@anthropologies/claudestory 0.1.58 → 0.1.60

package/src/skill/review-lenses/references/lens-clean-code.md

@@ -0,0 +1,15 @@
+---
+name: clean-code
+version: v1
+model: sonnet
+type: core
+maxSeverity: major
+---
+
+# Clean Code Lens
+
+Focuses on structural quality, readability, and maintainability. Checks: long functions (>50 lines), SRP violations, naming problems, code duplication (3+ repeats), deep nesting (>3 levels), god classes (>10 public methods or >300 lines), dead code, file organization.
+
+Does NOT flag: stylistic preferences, language idioms, out-of-scope refactoring, test code, generated code.
+
+See `src/autonomous/review-lenses/lenses/clean-code.ts` for the full prompt.

package/src/skill/review-lenses/references/lens-concurrency.md

@@ -0,0 +1,16 @@
+---
+name: concurrency
+version: v1
+model: opus
+type: surface-activated
+maxSeverity: critical
+activation: ".swift, .go, .rs, shared mutable state, worker/thread imports, queue/lock/mutex primitives"
+---
+
+# Concurrency Lens
+
+Finds race conditions, deadlocks, data races, and incorrect concurrent access patterns. Uses Opus for multi-step reasoning about interleaved execution paths. Checks: race conditions, missing locks, deadlock patterns, actor isolation violations, unsafe shared mutable state (including Node.js module-level state), missing atomics, thread-unsafe lazy init, missing cancellation, channel misuse, concurrent collection mutation.
+
+For each finding, describes the specific interleaving that triggers the bug.
+
+See `src/autonomous/review-lenses/lenses/concurrency.ts` for the full prompt.

package/src/skill/review-lenses/references/lens-error-handling.md

@@ -0,0 +1,15 @@
+---
+name: error-handling
+version: v1
+model: sonnet
+type: core
+maxSeverity: critical
+---
+
+# Error Handling Lens
+
+Ensures failures are anticipated, caught, communicated, and recovered from. Checks: missing try/catch on I/O, unhandled promise rejections, swallowed errors, missing null checks, no graceful degradation, leaking internals, missing cleanup, unchecked array access, missing error propagation, inconsistent error types.
+
+Verifies TypeScript strict mode before flagging type-guaranteed values. Checks RULES.md for established error patterns.
+
+See `src/autonomous/review-lenses/lenses/error-handling.ts` for the full prompt.

package/src/skill/review-lenses/references/lens-performance.md

@@ -0,0 +1,16 @@
+---
+name: performance
+version: v1
+model: sonnet
+type: surface-activated
+maxSeverity: critical
+activation: ORM imports, nested loops >= 2, files > 300 lines, hotPaths config
+---
+
+# Performance Lens
+
+Finds patterns causing measurable performance degradation at realistic scale. Checks: N+1 queries, missing indexes, unbounded result sets, sync I/O in hot paths, memory leaks, unnecessary re-renders, large bundle imports, missing memoization, O(n^2+) algorithms, missing pagination.
+
+Does NOT flag: micro-optimizations, test code performance, premature optimization for infrequent code.
+
+See `src/autonomous/review-lenses/lenses/performance.ts` for the full prompt.

package/src/skill/review-lenses/references/lens-security.md

@@ -0,0 +1,17 @@
+---
+name: security
+version: v1
+model: opus
+type: core
+maxSeverity: critical
+---
+
+# Security Lens
+
+Thinks like an attacker -- traces data flow from untrusted input to sensitive operations. Checks: injection (SQL/NoSQL/XSS), CSRF, SSRF, mass assignment, prototype pollution, path traversal, JWT confusion, TOCTOU, hardcoded secrets, insecure deserialization, auth bypass, missing rate limiting, open redirects, prompt injection.
+
+Uses Opus model for deeper reasoning on subtle auth bypass, TOCTOU, and logic-level vulnerabilities.
+
+Requires inputSource/sink fields on every finding. Sets requiresMoreContext when data flow crosses file boundaries.
+
+See `src/autonomous/review-lenses/lenses/security.ts` for the full prompt.

package/src/skill/review-lenses/references/lens-test-quality.md

@@ -0,0 +1,16 @@
+---
+name: test-quality
+version: v1
+model: sonnet
+type: surface-activated
+maxSeverity: major
+activation: "test files changed, or source files changed without corresponding test changes"
+---
+
+# Test Quality Lens
+
+Finds patterns that reduce test reliability, coverage, and signal. Checks: missing assertions, testing implementation not behavior, flaky patterns, missing edge cases, over-mocking, no error path tests, missing integration tests, snapshot abuse, test data coupling, missing cleanup, missing test coverage for changed source files.
+
+When activated by "source-changed-no-tests", primary focus shifts to identifying untested source files.
+
+See `src/autonomous/review-lenses/lenses/test-quality.ts` for the full prompt.

package/src/skill/review-lenses/references/merger.md

@@ -0,0 +1,13 @@
+---
+name: merger
+version: v1
+model: sonnet
+---
+
+# Merger
+
+Synthesis step 1. Receives all validated findings from all lenses. Performs semantic deduplication (using issueKey for deterministic matches + description similarity for cross-lens matches) and conflict identification (preserving tensions without auto-resolving).
+
+Output: deduplicated findings + tensions + merge log.
+
+See `src/autonomous/review-lenses/merger.ts` for the full prompt.

package/src/skill/review-lenses/references/shared-preamble.md

@@ -0,0 +1,10 @@
+---
+name: shared-preamble
+version: v1
+---
+
+# Shared Preamble
+
+Prepended to every lens prompt by the orchestrator. Contains safety rules, output format, identity, tools, context, and false positive suppression.
+
+See the TypeScript implementation at `src/autonomous/review-lenses/shared-preamble.ts` for the canonical template with variable injection.

package/src/skill/review-lenses/review-lenses.md

@@ -0,0 +1,59 @@
+# Multi-Lens Review
+
+The multi-lens review orchestrator runs 8 specialized review agents in parallel, each analyzing the same diff or plan through a focused perspective. Findings are deduplicated semantically by a merger, then calibrated and judged for a final verdict.
+
+## When This Runs
+
+The autonomous guide invokes lenses automatically when `reviewBackends` includes `"lenses"` during CODE_REVIEW or PLAN_REVIEW stages. You don't need to invoke this manually.
+
+## Manual Invocation
+
+For debugging or standalone use:
+
+```
+/story review-lenses
+```
+
+This reads the current diff and runs the full lens pipeline outside the autonomous guide.
+
+## The 8 Lenses
+
+**Core (always run):**
+1. Clean Code -- structural quality, SRP, naming, duplication
+2. Security -- OWASP top 10, injection, auth, secrets (Opus model)
+3. Error Handling -- failure modes, missing catches, null safety
+
+**Surface-activated (based on changed files):**
+4. Performance -- N+1 queries, memory leaks, algorithmic complexity
+5. API Design -- backward compat, REST conventions, error responses
+6. Concurrency -- race conditions, deadlocks, actor isolation (Opus model)
+7. Test Quality -- coverage gaps, flaky patterns, missing assertions
+8. Accessibility -- WCAG, keyboard nav, screen reader support
+
+## Synthesis Pipeline
+
+1. **Merger** -- semantic dedup + conflict identification
+2. **Judge** -- severity calibration + stage-aware verdict
+
+## Configuration
+
+In `.story/config.json` under `recipeOverrides`:
+
+```json
+{
+  "reviewBackends": ["lenses", "codex"],
+  "lensConfig": {
+    "lenses": "auto",
+    "maxLenses": 8,
+    "hotPaths": ["src/engine/**"],
+    "lensModels": {
+      "default": "sonnet",
+      "security": "opus"
+    }
+  }
+}
+```
+
+## Prompt Files
+
+Individual lens prompts are in `references/` in this directory. Each has a version in its filename (e.g., `lens-security-v1.md`). The orchestrator reads these and injects context variables.