@sylphx/flow 2.15.2 → 2.16.0

package/CHANGELOG.md

@@ -1,5 +1,24 @@
 # @sylphx/flow
 
+## 2.16.0 (2025-12-17)
+
+### ✨ Features
+
+- **commands:** add closed-loop to /continue ([dca7b76](https://github.com/SylphxAI/flow/commit/dca7b7612c65febef242549ad965289a189ce5e4))
+- **commands:** enhance /continue with role-based simulation ([ca3ebfe](https://github.com/SylphxAI/flow/commit/ca3ebfe06a73f3db722ff8f88c353202067e18f6))
+- **commands:** add /continue slash command for finishing incomplete work ([16c8aaf](https://github.com/SylphxAI/flow/commit/16c8aaf22337713c39395e4465d5bcdf1bfaafd9))
+
+### ♻️ Refactoring
+
+- **commands:** split review into mandate + guidelines ([16754bc](https://github.com/SylphxAI/flow/commit/16754bc7403d13dd329b2097c3c8f25e360a7c59))
+
+## 2.15.3 (2025-12-17)
+
+### ⚡️ Performance
+
+- **auto-upgrade:** simplify - no TTL, always background check ([5621a21](https://github.com/SylphxAI/flow/commit/5621a21ab2a3eeb54f3fecadd32c19269bd22312))
+- **auto-upgrade:** cache target current version too ([229a400](https://github.com/SylphxAI/flow/commit/229a4002bde6da3540c014eb39e8a941e072a4db))
+
 ## 2.15.2 (2025-12-17)
 
 ### ⚡️ Performance

package/assets/slash-commands/continue.md

@@ -0,0 +1,160 @@
+---
+name: continue
+description: Continue incomplete work - finish features, fix bugs, complete TODOs
+agent: coder
+---
+
+# Continue Incomplete Work
+
+Scan codebase for incomplete work. Prioritize. Finish.
+
+## Mandate
+
+* Perform a **deep, thorough scan** of incomplete work in this codebase.
+* **Delegate to multiple workers** to research different aspects in parallel; you act as the **final gate** to synthesize and verify quality.
+* **Research then Act**: understand full scope first, then **implement fixes directly**. Don't just report — finish.
+* **Single-pass delivery**: no deferrals; deliver complete implementation.
+* **Be thorough**: incomplete work hides in comments, stubs, error messages, and "temporary" solutions.
+
+## Discovery Approach
+
+### Phase 1: Code Analysis
+Scan for explicit incomplete markers:
+- `TODO`, `FIXME`, `XXX`, `HACK`, `BUG`, `@todo`
+- `NotImplementedError`, `throw new Error('not implemented')`
+- Stub implementations (hardcoded returns, empty catches, `pass`)
+- `test.skip`, `it.skip`, empty test files
+- Commented-out code, debug statements
+
+### Phase 2: Role-Based Simulation
+
+**👤 User Perspective** — Walk through every user-facing flow:
+- Onboarding: Can a new user complete setup without confusion?
+- Happy path: Does the core feature work end-to-end?
+- Error states: What happens when things go wrong? Are messages helpful?
+- Edge cases: Empty states, first-time use, account limits, expired sessions
+- Accessibility: Keyboard nav, screen readers, color contrast
+- Mobile/responsive: Does it work on all devices?
+
+**🔧 Developer Perspective** — Evaluate DX and maintainability:
+- Setup: Can someone clone and run in < 5 minutes?
+- Documentation: Are APIs documented? Examples provided?
+- Error messages: Do stack traces help identify root cause?
+- Debugging: Are there logs at appropriate levels?
+- Testing: Can tests run locally? Are mocks available?
+- Dependencies: Any outdated, deprecated, or vulnerable packages?
+
+**🛡️ Admin/Ops Perspective** — Consider operational readiness:
+- Monitoring: Can you tell if the system is healthy?
+- Logging: Is there enough info to debug production issues?
+- Configuration: Can settings be changed without code deploy?
+- Backup/Recovery: Can data be restored if something fails?
+- Security: Are admin actions audited? Permissions enforced?
+- Scaling: What happens under 10x load?
+
+### Phase 3: Scenario Simulation
+
+Run through these scenarios mentally or via code paths:
+
+| Scenario | Questions to Answer |
+|----------|---------------------|
+| New user signup | Every step works? Validation clear? Email sent? |
+| Returning user login | Session handling? Password reset works? |
+| Core action fails | Error shown? User knows what to do? Data preserved? |
+| Network offline | Graceful degradation? Retry logic? |
+| Concurrent users | Race conditions? Locks? Optimistic updates? |
+| Bad actor attempts | Input sanitized? Rate limited? Logged? |
+| Admin intervention | Can support help user? Audit trail exists? |
+
+## Execution Process
+
+1. **Parallel Discovery** (delegate to workers):
+   - Worker 1: Code markers & stubs (grep TODO, FIXME, placeholders)
+   - Worker 2: User journey simulation (trace main flows, find dead ends)
+   - Worker 3: Developer experience audit (setup, docs, error messages)
+   - Worker 4: Ops readiness check (logging, monitoring, config)
+   - Worker 5: Test coverage & edge cases (skipped tests, missing scenarios)
+
+2. **Synthesize & Prioritize**:
+   - Collect all findings
+   - Group by severity: Critical → High → Medium → Low
+   - Critical: Security issues, data loss risks, broken features
+   - High: User-facing bugs, incomplete core features
+   - Medium: Code quality, missing tests
+   - Low: Documentation, style issues
+
+3. **Implement Fixes**:
+   - Start with Critical items
+   - Complete each fix fully before moving on
+   - Run tests after each significant change
+   - Commit atomically per logical fix
+
+4. **Deep Dive with /review** (when needed):
+   If issues cluster in a specific domain, invoke `/review <domain>` for thorough analysis:
+
+   | Domain | When to Invoke |
+   |--------|----------------|
+   | `auth` | Auth flow issues, session bugs, SSO problems |
+   | `security` | Validation gaps, injection risks, secrets exposure |
+   | `billing` | Payment bugs, subscription issues, webhook failures |
+   | `performance` | Slow pages, bundle bloat, unnecessary re-renders |
+   | `database` | Schema issues, missing indexes, N+1 queries |
+   | `observability` | Missing logs, no alerts, debugging blind spots |
+   | `i18n` | Hardcoded strings, locale issues, RTL bugs |
+
+   Full domain list: auth, account-security, privacy, billing, pricing, ledger, security, trust-safety, uiux, seo, pwa, performance, i18n, database, data-architecture, storage, observability, operability, delivery, growth, referral, support, admin, discovery, code-quality
+
+5. **Loop: Re-invoke /continue**:
+   After completing fixes, **invoke `/continue` again** to:
+   - Verify fixes didn't introduce new issues
+   - Discover issues that were hidden by previous bugs
+   - Continue until no Critical/High items remain
+
+   **Exit condition**: No Critical or High severity items found.
+
+## Output Format
+
+### Discovery Summary
+```
+## Incomplete Work Found
+
+### Critical (X items)
+- [ ] File:line - Description
+
+### High (X items)
+- [ ] File:line - Description
+
+### Medium (X items)
+- [ ] File:line - Description
+
+### Low (X items)
+- [ ] File:line - Description
+```
+
+### Progress Updates
+```
+✓ Fixed: [description] (file:line)
+⚠ Blocked: [description] - needs [reason]
+→ Deep dive: invoking /review [domain]
+↻ Loop: re-invoking /continue
+```
+
+### Completion
+```
+## Continue Complete
+
+✓ X issues fixed
+⚠ X issues need manual intervention
+→ Invoked /review for: [domains]
+
+Next: [/continue again | no further action needed]
+```
+
+## Driving Questions
+
+1. **User**: What flows break or confuse real users? Where do they get stuck?
+2. **Developer**: What would frustrate someone onboarding to this codebase?
+3. **Admin/Ops**: What would make a 3am incident harder to debug?
+4. **Security**: What incomplete validation could be exploited?
+5. **Quality**: What "temporary" solutions became permanent debt?
+6. **Scale**: What works now but will break at 10x growth?

package/assets/slash-commands/{review-account-security.md → guideline-account-security.md}

@@ -1,18 +1,10 @@
 ---
-name: review-account-security
-description: Review account security - sessions, MFA, devices, security events
+name: guideline-account-security
+description: Guideline: account security - sessions, MFA, devices, security events
 agent: coder
 ---
 
-# Account Security Review
-
-## Mandate
-
-* Perform a **deep, thorough review** of account security in this codebase.
-* **Delegate to multiple workers** to research different aspects in parallel; you act as the **final gate** to synthesize and verify quality.
-* **Review then Act**: identify issues, then **implement fixes directly**. Don't just report — fix.
-* **Single-pass delivery**: no deferrals; deliver complete implementation.
-* **Explore beyond the spec**: identify threats users can't protect themselves from.
+# Account Security Guideline
 
 ## Tech Stack
 

package/assets/slash-commands/{review-admin.md → guideline-admin.md}

@@ -1,18 +1,10 @@
 ---
-name: review-admin
-description: Review admin - RBAC, bootstrap, audit, operational tools
+name: guideline-admin
+description: Guideline: admin - RBAC, bootstrap, audit, operational tools
 agent: coder
 ---
 
-# Admin Platform Review
-
-## Mandate
-
-* Perform a **deep, thorough review** of the admin platform in this codebase.
-* **Delegate to multiple workers** to research different aspects in parallel; you act as the **final gate** to synthesize and verify quality.
-* **Review then Act**: identify issues, then **implement fixes directly**. Don't just report — fix.
-* **Single-pass delivery**: no deferrals; deliver complete implementation.
-* **Explore beyond the spec**: identify operational gaps and safety improvements.
+# Admin Guideline
 
 ## Tech Stack
 

package/assets/slash-commands/{review-auth.md → guideline-auth.md}

@@ -1,18 +1,10 @@
 ---
-name: review-auth
-description: Review authentication - sign-in, SSO, passkeys, verification
+name: guideline-auth
+description: Guideline: authentication - sign-in, SSO, passkeys, verification
 agent: coder
 ---
 
-# Authentication Review
-
-## Mandate
-
-* Perform a **deep, thorough review** of authentication in this codebase.
-* **Delegate to multiple workers** to research different aspects in parallel; you act as the **final gate** to synthesize and verify quality.
-* **Review then Act**: identify issues, then **implement fixes directly**. Don't just report — fix.
-* **Single-pass delivery**: no deferrals; deliver complete implementation.
-* **Explore beyond the spec**: identify security gaps and UX friction in auth flows.
+# Auth Guideline
 
 ## Tech Stack
 

package/assets/slash-commands/{review-billing.md → guideline-billing.md}

@@ -1,18 +1,10 @@
 ---
-name: review-billing
-description: Review billing - Stripe integration, webhooks, subscription state
+name: guideline-billing
+description: Guideline: billing - Stripe integration, webhooks, subscription state
 agent: coder
 ---
 
-# Billing Review
-
-## Mandate
-
-* Perform a **deep, thorough review** of billing and payments in this codebase.
-* **Delegate to multiple workers** to research different aspects in parallel; you act as the **final gate** to synthesize and verify quality.
-* **Review then Act**: identify issues, then **implement fixes directly**. Don't just report — fix.
-* **Single-pass delivery**: no deferrals; deliver complete implementation.
-* **Explore beyond the spec**: identify revenue leakage and reliability improvements.
+# Billing Guideline
 
 ## Tech Stack
 

package/assets/slash-commands/{review-code-quality.md → guideline-code-quality.md}

@@ -1,18 +1,10 @@
 ---
-name: review-code-quality
-description: Review code quality - architecture, types, testing, maintainability
+name: guideline-code-quality
+description: Guideline: code quality - architecture, types, testing, maintainability
 agent: coder
 ---
 
-# Code Quality Review
-
-## Mandate
-
-* Perform a **deep, thorough review** of code quality in this codebase.
-* **Delegate to multiple workers** to research different aspects in parallel; you act as the **final gate** to synthesize and verify quality.
-* **Review then Act**: identify issues, then **implement fixes directly**. Don't just report — fix.
-* **Single-pass delivery**: no deferrals; deliver complete implementation.
-* **Explore beyond the spec**: identify code that works but shouldn't exist in its current form.
+# Code Quality Guideline
 
 ## Tech Stack
 

package/assets/slash-commands/{review-data-architecture.md → guideline-data-architecture.md}

@@ -1,18 +1,10 @@
 ---
-name: review-data-architecture
-description: Review data architecture - boundaries, consistency, state machines
+name: guideline-data-architecture
+description: Guideline: data architecture - boundaries, consistency, state machines
 agent: coder
 ---
 
-# Data Architecture Review
-
-## Mandate
-
-* Perform a **deep, thorough review** of data architecture in this codebase.
-* **Delegate to multiple workers** to research different aspects in parallel; you act as the **final gate** to synthesize and verify quality.
-* **Review then Act**: identify issues, then **implement fixes directly**. Don't just report — fix.
-* **Single-pass delivery**: no deferrals; deliver complete implementation.
-* **Explore beyond the spec**: identify architectural weaknesses that will cause problems at scale.
+# Data Architecture Guideline
 
 ## Tech Stack
 

package/assets/slash-commands/{review-database.md → guideline-database.md}

@@ -1,18 +1,10 @@
 ---
-name: review-database
-description: Review database - schema, migrations, performance, reliability
+name: guideline-database
+description: Guideline: database - schema, migrations, performance, reliability
 agent: coder
 ---
 
-# Database Review
-
-## Mandate
-
-* Perform a **deep, thorough review** of the database in this codebase.
-* **Delegate to multiple workers** to research different aspects in parallel; you act as the **final gate** to synthesize and verify quality.
-* **Review then Act**: identify issues, then **implement fixes directly**. Don't just report — fix.
-* **Single-pass delivery**: no deferrals; deliver complete implementation.
-* **Explore beyond the spec**: identify schema problems that will hurt at scale.
+# Database Guideline
 
 ## Tech Stack
 

package/assets/slash-commands/{review-delivery.md → guideline-delivery.md}

@@ -1,18 +1,10 @@
 ---
-name: review-delivery
-description: Review delivery - CI gates, automated verification, release safety
+name: guideline-delivery
+description: Guideline: delivery - CI gates, automated verification, release safety
 agent: coder
 ---
 
-# Delivery Review
-
-## Mandate
-
-* Perform a **deep, thorough review** of delivery gates in this codebase.
-* **Delegate to multiple workers** to research different aspects in parallel; you act as the **final gate** to synthesize and verify quality.
-* **Review then Act**: identify issues, then **implement fixes directly**. Don't just report — fix.
-* **Single-pass delivery**: no deferrals; deliver complete implementation.
-* **Explore beyond the spec**: identify what could go wrong in production that we're not catching.
+# Delivery Guideline
 
 ## Tech Stack
 

package/assets/slash-commands/{review-discovery.md → guideline-discovery.md}

@@ -1,18 +1,10 @@
 ---
-name: review-discovery
-description: Review discovery - competitive research, opportunities, market positioning
+name: guideline-discovery
+description: Guideline: discovery - competitive research, opportunities, market positioning
 agent: coder
 ---
 
-# Discovery Review
-
-## Mandate
-
-* Perform a **deep, thorough review** to discover opportunities for this product.
-* **Delegate to multiple workers** to research different aspects in parallel; you act as the **final gate** to synthesize and verify quality.
-* **Review then Act**: identify opportunities, then **implement improvements directly**. Don't just report — build.
-* **Single-pass delivery**: no deferrals; deliver complete implementation.
-* **This review IS exploration** — think broadly and creatively about what could be.
+# Discovery Guideline
 
 ## Tech Stack
 

package/assets/slash-commands/{review-growth.md → guideline-growth.md}

@@ -1,18 +1,10 @@
 ---
-name: review-growth
-description: Review growth - activation, retention, virality
+name: guideline-growth
+description: Guideline: growth - activation, retention, virality
 agent: coder
 ---
 
-# Growth Review
-
-## Mandate
-
-* Perform a **deep, thorough review** of growth systems in this codebase.
-* **Delegate to multiple workers** to research different aspects in parallel; you act as the **final gate** to synthesize and verify quality.
-* **Review then Act**: identify issues, then **implement fixes directly**. Don't just report — fix.
-* **Single-pass delivery**: no deferrals; deliver complete implementation.
-* **Explore beyond the spec**: identify growth opportunities that don't yet exist.
+# Growth Guideline
 
 ## Tech Stack
 

package/assets/slash-commands/{review-i18n.md → guideline-i18n.md}

@@ -1,18 +1,10 @@
 ---
-name: review-i18n
-description: Review i18n - localization, routing, translation quality
+name: guideline-i18n
+description: Guideline: i18n - localization, routing, translation quality
 agent: coder
 ---
 
-# Internationalization Review
-
-## Mandate
-
-* Perform a **deep, thorough review** of internationalization in this codebase.
-* **Delegate to multiple workers** to research different aspects in parallel; you act as the **final gate** to synthesize and verify quality.
-* **Review then Act**: identify issues, then **implement fixes directly**. Don't just report — fix.
-* **Single-pass delivery**: no deferrals; deliver complete implementation.
-* **Explore beyond the spec**: identify what would make the product feel native to each locale.
+# i18n Guideline
 
 ## Tech Stack
 

package/assets/slash-commands/{review-ledger.md → guideline-ledger.md}

@@ -1,18 +1,10 @@
 ---
-name: review-ledger
-description: Review ledger - balance systems, financial integrity, reconciliation
+name: guideline-ledger
+description: Guideline: ledger - balance systems, financial integrity, reconciliation
 agent: coder
 ---
 
-# Ledger Review
-
-## Mandate
-
-* Perform a **deep, thorough review** of any balance/credits/wallet system in this codebase.
-* **Delegate to multiple workers** to research different aspects in parallel; you act as the **final gate** to synthesize and verify quality.
-* **Review then Act**: identify issues, then **implement fixes directly**. Don't just report — fix.
-* **Single-pass delivery**: no deferrals; deliver complete implementation.
-* **Explore beyond the spec**: identify financial integrity risks before they become real problems.
+# Ledger Guideline
 
 ## Tech Stack
 

package/assets/slash-commands/{review-observability.md → guideline-observability.md}

@@ -1,18 +1,10 @@
 ---
-name: review-observability
-description: Review observability - logging, tracing, alerting, debugging
+name: guideline-observability
+description: Guideline: observability - logging, tracing, alerting, debugging
 agent: coder
 ---
 
-# Observability Review
-
-## Mandate
-
-* Perform a **deep, thorough review** of observability in this codebase.
-* **Delegate to multiple workers** to research different aspects in parallel; you act as the **final gate** to synthesize and verify quality.
-* **Review then Act**: identify issues, then **implement fixes directly**. Don't just report — fix.
-* **Single-pass delivery**: no deferrals; deliver complete implementation.
-* **Explore beyond the spec**: identify the production issues we can't debug today.
+# Observability Guideline
 
 ## Tech Stack
 

package/assets/slash-commands/{review-operability.md → guideline-operability.md}

@@ -1,18 +1,10 @@
 ---
-name: review-operability
-description: Review operability - workflows, retries, DLQ, incident response
+name: guideline-operability
+description: Guideline: operability - workflows, retries, DLQ, incident response
 agent: coder
 ---
 
-# Operability Review
-
-## Mandate
-
-* Perform a **deep, thorough review** of operability in this codebase.
-* **Delegate to multiple workers** to research different aspects in parallel; you act as the **final gate** to synthesize and verify quality.
-* **Review then Act**: identify issues, then **implement fixes directly**. Don't just report — fix.
-* **Single-pass delivery**: no deferrals; deliver complete implementation.
-* **Explore beyond the spec**: identify what will break at 3am and how we'd fix it.
+# Operability Guideline
 
 ## Tech Stack
 

package/assets/slash-commands/{review-performance.md → guideline-performance.md}

@@ -1,18 +1,10 @@
 ---
-name: review-performance
-description: Review performance - speed, Core Web Vitals, bottlenecks
+name: guideline-performance
+description: Guideline: performance - speed, Core Web Vitals, bottlenecks
 agent: coder
 ---
 
-# Performance Review
-
-## Mandate
-
-* Perform a **deep, thorough review** of performance in this codebase.
-* **Delegate to multiple workers** to research different aspects in parallel; you act as the **final gate** to synthesize and verify quality.
-* **Review then Act**: identify issues, then **implement fixes directly**. Don't just report — fix.
-* **Single-pass delivery**: no deferrals; deliver complete implementation.
-* **Explore beyond the spec**: identify what's making the product feel slow.
+# Performance Guideline
 
 ## Tech Stack
 

package/assets/slash-commands/{review-pricing.md → guideline-pricing.md}

@@ -1,18 +1,10 @@
 ---
-name: review-pricing
-description: Review pricing - strategy, packaging, monetization
+name: guideline-pricing
+description: Guideline: pricing - strategy, packaging, monetization
 agent: coder
 ---
 
-# Pricing Review
-
-## Mandate
-
-* Perform a **deep, thorough review** of pricing in this codebase.
-* **Delegate to multiple workers** to research different aspects in parallel; you act as the **final gate** to synthesize and verify quality.
-* **Review then Act**: identify issues, then **implement fixes directly**. Don't just report — fix.
-* **Single-pass delivery**: no deferrals; deliver complete implementation.
-* **Explore beyond the spec**: identify monetization opportunities and pricing friction.
+# Pricing Guideline
 
 ## Tech Stack
 

package/assets/slash-commands/{review-privacy.md → guideline-privacy.md}

@@ -1,18 +1,10 @@
 ---
-name: review-privacy
-description: Review privacy - consent, PII, data lifecycle, compliance
+name: guideline-privacy
+description: Guideline: privacy - consent, PII, data lifecycle, compliance
 agent: coder
 ---
 
-# Privacy Review
-
-## Mandate
-
-* Perform a **deep, thorough review** of privacy controls in this codebase.
-* **Delegate to multiple workers** to research different aspects in parallel; you act as the **final gate** to synthesize and verify quality.
-* **Review then Act**: identify issues, then **implement fixes directly**. Don't just report — fix.
-* **Single-pass delivery**: no deferrals; deliver complete implementation.
-* **Explore beyond the spec**: identify compliance gaps and privacy improvements.
+# Privacy Guideline
 
 ## Tech Stack
 

package/assets/slash-commands/{review-pwa.md → guideline-pwa.md}

@@ -1,18 +1,10 @@
 ---
-name: review-pwa
-description: Review PWA - offline experience, installation, engagement
+name: guideline-pwa
+description: Guideline: PWA - offline experience, installation, engagement
 agent: coder
 ---
 
-# PWA Review
-
-## Mandate
-
-* Perform a **deep, thorough review** of PWA implementation in this codebase.
-* **Delegate to multiple workers** to research different aspects in parallel; you act as the **final gate** to synthesize and verify quality.
-* **Review then Act**: identify issues, then **implement fixes directly**. Don't just report — fix.
-* **Single-pass delivery**: no deferrals; deliver complete implementation.
-* **Explore beyond the spec**: identify what would make the web experience feel native.
+# PWA Guideline
 
 ## Tech Stack
 

package/assets/slash-commands/{review-referral.md → guideline-referral.md}

@@ -1,18 +1,10 @@
 ---
-name: review-referral
-description: Review referral - attribution, rewards, fraud prevention
+name: guideline-referral
+description: Guideline: referral - attribution, rewards, fraud prevention
 agent: coder
 ---
 
-# Referral Review
-
-## Mandate
-
-* Perform a **deep, thorough review** of the referral system in this codebase.
-* **Delegate to multiple workers** to research different aspects in parallel; you act as the **final gate** to synthesize and verify quality.
-* **Review then Act**: identify issues, then **implement fixes directly**. Don't just report — fix.
-* **Single-pass delivery**: no deferrals; deliver complete implementation.
-* **Explore beyond the spec**: identify growth opportunities and fraud vectors.
+# Referral Guideline
 
 ## Tech Stack
 

package/assets/slash-commands/{review-security.md → guideline-security.md}

@@ -1,18 +1,10 @@
 ---
-name: review-security
-description: Review security - OWASP, headers, authentication, secrets
+name: guideline-security
+description: Guideline: security - OWASP, headers, authentication, secrets
 agent: coder
 ---
 
-# Security Review
-
-## Mandate
-
-* Perform a **deep, thorough review** of security in this codebase.
-* **Delegate to multiple workers** to research different aspects in parallel; you act as the **final gate** to synthesize and verify quality.
-* **Review then Act**: identify issues, then **implement fixes directly**. Don't just report — fix.
-* **Single-pass delivery**: no deferrals; deliver complete implementation.
-* **Explore beyond the spec**: identify vulnerabilities and hardening opportunities not listed here.
+# Security Guideline
 
 ## Tech Stack
 

package/assets/slash-commands/{review-seo.md → guideline-seo.md}

@@ -1,18 +1,10 @@
 ---
-name: review-seo
-description: Review SEO - discoverability, metadata, search rankings
+name: guideline-seo
+description: Guideline: SEO - discoverability, metadata, search rankings
 agent: coder
 ---
 
-# SEO Review
-
-## Mandate
-
-* Perform a **deep, thorough review** of SEO in this codebase.
-* **Delegate to multiple workers** to research different aspects in parallel; you act as the **final gate** to synthesize and verify quality.
-* **Review then Act**: identify issues, then **implement fixes directly**. Don't just report — fix.
-* **Single-pass delivery**: no deferrals; deliver complete implementation.
-* **Explore beyond the spec**: identify what would make this product dominate search results.
+# SEO Guideline
 
 ## Tech Stack
 

package/assets/slash-commands/{review-storage.md → guideline-storage.md}

@@ -1,18 +1,10 @@
 ---
-name: review-storage
-description: Review storage - uploads, file handling, security
+name: guideline-storage
+description: Guideline: storage - uploads, file handling, security
 agent: coder
 ---
 
-# Storage Review
-
-## Mandate
-
-* Perform a **deep, thorough review** of file storage and uploads in this codebase.
-* **Delegate to multiple workers** to research different aspects in parallel; you act as the **final gate** to synthesize and verify quality.
-* **Review then Act**: identify issues, then **implement fixes directly**. Don't just report — fix.
-* **Single-pass delivery**: no deferrals; deliver complete implementation.
-* **Explore beyond the spec**: identify security risks and cost optimization opportunities.
+# Storage Guideline
 
 ## Tech Stack
 

package/assets/slash-commands/{review-support.md → guideline-support.md}

@@ -1,18 +1,10 @@
 ---
-name: review-support
-description: Review support - help experience, communications, user satisfaction
+name: guideline-support
+description: Guideline: support - help experience, communications, user satisfaction
 agent: coder
 ---
 
-# Support Review
-
-## Mandate
-
-* Perform a **deep, thorough review** of support and communications in this codebase.
-* **Delegate to multiple workers** to research different aspects in parallel; you act as the **final gate** to synthesize and verify quality.
-* **Review then Act**: identify issues, then **implement fixes directly**. Don't just report — fix.
-* **Single-pass delivery**: no deferrals; deliver complete implementation.
-* **Explore beyond the spec**: identify what would make users feel genuinely supported.
+# Support Guideline
 
 ## Tech Stack
 

package/assets/slash-commands/{review-trust-safety.md → guideline-trust-safety.md}

@@ -1,18 +1,10 @@
 ---
-name: review-trust-safety
-description: Review trust & safety - abuse prevention, moderation, user protection
+name: guideline-trust-safety
+description: Guideline: trust & safety - abuse prevention, moderation, user protection
 agent: coder
 ---
 
-# Trust & Safety Review
-
-## Mandate
-
-* Perform a **deep, thorough review** of trust and safety in this codebase.
-* **Delegate to multiple workers** to research different aspects in parallel; you act as the **final gate** to synthesize and verify quality.
-* **Review then Act**: identify issues, then **implement fixes directly**. Don't just report — fix.
-* **Single-pass delivery**: no deferrals; deliver complete implementation.
-* **Explore beyond the spec**: identify abuse vectors before bad actors find them.
+# Trust Safety Guideline
 
 ## Tech Stack
 

package/assets/slash-commands/{review-uiux.md → guideline-uiux.md}

@@ -1,18 +1,10 @@
 ---
-name: review-uiux
-description: Review UI/UX - design system, accessibility, user experience
+name: guideline-uiux
+description: Guideline: UI/UX - design system, accessibility, user experience
 agent: coder
 ---
 
-# UI/UX Review
-
-## Mandate
-
-* Perform a **deep, thorough review** of UI/UX in this codebase.
-* **Delegate to multiple workers** to research different aspects in parallel; you act as the **final gate** to synthesize and verify quality.
-* **Review then Act**: identify issues, then **implement fixes directly**. Don't just report — fix.
-* **Single-pass delivery**: no deferrals; deliver complete implementation.
-* **Explore beyond the spec**: if the current design needs fundamental rethinking, propose it.
+# UI/UX Guideline
 
 ## Tech Stack
 

package/assets/slash-commands/review.md

@@ -0,0 +1,94 @@
+---
+name: review
+description: Review codebase by domain - usage: /review auth, /review billing, etc.
+agent: coder
+args:
+  - name: domain
+    description: Domain to review (auth, billing, security, etc.)
+    required: true
+---
+
+# Review: $ARGS
+
+Perform a focused review of the specified domain(s) in this codebase.
+
+## Mandate
+
+* **Delegate to multiple workers** to research different aspects in parallel; you act as the **final gate** to synthesize and verify quality.
+* **Deep, thorough analysis**: don't skim — understand root causes and systemic patterns.
+* **Review then Act**: identify issues, then **implement fixes directly**. Don't just report — fix.
+* **Single-pass delivery**: no deferrals; deliver complete implementation.
+* **Explore beyond the spec**: identify gaps, inefficiencies, and opportunities the checklist doesn't cover.
+
+## Guidelines Reference
+
+Based on the domain(s) requested, read the relevant guideline(s) below. You may read multiple guidelines in parallel if the review spans multiple domains.
+
+| Domain | Guideline | Description |
+|--------|-----------|-------------|
+| **Identity & Auth** |||
+| `auth` | `/guideline-auth` | Sign-in, SSO, passkeys, verification |
+| `account-security` | `/guideline-account-security` | MFA, session management, account recovery |
+| `privacy` | `/guideline-privacy` | Data handling, consent, GDPR/CCPA |
+| **Billing & Revenue** |||
+| `billing` | `/guideline-billing` | Stripe integration, webhooks, subscriptions |
+| `pricing` | `/guideline-pricing` | Pricing models, tiers, feature gating |
+| `ledger` | `/guideline-ledger` | Transaction records, audit trails, reconciliation |
+| **Security** |||
+| `security` | `/guideline-security` | OWASP, input validation, secrets management |
+| `trust-safety` | `/guideline-trust-safety` | Abuse prevention, rate limiting, fraud |
+| **Frontend & UX** |||
+| `uiux` | `/guideline-uiux` | Design system, accessibility, interactions |
+| `seo` | `/guideline-seo` | Meta tags, structured data, crawlability |
+| `pwa` | `/guideline-pwa` | Service workers, offline, installability |
+| `performance` | `/guideline-performance` | Core Web Vitals, bundle size, caching |
+| `i18n` | `/guideline-i18n` | Localization, routing, hreflang |
+| **Data** |||
+| `database` | `/guideline-database` | Schema design, indexes, migrations |
+| `data-architecture` | `/guideline-data-architecture` | Data models, relationships, integrity |
+| `storage` | `/guideline-storage` | File uploads, CDN, blob storage |
+| **Operations** |||
+| `observability` | `/guideline-observability` | Logging, metrics, tracing, alerts |
+| `operability` | `/guideline-operability` | Deployment, rollback, feature flags |
+| `delivery` | `/guideline-delivery` | CI/CD, testing, release process |
+| **Growth & Support** |||
+| `growth` | `/guideline-growth` | Onboarding, activation, retention |
+| `referral` | `/guideline-referral` | Referral programs, viral loops |
+| `support` | `/guideline-support` | Help systems, tickets, documentation |
+| **Admin & Discovery** |||
+| `admin` | `/guideline-admin` | Admin panel, RBAC, config management |
+| `discovery` | `/guideline-discovery` | Feature discovery, competitive analysis |
+| **Code Quality** |||
+| `code-quality` | `/guideline-code-quality` | Patterns, testing, maintainability |
+
+## Execution
+
+1. Parse the `$ARGS` to identify which domain(s) to review
+2. Read the corresponding guideline file(s) — **read in parallel** if multiple domains
+3. Use the guideline's Tech Stack, Non-Negotiables, Context, and Driving Questions to guide your review
+4. Delegate workers to investigate different aspects simultaneously
+5. Synthesize findings and implement fixes
+
+## Multi-Domain Reviews
+
+You can review multiple domains at once:
+- `/review auth security` — Review both auth and security
+- `/review billing pricing ledger` — Full revenue stack review
+- `/review performance seo pwa` — Frontend optimization review
+
+When reviewing multiple domains, look for **cross-cutting concerns** and **gaps between domains**.
+
+## Output Format
+
+```
+## Review: [domain(s)]
+
+### Critical Issues
+- [ ] Issue description → Fix implemented
+
+### Improvements Made
+- ✓ What was fixed/improved
+
+### Recommendations
+- Future considerations (if can't fix now)
+```

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@sylphx/flow",
-	"version": "2.15.2",
+	"version": "2.16.0",
 	"description": "One CLI to rule them all. Unified orchestration layer for Claude Code, OpenCode, Cursor and all AI development tools. Auto-detection, auto-installation, auto-upgrade.",
 	"type": "module",
 	"bin": {

package/src/services/auto-upgrade.ts

@@ -19,14 +19,13 @@ import { TargetInstaller } from './target-installer.js';
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = path.dirname(__filename);
 
-// Cache file for version checks (24 hour TTL)
-const CACHE_FILE = path.join(os.homedir(), '.sylphx-flow', 'version-cache.json');
-const CACHE_TTL_MS = 24 * 60 * 60 * 1000; // 24 hours
+// Version info file (stores last background check result)
+const VERSION_FILE = path.join(os.homedir(), '.sylphx-flow', 'versions.json');
 
-interface VersionCache {
+interface VersionInfo {
   flowLatest?: string;
   targetLatest?: Record<string, string>;
-  checkedAt: number;
+  targetCurrent?: Record<string, string>;
 }
 
 const execAsync = promisify(exec);
@@ -56,14 +55,14 @@ export class AutoUpgrade {
   }
 
   /**
-   * Read version cache (instant, no network)
+   * Read version info from last background check
    */
-  private async readCache(): Promise<VersionCache | null> {
+  private async readVersionInfo(): Promise<VersionInfo | null> {
     try {
-      if (!existsSync(CACHE_FILE)) {
+      if (!existsSync(VERSION_FILE)) {
         return null;
       }
-      const data = await fs.readFile(CACHE_FILE, 'utf-8');
+      const data = await fs.readFile(VERSION_FILE, 'utf-8');
       return JSON.parse(data);
     } catch {
       return null;
@@ -71,13 +70,13 @@ export class AutoUpgrade {
   }
 
   /**
-   * Write version cache
+   * Write version info
    */
-  private async writeCache(cache: VersionCache): Promise<void> {
+  private async writeVersionInfo(info: VersionInfo): Promise<void> {
     try {
-      const dir = path.dirname(CACHE_FILE);
+      const dir = path.dirname(VERSION_FILE);
       await fs.mkdir(dir, { recursive: true });
-      await fs.writeFile(CACHE_FILE, JSON.stringify(cache, null, 2));
+      await fs.writeFile(VERSION_FILE, JSON.stringify(info, null, 2));
     } catch {
       // Silent fail
     }
@@ -97,18 +96,18 @@ export class AutoUpgrade {
   }
 
   /**
-   * Check for available upgrades using CACHE (instant, no network)
-   * Returns cached results from previous background check
+   * Check for available upgrades (instant, reads from last background check)
+   * Background check runs every time for fresh data next run
    */
   async checkForUpgrades(targetId?: string): Promise<UpgradeStatus> {
-    const cache = await this.readCache();
+    const info = await this.readVersionInfo();
     const currentVersion = await this.getCurrentFlowVersion();
 
-    // Trigger background check for next run (non-blocking)
+    // Trigger background check for next run (non-blocking, every time)
     this.checkInBackground(targetId);
 
-    // No cache or expired = no upgrade info yet
-    if (!cache) {
+    // No previous check = no upgrade info yet
+    if (!info) {
       return {
         flowNeedsUpgrade: false,
         targetNeedsUpgrade: false,
@@ -117,26 +116,19 @@ export class AutoUpgrade {
       };
     }
 
-    // Check if Flow needs upgrade based on cache
+    // Check if Flow needs upgrade
     const flowVersion =
-      cache.flowLatest && cache.flowLatest !== currentVersion
-        ? { current: currentVersion, latest: cache.flowLatest }
+      info.flowLatest && info.flowLatest !== currentVersion
+        ? { current: currentVersion, latest: info.flowLatest }
         : null;
 
-    // Check if target needs upgrade based on cache
+    // Check if target needs upgrade
     let targetVersion: { current: string; latest: string } | null = null;
-    if (targetId && cache.targetLatest?.[targetId]) {
-      const installation = this.targetInstaller.getInstallationInfo(targetId);
-      if (installation) {
-        try {
-          const { stdout } = await execAsync(installation.checkCommand);
-          const match = stdout.match(/v?(\d+\.\d+\.\d+)/);
-          if (match && match[1] !== cache.targetLatest[targetId]) {
-            targetVersion = { current: match[1], latest: cache.targetLatest[targetId] };
-          }
-        } catch {
-          // Silent
-        }
+    if (targetId && info.targetLatest?.[targetId] && info.targetCurrent?.[targetId]) {
+      const current = info.targetCurrent[targetId];
+      const latest = info.targetLatest[targetId];
+      if (current !== latest) {
+        targetVersion = { current, latest };
       }
     }
 
@@ -150,7 +142,7 @@ export class AutoUpgrade {
 
   /**
    * Check versions in background (non-blocking)
-   * Updates cache for next run
+   * Runs every time, updates info for next run
    */
   private checkInBackground(targetId?: string): void {
     // Fire and forget - don't await
@@ -163,44 +155,52 @@ export class AutoUpgrade {
    * Perform the actual version check (called in background)
    */
   private async performBackgroundCheck(targetId?: string): Promise<void> {
-    const cache = await this.readCache();
+    const oldInfo = await this.readVersionInfo();
 
-    // Skip if checked recently (within TTL)
-    if (cache && Date.now() - cache.checkedAt < CACHE_TTL_MS) {
-      return;
-    }
-
-    const newCache: VersionCache = {
-      checkedAt: Date.now(),
-      targetLatest: cache?.targetLatest || {},
+    const newInfo: VersionInfo = {
+      targetLatest: oldInfo?.targetLatest || {},
+      targetCurrent: oldInfo?.targetCurrent || {},
     };
 
     // Check Flow version from npm (with timeout)
     try {
       const { stdout } = await execAsync('npm view @sylphx/flow version', { timeout: 5000 });
-      newCache.flowLatest = stdout.trim();
+      newInfo.flowLatest = stdout.trim();
     } catch {
-      // Keep old cache value if check fails
-      newCache.flowLatest = cache?.flowLatest;
+      // Keep old value if check fails
+      newInfo.flowLatest = oldInfo?.flowLatest;
     }
 
-    // Check target version from npm (with timeout)
+    // Check target version from npm and local (with timeout)
     if (targetId) {
       const installation = this.targetInstaller.getInstallationInfo(targetId);
       if (installation) {
+        // Check latest version from npm
         try {
           const { stdout } = await execAsync(`npm view ${installation.package} version`, {
             timeout: 5000,
           });
-          newCache.targetLatest = newCache.targetLatest || {};
-          newCache.targetLatest[targetId] = stdout.trim();
+          newInfo.targetLatest = newInfo.targetLatest || {};
+          newInfo.targetLatest[targetId] = stdout.trim();
+        } catch {
+          // Keep old value
+        }
+
+        // Check current installed version (local command)
+        try {
+          const { stdout } = await execAsync(installation.checkCommand, { timeout: 5000 });
+          const match = stdout.match(/v?(\d+\.\d+\.\d+)/);
+          if (match) {
+            newInfo.targetCurrent = newInfo.targetCurrent || {};
+            newInfo.targetCurrent[targetId] = match[1];
+          }
         } catch {
-          // Keep old cache value
+          // Keep old value
         }
       }
     }
 
-    await this.writeCache(newCache);
+    await this.writeVersionInfo(newInfo);
   }
 
   /**