@open-agent-toolkit/cli 0.1.12 → 0.1.14

package/assets/skills/oat-project-review-receive-remote/SKILL.md

@@ -1,6 +1,6 @@
 ---
 name: oat-project-review-receive-remote
-version: 1.3.0
+version: 1.4.0
 description: Use when processing GitHub PR review comments within project context. Fetches PR comments, creates plan tasks, and updates project artifacts.
 disable-model-invocation: true
 user-invocable: true
@@ -139,11 +139,11 @@ Before prompting dispositions, print:
 
 Disposition options:
 
-- `convert` (default for critical/important/medium)
-- `defer` (default for minor)
+- `convert` (default for critical/important/medium/minor)
+- `defer`
 - `dismiss`
 
-Require rationale for `defer`/`dismiss`.
+Require concrete rationale for `defer`/`dismiss` at any severity, including minor. Small findings are usually cheaper to fix inline than to track as backlog items, so a minor `defer` must be justified just like any other deferral.
 
 ### Step 5: Convert Findings to Plan Tasks
 

package/assets/skills/oat-review-provide-remote/SKILL.md

@@ -0,0 +1,273 @@
+---
+name: oat-review-provide-remote
+version: 1.0.3
+description: Use when reviewing a GitHub PR opened on another machine and posting findings back as a single PR review, outside any OAT project context. Fetches the PR via gh, reviews it, and posts via gh api.
+disable-model-invocation: true
+user-invocable: true
+allowed-tools: Read, Write, Bash, Glob, Grep, AskUserQuestion
+---
+
+# Remote Review Provide (Ad-hoc GitHub PR)
+
+Review a GitHub PR opened by an agent on another machine and post the findings back as a single GitHub PR review — without requiring an active OAT project. GitHub is the source of truth: no local artifact is written and no lifecycle bookkeeping happens here. The posted review carries metadata markers so `oat-review-receive-remote` can round-trip the findings into tasks on the originating machine.
+
+## Prerequisites
+
+- `gh` CLI is installed and authenticated (`gh auth status`).
+- The PR to review exists on GitHub and is reachable from the current repo's remote.
+- Optionally `npx agent-reviews` for posting symmetry (capability-probed at startup; `gh api` is the fallback).
+- User wants an ad-hoc remote review outside the OAT project lifecycle.
+
+## Mode Assertion
+
+**OAT MODE: Remote Review Provide**
+
+**Purpose:** Fetch a GitHub PR, review it inline against the ad-hoc review checklist + severity model, and post a single PR review (summary + severity counts + inline comments + metadata markers) back to GitHub.
+
+**BLOCKED Activities:**
+
+- No `plan.md`, `state.md`, or `implementation.md` lifecycle mutations.
+- No local review artifact written on this machine (GitHub is the source of truth).
+- No mutation of the caller's working tree — all checkout happens in an ephemeral worktree.
+- No implementing fixes, commits, or pushes (this skill reviews; it does not fix).
+- No posting a review to GitHub without explicit user confirmation.
+
+**ALLOWED Activities:**
+
+- Resolve the PR number.
+- Acquire PR content via ephemeral worktree + `gh pr checkout` (or `gh pr diff` fallback).
+- Detect prior provide-remote reviews and narrow re-review scope (with the stale-SHA guard).
+- Run the ad-hoc review inline (no tier model).
+- Build the posted-review body + inline-comment array.
+- Post a single PR review via `agent-reviews` (if probed supported) else `gh api` (with user confirmation).
+
+**Self-Correction Protocol:**
+If you catch yourself:
+
+- Running `gh pr checkout` in the caller's working tree instead of an ephemeral worktree -> STOP, acquire the worktree first, and check out inside it.
+- Writing a review artifact file on this machine -> STOP; the posted PR review is the only output.
+- Editing project lifecycle artifacts (`plan.md`, `state.md`, `implementation.md`) -> STOP and revert to review-and-post only.
+- Posting the review to GitHub without explicit user confirmation -> STOP and present the body + verdict for approval first.
+- Narrowing against a prior review SHA without running the existence + ancestry guard -> STOP and run the guard first.
+- Forgetting to remove the ephemeral worktree after posting (or on failure) -> STOP and release it in a `finally`.
+
+## Progress Indicators (User-Facing)
+
+Print this banner once at start:
+
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+OAT ▸ REMOTE REVIEW PROVIDE
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+Use step indicators:
+
+- `[1/7] Resolving PR...`
+- `[2/7] Checking out PR (ephemeral worktree)...`
+- `[3/7] Detecting prior reviews + narrowing scope...`
+- `[4/7] Running review...`
+- `[5/7] Mapping inline comments to the diff...`
+- `[6/7] Building review body + verdict...`
+- `[7/7] Posting review + cleanup...`
+
+## Arguments
+
+```
+oat-review-provide-remote [--pr <N>] [--no-checkout] [--narrow|--no-narrow]
+```
+
+- `--pr <N>`: target PR number. When omitted, auto-detect from the current branch.
+- `--no-checkout`: skip the ephemeral worktree and review from `gh pr diff` only (degraded context).
+- `--narrow` / `--no-narrow`: force or forbid re-review narrowing against a prior provide-remote review. When neither is passed, honor `workflow.autoNarrowReReviewScope` (no prompt when `true`; confirm prompt otherwise).
+
+Inputs are CLI-style args parsed from `$ARGUMENTS`. No file inputs. No file outputs on this machine.
+
+## Findings Model
+
+Normalize every finding to this shape (matches the ad-hoc review checklist and the `oat-review-receive-remote` model):
+
+```yaml
+finding:
+  id: "C1" | "I1" | "M1" | "m1"
+  severity: critical | important | medium | minor
+  title: string
+  file: string | null
+  line: number | null
+  body: string
+  fix_guidance: string | null
+```
+
+Severity conventions:
+
+- `critical`: Broken behavior, security risk, or missing P0 requirement.
+- `important`: Missing P1 requirement, major robustness issue.
+- `medium`: Meaningful but non-blocking quality/maintainability issue.
+- `minor`: Cosmetic/style/documentation issue.
+
+Checklist + severity model source of truth: `.agents/skills/oat-review-provide/references/review-artifact-template.md`.
+
+## Process
+
+### Step 1: Resolve PR Number
+
+PR resolution order:
+
+1. `--pr <N>` from `$ARGUMENTS`.
+2. Auto-detect from the current branch: `gh pr view --json number -q .number`.
+
+Confirm `gh auth status` succeeds. Ask the user to confirm the resolved PR number before checkout. Capture the PR HEAD SHA (full 40-char) for the marker block and the narrowing guard:
+
+```bash
+PR_HEAD_SHA=$(gh pr view "$PR" --json headRefOid -q .headRefOid)
+```
+
+### Step 2: Check Out the PR (Hybrid Read)
+
+Acquire an ephemeral worktree FIRST, then run `gh pr checkout` inside it so the caller's working tree is never mutated. Use repo-scoped git commands so the skill works regardless of the caller's CWD (design.md → Data Flow step 2). This shell flow parallels the tested TypeScript helper at `packages/cli/src/review-remote/worktree.ts` (`acquireWorktree` / `runInWorktree` / `releaseWorktree`) — keep the two in sync if you change either:
+
+```bash
+REPO_ROOT=$(git rev-parse --show-toplevel)
+EPHEMERAL_PATH=$(mktemp -d)
+rmdir "$EPHEMERAL_PATH"   # git worktree add requires a non-existent target
+git -C "$REPO_ROOT" worktree add --detach "$EPHEMERAL_PATH" HEAD
+( cd "$EPHEMERAL_PATH" && gh pr checkout "$PR" )
+```
+
+The `-C "$REPO_ROOT"` flag is load-bearing — it lets the command run even when the caller's CWD is not inside the repository.
+
+Fallback to diff-only mode when `--no-checkout` is set, or when worktree creation / `gh pr checkout` fails (capture exit code + stderr; distinguish auth from network from branch-state failures). On checkout failure, clean up the partial worktree (`git -C "$REPO_ROOT" worktree remove --force "$EPHEMERAL_PATH"`), then warn the user that context is degraded and continue with:
+
+```bash
+gh pr diff "$PR" > "$DIFF_FILE"
+gh pr view "$PR" --json title,body,headRefOid,baseRefName,state
+```
+
+### Step 3: Detect Prior Reviews + Narrow Scope
+
+List prior PR reviews and parse each body's marker block. Filter to reviews where `oat_provide_remote: true` AND `oat_review_scope == "ad-hoc"` AND no `oat_project` key — project-rail markers are ignored by the ad-hoc filter.
+
+```bash
+gh api "/repos/{owner}/{repo}/pulls/$PR/reviews"
+```
+
+Take the most recent matching review (by submitted timestamp). Before narrowing to `<prior_sha>..<HEAD>`, run the stale-SHA guard (design.md → Error Handling → Stale prior-review SHA):
+
+Run the guard in the available git context `$GIT_CTX` — `$EPHEMERAL_PATH` in rich-context (checkout) mode, or `$REPO_ROOT` in diff-only mode (where no worktree exists):
+
+1. **Existence:** `git -C "$GIT_CTX" cat-file -e <prior_sha>` (diff-only mode: `git -C "$REPO_ROOT" fetch origin <prior_sha>:refs/oat-prior-review` first, then re-check; if that fetch fails, fall back to full PR scope).
+2. **Ancestry:** `git -C "$GIT_CTX" merge-base --is-ancestor <prior_sha> "$PR_HEAD_SHA"`.
+
+Guard outcomes:
+
+- Both pass -> narrow to `<prior_sha>..<HEAD>`.
+- Either fails -> fall back to full PR scope and warn that the prior SHA is unreachable (likely rebase/force-push).
+- `--narrow` set AND guard fails -> hard error; surface unreachability and stop.
+- `workflow.autoNarrowReReviewScope == true` -> never prompt; guard failure auto-falls back to full scope with the warning as the auto-fallback notice.
+- No matching prior review -> use full PR diff.
+
+### Step 4: Run the Review (Inline)
+
+Review inline (no tier model — matches local `oat-review-provide`) using the ad-hoc review checklist + severity model. Scope to the narrowing range when one was chosen; otherwise the full PR diff. Assign finding IDs per severity bucket (`C1`, `I1`, `M1`, `m1`).
+
+### Step 5: Map Inline Comments to the Diff
+
+For each finding with non-null `file` + `line`, classify it against the PR diff BEFORE adding it to the inline `comments[]` payload (design.md → Error Handling → Inline-comment line mapping):
+
+- Rich-context mode: parse hunk ranges from `gh api /repos/{owner}/{repo}/pulls/$PR/files` (per-file `patch` field).
+- Diff-only mode: parse hunk headers (`@@ -a,b +c,d @@`) from the `gh pr diff` output.
+- `side: RIGHT` for additions/context; `side: LEFT` only when the finding is explicitly about removed code.
+- **Renamed files:** a `gh api .../files` entry carries the pre-rename path in a sibling `previous_filename` field (not in `patch`). When a finding references the pre-rename path, remap it to the entry's post-rename `filename` before classifying, or it will be treated as out-of-diff.
+- If `line` falls outside the diff: downgrade the finding to a top-level "Findings outside the PR diff" subsection with its `file:line` reference. NEVER silently drop it and NEVER shift the line to the nearest in-diff line.
+
+> **Reference implementation:** the canonical, tested logic for this step lives in `packages/cli/src/review-remote/line-mapper.ts` (`parsePullFilesPatch` / `parseUnifiedDiff` / `classifyFinding`). The bash/`jq` flow here mirrors it — keep the two in sync. See `packages/cli/src/review-remote/README.md`; `bl-a7cd` tracks wiring this skill to call the helpers directly. The same applies to the marker block (`marker-parser.ts`), body/verdict (`body-builder.ts`), and re-review narrowing (`narrowing.ts`) used in the steps below.
+
+### Step 6: Build the Review Body + Verdict
+
+Build the posted-review body (design.md → Data Models → Posted-review-body): a leading HTML-comment marker block, then summary, severity counts, the minor-fix "Notes" nudge (only when minor findings are present), and optional verification commands.
+
+Markers (ad-hoc rail):
+
+```
+<!-- oat-review-metadata
+oat_provide_remote: true
+oat_review_head_sha: <PR_HEAD_SHA>
+oat_review_scope: ad-hoc
+oat_review_invocation: manual
+-->
+```
+
+`oat_project` is omitted entirely on the ad-hoc rail. Verdict: `REQUEST_CHANGES` when any critical or important finding exists; `COMMENT` otherwise (including a clean, zero-findings review — never auto-`APPROVE`).
+
+### Step 7: Post the Review + Clean Up
+
+Probe `agent-reviews` for a posting flow with a non-mutating check (`npx agent-reviews --help`), cached for the run:
+
+- If a posting flow is supported -> prefer `agent-reviews` for tooling symmetry.
+- Otherwise (or if the probe is inconclusive) -> post via `gh api`. As of the current `agent-reviews` release there is no review-posting flow, so `gh api` is the expected path.
+
+Present the body + verdict + inline-comment count to the user and get explicit confirmation, then post a single review.
+
+`gh api --field`/`-f`/`-F` only set top-level scalar values; they CANNOT build the nested `comments[]` array of objects the reviews endpoint requires for inline comments. Construct the complete review payload as JSON and pipe it through `--input -` instead (a heredoc or a temp JSON file both work). Each in-diff finding (from Step 5) becomes one `comments[]` entry `{ path, line, side, body }`; out-of-diff findings are NOT added here — they were already downgraded into `$REVIEW_BODY` in Step 5. `event` is the Step 6 verdict (`REQUEST_CHANGES` when any critical/important finding exists, else `COMMENT`). A body-only review (zero in-diff findings) uses an empty `comments` array or omits the key:
+
+```bash
+# Build the payload as JSON. `comments` is the in-diff findings array; jq
+# assembles it safely (escaping body text, numbers as numbers). For a
+# body-only review, COMMENTS_JSON is `[]`.
+jq -n \
+  --arg event "$VERDICT" \
+  --arg body "$REVIEW_BODY" \
+  --argjson comments "$COMMENTS_JSON" \
+  '{event: $event, body: $body, comments: $comments}' \
+| gh api --method POST "/repos/{owner}/{repo}/pulls/$PR/reviews" --input -
+
+# COMMENTS_JSON is a JSON array, one object per in-diff finding, e.g.:
+#   [
+#     { "path": "src/foo.ts", "line": 42, "side": "RIGHT", "body": "..." },
+#     { "path": "src/bar.ts", "line": 17, "side": "LEFT",  "body": "..." }
+#   ]
+# `side` is RIGHT for additions/context, LEFT only for explicit removed-code
+# findings (Step 5). Use `[]` when there are no in-diff findings.
+```
+
+Posting failure handling (design.md → Error Handling → Posting failures): on auth failure, surface `gh auth status` and stop (findings kept in memory). On PR closed/merged, surface a clear message and present findings inline. On inline-comment rejection, re-map against the current file list and retry once; if still rejected, downgrade the offending finding(s) and retry. On rate limit, surface the window and stop. NEVER silently drop a finding.
+
+Always release the ephemeral worktree in a `finally`, even when review or posting fails:
+
+```bash
+git -C "$REPO_ROOT" worktree remove --force "$EPHEMERAL_PATH" || git -C "$REPO_ROOT" worktree prune
+rm -rf "$EPHEMERAL_PATH"
+```
+
+## Troubleshooting
+
+- Auth failure: run `gh auth status`; re-authenticate, then retry.
+- No PR detected: pass explicit `--pr <N>`.
+- Checkout fails: the skill auto-falls back to diff-only mode with a degraded-context warning; pass `--no-checkout` to force it.
+- Prior-review SHA unreachable: re-invoke without `--narrow` to review full scope.
+- Inline comment rejected at a file:line: the finding is downgraded to the top-level body, not dropped.
+- Network / rate-limit errors: retry after backoff; report blocked state if persistent.
+
+## Output Contract
+
+At completion, report:
+
+- PR number and HEAD SHA reviewed.
+- Read mode (worktree checkout vs diff-only).
+- Narrowing decision (full scope vs `<prior_sha>..<HEAD>`, and why).
+- Severity counts and total findings.
+- Inline-comment count posted vs findings downgraded to the body (out-of-diff).
+- Verdict (`REQUEST_CHANGES` or `COMMENT`).
+- Posting mechanism (`agent-reviews` or `gh api`) and whether the review was posted.
+- Confirmation that the ephemeral worktree was removed.
+
+## Success Criteria
+
+- PR scope resolved and confirmed.
+- PR content acquired via ephemeral worktree (or diff-only fallback) without mutating the caller's working tree.
+- Prior provide-remote reviews detected; re-review narrowing applied only after the stale-SHA guard passes.
+- Findings produced with consistent 4-tier severities and file:line references.
+- Inline comments mapped to in-diff positions; out-of-diff findings downgraded to the body, never dropped.
+- Posted-review body carries the marker block first, correct severity counts, and the minor-fix nudge when minors are present.
+- Verdict matches the C/I rule (`REQUEST_CHANGES` vs `COMMENT`; never auto-`APPROVE`).
+- Single PR review posted (with user confirmation) via `agent-reviews` if supported, else `gh api`.
+- Ephemeral worktree removed on success and on failure.
+- No local artifact, no lifecycle bookkeeping, no fixes/commits/pushes on this machine.

package/assets/skills/oat-review-receive/SKILL.md

@@ -1,6 +1,6 @@
 ---
 name: oat-review-receive
-version: 1.3.0
+version: 1.4.0
 description: Use when processing review findings outside project context. Converts local review artifacts into actionable task lists.
 disable-model-invocation: true
 user-invocable: true
@@ -41,8 +41,8 @@ If you catch yourself:
 
 - Editing project lifecycle docs in ad-hoc mode -> STOP and revert to task-list output only.
 - Triaging without presenting a findings overview first -> STOP and show overview before disposition prompts.
-- Skipping Medium finding rationale when proposing deferral -> STOP and collect explicit rationale.
-- Auto-deferring Minor findings without checking future cleanup likelihood or fix cost -> STOP and re-evaluate the recommendation.
+- Skipping rationale when proposing deferral at any severity (including Minor) -> STOP and collect explicit rationale.
+- Defaulting a Minor finding to `defer` instead of `convert` -> STOP; the Minor default is `convert` (fix inline), and `defer` requires concrete rationale.
 
 **Recovery:**
 
@@ -182,12 +182,12 @@ Default suggestions:
 - Critical -> `convert`
 - Important -> `convert`
 - Medium -> `convert` (propose `defer` only with concrete rationale)
-- Minor -> `convert` when future cleanup is likely or the fix is trivial; otherwise `defer` with concrete rationale
+- Minor -> `convert` (propose `defer` only with concrete rationale)
 
 Rules:
 
-- Require explicit rationale for `defer` or `dismiss`.
-- Do not recommend `defer` for a Minor finding solely because it does not impact current functionality. If there is a better-than-even chance the team will need to clean it up later, or the fix is `Negligible`/`Minor`, recommend `convert`.
+- Require explicit rationale for `defer` or `dismiss` at any severity, including Minor. Small findings are cheap to fix inline, so deferring a Minor into a backlog item must be justified just like any other deferral.
+- Do not recommend `defer` for a Minor finding solely because it does not impact current functionality — fixing inline is usually cheaper than tracking it. Reserve `defer` for the genuine cases (low-probability cleanup, blocked dependency, duplicated elsewhere, explicitly out of scope, or disproportionate churn now).
 - Do not silently skip findings.
 
 ### Step 5: Generate Task List Output

package/assets/skills/oat-review-receive-remote/SKILL.md

@@ -1,6 +1,6 @@
 ---
 name: oat-review-receive-remote
-version: 1.2.0
+version: 1.3.0
 description: Use when processing GitHub PR review comments outside project context. Fetches PR comments via agent-reviews and converts them into actionable task lists.
 disable-model-invocation: true
 user-invocable: true
@@ -145,14 +145,14 @@ Before triage prompts, output:
 
 Disposition options per finding:
 
-- `convert` (default for critical/important/medium)
-- `defer` (default for minor)
+- `convert` (default for critical/important/medium/minor)
+- `defer`
 - `dismiss`
 
 Rules:
 
-- Require rationale for `defer`/`dismiss`.
-- For medium deferral, require concrete rationale (duplicate, dependency, explicit out-of-scope follow-up, risky churn).
+- Require concrete rationale for `defer`/`dismiss` at any severity, including minor. Small findings are usually cheaper to fix inline than to track as backlog items, so a minor `defer` must be justified just like any other deferral.
+- For any deferral (minor included), require a concrete reason (duplicate, dependency, explicit out-of-scope follow-up, risky churn).
 
 ### Step 5: Generate Standalone Task List
 

package/dist/commands/init/tools/shared/skill-manifest.d.ts

@@ -11,7 +11,7 @@ export interface PackMetadata {
 }
 export declare const PACK_METADATA: Record<string, PackMetadata>;
 export declare function resolvePackDefaultScope(packName: string): 'user' | 'project';
-export declare const WORKFLOW_SKILLS: readonly ["oat-project-capture", "oat-project-clear-active", "oat-project-complete", "oat-project-design", "oat-project-discover", "oat-project-document", "oat-project-implement", "oat-project-import-plan", "oat-project-new", "oat-project-next", "oat-project-open", "oat-project-plan", "oat-project-plan-writing", "oat-project-pr-final", "oat-project-pr-progress", "oat-project-progress", "oat-project-promote-spec-driven", "oat-project-quick-start", "oat-project-reconcile", "oat-project-revise", "oat-project-review-provide", "oat-project-review-receive", "oat-project-review-receive-remote", "oat-project-spec", "oat-project-split", "oat-project-summary", "oat-repo-knowledge-index", "oat-worktree-bootstrap", "oat-worktree-bootstrap-auto", "oat-wrap-up"];
+export declare const WORKFLOW_SKILLS: readonly ["oat-project-capture", "oat-project-clear-active", "oat-project-complete", "oat-project-design", "oat-project-discover", "oat-project-document", "oat-project-implement", "oat-project-import-plan", "oat-project-new", "oat-project-next", "oat-project-open", "oat-project-plan", "oat-project-plan-writing", "oat-project-pr-final", "oat-project-pr-progress", "oat-project-progress", "oat-project-promote-spec-driven", "oat-project-quick-start", "oat-project-reconcile", "oat-project-revise", "oat-project-review-provide", "oat-project-review-provide-remote", "oat-project-review-receive", "oat-project-review-receive-remote", "oat-project-spec", "oat-project-split", "oat-project-summary", "oat-repo-knowledge-index", "oat-worktree-bootstrap", "oat-worktree-bootstrap-auto", "oat-wrap-up"];
 export declare const WORKFLOW_AGENTS: readonly ["oat-codebase-mapper.md", "oat-phase-implementer.md", "oat-reviewer.md"];
 export declare const WORKFLOW_TEMPLATES: readonly ["state.md", "discovery.md", "spec.md", "design.md", "plan.md", "implementation.md", "summary.md"];
 export declare const WORKFLOW_SCRIPTS: readonly ["generate-oat-state.sh", "generate-thin-index.sh", "resolve-tracking.sh"];
@@ -19,7 +19,7 @@ export declare const IDEA_SKILLS: readonly ["oat-idea-new", "oat-idea-ideate", "
 export declare const CORE_SKILLS: readonly ["oat-docs", "oat-doctor"];
 export declare const DOCS_SKILLS: readonly ["oat-agent-instructions-analyze", "oat-agent-instructions-apply", "oat-docs-analyze", "oat-docs-apply", "oat-docs-bootstrap"];
 export declare const DOCS_SCRIPTS: readonly ["resolve-tracking.sh"];
-export declare const UTILITY_SKILLS: readonly ["create-agnostic-skill", "oat-repo-maintainability-review", "oat-review-provide", "oat-review-receive", "oat-review-receive-remote"];
+export declare const UTILITY_SKILLS: readonly ["create-agnostic-skill", "oat-repo-maintainability-review", "oat-review-provide", "oat-review-provide-remote", "oat-review-receive", "oat-review-receive-remote"];
 export declare const PROJECT_MANAGEMENT_SKILLS: readonly ["oat-pjm-add-backlog-item", "oat-pjm-update-repo-reference", "oat-pjm-review-backlog"];
 export declare const PROJECT_MANAGEMENT_TEMPLATES: readonly ["backlog-item.md", "roadmap.md"];
 export declare const PROJECT_MANAGEMENT_SCRIPTS: readonly [];

package/dist/commands/init/tools/shared/skill-manifest.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"skill-manifest.d.ts","sourceRoot":"","sources":["../../../../../src/commands/init/tools/shared/skill-manifest.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAgBH,MAAM,WAAW,YAAY;IAC3B,IAAI,EAAE,MAAM,CAAC;IACb,YAAY,EAAE,MAAM,GAAG,SAAS,CAAC;CAClC;AAED,eAAO,MAAM,aAAa,EAAE,MAAM,CAAC,MAAM,EAAE,YAAY,CAKtD,CAAC;AAEF,wBAAgB,uBAAuB,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAE5E;AAID,eAAO,MAAM,eAAe,wvBA+BlB,CAAC;AAEX,eAAO,MAAM,eAAe,oFAIlB,CAAC;AAEX,eAAO,MAAM,kBAAkB,6GAQrB,CAAC;AAEX,eAAO,MAAM,gBAAgB,qFAInB,CAAC;AAIX,eAAO,MAAM,WAAW,2FAKd,CAAC;AAIX,eAAO,MAAM,WAAW,qCAAsC,CAAC;AAI/D,eAAO,MAAM,WAAW,yIAMd,CAAC;AAEX,eAAO,MAAM,YAAY,kCAAmC,CAAC;AAI7D,eAAO,MAAM,cAAc,gJAMjB,CAAC;AAIX,eAAO,MAAM,yBAAyB,kGAI5B,CAAC;AAEX,eAAO,MAAM,4BAA4B,4CAG/B,CAAC;AAEX,eAAO,MAAM,0BAA0B,aAAc,CAAC;AAItD,eAAO,MAAM,iBAAiB,6BAA8B,CAAC;AAI7D,eAAO,MAAM,eAAe,2EAMlB,CAAC;AAEX,eAAO,MAAM,eAAe,qCAAsC,CAAC"}
+{"version":3,"file":"skill-manifest.d.ts","sourceRoot":"","sources":["../../../../../src/commands/init/tools/shared/skill-manifest.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAgBH,MAAM,WAAW,YAAY;IAC3B,IAAI,EAAE,MAAM,CAAC;IACb,YAAY,EAAE,MAAM,GAAG,SAAS,CAAC;CAClC;AAED,eAAO,MAAM,aAAa,EAAE,MAAM,CAAC,MAAM,EAAE,YAAY,CAKtD,CAAC;AAEF,wBAAgB,uBAAuB,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAE5E;AAID,eAAO,MAAM,eAAe,6xBAgClB,CAAC;AAEX,eAAO,MAAM,eAAe,oFAIlB,CAAC;AAEX,eAAO,MAAM,kBAAkB,6GAQrB,CAAC;AAEX,eAAO,MAAM,gBAAgB,qFAInB,CAAC;AAIX,eAAO,MAAM,WAAW,2FAKd,CAAC;AAIX,eAAO,MAAM,WAAW,qCAAsC,CAAC;AAI/D,eAAO,MAAM,WAAW,yIAMd,CAAC;AAEX,eAAO,MAAM,YAAY,kCAAmC,CAAC;AAI7D,eAAO,MAAM,cAAc,6KAOjB,CAAC;AAIX,eAAO,MAAM,yBAAyB,kGAI5B,CAAC;AAEX,eAAO,MAAM,4BAA4B,4CAG/B,CAAC;AAEX,eAAO,MAAM,0BAA0B,aAAc,CAAC;AAItD,eAAO,MAAM,iBAAiB,6BAA8B,CAAC;AAI7D,eAAO,MAAM,eAAe,2EAMlB,CAAC;AAEX,eAAO,MAAM,eAAe,qCAAsC,CAAC"}

package/dist/commands/init/tools/shared/skill-manifest.js

@@ -37,6 +37,7 @@ export const WORKFLOW_SKILLS = [
     'oat-project-reconcile',
     'oat-project-revise',
     'oat-project-review-provide',
+    'oat-project-review-provide-remote',
     'oat-project-review-receive',
     'oat-project-review-receive-remote',
     'oat-project-spec',
@@ -89,6 +90,7 @@ export const UTILITY_SKILLS = [
     'create-agnostic-skill',
     'oat-repo-maintainability-review',
     'oat-review-provide',
+    'oat-review-provide-remote',
     'oat-review-receive',
     'oat-review-receive-remote',
 ];

package/dist/config/json.d.ts

@@ -0,0 +1,2 @@
+export declare function parseJsonConfig(raw: string, configPath: string): unknown;
+//# sourceMappingURL=json.d.ts.map

package/dist/config/json.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"json.d.ts","sourceRoot":"","sources":["../../src/config/json.ts"],"names":[],"mappings":"AAYA,wBAAgB,eAAe,CAAC,GAAG,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAcxE"}

package/dist/config/json.js

@@ -0,0 +1,29 @@
+import { parse as parseJsonc, printParseErrorCode, } from 'jsonc-parser';
+const JSON_CONFIG_PARSE_OPTIONS = {
+    allowTrailingComma: true,
+    disallowComments: true,
+};
+export function parseJsonConfig(raw, configPath) {
+    const errors = [];
+    const parsed = parseJsonc(raw, errors, JSON_CONFIG_PARSE_OPTIONS);
+    if (errors.length > 0) {
+        const details = errors
+            .map((error) => formatParseError(raw, error))
+            .join('; ');
+        throw new SyntaxError(`Config at ${configPath} is not valid JSON: ${details}`);
+    }
+    return parsed;
+}
+function formatParseError(raw, error) {
+    const location = offsetToLineColumn(raw, error.offset);
+    return `${printParseErrorCode(error.error)} at ${location.line}:${location.column}`;
+}
+function offsetToLineColumn(raw, offset) {
+    const prefix = raw.slice(0, offset);
+    const lines = prefix.split('\n');
+    const lastLine = lines[lines.length - 1] ?? '';
+    return {
+        line: lines.length,
+        column: lastLine.length + 1,
+    };
+}

package/dist/config/oat-config.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"oat-config.d.ts","sourceRoot":"","sources":["../../src/config/oat-config.ts"],"names":[],"mappings":"AAOA,MAAM,WAAW,sBAAsB;IACrC,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,2BAA2B,CAAC,EAAE,OAAO,CAAC;CACvC;AAED,MAAM,WAAW,YAAY;IAC3B,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB;AAED,MAAM,WAAW,gBAAgB;IAC/B,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,gBAAgB,CAAC,EAAE,OAAO,CAAC;IAC3B,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,MAAM,6BAA6B,GAAG,OAAO,GAAG,OAAO,CAAC;AAC9D,MAAM,MAAM,6BAA6B,GACrC,MAAM,GACN,SAAS,GACT,IAAI,GACJ,SAAS,CAAC;AACd,MAAM,MAAM,4BAA4B,GACpC,UAAU,GACV,QAAQ,GACR,eAAe,CAAC;AACpB,MAAM,MAAM,kBAAkB,GAAG,eAAe,GAAG,WAAW,GAAG,OAAO,CAAC;AACzE,MAAM,MAAM,4BAA4B,GAAG,KAAK,GAAG,QAAQ,GAAG,MAAM,GAAG,OAAO,CAAC;AAC/E,MAAM,MAAM,6BAA6B,GAAG,OAAO,GAAG,QAAQ,GAAG,MAAM,CAAC;AACxE,MAAM,MAAM,6BAA6B,GACrC,UAAU,GACV,SAAS,GACT,gBAAgB,CAAC;AAErB,MAAM,WAAW,uBAAuB;IACtC,MAAM,CAAC,EAAE,6BAA6B,CAAC;IACvC,SAAS,CAAC,EAAE;QACV,KAAK,CAAC,EAAE,4BAA4B,CAAC;QACrC,MAAM,CAAC,EAAE,6BAA6B,CAAC;KACxC,CAAC;CACH;AAED,MAAM,WAAW,iBAAiB;IAChC,qBAAqB,CAAC,EAAE,6BAA6B,CAAC;IACtD,iBAAiB,CAAC,EAAE,OAAO,CAAC;IAC5B,kBAAkB,CAAC,EAAE,OAAO,CAAC;IAC7B,qBAAqB,CAAC,EAAE,6BAA6B,CAAC;IACtD,oBAAoB,CAAC,EAAE,4BAA4B,CAAC;IACpD,2BAA2B,CAAC,EAAE,OAAO,CAAC;IACtC,uBAAuB,CAAC,EAAE,OAAO,CAAC;IAClC,UAAU,CAAC,EAAE,kBAAkB,CAAC;IAChC,eAAe,CAAC,EAAE,uBAAuB,CAAC;CAC3C;AAgBD,eAAO,MAAM,6BAA6B,EAAE,SAAS,4BAA4B,EAC7C,CAAC;AACrC,eAAO,MAAM,8BAA8B,EAAE,SAAS,6BAA6B,EACtD,CAAC;AAC9B,eAAO,MAAM,8BAA8B,EAAE,SAAS,6BAA6B,EACxC,CAAC;AA8G5C,MAAM,MAAM,cAAc,GAAG,OAAO,CAClC,MAAM,CACF,MAAM,GACN,OAAO,GACP,MAAM,GACN,WAAW,GACX,SAAS,GACT,oBAAoB,GACpB,UAAU,GACV,YAAY,EACd,OAAO,CACR,CACF,CAAC;AAEF,MAAM,WAAW,SAAS;IACxB,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,CAAC,EAAE;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC;IAC7B,QAAQ,CAAC,EAAE;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC;IAC5B,GAAG,CAAC,EAAE,YAAY,CAAC;IACnB,OAAO,CAAC,EAAE,gBAAgB,CAAC;IAC3B,KAAK,CAAC,EAAE,cAAc,CAAC;IACvB,aAAa,CAAC,EAAE,sBAAsB,CAAC;IACvC,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;IACtB,uBAAuB,CAAC,EAAE,OAAO,CAAC;IAClC,QAAQ,CAAC,EAAE,iBAAiB,CAAC;CAC9B;AAED,MAAM,WAAW,cAAc;IAC7B,OAAO,EAAE,MAAM,CAAC;IAChB,aAAa,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC9B,iBAAiB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAClC,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,QAAQ,CAAC,EAAE,iBAAiB,CAAC;CAC9B;AAED,MAAM,WAAW,UAAU;IACzB,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,QAAQ,CAAC,EAAE,iBAAiB,CAAC;CAC9B;AAED,MAAM,WAAW,uBAAuB;IACtC,IAAI,EAAE,MAAM,GAAG,IAAI,CAAC;IACpB,IAAI,EAAE,MAAM,GAAG,IAAI,CAAC;IACpB,MAAM,EAAE,QAAQ,GAAG,SAAS,GAAG,OAAO,CAAC;CACxC;AAkRD,wBAAgB,iBAAiB,CAAC,MAAM,EAAE,SAAS,GAAG,MAAM,EAAE,CAE7D;AAED,wBAAsB,aAAa,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC,CAaxE;AAED,wBAAsB,kBAAkB,CACtC,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,cAAc,CAAC,CAazB;AAED,wBAAsB,cAAc,CAClC,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,SAAS,GAChB,OAAO,CAAC,IAAI,CAAC,CAIf;AAED,wBAAsB,mBAAmB,CACvC,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,cAAc,GACrB,OAAO,CAAC,IAAI,CAAC,CAIf;AAED,wBAAsB,oBAAoB,CACxC,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,uBAAuB,CAAC,CAkBlC;AAED,wBAAsB,gBAAgB,CACpC,QAAQ,EAAE,MAAM,EAChB,mBAAmB,EAAE,MAAM,GAC1B,OAAO,CAAC,IAAI,CAAC,CAaf;AAED,wBAAsB,kBAAkB,CACtC,QAAQ,EAAE,MAAM,EAChB,OAAO,CAAC,EAAE;IAAE,UAAU,CAAC,EAAE,MAAM,CAAA;CAAE,GAChC,OAAO,CAAC,IAAI,CAAC,CAYf;AA2BD,wBAAsB,cAAc,CAClC,aAAa,EAAE,MAAM,GACpB,OAAO,CAAC,UAAU,CAAC,CAarB;AAED,wBAAsB,eAAe,CACnC,aAAa,EAAE,MAAM,EACrB,MAAM,EAAE,UAAU,GACjB,OAAO,CAAC,IAAI,CAAC,CAIf;AAED,wBAAsB,iBAAiB,CACrC,QAAQ,EAAE,MAAM,EAChB,aAAa,EAAE,MAAM,GACpB,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAQxB;AAED,wBAAsB,aAAa,CACjC,QAAQ,EAAE,MAAM,EAChB,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,IAAI,CAAC,CAMf;AAED,wBAAsB,eAAe,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAMrE;AAED,wBAAgB,mBAAmB,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,CA6B5D"}
+{"version":3,"file":"oat-config.d.ts","sourceRoot":"","sources":["../../src/config/oat-config.ts"],"names":[],"mappings":"AASA,MAAM,WAAW,sBAAsB;IACrC,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,2BAA2B,CAAC,EAAE,OAAO,CAAC;CACvC;AAED,MAAM,WAAW,YAAY;IAC3B,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB;AAED,MAAM,WAAW,gBAAgB;IAC/B,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,gBAAgB,CAAC,EAAE,OAAO,CAAC;IAC3B,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,MAAM,6BAA6B,GAAG,OAAO,GAAG,OAAO,CAAC;AAC9D,MAAM,MAAM,6BAA6B,GACrC,MAAM,GACN,SAAS,GACT,IAAI,GACJ,SAAS,CAAC;AACd,MAAM,MAAM,4BAA4B,GACpC,UAAU,GACV,QAAQ,GACR,eAAe,CAAC;AACpB,MAAM,MAAM,kBAAkB,GAAG,eAAe,GAAG,WAAW,GAAG,OAAO,CAAC;AACzE,MAAM,MAAM,4BAA4B,GAAG,KAAK,GAAG,QAAQ,GAAG,MAAM,GAAG,OAAO,CAAC;AAC/E,MAAM,MAAM,6BAA6B,GAAG,OAAO,GAAG,QAAQ,GAAG,MAAM,CAAC;AACxE,MAAM,MAAM,6BAA6B,GACrC,UAAU,GACV,SAAS,GACT,gBAAgB,CAAC;AAErB,MAAM,WAAW,uBAAuB;IACtC,MAAM,CAAC,EAAE,6BAA6B,CAAC;IACvC,SAAS,CAAC,EAAE;QACV,KAAK,CAAC,EAAE,4BAA4B,CAAC;QACrC,MAAM,CAAC,EAAE,6BAA6B,CAAC;KACxC,CAAC;CACH;AAED,MAAM,WAAW,iBAAiB;IAChC,qBAAqB,CAAC,EAAE,6BAA6B,CAAC;IACtD,iBAAiB,CAAC,EAAE,OAAO,CAAC;IAC5B,kBAAkB,CAAC,EAAE,OAAO,CAAC;IAC7B,qBAAqB,CAAC,EAAE,6BAA6B,CAAC;IACtD,oBAAoB,CAAC,EAAE,4BAA4B,CAAC;IACpD,2BAA2B,CAAC,EAAE,OAAO,CAAC;IACtC,uBAAuB,CAAC,EAAE,OAAO,CAAC;IAClC,UAAU,CAAC,EAAE,kBAAkB,CAAC;IAChC,eAAe,CAAC,EAAE,uBAAuB,CAAC;CAC3C;AAgBD,eAAO,MAAM,6BAA6B,EAAE,SAAS,4BAA4B,EAC7C,CAAC;AACrC,eAAO,MAAM,8BAA8B,EAAE,SAAS,6BAA6B,EACtD,CAAC;AAC9B,eAAO,MAAM,8BAA8B,EAAE,SAAS,6BAA6B,EACxC,CAAC;AA8G5C,MAAM,MAAM,cAAc,GAAG,OAAO,CAClC,MAAM,CACF,MAAM,GACN,OAAO,GACP,MAAM,GACN,WAAW,GACX,SAAS,GACT,oBAAoB,GACpB,UAAU,GACV,YAAY,EACd,OAAO,CACR,CACF,CAAC;AAEF,MAAM,WAAW,SAAS;IACxB,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,CAAC,EAAE;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC;IAC7B,QAAQ,CAAC,EAAE;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC;IAC5B,GAAG,CAAC,EAAE,YAAY,CAAC;IACnB,OAAO,CAAC,EAAE,gBAAgB,CAAC;IAC3B,KAAK,CAAC,EAAE,cAAc,CAAC;IACvB,aAAa,CAAC,EAAE,sBAAsB,CAAC;IACvC,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;IACtB,uBAAuB,CAAC,EAAE,OAAO,CAAC;IAClC,QAAQ,CAAC,EAAE,iBAAiB,CAAC;CAC9B;AAED,MAAM,WAAW,cAAc;IAC7B,OAAO,EAAE,MAAM,CAAC;IAChB,aAAa,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC9B,iBAAiB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAClC,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,QAAQ,CAAC,EAAE,iBAAiB,CAAC;CAC9B;AAED,MAAM,WAAW,UAAU;IACzB,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,QAAQ,CAAC,EAAE,iBAAiB,CAAC;CAC9B;AAED,MAAM,WAAW,uBAAuB;IACtC,IAAI,EAAE,MAAM,GAAG,IAAI,CAAC;IACpB,IAAI,EAAE,MAAM,GAAG,IAAI,CAAC;IACpB,MAAM,EAAE,QAAQ,GAAG,SAAS,GAAG,OAAO,CAAC;CACxC;AAkRD,wBAAgB,iBAAiB,CAAC,MAAM,EAAE,SAAS,GAAG,MAAM,EAAE,CAE7D;AAED,wBAAsB,aAAa,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC,CAaxE;AAED,wBAAsB,kBAAkB,CACtC,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,cAAc,CAAC,CAazB;AAED,wBAAsB,cAAc,CAClC,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,SAAS,GAChB,OAAO,CAAC,IAAI,CAAC,CAIf;AAED,wBAAsB,mBAAmB,CACvC,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,cAAc,GACrB,OAAO,CAAC,IAAI,CAAC,CAIf;AAED,wBAAsB,oBAAoB,CACxC,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,uBAAuB,CAAC,CAkBlC;AAED,wBAAsB,gBAAgB,CACpC,QAAQ,EAAE,MAAM,EAChB,mBAAmB,EAAE,MAAM,GAC1B,OAAO,CAAC,IAAI,CAAC,CAaf;AAED,wBAAsB,kBAAkB,CACtC,QAAQ,EAAE,MAAM,EAChB,OAAO,CAAC,EAAE;IAAE,UAAU,CAAC,EAAE,MAAM,CAAA;CAAE,GAChC,OAAO,CAAC,IAAI,CAAC,CAYf;AA2BD,wBAAsB,cAAc,CAClC,aAAa,EAAE,MAAM,GACpB,OAAO,CAAC,UAAU,CAAC,CAarB;AAED,wBAAsB,eAAe,CACnC,aAAa,EAAE,MAAM,EACrB,MAAM,EAAE,UAAU,GACjB,OAAO,CAAC,IAAI,CAAC,CAIf;AAED,wBAAsB,iBAAiB,CACrC,QAAQ,EAAE,MAAM,EAChB,aAAa,EAAE,MAAM,GACpB,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAQxB;AAED,wBAAsB,aAAa,CACjC,QAAQ,EAAE,MAAM,EAChB,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,IAAI,CAAC,CAMf;AAED,wBAAsB,eAAe,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAMrE;AAED,wBAAgB,mBAAmB,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,CA6B5D"}

package/dist/config/oat-config.js

@@ -3,6 +3,7 @@ import { readFile } from 'node:fs/promises';
 import { basename, isAbsolute, join, relative, resolve, sep } from 'node:path';
 import { atomicWriteJson, dirExists, fileExists } from '../fs/io.js';
 import { normalizeToPosixPath } from '../fs/paths.js';
+import { parseJsonConfig } from './json.js';
 const VALID_HILL_CHECKPOINT_DEFAULTS = ['every', 'final'];
 const VALID_POST_IMPLEMENT_SEQUENCES = ['wait', 'summary', 'pr', 'docs-pr'];
 const VALID_REVIEW_EXECUTION_MODELS = [
@@ -291,7 +292,7 @@ export async function readOatConfig(repoRoot) {
     const configPath = getConfigPath(repoRoot);
     try {
         const raw = await readFile(configPath, 'utf8');
-        return normalizeOatConfig(JSON.parse(raw));
+        return normalizeOatConfig(parseJsonConfig(raw, configPath));
     }
     catch (error) {
         if (isMissingFileError(error)) {
@@ -304,7 +305,7 @@ export async function readOatLocalConfig(repoRoot) {
     const configPath = getLocalConfigPath(repoRoot);
     try {
         const raw = await readFile(configPath, 'utf8');
-        return normalizeOatLocalConfig(repoRoot, JSON.parse(raw));
+        return normalizeOatLocalConfig(repoRoot, parseJsonConfig(raw, configPath));
     }
     catch (error) {
         if (isMissingFileError(error)) {
@@ -384,7 +385,7 @@ export async function readUserConfig(userConfigDir) {
     const configPath = getUserConfigPath(userConfigDir);
     try {
         const raw = await readFile(configPath, 'utf8');
-        return normalizeUserConfig(JSON.parse(raw));
+        return normalizeUserConfig(parseJsonConfig(raw, configPath));
     }
     catch (error) {
         if (isMissingFileError(error)) {

package/dist/config/sync-config.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"sync-config.d.ts","sourceRoot":"","sources":["../../src/config/sync-config.ts"],"names":[],"mappings":"AAKA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,QAAA,MAAM,oBAAoB;;;;;;;;;EAGxB,CAAC;AAEH,eAAO,MAAM,gBAAgB;;;;;;;;;;;;;;;;;;;;;;;;;;;EAI3B,CAAC;AAEH,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAC;AAEtE,MAAM,MAAM,UAAU,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,GAAG;IAC1D,SAAS,EAAE,MAAM,CAAC,MAAM,EAAE,kBAAkB,CAAC,CAAC;CAC/C,CAAC;AAEF,eAAO,MAAM,mBAAmB,EAAE,UAIjC,CAAC;AAoDF,wBAAsB,cAAc,CAClC,UAAU,EAAE,MAAM,EAClB,QAAQ,GAAE,UAAgC,GACzC,OAAO,CAAC,UAAU,CAAC,CA4BrB;AAED,wBAAsB,cAAc,CAClC,UAAU,EAAE,MAAM,EAClB,MAAM,EAAE,UAAU,GACjB,OAAO,CAAC,UAAU,CAAC,CAWrB;AAED,wBAAsB,kBAAkB,CACtC,UAAU,EAAE,MAAM,EAClB,YAAY,EAAE,MAAM,EACpB,OAAO,EAAE,OAAO,GACf,OAAO,CAAC,UAAU,CAAC,CAcrB"}
+{"version":3,"file":"sync-config.d.ts","sourceRoot":"","sources":["../../src/config/sync-config.ts"],"names":[],"mappings":"AAKA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAIxB,QAAA,MAAM,oBAAoB;;;;;;;;;EAGxB,CAAC;AAEH,eAAO,MAAM,gBAAgB;;;;;;;;;;;;;;;;;;;;;;;;;;;EAI3B,CAAC;AAEH,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAC;AAEtE,MAAM,MAAM,UAAU,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,GAAG;IAC1D,SAAS,EAAE,MAAM,CAAC,MAAM,EAAE,kBAAkB,CAAC,CAAC;CAC/C,CAAC;AAEF,eAAO,MAAM,mBAAmB,EAAE,UAIjC,CAAC;AAoDF,wBAAsB,cAAc,CAClC,UAAU,EAAE,MAAM,EAClB,QAAQ,GAAE,UAAgC,GACzC,OAAO,CAAC,UAAU,CAAC,CA4BrB;AAED,wBAAsB,cAAc,CAClC,UAAU,EAAE,MAAM,EAClB,MAAM,EAAE,UAAU,GACjB,OAAO,CAAC,UAAU,CAAC,CAWrB;AAED,wBAAsB,kBAAkB,CACtC,UAAU,EAAE,MAAM,EAClB,YAAY,EAAE,MAAM,EACpB,OAAO,EAAE,OAAO,GACf,OAAO,CAAC,UAAU,CAAC,CAcrB"}

package/dist/config/sync-config.js

@@ -3,6 +3,7 @@ import { CliError } from '../errors/index.js';
 import { atomicWriteJson } from '../fs/io.js';
 import { SyncStrategySchema } from '../shared/types.js';
 import { z } from 'zod';
+import { parseJsonConfig } from './json.js';
 const ProviderConfigSchema = z.object({
     strategy: SyncStrategySchema.optional(),
     enabled: z.boolean().optional(),
@@ -37,7 +38,7 @@ function normalizeConfig(config, defaults) {
 function parseSyncConfig(raw, configPath) {
     let parsed;
     try {
-        parsed = JSON.parse(raw);
+        parsed = parseJsonConfig(raw, configPath);
     }
     catch {
         throw new CliError(`Sync config at ${configPath} is not valid JSON. Fix the file and retry.`);

package/dist/review-remote/body-builder.d.ts

@@ -0,0 +1,79 @@
+/**
+ * Builder for the posted-review-body (see design.md → Data Models →
+ * Posted-review-body) and the verdict mapper that decides the GitHub review
+ * `event`.
+ *
+ * The body is the durable handoff to `*-receive-remote`: a leading
+ * HTML-comment marker block (parsed back by {@link parseMarkerBlock}) followed
+ * by human-readable prose (summary, severity counts, optional minor-fix nudge,
+ * optional verification commands).
+ */
+import { type ReviewInvocation } from './marker-parser.js';
+export type ReviewVerdict = 'REQUEST_CHANGES' | 'COMMENT';
+export type FindingSeverity = 'critical' | 'important' | 'medium' | 'minor';
+/** Minimal finding shape the builder needs — only severity is required. */
+export interface BuilderFinding {
+    severity: FindingSeverity;
+}
+/**
+ * A finding whose `file:line` is NOT present in the PR diff and therefore
+ * cannot be posted as a GitHub inline comment (see design.md → Error Handling →
+ * Inline-comment line mapping). Such findings must NOT be dropped — they are
+ * downgraded into the top-level body via a "Findings outside the PR diff"
+ * subsection carrying the original `file:line` reference and finding body.
+ *
+ * Field names mirror the `StructuredFindings` finding shape (design.md → Data
+ * Models → StructuredFindings) so callers can pass entries through unchanged;
+ * `line` is `number | null` because a reviewer-level finding may be file-scoped
+ * with no specific line.
+ */
+export interface OutOfDiffFinding {
+    /** Repo-relative path the original finding referenced. */
+    file: string;
+    /** 1-based line the original finding referenced, or `null` if file-scoped. */
+    line: number | null;
+    severity: FindingSeverity;
+    /** Optional short title carried from the structured finding. */
+    title?: string;
+    /** Finding description / rationale — preserved verbatim, never dropped. */
+    body: string;
+}
+export interface BuildInput {
+    /** Full 40-char hex SHA of the reviewed PR HEAD. */
+    headSha: string;
+    /** Scope token (`pNN`, `final`, …) or the `ad-hoc` sentinel. */
+    scope: string;
+    /** Project path — set only on the project rail; omitted on ad-hoc. */
+    project?: string;
+    /** How the review was invoked. */
+    invocation: ReviewInvocation;
+    /** 2-3 sentence human-readable summary. */
+    summary: string;
+    findings: BuilderFinding[];
+    /**
+     * Findings whose `file:line` is not in the PR diff, downgraded into the body
+     * instead of posted inline. Omitted/empty renders no subsection (the body is
+     * byte-identical to a build without the field).
+     *
+     * Count contract: these findings MUST also appear in {@link BuildInput.findings}
+     * so the severity counts stay complete. This field only drives body rendering
+     * — the builder never re-derives severity counts from it.
+     */
+    outOfDiffFindings?: OutOfDiffFinding[];
+    /** Commands the user can run to verify fixes; omitted when absent/empty. */
+    verificationCommands?: string[];
+}
+/**
+ * Map a finding set to the GitHub review verdict: `REQUEST_CHANGES` when any
+ * critical or important finding is present, otherwise `COMMENT` (including the
+ * zero-findings clean-review case). Never auto-`APPROVE`.
+ */
+export declare function mapVerdict(findings: BuilderFinding[]): ReviewVerdict;
+/**
+ * Build the posted-review body and compute its verdict.
+ */
+export declare function buildReviewBody(input: BuildInput): {
+    body: string;
+    verdict: ReviewVerdict;
+};
+//# sourceMappingURL=body-builder.d.ts.map

package/dist/review-remote/body-builder.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"body-builder.d.ts","sourceRoot":"","sources":["../../src/review-remote/body-builder.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAqB,KAAK,gBAAgB,EAAE,MAAM,iBAAiB,CAAC;AAE3E,MAAM,MAAM,aAAa,GAAG,iBAAiB,GAAG,SAAS,CAAC;AAE1D,MAAM,MAAM,eAAe,GAAG,UAAU,GAAG,WAAW,GAAG,QAAQ,GAAG,OAAO,CAAC;AAE5E,2EAA2E;AAC3E,MAAM,WAAW,cAAc;IAC7B,QAAQ,EAAE,eAAe,CAAC;CAC3B;AAED;;;;;;;;;;;GAWG;AACH,MAAM,WAAW,gBAAgB;IAC/B,0DAA0D;IAC1D,IAAI,EAAE,MAAM,CAAC;IACb,8EAA8E;IAC9E,IAAI,EAAE,MAAM,GAAG,IAAI,CAAC;IACpB,QAAQ,EAAE,eAAe,CAAC;IAC1B,gEAAgE;IAChE,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,2EAA2E;IAC3E,IAAI,EAAE,MAAM,CAAC;CACd;AAED,MAAM,WAAW,UAAU;IACzB,oDAAoD;IACpD,OAAO,EAAE,MAAM,CAAC;IAChB,gEAAgE;IAChE,KAAK,EAAE,MAAM,CAAC;IACd,sEAAsE;IACtE,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,kCAAkC;IAClC,UAAU,EAAE,gBAAgB,CAAC;IAC7B,2CAA2C;IAC3C,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,cAAc,EAAE,CAAC;IAC3B;;;;;;;;OAQG;IACH,iBAAiB,CAAC,EAAE,gBAAgB,EAAE,CAAC;IACvC,4EAA4E;IAC5E,oBAAoB,CAAC,EAAE,MAAM,EAAE,CAAC;CACjC;AAED;;;;GAIG;AACH,wBAAgB,UAAU,CAAC,QAAQ,EAAE,cAAc,EAAE,GAAG,aAAa,CAKpE;AAkED;;GAEG;AACH,wBAAgB,eAAe,CAAC,KAAK,EAAE,UAAU,GAAG;IAClD,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,aAAa,CAAC;CACxB,CAkCA"}