claude-dev-env 1.32.0 → 1.33.0

package/hooks/blocking/code_rules_enforcer.py

@@ -60,6 +60,13 @@ NOT_INSIDE_TYPE_CHECKING_BLOCK = -1
 MAX_ISSUES_PER_CHECK = 3
 FILE_GLOBAL_UPPER_SNAKE_PATTERN = re.compile(r"^_?[A-Z][A-Z0-9_]*$")
 
+COLLECTION_TYPE_NAMES: frozenset[str] = frozenset({
+    "list", "tuple", "set", "frozenset", "dict",
+    "Iterable", "Sequence", "Mapping", "MutableMapping", "FrozenSet",
+})
+COLLECTION_BY_NAME_PATTERN: re.Pattern[str] = re.compile(r"^[a-z][a-z0-9]*_by_[a-z][a-z0-9_]*$")
+CLI_FILE_PATH_MARKERS: tuple[str, ...] = ("/scripts/", "\\scripts\\", "_cli.py", "/cli.py", "\\cli.py")
+
 
 def get_file_extension(file_path: str) -> str:
     """Extract lowercase file extension."""
@@ -1933,6 +1940,106 @@ def check_unused_optional_parameters(content: str, file_path: str) -> list[str]:
     return issues
 
 
+def _annotation_names_collection(annotation_node: ast.expr | None) -> bool:
+    if annotation_node is None:
+        return False
+    if isinstance(annotation_node, ast.Name):
+        return annotation_node.id in COLLECTION_TYPE_NAMES
+    if isinstance(annotation_node, ast.Subscript):
+        return _annotation_names_collection(annotation_node.value)
+    if isinstance(annotation_node, ast.Attribute):
+        return annotation_node.attr in COLLECTION_TYPE_NAMES
+    return False
+
+
+def check_collection_prefix(content: str, file_path: str) -> list[str]:
+    if is_test_file(file_path):
+        return []
+    if is_workflow_registry_file(file_path) or is_migration_file(file_path):
+        return []
+    try:
+        tree = ast.parse(content)
+    except SyntaxError:
+        return []
+    issues: list[str] = []
+    for node in tree.body:
+        target_name: str | None = None
+        target_line = 0
+        is_collection_value = False
+        if isinstance(node, ast.AnnAssign) and isinstance(node.target, ast.Name):
+            target_name = node.target.id
+            target_line = node.lineno
+            is_collection_value = _annotation_names_collection(node.annotation)
+        elif isinstance(node, ast.Assign) and len(node.targets) == 1 and isinstance(node.targets[0], ast.Name):
+            target_name = node.targets[0].id
+            target_line = node.lineno
+            is_collection_value = isinstance(node.value, (ast.Tuple, ast.List, ast.Set, ast.Dict))
+        if target_name is None or not is_collection_value:
+            continue
+        if not UPPER_SNAKE_CONSTANT_PATTERN.match(target_name):
+            continue
+        if target_name.startswith("ALL_") or COLLECTION_BY_NAME_PATTERN.match(target_name.lower()):
+            continue
+        issues.append(
+            f"Line {target_line}: Collection constant {target_name} - prefix with ALL_ (CODE_RULES §5)"
+        )
+        if len(issues) >= MAX_ISSUES_PER_CHECK:
+            break
+    for node in ast.walk(tree):
+        if not isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
+            continue
+        for each_arg in _collect_annotated_arguments(node):
+            if not _annotation_names_collection(each_arg.annotation):
+                continue
+            if each_arg.arg in {"self", "cls"}:
+                continue
+            if each_arg.arg.startswith("all_") or COLLECTION_BY_NAME_PATTERN.match(each_arg.arg):
+                continue
+            issues.append(
+                f"Line {each_arg.lineno}: Collection parameter {each_arg.arg} - prefix with all_ (CODE_RULES §5)"
+            )
+            if len(issues) >= MAX_ISSUES_PER_CHECK:
+                return issues
+    return issues
+
+
+def _is_cli_entry_point(file_path: str) -> bool:
+    path_lower = file_path.lower().replace("\\", "/")
+    return any(marker.replace("\\", "/") in path_lower for marker in CLI_FILE_PATH_MARKERS)
+
+
+def check_library_print(content: str, file_path: str) -> list[str]:
+    if is_test_file(file_path) or is_config_file(file_path) or is_hook_infrastructure(file_path):
+        return []
+    if _is_cli_entry_point(file_path):
+        return []
+    if get_file_extension(file_path) not in PYTHON_EXTENSIONS:
+        return []
+    try:
+        tree = ast.parse(content)
+    except SyntaxError:
+        return []
+    issues: list[str] = []
+    for node in ast.walk(tree):
+        if not isinstance(node, ast.Call):
+            continue
+        function_reference = node.func
+        if isinstance(function_reference, ast.Name) and function_reference.id == "print":
+            issues.append(
+                f"Line {node.lineno}: Library print() - route through logger or accept an explicit stream parameter"
+            )
+        elif isinstance(function_reference, ast.Attribute) and function_reference.attr == "write":
+            value_node = function_reference.value
+            if isinstance(value_node, ast.Attribute) and isinstance(value_node.value, ast.Name):
+                if value_node.value.id == "sys" and value_node.attr in {"stdout", "stderr"}:
+                    issues.append(
+                        f"Line {node.lineno}: sys.{value_node.attr}.write - route through logger"
+                    )
+        if len(issues) >= MAX_ISSUES_PER_CHECK:
+            break
+    return issues
+
+
 def validate_content(content: str, file_path: str, old_content: str = "") -> list[str]:
     """Run all applicable validators on content.
 
@@ -1964,6 +2071,8 @@ def validate_content(content: str, file_path: str, old_content: str = "") -> lis
         all_issues.extend(check_existence_check_tests(content, file_path))
         all_issues.extend(check_constant_equality_tests(content, file_path))
         all_issues.extend(check_unused_optional_parameters(content, file_path))
+        all_issues.extend(check_collection_prefix(content, file_path))
+        all_issues.extend(check_library_print(content, file_path))
         check_incomplete_mocks(content, file_path)
         check_duplicated_format_patterns(content, file_path)
 

package/hooks/blocking/test_windows_rmtree_blocker.py

@@ -76,6 +76,12 @@ def test_allows_ignore_errors_false() -> None:
     )
 
 
+def test_blocks_rmtree_with_nested_parens_in_args() -> None:
+    assert payload_contains_unsafe_rmtree(
+        "shutil.rmtree(Path(target).resolve(), ignore_errors=True)"
+    )
+
+
 def test_extract_payload_handles_write_content() -> None:
     extracted = extract_payload_text("Write", {"content": "abc"})
     assert extracted == "abc"
@@ -98,6 +104,7 @@ def test_extract_payload_returns_empty_for_unknown_tool() -> None:
 
 def _run_hook(hook_input: dict) -> tuple[str, int]:
     captured = io.StringIO()
+    exit_code = 0
     sys.stdin = io.StringIO(json.dumps(hook_input))
     try:
         with redirect_stdout(captured):

package/hooks/blocking/windows_rmtree_blocker.py

@@ -16,70 +16,66 @@ import json
 import re
 import sys
 
-_WRITE_EDIT_TOOL_NAMES = {"Write", "Edit"}
-_BASH_TOOL_NAME = "Bash"
-
-_RMTREE_IGNORE_ERRORS_PATTERN = re.compile(
-    r"shutil\s*\.\s*rmtree\s*\([^)]*\bignore_errors\s*=\s*True\b",
-    re.DOTALL,
-)
-
-_CORRECTIVE_MESSAGE = (
-    "BLOCKED [windows-rmtree]: shutil.rmtree(..., ignore_errors=True) silently "
-    "fails on Windows when a file carries the ReadOnly attribute "
-    "(FILE_ATTRIBUTE_READONLY). The PermissionError is swallowed and the tree "
-    "stays on disk -- cleanup looks successful but removes nothing. Linux is "
-    "unaffected because unlink only needs write on the parent directory.\n\n"
-    "Use a Windows-safe handler that strips the attribute and retries the "
-    "syscall:\n\n"
-    "    import os\n"
-    "    import shutil\n"
-    "    import stat\n"
-    "    import sys\n\n"
-    "    def _strip_read_only_and_retry(removal_function, target_path, *_exc_info):\n"
-    "        try:\n"
-    "            os.chmod(target_path, stat.S_IWRITE)\n"
-    "            removal_function(target_path)\n"
-    "        except OSError:\n"
-    "            pass\n\n"
-    "    def force_rmtree(target_path: str) -> None:\n"
-    "        handler_kw = (\n"
-    '            {"onexc": _strip_read_only_and_retry}\n'
-    "            if sys.version_info >= (3, 12)\n"
-    '            else {"onerror": _strip_read_only_and_retry}\n'
-    "        )\n"
-    "        try:\n"
-    "            shutil.rmtree(target_path, **handler_kw)\n"
-    "        except OSError:\n"
-    "            pass\n\n"
-    "Two things to know about the handler:\n"
-    "  - *_exc_info collapses the signature difference. onerror passes "
-    "(type, value, traceback); onexc (Python 3.12+) passes a single exception.\n"
-    "  - removal_function is whichever syscall rmtree was attempting "
-    "(os.unlink for files, os.rmdir for dirs). Re-call it after chmod to finish "
-    "the work that originally failed.\n\n"
-    "See ~/.claude/rules/windows-filesystem-safe.md for full guidance."
-)
-
 
 def payload_contains_unsafe_rmtree(payload_text: str) -> bool:
     if not payload_text:
         return False
-    return bool(_RMTREE_IGNORE_ERRORS_PATTERN.search(payload_text))
+    rmtree_ignore_errors_pattern = re.compile(
+        r"shutil\s*\.\s*rmtree\s*\(.*?\bignore_errors\s*=\s*True\b",
+        re.DOTALL,
+    )
+    return bool(rmtree_ignore_errors_pattern.search(payload_text))
 
 
 def extract_payload_text(tool_name: str, tool_input: dict) -> str:
-    if tool_name in _WRITE_EDIT_TOOL_NAMES:
+    if tool_name in {"Write", "Edit"}:
         return tool_input.get("content", "") or tool_input.get("new_string", "") or ""
-    if tool_name == _BASH_TOOL_NAME:
+    if tool_name == "Bash":
         return tool_input.get("command", "") or ""
     return ""
 
 
 def main() -> None:
+    corrective_message = (
+        "BLOCKED [windows-rmtree]: shutil.rmtree(..., ignore_errors=True) silently "
+        "fails on Windows when a file carries the ReadOnly attribute "
+        "(FILE_ATTRIBUTE_READONLY). The PermissionError is swallowed and the tree "
+        "stays on disk -- cleanup looks successful but removes nothing. Linux is "
+        "unaffected because unlink only needs write on the parent directory.\n\n"
+        "Use a Windows-safe handler that strips the attribute and retries the "
+        "syscall:\n\n"
+        "    import os\n"
+        "    import shutil\n"
+        "    import stat\n"
+        "    import sys\n\n"
+        "    def _strip_read_only_and_retry(removal_function, target_path, *_exc_info):\n"
+        "        try:\n"
+        "            os.chmod(target_path, stat.S_IWRITE)\n"
+        "            removal_function(target_path)\n"
+        "        except OSError:\n"
+        "            pass\n\n"
+        "    def force_rmtree(target_path: str) -> None:\n"
+        "        handler_kw = (\n"
+        '            {"onexc": _strip_read_only_and_retry}\n'
+        "            if sys.version_info >= (3, 12)\n"
+        '            else {"onerror": _strip_read_only_and_retry}\n'
+        "        )\n"
+        "        try:\n"
+        "            shutil.rmtree(target_path, **handler_kw)\n"
+        "        except OSError:\n"
+        "            pass\n\n"
+        "Two things to know about the handler:\n"
+        "  - *_exc_info collapses the signature difference. onerror passes "
+        "(type, value, traceback); onexc (Python 3.12+) passes a single exception.\n"
+        "  - removal_function is whichever syscall rmtree was attempting "
+        "(os.unlink for files, os.rmdir for dirs). Re-call it after chmod to finish "
+        "the work that originally failed.\n\n"
+        "See ~/.claude/rules/windows-filesystem-safe.md for full guidance."
+    )
     try:
         hook_input = json.load(sys.stdin)
     except json.JSONDecodeError:
+        sys.stderr.write("windows_rmtree_blocker: malformed JSON on stdin\n")
         sys.exit(0)
 
     tool_name = hook_input.get("tool_name", "")
@@ -94,7 +90,7 @@ def main() -> None:
         "hookSpecificOutput": {
             "hookEventName": "PreToolUse",
             "permissionDecision": "deny",
-            "permissionDecisionReason": _CORRECTIVE_MESSAGE,
+            "permissionDecisionReason": corrective_message,
         }
     }
     print(json.dumps(deny_response))

package/hooks/config/session_env_cleanup_constants.py

@@ -11,7 +11,9 @@ SECONDS_PER_DAY = 24 * 60 * 60
 STALE_AGE_DAYS = 7
 STALE_AGE_SECONDS = STALE_AGE_DAYS * SECONDS_PER_DAY
 
-RMTREE_ONEXC_PYTHON_VERSION = (3, 12)
+ALL_RMTREE_ONEXC_PYTHON_VERSION_PARTS: tuple[int, int] = (3, 12)
+
+SESSION_ID_PAYLOAD_KEY: str = "session_id"
 
 SESSION_ID_PATTERN = re.compile(r"^[A-Za-z0-9_-]{1,64}$")
 

package/hooks/config/test_session_env_cleanup_constants.py

@@ -11,7 +11,7 @@ for each_sys_path_entry in (str(_CONFIG_DIRECTORY), str(_HOOKS_ROOT)):
     if each_sys_path_entry not in sys.path:
         sys.path.insert(0, each_sys_path_entry)
 
-from config.session_env_cleanup_constants import SESSION_ID_PATTERN
+from config.session_env_cleanup_constants import SESSION_ID_PATTERN, SESSION_ID_PAYLOAD_KEY
 
 
 class TestSessionIdPatternAccepts:
@@ -31,6 +31,11 @@ class TestSessionIdPatternAccepts:
         assert matched.group(0) == underscore_input
 
 
+class TestSessionIdPayloadKey:
+    def test_session_id_payload_key_matches_hook_protocol_field(self) -> None:
+        assert SESSION_ID_PAYLOAD_KEY == "session_id"
+
+
 class TestSessionIdPatternRejects:
     def test_rejects_forward_slash(self) -> None:
         assert SESSION_ID_PATTERN.match("etc/passwd") is None

package/hooks/session/session_env_cleanup.py

@@ -36,9 +36,10 @@ def _insert_hooks_tree_for_imports() -> None:
 _insert_hooks_tree_for_imports()
 
 from config.session_env_cleanup_constants import (
-    RMTREE_ONEXC_PYTHON_VERSION,
+    ALL_RMTREE_ONEXC_PYTHON_VERSION_PARTS,
     SESSION_ENV_DIRECTORY,
     SESSION_ID_PATTERN,
+    SESSION_ID_PAYLOAD_KEY,
     STALE_AGE_SECONDS,
     WINDOWS_PLATFORM_TAG,
 )
@@ -57,7 +58,7 @@ def _strip_read_only_and_retry(
 
 
 def _force_rmtree(target_path: str) -> None:
-    rmtree_onexc_python_version = RMTREE_ONEXC_PYTHON_VERSION
+    rmtree_onexc_python_version = ALL_RMTREE_ONEXC_PYTHON_VERSION_PARTS
     try:
         if sys.version_info >= rmtree_onexc_python_version:
             shutil.rmtree(target_path, onexc=_strip_read_only_and_retry)
@@ -103,10 +104,10 @@ def _read_session_id_from_stdin() -> str:
         return ""
     if not isinstance(payload, dict):
         return ""
-    raw_session_id = payload.get("session_id")
+    raw_session_id = payload.get(SESSION_ID_PAYLOAD_KEY)
     if not isinstance(raw_session_id, str):
         return ""
-    if not session_id_pattern.match(raw_session_id):
+    if not session_id_pattern.fullmatch(raw_session_id):
         return ""
     return raw_session_id
 

package/hooks/session/test_session_env_cleanup.py

@@ -179,6 +179,7 @@ class TestMainReadsSessionIdFromStdin:
         with (
             patch.object(cleanup, "prune_session_env", side_effect=fake_prune),
             patch("sys.stdin", stdin_payload),
+            patch.object(cleanup.sys, "platform", "win32"),
         ):
             cleanup.main()
         assert captured_call["session_id"] == "session-from-stdin"
@@ -197,6 +198,7 @@ class TestMainReadsSessionIdFromStdin:
         with (
             patch.object(cleanup, "prune_session_env", side_effect=fake_prune),
             patch("sys.stdin", stdin_payload),
+            patch.object(cleanup.sys, "platform", "win32"),
         ):
             cleanup.main()
         assert captured_call["session_id"] == ""

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "claude-dev-env",
-    "version": "1.32.0",
+    "version": "1.33.0",
     "description": "Claude Code development standards — rules, hooks, agents, commands, and skills",
     "type": "module",
     "bin": {

package/rules/windows-filesystem-safe.md

@@ -53,9 +53,7 @@ Two things to know about the handler:
 If a skill or runbook genuinely needs a one-line shell invocation, the equivalent without `ignore_errors=True` is:
 
 ```bash
-python -c "import os, shutil, stat, sys; \
-def _h(f, p, *_): os.chmod(p, stat.S_IWRITE); f(p); \
-shutil.rmtree(r'<path>', **({'onexc': _h} if sys.version_info >= (3, 12) else {'onerror': _h}))"
+python -c "import os, shutil, stat, sys; h = lambda f, p, *_: (os.chmod(p, stat.S_IWRITE), f(p)); shutil.rmtree(r'<path>', **({'onexc': h} if sys.version_info >= (3, 12) else {'onerror': h}))"
 ```
 
 Prefer the multi-line `force_rmtree` helper — the one-liner is hard to read and easy to mis-quote.

package/skills/bugteam/PROMPTS.md

@@ -35,8 +35,47 @@ cd into `<worktree_path>` before any git, gh, or file operation.
   H. Security boundaries (injection, path traversal, auth bypass, secret leakage)
   I. Concurrency hazards (race conditions, missing awaits, shared mutable state)
   J. Magic values and configuration drift
+  Copilot-derived addendum (K–N) — verify each one explicitly. Return at
+  least one finding per category OR a verified-clean entry that names the
+  exact files and lines you walked.
+  K. Collection naming. Every tuple, list, set, dict, mapping, or sequence
+     parameter must follow the CODE_RULES.md §5 "Extended naming rules"
+     prefix discipline:
+       - module-level constant whose value is a tuple/list/set/dict/frozenset
+         literal MUST start with `ALL_` (e.g. `ALL_THEMES_INSERT_REQUIRED_COLUMN_NAMES`)
+       - function/method parameter whose annotation is `list[...]`, `tuple[...]`,
+         `set[...]`, `dict[...]`, `Iterable[...]`, `Sequence[...]`, `Mapping[...]`,
+         or `frozenset[...]` MUST start with `all_` (e.g. `all_column_value_pairs`)
+       - exempt: dict/map names that follow the `X_by_Y` pattern (e.g.
+         `price_by_product`)
+  L. Library print / direct stdout. In any module that is not a CLI entry
+     point (`__main__`, `*_cli.py`, `scripts/*.py`), every `print(...)`,
+     `sys.stdout.write(...)`, `sys.stderr.write(...)` call is a finding.
+     The fix is to route through a `logger` call OR to make the output
+     stream an explicit parameter so callers can redirect it.
+  M. String-literal magic values. Treat domain-identifier string literals
+     (database column names, table names, HTTP header names, status enums,
+     environment-variable names) inside a function body as magic values
+     even when the existing number-only check would let them pass. The
+     fix is to extract them into `config/` and reference the imported
+     name. Do not flag plain log messages, error messages, or one-off
+     human-readable strings.
+  N. Wrapper plumb-through. When a public function delegates to an
+     inner function defined in the same package, every optional kwarg
+     accepted by the inner function MUST appear in the public wrapper
+     unless the wrapper docstring explicitly states the kwarg is fixed
+     to a sentinel default. Silently dropping `loud_banner_stream`,
+     `timeout`, `dry_run`, or any similar optional kwarg is a finding.
 </bug_categories>
 
+<copilot_derived_addendum_source>
+  The K–N categories were added after Copilot raised real findings on
+  PR #70 (writer.py / summary.py) and PR #73 (constants.py / writer.py /
+  tracker.py) that converged "0 P0 / 0 P1 / 0 P2" under the original
+  A–J rubric. See ~/.claude/skills/bugteam/reference/copilot-gap-analysis.md
+  for the inventory and the validators that now back categories K and L.
+</copilot_derived_addendum_source>
+
 <constraints>
   - Read-only on source code: the audit does not modify any source file.
   - Cite file:line for every finding.

package/skills/bugteam/SKILL.md

@@ -81,7 +81,9 @@ The fix script removes any non-canonical local-scope override on the active repo
 [ ] Step 0: project permissions granted
 [ ] Step 1: PR scope resolved
 [ ] Step 2: agent team created + loop state set
+[ ] Step 2.6: INITIAL standards review against cumulative PR diff
 [ ] Step 3: cycle complete (converged | cap reached | stuck | error)
+[ ] Step 3.5: FINAL standards review against cumulative PR diff
 [ ] Step 4: team torn down + working tree clean
 [ ] Step 4.5: PR description rewritten (or skip warning logged)
 [ ] Step 5: project permissions revoked
@@ -203,6 +205,23 @@ jq -n \
 
 **Endpoints:** `POST .../pulls/{pull}/reviews`; `POST .../pulls/{pull}/comments/{id}/replies`; fallback `POST .../issues/{issue}/comments` (`issue` = PR number).
 
+### Step 2.6: INITIAL standards review (once, before Loop 1 audit)
+
+Run BEFORE the first pre-audit gate fires. Spawn a fresh `code-quality-agent`
+teammate inside the same team and drive it through the K–N addendum (see
+PROMPTS.md `<copilot_derived_addendum_source>`). The teammate audits the
+cumulative PR diff (`gh pr diff <N>`) instead of a single loop's incremental
+patch; clean-room context is preserved by the same agent-team isolation as
+the per-loop bugfind teammate. Findings are posted using the same Step 2.5
+review-shape with body `## /bugteam INITIAL standards review against PR #<N>
+cumulative diff: <P0>P0 / <P1>P1 / <P2>P2`. Findings advance the audit/fix
+cycle exactly as if they had been raised in Loop 1: the lead increments
+`loop_count` to 1, sets `last_action = "audited"` with the merged
+`last_findings`, and Step 3 begins on the FIX branch. When the INITIAL
+review returns zero findings, `loop_count` stays at 0 and Step 3 begins on
+the AUDIT branch as before. Failure on this phase logs the error and
+proceeds to Step 3 unchanged so the legacy A–J cycle still runs.
+
 ### Step 3: The cycle
 
 Run the AUDIT-FIX cycle for each PR in all_prs, reusing the same team across PRs. The 10-loop cap applies per PR. Exit reasons (converged, cap reached, stuck, error) are tracked per PR; the final report lists one outcome line per PR.
@@ -285,6 +304,19 @@ Pass finding comment URLs/ids from `loop_comment_index` in XML. Replies: `Fixed
 
 [`PROMPTS.md`](PROMPTS.md): fix XML + schema. Verify: `git rev-parse HEAD` advanced; `git fetch origin <branch> && git rev-parse origin/<branch>` matches `HEAD`. Unchanged HEAD → `stuck — bugfix teammate could not address findings`.
 
+### Step 3.5: FINAL standards review (once, after convergence)
+
+Run AFTER Step 3 exits with `converged`, `cap reached`, or `stuck`, and
+BEFORE Step 4 teardown. Spawn one more fresh `code-quality-agent` teammate;
+audit the cumulative PR diff against the K–N addendum a second time. Post
+the review with body `## /bugteam FINAL standards review against PR #<N>
+cumulative diff: <P0>P0 / <P1>P1 / <P2>P2`. When findings remain, the
+exit reason is upgraded to `error: final standards review found <P0>+<P1>+<P2>
+unresolved finding(s)` and the loop log gains an extra `final-review` line.
+A clean FINAL review preserves the existing exit reason. Failure on this
+phase logs the error and continues to Step 4 unchanged so teardown,
+permission revoke, and the final report still run.
+
 ### Step 4: Teardown
 
 1. For each live teammate: `SendMessage(to="<name>", message={"type": "shutdown_request", "reason": "bugteam cycle ending"})`. `approve: false` on cleanup → log and continue.
@@ -329,8 +361,10 @@ Final commit: <current_HEAD_sha7>
 Net change: <total_files> files, +<total_add>/-<total_del>
 
 Loop log:
+  initial standards review: 1P0 0P1 2P2
   1 audit: 3P0 2P1 0P2
   ...
+  final standards review: 0P0 0P1 0P2
 ```
 
 `cap reached` → suggest `/findbugs`. `stuck` → which findings. `error` → detail + loop.