fix(ci): correct image digest separator

.wave/pipelines/audit-dual.yaml

@@ -0,0 +1,193 @@
+# Independent Parallel Tracks Pattern
+#
+# This pipeline demonstrates two fully independent analysis tracks
+# running simultaneously and converging at a final merge step.
+# Unlike the fan-out pattern (used in ops-pr-review.yaml), these tracks
+# have NO shared upstream step — they start independently and converge
+# only at the end.
+#
+# Execution flow:
+#
+#   quality-scan     security-scan      ← both start immediately (no deps)
+#       │                  │
+#   quality-detail   security-detail    ← each track continues independently
+#       └────────┬─────────┘
+#             merge                     ← converges results from both tracks
+
+kind: WavePipeline
+metadata:
+  name: audit-dual
+  description: "Parallel code-quality and security analysis with independent tracks"
+  release: true
+
+skills:
+  - software-design
+
+input:
+  source: cli
+  example: "analyze the authentication module"
+
+steps:
+  # ── Track A: Code Quality ──────────────────────────────────────────
+  - id: quality-scan
+    persona: navigator
+    model: claude-haiku
+    workspace:
+      mount:
+        - source: ./
+          target: /project
+          mode: readonly
+    exec:
+      type: prompt
+      source: |
+        Perform a code quality scan of: {{ input }}
+
+        Identify:
+        1. Code duplication and copy-paste patterns
+        2. Functions exceeding 50 lines or high cyclomatic complexity
+        3. Naming inconsistencies and style violations
+        4. Missing or outdated documentation
+        5. Unused exports, dead code, and unreachable branches
+
+        Output a structured JSON report matching the contract schema.
+    output_artifacts:
+      - name: quality_scan
+        path: .wave/output/quality-scan.json
+        type: json
+
+  - id: quality-detail
+    persona: navigator
+    model: claude-haiku
+    dependencies: [quality-scan]
+    memory:
+      strategy: fresh
+      inject_artifacts:
+        - step: quality-scan
+          artifact: quality_scan
+          as: scan_results
+    workspace:
+      mount:
+        - source: ./
+          target: /project
+          mode: readonly
+    exec:
+      type: prompt
+      source: |
+        Deepen the code quality analysis from the scan results.
+
+        For each finding in .wave/artifacts/scan_results:
+        1. Verify the finding by reading the source code
+        2. Assess severity and impact on maintainability
+        3. Suggest specific refactoring with code examples
+        4. Search for similar patterns elsewhere in the codebase
+
+        Produce a markdown report with prioritized recommendations.
+    output_artifacts:
+      - name: quality_report
+        path: .wave/output/quality-detail.md
+        type: markdown
+    handover:
+      contract:
+        type: non_empty_file
+        source: .wave/output/quality-detail.md
+
+  # ── Track B: Security ──────────────────────────────────────────────
+  - id: security-scan
+    persona: navigator
+    model: claude-haiku
+    workspace:
+      mount:
+        - source: ./
+          target: /project
+          mode: readonly
+    exec:
+      type: prompt
+      source: |
+        Perform a security scan of: {{ input }}
+
+        Check for:
+        1. Injection vulnerabilities (SQL, command, path traversal)
+        2. Authentication and authorization gaps
+        3. Hardcoded secrets or credentials
+        4. Insecure data handling (missing encryption, logging sensitive data)
+        5. Input validation gaps at system boundaries
+
+        Output a structured JSON report matching the contract schema.
+    output_artifacts:
+      - name: security_scan
+        path: .wave/output/security-scan.json
+        type: json
+
+  - id: security-detail
+    persona: navigator
+    model: claude-haiku
+    dependencies: [security-scan]
+    memory:
+      strategy: fresh
+      inject_artifacts:
+        - step: security-scan
+          artifact: security_scan
+          as: scan_results
+    workspace:
+      mount:
+        - source: ./
+          target: /project
+          mode: readonly
+    exec:
+      type: prompt
+      source: |
+        Deepen the security analysis from the scan results.
+
+        For each finding in .wave/artifacts/scan_results:
+        1. Verify by reading the actual source code
+        2. Trace data flow from entry point to sink
+        3. Assess exploitability and real-world impact
+        4. Propose specific remediation with code examples
+
+        Produce a markdown report with severity-ordered findings.
+    output_artifacts:
+      - name: security_report
+        path: .wave/output/security-detail.md
+        type: markdown
+    handover:
+      contract:
+        type: non_empty_file
+        source: .wave/output/security-detail.md
+
+  # ── Merge: Converge both tracks ────────────────────────────────────
+  - id: merge
+    persona: summarizer
+    model: claude-haiku
+    dependencies: [quality-detail, security-detail]
+    memory:
+      strategy: fresh
+      inject_artifacts:
+        - step: quality-detail
+          artifact: quality_report
+          as: quality_findings
+        - step: security-detail
+          artifact: security_report
+          as: security_findings
+    exec:
+      type: prompt
+      source: |
+        Synthesize the quality and security analysis reports into a
+        unified assessment.
+
+        Read both reports:
+        - .wave/artifacts/quality_findings (code quality)
+        - .wave/artifacts/security_findings (security)
+
+        Produce a final report with:
+        1. Executive summary with overall health rating
+        2. Critical issues requiring immediate attention
+        3. Top recommendations ordered by impact
+        4. Positive observations and strengths
+    output_artifacts:
+      - name: report
+        path: .wave/output/dual-analysis-report.md
+        type: markdown
+    handover:
+      contract:
+        type: non_empty_file
+        source: .wave/output/dual-analysis-report.md