refactor: formulas use YAML instead of JSON (gt-8tmz)

- Convert .formula.json files to .formula.yaml
- Update molecule-algebra.md to specify YAML format
- Update molecular-chemistry.md proto examples
- Add Safety Constraints section: cycle detection, aspect
  self-matching prevention, max expansion depth, graceful degradation

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

.beads/formulas/rule-of-five.formula.json

@@ -1,32 +0,0 @@
-{
-  "formula": "rule-of-five",
-  "type": "expansion",
-  "description": "Jeffrey Emanuel's discovery: LLM agents produce best work through 4-5 iterative refinements. Breadth-first exploration, then editorial passes.",
-  "version": 1,
-  "template": [
-    {
-      "id": "{target}.draft",
-      "description": "Initial attempt at: {target.description}. Don't aim for perfection. Get the shape right. Breadth over depth."
-    },
-    {
-      "id": "{target}.refine-1",
-      "description": "First refinement pass. Focus: CORRECTNESS. Fix errors, bugs, mistakes. Is the logic sound?",
-      "needs": ["{target}.draft"]
-    },
-    {
-      "id": "{target}.refine-2",
-      "description": "Second refinement pass. Focus: CLARITY. Can someone else understand this? Simplify. Remove jargon.",
-      "needs": ["{target}.refine-1"]
-    },
-    {
-      "id": "{target}.refine-3",
-      "description": "Third refinement pass. Focus: EDGE CASES. What could go wrong? What's missing? Handle the unusual.",
-      "needs": ["{target}.refine-2"]
-    },
-    {
-      "id": "{target}.refine-4",
-      "description": "Final polish. Focus: EXCELLENCE. This is the last pass. Make it shine. Is this something you'd be proud to ship?",
-      "needs": ["{target}.refine-3"]
-    }
-  ]
-}

.beads/formulas/rule-of-five.formula.yaml

@@ -0,0 +1,35 @@
+formula: rule-of-five
+type: expansion
+description: >
+  Jeffrey Emanuel's discovery: LLM agents produce best work through 4-5
+  iterative refinements. Breadth-first exploration, then editorial passes.
+version: 1
+template:
+  - id: "{target}.draft"
+    description: >
+      Initial attempt at: {target.description}. Don't aim for perfection.
+      Get the shape right. Breadth over depth.
+
+  - id: "{target}.refine-1"
+    description: >
+      First refinement pass. Focus: CORRECTNESS. Fix errors, bugs, mistakes.
+      Is the logic sound?
+    needs: ["{target}.draft"]
+
+  - id: "{target}.refine-2"
+    description: >
+      Second refinement pass. Focus: CLARITY. Can someone else understand
+      this? Simplify. Remove jargon.
+    needs: ["{target}.refine-1"]
+
+  - id: "{target}.refine-3"
+    description: >
+      Third refinement pass. Focus: EDGE CASES. What could go wrong?
+      What's missing? Handle the unusual.
+    needs: ["{target}.refine-2"]
+
+  - id: "{target}.refine-4"
+    description: >
+      Final polish. Focus: EXCELLENCE. This is the last pass. Make it shine.
+      Is this something you'd be proud to ship?
+    needs: ["{target}.refine-3"]

.beads/formulas/security-audit.formula.json

@@ -1,35 +0,0 @@
-{
-  "formula": "security-audit",
-  "type": "aspect",
-  "description": "Cross-cutting security concern. Applies security scanning before and after implementation steps.",
-  "version": 1,
-  "pointcuts": [
-    {"glob": "*.implement"},
-    {"glob": "*.submit"}
-  ],
-  "advice": {
-    "around": {
-      "before": [
-        {
-          "id": "security-prescan",
-          "description": "Pre-implementation security check. Review for secrets/credentials in scope. Check dependencies for known vulnerabilities.",
-          "args": {"target": "{step.id}"}
-        }
-      ],
-      "after": [
-        {
-          "id": "security-postscan",
-          "description": "Post-implementation security scan. Scan new code for vulnerabilities (SAST). Check for hardcoded secrets. Review for OWASP Top 10 issues.",
-          "args": {"target": "{step.id}"},
-          "output": {"approved": "boolean", "findings": "list"}
-        },
-        {
-          "gate": {
-            "condition": "security-postscan.output.approved == true",
-            "message": "Security approval required before proceeding"
-          }
-        }
-      ]
-    }
-  }
-}

.beads/formulas/security-audit.formula.yaml

@@ -0,0 +1,31 @@
+formula: security-audit
+type: aspect
+description: >
+  Cross-cutting security concern. Applies security scanning before and
+  after implementation steps.
+version: 1
+pointcuts:
+  - glob: "*.implement"
+  - glob: "*.submit"
+advice:
+  around:
+    before:
+      - id: security-prescan
+        description: >
+          Pre-implementation security check. Review for secrets/credentials
+          in scope. Check dependencies for known vulnerabilities.
+        args:
+          target: "{step.id}"
+    after:
+      - id: security-postscan
+        description: >
+          Post-implementation security scan. Scan new code for vulnerabilities
+          (SAST). Check for hardcoded secrets. Review for OWASP Top 10 issues.
+        args:
+          target: "{step.id}"
+        output:
+          approved: boolean
+          findings: list
+      - gate:
+          condition: "security-postscan.output.approved == true"
+          message: Security approval required before proceeding

.beads/formulas/shiny-enterprise.formula.json

@@ -1,53 +0,0 @@
-{
-  "formula": "shiny-enterprise",
-  "extends": "shiny",
-  "description": "Enterprise-grade engineering workflow. Shiny + Rule of Five + Security + Performance Testing + Review Loop.",
-  "version": 1,
-  "compose": [
-    {
-      "expand": {
-        "target": "implement",
-        "with": "rule-of-five"
-      }
-    },
-    {
-      "aspect": {
-        "pointcut": "implement.*",
-        "with": "security-audit"
-      }
-    },
-    {
-      "gate": {
-        "before": "submit",
-        "condition": "security-postscan.approved == true",
-        "message": "Cannot submit without security approval"
-      }
-    },
-    {
-      "branch": {
-        "from": "implement.refine-4",
-        "steps": [
-          {"id": "perf-test", "description": "Run performance benchmarks"},
-          {"id": "load-test", "description": "Run load/stress tests"},
-          {"id": "chaos-test", "description": "Run chaos engineering tests"}
-        ],
-        "join": "review"
-      }
-    },
-    {
-      "loop": {
-        "step": "review",
-        "until": "review.output.approved == true",
-        "max": 3,
-        "on-max": "escalate"
-      }
-    },
-    {
-      "advice": {
-        "target": "*",
-        "before": {"id": "log-start", "description": "Log: Starting {step.id}"},
-        "after": {"id": "log-end", "description": "Log: Completed {step.id}"}
-      }
-    }
-  ]
-}

.beads/formulas/shiny-enterprise.formula.yaml

@@ -0,0 +1,45 @@
+formula: shiny-enterprise
+extends: shiny
+description: >
+  Enterprise-grade engineering workflow. Shiny + Rule of Five + Security +
+  Performance Testing + Review Loop.
+version: 1
+compose:
+  - expand:
+      target: implement
+      with: rule-of-five
+
+  - aspect:
+      pointcut: "implement.*"
+      with: security-audit
+
+  - gate:
+      before: submit
+      condition: "security-postscan.approved == true"
+      message: Cannot submit without security approval
+
+  - branch:
+      from: implement.refine-4
+      steps:
+        - id: perf-test
+          description: Run performance benchmarks
+        - id: load-test
+          description: Run load/stress tests
+        - id: chaos-test
+          description: Run chaos engineering tests
+      join: review
+
+  - loop:
+      step: review
+      until: "review.output.approved == true"
+      max: 3
+      on-max: escalate
+
+  - advice:
+      target: "*"
+      before:
+        id: log-start
+        description: "Log: Starting {step.id}"
+      after:
+        id: log-end
+        description: "Log: Completed {step.id}"

.beads/formulas/shiny.formula.json

@@ -1,35 +0,0 @@
-{
-  "formula": "shiny",
-  "description": "Engineer in a Box - the canonical right way. Design before you code. Review before you ship. Test before you submit.",
-  "version": 1,
-  "vars": {
-    "feature": "{{feature}}",
-    "assignee": "{{assignee}}"
-  },
-  "steps": [
-    {
-      "id": "design",
-      "description": "Think carefully about architecture before writing code. Consider: How does this fit into the existing system? What are the edge cases? What could go wrong? Is there a simpler approach?"
-    },
-    {
-      "id": "implement",
-      "description": "Write the code for {{feature}}. Follow the design. Keep it simple. Don't gold-plate.",
-      "needs": ["design"]
-    },
-    {
-      "id": "review",
-      "description": "Review the implementation. Check for: Does it match the design? Are there obvious bugs? Is it readable and maintainable? Are there security concerns?",
-      "needs": ["implement"]
-    },
-    {
-      "id": "test",
-      "description": "Write and run tests. Unit tests for new code, integration tests if needed, run the full test suite, fix any regressions.",
-      "needs": ["review"]
-    },
-    {
-      "id": "submit",
-      "description": "Submit for merge. Final check: git status, git diff. Commit with clear message. Push and create PR.",
-      "needs": ["test"]
-    }
-  ]
-}

.beads/formulas/shiny.formula.yaml

@@ -0,0 +1,39 @@
+formula: shiny
+description: >
+  Engineer in a Box - the canonical right way. Design before you code.
+  Review before you ship. Test before you submit.
+version: 1
+vars:
+  feature: "{{feature}}"
+  assignee: "{{assignee}}"
+steps:
+  - id: design
+    description: >
+      Think carefully about architecture before writing code. Consider:
+      How does this fit into the existing system? What are the edge cases?
+      What could go wrong? Is there a simpler approach?
+
+  - id: implement
+    description: >
+      Write the code for {{feature}}. Follow the design. Keep it simple.
+      Don't gold-plate.
+    needs: [design]
+
+  - id: review
+    description: >
+      Review the implementation. Check for: Does it match the design?
+      Are there obvious bugs? Is it readable and maintainable?
+      Are there security concerns?
+    needs: [implement]
+
+  - id: test
+    description: >
+      Write and run tests. Unit tests for new code, integration tests
+      if needed, run the full test suite, fix any regressions.
+    needs: [review]
+
+  - id: submit
+    description: >
+      Submit for merge. Final check: git status, git diff. Commit with
+      clear message. Push and create PR.
+    needs: [test]