gsd-antigravity-kit 2.0.1 → 2.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (251) hide show
  1. package/.agent/skills/gsd/SKILL.md +26 -4
  2. package/.agent/skills/gsd/VERSION +1 -1
  3. package/.agent/skills/gsd/assets/templates/AI-SPEC.md +246 -0
  4. package/.agent/skills/gsd/assets/templates/DEBUG.md +7 -2
  5. package/.agent/skills/gsd/assets/templates/config.json +56 -48
  6. package/.agent/skills/gsd/assets/templates/research.md +40 -0
  7. package/.agent/skills/gsd/assets/templates/spec.md +307 -0
  8. package/.agent/skills/gsd/assets/templates/state.md +8 -0
  9. package/.agent/skills/gsd/bin/gsd-tools.cjs +212 -11
  10. package/.agent/skills/gsd/bin/help-manifest.json +8 -2
  11. package/.agent/skills/gsd/bin/hooks/gsd-check-update-worker.js +108 -0
  12. package/.agent/skills/gsd/bin/hooks/gsd-check-update.js +14 -89
  13. package/.agent/skills/gsd/bin/hooks/gsd-context-monitor.js +34 -5
  14. package/.agent/skills/gsd/bin/hooks/gsd-phase-boundary.sh +1 -0
  15. package/.agent/skills/gsd/bin/hooks/gsd-prompt-guard.js +1 -1
  16. package/.agent/skills/gsd/bin/hooks/gsd-read-guard.js +6 -1
  17. package/.agent/skills/gsd/bin/hooks/gsd-session-state.sh +1 -0
  18. package/.agent/skills/gsd/bin/hooks/gsd-statusline.js +150 -16
  19. package/.agent/skills/gsd/bin/hooks/gsd-validate-commit.sh +1 -0
  20. package/.agent/skills/gsd/bin/hooks/gsd-workflow-guard.js +1 -1
  21. package/.agent/skills/gsd/bin/lib/audit.cjs +757 -0
  22. package/.agent/skills/gsd/bin/lib/commands.cjs +17 -7
  23. package/.agent/skills/gsd/bin/lib/config.cjs +66 -20
  24. package/.agent/skills/gsd/bin/lib/core.cjs +212 -12
  25. package/.agent/skills/gsd/bin/lib/frontmatter.cjs +6 -8
  26. package/.agent/skills/gsd/bin/lib/graphify.cjs +494 -0
  27. package/.agent/skills/gsd/bin/lib/gsd2-import.cjs +511 -0
  28. package/.agent/skills/gsd/bin/lib/init.cjs +371 -18
  29. package/.agent/skills/gsd/bin/lib/intel.cjs +9 -30
  30. package/.agent/skills/gsd/bin/lib/milestone.cjs +18 -17
  31. package/.agent/skills/gsd/bin/lib/model-profiles.cjs +1 -0
  32. package/.agent/skills/gsd/bin/lib/phase.cjs +225 -98
  33. package/.agent/skills/gsd/bin/lib/profile-output.cjs +17 -5
  34. package/.agent/skills/gsd/bin/lib/roadmap.cjs +12 -5
  35. package/.agent/skills/gsd/bin/lib/state.cjs +394 -129
  36. package/.agent/skills/gsd/bin/lib/template.cjs +8 -4
  37. package/.agent/skills/gsd/bin/lib/uat.cjs +2 -1
  38. package/.agent/skills/gsd/bin/lib/verify.cjs +111 -42
  39. package/.agent/skills/gsd/migration_report.md +2 -2
  40. package/.agent/skills/gsd/references/agents/gsd-advisor-researcher.md +23 -0
  41. package/.agent/skills/gsd/references/agents/gsd-ai-researcher.md +133 -0
  42. package/.agent/skills/gsd/references/agents/gsd-code-fixer.md +11 -10
  43. package/.agent/skills/gsd/references/agents/gsd-code-reviewer.md +2 -2
  44. package/.agent/skills/gsd/references/agents/gsd-codebase-mapper.md +13 -2
  45. package/.agent/skills/gsd/references/agents/gsd-debug-session-manager.md +314 -0
  46. package/.agent/skills/gsd/references/agents/gsd-debugger.md +147 -76
  47. package/.agent/skills/gsd/references/agents/gsd-doc-verifier.md +1 -1
  48. package/.agent/skills/gsd/references/agents/gsd-doc-writer.md +615 -602
  49. package/.agent/skills/gsd/references/agents/gsd-domain-researcher.md +153 -0
  50. package/.agent/skills/gsd/references/agents/gsd-eval-auditor.md +175 -0
  51. package/.agent/skills/gsd/references/agents/gsd-eval-planner.md +154 -0
  52. package/.agent/skills/gsd/references/agents/gsd-executor.md +108 -38
  53. package/.agent/skills/gsd/references/agents/gsd-framework-selector.md +160 -0
  54. package/.agent/skills/gsd/references/agents/gsd-integration-checker.md +454 -443
  55. package/.agent/skills/gsd/references/agents/gsd-intel-updater.md +40 -20
  56. package/.agent/skills/gsd/references/agents/gsd-nyquist-auditor.md +187 -176
  57. package/.agent/skills/gsd/references/agents/gsd-pattern-mapper.md +335 -0
  58. package/.agent/skills/gsd/references/agents/gsd-phase-researcher.md +112 -13
  59. package/.agent/skills/gsd/references/agents/gsd-plan-checker.md +104 -10
  60. package/.agent/skills/gsd/references/agents/gsd-planner.md +125 -167
  61. package/.agent/skills/gsd/references/agents/gsd-project-researcher.md +25 -2
  62. package/.agent/skills/gsd/references/agents/gsd-research-synthesizer.md +3 -3
  63. package/.agent/skills/gsd/references/agents/gsd-roadmapper.md +12 -1
  64. package/.agent/skills/gsd/references/agents/gsd-security-auditor.md +139 -128
  65. package/.agent/skills/gsd/references/agents/gsd-ui-auditor.md +3 -3
  66. package/.agent/skills/gsd/references/agents/gsd-ui-checker.md +11 -2
  67. package/.agent/skills/gsd/references/agents/gsd-ui-researcher.md +27 -4
  68. package/.agent/skills/gsd/references/agents/gsd-verifier.md +13 -19
  69. package/.agent/skills/gsd/references/commands/atomic/add-todo.md +2 -2
  70. package/.agent/skills/gsd/references/commands/atomic/check-todos.md +2 -2
  71. package/.agent/skills/gsd/references/commands/atomic/cleanup.md +2 -2
  72. package/.agent/skills/gsd/references/commands/atomic/do.md +2 -2
  73. package/.agent/skills/gsd/references/commands/atomic/help.md +2 -2
  74. package/.agent/skills/gsd/references/commands/atomic/join-discord.md +2 -2
  75. package/.agent/skills/gsd/references/commands/atomic/note.md +2 -2
  76. package/.agent/skills/gsd/references/commands/atomic/session-report.md +2 -2
  77. package/.agent/skills/gsd/references/commands/atomic/ship.md +2 -2
  78. package/.agent/skills/gsd/references/commands/atomic/stats.md +2 -2
  79. package/.agent/skills/gsd/references/commands/atomic/thread.md +141 -41
  80. package/.agent/skills/gsd/references/commands/atomic/undo.md +2 -2
  81. package/.agent/skills/gsd/references/commands/milestone/add-backlog.md +15 -12
  82. package/.agent/skills/gsd/references/commands/milestone/audit-milestone.md +2 -2
  83. package/.agent/skills/gsd/references/commands/milestone/complete-milestone.md +2 -2
  84. package/.agent/skills/gsd/references/commands/milestone/milestone-summary.md +2 -2
  85. package/.agent/skills/gsd/references/commands/milestone/new-milestone.md +2 -2
  86. package/.agent/skills/gsd/references/commands/milestone/plan-milestone-gaps.md +2 -2
  87. package/.agent/skills/gsd/references/commands/milestone/plant-seed.md +2 -2
  88. package/.agent/skills/gsd/references/commands/milestone/review-backlog.md +4 -4
  89. package/.agent/skills/gsd/references/commands/misc/ai-integration-phase.md +38 -0
  90. package/.agent/skills/gsd/references/commands/misc/audit-fix.md +2 -2
  91. package/.agent/skills/gsd/references/commands/misc/audit-uat.md +2 -2
  92. package/.agent/skills/gsd/references/commands/misc/eval-review.md +34 -0
  93. package/.agent/skills/gsd/references/commands/misc/extract_learnings.md +24 -0
  94. package/.agent/skills/gsd/references/commands/misc/from-gsd2.md +49 -0
  95. package/.agent/skills/gsd/references/commands/misc/graphify.md +203 -0
  96. package/.agent/skills/gsd/references/commands/misc/inbox.md +40 -0
  97. package/.agent/skills/gsd/references/commands/misc/next.md +5 -3
  98. package/.agent/skills/gsd/references/commands/misc/progress.md +4 -3
  99. package/.agent/skills/gsd/references/commands/misc/sketch-wrap-up.md +33 -0
  100. package/.agent/skills/gsd/references/commands/misc/sketch.md +47 -0
  101. package/.agent/skills/gsd/references/commands/misc/spec-phase.md +64 -0
  102. package/.agent/skills/gsd/references/commands/misc/spike-wrap-up.md +33 -0
  103. package/.agent/skills/gsd/references/commands/misc/spike.md +43 -0
  104. package/.agent/skills/gsd/references/commands/misc/verify-work.md +2 -2
  105. package/.agent/skills/gsd/references/commands/phase/add-phase.md +2 -2
  106. package/.agent/skills/gsd/references/commands/phase/add-tests.md +2 -2
  107. package/.agent/skills/gsd/references/commands/phase/discuss-phase.md +5 -5
  108. package/.agent/skills/gsd/references/commands/phase/execute-phase.md +4 -4
  109. package/.agent/skills/gsd/references/commands/phase/insert-phase.md +2 -2
  110. package/.agent/skills/gsd/references/commands/phase/list-phase-assumptions.md +2 -2
  111. package/.agent/skills/gsd/references/commands/phase/plan-phase.md +3 -3
  112. package/.agent/skills/gsd/references/commands/phase/remove-phase.md +2 -2
  113. package/.agent/skills/gsd/references/commands/phase/research-phase.md +5 -5
  114. package/.agent/skills/gsd/references/commands/phase/secure-phase.md +2 -2
  115. package/.agent/skills/gsd/references/commands/phase/ui-phase.md +2 -2
  116. package/.agent/skills/gsd/references/commands/phase/ui-review.md +2 -2
  117. package/.agent/skills/gsd/references/commands/phase/validate-phase.md +2 -2
  118. package/.agent/skills/gsd/references/commands/phase/workstreams.md +9 -9
  119. package/.agent/skills/gsd/references/commands/project/analyze-dependencies.md +2 -2
  120. package/.agent/skills/gsd/references/commands/project/explore.md +2 -2
  121. package/.agent/skills/gsd/references/commands/project/import.md +2 -2
  122. package/.agent/skills/gsd/references/commands/project/intel.md +10 -10
  123. package/.agent/skills/gsd/references/commands/project/list-workspaces.md +2 -2
  124. package/.agent/skills/gsd/references/commands/project/map-codebase.md +2 -2
  125. package/.agent/skills/gsd/references/commands/project/new-project.md +2 -2
  126. package/.agent/skills/gsd/references/commands/project/new-workspace.md +2 -2
  127. package/.agent/skills/gsd/references/commands/project/remove-workspace.md +2 -2
  128. package/.agent/skills/gsd/references/commands/project/scan.md +2 -2
  129. package/.agent/skills/gsd/references/commands/system/autonomous.md +4 -3
  130. package/.agent/skills/gsd/references/commands/system/code-review-fix.md +3 -3
  131. package/.agent/skills/gsd/references/commands/system/code-review.md +3 -3
  132. package/.agent/skills/gsd/references/commands/system/debug.md +177 -100
  133. package/.agent/skills/gsd/references/commands/system/docs-update.md +2 -2
  134. package/.agent/skills/gsd/references/commands/system/fast.md +2 -2
  135. package/.agent/skills/gsd/references/commands/system/forensics.md +2 -2
  136. package/.agent/skills/gsd/references/commands/system/gsd-tools.md +153 -6
  137. package/.agent/skills/gsd/references/commands/system/health.md +2 -2
  138. package/.agent/skills/gsd/references/commands/system/manager.md +3 -3
  139. package/.agent/skills/gsd/references/commands/system/pause-work.md +2 -2
  140. package/.agent/skills/gsd/references/commands/system/pr-branch.md +2 -2
  141. package/.agent/skills/gsd/references/commands/system/profile-user.md +2 -2
  142. package/.agent/skills/gsd/references/commands/system/quick.md +127 -3
  143. package/.agent/skills/gsd/references/commands/system/reapply-patches.md +45 -6
  144. package/.agent/skills/gsd/references/commands/system/resume-work.md +2 -2
  145. package/.agent/skills/gsd/references/commands/system/review.md +6 -4
  146. package/.agent/skills/gsd/references/commands/system/set-profile.md +3 -3
  147. package/.agent/skills/gsd/references/commands/system/settings.md +2 -2
  148. package/.agent/skills/gsd/references/commands/system/update.md +2 -2
  149. package/.agent/skills/gsd/references/docs/ai-evals.md +156 -0
  150. package/.agent/skills/gsd/references/docs/ai-frameworks.md +186 -0
  151. package/.agent/skills/gsd/references/docs/artifact-types.md +18 -0
  152. package/.agent/skills/gsd/references/docs/autonomous-smart-discuss.md +277 -0
  153. package/.agent/skills/gsd/references/docs/checkpoints.md +30 -0
  154. package/.agent/skills/gsd/references/docs/common-bug-patterns.md +49 -49
  155. package/.agent/skills/gsd/references/docs/continuation-format.md +11 -7
  156. package/.agent/skills/gsd/references/docs/debugger-philosophy.md +76 -0
  157. package/.agent/skills/gsd/references/docs/decimal-phase-calculation.md +64 -64
  158. package/.agent/skills/gsd/references/docs/executor-examples.md +110 -0
  159. package/.agent/skills/gsd/references/docs/git-integration.md +4 -4
  160. package/.agent/skills/gsd/references/docs/git-planning-commit.md +40 -38
  161. package/.agent/skills/gsd/references/docs/ios-scaffold.md +123 -0
  162. package/.agent/skills/gsd/references/docs/mandatory-initial-read.md +2 -0
  163. package/.agent/skills/gsd/references/docs/phase-argument-parsing.md +61 -61
  164. package/.agent/skills/gsd/references/docs/planner-antipatterns.md +89 -0
  165. package/.agent/skills/gsd/references/docs/planner-revision.md +87 -87
  166. package/.agent/skills/gsd/references/docs/planner-source-audit.md +73 -0
  167. package/.agent/skills/gsd/references/docs/planning-config.md +33 -8
  168. package/.agent/skills/gsd/references/docs/project-skills-discovery.md +19 -0
  169. package/.agent/skills/gsd/references/docs/sketch-interactivity.md +41 -0
  170. package/.agent/skills/gsd/references/docs/sketch-theme-system.md +94 -0
  171. package/.agent/skills/gsd/references/docs/sketch-tooling.md +45 -0
  172. package/.agent/skills/gsd/references/docs/sketch-variant-patterns.md +81 -0
  173. package/.agent/skills/gsd/references/docs/tdd.md +67 -0
  174. package/.agent/skills/gsd/references/docs/universal-anti-patterns.md +5 -0
  175. package/.agent/skills/gsd/references/docs/workstream-flag.md +11 -11
  176. package/.agent/skills/gsd/references/mapping.md +1 -1
  177. package/.agent/skills/gsd/references/workflows/add-phase.md +112 -112
  178. package/.agent/skills/gsd/references/workflows/add-tests.md +6 -3
  179. package/.agent/skills/gsd/references/workflows/add-todo.md +5 -3
  180. package/.agent/skills/gsd/references/workflows/ai-integration-phase.md +284 -0
  181. package/.agent/skills/gsd/references/workflows/audit-fix.md +157 -157
  182. package/.agent/skills/gsd/references/workflows/audit-milestone.md +340 -340
  183. package/.agent/skills/gsd/references/workflows/audit-uat.md +109 -109
  184. package/.agent/skills/gsd/references/workflows/autonomous.md +20 -288
  185. package/.agent/skills/gsd/references/workflows/check-todos.md +4 -2
  186. package/.agent/skills/gsd/references/workflows/cleanup.md +3 -1
  187. package/.agent/skills/gsd/references/workflows/code-review-fix.md +497 -497
  188. package/.agent/skills/gsd/references/workflows/code-review.md +515 -515
  189. package/.agent/skills/gsd/references/workflows/complete-milestone.md +97 -24
  190. package/.agent/skills/gsd/references/workflows/diagnose-issues.md +238 -238
  191. package/.agent/skills/gsd/references/workflows/discovery-phase.md +2 -0
  192. package/.agent/skills/gsd/references/workflows/discuss-phase-assumptions.md +11 -11
  193. package/.agent/skills/gsd/references/workflows/discuss-phase.md +143 -19
  194. package/.agent/skills/gsd/references/workflows/do.md +8 -2
  195. package/.agent/skills/gsd/references/workflows/docs-update.md +5 -3
  196. package/.agent/skills/gsd/references/workflows/eval-review.md +155 -0
  197. package/.agent/skills/gsd/references/workflows/execute-phase.md +338 -54
  198. package/.agent/skills/gsd/references/workflows/execute-plan.md +80 -104
  199. package/.agent/skills/gsd/references/workflows/explore.md +3 -1
  200. package/.agent/skills/gsd/references/workflows/extract_learnings.md +232 -0
  201. package/.agent/skills/gsd/references/workflows/forensics.md +3 -3
  202. package/.agent/skills/gsd/references/workflows/health.md +2 -2
  203. package/.agent/skills/gsd/references/workflows/help.md +59 -1
  204. package/.agent/skills/gsd/references/workflows/import.md +3 -1
  205. package/.agent/skills/gsd/references/workflows/inbox.md +387 -384
  206. package/.agent/skills/gsd/references/workflows/insert-phase.md +130 -130
  207. package/.agent/skills/gsd/references/workflows/list-workspaces.md +56 -56
  208. package/.agent/skills/gsd/references/workflows/manager.md +5 -3
  209. package/.agent/skills/gsd/references/workflows/map-codebase.md +19 -5
  210. package/.agent/skills/gsd/references/workflows/milestone-summary.md +6 -6
  211. package/.agent/skills/gsd/references/workflows/new-milestone.md +63 -9
  212. package/.agent/skills/gsd/references/workflows/new-project.md +126 -22
  213. package/.agent/skills/gsd/references/workflows/new-workspace.md +6 -4
  214. package/.agent/skills/gsd/references/workflows/next.md +220 -153
  215. package/.agent/skills/gsd/references/workflows/note.md +2 -0
  216. package/.agent/skills/gsd/references/workflows/pause-work.md +11 -7
  217. package/.agent/skills/gsd/references/workflows/plan-milestone-gaps.md +273 -273
  218. package/.agent/skills/gsd/references/workflows/plan-phase.md +281 -62
  219. package/.agent/skills/gsd/references/workflows/plant-seed.md +4 -1
  220. package/.agent/skills/gsd/references/workflows/pr-branch.md +41 -13
  221. package/.agent/skills/gsd/references/workflows/profile-user.md +15 -13
  222. package/.agent/skills/gsd/references/workflows/progress.md +133 -21
  223. package/.agent/skills/gsd/references/workflows/quick.md +67 -27
  224. package/.agent/skills/gsd/references/workflows/remove-phase.md +155 -155
  225. package/.agent/skills/gsd/references/workflows/remove-workspace.md +4 -2
  226. package/.agent/skills/gsd/references/workflows/research-phase.md +3 -3
  227. package/.agent/skills/gsd/references/workflows/resume-project.md +3 -3
  228. package/.agent/skills/gsd/references/workflows/review.md +71 -8
  229. package/.agent/skills/gsd/references/workflows/scan.md +102 -102
  230. package/.agent/skills/gsd/references/workflows/secure-phase.md +7 -5
  231. package/.agent/skills/gsd/references/workflows/settings.md +24 -7
  232. package/.agent/skills/gsd/references/workflows/ship.md +71 -6
  233. package/.agent/skills/gsd/references/workflows/sketch-wrap-up.md +283 -0
  234. package/.agent/skills/gsd/references/workflows/sketch.md +263 -0
  235. package/.agent/skills/gsd/references/workflows/spec-phase.md +262 -0
  236. package/.agent/skills/gsd/references/workflows/spike-wrap-up.md +273 -0
  237. package/.agent/skills/gsd/references/workflows/spike.md +270 -0
  238. package/.agent/skills/gsd/references/workflows/stats.md +60 -60
  239. package/.agent/skills/gsd/references/workflows/transition.md +671 -671
  240. package/.agent/skills/gsd/references/workflows/ui-phase.md +33 -12
  241. package/.agent/skills/gsd/references/workflows/ui-review.md +6 -4
  242. package/.agent/skills/gsd/references/workflows/undo.md +3 -1
  243. package/.agent/skills/gsd/references/workflows/update.md +113 -2
  244. package/.agent/skills/gsd/references/workflows/validate-phase.md +7 -5
  245. package/.agent/skills/gsd/references/workflows/verify-phase.md +93 -10
  246. package/.agent/skills/gsd/references/workflows/verify-work.md +50 -10
  247. package/.agent/skills/gsd-converter/references/mapping.md +1 -1
  248. package/.agent/skills/gsd-converter/scripts/convert.py +36 -17
  249. package/.agent/skills/gsd-converter/scripts/regression_test.py +68 -33
  250. package/README.md +3 -2
  251. package/package.json +1 -1
@@ -1,515 +1,515 @@
1
- <purpose>
2
- Review source files changed during a phase for bugs, security issues, and code quality problems. Computes file scope (--files override > SUMMARY.md > git diff fallback), checks config gate, spawns gsd-code-reviewer agent, commits REVIEW.md, and presents results to user.
3
- </purpose>
4
-
5
- <required_reading>
6
- Read all files referenced by the invoking prompt's execution_context before starting.
7
- </required_reading>
8
-
9
- <available_agent_types>
10
- - gsd-code-reviewer: Reviews source files for bugs and quality issues
11
- </available_agent_types>
12
-
13
- <process>
14
-
15
- <step name="initialize">
16
- Parse arguments and load project state:
17
-
18
- ```bash
19
- PHASE_ARG="${1}"
20
- .agent/skills/gsd/bin/gsd-tools.cjs" init phase-op "${PHASE_ARG}")
21
- if [[ "$INIT" == @file:* ]]; then INIT=$(cat "${INIT#@file:}"); fi
22
- ```
23
-
24
- Parse from init JSON: `phase_found`, `phase_dir`, `phase_number`, `phase_name`, `padded_phase`, `commit_docs`.
25
-
26
- **Input sanitization (defense-in-depth):**
27
- ```bash
28
- # Validate PADDED_PHASE contains only digits and optional dot (e.g., "02", "03.1")
29
- if ! [[ "$PADDED_PHASE" =~ ^[0-9]+(\.[0-9]+)?$ ]]; then
30
- echo "Error: Invalid phase number format: '${PADDED_PHASE}'. Expected digits (e.g., 02, 03.1)."
31
- # Exit workflow
32
- fi
33
- ```
34
-
35
- **Phase validation (before config gate):**
36
- If `phase_found` is false, report error and exit:
37
- ```
38
- Error: Phase ${PHASE_ARG} not found. Run /gsd-status to see available phases.
39
- ```
40
-
41
- This runs BEFORE config gate check so user errors are surfaced immediately regardless of config state.
42
-
43
- Parse optional flags from $ARGUMENTS:
44
-
45
- **--depth flag:**
46
- ```bash
47
- DEPTH_OVERRIDE=""
48
- for arg in "$@"; do
49
- if [[ "$arg" == --depth=* ]]; then
50
- DEPTH_OVERRIDE="${arg#--depth=}"
51
- fi
52
- done
53
- ```
54
-
55
- **--files flag:**
56
- ```bash
57
- FILES_OVERRIDE=""
58
- for arg in "$@"; do
59
- if [[ "$arg" == --files=* ]]; then
60
- FILES_OVERRIDE="${arg#--files=}"
61
- fi
62
- done
63
- ```
64
-
65
- If FILES_OVERRIDE is set, split by comma into array:
66
- ```bash
67
- if [ -n "$FILES_OVERRIDE" ]; then
68
- IFS=',' read -ra FILES_ARRAY <<< "$FILES_OVERRIDE"
69
- fi
70
- ```
71
- </step>
72
-
73
- <step name="check_config_gate">
74
- Check if code review is enabled via config:
75
-
76
- ```bash
77
- .agent/skills/gsd/bin/gsd-tools.cjs" config-get workflow.code_review 2>/dev/null || echo "true")
78
- ```
79
-
80
- If CODE_REVIEW_ENABLED is "false":
81
- ```
82
- Code review skipped (workflow.code_review=false in config)
83
- ```
84
- Exit workflow.
85
-
86
- Default is true — only skip on explicit false. This check runs AFTER phase validation so invalid phase errors are shown first.
87
- </step>
88
-
89
- <step name="resolve_depth">
90
- Determine review depth with priority order:
91
-
92
- 1. DEPTH_OVERRIDE from --depth flag (highest priority)
93
- .agent/skills/gsd/bin/gsd-tools.cjs" config-get workflow.code_review_depth 2>/dev/null`
94
- 3. Default: "standard"
95
-
96
- ```bash
97
- if [ -n "$DEPTH_OVERRIDE" ]; then
98
- REVIEW_DEPTH="$DEPTH_OVERRIDE"
99
- else
100
- .agent/skills/gsd/bin/gsd-tools.cjs" config-get workflow.code_review_depth 2>/dev/null || echo "")
101
- REVIEW_DEPTH="${CONFIG_DEPTH:-standard}"
102
- fi
103
- ```
104
-
105
- **Validate depth value:**
106
- ```bash
107
- case "$REVIEW_DEPTH" in
108
- quick|standard|deep)
109
- # Valid
110
- ;;
111
- *)
112
- echo "Warning: Invalid depth '${REVIEW_DEPTH}'. Valid values: quick, standard, deep. Using 'standard'."
113
- REVIEW_DEPTH="standard"
114
- ;;
115
- esac
116
- ```
117
- </step>
118
-
119
- <step name="compute_file_scope">
120
- Three-tier scoping with explicit precedence:
121
-
122
- **Tier 1 — --files override (highest precedence per D-08):**
123
-
124
- If FILES_OVERRIDE is set (from --files flag):
125
- ```bash
126
- if [ -n "$FILES_OVERRIDE" ]; then
127
- REVIEW_FILES=()
128
- REPO_ROOT=$(git rev-parse --show-toplevel 2>/dev/null)
129
-
130
- for file_path in "${FILES_ARRAY[@]}"; do
131
- # Security: validate path is within repository (prevent path traversal)
132
- ABS_PATH=$(realpath -m "${file_path}" 2>/dev/null || echo "${file_path}")
133
- if [[ "$ABS_PATH" != "$REPO_ROOT"* ]]; then
134
- echo "Error: File path outside repository, skipping: ${file_path}"
135
- continue
136
- fi
137
-
138
- # Validate path exists (relative to repo root)
139
- if [ -f "${REPO_ROOT}/${file_path}" ] || [ -f "${file_path}" ]; then
140
- REVIEW_FILES+=("$file_path")
141
- else
142
- echo "Warning: File not found, skipping: ${file_path}"
143
- fi
144
- done
145
-
146
- echo "File scope: ${#REVIEW_FILES[@]} files from --files override"
147
- fi
148
- ```
149
-
150
- Skip SUMMARY/git scoping entirely when --files is provided.
151
-
152
- **Tier 2 — SUMMARY.md extraction (primary per D-01):**
153
-
154
- If --files NOT provided:
155
- ```bash
156
- if [ -z "$FILES_OVERRIDE" ]; then
157
- SUMMARIES=$(ls "${PHASE_DIR}"/*-SUMMARY.md 2>/dev/null)
158
- REVIEW_FILES=()
159
-
160
- if [ -n "$SUMMARIES" ]; then
161
- for summary in $SUMMARIES; do
162
- # Extract key_files.created and key_files.modified using node for reliable YAML parsing
163
- # This avoids fragile awk parsing that breaks on indentation differences
164
- EXTRACTED=$(node -e "
165
- const fs = require('fs');
166
- const content = fs.readFileSync('$summary', 'utf-8');
167
- const match = content.match(/^---\n([\s\S]*?)\n---/);
168
- if (!match) { process.exit(0); }
169
- const yaml = match[1];
170
- const files = [];
171
- let inSection = null;
172
- for (const line of yaml.split('\n')) {
173
- if (/^\s+created:/.test(line)) { inSection = 'created'; continue; }
174
- if (/^\s+modified:/.test(line)) { inSection = 'modified'; continue; }
175
- if (/^\s+\w+:/.test(line) && !/^\s+-/.test(line)) { inSection = null; continue; }
176
- if (inSection && /^\s+-\s+(.+)/.test(line)) {
177
- files.push(line.match(/^\s+-\s+(.+)/)[1].trim());
178
- }
179
- }
180
- if (files.length) console.log(files.join('\n'));
181
- " 2>/dev/null)
182
-
183
- # Add extracted files to REVIEW_FILES array
184
- if [ -n "$EXTRACTED" ]; then
185
- while IFS= read -r file; do
186
- if [ -n "$file" ]; then
187
- REVIEW_FILES+=("$file")
188
- fi
189
- done <<< "$EXTRACTED"
190
- fi
191
- done
192
-
193
- if [ ${#REVIEW_FILES[@]} -eq 0 ]; then
194
- echo "Warning: SUMMARY artifacts found but contained no file paths. Falling back to git diff."
195
- fi
196
- fi
197
- fi
198
- ```
199
-
200
- **Tier 3 — Git diff fallback (per D-02):**
201
-
202
- If no SUMMARY.md files found OR no files extracted from them:
203
- ```bash
204
- if [ ${#REVIEW_FILES[@]} -eq 0 ]; then
205
- # Compute diff base from phase commits — fail closed if no reliable base found
206
- PHASE_COMMITS=$(git log --oneline --all --grep="${PADDED_PHASE}" --format="%H" 2>/dev/null)
207
-
208
- if [ -n "$PHASE_COMMITS" ]; then
209
- DIFF_BASE=$(echo "$PHASE_COMMITS" | tail -1)^
210
-
211
- # Verify the parent commit exists (first commit in repo has no parent)
212
- if ! git rev-parse "${DIFF_BASE}" >/dev/null 2>&1; then
213
- DIFF_BASE=$(echo "$PHASE_COMMITS" | tail -1)
214
- fi
215
-
216
- # Run git diff with specific exclusions (per D-03)
217
- DIFF_FILES=$(git diff --name-only "${DIFF_BASE}..HEAD" -- . \
218
- ':!.planning/' ':!ROADMAP.md' ':!STATE.md' \
219
- ':!*-SUMMARY.md' ':!*-VERIFICATION.md' ':!*-PLAN.md' \
220
- ':!package-lock.json' ':!yarn.lock' ':!Gemfile.lock' ':!poetry.lock' 2>/dev/null)
221
-
222
- while IFS= read -r file; do
223
- [ -n "$file" ] && REVIEW_FILES+=("$file")
224
- done <<< "$DIFF_FILES"
225
-
226
- echo "File scope: ${#REVIEW_FILES[@]} files from git diff (base: ${DIFF_BASE})"
227
- else
228
- # Fail closed — no reliable diff base found. Do not use arbitrary HEAD~N.
229
- echo "Warning: No phase commits found for '${PADDED_PHASE}'. Cannot determine reliable diff scope."
230
- echo "Use --files flag to specify files explicitly: /gsd-code-review ${PHASE_ARG} --files=file1,file2,..."
231
- fi
232
- fi
233
- ```
234
-
235
- **Post-processing (all tiers):**
236
-
237
- 1. **Apply exclusions (per D-03):** Remove paths matching planning artifacts
238
- ```bash
239
- FILTERED_FILES=()
240
- for file in "${REVIEW_FILES[@]}"; do
241
- # Skip planning directory and specific artifacts
242
- if [[ "$file" == .planning/* ]] || \
243
- [[ "$file" == ROADMAP.md ]] || \
244
- [[ "$file" == STATE.md ]] || \
245
- [[ "$file" == *-SUMMARY.md ]] || \
246
- [[ "$file" == *-VERIFICATION.md ]] || \
247
- [[ "$file" == *-PLAN.md ]]; then
248
- continue
249
- fi
250
- FILTERED_FILES+=("$file")
251
- done
252
- REVIEW_FILES=("${FILTERED_FILES[@]}")
253
- ```
254
-
255
- 2. **Filter deleted files:** Remove paths that don't exist on disk
256
- ```bash
257
- EXISTING_FILES=()
258
- DELETED_COUNT=0
259
- for file in "${REVIEW_FILES[@]}"; do
260
- if [ -f "$file" ]; then
261
- EXISTING_FILES+=("$file")
262
- else
263
- DELETED_COUNT=$((DELETED_COUNT + 1))
264
- fi
265
- done
266
- REVIEW_FILES=("${EXISTING_FILES[@]}")
267
-
268
- if [ $DELETED_COUNT -gt 0 ]; then
269
- echo "Filtered $DELETED_COUNT deleted files from review scope"
270
- fi
271
- ```
272
-
273
- 3. **Deduplicate:** Remove duplicate paths (portable — bash 3.2+ compatible, handles spaces in paths)
274
- ```bash
275
- DEDUPED=()
276
- while IFS= read -r line; do
277
- [ -n "$line" ] && DEDUPED+=("$line")
278
- done < <(printf '%s\n' "${REVIEW_FILES[@]}" | sort -u)
279
- REVIEW_FILES=("${DEDUPED[@]}")
280
- ```
281
-
282
- 4. **Sort:** Alphabetical sort for reproducible agent input (already sorted by sort -u above)
283
-
284
- **Log final scope and warn if large:**
285
- ```bash
286
- if [ -n "$FILES_OVERRIDE" ]; then
287
- TIER="--files override"
288
- elif [ -n "$SUMMARIES" ] && [ ${#REVIEW_FILES[@]} -gt 0 ]; then
289
- TIER="SUMMARY.md"
290
- else
291
- TIER="git diff"
292
- fi
293
- echo "File scope: ${#REVIEW_FILES[@]} files from ${TIER}"
294
-
295
- # Warn if file count is very large — may exceed agent context or produce superficial review
296
- if [ ${#REVIEW_FILES[@]} -gt 50 ]; then
297
- echo "Warning: ${#REVIEW_FILES[@]} files is a large review scope."
298
- echo "Consider using --files to narrow scope, or --depth=quick for a faster pass."
299
- if [ "$REVIEW_DEPTH" = "deep" ]; then
300
- echo "Switching from deep to standard depth for large file count."
301
- REVIEW_DEPTH="standard"
302
- fi
303
- fi
304
- ```
305
- </step>
306
-
307
- <step name="check_empty_scope">
308
- If REVIEW_FILES is empty:
309
- ```
310
- No source files changed in phase ${PHASE_ARG}. Skipping review.
311
- ```
312
- Exit workflow. Do NOT spawn agent or create REVIEW.md.
313
- </step>
314
-
315
- <step name="spawn_reviewer">
316
- Compute the review output path:
317
- ```bash
318
- REVIEW_PATH="${PHASE_DIR}/${PADDED_PHASE}-REVIEW.md"
319
- ```
320
-
321
- Compute DIFF_BASE for agent context (in case agent needs it):
322
- ```bash
323
- PHASE_COMMITS=$(git log --oneline --all --grep="${PADDED_PHASE}" --format="%H" 2>/dev/null)
324
- if [ -n "$PHASE_COMMITS" ]; then
325
- DIFF_BASE=$(echo "$PHASE_COMMITS" | tail -1)^
326
- else
327
- DIFF_BASE=""
328
- fi
329
- ```
330
-
331
- Build files_to_read block for agent:
332
- ```bash
333
- FILES_TO_READ=""
334
- for file in "${REVIEW_FILES[@]}"; do
335
- FILES_TO_READ+="- ${file}\n"
336
- done
337
- ```
338
-
339
- Build config block for agent:
340
- ```bash
341
- CONFIG_FILES=""
342
- for file in "${REVIEW_FILES[@]}"; do
343
- CONFIG_FILES+=" - ${file}\n"
344
- done
345
- ```
346
-
347
- Spawn the gsd-code-reviewer agent:
348
-
349
- ```
350
- Task(subagent_type="gsd-code-reviewer", prompt="
351
- <files_to_read>
352
- ${FILES_TO_READ}
353
- </files_to_read>
354
-
355
- <config>
356
- depth: ${REVIEW_DEPTH}
357
- phase_dir: ${PHASE_DIR}
358
- review_path: ${REVIEW_PATH}
359
- ${DIFF_BASE:+diff_base: ${DIFF_BASE}}
360
- files:
361
- ${CONFIG_FILES}
362
- </config>
363
-
364
- Review the listed source files at ${REVIEW_DEPTH} depth. Write findings to ${REVIEW_PATH}.
365
- Do NOT commit the output — the orchestrator handles that.
366
- ")
367
- ```
368
-
369
- **Agent failure handling:**
370
-
371
- If the Task() call fails (agent error, timeout, or exception):
372
- ```
373
- Error: Code review agent failed: ${error_message}
374
-
375
- No REVIEW.md created. You can retry with /gsd-code-review ${PHASE_ARG} or check agent logs.
376
- ```
377
-
378
- Do NOT proceed to commit_review step. Do NOT create a partial or empty REVIEW.md. Exit workflow.
379
- </step>
380
-
381
- <step name="commit_review">
382
- After agent completes successfully, verify REVIEW.md was created and has valid structure:
383
-
384
- ```bash
385
- if [ -f "${REVIEW_PATH}" ]; then
386
- # Validate REVIEW.md has valid YAML frontmatter with status field
387
- HAS_STATUS=$(REVIEW_PATH="${REVIEW_PATH}" node -e "
388
- const fs = require('fs');
389
- const content = fs.readFileSync(process.env.REVIEW_PATH, 'utf-8');
390
- const match = content.match(/^---\n([\s\S]*?)\n---/);
391
- if (match && /status:/.test(match[1])) { console.log('valid'); } else { console.log('invalid'); }
392
- " 2>/dev/null)
393
-
394
- if [ "$HAS_STATUS" = "valid" ]; then
395
- echo "REVIEW.md created at ${REVIEW_PATH}"
396
-
397
- if [ "$COMMIT_DOCS" = "true" ]; then
398
- .agent/skills/gsd/bin/gsd-tools.cjs" commit \
399
- "docs(${PADDED_PHASE}): add code review report" \
400
- --files "${REVIEW_PATH}"
401
- fi
402
- else
403
- echo "Warning: REVIEW.md exists but has invalid or missing frontmatter (no status field)."
404
- echo "Agent may have produced malformed output. Not committing. Review manually: ${REVIEW_PATH}"
405
- fi
406
- else
407
- echo "Warning: Agent completed but REVIEW.md not found at ${REVIEW_PATH}. This may indicate an agent issue."
408
- echo "No REVIEW.md to commit. Please retry with /gsd-code-review ${PHASE_ARG}"
409
- fi
410
- ```
411
- </step>
412
-
413
- <step name="present_results">
414
- Read the REVIEW.md YAML frontmatter to extract finding counts.
415
-
416
- Extract frontmatter between `---` delimiters first to avoid matching values in the review body:
417
-
418
- ```bash
419
- # Extract only the YAML frontmatter block (between first two --- lines)
420
- FRONTMATTER=$(REVIEW_PATH="${REVIEW_PATH}" node -e "
421
- const fs = require('fs');
422
- const content = fs.readFileSync(process.env.REVIEW_PATH, 'utf-8');
423
- const match = content.match(/^---\n([\s\S]*?)\n---/);
424
- if (match) process.stdout.write(match[1]);
425
- " 2>/dev/null)
426
-
427
- # Parse fields from frontmatter only (not full file)
428
- STATUS=$(echo "$FRONTMATTER" | grep "^status:" | cut -d: -f2 | xargs)
429
- FILES_REVIEWED=$(echo "$FRONTMATTER" | grep "^files_reviewed:" | cut -d: -f2 | xargs)
430
- CRITICAL=$(echo "$FRONTMATTER" | grep "critical:" | head -1 | cut -d: -f2 | xargs)
431
- WARNING=$(echo "$FRONTMATTER" | grep "warning:" | head -1 | cut -d: -f2 | xargs)
432
- INFO=$(echo "$FRONTMATTER" | grep "info:" | head -1 | cut -d: -f2 | xargs)
433
- TOTAL=$(echo "$FRONTMATTER" | grep "total:" | head -1 | cut -d: -f2 | xargs)
434
- ```
435
-
436
- Display inline summary to user:
437
-
438
- ```
439
- ═══════════════════════════════════════════════════════════════
440
-
441
- Code Review Complete: Phase ${PHASE_NUMBER} (${PHASE_NAME})
442
-
443
- ───────────────────────────────────────────────────────────────
444
-
445
- Depth: ${REVIEW_DEPTH}
446
- Files Reviewed: ${FILES_REVIEWED}
447
-
448
- Findings:
449
- Critical: ${CRITICAL}
450
- Warning: ${WARNING}
451
- Info: ${INFO}
452
- ──────────
453
- Total: ${TOTAL}
454
-
455
- ───────────────────────────────────────────────────────────────
456
- ```
457
-
458
- If status is "clean":
459
- ```
460
- ✓ No issues found. All ${FILES_REVIEWED} files pass review at ${REVIEW_DEPTH} depth.
461
-
462
- Full report: ${REVIEW_PATH}
463
- ```
464
-
465
- If total findings > 0:
466
- ```
467
- ⚠ Issues found. Review the report for details.
468
-
469
- Full report: ${REVIEW_PATH}
470
-
471
- Next steps:
472
- /gsd-code-review-fix ${PHASE_NUMBER} — Auto-fix issues
473
- cat ${REVIEW_PATH} — View full report
474
- ```
475
-
476
- If critical > 0 or warning > 0, list top 3 issues inline:
477
- ```bash
478
- echo "Top issues:"
479
- grep -A 3 "^### CR-\|^### WR-" "${REVIEW_PATH}" | head -n 12
480
- ```
481
-
482
- **Note on tests:** Automated tests for this command and workflow are planned for Phase 4 (Pipeline Integration & Testing, requirement INFR-03). Phase 2 focuses on correct implementation; Phase 4 adds regression coverage across platforms.
483
-
484
- ═══════════════════════════════════════════════════════════════
485
- </step>
486
-
487
- </process>
488
-
489
- <platform_notes>
490
- **Windows:** This workflow uses bash features (arrays, process substitution). On Windows, it requires
491
- Git Bash or WSL. Native PowerShell is not supported. The CI matrix (Ubuntu/macOS/Windows)
492
- runs under Git Bash on Windows runners, which provides bash compatibility.
493
-
494
- **macOS:** macOS ships with bash 3.2 (GPL licensing). This workflow does NOT use `mapfile` (bash 4+
495
- only) — all array construction uses portable `while IFS= read -r` loops compatible with bash 3.2.
496
- The `--files` path validation uses `realpath -m` which requires GNU coreutils (install via
497
- `brew install coreutils`). Without coreutils, the path guard falls back to fail-closed behavior
498
- (rejects paths it cannot verify), so security is maintained but valid relative paths may be rejected.
499
- If `--files` validation fails unexpectedly on macOS, install coreutils or use absolute paths.
500
- </platform_notes>
501
-
502
- <success_criteria>
503
- - [ ] Phase validated before config gate check
504
- - [ ] Config gate checked (workflow.code_review)
505
- - [ ] Depth resolved with validation (quick|standard|deep)
506
- - [ ] File scope computed with 3 tiers: --files > SUMMARY.md > git diff
507
- - [ ] Malformed/missing SUMMARY.md handled gracefully with fallback
508
- - [ ] Deleted files filtered from scope
509
- - [ ] Files deduplicated and sorted
510
- - [ ] Empty scope results in skip (no agent spawn)
511
- - [ ] Agent spawned with explicit file list, depth, review_path, diff_base
512
- - [ ] Agent failure handled without partial commits
513
- - [ ] REVIEW.md committed if created
514
- - [ ] Results presented inline with next step suggestion
515
- </success_criteria>
1
+ <purpose>
2
+ Review source files changed during a phase for bugs, security issues, and code quality problems. Computes file scope (--files override > SUMMARY.md > git diff fallback), checks config gate, spawns gsd-code-reviewer agent, commits REVIEW.md, and presents results to user.
3
+ </purpose>
4
+
5
+ <required_reading>
6
+ Read all files referenced by the invoking prompt's execution_context before starting.
7
+ </required_reading>
8
+
9
+ <available_agent_types>
10
+ - gsd-code-reviewer: Reviews source files for bugs and quality issues
11
+ </available_agent_types>
12
+
13
+ <process>
14
+
15
+ <step name="initialize">
16
+ Parse arguments and load project state:
17
+
18
+ ```bash
19
+ PHASE_ARG="${1}"
20
+ INIT=$(gsd-sdk query init.phase-op "${PHASE_ARG}")
21
+ if [[ "$INIT" == @file:* ]]; then INIT=$(cat "${INIT#@file:}"); fi
22
+ ```
23
+
24
+ Parse from init JSON: `phase_found`, `phase_dir`, `phase_number`, `phase_name`, `padded_phase`, `commit_docs`.
25
+
26
+ **Input sanitization (defense-in-depth):**
27
+ ```bash
28
+ # Validate PADDED_PHASE contains only digits and optional dot (e.g., "02", "03.1")
29
+ if ! [[ "$PADDED_PHASE" =~ ^[0-9]+(\.[0-9]+)?$ ]]; then
30
+ echo "Error: Invalid phase number format: '${PADDED_PHASE}'. Expected digits (e.g., 02, 03.1)."
31
+ # Exit workflow
32
+ fi
33
+ ```
34
+
35
+ **Phase validation (before config gate):**
36
+ If `phase_found` is false, report error and exit:
37
+ ```
38
+ Error: Phase ${PHASE_ARG} not found. Run /gsd-status to see available phases.
39
+ ```
40
+
41
+ This runs BEFORE config gate check so user errors are surfaced immediately regardless of config state.
42
+
43
+ Parse optional flags from $ARGUMENTS:
44
+
45
+ **--depth flag:**
46
+ ```bash
47
+ DEPTH_OVERRIDE=""
48
+ for arg in "$@"; do
49
+ if [[ "$arg" == --depth=* ]]; then
50
+ DEPTH_OVERRIDE="${arg#--depth=}"
51
+ fi
52
+ done
53
+ ```
54
+
55
+ **--files flag:**
56
+ ```bash
57
+ FILES_OVERRIDE=""
58
+ for arg in "$@"; do
59
+ if [[ "$arg" == --files=* ]]; then
60
+ FILES_OVERRIDE="${arg#--files=}"
61
+ fi
62
+ done
63
+ ```
64
+
65
+ If FILES_OVERRIDE is set, split by comma into array:
66
+ ```bash
67
+ if [ -n "$FILES_OVERRIDE" ]; then
68
+ IFS=',' read -ra FILES_ARRAY <<< "$FILES_OVERRIDE"
69
+ fi
70
+ ```
71
+ </step>
72
+
73
+ <step name="check_config_gate">
74
+ Check if code review is enabled via config:
75
+
76
+ ```bash
77
+ CODE_REVIEW_ENABLED=$(gsd-sdk query config-get workflow.code_review 2>/dev/null || echo "true")
78
+ ```
79
+
80
+ If CODE_REVIEW_ENABLED is "false":
81
+ ```
82
+ Code review skipped (workflow.code_review=false in config)
83
+ ```
84
+ Exit workflow.
85
+
86
+ Default is true — only skip on explicit false. This check runs AFTER phase validation so invalid phase errors are shown first.
87
+ </step>
88
+
89
+ <step name="resolve_depth">
90
+ Determine review depth with priority order:
91
+
92
+ 1. DEPTH_OVERRIDE from --depth flag (highest priority)
93
+ 2. Config value: `gsd-sdk query config-get workflow.code_review_depth 2>/dev/null`
94
+ 3. Default: "standard"
95
+
96
+ ```bash
97
+ if [ -n "$DEPTH_OVERRIDE" ]; then
98
+ REVIEW_DEPTH="$DEPTH_OVERRIDE"
99
+ else
100
+ CONFIG_DEPTH=$(gsd-sdk query config-get workflow.code_review_depth 2>/dev/null || echo "")
101
+ REVIEW_DEPTH="${CONFIG_DEPTH:-standard}"
102
+ fi
103
+ ```
104
+
105
+ **Validate depth value:**
106
+ ```bash
107
+ case "$REVIEW_DEPTH" in
108
+ quick|standard|deep)
109
+ # Valid
110
+ ;;
111
+ *)
112
+ echo "Warning: Invalid depth '${REVIEW_DEPTH}'. Valid values: quick, standard, deep. Using 'standard'."
113
+ REVIEW_DEPTH="standard"
114
+ ;;
115
+ esac
116
+ ```
117
+ </step>
118
+
119
+ <step name="compute_file_scope">
120
+ Three-tier scoping with explicit precedence:
121
+
122
+ **Tier 1 — --files override (highest precedence per D-08):**
123
+
124
+ If FILES_OVERRIDE is set (from --files flag):
125
+ ```bash
126
+ if [ -n "$FILES_OVERRIDE" ]; then
127
+ REVIEW_FILES=()
128
+ REPO_ROOT=$(git rev-parse --show-toplevel 2>/dev/null)
129
+
130
+ for file_path in "${FILES_ARRAY[@]}"; do
131
+ # Security: validate path is within repository (prevent path traversal)
132
+ ABS_PATH=$(realpath -m "${file_path}" 2>/dev/null || echo "${file_path}")
133
+ if [[ "$ABS_PATH" != "$REPO_ROOT"* ]]; then
134
+ echo "Error: File path outside repository, skipping: ${file_path}"
135
+ continue
136
+ fi
137
+
138
+ # Validate path exists (relative to repo root)
139
+ if [ -f "${REPO_ROOT}/${file_path}" ] || [ -f "${file_path}" ]; then
140
+ REVIEW_FILES+=("$file_path")
141
+ else
142
+ echo "Warning: File not found, skipping: ${file_path}"
143
+ fi
144
+ done
145
+
146
+ echo "File scope: ${#REVIEW_FILES[@]} files from --files override"
147
+ fi
148
+ ```
149
+
150
+ Skip SUMMARY/git scoping entirely when --files is provided.
151
+
152
+ **Tier 2 — SUMMARY.md extraction (primary per D-01):**
153
+
154
+ If --files NOT provided:
155
+ ```bash
156
+ if [ -z "$FILES_OVERRIDE" ]; then
157
+ SUMMARIES=$(ls "${PHASE_DIR}"/*-SUMMARY.md 2>/dev/null)
158
+ REVIEW_FILES=()
159
+
160
+ if [ -n "$SUMMARIES" ]; then
161
+ for summary in $SUMMARIES; do
162
+ # Extract key_files.created and key_files.modified using node for reliable YAML parsing
163
+ # This avoids fragile awk parsing that breaks on indentation differences
164
+ EXTRACTED=$(node -e "
165
+ const fs = require('fs');
166
+ const content = fs.readFileSync('$summary', 'utf-8');
167
+ const match = content.match(/^---\n([\s\S]*?)\n---/);
168
+ if (!match) { process.exit(0); }
169
+ const yaml = match[1];
170
+ const files = [];
171
+ let inSection = null;
172
+ for (const line of yaml.split('\n')) {
173
+ if (/^\s+created:/.test(line)) { inSection = 'created'; continue; }
174
+ if (/^\s+modified:/.test(line)) { inSection = 'modified'; continue; }
175
+ if (/^\s*\w+:/.test(line) && !/^\s*-/.test(line)) { inSection = null; continue; }
176
+ if (inSection && /^\s+-\s+(.+)/.test(line)) {
177
+ files.push(line.match(/^\s+-\s+(.+)/)[1].trim());
178
+ }
179
+ }
180
+ if (files.length) console.log(files.join('\n'));
181
+ " 2>/dev/null)
182
+
183
+ # Add extracted files to REVIEW_FILES array
184
+ if [ -n "$EXTRACTED" ]; then
185
+ while IFS= read -r file; do
186
+ if [ -n "$file" ]; then
187
+ REVIEW_FILES+=("$file")
188
+ fi
189
+ done <<< "$EXTRACTED"
190
+ fi
191
+ done
192
+
193
+ if [ ${#REVIEW_FILES[@]} -eq 0 ]; then
194
+ echo "Warning: SUMMARY artifacts found but contained no file paths. Falling back to git diff."
195
+ fi
196
+ fi
197
+ fi
198
+ ```
199
+
200
+ **Tier 3 — Git diff fallback (per D-02):**
201
+
202
+ If no SUMMARY.md files found OR no files extracted from them:
203
+ ```bash
204
+ if [ ${#REVIEW_FILES[@]} -eq 0 ]; then
205
+ # Compute diff base from phase commits — fail closed if no reliable base found
206
+ PHASE_COMMITS=$(git log --oneline --all --grep="${PADDED_PHASE}" --format="%H" 2>/dev/null)
207
+
208
+ if [ -n "$PHASE_COMMITS" ]; then
209
+ DIFF_BASE=$(echo "$PHASE_COMMITS" | tail -1)^
210
+
211
+ # Verify the parent commit exists (first commit in repo has no parent)
212
+ if ! git rev-parse "${DIFF_BASE}" >/dev/null 2>&1; then
213
+ DIFF_BASE=$(echo "$PHASE_COMMITS" | tail -1)
214
+ fi
215
+
216
+ # Run git diff with specific exclusions (per D-03)
217
+ DIFF_FILES=$(git diff --name-only "${DIFF_BASE}..HEAD" -- . \
218
+ ':!.planning/' ':!ROADMAP.md' ':!STATE.md' \
219
+ ':!*-SUMMARY.md' ':!*-VERIFICATION.md' ':!*-PLAN.md' \
220
+ ':!package-lock.json' ':!yarn.lock' ':!Gemfile.lock' ':!poetry.lock' 2>/dev/null)
221
+
222
+ while IFS= read -r file; do
223
+ [ -n "$file" ] && REVIEW_FILES+=("$file")
224
+ done <<< "$DIFF_FILES"
225
+
226
+ echo "File scope: ${#REVIEW_FILES[@]} files from git diff (base: ${DIFF_BASE})"
227
+ else
228
+ # Fail closed — no reliable diff base found. Do not use arbitrary HEAD~N.
229
+ echo "Warning: No phase commits found for '${PADDED_PHASE}'. Cannot determine reliable diff scope."
230
+ echo "Use --files flag to specify files explicitly: /gsd-code-review ${PHASE_ARG} --files=file1,file2,..."
231
+ fi
232
+ fi
233
+ ```
234
+
235
+ **Post-processing (all tiers):**
236
+
237
+ 1. **Apply exclusions (per D-03):** Remove paths matching planning artifacts
238
+ ```bash
239
+ FILTERED_FILES=()
240
+ for file in "${REVIEW_FILES[@]}"; do
241
+ # Skip planning directory and specific artifacts
242
+ if [[ "$file" == .planning/* ]] || \
243
+ [[ "$file" == ROADMAP.md ]] || \
244
+ [[ "$file" == STATE.md ]] || \
245
+ [[ "$file" == *-SUMMARY.md ]] || \
246
+ [[ "$file" == *-VERIFICATION.md ]] || \
247
+ [[ "$file" == *-PLAN.md ]]; then
248
+ continue
249
+ fi
250
+ FILTERED_FILES+=("$file")
251
+ done
252
+ REVIEW_FILES=("${FILTERED_FILES[@]}")
253
+ ```
254
+
255
+ 2. **Filter deleted files:** Remove paths that don't exist on disk
256
+ ```bash
257
+ EXISTING_FILES=()
258
+ DELETED_COUNT=0
259
+ for file in "${REVIEW_FILES[@]}"; do
260
+ if [ -f "$file" ]; then
261
+ EXISTING_FILES+=("$file")
262
+ else
263
+ DELETED_COUNT=$((DELETED_COUNT + 1))
264
+ fi
265
+ done
266
+ REVIEW_FILES=("${EXISTING_FILES[@]}")
267
+
268
+ if [ $DELETED_COUNT -gt 0 ]; then
269
+ echo "Filtered $DELETED_COUNT deleted files from review scope"
270
+ fi
271
+ ```
272
+
273
+ 3. **Deduplicate:** Remove duplicate paths (portable — bash 3.2+ compatible, handles spaces in paths)
274
+ ```bash
275
+ DEDUPED=()
276
+ while IFS= read -r line; do
277
+ [ -n "$line" ] && DEDUPED+=("$line")
278
+ done < <(printf '%s\n' "${REVIEW_FILES[@]}" | sort -u)
279
+ REVIEW_FILES=("${DEDUPED[@]}")
280
+ ```
281
+
282
+ 4. **Sort:** Alphabetical sort for reproducible agent input (already sorted by sort -u above)
283
+
284
+ **Log final scope and warn if large:**
285
+ ```bash
286
+ if [ -n "$FILES_OVERRIDE" ]; then
287
+ TIER="--files override"
288
+ elif [ -n "$SUMMARIES" ] && [ ${#REVIEW_FILES[@]} -gt 0 ]; then
289
+ TIER="SUMMARY.md"
290
+ else
291
+ TIER="git diff"
292
+ fi
293
+ echo "File scope: ${#REVIEW_FILES[@]} files from ${TIER}"
294
+
295
+ # Warn if file count is very large — may exceed agent context or produce superficial review
296
+ if [ ${#REVIEW_FILES[@]} -gt 50 ]; then
297
+ echo "Warning: ${#REVIEW_FILES[@]} files is a large review scope."
298
+ echo "Consider using --files to narrow scope, or --depth=quick for a faster pass."
299
+ if [ "$REVIEW_DEPTH" = "deep" ]; then
300
+ echo "Switching from deep to standard depth for large file count."
301
+ REVIEW_DEPTH="standard"
302
+ fi
303
+ fi
304
+ ```
305
+ </step>
306
+
307
+ <step name="check_empty_scope">
308
+ If REVIEW_FILES is empty:
309
+ ```
310
+ No source files changed in phase ${PHASE_ARG}. Skipping review.
311
+ ```
312
+ Exit workflow. Do NOT spawn agent or create REVIEW.md.
313
+ </step>
314
+
315
+ <step name="spawn_reviewer">
316
+ Compute the review output path:
317
+ ```bash
318
+ REVIEW_PATH="${PHASE_DIR}/${PADDED_PHASE}-REVIEW.md"
319
+ ```
320
+
321
+ Compute DIFF_BASE for agent context (in case agent needs it):
322
+ ```bash
323
+ PHASE_COMMITS=$(git log --oneline --all --grep="${PADDED_PHASE}" --format="%H" 2>/dev/null)
324
+ if [ -n "$PHASE_COMMITS" ]; then
325
+ DIFF_BASE=$(echo "$PHASE_COMMITS" | tail -1)^
326
+ else
327
+ DIFF_BASE=""
328
+ fi
329
+ ```
330
+
331
+ Build files_to_read block for agent:
332
+ ```bash
333
+ FILES_TO_READ=""
334
+ for file in "${REVIEW_FILES[@]}"; do
335
+ FILES_TO_READ+="- ${file}\n"
336
+ done
337
+ ```
338
+
339
+ Build config block for agent:
340
+ ```bash
341
+ CONFIG_FILES=""
342
+ for file in "${REVIEW_FILES[@]}"; do
343
+ CONFIG_FILES+=" - ${file}\n"
344
+ done
345
+ ```
346
+
347
+ Spawn the gsd-code-reviewer agent:
348
+
349
+ ```
350
+ Task(subagent_type="gsd-code-reviewer", prompt="
351
+ <files_to_read>
352
+ ${FILES_TO_READ}
353
+ </files_to_read>
354
+
355
+ <config>
356
+ depth: ${REVIEW_DEPTH}
357
+ phase_dir: ${PHASE_DIR}
358
+ review_path: ${REVIEW_PATH}
359
+ ${DIFF_BASE:+diff_base: ${DIFF_BASE}}
360
+ files:
361
+ ${CONFIG_FILES}
362
+ </config>
363
+
364
+ Review the listed source files at ${REVIEW_DEPTH} depth. Write findings to ${REVIEW_PATH}.
365
+ Do NOT commit the output — the orchestrator handles that.
366
+ ")
367
+ ```
368
+
369
+ **Agent failure handling:**
370
+
371
+ If the Task() call fails (agent error, timeout, or exception):
372
+ ```
373
+ Error: Code review agent failed: ${error_message}
374
+
375
+ No REVIEW.md created. You can retry with /gsd-code-review ${PHASE_ARG} or check agent logs.
376
+ ```
377
+
378
+ Do NOT proceed to commit_review step. Do NOT create a partial or empty REVIEW.md. Exit workflow.
379
+ </step>
380
+
381
+ <step name="commit_review">
382
+ After agent completes successfully, verify REVIEW.md was created and has valid structure:
383
+
384
+ ```bash
385
+ if [ -f "${REVIEW_PATH}" ]; then
386
+ # Validate REVIEW.md has valid YAML frontmatter with status field
387
+ HAS_STATUS=$(REVIEW_PATH="${REVIEW_PATH}" node -e "
388
+ const fs = require('fs');
389
+ const content = fs.readFileSync(process.env.REVIEW_PATH, 'utf-8');
390
+ const match = content.match(/^---\n([\s\S]*?)\n---/);
391
+ if (match && /status:/.test(match[1])) { console.log('valid'); } else { console.log('invalid'); }
392
+ " 2>/dev/null)
393
+
394
+ if [ "$HAS_STATUS" = "valid" ]; then
395
+ echo "REVIEW.md created at ${REVIEW_PATH}"
396
+
397
+ if [ "$COMMIT_DOCS" = "true" ]; then
398
+ gsd-sdk query commit \
399
+ "docs(${PADDED_PHASE}): add code review report" \
400
+ --files "${REVIEW_PATH}"
401
+ fi
402
+ else
403
+ echo "Warning: REVIEW.md exists but has invalid or missing frontmatter (no status field)."
404
+ echo "Agent may have produced malformed output. Not committing. Review manually: ${REVIEW_PATH}"
405
+ fi
406
+ else
407
+ echo "Warning: Agent completed but REVIEW.md not found at ${REVIEW_PATH}. This may indicate an agent issue."
408
+ echo "No REVIEW.md to commit. Please retry with /gsd-code-review ${PHASE_ARG}"
409
+ fi
410
+ ```
411
+ </step>
412
+
413
+ <step name="present_results">
414
+ Read the REVIEW.md YAML frontmatter to extract finding counts.
415
+
416
+ Extract frontmatter between `---` delimiters first to avoid matching values in the review body:
417
+
418
+ ```bash
419
+ # Extract only the YAML frontmatter block (between first two --- lines)
420
+ FRONTMATTER=$(REVIEW_PATH="${REVIEW_PATH}" node -e "
421
+ const fs = require('fs');
422
+ const content = fs.readFileSync(process.env.REVIEW_PATH, 'utf-8');
423
+ const match = content.match(/^---\n([\s\S]*?)\n---/);
424
+ if (match) process.stdout.write(match[1]);
425
+ " 2>/dev/null)
426
+
427
+ # Parse fields from frontmatter only (not full file)
428
+ STATUS=$(echo "$FRONTMATTER" | grep "^status:" | cut -d: -f2 | xargs)
429
+ FILES_REVIEWED=$(echo "$FRONTMATTER" | grep "^files_reviewed:" | cut -d: -f2 | xargs)
430
+ CRITICAL=$(echo "$FRONTMATTER" | grep "critical:" | head -1 | cut -d: -f2 | xargs)
431
+ WARNING=$(echo "$FRONTMATTER" | grep "warning:" | head -1 | cut -d: -f2 | xargs)
432
+ INFO=$(echo "$FRONTMATTER" | grep "info:" | head -1 | cut -d: -f2 | xargs)
433
+ TOTAL=$(echo "$FRONTMATTER" | grep "total:" | head -1 | cut -d: -f2 | xargs)
434
+ ```
435
+
436
+ Display inline summary to user:
437
+
438
+ ```
439
+ ═══════════════════════════════════════════════════════════════
440
+
441
+ Code Review Complete: Phase ${PHASE_NUMBER} (${PHASE_NAME})
442
+
443
+ ───────────────────────────────────────────────────────────────
444
+
445
+ Depth: ${REVIEW_DEPTH}
446
+ Files Reviewed: ${FILES_REVIEWED}
447
+
448
+ Findings:
449
+ Critical: ${CRITICAL}
450
+ Warning: ${WARNING}
451
+ Info: ${INFO}
452
+ ──────────
453
+ Total: ${TOTAL}
454
+
455
+ ───────────────────────────────────────────────────────────────
456
+ ```
457
+
458
+ If status is "clean":
459
+ ```
460
+ ✓ No issues found. All ${FILES_REVIEWED} files pass review at ${REVIEW_DEPTH} depth.
461
+
462
+ Full report: ${REVIEW_PATH}
463
+ ```
464
+
465
+ If total findings > 0:
466
+ ```
467
+ ⚠ Issues found. Review the report for details.
468
+
469
+ Full report: ${REVIEW_PATH}
470
+
471
+ Next steps:
472
+ /gsd-code-review-fix ${PHASE_NUMBER} — Auto-fix issues
473
+ cat ${REVIEW_PATH} — View full report
474
+ ```
475
+
476
+ If critical > 0 or warning > 0, list top 3 issues inline:
477
+ ```bash
478
+ echo "Top issues:"
479
+ grep -A 3 "^### CR-\|^### WR-" "${REVIEW_PATH}" | head -n 12
480
+ ```
481
+
482
+ **Note on tests:** Automated tests for this command and workflow are planned for Phase 4 (Pipeline Integration & Testing, requirement INFR-03). Phase 2 focuses on correct implementation; Phase 4 adds regression coverage across platforms.
483
+
484
+ ═══════════════════════════════════════════════════════════════
485
+ </step>
486
+
487
+ </process>
488
+
489
+ <platform_notes>
490
+ **Windows:** This workflow uses bash features (arrays, process substitution). On Windows, it requires
491
+ Git Bash or WSL. Native PowerShell is not supported. The CI matrix (Ubuntu/macOS/Windows)
492
+ runs under Git Bash on Windows runners, which provides bash compatibility.
493
+
494
+ **macOS:** macOS ships with bash 3.2 (GPL licensing). This workflow does NOT use `mapfile` (bash 4+
495
+ only) — all array construction uses portable `while IFS= read -r` loops compatible with bash 3.2.
496
+ The `--files` path validation uses `realpath -m` which requires GNU coreutils (install via
497
+ `brew install coreutils`). Without coreutils, the path guard falls back to fail-closed behavior
498
+ (rejects paths it cannot verify), so security is maintained but valid relative paths may be rejected.
499
+ If `--files` validation fails unexpectedly on macOS, install coreutils or use absolute paths.
500
+ </platform_notes>
501
+
502
+ <success_criteria>
503
+ - [ ] Phase validated before config gate check
504
+ - [ ] Config gate checked (workflow.code_review)
505
+ - [ ] Depth resolved with validation (quick|standard|deep)
506
+ - [ ] File scope computed with 3 tiers: --files > SUMMARY.md > git diff
507
+ - [ ] Malformed/missing SUMMARY.md handled gracefully with fallback
508
+ - [ ] Deleted files filtered from scope
509
+ - [ ] Files deduplicated and sorted
510
+ - [ ] Empty scope results in skip (no agent spawn)
511
+ - [ ] Agent spawned with explicit file list, depth, review_path, diff_base
512
+ - [ ] Agent failure handled without partial commits
513
+ - [ ] REVIEW.md committed if created
514
+ - [ ] Results presented inline with next step suggestion
515
+ </success_criteria>