@ai-support-agent/cli 0.1.32 → 0.1.33-beta.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (62) hide show
  1. package/dist/commands/claude-code-args.d.ts +1 -0
  2. package/dist/commands/claude-code-args.d.ts.map +1 -1
  3. package/dist/commands/claude-code-args.js +3 -0
  4. package/dist/commands/claude-code-args.js.map +1 -1
  5. package/dist/commands/claude-code-runner.d.ts.map +1 -1
  6. package/dist/commands/claude-code-runner.js +2 -1
  7. package/dist/commands/claude-code-runner.js.map +1 -1
  8. package/dist/commands/plugin-dir.d.ts +20 -0
  9. package/dist/commands/plugin-dir.d.ts.map +1 -0
  10. package/dist/commands/plugin-dir.js +71 -0
  11. package/dist/commands/plugin-dir.js.map +1 -0
  12. package/dist/plugin/.claude-plugin/plugin.json +9 -0
  13. package/dist/plugin/LICENSE +26 -0
  14. package/dist/plugin/README.md +86 -0
  15. package/dist/plugin/SYNC.md +113 -0
  16. package/dist/plugin/agents/build-error-resolver.md +159 -0
  17. package/dist/plugin/agents/code-reviewer.md +277 -0
  18. package/dist/plugin/agents/django-reviewer.md +159 -0
  19. package/dist/plugin/agents/infra-reviewer.md +172 -0
  20. package/dist/plugin/agents/investigator.md +75 -0
  21. package/dist/plugin/agents/nextjs-reviewer.md +191 -0
  22. package/dist/plugin/agents/php-reviewer.md +167 -0
  23. package/dist/plugin/agents/planner.md +184 -0
  24. package/dist/plugin/agents/python-reviewer.md +161 -0
  25. package/dist/plugin/agents/react-reviewer.md +150 -0
  26. package/dist/plugin/agents/silent-failure-hunter.md +158 -0
  27. package/dist/plugin/agents/typescript-reviewer.md +179 -0
  28. package/dist/plugin/agents/ui-reviewer.md +203 -0
  29. package/dist/plugin/commands/add-feature.md +301 -0
  30. package/dist/plugin/commands/build-fix.md +47 -0
  31. package/dist/plugin/commands/code-review.md +228 -0
  32. package/dist/plugin/commands/fix-defect.md +393 -0
  33. package/dist/plugin/commands/learn-eval.md +94 -0
  34. package/dist/plugin/commands/learn.md +84 -0
  35. package/dist/plugin/commands/plan.md +211 -0
  36. package/dist/plugin/commands/test-coverage.md +64 -0
  37. package/dist/plugin/commands/update-docs.md +98 -0
  38. package/dist/plugin/hooks/hooks.json +59 -0
  39. package/dist/plugin/hooks/scripts/auto-format.sh +63 -0
  40. package/dist/plugin/hooks/scripts/check-secrets-before-commit.sh +50 -0
  41. package/dist/plugin/hooks/scripts/guard-dangerous-commands.sh +55 -0
  42. package/dist/plugin/hooks/scripts/on-command-resume.sh +112 -0
  43. package/dist/plugin/hooks/scripts/on-command-stop.sh +200 -0
  44. package/dist/plugin/hooks/scripts/protect-sensitive-files.sh +58 -0
  45. package/dist/plugin/rules/common/coding-guidelines.md +73 -0
  46. package/dist/plugin/rules/documentation/api-docs.md +46 -0
  47. package/dist/plugin/rules/documentation/docs-site.md +60 -0
  48. package/dist/plugin/rules/documentation/source-docs.md +89 -0
  49. package/dist/plugin/rules/documentation/test-docs.md +39 -0
  50. package/dist/plugin/rules/logging/logging-rules.md +83 -0
  51. package/dist/plugin/rules/php/coding-rules.md +40 -0
  52. package/dist/plugin/rules/python/coding-rules.md +40 -0
  53. package/dist/plugin/rules/typescript/coding-rules.md +45 -0
  54. package/dist/plugin/skills/api-design/SKILL.md +269 -0
  55. package/dist/plugin/skills/backend-patterns/SKILL.md +312 -0
  56. package/dist/plugin/skills/database-migrations/SKILL.md +323 -0
  57. package/dist/plugin/skills/docker-patterns/SKILL.md +308 -0
  58. package/dist/plugin/skills/docs-site/SKILL.md +341 -0
  59. package/dist/plugin/skills/e2e-testing/SKILL.md +334 -0
  60. package/dist/plugin/skills/frontend-patterns/SKILL.md +318 -0
  61. package/dist/plugin/skills/integration-testing/SKILL.md +273 -0
  62. package/package.json +2 -2
@@ -0,0 +1,228 @@
1
+ ---
2
+ description: Run a code review across your stack and post a report and verdict to the PR/MR
3
+ argument-hint: "[PR/MR number or URL] (omit to review local uncommitted changes)"
4
+ ---
5
+
6
+ # /code-review
7
+
8
+ This command lives in this plugin's namespace and is invoked as `/<plugin>:code-review` (which is distinct, by
9
+ namespace, from Claude Code's built-in `/code-review` and `/review` — an unprefixed `/code-review` may refer to
10
+ the built-in version). Where the built-in command does a general-purpose diff review, this command's added value
11
+ is applying review criteria specific to your stack (TypeScript / Python / PHP / React / Next.js / Vue / Django /
12
+ Laravel / CakePHP / IaC, etc.) and recording the review as a structured report that gets posted back. If a
13
+ general-purpose review is all you need, the built-in command works fine.
14
+
15
+ ## Determining the mode
16
+
17
+ Check the `$ARGUMENTS` value to decide which mode to run in.
18
+
19
+ - No argument → Mode A (local review)
20
+ - A number (e.g. `123`) or a PR/MR URL → Mode B (PR/MR review)
21
+
22
+ ## Selecting reviewers (both modes)
23
+
24
+ Look at the paths of the changed files and use the table below to decide which reviewers to run.
25
+ `code-reviewer` and `silent-failure-hunter` are always included.
26
+
27
+ | File-type condition | Reviewer to add |
28
+ |---|---|
29
+ | Includes `.ts` / `.tsx` / `.js` / `.jsx` / `.mjs` / `.cjs` | `typescript-reviewer` |
30
+ | `.tsx` / `.jsx` with component definitions | `react-reviewer` (alongside `typescript-reviewer`) |
31
+ | Touches `app/` / `pages/` / `next.config` / `middleware.ts` / a Server Action | `nextjs-reviewer` |
32
+ | Includes `.py` | `python-reviewer` |
33
+ | Touches Django-style files (`models.py` / `views.py` / `serializers.py` / `migrations/`, etc.) | `django-reviewer` (alongside `python-reviewer`) |
34
+ | Includes `.php` | `php-reviewer` |
35
+ | Touches UI components or layout | `ui-reviewer` |
36
+ | Includes `*.ts` (CDK) / `serverless.yml` / `template.yaml` / CloudFormation-style files | `infra-reviewer` |
37
+
38
+ This table matches the "delegating to other agents" routing table used by code-reviewer.
39
+ Treat the code-reviewer agent's routing table as the source of truth when adding or changing reviewers, and mirror the change here too.
40
+
41
+ ## Workflow script (both modes)
42
+
43
+ Once the reviewer list is finalized, pass the script below to the Workflow tool's `script` parameter and run it in parallel.
44
+ Pass the selected reviewer names as `args.reviewers`, and the mode-specific review instructions (described below) as `args.reviewContext`.
45
+
46
+ ```javascript
47
+ export const meta = {
48
+ name: 'code-review-parallel',
49
+ description: 'Run stack-specific reviewers in parallel to speed up code review',
50
+ phases: [
51
+ { title: 'Review' },
52
+ { title: 'Merge' }
53
+ ]
54
+ }
55
+
56
+ const SEVERITY_ORDER = { CRITICAL: 0, HIGH: 1, MEDIUM: 2, LOW: 3 }
57
+
58
+ const FINDINGS_SCHEMA = {
59
+ type: 'object',
60
+ properties: {
61
+ findings: {
62
+ type: 'array',
63
+ items: {
64
+ type: 'object',
65
+ properties: {
66
+ severity: { type: 'string', enum: ['CRITICAL', 'HIGH', 'MEDIUM', 'LOW'] },
67
+ file: { type: 'string' },
68
+ line: { type: 'string' },
69
+ description: { type: 'string' },
70
+ suggestion: { type: 'string' }
71
+ },
72
+ required: ['severity', 'description']
73
+ }
74
+ }
75
+ },
76
+ required: ['findings']
77
+ }
78
+
79
+ phase('Review')
80
+ const results = await parallel(args.reviewers.map(name => () =>
81
+ agent(args.reviewContext, {
82
+ label: name,
83
+ phase: 'Review',
84
+ agentType: name,
85
+ schema: FINDINGS_SCHEMA
86
+ })
87
+ ))
88
+
89
+ phase('Merge')
90
+ const all = results.filter(Boolean).flatMap(r => r.findings || [])
91
+ const sorted = all.sort((a, b) =>
92
+ (SEVERITY_ORDER[a.severity] ?? 4) - (SEVERITY_ORDER[b.severity] ?? 4)
93
+ )
94
+ return { findings: sorted }
95
+ ```
96
+
97
+ Use the `findings` returned by the Workflow (already sorted by severity) in the steps that follow.
98
+
99
+ ## Mode A: local review (no argument)
100
+
101
+ Review the uncommitted changes (both staged and unstaged).
102
+
103
+ 1. Identify the changed files with `git diff HEAD --name-only` and select reviewers (see "Selecting reviewers" above).
104
+ 2. Run the Workflow in parallel, passing the following as `args.reviewContext`:
105
+ ```
106
+ Review the current uncommitted changes (git diff HEAD, or the combination of git diff --staged and git diff).
107
+ Read the full content of each changed file and its surrounding code (callers, type definitions, middleware,
108
+ etc.) and report issues from your area of expertise. Don't judge from the diff alone.
109
+ ```
110
+ 3. Group the `findings` returned by the Workflow by severity (CRITICAL / HIGH / MEDIUM / LOW) and report them to the user.
111
+ Don't post anything remotely in this mode.
112
+
113
+ ## Mode B: PR/MR review (number or URL)
114
+
115
+ ### Determining the host
116
+
117
+ Pick the CLI to use with the following rule.
118
+
119
+ - If the argument is a URL: use the `gh` CLI for `github.com`, the `glab` CLI for `gitlab.com`.
120
+ - If the argument is a bare number: check `git remote get-url origin` — use `gh` if it contains `github.com`, `glab` if it contains `gitlab.com`.
121
+ - For self-hosted setups that match neither, show the user the remote URL and ask which CLI to use.
122
+
123
+ ### Steps
124
+
125
+ 1. **Fetch metadata and changed files**
126
+ - GitHub: `gh pr view <number> --json title,body,author,baseRefName,headRefName,isDraft,files` to get the list of changed files.
127
+ - GitLab: `glab mr view <number>` to get the list of changed files.
128
+ 2. **Build context**
129
+ - Read the project's CLAUDE.md (or equivalent) to understand coding conventions and background.
130
+ - If the PR/MR description references a plan file or an issue, read that too.
131
+ 3. **Select reviewers and run the Workflow**
132
+ - Select reviewers from the changed-file list obtained in step 1 (see "Selecting reviewers" above).
133
+ - Run the Workflow in parallel, passing the following as `args.reviewContext` (substitute `<number>` and `<CLI>` with the actual values):
134
+ ```
135
+ Review PR/MR #<number>. Fetch the diff with `<CLI> pr/mr diff <number>`, and read the full content of
136
+ each changed file along with its surrounding code (callers, type definitions, middleware, etc.). Don't
137
+ judge from the diff alone. Report issues from your area of expertise, and for each finding include the
138
+ severity, file, line, a description of the problem, and a suggested fix.
139
+ ```
140
+ - Use the `findings` returned by the Workflow (already sorted by severity) for the verdict step below.
141
+ 4. **Run verification**
142
+ - Detect the project type and run whatever applies.
143
+ - Node-based: type checking (tsc, etc.), lint, tests, build. Check `package.json` scripts to pick the right ones.
144
+ - Python-based: mypy / ruff / pytest, etc., for whichever config files are present. If a virtual environment exists (`.venv/` / `venv/`), use the tools inside it (e.g. `.venv/bin/pytest`; for poetry/uv-managed projects, run through `poetry run` / `uv run`).
145
+ - PHP-based: phpstan / php-cs-fixer / phpunit, etc., for whichever config files are present.
146
+ - E2E: if `playwright.config.*` (or `cypress.config.*`) exists, **always include E2E tests in the run**
147
+ (`npx playwright test`; if the config has a `webServer`, the app starts automatically). Skip only if the
148
+ environment can't support it, and always record why. On failure, distinguish code-caused failures from
149
+ environment-caused ones (external service not running, missing credentials, etc.); code-caused failures
150
+ count as a verification failure.
151
+ - Record the results (pass/fail/skip reason) for each check.
152
+ 5. **Verdict**
153
+
154
+ Apply the shared verdict rule across all reviewers, evaluated top to bottom.
155
+
156
+ | Condition | Verdict |
157
+ |---|---|
158
+ | Any CRITICAL findings | Blocked (post as change request, with BLOCKING stated at the top) |
159
+ | Any HIGH findings, or verification failed | Changes requested |
160
+ | MEDIUM only (verification passed) | Approve with warnings |
161
+ | No findings / LOW only (verification passed) | Approve |
162
+
163
+ When posting remotely: both "approve" and "approve with warnings" post as an approval; for the latter, include
164
+ the MEDIUM findings and recommended follow-ups in the report body. If the target is a draft PR/MR, post a
165
+ comment only regardless of verdict — don't approve or request changes.
166
+
167
+ 6. **Save the review record**
168
+ - Save it under `.claude/reviews/` as `<date>-<PR/MR number>.md` (template below).
169
+ 7. **Post remotely**
170
+ - GitHub: `gh pr review <number> --approve | --request-changes | --comment --body "<report>"`
171
+ - GitLab: approve with `glab mr approve <number>`; post the report body with `glab mr note <number> --message "<report>"`.
172
+ GitLab has no direct equivalent of "request changes," so for a changes-requested or blocked verdict, skip
173
+ approval and instead state "Changes requested" or "Blocked" at the top of the note.
174
+ 8. **Summarize for the user**
175
+ - Report the verdict, finding counts by severity, verification results, the link to where it was posted, and the record file path, concisely.
176
+
177
+ ## Review record template
178
+
179
+ ```markdown
180
+ # Review record: <PR/MR title or "local changes">
181
+
182
+ - Date: <YYYY-MM-DD HH:MM>
183
+ - Target: <PR/MR number and URL, or branch name>
184
+ - Verdict: <Approve | Approve with warnings | Changes requested | Blocked | Comment only (draft)>
185
+
186
+ ## Summary
187
+
188
+ <2-3 sentence summary of the change>
189
+
190
+ ## Findings
191
+
192
+ ### CRITICAL
193
+ - <file:line> <description of the problem and suggested fix> (or "None")
194
+
195
+ ### HIGH
196
+ - None
197
+
198
+ ### MEDIUM
199
+ - None
200
+
201
+ ### LOW
202
+ - None
203
+
204
+ ## Verification results
205
+
206
+ | Item | Command | Result |
207
+ |---|---|---|
208
+ | Type check | <command run> | <Pass/Fail/Skipped> |
209
+ | Lint | <command run> | <Pass/Fail/Skipped> |
210
+ | Tests | <command run> | <Pass/Fail/Skipped> |
211
+ | E2E | <command run> | <Pass/Fail/Skipped (reason)> |
212
+ | Build | <command run> | <Pass/Fail/Skipped> |
213
+
214
+ ## Notes
215
+
216
+ <rebase recommendation, scope limitations, any fallback used, etc.>
217
+ ```
218
+
219
+ ## Edge cases
220
+
221
+ - **CLI unavailable**: if `gh` / `glab` isn't installed or authenticated, say so and fall back to a local review
222
+ (equivalent to Mode A — diff against the checked-out target branch if available) without posting anything.
223
+ - **Very large PR/MR**: if the changed files number roughly 30+ or the diff is roughly 3000+ lines, warn that
224
+ full coverage may not be possible, prioritize the highest-impact files (core logic, security-sensitive code,
225
+ public APIs), and record the actual scope covered in both the saved record and the summary.
226
+ - **Branch diverged from base**: if the base branch has moved on and the target branch is stale, flag the risk
227
+ of conflicts or inconsistent verification results and suggest a rebase (or merging in the latest base). Judge
228
+ the verdict against the code as it currently stands.
@@ -0,0 +1,393 @@
1
+ ---
2
+ description: Fix a bug through a gated pipeline that's reproduction-test-first, proving the fix with a red-to-green transition
3
+ argument-hint: "[bug description / repro steps / issue number]"
4
+ resumable: true
5
+ ---
6
+
7
+ # Fix-defect pipeline
8
+
9
+ Fix a reported bug through a disciplined, gated pipeline. Three things are non-negotiable:
10
+
11
+ 1. **Not one line of fix code gets written until the root cause is identified.**
12
+ 2. **If the code under test doesn't have adequate coverage, build that up first before going test-first.**
13
+ 3. **Write a failing test that reproduces the bug before touching the fix (red), and prove the fix by
14
+ making that same test pass (green).**
15
+
16
+ A bug that can't be reproduced can't be fixed, and a test that never went red proves nothing.
17
+ A fix without a root cause is just a symptom hidden away — and that's a failure.
18
+
19
+ Target bug: $ARGUMENTS
20
+
21
+ ## Scope
22
+
23
+ - In scope: fixing "broken behavior" — something not working as expected.
24
+ - Out of scope: spec changes or new features — use /add-feature for those.
25
+ If partway through the work it turns out this is actually a spec change rather than a bug fix,
26
+ report that to the user and switch commands.
27
+
28
+ ## Two gates
29
+
30
+ This pipeline has two gates that must never be crossed early.
31
+
32
+ 1. Plan-approval gate: for standard-or-larger changes, don't write fix code until the user
33
+ has approved the plan.
34
+ 2. Commit gate: never commit without the user's confirmation, under any circumstances.
35
+
36
+ Even when it's tempting to push forward autonomously, always stop at the gate and get confirmation.
37
+
38
+ ## Completion Marker Convention
39
+
40
+ This command runs under `claude -p` (non-interactive), which restarts as a fresh process every turn — past turn 1, this command body is not guaranteed to be re-expanded, so gate discipline (the two gates above) can silently erode across turns. To compensate, a hooks-based mechanism re-injects a digest of this command's must-obey constraints on the next turn whenever the pipeline is left incomplete.
41
+
42
+ If this command's flow is **not yet complete** (e.g. mid root-cause investigation, stopped at the plan-approval gate, awaiting the regression test's red confirmation, mid-fix, awaiting review fixes, or stopped at the commit gate), your response **MUST end** with a line that is an exact match of:
43
+
44
+ `<!-- ai-support-agent:resume name="fix-defect" -->`
45
+
46
+ If the flow **is complete** (fix finished, committed with user confirmation, and the post-commit options were handled), do **not** output this marker.
47
+
48
+ Never output this marker inside a code block or as an illustrative example — only emit it as the actual last line of real output when the flow is genuinely incomplete.
49
+
50
+ <!-- RESUME_DIGEST_START -->
51
+ When resuming this command on turn 2+ without the full command body re-expanded, obey these constraints:
52
+
53
+ - **Two gates, never crossed early**:
54
+ 1. Plan-approval gate (standard-or-larger changes): no fix code until the user has approved the fix plan.
55
+ 2. Commit gate: never commit without the user's explicit confirmation, under any circumstances.
56
+ - **Root cause before any fix code**: never write fix code on a hunch of "probably here." State the hypothesis as "X is the cause, because Y," verify it with the smallest possible change, and don't layer a new fix on top of a failed hypothesis — start over.
57
+ - **Regression test must go red before green**: write a test that reproduces the bug and confirm it fails (red) before touching fix code. If you accidentally wrote fix code first, discard it (`git restore`) and start over from the test. After fixing, confirm that same test goes green.
58
+ - Never self-interpret "roughly agreed to," silence, or an unrelated follow-up as plan approval or as commit confirmation.
59
+ - **Don't hide the symptom**: no swallowed exceptions, no special-casing around the failing scenario, no loosened test expectations just to go green.
60
+ - **Step 8 verification requires evidence, not speculation**: never claim "tests pass" / "build passes" / "the bug is fixed" without having actually run the command in this conversation and read its output. A stale or previous run's result does not count as evidence.
61
+ - **Review gate (Step 7)**: every CRITICAL / HIGH finding from the code-reviewer / silent-failure-hunter review must be resolved, followed by a re-run of Step 6's checks (regression test green, no regressions), before moving on.
62
+ - Follow the Step 9 commit-gate flow exactly: present the diff + proposed commit message, wait for confirmation, commit only after confirmation, then present the four post-commit options and execute the chosen one in the correct order (never remove a worktree before merge/PR is settled).
63
+ <!-- RESUME_DIGEST_END -->
64
+
65
+ ## Procedure
66
+
67
+ ### 1. Declare the size classification
68
+
69
+ Before starting work, declare which of the following applies.
70
+
71
+ - Trivial: a change of one file, a few lines, with an obvious cause.
72
+ - Small: a change of one or two files, where identifying the cause takes a bit of investigation.
73
+ - Standard or larger: a change spanning multiple files, or where the cause is unclear.
74
+
75
+ Regardless of the size of the change, fixes touching authentication/authorization, input handling,
76
+ databases, external service integrations, or anything money-related are always treated as
77
+ "standard or larger."
78
+
79
+ ### 2. Create a worktree
80
+
81
+ Create a dedicated branch and worktree for the work, and do everything from here on inside that worktree.
82
+
83
+ First check the existing isolation state.
84
+
85
+ ```bash
86
+ MAIN_ROOT=$(git rev-parse --show-toplevel)
87
+ GIT_DIR=$(cd "$(git rev-parse --git-dir)" 2>/dev/null && pwd -P)
88
+ GIT_COMMON=$(cd "$(git rev-parse --git-common-dir)" 2>/dev/null && pwd -P)
89
+ SUPERPROJECT=$(git rev-parse --show-superproject-working-tree 2>/dev/null)
90
+ echo "MAIN_ROOT=$MAIN_ROOT"
91
+ echo "GIT_DIR=$GIT_DIR"
92
+ echo "GIT_COMMON=$GIT_COMMON"
93
+ echo "SUPERPROJECT=${SUPERPROJECT:-(none)}"
94
+ ```
95
+
96
+ Use the output above to determine which of three states applies.
97
+
98
+ | Condition | State | Action |
99
+ |---|---|---|
100
+ | `SUPERPROJECT` has a value | Inside a submodule | Don't create a worktree — work directly |
101
+ | `SUPERPROJECT` is empty and `GIT_DIR != GIT_COMMON` | Already inside a worktree | Don't create a new one — keep working in the existing worktree |
102
+ | `SUPERPROJECT` is empty and `GIT_DIR == GIT_COMMON` | Regular repository | Create a worktree (steps below) |
103
+
104
+ Create the worktree.
105
+
106
+ ```bash
107
+ git worktree add -b <branch-name> <path>
108
+ # e.g. git worktree add -b fix/login-error ../worktrees/fix-login-error
109
+ ```
110
+
111
+ - Name the branch after the bug (a `fix/` prefix is recommended).
112
+ - A sibling directory outside the repo is usually the most convenient path (e.g. `../worktrees/<name>`).
113
+ - If placing it inside the project (`.worktrees/`), confirm it's in `.gitignore` before creating it (`git check-ignore -q .worktrees`). If it's not listed, add it and commit that first.
114
+ - Working inside a worktree keeps the main working directory clean, and rolling back is as simple as deleting the whole directory.
115
+
116
+ Once created, run the test suite to confirm a clean baseline. If there are pre-existing failures, report them to the user and confirm whether to proceed.
117
+
118
+ ### 3. Investigate the root cause (four phases)
119
+
120
+ **Iron rule: not one line of fix code until the root cause is identified.**
121
+
122
+ Don't start fixing on a hunch of "probably here." A guessed fix tends to create a different bug.
123
+
124
+ #### Phase 1: Gather facts
125
+
126
+ - **Read the error message carefully**: read the stack trace to the end.
127
+ Record line numbers, file paths, and error codes. Don't skim.
128
+ - **Confirm the reproduction is consistent**: pin down the repro steps and check whether it
129
+ happens every time. If it's not reproducible, gather more data instead of guessing at a fix.
130
+ - **Check recent changes**: review `git diff`, recent commits, dependency changes, and
131
+ any configuration or environment differences.
132
+ - **In multi-layer systems, gather evidence at each boundary**: for architectures like
133
+ API → service → DB, measure and log "input, output, state" at each component boundary to
134
+ identify which layer is broken before digging into the cause. Don't make sweeping changes across every layer at once.
135
+ - **Trace the data flow backward**: when the error surfaces deep in the call stack, walk the
136
+ callers back to where the bad value originated. Fix the source, not the symptom.
137
+
138
+ #### Phase 2: Pattern analysis
139
+
140
+ - Look for a working, similar implementation elsewhere in the same codebase.
141
+ - List the differences between the broken code and the working code (don't overlook small ones).
142
+ - When consulting an external library's docs or a spec, read it in full rather than skimming a section.
143
+
144
+ #### Phase 3: Hypothesize and verify
145
+
146
+ - State the hypothesis in one clear sentence: "X is the cause, because Y."
147
+ - Make the **smallest possible change** to test the hypothesis (one variable at a time).
148
+ - Don't apply multiple fixes at once — you'll lose the ability to isolate what worked.
149
+ - If the hypothesis is wrong, **form a new hypothesis from scratch** rather than layering another fix on top of the failed one.
150
+
151
+ #### Plan-approval gate (standard or larger)
152
+
153
+ Once the Phase 1-3 investigation is complete, for standard-or-larger changes, draft a fix plan,
154
+ present it to the user, and get approval. Don't write fix code before approval.
155
+ Use the planner subagent or /plan.
156
+
157
+ #### If you get stuck
158
+
159
+ - **After 3 or more failed fix attempts**: stop trying individual fixes and question the
160
+ architecture itself. If "every fix creates a problem somewhere else" or "the fix would require
161
+ major refactoring," that's an architectural problem. Report the situation to the user and
162
+ propose a fundamental design review.
163
+
164
+ #### Excuses to watch for (all of them are off-limits)
165
+
166
+ | Excuse | Reality |
167
+ |---|---|
168
+ | "It's a simple bug, the process is overkill" | Even simple bugs have a root cause |
169
+ | "We're in a hurry, let's just guess a fix" | Guessing causes rework — systematic investigation is actually faster |
170
+ | "Probably here, let me try it" | Looking at the symptom isn't the same as understanding the root cause |
171
+ | "Fix it now, investigate later" | Fixing first contaminates the investigation |
172
+ | "One more fix attempt" (on the 3rd+ try) | Question the architecture instead |
173
+
174
+ ### 4. Check test coverage of the affected code
175
+
176
+ Before starting the fix, check whether the affected code already has adequate test coverage.
177
+ Going test-first against inadequate coverage risks "I thought I made it red, but I just tripped
178
+ over a pre-existing defect." Proving the fix requires a test foundation that guarantees the
179
+ pre-bug, correct behavior.
180
+
181
+ What to check:
182
+
183
+ | Layer | What to confirm |
184
+ |---|---|
185
+ | Unit tests | Do they cover the normal and error paths of the affected function/method/class? |
186
+ | Integration tests | Is the affected code's interaction with external dependencies (DB, API, filesystem, etc.) verified? |
187
+ | Regression tests | Do tests exist for past, similar bugs? |
188
+
189
+ **If coverage is adequate**, move to the next step.
190
+
191
+ **If coverage is inadequate**, do the following before moving to the next step.
192
+
193
+ 1. Implement the missing tests (don't write fix code yet).
194
+ 2. Run the new tests and confirm they all **pass (green)**.
195
+ If any don't pass, they may be tripping over a separate pre-existing bug, or encoding a buggy
196
+ spec as the expected value — report this to the user and get a decision.
197
+ 3. Get the added tests reviewed (see "Test review" below).
198
+ 4. Resolve every CRITICAL / HIGH finding before moving to the next step.
199
+
200
+ #### Test review (only when coverage was inadequate)
201
+
202
+ Run a review using the same parallel Workflow execution as `/code-review` (Mode A).
203
+
204
+ 1. Identify the added test files, and select reviewers per `/code-review`'s "Selecting reviewers" table (`code-reviewer` is always included).
205
+ 2. Invoke the Workflow script described in `/code-review` and run the selected reviewers in parallel.
206
+ 3. Resolve every CRITICAL / HIGH finding, and re-run the tests to confirm they're all green.
207
+
208
+ ### 5. Write a regression test and confirm it fails (red)
209
+
210
+ **Iron rule: fix code must never be written before the test.**
211
+
212
+ If you accidentally write fix code before the test, **discard it immediately** and start over from writing the test.
213
+
214
+ ```bash
215
+ git restore <the file you accidentally fixed>
216
+ ```
217
+
218
+ "It was just a small change," "I'll write the test right after" are not acceptable excuses. A fix without a test is an unproven claim.
219
+
220
+ ---
221
+
222
+ - Write a regression test that reproduces the bug, at whichever layer best reproduces it
223
+ (a logic bug calls for a unit test; a bug involving DB reads/writes, queries, or transactions
224
+ calls for an integration test against a real database; a bug in a cross-screen flow may call
225
+ for an E2E test).
226
+ - Run the test and **confirm it fails**.
227
+ - Check that the failure (error message, expected vs. actual value) matches the reported bug.
228
+ If it doesn't match, your understanding of the root cause is likely wrong — go back to step 3.
229
+
230
+ #### Test anti-patterns (avoid these)
231
+
232
+ - **Testing that a mock was called**: a test that only confirms a mock exists proves nothing
233
+ about actual behavior. Test the implementation.
234
+ - **Using a mock without understanding it**: understand the side effects of the method being
235
+ mocked before mocking it. Mocking "just in case" strips out the side effects it depends on and
236
+ makes the test meaningless.
237
+ - **Incomplete mock objects**: include every field the real API actually returns. A mock missing
238
+ some fields lets code that depends on those fields slip through untested.
239
+ - **Adding test-only methods to production code**: put test cleanup helpers and the like in test
240
+ utilities. Don't pollute production classes with them.
241
+
242
+ ### 6. Fix the root cause (green)
243
+
244
+ - Fix the root cause identified in step 3.
245
+ - **Don't hide the symptom**: don't swallow exceptions, special-case around the failing
246
+ scenario with a conditional, or loosen a test's expected value just to make it pass.
247
+ - Confirm the regression test goes green.
248
+ - Run the existing test suite and confirm there's no regression. Include E2E tests
249
+ (`playwright.config.*` etc., if present). If they can't run due to environment constraints,
250
+ report that to the user.
251
+ - If the fix spans multiple repositories, run the test suite in every repository that was
252
+ changed and confirm there's no regression.
253
+ - If the build breaks, restore it with /build-fix before continuing.
254
+
255
+ #### Defense-in-depth validation
256
+
257
+ If the bug was caused by invalid data flowing through the system, consider not just fixing the
258
+ one spot but adding validation at every layer the data passes through, making the bug
259
+ **structurally impossible** rather than merely patched.
260
+
261
+ | Layer | What to add |
262
+ |---|---|
263
+ | Entry point | Reject invalid values early at the API/endpoint |
264
+ | Business logic | Add a guard at the entry of the processing function too |
265
+ | Environment guard | Block dangerous operations in specific contexts, like test runs |
266
+ | Debug logging | Log the stack trace and input values to make future investigation easier |
267
+
268
+ Each layer catches a different code path or a different mock-based bypass.
269
+ Whether every layer is needed depends on the nature of the bug. Include which layers you applied and why in the change.
270
+
271
+ #### Logging considerations (for projects that follow a logging convention)
272
+
273
+ Alongside the fix, check the following.
274
+
275
+ - If **ERROR/WARN logging was missing** at the point that caused the bug, add it now
276
+ (ask yourself: would this log have caught the bug earlier?).
277
+ - Confirm ERROR logs include the exception, `request_id`, and the ID of the affected resource.
278
+ - Confirm the correlation ID for requests passing through the fixed code is consistent end-to-end across the logs.
279
+ - See your project's logging conventions doc for details.
280
+
281
+ ### 7. Get a review
282
+
283
+ Run a review using the same parallel Workflow execution as `/code-review` (Mode A).
284
+
285
+ 1. Identify the changed files with `git diff HEAD --name-only`, and select reviewers per `/code-review`'s
286
+ "Selecting reviewers" table (`code-reviewer` and `silent-failure-hunter` are always included).
287
+ 2. Invoke the Workflow script described in `/code-review` and run the selected reviewers in parallel.
288
+ 3. Review the returned `findings` and resolve every CRITICAL / HIGH finding.
289
+ After making the fixes, re-run step 6's checks (regression test green, no regressions).
290
+
291
+ ### 8. Verify before declaring done (no claims without evidence)
292
+
293
+ **Iron rule: run the verification commands and read the output before claiming completion.**
294
+
295
+ "Should pass," "probably fine," "I don't think there's a problem" are guesses, not claims.
296
+ Before crossing the commit gate, actually run the following **in this conversation** and confirm:
297
+
298
+ | Claim | Required evidence |
299
+ |---|---|
300
+ | Tests pass | Ran the test command and saw zero failures in the output |
301
+ | Regression test went red then green | Ran both the pre-fix red and the post-fix green and confirmed each |
302
+ | Build passes | Ran the build command and saw exit code 0 |
303
+ | The bug is fixed | Confirmed the operation/test that reproduces the original symptom now passes |
304
+ | No regressions | Ran the existing test suite and confirmed no failures |
305
+
306
+ All of the following are prohibited:
307
+
308
+ - Claiming completion with phrases like "should pass," "probably," "I believe"
309
+ - Claiming something "passes" based on a previous run (a stale result is not evidence)
310
+ - Trusting a subagent's "done successfully" report without verifying it yourself
311
+ - Reporting partial verification (only some tests) as complete verification
312
+ - Skipping verification because you're tired or in a hurry
313
+
314
+ ### 9. Commit and clean up the worktree (commit gate)
315
+
316
+ - Present a summary of the diff and a proposed commit message, and wait for the user's confirmation.
317
+ - Commit only once confirmation is given.
318
+ - Follow the project's existing conventions (commit log style, etc.) for message format and granularity.
319
+
320
+ After committing, present the user with these four options.
321
+
322
+ ```
323
+ The fix is complete. What would you like to do with this change?
324
+
325
+ 1. Merge it into <base branch> locally
326
+ 2. Push and open a Pull Request
327
+ 3. Keep this branch as-is (handle it later)
328
+ 4. Discard this work
329
+ ```
330
+
331
+ Handle each choice as follows.
332
+
333
+ **1. Local merge**
334
+
335
+ ```bash
336
+ # Move out of the worktree (to the main repo root) before running this
337
+ cd "$MAIN_ROOT"
338
+ git checkout <base-branch>
339
+ git pull
340
+ git merge <fix-branch>
341
+ # Run the test suite after merging to confirm no regression
342
+ git worktree remove <worktree-path>
343
+ git worktree prune
344
+ git branch -d <fix-branch>
345
+ ```
346
+
347
+ **2. Open a PR**
348
+
349
+ ```bash
350
+ git push -u origin <fix-branch>
351
+ gh pr create --base <base-branch> --head <fix-branch> \
352
+ --title "<fix title>" --body "<summary of the fix and root cause>"
353
+ # Don't remove the worktree — it's needed for handling PR feedback
354
+ ```
355
+
356
+ **3. Keep as-is**
357
+
358
+ Leave both the worktree and the branch in place. Tell the user the path and stop.
359
+
360
+ **4. Discard**
361
+
362
+ Ask the user to type `discard` first, and only proceed once confirmed.
363
+
364
+ ```bash
365
+ cd "$MAIN_ROOT"
366
+ git worktree remove <worktree-path>
367
+ git worktree prune
368
+ git branch -D <fix-branch>
369
+ ```
370
+
371
+ **Order and prohibitions to observe**
372
+
373
+ - Never run `git worktree remove` from inside the worktree (always move to the main repo root first).
374
+ - Run `git branch -d` **after** `git worktree remove` (the reverse order fails).
375
+ - Don't remove the worktree before the merge (confirm the merge succeeded first).
376
+ - Don't remove the worktree after creating a PR (option 2).
377
+
378
+ ## Verification checklist
379
+
380
+ Before reporting completion, confirm all of the following.
381
+
382
+ - [ ] Identified the root cause at the code level before fixing (not a guess).
383
+ - [ ] Checked the affected code's test coverage. If it was inadequate, added tests first, got them reviewed, and only then moved to the next step.
384
+ - [ ] Wrote the test before writing the fix code (if the fix was accidentally written first, it was discarded and redone).
385
+ - [ ] Confirmed the regression test was red before the fix and green after.
386
+ - [ ] No regressions in the existing test suite (including E2E tests, if present).
387
+ - [ ] If the fix spans multiple repositories, ran the test suite in every changed repository and confirmed no regression.
388
+ - [ ] Fixed the root cause rather than hiding the symptom.
389
+ - [ ] Resolved every CRITICAL / HIGH review finding.
390
+ - [ ] Ran verification commands and read the output before claiming completion (didn't guess "should pass").
391
+ - [ ] Committed only after the user's confirmation (left uncommitted if not yet confirmed).
392
+ - [ ] Presented the four-option worktree cleanup and executed it in the correct order (remove worktree → delete branch) for the chosen option.
393
+ - [ ] If a logging convention applies: filled in logging that was missing at the point of the bug, and confirmed ERROR logs include the correlation ID and affected resource ID.