@kody-ade/kody-engine-lite 0.1.52 → 0.1.54

package/dist/bin/cli.js

@@ -300,7 +300,7 @@ var init_config = __esm({
         repo: ""
       },
       paths: {
-        taskDir: ".tasks"
+        taskDir: ".kody/tasks"
       },
       agent: {
         runner: "claude-code",
@@ -1601,6 +1601,20 @@ function executeShipStage(ctx, _def) {
   try {
     const head = getCurrentBranch(ctx.projectDir);
     const base = getDefaultBranch(ctx.projectDir);
+    try {
+      execFileSync7("git", ["add", ctx.taskDir], {
+        cwd: ctx.projectDir,
+        env: { ...process.env, HUSKY: "0", SKIP_HOOKS: "1" },
+        stdio: "pipe"
+      });
+      execFileSync7("git", ["commit", "--no-gpg-sign", "-m", `chore: add kody task artifacts [skip ci]`], {
+        cwd: ctx.projectDir,
+        env: { ...process.env, HUSKY: "0", SKIP_HOOKS: "1" },
+        stdio: "pipe"
+      });
+      logger.info("  Committed task artifacts");
+    } catch {
+    }
     pushBranch(ctx.projectDir);
     const config = getProjectConfig();
     let owner = config.github?.owner;
@@ -1698,6 +1712,7 @@ Failed: ${msg}
 var init_ship = __esm({
   "src/stages/ship.ts"() {
     "use strict";
+    init_logger();
     init_git_utils();
     init_github_api();
     init_config();
@@ -2526,7 +2541,7 @@ import * as fs16 from "fs";
 import * as path15 from "path";
 import { execFileSync as execFileSync9 } from "child_process";
 function findLatestTaskForIssue(issueNumber, projectDir) {
-  const tasksDir = path15.join(projectDir, ".tasks");
+  const tasksDir = path15.join(projectDir, ".kody", "tasks");
   if (!fs16.existsSync(tasksDir)) return null;
   const allDirs = fs16.readdirSync(tasksDir, { withFileTypes: true }).filter((d) => d.isDirectory()).map((d) => d.name).sort().reverse();
   const prefix = `${issueNumber}-`;
@@ -2587,7 +2602,7 @@ Or comment on the specific PR: \`@kody review\``
 }
 async function runStandaloneReview(input) {
   const taskId = input.taskId ?? `review-${generateTaskId()}`;
-  const taskDir = path16.join(input.projectDir, ".tasks", taskId);
+  const taskDir = path16.join(input.projectDir, ".kody", "tasks", taskId);
   fs17.mkdirSync(taskDir, { recursive: true });
   const taskContent = `# ${input.prTitle}
 
@@ -2830,7 +2845,7 @@ function resolveTaskAction(issueNumber, existingTaskId, existingState) {
 function resolveForIssue(issueNumber, projectDir) {
   const existingTaskId = findLatestTaskForIssue(issueNumber, projectDir);
   if (existingTaskId) {
-    const statusPath = path18.join(projectDir, ".tasks", existingTaskId, "status.json");
+    const statusPath = path18.join(projectDir, ".kody", "tasks", existingTaskId, "status.json");
     let existingState = null;
     if (fs19.existsSync(statusPath)) {
       try {
@@ -2924,7 +2939,7 @@ async function main() {
       process.exit(1);
     }
   }
-  const taskDir = path19.join(projectDir, ".tasks", taskId);
+  const taskDir = path19.join(projectDir, ".kody", "tasks", taskId);
   fs20.mkdirSync(taskDir, { recursive: true });
   if (input.command === "status") {
     printStatus(taskId, taskDir);
@@ -3036,7 +3051,7 @@ ${issue.body ?? ""}`;
     }
   }
   if (!fs20.existsSync(taskMdPath)) {
-    console.error("No task.md found. Provide --task, --issue-number, or ensure .tasks/<id>/task.md exists.");
+    console.error("No task.md found. Provide --task, --issue-number, or ensure .kody/tasks/<id>/task.md exists.");
     process.exit(1);
   }
   if (input.command === "fix" && !input.fromStage) {
@@ -3537,7 +3552,7 @@ Given this project context, output ONLY a JSON object with EXACTLY this structur
     },
     "git": { "defaultBranch": "${basic.defaultBranch}" },
     "github": { "owner": "${basic.owner}", "repo": "${basic.repo}" },
-    "paths": { "taskDir": ".tasks" },
+    "paths": { "taskDir": ".kody/tasks" },
     "agent": {
       "runner": "${"claude-code"}",
       "defaultRunner": "${"claude"}",
@@ -3595,7 +3610,7 @@ ${context}`;
     config.git.defaultBranch = config.git.defaultBranch || basic.defaultBranch;
     config.github.owner = config.github.owner || basic.owner;
     config.github.repo = config.github.repo || basic.repo;
-    config.paths.taskDir = config.paths.taskDir || ".tasks";
+    config.paths.taskDir = config.paths.taskDir || ".kody/tasks";
     config.agent.runner = config.agent.runner || "claude-code";
     config.agent.defaultRunner = config.agent.defaultRunner || "claude";
     if (!config.agent.modelMap) {
@@ -3677,7 +3692,7 @@ function buildFallbackConfig(cwd, basic) {
     },
     git: { defaultBranch: basic.defaultBranch },
     github: { owner: basic.owner, repo: basic.repo },
-    paths: { taskDir: ".tasks" },
+    paths: { taskDir: ".kody/tasks" },
     agent: {
       runner: "claude-code",
       defaultRunner: "claude",
@@ -3719,11 +3734,12 @@ function initCommand(opts) {
   const gitignorePath = path20.join(cwd, ".gitignore");
   if (fs21.existsSync(gitignorePath)) {
     const content = fs21.readFileSync(gitignorePath, "utf-8");
-    if (!content.includes(".tasks/")) {
-      fs21.appendFileSync(gitignorePath, "\n.tasks/\n");
-      console.log("  \u2713 .gitignore (added .tasks/)");
+    if (content.includes(".tasks/")) {
+      const updated = content.replace(/\n?\.tasks\/\n?/g, "\n");
+      fs21.writeFileSync(gitignorePath, updated);
+      console.log("  \u2713 .gitignore (removed legacy .tasks/ \u2014 tasks now committed in .kody/tasks/)");
     } else {
-      console.log("  \u25CB .gitignore (.tasks/ already present)");
+      console.log("  \u25CB .gitignore (ok)");
     }
   }
   console.log("\n\u2500\u2500 Prerequisites \u2500\u2500");

package/kody.config.schema.json

@@ -82,8 +82,8 @@
       "properties": {
         "taskDir": {
           "type": "string",
-          "description": "Directory for pipeline artifacts and state (gitignored)",
-          "default": ".tasks"
+          "description": "Directory for pipeline artifacts and state (committed to branch)",
+          "default": ".kody/tasks"
         }
       },
       "additionalProperties": false

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@kody-ade/kody-engine-lite",
-  "version": "0.1.52",
+  "version": "0.1.54",
   "description": "Autonomous SDLC pipeline: Kody orchestration + Claude Code + LiteLLM",
   "license": "MIT",
   "type": "module",
@@ -13,13 +13,6 @@
     "templates",
     "kody.config.schema.json"
   ],
-  "scripts": {
-    "kody": "tsx src/entry.ts",
-    "build": "tsup",
-    "test": "vitest run",
-    "typecheck": "tsc --noEmit",
-    "prepublishOnly": "pnpm build"
-  },
   "dependencies": {
     "dotenv": "^16.4.7"
   },
@@ -32,5 +25,11 @@
   },
   "engines": {
     "node": ">=22"
+  },
+  "scripts": {
+    "kody": "tsx src/entry.ts",
+    "build": "tsup",
+    "test": "vitest run",
+    "typecheck": "tsc --noEmit"
   }
-}
+}

package/prompts/autofix.md

@@ -1,21 +1,39 @@
 ---
 name: autofix
-description: Fix verification errors (typecheck, lint, test failures)
+description: Investigate root cause then fix verification errors (typecheck, lint, test failures)
 mode: primary
 tools: [read, write, edit, bash, glob, grep]
 ---
 
 You are an autofix agent. The verification stage failed. Fix the errors below.
 
-STRATEGY (in order):
-1. Try quick wins first: run `pnpm lint:fix` and `pnpm format:fix` via Bash
-2. Read the error output carefully — understand WHAT failed and WHY
-3. For type errors: Read the affected file, fix the type mismatch
-4. For test failures: Read both the test and the implementation, fix the root cause
-5. For lint errors: Apply the specific fix the linter suggests
+IRON LAW: NO FIXES WITHOUT INVESTIGATION FIRST. Do not jump to changing code. Understand the failure first.
+
+## Phase 1 — Investigate (do this BEFORE any edits)
+1. Read the full error output — what exactly failed?
+2. Identify the affected files — Read them to understand context
+3. Check recent changes: run `git diff HEAD~1` to see what changed
+4. Classify the failure pattern:
+   - **Type error**: mismatched types, missing properties, wrong generics
+   - **Test failure**: assertion mismatch, missing mock, changed behavior
+   - **Lint error**: style violation, unused import, naming convention
+   - **Runtime error**: null reference, missing dependency, config issue
+   - **Integration failure**: API contract mismatch, schema drift
+5. Identify root cause — is this a direct error in new code, or a side effect of a change elsewhere?
+
+## Phase 2 — Fix (only after root cause is clear)
+1. Try quick wins first: run configured lintFix and formatFix commands via Bash
+2. For type errors: fix the type mismatch at its source, not by adding type assertions
+3. For test failures: fix the root cause (implementation or test), not both — determine which is correct
+4. For lint errors: apply the specific fix the linter suggests
+5. For integration failures: trace the contract back to its definition, fix the mismatch at source
 6. After EACH fix, re-run the failing command to verify it passes
-7. Do NOT commit or push — the orchestrator handles git
+7. If a fix introduces new failures, REVERT and try a different approach
+8. Do NOT commit or push — the orchestrator handles git
 
-Do NOT make unrelated changes. Fix ONLY the reported errors.
+## Rules
+- Fix ONLY the reported errors. Do NOT make unrelated changes.
+- Minimal diff — use Edit for surgical changes, not Write for rewrites
+- If the failure is pre-existing (not caused by this PR's changes), document it and move on
 
 {{TASK_CONTEXT}}

package/prompts/review.md

@@ -5,9 +5,10 @@ mode: primary
 tools: [read, glob, grep, bash]
 ---
 
-You are a code review agent. Review all changes made for the task described below.
+You are a code review agent following the Superpowers Structured Review methodology.
 
 Use Bash to run `git diff` to see what changed. Use Read to examine modified files in full context.
+When the diff introduces new enum values, status strings, or type constants — use Grep to trace ALL consumers outside the diff.
 
 CRITICAL: You MUST output a structured review in the EXACT format below. Do NOT output conversational text, status updates, or summaries. Your entire output must be the structured review markdown.
 
@@ -21,28 +22,94 @@ Output markdown with this EXACT structure:
 ## Findings
 
 ### Critical
-<Security vulnerabilities, data loss risks, crashes, broken authentication>
 <If none: "None.">
 
 ### Major
-<Logic errors, missing edge cases, broken tests, significant performance issues, missing error handling>
 <If none: "None.">
 
 ### Minor
-<Style issues, naming improvements, readability, trivial performance, minor refactoring opportunities>
 <If none: "None.">
 
-Severity definitions:
-- **Critical**: Security vulnerability, data loss, application crash, broken authentication, injection risk. MUST fix before merge.
-- **Major**: Logic error, missing edge case, broken test, significant performance issue, missing input validation. SHOULD fix before merge.
-- **Minor**: Style issue, naming improvement, readability, micro-optimization. NICE to fix, not blocking.
-
-Review checklist:
-- [ ] Does the code match the plan?
-- [ ] Are edge cases handled?
-- [ ] Are there security concerns?
-- [ ] Are tests adequate?
-- [ ] Is error handling proper?
-- [ ] Are there any hardcoded values that should be configurable?
+For each finding use: `file:line` — problem description. Suggested fix.
+
+---
+
+## Two-Pass Review
+
+**Pass 1 — CRITICAL (must fix before merge):**
+
+### SQL & Data Safety
+- String interpolation in SQL — use parameterized queries even for `.to_i`/`.to_f` values
+- TOCTOU races: check-then-set patterns that should be atomic `WHERE` + update
+- Bypassing model validations via direct DB writes (e.g., `update_column`, raw queries)
+- N+1 queries: missing eager loading for associations used in loops/views
+
+### Race Conditions & Concurrency
+- Read-check-write without uniqueness constraint or duplicate key handling
+- find-or-create without unique DB index — concurrent calls create duplicates
+- Status transitions without atomic `WHERE old_status = ? UPDATE SET new_status`
+- Unsafe HTML rendering (`dangerouslySetInnerHTML`, `v-html`, `.html_safe`) on user-controlled data (XSS)
+
+### LLM Output Trust Boundary
+- LLM-generated values (emails, URLs, names) written to DB without format validation
+- Structured tool output accepted without type/shape checks before DB writes
+- LLM-generated URLs fetched without allowlist — SSRF risk
+- LLM output stored in vector DBs without sanitization — stored prompt injection risk
+
+### Shell Injection
+- `subprocess.run()` / `os.system()` with `shell=True` AND string interpolation — use argument arrays
+- `eval()` / `exec()` on LLM-generated code without sandboxing
+
+### Enum & Value Completeness
+When the diff introduces a new enum value, status string, tier name, or type constant:
+- Trace it through every consumer (READ each file that switches/filters on that value)
+- Check allowlists/filter arrays containing sibling values
+- Check `case`/`if-elsif` chains — does the new value fall through to a wrong default?
+
+**Pass 2 — INFORMATIONAL (should review, may auto-fix):**
+
+### Conditional Side Effects
+- Code paths that branch but forget a side effect on one branch (e.g., promoted but URL only attached conditionally)
+- Log messages claiming an action happened when it was conditionally skipped
+
+### Test Gaps
+- Negative-path tests asserting type/status but not side effects
+- Security enforcement features (blocking, rate limiting, auth) without integration tests
+- Missing `.expects(:something).never` when a path should NOT call an external service
+
+### Dead Code & Consistency
+- Variables assigned but never read
+- Comments/docstrings describing old behavior after code changed
+- Version mismatch between PR title and VERSION/CHANGELOG
+
+### Crypto & Entropy
+- Truncation instead of hashing — less entropy, easier collisions
+- `rand()` / `Math.random()` for security-sensitive values — use crypto-secure alternatives
+- Non-constant-time comparisons (`==`) on secrets or tokens — timing attack risk
+
+### Performance & Bundle Impact
+- Known-heavy dependencies added: moment.js (→ date-fns), full lodash (→ lodash-es), jquery
+- Images without `loading="lazy"` or explicit dimensions (CLS)
+- `useEffect` fetch waterfalls — combine or parallelize
+- Synchronous `<script>` without async/defer
+
+### Type Coercion at Boundaries
+- Values crossing language/serialization boundaries where type could change (numeric vs string)
+- Hash/digest inputs without `.toString()` normalization before serialization
+
+---
+
+## Severity Definitions
+
+- **Critical**: Security vulnerability, data loss, application crash, broken authentication, injection risk, race condition. MUST fix before merge.
+- **Major**: Logic error, missing edge case, broken test, significant performance issue, missing input validation, enum completeness gap. SHOULD fix before merge.
+- **Minor**: Style issue, naming improvement, readability, micro-optimization, stale comments. NICE to fix, not blocking.
+
+## Suppressions — do NOT flag these:
+- Redundancy that aids readability
+- "Add a comment explaining this threshold" — thresholds change, comments rot
+- Consistency-only changes with no behavioral impact
+- Issues already addressed in the diff you are reviewing — read the FULL diff first
+- devDependencies additions (no production impact)
 
 {{TASK_CONTEXT}}

package/templates/kody.yml

@@ -253,7 +253,7 @@ jobs:
         if: always()
         run: |
           TASK_ID="${{ github.event.inputs.task_id || needs.parse.outputs.task_id }}"
-          STATUS_FILE=".tasks/${TASK_ID}/status.json"
+          STATUS_FILE=".kody/tasks/${TASK_ID}/status.json"
           if [ -f "$STATUS_FILE" ]; then
             STATE=$(jq -r '.state' "$STATUS_FILE")
             ICON="❌"
@@ -282,7 +282,7 @@ jobs:
         uses: actions/upload-artifact@v4
         with:
           name: kody-tasks-${{ github.event.inputs.task_id || needs.parse.outputs.task_id }}
-          path: .tasks/
+          path: .kody/tasks/
           retention-days: 7
 
   # ─── Error Notifications ─────────────────────────────────────────────────────
@@ -345,11 +345,11 @@ jobs:
         run: kody-engine-lite --help
       - name: Dry run
         run: |
-          mkdir -p .tasks/smoke-test
-          echo "Smoke test task" > .tasks/smoke-test/task.md
+          mkdir -p .kody/tasks/smoke-test
+          echo "Smoke test task" > .kody/tasks/smoke-test/task.md
           kody-engine-lite run --task-id smoke-test --dry-run || true
-          if [ -f ".tasks/smoke-test/status.json" ]; then
+          if [ -f ".kody/tasks/smoke-test/status.json" ]; then
             echo "✓ status.json created"
-            cat .tasks/smoke-test/status.json
+            cat .kody/tasks/smoke-test/status.json
           fi
-          rm -rf .tasks/smoke-test
+          rm -rf .kody/tasks/smoke-test