@anthropologies/claudestory 0.1.57 → 0.1.59

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@anthropologies/claudestory",
-  "version": "0.1.57",
+  "version": "0.1.59",
   "license": "PolyForm-Noncommercial-1.0.0",
   "description": "An agentic development framework. Track tickets, issues, and progress for your project so every session builds on the last.",
   "homepage": "https://claudestory.com",

package/src/skill/SKILL.md

@@ -23,6 +23,7 @@ claudestory tracks tickets, issues, roadmap, and handovers in a `.story/` direct
 - `/story settings` -> manage project settings (see Settings section below)
 - `/story design` -> evaluate frontend design (read `design/design.md` in the same directory as this skill file; if not found, tell user to run `claudestory setup-skill`)
 - `/story design <platform>` -> evaluate for specific platform: web, ios, macos, android (read `design/design.md` in the same directory as this skill file)
+- `/story review-lenses` -> run multi-lens review on current diff (read `review-lenses/review-lenses.md` in the same directory as this skill file; if not found, tell user to run `claudestory setup-skill`). Note: the autonomous guide invokes lenses automatically when `reviewBackends` includes `"lenses"` -- this command is for manual/debug use.
 - `/story help` -> show all capabilities (read `reference.md` in the same directory as this skill file; if not found, tell user to run `claudestory setup-skill`)
 
 If the user's intent doesn't match any of these, use the full context load.
@@ -354,7 +355,24 @@ Do NOT search source code for this. The full config.json schema is shown below.
       },
       "LESSON_CAPTURE": { "enabled": "boolean" },
       "ISSUE_SWEEP": { "enabled": "boolean" }
-    }
+    },
+    "lensConfig": {
+      "lenses": "\"auto\" | string[] (default: \"auto\")",
+      "maxLenses": "number (1-8, default: 8)",
+      "lensTimeout": "number | { default: number, opus: number } (default: { default: 60, opus: 120 })",
+      "findingBudget": "number (default: 10)",
+      "confidenceFloor": "number 0-1 (default: 0.6)",
+      "tokenBudgetPerLens": "number (default: 32000)",
+      "hotPaths": "string[] (glob patterns for Performance lens, default: [])",
+      "lensModels": "Record<string, string> (default: { default: sonnet, security: opus, concurrency: opus })"
+    },
+    "blockingPolicy": {
+      "neverBlock": "string[] (lens names that never produce blocking findings, default: [])",
+      "alwaysBlock": "string[] (categories that always block, default: [injection, auth-bypass, hardcoded-secrets])",
+      "planReviewBlockingLenses": "string[] (default: [security, error-handling])"
+    },
+    "requireSecretsGate": "boolean (default: false, require detect-secrets for lens reviews)",
+    "requireAccessibility": "boolean (default: false, make accessibility findings blocking)"
   }
 }
 ```
@@ -367,3 +385,4 @@ Additional skill documentation, loaded on demand:
 - **`autonomous-mode.md`** -- Autonomous mode, review, plan, and guided execution tiers
 - **`reference.md`** -- Full CLI command and MCP tool reference
 - **`design/design.md`** -- Frontend design evaluation and implementation guidance, with platform references in `design/references/`
+- **`review-lenses/review-lenses.md`** -- Multi-lens review orchestrator (8 specialized parallel reviewers), with lens prompts in `review-lenses/references/`

package/src/skill/review-lenses/references/judge.md

@@ -0,0 +1,18 @@
+---
+name: judge
+version: v1
+model: sonnet
+---
+
+# Judge
+
+Synthesis step 2. Receives deduplicated findings and tensions from the Merger. Performs severity calibration, stage-aware verdict generation, and completeness assessment.
+
+Verdict rules:
+- reject: critical + confidence >= 0.8 + blocking (plan review: only security/integrity)
+- revise: major + blocking, or any blocking tension
+- approve: only minor/suggestion/non-blocking remain
+
+Partial review (required lens failed): never approves, maximum is revise.
+
+See `src/autonomous/review-lenses/judge.ts` for the full prompt.

package/src/skill/review-lenses/references/lens-accessibility.md

@@ -0,0 +1,17 @@
+---
+name: accessibility
+version: v1
+model: sonnet
+type: surface-activated
+maxSeverity: major
+scope: web-first
+activation: ".tsx, .jsx, .html, .vue, .svelte, .css, .scss"
+---
+
+# Accessibility Lens
+
+Finds WCAG compliance issues preventing users with disabilities from using the application. Web-first scope. Checks: missing alt text, non-semantic HTML, missing ARIA labels, no keyboard navigation, color contrast, missing focus management, skip-to-content, form labels, ARIA landmarks, auto-playing media, missing live regions, CSS focus removal, hidden-but-focusable elements.
+
+Native mobile/desktop accessibility is out of scope for v1.
+
+See `src/autonomous/review-lenses/lenses/accessibility.ts` for the full prompt.

package/src/skill/review-lenses/references/lens-api-design.md

@@ -0,0 +1,14 @@
+---
+name: api-design
+version: v1
+model: sonnet
+type: surface-activated
+maxSeverity: critical
+activation: "**/api/**", route handlers, controllers, GraphQL resolvers
+---
+
+# API Design Lens
+
+Focuses on REST/GraphQL API quality -- consistency, correctness, backward compatibility, consumer experience. Checks: breaking changes, inconsistent error format, wrong HTTP status codes, non-RESTful patterns, missing pagination, naming inconsistency, missing Content-Type, overfetching/underfetching, missing idempotency, auth inconsistency.
+
+See `src/autonomous/review-lenses/lenses/api-design.ts` for the full prompt.

package/src/skill/review-lenses/references/lens-clean-code.md

@@ -0,0 +1,15 @@
+---
+name: clean-code
+version: v1
+model: sonnet
+type: core
+maxSeverity: major
+---
+
+# Clean Code Lens
+
+Focuses on structural quality, readability, and maintainability. Checks: long functions (>50 lines), SRP violations, naming problems, code duplication (3+ repeats), deep nesting (>3 levels), god classes (>10 public methods or >300 lines), dead code, file organization.
+
+Does NOT flag: stylistic preferences, language idioms, out-of-scope refactoring, test code, generated code.
+
+See `src/autonomous/review-lenses/lenses/clean-code.ts` for the full prompt.

package/src/skill/review-lenses/references/lens-concurrency.md

@@ -0,0 +1,16 @@
+---
+name: concurrency
+version: v1
+model: opus
+type: surface-activated
+maxSeverity: critical
+activation: ".swift, .go, .rs, shared mutable state, worker/thread imports, queue/lock/mutex primitives"
+---
+
+# Concurrency Lens
+
+Finds race conditions, deadlocks, data races, and incorrect concurrent access patterns. Uses Opus for multi-step reasoning about interleaved execution paths. Checks: race conditions, missing locks, deadlock patterns, actor isolation violations, unsafe shared mutable state (including Node.js module-level state), missing atomics, thread-unsafe lazy init, missing cancellation, channel misuse, concurrent collection mutation.
+
+For each finding, describes the specific interleaving that triggers the bug.
+
+See `src/autonomous/review-lenses/lenses/concurrency.ts` for the full prompt.

package/src/skill/review-lenses/references/lens-error-handling.md

@@ -0,0 +1,15 @@
+---
+name: error-handling
+version: v1
+model: sonnet
+type: core
+maxSeverity: critical
+---
+
+# Error Handling Lens
+
+Ensures failures are anticipated, caught, communicated, and recovered from. Checks: missing try/catch on I/O, unhandled promise rejections, swallowed errors, missing null checks, no graceful degradation, leaking internals, missing cleanup, unchecked array access, missing error propagation, inconsistent error types.
+
+Verifies TypeScript strict mode before flagging type-guaranteed values. Checks RULES.md for established error patterns.
+
+See `src/autonomous/review-lenses/lenses/error-handling.ts` for the full prompt.

package/src/skill/review-lenses/references/lens-performance.md

@@ -0,0 +1,16 @@
+---
+name: performance
+version: v1
+model: sonnet
+type: surface-activated
+maxSeverity: critical
+activation: ORM imports, nested loops >= 2, files > 300 lines, hotPaths config
+---
+
+# Performance Lens
+
+Finds patterns causing measurable performance degradation at realistic scale. Checks: N+1 queries, missing indexes, unbounded result sets, sync I/O in hot paths, memory leaks, unnecessary re-renders, large bundle imports, missing memoization, O(n^2+) algorithms, missing pagination.
+
+Does NOT flag: micro-optimizations, test code performance, premature optimization for infrequent code.
+
+See `src/autonomous/review-lenses/lenses/performance.ts` for the full prompt.

package/src/skill/review-lenses/references/lens-security.md

@@ -0,0 +1,17 @@
+---
+name: security
+version: v1
+model: opus
+type: core
+maxSeverity: critical
+---
+
+# Security Lens
+
+Thinks like an attacker -- traces data flow from untrusted input to sensitive operations. Checks: injection (SQL/NoSQL/XSS), CSRF, SSRF, mass assignment, prototype pollution, path traversal, JWT confusion, TOCTOU, hardcoded secrets, insecure deserialization, auth bypass, missing rate limiting, open redirects, prompt injection.
+
+Uses Opus model for deeper reasoning on subtle auth bypass, TOCTOU, and logic-level vulnerabilities.
+
+Requires inputSource/sink fields on every finding. Sets requiresMoreContext when data flow crosses file boundaries.
+
+See `src/autonomous/review-lenses/lenses/security.ts` for the full prompt.

package/src/skill/review-lenses/references/lens-test-quality.md

@@ -0,0 +1,16 @@
+---
+name: test-quality
+version: v1
+model: sonnet
+type: surface-activated
+maxSeverity: major
+activation: "test files changed, or source files changed without corresponding test changes"
+---
+
+# Test Quality Lens
+
+Finds patterns that reduce test reliability, coverage, and signal. Checks: missing assertions, testing implementation not behavior, flaky patterns, missing edge cases, over-mocking, no error path tests, missing integration tests, snapshot abuse, test data coupling, missing cleanup, missing test coverage for changed source files.
+
+When activated by "source-changed-no-tests", primary focus shifts to identifying untested source files.
+
+See `src/autonomous/review-lenses/lenses/test-quality.ts` for the full prompt.

package/src/skill/review-lenses/references/merger.md

@@ -0,0 +1,13 @@
+---
+name: merger
+version: v1
+model: sonnet
+---
+
+# Merger
+
+Synthesis step 1. Receives all validated findings from all lenses. Performs semantic deduplication (using issueKey for deterministic matches + description similarity for cross-lens matches) and conflict identification (preserving tensions without auto-resolving).
+
+Output: deduplicated findings + tensions + merge log.
+
+See `src/autonomous/review-lenses/merger.ts` for the full prompt.

package/src/skill/review-lenses/references/shared-preamble.md

@@ -0,0 +1,10 @@
+---
+name: shared-preamble
+version: v1
+---
+
+# Shared Preamble
+
+Prepended to every lens prompt by the orchestrator. Contains safety rules, output format, identity, tools, context, and false positive suppression.
+
+See the TypeScript implementation at `src/autonomous/review-lenses/shared-preamble.ts` for the canonical template with variable injection.

package/src/skill/review-lenses/review-lenses.md

@@ -0,0 +1,59 @@
+# Multi-Lens Review
+
+The multi-lens review orchestrator runs 8 specialized review agents in parallel, each analyzing the same diff or plan through a focused perspective. Findings are deduplicated semantically by a merger, then calibrated and judged for a final verdict.
+
+## When This Runs
+
+The autonomous guide invokes lenses automatically when `reviewBackends` includes `"lenses"` during CODE_REVIEW or PLAN_REVIEW stages. You don't need to invoke this manually.
+
+## Manual Invocation
+
+For debugging or standalone use:
+
+```
+/story review-lenses
+```
+
+This reads the current diff and runs the full lens pipeline outside the autonomous guide.
+
+## The 8 Lenses
+
+**Core (always run):**
+1. Clean Code -- structural quality, SRP, naming, duplication
+2. Security -- OWASP top 10, injection, auth, secrets (Opus model)
+3. Error Handling -- failure modes, missing catches, null safety
+
+**Surface-activated (based on changed files):**
+4. Performance -- N+1 queries, memory leaks, algorithmic complexity
+5. API Design -- backward compat, REST conventions, error responses
+6. Concurrency -- race conditions, deadlocks, actor isolation (Opus model)
+7. Test Quality -- coverage gaps, flaky patterns, missing assertions
+8. Accessibility -- WCAG, keyboard nav, screen reader support
+
+## Synthesis Pipeline
+
+1. **Merger** -- semantic dedup + conflict identification
+2. **Judge** -- severity calibration + stage-aware verdict
+
+## Configuration
+
+In `.story/config.json` under `recipeOverrides`:
+
+```json
+{
+  "reviewBackends": ["lenses", "codex"],
+  "lensConfig": {
+    "lenses": "auto",
+    "maxLenses": 8,
+    "hotPaths": ["src/engine/**"],
+    "lensModels": {
+      "default": "sonnet",
+      "security": "opus"
+    }
+  }
+}
+```
+
+## Prompt Files
+
+Individual lens prompts are in `references/` in this directory. Each has a version in its filename (e.g., `lens-security-v1.md`). The orchestrator reads these and injects context variables.