[ PACK LIBRARY / SOFTWARE DEVELOPMENT ]
Delivery chain: architecture plan to build to test to security audit
REQUIRES
- claude plugin install static-analysis@trailofbits — Trail of Bits security marketplace
- npx skills add webapp-testing (source pinned in the pack setup manifest) — portable SKILL.md skill
- claude plugin install bopen-tools@b-open-io
WHEN TO REACH FOR THIS
You have one non-trivial feature to ship and you want it carried end to end by named specialists with a clean handoff at each stage. This is the canonical maker-checker delivery chain: Kayle plans, Theo builds, Jason tests, Jerry security-audits. Each link produces a defined artifact and blocks the next until its done-condition is met, so the agent that writes the code is never the one that signs off on it. The structure holds up on changes past a couple hundred lines, where a single broad review prompt starts returning generic feedback.
REQUIRES
claude plugin install bopen-tools@b-open-io(providesbopen-tools:wait-for-ciand the roster agents Kayle, Theo, Jason, Jerry)claude plugin install static-analysis@trailofbits(Trail of Bits marketplace — providesstatic-analysis:semgrepandstatic-analysis:codeql)npx skills add webapp-testing(portable skill; the pack setup manifest pins the exact source)ghauthenticated for the CI wait, andsemgrepinstalled (brew install semgreporpip install semgrep); CodeQL needs a buildable project- A harness that supports subagents (Claude Code or Codex). On a single-agent harness, run each stage as its own session and paste the prior artifact in.
CONTEXT INPUTS
{{FEATURE}} # one feature, described in 2-3 sentences ; scope it small enough to carry in one chain
{{REPO_PATH}} # absolute path to the repo
{{BRANCH}} # feature branch this work lands on
{{ACCEPTANCE}} # what "the feature works" means, in observable terms
THE PROMPT
You are the coordinator of a four-stage delivery chain for {{FEATURE}} in {{REPO_PATH}} on branch {{BRANCH}}. Run the stages in order. Each stage hands a named artifact to the next, and a stage does not start until the previous stage's done-condition is met. If any stage fails its done-condition, STOP and report which stage and why. Do not paper over a failed handoff by having the next agent guess.
Stage 1 - PLAN (dispatch Kayle, architecture-reviewer):
- Kayle produces an implementation plan: files to touch, data-flow and interface changes, risks, and a test surface for {{ACCEPTANCE}}.
- Artifact handed forward: the written plan.
- Done when: the plan names concrete files and a testable acceptance surface. If Kayle finds the feature underspecified, stop and report.
Stage 2 - BUILD (dispatch Theo, nextjs):
- Theo receives Kayle's plan and implements exactly that plan on {{BRANCH}}. If reality forces a deviation, Theo notes it against the plan rather than silently diverging.
- Artifact handed forward: the diff plus a short note of any deviation.
- Done when: the code compiles and typechecks clean locally.
Stage 3 - TEST (dispatch Jason, tester):
- Jason receives the diff and the acceptance surface, then writes tests that exercise {{ACCEPTANCE}}, including the edge and error paths Kayle flagged. Pick the test kind that fits the surface: load the webapp-testing skill for a browser/UI acceptance surface; for an API route, library, or pure-logic surface write unit or integration tests with the repo's own runner instead of forcing a browser test.
- Artifact handed forward: the test files and a pass/fail run.
- Done when: tests exist for the acceptance surface and pass. If they cannot pass, hand the failure back to Theo (Stage 2), do not weaken the test to make it green.
Stage 4 - SECURITY AUDIT (dispatch Jerry, code-auditor):
- Jerry reviews only the branch diff. Load static-analysis:semgrep for a fast pattern pass and static-analysis:codeql for interprocedural taint tracking where the diff crosses trust boundaries (input to sink). Produce a severity-rated finding list with specific fixes.
- Artifact handed forward: the severity-rated report.
- Done when: no unresolved high/critical findings remain. Route any real finding back to Theo, then re-run Stage 3 and Stage 4 on the fix.
Gate - VERIFY CI:
- After Stage 4 is clean, load the bopen-tools:wait-for-ci skill, push, and block on CI. Only report the feature done when CI conclusion is success.
Negative prompts:
- Do NOT skip a stage or merge stages to save time. The handoff boundaries are the point.
- Do NOT let a later agent see an earlier agent's confidence framing; pass artifacts, not opinions.
- Do NOT weaken a test or dismiss a real finding to reach "done". Loop back instead.
- Do NOT swap the framework or downgrade dependencies to make the build pass.EXPECTED OUTPUT
One feature on {{BRANCH}}: implemented to Kayle's plan, covered by passing tests for the acceptance surface, cleared of high/critical security findings by Jerry, and green in CI — with the four artifacts (plan, diff, tests, security report) as the paper trail.
FOLLOW-UP CHAIN
sd-ship-safely-chain— Ship-a-feature-safely chain: build to perf audit to test to deploysd-bug-hunt— Run a three-phase adversarial bug hunt (deeper adversarial pass on the same diff)sd-e2e-ci-gate— Add an e2e suite and a merge-blocking coverage gate