awesome-slash 3.0.2 → 3.1.0

package/.claude-plugin/marketplace.json

@@ -1,7 +1,7 @@
 {
   "name": "awesome-slash",
   "description": "7 specialized plugins for AI workflow automation - task orchestration, PR workflow, slop detection, code review, drift detection, enhancement analysis, and documentation sync",
-  "version": "3.0.2",
+  "version": "3.1.0",
   "owner": {
     "name": "Avi Fenesh",
     "url": "https://github.com/avifenesh"
@@ -13,49 +13,49 @@
       "name": "next-task",
       "source": "./plugins/next-task",
       "description": "Master workflow orchestrator: autonomous workflow with model optimization (opus/sonnet/haiku), two-file state management, workflow enforcement gates, 14 specialist agents",
-      "version": "3.0.2",
+      "version": "3.1.0",
       "category": "productivity"
     },
     {
       "name": "ship",
       "source": "./plugins/ship",
       "description": "Complete PR workflow: commit to production, skips review when called from next-task, removes task from registry on cleanup, automatic rollback",
-      "version": "3.0.2",
+      "version": "3.1.0",
       "category": "deployment"
     },
     {
       "name": "deslop",
       "source": "./plugins/deslop",
       "description": "3-phase AI slop detection: regex patterns (HIGH), multi-pass analyzers (MEDIUM), CLI tools (LOW)",
-      "version": "3.0.2",
+      "version": "3.1.0",
       "category": "development"
     },
     {
       "name": "audit-project",
       "source": "./plugins/audit-project",
       "description": "Multi-agent iterative code review until zero issues remain",
-      "version": "3.0.2",
+      "version": "3.1.0",
       "category": "development"
     },
     {
       "name": "drift-detect",
       "source": "./plugins/drift-detect",
       "description": "Deep repository analysis to realign project plans with code reality - detects drift, gaps, and creates prioritized reconstruction plans",
-      "version": "3.0.2",
+      "version": "3.1.0",
       "category": "productivity"
     },
     {
       "name": "enhance",
       "source": "./plugins/enhance",
       "description": "Master enhancement orchestrator: parallel analyzer execution for plugins, agents, docs, CLAUDE.md, and prompts with unified reporting",
-      "version": "3.0.2",
+      "version": "3.1.0",
       "category": "development"
     },
     {
       "name": "sync-docs",
       "source": "./plugins/sync-docs",
       "description": "Standalone documentation sync: find outdated refs, update CHANGELOG, flag stale examples based on code changes",
-      "version": "3.0.2",
+      "version": "3.1.0",
       "category": "development"
     }
   ],

package/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "awesome-slash",
-  "version": "3.0.2",
+  "version": "3.1.0",
   "description": "Professional-grade slash commands for Claude Code with cross-platform support",
   "keywords": [
     "workflow",

package/CHANGELOG.md

@@ -7,6 +7,32 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [3.1.0] - 2026-01-26
+
+### Added
+- **Queue-Based Review Loop** - Multi-pass review with resume support, stall detection, and decision-gate overrides
+- **CI Consistency Validation** - Repository validator for version/mapping/agent-count alignment (`npm run validate`)
+- **Pre-Release Channels** - `rc`/`beta` tag support for npm dist-tags and GitHub prereleases
+
+### Fixed
+- **MCP Path Scoping** - MCP tools now reject paths outside the repo (custom tasks, review_code, slop_detect)
+- **MCP Responsiveness** - Review and slop pipelines run in a worker thread with sync fallback
+- **Slop Pipeline IO** - Cached file reads reduce repeated disk access
+
+### Changed
+- **Complexity Analysis** - Caps escomplex runs to reduce process spawn overhead
+- **GitHub Actions** - Actions pinned to commit SHAs for supply-chain hardening
+
+## [3.0.3-rc.1] - 2026-01-26
+
+### Added
+- **Queue-Based Review Loop** - Multi-pass review with resume support, stall detection, and decision gate overrides in /next-task and /audit-project
+- **CI Consistency Validation** - New repository validator for version/mapping/agent-count alignment in `npm run validate`
+- **Pre-Release Channels** - `rc`/`beta` tag support for npm dist-tags and GitHub prereleases
+
+### Changed
+- **Review Passes** - Integrated security/performance/test coverage passes and conditional specialists for audit/review workflows
+
 ## [3.0.2] - 2025-01-24
 
 ### Fixed
@@ -1021,4 +1047,3 @@ Initial release with full feature set.
 - MIT License
 - Security policy
 - Contributing guidelines
-

package/README.md

@@ -72,9 +72,9 @@ Every finding is tagged with a certainty level:
 
 This means you can run `/deslop apply` and trust that it won't break things.
 
-### 2. Review Loops Without Limits
+### 2. Review Loops With Safeguards
 
-The review-orchestrator agent doesn't have a max iteration count. It keeps running code-reviewer, silent-failure-hunter, and test-analyzer until there are zero critical or high-severity issues. Then it runs deslop-work on its own fixes to catch any AI artifacts it introduced.
+The review-orchestrator agent runs core review passes (code quality, security, performance, test coverage) plus conditional specialists until there are no open issues. Then it runs deslop-work on its own fixes to catch any AI artifacts it introduced.
 
 ### 3. Workflow Enforcement
 
@@ -358,26 +358,29 @@ Three phases run in sequence:
 
 **What happens when you run it:**
 
-Up to 8 specialized role-based agents run based on your project:
+Up to 10 specialized role-based agents run based on your project: <!-- AGENT_COUNT_ROLE_BASED: 10 -->
 
 | Agent | When Active | Focus Area |
 |-------|-------------|------------|
+| code-quality-reviewer | Always | Code quality, error handling |
 | security-expert | Always | Vulnerabilities, auth, secrets |
 | performance-engineer | Always | N+1 queries, memory, blocking ops |
-| test-quality-guardian | If tests exist | Coverage, edge cases, mocking |
+| test-quality-guardian | Always | Coverage, edge cases, mocking |
 | architecture-reviewer | If 50+ files | Modularity, patterns, SOLID |
 | database-specialist | If DB detected | Queries, indexes, transactions |
 | api-designer | If API detected | REST, errors, pagination |
 | frontend-specialist | If frontend detected | Components, state, UX |
+| backend-specialist | If backend detected | Services, domain logic |
 | devops-reviewer | If CI/CD detected | Pipelines, configs, secrets |
 
-Findings are collected and categorized by severity (critical/high/medium/low). Critical and high issues get fixed automatically. The loop repeats until no critical or high issues remain.
+Findings are collected and categorized by severity (critical/high/medium/low). All non-false-positive issues get fixed automatically. The loop repeats until no open issues remain.
 
 **Usage:**
 
 ```bash
 /audit-project                   # Full review
 /audit-project --quick           # Single pass
+/audit-project --resume          # Resume from queue file
 /audit-project --domain security # Security focus only
 /audit-project --recent          # Only recent changes
 ```

package/adapters/codex/README.md

@@ -68,13 +68,14 @@ codex
 > /audit-project
 > /audit-project --recent
 > /audit-project --domain security
+> /audit-project --resume
 ```
 
 **What it does:**
-- Deploys 8 specialized agents
+- Deploys 10 specialized agents
 - Adapts to your tech stack
 - Finds bugs, security issues, performance problems
-- Iterates until zero critical issues
+- Iterates until no open issues remain
 
 ---
 

package/adapters/opencode/README.md

@@ -68,13 +68,14 @@ opencode
 > /audit-project
 > /audit-project --recent
 > /audit-project --domain security
+> /audit-project --resume
 ```
 
 **What it does:**
-- Deploys 8 specialized agents
+- Deploys 10 specialized agents
 - Adapts to your tech stack
 - Finds bugs, security issues, performance problems
-- Iterates until zero critical issues
+- Iterates until no open issues remain
 
 ---
 

package/mcp-server/index.js

@@ -22,6 +22,7 @@ const fs = require('fs').promises;
 const fsSync = require('fs');
 const { promisify } = require('util');
 const { exec } = require('child_process');
+const { Worker } = require('worker_threads');
 const execAsync = promisify(exec);
 const workflowState = require('../lib/state/workflow-state.js');
 const { runPipeline, formatHandoffPrompt, CERTAINTY, THOROUGHNESS } = require('../lib/patterns/pipeline.js');
@@ -30,6 +31,77 @@ const enhance = require('../lib/enhance/index.js');
 
 // Plugin root for relative paths
 const PLUGIN_ROOT = process.env.PLUGIN_ROOT || path.join(__dirname, '..');
+const REPO_ROOT = process.cwd();
+
+function resolveRepoPath(inputPath) {
+  if (!inputPath) return null;
+  const resolved = path.resolve(REPO_ROOT, inputPath);
+  const withinRepo = resolved === REPO_ROOT || resolved.startsWith(REPO_ROOT + path.sep);
+  return withinRepo ? resolved : null;
+}
+
+function toRepoRelative(resolvedPath) {
+  const relative = path.relative(REPO_ROOT, resolvedPath);
+  if (!relative) return '.';
+  return relative.split(path.sep).join('/');
+}
+
+function filterRepoFiles(files) {
+  const allowed = [];
+  const rejected = [];
+
+  for (const file of files) {
+    if (!file) continue;
+    const resolved = resolveRepoPath(file);
+    if (!resolved) {
+      rejected.push(file);
+      continue;
+    }
+    allowed.push(toRepoRelative(resolved));
+  }
+
+  return { allowed, rejected };
+}
+
+function runPipelineAsync(repoPath, options) {
+  const pipelinePath = path.join(PLUGIN_ROOT, 'lib', 'patterns', 'pipeline.js');
+  return new Promise((resolve, reject) => {
+    const worker = new Worker(
+      `const { parentPort, workerData } = require('worker_threads');
+       try {
+         const { runPipeline } = require(workerData.pipelinePath);
+         const result = runPipeline(workerData.repoPath, workerData.options);
+         parentPort.postMessage({ ok: true, result });
+       } catch (error) {
+         parentPort.postMessage({ ok: false, error: { message: error.message, stack: error.stack } });
+       }`,
+      {
+        eval: true,
+        workerData: {
+          repoPath,
+          options,
+          pipelinePath
+        }
+      }
+    );
+
+    worker.once('message', (message) => {
+      worker.terminate();
+      if (message.ok) {
+        resolve(message.result);
+      } else {
+        const err = new Error(message.error?.message || 'Pipeline worker failed');
+        err.stack = message.error?.stack;
+        reject(err);
+      }
+    });
+
+    worker.once('error', (error) => {
+      worker.terminate();
+      reject(error);
+    });
+  });
+}
 
 // MCP_TOOLS_ARRAY - Define available tools
 const TOOLS = [
@@ -106,7 +178,7 @@ const TOOLS = [
         },
         customFile: {
           type: 'string',
-          description: 'Path to custom task file (required when source is "custom"). Parses markdown checkboxes.'
+          description: 'Repo-relative path to custom task file (required when source is "custom"). Parses markdown checkboxes.'
         }
       },
       required: []
@@ -121,7 +193,7 @@ const TOOLS = [
         files: {
           type: 'array',
           items: { type: 'string' },
-          description: 'Files to review (defaults to git diff)'
+          description: 'Repo-relative files to review (defaults to git diff)'
         },
         thoroughness: {
           type: 'string',
@@ -144,7 +216,7 @@ const TOOLS = [
       properties: {
         path: {
           type: 'string',
-          description: 'Directory or file to scan (default: current directory)'
+          description: 'Repo-relative directory or file to scan (default: repo root)'
         },
         mode: {
           type: 'string',
@@ -492,12 +564,19 @@ const toolHandlers = {
           };
         }
 
-        // Validate file path - prevent path traversal
-        const normalizedPath = path.normalize(customFile);
-        // Note: absolute paths and '..' are allowed but monitored via file access
+        const resolvedCustomFile = resolveRepoPath(customFile);
+        if (!resolvedCustomFile) {
+          return {
+            content: [{
+              type: 'text',
+              text: `Error: customFile must be within the repository. Received "${customFile}".`
+            }],
+            isError: true
+          };
+        }
 
         try {
-          const content = await fs.readFile(customFile, 'utf-8');
+          const content = await fs.readFile(resolvedCustomFile, 'utf-8');
           const lines = content.split('\n');
           const taskLines = lines.filter(line => /^[-*]\s+\[\s*\]\s+/.test(line));
 
@@ -512,7 +591,7 @@ const toolHandlers = {
               title: text,
               type: isSecurity ? 'security' : isBug ? 'bug' : isFeature ? 'feature' : 'task',
               labels: [],
-              source: customFile
+              source: toRepoRelative(resolvedCustomFile)
             };
           });
 
@@ -597,12 +676,34 @@ const toolHandlers = {
         return crossPlatform.successResponse('No files to review. No changes detected.');
       }
 
+      const { allowed, rejected } = filterRepoFiles(filesToReview);
+      if (rejected.length > 0) {
+        return crossPlatform.errorResponse(
+          `Invalid file path(s) outside the repository: ${rejected.join(', ')}`
+        );
+      }
+      filesToReview = allowed;
+
+      if (!filesToReview.length) {
+        return crossPlatform.errorResponse('No valid files to review after path validation.');
+      }
+
       // Use the full pipeline for detection
-      const result = runPipeline(process.cwd(), {
-        thoroughness: thoroughness || THOROUGHNESS.NORMAL,
-        targetFiles: filesToReview,
-        mode: 'report'
-      });
+      let result;
+      try {
+        result = await runPipelineAsync(process.cwd(), {
+          thoroughness: thoroughness || THOROUGHNESS.NORMAL,
+          targetFiles: filesToReview,
+          mode: 'report'
+        });
+      } catch (error) {
+        console.warn(`Pipeline worker failed, falling back to sync run: ${error.message}`);
+        result = runPipeline(process.cwd(), {
+          thoroughness: thoroughness || THOROUGHNESS.NORMAL,
+          targetFiles: filesToReview,
+          mode: 'report'
+        });
+      }
 
       // Use compact format by default for MCP (token efficiency)
       const useCompact = compact !== false;
@@ -626,20 +727,34 @@ const toolHandlers = {
 
   async slop_detect({ path: scanPath, mode, thoroughness, compact }) {
     try {
-      const targetPath = scanPath || process.cwd();
+      const resolvedTargetPath = resolveRepoPath(scanPath || REPO_ROOT);
+      if (!resolvedTargetPath) {
+        return crossPlatform.errorResponse(
+          `Invalid path outside repository: ${scanPath}`
+        );
+      }
 
       // Validate path exists
       try {
-        await fs.access(targetPath);
+        await fs.access(resolvedTargetPath);
       } catch (e) {
-        return crossPlatform.errorResponse(`Path not found: ${targetPath}`);
+        return crossPlatform.errorResponse(`Path not found: ${resolvedTargetPath}`);
       }
 
       // Run the 3-phase pipeline
-      const result = runPipeline(targetPath, {
-        thoroughness: thoroughness || THOROUGHNESS.NORMAL,
-        mode: mode || 'report'
-      });
+      let result;
+      try {
+        result = await runPipelineAsync(resolvedTargetPath, {
+          thoroughness: thoroughness || THOROUGHNESS.NORMAL,
+          mode: mode || 'report'
+        });
+      } catch (error) {
+        console.warn(`Pipeline worker failed, falling back to sync run: ${error.message}`);
+        result = runPipeline(resolvedTargetPath, {
+          thoroughness: thoroughness || THOROUGHNESS.NORMAL,
+          mode: mode || 'report'
+        });
+      }
 
       // Use compact format by default for MCP (60% fewer tokens)
       const useCompact = compact !== false;
@@ -650,7 +765,7 @@ const toolHandlers = {
 
       // Return structured result
       return crossPlatform.successResponse({
-        path: targetPath,
+        path: toRepoRelative(resolvedTargetPath),
         mode: mode || 'report',
         thoroughness: thoroughness || 'normal',
         filesAnalyzed: result.metadata.filesAnalyzed,
@@ -816,7 +931,7 @@ async function main() {
 const server = new Server(
     {
       name: 'awesome-slash',
-      version: '3.0.2',
+      version: '3.1.0',
     },
     {
       capabilities: {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "awesome-slash",
-  "version": "3.0.2",
+  "version": "3.1.0",
   "description": "6 specialized plugins for AI workflow automation - works with Claude Code, OpenCode, and Codex CLI",
   "main": "lib/platform/detect-platform.js",
   "type": "commonjs",
@@ -26,9 +26,10 @@
     "test": "jest",
     "test:watch": "jest --watch",
     "test:coverage": "jest --coverage",
-    "validate": "npm run validate:plugins && npm run validate:cross-platform",
+    "validate": "npm run validate:plugins && npm run validate:cross-platform && npm run validate:consistency",
     "validate:plugins": "node scripts/validate-plugins.js",
     "validate:cross-platform": "node scripts/validate-cross-platform.js",
+    "validate:consistency": "node scripts/validate-repo-consistency.js",
     "detect": "node lib/platform/detect-platform.js",
     "verify": "node lib/platform/verify-tools.js",
     "prepare": "node scripts/setup-hooks.js"

package/plugins/audit-project/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "audit-project",
-  "version": "3.0.2",
+  "version": "3.1.0",
   "description": "Multi-agent iterative code review until zero issues remain",
   "author": {
     "name": "Avi Fenesh",