@jigyasudham/veto 0.8.3 → 1.0.0

package/src/council/product-manager.ts

@@ -1,102 +0,0 @@
-// Product Manager — ship value fast, cut scope ruthlessly
-import type { AgentVote } from './types.js';
-
-const BLOCK_RULES: Array<{ pattern: RegExp; reason: string; recommendation: string }> = [
-  {
-    pattern: /rewrite.{0,20}from.{0,10}scratch/i,
-    reason: 'Rewriting from scratch abandons working code and delays users by months.',
-    recommendation: 'Incremental refactor using Strangler Fig. Split only when bottleneck is proven.',
-  },
-  {
-    pattern: /build.{0,20}(our own|custom).{0,20}(framework|orm|database|auth.?system|message.?queue)/i,
-    reason: 'Building custom infrastructure has a 12+ month cost before it provides value.',
-    recommendation: 'Use battle-tested existing solutions. Build what differentiates you, not plumbing.',
-  },
-];
-
-const WARN_RULES: Array<{ pattern: RegExp; concern: string; recommendation: string }> = [
-  {
-    pattern: /\bmicroservice/i,
-    concern: 'Microservices add 10x operational complexity. Justified only at Netflix/Amazon scale.',
-    recommendation: 'Start modular monolith. Extract services only when a specific bottleneck demands it.',
-  },
-  {
-    pattern: /enterprise.{0,20}(grade|pattern|architecture|solution)/i,
-    concern: 'Enterprise patterns optimize for 10,000-person orgs, not fast-moving products.',
-    recommendation: 'Ship the simple version. Add enterprise complexity when customers pay for it.',
-  },
-  {
-    pattern: /future.{0,20}proof|build.{0,20}for.{0,20}(scale|growth|million)/i,
-    concern: 'Optimizing for imaginary future scale delays value to users you have today.',
-    recommendation: "YAGNI. Build for 10x current scale, not 1000x. You'll know when you need more.",
-  },
-  {
-    pattern: /\bperfect\b|\bflawless\b|fully.{0,10}generic|completely.{0,10}flexible/i,
-    concern: 'Perfect is the enemy of shipped. What is the minimum version that solves the problem?',
-    recommendation: 'Define a specific "done" criterion. Timebox perfection work to 20% of total.',
-  },
-  {
-    pattern: /build.{0,20}(framework|platform|engine|layer|system)\b.{0,20}first/i,
-    concern: 'Building infrastructure before product delays user value. Products fund platforms.',
-    recommendation: 'Build product features. Extract the framework only when the pattern is proven.',
-  },
-  {
-    pattern: /abstrac|generic.{0,20}(solution|framework|wrapper|handler)/i,
-    concern: 'Premature abstraction bets on requirements that may never come.',
-    recommendation: 'Three concrete implementations before extracting an abstraction.',
-  },
-  {
-    pattern: /add.{0,20}feature.{0,30}(not.{0,10}ask|nobody.{0,10}request|just.{0,10}in.{0,10}case)/i,
-    concern: 'Building unrequested features is scope creep. Validate demand first.',
-    recommendation: 'Ship what was asked. Add features after user feedback confirms demand.',
-  },
-  {
-    pattern: /v2|v3|version\s+[23]/i,
-    concern: 'Designing v2/v3 before v1 ships is a classic focus trap.',
-    recommendation: 'Ship v1. Learn from real users. Then plan v2 with real data.',
-  },
-];
-
-const TRIVIAL = /^(rename|fix typo|reorder|reformat|format|update comment|add comment)\b/i;
-
-export function analyze(task: string): AgentVote {
-  if (TRIVIAL.test(task.trim())) {
-    return { verdict: 'approve', reason: 'Trivial change — no product concerns.', concerns: [] };
-  }
-
-  const blocks: Array<{ reason: string; recommendation: string }> = [];
-  const concerns: string[] = [];
-  const recommendations: string[] = [];
-
-  for (const rule of BLOCK_RULES) {
-    if (rule.pattern.test(task)) {
-      blocks.push({ reason: rule.reason, recommendation: rule.recommendation });
-    }
-  }
-  for (const rule of WARN_RULES) {
-    if (rule.pattern.test(task)) {
-      concerns.push(rule.concern);
-      recommendations.push(rule.recommendation);
-    }
-  }
-
-  if (blocks.length > 0) {
-    return {
-      verdict: 'block',
-      reason: blocks[0].reason,
-      concerns: blocks.slice(1).map(b => b.reason),
-      recommendation: blocks.map(b => b.recommendation).join(' | '),
-    };
-  }
-
-  if (concerns.length > 0) {
-    return {
-      verdict: 'warn',
-      reason: `${concerns.length} product risk${concerns.length > 1 ? 's' : ''} — scope or complexity concern.`,
-      concerns,
-      recommendation: recommendations[0],
-    };
-  }
-
-  return { verdict: 'approve', reason: 'Reasonable scope. Ship it.', concerns: [] };
-}

package/src/council/security.ts

@@ -1,172 +0,0 @@
-// Security — threat modeling, attack surface analysis, auth weaknesses, CVE patterns
-import type { AgentVote } from './types.js';
-
-const BLOCK_RULES: Array<{ pattern: RegExp; reason: string; recommendation: string }> = [
-  {
-    pattern: /(no.{0,25}rate.?limit|(auth|login|password|signin|otp|2fa|token|reset).{0,50}no.{0,20}rate.?limit|no.{0,25}rate.?limit.{0,50}(auth|login|password|signin|otp|2fa))/i,
-    reason: 'Auth endpoint without rate limiting is wide open to brute-force and credential stuffing.',
-    recommendation: 'Rate limit: 5 attempts / 15 min / IP. Exponential backoff. Lock account after 10 failures.',
-  },
-  {
-    pattern: /jwt.{0,35}(no|without|missing).{0,20}expir|token.{0,20}never.{0,15}expir/i,
-    reason: 'JWTs without expiry are permanent access tokens — a stolen token never becomes invalid.',
-    recommendation: 'Set JWT exp to 15 min. Issue refresh tokens in httpOnly, Secure, SameSite=Strict cookies.',
-  },
-  {
-    pattern: /localStorage.{0,30}(token|jwt|session|auth|secret)|(token|jwt|session|auth|secret).{0,30}localStorage/i,
-    reason: 'Tokens in localStorage are readable by any script — XSS vulnerability gives full account takeover.',
-    recommendation: 'Store tokens only in httpOnly Secure SameSite=Strict cookies. Never localStorage.',
-  },
-  {
-    pattern: /no.{0,20}csrf|skip.{0,20}csrf|disable.{0,20}csrf|without.{0,20}csrf/i,
-    reason: 'Missing CSRF protection enables cross-site request forgery — attackers can act as authenticated users.',
-    recommendation: 'Use CSRF tokens for form submissions. Set SameSite=Strict on session cookies as baseline.',
-  },
-  {
-    pattern: /run.{0,20}(as\s+)?root|user\s+root.{0,20}(docker|container|image)/i,
-    reason: 'Running containers as root means any exploit has full host access.',
-    recommendation: 'Add `USER 1001` in Dockerfile. Use rootless containers. Drop all capabilities.',
-  },
-  {
-    pattern: /admin.{0,35}(route|endpoint|panel|api).{0,35}(no|without|skip|missing).{0,20}auth/i,
-    reason: 'Admin routes without authentication check expose privileged operations to any unauthenticated caller.',
-    recommendation: 'Guard all admin routes with both authentication AND role/permission authorization check.',
-  },
-  {
-    pattern: /\b(mass.?assign|accept.{0,20}(all|any).{0,20}(field|body|param|input))\b/i,
-    reason: 'Mass assignment lets attackers inject internal fields (isAdmin: true) through the request body.',
-    recommendation: 'Whitelist allowed fields explicitly. Never spread req.body into DB operations.',
-  },
-  {
-    pattern: /\.\.\/|\.\.\\|path.{0,20}traversal|(file|path).{0,20}(user|input|param).{0,20}(read|open|access)/i,
-    reason: 'Path traversal vulnerability — attacker can read arbitrary server files by manipulating path input.',
-    recommendation: 'Use path.resolve() and verify result starts with your allowed base directory.',
-  },
-  {
-    pattern: /deserializ.{0,30}(user|external|untrusted|input)/i,
-    reason: 'Deserializing untrusted data enables remote code execution via gadget chains.',
-    recommendation: 'Never deserialize untrusted data. Use JSON.parse() with schema validation (zod).',
-  },
-  {
-    pattern: /xml.{0,30}(user|input|external).{0,30}(parse|process)/i,
-    reason: 'Parsing user-supplied XML without XXE protection enables XML External Entity injection.',
-    recommendation: 'Disable external entity processing in your XML parser. Prefer JSON over XML for APIs.',
-  },
-  {
-    pattern: /\bshell\b.{0,30}(user|input|param)|exec\s*\(.{0,30}(req\.|input|param)/i,
-    reason: 'Passing user input to shell commands enables OS command injection — full server compromise.',
-    recommendation: 'Use execFile() with args as array. Never concatenate user input into shell commands.',
-  },
-  {
-    pattern: /no.{0,20}(auth|authentication|authorization).{0,30}(internal|service.?to.?service|microservice)/i,
-    reason: 'Service-to-service calls without auth allows any internal service to impersonate another.',
-    recommendation: 'Use mutual TLS or service tokens for internal API calls. Never trust internal network alone.',
-  },
-];
-
-const WARN_RULES: Array<{ pattern: RegExp; concern: string; recommendation: string }> = [
-  {
-    pattern: /no.{0,25}(content.?security.?policy|\bcsp\b)/i,
-    concern: 'Missing Content-Security-Policy header — no browser-level XSS mitigation.',
-    recommendation: "Set CSP: default-src 'self'; script-src 'self'. Use helmet.js for Express.",
-  },
-  {
-    pattern: /verbose.{0,20}error|stack.?trace.{0,25}(user|client|return|response|send)/i,
-    concern: 'Verbose error messages expose file paths, library versions, and stack traces to attackers.',
-    recommendation: 'Log full errors server-side only. Return generic messages to clients.',
-  },
-  {
-    pattern: /no.{0,20}(audit|security).{0,15}log/i,
-    concern: 'No security audit log — impossible to detect or investigate breaches after the fact.',
-    recommendation: 'Log: auth events, admin actions, data exports, permission denials, with IP + user + timestamp.',
-  },
-  {
-    pattern: /no.{0,20}(dependency|package|npm|pip).{0,20}(audit|scan|update)/i,
-    concern: 'Unaudited dependencies may contain known CVEs actively exploited in the wild.',
-    recommendation: 'Run npm audit / snyk in CI pipeline. Block builds with critical severity CVEs.',
-  },
-  {
-    pattern: /no.{0,20}(payload|body|request).{0,20}(size|limit|max)/i,
-    concern: 'No payload size limit — attackers can exhaust server memory with large request bodies.',
-    recommendation: 'Set body size limit (1MB JSON, 10MB uploads). Return 413 on excess. Use streaming for large files.',
-  },
-  {
-    pattern: /\bregex\b.{0,30}(user|input|param|untrusted)/i,
-    concern: 'Complex regex on user input can cause ReDoS — catastrophic backtracking is a DoS vector.',
-    recommendation: 'Test regex with ReDoS checker (vuln-regex-detector). Set match timeout for user input.',
-  },
-  {
-    pattern: /server.?version|x-powered-by|expose.{0,20}(version|framework)/i,
-    concern: 'Disclosing server/framework version in headers helps attackers target known CVEs.',
-    recommendation: 'Remove X-Powered-By. Set Server: header to empty string. Use helmet.js.',
-  },
-  {
-    pattern: /upload.{0,30}(any|all|every).{0,20}(type|extension|format|file)/i,
-    concern: 'Accepting any file type enables upload of malicious executables or web shells.',
-    recommendation: 'Whitelist allowed MIME types. Validate magic bytes (not extension). Scan with ClamAV.',
-  },
-  {
-    pattern: /\bidor\b|direct.{0,20}object.{0,20}ref|user.?id.{0,20}(param|query|url|path)/i,
-    concern: 'Potential IDOR — user can access other users\' resources by changing an ID in the request.',
-    recommendation: 'Always verify ownership: resource.userId === req.user.id before returning/mutating.',
-  },
-  {
-    pattern: /compare.{0,20}(secret|token|hash|hmac|signature|password).{0,20}===|===.{0,20}(secret|token|hmac)/i,
-    concern: 'String === comparison of secrets is vulnerable to timing attacks.',
-    recommendation: 'Use crypto.timingSafeEqual() for all secret and HMAC comparisons.',
-  },
-  {
-    pattern: /no.{0,20}hsts|http.{0,20}(only|no.?https)/i,
-    concern: 'Without HSTS, browsers may connect over HTTP — credentials can be intercepted.',
-    recommendation: 'Set HSTS: max-age=31536000; includeSubDomains; preload. Redirect all HTTP to HTTPS.',
-  },
-  {
-    pattern: /secret.{0,20}(env|environment|config).{0,20}(log|print|console|output)/i,
-    concern: 'Logging secrets or config values leaks credentials to anyone with log access.',
-    recommendation: 'Never log secrets. Redact sensitive fields in structured logs. Audit log pipelines.',
-  },
-];
-
-const TRIVIAL = /^(rename|fix typo|reorder|reformat|format|update comment|add comment)\b/i;
-
-export function analyze(task: string): AgentVote {
-  if (TRIVIAL.test(task.trim())) {
-    return { verdict: 'approve', reason: 'Trivial change — no security concerns.', concerns: [] };
-  }
-
-  const blocks: Array<{ reason: string; recommendation: string }> = [];
-  const concerns: string[] = [];
-  const recommendations: string[] = [];
-
-  for (const rule of BLOCK_RULES) {
-    if (rule.pattern.test(task)) {
-      blocks.push({ reason: rule.reason, recommendation: rule.recommendation });
-    }
-  }
-  for (const rule of WARN_RULES) {
-    if (rule.pattern.test(task)) {
-      concerns.push(rule.concern);
-      recommendations.push(rule.recommendation);
-    }
-  }
-
-  if (blocks.length > 0) {
-    return {
-      verdict: 'block',
-      reason: blocks[0].reason,
-      concerns: blocks.slice(1).map(b => b.reason),
-      recommendation: blocks.map(b => b.recommendation).join(' | '),
-    };
-  }
-
-  if (concerns.length > 0) {
-    return {
-      verdict: 'warn',
-      reason: `${concerns.length} security concern${concerns.length > 1 ? 's' : ''} — threat model flagged issues.`,
-      concerns,
-      recommendation: recommendations[0],
-    };
-  }
-
-  return { verdict: 'approve', reason: 'No security threats identified in threat model.', concerns: [] };
-}

package/src/council/system-architect.ts

@@ -1,132 +0,0 @@
-// System Architect — scalability, failure modes, structural integrity
-import type { AgentVote } from './types.js';
-
-const BLOCK_RULES: Array<{ pattern: RegExp; reason: string; recommendation: string }> = [
-  {
-    pattern: /\bdrop\s+table\b/i,
-    reason: 'DROP TABLE is irreversible. No rollback possible after execution.',
-    recommendation: 'Write a down-migration. Verify backup. Test on staging. Run in maintenance window.',
-  },
-  {
-    pattern: /\btruncate\b/i,
-    reason: 'TRUNCATE deletes all rows instantly — no transaction, no rollback.',
-    recommendation: 'Use DELETE with WHERE in a transaction. Backup first. Verify on staging.',
-  },
-  {
-    pattern: /\bdelete\s+from\b(?!.*where)/i,
-    reason: 'DELETE without WHERE clause wipes the entire table.',
-    recommendation: 'Always add a WHERE clause. Wrap in transaction. Test on staging.',
-  },
-  {
-    pattern: /sqlite.{0,50}(concurrent|multi.?user|high.?traffic|production|scale)/i,
-    reason: 'SQLite serializes writes — breaks at >10 concurrent writers.',
-    recommendation: 'Use PostgreSQL for multi-user or high-traffic applications.',
-  },
-  {
-    pattern: /(payment|billing|charge|transfer|transaction).{0,40}no.{0,15}(transaction|rollback|atomic)/i,
-    reason: 'Financial operations without database transactions risk data inconsistency.',
-    recommendation: 'Wrap all financial mutations in explicit BEGIN/COMMIT/ROLLBACK transactions.',
-  },
-  {
-    pattern: /store.{0,20}(password|credit.?card|ssn|social.?security).{0,20}plain/i,
-    reason: 'Storing sensitive data in plaintext is a catastrophic data breach risk.',
-    recommendation: 'Hash passwords (bcrypt). Encrypt PII at rest (AES-256). Never store raw card data.',
-  },
-];
-
-const WARN_RULES: Array<{ pattern: RegExp; concern: string; recommendation: string }> = [
-  {
-    pattern: /select\s+\*/i,
-    concern: 'SELECT * fetches all columns — wasted memory and network on large tables.',
-    recommendation: 'Select only needed columns explicitly.',
-  },
-  {
-    pattern: /\bfor\b.{0,80}(query|select|db\.|\.find|\.get|fetch)/i,
-    concern: 'Query inside a loop creates N+1 problem — DB gets hammered at scale.',
-    recommendation: 'Batch the query outside the loop using IN clause or JOIN.',
-  },
-  {
-    pattern: /no.{0,15}index\b/i,
-    concern: 'Missing index on search/filter columns causes full table scans.',
-    recommendation: 'Add indexes on FK columns and any WHERE/ORDER BY columns.',
-  },
-  {
-    pattern: /synchronous|blocking.{0,20}(i\/o|read|write|call)/i,
-    concern: 'Synchronous I/O blocks the Node.js event loop under concurrent load.',
-    recommendation: 'Use async/await with fs.promises, not fs.readFileSync.',
-  },
-  {
-    pattern: /no.{0,15}cache\b/i,
-    concern: 'No caching on repeated reads hammers the database unnecessarily.',
-    recommendation: 'Cache hot read paths with Redis or in-memory TTL cache.',
-  },
-  {
-    pattern: /no.{0,15}(timeout|time.?out)\b/i,
-    concern: 'External calls without timeout hang indefinitely when the dependency fails.',
-    recommendation: 'Set explicit timeouts (3-5s for APIs). Add retry with exponential backoff.',
-  },
-  {
-    pattern: /single.{0,25}(point|server|node|instance).{0,25}(fail|crash|down)/i,
-    concern: 'Single point of failure with no redundancy — one crash = full outage.',
-    recommendation: 'Add health checks. Consider redundancy or graceful degradation.',
-  },
-  {
-    pattern: /no.{0,15}(migration|schema.?version)/i,
-    concern: 'Database changes without versioned migrations cannot be safely rolled back.',
-    recommendation: 'Use a migration tool (Knex, Prisma migrate, Flyway).',
-  },
-  {
-    pattern: /global\s+(state|variable|singleton)/i,
-    concern: 'Global mutable state causes unpredictable behavior under concurrent requests.',
-    recommendation: 'Scope state to request context. Use dependency injection.',
-  },
-  {
-    pattern: /\bregex\b.{0,30}(user.?input|unvalidated|untrusted)/i,
-    concern: 'Complex regex on untrusted input can cause ReDoS (catastrophic backtracking).',
-    recommendation: 'Use simple regex patterns. Set timeout on regex evaluation for user input.',
-  },
-];
-
-const TRIVIAL = /^(rename|fix typo|reorder|reformat|format|update comment|add comment)\b/i;
-
-export function analyze(task: string): AgentVote {
-  if (TRIVIAL.test(task.trim())) {
-    return { verdict: 'approve', reason: 'Trivial change — no architectural concerns.', concerns: [] };
-  }
-
-  const blocks: Array<{ reason: string; recommendation: string }> = [];
-  const concerns: string[] = [];
-  const recommendations: string[] = [];
-
-  for (const rule of BLOCK_RULES) {
-    if (rule.pattern.test(task)) {
-      blocks.push({ reason: rule.reason, recommendation: rule.recommendation });
-    }
-  }
-  for (const rule of WARN_RULES) {
-    if (rule.pattern.test(task)) {
-      concerns.push(rule.concern);
-      recommendations.push(rule.recommendation);
-    }
-  }
-
-  if (blocks.length > 0) {
-    return {
-      verdict: 'block',
-      reason: blocks[0].reason,
-      concerns: blocks.slice(1).map(b => b.reason),
-      recommendation: blocks.map(b => b.recommendation).join(' | '),
-    };
-  }
-
-  if (concerns.length > 0) {
-    return {
-      verdict: 'warn',
-      reason: `${concerns.length} structural concern${concerns.length > 1 ? 's' : ''} — review before building.`,
-      concerns,
-      recommendation: recommendations[0],
-    };
-  }
-
-  return { verdict: 'approve', reason: 'Architecture looks sound. No structural concerns.', concerns: [] };
-}

package/src/council/types.ts

@@ -1,33 +0,0 @@
-export type AgentVerdict = 'approve' | 'warn' | 'block';
-export type CouncilVerdict = 'GREEN' | 'YELLOW' | 'RED' | 'DEADLOCK';
-
-export interface AgentVote {
-  verdict: AgentVerdict;
-  reason: string;
-  concerns: string[];
-  recommendation?: string;
-}
-
-export interface DebateInput {
-  task: string;
-  context?: string;
-}
-
-export interface DebateResult {
-  task: string;
-  final_verdict: CouncilVerdict;
-  votes: {
-    lead_dev: AgentVote;
-    pm: AgentVote;
-    architect: AgentVote;
-    ux: AgentVote;
-    devil: AgentVote;
-    legal: AgentVote;
-    security: AgentVote;
-  };
-  recommended: string;
-  block_reasons: string[];
-  warnings: string[];
-  debated_at: string;
-  formatted_output: string;
-}

package/src/council/ux-designer.ts

@@ -1,121 +0,0 @@
-// UX Designer — user flows, simplicity, real-user experience
-import type { AgentVote } from './types.js';
-
-// Backend-only tasks: UX approves without friction
-const BACKEND_ONLY = /\b(api|backend|server|database|db|query|schema|migration|auth.*middleware|jwt|oauth|cron|cli|script|worker|queue|cache|redis|sql|index|trigger|webhook)\b/i;
-const FRONTEND_SIGNALS = /\b(ui|ux|form|button|modal|page|screen|component|view|layout|menu|nav|input|field|label|error.?message|loading|user.?interface|frontend|react|vue|svelte|html|css)\b/i;
-
-const BLOCK_RULES: Array<{ pattern: RegExp; reason: string; recommendation: string }> = [
-  {
-    pattern: /window\.alert\s*\(|window\.confirm\s*\(/i,
-    reason: 'window.alert/confirm blocks the page and cannot be styled. Users hate it.',
-    recommendation: 'Replace with toast notifications (react-hot-toast) or inline dialogs.',
-  },
-  {
-    pattern: /no.{0,20}error.{0,20}(message|state|feedback).{0,30}(form|submit|input)/i,
-    reason: 'Forms without error feedback leave users confused and drive support tickets.',
-    recommendation: 'Add inline validation messages for every field that can fail.',
-  },
-  {
-    pattern: /(?:7|8|9|10|eleven|twelve).{0,15}step/i,
-    reason: 'More than 6 steps in a flow loses 70%+ of users before completion.',
-    recommendation: 'Break into smaller flows or use progressive disclosure.',
-  },
-];
-
-const WARN_RULES: Array<{ pattern: RegExp; concern: string; recommendation: string }> = [
-  {
-    pattern: /no.{0,15}(mobile|responsive|viewport)/i,
-    concern: '60%+ of users are on mobile. Responsive is baseline, not a bonus.',
-    recommendation: 'Mobile-first CSS. Test breakpoints: 375px, 768px, 1280px.',
-  },
-  {
-    pattern: /no.{0,15}(loading|spinner|progress|skeleton)/i,
-    concern: 'Missing loading state — users cannot tell if their action registered.',
-    recommendation: 'Show loading indicator for any operation that takes >300ms.',
-  },
-  {
-    pattern: /\bmodal\b|\bpopup\b|\bdialog\b/i,
-    concern: 'Modals interrupt flow and fail on small screens. Use sparingly.',
-    recommendation: 'Reserve modals for destructive confirmations only. Use inline for everything else.',
-  },
-  {
-    pattern: /no.{0,15}(accessib|aria|a11y|wcag)/i,
-    concern: 'Missing accessibility — 15% of users cannot use the product.',
-    recommendation: 'Add aria-labels, keyboard nav, focus management. Test with VoiceOver.',
-  },
-  {
-    pattern: /color.{0,20}only|rely.{0,15}on.{0,15}color/i,
-    concern: '8% of users are colorblind — color-only signals are invisible to them.',
-    recommendation: 'Add icons, patterns, or text alongside color to convey meaning.',
-  },
-  {
-    pattern: /no.{0,15}(empty.?state|zero.?state|first.?time)/i,
-    concern: 'No empty state — first-time users see a blank screen that looks broken.',
-    recommendation: 'Design empty state that explains what goes here and how to start.',
-  },
-  {
-    pattern: /no.{0,15}(confirm|confirmation|undo|undo.?redo)/i,
-    concern: 'Destructive action without confirmation leads to user data loss.',
-    recommendation: 'Add confirmation dialog for destructive actions. Provide undo where possible.',
-  },
-  {
-    pattern: /auto.?submit|submit.{0,10}without.{0,10}(confirm|review)/i,
-    concern: 'Auto-submitting without user review removes user agency.',
-    recommendation: 'Always let users review before final submission.',
-  },
-];
-
-const TRIVIAL = /^(rename|fix typo|reorder|reformat|format|update comment|add comment)\b/i;
-
-export function analyze(task: string): AgentVote {
-  if (TRIVIAL.test(task.trim())) {
-    return { verdict: 'approve', reason: 'Trivial change — no UX concerns.', concerns: [] };
-  }
-
-  // Pure backend tasks get a light pass
-  const isBackend = BACKEND_ONLY.test(task) && !FRONTEND_SIGNALS.test(task);
-  if (isBackend) {
-    return {
-      verdict: 'approve',
-      reason: 'Backend task — no direct UX concerns. Ensure API errors surface clearly to users.',
-      concerns: [],
-    };
-  }
-
-  const blocks: Array<{ reason: string; recommendation: string }> = [];
-  const concerns: string[] = [];
-  const recommendations: string[] = [];
-
-  for (const rule of BLOCK_RULES) {
-    if (rule.pattern.test(task)) {
-      blocks.push({ reason: rule.reason, recommendation: rule.recommendation });
-    }
-  }
-  for (const rule of WARN_RULES) {
-    if (rule.pattern.test(task)) {
-      concerns.push(rule.concern);
-      recommendations.push(rule.recommendation);
-    }
-  }
-
-  if (blocks.length > 0) {
-    return {
-      verdict: 'block',
-      reason: blocks[0].reason,
-      concerns: blocks.slice(1).map(b => b.reason),
-      recommendation: blocks.map(b => b.recommendation).join(' | '),
-    };
-  }
-
-  if (concerns.length > 0) {
-    return {
-      verdict: 'warn',
-      reason: `${concerns.length} UX concern${concerns.length > 1 ? 's' : ''} — real users will notice this.`,
-      concerns,
-      recommendation: recommendations[0],
-    };
-  }
-
-  return { verdict: 'approve', reason: 'UX looks solid. No user experience concerns.', concerns: [] };
-}