forgehive 0.6.0

package/dist/confirm.d.ts

@@ -0,0 +1 @@
+export declare function confirm(projectRoot: string): void;

package/dist/confirm.js

@@ -0,0 +1,15 @@
+import fs from "node:fs";
+import path from "node:path";
+import yaml from "js-yaml";
+export function confirm(projectRoot) {
+    const capFile = path.join(projectRoot, ".claude", "capabilities.yaml");
+    if (!fs.existsSync(capFile)) {
+        throw new Error("capabilities.yaml nicht gefunden — führe zuerst `framework-os init` aus");
+    }
+    const doc = yaml.load(fs.readFileSync(capFile, "utf8"));
+    if (doc.status === "confirmed") {
+        throw new Error("capabilities.yaml ist bereits confirmed");
+    }
+    doc.status = "confirmed";
+    fs.writeFileSync(capFile, "# Confirmed by framework-os confirm\n" + yaml.dump(doc), "utf8");
+}

package/dist/fulfillment-catalog.d.ts

@@ -0,0 +1,10 @@
+export interface FulfillmentDef {
+    check: string;
+    fulfill: {
+        intent: string;
+        preferred?: string;
+        constraints: string[];
+        verify: string;
+    };
+}
+export declare const FULFILLMENT_CATALOG: Record<string, FulfillmentDef>;

package/dist/fulfillment-catalog.js

@@ -0,0 +1,119 @@
+export const FULFILLMENT_CATALOG = {
+    nodejs: {
+        check: "node --version",
+        fulfill: {
+            intent: "Ensure Node.js is installed",
+            preferred: "nvm install --lts",
+            constraints: ["must not change system Node version without nvm"],
+            verify: "node --version",
+        },
+    },
+    vitest: {
+        check: "npx vitest --version",
+        fulfill: {
+            intent: "Set up Vitest as the test runner",
+            preferred: "npm install vitest --save-dev",
+            constraints: ["must match existing package manager", "must not break existing test scripts"],
+            verify: "npx vitest --version",
+        },
+    },
+    jest: {
+        check: "npx jest --version",
+        fulfill: {
+            intent: "Set up Jest as the test runner",
+            preferred: "npm install jest @types/jest --save-dev",
+            constraints: ["must match existing package manager", "must not break existing test scripts"],
+            verify: "npx jest --version",
+        },
+    },
+    playwright: {
+        check: "npx playwright --version",
+        fulfill: {
+            intent: "Set up Playwright for end-to-end testing",
+            preferred: "npm install @playwright/test --save-dev && npx playwright install",
+            constraints: ["must not overwrite existing playwright.config"],
+            verify: "npx playwright --version",
+        },
+    },
+    eslint: {
+        check: "npx eslint --version",
+        fulfill: {
+            intent: "Set up ESLint for code linting",
+            preferred: "npm install eslint --save-dev",
+            constraints: ["must match project's existing eslint config if present"],
+            verify: "npx eslint --version",
+        },
+    },
+    typescript: {
+        check: "npx tsc --version",
+        fulfill: {
+            intent: "Add TypeScript to the project",
+            preferred: "npm install typescript --save-dev && npx tsc --init",
+            constraints: ["must not overwrite existing tsconfig.json"],
+            verify: "npx tsc --version",
+        },
+    },
+    prisma: {
+        check: "npx prisma --version",
+        fulfill: {
+            intent: "Set up Prisma ORM",
+            preferred: "npm install prisma @prisma/client && npx prisma init",
+            constraints: ["must not overwrite existing prisma/schema.prisma"],
+            verify: "npx prisma --version",
+        },
+    },
+    tailwind: {
+        check: "npx tailwindcss --version",
+        fulfill: {
+            intent: "Set up Tailwind CSS",
+            preferred: "npm install tailwindcss --save-dev && npx tailwindcss init",
+            constraints: ["must not overwrite existing tailwind.config"],
+            verify: "npx tailwindcss --version",
+        },
+    },
+    docker: {
+        check: "docker --version",
+        fulfill: {
+            intent: "Ensure Docker is available",
+            preferred: "Install Docker Desktop from https://docker.com",
+            constraints: ["do not auto-install system-level tools"],
+            verify: "docker --version",
+        },
+    },
+    "github-actions": {
+        check: "test -d .github/workflows",
+        fulfill: {
+            intent: "Set up GitHub Actions CI/CD",
+            preferred: "mkdir -p .github/workflows && create basic ci.yml",
+            constraints: ["must not overwrite existing workflow files"],
+            verify: "test -d .github/workflows",
+        },
+    },
+    "pre-commit": {
+        check: "pre-commit --version",
+        fulfill: {
+            intent: "Set up pre-commit hooks",
+            preferred: "pip install pre-commit && pre-commit install",
+            constraints: ["must not overwrite existing .pre-commit-config.yaml"],
+            verify: "pre-commit --version",
+        },
+    },
+    fastapi: {
+        check: "python -c 'import fastapi'",
+        fulfill: {
+            intent: "Install FastAPI",
+            preferred: "pip install fastapi uvicorn",
+            constraints: ["must use active virtualenv if present"],
+            verify: "python -c 'import fastapi; print(fastapi.__version__)'",
+        },
+    },
+    django: {
+        check: "python -m django --version",
+        fulfill: {
+            intent: "Install Django",
+            preferred: "pip install django",
+            constraints: ["must use active virtualenv if present"],
+            verify: "python -m django --version",
+        },
+    },
+};

package/dist/lookup-table.d.ts

@@ -0,0 +1,16 @@
+import type { FoundSignal } from "./types.ts";
+export interface Capability {
+    id: string;
+    source: string;
+    confidence: "confirmed" | "inferred";
+}
+export interface CapabilityMap {
+    confirmed: Capability[];
+    inferred: Capability[];
+}
+interface SignalInput {
+    signals: FoundSignal[];
+    packages: string[];
+}
+export declare function mapSignalsToCapabilities(input: SignalInput): CapabilityMap;
+export {};

package/dist/lookup-table.js

@@ -0,0 +1,128 @@
+// Filename → capability IDs
+const FILENAME_TO_IDS = {
+    "package.json": ["nodejs", "javascript"],
+    "pyproject.toml": ["python"],
+    "Cargo.toml": ["rust"],
+    "go.mod": ["golang"],
+    "pom.xml": ["java", "maven"],
+    "Gemfile": ["ruby"],
+    "composer.json": ["php"],
+    "Dockerfile": ["docker"],
+    "docker-compose.yml": ["docker-compose"],
+    ".gitlab-ci.yml": ["gitlab-ci", "ci-cd"],
+    "pytest.ini": ["pytest"],
+    "openapi.yaml": ["openapi"],
+    "openapi.yml": ["openapi"],
+    "openapi.json": ["openapi"],
+    ".pre-commit-config.yaml": ["pre-commit"],
+};
+const TIER2_DIR_PREFIX_TO_IDS = {
+    ".github/workflows": ["github-actions", "ci-cd"],
+    "terraform": ["terraform", "infrastructure-as-code"],
+    "k8s": ["kubernetes"],
+};
+const FILENAME_PREFIX_TO_IDS = [
+    [/^jest\.config\./, ["jest", "unit-testing"]],
+    [/^vitest\.config\./, ["vitest", "unit-testing"]],
+    [/^\.eslintrc/, ["eslint", "linting"]],
+];
+// npm/pip/cargo package name → capability IDs
+const PACKAGE_TO_IDS = {
+    // JS Frameworks
+    "react": ["react"],
+    "react-dom": ["react"],
+    "next": ["nextjs"],
+    "nuxt": ["nuxt"],
+    "vue": ["vue"],
+    "@vue/core": ["vue"],
+    "svelte": ["svelte"],
+    "@sveltejs/kit": ["sveltekit"],
+    "remix": ["remix"],
+    "@remix-run/react": ["remix"],
+    "gatsby": ["gatsby"],
+    "astro": ["astro"],
+    // Backend JS
+    "express": ["express"],
+    "fastify": ["fastify"],
+    "hono": ["hono"],
+    "koa": ["koa"],
+    "nestjs": ["nestjs"],
+    "@nestjs/core": ["nestjs"],
+    // Database / ORM
+    "@prisma/client": ["prisma"],
+    "prisma": ["prisma"],
+    "drizzle-orm": ["drizzle"],
+    "typeorm": ["typeorm"],
+    "mongoose": ["mongoose"],
+    "sequelize": ["sequelize"],
+    // Testing JS
+    "vitest": ["vitest"],
+    "jest": ["jest"],
+    "@playwright/test": ["playwright"],
+    "playwright": ["playwright"],
+    "cypress": ["cypress"],
+    "storybook": ["storybook"],
+    "@storybook/react": ["storybook"],
+    // Build / Tooling
+    "vite": ["vite"],
+    "webpack": ["webpack"],
+    "esbuild": ["esbuild"],
+    "turbo": ["turborepo"],
+    "nx": ["nx"],
+    // Auth
+    "next-auth": ["next-auth"],
+    "@auth/core": ["auth-js"],
+    "lucia": ["lucia"],
+    // Styling
+    "tailwindcss": ["tailwind"],
+    "@tailwindcss/vite": ["tailwind"],
+    "styled-components": ["styled-components"],
+    // State
+    "zustand": ["zustand"],
+    "jotai": ["jotai"],
+    "@reduxjs/toolkit": ["redux"],
+    "redux": ["redux"],
+    // Python frameworks (from pip, often in pyproject.toml — detected via name in packages)
+    "fastapi": ["fastapi"],
+    "django": ["django"],
+    "flask": ["flask"],
+    "sqlalchemy": ["sqlalchemy"],
+    "pydantic": ["pydantic"],
+    "alembic": ["alembic"],
+};
+export function mapSignalsToCapabilities(input) {
+    const seen = new Set();
+    const confirmed = [];
+    const add = (id, source) => {
+        if (seen.has(id))
+            return;
+        seen.add(id);
+        confirmed.push({ id, source, confidence: "confirmed" });
+    };
+    for (const sig of input.signals) {
+        for (const id of resolveSignalIds(sig)) {
+            add(id, sig.path);
+        }
+    }
+    for (const pkg of input.packages) {
+        const ids = PACKAGE_TO_IDS[pkg];
+        if (ids) {
+            for (const id of ids)
+                add(id, "package.json");
+        }
+    }
+    return { confirmed, inferred: [] };
+}
+function resolveSignalIds(sig) {
+    if (FILENAME_TO_IDS[sig.filename])
+        return FILENAME_TO_IDS[sig.filename];
+    for (const [prefix, ids] of Object.entries(TIER2_DIR_PREFIX_TO_IDS)) {
+        if (sig.path.startsWith(prefix + "/"))
+            return ids;
+    }
+    for (const [pattern, ids] of FILENAME_PREFIX_TO_IDS) {
+        if (pattern.test(sig.filename))
+            return ids;
+    }
+    return [];
+}

package/dist/rollback.d.ts

@@ -0,0 +1 @@
+export declare function rollback(projectRoot: string): void;

package/dist/rollback.js

@@ -0,0 +1,9 @@
+import fs from "node:fs";
+import path from "node:path";
+export function rollback(projectRoot) {
+    const claudeDir = path.join(projectRoot, ".claude");
+    if (!fs.existsSync(claudeDir)) {
+        throw new Error(".claude/ nicht gefunden — nichts zum Rückgängigmachen");
+    }
+    fs.rmSync(claudeDir, { recursive: true, force: true });
+}

package/dist/scanner.d.ts

@@ -0,0 +1,2 @@
+import type { ScanResult } from "./types.ts";
+export declare function scan(projectRoot: string): ScanResult;

package/dist/scanner.js

@@ -0,0 +1,87 @@
+import fs from "node:fs";
+import path from "node:path";
+const TIER1 = [
+    "package.json",
+    "pyproject.toml",
+    "Cargo.toml",
+    "go.mod",
+    "pom.xml",
+    "Gemfile",
+    "composer.json",
+];
+const TIER2_FILES = [
+    "Dockerfile",
+    "docker-compose.yml",
+    ".gitlab-ci.yml",
+];
+const TIER2_DIRS = [
+    ".github/workflows",
+    "terraform",
+    "k8s",
+];
+const TIER3_PATTERNS = [
+    /^\.eslintrc(\.(json|js|yml|yaml|cjs))?$/,
+    /^jest\.config\.(js|ts|mjs|cjs|json)$/,
+    /^vitest\.config\.(js|ts|mjs)$/,
+    /^pytest\.ini$/,
+    /^openapi\.(yaml|yml|json)$/,
+    /^\.pre-commit-config\.yaml$/,
+];
+export function scan(projectRoot) {
+    const signals = [];
+    for (const filename of TIER1) {
+        if (fs.existsSync(path.join(projectRoot, filename))) {
+            signals.push(signal(1, filename, filename));
+        }
+    }
+    for (const filename of TIER2_FILES) {
+        if (fs.existsSync(path.join(projectRoot, filename))) {
+            signals.push(signal(2, filename, path.basename(filename)));
+        }
+    }
+    for (const dir of TIER2_DIRS) {
+        const abs = path.join(projectRoot, dir);
+        if (!fs.existsSync(abs) || !fs.statSync(abs).isDirectory())
+            continue;
+        for (const child of fs.readdirSync(abs)) {
+            const rel = path.join(dir, child);
+            signals.push(signal(2, rel, child));
+        }
+    }
+    for (const entry of fs.readdirSync(projectRoot)) {
+        const abs = path.join(projectRoot, entry);
+        if (!fs.statSync(abs).isFile())
+            continue;
+        for (const pattern of TIER3_PATTERNS) {
+            if (pattern.test(entry)) {
+                signals.push(signal(3, entry, entry));
+                break;
+            }
+        }
+    }
+    return {
+        scanned_at: new Date().toISOString(),
+        project_root: projectRoot,
+        signals,
+        packages: extractPackages(projectRoot),
+    };
+}
+function extractPackages(projectRoot) {
+    const pkgPath = path.join(projectRoot, "package.json");
+    if (!fs.existsSync(pkgPath))
+        return [];
+    try {
+        const pkg = JSON.parse(fs.readFileSync(pkgPath, "utf8"));
+        const all = new Set([
+            ...Object.keys(pkg.dependencies ?? {}),
+            ...Object.keys(pkg.devDependencies ?? {}),
+        ]);
+        return [...all];
+    }
+    catch {
+        return [];
+    }
+}
+function signal(tier, filePath, filename) {
+    return { tier, path: filePath, filename, exists: true };
+}

package/dist/types.d.ts

@@ -0,0 +1,13 @@
+export type Tier = 1 | 2 | 3;
+export interface FoundSignal {
+    tier: Tier;
+    path: string;
+    filename: string;
+    exists: true;
+}
+export interface ScanResult {
+    scanned_at: string;
+    project_root: string;
+    signals: FoundSignal[];
+    packages: string[];
+}

package/dist/types.js

@@ -0,0 +1 @@
+export {};

package/dist/update.d.ts

@@ -0,0 +1,7 @@
+import type { Capability, CapabilityMap } from "./lookup-table.ts";
+export declare function computeHash(projectRoot: string): string;
+export interface CapabilityDiff {
+    added: Capability[];
+    removed: Capability[];
+}
+export declare function scanDiff(oldMap: CapabilityMap, newMap: CapabilityMap): CapabilityDiff;

package/dist/update.js

@@ -0,0 +1,42 @@
+import fs from "node:fs";
+import path from "node:path";
+import crypto from "node:crypto";
+const HASH_TARGETS = [
+    "package.json", "pyproject.toml", "Cargo.toml", "go.mod",
+    "pom.xml", "Gemfile", "composer.json",
+    "Dockerfile", "docker-compose.yml", ".gitlab-ci.yml",
+    ".eslintrc", ".eslintrc.json", ".eslintrc.js", ".eslintrc.yml",
+    "pytest.ini", "openapi.yaml", "openapi.yml", ".pre-commit-config.yaml",
+];
+const HASH_DIRS = [".github/workflows", "terraform", "k8s"];
+export function computeHash(projectRoot) {
+    const hash = crypto.createHash("sha256");
+    for (const filename of HASH_TARGETS) {
+        const abs = path.join(projectRoot, filename);
+        if (fs.existsSync(abs) && fs.statSync(abs).isFile()) {
+            hash.update(filename);
+            hash.update(fs.readFileSync(abs));
+        }
+    }
+    for (const dir of HASH_DIRS) {
+        const abs = path.join(projectRoot, dir);
+        if (!fs.existsSync(abs) || !fs.statSync(abs).isDirectory())
+            continue;
+        for (const child of fs.readdirSync(abs).sort()) {
+            const childAbs = path.join(abs, child);
+            if (fs.statSync(childAbs).isFile()) {
+                hash.update(path.join(dir, child));
+                hash.update(fs.readFileSync(childAbs));
+            }
+        }
+    }
+    return hash.digest("hex");
+}
+export function scanDiff(oldMap, newMap) {
+    const oldIds = new Set(oldMap.confirmed.map(c => c.id));
+    const newIds = new Set(newMap.confirmed.map(c => c.id));
+    return {
+        added: newMap.confirmed.filter(c => !oldIds.has(c.id)),
+        removed: oldMap.confirmed.filter(c => !newIds.has(c.id)),
+    };
+}

package/dist/writer.d.ts

@@ -0,0 +1,3 @@
+import type { ScanResult } from "./types.ts";
+import type { CapabilityMap } from "./lookup-table.ts";
+export declare function writeClaudeDir(projectRoot: string, scanResult: ScanResult, capMap: CapabilityMap): void;

package/dist/writer.js

@@ -0,0 +1,63 @@
+import fs from "node:fs";
+import path from "node:path";
+import yaml from "js-yaml";
+import { FULFILLMENT_CATALOG } from "./fulfillment-catalog.ts";
+const CLAUDE_MD = `# framework-os Instructions
+
+This project uses **framework-os** for structured AI-assisted development.
+
+## Mandatory Behavior
+
+**At the start of every session:**
+1. Read \`.claude/capabilities.yaml\`
+2. If \`status: draft\` → tell the user: "Run \`framework-os confirm\` to activate capabilities."
+3. If \`status: confirmed\` → load the capabilities silently and apply them throughout the session
+
+**During the session:**
+- Only suggest tools, patterns, and libraries listed in \`capabilities.yaml\`
+- If a capability has a \`check\` field: verify it before using it
+- If a capability has a \`fulfill\` field and the check fails: fulfill it (intent + constraints + verify)
+- Persist per-session notes to \`.claude/state/<YYYY-MM-DD>.md\`
+- Never write files outside the project root
+
+**Stack awareness:**
+- Trust the detected stack in capabilities.yaml as ground truth
+- When the user asks about setup, refer to the capabilities rather than guessing
+- If the user adds a new dependency that seems important, suggest running \`framework-os scan --update\`
+
+## Capability Reference
+
+See \`.claude/capabilities.yaml\` for detected stack and fulfillment procedures.
+See \`.claude/scan-result.yaml\` for raw scanner output.
+Run \`framework-os scan --check\` to verify capabilities are up to date.
+
+## Prohibited
+
+- Writing to paths outside project root
+- Modifying \`.claude/scan-result.yaml\` manually
+- Skipping the session-start capability check
+- Suggesting tools not in capabilities.yaml without explicitly noting they are outside the declared stack
+`;
+export function writeClaudeDir(projectRoot, scanResult, capMap) {
+    const claudeDir = path.join(projectRoot, ".claude");
+    fs.mkdirSync(claudeDir, { recursive: true });
+    fs.mkdirSync(path.join(claudeDir, "state"), { recursive: true });
+    fs.writeFileSync(path.join(claudeDir, "scan-result.yaml"), "# Generated by framework-os init — do not edit manually\n" +
+        yaml.dump(scanResult), "utf8");
+    fs.writeFileSync(path.join(claudeDir, "capabilities.yaml"), "# DRAFT — generated by framework-os init\n" +
+        "# Review each entry, then run: framework-os confirm\n" +
+        yaml.dump({
+            status: "draft",
+            capabilities: {
+                confirmed: capMap.confirmed.map(enrichWithFulfillment),
+                inferred: capMap.inferred,
+            },
+        }), "utf8");
+    fs.writeFileSync(path.join(claudeDir, "CLAUDE.md"), CLAUDE_MD, "utf8");
+}
+function enrichWithFulfillment(cap) {
+    const def = FULFILLMENT_CATALOG[cap.id];
+    if (!def)
+        return cap;
+    return { ...cap, check: def.check, fulfill: def.fulfill };
+}

package/forgehive/agents/eli.yaml

@@ -0,0 +1,8 @@
+id: eli
+name: Eli
+title: Documentation Architect
+icon: "📐"
+description: |
+  Turns complex systems into navigable knowledge structures. Believes documentation is
+  product, not afterthought — every word earns its place. Speaks like a patient
+  cartographer: every map earns its legend, every path its signpost.

package/forgehive/agents/kai.yaml

@@ -0,0 +1,8 @@
+id: kai
+name: Kai
+title: Principal Engineer
+icon: "⚙"
+description: |
+  Test-first discipline, ship-ready code, zero tolerance for ambiguity. 100% passing
+  before any review. Speaks like a commit message — precise file paths, exact
+  assertions, no interpretation required.

package/forgehive/agents/nora.yaml

@@ -0,0 +1,8 @@
+id: nora
+name: Nora
+title: Senior Research Analyst
+icon: "🔍"
+description: |
+  Applies structured evidence frameworks to every finding, surfaces what stakeholders
+  can't articulate, grounds every recommendation in verifiable data. Speaks with the
+  precision of a forensic investigator — every claim citable, every gap named.

package/forgehive/agents/remy.yaml

@@ -0,0 +1,8 @@
+id: remy
+name: Remy
+title: Product Strategist
+icon: "🎯"
+description: |
+  Jobs-to-be-done over feature lists, user value over technical elegance. Drives every
+  decision back to a genuine problem worth solving. Speaks like a sharp detective —
+  three questions and the real constraint surfaces.

package/forgehive/agents/sam.yaml

@@ -0,0 +1,8 @@
+id: sam
+name: Sam
+title: Quality Architect
+icon: "🧪"
+description: |
+  Risk-based testing strategy, fixture architecture, automation across the full stack.
+  Speaks in risk calculations and impact assessments — strong opinions, weakly held,
+  always with a reproducible test case.

package/forgehive/agents/suki.yaml

@@ -0,0 +1,8 @@
+id: suki
+name: Suki
+title: Experience Designer
+icon: "✦"
+description: |
+  Empathy-first, edge-case relentless. Designs with users, not for them. Starts with
+  the friction before the wireframe. Speaks in user scenarios that make you feel the
+  problem before a line of code is written.

package/forgehive/agents/vera.yaml

@@ -0,0 +1,24 @@
+id: vera
+name: Vera
+title: Security Analyst
+icon: "🔒"
+description: |
+  Vera ist spezialisiert auf Application Security und Compliance.
+  Sie reviewed generierten Code auf OWASP Top 10 Vulnerabilities,
+  prüft Auth-Flows, Datenschutz-Anforderungen und Audit-Trails.
+  Vera arbeitet mit dem Security-Report und Permissions-System von forgehive.
+focus:
+  - OWASP Top 10 vulnerability scanning
+  - Authentication & authorization review
+  - GDPR / SOC2 / HIPAA compliance checks
+  - Secrets detection and remediation
+  - Dependency vulnerability assessment
+  - Security audit trail generation
+instructions: |
+  Du bist Vera, Security Analyst. Bei jeder Code-Review:
+  1. Prüfe auf OWASP Top 10 Patterns (Injection, XSS, IDOR, etc.)
+  2. Stelle sicher dass Authentifizierung korrekt implementiert ist
+  3. Prüfe auf hardcoded Secrets oder unsichere Konfigurationen
+  4. Dokumentiere Findings in .forgehive/security-report.md
+  5. Gib konkrete Fixes mit Codebeispielen
+  Nutze `fh security scan` und `fh security report` als deine Tools.

package/forgehive/agents/viktor.yaml

@@ -0,0 +1,8 @@
+id: viktor
+name: Viktor
+title: Systems Architect
+icon: "🏛"
+description: |
+  Favors proven technology, treats developer experience as architecture, ties every
+  structural decision to a business constraint. Speaks like a seasoned engineer at the
+  whiteboard — measured, always laying out trade-offs rather than verdicts.

package/forgehive/commands/fh-hotfix.md

@@ -0,0 +1,16 @@
+You are running the ForgeHive hotfix protocol.
+
+## Hotfix Rules
+
+**Constraint:** A hotfix changes as few lines as possible. If the fix requires > 50 lines, it's a feature, not a hotfix.
+
+## Steps
+
+1. **Identify** — `git log --oneline -20` — find the commit that introduced the bug
+2. **Branch** — `git checkout -b hotfix/<short-description> main`
+3. **Minimal fix** — fix only the bug, no refactoring, no cleanup
+4. **Regression test** — write one test that fails before the fix and passes after
+5. **Verify** — run full test suite
+6. **Ship** — use `/fh-ship` when ready
+
+If this turns out to be more than 50 lines: stop, switch to `/fh-start-task` for a proper feature branch.

package/forgehive/commands/fh-review.md

@@ -0,0 +1,16 @@
+You are running a ForgeHive code review. Load the review skill first.
+
+## Review Process
+
+1. Read `.forgehive/skills/expert/code-review.md`
+2. Get the diff: `git diff main...HEAD`
+3. Review in priority order:
+
+**[BUG]** Correctness issues — will this break in production?
+**[DESIGN]** Architecture issues — does it follow existing patterns?
+**[NIT]** Minor style issues — use sparingly
+**[Q]** Questions — non-blocking, want to understand intent
+**[+]** Good work — acknowledge what's done well
+
+4. For PRs > 400 lines: flag as too large, suggest how to split
+5. End with: overall verdict (approve / request changes) and count of blocking issues