Merge remote-tracking branch 'origin/main' into worktree-20260322-120216

# Conflicts:
#	.tickets/.index.json

Author: JoeOakhartNava

.test-index

@@ -67,7 +67,7 @@ plugins/dso/skills/plan-review/SKILL.md:plugins/dso/tests/test-sprint-skill-step
 plugins/dso/skills/playwright-debug/SKILL.md:plugins/dso/tests/test-sprint-skill-step10-no-merge-to-main.sh,tests/plugin/test-audit-skill-resolution.sh,tests/hooks/test-fix-bug-skill.sh,tests/hooks/test-generate-claude-md-skill.sh,tests/hooks/test-init-skill.sh,tests/scripts/test-qualify-skill-refs.sh,tests/scripts/test-skill-path-refs.sh,tests/scripts/test-check-skill-refs.sh,tests/skills/test_end_skill_final_verification_step.py,tests/skills/test_implementation_plan_skill_tdd_enforcement.py,tests/skills/test-quick-ref-skill.sh,tests/skills/test_project_setup_skill_conditional_prompts.py,tests/skills/test_fix_bug_skill.py,tests/skills/test_end_skill_summary_displays_stored_learnings.py,tests/skills/test_end_skill_learnings_step_before_commit.py,tests/skills/test-design-skills-cross-stack.sh,tests/skills/test_end_skill_dirty_worktree_resolution.py,tests/skills/test_fix_bug_skill_escalated_section.py,tests/skills/test_end_skill_bug_tickets_before_commit.py
 plugins/dso/skills/preplanning/docs/reviewers/performance.md:tests/hooks/test-performance-validation.sh
 plugins/dso/skills/preplanning/SKILL.md:plugins/dso/tests/test-sprint-skill-step10-no-merge-to-main.sh,tests/plugin/test-audit-skill-resolution.sh,tests/hooks/test-fix-bug-skill.sh,tests/hooks/test-generate-claude-md-skill.sh,tests/hooks/test-init-skill.sh,tests/scripts/test-qualify-skill-refs.sh,tests/scripts/test-skill-path-refs.sh,tests/scripts/test-check-skill-refs.sh,tests/skills/test_end_skill_final_verification_step.py,tests/skills/test_implementation_plan_skill_tdd_enforcement.py,tests/skills/test-quick-ref-skill.sh,tests/skills/test_project_setup_skill_conditional_prompts.py,tests/skills/test_fix_bug_skill.py,tests/skills/test_end_skill_summary_displays_stored_learnings.py,tests/skills/test_end_skill_learnings_step_before_commit.py,tests/skills/test-design-skills-cross-stack.sh,tests/skills/test_end_skill_dirty_worktree_resolution.py,tests/skills/test_fix_bug_skill_escalated_section.py,tests/skills/test_end_skill_bug_tickets_before_commit.py
-plugins/dso/skills/project-setup/SKILL.md:plugins/dso/tests/test-sprint-skill-step10-no-merge-to-main.sh,tests/plugin/test-audit-skill-resolution.sh,tests/hooks/test-fix-bug-skill.sh,tests/hooks/test-generate-claude-md-skill.sh,tests/hooks/test-init-skill.sh,tests/scripts/test-qualify-skill-refs.sh,tests/scripts/test-skill-path-refs.sh,tests/scripts/test-check-skill-refs.sh,tests/skills/test_end_skill_final_verification_step.py,tests/skills/test_implementation_plan_skill_tdd_enforcement.py,tests/skills/test-quick-ref-skill.sh,tests/skills/test_project_setup_skill_conditional_prompts.py,tests/skills/test_fix_bug_skill.py,tests/skills/test_end_skill_summary_displays_stored_learnings.py,tests/skills/test_end_skill_learnings_step_before_commit.py,tests/skills/test-design-skills-cross-stack.sh,tests/skills/test_end_skill_dirty_worktree_resolution.py,tests/skills/test_fix_bug_skill_escalated_section.py,tests/skills/test_end_skill_bug_tickets_before_commit.py
+plugins/dso/skills/project-setup/SKILL.md:plugins/dso/tests/test-sprint-skill-step10-no-merge-to-main.sh,tests/plugin/test-audit-skill-resolution.sh,tests/hooks/test-fix-bug-skill.sh,tests/hooks/test-generate-claude-md-skill.sh,tests/hooks/test-init-skill.sh,tests/scripts/test-qualify-skill-refs.sh,tests/scripts/test-skill-path-refs.sh,tests/scripts/test-check-skill-refs.sh,tests/skills/test_end_skill_final_verification_step.py,tests/skills/test_implementation_plan_skill_tdd_enforcement.py,tests/skills/test-quick-ref-skill.sh,tests/skills/test_project_setup_skill_conditional_prompts.py,tests/skills/test_fix_bug_skill.py,tests/skills/test_end_skill_summary_displays_stored_learnings.py,tests/skills/test_end_skill_learnings_step_before_commit.py,tests/skills/test-design-skills-cross-stack.sh,tests/skills/test_end_skill_dirty_worktree_resolution.py,tests/skills/test_fix_bug_skill_escalated_section.py,tests/skills/test_end_skill_bug_tickets_before_commit.py,tests/skills/test_project_setup_suite_placement.py,tests/skills/test-project-setup-ci-generation.sh
 plugins/dso/skills/quick-ref/SKILL.md:plugins/dso/tests/test-sprint-skill-step10-no-merge-to-main.sh,tests/plugin/test-audit-skill-resolution.sh,tests/hooks/test-fix-bug-skill.sh,tests/hooks/test-generate-claude-md-skill.sh,tests/hooks/test-init-skill.sh,tests/scripts/test-qualify-skill-refs.sh,tests/scripts/test-skill-path-refs.sh,tests/scripts/test-check-skill-refs.sh,tests/skills/test_end_skill_final_verification_step.py,tests/skills/test_implementation_plan_skill_tdd_enforcement.py,tests/skills/test-quick-ref-skill.sh,tests/skills/test_project_setup_skill_conditional_prompts.py,tests/skills/test_fix_bug_skill.py,tests/skills/test_end_skill_summary_displays_stored_learnings.py,tests/skills/test_end_skill_learnings_step_before_commit.py,tests/skills/test-design-skills-cross-stack.sh,tests/skills/test_end_skill_dirty_worktree_resolution.py,tests/skills/test_fix_bug_skill_escalated_section.py,tests/skills/test_end_skill_bug_tickets_before_commit.py
 plugins/dso/skills/resolve-conflicts/SKILL.md:plugins/dso/tests/test-sprint-skill-step10-no-merge-to-main.sh,tests/plugin/test-audit-skill-resolution.sh,tests/hooks/test-fix-bug-skill.sh,tests/hooks/test-generate-claude-md-skill.sh,tests/hooks/test-init-skill.sh,tests/scripts/test-qualify-skill-refs.sh,tests/scripts/test-skill-path-refs.sh,tests/scripts/test-check-skill-refs.sh,tests/skills/test_end_skill_final_verification_step.py,tests/skills/test_implementation_plan_skill_tdd_enforcement.py,tests/skills/test-quick-ref-skill.sh,tests/skills/test_project_setup_skill_conditional_prompts.py,tests/skills/test_fix_bug_skill.py,tests/skills/test_end_skill_summary_displays_stored_learnings.py,tests/skills/test_end_skill_learnings_step_before_commit.py,tests/skills/test-design-skills-cross-stack.sh,tests/skills/test_end_skill_dirty_worktree_resolution.py,tests/skills/test_fix_bug_skill_escalated_section.py,tests/skills/test_end_skill_bug_tickets_before_commit.py
 plugins/dso/skills/retro/SKILL.md:plugins/dso/tests/test-sprint-skill-step10-no-merge-to-main.sh,tests/plugin/test-audit-skill-resolution.sh,tests/hooks/test-fix-bug-skill.sh,tests/hooks/test-generate-claude-md-skill.sh,tests/hooks/test-init-skill.sh,tests/scripts/test-qualify-skill-refs.sh,tests/scripts/test-skill-path-refs.sh,tests/scripts/test-check-skill-refs.sh,tests/skills/test_end_skill_final_verification_step.py,tests/skills/test_implementation_plan_skill_tdd_enforcement.py,tests/skills/test-quick-ref-skill.sh,tests/skills/test_project_setup_skill_conditional_prompts.py,tests/skills/test_fix_bug_skill.py,tests/skills/test_end_skill_summary_displays_stored_learnings.py,tests/skills/test_end_skill_learnings_step_before_commit.py,tests/skills/test-design-skills-cross-stack.sh,tests/skills/test_end_skill_dirty_worktree_resolution.py,tests/skills/test_fix_bug_skill_escalated_section.py,tests/skills/test_end_skill_bug_tickets_before_commit.py
@@ -91,3 +91,5 @@ plugins/dso/scripts/ticket-bridge-status.sh:tests/scripts/test_bridge_status.py
 plugins/dso/scripts/ticket-show.sh:tests/scripts/test-ticket-show.sh,tests/scripts/test_bridge_alert_display.py
 plugins/dso/scripts/ticket-list.sh:tests/scripts/test-ticket-list.sh,tests/scripts/test_bridge_alert_display.py
 plugins/dso/scripts/ticket-lib.sh:tests/scripts/test_revert_event.py,tests/scripts/test-ticket-lib.sh
+plugins/dso/scripts/ci-generator.sh:tests/scripts/test-ci-generator.sh,tests/scripts/test-ci-generator-integration.sh
+plugins/dso/scripts/project-detect.sh:tests/scripts/test-ci-generator-integration.sh

.tickets/.index.json

@@ -87,13 +87,6 @@
     "title": "Display BRIDGE_ALERT health warning in ticket-show.sh and ticket-list.sh output",
     "type": "task"
   },
-  "dso-2bmc": {
-    "deps": [],
-    "priority": 1,
-    "status": "open",
-    "title": "Add descriptive agent name guidance to /dso:debug-everything dispatch points",
-    "type": "task"
-  },
   "dso-2dxt": {
     "deps": [],
     "parent": "w22-ns6l",
@@ -189,22 +182,6 @@
     "title": "Conditional Security & Performance Review Overlays",
     "type": "epic"
   },
-  "dso-5rya": {
-    "deps": [],
-    "priority": 1,
-    "status": "open",
-    "title": "Add descriptive agent name guidance to /dso:sprint dispatch points",
-    "type": "task"
-  },
-  "dso-6026": {
-    "deps": [
-      "dso-917w"
-    ],
-    "priority": 2,
-    "status": "open",
-    "title": "As a DSO practitioner, deprecated sub-agent templates have consistent anti-cover-up guidance",
-    "type": "story"
-  },
   "dso-60uy": {
     "deps": [
       "dso-ed01",
@@ -216,18 +193,11 @@
     "title": "Add REVERT to ticket-lib.sh allowed event_type enum and create ticket-revert.sh",
     "type": "task"
   },
-  "dso-6r3o": {
-    "deps": [],
-    "priority": 1,
-    "status": "closed",
-    "title": "As a developer, the CI auto-ticket-creation pattern is fully removed",
-    "type": "story"
-  },
   "dso-6x8o": {
     "deps": [],
     "priority": 1,
     "status": "closed",
-    "title": "Bug: record-test-status.sh allows re-recording with stale test results — hash updated without re-running tests",
+    "title": "Bug: record-test-status.sh allows re-recording with stale test results \u2014 hash updated without re-running tests",
     "type": "bug"
   },
   "dso-7n6c": {
@@ -265,13 +235,6 @@
     "title": "Extract review and evaluation sub-agents into dedicated plugin agents",
     "type": "epic"
   },
-  "dso-917w": {
-    "deps": [],
-    "priority": 1,
-    "status": "open",
-    "title": "As a DSO practitioner, sub-agents receive comprehensive anti-cover-up guidance in active prompt templates",
-    "type": "story"
-  },
   "dso-94ya": {
     "deps": [],
     "priority": 2,
@@ -514,15 +477,6 @@
     "title": "Implement bridge-inbound.py: inbound Jira comment pull with dual-key dedup",
     "type": "task"
   },
-  "dso-fqye": {
-    "deps": [
-      "dso-6r3o"
-    ],
-    "priority": 2,
-    "status": "closed",
-    "title": "Update project docs to reflect CI ticket removal",
-    "type": "story"
-  },
   "dso-fucm": {
     "deps": [],
     "priority": 4,
@@ -668,13 +622,6 @@
     "title": "GREEN: Add abbreviated clarification loop to HOOK-INJECTION.md",
     "type": "task"
   },
-  "dso-jjli": {
-    "deps": [],
-    "priority": 2,
-    "status": "open",
-    "title": "merge-to-main.sh 'merge' phase name misleads agents into thinking code is on main",
-    "type": "bug"
-  },
   "dso-khl2": {
     "deps": [],
     "priority": 2,
@@ -697,7 +644,7 @@
     ],
     "priority": 2,
     "status": "open",
-    "title": "Optimize /dso:sprint skill — prune bloat, merge phases, remove Task tracking",
+    "title": "Optimize /dso:sprint skill \u2014 prune bloat, merge phases, remove Task tracking",
     "type": "epic"
   },
   "dso-lm92": {
@@ -802,13 +749,6 @@
     "title": "Fix: add test for source-file-is-test-file edge case in fuzzy-match tests",
     "type": "bug"
   },
-  "dso-pcgh": {
-    "deps": [],
-    "priority": 1,
-    "status": "open",
-    "title": "Sub-agents create tickets with type 'task' instead of 'bug' when tracking discovered bugs",
-    "type": "bug"
-  },
   "dso-psan": {
     "deps": [
       "w22-45i1",
@@ -823,14 +763,7 @@
     "deps": [],
     "priority": 1,
     "status": "closed",
-    "title": "Bug: stat -f || stat -c fallback pattern broken on Linux — stat -f succeeds with wrong semantics",
-    "type": "bug"
-  },
-  "dso-ptzz": {
-    "deps": [],
-    "priority": 2,
-    "status": "open",
-    "title": "sprint-next-batch.sh treats tk dep blockers as file conflicts, preventing non-overlapping tasks from batching",
+    "title": "Bug: stat -f || stat -c fallback pattern broken on Linux \u2014 stat -f succeeds with wrong semantics",
     "type": "bug"
   },
   "dso-pwt7": {
@@ -840,7 +773,7 @@
     ],
     "priority": 2,
     "status": "open",
-    "title": "Integration test: full discover → generate → validate → write workflow for new project",
+    "title": "Integration test: full discover \u2192 generate \u2192 validate \u2192 write workflow for new project",
     "type": "task"
   },
   "dso-pxos": {
@@ -1138,7 +1071,7 @@
     "deps": [],
     "priority": 1,
     "status": "closed",
-    "title": "test-batched.sh state file not isolated by repo/worktree — causes cross-session interference",
+    "title": "test-batched.sh state file not isolated by repo/worktree \u2014 causes cross-session interference",
     "type": "bug"
   },
   "w20-fxpu": {
@@ -1153,7 +1086,7 @@
     "parent": "w22-ku13",
     "priority": 3,
     "status": "open",
-    "title": "generate-test-index.sh broader scan is O(n*m) — extremely slow on repos with many files",
+    "title": "generate-test-index.sh broader scan is O(n*m) \u2014 extremely slow on repos with many files",
     "type": "task"
   },
   "w20-keta": {
@@ -1167,7 +1100,7 @@
     "deps": [],
     "priority": 2,
     "status": "open",
-    "title": "Multiple [LOCK] tickets for debug-everything — no cleanup after session ends",
+    "title": "Multiple [LOCK] tickets for debug-everything \u2014 no cleanup after session ends",
     "type": "bug"
   },
   "w20-w7pm": {
@@ -1208,7 +1141,7 @@
     "deps": [],
     "priority": 1,
     "status": "open",
-    "title": "Ticket system v3 — migration from tk and cutover",
+    "title": "Ticket system v3 \u2014 migration from tk and cutover",
     "type": "epic"
   },
   "w21-25mq": {
@@ -1307,7 +1240,7 @@
     ],
     "priority": 1,
     "status": "closed",
-    "title": "Ticket system v3 — dependency management, cross-worktree sync, and conflict resolution",
+    "title": "Ticket system v3 \u2014 dependency management, cross-worktree sync, and conflict resolution",
     "type": "epic"
   },
   "w21-5mr1": {
@@ -1410,7 +1343,7 @@
     ],
     "priority": 1,
     "status": "closed",
-    "title": "Ticket system v3 — Jira bridge and LLM-optimized output",
+    "title": "Ticket system v3 \u2014 Jira bridge and LLM-optimized output",
     "type": "epic"
   },
   "w21-chse": {
@@ -1485,7 +1418,7 @@
     "parent": "dso-9xnr",
     "priority": 3,
     "status": "open",
-    "title": "dso-setup.sh supplement_template_file uses cat for append — not in _make_tool_path fake PATH",
+    "title": "dso-setup.sh supplement_template_file uses cat for append \u2014 not in _make_tool_path fake PATH",
     "type": "bug"
   },
   "w21-epz2": {

.tickets/archive/dso-0ey5.md

@@ -0,0 +1,83 @@
+---
+id: dso-0ey5
+status: closed
+deps: [dso-9mvn, dso-1dws]
+links: []
+created: 2026-03-22T15:44:28Z
+type: task
+priority: 2
+assignee: Joe Oakhart
+parent: w22-ond9
+---
+# Add YAML validation, command sanitization, and edge-case handling to ci-generator.sh
+
+
+## Description
+
+Extend plugins/dso/scripts/ci-generator.sh with YAML validation, command sanitization, and edge-case robustness.
+
+Implementation steps:
+1. Command sanitization: apply allowlist filter (alphanumeric, space, '-', '_', '/', '.', ':', '=') to suite command strings before embedding in YAML. Reject/strip anything else.
+2. YAML validation: after generating YAML to a temp path:
+   a. If actionlint is on PATH: run actionlint <temp_file>; non-zero = exit 2, do not write
+   b. Else: python3 -c "import yaml; yaml.safe_load(open('<temp_file>').read())" ; exception = exit 2
+   c. On validation success: move temp file to final destination
+3. Edge cases:
+   - Empty suite list: write no files, exit 0
+   - Special characters in suite name: normalize to valid job ID (lowercase, replace non-alphanumeric with '-', collapse repeated '-')
+   - All-unknown suites in --non-interactive: write all to ci-slow.yml
+4. Interactive speed_class prompting:
+   - For each unknown suite: prompt "Is [name] a fast test (<30s) or slow test? [fast/slow/skip] (default: slow): "
+   - On Enter with no input: treat as slow
+   - 'skip': omit this suite from generated workflows
+
+TDD REQUIREMENT: Depends on dso-9mvn RED tests. All tests added in dso-9mvn must pass GREEN after this task. Also depends on dso-1dws (base generator).
+
+Security note: [Security] tag from story — suite commands come from user project config and could contain injection attempts. The allowlist sanitization prevents shell injection in generated YAML.
+
+## ACCEPTANCE CRITERIA
+
+- [ ] bash tests/run-all.sh passes (exit 0)
+  Verify: cd $(git rev-parse --show-toplevel) && bash tests/run-all.sh
+- [ ] ruff check passes (exit 0)
+  Verify: ruff check plugins/dso/scripts/*.py tests/**/*.py
+- [ ] ruff format --check passes (exit 0)
+  Verify: ruff format --check plugins/dso/scripts/*.py tests/**/*.py
+- [ ] test_command_sanitization_strips_metacharacters passes
+  Verify: cd $(git rev-parse --show-toplevel) && bash tests/scripts/test-ci-generator.sh 2>&1 | grep -q 'PASS.*test_command_sanitization'
+- [ ] test_yaml_validation_blocks_invalid_yaml passes
+  Verify: cd $(git rev-parse --show-toplevel) && bash tests/scripts/test-ci-generator.sh 2>&1 | grep -q 'PASS.*test_yaml_validation_blocks_invalid_yaml'
+- [ ] test_temp_then_move_pattern passes
+  Verify: cd $(git rev-parse --show-toplevel) && bash tests/scripts/test-ci-generator.sh 2>&1 | grep -q 'PASS.*test_temp_then_move'
+- [ ] All test-ci-generator.sh tests pass
+  Verify: cd $(git rev-parse --show-toplevel) && bash tests/scripts/test-ci-generator.sh; test $? -eq 0
+
+## Notes
+
+**2026-03-22T17:04:53Z**
+
+CHECKPOINT 1/6: Task context loaded ✓
+
+**2026-03-22T17:05:26Z**
+
+CHECKPOINT 2/6: Code patterns understood ✓
+
+**2026-03-22T17:05:36Z**
+
+CHECKPOINT 3/6: Tests written (RED tests pre-exist) ✓
+
+**2026-03-22T17:06:50Z**
+
+CHECKPOINT 4/6: Implementation complete ✓
+
+**2026-03-22T17:07:00Z**
+
+CHECKPOINT 5/6: Validation passed ✓
+
+**2026-03-22T17:07:38Z**
+
+CHECKPOINT 6/6: Done ✓ — Note: AC grep patterns use 'PASS.*test_name' but output format is 'test_name ... PASS'; underlying tests all pass (28 PASSED, 0 FAILED, exit 0)
+
+**2026-03-22T17:09:56Z**
+
+CHECKPOINT 6/6: Done ✓ — Files: plugins/dso/scripts/ci-generator.sh. Tests: 28 GREEN.