Skip to content
Verbara Knowledge Base

Ecosystem methodology audit — Verbara (2026-06-13)

Ecosystem methodology audit — Verbara (2026-06-13)

Section titled “Ecosystem methodology audit — Verbara (2026-06-13)”

Versioned home for the audit that originated this repo and the P0/P1 work. (Condensed; the working record also lives in auto-memory verbara_methodology_audit.)

Verdict

Section titled “Verdict”

The methodology is ahead of the market — spec → ADR → plan → Subagent-Driven → holistic review → cross-repo release is mature spec-driven development; don’t change the core loop. Failures are in automated safeguards + context hygiene, not method.

Benchmarked against

Section titled “Benchmarked against”

Anthropic context-engineering (“smallest set of high-signal tokens”; anti-patterns = context bloat + rot), effective-harnesses-for-long-running-agents, Claude Code best practices; market: spec-driven development (Spec Kit / Kiro), OWASP LLM Top-10 2025.

ECC (affaan-m/ECC) evaluation

Section titled “ECC (affaan-m/ECC) evaluation”

Real, popular cross-repo+cross-IDE methodology repo distributed as a Claude Code plugin + npm. Security risk LOW-MED. Decision: MINE patterns, don’t adopt — installing it whole (64 agents/262 skills) would worsen our context-bloat; its own community says “most people just need a good CLAUDE.md, not an ecosystem.”

Cardinal gaps (verified)

Section titled “Cardinal gaps (verified)”
  • CI/security asymmetry: Verbara.Sdk = gold standard; Platform had no ci.yml at all (most critical repo, never validated PRs); Pro+Platform lacked CodeQL/Dependabot; Web lacked CodeQL.
  • Context bloat / rot: global CLAUDE.md release-narrative; large/inconsistent memory stores; Platform a 201-line CLAUDE.md.
  • Zero verification hooks anywhere; coverage gate only on Web; website orphaned.

P0 — CI + security (SHIPPED 2026-06-13, all 3 PRs merged)

Section titled “P0 — CI + security (SHIPPED 2026-06-13, all 3 PRs merged)”

Platform #58, Pro #4, Web #98 added build/test gates + CodeQL + Dependabot + dependency-review (cloned from the SDK gold standard, tailored per repo). A 4-agent adversarial verification caught a missing build-mode: manual on all C# CodeQL.

The gates immediately caught two real pre-existing breakages on main (strong validation): (1) MessagePack 2.5.187 transitive via SignalR = CVE-2026-48109 HIGH → pinned to 2.5.301; (2) Api.Tests didn’t compile (SchemaBinding.CreatedAt required but unset) → fixed. Pro CodeQL needs GHAS (disabled pending decision); Platform Dependabot needs PACKAGES_PAT in the Dependabot secret store (done).

P1 — context hygiene (IN PROGRESS)

Section titled “P1 — context hygiene (IN PROGRESS)”

See docs/specs/2026-06-13-context-hygiene-design.md. A→B→C: mechanical wins → semantic compaction (reviewed) → durable hygiene standard. The decision to create this repo (verbara-meta) is docs/decisions/0001-cross-repo-methodology-home.md.

Later (audit backlog)

Section titled “Later (audit backlog)”

Shared .claude/ baseline; verification hooks; coverage ratchet on the .NET repos; formalize verbara-website; fix the same build-mode: manual omission in SDK’s CodeQL.