awesome-slash 2.4.2 → 2.4.4

package/CHANGELOG.md

@@ -7,9 +7,41 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [2.4.4] - 2026-01-18
+
+### Added
+- **PR Auto-Review Process** - Added mandatory workflow for 4 auto-reviewers (Copilot, Claude, Gemini, Codex)
+- **Agent Responsibilities** - Documented required tools and MUST-CALL agents for /next-task and /ship
+- **CLAUDE.md Enhancement** - Comprehensive agent workflow documentation with tool restrictions
+
+### Changed
+- Updated ci-monitor.md with 4-reviewer process details
+- Updated ship-ci-review-loop.md with PR auto-review section
+
+## [2.4.3] - 2026-01-18
+
+### Added
+- **CLAUDE.md** - Project guidelines with release process and PR auto-review workflow
+- **npm installation option** - Added npm as primary installation method to INSTALLATION.md
+
+### Fixed
+- **Documentation sync** - Fixed outdated references across all documentation:
+  - Fixed plugin install commands in adapters/README.md (`deslop-around` → `awesome-slash`)
+  - Updated phase counts in CROSS_PLATFORM.md (`17-phase` → `13/12-phase`)
+  - Completed agent list in CROSS_PLATFORM.md (8 → 18 agents)
+  - Updated version references throughout docs
+
+### Changed
+- Reorganized INSTALLATION.md with npm as Option 1 (Recommended)
+
 ## [2.4.2] - 2026-01-18
 
 ### Fixed
+- **Security**: Addressed 32 technical debt issues from multi-agent review (#84)
+  - Fixed command injection vulnerabilities in context-optimizer.js
+  - Addressed path traversal risks in workflow-state.js
+  - Enhanced input validation across core libraries
+  - Added 255 new tests (total: 180 → 435 tests)
 - **Renamed package** from `awsome-slash` to `awesome-slash` (fixed typo)
 - Updated all internal references, repository URLs, and environment variable names
 

package/README.md

@@ -6,17 +6,17 @@ A cross-platform plugin providing powerful, zero-configuration slash commands fo
 
 [![npm](https://img.shields.io/npm/v/awesome-slash?color=red)](https://www.npmjs.com/package/awesome-slash)
 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
-[![Version](https://img.shields.io/badge/version-2.4.2-blue)](https://github.com/avifenesh/awesome-slash/releases)
+[![Version](https://img.shields.io/badge/version-2.4.4-blue)](https://github.com/avifenesh/awesome-slash/releases)
 [![GitHub stars](https://img.shields.io/github/stars/awesome-slash?style=flat&color=yellow)](https://github.com/avifenesh/awesome-slash/stargazers)
 [![Claude Code](https://img.shields.io/badge/Claude-Code%20Plugin-blue)](https://docs.anthropic.com/en/docs/claude-code)
 [![Codex CLI](https://img.shields.io/badge/Codex-CLI%20Compatible-green)](https://developers.openai.com/codex/cli)
 [![OpenCode](https://img.shields.io/badge/OpenCode-Compatible-orange)](https://opencode.ai)
 
-## What's New in v2.4.0
+## What's New in v2.4.4
 
-- **Reality Check Plugin** - Deep repository analysis to detect plan drift and gaps
-- **Multi-Agent Parallel Scanning** - Issue scanner, doc analyzer, code explorer run simultaneously
-- **Prioritized Reconstruction Plans** - Automated drift detection with priority-weighted action items
+- **PR Auto-Review Process** - Added mandatory workflow for 4 auto-reviewers (Copilot, Claude, Gemini, Codex)
+- **Agent Responsibilities** - Documented required tools and MUST-CALL agents for /next-task and /ship
+- **CLAUDE.md Enhancement** - Comprehensive agent workflow documentation
 
 ---
 
@@ -96,7 +96,7 @@ Complete task-to-production automation with state management and resume capabili
 **Features:**
 - **Fully autonomous** after plan approval - no human in the loop
 - Resume capability with `.claude/.workflow-state.json`
-- 14 specialist agents with model optimization (opus/sonnet)
+- 18 specialist agents with model optimization (opus/sonnet)
 - Quality gates: deslop-work, test-coverage-checker, delivery-validator, docs-updater
 - SubagentStop hooks for automatic workflow transitions
 - Policy-based stopping points (pr-created, merged, deployed, production)
@@ -274,7 +274,7 @@ Workflows persist state in `.claude/.workflow-state.json`:
 }
 ```
 
-### Specialist Agents (12 Total)
+### Specialist Agents (18 Total)
 
 **Core Workflow (Opus - Complex Tasks):**
 | Agent | Purpose |
@@ -300,6 +300,14 @@ Workflows persist state in `.claude/.workflow-state.json`:
 | worktree-manager | Create isolated worktrees |
 | ci-monitor | Monitor CI/PR status with sleep loops |
 
+**Reality Check (Sonnet + Opus - Plan Drift Detection):**
+| Agent | Purpose |
+|-------|---------|
+| issue-scanner | Analyze GitHub issues, PRs, milestones |
+| doc-analyzer | Examine documentation for plans and roadmaps |
+| code-explorer | Deep codebase structure analysis |
+| plan-synthesizer | Combine findings into prioritized plan (opus) |
+
 ---
 
 ## Repository Structure
@@ -311,11 +319,12 @@ awesome-slash/
 ├── plugins/
 │   ├── next-task/           # Master workflow orchestrator
 │   │   ├── commands/        # next-task, update-docs-around, delivery-approval
-│   │   ├── agents/          # 14 specialist agents
+│   │   ├── agents/          # 18 specialist agents
 │   │   └── hooks/           # SubagentStop hooks for workflow automation
 │   ├── ship/                # PR workflow
 │   ├── deslop-around/       # AI slop cleanup
-│   └── project-review/      # Multi-agent review
+│   ├── project-review/      # Multi-agent review
+│   └── reality-check/       # Plan drift detection
 ├── lib/
 │   ├── state/               # Workflow state management
 │   ├── platform/            # Auto-detection

package/adapters/README.md

@@ -8,7 +8,7 @@ This directory contains adapters for using awesome-slash commands with different
 The primary target. Install via marketplace:
 ```bash
 claude plugin marketplace add avifenesh/awesome-slash
-claude plugin install deslop-around@awesome-slash
+claude plugin install awesome-slash@awesome-slash
 ```
 
 See main [README.md](../README.md) for details.
@@ -130,7 +130,7 @@ Installers automatically handle these substitutions.
 ```bash
 # Via marketplace (easiest)
 claude plugin marketplace add avifenesh/awesome-slash
-claude plugin install deslop-around@awesome-slash
+claude plugin install awesome-slash@awesome-slash
 ```
 
 **Pros:**

package/lib/index.js

@@ -0,0 +1,127 @@
+/**
+ * Awesome-Slash Core Library
+ *
+ * Unified entry point for all core library modules.
+ * Provides platform detection, pattern matching, workflow state management,
+ * and context optimization utilities.
+ *
+ * @module awesome-slash/lib
+ * @author Avi Fenesh
+ * @license MIT
+ */
+
+const detectPlatform = require('./platform/detect-platform');
+const verifyTools = require('./platform/verify-tools');
+const reviewPatterns = require('./patterns/review-patterns');
+const slopPatterns = require('./patterns/slop-patterns');
+const workflowState = require('./state/workflow-state');
+const contextOptimizer = require('./utils/context-optimizer');
+
+/**
+ * Platform detection and verification utilities
+ */
+const platform = {
+  /**
+   * Detect project platform configuration
+   * @see module:platform/detect-platform
+   */
+  detect: detectPlatform.detect,
+  detectAsync: detectPlatform.detectAsync,
+  detectCI: detectPlatform.detectCI,
+  detectDeployment: detectPlatform.detectDeployment,
+  detectProjectType: detectPlatform.detectProjectType,
+  detectPackageManager: detectPlatform.detectPackageManager,
+  detectBranchStrategy: detectPlatform.detectBranchStrategy,
+  detectMainBranch: detectPlatform.detectMainBranch,
+  invalidateCache: detectPlatform.invalidateCache,
+
+  /**
+   * Verify tool availability
+   * @see module:platform/verify-tools
+   */
+  verifyTools: verifyTools.verify,
+  verifyToolsAsync: verifyTools.verifyAsync,
+  checkTool: verifyTools.checkTool,
+  checkToolAsync: verifyTools.checkToolAsync,
+  TOOL_DEFINITIONS: verifyTools.TOOL_DEFINITIONS
+};
+
+/**
+ * Code pattern matching utilities
+ */
+const patterns = {
+  /**
+   * Review patterns for code quality analysis
+   * @see module:patterns/review-patterns
+   */
+  review: reviewPatterns,
+
+  /**
+   * Slop patterns for AI-generated code detection
+   * @see module:patterns/slop-patterns
+   */
+  slop: slopPatterns
+};
+
+/**
+ * Workflow state management
+ * @see module:state/workflow-state
+ */
+const state = {
+  // Constants
+  SCHEMA_VERSION: workflowState.SCHEMA_VERSION,
+  PHASES: workflowState.PHASES,
+  DEFAULT_POLICY: workflowState.DEFAULT_POLICY,
+
+  // Core functions
+  generateWorkflowId: workflowState.generateWorkflowId,
+  getStatePath: workflowState.getStatePath,
+  ensureStateDir: workflowState.ensureStateDir,
+
+  // CRUD operations
+  createState: workflowState.createState,
+  readState: workflowState.readState,
+  writeState: workflowState.writeState,
+  updateState: workflowState.updateState,
+  deleteState: workflowState.deleteState,
+
+  // Phase management
+  startPhase: workflowState.startPhase,
+  completePhase: workflowState.completePhase,
+  failPhase: workflowState.failPhase,
+  skipToPhase: workflowState.skipToPhase,
+
+  // Workflow lifecycle
+  completeWorkflow: workflowState.completeWorkflow,
+  abortWorkflow: workflowState.abortWorkflow,
+  hasActiveWorkflow: workflowState.hasActiveWorkflow,
+  getWorkflowSummary: workflowState.getWorkflowSummary,
+
+  // Agent management
+  updateAgentResult: workflowState.updateAgentResult,
+  incrementIteration: workflowState.incrementIteration
+};
+
+/**
+ * Git command optimization utilities
+ * @see module:utils/context-optimizer
+ */
+const utils = {
+  contextOptimizer
+};
+
+// Main exports
+module.exports = {
+  platform,
+  patterns,
+  state,
+  utils,
+
+  // Direct module access for backward compatibility
+  detectPlatform,
+  verifyTools,
+  reviewPatterns,
+  slopPatterns,
+  workflowState,
+  contextOptimizer
+};

package/lib/patterns/slop-patterns.js

@@ -24,8 +24,14 @@ function deepFreeze(obj) {
 const MAX_PATTERN_CACHE_SIZE = 50;
 const _compiledExcludePatterns = new Map();
 
+/**
+ * Maximum allowed wildcards in a glob pattern to prevent ReDoS
+ */
+const MAX_GLOB_WILDCARDS = 10;
+
 /**
  * Get a compiled regex for an exclude pattern (cached)
+ * Uses safe regex construction to prevent catastrophic backtracking
  * @param {string} pattern - Glob pattern to compile
  * @returns {RegExp} Compiled regex
  */
@@ -36,9 +42,27 @@ function getCompiledPattern(pattern) {
       const firstKey = _compiledExcludePatterns.keys().next().value;
       _compiledExcludePatterns.delete(firstKey);
     }
-    // Escape all regex metacharacters except *, then replace * with .*
+
+    // Count wildcards to prevent overly complex patterns
+    const wildcardCount = (pattern.match(/\*/g) || []).length;
+    if (wildcardCount > MAX_GLOB_WILDCARDS) {
+      // Too many wildcards - use a safe fallback that matches nothing dangerous
+      _compiledExcludePatterns.set(pattern, /^$/);
+      return _compiledExcludePatterns.get(pattern);
+    }
+
+    // Escape all regex metacharacters except *
     const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, '\\$&');
-    const regexStr = '^' + escaped.replace(/\*/g, '.*') + '$';
+
+    // Convert glob patterns to regex:
+    // - Both * and ** use .* for backward compatibility (patterns match anywhere in path)
+    // - ReDoS protection is provided by MAX_GLOB_WILDCARDS limit above
+    let regexStr = escaped
+      .replace(/\*\*/g, '\0GLOBSTAR\0')  // Temporarily mark globstar
+      .replace(/\*/g, '.*')              // Single star: match anything (backward compatible)
+      .replace(/\0GLOBSTAR\0/g, '.*');   // Globstar: match anything
+
+    regexStr = '^' + regexStr + '$';
     _compiledExcludePatterns.set(pattern, new RegExp(regexStr));
   }
   return _compiledExcludePatterns.get(pattern);
@@ -240,9 +264,12 @@ const slopPatterns = {
 
   /**
    * Hardcoded credentials patterns (expanded for comprehensive detection)
+   * Excludes common false positives:
+   * - Template placeholders: ${VAR}, {{VAR}}, <VAR>
+   * - Masked/example values: xxxxxxxx, ********
    */
   hardcoded_secrets: {
-    pattern: /(password|secret|api[_-]?key|token|credential|auth)[_-]?(key|token|secret|pass)?\s*[:=]\s*["'`][^"'`\s]{8,}["'`]/i,
+    pattern: /(password|secret|api[_-]?key|token|credential|auth)[_-]?(key|token|secret|pass)?\s*[:=]\s*["'`](?!\$\{)(?!\{\{)(?!<[A-Z_])(?![x*#]{8,})(?![X*#]{8,})[^"'`\s]{8,}["'`]/i,
     exclude: ['*.test.*', '*.spec.*', '*.example.*', '*.sample.*', 'README.*', '*.md'],
     severity: 'critical',
     autoFix: 'flag',

package/lib/platform/detect-platform.js

@@ -17,6 +17,68 @@ const { promisify } = require('util');
 const execAsync = promisify(exec);
 const fsPromises = fs.promises;
 
+/**
+ * Default timeout for async operations (5 seconds)
+ */
+const DEFAULT_ASYNC_TIMEOUT_MS = 5000;
+
+/**
+ * Maximum JSON file size to parse (1MB) - prevents DoS via large files
+ */
+const MAX_JSON_SIZE_BYTES = 1024 * 1024;
+
+/**
+ * Safely parse JSON content with size limit
+ * @param {string} content - JSON string to parse
+ * @param {string} filename - Filename for error messages
+ * @returns {Object|null} Parsed object or null if invalid/too large
+ */
+function safeJSONParse(content, filename = 'unknown') {
+  if (!content || typeof content !== 'string') {
+    return null;
+  }
+  if (content.length > MAX_JSON_SIZE_BYTES) {
+    // File too large - skip parsing to prevent DoS
+    return null;
+  }
+  try {
+    return JSON.parse(content);
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Wrap a promise with a timeout
+ * @param {Promise} promise - Promise to wrap
+ * @param {number} timeoutMs - Timeout in milliseconds
+ * @param {string} operation - Operation name for error message
+ * @returns {Promise} Promise that rejects on timeout
+ */
+function withTimeout(promise, timeoutMs = DEFAULT_ASYNC_TIMEOUT_MS, operation = 'operation') {
+  let timeoutId;
+  const timeoutPromise = new Promise((_, reject) => {
+    timeoutId = setTimeout(() => {
+      reject(new Error(`${operation} timed out after ${timeoutMs}ms`));
+    }, timeoutMs);
+  });
+
+  return Promise.race([promise, timeoutPromise]).finally(() => {
+    clearTimeout(timeoutId);
+  });
+}
+
+/**
+ * Execute a command with timeout protection
+ * @param {string} cmd - Command to execute
+ * @param {Object} options - exec options
+ * @param {number} timeoutMs - Timeout in milliseconds
+ * @returns {Promise<{stdout: string, stderr: string}>}
+ */
+async function execAsyncWithTimeout(cmd, options = {}, timeoutMs = DEFAULT_ASYNC_TIMEOUT_MS) {
+  return withTimeout(execAsync(cmd, options), timeoutMs, `exec: ${cmd.substring(0, 50)}`);
+}
+
 // Detection cache for performance (platform rarely changes during session)
 let _cachedDetection = null;
 let _cacheExpiry = 0;
@@ -25,18 +87,22 @@ const CACHE_TTL_MS = 60000; // 1 minute cache
 // File read cache to avoid reading the same file multiple times (#17)
 // Limited to prevent unbounded memory growth in long-running processes
 const MAX_CACHE_SIZE = 100;
+const MAX_CACHED_FILE_SIZE = 64 * 1024; // 64KB max per cached file
 const _fileCache = new Map();
 const _existsCache = new Map();
 
 /**
- * Enforce cache size limits using FIFO eviction
+ * Enforce cache size limits using O(1) FIFO eviction
+ * Uses Map's insertion order guarantee for efficient eviction
  * @param {Map} cache - Cache to limit
  * @param {number} maxSize - Maximum entries
  */
 function enforceMaxCacheSize(cache, maxSize = MAX_CACHE_SIZE) {
-  if (cache.size > maxSize) {
-    const keysToDelete = Array.from(cache.keys()).slice(0, cache.size - maxSize);
-    keysToDelete.forEach(key => cache.delete(key));
+  // O(1) eviction: delete oldest entries one at a time
+  // Map maintains insertion order, so first key is oldest
+  while (cache.size > maxSize) {
+    const firstKey = cache.keys().next().value;
+    cache.delete(firstKey);
   }
 }
 
@@ -78,6 +144,7 @@ async function existsCachedAsync(filepath) {
 
 /**
  * Read file contents (cached)
+ * Only caches files smaller than MAX_CACHED_FILE_SIZE to prevent memory bloat
  * @param {string} filepath - Path to read
  * @returns {string|null}
  */
@@ -87,10 +154,14 @@ function readFileCached(filepath) {
   }
   try {
     const content = fs.readFileSync(filepath, 'utf8');
-    _fileCache.set(filepath, content);
-    enforceMaxCacheSize(_fileCache);
+    // Only cache small files to prevent memory bloat
+    if (content.length <= MAX_CACHED_FILE_SIZE) {
+      _fileCache.set(filepath, content);
+      enforceMaxCacheSize(_fileCache);
+    }
     return content;
   } catch {
+    // Cache null for missing files (small memory footprint)
     _fileCache.set(filepath, null);
     enforceMaxCacheSize(_fileCache);
     return null;
@@ -99,6 +170,7 @@ function readFileCached(filepath) {
 
 /**
  * Read file contents (cached, async)
+ * Only caches files smaller than MAX_CACHED_FILE_SIZE to prevent memory bloat
  * @param {string} filepath - Path to read
  * @returns {Promise<string|null>}
  */
@@ -108,10 +180,14 @@ async function readFileCachedAsync(filepath) {
   }
   try {
     const content = await fsPromises.readFile(filepath, 'utf8');
-    _fileCache.set(filepath, content);
-    enforceMaxCacheSize(_fileCache);
+    // Only cache small files to prevent memory bloat
+    if (content.length <= MAX_CACHED_FILE_SIZE) {
+      _fileCache.set(filepath, content);
+      enforceMaxCacheSize(_fileCache);
+    }
     return content;
   } catch {
+    // Cache null for missing files (small memory footprint)
     _fileCache.set(filepath, null);
     enforceMaxCacheSize(_fileCache);
     return null;
@@ -298,7 +374,7 @@ function detectBranchStrategy() {
       try {
         const content = readFileCached('railway.json');
         if (content) {
-          const config = JSON.parse(content);
+          const config = safeJSONParse(content, 'railway.json');
           // Validate JSON structure before accessing properties
           if (config &&
               typeof config === 'object' &&
@@ -323,10 +399,10 @@ function detectBranchStrategy() {
  */
 async function detectBranchStrategyAsync() {
   try {
-    // Run git commands in parallel
+    // Run git commands in parallel with timeout protection
     const [localResult, remoteResult] = await Promise.all([
-      execAsync('git branch', { encoding: 'utf8' }).catch(() => ({ stdout: '' })),
-      execAsync('git branch -r', { encoding: 'utf8' }).catch(() => ({ stdout: '' }))
+      execAsyncWithTimeout('git branch', { encoding: 'utf8' }).catch(() => ({ stdout: '' })),
+      execAsyncWithTimeout('git branch -r', { encoding: 'utf8' }).catch(() => ({ stdout: '' }))
     ]);
 
     const allBranches = (localResult.stdout || '') + (remoteResult.stdout || '');
@@ -343,7 +419,7 @@ async function detectBranchStrategyAsync() {
       try {
         const content = await readFileCachedAsync('railway.json');
         if (content) {
-          const config = JSON.parse(content);
+          const config = safeJSONParse(content, 'railway.json');
           if (config &&
               typeof config === 'object' &&
               typeof config.environments === 'object' &&
@@ -394,12 +470,12 @@ function detectMainBranch() {
  */
 async function detectMainBranchAsync() {
   try {
-    const { stdout } = await execAsync('git symbolic-ref refs/remotes/origin/HEAD', { encoding: 'utf8' });
+    const { stdout } = await execAsyncWithTimeout('git symbolic-ref refs/remotes/origin/HEAD', { encoding: 'utf8' });
     return stdout.trim().replace('refs/remotes/origin/', '');
   } catch {
     // Fallback: check common names
     try {
-      await execAsync('git rev-parse --verify main', { encoding: 'utf8' });
+      await execAsyncWithTimeout('git rev-parse --verify main', { encoding: 'utf8' });
       return 'main';
     } catch {
       return 'master';

package/lib/state/workflow-state.js

@@ -13,6 +13,118 @@ const SCHEMA_VERSION = '2.0.0';
 const STATE_DIR = '.claude';
 const STATE_FILE = 'workflow-state.json';
 
+/**
+ * State cache configuration
+ */
+const STATE_CACHE_TTL_MS = 200; // Cache TTL for rapid successive reads
+const _stateCache = new Map(); // Cache keyed by resolved base directory
+
+/**
+ * Get cached state if valid
+ * @param {string} cacheKey - Cache key (resolved base path)
+ * @returns {Object|null} Cached state or null if expired/missing
+ */
+function getCachedState(cacheKey) {
+  const cached = _stateCache.get(cacheKey);
+  if (cached && Date.now() < cached.expiry) {
+    return cached.state;
+  }
+  return null;
+}
+
+/**
+ * Set state cache
+ * @param {string} cacheKey - Cache key (resolved base path)
+ * @param {Object} state - State to cache
+ */
+function setCachedState(cacheKey, state) {
+  _stateCache.set(cacheKey, {
+    state,
+    expiry: Date.now() + STATE_CACHE_TTL_MS
+  });
+}
+
+/**
+ * Invalidate state cache for a directory
+ * @param {string} cacheKey - Cache key (resolved base path)
+ */
+function invalidateStateCache(cacheKey) {
+  _stateCache.delete(cacheKey);
+}
+
+/**
+ * Clear all state caches (useful for testing)
+ */
+function clearAllStateCaches() {
+  _stateCache.clear();
+}
+
+/**
+ * Validate and normalize base directory path to prevent path traversal
+ * @param {string} baseDir - Base directory path
+ * @returns {string} Validated absolute path
+ * @throws {Error} If path is invalid or potentially dangerous
+ */
+function validateBasePath(baseDir) {
+  if (typeof baseDir !== 'string' || baseDir.length === 0) {
+    throw new Error('Base directory must be a non-empty string');
+  }
+
+  // Resolve to absolute path
+  const resolvedPath = path.resolve(baseDir);
+
+  // Check for null bytes (path traversal via null byte injection)
+  if (resolvedPath.includes('\0')) {
+    throw new Error('Path contains invalid null byte');
+  }
+
+  // Ensure the path exists and is a directory
+  try {
+    const stats = fs.statSync(resolvedPath);
+    if (!stats.isDirectory()) {
+      throw new Error('Path is not a directory');
+    }
+  } catch (error) {
+    if (error.code === 'ENOENT') {
+      // Directory doesn't exist yet - that's OK, it will be created
+      // But the parent must exist and be a directory
+      const parentDir = path.dirname(resolvedPath);
+      try {
+        const parentStats = fs.statSync(parentDir);
+        if (!parentStats.isDirectory()) {
+          throw new Error('Parent path is not a directory');
+        }
+      } catch (parentError) {
+        if (parentError.code === 'ENOENT') {
+          throw new Error('Parent directory does not exist');
+        }
+        throw parentError;
+      }
+    } else if (error.message) {
+      throw error;
+    }
+  }
+
+  return resolvedPath;
+}
+
+/**
+ * Validate that the final state path is within the base directory
+ * @param {string} statePath - The full state file path
+ * @param {string} baseDir - The validated base directory
+ * @throws {Error} If path traversal is detected
+ */
+function validateStatePathWithinBase(statePath, baseDir) {
+  const resolvedStatePath = path.resolve(statePath);
+  const resolvedBaseDir = path.resolve(baseDir);
+
+  // Ensure state path is within base directory
+  if (!resolvedStatePath.startsWith(resolvedBaseDir + path.sep) &&
+      resolvedStatePath !== resolvedBaseDir) {
+    throw new Error('Path traversal detected: state path is outside base directory');
+  }
+}
+
 const PHASES = [
   'policy-selection',
   'task-discovery',
@@ -34,6 +146,27 @@ const PHASES = [
   'complete'
 ];
 
+// Pre-computed phase index map for O(1) lookup (vs O(n) array indexOf)
+const PHASE_INDEX = new Map(PHASES.map((phase, index) => [phase, index]));
+
+/**
+ * Check if a phase name is valid (O(1) lookup)
+ * @param {string} phaseName - Phase to check
+ * @returns {boolean} True if valid phase
+ */
+function isValidPhase(phaseName) {
+  return PHASE_INDEX.has(phaseName);
+}
+
+/**
+ * Get the index of a phase (O(1) lookup)
+ * @param {string} phaseName - Phase name
+ * @returns {number} Phase index or -1 if invalid
+ */
+function getPhaseIndex(phaseName) {
+  return PHASE_INDEX.has(phaseName) ? PHASE_INDEX.get(phaseName) : -1;
+}
+
 const DEFAULT_POLICY = {
   taskSource: 'gh-issues',
   priorityFilter: 'continue',
@@ -57,20 +190,33 @@ function generateWorkflowId() {
 }
 
 /**
- * Get the state file path
+ * Get the state file path with validation
  * @param {string} [baseDir=process.cwd()] - Base directory
  * @returns {string} Full path to state file
+ * @throws {Error} If path validation fails
  */
 function getStatePath(baseDir = process.cwd()) {
-  return path.join(baseDir, STATE_DIR, STATE_FILE);
+  const validatedBase = validateBasePath(baseDir);
+  const statePath = path.join(validatedBase, STATE_DIR, STATE_FILE);
+
+  // Verify the state path is still within the base directory
+  validateStatePathWithinBase(statePath, validatedBase);
+
+  return statePath;
 }
 
 /**
- * Ensure state directory exists
+ * Ensure state directory exists with validation
  * @param {string} [baseDir=process.cwd()] - Base directory
+ * @throws {Error} If path validation fails
  */
 function ensureStateDir(baseDir = process.cwd()) {
-  const stateDir = path.join(baseDir, STATE_DIR);
+  const validatedBase = validateBasePath(baseDir);
+  const stateDir = path.join(validatedBase, STATE_DIR);
+
+  // Verify the state dir path is still within the base directory
+  validateStatePathWithinBase(stateDir, validatedBase);
+
   if (!fs.existsSync(stateDir)) {
     fs.mkdirSync(stateDir, { recursive: true });
   }
@@ -122,12 +268,24 @@ function createState(type = 'next-task', policy = {}) {
 }
 
 /**
- * Read workflow state from file
+ * Read workflow state from file (with caching for rapid successive reads)
  * @param {string} [baseDir=process.cwd()] - Base directory
+ * @param {Object} [options={}] - Options
+ * @param {boolean} [options.skipCache=false] - Skip cache and read from file
  * @returns {Object|Error|null} Workflow state, Error if corrupted, or null if not found
  */
-function readState(baseDir = process.cwd()) {
+function readState(baseDir = process.cwd(), options = {}) {
   const statePath = getStatePath(baseDir);
+  const cacheKey = path.resolve(baseDir);
+
+  // Check cache first (unless skipCache is true)
+  if (!options.skipCache) {
+    const cached = getCachedState(cacheKey);
+    if (cached !== null) {
+      // Return a deep copy to prevent mutations affecting cache
+      return JSON.parse(JSON.stringify(cached));
+    }
+  }
 
   if (!fs.existsSync(statePath)) {
     return null;
@@ -143,6 +301,9 @@ function readState(baseDir = process.cwd()) {
       // Future: Add migration logic here
     }
 
+    // Cache the state
+    setCachedState(cacheKey, state);
+
     return state;
   } catch (error) {
     const corrupted = new Error(`Corrupted workflow state: ${error.message}`);
@@ -154,7 +315,7 @@ function readState(baseDir = process.cwd()) {
 }
 
 /**
- * Write workflow state to file
+ * Write workflow state to file (invalidates cache)
  * @param {Object} state - Workflow state
  * @param {string} [baseDir=process.cwd()] - Base directory
  * @returns {boolean} Success status
@@ -162,6 +323,7 @@ function readState(baseDir = process.cwd()) {
 function writeState(state, baseDir = process.cwd()) {
   ensureStateDir(baseDir);
   const statePath = getStatePath(baseDir);
+  const cacheKey = path.resolve(baseDir);
 
   try {
     // Update timestamp
@@ -169,8 +331,14 @@ function writeState(state, baseDir = process.cwd()) {
 
     const content = JSON.stringify(state, null, 2);
     fs.writeFileSync(statePath, content, 'utf8');
+
+    // Update cache with new state
+    setCachedState(cacheKey, state);
+
     return true;
   } catch (error) {
+    // Invalidate cache on write error
+    invalidateStateCache(cacheKey);
     console.error(`Error writing state: ${error.message}`);
     return false;
   }
@@ -205,12 +373,24 @@ function updateState(updates, baseDir = process.cwd()) {
 }
 
 /**
- * Deep merge two objects (with prototype pollution protection)
+ * Maximum recursion depth for deepMerge to prevent stack overflow attacks
+ */
+const MAX_MERGE_DEPTH = 50;
+
+/**
+ * Deep merge two objects (with prototype pollution and stack overflow protection)
  * @param {Object} target - Target object
  * @param {Object} source - Source object
+ * @param {number} [depth=0] - Current recursion depth (internal)
  * @returns {Object} Merged object
+ * @throws {Error} If recursion depth exceeds MAX_MERGE_DEPTH
  */
-function deepMerge(target, source) {
+function deepMerge(target, source, depth = 0) {
+  // Protect against stack overflow from deeply nested objects
+  if (depth > MAX_MERGE_DEPTH) {
+    throw new Error(`Maximum merge depth (${MAX_MERGE_DEPTH}) exceeded - possible circular reference or attack`);
+  }
+
   // Handle null/undefined cases
   if (!source || typeof source !== 'object') return target;
   if (!target || typeof target !== 'object') return source;
@@ -234,9 +414,9 @@ function deepMerge(target, source) {
     else if (sourceVal === null) {
       result[key] = null;
     }
-    // Recursively merge plain objects
+    // Recursively merge plain objects (with depth tracking)
     else if (sourceVal && typeof sourceVal === 'object' && !Array.isArray(sourceVal)) {
-      result[key] = deepMerge(targetVal || {}, sourceVal);
+      result[key] = deepMerge(targetVal || {}, sourceVal, depth + 1);
     }
     // Replace arrays and primitives
     else {
@@ -254,7 +434,7 @@ function deepMerge(target, source) {
  * @returns {Object|null} Updated state or null on error
  */
 function startPhase(phaseName, baseDir = process.cwd()) {
-  if (!PHASES.includes(phaseName)) {
+  if (!isValidPhase(phaseName)) {
     console.error(`Invalid phase: ${phaseName}`);
     return null;
   }
@@ -324,7 +504,7 @@ function completePhase(result = {}, baseDir = process.cwd()) {
   if (!state) return null;
 
   const history = finalizePhaseEntry(state, 'completed', result);
-  const currentIndex = PHASES.indexOf(state.phases.current);
+  const currentIndex = getPhaseIndex(state.phases.current);
   const nextPhase = currentIndex < PHASES.length - 1 ? PHASES[currentIndex + 1] : 'complete';
 
   return updateState({
@@ -369,7 +549,7 @@ function failPhase(reason, context = {}, baseDir = process.cwd()) {
  * @returns {Object|null} Updated state or null on error
  */
 function skipToPhase(phaseName, reason = 'manual skip', baseDir = process.cwd()) {
-  if (!PHASES.includes(phaseName)) {
+  if (!isValidPhase(phaseName)) {
     console.error(`Invalid phase: ${phaseName}`);
     return null;
   }
@@ -381,8 +561,8 @@ function skipToPhase(phaseName, reason = 'manual skip', baseDir = process.cwd())
   }
   if (!state) return null;
 
-  const currentIndex = PHASES.indexOf(state.phases.current);
-  const targetIndex = PHASES.indexOf(phaseName);
+  const currentIndex = getPhaseIndex(state.phases.current);
+  const targetIndex = getPhaseIndex(phaseName);
 
   // Add skipped entries for phases we're jumping over
   const history = [...(state.phases.history || [])];
@@ -603,7 +783,13 @@ module.exports = {
   // Constants
   SCHEMA_VERSION,
   PHASES,
+  PHASE_INDEX,
   DEFAULT_POLICY,
+  MAX_MERGE_DEPTH,
+
+  // Phase helpers (O(1) lookup)
+  isValidPhase,
+  getPhaseIndex,
 
   // Core functions
   generateWorkflowId,
@@ -631,5 +817,19 @@ module.exports = {
 
   // Agent management
   updateAgentResult,
-  incrementIteration
+  incrementIteration,
+
+  // Cache management
+  clearAllStateCaches,
+
+  // Internal functions for testing
+  _internal: {
+    validateBasePath,
+    validateStatePathWithinBase,
+    deepMerge,
+    getCachedState,
+    setCachedState,
+    invalidateStateCache,
+    STATE_CACHE_TTL_MS
+  }
 };

package/lib/utils/context-optimizer.js

@@ -45,6 +45,79 @@ function sanitizeExtension(ext) {
   return safe || 'ts';
 }
 
+/**
+ * Validate git branch name to prevent command injection
+ * @param {string} branch - Branch name to validate
+ * @returns {string} Validated branch name
+ * @throws {Error} If branch name contains invalid characters
+ */
+function validateBranchName(branch) {
+  if (typeof branch !== 'string' || branch.length === 0) {
+    throw new Error('Branch name must be a non-empty string');
+  }
+  if (branch.length > 255) {
+    throw new Error('Branch name too long (max 255 characters)');
+  }
+  // Allow alphanumeric, underscore, hyphen, forward slash, and dot
+  if (!/^[a-zA-Z0-9/_.-]+$/.test(branch)) {
+    throw new Error('Branch name contains invalid characters');
+  }
+  // Prevent git option injection
+  if (branch.startsWith('-')) {
+    throw new Error('Branch name cannot start with hyphen');
+  }
+  return branch;
+}
+
+/**
+ * Validate git reference to prevent command injection
+ * @param {string} ref - Git reference to validate
+ * @returns {string} Validated reference
+ * @throws {Error} If reference contains invalid characters
+ */
+function validateGitRef(ref) {
+  if (typeof ref !== 'string' || ref.length === 0) {
+    throw new Error('Git reference must be a non-empty string');
+  }
+  if (ref.length > 255) {
+    throw new Error('Git reference too long (max 255 characters)');
+  }
+  // Allow alphanumeric, tilde, caret, dot, hyphen, underscore, forward slash
+  if (!/^[a-zA-Z0-9~^._/-]+$/.test(ref)) {
+    throw new Error('Git reference contains invalid characters');
+  }
+  // Prevent git option injection
+  if (ref.startsWith('-')) {
+    throw new Error('Git reference cannot start with hyphen');
+  }
+  return ref;
+}
+
+/**
+ * Validate numeric limit parameter
+ * @param {number} limit - Limit value to validate
+ * @param {number} max - Maximum allowed value (default: 1000)
+ * @returns {number} Validated limit
+ * @throws {Error} If limit is invalid
+ */
+function validateLimit(limit, max = 1000) {
+  // Strict type check - must be number or numeric string
+  if (typeof limit === 'string') {
+    // Only allow pure numeric strings
+    if (!/^\d+$/.test(limit)) {
+      throw new Error('Limit must be a positive integer');
+    }
+  }
+  const num = typeof limit === 'number' ? limit : parseInt(limit, 10);
+  if (!Number.isInteger(num) || num < 1) {
+    throw new Error('Limit must be a positive integer');
+  }
+  if (num > max) {
+    throw new Error(`Limit cannot exceed ${max}`);
+  }
+  return num;
+}
+
 /**
  * Git command optimization utilities for context efficiency
  */
@@ -54,8 +127,10 @@ const contextOptimizer = {
    * @param {number} limit - Number of commits to retrieve (default: 10)
    * @returns {string} Git command
    */
-  recentCommits: (limit = 10) =>
-    `git log --oneline --no-decorate -${limit} --format="%h %s"`,
+  recentCommits: (limit = 10) => {
+    const safeLimit = validateLimit(limit);
+    return `git log --oneline --no-decorate -${safeLimit} --format="%h %s"`;
+  },
 
   /**
    * Get compact git status (untracked files excluded)
@@ -69,8 +144,10 @@ const contextOptimizer = {
    * @param {string} ref - Reference to compare from (default: 'HEAD~5')
    * @returns {string} Git command
    */
-  fileChanges: (ref = 'HEAD~5') =>
-    `git diff ${ref}..HEAD --name-status`,
+  fileChanges: (ref = 'HEAD~5') => {
+    const safeRef = validateGitRef(ref);
+    return `git diff ${safeRef}..HEAD --name-status`;
+  },
 
   /**
    * Get current branch name
@@ -107,11 +184,15 @@ const contextOptimizer = {
    * @returns {string} Git command
    */
   lineAge: (file, line) => {
-    // Validate line is a positive integer
+    // Validate line is a positive integer with reasonable bounds
     const lineNum = parseInt(line, 10);
+    const MAX_LINE_NUMBER = 10000000; // 10 million lines - reasonable upper bound
     if (!Number.isInteger(lineNum) || lineNum < 1) {
       throw new Error('Line must be a positive integer');
     }
+    if (lineNum > MAX_LINE_NUMBER) {
+      throw new Error(`Line number cannot exceed ${MAX_LINE_NUMBER}`);
+    }
     // Escape file path for safe shell usage
     const safeFile = escapeShell(file);
     return `git blame -L ${lineNum},${lineNum} "${safeFile}" --porcelain | grep '^committer-time' | cut -d' ' -f2`;
@@ -132,8 +213,10 @@ const contextOptimizer = {
    * @param {string} ref - Reference to compare from (default: 'HEAD~5')
    * @returns {string} Git command
    */
-  diffStat: (ref = 'HEAD~5') =>
-    `git diff ${ref}..HEAD --stat | head -20`,
+  diffStat: (ref = 'HEAD~5') => {
+    const safeRef = validateGitRef(ref);
+    return `git diff ${safeRef}..HEAD --stat | head -20`;
+  },
 
   /**
    * Get contributors list (limited to top 10)
@@ -161,24 +244,30 @@ const contextOptimizer = {
    * @param {number} limit - Number of branches (default: 10)
    * @returns {string} Git command
    */
-  branches: (limit = 10) =>
-    `git branch --format='%(refname:short)' | head -${limit}`,
+  branches: (limit = 10) => {
+    const safeLimit = validateLimit(limit);
+    return `git branch --format='%(refname:short)' | head -${safeLimit}`;
+  },
 
   /**
    * Get tags list (limited)
    * @param {number} limit - Number of tags (default: 10)
    * @returns {string} Git command
    */
-  tags: (limit = 10) =>
-    `git tag --sort=-creatordate | head -${limit}`,
+  tags: (limit = 10) => {
+    const safeLimit = validateLimit(limit);
+    return `git tag --sort=-creatordate | head -${safeLimit}`;
+  },
 
   /**
    * Get count of commits on current branch since branching from main
    * @param {string} mainBranch - Main branch name (default: 'main')
    * @returns {string} Git command
    */
-  commitsSinceBranch: (mainBranch = 'main') =>
-    `git rev-list --count ${mainBranch}..HEAD`,
+  commitsSinceBranch: (mainBranch = 'main') => {
+    const safeBranch = validateBranchName(mainBranch);
+    return `git rev-list --count ${safeBranch}..HEAD`;
+  },
 
   /**
    * Check if working directory is clean
@@ -192,16 +281,20 @@ const contextOptimizer = {
    * @param {string} mainBranch - Main branch name (default: 'main')
    * @returns {string} Git command
    */
-  mergeBase: (mainBranch = 'main') =>
-    `git merge-base ${mainBranch} HEAD`,
+  mergeBase: (mainBranch = 'main') => {
+    const safeBranch = validateBranchName(mainBranch);
+    return `git merge-base ${safeBranch} HEAD`;
+  },
 
   /**
    * Get files modified in current branch (since branching)
    * @param {string} mainBranch - Main branch name (default: 'main')
    * @returns {string} Git command
    */
-  branchChangedFiles: (mainBranch = 'main') =>
-    `git diff ${mainBranch}...HEAD --name-only`,
+  branchChangedFiles: (mainBranch = 'main') => {
+    const safeBranch = validateBranchName(mainBranch);
+    return `git diff ${safeBranch}...HEAD --name-only`;
+  },
 
   /**
    * Get commit count by author
@@ -224,4 +317,15 @@ const contextOptimizer = {
   }
 };
 
+// Export main API
 module.exports = contextOptimizer;
+
+// Export internal functions for testing
+module.exports._internal = {
+  escapeShell,
+  escapeSingleQuotes,
+  sanitizeExtension,
+  validateBranchName,
+  validateGitRef,
+  validateLimit
+};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "awesome-slash",
-  "version": "2.4.2",
+  "version": "2.4.4",
   "description": "Professional-grade slash commands for Claude Code that work across any project",
   "main": "lib/platform/detect-platform.js",
   "type": "commonjs",

package/plugins/next-task/agents/ci-monitor.md

@@ -15,6 +15,25 @@ and focused on observation and coordination, not complex reasoning.
 - This agent (haiku): Poll status, detect issues, report findings
 - ci-fixer (sonnet): Diagnose and fix CI failures, address PR comments
 
+## PR Auto-Review Process
+
+> **CRITICAL**: Every PR receives automatic reviews from **4 agents**:
+> - **Copilot** - GitHub's AI reviewer
+> - **Claude** - Anthropic's AI reviewer
+> - **Gemini** - Google's AI reviewer
+> - **Codex** - OpenAI's AI reviewer
+
+**Mandatory workflow:**
+1. After PR creation, wait **at least 3 minutes** for first review round
+2. Read **ALL comments** from all 4 reviewers
+3. Address **EVERY comment** - no exceptions
+4. Iterate until **zero unresolved threads** (typically 2-4 rounds)
+
+**Rules:**
+- ALWAYS address all comments, including "minor" or "nit" suggestions
+- NEVER skip a comment unless factually wrong or user-approved
+- Treat all feedback as **required changes**, not suggestions
+
 ## Configuration
 
 ```javascript

package/plugins/ship/commands/ship-ci-review-loop.md

@@ -4,6 +4,25 @@ This file contains detailed implementation for the CI & Review Monitor Loop phas
 
 **Parent document**: `ship.md`
 
+## PR Auto-Review Process
+
+> **CRITICAL**: Every PR receives automatic reviews from **4 agents**:
+> - **Copilot** - GitHub's AI reviewer
+> - **Claude** - Anthropic's AI reviewer
+> - **Gemini** - Google's AI reviewer
+> - **Codex** - OpenAI's AI reviewer
+
+**Mandatory workflow:**
+1. After PR creation, wait **at least 3 minutes** for first review round
+2. Read **ALL comments** from all 4 reviewers
+3. Address **EVERY comment** - no exceptions
+4. Iterate until **zero unresolved threads** (typically 2-4 rounds)
+
+**Rules:**
+- ALWAYS address all comments, including "minor" or "nit" suggestions
+- NEVER skip a comment unless factually wrong or user-approved
+- Treat all feedback as **required changes**, not suggestions
+
 ## Overview
 
 The monitor loop waits for: