npm - mstro-app - Versions diffs - 0.4.29 → 0.4.33 - Mend

mstro-app 0.4.29 → 0.4.33

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (105) hide show

package/server/services/websocket/git-handlers.ts CHANGED Viewed

@@ -1,6 +1,8 @@
 // Copyright (c) 2025-present Mstro, Inc. All rights reserved.
 // Licensed under the MIT License. See LICENSE file for details.
+import { resolve, sep } from 'node:path';
+import { loadSkillPrompt } from '../plan/agent-loader.js';
 import { handleGitCheckout, handleGitCreateBranch, handleGitDeleteBranch, handleGitListBranches } from './git-branch-handlers.js';
 import { handleGitCommitDiff, handleGitDiff, handleGitShowCommit } from './git-diff-handlers.js';
 import { handleGitDiscoverRepos, handleGitLog, handleGitSetDirectory } from './git-log-handlers.js';
@@ -119,6 +121,16 @@ async function handleGitStage(ctx: HandlerContext, ws: WSContext, msg: WebSocket
     return;
   }
+  if (!stageAll && paths) {
+    // Reject any requested path that resolves outside the working directory.
+    // A bare startsWith(root) comparison would also accept sibling directories
+    // that merely share the root's prefix (e.g. "/repo-evil" for root "/repo"),
+    // so compare against the root followed by a path separator instead.
+    const resolvedRoot = resolve(workingDir);
+    const rootPrefix = resolvedRoot.endsWith(sep) ? resolvedRoot : `${resolvedRoot}${sep}`;
+    for (const p of paths) {
+      const resolvedPath = resolve(workingDir, p);
+      // The root itself (e.g. ".") is allowed; everything else must live under it.
+      if (resolvedPath !== resolvedRoot && !resolvedPath.startsWith(rootPrefix)) {
+        ctx.send(ws, { type: 'gitError', tabId, data: { error: `Path traversal not allowed: ${p}` } });
+        return;
+      }
+    }
+  }
   try {
     const args = stageAll ? ['add', '-A'] : ['add', '--', ...paths!];
     const result = await executeGitCommand(args, workingDir);
@@ -153,12 +165,18 @@ async function handleGitUnstage(ctx: HandlerContext, ws: WSContext, msg: WebSock
   }
 }
+const MAX_COMMIT_MESSAGE_LENGTH = 10_000;
 async function handleGitCommit(ctx: HandlerContext, ws: WSContext, msg: WebSocketMessage, tabId: string, workingDir: string): Promise<void> {
   const message = msg.data?.message as string | undefined;
   if (!message) {
     ctx.send(ws, { type: 'gitError', tabId, data: { error: 'Commit message is required' } });
     return;
   }
+  if (message.length > MAX_COMMIT_MESSAGE_LENGTH) {
+    ctx.send(ws, { type: 'gitError', tabId, data: { error: `Commit message too long (${message.length} chars, max ${MAX_COMMIT_MESSAGE_LENGTH})` } });
+    return;
+  }
   try {
     const result = await executeGitCommand(['commit', '-m', message], workingDir);
@@ -195,25 +213,12 @@ async function handleGitCommitWithAI(ctx: HandlerContext, ws: WSContext, msg: We
     const diffResult = await executeGitCommand(['diff', '--cached'], workingDir);
     const logResult = await executeGitCommand(['log', '--oneline', '-5'], workingDir);
-    const prompt = `You are generating a git commit message for the following staged changes.
-RECENT COMMIT MESSAGES (for style reference):
-${logResult.stdout.trim() || 'No recent commits'}
-STAGED FILES:
-${staged.map(f => `${f.status} ${f.path}`).join('\n')}
-DIFF OF STAGED CHANGES:
-${truncateDiff(diffResult.stdout)}
-Generate a commit message following these rules:
-1. First line: imperative mood, max 72 characters (e.g., "Add user authentication", "Fix memory leak in parser")
-2. If the changes are complex, add a blank line then bullet points explaining the key changes
-3. Focus on the "why" not just the "what"
-4. Match the style of recent commits if possible
-5. No emojis unless the repo already uses them
+    const recentCommits = logResult.stdout.trim() || 'No recent commits';
+    const stagedFiles = staged.map(f => `${f.status} ${f.path}`).join('\n');
+    const diff = truncateDiff(diffResult.stdout);
-Respond with ONLY the commit message, nothing else.`;
+    const prompt = loadSkillPrompt('commit-message', { recentCommits, stagedFiles, diff }, workingDir)
+      ?? `You are generating a git commit message for the following staged changes.\n\nRECENT COMMIT MESSAGES (for style reference):\n${recentCommits}\n\nSTAGED FILES:\n${stagedFiles}\n\nDIFF OF STAGED CHANGES:\n${diff}\n\nGenerate a commit message: imperative mood, max 72 characters, focus on "why". Respond with ONLY the commit message.`;
     const result = await spawnHaikuWithPrompt(
       prompt,

package/server/services/websocket/git-pr-handlers.ts CHANGED Viewed

@@ -1,6 +1,7 @@
 // Copyright (c) 2025-present Mstro, Inc. All rights reserved.
 // Licensed under the MIT License. See LICENSE file for details.
+import { loadSkillPrompt } from '../plan/agent-loader.js';
 import { getPrBaseBranch, setPrBaseBranch } from '../settings.js';
 import { detectGitProvider, executeGitCommand, spawnCheck, spawnHaikuWithPrompt, spawnWithOutput, stripCoauthorLines, truncateDiff } from './git-handlers.js';
 import type { HandlerContext } from './handler-context.js';
@@ -272,27 +273,11 @@ async function handleGitGeneratePRDescription(ctx: HandlerContext, ws: WSContext
     const diffResult = await executeGitCommand(['diff', `${compareRef}...HEAD`], workingDir);
     const statResult = await executeGitCommand(['diff', `${compareRef}...HEAD`, '--stat'], workingDir);
-    const prompt = `You are generating a pull request title and description for the following changes.
+    const filesChanged = statResult.exitCode === 0 ? statResult.stdout.trim() : '';
+    const diff = truncateDiff(diffResult.exitCode === 0 ? diffResult.stdout : '');
-COMMITS (${baseBranch}..HEAD):
-${commits}
-FILES CHANGED:
-${statResult.exitCode === 0 ? statResult.stdout.trim() : ''}
-DIFF:
-${truncateDiff(diffResult.exitCode === 0 ? diffResult.stdout : '')}
-Generate a pull request title and description following these rules:
-1. TITLE: First line must be the PR title — imperative mood, under 70 characters
-2. Leave a blank line after the title
-3. BODY: Write a concise description in markdown with:
-   - A "## Summary" section with 1-3 bullet points explaining what changed and why
-   - Optionally a "## Details" section if the changes are complex
-4. Focus on the "why" not just the "what"
-5. No emojis
-Respond with ONLY the title and description, nothing else.`;
+    const prompt = loadSkillPrompt('pr-description', { baseBranch, commits, filesChanged, diff }, workingDir)
+      ?? `You are generating a pull request title and description.\n\nCOMMITS (${baseBranch}..HEAD):\n${commits}\n\nFILES CHANGED:\n${filesChanged}\n\nDIFF:\n${diff}\n\nGenerate PR title (imperative, <70 chars) then body with ## Summary (1-3 bullets). No emojis. Respond with ONLY the title and description.`;
     const result = await spawnHaikuWithPrompt(
       prompt,

package/server/services/websocket/handler.ts CHANGED Viewed

@@ -25,6 +25,7 @@ import { handleQualityMessage } from './quality-handlers.js';
 import { handleHistoryMessage, handleSessionMessage, initializeTab, resumeHistoricalSession } from './session-handlers.js';
 import { SessionRegistry } from './session-registry.js';
 import { generateNotificationSummary, handleGetSettings, handleUpdateSettings } from './settings-handlers.js';
+import { handleListSkills } from './skill-handlers.js';
 import { handleCreateTab, handleGetActiveTabs, handleMarkTabViewed, handleRemoveTab, handleReorderTabs, handleSyncPromptText, handleSyncTabMeta } from './tab-handlers.js';
 import { cleanupTerminalSubscribers, handleTerminalMessage } from './terminal-handlers.js';
 import type { FrecencyData, WebSocketMessage, WebSocketResponse, WSContext } from './types.js';
@@ -53,6 +54,9 @@ export class WebSocketImproviseHandler implements HandlerContext {
   }
   getRegistry(workingDir: string): SessionRegistry {
+    if (!this.sessionRegistry && workingDir) {
+      this.sessionRegistry = new SessionRegistry(workingDir);
+    }
     if (!this.sessionRegistry) {
       this.sessionRegistry = new SessionRegistry(workingDir);
     }
@@ -87,9 +91,16 @@ export class WebSocketImproviseHandler implements HandlerContext {
     }
   }
+  // Handle of the pending frecency save, or null when no save is scheduled.
+  // recordFileSelection only schedules a new save while this is null, and the
+  // timer callback resets it to null before calling saveFrecencyData(), so at
+  // most one save is pending at any time.
+  private frecencySaveTimer: ReturnType<typeof setTimeout> | null = null;
   recordFileSelection(filePath: string): void {
     this.autocompleteService.recordFileSelection(filePath);
-    this.saveFrecencyData();
+    if (!this.frecencySaveTimer) {
+      this.frecencySaveTimer = setTimeout(() => {
+        this.frecencySaveTimer = null;
+        this.saveFrecencyData();
+      }, 2000);
+    }
   }
   handleConnection(ws: WSContext, _workingDir: string): void {
@@ -175,6 +186,8 @@ export class WebSocketImproviseHandler implements HandlerContext {
         return handleGetSettings(this, ws);
       case 'updateSettings':
         return handleUpdateSettings(this, ws, msg);
+      case 'listSkills':
+        return handleListSkills(this, ws, workingDir);
     }
     // Dispatch table lookup for domain handlers
@@ -222,28 +235,14 @@ export class WebSocketImproviseHandler implements HandlerContext {
   }
   handleClose(ws: WSContext): void {
-    // Destroy sessions owned by this connection to free interval timers
     const tabMap = this.connections.get(ws);
     if (tabMap) {
-      const sessionIds = new Set(tabMap.values());
-      for (const sessionId of sessionIds) {
-        const session = this.sessions.get(sessionId);
-        if (session) {
-          session.destroy();
-          this.sessions.delete(sessionId);
-        }
-      }
+      this.cleanupConnectionResources(tabMap);
     }
     this.connections.delete(ws);
     this.allConnections.delete(ws);
     cleanupTerminalSubscribers(this, ws);
-    // Kill any active search processes to prevent resource leaks
-    for (const [key, process] of this.activeSearches) {
-      try { process.kill(); } catch { /* ignore */ }
-      this.activeSearches.delete(key);
-    }
     // Clean up file upload handler when no connections remain
     if (this.allConnections.size === 0 && this.fileUploadHandler) {
       this.fileUploadHandler.destroy();
@@ -251,6 +250,26 @@ export class WebSocketImproviseHandler implements HandlerContext {
     }
   }
+  /**
+   * Release the resources tied to one connection's tabs.
+   *
+   * @param tabMap - the connection's map; its keys are used as tab ids and its
+   *   values as session ids.
+   */
+  private cleanupConnectionResources(tabMap: Map<string, string>): void {
+    // Several tabs may map to the same session id; de-duplicate before destroying.
+    const ownedSessionIds = new Set(tabMap.values());
+    ownedSessionIds.forEach((id) => {
+      const owned = this.sessions.get(id);
+      if (!owned) return;
+      owned.destroy();
+      this.sessions.delete(id);
+    });
+    // Only searches registered under this connection's tab ids are stopped.
+    for (const tabId of tabMap.keys()) {
+      const running = this.activeSearches.get(tabId);
+      if (!running) continue;
+      try {
+        running.kill();
+      } catch {
+        /* ignore */
+      }
+      this.activeSearches.delete(tabId);
+    }
+  }
   send(ws: WSContext, response: WebSocketResponse): void {
     try {
       ws.send(JSON.stringify(response));

package/server/services/websocket/handlers/deploy-handlers.ts CHANGED Viewed

@@ -111,6 +111,35 @@ function sendChunkedResponse(
   }
 }
+/**
+ * Validate the incoming deploy HTTP request data.
+ *
+ * @param data - the request payload taken from the WebSocket message.
+ * @returns `null` when every check passes; otherwise the HTTP status and body
+ *   text to send back as the error response.
+ */
+function validateDeployRequest(
+  data: DeployHttpRequestData,
+): { status: number; body: string } | null {
+  const hasRequiredFields = Boolean(data?.requestId && data?.method && data?.url && data?.port);
+  if (!hasRequiredFields) {
+    return { status: 400, body: 'Bad Request: missing required fields (requestId, method, url, port)' };
+  }
+
+  // Both remaining checks apply only when headers were supplied.
+  const { headers } = data;
+  if (!headers) return null;
+
+  if (containsHeaderInjection(headers)) {
+    return { status: 400, body: 'Bad Request: headers contain null bytes or CRLF injection' };
+  }
+  if (calculateHeaderSize(headers) > MAX_HEADER_SIZE_BYTES) {
+    return { status: 431, body: 'Request Header Fields Too Large: total headers exceed 16KB' };
+  }
+  return null;
+}
+/**
+ * Map a failure thrown by the proxied fetch to an HTTP status and body text.
+ *
+ * An `Error` named `AbortError` becomes 504; an error recognised by
+ * `isConnectionRefused` becomes 502 with a "not running" message; anything
+ * else (including non-Error values) becomes a plain 502.
+ */
+function classifyFetchError(error: unknown): { status: number; body: string } {
+  const generic = { status: 502, body: 'Bad Gateway' };
+  if (!(error instanceof Error)) return generic;
+  if (error.name === 'AbortError') return { status: 504, body: 'Gateway Timeout' };
+  return isConnectionRefused(error)
+    ? { status: 502, body: 'Bad Gateway: target server is not running' }
+    : generic;
+}
 export async function handleDeployHttpRequest(
   ctx: HandlerContext,
   ws: WSContext,
@@ -118,34 +147,13 @@ export async function handleDeployHttpRequest(
 ): Promise<void> {
   const data = msg.data as DeployHttpRequestData;
-  if (!data?.requestId || !data?.method || !data?.url || !data?.port) {
+  const validationError = validateDeployRequest(data);
+  if (validationError) {
     sendDeployHttpResponse(ctx, ws, {
       requestId: data?.requestId || 'unknown',
-      status: 400,
-      headers: {},
-      body: 'Bad Request: missing required fields (requestId, method, url, port)',
-    });
-    return;
-  }
-  // Reject headers with null bytes or CRLF injection
-  if (data.headers && containsHeaderInjection(data.headers)) {
-    sendDeployHttpResponse(ctx, ws, {
-      requestId: data.requestId,
-      status: 400,
-      headers: {},
-      body: 'Bad Request: headers contain null bytes or CRLF injection',
-    });
-    return;
-  }
-  // Enforce header size limit
-  if (data.headers && calculateHeaderSize(data.headers) > MAX_HEADER_SIZE_BYTES) {
-    sendDeployHttpResponse(ctx, ws, {
-      requestId: data.requestId,
-      status: 431,
+      status: validationError.status,
       headers: {},
-      body: 'Request Header Fields Too Large: total headers exceed 16KB',
+      body: validationError.body,
     });
     return;
   }
@@ -201,18 +209,7 @@ export async function handleDeployHttpRequest(
       body: bodyBuffer.toString('utf-8'),
     });
   } catch (error: unknown) {
-    let status = 502;
-    let body = 'Bad Gateway';
-    if (error instanceof Error) {
-      if (error.name === 'AbortError') {
-        status = 504;
-        body = 'Gateway Timeout';
-      } else if (isConnectionRefused(error)) {
-        status = 502;
-        body = 'Bad Gateway: target server is not running';
-      }
-    }
+    const { status, body } = classifyFetchError(error);
     sendDeployHttpResponse(ctx, ws, {
       requestId: data.requestId,

package/server/services/websocket/plan-board-handlers.ts CHANGED Viewed

@@ -97,6 +97,40 @@ paused: false
   }
 }
+/**
+ * Rewrite front-matter fields of the board.md file in place.
+ *
+ * Each key in `fields` is converted from camelCase to snake_case before being
+ * passed to `replaceFrontMatterField`; each value goes through `formatYamlValue`.
+ *
+ * @param boardMdPath - path of the board.md file to read and overwrite.
+ * @param fields - field names and their new values.
+ */
+function applyBoardFieldUpdates(
+  boardMdPath: string,
+  fields: Record<string, unknown>,
+): void {
+  const original = readFileSync(boardMdPath, 'utf-8');
+  const updated = Object.entries(fields).reduce((acc, [key, value]) => {
+    const yamlKey = key.replace(/([A-Z])/g, '_$1').toLowerCase();
+    return replaceFrontMatterField(acc, yamlKey, formatYamlValue(value));
+  }, original);
+  writeFileSync(boardMdPath, updated, 'utf-8');
+}
+/**
+ * Keep the board's `agents/review-custom.md` file in step with `reviewCriteria`.
+ *
+ * Does nothing unless `fields` has a `reviewCriteria` key. A non-blank value
+ * writes the agent file (creating the agents directory if needed); a blank or
+ * nullish value removes an existing agent file, ignoring removal errors.
+ *
+ * @param fields - the updated board fields.
+ * @param pmDir - directory that contains the `boards` folder.
+ * @param boardId - id of the board, used as its directory name.
+ */
+function syncReviewCriteriaAgent(
+  fields: Record<string, unknown>,
+  pmDir: string,
+  boardId: string,
+): void {
+  if (!('reviewCriteria' in fields)) return;
+
+  const boardDir = join(pmDir, 'boards', boardId);
+  const agentsDir = join(boardDir, 'agents');
+  const agentPath = join(agentsDir, 'review-custom.md');
+  const criteria = String(fields.reviewCriteria ?? '').trim();
+
+  if (criteria.length === 0) {
+    // Criteria cleared: drop the generated agent file if one is present.
+    if (existsSync(agentPath)) {
+      try {
+        unlinkSync(agentPath);
+      } catch {
+        /* non-fatal */
+      }
+    }
+    return;
+  }
+
+  if (!existsSync(agentsDir)) mkdirSync(agentsDir, { recursive: true });
+  writeFileSync(agentPath, buildBoardReviewAgent(criteria), 'utf-8');
+}
 export function handleUpdateBoard(
   ctx: HandlerContext, ws: WSContext, msg: WebSocketMessage,
   workingDir: string, permission?: 'view',
@@ -118,30 +152,11 @@ export function handleUpdateBoard(
     return;
   }
-  let content = readFileSync(boardMdPath, 'utf-8');
-  for (const [key, value] of Object.entries(fields as Record<string, unknown>)) {
-    const yamlKey = key.replace(/([A-Z])/g, '_$1').toLowerCase();
-    content = replaceFrontMatterField(content, yamlKey, formatYamlValue(value));
-  }
-  writeFileSync(boardMdPath, content, 'utf-8');
+  applyBoardFieldUpdates(boardMdPath, fields as Record<string, unknown>);
   // When review criteria are set, also write a board-level review agent file
   // so users can discover and edit the full prompt as markdown.
-  const typedFields = fields as Record<string, unknown>;
-  if ('reviewCriteria' in typedFields) {
-    const boardDir = join(pmDir, 'boards', boardId);
-    const agentsDir = join(boardDir, 'agents');
-    const agentPath = join(agentsDir, 'review-custom.md');
-    const criteriaValue = String(typedFields.reviewCriteria ?? '').trim();
-    if (criteriaValue) {
-      if (!existsSync(agentsDir)) mkdirSync(agentsDir, { recursive: true });
-      writeFileSync(agentPath, buildBoardReviewAgent(criteriaValue), 'utf-8');
-    } else if (existsSync(agentPath)) {
-      // Clear the agent file when criteria are removed
-      try { unlinkSync(agentPath); } catch { /* non-fatal */ }
-    }
-  }
+  syncReviewCriteriaAgent(fields as Record<string, unknown>, pmDir, boardId);
   const boardState = parseBoardDirectory(pmDir, boardId);
   if (boardState) {

package/server/services/websocket/quality-fix-agent.ts CHANGED Viewed

@@ -10,6 +10,7 @@
 import { runWithFileLogger } from '../../cli/headless/headless-logger.js';
 import { HeadlessRunner } from '../../cli/headless/index.js';
 import type { ToolUseEvent } from '../../cli/headless/types.js';
+import { loadSkillPrompt } from '../plan/agent-loader.js';
 import type { HandlerContext } from './handler-context.js';
 import type { QualityPersistence } from './quality-persistence.js';
 import { detectTools, runQualityScan } from './quality-service.js';
@@ -58,7 +59,7 @@ export function createToolProgressCallback(ctx: HandlerContext, ws: WSContext, r
 // ── Prompt ────────────────────────────────────────────────────
-function buildFixPrompt(findings: FindingForFix[], section?: string): string {
+function buildFixPrompt(findings: FindingForFix[], section?: string, workingDir?: string): string {
   const filtered = section ? findings.filter((f) => f.category === section) : findings;
   const sorted = filtered.sort((a, b) => {
     const order: Record<string, number> = { critical: 0, high: 1, medium: 2, low: 3 };
@@ -73,22 +74,14 @@ function buildFixPrompt(findings: FindingForFix[], section?: string): string {
     return parts.join('\n');
   }).join('\n\n');
-  return `You are a code quality fix agent. Fix the following quality issues in the codebase.
+  const fromSkill = loadSkillPrompt('fix-quality', {
+    issueList,
+    issueCount: String(sorted.length),
+    showCount: String(Math.min(30, sorted.length)),
+  }, workingDir);
+  if (fromSkill) return fromSkill;
-## Issues to Fix (${sorted.length} total, showing top ${Math.min(30, sorted.length)})
-${issueList}
-## Rules
-- Fix each issue by editing the relevant file at the specified location.
-- For complexity issues: refactor into smaller functions. For long files: split or extract modules. For long functions: break into smaller functions.
-- For security issues: apply the suggested fix or use secure coding best practices.
-- For bugs: fix the root cause, not just the symptom.
-- For linting/formatting: apply the standard for the project.
-- Do NOT introduce new issues. Make minimal, focused changes.
-- After fixing, verify the changes compile/pass linting if tools are available.
-- Work through the issues systematically from most to least severe.`;
+  return `You are a code quality fix agent. Fix the following quality issues in the codebase.\n\n## Issues to Fix (${sorted.length} total, showing top ${Math.min(30, sorted.length)})\n\n${issueList}\n\nFix each issue by editing the relevant file. Work from most to least severe. Do NOT introduce new issues.`;
 }
 // ── Handler ───────────────────────────────────────────────────
@@ -128,7 +121,7 @@ export async function handleFixIssues(
       data: { path: reportPath, message: 'Starting Claude Code to fix issues...' },
     });
-    const prompt = buildFixPrompt(findings, section);
+    const prompt = buildFixPrompt(findings, section, workingDir);
     const runner = new HeadlessRunner({
       workingDir: dirPath,

package/server/services/websocket/quality-review-agent.ts CHANGED Viewed

@@ -12,6 +12,7 @@ import { isAbsolute, join } from 'node:path';
 import { runWithFileLogger } from '../../cli/headless/headless-logger.js';
 import { HeadlessRunner } from '../../cli/headless/index.js';
 import type { ToolUseEvent } from '../../cli/headless/types.js';
+import { loadSkillPrompt } from '../plan/agent-loader.js';
 import type { HandlerContext } from './handler-context.js';
 import type { QualityPersistence } from './quality-persistence.js';
 import { recomputeWithAiReview } from './quality-service.js';
@@ -39,106 +40,11 @@ export function buildCodeReviewPrompt(dirPath: string, cliFindings?: Array<{ sev
     ? `\n## CLI Tool Findings (already detected)\n\nThe following issues were found by automated CLI tools (linters, formatters, complexity analyzers). Review these for context — they are already included in the final report. Focus your analysis on DEEPER issues these tools cannot detect.\n\n${cliFindings.slice(0, 50).map((f, i) => `${i + 1}. [${f.severity.toUpperCase()}] ${f.category} — ${f.file}${f.line ? `:${f.line}` : ''} — ${f.title}: ${f.description}`).join('\n')}\n${cliFindings.length > 50 ? `\n...and ${cliFindings.length - 50} more issues from CLI tools.\n` : ''}`
     : '';
-  return `You are a senior staff engineer performing a rigorous, honest code review. Your job is to surface the most impactful quality bottlenecks — the issues a principal engineer would flag in a code review. Be critical and objective. Do NOT inflate scores.
-IMPORTANT: Your current working directory is "${dirPath}". Only review files within this directory.
-${cliFindingsSection}
-## Review Process
-1. **Discover**: Use Glob to find source files (e.g. "**/*.{ts,tsx,js,py,rs,go,java,rb,php}"). Understand the project structure.
-2. **Read**: Read the most important files — entry points, core modules, handlers, services. Prioritize files with recent git changes (\`git diff --name-only HEAD~5\` via Bash if available).
-3. **Analyze**: Look for real, actionable issues across ALL of these categories:
-   ### Architecture
-   - What is the current architecture (monolith, microservices, layered, etc.)?
-   - Are there architectural violations? (e.g., presentation layer directly accessing data layer, circular dependencies between modules)
-   - Is there proper separation of concerns?
-   - Are there god objects or god modules that do too much?
-   ### SOLID / OOP Principles
-   - **SRP**: Classes/modules with multiple unrelated responsibilities
-   - **OCP**: Code that requires modification instead of extension for new features
-   - **LSP**: Subtypes that don't properly substitute for their base types
-   - **ISP**: Interfaces/contracts that force implementations to depend on methods they don't use
-   - **DIP**: High-level modules directly depending on low-level modules instead of abstractions
-   ### Security
-   - Injection vulnerabilities (SQL, XSS, command), hardcoded secrets/credentials, auth bypasses, insecure crypto, path traversal, SSRF, unsafe deserialization
-   ### Bugs & Logic
-   - Null/undefined errors, race conditions, logic errors, unhandled edge cases, off-by-one errors, resource leaks, incorrect error handling, incorrect algorithms
-   ### Performance
-   - N+1 queries, unnecessary re-renders, missing memoization, blocking I/O in hot paths, unbounded data structures, missing pagination
-## CRITICAL — Structured Evidence Requirement
-For EACH finding, you MUST provide structured evidence that grounds the finding in actual code. This is required to prevent false positives.
-For each finding, use this reasoning process:
-1. **PREMISE**: State the observable fact from the code. Quote the exact code you see.
-2. **CONTEXT**: What is the surrounding code doing? Are there guards, fixes, or patterns elsewhere that might handle this?
-3. **COUNTER-CHECK**: Actively look for evidence that CONTRADICTS your finding. Check for:
-   - Guards or validation earlier in the call chain
-   - Error handling wrapping the code
-   - Configuration that changes behavior (e.g., NODE_ENV checks)
-   - Comments explaining intentional design choices
-4. **CONCLUSION**: Only report the finding if you could not find contradicting evidence.
-### Common False Positive Patterns to AVOID
-- Claiming a function uses API X when it actually uses API Y (e.g., claiming Math.random() when code uses crypto.randomInt()) — ALWAYS quote the actual function call
-- Claiming a header/value is leaked when code already deletes/filters it — READ the full function
-- Claiming there's no guard when a condition check exists nearby — READ surrounding lines
-- Claiming N fields/methods when the actual count differs — COUNT explicitly
-- Claiming a resource leaks when cleanup exists in a different handler — SEARCH for the cleanup code
-## Rules
-- Only report findings you are >90% confident about after completing the counter-check step.
-- Focus on architecture, SOLID violations, bugs, and security over style nits.
-- Each finding MUST reference a specific file and line number. Do not report vague or file-level issues.
-- Each finding MUST include an "evidence" field with the exact code snippet (1-5 lines) proving the issue exists.
-- Limit to the 25 most important findings, ranked by severity.
-- Do NOT modify any files. This is a read-only review.
-- Be HONEST about the overall quality. A codebase with serious issues should score low.
-## Scoring Guidelines
-After your analysis, provide an honest overall quality score (0-100) and letter grade:
-- **A (90-100)**: Excellent — clean architecture, minimal issues, well-tested, follows best practices
-- **B (80-89)**: Good — solid code with minor issues, mostly well-structured
-- **C (70-79)**: Adequate — functional but has notable quality issues that should be addressed
-- **D (60-69)**: Below average — significant issues in architecture, testing, or code quality
-- **F (0-59)**: Poor — serious problems: security vulnerabilities, broken architecture, major bugs, or unmaintainable code
-Consider ALL findings (both CLI tool findings and your own) when determining the score. The score should reflect the overall state of the codebase honestly. A project with 50+ linting errors, formatting issues, complex functions, AND architectural problems should NOT score above 70.
-## Output
-After your analysis, output EXACTLY one JSON code block with your findings. No other text after the JSON block.
-\`\`\`json
-{
-  "score": 72,
-  "grade": "C",
-  "scoreRationale": "Brief explanation of why this score was given, referencing key issues",
-  "findings": [
-    {
-      "severity": "critical|high|medium|low",
-      "category": "architecture|oop|security|bugs|performance|logic",
-      "file": "relative/path/to/file.ts",
-      "line": 42,
-      "title": "Short title describing the issue",
-      "description": "What the problem is and why it matters.",
-      "suggestion": "How to fix it.",
-      "evidence": "const token = Math.random().toString(36) // exact code from file proving the issue"
-    }
-  ],
-  "summary": "Brief 1-2 sentence summary of overall code quality."
-}
-\`\`\``;
+  const fromSkill = loadSkillPrompt('code-review', { dirPath, cliFindingsSection }, dirPath);
+  if (fromSkill) return fromSkill;
+  // Inline fallback when Skill file is not available (e.g., standalone CLI install)
+  return `You are a senior staff engineer performing a rigorous code review.\n\nIMPORTANT: Your current working directory is "${dirPath}". Only review files within this directory.\n${cliFindingsSection}\nDiscover source files with Glob, read important files, analyze for architecture, SOLID, security, bugs, and performance issues. Each finding needs file, line, evidence. Output one JSON code block with score, grade, findings array, and summary.`;
 }
 // ── Response parsing ──────────────────────────────────────────
@@ -343,7 +249,7 @@ export function buildVerificationPrompt(
   dirPath: string,
   findings: CodeReviewFinding[],
 ): string {
-  const findingsJson = findings.map((f, i) => ({
+  const findingsJson = JSON.stringify(findings.map((f, i) => ({
     id: i + 1,
     severity: f.severity,
     category: f.category,
@@ -352,56 +258,13 @@ export function buildVerificationPrompt(
     title: f.title,
     description: f.description,
     evidence: f.evidence || '(none provided)',
-  }));
-  return `You are an independent code review VERIFIER. A separate reviewer produced the findings below. Your job is to VERIFY each finding against the actual code. You are a skeptic — do NOT trust the original reviewer's claims.
-IMPORTANT: Your current working directory is "${dirPath}". Only read files within this directory.
-## Findings to Verify
-${JSON.stringify(findingsJson, null, 2)}
-## Verification Process
+  })), null, 2);
-For EACH finding:
+  const fromSkill = loadSkillPrompt('verify-review', { dirPath, findingsJson }, dirPath);
+  if (fromSkill) return fromSkill;
-1. **Read the cited file and line** using the Read tool. Read at least 20 lines around the cited line for context.
-2. **Check the specific claim** in the description. Does the code actually do what the finding claims?
-3. **Search for counter-evidence**:
-   - If the finding claims something is missing (no validation, no cleanup, no guard): search for it with Grep
-   - If the finding claims an API is used: verify the actual API call at that line
-   - If the finding claims a value is leaked/exposed: check if it's filtered/deleted elsewhere in the same function
-4. **Verdict**: Mark as "confirmed" or "rejected" with a brief explanation
-## Rules
-- You MUST actually Read each cited file. Do not rely on memory or assumptions.
-- Use Grep to search for patterns the finding claims exist (or don't exist).
-- A finding is "rejected" if:
-  - The code does NOT match what the description claims
-  - There IS a guard/fix that the finding claims is missing
-  - The line number doesn't contain the relevant code
-  - The finding is about a different version of the code than what exists now
-- A finding is "confirmed" if you can independently verify the issue exists in the current code.
-- Be thorough but efficient — focus verification effort on high/critical severity findings.
-## Output
-Output EXACTLY one JSON code block. No other text after the JSON block.
-\`\`\`json
-{
-  "verifications": [
-    {
-      "id": 1,
-      "verdict": "confirmed|rejected",
-      "confidence": 0.95,
-      "note": "Brief explanation of what you found when checking the code"
-    }
-  ]
-}
-\`\`\``;
+  // Inline fallback
+  return `You are an independent code review VERIFIER. Verify each finding below against actual code in "${dirPath}".\n\n## Findings to Verify\n\n${findingsJson}\n\nFor each finding: Read the cited file, check the claim, search for counter-evidence. Output one JSON code block with verifications array containing id, verdict (confirmed|rejected), confidence, and note.`;
 }
 interface VerificationVerdict {