npm - @nano-step/skill-manager - Versions diffs - 5.6.2 → 5.7.0 - Mend

@nano-step/skill-manager 5.6.2 → 5.7.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (19) hide show

package/skills/pr-code-reviewer/references/subagent-prompts.md CHANGED Viewed

@@ -4,6 +4,8 @@ Launch ALL 4 subagents simultaneously with `run_in_background: true`.
 **IMPORTANT**: Include the PR Summary in each subagent's context so they understand the overall change.
+**IMPORTANT**: Include `$FRAMEWORK_RULES` (resolved in Phase -2 from `.opencode/code-reviewer.json` stack config) in each subagent prompt. This contains ONLY the framework rules relevant to this project's stack — not all framework rules.
 **IMPORTANT**: If project memory results were gathered in Phase 1, include them as a `## NANO-BRAIN MEMORY` section in each subagent's prompt.
 **IMPORTANT**: Include `$REVIEW_DIR` (the temp clone path from Phase 0) in each subagent's prompt. All file reads, grep searches, and LSP operations MUST target this path — NOT the original workspace repo. This ensures subagents see the actual PR branch code.
@@ -50,9 +52,10 @@ What looks wrong? State the specific concern.
 ### Step 2: TRACE
 Read the surrounding context beyond the changed file. For each concern type:
 - **Error handling**: Trace the throw/error path UP to the HTTP boundary (controller/route handler). Check for try-catch at EVERY layer between the throw and the controller.
-- **Null safety**: Trace the data DOWN to its source (SQL query, API contract, constructor). Check if the source guarantees non-null (e.g., DB primary key, NOT NULL column, JOIN constraint).
+- **Null safety**: Trace the data DOWN to its source (SQL query, API contract, constructor). Check if the source guarantees non-null (e.g., DB primary key, NOT NULL column, JOIN constraint). Verify basic language semantics (e.g., `Array.isArray(null)` returns `false` — no TypeError; `Boolean(undefined)` returns `false`).
 - **Framework patterns**: Check if the specific usage context makes the pattern safe (e.g., Pinia singleton backing a composable, client-only component, intentionally non-reactive value).
 - **Logic errors**: Construct a CONCRETE triggering scenario with specific input values that would cause the bug.
+- **Redundant/unnecessary code**: Find ALL callers of the function before judging its internals. A function called from multiple paths with different inputs may need logic that looks redundant from one caller's perspective but is necessary for another.
 ### Step 3: VERIFY
 Can you PROVE this is a real problem? You need ONE of:
@@ -103,20 +106,26 @@ delegate_task({
     ## TRACED DEPENDENCIES
     ${tracedDependencies}
+    ## AGENTS.MD CONTEXT (workspace domain map + repo relationships)
+    ${agentsContext || "No AGENTS.md found in workspace root"}
     ## NANO-BRAIN MEMORY (past sessions, reviews, decisions)
     ${projectMemory || "No nano-brain memory available for this workspace"}
     ## LINEAR TICKET CONTEXT (from linked Linear ticket)
     ${linearTicketContext || "No Linear ticket linked to this PR"}
     ## CROSS-REPO TRACING (from Phase 2 — backend data flow analysis)
     ${crossRepoTracing || "No cross-repo tracing performed"}
     ## PREMISE CHECK (for DELETION changes — why the code existed)
     ${premiseCheck || "Not a DELETION change — no premise check needed"}
+    ## FRAMEWORK RULES (project-specific — from stack config)
+    ${frameworkRules || "No framework rules configured — run /review --setup to configure"}
     ${FILTERING_RULES}
     ## TASK
     Analyze code quality, patterns, and improvement opportunities
@@ -173,9 +182,12 @@ delegate_task({
     ## PREMISE CHECK (for DELETION changes — why the code existed)
     ${premiseCheck || "Not a DELETION change — no premise check needed"}
+    ## FRAMEWORK RULES (project-specific — from stack config)
+    ${frameworkRules || "No framework rules configured — run /review --setup to configure"}
     ${FILTERING_RULES}
     ## TASK
     Deep security, logic analysis, and logic improvement opportunities
@@ -219,13 +231,16 @@ delegate_task({
     All file reads and searches MUST use this path (temp clone of PR branch):
       ${REVIEW_DIR}
     Do NOT read from the original workspace repo — it may be on a different branch.
     ## PR SUMMARY
     ${prSummary}
     ## CHANGED FILES
     ${changedFilesWithDiff}
+    ## TRACED DEPENDENCIES
+    ${tracedDependencies}
     ## NANO-BRAIN MEMORY (past sessions, reviews, decisions)
     ${projectMemory || "No nano-brain memory available for this workspace"}
@@ -237,14 +252,17 @@ delegate_task({
     ## PREMISE CHECK (for DELETION changes — why the code existed)
     ${premiseCheck || "Not a DELETION change — no premise check needed"}
+    ## FRAMEWORK RULES (project-specific — from stack config)
+    ${frameworkRules || "No framework rules configured — run /review --setup to configure"}
     ${FILTERING_RULES}
     ## TASK
     Best practices review and idiomatic improvement opportunities
     ## CHECK
-    1. Framework anti-patterns (Next.js, React, Express, etc.)
+    1. Framework anti-patterns (check ## FRAMEWORK RULES above for project-specific patterns)
     2. Library misuse — using APIs incorrectly or suboptimally
     3. **Idiomatic improvements** — more idiomatic usage of language/framework features
     4. Missing docs ONLY on public APIs or complex algorithms
@@ -295,9 +313,12 @@ delegate_task({
     ## PREMISE CHECK (for DELETION changes — why the code existed)
     ${premiseCheck || "Not a DELETION change — no premise check needed"}
+    ## FRAMEWORK RULES (project-specific — from stack config)
+    ${frameworkRules || "No framework rules configured — run /review --setup to configure"}
     ${FILTERING_RULES}
     ## TASK
     Test coverage, integration analysis, and performance improvement opportunities

package/skills/pr-code-reviewer/references/verification-protocol.md ADDED Viewed

@@ -0,0 +1,56 @@
+# Verification Protocol (Phase 4.5)
+The orchestrator verifies each finding with severity `critical` or `warning` by reading the actual code at the cited evidence locations in `$REVIEW_DIR`. This catches false positives that survived subagent self-verification.
+## Verification Steps
+For each critical/warning finding:
+1. **Parse the evidence field** — extract file:line references cited by the subagent
+2. **Read the cited files** from `$REVIEW_DIR` at the referenced line numbers
+3. **Verify the claim** based on finding category (see rules below)
+4. **Mark verification status**:
+   - `verified: true` — evidence checks out, issue is real → **KEEP** in report
+   - `verified: false` — evidence is wrong (e.g., try-catch DOES exist) → **DROP** from report
+   - `verified: "unverifiable"` — can't confirm within timeout → **DOWNGRADE** to `suggestion`
+## Category-Specific Verification Rules
+| Category | Verification Method | FALSE if... |
+|----------|---------------------|-------------|
+| **Error handling claims** | Read the controller/route handler that calls this code path | A try-catch exists at the HTTP boundary |
+| **Null safety claims** | Read the data source (SQL query, API contract) | The source guarantees non-null (PK, NOT NULL, JOIN constraint). Also verify basic language semantics first (e.g., `Array.isArray(null)` → `false`, `Boolean(undefined)` → `false`) |
+| **Logic error claims** | Trace the cited execution path | No realistic input triggers the bug |
+| **Framework pattern claims** | Check if the specific usage context makes the pattern safe | The usage context makes the pattern safe |
+| **Redundant/unnecessary code claims** | Find ALL callers of the function (grep/LSP) | The function is called from multiple paths with different inputs — the "redundant" code may be necessary for another path (FALSE or DOWNGRADE to improvement) |
+## Timeout Policy
+30 seconds per finding. If verification takes longer, mark as `unverifiable` and move on.
+## Checkpoint Schema
+Save results to `.checkpoints/phase-4.5-verification.json`:
+```json
+{
+  "findings_checked": 5,
+  "verified_true": 3,
+  "verified_false": 1,
+  "unverifiable": 1,
+  "dropped_findings": [
+    {
+      "original": { "file": "...", "line": 42, "message": "..." },
+      "reason": "try-catch exists at controller.js:28"
+    }
+  ],
+  "downgraded_findings": [
+    {
+      "original": { "file": "...", "line": 99, "message": "..." },
+      "new_severity": "suggestion"
+    }
+  ]
+}
+```
+Update `manifest.json` (`completed_phase: 4.5`, `next_phase: 4.6`).

package/skills/pr-code-reviewer/skill.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
     "name": "pr-code-reviewer",
-    "version": "3.1.0",
-    "description": "Comprehensive code review with 4 parallel subagents, smart tracing, iterative refinement, workspace-aware configuration, and GitHub Copilot-style PR summaries.",
+    "version": "3.3.0",
+    "description": "Review pull requests and staged changes for bugs, security issues, and code quality. Use this skill whenever the user mentions: review PR, code review, check this PR, review my changes, /review, PR #123, look at this diff, is this safe to merge, or provides a GitHub PR URL. Also triggers on: 'what do you think of these changes', 'review --staged', 'check my code before merge'.",
     "compatibility": "OpenCode with nano-brain",
     "agent": null,
     "commands": [],