rune

Rune skill ecosystem — interconnected workflows for the full project lifecycle. Use /rune <action> to invoke skills.

Build safety nets BEFORE refactoring — characterization tests capturing current behavior, boundary markers, config freeze, rollback tags. MUST run before surgeon.

Static analysis tool runner — unified wrapper for ESLint, Semgrep, Bandit, Clippy, govulncheck. Normalized severity output (BLOCK/WARN/INFO). Use for deep security analysis beyond lint.

Autonomous project bootstrapper — 0 to production-ready. Orchestrates ba → plan → design → fix → test → docs → git → verify in one pipeline. Generated projects MUST build and pass tests.

Fast codebase scanner for file discovery and pattern matching. Spawned by scout, onboard, and other skills needing project structure analysis. Read-only, max 10 file reads.

Passive scope monitor — compares git changes against plan, flags out-of-scope files. Advisory only (does not block). Auto-triggered by L1 orchestrators when changes exceed plan.

Fast codebase scanner — finds files, patterns, dependencies, project structure. Pure read-only. Use BEFORE planning, fixing, reviewing, or refactoring.

Environment pre-flight check — validates OS, runtime versions, tools, ports, env vars, disk space BEFORE coding. Prevents 'works on my machine' failures. Like sentinel but for the environment.

Security gatekeeper — blocks unsafe code BEFORE commit. Secret scanning, OWASP top 10, dependency audit, destructive command detection. BLOCK verdict stops pipeline.

Multi-variable analysis where factors are interdependent — evaluates in dependency order, checks second-order effects. Use when >3 interacting variables with cascading downstream effects.

Cross-session context persistence — auto-saves decisions, conventions, progress, instincts to .rune/ files. Loads + integrity-checks at session start. Auto-triggered before compaction.

The skill that builds skills — TDD-driven: baseline test → write skill → verify → refactor → integrate into mesh. Use for creating or editing Rune skills.

Meta-enforcement layer — routes EVERY agent action through the correct skill before any code is written. Always active. Prevents 'just this once' bypasses.

Generate Marp-compatible slide decks from structured JSON schema. Tech talks, sprint demos, tutorials. Outputs presentation-ready markdown via build-deck.js.

Incremental refactorer — ONE module per session, tests after EVERY edit, max 5 files blast radius. Requires safeguard to have run first. Use within rescue workflow.

Multi-agent meta-orchestrator for large tasks (5+ files or 3+ modules). Decomposes work into parallel workstreams with worktree isolation. Use when task is too big for a single cook session.

TDD test writer — writes FAILING tests FIRST (RED), then verifies they pass after implementation (GREEN). Iron Law: code before test = DELETE and restart.

Market intelligence — competitor analysis, technology trends, community sentiment. Scans Product Hunt, GitHub Trending, HN, Reddit. Use for positioning, not API docs.

Universal verification runner — lint, type-check, tests, build. 3-level file quality: EXISTS → SUBSTANTIVE → WIRED. Use after any code change, before commit.

Video content PLANNING — narration scripts with timing, storyboards, shot lists, asset checklists. Plans only, not actual video production. Platform-aware (YouTube/Twitter/TikTok/Loom).

Post-deploy monitoring — HTTP health checks, response time measurement, error detection. Called by deploy/launch to verify live site. Precision over recall (no false alarms).

Git worktree lifecycle — create isolated workspaces for parallel development, manage branches, cleanup. Max 3 active worktrees. Called by team for parallel streams.

Pre-implementation red-team analysis. Challenges plans BEFORE code is written — edge cases, security holes, scalability bottlenecks, error propagation. Catches flaws at plan time (10x cheaper).

Architecture and planning agent. Spawned by plan, brainstorm, team, autopsy for strategic analysis, system design, and trade-off evaluation.

Creates code-based visual assets — SVG icons, OG image HTML, social banners, icon sets. Code-only output (not raster PNG/JPG). Use browser-pilot + screenshot for raster.

Comprehensive 8-dimension project health audit — dependencies, security, code quality, architecture, performance, infrastructure, documentation, mesh analytics. Produces AUDIT-REPORT.md.

Full codebase health assessment — quantified health scores (0-100) per module across 6 dimensions. Identifies highest tech debt. Use for rescue RECON or project diagnosis.

Business Analyst — deep requirement elicitation BEFORE planning or coding. Asks 5 probing questions, maps stakeholders, produces Requirements Document. Use when task is non-trivial or vague.

Creative ideation — generates 2-3 approaches with trade-offs. Use when multiple valid paths exist or current approach has failed. Hands off to plan.

Playwright browser automation — navigate URLs, screenshot, interact with UI, check accessibility, capture console errors. Max 20 interactions. MUST close browser when done.

Code writing and editing agent. Spawned by fix, test, surgeon when they need to write actual code. Follows parent skill instructions precisely.

Lie detector for agent claims — validates every completion claim has actual evidence. Default-FAIL mindset. Use as final gate before merge/commit.

Internal affairs auditor — checks whether HARD-GATEs and constraints were actually followed during workflow. Uses tool call ordering, not agent self-report.

Context window management — tracks tool call count, auto-detects when context fills up, triggers state save + compaction. Artifact folding for large outputs (>4000 chars → file + preview).

Creates structured handoff briefings between agents. Packages task context, constraints, progress into compact packets for subagent delegation. Prevents 'lost context' in multi-agent workflows.

Feature implementation orchestrator — handles 70% of requests. Full TDD cycle: understand → plan → test → implement → verify → commit. Use for ANY code modification (features, bugs, refactors, security).

Database workflow specialist — migration generation (up + down), breaking change detection, index recommendations, SQL injection scanning. Use when schema changes detected.

Root cause analysis ONLY — investigates errors, traces stack traces, forms/tests hypotheses. Does NOT fix code. Hands diagnosis to fix. Use when root cause is unknown.

Dependency health management — outdated packages, vulnerabilities (CVE), breaking change risk for major bumps. Health score 0-100. Prioritized update plan: CRITICAL → SECURITY → PATCH → MINOR → MAJOR.

Deploy to target platform — Vercel, Netlify, Fly.io, AWS, VPS. Pre-deploy verification + security gates. Tests and sentinel MUST pass first.

Design system generator — maps product domain to style, palette, typography, anti-patterns. Creates .rune/design-system.md. Use BEFORE any frontend code generation.

Generate and parse office documents — PDF, DOCX, XLSX, PPTX, CSV. Pure format utility for creating reports, exporting data, processing uploaded documents.

Documentation lookup — API signatures, examples, deprecation status. Priority: Context7 → llms.txt → WebSearch. Use for API reference, not general research.

Auto-generate and maintain project documentation — README, API docs, architecture docs, changelogs. Keeps docs in sync with code. The 'docs are never outdated' skill.

Apply code changes from diagnosis or review findings. Locate → change → verify → report. Does NOT investigate — that's debug's job. Use after debug diagnosis or review findings.

Specialized git operations — semantic commits, PR descriptions, branch naming, changelog generation, release tagging. Convention-aware utility replacing ad-hoc git commands.

Post-generation validation — catches hallucinated imports, phantom functions, non-existent packages, typosquatting. Use after code generation, before commit.

Structured incident response — triage (P1/P2/P3), contain, verify, root-cause, postmortem. Use when production is down or degraded. Contain BEFORE investigating.

Detect adversarial content in .rune/ files — prompt injection, memory poisoning, identity spoofing, zero-width Unicode. Verdict: CLEAN/SUSPICIOUS/TAINTED.

Persistent state tracking across sessions — records decisions with rationale, progress, risks, ADRs to .rune/ files. Called by surgeon, deploy, rescue for cross-session continuity.

Deploy + marketing orchestrator. Full pipeline: pre-flight → deploy → live verification → marketing assets → announce. Use when shipping to production.

Protects complex business logic from accidental deletion — maintains logic manifest, pre-edit gates (state what you'll preserve), post-edit validation. Use on trading bots, payment systems, state machines.

Create marketing assets — landing copy, social posts, SEO meta, video scripts, slides. Based on actual product capabilities, never aspirational claims.

Build MCP servers from specs — generates tool definitions, resource handlers, test suites. Supports TypeScript (official SDK) and Python (FastMCP). Multi-provider adapter pattern.

Cross-session cognitive persistence via Neural Memory MCP. Captures decisions, patterns, errors, insights with semantic links. Bridges file-based state (session-bridge) with semantic graph.

Auto-generate project context — scans codebase, creates CLAUDE.md + .rune/ directory so every future AI session starts with full context. Use on first session.

Performance regression gate — detects N+1 queries, sync-in-async, missing indexes, memory leaks, bundle bloat. Investigate only, does NOT fix. Use before commit or deploy.

Create structured implementation plans. Produces master plan + phase files for non-trivial work (3+ phases, 5+ files). Use before multi-phase implementation.

Pre-commit quality gate — catches 'almost right' code. Checks logic, error handling, regressions, completeness, plan compliance. BLOCK verdict stops commit.

Structured reasoning — applies McKinsey-grade frameworks (5 Whys, Fishbone, First Principles, SCAMPER) with mandatory bias detection. Use for complex multi-factor problems, not simple linear analysis.

Legacy refactoring orchestrator for messy codebases (health <40). Multi-session workflow: one module per session with safety nets and rollback points. Use for modernization, not features.

Web research — gathers data on technologies, libraries, best practices. Min 3 sources per conclusion, max 5 WebFetch calls. Use for external data gathering, not API docs (use docs-seeker).

Web research and documentation agent. Spawned by research, docs-seeker, trend-scout for external information gathering. Min 3 sources per conclusion.

Engineering retrospective — analyzes commit history, work patterns, code quality metrics. Per-person breakdowns, shipping streaks, actionable improvements. READ-ONLY, never modifies code.

Process external review feedback — read ALL items first, verify claims against codebase, then implement in priority order. Use when receiving PR comments or code review.

Code quality review — checks correctness, security, performance, conventions, coverage. Every finding needs file:line. Triggers fix or test for issues found.

Code review and security analysis agent. Spawned by review, sentinel, preflight for quality and security checks. Every finding must have file:line evidence.

Meta-validator for HARD-GATEs. Use when auditing whether a skill's mandatory constraints were actually followed during a workflow (not just claimed). Called by cook, team, and audit for discipline compliance.

Git worktree lifecycle management. Use when team needs parallel isolated workspaces for multi-stream development, or when an experiment must not touch the main working tree. Creates isolated workspaces, manages branches, handles cleanup. Called by team and cook.

Validates agent claims against evidence trail. Use when verifying an agent has actually done what it claims — auto-fires at workflow end. Catches 'done' without proof, 'tests pass' without output, 'fixed' without verification. Called by cook and team.

Generate and parse office documents — PDF, DOCX, XLSX, PPTX, CSV. Use when creating reports, exporting tabular data, or processing uploaded office files. NOT for project documentation (use docs).

Find documentation for APIs, libraries, and error messages. Looks up official docs, changelog entries, and migration guides.

Auto-generate and maintain project documentation. Creates README, API docs, architecture docs, changelogs, and keeps them in sync with code changes. The "docs are never outdated" skill.

Apply code changes and fixes. Writes implementation code, applies bug fixes, and verifies changes with tests. Core action hub in the development mesh.

Specialized git operations — semantic commits, PR descriptions, branch management, conflict resolution guidance. Replaces ad-hoc git commands with a dedicated, convention-aware utility.

Video content planning. Writes narration scripts, storyboards, shot lists, and asset checklists. Saves plan to marketing/video-plan.md.

Post-deploy monitoring. Use when verifying a deployed app is healthy after deploy or launch — auto-fires from launch/deploy. Checks HTTP status, response times, error detection, and smoke test report.

Business Analyst agent. Use when starting a new feature requiring requirements elicitation BEFORE plan or cook. Asks probing questions, identifies hidden requirements, maps stakeholders, defines scope boundaries, and produces a structured Requirements Document that plan and cook consume.

Playwright browser automation. Navigates URLs, takes screenshots, checks accessibility tree, interacts with UI elements, and reports findings.

Pre-implementation red-team analysis. Use when a plan is high-risk, critical path, or expensive to reverse. Challenges plans before code is written — finds edge cases, security holes, scalability bottlenecks, error propagation risks, and integration conflicts. Catches flaws at plan time (10x cheaper than post-implementation).

Creates code-based visual assets — SVG icons, OG image HTML templates, social banners, and icon sets. Outputs files with usage instructions.

Comprehensive project audit — security, dependencies, code quality, architecture, performance, infra, docs, and mesh analytics. Delegates to specialist skills and generates an 8-dimension health score.

Full codebase health assessment. Use when diagnosing project health or starting a rescue workflow on legacy code. Analyzes complexity, dependencies, dead code, tech debt, and git hotspots. Produces a health score and rescue plan.

Creative ideation and solution exploration. Generates multiple approaches with trade-offs, uses structured frameworks (SCAMPER, First Principles), and hands off to plan for structuring.

Context window management. Auto-triggered when context is filling up. Triggers smart compaction and preserves critical information across compaction boundaries. Called by L1 orchestrators at context thresholds.

Creates structured handoff briefings between agents. Use when delegating complex work to subagents that would otherwise lose context. Packages task context, constraints, and progress into a compact packet that subagents can consume without re-reading the full conversation. Prevents the 'lost context' problem in multi-agent delegation.

Feature implementation orchestrator. ALWAYS use this skill for ANY code change — implement, build, add feature, create, fix bug, or any task that modifies source code. This is the default route for 70% of all requests. Runs full TDD cycle: understand → plan → test → implement → quality → verify → commit.

Database workflow specialist. Generates migration files with rollback scripts, detects breaking schema changes, and validates query parameterization.

Root cause analysis for bugs and unexpected behavior. Traces errors through code, uses structured reasoning, and hands off to fix when cause is found. Core of the debug↔fix mesh.

Dependency health management. Detects package manager, checks outdated packages and vulnerabilities, and produces a prioritized update plan.

Deploy application to target platform. Use when user explicitly says 'deploy', 'push to production', 'ship it'. Handles Vercel, Netlify, AWS, GCP, DigitalOcean, and VPS with pre-deploy verification and health checks.

Design system reasoning. Maps product domain to style, palette, typography, and platform-specific patterns. Generates .rune/design-system.md as the shared design contract for all UI-generating skills.

Clone, port, or convert features from any GitHub repo into your project. Use when stealing patterns from external repos or porting proven code. Understand before copy, challenge before implement. 4 modes: port (rewrite), compare (analysis), copy (transplant), improve (copy + optimize).

Verify AI-generated imports, API calls, and packages actually exist. Use when finishing AI-generated code that introduces new imports or external API calls — auto-fires after fix/cook to catch phantom functions, non-existent packages, and slopsquatting attacks.

Find architectural friction in a codebase and propose deepening opportunities. Use when user wants to improve architecture, find refactor candidates, consolidate shallow modules, or make a codebase more testable. Outputs scored proposals (depth/leverage/locality) that surgeon and review can consume.

Structured incident response. Use when user reports an outage, production error, or says 'incident', 'something is down', 'users are affected'. Triage severity, contain blast radius, root-cause, document timeline, generate postmortem.

Verify integrity of persisted state, skill outputs, and context bus data. Use when validating .rune/ files or sub-agent outputs against prompt injection, memory poisoning, identity spoofing, or adversarial payloads. Called by sentinel, team, session-bridge.

Persistent state tracking and Architecture Decision Records across sessions. Use when recording a decision, ADR, or progress that must survive session boundaries. Manages progress state, module health, dependency graphs, and ADRs for any workflow.

Deploy + marketing orchestrator. Use when user says 'launch', 'ship to production', 'deploy and announce', or 'go live'. Runs the full pipeline — pre-flight tests, deployment, live verification, marketing asset creation, and announcement.

Protects complex business logic from accidental deletion or overwrite. Use when editing payment, trading, state-machine, or other load-bearing business logic where a single deleted line can cause silent data corruption. Maintains a logic manifest, enforces pre-edit gates, validates post-edit diffs.

Create marketing assets and execute launch strategy. Generates landing copy, social banners, SEO meta, blog posts, and video scripts.

Build Model Context Protocol servers from specifications. Use when creating an MCP server for a tool, resource, or service that AI agents should access. Generates tool definitions, resource handlers, and test suites in TypeScript or Python (FastMCP).

Cross-session cognitive persistence via Neural Memory MCP. Captures decisions, patterns, errors, and insights with rich semantic links. Provides recall, hypothesis tracking, and evidence-based reasoning across projects.

Auto-generate project context for AI sessions. Use when starting on a new repo for the first time, or when CLAUDE.md / .rune/ context is missing or stale. Scans codebase and creates the setup so every future session starts with full context.

Performance regression gate. Detects N+1 queries, sync-in-async, missing indexes, memory leaks, and bundle bloat before they reach production.

Create structured implementation plans from requirements. Produces master plan + phase files for enterprise-scale project management. Master plan = overview (<80 lines). Phase files = execution detail (<150 lines each). Each session handles 1 phase. Uses opus for deep reasoning.

Pre-commit quality gate that catches 'almost right' code. Use when about to commit — auto-fires before commit to validate logic correctness, error handling, regressions, and completeness. Goes beyond linting.

Structured reasoning frameworks for complex problems. 19 analytical frameworks, 12 cognitive bias detectors, 10 decomposition methods, 10 mental models, Cynefin domain classification, ethical dimension check, and 6 communication patterns. McKinsey-grade problem solving for AI coding assistants.

Legacy refactoring orchestrator. Use when user says 'refactor', 'modernize', 'clean up this mess', 'rescue', or when dealing with old/messy/legacy code. Multi-session workflow — autopsy, safety net, incremental surgery, progress tracking.

Web search and external knowledge lookup. Gathers data on technologies, libraries, best practices, and competitor solutions.

Engineering retrospective. Analyzes commit history, work patterns, and code quality metrics with trend tracking. Per-person breakdowns, shipping streaks, and actionable improvements. Use when asked for "retro", "weekly review", "what did we ship", or "engineering retrospective".

Use when receiving external input that needs structured intake before action — PR review feedback, code review comments, OR issue tracker items (bug reports, feature requests). PR Review Mode (default) verifies suggestions before implementing. Issue Triage Mode classifies issues into a state machine (ready-for-agent / ready-for-human / needs-info / wontfix) and emits AGENT-BRIEFs for AFK execution. Prevents blind implementation, enforces verification-first discipline.

Code quality review — patterns, security, performance, correctness. Finds bugs, suggests improvements, triggers fix for issues found. Escalates to opus for security-critical code.

Build safety nets before refactoring. Use when running surgeon or any risky refactor that needs a rollback point. Creates characterization tests, boundary markers, config freezes, and rollback points.

Static analysis tool runner. Wraps ESLint, Semgrep, Bandit, Clippy, and language-specific analyzers with unified severity output. Use when deeper code analysis needed beyond pattern matching.

Autonomous project bootstrapper. Generates complete project from a description — structure, code, tests, docs, config. Orchestrates ba → plan → design → fix → test → docs → git in one pipeline. The "0 to production-ready" skill.

Detects scope creep by quantifying drift percentage. Auto-triggered by L1 orchestrators when files exceed the original plan. Compares git changes against plan, classifies drift into 4 tiers: ON_TRACK, MINOR_DRIFT, SIGNIFICANT_DRIFT, OUT_OF_CONTROL.

Fast codebase scanner. Use when any skill needs codebase context. Finds files, patterns, dependencies, project structure. Pure read-only — never modifies files.

Environment-aware pre-flight check. Use when starting work in a new environment, switching machines, or when 'works on my machine' bugs surface. Validates OS, runtime versions, installed tools, port availability, env vars, and disk space BEFORE coding starts. Like sentinel but for the environment, not the code.

Scan market trends, competitor activity, and emerging patterns. Monitors Product Hunt, GitHub Trending, HackerNews, and social platforms.

Universal verification runner. Runs lint, type-check, tests, and build. Use after any code change to verify nothing is broken.

Automated security gatekeeper. Blocks unsafe code before commit — secret scanning, OWASP top 10, dependency audit, permission checks. A GATE, not a suggestion.

Step-by-step complex reasoning for multi-variable problems. Breaks interconnected decisions into ordered logical steps with bias detection, reversibility classification, and second-order effect tracking.

Universal context persistence across sessions. Auto-saves decisions, conventions, and progress to .rune/ files. Loads state at session start. Use when any skill makes architectural decisions or establishes patterns that must survive session boundaries.

Use when creating new Rune skills, editing existing skills, or verifying skill quality before deployment. Applies TDD discipline to skill authoring — test before write, verify before ship.

Meta-enforcement layer that routes EVERY agent action through the correct skill. MUST check this routing table before ANY response involving code, files, or technical decisions. Default: route to rune:cook for code tasks. Prevents rationalization, enforces check-before-act discipline.

Generate Marp-compatible slide decks from structured JSON schema. Converts context into presentations for tech talks, sprint demos, and tutorials.

Incremental refactorer. Use within a rescue workflow after safeguard has set up safety nets. Refactors ONE module per session using proven patterns — Strangler Fig, Branch by Abstraction, Expand-Migrate-Contract.

Multi-agent meta-orchestrator. Use when task spans 5+ files or 3+ modules, or when user says 'parallel', 'split this up', 'do all of these'. Decomposes large tasks into parallel workstreams, assigns to isolated cook instances, coordinates merging.

TDD test writer. Writes failing tests FIRST (red), then verifies they pass after implementation (green). Covers unit, integration, and e2e tests.

10 hooks across 6 events