@oberion/wildo 0.6.4

package/dist/index.d.ts

@@ -0,0 +1,232 @@
+type PipelineMode = "greenfield" | "feature" | "bugfix";
+type ReviewVerdict = "PASS" | "FAIL";
+type EscalationType = "spec_issue" | "blocked" | "user";
+interface ReviewResult {
+    verdict: ReviewVerdict;
+    rawOutput: string;
+    blockingIssues: string[];
+    roundNumber: number;
+}
+interface EscalationReport {
+    escalationType: EscalationType;
+    phase: string;
+    roundsCompleted: number;
+    history: ReviewResult[];
+    diagnosis: string;
+}
+interface SessionUsage {
+    agentName: string;
+    contextWindow: number;
+    totalInputTokens: number;
+    totalOutputTokens: number;
+    seenMessageIds: Set<string>;
+}
+type AgentRole = "architect" | "reviewer" | "reporter" | "developer" | "tester";
+interface AgentConfig {
+    systemPrompt: string;
+    tools: string[];
+    model: string;
+}
+type RunStatus = "running" | "completed" | "stopped" | "failed" | "crashed";
+interface RunManifest {
+    runId: string;
+    mode: PipelineMode;
+    branch: string;
+    language: string;
+    status: RunStatus;
+    workingDir: string;
+    requirement: string;
+    acknowledged?: boolean;
+}
+interface CleanupDecision {
+    runId: string;
+    action: "keep" | "discard";
+    branch?: string;
+}
+type AuthMode = "subscription" | "api_key";
+interface ProviderAuth {
+    authMode: AuthMode;
+    apiKey?: string;
+}
+interface AuthConfig {
+    claude: ProviderAuth;
+    codex: ProviderAuth;
+}
+interface ModelConfig {
+    architect: string;
+    reviewer: string;
+    reporter: string;
+    developer: string;
+    tester: string;
+    orchestrator: string;
+}
+interface PipelineConfig {
+    auth: AuthConfig;
+    models: ModelConfig;
+    maxAgentTurns: number;
+    maxReviewRounds: number;
+    contextHandoffThreshold: number;
+    codexIdleTimeout: number;
+    permissionMode: string;
+}
+type PipelineEventType = "agent_start" | "agent_done" | "content_block" | "timeline" | "confirm_request" | "cleanup_request" | "pipeline_done" | "pipeline_error";
+interface PipelineEvent {
+    type: PipelineEventType;
+    agent?: string;
+    phase?: string;
+    data?: unknown;
+}
+interface PreflightSummary {
+    workingDir: string;
+    mode: PipelineMode;
+    language: string;
+    requirement: string;
+    hasExistingFiles: boolean;
+}
+
+/**
+ * Orchestrator: TypeScript control flow driving the multi-agent pipeline.
+ *
+ * Agents are workers invoked by deterministic code. State transitions depend on
+ * agent outputs (reviewer PASS/FAIL, escalation diagnosis), not on LLM decisions.
+ *
+ * Claude agents use @anthropic-ai/claude-agent-sdk SDK (direct query sessions).
+ * Codex agents use @openai/codex-sdk (direct API, no MCP dispatcher).
+ */
+
+declare class PipelineStopped extends Error {
+    constructor();
+}
+declare class UserInterventionRequired extends Error {
+    phase: string;
+    diagnosis: string;
+    constructor(phase: string, diagnosis: string, reportsDir?: string);
+}
+declare class Orchestrator {
+    readonly requirement: string;
+    readonly mode: PipelineMode;
+    readonly lang: string;
+    readonly workingDir: string;
+    private config;
+    private sessions;
+    private reviewHistories;
+    private lastQueryTime;
+    private originalBranch;
+    private workBranch;
+    private onEvent;
+    private stopped;
+    private workflowRoot;
+    private knowledgeDir;
+    private modulesDir;
+    private runsDir;
+    private runId;
+    private runDir;
+    private specsDir;
+    private plansDir;
+    private reportsDir;
+    private handoffsDir;
+    private roundsDir;
+    private confirmCallback;
+    private cleanupCallback;
+    constructor(requirement: string, workingDir: string, mode?: PipelineMode, lang?: string);
+    setEventHandler(handler: (event: PipelineEvent) => void): void;
+    setConfirmCallback(cb: (summary: string, warning: string) => Promise<boolean>): void;
+    setCleanupCallback(cb: (crashed: RunInfo[]) => Promise<Record<string, "keep" | "discard">>): void;
+    stop(): void;
+    abort(): void;
+    /** Apply API keys from config to environment so SDKs pick them up. */
+    private applyAuth;
+    run(): Promise<string>;
+    private emit;
+    private checkStopped;
+    private phase;
+    private describeTool;
+    private emitContentBlocks;
+    private timeline;
+    private get langInstruction();
+    private cooldown;
+    private markQueryDone;
+    private initRunDir;
+    private writeManifest;
+    private updateRunsIndex;
+    private finalizeRun;
+    private scanCrashedRuns;
+    private collectCleanupDecisions;
+    private applyCleanupDecisions;
+    private askCleanup;
+    private discardRun;
+    private acknowledgeRun;
+    private removeFromIndex;
+    private updateIndexStatus;
+    private preflightConfirm;
+    private callClaude;
+    private handoffClaude;
+    /**
+     * Call a producer agent (developer/tester) using the SDK matching its
+     * configured model. Claude models → Claude Agent SDK, OpenAI models → Codex SDK.
+     */
+    private callAgent;
+    private callCodexAgent;
+    private getOrCreateSession;
+    private archiveRound;
+    private reviewLoop;
+    private rollbackToArchitect;
+    private formatReviewHistory;
+    private report;
+    private extractExperience;
+    private hasKnowledge;
+    private initKnowledge;
+    private loadKnowledgeContext;
+    private updateKnowledge;
+    private runImplementation;
+    private finalize;
+    private runGreenfield;
+    private runFeature;
+    private runBugfix;
+}
+interface RunInfo {
+    runId: string;
+    mode: string;
+    branch: string;
+    requirement: string;
+    status: string;
+}
+
+interface UserConfigFile {
+    lang?: string;
+    theme?: "dark" | "light" | "auto";
+    auth?: {
+        claude?: Partial<ProviderAuth>;
+        codex?: Partial<ProviderAuth>;
+    };
+    models?: Partial<ModelConfig>;
+    maxAgentTurns?: number;
+    maxReviewRounds?: number;
+    contextHandoffThreshold?: number;
+    codexIdleTimeout?: number;
+    permissionMode?: string;
+}
+/** Detect available auth sources for each provider. */
+declare function detectAuthSources(): {
+    claude: {
+        hasEnvKey: boolean;
+        hasCli: boolean;
+        envKey?: string;
+    };
+    codex: {
+        hasEnvKey: boolean;
+        hasCli: boolean;
+        envKey?: string;
+    };
+};
+/** Check if first-run setup has been completed. */
+declare function isConfigured(): boolean;
+/** Save config to ~/.wildo/config.json. */
+declare function saveConfig(config: UserConfigFile): void;
+/**
+ * Load pipeline config: defaults ← ~/.wildo/config.json ← env vars.
+ * Later sources override earlier ones.
+ */
+declare function loadConfig(): Promise<PipelineConfig>;
+
+export { type AgentConfig, type AgentRole, type AuthConfig, type AuthMode, type CleanupDecision, type EscalationReport, type EscalationType, type ModelConfig, Orchestrator, type PipelineConfig, type PipelineEvent, type PipelineEventType, type PipelineMode, PipelineStopped, type PreflightSummary, type ReviewResult, type ReviewVerdict, type RunManifest, type RunStatus, type SessionUsage, UserInterventionRequired, detectAuthSources, isConfigured, loadConfig, saveConfig };

package/dist/index.js

@@ -0,0 +1 @@
+import{a as o,b as r,c as p}from"./chunk-JXNI22FR.js";import{b as e,c as i,h as t,i as n}from"./chunk-TMJX67JD.js";import"./chunk-TOAEOZEP.js";export{p as Orchestrator,o as PipelineStopped,r as UserInterventionRequired,e as detectAuthSources,i as isConfigured,n as loadConfig,t as saveConfig};

package/dist/server.js

@@ -0,0 +1 @@
+import{a as w,b as S,c as v}from"./chunk-JXNI22FR.js";import{b as f,c as g,h as y,k as h}from"./chunk-TMJX67JD.js";import"./chunk-TOAEOZEP.js";import{createServer as x}from"http";import{execFile as R}from"child_process";import{readFileSync as j,existsSync as k}from"fs";import{join as P,extname as I}from"path";import{WebSocketServer as N,WebSocket as T}from"ws";var c=8420,J=P(import.meta.dirname,"..","static"),r=null,d=!1,u=new Set,a=null,l=null,b=null;function i(t){let e=JSON.stringify(t);for(let n of u)n.readyState===T.OPEN&&n.send(e)}var H={".html":"text/html; charset=utf-8",".css":"text/css",".js":"application/javascript",".json":"application/json",".png":"image/png",".svg":"image/svg+xml",".ico":"image/x-icon"},m=x((t,e)=>{if(t.url==="/api/setup/status"){e.writeHead(200,{"Content-Type":"application/json"}),e.end(JSON.stringify({configured:g(),sources:f()}));return}if(t.url==="/api/setup/save"&&t.method==="POST"){let p="";t.on("data",s=>{p+=s}),t.on("end",()=>{try{let s=JSON.parse(p);y({auth:s.auth,lang:s.lang}),e.writeHead(200,{"Content-Type":"application/json"}),e.end(JSON.stringify({ok:!0}))}catch{e.writeHead(400,{"Content-Type":"application/json"}),e.end(JSON.stringify({error:"Invalid JSON"}))}});return}if(t.url?.startsWith("/api/i18n")){let s=new URL(t.url,"http://localhost").searchParams.get("lang")??"en";e.writeHead(200,{"Content-Type":"application/json"}),e.end(JSON.stringify(h(s)));return}if(t.url==="/api/config"){e.writeHead(200,{"Content-Type":"application/json"}),e.end(JSON.stringify(b??{}));return}let n=t.url==="/"?"/index.html":t.url??"/index.html";if(n=n.split("?")[0],n=P(J,n),!k(n)){e.writeHead(404),e.end("Not Found");return}let o=I(n),C=H[o]??"application/octet-stream",O=j(n);e.writeHead(200,{"Content-Type":C}),e.end(O)}),_=new N({server:m});_.on("connection",t=>{u.add(t),t.on("close",()=>u.delete(t)),t.on("message",e=>{let n;try{n=JSON.parse(e.toString())}catch{return}let o=n.action;o==="start"?W(n):o==="confirm"?a&&(a(n.confirmed??!1),a=null):o==="cleanup"?l&&(l(n.decisions??{}),l=null):o==="stop"?r?.stop():o==="abort"&&r?.abort()})});async function M(t,e){return i({type:"confirm_request",summary:t,warning:e}),new Promise(n=>{a=n})}async function U(t){return i({type:"cleanup_request",crashed:t.map(e=>({run_id:e.runId,mode:e.mode,branch:e.branch,requirement:e.requirement,status:e.status}))}),new Promise(e=>{l=e})}async function W(t){if(d){i({type:"error",message:"Pipeline already running"});return}let e=t.mode??"greenfield";r=new v(t.requirement??"",t.working_dir??".",e,t.lang??"en"),r.setEventHandler(n=>i(n)),r.setConfirmCallback(M),r.setCleanupCallback(U),d=!0;try{let n=await r.run();i({type:"pipeline_done",report:n})}catch(n){n instanceof w?i({type:"pipeline_stopped"}):n instanceof S?i({type:"pipeline_paused",phase:n.phase,diagnosis:n.diagnosis}):i({type:"error",message:String(n)})}finally{d=!1}}function D(t){let e=process.platform==="darwin"?"open":process.platform==="win32"?"cmd":"xdg-open",n=process.platform==="win32"?["/c","start","",t]:[t];R(e,n,()=>{})}function K(t){b=t,m.listen(c,()=>{let e=`http://localhost:${c}`;console.log(`wildo pipeline UI: ${e}`),D(e)})}import.meta.url===`file://${process.argv[1]}`&&m.listen(c,()=>{console.log(`wildo pipeline UI: http://localhost:${c}`)});export{m as httpServer,K as startWebUI};

package/dist/setup-ONOARWXI.js

@@ -0,0 +1,14 @@
+import{b as x,e as L,h as y,j as t}from"./chunk-TMJX67JD.js";import{a as r,d as k,e as A,f,g as l,h as $,i as d,j as M,k as w,m as D}from"./chunk-TOAEOZEP.js";async function P(e,s,o){f(s),process.stdout.write(`
+`),o.hasCli&&d(`${r.green}${t(e,"setup_cli_found")}${r.reset}`),o.hasEnvKey&&d(`${r.green}${t(e,"setup_env_found")}${r.reset} ${r.darkGray}(${o.envKey})${r.reset}`),!o.hasCli&&!o.hasEnvKey&&w(t(e,"setup_no_auth")),process.stdout.write(`
+`);let n=[];o.hasCli&&n.push({value:"subscription",label:t(e,"setup_opt_sub"),hint:t(e,"setup_opt_sub_hint")}),o.hasEnvKey&&n.push({value:"env_key",label:t(e,"setup_opt_env"),hint:o.envKey}),n.push({value:"new_key",label:t(e,"setup_opt_new")});let u=await l({message:`${s} auth`,options:n});if(u==="subscription")return{authMode:"subscription"};if(u==="env_key")return{authMode:"api_key"};let i=await $({message:t(e,"setup_enter_key"),placeholder:"sk-...",password:!0});return i?{authMode:"api_key",apiKey:i}:(w(t(e,"setup_no_key")),{authMode:"api_key"})}var O=["opus","sonnet","haiku"],S=["gpt-5.4"],z=[...O,...S],H={architect:"opus",reviewer:"sonnet",reporter:"haiku",developer:"gpt-5.4",tester:"gpt-5.4"},I={architect:"opus",reviewer:"sonnet",reporter:"haiku",developer:"opus",tester:"opus"},N={architect:"gpt-5.4",reviewer:"gpt-5.4",reporter:"gpt-5.4",developer:"gpt-5.4",tester:"gpt-5.4"},R={en:{architect:"Architect",reviewer:"Reviewer",reporter:"Reporter",developer:"Developer",tester:"Tester"},zh:{architect:"\u67B6\u6784\u5E08",reviewer:"\u8BC4\u5BA1\u5458",reporter:"\u62A5\u544A\u5458",developer:"\u5F00\u53D1\u8005",tester:"\u6D4B\u8BD5\u5458"}};async function X(e="en",s){let o=L(),n=s==="claude_only"?I:s==="codex_only"?N:H,u=s==="claude_only"?O:s==="codex_only"?S:z;process.stdout.write(`
+`),f(t(e,"setup_model_title")),process.stdout.write(`
+`);let i=["architect","reviewer","reporter","developer","tester"],p={},_=t(e,"setup_model_default"),g=t(e,"setup_model_current");for(let a of i){let K=(R[e]??R.en)[a]??a,b=n[a],h=o[a],U=h??b,v=[];for(let c of u){let C=h&&c===h,E=c===b,T=C&&E?`${_} \xB7 ${g}`:C?g:E?_:void 0;v.push({value:c,label:c,hint:T})}let m=v.findIndex(c=>c.value===U),F=await l({message:t(e,"setup_model_msg",{role:K}),options:v,initial:m>=0?m:0});p[a]=F}y({models:p}),process.stdout.write(`
+`),M(t(e,"setup_model_done"))}async function G(){process.stdout.write(`
+`),k();let e=await l({message:"Language / \u8BED\u8A00",options:[{value:"en",label:"English"},{value:"zh",label:"\u4E2D\u6587"}]});e==="zh"&&(process.stdout.write(`
+`),A()),process.stdout.write(`
+`),d(t(e,"setup_intro")),process.stdout.write(`
+`);let s=await l({message:t(e,"setup_provider_msg"),options:[{value:"both",label:t(e,"setup_provider_both"),hint:t(e,"setup_provider_both_hint")},{value:"claude_only",label:t(e,"setup_provider_claude_only"),hint:t(e,"setup_provider_claude_only_hint")},{value:"codex_only",label:t(e,"setup_provider_codex_only"),hint:t(e,"setup_provider_codex_only_hint")}]});process.stdout.write(`
+`);let o=x(),n=s!=="codex_only",u=s!=="claude_only",i={authMode:"subscription"},p={authMode:"subscription"};n&&(i=await P(e,"Claude",o.claude),process.stdout.write(`
+`)),u&&(p=await P(e,"Codex",o.codex),process.stdout.write(`
+`)),y({lang:e,auth:{claude:i,codex:p}}),await X(e,s==="both"?void 0:s),process.stdout.write(`
+`),D(t(e,"setup_saved"),`${r.gray}${t(e,"setup_reconfig")}${r.reset}`)}export{G as runSetup,X as setupModels};

package/dist/tui-MIW7YP2V.js

@@ -0,0 +1 @@
+import{a,b,c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u}from"./chunk-TOAEOZEP.js";export{b as ROLE_COLORS,p as agentCard,o as agentStatus,d as banner,e as bannerZh,a as c,t as configSummary,f as divider,l as error,i as info,m as note,n as phaseHeader,s as pipelineDone,q as reviewRound,c as roleColor,g as select,u as spinner,r as statusLine,j as success,h as text,k as warn};

package/package.json

@@ -0,0 +1,45 @@
+{
+  "name": "@oberion/wildo",
+  "version": "0.6.4",
+  "description": "Will do! Multi-agent pipeline — AI agents at your service",
+  "type": "module",
+  "bin": {
+    "wildo": "./dist/cli.js"
+  },
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "files": [
+    "dist",
+    "personas",
+    "static"
+  ],
+  "scripts": {
+    "build": "tsup",
+    "dev": "tsup --watch",
+    "start": "node dist/cli.js"
+  },
+  "keywords": [
+    "wildo",
+    "ai",
+    "agents",
+    "claude",
+    "codex",
+    "pipeline"
+  ],
+  "license": "MIT",
+  "engines": {
+    "node": ">=18.0.0"
+  },
+  "dependencies": {
+    "@anthropic-ai/claude-agent-sdk": "^0.2.0",
+    "@openai/codex-sdk": "^0.120.0",
+    "commander": "^13.0.0",
+    "ws": "^8.18.0"
+  },
+  "devDependencies": {
+    "@types/node": "^22.0.0",
+    "@types/ws": "^8.5.0",
+    "tsup": "^8.0.0",
+    "typescript": "^5.7.0"
+  }
+}

package/personas/architect/playbook.md

@@ -0,0 +1,74 @@
+# Architect Playbook
+
+You are a senior software architect. Your job is to turn user requirements
+into clear, actionable specification documents.
+
+## Spec Structure
+
+Your spec must define:
+- Functional requirements (what the system does)
+- Non-functional requirements (performance, security, scalability)
+- System components and their interfaces
+- Data models and API contracts
+- Acceptance criteria for each feature
+
+Output spec to: `workflow/specs/spec.md`
+
+## Design Process
+
+### 1. Requirements Analysis
+- Decompose the requirement into functional and non-functional aspects
+- Identify implicit requirements the user didn't state but will expect
+- Define acceptance criteria that are testable and unambiguous
+
+### 2. Component Design
+- Define clear component boundaries and responsibilities
+- Specify interfaces and contracts precisely — ambiguity causes cascading errors downstream
+- Document data flow between components
+
+### 3. Trade-Off Analysis
+For each significant design decision, document:
+- **Decision**: What was chosen
+- **Rationale**: Why this option
+- **Alternatives considered**: What else was evaluated
+- **Trade-offs**: What we gain vs. what we give up
+
+## System Design Checklist
+
+### Functional
+- [ ] All user stories documented
+- [ ] API contracts defined (endpoints, request/response shapes)
+- [ ] Data models specified (entities, relationships, constraints)
+- [ ] Error cases and edge conditions covered
+
+### Non-Functional
+- [ ] Performance targets defined (latency, throughput)
+- [ ] Security requirements identified (auth, data protection)
+- [ ] Scalability considerations noted (if relevant)
+
+### Technical
+- [ ] Component responsibilities defined
+- [ ] Data flow documented
+- [ ] Integration points identified
+- [ ] Testing strategy outlined (what to test, how)
+
+### Operations
+- [ ] Deployment considerations noted
+- [ ] Monitoring requirements identified (if applicable)
+
+## Rules
+
+- Define WHAT to build, not HOW to implement it. Leave implementation decisions to the developer.
+- Be precise on interfaces and contracts — ambiguity causes cascading errors downstream.
+- Every requirement must have a testable acceptance criterion.
+- When you receive review feedback, address each point specifically. If you disagree, explain your reasoning rather than silently ignoring it.
+
+## Red Flags — Avoid These
+
+- **Over-specification**: Prescribing frameworks, algorithms, or implementation details
+- **Vague criteria**: "should be fast", "user-friendly", "scalable" without measurable targets
+- **Missing error cases**: Only describing happy paths
+- **Assumed context**: Relying on knowledge the developer won't have
+- **God component**: One component doing everything
+- **Tight coupling**: Components with circular or deep dependencies
+- **Premature optimization**: Adding complexity for hypothetical scale

package/personas/developer/playbook.md

@@ -0,0 +1,19 @@
+# Developer Playbook
+
+You are a senior software developer. Your job is to implement production-quality
+code based on specifications and architecture plans.
+
+## Approach
+
+- Read the spec and plan thoroughly before writing code
+- Follow the project's existing conventions (language, style, structure)
+- Write clean, well-structured code — no dead code, no TODO placeholders
+- Handle errors at system boundaries; trust internal invariants
+- Use existing dependencies; only add new ones when justified by the spec
+
+## Output
+
+- Create/modify files as specified in the plan
+- Ensure the code compiles/runs without errors
+- Run any build commands to verify your work
+- If a test suite exists, make sure existing tests still pass

package/personas/reporter/playbook.md

@@ -0,0 +1,38 @@
+# Reporter Playbook
+
+You are a technical report writer. After each development phase completes,
+you produce a concise phase report.
+
+## Report Structure
+
+```
+# Phase Report: [Phase Name]
+Date: [current date]
+
+## Summary
+[2-3 sentences: what was accomplished]
+
+## Key Decisions
+- [Decision]: [Rationale]
+
+## Artifacts Produced
+- [file path]: [description]
+
+## Review Rounds
+- Round N: [PASS/FAIL] - [key feedback points]
+
+## Issues & Risks
+- [Any unresolved concerns]
+
+## Next Phase
+- [What comes next]
+```
+
+Output reports to: `workflow/reports/`
+
+## Rules
+
+- Be factual, not promotional. Report what happened, not what should have happened.
+- Include review round history — how many rounds, what changed.
+- Keep it under 100 lines.
+- Use the actual review history data provided. Do not fabricate round details.

package/personas/reviewer/playbook.md

@@ -0,0 +1,109 @@
+# Reviewer Playbook
+
+You are a rigorous technical reviewer. You review artifacts produced by other
+agents at each phase of the development lifecycle.
+
+## Review Process
+
+1. Read the artifact being reviewed
+2. Read the relevant spec/plan for context: `workflow/specs/`, `workflow/plans/`
+3. Evaluate against the criteria provided in each review request
+4. Output a structured verdict
+
+## Severity Levels
+
+| Level | Meaning | Blocking? |
+|-------|---------|-----------|
+| CRITICAL | System failure, data loss, security breach, or spec violation | Yes |
+| HIGH | Incorrect behavior, missing requirement, contract mismatch | Yes |
+| MEDIUM | Quality issue, will cause problems later | No |
+| LOW | Style, convention, minor improvement | No |
+
+## Confidence-Based Filtering
+
+- Report only when >80% confident it is a real issue
+- Do NOT flood with noise or stylistic preferences
+- Consolidate similar issues (e.g., "5 endpoints missing validation" not 5 separate findings)
+- Prioritize issues that could cause bugs, security vulnerabilities, or data loss
+
+## Review Dimensions
+
+### Spec Review (Architecture Phase)
+- Requirements completeness: all user needs covered?
+- Acceptance criteria: testable and unambiguous?
+- Interface precision: contracts specific enough for implementation?
+- No implementation details leaking into spec
+
+### Code Review (Implementation Phase)
+
+#### Security — flag immediately
+| Pattern | Severity |
+|---------|----------|
+| Hardcoded credentials (API keys, passwords, tokens) | CRITICAL |
+| SQL injection (string concatenation in queries) | CRITICAL |
+| Command injection (user input in shell commands) | CRITICAL |
+| Unvalidated user input at system boundaries | HIGH |
+| Missing auth checks on protected routes | CRITICAL |
+| Sensitive data in logs (tokens, PII) | HIGH |
+
+#### Silent Failures — often missed
+| Pattern | Severity |
+|---------|----------|
+| Empty catch blocks (`catch {}` or `catch { }`) | HIGH |
+| Catch returning empty default (`.catch(() => [])`) | MEDIUM |
+| Error logged but never handled | MEDIUM |
+| Missing timeout on external calls | MEDIUM |
+| Transactions without rollback on error | HIGH |
+
+#### Performance
+| Pattern | Severity |
+|---------|----------|
+| N+1 queries (fetch in loop) | HIGH |
+| Unbounded queries (no LIMIT on user-facing endpoints) | MEDIUM |
+| O(n^2) when O(n) is possible | MEDIUM |
+| Missing cleanup (event listeners, timers, subscriptions) | MEDIUM |
+
+### Test Review (Testing Phase)
+- Coverage: every acceptance criterion has tests?
+- Edge cases: null, empty, invalid, boundary values?
+- Tests verify behavior, not implementation details?
+- Tests are independent (no shared mutable state)?
+
+## Common False Positives — Do NOT Flag
+
+- Environment variables in `.env.example` (not actual secrets)
+- Test credentials in test files (if clearly marked)
+- SHA256/MD5 used for checksums (not passwords)
+- Simplified error handling in prototype/MVP scope
+
+Always verify context before flagging.
+
+## Output Format (strictly follow this)
+
+```
+## Review: [artifact name]
+
+### Verdict: PASS | FAIL
+
+### Criteria Results:
+- [Criterion 1]: PASS | FAIL
+  - [If FAIL: severity, specific issue, exact location, what's wrong, what's expected]
+- [Criterion 2]: PASS | FAIL
+  ...
+
+### Blocking Issues (if FAIL):
+1. [CRITICAL/HIGH] [File/section]: [Exact problem description]
+2. ...
+
+### Suggestions (non-blocking):
+- [MEDIUM/LOW] ...
+```
+
+## Rules
+
+- Never give a PASS when there are blocking issues. Be honest, not lenient.
+- Every FAIL must include: what's wrong, where exactly, and what the correct state should be.
+- "Looks good overall" is not acceptable feedback. Be specific.
+- You are NOT the author. Do not rationalize problems away.
+- If the same issue persists across rounds, escalate its severity.
+- Verify the artifact actually fulfills the criteria, don't just check format.

package/personas/tester/playbook.md

@@ -0,0 +1,19 @@
+# Tester Playbook
+
+You are a senior QA engineer. Your job is to write and execute comprehensive
+tests that verify the implementation meets the specification.
+
+## Approach
+
+- Read the spec to understand acceptance criteria and edge cases
+- Read the implementation to understand what to test
+- Write tests that cover: happy path, edge cases, error scenarios
+- Use the project's existing test framework and conventions
+- If no test framework exists, choose one appropriate for the language/stack
+
+## Output
+
+- Create test files following project conventions
+- Execute all tests and report results
+- If tests fail, report the failures clearly — do not silently skip
+- Ensure both new and existing tests pass