All notable changes to devt will be documented in this file.
Format follows Keep a Changelog. Versions follow Semantic Versioning.
- CLAUDE.md docs audit: Added missing
scratchpad.mdartifact to state flow documentation, added 5 undocumentedupdatesubcommands (local-version, install-type, dirty, clear-cache, changelog), expandedupdate.cjsmodule description
- Parameterized SQL in semantic.cjs: Replaced string-interpolated DELETE with
db.prepare().run()in compact — consistent with INSERT which already used prepared statements - syncState consistency: Refactored workflow_type inference to scan INPUT_ARTIFACTS into
foundSet— all artifact checks now go through one mechanism instead of mixingfoundSet.has()with ad-hocexistsSync - Silent skip on malformed state args:
state updatenow warns when key=value pairs lack=instead of silently skipping
- W014 health check: Validates
next.mdrouting table covers every entry inVALID_WORKFLOW_TYPES— prevents drift when adding new workflow types - PHASE_ARTIFACT_MAP / INPUT_ARTIFACTS documentation: Comments now explain the design boundary (phase-ordered vs cross-workflow) and document artifact origins
--tddflag: Test-driven development mode for dev workflow — reverses implement/test phase order, auto-injects tdd-patterns skill into programmer and tester agents--dry-runflag: Preview the workflow pipeline (tier, steps, agents, models) without executing any agents- Acceptance criteria gate: STANDARD+ tiers check for spec.md with acceptance criteria before implementation — options to define now, auto-derive, or skip verification
- Enhanced statusline: Compact format showing tier, phase, iteration, active flags, and task in
UserPromptSubmithook. Idle state shows last workflow context. state prunesubcommand: Remove orphaned artifacts from.devt/state/usingPHASE_ARTIFACT_MAP. Supports--dry-runfor safe preview.- Tier-based context limiting: SIMPLE/STANDARD tiers load only relevant state artifacts into agent prompts, reducing context waste
- JSONC config support:
readJsonSafenow strips//and/* */comments before parsing — config files can include inline documentation - Model alias resolution:
MODEL_ALIAS_MAPmaps short names (opus/sonnet/haiku) to full Anthropic model IDs. New CLI subcommands:models resolve,models list,models table - Strict injection scanning: Shannon entropy analysis for encoded payloads, URL-encoded (
%XX) and HTML entity (</&#xNN;) decode-and-rescan, zero-width Unicode character detection - State sync recovery:
devt-tools state syncreconstructsworkflow.yamlfrom artifact presence on disk — recovery mechanism for corrupted or missing state - Phase control flags:
--to <phase>,--only <phase>,--chainfor granular autonomous workflow control. New state keys:stop_at_phase,only_phase - Read-before-edit guard hook: Advisory
PreToolUsehook reminds agents to read files before editing (async, non-blocking) - Domain probes reference: Structured probing techniques for uncovering domain unknowns, consumed by specify and clarify workflows
- Severity-tagged golden rules:
[CRITICAL],[WARNING],[STYLE]severity levels on all 11 rules for prioritization under turn pressure - Researcher provenance tagging: Every claim requires
[codebase: file:line],[docs: URL], or[inference]source tags - Verifier later-phase awareness: Level 5.5 filters gaps explicitly deferred to later phases, annotated as
[DEFERRED](informational, does not downgrade verdict) - Playwright E2E patterns: Visual regression, accessibility testing, network inspection, locator strategy, and MCP integration sections in typescript-node and vue-bootstrap templates
- Prompt injection scan: URL-encoded injection detection (category 7) and Cyrillic homoglyph/lookalike detection (category 8)
- References directory: New
references/supporting layer documented in CLAUDE.md
PHASE_ARTIFACT_MAParch_health mismatch:arch_healthwas mapped toarch-review.md(belongs toarchitectphase) — corrected toarch-health-scan.mdand addedarchitectentryHTML_NAMED_ENTITIESper-call allocation: Hoisted from function body to module-level constant in security.cjs- Pre-ES2021
split().join()idiom: Replaced withreplaceAll()indecodeHtmlEntities(project requires Node 22+) syncStateredundant early check: RemovedexistsSyncguard that contradicted subsequentensureStateDir()call- Read-before-edit hook blocking: Changed from
async: falsetoasync: true— advisory hooks should not block tool execution
- Vue-bootstrap template: form handling (ref + error object), permission-based rendering (computed + authStore), toast composable wrapper, shallowRef vs ref guidance, multi-env config, legacy Options API migration note
- Vue-bootstrap template: UI/UX quality standards (WCAG 2.2 AA: touch targets, focus states, contrast ratios, reduced-motion), responsive design checklist, diagnostic grep commands
- Vue-bootstrap template: 6 new code smells (div-as-button, missing loading states, stale permission checks, empty states, hardcoded transitions, direct toast calls)
- Vue-bootstrap template: architecture additions (constants 4-file pattern, API client architecture, theme/layout system)
- All 15 skills: "When NOT to Use" sections, time budget hints, concrete examples for edge cases
- State validate/sync:
devt-tools state validatecross-references state claims against actual artifact files — detects drift when sessions drop mid-workflow (W013 health check) - Research gate: planning blocks when research has unresolved open questions — presents them for resolve/defer/proceed decision
- Scope reduction detection: verifier Level 5 extracts every requirement from spec/plan, flags omissions as SCOPE_REDUCED forcing GAPS_FOUND verdict
- Claim provenance tagging: programmer, tester, code-reviewer artifacts now include Agent/Model/Timestamp provenance — verifier treats provenance-tagged claims as self-reported
- Prompt injection defense: 10→20 patterns covering forget-instructions, act-as, system prompt extraction,
<<SYS>>markers, exfiltration, tool manipulation. Added strict mode (zero-width Unicode, prompt stuffing) andsanitizeForDisplay() - Atomics.wait lock: replaced CPU-spinning busy-wait with
Atomics.wait()for lock retry — blocks thread without burning cycles - Config key warnings:
getMergedConfig()warns on unknown keys in.devt/config.json(catches typos likeagent_skils) - Questioning guide: "The Goal" framing, concrete AskUserQuestion examples, option modification tip, expanded freeform rule with wrong/right pairs, decision gate pattern, 2 new anti-patterns
- Model profiles:
devt-tools models table [profile]renders box-drawn agent→model table for diagnostics - Autonomous chain flag:
--autonomousworkflows auto-advance to/devt:shipafter completion; stale flag cleared on manual invocation - Parallel docs + retro: docs-writer and retro agents now dispatch simultaneously (independent outputs), saving ~30-60s per STANDARD workflow
- All 15 skills: optimized descriptions for triggering accuracy with explicit trigger phrases and negative boundaries
- UserPromptSubmit hook error:
workflow-context-injector.shemitted empty line when no workflow was active, causing Claude Code to fail JSON parsing — now outputs nothing when idle - Stale
stopped_at/stopped_phaseon resume: all 10 workflows now clear these fields when settingactive=true, preventing misleading session-start banners and false W006 health alerts next.mdmissing post-implementation routes: added routing for impl-summary without review (→/devt:review) and review with NEEDS_WORK verdict (→ resume/devt:workflow)- Missing
<agent_skills>in 2 dispatch templates:debug.mddebugger andcreate-plan.mdarchitect dispatches now include skill injection tag specify.mddecisions format: extracted decisions now use DEC-xxx ID format matchingclarify-task.md, enabling cross-workflow traceability- Quick-implement stale comment: review iteration comparison updated from "vs 3" to "vs 5 (RETRY/DECOMPOSE/PRUNE)"
- Verifier status enum incomplete: added
DONE_WITH_CONCERNSto formal output format (was already produced via turn-limit awareness but undocumented) next.mdNEEDS_WORK route accuracy: corrected misleading "resume at implement phase" — workflow restarts from context_init, not mid-phasenext.mdAPPROVED_WITH_NOTES: merged with APPROVED route — both are ship-ready verdictsnext.mdunreadable verdict: added route for interrupted/partial review.md with user prompt- Stale
verdict/repair/verify_iterationon fresh workflow: dev-workflow and quick-implement now reset these fields in context_init to prevent carry-over from prior runs - Hook
echoportability: replacedecho "$RESULT"withprintf '%s\n'to avoid flag interpretation risk agent_skillsplaceholder inconsistency: normalized debug.md and create-plan.md to use the standard placeholder text
- Simplify workflow phase (STANDARD + COMPLEX tiers): runs
/simplify(3 parallel review agents for reuse, quality, efficiency) after tests pass, re-runs quality gates to verify, then proceeds to code review - Programmer agent self-review now includes explicit simplification pass (reuse, redundancy, over-engineering, dead code checks) integrated into the
<self_review>section effortfield on all 10 agents:highfor critical agents (programmer, tester, code-reviewer, verifier, architect, debugger),mediumfor support agents (docs-writer, retro, curator, researcher)- State tracking (
active=true,phase,status=IN_PROGRESS/DONE) added to standalone workflows:debug.md,lesson-extraction.md,arch-health-scan.md— enables/devt:statusand/devt:nextresume detection <deviation_rules>block added tocreate-plan.md(was the only workflow missing it)- Programmer agent now reads
guardrails/generative-debt-checklist.md— BEFORE/DURING/AFTER coding gates - Tester agent now reads
guardrails/golden-rules.md— scan-before-implementing applies to test code - Code-reviewer agent now reads
guardrails/golden-rules.md— reviews against universal rules scripts/run-quality-gates.shandscripts/check-docs.shmoved fromharness/toscripts/and wired into quality-gate-verifier
run-hook.jssilent hook bypass: spawn failure or timeout (status=null) now detected viaresult.errorcheck and exits with code 1 instead of silently succeeding. Uses??instead of||for null-safe exit codesemantic.cjscrash on Node < 22.5:require("node:sqlite")wrapped in try/catch with friendly error message showing required versionsecurity.cjsdead code: wired intoinit.cjs— task descriptions are now scanned for prompt injection patterns and sanitized viasanitizeForPrompt()before entering agent promptsstop.shperformance: collapsed 2 node spawns (parse + extract) into 1 withIFSparsing, eliminated intermediateWORKFLOW_STATEvariable. Task descriptions sanitized to prevent newline-based IFS splittingsubagent-status.shrace condition:status.jsonnow uses atomic write (tmp + rename) matching project convention. Switched fromreadFileSync('/dev/stdin')toprocess.argv[1]for consistencystate.cjsVALID_PHASES: addeddebug,arch_health_scan,simplifyphasescode-reviewer.mdnumbering: fixed duplicate item "4." in context_loading listquality-gate-verifier.mdrewritten with correct hook schema (prompt, agent, command options) — was using outdated fields and incorrectly claiming plugins can't register agent-type Stop hooksquality-gates.mdworkflow: removed misleading agent reference list from<available_agent_types>autoskill.mdworkflow: clarified that agent dispatch is conditional, not guaranteed
harness/directory removed — scripts relocated toscripts/(run-quality-gates.sh, check-docs.sh)state/workflow.yamlat plugin root removed (development artifact — runtime state is in.devt/state/)
/devt:helpcommand — full command reference with use cases, organized by experience levelnode devt-tools.cjs health [--repair]— CLI-based health validation with structured JSON output, 17 checks, auto-repair for safe issues, version and update status display- Hook profile system:
DEVT_HOOK_PROFILE=minimal|standard|fullandDEVT_DISABLED_HOOKSenv var for granular hook control - Node.js hook runner (
hooks/run-hook.js) — replaces bash polyglot, resolves plugin root from script location, checks profile flags - Language-specific
review-checklist.mdfor all 5 templates (Python, Go, TypeScript, Vue, blank) api-changelog.mdtemplate for Go and TypeScript (was Python-only)schemas/learning-entry.yaml— formal entry schema for retro/curator agents- Autoskill changelog audit trail (
.devt/autoskill-changelog.md) — records all autoskill modifications - Ship workflow changelog step — conditional API changelog generation when
.devt/rules/api-changelog.mdexists templates/agent-template.mdandtemplates/skill-template.md— authoring templates for extending devt- Command registration via symlink to
~/.claude/commands/devt/for properdevt:namespacing in autocomplete context-monitor.shmade async — no longer blocks tool calls- Health check W009: agent file validation — verifies all plugin agent files exist on disk
- Health check W010: workflow
<available_agent_types>enforcement — prevents post-/clearsilent fallback to general-purpose scripts/prompt-injection-scan.sh— CI security scanner for prompt injection, role manipulation, system boundary injection, base64 obfuscation, and secret detection across all markdown files- Repo-local CLI resolution in
run-hook.js— probes<projectDir>/.claude/devt/before global fallback, persists resolved path to temp file for workflow bash blocks /devt:dosmart router — freeform text dispatched to the right command via intent matching/devt:session-report— post-session summary from git log and workflow artifactsbin/modules/security.cjs— input validation: path traversal prevention, prompt injection detection, safe JSON parsing, shell argument validationreferences/questioning-guide.md— collaborative questioning philosophy for specify and clarify workflows
- Hook exit codes:
workflow-context-injector.shandcontext-monitor.shnow exit 0 (not 2) when inactive — prevents blocking prompts and tool calls - Stop hook output uses correct
stopReasonschema (was usinghookSpecificOutputwhich is invalid for Stop events) CLAUDE_PLUGIN_ROOTpath resolution: session-start hook injects the resolved absolute path so agents can substitute it in workflow bash commandsupdate statustype field collision:dirty.typeno longer overwritesinstall.typefor plugin installstiervscomplexitynaming: workflow now writestier=(notcomplexity=), matching schema, hooks, and cancel script. Legacycomplexitynormalized totieron read.- Non-atomic
stop.sh: merged two separatestate updatecalls into single atomic call findProjectRoot()memoized — eliminates redundant directory traversals per CLI callcheckWorkflowLock(state?)accepts pre-read state to avoid doublereadState()- Default model profile fallback aligned to
"quality"everywhere (was"balanced"in some paths) - Missing
planphase added toVALID_PHASES architecture.mdcorrectly classified as required (was listed as optional in docs)- Stale v0.2.0 migration checks removed from session-start hook
- API changelog template: Before/After labels no longer include version numbers
- Project-init: model profile selection split into own step to prevent batched AskUserQuestion errors
- All project artifacts consolidated under
.devt/directory:.devt.json→.devt/config.json.dev-rules/→.devt/rules/.devt-state/→.devt/state/learning-playbook.md→.devt/learning-playbook.md
- Health workflow rewritten to call CLI (deterministic) instead of agent-interpreted bash
DEFAULTSexported from config.cjs — health and setup use canonical defaultsREQUIRED_DEV_RULESexported from init.cjs — health imports instead of duplicating- Atomic writes in setup.cjs via
atomicWriteJson()helper releaseLockverifies PID ownership before unlinking (ABA prevention)- Plugin install docs updated to
claude --plugin-dir(correct mechanism) - Weekly report workflow rewritten to use
devt-tools.cjs reportCLI (removed dead Python script branches) - Incident runbook modernized — references
/devt:cancel-workflowinstead of raw scripts - Incident runbook wired into dev-workflow.md deviation_rules for failure recovery
research-task.mdnow has deviation_rules (was the only workflow missing them)quick-implement.mdnow writestier=SIMPLEto state (was null, causing hooks to report unknown tier)autonomous=truestate write added to dev-workflow.md when--autonomousflag detected- Code-reviewer agent now reads
.devt/rules/review-checklist.mdfor language-specific review patterns - Retro and curator agents now read
schemas/learning-entry.yamlfor entry format validation
Initial release.
- Command -> Workflow -> Agent three-layer execution model
- 10 agents: programmer, tester, code-reviewer, architect, docs-writer, verifier, researcher, debugger, retro, curator
- 15 skills: codebase-scan, complexity-assessment, tdd-patterns, code-review-guide, architecture-health-scanner, and more
- 28 commands, 26 workflows
- Complexity-tiered pipeline: TRIVIAL, SIMPLE, STANDARD, COMPLEX
- Language-agnostic via
.devt/rules/convention
- All artifacts under
.devt/directory:config.json,rules/,state/,learning-playbook.md - Templates: python-fastapi, go, typescript-node, vue-bootstrap, blank
- 3-level config merge: hardcoded defaults <-
~/.devt/defaults.json(global) <-.devt/config.json(project)
- Compound init: single call returns all workflow context as JSON
- State management with file-level locking and PID-based stale lock detection
- FTS5 full-text search on learning playbook (node:sqlite)
- Version check against GitHub with 4-hour cache
- Stack auto-detection and git remote auto-detection
- Retro agent extracts lessons from each workflow run
- Curator agent deduplicates and compacts the learning playbook
- Semantic search injects relevant lessons into agent dispatches
- Autoskill proposes skill improvements based on accumulated patterns
- 7 lifecycle hooks: SessionStart, Stop, SubagentStart/Stop, PostToolUse, PreToolUse, UserPromptSubmit
- Cross-platform support via polyglot
run-hook.cmd(Windows + Unix) - Session-start injects CLI path resolution and workflow awareness
- Context monitor warns at high tool-call counts
/devt:updatewith GitHub version check, changelog display, install-type detection- Background version check on session start
- Dirty tree detection with stash option for git installs