feat(skills): add aidd-delegate and aidd-pipeline

[orionnye]

Summary

• Add aidd-delegate: delegate a single task to an isolated subagent via the Cursor Task tool with a self-contained prompt (subagent types, prompt packaging, invoke/summarize flow).
• Add aidd-pipeline: read a markdown task list and delegate each step sequentially using /aidd-delegate.
• Register both in aidd-agent-orchestrator Agents and aidd-please Commands; update ai/skills/index.md.
• Use 📤 for /aidd-delegate so it does not collide with 🤖 /run-test.

Notes

• Skills are Cursor/Task-tool oriented (compatibility in frontmatter).
• No runtime code changes; documentation-only under ai/skills/.

Made with Cursor

[orionnye]

@cursoragent /aidd-review

[cursor]

Now I have enough context to provide a comprehensive review. Let me compile my findings:

🔬 Code Review Report

🎯 Restate

Reviewing PR that adds two new agent orchestration skills (aidd-delegate and aidd-pipeline) for Cursor IDE subagent delegation. Changes are documentation-only (no runtime code), introducing 2 new SKILL.md files and updating the agent orchestrator registry, please command list, and skills index.

💡 Analysis

Changed Files:

• ai/skills/aidd-delegate/SKILL.md (new, 71 lines)
• ai/skills/aidd-pipeline/SKILL.md (new, 78 lines)
• ai/skills/aidd-agent-orchestrator/SKILL.md (updated)
• ai/skills/aidd-please/SKILL.md (updated)
• ai/skills/index.md (updated)

Commits:

1. d009d42 - Initial feature addition
2. 49782c7 - Emoji collision fix (🤖 → 📤)

🪞 Critical Reflection

✅ Strengths

1. Clear Purpose: Both skills have well-defined, focused responsibilities
2. SudoLang Compliance: Proper use of Competencies, Constraints, Commands blocks and => function signatures
3. Integration: Properly registered in orchestrator and please command lists
4. Emoji Fix: Addressed collision between /aidd-delegate and /run-test
5. Consistency: Follows established patterns from other skills (frontmatter, structure, naming)
6. Documentation Quality: Clear step-by-step process definitions with proper function composition syntax

⚠️ Issues Found

CRITICAL - Missing README.md Files

Both new skills are missing README.md files. Pattern analysis shows that most skills in this project include a README.md alongside SKILL.md:

  📤 /aidd-delegate - delegate a task to an isolated subagent

Evidence from codebase:

• aidd-fix/ has both SKILL.md (92 lines) and README.md
• aidd-churn/ has both SKILL.md (104 lines) and README.md
• aidd-task-creator/ has both SKILL.md (173 lines) and README.md
• aidd-review/ has both SKILL.md and README.md

The README.md pattern provides:

• Why section explaining the problem being solved
• Usage section with practical examples
• When to use section with clear trigger conditions

MEDIUM - No Test Coverage

No tests found for the new skills:

• No unit tests (no *delegate*.test.js or *pipeline*.test.js)
• No AI evaluation tests in ai-evals/ directory
• Comparison: aidd-parallel (similar skill) has ai-evals/aidd-parallel/prompt-generation-test.sudo

MEDIUM - Index.md Files Missing

Historical pattern shows skills with subdirectories include index.md:

• Commit e29b134 for aidd-parallel added ai/skills/aidd-parallel/index.md
• However, checking the current codebase shows only one index.md at ai/skills/index.md

This may be an outdated pattern, but worth verifying.

LOW - Potential Documentation Gaps

1. No usage examples: Unlike aidd-churn README which shows CLI examples, these skills lack concrete usage examples
2. No reference to related skills: aidd-pipeline references /aidd-delegate but not vice versa
3. Subagent type documentation: Lists 4 types but doesn't explain when to use each beyond pattern matching

🔭 Orthogonal Expansion

Related Skills Comparison

aidd-parallel vs aidd-delegate/pipeline:

• aidd-parallel: Focuses on parallel delegation with dependency graphs and branch targeting
• aidd-delegate: Single-task delegation (simpler, more focused)
• aidd-pipeline: Sequential delegation from markdown lists

These skills complement each other but could benefit from cross-references explaining when to use which.

Architecture Considerations

The skills correctly use the Cursor Task tool API but don't document:

• Error handling strategies
• Retry logic
• Timeout considerations
• Resource cleanup

⚖️ OWASP Top 10:2021 Security Review

Since these are documentation-only changes with no runtime code, security analysis focuses on the guidance provided:

A01 - Broken Access Control: ✅ N/A (no access control in documentation)
A02 - Cryptographic Failures: ✅ N/A (no cryptography)
A03 - Injection: ✅ Safe - No dynamic code execution, SQL, or command injection vectors
A04 - Insecure Design: ✅ Good - Promotes isolation via subagents, self-contained prompts
A05 - Security Misconfiguration: ✅ Mentions readonly: true for analysis-only work
A06 - Vulnerable and Outdated Components: ✅ N/A (no dependencies)
A07 - Identification and Authentication Failures: ✅ N/A (no auth)
A08 - Software and Data Integrity Failures: ⚠️ CONCERN - No validation of markdown input in pipeline parsing; could be exploited if malicious markdown is processed
A09 - Security Logging and Monitoring Failures: ⚠️ No guidance on logging subagent failures or security events
A10 - Server-Side Request Forgery (SSRF): ✅ N/A (no network requests)

Security Recommendations:

1. Add input validation guidance for pipeline markdown parsing
2. Document security considerations when delegating tasks with sensitive data
3. Mention logging/auditing of subagent invocations

💬 Recommendations

Must Fix (Blocking)

1. Add README.md files for both skills following the established pattern:

# aidd-delegate

Delegates a single task to an isolated subagent via the Cursor Task tool with a
self-contained prompt.

## Why

[Explain the problem this solves]

## Usage

[Provide concrete examples]

## When to use

[List clear trigger conditions]

Should Fix (High Priority)

2. Add AI evaluation tests in ai-evals/ directory, similar to aidd-parallel/prompt-generation-test.sudo
3. Add security guidance about input validation for pipeline markdown parsing
4. Add cross-references between related skills (delegate ↔ pipeline ↔ parallel)

Nice to Have (Low Priority)

5. Add usage examples showing actual invocation patterns
6. Document error scenarios and recovery strategies
7. Add model selection guidance - when to use fast vs default model with more detail

📊 Scoring

Criterion	Score	Notes
Code Quality	9/10	Clean, well-structured SudoLang
Documentation	6/10	Missing READMEs, lacks examples
Test Coverage	2/10	No tests provided
Security	7/10	Safe design, minor input validation concerns
Architecture	8/10	Good separation of concerns
Adherence to Standards	7/10	Follows most patterns, missing READMEs
Overall	6.5/10	Good foundation, needs documentation completion

🎯 Verdict

CONDITIONAL APPROVAL - The code changes are solid and follow project conventions, but the PR is incomplete without README.md files that match the established pattern in this codebase. The missing test coverage is also concerning for skills that will be used by other agents.

Required before merge:

• Add README.md for aidd-delegate
• Add README.md for aidd-pipeline

Recommended before merge:

• Add at least one AI evaluation test
• Add security guidance for input validation

---

Commit Quality: ✅ Both commits follow conventional commit format with clear, descriptive messages and proper scoping.