dw-kit 1.3.6 → 1.4.0

package/.claude/skills/dw-archive/SKILL.md

@@ -54,6 +54,20 @@ mv {paths.tasks}/[task-name] {paths.tasks}/archive/[YYYY-MM]/
 
 Tổ chức theo tháng hoàn thành để dễ tìm kiếm sau.
 
+### 4a. Clean up review render artifacts (ADR-0007)
+
+Nếu `.dw/reviews/[task-name]/` hoặc `.dw/reviews/[task-slug]/` tồn tại:
+
+```bash
+# Local-only ephemeral artifacts (gitignored) — safe to remove on archive.
+# User can regenerate via /dw:review --visual nếu cần lại.
+rm -rf .dw/reviews/[task-name]/
+```
+
+Báo cáo trong output Bước 6: "Đã dọn .dw/reviews/[task-name]/ (regenerate via /dw:review --visual nếu cần)."
+
+Nếu task có scope_slug khác task-name (kiểm tra `.dw/reviews/*/manifest.json` có `task_id` matching), dọn cả slug đó.
+
 ## Bước 5: Cập nhật archive index
 
 Ghi/cập nhật `{paths.tasks}/archive/README.md`:

package/.claude/skills/dw-review/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: dw:review
-description: "Review code thay đổi gần đây hoặc cả task. Kiểm tra correctness, security, conventions, test coverage. Tạo báo cáo phân loại Critical/Warning/Suggestion."
-argument-hint: "[task-name | branch | file]"
+description: "Review code thay đổi gần đây hoặc cả task. Kiểm tra correctness, security, conventions, test coverage. Tạo báo cáo phân loại Critical/Warning/Suggestion. Pass --visual để emit manifest cho visual artifacts (ADR-0007)."
+argument-hint: "[task-name | branch | file] [--visual]"
 context: fork
 agent: reviewer
 allowed-tools:
@@ -11,6 +11,8 @@ allowed-tools:
   - "Bash(git diff *)"
   - "Bash(git log *)"
   - "Bash(git show *)"
+  - "Bash(dw review render *)"
+  - "Write(.dw/reviews/**/manifest.json)"
 ---
 
 # Code Review
@@ -57,6 +59,35 @@ Nếu có plan file (`{paths.tasks}/$ARGUMENTS/$ARGUMENTS-plan.md`):
 
 Tạo báo cáo đầy đủ theo format của reviewer agent.
 
+### 5-alt. `--visual` flag (ADR-0007)
+
+Nếu user pass `--visual`, KHÔNG in báo cáo inline. Thay vào đó:
+
+1. **Tạo manifest JSON** tuân thủ `src/lib/review/manifest-schema.json` (schema_version 1):
+   - `scope`: nhãn review (branch name, task slug, hoặc free-form từ argument)
+   - `scope_slug`: sanitize qua `scope-slug` util — KHÔNG dùng scope thô làm tên thư mục
+   - `generated_at`: ISO timestamp hiện tại
+   - `task_id` (optional): nếu review thuộc một task — link tới `.dw/tasks/{id}/`
+   - `review_meta`: `{reviewer: "dw-review", depth, diff_base, files_reviewed}`
+   - `findings[]`: mỗi finding có `id, severity (critical|warning|suggestion), title, location {file, line_start, line_end}, rule_ref?, body, fix?, code_snippet (≤50 lines quanh finding), language?`
+
+2. **Ghi manifest** ra `.dw/reviews/{scope_slug}/manifest.json` qua Write tool. Đây là file DUY NHẤT skill được phép viết.
+
+3. **Gọi renderer**:
+   ```bash
+   dw review render .dw/reviews/{scope_slug}/manifest.json
+   ```
+   CLI sẽ:
+   - Validate manifest qua schema
+   - Phát hiện `dw-kit-render` package (optional sub-package)
+   - Nếu có: render SVG + PNG per finding → `.dw/reviews/{scope_slug}/finding-{id}.svg` + `.png`
+   - Nếu thiếu: ghi `summary.md` markdown + prompt user install `dw-kit-render`
+   - Luôn ghi `summary.md` tổng hợp với links tới artifacts
+
+4. **Surface kết quả**: in danh sách artifact paths cho user; gợi ý mở `summary.md` hoặc embed image vào PR comment.
+
+KHÔNG fallback inline report — manifest + render là contract của `--visual`.
+
 ## Sau Review
 
 - Nếu có Critical issues: "Cần fix trước khi merge"

package/.dw/config/config.schema.json

@@ -1,121 +1,149 @@
-{
-  "$schema": "http://json-schema.org/draft-07/schema#",
-  "title": "dw-kit Configuration Schema",
-  "description": "Schema for config/dw.config.yml",
-  "type": "object",
-  "additionalProperties": false,
-  "properties": {
-    "project": {
-      "type": "object",
-      "additionalProperties": false,
-      "required": ["name"],
-      "properties": {
-        "name":     { "type": "string", "minLength": 1 },
-        "language": { "type": "string", "enum": ["vi", "en"], "default": "vi" }
-      }
-    },
-    "workflow": {
-      "type": "object",
-      "additionalProperties": false,
-      "properties": {
-        "default_depth": {
-          "type": "string",
-          "enum": ["quick", "standard", "thorough"],
-          "default": "standard"
-        }
-      }
-    },
-    "team": {
-      "type": "object",
-      "additionalProperties": false,
-      "properties": {
-        "roles": {
-          "type": "array",
-          "items": {
-            "type": "string",
-            "enum": ["dev", "techlead", "ba", "qc", "pm"]
-          },
-          "minItems": 1,
-          "contains": { "const": "dev" },
-          "description": "dev is always required"
-        }
-      }
-    },
-    "quality": {
-      "type": "object",
-      "additionalProperties": false,
-      "properties": {
-        "test_command":  { "type": "string", "default": "" },
-        "lint_command":  { "type": "string", "default": "" },
-        "block_on_fail": { "type": "boolean", "default": false }
-      }
-    },
-    "tracking": {
-      "type": "object",
-      "additionalProperties": false,
-      "properties": {
-        "estimation":      { "type": "boolean", "default": false },
-        "log_work":        { "type": "boolean", "default": false },
-        "estimation_unit": {
-          "type": "string",
-          "enum": ["hours", "story-points", "t-shirt"],
-          "default": "hours"
-        }
-      }
-    },
-    "paths": {
-      "type": "object",
-      "additionalProperties": false,
-      "properties": {
-        "tasks": { "type": "string", "default": ".dw/tasks" },
-        "docs":  { "type": "string", "default": ".dw/docs" }
-      }
-    },
-    "claude": {
-      "type": "object",
-      "additionalProperties": false,
-      "properties": {
-        "models": {
-          "type": "object",
-          "additionalProperties": false,
-          "properties": {
-            "plan":    { "type": "string", "default": "" },
-            "execute": { "type": "string", "default": "" },
-            "review":  { "type": "string", "default": "" }
-          }
-        },
-        "structured_output":  { "type": "boolean", "default": true },
-        "worktree_execution": { "type": "boolean", "default": false },
-        "mcp": {
-          "type": "array",
-          "items": {
-            "type": "object",
-            "required": ["name", "command"],
-            "additionalProperties": false,
-            "properties": {
-              "name":    { "type": "string" },
-              "command": { "type": "string" },
-              "args":    { "type": "array", "items": { "type": "string" } },
-              "env": {
-                "type": "object",
-                "additionalProperties": { "type": "string" }
-              }
-            }
-          }
-        }
-      }
-    },
-    "_toolkit": {
-      "type": "object",
-      "additionalProperties": true,
-      "properties": {
-        "core_version":     { "type": "string" },
-        "platform_version": { "type": "string" },
-        "capability_version": { "type": "string" },
-        "installed":        { "type": "string" },
-        "last_upgrade":     { "type": "string" },
-        "migrated_from":    { "type": "string" }
-      }
-    }
-  }
-}
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "title": "dw-kit Configuration Schema",
+  "description": "Schema for config/dw.config.yml",
+  "type": "object",
+  "additionalProperties": false,
+  "properties": {
+    "project": {
+      "type": "object",
+      "additionalProperties": false,
+      "required": ["name"],
+      "properties": {
+        "name":     { "type": "string", "minLength": 1 },
+        "language": { "type": "string", "enum": ["vi", "en"], "default": "vi" }
+      }
+    },
+    "workflow": {
+      "type": "object",
+      "additionalProperties": false,
+      "properties": {
+        "default_depth": {
+          "type": "string",
+          "enum": ["quick", "standard", "thorough"],
+          "default": "standard"
+        }
+      }
+    },
+    "team": {
+      "type": "object",
+      "additionalProperties": false,
+      "properties": {
+        "roles": {
+          "type": "array",
+          "items": {
+            "type": "string",
+            "enum": ["dev", "techlead", "ba", "qc", "pm"]
+          },
+          "minItems": 1,
+          "contains": { "const": "dev" },
+          "description": "dev is always required"
+        }
+      }
+    },
+    "quality": {
+      "type": "object",
+      "additionalProperties": false,
+      "properties": {
+        "test_command":  { "type": "string", "default": "" },
+        "lint_command":  { "type": "string", "default": "" },
+        "block_on_fail": { "type": "boolean", "default": false }
+      }
+    },
+    "tracking": {
+      "type": "object",
+      "additionalProperties": false,
+      "properties": {
+        "estimation":      { "type": "boolean", "default": false },
+        "log_work":        { "type": "boolean", "default": false },
+        "estimation_unit": {
+          "type": "string",
+          "enum": ["hours", "story-points", "t-shirt"],
+          "default": "hours"
+        }
+      }
+    },
+    "paths": {
+      "type": "object",
+      "additionalProperties": false,
+      "properties": {
+        "tasks": { "type": "string", "default": ".dw/tasks" },
+        "docs":  { "type": "string", "default": ".dw/docs" }
+      }
+    },
+    "claude": {
+      "type": "object",
+      "additionalProperties": false,
+      "properties": {
+        "models": {
+          "type": "object",
+          "additionalProperties": false,
+          "properties": {
+            "plan":    { "type": "string", "default": "" },
+            "execute": { "type": "string", "default": "" },
+            "review":  { "type": "string", "default": "" }
+          }
+        },
+        "structured_output":  { "type": "boolean", "default": true },
+        "worktree_execution": { "type": "boolean", "default": false },
+        "review": {
+          "type": "object",
+          "additionalProperties": false,
+          "description": "Review render pipeline (ADR-0007).",
+          "properties": {
+            "renderer": {
+              "type": "object",
+              "additionalProperties": false,
+              "properties": {
+                "strategy": {
+                  "type": "string",
+                  "enum": ["auto", "plugin", "markdown-only"],
+                  "default": "auto"
+                },
+                "theme":  { "type": "string", "default": "github-dark" },
+                "font":   { "type": "string", "default": "JetBrains Mono" },
+                "formats": {
+                  "type": "array",
+                  "items": { "type": "string", "enum": ["svg", "png"] },
+                  "minItems": 1,
+                  "uniqueItems": true,
+                  "default": ["svg", "png"]
+                },
+                "output_dir": { "type": "string", "default": ".dw/reviews" }
+              }
+            }
+          }
+        },
+        "mcp": {
+          "type": "array",
+          "items": {
+            "type": "object",
+            "required": ["name", "command"],
+            "additionalProperties": false,
+            "properties": {
+              "name":    { "type": "string" },
+              "command": { "type": "string" },
+              "args":    { "type": "array", "items": { "type": "string" } },
+              "env": {
+                "type": "object",
+                "additionalProperties": { "type": "string" }
+              }
+            }
+          }
+        }
+      }
+    },
+    "_toolkit": {
+      "type": "object",
+      "additionalProperties": true,
+      "properties": {
+        "core_version":     { "type": "string" },
+        "platform_version": { "type": "string" },
+        "capability_version": { "type": "string" },
+        "installed":        { "type": "string" },
+        "last_upgrade":     { "type": "string" },
+        "migrated_from":    { "type": "string" }
+      }
+    }
+  }
+}

package/.dw/config/dw.config.yml

@@ -59,6 +59,20 @@ claude:
   # Isolate execution trong git worktree (cho risky refactors)
   worktree_execution: false
 
+  # --- Review render pipeline (ADR-0007) ------------------------------------
+  # /dw:review --visual produces a manifest.json then invokes `dw review render`.
+  # Output goes to .dw/reviews/{scope-slug}/ — see ADR-0007.
+  review:
+    renderer:
+      # auto: try dw-kit-render package, fall back to markdown summary if missing
+      # plugin: require dw-kit-render to be installed (fail if missing)
+      # markdown-only: never invoke a renderer, emit markdown summary only
+      strategy: "auto"
+      theme: "github-dark"          # any shiki theme name
+      font: "JetBrains Mono"        # font family for code in SVG
+      formats: ["svg", "png"]       # outputs produced per finding
+      output_dir: ".dw/reviews"
+
   # MCP servers — Claude Code sẽ load các servers này
   mcp: []
   # Ví dụ:

package/README.md

@@ -36,6 +36,7 @@ It’s designed for collaboration (Dev / Tech Lead / QA / PM) and keeps work aud
 
 ## Release notes
 
+- **v1.4 (in progress)** — Optional **Review Render Pipeline** ([ADR-0007](.dw/decisions/0007-decoupled-review-render-pipeline.md)): `/dw:review --visual` plus a separate `dw-kit-render` package turn findings into SVG + PNG cards for PR comments / Slack / stakeholders. Pure JS + WASM, universal `npm install`, no system deps. See [`docs/review-renderer.md`](docs/review-renderer.md).
 - **v1.3.6** (2026-05-14) — Supply-Chain Guard upgraded to 3-pillar architecture: OSV snapshot + curated IoC fixture (version-aware, wired into default scan) + **AI-Native NEW-package heuristic** that catches zero-day-ish risk at the AI-edit boundary. See [`CHANGELOG.md#v136--2026-05-14`](CHANGELOG.md#v136--2026-05-14) and [ADR-0006](.dw/decisions/0006-supply-chain-guard-heuristic.md).
 - v1.3.5 (2026-05-12) — AI-Native Supply-Chain Guard: `dw security-scan` CLI + OSV.dev auto-sync + Edit-lockfile hook + scoped `.gitignore` for end-user projects. See [ADR-0005](.dw/decisions/0005-supply-chain-guard.md). Public 90-day sunset review committed for 2026-08-12.
 - v1.3.4 (2026-04-21) — `/dw:plan` Quick Debate (red/blue self-critique), depth-driven activation

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "dw-kit",
-  "version": "1.3.6",
+  "version": "1.4.0",
   "description": "AI development workflow toolkit — structured, quality-assured, team-ready. From requirements to dashboard.",
   "type": "module",
   "bin": {
@@ -56,6 +56,7 @@
   },
   "scripts": {
     "test": "node src/smoke-test.mjs",
+    "test:renderer": "cd packages/dw-kit-render && npm test",
     "link": "npm link",
     "test:e2e-local": "bash scripts/e2e-local-check.sh"
   },

package/src/cli.mjs

@@ -131,6 +131,21 @@ export function run(argv) {
       await securityScanCommand(opts);
     });
 
+  const reviewCmd = program
+    .command('review')
+    .description('Review subcommands (ADR-0007)');
+
+  reviewCmd
+    .command('render <manifest>')
+    .description('Render a /dw:review --visual manifest into SVG/PNG (requires dw-kit-render) or markdown summary fallback')
+    .option('-f, --format <kind>', 'Override output formats: svg | png | both', null)
+    .option('-s, --strategy <name>', 'Override strategy: auto | plugin | markdown-only', null)
+    .option('-q, --quiet', 'Suppress info logs (still exits non-zero on hard errors)')
+    .action(async (manifest, opts) => {
+      const { reviewRenderCommand } = await import('./commands/review-render.mjs');
+      await reviewRenderCommand(manifest, opts);
+    });
+
   program
     .command('claude-vn-fix')
     .description('Patch Claude CLI to fix Vietnamese IME (local, with backup/restore)')

package/src/commands/doctor.mjs

@@ -1,12 +1,29 @@
 import { existsSync, readFileSync } from 'node:fs';
+import { createRequire } from 'node:module';
 import { join, resolve } from 'node:path';
 import { fileURLToPath } from 'node:url';
 import { header, ok, warn, err, info, log } from '../lib/ui.mjs';
-import { loadConfig, getToolkitVersions } from '../lib/config.mjs';
+import { loadConfig, getToolkitVersions, getReviewRendererConfig } from '../lib/config.mjs';
 import { detectPlatform, platformLabel } from '../lib/platform.mjs';
 import { snapshotInfo } from '../lib/sc-sync.mjs';
 
 const TOOLKIT_ROOT = resolve(fileURLToPath(import.meta.url), '..', '..', '..');
+const RENDER_PACKAGE = 'dw-kit-render';
+
+function tryResolveRenderer(projectDir) {
+  if (process.env.DW_REVIEW_NO_RENDERER === '1') return { ok: false, reason: 'disabled by DW_REVIEW_NO_RENDERER=1' };
+  const reqProject = createRequire(join(projectDir, 'package.json'));
+  for (const req of [reqProject, createRequire(import.meta.url)]) {
+    try {
+      const pkgPath = req.resolve(`${RENDER_PACKAGE}/package.json`);
+      const pkg = JSON.parse(readFileSync(pkgPath, 'utf-8'));
+      return { ok: true, version: pkg.version };
+    } catch {
+      // try next
+    }
+  }
+  return { ok: false };
+}
 
 const CORE_FILES = [
   '.dw/core/WORKFLOW.md',
@@ -151,6 +168,29 @@ export async function doctorCommand() {
     }
   }
 
+  info('Review Render Pipeline (ADR-0007, opt-in)');
+  const rendererCfg = existsSync(configPath) ? getReviewRendererConfig(loadConfig(configPath) || {}) : getReviewRendererConfig({});
+  log(`  Strategy    : ${rendererCfg.strategy}`);
+  log(`  Formats     : ${rendererCfg.formats.join(', ')}`);
+  log(`  Theme/Font  : ${rendererCfg.theme} / ${rendererCfg.font}`);
+
+  if (rendererCfg.strategy === 'markdown-only') {
+    log('  Renderer    : skipped (strategy=markdown-only)');
+  } else {
+    const r = tryResolveRenderer(projectDir);
+    if (r.ok) {
+      ok(`Renderer    : dw-kit-render v${r.version || '?'} resolvable`);
+    } else if (rendererCfg.strategy === 'plugin') {
+      err("Renderer    : 'dw-kit-render' NOT installed but strategy='plugin'");
+      log(`  Install:  npm install -g dw-kit-render`);
+      issues++;
+    } else {
+      warn(`Renderer    : 'dw-kit-render' not installed — /dw:review --visual will fall back to markdown`);
+      log(`  Install (optional):  npm install -g dw-kit-render`);
+      warnings++;
+    }
+  }
+
   info('Supply-Chain Guard (ADR-0005, opt-in)');
   const sc = snapshotInfo(projectDir);
   if (!sc.exists) {

package/src/commands/review-render.mjs

@@ -0,0 +1,255 @@
+import { createRequire } from 'node:module';
+import { existsSync, mkdirSync, writeFileSync } from 'node:fs';
+import { dirname, join, resolve, isAbsolute } from 'node:path';
+import { pathToFileURL } from 'node:url';
+import { performance } from 'node:perf_hooks';
+import chalk from 'chalk';
+import { header, ok, info, log, warn, err } from '../lib/ui.mjs';
+import { loadConfigWithLocal, getReviewRendererConfig } from '../lib/config.mjs';
+import { readManifest } from '../lib/review/manifest-validator.mjs';
+import { logEvent } from '../lib/telemetry.mjs';
+
+const RENDER_PACKAGE = 'dw-kit-render';
+const INSTALL_HINT = `  Install renderer with: ${chalk.cyan('npm install -g dw-kit-render')}\n  Or run: ${chalk.cyan('dw doctor')} for environment check.`;
+
+/**
+ * `dw review render <manifest>` — invoked by /dw:review --visual after writing manifest.
+ * See ADR-0007 for architecture.
+ *
+ * @param {string} manifestPath - path to manifest.json (relative or absolute)
+ * @param {{format?: string, strategy?: string, quiet?: boolean}} opts
+ */
+export async function reviewRenderCommand(manifestPath, opts = {}) {
+  const projectDir = process.cwd();
+  const absManifest = isAbsolute(manifestPath) ? manifestPath : resolve(projectDir, manifestPath);
+  const startedAt = performance.now();
+
+  if (!opts.quiet) header('dw review render');
+
+  // 1. Load + validate manifest.
+  const parseResult = readManifest(absManifest);
+  if (!parseResult.ok) {
+    err(`Manifest invalid: ${absManifest}`);
+    for (const e of parseResult.errors.slice(0, 10)) {
+      log(`  ${chalk.dim(e.path || '/')} — ${e.message}`);
+    }
+    logEvent({ event: 'review_render', action: 'fail', fallback_reason: 'invalid-manifest' }, projectDir);
+    process.exit(1);
+  }
+  const manifest = parseResult.manifest;
+
+  // 2. Resolve config + strategy.
+  const config = loadConfigWithLocal(join(projectDir, '.dw', 'config')) || {};
+  const rendererCfg = getReviewRendererConfig(config);
+  const strategy = opts.strategy || rendererCfg.strategy;
+  const formats = parseFormats(opts.format) || rendererCfg.formats;
+
+  // 3. Resolve output directory.
+  const outDir = resolveOutputDir(rendererCfg.output_dir, manifest, projectDir);
+  if (!existsSync(outDir)) mkdirSync(outDir, { recursive: true });
+
+  if (!opts.quiet) {
+    info('Render context');
+    log(`  Manifest    : ${absManifest}`);
+    log(`  Scope       : ${manifest.scope} (slug: ${manifest.scope_slug || '—'})`);
+    log(`  Findings    : ${manifest.findings.length}`);
+    log(`  Strategy    : ${strategy}`);
+    log(`  Formats     : ${formats.join(', ')}`);
+    log(`  Output dir  : ${outDir}`);
+  }
+
+  // 4. Resolve renderer (dw-kit-render package).
+  const rendererResolved = strategy === 'markdown-only' ? null : await tryResolveRenderer(projectDir);
+  const finalStrategy = strategy === 'markdown-only'
+    ? 'markdown-only'
+    : (rendererResolved ? 'plugin' : (strategy === 'plugin' ? 'plugin-missing' : 'fallback-markdown'));
+
+  // Plugin strategy was requested but package is missing — fail loudly.
+  if (strategy === 'plugin' && !rendererResolved) {
+    err(`Strategy 'plugin' requested but '${RENDER_PACKAGE}' is not installed.`);
+    log(INSTALL_HINT);
+    logEvent({ event: 'review_render', action: 'fail', fallback_reason: 'no-renderer', strategy, formats }, projectDir);
+    process.exit(1);
+  }
+
+  let artifacts = { svg: [], png: [] };
+  let renderErrors = [];
+
+  if (rendererResolved) {
+    try {
+      if (!opts.quiet) info('Rendering with dw-kit-render');
+      const result = await rendererResolved.render({
+        manifest,
+        outDir,
+        formats,
+        theme: rendererCfg.theme,
+        font: rendererCfg.font,
+      });
+      artifacts = {
+        svg: Array.isArray(result?.svgPaths) ? result.svgPaths : [],
+        png: Array.isArray(result?.pngPaths) ? result.pngPaths : [],
+      };
+    } catch (e) {
+      renderErrors.push(e.message || String(e));
+      warn(`Renderer error: ${e.message || e}`);
+      warn('Falling back to markdown-only summary.');
+    }
+  } else if (strategy !== 'markdown-only') {
+    if (!opts.quiet) {
+      warn(`'${RENDER_PACKAGE}' not found — emitting markdown summary only.`);
+      log(INSTALL_HINT);
+    }
+  }
+
+  // 5. Write summary.md (always — works without renderer too).
+  const summaryPath = join(outDir, 'summary.md');
+  writeFileSync(summaryPath, buildSummaryMarkdown(manifest, artifacts, { outDir, projectDir }), 'utf-8');
+
+  const durationMs = Math.round(performance.now() - startedAt);
+
+  if (!opts.quiet) {
+    console.log();
+    info('Artifacts');
+    log(`  Summary     : ${summaryPath}`);
+    if (artifacts.svg.length) log(`  SVG         : ${artifacts.svg.length} file(s)`);
+    if (artifacts.png.length) log(`  PNG         : ${artifacts.png.length} file(s)`);
+    if (!artifacts.svg.length && !artifacts.png.length) log(`  ${chalk.dim('(markdown only — install dw-kit-render for images)')}`);
+    console.log();
+    if (renderErrors.length) {
+      warn(`${renderErrors.length} render error(s) — see above`);
+    } else {
+      ok(`Done in ${durationMs}ms`);
+    }
+  }
+
+  logEvent({
+    event: 'review_render',
+    action: renderErrors.length ? 'partial' : 'success',
+    strategy: finalStrategy,
+    formats,
+    findings: manifest.findings.length,
+    duration_ms: durationMs,
+    fallback_reason: rendererResolved ? null : (strategy === 'markdown-only' ? 'config-markdown-only' : 'no-renderer'),
+  }, projectDir);
+
+  process.exit(0);
+}
+
+function parseFormats(value) {
+  if (!value) return null;
+  if (value === 'both') return ['svg', 'png'];
+  if (value === 'svg' || value === 'png') return [value];
+  return null;
+}
+
+function resolveOutputDir(configDir, manifest, projectDir) {
+  const baseDir = isAbsolute(configDir) ? configDir : join(projectDir, configDir);
+  const slug = manifest.scope_slug || manifest.scope || 'review';
+  return join(baseDir, slug);
+}
+
+async function tryResolveRenderer(projectDir) {
+  // Test-only escape hatch: tests use this to force the markdown fallback even
+  // when a local renderer is dev-linked from a sibling packages/ dir.
+  if (process.env.DW_REVIEW_NO_RENDERER === '1') return null;
+
+  // Resolution order: project node_modules → CLI's own node_modules (global -g case).
+  // We use createRequire to get a *resolution* path, then dynamic-import that URL
+  // so the renderer can be ESM-only (Phase 1 ships ESM only).
+  for (const anchor of [join(projectDir, 'package.json'), import.meta.url]) {
+    try {
+      const req = createRequire(anchor);
+      const entry = req.resolve(RENDER_PACKAGE);
+      const mod = await import(pathToFileURL(entry).href);
+      const render = mod?.render || mod?.default?.render;
+      if (typeof render !== 'function') {
+        throw new Error("dw-kit-render module did not export a 'render' function");
+      }
+      return { render };
+    } catch {
+      // try next anchor
+    }
+  }
+  return null;
+}
+
+function buildSummaryMarkdown(manifest, artifacts, { outDir, projectDir }) {
+  const lines = [];
+  const counts = countBySeverity(manifest.findings);
+  const slug = manifest.scope_slug || manifest.scope;
+
+  lines.push(`# Review summary — ${manifest.scope}`);
+  lines.push('');
+  lines.push(`- Generated: ${manifest.generated_at}`);
+  if (manifest.review_meta?.diff_base) lines.push(`- Diff base: ${manifest.review_meta.diff_base}`);
+  if (manifest.review_meta?.files_reviewed != null) lines.push(`- Files reviewed: ${manifest.review_meta.files_reviewed}`);
+  if (manifest.task_id) lines.push(`- Task: \`${manifest.task_id}\``);
+  lines.push('');
+  lines.push(`**Severity counts:** critical=${counts.critical}, warning=${counts.warning}, suggestion=${counts.suggestion}`);
+  lines.push('');
+
+  if (!manifest.findings.length) {
+    lines.push('No findings.');
+    lines.push('');
+    return lines.join('\n');
+  }
+
+  lines.push('## Findings');
+  lines.push('');
+  for (const f of manifest.findings) {
+    const loc = formatLocation(f.location);
+    lines.push(`### [${f.severity.toUpperCase()}] ${f.title}`);
+    lines.push('');
+    lines.push(`- File: \`${loc}\``);
+    if (f.rule_ref) lines.push(`- Rule: ${f.rule_ref}`);
+
+    const svg = artifacts.svg.find((p) => p.endsWith(`finding-${f.id}.svg`));
+    const png = artifacts.png.find((p) => p.endsWith(`finding-${f.id}.png`));
+    if (svg) lines.push(`- SVG: \`${relativeTo(svg, outDir)}\``);
+    if (png) lines.push(`- PNG: \`${relativeTo(png, outDir)}\``);
+    lines.push('');
+    lines.push(f.body);
+    lines.push('');
+    if (f.code_snippet) {
+      const lang = f.language || '';
+      lines.push('```' + lang);
+      lines.push(f.code_snippet);
+      lines.push('```');
+      lines.push('');
+    }
+    if (f.fix) {
+      lines.push(`**Fix:** ${f.fix}`);
+      lines.push('');
+    }
+    lines.push('---');
+    lines.push('');
+  }
+
+  lines.push(`*Manifest: \`${relativeTo(join(outDir, 'manifest.json'), projectDir)}\`*`);
+  lines.push('');
+  return lines.join('\n');
+}
+
+function countBySeverity(findings) {
+  const out = { critical: 0, warning: 0, suggestion: 0 };
+  for (const f of findings) {
+    if (out[f.severity] != null) out[f.severity]++;
+  }
+  return out;
+}
+
+function formatLocation(loc) {
+  if (!loc) return '?';
+  if (loc.line_start && loc.line_end && loc.line_start !== loc.line_end) {
+    return `${loc.file}:${loc.line_start}-${loc.line_end}`;
+  }
+  if (loc.line_start) return `${loc.file}:${loc.line_start}`;
+  return loc.file;
+}
+
+function relativeTo(target, base) {
+  const t = target.replace(/\\/g, '/');
+  const b = base.replace(/\\/g, '/').replace(/\/$/, '');
+  if (t.startsWith(b + '/')) return t.slice(b.length + 1);
+  return t;
+}

package/src/lib/config.mjs

@@ -1,104 +1,120 @@
-import { readFileSync, writeFileSync, existsSync } from 'node:fs';
-import yaml from 'js-yaml';
-
-export function loadConfig(configPath) {
-  if (!existsSync(configPath)) return null;
-  const content = readFileSync(configPath, 'utf-8');
-  return yaml.load(content);
-}
-
-/**
- * Load config với local override (v1.2+).
- * dw.config.yml  — shared, committed
- * dw.config.local.yml — machine-specific, gitignored
- * Local values win over base values (shallow merge per top-level key).
- */
-export function loadConfigWithLocal(configDir) {
-  const basePath = `${configDir}/dw.config.yml`;
-  const localPath = `${configDir}/dw.config.local.yml`;
-
-  const base = loadConfig(basePath);
-  if (!base) return null;
-
-  if (!existsSync(localPath)) return base;
-
-  const local = loadConfig(localPath);
-  if (!local) return base;
-
-  const merged = { ...base };
-  for (const key of Object.keys(local)) {
-    if (typeof local[key] === 'object' && !Array.isArray(local[key]) && local[key] !== null) {
-      merged[key] = { ...(merged[key] || {}), ...local[key] };
-    } else {
-      merged[key] = local[key];
-    }
-  }
-  return merged;
-}
-
-export function writeConfig(configPath, data) {
-  const content = yaml.dump(data, {
-    indent: 2,
-    lineWidth: -1,
-    quotingType: '"',
-    forceQuotes: false,
-    noRefs: true,
-  });
-  writeFileSync(configPath, content, 'utf-8');
-}
-
-export function loadSchema(schemaPath) {
-  if (!existsSync(schemaPath)) return null;
-  return JSON.parse(readFileSync(schemaPath, 'utf-8'));
-}
-
-export function buildConfig({ projectName, language, depth, roles }) {
-  const today = new Date().toISOString().split('T')[0];
-  return {
-    project: {
-      name: projectName,
-      language: language,
-    },
-    workflow: {
-      default_depth: depth,
-    },
-    team: {
-      roles: roles,
-    },
-    quality: {
-      test_command: '',
-      lint_command: '',
-      block_on_fail: false,
-    },
-    tracking: {
-      estimation: depth !== 'quick',
-      log_work: depth === 'thorough',
-      estimation_unit: 'hours',
-    },
-    paths: {
-      tasks: '.dw/tasks',
-      docs: '.dw/docs',
-    },
-    claude: {
-      models: { plan: '', execute: '', review: '' },
-      structured_output: depth !== 'quick',
-      worktree_execution: false,
-      mcp: [],
-    },
-    _toolkit: {
-      core_version: '1.2',
-      platform_version: '1.0',
-      capability_version: '1.2',
-      installed: today,
-      last_upgrade: today,
-    },
-  };
-}
-
-export function getToolkitVersions(config) {
-  return {
-    core: config?._toolkit?.core_version || 'unknown',
-    platform: config?._toolkit?.platform_version || 'unknown',
-    capability: config?._toolkit?.capability_version || 'unknown',
-  };
-}
+import { readFileSync, writeFileSync, existsSync } from 'node:fs';
+import yaml from 'js-yaml';
+
+export function loadConfig(configPath) {
+  if (!existsSync(configPath)) return null;
+  const content = readFileSync(configPath, 'utf-8');
+  return yaml.load(content);
+}
+
+/**
+ * Load config với local override (v1.2+).
+ * dw.config.yml  — shared, committed
+ * dw.config.local.yml — machine-specific, gitignored
+ * Local values win over base values (shallow merge per top-level key).
+ */
+export function loadConfigWithLocal(configDir) {
+  const basePath = `${configDir}/dw.config.yml`;
+  const localPath = `${configDir}/dw.config.local.yml`;
+
+  const base = loadConfig(basePath);
+  if (!base) return null;
+
+  if (!existsSync(localPath)) return base;
+
+  const local = loadConfig(localPath);
+  if (!local) return base;
+
+  const merged = { ...base };
+  for (const key of Object.keys(local)) {
+    if (typeof local[key] === 'object' && !Array.isArray(local[key]) && local[key] !== null) {
+      merged[key] = { ...(merged[key] || {}), ...local[key] };
+    } else {
+      merged[key] = local[key];
+    }
+  }
+  return merged;
+}
+
+export function writeConfig(configPath, data) {
+  const content = yaml.dump(data, {
+    indent: 2,
+    lineWidth: -1,
+    quotingType: '"',
+    forceQuotes: false,
+    noRefs: true,
+  });
+  writeFileSync(configPath, content, 'utf-8');
+}
+
+export function loadSchema(schemaPath) {
+  if (!existsSync(schemaPath)) return null;
+  return JSON.parse(readFileSync(schemaPath, 'utf-8'));
+}
+
+export function buildConfig({ projectName, language, depth, roles }) {
+  const today = new Date().toISOString().split('T')[0];
+  return {
+    project: {
+      name: projectName,
+      language: language,
+    },
+    workflow: {
+      default_depth: depth,
+    },
+    team: {
+      roles: roles,
+    },
+    quality: {
+      test_command: '',
+      lint_command: '',
+      block_on_fail: false,
+    },
+    tracking: {
+      estimation: depth !== 'quick',
+      log_work: depth === 'thorough',
+      estimation_unit: 'hours',
+    },
+    paths: {
+      tasks: '.dw/tasks',
+      docs: '.dw/docs',
+    },
+    claude: {
+      models: { plan: '', execute: '', review: '' },
+      structured_output: depth !== 'quick',
+      worktree_execution: false,
+      mcp: [],
+    },
+    _toolkit: {
+      core_version: '1.2',
+      platform_version: '1.0',
+      capability_version: '1.2',
+      installed: today,
+      last_upgrade: today,
+    },
+  };
+}
+
+export function getToolkitVersions(config) {
+  return {
+    core: config?._toolkit?.core_version || 'unknown',
+    platform: config?._toolkit?.platform_version || 'unknown',
+    capability: config?._toolkit?.capability_version || 'unknown',
+  };
+}
+
+/**
+ * Renderer config for /dw:review --visual + `dw review render` (ADR-0007).
+ * Falls back to defaults when keys are absent so existing projects work
+ * without re-running `dw init`.
+ */
+export function getReviewRendererConfig(config) {
+  const r = config?.claude?.review?.renderer || {};
+  return {
+    strategy: r.strategy || 'auto',
+    theme: r.theme || 'github-dark',
+    font: r.font || 'JetBrains Mono',
+    formats: Array.isArray(r.formats) && r.formats.length ? r.formats : ['svg', 'png'],
+    output_dir: r.output_dir || '.dw/reviews',
+  };
+}

package/src/lib/review/manifest-schema.json

@@ -0,0 +1,149 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "$id": "https://github.com/dv-workflow/dv-workflow/schemas/review-manifest.json",
+  "title": "dw-kit Review Render Manifest",
+  "description": "Structured findings manifest produced by /dw:review --visual and consumed by `dw review render` + dw-kit-render. Versioned public API surface — see ADR-0007.",
+  "type": "object",
+  "additionalProperties": false,
+  "required": ["schema_version", "scope", "generated_at", "findings"],
+  "properties": {
+    "schema_version": {
+      "type": "integer",
+      "const": 1,
+      "description": "Manifest schema version. Renderer rejects mismatched versions with clear error."
+    },
+    "scope": {
+      "type": "string",
+      "minLength": 1,
+      "maxLength": 200,
+      "description": "Review scope identifier (branch slug, task slug, or arbitrary label). NOT used directly as path — caller must sanitize via scope-slug util."
+    },
+    "scope_slug": {
+      "type": "string",
+      "minLength": 1,
+      "maxLength": 80,
+      "pattern": "^[a-zA-Z0-9._-]+$",
+      "description": "Sanitized scope used as directory name under .dw/reviews/. Filesystem-safe on Windows + POSIX."
+    },
+    "generated_at": {
+      "type": "string",
+      "format": "date-time",
+      "description": "ISO-8601 timestamp when manifest was produced."
+    },
+    "task_id": {
+      "type": "string",
+      "description": "Optional link to .dw/tasks/{task_id}/ — enables /dw:execute to load findings as fix targets."
+    },
+    "review_meta": {
+      "type": "object",
+      "additionalProperties": false,
+      "properties": {
+        "reviewer": { "type": "string", "description": "Skill or agent name that produced this manifest (e.g. 'dw-review')." },
+        "depth": { "type": "string", "enum": ["quick", "standard", "thorough"] },
+        "diff_base": { "type": "string", "description": "Git ref the review was computed against (e.g. 'main', 'origin/dev')." },
+        "files_reviewed": { "type": "integer", "minimum": 0 }
+      }
+    },
+    "findings": {
+      "type": "array",
+      "minItems": 0,
+      "items": { "$ref": "#/definitions/finding" }
+    }
+  },
+  "definitions": {
+    "finding": {
+      "type": "object",
+      "additionalProperties": false,
+      "required": ["id", "severity", "title", "location", "body"],
+      "properties": {
+        "id": {
+          "type": "string",
+          "pattern": "^[a-zA-Z0-9._-]+$",
+          "minLength": 1,
+          "maxLength": 64,
+          "description": "Unique finding ID within the manifest. Used as artifact filename: finding-{id}.svg / .png."
+        },
+        "severity": {
+          "type": "string",
+          "enum": ["critical", "warning", "suggestion"],
+          "description": "Drives banner color in rendered artifact."
+        },
+        "title": {
+          "type": "string",
+          "minLength": 1,
+          "maxLength": 200,
+          "description": "One-line summary shown as the card heading."
+        },
+        "location": {
+          "type": "object",
+          "additionalProperties": false,
+          "required": ["file"],
+          "properties": {
+            "file": {
+              "type": "string",
+              "minLength": 1,
+              "description": "Repo-relative path. Forward slashes regardless of OS."
+            },
+            "line_start": {
+              "type": "integer",
+              "minimum": 1,
+              "description": "First relevant line (1-indexed)."
+            },
+            "line_end": {
+              "type": "integer",
+              "minimum": 1,
+              "description": "Last relevant line (1-indexed, inclusive)."
+            }
+          }
+        },
+        "rule_ref": {
+          "type": "string",
+          "maxLength": 200,
+          "description": "Optional rule/standard reference shown in card subhead."
+        },
+        "body": {
+          "type": "string",
+          "minLength": 1,
+          "maxLength": 4000,
+          "description": "Finding explanation (markdown allowed in rendered output, plain text safe fallback)."
+        },
+        "fix": {
+          "type": "string",
+          "maxLength": 4000,
+          "description": "Optional concrete fix suggestion shown as action banner."
+        },
+        "code_snippet": {
+          "type": "string",
+          "maxLength": 8000,
+          "description": "Raw code lines from `location` range. Pulled by the LLM during manifest generation; renderer does not re-read source files. Cap at ~50 lines around finding."
+        },
+        "language": {
+          "type": "string",
+          "maxLength": 32,
+          "description": "Language identifier for syntax highlighting (e.g. javascript, python, go). Defaults to plain text in renderer if absent or unknown."
+        }
+      },
+      "allOf": [
+        {
+          "if": {
+            "properties": {
+              "location": {
+                "required": ["line_start", "line_end"]
+              }
+            }
+          },
+          "then": {
+            "properties": {
+              "location": {
+                "properties": {
+                  "line_end": { "type": "integer" },
+                  "line_start": { "type": "integer" }
+                }
+              }
+            }
+          }
+        }
+      ]
+    }
+  }
+}

package/src/lib/review/manifest-validator.mjs

@@ -0,0 +1,93 @@
+import { readFileSync } from 'node:fs';
+import { fileURLToPath } from 'node:url';
+import { dirname, resolve } from 'node:path';
+import Ajv from 'ajv';
+
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const SCHEMA_PATH = resolve(__dirname, 'manifest-schema.json');
+
+let _schema = null;
+let _ajv = null;
+let _validate = null;
+
+export const CURRENT_SCHEMA_VERSION = 1;
+
+const ISO_DATE_TIME = /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?(Z|[+-]\d{2}:?\d{2})?$/;
+
+function getSchema() {
+  if (!_schema) {
+    _schema = JSON.parse(readFileSync(SCHEMA_PATH, 'utf-8'));
+  }
+  return _schema;
+}
+
+function getValidator() {
+  if (_validate) return _validate;
+  _ajv = new Ajv({ allErrors: true, strict: false });
+  _ajv.addFormat('date-time', ISO_DATE_TIME);
+  _validate = _ajv.compile(getSchema());
+  return _validate;
+}
+
+/**
+ * Validate a manifest object against the schema.
+ *
+ * @param {object} manifest - parsed manifest JSON
+ * @returns {{ok: boolean, errors: Array<{path: string, message: string}>}}
+ */
+export function validateManifest(manifest) {
+  if (manifest == null || typeof manifest !== 'object') {
+    return { ok: false, errors: [{ path: '', message: 'manifest must be an object' }] };
+  }
+  if (Number.isInteger(manifest.schema_version) && manifest.schema_version !== CURRENT_SCHEMA_VERSION) {
+    return {
+      ok: false,
+      errors: [{
+        path: '/schema_version',
+        message: `unsupported schema_version=${manifest.schema_version}; renderer supports ${CURRENT_SCHEMA_VERSION}. Upgrade dw-kit or regenerate manifest.`,
+      }],
+    };
+  }
+  const validate = getValidator();
+  const valid = validate(manifest);
+  if (valid) return { ok: true, errors: [] };
+  const errors = (validate.errors || []).map((e) => ({
+    path: e.instancePath || '/',
+    message: `${e.message}${e.params && Object.keys(e.params).length ? ' (' + JSON.stringify(e.params) + ')' : ''}`,
+  }));
+  return { ok: false, errors };
+}
+
+/**
+ * Parse + validate from JSON string.
+ *
+ * @param {string} jsonText
+ * @returns {{ok: boolean, manifest?: object, errors: Array}}
+ */
+export function parseManifest(jsonText) {
+  let manifest;
+  try {
+    manifest = JSON.parse(jsonText);
+  } catch (e) {
+    return { ok: false, errors: [{ path: '', message: `invalid JSON: ${e.message}` }] };
+  }
+  const result = validateManifest(manifest);
+  if (!result.ok) return { ok: false, errors: result.errors };
+  return { ok: true, manifest, errors: [] };
+}
+
+/**
+ * Read + validate manifest file from disk.
+ *
+ * @param {string} manifestPath
+ * @returns {{ok: boolean, manifest?: object, errors: Array}}
+ */
+export function readManifest(manifestPath) {
+  let text;
+  try {
+    text = readFileSync(manifestPath, 'utf-8');
+  } catch (e) {
+    return { ok: false, errors: [{ path: '', message: `cannot read manifest: ${e.message}` }] };
+  }
+  return parseManifest(text);
+}

package/src/lib/review/scope-slug.mjs

@@ -0,0 +1,68 @@
+/**
+ * Sanitize an arbitrary scope string (branch name, task name, free-form label)
+ * into a filesystem-safe directory slug usable on Windows + POSIX.
+ *
+ * Rules:
+ *   - Strip filesystem-illegal chars on Windows (NTFS): / \ : * ? " < > |
+ *   - Collapse whitespace + control chars to single dash
+ *   - Collapse runs of dashes/underscores/dots
+ *   - Trim leading/trailing dashes, underscores, dots
+ *   - Forbid reserved Windows device names (CON, PRN, AUX, NUL, COM1-9, LPT1-9)
+ *     by prefixing with `_` if matched
+ *   - Cap length at maxLength (default 80)
+ *   - Lowercase optional (default keeps case; renderer config can opt-in)
+ *
+ * Examples:
+ *   "fix/sc-guard-v1.3.6"     → "fix-sc-guard-v1.3.6"
+ *   "feat: thêm tính năng"     → "feat-thêm-tính-năng" (Unicode preserved)
+ *   "  multiple   spaces  "    → "multiple-spaces"
+ *   "CON"                      → "_CON"
+ *   "../../etc/passwd"         → "etc-passwd"
+ *
+ * @param {string} scope - raw scope string
+ * @param {{maxLength?: number, lowercase?: boolean}} [opts]
+ * @returns {string} sanitized slug
+ * @throws {Error} if input is empty after sanitization
+ */
+export function scopeSlug(scope, opts = {}) {
+  const { maxLength = 80, lowercase = false } = opts;
+
+  if (typeof scope !== 'string') {
+    throw new Error('scope must be a string');
+  }
+
+  let s = scope;
+
+  // Strip Windows-illegal chars + control chars (0x00-0x1F, 0x7F).
+  s = s.replace(/[\\/:*?"<>|\x00-\x1F\x7F]+/g, '-');
+
+  // Strip path traversal segments.
+  s = s.replace(/\.\.+/g, '-');
+
+  // Collapse whitespace runs to single dash.
+  s = s.replace(/\s+/g, '-');
+
+  // Collapse runs of separators (dash/underscore/dot) — keep one.
+  s = s.replace(/[-_.]{2,}/g, (m) => m[0]);
+
+  // Trim leading/trailing separators.
+  s = s.replace(/^[-_.]+|[-_.]+$/g, '');
+
+  if (lowercase) s = s.toLowerCase();
+
+  // Reserved Windows device names (case-insensitive).
+  if (/^(CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9])$/i.test(s)) {
+    s = `_${s}`;
+  }
+
+  // Cap length.
+  if (s.length > maxLength) {
+    s = s.slice(0, maxLength).replace(/[-_.]+$/g, '');
+  }
+
+  if (s.length === 0) {
+    throw new Error('scope sanitization produced empty slug — provide a non-empty alphanumeric scope');
+  }
+
+  return s;
+}