@fro.bot/systematic 2.0.3 → 2.1.0

package/skills/ce-work/SKILL.md

@@ -150,6 +150,7 @@ This command takes a work document (plan, specification, or todo file) and execu
 
    **When this matters most:** Any change that touches models with callbacks, error handling with fallback/retry, or functionality exposed through multiple interfaces.
 
+
 2. **Incremental Commits**
 
    After completing each task, evaluate whether to create an incremental commit:
@@ -234,11 +235,9 @@ This command takes a work document (plan, specification, or todo file) and execu
    # Use linting-agent before pushing to origin
    ```
 
-2. **Consider Reviewer Agents** (Optional)
-
-   Use for complex, risky, or large changes. Read agents from `systematic.local.md` frontmatter (`review_agents`). If no settings file, invoke the `setup` skill to create one.
+2. **Consider Code Review** (Optional)
 
-   Run configured agents in parallel with task tool. Present findings and address critical issues.
+   Use for complex, risky, or large changes. Load the `ce:review` skill with `mode:autofix` to fix safe issues and flag the rest before shipping.
 
 3. **Final Validation**
    - All tasks marked completed
@@ -370,6 +369,7 @@ This command takes a work document (plan, specification, or todo file) and execu
 
    ---
 
+   [![Systematic v[VERSION]](https://img.shields.io/badge/Systematic-v[VERSION]-6366f1)](https://github.com/marcusrbrown/systematic)
    🤖 Generated with [MODEL] ([CONTEXT] context, [THINKING]) via [HARNESS](HARNESS_URL)
    EOF
    )"
@@ -487,3 +487,4 @@ For most features: tests + linting + following patterns is sufficient.
 - **Forgetting to track progress** - Update task status as you go or lose track of what's done
 - **80% done syndrome** - Finish the feature, don't move on early
 - **Over-reviewing simple changes** - Save reviewer agents for complex work
+

package/skills/ce-work-beta/SKILL.md

@@ -151,6 +151,7 @@ This command takes a work document (plan, specification, or todo file) and execu
 
    **When this matters most:** Any change that touches models with callbacks, error handling with fallback/retry, or functionality exposed through multiple interfaces.
 
+
 2. **Incremental Commits**
 
    After completing each task, evaluate whether to create an incremental commit:
@@ -243,11 +244,9 @@ This command takes a work document (plan, specification, or todo file) and execu
    # Use linting-agent before pushing to origin
    ```
 
-2. **Consider Reviewer Agents** (Optional)
-
-   Use for complex, risky, or large changes. Read agents from `systematic.local.md` frontmatter (`review_agents`). If no settings file, invoke the `setup` skill to create one.
+2. **Consider Code Review** (Optional)
 
-   Run configured agents in parallel with task tool. Present findings and address critical issues.
+   Use for complex, risky, or large changes. Load the `ce:review` skill with `mode:autofix` to fix safe issues and flag the rest before shipping.
 
 3. **Final Validation**
    - All tasks marked completed
@@ -379,6 +378,7 @@ This command takes a work document (plan, specification, or todo file) and execu
 
    ---
 
+   [![Systematic v[VERSION]](https://img.shields.io/badge/Systematic-v[VERSION]-6366f1)](https://github.com/marcusrbrown/systematic)
    🤖 Generated with [MODEL] ([CONTEXT] context, [THINKING]) via [HARNESS](HARNESS_URL)
    EOF
    )"
@@ -468,7 +468,7 @@ When external delegation is active, follow this workflow for each tagged task. D
 
    Verify the delegate CLI is installed. If not found, print "Delegate CLI not installed - continuing with standard mode." and proceed normally.
 
-2. **Build prompt** — For each task, assemble a prompt from the plan's implementation unit (Goal, Files, Approach, Conventions from `systematic.local.md`). Include rules: no git commits, no PRs, run `git status` and `git diff --stat` when done. Never embed credentials or tokens in the prompt - pass auth through environment variables.
+2. **Build prompt** — For each task, assemble a prompt from the plan's implementation unit (Goal, Files, Approach, Conventions from project AGENTS.md/AGENTS.md). Include rules: no git commits, no PRs, run `git status` and `git diff --stat` when done. Never embed credentials or tokens in the prompt - pass auth through environment variables.
 
 3. **Write prompt to file** — Save the assembled prompt to a unique temporary file to avoid shell quoting issues and cross-task races. Use a unique filename per task.
 
@@ -560,3 +560,4 @@ For most features: tests + linting + following patterns is sufficient.
 - **Forgetting to track progress** - Update task status as you go or lose track of what's done
 - **80% done syndrome** - Finish the feature, don't move on early
 - **Over-reviewing simple changes** - Save reviewer agents for complex work
+

package/skills/claude-permissions-optimizer/scripts/extract-commands.mjs

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 
-// Extracts, normalizes, and pre-classifies Bash commands from OpenCode sessions.
+// Extracts, normalizes, and pre-classifies Bash commands from Claude Code sessions.
 // Filters against the current allowlist, groups by normalized pattern, and classifies
 // each pattern as green/yellow/red so the model can review rather than classify from scratch.
 //
@@ -15,6 +15,7 @@
 import { readdir, readFile, stat } from 'node:fs/promises'
 import { homedir } from 'node:os'
 import { join } from 'node:path'
+import { normalize } from './normalize.mjs'
 
 const args = process.argv.slice(2)
 
@@ -42,9 +43,8 @@ const maxSessions = parseInt(flag('max-sessions', '500'), 10)
 const minCount = parseInt(flag('min-count', '5'), 10)
 const projectSlugFilter = flag('project-slug', null)
 const settingsPaths = flagAll('settings')
-const opencodeDir =
-  process.env.OPENCODE_CONFIG_DIR || join(homedir(), '.config', 'opencode')
-const projectsDir = join(opencodeDir, 'projects')
+const claudeDir = process.env.CLAUDE_CONFIG_DIR || join(homedir(), '.claude')
+const projectsDir = join(claudeDir, 'projects')
 const cutoff = Date.now() - days * 24 * 60 * 60 * 1000
 
 // ── Allowlist loading ──────────────────────────────────────────────────────
@@ -70,9 +70,9 @@ async function loadAllowlist(filePath) {
 }
 
 if (settingsPaths.length === 0) {
-  settingsPaths.push(join(opencodeDir, 'settings.json'))
-  settingsPaths.push(join(process.cwd(), '.opencode', 'settings.json'))
-  settingsPaths.push(join(process.cwd(), '.opencode', 'settings.local.json'))
+  settingsPaths.push(join(claudeDir, 'settings.json'))
+  settingsPaths.push(join(process.cwd(), '.claude', 'settings.json'))
+  settingsPaths.push(join(process.cwd(), '.claude', 'settings.local.json'))
 }
 
 for (const p of settingsPaths) {
@@ -320,7 +320,7 @@ const GREEN_COMPOUND = [
   /\b--dry-run\b/,
   /^git\s+clean\s+.*(-[a-z]*n|--dry-run)\b/, // git clean dry run
   // NOTE: find is intentionally NOT green. Bash(find *) would also match
-  // find -delete and find -exec rm in OpenCode's allowlist glob matching.
+  // find -delete and find -exec rm in Claude Code's allowlist glob matching.
   // Commands with mode-switching flags: only green when the normalized pattern
   // is narrow enough that the allowlist glob can't match the destructive form.
   // Bash(sed -n *) is safe; Bash(sed *) would also match sed -i.
@@ -410,156 +410,7 @@ function classify(command) {
   return { tier: 'unknown' }
 }
 
-// ── Normalization ──────────────────────────────────────────────────────────
-
-// Risk-modifying flags that must NOT be collapsed into wildcards.
-// Global flags are always preserved; context-specific flags only matter
-// for certain base commands.
-const GLOBAL_RISK_FLAGS = new Set([
-  '--force',
-  '--hard',
-  '-rf',
-  '--privileged',
-  '--no-verify',
-  '--system',
-  '--force-with-lease',
-  '-D',
-  '--force-if-includes',
-  '--volumes',
-  '--rmi',
-  '--rewrite',
-  '--delete',
-])
-
-// Flags that are only risky for specific base commands.
-// -f means force-push in git, force-remove in docker, but pattern-file in grep.
-// -v means remove-volumes in docker-compose, but verbose everywhere else.
-const CONTEXTUAL_RISK_FLAGS = {
-  '-f': new Set(['git', 'docker', 'rm']),
-  '-v': new Set(['docker', 'docker-compose']),
-}
-
-function isRiskFlag(token, base) {
-  if (GLOBAL_RISK_FLAGS.has(token)) return true
-  // Check context-specific flags
-  const contexts = CONTEXTUAL_RISK_FLAGS[token]
-  if (contexts && base && contexts.has(base)) return true
-  // Combined short flags containing risk chars: -rf, -fr, -fR, etc.
-  if (/^-[a-zA-Z]*[rf][a-zA-Z]*$/.test(token) && token.length <= 4) return true
-  return false
-}
-
-// biome-ignore lint/complexity/noExcessiveCognitiveComplexity: command normalization intentionally centralizes risk checks and pattern shaping.
-function normalize(command) {
-  // Don't normalize shell injection patterns
-  if (/\|\s*(sh|bash|zsh)\b/.test(command)) return command
-  // Don't normalize sudo -- keep as-is
-  if (/^sudo\s/.test(command)) return 'sudo *'
-
-  // Handle pnpm --filter <pkg> <subcommand> specially
-  const pnpmFilter = command.match(/^pnpm\s+--filter\s+\S+\s+(\S+)/)
-  if (pnpmFilter) return `pnpm --filter * ${pnpmFilter[1]} *`
-
-  // Handle sed specially -- preserve the mode flag to keep safe patterns narrow.
-  // sed -i (in-place) is destructive; sed -n, sed -e, bare sed are read-only.
-  if (/^sed\s/.test(command)) {
-    if (/\s-i\b/.test(command)) return 'sed -i *'
-    const sedFlag = command.match(/^sed\s+(-[a-zA-Z])\s/)
-    return sedFlag ? `sed ${sedFlag[1]} *` : 'sed *'
-  }
-
-  // Handle ast-grep specially -- preserve --rewrite flag.
-  if (/^(ast-grep|sg)\s/.test(command)) {
-    const base = command.startsWith('sg') ? 'sg' : 'ast-grep'
-    return /\s--rewrite\b/.test(command) ? `${base} --rewrite *` : `${base} *`
-  }
-
-  // Handle find specially -- preserve key action flags.
-  // find -delete and find -exec rm are destructive; find -name/-type are safe.
-  if (/^find\s/.test(command)) {
-    if (/\s-delete\b/.test(command)) return 'find -delete *'
-    if (/\s-exec\s/.test(command)) return 'find -exec *'
-    // Extract the first predicate flag for a narrower safe pattern
-    const findFlag = command.match(/\s(-(?:name|type|path|iname))\s/)
-    return findFlag ? `find ${findFlag[1]} *` : 'find *'
-  }
-
-  // Handle git -C <dir> <subcommand> -- strip the -C <dir> and normalize the git subcommand
-  const gitC = command.match(/^git\s+-C\s+\S+\s+(.+)$/)
-  if (gitC) return normalize(`git ${gitC[1]}`)
-
-  // Split on compound operators -- normalize the first command only
-  const compoundMatch = command.match(/^(.+?)\s*(&&|\|\||;)\s*(.+)$/)
-  if (compoundMatch) {
-    return normalize(compoundMatch[1].trim())
-  }
-
-  // Strip trailing pipe chains for normalization (e.g., `cmd | tail -5`)
-  // but preserve pipe-to-shell (already handled by shell injection check above)
-  const pipeMatch = command.match(/^(.+?)\s*\|\s*(.+)$/)
-  if (pipeMatch) {
-    return normalize(pipeMatch[1].trim())
-  }
-
-  // Strip trailing redirections (2>&1, > file, >> file)
-  const cleaned = command
-    .replace(/\s*[12]?>>?\s*\S+\s*$/, '')
-    .replace(/\s*2>&1\s*$/, '')
-    .trim()
-
-  const parts = cleaned.split(/\s+/)
-  if (parts.length === 0) return command
-
-  const base = parts[0]
-
-  // For git/docker/gh/npm etc, include the subcommand
-  const multiWordBases = [
-    'git',
-    'docker',
-    'docker-compose',
-    'gh',
-    'npm',
-    'bun',
-    'pnpm',
-    'yarn',
-    'cargo',
-    'pip',
-    'pip3',
-    'bundle',
-    'systemctl',
-    'kubectl',
-  ]
-
-  let prefix = base
-  let argStart = 1
-
-  if (multiWordBases.includes(base) && parts.length > 1) {
-    prefix = `${base} ${parts[1]}`
-    argStart = 2
-  }
-
-  // Preserve risk-modifying flags in the remaining args
-  const preservedFlags = []
-  for (let i = argStart; i < parts.length; i++) {
-    if (isRiskFlag(parts[i], base)) {
-      preservedFlags.push(parts[i])
-    }
-  }
-
-  // Build the normalized pattern
-  if (parts.length <= argStart && preservedFlags.length === 0) {
-    return prefix // no args, no flags: e.g., "git status"
-  }
-
-  const flagStr =
-    preservedFlags.length > 0 ? ` ${preservedFlags.join(' ')}` : ''
-  const hasVaryingArgs = parts.length > argStart + preservedFlags.length
-
-  if (hasVaryingArgs) {
-    return `${prefix + flagStr} *`
-  }
-  return prefix + flagStr
-}
+// ── Normalization (see ./normalize.mjs) ────────────────────────────────────
 
 // ── Session file scanning ──────────────────────────────────────────────────
 
@@ -587,7 +438,6 @@ async function listJsonlFiles(dir) {
   }
 }
 
-// biome-ignore lint/complexity/noExcessiveCognitiveComplexity: transcript parsing requires defensive guards for heterogeneous session data.
 async function processFile(filePath, sessionId) {
   try {
     filesScanned++

package/skills/claude-permissions-optimizer/scripts/normalize.mjs

@@ -0,0 +1,151 @@
+// Normalization helpers extracted from extract-commands.mjs for testability.
+
+// Risk-modifying flags that must NOT be collapsed into wildcards.
+// Global flags are always preserved; context-specific flags only matter
+// for certain base commands.
+const GLOBAL_RISK_FLAGS = new Set([
+  '--force',
+  '--hard',
+  '-rf',
+  '--privileged',
+  '--no-verify',
+  '--system',
+  '--force-with-lease',
+  '-D',
+  '--force-if-includes',
+  '--volumes',
+  '--rmi',
+  '--rewrite',
+  '--delete',
+])
+
+// Flags that are only risky for specific base commands.
+// -f means force-push in git, force-remove in docker, but pattern-file in grep.
+// -v means remove-volumes in docker-compose, but verbose everywhere else.
+const CONTEXTUAL_RISK_FLAGS = {
+  '-f': new Set(['git', 'docker', 'rm']),
+  '-v': new Set(['docker', 'docker-compose']),
+}
+
+export function isRiskFlag(token, base) {
+  if (GLOBAL_RISK_FLAGS.has(token)) return true
+  // Check context-specific flags
+  const contexts = Object.hasOwn(CONTEXTUAL_RISK_FLAGS, token)
+    ? CONTEXTUAL_RISK_FLAGS[token]
+    : undefined
+  if (contexts && base && contexts.has(base)) return true
+  // Combined short flags containing risk chars: -rf, -fr, -fR, etc.
+  if (/^-[a-zA-Z]*[rf][a-zA-Z]*$/.test(token) && token.length <= 4) return true
+  return false
+}
+
+export function normalize(command) {
+  // Don't normalize shell injection patterns
+  if (/\|\s*(sh|bash|zsh)\b/.test(command)) return command
+  // Don't normalize sudo -- keep as-is
+  if (/^sudo\s/.test(command)) return 'sudo *'
+
+  // Handle pnpm --filter <pkg> <subcommand> specially
+  const pnpmFilter = command.match(/^pnpm\s+--filter\s+\S+\s+(\S+)/)
+  if (pnpmFilter) return `pnpm --filter * ${pnpmFilter[1]} *`
+
+  // Handle sed specially -- preserve the mode flag to keep safe patterns narrow.
+  // sed -i (in-place) is destructive; sed -n, sed -e, bare sed are read-only.
+  if (/^sed\s/.test(command)) {
+    if (/\s-i\b/.test(command)) return 'sed -i *'
+    const sedFlag = command.match(/^sed\s+(-[a-zA-Z])\s/)
+    return sedFlag ? `sed ${sedFlag[1]} *` : 'sed *'
+  }
+
+  // Handle ast-grep specially -- preserve --rewrite flag.
+  if (/^(ast-grep|sg)\s/.test(command)) {
+    const base = command.startsWith('sg') ? 'sg' : 'ast-grep'
+    return /\s--rewrite\b/.test(command) ? `${base} --rewrite *` : `${base} *`
+  }
+
+  // Handle find specially -- preserve key action flags.
+  // find -delete and find -exec rm are destructive; find -name/-type are safe.
+  if (/^find\s/.test(command)) {
+    if (/\s-delete\b/.test(command)) return 'find -delete *'
+    if (/\s-exec\s/.test(command)) return 'find -exec *'
+    // Extract the first predicate flag for a narrower safe pattern
+    const findFlag = command.match(/\s(-(?:name|type|path|iname))\s/)
+    return findFlag ? `find ${findFlag[1]} *` : 'find *'
+  }
+
+  // Handle git -C <dir> <subcommand> -- strip the -C <dir> and normalize the git subcommand
+  const gitC = command.match(/^git\s+-C\s+\S+\s+(.+)$/)
+  if (gitC) return normalize(`git ${gitC[1]}`)
+
+  // Split on compound operators -- normalize the first command only
+  const compoundMatch = command.match(/^(.+?)\s*(&&|\|\||;)\s*(.+)$/)
+  if (compoundMatch) {
+    return normalize(compoundMatch[1].trim())
+  }
+
+  // Strip trailing pipe chains for normalization (e.g., `cmd | tail -5`)
+  // but preserve pipe-to-shell (already handled by shell injection check above)
+  const pipeMatch = command.match(/^(.+?)\s*\|\s*(.+)$/)
+  if (pipeMatch) {
+    return normalize(pipeMatch[1].trim())
+  }
+
+  // Strip trailing redirections (2>&1, > file, >> file)
+  const cleaned = command
+    .replace(/\s*[12]?>>?\s*\S+\s*$/, '')
+    .replace(/\s*2>&1\s*$/, '')
+    .trim()
+
+  const parts = cleaned.split(/\s+/)
+  if (parts.length === 0) return command
+
+  const base = parts[0]
+
+  // For git/docker/gh/npm etc, include the subcommand
+  const multiWordBases = [
+    'git',
+    'docker',
+    'docker-compose',
+    'gh',
+    'npm',
+    'bun',
+    'pnpm',
+    'yarn',
+    'cargo',
+    'pip',
+    'pip3',
+    'bundle',
+    'systemctl',
+    'kubectl',
+  ]
+
+  let prefix = base
+  let argStart = 1
+
+  if (multiWordBases.includes(base) && parts.length > 1) {
+    prefix = `${base} ${parts[1]}`
+    argStart = 2
+  }
+
+  // Preserve risk-modifying flags in the remaining args
+  const preservedFlags = []
+  for (let i = argStart; i < parts.length; i++) {
+    if (isRiskFlag(parts[i], base)) {
+      preservedFlags.push(parts[i])
+    }
+  }
+
+  // Build the normalized pattern
+  if (parts.length <= argStart && preservedFlags.length === 0) {
+    return prefix // no args, no flags: e.g., "git status"
+  }
+
+  const flagStr =
+    preservedFlags.length > 0 ? ` ${preservedFlags.join(' ')}` : ''
+  const hasVaryingArgs = parts.length > argStart + preservedFlags.length
+
+  if (hasVaryingArgs) {
+    return `${prefix + flagStr} *`
+  }
+  return prefix + flagStr
+}

package/skills/git-worktree/scripts/worktree-manager.sh

@@ -65,6 +65,137 @@ copy_env_files() {
   echo -e "  ${GREEN}✓ Copied $copied environment file(s)${NC}"
 }
 
+# Resolve the repository default branch, falling back to main when origin/HEAD
+# is unavailable (for example in single-branch clones).
+get_default_branch() {
+  local head_ref
+  head_ref=$(git symbolic-ref refs/remotes/origin/HEAD 2>/dev/null || true)
+
+  if [[ -n "$head_ref" ]]; then
+    echo "${head_ref#refs/remotes/origin/}"
+  else
+    echo "main"
+  fi
+}
+
+# Auto-trust is only safe when the worktree is created from a long-lived branch
+# the developer already controls. Review/PR branches should fall back to the
+# default branch baseline and require manual direnv approval.
+is_trusted_base_branch() {
+  local branch="$1"
+  local default_branch="$2"
+
+  [[ "$branch" == "$default_branch" ]] && return 0
+
+  case "$branch" in
+    develop|dev|trunk|staging|release/*)
+      return 0
+      ;;
+    *)
+      return 1
+      ;;
+  esac
+}
+
+# Trust development tool configs in a new worktree.
+# Worktrees get a new filesystem path that tools like mise and direnv
+# have never seen. Without trusting, these tools block with interactive
+# prompts or refuse to load configs, which breaks hooks and scripts.
+#
+# Safety: auto-trusts only configs unchanged from a trusted baseline branch.
+# Review/PR branches fall back to the default-branch baseline, and direnv
+# auto-allow is limited to trusted base branches because .envrc can source
+# additional files that direnv does not validate.
+#
+# TOCTOU between hash-check and trust is acceptable for local dev use.
+trust_dev_tools() {
+  local worktree_path="$1"
+  local base_ref="$2"
+  local allow_direnv_auto="$3"
+  local trusted=0
+  local skipped_messages=()
+  local manual_commands=()
+
+  # mise: trust the specific config file if present and unchanged
+  if command -v mise &>/dev/null; then
+    for f in .mise.toml mise.toml .tool-versions; do
+      if [[ -f "$worktree_path/$f" ]]; then
+        if _config_unchanged "$f" "$base_ref" "$worktree_path"; then
+          if (cd "$worktree_path" && mise trust "$f" --quiet); then
+            trusted=$((trusted + 1))
+          else
+            echo -e "  ${YELLOW}Warning: 'mise trust $f' failed -- run manually in $worktree_path${NC}"
+          fi
+        else
+          skipped_messages+=("mise trust $f (config differs from $base_ref)")
+          manual_commands+=("mise trust $f")
+        fi
+        break
+      fi
+    done
+  fi
+
+  # direnv: allow .envrc
+  if command -v direnv &>/dev/null; then
+    if [[ -f "$worktree_path/.envrc" ]]; then
+      if [[ "$allow_direnv_auto" != "true" ]]; then
+        skipped_messages+=("direnv allow (.envrc auto-allow is disabled for non-trusted base branches)")
+        manual_commands+=("direnv allow")
+      elif _config_unchanged ".envrc" "$base_ref" "$worktree_path"; then
+        if (cd "$worktree_path" && direnv allow); then
+          trusted=$((trusted + 1))
+        else
+          echo -e "  ${YELLOW}Warning: 'direnv allow' failed -- run manually in $worktree_path${NC}"
+        fi
+      else
+        skipped_messages+=("direnv allow (.envrc differs from $base_ref)")
+        manual_commands+=("direnv allow")
+      fi
+    fi
+  fi
+
+  if [[ $trusted -gt 0 ]]; then
+    echo -e "  ${GREEN}✓ Trusted $trusted dev tool config(s)${NC}"
+  fi
+
+  if [[ ${#skipped_messages[@]} -gt 0 ]]; then
+    echo -e "  ${YELLOW}Skipped auto-trust for config(s) requiring manual review:${NC}"
+    for item in "${skipped_messages[@]}"; do
+      echo -e "    - $item"
+    done
+    if [[ ${#manual_commands[@]} -gt 0 ]]; then
+      local joined
+      joined=$(printf ' && %s' "${manual_commands[@]}")
+      echo -e "  ${BLUE}Review the diff, then run manually: cd $worktree_path${joined}${NC}"
+    fi
+  fi
+}
+
+# Check if a config file is unchanged from the base branch.
+# Returns 0 (true) if the file is identical to the base branch version.
+# Returns 1 (false) if the file was added or modified by this branch.
+#
+# Note: rev-parse returns the stored blob hash; hash-object on a path applies
+# gitattributes filters. A mismatch causes a false negative (trust skipped),
+# which is the safe direction.
+_config_unchanged() {
+  local file="$1"
+  local base_ref="$2"
+  local worktree_path="$3"
+
+  # Reject symlinks -- trust only regular files with verifiable content
+  [[ -L "$worktree_path/$file" ]] && return 1
+
+  # Get the blob hash directly from git's object database via rev-parse
+  local base_hash
+  base_hash=$(git rev-parse "$base_ref:$file" 2>/dev/null) || return 1
+
+  local worktree_hash
+  worktree_hash=$(git hash-object "$worktree_path/$file") || return 1
+
+  [[ "$base_hash" == "$worktree_hash" ]]
+}
+
 # Create a new worktree
 create_worktree() {
   local branch_name="$1"
@@ -107,6 +238,29 @@ create_worktree() {
   # Copy environment files
   copy_env_files "$worktree_path"
 
+  # Trust dev tool configs (mise, direnv) so hooks and scripts work immediately.
+  # Long-lived integration branches can use themselves as the trust baseline,
+  # while review/PR branches fall back to the default branch and require manual
+  # direnv approval.
+  local default_branch
+  default_branch=$(get_default_branch)
+  local trust_branch="$default_branch"
+  local allow_direnv_auto="false"
+  if is_trusted_base_branch "$from_branch" "$default_branch"; then
+    trust_branch="$from_branch"
+    allow_direnv_auto="true"
+  fi
+
+  if ! git fetch origin "$trust_branch" --quiet; then
+    echo -e "  ${YELLOW}Warning: could not fetch origin/$trust_branch -- trust check may use stale data${NC}"
+  fi
+  # Skip trust entirely if the baseline ref doesn't exist locally.
+  if git rev-parse --verify "origin/$trust_branch" &>/dev/null; then
+    trust_dev_tools "$worktree_path" "origin/$trust_branch" "$allow_direnv_auto"
+  else
+    echo -e "  ${YELLOW}Skipping dev tool trust -- origin/$trust_branch not found locally${NC}"
+  fi
+
   echo -e "${GREEN}✓ Worktree created successfully!${NC}"
   echo ""
   echo "To switch to this worktree:"
@@ -321,6 +475,15 @@ Environment Files:
   - Creates .backup files if destination already exists
   - Use 'copy-env' to refresh env files after main repo changes
 
+Dev Tool Trust:
+  - Trusts mise config (.mise.toml, mise.toml, .tool-versions) and direnv (.envrc)
+  - Uses trusted base branches directly (main, develop, dev, trunk, staging, release/*)
+  - Other branches fall back to the default branch as the trust baseline
+  - direnv auto-allow is skipped on non-trusted base branches; review manually first
+  - Modified configs are flagged for manual review
+  - Only runs if the tool is installed and config exists
+  - Prevents hooks/scripts from hanging on interactive trust prompts
+
 Examples:
   worktree-manager.sh create feature-login
   worktree-manager.sh create feature-auth develop

package/skills/lfg/SKILL.md

@@ -23,9 +23,9 @@ CRITICAL: You MUST execute every step below IN ORDER. Do NOT skip any required s
 
    GATE: STOP. Verify that implementation work was performed - files were created or modified beyond the plan. Do NOT proceed to step 5 if no code changes were made.
 
-5. `/ce:review`
+5. `/ce:review mode:autofix`
 
-6. `/systematic:resolve-todo-parallel`
+6. `/systematic:todo-resolve`
 
 7. `/systematic:test-browser`
 

package/skills/orchestrating-swarms/SKILL.md

@@ -314,7 +314,7 @@ task({
 
 ## Plugin Agent Types
 
-From the `compound-engineering` plugin (examples):
+From the Systematic plugin (examples):
 
 ### Review Agents
 ```javascript