@gethmy/agent 1.7.1 → 1.7.2

package/dist/review-completion.js

@@ -1,475 +0,0 @@
-import { readFileSync, statSync } from "node:fs";
-import { addLabelByName, moveCardToColumn } from "./board-helpers.js";
-import { buildTokenPayload } from "./completion.js";
-import { backfillReviewVerdict, findLatestImplementEpisode, writeEpisode, } from "./episode-writer.js";
-import { createPullRequest, detectGitProvider, getBranchWebUrl, pushBranch, renameRemoteBranch, } from "./git-pr.js";
-import { log } from "./log.js";
-import { NEED_REVIEW_LABEL, NEED_REVIEW_LABEL_COLOR, } from "./types.js";
-import { cleanupWorktree } from "./worktree.js";
-const TAG = "review-completion";
-const MAX_FINDINGS = 10;
-const REVIEW_MARKER = "---\n**Review:";
-const RUN_LOG_TAIL_BYTES = 2048;
-/**
- * Read the last N bytes of a file as UTF-8. Returns null on any IO failure —
- * the parse-error surfacing is best-effort diagnostic, it must not throw.
- */
-function tailRunLog(path, bytes = RUN_LOG_TAIL_BYTES) {
-    try {
-        const size = statSync(path).size;
-        if (size === 0)
-            return null;
-        const start = Math.max(0, size - bytes);
-        const buf = readFileSync(path);
-        return buf.subarray(start).toString("utf-8");
-    }
-    catch {
-        return null;
-    }
-}
-/**
- * Extract structured fields from a parsed JSON object into a ReviewResult.
- */
-function extractResult(parsed) {
-    const verdict = parsed.verdict === "approved" || parsed.verdict === "rejected"
-        ? parsed.verdict
-        : "rejected";
-    const findings = Array.isArray(parsed.findings)
-        ? parsed.findings
-            .filter((f) => typeof f === "object" && f !== null && "title" in f)
-            .map((f) => ({
-            severity: f.severity === "critical"
-                ? "critical"
-                : f.severity === "minor"
-                    ? "minor"
-                    : "major",
-            title: String(f.title ?? "Untitled finding"),
-            description: String(f.description ?? ""),
-            category: f.category ? String(f.category) : undefined,
-            location: f.location ? String(f.location) : undefined,
-        }))
-        : [];
-    const scopeCheck = parsed.scopeCheck &&
-        typeof parsed.scopeCheck === "object" &&
-        "status" in parsed.scopeCheck
-        ? {
-            status: ["clean", "drift", "missing"].includes(parsed.scopeCheck.status)
-                ? parsed.scopeCheck.status
-                : "clean",
-            notes: parsed.scopeCheck.notes
-                ? String(parsed.scopeCheck.notes)
-                : undefined,
-        }
-        : undefined;
-    return {
-        verdict,
-        summary: String(parsed.summary ?? "").slice(0, 2000),
-        scopeCheck,
-        findings,
-    };
-}
-/**
- * Parse Claude's review output into a structured ReviewResult.
- *
- * Tries multiple extraction strategies in order:
- * 1. ```json ... ``` fenced block (what the prompt asks for)
- * 2. Any top-level JSON object containing a "verdict" key (last-wins)
- * 3. Regex for a bare `"verdict": "approved|rejected"` anywhere — lossy
- *    but keeps the pipeline moving
- * 4. Falls back to verdict: "error" — keeps card in Review instead of
- *    bouncing it to To Do for a parse failure that isn't a code quality signal.
- */
-export function parseReviewOutput(stdout) {
-    // Strategy 1: fenced ```json block (greedy-last to handle multiple blocks)
-    const fencedBlocks = [...stdout.matchAll(/```json\s*([\s\S]*?)```/g)];
-    for (let i = fencedBlocks.length - 1; i >= 0; i--) {
-        const raw = fencedBlocks[i][1].trim();
-        try {
-            const parsed = JSON.parse(raw);
-            if (parsed && typeof parsed === "object" && "verdict" in parsed) {
-                log.debug(TAG, "Parsed review output from fenced JSON block");
-                return extractResult(parsed);
-            }
-        }
-        catch {
-            // try next block
-        }
-    }
-    // Strategy 2: scan every top-level { ... } block and take the last one
-    // that parses AND contains "verdict". This handles cases where the output
-    // has multiple stray braces before the real JSON object.
-    const candidates = [];
-    let depth = 0;
-    let start = -1;
-    for (let i = 0; i < stdout.length; i++) {
-        const ch = stdout[i];
-        if (ch === "{") {
-            if (depth === 0)
-                start = i;
-            depth++;
-        }
-        else if (ch === "}") {
-            depth--;
-            if (depth === 0 && start !== -1) {
-                candidates.push(stdout.slice(start, i + 1));
-                start = -1;
-            }
-        }
-    }
-    for (let i = candidates.length - 1; i >= 0; i--) {
-        try {
-            const parsed = JSON.parse(candidates[i]);
-            if (parsed && typeof parsed === "object" && "verdict" in parsed) {
-                log.debug(TAG, "Parsed review output from raw JSON object");
-                return extractResult(parsed);
-            }
-        }
-        catch {
-            // try next
-        }
-    }
-    // Strategy 3: regex for a bare verdict declaration anywhere in the output.
-    // Loses findings/summary but preserves approve/reject signal so the pipeline
-    // can make progress instead of looping on "error".
-    const verdictMatch = stdout.match(/"verdict"\s*:\s*"(approved|rejected)"/i);
-    if (verdictMatch) {
-        log.warn(TAG, `Parsed verdict via regex fallback — findings lost (${verdictMatch[1]})`);
-        return {
-            verdict: verdictMatch[1].toLowerCase(),
-            summary: "Parsed via regex fallback — original JSON was malformed. Check run log.",
-            findings: [],
-        };
-    }
-    // Strategy 4: nothing parseable — return error verdict so the card stays in Review
-    log.warn(TAG, "Failed to parse review JSON output — returning error verdict (card stays in Review)");
-    return {
-        verdict: "error",
-        summary: stdout.slice(0, 500),
-        findings: [],
-    };
-}
-/**
- * Get the current review cycle count from card description.
- * Looks for: Review cycle: N/M
- */
-function getReviewCycle(description) {
-    if (!description)
-        return 0;
-    const match = description.match(/Review cycle:\s*(\d+)/);
-    return match ? parseInt(match[1], 10) : 0;
-}
-/**
- * Update the review cycle marker in the card description.
- */
-function updateReviewCycleMarker(description, cycle, maxCycles) {
-    const marker = `Review cycle: ${cycle}/${maxCycles}`;
-    const existing = description.match(/Review cycle:\s*\d+\/\d+/);
-    if (existing) {
-        return description.replace(/Review cycle:\s*\d+\/\d+/, marker);
-    }
-    return `${description}\n\n${marker}`;
-}
-/**
- * Strip any previous review summary block from the description.
- */
-function stripReviewSummary(description) {
-    const idx = description.indexOf(REVIEW_MARKER);
-    if (idx === -1)
-        return description;
-    return description.slice(0, idx).trimEnd();
-}
-/**
- * Post-review completion pipeline.
- * Handles approved/rejected verdicts, creates subtasks for findings,
- * and moves the card to the appropriate column.
- */
-/**
- * Post a review verdict as a typed comment instead of mutating the card
- * description (card-comments plan, Phase 3). Best-effort — never throws.
- */
-async function postReviewComment(client, card, commentType, body) {
-    try {
-        await client.addComment(card.id, body, { commentType });
-    }
-    catch (err) {
-        log.error(TAG, `Failed to post review comment to #${card.short_id}: ${err instanceof Error ? err.message : err}`);
-    }
-}
-export async function runReviewCompletion(client, card, result, config, worktreePath, branchName, sessionStats, runLogPath, workspaceId, agentSessionId, stateStore) {
-    // Re-fetch card for fresh description (avoids stale data from enqueue time)
-    let freshDesc;
-    try {
-        const { card: fresh } = (await client.getCard(card.id));
-        freshDesc = fresh.description || "";
-    }
-    catch {
-        freshDesc = card.description || "";
-    }
-    const currentCycle = getReviewCycle(freshDesc) + 1;
-    const maxCycles = config.review.maxReviewCycles;
-    if (result.verdict === "error") {
-        // Parse failure — not a code quality signal. Keep card in Review and
-        // add the "Need Review" label so reconcile stops re-enqueueing it.
-        // Without the label, the reconcile loop would respawn the review every
-        // cycle and burn budget on the same unparseable output (see #122).
-        log.warn(TAG, `#${card.short_id} review output unparseable — labelling "${NEED_REVIEW_LABEL}" for manual inspection`);
-        try {
-            await addLabelByName(client, card, NEED_REVIEW_LABEL, NEED_REVIEW_LABEL_COLOR);
-        }
-        catch (err) {
-            log.warn(TAG, `Failed to add "${NEED_REVIEW_LABEL}" label: ${err instanceof Error ? err.message : err}`);
-        }
-        if (config.review.postFindings) {
-            const rawTail = runLogPath ? tailRunLog(runLogPath) : null;
-            // Log content routinely contains ```json fences from Claude's own
-            // output; embedding it inside a 3-backtick fence would break markdown.
-            // Use a 4-backtick fence and downgrade any 4+-backtick runs.
-            const runLogTail = rawTail
-                ? rawTail.replace(/`{4,}/g, () => "`".repeat(3))
-                : null;
-            const runLogHint = runLogPath
-                ? `Run log: \`${runLogPath}\``
-                : "Run log: (not captured)";
-            const body = [
-                "**Review — parse error.**",
-                'The review agent\'s output could not be parsed. Card stays in Review with the "Need Review" label — inspect the run log below to diagnose.',
-                runLogHint,
-                result.summary ? `Raw output (truncated):\n${result.summary}` : "",
-                runLogTail
-                    ? `Run log tail (last ${RUN_LOG_TAIL_BYTES}B):\n\`\`\`\`\n${runLogTail}\n\`\`\`\``
-                    : "",
-            ]
-                .filter(Boolean)
-                .join("\n\n");
-            await postReviewComment(client, card, "blocker", body);
-        }
-        await client.endAgentSession(card.id, {
-            status: "paused",
-            ...buildTokenPayload(sessionStats),
-        });
-        // Cleanup worktree but do NOT move the card
-        if (branchName) {
-            cleanupWorktree(worktreePath, branchName);
-        }
-        return;
-    }
-    if (result.verdict === "approved") {
-        // Ensure branch is pushed (skip in local mode — no branch to push)
-        let prUrl = null;
-        let approvedBranch = branchName;
-        if (branchName) {
-            pushBranch(branchName, worktreePath);
-            // Graduate the branch from `agent-attempts/*` to `agent/*` so the
-            // approved PR opens on a clean ref. Renaming on origin is force-with-
-            // lease + delete-old; the old ref is the same SHA, so no work is lost.
-            const failedPrefix = config.worktree.failedBranchPrefix;
-            const approvedPrefix = config.worktree.approvedBranchPrefix;
-            if (failedPrefix &&
-                approvedPrefix &&
-                branchName.startsWith(failedPrefix)) {
-                const newRef = `${approvedPrefix}${branchName.slice(failedPrefix.length)}`;
-                try {
-                    renameRemoteBranch(branchName, newRef, worktreePath);
-                    approvedBranch = newRef;
-                }
-                catch (err) {
-                    log.warn(TAG, `Branch rename failed (continuing on ${branchName}): ${err instanceof Error ? err.message : err}`);
-                }
-            }
-            // Create PR if configured
-            if (config.review.createPR && approvedBranch) {
-                const provider = detectGitProvider(worktreePath);
-                prUrl = createPullRequest(card, approvedBranch, worktreePath, config, provider);
-            }
-        }
-        // Add "Ready to Merge" label
-        await addLabelByName(client, card, config.review.approvedLabel, config.review.approvedLabelColor);
-        // Post the approval verdict as a decision comment (card stays in Review).
-        if (config.review.postFindings) {
-            const scopeLine = result.scopeCheck
-                ? `Scope: ${result.scopeCheck.status}${result.scopeCheck.notes ? ` — ${result.scopeCheck.notes}` : ""}`
-                : "";
-            const body = [
-                "**Review — approved.**",
-                result.summary || "",
-                scopeLine,
-                result.findings.length > 0
-                    ? `${result.findings.length} minor finding(s) noted.`
-                    : "",
-                prUrl ? `PR: ${prUrl}` : "",
-            ]
-                .filter(Boolean)
-                .join("\n\n");
-            await postReviewComment(client, card, "decision", body);
-        }
-        await client.endAgentSession(card.id, {
-            status: "completed",
-            progressPercent: 100,
-            ...buildTokenPayload(sessionStats),
-        });
-        log.info(TAG, `#${card.short_id} approved${prUrl ? ` — PR: ${prUrl}` : ""} — labeled "${config.review.approvedLabel}"`);
-    }
-    else {
-        // Rejected
-        const criticalFindings = result.findings
-            .filter((f) => f.severity === "critical")
-            .slice(0, MAX_FINDINGS);
-        const majorFindings = result.findings
-            .filter((f) => f.severity === "major")
-            .slice(0, MAX_FINDINGS);
-        const linkedFindings = [...criticalFindings, ...majorFindings];
-        const minorFindings = result.findings
-            .filter((f) => f.severity === "minor")
-            .slice(0, MAX_FINDINGS);
-        // Check if we've exceeded max review cycles
-        if (currentCycle >= maxCycles) {
-            log.warn(TAG, `#${card.short_id} reached max review cycles (${maxCycles}), moving to Done with note`);
-            await moveCardToColumn(client, card, config.review.moveToColumn);
-            const body = [
-                "**Review — needs human review.**",
-                `Reached max review cycles (${maxCycles}). Please review manually.`,
-                result.summary || "",
-            ]
-                .filter(Boolean)
-                .join("\n\n");
-            await postReviewComment(client, card, "blocker", body);
-            await client.endAgentSession(card.id, {
-                status: "completed",
-                ...buildTokenPayload(sessionStats),
-            });
-            // Max-cycles rejection: the verdict still teaches "this approach kept
-            // failing review" — write the episode + back-fill before exiting.
-            if (workspaceId) {
-                const origId = await findLatestImplementEpisode(client, workspaceId, card.project_id, card.short_id);
-                const reviewId = await writeEpisode(client, {
-                    kind: "review",
-                    card,
-                    workspaceId,
-                    verdict: "rejected",
-                    summary: `Reached max review cycles (${maxCycles}). ${result.summary}`,
-                    cost: sessionStats?.cost ?? null,
-                    agentSessionId: agentSessionId ?? null,
-                    originalEpisodeId: origId,
-                });
-                if (origId) {
-                    await backfillReviewVerdict(client, origId, "rejected", reviewId);
-                }
-            }
-            if (branchName) {
-                cleanupWorktree(worktreePath, branchName);
-            }
-            return;
-        }
-        // Post findings
-        if (config.review.postFindings) {
-            // Add critical + major findings as new linked cards (parallel)
-            await Promise.all(linkedFindings.map(async (finding) => {
-                try {
-                    const locationLine = finding.location
-                        ? `\n**Location:** ${finding.location}`
-                        : "";
-                    const newCard = await client.createCard(card.project_id, {
-                        title: `[Review: ${finding.severity}] ${finding.title}`,
-                        description: `Found during review of #${card.short_id} (${finding.severity}):\n\n${finding.description}${locationLine}`,
-                    });
-                    const newCardId = newCard?.card?.id;
-                    if (newCardId) {
-                        await client.addLinkToCard(card.id, newCardId, "relates_to");
-                    }
-                }
-                catch (err) {
-                    log.error(TAG, `Failed to create finding card: ${err instanceof Error ? err.message : err}`);
-                }
-            }));
-            // Add minor findings as subtasks (parallel)
-            await Promise.all(minorFindings.map(async (finding) => {
-                try {
-                    const title = finding.title.length > 120
-                        ? `${finding.title.slice(0, 117)}...`
-                        : finding.title;
-                    await client.createSubtask(card.id, title);
-                }
-                catch (err) {
-                    log.error(TAG, `Failed to create subtask: ${err instanceof Error ? err.message : err}`);
-                }
-            }));
-            // The review cycle counter stays in the description — it is functional
-            // state used to enforce maxReviewCycles, not narrative. (This also strips
-            // any legacy summary block from the description.) The review narrative
-            // goes to a summary comment instead.
-            const baseDesc = stripReviewSummary(freshDesc);
-            const updatedDesc = updateReviewCycleMarker(baseDesc, currentCycle, maxCycles);
-            try {
-                await client.updateCard(card.id, { description: updatedDesc });
-            }
-            catch (err) {
-                log.error(TAG, `Failed to update review cycle marker: ${err instanceof Error ? err.message : err}`);
-            }
-            const scopeLine = result.scopeCheck
-                ? `Scope: ${result.scopeCheck.status}${result.scopeCheck.notes ? ` — ${result.scopeCheck.notes}` : ""}`
-                : "";
-            const body = [
-                "**Review — rejected.**",
-                result.summary || "",
-                scopeLine,
-                `${criticalFindings.length} critical, ${majorFindings.length} major, ${minorFindings.length} minor finding(s).`,
-            ]
-                .filter(Boolean)
-                .join("\n\n");
-            await postReviewComment(client, card, "summary", body);
-        }
-        // Move back to failColumn (To Do) for re-implementation
-        await moveCardToColumn(client, card, config.review.failColumn);
-        const failureSummary = `Review rejected (cycle ${currentCycle}/${maxCycles}): ${criticalFindings.length} critical, ${majorFindings.length} major, ${minorFindings.length} minor`;
-        const recoveryBranch = branchName ?? undefined;
-        const recoveryUrl = branchName
-            ? getBranchWebUrl(branchName, worktreePath)
-            : null;
-        try {
-            await stateStore.recordFailureSummary(card.id, {
-                summary: failureSummary,
-                reason: "review",
-                recoveryBranch,
-            });
-        }
-        catch (err) {
-            log.debug(TAG, `recordFailureSummary failed: ${err instanceof Error ? err.message : err}`);
-        }
-        if (recoveryBranch) {
-            log.info(TAG, `#${card.short_id} recovery branch ${recoveryBranch}${recoveryUrl ? ` (${recoveryUrl})` : ""}`);
-        }
-        await client.endAgentSession(card.id, {
-            status: "failed",
-            failureReason: "review",
-            failureSummary,
-            recoveryBranch,
-            ...buildTokenPayload(sessionStats),
-        });
-        log.info(TAG, `#${card.short_id} rejected (cycle ${currentCycle}/${maxCycles}) — moved to "${config.review.failColumn}"`);
-    }
-    // Episode write + verdict back-fill (Phase 1.5). Runs for approved or
-    // rejected verdicts only — "error" verdicts return early above. Best-effort:
-    // failures are logged by writeEpisode/backfillReviewVerdict and never block
-    // worktree cleanup.
-    if (workspaceId &&
-        (result.verdict === "approved" || result.verdict === "rejected")) {
-        const originalEpisodeId = await findLatestImplementEpisode(client, workspaceId, card.project_id, card.short_id);
-        const reviewEpisodeId = await writeEpisode(client, {
-            kind: "review",
-            card,
-            workspaceId,
-            verdict: result.verdict,
-            summary: result.summary,
-            cost: sessionStats?.cost ?? null,
-            agentSessionId: agentSessionId ?? null,
-            originalEpisodeId,
-        });
-        if (originalEpisodeId) {
-            await backfillReviewVerdict(client, originalEpisodeId, result.verdict, reviewEpisodeId);
-        }
-    }
-    // Cleanup worktree (skip in local mode — no worktree to clean)
-    if (branchName) {
-        cleanupWorktree(worktreePath, branchName);
-    }
-}

package/dist/review-knowledge.d.ts

@@ -1,14 +0,0 @@
-/**
- * Embedded review and QA knowledge for the review worker.
- * Condensed from the /review checklist and /qa skill.
- */
-/**
- * Static system prompt with review methodology.
- * Covers two-pass review categories, suppressions, and severity classification.
- */
-export declare const REVIEW_SYSTEM_PROMPT = "You are a senior code reviewer. Follow this two-pass methodology strictly.\nReport findings; do NOT fix them. This is a read-only review.\n\n## Two-Pass Review\n\n### Pass 1 \u2014 CRITICAL (highest severity)\n\n**SQL & Data Safety**\n- String interpolation in SQL \u2014 use parameterized queries / prepared statements\n- TOCTOU races: check-then-set patterns that should be atomic WHERE + UPDATE\n\n**Race Conditions & Concurrency**\n- Read-check-write without uniqueness constraint or duplicate key handling\n- Status transitions without atomic WHERE old_status UPDATE SET new_status\n- Unsafe HTML rendering (dangerouslySetInnerHTML, v-html) on user-controlled data (XSS)\n\n**LLM Output Trust Boundary**\n- LLM-generated values written to DB without format validation (EMAIL_REGEXP, URI.parse, .trim())\n- Structured tool output accepted without type/shape checks before database writes\n\n**Enum & Value Completeness**\n- When the diff introduces a new enum/status/type value, trace it through every consumer\n- Check allowlists, filter arrays, and case/if-elsif chains for the new value\n- Use Grep to find all references to sibling values and Read each match \u2014 look OUTSIDE the diff\n\n### Pass 2 \u2014 INFORMATIONAL (lower severity)\n\n**Conditional Side Effects**\n- Code paths that branch but forget a side effect on one branch (e.g., promoting without attaching URL)\n\n**Dead Code & Consistency**\n- Variables assigned but never read\n- Comments/docstrings describing old behavior after code changed\n\n**Test Gaps**\n- Missing negative-path tests for new error handling\n- Security enforcement features without integration tests\n\n**Completeness Gaps**\n- Partial enum handling, incomplete error paths, missing edge cases that are straightforward to add\n\n**View/Frontend**\n- O(n*m) lookups in views (Array.find in a loop instead of Map/index)\n- Inline styles re-parsed every render\n\n## Severity Classification\n\n- **critical**: SQL safety, race conditions, XSS, LLM trust boundary violations, enum completeness gaps causing runtime errors\n- **major**: Missing requirements, broken functionality, significant completeness gaps, conditional side effects\n- **minor**: Dead code, stale comments, test gaps, minor view issues, cosmetic completeness gaps\n\n## Suppressions \u2014 DO NOT flag these\n\n- Redundancy that aids readability (e.g., present? redundant with length > 20)\n- \"Add a comment explaining why this threshold was chosen\" \u2014 thresholds change, comments rot\n- Consistency-only changes (wrapping a value to match how another constant is guarded)\n- Regex edge cases when input is constrained and the edge case never occurs in practice\n- Eval threshold changes \u2014 these are tuned empirically\n- Harmless no-ops (e.g., .reject on an element never in the array)\n- ANYTHING already addressed in the diff you are reviewing \u2014 read the FULL diff before flagging";
-/**
- * Visual QA checklist for browser-based verification.
- * Condensed from the /qa skill's per-page exploration checklist.
- */
-export declare const QA_VISUAL_CHECKLIST = "## Visual QA Checklist\n\nFor each page affected by the changes:\n\n1. **Visual scan** \u2014 Screenshot the page. Check for layout breaks, broken images, alignment issues, z-index problems.\n2. **Interactive elements** \u2014 Click every button, link, and control. Does each do what it says?\n3. **Forms** \u2014 Fill and submit. Test empty submission, invalid data, edge cases.\n4. **Navigation** \u2014 Check all paths in/out. Breadcrumbs, back button, deep links.\n5. **States** \u2014 Check empty state, loading state, error state, overflow state.\n6. **Console** \u2014 Check for JS exceptions, failed network requests (4xx/5xx), CORS errors after interactions.\n7. **Responsiveness** \u2014 If the change is visual, check mobile viewport (375px).\n\n### SPA-Specific (React/Vite)\n- Use snapshot for navigation \u2014 client-side routes may not appear in link lists.\n- Check for stale state: navigate away and back \u2014 does data refresh correctly?\n- Test browser back/forward \u2014 does the app handle history correctly?\n- Watch for hydration errors or layout shifts after dynamic content loads.";

package/dist/review-knowledge.js

@@ -1,89 +0,0 @@
-/**
- * Embedded review and QA knowledge for the review worker.
- * Condensed from the /review checklist and /qa skill.
- */
-/**
- * Static system prompt with review methodology.
- * Covers two-pass review categories, suppressions, and severity classification.
- */
-export const REVIEW_SYSTEM_PROMPT = `You are a senior code reviewer. Follow this two-pass methodology strictly.
-Report findings; do NOT fix them. This is a read-only review.
-
-## Two-Pass Review
-
-### Pass 1 — CRITICAL (highest severity)
-
-**SQL & Data Safety**
-- String interpolation in SQL — use parameterized queries / prepared statements
-- TOCTOU races: check-then-set patterns that should be atomic WHERE + UPDATE
-
-**Race Conditions & Concurrency**
-- Read-check-write without uniqueness constraint or duplicate key handling
-- Status transitions without atomic WHERE old_status UPDATE SET new_status
-- Unsafe HTML rendering (dangerouslySetInnerHTML, v-html) on user-controlled data (XSS)
-
-**LLM Output Trust Boundary**
-- LLM-generated values written to DB without format validation (EMAIL_REGEXP, URI.parse, .trim())
-- Structured tool output accepted without type/shape checks before database writes
-
-**Enum & Value Completeness**
-- When the diff introduces a new enum/status/type value, trace it through every consumer
-- Check allowlists, filter arrays, and case/if-elsif chains for the new value
-- Use Grep to find all references to sibling values and Read each match — look OUTSIDE the diff
-
-### Pass 2 — INFORMATIONAL (lower severity)
-
-**Conditional Side Effects**
-- Code paths that branch but forget a side effect on one branch (e.g., promoting without attaching URL)
-
-**Dead Code & Consistency**
-- Variables assigned but never read
-- Comments/docstrings describing old behavior after code changed
-
-**Test Gaps**
-- Missing negative-path tests for new error handling
-- Security enforcement features without integration tests
-
-**Completeness Gaps**
-- Partial enum handling, incomplete error paths, missing edge cases that are straightforward to add
-
-**View/Frontend**
-- O(n*m) lookups in views (Array.find in a loop instead of Map/index)
-- Inline styles re-parsed every render
-
-## Severity Classification
-
-- **critical**: SQL safety, race conditions, XSS, LLM trust boundary violations, enum completeness gaps causing runtime errors
-- **major**: Missing requirements, broken functionality, significant completeness gaps, conditional side effects
-- **minor**: Dead code, stale comments, test gaps, minor view issues, cosmetic completeness gaps
-
-## Suppressions — DO NOT flag these
-
-- Redundancy that aids readability (e.g., present? redundant with length > 20)
-- "Add a comment explaining why this threshold was chosen" — thresholds change, comments rot
-- Consistency-only changes (wrapping a value to match how another constant is guarded)
-- Regex edge cases when input is constrained and the edge case never occurs in practice
-- Eval threshold changes — these are tuned empirically
-- Harmless no-ops (e.g., .reject on an element never in the array)
-- ANYTHING already addressed in the diff you are reviewing — read the FULL diff before flagging`;
-/**
- * Visual QA checklist for browser-based verification.
- * Condensed from the /qa skill's per-page exploration checklist.
- */
-export const QA_VISUAL_CHECKLIST = `## Visual QA Checklist
-
-For each page affected by the changes:
-
-1. **Visual scan** — Screenshot the page. Check for layout breaks, broken images, alignment issues, z-index problems.
-2. **Interactive elements** — Click every button, link, and control. Does each do what it says?
-3. **Forms** — Fill and submit. Test empty submission, invalid data, edge cases.
-4. **Navigation** — Check all paths in/out. Breadcrumbs, back button, deep links.
-5. **States** — Check empty state, loading state, error state, overflow state.
-6. **Console** — Check for JS exceptions, failed network requests (4xx/5xx), CORS errors after interactions.
-7. **Responsiveness** — If the change is visual, check mobile viewport (375px).
-
-### SPA-Specific (React/Vite)
-- Use snapshot for navigation — client-side routes may not appear in link lists.
-- Check for stale state: navigate away and back — does data refresh correctly?
-- Test browser back/forward — does the app handle history correctly?
-- Watch for hydration errors or layout shifts after dynamic content loads.`;

package/dist/review-prompt.d.ts

@@ -1,12 +0,0 @@
-import type { EnrichedCard } from "./types.js";
-/**
- * Build the static system prompt for the review agent.
- * Contains review methodology, checklist, and QA guidance.
- * Passed via --append-system-prompt to Claude CLI.
- */
-export declare function buildReviewSystemPrompt(): string;
-/**
- * Build the card-specific user prompt for the review agent.
- * Contains the diff, requirements, and structured review steps.
- */
-export declare function buildReviewUserPrompt(enriched: EnrichedCard, branchName: string | null, worktreePath: string, previewUrl: string, diff: string, baseBranch: string): string;