curdx-flow

Systematic debugging — 4-phase methodology (root cause → pattern → hypothesis → fix); ≥3 failures triggers architectural questioning. Dispatches flow-debugger.

Ultra-fast execution — skip all spec phases and implement directly per the description. Suited for one-shot small tasks.

Show CurDX-Flow command list, workflow overview, or troubleshooting guide. With a command name, show that command's detail.

Execute spec tasks — the Strategy Router picks linear/subagent/stop-hook/wave based on task characteristics. Atomic commit per task.

Initialize the CurDX-Flow project structure (create the .flow/ directory and core files)

Two-stage code review — Stage 1 spec compliance, Stage 2 code quality. Optional flags add adversarial review or edge-case hunting.

Generate or refresh a feature specification. By default runs research → requirements → design → tasks in sequence. Flags let you target a single phase, stop early, regenerate, or tack on a multi-dimensional planning review.

Smart entry point — create a new spec, resume an existing one, or switch between specs. Replaces v1's /start + /switch.

Goal-backward verification — trace from every FR / AC / AD in the spec to the code and tests, detect stubs and fake completions. The differentiator command. Optionally adds multi-source coverage audit with --strict.

Adversarial review agent — forced to find problems. "Zero findings" triggers re-analysis. Core of Enterprise mode.

Architecture design agent — uses sequential-thinking proportional to the genuine tradeoff surface to decide technology selection, component boundaries, and error path design. Produces design.md.

Systematic debugging agent — 4-phase methodology (root cause → pattern → hypothesis → fix); repeated failures (typically after a few attempts probing different hypotheses) trigger architectural questioning. Inherited from superpowers.

Edge case hunter — specifically searches for non-happy-paths. Systematic check via a 7-category taxonomy. Produces edge-cases.md.

Task execution agent — runs a single task from tasks.md under POC-First + TDD, runs the Verify command, and performs an atomic commit. Follows Karpathy's surgical principles.

Task breakdown agent — turns design into an auto-verifiable task list under POC-First 5 Phases. Performs multi-source coverage audit to ensure nothing is missed. Produces tasks.md.

Product design agent — translates research's technical direction into user stories + acceptance criteria + FR/NFR. Produces requirements.md.

QA engineer agent — uses chrome-devtools MCP to run user flows in a real Chrome, capturing errors/performance/accessibility issues. Produces qa-report.md.

Research analysis agent — uses WebSearch + context7 + claude-mem + sequential-thinking for deep exploration of a problem. Produces research.md. Dispatched during a spec's research phase.

Code review agent — runs Two-Stage Review (Stage 1 spec compliance + Stage 2 code quality). Applies all enabled Gates. Produces review-report.md.

Security audit agent — OWASP Top 10 + STRIDE threat modeling + dependency CVE scan. Produces security-audit.md.

Epic decomposition agent — decomposes large features into vertical slices by user value, generating a dependency graph + multiple sub-specs. Produces epic.md.

UI pattern research agent — analyzes reference sites / competitors, scans the codebase for UI patterns. Uses chrome-devtools screenshots + WebSearch.

UX design agent — invokes the frontend-design skill to generate tasteful UI. Outputs HTML sketches + design decisions.

Goal-backward verification agent — starts from spec FR/AC/AD to verify the code truly implements them. Detects stubs / fake completion. Produces verification-report.md.

Invoke when the user is new to an unfamiliar / legacy / brownfield codebase and wants a structural understanding — module map, component inventory, API surface, data flow. Triggers on "legacy code", "brownfield", "unfamiliar", "new to this code", "new to this project", "just joined", "inherited codebase", "explore codebase", "understand structure", "index code", "map modules", "tour", "onboard", "what is this project".

Invoke when the user wants to test a UI/frontend in a real browser — accessibility, performance, console errors, network traffic, visual regression. Triggers on "browser test", "test in browser", "UI test", "e2e test", "frontend test", "accessibility", "a11y", "WCAG", "lighthouse", "performance audit", "console error", "network request", "cross-browser", "responsive", "mobile test", "visual regression", "screenshot".

Invoke when user wants to break a large feature into multiple smaller specs with a dependency graph. Triggers on "epic", "big feature", "too big", "decompose", "break down", "break into", "split into", "multi-spec", "multiple features", "sub-features", "vertical slice", "parent feature", "large scope", "won't fit in one sprint", "needs splitting".

Invoke when the user wants a security review — OWASP Top 10, STRIDE threat modeling, credential handling, injection, secrets, sensitive data handling. Triggers on "security", "auth", "authentication", "credential", "password", "secret", "API key", "token", "OWASP", "STRIDE", "CVE", "vulnerability", "injection", "XSS", "CSRF", "SSRF", "SQL injection", "hardcoded secret", "sensitive data", "leak", "will my API key leak", "is this safe".

Invoke when the user wants UI design drafts — components, layouts, variants, mockups, CSS/theme/styling decisions. Triggers on "design UI", "UI design", "component layout", "variants", "wireframe", "mockup", "prototype", "sketch", "draft layout", "visual design", "styling", "CSS", "theming", "dark mode", "responsive design", "color scheme", "build me a UI", "show several variants", "try different colors".

4 hooks across 3 events