@sylphx/flow 2.8.0 → 2.10.0

package/assets/slash-commands/review-observability.md

@@ -0,0 +1,55 @@
+---
+name: review-observability
+description: Review observability - logs, Sentry, correlation IDs, alerting
+agent: coder
+---
+
+# Observability Review
+
+## Mandate
+
+* Perform a **deep, thorough review** of observability in this codebase.
+* **Delegate to multiple workers** to research different aspects in parallel; you act as the **final gate** to synthesize and verify quality.
+* Deliverables must be stated as **findings, gaps, and actionable recommendations**.
+* **Single-pass delivery**: no deferrals; deliver a complete assessment.
+
+## Review Scope
+
+### Observability and Alerting (Mandatory)
+
+* Structured logs and correlation IDs must exist end-to-end (request/job/webhook) with consistent traceability
+* Define critical-path SLO/SLI posture
+* Define actionable alerts for:
+  * Webhook failures
+  * Ledger/entitlement drift
+  * Authentication attacks
+  * Abuse spikes
+  * Drift detection
+
+### Logging Best Practices
+
+* Structured JSON logs
+* Correlation ID in all logs
+* Request ID propagation
+* User context (anonymized where needed)
+* Error stack traces
+* Performance timing
+* No PII in logs
+
+### Monitoring
+
+* Sentry for error tracking
+* PostHog for product analytics
+* Server metrics (latency, throughput, errors)
+* Database query performance
+* External service health
+
+## Verification Checklist
+
+- [ ] Structured logging implemented
+- [ ] Correlation IDs propagate
+- [ ] Sentry configured
+- [ ] SLO/SLI defined
+- [ ] Alerts for critical failures
+- [ ] No PII in logs
+- [ ] Dashboards for key metrics

package/assets/slash-commands/review-operability.md

@@ -0,0 +1,54 @@
+---
+name: review-operability
+description: Review operability - async workflows, DLQ, retries, drift detection
+agent: coder
+---
+
+# Operability Review
+
+## Mandate
+
+* Perform a **deep, thorough review** of operability in this codebase.
+* **Delegate to multiple workers** to research different aspects in parallel; you act as the **final gate** to synthesize and verify quality.
+* Deliverables must be stated as **findings, gaps, and actionable recommendations**.
+* **Single-pass delivery**: no deferrals; deliver a complete assessment.
+
+## Review Scope
+
+### Async/Workflows Governance (Hard Requirement)
+
+* Define idempotency and deduplication posture
+* Define controlled retries/backoff
+* **Dead-letter handling must exist and be observable and operable**
+* **Safe replay must be supported**
+* Side-effects (email/billing/ledger/entitlements) must be governed such that they are either proven effectively-once or safely re-entrant without duplicated economic/security consequences
+
+### Drift Detection (Hard Requirement)
+
+* Drift alerts must have a defined remediation playbook (automated fix or operator workflow)
+* Each remediation must be auditable and support post-incident traceability
+
+### Release Safety
+
+* Define safe rollout posture with backward compatibility
+* Rollback expectations for billing/ledger/auth changes
+
+### Operability Best Practices
+
+* Health check endpoints
+* Graceful shutdown
+* Circuit breakers for external services
+* Timeout configuration
+* Retry with exponential backoff
+* Bulk operation controls
+* Maintenance mode capability
+
+## Verification Checklist
+
+- [ ] Async jobs idempotent
+- [ ] DLQ exists and observable
+- [ ] Safe replay supported
+- [ ] Drift detection implemented
+- [ ] Remediation playbooks exist
+- [ ] Rollback strategy defined
+- [ ] Health checks present

package/assets/slash-commands/review-performance.md

@@ -0,0 +1,56 @@
+---
+name: review-performance
+description: Review performance - budgets, Core Web Vitals, caching
+agent: coder
+---
+
+# Performance Review
+
+## Mandate
+
+* Perform a **deep, thorough review** of performance in this codebase.
+* **Delegate to multiple workers** to research different aspects in parallel; you act as the **final gate** to synthesize and verify quality.
+* Deliverables must be stated as **findings, gaps, and actionable recommendations**.
+* **Single-pass delivery**: no deferrals; deliver a complete assessment.
+
+## Review Scope
+
+### Performance Requirements
+
+* Performance must be **measurable and regression-resistant**:
+  * Define and enforce performance budgets for key journeys
+  * Define caching boundaries and correctness requirements across SSR/ISR/static and service worker behavior
+  * Monitor Core Web Vitals and server latency
+  * Alert on regressions
+
+### Performance Budget Verification
+
+* **Performance budget verification** for key journeys (including Core Web Vitals-related thresholds) with release-blocking regression detection
+
+### Core Web Vitals
+
+* LCP (Largest Contentful Paint) < 2.5s
+* FID (First Input Delay) < 100ms
+* CLS (Cumulative Layout Shift) < 0.1
+* INP (Interaction to Next Paint) < 200ms
+
+### Performance Best Practices
+
+* Image optimization (WebP, lazy loading)
+* Code splitting
+* Tree shaking
+* Bundle size monitoring
+* Font optimization
+* Critical CSS
+* Preloading key resources
+* Server response time < 200ms
+
+## Verification Checklist
+
+- [ ] Performance budgets defined
+- [ ] Core Web Vitals within targets
+- [ ] Regression detection active
+- [ ] Caching boundaries defined
+- [ ] Images optimized
+- [ ] Bundle size acceptable
+- [ ] No render-blocking resources

package/assets/slash-commands/review-pricing.md

@@ -0,0 +1,48 @@
+---
+name: review-pricing
+description: Review pricing - pricing governance, grandfathering, migrations
+agent: coder
+---
+
+# Pricing Review
+
+## Mandate
+
+* Perform a **deep, thorough review** of pricing governance in this codebase.
+* **Delegate to multiple workers** to research different aspects in parallel; you act as the **final gate** to synthesize and verify quality.
+* Deliverables must be stated as **findings, gaps, and actionable recommendations**.
+* **Single-pass delivery**: no deferrals; deliver a complete assessment.
+
+## Review Scope
+
+### Stripe Pricing Governance (Stripe-first, not Dashboard-first)
+
+* Stripe is the system-of-record for products, prices, subscriptions, invoices, and disputes; internal systems must not contradict Stripe truth.
+* Pricing changes must be performed by creating new Stripe Prices and updating the "active sellable price" policy; historical prices must remain immutable for existing subscriptions unless an approved migration is executed.
+* Default pricing change policy is **grandfathering**: existing subscribers keep their current price; new customers use the currently active sellable price.
+
+### Pricing Admin Requirements
+
+* An operational-grade Pricing Admin must exist to manage:
+  * Creation of new Stripe Prices
+  * Activation/deactivation of sellable prices
+  * Controlled bulk subscription migrations (optional)
+* All actions must be governed by RBAC, step-up controls, and audit logs.
+* Stripe Dashboard is treated as monitoring/emergency access; non-admin Stripe changes must be detectable (drift), alertable, and remediable.
+
+### Pricing Strategy
+
+* Clear tier differentiation
+* Feature gating by plan
+* Upgrade/downgrade paths defined
+* Proration handling
+* Trial-to-paid conversion flow
+
+## Verification Checklist
+
+- [ ] Stripe is system-of-record
+- [ ] New prices don't mutate existing
+- [ ] Grandfathering policy implemented
+- [ ] Pricing admin exists with RBAC
+- [ ] Stripe Dashboard drift detectable
+- [ ] Upgrade/downgrade paths work

package/assets/slash-commands/review-privacy.md

@@ -0,0 +1,50 @@
+---
+name: review-privacy
+description: Review privacy - consent, PII handling, data lifecycle, GDPR
+agent: coder
+---
+
+# Privacy Review
+
+## Mandate
+
+* Perform a **deep, thorough review** of privacy controls in this codebase.
+* **Delegate to multiple workers** to research different aspects in parallel; you act as the **final gate** to synthesize and verify quality.
+* Deliverables must be stated as **findings, gaps, and actionable recommendations**.
+* **Single-pass delivery**: no deferrals; deliver a complete assessment.
+
+## Review Scope
+
+### Consent Governance (Release-Blocking)
+
+* Analytics (PostHog) and marketing/newsletter communications (Resend) must be governed by consent and user preferences.
+* Marketing tags (including GTM and Google Ads) must not load or fire without the appropriate consent.
+* Without consent, tracking and marketing sends must not occur, except for strictly necessary service communications.
+* Event schemas and attributes must follow data minimization, with explicit PII classification and handling rules.
+
+### PII and Sensitive Data Controls (Hard Requirement)
+
+* PII rules apply to logs, Sentry, PostHog, support tooling, email systems, and marketing tags/conversion payloads.
+* A consistent scrubbing/redaction standard must exist, and must be covered by automated tests to prevent leakage to third parties.
+
+### Data Lifecycle
+
+* Define deletion/deactivation semantics
+* Deletion propagation to third parties
+* Export where applicable
+* DR/backup posture aligned with retention
+* **Define data classification, retention periods, deletion propagation to third-party processors, and explicit exceptions** (legal/tax/anti-fraud)
+* Ensure external disclosures match behavior
+
+### Behavioral Consistency
+
+* **Behavioral consistency is required**: policy and disclosures must match actual behavior across UI, data handling, logging/observability, analytics, support operations, and marketing tags; mismatches are release-blocking.
+
+## Verification Checklist
+
+- [ ] Consent gates analytics/marketing
+- [ ] No tracking without consent
+- [ ] PII scrubbed from logs/Sentry/PostHog
+- [ ] Data deletion flow works
+- [ ] Deletion propagates to third parties
+- [ ] Privacy policy matches actual behavior

package/assets/slash-commands/review-pwa.md

@@ -0,0 +1,51 @@
+---
+name: review-pwa
+description: Review PWA - manifest, service worker, caching, push notifications
+agent: coder
+---
+
+# PWA Review
+
+## Mandate
+
+* Perform a **deep, thorough review** of PWA implementation in this codebase.
+* **Delegate to multiple workers** to research different aspects in parallel; you act as the **final gate** to synthesize and verify quality.
+* Deliverables must be stated as **findings, gaps, and actionable recommendations**.
+* **Single-pass delivery**: no deferrals; deliver a complete assessment.
+
+## Review Scope
+
+### PWA Requirements
+
+* Manifest file complete and valid
+* Service worker with explicit cache correctness
+* Push notifications using VAPID where applicable
+
+### Service Worker Caching Boundary (Mandatory)
+
+* Service worker must not cache personalized/sensitive/authorized content
+* Authenticated and entitlement-sensitive routes must have explicit cache-control and SW rules
+* Must be validated by tests to prevent stale or unauthorized state exposure
+
+### PWA Best Practices
+
+* Installable (meets PWA criteria)
+* Offline fallback page
+* App icons (all sizes)
+* Splash screen configured
+* Theme color defined
+* Start URL configured
+* Display mode appropriate
+* Cache versioning strategy
+* Cache invalidation on deploy
+
+## Verification Checklist
+
+- [ ] Valid manifest.json
+- [ ] Service worker registered
+- [ ] SW doesn't cache auth content
+- [ ] Cache-control headers correct
+- [ ] Push notifications work (if applicable)
+- [ ] Installable on mobile
+- [ ] Offline fallback exists
+- [ ] Cache invalidation tested

package/assets/slash-commands/review-referral.md

@@ -0,0 +1,54 @@
+---
+name: review-referral
+description: Review referral - attribution, anti-fraud, rewards, clawback
+agent: coder
+---
+
+# Referral Review
+
+## Mandate
+
+* Perform a **deep, thorough review** of the referral system in this codebase.
+* **Delegate to multiple workers** to research different aspects in parallel; you act as the **final gate** to synthesize and verify quality.
+* Deliverables must be stated as **findings, gaps, and actionable recommendations**.
+* **Single-pass delivery**: no deferrals; deliver a complete assessment.
+
+## Review Scope
+
+### Referral (Anti-Abuse Baseline Required)
+
+* Referral must be measurable, abuse-resistant, and governed:
+  * Attribution semantics
+  * Reward lifecycle governance (including revocation/clawbacks)
+  * Anti-fraud measures
+  * Admin reporting/audit
+  * Localized and instrumented
+
+### Referral Anti-Fraud Minimum Baseline (Mandatory)
+
+* Define a minimum set of risk signals and enforcement measures, including:
+  * Velocity controls
+  * Account/device linkage posture
+  * Risk-tiered enforcement
+  * Reward delay/hold/freeze
+  * Clawback conditions
+  * Auditable manual review/appeal posture where applicable
+
+### Referral Best Practices
+
+* Clear attribution window
+* Reward triggers well-defined
+* Double-sided rewards (referrer + referee)
+* Fraud detection signals
+* Admin visibility into referral chains
+* Automated clawback on refund/chargeback
+
+## Verification Checklist
+
+- [ ] Attribution tracking works
+- [ ] Reward lifecycle defined
+- [ ] Velocity controls implemented
+- [ ] Device/account linkage checked
+- [ ] Clawback on fraud/refund
+- [ ] Admin can review referrals
+- [ ] Localized referral messaging

package/assets/slash-commands/review-security.md

@@ -0,0 +1,53 @@
+---
+name: review-security
+description: Review security - OWASP, CSP/HSTS, CSRF, anti-bot, rate limiting
+agent: coder
+---
+
+# Security Review
+
+## Mandate
+
+* Perform a **deep, thorough review** of security controls in this codebase.
+* **Delegate to multiple workers** to research different aspects in parallel; you act as the **final gate** to synthesize and verify quality.
+* Deliverables must be stated as **findings, gaps, and actionable recommendations**.
+* **Single-pass delivery**: no deferrals; deliver a complete assessment.
+
+## Review Scope
+
+### Security Baseline
+
+* OWASP Top 10:2025 taxonomy; OWASP ASVS (L2/L3) verification baseline.
+* Password UX masked + temporary reveal; no plaintext passwords in logs/returns/storage/telemetry.
+* MFA for Admin/SUPER_ADMIN; step-up for high-risk.
+* Risk-based anti-bot for auth and high-cost endpoints; integrate rate limits + consent gating.
+
+### Baseline Controls
+
+* CSP/HSTS/headers
+* CSRF where applicable
+* Upstash-backed rate limiting
+* PII scrubbing
+* Supply-chain hygiene
+* Measurable security
+
+### Verification Requirements
+
+* **Security controls must be verifiable**: CSP/HSTS/security headers and CSRF (where applicable) must be covered by automated checks or security tests and included in release gates.
+
+### Configuration and Secrets Governance
+
+* Required configuration must fail-fast at build/startup
+* Strict environment isolation (dev/stage/prod)
+* Rotation and incident remediation posture must be auditable and exercisable
+
+## Verification Checklist
+
+- [ ] OWASP Top 10:2025 addressed
+- [ ] CSP headers configured
+- [ ] HSTS enabled
+- [ ] CSRF protection where needed
+- [ ] Rate limiting implemented
+- [ ] No plaintext passwords anywhere
+- [ ] MFA for admin roles
+- [ ] Security headers tested in CI

package/assets/slash-commands/review-seo.md

@@ -0,0 +1,60 @@
+---
+name: review-seo
+description: Review SEO - metadata, Open Graph, canonical, hreflang, sitemap
+agent: coder
+---
+
+# SEO Review
+
+## Mandate
+
+* Perform a **deep, thorough review** of SEO in this codebase.
+* **Delegate to multiple workers** to research different aspects in parallel; you act as the **final gate** to synthesize and verify quality.
+* Deliverables must be stated as **findings, gaps, and actionable recommendations**.
+* **Single-pass delivery**: no deferrals; deliver a complete assessment.
+
+## Review Scope
+
+### SEO Requirements
+
+* SEO-first + SSR-first for indexable/discovery
+* Required elements:
+  * Metadata (title, description)
+  * Open Graph tags
+  * Favicon (all sizes)
+  * Canonical URLs
+  * hreflang + x-default
+  * schema.org structured data
+  * sitemap.xml
+  * robots.txt
+
+### SEO/i18n/Canonicalization Verification
+
+* `/en/*` non-existence (must redirect)
+* hreflang/x-default correct
+* Sitemap containing only true variants
+* UGC canonical redirects
+* Locale routing invariants
+
+### SEO Best Practices
+
+* Unique titles per page
+* Meta descriptions present
+* Heading hierarchy (single H1)
+* Image alt text
+* Internal linking structure
+* Page speed optimization
+* Mobile-friendly
+* No duplicate content
+
+## Verification Checklist
+
+- [ ] All pages have unique titles
+- [ ] Meta descriptions present
+- [ ] Open Graph tags complete
+- [ ] Canonical URLs correct
+- [ ] hreflang implemented
+- [ ] sitemap.xml exists and valid
+- [ ] robots.txt configured
+- [ ] schema.org markup present
+- [ ] SSR for indexable content

package/assets/slash-commands/review-storage.md

@@ -0,0 +1,41 @@
+---
+name: review-storage
+description: Review storage - Vercel Blob upload governance, intent-based uploads
+agent: coder
+---
+
+# Storage Review
+
+## Mandate
+
+* Perform a **deep, thorough review** of file storage and uploads in this codebase.
+* **Delegate to multiple workers** to research different aspects in parallel; you act as the **final gate** to synthesize and verify quality.
+* Deliverables must be stated as **findings, gaps, and actionable recommendations**.
+* **Single-pass delivery**: no deferrals; deliver a complete assessment.
+
+## Review Scope
+
+### Vercel Blob Upload Governance (Hard Requirement)
+
+* All uploads must be **intent-based and server-verified**.
+* The client must upload to Vercel Blob first using short-lived, server-issued authorization (e.g., signed upload URL / token), then call a server finalize endpoint to persist the resulting Blob URL/key.
+* The server must validate the Blob URL/key ownership and namespace, and must match it against the originating upload intent (who/what/where/expiry/constraints) before attaching it to any resource.
+* The system must support safe retries and idempotent finalize; expired/abandoned intents must be cleanable and auditable.
+
+### Storage Best Practices
+
+* No direct client-to-storage writes without server authorization
+* Upload size limits enforced server-side
+* File type validation (not just extension, actual content)
+* Malware scanning if applicable
+* Cleanup of orphaned/abandoned uploads
+* CDN caching strategy defined
+
+## Verification Checklist
+
+- [ ] Intent-based upload flow implemented
+- [ ] Server-issued short-lived authorization
+- [ ] Server validates blob ownership before attach
+- [ ] Idempotent finalize endpoint
+- [ ] Abandoned uploads cleanable
+- [ ] File type/size validation server-side

package/assets/slash-commands/review-support.md

@@ -0,0 +1,55 @@
+---
+name: review-support
+description: Review support - contact, communications, newsletter
+agent: coder
+---
+
+# Support Review
+
+## Mandate
+
+* Perform a **deep, thorough review** of support and communications in this codebase.
+* **Delegate to multiple workers** to research different aspects in parallel; you act as the **final gate** to synthesize and verify quality.
+* Deliverables must be stated as **findings, gaps, and actionable recommendations**.
+* **Single-pass delivery**: no deferrals; deliver a complete assessment.
+
+## Review Scope
+
+### Support and Communications
+
+* Support/Contact surface must be:
+  * Discoverable
+  * Localized
+  * WCAG AA compliant
+  * SEO-complete
+  * Privacy-safe
+  * Auditable where relevant
+* Newsletter subscription/preferences must be consent-aware
+* Unsubscribe enforcement must be reliable
+
+### Support Best Practices
+
+* Clear contact methods
+* Response time expectations
+* Help center / FAQ
+* Ticket tracking
+* Escalation paths
+* Support-assisted account recovery (with audit)
+
+### Communications
+
+* Transactional emails (Resend)
+* Marketing emails (consent-gated)
+* In-app notifications
+* Push notifications (consent-gated)
+* Email templates localized
+
+## Verification Checklist
+
+- [ ] Contact page discoverable
+- [ ] Contact page localized
+- [ ] WCAG AA compliant
+- [ ] Newsletter consent-aware
+- [ ] Unsubscribe works reliably
+- [ ] Transactional emails work
+- [ ] Support recovery audited

package/assets/slash-commands/review-uiux.md

@@ -0,0 +1,56 @@
+---
+name: review-uiux
+description: Review UI/UX - design system, tokens, accessibility, guidance
+agent: coder
+---
+
+# UI/UX Review
+
+## Mandate
+
+* Perform a **deep, thorough review** of UI/UX in this codebase.
+* **Delegate to multiple workers** to research different aspects in parallel; you act as the **final gate** to synthesize and verify quality.
+* Deliverables must be stated as **findings, gaps, and actionable recommendations**.
+* **Single-pass delivery**: no deferrals; deliver a complete assessment.
+
+## Review Scope
+
+### UX, Design System, and Guidance
+
+* Design-system driven UI (tokens)
+* Dark/light theme support
+* WCAG AA compliance
+* CLS-safe (no layout shifts)
+* Responsive design (mobile-first, desktop-second)
+* Iconify for icons; no emoji in UI content
+
+### Guidance Requirements
+
+* Guidance is mandatory for all user-facing features and monetization flows:
+  * Discoverable
+  * Clear
+  * Dismissible with re-entry
+  * Localized and measurable
+  * Governed by eligibility and frequency controls
+
+### Design System Best Practices
+
+* Consistent spacing scale
+* Typography scale defined
+* Color tokens (semantic, not hardcoded)
+* Component library documented
+* Motion/animation guidelines
+* Error state patterns
+* Loading state patterns
+* Empty state patterns
+
+## Verification Checklist
+
+- [ ] Design tokens used consistently
+- [ ] Dark/light theme works
+- [ ] WCAG AA verified
+- [ ] No CLS issues
+- [ ] Mobile-first responsive
+- [ ] No emoji in UI
+- [ ] Guidance present on key flows
+- [ ] Guidance is dismissible + re-entrable

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@sylphx/flow",
-	"version": "2.8.0",
+	"version": "2.10.0",
 	"description": "One CLI to rule them all. Unified orchestration layer for Claude Code, OpenCode, Cursor and all AI development tools. Auto-detection, auto-installation, auto-upgrade.",
 	"type": "module",
 	"bin": {