@kody-ade/kody-engine-lite 0.1.55 → 0.1.56

package/prompts/review.md

@@ -5,10 +5,9 @@ mode: primary
 tools: [read, glob, grep, bash]
 ---
 
-You are a code review agent following the Superpowers Structured Review methodology.
+You are a code review agent. Review all changes made for the task described below.
 
 Use Bash to run `git diff` to see what changed. Use Read to examine modified files in full context.
-When the diff introduces new enum values, status strings, or type constants — use Grep to trace ALL consumers outside the diff.
 
 CRITICAL: You MUST output a structured review in the EXACT format below. Do NOT output conversational text, status updates, or summaries. Your entire output must be the structured review markdown.
 
@@ -22,94 +21,28 @@ Output markdown with this EXACT structure:
 ## Findings
 
 ### Critical
+<Security vulnerabilities, data loss risks, crashes, broken authentication>
 <If none: "None.">
 
 ### Major
+<Logic errors, missing edge cases, broken tests, significant performance issues, missing error handling>
 <If none: "None.">
 
 ### Minor
+<Style issues, naming improvements, readability, trivial performance, minor refactoring opportunities>
 <If none: "None.">
 
-For each finding use: `file:line` — problem description. Suggested fix.
-
----
-
-## Two-Pass Review
-
-**Pass 1 — CRITICAL (must fix before merge):**
-
-### SQL & Data Safety
-- String interpolation in SQL — use parameterized queries even for `.to_i`/`.to_f` values
-- TOCTOU races: check-then-set patterns that should be atomic `WHERE` + update
-- Bypassing model validations via direct DB writes (e.g., `update_column`, raw queries)
-- N+1 queries: missing eager loading for associations used in loops/views
-
-### Race Conditions & Concurrency
-- Read-check-write without uniqueness constraint or duplicate key handling
-- find-or-create without unique DB index — concurrent calls create duplicates
-- Status transitions without atomic `WHERE old_status = ? UPDATE SET new_status`
-- Unsafe HTML rendering (`dangerouslySetInnerHTML`, `v-html`, `.html_safe`) on user-controlled data (XSS)
-
-### LLM Output Trust Boundary
-- LLM-generated values (emails, URLs, names) written to DB without format validation
-- Structured tool output accepted without type/shape checks before DB writes
-- LLM-generated URLs fetched without allowlist — SSRF risk
-- LLM output stored in vector DBs without sanitization — stored prompt injection risk
-
-### Shell Injection
-- `subprocess.run()` / `os.system()` with `shell=True` AND string interpolation — use argument arrays
-- `eval()` / `exec()` on LLM-generated code without sandboxing
-
-### Enum & Value Completeness
-When the diff introduces a new enum value, status string, tier name, or type constant:
-- Trace it through every consumer (READ each file that switches/filters on that value)
-- Check allowlists/filter arrays containing sibling values
-- Check `case`/`if-elsif` chains — does the new value fall through to a wrong default?
-
-**Pass 2 — INFORMATIONAL (should review, may auto-fix):**
-
-### Conditional Side Effects
-- Code paths that branch but forget a side effect on one branch (e.g., promoted but URL only attached conditionally)
-- Log messages claiming an action happened when it was conditionally skipped
-
-### Test Gaps
-- Negative-path tests asserting type/status but not side effects
-- Security enforcement features (blocking, rate limiting, auth) without integration tests
-- Missing `.expects(:something).never` when a path should NOT call an external service
-
-### Dead Code & Consistency
-- Variables assigned but never read
-- Comments/docstrings describing old behavior after code changed
-- Version mismatch between PR title and VERSION/CHANGELOG
-
-### Crypto & Entropy
-- Truncation instead of hashing — less entropy, easier collisions
-- `rand()` / `Math.random()` for security-sensitive values — use crypto-secure alternatives
-- Non-constant-time comparisons (`==`) on secrets or tokens — timing attack risk
-
-### Performance & Bundle Impact
-- Known-heavy dependencies added: moment.js (→ date-fns), full lodash (→ lodash-es), jquery
-- Images without `loading="lazy"` or explicit dimensions (CLS)
-- `useEffect` fetch waterfalls — combine or parallelize
-- Synchronous `<script>` without async/defer
-
-### Type Coercion at Boundaries
-- Values crossing language/serialization boundaries where type could change (numeric vs string)
-- Hash/digest inputs without `.toString()` normalization before serialization
-
----
-
-## Severity Definitions
-
-- **Critical**: Security vulnerability, data loss, application crash, broken authentication, injection risk, race condition. MUST fix before merge.
-- **Major**: Logic error, missing edge case, broken test, significant performance issue, missing input validation, enum completeness gap. SHOULD fix before merge.
-- **Minor**: Style issue, naming improvement, readability, micro-optimization, stale comments. NICE to fix, not blocking.
-
-## Suppressions — do NOT flag these:
-- Redundancy that aids readability
-- "Add a comment explaining this threshold" — thresholds change, comments rot
-- Consistency-only changes with no behavioral impact
-- Issues already addressed in the diff you are reviewing — read the FULL diff first
-- devDependencies additions (no production impact)
+Severity definitions:
+- **Critical**: Security vulnerability, data loss, application crash, broken authentication, injection risk. MUST fix before merge.
+- **Major**: Logic error, missing edge case, broken test, significant performance issue, missing input validation. SHOULD fix before merge.
+- **Minor**: Style issue, naming improvement, readability, micro-optimization. NICE to fix, not blocking.
+
+Review checklist:
+- [ ] Does the code match the plan?
+- [ ] Are edge cases handled?
+- [ ] Are there security concerns?
+- [ ] Are tests adequate?
+- [ ] Is error handling proper?
+- [ ] Are there any hardcoded values that should be configurable?
 
 {{TASK_CONTEXT}}

package/templates/kody.yml

@@ -109,7 +109,7 @@ jobs:
 
           # Validate mode
           case "$MODE" in
-            full|rerun|fix|status|approve|review) ;;
+            full|rerun|fix|status|approve|review|bootstrap) ;;
             *)
               # If first arg isn't a mode, it might be a task-id or nothing
               if [ -n "$MODE" ] && [ "$MODE" != "" ]; then
@@ -139,6 +139,11 @@ jobs:
             # Leave TASK_ID empty — entry.ts finds latest task for issue
           fi
 
+          # Bootstrap mode: set task-id and skip normal pipeline
+          if [ "$MODE" = "bootstrap" ]; then
+            TASK_ID="bootstrap-$(date +%y%m%d-%H%M%S)"
+          fi
+
           # Auto-generate task-id if not provided (only for full mode)
           if [ -z "$TASK_ID" ] && [ "$MODE" = "full" ]; then
             TASK_ID="${ISSUE_NUM}-$(date +%y%m%d-%H%M%S)"
@@ -237,23 +242,28 @@ jobs:
           DRY_RUN: ${{ github.event.inputs.dry_run || 'false' }}
           RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
         run: |
-          CMD="run"
-          [ "$MODE" = "rerun" ] && CMD="rerun"
-          [ "$MODE" = "fix" ] && CMD="fix"
-          [ "$MODE" = "review" ] && CMD="review"
-          ARGS="--issue-number $ISSUE_NUMBER"
-          [ -n "$TASK_ID" ] && ARGS="$ARGS --task-id $TASK_ID"
-          [ -n "$PR_NUMBER" ] && ARGS="$ARGS --pr-number $PR_NUMBER"
-          [ -n "$FROM_STAGE" ] && ARGS="$ARGS --from $FROM_STAGE"
-          [ -n "$FEEDBACK" ] && ARGS="$ARGS --feedback \"$FEEDBACK\""
-          [ "$DRY_RUN" = "true" ] && ARGS="$ARGS --dry-run"
-          kody-engine-lite $CMD $ARGS
+          if [ "$MODE" = "bootstrap" ]; then
+            echo "Running bootstrap..."
+            kody-engine-lite bootstrap
+          else
+            CMD="run"
+            [ "$MODE" = "rerun" ] && CMD="rerun"
+            [ "$MODE" = "fix" ] && CMD="fix"
+            [ "$MODE" = "review" ] && CMD="review"
+            ARGS="--issue-number $ISSUE_NUMBER"
+            [ -n "$TASK_ID" ] && ARGS="$ARGS --task-id $TASK_ID"
+            [ -n "$PR_NUMBER" ] && ARGS="$ARGS --pr-number $PR_NUMBER"
+            [ -n "$FROM_STAGE" ] && ARGS="$ARGS --from $FROM_STAGE"
+            [ -n "$FEEDBACK" ] && ARGS="$ARGS --feedback \"$FEEDBACK\""
+            [ "$DRY_RUN" = "true" ] && ARGS="$ARGS --dry-run"
+            kody-engine-lite $CMD $ARGS
+          fi
 
       - name: Pipeline summary
         if: always()
         run: |
           TASK_ID="${{ github.event.inputs.task_id || needs.parse.outputs.task_id }}"
-          STATUS_FILE=".kody/tasks/${TASK_ID}/status.json"
+          STATUS_FILE=".tasks/${TASK_ID}/status.json"
           if [ -f "$STATUS_FILE" ]; then
             STATE=$(jq -r '.state' "$STATUS_FILE")
             ICON="❌"
@@ -282,7 +292,7 @@ jobs:
         uses: actions/upload-artifact@v4
         with:
           name: kody-tasks-${{ github.event.inputs.task_id || needs.parse.outputs.task_id }}
-          path: .kody/tasks/
+          path: .tasks/
           retention-days: 7
 
   # ─── Error Notifications ─────────────────────────────────────────────────────
@@ -345,11 +355,11 @@ jobs:
         run: kody-engine-lite --help
       - name: Dry run
         run: |
-          mkdir -p .kody/tasks/smoke-test
-          echo "Smoke test task" > .kody/tasks/smoke-test/task.md
+          mkdir -p .tasks/smoke-test
+          echo "Smoke test task" > .tasks/smoke-test/task.md
           kody-engine-lite run --task-id smoke-test --dry-run || true
-          if [ -f ".kody/tasks/smoke-test/status.json" ]; then
+          if [ -f ".tasks/smoke-test/status.json" ]; then
             echo "✓ status.json created"
-            cat .kody/tasks/smoke-test/status.json
+            cat .tasks/smoke-test/status.json
           fi
-          rm -rf .kody/tasks/smoke-test
+          rm -rf .tasks/smoke-test