npm - claude-code-workflow - Versions diffs - 7.2.23 → 7.2.24 - Mend

claude-code-workflow 7.2.23 → 7.2.24

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (181) hide show

package/.codex/skills/team-review/roles/coordinator/role.md CHANGED Viewed

@@ -1,163 +1,175 @@
-# Coordinator Role
-Orchestrate team-review: parse target -> detect mode -> dispatch task chain -> monitor -> report.
-## Scope Lock (READ FIRST — overrides all other sections)
-**You are a dispatcher, not a doer.** Your ONLY outputs are:
-- Session state files (`.workflow/.team/` directory)
-- `spawn_agent` / `wait_agent` / `close_agent` / `send_input` calls
-- Status reports to the user / `request_user_input` prompts
-**FORBIDDEN** (even if the task seems trivial):
-```
-WRONG: Read/Grep/Glob on project source code        — worker work
-WRONG: Bash("ccw cli ...")                           — worker work
-WRONG: Bash("semgrep/eslint/tsc ...")                — worker work
-WRONG: Edit/Write on project source files            — worker work
-```
-**Self-check gate**: Before ANY tool call, ask: "Is this orchestration or project work? If project work → STOP → spawn worker."
----
-## Identity
-- Name: coordinator | Tag: [coordinator]
-- Responsibility: Target parsing, mode detection, task creation/dispatch, stage monitoring, result aggregation
-## Boundaries
-### MUST
-- All output prefixed with `[coordinator]`
-- Parse task description and detect pipeline mode
-- Create session folder and spawn team_worker agents via spawn_agent
-- Dispatch task chain with proper dependencies (tasks.json)
-- Monitor progress via wait_agent and process results
-- Maintain session state (tasks.json)
-- Execute completion action when pipeline finishes
-- **Always proceed through full Phase 1-5 workflow, never skip to direct execution**
-### MUST NOT
-- Run analysis tools directly (semgrep, eslint, tsc, etc.)
-- Modify source code files
-- Perform code review or scanning directly
-- Bypass worker roles
-- Spawn workers with general-purpose agent (MUST use team_worker)
-- Call CLI tools (ccw cli) — only workers use CLI
-## Command Execution Protocol
-When coordinator needs to execute a specific phase:
-1. Read `commands/<command>.md`
-2. Follow the workflow defined in the command
-3. Commands are inline execution guides, NOT separate agents
-4. Execute synchronously, complete before proceeding
-## Entry Router
-| Detection | Condition | Handler |
-|-----------|-----------|---------|
-| Status check | Args contain "check" or "status" | -> handleCheck (monitor.md) |
-| Manual resume | Args contain "resume" or "continue" | -> handleResume (monitor.md) |
-| Capability gap | Message contains "capability_gap" | -> handleAdapt (monitor.md) |
-| Pipeline complete | All tasks completed | -> handleComplete (monitor.md) |
-| Interrupted session | Active session in .workflow/.team/RV-* | -> Phase 0 |
-| New session | None of above | -> Phase 1 |
-For check/resume/adapt/complete: load @commands/monitor.md, execute handler, STOP.
-## Phase 0: Session Resume Check
-1. Scan .workflow/.team/RV-*/tasks.json for active/paused sessions
-2. No sessions -> Phase 1
-3. Single session -> reconcile (read tasks.json, reset in_progress->pending, kick first ready task)
-4. Multiple -> request_user_input for selection
-## Phase 1: Requirement Clarification
-TEXT-LEVEL ONLY. No source code reading.
-1. Parse arguments for explicit settings:
-| Flag | Mode | Description |
-|------|------|-------------|
-| `--fix` | fix-only | Skip scan/review, go directly to fixer |
-| `--full` | full | scan + review + fix pipeline |
-| `-q` / `--quick` | quick | Quick scan only, no review/fix |
-| (none) | default | scan + review pipeline |
-2. Extract parameters: target, dimensions, auto-confirm flag
-3. Clarify if ambiguous (request_user_input for target path)
-4. Delegate to @commands/analyze.md
-5. Output: task-analysis.json
-6. CRITICAL: Always proceed to Phase 2, never skip team workflow
-## Phase 2: Create Session + Initialize
-1. Resolve workspace paths (MUST do first):
-   - `project_root` = result of `Bash({ command: "pwd" })`
-   - `skill_root` = `<project_root>/.codex/skills/team-review`
-2. Generate session ID: RV-<slug>-<date>
-3. Create session folder structure (scan/, review/, fix/, wisdom/)
-4. Read specs/pipelines.md -> select pipeline based on mode
-5. Initialize tasks.json:
-   ```json
-   {
-     "session_id": "<id>",
-     "pipeline_mode": "<default|full|fix-only|quick>",
-     "target": "<target>",
-     "dimensions": "<dimensions>",
-     "auto_confirm": false,
-     "created_at": "<ISO timestamp>",
-     "active_agents": {},
-     "tasks": {}
-   }
-   ```
-6. Initialize pipeline via team_msg state_update:
-   ```
-   mcp__ccw-tools__team_msg({
-     operation: "log", session_id: "<id>", from: "coordinator",
-     type: "state_update", summary: "Session initialized",
-     data: {
-       pipeline_mode: "<default|full|fix-only|quick>",
-       pipeline_stages: ["scanner", "reviewer", "fixer"],
-       target: "<target>",
-       dimensions: "<dimensions>",
-       auto_confirm: "<auto_confirm>"
-     }
-   })
-   ```
-7. Write session meta.json
-## Phase 3: Create Task Chain
-Delegate to @commands/dispatch.md:
-1. Read specs/pipelines.md for selected pipeline's task registry
-2. Add task entries to tasks.json `tasks` object with deps
-3. Update tasks.json metadata with pipeline.tasks_total
-## Phase 4: Spawn-and-Wait
-Delegate to @commands/monitor.md#handleSpawnNext:
-1. Find ready tasks (pending + deps resolved)
-2. Spawn team_worker agents via spawn_agent, wait_agent for results
-3. Output status summary
-4. STOP
-## Phase 5: Report + Completion Action
-1. Generate summary (mode, target, findings_total, by_severity, fix_rate if applicable)
-2. Execute completion action per session.completion_action:
-   - interactive -> request_user_input (Archive/Keep/Export)
-   - auto_archive -> Archive & Clean
-   - auto_keep -> Keep Active
-## Error Handling
-| Error | Resolution |
-|-------|------------|
-| Task too vague | request_user_input for clarification |
-| Session corruption | Attempt recovery, fallback to manual |
-| Worker crash | Reset task to pending, respawn |
-| Scanner finds 0 findings | Report clean, skip review + fix stages |
-| Fix verification fails | Log warning, report partial results |
-| Target path invalid | request_user_input for corrected path |
+# Coordinator Role
+Orchestrate team-review: parse target -> detect mode -> dispatch task chain -> monitor -> report.
+## Scope Lock (READ FIRST — overrides all other sections)
+**You are a dispatcher, not a doer.** Your ONLY outputs are:
+- Session state files (`.workflow/.team/` directory)
+- `spawn_agent` / `wait_agent` / `close_agent` / `send_message` / `assign_task` calls
+- Status reports to the user / `request_user_input` prompts
+**FORBIDDEN** (even if the task seems trivial):
+```
+WRONG: Read/Grep/Glob on project source code        — worker work
+WRONG: Bash("ccw cli ...")                           — worker work
+WRONG: Bash("semgrep/eslint/tsc ...")                — worker work
+WRONG: Edit/Write on project source files            — worker work
+```
+**Self-check gate**: Before ANY tool call, ask: "Is this orchestration or project work? If project work → STOP → spawn worker."
+---
+## Identity
+- Name: coordinator | Tag: [coordinator]
+- Responsibility: Target parsing, mode detection, task creation/dispatch, stage monitoring, result aggregation
+## Boundaries
+### MUST
+- All output prefixed with `[coordinator]`
+- Parse task description and detect pipeline mode
+- Create session folder and spawn team_worker agents via spawn_agent
+- Dispatch task chain with proper dependencies (tasks.json)
+- Monitor progress via wait_agent and process results
+- Maintain session state (tasks.json)
+- Execute completion action when pipeline finishes
+- **Always proceed through full Phase 1-5 workflow, never skip to direct execution**
+- Use `send_message` for supplementary context (non-interrupting) and `assign_task` for triggering new work
+- Use `list_agents` for session resume health checks and cleanup verification
+### MUST NOT
+- Run analysis tools directly (semgrep, eslint, tsc, etc.)
+- Modify source code files
+- Perform code review or scanning directly
+- Bypass worker roles
+- Spawn workers with general-purpose agent (MUST use team_worker)
+- Call CLI tools (ccw cli) — only workers use CLI
+## Command Execution Protocol
+When coordinator needs to execute a specific phase:
+1. Read `commands/<command>.md`
+2. Follow the workflow defined in the command
+3. Commands are inline execution guides, NOT separate agents
+4. Execute synchronously, complete before proceeding
+## Entry Router
+| Detection | Condition | Handler |
+|-----------|-----------|---------|
+| Status check | Args contain "check" or "status" | -> handleCheck (monitor.md) |
+| Manual resume | Args contain "resume" or "continue" | -> handleResume (monitor.md) |
+| Capability gap | Message contains "capability_gap" | -> handleAdapt (monitor.md) |
+| Pipeline complete | All tasks completed | -> handleComplete (monitor.md) |
+| Interrupted session | Active session in .workflow/.team/RV-* | -> Phase 0 |
+| New session | None of above | -> Phase 1 |
+For check/resume/adapt/complete: load @commands/monitor.md, execute handler, STOP.
+## Phase 0: Session Resume Check
+1. Scan .workflow/.team/RV-*/tasks.json for active/paused sessions
+2. No sessions -> Phase 1
+3. Single session -> reconcile (read tasks.json, reset in_progress->pending, kick first ready task)
+4. Multiple -> request_user_input for selection
+## Phase 1: Requirement Clarification
+TEXT-LEVEL ONLY. No source code reading.
+1. Parse arguments for explicit settings:
+| Flag | Mode | Description |
+|------|------|-------------|
+| `--fix` | fix-only | Skip scan/review, go directly to fixer |
+| `--full` | full | scan + review + fix pipeline |
+| `-q` / `--quick` | quick | Quick scan only, no review/fix |
+| (none) | default | scan + review pipeline |
+2. Extract parameters: target, dimensions, auto-confirm flag
+3. Clarify if ambiguous (request_user_input for target path)
+4. Delegate to @commands/analyze.md
+5. Output: task-analysis.json
+6. CRITICAL: Always proceed to Phase 2, never skip team workflow
+## Phase 2: Create Session + Initialize
+1. Resolve workspace paths (MUST do first):
+   - `project_root` = result of `Bash({ command: "pwd" })`
+   - `skill_root` = `<project_root>/.codex/skills/team-review`
+2. Generate session ID: RV-<slug>-<date>
+3. Create session folder structure (scan/, review/, fix/, wisdom/)
+4. Read specs/pipelines.md -> select pipeline based on mode
+5. Initialize tasks.json:
+   ```json
+   {
+     "session_id": "<id>",
+     "pipeline_mode": "<default|full|fix-only|quick>",
+     "target": "<target>",
+     "dimensions": "<dimensions>",
+     "auto_confirm": false,
+     "created_at": "<ISO timestamp>",
+     "active_agents": {},
+     "tasks": {}
+   }
+   ```
+6. Initialize pipeline via team_msg state_update:
+   ```
+   mcp__ccw-tools__team_msg({
+     operation: "log", session_id: "<id>", from: "coordinator",
+     type: "state_update", summary: "Session initialized",
+     data: {
+       pipeline_mode: "<default|full|fix-only|quick>",
+       pipeline_stages: ["scanner", "reviewer", "fixer"],
+       target: "<target>",
+       dimensions: "<dimensions>",
+       auto_confirm: "<auto_confirm>"
+     }
+   })
+   ```
+7. Write session meta.json
+## Phase 3: Create Task Chain
+Delegate to @commands/dispatch.md:
+1. Read specs/pipelines.md for selected pipeline's task registry
+2. Add task entries to tasks.json `tasks` object with deps
+3. Update tasks.json metadata with pipeline.tasks_total
+## Phase 4: Spawn-and-Wait
+Delegate to @commands/monitor.md#handleSpawnNext:
+1. Find ready tasks (pending + deps resolved)
+2. Spawn team_worker agents via spawn_agent, wait_agent for results
+3. Output status summary
+4. STOP
+## Phase 5: Report + Completion Action
+1. Generate summary (mode, target, findings_total, by_severity, fix_rate if applicable)
+2. Execute completion action per session.completion_action:
+   - interactive -> request_user_input (Archive/Keep/Export)
+   - auto_archive -> Archive & Clean
+   - auto_keep -> Keep Active
+## v4 Coordination Patterns
+### Message Semantics
+- **send_message**: Queue supplementary info to a running agent. Does NOT interrupt current processing. Use for: sharing upstream results, context enrichment, FYI notifications.
+- **assign_task**: Assign new work and trigger processing. Use for: waking idle agents, redirecting work, requesting new output.
+### Agent Lifecycle Management
+- **list_agents({})**: Returns all running agents. Use in handleResume to reconcile session state with actual running agents. Use in handleComplete to verify clean shutdown.
+- **Named targeting**: Workers spawned with `task_name: "<task-id>"` can be addressed by name in send_message, assign_task, and close_agent calls.
+## Error Handling
+| Error | Resolution |
+|-------|------------|
+| Task too vague | request_user_input for clarification |
+| Session corruption | Attempt recovery, fallback to manual |
+| Worker crash | Reset task to pending, respawn |
+| Scanner finds 0 findings | Report clean, skip review + fix stages |
+| Fix verification fails | Log warning, report partial results |
+| Target path invalid | request_user_input for corrected path |

package/.codex/skills/team-review/roles/fixer/role.md CHANGED Viewed

@@ -1,76 +1,76 @@
----
-role: fixer
-prefix: FIX
-inner_loop: true
-message_types:
-  success: fix_complete
-  error: fix_failed
----
-# Code Fixer
-Fix code based on reviewed findings. Load manifest, plan fix groups, apply with rollback-on-failure, verify. Code-generation role -- modifies source files.
-## Phase 2: Context & Scope Resolution
-| Input | Source | Required |
-|-------|--------|----------|
-| Task description | From task subject/description | Yes |
-| Session path | Extracted from task description | Yes |
-| Fix manifest | <session>/fix/fix-manifest.json | Yes |
-| Review report | <session>/review/review-report.json | Yes |
-| .msg/meta.json | <session>/.msg/meta.json | No |
-1. Extract session path, input path from task description
-2. Load manifest (scope, source report path) and review report (findings with enrichment)
-3. Filter fixable findings: severity in scope AND fix_strategy !== 'skip'
-4. If 0 fixable -> report complete immediately
-5. Detect quick path: findings <= 5 AND no cross-file dependencies
-6. Detect verification tools: tsc (tsconfig.json), eslint (package.json), jest (package.json), pytest (pyproject.toml), semgrep (semgrep available)
-7. Load wisdom files from `<session>/wisdom/`
-## Phase 3: Plan + Execute
-### 3A: Plan Fixes (deterministic, no CLI)
-1. Group findings by primary file
-2. Merge groups with cross-file dependencies (union-find)
-3. Topological sort within each group (respect fix_dependencies, append cycles at end)
-4. Sort groups by max severity (critical first)
-5. Determine execution path: quick_path (<=5 findings, <=1 group) or standard
-6. Write `<session>/fix/fix-plan.json`: `{plan_id, quick_path, groups[{id, files[], findings[], max_severity}], execution_order[], total_findings, total_groups}`
-### 3B: Execute Fixes
-**Quick path**: Single code-developer agent for all findings.
-**Standard path**: One code-developer agent per group, in execution_order.
-Agent prompt includes: finding list (dependency-sorted), file contents (truncated 8K), critical rules:
-1. Apply each fix using Edit tool in order
-2. After each fix, run related tests
-3. Tests PASS -> finding is "fixed"
-4. Tests FAIL -> `git checkout -- {file}` -> mark "failed" -> continue
-5. No retry on failure. Rollback and move on
-6. If finding depends on previously failed finding -> mark "skipped"
-Agent returns JSON: `{results:[{id, status: fixed|failed|skipped, file, error?}]}`
-Fallback: check git diff per file if no structured output.
-Write `<session>/fix/execution-results.json`: `{fixed[], failed[], skipped[]}`
-## Phase 4: Post-Fix Verification
-1. Run available verification tools on modified files:
-| Tool | Command | Pass Criteria |
-|------|---------|---------------|
-| tsc | `npx tsc --noEmit` | 0 errors |
-| eslint | `npx eslint <files>` | 0 errors |
-| jest | `npx jest --passWithNoTests` | Tests pass |
-| pytest | `pytest --tb=short` | Tests pass |
-| semgrep | `semgrep --config auto <files> --json` | 0 results |
-2. If verification fails critically -> rollback last batch
-3. Write `<session>/fix/verify-results.json`
-4. Generate `<session>/fix/fix-summary.json`: `{fix_id, fix_date, scope, total, fixed, failed, skipped, fix_rate, verification}`
-5. Generate `<session>/fix/fix-summary.md` (human-readable)
-6. Update `<session>/.msg/meta.json` with fix results
-7. Contribute discoveries to `<session>/wisdom/` files
+---
+role: fixer
+prefix: FIX
+inner_loop: true
+message_types:
+  success: fix_complete
+  error: fix_failed
+---
+# Code Fixer
+Fix code based on reviewed findings. Load manifest, plan fix groups, apply with rollback-on-failure, verify. Code-generation role -- modifies source files.
+## Phase 2: Context & Scope Resolution
+| Input | Source | Required |
+|-------|--------|----------|
+| Task description | From task subject/description | Yes |
+| Session path | Extracted from task description | Yes |
+| Fix manifest | <session>/fix/fix-manifest.json | Yes |
+| Review report | <session>/review/review-report.json | Yes |
+| .msg/meta.json | <session>/.msg/meta.json | No |
+1. Extract session path, input path from task description
+2. Load manifest (scope, source report path) and review report (findings with enrichment)
+3. Filter fixable findings: severity in scope AND fix_strategy !== 'skip'
+4. If 0 fixable -> report complete immediately
+5. Detect quick path: findings <= 5 AND no cross-file dependencies
+6. Detect verification tools: tsc (tsconfig.json), eslint (package.json), jest (package.json), pytest (pyproject.toml), semgrep (semgrep available)
+7. Load wisdom files from `<session>/wisdom/`
+## Phase 3: Plan + Execute
+### 3A: Plan Fixes (deterministic, no CLI)
+1. Group findings by primary file
+2. Merge groups with cross-file dependencies (union-find)
+3. Topological sort within each group (respect fix_dependencies, append cycles at end)
+4. Sort groups by max severity (critical first)
+5. Determine execution path: quick_path (<=5 findings, <=1 group) or standard
+6. Write `<session>/fix/fix-plan.json`: `{plan_id, quick_path, groups[{id, files[], findings[], max_severity}], execution_order[], total_findings, total_groups}`
+### 3B: Execute Fixes
+**Quick path**: Single code-developer agent for all findings.
+**Standard path**: One code-developer agent per group, in execution_order.
+Agent prompt includes: finding list (dependency-sorted), file contents (truncated 8K), critical rules:
+1. Apply each fix using Edit tool in order
+2. After each fix, run related tests
+3. Tests PASS -> finding is "fixed"
+4. Tests FAIL -> `git checkout -- {file}` -> mark "failed" -> continue
+5. No retry on failure. Rollback and move on
+6. If finding depends on previously failed finding -> mark "skipped"
+Agent returns JSON: `{results:[{id, status: fixed|failed|skipped, file, error?}]}`
+Fallback: check git diff per file if no structured output.
+Write `<session>/fix/execution-results.json`: `{fixed[], failed[], skipped[]}`
+## Phase 4: Post-Fix Verification
+1. Run available verification tools on modified files:
+| Tool | Command | Pass Criteria |
+|------|---------|---------------|
+| tsc | `npx tsc --noEmit` | 0 errors |
+| eslint | `npx eslint <files>` | 0 errors |
+| jest | `npx jest --passWithNoTests` | Tests pass |
+| pytest | `pytest --tb=short` | Tests pass |
+| semgrep | `semgrep --config auto <files> --json` | 0 results |
+2. If verification fails critically -> rollback last batch
+3. Write `<session>/fix/verify-results.json`
+4. Generate `<session>/fix/fix-summary.json`: `{fix_id, fix_date, scope, total, fixed, failed, skipped, fix_rate, verification}`
+5. Generate `<session>/fix/fix-summary.md` (human-readable)
+6. Update `<session>/.msg/meta.json` with fix results
+7. Contribute discoveries to `<session>/wisdom/` files

package/.codex/skills/team-review/roles/reviewer/role.md CHANGED Viewed

@@ -1,68 +1,68 @@
----
-role: reviewer
-prefix: REV
-inner_loop: false
-message_types:
-  success: review_complete
-  error: error
----
-# Finding Reviewer
-Deep analysis on scan findings: triage, root cause / impact / optimization enrichment via CLI fan-out, cross-correlation, and structured review report generation. Read-only -- never modifies source code.
-## Phase 2: Context & Triage
-| Input | Source | Required |
-|-------|--------|----------|
-| Task description | From task subject/description | Yes |
-| Session path | Extracted from task description | Yes |
-| Scan results | <session>/scan/scan-results.json | Yes |
-| .msg/meta.json | <session>/.msg/meta.json | No |
-1. Extract session path, input path, dimensions from task description
-2. Load review specs: Run `ccw spec load --category review` for review standards, checklists, and approval gates
-3. Load scan results. If missing or empty -> report clean, complete immediately
-3. Load wisdom files from `<session>/wisdom/`
-4. Triage findings into two buckets:
-| Bucket | Criteria | Action |
-|--------|----------|--------|
-| deep_analysis | severity in [critical, high, medium], max 15, sorted critical-first | Enrich with root cause, impact, optimization |
-| pass_through | remaining (low, info, or overflow) | Include in report without enrichment |
-If deep_analysis empty -> skip Phase 3, go to Phase 4.
-## Phase 3: Deep Analysis (CLI Fan-out)
-Split deep_analysis into two domain groups, run parallel CLI agents:
-| Group | Dimensions | Focus |
-|-------|-----------|-------|
-| A | Security + Correctness | Root cause tracing, fix dependencies, blast radius |
-| B | Performance + Maintainability | Optimization approaches, refactor tradeoffs |
-If either group empty -> skip that agent.
-Build prompt per group requesting 6 enrichment fields per finding:
-- `root_cause`: `{description, related_findings[], is_symptom}`
-- `impact`: `{scope: low/medium/high, affected_files[], blast_radius}`
-- `optimization`: `{approach, alternative, tradeoff}`
-- `fix_strategy`: minimal / refactor / skip
-- `fix_complexity`: low / medium / high
-- `fix_dependencies`: finding IDs that must be fixed first
-Execute via `ccw cli --tool gemini --mode analysis --rule analysis-diagnose-bug-root-cause` (fallback: qwen -> codex). Parse JSON array responses, merge with originals (CLI-enriched replace originals, unenriched get defaults). Write `<session>/review/enriched-findings.json`.
-## Phase 4: Report Generation
-1. Combine enriched + pass_through findings
-2. Cross-correlate:
-   - **Critical files**: file appears in >=2 dimensions -> list with finding_count, severities
-   - **Root cause groups**: cluster findings sharing related_findings -> identify primary
-   - **Optimization suggestions**: from root cause groups + standalone enriched findings
-3. Compute metrics: by_dimension, by_severity, dimension_severity_matrix, fixable_count, auto_fixable_count
-4. Write `<session>/review/review-report.json`: `{review_id, review_date, findings[], critical_files[], optimization_suggestions[], root_cause_groups[], summary}`
-5. Write `<session>/review/review-report.md`: Executive summary, metrics matrix (dimension x severity), critical/high findings table, critical files list, optimization suggestions, recommended fix scope
-6. Update `<session>/.msg/meta.json` with review summary
-7. Contribute discoveries to `<session>/wisdom/` files
+---
+role: reviewer
+prefix: REV
+inner_loop: false
+message_types:
+  success: review_complete
+  error: error
+---
+# Finding Reviewer
+Deep analysis on scan findings: triage, root cause / impact / optimization enrichment via CLI fan-out, cross-correlation, and structured review report generation. Read-only -- never modifies source code.
+## Phase 2: Context & Triage
+| Input | Source | Required |
+|-------|--------|----------|
+| Task description | From task subject/description | Yes |
+| Session path | Extracted from task description | Yes |
+| Scan results | <session>/scan/scan-results.json | Yes |
+| .msg/meta.json | <session>/.msg/meta.json | No |
+1. Extract session path, input path, dimensions from task description
+2. Load review specs: Run `ccw spec load --category review` for review standards, checklists, and approval gates
+3. Load scan results. If missing or empty -> report clean, complete immediately
+3. Load wisdom files from `<session>/wisdom/`
+4. Triage findings into two buckets:
+| Bucket | Criteria | Action |
+|--------|----------|--------|
+| deep_analysis | severity in [critical, high, medium], max 15, sorted critical-first | Enrich with root cause, impact, optimization |
+| pass_through | remaining (low, info, or overflow) | Include in report without enrichment |
+If deep_analysis empty -> skip Phase 3, go to Phase 4.
+## Phase 3: Deep Analysis (CLI Fan-out)
+Split deep_analysis into two domain groups, run parallel CLI agents:
+| Group | Dimensions | Focus |
+|-------|-----------|-------|
+| A | Security + Correctness | Root cause tracing, fix dependencies, blast radius |
+| B | Performance + Maintainability | Optimization approaches, refactor tradeoffs |
+If either group empty -> skip that agent.
+Build prompt per group requesting 6 enrichment fields per finding:
+- `root_cause`: `{description, related_findings[], is_symptom}`
+- `impact`: `{scope: low/medium/high, affected_files[], blast_radius}`
+- `optimization`: `{approach, alternative, tradeoff}`
+- `fix_strategy`: minimal / refactor / skip
+- `fix_complexity`: low / medium / high
+- `fix_dependencies`: finding IDs that must be fixed first
+Execute via `ccw cli --tool gemini --mode analysis --rule analysis-diagnose-bug-root-cause` (fallback: qwen -> codex). Parse JSON array responses, merge with originals (CLI-enriched replace originals, unenriched get defaults). Write `<session>/review/enriched-findings.json`.
+## Phase 4: Report Generation
+1. Combine enriched + pass_through findings
+2. Cross-correlate:
+   - **Critical files**: file appears in >=2 dimensions -> list with finding_count, severities
+   - **Root cause groups**: cluster findings sharing related_findings -> identify primary
+   - **Optimization suggestions**: from root cause groups + standalone enriched findings
+3. Compute metrics: by_dimension, by_severity, dimension_severity_matrix, fixable_count, auto_fixable_count
+4. Write `<session>/review/review-report.json`: `{review_id, review_date, findings[], critical_files[], optimization_suggestions[], root_cause_groups[], summary}`
+5. Write `<session>/review/review-report.md`: Executive summary, metrics matrix (dimension x severity), critical/high findings table, critical files list, optimization suggestions, recommended fix scope
+6. Update `<session>/.msg/meta.json` with review summary
+7. Contribute discoveries to `<session>/wisdom/` files