devlyn-cli 1.0.0 → 1.1.0

package/CLAUDE.md

@@ -56,13 +56,14 @@ For hands-free build-evaluate-polish cycles — works for bugs, features, refact
 /devlyn:auto-resolve [task description]
 ```
 
-This runs the full pipeline automatically: **Build → Evaluate → Fix Loop → Simplify → Review → Clean → Docs**. Each phase runs as a separate subagent with its own context. Communication between phases happens via files (`.claude/done-criteria.md`, `.claude/EVAL-FINDINGS.md`).
+This runs the full pipeline automatically: **Build → Evaluate → Fix Loop → Simplify → Review → Security Review → Clean → Docs**. Each phase runs as a separate subagent with its own context. Communication between phases happens via files (`.claude/done-criteria.md`, `.claude/EVAL-FINDINGS.md`).
 
 Optional flags:
 - `--max-rounds 3` — increase max evaluate-fix iterations (default: 2)
 - `--skip-review` — skip team-review phase
 - `--skip-clean` — skip clean phase
 - `--skip-docs` — skip update-docs phase
+- `--with-codex [evaluate|review|both]` — use OpenAI Codex as cross-model evaluator/reviewer (requires codex-mcp-server)
 
 ## Manual Pipeline (Step-by-Step Control)
 

package/README.md

@@ -76,7 +76,7 @@ Slash commands are invoked directly in Claude Code conversations (e.g., type `/d
 |---|---|
 | `/devlyn:resolve` | Systematic bug fixing with root-cause analysis and test-driven validation |
 | `/devlyn:team-resolve` | Spawns a full agent team — root cause analyst, test engineer, security auditor — to investigate complex issues |
-| `/devlyn:auto-resolve` | Fully automated pipeline for any task — bugs, features, refactors, chores. Build → evaluate → fix loop → simplify → review → clean → docs. One command, zero human intervention |
+| `/devlyn:auto-resolve` | Fully automated pipeline for any task — bugs, features, refactors, chores. Build → evaluate → fix loop → simplify → review → clean → docs. One command, zero human intervention. Supports `--with-codex` for cross-model evaluation via OpenAI Codex |
 
 ### Code Review & Quality
 
@@ -142,10 +142,11 @@ One command runs the full cycle — no human intervention needed:
 | **Fix Loop** | If evaluation fails, fixes findings and re-evaluates (up to N rounds) |
 | **Simplify** | Quick cleanup pass for reuse and efficiency |
 | **Review** | Multi-perspective team review |
+| **Security** | Dedicated OWASP-focused audit (auto-detects when changes touch auth, secrets, APIs) |
 | **Clean** | Remove dead code and unused dependencies |
 | **Docs** | Sync documentation with changes |
 
-Each phase runs as a separate subagent (fresh context), communicates via files, and commits a git checkpoint for rollback safety. Skip phases with flags: `--skip-review`, `--skip-clean`, `--skip-docs`, `--max-rounds 3`.
+Each phase runs as a separate subagent (fresh context), communicates via files, and commits a git checkpoint for rollback safety. Skip phases with flags: `--skip-review`, `--skip-clean`, `--skip-docs`, `--max-rounds 3`, `--with-codex` (cross-model evaluation via OpenAI Codex).
 
 ### Manual Workflow
 
@@ -207,6 +208,9 @@ Copied directly into your `.claude/skills/` directory.
 | `prompt-engineering` | Claude 4 prompt optimization using official Anthropic best practices |
 | `better-auth-setup` | Production-ready Better Auth + Hono + Drizzle + PostgreSQL auth setup |
 | `pyx-scan` | Check whether an AI agent skill is safe before installing |
+| `dokkit` | Document template filling for DOCX/HWPX — ingest, fill, review, export |
+| `devlyn:pencil-pull` | Pull Pencil designs into code with exact visual fidelity |
+| `devlyn:pencil-push` | Push codebase UI to Pencil canvas for design sync |
 
 ### Community Packs
 
@@ -218,6 +222,7 @@ Installed via the [skills CLI](https://github.com/anthropics/skills) (`npx skill
 | `supabase/agent-skills` | Supabase integration patterns |
 | `coreyhaines31/marketingskills` | Marketing automation and content skills |
 | `anthropics/skills` | Official Anthropic skill-creator with eval framework and description optimizer |
+| `Leonxlnx/taste-skill` | Premium frontend design skills — modern layouts, animations, and visual refinement |
 
 > **Want to add a pack?** Open a PR adding your pack to the `OPTIONAL_ADDONS` array in [`bin/devlyn.js`](bin/devlyn.js).
 

package/config/skills/devlyn:auto-resolve/SKILL.md

@@ -17,23 +17,27 @@ $ARGUMENTS
 2. Determine optional flags from the input (defaults in parentheses):
    - `--max-rounds N` (2) — max evaluate-fix loops before stopping with a report
    - `--skip-review` (false) — skip team-review phase
+   - `--security-review` (auto) — run dedicated security audit. Auto-detects: runs when changes touch auth, secrets, user data, API endpoints, env/config, or crypto. Force with `--security-review always` or skip with `--security-review skip`
    - `--skip-clean` (false) — skip clean phase
    - `--skip-docs` (false) — skip update-docs phase
+   - `--with-codex` (false) — use OpenAI Codex as a cross-model evaluator/reviewer via `mcp__codex-cli__*` MCP tools. Accepts: `evaluate`, `review`, or `both` (default when flag is present without value). When enabled, Codex provides an independent second opinion from a different model family, creating a GAN-like dynamic where Claude builds and Codex critiques.
 
    Flags can be passed naturally: `/devlyn:auto-resolve fix the auth bug --max-rounds 3 --skip-docs`
+   Codex examples: `--with-codex` (both), `--with-codex evaluate`, `--with-codex review`
    If no flags are present, use defaults.
 
 3. Announce the pipeline plan:
 ```
 Auto-resolve pipeline starting
 Task: [extracted task description]
-Phases: Build → Evaluate → [Fix loop if needed] → Simplify → [Review] → [Clean] → [Docs]
+Phases: Build → Evaluate → [Fix loop if needed] → Simplify → [Review] → [Security] → [Clean] → [Docs]
 Max evaluation rounds: [N]
+Cross-model evaluation (Codex): [evaluate / review / both / disabled]
 ```
 
 ## PHASE 1: BUILD
 
-Spawn a subagent using the Agent tool to investigate and implement the fix. The subagent does NOT have access to skills, so include all necessary instructions inline.
+Spawn a subagent using the Agent tool with `mode: "bypassPermissions"` to investigate and implement the fix. The subagent does NOT have access to skills, so include all necessary instructions inline.
 
 Agent prompt — pass this to the Agent tool:
 
@@ -71,7 +75,7 @@ The task is: [paste the task description here]
 
 ## PHASE 2: EVALUATE
 
-Spawn a subagent using the Agent tool to evaluate the work. Include all evaluation instructions inline.
+Spawn a subagent using the Agent tool with `mode: "bypassPermissions"` to evaluate the work. Include all evaluation instructions inline.
 
 Agent prompt — pass this to the Agent tool:
 
@@ -119,18 +123,19 @@ Do NOT delete `.claude/done-criteria.md` or `.claude/EVAL-FINDINGS.md` — the o
 **After the agent completes**:
 1. Read `.claude/EVAL-FINDINGS.md`
 2. Extract the verdict
-3. Branch on verdict:
+3. **If `--with-codex` includes `evaluate` or `both`**: Read `references/codex-integration.md` and follow the "PHASE 2-CODEX: CROSS-MODEL EVALUATE" section. This runs Codex as a second evaluator and merges findings into `EVAL-FINDINGS.md`.
+4. Branch on verdict (from the merged findings if Codex was used):
    - `PASS` → skip to PHASE 3
    - `PASS WITH ISSUES` → skip to PHASE 3 (issues are shippable)
    - `NEEDS WORK` → go to PHASE 2.5 (fix loop)
    - `BLOCKED` → go to PHASE 2.5 (fix loop)
-4. If `.claude/EVAL-FINDINGS.md` was not created, treat as PASS WITH ISSUES and log a warning
+5. If `.claude/EVAL-FINDINGS.md` was not created, treat as PASS WITH ISSUES and log a warning
 
 ## PHASE 2.5: FIX LOOP (conditional)
 
 Track the current round number. If `round >= max-rounds`, stop the loop and proceed to PHASE 3 with a warning that unresolved findings remain.
 
-Spawn a subagent using the Agent tool to fix the evaluation findings.
+Spawn a subagent using the Agent tool with `mode: "bypassPermissions"` to fix the evaluation findings.
 
 Agent prompt — pass this to the Agent tool:
 
@@ -147,7 +152,7 @@ For each finding: read the referenced file:line, understand the issue, implement
 
 ## PHASE 3: SIMPLIFY
 
-Spawn a subagent using the Agent tool for a quick cleanup pass.
+Spawn a subagent using the Agent tool with `mode: "bypassPermissions"` for a quick cleanup pass.
 
 Agent prompt — pass this to the Agent tool:
 
@@ -160,7 +165,7 @@ Review the recently changed files (use `git diff HEAD~1` to see what changed). L
 
 Skip if `--skip-review` was set.
 
-Spawn a subagent using the Agent tool for a multi-perspective review.
+Spawn a subagent using the Agent tool with `mode: "bypassPermissions"` for a multi-perspective review.
 
 Agent prompt — pass this to the Agent tool:
 
@@ -170,15 +175,51 @@ Each reviewer evaluates from their perspective, sends findings with file:line ev
 
 Clean up the team after completion.
 
-**After the agent completes**:
+**If `--with-codex` includes `review` or `both`**: Read `references/codex-integration.md` and follow the "PHASE 4B: CODEX REVIEW" section. This runs Codex's independent code review and reconciles findings with the Claude team review.
+
+**After the review phase completes**:
 1. If CRITICAL issues remain unfixed, log a warning in the final report
 2. **Checkpoint**: Run `git add -A && git commit -m "chore(pipeline): review fixes complete"` if there are changes
 
-## PHASE 5: CLEAN (skippable)
+## PHASE 5: SECURITY REVIEW (conditional)
+
+Determine whether to run this phase:
+- If `--security-review always` → run
+- If `--security-review skip` → skip
+- If `--security-review auto` (default) → auto-detect by scanning changed files for security-sensitive patterns:
+  - Run `git diff main --name-only` and check for files matching: `*auth*`, `*login*`, `*session*`, `*token*`, `*secret*`, `*crypt*`, `*password*`, `*api*`, `*middleware*`, `*env*`, `*config*`, `*permission*`, `*role*`, `*access*`
+  - Also run `git diff main` and scan for patterns: `API_KEY`, `SECRET`, `TOKEN`, `PASSWORD`, `PRIVATE_KEY`, `Bearer`, `jwt`, `bcrypt`, `crypto`, `env.`, `process.env`
+  - If any match → run. If no matches → skip and note "Security review skipped — no security-sensitive changes detected."
+
+Spawn a subagent using the Agent tool with `mode: "bypassPermissions"` for a dedicated security audit.
+
+Agent prompt — pass this to the Agent tool:
+
+You are a security auditor performing a dedicated security review. This is NOT a general code review — focus exclusively on security concerns.
+
+Examine all recent changes (use `git diff main` to see what changed). For every changed file:
+
+1. **Input validation**: Trace every user input from entry point to storage/output. Check for: SQL injection, XSS, command injection, path traversal, SSRF.
+2. **Authentication & authorization**: Are new endpoints properly protected? Are auth checks consistent with existing patterns? Any privilege escalation paths?
+3. **Secrets & credentials**: Grep for hardcoded API keys, tokens, passwords, private keys. Check that secrets come from env vars, not source code. Verify .gitignore covers sensitive files.
+4. **Data exposure**: Are error messages leaking internal details? Are logs capturing sensitive data? Are API responses returning more data than needed?
+5. **Dependencies**: If package.json/requirements.txt changed, run the package manager's audit command (npm audit, pip-audit, etc.).
+6. **CSRF/CORS**: For new endpoints with side effects, verify CSRF protection. Check CORS configuration for overly permissive origins.
+
+For each finding, provide: severity (CRITICAL/HIGH/MEDIUM), file:line, OWASP category, description, and suggested fix.
+
+Fix any CRITICAL findings directly. For HIGH findings, fix if straightforward, otherwise document clearly.
+
+**After the agent completes**:
+1. If CRITICAL issues were found and fixed, this is expected — continue
+2. If CRITICAL issues remain unfixed, log a warning in the final report
+3. **Checkpoint**: Run `git add -A && git commit -m "chore(pipeline): security review complete"` if there are changes
+
+## PHASE 6: CLEAN (skippable)
 
 Skip if `--skip-clean` was set.
 
-Spawn a subagent using the Agent tool.
+Spawn a subagent using the Agent tool with `mode: "bypassPermissions"`.
 
 Agent prompt — pass this to the Agent tool:
 
@@ -187,11 +228,11 @@ Scan the codebase for dead code, unused dependencies, and code hygiene issues in
 **After the agent completes**:
 1. **Checkpoint**: Run `git add -A && git commit -m "chore(pipeline): cleanup complete"` if there are changes
 
-## PHASE 6: DOCS (skippable)
+## PHASE 7: DOCS (skippable)
 
 Skip if `--skip-docs` was set.
 
-Spawn a subagent using the Agent tool.
+Spawn a subagent using the Agent tool with `mode: "bypassPermissions"`.
 
 Agent prompt — pass this to the Agent tool:
 
@@ -200,7 +241,7 @@ Synchronize documentation with recent code changes. Use `git log --oneline -20`
 **After the agent completes**:
 1. **Checkpoint**: Run `git add -A && git commit -m "chore(pipeline): docs updated"` if there are changes
 
-## PHASE 7: FINAL REPORT
+## PHASE 8: FINAL REPORT
 
 After all phases complete:
 
@@ -221,10 +262,13 @@ After all phases complete:
 | Phase | Status | Notes |
 |-------|--------|-------|
 | Build (team-resolve) | [completed] | [brief summary] |
-| Evaluate | [PASS/NEEDS WORK after N rounds] | [verdict + key findings] |
+| Evaluate (Claude) | [PASS/NEEDS WORK after N rounds] | [verdict + key findings] |
+| Evaluate (Codex) | [completed / skipped] | [Codex-only findings count, merged verdict] |
 | Fix rounds | [N rounds / skipped] | [what was fixed] |
 | Simplify | [completed / skipped] | [changes made] |
-| Review (team-review) | [completed / skipped] | [findings summary] |
+| Review (Claude team) | [completed / skipped] | [findings summary] |
+| Review (Codex) | [completed / skipped] | [Codex-only findings, agreed findings] |
+| Security review | [completed / skipped / auto-skipped] | [findings or "no security-sensitive changes"] |
 | Clean | [completed / skipped] | [items cleaned] |
 | Docs (update-docs) | [completed / skipped] | [docs updated] |
 

package/config/skills/devlyn:auto-resolve/references/codex-integration.md

@@ -0,0 +1,82 @@
+# Codex Cross-Model Integration
+
+Instructions for using OpenAI Codex as an independent evaluator/reviewer in the auto-resolve pipeline. Only read this file when `--with-codex` is enabled.
+
+Codex is accessed via `mcp__codex-cli__*` MCP tools (provided by codex-mcp-server). This creates a GAN-like adversarial dynamic — Claude builds and Codex critiques, reducing shared blind spots between model families.
+
+---
+
+## PHASE 2-CODEX: CROSS-MODEL EVALUATE
+
+Run after the Claude evaluator (Phase 2) completes, only if `--with-codex` includes `evaluate` or `both`.
+
+### Step 1 — Get Codex's evaluation
+
+Call `mcp__codex-cli__codex` with:
+- `prompt`: Include the full content of `.claude/done-criteria.md` and the output of `git diff HEAD~1`. Ask Codex to evaluate the changes against the done criteria and report issues by severity (CRITICAL, HIGH, MEDIUM, LOW) with file:line references.
+- `workingDirectory`: the project root
+- `sandbox`: `"read-only"` (Codex should only read, not modify files)
+- `reasoningEffort`: `"high"`
+
+Example prompt to pass:
+```
+You are an independent code evaluator. Grade the following code changes against the done criteria below. Be strict — when in doubt, flag it.
+
+## Done Criteria
+[paste contents of .claude/done-criteria.md]
+
+## Code Changes
+[paste output of git diff HEAD~1]
+
+For each criterion, mark VERIFIED (with evidence) or FAILED (with file:line and what's wrong).
+Then list all issues found grouped by severity: CRITICAL, HIGH, MEDIUM, LOW.
+For each issue provide: file:line, description, and suggested fix.
+End with a verdict: PASS, PASS WITH ISSUES, NEEDS WORK, or BLOCKED.
+```
+
+### Step 2 — Merge findings
+
+Spawn a subagent using the Agent tool with `mode: "bypassPermissions"` to merge Claude's and Codex's evaluations.
+
+Agent prompt:
+
+Read `.claude/EVAL-FINDINGS.md` (Claude's evaluation) and the Codex evaluation output below. Merge them into a single unified `.claude/EVAL-FINDINGS.md` following the existing format. Rules:
+- Take the MORE SEVERE verdict between the two evaluators
+- Deduplicate findings that reference the same file:line or describe the same issue
+- When both evaluators flag the same issue, keep the more detailed description
+- Prefix Codex-only findings with `[codex]` so the fix loop knows the source
+- Preserve the exact structure: Verdict, Done Criteria Results, Findings Requiring Action (CRITICAL/HIGH), Cross-Cutting Patterns
+
+Codex evaluation:
+[paste Codex's response here]
+
+---
+
+## PHASE 4B: CODEX REVIEW
+
+Run after the Claude team review (Phase 4A) completes, only if `--with-codex` includes `review` or `both`.
+
+### Step 1 — Run Codex review
+
+Call `mcp__codex-cli__review` with:
+- `base`: `"main"` — review all changes since main
+- `workingDirectory`: the project root
+- `title`: `"Cross-model review (Codex)"`
+
+This runs OpenAI Codex's built-in code review against the diff. The review tool returns structured findings automatically — no custom prompt needed.
+
+### Step 2 — Reconcile both reviews
+
+Spawn a subagent using the Agent tool with `mode: "bypassPermissions"` to reconcile both reviews.
+
+Agent prompt:
+
+Two independent reviews have been conducted on recent changes — one by a Claude team review and one by OpenAI Codex. Reconcile them:
+
+Claude team review findings: [paste Phase 4A agent's output summary]
+Codex review findings: [paste mcp__codex-cli__review output]
+
+1. Deduplicate findings that describe the same issue
+2. For unique Codex findings not caught by Claude's team, prefix with `[codex]` and assess severity
+3. Fix any CRITICAL issues directly. For HIGH issues, fix if straightforward.
+4. Write a brief reconciliation summary to stdout listing: findings from both (agreed), Claude-only, Codex-only, and what was fixed

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "devlyn-cli",
-  "version": "1.0.0",
+  "version": "1.1.0",
   "description": "Claude Code configuration toolkit for teams",
   "bin": {
     "devlyn": "bin/devlyn.js"