Release: v0.15.6

Test Workflow Alignment: Skeleton-Based Source of Truth

The test planning workflow had evolved from Design Doc-driven to skeleton-driven, but old flow remnants caused LLMs to mix both approaches. This release removes all legacy artifacts and establishes test skeletons as the single source of truth.

Removed (old flow remnants)

• Test Strategy section from Design Doc template
• "Operational Verification Procedures" from Work Plan template
• "E2E verification procedures" from Design Doc integration points and documentation-criteria
• "Copy from Design Doc" patterns in work-planner, task-decomposer, and plan-template

Updated

• work-planner main procedure uses test skeleton placement instead of Design Doc verification
• Fallback defined for when test skeletons are not provided (AC-based test planning)
• technical-designer checklist: E2E verification replaced with testable AC quality gate
• plan-template skeleton items marked conditional (when provided)
• Concrete action verbs replace ambiguous "reference" in skeleton-related instructions

Added

• testing-principles skill to technical-designer-frontend (was missing, caused test strategy to be written without test design knowledge)

Release: v0.15.5

recipe-add-integration-tests: Fullstack Support

The recipe was backend-only, silently excluding frontend documents from test generation scope. Now supports backend, frontend, and fullstack projects.

• Accepts multiple Design Docs (backend + frontend) and UI Specs
• Classifies documents by filename, aligned with monorepo-flow.md patterns
• Task files use *-backend-task-* / *-frontend-task-* naming convention for deterministic agent routing
• Layer-appropriate executor and quality-fixer selection via filename pattern matching
• Added input validation for missing arguments

Release: v0.15.4

Investigation Depth & Consistency Improvements

Addresses investigation depth variance across subagents in reverse-engineering and diagnostic workflows. Replaces vague instructions with concrete verification protocols.

code-verifier

• Section-by-section claim extraction with minimum threshold to prevent shallow verification
• Evidence rules requiring Glob/Grep confirmation for existence claims
• Reverse coverage assessment: enumerates routes, tests, and exports from code and checks against document
• Score stability rule (verifiableClaimCount >= 20)

prd-creator (reverse-engineer mode)

• 7-step investigation protocol: route enumeration, entry point tracing, data model, test discovery, role discovery
• Literal transcription rule — identifiers copied exactly from code
• External scope treated as starting point, allowing expansion when tracing reveals additional files

scope-discoverer

• Unit inventory enumeration (routes, test files, public exports) per discovered unit
• Inventory propagated to downstream agents as completeness baseline

technical-designer / technical-designer-frontend

• New reverse-engineer operation mode with as-is documentation steps
• Mode-separated checklists (all modes / create-only / reverse-engineer-only)
• Reduced redundancy: consolidated 3 integration point sections, removed inline ADR templates and skill-duplicated criteria
• Create-mode specifics (research patterns, boundary contracts) preserved

recipe-reverse-engineer

• Code-verifier now discovers scope independently (no pre-constrained code_paths)
• Unit inventory flows from scope-discoverer through to Design Doc generation
• Strengthened quality gates: claim count and inventory completeness checks
• Technical-designer invoked in reverse-engineer mode

recipe-diagnose

• Investigator prompt includes problem essence and investigation focus from rule-advisor
• Quality check expanded to 6 specific criteria with source type coverage verification

Cross-cutting

• Removed Core Responsibilities sections that duplicated Execution Steps
• Converted negative instructions to positive form
• Language/environment-agnostic patterns throughout

Release: v0.15.3

What's Changed

Stabilize JSON Output for All Agents

• Added explicit "Return JSON Result" as the final execution step across all 15 JSON-returning agents
• Added completion criteria gate to ensure the final response is always JSON
• For agents with multiple exit paths, terminal states are now enumerated:
  • task-executor: completed or escalation_needed
  • quality-fixer: approved or blocked
• Separated intermediate progress reports from final JSON output in quality-fixer agents

Affected Agents

code-verifier, scope-discoverer, investigator, verifier, solver, requirement-analyzer, integration-test-reviewer, security-reviewer, code-reviewer, rule-advisor, document-reviewer, quality-fixer, quality-fixer-frontend, task-executor, task-executor-frontend

Release: v0.15.2

What's Changed

Reverse Engineering Workflow

• scope-discoverer now outputs prdUnits alongside discoveredUnits, grouping implementation-level units into PRD-appropriate user-value units automatically
• Grouping runs as a dedicated step after discovery completes, keeping discovery unbiased
• The orchestrator no longer processes or transforms scope data — it passes prdUnits through as-is

Plugin Agent Alignment

• Removed code-verifier and scope-discoverer from the frontend plugin (unused by any frontend recipe)
• /recipe-update-doc now auto-detects document layer and selects technical-designer-frontend for frontend Design Docs

Other

• Renamed "merge signals" to "cohesion signals" in scope-discoverer to avoid grouping bias during discovery

Release: v0.15.1

Fix: Language-Agnostic Consistency

Removed language-specific references from files that should be language-agnostic.

• security-checks.md: Replaced JS/Python-specific function names (eval(), Function(), pickle.loads(), etc.) with generic descriptions
• Agent examples: Removed .ts file extensions from JSON examples in code-verifier, requirement-analyzer, scope-discoverer
• Type-system terminology: Generalized TS-specific concepts to work across typed and untyped languages
  • "Type errors" → "Type/contract errors"
  • Evidence source "Types" → "Types & Contracts"
  • "Interface Definitions" → "Public Interfaces"
  • "Type/interface definition" → "Data shape, contract, or schema"
  • Removed TS interface keyword from design-sync examples
• skills-only plugin.json: Removed typescript/react from keywords

Release: v0.15.0

New: Security Reviewer Agent

A new security-reviewer agent runs after all implementation tasks complete, reviewing code against Design Doc security considerations and coding-principles.

Finding Classification

Findings use a 4-category model instead of generic severity levels:

Category	Meaning
confirmed_risk	Attack surface exists as-is
defense_gap	Not immediately exploitable, but a defensive layer is thin
hardening	Improvement to reduce exposure
policy	Organizational/operational concern, not a technical vulnerability

Each finding includes a rationale field explaining why it was classified that way, reducing false positives and severity inflation.

Status Determination

Status	Condition
blocked	Committed secret or high-confidence exploitable risk — escalate to user
needs_revision	One or more confirmed_risk, or multiple defense_gap on input boundaries
approved_with_notes	Only hardening / policy findings
approved	No meaningful findings

Workflow Integration

• All implementation recipes (recipe-implement, recipe-build, recipe-front-build, recipe-fullstack-build, recipe-fullstack-implement) run security-reviewer after all tasks complete, before the completion report
• All review recipes (recipe-review, recipe-front-review) now include security review alongside code compliance validation
• approved_with_notes proceeds to completion with notes included in the report

Updated: Security Principles in coding-principles

The Security Principles section has been rewritten with positive, actionable instructions organized into:

• Secure Defaults — secrets management, parameterized queries, cryptographic libraries
• Input and Output Boundaries — validation, encoding, error response content
• Access Control — authentication, authorization, least privilege
• Knowledge Cutoff Supplement — OWASP 2025 changes, AI-generated code patterns

New: Security Detection Patterns Reference

skills/coding-principles/references/security-checks.md provides grep-detectable patterns organized as:

• Stable Patterns — hardcoded secrets, SQL concatenation, eval/dynamic execution, insecure deserialization, path traversal, CORS wildcard, non-TLS URLs
• Trend-Sensitive Patterns — access control gaps in AI-generated code, OWASP A10:2025 (exceptional conditions), supply chain patterns

Review cycle: semi-annual. Update triggers documented for OWASP releases, critical CVEs introducing new patterns, and AI security research.

Updated: Design Doc Template

Security Considerations section now prompts structured evaluation:

• Authentication & Authorization requirements
• Input Validation boundaries
• Sensitive Data Handling policy
• N/A with rationale when no trust boundary exists

Updated: Work Plan Template

Final Phase tasks now include security review checkpoint.

Improved: Agent Definition Quality

Structural improvements to agent definitions for consistent execution:

• code-reviewer: Rewritten from checklist format to actionable verification pipeline (5-step process). Output format now uses acceptanceCriteria array with per-AC status tracking (fulfilled / partially_fulfilled / unfulfilled)
• requirement-analyzer: Rewritten from responsibilities list to verification pipeline (6-step process)
• work-planner: Rewritten from responsibilities list to planning pipeline (6-step process)
• All agents: Required Information sections renamed to Input Parameters for consistency with orchestration guide's Prompt Construction Rule

Improved: Recipe Invocation Consistency

• All recipe agent invocations now use explicit Agent tool format (subagent_type, description, prompt with input parameters)
• Added Prompt Construction Rule to orchestration guide — prompts are built from each agent's Input Parameters section
• Fixed recipe-task field references to match rule-advisor output schema
• Fixed recipe-front-review fix/re-validation flow with explicit invocations

Removed: CLAUDE.md References

Removed CLAUDE.md references from 7 agent definitions — plugin agents should not depend on or reference project-specific configuration files.

Release: v0.14.4

Bug Fix: Fully qualified agent names in recipes

Fixed an issue where recipes specified bare agent names (e.g., "task-executor") as subagent_type values. Claude Code plugins require the fully qualified name with namespace prefix (e.g., "dev-workflows:task-executor"), causing first-attempt invocation failures and unnecessary token usage on retry.

Changes

• Added namespace prefixes to all non-shared recipes — Backend recipes use dev-workflows: prefix, frontend recipes use dev-workflows-frontend: prefix, and fullstack recipes use both based on agent routing.
• Fixed marketplace manifest validation — Removed invalid top-level version field from marketplace.json (not in schema; update detection uses plugin.json versions).

Affected files

recipe-build, recipe-implement, recipe-review, recipe-add-integration-tests, recipe-reverse-engineer, recipe-fullstack-build, recipe-fullstack-implement, recipe-front-build, recipe-front-design, recipe-front-plan, marketplace.json

Release: v0.14.3

Bug Fix: Orchestrator delegation protocol

Fixed an issue where orchestrators could bypass sub-agent delegation and implement code directly.

Changes

• Added permitted tools whitelist — Orchestrators are now explicitly limited to coordination tools (Agent, AskUserQuestion, TaskCreate/TaskUpdate, Bash, Read). Implementation tools (Edit, Write, MultiEdit) are reserved for sub-agents only.
• Unified tool references — Replaced all ambiguous "Task tool" references with "Agent tool" across 13 recipe and guide files.
• Made delegation steps explicit — Task cycle steps now specify exact Agent tool parameters (subagent_type, description, prompt) instead of abstract labels like "INVOKE task-executor".
• Added missing description parameter — All code-block invocation examples now include all 3 required Agent tool parameters.

Affected files

subagents-orchestration-guide, recipe-implement, recipe-build, recipe-fullstack-implement, recipe-fullstack-build, recipe-front-build, recipe-diagnose, recipe-front-design, recipe-front-plan, recipe-add-integration-tests, recipe-review, recipe-update-doc, recipe-reverse-engineer

Release: v0.14.2

Fix deprecated code examples in frontend test reference

• MSW v1 → v2: Replace rest/res(ctx.json(...)) with http/HttpResponse.json(...) to match MSW 2.x API
• fireEvent → userEvent: Replace fireEvent.click() with userEvent.setup() + await user.click() per React Testing Library best practices

These examples directly influence LLM-generated test code, so keeping them current prevents deprecated API usage in output.