Releases: cham-space/AICAM
Release list
AICAM v1.3.3 Release
AICAM v1.3.3 Release Notes
Release Date: 2026-04-25
Since: v1.3.2
Type: Minor β security hardening + new command
π Security
Anti-Silent-Bypass Gate (P0-1 Fix)
security.gate.md gains Layer 0: Tool Availability Pre-check β executed before any scan:
| Condition | Action |
|---|---|
| β₯1 native tool (gitleaks/semgrep) available | Proceed to actual scan |
| All native tools missing + Docker available | Use Docker fallback commands |
| All tools missing + no Docker | Present user with install options or CONFIRM-SKIP |
| No resolution achieved | β BLOCKED β commit refused |
Docker fallback commands:
- gitleaks:
docker run --rm -v "$(pwd)":/src zricethezav/gitleaks detect --source /src --no-git - semgrep:
docker run --rm -v "$(pwd)":/src returntocorp/semgrep semgrep scan --config=auto --error
commit.md security scan restructured from advisory step to 3-step mandatory hard gate:
- Tool Availability Check (Layer 0)
- Execute Available Scans (run whichever layers are actually executable)
- Gate Decision (read Gate Status Determination table β act on result)
diagnose.md Section 5 adds Security Gate Viability row:
| Condition | Status |
|---|---|
| β₯1 native tool available | β Gate functional |
| Docker available as fallback | |
| No tools + no Docker | β Gate non-functional β commits unprotected |
Tool table expanded: +Docker (fallback) row, +Commit-msg hook symlink check.
.gitleaks.toml Fix
Removed unsupported top-level title key that caused gitleaks 8.x to fail config parsing (toml: expected character =). Replaced with comment to preserve the label.
π New Command
/aicam β Interactive Workflow Guide
In-app reference manual with 6 entry points, callable anytime without arguments for an interactive menu:
| Option | Content |
|---|---|
| 1. Workflow Overview | 5-Phase ASCII diagram + typical scenarios + quick-jump paths |
| 2. Command Reference | 16 commands grouped by Phase, one-line purpose each |
| 3. Navigate by Phase | "I'm at Phase X, what next?" β guidance per phase with gate rules and next-step prompts |
| 4. Skill Reference | 4 workspace skills + 4 superpowers skills, auto-trigger conditions, common traps |
| 5. Gate Reference | 6 gates with blocking conditions, exemption rules, and tool coverage |
| 6. Enablement Paths | L0-L3 with prerequisites, command sets, and guidance ("start with L1, upgrade anytime") |
Direct command lookup: /aicam /execute, /aicam hotfix β shows description, arguments, phase, pre-conditions, trigger type, related skills/gates, artifacts, and typical usage.
16-command reference table in the guide file provides phase association, trigger type, pre-condition, and next-step for every command in the system.
π Documentation
WORKFLOW.md
- Version header updated to v1.3.3
- Version history: +v1.3.3 entry (security anti-bypass + /aicam)
- System components table: commands 15β16,
/aicamadded to command list - Progressive enablement L0:
/hotfixβ/hotfix, /aicam - Directory structure comment: 15β16 commands
- New principle #19: Security scanning must not be silently skipped
README.md / README.en.md / README.zh.md
- All three variants synced to v1.3.3
- Version headers, history tables, system composition tables, L0 enablement paths updated
- Command count: 15β16 across all three files
diagnose.md
- Section 5: +Security Gate Viability assessment, +Docker availability check
- Section 6.5: Chinese annotations translated to English
- Output format: Security section expanded with viability + Docker status
π Files Changed
| File | Action | Lines |
|---|---|---|
.claude/gates/security.gate.md |
Modified | +52 lines β Layer 0 pre-check + Docker fallback + resolution protocol |
.claude/commands/commit.md |
Modified | +36 / β14 β 3-step mandatory security scan flow |
.claude/commands/diagnose.md |
Modified | +20 / β14 β Security Gate Viability + English localization |
.claude/commands/aicam.md |
New | 387 lines β Interactive workflow guide |
.claude/WORKFLOW.md |
Modified | +10 / β8 β v1.3.3 sync + principle #19 |
README.md |
Modified | +4 / β2 β v1.3.3 sync |
README.en.md |
Modified | +16 / β2 β v1.3.3 sync |
README.zh.md |
Modified | +16 / β2 β v1.3.3 sync |
RELEASE-v1.3.3.md |
New | This file |
.gitleaks.toml |
Fixed | 1 line β removed unsupported title key |
π Commit History (since v1.3.2)
| Commit | Message |
|---|---|
d8025ad |
feat(workflow): update to v1.3.3 β security gate anti-silent-bypass + /aicam interactive guide |
81239af |
docs: add AICAM maturity assessment v1.3.2 |
6fe78a6 |
fix: remove unsupported 'title' key from .gitleaks.toml |
c0dd6b7 |
docs: release v1.3.3 β update README and create release notes |
β¬οΈ Upgrade from v1.3.2
# Copy changed files to your project
cp .claude/gates/security.gate.md /path/to/project/.claude/gates/
cp .claude/commands/commit.md /path/to/project/.claude/commands/
cp .claude/commands/diagnose.md /path/to/project/.claude/commands/
cp .claude/commands/aicam.md /path/to/project/.claude/commands/
cp .claude/WORKFLOW.md /path/to/project/.claude/
# Install at least one security tool (recommended):
brew install gitleaks
# Verify:
/diagnoseNo breaking changes. All existing commands and gates continue to work as before.
Full Changelog: v1.3.3...v1.3.3
AICAM v1.3.2 Release
AICAM v1.3.2 Release Notes
Release Date: 2026-04-25
Since: v1.2.1
Assessment: 5 rounds of independent review, scoring 3.6 β 4.0 (L4 maturity)
ποΈ Architecture
Gate Adapter Layer
- New
.claude/gates/directory with 6 independent gate definition files:tdd.gate.mdβ TDD red-green-refactor gate with exemption/non-exemption checklistsmoke.gate.mdβ Smoke test gate with runtime health checkssecurity.gate.mdβ Security scanning gate (gitleaks + semgrep + dependency audit)contract.gate.mdβ API contract/naming consistency gatedestructive-op.gate.mdβ Destructive operation detection (CRITICAL/HIGH/MEDIUM)coverage.gate.mdβ Coverage gate with per-project-type thresholds
- Gates are decoupled from command scripts β reusable, independently maintainable
Eco-Adaptive CI Pipeline
- New
.github/workflows/aicam-gates.ymlβ fully automated quality gates - Preflight job auto-detects ecosystem (npm/python/go/cargo) and project type (web/rest-api/cli/worker/mobile/tauri)
- Conditional steps adapt to detected ecosystem β no manual configuration needed
- Security jobs: secrets-scan (gitleaks), sast-scan (semgrep), dependency-audit (ecosystem-specific)
- Test jobs: unit-tests + coverage per ecosystem, smoke-test with per-type branching
- oasdiff breaking change detection step in unit-tests job
- Mobile smoke generates actionable warning (requires device/emulator β not available in standard CI)
π Security
Three-Layer Security Scanning
- Local (pre-commit):
.githooks/pre-commitruns gitleaks + Spec-Lite existence check + large file detection - CI (PR gate): gitleaks (secrets) + semgrep (SAST) + ecosystem-specific dependency audit (npm/cargo/pip/govulncheck)
- Config files:
.gitleaks.toml(45 lines, 3 custom rules: generic-api-key, private-key, jwt-token),.commitlintrc.yaml
Git Hooks
pre-commitβ gitleaks secrets detection + CLAUDE.md size check + Spec-Lite existence + large file warningcommit-msgβ enforces Conventional Commits viacommitlint, blocks malformed messages- Both installed via
/onboardL3:ln -sf ../../.githooks/{hook} .git/hooks/{hook}
Gitleaks License Documentation
- CI
gitleaks-action@v2configured withcontinue-on-error: trueβ private repo without license degrades to warning /onboardL3 documents the license requirement andtrufflesecurity/trufflehog@mainas free alternative
π New Commands
/diagnose β One-Click Health Check
- Section 1-7: file existence, gate integrity, security tools, skills inventory, reference docs, template health
- Section 5: commit-msg hook symlink check (added v1.3.2)
- Section 6.5: Gate Execution Completeness β cross-references TDD/Smoke Log entries vs expected counts (anti-truncation)
/onboard β Interactive Setup
- Progressive 4-level enablement: L0 (zero-config, <5min) β L1 (minimal, <15min) β L2 (standard, <1hr) β L3 (advanced, <2hr)
- Each level has concrete steps with copy-paste commands
- L3 includes gitleaks/semgrep install, git hooks symlink, CI config, commitlint, MCP setup
/backend-test Skill
- New
.claude/skills/backend-test/SKILL.md - Covers REST API integration tests, database tests, and mock strategies
- Auto-triggers on backend test file creation, API integration test writing, DB fixture setup
π Metrics & Quality
M1-M5 Five-Dimensional Metrics
- M1 Phaseε¨ζ (cycle time) β git log auto-calculation with cross-platform fallback
- M2 δΈζ¬‘ιθΏη (first-pass rate) β formula defined
- M3 ζ΅θ―ε―εΊ¦ (test density) β per-AC coverage calculation
- M4 δΈδΈζεηΌ©ζη (context compression efficiency) β pre/post archive line ratio
- M5 ι¨η¦η»θΏη (gate bypass rate) β βΈοΈ status tracking
Anti-Truncation & Anti-Bypass
/diagnoseΒ§6.5: compares non-exempt task count vs TDD Log entries, Smoke Test checklist vs log entries/verify-phase: mandatory TDD/Smoke entry count vs gate comparison β mismatch blocks phase completion- CLAUDE-template: Known Issues persistent section (excluded from 150-line limit, auto-maintained by
/close-phase)
π Bug Fixes
Python Rest-API Smoke Fallback (v1.3.2)
- Replaced dead
[ -n "$SERVER_PID" ]check withpython -c "import uvicorn"availability detection - Flask/Django projects now correctly fallback to
python app.pyinstead of silently failing - uvicorn absent β falls back to Flask/Django; uvicorn present β uses
python -m uvicorn
CI Needs Chain Completeness (v1.3.1)
- Fixed missing
preflightin jobneedsarrays β eco-adaptive detection was silently returning empty strings - All
needs.preflight.outputs.*references now resolve correctly
Output Key Consistency (v1.3.1)
- Unified
project-type(hyphen) βproject_type(underscore) across outputs declaration and all references
Coverage Gate Heading (v1.3.1)
- Fixed corrupted
##ε°εηHard Rulesβ## Hard Rules
ποΈ Removals
agent-browser Skill Directory Cleaned Up
.claude/skills/agent-browser/removed β had been deprecated and merged intoe2e-testsince v1.3.0- Skills directory now matches WORKFLOW.md declaration exactly (4 skills)
π Documentation
WORKFLOW.md
- Version history extended through v1.3.2 (3 new entries)
- Progressive enablement L0-L3 section added
- System components table: 15 commands, 6 gates, updated skills list
- Full MCP installation guide (serena + typescript-lsp) with hooks config
README.md (Root)
- Rewritten from minimal placeholder to comprehensive project landing page
- Version badge, key features table, quick start, directory structure overview, version history
README.en.md & README.zh.md
- Synced from v1.2.1 to v1.3.2
- Version history updated with v1.3.0 / v1.3.1 / v1.3.2 entries
- System components table: commands 13β15, skills list updated, gates row added
- Progressive enablement L0-L3 section added
CLAUDE-template.md
- Security scanning guidance section added
- Known Issues & Deferred Risks persistent section added
- Skill activation rules:
backend-testadded - Reference docs: coverage.gate + security.gate loading triggers added
Coverage Gate β Ecosystem Tool Table
- 5 rows covering npm (Vitest/Jest), cargo (tarpaulin/llvm-cov), python (pytest-cov/coverage.py), go (built-in)
Contract Gate β oasdiff Protocol
- Spec archival protocol:
cp openapi-current.yaml archive/openapi-phase-{N-1}.yaml - Breaking change detection:
oasdiff breaking <prev> <current>
π§ͺ Test Strategies
- 6 type-specific strategy documents in
.claude/reference/test-strategies/: cli, mobile, rest-api, tauri, web, worker - Web strategy: Environment Variable Isolation with Vitest
vi.stubEnvpattern - Per-project-type coverage thresholds in coverage.gate.md
π Commit History (since v1.2.1)
| Commit | Message |
|---|---|
e784374 |
feat(workflow): upgrade AICAM from v1.2.1 to v1.3.2 β 5 rounds of independent assessment |
Quick Start
git clone https://github.com/cham-space/AICAM.git
cd AICAM
cp -r .claude/ /path/to/your/project/
cp .githooks/ .commitlintrc.yaml .gitleaks.toml /path/to/your/project/
cp -r .github/workflows/ /path/to/your/project/.github/Then in Claude Code, run /onboard for interactive guided setup.
AICAM v1.2.1 Release Notes (2026-04-24)
π New Features
/hotfix Command
- New emergency fix command β skip Phase 1 planning, jump directly to
TDD fix flow - Smoke Test + Code Review gates still apply, ensuring quality is not
compromised - Command count updated 12 β 13 across all documentation
Smoke Test Mandatory Gate in /execute
- After all validation commands pass, Smoke Test Checklist must be
executed before Phase can proceed - Missing ## Smoke Test Checklist in plan β hard STOP, requires user
written confirmation to skip - Any β entry β enters bug fix flow, re-runs full Smoke Test after fix
- Results written to summary.md ## Smoke Test Log
ACβTask Mapping Check in /execute
- Cross-checks Spec-Lite AC list against plan Tasks
- β AC-{N} has no corresponding Task β potential feature gap
- β Task "{name}" not linked to any AC β scope creep risk
- Warning only, does not block execution
Critical Workspace Size Warning in /plan-feature
β 300KB: WARNING β suggests running /close-phase
β 500KB: CRITICAL β planning quality will degrade significantly,
β prompts immediate archival before continuing
Phase Number Automatic Derivation
- /close-phase and /verify-phase now auto-detect Phase number from:
a. Plan filename prefix: phase{N}- β use N
b. Plan content: # Phase N or Phase N: declaration
c. Falls back to asking the user if undetermined - Eliminates manual Phase number input for archive file naming
Flat Archive Structure
- archive/Phase{N}/ subdirectories replaced with flat files:
- archive/PHASE{N}_VERIFICATION_REPORT.md
- archive/phase{n}-code-review.md
- archive/phase{n}-*.md
- Traceability chain updated: plans β .agents/plans/archive/,
reports β archive/
MCP Installation & Configuration Guide
- Added complete setup instructions for serena and typescript-lsp:
- Prerequisites table (uv, Node.js + npm)
- Step-by-step install commands
- serena hooks configuration (PreToolUse, SessionStart, Stop)
- Verification command claude mcp list
π Documentation
TypeScript-LSP Capability Update ...
AICAM v1.2.0 β CLAUDE-template Enhancement, Full English
π New Features
CLAUDE-template Simplicity First Rules
- Added Simplicity First section for Phase 2 implementation β write
minimum code to meet Spec-Lite AC, no speculative features, no
abstractions unless reused β₯2 places - Added Surgical Changes section β touch only what the request
requires, follow existing code style, never silently delete unrelated dead
code
Explicit Skill Activation Rules
- CLAUDE-template now enforces explicit Skill loading (not relying on
auto-match):- Frontend components/pages β
frontend-design - API definition/field mapping β
api-contract-first - Business workflow testing β
e2e-test
- Frontend components/pages β
Test Command Categories
- Test section split into 3 categories: Unit tests / Business workflow
tests / Single file targeted - Strategy documents reference
.claude/reference/test-strategies/{type}.md
Web Test Strategy Enhancement
- Added Environment Variable Isolation section with Vitest
vi.stubEnvpattern to prevent state leakage between tests
ποΈ Removals
ui-ux-pro-max Skill Removed
- Core functionality non-operational (missing
scripts/search.pyand CSV
data files) - Trigger conditions merged into
frontend-design - Reduces workspace skills from 5 β 4
π Documentation
Full English CLAUDE-template
- All remaining Chinese content translated to English
Simplicity Firstheader,Skill ζΏζ΄»θ§εblock fully Englishreference/index.mdalso fully English (local, project-specific)
WORKFLOW.md & READMEs Synced
- CLAUDE-template key features added to WORKFLOW.md
README.zh.mdandREADME.en.mdfully synchronized
π Commit History (since v1.1.0)
| Commit | Message |
|---|---|
6a46bc8 |
docs: translate CLAUDE-template.md remaining Chinese to |
| English | |
c0ac8c0 |
docs: sync CLAUDE-template features into WORKFLOW.md and |
| READMEs | |
06de5f4 |
enhance: CLAUDE-template Simplicity First rules, web test |
| strategy, e2e-test fix | |
2e1c4ba |
remove: ui-ux-pro-max skill (non-functional β missing |
| scripts/search.py + CSV data) |
Quick Start
git clone https://github.com/cham-space/AICAM.git
cp -r AICAM/.claude/ /path/to/your/project/
Then in Claude Code, run /discover to begin.
---AICAM v1.1.0 β Smoke Test Gate, TDD Tightening, TEST_DASHBOARD
π New Features
Smoke Test Gate (Phase 2)
- Added mandatory Smoke Test step in
/executeβ runs after all verification commands pass - Plan files now require
## Smoke Test Checklistsection (operation β expected result format) - Missing checklist β execution STOPs until user confirms or adds one
- Results written to
## Smoke Test Loginsummary.md - Verified in
/verify-phaseas a separate gate with dedicated pass/fail status
TEST_DASHBOARD Tracking (Phase 4)
/close-phasenow automatically updates.agents/reports/TEST_DASHBOARD.md- Tracks per-Phase coverage matrix, cross-Phase trends, and detailed test breakdowns
- Includes Gate summary, unit test details, Smoke Test results, and business workflow test details
- Not loaded into CLAUDE.md context β for human review only
Type-Specific Test Strategies
- Added
.claude/reference/test-strategies/with 6 tailored strategies:cli.mdβ CLI project testingmobile.mdβ Mobile app testingrest-api.mdβ REST API testingtauri.mdβ Tauri desktop app testingweb.mdβ Web app testingworker.mdβ Worker/server-side testing
π Enforcement Improvements
TDD Non-Exempt Scope (Tightened)
Previously, most non-logic changes could be exempted from TDD. Now the following require TDD
without exception:
- Cross-boundary integration layers (IPC commands, REST endpoints, event pub/sub, message queue
consumers) - Frontend/UI components with conditional logic, state management, or data transformation
- Any serialization/deserialization logic
- Error handling paths
Exemption requests for these types must include an alternative verification method. "Manual
runtime inspection" is no longer an acceptable answer.
βΈοΈ State Hard Rule
βΈοΈ Requires manual verification is now treated as β failed in any gate. This prevents
deferring verification indefinitely. Specific rules:
- Business Workflow Tests at βΈοΈ must provide executable automated scripts (using mock/fixture), or
explicit written user confirmation with risk noted in report - Smoke Test Log missing or containing βΈοΈ entries β Smoke Test Gate = β, blocks Phase closure
Phase Closure Prerequisites
/close-phase now performs mandatory pre-conditions checks before any archival:
- Verification Report must exist with status β or β
- Smoke Test Log must be all β (no β or βΈοΈ )
- No βΈοΈ unclosed Gate items
- All P0 bugs must be resolved
π Documentation Updates
WORKFLOW.md v1.1.0
- Added Node 2-E: Smoke Test
- Added Node 4-B: TEST_DASHBOARD update
- Updated Mermaid workflow diagram with new nodes
- Added
frontend-designskill to the skills list (replacesskill-creator) - Updated reference docs section with
test-strategies/directory - Updated key principles with Smoke Test gate, βΈοΈ hard rule, TDD non-exempt scope
Bilingual README
README.zh.mdandREADME.en.mdsynchronized with all v1.1.0 changesREADME.mdserves as a bilingual index linking both versions
π Full Commit History (since v1.0.0)
50ebdc7β enhance(workflow): v1.1.0 β Smoke Test gate, TDD tightening, TEST_DASHBOARD5fcd46aβ enhance(workflow): add smoke test, strict gates, and TDD exemptions40b575cβ ιε―Ήcodereview ε’ε εΌΊεΆζ°δΌθ―ιΏε δΈδΈζ汑ζbfc464fβ docs: add bilingual README and remove .DS_Store filesa9fa7aeβ docs: add README.md with AICAM workflow documentation
Quick Start
git clone https://github.com/cham-space/AICAM.git
cp -r AICAM/.claude/ /path/to/your/project/
Then in Claude Code, run /discover to begin.
--- AICAM v1.0.0
Features
- 5-Phase Lifecycle: Requirements β Planning β Implementation β Verification β Archival
- 12 Slash Commands:
/discover,/create-prd,/ref-research,/create-rules,
/init-project,/prime,/plan-feature,/execute,/code-review,/verify-phase,
/close-phase,/commit - 5 Domain Skills:
agent-browser,api-contract-first,e2e-test,ui-ux-pro-max,
skill-creator - TDD Iron Rule: Tests must fail before business logic is implemented
- Dual-Layer Test Gates: Unit tests + business workflow tests required for Phase
completion - API Contract First: Spec-Lite + naming mapping table for all API features
- Progressive Disclosure: Context loaded on demand to avoid context inflation
- Self-Maintaining Context: Auto-compress historical knowledge during archival
- Bilingual Docs: Full workflow documentation in English and Chinese
Quick Start
git clone https://github.com/cham-space/AICAM.git
cp -r AICAM/.claude/ /path/to/your/project/
Then in Claude Code, run /discover to begin.'