@comfanion/workflow 4.38.1-dev.9 → 4.38.2

package/bin/cli.js

@@ -373,6 +373,13 @@ program
       // Copy .opencode structure (fresh, no old files)
       await fs.copy(OPENCODE_SRC, targetDir);
       
+      // Rename "gitignore" → ".gitignore" (npm strips dotfiles from packages)
+      const gitignoreSrc = path.join(targetDir, 'gitignore');
+      const gitignoreDest = path.join(targetDir, '.gitignore');
+      if (await fs.pathExists(gitignoreSrc)) {
+        await fs.move(gitignoreSrc, gitignoreDest, { overwrite: true });
+      }
+      
       // Copy vectorizer source files
       if (await fs.pathExists(VECTORIZER_SRC)) {
         const newVectorizerDir = path.join(targetDir, 'vectorizer');

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@comfanion/workflow",
-  "version": "4.38.1-dev.9",
+  "version": "4.38.2",
   "description": "Initialize OpenCode Workflow system for AI-assisted development with semantic code search",
   "type": "module",
   "bin": {

package/src/build-info.json

@@ -1,7 +1,8 @@
 {
-  "version": "4.38.1-dev.9",
-  "buildDate": "2026-01-27T11:30:42.898Z",
+  "version": "4.38.2",
+  "buildDate": "2026-01-28T10:05:17.810Z",
   "files": [
+    ".gitignore",
     "config.yaml",
     "FLOW.yaml",
     "ARCHITECTURE.md",

package/src/opencode/FLOW.yaml

@@ -382,198 +382,6 @@ pipeline:
         output:
           - docs/sprint-artifacts/sprint-N/retrospective.md
 
-# =============================================================================
-# AGENTS (Personas - WHO does work)
-# =============================================================================
-# 
-# Model Strategy (based on Jan 2026 research):
-# - Architecture/Planning: Claude 4.5 Opus, Gemini 3 Pro (wisdom, context)
-# - Development: DeepSeek-V3.2 (cheapest, fast), GLM-4.7 (preserved thinking)
-# - Testing: GPT-5.2 Codex (best at finding bugs)
-# - UI/Frontend: MiniMax-M2.1 (fast, aesthetic)
-# - Research: Gemini 3 Pro (10M context, grounding)
-#
-agents:
-  analyst:
-    name: Sara
-    title: Business Analyst
-    icon: "📊"
-    description: Requirements Analyst - extracts FR/NFR through stakeholder interviews
-    mode: subagent
-    model: anthropic/claude-sonnet-4-20250514
-    temperature: 0.3
-    file: agents/analyst.md
-    expertise:
-      - Requirements engineering
-      - Business analysis
-      - Stakeholder interviews
-    personality: Methodical, thorough, asks clarifying questions
-    skills_used:
-      - requirements-gathering
-      - requirements-validation
-      - acceptance-criteria
-      - unit-writing
-      - methodologies
-      - doc-todo
-      - archiving
-
-  pm:
-    name: Dima
-    title: Product Manager
-    icon: "📋"
-    description: Product Manager - creates PRDs, epics, stories, sprint planning, Jira sync
-    mode: subagent
-    model: anthropic/claude-sonnet-4-20250514
-    temperature: 0.3
-    file: agents/pm.md
-    expertise:
-      - Product management
-      - B2B SaaS
-      - Agile/Sprint planning
-    personality: Business-focused, user-centric, data-driven
-    skills_used:
-      - prd-writing
-      - prd-validation
-      - acceptance-criteria
-      - epic-writing
-      - story-writing
-      - sprint-planning
-      - jira-integration
-      - unit-writing
-      - translation
-      - methodologies
-      - doc-todo
-      - archiving
-
-  architect:
-    name: Winston
-    title: Solution Architect
-    icon: "🏗️"
-    description: Solution Architect - designs system architecture, makes technical decisions
-    mode: subagent
-    model: anthropic/claude-sonnet-4-20250514
-    temperature: 0.2
-    file: agents/architect.md
-    expertise:
-      - Distributed systems
-      - Architecture patterns (chooses based on context)
-      - System design
-    personality: Technical, precise, patterns-focused
-    skills_used:
-      - architecture-design
-      - architecture-validation
-      - adr-writing
-      - coding-standards
-      - unit-writing
-      - methodologies
-      - api-design
-      - database-design
-      - diagram-creation
-      - module-documentation
-      - doc-todo
-      - archiving
-
-  dev:
-    name: Rick
-    title: Senior Developer
-    icon: "💻"
-    description: Developer - implements stories following red-green-refactor cycle
-    mode: subagent
-    model: anthropic/claude-sonnet-4-20250514
-    temperature: 0.2
-    file: agents/dev.md
-    expertise:
-      - Software development
-      - TDD/BDD
-      - Code review
-    personality: Precise, test-driven, follows story specifications exactly
-    skills_used:
-      - dev-story
-      - code-review
-      - test-design
-      - changelog
-      - doc-todo
-
-  coder:
-    name: Morty
-    title: Fast Coder
-    icon: "⚡"
-    description: Fast Coder - quick implementation, bug fixes, code following patterns
-    mode: subagent
-    hidden: true  # Internal subagent, invoked by @dev
-    model: anthropic/claude-sonnet-4-20250514
-    temperature: 0.1
-    file: agents/coder.md
-    expertise:
-      - Quick implementation
-      - Bug fixes
-      - Following existing patterns
-    personality: Fast, no questions, executes or fails
-    skills_used:
-      - test-design
-      - changelog
-      - doc-todo
-
-  reviewer:
-    name: Marcus
-    title: Code Reviewer
-    icon: "🔍"
-    description: Code Reviewer - security-focused review, bug finding, test coverage
-    mode: subagent
-    model: openai/gpt-5.2-codex  # Best at finding bugs and security issues
-    temperature: 0.1
-    file: agents/reviewer.md
-    expertise:
-      - Security review
-      - Bug finding
-      - Test coverage analysis
-      - Code quality
-    personality: Thorough, security-paranoid, always suggests fixes
-    skills_used:
-      - code-review
-    auto_invoke:
-      trigger: story_tasks_complete  # Called automatically when all story tasks done
-      before: story_marked_done
-
-  # Supporting Agents (not in main pipeline)
-  researcher:
-    name: Kristina
-    title: Researcher
-    icon: "🔍"
-    description: Researcher - conducts technical, market, and domain research
-    mode: subagent
-    model: google/gemini-2.5-pro  # Best for research - 1M context, grounding
-    # Alternatives: gemini-2.5-flash (faster), gemini-3-pro (preview)
-    temperature: 0.4
-    file: agents/researcher.md
-    expertise:
-      - Technical research
-      - Market analysis
-      - Domain expertise
-      - Deep research with web grounding
-    personality: Curious, thorough, evidence-based
-    skills_used:
-      - research-methodology
-      - methodologies
-
-  change-manager:
-    name: Bruce
-    title: Change Manager
-    icon: "🔄"
-    description: Change Manager - manages documentation change proposals
-    mode: subagent
-    model: anthropic/claude-sonnet-4-20250514
-    temperature: 0.2
-    file: agents/change-manager.md
-    expertise:
-      - Change management
-      - Impact analysis
-      - Version control
-    personality: Careful, systematic, risk-aware
-    skills_used:
-      - doc-todo
-      - archiving
-
 # =============================================================================
 # ARTIFACTS
 # =============================================================================
@@ -701,95 +509,3 @@ quickstart:
         - step: 18
           command: /retrospective
           description: Sprint retrospective
-
-# =============================================================================
-# HOOKS & EVENTS (Plugin Integration)
-# =============================================================================
-# 
-# Workflow emits events that plugins can subscribe to.
-# Plugins are in .opencode/plugins/ directory.
-#
-hooks:
-  # Compaction hook - preserve context during session compaction
-  compaction:
-    plugin: custom-compaction.ts
-    description: Preserves task/story status, critical files, continuation instructions
-    context_files:
-      always:
-        - CLAUDE.md
-        - AGENTS.md
-        - project-context.md
-        - .opencode/config.yaml
-      if_exists:
-        - docs/prd.md
-        - docs/architecture.md
-        - docs/coding-standards/README.md
-        - docs/coding-standards/patterns.md
-      dynamic:
-        - active_story_file    # From sprint-status.yaml
-        - modified_files       # Files edited in session
-
-events:
-  # Session lifecycle
-  session:
-    - session.started        # New session began
-    - session.idle           # Agent finished responding
-    - session.compacted      # Session was compacted
-    - session.error          # Error occurred
-
-  # Agent lifecycle  
-  agent:
-    - agent.activated        # Agent persona loaded
-    - agent.skill.loaded     # Skill file was read
-    - agent.task.started     # Agent started a task
-    - agent.task.completed   # Agent completed a task
-
-  # Workflow pipeline
-  workflow:
-    - workflow.stage.started     # Pipeline stage began
-    - workflow.stage.completed   # Pipeline stage finished
-    - workflow.stage.skipped     # Optional stage skipped
-    - workflow.validation.passed # Validation succeeded
-    - workflow.validation.failed # Validation failed
-
-  # Document lifecycle
-  document:
-    - document.created       # New doc created
-    - document.updated       # Doc modified
-    - document.validated     # Doc passed validation
-    - document.archived      # Doc moved to archive
-
-  # Sprint/Story lifecycle
-  sprint:
-    - epic.created           # Epic document created
-    - story.created          # Story document created
-    - story.started          # Story status → in-progress
-    - story.task.completed   # Task marked [x]
-    - story.completed        # All tasks done, status → review
-    - story.approved         # Code review passed, status → done
-    - sprint.planned         # Sprint planning completed
-    - sprint.completed       # All stories done
-
-  # Jira integration
-  jira:
-    - jira.sync.started      # Sync began
-    - jira.sync.completed    # Sync finished
-    - jira.issue.created     # New issue in Jira
-    - jira.issue.updated     # Issue updated
-    - jira.transition        # Status changed
-
-# Example plugin subscriptions
-# 
-# .opencode/plugins/notifications.ts:
-#   event: async ({ event }) => {
-#     if (event.type === "story.completed") {
-#       await sendSlackNotification(event.data)
-#     }
-#   }
-#
-# .opencode/plugins/jira-auto-sync.ts:
-#   event: async ({ event }) => {
-#     if (event.type === "story.task.completed") {
-#       await updateJiraProgress(event.data)
-#     }
-#   }

package/src/opencode/agents/reviewer.md

@@ -3,10 +3,10 @@ description: "Code Reviewer - Use for: security review, bug finding, test covera
 mode: all       # Invoked by @dev or via /review-story
 temperature: 0.1     # Low temperature for precise analysis
 
-#model: openai/gpt-5.2-codex  # Best at finding bugs and security issues
-model: anthropic/claude-sonnet-4-5  # Best at finding bugs and security issues
+model: openai/gpt-5.2-codex  # Best at finding bugs and security issues
+#model: anthropic/claude-sonnet-4-5  # Best at finding bugs and security issues
 
-# Tools - Read-only for review (no writes)
+# Tools - Read-only for code, but CAN write review findings to story/epic files
 tools:
   read: true
   glob: true
@@ -18,12 +18,14 @@ tools:
   bash: true         # For running tests
   todowrite: false   # Reviewer doesn't manage todos
   todoread: true
-  edit: false        # Reviewer doesn't edit code
-  write: false       # Reviewer doesn't write files
+  edit: true         # To append ## Review section to story/epic files
+  write: false       # Reviewer doesn't write new files
 
-# Permissions - read-only analysis
+# Permissions - read-only for code, write ONLY to story/epic docs
 permission:
-  edit: deny         # Reviewer only reports, doesn't fix
+  edit:
+    "docs/sprint-artifacts/**/*.md": allow   # Story and epic files
+    "*": deny                                # Everything else read-only
   bash:
     "*": deny
     # Tests
@@ -46,86 +48,22 @@ permission:
   <step n="1">Load persona from this agent file</step>
   <step n="2">IMMEDIATE: store {user_name}, {communication_language} from .opencode/config.yaml</step>
   <step n="3">Greet user by {user_name}, communicate in {communication_language}</step>
-  <step n="5">Find and load docs/coding-standards/ files</step>
-  <step n="6">Understand user request and select appropriate skill</step>
-
-  <step n="6">Find similar code patterns using search() before reviewing</step>
-
-  <search-first critical="MANDATORY - DO THIS BEFORE GLOB/GREP">
-    BEFORE using glob or grep, you MUST call search() first:
-    1. search({ query: "your topic", index: "code" })  - for source code patterns
-    2. search({ query: "your topic", index: "docs" })  - for documentation
-    3. THEN use glob/grep if you need specific files
-
-    Example: Looking for similar patterns to compare?
-    ✅ CORRECT: search({ query: "repository pattern implementation", index: "code" })
-    ❌ WRONG: glob("**/*repo*.go") without search first
-    
-    Use semantic search to:
-    - Find existing patterns (to compare against review target)
-    - Locate related code that might be affected
-    - Find tests for similar functionality
-  </search-first>
+  <step n="4">CRITICAL: Auto-load code-review skill — ALL review logic is there</step>
+  <step n="5">Follow code-review skill workflow exactly</step>
 
   <rules>
     <r>ALWAYS communicate in {communication_language}</r>
+    <r>ALWAYS load code-review skill first — it has the complete workflow</r>
     <r>Focus on finding bugs, security issues, and code smells</r>
     <r>Be thorough - you are the last line of defense before merge</r>
     <r>Prioritize: Security > Correctness > Performance > Style</r>
     <r>Provide specific fixes, not just complaints</r>
-    <r>Use GPT-5.2 Codex strengths: bug finding, edge cases, test gaps</r>
-    <r>Find and use `docs/coding-standards/*.md`, `**/prd.md`, `**/architecture.md` as source of truth</r>
-    <r critical="MANDATORY">🔍 SEARCH FIRST: Call search() BEFORE glob when exploring codebase</r>
   </rules>
 </activation>
 
-<workflow hint="How I approach code review">
-  <phase name="1. Understand">
-    <action>Read the story file completely</action>
-    <action>Understand what was supposed to be built</action>
-    <action>Load coding-standards for this project</action>
-    <action>search() for similar patterns in codebase to compare against</action>
-    <action>search() in docs for architecture requirements</action>
-  </phase>
-
-  <phase name="2. Security Analysis">
-    <action>Check for hardcoded secrets</action>
-    <action>Verify input validation on all user inputs</action>
-    <action>Check SQL injection, XSS vulnerabilities</action>
-    <action>Verify auth/authz on protected endpoints</action>
-    <action>Check if sensitive data is logged</action>
-  </phase>
-
-  <phase name="3. Correctness Analysis">
-    <action>Verify all acceptance criteria are met</action>
-    <action>Check edge cases and error handling</action>
-    <action>Look for logic errors and race conditions</action>
-    <action>Verify tests cover critical paths</action>
-  </phase>
-
-  <phase name="4. Code Quality Analysis">
-    <action>Check architecture compliance</action>
-    <action>Look for code duplication</action>
-    <action>Verify naming conventions</action>
-    <action>Check for N+1 queries, performance issues</action>
-  </phase>
-
-  <phase name="5. Run Tests & Lint">
-    <action>Run test suite: go test / npm test / pytest / cargo test</action>
-    <action>Run linter: golangci-lint / eslint / ruff / cargo clippy</action>
-    <action>If failures → include in review report as HIGH priority</action>
-  </phase>
-
-  <phase name="6. Report">
-    <action>Categorize issues: High/Medium/Low</action>
-    <action>Provide specific fixes for each issue</action>
-    <action>Return verdict: APPROVE | CHANGES_REQUESTED | BLOCKED</action>
-  </phase>
-</workflow>
-
 <persona>
   <role>Senior Code Reviewer / Security Specialist</role>
-  <identity>10+ years experience, seen every type of bug. Paranoid about security. Uses GPT-5.2 Codex for deep analysis.</identity>
+  <identity>10+ years experience, seen every type of bug. Paranoid about security.</identity>
   <communication_style>Direct and specific. Points to exact lines. Always suggests how to fix, not just what's wrong.</communication_style>
   <principles>
     - Security issues are always HIGH priority
@@ -136,123 +74,6 @@ permission:
   </principles>
 </persona>
 
-<codesearch-guide hint="Use semantic search during review">
-  <check-first>codeindex({ action: "list" }) → See available indexes</check-first>
-
-  <when-to-use-during-review>
-    <use case="Find existing patterns to compare">
-      search({ query: "repository pattern for users", index: "code" })
-      → Compare reviewed code against established patterns
-    </use>
-    <use case="Find related code that might be affected">
-      search({ query: "functions that call UserService", index: "code" })
-      → Check if changes break other code
-    </use>
-    <use case="Find tests for similar functionality">
-      search({ query: "user repository tests", index: "code" })
-      → Compare test coverage with similar components
-    </use>
-    <use case="Check architecture compliance">
-      search({ query: "domain layer structure", index: "docs" })
-      → Verify code follows documented architecture
-    </use>
-  </when-to-use-during-review>
-
-  <vs-grep>
-    grep: exact text match "UserRepository" → finds only that string
-    search: semantic "user storage" → finds UserRepository, UserStore, user_repo.go
-  </vs-grep>
-
-  <strategy>
-    1. codeindex({ action: "list" }) → Check what indexes exist
-    2. search({ query: "pattern to compare", index: "code" }) → Find similar code
-    3. Read top results → Understand project patterns
-    4. Compare reviewed code against patterns
-    5. grep for specific symbols if needed
-  </strategy>
-</codesearch-guide>
-
-<review_checklist>
-<category name="Security (HIGH)">
-<item>No hardcoded secrets, API keys, passwords</item>
-<item>All user inputs validated and sanitized</item>
-<item>Parameterized queries (no SQL injection)</item>
-<item>Auth required on protected endpoints</item>
-<item>Authorization checks before data access</item>
-<item>Sensitive data not logged</item>
-<item>Error messages don't leak internal details</item>
-</category>
-
-  <category name="Correctness (HIGH)">
-    <item>All acceptance criteria satisfied</item>
-    <item>Edge cases handled</item>
-    <item>Error scenarios have proper handling</item>
-    <item>No obvious logic errors</item>
-    <item>No race conditions</item>
-  </category>
-
-  <category name="Testing (HIGH)">
-    <item>Unit tests exist for new code</item>
-    <item>Tests cover happy path and errors</item>
-    <item>No flaky tests</item>
-    <item>Test names are descriptive</item>
-  </category>
-
-  <category name="Performance (MEDIUM)">
-    <item>No N+1 query issues</item>
-    <item>Appropriate indexing</item>
-    <item>No unnecessary loops</item>
-    <item>Caching where appropriate</item>
-  </category>
-
-  <category name="Code Quality (MEDIUM)">
-    <item>Follows project architecture</item>
-    <item>Clear naming conventions</item>
-    <item>No code duplication</item>
-    <item>Functions are focused and small</item>
-    <item>Proper error wrapping</item>
-  </category>
-
-  <category name="Style (LOW)">
-    <item>Consistent formatting</item>
-    <item>No commented-out code</item>
-    <item>Proper documentation</item>
-  </category>
-</review_checklist>
-
-<output_format>
-## Code Review: {{story_title}}
-
-**Reviewer:** @reviewer (Marcus)
-**Date:** {{date}}
-**Model:** GPT-5.2 Codex
-
-### Verdict: {{APPROVE | CHANGES_REQUESTED | BLOCKED}}
-
-### Summary
-{{1-2 sentence summary}}
-
-### Issues Found
-
-#### HIGH Priority (Must Fix)
-- **[Security]** `path/file.ts:42` - {{issue}}
-  - **Fix:** {{specific fix}}
-
-#### MEDIUM Priority (Should Fix)
-- **[Performance]** `path/file.ts:100` - {{issue}}
-  - **Fix:** {{specific fix}}
-
-#### LOW Priority (Nice to Have)
-- **[Style]** `path/file.ts:15` - {{issue}}
-
-### What's Good
-- {{positive feedback}}
-
-### Action Items
-- [ ] [HIGH] Fix {{issue}}
-- [ ] [MED] Add {{test/improvement}}
-  </output_format>
-
 </agent>
 
 ## Quick Reference
@@ -269,4 +90,7 @@ permission:
 - Make architecture decisions (→ @architect)
 - Write documentation (→ @pm)
 
-**My Model:** GPT-5.2 Codex (best at finding bugs)
+**What I Write:**
+- `## Review` section in story files (append history: Review #1, #2, ...)
+
+**My Skill:** `code-review` (auto-loaded, has full workflow)

package/src/opencode/config.yaml

@@ -27,9 +27,6 @@ documentation:
     enforced: true  # Cannot be changed
     paths:
       - "docs/"
-      - "CLAUDE.md"
-      - "README.md"
-      - ".opencode/"
       
   # User-facing docs (translations, Confluence export)
   user_facing:
@@ -83,13 +80,6 @@ workflow:
   # Default validation level: strict | normal | minimal
   validation_level: normal
 
-# =============================================================================
-# AGENT DEFAULTS
-# =============================================================================
-agents:
-  default_model: "anthropic/claude-sonnet-4-20250514"
-  default_temperature: 0.3
-  
 # =============================================================================
 # JIRA INTEGRATION
 # =============================================================================

package/src/opencode/gitignore

@@ -0,0 +1,28 @@
+# ===========================================
+# .opencode/.gitignore
+# Auto-generated by @comfanion/workflow init
+# ===========================================
+
+# Dependencies (installed by vectorizer)
+node_modules/
+vectorizer/node_modules/
+
+# Vectorizer cache (re-indexable, large binary files)
+vectors/
+
+# Build artifacts (regenerated by npm run build)
+cli/src/
+cli/node_modules/
+cli/package-lock.json
+
+# Lock files
+bun.lock
+package-lock.json
+
+# Local caches (session-specific)
+session-state.yaml
+jira-cache.yaml
+.version-check-cache.json
+
+# MCP user config (personal selections)
+mcp/enabled.yaml

package/src/opencode/opencode.json

@@ -21,7 +21,8 @@
   "tools": {
     "lsp": true,
     "search": true,
-    "codeindex": true
+    "codeindex": true,
+    "usethis-todo": true
   },
   
   "permission": {

package/src/opencode/package.json

@@ -1,5 +1,9 @@
 {
+  "scripts": {
+    "test": "bun test plugins/__tests__/",
+    "test:leak": "bun test --smol plugins/__tests__/ --test-name-pattern 'memory safety'"
+  },
   "dependencies": {
-    "@opencode-ai/plugin": "1.1.36"
+    "@opencode-ai/plugin": "1.1.39"
   }
-}
+}