Merge remote-tracking branch 'origin/main' into worktree-20260415-182323

Author: Test

.claude/hooks/pre-commit/plugin-boundary-allowlist.conf

@@ -28,6 +28,7 @@ plugins/dso/tests/**
 plugins/dso/docs/adapters/**
 plugins/dso/docs/contracts/**
 plugins/dso/docs/decisions/**
+plugins/dso/docs/designs/**
 plugins/dso/docs/templates/**
 plugins/dso/docs/workflows/**
 plugins/dso/docs/prompts/**

.test-index

@@ -168,15 +168,15 @@ plugins/dso/skills/onboarding/SKILL.md:tests/skills/test-onboarding-e2e.sh
 plugins/dso/skills/onboarding/SKILL.md:tests/skills/test-onboarding-ux-validation.sh
 plugins/dso/scripts/check-skill-refs.sh:tests/scripts/test-check-skill-refs.sh
 plugins/dso/scripts/scan-docs.sh:tests/skills/test-onboarding-scan-docs.sh
-docs/onboarding.md:tests/skills/test-nextjs-starter-docs.sh [test_onboarding_doc_exists]
+docs/onboarding.md:tests/skills/test-nextjs-starter-docs.sh
 plugins/dso/skills/onboarding/SKILL.md:tests/hooks/test-onboarding-batch-groups.sh
 plugins/dso/skills/onboarding/SKILL.md:tests/skills/test-onboarding-confidence-assignment.sh
 plugins/dso/skills/architect-foundation/SKILL.md:tests/skills/test-architect-foundation-skill.sh
-plugins/dso/skills/architect-foundation/SKILL.md:tests/skills/test-architect-foundation-skill.sh
-plugins/dso/skills/architect-foundation/SKILL.md:tests/skills/test-architect-foundation-skill.sh
-plugins/dso/skills/architect-foundation/SKILL.md:tests/skills/test-architect-foundation-skill.sh
-plugins/dso/skills/architect-foundation/SKILL.md:tests/skills/test-architect-foundation-skill.sh
 plugins/dso/skills/onboarding/SKILL.md:tests/skills/test-onboarding-skill.sh
 plugins/dso/skills/onboarding/SKILL.md:tests/skills/test-onboarding-e2e.sh
-plugins/dso/skills/onboarding/SKILL.md:tests/skills/test-onboarding-skill.sh
 plugins/dso/scripts/check-skill-refs.sh: tests/scripts/test-check-skill-refs.sh
+docs/onboarding.md:tests/skills/test-nextjs-starter-docs.sh
+plugins/dso/README.md:tests/skills/test-nextjs-starter-docs.sh
+CLAUDE.md:tests/skills/test-nextjs-starter-docs.sh
+plugins/dso/docs/designs/dso-nextjs-starter-plugin-install.md:tests/scripts/test-dso-nextjs-starter-plugin-install.sh [test_plugin_consent_doc_has_required_sections]
+plugins/dso/scripts/create-dso-app.sh:tests/scripts/test-create-dso-app.sh

CLAUDE.md

@@ -39,6 +39,7 @@
 | Review event stats | `.claude/scripts/dso review-stats.sh` |
 | Run a recipe transform | `.claude/scripts/dso recipe-executor.sh <recipe-name> [--param key=value ...]` |
 | Sync stale host-project artifacts to current plugin version | `.claude/scripts/dso update-artifacts` |
+| Bootstrap a NextJS project | `bash <(curl -fsSL https://raw.githubusercontent.com/<org>/digital-service-orchestra/HEAD/plugins/dso/scripts/create-dso-app.sh)` or `/dso:nextjs-starter` |
 
 Less common: `check-skill-refs.sh`, `qualify-skill-refs.sh`.
 

docs/onboarding.md

@@ -0,0 +1,24 @@
+# DSO Onboarding
+
+## Bootstrapping a New NextJS Project
+
+Use the DSO NextJS Starter to scaffold a fully-configured project with one command:
+
+```bash
+bash <(curl -fsSL https://raw.githubusercontent.com/<org>/digital-service-orchestra/HEAD/plugins/dso/scripts/create-dso-app.sh)
+```
+
+> **Note**: Replace `<org>` with your GitHub organization name once the template repository has been set up. See the DSO NextJS Starter README for more details.
+
+## What the installer does
+
+1. Checks and installs required dependencies (Homebrew, Node 20.x, pre-commit, Claude Code)
+2. Clones the DSO NextJS template repository
+3. Substitutes your project name throughout the template
+4. Installs npm dependencies
+5. Launches Claude Code with DSO pre-configured
+
+## Prerequisites
+
+- macOS with internet access
+- Homebrew will be installed if not present

plugins/dso/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "dso",
-  "version": "1.12.25",
+  "version": "1.12.27",
   "description": "Workflow infrastructure plugin for Claude Code projects",
   "commands": "./commands/",
   "skills": "./skills/",

plugins/dso/README.md

@@ -0,0 +1,25 @@
+# DSO (Digital Service Orchestrator) Plugin
+
+DSO is a Claude Code plugin that provides AI-assisted development workflows for government digital services teams.
+
+## DSO NextJS Starter
+
+A one-command bootstrap for non-engineer NextJS prototyping. The nextjs-starter installer sets up a complete DSO-configured NextJS project with all required infrastructure files.
+
+**Quick start**: See [`docs/onboarding.md`](../../docs/onboarding.md) for the full bootstrap command.
+
+To install the nextjs-starter scaffolding, run the `create-dso-app.sh` installer script from the `scripts/` directory.
+
+## Features
+
+- Sprint orchestration and task management
+- TDD-driven implementation workflows
+- Code review and quality gates
+- Architecture enforcement
+
+## Documentation
+
+- **Installation**: See `docs/INSTALL.md`
+- **Configuration**: See `docs/CONFIGURATION-REFERENCE.md`
+- **Worktree Guide**: See `docs/WORKTREE-GUIDE.md`
+- **Ticket CLI Reference**: See `docs/ticket-cli-reference.md`

plugins/dso/docs/designs/dso-nextjs-starter-plugin-install.md

@@ -0,0 +1,180 @@
+# DSO NextJS Starter: Plugin Install Consent Design
+
+## Overview
+
+This document investigates whether placing `extraKnownMarketplaces` and `enabledPlugins` in a
+project's `.claude/settings.json` will trigger a consent/install dialog when a developer first
+opens the project in Claude Code — enabling the DSO plugin to be auto-installed without any
+manual `claude plugin install` step.
+
+The use case is the **DSO NextJS Starter template**: a scaffolded project that ships with a
+pre-populated `.claude/settings.json` pointing to the DSO plugin marketplace. The question is
+whether a first-time user who clones the template and runs `claude` will be automatically
+prompted to install the DSO plugin.
+
+---
+
+## Research Findings
+
+### Official Documentation (code.claude.com/docs/en/settings — April 2026)
+
+The authoritative Claude Code settings reference describes `extraKnownMarketplaces` behavior
+under **Plugin settings**:
+
+> **When a repository includes `extraKnownMarketplaces`**:
+> 1. Team members are prompted to install the marketplace when they trust the folder
+> 2. Team members are then prompted to install plugins from that marketplace
+> 3. Users can skip unwanted marketplaces or plugins (stored in user settings)
+> 4. Installation respects trust boundaries and requires explicit consent
+
+This is a two-step flow: marketplace registration consent, then plugin install consent. Both are
+interactive prompts that appear at the workspace trust moment.
+
+### GitHub Issue #13097: Interactive-Only Constraint
+
+Issue [#13097](https://github.com/anthropics/claude-code/issues/13097) ("Clarify that
+extraKnownMarketplaces requires interactive trust dialog") documents that:
+
+- The `extraKnownMarketplaces` feature **only activates during interactive mode**
+- In headless/print mode (`-p` flag), the trust dialog is skipped entirely and
+  `extraKnownMarketplaces` is not processed
+- This is intentional: consent requires a human at the keyboard
+
+An independent investigation (gist linked in the issue) confirmed:
+
+> "Two separate systems exist: project-level `extraKnownMarketplaces` (ignored by plugin
+> commands) and user-level `known_marketplaces.json` (actually consulted). The auto-installation
+> bridge between them only engages during the interactive trust moment."
+
+This means the mechanism works in the exact scenario we care about — a developer running
+`claude` interactively in a newly cloned repo — and does not apply to CI or headless runs.
+
+### GitHub Issue #32607: Silent Failure for Uninstalled Enabled Plugins
+
+Issue [#32607](https://github.com/anthropics/claude-code/issues/32607) ("No warning when
+enabledPlugins references a plugin that is not installed") identifies a current gap:
+
+- If `enabledPlugins` lists a plugin but the user skips installation or the marketplace prompt
+  doesn't fire, Claude Code **silently does nothing** — no error, no warning
+- Users see `Unknown skill: dso:sprint` with no diagnostic path
+
+This does not affect the primary consent flow (which does present a prompt), but it matters
+for the degraded-path experience documented below.
+
+### GitHub Issue #23737: Auto-Install Feature Request
+
+Issue [#23737](https://github.com/anthropics/claude-code/issues/23737) ("Auto-install plugins
+from enabledPlugins in shared settings.json") was filed requesting fully automatic installation
+without a consent prompt. It was **closed as a duplicate** of an existing open feature request.
+
+Key implication: as of April 2026, fully silent auto-install (no dialog at all) is **not
+implemented**. The consent prompt approach documented in the official docs is the current
+mechanism.
+
+### Platform Consistency Note
+
+Issue [#32268](https://github.com/anthropics/claude-code/issues/32268) documents that the
+official Anthropic marketplace (`claude-plugins-official`) is pre-registered on macOS but
+**not** on Windows. For a custom DSO marketplace, `extraKnownMarketplaces` registration is
+required on all platforms, making the `.claude/settings.json` approach consistently necessary
+regardless of OS.
+
+---
+
+## Success Path
+
+**When `extraKnownMarketplaces` + `enabledPlugins` is used in project settings:**
+
+A developer clones the DSO NextJS Starter and runs `claude` in interactive mode:
+
+1. Claude Code detects a new (untrusted) project directory and presents the workspace trust dialog
+2. Developer selects "Yes, proceed" (trust the folder)
+3. Claude Code reads `.claude/settings.json`, finds `extraKnownMarketplaces` pointing to the
+   DSO plugin marketplace
+4. A second prompt appears: "This project recommends the [DSO] marketplace — install it?"
+5. Developer confirms; the marketplace catalog is fetched
+6. A third prompt (or sequential continuation) appears for each plugin listed in
+   `enabledPlugins`: "Install [digital-service-orchestra]?"
+7. Developer confirms; the DSO plugin installs and is available immediately
+
+The user experience is a guided sequence of two or three consent dialogs, not a manual
+`claude plugin install` invocation. From the developer's perspective, opening a new project
+*just works* after clicking through the prompts.
+
+**Limitations of this path:**
+
+- Requires interactive mode — the prompts do not appear in `claude -p` (headless) runs
+- Users can skip each prompt (stored as "dismissed" in their local settings)
+- If skipped, the plugin is silently absent with no follow-up warning (see Issue #32607)
+- Does not apply in CI/CD pipelines — the template's README should document the manual
+  `claude plugin marketplace add` + `claude plugin install` commands for CI contexts
+
+---
+
+## Failure Path
+
+**Conditions under which the consent flow does not trigger:**
+
+1. **Headless/CI mode** (`claude -p`): Trust dialog is skipped; `extraKnownMarketplaces` is
+   never processed. This is intentional, not a bug.
+2. **Already-trusted directory**: If the developer has previously trusted the directory (e.g.,
+   ran `claude` before the template's `.claude/settings.json` was committed), the trust dialog
+   may not re-appear. The marketplace prompt fires only on the first trust event.
+3. **User dismisses the prompt**: Dismissed marketplaces and plugins are recorded in the user's
+   `~/.claude/settings.json` and will not prompt again on subsequent runs.
+4. **Plugin listed in `enabledPlugins` is not yet installed**: If the marketplace prompt fires
+   but the user skips the plugin install step, subsequent skill invocations fail silently
+   (Issue #32607 — no warning is shown).
+
+The failure path does not mean the configuration is wrong; it means the feature has clear
+interactive-only scope and a silent-degradation gap that operators should anticipate.
+
+---
+
+## Recommendation
+
+This document declares the **Success Path** as **authoritative**.
+
+The `extraKnownMarketplaces` field **does** trigger a consent/install prompt sequence when a
+developer opens a project for the first time in interactive Claude Code. This behavior is
+documented in the official settings reference and confirmed by community investigation.
+
+**Template fork recommendation: include `.claude/settings.json` with these fields.**
+
+The DSO NextJS Starter template should ship with a `.claude/settings.json` that declares:
+
+```json
+{
+  "extraKnownMarketplaces": {
+    "digital-service-orchestra": {
+      "source": {
+        "source": "github",
+        "repo": "navapbc/digital-service-orchestra"
+      }
+    }
+  },
+  "enabledPlugins": {
+    "digital-service-orchestra@digital-service-orchestra": true
+  }
+}
+```
+
+This delivers the onboarding goal: first-time users are guided through plugin installation
+without needing to know about the installer script `create-dso-app.sh` or the plugin system
+internals.
+
+**Additional steps for a complete experience:**
+
+1. **README callout**: Document that Claude Code will prompt to install the DSO marketplace on
+   first launch; explain what to do if the prompt was skipped (run
+   `/plugin marketplace add navapbc/digital-service-orchestra` then
+   `/plugin install digital-service-orchestra@digital-service-orchestra`)
+2. **CI guidance**: For teams running `claude -p` in CI, document the explicit install commands
+   since the consent flow does not run in headless mode
+3. **Trust re-trigger caveat**: If a developer has run `claude` in the project directory
+   before the settings file was added, they may need to run the manual install; the trust event
+   only fires once per directory
+
+The recommendation does **not** depend on the silent auto-install feature requested in
+Issue #23737 (not yet implemented). The consent-dialog path is sufficient for interactive
+developer onboarding.

plugins/dso/hooks/record-test-status.sh

@@ -226,6 +226,7 @@ count_centrality() {
 
     # Escape regex metacharacters in module_name to prevent injection (Bug 5 fix).
     local escaped_module_name
+    # shellcheck disable=SC2016  # single quotes are intentional: \& is sed syntax, not shell expansion
     escaped_module_name=$(printf '%s' "$module_name" | sed 's/[.[\*^$()+?{|\\]/\\&/g')
 
     # Hardcoded default patterns (fallback when no config patterns are present).
@@ -655,10 +656,21 @@ DIFF_HASH=$("$HOOK_DIR/compute-diff-hash.sh")
 # Uses grep-based fan-in counting (no external tools required).
 # When ast-grep (sg) is not installed, emits a diagnostic note but still
 # performs centrality scoring via grep (the primary counting method).
+
+# _is_astgrep_sg: returns 0 only when the sg binary in PATH is ast-grep.
+# Ubuntu ships shadow-utils' sg (switch-group) at /usr/bin/sg; that binary
+# also satisfies `command -v sg` but is not ast-grep. We verify by checking
+# that `sg --version` produces a version line starting with "sg <digit>",
+# which ast-grep does and shadow-utils' sg does not.
+_is_astgrep_sg() {
+    command -v sg >/dev/null 2>&1 || return 1
+    sg --version 2>/dev/null | grep -qE '^(sg|ast-grep) [0-9]' || return 1
+}
+
 FULL_SUITE=false
 _max_centrality=0
 _CENTRALITY_LOG="$ARTIFACTS_DIR/centrality-log.jsonl"
-if ! command -v sg >/dev/null 2>&1; then
+if ! _is_astgrep_sg; then
     echo "NOTE: ast-grep (sg) not installed — centrality scoring uses grep-based fan-in counting" >&2
 fi
 
@@ -727,7 +739,7 @@ else
         _ts_log=$(date -u +"%Y-%m-%dT%H:%M:%SZ" 2>/dev/null || echo "unknown")
         if [[ "$_centrality" -gt "$_CENTRALITY_THRESHOLD" ]] 2>/dev/null; then
             _decision="full_suite"
-        elif ! command -v sg >/dev/null 2>&1; then
+        elif ! _is_astgrep_sg; then
             _decision="skipped_no_sg"
         else
             _decision="associated_only"
@@ -811,6 +823,7 @@ FAILED_TESTS_LIST=""
 # Write "partial" (not STATUS) to test-gate-status so the pre-commit test
 # gate never accepts a mid-run snapshot as a valid pass — STATUS may still
 # be "passed" while untested files remain in the queue.
+# shellcheck disable=SC2329  # invoked indirectly via: trap '_write_partial_status' URG
 _write_partial_status() {
     local _ts
     _ts=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
@@ -853,7 +866,7 @@ if [[ "$FULL_SUITE" == true ]]; then
             while IFS= read -r _tf; do
                 [[ -z "$_tf" ]] && continue
                 _discovered_test_files+=("$_tf")
-                _rel="${_tf#$REPO_ROOT/}"
+                _rel="${_tf#"$REPO_ROOT"/}"
                 if [[ -n "$_all_test_files" ]]; then
                     _all_test_files="${_all_test_files},${_rel}"
                 else
@@ -964,6 +977,7 @@ if ms_is_merge_in_progress || ms_is_rebase_in_progress; then
     _rts_isolation_dir=$(mktemp -d /tmp/rts-git-isolation-XXXXXX)
     git init -q "$_rts_isolation_dir" 2>/dev/null
     export _MERGE_STATE_GIT_DIR="$_rts_isolation_dir/.git"
+    # shellcheck disable=SC2329  # invoked indirectly via: trap '_rts_cleanup_isolation' EXIT
     _rts_cleanup_isolation() { rm -rf "$_rts_isolation_dir" 2>/dev/null; }
     trap '_rts_cleanup_isolation' EXIT
 fi

plugins/dso/scripts/bridge-outbound.py

@@ -235,10 +235,25 @@ def detect_status_flap(
     if not all_status_events:
         return False
 
-    # Filter to events within window_seconds of the most recent event
-    max_ts = max(ts for ts, _ in all_status_events)
-    cutoff = max_ts - window_seconds
-    status_events = [(ts, s) for ts, s in all_status_events if ts >= cutoff]
+    # Normalize all timestamps to nanoseconds before comparison so that
+    # mixed-precision events (seconds ~1.7e9 from old code, nanoseconds ~1.78e18
+    # from new code) can be compared correctly during the migration window.
+    # A threshold of 1e12 safely distinguishes nanoseconds from seconds because
+    # the Unix epoch in seconds is ~1.7e9 (well below 1e12) while in nanoseconds
+    # it is ~1.78e18 (well above 1e12).
+    _NS_THRESHOLD = 1_000_000_000_000  # 1e12: values above this are nanoseconds
+    _NS_PER_SEC = 1_000_000_000
+
+    def _to_ns(ts: int) -> int:
+        """Normalize a timestamp to nanoseconds regardless of original precision."""
+        return ts if ts > _NS_THRESHOLD else ts * _NS_PER_SEC
+
+    # Normalize all events to nanoseconds so cutoff math is consistent
+    all_status_events_ns = [(_to_ns(ts), s) for ts, s in all_status_events]
+    max_ts_ns = max(ts for ts, _ in all_status_events_ns)
+    window_ns = window_seconds * _NS_PER_SEC
+    cutoff = max_ts_ns - window_ns
+    status_events = [(ts, s) for ts, s in all_status_events_ns if ts >= cutoff]
 
     # Sort by timestamp
     status_events.sort(key=lambda x: x[0])