@wrongstack/core 0.260.0 → 0.265.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (99) hide show
  1. package/dist/{agent-bridge-BbskZ7HH.d.ts → agent-bridge-DrkBxszZ.d.ts} +1 -1
  2. package/dist/{agent-subagent-runner-BNIGZx18.d.ts → agent-subagent-runner-DM2pP-B6.d.ts} +116 -12
  3. package/dist/{brain-C2yDd7Lw.d.ts → brain-BXd_61kQ.d.ts} +32 -3
  4. package/dist/{compactor-t0R_AIt_.d.ts → compactor-B8pOf45Y.d.ts} +1 -1
  5. package/dist/{config-FG6As4H5.d.ts → config-BMCj_XDs.d.ts} +86 -12
  6. package/dist/{context-JFOVvu6z.d.ts → context-MRk5PhNv.d.ts} +26 -1
  7. package/dist/coordination/index.d.ts +1737 -15
  8. package/dist/coordination/index.js +3152 -494
  9. package/dist/coordination/index.js.map +1 -1
  10. package/dist/{default-config-CXsDvOmP.d.ts → default-config-B0cj-Hry.d.ts} +11 -1
  11. package/dist/defaults/index.d.ts +28 -28
  12. package/dist/defaults/index.js +1804 -1363
  13. package/dist/defaults/index.js.map +1 -1
  14. package/dist/dispatcher-types.d-BBeXBQgS.d.ts +66 -0
  15. package/dist/execution/index.d.ts +16 -16
  16. package/dist/execution/index.js +933 -672
  17. package/dist/execution/index.js.map +1 -1
  18. package/dist/execution/prompt-enhancer.d.ts +1 -1
  19. package/dist/execution/prompt-enhancer.js +7 -1
  20. package/dist/execution/prompt-enhancer.js.map +1 -1
  21. package/dist/extension/index.d.ts +6 -6
  22. package/dist/extension/index.js.map +1 -1
  23. package/dist/{goal-preamble-B1IXJtLX.d.ts → goal-preamble-DvHDSKSe.d.ts} +26 -10
  24. package/dist/{goal-store-CPXz6Mml.d.ts → goal-store-DtLMySNb.d.ts} +1 -1
  25. package/dist/{index-CebbJB94.d.ts → index-B-ch8K9C.d.ts} +8 -8
  26. package/dist/{index-BPcg4N3M.d.ts → index-CEDeNodM.d.ts} +5 -5
  27. package/dist/index.d.ts +189 -104
  28. package/dist/index.js +24693 -21162
  29. package/dist/index.js.map +1 -1
  30. package/dist/infrastructure/index.d.ts +6 -6
  31. package/dist/infrastructure/index.js +12 -8
  32. package/dist/infrastructure/index.js.map +1 -1
  33. package/dist/kernel/index.d.ts +9 -9
  34. package/dist/kernel/index.js +7 -2
  35. package/dist/kernel/index.js.map +1 -1
  36. package/dist/{llm-selector-DXxI2tlu.d.ts → llm-selector-C0tfTCUe.d.ts} +14 -2
  37. package/dist/{mcp-servers-OwNHo43-.d.ts → mcp-servers-2x4w6Jn9.d.ts} +3 -3
  38. package/dist/models/index.d.ts +5 -5
  39. package/dist/models/index.js +80 -31
  40. package/dist/models/index.js.map +1 -1
  41. package/dist/{models-registry-Djlmq4uB.d.ts → models-registry-DmJlKuNp.d.ts} +1 -1
  42. package/dist/{multi-agent-coordinator-CEmrSCMJ.d.ts → multi-agent-coordinator-DyCkCZnU.d.ts} +2 -2
  43. package/dist/{null-fleet-bus-DT92xqgJ.d.ts → null-fleet-bus-CG9QY2aP.d.ts} +6 -6
  44. package/dist/observability/index.d.ts +2 -2
  45. package/dist/observability/index.js +8 -3
  46. package/dist/observability/index.js.map +1 -1
  47. package/dist/{parallel-eternal-engine-0SItuq5r.d.ts → parallel-eternal-engine-Jw9uhEoT.d.ts} +9 -9
  48. package/dist/{path-resolver-DKBh6Jlo.d.ts → path-resolver-Dy2ej-gE.d.ts} +3 -3
  49. package/dist/{permission-BJ7eO9Vl.d.ts → permission-B9SB45lp.d.ts} +1 -1
  50. package/dist/{permission-policy-DEXOfnpm.d.ts → permission-policy-CkjSXabK.d.ts} +2 -2
  51. package/dist/{pipeline-zflkI2dp.d.ts → pipeline-DPDxH_7m.d.ts} +59 -4
  52. package/dist/{plan-templates-BFXyRkEK.d.ts → plan-templates-CzD9GnAU.d.ts} +32 -8
  53. package/dist/{provider-runner-BC-uywtT.d.ts → provider-runner-DMa70ODu.d.ts} +3 -3
  54. package/dist/{retry-policy-Cavrzmtk.d.ts → retry-policy-CN0khdlj.d.ts} +1 -1
  55. package/dist/sdd/index.d.ts +8 -8
  56. package/dist/sdd/index.js +313 -122
  57. package/dist/sdd/index.js.map +1 -1
  58. package/dist/{secret-vault-CDvDYXWX.d.ts → secret-vault-B2yw84VT.d.ts} +43 -4
  59. package/dist/secret-vault-BAKpgFw_.d.ts +57 -0
  60. package/dist/security/index.d.ts +5 -5
  61. package/dist/security/index.js +411 -225
  62. package/dist/security/index.js.map +1 -1
  63. package/dist/{selector-B7AivHsu.d.ts → selector-CzHh_igB.d.ts} +1 -1
  64. package/dist/{session-event-bridge-BmIDxdJd.d.ts → session-event-bridge-BUI6Jf-4.d.ts} +8 -2
  65. package/dist/{session-reader-DtofsB-2.d.ts → session-reader-CMgdMSRP.d.ts} +1 -1
  66. package/dist/skills/index.js +67 -64
  67. package/dist/skills/index.js.map +1 -1
  68. package/dist/storage/index.d.ts +132 -16
  69. package/dist/storage/index.js +851 -432
  70. package/dist/storage/index.js.map +1 -1
  71. package/dist/tools/index.d.ts +57 -0
  72. package/dist/tools/index.js +411 -0
  73. package/dist/tools/index.js.map +1 -0
  74. package/dist/types/index.d.ts +21 -21
  75. package/dist/types/index.js +928 -711
  76. package/dist/types/index.js.map +1 -1
  77. package/dist/utils/error.d.ts +7 -0
  78. package/dist/utils/error.js +8 -0
  79. package/dist/utils/error.js.map +1 -0
  80. package/dist/utils/index.d.ts +8 -68
  81. package/dist/utils/index.js +20 -10
  82. package/dist/utils/index.js.map +1 -1
  83. package/dist/{wstack-paths-CJjEwPXn.d.ts → wstack-paths-hOpNLmvf.d.ts} +2 -0
  84. package/package.json +5 -1
  85. package/skills/api-design/SKILL.md +1 -1
  86. package/skills/audit-log/SKILL.md +6 -6
  87. package/skills/bug-hunter/SKILL.md +5 -5
  88. package/skills/chimera/SKILL.md +4 -4
  89. package/skills/docker-deploy/SKILL.md +1 -1
  90. package/skills/git-flow/SKILL.md +3 -3
  91. package/skills/multi-agent/SKILL.md +3 -3
  92. package/skills/node-modern/SKILL.md +1 -0
  93. package/skills/observability/SKILL.md +2 -2
  94. package/skills/output-standards/SKILL.md +51 -28
  95. package/skills/refactor-planner/SKILL.md +3 -3
  96. package/skills/security-scanner/SKILL.md +4 -3
  97. package/skills/tech-stack/SKILL.md +1 -2
  98. package/dist/package-outdated-watcher-C70ag2G9.d.ts +0 -581
  99. package/dist/secret-vault-BJDY28ev.d.ts +0 -25
@@ -81,6 +81,8 @@ interface WstackPaths {
81
81
  projectAutophase: string;
82
82
  /** ~/.wrongstack/sync.json — CloudSync configuration */
83
83
  syncConfig: string;
84
+ /** Function to get the status.json path for a project given its hash. */
85
+ projectStatus: (projectHash: string) => string;
84
86
  }
85
87
  declare function projectHash(absRoot: string): string;
86
88
  /**
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@wrongstack/core",
3
- "version": "0.260.0",
3
+ "version": "0.265.1",
4
4
  "license": "MIT",
5
5
  "description": "WrongStack core: kernel, types, defaults, and shared utilities for the WrongStack CLI agent.",
6
6
  "repository": {
@@ -40,6 +40,10 @@
40
40
  "types": "./dist/utils/expect-defined.d.ts",
41
41
  "import": "./dist/utils/expect-defined.js"
42
42
  },
43
+ "./utils/error": {
44
+ "types": "./dist/utils/error.d.ts",
45
+ "import": "./dist/utils/error.js"
46
+ },
43
47
  "./execution": {
44
48
  "types": "./dist/execution/index.d.ts",
45
49
  "import": "./dist/execution/index.js"
@@ -74,7 +74,7 @@ Response.json({ error: '...' }, { status: 200 }); // lies about outcome
74
74
 
75
75
  ```
76
76
  POST /sessions
77
- Body: { "provider": "anthropic", "model": "claude-3-5-sonnet" }
77
+ Body: { "provider": "anthropic", "model": "<model-id>" }
78
78
  201: { "id": "sess_abc", "provider": "anthropic", ... }
79
79
  400: { "error": { "code": "VALIDATION_ERROR", "message": "model is required" } }
80
80
  ```
@@ -20,7 +20,7 @@ Parses WrongStack session JSONL files to extract tool usage patterns, error dist
20
20
  1. Always parse from the source JSONL — never summarize what you didn't read.
21
21
  2. Analyze one session at a time, or aggregate with clear labeling per session.
22
22
  3. Cite specific data in reports: iteration numbers, tool names, error messages.
23
- 4. Flag repeated failures (same tool,5+ times) as a real issue, not noise.
23
+ 4. Flag repeated failures (same tool, 5+ times) as a real issue, not noise.
24
24
  5. Report cost trends in context of iteration count — a spike means context growth.
25
25
 
26
26
  ## Patterns
@@ -77,7 +77,7 @@ const errorsByType = events
77
77
  - **Tool entropy**: too many different tools in one iteration = unfocused task
78
78
 
79
79
  ### Error patterns
80
- - **Same error repeating**: `ToolExecutionError`47x across iterations = systemic issue
80
+ - **Same error repeating**: `ToolExecutionError` 47x across iterations = systemic issue
81
81
  - **Error clustering**: all errors in `bash` tool = command timeout pattern
82
82
  - **Error rate by type**: which error type is most common?
83
83
  - **Error distribution**: are errors clustered in specific packages or tools?
@@ -85,7 +85,7 @@ const errorsByType = events
85
85
  ### Cost patterns
86
86
  - **Token growth**: tokens/iteration trending up = context bloat
87
87
  - **Provider cost**: which model is most expensive per call?
88
- - **Cost spikes**: sudden3x increase = large file reads or excessive tool calls
88
+ - **Cost spikes**: sudden 3x increase = large file reads or excessive tool calls
89
89
  - **Iteration cost variance**: avg $0.04/iter → $0.11/iter = context growing
90
90
 
91
91
  ### Context management
@@ -154,10 +154,10 @@ When reading a session file:
154
154
  - Iteration 11-20: avg $0.11/iteration (context growth)
155
155
 
156
156
  <next_steps>
157
- 1. Investigate bash failures command timeout pattern in iterations 14-20
158
- 2. Review tool call count in iteration 14 — 50+ tool calls suggests loop
159
- 3. Run `pnpm test` to verify fixes for identified issues
157
+ 1. Run the session tests and the type checker
160
158
  </next_steps>
159
+
160
+ Investigate iterations 14–20 in the session log for the bash command timeout pattern. Review iteration 14's tool call count for loop behavior.
161
161
  ```
162
162
 
163
163
  ## Anti-patterns
@@ -17,7 +17,7 @@ Grep/read across target files to surface bugs, anti-patterns, and quality issues
17
17
 
18
18
  ## Rules
19
19
 
20
- 1. Always include `file:line` in every findingno line reference = can't be fixed.
20
+ 1. Always include a `file:line` you have actually read verify the line exists; never invent, guess, or extrapolate a reference. No line reference = can't be fixed.
21
21
  2. Never scan `node_modules` — waste of time, false positives.
22
22
  3. Don't report style issues as bugs — those are lint findings.
23
23
  4. If >30% of findings are noise, note the false positive rate in the report.
@@ -127,10 +127,10 @@ const data: any = response.json();
127
127
  Total: 16 findings in 12 files
128
128
 
129
129
  <next_steps>
130
- 1. [SHELL-INJ] `tools/shell.ts:42` — replace exec() with execFile()
131
- 2. [SECRET] `lib/config.ts:8` — move API key to environment variable
132
- 3. [MEMORY] `tools/pool.ts:89` — add cleanup in component unmount
133
- 4. [TYPE] `core/agent.ts:103` — replace `as any` with proper type
130
+ 1. Fix the shell injection in tools/shell.ts:42
131
+ 2. Fix the hardcoded API key in lib/config.ts:8
132
+ 3. Fix the memory leak in tools/pool.ts:89
133
+ 4. Fix the unsafe any cast in core/agent.ts:103
134
134
  </next_steps>
135
135
  ```
136
136
 
@@ -22,7 +22,7 @@ issues the session agent may have missed.
22
22
 
23
23
  1. **Only review changed files.** The list of files is provided to you — do not
24
24
  expand scope.
25
- 2. **Read before judging.** Always read the file before flagging an issue.
25
+ 2. **Read before judging.** Read the file and confirm the exact line before flagging never cite a `file:line` you haven't read.
26
26
  3. **Be surgical.** Flag real bugs, not style preferences. If it compiles and
27
27
  the logic is sound, it's fine.
28
28
  4. **No re-litigation.** Do not re-raise issues already discussed in the session
@@ -57,9 +57,9 @@ Write your report as a single message appended to the chat. Use this structure:
57
57
  - Clean files: N
58
58
 
59
59
  <next_steps>
60
- 1. [CRITICAL] `path/file.ts:42` — add null guard for `user`
61
- 2. [HIGH] `path/config.ts:8` — move API key to environment variable
62
- 3. [MEDIUM] `path/helper.ts:15` — replace `as any` with `as unknown as T`
60
+ 1. Fix null deref in path/file.ts:42
61
+ 2. Fix plaintext API key in path/config.ts:8
62
+ 3. Fix unsafe any cast in path/helper.ts:15
63
63
  </next_steps>
64
64
  ```
65
65
 
@@ -119,7 +119,7 @@ WRONGSTACK_SESSION_ROOT=/app/sessions
119
119
 
120
120
  # Optional
121
121
  WRONGSTACK_PROVIDER=anthropic
122
- WRONGSTACK_MODEL=claude-3-5-sonnet-20241022
122
+ WRONGSTACK_MODEL=<model-id>
123
123
  WRONGSTACK_API_KEY=${ANTHROPIC_API_KEY} # from secrets manager
124
124
  ```
125
125
 
@@ -146,10 +146,10 @@ git rebase main && git merge --ff-only feature
146
146
  3. Open PR with description linking to issue
147
147
 
148
148
  <next_steps>
149
- 1. `git checkout -b fix/session-leak` from `main`
150
- 2. Commit with: `fix: correct race condition in token refresh`
151
- 3. Open PR with description linking to issue #123
149
+ 1. Create a branch fix/session-leak, commit the token refresh fix, and push it
152
150
  </next_steps>
151
+
152
+ Open a PR at GitHub linking to issue #123 with the commit message describing the fix.
153
153
  ```
154
154
 
155
155
  ## Skills in scope
@@ -127,9 +127,9 @@ When a leader synthesizes results from subagents:
127
127
  [Deduplicated and prioritized action items]
128
128
 
129
129
  <next_steps>
130
- 1. [Priority] Action item 1 file:line reference
131
- 2. [Priority] Action item 2 file:line reference
132
- 3. [Priority] Action item 3 file:line reference
130
+ 1. Fix critical issue in <file:line>
131
+ 2. Fix high-priority issue in <file:line>
132
+ 3. Fix remaining issue in <file:line>
133
133
  </next_steps>
134
134
  ```
135
135
 
@@ -113,6 +113,7 @@ setTimeout(handler, 1000, { signal: userSignal });
113
113
  ```ts
114
114
  // ✅ Atomic write pattern
115
115
  import { rename, writeFile } from 'node:fs/promises';
116
+ import { randomBytes } from 'node:crypto';
116
117
  const tmp = `${target}.${randomBytes(4).toString('hex')}.tmp`;
117
118
  await writeFile(tmp, data);
118
119
  await rename(tmp, target);
@@ -53,7 +53,7 @@ console.log(JSON.stringify({
53
53
  }));
54
54
 
55
55
  // ✅ Trace span around a tool call
56
- import { trace } from 'node:opentelemetry/api';
56
+ import { trace, SpanStatusCode } from '@opentelemetry/api';
57
57
  const span = trace.getTracer('wrongstack').startSpan('bash');
58
58
  try {
59
59
  const result = await bash(cmd);
@@ -90,7 +90,7 @@ console.log(JSON.stringify({ event: 'tool_executed' })); // no correlation
90
90
  |-------|-------------|---------|
91
91
  | `DEBUG` | Dev-only detail | "entering parseArgs with 3 args" |
92
92
  | `INFO` | Normal flow | "tool executed", "session started" |
93
- | `WARN` | Recoverable issue | "retry attempt2/3", "cache miss" |
93
+ | `WARN` | Recoverable issue | "retry attempt 2/3", "cache miss" |
94
94
  | `ERROR` | Needs attention | "tool timeout", "auth failure" |
95
95
 
96
96
  ## Structured log schema
@@ -15,26 +15,25 @@ extract structured data from agent responses.
15
15
 
16
16
  ## Rules
17
17
 
18
- 1. **Only the leader agent's final message MUST include `<next_steps>` tag** — subagents report findings only. If nothing is pending, write "No pending actions."
19
- 2. **Tags must be properly closed** `<next_steps>...</next_steps>` with exact tag names.
20
- 3. **No markdown inside tags** — plain text only, one action per line.
21
- 4. **Use imperative mood** — "Fix X", "Run Y", not "Fixed X" or "Running Y".
22
- 5. **Be specific** — mention file paths, tool names, or exact commands.
23
- 6. **Keep concise** — max 5 items unless the task genuinely requires more.
24
- 7. **Items must be concrete actionable commands** — something another agent or the user can immediately execute. Never write declarations of intent ("we should fix X", "consider refactoring Y") or manual execution suggestions ("manually review file Z", "check if X is correct").
18
+ 1. **Only the leader agent's final message SHOULD include `<next_steps>`** — subagents report findings only. If nothing is pending, omit the tag and say "No pending actions."
19
+ 2. **`<next_steps>` is for prompt options only** — every item must be something the user can type into the prompt and submit. If a step is a human-only action (e.g., "open DevTools", "check the browser console"), put it outside the tag as informational text instead.
20
+ 3. **Tags must be properly closed** — `<next_steps>...</next_steps>` with exact tag names.
21
+ 4. **No markdown inside tags** — plain text only, one item per line.
22
+ 5. **Items are prompt inputs** — not imperative instructions. Write what the user would type, not what they should do.
23
+ 6. **Items marked `auto="true"` must include input content** — the user can copy and submit it directly.
24
+ 7. **Keep concise** — max 5 items unless the task genuinely requires more.
25
25
 
26
26
  ## Output Format
27
27
 
28
- Every agent's final message MUST end with this structure:
29
-
30
28
  ```
31
29
  [... task results ...]
32
30
 
33
31
  <next_steps>
34
- 1. First actionable next stepimperative, specific
35
- 2. Second actionable next step
36
- 3. Third actionable next step (if needed)
32
+ 1. Prompt option the user can enter phrased as what to type, not what to do
33
+ 2. Another prompt option
37
34
  </next_steps>
35
+
36
+ Informational text for human-only actions (outside the tag, no tag wrapper).
38
37
  ```
39
38
 
40
39
  ### Format Requirements
@@ -44,29 +43,31 @@ Every agent's final message MUST end with this structure:
44
43
  | Opening tag | `<next_steps>` on its own line | `<next_steps>` |
45
44
  | Numbered items | `1. ` prefix, one per line | `1. Fix auth bug in core/session.ts` |
46
45
  | Closing tag | `</next_steps>` on its own line | `</next_steps>` |
47
- | Blank line before | Optional but recommended | Improves readability |
48
- | Blank line after | Not required | — |
46
+ | `auto="true"` items | Include the full input content | `1. fix in core/auth.ts:42 auto="true"` |
49
47
 
50
48
  ### ✅ Correct Examples
51
49
 
52
50
  ```
53
- Task completed successfully.
51
+ Bug Hunt complete. Found 3 critical issues.
54
52
 
55
53
  <next_steps>
56
- 1. Fix shell injection in packages/cli/src/slash-commands/dev.ts:15
57
- 2. Replace Math.random() with randomUUID() in 4 files
58
- 3. Run pnpm run typecheck to verify fixes
54
+ 1. Fix the shell injection in packages/cli/src/slash-commands/dev.ts:15
55
+ 2. Replace Math.random() with randomUUID() in the affected files
56
+ 3. Run the type checker
59
57
  </next_steps>
58
+
59
+ Open browser DevTools → Network tab to verify the WebSocket
60
+ connection is established before testing.
60
61
  ```
61
62
 
62
63
  ```
63
- Analysis finished. Found 3 critical issues.
64
+ Audit complete. Found bash command timeout pattern in iterations 14–20.
64
65
 
65
66
  <next_steps>
66
- 1. [CRITICAL] packages/cli/src/slash-commands/dev.ts:15 exec() execFile()
67
- 2. [HIGH] packages/core/src/session-registry.ts:145 — remove ! assertion
68
- 3. [HIGH] packages/core/src/session-registry.ts:169 — remove ! assertion
67
+ 1. Run the session tests and the type checker
69
68
  </next_steps>
69
+
70
+ Review iterations 14–20 in the session log to characterize the loop.
70
71
  ```
71
72
 
72
73
  ### ❌ Incorrect Examples
@@ -102,15 +103,35 @@ Next steps:
102
103
  # ❌ Missing opening/closing tags
103
104
  ```
104
105
 
106
+ ```
107
+ <next_steps>
108
+ 1. Open the browser console and check for errors # ❌ Human-only action, not a prompt
109
+ </next_steps>
110
+ ```
111
+
112
+ ## `auto="true"` Format
113
+
114
+ Items that should be auto-submitted (the user can copy-paste and send) use `auto="true"`:
115
+
116
+ ```
117
+ <next_steps>
118
+ 1. Run the type checker auto="true"
119
+ 2. Fix the shell injection in packages/cli/src/slash-commands/dev.ts:15
120
+ </next_steps>
121
+ ```
122
+
123
+ The text before `auto="true"` is the exact prompt the user would type. Items without `auto="true"` are suggestions the user can select manually.
124
+
105
125
  ## Subagent Requirements
106
126
 
107
127
  When a **leader agent** synthesizes output from **subagents**, the leader MUST:
108
128
 
109
129
  1. Collect findings from subagents (they return results, not `<next_steps>`)
110
- 2. Based on findings, produce a unified `<next_steps>` section
130
+ 2. Based on findings, produce a unified `<next_steps>` section with prompt options
111
131
  3. Remove duplicates (dedupe by file path + action)
112
132
  4. Re-prioritize if needed (critical > high > medium > low)
113
- 5. Keep the unified list within the 5-item guideline, but no hard cap
133
+ 5. Human-only findings (e.g., "check the browser console") go outside the tag
134
+ 6. Keep the unified list within the 5-item guideline, but no hard cap
114
135
 
115
136
  When a **subagent** completes its task, it MUST:
116
137
 
@@ -120,13 +141,15 @@ When a **subagent** completes its task, it MUST:
120
141
 
121
142
  ## Anti-patterns
122
143
 
144
+ - **Don't put human-only actions in `<next_steps>`** — those belong outside the tag as plain text
145
+ - **Don't write imperative instructions** — write what the user would type, not what they should do
123
146
  - **Don't use markdown inside `<next_steps>`** — plain text only
124
- - **Don't skip the tag** — the leader's final message always needs one
147
+ - **Don't skip the tag when there are prompt options** — the tag enables the `/next` workflow
125
148
  - **Don't use dashes or asterisks** — use `1.`, `2.`, `3.` numbering
126
- - **Don't be vague** — "fix bugs" is useless, "fix auth/session.ts:42" is actionable
149
+ - **Don't be vague** — "fix bugs" is useless, "fix auth/session.ts:42" is a valid prompt
127
150
  - **Don't exceed 5 items without reason** — if >5, it's probably not a single task
128
- - **Don't write declarations of intent** — "we should refactor X" is not actionable; "Extract the parseConfig function in core/config.ts:88" is
129
- - **Don't suggest manual review** — "manually check if X is correct" is not a next step; "Run pnpm typecheck to verify" is
151
+ - **Don't write declarations of intent** — "we should refactor X" is not a prompt; "refactor core/config.ts" is
152
+ - **Don't suggest manual review as a prompt** — "manually check if X is correct" is not a valid LLM prompt; instead put it outside the tag
130
153
  - **Don't include `<next_steps>` in subagent output** — subagents report findings, leaders produce next steps
131
154
 
132
155
  ## Skills in scope
@@ -157,9 +157,9 @@ config.ts → logger.ts → path-resolver.ts
157
157
  - [ ] `Context` interface < 20 methods
158
158
 
159
159
  <next_steps>
160
- 1. [Phase 1] Extract `ToolExecutor` interface in core/tool-executor.ts
161
- 2. [Phase 1] Decouple `SessionStore` from Agent in core/session-store.ts
162
- 3. [Phase 2] Break circular dep: Config Logger in core/config.ts
160
+ 1. Extract ToolExecutor interface in core/tool-executor.ts
161
+ 2. Decouple SessionStore from Agent in core/session-store.ts
162
+ 3. Break circular dep between Config and Logger in core/config.ts
163
163
  </next_steps>
164
164
  ```
165
165
 
@@ -21,6 +21,7 @@ Scans code, configs, and dependencies for security issues. Reports with severity
21
21
  4. Don't flag test fixtures — mock credentials in tests are acceptable.
22
22
  5. Always run dependency audit — supply chain is a real attack vector.
23
23
  6. Flag config issues (TLS disabled, HTTP in production) as CRITICAL.
24
+ 7. Never echo a full secret into the report — redact it (short prefix + char count, e.g. `ghp_…36 chars`). Cite `file:line` you have read; don't flag from a pattern guess.
24
25
 
25
26
  ## Patterns
26
27
 
@@ -157,9 +158,9 @@ element.textContent = userInput;
157
158
  - [ ] Add rate limiting to `src/api/` routes
158
159
 
159
160
  <next_steps>
160
- 1. [CRITICAL] `src/config.ts` — remove hardcoded API key, use env var
161
- 2. [HIGH] `src/auth/login.ts` — replace exec() with execFile()
162
- 3. [MEDIUM] `src/api/routes.ts` — add rate limiting middleware
161
+ 1. Fix the hardcoded API key in src/config.ts
162
+ 2. Fix the shell injection in src/auth/login.ts
163
+ 3. Fix the missing rate limiting in src/api/routes.ts
163
164
  </next_steps>
164
165
  ```
165
166
 
@@ -105,8 +105,7 @@ When APPROVED:
105
105
  **Note**: <any caveats about the version, semver range, or compatibility>
106
106
 
107
107
  <next_steps>
108
- 1. [APPROVED/REJECTED] Package decision with rationale
109
- 2. [If rejected] Migration step to the recommended alternative
108
+ 1. Add <package>@<version> to the project auto="true"
110
109
  </next_steps>
111
110
  ```
112
111