Budget tui smoke coverage

.github/ISSUE_TEMPLATE/failed_run.md

@@ -0,0 +1,78 @@
+---
+name: Failed Cortex run
+about: Report a workflow run that failed, stalled, or produced unusable output
+labels: bug, run-failure
+assignees: ''
+---
+
+## Summary
+
+What were you trying to generate or review?
+
+## Command
+
+```bash
+cortex start "..." --auto
+```
+
+Or paste the REPL slash command you used.
+
+## Environment
+
+- Cortex version:
+- OS:
+- Install method: installer / cargo / release binary
+- Workflow: dev / code-review / marketing / prospecting / custom
+- Provider:
+- Model:
+- Web search enabled: yes / no
+
+## Expected result
+
+What did you expect Cortex to create or report?
+
+## Actual result
+
+What happened instead?
+
+## Failure point
+
+- [ ] Provider/auth error
+- [ ] Workflow stalled
+- [ ] Tool execution failed
+- [ ] Build/test failed in generated project
+- [ ] Generated files were missing
+- [ ] Generated files were low quality or inconsistent
+- [ ] TUI/input/resume issue
+- [ ] Other
+
+## Logs and artifacts
+
+Paste the smallest useful excerpt. Redact secrets before posting.
+
+Safe to include:
+
+- Error messages.
+- Final summary.
+- Generated project tree.
+- Non-sensitive command output.
+- `cortex.run.json` after reviewing it for private project details.
+
+Do not include:
+
+- API keys.
+- OAuth tokens.
+- SMTP credentials.
+- Private customer data.
+- Proprietary source code unless you are allowed to share it.
+- Full `cortex.log` output unless you have reviewed and minimized it.
+
+## Reproduction steps
+
+1. Configure provider:
+2. Run command:
+3. Observe:
+
+## Additional context
+
+Any provider limits, unusual project files, custom agents, custom workflows, or resume steps involved?

.github/ISSUE_TEMPLATE/quality_report.md

@@ -0,0 +1,70 @@
+---
+name: Generated project quality report
+about: Report poor quality, inconsistent, or incomplete output from a Cortex workflow
+labels: quality, generated-output
+assignees: ''
+---
+
+## Summary
+
+What was wrong with the generated project?
+
+## Command used
+
+```bash
+cortex start "..." --auto --workflow dev
+```
+
+## Environment
+
+- Cortex version: (`cortex --version`)
+- OS:
+- Provider:
+- Model:
+- Workflow: dev / code-review / marketing / prospecting / custom
+
+## Expected quality
+
+What would a good output look like? (e.g. "a working Rust CLI with tests and a Dockerfile")
+
+## Actual quality
+
+What did Cortex produce instead? Describe the specific problem:
+
+- [ ] Missing files (list them)
+- [ ] Build fails in generated project
+- [ ] Tests fail or are missing
+- [ ] Dockerfile invalid or missing
+- [ ] README missing or wrong instructions
+- [ ] Specs / architecture don't match generated code
+- [ ] Repeated or contradictory content
+- [ ] TODO / placeholder code left in output
+- [ ] Other
+
+## Generated project structure
+
+Paste the output of `find <project-dir> -type f` or a tree listing.
+
+```
+<paste here>
+```
+
+## Error output (if any)
+
+```
+<paste build/test/lint output here>
+```
+
+## Eval checker result (if you ran it)
+
+```bash
+evals/check_dev_output.sh <project-dir>
+```
+
+```
+<paste output here>
+```
+
+## Additional context
+
+Any custom agents, custom workflows, or unusual config involved?

.github/ISSUE_TEMPLATE/security_report.md

@@ -0,0 +1,48 @@
+---
+name: Security report
+about: Report a security vulnerability, secret exposure, or unsafe behavior
+labels: security
+assignees: ''
+---
+
+<!-- IMPORTANT: For critical vulnerabilities (RCE, secret exfiltration, supply chain), consider using GitHub's private Security Advisory feature instead of a public issue. -->
+
+## Summary
+
+A one-sentence description of the security issue.
+
+## Category
+
+- [ ] Prompt injection (LLM output used to construct dangerous commands or paths)
+- [ ] Path traversal (file access outside the project output directory)
+- [ ] Secret exposure (API key, token, or credential leaked in logs, outputs, or generated files)
+- [ ] Unsafe command execution (terminal tool bypass or non-allowlisted command)
+- [ ] Supply chain (dependency vulnerability, binary tampering)
+- [ ] Other
+
+## Environment
+
+- Cortex version: (`cortex --version`)
+- OS:
+- Install method: installer / cargo / release binary
+- Provider used:
+
+## Steps to reproduce
+
+Describe how to trigger the issue. Include the minimum input needed:
+
+1. Configure / install:
+2. Run command:
+3. Observe:
+
+## Impact
+
+What can an attacker do? What data is exposed or what action can be triggered?
+
+## Suggested fix
+
+If you have an idea for a fix, describe it here. Otherwise leave blank.
+
+## Evidence
+
+Paste logs, generated file snippets, or tool outputs that demonstrate the issue. **Redact any real secrets before posting.**

.github/workflows/ci.yml

@@ -60,3 +60,23 @@ jobs:
       - uses: dtolnay/rust-toolchain@stable
       - uses: Swatinem/rust-cache@v2
       - run: cargo build --release
+
+  audit:
+    name: Security audit
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: dtolnay/rust-toolchain@stable
+      - uses: Swatinem/rust-cache@v2
+      - run: cargo install cargo-audit --locked
+      - run: cargo audit
+
+  deny:
+    name: License & dependency check
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: dtolnay/rust-toolchain@stable
+      - uses: Swatinem/rust-cache@v2
+      - run: cargo install cargo-deny --locked
+      - run: cargo deny check

.gitignore

@@ -1,4 +1,5 @@
 /target
+.worktrees/
 .claude/worktrees/
 cortex-output/
 cortex.log

CLAUDE.md

@@ -209,3 +209,22 @@ web_search_enabled = false  # enable with /websearch enable in the REPL
 
 ## DOCUMENTATION
 - Updated `README.md` and `site` if we added new features or changed usage instructions.
+
+## Skill routing
+
+When the user's request matches an available skill, invoke it via the Skill tool. When in doubt, invoke the skill.
+
+Key routing rules:
+- Product ideas/brainstorming → invoke /office-hours
+- Strategy/scope → invoke /plan-ceo-review
+- Architecture → invoke /plan-eng-review
+- Design system/plan review → invoke /design-consultation or /plan-design-review
+- Full review pipeline → invoke /autoplan
+- Bugs/errors → invoke /investigate
+- QA/testing site behavior → invoke /qa or /qa-only
+- Code review/diff check → invoke /review
+- Visual polish → invoke /design-review
+- Ship/deploy/PR → invoke /ship or /land-and-deploy
+- Save progress → invoke /context-save
+- Resume context → invoke /context-restore
+- Author a backlog-ready spec/issue → invoke /spec