code-crispies/.wave/pipelines/audit-dual.yaml

# Independent Parallel Tracks Pattern
#
# This pipeline demonstrates two fully independent analysis tracks
# running simultaneously and converging at a final merge step.
# Unlike the fan-out pattern (used in ops-pr-review.yaml), these tracks
# have NO shared upstream step — they start independently and converge
# only at the end.
#
# Execution flow:
#
#   quality-scan          security-scan     ← both start immediately (no deps)
#        │                      │
#   quality-detail        security-detail   ← each track continues independently
#        └──────────┬───────────┘
#                 merge                     ← converges results from both tracks

kind: WavePipeline
metadata:
  name: audit-dual
  description: "Parallel code-quality and security analysis with independent tracks"
  release: true

skills:
  - software-design

input:
  source: cli
  example: "analyze the authentication module"

steps:
  # ── Track A: Code Quality ──────────────────────────────────────────
  - id: quality-scan
    persona: navigator
    model: claude-haiku
    workspace:
      mount:
        - source: ./
          target: /project
          mode: readonly
    exec:
      type: prompt
      source: |
        Perform a code quality scan of: {{ input }}

        Identify:
        1. Code duplication and copy-paste patterns
        2. Functions exceeding 50 lines or high cyclomatic complexity
        3. Naming inconsistencies and style violations
        4. Missing or outdated documentation
        5. Unused exports, dead code, and unreachable branches

        Output a structured JSON report matching the contract schema.
    output_artifacts:
      - name: quality_scan
        path: .wave/output/quality-scan.json
        type: json

  - id: quality-detail
    persona: navigator
    model: claude-haiku
    dependencies: [quality-scan]
    memory:
      strategy: fresh
      inject_artifacts:
        - step: quality-scan
          artifact: quality_scan
          as: scan_results
    workspace:
      mount:
        - source: ./
          target: /project
          mode: readonly
    exec:
      type: prompt
      source: |
        Deepen the code quality analysis from the scan results.

        For each finding in .wave/artifacts/scan_results:
        1. Verify the finding by reading the source code
        2. Assess severity and impact on maintainability
        3. Suggest specific refactoring with code examples
        4. Search for similar patterns elsewhere in the codebase

        Produce a markdown report with prioritized recommendations.
    output_artifacts:
      - name: quality_report
        path: .wave/output/quality-detail.md
        type: markdown
    handover:
      contract:
        type: non_empty_file
        source: .wave/output/quality-detail.md

  # ── Track B: Security ──────────────────────────────────────────────
  - id: security-scan
    persona: navigator
    model: claude-haiku
    workspace:
      mount:
        - source: ./
          target: /project
          mode: readonly
    exec:
      type: prompt
      source: |
        Perform a security scan of: {{ input }}

        Check for:
        1. Injection vulnerabilities (SQL, command, path traversal)
        2. Authentication and authorization gaps
        3. Hardcoded secrets or credentials
        4. Insecure data handling (missing encryption, logging sensitive data)
        5. Input validation gaps at system boundaries

        Output a structured JSON report matching the contract schema.
    output_artifacts:
      - name: security_scan
        path: .wave/output/security-scan.json
        type: json

  - id: security-detail
    persona: navigator
    model: claude-haiku
    dependencies: [security-scan]
    memory:
      strategy: fresh
      inject_artifacts:
        - step: security-scan
          artifact: security_scan
          as: scan_results
    workspace:
      mount:
        - source: ./
          target: /project
          mode: readonly
    exec:
      type: prompt
      source: |
        Deepen the security analysis from the scan results.

        For each finding in .wave/artifacts/scan_results:
        1. Verify by reading the actual source code
        2. Trace data flow from entry point to sink
        3. Assess exploitability and real-world impact
        4. Propose specific remediation with code examples

        Produce a markdown report with severity-ordered findings.
    output_artifacts:
      - name: security_report
        path: .wave/output/security-detail.md
        type: markdown
    handover:
      contract:
        type: non_empty_file
        source: .wave/output/security-detail.md

  # ── Merge: Converge both tracks ────────────────────────────────────
  - id: merge
    persona: summarizer
    model: claude-haiku
    dependencies: [quality-detail, security-detail]
    memory:
      strategy: fresh
      inject_artifacts:
        - step: quality-detail
          artifact: quality_report
          as: quality_findings
        - step: security-detail
          artifact: security_report
          as: security_findings
    exec:
      type: prompt
      source: |
        Synthesize the quality and security analysis reports into a
        unified assessment.

        Read both reports:
        - .wave/artifacts/quality_findings (code quality)
        - .wave/artifacts/security_findings (security)

        Produce a final report with:
        1. Executive summary with overall health rating
        2. Critical issues requiring immediate attention
        3. Top recommendations ordered by impact
        4. Positive observations and strengths
    output_artifacts:
      - name: report
        path: .wave/output/dual-analysis-report.md
        type: markdown
    handover:
      contract:
        type: non_empty_file
        source: .wave/output/dual-analysis-report.md
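As an added example (not part of the code-crispies repository or the Wave tool), the following Python script mirrors this pipeline's dependency graph, computes which steps can run concurrently (the two scans in wave 0, the two detail steps in wave 1, merge last), and flags any inject_artifacts reference that is not backed by a declared dependency, which would otherwise let a step start before the artifact it reads exists. The STEPS table is a hand-constructed summary of the YAML above, not a parse of it.

```python
from collections import defaultdict

# Constructed summary of audit-dual.yaml: just the fields that define the DAG
# (step id, dependencies, inject_artifacts as (step, artifact), output_artifacts).
STEPS = [
    {"id": "quality-scan", "dependencies": [], "inject": [], "artifacts": ["quality_scan"]},
    {"id": "quality-detail", "dependencies": ["quality-scan"],
     "inject": [("quality-scan", "quality_scan")], "artifacts": ["quality_report"]},
    {"id": "security-scan", "dependencies": [], "inject": [], "artifacts": ["security_scan"]},
    {"id": "security-detail", "dependencies": ["security-scan"],
     "inject": [("security-scan", "security_scan")], "artifacts": ["security_report"]},
    {"id": "merge", "dependencies": ["quality-detail", "security-detail"],
     "inject": [("quality-detail", "quality_report"), ("security-detail", "security_report")],
     "artifacts": ["report"]},
]

def validate_injections(steps):
    """An injected artifact must come from a step listed in `dependencies` (or it may
    not exist yet when the step starts) and that step must declare the artifact."""
    produced = {s["id"]: set(s["artifacts"]) for s in steps}
    problems = []
    for s in steps:
        for src, art in s["inject"]:
            if src not in s["dependencies"]:
                problems.append(f"{s['id']}: injects from '{src}' without depending on it")
            elif art not in produced.get(src, set()):
                problems.append(f"{s['id']}: '{src}' does not produce artifact '{art}'")
    return problems

def execution_waves(steps):
    """Group steps by longest dependency chain; one wave's steps can run concurrently.
    Raises ValueError on an unknown dependency or a cycle."""
    deps = {s["id"]: s["dependencies"] for s in steps}
    wave = {}
    def depth(sid, stack=()):
        if sid not in deps:
            raise ValueError(f"unknown step '{sid}'")
        if sid in stack:
            raise ValueError(f"dependency cycle through '{sid}'")
        if sid not in wave:  # wave = 1 + deepest dependency; steps with no deps get 0
            wave[sid] = 1 + max((depth(d, stack + (sid,)) for d in deps[sid]), default=-1)
        return wave[sid]
    for sid in deps:
        depth(sid)
    grouped = defaultdict(list)
    for sid, w in wave.items():
        grouped[w].append(sid)
    return [sorted(grouped[w]) for w in sorted(grouped)]

if __name__ == "__main__":
    print(execution_waves(STEPS), validate_injections(STEPS) or "no injection problems")
```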