@in-the-loop-labs/pair-review 1.4.1 → 1.4.3

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@in-the-loop-labs/pair-review",
-  "version": "1.4.1",
+  "version": "1.4.3",
   "description": "Your AI-powered code review partner - Close the feedback loop with AI coding agents",
   "main": "src/server.js",
   "bin": {

package/plugin/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "pair-review",
-  "version": "1.4.1",
+  "version": "1.4.3",
   "description": "pair-review app integration — Open PRs and local changes in the pair-review web UI, run server-side AI analysis, and address review feedback. Requires the pair-review MCP server.",
   "author": {
     "name": "in-the-loop-labs",

package/plugin-code-critic/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "code-critic",
-  "version": "1.4.1",
+  "version": "1.4.3",
   "description": "AI-powered code review analysis — Run three-level AI analysis and implement-review-fix loops directly in your coding agent. Works standalone, no server required.",
   "author": {
     "name": "in-the-loop-labs",

package/public/js/index.js

@@ -460,7 +460,9 @@
   // ─── Local Review Start ─────────────────────────────────────────────────────
 
   /**
-   * Handle start local review form submission
+   * Handle start local review form submission.
+   * Navigates to the setup page which shows step-by-step progress,
+   * matching the flow used when reviews are started from the MCP/CLI.
    * @param {Event} event - Form submit event
    */
   async function handleStartLocal(event) {
@@ -479,29 +481,9 @@
       return;
     }
 
-    setFormLoading('local', true, 'Starting local review...');
-
-    try {
-      const response = await fetch('/api/local/start', {
-        method: 'POST',
-        headers: { 'Content-Type': 'application/json' },
-        body: JSON.stringify({ path: pathValue })
-      });
-
-      const data = await response.json();
-
-      if (!response.ok) {
-        throw new Error(data.error || 'Failed to start local review');
-      }
-
-      setFormLoading('local', true, 'Redirecting to review...');
-      window.location.href = data.reviewUrl;
-
-    } catch (error) {
-      console.error('Error starting local review:', error);
-      setFormLoading('local', false);
-      showError('local', error.message || 'An unexpected error occurred. Please try again.');
-    }
+    // Navigate to the setup page which shows step-by-step progress
+    // The /local?path= route serves setup.html which handles the full setup flow
+    window.location.href = '/local?path=' + encodeURIComponent(pathValue);
   }
 
   // ─── Browse Directory ──────────────────────────────────────────────────────
@@ -849,7 +831,10 @@
   }
 
   /**
-   * Handle start review form submission
+   * Handle start review form submission.
+   * Parses the PR URL, then navigates to the PR route which serves the
+   * setup page with step-by-step progress for new PRs, or the review page
+   * directly for PRs that already exist in the database.
    * @param {Event} event - Form submit event
    */
   async function handleStartReview(event) {
@@ -881,44 +866,9 @@
       return;
     }
 
-    // Update loading state
-    setFormLoading('pr', true, 'Fetching PR data from GitHub...');
-
-    try {
-      // Call the API to create the worktree
-      const response = await fetch('/api/worktrees/create', {
-        method: 'POST',
-        headers: {
-          'Content-Type': 'application/json'
-        },
-        body: JSON.stringify({
-          owner: parsed.owner,
-          repo: parsed.repo,
-          prNumber: parsed.prNumber
-        })
-      });
-
-      const data = await response.json();
-
-      if (!response.ok) {
-        throw new Error(data.error || 'Failed to create worktree');
-      }
-
-      if (!data.success) {
-        throw new Error(data.error || 'Failed to create worktree');
-      }
-
-      // Update loading text before redirect
-      setFormLoading('pr', true, 'Redirecting to review...');
-
-      // Redirect to the review page
-      window.location.href = data.reviewUrl;
-
-    } catch (error) {
-      console.error('Error starting review:', error);
-      setFormLoading('pr', false);
-      showError('pr', error.message || 'An unexpected error occurred. Please try again.');
-    }
+    // Navigate to the PR route which serves setup.html (with step-by-step progress)
+    // for new PRs, or pr.html directly for PRs already in the database
+    window.location.href = '/pr/' + encodeURIComponent(parsed.owner) + '/' + encodeURIComponent(parsed.repo) + '/' + encodeURIComponent(parsed.prNumber);
   }
 
   // ─── Config & Command Examples ──────────────────────────────────────────────
@@ -1068,4 +1018,17 @@
     // natively triggers form submission.
   });
 
+  // ─── bfcache Restoration ───────────────────────────────────────────────────
+
+  // When the browser restores this page from bfcache (e.g. user hits the back
+  // button after navigating away), any in-progress loading state on the forms
+  // will still be visible because the DOM snapshot is preserved as-is.  Reset
+  // both forms so the user is not stuck with a disabled input and spinner.
+  window.addEventListener('pageshow', function (event) {
+    if (event.persisted) {
+      setFormLoading('pr', false);
+      setFormLoading('local', false);
+    }
+  });
+
 })();

package/public/js/local.js

@@ -650,7 +650,7 @@ class LocalManager {
                 data-file="${fileName}"
                 data-line="${lineStart}"
                 data-line-end="${lineEnd}"
-                ${side ? `data-side="${side}"` : ''}
+                data-side="${side || 'RIGHT'}"
               >${manager.escapeHtml(currentText)}</textarea>
               <div class="comment-edit-actions">
                 <button class="btn btn-sm btn-primary save-edit-btn">Save</button>

package/public/js/modules/comment-manager.js

@@ -245,12 +245,14 @@ class CommentManager {
     const rows = targetWrapper.querySelectorAll('tr[data-line-number]');
     const codeLines = [];
 
+    // Always filter by side to prevent including both OLD and NEW versions of modified lines.
+    // Default to 'RIGHT' because suggestions target the NEW version of code.
+    // This is the definitive fix: even if callers fail to propagate side, we never return both versions.
+    const effectiveSide = side || 'RIGHT';
+
     for (const row of rows) {
       const lineNum = parseInt(row.dataset.lineNumber, 10);
-      // Filter by line number, file name, and side (if provided)
-      // Side filtering prevents including both deleted and added versions of modified lines
-      const matchesSide = !side || row.dataset.side === side;
-      if (lineNum >= startLine && lineNum <= endLine && row.dataset.fileName === fileName && matchesSide) {
+      if (lineNum >= startLine && lineNum <= endLine && row.dataset.fileName === fileName && row.dataset.side === effectiveSide) {
         // Get the code content cell
         const codeCell = row.querySelector('.d2h-code-line-ctn');
         if (codeCell) {
@@ -279,6 +281,9 @@ class CommentManager {
     const startLine = parseInt(textarea.dataset.line, 10);
     const endLine = parseInt(textarea.dataset.lineEnd, 10) || startLine;
     const side = textarea.dataset.side;
+    if (!side) {
+      console.warn('[Suggestion] textarea missing data-side attribute, defaulting to RIGHT');
+    }
 
     // Get the code from the selected lines (pass side to avoid including both deleted and added lines)
     const code = this.getCodeFromLines(fileName, startLine, endLine, side);
@@ -587,7 +592,7 @@ class CommentManager {
             data-file="${comment.file}"
             data-line="${comment.line_start}"
             data-line-end="${comment.line_end || comment.line_start}"
-            ${comment.side ? `data-side="${comment.side}"` : ''}
+            data-side="${comment.side || 'RIGHT'}"
           >${escapeHtml(comment.body)}</textarea>
           <div class="comment-edit-actions">
             <button class="btn btn-sm btn-primary save-edit-btn">

package/public/js/modules/diff-renderer.js

@@ -517,6 +517,8 @@ class DiffRenderer {
 
     const headerContent = functionContext
       ? `<span class="hunk-context-icon" aria-label="Function context">f</span><span class="hunk-context-text">${DiffRenderer.escapeHtml(functionContext)}</span>`
+      // "..." dividers act as visual separators between non-contiguous code
+      // sections when git couldn't identify a surrounding function/class scope.
       : '<span class="hunk-divider" aria-label="Code section divider">...</span>';
 
     headerRow.innerHTML = `<td colspan="2" class="d2h-info">${headerContent}</td>`;
@@ -554,6 +556,62 @@ class DiffRenderer {
            trimmedLine.includes(trimmedContext + ' ');
   }
 
+  /**
+   * Handle hunk header rows that are no longer at a gap boundary.
+   * A hunk header (d2h-info row) should only be visible when:
+   *   1. It is the first row in the tbody (file-level context), OR
+   *   2. Its immediately preceding sibling is a gap row (context-expand-row)
+   *
+   * When a header with function context (_f_ marker) becomes stranded after
+   * upward expansion, it is relocated to the nearest gap row above within the
+   * same hunk section. This preserves the function context indicator for the
+   * remaining gap, whether or not the function definition is now visible below.
+   *
+   * Headers without function context (... dividers) or those with no reachable
+   * gap above are removed.
+   * @param {HTMLElement} tbody - The table body containing the diff
+   */
+  static removeStrandedHunkHeaders(tbody) {
+    if (!tbody) return;
+
+    const infoRows = tbody.querySelectorAll('tr.d2h-info');
+    for (const row of infoRows) {
+      const prev = row.previousElementSibling;
+      // Keep if this is the first row in the tbody (provides file-level context)
+      if (!prev) continue;
+      // Keep if preceded by a gap row (the header marks the boundary)
+      if (prev.classList.contains('context-expand-row')) continue;
+
+      // Header is stranded between visible code lines.
+      // If it has function context, try to relocate it to the nearest gap above
+      // so the gap retains its function context indicator.
+      if (row.dataset.functionContext) {
+        let sibling = row.previousElementSibling;
+        let nearestGap = null;
+        while (sibling) {
+          if (sibling.classList.contains('context-expand-row')) {
+            nearestGap = sibling;
+            break;
+          }
+          // Stop at another hunk header - don't cross hunk boundaries.
+          // (This also means only the nearest stranded header in DOM order
+          // gets relocated to a given gap; subsequent ones are removed.)
+          if (sibling.classList.contains('d2h-info')) break;
+          sibling = sibling.previousElementSibling;
+        }
+
+        if (nearestGap) {
+          // Relocate: move the header to right after the gap row
+          nearestGap.insertAdjacentElement('afterend', row);
+          continue;
+        }
+      }
+
+      // No gap found above or no function context - remove the stranded header
+      row.remove();
+    }
+  }
+
   /**
    * Update function context visibility for all hunk headers in a file's tbody
    * Called once after any expansion in a file - checks all headers efficiently

package/public/js/pr.js

@@ -1455,9 +1455,10 @@ class PRManager {
       gapRow.parentNode.insertBefore(fragment, gapRow);
       gapRow.remove();
 
-      // Check all function context markers in this file and remove any whose
-      // function definitions are now visible
+      // Remove hunk headers that are no longer at a gap boundary,
+      // then check remaining headers for visible function definitions
       if (window.DiffRenderer) {
+        window.DiffRenderer.removeStrandedHunkHeaders(tbody);
         window.DiffRenderer.updateFunctionContextVisibility(tbody);
       }
 
@@ -1478,6 +1479,7 @@ class PRManager {
     const hasExplicitEndLineNew = !isNaN(parseInt(controls.dataset.endLineNew));
 
     const fileName = controls.dataset.fileName;
+    const position = controls.dataset.position || 'between';
     const tbody = gapRow.closest('tbody');
 
     if (!tbody) return;
@@ -1488,6 +1490,13 @@ class PRManager {
 
       const fragment = document.createDocumentFragment();
 
+      // Compute positions for each remnant based on file boundary proximity.
+      // The upper remnant keeps 'above' only if the original gap was at the file start;
+      // the lower remnant keeps 'below' only if the original gap was at the file end.
+      // Inner remnants become 'between' since they're sandwiched between visible content.
+      const gapAbovePosition = position === 'above' ? 'above' : 'between';
+      const gapBelowPosition = position === 'below' ? 'below' : 'between';
+
       // Create gap above if needed
       const gapAboveSize = expandStart - gapStart;
       if (gapAboveSize > 0) {
@@ -1496,7 +1505,7 @@ class PRManager {
           gapStart,
           expandStart - 1,
           gapAboveSize,
-          'above',
+          gapAbovePosition,
           (controls, dir, cnt) => this.expandGapContext(controls, dir, cnt),
           gapStartNew  // Preserve the NEW line number offset
         );
@@ -1537,7 +1546,7 @@ class PRManager {
           expandEnd + 1,
           gapEnd,
           gapBelowSize,
-          'below',
+          gapBelowPosition,
           (controls, dir, cnt) => this.expandGapContext(controls, dir, cnt),
           belowGapStartNew  // Updated NEW line number for gap below
         );
@@ -1553,9 +1562,10 @@ class PRManager {
       gapRow.parentNode.insertBefore(fragment, gapRow);
       gapRow.remove();
 
-      // Check all function context markers in this file and remove any whose
-      // function definitions are now visible
+      // Remove hunk headers that are no longer at a gap boundary,
+      // then check remaining headers for visible function definitions
       if (window.DiffRenderer) {
+        window.DiffRenderer.removeStrandedHunkHeaders(tbody);
         window.DiffRenderer.updateFunctionContextVisibility(tbody);
       }
 
@@ -1718,10 +1728,6 @@ class PRManager {
     this.commentManager.updateSuggestionButtonState(textarea, button);
   }
 
-  getCodeFromLines(fileName, startLine, endLine) {
-    return this.commentManager.getCodeFromLines(fileName, startLine, endLine);
-  }
-
   insertSuggestionBlock(textarea, button) {
     this.commentManager.insertSuggestionBlock(textarea, button);
   }
@@ -1783,7 +1789,7 @@ class PRManager {
             data-file="${fileName}"
             data-line="${lineStart}"
             data-line-end="${lineEnd}"
-            ${side ? `data-side="${side}"` : ''}
+            data-side="${side || 'RIGHT'}"
           >${this.escapeHtml(currentText)}</textarea>
           <div class="comment-edit-actions">
             <button class="btn btn-sm btn-primary save-edit-btn">Save</button>

package/src/ai/claude-provider.js

@@ -7,7 +7,7 @@
 
 const path = require('path');
 const { spawn } = require('child_process');
-const { AIProvider, registerProvider } = require('./provider');
+const { AIProvider, registerProvider, quoteShellArgs } = require('./provider');
 const logger = require('../utils/logger');
 const { extractJSON } = require('../utils/json-extractor');
 const { CancellationError, isAnalysisCancelled } = require('../routes/shared');
@@ -178,7 +178,7 @@ class ClaudeProvider extends AIProvider {
 
     if (this.useShell) {
       const allArgs = [...baseArgs, ...extraArgs];
-      this.command = `${claudeCmd} ${this._quoteShellArgs(allArgs).join(' ')}`;
+      this.command = `${claudeCmd} ${quoteShellArgs(allArgs).join(' ')}`;
       this.args = [];
     } else {
       this.command = claudeCmd;
@@ -186,28 +186,6 @@ class ClaudeProvider extends AIProvider {
     }
   }
 
-  /**
-   * Quote shell-sensitive arguments for safe shell execution.
-   * Any arg containing characters that could be interpreted by the shell
-   * (brackets, parentheses, commas, etc.) is wrapped in single quotes
-   * with internal single quotes escaped using the POSIX pattern.
-   *
-   * @param {string[]} args - Array of CLI arguments
-   * @returns {string[]} Args with shell-sensitive values quoted
-   * @private
-   */
-  _quoteShellArgs(args) {
-    return args.map((arg, i) => {
-      const prevArg = args[i - 1];
-      if (prevArg === '--allowedTools' || prevArg === '--model') {
-        if (/[][*?(){}$!&|;<>,\s']/.test(arg)) {
-          return `'${arg.replace(/'/g, "'\\''")}'`;
-        }
-      }
-      return arg;
-    });
-  }
-
   /**
    * Resolve model configuration by looking up built-in and config override definitions.
    * Consolidates the CLAUDE_MODELS.find() and configOverrides.models.find() lookups
@@ -486,7 +464,7 @@ class ClaudeProvider extends AIProvider {
     const args = ['-p', ...cliModelArgs, ...extraArgs];
 
     if (useShell) {
-      const quotedArgs = this._quoteShellArgs(args);
+      const quotedArgs = quoteShellArgs(args);
       return {
         command: `${claudeCmd} ${quotedArgs.join(' ')}`,
         args: [],

package/src/ai/codex-provider.js

@@ -8,7 +8,7 @@
 
 const path = require('path');
 const { spawn } = require('child_process');
-const { AIProvider, registerProvider } = require('./provider');
+const { AIProvider, registerProvider, quoteShellArgs } = require('./provider');
 const logger = require('../utils/logger');
 const { extractJSON } = require('../utils/json-extractor');
 const { CancellationError, isAnalysisCancelled } = require('../routes/shared');
@@ -22,8 +22,8 @@ const BIN_DIR = path.join(__dirname, '..', '..', 'bin');
  *
  * Based on OpenAI Codex Models guide (developers.openai.com/codex/models)
  * - gpt-5.1-codex-mini: Smaller, cost-effective variant for quick scans
- * - gpt-5.1-codex-max: Optimized for long-horizon agentic coding tasks
- * - gpt-5.2-codex: Most advanced agentic coding model for real-world engineering
+ * - gpt-5.2-codex: Advanced coding model for everyday reviews, good reasoning/cost balance
+ * - gpt-5.3-codex: Most capable agentic coding model with frontier performance and reasoning
  */
 const CODEX_MODELS = [
   {
@@ -36,21 +36,21 @@ const CODEX_MODELS = [
     badgeClass: 'badge-speed'
   },
   {
-    id: 'gpt-5.1-codex-max',
-    name: 'GPT-5.1 Max',
+    id: 'gpt-5.2-codex',
+    name: 'GPT-5.2 Codex',
     tier: 'balanced',
     tagline: 'Best Balance',
-    description: 'Strong everyday reviewer—quality + speed for PR-sized changes and practical suggestions.',
+    description: 'Strong everyday reviewer—good reasoning and code understanding for PR-sized changes without top-tier cost.',
     badge: 'Recommended',
     badgeClass: 'badge-recommended',
     default: true
   },
   {
-    id: 'gpt-5.2-codex',
-    name: 'GPT-5.2',
+    id: 'gpt-5.3-codex',
+    name: 'GPT-5.3 Codex',
     tier: 'thorough',
     tagline: 'Deep Review',
-    description: 'Most capable for complex diffs—finds subtle issues, reasons across files, and proposes step-by-step fixes.',
+    description: 'Most capable agentic coding model—combines frontier coding performance with stronger reasoning for deep cross-file analysis.',
     badge: 'Most Thorough',
     badgeClass: 'badge-power'
   }
@@ -65,7 +65,7 @@ class CodexProvider extends AIProvider {
    * @param {Object} configOverrides.env - Additional environment variables
    * @param {Object[]} configOverrides.models - Custom model definitions
    */
-  constructor(model = 'gpt-5.1-codex-max', configOverrides = {}) {
+  constructor(model = 'gpt-5.2-codex', configOverrides = {}) {
     super(model);
 
     // Command precedence: ENV > config > default
@@ -116,7 +116,7 @@ class CodexProvider extends AIProvider {
 
     if (this.useShell) {
       // In shell mode, build full command string with args
-      this.command = `${codexCmd} ${[...baseArgs, ...providerArgs, ...modelArgs].join(' ')}`;
+      this.command = `${codexCmd} ${quoteShellArgs([...baseArgs, ...providerArgs, ...modelArgs]).join(' ')}`;
       this.args = [];
     } else {
       this.command = codexCmd;
@@ -577,7 +577,7 @@ class CodexProvider extends AIProvider {
 
     if (useShell) {
       return {
-        command: `${codexCmd} ${args.join(' ')}`,
+        command: `${codexCmd} ${quoteShellArgs(args).join(' ')}`,
         args: [],
         useShell: true,
         promptViaStdin: true
@@ -676,7 +676,7 @@ class CodexProvider extends AIProvider {
   }
 
   static getDefaultModel() {
-    return 'gpt-5.1-codex-max';
+    return 'gpt-5.2-codex';
   }
 
   static getInstallInstructions() {

package/src/ai/copilot-provider.js

@@ -8,7 +8,7 @@
 
 const path = require('path');
 const { spawn } = require('child_process');
-const { AIProvider, registerProvider } = require('./provider');
+const { AIProvider, registerProvider, quoteShellArgs } = require('./provider');
 const logger = require('../utils/logger');
 const { extractJSON } = require('../utils/json-extractor');
 const { CancellationError, isAnalysisCancelled } = require('../routes/shared');
@@ -21,42 +21,63 @@ const BIN_DIR = path.join(__dirname, '..', '..', 'bin');
  *
  * GitHub Copilot CLI supports multiple AI models including OpenAI,
  * Anthropic, and Google models via the --model flag.
+ * Available models (as of Feb 2026): claude-haiku-4.5, claude-sonnet-4.5,
+ * gemini-3-pro-preview, gpt-5.2-codex, claude-opus-4.5,
+ * claude-opus-4.6. Default is claude-sonnet-4.5.
  */
 const COPILOT_MODELS = [
   {
-    id: 'gpt-5.1-codex-mini',
-    name: 'GPT-5.1 Mini',
+    id: 'claude-haiku-4.5',
+    name: 'Claude Haiku 4.5',
     tier: 'fast',
     tagline: 'Quick Scan',
-    description: 'Rapid feedback for obvious issues and style checks',
+    description: 'Rapid feedback for obvious issues, style checks, and simple logic errors',
     badge: 'Speedy',
     badgeClass: 'badge-speed'
   },
   {
-    id: 'gemini-3-pro-preview',
-    name: 'Gemini 3 Pro',
+    id: 'claude-sonnet-4.5',
+    name: 'Claude Sonnet 4.5',
     tier: 'balanced',
     tagline: 'Reliable Review',
-    description: 'Solid everyday reviews with good coverage',
+    description: 'Copilot default—strong code understanding with excellent quality-to-cost ratio',
     badge: 'Recommended',
     badgeClass: 'badge-recommended',
     default: true
   },
   {
-    id: 'gpt-5.1-codex-max',
-    name: 'GPT-5.1 Max',
-    tier: 'thorough',
-    tagline: 'Deep Analysis',
-    description: 'Comprehensive reviews for complex changes',
-    badge: 'Thorough',
-    badgeClass: 'badge-power'
+    id: 'gemini-3-pro-preview',
+    name: 'Gemini 3 Pro',
+    tier: 'balanced',
+    tagline: 'Strong Alternative',
+    description: "Google's most capable model—strong reasoning for cross-file analysis",
+    badge: 'Balanced',
+    badgeClass: 'badge-balanced'
+  },
+  {
+    id: 'gpt-5.2-codex',
+    name: 'GPT-5.2 Codex',
+    tier: 'balanced',
+    tagline: 'Alternative View',
+    description: 'OpenAI code-specialized model—different perspective for cross-file analysis',
+    badge: 'Balanced',
+    badgeClass: 'badge-balanced'
   },
   {
     id: 'claude-opus-4.5',
     name: 'Claude Opus 4.5',
-    tier: 'premium',
-    tagline: 'Ultimate Review',
-    description: 'The most capable model for critical code reviews',
+    tier: 'thorough',
+    tagline: 'Deep Analysis',
+    description: 'Highly capable model for critical code reviews—strong reasoning for security and architecture',
+    badge: 'Premium',
+    badgeClass: 'badge-premium'
+  },
+  {
+    id: 'claude-opus-4.6',
+    name: 'Claude Opus 4.6',
+    tier: 'thorough',
+    tagline: 'Most Capable',
+    description: 'Most capable model for critical code reviews—deep reasoning for security and architecture',
     badge: 'Premium',
     badgeClass: 'badge-premium'
   }
@@ -71,7 +92,7 @@ class CopilotProvider extends AIProvider {
    * @param {Object} configOverrides.env - Additional environment variables
    * @param {Object[]} configOverrides.models - Custom model definitions
    */
-  constructor(model = 'gemini-3-pro-preview', configOverrides = {}) {
+  constructor(model = 'claude-sonnet-4.5', configOverrides = {}) {
     super(model);
 
     // Command precedence: ENV > config > default
@@ -191,7 +212,7 @@ class CopilotProvider extends AIProvider {
         // Escape the prompt for shell
         const escapedPrompt = prompt.replace(/'/g, "'\\''");
         // Build: copilot --model X --deny-tool ... -s -p 'prompt'
-        fullCommand = `${this.command} ${this.baseArgs.join(' ')} -p '${escapedPrompt}'`;
+        fullCommand = `${this.command} ${quoteShellArgs(this.baseArgs).join(' ')} -p '${escapedPrompt}'`;
         fullArgs = [];
       } else {
         // Build args array: --model X --deny-tool ... -s -p <prompt>
@@ -359,7 +380,7 @@ class CopilotProvider extends AIProvider {
     // Use stdin for prompt - safer than command args for arbitrary content
     if (useShell) {
       return {
-        command: `${copilotCmd} ${args.join(' ')}`,
+        command: `${copilotCmd} ${quoteShellArgs(args).join(' ')}`,
         args: [],
         useShell: true,
         promptViaStdin: true
@@ -441,7 +462,7 @@ class CopilotProvider extends AIProvider {
   }
 
   static getDefaultModel() {
-    return 'gemini-3-pro-preview';
+    return 'claude-sonnet-4.5';
   }
 
   static getInstallInstructions() {

package/src/ai/cursor-agent-provider.js

@@ -16,7 +16,7 @@
 
 const path = require('path');
 const { spawn } = require('child_process');
-const { AIProvider, registerProvider } = require('./provider');
+const { AIProvider, registerProvider, quoteShellArgs } = require('./provider');
 const logger = require('../utils/logger');
 const { extractJSON } = require('../utils/json-extractor');
 const { CancellationError, isAnalysisCancelled } = require('../routes/shared');
@@ -30,9 +30,9 @@ const BIN_DIR = path.join(__dirname, '..', '..', 'bin');
  *
  * Tier structure:
  * - free (auto): Cursor's default auto-routing model
- * - fast (gpt-5.2-codex-fast): Quick code-specialized analysis
- * - balanced (sonnet-4.5-thinking, gemini-3-pro): Recommended for most reviews
- * - thorough (gpt-5.2-codex-high, opus-4.5-thinking): Deep analysis for complex code
+ * - fast (composer-1, gpt-5.3-codex-fast, gemini-3-flash): Quick analysis
+ * - balanced (composer-1.5, sonnet-4.5-thinking, gemini-3-pro): Recommended for most reviews
+ * - thorough (gpt-5.3-codex-high, opus-4.5-thinking, opus-4.6-thinking): Deep analysis for complex code
  */
 const CURSOR_AGENT_MODELS = [
   {
@@ -45,20 +45,47 @@ const CURSOR_AGENT_MODELS = [
     badgeClass: 'badge-speed'
   },
   {
-    id: 'gpt-5.2-codex-fast',
-    name: 'GPT-5.2 Codex Fast',
+    id: 'composer-1.5',
+    name: 'Composer 1.5',
+    tier: 'balanced',
+    tagline: 'Latest Composer',
+    description: 'Cursor Composer model—positioned between Sonnet and Opus for multi-file edits',
+    badge: 'Balanced',
+    badgeClass: 'badge-balanced'
+  },
+  {
+    id: 'composer-1',
+    name: 'Composer 1',
+    tier: 'fast',
+    tagline: 'Original Composer',
+    description: 'Cursor Composer model—good for quick multi-file editing workflows',
+    badge: 'Fast',
+    badgeClass: 'badge-speed'
+  },
+  {
+    id: 'gpt-5.3-codex-fast',
+    name: 'GPT-5.3 Codex Fast',
     tier: 'fast',
     tagline: 'Lightning Fast',
-    description: 'Quick code-specialized analysis for simple changes',
+    description: 'Latest code-specialized model optimized for speed—quick scans for obvious issues',
     badge: 'Fastest',
     badgeClass: 'badge-speed'
   },
+  {
+    id: 'gemini-3-flash',
+    name: 'Gemini 3 Flash',
+    tier: 'fast',
+    tagline: 'Fast & Capable',
+    description: 'High SWE-bench scores at a fraction of the cost—great for quick reviews',
+    badge: 'Fast',
+    badgeClass: 'badge-speed'
+  },
   {
     id: 'sonnet-4.5-thinking',
     name: 'Claude 4.5 Sonnet (Thinking)',
     tier: 'balanced',
     tagline: 'Best Balance',
-    description: 'Extended thinking for thorough analysis',
+    description: 'Extended thinking for thorough analysis with excellent quality-to-cost ratio',
     badge: 'Recommended',
     badgeClass: 'badge-recommended',
     default: true
@@ -68,16 +95,16 @@ const CURSOR_AGENT_MODELS = [
     name: 'Gemini 3 Pro',
     tier: 'balanced',
     tagline: 'Strong Alternative',
-    description: "Google's flagship model for code review",
+    description: "Google's flagship model for code review—strong agentic and vibe coding capabilities",
     badge: 'Balanced',
     badgeClass: 'badge-balanced'
   },
   {
-    id: 'gpt-5.2-codex-high',
-    name: 'GPT-5.2 Codex High',
+    id: 'gpt-5.3-codex-high',
+    name: 'GPT-5.3 Codex High',
     tier: 'thorough',
     tagline: 'Deep Code Analysis',
-    description: "OpenAI's best for complex code review",
+    description: "OpenAI's latest and most capable for complex code review with deep reasoning",
     badge: 'Thorough',
     badgeClass: 'badge-power'
   },
@@ -85,8 +112,17 @@ const CURSOR_AGENT_MODELS = [
     id: 'opus-4.5-thinking',
     name: 'Claude 4.5 Opus (Thinking)',
     tier: 'thorough',
+    tagline: 'Deep Analysis',
+    description: 'Deep analysis with extended thinking for complex code reviews',
+    badge: 'Thorough',
+    badgeClass: 'badge-power'
+  },
+  {
+    id: 'opus-4.6-thinking',
+    name: 'Claude 4.6 Opus (Thinking)',
+    tier: 'thorough',
     tagline: 'Most Capable',
-    description: 'Deep analysis with extended thinking for complex code',
+    description: 'Deep analysis with extended thinking—Cursor default for maximum review quality',
     badge: 'Most Thorough',
     badgeClass: 'badge-power'
   }
@@ -159,7 +195,7 @@ class CursorAgentProvider extends AIProvider {
 
     if (this.useShell) {
       // In shell mode, build full command string with args
-      this.command = `${agentCmd} ${[...baseArgs, ...providerArgs, ...modelArgs].join(' ')}`;
+      this.command = `${agentCmd} ${quoteShellArgs([...baseArgs, ...providerArgs, ...modelArgs]).join(' ')}`;
       this.args = [];
     } else {
       this.command = agentCmd;
@@ -662,7 +698,7 @@ class CursorAgentProvider extends AIProvider {
     // For extraction, we pass the prompt via stdin
     if (useShell) {
       return {
-        command: `${agentCmd} ${args.join(' ')}`,
+        command: `${agentCmd} ${quoteShellArgs(args).join(' ')}`,
         args: [],
         useShell: true,
         promptViaStdin: true

package/src/ai/gemini-provider.js

@@ -7,7 +7,7 @@
 
 const path = require('path');
 const { spawn } = require('child_process');
-const { AIProvider, registerProvider } = require('./provider');
+const { AIProvider, registerProvider, quoteShellArgs } = require('./provider');
 const logger = require('../utils/logger');
 const { extractJSON } = require('../utils/json-extractor');
 const { CancellationError, isAnalysisCancelled } = require('../routes/shared');
@@ -25,7 +25,7 @@ const GEMINI_MODELS = [
     name: '3.0 Flash',
     tier: 'fast',
     tagline: 'Rapid Sanity Check',
-    description: 'Best for catching syntax, typos, and simple logic errors',
+    description: 'Fast and capable at a fraction of the cost of larger models',
     badge: 'Quick Look',
     badgeClass: 'badge-speed'
   },
@@ -34,7 +34,7 @@ const GEMINI_MODELS = [
     name: '2.5 Pro',
     tier: 'balanced',
     tagline: 'Standard PR Review',
-    description: 'Reliable feedback on code style, features, and refactoring',
+    description: 'Strong reasoning with large context window—reliable for everyday code reviews',
     badge: 'Daily Driver',
     badgeClass: 'badge-recommended',
     default: true
@@ -44,7 +44,7 @@ const GEMINI_MODELS = [
     name: '3.0 Pro',
     tier: 'thorough',
     tagline: 'Architectural Audit',
-    description: 'Deep analysis for race conditions, security, and edge cases',
+    description: 'Most intelligent Gemini model—advanced reasoning for deep architectural analysis',
     badge: 'Deep Dive',
     badgeClass: 'badge-power'
   }
@@ -156,16 +156,9 @@ class GeminiProvider extends AIProvider {
 
     if (this.useShell) {
       // In shell mode, build full command string with args
-      // Quote the allowed-tools value to prevent shell interpretation of special characters
+      // Quote all args to prevent shell interpretation of special characters
       // (commas, parentheses in patterns like "run_shell_command(git diff)")
-      const quotedBaseArgs = baseArgs.map((arg, i) => {
-        // The allowed-tools value follows the --allowed-tools flag
-        if (baseArgs[i - 1] === '--allowed-tools') {
-          return `'${arg}'`;
-        }
-        return arg;
-      });
-      this.command = `${geminiCmd} ${[...quotedBaseArgs, ...providerArgs, ...modelArgs].join(' ')}`;
+      this.command = `${geminiCmd} ${quoteShellArgs([...baseArgs, ...providerArgs, ...modelArgs]).join(' ')}`;
       this.args = [];
     } else {
       this.command = geminiCmd;
@@ -616,7 +609,7 @@ class GeminiProvider extends AIProvider {
     // For extraction, we pass the prompt via stdin
     if (useShell) {
       return {
-        command: `${geminiCmd} ${args.join(' ')}`,
+        command: `${geminiCmd} ${quoteShellArgs(args).join(' ')}`,
         args: [],
         useShell: true,
         promptViaStdin: true

package/src/ai/opencode-provider.js

@@ -13,7 +13,7 @@
 
 const path = require('path');
 const { spawn } = require('child_process');
-const { AIProvider, registerProvider } = require('./provider');
+const { AIProvider, registerProvider, quoteShellArgs } = require('./provider');
 const logger = require('../utils/logger');
 const { extractJSON } = require('../utils/json-extractor');
 const { CancellationError, isAnalysisCancelled } = require('../routes/shared');
@@ -114,7 +114,7 @@ class OpenCodeProvider extends AIProvider {
       let fullArgs;
 
       if (this.useShell) {
-        fullCommand = `${this.opencodeCmd} ${this.baseArgs.join(' ')}`;
+        fullCommand = `${this.opencodeCmd} ${quoteShellArgs(this.baseArgs).join(' ')}`;
         fullArgs = [];
       } else {
         fullCommand = this.opencodeCmd;
@@ -554,7 +554,7 @@ class OpenCodeProvider extends AIProvider {
     // OpenCode reads from stdin when no positional message arguments are provided
     if (useShell) {
       return {
-        command: `${opencodeCmd} ${args.join(' ')}`,
+        command: `${opencodeCmd} ${quoteShellArgs(args).join(' ')}`,
         args: [],
         useShell: true,
         promptViaStdin: true

package/src/ai/pi-provider.js

@@ -18,7 +18,7 @@
 
 const path = require('path');
 const { spawn } = require('child_process');
-const { AIProvider, registerProvider } = require('./provider');
+const { AIProvider, registerProvider, quoteShellArgs } = require('./provider');
 const logger = require('../utils/logger');
 const { extractJSON } = require('../utils/json-extractor');
 const { CancellationError, isAnalysisCancelled } = require('../routes/shared');
@@ -253,7 +253,7 @@ class PiProvider extends AIProvider {
       let fullArgs;
 
       if (this.useShell) {
-        fullCommand = `${this.piCmd} ${this.baseArgs.join(' ')}`;
+        fullCommand = `${this.piCmd} ${quoteShellArgs(this.baseArgs).join(' ')}`;
         fullArgs = [];
       } else {
         fullCommand = this.piCmd;
@@ -745,7 +745,7 @@ class PiProvider extends AIProvider {
     // Pi reads from stdin when using -p with no positional message arguments
     if (useShell) {
       return {
-        command: `${piCmd} ${args.join(' ')}`,
+        command: `${piCmd} ${quoteShellArgs(args).join(' ')}`,
         args: [],
         useShell: true,
         promptViaStdin: true,

package/src/ai/provider.js

@@ -14,6 +14,24 @@ const { extractJSON } = require('../utils/json-extractor');
 // Directory containing bin scripts (git-diff-lines, etc.)
 const BIN_DIR = path.join(__dirname, '..', '..', 'bin');
 
+/**
+ * Quote shell-sensitive arguments for safe shell execution.
+ * Any arg containing characters that could be interpreted by the shell
+ * (brackets, parentheses, commas, etc.) is wrapped in single quotes
+ * with internal single quotes escaped using the POSIX pattern.
+ *
+ * @param {string[]} args - Array of CLI arguments
+ * @returns {string[]} Args with shell-sensitive values quoted
+ */
+function quoteShellArgs(args) {
+  return args.map(arg => {
+    if (/[[\]*?(){}$!&|;<>,\s'"\\`#~]/.test(arg)) {
+      return `'${arg.replace(/'/g, "'\\''")}'`;
+    }
+    return arg;
+  });
+}
+
 /**
  * Model tier definitions - provider-agnostic tiers that map to specific models
  */
@@ -639,6 +657,7 @@ async function testProviderAvailability(providerId, timeout = 10000) {
 module.exports = {
   AIProvider,
   MODEL_TIERS,
+  quoteShellArgs,
   registerProvider,
   getProviderClass,
   getRegisteredProviderIds,