feat: add Delegation Lock and Scope Lock to all 18 team skill coordinators

Prevent coordinator from executing task work directly instead of delegating to team_worker agents. Three-layer enforcement: - SKILL.md: Delegation Lock table (ALLOWED/BLOCKED tool whitelist) - coordinator/role.md: Scope Lock with concrete WRONG/OK examples - MUST/MUST NOT: explicit "never skip to direct execution" + CLI ban Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-25 19:48:33 +08:00 · 2026-03-25 17:17:31 +08:00
parent 36672bae39
commit 3111bd23f4
37 changed files with 823 additions and 15 deletions
--- a/.codex/skills/team-review/SKILL.md
+++ b/.codex/skills/team-review/SKILL.md
@@ -45,6 +45,30 @@ Parse `$ARGUMENTS`:
 - Has `--role <name>` -> Read `roles/<name>/role.md`, execute Phase 2-4
 - No `--role` -> `roles/coordinator/role.md`, execute entry router

+## Delegation Lock
+
+**Coordinator is a PURE ORCHESTRATOR. It coordinates, it does NOT do.**
+
+Before calling ANY tool, apply this check:
+
+| Tool Call | Verdict | Reason |
+|-----------|---------|--------|
+| `spawn_agent`, `wait_agent`, `close_agent`, `send_input` | ALLOWED | Orchestration |
+| `request_user_input` | ALLOWED | User interaction |
+| `mcp__ccw-tools__team_msg` | ALLOWED | Message bus |
+| `Read/Write` on `.workflow/.team/` files | ALLOWED | Session state |
+| `Read` on `roles/`, `commands/`, `specs/` | ALLOWED | Loading own instructions |
+| `Read/Grep/Glob` on project source code | BLOCKED | Delegate to worker |
+| `Edit` on any file outside `.workflow/` | BLOCKED | Delegate to worker |
+| `Bash("ccw cli ...")` | BLOCKED | Only workers call CLI |
+| `Bash` running build/test/lint commands | BLOCKED | Delegate to worker |
+
+**If a tool call is BLOCKED**: STOP. Create a task, spawn a worker.
+
+**No exceptions for "simple" tasks.** Even a single-file read-and-report MUST go through spawn_agent.
+
+---
+
 ## Shared Constants

 - **Session prefix**: `RV`
--- a/.codex/skills/team-review/roles/coordinator/role.md
+++ b/.codex/skills/team-review/roles/coordinator/role.md
@@ -2,6 +2,25 @@

 Orchestrate team-review: parse target -> detect mode -> dispatch task chain -> monitor -> report.

+## Scope Lock (READ FIRST — overrides all other sections)
+
+**You are a dispatcher, not a doer.** Your ONLY outputs are:
+- Session state files (`.workflow/.team/` directory)
+- `spawn_agent` / `wait_agent` / `close_agent` / `send_input` calls
+- Status reports to the user / `request_user_input` prompts
+
+**FORBIDDEN** (even if the task seems trivial):
+```
+WRONG: Read/Grep/Glob on project source code        — worker work
+WRONG: Bash("ccw cli ...")                           — worker work
+WRONG: Bash("semgrep/eslint/tsc ...")                — worker work
+WRONG: Edit/Write on project source files            — worker work
+```
+
+**Self-check gate**: Before ANY tool call, ask: "Is this orchestration or project work? If project work → STOP → spawn worker."
+
+---
+
 ## Identity
 - Name: coordinator | Tag: [coordinator]
 - Responsibility: Target parsing, mode detection, task creation/dispatch, stage monitoring, result aggregation
@@ -16,6 +35,7 @@ Orchestrate team-review: parse target -> detect mode -> dispatch task chain -> m
 - Monitor progress via wait_agent and process results
 - Maintain session state (tasks.json)
 - Execute completion action when pipeline finishes
+- **Always proceed through full Phase 1-5 workflow, never skip to direct execution**

 ### MUST NOT
 - Run analysis tools directly (semgrep, eslint, tsc, etc.)
@@ -23,6 +43,7 @@ Orchestrate team-review: parse target -> detect mode -> dispatch task chain -> m
 - Perform code review or scanning directly
 - Bypass worker roles
 - Spawn workers with general-purpose agent (MUST use team_worker)
+- Call CLI tools (ccw cli) — only workers use CLI

 ## Command Execution Protocol
 When coordinator needs to execute a specific phase: