@kodrunhq/opencode-autopilot 1.17.0 → 1.19.0

package/src/review/agent-catalog.ts

@@ -1,16 +1,6 @@
 import type { AgentCategory, AgentDefinition } from "./types";
 
-/**
- * NOTE: This catalog is reference data and is NOT yet wired into the review pipeline.
- * The pipeline uses the agent definitions from src/review/agents/*.ts directly.
- * This file may be integrated in a future milestone to drive dynamic agent selection.
- *
- * Complete registry of review agents ported from the ace review engine.
- * Core squad always runs. Parallel specialists run based on stack gate.
- * Sequenced specialists run after all prior findings are collected.
- */
 export const AGENT_CATALOG: readonly AgentDefinition[] = Object.freeze([
-	// --- Core Squad (always runs) ---
 	Object.freeze({
 		name: "logic-auditor",
 		category: "core" as const,
@@ -57,171 +47,143 @@ export const AGENT_CATALOG: readonly AgentDefinition[] = Object.freeze([
 		hardGatesSummary:
 			"Reads both sides of every API boundary, compares shapes/methods/URLs/error codes",
 	}),
-
-	// --- Parallel Specialists ---
 	Object.freeze({
-		name: "wiring-inspector",
+		name: "security-auditor",
 		category: "parallel" as const,
-		domain: "End-to-end connectivity (UI -> API -> DB -> response -> UI)",
+		domain: "Systematic OWASP auditing, auth/authz correctness, secrets, injection, crypto",
 		catches: Object.freeze([
-			"Disconnected flows",
-			"Wrong endpoint URLs",
-			"Mismatched request/response shapes",
-			"Missing error propagation across layers",
-			"Orphaned handlers",
+			"Hardcoded secrets",
+			"SQL/NoSQL/command injection",
+			"XSS",
+			"CSRF gaps",
+			"Broken route protection",
+			"Privilege escalation",
+			"Token validation gaps",
+			"Insecure crypto",
+			"SSRF",
+			"Sensitive data in logs",
 		]),
 		triggerSignals: Object.freeze([
-			"Changes span 2+ architectural layers",
-			"New API endpoints",
-			"New UI components that fetch data",
+			"User input handling",
+			"API endpoint changes",
+			"Auth middleware or session code",
+			"Database query construction",
+			"Crypto usage",
 		]),
 		stackAffinity: Object.freeze(["universal"]),
 		hardGatesSummary:
-			"Traces every feature path from UI event to DB write and back, documents each verified link",
+			"Checks OWASP Top 10 categories systematically and verifies auth guard, token, and password-handling flows end-to-end",
 	}),
 	Object.freeze({
-		name: "dead-code-scanner",
+		name: "code-hygiene-auditor",
 		category: "parallel" as const,
-		domain: "Unused code, imports, unreachable branches",
+		domain: "Unused code, unreachable branches, debug artifacts, and silent failure patterns",
 		catches: Object.freeze([
 			"Unused imports",
 			"Orphaned functions",
-			"TODO/FIXME",
+			"Unreachable branches",
+			"Empty catch blocks",
+			"Silent fallbacks that hide failures",
 			"Console.log/debugger",
-			"Hardcoded secrets",
 			"Commented-out code",
 		]),
 		triggerSignals: Object.freeze([
 			"Refactors",
 			"Feature removals",
 			"Large diffs",
-			"File deletions with remaining references",
+			"New error handling or fallback logic",
 		]),
 		stackAffinity: Object.freeze(["universal"]),
 		hardGatesSummary:
-			"Checks all changed files for unused imports, orphaned functions, debug artifacts, hardcoded secrets",
+			"Checks all changed files for dead code, production leftovers, and error paths that fail silently instead of surfacing problems",
 	}),
 	Object.freeze({
-		name: "spec-checker",
+		name: "architecture-verifier",
 		category: "parallel" as const,
-		domain: "Requirements alignment with issue/spec context",
+		domain: "End-to-end connectivity, scope and intent alignment, and requirement compliance",
 		catches: Object.freeze([
-			"Missing requirements",
+			"Disconnected flows",
+			"Broken cross-layer shape alignment",
+			"Missing error propagation across layers",
 			"Partial implementations",
-			"Ungoverned changes",
-			"Extra features not in spec",
-		]),
-		triggerSignals: Object.freeze([
-			"Linked GitHub issue exists",
-			"PR description references requirements",
-			"Changes touch feature code",
-		]),
-		stackAffinity: Object.freeze(["universal"]),
-		hardGatesSummary: "Maps each requirement to implementation status (done/partial/missing/extra)",
-	}),
-	Object.freeze({
-		name: "database-auditor",
-		category: "parallel" as const,
-		domain: "Migrations, query performance, schema design, connection management",
-		catches: Object.freeze([
-			"Destructive migrations without rollback",
-			"Missing indexes on FKs",
-			"N+1 queries",
-			"Raw SQL injection",
-			"Wrong column types",
+			"Scope creep and unguided architectural surface area",
 		]),
 		triggerSignals: Object.freeze([
-			"Migration files in diff",
-			"Schema changes",
-			"ORM model changes without corresponding migrations",
-		]),
-		stackAffinity: Object.freeze(["universal"]),
-		hardGatesSummary:
-			"Verifies rollback path, checks index coverage, detects N+1 patterns, checks for SQL injection",
-	}),
-	Object.freeze({
-		name: "auth-flow-verifier",
-		category: "parallel" as const,
-		domain: "Auth/authz correctness, middleware guards, token handling",
-		catches: Object.freeze([
-			"Unprotected routes",
-			"Privilege escalation",
-			"Token validation gaps",
-			"Session fixation",
-			"Plaintext password storage",
-		]),
-		triggerSignals: Object.freeze([
-			"Changes to auth middleware",
-			"Login/logout handlers",
-			"Role/permission checks",
-			"JWT/session code",
+			"Changes span 2+ architectural layers",
+			"New API endpoints",
+			"Requirements-driven feature work",
+			"New dependencies or architectural changes",
 		]),
 		stackAffinity: Object.freeze(["universal"]),
 		hardGatesSummary:
-			"Traces every protected route to verify guard, checks token validation flow end-to-end",
+			"Traces feature paths end-to-end, maps each change to the requested scope, and flags missing or extra architectural work",
 	}),
 	Object.freeze({
-		name: "type-soundness",
+		name: "correctness-auditor",
 		category: "parallel" as const,
-		domain: "Type correctness, invariant design, encapsulation, generics",
+		domain: "Type correctness, invariant design, async safety, concurrency safety",
 		catches: Object.freeze([
 			"Unsafe any usage",
 			"Incorrect type narrowing",
-			"Meaningless generic constraints",
 			"Unsafe type assertions",
-			"Violated invariants",
+			"Race conditions",
+			"Missing await or dropped promises",
+			"Missing cancellation or cleanup",
 		]),
 		triggerSignals: Object.freeze([
 			"New type definitions",
-			"Complex generics",
+			"Complex async or concurrency code",
 			"Type assertion usage",
-			"any in diff",
+			"Shared mutable state",
 		]),
-		stackAffinity: Object.freeze(["typescript", "kotlin", "rust", "go"]),
+		stackAffinity: Object.freeze(["universal"]),
 		hardGatesSummary:
-			"Flags every any usage, verifies type narrowing correctness, evaluates invariant enforcement",
+			"Flags type escape hatches, traces async and concurrent execution paths, and verifies cleanup on every code path",
 	}),
 	Object.freeze({
-		name: "state-mgmt-auditor",
+		name: "frontend-auditor",
 		category: "parallel" as const,
-		domain: "UI state consistency, reactivity bugs, stale state, race conditions in UI",
+		domain: "Frontend framework rules, hooks/reactivity, state management, stale closures",
 		catches: Object.freeze([
+			"Hooks or lifecycle rule violations",
 			"Stale closures",
-			"Infinite re-render loops",
-			"Derived state stored instead of computed",
+			"Infinite re-render or reactive loops",
+			"Derived state anti-patterns",
+			"Hydration or server/client boundary mismatches",
 			"Missing optimistic update rollback",
 		]),
 		triggerSignals: Object.freeze([
-			"React useState/useReducer",
-			"Redux/Zustand/Pinia store changes",
-			"Vue reactive state",
-			"Svelte stores",
+			"React/Next.js component changes",
+			"Vue/Svelte/Angular reactive state changes",
+			"Hooks, watchers, or store updates",
 		]),
-		stackAffinity: Object.freeze(["react", "vue", "svelte", "angular"]),
+		stackAffinity: Object.freeze(["react", "nextjs", "vue", "svelte", "angular"]),
 		hardGatesSummary:
-			"Traces state flow from update to render, verifies no stale closures in hooks",
+			"Traces state from update to render, verifies framework rule compliance, and catches stale closures and hydration risks",
 	}),
 	Object.freeze({
-		name: "concurrency-checker",
+		name: "language-idioms-auditor",
 		category: "parallel" as const,
-		domain: "Thread/async/goroutine safety, deadlocks, resource leaks",
+		domain: "Go idioms, Python or Django or FastAPI patterns, and Rust safety conventions",
 		catches: Object.freeze([
-			"Goroutine leaks",
-			"Mutex misuse",
-			"Race conditions",
-			"Missing context cancellation",
-			"Missing await",
+			"defer-in-loop and goroutine leaks",
+			"Nil interface or context misuse",
+			"N+1 queries in templates or handlers",
+			"Mutable default arguments",
+			"Missing CSRF on cookie-based auth flows",
+			"Unsafe Rust blocks without justification",
+			"unwrap/expect in non-test Rust code",
+			"Send/Sync or resource lifecycle misuse",
 		]),
 		triggerSignals: Object.freeze([
-			"Goroutine creation",
-			"Mutex/lock usage",
-			"Async/await patterns",
-			"Worker threads",
-			"Promise.all usage",
+			"Go files in diff",
+			"Django/FastAPI files in diff",
+			"Rust files in diff",
+			"Language-specific framework or runtime primitives",
 		]),
-		stackAffinity: Object.freeze(["universal"]),
+		stackAffinity: Object.freeze(["go", "django", "fastapi", "rust"]),
 		hardGatesSummary:
-			"Verifies every goroutine/thread has a termination path, checks lock/unlock pairs",
+			"Applies stack-specific correctness checks for Go, Python web frameworks, and Rust that generic reviewers often miss",
 	}),
 	Object.freeze({
 		name: "code-quality-auditor",
@@ -245,149 +207,25 @@ export const AGENT_CATALOG: readonly AgentDefinition[] = Object.freeze([
 			"Measures function length, file length, nesting depth; checks naming conventions",
 	}),
 	Object.freeze({
-		name: "security-auditor",
-		category: "parallel" as const,
-		domain: "Systematic OWASP auditing, secrets, injection, crypto",
-		catches: Object.freeze([
-			"Hardcoded secrets",
-			"SQL/NoSQL/command injection",
-			"XSS",
-			"CSRF gaps",
-			"Insecure crypto",
-			"SSRF",
-			"Sensitive data in logs",
-		]),
-		triggerSignals: Object.freeze([
-			"User input handling",
-			"API endpoint changes",
-			"Database query construction",
-			"Crypto usage",
-		]),
-		stackAffinity: Object.freeze(["universal"]),
-		hardGatesSummary: "Checks OWASP Top 10 categories systematically, scans for hardcoded secrets",
-	}),
-	Object.freeze({
-		name: "scope-intent-verifier",
+		name: "database-auditor",
 		category: "parallel" as const,
-		domain: "Scope creep, project alignment, feature coherence",
+		domain: "Migrations, query performance, schema design, connection management",
 		catches: Object.freeze([
-			"Features not in any spec/issue",
-			"Changes conflicting with project philosophy",
-			"Unnecessary dependencies",
+			"Destructive migrations without rollback",
+			"Missing indexes on FKs",
+			"N+1 queries",
+			"Raw SQL injection",
+			"Wrong column types",
 		]),
 		triggerSignals: Object.freeze([
-			"New capabilities added",
-			"New dependencies",
-			"Changes to core architecture",
+			"Migration files in diff",
+			"Schema changes",
+			"ORM model changes without corresponding migrations",
 		]),
 		stackAffinity: Object.freeze(["universal"]),
 		hardGatesSummary:
-			"Reads project docs to understand purpose, maps each change to a user need or spec requirement",
-	}),
-	Object.freeze({
-		name: "silent-failure-hunter",
-		category: "parallel" as const,
-		domain: "Error handling quality, swallowed errors, empty catches, silent fallbacks",
-		catches: Object.freeze([
-			"Empty catch blocks",
-			"Generic error swallowing",
-			"Console.log-only error handling",
-			"Optional chaining masking nulls",
-			"Fallbacks hiding failures",
-		]),
-		triggerSignals: Object.freeze([
-			"New/modified try-catch blocks",
-			"Error callbacks",
-			"Fallback logic",
-			"Default values on failure paths",
-		]),
-		stackAffinity: Object.freeze(["universal"]),
-		hardGatesSummary: "Every catch block must log with context and surface actionable feedback",
-	}),
-	Object.freeze({
-		name: "react-patterns-auditor",
-		category: "parallel" as const,
-		domain: "React/Next.js specific bug classes",
-		catches: Object.freeze([
-			"Hooks rules violations",
-			"Stale closures",
-			"Missing useEffect deps",
-			"Server/client boundary violations",
-			"Hydration mismatches",
-		]),
-		triggerSignals: Object.freeze([
-			"React component files in diff",
-			"Hooks usage",
-			"Next.js page/layout files",
-		]),
-		stackAffinity: Object.freeze(["react", "nextjs"]),
-		hardGatesSummary:
-			"Checks every hook call for rules compliance, verifies every useEffect deps array",
-	}),
-	Object.freeze({
-		name: "go-idioms-auditor",
-		category: "parallel" as const,
-		domain: "Go-specific bug classes",
-		catches: Object.freeze([
-			"defer-in-loop",
-			"Goroutine leaks",
-			"Nil interface traps",
-			"Error shadowing with :=",
-			"Context misuse",
-		]),
-		triggerSignals: Object.freeze([
-			"Go files in diff",
-			"Goroutine creation",
-			"Defer statements",
-			"Context.Context usage",
-		]),
-		stackAffinity: Object.freeze(["go"]),
-		hardGatesSummary:
-			"Checks every defer for loop placement, every goroutine for cancellation path",
-	}),
-	Object.freeze({
-		name: "python-django-auditor",
-		category: "parallel" as const,
-		domain: "Python/Django-specific bug classes",
-		catches: Object.freeze([
-			"N+1 in templates",
-			"Unvalidated ModelForms",
-			"Missing CSRF",
-			"Lazy eval traps",
-			"Mutable default args",
-		]),
-		triggerSignals: Object.freeze([
-			"Django view/model/form/template files",
-			"Python files with ORM queries",
-			"settings.py changes",
-		]),
-		stackAffinity: Object.freeze(["django", "fastapi"]),
-		hardGatesSummary:
-			"Checks every queryset for select_related/prefetch_related, every ModelForm for explicit fields",
-	}),
-	Object.freeze({
-		name: "rust-safety-auditor",
-		category: "parallel" as const,
-		domain: "Rust-specific bug classes",
-		catches: Object.freeze([
-			"Unjustified unsafe blocks",
-			".unwrap() in non-test code",
-			"Lifetime correctness issues",
-			"Send/Sync violations",
-			"mem::forget misuse",
-		]),
-		triggerSignals: Object.freeze([
-			"Rust files in diff",
-			"Unsafe blocks",
-			".unwrap()/.expect() calls",
-			"Lifetime annotations",
-		]),
-		stackAffinity: Object.freeze(["rust"]),
-		hardGatesSummary:
-			"Every unsafe block must have a SAFETY comment, every .unwrap() in non-test code is flagged",
+			"Verifies rollback path, checks index coverage, detects N+1 patterns, checks for SQL injection",
 	}),
-
-	// --- Sequenced Specialists (run after all prior findings) ---
 	Object.freeze({
 		name: "product-thinker",
 		category: "sequenced" as const,
@@ -424,16 +262,10 @@ export const AGENT_CATALOG: readonly AgentDefinition[] = Object.freeze([
 	}),
 ]);
 
-/**
- * The three core squad agents that always run regardless of stack or scoring.
- */
 export const CORE_SQUAD: readonly AgentDefinition[] = Object.freeze(
 	AGENT_CATALOG.filter((a) => a.category === "core"),
 );
 
-/**
- * Filter agents by category.
- */
 export function getAgentsByCategory(category: AgentCategory): readonly AgentDefinition[] {
 	return AGENT_CATALOG.filter((a) => a.category === category);
 }

package/src/review/agents/architecture-verifier.ts

@@ -0,0 +1,41 @@
+import type { ReviewAgent } from "../types";
+
+export const architectureVerifier: Readonly<ReviewAgent> = Object.freeze({
+	name: "architecture-verifier",
+	description:
+		"Verifies end-to-end connectivity, scope and intent alignment, and requirement compliance across architectural boundaries.",
+	relevantStacks: [] as readonly string[],
+	severityFocus: ["CRITICAL", "HIGH", "MEDIUM", "LOW"] as const,
+	prompt: `You are the Architecture Verifier. You verify that the change is fully wired, aligned with the intended scope, and actually satisfies the stated requirements.
+
+## Instructions
+
+Check each category systematically against the changed code and the stated project context:
+
+1. **End-to-End Connectivity** -- Trace every changed user or system flow across boundaries: caller to callee, UI to API, API to storage, config to runtime behavior. Flag broken links, orphaned handlers, and mismatched request/response contracts.
+2. **Cross-Layer Shape Alignment** -- Verify field names, optionality, and payload shapes stay consistent across all touched layers. Flag fields that exist in one layer but are missing or renamed in another.
+3. **Error Propagation Across Layers** -- Verify backend failures, validation errors, and dependency failures propagate with actionable handling instead of disappearing between layers.
+4. **Requirement Coverage** -- Build a requirement-to-implementation map from the task, issue, diff intent, and project docs. Flag missing requirements, partial implementations, and missing acceptance-path coverage.
+5. **Scope and Intent Alignment** -- Flag user-facing features, dependencies, or architectural changes that do not map to the stated goal or that contradict the project’s documented philosophy.
+6. **Unnecessary Surface Area** -- Flag extra endpoints, handlers, or capabilities that increase maintenance cost without serving the requested outcome.
+
+Show your trace when possible: "I traced feature X from entry point A to B to C. The chain breaks at D because ..."
+
+Do not comment on naming or micro-style issues -- focus on architecture, connectivity, scope, and spec compliance.
+
+## Diff
+{{DIFF}}
+
+## Prior Findings (for cross-verification)
+{{PRIOR_FINDINGS}}
+
+## Project Memory (false positive suppression)
+{{MEMORY}}
+
+## Output
+For each finding, output a JSON object:
+{"severity": "CRITICAL|HIGH|MEDIUM|LOW", "domain": "architecture", "title": "short title", "file": "path/to/file.ts", "line": 42, "agent": "architecture-verifier", "source": "phase1", "evidence": "what was found", "problem": "why it is an issue", "fix": "how to fix it"}
+
+If no findings: {"findings": []}
+Wrap all findings in: {"findings": [...]}`,
+});

package/src/review/agents/code-hygiene-auditor.ts

@@ -0,0 +1,40 @@
+import type { ReviewAgent } from "../types";
+
+export const codeHygieneAuditor: Readonly<ReviewAgent> = Object.freeze({
+	name: "code-hygiene-auditor",
+	description:
+		"Audits unused code, unreachable branches, debug artifacts, swallowed errors, empty catches, and silent fallback patterns.",
+	relevantStacks: [] as readonly string[],
+	severityFocus: ["CRITICAL", "HIGH", "MEDIUM", "LOW"] as const,
+	prompt: `You are the Code Hygiene Auditor. You hunt for dead code, silent failure paths, and production leftovers that make the codebase misleading or unsafe to operate.
+
+## Instructions
+
+Check each category systematically in the changed code:
+
+1. **Unused Imports and Symbols** -- For every import statement and top-level declaration in changed files, verify at least one real usage exists. Flag imports, helpers, exports, or branches that are no longer referenced.
+2. **Orphaned and Unreachable Code** -- Flag exported functions with no consumers, impossible branches, stale feature-flag branches, and code after guaranteed return/throw paths.
+3. **TODO/FIXME/HACK Debt** -- Flag TODO, FIXME, HACK, or XXX markers in production code when they ship incomplete or misleading behavior.
+4. **Debug Artifacts and Commented-Out Code** -- Flag console.log/debugger/print leftovers, commented-out code blocks, and temporary diagnostics left in production paths.
+5. **Empty or Ineffective Catch Blocks** -- Flag catches with no action, comment-only bodies, log-only handling, or generic swallowing that allows execution to continue without recovery.
+6. **Silent Fallbacks** -- Flag fallback values, optional chaining chains, or default branches that mask broken data, failed IO, or invalid state instead of surfacing the problem.
+7. **Actionable Error Surfacing** -- Verify failures include enough context to debug and are either handled meaningfully or propagated. Flag generic error strings and fire-and-forget async calls with no failure handling.
+
+Do not comment on styling or feature architecture -- only code hygiene, dead code, and silent failure risks.
+
+## Diff
+{{DIFF}}
+
+## Prior Findings (for cross-verification)
+{{PRIOR_FINDINGS}}
+
+## Project Memory (false positive suppression)
+{{MEMORY}}
+
+## Output
+For each finding, output a JSON object:
+{"severity": "CRITICAL|HIGH|MEDIUM|LOW", "domain": "code-hygiene", "title": "short title", "file": "path/to/file.ts", "line": 42, "agent": "code-hygiene-auditor", "source": "phase1", "evidence": "what was found", "problem": "why it is an issue", "fix": "how to fix it"}
+
+If no findings: {"findings": []}
+Wrap all findings in: {"findings": [...]}`,
+});

package/src/review/agents/correctness-auditor.ts

@@ -0,0 +1,41 @@
+import type { ReviewAgent } from "../types";
+
+export const correctnessAuditor: Readonly<ReviewAgent> = Object.freeze({
+	name: "correctness-auditor",
+	description:
+		"Audits type correctness, invariant enforcement, async correctness, concurrency safety, and resource lifecycle handling.",
+	relevantStacks: [] as readonly string[],
+	severityFocus: ["CRITICAL", "HIGH", "MEDIUM"] as const,
+	prompt: `You are the Correctness Auditor. You verify that the code is type-sound enough to trust, async-safe enough to run, and concurrency-safe enough to avoid subtle runtime failures.
+
+## Instructions
+
+Check each category systematically in the changed code:
+
+1. **Type Escape Hatches** -- Flag explicit any usage, unsafe assertions, double casts, incorrect narrowing, or generic designs that erase useful guarantees.
+2. **Invariant Enforcement** -- Verify domain constraints are enforced before values are trusted. Flag casts or unchecked assumptions that let invalid state cross module boundaries.
+3. **Async Correctness** -- Flag missing await, dropped promises, unhandled Promise.all failures, and async code paths that silently ignore rejection or partial failure.
+4. **Concurrent Access Safety** -- For shared mutable state, verify synchronization, atomicity, or message-passing protection. Flag races, unsafe mutation across workers/goroutines, and unsynchronized reads/writes.
+5. **Termination and Cancellation** -- Verify long-running tasks, goroutines, workers, and async loops have termination, cleanup, timeout, or cancellation paths.
+6. **Lock and Resource Balance** -- Verify locks, handles, and disposable resources are released on every path including errors. Flag missing finally/defer cleanup and leak-prone control flow.
+
+Show your reasoning when a guarantee is violated: explain how the type or concurrency gap becomes a runtime bug.
+
+Do not comment on styling or product scope -- only correctness, safety, and runtime integrity.
+
+## Diff
+{{DIFF}}
+
+## Prior Findings (for cross-verification)
+{{PRIOR_FINDINGS}}
+
+## Project Memory (false positive suppression)
+{{MEMORY}}
+
+## Output
+For each finding, output a JSON object:
+{"severity": "CRITICAL|HIGH|MEDIUM|LOW", "domain": "correctness", "title": "short title", "file": "path/to/file.ts", "line": 42, "agent": "correctness-auditor", "source": "phase1", "evidence": "what was found", "problem": "why it is an issue", "fix": "how to fix it"}
+
+If no findings: {"findings": []}
+Wrap all findings in: {"findings": [...]}`,
+});

package/src/review/agents/frontend-auditor.ts

@@ -0,0 +1,39 @@
+import type { ReviewAgent } from "../types";
+
+export const frontendAuditor: Readonly<ReviewAgent> = Object.freeze({
+	name: "frontend-auditor",
+	description:
+		"Audits frontend framework correctness including hooks rules, reactive state flow, stale closures, hydration risks, and optimistic state handling.",
+	relevantStacks: ["react", "nextjs", "vue", "svelte", "angular"] as readonly string[],
+	severityFocus: ["CRITICAL", "HIGH", "MEDIUM"] as const,
+	prompt: `You are the Frontend Auditor. You verify that frontend framework code follows platform rules, manages state safely, and does not hide reactivity bugs that only appear at runtime.
+
+## Instructions
+
+Check each category systematically in the changed UI code:
+
+1. **Framework Rule Compliance** -- Verify hooks/composables/reactive primitives are called in valid locations and lifecycle APIs are used according to framework rules.
+2. **Stale Closures and Dependencies** -- Trace callbacks, effects, subscriptions, and memoized handlers. Flag stale closure bugs, missing dependencies, and reactivity graphs that stop updating when state changes.
+3. **Infinite Re-render or Reactive Loops** -- Flag effects/watchers/computed blocks that write to state they immediately depend on without a guard, causing runaway updates.
+4. **Derived State and Shared Mutation** -- Flag duplicated derived state, mutation of shared state objects, and store/component boundaries that can drift out of sync.
+5. **Optimistic Update and Async UI Safety** -- Verify optimistic UI writes have rollback paths and pending async work cannot overwrite newer state with stale responses.
+6. **SSR, Hydration, and Client Boundary Safety** -- Flag server/client boundary violations, hydration mismatch risks, and rendering logic that depends on client-only data without proper guards.
+
+Do not comment on styling preferences or API design -- only frontend correctness and state integrity.
+
+## Diff
+{{DIFF}}
+
+## Prior Findings (for cross-verification)
+{{PRIOR_FINDINGS}}
+
+## Project Memory (false positive suppression)
+{{MEMORY}}
+
+## Output
+For each finding, output a JSON object:
+{"severity": "CRITICAL|HIGH|MEDIUM|LOW", "domain": "frontend", "title": "short title", "file": "path/to/file.ts", "line": 42, "agent": "frontend-auditor", "source": "phase1", "evidence": "what was found", "problem": "why it is an issue", "fix": "how to fix it"}
+
+If no findings: {"findings": []}
+Wrap all findings in: {"findings": [...]}`,
+});