@hasna/terminal 2.0.5 → 2.3.0

package/src/output-store.ts

@@ -0,0 +1,65 @@
+// Output store — saves full raw output to disk when AI compresses it
+// Agents can read the file for full detail. Rotates to cap disk usage.
+
+import { existsSync, mkdirSync, writeFileSync, readdirSync, statSync, unlinkSync } from "fs";
+import { join } from "path";
+import { createHash } from "crypto";
+
+const OUTPUTS_DIR = join(process.env.HOME ?? "~", ".terminal", "outputs");
+const MAX_FILES = 50;
+const MAX_TOTAL_SIZE = 5 * 1024 * 1024; // 5MB
+
+/** Ensure outputs directory exists */
+function ensureDir() {
+  if (!existsSync(OUTPUTS_DIR)) mkdirSync(OUTPUTS_DIR, { recursive: true });
+}
+
+/** Generate a short hash for an output */
+function hashOutput(command: string, output: string): string {
+  return createHash("md5").update(command + output.slice(0, 1000)).digest("hex").slice(0, 12);
+}
+
+/** Rotate old files to stay within limits */
+function rotate() {
+  try {
+    const files = readdirSync(OUTPUTS_DIR)
+      .map(f => ({ name: f, path: join(OUTPUTS_DIR, f), mtime: statSync(join(OUTPUTS_DIR, f)).mtimeMs, size: statSync(join(OUTPUTS_DIR, f)).size }))
+      .sort((a, b) => b.mtime - a.mtime); // newest first
+
+    // Remove excess files
+    let totalSize = 0;
+    for (let i = 0; i < files.length; i++) {
+      totalSize += files[i].size;
+      if (i >= MAX_FILES || totalSize > MAX_TOTAL_SIZE) {
+        try { unlinkSync(files[i].path); } catch {}
+      }
+    }
+  } catch {}
+}
+
+/** Save full output to disk, return the file path */
+export function saveOutput(command: string, rawOutput: string): string {
+  ensureDir();
+
+  const hash = hashOutput(command, rawOutput);
+  const filename = `${hash}.txt`;
+  const filepath = join(OUTPUTS_DIR, filename);
+
+  // Write with command header
+  const content = `$ ${command}\n${"─".repeat(60)}\n${rawOutput}`;
+  writeFileSync(filepath, content, "utf8");
+
+  rotate();
+
+  return filepath;
+}
+
+/** Format the hint line that tells agents where to find full output */
+export function formatOutputHint(filepath: string): string {
+  return `[full output: ${filepath}]`;
+}
+
+/** Get the outputs directory path */
+export function getOutputsDir(): string {
+  return OUTPUTS_DIR;
+}

package/src/providers/base.ts

@@ -24,9 +24,11 @@ export interface LLMProvider {
 }
 
 export interface ProviderConfig {
-  provider: "cerebras" | "anthropic" | "auto";
+  provider: "cerebras" | "anthropic" | "groq" | "xai" | "auto";
   cerebrasModel?: string;
   anthropicModel?: string;
+  groqModel?: string;
+  xaiModel?: string;
 }
 
 export const DEFAULT_PROVIDER_CONFIG: ProviderConfig = {

package/src/providers/groq.ts

@@ -0,0 +1,108 @@
+// Groq provider — uses OpenAI-compatible API
+// Ultra-fast inference. Supports Llama, Qwen, Kimi models.
+
+import type { LLMProvider, ProviderOptions, StreamCallbacks } from "./base.js";
+
+const GROQ_BASE_URL = "https://api.groq.com/openai/v1";
+const DEFAULT_MODEL = "openai/gpt-oss-120b";
+
+export class GroqProvider implements LLMProvider {
+  readonly name = "groq";
+  private apiKey: string;
+
+  constructor() {
+    this.apiKey = process.env.GROQ_API_KEY ?? "";
+  }
+
+  isAvailable(): boolean {
+    return !!process.env.GROQ_API_KEY;
+  }
+
+  async complete(prompt: string, options: ProviderOptions): Promise<string> {
+    const model = options.model ?? DEFAULT_MODEL;
+    const res = await fetch(`${GROQ_BASE_URL}/chat/completions`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        Authorization: `Bearer ${this.apiKey}`,
+      },
+      body: JSON.stringify({
+        model,
+        max_tokens: options.maxTokens ?? 256,
+        messages: [
+          { role: "system", content: options.system },
+          { role: "user", content: prompt },
+        ],
+      }),
+    });
+
+    if (!res.ok) {
+      const text = await res.text();
+      throw new Error(`Groq API error ${res.status}: ${text}`);
+    }
+
+    const json = (await res.json()) as any;
+    return (json.choices?.[0]?.message?.content ?? "").trim();
+  }
+
+  async stream(prompt: string, options: ProviderOptions, callbacks: StreamCallbacks): Promise<string> {
+    const model = options.model ?? DEFAULT_MODEL;
+    const res = await fetch(`${GROQ_BASE_URL}/chat/completions`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        Authorization: `Bearer ${this.apiKey}`,
+      },
+      body: JSON.stringify({
+        model,
+        max_tokens: options.maxTokens ?? 256,
+        stream: true,
+        messages: [
+          { role: "system", content: options.system },
+          { role: "user", content: prompt },
+        ],
+      }),
+    });
+
+    if (!res.ok) {
+      const text = await res.text();
+      throw new Error(`Groq API error ${res.status}: ${text}`);
+    }
+
+    let result = "";
+    const reader = res.body?.getReader();
+    if (!reader) throw new Error("No response body");
+
+    const decoder = new TextDecoder();
+    let buffer = "";
+
+    while (true) {
+      const { done, value } = await reader.read();
+      if (done) break;
+
+      buffer += decoder.decode(value, { stream: true });
+      const lines = buffer.split("\n");
+      buffer = lines.pop() ?? "";
+
+      for (const line of lines) {
+        const trimmed = line.trim();
+        if (!trimmed.startsWith("data: ")) continue;
+        const data = trimmed.slice(6);
+        if (data === "[DONE]") break;
+
+        try {
+          const parsed = JSON.parse(data) as any;
+          const delta = parsed.choices?.[0]?.delta?.content;
+          if (delta) {
+            result += delta;
+            callbacks.onToken(result.trim());
+          }
+        } catch {
+          // skip malformed chunks
+        }
+      }
+    }
+
+    return result.trim();
+  }
+}

package/src/providers/index.ts

@@ -4,6 +4,8 @@ import type { LLMProvider, ProviderConfig } from "./base.js";
 import { DEFAULT_PROVIDER_CONFIG } from "./base.js";
 import { AnthropicProvider } from "./anthropic.js";
 import { CerebrasProvider } from "./cerebras.js";
+import { GroqProvider } from "./groq.js";
+import { XaiProvider } from "./xai.js";
 
 export type { LLMProvider, ProviderOptions, StreamCallbacks, ProviderConfig } from "./base.js";
 export { DEFAULT_PROVIDER_CONFIG } from "./base.js";
@@ -37,17 +39,37 @@ function resolveProvider(config: ProviderConfig): LLMProvider {
     return p;
   }
 
-  // auto: prefer Cerebras (open-source friendly), fall back to Anthropic
+  if (config.provider === "groq") {
+    const p = new GroqProvider();
+    if (!p.isAvailable()) throw new Error("GROQ_API_KEY not set. Run: export GROQ_API_KEY=your-key");
+    return p;
+  }
+
+  if (config.provider === "xai") {
+    const p = new XaiProvider();
+    if (!p.isAvailable()) throw new Error("XAI_API_KEY not set. Run: export XAI_API_KEY=your-key");
+    return p;
+  }
+
+  // auto: prefer Cerebras (qwen-235b, fast + accurate), then xAI, then Groq, then Anthropic
   const cerebras = new CerebrasProvider();
   if (cerebras.isAvailable()) return cerebras;
 
+  const xai = new XaiProvider();
+  if (xai.isAvailable()) return xai;
+
+  const groq = new GroqProvider();
+  if (groq.isAvailable()) return groq;
+
   const anthropic = new AnthropicProvider();
   if (anthropic.isAvailable()) return anthropic;
 
   throw new Error(
     "No API key found. Set one of:\n" +
     "  export CEREBRAS_API_KEY=your-key  (free, open-source)\n" +
-    "  export ANTHROPIC_API_KEY=your-key (Claude)"
+    "  export GROQ_API_KEY=your-key      (free, fast)\n" +
+    "  export XAI_API_KEY=your-key       (Grok, code-optimized)\n" +
+    "  export ANTHROPIC_API_KEY=your-key  (Claude)"
   );
 }
 
@@ -55,6 +77,8 @@ function resolveProvider(config: ProviderConfig): LLMProvider {
 export function availableProviders(): { name: string; available: boolean }[] {
   return [
     { name: "cerebras", available: new CerebrasProvider().isAvailable() },
+    { name: "groq", available: new GroqProvider().isAvailable() },
+    { name: "xai", available: new XaiProvider().isAvailable() },
     { name: "anthropic", available: new AnthropicProvider().isAvailable() },
   ];
 }

package/src/providers/providers.test.ts

@@ -4,9 +4,11 @@ import { availableProviders, resetProvider } from "./index.js";
 describe("providers", () => {
   it("lists available providers", () => {
     const providers = availableProviders();
-    expect(providers.length).toBe(2);
+    expect(providers.length).toBe(4);
     expect(providers[0].name).toBe("cerebras");
-    expect(providers[1].name).toBe("anthropic");
+    expect(providers[1].name).toBe("groq");
+    expect(providers[2].name).toBe("xai");
+    expect(providers[3].name).toBe("anthropic");
   });
 
   it("resetProvider clears cache", () => {

package/src/providers/xai.ts

@@ -0,0 +1,108 @@
+// xAI/Grok provider — uses OpenAI-compatible API
+// grok-code-fast-1 for code tasks, grok-4-fast for general queries.
+
+import type { LLMProvider, ProviderOptions, StreamCallbacks } from "./base.js";
+
+const XAI_BASE_URL = "https://api.x.ai/v1";
+const DEFAULT_MODEL = "grok-code-fast-1";
+
+export class XaiProvider implements LLMProvider {
+  readonly name = "xai";
+  private apiKey: string;
+
+  constructor() {
+    this.apiKey = process.env.XAI_API_KEY ?? "";
+  }
+
+  isAvailable(): boolean {
+    return !!process.env.XAI_API_KEY;
+  }
+
+  async complete(prompt: string, options: ProviderOptions): Promise<string> {
+    const model = options.model ?? DEFAULT_MODEL;
+    const res = await fetch(`${XAI_BASE_URL}/chat/completions`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        Authorization: `Bearer ${this.apiKey}`,
+      },
+      body: JSON.stringify({
+        model,
+        max_tokens: options.maxTokens ?? 256,
+        messages: [
+          { role: "system", content: options.system },
+          { role: "user", content: prompt },
+        ],
+      }),
+    });
+
+    if (!res.ok) {
+      const text = await res.text();
+      throw new Error(`xAI API error ${res.status}: ${text}`);
+    }
+
+    const json = (await res.json()) as any;
+    return (json.choices?.[0]?.message?.content ?? "").trim();
+  }
+
+  async stream(prompt: string, options: ProviderOptions, callbacks: StreamCallbacks): Promise<string> {
+    const model = options.model ?? DEFAULT_MODEL;
+    const res = await fetch(`${XAI_BASE_URL}/chat/completions`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        Authorization: `Bearer ${this.apiKey}`,
+      },
+      body: JSON.stringify({
+        model,
+        max_tokens: options.maxTokens ?? 256,
+        stream: true,
+        messages: [
+          { role: "system", content: options.system },
+          { role: "user", content: prompt },
+        ],
+      }),
+    });
+
+    if (!res.ok) {
+      const text = await res.text();
+      throw new Error(`xAI API error ${res.status}: ${text}`);
+    }
+
+    let result = "";
+    const reader = res.body?.getReader();
+    if (!reader) throw new Error("No response body");
+
+    const decoder = new TextDecoder();
+    let buffer = "";
+
+    while (true) {
+      const { done, value } = await reader.read();
+      if (done) break;
+
+      buffer += decoder.decode(value, { stream: true });
+      const lines = buffer.split("\n");
+      buffer = lines.pop() ?? "";
+
+      for (const line of lines) {
+        const trimmed = line.trim();
+        if (!trimmed.startsWith("data: ")) continue;
+        const data = trimmed.slice(6);
+        if (data === "[DONE]") break;
+
+        try {
+          const parsed = JSON.parse(data) as any;
+          const delta = parsed.choices?.[0]?.delta?.content;
+          if (delta) {
+            result += delta;
+            callbacks.onToken(result.trim());
+          }
+        } catch {
+          // skip malformed chunks
+        }
+      }
+    }
+
+    return result.trim();
+  }
+}

package/src/sessions-db.ts

@@ -45,6 +45,32 @@ function getDb(): Database {
 
     CREATE INDEX IF NOT EXISTS idx_interactions_session ON interactions(session_id);
     CREATE INDEX IF NOT EXISTS idx_sessions_started ON sessions(started_at);
+
+    CREATE TABLE IF NOT EXISTS corrections (
+      id INTEGER PRIMARY KEY AUTOINCREMENT,
+      prompt TEXT NOT NULL,
+      failed_command TEXT NOT NULL,
+      error_output TEXT,
+      corrected_command TEXT NOT NULL,
+      worked INTEGER DEFAULT 1,
+      error_type TEXT,
+      created_at INTEGER NOT NULL
+    );
+
+    CREATE TABLE IF NOT EXISTS outputs (
+      id INTEGER PRIMARY KEY AUTOINCREMENT,
+      session_id TEXT,
+      command TEXT NOT NULL,
+      raw_output_path TEXT,
+      compressed_summary TEXT,
+      tokens_raw INTEGER DEFAULT 0,
+      tokens_compressed INTEGER DEFAULT 0,
+      provider TEXT,
+      model TEXT,
+      created_at INTEGER NOT NULL
+    );
+
+    CREATE INDEX IF NOT EXISTS idx_corrections_prompt ON corrections(prompt);
   `);
 
   return db;
@@ -186,6 +212,61 @@ export function getSessionStats(): SessionStats {
   };
 }
 
+// ── Corrections ─────────────────────────────────────────────────────────────
+
+/** Record a correction: command failed, then AI retried with a better one */
+export function recordCorrection(
+  prompt: string,
+  failedCommand: string,
+  errorOutput: string,
+  correctedCommand: string,
+  worked: boolean,
+  errorType?: string,
+): void {
+  getDb().prepare(
+    "INSERT INTO corrections (prompt, failed_command, error_output, corrected_command, worked, error_type, created_at) VALUES (?, ?, ?, ?, ?, ?, ?)"
+  ).run(prompt, failedCommand, errorOutput?.slice(0, 2000) ?? "", correctedCommand, worked ? 1 : 0, errorType ?? null, Date.now());
+}
+
+/** Find similar corrections for a prompt — used to inject as negative examples */
+export function findSimilarCorrections(prompt: string, limit: number = 5): { failed_command: string; corrected_command: string; error_type: string }[] {
+  // Simple keyword matching — extract significant words from prompt
+  const words = prompt.toLowerCase().split(/\s+/).filter(w => w.length > 3);
+  if (words.length === 0) return [];
+
+  // Search corrections where the prompt shares keywords
+  const all = getDb().prepare(
+    "SELECT prompt, failed_command, corrected_command, error_type FROM corrections WHERE worked = 1 ORDER BY created_at DESC LIMIT 100"
+  ).all() as any[];
+
+  return all
+    .filter(c => {
+      const cWords = c.prompt.toLowerCase().split(/\s+/);
+      const overlap = words.filter((w: string) => cWords.some((cw: string) => cw.includes(w) || w.includes(cw)));
+      return overlap.length >= Math.min(2, words.length);
+    })
+    .slice(0, limit)
+    .map(c => ({ failed_command: c.failed_command, corrected_command: c.corrected_command, error_type: c.error_type ?? "unknown" }));
+}
+
+// ── Output tracking ─────────────────────────────────────────────────────────
+
+/** Record a compressed output for audit trail */
+export function recordOutput(
+  command: string,
+  rawOutputPath: string | null,
+  compressedSummary: string,
+  tokensRaw: number,
+  tokensCompressed: number,
+  provider?: string,
+  model?: string,
+  sessionId?: string,
+): void {
+  getDb().prepare(
+    "INSERT INTO outputs (session_id, command, raw_output_path, compressed_summary, tokens_raw, tokens_compressed, provider, model, created_at) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)"
+  ).run(sessionId ?? null, command, rawOutputPath ?? null, compressedSummary?.slice(0, 5000) ?? "", tokensRaw, tokensCompressed, provider ?? null, model ?? null, Date.now());
+}
+
 /** Close the database connection */
 export function closeDb(): void {
   if (db) { db.close(); db = null; }

package/temp/rtk/.claude/agents/code-reviewer.md

@@ -0,0 +1,221 @@
+---
+name: code-reviewer
+description: Use this agent when you need comprehensive code quality assurance, security vulnerability detection, or performance optimization analysis. This agent should be invoked PROACTIVELY after completing logical chunks of code implementation, before committing changes, or when preparing pull requests. Examples:\n\n<example>\nContext: User has just implemented a new filter for RTK.\nuser: "I've finished implementing the cargo test filter"\nassistant: "Great work on the cargo test filter! Let me use the code-reviewer agent to ensure it follows Rust best practices and token savings claims."\n<uses code-reviewer agent via Task tool>\n</example>\n\n<example>\nContext: User has completed a performance optimization.\nuser: "Here's the optimized lazy_static regex compilation"\nassistant: "Excellent! Now let me invoke the code-reviewer agent to analyze this for potential memory leaks and startup time impact."\n<uses code-reviewer agent via Task tool>\n</example>\n\n<example>\nContext: User has written a new cross-platform shell escaping function.\nuser: "I've created the escape_for_shell function with Windows support"\nassistant: "Perfect! I'm going to use the code-reviewer agent to check for shell injection vulnerabilities and cross-platform compatibility."\n<uses code-reviewer agent via Task tool>\n</example>\n\n<example>\nContext: User has modified RTK hooks for Claude Code integration.\nuser: "Updated the rtk-rewrite.sh hook"\nassistant: "Important changes! Let me immediately use the code-reviewer agent to verify hook integration security and command routing correctness."\n<uses code-reviewer agent via Task tool>\n</example>\n\n<example>\nContext: User mentions they're done with a filter implementation.\nuser: "The git log filter is complete"\nassistant: "Excellent progress! Since filters are core to RTK's value, I'm going to proactively use the code-reviewer agent to verify token savings and regex patterns."\n<uses code-reviewer agent via Task tool>\n</example>
+model: sonnet
+color: red
+skills:
+  - security-guardian
+  - backend-architect
+---
+
+You are an elite code review expert specializing in modern AI-powered code analysis, security vulnerabilities, performance optimization, and production reliability. You master static analysis tools, security scanning, and configuration review with 2024/2025 best practices.
+
+## Your Core Mission
+
+You provide comprehensive, production-grade code reviews that prevent bugs, security vulnerabilities, and production incidents. You combine deep technical expertise with modern AI-assisted review processes to deliver actionable feedback that improves code quality, security, and maintainability.
+
+## Your Review Process
+
+1. **Context Analysis**: Understand the code's purpose, scope, and business requirements. Identify the technology stack, frameworks, and architectural patterns in use.
+
+2. **Automated Analysis**: Apply appropriate static analysis tools and AI-powered review techniques:
+   - Security scanning (OWASP Top 10, vulnerability detection)
+   - Performance analysis (complexity, resource usage, bottlenecks)
+   - Code quality metrics (maintainability, technical debt)
+   - Dependency vulnerability scanning
+   - Configuration security assessment
+
+3. **Manual Expert Review**: Conduct deep analysis of:
+   - Business logic correctness and edge cases
+   - Security implications and attack vectors
+   - Performance and scalability considerations
+   - Architecture and design pattern adherence
+   - Error handling and resilience patterns
+   - Test coverage and quality
+
+4. **Structured Feedback Delivery**: Organize findings by severity:
+   - 🔴 **CRITICAL**: Security vulnerabilities, data loss risks, production-breaking issues
+   - 🟡 **IMPORTANT**: Performance problems, maintainability issues, technical debt
+   - 🟢 **RECOMMENDED**: Best practice improvements, optimization opportunities, style refinements
+
+5. **Actionable Recommendations**: For each issue:
+   - Explain WHY it's a problem (impact and consequences)
+   - Provide SPECIFIC code examples showing the fix
+   - Suggest alternative approaches when applicable
+   - Reference relevant documentation or best practices
+
+## Your Expertise Areas
+
+**Security Review**:
+
+- OWASP Top 10 vulnerability detection
+- Input validation and sanitization
+- Shell injection prevention (critical for CLI tools)
+- Command injection vulnerabilities
+- Cryptographic practices and key management
+- Secrets and credential management
+- API security and rate limiting
+
+**Performance Analysis**:
+
+- Startup time optimization (<10ms target for RTK)
+- Memory leak and resource management
+- Regex compilation overhead (lazy_static patterns)
+- Caching strategy effectiveness
+- Asynchronous programming patterns (when applicable)
+- Connection pooling and resource limits
+- Scalability bottleneck identification
+
+**Code Quality**:
+
+- SOLID principles and design patterns
+- Code duplication and refactoring opportunities
+- Naming conventions and readability
+- Technical debt assessment
+- Test coverage and quality (snapshot tests, token accuracy)
+- Documentation completeness
+
+**Configuration & Infrastructure**:
+
+- Production configuration security
+- CI/CD pipeline security
+- Environment-specific validation
+- Monitoring and observability setup
+
+## Your Communication Style
+
+- **Constructive and Educational**: Focus on teaching, not just finding faults
+- **Specific and Actionable**: Provide concrete examples and fixes
+- **Prioritized**: Clearly distinguish critical issues from nice-to-haves
+- **Balanced**: Acknowledge good practices while identifying improvements
+- **Pragmatic**: Consider development velocity and deadlines
+- **Professional**: Maintain respectful, mentor-like tone
+
+## Your Response Format
+
+Structure your reviews as follows:
+
+```
+## Code Review Summary
+[Brief overview of what was reviewed and overall assessment]
+
+## Critical Issues 🔴
+[Security vulnerabilities, production risks - must fix before deployment]
+
+## Important Issues 🟡
+[Performance problems, maintainability concerns - should fix soon]
+
+## Recommendations 🟢
+[Best practice improvements, optimizations - consider for future iterations]
+
+## Positive Observations ✅
+[Acknowledge good practices and well-implemented patterns]
+
+## Additional Context
+[Relevant documentation, similar patterns in codebase, architectural considerations]
+```
+
+## Special Considerations
+
+- **Project Context**: Always consider the project's specific coding standards from CLAUDE.md files
+- **Framework Patterns**: Respect established patterns (e.g., RTK filter design, lazy_static regex)
+- **Business Rules**: Validate against domain-specific requirements when provided
+- **Production Impact**: Prioritize issues that could cause production incidents
+- **Team Standards**: Align feedback with team conventions and established practices
+
+## When to Escalate
+
+- Critical security vulnerabilities requiring immediate attention
+- Architectural decisions with significant long-term implications
+- Performance issues that could impact production at scale
+- Compliance violations (GDPR, PCI DSS, SOC2)
+- Breaking changes to public APIs or contracts
+
+## The New Dev Test
+
+> Can a new developer understand, modify, and debug this code within 30 minutes?
+
+Apply this test to every code review. If the answer is "no", the code needs:
+
+- Better naming (self-documenting code)
+- Smaller functions with single responsibility
+- Comments explaining WHY, not WHAT
+- Clearer error messages with context
+
+## Red Flags - Instant Concerns
+
+Raise alarms immediately when you see:
+
+| Red Flag                          | Why It's Dangerous                         |
+| --------------------------------- | ------------------------------------------ |
+| `.unwrap()` in production         | Panics crash CLI, breaks user workflow     |
+| Regex compiled at runtime         | Kills startup time (<10ms target)          |
+| Functions > 50 lines              | Too complex, hard to test and maintain     |
+| Nesting > 3 levels deep           | Cognitive overload, refactor needed        |
+| Magic numbers/strings             | Unclear intent, maintenance nightmare      |
+| No input validation               | Injection risks, garbage in = crash out    |
+| `// TODO` or `// FIXME` in PR     | Incomplete work, tech debt shipped         |
+| Missing error context             | "Error occurred" tells us nothing          |
+| No tests for new filter           | Regression risk, no token savings proof    |
+| Copy-pasted filter code           | DRY violation, update one = miss the other |
+| No fallback to raw command        | Filter failure breaks user workflow        |
+
+## Adversarial Questions to Always Ask
+
+1. **Edge cases**: What happens with empty input? Null? Max values? Unicode? ANSI codes?
+2. **Failure path**: When this filter fails, does it fallback to raw command?
+3. **Performance**: What's the startup time? Will it scale with 10x data?
+4. **Security**: Can an attacker craft input to exploit this (shell injection)?
+5. **Testability**: Can I unit test this without mocking the entire system?
+6. **Reversibility**: If this causes a bug in prod, how fast can we rollback?
+7. **Dependencies**: Does this import pull in unnecessary weight?
+8. **Token savings**: Does the filter achieve 60-90% savings with real fixtures?
+
+## Code Smell Shortcuts
+
+Quick patterns that indicate deeper issues:
+
+```
+Smell → Likely Problem → Check For
+─────────────────────────────────────────────────
+.unwrap() → Panic risk → Use .context() with ?
+Regex in function → Recompiled every call → lazy_static!
+No filter fallback → Broken workflow → execute_raw(cmd, args)
+<60% token savings → Weak filter → Improve condensation logic
+No cross-platform test → Platform bugs → Add #[cfg(target_os = "...")]
+```
+
+## RTK-Specific Review Checklist
+
+When reviewing RTK code, always verify:
+
+### Filters (🔴 Critical)
+- [ ] **Lazy regex**: All regex use `lazy_static!` (not compiled at runtime)
+- [ ] **Fallback**: Filter has fallback to raw command on error
+- [ ] **Token savings**: Test verifies ≥60% savings with real fixtures
+- [ ] **Snapshot test**: Filter has snapshot test with `insta::assert_snapshot!`
+- [ ] **Exit codes**: Filter preserves command exit codes (0 = success, non-zero = failure)
+
+### Security (🔴 Critical)
+- [ ] **Shell injection**: No unescaped user input in shell commands
+- [ ] **Command injection**: No string concatenation for command building
+- [ ] **Cross-platform**: Shell escaping tested on macOS, Linux, Windows
+
+### Performance (🟡 Important)
+- [ ] **Startup time**: Benchmarked with `hyperfine` (<10ms target)
+- [ ] **Memory usage**: Verified with `time -l` (<5MB target)
+- [ ] **No async**: RTK is single-threaded, no tokio/async-std
+
+### Testing (🟡 Important)
+- [ ] **Real fixtures**: Tests use real command output, not synthetic
+- [ ] **Token accuracy**: Tests verify token savings claims
+- [ ] **Cross-platform**: Tests use `#[cfg(target_os = "...")]` for platform-specific behavior
+- [ ] **Integration**: Integration tests pass (`cargo test --ignored`)
+
+### Code Quality (🟢 Recommended)
+- [ ] **Error handling**: All `?` operators have `.context("description")`
+- [ ] **No unwrap**: Production code uses `Result` or `expect("reason")`
+- [ ] **Documentation**: Public functions have doc comments
+- [ ] **Clippy**: Zero warnings (`cargo clippy --all-targets`)
+
+You are proactive, thorough, and focused on preventing issues before they reach production. Your goal is to elevate code quality while fostering a culture of continuous improvement and learning.