@syntesseraai/opencode-feature-factory 0.6.8 → 0.6.10

package/{commands/pipeline/documentation/run-codex.md → command/pipeline/documentation/document.md}

@@ -1,15 +1,13 @@
 ---
-description: Codex documentation implementation pass
+description: Documentation write/update pass
 subtask: true
-agent: ff-building-codex
-model: openai/gpt-5.3-codex
+agent: documenting
 ---
 
 Document the approved code changes and update repository documentation.
 
 Before writing docs, load these skills:
 
-- `ff-context-tracking`
 - `ff-todo-management`
 - `ff-mini-plan`
 
@@ -17,7 +15,7 @@ Requirements:
 
 1. Use the latest approved review outputs and implementation artifacts as source of truth.
 2. Update all affected docs so behavior and operational steps match shipped code.
-3. If this is a rework iteration, incorporate Gemini feedback from the previous documentation review.
+3. If this is a rework iteration, incorporate documentation reviewer feedback from the previous documentation review.
 4. Summarize what docs were changed and why.
 
-Persist to `.feature-factory/agents/ff-documentation-codex-{UUID}-T{N}-iter{I}.md`.
+Return a structured documentation update summary (no file persistence).

package/{commands → command}/pipeline/documentation/gate.md

@@ -1,19 +1,18 @@
 ---
 description: Apply documentation approval gate
 subtask: true
-model: openai/gpt-5.4
 ---
 
-Read the latest Gemini documentation review and apply gate exactly:
+Read the latest documentation review input from `$ARGUMENTS` and apply gate exactly:
 
 Skill requirements:
 
-- ChatGPT gate supervisor must load `ff-context-tracking` before persisting gate decisions.
+- ChatGPT gate supervisor should keep gate decisions explicit and iteration-aware.
 
 - APPROVED when verdict is `APPROVED` and unresolved documentation issues count is `0`
 - REWORK when verdict is `REWORK_REQUIRED` and iteration < 5
 - ESCALATE when iteration == 5 and still not approved
 
-Persist gate decision in pipeline context and output one status line:
+Output one status line:
 
 `DOCUMENTATION_GATE=APPROVED|REWORK|ESCALATE`

package/{commands/pipeline/documentation/run-gemini.md → command/pipeline/documentation/review.md}

@@ -1,7 +1,7 @@
 ---
-description: Gemini documentation review
+description: Documentation review pass
 subtask: true
-agent: ff-reviewing-gemini
+agent: reviewing
 ---
 
 Review the latest Codex documentation pass for completeness, correctness, and repository doc consistency.
@@ -18,4 +18,4 @@ Required output:
 3. explicit rework instructions
 4. confidence score (0-100)
 
-Persist to `.feature-factory/agents/ff-documentation-gemini-{UUID}-T{N}-iter{I}.md`.
+Return a structured documentation review result (no file persistence).

package/command/pipeline/documentation/run.md

@@ -0,0 +1,25 @@
+---
+description: Run documentation loop after review approval
+subtask: true
+loop:
+  max: 5
+  until: documentation updates are approved by DOCUMENTATION_REVIEWER_MODEL with zero unresolved documentation issues
+return:
+  - 'run, replacing arguments with values from $ARGUMENTS: /subtask {agent:general && model:<DEVELOPER_MODEL> && as:doc-pass} /pipeline/documentation/document $ARGUMENTS'
+  - 'run, replacing arguments with values from $ARGUMENTS: /subtask {agent:general && model:<DOCUMENTATION_REVIEWER_MODEL> && as:doc-review} /pipeline/documentation/review $RESULT[doc-pass]'
+  - 'run, replacing arguments with values from $ARGUMENTS: /pipeline/documentation/gate {model:<COORDINATOR_MODEL>} $RESULT[doc-review]'
+  - If `DOCUMENTATION_GATE=REWORK`, continue loop with review feedback for the next document pass.
+---
+
+Execute the documentation stage for the current approved implementation.
+
+Skill requirements:
+
+1. ChatGPT supervisor must load `ff-todo-management` to track documentation actions and rework items per iteration.
+2. Documentation reviewer should use `ff-severity-classification` when reporting documentation issues.
+
+Stop criteria:
+
+- approve when documentation reviewer confirms documentation is complete, accurate, and repository docs are updated
+- continue loop while unresolved documentation issues exist and iteration < 5
+- escalate to user when iteration reaches 5 without approval

package/command/pipeline/planning/gate.md

@@ -0,0 +1,23 @@
+---
+description: Apply planning consensus gate
+subtask: true
+agent: planning
+---
+
+Apply the planning gate to the synthesized consensus input passed in `$ARGUMENTS`:
+
+- `>=75`: APPROVED
+- `50-74`: REWORK
+- `<50`: BLOCKED
+
+Actions:
+
+1. If APPROVED, return the accepted final plan in a `FINAL_PLAN` section.
+2. If REWORK, return explicit divergence feedback so the next planning loop iteration re-plans with clear deltas.
+3. If BLOCKED, return explicit user-decision-needed rationale.
+
+Always include one status line in your final output:
+
+`PLANNING_GATE=APPROVED|REWORK|BLOCKED`
+
+If APPROVED, include a `FINAL_PLAN` section that becomes input to the build phase.

package/command/pipeline/planning/plan.md

@@ -0,0 +1,25 @@
+---
+description: Generate one model-specific planning proposal
+subtask: true
+agent: planning
+---
+
+Create a comprehensive implementation plan from the current pipeline requirements.
+
+Input format:
+
+- Prefix includes model tag as `[MODEL_TAG:<tag>]`
+- Remaining content is the requirements brief
+
+Requirements brief:
+
+$ARGUMENTS
+
+Return a structured proposal (no file persistence) with these sections:
+
+1. `MODEL_TAG`
+2. `REQUIREMENTS_SUMMARY`
+3. `ARCHITECTURE_VALIDATION`
+4. `IMPLEMENTATION_STEPS`
+5. `RISKS_AND_MITIGATIONS`
+6. `TESTING_AND_VALIDATION_STRATEGY`

package/command/pipeline/planning/run.md

@@ -0,0 +1,24 @@
+---
+description: Execute one planning iteration
+subtask: true
+parallel:
+  - 'run, replacing arguments with values from $ARGUMENTS: /subtask {agent:general && model:<REVIEWER_MODEL> && as:plan-reviewer} /pipeline/planning/plan [MODEL_TAG:reviewer] $ARGUMENTS'
+  - 'run, replacing arguments with values from $ARGUMENTS: /subtask {agent:general && model:<ARCHITECT_MODEL> && as:plan-architect} /pipeline/planning/plan [MODEL_TAG:architect] $ARGUMENTS'
+  - 'run, replacing arguments with values from $ARGUMENTS: /subtask {agent:general && model:<DEVELOPER_MODEL> && as:plan-developer} /pipeline/planning/plan [MODEL_TAG:developer] $ARGUMENTS'
+return:
+  - 'run, replacing arguments with values from $ARGUMENTS: /pipeline/planning/synthesize {model:<COORDINATOR_MODEL> && as:plan-consensus} $RESULT[plan-reviewer] $RESULT[plan-architect] $RESULT[plan-developer]'
+  - 'run, replacing arguments with values from $ARGUMENTS: /pipeline/planning/gate {model:<COORDINATOR_MODEL>} $RESULT[plan-consensus]'
+---
+
+Run one complete planning iteration for the active pipeline.
+
+Requirements brief:
+
+$ARGUMENTS
+
+Rules:
+
+1. Keep each planner output structured and concise for synthesis.
+2. Pass outputs using `{as:name}` and `$RESULT[name]` rather than intermediate files.
+3. Each planning model must include architecture validation in its proposal.
+4. Continue only through gate outcomes defined in `/pipeline/planning/gate`.

package/command/pipeline/planning/synthesize.md

@@ -0,0 +1,21 @@
+---
+description: Synthesize planning consensus
+subtask: true
+agent: planning
+---
+
+Synthesize the three model outputs from planning fan-out:
+
+- `$RESULT[plan-reviewer]`
+- `$RESULT[plan-architect]`
+- `$RESULT[plan-developer]`
+
+Produce a consensus report (no file persistence).
+
+Required output sections:
+
+1. `CONSENSUS_SCORE` (0-100)
+2. `AGREED_ELEMENTS`
+3. `DIVERGENT_ELEMENTS`
+4. `SYNTHESIZED_PLAN`
+5. `OPEN_QUESTIONS`

package/{commands → command}/pipeline/reviewing/gate.md

@@ -1,16 +1,15 @@
 ---
 description: Apply review approval gate
 subtask: true
-agent: ff-reviewing-codex
-model: openai/gpt-5.4
+agent: reviewing
 ---
 
-Read latest synthesis report and apply gate exactly:
+Read the synthesized review input from `$ARGUMENTS` and apply gate exactly:
 
 - APPROVED when confidence `>=95` and unresolved issues count is `0`
 - REWORK when below threshold and iteration < 10
 - ESCALATE when iteration == 10 and still not approved
 
-Persist gate decision in pipeline context and output one status line:
+Output one status line:
 
 `REVIEW_GATE=APPROVED|REWORK|ESCALATE`

package/command/pipeline/reviewing/review.md

@@ -0,0 +1,20 @@
+---
+description: Generate one model-specific review report
+subtask: true
+agent: reviewing
+---
+
+Review the current task from triage brief for correctness, quality, architecture validity, testing, security, and edge cases.
+
+Input format:
+
+- Prefix includes model tag as `[MODEL_TAG:<tag>]`
+- Remaining content is optional additional brief context
+
+Context brief:
+
+$ARGUMENTS
+
+Classify findings as critical/high/medium/low and include confidence score.
+
+Return a structured review report (no file persistence).

package/command/pipeline/reviewing/run.md

@@ -0,0 +1,23 @@
+---
+description: Run review loop for completed tasks
+subtask: true
+loop:
+  max: 10
+  until: all tasks in the active batch are approved with confidence >=95 and zero unresolved issues
+return:
+  - 'run, replacing arguments with values from $ARGUMENTS: /pipeline/reviewing/triage {model:<COORDINATOR_MODEL> && as:review-brief} $ARGUMENTS'
+  - 'run, replacing arguments with values from $ARGUMENTS: /subtask {agent:general && model:<REVIEWER_MODEL> && as:review-reviewer} /pipeline/reviewing/review [MODEL_TAG:reviewer] $RESULT[review-brief]'
+  - 'run, replacing arguments with values from $ARGUMENTS: /subtask {agent:general && model:<ARCHITECT_MODEL> && as:review-architect} /pipeline/reviewing/review [MODEL_TAG:architect] $RESULT[review-brief]'
+  - 'run, replacing arguments with values from $ARGUMENTS: /subtask {agent:general && model:<DEVELOPER_MODEL> && as:review-developer} /pipeline/reviewing/review [MODEL_TAG:developer] $RESULT[review-brief]'
+  - 'run, replacing arguments with values from $ARGUMENTS: /pipeline/reviewing/synthesize {model:<COORDINATOR_MODEL> && as:review-synthesis} $RESULT[review-reviewer] $RESULT[review-architect] $RESULT[review-developer]'
+  - 'run, replacing arguments with values from $ARGUMENTS: /pipeline/reviewing/gate {model:<COORDINATOR_MODEL>} $RESULT[review-synthesis]'
+  - If REVIEW_GATE=REWORK, run, replacing arguments with values from $ARGUMENTS: /subtask {agent:general && model:<DEVELOPER_MODEL>} /pipeline/building/implement-batch $RESULT[review-synthesis]
+---
+
+Execute the review loop for the current completed tasks/rework report.
+
+Stop criteria:
+
+- approve when `>=95` confidence and zero unresolved issues
+- continue loop while unresolved issues exist and iteration < 10
+- escalate to user when iteration reaches 10 without approval

package/{commands → command}/pipeline/reviewing/synthesize.md

@@ -1,11 +1,10 @@
 ---
 description: Synthesize independent reviews into one report
 subtask: true
-agent: ff-reviewing-codex
-model: openai/gpt-5.4
+agent: reviewing
 ---
 
-Read the latest three review reports (Opus, Gemini, and Codex) and synthesize a single authoritative output.
+Read the three review inputs passed in `$ARGUMENTS` (reviewer, architect, developer) and synthesize a single authoritative output.
 
 Required output:
 
@@ -15,4 +14,4 @@ Required output:
 4. verdict `APPROVED` or `REWORK_REQUIRED`
 5. explicit rework instructions when needed
 
-Persist to `.feature-factory/agents/ff-reviewing-codex-synthesis-{UUID}-T{N}-iter{I}.md`.
+Return a structured synthesis report (no file persistence).

package/{commands → command}/pipeline/reviewing/triage.md

@@ -1,8 +1,7 @@
 ---
 description: Build review brief from implementation outputs
 subtask: true
-agent: ff-reviewing-codex
-model: openai/gpt-5.4
+agent: reviewing
 ---
 
 Prepare a review brief for the current completed task or rework output.
@@ -13,4 +12,4 @@ Include:
 - files changed
 - focus areas and risk points
 
-Persist to `.feature-factory/agents/ff-reviewing-codex-triage-{UUID}-T{N}.md`.
+Return a structured `REVIEW_BRIEF` output (no file persistence).

package/command/pipeline/start.md

@@ -0,0 +1,29 @@
+---
+description: Pipeline workflow entrypoint
+subtask: true
+return:
+  - 'run, replacing arguments with values from $ARGUMENTS: /pipeline/planning/run {model:<COORDINATOR_MODEL> && as:planning-phase && loop:5 && until:planning gate is APPROVED or planning gate is BLOCKED and waiting for user confirmation} $ARGUMENTS'
+  - If planning is BLOCKED or loop max was reached, stop and ask the user whether to continue planning iterations. Otherwise continue.
+  - 'run, replacing arguments with values from $ARGUMENTS: /pipeline/building/run {model:<COORDINATOR_MODEL> && as:build-phase} $RESULT[planning-phase] COORDINATOR_MODEL=<COORDINATOR_MODEL> DEVELOPER_MODEL=<DEVELOPER_MODEL> ARCHITECT_MODEL=<ARCHITECT_MODEL> REVIEWER_MODEL=<REVIEWER_MODEL> DOCUMENTATION_REVIEWER_MODEL=<DOCUMENTATION_REVIEWER_MODEL>'
+  - 'run, replacing arguments with values from $ARGUMENTS: /pipeline/documentation/run {model:<COORDINATOR_MODEL>} $RESULT[build-phase] COORDINATOR_MODEL=<COORDINATOR_MODEL> DEVELOPER_MODEL=<DEVELOPER_MODEL> ARCHITECT_MODEL=<ARCHITECT_MODEL> REVIEWER_MODEL=<REVIEWER_MODEL> DOCUMENTATION_REVIEWER_MODEL=<DOCUMENTATION_REVIEWER_MODEL>'
+  - 'run, replacing arguments with values from $ARGUMENTS: /pipeline/complete {model:<COORDINATOR_MODEL>}'
+---
+
+Start the deterministic Feature Factory pipeline with this requirements brief:
+
+$ARGUMENTS
+
+Optional runtime model inputs (recommended):
+
+- `COORDINATOR_MODEL=<provider/model>`
+- `DEVELOPER_MODEL=<provider/model>`
+- `ARCHITECT_MODEL=<provider/model>`
+- `REVIEWER_MODEL=<provider/model>`
+- `DOCUMENTATION_REVIEWER_MODEL=<provider/model>`
+
+Execution requirements:
+
+1. Use `{as:name}` and `$RESULT[name]` for phase-to-phase handoff.
+2. Avoid file persistence for intermediate artifacts unless a command explicitly requires audit snapshots.
+3. Use command chaining, parallel fan-out, and loop gates from the `/pipeline/...` command tree.
+4. Do not skip planning, review, and documentation gates.

package/dist/index.d.ts

@@ -3,8 +3,7 @@ import type { Plugin } from '@opencode-ai/plugin';
  * Feature Factory Plugin
  *
  * Provides quality gate checks when the agent becomes idle after editing files,
- * plus a comprehensive set of tools for agent management, learning storage,
- * planning, and file operations.
+ * plus quality and orchestration hooks.
  */
 export declare const FeatureFactoryPlugin: Plugin;
 export type { QualityGateConfig, CommandStep, StepResult, SessionState, PackageManager, } from './types.js';

package/dist/index.js

@@ -3,33 +3,11 @@ import { updateMCPConfig } from './mcp-config.js';
 import { updateAgentConfig } from './agent-config.js';
 import { updatePluginConfig } from './plugin-config.js';
 import { $ } from 'bun';
-// Import tool creator functions
-import { createFFAgentsCurrentTool } from './plugins/ff-agents-current-plugin.js';
-import { createFFAgentsShowTool } from './plugins/ff-agents-show-plugin.js';
-import { createFFAgentsClearTool } from './plugins/ff-agents-clear-plugin.js';
-import { createFFPlanCreateTool } from './plugins/ff-plan-create-plugin.js';
-import { createFFPlanUpdateTool } from './plugins/ff-plan-update-plugin.js';
-import { createFFAgentContextCreateTool } from './plugins/ff-agent-context-create-plugin.js';
-import { createFFAgentContextUpdateTool } from './plugins/ff-agent-context-update-plugin.js';
-import { createFFReviewCreateTool } from './plugins/ff-review-create-plugin.js';
-// File management tools
-import { createFFAgentsGetTool } from './plugins/ff-agents-get-plugin.js';
-import { createFFAgentsUpdateTool } from './plugins/ff-agents-update-plugin.js';
-import { createFFAgentsDeleteTool } from './plugins/ff-agents-delete-plugin.js';
-import { createFFAgentsListTool } from './plugins/ff-agents-list-plugin.js';
-import { createFFPlansGetTool } from './plugins/ff-plans-get-plugin.js';
-import { createFFPlansUpdateTool } from './plugins/ff-plans-update-plugin.js';
-import { createFFPlansDeleteTool } from './plugins/ff-plans-delete-plugin.js';
-import { createFFPlansListTool } from './plugins/ff-plans-list-plugin.js';
-import { createFFReviewsGetTool } from './plugins/ff-reviews-get-plugin.js';
-import { createFFReviewsUpdateTool } from './plugins/ff-reviews-update-plugin.js';
-import { createFFReviewsListTool } from './plugins/ff-reviews-list-plugin.js';
 /**
  * Feature Factory Plugin
  *
  * Provides quality gate checks when the agent becomes idle after editing files,
- * plus a comprehensive set of tools for agent management, learning storage,
- * planning, and file operations.
+ * plus quality and orchestration hooks.
  */
 export const FeatureFactoryPlugin = async (input) => {
     const { directory } = input;
@@ -64,35 +42,8 @@ export const FeatureFactoryPlugin = async (input) => {
     }
     // Load hooks from the quality gate plugin
     const qualityGateHooks = await StopQualityGateHooksPlugin(input).catch(() => ({}));
-    // Create all tools
-    const tools = {
-        // Agent management tools
-        'ff-agents-current': createFFAgentsCurrentTool(),
-        'ff-agents-show': createFFAgentsShowTool(),
-        'ff-agents-clear': createFFAgentsClearTool(),
-        // Plan tools
-        'ff-plan-create': createFFPlanCreateTool(),
-        'ff-plan-update': createFFPlanUpdateTool(),
-        // Agent context tools
-        'ff-agent-context-create': createFFAgentContextCreateTool(),
-        'ff-agent-context-update': createFFAgentContextUpdateTool(),
-        // Review tools
-        'ff-review-create': createFFReviewCreateTool(),
-        // File management - agents
-        'ff-agents-get': createFFAgentsGetTool(),
-        'ff-agents-update': createFFAgentsUpdateTool(),
-        'ff-agents-delete': createFFAgentsDeleteTool(),
-        'ff-agents-list': createFFAgentsListTool(),
-        // File management - plans
-        'ff-plans-get': createFFPlansGetTool(),
-        'ff-plans-update': createFFPlansUpdateTool(),
-        'ff-plans-delete': createFFPlansDeleteTool(),
-        'ff-plans-list': createFFPlansListTool(),
-        // File management - reviews
-        'ff-reviews-get': createFFReviewsGetTool(),
-        'ff-reviews-update': createFFReviewsUpdateTool(),
-        'ff-reviews-list': createFFReviewsListTool(),
-    };
+    // Tool registry intentionally empty after hard removal of ff-* artifact tools.
+    const tools = {};
     // Return combined hooks and tools
     return {
         ...qualityGateHooks,

package/package.json

@@ -1,7 +1,7 @@
 {
   "$schema": "https://json.schemastore.org/package.json",
   "name": "@syntesseraai/opencode-feature-factory",
-  "version": "0.6.8",
+  "version": "0.6.10",
   "type": "module",
   "description": "OpenCode plugin for Feature Factory agents - provides sub-agents and skills for validation, review, security, and architecture assessment",
   "license": "MIT",
@@ -15,7 +15,7 @@
     "assets",
     "skills",
     "agents",
-    "commands",
+    "command",
     "bin"
   ],
   "keywords": [

package/skills/ff-reviewing-architecture/SKILL.md

@@ -0,0 +1,34 @@
+---
+name: ff-reviewing-architecture
+description: Architecture validation checklist for @reviewing using Well-Architected principles.
+license: MIT
+compatibility: opencode
+metadata:
+  audience: agents
+  category: architecture
+---
+
+# Reviewing Architecture Skill
+
+Use this skill when `@reviewing` evaluates architectural quality and system-level trade-offs.
+
+## Focus Areas
+
+- Operational excellence (observability, operability, change safety)
+- Security posture at architecture boundaries
+- Reliability (fault handling, retries, idempotency, recovery)
+- Performance efficiency and cost-awareness
+
+## Checklist
+
+1. Validate interfaces/contracts are explicit and stable.
+2. Check resilience patterns at boundaries (timeouts, retries, fallbacks).
+3. Review coupling/cohesion and blast-radius risks.
+4. Identify scaling/performance bottlenecks from design choices.
+5. Capture pragmatic improvements with risk/effort trade-offs.
+
+## Output Expectations
+
+- Tie architecture concerns to user/system impact.
+- Prefer incremental remediations over broad rewrites.
+- Mark blockers vs improvements clearly.

package/skills/ff-reviewing-code-quality/SKILL.md

@@ -0,0 +1,34 @@
+---
+name: ff-reviewing-code-quality
+description: Code-quality review checklist for @reviewing. Use for correctness, maintainability, and test coverage validation.
+license: MIT
+compatibility: opencode
+metadata:
+  audience: agents
+  category: validation
+---
+
+# Reviewing Code Quality Skill
+
+Use this skill when `@reviewing` is validating implementation quality.
+
+## Focus Areas
+
+- Correctness of control flow and data handling
+- Error handling and edge-case coverage
+- Test adequacy and meaningful assertions
+- Readability, maintainability, and consistency with repository patterns
+
+## Checklist
+
+1. Confirm changed behavior matches stated requirements.
+2. Verify failure paths are handled explicitly.
+3. Check tests cover core success and failure scenarios.
+4. Flag brittle or duplicated logic with concrete recommendations.
+5. Record findings with severity and confidence.
+
+## Output Expectations
+
+- Cite concrete file/path evidence.
+- Provide actionable fixes, not generic advice.
+- Distinguish blocking vs non-blocking issues.

package/skills/ff-reviewing-documentation/SKILL.md

@@ -0,0 +1,34 @@
+---
+name: ff-reviewing-documentation
+description: Documentation validation checklist for @reviewing. Use for accuracy, completeness, and repository consistency checks.
+license: MIT
+compatibility: opencode
+metadata:
+  audience: agents
+  category: documentation
+---
+
+# Reviewing Documentation Skill
+
+Use this skill when `@reviewing` validates documentation-stage outputs.
+
+## Focus Areas
+
+- Behavioral accuracy versus current implementation
+- Completeness of changed workflows/commands/operational steps
+- Consistency across docs and command references
+- Removal of stale or deprecated references
+
+## Checklist
+
+1. Verify docs match shipped behavior and command names.
+2. Confirm all impacted docs are updated (not just one file).
+3. Identify stale references and contradictory guidance.
+4. Require explicit rework instructions for unresolved gaps.
+5. Return verdict `APPROVED` or `REWORK_REQUIRED` with confidence.
+
+## Output Expectations
+
+- Cite exact doc paths/sections with issues.
+- Provide direct replacement wording where possible.
+- Keep verdict binary and actionable.

package/skills/ff-reviewing-security/SKILL.md

@@ -0,0 +1,34 @@
+---
+name: ff-reviewing-security
+description: Security validation checklist for @reviewing. Use for auth, input handling, secret safety, and abuse-path review.
+license: MIT
+compatibility: opencode
+metadata:
+  audience: agents
+  category: security
+---
+
+# Reviewing Security Skill
+
+Use this skill when `@reviewing` performs security-focused validation.
+
+## Focus Areas
+
+- Authentication and authorization boundaries
+- Input validation, sanitization, and injection risks
+- Secret handling and sensitive data exposure
+- Unsafe defaults, missing guards, and privilege escalation paths
+
+## Checklist
+
+1. Verify auth checks exist at all protected boundaries.
+2. Validate untrusted input handling across request/data paths.
+3. Confirm secrets/tokens are not logged, committed, or leaked.
+4. Check dangerous operations have explicit safeguards.
+5. Classify exploitability and business impact clearly.
+
+## Output Expectations
+
+- Include exploit scenario or abuse path when possible.
+- Mark critical/high findings with exact remediation steps.
+- Note confidence and unknowns explicitly.