@blundergoat/goat-flow

AI coding agent harness and local dashboard for Claude Code, OpenAI Codex, Google Antigravity, and GitHub Copilot - setup audits, guardrails, structured skills, deny hooks, and persistent learning loops.

653 lines (652 loc) 41.5 kB
[ { "id": "critique-plan", "name": "Critique a Plan", "desc": "SKEPTIC/ANALYST/STRATEGIST critique of a plan", "prompt": "/goat-critique this plan. Apply the SKEPTIC, ANALYST, and STRATEGIST lenses. Concrete findings, not vibes. Ask which plan to critique if none in context.", "cat": "critique", "route": "goat-critique", "source": "goat-flow-catalog", "globalSafe": true, "internalOnly": false, "qualityMode": false, "requiresGh": false, "requiresPrOrIssue": false, "requiresLocalDiff": false, "requiresUiApp": false, "requiresDependencyFiles": false, "requiresGoatFlowInstall": false, "mayCheckoutBranch": false, "requiresCleanWorktree": false, "mayWriteFiles": false, "artifactRequired": true, "bestTargetSurfaces": ["repo", "docs"], "fallbackPrompt": "", "costTier": "high" }, { "id": "skill-quality-test", "name": "Pressure-Test a Skill", "desc": "RED/GREEN/REFACTOR skill TDD using the quality-testing protocol", "prompt": "Skill Suite Quality Assessment\n\nREPORTING-ONLY ASSESSMENT MODE. Do not edit tracked files. Do not use /goat-critique, /goat-review, or any other goat skill as the wrapper for this assessment; this prompt is the full assessment contract. You may read files, run read-only commands, and write normal gitignored reporting/local-state artifacts if the runner requires them. In this contract, gitignored logs, scratchpad notes, critique snapshots, quality reports, and task-local state do not count as writes; do not report them as read-only violations.\n\nAssess all seven goat-flow skills: /goat, /goat-debug, /goat-plan, /goat-review, /goat-critique, /goat-security, and /goat-qa. Use .goat-flow/skill-docs/skill-quality-testing/README.md plus the relevant files under .goat-flow/skill-docs/skill-quality-testing/. Read the workflow template SKILL.md files and installed mirrors under .claude/skills/, .agents/skills/, and .github/skills/ where relevant.\n\nMethod rule: prefer live skill invocation only when the runner supports it safely. 
If live invocation or delegated/sub-agent calls are unavailable, perform a file-grounded protocol run against SKILL.md and label the evidence limit. Never imply a dry run is bulletproof TDD evidence.\n\nFor each skill, output exactly these fields: Method used; Evidence limit; Worked; Failed/confusing; Useless ceremony; RED scenario; GREEN result; minimal REFACTOR; Verification command or grep that would prove the fix. Do not stop after one skill and do not ask which skill.\n\nAfter the seven sections, output: Cross-skill patterns; Top 5 skill/system improvements with file or semantic-anchor evidence and expected impact; What was not tested. Prioritize actionable improvements over praise.", "cat": "critique", "route": "goat-critique", "source": "goat-flow-catalog", "globalSafe": false, "internalOnly": true, "qualityMode": true, "requiresGh": false, "requiresPrOrIssue": false, "requiresLocalDiff": false, "requiresUiApp": false, "requiresDependencyFiles": false, "requiresGoatFlowInstall": false, "mayCheckoutBranch": false, "requiresCleanWorktree": false, "mayWriteFiles": false, "artifactRequired": true, "bestTargetSurfaces": ["goat-flow"], "fallbackPrompt": "", "costTier": "high" }, { "id": "error", "name": "Diagnose Error", "desc": "Diagnosis only - stops before proposing a fix", "prompt": "/goat-debug diagnose an error. Ask me to paste the error message, stack trace, and what I was doing when it triggered. Stop before proposing a fix - I want to understand the cause first. Ask questions if the stack trace is ambiguous or the repro steps are unclear. End with 'Root cause: ...' 
or 'Cannot determine root cause from current evidence; need: ...'", "cat": "debug", "route": "goat-debug", "source": "goat-flow-catalog", "globalSafe": true, "internalOnly": false, "qualityMode": false, "requiresGh": false, "requiresPrOrIssue": false, "requiresLocalDiff": false, "requiresUiApp": false, "requiresDependencyFiles": false, "requiresGoatFlowInstall": false, "mayCheckoutBranch": false, "requiresCleanWorktree": false, "mayWriteFiles": false, "artifactRequired": false, "bestTargetSurfaces": ["repo", "cli", "api", "ui"], "fallbackPrompt": "", "costTier": "low" }, { "id": "explore", "name": "Explore Codebase", "desc": "High-level map of an unfamiliar codebase", "prompt": "/goat-debug investigate this codebase. If I don't tell you where to focus, produce a high-level map in 300 words or less with sections: Entry points, Core domains, External integrations, Test hotspots. Read actual files - don't guess from names. Ask me what area to drill into next.", "cat": "debug", "route": "goat-debug", "source": "goat-flow-catalog", "globalSafe": true, "internalOnly": false, "qualityMode": false, "requiresGh": false, "requiresPrOrIssue": false, "requiresLocalDiff": false, "requiresUiApp": false, "requiresDependencyFiles": false, "requiresGoatFlowInstall": false, "mayCheckoutBranch": false, "requiresCleanWorktree": false, "mayWriteFiles": false, "artifactRequired": false, "bestTargetSurfaces": ["repo", "library", "api", "cli", "ui"], "fallbackPrompt": "", "costTier": "low" }, { "id": "fix-bug", "name": "Fix Bug", "desc": "Diagnosis through to fix and post-fix verification", "prompt": "/goat-debug fix a bug end-to-end. Ask me for expected vs actual behaviour and steps to reproduce. Don't expand scope to \"while we're here\" refactors - fix only what's necessary. 
Call out any regression risk for related code paths before declaring done.", "cat": "debug", "route": "goat-debug", "source": "goat-flow-catalog", "globalSafe": true, "internalOnly": false, "qualityMode": false, "requiresGh": false, "requiresPrOrIssue": false, "requiresLocalDiff": false, "requiresUiApp": false, "requiresDependencyFiles": false, "requiresGoatFlowInstall": false, "mayCheckoutBranch": false, "requiresCleanWorktree": false, "mayWriteFiles": true, "artifactRequired": false, "bestTargetSurfaces": ["repo", "library", "api", "cli", "ui"], "fallbackPrompt": "", "costTier": "medium" }, { "id": "milestones", "name": "Break Into Milestones", "desc": "Milestone task files with testable exit criteria", "prompt": "/goat-plan break this into milestones. Use the feature plan from context; if none, ask which feature. Each milestone gets: goal (one sentence), exit criteria (testable), key tasks. The first milestone is always a spike validating the riskiest assumption. No milestone longer than 3-5 days of work - split if larger.", "cat": "plan", "route": "goat-plan", "source": "goat-flow-catalog", "globalSafe": true, "internalOnly": false, "qualityMode": false, "requiresGh": false, "requiresPrOrIssue": false, "requiresLocalDiff": false, "requiresUiApp": false, "requiresDependencyFiles": false, "requiresGoatFlowInstall": false, "mayCheckoutBranch": false, "requiresCleanWorktree": false, "mayWriteFiles": true, "artifactRequired": false, "bestTargetSurfaces": ["repo", "docs"], "fallbackPrompt": "", "costTier": "medium" }, { "id": "plan", "name": "Plan Feature", "desc": "Feature brief to structured plan with scope boundaries", "prompt": "/goat-plan a new feature. Ask me for the feature brief (problem being solved, users, success criteria, constraints). Produce a plan with scope boundaries (in vs out), affected files/modules, spike/POC needs, assumption list, and risk callouts. Not a task list yet - that's the next step. 
Ask questions if the brief is ambiguous.", "cat": "plan", "route": "goat-plan", "source": "goat-flow-catalog", "globalSafe": true, "internalOnly": false, "qualityMode": false, "requiresGh": false, "requiresPrOrIssue": false, "requiresLocalDiff": false, "requiresUiApp": false, "requiresDependencyFiles": false, "requiresGoatFlowInstall": false, "mayCheckoutBranch": false, "requiresCleanWorktree": false, "mayWriteFiles": false, "artifactRequired": false, "bestTargetSurfaces": ["repo", "library", "api", "cli", "ui"], "fallbackPrompt": "", "costTier": "medium" }, { "id": "refactor", "name": "Plan Refactor", "desc": "Sequenced refactor plan with blast-radius analysis", "prompt": "/goat-plan a refactor. Ask me what to restructure and the expected blast radius. Map actual callers, tests, and dependencies - use grep, don't guess. Propose a sequenced plan that preserves behaviour at each step. Flag any API-breaking changes that require caller updates.", "cat": "plan", "route": "goat-plan", "source": "goat-flow-catalog", "globalSafe": true, "internalOnly": false, "qualityMode": false, "requiresGh": false, "requiresPrOrIssue": false, "requiresLocalDiff": false, "requiresUiApp": false, "requiresDependencyFiles": false, "requiresGoatFlowInstall": false, "mayCheckoutBranch": false, "requiresCleanWorktree": false, "mayWriteFiles": false, "artifactRequired": false, "bestTargetSurfaces": ["repo", "library", "api", "cli"], "fallbackPrompt": "", "costTier": "medium" }, { "id": "test-audit", "name": "Coverage Audit", "desc": "Global coverage audit for a codebase area, suitable for libraries, APIs, CLIs, and apps", "prompt": "/goat-qa audit test coverage in a codebase area. Ask which area - default to the most-changed files. Output as a table: File | Existing tests | Assertion depth | Uncovered branches | Risk. 
Don't conflate 'file has tests' with 'file is well-tested'.", "cat": "qa", "route": "goat-qa", "source": "goat-flow-catalog", "globalSafe": true, "internalOnly": false, "qualityMode": false, "requiresGh": false, "requiresPrOrIssue": false, "requiresLocalDiff": false, "requiresUiApp": false, "requiresDependencyFiles": false, "requiresGoatFlowInstall": false, "mayCheckoutBranch": false, "requiresCleanWorktree": false, "mayWriteFiles": false, "artifactRequired": false, "bestTargetSurfaces": ["repo", "library", "api", "cli", "ui"], "fallbackPrompt": "", "costTier": "medium" }, { "id": "flow-diagram", "name": "Flow Diagram", "desc": "Trace code flow for a feature and produce a Mermaid flowchart from actual code paths", "prompt": "/goat-qa Trace the code flow for a specific feature or ticket and produce a Mermaid flowchart. Ask which feature or ticket to trace if not in context. Read actual code paths (controllers, services, external calls) - don't guess from names.\n\nShow: entry point (controller/route/command), key decision branches (if/else, switch, feature flags), external calls (API, queue, email, cron), error paths (where errors are caught vs where they bubble up unhandled), and success states. Keep the diagram readable - collapse internal helper methods unless they contain branching logic. Label edges with the condition that triggers them. If a branch is inferred rather than verified from the code, mark it INFERRED (dashed edge in Mermaid). 
Output as a ```mermaid code block.", "cat": "qa", "route": "goat-qa", "source": "goat-flow-catalog", "globalSafe": true, "internalOnly": false, "qualityMode": false, "requiresGh": false, "requiresPrOrIssue": false, "requiresLocalDiff": false, "requiresUiApp": false, "requiresDependencyFiles": false, "requiresGoatFlowInstall": false, "mayCheckoutBranch": false, "requiresCleanWorktree": false, "mayWriteFiles": false, "artifactRequired": false, "bestTargetSurfaces": ["repo", "api", "ui", "cli"], "fallbackPrompt": "", "costTier": "medium" }, { "id": "walkthrough-with-testing", "name": "Pre Walk-Through with Draft Targeted Testing", "desc": "Summary, tester-voice questions, and targeted testing plan in one paste-ready comment", "prompt": "/goat-qa Carefully read the GitHub issue link and all comments using gh, then analyse the code changes in the pull request. Git checkout the branch and read the code locally to understand what was actually built - not just what the PR description claims.\n\nIf I haven't provided the git branch, GitHub issue URL, or PR URL, ask me for them before proceeding. Fallbacks before checkout: if gh is missing, ask for pasted PR/diff context; if there is no open PR, offer local diff or branch comparison; if gh pr diff is too large, use file-list API or chunked local diff; before any checkout, require a clean worktree or explicit user approval. Ask clarifying questions before generating output if the scope is genuinely unclear.\n\nGenerate a single GitHub comment with exactly three sections. The total output should fit in roughly one viewport when rendered - cut questions or tasks rather than cramming more in.\n\n---\n\n**Section 1 - What changed**\nTwo lines max. Plain language describing what changed and what behaviour a tester or user would notice. No file names, no code terms, no list of files. 
Use assertive language: \"Patient portal behaviour is unchanged\" not \"should be unchanged.\"\n\n**Section 2 - Questions for walk-through (3-6)**\nSharp questions designed to surface risks the developer may have missed. Skip anything the developer already tested or documented in their PR description/dev notes, anything static analysis would catch, and anything existing automated acceptance tests cover.\n\nFirst, identify what TYPE of change this PR makes, then probe where bugs actually hide for that type:\n- Database/migration: nullable columns NULL in production but populated in test data. Legacy records predating the migration. Schema coexistence during rollout.\n- Form/validation: conditionally excluded fields silently nullified on submit. Multi-step abandonment leaving partial records.\n- API/endpoint: entity-level authorization gaps. Inconsistent behaviour across entry points (web, API, background, webhooks).\n- Cron/background: no user context. Full dataset iteration at production scale. Incomplete workflow states.\n- UI/frontend: data-shape-dependent rendering - empty states, single vs multiple, long strings. Production data volume differences.\n- Business logic: rounding/precision compounding. Timezone edge cases. Status transitions and boundary values.\n- Cross-cutting: side effects not triggered for all entry points. Coexisting current vs deprecated paths.\n\nVoice and format rules:\n- NO file paths, line numbers, method names, class names, or variable names inside question text. 
Analyse the code deeply, but output only plain-English tester questions.\n- Lead with what you found: \"From what I can see...\" or \"I noticed that...\" followed by \"Is that intended?\" or \"Should we be worried about...\"\n- Each question: bold one-line question in propose-and-ask voice, then 1-2 plain-English sentences of context.\n- Use hyphens (-) not em-dashes.\n\n**Section 3 - Targeted testing plan (3-8 tasks)**\nAbove the table: \"Excludes what dev + walk-through already covered, and anything static analysis / automated acceptance tests catch.\"\n\nMarkdown table with three columns: Test Task | Why Important | Result\n- Test Task: concrete step-by-step with arrows (e.g. \"Pin 2+ notes -> change colour -> save -> reload. Pins should remain.\")\n- Why Important: code references encouraged here - file paths and method names help triage\n- Result: leave empty for tester to fill\n\nHard excludes - do NOT create tasks for: DB seeding, multi-tab concurrency (unless code introduces concurrency primitives), address-bar URL manipulation, request tampering/extensions, CLI/cron/shell. UI testing only, on local development. If a real risk falls outside these constraints, flag it in a note below the table.\n\n---\n\nUse a compact one-line Verification Integrity footer. Do NOT output: Change Risk Map, Gap Analysis table, or TL;DR paragraph.\n\n**Self-check before outputting:** Re-read every question in Section 2. If any file path, method name, class name, or line number appears in the question text, rewrite it in plain English. 
The code stays in your reasoning; only the tester's question appears in the output.", "cat": "qa", "route": "goat-qa", "source": "goat-flow-catalog", "globalSafe": true, "internalOnly": false, "qualityMode": false, "requiresGh": true, "requiresPrOrIssue": true, "requiresLocalDiff": false, "requiresUiApp": true, "requiresDependencyFiles": false, "requiresGoatFlowInstall": false, "mayCheckoutBranch": true, "requiresCleanWorktree": true, "mayWriteFiles": false, "artifactRequired": false, "bestTargetSurfaces": ["ui", "app"], "fallbackPrompt": "If gh is missing, ask for pasted PR/diff context. If there is no open PR, offer local diff or branch comparison. If the PR diff is too large, use file-list API or chunked local diff.", "costTier": "high" }, { "id": "test-regression", "name": "Regression Guard", "desc": "Regression-guard recommendation for the invariant violated by a recent bug", "prompt": "/goat-qa regression guard for a recent bug fix. Ask me for the bug details (what broke, root cause, fix applied) if not in context. Recommend a regression guard without writing test code or generating a patch: state the invariant that was violated, the likely test location based on existing tests, the assertion shape, setup data needed, and the suggested test name. 
Hand off implementation to a coding agent or human after the plan is accepted.", "cat": "qa", "route": "goat-qa", "source": "goat-flow-catalog", "globalSafe": true, "internalOnly": false, "qualityMode": false, "requiresGh": false, "requiresPrOrIssue": false, "requiresLocalDiff": false, "requiresUiApp": false, "requiresDependencyFiles": false, "requiresGoatFlowInstall": false, "mayCheckoutBranch": false, "requiresCleanWorktree": false, "mayWriteFiles": false, "artifactRequired": false, "bestTargetSurfaces": ["repo", "library", "api", "cli", "ui"], "fallbackPrompt": "", "costTier": "low" }, { "id": "test", "name": "PR UI Testing Plan", "desc": "PR/GitHub UI workflow that drafts targeted local-development test tasks", "prompt": "/goat-qa Use gh to carefully read the GitHub issue link and all comments, then analyse the code changes in the pull request. Git checkout the branch and analyse the code changes locally to determine a highly targeted testing plan.\n\nIf I haven't provided the git branch, GitHub issue URL, or PR URL, ask me for them before proceeding. 
Fallbacks before checkout: if gh is missing, ask for pasted PR/diff context; if there is no open PR, offer local diff or branch comparison; if gh pr diff is too large, use file-list API or chunked local diff; before any checkout, require a clean worktree or explicit user approval.\n\nFirst, identify what TYPE of change this PR makes, then target where bugs hide for that type (database: nullable columns NULL in production; form: excluded fields nullified on submit; API: entity-level auth gaps; cron: no user context + full dataset iteration; UI: data-dependent rendering; business logic: rounding/timezone/state transitions; cross-cutting: side effects across entry points).\n\nDo NOT include what the developer has already tested, or what will be covered by the project's static analysis or existing automated acceptance tests.\n\nAbove the table: 'Excludes what dev + walk-through already covered, and anything static analysis / automated acceptance tests catch.'\n\nPresent as a markdown table with three columns: Test Task | Why Important | Result\n- Test Task: concrete step-by-step with arrows (e.g. 'Pin 2+ notes -> change colour -> save -> reload. Pins should remain.')\n- Why Important: code references encouraged (file paths, method names help triage)\n- Result: leave empty for tester to fill\n\nHard excludes - do NOT create tasks for: DB seeding, multi-tab concurrency (unless code introduces concurrency primitives), address-bar URL manipulation, request tampering/extensions, CLI/cron/shell. UI testing only on local development. If a real risk falls outside these constraints, flag it in a note below the table.\n\nAim for 3-8 tasks of around 5-10 minutes each. 
Ask questions if required.", "cat": "qa", "route": "goat-qa", "source": "goat-flow-catalog", "globalSafe": true, "internalOnly": false, "qualityMode": false, "requiresGh": true, "requiresPrOrIssue": true, "requiresLocalDiff": false, "requiresUiApp": true, "requiresDependencyFiles": false, "requiresGoatFlowInstall": false, "mayCheckoutBranch": true, "requiresCleanWorktree": true, "mayWriteFiles": false, "artifactRequired": false, "bestTargetSurfaces": ["ui", "app"], "fallbackPrompt": "If gh is missing, ask for pasted PR/diff context. If there is no open PR, offer local diff or branch comparison. If the PR diff is too large, use file-list API or chunked local diff.", "costTier": "high" }, { "id": "test-vs-code", "name": "Test Plan vs Code Changes", "desc": "Compare your testing plan against actual code changes to find gaps", "prompt": "/goat-qa Compare a testing plan against the actual code changes in a PR or branch. Ask me to paste my testing plan and dev testing notes if not provided. Compare this combined testing coverage against the actual diff. Surface: gaps (code changes neither the dev nor my plan covers), overlaps (areas where my plan duplicates what the dev already tested), suggestions (specific scenarios to add based on actual code), and risk areas (changes that look low-risk but touch shared logic or multiple entry points). Be specific - 'test the edge cases' is not useful. 'Test with a user who has no email address because the notification code does not null-check the email field' is useful. 
Ask for the PR link or branch name if not provided.", "cat": "qa", "route": "goat-qa", "source": "goat-flow-catalog", "globalSafe": true, "internalOnly": false, "qualityMode": false, "requiresGh": false, "requiresPrOrIssue": true, "requiresLocalDiff": true, "requiresUiApp": false, "requiresDependencyFiles": false, "requiresGoatFlowInstall": false, "mayCheckoutBranch": false, "requiresCleanWorktree": false, "mayWriteFiles": false, "artifactRequired": true, "bestTargetSurfaces": ["repo", "library", "api", "ui"], "fallbackPrompt": "", "costTier": "medium" }, { "id": "browser-verify", "name": "Browser Verification", "desc": "Verify UI state using browser-use - observational only, no writes", "prompt": "/goat-qa Verify UI state using browser-use. Check browser-use is available (`command -v browser-use || command -v browser-use-python`). If missing, offer to install or ask for manual evidence (screenshots, DevTools output) instead.\n\nAsk me what to verify: a URL, a feature, or a specific visual state. If I provide expected behaviour, confirm or deny each expectation with browser evidence. If I don't provide expectations, describe what you see and ask what I want to verify.\n\nWorkflow: open the page (`browser-use open <url>`), capture state (`browser-use state`), take a screenshot (`browser-use screenshot`). Re-run `state` after any navigation or interaction to keep element indices fresh. For each claim: state what is OBSERVED (direct browser output) vs what is INFERRED (your interpretation mapped to code or expectations).\n\nDo not click buttons that mutate state, submit forms, or follow destructive links unless I explicitly ask you to. 
Close the browser when done (`browser-use close`).", "cat": "qa", "route": "goat-qa", "source": "goat-flow-catalog", "globalSafe": true, "internalOnly": false, "qualityMode": false, "requiresGh": false, "requiresPrOrIssue": false, "requiresLocalDiff": false, "requiresUiApp": true, "requiresDependencyFiles": false, "requiresGoatFlowInstall": false, "mayCheckoutBranch": false, "requiresCleanWorktree": false, "mayWriteFiles": false, "artifactRequired": false, "bestTargetSurfaces": ["ui", "app"], "fallbackPrompt": "No browser-use CLI detected. Install it first (see scripts/install-browser-tools.sh), then retry. Or provide manual evidence: screenshots, DevTools output, console errors.", "costTier": "low" }, { "id": "page-capture", "name": "Batch Page Capture", "desc": "Visit N pages, screenshot each, and produce structured MD records with an index", "prompt": "/goat-qa Batch page capture using the page-capture protocol. Read `.goat-flow/skill-docs/playbooks/page-capture.md` for the full workflow reference.\n\nAsk me for what is missing from: (1) page list - explicit URLs, a route manifest path, or a diff to derive affected pages from; (2) auth requirements - storage state path, login flow, or none; (3) viewport - default 1280x800 unless I specify otherwise; (4) a label for this capture run.\n\nRun the Playwright availability check in tier order (MCP > project-local Node > Python via browser-use-python > browser-use CLI downgrade) and report which tier will be used. Do not silently fall back to a less capable tier.\n\nFor each page: navigate, wait for a content anchor before screenshotting (text > selector > network-idle > time delay as last resort marked INFERRED), capture console error count, and write one MD record per page. Write an index after all pages are processed.\n\nOutput goes to `.goat-flow/logs/sessions/<date>-<label>/`. Record failures honestly - never skip a page silently. Verify every screenshot file exists on disk before claiming the run is complete. 
Do not click buttons that mutate state or submit forms unless the task explicitly requires it.", "cat": "qa", "route": "goat-qa", "source": "goat-flow-catalog", "globalSafe": false, "internalOnly": false, "qualityMode": false, "requiresGh": false, "requiresPrOrIssue": false, "requiresLocalDiff": false, "requiresUiApp": true, "requiresDependencyFiles": false, "requiresGoatFlowInstall": true, "mayCheckoutBranch": false, "requiresCleanWorktree": false, "mayWriteFiles": false, "artifactRequired": false, "bestTargetSurfaces": ["ui", "app"], "fallbackPrompt": "If no Playwright path (MCP, Node, or Python) is available, ask whether to downgrade to browser-use CLI (no console error capture) or use manual fallback.", "costTier": "medium" }, { "id": "review", "name": "Code Review", "desc": "Two-pass review of recent changes with MUST/SHOULD/MAY severity", "prompt": "/goat-review my recent changes on this branch. Flag findings as MUST (blocks merge), SHOULD (fix before it spreads), or MAY (nitpick - skip if time is tight). Ask questions if the scope is unclear.", "cat": "review", "route": "goat-review", "source": "goat-flow-catalog", "globalSafe": true, "internalOnly": false, "qualityMode": false, "requiresGh": false, "requiresPrOrIssue": false, "requiresLocalDiff": true, "requiresUiApp": false, "requiresDependencyFiles": false, "requiresGoatFlowInstall": false, "mayCheckoutBranch": false, "requiresCleanWorktree": false, "mayWriteFiles": false, "artifactRequired": false, "bestTargetSurfaces": ["repo", "library", "api", "cli", "ui"], "fallbackPrompt": "", "costTier": "medium" }, { "id": "quality-check-goatflow", "name": "Critique GOAT Flow", "desc": "Qualitative read-only audit of the goat-flow installation (not the CLI audit command)", "prompt": "REPORTING-ONLY ASSESSMENT MODE. Do not edit tracked files. Do not use /goat-review or any goat skill as the wrapper for this assessment; this prompt is the full assessment contract. 
You may read files, run read-only validation commands, and write normal gitignored reporting/local-state artifacts if the runner requires them. In this contract, gitignored logs, scratchpad notes, critique snapshots, quality reports, and task-local state do not count as writes; do not report them as read-only violations.\n\nAssess the goat-flow framework process in the controlling workspace: instruction files, .goat-flow/config.yaml, .goat-flow/architecture.md, .goat-flow/code-map.md, .goat-flow/skill-docs/, .goat-flow/skill-docs/playbooks/, workflow/setup/, workflow/manifest.json, installed skill mirrors, hooks, quality prompt modes, and validation scripts.\n\nGrounding commands to run or explicitly mark skipped: git status --short --untracked-files=all; node --import tsx src/cli/cli.ts stats . --check; node --import tsx src/cli/cli.ts audit . --check-drift --format json; bash scripts/preflight-checks.sh. Command output wins over prose.\n\nUse grep-first retrieval for .goat-flow/learning-loop/footguns/, .goat-flow/learning-loop/lessons/, and .goat-flow/learning-loop/decisions/. Do not broad-load those directories.\n\nAssessment checklist: Pre-check Results; Findings ordered by severity; What works; What is weak or ceremonial; Contradictions and false paths; Top 5 improvements; What was not verified. Use this checklist to decide the saved JSON scores and findings. 
Each saved finding detail must include action type, exact file or semantic-anchor evidence, why it matters, and a verification command that would prove the fix.", "cat": "review", "route": "goat-review", "source": "goat-flow-catalog", "globalSafe": false, "internalOnly": true, "qualityMode": true, "requiresGh": false, "requiresPrOrIssue": false, "requiresLocalDiff": false, "requiresUiApp": false, "requiresDependencyFiles": false, "requiresGoatFlowInstall": true, "mayCheckoutBranch": false, "requiresCleanWorktree": false, "mayWriteFiles": false, "artifactRequired": false, "bestTargetSurfaces": ["goat-flow"], "fallbackPrompt": "", "costTier": "high" }, { "id": "audit", "name": "Quality Audit", "desc": "Area audit of the most-changed files by commit frequency", "prompt": "/goat-review audit the most-changed files in this repo. Find hotspots by commit frequency, then review for code smells, complexity creep, test gaps, and unclear ownership. Prioritise findings by risk × change frequency - a small smell in a frequently-changed file beats a big one in a stable file.", "cat": "review", "route": "goat-review", "source": "goat-flow-catalog", "globalSafe": false, "internalOnly": false, "qualityMode": false, "requiresGh": false, "requiresPrOrIssue": false, "requiresLocalDiff": false, "requiresUiApp": false, "requiresDependencyFiles": false, "requiresGoatFlowInstall": true, "mayCheckoutBranch": false, "requiresCleanWorktree": false, "mayWriteFiles": false, "artifactRequired": false, "bestTargetSurfaces": ["goat-flow-install"], "fallbackPrompt": "", "costTier": "medium" }, { "id": "review-instructions", "name": "Review Instructions", "desc": "Audit agent instruction files for drift and contradictions", "prompt": "/goat-review audit my agent instruction files (AGENTS.md, CLAUDE.md, .github/copilot-instructions.md) for drift. Check for: stale references, contradictions between files, missing verification gates, broken cross-references. 
Verify every claim by reading the actual file or running the command - do not assume it's correct because it's written down.", "cat": "review", "route": "goat-review", "source": "goat-flow-catalog", "globalSafe": false, "internalOnly": false, "qualityMode": false, "requiresGh": false, "requiresPrOrIssue": false, "requiresLocalDiff": false, "requiresUiApp": false, "requiresDependencyFiles": false, "requiresGoatFlowInstall": true, "mayCheckoutBranch": false, "requiresCleanWorktree": false, "mayWriteFiles": false, "artifactRequired": false, "bestTargetSurfaces": ["goat-flow-install"], "fallbackPrompt": "", "costTier": "medium" }, { "id": "uncommitted", "name": "Review Uncommitted", "desc": "Pre-commit gate - MUST findings only, no fix suggestions", "prompt": "/goat-review my uncommitted changes as a pre-commit gate. Flag MUST findings only - bugs, security issues, broken tests, missing null checks, regression risks. Skip SHOULD and MAY. Do not offer fixes - I want to decide. Always emit the goat-review Review Integrity section. 
If there are zero MUST findings, say that no MUST findings surfaced, defend what was checked using goat-review zero-findings discipline, then include Review Integrity instead of only saying ship it.", "cat": "review", "route": "goat-review", "source": "goat-flow-catalog", "globalSafe": true, "internalOnly": false, "qualityMode": false, "requiresGh": false, "requiresPrOrIssue": false, "requiresLocalDiff": true, "requiresUiApp": false, "requiresDependencyFiles": false, "requiresGoatFlowInstall": false, "mayCheckoutBranch": false, "requiresCleanWorktree": false, "mayWriteFiles": false, "artifactRequired": false, "bestTargetSurfaces": ["repo", "library", "api", "cli", "ui"], "fallbackPrompt": "", "costTier": "medium" }, { "id": "access-control", "name": "Access Control Audit", "desc": "Best for web/API/app entry points with authn, authz, and entity access checks", "prompt": "/goat-security audit access control for web/API/app entry points with authentication, authorization, and entity-level access. If this project is a library, CLI, or tooling repo without user-facing entry points, ask whether to switch to the broader security assessment or dependency scan before proceeding. For every route, endpoint, controller action, background job, webhook handler, or equivalent entry point, verify each defense-in-depth layer independently: (1) Authentication - is the caller verified, and can the entry point be reached unauthenticated? (2) Role/permission checks - is the caller authorized for this action, and are checks enforced consistently by framework/middleware or repeated by hand? (3) Entity-level authorization - can the caller access THIS specific record, not just any record of this type? Check for IDOR gaps where a valid user can access another user's data by changing an ID. (4) Feature toggles - are disabled features still reachable via direct URL, API call, job trigger, or webhook? 
For each gap, name the entry point, missing layer, attacker precondition, and realistic impact.", "cat": "security", "route": "goat-security", "source": "goat-flow-catalog", "globalSafe": true, "internalOnly": false, "qualityMode": false, "requiresGh": false, "requiresPrOrIssue": false, "requiresLocalDiff": false, "requiresUiApp": false, "requiresDependencyFiles": false, "requiresGoatFlowInstall": false, "mayCheckoutBranch": false, "requiresCleanWorktree": false, "mayWriteFiles": false, "artifactRequired": false, "bestTargetSurfaces": ["api", "ui", "app"], "fallbackPrompt": "", "costTier": "high" }, { "id": "compliance-check", "name": "Compliance Gap Check", "desc": "Compliance-mode assessment that requires named framework and clause sources", "prompt": "/goat-security compliance-mode assessment. First require the named framework and authoritative clause/control source (for example SOC 2, HIPAA, ISO 27001, PCI DSS, internal policy text, or a supplied control matrix). If the framework or clause source is absent, ask for it; do not browse, guess, or fabricate clause language silently. Map each supplied applicable control to code/config evidence or absence. 
For every control, report non-compliant, partially compliant, or not assessed, and use \"not assessed\" when the source or implementation evidence is missing.", "cat": "security", "route": "goat-security", "source": "goat-flow-catalog", "globalSafe": true, "internalOnly": false, "qualityMode": false, "requiresGh": false, "requiresPrOrIssue": false, "requiresLocalDiff": false, "requiresUiApp": false, "requiresDependencyFiles": false, "requiresGoatFlowInstall": false, "mayCheckoutBranch": false, "requiresCleanWorktree": false, "mayWriteFiles": false, "artifactRequired": true, "bestTargetSurfaces": ["repo", "policy"], "fallbackPrompt": "If no framework or authoritative clause source is supplied, ask for it and mark missing controls as not assessed.", "costTier": "high" }, { "id": "dep-scan", "name": "Dependency Scan", "desc": "CVE and supply-chain check on dependencies", "prompt": "/goat-security scan dependencies for known CVEs and supply-chain risks. Use package manager audit/scanner output as leads only, never as confirmed findings by itself. Cross-reference package manifests and lockfiles for exact versions, then manually verify reachability, shipped/runtime exposure, trust boundary, and operational impact before promoting any lead to CONFIRMED or PROBABLE. 
Flag stale or unmaintained dependencies only with evidence of project use and realistic impact; otherwise list them as follow-up leads.", "cat": "security", "route": "goat-security", "source": "goat-flow-catalog", "globalSafe": true, "internalOnly": false, "qualityMode": false, "requiresGh": false, "requiresPrOrIssue": false, "requiresLocalDiff": false, "requiresUiApp": false, "requiresDependencyFiles": true, "requiresGoatFlowInstall": false, "mayCheckoutBranch": false, "requiresCleanWorktree": false, "mayWriteFiles": false, "artifactRequired": false, "bestTargetSurfaces": ["repo", "library", "api", "cli", "ui"], "fallbackPrompt": "If lockfiles or manifests are absent, ask where dependency versions are defined before assessing scanner leads.", "costTier": "medium" }, { "id": "security", "name": "Security Assessment", "desc": "Full threat assessment with CONFIRMED/PROBABLE/THEORETICAL findings", "prompt": "/goat-security threat assessment of this project. If the requested depth is not clear, ask whether to run a repo/component quick scan or a full assessment before reading broadly. Read the codebase, config, and deployment/runtime surface - not just package manifests. Use repo-appropriate categories: auth/authz, secrets/data exposure, filesystem/path handling, dependency supply chain, CI/CD, agent surfaces, CLI/tooling, and local HTTP/WebSocket/PTY surfaces such as bind address, Host/Origin checks, session IDs, browser-to-terminal input paths, workspace/cwd boundaries, and terminal runner prompts. Classify findings as CONFIRMED (reproduced or clearly exploitable), PROBABLE (strong evidence, needs validation), or THEORETICAL (attack class exists but exploitation path unclear). 
For each finding, name the asset, attacker model, precondition, trust boundary, and realistic impact.", "cat": "security", "route": "goat-security", "source": "goat-flow-catalog", "globalSafe": true, "internalOnly": false, "qualityMode": false, "requiresGh": false, "requiresPrOrIssue": false, "requiresLocalDiff": false, "requiresUiApp": false, "requiresDependencyFiles": false, "requiresGoatFlowInstall": false, "mayCheckoutBranch": false, "requiresCleanWorktree": false, "mayWriteFiles": false, "artifactRequired": false, "bestTargetSurfaces": ["repo", "library", "api", "cli", "ui"], "fallbackPrompt": "", "costTier": "high" }, { "id": "browser-debug", "name": "Debug UI in Browser", "desc": "Diagnose a browser-visible bug using browser-use for live evidence", "prompt": "/goat-debug diagnose a UI bug using browser evidence. Check browser-use is available (`command -v browser-use`), then ask me for the URL and what's broken. Open the page, capture state and a screenshot, then read the relevant source files and write hypotheses. Use browser evidence to confirm or eliminate each hypothesis - don't guess from code alone. Stop at D2 with the diagnosis and browser evidence before proposing a fix.", "cat": "debug", "route": "goat-debug", "source": "goat-flow-catalog", "globalSafe": false, "internalOnly": false, "qualityMode": false, "requiresGh": false, "requiresPrOrIssue": false, "requiresLocalDiff": false, "requiresUiApp": true, "requiresDependencyFiles": false, "requiresGoatFlowInstall": false, "mayCheckoutBranch": false, "requiresCleanWorktree": false, "mayWriteFiles": false, "artifactRequired": false, "bestTargetSurfaces": ["ui"], "fallbackPrompt": "No browser-use CLI detected. Install it first (see https://github.com/browser-use/browser-use), then retry. Or use /goat-debug without browser evidence and inspect manually.", "costTier": "low" } ]