detections/.cursor/skills/autopilot/protocols.md

# Autopilot Protocols

## User Interaction Protocol

Every time the autopilot or a sub-skill needs a user decision, use the **Choose A / B / C / D** format. This applies to:

- State transitions where multiple valid next actions exist
- Sub-skill BLOCKING gates that require user judgment
- Any fork where the autopilot cannot confidently pick the right path
- Trade-off decisions (tech choices, scope, risk acceptance)

### When to Ask (MUST ask)

- The next action is ambiguous (e.g., "another research round or proceed?")
- The decision has irreversible consequences (e.g., architecture choices, skipping a step)
- The user's intent or preference cannot be inferred from existing artifacts
- A sub-skill's BLOCKING gate explicitly requires user confirmation
- Multiple valid approaches exist with meaningfully different trade-offs

### When NOT to Ask (auto-transition)

- Only one logical next step exists (e.g., Problem complete → Research is the only option)
- The transition is deterministic from the state (e.g., Plan complete → Decompose)
- The decision is low-risk and reversible
- Existing artifacts or prior decisions already imply the answer

### Choice Format

Always present decisions in this format:

```
══════════════════════════════════════
 DECISION REQUIRED: [brief context]
══════════════════════════════════════
 A) [Option A — short description]
 B) [Option B — short description]
 C) [Option C — short description, if applicable]
 D) [Option D — short description, if applicable]
══════════════════════════════════════
 Recommendation: [A/B/C/D] — [one-line reason]
══════════════════════════════════════
```

Rules:
1. Always provide 2–4 concrete options (never open-ended questions)
2. Always include a recommendation with a brief justification
3. Keep option descriptions to one line each
4. If only 2 options make sense, use A/B only — do not pad with filler options
5. Play the notification sound (per `.cursor/rules/human-attention-sound.mdc`) before presenting the choice
6. After the user picks, proceed immediately — no follow-up confirmation unless the choice was destructive

## Work Item Tracker Authentication

Several workflow steps create work items (epics, tasks, links). The system requires some task tracker MCP as interchangeable backend.

### Tracker Detection

1. If there is no task tracker MCP or it is not authorized, ask the user about it
3. Record the choice in the state file: `tracker: jira` or `tracker: ado`
4. If neither is available, set `tracker: local` and proceed without external tracking

### Steps That Require Work Item Tracker

| Flow | Step | Sub-Step | Tracker Action |
|------|------|----------|----------------|
| greenfield | 3 (Plan) | Step 6 — Epics | Create epics for each component |
| greenfield | 5 (Decompose) | Step 1–3 — All tasks | Create ticket per task, link to epic |
| existing-code | 3 (Decompose Tests) | Step 1t + Step 3 — All test tasks | Create ticket per task, link to epic |
| existing-code | 7 (New Task) | Step 7 — Ticket | Create ticket per task, link to epic |

### Authentication Gate

Before entering a step that requires work item tracking (see table above) for the first time, the autopilot must:

1. Call `mcp_auth` on the detected tracker's MCP server
2. If authentication succeeds → proceed normally
3. If the user **skips** or authentication fails → present using Choose format:

```
══════════════════════════════════════
 Tracker authentication failed
══════════════════════════════════════
 A) Retry authentication (retry mcp_auth)
 B) Continue without tracker (tasks saved locally only)
══════════════════════════════════════
 Recommendation: A — Tracker IDs drive task referencing,
 dependency tracking, and implementation batching.
 Without tracker, task files use numeric prefixes instead.
══════════════════════════════════════
```

If user picks **B** (continue without tracker):
- Set a flag in the state file: `tracker: local`
- All skills that would create tickets instead save metadata locally in the task/epic files with `Tracker: pending` status
- Task files keep numeric prefixes (e.g., `01_initial_structure.md`) instead of tracker ID prefixes
- The workflow proceeds normally in all other respects

### Re-Authentication

If the tracker MCP was already authenticated in a previous invocation (verify by listing available tools beyond `mcp_auth`), skip the auth gate.

## Error Handling

All error situations that require user input MUST use the **Choose A / B / C / D** format.

| Situation | Action |
|-----------|--------|
| State detection is ambiguous (artifacts suggest two different steps) | Present findings and use Choose format with the candidate steps as options |
| Sub-skill fails or hits an unrecoverable blocker | Use Choose format: A) retry, B) skip with warning, C) abort and fix manually |
| User wants to skip a step | Use Choose format: A) skip (with dependency warning), B) execute the step |
| User wants to go back to a previous step | Use Choose format: A) re-run (with overwrite warning), B) stay on current step |
| User asks "where am I?" without wanting to continue | Show Status Summary only, do not start execution |

## Skill Failure Retry Protocol

Sub-skills can return a **failed** result. Failures are often caused by missing user input, environment issues, or transient errors that resolve on retry. The autopilot auto-retries before escalating.

### Retry Flow

```
Skill execution → FAILED
  │
  ├─ retry_count < 3 ?
  │    YES → increment retry_count in state file
  │         → re-read the sub-skill's SKILL.md
  │         → re-execute from the current sub_step
  │         → (loop back to check result)
  │
  │    NO (retry_count = 3) →
  │         → set status: failed in Current Step
  │         → present warning to user (see Escalation below)
  │         → do NOT auto-retry again until user intervenes
```

### Retry Rules

1. **Auto-retry immediately**: when a skill fails, retry it without asking the user — the failure is often transient (missing user confirmation in a prior step, docker not running, file lock, etc.)
2. **Preserve sub_step**: retry from the last recorded `sub_step`, not from the beginning of the skill — unless the failure indicates corruption, in which case restart from sub_step 1
3. **Increment `retry_count`**: update `retry_count` in the state file's `Current Step` section on each retry attempt
4. **Reset on success**: when the skill eventually succeeds, reset `retry_count: 0`

### Escalation (after 3 consecutive failures)

After 3 failed auto-retries of the same skill, the failure is likely not user-related. Stop retrying and escalate:

1. Update the state file: set `status: failed` and `retry_count: 3` in `Current Step`
2. Play notification sound (per `.cursor/rules/human-attention-sound.mdc`)
3. Present using Choose format:

```
══════════════════════════════════════
 SKILL FAILED: [Skill Name] — 3 consecutive failures
══════════════════════════════════════
 Step: [N] — [Name]
 SubStep: [M] — [sub-step name]
 Last failure reason: [reason]
══════════════════════════════════════
 A) Retry with fresh context (new conversation)
 B) Skip this step with warning
 C) Abort — investigate and fix manually
══════════════════════════════════════
 Recommendation: A — fresh context often resolves
 persistent failures
══════════════════════════════════════
```

### Re-Entry After Failure

On the next autopilot invocation (new conversation), if the state file shows `status: failed` and `retry_count: 3`:

- Present the blocker to the user before attempting execution
- If the user chooses to retry → reset `retry_count: 0`, set `status: in_progress`, and re-execute
- If the user chooses to skip → mark step as `skipped`, proceed to next step
- Do NOT silently auto-retry — the user must acknowledge the persistent failure first

## Error Recovery Protocol

### Stuck Detection

When executing a sub-skill, monitor for these signals:

- Same artifact overwritten 3+ times without meaningful change
- Sub-skill repeatedly asks the same question after receiving an answer
- No new artifacts saved for an extended period despite active execution

### Recovery Actions (ordered)

1. **Re-read state**: read `_docs/_autopilot_state.md` and cross-check against `_docs/` folders
2. **Retry current sub-step**: re-read the sub-skill's SKILL.md and restart from the current sub-step
3. **Escalate**: after 2 failed retries, present diagnostic summary to user using Choose format:

```
══════════════════════════════════════
 RECOVERY: [skill name] stuck at [sub-step]
══════════════════════════════════════
 A) Retry with fresh context (new conversation)
 B) Skip this sub-step with warning
 C) Abort and fix manually
══════════════════════════════════════
 Recommendation: A — fresh context often resolves stuck loops
══════════════════════════════════════
```

### Circuit Breaker

If the same autopilot step fails 3 consecutive times across conversations:

- Do NOT auto-retry on next invocation
- Present the failure pattern and ask user for guidance before attempting again

## Context Management Protocol

### Principle

Disk is memory. Never rely on in-context accumulation — read from `_docs/` artifacts, not from conversation history.

### Minimal Re-Read Set Per Skill

When re-entering a skill (new conversation or context refresh):

- Always read: `_docs/_autopilot_state.md`
- Always read: the active skill's `SKILL.md`
- Conditionally read: only the `_docs/` artifacts the current sub-step requires (listed in each skill's Context Resolution section)
- Never bulk-read: do not load all `_docs/` files at once

### Mid-Skill Interruption

If context is filling up during a long skill (e.g., document, implement):

1. Save current sub-step progress to the skill's artifact directory
2. Update `_docs/_autopilot_state.md` with exact sub-step position
3. Suggest a new conversation: "Context is getting long — recommend continuing in a fresh conversation for better results"
4. On re-entry, the skill's resumability protocol picks up from the saved sub-step

### Large Artifact Handling

When a skill needs to read large files (e.g., full solution.md, architecture.md):

- Read only the sections relevant to the current sub-step
- Use search tools (Grep, SemanticSearch) to find specific sections rather than reading entire files
- Summarize key decisions from prior steps in the state file so they don't need to be re-read

### Context Budget Heuristic

Agents cannot programmatically query context window usage. Use these heuristics to avoid degradation:

| Zone | Indicators | Action |
|------|-----------|--------|
| **Safe** | State file + SKILL.md + 2–3 focused artifacts loaded | Continue normally |
| **Caution** | 5+ artifacts loaded, or 3+ large files (architecture, solution, discovery), or conversation has 20+ tool calls | Complete current sub-step, then suggest session break |
| **Danger** | Repeated truncation in tool output, tool calls failing unexpectedly, responses becoming shallow or repetitive | Save immediately, update state file, force session boundary |

**Skill-specific guidelines**:

| Skill | Recommended session breaks |
|-------|---------------------------|
| **document** | After every ~5 modules in Step 1; between Step 4 (Verification) and Step 5 (Solution Extraction) |
| **implement** | Each batch is a natural checkpoint; if more than 2 batches completed in one session, suggest break |
| **plan** | Between Step 5 (Test Specifications) and Step 6 (Epics) for projects with many components |
| **research** | Between Mode A rounds; between Mode A and Mode B |

**How to detect caution/danger zone without API**:

1. Count tool calls made so far — if approaching 20+, context is likely filling up
2. If reading a file returns truncated content, context is under pressure
3. If the agent starts producing shorter or less detailed responses than earlier in the conversation, context quality is degrading
4. When in doubt, save and suggest a new conversation — re-entry is cheap thanks to the state file

## Rollback Protocol

### Implementation Steps (git-based)

Handled by `/implement` skill — each batch commit is a rollback checkpoint via `git revert`.

### Planning/Documentation Steps (artifact-based)

For steps that produce `_docs/` artifacts (problem, research, plan, decompose, document):

1. **Before overwriting**: if re-running a step that already has artifacts, the sub-skill's prerequisite check asks the user (resume/overwrite/skip)
2. **Rollback to previous step**: use Choose format:

```
══════════════════════════════════════
 ROLLBACK: Re-run [step name]?
══════════════════════════════════════
 A) Re-run the step (overwrites current artifacts)
 B) Stay on current step
══════════════════════════════════════
 Warning: This will overwrite files in _docs/[folder]/
══════════════════════════════════════
```

3. **Git safety net**: artifacts are committed with each autopilot step completion. To roll back: `git log --oneline _docs/` to find the commit, then `git checkout <commit> -- _docs/<folder>/`
4. **State file rollback**: when rolling back artifacts, also update `_docs/_autopilot_state.md` to reflect the rolled-back step (set it to `in_progress`, clear completed date)

## Debug / Error Recovery Protocol

When the implement skill's auto-fix loop fails (code review FAIL after 2 auto-fix attempts) or an implementer subagent reports a blocker, the user is asked to intervene. This protocol guides the recovery process.

### Structured Debugging Workflow

When escalated to the user after implementation failure:

1. **Classify the failure** — determine the category:
   - **Missing dependency**: a package, service, or module the task needs but isn't available
   - **Logic error**: code runs but produces wrong results (assertion failures, incorrect output)
   - **Integration mismatch**: interfaces between components don't align (type errors, missing methods, wrong signatures)
   - **Environment issue**: Docker, database, network, or configuration problem
   - **Spec ambiguity**: the task spec is unclear or contradictory

2. **Reproduce** — isolate the failing behavior:
   - Run the specific failing test(s) in isolation
   - Check whether the failure is deterministic or intermittent
   - Capture the exact error message, stack trace, and relevant file:line

3. **Narrow scope** — focus on the minimal reproduction:
   - For logic errors: trace the data flow from input to the point of failure
   - For integration mismatches: compare the caller's expectations against the callee's actual interface
   - For environment issues: verify Docker services are running, DB is accessible, env vars are set

4. **Fix and verify** — apply the fix and confirm:
   - Make the minimal change that fixes the root cause
   - Re-run the failing test(s) to confirm the fix
   - Run the full test suite to check for regressions
   - If the fix changes a shared interface, check all consumers

5. **Report** — update the batch report with:
   - Root cause category
   - Fix applied (file:line, description)
   - Tests that now pass

### Common Recovery Patterns

| Failure Pattern | Typical Root Cause | Recovery Action |
|----------------|-------------------|----------------|
| ImportError / ModuleNotFoundError | Missing dependency or wrong path | Install dependency or fix import path |
| TypeError on method call | Interface mismatch between tasks | Align caller with callee's actual signature |
| AssertionError in test | Logic bug or wrong expected value | Fix logic or update test expectations |
| ConnectionRefused | Service not running | Start Docker services, check docker-compose |
| Timeout | Blocking I/O or infinite loop | Add timeout, fix blocking call |
| FileNotFoundError | Hardcoded path or missing fixture | Make path configurable, add fixture |

### Escalation

If debugging does not resolve the issue after 2 focused attempts:

```
══════════════════════════════════════
 DEBUG ESCALATION: [failure description]
══════════════════════════════════════
 Root cause category: [category]
 Attempted fixes: [list]
 Current state: [what works, what doesn't]
══════════════════════════════════════
 A) Continue debugging with more context
 B) Revert this batch and skip the task (move to backlog)
 C) Simplify the task scope and retry
══════════════════════════════════════
```

## Status Summary

On every invocation, before executing any skill, present a status summary built from the state file (with folder scan fallback). Use the Status Summary Template from the active flow file (`flows/greenfield.md` or `flows/existing-code.md`).

For re-entry (state file exists), cross-check the current step against `_docs/` folder structure and present any `status: failed` state to the user before continuing.