[ PACK LIBRARY / SOFTWARE DEVELOPMENT ]

CHAINFREE SAMPLETESTED

Delivery chain: architecture plan to build to test to security audit

STAFF KAYLE / THEO / JASON / JERRY · V0.2.0
static-analysis:semgrepstatic-analysis:codeqlwebapp-testingbopen-tools:wait-for-ci

REQUIRES

  • claude plugin install static-analysis@trailofbits — Trail of Bits security marketplace
  • npx skills add webapp-testing (source pinned in the pack setup manifest) — portable SKILL.md skill
  • claude plugin install bopen-tools@b-open-io

WHEN TO REACH FOR THIS

You have one non-trivial feature to ship and you want it carried end to end by named specialists with a clean handoff at each stage. This is the canonical maker-checker delivery chain: Kayle plans, Theo builds, Jason tests, Jerry security-audits. Each link produces a defined artifact and blocks the next until its done-condition is met, so the agent that writes the code is never the one that signs off on it. The structure holds up on changes past a couple hundred lines, where a single broad review prompt starts returning generic feedback.

REQUIRES

  • claude plugin install bopen-tools@b-open-io (provides bopen-tools:wait-for-ci and the roster agents Kayle, Theo, Jason, Jerry)
  • claude plugin install static-analysis@trailofbits (Trail of Bits marketplace — provides static-analysis:semgrep and static-analysis:codeql)
  • npx skills add webapp-testing (portable skill; the pack setup manifest pins the exact source)
  • gh authenticated for the CI wait, and semgrep installed (brew install semgrep or pip install semgrep); CodeQL needs a buildable project
  • A harness that supports subagents (Claude Code or Codex). On a single-agent harness, run each stage as its own session and paste the prior artifact in.

CONTEXT INPUTS

{{FEATURE}}          # one feature, described in 2-3 sentences ; scope it small enough to carry in one chain
{{REPO_PATH}}        # absolute path to the repo
{{BRANCH}}           # feature branch this work lands on
{{ACCEPTANCE}}       # what "the feature works" means, in observable terms

THE PROMPT

PASTE INTO YOUR AGENT
You are the coordinator of a four-stage delivery chain for {{FEATURE}} in {{REPO_PATH}} on branch {{BRANCH}}. Run the stages in order. Each stage hands a named artifact to the next, and a stage does not start until the previous stage's done-condition is met. If any stage fails its done-condition, STOP and report which stage and why. Do not paper over a failed handoff by having the next agent guess.

Stage 1 - PLAN (dispatch Kayle, architecture-reviewer):
- Kayle produces an implementation plan: files to touch, data-flow and interface changes, risks, and a test surface for {{ACCEPTANCE}}.
- Artifact handed forward: the written plan.
- Done when: the plan names concrete files and a testable acceptance surface. If Kayle finds the feature underspecified, stop and report.

Stage 2 - BUILD (dispatch Theo, nextjs):
- Theo receives Kayle's plan and implements exactly that plan on {{BRANCH}}. If reality forces a deviation, Theo notes it against the plan rather than silently diverging.
- Artifact handed forward: the diff plus a short note of any deviation.
- Done when: the code compiles and typechecks clean locally.

Stage 3 - TEST (dispatch Jason, tester):
- Jason receives the diff and the acceptance surface, then writes tests that exercise {{ACCEPTANCE}}, including the edge and error paths Kayle flagged. Pick the test kind that fits the surface: load the webapp-testing skill for a browser/UI acceptance surface; for an API route, library, or pure-logic surface write unit or integration tests with the repo's own runner instead of forcing a browser test.
- Artifact handed forward: the test files and a pass/fail run.
- Done when: tests exist for the acceptance surface and pass. If they cannot pass, hand the failure back to Theo (Stage 2), do not weaken the test to make it green.

Stage 4 - SECURITY AUDIT (dispatch Jerry, code-auditor):
- Jerry reviews only the branch diff. Load static-analysis:semgrep for a fast pattern pass and static-analysis:codeql for interprocedural taint tracking where the diff crosses trust boundaries (input to sink). Produce a severity-rated finding list with specific fixes.
- Artifact handed forward: the severity-rated report.
- Done when: no unresolved high/critical findings remain. Route any real finding back to Theo, then re-run Stage 3 and Stage 4 on the fix.

Gate - VERIFY CI:
- After Stage 4 is clean, load the bopen-tools:wait-for-ci skill, push, and block on CI. Only report the feature done when CI conclusion is success.

Negative prompts:
- Do NOT skip a stage or merge stages to save time. The handoff boundaries are the point.
- Do NOT let a later agent see an earlier agent's confidence framing; pass artifacts, not opinions.
- Do NOT weaken a test or dismiss a real finding to reach "done". Loop back instead.
- Do NOT swap the framework or downgrade dependencies to make the build pass.

EXPECTED OUTPUT

One feature on {{BRANCH}}: implemented to Kayle's plan, covered by passing tests for the acceptance surface, cleared of high/critical security findings by Jerry, and green in CI — with the four artifacts (plan, diff, tests, security report) as the paper trail.

FOLLOW-UP CHAIN

  • sd-ship-safely-chain — Ship-a-feature-safely chain: build to perf audit to test to deploy
  • sd-bug-hunt — Run a three-phase adversarial bug hunt (deeper adversarial pass on the same diff)
  • sd-e2e-ci-gate — Add an e2e suite and a merge-blocking coverage gate

← PACK CONTENTS