feat: rewrite workflow skills with --agent and cross-step retrieval

All 4 workflow skills now use --agent and teach agents to reuse ref_ids
across steps via sync-ctl retrieve. Security gate in deploy pipeline uses
compressed output status field instead of raw JSON parsing.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: 2 people

skills/workflows/syncable-deploy-pipeline.md

@@ -47,22 +47,25 @@ sync-ctl env select <ENV_ID>
 ### Step 2: Analyze the project
 
 ```bash
-sync-ctl analyze <PATH> --json
+sync-ctl analyze <PATH> --agent
 ```
 
+Save the `full_data_ref` from the analyze output — do not re-run analyze in later steps; use `sync-ctl retrieve` with this ref_id instead.
+
 ### Step 3: Pre-deploy security audit
 
 Execute the `syncable-security-audit` workflow inline (all its steps and decision logic). **Note:** Step 2's analyze output is reused here — do not re-run analyze.
 
-1. `sync-ctl security <PATH> --mode paranoid --format json`
-2. `sync-ctl vulnerabilities <PATH> --format json`
+1. `sync-ctl security <PATH> --mode paranoid --agent`
+2. `sync-ctl vulnerabilities <PATH> --agent`
 3. `sync-ctl validate <PATH>` (if IaC files exist per Step 2's analysis)
 
-**CRITICAL GATE:** If the security audit finds **critical** findings:
-- Present all critical findings to the user
-- Explicitly warn: "Critical security findings detected. Deploying with these issues is not recommended."
-- Ask the user whether to proceed or abort
-- **Never deploy silently when critical findings exist**
+**CRITICAL GATE:** Check the security output's `status` field:
+- If `status` is "CRITICAL_ISSUES_FOUND": present findings to user, warn, require confirmation
+- If `status` is "HIGH_ISSUES_FOUND": warn but allow deployment
+- If `status` is "CLEAN": proceed to deploy
+
+All critical findings are in the `critical_issues` array of the compressed output — no retrieval needed for the gate decision.
 
 ### Step 4: Deploy
 
@@ -90,3 +93,23 @@ sync-ctl deploy status <TASK_ID> --watch
 - **Never deploy without the security gate.** Even if the user says "just deploy", run at least a fast security scan.
 - **Always confirm with the user before triggering deployment.** Show them what will be deployed, to which environment.
 - **Monitor deployment status** after triggering — don't fire-and-forget.
+
+## Cross-Step Retrieval
+
+Each step produces a `full_data_ref` in its output. You can retrieve details from any previous step at any time:
+
+```bash
+# Check what data is available from all steps
+sync-ctl retrieve --list
+
+# Get framework details from Step 2 (analyze)
+sync-ctl retrieve <analyze_ref_id> --query "section:frameworks"
+
+# Get critical security findings from Step 3
+sync-ctl retrieve <security_ref_id> --query "severity:critical"
+
+# Get vulnerability details from Step 3
+sync-ctl retrieve <vuln_ref_id> --query "severity:high"
+```
+
+Do NOT re-run a command just to get more detail — use `sync-ctl retrieve` instead.

skills/workflows/syncable-iac-pipeline.md

@@ -18,13 +18,15 @@ Validate all infrastructure-as-code files in a project by chaining IaC linting w
 ### Step 1: Analyze the project
 
 ```bash
-sync-ctl analyze <PATH> --json
+sync-ctl analyze <PATH> --agent
 ```
 
 Parse the output to determine:
 - Which IaC types exist (Dockerfile, Compose, Terraform, K8s manifests)
 - Whether K8s manifests are present — needed for step 3
 
+Save the `full_data_ref` from the analyze output — the ref_id from this step can be reused in later steps to retrieve IaC file details without re-running analyze.
+
 ### Step 2: Validate IaC files
 
 ```bash
@@ -41,7 +43,7 @@ sync-ctl validate <PATH> --types dockerfile,compose,terraform
 **Decision point:** Only run if step 1 detected Kubernetes manifests or Helm charts.
 
 ```bash
-sync-ctl optimize <PATH> --full --format json
+sync-ctl optimize <PATH> --full --agent
 ```
 
 The `--full` flag includes kubelint security checks and helmlint validation on top of resource optimization.
@@ -62,3 +64,23 @@ Produce an IaC validation report:
 3. **Terraform Issues** — validation errors
 4. **Kubernetes Issues** — kubelint security findings and resource optimization recommendations (if step 3 ran)
 5. **Actionable Fixes** — which issues can be auto-fixed with `--fix`
+
+## Cross-Step Retrieval
+
+Each step produces a `full_data_ref` in its output. You can retrieve details from any previous step at any time:
+
+```bash
+# Check what data is available from all steps
+sync-ctl retrieve --list
+
+# Get framework details from Step 1 (analyze)
+sync-ctl retrieve <analyze_ref_id> --query "section:frameworks"
+
+# Get critical security findings from Step 2
+sync-ctl retrieve <security_ref_id> --query "severity:critical"
+
+# Get vulnerability details from Step 3
+sync-ctl retrieve <vuln_ref_id> --query "severity:high"
+```
+
+Do NOT re-run a command just to get more detail — use `sync-ctl retrieve` instead.

skills/workflows/syncable-project-assessment.md

@@ -17,34 +17,36 @@ Run a comprehensive project health check by chaining multiple Syncable CLI comma
 ### Step 1: Analyze the project stack
 
 ```bash
-sync-ctl analyze <PATH> --json
+sync-ctl analyze <PATH> --agent
 ```
 
 Parse the output to understand:
 - What languages and frameworks are present
 - Whether dependencies exist (needed for steps 3 and 4)
 - Whether secrets-capable files exist (affects step 2 mode)
 
+Save the `full_data_ref` from the analyze output — you'll use it to retrieve details without re-running analyze.
+
 ### Step 2: Security scan
 
 ```bash
-sync-ctl security <PATH> --mode balanced --format json
+sync-ctl security <PATH> --mode balanced --agent
 ```
 
 **Decision point:** If step 1 shows no config files, secrets files, or environment files, use `--mode lightning` instead of `--mode balanced` to save time.
 
 ### Step 3: Vulnerability scan
 
 ```bash
-sync-ctl vulnerabilities <PATH> --format json
+sync-ctl vulnerabilities <PATH> --agent
 ```
 
 **Decision point:** If step 1 detected no dependencies (no package.json, requirements.txt, Cargo.toml, go.mod, etc.), **skip this step entirely** and note "No dependencies detected" in the report.
 
 ### Step 4: Dependency audit
 
 ```bash
-sync-ctl dependencies <PATH> --licenses --format json
+sync-ctl dependencies <PATH> --licenses --agent
 ```
 
 **Decision point:** Same as step 3 — skip if no dependencies detected.
@@ -74,10 +76,30 @@ After all steps complete, synthesize a unified report for the user:
 The agent runs these commands in sequence, skipping steps based on decision points:
 
 ```bash
-sync-ctl analyze . --json
-sync-ctl security . --mode balanced --format json
-sync-ctl vulnerabilities . --format json
-sync-ctl dependencies . --licenses --format json
+sync-ctl analyze . --agent
+sync-ctl security . --mode balanced --agent
+sync-ctl vulnerabilities . --agent
+sync-ctl dependencies . --licenses --agent
 ```
 
 Then synthesizes the results into a single report for the user.
+
+## Cross-Step Retrieval
+
+Each step produces a `full_data_ref` in its output. You can retrieve details from any previous step at any time:
+
+```bash
+# Check what data is available from all steps
+sync-ctl retrieve --list
+
+# Get framework details from Step 1 (analyze)
+sync-ctl retrieve <analyze_ref_id> --query "section:frameworks"
+
+# Get critical security findings from Step 2
+sync-ctl retrieve <security_ref_id> --query "severity:critical"
+
+# Get vulnerability details from Step 3
+sync-ctl retrieve <vuln_ref_id> --query "severity:high"
+```
+
+Do NOT re-run a command just to get more detail — use `sync-ctl retrieve` instead.

skills/workflows/syncable-security-audit.md

@@ -17,31 +17,33 @@ Perform a deep, multi-layered security review suitable for pre-deployment gates
 ### Step 1: Analyze the project
 
 ```bash
-sync-ctl analyze <PATH> --json
+sync-ctl analyze <PATH> --agent
 ```
 
 Parse the output to determine:
 - What IaC files exist (Dockerfiles, Compose, Terraform, K8s manifests) — needed for step 4
 - What dependencies exist — needed for step 3
 
+Save the `full_data_ref` from the analyze output — you'll use it to retrieve details without re-running analyze.
+
 ### Step 2: Deep security scan
 
 Choose mode based on context:
 
 **For PR reviews / pre-merge:**
 ```bash
-sync-ctl security <PATH> --mode thorough --format json
+sync-ctl security <PATH> --mode thorough --agent
 ```
 
 **For production deployment / compliance:**
 ```bash
-sync-ctl security <PATH> --mode paranoid --format json
+sync-ctl security <PATH> --mode paranoid --agent
 ```
 
 ### Step 3: Vulnerability scan
 
 ```bash
-sync-ctl vulnerabilities <PATH> --format json
+sync-ctl vulnerabilities <PATH> --agent
 ```
 
 ### Step 4: IaC validation
@@ -77,3 +79,23 @@ Produce a security audit report:
 5. **Remediation Priority** — ordered list of actions to resolve findings
 
 **If critical findings exist:** Explicitly warn the user. If this audit is part of a deploy pipeline, recommend blocking deployment until critical issues are resolved.
+
+## Cross-Step Retrieval
+
+Each step produces a `full_data_ref` in its output. You can retrieve details from any previous step at any time:
+
+```bash
+# Check what data is available from all steps
+sync-ctl retrieve --list
+
+# Get framework details from Step 1 (analyze)
+sync-ctl retrieve <analyze_ref_id> --query "section:frameworks"
+
+# Get critical security findings from Step 2
+sync-ctl retrieve <security_ref_id> --query "severity:critical"
+
+# Get vulnerability details from Step 3
+sync-ctl retrieve <vuln_ref_id> --query "severity:high"
+```
+
+Do NOT re-run a command just to get more detail — use `sync-ctl retrieve` instead.