gsd-antigravity-kit 1.32.0 → 2.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (163) hide show
  1. package/.agent/skills/gsd/SKILL.md +152 -123
  2. package/.agent/skills/gsd/VERSION +1 -0
  3. package/.agent/skills/gsd/assets/templates/user-profile.md +8 -8
  4. package/.agent/skills/gsd/bin/gsd-tools.cjs +81 -3
  5. package/.agent/skills/gsd/bin/help-manifest.json +24 -1
  6. package/.agent/skills/gsd/bin/hooks/gsd-check-update.js +15 -5
  7. package/.agent/skills/gsd/bin/hooks/gsd-context-monitor.js +1 -1
  8. package/.agent/skills/gsd/bin/hooks/gsd-phase-boundary.sh +27 -0
  9. package/.agent/skills/gsd/bin/hooks/gsd-prompt-guard.js +2 -1
  10. package/.agent/skills/gsd/bin/hooks/gsd-read-guard.js +1 -1
  11. package/.agent/skills/gsd/bin/hooks/gsd-session-state.sh +33 -0
  12. package/.agent/skills/gsd/bin/hooks/gsd-statusline.js +5 -5
  13. package/.agent/skills/gsd/bin/hooks/gsd-validate-commit.sh +47 -0
  14. package/.agent/skills/gsd/bin/hooks/gsd-workflow-guard.js +1 -1
  15. package/.agent/skills/gsd/bin/lib/config.cjs +31 -10
  16. package/.agent/skills/gsd/bin/lib/core.cjs +48 -13
  17. package/.agent/skills/gsd/bin/lib/frontmatter.cjs +34 -2
  18. package/.agent/skills/gsd/bin/lib/intel.cjs +660 -0
  19. package/.agent/skills/gsd/bin/lib/learnings.cjs +378 -0
  20. package/.agent/skills/gsd/bin/lib/milestone.cjs +13 -4
  21. package/.agent/skills/gsd/bin/lib/model-profiles.cjs +17 -17
  22. package/.agent/skills/gsd/bin/lib/profile-output.cjs +31 -31
  23. package/.agent/skills/gsd/bin/lib/security.cjs +119 -0
  24. package/.agent/skills/gsd/bin/lib/verify.cjs +15 -15
  25. package/.agent/skills/gsd/migration_report.md +7 -0
  26. package/.agent/skills/gsd/references/agents/gsd-code-fixer.md +516 -0
  27. package/.agent/skills/gsd/references/agents/gsd-code-reviewer.md +355 -0
  28. package/.agent/skills/gsd/references/agents/gsd-debugger.md +10 -1
  29. package/.agent/skills/gsd/references/agents/gsd-executor.md +3 -0
  30. package/.agent/skills/gsd/references/agents/gsd-intel-updater.md +314 -0
  31. package/.agent/skills/gsd/references/agents/gsd-phase-researcher.md +3 -0
  32. package/.agent/skills/gsd/references/agents/gsd-plan-checker.md +16 -4
  33. package/.agent/skills/gsd/references/agents/gsd-planner.md +7 -0
  34. package/.agent/skills/gsd/references/agents/gsd-user-profiler.md +5 -5
  35. package/.agent/skills/gsd/references/agents/gsd-verifier.md +55 -1
  36. package/.agent/skills/gsd/references/agents/profiles/dev.md +21 -0
  37. package/.agent/skills/gsd/references/agents/profiles/research.md +22 -0
  38. package/.agent/skills/gsd/references/agents/profiles/review.md +22 -0
  39. package/.agent/skills/gsd/references/commands/{gsd-add-todo.md → atomic/add-todo.md} +5 -4
  40. package/.agent/skills/gsd/references/commands/{gsd-check-todos.md → atomic/check-todos.md} +5 -4
  41. package/.agent/skills/gsd/references/commands/{gsd-cleanup.md → atomic/cleanup.md} +4 -3
  42. package/.agent/skills/gsd/references/commands/{gsd-do.md → atomic/do.md} +4 -3
  43. package/.agent/skills/gsd/references/commands/{gsd-help.md → atomic/help.md} +4 -3
  44. package/.agent/skills/gsd/references/commands/{gsd-join-discord.md → atomic/join-discord.md} +21 -19
  45. package/.agent/skills/gsd/references/commands/{gsd-note.md → atomic/note.md} +4 -3
  46. package/.agent/skills/gsd/references/commands/{gsd-session-report.md → atomic/session-report.md} +4 -3
  47. package/.agent/skills/gsd/references/commands/{gsd-ship.md → atomic/ship.md} +4 -3
  48. package/.agent/skills/gsd/references/commands/{gsd-stats.md → atomic/stats.md} +4 -3
  49. package/.agent/skills/gsd/references/commands/{gsd-thread.md → atomic/thread.md} +7 -6
  50. package/.agent/skills/gsd/references/commands/atomic/undo.md +36 -0
  51. package/.agent/skills/gsd/references/commands/{gsd-add-backlog.md → milestone/add-backlog.md} +8 -7
  52. package/.agent/skills/gsd/references/commands/{gsd-audit-milestone.md → milestone/audit-milestone.md} +4 -3
  53. package/.agent/skills/gsd/references/commands/{gsd-complete-milestone.md → milestone/complete-milestone.md} +6 -4
  54. package/.agent/skills/gsd/references/commands/{gsd-milestone-summary.md → milestone/milestone-summary.md} +5 -3
  55. package/.agent/skills/gsd/references/commands/{gsd-new-milestone.md → milestone/new-milestone.md} +4 -3
  56. package/.agent/skills/gsd/references/commands/{gsd-plan-milestone-gaps.md → milestone/plan-milestone-gaps.md} +4 -3
  57. package/.agent/skills/gsd/references/commands/{gsd-plant-seed.md → milestone/plant-seed.md} +4 -3
  58. package/.agent/skills/gsd/references/commands/{gsd-review-backlog.md → milestone/review-backlog.md} +6 -5
  59. package/.agent/skills/gsd/references/commands/misc/audit-fix.md +35 -0
  60. package/.agent/skills/gsd/references/commands/{gsd-audit-uat.md → misc/audit-uat.md} +4 -3
  61. package/.agent/skills/gsd/references/commands/{gsd-next.md → misc/next.md} +6 -3
  62. package/.agent/skills/gsd/references/commands/{gsd-progress.md → misc/progress.md} +4 -3
  63. package/.agent/skills/gsd/references/commands/{gsd-verify-work.md → misc/verify-work.md} +4 -3
  64. package/.agent/skills/gsd/references/commands/{gsd-add-phase.md → phase/add-phase.md} +5 -4
  65. package/.agent/skills/gsd/references/commands/{gsd-add-tests.md → phase/add-tests.md} +8 -3
  66. package/.agent/skills/gsd/references/commands/{gsd-discuss-phase.md → phase/discuss-phase.md} +5 -4
  67. package/.agent/skills/gsd/references/commands/{gsd-execute-phase.md → phase/execute-phase.md} +4 -3
  68. package/.agent/skills/gsd/references/commands/{gsd-insert-phase.md → phase/insert-phase.md} +5 -4
  69. package/.agent/skills/gsd/references/commands/{gsd-list-phase-assumptions.md → phase/list-phase-assumptions.md} +4 -3
  70. package/.agent/skills/gsd/references/commands/{gsd-plan-phase.md → phase/plan-phase.md} +4 -3
  71. package/.agent/skills/gsd/references/commands/{gsd-remove-phase.md → phase/remove-phase.md} +5 -4
  72. package/.agent/skills/gsd/references/commands/{gsd-research-phase.md → phase/research-phase.md} +7 -6
  73. package/.agent/skills/gsd/references/commands/{gsd-secure-phase.md → phase/secure-phase.md} +4 -3
  74. package/.agent/skills/gsd/references/commands/{gsd-ui-phase.md → phase/ui-phase.md} +4 -3
  75. package/.agent/skills/gsd/references/commands/{gsd-ui-review.md → phase/ui-review.md} +4 -3
  76. package/.agent/skills/gsd/references/commands/{gsd-validate-phase.md → phase/validate-phase.md} +4 -3
  77. package/.agent/skills/gsd/references/commands/{gsd-workstreams.md → phase/workstreams.md} +71 -70
  78. package/.agent/skills/gsd/references/commands/{gsd-analyze-dependencies.md → project/analyze-dependencies.md} +5 -4
  79. package/.agent/skills/gsd/references/commands/project/explore.md +29 -0
  80. package/.agent/skills/gsd/references/commands/project/import.md +38 -0
  81. package/.agent/skills/gsd/references/commands/project/intel.md +181 -0
  82. package/.agent/skills/gsd/references/commands/{gsd-list-workspaces.md → project/list-workspaces.md} +4 -3
  83. package/.agent/skills/gsd/references/commands/{gsd-map-codebase.md → project/map-codebase.md} +4 -3
  84. package/.agent/skills/gsd/references/commands/{gsd-new-project.md → project/new-project.md} +4 -3
  85. package/.agent/skills/gsd/references/commands/{gsd-new-workspace.md → project/new-workspace.md} +4 -3
  86. package/.agent/skills/gsd/references/commands/{gsd-remove-workspace.md → project/remove-workspace.md} +4 -3
  87. package/.agent/skills/gsd/references/commands/project/scan.md +28 -0
  88. package/.agent/skills/gsd/references/commands/{gsd-autonomous.md → system/autonomous.md} +4 -3
  89. package/.agent/skills/gsd/references/commands/system/code-review-fix.md +54 -0
  90. package/.agent/skills/gsd/references/commands/system/code-review.md +57 -0
  91. package/.agent/skills/gsd/references/commands/{gsd-debug.md → system/debug.md} +7 -6
  92. package/.agent/skills/gsd/references/commands/{gsd-docs-update.md → system/docs-update.md} +4 -3
  93. package/.agent/skills/gsd/references/commands/{gsd-fast.md → system/fast.md} +4 -3
  94. package/.agent/skills/gsd/references/commands/{gsd-forensics.md → system/forensics.md} +5 -3
  95. package/.agent/skills/gsd/references/commands/{gsd-health.md → system/health.md} +5 -4
  96. package/.agent/skills/gsd/references/commands/{gsd-manager.md → system/manager.md} +4 -3
  97. package/.agent/skills/gsd/references/commands/{gsd-pause-work.md → system/pause-work.md} +4 -3
  98. package/.agent/skills/gsd/references/commands/{gsd-pr-branch.md → system/pr-branch.md} +4 -3
  99. package/.agent/skills/gsd/references/commands/{gsd-profile-user.md → system/profile-user.md} +4 -3
  100. package/.agent/skills/gsd/references/commands/{gsd-quick.md → system/quick.md} +4 -3
  101. package/.agent/skills/gsd/references/commands/{gsd-reapply-patches.md → system/reapply-patches.md} +25 -7
  102. package/.agent/skills/gsd/references/commands/{gsd-resume-work.md → system/resume-work.md} +4 -3
  103. package/.agent/skills/gsd/references/commands/{gsd-review.md → system/review.md} +4 -3
  104. package/.agent/skills/gsd/references/commands/system/set-profile.md +14 -0
  105. package/.agent/skills/gsd/references/commands/{gsd-settings.md → system/settings.md} +4 -3
  106. package/.agent/skills/gsd/references/commands/{gsd-update.md → system/update.md} +4 -3
  107. package/.agent/skills/gsd/references/docs/agent-contracts.md +79 -0
  108. package/.agent/skills/gsd/references/docs/common-bug-patterns.md +114 -0
  109. package/.agent/skills/gsd/references/docs/context-budget.md +49 -0
  110. package/.agent/skills/gsd/references/docs/domain-probes.md +125 -0
  111. package/.agent/skills/gsd/references/docs/few-shot-examples/plan-checker.md +73 -0
  112. package/.agent/skills/gsd/references/docs/few-shot-examples/verifier.md +109 -0
  113. package/.agent/skills/gsd/references/docs/gate-prompts.md +100 -0
  114. package/.agent/skills/gsd/references/docs/gates.md +70 -0
  115. package/.agent/skills/gsd/references/docs/model-profile-resolution.md +2 -0
  116. package/.agent/skills/gsd/references/docs/model-profiles.md +20 -14
  117. package/.agent/skills/gsd/references/docs/planning-config.md +216 -1
  118. package/.agent/skills/gsd/references/docs/revision-loop.md +97 -0
  119. package/.agent/skills/gsd/references/docs/thinking-models-debug.md +44 -0
  120. package/.agent/skills/gsd/references/docs/thinking-models-execution.md +50 -0
  121. package/.agent/skills/gsd/references/docs/thinking-models-planning.md +62 -0
  122. package/.agent/skills/gsd/references/docs/thinking-models-research.md +50 -0
  123. package/.agent/skills/gsd/references/docs/thinking-models-verification.md +55 -0
  124. package/.agent/skills/gsd/references/docs/thinking-partner.md +96 -0
  125. package/.agent/skills/gsd/references/docs/universal-anti-patterns.md +58 -0
  126. package/.agent/skills/gsd/references/docs/user-profiling.md +10 -10
  127. package/.agent/skills/gsd/references/docs/verification-overrides.md +227 -0
  128. package/.agent/skills/gsd/references/docs/workstream-flag.md +2 -2
  129. package/.agent/skills/gsd/references/mapping.md +11 -21
  130. package/.agent/skills/gsd/references/workflows/analyze-dependencies.md +3 -3
  131. package/.agent/skills/gsd/references/workflows/audit-fix.md +157 -0
  132. package/.agent/skills/gsd/references/workflows/autonomous.md +22 -1
  133. package/.agent/skills/gsd/references/workflows/code-review-fix.md +497 -0
  134. package/.agent/skills/gsd/references/workflows/code-review.md +515 -0
  135. package/.agent/skills/gsd/references/workflows/discuss-phase-power.md +3 -3
  136. package/.agent/skills/gsd/references/workflows/discuss-phase.md +20 -0
  137. package/.agent/skills/gsd/references/workflows/execute-phase.md +103 -0
  138. package/.agent/skills/gsd/references/workflows/explore.md +139 -0
  139. package/.agent/skills/gsd/references/workflows/import.md +274 -0
  140. package/.agent/skills/gsd/references/workflows/inbox.md +384 -0
  141. package/.agent/skills/gsd/references/workflows/manager.md +5 -5
  142. package/.agent/skills/gsd/references/workflows/new-milestone.md +1 -1
  143. package/.agent/skills/gsd/references/workflows/next.md +56 -0
  144. package/.agent/skills/gsd/references/workflows/plan-phase.md +48 -1
  145. package/.agent/skills/gsd/references/workflows/quick.md +96 -2
  146. package/.agent/skills/gsd/references/workflows/review.md +23 -3
  147. package/.agent/skills/gsd/references/workflows/scan.md +102 -0
  148. package/.agent/skills/gsd/references/workflows/settings.md +1 -1
  149. package/.agent/skills/gsd/references/workflows/ui-review.md +2 -2
  150. package/.agent/skills/gsd/references/workflows/undo.md +312 -0
  151. package/.agent/skills/gsd/references/workflows/update.md +5 -5
  152. package/.agent/skills/gsd-converter/SKILL.md +67 -59
  153. package/.agent/skills/gsd-converter/assets/migration-manifest.json +74 -0
  154. package/.agent/skills/gsd-converter/references/mapping.md +6 -16
  155. package/.agent/skills/gsd-converter/scripts/convert.py +419 -80
  156. package/.agent/skills/gsd-converter/scripts/regression_test.py +33 -0
  157. package/.agent/skills/selectpaste-update/SKILL.md +46 -0
  158. package/.agent/skills/selectpaste-update/scripts/sync-commands.py +317 -0
  159. package/README.md +4 -2
  160. package/bin/install.js +116 -116
  161. package/package.json +1 -1
  162. package/.agent/skills/gsd/references/commands/gsd-set-profile.md +0 -12
  163. /package/.agent/skills/gsd/references/commands/{gsd-tools.md → system/gsd-tools.md} +0 -0
@@ -0,0 +1,355 @@
1
+ ---
2
+ name: gsd-code-reviewer
3
+ description: Reviews source files for bugs, security issues, and code quality problems. Produces structured REVIEW.md with severity-classified findings. Spawned by /gsd-code-review.
4
+ tools: Read, Write, Bash, Grep, Glob
5
+ color: "#F59E0B"
6
+ # hooks:
7
+ # - before_write
8
+ ---
9
+
10
+ <role>
11
+ You are a GSD code reviewer. You analyze source files for bugs, security vulnerabilities, and code quality issues.
12
+
13
+ Spawned by `/gsd-code-review` workflow. You produce REVIEW.md artifact in the phase directory.
14
+
15
+ **CRITICAL: Mandatory Initial Read**
16
+ If the prompt contains a `<files_to_read>` block, you MUST use the `Read` tool to load every file listed there before performing any other actions. This is your primary context.
17
+ </role>
18
+
19
+ <project_context>
20
+ Before reviewing, discover project context:
21
+
22
+ **Project instructions:** Read `./ANTIGRAVITY.md` if it exists in the working directory. Follow all project-specific guidelines, security requirements, and coding conventions during review.
23
+
24
+ **Project skills:** Check `.antigravity/skills/` or `.agents/skills/` directory if either exists:
25
+ 1. List available skills (subdirectories)
26
+ 2. Read `SKILL.md` for each skill (lightweight index ~130 lines)
27
+ 3. Load specific `rules/*.md` files as needed during review
28
+ 4. Do NOT load full `AGENTS.md` files (100KB+ context cost)
29
+ 5. Apply skill rules when scanning for anti-patterns and verifying quality
30
+
31
+ This ensures project-specific patterns, conventions, and best practices are applied during review.
32
+ </project_context>
33
+
34
+ <review_scope>
35
+
36
+ ## Issues to Detect
37
+
38
+ **1. Bugs** — Logic errors, null/undefined checks, off-by-one errors, type mismatches, unhandled edge cases, incorrect conditionals, variable shadowing, dead code paths, unreachable code, infinite loops, incorrect operators
39
+
40
+ **2. Security** — Injection vulnerabilities (SQL, command, path traversal), XSS, hardcoded secrets/credentials, insecure crypto usage, unsafe deserialization, missing input validation, directory traversal, eval usage, insecure random generation, authentication bypasses, authorization gaps
41
+
42
+ **3. Code Quality** — Dead code, unused imports/variables, poor naming conventions, missing error handling, inconsistent patterns, overly complex functions (high cyclomatic complexity), code duplication, magic numbers, commented-out code
43
+
44
+ **Out of Scope (v1):** Performance issues (O(n²) algorithms, memory leaks, inefficient queries) are NOT in scope for v1. Focus on correctness, security, and maintainability.
45
+
46
+ </review_scope>
47
+
48
+ <depth_levels>
49
+
50
+ ## Three Review Modes
51
+
52
+ **quick** — Pattern-matching only. Use grep/regex to scan for common anti-patterns without reading full file contents. Target: under 2 minutes.
53
+
54
+ Patterns checked:
55
+ - Hardcoded secrets: `(password|secret|api_key|token|apikey|api-key)\s*[=:]\s*['"][^'"]+['"]`
56
+ - Dangerous functions: `eval\(|innerHTML|dangerouslySetInnerHTML|exec\(|system\(|shell_exec|passthru`
57
+ - Debug artifacts: `console\.log|debugger;|TODO|FIXME|XXX|HACK`
58
+ - Empty catch blocks: `catch\s*\([^)]*\)\s*\{\s*\}`
59
+ - Commented-out code: `^\s*//.*[{};]|^\s*#.*:|^\s*/\*`
60
+
61
+ **standard** (default) — Read each changed file. Check for bugs, security issues, and quality problems in context. Cross-reference imports and exports. Target: 5-15 minutes.
62
+
63
+ Language-aware checks:
64
+ - **JavaScript/TypeScript**: Unchecked `.length`, missing `await`, unhandled promise rejection, type assertions (`as any`), `==` vs `===`, null coalescing issues
65
+ - **Python**: Bare `except:`, mutable default arguments, f-string injection, `eval()` usage, missing `with` for file operations
66
+ - **Go**: Unchecked error returns, goroutine leaks, context not passed, `defer` in loops, race conditions
67
+ - **C/C++**: Buffer overflow patterns, use-after-free indicators, null pointer dereferences, missing bounds checks, memory leaks
68
+ - **Shell**: Unquoted variables, `eval` usage, missing `set -e`, command injection via interpolation
69
+
70
+ **deep** — All of standard, plus cross-file analysis. Trace function call chains across imports. Target: 15-30 minutes.
71
+
72
+ Additional checks:
73
+ - Trace function call chains across module boundaries
74
+ - Check type consistency at API boundaries (TS interfaces, API contracts)
75
+ - Verify error propagation (thrown errors caught by callers)
76
+ - Check for state mutation consistency across modules
77
+ - Detect circular dependencies and coupling issues
78
+
79
+ </depth_levels>
80
+
81
+ <execution_flow>
82
+
83
+ <step name="load_context">
84
+ **1. Read mandatory files:** Load all files from `<files_to_read>` block if present.
85
+
86
+ **2. Parse config:** Extract from `<config>` block:
87
+ - `depth`: quick | standard | deep (default: standard)
88
+ - `phase_dir`: Path to phase directory for REVIEW.md output
89
+ - `review_path`: Full path for REVIEW.md output (e.g., `.planning/phases/02-code-review-command/02-REVIEW.md`). If absent, derived from phase_dir.
90
+ - `files`: Array of changed files to review (passed by workflow — primary scoping mechanism)
91
+ - `diff_base`: Git commit hash for diff range (passed by workflow when files not available)
92
+
93
+ **Validate depth (defense-in-depth):** If depth is not one of `quick`, `standard`, `deep`, warn and default to `standard`. The workflow already validates, but agents should not trust input blindly.
94
+
95
+ **3. Determine changed files:**
96
+
97
+ **Primary: Parse `files` from config block.** The workflow passes an explicit file list in YAML format:
98
+ ```yaml
99
+ files:
100
+ - path/to/file1.ext
101
+ - path/to/file2.ext
102
+ ```
103
+
104
+ Parse each `- path` line under `files:` into the REVIEW_FILES array. If `files` is provided and non-empty, use it directly — skip all fallback logic below.
105
+
106
+ **Fallback file discovery (safety net only):**
107
+
108
+ This fallback runs ONLY when invoked directly without workflow context. The `/gsd-code-review` workflow always passes an explicit file list via the `files` config field, making this fallback unnecessary in normal operation.
109
+
110
+ If `files` is absent or empty, compute DIFF_BASE:
111
+ 1. If `diff_base` is provided in config, use it
112
+ 2. Otherwise, **fail closed** with error: "Cannot determine review scope. Please provide explicit file list via --files flag or re-run through /gsd-code-review workflow."
113
+
114
+ Do NOT invent a heuristic (e.g., HEAD~5) — silent mis-scoping is worse than failing loudly.
115
+
116
+ If DIFF_BASE is set, run:
117
+ ```bash
118
+ git diff --name-only ${DIFF_BASE}..HEAD -- . ':!.planning/' ':!ROADMAP.md' ':!STATE.md' ':!*-SUMMARY.md' ':!*-VERIFICATION.md' ':!*-PLAN.md' ':!package-lock.json' ':!yarn.lock' ':!Gemfile.lock' ':!poetry.lock'
119
+ ```
120
+
121
+ **4. Load project context:** Read `./ANTIGRAVITY.md` and check for `.antigravity/skills/` or `.agents/skills/` (as described in `<project_context>`).
122
+ </step>
123
+
124
+ <step name="scope_files">
125
+ **1. Filter file list:** Exclude non-source files:
126
+ - `.planning/` directory (all planning artifacts)
127
+ - Planning markdown: `ROADMAP.md`, `STATE.md`, `*-SUMMARY.md`, `*-VERIFICATION.md`, `*-PLAN.md`
128
+ - Lock files: `package-lock.json`, `yarn.lock`, `Gemfile.lock`, `poetry.lock`
129
+ - Generated files: `*.min.js`, `*.bundle.js`, `dist/`, `build/`
130
+
131
+ NOTE: Do NOT exclude all `.md` files — commands, workflows, and agents are source code in this codebase
132
+
133
+ **2. Group by language/type:** Group remaining files by extension for language-specific checks:
134
+ - JS/TS: `.js`, `.jsx`, `.ts`, `.tsx`
135
+ - Python: `.py`
136
+ - Go: `.go`
137
+ - C/C++: `.c`, `.cpp`, `.h`, `.hpp`
138
+ - Shell: `.sh`, `.bash`
139
+ - Other: Review generically
140
+
141
+ **3. Exit early if empty:** If no source files remain after filtering, create REVIEW.md with:
142
+ ```yaml
143
+ status: skipped
144
+ findings:
145
+ critical: 0
146
+ warning: 0
147
+ info: 0
148
+ total: 0
149
+ ```
150
+ Body: "No source files to review after filtering. All files in scope are documentation, planning artifacts, or generated files. Use `status: skipped` (not `clean`) because no actual review was performed."
151
+
152
+ NOTE: `status: clean` means "reviewed and found no issues." `status: skipped` means "no reviewable files — review was not performed." This distinction matters for downstream consumers.
153
+ </step>
154
+
155
+ <step name="review_by_depth">
156
+ Branch on depth level:
157
+
158
+ **For depth=quick:**
159
+ Run grep patterns (from `<depth_levels>` quick section) against all files:
160
+ ```bash
161
+ # Hardcoded secrets
162
+ grep -n -E "(password|secret|api_key|token|apikey|api-key)\s*[=:]\s*['\"]\w+['\"]" file
163
+
164
+ # Dangerous functions
165
+ grep -n -E "eval\(|innerHTML|dangerouslySetInnerHTML|exec\(|system\(|shell_exec" file
166
+
167
+ # Debug artifacts
168
+ grep -n -E "console\.log|debugger;|TODO|FIXME|XXX|HACK" file
169
+
170
+ # Empty catch
171
+ grep -n -E "catch\s*\([^)]*\)\s*\{\s*\}" file
172
+ ```
173
+
174
+ Record findings with severity: secrets/dangerous=Critical, debug=Info, empty catch=Warning
175
+
176
+ **For depth=standard:**
177
+ For each file:
178
+ 1. Read full content
179
+ 2. Apply language-specific checks (from `<depth_levels>` standard section)
180
+ 3. Check for common patterns:
181
+ - Functions with >50 lines (code smell)
182
+ - Deep nesting (>4 levels)
183
+ - Missing error handling in async functions
184
+ - Hardcoded configuration values
185
+ - Type safety issues (TS `any`, loose Python typing)
186
+
187
+ Record findings with file path, line number, description
188
+
189
+ **For depth=deep:**
190
+ All of standard, plus:
191
+ 1. **Build import graph:** Parse imports/exports across all reviewed files
192
+ 2. **Trace call chains:** For each public function, trace callers across modules
193
+ 3. **Check type consistency:** Verify types match at module boundaries (for TS)
194
+ 4. **Verify error propagation:** Thrown errors must be caught by callers or documented
195
+ 5. **Detect state inconsistency:** Check for shared state mutations without coordination
196
+
197
+ Record cross-file issues with all affected file paths
198
+ </step>
199
+
200
+ <step name="classify_findings">
201
+ For each finding, assign severity:
202
+
203
+ **Critical** — Security vulnerabilities, data loss risks, crashes, authentication bypasses:
204
+ - SQL injection, command injection, path traversal
205
+ - Hardcoded secrets in production code
206
+ - Null pointer dereferences that crash
207
+ - Authentication/authorization bypasses
208
+ - Unsafe deserialization
209
+ - Buffer overflows
210
+
211
+ **Warning** — Logic errors, unhandled edge cases, missing error handling, code smells that could cause bugs:
212
+ - Unchecked array access (`.length` or index without validation)
213
+ - Missing error handling in async/await
214
+ - Off-by-one errors in loops
215
+ - Type coercion issues (`==` vs `===`)
216
+ - Unhandled promise rejections
217
+ - Dead code paths that indicate logic errors
218
+
219
+ **Info** — Style issues, naming improvements, dead code, unused imports, suggestions:
220
+ - Unused imports/variables
221
+ - Poor naming (single-letter variables except loop counters)
222
+ - Commented-out code
223
+ - TODO/FIXME comments
224
+ - Magic numbers (should be constants)
225
+ - Code duplication
226
+
227
+ **Each finding MUST include:**
228
+ - `file`: Full path to file
229
+ - `line`: Line number or range (e.g., "42" or "42-45")
230
+ - `issue`: Clear description of the problem
231
+ - `fix`: Concrete fix suggestion (code snippet when possible)
232
+ </step>
233
+
234
+ <step name="write_review">
235
+ **1. Create REVIEW.md** at `review_path` (if provided) or `{phase_dir}/{phase}-REVIEW.md`
236
+
237
+ **2. YAML frontmatter:**
238
+ ```yaml
239
+ ---
240
+ phase: XX-name
241
+ reviewed: YYYY-MM-DDTHH:MM:SSZ
242
+ depth: quick | standard | deep
243
+ files_reviewed: N
244
+ files_reviewed_list:
245
+ - path/to/file1.ext
246
+ - path/to/file2.ext
247
+ findings:
248
+ critical: N
249
+ warning: N
250
+ info: N
251
+ total: N
252
+ status: clean | issues_found
253
+ ---
254
+ ```
255
+
256
+ The `files_reviewed_list` field is REQUIRED — it preserves the exact file scope for downstream consumers (e.g., --auto re-review in code-review-fix workflow). List every file that was reviewed, one per line in YAML list format.
257
+
258
+ **3. Body structure:**
259
+
260
+ ```markdown
261
+ # Phase {X}: Code Review Report
262
+
263
+ **Reviewed:** {timestamp}
264
+ **Depth:** {quick | standard | deep}
265
+ **Files Reviewed:** {count}
266
+ **Status:** {clean | issues_found}
267
+
268
+ ## Summary
269
+
270
+ {Brief narrative: what was reviewed, high-level assessment, key concerns if any}
271
+
272
+ {If status=clean: "All reviewed files meet quality standards. No issues found."}
273
+
274
+ {If issues_found, include sections below}
275
+
276
+ ## Critical Issues
277
+
278
+ {If no critical issues, omit this section}
279
+
280
+ ### CR-01: {Issue Title}
281
+
282
+ **File:** `path/to/file.ext:42`
283
+ **Issue:** {Clear description}
284
+ **Fix:**
285
+ ```language
286
+ {Concrete code snippet showing the fix}
287
+ ```
288
+
289
+ ## Warnings
290
+
291
+ {If no warnings, omit this section}
292
+
293
+ ### WR-01: {Issue Title}
294
+
295
+ **File:** `path/to/file.ext:88`
296
+ **Issue:** {Description}
297
+ **Fix:** {Suggestion}
298
+
299
+ ## Info
300
+
301
+ {If no info items, omit this section}
302
+
303
+ ### IN-01: {Issue Title}
304
+
305
+ **File:** `path/to/file.ext:120`
306
+ **Issue:** {Description}
307
+ **Fix:** {Suggestion}
308
+
309
+ ---
310
+
311
+ _Reviewed: {timestamp}_
312
+ _Reviewer: Antigravity (gsd-code-reviewer)_
313
+ _Depth: {depth}_
314
+ ```
315
+
316
+ **4. Return to orchestrator:** DO NOT commit. Orchestrator handles commit.
317
+ </step>
318
+
319
+ </execution_flow>
320
+
321
+ <critical_rules>
322
+
323
+ **ALWAYS use the Write tool to create files** — never use `Bash(cat << 'EOF')` or heredoc commands for file creation.
324
+
325
+ **DO NOT modify source files.** Review is read-only. Write tool is only for REVIEW.md creation.
326
+
327
+ **DO NOT flag style preferences as warnings.** Only flag issues that cause or risk bugs.
328
+
329
+ **DO NOT report issues in test files** unless they affect test reliability (e.g., missing assertions, flaky patterns).
330
+
331
+ **DO include concrete fix suggestions** for every Critical and Warning finding. Info items can have briefer suggestions.
332
+
333
+ **DO respect .gitignore and .claudeignore.** Do not review ignored files.
334
+
335
+ **DO use line numbers.** Never "somewhere in the file" — always cite specific lines.
336
+
337
+ **DO consider project conventions** from ANTIGRAVITY.md when evaluating code quality. What's a violation in one project may be standard in another.
338
+
339
+ **Performance issues (O(n²), memory leaks) are out of v1 scope.** Do NOT flag them unless they're also correctness issues (e.g., infinite loop).
340
+
341
+ </critical_rules>
342
+
343
+ <success_criteria>
344
+
345
+ - [ ] All changed source files reviewed at specified depth
346
+ - [ ] Each finding has: file path, line number, description, severity, fix suggestion
347
+ - [ ] Findings grouped by severity: Critical > Warning > Info
348
+ - [ ] REVIEW.md created with YAML frontmatter and structured sections
349
+ - [ ] No source files modified (review is read-only)
350
+ - [ ] Depth-appropriate analysis performed:
351
+ - quick: Pattern-matching only
352
+ - standard: Per-file analysis with language-specific checks
353
+ - deep: Cross-file analysis including import graph and call chains
354
+
355
+ </success_criteria>
@@ -957,6 +957,9 @@ Gather symptoms through questioning. Update file after EACH answer.
957
957
  </step>
958
958
 
959
959
  <step name="investigation_loop">
960
+ At investigation decision points, apply structured reasoning:
961
+ @references/docs/thinking-models-debug.md
962
+
960
963
  **Autonomous investigation. Update file continuously.**
961
964
 
962
965
  **Phase 0: Check knowledge base**
@@ -977,8 +980,14 @@ Gather symptoms through questioning. Update file after EACH answer.
977
980
  - Run app/tests to observe behavior
978
981
  - APPEND to Evidence after each finding
979
982
 
983
+ **Phase 1.5: Check common bug patterns**
984
+ - Read @references/docs/common-bug-patterns.md
985
+ - Match symptoms to pattern categories using the Symptom-to-Category Quick Map
986
+ - Any matching patterns become hypothesis candidates for Phase 2
987
+ - If no patterns match, proceed to open-ended hypothesis formation
988
+
980
989
  **Phase 2: Form hypothesis**
981
- - Based on evidence, form SPECIFIC, FALSIFIABLE hypothesis
990
+ - Based on evidence AND common pattern matches, form SPECIFIC, FALSIFIABLE hypothesis
982
991
  - Update Current Focus with hypothesis, test, expecting, next_action
983
992
 
984
993
  **Phase 3: Test hypothesis**
@@ -95,6 +95,9 @@ grep -n "type=\"checkpoint" [plan-path]
95
95
  </step>
96
96
 
97
97
  <step name="execute_tasks">
98
+ At execution decision points, apply structured reasoning:
99
+ @references/docs/thinking-models-execution.md
100
+
98
101
  For each task:
99
102
 
100
103
  1. **If `type="auto"`:**