@atlashub/smartstack-cli 1.37.0 → 2.1.0

package/templates/skills/efcore/steps/shared/step-00-init.md

@@ -46,21 +46,24 @@ detect_efcore_project() {
 
 ```bash
 detect_dbcontext() {
-  # Priority 1: SmartStack.Domain exists → CoreDbContext
+  # Priority 1: SmartStack.Domain exists → SmartStack source project (Core only)
   if find . -type d -name "SmartStack.Domain" | grep -q .; then
     DBCONTEXT="CoreDbContext"
     DBCONTEXT_TYPE="core"
     SCHEMA="core"
+    RUN_BOTH=false
     echo "DbContext: CoreDbContext (SmartStack.Domain found)"
     return
   fi
 
-  # Priority 2: Client with SmartStack NuGet → ExtensionsDbContext
+  # Priority 2: Client with SmartStack NuGet → BOTH contexts (Core from NuGet + Extensions local)
   if find . -name "*.csproj" -exec grep -l "SmartStack\." {} \; | grep -qv "SmartStack\."; then
-    DBCONTEXT="ExtensionsDbContext"
-    DBCONTEXT_TYPE="extensions"
-    SCHEMA="extensions"
-    echo "DbContext: ExtensionsDbContext (SmartStack NuGet reference)"
+    DBCONTEXT="CoreDbContext"
+    DBCONTEXT_TYPE="both"
+    SCHEMA="core"
+    RUN_BOTH=true
+    echo "DbContext: Both (Core from SmartStack NuGet + Extensions local)"
+    echo "  Deploy order: CoreDbContext → ExtensionsDbContext"
     return
   fi
 
@@ -68,19 +71,28 @@ detect_dbcontext() {
   CORE_CTX=$(find . -name "*.cs" -exec grep -l "CoreDbContext" {} \; 2>/dev/null | head -1)
   EXT_CTX=$(find . -name "*.cs" -exec grep -l "ExtensionsDbContext" {} \; 2>/dev/null | head -1)
 
-  if [ -n "$CORE_CTX" ] && [ -z "$EXT_CTX" ]; then
+  if [ -n "$CORE_CTX" ] && [ -n "$EXT_CTX" ]; then
+    DBCONTEXT="CoreDbContext"
+    DBCONTEXT_TYPE="both"
+    SCHEMA="core"
+    RUN_BOTH=true
+    echo "DbContext: Both (CoreDbContext + ExtensionsDbContext found)"
+  elif [ -n "$CORE_CTX" ] && [ -z "$EXT_CTX" ]; then
     DBCONTEXT="CoreDbContext"
     DBCONTEXT_TYPE="core"
     SCHEMA="core"
+    RUN_BOTH=false
   elif [ -z "$CORE_CTX" ] && [ -n "$EXT_CTX" ]; then
     DBCONTEXT="ExtensionsDbContext"
     DBCONTEXT_TYPE="extensions"
     SCHEMA="extensions"
+    RUN_BOTH=false
   else
     # Priority 4: Ask user
     DBCONTEXT=""
     DBCONTEXT_TYPE=""
     SCHEMA=""
+    RUN_BOTH=false
   fi
 }
 ```
@@ -204,6 +216,7 @@ block_production() {
 EF CORE CONTEXT
 ├── Project:    {PROJECT_NAME}
 ├── DbContext:  {DBCONTEXT} ({DBCONTEXT_TYPE})
+├── Run Both:   {RUN_BOTH} (Core → Extensions)
 ├── Schema:     {SCHEMA}
 ├── Migrations: {MIGRATIONS_DIR}
 ├── Environment:{SELECTED_ENV}
@@ -229,6 +242,7 @@ After this step, these variables are available:
 | `{branch_type}` | feature |
 | `{current_branch}` | feature/multitenant |
 | `{selected_env}` | Local |
+| `{run_both}` | true |
 
 ---
 

package/templates/skills/explore/SKILL.md

@@ -2,10 +2,15 @@
 name: explore
 description: Deep codebase exploration to answer specific questions
 argument-hint: <question>
+context: fork
+agent: Explore
+allowed-tools: Read, Grep, Glob, WebSearch, WebFetch
 ---
 
 <objective>
-Answer questions about the codebase through systematic investigation using parallel exploration agents.
+Answer questions about the codebase through systematic investigation using direct search tools.
+
+**Note:** This skill runs in an isolated context. Use Grep, Glob, and Read directly - do NOT launch Task agents.
 </objective>
 
 <quick_start>
@@ -16,57 +21,48 @@ Answer questions about the codebase through systematic investigation using paral
 ```
 </quick_start>
 
+## Task
+Research the following question: $ARGUMENTS
+
 <workflow>
 
 ## 1. Parse Question
 
-- Extract key terms and concepts from question
+- Extract key terms and concepts from the question
 - Identify file types, patterns, or areas to search
 - Determine if web research is needed
 
-## 2. Search Codebase (Parallel Agents)
+## 2. Search Codebase (Direct Tools)
 
-Launch multiple exploration agents **in parallel**:
+Use direct search tools **in parallel** where possible:
 
-**Agent 1: Codebase Exploration** (`explore-codebase`)
+**File discovery:**
 ```
-Find existing code related to: {question}
-
-Report ONLY what exists:
-1. Files that contain related code (with paths and line numbers)
-2. Existing patterns used for similar features
-3. Utility functions that might be relevant
-4. How similar features are currently structured
-5. Test file locations and patterns
-
-DO NOT suggest what to build. Just report what's there.
+Glob: pattern="**/*{keyword}*" to find related files
 ```
 
-**Agent 2: Documentation Research** (`explore-docs`)
+**Code search:**
 ```
-Research documentation for libraries used in: {question}
-
-Find:
-1. How the relevant libraries/frameworks work
-2. API documentation for tools being used
-3. Best practices from official docs
+Grep: pattern="{keyword}" to find content matches
+Grep: pattern="class {Name}" or "function {name}" for implementations
 ```
 
-**Agent 3: Web Research** (`websearch`) - *if external context needed*
+**Targeted reading:**
+```
+Read: the most relevant 3-5 files discovered
 ```
-Search for context about: {question}
 
-Find:
-1. How this is typically implemented
-2. Common patterns and approaches
-3. Known pitfalls or gotchas
+**Web research** (if external context needed):
+```
+WebSearch: "{question} best practices"
+WebFetch: documentation URLs found in the codebase
 ```
 
-**CRITICAL**: Launch agents in a SINGLE message for parallel execution.
+**CRITICAL**: Run independent searches in parallel for speed.
 
 ## 3. Analyze Findings
 
-- Read relevant files found by agents
+- Read relevant files found by searches
 - Trace relationships between files
 - Identify patterns and conventions
 - Note file paths with line numbers (e.g., `src/app.ts:42`)
@@ -83,11 +79,11 @@ Provide comprehensive response:
 
 <execution_rules>
 
-- **PARALLEL SEARCH**: Launch multiple agents simultaneously
+- **PARALLEL SEARCH**: Run independent Grep/Glob searches simultaneously
 - **CITE SOURCES**: Always reference file paths and line numbers
 - **STAY FOCUSED**: Only explore what's needed to answer the question
 - **BE THOROUGH**: Don't stop at first match - gather complete context
-- **ULTRA THINK**: Consider relationships between discovered elements
+- **NO TASK AGENTS**: Use Grep, Glob, Read, WebSearch, WebFetch directly
 
 </execution_rules>
 

package/templates/skills/feature-full/SKILL.md

@@ -8,6 +8,7 @@ description: |
   - Creating a module with notifications, workflows and/or AI
   - Need for complete user experience
   Scope: Domain → Application → Infrastructure → API → Web + Notifications + Workflows + AI
+disable-model-invocation: true
 ---
 
 # Skill Feature Full SmartStack

package/templates/skills/gitflow/SKILL.md

@@ -2,8 +2,16 @@
 name: gitflow
 description: GitFlow workflow with versioning, worktrees, and EF Core migration management. Progressive step loading for minimal context usage.
 argument-hint: "[-a] [-f|-r|-h] <action> [name]"
+disable-model-invocation: true
 ---
 
+## Current state (auto-injected)
+- Branch: !`git branch --show-current`
+- Status: !`git status --short`
+- Recent commits: !`git log --oneline -5`
+- Worktrees: !`git worktree list 2>/dev/null`
+- Config: !`cat .gitflow/config.json 2>/dev/null || echo "no config found"`
+
 <objective>
 Execute GitFlow workflows with automatic versioning, worktree management, and EF Core migration validation. Uses progressive step loading to minimize context and maintain fresh state at each phase.
 </objective>

package/templates/skills/gitflow/steps/step-start.md

@@ -207,6 +207,11 @@ DB_NAME=$(echo "${PROJECT_NAME}_${branch_type}_${BRANCH_NAME}" | cut -c1-63)
   "ConnectionStrings": {
     "DefaultConnection": "Server=localhost;Database=${DB_NAME};Trusted_Connection=true;TrustServerCertificate=true"
   },
+  "SmartStack": {
+    "AutoMigrate": true,
+    "FailOnMigrationError": true,
+    "EnableDevSeeding": true
+  },
   "Authentication": {
     "FrontendUrl": "http://localhost:${WEB_PORT}"
   },
@@ -261,14 +266,40 @@ EOF
 }
 ```
 
-#### 7c. Summary of local config
+#### 7c. Backend: launchSettings.json Local Profile
+
+**If API project detected and Properties/launchSettings.json exists:**
+```bash
+LAUNCH_SETTINGS="$API_DIR/Properties/launchSettings.json"
+[ -n "$API_DIR" ] && [ -f "$LAUNCH_SETTINGS" ] && {
+  # Use Node.js to safely add/update Local profile in launchSettings.json
+  node -e "
+    const fs = require('fs');
+    const ls = JSON.parse(fs.readFileSync('$LAUNCH_SETTINGS', 'utf8'));
+    ls.profiles = ls.profiles || {};
+    ls.profiles.Local = {
+      commandName: 'Project',
+      dotnetRunMessages: true,
+      launchBrowser: false,
+      applicationUrl: 'http://localhost:${API_PORT}',
+      environmentVariables: {
+        ASPNETCORE_ENVIRONMENT: 'Local'
+      }
+    };
+    fs.writeFileSync('$LAUNCH_SETTINGS', JSON.stringify(ls, null, 2) + '\n');
+    console.log('Updated: launchSettings.json Local profile (Port: ${API_PORT})');
+  "
+}
+```
+
+#### 7d. Summary of local config
 
 ```
 ┌─────────────────────────────────────────────────────────────┐
 │  LOCAL ENVIRONMENT CONFIGURED                               │
 ├─────────────────────────────────────────────────────────────┤
 │  Database:  ${DB_NAME}                                      │
-│  API Port:  ${API_PORT}  →  dotnet run --environment Local  │
+│  API Port:  ${API_PORT}  →  dotnet run --launch-profile Local│
 │  Web Port:  ${WEB_PORT}  →  npm run local                   │
 └─────────────────────────────────────────────────────────────┘
 ```
@@ -315,19 +346,22 @@ EOF
 ║  1. Go to worktree:                                               ║
 ║     cd {WORKTREE_PATH}                                            ║
 ║                                                                    ║
-║  2. Start local environment:                                      ║
-║     # Terminal 1 - Backend:                                       ║
-║     cd src/SmartStack.Api && dotnet run --environment Local       ║
-║     # Terminal 2 - Frontend:                                      ║
-║     cd web/smartstack-web && npm run local                        ║
+║  2. Start backend (auto-migrates Core + Extensions DB):           ║
+║     dotnet run --project src/{Project}.Api --launch-profile Local ║
+║                                                                    ║
+║  3. Reset admin password:                                         ║
+║     ss admin reset                                                ║
+║                                                                    ║
+║  4. Start frontend (other terminal):                              ║
+║     cd web/{project}-web && npm run local                         ║
 ║                                                                    ║
-║  3. Make changes and commit:                                      ║
+║  5. Make changes and commit:                                      ║
 ║     /gitflow commit                                               ║
 ║                                                                    ║
-║  4. Create pull request:                                          ║
+║  6. Create pull request:                                          ║
 ║     /gitflow pr                                                   ║
 ║                                                                    ║
-║  5. After PR merged, finalize:                                    ║
+║  7. After PR merged, finalize:                                    ║
 ║     /gitflow finish                                               ║
 ╚══════════════════════════════════════════════════════════════════╝
 ```
@@ -351,6 +385,7 @@ EOF
 - **Branch pushed to remote (AUTOMATIC)**
 - Worktree set up (if enabled)
 - Backend local config created: `appsettings.Local.json` (if .NET API detected)
+- Backend launch profile created: `launchSettings.json` Local profile with unique port (if .NET API detected)
 - Frontend local config created: `.env.local` + `npm run local` script (if web project detected)
 - Ports synchronized between backend and frontend (unique per branch)
 - State stored for subsequent steps

package/templates/skills/mcp/SKILL.md

@@ -8,12 +8,19 @@ description: |
   - Before any MCP-dependent operation fails
   - After MCP configuration changes
   Subcommands: healthcheck, tools
+model: haiku
+allowed-tools: Read, Bash, Glob
 ---
 
+## Current state (auto-injected)
+- MCP cache: !`cat .claude/mcp-status.json 2>/dev/null || echo "no cache"`
+
 # Skill MCP SmartStack
 
 Manages MCP server connectivity and health verification.
 
+> **Note:** The MCP server is now bundled inside `@atlashub/smartstack-cli`. There is no separate `@atlashub/smartstack-mcp` package.
+
 ## SUBCOMMANDS
 
 | Command | Description |
@@ -37,7 +44,7 @@ Performs a complete MCP health check and updates the cache.
 │     └─▶ Call mcp__smartstack__validate_conventions          │
 │                                                             │
 │  2. Get MCP Version                                         │
-│     └─▶ Read SmartStack.mcp/package.json                    │
+│     └─▶ smartstack --version (bundled in CLI)               │
 │                                                             │
 │  3. List Available Tools                                    │
 │     └─▶ Enumerate mcp__smartstack__* tools                  │
@@ -65,16 +72,16 @@ mcp__smartstack__validate_conventions({
    Error: <error_message>
 
    Actions:
-   1. Verify MCP is configured in Claude Code settings
-   2. Check SmartStack.mcp path: D:\01 - projets\SmartStack.mcp
+   1. Verify MCP is configured: claude mcp list
+   2. Re-register: claude mcp add smartstack -- npx -p @atlashub/smartstack-cli smartstack-mcp
    3. Restart Claude Code
 ```
 
 ### Step 2: Get Version
 
 ```bash
-# Read MCP version
-cat "D:\01 - projets\SmartStack.mcp\package.json" | grep '"version"'
+# Read CLI package version (MCP is bundled inside)
+npx smartstack --version 2>/dev/null || smartstack --version
 ```
 
 ### Step 3: List Tools
@@ -97,7 +104,7 @@ Write to `.claude/mcp-status.json`:
 {
   "lastCheck": "<ISO_DATE>",
   "mcpVersion": "<VERSION>",
-  "mcpPath": "D:\\01 - projets\\SmartStack.mcp",
+  "bundled": true,
   "status": "ok",
   "toolsAvailable": [
     "validate_conventions",
@@ -116,9 +123,8 @@ Write to `.claude/mcp-status.json`:
 MCP HEALTH CHECK ✓
 ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
   Status      : OK
-  Version     : 1.5.0
-  Path        : D:\01 - projets\SmartStack.mcp
-  Tools       : 12 available
+  Version     : 2.0.0 (bundled)
+  Tools       : 19 available
   Cache       : Updated (.claude/mcp-status.json)
 ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
   Next check  : in 7 days (auto)
@@ -129,9 +135,9 @@ MCP HEALTH CHECK ✓
 MCP HEALTH CHECK ⚠️
 ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
   Status      : UPDATE AVAILABLE
-  Current     : 1.4.0
-  Latest      : 1.5.0
-  Action      : cd SmartStack.mcp && git pull
+  Current     : 1.38.0
+  Latest      : 2.0.0
+  Action      : npm update -g @atlashub/smartstack-cli
 ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
 ```
 
@@ -143,9 +149,9 @@ MCP HEALTH CHECK ❌
   Issue       : MCP server not responding
 
   Troubleshooting:
-  1. Check Claude Code MCP configuration
-  2. Verify path: D:\01 - projets\SmartStack.mcp
-  3. Run: cd SmartStack.mcp && npm install
+  1. Check registration: claude mcp list
+  2. Re-register: claude mcp add smartstack -- npx -p @atlashub/smartstack-cli smartstack-mcp
+  3. Update CLI: npm update -g @atlashub/smartstack-cli
   4. Restart Claude Code
 ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
 ```
@@ -160,8 +166,8 @@ MCP HEALTH CHECK ❌
 ```json
 {
   "lastCheck": "2024-01-15T10:30:00.000Z",
-  "mcpVersion": "1.5.0",
-  "mcpPath": "D:\\01 - projets\\SmartStack.mcp",
+  "mcpVersion": "2.0.0",
+  "bundled": true,
   "status": "ok" | "error",
   "toolsAvailable": ["tool1", "tool2", ...],
   "errors": ["error1", ...] // only if status = error
@@ -214,6 +220,14 @@ Lists all available MCP tools with their descriptions.
 | `scaffold_frontend_extension` | Generate frontend extension infrastructure (types, slots, contexts) |
 | `analyze_extension_points` | Analyze React components for extension points |
 
+### Security & Quality Tools (4)
+| Tool | Description |
+|------|-------------|
+| `validate_security` | Validate OWASP security patterns |
+| `analyze_code_quality` | Analyze code quality metrics |
+| `analyze_hierarchy_patterns` | Analyze entity hierarchy patterns |
+| `review_code` | Comprehensive code review with security, performance, a11y checks |
+
 ### Output Format
 
 ```
@@ -241,6 +255,12 @@ FRONTEND TOOLS (5)
   scaffold_frontend_extension  Generate extension infrastructure
   analyze_extension_points  Analyze React extension points
 
+SECURITY & QUALITY TOOLS (4)
+  validate_security       Validate OWASP patterns
+  analyze_code_quality    Analyze code quality
+  analyze_hierarchy_patterns  Analyze hierarchy patterns
+  review_code             Comprehensive code review
+
 ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
-Total: 15 tools available
+Total: 19 tools available
 ```

package/templates/skills/quick-search/SKILL.md

@@ -2,12 +2,19 @@
 name: quick-search
 description: Lightning-fast search to answer specific questions - optimized for speed
 argument-hint: <question>
-allowed-tools: Grep, Glob, Read
+context: fork
+agent: Explore
 model: haiku
+allowed-tools: Grep, Glob, Read
 ---
 
+## Question
+$ARGUMENTS
+
 <objective>
 Answer questions at maximum speed using direct search tools. No agents, no deep analysis - just fast answers with citations.
+
+**Note:** This skill runs in an isolated context. Use Grep, Glob, and Read directly.
 </objective>
 
 <quick_start>

package/templates/skills/ralph-loop/SKILL.md

@@ -2,6 +2,7 @@
 name: ralph-loop
 description: Iterative AI development loop with MCP validation, progress tracking, and completion promises.
 argument-hint: "[-m N] [-c TEXT] [-v] <task description>"
+disable-model-invocation: true
 ---
 
 <objective>
@@ -245,7 +246,6 @@ Before ANY work, verify MCP servers:
 > - `task.category`: `domain` | `application` | `infrastructure` | `api` | `frontend` | `i18n` | `test` | `validation` | `other`
 > - `task.dependencies`: Array of task IDs that must be `completed` before this task can start
 > - `history`: Structured iteration journal (replaces unstructured progress.txt for traceability)
-> - **Backward compatibility**: step-00 auto-migrates v1 prd.json (with `passes` boolean) to v2 format
 </file_structure>
 
 <execution_rules>

package/templates/skills/ralph-loop/steps/step-00-init.md

@@ -1,6 +1,6 @@
 ---
 name: step-00-init
-description: Initialize Ralph loop - parse args, verify MCP, setup state, migrate v1
+description: Initialize Ralph loop - parse args, verify MCP, setup state
 next_step: steps/step-01-task.md
 ---
 
@@ -13,7 +13,7 @@ next_step: steps/step-01-task.md
 - ONLY check for resume if -r flag is set
 - YOU ARE AN INITIALIZER, not an executor
 - FORBIDDEN to load step-01 until init is complete
-- ALWAYS check prd.json version and migrate if v1
+- ALWAYS check prd.json version is v2
 
 ## YOUR TASK:
 
@@ -120,71 +120,11 @@ STOP - Do not proceed.
 ```javascript
 const prd = readJSON('.ralph/prd.json');
 
-// v1 detection: has "passes" field in tasks or no "$version"
-const isV1 = !prd.$version || prd.tasks?.some(t => 'passes' in t);
-
-if (isV1) {
-  // AUTO-MIGRATE v1 → v2
-  migrateV1toV2(prd);
-}
-```
-
-**v1 → v2 Migration logic:**
-
-```javascript
-function migrateV1toV2(prd) {
-  prd.$version = "2.0.0";
-  prd.status = prd.tasks.every(t => t.passes) ? "completed" : "in_progress";
-  prd.updated_at = new Date().toISOString();
-
-  // Migrate source field
-  if (typeof prd.source === 'string') {
-    prd.source = { type: "ba-handoff", handoff_path: prd.source, frd_path: null, brd_path: null };
-  } else if (prd.source === null || prd.source === undefined) {
-    prd.source = null;
-  }
-
-  // Group flat config fields
-  prd.config = {
-    max_iterations: prd.max_iterations || 50,
-    completion_promise: prd.completion_promise || "COMPLETE",
-    current_iteration: prd.current_iteration || 1
-  };
-  delete prd.max_iterations;
-  delete prd.completion_promise;
-  delete prd.current_iteration;
-
-  // Add metadata
-  prd.metadata = {
-    cli_version: "unknown (migrated)",
-    branch: getCurrentBranch(),
-    project_path: process.cwd(),
-    mcp_servers: { smartstack: {mcp_smartstack}, context7: {mcp_context7} }
-  };
-
-  // Migrate tasks
-  prd.tasks = prd.tasks.map(t => ({
-    id: t.id,
-    description: t.description,
-    status: t.passes ? "completed" : "pending",
-    category: "other",
-    dependencies: [],
-    acceptance_criteria: null,
-    started_at: null,
-    completed_at: t.passes ? prd.updated_at : null,
-    iteration: null,
-    commit_hash: null,
-    files_changed: { created: [], modified: [] },
-    validation: null,
-    error: null
-  }));
-
-  // Initialize history
-  prd.history = [];
-
-  // Write migrated file
-  writeJSON('.ralph/prd.json', prd);
-  echo "✅ Migrated prd.json from v1 to v2";
+if (prd.$version !== "2.0.0") {
+  echo "❌ prd.json schema version unsupported: ${prd.$version || 'missing'}";
+  echo "   Expected: 2.0.0";
+  echo "   Re-run /business-analyse to generate a fresh prd.json";
+  STOP;
 }
 ```
 
@@ -331,7 +271,7 @@ Branch: {CURRENT_BRANCH}
 - .ralph/ directory structure created
 - Completion promise defined
 - Metadata collected (branch, version, MCP status)
-- v1 prd.json migrated to v2 (if resume)
+- prd.json v2 schema validated (if resume)
 - Branch integrity validated (if resume)
 - Output is COMPACT
 - Proceeded to step-01 immediately after summary

package/templates/skills/ralph-loop/steps/step-04-check.md

@@ -8,7 +8,7 @@ next_step: steps/step-05-report.md OR steps/step-01-task.md
 
 ## YOUR TASK:
 
-Check if all tasks are complete and decide whether to output completion promise or continue to next task. Uses v2 status-based checks instead of boolean `passes`.
+Check if all tasks are complete and decide whether to output completion promise or continue to next task.
 
 ---
 

package/templates/skills/refactor/SKILL.md

@@ -2,6 +2,7 @@
 name: refactor
 description: Refactor code by finding files, grouping them, and launching parallel Snipper agents
 argument-hint: <search-pattern-or-description>
+disable-model-invocation: true
 ---
 
 <objective>

package/templates/skills/review-code/SKILL.md

@@ -1,8 +1,14 @@
 ---
 name: review-code
-description: This skill should be used when the user asks to "review code", "review this PR", "code review", "audit this code", or mentions reviewing pull requests, security checks, or code quality. Covers security (OWASP), clean code (SOLID), code smells, complexity metrics, and high-value feedback patterns. Focuses on impactful issues, not nitpicks.
+description: Expert code review covering security (OWASP), architecture, clean code (SOLID), performance, and SmartStack conventions via MCP. Use for PR reviews, security audits, and code quality checks.
+model: sonnet
 ---
 
+## Files to review (auto-injected)
+- Changed files: !`git diff --name-only HEAD~1 2>/dev/null || git diff --name-only --staged 2>/dev/null || echo "no changes detected"`
+- Diff stats: !`git diff --stat HEAD~1 2>/dev/null || git diff --stat --staged 2>/dev/null || echo "no stats"`
+- SmartStack detected: !`test -f "*.sln" && grep -l "SmartStack" *.sln 2>/dev/null && echo "YES" || echo "NO"`
+
 <objective>
 Provide expert-level code review guidance that focuses on high-impact issues: security vulnerabilities, logic errors, maintainability problems, and architectural concerns. Skip nitpicks and style issues that should be automated.
 
@@ -145,7 +151,8 @@ The MCP tool returns a structured report. Display it as-is or integrate key find
 - Authorization checks on every endpoint
 - No `eval()`, `exec()`, dangerous functions
 
-See [references/security-checklist.md](references/security-checklist.md) for OWASP Top 10 patterns.
+See [references/security-checklist.md](references/security-checklist.md) for OWASP Top 10 patterns (web application vulnerabilities).
+See [references/owasp-api-top10.md](references/owasp-api-top10.md) for OWASP API Security Top 10 (API-specific threats: BOLA, mass assignment, SSRF, resource consumption).
 </category>
 
 <category name="logic" priority="critical">
@@ -316,7 +323,8 @@ A good code review:
 <reference_guides>
 For detailed guidance and patterns:
 
-- **`references/security-checklist.md`** - OWASP Top 10, authentication patterns, input validation, common vulnerabilities
+- **`references/security-checklist.md`** - OWASP Top 10, authentication patterns, input validation, rate limiting, security headers
+- **`references/owasp-api-top10.md`** - OWASP API Security Top 10: BOLA, mass assignment, SSRF, resource consumption, SmartStack-specific detection patterns
 - **`references/clean-code-principles.md`** - SOLID principles, naming conventions, function design, code smell detection
 - **`references/feedback-patterns.md`** - Valuable vs wasteful feedback patterns, communication strategies, priority labeling
 - **`references/code-quality-metrics.md`** - Complexity calculations, maintainability index, measurement techniques