devflow-kit 1.4.0 → 1.5.0

package/CHANGELOG.md

@@ -5,6 +5,18 @@ All notable changes to DevFlow will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.5.0] - 2026-03-13
+
+### Added
+- **Search-first skill** (#111) — New skill enforcing research before building custom utility code. 4-phase loop: Need Analysis → Search (via Explore subagent) → Evaluate → Decide (Adopt/Extend/Compose/Build)
+- **Reviewer confidence thresholds** (#113) — Each review finding now includes a visible confidence score (0-100%). Only ≥80% findings appear in main sections; lower-confidence items go to a capped Suggestions section. Adds consolidation rules to group similar issues and skip stylistic preferences
+- **Version manifest** (#91) — Tracks installed version, plugins, and features in `manifest.json`. Enables upgrade detection during `devflow init` and shows install status in `devflow list`
+
+### Fixed
+- **Synthesizer review glob** — Fixed `${REVIEW_BASE_DIR}/*-report.*.md` glob that matched zero reviewer files; now uses `${REVIEW_BASE_DIR}/*.md` with self-exclusion
+
+---
+
 ## [1.4.0] - 2026-03-09
 
 ### Added
@@ -853,6 +865,8 @@ devflow init
 
 ---
 
+[Unreleased]: https://github.com/dean0x/devflow/compare/v1.4.0...HEAD
+[1.5.0]: https://github.com/dean0x/devflow/compare/v1.4.0...v1.5.0
 [1.4.0]: https://github.com/dean0x/devflow/compare/v1.3.3...v1.4.0
 [1.3.3]: https://github.com/dean0x/devflow/compare/v1.3.2...v1.3.3
 [1.3.2]: https://github.com/dean0x/devflow/compare/v1.3.1...v1.3.2

package/README.md

@@ -24,7 +24,7 @@ DevFlow adds structured commands that handle the full lifecycle: specify feature
 - **Full-lifecycle implementation** — spec, explore, plan, code, validate, refine in one command
 - **Automatic session memory** — survives restarts, `/clear`, and context compaction
 - **Parallel debugging** — competing hypotheses investigated simultaneously
-- **30 quality skills** — 8 auto-activating core, 8 optional language/ecosystem, plus specialized review and agent skills
+- **31 quality skills** — 9 auto-activating core, 8 optional language/ecosystem, plus specialized review and agent skills
 
 ## Quick Start
 
@@ -120,6 +120,7 @@ The `devflow-core-skills` plugin provides quality enforcement skills that activa
 | `test-driven-development` | Implementing new features (RED-GREEN-REFACTOR) |
 | `test-patterns` | Writing or modifying tests |
 | `input-validation` | Creating API endpoints |
+| `search-first` | Adding utilities, helpers, or infrastructure code |
 
 ## Language & Ecosystem Plugins
 

package/dist/commands/init.js

@@ -15,6 +15,7 @@ import { detectPlatform, detectShell, getProfilePath, getSafeDeleteInfo, hasSafe
 import { generateSafeDeleteBlock, installToProfile, removeFromProfile, getInstalledVersion, SAFE_DELETE_BLOCK_VERSION } from '../utils/safe-delete-install.js';
 import { addAmbientHook } from './ambient.js';
 import { addMemoryHooks, removeMemoryHooks } from './memory.js';
+import { readManifest, writeManifest, resolvePluginList, detectUpgrade } from '../utils/manifest.js';
 // Re-export pure functions for tests (canonical source is post-install.ts)
 export { substituteSettingsTemplate, computeGitignoreAppend, applyTeamsConfig, stripTeamsConfig, mergeDenyList } from '../utils/post-install.js';
 export { addAmbientHook, removeAmbientHook, hasAmbientHook } from './ambient.js';
@@ -238,6 +239,17 @@ export const initCommand = new Command('init')
         p.log.error(`Path configuration error: ${error instanceof Error ? error.message : error}`);
         process.exit(1);
     }
+    // Check existing manifest for upgrade detection
+    const existingManifest = await readManifest(devflowDir);
+    if (existingManifest) {
+        const upgrade = detectUpgrade(version, existingManifest.version);
+        if (upgrade.isUpgrade) {
+            s.message(`Upgrading from v${upgrade.previousVersion} to v${version}`);
+        }
+        else if (upgrade.isSameVersion) {
+            s.message('Reinstalling same version');
+        }
+    }
     // Validate target directory
     s.message('Validating target directory');
     if (scope === 'local') {
@@ -519,6 +531,23 @@ export const initCommand = new Command('init')
         p.log.info(`Deduplication: ${skillsMap.size} unique skills (from ${totalSkillDeclarations} declarations)`);
         p.log.info(`Deduplication: ${agentsMap.size} unique agents (from ${totalAgentDeclarations} declarations)`);
     }
+    // Write installation manifest for upgrade tracking (non-fatal — install already succeeded)
+    const installedPluginNames = pluginsToInstall.map(pl => pl.name);
+    const now = new Date().toISOString();
+    const manifestData = {
+        version,
+        plugins: resolvePluginList(installedPluginNames, existingManifest, !!options.plugin),
+        scope,
+        features: { teams: teamsEnabled, ambient: ambientEnabled, memory: memoryEnabled },
+        installedAt: existingManifest?.installedAt ?? now,
+        updatedAt: now,
+    };
+    try {
+        await writeManifest(devflowDir, manifestData);
+    }
+    catch (error) {
+        p.log.warn(`Failed to write installation manifest (install succeeded): ${error instanceof Error ? error.message : error}`);
+    }
     p.outro(color.green('Ready! Run any command in Claude Code to get started.'));
 });
 //# sourceMappingURL=init.js.map

package/dist/commands/list.d.ts

@@ -1,3 +1,24 @@
 import { Command } from 'commander';
+import { type ManifestData } from '../utils/manifest.js';
+/**
+ * Format manifest feature flags into a human-readable comma-separated string.
+ * Returns 'none' when no features are enabled.
+ */
+export declare function formatFeatures(features: ManifestData['features']): string;
+/**
+ * Determine effective installation scope based on which manifest was found.
+ * Local scope takes precedence when a local manifest exists.
+ */
+export declare function resolveScope(localManifest: ManifestData | null): 'user' | 'local';
+/**
+ * Compute the install status indicator for a plugin.
+ * Returns 'installed', 'not_installed', or 'unknown' (when no manifest exists).
+ */
+export declare function getPluginInstallStatus(pluginName: string, installedPlugins: ReadonlySet<string>, hasManifest: boolean): 'installed' | 'not_installed' | 'unknown';
+/**
+ * Format the commands portion of a plugin entry.
+ * Returns the comma-separated command list or '(skills only)' for skill-only plugins.
+ */
+export declare function formatPluginCommands(commands: string[]): string;
 export declare const listCommand: Command;
 //# sourceMappingURL=list.d.ts.map

package/dist/commands/list.js

@@ -2,19 +2,87 @@ import { Command } from 'commander';
 import * as p from '@clack/prompts';
 import color from 'picocolors';
 import { DEVFLOW_PLUGINS } from '../plugins.js';
+import { getDevFlowDirectory } from '../utils/paths.js';
+import { getGitRoot } from '../utils/git.js';
+import { readManifest } from '../utils/manifest.js';
+import * as path from 'path';
+/**
+ * Format manifest feature flags into a human-readable comma-separated string.
+ * Returns 'none' when no features are enabled.
+ */
+export function formatFeatures(features) {
+    return [
+        features.teams ? 'teams' : null,
+        features.ambient ? 'ambient' : null,
+        features.memory ? 'memory' : null,
+    ].filter(Boolean).join(', ') || 'none';
+}
+/**
+ * Determine effective installation scope based on which manifest was found.
+ * Local scope takes precedence when a local manifest exists.
+ */
+export function resolveScope(localManifest) {
+    return localManifest ? 'local' : 'user';
+}
+/**
+ * Compute the install status indicator for a plugin.
+ * Returns 'installed', 'not_installed', or 'unknown' (when no manifest exists).
+ */
+export function getPluginInstallStatus(pluginName, installedPlugins, hasManifest) {
+    if (!hasManifest)
+        return 'unknown';
+    return installedPlugins.has(pluginName) ? 'installed' : 'not_installed';
+}
+/**
+ * Format the commands portion of a plugin entry.
+ * Returns the comma-separated command list or '(skills only)' for skill-only plugins.
+ */
+export function formatPluginCommands(commands) {
+    return commands.length > 0 ? commands.join(', ') : '(skills only)';
+}
 export const listCommand = new Command('list')
     .description('List available DevFlow plugins')
-    .action(() => {
+    .action(async () => {
     p.intro(color.bgCyan(color.black(' DevFlow Plugins ')));
+    // Resolve user manifest and git root in parallel (independent I/O)
+    const userDevflowDir = getDevFlowDirectory();
+    const [gitRoot, userManifest] = await Promise.all([
+        getGitRoot(),
+        readManifest(userDevflowDir),
+    ]);
+    const localDevflowDir = gitRoot ? path.join(gitRoot, '.devflow') : null;
+    const localManifest = localDevflowDir ? await readManifest(localDevflowDir) : null;
+    const manifest = localManifest ?? userManifest;
+    // Show install status if manifest exists
+    if (manifest) {
+        const installedAt = new Date(manifest.installedAt).toLocaleDateString();
+        const updatedAt = new Date(manifest.updatedAt).toLocaleDateString();
+        const scope = resolveScope(localManifest);
+        const features = formatFeatures(manifest.features);
+        p.note(`${color.dim('Version:')}  ${color.cyan(`v${manifest.version}`)}\n` +
+            `${color.dim('Scope:')}    ${scope}\n` +
+            `${color.dim('Features:')} ${features}\n` +
+            `${color.dim('Installed:')} ${installedAt}` +
+            (installedAt !== updatedAt ? `  ${color.dim('Updated:')} ${updatedAt}` : ''), 'Installation');
+    }
+    const installedPlugins = new Set(manifest?.plugins ?? []);
+    const hasManifest = manifest !== null;
     const maxNameLen = Math.max(...DEVFLOW_PLUGINS.map(p => p.name.length));
     const pluginList = DEVFLOW_PLUGINS
         .map(plugin => {
-        const cmds = plugin.commands.length > 0 ? plugin.commands.join(', ') : '(skills only)';
+        const cmds = formatPluginCommands(plugin.commands);
         const optionalTag = plugin.optional ? color.dim(' (optional)') : '';
-        return `${color.cyan(plugin.name.padEnd(maxNameLen + 2))}${color.dim(plugin.description)}${optionalTag}\n${' '.repeat(maxNameLen + 2)}${color.yellow(cmds)}`;
+        const status = getPluginInstallStatus(plugin.name, installedPlugins, hasManifest);
+        const installedTag = status === 'installed' ? color.green(' ✓')
+            : status === 'not_installed' ? color.dim(' ✗')
+                : '';
+        return `${color.cyan(plugin.name.padEnd(maxNameLen + 2))}${color.dim(plugin.description)}${optionalTag}${installedTag}\n${' '.repeat(maxNameLen + 2)}${color.yellow(cmds)}`;
     })
         .join('\n\n');
     p.note(pluginList, 'Available plugins');
+    if (!manifest) {
+        p.log.info(color.dim('Run `devflow init` for install tracking'));
+    }
     p.outro(color.dim('Install with: npx devflow-kit init --plugin=<name>'));
 });
 //# sourceMappingURL=list.js.map

package/dist/plugins.js

@@ -10,7 +10,7 @@ export const DEVFLOW_PLUGINS = [
         description: 'Auto-activating quality enforcement (foundation layer)',
         commands: [],
         agents: [],
-        skills: ['core-patterns', 'docs-framework', 'git-safety', 'git-workflow', 'github-patterns', 'input-validation', 'test-driven-development', 'test-patterns'],
+        skills: ['core-patterns', 'docs-framework', 'git-safety', 'git-workflow', 'github-patterns', 'input-validation', 'search-first', 'test-driven-development', 'test-patterns'],
     },
     {
         name: 'devflow-specify',

package/dist/utils/manifest.d.ts

@@ -0,0 +1,45 @@
+/**
+ * Manifest data tracked for each DevFlow installation.
+ */
+export interface ManifestData {
+    version: string;
+    plugins: string[];
+    scope: 'user' | 'local';
+    features: {
+        teams: boolean;
+        ambient: boolean;
+        memory: boolean;
+    };
+    installedAt: string;
+    updatedAt: string;
+}
+/**
+ * Read and parse the manifest file. Returns null if missing or corrupt.
+ */
+export declare function readManifest(devflowDir: string): Promise<ManifestData | null>;
+/**
+ * Write manifest to disk. Creates parent directory if needed.
+ */
+export declare function writeManifest(devflowDir: string, data: ManifestData): Promise<void>;
+/**
+ * Merge new plugins into existing plugin list (union, no duplicates).
+ * Preserves order: existing plugins first, then new ones appended.
+ */
+export declare function mergeManifestPlugins(existing: string[], newPlugins: string[]): string[];
+/**
+ * Detect upgrade/downgrade/same version status.
+ */
+export interface UpgradeInfo {
+    isUpgrade: boolean;
+    isDowngrade: boolean;
+    isSameVersion: boolean;
+    previousVersion: string | null;
+}
+/**
+ * Resolve the final plugin list for a manifest write.
+ * On partial installs (--plugin flag), merge newly installed plugins into
+ * the existing manifest's plugin list. On full installs, replace entirely.
+ */
+export declare function resolvePluginList(installedPluginNames: string[], existingManifest: ManifestData | null, isPartialInstall: boolean): string[];
+export declare function detectUpgrade(currentVersion: string, installedVersion: string | null): UpgradeInfo;
+//# sourceMappingURL=manifest.d.ts.map

package/dist/utils/manifest.js

@@ -0,0 +1,100 @@
+import { promises as fs } from 'fs';
+import * as path from 'path';
+/**
+ * Read and parse the manifest file. Returns null if missing or corrupt.
+ */
+export async function readManifest(devflowDir) {
+    const manifestPath = path.join(devflowDir, 'manifest.json');
+    try {
+        const content = await fs.readFile(manifestPath, 'utf-8');
+        const data = JSON.parse(content);
+        if (!data.version ||
+            !Array.isArray(data.plugins) ||
+            !data.scope ||
+            typeof data.features !== 'object' ||
+            data.features === null ||
+            typeof data.features.teams !== 'boolean' ||
+            typeof data.features.ambient !== 'boolean' ||
+            typeof data.features.memory !== 'boolean' ||
+            typeof data.installedAt !== 'string' ||
+            typeof data.updatedAt !== 'string') {
+            return null;
+        }
+        return data;
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Write manifest to disk. Creates parent directory if needed.
+ */
+export async function writeManifest(devflowDir, data) {
+    await fs.mkdir(devflowDir, { recursive: true });
+    const manifestPath = path.join(devflowDir, 'manifest.json');
+    await fs.writeFile(manifestPath, JSON.stringify(data, null, 2) + '\n', 'utf-8');
+}
+/**
+ * Merge new plugins into existing plugin list (union, no duplicates).
+ * Preserves order: existing plugins first, then new ones appended.
+ */
+export function mergeManifestPlugins(existing, newPlugins) {
+    const merged = [...existing];
+    for (const plugin of newPlugins) {
+        if (!merged.includes(plugin)) {
+            merged.push(plugin);
+        }
+    }
+    return merged;
+}
+/**
+ * Compare two semver strings. Returns -1, 0, or 1.
+ * Handles simple x.y.z versions; returns null for unparseable input.
+ *
+ * Note: Pre-release suffixes (e.g., `-beta.1`, `-rc.2`) are silently ignored.
+ * `1.0.0-beta.1` and `1.0.0` compare as equal. Build metadata is also ignored.
+ */
+function compareSemver(a, b) {
+    const parse = (v) => {
+        const match = v.match(/^v?(\d+)\.(\d+)\.(\d+)/);
+        return match ? [Number(match[1]), Number(match[2]), Number(match[3])] : [];
+    };
+    const pa = parse(a);
+    const pb = parse(b);
+    if (pa.length === 0 || pb.length === 0)
+        return null;
+    for (let i = 0; i < 3; i++) {
+        if (pa[i] > pb[i])
+            return 1;
+        if (pa[i] < pb[i])
+            return -1;
+    }
+    return 0;
+}
+/**
+ * Resolve the final plugin list for a manifest write.
+ * On partial installs (--plugin flag), merge newly installed plugins into
+ * the existing manifest's plugin list. On full installs, replace entirely.
+ */
+export function resolvePluginList(installedPluginNames, existingManifest, isPartialInstall) {
+    if (existingManifest && isPartialInstall) {
+        return mergeManifestPlugins(existingManifest.plugins, installedPluginNames);
+    }
+    return installedPluginNames;
+}
+export function detectUpgrade(currentVersion, installedVersion) {
+    if (!installedVersion) {
+        return { isUpgrade: false, isDowngrade: false, isSameVersion: false, previousVersion: null };
+    }
+    const cmp = compareSemver(currentVersion, installedVersion);
+    if (cmp === null) {
+        return { isUpgrade: false, isDowngrade: false, isSameVersion: false, previousVersion: installedVersion };
+    }
+    return {
+        isUpgrade: cmp > 0,
+        isDowngrade: cmp < 0,
+        isSameVersion: cmp === 0,
+        previousVersion: installedVersion,
+    };
+}
+//# sourceMappingURL=manifest.js.map

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "devflow-kit",
-  "version": "1.4.0",
+  "version": "1.5.0",
   "description": "Agentic Development Toolkit for Claude Code - Enhance AI-assisted development with intelligent commands and workflows",
   "type": "module",
   "bin": {

package/plugins/devflow-accessibility/.claude-plugin/plugin.json

@@ -4,7 +4,7 @@
   "author": {
     "name": "Dean0x"
   },
-  "version": "1.4.0",
+  "version": "1.5.0",
   "homepage": "https://github.com/dean0x/devflow",
   "repository": "https://github.com/dean0x/devflow",
   "license": "MIT",

package/plugins/devflow-ambient/.claude-plugin/plugin.json

@@ -4,7 +4,7 @@
   "author": {
     "name": "Dean0x"
   },
-  "version": "1.4.0",
+  "version": "1.5.0",
   "agents": [],
   "skills": [
     "ambient-router"

package/plugins/devflow-ambient/skills/ambient-router/SKILL.md

@@ -54,7 +54,7 @@ Based on classified intent, read the following skills to inform your response.
 
 | Intent | Primary Skills | Secondary (if file type matches) |
 |--------|---------------|----------------------------------|
-| **BUILD** | test-driven-development, implementation-patterns | typescript (.ts), react (.tsx/.jsx), go (.go), java (.java), python (.py), rust (.rs), frontend-design (CSS/UI), input-validation (forms/API), security-patterns (auth/crypto) |
+| **BUILD** | test-driven-development, implementation-patterns, search-first | typescript (.ts), react (.tsx/.jsx), go (.go), java (.java), python (.py), rust (.rs), frontend-design (CSS/UI), input-validation (forms/API), security-patterns (auth/crypto) |
 | **DEBUG** | test-patterns, core-patterns | git-safety (if git operations involved) |
 | **REVIEW** | self-review, core-patterns | test-patterns |
 | **PLAN** | implementation-patterns | core-patterns |

package/plugins/devflow-ambient/skills/ambient-router/references/skill-catalog.md

@@ -12,6 +12,7 @@ These skills may be loaded during GUIDED-depth ambient routing.
 |-------|-------------|---------------|
 | test-driven-development | Always for BUILD | `*.ts`, `*.tsx`, `*.js`, `*.jsx`, `*.py` |
 | implementation-patterns | Always for BUILD | Any code file |
+| search-first | Always for BUILD | Any code file |
 | typescript | TypeScript files in scope | `*.ts`, `*.tsx` |
 | react | React components in scope | `*.tsx`, `*.jsx` |
 | frontend-design | UI/styling work | `*.css`, `*.scss`, `*.tsx` with styling keywords |

package/plugins/devflow-audit-claude/.claude-plugin/plugin.json

@@ -4,7 +4,7 @@
   "author": {
     "name": "Dean0x"
   },
-  "version": "1.4.0",
+  "version": "1.5.0",
   "agents": [],
   "skills": []
 }

package/plugins/devflow-code-review/.claude-plugin/plugin.json

@@ -4,7 +4,7 @@
   "author": {
     "name": "Dean0x"
   },
-  "version": "1.4.0",
+  "version": "1.5.0",
   "homepage": "https://github.com/dean0x/devflow",
   "repository": "https://github.com/dean0x/devflow",
   "license": "MIT",

package/plugins/devflow-code-review/agents/reviewer.md

@@ -46,8 +46,33 @@ The orchestrator provides:
 3. **Apply 3-category classification** - Sort issues by where they occur
 4. **Apply focus-specific analysis** - Use pattern skill detection rules from the loaded skill file
 5. **Assign severity** - CRITICAL, HIGH, MEDIUM, LOW based on impact
-6. **Generate report** - File:line references with suggested fixes
-7. **Determine merge recommendation** - Based on blocking issues
+6. **Assess confidence** - Assign 0-100% confidence to each finding (see Confidence Scale below)
+7. **Filter by confidence** - Only report findings ≥80% in main sections; lower-confidence items go to Suggestions
+8. **Consolidate similar issues** - Group related findings to reduce noise (see Consolidation Rules)
+9. **Generate report** - File:line references with suggested fixes
+10. **Determine merge recommendation** - Based on blocking issues
+
+## Confidence Scale
+
+Assess how certain you are that each finding is a real issue (not a false positive):
+
+| Range | Label | Meaning |
+|-------|-------|---------|
+| 90-100% | Certain | Clearly a bug, vulnerability, or violation — no ambiguity |
+| 80-89% | High | Very likely an issue, but minor chance of false positive |
+| 60-79% | Medium | Plausible issue, but depends on context you may not fully see |
+| < 60% | Low | Possible concern, but likely a matter of style or interpretation |
+
+<!-- Confidence threshold also in: shared/agents/synthesizer.md, plugins/devflow-code-review/commands/code-review.md -->
+**Threshold**: Only report findings with ≥80% confidence in Blocking, Should-Fix, and Pre-existing sections. Findings with 60-79% confidence go to the Suggestions section. Findings < 60% are dropped entirely.
+
+## Consolidation Rules
+
+Before writing your report, apply these noise reduction rules:
+
+1. **Group similar issues** — If 3+ instances of the same pattern appear (e.g., "missing error handling" in multiple functions), consolidate into 1 finding listing all locations rather than N separate findings
+2. **Skip stylistic preferences** — Do not flag formatting, naming style, or code organization choices unless they violate explicit project conventions found in CLAUDE.md, .editorconfig, or linter configs
+3. **Skip issues in unchanged code** — Pre-existing issues in lines you did NOT change should only be reported if CRITICAL severity (security vulnerabilities, data loss risks)
 
 ## Issue Categories (from review-methodology)
 
@@ -76,17 +101,29 @@ Report format for `{output_path}`:
 
 ### CRITICAL
 **{Issue}** - `file.ts:123`
+**Confidence**: {n}%
 - Problem: {description}
 - Fix: {suggestion with code}
 
+**{Issue Title} ({N} occurrences)** — Confidence: {n}%
+- `file1.ts:12`, `file2.ts:45`, `file3.ts:89`
+- Problem: {description of the shared pattern}
+- Fix: {suggestion that applies to all occurrences}
+
 ### HIGH
-{issues...}
+{issues with **Confidence**: {n}% each...}
 
 ## Issues in Code You Touched (Should Fix)
-{issues with file:line...}
+{issues with file:line and **Confidence**: {n}% each...}
 
 ## Pre-existing Issues (Not Blocking)
-{informational issues...}
+{informational issues with **Confidence**: {n}% each...}
+
+## Suggestions (Lower Confidence)
+
+{Max 3 items with 60-79% confidence. Brief description only — no code fixes.}
+
+- **{Issue}** - `file.ts:456` (Confidence: {n}%) — {brief description}
 
 ## Summary
 | Category | CRITICAL | HIGH | MEDIUM | LOW |

package/plugins/devflow-code-review/agents/synthesizer.md

@@ -128,10 +128,14 @@ Analyze 3 axes to determine strategy:
 Synthesize outputs from multiple Reviewer agents. Apply strict merge rules.
 
 **Process:**
-1. Read all review reports from `${REVIEW_BASE_DIR}/*-report.*.md`
-2. Categorize issues into 3 buckets (from review-methodology)
-3. Count by severity (CRITICAL, HIGH, MEDIUM, LOW)
-4. Determine merge recommendation based on blocking issues
+1. Read all review reports from `${REVIEW_BASE_DIR}/*.md` (exclude your own output `review-summary.*.md`)
+2. Extract confidence percentages from each finding
+3. Apply confidence-aware aggregation: when multiple reviewers flag the same file:line, boost confidence by 10% per additional reviewer (cap at 100%)
+<!-- Confidence threshold also in: shared/agents/reviewer.md, plugins/devflow-code-review/commands/code-review.md -->
+4. Maintain ≥80% confidence threshold in final output
+5. Categorize issues into 3 buckets (from review-methodology)
+6. Count by severity (CRITICAL, HIGH, MEDIUM, LOW)
+7. Determine merge recommendation based on blocking issues
 
 **Issue Categories:**
 - **Blocking** (Category 1): Issues in YOUR changes - CRITICAL/HIGH must block
@@ -172,7 +176,10 @@ Report format:
 | Pre-existing | - | - | {n} | {n} | {n} |
 
 ## Blocking Issues
-{List with file:line and suggested fix}
+{List with file:line, confidence %, and suggested fix}
+
+## Suggestions (Lower Confidence)
+{Max 5 items across all reviewers with 60-79% confidence. Brief descriptions only.}
 
 ## Action Plan
 1. {Priority fix}

package/plugins/devflow-code-review/commands/code-review.md

@@ -95,7 +95,10 @@ IMPORTANT: Write report to .docs/reviews/{branch-slug}/{focus}.md using Write to
 Task(subagent_type="Git", run_in_background=false):
 "OPERATION: comment-pr
 Read reviews from .docs/reviews/{branch-slug}/
-Create inline PR comments, deduplicate, consolidate skipped into summary"
+<!-- Confidence threshold also in: shared/agents/reviewer.md, shared/agents/synthesizer.md -->
+Create inline PR comments for findings with ≥80% confidence only.
+Lower-confidence suggestions (60-79%) go in the summary comment, not as inline comments.
+Deduplicate findings across reviewers, consolidate skipped into summary."
 ```
 
 **Synthesizer Agent**:

package/plugins/devflow-core-skills/.claude-plugin/plugin.json

@@ -4,7 +4,7 @@
   "author": {
     "name": "Dean0x"
   },
-  "version": "1.4.0",
+  "version": "1.5.0",
   "homepage": "https://github.com/dean0x/devflow",
   "repository": "https://github.com/dean0x/devflow",
   "license": "MIT",
@@ -24,6 +24,7 @@
     "git-workflow",
     "github-patterns",
     "input-validation",
+    "search-first",
     "test-driven-development",
     "test-patterns"
   ]