@fro.bot/systematic 2.24.0 → 2.26.0

package/skills/ce-review/references/validator-template.md

@@ -0,0 +1,96 @@
+# Validator Subagent Prompt Template
+
+This template is used by the Stage 5b orchestrator to spawn one independent validator per gated finding. Variable substitution slots are filled at dispatch time.
+
+A finding is **gated** (eligible for validation) when it is P0 or P1 severity, or when `requires_verification: true`. Findings outside this band pass through to Stage 6 unvalidated and unfiltered — no validator is dispatched for them.
+
+---
+
+## Template
+
+```
+You are an independent finding validator for a code review.
+
+Your sole job is to answer three questions about one specific finding and return a JSON verdict. You do NOT add new findings, suggest fixes, or produce any output other than the JSON object below.
+
+<output-contract>
+Return ONLY valid JSON matching this schema. No prose, no markdown, no explanation outside the JSON object.
+
+{
+  "validated": <boolean>,
+  "reason": "<one sentence explaining why the finding is validated or not>"
+}
+
+Rules:
+- You are a leaf validator inside an already-running review workflow. Do not invoke systematic skills or agents. Perform your analysis directly and return the JSON verdict only.
+- You are operationally read-only. You may use non-mutating inspection tools (file reads, glob, grep, git log, git diff, git show, git blame, gh pr view) to examine the code. Do not edit project files, change branches, commit, push, create PRs, or otherwise mutate the checkout or repository state.
+- Answer the three validation questions below. Set `validated: true` only when all three answers are YES. Set `validated: false` when any answer is NO.
+- The `reason` field must be one sentence. State the specific code evidence that drove your verdict (file name, function name, or line reference when relevant). Do not repeat the finding title verbatim.
+- Be conservative: when evidence is ambiguous, prefer `validated: true` (keep the finding in the actioned set). A false negative that lets a real bug through is worse than a false positive that the human reviewer can dismiss.
+- Do not validate based on general coding principles alone. Ground your verdict in the actual code as written in this diff and the surrounding context.
+</output-contract>
+
+<validation-questions>
+Answer each question YES or NO based on the code evidence you find.
+
+1. **Is the issue real in the code as written?**
+   Read the cited file and line. Does the problem the finding describes actually exist in the current code? A finding is not real if the code already handles the case, the cited line does not contain the described issue, or the issue is in a comment or dead code path.
+
+2. **Was this issue introduced by THIS diff?**
+   Check whether the cited code is new or changed in this diff, or whether it existed before. A finding is not introduced by this diff if the code is unchanged (pre-existing). Exception: if the diff makes a pre-existing issue newly reachable or newly relevant (e.g., a new call site, a removed guard), the finding is still valid — mark it as introduced by this diff.
+
+3. **Is the issue already handled elsewhere?**
+   Check whether the problem is already mitigated by a guard, middleware, framework behavior, type constraint, or other mechanism not visible at the cited line. A finding is not valid if the issue is fully handled at a higher or lower layer that the reviewer missed.
+
+Set `validated: true` only when: the issue is real (Q1 YES), introduced by this diff or newly relevant (Q2 YES), and not already handled elsewhere (Q3 YES).
+Set `validated: false` when any question is NO, and state which question failed and why in `reason`.
+</validation-questions>
+
+<finding>
+Title: {finding_title}
+Severity: {finding_severity}
+File: {finding_file}
+Line: {finding_line}
+Reviewer(s): {finding_reviewers}
+Confidence: {finding_confidence}
+requires_verification: {finding_requires_verification}
+Suggested fix: {finding_suggested_fix}
+</finding>
+
+<review-context>
+Intent: {intent_summary}
+
+Changed files: {file_list}
+
+Diff:
+{diff}
+</review-context>
+```
+
+---
+
+## Variable Reference
+
+| Variable | Source | Description |
+|----------|--------|-------------|
+| `{finding_title}` | Stage 5 merged finding | The finding's title field |
+| `{finding_severity}` | Stage 5 merged finding | P0, P1, P2, or P3 |
+| `{finding_file}` | Stage 5 merged finding | File path cited by the finding |
+| `{finding_line}` | Stage 5 merged finding | Line number cited by the finding |
+| `{finding_reviewers}` | Stage 5 merged finding | Reviewer(s) that flagged this finding |
+| `{finding_confidence}` | Stage 5 merged finding | Confidence score (0.0–1.0) |
+| `{finding_requires_verification}` | Stage 5 merged finding | Boolean from the merged finding |
+| `{finding_suggested_fix}` | Stage 5 merged finding | Suggested fix text, or "none" |
+| `{intent_summary}` | Stage 2 output | 2–3 line description of what the change is trying to accomplish |
+| `{file_list}` | Stage 1 output | List of changed files from the scope step |
+| `{diff}` | Stage 1 output | The actual diff content to review |
+
+---
+
+## Dispatch Notes
+
+- Dispatch one validator subagent per gated finding **in parallel** to keep latency bounded.
+- Pass the full diff and file list so the validator can inspect surrounding context, not just the cited line.
+- The validator returns `{validated, reason}`. Attach both fields to the finding before Stage 6.
+- **Never drop a finding based on the validator verdict.** A finding with `validated: false` moves to the "Filtered (not validated)" presentation group in Stage 6. It is never removed from the report.
+- If a validator subagent fails or times out, treat the finding as `validated: true` (conservative fallback — keep it in the actioned set) and note the validator failure in the Coverage section.

package/skills/claude-permissions-optimizer/scripts/extract-commands.mjs

@@ -93,7 +93,7 @@ function matchGlob(pattern, command) {
   if (normalized.endsWith(' *')) {
     const base = normalized.slice(0, -2)
     const escaped = base.replace(/[.+^${}()|[\]\\]/g, '\\$&')
-    regexStr = '^' + escaped + '($| .*)'
+    regexStr = `^${escaped}($| .*)`
   } else {
     regexStr =
       '^' +
@@ -530,7 +530,7 @@ for (const [command, data] of commands) {
     continue
   }
 
-  const pattern = 'Bash(' + normalize(command) + ')'
+  const pattern = `Bash(${normalize(command)})`
   const { tier, reason } = classify(command)
 
   const existing = patternGroups.get(pattern)

package/skills/claude-permissions-optimizer/scripts/normalize.mjs

@@ -47,20 +47,20 @@ export function normalize(command) {
 
   // Handle pnpm --filter <pkg> <subcommand> specially
   const pnpmFilter = command.match(/^pnpm\s+--filter\s+\S+\s+(\S+)/)
-  if (pnpmFilter) return 'pnpm --filter * ' + pnpmFilter[1] + ' *'
+  if (pnpmFilter) return `pnpm --filter * ${pnpmFilter[1]} *`
 
   // Handle sed specially -- preserve the mode flag to keep safe patterns narrow.
   // sed -i (in-place) is destructive; sed -n, sed -e, bare sed are read-only.
   if (/^sed\s/.test(command)) {
     if (/\s-i\b/.test(command)) return 'sed -i *'
     const sedFlag = command.match(/^sed\s+(-[a-zA-Z])\s/)
-    return sedFlag ? 'sed ' + sedFlag[1] + ' *' : 'sed *'
+    return sedFlag ? `sed ${sedFlag[1]} *` : 'sed *'
   }
 
   // Handle ast-grep specially -- preserve --rewrite flag.
   if (/^(ast-grep|sg)\s/.test(command)) {
     const base = command.startsWith('sg') ? 'sg' : 'ast-grep'
-    return /\s--rewrite\b/.test(command) ? base + ' --rewrite *' : base + ' *'
+    return /\s--rewrite\b/.test(command) ? `${base} --rewrite *` : `${base} *`
   }
 
   // Handle find specially -- preserve key action flags.
@@ -70,12 +70,12 @@ export function normalize(command) {
     if (/\s-exec\s/.test(command)) return 'find -exec *'
     // Extract the first predicate flag for a narrower safe pattern
     const findFlag = command.match(/\s(-(?:name|type|path|iname))\s/)
-    return findFlag ? 'find ' + findFlag[1] + ' *' : 'find *'
+    return findFlag ? `find ${findFlag[1]} *` : 'find *'
   }
 
   // Handle git -C <dir> <subcommand> -- strip the -C <dir> and normalize the git subcommand
   const gitC = command.match(/^git\s+-C\s+\S+\s+(.+)$/)
-  if (gitC) return normalize('git ' + gitC[1])
+  if (gitC) return normalize(`git ${gitC[1]}`)
 
   // Split on compound operators -- normalize the first command only
   const compoundMatch = command.match(/^(.+?)\s*(&&|\|\||;)\s*(.+)$/)
@@ -123,7 +123,7 @@ export function normalize(command) {
   let argStart = 1
 
   if (multiWordBases.includes(base) && parts.length > 1) {
-    prefix = base + ' ' + parts[1]
+    prefix = `${base} ${parts[1]}`
     argStart = 2
   }
 
@@ -141,11 +141,11 @@ export function normalize(command) {
   }
 
   const flagStr =
-    preservedFlags.length > 0 ? ' ' + preservedFlags.join(' ') : ''
+    preservedFlags.length > 0 ? ` ${preservedFlags.join(' ')}` : ''
   const hasVaryingArgs = parts.length > argStart + preservedFlags.length
 
   if (hasVaryingArgs) {
-    return prefix + flagStr + ' *'
+    return `${prefix + flagStr} *`
   }
   return prefix + flagStr
 }

package/skills/onboarding/scripts/inventory.mjs

@@ -120,7 +120,7 @@ async function listDirNames(dir) {
   const entries = await listDir(dir)
   return entries
     .filter((e) => e.isDirectory() && !EXCLUDED_DIRS.has(e.name))
-    .map((e) => e.name + '/')
+    .map((e) => `${e.name}/`)
 }
 
 async function listFileNames(dir, opts) {
@@ -511,7 +511,7 @@ async function getStructure() {
   for (const entry of entries) {
     if (EXCLUDED_DIRS.has(entry.name)) continue
     if (entry.isDirectory()) {
-      topLevel.push(entry.name + '/')
+      topLevel.push(`${entry.name}/`)
     } else {
       topLevel.push(entry.name)
     }

package/skills/writing-skills/scripts/render-graphs.js

@@ -19,9 +19,9 @@
  * Requires: graphviz (dot) installed on system
  */
 
-const fs = require('fs')
-const path = require('path')
-const { execSync } = require('child_process')
+const fs = require('node:fs')
+const path = require('node:path')
+const { execSync } = require('node:child_process')
 
 function extractDotBlocks(markdown) {
   const blocks = []
@@ -61,7 +61,7 @@ function combineGraphs(blocks, skillName) {
     label="${block.name}";
     ${body
       .split('\n')
-      .map((line) => '  ' + line)
+      .map((line) => `  ${line}`)
       .join('\n')}
   }`
   })