cofin/flow
plugins/flow/skills/flow/SKILL.md
Use when a repository has .agents, when the user asks for Flow lifecycle routing, Beads-backed task memory, spec-first planning, TDD implementation, sync/status, review, finish, archive, or /flow:* help.
$ install --global
skillsauthnpx skillsauth add cofin/flow flowInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Jun 7, 2026, 3:33 AM14.4s21 files scanned
SKILL.md
- name:
- flow
- description:
- Use when a repository has .agents, when the user asks for Flow lifecycle routing, Beads-backed task memory, spec-first planning, TDD implementation, sync/status, review, finish, archive, or /flow:* help.
Flow Router
Flow coordinates Context-Driven Development in .agents/ repositories. Keep this skill small: use it to identify the active lifecycle phase, enforce the Beads-first invariants, and load the matching lifecycle skill.
Flow is a skill, not a CLI. There is no
flowexecutable. Never runflow,flow sync,flow prd, etc. as shell commands. Invoke this skill (or the matching lifecycle skill), or use the/flow:*slash commands where the host supports them.Beads mode: Skip every
bdinvocation when the SessionStart hook reportsBeads Backend: Missing (None)orDisabled via plugin config (useBeads=false). Treatspec.mdmarkers as fallback source of truth and skip/flow:sync. Never halt for missing Beads. Seereferences/discipline.md.
Workflow
- Check hook-provided Flow context first; otherwise detect
.agents/, Beads (bd), git branch, and repo-native commands. - Route the request:
- Setup, validation, install, context initialization: use
flow-setup. - PRD, research, plan, refine, revise, task creation: use
flow-planning. - Implement, claim ready tasks, TDD, commit, task close: use
flow-execution. - Sync, status, refresh, cleanup, context drift: use
flow-sync-status. - Review, finish, archive, revert, docs, phase completion: use
flow-completion.
- Setup, validation, install, context initialization: use
- Record durable discoveries and task state in Beads. Markdown files are synchronized views.
- Prefer repo-native commands from
.agents/workflow.mdor hook context for validation.
Guardrails
- Never edit task markers (
[ ],[~],[x],[!],[-]) manually inspec.md. - Do not run backend export, auto-stage, Dolt push, or git operations through Beads unless
.agents/beads.jsonallows it or the user asks. - Store Flow specs and planning artifacts under
.agents/specs/<flow_id>/. - Make minimal targeted changes and record findings with
bd note <id> "..."when work exceeds a quick fix.
Validation
- For planning: verify the plan is decision-complete before presenting it.
- For implementation: verify red-green-refactor evidence, full relevant tests, and Beads task closure before claiming completion.
- For sync/status: read backend state first and report drift instead of guessing.
- For this repository: run
make validate-skillsandmake validate-codex-manifestafter skill or command changes.
References Index
- Setup
- Planning
- Execution
- Sync and Status
- Completion
- Discipline
Example
User: "Use Flow to implement the current spec."
Action: load flow-execution, claim a ready Beads task, add investigation notes, follow TDD, close the task with evidence, then sync according to policy.
Related Skills
cofin/tracer
development
VerifiedTrustedCommunity
Use when tracing execution paths, mapping dependencies, understanding unfamiliar code, following data flow, investigating end-to-end behavior, debugging call chains, or deciding which files to read next.
12SKILL.mdUpdated Jun 7, 2026
cofin/security-auditor
development
VerifiedTrustedCommunity
Use when reviewing authentication, authorization, user input, secrets, API keys, database queries, file uploads, session management, external API calls, OWASP risks, or data handling attack surface.
12SKILL.mdUpdated Jun 7, 2026
cofin/perspectives
testing
VerifiedTrustedCommunity
Use when analyzing tradeoffs, comparing approaches, weighing options, assessing risks, stress-testing conclusions, identifying blind spots, or applying multiple viewpoints to a decision.
12SKILL.mdUpdated Jun 7, 2026
cofin/performance-analyst
development
VerifiedTrustedCommunity
Use when reviewing hot paths, slow code, database queries, N+1 risks, memory usage, loops, I/O, caching strategy, concurrency, latency-sensitive paths, or resource efficiency.
12SKILL.mdUpdated Jun 7, 2026