@in-the-loop-labs/pair-review 1.4.0 → 1.4.2

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@in-the-loop-labs/pair-review",
-  "version": "1.4.0",
+  "version": "1.4.2",
   "description": "Your AI-powered code review partner - Close the feedback loop with AI coding agents",
   "main": "src/server.js",
   "bin": {

package/plugin/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "pair-review",
-  "version": "1.4.0",
+  "version": "1.4.2",
   "description": "pair-review app integration — Open PRs and local changes in the pair-review web UI, run server-side AI analysis, and address review feedback. Requires the pair-review MCP server.",
   "author": {
     "name": "in-the-loop-labs",

package/plugin-code-critic/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "code-critic",
-  "version": "1.4.0",
+  "version": "1.4.2",
   "description": "AI-powered code review analysis — Run three-level AI analysis and implement-review-fix loops directly in your coding agent. Works standalone, no server required.",
   "author": {
     "name": "in-the-loop-labs",

package/public/index.html

@@ -1176,7 +1176,12 @@
   "port": 7247,
   "theme": "light"
 }</code></pre>
-                <p>Generate a token at <a href="https://github.com/settings/tokens" target="_blank" rel="noopener" style="color: var(--color-text-link);">GitHub Settings &rarr; Developer settings &rarr; Personal access tokens</a>.</p>
+                <p>Create a <a href="https://github.com/settings/tokens/new" target="_blank" rel="noopener" style="color: var(--color-text-link);">GitHub Personal Access Token</a> with the following scopes:</p>
+                <ul style="margin: 0.5em 0; padding-left: 1.5em;">
+                    <li><code>repo</code> &mdash; required for private repositories</li>
+                    <li><code>public_repo</code> &mdash; sufficient for public repositories only</li>
+                </ul>
+                <p style="margin-top: 0.5em;">You can also provide the token via the <code>GITHUB_TOKEN</code> environment variable, which takes precedence over the config file.</p>
             </div>
         </div>
     </div>

package/public/js/index.js

@@ -460,7 +460,9 @@
   // ─── Local Review Start ─────────────────────────────────────────────────────
 
   /**
-   * Handle start local review form submission
+   * Handle start local review form submission.
+   * Navigates to the setup page which shows step-by-step progress,
+   * matching the flow used when reviews are started from the MCP/CLI.
    * @param {Event} event - Form submit event
    */
   async function handleStartLocal(event) {
@@ -479,29 +481,9 @@
       return;
     }
 
-    setFormLoading('local', true, 'Starting local review...');
-
-    try {
-      const response = await fetch('/api/local/start', {
-        method: 'POST',
-        headers: { 'Content-Type': 'application/json' },
-        body: JSON.stringify({ path: pathValue })
-      });
-
-      const data = await response.json();
-
-      if (!response.ok) {
-        throw new Error(data.error || 'Failed to start local review');
-      }
-
-      setFormLoading('local', true, 'Redirecting to review...');
-      window.location.href = data.reviewUrl;
-
-    } catch (error) {
-      console.error('Error starting local review:', error);
-      setFormLoading('local', false);
-      showError('local', error.message || 'An unexpected error occurred. Please try again.');
-    }
+    // Navigate to the setup page which shows step-by-step progress
+    // The /local?path= route serves setup.html which handles the full setup flow
+    window.location.href = '/local?path=' + encodeURIComponent(pathValue);
   }
 
   // ─── Browse Directory ──────────────────────────────────────────────────────
@@ -849,7 +831,10 @@
   }
 
   /**
-   * Handle start review form submission
+   * Handle start review form submission.
+   * Parses the PR URL, then navigates to the PR route which serves the
+   * setup page with step-by-step progress for new PRs, or the review page
+   * directly for PRs that already exist in the database.
    * @param {Event} event - Form submit event
    */
   async function handleStartReview(event) {
@@ -881,44 +866,9 @@
       return;
     }
 
-    // Update loading state
-    setFormLoading('pr', true, 'Fetching PR data from GitHub...');
-
-    try {
-      // Call the API to create the worktree
-      const response = await fetch('/api/worktrees/create', {
-        method: 'POST',
-        headers: {
-          'Content-Type': 'application/json'
-        },
-        body: JSON.stringify({
-          owner: parsed.owner,
-          repo: parsed.repo,
-          prNumber: parsed.prNumber
-        })
-      });
-
-      const data = await response.json();
-
-      if (!response.ok) {
-        throw new Error(data.error || 'Failed to create worktree');
-      }
-
-      if (!data.success) {
-        throw new Error(data.error || 'Failed to create worktree');
-      }
-
-      // Update loading text before redirect
-      setFormLoading('pr', true, 'Redirecting to review...');
-
-      // Redirect to the review page
-      window.location.href = data.reviewUrl;
-
-    } catch (error) {
-      console.error('Error starting review:', error);
-      setFormLoading('pr', false);
-      showError('pr', error.message || 'An unexpected error occurred. Please try again.');
-    }
+    // Navigate to the PR route which serves setup.html (with step-by-step progress)
+    // for new PRs, or pr.html directly for PRs already in the database
+    window.location.href = '/pr/' + encodeURIComponent(parsed.owner) + '/' + encodeURIComponent(parsed.repo) + '/' + encodeURIComponent(parsed.prNumber);
   }
 
   // ─── Config & Command Examples ──────────────────────────────────────────────
@@ -1068,4 +1018,17 @@
     // natively triggers form submission.
   });
 
+  // ─── bfcache Restoration ───────────────────────────────────────────────────
+
+  // When the browser restores this page from bfcache (e.g. user hits the back
+  // button after navigating away), any in-progress loading state on the forms
+  // will still be visible because the DOM snapshot is preserved as-is.  Reset
+  // both forms so the user is not stuck with a disabled input and spinner.
+  window.addEventListener('pageshow', function (event) {
+    if (event.persisted) {
+      setFormLoading('pr', false);
+      setFormLoading('local', false);
+    }
+  });
+
 })();

package/public/js/local.js

@@ -304,14 +304,62 @@ class LocalManager {
         return;
       }
 
-      // Check staleness FIRST, before showing config modal
+      // Run stale check and settings fetch in parallel to minimize dialog delay.
+      // Use AbortController so the fetch is truly cancelled on timeout,
+      // freeing the HTTP connection for subsequent requests.
+      const STALE_TIMEOUT = 2000;
+      const staleAbort = new AbortController();
+      const staleTimer = setTimeout(() => {
+        console.debug(`[Analyze] stale-check timed out after ${STALE_TIMEOUT}ms, aborting`);
+        staleAbort.abort();
+      }, STALE_TIMEOUT);
+      const staleCheckPromise = fetch(`/api/local/${reviewId}/check-stale`, { signal: staleAbort.signal })
+        .then(r => {
+          clearTimeout(staleTimer);
+          if (!r.ok) {
+            console.warn(`Stale check failed with status ${r.status}`);
+            return { _fetchError: true, status: r.status };
+          }
+          return r.json();
+        })
+        .catch(err => {
+          clearTimeout(staleTimer);
+          if (err.name === 'AbortError') {
+            console.debug('[Analyze] stale-check aborted (timeout)');
+          } else {
+            console.warn('[Analyze] stale-check fetch error:', err);
+          }
+          return null;
+        });
+
       try {
-        const staleResponse = await fetch(`/api/local/${reviewId}/check-stale`);
-        if (staleResponse.ok) {
-          const staleData = await staleResponse.json();
+        // Show analysis config modal
+        if (!manager.analysisConfigModal) {
+          clearTimeout(staleTimer);
+          console.warn('AnalysisConfigModal not initialized, proceeding without config');
+          await self.startLocalAnalysis(btn, {});
+          return;
+        }
 
-          if (staleData.isStale === true) {
-            // Working directory has changed - show dialog with options
+        // Fetch stale check, repo settings, and last instructions in parallel
+        const [staleResult, repoSettings, lastInstructions] = await Promise.all([
+          staleCheckPromise,
+          manager.fetchRepoSettings().catch(() => null),
+          manager.fetchLastCustomInstructions().catch(() => '')
+        ]);
+
+        // Process stale check result
+        try {
+          if (staleResult === null) {
+            // Timed out or network error — fail open
+            if (window.toast) {
+              window.toast.showWarning('Could not verify working directory is current.');
+            }
+          } else if (staleResult._fetchError) {
+            if (window.toast) {
+              window.toast.showWarning(`Could not verify working directory is current (${staleResult.status}).`);
+            }
+          } else if (staleResult.isStale === true) {
             if (window.confirmDialog) {
               const choice = await window.confirmDialog.show({
                 title: 'Files Have Changed',
@@ -323,40 +371,22 @@ class LocalManager {
               });
 
               if (choice === 'confirm') {
-                // User wants to refresh first, then continue to analysis
                 await self.refreshDiff();
-                // Continue to config modal after refresh (don't return)
               } else if (choice !== 'secondary') {
-                // User cancelled
                 return;
               }
-              // Both 'confirm' (after refresh) and 'secondary' continue to config modal
             }
-          } else if (staleData.isStale === null && staleData.error) {
-            // Couldn't verify - show toast warning
+          } else if (staleResult.isStale === null && staleResult.error) {
             if (window.toast) {
               window.toast.showWarning('Could not verify working directory is current.');
             }
           }
+        } catch (staleError) {
+          console.warn('[Local] Error processing staleness:', staleError);
+          if (window.toast) {
+            window.toast.showWarning('Could not verify working directory is current.');
+          }
         }
-      } catch (staleError) {
-        console.warn('[Local] Error checking staleness:', staleError);
-        if (window.toast) {
-          window.toast.showWarning('Could not verify working directory is current.');
-        }
-      }
-
-      try {
-        // Show analysis config modal
-        if (!manager.analysisConfigModal) {
-          console.warn('AnalysisConfigModal not initialized, proceeding without config');
-          await self.startLocalAnalysis(btn, {});
-          return;
-        }
-
-        // Get repo settings for default instructions
-        const repoSettings = await manager.fetchRepoSettings().catch(() => null);
-        const lastInstructions = await manager.fetchLastCustomInstructions().catch(() => '');
 
         // Determine model and provider
         const modelStorageKey = `pair-review-model:local-${reviewId}`;

package/public/js/pr.js

@@ -3432,37 +3432,74 @@ class PRManager {
     }
 
     try {
-      // Check if PR has new commits before analysis
+      // Run stale check and settings fetch in parallel to minimize dialog delay.
+      // Use AbortController so the fetch is truly cancelled on timeout,
+      // freeing the HTTP connection for subsequent requests.
+      const STALE_TIMEOUT = 2000;
+      const staleAbort = new AbortController();
+      const staleTimer = setTimeout(() => {
+        console.debug(`[Analyze] stale-check timed out after ${STALE_TIMEOUT}ms, aborting`);
+        staleAbort.abort();
+      }, STALE_TIMEOUT);
+      const staleCheckPromise = fetch(`/api/pr/${owner}/${repo}/${number}/check-stale`, { signal: staleAbort.signal })
+        .then(r => {
+          clearTimeout(staleTimer);
+          if (!r.ok) {
+            console.warn(`Stale check failed with status ${r.status}`);
+            return { _fetchError: true, status: r.status };
+          }
+          return r.json();
+        })
+        .catch(err => {
+          clearTimeout(staleTimer);
+          if (err.name === 'AbortError') {
+            console.debug('[Analyze] stale-check aborted (timeout)');
+          } else {
+            console.warn('[Analyze] stale-check fetch error:', err);
+          }
+          return null;
+        });
+
+      // Show analysis config modal
+      if (!this.analysisConfigModal) {
+        clearTimeout(staleTimer);
+        console.warn('AnalysisConfigModal not initialized, proceeding without config');
+        await this.startAnalysis(owner, repo, number, btn, {});
+        return;
+      }
+
+      // Fetch stale check, repo settings, and last instructions in parallel
+      const [staleResult, repoSettings, lastInstructions] = await Promise.all([
+        staleCheckPromise,
+        this.fetchRepoSettings().catch(() => null),
+        this.fetchLastCustomInstructions().catch(() => '')
+      ]);
+
+      // Process stale check result
       try {
-        const staleResponse = await fetch(`/api/pr/${owner}/${repo}/${number}/check-stale`);
-        if (!staleResponse.ok) {
-          // Handle non-OK responses (401/403/500 etc)
-          const errorText = await staleResponse.text().catch(() => 'Unknown error');
-          console.warn(`Stale check failed with status ${staleResponse.status}:`, errorText);
+        if (staleResult === null) {
+          // Timed out or network error — fail open
+          if (window.toast) {
+            window.toast.showWarning('Could not verify PR is current. Proceeding with analysis.');
+          }
+        } else if (staleResult._fetchError) {
           if (window.toast) {
-            window.toast.showWarning(`Could not verify PR is current (${staleResponse.status}). Proceeding with analysis.`);
+            window.toast.showWarning(`Could not verify PR is current (${staleResult.status}). Proceeding with analysis.`);
           }
-          // Fall through to continue with analysis
         } else {
-          const staleData = await staleResponse.json();
-
           // Handle PR state - show info for closed/merged PRs but still allow analysis
-          if (staleData.prState && (staleData.prState !== 'open' || staleData.merged)) {
-            const stateLabel = staleData.merged ? 'merged' : 'closed';
+          if (staleResult.prState && (staleResult.prState !== 'open' || staleResult.merged)) {
+            const stateLabel = staleResult.merged ? 'merged' : 'closed';
             if (window.toast) {
               window.toast.showWarning(`This PR is ${stateLabel}. Analysis will proceed on the existing data.`);
             }
           }
 
-          // Handle isStale === null (unknown - couldn't check)
-          if (staleData.isStale === null) {
-            // Couldn't verify - show toast and proceed
+          if (staleResult.isStale === null) {
             if (window.toast) {
               window.toast.showWarning('Could not verify PR is current. Proceeding with analysis.');
             }
-            // Continue with analysis
-          } else if (staleData.isStale === true) {
-            // PR is stale - show single dialog with 3 options
+          } else if (staleResult.isStale === true) {
             if (!window.confirmDialog) {
               console.warn('ConfirmDialog not available for stale PR check');
             } else {
@@ -3476,40 +3513,22 @@ class PRManager {
               });
 
               if (choice === 'confirm') {
-                // User wants to refresh first
                 await this.refreshPR();
-                // After refresh, continue with analysis
               } else if (choice === 'secondary') {
-                // User chose to analyze anyway - continue with stale data
+                // User chose to analyze anyway
               } else {
-                // User cancelled
                 return;
               }
             }
           }
-          // If isStale === false, PR is up-to-date, just continue
         }
       } catch (staleError) {
-        // Fail-open: show toast warning and continue with analysis
-        console.warn('Error checking PR staleness:', staleError);
+        console.warn('Error processing PR staleness:', staleError);
         if (window.toast) {
           window.toast.showWarning('Could not verify PR is current. Proceeding with analysis.');
         }
       }
 
-      // Show analysis config modal
-      if (!this.analysisConfigModal) {
-        console.warn('AnalysisConfigModal not initialized, proceeding without config');
-        await this.startAnalysis(owner, repo, number, btn, {});
-        return;
-      }
-
-      // Fetch repo settings and last used instructions in parallel
-      const [repoSettings, lastInstructions] = await Promise.all([
-        this.fetchRepoSettings(),
-        this.fetchLastCustomInstructions()
-      ]);
-
       // Determine the model and provider to use (priority: remembered > repo default > defaults)
       const modelStorageKey = PRManager.getRepoStorageKey('pair-review-model', owner, repo);
       const providerStorageKey = PRManager.getRepoStorageKey('pair-review-provider', owner, repo);

package/src/ai/claude-provider.js

@@ -7,7 +7,7 @@
 
 const path = require('path');
 const { spawn } = require('child_process');
-const { AIProvider, registerProvider } = require('./provider');
+const { AIProvider, registerProvider, quoteShellArgs } = require('./provider');
 const logger = require('../utils/logger');
 const { extractJSON } = require('../utils/json-extractor');
 const { CancellationError, isAnalysisCancelled } = require('../routes/shared');
@@ -178,7 +178,7 @@ class ClaudeProvider extends AIProvider {
 
     if (this.useShell) {
       const allArgs = [...baseArgs, ...extraArgs];
-      this.command = `${claudeCmd} ${this._quoteShellArgs(allArgs).join(' ')}`;
+      this.command = `${claudeCmd} ${quoteShellArgs(allArgs).join(' ')}`;
       this.args = [];
     } else {
       this.command = claudeCmd;
@@ -186,28 +186,6 @@ class ClaudeProvider extends AIProvider {
     }
   }
 
-  /**
-   * Quote shell-sensitive arguments for safe shell execution.
-   * Any arg containing characters that could be interpreted by the shell
-   * (brackets, parentheses, commas, etc.) is wrapped in single quotes
-   * with internal single quotes escaped using the POSIX pattern.
-   *
-   * @param {string[]} args - Array of CLI arguments
-   * @returns {string[]} Args with shell-sensitive values quoted
-   * @private
-   */
-  _quoteShellArgs(args) {
-    return args.map((arg, i) => {
-      const prevArg = args[i - 1];
-      if (prevArg === '--allowedTools' || prevArg === '--model') {
-        if (/[][*?(){}$!&|;<>,\s']/.test(arg)) {
-          return `'${arg.replace(/'/g, "'\\''")}'`;
-        }
-      }
-      return arg;
-    });
-  }
-
   /**
    * Resolve model configuration by looking up built-in and config override definitions.
    * Consolidates the CLAUDE_MODELS.find() and configOverrides.models.find() lookups
@@ -486,7 +464,7 @@ class ClaudeProvider extends AIProvider {
     const args = ['-p', ...cliModelArgs, ...extraArgs];
 
     if (useShell) {
-      const quotedArgs = this._quoteShellArgs(args);
+      const quotedArgs = quoteShellArgs(args);
       return {
         command: `${claudeCmd} ${quotedArgs.join(' ')}`,
         args: [],

package/src/ai/codex-provider.js

@@ -8,7 +8,7 @@
 
 const path = require('path');
 const { spawn } = require('child_process');
-const { AIProvider, registerProvider } = require('./provider');
+const { AIProvider, registerProvider, quoteShellArgs } = require('./provider');
 const logger = require('../utils/logger');
 const { extractJSON } = require('../utils/json-extractor');
 const { CancellationError, isAnalysisCancelled } = require('../routes/shared');
@@ -22,8 +22,8 @@ const BIN_DIR = path.join(__dirname, '..', '..', 'bin');
  *
  * Based on OpenAI Codex Models guide (developers.openai.com/codex/models)
  * - gpt-5.1-codex-mini: Smaller, cost-effective variant for quick scans
- * - gpt-5.1-codex-max: Optimized for long-horizon agentic coding tasks
- * - gpt-5.2-codex: Most advanced agentic coding model for real-world engineering
+ * - gpt-5.2-codex: Advanced coding model for everyday reviews, good reasoning/cost balance
+ * - gpt-5.3-codex: Most capable agentic coding model with frontier performance and reasoning
  */
 const CODEX_MODELS = [
   {
@@ -36,21 +36,21 @@ const CODEX_MODELS = [
     badgeClass: 'badge-speed'
   },
   {
-    id: 'gpt-5.1-codex-max',
-    name: 'GPT-5.1 Max',
+    id: 'gpt-5.2-codex',
+    name: 'GPT-5.2 Codex',
     tier: 'balanced',
     tagline: 'Best Balance',
-    description: 'Strong everyday reviewer—quality + speed for PR-sized changes and practical suggestions.',
+    description: 'Strong everyday reviewer—good reasoning and code understanding for PR-sized changes without top-tier cost.',
     badge: 'Recommended',
     badgeClass: 'badge-recommended',
     default: true
   },
   {
-    id: 'gpt-5.2-codex',
-    name: 'GPT-5.2',
+    id: 'gpt-5.3-codex',
+    name: 'GPT-5.3 Codex',
     tier: 'thorough',
     tagline: 'Deep Review',
-    description: 'Most capable for complex diffs—finds subtle issues, reasons across files, and proposes step-by-step fixes.',
+    description: 'Most capable agentic coding model—combines frontier coding performance with stronger reasoning for deep cross-file analysis.',
     badge: 'Most Thorough',
     badgeClass: 'badge-power'
   }
@@ -65,7 +65,7 @@ class CodexProvider extends AIProvider {
    * @param {Object} configOverrides.env - Additional environment variables
    * @param {Object[]} configOverrides.models - Custom model definitions
    */
-  constructor(model = 'gpt-5.1-codex-max', configOverrides = {}) {
+  constructor(model = 'gpt-5.2-codex', configOverrides = {}) {
     super(model);
 
     // Command precedence: ENV > config > default
@@ -116,7 +116,7 @@ class CodexProvider extends AIProvider {
 
     if (this.useShell) {
       // In shell mode, build full command string with args
-      this.command = `${codexCmd} ${[...baseArgs, ...providerArgs, ...modelArgs].join(' ')}`;
+      this.command = `${codexCmd} ${quoteShellArgs([...baseArgs, ...providerArgs, ...modelArgs]).join(' ')}`;
       this.args = [];
     } else {
       this.command = codexCmd;
@@ -577,7 +577,7 @@ class CodexProvider extends AIProvider {
 
     if (useShell) {
       return {
-        command: `${codexCmd} ${args.join(' ')}`,
+        command: `${codexCmd} ${quoteShellArgs(args).join(' ')}`,
         args: [],
         useShell: true,
         promptViaStdin: true
@@ -676,7 +676,7 @@ class CodexProvider extends AIProvider {
   }
 
   static getDefaultModel() {
-    return 'gpt-5.1-codex-max';
+    return 'gpt-5.2-codex';
   }
 
   static getInstallInstructions() {

package/src/ai/copilot-provider.js

@@ -8,7 +8,7 @@
 
 const path = require('path');
 const { spawn } = require('child_process');
-const { AIProvider, registerProvider } = require('./provider');
+const { AIProvider, registerProvider, quoteShellArgs } = require('./provider');
 const logger = require('../utils/logger');
 const { extractJSON } = require('../utils/json-extractor');
 const { CancellationError, isAnalysisCancelled } = require('../routes/shared');
@@ -21,42 +21,63 @@ const BIN_DIR = path.join(__dirname, '..', '..', 'bin');
  *
  * GitHub Copilot CLI supports multiple AI models including OpenAI,
  * Anthropic, and Google models via the --model flag.
+ * Available models (as of Feb 2026): claude-haiku-4.5, claude-sonnet-4.5,
+ * gemini-3-pro-preview, gpt-5.2-codex, claude-opus-4.5,
+ * claude-opus-4.6. Default is claude-sonnet-4.5.
  */
 const COPILOT_MODELS = [
   {
-    id: 'gpt-5.1-codex-mini',
-    name: 'GPT-5.1 Mini',
+    id: 'claude-haiku-4.5',
+    name: 'Claude Haiku 4.5',
     tier: 'fast',
     tagline: 'Quick Scan',
-    description: 'Rapid feedback for obvious issues and style checks',
+    description: 'Rapid feedback for obvious issues, style checks, and simple logic errors',
     badge: 'Speedy',
     badgeClass: 'badge-speed'
   },
   {
-    id: 'gemini-3-pro-preview',
-    name: 'Gemini 3 Pro',
+    id: 'claude-sonnet-4.5',
+    name: 'Claude Sonnet 4.5',
     tier: 'balanced',
     tagline: 'Reliable Review',
-    description: 'Solid everyday reviews with good coverage',
+    description: 'Copilot default—strong code understanding with excellent quality-to-cost ratio',
     badge: 'Recommended',
     badgeClass: 'badge-recommended',
     default: true
   },
   {
-    id: 'gpt-5.1-codex-max',
-    name: 'GPT-5.1 Max',
-    tier: 'thorough',
-    tagline: 'Deep Analysis',
-    description: 'Comprehensive reviews for complex changes',
-    badge: 'Thorough',
-    badgeClass: 'badge-power'
+    id: 'gemini-3-pro-preview',
+    name: 'Gemini 3 Pro',
+    tier: 'balanced',
+    tagline: 'Strong Alternative',
+    description: "Google's most capable model—strong reasoning for cross-file analysis",
+    badge: 'Balanced',
+    badgeClass: 'badge-balanced'
+  },
+  {
+    id: 'gpt-5.2-codex',
+    name: 'GPT-5.2 Codex',
+    tier: 'balanced',
+    tagline: 'Alternative View',
+    description: 'OpenAI code-specialized model—different perspective for cross-file analysis',
+    badge: 'Balanced',
+    badgeClass: 'badge-balanced'
   },
   {
     id: 'claude-opus-4.5',
     name: 'Claude Opus 4.5',
-    tier: 'premium',
-    tagline: 'Ultimate Review',
-    description: 'The most capable model for critical code reviews',
+    tier: 'thorough',
+    tagline: 'Deep Analysis',
+    description: 'Highly capable model for critical code reviews—strong reasoning for security and architecture',
+    badge: 'Premium',
+    badgeClass: 'badge-premium'
+  },
+  {
+    id: 'claude-opus-4.6',
+    name: 'Claude Opus 4.6',
+    tier: 'thorough',
+    tagline: 'Most Capable',
+    description: 'Most capable model for critical code reviews—deep reasoning for security and architecture',
     badge: 'Premium',
     badgeClass: 'badge-premium'
   }
@@ -71,7 +92,7 @@ class CopilotProvider extends AIProvider {
    * @param {Object} configOverrides.env - Additional environment variables
    * @param {Object[]} configOverrides.models - Custom model definitions
    */
-  constructor(model = 'gemini-3-pro-preview', configOverrides = {}) {
+  constructor(model = 'claude-sonnet-4.5', configOverrides = {}) {
     super(model);
 
     // Command precedence: ENV > config > default
@@ -191,7 +212,7 @@ class CopilotProvider extends AIProvider {
         // Escape the prompt for shell
         const escapedPrompt = prompt.replace(/'/g, "'\\''");
         // Build: copilot --model X --deny-tool ... -s -p 'prompt'
-        fullCommand = `${this.command} ${this.baseArgs.join(' ')} -p '${escapedPrompt}'`;
+        fullCommand = `${this.command} ${quoteShellArgs(this.baseArgs).join(' ')} -p '${escapedPrompt}'`;
         fullArgs = [];
       } else {
         // Build args array: --model X --deny-tool ... -s -p <prompt>
@@ -359,7 +380,7 @@ class CopilotProvider extends AIProvider {
     // Use stdin for prompt - safer than command args for arbitrary content
     if (useShell) {
       return {
-        command: `${copilotCmd} ${args.join(' ')}`,
+        command: `${copilotCmd} ${quoteShellArgs(args).join(' ')}`,
         args: [],
         useShell: true,
         promptViaStdin: true
@@ -441,7 +462,7 @@ class CopilotProvider extends AIProvider {
   }
 
   static getDefaultModel() {
-    return 'gemini-3-pro-preview';
+    return 'claude-sonnet-4.5';
   }
 
   static getInstallInstructions() {

package/src/ai/cursor-agent-provider.js

@@ -16,7 +16,7 @@
 
 const path = require('path');
 const { spawn } = require('child_process');
-const { AIProvider, registerProvider } = require('./provider');
+const { AIProvider, registerProvider, quoteShellArgs } = require('./provider');
 const logger = require('../utils/logger');
 const { extractJSON } = require('../utils/json-extractor');
 const { CancellationError, isAnalysisCancelled } = require('../routes/shared');
@@ -30,9 +30,9 @@ const BIN_DIR = path.join(__dirname, '..', '..', 'bin');
  *
  * Tier structure:
  * - free (auto): Cursor's default auto-routing model
- * - fast (gpt-5.2-codex-fast): Quick code-specialized analysis
- * - balanced (sonnet-4.5-thinking, gemini-3-pro): Recommended for most reviews
- * - thorough (gpt-5.2-codex-high, opus-4.5-thinking): Deep analysis for complex code
+ * - fast (composer-1, gpt-5.3-codex-fast, gemini-3-flash): Quick analysis
+ * - balanced (composer-1.5, sonnet-4.5-thinking, gemini-3-pro): Recommended for most reviews
+ * - thorough (gpt-5.3-codex-high, opus-4.5-thinking, opus-4.6-thinking): Deep analysis for complex code
  */
 const CURSOR_AGENT_MODELS = [
   {
@@ -45,20 +45,47 @@ const CURSOR_AGENT_MODELS = [
     badgeClass: 'badge-speed'
   },
   {
-    id: 'gpt-5.2-codex-fast',
-    name: 'GPT-5.2 Codex Fast',
+    id: 'composer-1.5',
+    name: 'Composer 1.5',
+    tier: 'balanced',
+    tagline: 'Latest Composer',
+    description: 'Cursor Composer model—positioned between Sonnet and Opus for multi-file edits',
+    badge: 'Balanced',
+    badgeClass: 'badge-balanced'
+  },
+  {
+    id: 'composer-1',
+    name: 'Composer 1',
+    tier: 'fast',
+    tagline: 'Original Composer',
+    description: 'Cursor Composer model—good for quick multi-file editing workflows',
+    badge: 'Fast',
+    badgeClass: 'badge-speed'
+  },
+  {
+    id: 'gpt-5.3-codex-fast',
+    name: 'GPT-5.3 Codex Fast',
     tier: 'fast',
     tagline: 'Lightning Fast',
-    description: 'Quick code-specialized analysis for simple changes',
+    description: 'Latest code-specialized model optimized for speed—quick scans for obvious issues',
     badge: 'Fastest',
     badgeClass: 'badge-speed'
   },
+  {
+    id: 'gemini-3-flash',
+    name: 'Gemini 3 Flash',
+    tier: 'fast',
+    tagline: 'Fast & Capable',
+    description: 'High SWE-bench scores at a fraction of the cost—great for quick reviews',
+    badge: 'Fast',
+    badgeClass: 'badge-speed'
+  },
   {
     id: 'sonnet-4.5-thinking',
     name: 'Claude 4.5 Sonnet (Thinking)',
     tier: 'balanced',
     tagline: 'Best Balance',
-    description: 'Extended thinking for thorough analysis',
+    description: 'Extended thinking for thorough analysis with excellent quality-to-cost ratio',
     badge: 'Recommended',
     badgeClass: 'badge-recommended',
     default: true
@@ -68,16 +95,16 @@ const CURSOR_AGENT_MODELS = [
     name: 'Gemini 3 Pro',
     tier: 'balanced',
     tagline: 'Strong Alternative',
-    description: "Google's flagship model for code review",
+    description: "Google's flagship model for code review—strong agentic and vibe coding capabilities",
     badge: 'Balanced',
     badgeClass: 'badge-balanced'
   },
   {
-    id: 'gpt-5.2-codex-high',
-    name: 'GPT-5.2 Codex High',
+    id: 'gpt-5.3-codex-high',
+    name: 'GPT-5.3 Codex High',
     tier: 'thorough',
     tagline: 'Deep Code Analysis',
-    description: "OpenAI's best for complex code review",
+    description: "OpenAI's latest and most capable for complex code review with deep reasoning",
     badge: 'Thorough',
     badgeClass: 'badge-power'
   },
@@ -85,8 +112,17 @@ const CURSOR_AGENT_MODELS = [
     id: 'opus-4.5-thinking',
     name: 'Claude 4.5 Opus (Thinking)',
     tier: 'thorough',
+    tagline: 'Deep Analysis',
+    description: 'Deep analysis with extended thinking for complex code reviews',
+    badge: 'Thorough',
+    badgeClass: 'badge-power'
+  },
+  {
+    id: 'opus-4.6-thinking',
+    name: 'Claude 4.6 Opus (Thinking)',
+    tier: 'thorough',
     tagline: 'Most Capable',
-    description: 'Deep analysis with extended thinking for complex code',
+    description: 'Deep analysis with extended thinking—Cursor default for maximum review quality',
     badge: 'Most Thorough',
     badgeClass: 'badge-power'
   }
@@ -159,7 +195,7 @@ class CursorAgentProvider extends AIProvider {
 
     if (this.useShell) {
       // In shell mode, build full command string with args
-      this.command = `${agentCmd} ${[...baseArgs, ...providerArgs, ...modelArgs].join(' ')}`;
+      this.command = `${agentCmd} ${quoteShellArgs([...baseArgs, ...providerArgs, ...modelArgs]).join(' ')}`;
       this.args = [];
     } else {
       this.command = agentCmd;
@@ -662,7 +698,7 @@ class CursorAgentProvider extends AIProvider {
     // For extraction, we pass the prompt via stdin
     if (useShell) {
       return {
-        command: `${agentCmd} ${args.join(' ')}`,
+        command: `${agentCmd} ${quoteShellArgs(args).join(' ')}`,
         args: [],
         useShell: true,
         promptViaStdin: true

package/src/ai/gemini-provider.js

@@ -7,7 +7,7 @@
 
 const path = require('path');
 const { spawn } = require('child_process');
-const { AIProvider, registerProvider } = require('./provider');
+const { AIProvider, registerProvider, quoteShellArgs } = require('./provider');
 const logger = require('../utils/logger');
 const { extractJSON } = require('../utils/json-extractor');
 const { CancellationError, isAnalysisCancelled } = require('../routes/shared');
@@ -25,7 +25,7 @@ const GEMINI_MODELS = [
     name: '3.0 Flash',
     tier: 'fast',
     tagline: 'Rapid Sanity Check',
-    description: 'Best for catching syntax, typos, and simple logic errors',
+    description: 'Fast and capable at a fraction of the cost of larger models',
     badge: 'Quick Look',
     badgeClass: 'badge-speed'
   },
@@ -34,7 +34,7 @@ const GEMINI_MODELS = [
     name: '2.5 Pro',
     tier: 'balanced',
     tagline: 'Standard PR Review',
-    description: 'Reliable feedback on code style, features, and refactoring',
+    description: 'Strong reasoning with large context window—reliable for everyday code reviews',
     badge: 'Daily Driver',
     badgeClass: 'badge-recommended',
     default: true
@@ -44,7 +44,7 @@ const GEMINI_MODELS = [
     name: '3.0 Pro',
     tier: 'thorough',
     tagline: 'Architectural Audit',
-    description: 'Deep analysis for race conditions, security, and edge cases',
+    description: 'Most intelligent Gemini model—advanced reasoning for deep architectural analysis',
     badge: 'Deep Dive',
     badgeClass: 'badge-power'
   }
@@ -156,16 +156,9 @@ class GeminiProvider extends AIProvider {
 
     if (this.useShell) {
       // In shell mode, build full command string with args
-      // Quote the allowed-tools value to prevent shell interpretation of special characters
+      // Quote all args to prevent shell interpretation of special characters
       // (commas, parentheses in patterns like "run_shell_command(git diff)")
-      const quotedBaseArgs = baseArgs.map((arg, i) => {
-        // The allowed-tools value follows the --allowed-tools flag
-        if (baseArgs[i - 1] === '--allowed-tools') {
-          return `'${arg}'`;
-        }
-        return arg;
-      });
-      this.command = `${geminiCmd} ${[...quotedBaseArgs, ...providerArgs, ...modelArgs].join(' ')}`;
+      this.command = `${geminiCmd} ${quoteShellArgs([...baseArgs, ...providerArgs, ...modelArgs]).join(' ')}`;
       this.args = [];
     } else {
       this.command = geminiCmd;
@@ -616,7 +609,7 @@ class GeminiProvider extends AIProvider {
     // For extraction, we pass the prompt via stdin
     if (useShell) {
       return {
-        command: `${geminiCmd} ${args.join(' ')}`,
+        command: `${geminiCmd} ${quoteShellArgs(args).join(' ')}`,
         args: [],
         useShell: true,
         promptViaStdin: true

package/src/ai/opencode-provider.js

@@ -13,7 +13,7 @@
 
 const path = require('path');
 const { spawn } = require('child_process');
-const { AIProvider, registerProvider } = require('./provider');
+const { AIProvider, registerProvider, quoteShellArgs } = require('./provider');
 const logger = require('../utils/logger');
 const { extractJSON } = require('../utils/json-extractor');
 const { CancellationError, isAnalysisCancelled } = require('../routes/shared');
@@ -114,7 +114,7 @@ class OpenCodeProvider extends AIProvider {
       let fullArgs;
 
       if (this.useShell) {
-        fullCommand = `${this.opencodeCmd} ${this.baseArgs.join(' ')}`;
+        fullCommand = `${this.opencodeCmd} ${quoteShellArgs(this.baseArgs).join(' ')}`;
         fullArgs = [];
       } else {
         fullCommand = this.opencodeCmd;
@@ -554,7 +554,7 @@ class OpenCodeProvider extends AIProvider {
     // OpenCode reads from stdin when no positional message arguments are provided
     if (useShell) {
       return {
-        command: `${opencodeCmd} ${args.join(' ')}`,
+        command: `${opencodeCmd} ${quoteShellArgs(args).join(' ')}`,
         args: [],
         useShell: true,
         promptViaStdin: true

package/src/ai/pi-provider.js

@@ -18,7 +18,7 @@
 
 const path = require('path');
 const { spawn } = require('child_process');
-const { AIProvider, registerProvider } = require('./provider');
+const { AIProvider, registerProvider, quoteShellArgs } = require('./provider');
 const logger = require('../utils/logger');
 const { extractJSON } = require('../utils/json-extractor');
 const { CancellationError, isAnalysisCancelled } = require('../routes/shared');
@@ -253,7 +253,7 @@ class PiProvider extends AIProvider {
       let fullArgs;
 
       if (this.useShell) {
-        fullCommand = `${this.piCmd} ${this.baseArgs.join(' ')}`;
+        fullCommand = `${this.piCmd} ${quoteShellArgs(this.baseArgs).join(' ')}`;
         fullArgs = [];
       } else {
         fullCommand = this.piCmd;
@@ -745,7 +745,7 @@ class PiProvider extends AIProvider {
     // Pi reads from stdin when using -p with no positional message arguments
     if (useShell) {
       return {
-        command: `${piCmd} ${args.join(' ')}`,
+        command: `${piCmd} ${quoteShellArgs(args).join(' ')}`,
         args: [],
         useShell: true,
         promptViaStdin: true,

package/src/ai/provider.js

@@ -14,6 +14,24 @@ const { extractJSON } = require('../utils/json-extractor');
 // Directory containing bin scripts (git-diff-lines, etc.)
 const BIN_DIR = path.join(__dirname, '..', '..', 'bin');
 
+/**
+ * Quote shell-sensitive arguments for safe shell execution.
+ * Any arg containing characters that could be interpreted by the shell
+ * (brackets, parentheses, commas, etc.) is wrapped in single quotes
+ * with internal single quotes escaped using the POSIX pattern.
+ *
+ * @param {string[]} args - Array of CLI arguments
+ * @returns {string[]} Args with shell-sensitive values quoted
+ */
+function quoteShellArgs(args) {
+  return args.map(arg => {
+    if (/[[\]*?(){}$!&|;<>,\s'"\\`#~]/.test(arg)) {
+      return `'${arg.replace(/'/g, "'\\''")}'`;
+    }
+    return arg;
+  });
+}
+
 /**
  * Model tier definitions - provider-agnostic tiers that map to specific models
  */
@@ -639,6 +657,7 @@ async function testProviderAvailability(providerId, timeout = 10000) {
 module.exports = {
   AIProvider,
   MODEL_TIERS,
+  quoteShellArgs,
   registerProvider,
   getProviderClass,
   getRegisteredProviderIds,