@inteeka/task-cli 0.2.25 → 0.2.27

package/dist/cli.js

@@ -171,6 +171,17 @@ var CLI_ALLOWED_TOOLS = Object.freeze([
   "Bash(pnpm typecheck*)",
   "Bash(pnpm lint*)"
 ]);
+var CLI_REVIEW_ALLOWED_TOOLS = Object.freeze([
+  "Read",
+  "Glob",
+  "Grep",
+  "Bash(git diff:*)",
+  "Bash(git log:*)",
+  "Bash(git show:*)",
+  "Bash(git status)",
+  "Bash(git branch:*)",
+  "Bash(gh pr view:*)"
+]);
 var CLI_DEVICE_POLL_INTERVAL_SECONDS = 5;
 var CLI_DEVICE_POLL_SLOW_DOWN_INCREMENT_SECONDS = 5;
 var CLI_ACCESS_TOKEN_TTL_SECONDS = 60 * 60;
@@ -193,6 +204,13 @@ var CLI_AUDIT_ACTIONS = Object.freeze([
   "cli.run.pr_failed",
   "cli.run.push_failed",
   "cli.run.resumed",
+  "cli.run.auto_review_passed",
+  "cli.run.auto_review_failed",
+  "cli.run.auto_review_errored",
+  // Server-side audit actions for the auto-review verdict path. Emitted
+  // by /api/v1/cli/me/tickets/[id]/pull-requests/[prNumber]/auto-review-verdict.
+  "git.pr.auto_review_passed",
+  "git.pr.auto_review_failed",
   "cli.work.pr_recovered",
   "cli.schedule.created",
   "cli.schedule.paused",
@@ -1523,6 +1541,10 @@ var ALLOWED_TOOLS = CLI_ALLOWED_TOOLS;
 function allowedToolsFlag() {
   return ALLOWED_TOOLS.join(",");
 }
+var REVIEW_ALLOWED_TOOLS = CLI_REVIEW_ALLOWED_TOOLS;
+function reviewAllowedToolsFlag() {
+  return REVIEW_ALLOWED_TOOLS.join(",");
+}
 
 // src/agent/system-prompt.ts
 function buildSystemPrompt(args) {
@@ -1581,7 +1603,7 @@ async function runAgent(args) {
     logHandle = createWriteStream(outputLogPath, { flags: "a" });
   }
   let stderrBuffer = "";
-  const STDERR_KEEP = 4e3;
+  const STDERR_KEEP2 = 4e3;
   return new Promise((resolve2, reject) => {
     const child = spawn(claude, cliArgs, {
       cwd: args.cwd,
@@ -1605,7 +1627,7 @@ async function runAgent(args) {
       } else {
         process.stderr.write(chunk);
       }
-      stderrBuffer = (stderrBuffer + chunk.toString("utf8")).slice(-STDERR_KEEP);
+      stderrBuffer = (stderrBuffer + chunk.toString("utf8")).slice(-STDERR_KEEP2);
     });
     child.on("close", (code) => {
       logHandle?.end();
@@ -1615,6 +1637,297 @@ async function runAgent(args) {
   });
 }
 
+// src/agent/pr-review-service.ts
+import { spawn as spawn2 } from "child_process";
+import { mkdir as mkdir7, writeFile as writeFile8 } from "fs/promises";
+import { homedir as homedir5 } from "os";
+import { join as join8 } from "path";
+
+// src/agent/pr-review-prompt.ts
+var QA_BLOCK = `# /qa lens \u2014 final quality gate
+
+You are acting as the QA lead reviewer. Score the diff against these checks:
+
+1. Contract integrity \u2014 does the change honour the public API / UI contract that callers depend on? Any breaking change without a migration is an automatic NO-GO.
+2. Multi-tenant safety \u2014 every query touching tenant data must filter by organisation_id. Any new query missing this filter is a NO-GO.
+3. Validation \u2014 every new mutation endpoint has a Zod schema with .strict() on updates, max-lengths on free text, UUID validation on path params. Missing \u2192 NO-GO.
+4. Soft delete \u2014 never hard-delete user-facing entities. Hard delete \u2192 NO-GO.
+5. UI accessibility \u2014 new interactive elements have semantic markup (button, role, aria-label as needed). Raw <div onClick> on a logical control \u2192 NO-GO.
+6. Test coverage \u2014 meaningful new logic should have a test in the same PR. Untested critical path \u2192 CONDITIONAL (not NO-GO unless the path is a security boundary).
+
+QA verdict scale:
+  GO          \u2014 all checks pass, ready to merge
+  CONDITIONAL \u2014 non-blocking gaps (e.g. missing test, small a11y nit). Merge is acceptable but findings should be filed.
+  NO-GO       \u2014 at least one blocking check failed
+`;
+var SECURITY_BLOCK = `# /security lens \u2014 Security Review Gate
+
+You are acting as the security agent. Apply the 5 Non-Negotiables and the 5 Security Layers.
+
+5 Non-Negotiables (any failure \u2192 FAIL):
+  1. RLS / organisation_id \u2014 every tenant table query filters by organisation_id; every insert sets it. No bypass via service-role client unless the file is a documented background job.
+  2. Zod validation \u2014 every mutation endpoint validates inputs; update schemas use .strict().
+  3. Secrets \u2014 no secrets in code, no NEXT_PUBLIC_ leakage of server-only env vars, no console.log of tokens / cookies / session ids.
+  4. Audit chain \u2014 mutations on audited resources call writeAuditLog; system_audit_log and ticket_activity_log are never UPDATEd or DELETEd.
+  5. CSRF / auth \u2014 dashboard mutations require session auth; widget endpoints require API key; webhook endpoints verify HMAC signature.
+
+5 Security Layers to review independently:
+  - authentication       (session vs api_key vs HMAC selected correctly?)
+  - tenant_resolution    (organisation_id resolved from membership / api_key \u2192 project, never from request body?)
+  - authorisation        (role check matches endpoint sensitivity?)
+  - rls                  (queries filtered by organisation_id?)
+  - audit                (mutations recorded with writeAuditLog?)
+
+Security verdict scale:
+  PASS                  \u2014 all five layers pass, no findings above 'low'
+  PASS_WITH_CONDITIONS  \u2014 only 'low' findings; no critical/high/medium issues
+  FAIL                  \u2014 at least one critical, high, or medium finding, OR any 'fail' in the five layers
+`;
+var OUTPUT_CONTRACT = `# Output contract \u2014 REQUIRED
+
+After your analysis, end your reply with exactly ONE fenced \`\`\`json block matching this schema. No prose after the closing fence.
+
+\`\`\`json
+{
+  "overall": "pass" | "fail",
+  "summary": "<one sentence \u2014 what the PR does and the headline verdict>",
+  "qa": {
+    "verdict": "GO" | "CONDITIONAL" | "NO-GO",
+    "failed_checks": ["<short label>", ...]
+  },
+  "security": {
+    "verdict": "PASS" | "PASS_WITH_CONDITIONS" | "FAIL",
+    "layers_reviewed": {
+      "authentication": "PASS" | "FAIL",
+      "tenant_resolution": "PASS" | "FAIL",
+      "authorisation": "PASS" | "FAIL",
+      "rls": "PASS" | "FAIL",
+      "audit": "PASS" | "FAIL"
+    }
+  },
+  "findings": [
+    {
+      "lens": "qa" | "security",
+      "severity": "critical" | "high" | "medium" | "low",
+      "file": "<repo-relative path or null>",
+      "description": "<what is wrong>",
+      "recommendation": "<what to change>"
+    }
+  ]
+}
+\`\`\`
+
+Rules:
+  - "overall": "pass" ONLY when qa.verdict === "GO" AND security.verdict === "PASS". Anything else \u2192 "fail".
+  - "findings" is an array (may be empty on a clean pass).
+  - Keep total response under 4000 tokens \u2014 be concise and actionable.
+`;
+function buildPrReviewSystemPrompt(_args) {
+  return [
+    "You are a paranoid senior reviewer auditing a pull request that was generated by an AI agent. Treat every line of the diff as if it were written by an attacker who knows your blind spots.",
+    "",
+    "You have read-only tools (git diff, git log, Read, Grep, Glob, gh pr view). Do NOT attempt to edit or write files; the toolset will refuse.",
+    "",
+    "Two lenses, applied independently then combined. Be evidence-driven \u2014 cite file paths in findings.",
+    "",
+    QA_BLOCK,
+    "",
+    SECURITY_BLOCK,
+    "",
+    OUTPUT_CONTRACT
+  ].join("\n");
+}
+function buildPrReviewUserPrompt(args) {
+  return [
+    `PR #${args.prNumber} (${args.prUrl})`,
+    `Branch: ${args.branchName} \u2192 ${args.baseBranch}`,
+    "",
+    `Run \`git diff ${args.baseBranch}...${args.branchName}\` to see every changed line. If the diff is large, also run \`git diff ${args.baseBranch}...${args.branchName} --stat\` first to orient yourself, then drill into files that look risky.`,
+    "",
+    "Read referenced files in full if a finding depends on surrounding context (RLS policies, validation schemas, audit-log helpers).",
+    "",
+    "When ready, emit your verdict as the fenced JSON block specified in the system prompt. No prose after the closing fence."
+  ].join("\n");
+}
+
+// src/agent/pr-review-service.ts
+var PrReviewError = class extends Error {
+  code;
+  excerpt;
+  constructor(code, message, excerpt = "") {
+    super(message);
+    this.name = "PrReviewError";
+    this.code = code;
+    this.excerpt = excerpt;
+  }
+};
+var STDERR_KEEP = 4e3;
+async function runPrReview(args) {
+  const systemPrompt = buildPrReviewSystemPrompt(args);
+  const userPrompt = buildPrReviewUserPrompt(args);
+  const claude = args.claudePath ?? "claude";
+  const cliArgs = [
+    "--allowedTools",
+    reviewAllowedToolsFlag(),
+    "--system-prompt",
+    systemPrompt,
+    ...args.modelId ? ["--model", args.modelId] : [],
+    userPrompt
+  ];
+  const logDir = join8(homedir5(), ".cache", "task", "runs");
+  await mkdir7(logDir, { recursive: true }).catch(() => {
+  });
+  const logPath = join8(logDir, `${args.runId}.review.log`);
+  await writeFile8(logPath, "").catch(() => {
+  });
+  const { createWriteStream } = await import("fs");
+  const logHandle = createWriteStream(logPath, { flags: "a" });
+  let stdoutBuffer = "";
+  let stderrTail = "";
+  const exitCode = await new Promise((resolve2, reject) => {
+    const child = spawn2(claude, cliArgs, {
+      cwd: args.cwd,
+      stdio: ["ignore", "pipe", "pipe"],
+      env: { ...process.env, FORCE_COLOR: args.silent ? "0" : "1" }
+    });
+    child.on("error", (err) => {
+      logHandle.end();
+      reject(new PrReviewError("spawn_failed", `Could not spawn claude: ${err.message}`));
+    });
+    child.stdout?.on("data", (chunk) => {
+      stdoutBuffer += chunk.toString("utf8");
+      if (args.silent) {
+        logHandle.write(chunk);
+      } else {
+        process.stdout.write(chunk);
+        logHandle.write(chunk);
+      }
+    });
+    child.stderr?.on("data", (chunk) => {
+      if (args.silent) {
+        logHandle.write(chunk);
+      } else {
+        process.stderr.write(chunk);
+        logHandle.write(chunk);
+      }
+      stderrTail = (stderrTail + chunk.toString("utf8")).slice(-STDERR_KEEP);
+    });
+    child.on("close", (code) => {
+      logHandle.end();
+      resolve2(code ?? 0);
+    });
+  });
+  if (exitCode !== 0) {
+    throw new PrReviewError(
+      "nonzero_exit",
+      `claude review subprocess exited with code ${exitCode}`,
+      stderrTail
+    );
+  }
+  return parseVerdict(stdoutBuffer, logPath);
+}
+function parseVerdict(stdout, logPath) {
+  const blocks = extractJsonBlocks(stdout);
+  if (blocks.length === 0) {
+    throw new PrReviewError(
+      "no_json_block",
+      "Could not find a fenced ```json block in the review subprocess output",
+      stdout.slice(-2e3)
+    );
+  }
+  const rawJson = blocks[blocks.length - 1];
+  let parsed;
+  try {
+    parsed = JSON.parse(rawJson);
+  } catch (err) {
+    throw new PrReviewError(
+      "invalid_json",
+      `JSON.parse failed: ${err.message}`,
+      rawJson.slice(0, 2e3)
+    );
+  }
+  const verdict = normaliseVerdict(parsed, rawJson, logPath);
+  return verdict;
+}
+function extractJsonBlocks(text) {
+  const re = /```(?:json|JSON|jsonc)\s*\n([\s\S]*?)\n```/g;
+  const out = [];
+  let match;
+  while ((match = re.exec(text)) !== null) {
+    if (match[1] !== void 0) out.push(match[1]);
+  }
+  return out;
+}
+var QA_VERDICTS = /* @__PURE__ */ new Set(["GO", "CONDITIONAL", "NO-GO"]);
+var SECURITY_VERDICTS = /* @__PURE__ */ new Set(["PASS", "PASS_WITH_CONDITIONS", "FAIL"]);
+var SECURITY_LAYER_VERDICTS = /* @__PURE__ */ new Set(["PASS", "FAIL"]);
+var SEVERITIES = /* @__PURE__ */ new Set(["critical", "high", "medium", "low"]);
+var LAYER_KEYS = [
+  "authentication",
+  "tenant_resolution",
+  "authorisation",
+  "rls",
+  "audit"
+];
+function normaliseVerdict(raw, rawJson, logPath) {
+  if (raw === null || typeof raw !== "object") {
+    throw new PrReviewError(
+      "schema_mismatch",
+      "Verdict JSON is not an object",
+      rawJson.slice(0, 1e3)
+    );
+  }
+  const r = raw;
+  const qaRaw = r["qa"] ?? {};
+  const secRaw = r["security"] ?? {};
+  const layersRaw = secRaw["layers_reviewed"] ?? {};
+  const qaVerdict = String(qaRaw["verdict"] ?? "");
+  if (!QA_VERDICTS.has(qaVerdict)) {
+    throw new PrReviewError(
+      "schema_mismatch",
+      `qa.verdict is "${qaVerdict}", expected one of GO / CONDITIONAL / NO-GO`,
+      rawJson.slice(0, 1e3)
+    );
+  }
+  const securityVerdict = String(secRaw["verdict"] ?? "");
+  if (!SECURITY_VERDICTS.has(securityVerdict)) {
+    throw new PrReviewError(
+      "schema_mismatch",
+      `security.verdict is "${securityVerdict}", expected PASS / PASS_WITH_CONDITIONS / FAIL`,
+      rawJson.slice(0, 1e3)
+    );
+  }
+  const layers = {};
+  for (const key of LAYER_KEYS) {
+    const val = String(layersRaw[key] ?? "");
+    layers[key] = SECURITY_LAYER_VERDICTS.has(val) ? val : "FAIL";
+  }
+  const findingsRaw = Array.isArray(r["findings"]) ? r["findings"] : [];
+  const findings = findingsRaw.slice(0, 50).map((f) => {
+    const fr = f ?? {};
+    const severity = String(fr["severity"] ?? "low");
+    const lensRaw = String(fr["lens"] ?? "qa");
+    return {
+      lens: lensRaw === "security" ? "security" : "qa",
+      severity: SEVERITIES.has(severity) ? severity : "low",
+      file: typeof fr["file"] === "string" ? fr["file"].slice(0, 500) : null,
+      description: String(fr["description"] ?? "").slice(0, 2e3),
+      recommendation: String(fr["recommendation"] ?? "").slice(0, 2e3)
+    };
+  });
+  const failedChecks = Array.isArray(qaRaw["failed_checks"]) ? qaRaw["failed_checks"].map((s) => String(s).slice(0, 200)).slice(0, 20) : [];
+  const overall = qaVerdict === "GO" && securityVerdict === "PASS" ? "pass" : "fail";
+  return {
+    overall,
+    summary: String(r["summary"] ?? "").slice(0, 1e3) || (overall === "pass" ? "Review passed." : "Review failed."),
+    qa: { verdict: qaVerdict, failed_checks: failedChecks },
+    security: { verdict: securityVerdict, layers_reviewed: layers },
+    findings,
+    rawJson: rawJson.slice(0, 5e4),
+    logPath
+  };
+}
+
 // src/guardrail/diff-check.ts
 import { execFileSync as execFileSync4 } from "child_process";
 
@@ -1705,7 +2018,7 @@ function discardWorkingTreeChanges(cwd) {
 }
 
 // src/test-runner/run-tests.ts
-import { spawn as spawn2 } from "child_process";
+import { spawn as spawn3 } from "child_process";
 var ALLOWED_EXECUTABLES = /* @__PURE__ */ new Set(["pnpm", "npm", "yarn", "bun", "node", "npx"]);
 var DEFAULT_COMMAND = "pnpm typecheck";
 var TIMEOUT_MS = 10 * 60 * 1e3;
@@ -1733,7 +2046,7 @@ async function runProjectTest(args) {
   const [exe, ...rest] = argv;
   const startedAt = Date.now();
   return new Promise((resolve2) => {
-    const child = spawn2(exe, rest, {
+    const child = spawn3(exe, rest, {
       cwd: args.cwd,
       stdio: ["ignore", "pipe", "pipe"],
       shell: false,
@@ -1778,16 +2091,16 @@ async function runProjectTest(args) {
 }
 
 // src/test-runner/auto-install.ts
-import { spawn as spawn3 } from "child_process";
+import { spawn as spawn4 } from "child_process";
 import { stat as stat2 } from "fs/promises";
-import { dirname as dirname4, join as join8 } from "path";
+import { dirname as dirname4, join as join9 } from "path";
 var INSTALL_TIMEOUT_MS = 10 * 60 * 1e3;
 var TAIL_BYTES2 = 4e3;
 async function findPnpmWorkspaceRoot(start) {
   let cur = start;
   for (; ; ) {
     try {
-      await stat2(join8(cur, "pnpm-lock.yaml"));
+      await stat2(join9(cur, "pnpm-lock.yaml"));
       return cur;
     } catch {
     }
@@ -1817,8 +2130,8 @@ async function ensureWorkspaceInstalled(args) {
       tail: ""
     };
   }
-  const lockMtime = await mtimeMs(join8(workspaceRoot, "pnpm-lock.yaml"));
-  const markerMtime = await mtimeMs(join8(workspaceRoot, "node_modules", ".modules.yaml"));
+  const lockMtime = await mtimeMs(join9(workspaceRoot, "pnpm-lock.yaml"));
+  const markerMtime = await mtimeMs(join9(workspaceRoot, "node_modules", ".modules.yaml"));
   if (lockMtime !== null && markerMtime !== null && markerMtime >= lockMtime) {
     return {
       ok: true,
@@ -1832,7 +2145,7 @@ async function ensureWorkspaceInstalled(args) {
   }
   const reason = markerMtime === null ? "node_modules missing \u2014 cold install" : "pnpm-lock.yaml newer than install marker";
   return new Promise((resolve2) => {
-    const child = spawn3("pnpm", ["install", "--frozen-lockfile"], {
+    const child = spawn4("pnpm", ["install", "--frozen-lockfile"], {
       cwd: workspaceRoot,
       stdio: ["ignore", "pipe", "pipe"],
       shell: false,
@@ -1878,10 +2191,10 @@ async function ensureWorkspaceInstalled(args) {
 }
 
 // src/util/progress.ts
-import { mkdir as mkdir7, writeFile as writeFile8, rename as rename2, unlink as unlink3, readdir, stat as stat3 } from "fs/promises";
+import { mkdir as mkdir8, writeFile as writeFile9, rename as rename2, unlink as unlink3, readdir, stat as stat3 } from "fs/promises";
 import { tmpdir } from "os";
-import { join as join9 } from "path";
-var PROGRESS_DIR = join9(tmpdir(), "task-progress");
+import { join as join10 } from "path";
+var PROGRESS_DIR = join10(tmpdir(), "task-progress");
 var STALE_MAX_AGE_MS = 24 * 60 * 60 * 1e3;
 var ProgressWriter = class {
   path;
@@ -1894,7 +2207,7 @@ var ProgressWriter = class {
     this.ticketId = ticketId;
     const deliveryId = process.env["TASK_DELIVERY_ID"]?.trim();
     const fileBase = deliveryId && deliveryId.length > 0 ? deliveryId : `manual-${process.pid}`;
-    this.path = join9(PROGRESS_DIR, `${fileBase}.json`);
+    this.path = join10(PROGRESS_DIR, `${fileBase}.json`);
   }
   /** Switch the in-flight ticket between phases (used by `task scan` which iterates). */
   setTicketId(ticketId) {
@@ -1928,12 +2241,12 @@ var ProgressWriter = class {
     });
   }
   async writeAtomic(payload) {
-    await mkdir7(PROGRESS_DIR, { recursive: true }).catch(() => {
+    await mkdir8(PROGRESS_DIR, { recursive: true }).catch(() => {
     });
     const body = JSON.stringify(payload);
     const tmp = `${this.path}.tmp`;
     try {
-      await writeFile8(tmp, body, { encoding: "utf8", mode: 384 });
+      await writeFile9(tmp, body, { encoding: "utf8", mode: 384 });
       await rename2(tmp, this.path);
     } catch {
       await unlink3(tmp).catch(() => {
@@ -1950,7 +2263,7 @@ var ProgressWriter = class {
       const cutoff = Date.now() - STALE_MAX_AGE_MS;
       await Promise.all(
         entries.filter((name) => name.endsWith(".json") || name.endsWith(".json.tmp")).map(async (name) => {
-          const p = join9(PROGRESS_DIR, name);
+          const p = join10(PROGRESS_DIR, name);
           try {
             const s = await stat3(p);
             if (s.mtimeMs < cutoff) {
@@ -1992,6 +2305,9 @@ function registerWork(program2) {
   ).option(
     "--confirm",
     "Confirm --reset in non-TTY (silent / scheduled-task) contexts. Has no effect without --reset."
+  ).option(
+    "--no-auto-review",
+    "Skip the post-PR /qa + /security auto-review. The PR is left open for a human to review and merge."
   ).option("--schedule-id <id>", "Internal: schedule id when invoked from a scheduled task").action(async (ticketId, opts) => {
     await runWork(ticketId, opts);
   });
@@ -2515,6 +2831,86 @@ Claude session: ${runId}
     if (err instanceof CliError) err.phase = "post_push";
     throw err;
   }
+  const autoReviewEnabled = opts.autoReview !== false;
+  if (autoReviewEnabled && prNumber !== void 0 && prUrl !== void 0 && !opts.dryRun) {
+    await progress.setPhase("auto_reviewing");
+    if (!silent) {
+      process.stdout.write(c.dim("  Auto-reviewing PR \u2014 /qa + /security\u2026\n"));
+    }
+    try {
+      const verdict = await runPrReview({
+        cwd,
+        runId,
+        silent,
+        baseBranch: ticketBaseBranch,
+        branchName,
+        prNumber,
+        prUrl,
+        ...ctx.localCfg.claude_path ? { claudePath: ctx.localCfg.claude_path } : {}
+      });
+      const verdictResp = await apiCallOrThrow(
+        "POST",
+        `/api/v1/cli/me/tickets/${detail.id}/pull-requests/${prNumber}/auto-review-verdict`,
+        {
+          body: {
+            overall: verdict.overall,
+            summary: verdict.summary,
+            qa: verdict.qa,
+            security: verdict.security,
+            findings: verdict.findings,
+            raw_json: verdict.rawJson,
+            claude_session_id: runId
+          }
+        }
+      );
+      await apiCall("POST", "/api/v1/cli/me/runs", {
+        body: {
+          ticket_id: detail.id,
+          schedule_id: opts.scheduleId,
+          event: verdict.overall === "pass" ? "auto_review_passed" : "auto_review_failed",
+          claude_session_id: runId,
+          output_excerpt: `qa=${verdict.qa.verdict} security=${verdict.security.verdict}` + (verdict.findings.length > 0 ? ` | ${verdict.findings.length} finding(s)` : "")
+        }
+      });
+      if (!silent) {
+        const icon = verdict.overall === "pass" ? c.ok("\u2713 Auto-review PASS") : c.warn("\u2717 Auto-review FAIL");
+        process.stdout.write(
+          `${icon} qa=${verdict.qa.verdict} security=${verdict.security.verdict}
+`
+        );
+        if (verdict.overall === "pass") {
+          process.stdout.write(
+            c.dim(
+              verdictResp.status === "queued_for_merge" ? "  PR approved \u2014 queued for merge to " : "  Verdict recorded; merge queue update: "
+            ) + c.cyan(`${ticketBaseBranch}
+`)
+          );
+        } else {
+          process.stdout.write(
+            c.dim(`  ${verdict.findings.length} finding(s) posted as PR comment; PR left open.
+`)
+          );
+        }
+      }
+    } catch (err) {
+      const excerpt = err instanceof PrReviewError ? `${err.code}: ${err.message.slice(0, 1e3)}` : err.message.slice(0, 1e3);
+      await apiCall("POST", "/api/v1/cli/me/runs", {
+        body: {
+          ticket_id: detail.id,
+          schedule_id: opts.scheduleId,
+          event: "auto_review_errored",
+          claude_session_id: runId,
+          output_excerpt: excerpt
+        }
+      });
+      if (!silent) {
+        process.stdout.write(
+          `${c.warn("! Auto-review skipped")} ${c.dim(excerpt.slice(0, 200))}
+` + c.dim("  PR left open for manual review.\n")
+        );
+      }
+    }
+  }
   try {
     checkoutBranch(cwd, baseBranch);
   } catch {
@@ -3431,10 +3827,10 @@ function autopilotExitCode(code, status) {
 }
 
 // src/scan/llm.ts
-import { spawn as spawn4 } from "child_process";
-import { mkdir as mkdir8, writeFile as writeFile9 } from "fs/promises";
-import { homedir as homedir5 } from "os";
-import { join as join10 } from "path";
+import { spawn as spawn5 } from "child_process";
+import { mkdir as mkdir9, writeFile as writeFile10 } from "fs/promises";
+import { homedir as homedir6 } from "os";
+import { join as join11 } from "path";
 var FIX_PROMPT_JSON_SCHEMA = {
   type: "object",
   // Phase 3 — confidence_reason is REQUIRED unconditionally so the
@@ -3523,7 +3919,7 @@ async function generateFixPromptJson(args) {
   return new Promise((resolve2, reject) => {
     let child;
     try {
-      child = spawn4(claude, cliArgs, {
+      child = spawn5(claude, cliArgs, {
         stdio: ["pipe", "pipe", "pipe"],
         signal: args.signal
       });
@@ -3649,10 +4045,10 @@ function readEnvelopeTokens(raw, userPrompt, innerText) {
 async function maybeDumpDebug(ticketId, stdout, stderr) {
   if (!DEBUG && stdout.length === 0 && stderr.length === 0) return null;
   try {
-    const dir = join10(homedir5(), ".cache", "task", "scan-debug");
-    await mkdir8(dir, { recursive: true });
-    const path = join10(dir, `${ticketId}-${Date.now()}.log`);
-    await writeFile9(
+    const dir = join11(homedir6(), ".cache", "task", "scan-debug");
+    await mkdir9(dir, { recursive: true });
+    const path = join11(dir, `${ticketId}-${Date.now()}.log`);
+    await writeFile10(
       path,
       ["## ticket_id", ticketId, "", "## stdout", stdout, "", "## stderr", stderr].join("\n")
     );
@@ -3997,6 +4393,239 @@ function clampInt(raw, min, max, fallback) {
   return Math.min(v, max);
 }
 
+// src/commands/slack-import.ts
+import { spawn as spawn6 } from "child_process";
+import { request as request5 } from "undici";
+var BULLET_TYPES = ["bug", "feature", "task", "question", "improvement"];
+var BULLET_PRIORITIES = ["critical", "high", "medium", "low", "none"];
+var CLASSIFICATIONS = ["code", "physical"];
+var BULLETS_SCHEMA = {
+  type: "object",
+  required: ["bullets"],
+  additionalProperties: false,
+  properties: {
+    bullets: {
+      type: "array",
+      maxItems: 200,
+      items: {
+        type: "object",
+        required: ["title", "description", "type", "priority", "classification"],
+        additionalProperties: false,
+        properties: {
+          title: { type: "string", minLength: 1, maxLength: 500 },
+          description: { type: "string", minLength: 1, maxLength: 8e3 },
+          type: { type: "string", enum: BULLET_TYPES },
+          priority: { type: "string", enum: BULLET_PRIORITIES },
+          classification: { type: "string", enum: CLASSIFICATIONS },
+          reason: { type: "string", maxLength: 500 }
+        }
+      }
+    }
+  }
+};
+var SYSTEM_PROMPT = `You convert raw Slack call notes into a list of actionable tickets, one per concrete action item.
+
+For each bullet decide:
+- classification = "code" if the item requires changes to the team's software (bug fixes, feature work, refactors, deploys, infra/config changes that a developer would do).
+- classification = "physical" if it is a human action that doesn't touch the codebase (sending an email, calling a vendor, booking a meeting, writing a non-code doc, scheduling someone's time, follow-ups, status updates).
+
+When in doubt, prefer "physical". A false-positive "code" ticket wastes AI budget and pollutes the dev queue. A false-positive "physical" ticket still gets tracked and a human can re-classify.
+
+For each ticket also choose:
+- type: bug | feature | task | question | improvement (task is the safe default)
+- priority: critical | high | medium | low | none (medium is the safe default)
+
+The "reason" field is a brief 1-sentence explanation of WHY you classified the bullet this way \u2014 useful for the team reviewing the import. Keep it under 500 chars.
+
+Drop greetings, social chatter, recaps that aren't actionable, and anything that is purely informational. Each bullet must be a concrete action someone has to do.
+
+Return JSON only, matching the supplied schema. No prose, no markdown fences, no commentary.`;
+var SLACK_IMPORT_MODEL = "claude-sonnet-4-6";
+function sanitiseNotes(raw) {
+  return raw.replace(/ignore\s+(all\s+)?previous\s+instructions/gi, "[REDACTED]").replace(/system\s*:\s*/gi, "[REDACTED]");
+}
+function registerSlackImport(program2) {
+  program2.command("slack-import").description(
+    "Internal: parse Slack call notes (from stdin) into classified bullets and PATCH them back to a slack_imports row. Spawned by the listener \u2014 not for direct human use."
+  ).requiredOption("--import-id <uuid>", "Slack-import row id (from the webhook payload)").requiredOption("--organisation-id <uuid>", "Organisation id of the import").requiredOption("--project-id <uuid>", "Project id of the import").requiredOption("--update-url <url>", "Absolute callback URL for PATCH status updates").option(
+    "--notes-stdin",
+    "Read raw notes from stdin (default; the listener passes them this way)"
+  ).option("--notes <text>", "Inline notes for local testing (mutually exclusive with stdin)").option("--claude-path <path>", "Override the claude binary path").action(async (opts) => {
+    await runSlackImport(opts);
+  });
+}
+async function runSlackImport(opts) {
+  let creds = await readCredentials();
+  if (!creds) {
+    throw new CliError(
+      CLI_EXIT_CODES.MISCONFIGURATION,
+      "Not signed in",
+      "Run 'task login' on this host so the listener can PATCH back."
+    );
+  }
+  creds = await ensureFreshAccessToken(creds);
+  await patchStatus(opts.updateUrl, creds.access_token, { status: "processing" }).catch((err) => {
+    process.stderr.write(`[slack-import] processing PATCH failed: ${err.message}
+`);
+  });
+  const rawNotes = await readNotes(opts);
+  if (!rawNotes.trim()) {
+    await patchStatus(opts.updateUrl, creds.access_token, {
+      status: "failed",
+      error_message: "No notes provided on stdin"
+    });
+    throw new CliError(CLI_EXIT_CODES.GENERIC_ERROR, "No notes provided");
+  }
+  let bullets;
+  try {
+    bullets = await generateBullets({
+      notes: sanitiseNotes(rawNotes),
+      claudePath: opts.claudePath
+    });
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    await patchStatus(opts.updateUrl, creds.access_token, {
+      status: "failed",
+      error_message: msg.slice(0, 2e3)
+    }).catch(() => void 0);
+    throw new CliError(CLI_EXIT_CODES.GENERIC_ERROR, `Bullet generation failed: ${msg}`);
+  }
+  const result = await patchStatus(opts.updateUrl, creds.access_token, {
+    status: "completed",
+    bullets
+  });
+  process.stdout.write(
+    `${c.ok("\u2713")} slack-import ${opts.importId.slice(0, 8)}\u2026 \u2014 ${bullets.length} bullets (${result.code_count ?? 0} code, ${result.physical_count ?? 0} physical)
+`
+  );
+}
+async function readNotes(opts) {
+  if (opts.notes !== void 0) return opts.notes;
+  const chunks = [];
+  let total = 0;
+  for await (const chunk of process.stdin) {
+    const buf = Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk);
+    total += buf.length;
+    if (total > 6e4) {
+      throw new CliError(CLI_EXIT_CODES.GENERIC_ERROR, "Notes exceed 60KB");
+    }
+    chunks.push(buf);
+  }
+  return Buffer.concat(chunks).toString("utf8");
+}
+async function generateBullets(args) {
+  const claude = args.claudePath ?? "claude";
+  const cliArgs = [
+    "--print",
+    "--output-format",
+    "json",
+    "--tools",
+    "",
+    "--system-prompt",
+    SYSTEM_PROMPT,
+    "--model",
+    SLACK_IMPORT_MODEL,
+    "--json-schema",
+    JSON.stringify(BULLETS_SCHEMA)
+  ];
+  return new Promise((resolve2, reject) => {
+    let child;
+    try {
+      child = spawn6(claude, cliArgs, { stdio: ["pipe", "pipe", "pipe"] });
+    } catch (err) {
+      reject(new Error(`Could not invoke claude: ${err.message}`));
+      return;
+    }
+    let stdoutBuf = "";
+    let stderrBuf = "";
+    child.stdout?.on("data", (b) => stdoutBuf += b.toString("utf8"));
+    child.stderr?.on("data", (b) => stderrBuf += b.toString("utf8"));
+    child.on("error", (err) => reject(err));
+    child.on("close", (code) => {
+      if (code !== 0) {
+        reject(
+          new Error(
+            `claude exited ${code}${stderrBuf.trim() ? ": " + stderrBuf.trim().slice(0, 500) : ""}`
+          )
+        );
+        return;
+      }
+      const extracted = extractStructured(stdoutBuf);
+      if (!extracted.ok) {
+        reject(new Error(extracted.error));
+        return;
+      }
+      const list = extracted.value.bullets;
+      if (!Array.isArray(list)) {
+        reject(new Error("claude returned no bullets array"));
+        return;
+      }
+      const out = [];
+      for (const b of list) {
+        const cls = b["classification"];
+        if (cls !== "code" && cls !== "physical") continue;
+        const title = typeof b["title"] === "string" ? b["title"].slice(0, 500) : "";
+        const description = typeof b["description"] === "string" ? b["description"].slice(0, 8e3) : "";
+        if (!title || !description) continue;
+        const type2 = BULLET_TYPES.includes(b["type"]) ? b["type"] : "task";
+        const priority = BULLET_PRIORITIES.includes(b["priority"]) ? b["priority"] : "medium";
+        const item = { title, description, type: type2, priority, classification: cls };
+        if (typeof b["reason"] === "string") item.reason = b["reason"].slice(0, 500);
+        out.push(item);
+      }
+      resolve2(out);
+    });
+    child.stdin?.write(args.notes);
+    child.stdin?.end();
+  });
+}
+function extractStructured(raw) {
+  const trimmed = raw.trim();
+  if (!trimmed) return { ok: false, error: "claude returned empty stdout" };
+  try {
+    const env = JSON.parse(trimmed);
+    if (env.is_error === true) {
+      const code = typeof env.error_code === "string" ? env.error_code : "unknown";
+      const result = typeof env.result === "string" ? env.result.slice(0, 400) : "";
+      return { ok: false, error: `claude is_error (${code}): ${result || "no detail"}` };
+    }
+    if (env.structured_output && typeof env.structured_output === "object") {
+      return { ok: true, value: env.structured_output };
+    }
+    if (typeof env.result === "string") {
+      const m = env.result.match(/\{[\s\S]*\}/);
+      if (m) return { ok: true, value: JSON.parse(m[0]) };
+    }
+  } catch {
+  }
+  try {
+    const m = trimmed.match(/\{[\s\S]*\}/);
+    if (m) return { ok: true, value: JSON.parse(m[0]) };
+  } catch {
+  }
+  return { ok: false, error: "claude returned no parseable JSON" };
+}
+async function patchStatus(url, bearer, body) {
+  const res = await request5(url, {
+    method: "PATCH",
+    headers: {
+      "Content-Type": "application/json",
+      Authorization: `Bearer ${bearer}`
+    },
+    body: JSON.stringify(body)
+  });
+  const text = await res.body.text();
+  if (res.statusCode >= 400) {
+    throw new Error(`PATCH ${url} \u2192 ${res.statusCode}: ${text.slice(0, 400)}`);
+  }
+  try {
+    const parsed = JSON.parse(text);
+    return parsed.data ?? {};
+  } catch {
+    return {};
+  }
+}
+
 // src/commands/fast-track.ts
 import { randomUUID as randomUUID3 } from "crypto";
 import ora3 from "ora";
@@ -4006,7 +4635,10 @@ function registerFastTrack(program2) {
   ).option("--max <n>", "Process up to N tickets in this invocation", "1").option("--api-url <url>", "Override TASK_API_URL").option("--silent", "Suppress per-ticket progress chrome").option("--dry-run", "Run scan + approve + agent + tests but do not commit, push, or open a PR").option(
     "--reset",
     "DESTRUCTIVE: discard local working-tree changes before the first ticket. Requires --confirm in non-TTY contexts."
-  ).option("--confirm", "Confirm --reset in non-TTY (silent / scheduled-task) contexts").option("--schedule-id <id>", "Internal: schedule id when invoked from a scheduled task").action(async (opts) => {
+  ).option("--confirm", "Confirm --reset in non-TTY (silent / scheduled-task) contexts").option(
+    "--no-auto-review",
+    "Skip the post-PR /qa + /security auto-review. Each PR is left open for a human to review and merge."
+  ).option("--schedule-id <id>", "Internal: schedule id when invoked from a scheduled task").action(async (opts) => {
     await runFastTrack(opts);
   });
 }
@@ -4047,7 +4679,11 @@ async function runFastTrack(opts) {
       ...opts.dryRun ? { dryRun: true } : {},
       ...opts.scheduleId ? { scheduleId: opts.scheduleId } : {},
       ...firstIteration && opts.reset ? { reset: true } : {},
-      ...firstIteration && opts.confirm ? { confirm: true } : {}
+      ...firstIteration && opts.confirm ? { confirm: true } : {},
+      // Commander sets opts.autoReview to `false` only when --no-auto-review
+      // is passed; otherwise it's `undefined` and processOneTicketImpl
+      // treats `undefined` as "auto-review enabled" (opts.autoReview !== false).
+      ...opts.autoReview === false ? { autoReview: false } : {}
     };
     const outcome = await fastTrackOneTicket({
       api,
@@ -4387,10 +5023,10 @@ import { randomUUID as randomUUID4 } from "crypto";
 import { platform as platform2 } from "os";
 
 // src/scheduler/launchd.ts
-import { mkdir as mkdir9, readFile as readFile5, writeFile as writeFile10, unlink as unlink4, readdir as readdir2 } from "fs/promises";
-import { homedir as homedir6 } from "os";
-import { join as join11 } from "path";
-import { execFileSync as execFileSync9, spawn as spawn5 } from "child_process";
+import { mkdir as mkdir10, readFile as readFile5, writeFile as writeFile11, unlink as unlink4, readdir as readdir2 } from "fs/promises";
+import { homedir as homedir7 } from "os";
+import { join as join12 } from "path";
+import { execFileSync as execFileSync9, spawn as spawn7 } from "child_process";
 
 // src/scheduler/cron-translate.ts
 function translateToLaunchd(cron) {
@@ -4491,14 +5127,14 @@ function expandField(field, min, max) {
 }
 
 // src/scheduler/launchd.ts
-var PLIST_DIR = join11(homedir6(), "Library", "LaunchAgents");
+var PLIST_DIR = join12(homedir7(), "Library", "LaunchAgents");
 var LABEL_PREFIX = "com.inteeka.task.cli.";
 var SAFE_ID_RE = /^[0-9a-zA-Z._-]+$/;
 function plistPath(id) {
   if (!SAFE_ID_RE.test(id) || id.includes("..")) {
     throw new Error(`Refusing to compute plist path for unsafe id: ${id}`);
   }
-  return join11(PLIST_DIR, `${LABEL_PREFIX}${id}.plist`);
+  return join12(PLIST_DIR, `${LABEL_PREFIX}${id}.plist`);
 }
 function buildPlist(entry) {
   const calendars = translateToLaunchd(entry.cron);
@@ -4534,9 +5170,9 @@ ${fields}
     `    <string>/usr/local/bin:/usr/bin:/bin:/opt/homebrew/bin</string>`,
     `  </dict>`,
     `  <key>StandardOutPath</key>`,
-    `  <string>${escapeXml(join11(homedir6(), ".cache", "task", "launchd-stdout.log"))}</string>`,
+    `  <string>${escapeXml(join12(homedir7(), ".cache", "task", "launchd-stdout.log"))}</string>`,
     `  <key>StandardErrorPath</key>`,
-    `  <string>${escapeXml(join11(homedir6(), ".cache", "task", "launchd-stderr.log"))}</string>`,
+    `  <string>${escapeXml(join12(homedir7(), ".cache", "task", "launchd-stderr.log"))}</string>`,
     !entry.enabled ? `  <key>Disabled</key>
   <true/>` : "",
     "</dict>",
@@ -4554,9 +5190,9 @@ function bootstrapDomain() {
 }
 var launchdAdapter = {
   async upsert(entry) {
-    await mkdir9(PLIST_DIR, { recursive: true });
+    await mkdir10(PLIST_DIR, { recursive: true });
     const path = plistPath(entry.id);
-    await writeFile10(path, buildPlist(entry));
+    await writeFile11(path, buildPlist(entry));
     try {
       execFileSync9("launchctl", ["bootout", bootstrapDomain(), path], { stdio: "ignore" });
     } catch {
@@ -4585,7 +5221,7 @@ var launchdAdapter = {
       for (const file of ours) {
         const id = file.slice(LABEL_PREFIX.length, -".plist".length);
         try {
-          const xml = await readFile5(join11(PLIST_DIR, file), "utf8");
+          const xml = await readFile5(join12(PLIST_DIR, file), "utf8");
           const cron = xml.match(/<key>StartCalendarInterval<\/key>[\s\S]*?<\/array>/)?.[0] ?? "";
           const command = xml.match(/<key>ProgramArguments<\/key>\s*<array>([\s\S]*?)<\/array>/)?.[1] ?? "";
           const disabled = /<key>Disabled<\/key>\s*<true\/>/.test(xml);
@@ -4608,7 +5244,7 @@ var launchdAdapter = {
     return new Promise((resolve2) => {
       const args = entry.command.match(/(?:[^\s"]+|"[^"]*")+/g) ?? [entry.command];
       const cmd = args.shift() ?? entry.command;
-      const child = spawn5(cmd, args, { stdio: ["ignore", "pipe", "pipe"] });
+      const child = spawn7(cmd, args, { stdio: ["ignore", "pipe", "pipe"] });
       let stdoutTail = "";
       let stderrTail = "";
       child.stdout?.on("data", (chunk) => {
@@ -4631,7 +5267,7 @@ var launchdAdapter = {
     }
     if (enabled) {
       xml = xml.replace(/\s*<key>Disabled<\/key>\s*<true\/>/, "");
-      await writeFile10(path, xml);
+      await writeFile11(path, xml);
       try {
         execFileSync9("launchctl", ["bootout", bootstrapDomain(), path], { stdio: "ignore" });
       } catch {
@@ -4643,7 +5279,7 @@ var launchdAdapter = {
           "</dict>\n</plist>",
           "  <key>Disabled</key>\n  <true/>\n</dict>\n</plist>"
         );
-        await writeFile10(path, xml);
+        await writeFile11(path, xml);
       }
       try {
         execFileSync9("launchctl", ["bootout", bootstrapDomain(), path], { stdio: "ignore" });
@@ -4654,7 +5290,7 @@ var launchdAdapter = {
 };
 
 // src/scheduler/cron.ts
-import { execFileSync as execFileSync10, spawn as spawn6 } from "child_process";
+import { execFileSync as execFileSync10, spawn as spawn8 } from "child_process";
 
 // src/scheduler/safe-command.ts
 var FORBIDDEN = /[;&|`$()<>\\]/;
@@ -4715,7 +5351,7 @@ function readCrontab() {
   }
 }
 function writeCrontab(text) {
-  const child = spawn6("crontab", ["-"], { stdio: ["pipe", "inherit", "inherit"] });
+  const child = spawn8("crontab", ["-"], { stdio: ["pipe", "inherit", "inherit"] });
   child.stdin.write(text);
   child.stdin.end();
 }
@@ -4796,7 +5432,7 @@ var cronAdapter = {
       return Promise.resolve({ exitCode: 1, stdoutTail: "", stderrTail: `rejected: ${reason}` });
     }
     return new Promise((resolve2) => {
-      const child = spawn6(parsed.bin, parsed.args, { stdio: ["ignore", "pipe", "pipe"] });
+      const child = spawn8(parsed.bin, parsed.args, { stdio: ["ignore", "pipe", "pipe"] });
       let stdoutTail = "";
       let stderrTail = "";
       child.stdout?.on(
@@ -4824,7 +5460,7 @@ var cronAdapter = {
 };
 
 // src/scheduler/windows.ts
-import { execFileSync as execFileSync11, spawn as spawn7 } from "child_process";
+import { execFileSync as execFileSync11, spawn as spawn9 } from "child_process";
 var TASK_PREFIX = "TaskCLI_";
 function taskName(id) {
   return `${TASK_PREFIX}${id.replace(/[^A-Za-z0-9_-]/g, "_")}`;
@@ -4937,7 +5573,7 @@ var windowsAdapter = {
       return Promise.resolve({ exitCode: 1, stdoutTail: "", stderrTail: `rejected: ${reason}` });
     }
     return new Promise((resolve2) => {
-      const child = spawn7(parsed.bin, parsed.args, { stdio: ["ignore", "pipe", "pipe"] });
+      const child = spawn9(parsed.bin, parsed.args, { stdio: ["ignore", "pipe", "pipe"] });
       let stdoutTail = "";
       let stderrTail = "";
       child.stdout?.on(
@@ -4996,10 +5632,10 @@ var unsupportedAdapter = {
 };
 
 // src/scheduler/registry.ts
-import { mkdir as mkdir10, readFile as readFile6, writeFile as writeFile11 } from "fs/promises";
-import { homedir as homedir7 } from "os";
-import { dirname as dirname5, join as join12 } from "path";
-var REGISTRY_PATH = join12(homedir7(), ".config", "task", "schedules.json");
+import { mkdir as mkdir11, readFile as readFile6, writeFile as writeFile12 } from "fs/promises";
+import { homedir as homedir8 } from "os";
+import { dirname as dirname5, join as join13 } from "path";
+var REGISTRY_PATH = join13(homedir8(), ".config", "task", "schedules.json");
 var UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
 function looksLikeRegistryRow(value) {
   if (!value || typeof value !== "object") return false;
@@ -5019,8 +5655,8 @@ async function readRegistry() {
   }
 }
 async function writeRegistry(rows) {
-  await mkdir10(dirname5(REGISTRY_PATH), { recursive: true });
-  await writeFile11(REGISTRY_PATH, JSON.stringify(rows, null, 2));
+  await mkdir11(dirname5(REGISTRY_PATH), { recursive: true });
+  await writeFile12(REGISTRY_PATH, JSON.stringify(rows, null, 2));
 }
 async function upsertRegistry(row) {
   if (!UUID_RE.test(row.id)) {
@@ -5260,8 +5896,8 @@ function stripAnsi(s) {
 
 // src/commands/runs.ts
 import { readFile as readFile7 } from "fs/promises";
-import { homedir as homedir8 } from "os";
-import { join as join13 } from "path";
+import { homedir as homedir9 } from "os";
+import { join as join14 } from "path";
 function registerRuns(program2) {
   const cmd = program2.command("runs").description("Inspect agentic CLI run history");
   cmd.command("list").description("List recent runs").option("--limit <n>", "Max rows", "50").option("--ticket <id>", "Filter by ticket").option("--schedule <id>", "Filter by schedule").action(async (opts) => {
@@ -5290,7 +5926,7 @@ function registerRuns(program2) {
     process.stdout.write(JSON.stringify(row, null, 2) + "\n");
   });
   cmd.command("logs <id>").description("Show captured agent output for a run, if available").action(async (id) => {
-    const localPath = join13(homedir8(), ".cache", "task", "runs", `${id}.log`);
+    const localPath = join14(homedir9(), ".cache", "task", "runs", `${id}.log`);
     try {
       const text = await readFile7(localPath, "utf8");
       process.stdout.write(text);
@@ -5363,9 +5999,9 @@ function registerConfig(program2) {
 
 // src/commands/doctor.ts
 import { execFileSync as execFileSync12 } from "child_process";
-import { readFile as readFile8, writeFile as writeFile12 } from "fs/promises";
-import { join as join14 } from "path";
-import { request as request5 } from "undici";
+import { readFile as readFile8, writeFile as writeFile13 } from "fs/promises";
+import { join as join15 } from "path";
+import { request as request6 } from "undici";
 var ALLOWED_TEST_EXECUTABLES = /* @__PURE__ */ new Set(["pnpm", "npm", "yarn", "bun", "node", "npx"]);
 var DEFAULT_TEST_COMMAND = "pnpm typecheck";
 function registerDoctor(program2) {
@@ -5406,7 +6042,7 @@ function registerDoctor(program2) {
     });
     const apiUrl = creds?.api_url ?? cfg.api_url;
     try {
-      const res = await request5(apiUrl, {
+      const res = await request6(apiUrl, {
         method: "GET",
         headersTimeout: 5e3,
         bodyTimeout: 5e3
@@ -5578,7 +6214,7 @@ async function checkPrePushTest(root, configuredCommand, fix) {
       detail: `${command} (non-script executable, not statically verifiable)`
     };
   }
-  const pkgPath = join14(root, "package.json");
+  const pkgPath = join15(root, "package.json");
   let pkgRaw;
   try {
     pkgRaw = await readFile8(pkgPath, "utf8");
@@ -5614,7 +6250,7 @@ async function checkPrePushTest(root, configuredCommand, fix) {
     pkg.scripts = { ...scripts, typecheck: "tsc --noEmit" };
     const indent = detectIndent(pkgRaw);
     const trailingNewline = pkgRaw.endsWith("\n") ? "\n" : "";
-    await writeFile12(pkgPath, JSON.stringify(pkg, null, indent) + trailingNewline);
+    await writeFile13(pkgPath, JSON.stringify(pkg, null, indent) + trailingNewline);
     return {
       name: "pre-push test",
       ok: true,
@@ -5663,7 +6299,7 @@ function checkBinary(name, command) {
 }
 
 // src/commands/version.ts
-var CLI_VERSION = true ? "0.2.25" : "0.0.0-dev";
+var CLI_VERSION = true ? "0.2.27" : "0.0.0-dev";
 function registerVersion(program2) {
   program2.command("version").description("Print the CLI version").action(() => {
     process.stdout.write(CLI_VERSION + "\n");
@@ -5690,6 +6326,7 @@ registerMultiWork(program);
 registerResume(program);
 registerReset(program);
 registerScan(program);
+registerSlackImport(program);
 registerFastTrack(program);
 registerPrTest(program);
 registerScheduledTask(program);