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/templates/org/rules/production-data-policy.md +0 -0
  206. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/templates/org/rules/prompt-to-task-conversion.md +0 -0
  207. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/templates/org/rules/prototype-boundaries.md +0 -0
  208. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/templates/org/rules/secrets-policy.md +0 -0
  209. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/templates/org/skills/customer-issue-to-fix/SKILL.md +0 -0
  210. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/templates/org/skills/feature-from-idea/SKILL.md +0 -0
  211. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/templates/org/skills/prompt-to-safe-task/SKILL.md +0 -0
  212. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/templates/org/skills/prototype-to-production/SKILL.md +0 -0
  213. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/templates/org/skills/repo-onboarding/SKILL.md +0 -0
  214. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/templates/settings.json +0 -0
  215. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/templates/stacks/backend/python/fastapi/rules/fastapi-patterns.md +0 -0
  216. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/templates/stacks/db/mongodb/agents/migration-specialist.md +0 -0
  217. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/templates/stacks/db/mongodb/agents/mongodb-specialist.md +0 -0
  218. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/templates/stacks/db/mongodb/rules/mongodb-patterns.md +0 -0
  219. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/templates/stacks/db/postgres/agents/db-performance-reviewer.md +0 -0
  220. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/templates/stacks/db/postgres/agents/migration-specialist.md +0 -0
  221. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/templates/stacks/db/postgres/agents/postgres-specialist.md +0 -0
  222. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/templates/stacks/db/postgres/rules/database-performance.md +0 -0
  223. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/templates/stacks/db/postgres/rules/postgres-patterns.md +0 -0
  224. {claude_code_kit-0.9.0 → claude_code_kit-0.11.0}/templates/stacks/frontend/react/rules/react-patterns.md +0 -0
@@ -10,7 +10,7 @@
10
10
  "name": "claude-kit",
11
11
  "source": "./",
12
12
  "description": "Cookiecutter-style scaffolder for an autonomous Claude Code SDLC config (no app code, no Docker): install CLAUDE.md + .claude/ (rules, the profile's agents/skills, hooks, artifact templates) + optional .mcp.json, then run /sdlc to drive spec → review → build → test → security → ship through profile-aware quality gates, working memory, and a self-improving learnings loop.",
13
- "version": "0.9.0",
13
+ "version": "0.11.0",
14
14
  "license": "MIT",
15
15
  "keywords": ["sdlc", "agents", "orchestration", "quality-gates", "workflow", "scaffold", "cookiecutter"]
16
16
  }
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "claude-kit",
3
- "version": "0.9.0",
3
+ "version": "0.11.0",
4
4
  "description": "Cookiecutter-style scaffolder for an autonomous Claude Code SDLC config (no app code, no Docker). `claude-kit init` asks ordered questions and installs CLAUDE.md + .claude/ (rules, the profile's agents/skills, hooks, artifact templates) + optional .mcp.json; run /sdlc to drive spec → review → build → test → security → ship through profile-aware quality gates with working memory and a self-improving learnings loop.",
5
5
  "author": {
6
6
  "name": "Arjunsingh Yadav",
@@ -4,6 +4,84 @@ All notable changes to claude-kit are documented here. The format follows
4
4
  [Keep a Changelog](https://keepachangelog.com/), and the project uses
5
5
  [semantic versioning](https://semver.org/).
6
6
 
7
+ ## [0.11.0] — 2026-06-15
8
+
9
+ Distils a field review of [repowise](https://github.com/repowise-dev/repowise) (a runtime
10
+ codebase-intelligence engine: dependency graph, git analytics, LLM wiki, code-health biomarkers,
11
+ change-risk, dead code). An adversarial map→verify pass over six candidates found that repowise is
12
+ overwhelmingly a **runtime product** whose config-equivalents claude-kit already ships — so the
13
+ honest, reuse-first result is small: one genuine kit-owned methodology gap and one sanctioned,
14
+ opt-in external-tool reference. No application code, no Docker, nothing bundled.
15
+
16
+ ### Added
17
+ - **`catalog/mcp.yaml`** gains an **opt-in** `repowise` MCP server (codebase intelligence: hotspots,
18
+ change-risk, co-change coupling, dead code). It is **only** written into `.mcp.json` when explicitly
19
+ selected at init — the kit *references* repowise, never bundles it. The label flags that it is
20
+ **AGPL-3.0** and requires installing it separately (`pip install repowise`) and indexing the repo
21
+ once (`repowise init`); the repo path is supplied via the `${REPOWISE_PROJECT_ROOT}` env placeholder
22
+ (same pattern as postgres's `${DATABASE_URL}`), so this is pure catalog data with no resolver change.
23
+
24
+ ### Changed
25
+ - **`skills/code-review-and-quality`** gains a **"Where to Focus: Change Hotspots & Coupling"** section:
26
+ a tool-agnostic, `git log`-only technique for spending review attention where defects cluster —
27
+ churn × complexity hotspots, co-change coupling (hidden dependencies), and single-owner/bus-factor
28
+ files. It notes that a codebase-intelligence MCP (e.g. the optional repowise server) provides the
29
+ same signals precomputed via `get_risk`/`get_health`, but always as **advisory input, never a
30
+ blocking gate**. A matching checklist item was added.
31
+
32
+ ### Not done (deliberately, per the assessment)
33
+ - repowise's engine itself — dependency graph, dashboard (`repowise serve`), deterministic PR bot,
34
+ LLM wiki/RAG, the 25 code-health biomarkers — is runtime and **cannot** be config. Its
35
+ config-equivalents already exist and were **not** duplicated: dead-code hygiene
36
+ (`over-engineering-review` / `code-simplification` / `code-review-and-quality` / `mandatory-workflow`),
37
+ noisy-output compression a.k.a. "distill" (`tool-design` rule + `context-engineering` skill),
38
+ read-an-overview-first (`context-engineering` / `source-driven-development`), ADRs
39
+ (`documentation-and-adrs`), commit provenance (`git-workflow-and-versioning`), and auto-generated
40
+ project instructions (`templates/CLAUDE.md`). No new rule/agent/skill/gate (the hotspot technique is
41
+ advisory, so it enriches a profile-gated skill rather than becoming a mandatory rule).
42
+
43
+ ## [0.10.0] — 2026-06-15
44
+
45
+ Adds **LLM / AI application-security** guidance distilled from a field review of
46
+ [protectai/llm-guard](https://github.com/protectai/llm-guard). An adversarial map→verify pass found a
47
+ real, single gap: claude-kit secured (a) the *agent itself* (`agent-guardrails`, OWASP **Agentic**
48
+ ASI01–10) and (b) *traditional* appsec of the product (`security-and-hardening` / `owasp-reviewer` =
49
+ OWASP Top 10 **2021** web), but **nothing** covered securing the **LLM features a user builds into
50
+ their product** (OWASP **LLM** Top 10 — prompt injection, insecure output handling, sensitive-info
51
+ disclosure, model DoS). Per your steer, the new layer is **opt-in, bypassable, and states the security
52
+ implications of bypassing** — and per golden rule #1 it reuses existing components rather than adding a
53
+ new rule/agent/gate (all of which the verify pass flagged as either over-engineering or, for a new
54
+ `rules/` file, a *mandatory*-framing conflict). No application code, no Docker; llm-guard is named only
55
+ as one reference implementation, never a dependency.
56
+
57
+ ### Added
58
+ - **`hooks/scripts/warn-llm-io.sh`** + the `warn-llm-io` hook (`standard`+, after `warn-shared-modules`):
59
+ an **advisory, non-blocking** PreToolUse(Edit|Write) hook. When an edited file looks like an LLM
60
+ feature (provider SDKs / prompt construction / RAG), it surfaces the LLM guardrails and the explicit
61
+ risks of skipping them (prompt-injection exfiltration, PII leaking to the provider,
62
+ insecure-output-handling XSS/SSRF/RCE), and names the bypass: record a one-line risk acceptance. It
63
+ always exits 0 (never blocks) and degrades to a no-op without `jq`.
64
+
65
+ ### Changed
66
+ - **`skills/security-and-hardening`** gains an **"LLM / AI Feature Security (OWASP LLM Top 10) — opt-in"**
67
+ section: the input→model→output guard architecture; input guardrails (prompt-injection screening,
68
+ secrets scan, PII *anonymise/vault* pattern, token caps, topic limits, unicode canonicalisation);
69
+ output guardrails (treat output as untrusted — no eval/render-raw/auto-run; PII/secret leak scan;
70
+ malicious-URL/SSRF; structured-output validation); least-privilege model tools; an OWASP-LLM-Top-10
71
+ map; a **risk-acceptance/bypass** protocol; and a **security-implications-of-bypassing** table. (The
72
+ `security-reviewer` already reads this skill, so the security stage becomes LLM-aware for free.)
73
+ - **`skills/threat-model`** adds an LLM/AI trigger and a step-6 LLM branch (walk the LLM Top 10; point
74
+ to the guardrails; record any bypass as a residual risk).
75
+ - **`agents/owasp-reviewer`** A08 now states that **model output is untrusted data** — the existing
76
+ no-eval/exec/render-raw rule applies to it (insecure output handling stays a Critical), while the
77
+ broader LLM guardrails are explicitly **advisory** and must not block the gate.
78
+
79
+ ### Not done (deliberately, per the assessment)
80
+ - No new `rules/` file (a rule installs in every profile and reads as *mandatory* — conflicts with the
81
+ opt-in requirement), no new `llm-security` agent, and no new blocking gate. The LLM Top 10 was **not**
82
+ folded into the mandatory `owasp-reviewer`/Security Clear gate (that would make it mandatory and dilute
83
+ a tightly-scoped 2021-web reviewer). LLM security stays a separate, advisory, bypassable path.
84
+
7
85
  ## [0.9.0] — 2026-06-15
8
86
 
9
87
  Distils a field review of GitHub's [spec-kit](https://github.com/github/spec-kit) (Spec-Driven
@@ -1,6 +1,6 @@
1
1
  Metadata-Version: 2.4
2
2
  Name: claude-code-kit
3
- Version: 0.9.0
3
+ Version: 0.11.0
4
4
  Summary: Cookiecutter-style scaffolder for an autonomous Claude Code SDLC configuration (no app code, no Docker). Asks ordered questions and installs CLAUDE.md + .claude/ (rules, the chosen profile's agents/skills, hooks, artifact templates) + optional .mcp.json; run /sdlc to drive spec → review → build → test → security → ship through profile-aware quality gates, working memory, and a self-improving learnings loop.
5
5
  Project-URL: Homepage, https://github.com/ajyadav013/claude-kit
6
6
  Project-URL: Repository, https://github.com/ajyadav013/claude-kit
@@ -31,18 +31,17 @@ Description-Content-Type: text/markdown
31
31
 
32
32
  **A Cookiecutter-style scaffolder for an autonomous SDLC (software-delivery lifecycle) inside [Claude Code](https://www.claude.com/product/claude-code).**
33
33
 
34
- `claude-kit init` asks a few questions and lays down a `CLAUDE.md` + a `.claude/` configuration
35
- rules, a profile-selected set of specialized agents and skills, hooks, and artifact templates — that
36
- turn a one-line request into reviewed, tested, secured, shippable code, with a quality gate between
37
- every phase. **No application code. No Docker. Configuration only.**
34
+ One command turns a one-line request into reviewed, tested, secured, shippable code
35
+ with a quality gate between every phase. **No application code. No Docker. Configuration only.**
38
36
 
39
37
  [![PyPI](https://img.shields.io/pypi/v/claude-code-kit.svg)](https://pypi.org/project/claude-code-kit/)
40
38
  [![Python](https://img.shields.io/pypi/pyversions/claude-code-kit.svg)](https://pypi.org/project/claude-code-kit/)
41
39
  [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](LICENSE)
42
40
  [![Built for Claude Code](https://img.shields.io/badge/built%20for-Claude%20Code-d97757.svg)](https://www.claude.com/product/claude-code)
43
41
  [![CI](https://github.com/ajyadav013/claude-kit/actions/workflows/ci.yml/badge.svg)](https://github.com/ajyadav013/claude-kit/actions/workflows/ci.yml)
42
+ [![Changelog](https://img.shields.io/badge/changelog-v0.10.0-blue.svg)](CHANGELOG.md)
44
43
 
45
- [Install](#install) · [The init flow](#the-init-flow) · [How it works](#how-it-works) · [The pipeline](#the-pipeline) · [Agents](#the-agents) · [Catalog](#catalog--extensibility) · [Agent guide](docs/agents.md) · [CLI](#cli-reference)
44
+ 🚀 [Quick start](#quick-start) · 🧭 [How it works](#how-it-works) · 🔁 [The pipeline](#the-pipeline) · 🌱 [What we adopted](#influences--what-we-adopted) · 🤖 [Agents](#the-agents) · 🧩 [Catalog](#catalog--extensibility) · 🛠️ [CLI](#cli-reference) · 📖 [Agent guide](docs/agents.md)
46
45
 
47
46
  </div>
48
47
 
@@ -51,40 +50,36 @@ every phase. **No application code. No Docker. Configuration only.**
51
50
  ## What is this?
52
51
 
53
52
  claude-kit installs a **complete software-delivery lifecycle** into Claude Code. Instead of one
54
- assistant doing everything in one pass, your work flows through a pipeline of focused agents —
55
- a spec writer, story planner, reviewers, a developer, code reviewers, testers, security scanners,
53
+ assistant doing everything in a single pass, your work flows through a pipeline of focused agents —
54
+ a spec writer, a story planner, reviewers, a developer, code reviewers, testers, security scanners,
56
55
  and a PR raiser — coordinated by an **Orchestrator** that runs independent work in parallel and
57
56
  refuses to advance a phase until its **quality gate** passes. You drive it all with one command:
58
- `/sdlc <your task>`.
57
+ **`/sdlc <your task>`**.
59
58
 
60
- It is **stack-agnostic**: the pipeline itself assumes no language or framework. You pick a stack at
61
- `init` time and claude-kit installs matching **overlay rules** (e.g. for React, FastAPI, PostgreSQL,
62
- MongoDB) and fills `CLAUDE.md` with your stack's exact lint/test/build commands — but it never writes
63
- your application code and never requires Docker.
59
+ **At a glance:**
64
60
 
65
- Three things keep it reliable over long runs:
61
+ - 🧱 **Stack-agnostic** the pipeline assumes no language or framework. Pick a stack at `init` and it
62
+ installs matching overlay rules (React · FastAPI · PostgreSQL · MongoDB) and your exact
63
+ lint/test/build commands. It never writes your app code and never needs Docker.
64
+ - 🎚️ **Dial the rigor with profiles** — `lean ⊊ standard ⊊ enterprise` decide how many agents, skills,
65
+ hooks, and gates are active, from "fast track" to "full audit".
66
+ - 👥 **Scope to your team** — `individual` / `team` (default) / `organization`. Org scope adds a
67
+ vibe-coding layer so PMs, designers, QA, support, and founders can drive work safely too.
68
+ - 🧠 **Remembers across sessions** — working memory (`CONTINUITY.md`) survives context compaction, and a
69
+ learnings loop (`agent-memory/`) means the same mistake isn't made twice.
70
+ - 📦 **Two channels, one source** — a first-class Claude Code **plugin** *and* a **pip** scaffolder.
66
71
 
67
- - **Profiles** `lean standard enterprise` decide how many agents, skills, hooks, and gates are
68
- active, so you can dial the rigor from "fast track" to "full audit".
69
- - **Scope** — `individual` / `team` (default) / `organization`. Organization scope adds a
70
- **vibe-coding capability layer** so PMs, designers, QA, support, data, and founders can drive work
71
- safely too — with role-based **packs**, an **autonomy model**, and **risk classification**. See
72
- [`docs/org-capabilities.md`](docs/org-capabilities.md).
73
- - **Working memory (`CONTINUITY.md`)** — the current task state is re-read every turn, so work
74
- survives context compaction and brand-new sessions.
75
- - **A self-improving learnings loop (`agent-memory/`)** — durable lessons are captured and
76
- re-injected into future sessions, so the same mistake isn't made twice.
77
-
78
- > Inspired by the autonomous-SDLC idea, rebuilt from the ground up **for Claude Code** — as a
79
- > first-class plugin **and** a pip-installable scaffolder, both from one source of truth.
72
+ > Inspired by the autonomous-SDLC idea, rebuilt from the ground up **for Claude Code**, and kept small
73
+ > by a **reuse-first** policy see [what we adopted](#influences--what-we-adopted) and from where.
80
74
 
81
75
  ---
82
76
 
83
- ## Install
77
+ ## Quick start
84
78
 
85
- claude-kit ships through two channels from one source of truth. Use either — or both.
79
+ <details open>
80
+ <summary><b>A) As a Claude Code plugin&nbsp; (recommended)</b></summary>
86
81
 
87
- ### A) As a Claude Code plugin (recommended)
82
+ <br>
88
83
 
89
84
  Makes all agents, skills, commands, and hooks available inside Claude Code:
90
85
 
@@ -93,7 +88,7 @@ Makes all agents, skills, commands, and hooks available inside Claude Code:
93
88
  /plugin install claude-kit
94
89
  ```
95
90
 
96
- Then, inside any project you want managed by the pipeline:
91
+ Then, inside any project you want the pipeline to manage:
97
92
 
98
93
  ```text
99
94
  /claude-kit:init # asks the ordered questions, lays down CLAUDE.md + .claude/
@@ -104,27 +99,34 @@ Then, inside any project you want managed by the pipeline:
104
99
  > `/sdlc` is a **project skill** installed by `init`, so it becomes available after the restart. The
105
100
  > plugin also exposes `/claude-kit:sdlc <task>`, which works immediately (no restart needed).
106
101
 
107
- ### B) As a pip package
102
+ </details>
103
+
104
+ <details>
105
+ <summary><b>B) As a pip package&nbsp; (CI, onboarding, non-plugin workflows)</b></summary>
106
+
107
+ <br>
108
108
 
109
- A CLI (`claude-kit`, aliases `ckit` / `claude-sdlc`) that scaffolds the same config into any repo
110
- great for CI, onboarding, or non-plugin workflows:
109
+ A CLI (`claude-kit`, aliases `ckit` / `claude-sdlc`) that scaffolds the same config into any repo:
111
110
 
112
111
  ```bash
113
112
  # Until the first PyPI release, install straight from the repo:
114
113
  pip install "git+https://github.com/ajyadav013/claude-kit.git"
115
114
  # Once published to PyPI this becomes: pip install claude-code-kit
116
115
 
117
- claude-kit init # interactive: prompts for stack, profile, MCP (Model Context Protocol)
116
+ claude-kit init # interactive: prompts for stack, profile, MCP
118
117
  claude-kit init --defaults # non-interactive: React + Python/FastAPI + Postgres + standard
119
118
  ```
120
119
 
120
+ </details>
121
+
121
122
  > **Prerequisites:** [Claude Code](https://www.claude.com/product/claude-code); Python ≥ 3.9 for the
122
- > CLI; `jq` to enable the shell hooks (they no-op without it); Node / `npx` only if you turn on an MCP
123
- > server. Open the project in Claude Code afterwards and the pipeline is active.
123
+ > CLI; `jq` to enable the shell hooks (they no-op without it); Node / `npx` only if you enable an MCP
124
+ > (Model Context Protocol) server.
124
125
 
125
- ---
126
+ <details>
127
+ <summary><b>What the init flow asks &amp; what lands on disk</b></summary>
126
128
 
127
- ## The init flow
129
+ <br>
128
130
 
129
131
  `claude-kit init` asks an ordered set of questions (all with sensible defaults), then writes the
130
132
  config — nothing else:
@@ -134,7 +136,7 @@ config — nothing else:
134
136
  3. **Backend language** (default: Python) → **backend framework** (default: FastAPI)
135
137
  4. **Database** (PostgreSQL · MongoDB)
136
138
  5. **SDLC profile** (`lean` · `standard` · `enterprise`)
137
- 6. **Optional MCP (Model Context Protocol) integrations** (GitHub, Jira/Linear, Postgres/Mongo, Playwright, Docs) — a
139
+ 6. **Optional MCP integrations** (GitHub · Jira/Linear · Postgres/Mongo · Playwright · Docs) — a
138
140
  project-root `.mcp.json` is written **only** if you select any (env placeholders, never secrets)
139
141
 
140
142
  Non-interactive equivalents: `--defaults`, or `--config init.yaml` (flat or nested YAML). What lands:
@@ -154,6 +156,8 @@ README.claude-sdlc.md
154
156
  .mcp.json # only if MCP servers were selected
155
157
  ```
156
158
 
159
+ </details>
160
+
157
161
  ---
158
162
 
159
163
  ## How it works
@@ -168,7 +172,7 @@ flowchart LR
168
172
  H["hooks/"]
169
173
  R["rules/"]
170
174
  T["templates/"]
171
- K["catalog/<br/>(stacks · profiles · mcp)"]
175
+ K["catalog/<br/>(stacks · profiles · mcp · org)"]
172
176
  end
173
177
  SRC -->|"pip install + claude-kit init"| PROJ["Your project<br/>CLAUDE.md + .claude/"]
174
178
  SRC -->|"/plugin install"| CC["Claude Code<br/>(agents · skills · commands · hooks)"]
@@ -179,13 +183,13 @@ flowchart LR
179
183
  Three ideas do the heavy lifting:
180
184
 
181
185
  1. **Quality gates with a shared severity model.** Every finding is classified
182
- Critical / High / Medium / Low / Cosmetic. A gate passes **only** with zero
183
- Critical/High/Medium open. No silent advancement.
184
- 2. **RARV self-check.** Every agent runs **R**eason → **A**ct → **R**eflect → **V**erify and
185
- must show a *green Verify* (real commands run, not imagined) before handing off.
186
- 3. **Blind review + Devil's Advocate.** Parallel reviewers judge independently. A *unanimous*
187
- PASS is treated as suspicious and triggers an adversarial `devils-advocate` pass before the
188
- gate is allowed to close — an explicit guard against agents rubber-stamping each other.
186
+ Critical / High / Medium / Low / Cosmetic. A gate passes **only** with zero Critical/High/Medium
187
+ open. No silent advancement.
188
+ 2. **RARV self-check.** Every agent runs **R**eason → **A**ct → **R**eflect → **V**erify and must show
189
+ a *green Verify* (real commands run, not imagined) before handing off.
190
+ 3. **Blind review + Devil's Advocate.** Parallel reviewers judge independently; a *unanimous* PASS is
191
+ treated as suspicious and triggers an adversarial `devils-advocate` pass before the gate may close —
192
+ an explicit guard against agents rubber-stamping each other.
189
193
 
190
194
  See [`docs/architecture.md`](docs/architecture.md) for the full diagrams.
191
195
 
@@ -221,12 +225,67 @@ A **fast-track** mode collapses small changes (< 5 files) to Developer → Code
221
225
 
222
226
  ---
223
227
 
228
+ ## Influences & what we adopted
229
+
230
+ claude-kit is built **reuse-first**. We periodically review excellent open-source projects and adopt
231
+ **only the genuinely-new ideas** — never duplicating what the kit already does (near-duplicates would
232
+ dilute Claude's ability to auto-select the right skill). Each adoption follows the same method:
233
+ **fetch the real source → adversarially map it against the kit's existing files → ship only the
234
+ non-duplicative gaps**, minimally and catalog-wired.
235
+
236
+ | Source | What we learned | What we shipped | Since |
237
+ |---|---|---|:--:|
238
+ | **Agentic Design Patterns** — A. Gulli ([coverage map](docs/agentic-patterns.md)) | Reasoning, guardrails, resilience, human-in-the-loop, evals, and tool design as first-class agent disciplines | 8 agent-operation rules + [`docs/agentic-patterns.md`](docs/agentic-patterns.md) | `0.4.0` |
239
+ | **[ponytail](https://github.com/DietrichGebert/ponytail)** | YAGNI / anti-over-engineering as an explicit recurring pass; deferral-debt tracking; surfacing the active autonomy level | `over-engineering-review` & `simplification-debt` skills, the `load-autonomy` hook, median-of-N in `evals` | `0.8.0` |
240
+ | **[GitHub spec-kit](https://github.com/github/spec-kit)** | Spec → tasks → **analyze** coverage gate; tasks → tracker issues; stable requirement IDs + assumptions in specs | Wired the (previously orphaned) `story-planner` as the **coverage gate (1f)**, a tracker-agnostic `task-tracker-sync` skill, and enriched the feature-spec template | `0.9.0` |
241
+ | **[protectai/llm-guard](https://github.com/protectai/llm-guard)** | Input→model→output guardrails for LLM features — prompt injection, PII vault, treating model output as untrusted | **Opt-in** "LLM / AI Feature Security" guidance in `security-and-hardening` + the advisory `warn-llm-io` hook (warns, **never blocks**) | `0.10.0` |
242
+
243
+ > Each adoption is detailed in the [CHANGELOG](CHANGELOG.md) — including, for every review, what we
244
+ > deliberately **did not** add because the kit already covered it.
245
+
246
+ <details>
247
+ <summary><b>The latest three reviews, in a bit more depth</b></summary>
248
+
249
+ <br>
250
+
251
+ **🪶 ponytail → minimalism layer (0.8.0).** Most of ponytail's philosophy (YAGNI, stdlib-first,
252
+ surgical diffs) was already enforced by `CLAUDE.md` "Simplicity First" + `code-simplification`, so we
253
+ added only the missing *mechanisms*: `over-engineering-review` (a complexity-only, report-only
254
+ delete-list), `simplification-debt` (harvests `TODO`/`FIXME`/inline `shortcut:` markers into a ledger
255
+ and flags ones that name no upgrade path), and the `load-autonomy` SessionStart hook (surfaces the
256
+ active autonomy level each session).
257
+
258
+ **🧭 GitHub spec-kit → coverage gate + tracker sync (0.9.0).** The headline was *reuse*: the kit
259
+ already had a `story-planner` agent that verifies every acceptance criterion maps to a story, but it
260
+ was **never wired into the pipeline**. We made it **stage 1f** (between EM approval and the developer),
261
+ so implementation can't start until coverage is proven. We also added `task-tracker-sync` (mirrors a
262
+ plan into GitHub / Linear / Jira issues, dependencies preserved) and gave the feature-spec template
263
+ stable requirement IDs + an Assumptions section. We **skipped** spec-kit's `/constitution`,
264
+ `/clarify`, and `/checklist` — all already covered.
265
+
266
+ **🛡️ protectai/llm-guard → opt-in LLM security (0.10.0).** The kit secured the *agent itself* and
267
+ *traditional* web appsec, but nothing covered **the LLM features you build into your product** (the
268
+ OWASP LLM Top 10). Per request, the new layer is **opt-in, bypassable, and states the risk of
269
+ bypassing**: an "LLM / AI Feature Security" section in `security-and-hardening` (input/output
270
+ guardrails, PII vault, untrusted-output handling, a security-implications-of-bypassing table) plus a
271
+ non-blocking `warn-llm-io` hook. We deliberately did **not** add a new rule or fold it into the
272
+ mandatory security gate — that would have made it mandatory.
273
+
274
+ </details>
275
+
276
+ ---
277
+
224
278
  ## The agents
225
279
 
226
- 28 specialized roles in [`agents/`](agents/), each tagged with a `tier` (orchestrator · stage-lead ·
227
- specialist · review) and installed per profile. Plus per-database **overlay agents** added only for
228
- your chosen DB, and **org persona agents** added only in organization scope. See the
229
- **[agent guide](docs/agents.md)** for how to drive them.
280
+ **28 specialized roles** in [`agents/`](agents/), each tagged with a `tier`
281
+ (orchestrator · stage-lead · specialist · review) and installed per profile plus per-database
282
+ **overlay agents** and, in organization scope, **persona agents**. The
283
+ **[agent guide](docs/agents.md)** explains how to drive them.
284
+
285
+ <details>
286
+ <summary><b>See the full roster (28 + overlays + personas)</b></summary>
287
+
288
+ <br>
230
289
 
231
290
  | Agent | Role |
232
291
  |-------|------|
@@ -245,23 +304,58 @@ your chosen DB, and **org persona agents** added only in organization scope. See
245
304
  | `auditor` | Read-only audit for accessibility, performance, responsiveness, console errors |
246
305
  | `devils-advocate` | Anti-sycophancy adversarial reviewer (runs on a unanimous PASS) |
247
306
  | `acceptance-reviewer` | Verifies delivery against acceptance criteria before the human gate |
248
- | `risk-classifier` | Read-only — classifies work as low/medium/high/restricted and names the required gates (enterprise + org) |
307
+ | `risk-classifier` | Read-only — classifies work low/medium/high/restricted and names the required gates (enterprise + org) |
249
308
  | `security-reviewer` | Security stage coordinator — owns the Security Clear gate |
250
309
  | `secret-scanner` · `dependency-scanner` · `owasp-reviewer` · `policy-validator` | The four parallel security sub-scanners |
251
310
  | `devops-engineer` | CI/build/release, env, migrations, runbook — container-optional; owns Pipeline Green |
252
311
  | `observability-engineer` | SLOs, health/readiness, structured logging, alerts — owns Observability Ready |
253
312
  | `incident-responder` | Production-incident triage, mitigation, and postmortem (enterprise scope) |
254
313
  | `pr-raiser` | Final checks, commit hygiene, and PR creation |
255
- | **DB overlays** | `postgres-specialist` · `mongodb-specialist` · `migration-specialist` · `db-performance-reviewer` (installed for the selected database) |
314
+ | **DB overlays** | installed for the selected database — PostgreSQL → `postgres-specialist` · `migration-specialist` · `db-performance-reviewer`; MongoDB `mongodb-specialist` · `migration-specialist` |
256
315
  | **Org personas** | `pm-copilot` · `founder-prototype-agent` · `support-ticket-engineer` · `data-workflow-agent` · `internal-tools-builder` (organization scope only) |
257
316
 
317
+ </details>
318
+
319
+ ---
320
+
321
+ ## Rules & skills
322
+
323
+ **Rules** ([`rules/`](rules/)) are the 23 stack-agnostic contracts every agent obeys — the
324
+ `mandatory-workflow` pipeline, `quality-gates`, `rarv-cycle`, `continuity`, `documentation`,
325
+ `testing`, the eight agent-operation rules (`reasoning-techniques`, `agent-guardrails`,
326
+ `agent-resilience`, `goal-setting-and-monitoring`, `human-in-the-loop`, `model-tiers`, `evals`,
327
+ `tool-design` — see [`docs/agentic-patterns.md`](docs/agentic-patterns.md)), and `autonomy-levels` +
328
+ `risk-classification` (see [`docs/org-capabilities.md`](docs/org-capabilities.md)). Stack **overlay
329
+ rules** (`fastapi-patterns`, `react-patterns`, `postgres-patterns`, …) and, in organization scope,
330
+ **org policy rules** (`secrets-policy`, `pii-policy`, `compliance-policy`, …) layer on top.
331
+
332
+ **Skills** ([`skills/`](skills/)) are on-demand capabilities Claude activates by context — led by the
333
+ `sdlc` entrypoint. Highlights, including this session's additions:
334
+
335
+ | Skill | What it does |
336
+ |---|---|
337
+ | `spec-driven-development` · `planning-and-task-breakdown` | Spec first, then a verifiable task breakdown |
338
+ | `task-tracker-sync` | Mirror a plan/story breakdown into GitHub / Linear / Jira issues (tracker-agnostic, idempotent) |
339
+ | `security-and-hardening` | Traditional appsec **+ opt-in LLM / AI Feature Security** (OWASP LLM Top 10, with a bypass + implications) |
340
+ | `threat-model` | Design-time STRIDE — now with an LLM/AI branch |
341
+ | `over-engineering-review` · `simplification-debt` | Keep the code lean: a complexity-only delete-list, and a deferral-debt ledger |
342
+ | `test-driven-development` · `debugging-and-error-recovery` · `code-review-and-quality` | The build / fix / review staples |
343
+ | `remember` | The self-improving learnings loop into `agent-memory/` |
344
+
345
+ Each profile installs a subset (`lean ⊂ standard ⊂ enterprise`).
346
+
258
347
  ---
259
348
 
260
349
  ## Catalog & extensibility
261
350
 
262
- Everything selectable lives in [`catalog/`](catalog/) as data — **adding a stack, framework,
351
+ Everything selectable lives in [`catalog/`](catalog/) as **data** — adding a stack, framework,
263
352
  database, profile, or MCP server is a YAML edit plus a `templates/stacks/<dir>/` folder, never a code
264
- change**:
353
+ change.
354
+
355
+ <details>
356
+ <summary><b>The four catalog files</b></summary>
357
+
358
+ <br>
265
359
 
266
360
  - **`catalog/stacks.yaml`** — frontend frameworks, backend languages → frameworks, and databases.
267
361
  Live today: React · Python/FastAPI · PostgreSQL/MongoDB. Vue/Svelte/Django/Express are listed as
@@ -269,50 +363,28 @@ change**:
269
363
  - **`catalog/profiles.yaml`** — what each profile activates (`inherit:` composes; `all` = everything).
270
364
  - **`catalog/mcp.yaml`** — ready `.mcp.json` fragments per server, with `${ENV}` placeholders.
271
365
  - **`catalog/org.yaml`** — the **organization layer**: scopes, teams, the autonomy model, review
272
- strictness, and the 7 capability **packs**. Scope-gated content lives under `templates/org/` and
273
- installs only when `scope == organization`. See [`docs/org-capabilities.md`](docs/org-capabilities.md).
366
+ strictness, and the 7 capability **packs**. Scope-gated content under `templates/org/` installs only
367
+ when `scope == organization`. See [`docs/org-capabilities.md`](docs/org-capabilities.md).
274
368
 
275
369
  A third install dimension joins `profile` (a subset) and `stack` (an overlay): **org** (scope-gated).
276
370
  `resolve()` stays branch-free — adding a pack, team, autonomy level, or org rule is a `catalog/org.yaml`
277
- edit plus content under `templates/org/`, never a code change.
371
+ edit plus content under `templates/org/`, never a code change. Run **`claude-kit list-options`** to see
372
+ everything available.
278
373
 
279
- Run `claude-kit list-options` to see everything available.
280
-
281
- ---
282
-
283
- ## Rules & skills
284
-
285
- **Rules** ([`rules/`](rules/)) are the stack-agnostic contracts every agent obeys — 23 files:
286
- `mandatory-workflow`, `quality-gates`, `rarv-cycle`, `continuity`, `agent-memory`, `documentation`,
287
- `design-patterns`, `code-organization`, `linting-and-formatting`, `testing`,
288
- `frontend-best-practices`, `responsive-and-accessibility`, `devops-observability`, the
289
- agent-operation rules `reasoning-techniques`, `agent-guardrails`, `agent-resilience`,
290
- `goal-setting-and-monitoring`, `human-in-the-loop`, `model-tiers`, `evals`, and `tool-design` (how
291
- the agents themselves reason, stay safe, recover, escalate, pick a model tier, run evals, and design
292
- tools — see
293
- [`docs/agentic-patterns.md`](docs/agentic-patterns.md)), plus `autonomy-levels` and
294
- `risk-classification` (how much Claude may do before a human acts, and how work is risk-gated — see
295
- [`docs/org-capabilities.md`](docs/org-capabilities.md)). Selected
296
- **overlay rules** (e.g. `fastapi-patterns`, `react-patterns`, `postgres-patterns`,
297
- `database-performance`) and, in organization scope, **org policy rules** (`secrets-policy`,
298
- `pii-policy`, `production-data-policy`, `branch-and-pr-policy`, `compliance-policy`, …) are layered
299
- on top.
300
-
301
- **Skills** ([`skills/`](skills/)) are on-demand capabilities Claude activates by context — led by the
302
- `sdlc` entrypoint, plus spec-driven development, planning, TDD, debugging, code review, security
303
- hardening, API design, the `remember` learnings loop, and more. Each profile installs a subset.
374
+ </details>
304
375
 
305
376
  ---
306
377
 
307
378
  ## CLI reference
308
379
 
309
- ```text
310
- claude-kit <command> # aliases: ckit · claude-sdlc
311
- ```
380
+ <details>
381
+ <summary><b>All commands</b> (<code>claude-kit</code> · aliases <code>ckit</code> · <code>claude-sdlc</code>)</summary>
382
+
383
+ <br>
312
384
 
313
385
  | Command | Description |
314
386
  |---------|-------------|
315
- | `init [path] [--defaults] [--config FILE] [--force]` | Scaffold `CLAUDE.md` + `.claude/` (interactive, or non-interactive) |
387
+ | `init [path] [--defaults] [--config FILE] [--force]` | Scaffold `CLAUDE.md` + `.claude/` (interactive or non-interactive) |
316
388
  | `validate [path]` | Structurally validate an installed config |
317
389
  | `doctor [path]` | Validate + environment/health checks with fix hints |
318
390
  | `diff [path]` | Preview what an `upgrade` would change (no writes) |
@@ -320,40 +392,53 @@ claude-kit <command> # aliases: ckit · claude-sdlc
320
392
  | `list-options` | List available frontend/backend/database/profile/MCP options |
321
393
  | `status [path]` | Show what's installed, the selection, and working memory |
322
394
  | `version` | Print the version |
323
- | `package-org-pack` · `install-org-pack` | Package / install an organization capability pack (organization scope) |
395
+ | `package-org-pack` · `install-org-pack` | Package / install an organization capability pack (org scope) |
324
396
 
325
397
  Plugin slash commands: `/claude-kit:init`, `/claude-kit:sdlc <task>`, `/claude-kit:status`; and the
326
398
  `/sdlc` skill inside any scaffolded project.
327
399
 
328
- ---
400
+ </details>
329
401
 
330
- ## Safe upgrades
402
+ <details>
403
+ <summary><b>Safe upgrades</b> — how your edits are protected</summary>
404
+
405
+ <br>
331
406
 
332
407
  Every install records per-file checksums and an `owner` (kit / overlay / user-editable) in
333
408
  `.claude/config/init-options.json`. `upgrade` refreshes kit and overlay files to the latest version,
334
- **never clobbers your edits** (a user-modified file is kept and the new version is dropped beside it
335
- as a `.claude-kit` sidecar), backs up anything it changes or removes, and restores files you deleted.
336
- Run `diff` first to preview.
409
+ **never clobbers your edits** (a user-modified file is kept and the new version dropped beside it as a
410
+ `.claude-kit` sidecar), backs up anything it changes or removes, and restores files you deleted. Run
411
+ `diff` first to preview.
337
412
 
338
- ---
413
+ </details>
339
414
 
340
- ## Troubleshooting
415
+ <details>
416
+ <summary><b>Troubleshooting</b></summary>
341
417
 
342
- Run **`claude-kit doctor`** first — it checks your environment (git, `jq`, hook scripts) and prints
343
- fix hints.
418
+ <br>
419
+
420
+ Run **`claude-kit doctor`** first — it checks your environment (git, `jq`, hook scripts) and prints fix
421
+ hints.
344
422
 
345
423
  | Symptom | Likely cause | Fix |
346
424
  |---|---|---|
347
- | `/sdlc`, agents, or skills "not found" right after `init` | Claude Code hasn't loaded the new project config yet | **Restart Claude Code** — or use the plugin command `/claude-kit:sdlc <task>` (works without a restart) |
425
+ | `/sdlc`, agents, or skills "not found" right after `init` | Claude Code hasn't loaded the new project config yet | **Restart Claude Code** — or use `/claude-kit:sdlc <task>` (works without a restart) |
348
426
  | Guard / quality hooks seem to do nothing | `jq` isn't installed (the hooks parse tool input with it) | Install `jq`; without it the hooks degrade to no-ops by design |
349
427
  | A selected MCP server won't start | `node` / `npx` missing (most MCP servers launch via `npx`) | Install Node.js, or remove the server from `.mcp.json` |
350
428
  | `pip install claude-code-kit` fails | Not yet published to PyPI | Use `pip install "git+https://github.com/ajyadav013/claude-kit.git"` |
351
429
  | `validate` reports missing files | Partial or outdated install | Re-run `claude-kit init` (choose **merge**), or `claude-kit upgrade` |
352
430
 
431
+ </details>
432
+
353
433
  ---
354
434
 
355
435
  ## Project structure
356
436
 
437
+ <details>
438
+ <summary><b>Repository layout</b></summary>
439
+
440
+ <br>
441
+
357
442
  ```
358
443
  claude-kit/
359
444
  ├── .claude-plugin/ plugin.json + marketplace.json
@@ -369,6 +454,8 @@ claude-kit/
369
454
  See [`docs/architecture.md`](docs/architecture.md) for the full picture and [`CLAUDE.md`](CLAUDE.md)
370
455
  for how to develop the kit itself.
371
456
 
457
+ </details>
458
+
372
459
  ---
373
460
 
374
461
  ## Contributing