{"id":49107514,"url":"https://github.com/adityaarsharma/orbit","last_synced_at":"2026-05-30T07:02:05.280Z","repository":{"id":352571675,"uuid":"1215680038","full_name":"adityaarsharma/orbit","owner":"adityaarsharma","description":"🪐 10-agent WordPress Plugin QA team for Claude Code. 116 runtime-evergreen skills · CTO→PM→Dev→UAT→Security→Release · MCP discovery · Docker wp-env · WP.org zero-rejection · Brain-connected memory.","archived":false,"fork":false,"pushed_at":"2026-05-20T12:05:26.000Z","size":1429,"stargazers_count":1,"open_issues_count":1,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-05-20T16:44:22.645Z","etag":null,"topics":["agentic","ai-agents","automated-testing","claude-code","docker","elementor","gutenberg","lighthouse","mcp","phpcs","playwright","qa","testing","uat","visual-regression","wordpress","wordpress-plugin","wordpress-qa","wp-env","wpcs"],"latest_commit_sha":null,"homepage":"https://github.com/adityaarsharma/orbit","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/adityaarsharma.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-04-20T06:39:27.000Z","updated_at":"2026-05-20T12:05:31.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/adityaarsharma/orbit","commit_stats":null,"previous_names":["adityaarsharma/wordpress-qa-master","adityaarsharma/orbit"],"tags_count":0,"template":false,"template_full_name":null
,"purl":"pkg:github/adityaarsharma/orbit","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/adityaarsharma%2Forbit","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/adityaarsharma%2Forbit/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/adityaarsharma%2Forbit/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/adityaarsharma%2Forbit/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/adityaarsharma","download_url":"https://codeload.github.com/adityaarsharma/orbit/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/adityaarsharma%2Forbit/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33682998,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-05-30T02:00:06.278Z","response_time":92,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["agentic","ai-agents","automated-testing","claude-code","docker","elementor","gutenberg","lighthouse","mcp","phpcs","playwright","qa","testing","uat","visual-regression","wordpress","wordpress-plugin","wordpress-qa","wp-env","wpcs"],"created_at":"2026-04-21T02:18:02.363Z","updated_at":"2026-05-30T07:02:05.274Z","avatar_url":"https://github.com/adityaarsharma.png","language":"Shell","funding_links":[],"categories
":[],"sub_categories":[],"readme":"\u003cdiv align=\"center\"\u003e\n\n# 🪐 Orbit\n\n### **Complete UAT for WordPress Plugins — Now Agentic**\n\n*A Claude Code plugin · **116 runtime-evergreen `/orbit-*` skills** · **10-agent QA team** · CTO → PM → Dev → QA → Security → Release*\n\n**v3.0 — Orbit Agentic.** Orbit is no longer just a skill suite. It's a 10-agent QA team connected to a shared brain (`brain-posimyth`). CTO's brain is the team's constitution — every agent reads it first. Approved patterns get remembered. Cold starts become warm starts.\n\n**The one-command audit:**\n\n```bash\n/orbit-do-it ~/plugins/my-plugin\n```\n\nAuto-detects plugin type. Picks the right pipeline. Runs core audits + UAT + perf + security + compat in parallel. Writes a one-page TL;DR + a master HTML report. Walks away. Comes back to a verdict.\n\n\u003cbr /\u003e\n\n![PHP](https://img.shields.io/badge/PHP-7.4%20→%208.5-777BB4?style=for-the-badge\u0026logo=php\u0026logoColor=white)\n![WordPress](https://img.shields.io/badge/WordPress-6.3%20→%207.0-21759B?style=for-the-badge\u0026logo=wordpress\u0026logoColor=white)\n![Playwright](https://img.shields.io/badge/Playwright-E2E-2EAD33?style=for-the-badge\u0026logo=playwright\u0026logoColor=white)\n![Stagehand](https://img.shields.io/badge/Stagehand-AI%20UAT-7C3AED?style=for-the-badge)\n![Lighthouse](https://img.shields.io/badge/Lighthouse-Performance-F44B21?style=for-the-badge\u0026logo=lighthouse\u0026logoColor=white)\n![Claude Code](https://img.shields.io/badge/Claude%20Code-116%20Skills-CC785C?style=for-the-badge)\n![Agentic](https://img.shields.io/badge/v3.0-Orbit%20Agentic-6366F1?style=for-the-badge)\n\n\u003cbr /\u003e\n\n**👨‍💻 Dev** · zero-regression releases \u0026nbsp;·\u0026nbsp; **🧪 QA** · structured coverage + auto-generated specs \u0026nbsp;·\u0026nbsp; **📊 PM** · flow maps + RICE backlog + release notes \u0026nbsp;·\u0026nbsp; **🎨 Designer** · visual diffs + token audits + dark mode \u0026nbsp;·\u0026nbsp; **🚀 Release Ops** · 
WP.org gates + EU CRA compliance \u0026nbsp;·\u0026nbsp; **👤 End User** · real browser, real flows, AI-resolved tests\n\n📖 **[VISION.md](VISION.md)** \u0026nbsp;·\u0026nbsp; 🚀 **[Skills Reference](SKILLS.md)** \u0026nbsp;·\u0026nbsp; 🌱 **[Runtime-Evergreen Pattern](EVERGREEN.md)** \u0026nbsp;·\u0026nbsp; 🛡️ **[Evergreen Security](docs/21-evergreen-security.md)** \u0026nbsp;·\u0026nbsp; 🤖 **[Orbit Agentic](docs/BLUEPRINT-ORBIT-V3.md)** \u0026nbsp;·\u0026nbsp; 📓 **[Changelog](CHANGELOG.md)**\n\n[Install in 60s](#install-in-60-seconds) · [Orbit Agentic — v3.0](#orbit-agentic--v30) · [The brainless agent](#the-brainless-team-agent) · [The 116 skills](#the-116-orbit-skills) · [Runtime-evergreen, explained](#runtime-evergreen-the-philosophy) · [Role guide](docs/onboarding-by-role.md) · [GitHub](https://github.com/adityaarsharma/orbit)\n\n\u003c/div\u003e\n\n---\n\n## What Orbit Is\n\nA **Claude Code plugin** that gives a WordPress plugin team — dev, QA, PM, designer, release ops — a single command (`/orbit-do-it`) that audits everything that matters before a release: code standards, security, performance, accessibility, UAT, visual regression, hosting compatibility, EU CRA compliance, and 100+ other concerns.\n\nIt's **not a SaaS**. Runs locally via Docker (`wp-env`) + Claude Code. No accounts, no subscriptions, no cloud. The whole stack — 116 skills, all the scripts, the installer, this README — lives in one Git repo.\n\nIt's **runtime-evergreen**. When a skill runs, it fetches the canonical source-of-truth doc (e.g. Elementor's changelog, NVD's CVE feed, Kinsta's banned-plugins page) and applies *today's rules* — not a snapshot from when the skill was written. The same `/orbit-elementor-compat` SKILL.md handles V4 today, V5 next year, V6 the year after. Without anyone editing it.\n\nIt **composes with `WordPress/agent-skills`** — WP core's official AI agent skills (Brandon Payton, January 2026). 
Orbit's installer chains `npx openskills install WordPress/agent-skills`, so users get both: WP core's runtime/Playground primitives + Orbit's QA/UAT/audit suite.\n\n---\n\n## How it works — 3 layers\n\n```\nYOU\n │  \"UAT audit NexterWP v2.5\"          ← natural language in Claude Code\n ▼\nAGENT  (05-uat.md)\n │  Step 1: Brain Prime                 ← 5 searches on brain-posimyth\n │    \"What did the last UAT find?\"\n │    \"Are there known flaky tests?\"\n │    \"What WP standards apply here?\"\n │  Step 2: Spin Docker WP env\n │  Step 3: Playwright E2E\n │  Step 4: Dispatch 07-Security + 06-Perf + 04-Designer in parallel\n │  Step 5: Severity triage → CLEAR or BLOCKED\n │  Step 6: Ingest findings to brain   ← [uat, bug, nexterwp, High, ...]\n ▼\nSKILLS  invoked by the agent automatically\n │  /orbit-playwright      → runs E2E browser tests\n │  /orbit-visual-regression → screenshots, diffs\n │  /orbit-wp-security     → XSS/CSRF/SQLi scan (via 07-Security)\n │  /orbit-lighthouse      → Lighthouse score (via 06-Performance)\n ▼\nMCP + TOOLS  that skills use\n    brain-posimyth          ← read history, write findings\n    wp-env (Docker)         ← clean WP install for testing\n    Playwright + Chrome     ← real browser, real flows\n    gh CLI                  ← open issues, create PRs\n```\n\n**The brain is what makes it a team, not just a tool.** Every finding is ingested. Every approved pattern is remembered. Every redline is surfaced the next time the same task runs. The agents get smarter every sprint — without you changing any files.\n\n---\n\n## Orbit Agentic — v3.0\n\n\u003e \"Skills are easy. Process is harder. Brain is evergrowing — like onboarding a new person who's however smart, but still needs to learn YOUR products.\"\n\n**v3.0 turns Orbit into a 10-agent QA team** where each agent has a defined role, written SOPs, a dedicated brain collection, and the MCP access to act on what they find. 
The more you use it, the smarter the whole team gets.\n\n---\n\n### The 10-Agent Team\n\n| # | Agent | Role in one line |\n|---|---|---|\n| **00** | **CTO** | Strategic advisor. Reads all 10 brains. Sets direction — never executes. Sole writer to the shared brain. |\n| **01** | **PM** | Daily coordinator. RICE scoring, feedback mining, sprint health. Routes every task to the right specialist. |\n| **02** | **Code Reviewer** | Senior + skeptical. PHP, Gutenberg, Elementor, compat. APPROVE / REQUEST CHANGES / NITPICK — with file:line. |\n| **03** | **Senior Dev** | Builds features, fixes UAT bugs. Runs WP standards before done. Never self-merges. |\n| **04** | **Dev Designer** | WCAG 2.2 AA, RTL, dark mode, empty/error states. Writes design specs — 03 implements them. |\n| **05** | **UAT** | Docker WP env, Playwright E2E, visual regression. Orchestrates 06 + 07 + 04 in parallel. Severity gates releases. |\n| **06** | **Performance** | Hook weight, DB queries, bundle analysis, Lighthouse. Sets perf budgets. Enforces regression thresholds. |\n| **07** | **Security** | XSS, SQLi, CSRF, supply chain, CVE, Stripe/EDD/Freemius, GDPR, PCI, premium gating. NEVER tests production. |\n| **08** | **Release** | 7-step gate, WP.org Plugin Check, zip hygiene, release notes (POSIMYTH voice), cross-channel announce. |\n| **09** | **Docs** | README, feature docs, hook reference, in-code comments, changelog language. Ships with release — never after. |\n\n---\n\n### The shared brain — CTO is the head\n\n`orbit/00-cto` is the team's constitution. Every agent reads it **first** — before their own collection. The CTO agent is the only one that writes to it. 
What lives there:\n\n```\nbrain-posimyth\n└── orbit/\n    ├── 00-cto/\n    │   ├── hard-rules/       ← WP coding standards, security patterns, release rules\n    │   ├── decisions/        ← Technology + product direction decisions\n    │   ├── competitor-intel/ ← Competitor moves, market signals\n    │   ├── risks/            ← Unstable APIs, CVE trends, deprecation warnings\n    │   └── approved-patterns/← Patterns promoted from any agent to team-wide\n    │\n    ├── 01-pm/        ← Roadmap, RICE decisions, sprint history\n    ├── 02-code-reviewer/ ← Review patterns, approvals, redlines\n    ├── 03-senior-dev/    ← Build patterns, fix history\n    ├── 04-dev-designer/  ← WCAG findings, RTL patterns, token decisions\n    ├── 05-uat/           ← Bug reports, UAT results, flaky test registry\n    ├── 06-performance/   ← Benchmarks, perf budgets, regression history\n    ├── 07-security/      ← CVE findings, vuln patterns, payment audit history\n    ├── 08-release/       ← Release history, WP.org rejections, announce templates\n    └── 09-docs/          ← Freshness tracking, API doc history, voice patterns\n```\n\n```bash\n# First install — seed 40 knowledge drawers into orbit/00-cto/hard-rules/\nbash brain/seed-brain.sh --key \u003cyour-orbit-admin-key\u003e\n```\n\nDay-one intelligence in the CTO brain: WP escaping rules, block.json required fields, WCAG 2.2 AA checklist, Stripe webhook security, readme.txt rejection patterns, N+1 DB query patterns, and 34 more. No cold starts for any agent.\n\n**Two keys:**\n- **Team key** — read `orbit/00-cto` + own collection. Agents recall past findings, approved patterns, known issues.\n- **Admin key** — full read + write. Ingest findings, promote patterns, announce cross-channel. 
EDD ops: Admin only.\n\n---\n\n### Brain Prime — what every agent does first\n\nBefore touching any code or producing any output, every agent runs 5 brain searches and writes a **Brain Prime block**:\n\n```\nBRAIN PRIME — NexterWP v2.5 (UAT)\n• CTO rules:   Never ship unescaped output. RTL mandatory. Lighthouse target ≥ 85.\n• Bug history: v2.4 block reorder crash (orbit/05-uat/nexterwp). Fixed in v2.4.1.\n• Patterns that worked: Docker WP 6.8 + Gutenberg 18.x env. Playwright --project=chromium first.\n• Patterns to avoid: waitForTimeout() — caused 3 flaky tests in v2.3 audit.\n• Open question:  Is scroll-animation block new in v2.5? (brain silent — will check changelog)\n```\n\nThis block is pinned before any skill invocation. The agent never re-asks for context that's already in brain.\n\n---\n\n### The approval loop\n\nEvery `approve` and `revise` from the operator teaches the brain:\n\n```\nyou: approve              → agent asks \"Save as approved pattern?\" → ingests to own collection\nyou: revise: \u003cwhy\u003e        → agent auto-ingests redline → surfaces this FIRST next time same task runs\nyou: skip                 → ingests as deprioritised — agent won't suggest it again\n```\n\n**CTO promotes team-wide:** When a pattern is strong enough for the whole team (not just one agent), Admin runs:\n```bash\n# Example: promote a new nonce pattern to team-wide hard rule\n# Admin ingests to orbit/00-cto with [cto, hard-rule, ...] 
tag\n# Every agent picks it up on next Brain Prime\n```\n\n---\n\n### How agents collaborate — 5 real scenarios\n\n#### Scenario 1 — New feature, end-to-end\n\nA feature request (\"Add scroll animation block to NexterWP\") flows through the whole team:\n\n```\n01-PM        → RICE score: Impact 8 / Confidence 7 / Effort 5 → score 112 → APPROVED\n               Routes to: 03-SrDev (build) + 04-DevDesigner (spec first)\n\n04-DevDesigner → Brain Prime: loads WCAG rules from orbit/00-cto, past RTL findings from orbit/04\n               → DESIGN SPEC: RTL mirror required. Reduced motion variant required. Touch target ≥ 44px.\n               → Routes spec to: 03-SrDev\n\n03-SrDev      → Brain Prime: loads WP standards from orbit/00-cto, past build patterns from orbit/03\n               → Builds. Runs /orbit-wp-standards before PR.\n               → Handoff brief to: 02-CodeReviewer (via 01-PM)\n\n02-CodeReviewer → Brain Prime: loads PHP hard rules, past TPA redlines from orbit/02\n               → Reviews PHP + block.json + Gutenberg + compat\n               → REQUEST CHANGES: \"save() uses SSR — must declare RenderCallback in block.json\"\n               → 03-SrDev fixes → re-review → APPROVE\n\n05-UAT        → Brain Prime: loads severity rules, v2.4 bug history from orbit/05\n               → Playwright E2E + visual regression. Dispatches 07-Security + 06-Perf + 04-Designer in parallel.\n               → All pass → UAT CLEAR. Routes to: 08-Release\n\n08-Release    → 7-step gate. All pass.\n               → Release notes drafted. Cross-channel announce.\n               → Routes to: 09-Docs (same day publish)\n\n09-Docs       → Freshness audit. Feature documented. API hook reference updated. 
Publish same day as release.\n```\n\n#### Scenario 2 — Critical security found mid-sprint\n\n```\n07-Security   → Scanning NexterWP v2.5 RC\n               → CRITICAL: Settings page — /wp-admin/admin.php?page=nxtwp echoes ?search= without esc_html()\n               → ESCALATING CRITICAL immediately to 01-PM. Stopping scan.\n               → Ingests to orbit/07-security/nexterwp: [security, nexterwp, Critical, xss-settings-page, v2.5-rc]\n\n01-PM         → Receives escalation. Blocks sprint. Routes to 03-SrDev as Priority 0.\n               → Notifies 08-Release: release gate will not run until Critical is resolved.\n\n03-SrDev      → Fixes: esc_html( sanitize_text_field( $_GET['search'] ) )\n               → Routes back to 07-Security for re-scan.\n\n07-Security   → Re-scans. Clean. Confirms fix.\n               → Ingests: [security, nexterwp, fixed, xss-settings-page, v2.5]\n               → Routes to 05-UAT for regression test.\n\n05-UAT → 08-Release → 09-Docs  (normal flow resumes)\n```\n\n#### Scenario 3 — WP.org rejection: the brain learns forever\n\n```\n08-Release    → Submitted NexterWP v2.4.0 to WP.org.\n               → REJECTED: \"Plugin is loading scripts/styles on all admin pages\"\n\n08-Release    → Ingests rejection to orbit/08-release:\n                 [release, nexterwp, wp-org-rejection, scripts-all-admin-pages, v2.4.0]\n               → Routes to 00-CTO: \"This may be a team-wide pattern issue\"\n\n00-CTO        → Checks orbit/02-code-reviewer — same pattern in TPA code too.\n               → Decision: promote to hard rule.\n               → Ingests to orbit/00-cto/hard-rules/:\n                 [cto, hard-rule, no-scripts-all-admin-pages, wp-org-requirement, 2026-05-20]\n\nFrom now on:  Every agent reads this rule on Brain Prime.\n               02-CodeReviewer blocks any PR that loads scripts on all admin pages.\n               08-Release checks for it in the 7-step gate.\n               One rejection — zero repeats, across all 3 plugins, 
forever.\n```\n\n#### Scenario 4 — Performance regression caught before release\n\n```\n06-Performance → Benchmark NexterWP v2.5 vs v2.4 baseline (orbit/06-performance/nexterwp/budget)\n               → REGRESSION: DB queries 11 (was 4). Bundle +38KB. Lighthouse 71 (was 83). All HIGH.\n\n06-Performance → Routes to 01-PM with regression report.\n\n01-PM         → Creates ticket. Routes to 03-SrDev with context from orbit/06.\n\n03-SrDev      → Brain Prime: loads orbit/06 regression context + orbit/03 past performance fixes\n               → Fixes: N+1 in get_posts() loop → single WP_Query with post__in\n               → Fixes: tree-shaking config for scroll-animation bundle\n               → Routes back to 06-Performance\n\n06-Performance → Re-run. DB queries: 3. Bundle: +2KB. Lighthouse: 86. All pass.\n               → Updates orbit/06-performance/nexterwp/budget for v2.5 baseline\n               → Routes to 05-UAT\n```\n\n#### Scenario 5 — Competitor ships a feature → CTO brief → PM decision\n\n```\n00-CTO        → Monthly competitor pulse (via /orbit-pm-competitor-pulse)\n               → Elementor Kit shipped: \"AI Copilot inside block editor\"\n               → Assesses: High opportunity — our users want this too.\n\n00-CTO BRIEF — Elementor Kit AI Copilot\n  Signal:     Kit shipped AI block generation inside editor. WP.org reviews +320 this week.\n  Assessment: Medium threat — users already asking in NexterWP support.\n  Recommendation: Differentiate, not copy. Our angle: AI block config, not AI block generation.\n  Owner:      01-PM runs RICE. 03-SrDev estimates effort.\n  Confidence: Medium\n\n00-CTO        → Ingests to orbit/00-cto:\n                 [cto, competitor, elementorkit, ai-copilot, differentiate-with-config, 2026-05]\n\n01-PM         → RICE: Reach 9 / Impact 7 / Confidence 5 / Effort 7 → score 45 → Q3 roadmap\n               → Routes to backlog. 
Monitors competitor reviews monthly.\n```\n\n---\n\n### Skills → agents — who uses what\n\nEvery agent invokes specific Orbit skills. The routing is declared in `routes/routes.yaml`. Quick reference:\n\n| Agent | Key skills they invoke |\n|---|---|\n| **02 — Code Reviewer** | `/orbit-wp-standards` `/orbit-elementor-compat` `/orbit-gutenberg-dev` `/orbit-compat-matrix` |\n| **03 — Senior Dev** | `/orbit-wp-standards` `/orbit-scaffold-tests` `/orbit-block-json-validate` `/orbit-i18n` |\n| **04 — Dev Designer** | `/orbit-accessibility` `/orbit-designer-rtl` `/orbit-designer-dark-mode` `/orbit-designer-empty-error` |\n| **05 — UAT** | `/orbit-playwright` `/orbit-visual-regression` `/orbit-user-flow` `/orbit-uat-gutenberg` `/orbit-uat-elementor` `/orbit-qa-regression-pack` |\n| **06 — Performance** | `/orbit-lighthouse` `/orbit-db-profile` `/orbit-bundle-analysis` `/orbit-editor-perf` `/orbit-perf-stress-test` |\n| **07 — Security** | `/orbit-wp-security` `/orbit-broken-access-control` `/orbit-sec-secrets-leak` `/orbit-cve-check` `/orbit-pay-stripe` `/orbit-gdpr` |\n| **08 — Release** | `/orbit-release-gate` `/orbit-plugin-check` `/orbit-release-meta` `/orbit-zip-hygiene` `/orbit-changelog-test` `/orbit-version-compare` |\n| **09 — Docs** | `/orbit-release-meta` `/orbit-i18n` `/orbit-pm-release-notes` `/orbit-abilities-api` `/api-documentation` |\n\nFull routing: `routes/routes.yaml`\n\n---\n\n### Always-on agents (Phase 2)\n\nAgent files support two operating modes:\n\n- **Mode A (now)** — Operator-invoked in Claude Code. Open an agent, describe the task, it runs its SOP.\n- **Mode B (Phase 2)** — Autonomous API runner. 9 AM–6 PM IST. Autonomous scheduled dispatch. 
No agent file changes needed.\n\nWhen Phase 2 activates, 5 always-on agents will run on schedule: 00-CTO (competitor pulse weekly), 01-PM (daily sprint routing), 06-Performance (benchmark on every commit), 07-Security (CVE feed daily), 08-Release (release gate on tag push).\n\n→ Full architecture: [docs/BLUEPRINT-ORBIT-V3.md](docs/BLUEPRINT-ORBIT-V3.md)\n\n---\n\n## Install in 60 seconds\n\n```bash\ncurl -fsSL https://raw.githubusercontent.com/adityaarsharma/orbit/main/install.sh | bash\n```\n\nThat installs:\n\n1. Orbit cloned to `~/Claude/orbit`\n2. **10 AI agents** symlinked into `~/.claude/agents/` — available in every Claude Code session\n3. **116 `/orbit-*` skills** symlinked into `~/.claude/skills/` — agents invoke these automatically\n4. **WordPress/agent-skills** via `npx openskills install WordPress/agent-skills` (WP core's official skills)\n5. Power tools: PHPCS + WPCS + VIP + PHPCompatibility, PHPStan, Playwright + Chromium/Firefox/WebKit, Lighthouse, axe-core, WP-CLI, wp-env, wp-now, source-map-explorer, PurgeCSS\n\nAfter install:\n\n```bash\n# 1. Quit Claude Code fully (Cmd+Q) and reopen — agents + skills register\n\n# 2. Seed the starter brain (one-time, requires Admin key):\nbash brain/seed-brain.sh --key \u003corbit-admin-key\u003e\n\n# 3. Talk to an agent:\n\"UAT audit ~/plugins/my-plugin for v2.5\"\n\"Security scan the new AJAX handler in settings.php\"\n\"Run release gate for my-plugin v2.5\"\n\n# Or use skills directly (no brain key needed):\n/orbit-do-it ~/plugins/my-plugin\n```\n\n### What's the difference — agents vs skills?\n\n| | Agents | Skills |\n|---|---|---|\n| **What they are** | SOP-driven specialists. Read brain, follow process, ingest findings. 
| Markdown instructions — Claude runs bash/PHP/Playwright |\n| **How you invoke** | Natural language: \"UAT audit this plugin\" | Slash command: `/orbit-playwright` |\n| **Skills vs agents** | Agents invoke skills automatically | Skills are tools — you or an agent calls them |\n| **Brain access** | Yes — reads history, ingests findings | No — stateless per invocation |\n| **When to use** | When you want the full workflow done right | When you want one specific check |\n\n**Use agents for releases.** Use skills for quick one-off checks during development.\n\n### Update later\n\n```bash\n/orbit-update          # refreshes both agents + skills, ~20 seconds\n```\n\n### From a clone (offline-capable)\n\n```bash\ngit clone https://github.com/adityaarsharma/orbit ~/Claude/orbit\ncd ~/Claude/orbit\nbash install.sh\n```\n\n---\n\n## The brainless team agent\n\nThe whole vision distilled into one command:\n\n```bash\n/orbit-do-it ~/plugins/my-plugin\n```\n\nWhat happens:\n\n1. **Auto-detects** plugin type — Elementor addon, Gutenberg block plugin, WooCommerce extension, form plugin, membership/LMS, theme, or generic\n2. **Picks the right pipeline** — core 6 audits + type-specific add-ons + UAT + live security feeds + perf + a11y + i18n\n3. **Runs in parallel** with CPU throttle (auto-detects M1 / M2 / workstation)\n4. **For UAT** — uses `/orbit-uat-agent` (Stagehand-style natural-language tests; no selectors to write)\n5. **Generates** the master HTML report + a one-page TL;DR\n6. **Verdict** — **SHIP**, **WARN**, or **BLOCK** with the top 3 things to fix\n\nTotal: **~10–15 minutes**, zero questions after the path. 
Designed for non-technical team members + dev leads who want the audit done, not configured.\n\n```\n$ /orbit-do-it ~/plugins/my-new-plugin\n\n🪐 Detected: Elementor addon (PHP 8.1+, 14 widgets)\n   Pipeline: 6 core audits + Elementor (dev/controls/compat/skins/V4)\n             + UAT (natural-language) + live CVE feeds + Lighthouse\n   ETA: 12 min.\n\n[12 min later]\n\n✅ Verdict: BLOCK release — 2 Critical findings.\n\n   Top 3 to fix:\n   1. Settings page — XSS in ?search= (active probe found it)\n   2. widget-3 — render() echoes attribute without esc_html\n   3. widget-7 — insert time 1.4s (target \u003c 300ms)\n\n   Full report: ~/plugins/my-new-plugin/reports/index.html\n```\n\nWant even less friction? **`/orbit-uat-agent`** alone — describe flows in English (\"log in → open Settings → fill API Key → save → verify saved\"), the agent generates Playwright + AI-resolved selectors, runs them, self-heals on UI changes. ~$0.01–0.05 per test. Designed so a designer or PM can run UAT without writing a selector.\n\n---\n\n## Runtime-evergreen, the philosophy\n\nSoftware-quality tooling shouldn't freeze in the year it was written. WordPress, Elementor, Stripe, the CVE landscape — all evolve continuously. A skill that hardcodes \"use apiVersion 3\" is a time bomb.\n\nOrbit's pattern, top of every SKILL.md:\n\n```markdown\n## Runtime — fetch live before auditing (DO THIS FIRST)\n\nWhen this skill is invoked:\n\n1. Fetch in parallel (these are source-of-truth):\n   - https://elementor.com/pro/changelog/\n   - https://developers.elementor.com/docs/deprecations/\n   - https://github.com/elementor/elementor/releases\n\n2. Synthesize current state:\n   - \"What's the current major Elementor version as of today?\"\n   - \"What APIs were deprecated in the last 2 minor releases?\"\n\n3. Audit against synthesized current rules — NOT against embedded text below.\n\n4. 
Cite, in every finding: source URL + fetch timestamp.\n   Example: `Per elementor.com/pro/changelog (fetched 2026-04-30 14:32 UTC):\n            foo() deprecated in 3.22.`\n```\n\nThat section is **executable instructions for Claude**, not documentation. When the skill runs, Claude reads it → fetches → uses live data.\n\n| | Old pattern (snapshot) | Runtime-evergreen (v2.7) |\n|---|---|---|\n| `/orbit-elementor-compat` | \"Test 3.18 / 3.20 / 3.22 / latest\" hardcoded | Fetches changelog → tests latest 3 minors of TODAY |\n| `/orbit-host-kinsta` | \"Banned plugins as of April 2026\" | Fetches Kinsta's banned-plugins page on every run |\n| `/orbit-cve-check` | Pulls NVD weekly via cron | Pulls NVD + Patchstack + WPScan + GitHub Advisory + MITRE per invocation |\n| `/orbit-pay-stripe` | \"Use PaymentIntents API\" (today's recommendation) | Fetches Stripe API ref → uses today's recommendation |\n\nWebFetch caches for 15 minutes, so back-to-back runs in `/orbit-do-it` don't fire 100 fetches — unique URLs are de-duped + reused. Total overhead: ~10–30 sec on cold cache, sub-second after.\n\nIf WebFetch fails (no network), every skill has `## Embedded fallback rules` for offline mode + a clear `⚠ Live source fetch failed — using fallback. Findings may be stale.` notice.\n\nFull pattern: [EVERGREEN.md](EVERGREEN.md). 
Drift-checks across the suite: `/orbit-skill-improver --check` (action-mode meta-skill that fetches all skills' sources, diffs rules, opens PRs).\n\n---\n\n## The 116 Orbit skills\n\n| Category | Count | Sample |\n|---|---|---|\n| **Master + Brainless** | 4 | `/orbit` `/orbit-do-it` `/orbit-skill-add` `/orbit-skill-improver` |\n| **Setup \u0026 Environment** | 6 | `/orbit-setup` `/orbit-update` `/orbit-install` `/orbit-docker-site` `/orbit-wp-playground` `/orbit-pre-commit` |\n| **Pipeline** | 3 | `/orbit-gauntlet` `/orbit-release-gate` `/orbit-multi-plugin` |\n| **Code Audits** | 14 | `/orbit-wp-{standards,security,performance,database}` `/orbit-{accessibility,i18n,code-quality,pm-ux-audit,compat-matrix,cve-check,abilities-api,rtc-compat,broken-access-control,scaffold-tests}` |\n| **Gutenberg / Block Editor Dev** | 8 | `/orbit-gutenberg-dev` `/orbit-block-{render-test,edit-test,patterns,bindings,variations}` `/orbit-fse-test` `/orbit-interactivity-api` |\n| **Elementor Dev** | 6 | `/orbit-elementor-{dev,controls,compat,pro,skins,dynamic-tags}` |\n| **UAT Templates + Agent** | 6 | `/orbit-uat-agent` (natural-language) + `/orbit-uat-{elementor,gutenberg,woo,forms,membership}` |\n| **QA Specialised** | 5 | `/orbit-qa-{flaky-detector,mutation,coverage,snapshot-cleanup,regression-pack}` |\n| **PM Specialised** | 5 | `/orbit-pm-{rice,release-notes,feedback-mining,roadmap,competitor-pulse}` |\n| **Designer Specialised** | 5 | `/orbit-designer-{tokens,empty-error,icons,rtl,dark-mode}` |\n| **Browser Testing** | 4 | `/orbit-playwright` `/orbit-visual-regression` `/orbit-user-flow` `/orbit-conflict-matrix` |\n| **Performance** | 7 | `/orbit-{lighthouse,editor-perf,db-profile,bundle-analysis}` `/orbit-perf-{stress-test,memory-leak,cdn}` |\n| **Comparison** | 4 | `/orbit-{uat,version,competitor}-compare` `/orbit-changelog-test` |\n| **Release** | 5 | `/orbit-{release-meta,zip-hygiene,plugin-check,block-json-validate,reports}` |\n| **WP Edge Cases** | 7 | 
`/orbit-{multisite,uninstall-test,gdpr,cron-audit,cache-compat,rest-fuzzer,ajax-fuzzer}` |\n| **Lifecycle** | 3 | `/orbit-life-{activation,upgrade,rollback}` |\n| **Hosting Compat** | 5 | `/orbit-host-{wpengine,kinsta,cloudways,shared,pantheon}` |\n| **Plugin Compat** | 5 | `/orbit-compat-{yoast,rankmath,wpml,polylang,acf}` |\n| **Payment Integration** | 4 | `/orbit-pay-{stripe,paypal,edd,freemius}` |\n| **Security Specialised** | 3 | `/orbit-sec-{xss-active,supply-chain,secrets-leak}` |\n| **EU CRA + Premium** | 2 | `/orbit-vdp` (EU mandate) `/orbit-premium-audit` (Patchstack: 76% Pro vulns exploitable) |\n| **SEO** | 3 | `/orbit-seo-{schema,sitemap,page-speed}` |\n\n**Full skill reference** with trigger phrases + descriptions: [SKILLS.md](SKILLS.md).\n\n---\n\n## Composition with `WordPress/agent-skills`\n\nWP core ships its own AI agent skills via [WordPress/agent-skills](https://github.com/WordPress/agent-skills) ([announcement, January 2026](https://wordpress.org/news/2026/01/new-ai-agent-skill/)). The flagship skill is `wp-playground` — spins up WordPress in seconds via Playground CLI, gives AI agents a fast feedback loop for code iteration.\n\n**Orbit wraps; it doesn't reinvent.** `install.sh` runs `npx openskills install WordPress/agent-skills` automatically. `/orbit-wp-playground` is a thin doc-only skill that points at WP core's runtime primitives.\n\n| Concern | Owned by |\n|---|---|\n| Spin up WordPress for testing | **WP core** (`wp-playground`) |\n| Plugin code-quality audit | Orbit (`/orbit-wp-standards` etc.) 
|\n| Natural-language UAT | Orbit (`/orbit-uat-agent`) |\n| Live security feeds | Orbit (`/orbit-cve-check`) |\n| Multi-version matrix | Orbit (`/orbit-compat-matrix`) |\n| WP 7.0 Abilities API | **WP core** runtime + Orbit audit (`/orbit-abilities-api`) |\n\nWhen WP core ships more agent skills, Orbit picks them up via the same `npx openskills install` chain — no Orbit code change needed.\n\n---\n\n## Vision\n\n### Why this exists\n\nMost WordPress plugin issues that reach users fall into five categories:\n\n1. **Code that was never wrong, just untested** — a widget that renders fine on the dev's machine breaks on PHP 8.2 or with WPML active or on Kinsta's edge cache\n2. **Performance regressions nobody noticed** — a new feature adds 40 extra DB queries per page load, or 80KB to the bundle\n3. **Design debt** — settings UI that confuses users because it was built dev-first, not user-first\n4. **Flow blindness** — nobody mapped whether a first-time user can actually complete setup without a tutorial\n5. **No comparison baseline** — \"our Mega Menu is better than ElementKit\" stated without any data\n\nUAT (User Acceptance Testing) is the practice of validating a product from every perspective before it ships — not just \"does the code run\" but \"will a real user get stuck, is the UI regressed, does the PM have evidence it's better than competitors.\" **Orbit automates that entire layer for WordPress plugins.**\n\n### What top teams do that most don't\n\n- Automattic / WordPress VIP run every commit through PHP linting + VIP coding standards before merge\n- 10up uses AI-powered visual regression — catches when something *looks* different without being *technically* broken\n- WordPress.org plugin team added 15+ automated security checks in 2025 alone\n- Leading Elementor addon teams run Playwright E2E suites across 3 WP versions before release\n\nOrbit brings that same discipline to any plugin team, with a single command.\n\n### The three rules\n\n1. 
**Local-first, not CI-first.** Real MySQL, real PHP, real browsers — already on your Mac. CI is optional plumbing.\n2. **Skills are senior reviewers, scripts are junior QA.** Claude Code skills read the code the way an experienced senior developer would. Scripts handle deterministic checks.\n3. **Skills must be runtime-evergreen.** No quarterly maintenance. Every skill fetches its canonical source on every run.\n\n### What's coming next\n\n- **WP 7.0 readiness** (ships May 20, 2026) — already covered by `/orbit-abilities-api` + `/orbit-rtc-compat` + the runtime-fetch pattern\n- **EU Cyber Resilience Act compliance** — `/orbit-vdp` is mandatory; `/orbit-premium-audit` covers the 76% premium-exploitability gap\n- **Elementor V4 Atomic** (default for new sites April 2026) — `/orbit-elementor-compat` auto-handles via runtime-fetch\n- **Cloud-hosted runs** (orbit.run, future) — gauntlet on a PR via GitHub Action, no local Docker\n- **Community contributions** — `/orbit-skill-add` is a meta-skill that scaffolds new skills in the Orbit pattern. Anyone can add a skill via PR; the community catalogue grows.\n\n---\n\n## Severity model\n\nEvery Orbit skill applies this triage:\n\n| Level | Action before release |\n|---|---|\n| **Critical** | Block release. Fix immediately. |\n| **High** | Block release. Fix in this PR. |\n| **Medium** | Fix if under 30 min. Otherwise log + defer. |\n| **Low / Info** | Log in tech debt. Defer. 
|\n\n`/orbit-do-it` reads these consistently and produces a single SHIP / WARN / BLOCK verdict at the top of every report.\n\n---\n\n## Reports\n\nEvery audit run drops everything into `reports/`:\n\n```\nreports/\n├── qa-report-\u003ctimestamp\u003e.md           ← markdown summary\n├── tldr-\u003ctimestamp\u003e.md                ← one-page verdict\n├── index.html                         ← master HTML (PM-friendly)\n├── playwright-html/index.html         ← visual test report\n├── skill-audits/index.html            ← tabbed AI audit\n├── uat-report-\u003ctimestamp\u003e.html        ← UAT comparison + videos\n├── pm-ux/pm-ux-report-*.html          ← PM-friendly UX report\n└── lighthouse/lh-\u003ctimestamp\u003e.json     ← Core Web Vitals\n```\n\nOpen the master index:\n\n```bash\nopen ~/plugins/my-plugin/reports/index.html\n```\n\nDesigned to be shared with PMs / managers / customers without terminal access.\n\n---\n\n## Standards this follows\n\n- [WordPress Coding Standards](https://github.com/WordPress/WordPress-Coding-Standards) — WPCS phpcs ruleset\n- [WordPress VIP Coding Standards](https://github.com/Automattic/VIP-Coding-Standards) — enterprise-grade rules\n- [10up Open Source Best Practices](https://10up.github.io/Open-Source-Best-Practices/testing/) — coverage targets, E2E approach\n- [WordPress Plugin Check](https://github.com/WordPress/plugin-check) — the official WP.org submission tool\n- [WordPress Playground Guide](https://wordpress.github.io/wordpress-playground/) — CI browser testing\n- [OWASP Top 10](https://owasp.org/www-project-top-ten/) — security baseline\n- [WCAG 2.2 AA](https://www.w3.org/WAI/WCAG22/quickref/) — accessibility\n- [Patchstack 2026 Security Whitepaper](https://patchstack.com/whitepaper/state-of-wordpress-security-in-2026/) — current threat model\n\n---\n\n## Contributing\n\nOpen to:\n\n- **New skills** — fork, run `/orbit-skill-add`, follow the runtime-evergreen pattern, open a PR\n- **Skill improvements** — every skill has 
`Sources \u0026 Evergreen References`. If a source moved or a rule needs updating, `/orbit-skill-improver --pr` opens a draft for review\n- **Edge-case reports** — file a GitHub issue with `[skill]` or `[bug]` tag and a minimal repro\n\nKeep contributions research-first. Every check should link to the standard or incident that motivated it.\n\n---\n\n## Built by\n\n[Aditya Sharma](https://adityaarsharma.com) · POSIMYTH Innovation\ngithub.com/adityaarsharma/orbit\n\n**The discipline:** Software-quality tooling shouldn't freeze in the year it was written. It should know what *today* looks like by re-reading the canonical sources every time it runs. That's runtime-evergreen. That's Orbit.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fadityaarsharma%2Forbit","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fadityaarsharma%2Forbit","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fadityaarsharma%2Forbit/lists"}