@sylphx/flow 2.10.0 → 2.11.0

package/CHANGELOG.md CHANGED
@@ -1,5 +1,11 @@
  # @sylphx/flow
 
+ ## 2.11.0 (2025-12-17)
+
+ ### ✨ Features
+
+ - **commands:** add tech stack and replace checklists with exploration questions ([0772b1d](https://github.com/SylphxAI/flow/commit/0772b1d788ddf2074729d04e67ef3d94b138de10))
+
  ## 2.10.0 (2025-12-17)
 
  Replace saas-* commands with 24 focused /review-* commands.
@@ -12,6 +12,12 @@ agent: coder
  * **Delegate to multiple workers** to research different aspects in parallel; you act as the **final gate** to synthesize and verify quality.
  * Deliverables must be stated as **findings, gaps, and actionable recommendations**.
  * **Single-pass delivery**: no deferrals; deliver a complete assessment.
+ * **Explore beyond the spec**: identify improvements for user safety and threat detection.
+
+ ## Tech Stack
+
+ * **Auth**: better-auth
+ * **Framework**: Next.js
 
  ## Review Scope
 
@@ -26,26 +32,17 @@ agent: coder
  * Key security event visibility (and export where applicable)
  * All server-enforced and auditable
 
- ### Security Event Management
-
- * Login attempts (success/failure) logged
- * Password changes logged
- * MFA enrollment/removal logged
- * Session creation/revocation logged
- * Suspicious activity detection
- * Security event notifications
-
  ### Recovery Governance
 
  * Account recovery flow secure
  * Support-assisted recovery with strict audit logging
  * Step-up verification for sensitive actions
 
- ## Verification Checklist
+ ## Key Areas to Explore
 
- - [ ] Session/device visibility exists
- - [ ] Session revocation works
- - [ ] MFA management available
- - [ ] Identity provider linking visible
- - [ ] Security events logged and visible
- - [ ] Recovery flow is secure and audited
+ * What visibility do users have into their active sessions and devices?
+ * How robust is the MFA implementation and enrollment flow?
+ * What security events are logged and how accessible are they to users?
+ * How does the account recovery flow prevent social engineering attacks?
+ * What step-up authentication exists for sensitive actions?
+ * How are compromised accounts detected and handled?
@@ -12,6 +12,13 @@ agent: coder
  * **Delegate to multiple workers** to research different aspects in parallel; you act as the **final gate** to synthesize and verify quality.
  * Deliverables must be stated as **findings, gaps, and actionable recommendations**.
  * **Single-pass delivery**: no deferrals; deliver a complete assessment.
+ * **Explore beyond the spec**: identify operational improvements and safety enhancements.
+
+ ## Tech Stack
+
+ * **Framework**: Next.js
+ * **API**: tRPC
+ * **Database**: Neon (Postgres)
 
  ## Review Scope
 
@@ -35,20 +42,17 @@ agent: coder
  ### Admin Analytics and Reporting (Mandatory)
 
  * Provide comprehensive dashboards/reports for business, growth, billing, referral, support, and security/abuse signals, governed by RBAC.
- * Reporting must be consistent with system-of-record truth and auditable when derived from privileged actions.
 
  ### Admin Operational Management (Mandatory)
 
  * Tools for user/account management, entitlements/access management, lifecycle actions, and issue resolution workflows.
- * Actions affecting access, money/credits, or security posture require appropriate step-up controls and must be fully auditable; reversibility must follow domain rules.
-
- ## Verification Checklist
-
- - [ ] RBAC implemented (least privilege)
- - [ ] Admin bootstrap secure (not file seeding)
- - [ ] Bootstrap disables after completion
- - [ ] Config management with history
- - [ ] Feature flags governed
- - [ ] Admin dashboards exist
- - [ ] Impersonation has safeguards
- - [ ] All admin actions audited
+ * Actions affecting access, money/credits, or security posture require appropriate step-up controls and must be fully auditable.
+
+ ## Key Areas to Explore
+
+ * How secure is the admin bootstrap process?
+ * What RBAC gaps exist that could lead to privilege escalation?
+ * How comprehensive is the audit logging for sensitive operations?
+ * What admin workflows are missing or painful?
+ * How does impersonation work and what safeguards exist?
+ * What visibility do admins have into system health and issues?
@@ -12,6 +12,12 @@ agent: coder
  * **Delegate to multiple workers** to research different aspects in parallel; you act as the **final gate** to synthesize and verify quality.
  * Deliverables must be stated as **findings, gaps, and actionable recommendations**.
  * **Single-pass delivery**: no deferrals; deliver a complete assessment.
+ * **Explore beyond the spec**: identify improvements for security, usability, and reliability.
+
+ ## Tech Stack
+
+ * **Auth**: better-auth
+ * **Framework**: Next.js
 
  ## Review Scope
 
@@ -27,21 +33,10 @@ agent: coder
  * **Email verification is mandatory** baseline for high-impact capabilities.
  * **Phone verification is optional** and used as risk-based step-up (anti-abuse, higher-trust flows, recovery); consent-aware and data-minimizing.
 
- ### Authentication Best Practices
-
- * Secure session management
- * Token rotation and expiry
- * Brute force protection
- * Account enumeration prevention
- * Secure password reset flow
- * Remember me functionality (secure)
-
- ## Verification Checklist
+ ## Key Areas to Explore
 
- - [ ] All SSO providers implemented
- - [ ] Missing provider secrets hide UI option
- - [ ] Multi-provider linking works safely
- - [ ] Passkeys (WebAuthn) supported
- - [ ] Email verification enforced
- - [ ] Phone verification optional/step-up
- - [ ] Session management secure
+ * How does the current auth implementation compare to best practices?
+ * What security vulnerabilities exist in the sign-in flows?
+ * How can the user experience be improved while maintaining security?
+ * What edge cases are not handled (account recovery, provider outages, etc.)?
+ * How does session management handle concurrent devices?
@@ -12,6 +12,12 @@ agent: coder
  * **Delegate to multiple workers** to research different aspects in parallel; you act as the **final gate** to synthesize and verify quality.
  * Deliverables must be stated as **findings, gaps, and actionable recommendations**.
  * **Single-pass delivery**: no deferrals; deliver a complete assessment.
+ * **Explore beyond the spec**: identify revenue leakage and billing reliability improvements.
+
+ ## Tech Stack
+
+ * **Payments**: Stripe
+ * **Workflows**: Upstash Workflows + QStash
 
  ## Review Scope
 
@@ -28,7 +34,7 @@ agent: coder
  * **Webhook trust is mandatory**: webhook origin must be verified (signature verification and replay resistance)
  * The Stripe **event id** must be used as the idempotency and audit correlation key
  * Unverifiable events must be rejected and must trigger alerting
- * **Out-of-order behavior must be explicit**: all webhook handlers must define and enforce a clear out-of-order strategy (event ordering is not guaranteed even for the same subscription)
+ * **Out-of-order behavior must be explicit**: all webhook handlers must define and enforce a clear out-of-order strategy
 
  ### State Machine
 
@@ -36,12 +42,11 @@ agent: coder
  * Handle: trial, past_due, unpaid, canceled, refund, dispute
  * UI only shows interpretable, non-ambiguous states
 
- ## Verification Checklist
+ ## Key Areas to Explore
 
- - [ ] Billing state machine defined
- - [ ] Webhook signature verification
- - [ ] Idempotent webhook handling (event id)
- - [ ] Out-of-order handling defined
- - [ ] All Stripe states mapped
- - [ ] UI reflects server-truth only
- - [ ] Refund/dispute handling works
+ * How robust is the webhook handling for all Stripe events?
+ * What happens when webhooks arrive out of order?
+ * How does the UI handle ambiguous billing states?
+ * What revenue leakage exists (failed renewals, dunning, etc.)?
+ * How are disputes and chargebacks handled end-to-end?
+ * What is the testing strategy for billing edge cases?
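
The webhook rules above (verify the signature, reject unverifiable events, key idempotency on the Stripe event id) translate into a handler along these lines. A minimal sketch using Stripe's Node SDK; `markProcessed` is a hypothetical store (e.g. a unique-keyed Postgres table) that returns false when the event id was already recorded:

```ts
import Stripe from "stripe";

const stripe = new Stripe(process.env.STRIPE_SECRET_KEY!);

// Hypothetical store keyed by event id; returns false on a duplicate.
declare function markProcessed(eventId: string): Promise<boolean>;

export async function handleStripeWebhook(rawBody: string, signature: string) {
  let event: Stripe.Event;
  try {
    // Signature verification: unverifiable events are rejected outright
    // (and should trigger alerting per the requirement above).
    event = stripe.webhooks.constructEvent(
      rawBody,
      signature,
      process.env.STRIPE_WEBHOOK_SECRET!,
    );
  } catch {
    throw new Error("unverifiable webhook");
  }

  // The event id is the idempotency and audit correlation key.
  if (!(await markProcessed(event.id))) return; // duplicate delivery: no-op

  // Dispatch on event.type; each handler must tolerate out-of-order arrival,
  // e.g. by comparing the event's created timestamp against stored state.
}
```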
@@ -12,6 +12,14 @@ agent: coder
  * **Delegate to multiple workers** to research different aspects in parallel; you act as the **final gate** to synthesize and verify quality.
  * Deliverables must be stated as **findings, gaps, and actionable recommendations**.
  * **Single-pass delivery**: no deferrals; deliver a complete assessment.
+ * **Explore beyond the spec**: identify maintainability issues and technical debt.
+
+ ## Tech Stack
+
+ * **Runtime**: Bun
+ * **Linting/Formatting**: Biome
+ * **Testing**: Bun test
+ * **Language**: TypeScript (strict)
 
  ## Review Scope
 
@@ -25,39 +33,12 @@ agent: coder
  * Precise naming; remove dead/unused code.
  * Upgrade all packages to latest stable; avoid deprecated patterns.
 
- ### Tooling Baseline
-
- * **Bun** for runtime
- * **Biome** for linting/formatting
- * **Bun test** for testing
- * Strict TypeScript
-
- ### CI Requirements
-
- * Biome lint/format passes
- * Strict TS typecheck passes
- * Unit + E2E tests pass
- * Build succeeds
-
- ### Code Quality Best Practices
-
- * Consistent code style
- * Meaningful variable/function names
- * Single responsibility principle
- * DRY (Don't Repeat Yourself)
- * SOLID principles
- * No circular dependencies
- * Reasonable file sizes
- * Clear module boundaries
-
- ## Verification Checklist
-
- - [ ] Biome lint passes
- - [ ] Biome format passes
- - [ ] TypeScript strict mode
- - [ ] No type errors
- - [ ] Tests exist and pass
- - [ ] Build succeeds
- - [ ] No TODOs/hacks
- - [ ] No dead code
- - [ ] Packages up to date
+ ## Key Areas to Explore
+
+ * What areas of the codebase have the most technical debt?
+ * Where are types weak or using `any` inappropriately?
+ * What test coverage gaps exist for critical paths?
+ * What code patterns are inconsistent across the codebase?
+ * What dependencies are outdated or have known vulnerabilities?
+ * Where do "god files" or overly complex modules exist?
+ * What naming inconsistencies make the code harder to understand?
@@ -12,6 +12,14 @@ agent: coder
  * **Delegate to multiple workers** to research different aspects in parallel; you act as the **final gate** to synthesize and verify quality.
  * Deliverables must be stated as **findings, gaps, and actionable recommendations**.
  * **Single-pass delivery**: no deferrals; deliver a complete assessment.
+ * **Explore beyond the spec**: identify improvements for consistency, reliability, and scalability.
+
+ ## Tech Stack
+
+ * **API**: tRPC
+ * **Framework**: Next.js
+ * **Database**: Neon (Postgres)
+ * **ORM**: Drizzle
 
  ## Review Scope
 
@@ -26,11 +34,10 @@ agent: coder
  * **Server-truth is authoritative**: UI state must never contradict server-truth. Where asynchronous confirmation exists, UI must represent that state unambiguously and remain explainable.
  * **Auditability chain is mandatory** for any high-value mutation: who/when/why, before/after state, and correlation to the triggering request/job/webhook must be recorded and queryable.
 
- ## Verification Checklist
+ ## Key Areas to Explore
 
- - [ ] Clear domain boundaries defined
- - [ ] Server enforcement for all authorization
- - [ ] Explicit consistency model documented
- - [ ] State machine for billing/entitlements exists
- - [ ] No dual-write violations
- - [ ] Auditability chain implemented
+ * How well are domain boundaries defined and enforced?
+ * Where does client-side trust leak into authorization decisions?
+ * What consistency guarantees exist and are they sufficient?
+ * How does the system handle eventual consistency edge cases?
+ * What would break if a webhook is processed out of order?
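
The auditability chain named above ("who/when/why, before/after state, and correlation") has a natural record shape. A sketch of what each high-value mutation might persist; the field names are illustrative, not the project's schema:

```ts
// Illustrative shape; written in the same transaction as the mutation itself
// so the audit record cannot be lost when the mutation commits.
type AuditRecord = {
  actorId: string;       // who performed the mutation
  occurredAt: string;    // when (ISO-8601 timestamp)
  reason: string;        // why, e.g. "support ticket" or "stripe webhook"
  entity: string;        // what was mutated, e.g. "subscription:sub_123"
  before: unknown;       // state prior to the mutation
  after: unknown;        // state after the mutation
  correlationId: string; // ties back to the triggering request/job/webhook
};
```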
@@ -12,6 +12,12 @@ agent: coder
  * **Delegate to multiple workers** to research different aspects in parallel; you act as the **final gate** to synthesize and verify quality.
  * Deliverables must be stated as **findings, gaps, and actionable recommendations**.
  * **Single-pass delivery**: no deferrals; deliver a complete assessment.
+ * **Explore beyond the spec**: identify improvements for performance, reliability, and maintainability.
+
+ ## Tech Stack
+
+ * **Database**: Neon (Postgres)
+ * **ORM**: Drizzle
 
  ## Review Scope
 
@@ -21,20 +27,11 @@ agent: coder
  * Deterministic, reproducible, environment-safe; linear/auditable history; no drift.
  * CI must fail if schema changes are not represented by migrations.
 
- ### Database Best Practices
-
- * Schema design follows normalization principles where appropriate
- * Indexes exist for commonly queried columns
- * Foreign key constraints are properly defined
- * No orphaned tables or columns
- * Proper use of data types (no stringly-typed data)
- * Timestamps use consistent timezone handling
-
- ## Verification Checklist
+ ## Key Areas to Explore
 
- - [ ] All migrations committed and complete
- - [ ] No schema drift detected
- - [ ] CI blocks on migration integrity
- - [ ] Indexes cover common queries
- - [ ] Foreign keys properly defined
- - [ ] Data types appropriate
+ * Is the schema well-designed for the domain requirements?
+ * Are there missing indexes that could improve query performance?
+ * How are database connections pooled and managed?
+ * What is the backup and disaster recovery strategy?
+ * Are there any N+1 query problems or inefficient access patterns?
+ * How does the schema handle soft deletes, auditing, and data lifecycle?
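
The N+1 question above is easiest to see in code. A sketch against Drizzle with the Neon serverless driver; the `users`/`posts` tables and `authorId` column are hypothetical:

```ts
import { neon } from "@neondatabase/serverless";
import { drizzle } from "drizzle-orm/neon-http";
import { eq, inArray } from "drizzle-orm";
import { users, posts } from "./schema"; // hypothetical tables

const db = drizzle(neon(process.env.DATABASE_URL!));

export async function loadFeed() {
  const allUsers = await db.select().from(users);

  // N+1 anti-pattern: one round trip per user.
  // for (const u of allUsers) {
  //   await db.select().from(posts).where(eq(posts.authorId, u.id));
  // }

  // Single batched query instead: one round trip for all authors.
  const ids = allUsers.map((u) => u.id);
  return db.select().from(posts).where(inArray(posts.authorId, ids));
}
```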
@@ -12,6 +12,14 @@ agent: coder
  * **Delegate to multiple workers** to research different aspects in parallel; you act as the **final gate** to synthesize and verify quality.
  * Deliverables must be stated as **findings, gaps, and actionable recommendations**.
  * **Single-pass delivery**: no deferrals; deliver a complete assessment.
+ * **Explore beyond the spec**: identify gaps in automated verification and release safety.
+
+ ## Tech Stack
+
+ * **CI**: GitHub Actions
+ * **Testing**: Bun test
+ * **Linting**: Biome
+ * **Platform**: Vercel
 
  ## Review Scope
 
@@ -19,34 +27,12 @@ agent: coder
 
  CI must block merges/deploys when failing:
 
- #### Code Quality Gates
- - [ ] Biome lint/format passes
- - [ ] Strict TS typecheck passes
- - [ ] Unit + E2E tests pass (Bun test)
- - [ ] Build succeeds
-
- #### Data Integrity Gates
- - [ ] Migration integrity checks pass
- - [ ] No schema drift
-
- #### i18n Gates
- - [ ] Missing translation keys fail build
- - [ ] `/en/*` returns 301 redirect
- - [ ] hreflang/x-default correct
- - [ ] Sitemap contains only true variants
-
- #### Performance Gates
- - [ ] Performance budget verification for key journeys
- - [ ] Core Web Vitals within thresholds
- - [ ] Release-blocking regression detection
-
- #### Security Gates
- - [ ] CSP/HSTS/security headers verified
- - [ ] CSRF protection tested
-
- #### Consent Gates
- - [ ] Analytics/marketing consent gating verified
- - [ ] Newsletter eligibility and firing rules tested
+ * Code Quality: Biome lint/format, strict TS typecheck, unit + E2E tests, build
+ * Data Integrity: Migration integrity checks, no schema drift
+ * i18n: Missing translation keys fail build, `/en/*` redirects, hreflang correct
+ * Performance: Budget verification, Core Web Vitals thresholds, regression detection
+ * Security: CSP/HSTS/headers verified, CSRF protection tested
+ * Consent: Analytics/marketing consent gating verified
 
  ### Automation Requirement
 
@@ -54,18 +40,18 @@ CI must block merges/deploys when failing:
 
  ### Configuration Gates
 
- * Build/startup must fail-fast when required configuration/secrets are missing or invalid for the target environment.
+ * Build/startup must fail-fast when required configuration/secrets are missing or invalid.
 
  ### Operability Gates
 
  * Observability and alerting configured for critical anomalies
- * Workflow dead-letter handling is operable, visible, and supports controlled replay
+ * Workflow dead-letter handling is operable and supports controlled replay
 
- ## Verification Checklist
+ ## Key Areas to Explore
 
- - [ ] All gates automated (no manual)
- - [ ] CI blocks on failures
- - [ ] Config fail-fast works
- - [ ] Operability gates met
- - [ ] No TODOs/hacks/workarounds
- - [ ] No dead/unused code
+ * What release gates are missing or insufficient?
+ * Where does manual verification substitute for automation?
+ * How fast is the CI pipeline and what slows it down?
+ * What flaky tests exist and how do they affect reliability?
+ * How does the deployment process handle rollbacks?
+ * What post-deployment verification exists?
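
The configuration gate above is commonly implemented by validating the environment at module load, so both builds and startup fail before serving traffic. A minimal sketch with zod; the variable names are examples only:

```ts
import { z } from "zod";

// Example schema: the variable names are illustrative.
const Env = z.object({
  DATABASE_URL: z.string().url(),
  STRIPE_SECRET_KEY: z.string().min(1),
  STRIPE_WEBHOOK_SECRET: z.string().min(1),
});

const parsed = Env.safeParse(process.env);
if (!parsed.success) {
  // Fail fast: refuse to build or boot with missing/invalid configuration.
  console.error("Invalid environment:", parsed.error.flatten().fieldErrors);
  process.exit(1);
}

export const env = parsed.data;
```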
@@ -12,6 +12,7 @@ agent: coder
  * **Delegate to multiple workers** to research different aspects in parallel; you act as the **final gate** to synthesize and verify quality.
  * Deliverables must be stated as **findings, gaps, and actionable recommendations**.
  * **Single-pass delivery**: no deferrals; deliver a complete assessment.
+ * **Explore beyond the spec**: this review IS the exploration—think broadly and creatively.
 
  ## Review Scope
 
@@ -21,29 +22,13 @@ agent: coder
  * **Pricing/monetization review**: packaging/entitlements, lifecycle semantics, legal/tax/invoice implications; propose conversion/churn improvements within constraints.
  * **Competitive research**: features, extensibility, guidance patterns, pricing/packaging norms; convert insights into testable acceptance criteria.
 
- ### Discovery Areas
+ ## Key Areas to Explore
 
  * What features are competitors offering that we lack?
- * What pricing models are common in the market?
- * What UX patterns are users expecting?
- * What integrations would add value?
- * What automation opportunities exist?
- * What self-service capabilities are missing?
-
- ### Analysis Framework
-
- * Market positioning
- * Feature gap analysis
- * Pricing benchmarking
- * User journey optimization
- * Technical debt opportunities
- * Scalability considerations
-
- ## Verification Checklist
-
- - [ ] Competitor analysis completed
- - [ ] Feature gaps identified
- - [ ] Pricing reviewed
- - [ ] UX patterns researched
- - [ ] Integration opportunities listed
- - [ ] Recommendations prioritized
+ * What pricing models are common in the market and how do we compare?
+ * What UX patterns are users expecting based on industry standards?
+ * What integrations would add significant value?
+ * What automation opportunities exist to reduce manual work?
+ * What self-service capabilities are users asking for?
+ * What technical capabilities could enable new business models?
+ * Where are the biggest gaps between current state and market expectations?
@@ -12,6 +12,12 @@ agent: coder
  * **Delegate to multiple workers** to research different aspects in parallel; you act as the **final gate** to synthesize and verify quality.
  * Deliverables must be stated as **findings, gaps, and actionable recommendations**.
  * **Single-pass delivery**: no deferrals; deliver a complete assessment.
+ * **Explore beyond the spec**: identify growth opportunities and conversion improvements.
+
+ ## Tech Stack
+
+ * **Analytics**: PostHog
+ * **Framework**: Next.js
 
  ## Review Scope
 
@@ -41,22 +47,11 @@ agent: coder
  * Monitored
  * Protected against regressions
 
- ### Growth Best Practices
-
- * Clear value proposition on landing
- * Frictionless signup
- * Time-to-value optimization
- * Activation milestones defined
- * Re-engagement campaigns
- * Churn prediction/prevention
- * NPS/satisfaction tracking
-
- ## Verification Checklist
-
- - [ ] Onboarding flow exists
- - [ ] Onboarding instrumented
- - [ ] Sharing mechanisms work
- - [ ] Sharing is consent-aware
- - [ ] Retention metrics tracked
- - [ ] Re-engagement exists
- - [ ] Growth metrics dashboarded
+ ## Key Areas to Explore
+
+ * What is the current activation rate and where do users drop off?
+ * How can time-to-value be reduced for new users?
+ * What viral mechanics exist and how effective are they?
+ * What retention patterns exist and what predicts churn?
+ * How does the product re-engage dormant users?
+ * What experiments could drive meaningful growth improvements?
@@ -12,6 +12,12 @@ agent: coder
  * **Delegate to multiple workers** to research different aspects in parallel; you act as the **final gate** to synthesize and verify quality.
  * Deliverables must be stated as **findings, gaps, and actionable recommendations**.
  * **Single-pass delivery**: no deferrals; deliver a complete assessment.
+ * **Explore beyond the spec**: identify improvements for coverage, quality, and user experience.
+
+ ## Tech Stack
+
+ * **i18n**: next-intl
+ * **Framework**: Next.js
 
  ## Review Scope
 
@@ -39,12 +45,10 @@ agent: coder
  * No indexable locale-prefixed duplicates unless primary content is truly localized; otherwise redirect to canonical.
  * Canonical/hreflang/sitemap must reflect only true localized variants.
 
- ## Verification Checklist
+ ## Key Areas to Explore
 
- - [ ] All locales supported
- - [ ] `/en/*` returns 301 redirect
- - [ ] Missing keys fail build
- - [ ] No hardcoded strings
- - [ ] Intl formatting used
- - [ ] UGC has single canonical URL
- - [ ] hreflang tags correct
+ * How complete and consistent are the translations across all locales?
+ * What user-facing strings are hardcoded and missing from localization?
+ * How does the routing handle edge cases (unknown locales, malformed URLs)?
+ * What is the translation workflow and how can it be improved?
+ * How does the system handle RTL languages if needed in the future?
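
The `/en/*` redirect invariant referenced throughout these commands fits naturally in Next.js middleware. A sketch, assuming English is the default (unprefixed) locale:

```ts
// middleware.ts
import { NextResponse, type NextRequest } from "next/server";

export function middleware(request: NextRequest) {
  const { pathname } = request.nextUrl;
  // /en and /en/* are duplicates of the canonical unprefixed URLs:
  // permanently redirect instead of serving indexable copies.
  if (pathname === "/en" || pathname.startsWith("/en/")) {
    const url = request.nextUrl.clone();
    url.pathname = pathname.replace(/^\/en/, "") || "/";
    return NextResponse.redirect(url, 301);
  }
  return NextResponse.next();
}

export const config = { matcher: ["/en", "/en/:path*"] };
```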
@@ -12,6 +12,13 @@ agent: coder
  * **Delegate to multiple workers** to research different aspects in parallel; you act as the **final gate** to synthesize and verify quality.
  * Deliverables must be stated as **findings, gaps, and actionable recommendations**.
  * **Single-pass delivery**: no deferrals; deliver a complete assessment.
+ * **Explore beyond the spec**: identify improvements for accuracy, auditability, and reconciliation.
+
+ ## Tech Stack
+
+ * **Payments**: Stripe
+ * **Database**: Neon (Postgres)
+ * **ORM**: Drizzle
 
  ## Review Scope
 
@@ -21,20 +28,11 @@ agent: coder
  * Deterministic precision (no floats), idempotent posting, concurrency safety, transactional integrity, and auditability are required.
  * Monetary flows must be currency-based and reconcilable with Stripe; credits (if used) must be governed as non-cash entitlements.
 
- ### Ledger Requirements
-
- * Append-only transaction log
- * Double-entry bookkeeping where applicable
- * Idempotent transaction posting (idempotency keys)
- * Concurrency-safe balance calculations
- * Audit trail for all mutations
- * Reconciliation with external systems (Stripe)
-
- ## Verification Checklist
+ ## Key Areas to Explore
 
- - [ ] Immutable ledger pattern used (not mutable balance)
- - [ ] No floating point for money
- - [ ] Idempotent posting implemented
- - [ ] Concurrency safety verified
- - [ ] Full audit trail exists
- - [ ] Reconciliation with Stripe possible
+ * Is there a balance/credits system and how is it implemented?
+ * If mutable balances exist, what are the risks and how to migrate to immutable ledger?
+ * How does the system handle concurrent transactions?
+ * What is the reconciliation process with Stripe?
+ * How are edge cases handled (refunds, disputes, partial payments)?
+ * What audit trail exists for financial mutations?
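
The precision and idempotency requirements above become concrete in the posting path: integer minor units, and a unique idempotency key that turns replays into no-ops. A sketch in plain SQL over a structural client type; the table and column names are illustrative:

```ts
// Minimal structural type so the sketch stands alone; in the real stack this
// would be the Drizzle/Neon client.
type Db = { query(sql: string, params: unknown[]): Promise<unknown> };

type LedgerEntry = {
  account: string;
  amountCents: bigint;    // integer minor units; never floats
  currency: string;       // e.g. "usd"
  idempotencyKey: string; // e.g. the Stripe event id
};

// Assumes an append-only ledger_entries table with a unique index on
// idempotency_key; ON CONFLICT DO NOTHING makes retries and replays no-ops.
export async function postEntry(db: Db, e: LedgerEntry) {
  await db.query(
    `INSERT INTO ledger_entries (account, amount_cents, currency, idempotency_key)
     VALUES ($1, $2, $3, $4)
     ON CONFLICT (idempotency_key) DO NOTHING`,
    [e.account, e.amountCents, e.currency, e.idempotencyKey],
  );
}
```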
@@ -12,6 +12,13 @@ agent: coder
  * **Delegate to multiple workers** to research different aspects in parallel; you act as the **final gate** to synthesize and verify quality.
  * Deliverables must be stated as **findings, gaps, and actionable recommendations**.
  * **Single-pass delivery**: no deferrals; deliver a complete assessment.
+ * **Explore beyond the spec**: identify blind spots and debugging improvements.
+
+ ## Tech Stack
+
+ * **Error Tracking**: Sentry
+ * **Analytics**: PostHog
+ * **Platform**: Vercel
 
  ## Review Scope
 
@@ -26,30 +33,11 @@ agent: coder
  * Abuse spikes
  * Drift detection
 
- ### Logging Best Practices
-
- * Structured JSON logs
- * Correlation ID in all logs
- * Request ID propagation
- * User context (anonymized where needed)
- * Error stack traces
- * Performance timing
- * No PII in logs
-
- ### Monitoring
-
- * Sentry for error tracking
- * PostHog for product analytics
- * Server metrics (latency, throughput, errors)
- * Database query performance
- * External service health
-
- ## Verification Checklist
-
- - [ ] Structured logging implemented
- - [ ] Correlation IDs propagate
- - [ ] Sentry configured
- - [ ] SLO/SLI defined
- - [ ] Alerts for critical failures
- - [ ] No PII in logs
- - [ ] Dashboards for key metrics
+ ## Key Areas to Explore
+
+ * How easy is it to debug a production issue end-to-end?
+ * What blind spots exist where errors go unnoticed?
+ * How effective are the current alerts (signal vs noise)?
+ * What SLOs/SLIs are defined and are they meaningful?
+ * How does log correlation work across async boundaries?
+ * What dashboards exist and do they answer the right questions?
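
The "log correlation across async boundaries" question above usually resolves to context propagation. A minimal Node sketch using AsyncLocalStorage so every log line carries the request's correlation id without threading it through call signatures:

```ts
import { AsyncLocalStorage } from "node:async_hooks";
import { randomUUID } from "node:crypto";

const requestContext = new AsyncLocalStorage<{ correlationId: string }>();

// Structured JSON log line; picks up the correlation id from ambient context.
export function log(
  level: "info" | "error",
  message: string,
  fields: Record<string, unknown> = {},
) {
  console.log(JSON.stringify({
    level,
    message,
    correlationId: requestContext.getStore()?.correlationId,
    time: new Date().toISOString(),
    ...fields,
  }));
}

// Wrap each request/job so all awaited work inherits the same id.
export function withCorrelation<T>(fn: () => Promise<T>): Promise<T> {
  return requestContext.run({ correlationId: randomUUID() }, fn);
}
```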
@@ -12,6 +12,13 @@ agent: coder
  * **Delegate to multiple workers** to research different aspects in parallel; you act as the **final gate** to synthesize and verify quality.
  * Deliverables must be stated as **findings, gaps, and actionable recommendations**.
  * **Single-pass delivery**: no deferrals; deliver a complete assessment.
+ * **Explore beyond the spec**: identify operational risks and reliability improvements.
+
+ ## Tech Stack
+
+ * **Workflows**: Upstash Workflows + QStash
+ * **Cache**: Upstash Redis
+ * **Platform**: Vercel
 
  ## Review Scope
 
@@ -21,7 +28,7 @@ agent: coder
  * Define controlled retries/backoff
  * **Dead-letter handling must exist and be observable and operable**
  * **Safe replay must be supported**
- * Side-effects (email/billing/ledger/entitlements) must be governed such that they are either proven effectively-once or safely re-entrant without duplicated economic/security consequences
+ * Side-effects (email/billing/ledger/entitlements) must be governed such that they are either proven effectively-once or safely re-entrant
 
  ### Drift Detection (Hard Requirement)
 
@@ -33,22 +40,11 @@ agent: coder
  * Define safe rollout posture with backward compatibility
  * Rollback expectations for billing/ledger/auth changes
 
- ### Operability Best Practices
-
- * Health check endpoints
- * Graceful shutdown
- * Circuit breakers for external services
- * Timeout configuration
- * Retry with exponential backoff
- * Bulk operation controls
- * Maintenance mode capability
-
- ## Verification Checklist
-
- - [ ] Async jobs idempotent
- - [ ] DLQ exists and observable
- - [ ] Safe replay supported
- - [ ] Drift detection implemented
- - [ ] Remediation playbooks exist
- - [ ] Rollback strategy defined
- - [ ] Health checks present
+ ## Key Areas to Explore
+
+ * How does the system handle job failures and retries?
+ * What happens to messages that fail permanently (DLQ)?
+ * How are operators notified of and able to resolve stuck workflows?
+ * What drift can occur between systems and how is it detected?
+ * How safe is the deployment process for critical paths?
+ * What runbooks exist for common operational issues?
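
The effectively-once requirement for side-effects can be enforced with a claim key, sketched here against Upstash Redis (`SET ... NX` claims the job id atomically); the key naming and TTL are illustrative:

```ts
import { Redis } from "@upstash/redis";

const redis = Redis.fromEnv();

// Run a side-effect at most once per job id. Replays return early; failures
// release the claim so the queue's retry/backoff can run the effect again.
export async function runOnce(jobId: string, effect: () => Promise<void>) {
  const claimed = await redis.set(`job:${jobId}:done`, "1", {
    nx: true,         // only set if the key does not already exist
    ex: 60 * 60 * 24, // keep the claim for a day (illustrative TTL)
  });
  if (claimed === null) return; // already claimed: replay is a no-op

  try {
    await effect();
  } catch (err) {
    await redis.del(`job:${jobId}:done`); // allow a retry to reclaim
    throw err;
  }
}
```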
@@ -12,6 +12,13 @@ agent: coder
  * **Delegate to multiple workers** to research different aspects in parallel; you act as the **final gate** to synthesize and verify quality.
  * Deliverables must be stated as **findings, gaps, and actionable recommendations**.
  * **Single-pass delivery**: no deferrals; deliver a complete assessment.
+ * **Explore beyond the spec**: identify bottlenecks and optimization opportunities.
+
+ ## Tech Stack
+
+ * **Framework**: Next.js (SSR/ISR/Static)
+ * **Platform**: Vercel
+ * **Tooling**: Bun
 
  ## Review Scope
 
@@ -23,34 +30,18 @@ agent: coder
  * Monitor Core Web Vitals and server latency
  * Alert on regressions
 
- ### Performance Budget Verification
-
- * **Performance budget verification** for key journeys (including Core Web Vitals-related thresholds) with release-blocking regression detection
-
- ### Core Web Vitals
+ ### Core Web Vitals Targets
 
  * LCP (Largest Contentful Paint) < 2.5s
  * FID (First Input Delay) < 100ms
  * CLS (Cumulative Layout Shift) < 0.1
  * INP (Interaction to Next Paint) < 200ms
 
- ### Performance Best Practices
-
- * Image optimization (WebP, lazy loading)
- * Code splitting
- * Tree shaking
- * Bundle size monitoring
- * Font optimization
- * Critical CSS
- * Preloading key resources
- * Server response time < 200ms
-
- ## Verification Checklist
-
- - [ ] Performance budgets defined
- - [ ] Core Web Vitals within targets
- - [ ] Regression detection active
- - [ ] Caching boundaries defined
- - [ ] Images optimized
- - [ ] Bundle size acceptable
- - [ ] No render-blocking resources
+ ## Key Areas to Explore
+
+ * What are the current Core Web Vitals scores and where do they fall short?
+ * Which pages or components are the biggest performance bottlenecks?
+ * How effective is the current caching strategy?
+ * What opportunities exist for code splitting and lazy loading?
+ * How does the bundle size compare to industry benchmarks?
+ * What database queries are slow and how can they be optimized?
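
Field measurement against the targets above is typically done with the `web-vitals` package, reporting from real sessions. A sketch; the `/api/vitals` endpoint is hypothetical:

```ts
import { onCLS, onINP, onLCP } from "web-vitals";

// Beacon each metric so the data survives page unload.
function report(metric: { name: string; value: number; id: string }) {
  navigator.sendBeacon("/api/vitals", JSON.stringify(metric));
}

onCLS(report);
onINP(report);
onLCP(report);
```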
@@ -12,6 +12,11 @@ agent: coder
  * **Delegate to multiple workers** to research different aspects in parallel; you act as the **final gate** to synthesize and verify quality.
  * Deliverables must be stated as **findings, gaps, and actionable recommendations**.
  * **Single-pass delivery**: no deferrals; deliver a complete assessment.
+ * **Explore beyond the spec**: identify monetization opportunities and pricing strategy improvements.
+
+ ## Tech Stack
+
+ * **Payments**: Stripe
 
  ## Review Scope
 
@@ -30,19 +35,11 @@ agent: coder
  * All actions must be governed by RBAC, step-up controls, and audit logs.
  * Stripe Dashboard is treated as monitoring/emergency access; non-admin Stripe changes must be detectable (drift), alertable, and remediable.
 
- ### Pricing Strategy
-
- * Clear tier differentiation
- * Feature gating by plan
- * Upgrade/downgrade paths defined
- * Proration handling
- * Trial-to-paid conversion flow
-
- ## Verification Checklist
+ ## Key Areas to Explore
 
- - [ ] Stripe is system-of-record
- - [ ] New prices don't mutate existing
- - [ ] Grandfathering policy implemented
- - [ ] Pricing admin exists with RBAC
- - [ ] Stripe Dashboard drift detectable
- - [ ] Upgrade/downgrade paths work
+ * How does the pricing model compare to competitors?
+ * What friction exists in the upgrade/downgrade paths?
+ * How is grandfathering implemented and communicated?
+ * What tools exist for pricing experimentation (A/B tests)?
+ * How are pricing changes rolled out safely?
+ * What analytics exist for pricing optimization decisions?
@@ -12,6 +12,14 @@ agent: coder
  * **Delegate to multiple workers** to research different aspects in parallel; you act as the **final gate** to synthesize and verify quality.
  * Deliverables must be stated as **findings, gaps, and actionable recommendations**.
  * **Single-pass delivery**: no deferrals; deliver a complete assessment.
+ * **Explore beyond the spec**: identify compliance gaps and privacy improvements.
+
+ ## Tech Stack
+
+ * **Analytics**: PostHog
+ * **Email**: Resend
+ * **Tag Management**: GTM (marketing only)
+ * **Observability**: Sentry
 
  ## Review Scope
 
@@ -32,19 +40,17 @@ agent: coder
  * Define deletion/deactivation semantics
  * Deletion propagation to third parties
  * Export where applicable
- * DR/backup posture aligned with retention
  * **Define data classification, retention periods, deletion propagation to third-party processors, and explicit exceptions** (legal/tax/anti-fraud)
- * Ensure external disclosures match behavior
 
  ### Behavioral Consistency
 
  * **Behavioral consistency is required**: policy and disclosures must match actual behavior across UI, data handling, logging/observability, analytics, support operations, and marketing tags; mismatches are release-blocking.
 
- ## Verification Checklist
+ ## Key Areas to Explore
 
- - [ ] Consent gates analytics/marketing
- - [ ] No tracking without consent
- - [ ] PII scrubbed from logs/Sentry/PostHog
- - [ ] Data deletion flow works
- - [ ] Deletion propagates to third parties
- - [ ] Privacy policy matches actual behavior
+ * Does the consent implementation actually block tracking before consent?
+ * Where does PII leak into logs, analytics, or error tracking?
+ * How does account deletion propagate to all third-party services?
+ * Does the privacy policy accurately reflect actual data practices?
+ * What data retention policies exist and are they enforced?
+ * How would the system handle a GDPR data subject access request?
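
The first question above ("does consent actually block tracking?") usually reduces to one configuration flag plus an explicit opt-in. A posthog-js sketch, assuming consent state is managed elsewhere in the app:

```ts
import posthog from "posthog-js";

// Start opted out: nothing is captured until the user grants consent.
posthog.init(process.env.NEXT_PUBLIC_POSTHOG_KEY!, {
  opt_out_capturing_by_default: true,
});

export function onConsentGranted() {
  posthog.opt_in_capturing(); // begin capturing only after explicit consent
}

export function onConsentRevoked() {
  posthog.opt_out_capturing();
}
```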
@@ -12,6 +12,12 @@ agent: coder
  * **Delegate to multiple workers** to research different aspects in parallel; you act as the **final gate** to synthesize and verify quality.
  * Deliverables must be stated as **findings, gaps, and actionable recommendations**.
  * **Single-pass delivery**: no deferrals; deliver a complete assessment.
+ * **Explore beyond the spec**: identify engagement opportunities and offline capabilities.
+
+ ## Tech Stack
+
+ * **Framework**: Next.js
+ * **Platform**: Vercel
 
  ## Review Scope
 
@@ -27,25 +33,11 @@ agent: coder
  * Authenticated and entitlement-sensitive routes must have explicit cache-control and SW rules
  * Must be validated by tests to prevent stale or unauthorized state exposure
 
- ### PWA Best Practices
-
- * Installable (meets PWA criteria)
- * Offline fallback page
- * App icons (all sizes)
- * Splash screen configured
- * Theme color defined
- * Start URL configured
- * Display mode appropriate
- * Cache versioning strategy
- * Cache invalidation on deploy
-
- ## Verification Checklist
-
- - [ ] Valid manifest.json
- - [ ] Service worker registered
- - [ ] SW doesn't cache auth content
- - [ ] Cache-control headers correct
- - [ ] Push notifications work (if applicable)
- - [ ] Installable on mobile
- - [ ] Offline fallback exists
- - [ ] Cache invalidation tested
+ ## Key Areas to Explore
+
+ * Does the PWA meet installation criteria on all platforms?
+ * What is the offline experience and how can it be improved?
+ * How does the service worker handle cache invalidation on deploys?
+ * What push notification capabilities exist and how are they used?
+ * Are there any caching bugs that expose stale or unauthorized content?
+ * How does the PWA experience compare to native app expectations?
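
The caching rule above (never serve authenticated content from the SW cache) comes down to the fetch handler. A service-worker sketch; the route prefixes are assumptions, not the app's actual paths:

```ts
// sw.ts (compiled with the "webworker" lib so FetchEvent is typed)
declare const self: ServiceWorkerGlobalScope;

self.addEventListener("fetch", (event) => {
  const url = new URL(event.request.url);

  // Never serve authenticated or entitlement-sensitive routes from cache.
  if (url.pathname.startsWith("/api/") || url.pathname.startsWith("/dashboard")) {
    event.respondWith(fetch(event.request));
    return;
  }

  // Everything else: cache-first with network fallback.
  event.respondWith(
    caches.match(event.request).then((cached) => cached ?? fetch(event.request)),
  );
});
```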
@@ -12,6 +12,12 @@ agent: coder
  * **Delegate to multiple workers** to research different aspects in parallel; you act as the **final gate** to synthesize and verify quality.
  * Deliverables must be stated as **findings, gaps, and actionable recommendations**.
  * **Single-pass delivery**: no deferrals; deliver a complete assessment.
+ * **Explore beyond the spec**: identify growth opportunities and fraud prevention improvements.
+
+ ## Tech Stack
+
+ * **Analytics**: PostHog
+ * **Database**: Neon (Postgres)
 
  ## Review Scope
 
@@ -34,21 +40,11 @@ agent: coder
  * Clawback conditions
  * Auditable manual review/appeal posture where applicable
 
- ### Referral Best Practices
-
- * Clear attribution window
- * Reward triggers well-defined
- * Double-sided rewards (referrer + referee)
- * Fraud detection signals
- * Admin visibility into referral chains
- * Automated clawback on refund/chargeback
-
- ## Verification Checklist
+ ## Key Areas to Explore
 
- - [ ] Attribution tracking works
- - [ ] Reward lifecycle defined
- - [ ] Velocity controls implemented
- - [ ] Device/account linkage checked
- - [ ] Clawback on fraud/refund
- - [ ] Admin can review referrals
- - [ ] Localized referral messaging
+ * How effective is the current referral program at driving growth?
+ * What fraud patterns have been observed and how are they mitigated?
+ * How does the attribution model handle edge cases (multiple touches, expired links)?
+ * What is the reward fulfillment process and where can it fail?
+ * How do users discover and share referral links?
+ * What analytics exist to measure referral program ROI?
@@ -12,6 +12,13 @@ agent: coder
  * **Delegate to multiple workers** to research different aspects in parallel; you act as the **final gate** to synthesize and verify quality.
  * Deliverables must be stated as **findings, gaps, and actionable recommendations**.
  * **Single-pass delivery**: no deferrals; deliver a complete assessment.
+ * **Explore beyond the spec**: identify vulnerabilities and hardening opportunities.
+
+ ## Tech Stack
+
+ * **Rate Limiting**: Upstash Redis
+ * **Framework**: Next.js
+ * **Platform**: Vercel
 
  ## Review Scope
 
@@ -31,23 +38,17 @@ agent: coder
  * Supply-chain hygiene
  * Measurable security
 
- ### Verification Requirements
-
- * **Security controls must be verifiable**: CSP/HSTS/security headers and CSRF (where applicable) must be covered by automated checks or security tests and included in release gates.
-
  ### Configuration and Secrets Governance
 
  * Required configuration must fail-fast at build/startup
  * Strict environment isolation (dev/stage/prod)
  * Rotation and incident remediation posture must be auditable and exercisable
 
- ## Verification Checklist
+ ## Key Areas to Explore
 
- - [ ] OWASP Top 10:2025 addressed
- - [ ] CSP headers configured
- - [ ] HSTS enabled
- - [ ] CSRF protection where needed
- - [ ] Rate limiting implemented
- - [ ] No plaintext passwords anywhere
- - [ ] MFA for admin roles
- - [ ] Security headers tested in CI
+ * What OWASP Top 10 vulnerabilities exist in the current implementation?
+ * How comprehensive are the security headers (CSP, HSTS, etc.)?
+ * Where is rate limiting missing or insufficient?
+ * How are secrets managed and what is the rotation strategy?
+ * What attack vectors exist for the authentication flows?
+ * How does the system detect and respond to security incidents?
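
For the rate-limiting question, the stack already names Upstash Redis, and the companion `@upstash/ratelimit` package is the usual shape. A sketch with an illustrative window of 10 requests per 10 seconds:

```ts
import { Ratelimit } from "@upstash/ratelimit";
import { Redis } from "@upstash/redis";

// Sliding window: at most 10 requests per 10 seconds per identifier.
const ratelimit = new Ratelimit({
  redis: Redis.fromEnv(),
  limiter: Ratelimit.slidingWindow(10, "10 s"),
});

// identifier is typically a user id or client IP; map failures to HTTP 429.
export async function enforceRateLimit(identifier: string) {
  const { success } = await ratelimit.limit(identifier);
  if (!success) throw new Error("rate_limited");
}
```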
@@ -12,6 +12,11 @@ agent: coder
  * **Delegate to multiple workers** to research different aspects in parallel; you act as the **final gate** to synthesize and verify quality.
  * Deliverables must be stated as **findings, gaps, and actionable recommendations**.
  * **Single-pass delivery**: no deferrals; deliver a complete assessment.
+ * **Explore beyond the spec**: identify improvements for discoverability and search rankings.
+
+ ## Tech Stack
+
+ * **Framework**: Next.js (SSR-first for indexable/discovery)
 
  ## Review Scope
 
@@ -36,25 +41,11 @@ agent: coder
  * UGC canonical redirects
  * Locale routing invariants
 
- ### SEO Best Practices
-
- * Unique titles per page
- * Meta descriptions present
- * Heading hierarchy (single H1)
- * Image alt text
- * Internal linking structure
- * Page speed optimization
- * Mobile-friendly
- * No duplicate content
-
- ## Verification Checklist
-
- - [ ] All pages have unique titles
- - [ ] Meta descriptions present
- - [ ] Open Graph tags complete
- - [ ] Canonical URLs correct
- - [ ] hreflang implemented
- - [ ] sitemap.xml exists and valid
- - [ ] robots.txt configured
- - [ ] schema.org markup present
- - [ ] SSR for indexable content
+ ## Key Areas to Explore
+
+ * How does the site perform in search engine results currently?
+ * What pages are missing proper metadata or structured data?
+ * How does the sitemap handle dynamic content and pagination?
+ * Are there duplicate content issues or canonicalization problems?
+ * What opportunities exist for featured snippets or rich results?
+ * How does page load performance affect SEO rankings?
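
Canonical URLs and hreflang alternates in the Next.js App Router are declared through the Metadata API. A sketch; the domain and locale list are placeholders, and only true localized variants should be declared, per the invariant above:

```ts
import type { Metadata } from "next";

// Placeholder URLs: declare only locales that are genuinely localized.
export const metadata: Metadata = {
  alternates: {
    canonical: "https://example.com/pricing",
    languages: {
      de: "https://example.com/de/pricing",
      fr: "https://example.com/fr/pricing",
    },
  },
};
```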
@@ -12,6 +12,12 @@ agent: coder
  * **Delegate to multiple workers** to research different aspects in parallel; you act as the **final gate** to synthesize and verify quality.
  * Deliverables must be stated as **findings, gaps, and actionable recommendations**.
  * **Single-pass delivery**: no deferrals; deliver a complete assessment.
+ * **Explore beyond the spec**: identify improvements for security, reliability, and cost efficiency.
+
+ ## Tech Stack
+
+ * **Storage**: Vercel Blob
+ * **Platform**: Vercel
 
  ## Review Scope
 
@@ -22,20 +28,11 @@ agent: coder
  * The server must validate the Blob URL/key ownership and namespace, and must match it against the originating upload intent (who/what/where/expiry/constraints) before attaching it to any resource.
  * The system must support safe retries and idempotent finalize; expired/abandoned intents must be cleanable and auditable.
 
- ### Storage Best Practices
-
- * No direct client-to-storage writes without server authorization
- * Upload size limits enforced server-side
- * File type validation (not just extension, actual content)
- * Malware scanning if applicable
- * Cleanup of orphaned/abandoned uploads
- * CDN caching strategy defined
-
- ## Verification Checklist
+ ## Key Areas to Explore
 
- - [ ] Intent-based upload flow implemented
- - [ ] Server-issued short-lived authorization
- - [ ] Server validates blob ownership before attach
- - [ ] Idempotent finalize endpoint
- - [ ] Abandoned uploads cleanable
- - [ ] File type/size validation server-side
+ * How are uploads currently implemented and do they follow intent-based pattern?
+ * What security vulnerabilities exist in the upload flow?
+ * How are abandoned/orphaned uploads handled?
+ * What is the cost implication of current storage patterns?
+ * How does the system handle large files and upload failures?
+ * What content validation (type, size, malware) exists?
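
The finalize step described above (validate intent ownership, namespace, and expiry before attaching a blob, idempotently) might look roughly like this. A sketch; the `UploadIntent` shape and field names are illustrative:

```ts
// Illustrative intent record, presumably persisted when the upload was authorized.
type UploadIntent = {
  id: string;
  userId: string;
  keyPrefix: string;   // namespace the client was authorized to write into
  expiresAt: number;   // epoch millis
  finalizedAt?: number;
};

export async function finalizeUpload(
  intent: UploadIntent,
  blobKey: string,
  callerUserId: string,
) {
  // Match the blob against the originating intent: who/where/expiry.
  if (intent.userId !== callerUserId) throw new Error("intent does not belong to caller");
  if (Date.now() > intent.expiresAt) throw new Error("intent expired");
  if (!blobKey.startsWith(intent.keyPrefix)) throw new Error("blob outside authorized namespace");

  // Idempotent finalize: a retried request is a no-op.
  if (intent.finalizedAt) return;
  intent.finalizedAt = Date.now();

  // ...attach blobKey to the target resource and write an audit record here.
}
```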
@@ -12,6 +12,12 @@ agent: coder
  * **Delegate to multiple workers** to research different aspects in parallel; you act as the **final gate** to synthesize and verify quality.
  * Deliverables must be stated as **findings, gaps, and actionable recommendations**.
  * **Single-pass delivery**: no deferrals; deliver a complete assessment.
+ * **Explore beyond the spec**: identify user satisfaction improvements and support efficiency gains.
+
+ ## Tech Stack
+
+ * **Email**: Resend
+ * **Framework**: Next.js
 
  ## Review Scope
 
@@ -27,29 +33,11 @@ agent: coder
  * Newsletter subscription/preferences must be consent-aware
  * Unsubscribe enforcement must be reliable
 
- ### Support Best Practices
-
- * Clear contact methods
- * Response time expectations
- * Help center / FAQ
- * Ticket tracking
- * Escalation paths
- * Support-assisted account recovery (with audit)
-
- ### Communications
-
- * Transactional emails (Resend)
- * Marketing emails (consent-gated)
- * In-app notifications
- * Push notifications (consent-gated)
- * Email templates localized
-
- ## Verification Checklist
+ ## Key Areas to Explore
 
- - [ ] Contact page discoverable
- - [ ] Contact page localized
- - [ ] WCAG AA compliant
- - [ ] Newsletter consent-aware
- - [ ] Unsubscribe works reliably
- - [ ] Transactional emails work
- - [ ] Support recovery audited
+ * How do users find help when they need it?
+ * What self-service support options exist (FAQ, help center)?
+ * How are support requests tracked and resolved?
+ * What is the email deliverability and engagement rate?
+ * How does the newsletter system handle bounces and complaints?
+ * What support tools do agents have for helping users?
@@ -12,6 +12,12 @@ agent: coder
  * **Delegate to multiple workers** to research different aspects in parallel; you act as the **final gate** to synthesize and verify quality.
  * Deliverables must be stated as **findings, gaps, and actionable recommendations**.
  * **Single-pass delivery**: no deferrals; deliver a complete assessment.
+ * **Explore beyond the spec**: identify usability improvements and design inconsistencies.
+
+ ## Tech Stack
+
+ * **Framework**: Next.js
+ * **Icons**: Iconify
 
  ## Review Scope
 
@@ -33,24 +39,11 @@ agent: coder
  * Localized and measurable
  * Governed by eligibility and frequency controls
 
- ### Design System Best Practices
-
- * Consistent spacing scale
- * Typography scale defined
- * Color tokens (semantic, not hardcoded)
- * Component library documented
- * Motion/animation guidelines
- * Error state patterns
- * Loading state patterns
- * Empty state patterns
-
- ## Verification Checklist
-
- - [ ] Design tokens used consistently
- - [ ] Dark/light theme works
- - [ ] WCAG AA verified
- - [ ] No CLS issues
- - [ ] Mobile-first responsive
- - [ ] No emoji in UI
- - [ ] Guidance present on key flows
- - [ ] Guidance is dismissible + re-entrable
+ ## Key Areas to Explore
+
+ * How consistent is the design system across the application?
+ * What accessibility issues exist and affect real users?
+ * Where do users get confused or drop off in key flows?
+ * How does the mobile experience compare to desktop?
+ * What guidance/onboarding is missing for complex features?
+ * How does the dark/light theme implementation handle edge cases?
package/package.json CHANGED
@@ -1,6 +1,6 @@
  {
  "name": "@sylphx/flow",
- "version": "2.10.0",
+ "version": "2.11.0",
  "description": "One CLI to rule them all. Unified orchestration layer for Claude Code, OpenCode, Cursor and all AI development tools. Auto-detection, auto-installation, auto-upgrade.",
  "type": "module",
  "bin": {