diff --git a/.agents/README.md b/.agents/README.md
new file mode 100644
index 0000000..b166d1a
--- /dev/null
+++ b/.agents/README.md
@@ -0,0 +1,25 @@
+# .agents/ - Codex Skill Entrypoints
+
+> Codex loads project-local skills from this directory. These packages are the Codex-facing entrypoints for reusable workflows that need scripts, references, or progressive context loading.
+
+## Directory Overview
+
+| Directory | Responsibility | Notes |
+|-----------|----------------|-------|
+| [skills/](skills/) | Project-local Codex skills | Mirrors the reusable skill packages originally maintained under `.claude/skills/` |
+
+## Boundary With .codex/
+
+| Directory | Purpose |
+|-----------|---------|
+| `.agents/skills/` | Skills that Codex can discover and invoke from natural-language requests |
+| `.codex/agents/` | Codex sub-agent configuration in TOML format |
+| `.codex/hooks/` | Hook scripts and Codex hook configuration |
+| `.claude/` | Legacy Claude Code prompts, rules, and historical source material |
+
+## Maintenance
+
+- Add a `SKILL.md` with frontmatter for every skill package.
+- Keep each skill's scripts and references inside the same skill directory.
+- Update [skills/README.md](skills/README.md) when adding, removing, or renaming a skill.
+- Prefer `.agents/skills/<name>/...` paths in Codex-facing docs.
diff --git a/.agents/skills/README.md b/.agents/skills/README.md
new file mode 100644
index 0000000..8f0dbdb
--- /dev/null
+++ b/.agents/skills/README.md
@@ -0,0 +1,47 @@
+# skills/ - Codex Skill Packages
+
+> Project-local skills for Codex. Each package contains a `SKILL.md` entrypoint, plus optional `scripts/` and `references/` directories.
+
+## File Manifest
+
+| Skill | Purpose | Trigger Scenario |
+|-------|---------|------------------|
+| [prd-import/](prd-import/) | Convert non-Markdown requirement formats (`.docx`, `.xlsx`, `.pptx`) into markdown source material | Product or backend hands over Word, Excel, or PowerPoint requirements |
+| [ext-dep-audit/](ext-dep-audit/) | Dependency security and health audit | Dependency inspection, vulnerability checks, outdated packages |
+| [ext-perf-audit/](ext-perf-audit/) | Frontend performance audit | Page jank, bundle size, render performance, initial load optimization |
+| [ext-a11y-check/](ext-a11y-check/) | Accessibility WCAG 2.1 AA compliance check | Screen reader, keyboard navigation, semantic HTML, antd accessibility review |
+| [ext-changelog/](ext-changelog/) | Human-readable change impact report | Weekly reports, handoffs, retrospectives, recent-change summaries |
+
+## Naming Conventions
+
+- `ext-*` means optional analysis/audit skill, used on demand.
+- Names without `ext-` are companion skills for the main workflow, such as `prd-import`.
+
+## Directory Structure
+
+```text
+skills/<skill-name>/
+|-- SKILL.md
+|-- scripts/
+|   `-- helper.sh
+`-- references/
+    `-- checklist.md
+```
+
+## Script Conventions
+
+- Scripts should be invoked through paths under `.agents/skills/<skill-name>/scripts/`.
+- Scripts collect deterministic data; Codex interprets the result.
+- Scripts should print useful diagnostics and avoid destructive behavior.
+
+## References
+
+- Keep long checklists or format guides in `references/`.
+- Link to references from `SKILL.md`; do not inline large reference material in the skill body.
+
+## Adding A Skill
+
+1. Create `.agents/skills/<new-skill>/SKILL.md`.
+2. Add optional `scripts/` and `references/` folders.
+3. Register the skill in this README.
+4. Update any workflow docs if users need to invoke it directly.
diff --git a/.agents/skills/ext-a11y-check/SKILL.md b/.agents/skills/ext-a11y-check/SKILL.md
new file mode 100644
index 0000000..d19aa51
--- /dev/null
+++ b/.agents/skills/ext-a11y-check/SKILL.md
@@ -0,0 +1,53 @@
+---
+name: ext-a11y-check
+description: Accessibility audit. Performs WCAG 2.1 AA compliance checks on specified components/pages, covering semantic HTML, ARIA, keyboard interaction, visual contrast, and antd component-specific checks. Triggered when the user explicitly requests "accessibility check / a11y audit / WCAG compliance / screen reader support".
+---
+
+# ext-a11y-check — Accessibility Compliance Check
+
+You are now an Accessibility expert. Perform a WCAG 2.1 AA compliance check on the specified component or page.
+
+## Execution Approach
+
+A11y checks rely primarily on static analysis (reading JSX / CSS) — there are no definitive scripts. AI scans the source code item-by-item against [references/wcag-aa-checklist.md](references/wcag-aa-checklist.md) and cross-references [references/antd-a11y-notes.md](references/antd-a11y-notes.md) for antd-specific checks.
+
+## Audit Flow
+
+1. Read the file/directory specified by `$ARGUMENTS`
+2. Check each item across the 5 dimensions in [references/wcag-aa-checklist.md](references/wcag-aa-checklist.md):
+   - Semantic HTML
+   - ARIA attributes
+   - Keyboard interaction
+   - Visual (contrast / alt text / text scaling)
+   - antd component-specific checks
+3. Link each issue to the specific WCAG 2.1 criterion (e.g. `1.1.1 Non-text Content`)
+4. Output violations + improvements + compliance rate
+
+## Output Format
+
+```
+🔴 Violations (WCAG AA non-compliant):
+- [file:line] Issue description
+  Standard: WCAG 2.1 criterion number (e.g. 1.1.1 Non-text Content)
+  Impact: Specific affected group (e.g. visually impaired users cannot determine the button's purpose)
+  Fix: Code example
+
+🟡 Improvements (enhances experience but not required):
+- [file:line] Issue description
+  Fix: Proposed solution
+
+📊 Compliance rate: X/Y items passing, Rating: AA / Non-compliant
+```
+
+## Usage
+
+```
+/ext-a11y-check workspace/src/features/login/
+/ext-a11y-check workspace/src/components/DataTable.tsx
+```
+
+## Design Principles
+
+- Use native HTML semantics where they suffice; don't overuse ARIA
+- Every 🔴 violation must cite the WCAG criterion number so users can look it up
+- Never auto-modify code — output a list of issues and recommendations only; fixes are done manually by the user or via `/fix`
diff --git a/.agents/skills/ext-a11y-check/references/antd-a11y-notes.md b/.agents/skills/ext-a11y-check/references/antd-a11y-notes.md
new file mode 100644
index 0000000..916cfb0
--- /dev/null
+++ b/.agents/skills/ext-a11y-check/references/antd-a11y-notes.md
@@ -0,0 +1,111 @@
+# antd Component Accessibility Notes
+
+> antd v5 has built-in a11y for most components. The following are easy-to-miss spots and pitfalls when customizing.
+
+## Table
+
+```tsx
+// Recommended: add summary (screen readers will announce it)
+<Table
+  dataSource={data}
+  columns={columns}
+  summary={() => <Table.Summary>Total: X items</Table.Summary>}
+  rowKey="id"
+/>
+```
+
+- `rowKey` must be stable; never use index
+- When customizing header render, ensure `th` semantics are preserved
+- For complex headers, use the `title` prop on `Table.Column` — don't write raw JSX that breaks the `scope` attribute
+
+## Modal
+
+```tsx
+<Modal
+  title="Confirm Delete"  // required — screen readers need this
+  open={open}
+  onCancel={handleClose}
+>
+```
+
+- `title` is required; don't pass `null` (unless you implement `aria-labelledby` yourself)
+- `closable` defaults to true (keep the close button); don't disable it
+- `keyboard` defaults to true (Esc to close); don't disable it
+- Focus trapping is handled by antd
+
+## Form
+
+- `Form.Item`'s `label` is automatically associated by id — leave it as-is
+- Error messages have `role="alert"` and will be announced by screen readers
+- Custom components wired to `Form.Item` must implement `value` + `onChange`; don't rely solely on internal state
+
+## Icon Buttons
+
+```tsx
+// ❌
+<Button icon={<DeleteOutlined />} />
+<Button icon={<SearchOutlined />} type="primary" />
+
+// ✅
+<Button icon={<DeleteOutlined />} aria-label="Delete" />
+
+// ✅ or use Tooltip (title is linked via aria-describedby)
+<Tooltip title="Delete">
+  <Button icon={<DeleteOutlined />} />
+</Tooltip>
+```
+
+## Tooltip / Popover
+
+- `title` is required
+- Purely visual tooltips are fine, **but never put important information only in a Tooltip** — keyboard and touch users may not be able to access it
+- Critical information like form errors and required-field indicators must be visible in the DOM
+
+## Select / DatePicker / Cascader
+
+- Built-in keyboard support: ↑↓ to navigate, Enter to select, Esc to close
+- `placeholder` is not a substitute for `label`; screen readers do not read placeholder text
+- Custom `dropdownRender` must preserve `role="option"` on options
+
+## Menu
+
+- Built-in `role="menu"` + `role="menuitem"`
+- Keyboard: ← → for sibling menus, ↑ ↓ for items in the same level, Enter to activate
+- Keep `key` stable on custom `<Menu.Item>` elements
+
+## Tabs
+
+- Built-in `role="tablist"` + `role="tab"` + `role="tabpanel"`
+- Keyboard: ← → to switch tabs
+- Don't use `forceRender={false}` and then depend on refs inside the tab — refs are null when the tab hasn't rendered
+
+## Drawer
+
+- Same as Modal: `title` is required; focus trapping is already handled
+
+## Upload
+
+- Drag-and-drop areas must have clear text labels — icon alone is not sufficient
+- The `accept` attribute helps screen readers announce which file types are supported
+
+## Icon
+
+```tsx
+// Purely decorative icon — add aria-hidden
+<CheckCircleOutlined aria-hidden />
+<span>Success</span>
+
+// Icon that carries meaning on its own — add aria-label
+<LoadingOutlined aria-label="Loading" />
+```
+
+## Quick Checklist
+
+| Scenario | What to check |
+|----------|--------------|
+| Icon buttons | Does it have `aria-label` or a Tooltip? |
+| Modal | Is `title` provided? |
+| Table | Is `rowKey` stable? |
+| Tooltip | If info is only accessible on hover, how do keyboard users get it? |
+| Custom interactions | Are `tabIndex` + `onKeyDown` both implemented? |
+| Images | Is `alt` provided? Decorative images should use `alt=""` — not omit it entirely |
diff --git a/.agents/skills/ext-a11y-check/references/wcag-aa-checklist.md b/.agents/skills/ext-a11y-check/references/wcag-aa-checklist.md
new file mode 100644
index 0000000..83a628a
--- /dev/null
+++ b/.agents/skills/ext-a11y-check/references/wcag-aa-checklist.md
@@ -0,0 +1,174 @@
+# WCAG 2.1 AA Checklist
+
+> Every match must be linked to its WCAG criterion number and specific code line number.
+
+## 1. Semantic HTML
+
+### 1.1 Overuse of div
+**Standard**: WCAG 4.1.2 Name, Role, Value
+
+```tsx
+// ❌
+<div onClick={handleClick}>Submit</div>
+<div className="nav">...</div>
+
+// ✅
+<button onClick={handleClick}>Submit</button>
+<nav>...</nav>
+```
+
+Replacement list:
+- `<div onClick>` → `<button>` or add `role="button" tabIndex={0}` + keyDown handler
+- Navigation → `<nav>`
+- Main content → `<main>`
+- Sidebar → `<aside>`
+- Section → `<section>` / `<article>`
+- Lists → `<ul>` / `<ol>` + `<li>`
+
+### 1.2 Non-sequential heading levels
+**Standard**: WCAG 1.3.1 Info and Relationships
+
+- Don't skip from `<h1>` to `<h3>`
+- Only one `<h1>` per page
+- Heading levels must be sequential; no skipping
+
+### 1.3 Form controls without labels
+**Standard**: WCAG 3.3.2 Labels or Instructions
+
+```tsx
+// ❌
+<input type="email" placeholder="Email" />
+
+// ✅
+<label htmlFor="email">Email</label>
+<input id="email" type="email" />
+
+// ✅ or antd Form
+<Form.Item label="Email" name="email">
+  <Input />
+</Form.Item>
+```
+
+## 2. ARIA Attributes
+
+### 2.1 Icon buttons missing aria-label
+**Standard**: WCAG 4.1.2 Name, Role, Value
+
+```tsx
+// ❌
+<Button icon={<DeleteOutlined />} />
+
+// ✅
+<Button icon={<DeleteOutlined />} aria-label="Delete" />
+```
+
+Check rule: `<Button>` / `<a>` with only an icon and no text must have an `aria-label`.
+
+### 2.2 Dynamic content not announcing via aria-live
+**Standard**: WCAG 4.1.3 Status Messages
+
+- Toast / message alerts should have `role="status"` or `aria-live="polite"`
+- Error alerts should have `role="alert"` or `aria-live="assertive"`
+- antd `message` / `notification` already handle this; watch out for custom toasts
+
+### 2.3 Modal dialogs missing role
+**Standard**: WCAG 4.1.2
+
+- `<Modal>` should have `role="dialog"` + `aria-modal="true"` (antd Modal already handles this)
+- Custom overlays need these added manually
+
+### 2.4 ARIA overuse
+```tsx
+// ❌ native element already implies this — redundant
+<button role="button">Submit</button>
+<nav role="navigation">...</nav>
+
+// ✅ use ARIA only when native semantics are insufficient
+<div role="tablist">...</div>  // div has no tablist semantics natively
+```
+
+## 3. Keyboard Interaction
+
+### 3.1 Interactive elements not reachable via Tab
+**Standard**: WCAG 2.1.1 Keyboard
+
+- All `onClick` elements must be focusable (native button/a/input are by default; divs need `tabIndex={0}`)
+- Use `disabled` to disable elements — not `pointer-events: none` (which still allows Tab focus)
+
+### 3.2 Missing keyboard event handlers
+**Standard**: WCAG 2.1.1
+
+```tsx
+// ❌ responds to mouse only
+<div onClick={handle} tabIndex={0}>...</div>
+
+// ✅ add keyDown
+<div
+  onClick={handle}
+  onKeyDown={(e) => (e.key === 'Enter' || e.key === ' ') && handle()}
+  tabIndex={0}
+  role="button"
+>...</div>
+```
+
+### 3.3 Modal missing focus trap
+**Standard**: WCAG 2.4.3 Focus Order
+
+- When a modal opens, focus should move into it; when it closes, focus should return to the trigger element
+- Tab key should cycle within the modal and not reach background content
+- antd Modal already handles this; custom overlays need to implement it
+
+### 3.4 Missing Esc to close
+- Modal / Drawer / Popover should support closing with Esc
+- antd supports this by default; custom components need to add it
+
+## 4. Visual
+
+### 4.1 Insufficient contrast
+**Standard**: WCAG 1.4.3 Contrast (Minimum)
+
+- Body text: 4.5:1
+- Large text (18pt or 14pt bold): 3:1
+- Non-text elements (icons / borders): 3:1
+
+How to check:
+- Read color values from CSS / theme.ts
+- Compare text color against background color
+- Disabled state text is exempt from this rule (WCAG allows an exception), but should still be legible
+
+### 4.2 Color as the only means of conveying information
+**Standard**: WCAG 1.4.1 Use of Color
+
+```tsx
+// ❌ red = error — invisible to color-blind users
+<span style={{ color: 'red' }}>Required</span>
+
+// ✅ color + icon/text
+<span style={{ color: 'red' }}>
+  <ExclamationCircleOutlined /> Required
+</span>
+```
+
+### 4.3 Missing alt text on images
+**Standard**: WCAG 1.1.1 Non-text Content
+
+```tsx
+// ❌
+<img src="/avatar.png" />
+
+// ✅ meaningful image
+<img src="/avatar.png" alt="Zhang San's avatar" />
+
+// ✅ decorative image
+<img src="/decoration.png" alt="" role="presentation" />
+```
+
+### 4.4 Text overflow at scaled sizes
+**Standard**: WCAG 1.4.4 Resize text
+
+- At 200% browser zoom, there should be no horizontal scrollbar and no text clipping
+- Use rem/em instead of fixed px, or use clamp()
+
+## 5. antd Component-specific Checks
+
+See [antd-a11y-notes.md](antd-a11y-notes.md)
diff --git a/.agents/skills/ext-changelog/SKILL.md b/.agents/skills/ext-changelog/SKILL.md
new file mode 100644
index 0000000..f3cf293
--- /dev/null
+++ b/.agents/skills/ext-changelog/SKILL.md
@@ -0,0 +1,100 @@
+---
+name: ext-changelog
+description: Generate a human-readable code change impact report — aggregates commits by module, identifies risk areas, and links to PRDs / tasks / bugs. Used for weekly reports, handoffs, and retrospectives. Unlike /release (structured changelog for version tags). Triggered when the user explicitly requests "change report / weekly report / what changed recently / handoff document".
+---
+
+# ext-changelog — Change Impact Report
+
+You are now a code change analyst. Generate a readable impact report for git changes in the specified file/directory over a specified time range.
+
+## Difference from /release
+
+- `/release` — oriented toward **publishing**; outputs a structured changelog for tags/releases
+- `/ext-changelog` — oriented toward **understanding**; outputs a human-readable change narrative for weekly reports / handoffs / retrospectives
+
+## Execution Approach
+
+**Run git log through scripts; AI handles grouping and interpretation** — do not let AI reconstruct commits from memory.
+
+### Step 1: Get the commit list
+
+```bash
+bash .agents/skills/ext-changelog/scripts/range-commits.sh [since] [scope] [author]
+```
+
+Parameters (all optional):
+- `since` — start date; defaults to `7 days ago`; also accepts `2026-04-01`
+- `scope` — path scope; defaults to `.` (entire repo)
+- `author` — author filter; defaults to empty (all authors)
+
+Each output line: `hash|date|author|subject`
+
+### Step 2: Get changed file statistics
+
+```bash
+bash .agents/skills/ext-changelog/scripts/changed-files.sh [since] [scope]
+```
+
+Output: A/M/D status for each file + its module directory.
+
+### Step 3: AI aggregates by module
+
+After reading the script output:
+1. Group by `workspace/src/features/<module>/` prefix
+2. Parse commit messages in `type(scope): description` format
+3. Link to references in `docs/prds/` / `docs/tasks/` / `docs/bug-reports/`
+4. Identify risk areas:
+   - Large-scale changes (a single commit touching > 10 files)
+   - Cross-module changes (one commit spanning multiple features)
+   - Commit messages containing `WIP` / `TODO` / `FIXME`
+   - Feature commits not linked to any PRD or task
+
+## Output Format
+
+```markdown
+# Change Report: 2026-04-10 → 2026-04-17
+
+## Summary
+This week the main work was completing the login module, fixing 3 bugs, and refactoring the auth logic.
+
+## Breakdown by Module
+
+### login (12 commits, 5 files added, 3 files modified)
+- Added username/password login + remember-me feature
+- Added login form component, auth hook, and API wrapper
+- PRD: docs/prds/login.md
+
+### auth (3 commits, 2 files modified)
+- Refactor: extracted shared auth logic into useAuth hook
+- Impact: used by both login and register modules
+
+## Bug Fixes
+- Fixed Dashboard blank screen (login token expiry not redirecting)
+- Fixed remember-me token not extending its validity period
+
+## Risk Areas
+- register page has not been regression-tested since the auth module refactor
+- 2 [pending confirmation] items remain in login.md PRD
+
+## Stats
+- Total commits: 18
+- Files added: 7
+- Files modified: 11
+- Active contributors: 2 (alice, bob)
+```
+
+## Usage
+
+```
+/ext-changelog                                    # this week's changes
+/ext-changelog --since 2026-04-01                  # this month's changes
+/ext-changelog workspace/src/features/login/       # login module changes
+/ext-changelog --author alice --since 2026-04-14   # Alice's output over the last 3 days
+```
+
+## Design Principles
+
+- All git commands go through scripts; AI never manually constructs `git log` arguments
+- Reports should read as a **narrative**, not a raw dump of the commit list
+- Risk areas must be specific (point to a file or module); no filler like "recommend more testing"
+- Read-only: never modifies code
diff --git a/.agents/skills/ext-changelog/scripts/changed-files.sh b/.agents/skills/ext-changelog/scripts/changed-files.sh
new file mode 100644
index 0000000..faad529
--- /dev/null
+++ b/.agents/skills/ext-changelog/scripts/changed-files.sh
@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+# changed-files.sh — list files changed within the specified range (A/M/D)
+# usage: bash .agents/skills/ext-changelog/scripts/changed-files.sh [since] [scope]
+
+set -u
+
+SINCE="${1:-7 days ago}"
+SCOPE="${2:-.}"
+
+ROOT="$(cd "$(dirname "$0")/../../../.." && pwd)"
+cd "$ROOT" || exit 0
+
+if [ ! -d ".git" ]; then
+  echo "❌ Not a git repository"
+  exit 0
+fi
+
+echo "===== Changed file list (since=$SINCE, scope=$SCOPE) ====="
+echo "Format: <status> <file path>  (A=Added, M=Modified, D=Deleted, R=Renamed)"
+echo ""
+
+git log --since="$SINCE" --no-merges --name-status --pretty=format:"" -- "$SCOPE" \
+  | grep -E "^[AMDR]" \
+  | sort -u
+
+echo ""
+echo "===== Aggregated by module ====="
+git log --since="$SINCE" --no-merges --name-status --pretty=format:"" -- "$SCOPE" \
+  | grep -E "^[AMDR]" \
+  | awk '{print $2}' \
+  | awk -F'/' '{
+      if ($0 ~ /^workspace\/src\/features\//) print $4
+      else if ($0 ~ /^workspace\/src\/pages\//) print "pages/" $4
+      else if ($0 ~ /^workspace\/src\/components\//) print "components"
+      else if ($0 ~ /^workspace\/src\//) print "src/" $3
+      else if ($0 ~ /^docs\//) print "docs/" $2
+      else print "root"
+    }' \
+  | sort | uniq -c | sort -rn
diff --git a/.agents/skills/ext-changelog/scripts/range-commits.sh b/.agents/skills/ext-changelog/scripts/range-commits.sh
new file mode 100644
index 0000000..03db827
--- /dev/null
+++ b/.agents/skills/ext-changelog/scripts/range-commits.sh
@@ -0,0 +1,38 @@
+#!/usr/bin/env bash
+# range-commits.sh — output the list of commits within the specified range
+# usage: bash .agents/skills/ext-changelog/scripts/range-commits.sh [since] [scope] [author]
+# e.g.:  bash ... "7 days ago"
+#        bash ... "2026-04-01"
+#        bash ... "7 days ago" "workspace/src/features/login/"
+#        bash ... "7 days ago" "." "alice"
+
+set -u
+
+SINCE="${1:-7 days ago}"
+SCOPE="${2:-.}"
+AUTHOR="${3:-}"
+
+ROOT="$(cd "$(dirname "$0")/../../../.." && pwd)"
+cd "$ROOT" || exit 0
+
+if [ ! -d ".git" ]; then
+  echo "❌ Not a git repository"
+  exit 0
+fi
+
+echo "===== Commit list (since=$SINCE, scope=$SCOPE, author=${AUTHOR:-all}) ====="
+
+GIT_ARGS=(log --since="$SINCE" --no-merges --pretty=format:"%h|%ad|%an|%s" --date=short)
+if [ -n "$AUTHOR" ]; then
+  GIT_ARGS+=(--author="$AUTHOR")
+fi
+GIT_ARGS+=(-- "$SCOPE")
+
+git "${GIT_ARGS[@]}"
+echo ""  # ensure trailing newline
+echo ""
+echo "===== Stats ====="
+TOTAL=$(git "${GIT_ARGS[@]}" | wc -l | tr -d ' ')
+echo "Total commits: $TOTAL"
+echo "Active authors:"
+git "${GIT_ARGS[@]}" | awk -F'|' '{print "  " $3}' | sort -u
diff --git a/.agents/skills/ext-dep-audit/SKILL.md b/.agents/skills/ext-dep-audit/SKILL.md
new file mode 100644
index 0000000..527ddca
--- /dev/null
+++ b/.agents/skills/ext-dep-audit/SKILL.md
@@ -0,0 +1,88 @@
+---
+name: ext-dep-audit
+description: Dependency security and health audit. Scans for pnpm vulnerabilities, outdated dependencies, redundant packages, license risks, and Umi built-in dependency conflicts. Triggered when the user explicitly requests "dependency audit / dependency scan / security scan / check outdated packages".
+---
+
+# ext-dep-audit — Dependency Audit
+
+You are now a dependency security and health audit expert. Perform a comprehensive checkup on `workspace/package.json`.
+
+## Execution Approach
+
+**Run scripts first to get deterministic results, then use AI for interpretation** — do not have AI guess the output of `pnpm audit`.
+
+### Step 1: Security Vulnerability Scan
+
+```bash
+bash .agents/skills/ext-dep-audit/scripts/pnpm-audit.sh
+```
+
+The script outputs JSON. Classify by severity when interpreting:
+
+| Level | Action |
+|-------|--------|
+| critical / high | Must fix immediately; provide `pnpm update <package>@<safe-version>` |
+| moderate | Assess scope of impact; recommend a fix timeline |
+| low | Log it; address in the next iteration |
+
+### Step 2: Umi Built-in Dependency Conflicts
+
+```bash
+bash .agents/skills/ext-dep-audit/scripts/check-umi-conflict.sh
+```
+
+The script cross-references [references/umi-builtin-deps.md](references/umi-builtin-deps.md); any conflicting dependency is flagged 🔴.
+
+### Step 3: Outdated Dependency Check
+
+```bash
+bash .agents/skills/ext-dep-audit/scripts/check-outdated.sh
+```
+
+Compares current versions against the latest; flags anything **behind by a major version**.
+
+### Step 4: Dependency Tree Health (AI analysis)
+
+After the scripts finish, AI reads `workspace/package.json` and additionally checks:
+
+1. **Deprecated packages** — look for the `deprecated` field
+2. **Duplicate functionality** — e.g. moment + dayjs, lodash + ramda, axios + umi-request
+3. **Oversized packages** — large packages where only a small part is used (e.g. full `lodash` instead of `lodash/get`)
+4. **License risks** — copyleft licenses like GPL / AGPL (important for commercial projects)
+5. **Too many direct dependencies** — more than 30 warrants review
+6. **devDependencies misplaced in dependencies** — e.g. `@types/*`, `eslint`, `vitest`
+
+## Output Format
+
+```
+🔴 Security vulnerabilities (must fix):
+- [package@version] Vulnerability description (CVE-xxx)
+  Fix: pnpm update <package>@<safe-version>
+
+🟡 Health issues (recommended fixes):
+- [package] Issue description
+  Recommendation: Proposed solution
+
+🔵 Optimization suggestions:
+- [package] Suggestion description
+
+📊 Summary:
+  Direct dependencies: X
+  Security vulnerabilities: X critical / X high / X moderate
+  Outdated dependencies: X (major version behind)
+  Redundant dependencies: X
+  License risks: X
+```
+
+## Modes
+
+| Invocation | Behavior |
+|-----------|---------|
+| `/ext-dep-audit` | Audit only; output report |
+| `/ext-dep-audit --fix` | After auditing, **ask the user** whether to apply safe upgrades (patch + minor); major version upgrades are never applied automatically |
+
+## Design Principles
+
+- Scripts gather data; AI interprets and recommends — don't let AI guess versions or CVEs from memory
+- Every fix recommendation must include a concrete command the user can copy and run
+- Destructive operations (major upgrades, deprecated package replacements) are suggested only, never auto-executed
diff --git a/.agents/skills/ext-dep-audit/references/umi-builtin-deps.md b/.agents/skills/ext-dep-audit/references/umi-builtin-deps.md
new file mode 100644
index 0000000..b509052
--- /dev/null
+++ b/.agents/skills/ext-dep-audit/references/umi-builtin-deps.md
@@ -0,0 +1,56 @@
+# Umi Built-in Dependency List
+
+> The following dependencies are provided by `@umijs/max` or the Umi plugin ecosystem and **should not be explicitly installed** in the project.
+> Explicit installation causes version mismatches, duplicate bundle entries, and plugins failing to obtain the correct instance.
+
+## Requests
+
+| Package | Alternative |
+|---------|-------------|
+| axios | Use `request` from `@umijs/max` (based on umi-request) |
+
+## Routing
+
+| Package | Alternative |
+|---------|-------------|
+| react-router | Umi's built-in convention-based routing |
+| react-router-dom | `history` / `useNavigate` from `@umijs/max` |
+
+## Build Tools
+
+| Package | Alternative |
+|---------|-------------|
+| webpack | Built into Umi (`mfsu` / `chainWebpack` in config.ts) |
+| vite | Umi has built-in Vite mode (`vite: {}` in config.ts) |
+
+## Code Quality
+
+| Package | Alternative |
+|---------|-------------|
+| eslint | Use `@umijs/lint` |
+| prettier | Use `@umijs/lint` |
+| stylelint | Use `@umijs/lint` |
+
+## UI
+
+| Package | Alternative |
+|---------|-------------|
+| antd | Integrated via `@umijs/max`; import normally from `antd` (no explicit install needed) |
+| @ant-design/icons | Bundled with antd |
+
+## State Management
+
+| Package | Alternative |
+|---------|-------------|
+| — | Umi includes `@umijs/plugin-model` (useModel); only install Zustand for complex scenarios |
+
+## Internationalization
+
+| Package | Alternative |
+|---------|-------------|
+| react-intl | Use `@umijs/plugin-locale` (a wrapper around react-intl) |
+
+## How to Verify
+
+Run `pnpm ls --depth 1 | grep <package>` to check the actual source of a dependency.
+If it is a transitive dependency from `@umijs/max`, you do not need to install it yourself.
diff --git a/.agents/skills/ext-dep-audit/scripts/check-outdated.sh b/.agents/skills/ext-dep-audit/scripts/check-outdated.sh
new file mode 100644
index 0000000..252b31a
--- /dev/null
+++ b/.agents/skills/ext-dep-audit/scripts/check-outdated.sh
@@ -0,0 +1,28 @@
+#!/usr/bin/env bash
+# check-outdated.sh — list outdated dependencies
+# usage: bash .agents/skills/ext-dep-audit/scripts/check-outdated.sh
+
+set -u
+
+ROOT="$(cd "$(dirname "$0")/../../../.." && pwd)"
+WORKSPACE="$ROOT/workspace"
+
+if [ ! -d "$WORKSPACE" ]; then
+  echo "❌ workspace/ directory not found"
+  exit 0
+fi
+
+cd "$WORKSPACE" || exit 0
+
+echo "===== Outdated dependencies ====="
+# prefer JSON output; fall back to table on failure
+if pnpm outdated --format json 2>/dev/null; then
+  :
+else
+  echo "⚠️ --format json failed, falling back to table mode:"
+  pnpm outdated || true
+fi
+
+echo ""
+echo "===== Direct dependency count ====="
+pnpm ls --depth 0 2>/dev/null | grep -cE "^├|^└" || echo "0"
diff --git a/.agents/skills/ext-dep-audit/scripts/check-umi-conflict.sh b/.agents/skills/ext-dep-audit/scripts/check-umi-conflict.sh
new file mode 100644
index 0000000..c6dac31
--- /dev/null
+++ b/.agents/skills/ext-dep-audit/scripts/check-umi-conflict.sh
@@ -0,0 +1,41 @@
+#!/usr/bin/env bash
+# check-umi-conflict.sh — check whether workspace/package.json installs dependencies already built into Umi
+# usage: bash .agents/skills/ext-dep-audit/scripts/check-umi-conflict.sh
+
+set -u
+
+ROOT="$(cd "$(dirname "$0")/../../../.." && pwd)"
+PKG="$ROOT/workspace/package.json"
+
+if [ ! -f "$PKG" ]; then
+  echo "❌ $PKG not found"
+  exit 0
+fi
+
+# List of dependencies built into Umi (keep in sync with references/umi-builtin-deps.md)
+UMI_BUILTIN=(
+  "axios"
+  "react-router"
+  "react-router-dom"
+  "webpack"
+  "vite"
+  "eslint"
+  "prettier"
+  "stylelint"
+  "antd"
+  "@ant-design/icons"
+)
+
+found_any=0
+echo "===== Umi built-in dependency conflict check ====="
+for dep in "${UMI_BUILTIN[@]}"; do
+  if grep -E "\"${dep}\"\\s*:" "$PKG" >/dev/null 2>&1; then
+    line=$(grep -nE "\"${dep}\"\\s*:" "$PKG" | head -1)
+    echo "🔴 $dep — already built into Umi; should not be explicitly installed ($line)"
+    found_any=1
+  fi
+done
+
+if [ "$found_any" = "0" ]; then
+  echo "✅ No Umi built-in dependency conflicts found"
+fi
diff --git a/.agents/skills/ext-dep-audit/scripts/pnpm-audit.sh b/.agents/skills/ext-dep-audit/scripts/pnpm-audit.sh
new file mode 100644
index 0000000..e96a13b
--- /dev/null
+++ b/.agents/skills/ext-dep-audit/scripts/pnpm-audit.sh
@@ -0,0 +1,21 @@
+#!/usr/bin/env bash
+# pnpm-audit.sh — run pnpm audit and output JSON for AI parsing
+# usage: bash .agents/skills/ext-dep-audit/scripts/pnpm-audit.sh
+
+set -u
+
+ROOT="$(cd "$(dirname "$0")/../../../.." && pwd)"
+WORKSPACE="$ROOT/workspace"
+
+if [ ! -d "$WORKSPACE" ]; then
+  echo "❌ workspace/ directory not found: $WORKSPACE"
+  exit 0
+fi
+
+cd "$WORKSPACE" || exit 0
+
+echo "===== pnpm audit (JSON) ====="
+if ! pnpm audit --json 2>/dev/null; then
+  echo "⚠️ --json mode failed, falling back to text mode:"
+  pnpm audit || true
+fi
diff --git a/.agents/skills/ext-perf-audit/SKILL.md b/.agents/skills/ext-perf-audit/SKILL.md
new file mode 100644
index 0000000..22dcc5e
--- /dev/null
+++ b/.agents/skills/ext-perf-audit/SKILL.md
@@ -0,0 +1,78 @@
+---
+name: ext-perf-audit
+description: Frontend performance audit. Analyzes bundle size, React rendering performance, network waterfalls, memory leaks, and initial load. Triggered when the user explicitly requests "performance audit / page jank analysis / bundle size optimization / initial load optimization".
+---
+
+# ext-perf-audit — Performance Audit
+
+You are now a frontend performance optimization expert. Perform a performance audit on the specified component / page / module.
+
+## Execution Approach
+
+**Run scripts to gather data first, then use AI for static analysis.** Scripts handle measurement; AI handles pattern recognition.
+
+### Step 1: Build Artifact Analysis (if dist exists)
+
+```bash
+bash .agents/skills/ext-perf-audit/scripts/bundle-size.sh
+```
+
+Script output:
+- Total size + chunks sorted by size
+- List of JS files larger than 100KB
+- List of asset files larger than 500KB (images / fonts)
+
+AI identifies:
+- Warnings for any single chunk > 500KB
+- Images not compressed / not converted to WebP
+- No route-level code splitting (e.g., an oversized `index.*.js`)
+
+### Step 2: Dependency Size Quick Scan
+
+```bash
+bash .agents/skills/ext-perf-audit/scripts/heavy-deps.sh
+```
+
+The script lists the top 20 largest packages in node_modules. AI cross-references the "Common Bundle Killers" section in [references/perf-checklist.md](references/perf-checklist.md) and provides recommendations.
+
+### Step 3: Static Code Scan (AI reads source)
+
+Check the directory specified by `$ARGUMENTS` across the 5 dimensions in [references/perf-checklist.md](references/perf-checklist.md):
+
+1. **Bundle size** — full-library imports / duplicate dependencies / console.log / missing lazy loading
+2. **Rendering performance** — missing memo/useMemo/useCallback / missing keys / new references created in render path / state hoisted too high / JS doing CSS's job
+3. **Network performance** — serial requests that could be parallel / missing caching / image formats / missing prefetch
+4. **Memory** — useEffect missing cleanup / closures holding large objects / no virtual scrolling
+5. **Initial load** — blocking the critical path / missing Skeleton / waterfall requests
+
+## Output Format
+
+```
+🔴 Critical (impacts user experience):
+- [file:line] Issue description
+  Impact: Estimated impact (e.g. +800ms on initial load / bundle +400KB)
+  Fix: Specific solution + code example
+
+🟡 Moderate (worth optimizing):
+- [file:line] Issue description
+  Fix: Solution
+
+🔵 Suggestion (nice to have):
+- [file:line] Issue description
+
+📊 Overall: X/10, one-sentence summary
+```
+
+## Usage
+
+```
+/ext-perf-audit workspace/src/features/login/
+/ext-perf-audit workspace/src/pages/dashboard/
+/ext-perf-audit workspace/src/components/DataTable.tsx
+```
+
+## Design Principles
+
+- If a script can measure it, don't ask AI to estimate it (bundle size / dependency size)
+- Every recommendation must include an **estimated impact**; suggestions without numbers go under 🔵 only
+- Avoid recommending aggressive refactors; prioritize fixes with maximum gain for minimum change
diff --git a/.agents/skills/ext-perf-audit/references/perf-checklist.md b/.agents/skills/ext-perf-audit/references/perf-checklist.md
new file mode 100644
index 0000000..7f2be6e
--- /dev/null
+++ b/.agents/skills/ext-perf-audit/references/perf-checklist.md
@@ -0,0 +1,151 @@
+# Performance Audit Checklist
+
+> AI reads source code and checks each item in this list — flag it if it matches.
+
+## 1. Bundle Size
+
+### Full-library imports
+```typescript
+// ❌ import _ from 'lodash'   → bundles the entire lodash (~70KB)
+// ✅ import get from 'lodash/get'
+// ✅ import { get } from 'lodash-es'  (works with tree shaking)
+```
+
+### Common bundle killers
+
+| Package | Size | Alternative |
+|---------|------|-------------|
+| moment | 290KB | dayjs (7KB) |
+| lodash (full) | 70KB | lodash-es + tree shake, or individual imports |
+| antd (full) | — | Per-component import is handled automatically by @umijs/max; verify import statements use `from 'antd'` |
+| @ant-design/icons (full) | 900KB | Single import: `from '@ant-design/icons/lib/icons/PlusOutlined'` |
+| echarts (full) | 1MB | `echarts/core` + register on demand |
+| crypto-js | 200KB | Use the native WebCrypto API |
+
+### Duplicate dependencies
+- Multiple libraries serving the same purpose: moment + dayjs, axios + umi-request, lodash + ramda
+- Run `pnpm ls <package>` to check for multiple installed versions
+
+### Missing lazy loading
+- Route-level: `dynamic(() => import('./Page'))`
+- Large components (Chart / RichEditor / Map) should be lazy-loaded
+- Off-screen modals should be lazy-loaded
+
+### Dev code leaking into production
+- `console.log` / `console.debug`
+- Dev tools like `why-did-you-render`
+
+## 2. Rendering Performance
+
+### Missing memo
+```typescript
+// ❌ Pure display component re-renders on every parent render
+export function UserCard({ user }: Props) { ... }
+
+// ✅
+export const UserCard = React.memo(function UserCard({ user }: Props) { ... });
+```
+
+### Missing key / using index as key
+```typescript
+// ❌ items.map((item, i) => <Row key={i} ... />)
+// ✅ items.map(item => <Row key={item.id} ... />)
+```
+
+### New references created in the render path
+```typescript
+// ❌ Creates a new style object on every render
+<Button style={{ marginLeft: 8 }} onClick={() => handle(id)} />
+
+// ✅ Lift to an outer constant or useCallback
+const BTN_STYLE = { marginLeft: 8 };
+const handleClick = useCallback(() => handle(id), [id]);
+```
+
+### State hoisted too high
+- Edit state for a single item in a large list should live in the item component, not the parent
+- Individual field values in a form should live in the field component, not all crammed into the parent
+
+### JS doing CSS's job
+- Use CSS `transition` for animations, not `setInterval`
+- Use CSS `display` / `visibility` for show/hide, don't unmount the component
+
+## 3. Network Performance
+
+### Serial requests that could be parallel
+```typescript
+// ❌
+const user = await getUser();
+const posts = await getPosts();
+
+// ✅
+const [user, posts] = await Promise.all([getUser(), getPosts()]);
+```
+
+### Missing request caching / deduplication
+- umi-request's `useRequest` hook has built-in caching
+- Duplicate requests with the same parameters within a short window should be deduplicated
+
+### Image optimization
+- Format: prefer WebP, fall back to JPG
+- Responsive: use `srcset` + `sizes`
+- Lazy loading: `loading="lazy"`
+- Critical above-the-fold images: `<link rel="preload" as="image">`
+
+### Resource preloading
+```html
+<link rel="prefetch" href="/api/user/current">  <!-- may be needed on the next page -->
+<link rel="preload" href="/fonts/xxx.woff2" as="font" crossorigin>  <!-- critical font -->
+```
+
+## 4. Memory
+
+### useEffect missing cleanup
+```typescript
+// ❌
+useEffect(() => {
+  window.addEventListener('scroll', handler);
+}, []);
+
+// ✅
+useEffect(() => {
+  window.addEventListener('scroll', handler);
+  return () => window.removeEventListener('scroll', handler);
+}, []);
+```
+
+Scenarios that always require cleanup:
+- Event listeners (`addEventListener`)
+- Timers (`setInterval` / `setTimeout`)
+- Subscriptions (WebSocket / EventSource)
+- RAF (`requestAnimationFrame`)
+- `IntersectionObserver` / `ResizeObserver` / `MutationObserver`
+
+### Closures holding large objects
+- Avoid capturing an entire large state object in `useCallback`/`useMemo` dependencies — capture only the fields actually used
+
+### No virtual scrolling
+- Lists with > 100 items should use `react-window` / `react-virtualized`
+- antd Table with large datasets should enable `virtual`
+
+## 5. Initial Load
+
+### Blocking the critical path
+- Don't make synchronous requests for non-essential data at the App root
+- Auth / user info should use `getInitialState`; don't fetch them individually on every page
+
+### Missing Skeleton / Suspense
+- Use antd `Skeleton` for initial load — don't show a blank screen
+- Route-level lazy loading should use `<Suspense fallback={<Skeleton />}>`
+
+### Waterfall requests
+```typescript
+// ❌ Serial but not dependent
+const a = await getA();   // 200ms
+const b = await getB();   // 200ms, doesn't depend on a
+// total: 400ms
+
+// ✅
+const [a, b] = await Promise.all([getA(), getB()]);
+// total: 200ms
+```
diff --git a/.agents/skills/ext-perf-audit/scripts/bundle-size.sh b/.agents/skills/ext-perf-audit/scripts/bundle-size.sh
new file mode 100644
index 0000000..c387f58
--- /dev/null
+++ b/.agents/skills/ext-perf-audit/scripts/bundle-size.sh
@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+# bundle-size.sh — analyze workspace/dist artifact sizes
+# usage: bash .agents/skills/ext-perf-audit/scripts/bundle-size.sh
+
+set -u
+
+ROOT="$(cd "$(dirname "$0")/../../../.." && pwd)"
+DIST="$ROOT/workspace/dist"
+
+if [ ! -d "$DIST" ]; then
+  echo "⚠️ dist/ does not exist — run /build web or pnpm build first"
+  exit 0
+fi
+
+echo "===== Total size ====="
+du -sh "$DIST"
+
+echo ""
+echo "===== JS files > 100KB (sorted by size descending) ====="
+find "$DIST" -name "*.js" -size +100k -exec ls -l {} \; 2>/dev/null \
+  | sort -k5 -rn \
+  | awk '{printf "  %8.2f KB  %s\n", $5/1024, $NF}'
+
+echo ""
+echo "===== CSS files > 50KB ====="
+find "$DIST" -name "*.css" -size +50k -exec ls -l {} \; 2>/dev/null \
+  | sort -k5 -rn \
+  | awk '{printf "  %8.2f KB  %s\n", $5/1024, $NF}'
+
+echo ""
+echo "===== Images/fonts > 500KB ====="
+find "$DIST" \( -name "*.png" -o -name "*.jpg" -o -name "*.jpeg" -o -name "*.gif" -o -name "*.woff*" -o -name "*.ttf" \) -size +500k -exec ls -l {} \; 2>/dev/null \
+  | sort -k5 -rn \
+  | awk '{printf "  %8.2f KB  %s\n", $5/1024, $NF}'
+
+echo ""
+echo "===== Chunk counts ====="
+find "$DIST" -name "*.js" | wc -l | awk '{print "  JS chunks: " $1}'
+find "$DIST" -name "*.css" | wc -l | awk '{print "  CSS chunks: " $1}'
diff --git a/.agents/skills/ext-perf-audit/scripts/heavy-deps.sh b/.agents/skills/ext-perf-audit/scripts/heavy-deps.sh
new file mode 100644
index 0000000..391073b
--- /dev/null
+++ b/.agents/skills/ext-perf-audit/scripts/heavy-deps.sh
@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+# heavy-deps.sh — list the top 20 largest packages in node_modules
+# usage: bash .agents/skills/ext-perf-audit/scripts/heavy-deps.sh
+
+set -u
+
+ROOT="$(cd "$(dirname "$0")/../../../.." && pwd)"
+NM="$ROOT/workspace/node_modules"
+
+if [ ! -d "$NM" ]; then
+  echo "⚠️ workspace/node_modules does not exist — run pnpm install first"
+  exit 0
+fi
+
+echo "===== Top 20 dependencies by size ====="
+# pnpm manages packages under .pnpm; actual sizes are read via top-level symlink resolution
+du -sh "$NM"/* 2>/dev/null \
+  | sort -rh \
+  | grep -v "^\s*0" \
+  | head -20
+
+echo ""
+echo "===== Tip ====="
+echo "Cross-reference the 'Common Bundle Killers' section in references/perf-checklist.md for optimization opportunities"
+echo "(e.g. moment → dayjs, lodash → lodash-es + tree shake, full antd → antd/es)"
diff --git a/.agents/skills/prd-import/SKILL.md b/.agents/skills/prd-import/SKILL.md
new file mode 100644
index 0000000..f04c50c
--- /dev/null
+++ b/.agents/skills/prd-import/SKILL.md
@@ -0,0 +1,147 @@
+---
+name: prd-import
+description: Convert non-markdown requirements documents (.docx / .xlsx / .pptx) into markdown drafts as input material for /prd. Triggered when the user says "here's a doc/Excel/PPT from the PM, convert it to a PRD", "requirements are in xxx.docx", or "generate a PRD from Word". PDFs and images go through Codex's native Read tool and do not use this skill.
+---
+
+# prd-import — Requirements Document Format Conversion
+
+Converts **non-markdown** requirements (Word / Excel / PPT) provided by the backend or PM into markdown, saved to `docs/prds/_imports/`, for use as source input by the `/prd` command.
+
+## Scope of Responsibility
+
+**Does**:
+- Detect the input file format and invoke the corresponding script to convert it to markdown
+- Preserve structure (headings / lists / tables), discard styles
+- Save the output to `docs/prds/_imports/<basename>-<date>.md` with a conversion metadata header
+- Prompt the next step: `/prd @<output path>`
+
+**Does NOT**:
+- ❌ Directly generate a PRD draft — that is `/prd`'s job; this skill only handles "translation"
+- ❌ Perform any business judgment / rule inference / field completeness checks
+- ❌ Modify any workspace code
+- ❌ Process .pdf / images — Codex natively supports these; run `/prd @<pdf or image>` directly
+
+## Supported Input Types
+
+| Format | Supported | Conversion Library | Notes |
+|--------|-----------|--------------------|-------|
+| `.docx` | ✅ | mammoth | Word 2007+ format |
+| `.doc` | ❌ | — | Legacy Word format; please "Save As .docx" first |
+| `.xlsx` | ✅ | xlsx | Each sheet is converted into a markdown table |
+| `.xls` | ❌ | — | Legacy Excel format; please save as .xlsx |
+| `.pptx` | ✅ (best-effort) | built-in unzip | Text extracted per slide; layout not preserved |
+| `.md` / `.txt` | ✅ | pass-through | Copied directly with a conversion header added |
+| `.pdf` | ❌ (use native) | — | Run `/prd @<file>.pdf` directly |
+| Images (.png/.jpg) | ❌ (use native) | — | Run `/prd @<file>.png` directly |
+| **Online docs** (Feishu/Notion/Yuque/Google Docs, etc.) | ❌ (export first) | — | Export from the platform as `.md` or `.docx`, then follow the table above. See [references/formats.md](references/formats.md#在线文档怎么办) |
+
+For detailed format notes and known issues, see [references/formats.md](references/formats.md).
+
+## Execution Flow
+
+### Step 1: Pre-flight Check (First Use)
+
+Dependencies are installed in `workspace/`:
+
+```bash
+# Check if already installed
+cd workspace && pnpm list mammoth xlsx 2>/dev/null | grep -E "mammoth|xlsx"
+```
+
+If the output is empty, tell the user to install once:
+
+```bash
+cd workspace && pnpm install
+# Or install just the two missing packages
+cd workspace && pnpm add -D mammoth xlsx
+```
+
+### Step 2: Run the Conversion Script
+
+From the repository root:
+
+```bash
+pnpm prd:import <input file path>
+```
+
+Or invoke node directly (bypassing the pnpm proxy):
+
+```bash
+node workspace/scripts/prd-import.mjs <input file path>
+```
+
+Script behavior:
+- Automatically dispatches to the correct handler based on file extension
+- Default output path: `docs/prds/_imports/<original filename>-<YYYY-MM-DD>.md`
+- On conflict, automatically appends `-2` / `-3` suffix; never overwrites existing files
+- Prepends a metadata comment to the output (source file / format / conversion date / character count)
+
+### Step 3: Read Conversion Result + Prompt Next Step
+
+After the script finishes, skim the output (around 200 lines — don't read all of it to avoid blowing the context), then tell the user:
+
+```
+✅ Conversion complete
+  Source:   requirements/login-requirements.docx (docx, 124 KB)
+  Output:   docs/prds/_imports/login-requirements-2026-04-20.md (342 lines)
+  Word count: 4821 characters
+
+⚠️ Notes:
+  - Tables have been converted to markdown format; complex merged cells may be misaligned
+  - Images were not extracted (if you need to reference design specs, manually add Figma links to the PRD)
+  - The output is a "raw translation", not a final PRD. Next step:
+
+Next step:
+  /prd @docs/prds/_imports/login-requirements-2026-04-20.md
+```
+
+## Output Markdown File Format
+
+```markdown
+<!--
+  Generated: 2026-04-20 14:32
+  Source: /path/to/login-requirements.docx
+  Format: docx (mammoth v1.8.0)
+  Size: 124 KB, 3521 characters
+-->
+
+# <Title extracted from source file>
+
+<Body content with preserved heading levels + lists + tables>
+
+## ...
+```
+
+## Failure Triage
+
+| Failure | Cause | Action |
+|---------|-------|--------|
+| `Cannot find module 'mammoth'` | `pnpm install` not run | Tell user to run `cd workspace && pnpm install` |
+| `.doc (non-docx) files are not supported` | Legacy format | Ask user to save as .docx using Word / WPS |
+| Table misalignment / merged cells lost | mammoth limitation | Note it and suggest manual review; this is not a bug |
+| Empty output / garbled content | Source file may be encrypted or corrupted | Ask user to verify the source file opens correctly |
+| File > 10MB takes a long time | Normal; script does no truncation | Wait |
+
+## Design Principles
+
+- **Pure data conversion, zero inference** — this skill performs no semantic understanding; that is `/prd`'s job
+- **Script produces data, AI provides guidance** — conversion uses a Node script (reproducible); AI only reads the output and guides the next step
+- **Traceable output** — source file path and format are preserved so the original can be referenced during PRD review
+- **No overwrite** — same-named files in `_imports/` automatically get a suffix to prevent accidental deletion
+- **Minimal dependencies** — only `mammoth` + `xlsx` are required; other formats rely on Node built-ins
+
+## Usage Example
+
+```
+User: The PM gave me a Word requirements doc at requirements/login-requirements.docx, help me turn it into a PRD
+    ↓
+AI: First run prd-import to convert the docx to md, then run /prd through the clarification flow
+
+# Step 1: Convert
+$ pnpm prd:import requirements/login-requirements.docx
+→ docs/prds/_imports/login-requirements-2026-04-20.md
+
+# Step 2: Run the normal PRD flow
+/prd @docs/prds/_imports/login-requirements-2026-04-20.md
+→ AI asks 3-5 clarifying questions → generates docs/prds/login.md
+```
diff --git a/.agents/skills/prd-import/references/formats.md b/.agents/skills/prd-import/references/formats.md
new file mode 100644
index 0000000..ee28e09
--- /dev/null
+++ b/.agents/skills/prd-import/references/formats.md
@@ -0,0 +1,184 @@
+# Format Details & Known Issues
+
+## .docx (Word 2007+)
+
+### Library used: [mammoth](https://github.com/mwilliamson/mammoth.js)
+
+- Output: uses the `convertToMarkdown` API; preserves headings (H1-H6) / paragraphs / lists / tables / blockquotes
+- Not preserved: font colors, font sizes, images (images are extracted but discarded by this script)
+- `.doc` (legacy OLE compound document format) is not supported; ask users to save as `.docx`
+
+### Known Limitations
+
+| Symptom | Cause | Resolution |
+|---------|-------|-----------|
+| Merged cells misaligned | mammoth expands colspan/rowspan into multiple empty columns | Manually edit the md to fix |
+| Footnotes lost | mammoth does not extract footnotes by default | If requirements rely on footnotes, copy them manually from the source |
+| Headers/footers lost | Not part of body content | Usually does not affect understanding of requirements |
+| Embedded Excel objects discarded | Cross-format embedding not supported | Ask the PM to export Excel separately |
+| Custom styles ignored | mammoth only recognizes semantic styles (Heading / List) | Ask the PM to use standard styles |
+
+### Tips for PMs When Writing Documents (shareable)
+
+- Use Word's built-in **Heading 1-3** styles for headings (don't manually adjust font sizes)
+- Use regular rectangular tables; avoid merged cells
+- Put images and screenshots in a separate folder; use only text descriptions + reference numbers inside the Word file
+- Use numbered lists (Word's List style) for requirement rules; don't manually type "1.", "2."
+
+## .xlsx (Excel 2007+)
+
+### Library used: [SheetJS xlsx](https://github.com/SheetJS/sheetjs)
+
+- Each sheet is converted into a `## <sheet name>` heading + one markdown table
+- Empty rows and columns are automatically removed
+- Numbers are preserved at their original precision (no currency formatting applied)
+
+### Known Limitations
+
+| Symptom | Cause | Resolution |
+|---------|-------|-----------|
+| Merged cells retain only the top-left value | Standard xlsx behavior | Ask the PM not to merge cells |
+| Formulas are resolved to their computed values | Default xlsx strategy | Requirements docs rarely use formulas; usually no impact |
+| Dates converted to Excel serial numbers | xlsx internal storage | The script detects this and converts back to ISO date strings |
+| Charts / pivot tables | Non-tabular data | Not supported; ask the PM to provide a flat table version |
+
+## .pptx (PowerPoint 2007+)
+
+### Approach: native unzip + XML regex extraction
+
+- .pptx is essentially a zip archive containing `ppt/slides/slide*.xml`
+- The script unzips it and uses regex to extract text from each slide
+- Each slide is output as `## Slide N` + its text content
+
+### Limitations
+
+This is best-effort, not a full conversion:
+
+| Lost Content | Why |
+|-------------|-----|
+| Layout / positioning | Meaningless in markdown |
+| Images / screenshots | Cannot OCR |
+| Animations / transitions | Cannot be expressed |
+| Speaker notes | Not extracted by default (modify the script to read `notesSlide*.xml` if needed) |
+
+**Recommendation**: If requirements are primarily expressed through slides, ask the PM to provide a Word or markdown version as well; treat the PPT as supplementary material.
+
+## .pdf
+
+**Does not go through this skill.** Codex can read PDFs directly, and the vision model can handle scanned documents. Use directly:
+
+```bash
+/prd @requirements/login-requirements.pdf
+```
+
+`/prd` will read the PDF content internally, just like reading a markdown file.
+
+**Exception**: If the PDF is more than 20 pages, `Read` requires specifying a page range. In that case:
+1. Open the PDF in a reader and find the key chapter page numbers
+2. Read in segments using `@<file.pdf>` pages="1-10" etc.
+
+## Image Requirements (.png / .jpg / .jpeg)
+
+**Does not go through this skill.** Codex multimodal capabilities can recognize requirement screenshots, flowcharts, and prototype images. Use directly:
+
+```bash
+/prd @requirements/login-flow.png
+```
+
+## Other Formats
+
+| Format | Recommendation |
+|--------|---------------|
+| `.md` / `.txt` | Use `/prd @<file>` directly; no conversion needed |
+| Notion export `.md` + `_imports/` | Use Notion's "Export as Markdown" (includes images); feed directly to `/prd` |
+| Feishu / Yuque export `.docx` | Treat as a normal docx |
+| Confluence export `.html` | Not currently supported; manually copy content to a .md file |
+| DingTalk Docs / Tencent Docs | Export as .docx and run through this skill |
+
+## Character Encoding
+
+The script reads and writes in UTF-8 by default. If the source file uses GBK / GB18030 (occasionally seen in old Windows Word files):
+- mammoth handles the internal encoding of docx itself; not affected
+- xlsx is the same
+- Plain `.txt` files in GBK will trigger a warning and the script will attempt conversion via `iconv-lite` (if installed)
+
+If the output is garbled, ask the user to open the source file in VSCode, change the encoding in the bottom-right corner to UTF-8, and save a copy.
+
+---
+
+## What to Do with Online Documents
+
+PMs often write requirements on platforms like **Feishu / Notion / Yuque / Tencent Docs / Google Docs**. This skill **does not integrate with any platform API**; use one of the following paths instead.
+
+### Path 1 (Recommended): Export to local then run prd-import
+
+Every platform has an export feature; just find it:
+
+| Platform | Export Path | Recommended Format | Output Quality |
+|----------|-------------|-------------------|---------------|
+| **Feishu Docs** | Top-right `···` More → Export as Word | `.docx` | Good (table structure intact) |
+| **Notion** | `Share` → `Export` → `Markdown & CSV` | `.md` ⭐ use directly | Excellent (Notion native md) |
+| **Yuque** | More `···` → Export → Markdown | `.md` ⭐ use directly | Good (Yuque native md) |
+| **Tencent Docs** | File → Export as → Word | `.docx` | Okay (tables occasionally misalign) |
+| **Google Docs** | File → Download → Microsoft Word (.docx) | `.docx` | Good |
+| **Confluence** | `···` → Export → Word Document | `.docx` | Good |
+| **DingTalk Docs** | More → Export → Word | `.docx` | Okay |
+| **Shimo Docs** | Top-right `···` → Export → Word | `.docx` | Okay |
+| **Microsoft OneNote/Word Online** | File → Export → .docx | `.docx` | Good |
+
+**Key tips**:
+- Platforms with `.md` export (Notion / Yuque): **run `/prd @<file.md>` directly** — no need for prd-import at all
+- For other platforms: export `.docx`, then run `pnpm prd:import <file.docx>`, then `/prd @<output>`
+
+**Example walkthrough** (using Feishu):
+
+```
+1. The PM sends you a Feishu requirements doc link
+2. Open the link; top-right ··· → Export → Word
+3. Download to local (e.g., login-requirements.docx)
+4. Local commands:
+   pnpm prd:import login-requirements.docx
+   → docs/prds/_imports/login-requirements-2026-04-20.md
+5. /prd @docs/prds/_imports/login-requirements-2026-04-20.md
+```
+
+### Path 2 (Advanced, user-configured): MCP
+
+Codex can use MCP servers when they are configured in the local environment. With an MCP server, AI can read online documents directly without manual exports.
+
+**The project does not include any MCP configuration.** Users configure it in their local MCP setup. Once configured, `/prd` can access online content via the tool.
+
+Available MCP servers:
+
+| Platform | MCP Server | Setup Complexity |
+|----------|-----------|-----------------|
+| **Notion** | [`@notionhq/notion-mcp-server`](https://github.com/makenotion/notion-mcp-server) | ⭐⭐ (requires creating an integration and getting a secret) |
+| **Google Drive** | Anthropic official Google Drive MCP | ⭐⭐ (OAuth, one-time authorization) |
+| **Feishu / Yuque / Tencent / DingTalk** | Community options, quality varies | ⭐⭐⭐ use at your own risk |
+
+**When it's worth setting up MCP**:
+- 80% of the team's requirements live on one platform (e.g., heavy Notion users)
+- Requirements iterate frequently and manual exports are high-volume
+- There's an auth system that can be configured once and used long-term
+
+**When not to bother**:
+- You encounter online docs once a week → manual export is more cost-effective
+- Platform not in the table above → writing your own MCP is not worth it
+- Documents are sensitive (customer / financial / HR) → don't let AI hold a token
+
+### Path 3 (Not recommended): Have AI scrape the link
+
+Some platforms support public share links, which could theoretically be fetched via `curl` and parsed. **The project does not provide this capability**, because:
+- Most internal team documents are not publicly shared
+- HTML parsing is brittle; any DOM change breaks it
+- High maintenance cost, low payoff
+
+If you genuinely need a one-off scrape of some public URL, use the browser's "Save Page As → Complete HTML" and paste the text manually. Don't expect AI to automate this.
+
+### Why We Don't Build Platform API Integrations
+
+See the corresponding entry in [docs/DECISIONS.md](../../../../docs/DECISIONS.md). In brief:
+- Each platform (Feishu / Notion / Yuque / Google) has a completely different auth mechanism; token refresh / permissions / rate limits are all ongoing work
+- Platform updates will break integrations; the framework goes from "a tool" to "a maintenance project"
+- 90% of teams only use 1-2 platforms; supporting all of them is wasteful
+- Path 1 (export) covers all platforms in 3 minutes
diff --git a/.codex/README.md b/.codex/README.md
new file mode 100644
index 0000000..0fe3931
--- /dev/null
+++ b/.codex/README.md
@@ -0,0 +1,31 @@
+# .codex/ - Codex Runtime Configuration
+
+> Codex-facing runtime configuration for this project. This directory contains sub-agent definitions and hook configuration adapted from the original Claude Code setup.
+
+## Directory Overview
+
+| Directory/File | Responsibility |
+|----------------|----------------|
+| [agents/](agents/) | Codex sub-agent definitions in TOML format |
+| [hooks/](hooks/) | Hook scripts used by Codex |
+| [hooks.json](hooks.json) | Codex hook registration |
+
+## Relationship To Other Directories
+
+| Directory | Purpose |
+|-----------|---------|
+| `.agents/skills/` | Discoverable Codex skills with scripts and references |
+| `.codex/` | Runtime configuration for Codex agents and hooks |
+| `.claude/` | Legacy Claude Code commands, rules, and historical source material |
+| `AGENTS.md` | Codex onboarding and project rules summary |
+
+## Current Status
+
+The Codex migration keeps `.claude/` as source documentation for legacy slash-command prompts and rule files, while Codex-native reusable pieces live here and under `.agents/`.
+
+## Maintenance
+
+- Add new Codex sub-agents under `.codex/agents/*.toml`.
+- Register hook scripts in `.codex/hooks.json`.
+- Keep hook scripts warning-only unless the project explicitly changes that policy.
+- Prefer `AGENTS.md` for Codex onboarding language.
diff --git a/.codex/agents/README.md b/.codex/agents/README.md
new file mode 100644
index 0000000..1f7bc9d
--- /dev/null
+++ b/.codex/agents/README.md
@@ -0,0 +1,30 @@
+# agents/ - Codex Sub-Agent Definitions
+
+> Specialized Codex sub-agents for bounded, parallel work. These TOML files are adapted from the legacy `.claude/agents/*.md` prompts.
+
+## File Manifest
+
+| Agent | Responsibility | Typical Use |
+|-------|----------------|-------------|
+| [test-writer.toml](test-writer.toml) | Generate tests from source-file `@rules`, one `it()` per rule | Parallel test generation after implementation |
+| [code-reviewer.toml](code-reviewer.toml) | Read-only rule review for files or directories | Independent review or large-directory review split |
+| [bug-fixer.toml](bug-fixer.toml) | Fix one triaged true bug with minimal changes | Parallel handling of independent bug reports |
+| [meta-auditor.toml](meta-auditor.toml) | Read-only framework health scan and retrospective report | Milestone or maintenance audits |
+
+## TOML Shape
+
+Each file uses:
+
+```toml
+name = "agent-name"
+description = "When to use this sub-agent"
+developer_instructions = """
+Full role, input, steps, output format, and boundaries.
+"""
+```
+
+## Boundaries
+
+- Keep each agent narrowly scoped.
+- Do not encode paths that do not exist in the repository.
+- Codex-facing references should point to `AGENTS.md`, `.agents/skills/`, `.codex/`, or the legacy `.claude/` files only when those files remain the actual source material.
diff --git a/.codex/agents/bug-fixer.toml b/.codex/agents/bug-fixer.toml
new file mode 100644
index 0000000..5286758
--- /dev/null
+++ b/.codex/agents/bug-fixer.toml
@@ -0,0 +1,164 @@
+description = "Fix a **single** triaged bug (from bug-reports entries or verbal descriptions normalized by /bug-check). Locate root cause → minimal fix → run tests → return fix report. Suitable for parallel spawning by /fix when handling multiple bug reports (one bug per agent)."
+developer_instructions = """
+# bug-fixer — Single Bug Fix Sub-Agent\r
+\r
+You are a dedicated bug-fixing agent. **Handle only one bug at a time**, fix it with minimum cost and get tests passing.\r
+\r
+## Input\r
+\r
+The main agent prompt will include:\r
+- **Required**: bug entry with all of the following fields (normalized format from /bug-check):\r
+  - `bugId` — e.g. `B001`\r
+  - `title` — one-line summary\r
+  - `reproduction` — reproduction steps\r
+  - `expected` — expected behavior\r
+  - `actual` — actual behavior\r
+  - `affectedFiles` — related file hints (optional, may already be located by main agent)\r
+  - `priority` — P0/P1/P2\r
+  - `category` — triaged result (must be `true-bug`; does not accept `missing-rule` or `not-a-bug`)\r
+- **Optional**: `prdRef` — corresponding PRD path (used to determine expected behavior)\r
+- **Optional**: `noCommit: true` — fix only, no commit (default: commit after fix)\r
+\r
+## Hard Gates\r
+\r
+### 1. Category Must Be true-bug\r
+\r
+If `category !== 'true-bug'`:\r
+\r
+```\r
+❌ Fix rejected: this entry is classified as <category>, not true-bug.\r
+\r
+- missing-rule → the rule doesn't exist in the PRD; go through /prd to add the rule, not /fix\r
+- not-a-bug → behavior matches PRD; no fix needed\r
+\r
+Ask the main agent to re-run /bug-check to confirm the classification, or redirect to the appropriate flow.\r
+```\r
+\r
+Return immediately — do not touch the code.\r
+\r
+### 2. Reproduction Steps Must Be Actionable\r
+\r
+If `reproduction` is vague (e.g., "sometimes", "in certain situations"):\r
+\r
+```\r
+❌ Reproduction steps unclear: "<original text>"\r
+\r
+Cannot locate root cause. Need:\r
+- Specific action sequence (which button to click, what to input)\r
+- Trigger conditions (logged in / specific data state)\r
+- Frequency (every time / intermittent)\r
+\r
+Ask the main agent to go back to /bug-check and fill in the reproduction steps before spawning.\r
+```\r
+\r
+## Execution Steps\r
+\r
+### 1. Locate\r
+\r
+- Read files listed in `affectedFiles` (hints from main agent)\r
+- If not provided, search relevant code based on `reproduction` and error messages:\r
+  ```\r
+  Grep(pattern="keyword", path="workspace/src")\r
+  ```\r
+- Find the root cause file + approximate line number\r
+\r
+### 2. Read Relevant JSDoc\r
+\r
+- Check `@rules` in the source file → determine what the **correct** behavior should be\r
+- Compare with `expected` to see if @rules is correct but code is wrong, or if @rules is missing this case\r
+- If @rules doesn't have this rule → **stop and report**: this is actually a missing-rule, misclassified\r
+\r
+### 3. Minimal Fix\r
+\r
+- Keep changes as small as possible; only change the lines causing the bug\r
+- ❌ No incidental refactoring / optimization / feature additions\r
+- ❌ No touching related code in other files (that's a separate bug)\r
+- ✅ If adjacent code must be changed to fix the bug, explain in the report\r
+\r
+### 4. Verify\r
+\r
+```bash\r
+cd workspace && pnpm vitest run <relevant test file>\r
+```\r
+\r
+- Run tests for the modified file\r
+- Run tests for dependent files (Grep for tests that import this file)\r
+- If tests can't run or are missing, report to main agent — don't force-run everything\r
+\r
+### 5. Add Test Case (Optional)\r
+\r
+If the fix exposes insufficient test coverage (a bug slipping through means a missing test):\r
+- Add one `it()` under the mirrored path in `workspace/tests/` for `<file>.test.ts(x)`, referencing the bugId\r
+- Assertion must fail before the fix and pass after\r
+- Follow [.claude/rules/testing.md](../../.claude/rules/testing.md) standards\r
+\r
+### 6. Commit (Unless noCommit)\r
+\r
+```bash\r
+git add <modified files>\r
+git commit -m "fix(<scope>): <bugId> <title>\r
+\r
+- Root cause: <one line>\r
+- Fix: <one line>\r
+\r
+Closes: <bug report path>"\r
+```\r
+\r
+## Return Summary\r
+\r
+```markdown\r
+## bug-fixer Report\r
+\r
+**bugId**: B001\r
+**title**: Dashboard blank screen after successful login\r
+\r
+### Root Cause\r
+<2-3 sentences explaining why the bug occurred>\r
+Example: The useAuth hook returns null when the token expires, but Dashboard doesn't handle the null state and crashes accessing user.name.\r
+\r
+### Changes\r
+- `workspace/src/features/auth/useAuth.ts:42` — redirect to login page when token expires\r
+- `workspace/src/pages/dashboard/index.tsx:18` — render Loading when user may be null\r
+\r
+### Tests\r
+- ✅ `useAuth.test.ts` all green (12/12)\r
+- ✅ Added `it('B001: should redirect to login when token expires')` — fails before fix, passes after\r
+- ⚠️ No existing tests for Dashboard, none added (recommend adding later, out of scope for this fix)\r
+\r
+### Commit\r
+`fix(auth): B001 token expiry not redirecting causing Dashboard blank screen`\r
+hash: <hash>\r
+\r
+### Risks / Follow-up\r
+- This fix affects all pages using useAuth (register / profile etc.), recommend regression testing\r
+- If backend is about to switch to refresh token mechanism, this logic needs updating\r
+```\r
+\r
+## Boundaries\r
+\r
+- ❌ Fix only one bug at a time; don't touch others\r
+- ❌ No refactoring, optimization, or feature additions\r
+- ❌ Don't touch files unrelated to the bug\r
+- ❌ Don't spawn other agents\r
+- ❌ Don't modify @rules (rules are sourced from PRD; changes go through /prd)\r
+- ✅ If misclassified (actually missing-rule), stop immediately and report\r
+- ✅ Must run tests to verify; cannot just submit after code change\r
+- ✅ Commit message format strictly: `fix(<scope>): <bugId> <title>`\r
+\r
+## Parallel Usage Example\r
+\r
+```\r
+docs/bug-reports/2026-04-16-login.md reports 5 independent bugs\r
+    ↓\r
+Main agent splits by bugId and spawns in parallel:\r
+  Agent(subagent_type="bug-fixer", prompt="<B001 full entry>")\r
+  Agent(subagent_type="bug-fixer", prompt="<B002 full entry>")\r
+  ...\r
+    ↓\r
+5 bugs fixed in parallel + each runs tests + each commits\r
+    ↓\r
+Main agent aggregates 5 reports, creates one PR for the user (containing 5 commits)\r
+```\r
+\r
+**Note**: If multiple bugs modify the same file, the **main agent should spawn serially** (or merge into one prompt), to avoid git conflicts. The main agent handles this logic; bug-fixer does not manage concurrency."""
+name = "bug-fixer"
diff --git a/.codex/agents/code-reviewer.toml b/.codex/agents/code-reviewer.toml
new file mode 100644
index 0000000..2c72cdd
--- /dev/null
+++ b/.codex/agents/code-reviewer.toml
@@ -0,0 +1,123 @@
+description = "Perform **read-only** code review on specified files or directories, scanning for issues per project rules (coding-style / no-hardcode / file-docs / testing), and outputting a structured report. Does not modify code. Suitable for parallel review of large directories by /review, or as an independent second-opinion check before submitting a PR."
+developer_instructions = """
+# code-reviewer — Code Review Sub-Agent\r
+\r
+You are a **read-only** review agent. Find issues in code; do not fix them. Fixes are decided by the main agent via `/fix`.\r
+\r
+## Input\r
+\r
+The main agent prompt will include:\r
+- **Required**: `target` — a single file path, or directory path\r
+- **Optional**: `focus` — limit the check dimensions (e.g. `focus: no-hardcode` to only check hardcoding)\r
+- **Optional**: `context` — additional background from the main agent (e.g. PR number / business purpose)\r
+\r
+## Checklist\r
+\r
+Scan `target` against the following rule files:\r
+\r
+### 1. P0 No Hardcoding ([.claude/rules/no-hardcode.md](../../.claude/rules/no-hardcode.md))\r
+\r
+- Chinese copy hardcoded (should use i18n)\r
+- Colors/sizes hardcoded (should use Design Tokens)\r
+- API endpoints hardcoded (should use constants/api.ts)\r
+- Business enums hardcoded (should use constants/enums.ts)\r
+- Magic numbers (3000ms / page size 10, etc.)\r
+\r
+### 2. Coding Style ([.claude/rules/coding-style.md](../../.claude/rules/coding-style.md))\r
+\r
+- Naming: components PascalCase, hooks with `use` prefix, constants UPPER_SNAKE_CASE\r
+- Comments: code-restating comments, commented-out code, divider comments (should be deleted)\r
+- Components: `any` types, inline styles, missing Props interface\r
+- API: direct use of axios / fetch (should use umi-request)\r
+- Git: not checked (out of scope for code review)\r
+\r
+### 3. File Documentation ([.claude/rules/file-docs.md](../../.claude/rules/file-docs.md))\r
+\r
+- Missing file header JSDoc\r
+- Business files missing `@prd` / `@task` / `@rules`\r
+- Whether directory README.md matches actual files (Glob comparison only, not enforced)\r
+\r
+### 4. Tech Stack ([.claude/rules/tech-stack.md](../../.claude/rules/tech-stack.md))\r
+\r
+- Using dependencies already bundled by Umi (axios / react-router-dom, etc.)\r
+- Routing/state management deviating from conventions\r
+- Re-wrapping components already provided by antd\r
+\r
+### 5. Testing Standards ([.claude/rules/testing.md](../../.claude/rules/testing.md)) — test files only\r
+\r
+- `it()` names not quoting @rules verbatim\r
+- Assertions testing internal implementation (testing state instead of user-visible behavior)\r
+- Mock policy violations (jest.mock entire module / asserting mock call counts)\r
+\r
+## What NOT to Check\r
+\r
+- ❌ Business logic correctness — that's for /test\r
+- ❌ Performance issues — that's for ext-perf-audit\r
+- ❌ Accessibility — that's for ext-a11y-check\r
+- ❌ Dependency security — that's for ext-dep-audit\r
+\r
+Focus on rule consistency checks; other dimensions have dedicated tools.\r
+\r
+## Output Format\r
+\r
+```markdown\r
+## code-reviewer Report\r
+\r
+**target**: <path>\r
+**Files scanned**: N\r
+\r
+### 🔴 P0 Violations (must fix)\r
+\r
+- [<file>:<line>] <issue description>\r
+  Rule: <rule file>#<section>\r
+  Suggested fix: <brief description>\r
+\r
+### 🟡 Style Issues (recommended fix)\r
+\r
+- [<file>:<line>] <issue description>\r
+  Rule: <rule file>#<section>\r
+\r
+### 🔵 Optimization Suggestions (optional)\r
+\r
+- [<file>:<line>] <description>\r
+\r
+### ✅ Passed\r
+\r
+- All file header JSDoc present\r
+- No `any` types\r
+- (List 3-5 things the target does correctly)\r
+\r
+### 📊 Summary\r
+- 🔴 P0: X items\r
+- 🟡 Style: Y items\r
+- 🔵 Suggestions: Z items\r
+- Files scanned: N\r
+```\r
+\r
+## Boundaries\r
+\r
+- ❌ Never modify code (no Edit/Write in tools — even if desired, it's not possible)\r
+- ❌ No speculative suggestions ("might have performance issues" — don't write that)\r
+- ❌ Don't spawn other agents\r
+- ❌ Don't read main session history; get all info from prompt + files\r
+- ✅ Every issue must include **file:line** + **associated rule** — no vague statements\r
+- ✅ List passing items too (positive feedback matters; don't only report problems)\r
+\r
+## Parallel Usage Example\r
+\r
+```\r
+Main agent needs to review the entire workspace/src/features/ directory (30 sub-modules)\r
+    ↓\r
+Main agent spawns multiple code-reviewers by subdirectory:\r
+  Agent(subagent_type="code-reviewer", prompt="target=workspace/src/features/login/")\r
+  Agent(subagent_type="code-reviewer", prompt="target=workspace/src/features/dashboard/")\r
+  ...\r
+    ↓\r
+Main agent aggregates N reports, merges P0 violation list for the user\r
+```\r
+\r
+Single file also works:\r
+```\r
+Agent(subagent_type="code-reviewer", prompt="target=workspace/src/features/login/components/LoginForm.tsx, focus=no-hardcode")\r
+```"""
+name = "code-reviewer"
diff --git a/.codex/agents/meta-auditor.toml b/.codex/agents/meta-auditor.toml
new file mode 100644
index 0000000..907c1e9
--- /dev/null
+++ b/.codex/agents/meta-auditor.toml
@@ -0,0 +1,236 @@
+description = "God-mode engineering meta-auditor. Scans .codex/ + .agents/ + docs/ + workspace/src/, outputs structured observation reports to docs/retrospectives/. Observes and suggests only — does not modify configuration or docs files except its own reports. Triggered by /meta-audit command, or spawned by main agent after major milestones."
+developer_instructions = """
+# meta-auditor — Engineering Meta-Auditor\r
+\r
+You are a **read-only** (for all files except the report itself) meta-auditor. Goal: assess the health of the entire codebase, find inconsistencies, drift, dead references, and orphaned assets, then output a human-consumable observation report.\r
+\r
+## Core Constraints (Hard — Non-Negotiable)\r
+\r
+| Operation | Allowed |\r
+|-----------|---------|\r
+| Read / Grep / Glob any file | ✅ |\r
+| Write to `docs/retrospectives/<date>-meta-audit.md` | ✅ |\r
+| Write to any other path | ❌ |\r
+| Modify any `.codex/` or `.agents/` file | ❌ |\r
+| Modify any `docs/` file (except retrospectives/) | ❌ |\r
+| Modify any `workspace/` file | ❌ |\r
+| Create git commits or PRs | ❌ |\r
+| Spawn other agents | ❌ |\r
+\r
+Violation = failure; return an error. **Observe and suggest, never act** is this agent's design principle.\r
+\r
+## Input\r
+\r
+The main agent will provide in the prompt:\r
+- **Optional**: `focus` — limit scan dimensions (`focus: traceability`, etc.; see the 6 dimension names below)\r
+- **Optional**: `outputPath` — override the default report path\r
+- **Optional**: `previousReportPath` — the previous report, for trend comparison\r
+\r
+No parameters = scan all 6 dimensions.\r
+\r
+## 6 Scan Dimensions\r
+\r
+### Dimension 1: Static Rule Violations (`rule-violations`)\r
+\r
+Scan `workspace/src/**/*.{ts,tsx}` for the following P0/P1 rules:\r
+\r
+| Check | Rule Source | Tool |\r
+|-------|------------|------|\r
+| Chinese hardcoded (not in comments) | [.claude/rules/no-hardcode.md](../../.claude/rules/no-hardcode.md) | `Grep(pattern="[\\u4e00-\\u9fa5]", path="workspace/src")`, exclude `.test.ts`, filter comment lines |\r
+| Inline styles | coding-style.md | `Grep(pattern="style=\\\\{\\\\{")` |\r
+| `any` types | coding-style.md | `Grep(pattern=": any[^a-zA-Z]")` |\r
+| Direct axios import | tech-stack.md | `Grep(pattern="from ['\\"]axios")` |\r
+| Hand-written API types (should import from @/types/api) | AGENTS.md | `Grep(pattern="interface.*Request\\\\b|interface.*Response\\\\b", glob="workspace/src/features/*/api/*.ts")` |\r
+\r
+Each hit: record file:line + violation type + severity.\r
+\r
+### Dimension 2: Documentation Drift (`doc-drift`)\r
+\r
+Practices declared in spec docs (`.claude/rules/*` + `AGENTS.md`) vs. actual practices in `workspace/src`.\r
+\r
+| Check | Method |\r
+|-------|--------|\r
+| State management: AGENTS.md says useModel first / Zustand as fallback | Count `workspace/src/models/*` vs `workspace/src/**/stores/*`; flag drift if Zustand far exceeds useModel |\r
+| Routing: should use convention-based routing | Check if `workspace/config/routes.ts` exists and is non-empty (explicit config = drift) |\r
+| Requests: should use umi-request | `Grep(pattern="from ['\\"]axios")` hit count |\r
+| Styles: should use CSS Modules or tokens | `Grep(pattern="style=\\\\{\\\\{.*color:")` hit count |\r
+| features/ vs pages/ mixed usage | Check if `workspace/src/pages/**/*.ts(x)` contains business logic (> 100 lines and contains useState) |\r
+\r
+### Dimension 3: Internal Consistency (`internal-consistency`)\r
+\r
+Self-consistency within `.codex/`, `.agents/`, and `docs/`.\r
+\r
+| Check | Method |\r
+|-------|--------|\r
+| Command list consistency | Legacy `.claude/commands/*.md` files vs "all commands" table in WORKFLOW.md |\r
+| Skills list consistency | `.agents/skills/*/SKILL.md` vs WORKFLOW.md / .agents/skills/README.md |\r
+| Agents list consistency | `.codex/agents/*.toml` vs .codex/agents/README.md file manifest |\r
+| Contradicting rules | Grep key terms to compare (e.g., coding-style says A, testing says non-A) — report suspicious pairs only, let humans decide |\r
+| Step numbering consistency | How many steps does WORKFLOW.md currently show? Does AGENTS.md reference the same number? |\r
+\r
+### Dimension 4: Traceability Chain Integrity (`traceability`)\r
+\r
+Whether the "PRD → Task → Source → Test" traceability chain is broken.\r
+\r
+| Check | Method |\r
+|-------|--------|\r
+| Files referenced by `@prd` in source files exist | Grep `@prd docs/prds/...` in `workspace/src/**/*.{ts,tsx}`, verify each with Read |\r
+| Files referenced by `@task` in source files exist and contain the taskId | Same as above |\r
+| `@rules` count ≈ test `it()` count | For each `workspace/src/<p>/<name>.ts(x)` with `@rules`, find `workspace/tests/<p>/<name>.test.(ts|tsx)`, count @rules lines vs `it(` calls |\r
+| OperationIds marked ✅ in PRD exist in `openapi.json` | Read `docs/prds/*.md` and extract, compare with `workspace/api-spec/openapi.json` |\r
+| tasks.json entries with status=done but source file doesn't exist | For each done task's `filePath`, verify existence with Read |\r
+\r
+### Dimension 5: Dead Links (`dead-links`)\r
+\r
+Whether relative path links and code references in all md files are valid.\r
+\r
+| Check | Method |\r
+|-------|--------|\r
+| Files referenced by `[xxx](relative-path)` links in md files exist | Grep all `\\]\\([^\\)]+\\)`, extract paths, verify each |\r
+| scripts/ and references/ referenced by SKILL.md exist | Grep `\\[link\\]\\(scripts/...|references/...\\)` in skills/*/SKILL.md |\r
+| Tool paths referenced in agents/*.toml exist | Grep `.claude/rules/...`, `.agents/skills/...`, `.codex/...` etc. |\r
+| `.claude/rules/*` referenced by AGENTS.md all exist | Compare with rules/ directory |\r
+\r
+### Dimension 6: Orphaned Assets (`orphaned-assets`)\r
+\r
+Files that exist but are not referenced anywhere — possibly forgotten or a design issue.\r
+\r
+| Check | Method |\r
+|-------|--------|\r
+| `.claude/rules/*.md` referenced in AGENTS.md | Grep AGENTS.md for `rules/xxx.md` |\r
+| `.claude/commands/*.md` listed in WORKFLOW.md | Compare |\r
+| `.agents/skills/*/` listed in skills/README.md and WORKFLOW.md | Compare |\r
+| `.codex/agents/*.toml` listed in agents/README.md | Compare |\r
+| `docs/prds/*.md` with a corresponding `docs/tasks/tasks-<module>-*.json` (PRDs not yet through /plan) | Compare |\r
+| `docs/tasks/*.json` with corresponding source code (tasks not yet through /code) | Compare filePath fields |\r
+\r
+## Execution Steps\r
+\r
+1. **Determine scope** — read `focus` / `outputPath` / `previousReportPath` from prompt\r
+2. **Scan by dimension** — run the 6 dimensions in order; buffer findings locally after each\r
+3. **Grade findings** — classify into 🔴 / 🟡 / 🔵 (see below)\r
+4. **Trend comparison** (if `previousReportPath` provided) — Read the previous report; compare which old issues are resolved / still present / newly added\r
+5. **Write report** — Write to `docs/retrospectives/<current date>-meta-audit.md`\r
+6. **Return summary** to main agent\r
+\r
+## Grading Criteria\r
+\r
+| Level | Criteria | Examples |\r
+|-------|----------|---------|\r
+| 🔴 **Must Fix** | Breaks basic consistency / runability | Dead links / broken traceability chain / `@prd` pointing to non-existent file |\r
+| 🟡 **Recommend Fix** | Won't immediately break, but docs/code are drifting | Spec says A, actual does B / rules contradict each other |\r
+| 🔵 **Discuss** | Observation without conclusion; worth human discussion | A command unused for 3 weeks / high rule violation count |\r
+\r
+**Do not** put every finding in 🔴. Most observations should be 🟡/🔵; 🔴 is reserved for truly broken things.\r
+\r
+## Report Format\r
+\r
+Write to `docs/retrospectives/<YYYY-MM-DD>-meta-audit.md`:\r
+\r
+```markdown\r
+# Engineering Meta-Audit Report - 2026-04-17\r
+\r
+> Auto-generated by meta-auditor agent — observations and suggestions only; no files were modified.\r
+> Human review required before deciding which suggestions to adopt. Adopted changes go through normal PR flow.\r
+\r
+## Quick Summary\r
+\r
+- 🔴 Must Fix: X items (⚠️ recommend addressing this week)\r
+- 🟡 Recommend Fix: Y items\r
+- 🔵 Discuss: Z items\r
+- Trend vs last (YYYY-MM-DD): resolved A, added B, ongoing C\r
+\r
+## 🔴 Must Fix (X items)\r
+\r
+### [<type>] <title>\r
+- **Location**: <file:line>\r
+- **Current state**: <one sentence>\r
+- **Rule**: <associated rule file + section>\r
+- **Recommendation**: <specific action>\r
+- **Impact**: <consequence if not fixed>\r
+\r
+(list each item)\r
+\r
+## 🟡 Recommend Fix (Y items)\r
+\r
+(same format)\r
+\r
+## 🔵 Discuss (Z items)\r
+\r
+(same format, but "Recommendation" field becomes "Questions Worth Discussing")\r
+\r
+## ✅ Things Done Well (Positive Feedback)\r
+\r
+(list 3-5 things done correctly; avoid a report that's only negative)\r
+\r
+## Trends\r
+\r
+Compared to last report <YYYY-MM-DD>:\r
+\r
+### Resolved\r
+- <type>: <one sentence> — ✅ no longer present\r
+\r
+### New\r
+- <type>: <one sentence>\r
+\r
+### Ongoing\r
+- <type>: <one sentence> — ⚠️ also reported last time, still unaddressed\r
+\r
+(skip this section on first run)\r
+\r
+## Scan Scope\r
+\r
+- Dimensions: <rule-violations / doc-drift / internal-consistency / traceability / dead-links / orphaned-assets>\r
+- Files scanned: N\r
+- Estimated duration: <estimate>\r
+\r
+## How to Act on Suggestions\r
+\r
+1. Human review of this report\r
+2. For adopted suggestions, solidify through the corresponding flow:\r
+   - Changing rules → edit `.claude/rules/` directly\r
+   - Changing commands → edit `.claude/commands/`\r
+   - Changing code → go through `/fix` or normal development flow\r
+3. Changes go through PR; don't mark "resolved" in this file (this report is a snapshot — immutable)\r
+4. Next `/meta-audit` run will auto-compare; no manual marking needed\r
+```\r
+\r
+## Summary Returned to Main Agent\r
+\r
+After the report is written, return to the main agent in this format:\r
+\r
+```markdown\r
+## meta-auditor Report\r
+\r
+**Report location**: docs/retrospectives/2026-04-17-meta-audit.md\r
+\r
+### Quick Summary\r
+- 🔴 Must Fix: X items\r
+- 🟡 Recommend Fix: Y items\r
+- 🔵 Discuss: Z items\r
+\r
+### 🔴 Top 3 Must Fix\r
+1. [Dead Link] WORKFLOW.md line 710 links to a command or skill path that no longer exists\r
+2. [Traceability] workspace/src/features/login/LoginForm.tsx @prd points to docs/prds/login.md#login-form, that anchor doesn't exist\r
+3. [Dead Link] security-reviewer.md referenced in agents/README.md was never created\r
+\r
+### Full Report\r
+Please open [docs/retrospectives/2026-04-17-meta-audit.md](docs/retrospectives/2026-04-17-meta-audit.md) for all suggestions.\r
+\r
+Recommendation: address 🔴 Must Fix first; 🟡/🔵 can be deferred for discussion.\r
+```\r
+\r
+## Edge Cases\r
+\r
+- **First run** (no previousReportPath): skip the "Trends" section; everything else normal\r
+- **No findings** (very rare): still write the report, show "No issues found in this scan"; positive feedback section still applies\r
+- **Scanning large directory slowly**: don't force-scan all files; prioritize `.codex/`, `.agents/`, and `docs/`; sample `workspace/src/` (max 20 files per subdirectory)\r
+- **Directory doesn't exist**: skip, don't error\r
+\r
+## Why This Design\r
+\r
+1. **Read-only for most files + write only one report** — prevents "self-evolution" from becoming "self-contamination" at the root level\r
+2. **Output reports, not auto-fix** — every change goes through a human brain; avoids endless optimization noise\r
+3. **Trend comparison** — makes "retrospectives" truly closed-loop: were last time's suggestions adopted? If not, why?\r
+4. **Immutable reports** — like an accounting ledger; no retroactive edits; next run generates a new report based on current state"""
+name = "meta-auditor"
diff --git a/.codex/agents/test-writer.toml b/.codex/agents/test-writer.toml
new file mode 100644
index 0000000..523c3cc
--- /dev/null
+++ b/.codex/agents/test-writer.toml
@@ -0,0 +1,135 @@
+description = "Generate Vitest tests for specified source files. Strictly reads business rules from JSDoc @rules — one it() per rule, no expanding or rewriting. Suitable for parallel spawning by /code or /test (generating tests for multiple files/modules simultaneously)."
+developer_instructions = """
+# test-writer — Test Generation Sub-Agent\r
+\r
+You are a dedicated test generation agent. **Do one thing only**: given a source file, output a test file and run it once to verify.\r
+\r
+## Input\r
+\r
+The main agent will provide in the prompt:\r
+- **Required**: `filePath` — absolute path to the source file to test\r
+- **Optional**: `tasksJsonPath` — corresponding tasks.json, for cross-validating businessRules\r
+- **Optional**: `playwrightMode: true` — use Playwright for E2E instead (default: Vitest)\r
+\r
+## Execution Steps\r
+\r
+### 1. Read Source File and Extract Rules\r
+\r
+```\r
+Read(filePath)  → parse JSDoc header\r
+```\r
+\r
+Extract from JSDoc:\r
+- Each rule under `@rules` → test it() checklist\r
+- `@prd` → for traceability (written into test file header JSDoc)\r
+- `@task` → for traceability\r
+- Exported Props interface → prop types for test generation\r
+\r
+### 2. Hard Gate: Reject if No @rules\r
+\r
+If `@rules` is missing or empty:\r
+\r
+```\r
+❌ Cannot generate tests: JSDoc in filePath is missing the @rules field.\r
+\r
+Test assertions must come from @rules verbatim. No rules → assertions become AI guesses about source behavior, which defeats the purpose of testing.\r
+\r
+Please add @rules to the source file header first (format in .claude/rules/file-docs.md), then re-spawn.\r
+```\r
+\r
+Return to main agent immediately — do not generate any files.\r
+\r
+### 3. Choose Test File Location\r
+\r
+All tests go **under `workspace/tests/`, mirroring `workspace/src/` directory structure**. Co-location or `__tests__/` layouts are prohibited.\r
+\r
+| File Type | Test Location (source path `workspace/src/<p>/<name>.xxx`) | Format |\r
+|-----------|-----------------------------------------------------------|--------|\r
+| `.tsx` component | `workspace/tests/<p>/<name>.test.tsx` | Vitest + testing-library |\r
+| `.ts` hook | `workspace/tests/<p>/<name>.test.ts` | Vitest + renderHook |\r
+| `.ts` utils | `workspace/tests/<p>/<name>.test.ts` | Vitest pure unit |\r
+| `.ts` api (request functions) | `workspace/tests/<p>/<name>.test.ts` | Vitest + MSW |\r
+| Playwright mode | `workspace/tests/e2e/<name>.spec.ts` | Playwright |\r
+\r
+Test files must reference business code **using the `@/` alias only** — no relative paths:\r
+\r
+```ts\r
+import SearchForm from '@/features/list/components/SearchForm';\r
+vi.mock('@/features/list/api/listApi', () => ({ ... }));\r
+```\r
+\r
+Rule source: [.claude/rules/testing.md](../../.claude/rules/testing.md) + `docs/DECISIONS.md` 2026-04-20 entry.\r
+\r
+### 4. Generate Test Code\r
+\r
+- Write standard JSDoc header at top (include @prd, @task, @dependencies); `@rules` may be omitted\r
+- `describe()` uses the main exported component/function name from the source file\r
+- Each @rules entry generates one `it()`, name **quotes the rule verbatim + number** (R1/R2/...)\r
+- Assertions prefer `getByRole`; avoid testing internal implementation\r
+- Strictly follow mock strategy from [.claude/rules/testing.md](../../.claude/rules/testing.md)\r
+\r
+### 5. Run Tests to Verify\r
+\r
+```bash\r
+cd workspace && pnpm vitest run <test file path>\r
+```\r
+\r
+**Failure triage** (per the four types in testing.md):\r
+\r
+| Failure Type | Action |\r
+|-------------|--------|\r
+| 1. Test code error (wrong selector, etc.) | Auto-fix |\r
+| 2. Missing environment config / dependency | **Stop and report to main agent**; don't blindly install things |\r
+| 3. Wrong test expectation (AI guessed wrong) | Fix expectation against @rules verbatim |\r
+| 4. Actual source bug | **Do not modify source**; report to main agent for user decision |\r
+\r
+### 6. Return Summary\r
+\r
+Fixed output format for message returned to main agent:\r
+\r
+```markdown\r
+## test-writer Report\r
+\r
+**Source file**: <filePath>\r
+**Test file**: <testPath> (newly created / existing file updated)\r
+**Rule coverage**: N/M @rules covered\r
+\r
+### Test Results\r
+- ✅ Passed: X\r
+- ❌ Failed: Y (see triage below)\r
+\r
+### Failure Triage (if any)\r
+- [R2] Rule verbatim: ...\r
+  Failure type: 3-wrong expectation / 4-source bug\r
+  Action: expectation updated / awaiting user decision\r
+\r
+### TODOs (if any)\r
+- Missing MSW handler for /api/xxx — recommend adding to workspace/tests/mocks/handlers.ts\r
+```\r
+\r
+## Boundaries\r
+\r
+- ❌ Don't read main session history; get all info from prompt + files\r
+- ❌ Don't modify source code (unless main agent explicitly allows)\r
+- ❌ Don't generate test cases beyond what @rules covers (unclear rules → ask product to add the rule)\r
+- ❌ Don't spawn other agents\r
+- ❌ Don't commit to git\r
+- ✅ Responsible for one file only; one file per spawn (multiple files = main agent spawns multiple test-writers in parallel)\r
+\r
+## Parallel Usage Example\r
+\r
+In main agent:\r
+\r
+```\r
+/code completes LoginForm.tsx + useLogin.ts + loginApi.ts\r
+    ↓\r
+Main agent spawns in parallel:\r
+  Agent(subagent_type="test-writer", prompt="file=LoginForm.tsx, tasksJson=...")\r
+  Agent(subagent_type="test-writer", prompt="file=useLogin.ts, tasksJson=...")\r
+  Agent(subagent_type="test-writer", prompt="file=loginApi.ts, tasksJson=...")\r
+    ↓\r
+3 test files generated and verified in parallel\r
+    ↓\r
+Main agent aggregates 3 summaries for the user\r
+```"""
+name = "test-writer"
diff --git a/.codex/hooks.json b/.codex/hooks.json
new file mode 100644
index 0000000..1deebfc
--- /dev/null
+++ b/.codex/hooks.json
@@ -0,0 +1,39 @@
+{
+  "hooks": {
+    "PreToolUse": [
+      {
+        "matcher": "Bash",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "'C:\\Users\\hyperchain\\Desktop\\claude-code-workflow\\.codex\\hooks\\pre-commit-check.sh'",
+            "timeout": 5000
+          }
+        ]
+      }
+    ],
+    "PostToolUse": [
+      {
+        "matcher": "Edit|Write",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "'C:\\Users\\hyperchain\\Desktop\\claude-code-workflow\\.codex\\hooks\\check-hardcode.sh'",
+            "timeout": 5000
+          }
+        ]
+      }
+    ],
+    "ConversationStart": [
+      {
+        "hooks": [
+          {
+            "type": "command",
+            "command": "'C:\\Users\\hyperchain\\Desktop\\claude-code-workflow\\.codex\\hooks\\check-tasks-status.sh'",
+            "timeout": 5000
+          }
+        ]
+      }
+    ]
+  }
+}
diff --git a/.codex/hooks/README.md b/.codex/hooks/README.md
new file mode 100644
index 0000000..3ef4f68
--- /dev/null
+++ b/.codex/hooks/README.md
@@ -0,0 +1,31 @@
+# hooks/ - Codex Automation Hooks
+
+> Configured in `.codex/hooks.json`, executed automatically on supported Codex events. Warn only, never block.
+
+## File Manifest
+
+| File | Trigger | Purpose |
+|------|---------|---------|
+| check-hardcode.sh | After each ts/tsx/js/jsx file edit/create | Scans for hardcoded Chinese strings; warns immediately on P0 rule violations |
+| check-tasks-status.sh | At the start of a session, if supported by the host | Lists in-progress tasks; reminds where the last session left off |
+| pre-commit-check.sh | Before git commit shell commands | Checks whether task status was forgotten to be updated to done |
+
+## Adding A New Hook
+
+1. Create a `.sh` script in this directory and make it executable where applicable.
+2. Add a comment at the top of the script stating trigger event and purpose.
+3. Reference it under the corresponding event in `.codex/hooks.json`.
+4. Update the file manifest in this README.
+
+## Available Environment Variables
+
+| Variable | Available In | Description |
+|----------|--------------|-------------|
+| `$CLAUDE_FILE_PATH` | PostToolUse (Edit/Write) | Path of the file just edited; retained for compatibility with migrated scripts |
+| `$CLAUDE_TOOL_INPUT` | PreToolUse | Input content of the tool about to be executed; retained for compatibility with migrated scripts |
+
+## Design Principles
+
+- Warn only, never block.
+- Stay silent when no issues are found.
+- Keep hooks lightweight and bounded by a short timeout.
diff --git a/.codex/hooks/check-hardcode.sh b/.codex/hooks/check-hardcode.sh
new file mode 100644
index 0000000..77406a5
--- /dev/null
+++ b/.codex/hooks/check-hardcode.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+# P0 hardcode check.
+# Trigger: PostToolUse (Edit|Write). Scans edited ts/tsx/js/jsx files for Chinese copy that should go through i18n.
+
+filepath="$CLAUDE_FILE_PATH"
+
+[ -z "$filepath" ] && exit 0
+echo "$filepath" | grep -qE '\.(tsx?|jsx?)$' || exit 0
+[ -f "$filepath" ] || exit 0
+
+matches=$(grep -nP '[\x{4e00}-\x{9fff}]' "$filepath" 2>/dev/null \
+  | grep -vE '^[0-9]+:\s*(//|/\*|\*|\*/)' \
+  | head -5)
+
+if [ -n "$matches" ]; then
+  echo "P0 hardcode check: Chinese copy found in $filepath. Please move user-facing text to i18n."
+  echo "$matches"
+fi
diff --git a/.codex/hooks/check-tasks-status.sh b/.codex/hooks/check-tasks-status.sh
new file mode 100644
index 0000000..ad57ba6
--- /dev/null
+++ b/.codex/hooks/check-tasks-status.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+# Incomplete task reminder.
+# Trigger: ConversationStart. Scans docs/tasks for in-progress tasks.
+
+PROJECT_ROOT="$(cd "$(dirname "$0")/../.." && pwd)"
+found=0
+
+for f in "$PROJECT_ROOT"/docs/tasks/tasks-*.json; do
+  [ -f "$f" ] || continue
+
+  if grep -q '"status":\s*"in-progress"' "$f" 2>/dev/null; then
+    if [ $found -eq 0 ]; then
+      echo "Incomplete tasks found:"
+      found=1
+    fi
+    tasks=$(grep -B2 '"in-progress"' "$f" \
+      | grep '"taskId"' \
+      | sed 's/.*"taskId":\s*"\(.*\)".*/\1/' \
+      | tr '\n' ' ')
+    basename=$(basename "$f")
+    echo "  $basename: $tasks"
+  fi
+done
diff --git a/.codex/hooks/pre-commit-check.sh b/.codex/hooks/pre-commit-check.sh
new file mode 100644
index 0000000..6481ca4
--- /dev/null
+++ b/.codex/hooks/pre-commit-check.sh
@@ -0,0 +1,25 @@
+#!/bin/bash
+# Pre-commit task status check.
+# Trigger: PreToolUse (Bash). Warns before git commit when tasks are still in-progress.
+
+echo "$CLAUDE_TOOL_INPUT" | grep -q 'git commit' || exit 0
+
+PROJECT_ROOT="$(cd "$(dirname "$0")/../.." && pwd)"
+has_inprogress=0
+
+for f in "$PROJECT_ROOT"/docs/tasks/tasks-*.json; do
+  [ -f "$f" ] || continue
+
+  if grep -q '"status":\s*"in-progress"' "$f" 2>/dev/null; then
+    if [ $has_inprogress -eq 0 ]; then
+      echo "Pre-commit check: the following tasks are still in-progress. Confirm whether they should be marked done:"
+      has_inprogress=1
+    fi
+    tasks=$(grep -B2 '"in-progress"' "$f" \
+      | grep '"taskId"' \
+      | sed 's/.*"taskId":\s*"\(.*\)".*/\1/' \
+      | tr '\n' ' ')
+    basename=$(basename "$f")
+    echo "  $basename: $tasks"
+  fi
+done
diff --git a/AGENTS.md b/AGENTS.md
new file mode 100644
index 0000000..0425c78
--- /dev/null
+++ b/AGENTS.md
@@ -0,0 +1,142 @@
+# Project Configuration - AI Frontend Automation Knowledge Base
+
+> Onboarding for Codex. Detailed rules remain under `.claude/rules/` and are loaded on demand.
+> Codex-facing workflow entrypoints live under `.agents/skills/`; Codex runtime config lives under `.codex/`.
+> The original Claude Code slash-command prompts remain under `.claude/commands/` as legacy source material.
+
+---
+
+## Project Structure
+
+This project has two layers:
+
+| Layer | Directory | Responsibility |
+|-------|-----------|----------------|
+| Root | `.agents/` / `.codex/` / `.claude/` / `docs/` / `AGENTS.md` | AI automation framework: skills, agents, hooks, rules, PRDs, tasks |
+| workspace/ | `workspace/src/` / `workspace/config/` / ... | The actual frontend project (UmiJS) |
+
+Commands like `pnpm dev` / `pnpm gen:api` at the root are expected to proxy into `workspace/`. If `workspace/package.json` is absent, treat the frontend scaffold as not yet installed.
+
+---
+
+## P0 No Hardcoding (Highest Priority)
+
+Every variable value is introduced via config, constants, Design Tokens, or i18n. Never hardcode. Config itself must not duplicate; reuse hierarchically.
+
+Covers: copy/i18n, colors and styles, API endpoints, business enums, sizes and spacing, magic numbers.
+
+Detailed rules and examples: `.claude/rules/no-hardcode.md`
+
+---
+
+## Tech Stack (Summary)
+
+UmiJS 4 + React 18 + TypeScript 5 + Ant Design 5 (`@umijs/max`)
+
+- Routing: Umi convention-based routing.
+- Requests: `@umijs/plugin-request`.
+- State: `useModel` first, Zustand as fallback.
+- Build: Umi + Vite mode.
+- Lint: `@umijs/lint`.
+- Package manager: pnpm.
+- Do not install dependencies that Umi already bundles, such as axios, react-router-dom, or webpack.
+
+Full tech stack and project structure: `.claude/rules/tech-stack.md`
+
+---
+
+## Coding Style (Summary)
+
+- Comments explain why, not what. Delete commented-out code.
+- File-header JSDoc is mandatory for code files.
+- Components use PascalCase; hooks start with `use`; constants use UPPER_SNAKE_CASE; types do not use an `I` prefix.
+- Use function components with exported Props interfaces.
+- Extract logic into hooks; components should primarily render.
+- Requests use umi-request; interceptors live in `app.ts`; do not use axios.
+- State: `useModel` first, Zustand as fallback, and server data never goes in the store.
+- Routing: convention-based first; permissions via `@umijs/plugin-access` and wrappers.
+- Git messages: `type(scope): description`; branch prefixes: `feature/`, `fix/`, `refactor/`.
+
+Full coding style: `.claude/rules/coding-style.md`
+
+---
+
+## File Documentation Convention (Must Follow)
+
+Every time you create or modify a code file, keep these in sync:
+
+1. The `README.md` of its directory (file manifest table).
+2. The JSDoc header of the file (`@description`, `@module`, `@dependencies`, `@prd`, `@task`, `@design`, `@rules`).
+3. The module-level `README.md` of the feature module (business flow and public exports).
+4. The global index `workspace/src/README.md`.
+
+The business anchors (`@prd`, `@task`, `@design`, `@rules`) are the key to the Requirements -> Design -> Code -> Test traceability chain. They let `/test` generate tests from business rules instead of source-code behavior, and let `/review` check consistency against the design spec.
+
+Detailed formats and templates: `.claude/rules/file-docs.md`
+
+---
+
+## Testing (Summary)
+
+- The sole source of test assertions is `@rules` in the file-header JSDoc, not AI guesses.
+- One `it()` per `@rules` entry; the `it` name quotes the rule verbatim.
+- Assertion query priority: `getByRole` > `getByLabelText` > `getByText` > `getByTestId`.
+- Mock policy: HTTP via MSW; do not mock internal modules; do not assert mock call counts.
+- Location: all tests go under `workspace/tests/`, mirroring `workspace/src/` (for example, `workspace/tests/features/login/components/LoginForm.test.tsx`); E2E under `workspace/tests/e2e/`.
+- Test-failure triage order: test code -> environment -> test expectation -> source. Source is the last thing to doubt.
+
+Full testing rules: `.claude/rules/testing.md`
+
+---
+
+## Notes
+
+- Do not use the `any` type; always define explicit types.
+- Do not use inline styles; use CSS Modules or Ant Design component styles.
+- Image assets go under `workspace/public/images/`.
+- Environment variables start with `UMI_APP_`.
+- Every async operation must handle loading and error states.
+- Forms must have validation and error messages using antd Form built-in validation.
+- List pages must handle empty state using antd Empty.
+- Page components live in `workspace/src/pages/`; business logic lives in `workspace/src/features/`; do not mix them.
+- Mock data lives in `workspace/mock/` using Umi's built-in mock feature.
+
+---
+
+## Codex Migration Map
+
+| Capability | Codex-facing location | Legacy/source location |
+|------------|-----------------------|------------------------|
+| Onboarding | `AGENTS.md` | `CLAUDE.md` |
+| Skills | `.agents/skills/` | `.claude/skills/` |
+| Sub-agents | `.codex/agents/*.toml` | `.claude/agents/*.md` |
+| Hooks | `.codex/hooks.json`, `.codex/hooks/` | `.claude/settings.json`, `.claude/hooks/` |
+| Rules | `.claude/rules/` | `.claude/rules/` |
+| Slash-command prompts | `.claude/commands/` | `.claude/commands/` |
+
+---
+
+## Project Workflow Docs
+
+- `docs/WORKFLOW.md`: required operations manual, from one-line requirement to launch.
+- `docs/tasks/`: JSON task manifests generated by `/plan`; one file per feature module.
+- `docs/prds/`: Product Requirements Docs; template at `docs/prds/_template.md`.
+- `workspace/api-spec/`: OpenAPI contract files provided by backend; `pnpm gen:api` generates `workspace/src/types/api.ts`.
+- See `docs/README.md` and `workspace/api-spec/README.md` when those files exist.
+
+---
+
+## API Type Iron Rule
+
+- API types must be imported from `@/types/api`; hand-writing request/response types is forbidden.
+- `workspace/src/types/api.ts` is generated by `pnpm gen:api`; do not edit it by hand.
+- If an OpenAPI field is wrong, ask backend to fix `workspace/api-spec/openapi.json`; do not work around it on the frontend.
+
+---
+
+## Using Task Manifests
+
+- Before coding, read the relevant task manifest: `docs/tasks/tasks-xxx.json`.
+- Execute tasks in `taskId` order and by `dependencies`.
+- When a task is done, update its `status` to `"done"`.
+- Status values: `pending`, `in-progress`, `done`, `blocked`.
diff --git a/README.md b/README.md
index 39e0689..1b31b99 100644
--- a/README.md
+++ b/README.md
@@ -1,250 +1,76 @@
-<div align="center">
+# Codex Workflow
 
-**Language:** [**English**](https://github.com/suntaoTom/claude-code-work/blob/main/README.md) | [简体中文](https://github.com/suntaoTom/claude-code-work/blob/main-zh/README.md)
+An AI-driven R&D workflow framework for turning requirements into traceable PRDs, task manifests, implementation, tests, reviews, builds, deployment notes, and release/change reports.
 
-# Claude Code WorkFlow
+This repository has been migrated toward Codex while keeping the original Claude Code materials as legacy source prompts.
 
-<p><strong>An AI-driven R&D workflow framework</strong></p>
+## Current Codex Entrypoints
 
-<p>
-Breaks the full chain of "Requirements → Breakdown → Implementation → Verification → Review → Delivery → Release" into traceable commands, skills, subagents, and rules.<br />
-AI executes, humans supervise every critical checkpoint · Runs on top of <a href="https://docs.claude.com/en/docs/claude-code">Claude Code</a>
-</p>
+| Area | Location | Purpose |
+|------|----------|---------|
+| Onboarding | [AGENTS.md](AGENTS.md) | Project rules summary for Codex |
+| Skills | [.agents/skills/](.agents/skills/) | Codex-discoverable skill packages |
+| Sub-agents | [.codex/agents/](.codex/agents/) | Codex sub-agent TOML definitions |
+| Hooks | [.codex/hooks.json](.codex/hooks.json), [.codex/hooks/](.codex/hooks/) | Codex hook configuration and scripts |
+| Legacy prompts/rules | [.claude/](.claude/) | Original Claude Code commands and the shared rule files |
+| Workflow docs | [docs/WORKFLOW.md](docs/WORKFLOW.md) | Operations manual |
 
-<p>
-  <a href="LICENSE"><img src="https://img.shields.io/badge/License-MIT-blue.svg" alt="License" /></a>
-  <a href="https://docs.claude.com/en/docs/claude-code"><img src="https://img.shields.io/badge/Powered%20by-Claude%20Code-8A2BE2" alt="Powered by Claude Code" /></a>
-  <img src="https://img.shields.io/badge/status-active-success.svg" alt="Status" />
-  <img src="https://img.shields.io/badge/PRs-welcome-brightgreen.svg" alt="PRs Welcome" />
-  <br />
-  <a href="https://github.com/suntaoTom/claude-code-work/stargazers"><img src="https://img.shields.io/github/stars/suntaoTom/claude-code-work?style=social" alt="Stars" /></a>
-  <a href="https://github.com/suntaoTom/claude-code-work/commits"><img src="https://img.shields.io/github/last-commit/suntaoTom/claude-code-work" alt="Last commit" /></a>
-  <a href="https://github.com/suntaoTom/claude-code-work/issues"><img src="https://img.shields.io/github/issues/suntaoTom/claude-code-work" alt="Issues" /></a>
-  <a href="https://github.com/suntaoTom/claude-code-work/releases"><img src="https://img.shields.io/github/v/release/suntaoTom/claude-code-work?include_prereleases&sort=semver" alt="Release" /></a>
-</p>
-
-<p>
-  <strong><a href="docs/WORKFLOW.md">Operations Manual</a></strong> ·
-  <strong><a href="docs/ADAPTING.md">Cross-Domain Adaptation</a></strong> ·
-  <strong><a href="docs/DECISIONS.md">Architecture Decisions</a></strong> ·
-  <strong><a href=".claude/README.md">Framework Internals</a></strong> ·
-  <strong><a href="#how-to-use">Quick Start</a></strong>
-</p>
-
-</div>
-
----
-
-## Table of Contents
-
-- [What Is This](#what-is-this)
-- [Highlights](#highlights)
-- [Framework Five-Part Architecture](#framework-five-part-architecture)
-- [Eight-Step Workflow Scaffold](#eight-step-workflow-scaffold)
-- [Three Design Principles](#three-design-principles)
-- [Directory Overview](#directory-overview)
-- [How to Use](#how-to-use)
-- [Branch Guide](#branch-guide)
-- [Where to Start](#where-to-start)
-- [License](#license)
-
----
-
-## What Is This
-
-**This repository is the framework core itself — it is domain-agnostic (frontend / backend / data / mobile / DevOps / QA / design / product / writing / research...).** Concrete implementations live under `workspace/` and are swapped out by the user per domain.
-
-The framework uses Gates and Archives to directly address the two classic pain points of AI-collaborative R&D:
-
-| Problem                   | Symptom                                            | How the framework treats it                                                                      |
-| ------------------------- | -------------------------------------------------- | ------------------------------------------------------------------------------------------------ |
-| **AI has no constraints** | Makes things up, edits randomly, works around bugs | Hard Gates (PRD Completeness / `@rules` Traceability Chain / No Hardcoding / Silent Guard Hooks) |
-| **AI has no memory**      | Every session starts from guessing                 | Archive accumulation (ADR / retrospectives / tasks.json) — readable across sessions              |
-
-> The framework is **not tied to a tech stack and not tied to a domain**. Domain specialization lives in `.claude/rules/*.md` and `workspace/`.
-
----
-
-## Highlights
-
-- **Eight-Step SDLC** — `/prd → /plan → /code → /test → /review → /build → /deploy → /release` as a single pipeline, supplemented by `/fix` `/bug-check` `/prd-check` `/plan-check` `/start` `/meta-audit`
-- **Hard Gates** — `prd-check` catches placeholders, `plan-check` catches incomplete tasks; AI cannot silently skip them
-- **Traceability Chain** — PRD anchor → Task ID → artifact `@prd/@rules` → verification `it()`; any link can be scanned downstream when something changes
-- **Five-Part Collaboration** — Commands (decisions) + Skills (scripts) + Subagents (parallel / independent perspective) + Hooks (silent guard) + Rules (long-term constraints), with clear boundaries
-- **Cross-domain portable** — Swap `workspace/` + rewrite the contents of `.claude/rules/` to use for backend / data / mobile / any other domain (see [ADAPTING.md](docs/ADAPTING.md))
-- **Archives carry context** — ADRs record decisions, retrospectives record health, tasks.json records progress; a new session can read the history at a glance
-
----
-
-## Framework Five-Part Architecture
-
-| Part          | Location                               | Trigger                  | Best for                              |
-| ------------- | -------------------------------------- | ------------------------ | ------------------------------------- |
-| **Commands**  | [.claude/commands/](.claude/commands/) | User `/<name>`           | Main workflow (pure thinking)         |
-| **Skills**    | [.claude/skills/](.claude/skills/)     | Explicit or auto         | Running scripts to fetch data         |
-| **Subagents** | [.claude/agents/](.claude/agents/)     | Main command spawn       | Parallel / context isolation          |
-| **Hooks**     | [.claude/hooks/](.claude/hooks/)       | Auto on events           | Silent guard (non-blocking)           |
-| **Rules**     | [.claude/rules/](.claude/rules/)       | AI follows automatically | Long-term stable artifact constraints |
-
-Boundaries and addition conventions — see [.claude/README.md](.claude/README.md).
-
----
-
-## Eight-Step Workflow Scaffold
-
-```text
- /prd       Spoken requirement ──→ Structured PRD (with [TBD])
-    │
-    │  Human review; /prd-check zeroes out placeholders
-    ▼
- /plan      PRD ──→ Task manifest (with prdRef + business rules)
-    │
-    │  /plan-check acceptance
-    ▼
- /code      Task manifest ──→ Artifact (header carries @prd / @task / @rules)
-    ▼
- /test      Artifact @rules ──→ Verification cases (one per rule)
-    ▼
- /review    Independent-perspective audit (can spawn code-reviewer)
-    ▼
- /build     Productization
-    ▼
- /deploy    Deliver to target environment
-    ▼
- /release   Aggregate changelog + cut tag
-```
-
-Each step's **abstract semantics are domain-agnostic**; artifacts are swapped per domain. Full operations manual: [docs/WORKFLOW.md](docs/WORKFLOW.md).
-
----
-
-## Three Design Principles
-
-<table>
-<tr>
-<td width="33%" valign="top">
-
-### Traceable
-
-PRD anchor → Task ID → artifact `@prd/@rules` → verification cases, threaded end to end.
-
-Change any link and the downstream chain can be swept — nothing missed, nothing out of place.
-
-</td>
-<td width="33%" valign="top">
-
-### Human Review at Key Checkpoints
-
-AI handles full execution, but **stops and waits for a human nod** before PRD / breakdown / review / delivery.
-
-AI cannot silently bypass gates. `/prd-check` and `/plan-check` are hard blocks, not reminders.
-
-</td>
-<td width="33%" valign="top">
-
-### Failures Are Visible
-
-No hiding errors, no auto workarounds, no "green" masking real bugs.
-
-When things go red, triage by four categories (tools → environment → expectation → artifact), and **the artifact is the last thing you suspect**.
-
-</td>
-</tr>
-</table>
-
----
-
-## Directory Overview
+## Framework Shape
 
 ```text
-claude-code-work/
-├── README.md                 ← You are here (framework overview)
-├── CLAUDE.md                 ← Project rules (auto-loaded when Claude Code starts)
-├── .claude/                  ← Framework core (domain-agnostic mechanisms)
-│   ├── commands/             ← Eight-step commands + helper commands
-│   ├── skills/               ← Extension skills
-│   ├── agents/               ← Dedicated subagents
-│   ├── hooks/                ← Event hooks
-│   └── rules/                ← Artifact constraints (swap contents per domain, keep structure)
-├── docs/                     ← AI workflow artifacts + historical archives
-│   ├── WORKFLOW.md           ← Eight-step operations manual
-│   ├── ADAPTING.md           ← Cross-domain adaptation checklist (required when forking)
-│   ├── DECISIONS.md          ← Architecture Decision Records (ADR)
-│   ├── prds/                 ← PRDs generated by /prd
-│   ├── tasks/                ← Task manifests generated by /plan (JSON)
-│   ├── bug-reports/          ← Inputs for /fix
-│   └── retrospectives/       ← Read-only snapshots produced by /meta-audit
-└── workspace/                ← Actual project (swap for any domain)
-```
-
-- **Framework core** = `.claude/` + `docs/` + `CLAUDE.md` + `README.md`
-- **Domain specialization** = `workspace/` + the concrete contents of `.claude/rules/*.md`
-
----
-
-## How to Use
-
-### Prerequisites
-
-- [Claude Code CLI](https://docs.claude.com/en/docs/claude-code) installed and signed in
-
-### Three steps to get started
-
-```bash
-# 1. Fork this repo and rename it for your domain
-git clone https://github.com/suntaoTom/claude-code-work.git ai-<domain>-automation
-cd ai-<domain>-automation
-
-# 2. Follow ADAPTING.md to swap in your domain layer
-#    - Replace workspace/ with a project scaffold for your domain
-#    - Rewrite the rule contents in .claude/rules/*.md
-#    - Update the onboarding in CLAUDE.md
-
-# 3. Open Claude Code and run your first requirement
-claude
-> /start                       # Required on first run — AI reads through the project
-> /prd <your requirement description>  # Generate a PRD draft
+claude-code-workflow/
+|-- AGENTS.md
+|-- .agents/
+|   `-- skills/
+|-- .codex/
+|   |-- agents/
+|   |-- hooks/
+|   `-- hooks.json
+|-- .claude/
+|   |-- commands/
+|   |-- rules/
+|   |-- skills/
+|   |-- agents/
+|   `-- hooks/
+|-- docs/
+|   |-- WORKFLOW.md
+|   |-- prds/
+|   |-- tasks/
+|   |-- bug-reports/
+|   `-- retrospectives/
+`-- workspace/
+    `-- scripts/
 ```
 
-The framework core itself **requires no extra installation** — Claude Code CLI is all you need. Dependencies under `workspace/` depend on your domain (frontend `pnpm install`, backend might be `mvn / go mod / pip install`, etc.).
-
----
-
-## Branch Guide
-
-| Branch        | Purpose                                                                     |
-| ------------- | --------------------------------------------------------------------------- |
-| `main`        | Framework core overview (domain-agnostic, you are here)                     |
-| `ai-frontend` | Frontend domain implementation (UmiJS + React + antd + Vitest + Playwright) |
-| `feature`     | Integration branch for development                                          |
-| `Harness`     | Iteration branch for the framework core                                     |
-
-To see a full domain example, check out the corresponding branch (e.g., `git checkout ai-frontend`). `ai-backend` / `ai-data` and other branches will be added over time.
-
----
+## What Is Migrated
 
-## Where to Start
+- `AGENTS.md` is now the Codex onboarding document.
+- Extension skills and `prd-import` have Codex-facing copies under `.agents/skills/`.
+- Four sub-agents have Codex TOML definitions under `.codex/agents/`.
+- Hook scripts and hook registration have Codex-facing copies under `.codex/`.
 
-| I am...                                                      | Open this first                                                                |
-| ------------------------------------------------------------ | ------------------------------------------------------------------------------ |
-| **Picking up the framework for the first time**              | [docs/WORKFLOW.md](docs/WORKFLOW.md) — Eight-Step operations manual            |
-| Wanting to port the framework to a domain                    | [docs/ADAPTING.md](docs/ADAPTING.md) — Cross-domain adaptation checklist       |
-| Modifying framework mechanisms (add command / skill / agent) | [.claude/README.md](.claude/README.md) — Boundaries of the five parts          |
-| Checking how the framework evolved                           | [docs/DECISIONS.md](docs/DECISIONS.md) — Architecture Decision Records (ADR)   |
-| Reviewing past health scans                                  | [docs/retrospectives/](docs/retrospectives/) — `/meta-audit` read-only reports |
-| Enabling GitHub automation                                   | [.github/SETUP.md](.github/SETUP.md)                                           |
+## What Remains Legacy
 
----
+- `.claude/commands/` remains the original slash-command prompt library.
+- `.claude/rules/` remains the shared rule source for coding style, testing, hardcoding, file docs, and tech stack.
+- Some historical docs under `docs/` and `.claude/` intentionally reference Claude Code because they record original decisions.
 
-## Contributing
+## Where To Start
 
-Issues and PRs are welcome. Before submitting:
+| Goal | Open |
+|------|------|
+| Use this project with Codex | [AGENTS.md](AGENTS.md) |
+| Understand the end-to-end workflow | [docs/WORKFLOW.md](docs/WORKFLOW.md) |
+| Inspect Codex runtime configuration | [.codex/README.md](.codex/README.md) |
+| Inspect Codex skills | [.agents/skills/README.md](.agents/skills/README.md) |
+| Understand original framework decisions | [docs/DECISIONS.md](docs/DECISIONS.md) |
 
-1. Run `/meta-audit` to check whether your change introduces health regressions
-2. If you change framework mechanisms, add an ADR entry in [docs/DECISIONS.md](docs/DECISIONS.md) with background
+## Notes
 
----
+- The `workspace/` frontend scaffold is not fully present in this checkout; only `workspace/scripts/prd-import.mjs` exists at the time of migration.
+- Root `pnpm dev`, `pnpm build`, and `pnpm gen:api` expect a populated `workspace/package.json`.
+- The migration preserves legacy `.claude/` files rather than deleting them so future updates can compare Codex-facing files with the original prompts.
 
 ## License
 
-[MIT](LICENSE) © 2026 suntaoTom
+[MIT](LICENSE)
diff --git a/docs/WORKFLOW.md b/docs/WORKFLOW.md
index 776c029..c1926e8 100644
--- a/docs/WORKFLOW.md
+++ b/docs/WORKFLOW.md
@@ -125,9 +125,9 @@ pnpm prd:import requirements/login-requirements.docx
 | `.pdf` | Directly `/prd @<file>.pdf` (Claude Code native support) |
 | Images (`.png` / `.jpg`) | Directly `/prd @<file>.png` (multimodal recognition) |
 | `.doc` / `.xls` / `.ppt` (old formats) | Save as new format (`.docx` etc.) in Word/WPS first, then convert |
-| **Online docs** (Feishu/Notion/Yuque/Tencent Docs/Google Docs) | Export `.md` or `.docx` from the platform, then handle as per the corresponding row above. Notion / Yuque export directly to `.md` is the easiest. See [prd-import/references/formats.md](../.claude/skills/prd-import/references/formats.md#online-docs) |
+| **Online docs** (Feishu/Notion/Yuque/Tencent Docs/Google Docs) | Export `.md` or `.docx` from the platform, then handle as per the corresponding row above. Notion / Yuque export directly to `.md` is the easiest. See [prd-import/references/formats.md](../.agents/skills/prd-import/references/formats.md#online-docs) |
 
-Before using `prd:import` for the first time, install dependencies once: `cd workspace && pnpm install` (automatically installs mammoth + xlsx). See [.claude/skills/prd-import/SKILL.md](../.claude/skills/prd-import/SKILL.md) for details.
+Before using `prd:import` for the first time, install dependencies once: `cd workspace && pnpm install` (automatically installs mammoth + xlsx). See [.agents/skills/prd-import/SKILL.md](../.agents/skills/prd-import/SKILL.md) for the Codex skill entrypoint.
 
 #### When using text / existing md directly
 
@@ -610,32 +610,32 @@ git add workspace/api-spec/openapi.json workspace/src/types/api.ts <affected-fil
 | Release all platforms to production simultaneously | `/deploy all --env production` |
 | Production rollback | `/deploy web --env production --rollback` |
 | First deployment, don't know how to configure | `/deploy` → AI outputs config template |
-| CLAUDE.md changes not taking effect | Ctrl+D to restart claude session |
+| AGENTS.md changes not taking effect | Restart the Codex session |
 | Completely stuck | Exit and restart session, 90% of mysterious issues are solved by restart |
 
 ---
 
 ## 🧰 Extension Skills (ext-* skill packages)
 
-Beyond the main commands of the Eight-Step Method, the project also provides a set of **on-demand** extension skills (distinguished by the `ext-` prefix), organized **as packages** under [`.claude/skills/`](../.claude/skills/), containing SKILL.md + deterministic scripts + reference materials:
+Beyond the main commands of the Eight-Step Method, the project also provides a set of **on-demand** extension skills (distinguished by the `ext-` prefix), organized **as packages** under [`.agents/skills/`](../.agents/skills/), containing SKILL.md + deterministic scripts + reference materials for Codex:
 
 | Skill | Purpose | Typical Scenario |
 |------|------|---------|
-| [ext-perf-audit](../.claude/skills/ext-perf-audit/) | Frontend performance audit (bundle size/rendering/network/memory/first paint) | Page feels sluggish / pre-release optimization |
-| [ext-a11y-check](../.claude/skills/ext-a11y-check/) | Accessibility WCAG 2.1 AA compliance check | Screen reader support / keyboard navigation / compliance requirements |
-| [ext-dep-audit](../.claude/skills/ext-dep-audit/) | Dependency security & health audit (vulnerabilities/outdated/redundant/licenses) | Quarterly dependency audit / security alert response |
-| [ext-changelog](../.claude/skills/ext-changelog/) | Human-readable change impact report (aggregated by module) | Weekly summary / handoff / retrospective (different from `/release`'s versioned changelog) |
+| [ext-perf-audit](../.agents/skills/ext-perf-audit/) | Frontend performance audit (bundle size/rendering/network/memory/first paint) | Page feels sluggish / pre-release optimization |
+| [ext-a11y-check](../.agents/skills/ext-a11y-check/) | Accessibility WCAG 2.1 AA compliance check | Screen reader support / keyboard navigation / compliance requirements |
+| [ext-dep-audit](../.agents/skills/ext-dep-audit/) | Dependency security & health audit (vulnerabilities/outdated/redundant/licenses) | Quarterly dependency audit / security alert response |
+| [ext-changelog](../.agents/skills/ext-changelog/) | Human-readable change impact report (aggregated by module) | Weekly summary / handoff / retrospective (different from `/release`'s versioned changelog) |
 
 **Difference between commands and skill packages**:
 
 | | commands/ single file | skills/ package form |
 |---|---|---|
-| Location | `.claude/commands/*.md` | `.claude/skills/<name>/SKILL.md` (+ scripts/ + references/) |
+| Location | `.claude/commands/*.md` | `.agents/skills/<name>/SKILL.md` (+ scripts/ + references/) |
 | Capability | Pure prompt templates | Can run deterministic scripts (metrics/git/pnpm) + load large reference materials on demand |
 | Trigger | Explicit `/xxx` input | Explicit input or AI auto-invocation based on description |
 | Suitable for | Thinking-type workflows (/prd /plan /code) | Tool-type audits (requires real data) |
 
-**`ext-` naming convention**: Not part of the main Eight-Step flow, use on demand. See [`.claude/skills/README.md`](../.claude/skills/README.md).
+**`ext-` naming convention**: Not part of the main Eight-Step flow, use on demand. See [`.agents/skills/README.md`](../.agents/skills/README.md).
 
 **When to use**:
 - Main commands (`/prd` `/code` `/test` ...) are **required flow** — run per the Eight-Step Method
@@ -649,23 +649,23 @@ The project provides 4 sub-agents, spawned by the main command using the `Agent`
 
 | Agent | Responsibility | Typical Spawn Scenario |
 |------|------|----------------|
-| [test-writer](../.claude/agents/test-writer.md) | Generate tests per `@rules` + run validation | After `/code` completes multiple files / parallel `/test` for multiple modules |
-| [code-reviewer](../.claude/agents/code-reviewer.md) | Read-only review, scan for issues per rules | `/review` splitting large directories / independent second-opinion before PR |
-| [bug-fixer](../.claude/agents/bug-fixer.md) | Fix a single triaged true-bug | `/fix` handling multiple bug reports in parallel |
-| [meta-auditor](../.claude/agents/meta-auditor.md) | God's-eye scan of the entire framework, find inconsistencies/drift/dead links, output read-only observation report | Triggered by `/meta-audit` command |
+| [test-writer](../.codex/agents/test-writer.toml) | Generate tests per `@rules` + run validation | After `/code` completes multiple files / parallel `/test` for multiple modules |
+| [code-reviewer](../.codex/agents/code-reviewer.toml) | Read-only review, scan for issues per rules | `/review` splitting large directories / independent second-opinion before PR |
+| [bug-fixer](../.codex/agents/bug-fixer.toml) | Fix a single triaged true-bug | `/fix` handling multiple bug reports in parallel |
+| [meta-auditor](../.codex/agents/meta-auditor.toml) | God's-eye scan of the entire framework, find inconsistencies/drift/dead links, output read-only observation report | Triggered by `/meta-audit` command |
 
 **When the main agent will spawn**:
 - Tasks can be done in parallel independently (5 bugs fixed in parallel is 5x faster than serial)
 - Afraid of polluting main context (large directory review reads many files)
 - Needs an independent perspective (main agent just wrote the code, let reviewer look independently)
 
-**User perspective**: Usually you don't need to call agents directly — the main command will decide when to spawn. For manual invocation, see [.claude/agents/README.md](../.claude/agents/README.md).
+**User perspective**: Usually you don't need to call agents directly — the main command will decide when to spawn. For manual invocation, see [.codex/agents/README.md](../.codex/agents/README.md).
 
 ---
 
 ## 🪝 Automation Hooks (Silent guardians)
 
-The project has 3 built-in hooks (configured in `.claude/settings.json`) that run automatically in the background — no manual triggering needed:
+The project has 3 built-in hooks for Codex (configured in `.codex/hooks.json`) that run automatically in the background when the host supports the corresponding event — no manual triggering needed:
 
 | Hook | Trigger | What it does | Why it's needed |
 |------|---------|--------|-----------|
@@ -715,8 +715,8 @@ As the project grows, commands/skills/agents/rules reference each other, and rul
 | Dimension | What it scans |
 |------|-------|
 | `rule-violations` | Static rule violations (hardcoded Chinese / inline styles / any types / hand-written API types) |
-| `doc-drift` | Spec docs vs actual code inconsistencies (CLAUDE.md says A but code does B) |
-| `internal-consistency` | Internal consistency in `.claude/` and `docs/` (do command/skill lists match the README?) |
+| `doc-drift` | Spec docs vs actual code inconsistencies (AGENTS.md says A but code does B) |
+| `internal-consistency` | Internal consistency in `.agents/`, `.codex/`, `.claude/`, and `docs/` (do command/skill/agent lists match the README?) |
 | `traceability` | Whether the PRD → task → source → test traceability chain is broken |
 | `dead-links` | Whether md relative links point to non-existent files |
 | `orphaned-assets` | Files that exist but are not referenced by anyone |
@@ -728,7 +728,7 @@ As the project grows, commands/skills/agents/rules reference each other, and rul
 - **Read-only observation, no auto-fix** — agent tool permissions restricted to `[Read, Grep, Glob, Write]`, and Write is only allowed for the report path
 - **Manual trigger, no scheduled runs** — reports no one reads are just noise
 - **Reports are immutable** — next scan auto-compares trends, don't check off "handled" in old reports
-- **Adopting suggestions goes through normal PR flow** — change rules in `.claude/rules/`, change code via `/fix`, open GitHub issues for discussion items
+- **Adopting suggestions goes through normal PR flow** — change rules in `.claude/rules/`, change Codex runtime config in `.codex/`, change skills in `.agents/skills/`, change code via `/fix`, open GitHub issues for discussion items
 
 **Suggested frequency**: After milestones / every 1-2 weeks / after adding new mechanisms. See [retrospectives/README.md](retrospectives/README.md).
 
@@ -818,7 +818,7 @@ One-step shortcut:
 
 | Want to know | Look here |
 |--------|--------|
-| Overall conventions | [../CLAUDE.md](../CLAUDE.md) |
+| Overall conventions | [../AGENTS.md](../AGENTS.md) |
 | How to write a PRD | [prds/_template.md](prds/_template.md) |
 | How to review a PRD | [prds/REVIEW.md](prds/REVIEW.md) |
 | QA AI testing integration | [bug-reports/README.md](bug-reports/README.md) |
@@ -829,11 +829,11 @@ One-step shortcut:
 | No hardcoding rule | [../.claude/rules/no-hardcode.md](../.claude/rules/no-hardcode.md) |
 | Coding style | [../.claude/rules/coding-style.md](../.claude/rules/coding-style.md) |
 | Testing conventions | [../.claude/rules/testing.md](../.claude/rules/testing.md) |
-| Sub-agent conventions | [../.claude/agents/README.md](../.claude/agents/README.md) |
-| .claude master index | [../.claude/README.md](../.claude/README.md) |
+| Codex sub-agent conventions | [../.codex/agents/README.md](../.codex/agents/README.md) |
+| Codex runtime index | [../.codex/README.md](../.codex/README.md) |
 | CI/CD Workflows | [../.github/workflows/](../.github/workflows/) — deploy-web / deploy-ios / deploy-android / deploy-harmony |
 | Tech stack | [../.claude/rules/tech-stack.md](../.claude/rules/tech-stack.md) |
 | Engineering retrospective reports | [retrospectives/README.md](retrospectives/README.md) — read-only observations from `/meta-audit`, immutable snapshots |
 | Architecture Decision Records (ADR) | [DECISIONS.md](DECISIONS.md) — background/rationale/alternatives for major framework decisions |
 | All commands | Main flow [`../.claude/commands/`](../.claude/commands/): `/prd` `/prd-check` `/plan` `/plan-check` `/code` `/test` `/review` `/bug-check` `/fix` `/release` `/build` `/deploy` `/start` `/meta-audit` |
-| Extension skill packages | [`../.claude/skills/`](../.claude/skills/) — `ext-perf-audit` / `ext-a11y-check` / `ext-dep-audit` / `ext-changelog` |
+| Extension skill packages | [`../.agents/skills/`](../.agents/skills/) — `ext-perf-audit` / `ext-a11y-check` / `ext-dep-audit` / `ext-changelog` |
diff --git a/docs/prds/_imports/README.md b/docs/prds/_imports/README.md
index a76e8e6..e93152b 100644
--- a/docs/prds/_imports/README.md
+++ b/docs/prds/_imports/README.md
@@ -4,7 +4,7 @@
 
 ## Purpose
 
-Non-markdown files provided by backend or product teams (`.docx / .xlsx / .pptx`, etc.) are converted to markdown by the [prd-import skill](../../../.claude/skills/prd-import/SKILL.md) and deposited here, serving as input material for the `/prd` command.
+Non-markdown files provided by backend or product teams (`.docx / .xlsx / .pptx`, etc.) are converted to markdown by the [prd-import skill](../../../.agents/skills/prd-import/SKILL.md) and deposited here, serving as input material for the `/prd` command.
 
 ## Flow
 
diff --git a/workspace/scripts/5-13.md b/workspace/scripts/5-13.md
new file mode 100644
index 0000000..fc4115b
--- /dev/null
+++ b/workspace/scripts/5-13.md
@@ -0,0 +1,2 @@
+openclaw,hermes,claude code 做代码开发？
+测试阶段的时候测试的问题？