@nano-step/skill-manager 5.6.1 → 5.7.0

package/skills/pr-code-reviewer/references/report-template.md

@@ -0,0 +1,172 @@
+# Report Template
+
+Save to `.opencode/reviews/{type}_{identifier}_{date}.md`.
+Create `.opencode/reviews/` if it does not exist.
+
+## Design Principle
+
+**Short and meaningful.** People don't read long reports. Every section must earn its place.
+
+- Critical + Warning = full detail (file, line, impact, fix)
+- Improvements = one-liner with code suggestion
+- Suggestions = count only (or brief list if < 3)
+- Empty sections = omit entirely
+- TL;DR at the top so the reader can stop after 3 lines if everything is clean
+
+## Template
+
+```markdown
+# Code Review: PR #{number} — {pr_title}
+
+## TL;DR
+
+**{APPROVE | REQUEST CHANGES | COMMENT}** — {one sentence reason}
+
+| Critical | Warnings | Improvements | Suggestions |
+|----------|----------|--------------|-------------|
+| {count}  | {count}  | {count}      | {count}     |
+
+{If Phase 4.5 dropped findings: "🔍 Verification: {N} finding(s) dropped as false positives"}
+{If Phase 4.5 verified all findings: "🔍 All findings verified"}
+{If Phase 4.5 was skipped (no critical/warning): omit this line entirely}
+
+📊 **Result Confidence: {emoji} {score}/100**
+   Accuracy: {accuracy_rate}% ({false_positives} false positive(s) caught) | Consensus: {consensus_rate}% | Evidence: {evidence_rate}%
+{If score < 80: "⚠️ {gate_message}"}
+{If score >= 80: omit the warning line}
+
+## What This PR Does
+
+{1-3 sentences. Start with action verb. Include business impact if clear.}
+
+**Key Changes:**
+- **{category}**: {brief description}
+- **{category}**: {brief description}
+
+## Ticket Alignment
+
+> Only included when a Linear ticket is linked. Omit entirely if no ticket found.
+
+**Ticket**: [{ticket_id}]({linear_url}) — {ticket_title}
+**Status**: {ticket_status} | **Priority**: {ticket_priority}
+
+### Acceptance Criteria Coverage
+
+| # | Criteria | Status | Notes |
+|---|----------|--------|-------|
+| 1 | {criteria_text} | ✅ Met / ⚠️ Partial / ❌ Missing | {brief note} |
+
+{If all criteria met: "All acceptance criteria addressed."}
+{If gaps found: "**{count} criteria not fully addressed** — see details above."}
+{If criteria are ambiguous: "⚠️ **Ambiguous acceptance criteria** — '{original_text}' can be interpreted as: (a) {interpretation_1}, (b) {interpretation_2}. This PR implements interpretation (a/b). Verify with ticket author."}
+
+## Premise Check (DELETION changes only)
+
+> Only included when the PR deletes existing behavior. Omit for additions/modifications.
+
+| Question | Answer |
+|----------|--------|
+| Why was this code added originally? | {reason} |
+| Is the underlying problem solved? | {yes/no — explanation} |
+| Would fixing the logic be more correct? | {yes/no — explanation} |
+| Cross-repo implications? | {backend config, API contracts, etc.} |
+
+**Verdict**: {REMOVAL CORRECT / SHOULD FIX INSTEAD / NEEDS CLARIFICATION}
+
+## Critical Issues (MUST FIX)
+
+### 1. {Title}
+**`{file}:{line}`** | {Security/Logic/Performance}
+{What's wrong and what could go wrong.}
+**Fix:** {Concrete suggestion or code snippet}
+
+### 2. {Title}
+...
+
+## Warnings (SHOULD FIX)
+
+### 1. {Title}
+**`{file}:{line}`** | {Category}
+{Issue description.}
+**Fix:** {Suggestion}
+
+## Code Improvements
+
+> Opportunities to make the code better — cleaner, faster, more idiomatic.
+
+- **`{file}:{line}`** — {description}. Consider: `{code_suggestion}`
+- **`{file}:{line}`** — {description}
+
+## Suggestions ({count})
+
+{If ≤ 3, list as one-liners. If > 3, just show the count.}
+
+- `{file}:{line}` — {brief}
+
+## Files Changed
+
+| File | Type | Summary |
+|------|------|---------|
+| `{path}` | {LOGIC/DELETION/STYLE/REFACTOR/NEW} | {one-liner} |
+```
+
+**Sections to OMIT unless they contain actionable findings:**
+- Traced Dependencies
+- nano-brain Memory Context
+- Test Coverage Analysis
+- Praise (include only if genuinely noteworthy — one line max)
+- Change Classification table
+
+## PR Summary Generation Guidelines
+
+### What This PR Does (1-3 sentences)
+- Start with action verb: "Adds", "Fixes", "Refactors", "Updates"
+- Mention the feature/bug/improvement
+- Include business impact if clear
+
+### Key Changes categories
+- `Feature`: New functionality
+- `Bugfix`: Fixes broken behavior
+- `Refactor`: Code restructuring without behavior change
+- `Performance`: Speed/memory improvements
+- `Security`: Security fixes or hardening
+- `Docs`: Documentation updates
+- `Tests`: Test additions/modifications
+- `Config`: Configuration changes
+- `Dependencies`: Package updates
+
+### File-by-File Summary
+- **What changed**: Factual description of the code change
+- **Why it matters**: Impact on users, developers, or system
+- **Key modifications**: Specific functions/classes/lines changed
+
+## PR Summary Pseudocode
+
+```javascript
+// Generate PR Summary (GitHub Copilot style)
+const prSummary = `
+## PR Overview
+
+### What This PR Does
+${generateHighLevelSummary(prMetadata, changedFiles)}
+
+### Key Changes
+${categorizeChanges(changedFiles).map(c => `- **${c.category}**: ${c.description}`).join('\n')}
+
+## File-by-File Summary
+
+| File | Change Type | Summary |
+|------|-------------|---------|
+${changedFiles.map(f => `| \`${f.path}\` | ${f.changeType} | ${f.oneLinerSummary} |`).join('\n')}
+
+### Detailed File Changes
+
+${changedFiles.map(f => `
+#### \`${f.path}\` (+${f.additions}/-${f.deletions})
+**What changed**: ${f.whatChanged}
+**Why it matters**: ${f.whyItMatters}
+**Key modifications**:
+${f.keyModifications.map(m => `- ${m}`).join('\n')}
+`).join('\n')}
+`;
+```

package/skills/pr-code-reviewer/references/security-patterns.md

@@ -0,0 +1,31 @@
+# Security Patterns
+
+## OWASP Top 10 Detection
+
+### 1. Injection
+```javascript
+// CRITICAL: SQL Injection
+const query = `SELECT * FROM users WHERE id = ${userId}`;
+
+// SECURE: Parameterized query
+const query = 'SELECT * FROM users WHERE id = ?';
+await db.query(query, [userId]);
+```
+
+### 2. Broken Authentication
+```javascript
+// CRITICAL: Weak hashing
+crypto.createHash('md5').update(password);
+
+// SECURE: Strong hashing
+bcrypt.hash(password, 12);
+```
+
+### 3. XSS
+```javascript
+// CRITICAL: Direct HTML insertion
+element.innerHTML = userInput;
+
+// SECURE: Text content
+element.textContent = userInput;
+```

package/skills/pr-code-reviewer/references/setup-wizard.md

@@ -0,0 +1,207 @@
+# Setup Wizard (Phase -2)
+
+Runs once when no `.opencode/code-reviewer.json` exists, or when user runs `/review --setup`.
+
+## Wizard Flow
+
+Ask each question conversationally. Accept number or name. If the user says "both" or lists multiple, select all that apply.
+
+---
+
+### Question 1: Frontend framework
+
+```
+What frontend framework does this project use?
+
+  1. Nuxt 3
+  2. Next.js
+  3. Vue 3 (SPA, no SSR)
+  4. React (CRA / Vite)
+  5. None (API-only project)
+```
+
+→ Maps to `stack.frontend`: `"nuxt"` | `"nextjs"` | `"vue"` | `"react"` | `null`
+
+---
+
+### Question 2: Backend framework
+
+```
+What backend framework?
+
+  1. Express
+  2. NestJS
+  3. Fastify
+  4. None (frontend-only project)
+```
+
+→ Maps to `stack.backend`: `"express"` | `"nestjs"` | `"fastify"` | `null`
+
+---
+
+### Question 3: ORM / database access
+
+```
+How does the project access the database?
+
+  1. TypeORM
+  2. Prisma
+  3. Sequelize
+  4. Raw SQL / query builder
+  5. No database
+```
+
+→ Maps to `stack.orm`: `"typeorm"` | `"prisma"` | `"sequelize"` | `"raw"` | `null`
+
+---
+
+### Question 4: Language
+
+```
+TypeScript, JavaScript, or mixed?
+
+  1. TypeScript (strict)
+  2. TypeScript (loose / partial)
+  3. JavaScript
+  4. Mixed
+```
+
+→ Maps to `stack.language`: `"typescript-strict"` | `"typescript"` | `"javascript"` | `"mixed"`
+
+---
+
+### Question 5: State management (skip if backend-only)
+
+```
+Frontend state management?
+
+  1. Pinia
+  2. Vuex
+  3. Redux / Zustand
+  4. React hooks only
+  5. None / not applicable
+```
+
+→ Maps to `stack.state`: `"pinia"` | `"vuex"` | `"redux"` | `"hooks"` | `null`
+
+---
+
+---
+
+### Question 6: Agent knowledge base
+
+```
+Does your workspace have an AGENTS.md or a .agents/ knowledge folder?
+
+  1. Yes — I have AGENTS.md + .agents/ folder at workspace root
+  2. Yes — I have only AGENTS.md (no .agents/ folder)
+  3. No — I don't have any of these
+```
+
+If yes:
+- Ask for the **workspace root path** (the folder that contains all repos).
+  Example: `/Users/tamlh/workspaces/NUSTechnology/Projects/zengamingx`
+- Auto-detect by going one level up from the current repo and checking for `AGENTS.md`.
+- Verify: check if `.agents/_repos/` and `.agents/_domains/` directories exist.
+
+→ Maps to `agents.workspace_root`, `agents.has_repos_dir`, `agents.has_domains_dir`
+
+---
+
+## Saving the Config
+
+After all questions, write `.opencode/code-reviewer.json`:
+
+```json
+{
+  "version": "3.3.0",
+  "stack": {
+    "frontend": "nuxt",
+    "backend": "express",
+    "orm": "typeorm",
+    "language": "typescript",
+    "state": "pinia"
+  },
+  "agents": {
+    "workspace_root": "/Users/tamlh/workspaces/NUSTechnology/Projects/zengamingx",
+    "has_agents_md": true,
+    "has_repos_dir": true,
+    "has_domains_dir": true
+  },
+  "workspace": {
+    "name": "",
+    "github": {
+      "owner": "",
+      "default_base": "main"
+    },
+    "linear": {
+      "enabled": true,
+      "extract_from": ["branch_name", "pr_description", "pr_title"],
+      "fetch_comments": true
+    }
+  },
+  "output": {
+    "directory": ".opencode/reviews",
+    "filename_pattern": "{type}_{identifier}_{date}"
+  },
+  "report": {
+    "verbosity": "compact",
+    "show_suggestions": false,
+    "show_improvements": true
+  }
+}
+```
+
+Then show a confirmation:
+
+```
+✅ Setup complete! Code reviewer configured for:
+   Frontend:  Nuxt 3
+   Backend:   Express
+   ORM:       TypeORM
+   Language:  TypeScript
+   State:     Pinia
+
+Knowledge base:
+   ✅ AGENTS.md found at workspace root
+   ✅ .agents/_repos/ — 37 repo files
+   ✅ .agents/_domains/ — 7 domain files
+
+Framework rules that will be applied:
+   • references/framework-rules/vue-nuxt.md
+   • references/framework-rules/express.md
+   • references/framework-rules/typeorm.md
+   • references/framework-rules/typescript.md
+
+Config saved to: .opencode/code-reviewer.json
+Run /review PR#123 to start your first review.
+```
+
+---
+
+## Framework Rule File Mapping
+
+| Stack value | Rule file | Applies to agent |
+|-------------|-----------|-----------------|
+| `frontend: "nuxt"` or `"vue"` | `framework-rules/vue-nuxt.md` | Quality + Security |
+| `frontend: "nextjs"` | `framework-rules/nextjs.md` | Quality + Security |
+| `frontend: "react"` | `framework-rules/react.md` | Quality + Security |
+| `backend: "express"` | `framework-rules/express.md` | Security + Quality |
+| `backend: "nestjs"` | `framework-rules/nestjs.md` | Security + Quality |
+| `orm: "typeorm"` | `framework-rules/typeorm.md` | Security + Quality |
+| `orm: "prisma"` | `framework-rules/prisma.md` | Security + Quality |
+| `language: "typescript*"` | `framework-rules/typescript.md` | Quality |
+
+Load ONLY the files that match the configured stack. Do not load all framework rules.
+
+---
+
+## Re-running Setup
+
+Users can reset at any time:
+
+```
+/review --setup
+```
+
+This overwrites `.opencode/code-reviewer.json` entirely. Warn the user before overwriting existing config.