From 27d9a659ed32f5e26c54bce9b17cbb83284d714a Mon Sep 17 00:00:00 2001 From: Samuel Carson Date: Thu, 23 Apr 2026 23:27:53 -0500 Subject: [PATCH 1/3] chore(deps): bump pgx to v5.9.2 and Go toolchain to 1.26.2 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Addresses Dependabot alert #23: pgx SQL injection via placeholder confusion with dollar quoted string literals (GHSA-j88v-2chj-qfwx, severity: low). Fixed in pgx v5.9.2. The Go toolchain patch bump (1.26.0 → 1.26.2) is tag-along maintenance picked up by `go mod tidy`. Co-Authored-By: Claude Opus 4.7 (1M context) --- go.mod | 4 ++-- go.sum | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/go.mod b/go.mod index 003b55f..57299f9 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module github.com/scarson/cvert-ops -go 1.26.0 +go 1.26.2 require ( github.com/KimMachineGun/automemlimit v0.7.5 @@ -16,7 +16,7 @@ require ( github.com/golang-jwt/jwt/v5 v5.3.1 github.com/golang-migrate/migrate/v4 v4.19.1 github.com/google/uuid v1.6.0 - github.com/jackc/pgx/v5 v5.9.1 + github.com/jackc/pgx/v5 v5.9.2 github.com/lib/pq v1.12.3 github.com/pquerna/otp v1.5.0 github.com/prometheus/client_golang v1.23.2 diff --git a/go.sum b/go.sum index 16586b1..1690e6d 100644 --- a/go.sum +++ b/go.sum 
@@ -111,8 +111,8 @@ github.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsI github.com/jackc/pgpassfile v1.0.0/go.mod h1:CEx0iS5ambNFdcRtxPj5JhEz+xB6uRky5eyVu/W2HEg= github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 h1:iCEnooe7UlwOQYpKFhBabPMi4aNAfoODPEFNiAnClxo= github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761/go.mod h1:5TJZWKEWniPve33vlWYSoGYefn3gLQRzjfDlhSJ9ZKM= -github.com/jackc/pgx/v5 v5.9.1 h1:uwrxJXBnx76nyISkhr33kQLlUqjv7et7b9FjCen/tdc= -github.com/jackc/pgx/v5 v5.9.1/go.mod h1:mal1tBGAFfLHvZzaYh77YS/eC6IX9OWbRV1QIIM0Jn4= +github.com/jackc/pgx/v5 v5.9.2 h1:3ZhOzMWnR4yJ+RW1XImIPsD1aNSz4T4fyP7zlQb56hw= +github.com/jackc/pgx/v5 v5.9.2/go.mod h1:mal1tBGAFfLHvZzaYh77YS/eC6IX9OWbRV1QIIM0Jn4= github.com/jackc/puddle/v2 v2.2.2 h1:PR8nw+E/1w0GLuRFSmiioY6UooMp6KJv0/61nB7icHo= github.com/jackc/puddle/v2 v2.2.2/go.mod h1:vriiEXHvEE654aYKXXjOvZM39qJ0q+azkZFrfEOc3H4= github.com/jhillyerd/inbucket v2.0.0+incompatible h1:gTmxV077ktqV4ZbFjB/0rjiTrdsKQGXWUqYKWjoNIrE= From c884b1fc0705a4cb9bd82772732df72cae8eb467 Mon Sep 17 00:00:00 2001 
From: Samuel Carson Date: Thu, 23 Apr 2026 23:28:07 -0500 Subject: [PATCH 2/3] chore(skills): add plan-review-cycle and writing-plans-enhanced MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Project-scoped skills for implementation plan work: - plan-review-cycle: adversarial review for subagent-readiness across minimum 3 rounds (ambiguity, context gaps, interpretation latitude, cross-task dependencies, pitfall coverage) - writing-plans-enhanced: wraps superpowers:writing-plans with this project's conventions — plan location in dev/plans/, execution strategy recommendation, subagent-proofing, TDD mandate, pitfall review Both are already discovered via the Skill tool registry; this commits the source so they're shared across workspaces. Co-Authored-By: Claude Opus 4.7 (1M context) --- .claude/skills/plan-review-cycle/SKILL.md | 87 +++++++++++++++ .../skills/writing-plans-enhanced/SKILL.md | 100 ++++++++++++++++++ 2 files changed, 187 insertions(+) create mode 100644 .claude/skills/plan-review-cycle/SKILL.md create mode 100644 .claude/skills/writing-plans-enhanced/SKILL.md diff --git a/.claude/skills/plan-review-cycle/SKILL.md b/.claude/skills/plan-review-cycle/SKILL.md new file mode 100644 index 0000000..ac988d3 --- /dev/null +++ b/.claude/skills/plan-review-cycle/SKILL.md 
@@ -0,0 +1,87 @@ +--- +name: plan-review-cycle +description: Use after writing an implementation plan, before committing. Adversarial review for subagent-readiness — checks ambiguity, context gaps, interpretation drift, cross-task conflicts, and pitfall coverage across minimum 4 rounds. +--- + +# Plan Review Cycle + +Rigorously review an implementation plan for subagent-readiness before +committing. Minimum 3 rounds. If round 3 finds substantive issues, +keep going until clean. + +## How to run + +### Round structure + +Each round reviews the plan against ALL of these dimensions: + +**Ambiguity** — Can a subagent reasonably interpret any task description +two different ways? Eliminate every instance. Look for "handle this +correctly," "fix the issue," "update as needed" — replace with specific +behavioral descriptions. + +**Context gaps** — Would a subagent starting fresh (no conversation +history) have everything it needs? Check for: +- References to "the bug we discussed" (subagent wasn't in that discussion) +- Implicit knowledge of the codebase structure +- Assumptions about what packages are installed or what patterns exist +- Missing file paths or line numbers + +**Interpretation latitude** — Could a subagent "improve" or "enhance" +beyond scope? Look for: +- Tasks that describe a goal without constraining the approach +- Missing "do NOT" boundaries on adjacent code +- Opportunities for a subagent to refactor, rename, or reorganize + +**Cross-task dependencies** — Are ordering constraints explicit? Would +a subagent working on Task 3 know it depends on Task 1? Look for: +- Shared files modified by multiple tasks +- Tasks that create types/interfaces consumed by later tasks +- Test fixtures needed across tasks + +**Testing pitfalls** — Read `docs/pitfalls/testing-pitfalls.md`. Could +any planned test additions fall into documented pitfalls? Add warnings +to relevant tasks. 
Common traps: +- Testing mock behavior instead of real behavior +- Missing AOT verification +- Substring assertions instead of structural JSON checks + +**Implementation pitfalls** — Read `docs/pitfalls/implementation-pitfalls.md`. +Could any planned implementation fall into documented traps? Common: +- AOT-unsafe types in serialization contexts +- Pre-signed URL auth header leaks +- Hand-built JSON without escaping + +### Round execution + +For each round: +1. Read the plan end-to-end +2. Check every dimension above +3. Note each finding with location (Task N, specific text) +4. Fix all findings in the plan +5. Record the round number and finding count + +### Completion criteria + +- Round 1: expect 5+ findings (plans always have gaps on first review) +- Round 2: expect 2-3 findings (residual from fixes in round 1) +- Round 3: expect 1-2 (second-order effects of prior fixes) +- Round 4: if 0 findings, you're done. If any, keep going. +- Round 5+: continue until a round produces 0 findings + +If round 1 produces 0 findings, you're not looking hard enough. +Re-read the dimensions and try again. + +### After completion + +Log observations about plan quality and recurring patterns: + +``` +/gstack-learn add +``` + +Type: pattern +Key: plan-review-[slug] +Insight: what patterns emerged, what was most commonly wrong + +Commit the reviewed plan. diff --git a/.claude/skills/writing-plans-enhanced/SKILL.md b/.claude/skills/writing-plans-enhanced/SKILL.md new file mode 100644 index 0000000..60fb006 --- /dev/null +++ b/.claude/skills/writing-plans-enhanced/SKILL.md 
@@ -0,0 +1,100 @@ +--- +name: writing-plans-enhanced +description: Use when writing implementation plans for this project. Wraps superpowers:writing-plans with project-specific conventions — plan location, execution strategy recommendation, subagent-proofing requirements, TDD mandates, and pitfall review. +--- + +# Writing Plans (Enhanced) + +Wraps `/superpowers:writing-plans` with project-specific requirements +that prevent subagent failures during execution. + +## Step 1: Invoke the base skill + +Invoke `/superpowers:writing-plans`. Follow it completely. + +Save the plan to `docs/plans/--plan.md` +(e.g., `docs/plans/2026-04-08-mcp-tools-plan.md`). + +## Step 2: Execution strategy recommendation + +When `/writing-plans` presents execution options, recommend one with +reasoning. The three options: + +1. **Subagent-driven** (`/superpowers:subagent-driven-development`) — + fresh subagent per task, review between tasks. Best for independent + tasks needing quality gates. +2. **Parallel session** (`/superpowers:executing-plans` in a worktree) — + batch execution with checkpoints. Best for tightly coupled sequential + tasks. +3. **Parallel agents** (`/superpowers:dispatching-parallel-agents`) — + concurrent agents on independent workstreams. Best for 3+ independent + tracks with different files. + +Base the recommendation on: +- How much context this session has consumed +- Whether the plan is self-contained enough for a fresh session +- How many tasks are parallelizable vs sequential +- Whether any tasks are risky enough to warrant focused attention + +## Step 3: Subagent-proof the plan + +Subagents start fresh with zero context. 
The plan MUST prevent their +predictable failure modes: + +### Eliminate ambiguity +For each task, specify: +- Exact files to create or modify +- Exact behavior change (current → desired) +- Exact test to write (input, expected output, edge cases) +- Ordering dependencies with other tasks + +### Prevent context gaps +Each task description must be self-contained: +- Include evidence (file:line, what's wrong or what's needed) +- Include the approach (not just "fix the bug" or "add the feature") +- Include architectural context if the task depends on a design choice +- If the task touches shared code, list other callers that must still work + +### Prevent interpretation drift +- Where there's one correct approach, state it explicitly +- Where there are multiple valid approaches, pick one and specify it +- Add "do NOT" boundaries where a subagent might over-engineer + +### Mandate TDD +Every task MUST include: +``` +BEFORE starting work: +1. Invoke /superpowers:test-driven-development +2. Read docs/pitfalls/testing-pitfalls.md +Follow TDD: write failing test → implement → verify green. +``` + +Every task MUST include: +``` +BEFORE marking this task complete: +1. Review tests against docs/pitfalls/testing-pitfalls.md +2. Verify test coverage (error paths? edge cases?) +3. Run tests and confirm green +``` + +Every logical group of tasks MUST include: +``` +After completing this group: +Review the batch from multiple perspectives. Minimum 3 review rounds. +If round 3 still finds issues, keep going until clean. +``` + +### Review against pitfalls +Read both pitfalls docs and check if any planned work could fall into +documented traps. Add explicit warnings to relevant task descriptions: +- `docs/pitfalls/implementation-pitfalls.md` +- `docs/pitfalls/testing-pitfalls.md` + +### Minimize cross-task conflicts +If two tasks touch the same file, put them in the same task or +explicitly sequence them. Parallel subagents editing the same file +create merge conflicts. 
+ +## Step 4: Run /plan-review-cycle + +After writing the plan, invoke `/plan-review-cycle` before committing. From 1f02946d035b80666483ce95e647b59c2ec59125 Mon Sep 17 00:00:00 2001 From: Samuel Carson Date: Thu, 23 Apr 2026 23:28:12 -0500 Subject: [PATCH 3/3] chore: gitignore .serena/ local MCP state Serena's project directory contains per-developer cache, memories, and a project.local.yml with machine-specific settings. Keep it out of the repo. Co-Authored-By: Claude Opus 4.7 (1M context) --- .gitignore | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.gitignore b/.gitignore index 3c3e8c0..b89fb35 100644 --- a/.gitignore +++ b/.gitignore @@ -53,3 +53,6 @@ chats/ # Git worktrees .worktrees/ .claude/worktrees/ + +# Serena MCP — local project state, cache, and personal memories +.serena/
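Review bot: the `go 1.26.0` → `go 1.26.2` directive change in the first go.mod hunk raises the minimum toolchain for every build of this module, not only for the developer who ran `go mod tidy`; with Go's toolchain switching a builder on 1.26.0 or 1.26.1 will either fetch 1.26.2 or fail under `GOTOOLCHAIN=local`. Confirm that CI images and any Dockerfile base image are at 1.26.2 or newer before merging, or leave the directive at 1.26.0, since the commit message itself describes the bump as tag-along maintenance rather than something the pgx fix requires.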
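Review bot: the `github.com/jackc/pgx/v5 v5.9.1` → `v5.9.2` line in the require block is the substantive change and matches the advisory cited in the commit message (GHSA-j88v-2chj-qfwx). Two things to confirm before merge: that no `replace` directive or vendor directory elsewhere in the module still pins v5.9.1 (the go.sum hunk dropping both v5.9.1 lines suggests nothing else pulls it in), and that `github.com/lib/pq v1.12.3`, which stays in the same block, is still actually imported; carrying two Postgres drivers widens the surface that future dependency alerts land on.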
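Review bot: in the go.sum hunk the `/go.mod` hash for v5.9.2 (`mal1tBGAFfLHvZzaYh77YS/eC6IX9OWbRV1QIIM0Jn4=`) is identical to the removed v5.9.1 `/go.mod` line while the module zip hash differs. That is consistent with a patch release that changed source but not its own go.mod, but for a change whose whole point is supply-chain hygiene it is worth running `go mod verify` and confirming the sums were obtained with the checksum database enabled (no `GOSUMDB=off` or `GONOSUMDB` entry covering `github.com/jackc`) before merging.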
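Review bot: the new `plan-review-cycle/SKILL.md` contradicts itself on the round count: the frontmatter `description` says `minimum 4 rounds`, the body says `Minimum 3 rounds`, and the completion criteria treat round 4 as the first round that may terminate. Pick one number and use it in both places; the frontmatter is what the skill registry surfaces, so a reader selecting the skill sees a different contract than the one the body enforces. Also `docs/pitfalls/testing-pitfalls.md` and `docs/pitfalls/implementation-pitfalls.md` are cited as required reading but are not part of this series; confirm both exist at those paths.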
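Review bot: in `writing-plans-enhanced/SKILL.md` the save path `docs/plans/--plan.md` reads as a template whose placeholders were lost (the example `docs/plans/2026-04-08-mcp-tools-plan.md` shows a date and slug between those hyphens); restore the placeholders so a subagent does not write to a literal `--plan.md`. The path also disagrees with the commit message, which says plans live in `dev/plans/`; one of the two should change. Minor: the `Mandate TDD` section repeats the three-round review wording from `plan-review-cycle`, so any change to the round count has to be made in both files.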
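Review bot: the `.serena/` ignore only affects untracked files; anything from that directory (cache, memories, `project.local.yml`) that was already committed stays in the tree and in history. Run `git ls-files .serena` and, if it returns anything, `git rm -r --cached .serena` in this same commit; since the commit message describes the contents as personal memories and machine-specific settings, also check whether anything already pushed needs scrubbing rather than just untracking.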