@kodrunhq/opencode-autopilot 0.1.0

package/src/orchestrator/state.ts

@@ -0,0 +1,80 @@
+import { readFile, rename, writeFile } from "node:fs/promises";
+import { join } from "node:path";
+import { ensureDir, isEnoentError } from "../utils/fs-helpers";
+import { PHASES, pipelineStateSchema } from "./schemas";
+import type { PipelineState } from "./types";
+
+const STATE_FILE = "state.json";
+
+export function createInitialState(idea: string): PipelineState {
+	const now = new Date().toISOString();
+	return pipelineStateSchema.parse({
+		schemaVersion: 2,
+		status: "IN_PROGRESS",
+		idea,
+		currentPhase: "RECON",
+		startedAt: now,
+		lastUpdatedAt: now,
+		phases: PHASES.map((name, i) => ({
+			name,
+			status: i === 0 ? "IN_PROGRESS" : "PENDING",
+		})),
+		decisions: [],
+		confidence: [],
+		tasks: [],
+		arenaConfidence: null,
+		exploreTriggered: false,
+	});
+}
+
+export async function loadState(artifactDir: string): Promise<PipelineState | null> {
+	const statePath = join(artifactDir, STATE_FILE);
+	try {
+		const raw = await readFile(statePath, "utf-8");
+		const parsed = JSON.parse(raw);
+		return pipelineStateSchema.parse(parsed);
+	} catch (error: unknown) {
+		if (isEnoentError(error)) {
+			return null;
+		}
+		throw error;
+	}
+}
+
+export async function saveState(state: PipelineState, artifactDir: string): Promise<void> {
+	const validated = pipelineStateSchema.parse(state);
+	await ensureDir(artifactDir);
+	const statePath = join(artifactDir, STATE_FILE);
+	const tmpPath = `${statePath}.tmp.${Date.now()}`;
+	await writeFile(tmpPath, JSON.stringify(validated, null, 2), "utf-8");
+	await rename(tmpPath, statePath);
+}
+
+export function patchState(
+	current: Readonly<PipelineState>,
+	updates: Partial<PipelineState>,
+): PipelineState {
+	const merged = {
+		...current,
+		...updates,
+		lastUpdatedAt: new Date().toISOString(),
+	};
+	return pipelineStateSchema.parse(merged);
+}
+
+export function appendDecision(
+	current: Readonly<PipelineState>,
+	decision: { phase: string; agent: string; decision: string; rationale: string },
+): PipelineState {
+	return {
+		...current,
+		decisions: [
+			...current.decisions,
+			{
+				...decision,
+				timestamp: new Date().toISOString(),
+			},
+		],
+		lastUpdatedAt: new Date().toISOString(),
+	};
+}

package/src/orchestrator/types.ts

@@ -0,0 +1,20 @@
+import type { z } from "zod";
+import type {
+	buildProgressSchema,
+	confidenceEntrySchema,
+	decisionEntrySchema,
+	failureContextSchema,
+	phaseSchema,
+	phaseStatusSchema,
+	pipelineStateSchema,
+	taskSchema,
+} from "./schemas";
+
+export type PipelineState = z.infer<typeof pipelineStateSchema>;
+export type Phase = z.infer<typeof phaseSchema>;
+export type PhaseStatus = z.infer<typeof phaseStatusSchema>;
+export type DecisionEntry = z.infer<typeof decisionEntrySchema>;
+export type ConfidenceEntry = z.infer<typeof confidenceEntrySchema>;
+export type Task = z.infer<typeof taskSchema>;
+export type BuildProgress = z.infer<typeof buildProgressSchema>;
+export type FailureContext = z.infer<typeof failureContextSchema>;

package/src/review/agent-catalog.ts

@@ -0,0 +1,439 @@
+import type { AgentCategory, AgentDefinition } from "./types";
+
+/**
+ * NOTE: This catalog is reference data and is NOT yet wired into the review pipeline.
+ * The pipeline uses the agent definitions from src/review/agents/*.ts directly.
+ * This file may be integrated in a future milestone to drive dynamic agent selection.
+ *
+ * Complete registry of review agents ported from the ace review engine.
+ * Core squad always runs. Parallel specialists run based on stack gate.
+ * Sequenced specialists run after all prior findings are collected.
+ */
+export const AGENT_CATALOG: readonly AgentDefinition[] = Object.freeze([
+	// --- Core Squad (always runs) ---
+	Object.freeze({
+		name: "logic-auditor",
+		category: "core" as const,
+		domain: "Control flow, null safety, async correctness, boundary conditions",
+		catches: Object.freeze([
+			"Off-by-one errors",
+			"Null dereference",
+			"Missing await",
+			"Race conditions",
+			"Incorrect boundary comparisons",
+		]),
+		triggerSignals: Object.freeze(["Any code change"]),
+		stackAffinity: Object.freeze(["universal"]),
+		hardGatesSummary:
+			"Traces happy + error path per function, checks loops for termination, verifies null safety",
+	}),
+	Object.freeze({
+		name: "test-interrogator",
+		category: "core" as const,
+		domain: "Test quality, assertion coverage, edge case gaps",
+		catches: Object.freeze([
+			"Tests without assertions",
+			"Over-broad mocks",
+			"Missing edge case coverage",
+			"Tests that pass by accident",
+		]),
+		triggerSignals: Object.freeze(["Any code change"]),
+		stackAffinity: Object.freeze(["universal"]),
+		hardGatesSummary:
+			"Reads each test + tested code, identifies hiding bugs, verifies assertions exist",
+	}),
+	Object.freeze({
+		name: "contract-verifier",
+		category: "core" as const,
+		domain: "API boundary correctness, request/response shape alignment",
+		catches: Object.freeze([
+			"Mismatched request/response shapes",
+			"Wrong HTTP methods",
+			"Missing error handling on boundaries",
+			"URL path mismatches",
+		]),
+		triggerSignals: Object.freeze(["Any code change"]),
+		stackAffinity: Object.freeze(["universal"]),
+		hardGatesSummary:
+			"Reads both sides of every API boundary, compares shapes/methods/URLs/error codes",
+	}),
+
+	// --- Parallel Specialists ---
+	Object.freeze({
+		name: "wiring-inspector",
+		category: "parallel" as const,
+		domain: "End-to-end connectivity (UI -> API -> DB -> response -> UI)",
+		catches: Object.freeze([
+			"Disconnected flows",
+			"Wrong endpoint URLs",
+			"Mismatched request/response shapes",
+			"Missing error propagation across layers",
+			"Orphaned handlers",
+		]),
+		triggerSignals: Object.freeze([
+			"Changes span 2+ architectural layers",
+			"New API endpoints",
+			"New UI components that fetch data",
+		]),
+		stackAffinity: Object.freeze(["universal"]),
+		hardGatesSummary:
+			"Traces every feature path from UI event to DB write and back, documents each verified link",
+	}),
+	Object.freeze({
+		name: "dead-code-scanner",
+		category: "parallel" as const,
+		domain: "Unused code, imports, unreachable branches",
+		catches: Object.freeze([
+			"Unused imports",
+			"Orphaned functions",
+			"TODO/FIXME",
+			"Console.log/debugger",
+			"Hardcoded secrets",
+			"Commented-out code",
+		]),
+		triggerSignals: Object.freeze([
+			"Refactors",
+			"Feature removals",
+			"Large diffs",
+			"File deletions with remaining references",
+		]),
+		stackAffinity: Object.freeze(["universal"]),
+		hardGatesSummary:
+			"Checks all changed files for unused imports, orphaned functions, debug artifacts, hardcoded secrets",
+	}),
+	Object.freeze({
+		name: "spec-checker",
+		category: "parallel" as const,
+		domain: "Requirements alignment with issue/spec context",
+		catches: Object.freeze([
+			"Missing requirements",
+			"Partial implementations",
+			"Ungoverned changes",
+			"Extra features not in spec",
+		]),
+		triggerSignals: Object.freeze([
+			"Linked GitHub issue exists",
+			"PR description references requirements",
+			"Changes touch feature code",
+		]),
+		stackAffinity: Object.freeze(["universal"]),
+		hardGatesSummary: "Maps each requirement to implementation status (done/partial/missing/extra)",
+	}),
+	Object.freeze({
+		name: "database-auditor",
+		category: "parallel" as const,
+		domain: "Migrations, query performance, schema design, connection management",
+		catches: Object.freeze([
+			"Destructive migrations without rollback",
+			"Missing indexes on FKs",
+			"N+1 queries",
+			"Raw SQL injection",
+			"Wrong column types",
+		]),
+		triggerSignals: Object.freeze([
+			"Migration files in diff",
+			"Schema changes",
+			"ORM model changes without corresponding migrations",
+		]),
+		stackAffinity: Object.freeze(["universal"]),
+		hardGatesSummary:
+			"Verifies rollback path, checks index coverage, detects N+1 patterns, checks for SQL injection",
+	}),
+	Object.freeze({
+		name: "auth-flow-verifier",
+		category: "parallel" as const,
+		domain: "Auth/authz correctness, middleware guards, token handling",
+		catches: Object.freeze([
+			"Unprotected routes",
+			"Privilege escalation",
+			"Token validation gaps",
+			"Session fixation",
+			"Plaintext password storage",
+		]),
+		triggerSignals: Object.freeze([
+			"Changes to auth middleware",
+			"Login/logout handlers",
+			"Role/permission checks",
+			"JWT/session code",
+		]),
+		stackAffinity: Object.freeze(["universal"]),
+		hardGatesSummary:
+			"Traces every protected route to verify guard, checks token validation flow end-to-end",
+	}),
+	Object.freeze({
+		name: "type-soundness",
+		category: "parallel" as const,
+		domain: "Type correctness, invariant design, encapsulation, generics",
+		catches: Object.freeze([
+			"Unsafe any usage",
+			"Incorrect type narrowing",
+			"Meaningless generic constraints",
+			"Unsafe type assertions",
+			"Violated invariants",
+		]),
+		triggerSignals: Object.freeze([
+			"New type definitions",
+			"Complex generics",
+			"Type assertion usage",
+			"any in diff",
+		]),
+		stackAffinity: Object.freeze(["typescript", "kotlin", "rust", "go"]),
+		hardGatesSummary:
+			"Flags every any usage, verifies type narrowing correctness, evaluates invariant enforcement",
+	}),
+	Object.freeze({
+		name: "state-mgmt-auditor",
+		category: "parallel" as const,
+		domain: "UI state consistency, reactivity bugs, stale state, race conditions in UI",
+		catches: Object.freeze([
+			"Stale closures",
+			"Infinite re-render loops",
+			"Derived state stored instead of computed",
+			"Missing optimistic update rollback",
+		]),
+		triggerSignals: Object.freeze([
+			"React useState/useReducer",
+			"Redux/Zustand/Pinia store changes",
+			"Vue reactive state",
+			"Svelte stores",
+		]),
+		stackAffinity: Object.freeze(["react", "vue", "svelte", "angular"]),
+		hardGatesSummary:
+			"Traces state flow from update to render, verifies no stale closures in hooks",
+	}),
+	Object.freeze({
+		name: "concurrency-checker",
+		category: "parallel" as const,
+		domain: "Thread/async/goroutine safety, deadlocks, resource leaks",
+		catches: Object.freeze([
+			"Goroutine leaks",
+			"Mutex misuse",
+			"Race conditions",
+			"Missing context cancellation",
+			"Missing await",
+		]),
+		triggerSignals: Object.freeze([
+			"Goroutine creation",
+			"Mutex/lock usage",
+			"Async/await patterns",
+			"Worker threads",
+			"Promise.all usage",
+		]),
+		stackAffinity: Object.freeze(["universal"]),
+		hardGatesSummary:
+			"Verifies every goroutine/thread has a termination path, checks lock/unlock pairs",
+	}),
+	Object.freeze({
+		name: "code-quality-auditor",
+		category: "parallel" as const,
+		domain: "Readability, modularity, naming, file organization",
+		catches: Object.freeze([
+			"Overly long functions (>100 lines)",
+			"Overly large files (>800 lines)",
+			"Deep nesting (>4 levels)",
+			"Poor naming",
+			"Code duplication",
+		]),
+		triggerSignals: Object.freeze([
+			"Large diffs",
+			"New files",
+			"Refactors",
+			"Substantial function additions",
+		]),
+		stackAffinity: Object.freeze(["universal"]),
+		hardGatesSummary:
+			"Measures function length, file length, nesting depth; checks naming conventions",
+	}),
+	Object.freeze({
+		name: "security-auditor",
+		category: "parallel" as const,
+		domain: "Systematic OWASP auditing, secrets, injection, crypto",
+		catches: Object.freeze([
+			"Hardcoded secrets",
+			"SQL/NoSQL/command injection",
+			"XSS",
+			"CSRF gaps",
+			"Insecure crypto",
+			"SSRF",
+			"Sensitive data in logs",
+		]),
+		triggerSignals: Object.freeze([
+			"User input handling",
+			"API endpoint changes",
+			"Database query construction",
+			"Crypto usage",
+		]),
+		stackAffinity: Object.freeze(["universal"]),
+		hardGatesSummary: "Checks OWASP Top 10 categories systematically, scans for hardcoded secrets",
+	}),
+	Object.freeze({
+		name: "scope-intent-verifier",
+		category: "parallel" as const,
+		domain: "Scope creep, project alignment, feature coherence",
+		catches: Object.freeze([
+			"Features not in any spec/issue",
+			"Changes conflicting with project philosophy",
+			"Unnecessary dependencies",
+		]),
+		triggerSignals: Object.freeze([
+			"New capabilities added",
+			"New dependencies",
+			"Changes to core architecture",
+		]),
+		stackAffinity: Object.freeze(["universal"]),
+		hardGatesSummary:
+			"Reads project docs to understand purpose, maps each change to a user need or spec requirement",
+	}),
+	Object.freeze({
+		name: "silent-failure-hunter",
+		category: "parallel" as const,
+		domain: "Error handling quality, swallowed errors, empty catches, silent fallbacks",
+		catches: Object.freeze([
+			"Empty catch blocks",
+			"Generic error swallowing",
+			"Console.log-only error handling",
+			"Optional chaining masking nulls",
+			"Fallbacks hiding failures",
+		]),
+		triggerSignals: Object.freeze([
+			"New/modified try-catch blocks",
+			"Error callbacks",
+			"Fallback logic",
+			"Default values on failure paths",
+		]),
+		stackAffinity: Object.freeze(["universal"]),
+		hardGatesSummary: "Every catch block must log with context and surface actionable feedback",
+	}),
+	Object.freeze({
+		name: "react-patterns-auditor",
+		category: "parallel" as const,
+		domain: "React/Next.js specific bug classes",
+		catches: Object.freeze([
+			"Hooks rules violations",
+			"Stale closures",
+			"Missing useEffect deps",
+			"Server/client boundary violations",
+			"Hydration mismatches",
+		]),
+		triggerSignals: Object.freeze([
+			"React component files in diff",
+			"Hooks usage",
+			"Next.js page/layout files",
+		]),
+		stackAffinity: Object.freeze(["react", "nextjs"]),
+		hardGatesSummary:
+			"Checks every hook call for rules compliance, verifies every useEffect deps array",
+	}),
+	Object.freeze({
+		name: "go-idioms-auditor",
+		category: "parallel" as const,
+		domain: "Go-specific bug classes",
+		catches: Object.freeze([
+			"defer-in-loop",
+			"Goroutine leaks",
+			"Nil interface traps",
+			"Error shadowing with :=",
+			"Context misuse",
+		]),
+		triggerSignals: Object.freeze([
+			"Go files in diff",
+			"Goroutine creation",
+			"Defer statements",
+			"Context.Context usage",
+		]),
+		stackAffinity: Object.freeze(["go"]),
+		hardGatesSummary:
+			"Checks every defer for loop placement, every goroutine for cancellation path",
+	}),
+	Object.freeze({
+		name: "python-django-auditor",
+		category: "parallel" as const,
+		domain: "Python/Django-specific bug classes",
+		catches: Object.freeze([
+			"N+1 in templates",
+			"Unvalidated ModelForms",
+			"Missing CSRF",
+			"Lazy eval traps",
+			"Mutable default args",
+		]),
+		triggerSignals: Object.freeze([
+			"Django view/model/form/template files",
+			"Python files with ORM queries",
+			"settings.py changes",
+		]),
+		stackAffinity: Object.freeze(["django", "fastapi"]),
+		hardGatesSummary:
+			"Checks every queryset for select_related/prefetch_related, every ModelForm for explicit fields",
+	}),
+	Object.freeze({
+		name: "rust-safety-auditor",
+		category: "parallel" as const,
+		domain: "Rust-specific bug classes",
+		catches: Object.freeze([
+			"Unjustified unsafe blocks",
+			".unwrap() in non-test code",
+			"Lifetime correctness issues",
+			"Send/Sync violations",
+			"mem::forget misuse",
+		]),
+		triggerSignals: Object.freeze([
+			"Rust files in diff",
+			"Unsafe blocks",
+			".unwrap()/.expect() calls",
+			"Lifetime annotations",
+		]),
+		stackAffinity: Object.freeze(["rust"]),
+		hardGatesSummary:
+			"Every unsafe block must have a SAFETY comment, every .unwrap() in non-test code is flagged",
+	}),
+
+	// --- Sequenced Specialists (run after all prior findings) ---
+	Object.freeze({
+		name: "product-thinker",
+		category: "sequenced" as const,
+		domain: "UX/product impact, feature completeness",
+		catches: Object.freeze([
+			"Dead-end user flows",
+			"Missing CRUD operations",
+			"Incomplete features",
+			"Poor UX",
+		]),
+		triggerSignals: Object.freeze([
+			"User-facing changes",
+			"New UI components",
+			"New API endpoints for user features",
+		]),
+		stackAffinity: Object.freeze(["universal"]),
+		hardGatesSummary:
+			"Traces complete user journey, checks CRUD completeness, verifies no dead ends. Requires ALL Phase 1-2 findings.",
+	}),
+	Object.freeze({
+		name: "red-team",
+		category: "sequenced" as const,
+		domain: "Adversarial review, inter-domain gap analysis",
+		catches: Object.freeze([
+			"Bugs hiding between agent domains",
+			"Assumption conflicts",
+			"User abuse scenarios",
+			"Concurrency issues",
+		]),
+		triggerSignals: Object.freeze(["Any changes that survived Phase 1-3 review"]),
+		stackAffinity: Object.freeze(["universal"]),
+		hardGatesSummary:
+			"Reads ALL other agents' reports, constructs attack scenarios, checks inter-domain gaps. Requires ALL Phase 1-3 findings.",
+	}),
+]);
+
+/**
+ * The three core squad agents that always run regardless of stack or scoring.
+ */
+export const CORE_SQUAD: readonly AgentDefinition[] = Object.freeze(
+	AGENT_CATALOG.filter((a) => a.category === "core"),
+);
+
+/**
+ * Filter agents by category.
+ */
+export function getAgentsByCategory(category: AgentCategory): readonly AgentDefinition[] {
+	return AGENT_CATALOG.filter((a) => a.category === category);
+}

package/src/review/agents/auth-flow-verifier.ts

@@ -0,0 +1,47 @@
+import type { ReviewAgent } from "../types";
+
+export const authFlowVerifier: Readonly<ReviewAgent> = Object.freeze({
+	name: "auth-flow-verifier",
+	description:
+		"Verifies authentication and authorization flows including route guards, token validation, privilege escalation prevention, and password storage.",
+	relevantStacks: [] as readonly string[],
+	severityFocus: ["CRITICAL", "HIGH"] as const,
+	prompt: `You are the Auth Flow Verifier. You verify that every protected resource has correct authentication and authorization, and that credential handling follows security best practices. Every finding must describe the specific attack vector.
+
+## Instructions
+
+Trace every authentication and authorization path in the changed code. Do not assume middleware is correctly applied -- verify it.
+
+Check each category systematically:
+
+1. **Route Protection** -- For every route or endpoint that accesses user data, modifies state, or returns sensitive information, verify an auth guard (middleware, decorator, or check) is present. Flag any protected resource accessible without authentication.
+2. **Token Validation** -- For every token check (JWT verification, session lookup, API key validation), verify the validation is complete: signature check, expiry check, issuer check, and audience check where applicable. Flag partial validation.
+3. **Privilege Escalation** -- Trace every operation that uses a user ID or role. Verify the ID comes from the authenticated session, not from request parameters. Flag any path where a user could access or modify another user's data by changing an ID in the request.
+4. **Session Fixation** -- Verify that session IDs are regenerated after login. Flag login handlers that reuse existing session tokens.
+5. **Password Storage** -- Verify passwords are hashed with bcrypt, scrypt, or argon2 before storage. Flag any plaintext password storage, MD5/SHA1 hashing, or missing salt.
+6. **Token Expiry** -- Verify that access tokens have a finite TTL and that expired tokens are rejected. Flag missing expiry checks or tokens with no expiration.
+
+For each finding, describe the attack: "An attacker could [action] because [vulnerability], resulting in [impact]."
+
+Do not comment on code style or business logic -- only auth/authz correctness.
+
+## Diff
+
+{{DIFF}}
+
+## Prior Findings (for cross-verification)
+
+{{PRIOR_FINDINGS}}
+
+## Project Memory (false positive suppression)
+
+{{MEMORY}}
+
+## Output
+
+For each finding, output a JSON object:
+{"severity": "CRITICAL|HIGH|MEDIUM|LOW", "domain": "auth", "title": "short title", "file": "path/to/file.ts", "line": 42, "agent": "auth-flow-verifier", "source": "phase1", "evidence": "what was found", "problem": "why it is an issue", "fix": "how to fix it"}
+
+If no findings: {"findings": []}
+Wrap all findings in: {"findings": [...]}`,
+});

package/src/review/agents/code-quality-auditor.ts

@@ -0,0 +1,51 @@
+import type { ReviewAgent } from "../types";
+
+export const codeQualityAuditor: Readonly<ReviewAgent> = Object.freeze({
+	name: "code-quality-auditor",
+	description:
+		"Audits code readability, modularity, and naming conventions including function length, file size, nesting depth, and duplication.",
+	relevantStacks: [] as readonly string[],
+	severityFocus: ["MEDIUM", "LOW"] as const,
+	prompt: `You are the Code Quality Auditor. You review readability, structure, and maintainability of changed code.
+
+## Instructions
+
+### Quantitative Checks
+1. **Function Length** -- Flag functions longer than 50 lines. Extract logical blocks into well-named helpers.
+2. **File Size** -- Flag files longer than 800 lines. Large files indicate multiple responsibilities.
+3. **Nesting Depth** -- Flag nesting deeper than 4 levels. Use early returns, guard clauses, or extracted functions to flatten.
+4. **Duplication** -- Flag near-identical logic in multiple places. Extract into a shared utility.
+5. **Magic Numbers** -- Flag hardcoded numeric/string literals. Extract to named constants or config.
+
+### Abstraction & Design
+6. **Conditional Dispatch** -- Flag if/else-if chains or switch statements dispatching on type strings. Use strategy pattern or registry.
+7. **God Functions** -- Flag functions performing multiple unrelated actions in sequence (validate -> transform -> save -> notify). Each responsibility should be separate.
+8. **Primitive Obsession** -- Flag passing raw strings/numbers for domain concepts (user IDs as strings, amounts as numbers) instead of typed wrappers.
+9. **Dead Code** -- Flag unused variables, unreachable branches, commented-out code blocks.
+
+### Naming & Readability
+10. **Self-Documenting Names** -- Function and variable names should describe what they do. Flag cryptic abbreviations.
+11. **Single Responsibility** -- Each function/class/module should have one clear purpose. Flag mixed concerns.
+
+Do not comment on business logic correctness -- only readability, structure, and maintainability.
+
+## Diff
+
+{{DIFF}}
+
+## Prior Findings (for cross-verification)
+
+{{PRIOR_FINDINGS}}
+
+## Project Memory (false positive suppression)
+
+{{MEMORY}}
+
+## Output
+
+For each finding, output a JSON object:
+{"severity": "CRITICAL|HIGH|MEDIUM|LOW", "domain": "quality", "title": "short title", "file": "path/to/file.ts", "line": 42, "agent": "code-quality-auditor", "source": "phase1", "evidence": "what was found", "problem": "why it is an issue", "fix": "how to fix it"}
+
+If no findings: {"findings": []}
+Wrap all findings in: {"findings": [...]}`,
+});

package/src/review/agents/concurrency-checker.ts

@@ -0,0 +1,47 @@
+import type { ReviewAgent } from "../types";
+
+export const concurrencyChecker: Readonly<ReviewAgent> = Object.freeze({
+	name: "concurrency-checker",
+	description:
+		"Audits concurrent code for goroutine/thread leaks, lock safety, shared mutable state, missing context cancellation, and async/await correctness.",
+	relevantStacks: [] as readonly string[],
+	severityFocus: ["CRITICAL", "HIGH"] as const,
+	prompt: `You are the Concurrency Checker. You verify that concurrent code is safe, terminates correctly, and has no race conditions or resource leaks. Every finding must describe the specific concurrency hazard.
+
+## Instructions
+
+Trace every concurrent operation in the changed code: goroutines, threads, async functions, workers, and promises. Do not assume frameworks handle synchronization automatically.
+
+Check each category systematically:
+
+1. **Termination Paths** -- For every goroutine, thread, or worker spawned, verify there is a clear termination condition (context cancellation, channel close, signal, or timeout). Flag any concurrent operation that can run indefinitely with no shutdown mechanism.
+2. **Lock Balance** -- For every lock acquisition (mutex.Lock, synchronized, semaphore.acquire), verify a corresponding unlock exists on every code path including error paths. Flag lock acquisitions without guaranteed release (missing defer/finally).
+3. **Shared Mutable State** -- For every variable accessed from multiple concurrent contexts, verify it is protected by a mutex, atomic operation, or channel. Flag raw reads/writes to shared state without synchronization.
+4. **Context Cancellation** -- For every function that receives a context parameter, verify cancellation is checked and propagated. Flag functions that ignore context cancellation or create contexts without cancellation.
+5. **Missing Await** -- For every async function call, verify the returned promise is awaited or explicitly handled (then/catch, Promise.all, void operator with comment). Flag fire-and-forget async calls that silently drop errors.
+6. **Promise.all Error Handling** -- For every Promise.all or Promise.allSettled call, verify error handling covers partial failure. Flag Promise.all without a catch that would lose the other results on any single rejection.
+
+Show your traces: "I traced goroutine at line N: spawned with go func() -> reads shared map 'cache' at line M -> no mutex protection. Another goroutine writes to 'cache' at line K -> data race."
+
+Do not comment on code style, naming, or architecture -- only concurrency correctness.
+
+## Diff
+
+{{DIFF}}
+
+## Prior Findings (for cross-verification)
+
+{{PRIOR_FINDINGS}}
+
+## Project Memory (false positive suppression)
+
+{{MEMORY}}
+
+## Output
+
+For each finding, output a JSON object:
+{"severity": "CRITICAL|HIGH|MEDIUM|LOW", "domain": "concurrency", "title": "short title", "file": "path/to/file.ts", "line": 42, "agent": "concurrency-checker", "source": "phase1", "evidence": "what was found", "problem": "why it is an issue", "fix": "how to fix it"}
+
+If no findings: {"findings": []}
+Wrap all findings in: {"findings": [...]}`,
+});