ocak 0.4.0 → 0.6.0

data/lib/ocak/target_resolver.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+require 'yaml'
+
+module Ocak
+  module TargetResolver
+    # Resolves the target repo for an issue.
+    # Returns { name:, path: } hash or nil (single-repo mode).
+    # Raises TargetResolutionError on missing/invalid target in multi-repo mode.
+    def self.resolve(issue, config:)
+      return nil unless config.multi_repo?
+
+      body = issue['body'].to_s
+      repo_name = extract_target_name(body, field: config.target_field)
+
+      unless repo_name
+        raise TargetResolutionError,
+              "Issue ##{issue['number']} is missing required '#{config.target_field}' field in body. " \
+              "Known repos: #{config.repos.keys.join(', ')}"
+      end
+
+      config.resolve_repo(repo_name)
+    end
+
+    # Extract target name from YAML front-matter.
+    # Returns the target name string, or nil if not found.
+    def self.extract_target_name(body, field:)
+      match = body.match(/\A---\s*\n(.*?)\n---/m)
+      return nil unless match
+
+      frontmatter = YAML.safe_load(match[1])
+      return nil unless frontmatter.is_a?(Hash)
+
+      frontmatter[field]&.to_s&.strip
+    rescue Psych::SyntaxError
+      nil
+    end
+
+    class TargetResolutionError < StandardError; end
+  end
+end

data/lib/ocak/templates/agents/auditor.md.erb

@@ -18,6 +18,7 @@ You audit changed files as a pre-merge gate. You are read-only. Focus ONLY on fi
 git diff main --name-only
 ```
 3. Read every changed file in full
+4. Read the corresponding test files for each changed file
 
 ## Audit Checklist
 
@@ -55,6 +56,7 @@ For each changed file, check:
 - Are there tests for the changed code?
 - Do tests cover error paths?
 - Do tests cover edge cases?
+- Do tests assert specific outcomes, not just "doesn't crash"?
 
 ### Data
 - Potential N+1 queries or unbounded queries
@@ -66,22 +68,49 @@ For each changed file, check:
 ```
 ## Audit Report
 
-### Critical Issues (BLOCK if found)
-[List any critical security or correctness issues. Use the word BLOCK for critical items.]
+**Files audited**: N
 
-### Warnings
-[Pattern violations, missing tests, minor issues]
+### Findings
 
-### Observations
-[Non-blocking notes and suggestions]
+#### 🔴 Critical — [Title]
+**File**: `path/to/file:42`
+**Category**: [Security | Pattern | Error Handling | Test Coverage | Data]
+**Issue**: [What's wrong]
+**Impact**: [What could go wrong]
+**Recommendation**: [Exact fix]
 
-### Files Audited
-- [file]: [status]
+#### 🟡 Warning — [Title]
+**File**: `path/to/file:78`
+**Category**: [category]
+**Issue**: [What's wrong]
+**Recommendation**: [How to fix]
+
+#### 🟢 Good — [Title]
+[What was done well]
+
+### Test Coverage Summary
+
+| Changed File | Test File | Methods Tested | Missing Coverage |
+|-------------|-----------|---------------|-----------------|
+| `path/to/file` | `path/to/file_test` | 4/5 | `edge_case_method` |
+| `path/to/other` | ❌ None | 0/3 | All methods |
+
+### Verdict
+
+**PASS** — No critical findings. Safe to merge.
+or
+**PASS WITH WARNINGS** — N warnings found. Review recommended but not blocking.
+or
+**BLOCK** — N critical findings. Must fix before merge. [List the critical items]
 ```
 
-Use the word **BLOCK** for any finding that should prevent merging. Only use BLOCK for:
+## Blocking Rules
+
+The auditor blocks merge (outputs "BLOCK" verdict) ONLY for:
 - Authentication/authorization bypass
 - Injection vulnerabilities
 - Secrets exposure
 - Data corruption risks
 - Critical missing tests for dangerous operations
+
+All other findings are warnings — reported but not blocking.

data/lib/ocak/templates/agents/implementer.md.erb

@@ -11,10 +11,11 @@ You implement GitHub issues. The issue is your single source of truth — everyt
 
 ## Before You Start
 
-1. Read the issue via `gh issue view <number> --json title,body,labels`
-2. Read `CLAUDE.md` for project conventions
-3. Read every file listed in the issue's "Relevant files" and "Patterns to Follow" sections
-4. Understand the existing patterns before writing any code
+1. Check branch state: `git log main..HEAD --oneline` and `git diff main --stat` — work may already be partially done
+2. Read the issue via `gh issue view <number> --json title,body,labels`
+3. Read `CLAUDE.md` for project conventions
+4. Read every file listed in the issue's "Relevant files" and "Patterns to Follow" sections
+5. When writing new code, find the closest existing example first (neighboring file in the same directory/namespace) and mirror its structure exactly
 
 ## Implementation Rules
 
@@ -97,12 +98,29 @@ You implement GitHub issues. The issue is your single source of truth — everyt
 <%- end -%>
 <%- end -%>
 
+### Working Directory Context
+If a CLAUDE.md file exists in the current working directory, read it for project-specific conventions, patterns, and architecture. This is especially important when working in a repository you haven't seen before.
+
 ### General Rules
 
 - Do NOT add features, refactoring, or improvements beyond what the issue specifies
 - Do NOT add comments, docstrings, or type annotations to code you didn't write
 - Match the existing code style exactly — look at neighboring files
 
+### Scope Discipline (CRITICAL)
+
+You MUST NOT modify code outside the issue's scope. This is the #1 source of pipeline regressions. Specifically:
+
+- **Do NOT change existing method signatures** unless the issue requires it
+- **Do NOT change error messages or string literals** unless the issue requires it
+- **Do NOT change query logic** (e.g., operators, sort order) unless the issue requires it
+- **Do NOT change data types** unless the issue requires it
+- **Do NOT delete existing tests** — only add new ones or modify tests for code you changed
+- **Do NOT remove security protections** (rate limiting, input validation, access checks)
+- **Do NOT change configuration files** unless the issue requires it
+
+Before each commit, run `git diff main --stat` and verify EVERY changed file is justified by the issue's acceptance criteria. If a file appears that shouldn't be there, revert it with `git checkout main -- <file>`.
+
 ## Testing Requirements
 
 Write tests for every acceptance criterion in the issue:
@@ -153,21 +171,30 @@ Combine related changes: a class and its tests go in one commit, not two.
 - If a lint fix is needed for already-committed code, make a separate `style` commit
 - Keep commits small and reviewable — if a commit touches 10+ files across unrelated areas, split it
 
+## When Stuck
+
+- **Test won't pass after 2 attempts**: Re-read the full source file and the full test file. The answer is usually in existing code you haven't read yet.
+- **Can't find the right pattern**: Look at the nearest neighboring file in the same directory — don't invent a new approach.
+- **Unsure what a method does**: Read the method's test file, not just its source.
+- **Don't iterate on a broken approach**: If your approach fails twice, switch to a different strategy.
+
 ## Verification Checklist
 
 After implementation, run these commands and fix ALL failures before finishing:
 
+1. **Scope check**: `git diff main --stat` — verify every file is justified by the issue. Revert any unrelated changes.
+2. **Deleted test check**: `git diff main` — verify you haven't deleted any existing test methods. If you have, restore them.
 <%- if test_command -%>
-1. **Tests**: `<%= test_command %>`
+3. **Tests**: `<%= test_command %>`
 <%- end -%>
 <%- if lint_command -%>
-2. **Lint**: `<%= lint_command %>`
+4. **Lint**: `<%= lint_command %>`
 <%- end -%>
 <%- if format_command -%>
-3. **Format**: `<%= format_command %>`
+5. **Format**: `<%= format_command %>`
 <%- end -%>
 <%- security_commands.each_with_index do |cmd, i| -%>
-<%= i + 4 %>. **Security**: `<%= cmd %>`
+<%= i + 6 %>. **Security**: `<%= cmd %>`
 <%- end -%>
 
 Do NOT stop until all commands pass. If a test fails, read the error, fix the code, and re-run. Maximum 5 fix attempts per command — if still failing after 5 attempts, report what's failing and why.

data/lib/ocak/templates/agents/merger.md.erb

@@ -13,21 +13,29 @@ You handle the git workflow for completed issues.
 
 ### 1. Verify Readiness
 
-Before creating a PR, verify:
+Tests and linters were already verified by the implementer. Do NOT re-run the full test suite — it wastes time and money.
 
+Only re-run tests if you had to resolve merge conflicts or edit files:
 ```bash
 <%- if test_command -%>
-# Tests pass
+# ONLY after resolving merge conflicts:
 <%= test_command %>
 <%- end -%>
-
 <%- if lint_command -%>
-# Linter passes
 <%= lint_command %>
 <%- end -%>
+<%- unless test_command || lint_command -%>
+# No specific test/lint commands configured. Detect from project structure:
+# - Gemfile → bundle exec rspec (or bundle exec rake test)
+# - package.json → npm test
+# - Cargo.toml → cargo test
+# - go.mod → go test ./...
+# - pyproject.toml / setup.py → pytest
+# Read the project's CLAUDE.md for additional conventions.
+<%- end -%>
 ```
 
-If anything fails, STOP and report the failures. Do not create a PR with failing checks.
+If anything fails after conflict resolution, STOP and report the failures. Do not create a PR with failing checks.
 
 ### 2. Create Pull Request
 
@@ -64,6 +72,9 @@ Closes #<issue-number>
 <%- if lint_command -%>
 - `<%= lint_command %>` — passed
 <%- end -%>
+<%- unless test_command || lint_command -%>
+- Stack auto-detected from project structure; commands detected at runtime
+<%- end -%>
 EOF
 )"
 ```
@@ -87,6 +98,13 @@ gh pr merge --merge --delete-branch
 gh issue close <number> --comment "Implemented in PR #<pr-number>"
 ```
 
+### 5. Clean Up
+
+```bash
+git checkout main
+git pull origin main
+```
+
 ## Output
 
 ```
@@ -94,4 +112,5 @@ gh issue close <number> --comment "Implemented in PR #<pr-number>"
 - PR: #<number> (<url>)
 - Issue: #<number> closed
 - Branch: <name> (deleted)
+- Merge commit: <sha>
 ```

data/lib/ocak/templates/agents/pipeline.md.erb

@@ -33,6 +33,15 @@ gh issue view <number> --json title,body,labels
 <%- if test_command -%>
    - `<%= test_command %>`
 <%- end -%>
+<%- unless lint_command || test_command -%>
+   - No specific commands configured. Detect from project structure:
+     - Gemfile → bundle exec rspec (or bundle exec rake test)
+     - package.json → npm test
+     - Cargo.toml → cargo test
+     - go.mod → go test ./...
+     - pyproject.toml / setup.py → pytest
+   - Read the project's CLAUDE.md for additional conventions.
+<%- end -%>
 
 ### Phase 2: Self-Review
 
@@ -43,6 +52,10 @@ git diff main --stat
 git diff main
 ```
 
+**Scope check**: Verify EVERY changed file is justified by the issue's acceptance criteria. If a file appears that shouldn't be there, revert it with `git checkout main -- <file>`.
+
+**Deleted test check**: Verify you haven't deleted any existing test methods. If you have, restore them.
+
 For each acceptance criterion, verify:
 - Is it implemented correctly?
 - Is it tested?
@@ -84,6 +97,15 @@ Run the complete check suite one last time:
 <%- if test_command -%>
 <%= test_command %>
 <%- end -%>
+<%- unless lint_command || test_command -%>
+# No specific commands configured. Detect from project structure:
+# - Gemfile → bundle exec rspec (or bundle exec rake test)
+# - package.json → npm test
+# - Cargo.toml → cargo test
+# - go.mod → go test ./...
+# - pyproject.toml / setup.py → pytest
+# Read the project's CLAUDE.md for additional conventions.
+<%- end -%>
 ```
 
 ALL must pass. If anything fails, fix it. Maximum 3 fix cycles — if still failing after 3 attempts, stop and report what's broken.

data/lib/ocak/templates/agents/reviewer.md.erb

@@ -85,8 +85,8 @@ Rate each finding:
 [What was done well]
 
 ### Acceptance Criteria Check
-- [ ] Criterion 1: implemented and tested / missing [details]
-- [ ] Criterion 2: ...
+- [ ] Criterion 1: ✅ Implemented and tested / ❌ Missing [details]
+- [ ] Criterion 2: ✅ / ❌
 
 ### Test Coverage
 - [List any untested paths or missing edge cases]

data/lib/ocak/templates/agents/security_reviewer.md.erb

@@ -10,6 +10,10 @@ model: sonnet
 
 You perform security-focused code review. You are read-only.
 
+## Focus
+
+You run AFTER the code reviewer. Focus on security-specific concerns that a general code reviewer would miss. Do NOT repeat general code quality findings (missing tests, naming, patterns). Your value is catching auth bypasses, injection vectors, data exposure, and business logic integrity issues that require security expertise.
+
 ## Setup
 
 1. Read CLAUDE.md for auth architecture and conventions
@@ -64,6 +68,13 @@ You perform security-focused code review. You are read-only.
 - [ ] Logs don't contain PII or secrets
 - [ ] No secrets in code (API keys, passwords, tokens)
 
+### Business Logic Integrity
+
+- [ ] Domain invariants maintained (e.g., balances sum correctly, state transitions are valid)
+- [ ] Calculations use appropriate precision (no floating-point for monetary/exact values)
+- [ ] Race conditions handled where concurrent access is possible (database locks, transactions)
+- [ ] Multi-tenant data properly scoped — no cross-tenant access paths
+
 ### Dependencies
 
 Run and report results of:

data/lib/ocak/templates/gitignore_additions.txt

@@ -10,3 +10,4 @@
 logs/pipeline/
 .ocak/logs/
 .ocak/reports/
+.ocak/trusted

data/lib/ocak/templates/ocak.yml.erb

@@ -1,3 +1,7 @@
+# WARNING: Commands configured in this file (test_command, lint_command, format_command,
+# setup_command, security_commands) are executed with your user privileges. Treat this
+# file like executable code — review it before running `ocak run` in an unfamiliar repo.
+
 # Ocak pipeline configuration
 # Generated by `ocak init` — customize as needed
 
@@ -27,6 +31,17 @@ stack:
 <%- end -%>
 <%- end -%>
 
+# Multi-repo mode — process issues across multiple local repos
+# Repo path mappings go in ~/.config/ocak/config.yml (machine-specific, not committed)
+# multi_repo: true
+# target_field: target_repo   # YAML front-matter field in issue body
+
+# Issue backend — 'github' (default) or 'local'
+# Local mode stores issues as files in .ocak/issues/ (no gh CLI needed for issues).
+# Auto-detected: if .ocak/issues/ contains .md files, local mode is used automatically.
+# issues:
+#   backend: local
+
 # Pipeline settings
 pipeline:
   max_parallel: 5
@@ -57,29 +72,38 @@ labels:
 steps:
   - agent: implementer
     role: implement
+    model: sonnet
   - agent: reviewer
     role: review
+    model: opus
   - agent: implementer
     role: fix
     condition: has_findings
+    model: sonnet
   - agent: reviewer
     role: verify
     condition: had_fixes
+    model: opus
   - agent: security_reviewer
     role: security
+    model: sonnet
     complexity: full          # skipped for simple issues and --fast mode
   - agent: implementer
     role: fix
     condition: has_findings
     complexity: full          # skipped for simple issues
+    model: sonnet
   - agent: documenter
     role: document
     complexity: full          # skipped for simple issues
+    model: sonnet
   - agent: auditor
     role: audit
     complexity: full          # skipped for simple issues
+    model: sonnet
   - agent: merger
     role: merge
+    model: sonnet
 
 # Agent file paths — override to use custom agents
 agents:

data/lib/ocak/verification.rb

@@ -52,7 +52,12 @@ module Ocak
     end
 
     def run_scoped_lint(logger, chdir:)
-      changed_stdout, = Open3.capture3('git', 'diff', '--name-only', 'main', chdir: chdir)
+      changed_stdout, stderr, status = Open3.capture3('git', 'diff', '--name-only', 'main', chdir: chdir)
+      unless status.success?
+        logger&.warn("Scoped lint skipped — git diff failed: #{stderr[0..200]}")
+        return nil
+      end
+
       changed_files = changed_stdout.lines.map(&:strip).reject(&:empty?)
 
       extensions = lint_extensions_for(@config.language)

data/lib/ocak/worktree_manager.rb

@@ -7,15 +7,18 @@ require 'shellwords'
 
 module Ocak
   class WorktreeManager
-    def initialize(config:, logger: nil)
+    def initialize(config:, repo_dir: nil, logger: nil)
       @config = config
       @logger = logger
-      @worktree_base = File.join(config.project_dir, config.worktree_dir)
+      @repo_dir = repo_dir || config.project_dir
+      @worktree_base = File.join(@repo_dir, config.worktree_dir)
       @mutex = Mutex.new
     end
 
-    def create(issue_number, setup_command: nil)
+    def create(issue_number, setup_command: nil, target_repo: nil)
       @mutex.synchronize do
+        raise ArgumentError, "Invalid issue number: #{issue_number}" unless issue_number.to_s.match?(/\A\d+\z/)
+
         FileUtils.mkdir_p(@worktree_base)
 
         branch = "auto/issue-#{issue_number}-#{SecureRandom.hex(4)}"
@@ -29,7 +32,7 @@ module Ocak
           raise WorktreeError, "Setup command failed: #{stderr}" unless status.success?
         end
 
-        Worktree.new(path: path, branch: branch, issue_number: issue_number)
+        Worktree.new(path: path, branch: branch, issue_number: issue_number, target_repo: target_repo)
       end
     end
 
@@ -66,14 +69,14 @@ module Ocak
       removed
     end
 
-    Worktree = Struct.new(:path, :branch, :issue_number, keyword_init: true) # rubocop:disable Style/RedundantStructKeywordInit
+    Worktree = Struct.new(:path, :branch, :issue_number, :target_repo, keyword_init: true) # rubocop:disable Style/RedundantStructKeywordInit
 
     class WorktreeError < StandardError; end
 
     private
 
     def git(*)
-      Open3.capture3('git', *, chdir: @config.project_dir)
+      Open3.capture3('git', *, chdir: @repo_dir)
     end
 
     def parse_worktree_list(output)

data/lib/ocak.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
 module Ocak
-  VERSION = '0.4.0'
+  VERSION = '0.6.0'
 
   def self.root
     File.expand_path('..', __dir__)

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: ocak
 version: !ruby/object:Gem::Version
-  version: 0.4.0
+  version: 0.6.0
 platform: ruby
 authors:
 - Clay Harmon
@@ -36,36 +36,56 @@ files:
 - bin/ocak
 - lib/ocak.rb
 - lib/ocak/agent_generator.rb
+- lib/ocak/batch_processing.rb
 - lib/ocak/claude_runner.rb
 - lib/ocak/cli.rb
+- lib/ocak/command_runner.rb
 - lib/ocak/commands/audit.rb
 - lib/ocak/commands/clean.rb
 - lib/ocak/commands/debt.rb
 - lib/ocak/commands/design.rb
 - lib/ocak/commands/hiz.rb
 - lib/ocak/commands/init.rb
+- lib/ocak/commands/issue/close.rb
+- lib/ocak/commands/issue/create.rb
+- lib/ocak/commands/issue/edit.rb
+- lib/ocak/commands/issue/list.rb
+- lib/ocak/commands/issue/view.rb
 - lib/ocak/commands/resume.rb
 - lib/ocak/commands/run.rb
 - lib/ocak/commands/status.rb
 - lib/ocak/config.rb
+- lib/ocak/conflict_resolution.rb
 - lib/ocak/failure_reporting.rb
 - lib/ocak/git_utils.rb
+- lib/ocak/instance_builders.rb
+- lib/ocak/issue_backend.rb
 - lib/ocak/issue_fetcher.rb
+- lib/ocak/issue_state_machine.rb
+- lib/ocak/local_issue_fetcher.rb
+- lib/ocak/local_merge_manager.rb
 - lib/ocak/logger.rb
 - lib/ocak/merge_manager.rb
 - lib/ocak/merge_orchestration.rb
+- lib/ocak/merge_verification.rb
 - lib/ocak/monorepo_detector.rb
+- lib/ocak/parallel_execution.rb
 - lib/ocak/pipeline_executor.rb
 - lib/ocak/pipeline_runner.rb
 - lib/ocak/pipeline_state.rb
 - lib/ocak/planner.rb
 - lib/ocak/process_registry.rb
 - lib/ocak/process_runner.rb
+- lib/ocak/project_key.rb
 - lib/ocak/reready_processor.rb
 - lib/ocak/run_report.rb
+- lib/ocak/shutdown_handling.rb
 - lib/ocak/stack_detector.rb
+- lib/ocak/state_management.rb
 - lib/ocak/step_comments.rb
+- lib/ocak/step_execution.rb
 - lib/ocak/stream_parser.rb
+- lib/ocak/target_resolver.rb
 - lib/ocak/templates/agents/auditor.md.erb
 - lib/ocak/templates/agents/documenter.md.erb
 - lib/ocak/templates/agents/implementer.md.erb