nowaikit 2.5.3 → 3.0.0

package/dist/prompts/capabilities/review-code.js

@@ -0,0 +1,155 @@
+const capability = {
+    name: 'review-code',
+    title: 'Code Review',
+    description: 'Deep code review for ANY ServiceNow script — security, performance, best practices, and upgrade safety across ALL artifact types',
+    category: 'review',
+    arguments: [
+        {
+            name: 'artifact',
+            description: 'Paste code, provide a sys_id, or name a business rule/script include/client script/widget/flow action',
+            required: true,
+        },
+        {
+            name: 'focus',
+            description: 'Review focus: security, performance, best-practices, upgrade-safety, or all (default: all)',
+            required: false,
+        },
+    ],
+    recommendedTools: [
+        'get_business_rule',
+        'list_business_rules',
+        'get_script_include',
+        'list_script_includes',
+        'get_client_script',
+        'list_client_scripts',
+        'get_ui_policy',
+        'list_ui_policies',
+        'get_ui_action',
+        'list_ui_actions',
+        'list_acls',
+        'get_acl',
+        'query_records',
+        'get_table_schema',
+    ],
+    buildPrompt(args) {
+        const artifact = args?.artifact ?? 'Review my ServiceNow code';
+        const focus = args?.focus ?? 'all';
+        return [
+            {
+                role: 'assistant',
+                content: {
+                    type: 'text',
+                    text: [
+                        '# Code Review',
+                        '',
+                        'I am a **ServiceNow code review specialist**. I perform deep reviews of ANY script',
+                        'artifact type for security vulnerabilities, performance issues, best-practice violations,',
+                        'and upgrade-safety risks.',
+                        '',
+                        '## Supported Artifact Types',
+                        '',
+                        'I can review ALL of the following artifact types:',
+                        '',
+                        '| Artifact | Table |',
+                        '|----------|-------|',
+                        '| Business Rules | `sys_script` |',
+                        '| Script Includes | `sys_script_include` |',
+                        '| Client Scripts | `sys_script_client` |',
+                        '| Fix Scripts | `sys_script_fix` |',
+                        '| UI Policies (script actions) | `sys_ui_policy` |',
+                        '| UI Actions | `sys_ui_action` |',
+                        '| UI Pages | `sys_ui_page` |',
+                        '| UI Macros | `sys_ui_macro` |',
+                        '| Scheduled Jobs | `sysauto_script` |',
+                        '| MID Server Script Includes | `ecc_agent_script_include` |',
+                        '| Script Actions | `sysevent_script_action` |',
+                        '| Processors | `sys_processor` |',
+                        '| Transform Map Scripts | `sys_transform_script` |',
+                        '| Flow Actions / Subflow scripts | Flow Designer |',
+                        '| Service Portal Widgets | `sp_widget` (client controller, server script, CSS, HTML) |',
+                        '| Angular Providers | `sp_angular_provider` |',
+                        '| Catalog Client Scripts | `catalog_script_client` |',
+                        '| Scripted REST APIs | `sys_ws_operation` |',
+                        '| Email notification scripts | `sysevent_email_action` |',
+                        '| ACL scripts (advanced conditions) | `sys_security_acl` |',
+                        '',
+                        '## Review Dimensions',
+                        '',
+                        '### 1. Security',
+                        '- **Injection risks** — `eval()`, `GlideEvaluator` with untrusted input, SQL-like string concatenation in queries',
+                        '- **Authorization gaps** — missing `gs.hasRole()` checks, overly permissive ACLs',
+                        '- **Data exposure** — sensitive fields returned without filtering, missing field-level ACLs',
+                        '- **XSS** — unescaped output in UI scripts, Service Portal widgets, UI Pages',
+                        '- **CSRF** — REST endpoints without proper token validation',
+                        '- **Credential leakage** — hardcoded passwords, API keys, tokens',
+                        '',
+                        '### 2. Performance',
+                        '- **N+1 queries** — `GlideRecord` inside loops',
+                        '- **Unbounded queries** — missing `setLimit()`, no encoded query optimization',
+                        '- **Unnecessary loads** — loading full records when only `sys_id` is needed',
+                        '- **Synchronous bottlenecks** — heavy processing in before business rules',
+                        '- **DOM overhead** — excessive `g_form` calls in client scripts (should batch)',
+                        '- **Payload bloat** — Service Portal widgets returning unused data to client',
+                        '',
+                        '### 3. Best Practices',
+                        '- **Naming conventions** — consistent, descriptive names for variables and artifacts',
+                        '- **Error handling** — try/catch blocks, graceful failures, `gs.addErrorMessage()`',
+                        '- **Logging** — appropriate `gs.log()` / `gs.debug()` usage, no `gs.print()` in production',
+                        '- **Scoping** — proper use of `current` vs `previous`, variable scope, `var` vs `let`/`const`',
+                        '- **DRY** — duplicate logic that should be in a Script Include',
+                        '- **Abort-on-false** — business rules that modify `current` without checking `current.operation()`',
+                        '',
+                        '### 4. Upgrade Safety',
+                        '- **OOB modifications** — direct edits to out-of-box scripts (should use insert-and-stay)',
+                        '- **Deprecated APIs** — `Packages.java.*`, `GlideRecord.getDisplayValue()` without field name, `current.update()` in business rules',
+                        '- **Hardcoded sys_ids** — should use `gs.getProperty()`, system properties, or reference qualifiers',
+                        '- **Version-specific behavior** — code relying on platform version quirks',
+                        '- **Skipped list conflicts** — customizations that will collide with upgrades',
+                        '',
+                        `## Review Focus: **${focus}**`,
+                        '',
+                        focus === 'all'
+                            ? 'I will review across all dimensions: security, performance, best practices, and upgrade safety.'
+                            : `I will focus primarily on **${focus}**, but will flag critical issues in other areas.`,
+                        '',
+                        '## Output Format',
+                        '',
+                        'For each issue found, I will report:',
+                        '',
+                        '| Field | Description |',
+                        '|-------|-------------|',
+                        '| **Severity** | Critical / Warning / Info |',
+                        '| **Category** | Security, Performance, Best Practice, Upgrade Safety |',
+                        '| **Location** | Line number or section in the script |',
+                        '| **Issue** | What is wrong and why it matters |',
+                        '| **Fix** | How to fix it, with a concrete code example |',
+                        '',
+                        '## Tools I Use',
+                        '',
+                        '| Tool | Purpose |',
+                        '|------|---------|',
+                        '| `get_business_rule` / `list_business_rules` | Fetch business rules to review |',
+                        '| `get_script_include` / `list_script_includes` | Fetch script includes to review |',
+                        '| `get_client_script` / `list_client_scripts` | Fetch client scripts to review |',
+                        '| `get_ui_policy` / `list_ui_policies` | Fetch UI policies and script actions |',
+                        '| `get_ui_action` / `list_ui_actions` | Fetch UI actions to review |',
+                        '| `list_acls` / `get_acl` | Check ACL coverage and advanced scripts |',
+                        '| `query_records` | Fetch any other artifact type by table |',
+                        '| `get_table_schema` | Understand table structure for context |',
+                        '',
+                        'I will now review your artifact.',
+                    ].join('\n'),
+                },
+            },
+            {
+                role: 'user',
+                content: {
+                    type: 'text',
+                    text: artifact,
+                },
+            },
+        ];
+    },
+};
+export default capability;
+//# sourceMappingURL=review-code.js.map

package/dist/prompts/capabilities/review-code.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"review-code.js","sourceRoot":"","sources":["../../../src/prompts/capabilities/review-code.ts"],"names":[],"mappings":"AAEA,MAAM,UAAU,GAAyB;IACvC,IAAI,EAAE,aAAa;IACnB,KAAK,EAAE,aAAa;IACpB,WAAW,EACT,kIAAkI;IACpI,QAAQ,EAAE,QAAQ;IAClB,SAAS,EAAE;QACT;YACE,IAAI,EAAE,UAAU;YAChB,WAAW,EACT,uGAAuG;YACzG,QAAQ,EAAE,IAAI;SACf;QACD;YACE,IAAI,EAAE,OAAO;YACb,WAAW,EACT,4FAA4F;YAC9F,QAAQ,EAAE,KAAK;SAChB;KACF;IACD,gBAAgB,EAAE;QAChB,mBAAmB;QACnB,qBAAqB;QACrB,oBAAoB;QACpB,sBAAsB;QACtB,mBAAmB;QACnB,qBAAqB;QACrB,eAAe;QACf,kBAAkB;QAClB,eAAe;QACf,iBAAiB;QACjB,WAAW;QACX,SAAS;QACT,eAAe;QACf,kBAAkB;KACnB;IAED,WAAW,CAAC,IAAI;QACd,MAAM,QAAQ,GAAG,IAAI,EAAE,QAAQ,IAAI,2BAA2B,CAAC;QAC/D,MAAM,KAAK,GAAG,IAAI,EAAE,KAAK,IAAI,KAAK,CAAC;QAEnC,OAAO;YACL;gBACE,IAAI,EAAE,WAAoB;gBAC1B,OAAO,EAAE;oBACP,IAAI,EAAE,MAAe;oBACrB,IAAI,EAAE;wBACJ,eAAe;wBACf,EAAE;wBACF,oFAAoF;wBACpF,2FAA2F;wBAC3F,2BAA2B;wBAC3B,EAAE;wBACF,6BAA6B;wBAC7B,EAAE;wBACF,mDAAmD;wBACnD,EAAE;wBACF,sBAAsB;wBACtB,sBAAsB;wBACtB,mCAAmC;wBACnC,4CAA4C;wBAC5C,0CAA0C;wBAC1C,oCAAoC;wBACpC,oDAAoD;wBACpD,kCAAkC;wBAClC,8BAA8B;wBAC9B,gCAAgC;wBAChC,uCAAuC;wBACvC,6DAA6D;wBAC7D,+CAA+C;wBAC/C,kCAAkC;wBAClC,oDAAoD;wBACpD,oDAAoD;wBACpD,wFAAwF;wBACxF,+CAA+C;wBAC/C,sDAAsD;wBACtD,6CAA6C;wBAC7C,0DAA0D;wBAC1D,4DAA4D;wBAC5D,EAAE;wBACF,sBAAsB;wBACtB,EAAE;wBACF,iBAAiB;wBACjB,mHAAmH;wBACnH,kFAAkF;wBAClF,6FAA6F;wBAC7F,8EAA8E;wBAC9E,6DAA6D;wBAC7D,kEAAkE;wBAClE,EAAE;wBACF,oBAAoB;wBACpB,gDAAgD;wBAChD,+EAA+E;wBAC/E,6EAA6E;wBAC7E,2EAA2E;wBAC3E,gFAAgF;wBAChF,8EAA8E;wBAC9E,EAAE;wBACF,uBAAuB;wBACvB,sFAAsF;wBACtF,oFAAoF;wBACpF,4FAA4F;wBAC5F,+FAA+F;wBAC/F,gEAAgE;wBAChE,oGAAoG;wBACpG,EAAE;wBACF,uBAAuB;wBACvB,2FAA2F;wBAC3F,qIAAqI;wBACrI,qGAAqG;wBACrG,2EAA2E;wBAC3E,+EAA+E;wBAC/E,EAAE;wBACF,sBAAsB,KAAK,IAAI;wBAC/B,EAAE;wBACF,KAAK,KAAK,KAAK;4BACb,CAAC,CAAC,iGAAiG;4BACnG,CAAC,CAAC,+BAA+B,KAAK,mDAAmD;wBAC3F,EAAE;wBACF,kBAAkB;wBAClB,EAAE;wBACF,sCAAsC;wBACtC,EAAE;wBACF,yBAAyB;wBACzB,yBAAyB;wBACzB,8CAA8C;wBAC9C,yEAAyE;wBACzE,yDAAyD;wBACzD,kDAAkD;wBAClD,2DAA2D;wBAC3D,EAAE;wBACF,gBAAgB;wBAChB,EAAE;wBACF,oBAAoB;wBACpB,oBAAoB;wBACpB,kFAAkF;wBAClF,qFAAqF;wBACrF,kFAAkF;wBAClF,iFAAiF;wBACjF,sEAAsE;wBACtE,uEAAuE;wBACvE,8DAA8D;wBAC9D,iEAAiE;wBACjE,EAAE;wBACF,kCAAkC;qBACnC,CAAC,IAAI,CAAC,IAAI,CAAC;iBACb;aACF;YACD;gBACE,IAAI,EAAE,MAAe;gBACrB,OAAO,EAAE;oBACP,IAAI,EAAE,MAAe;oBACrB,IAAI,EAAE,QAAQ;iBACf;aACF;SACF,CAAC;IACJ,CAAC;CACF,CAAC;AAEF,eAAe,UAAU,CAAC"}

package/dist/prompts/capabilities/review-flows.d.ts

@@ -0,0 +1,4 @@
+import type { CapabilityDefinition } from '../types.js';
+declare const capability: CapabilityDefinition;
+export default capability;
+//# sourceMappingURL=review-flows.d.ts.map

package/dist/prompts/capabilities/review-flows.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"review-flows.d.ts","sourceRoot":"","sources":["../../../src/prompts/capabilities/review-flows.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AAExD,QAAA,MAAM,UAAU,EAAE,oBAwbjB,CAAC;AAEF,eAAe,UAAU,CAAC"}

package/dist/prompts/capabilities/review-flows.js

@@ -0,0 +1,413 @@
+const capability = {
+    name: 'review-flows',
+    title: 'Flow Designer Audit',
+    description: 'Flow audit — dead paths, missing error handlers, async issues, performance bottlenecks, best practices',
+    category: 'review',
+    arguments: [
+        {
+            name: 'scope',
+            description: 'Application scope to audit (e.g. "x_myapp"), or "all" for instance-wide. Default: all',
+            required: false,
+        },
+        {
+            name: 'focus',
+            description: 'Audit focus area: "errors", "performance", "security", or "all" (default)',
+            required: false,
+        },
+    ],
+    recommendedTools: [
+        'query_records',
+        'list_flows',
+        'get_flow',
+        'list_subflows',
+        'get_subflow',
+        'list_flow_executions',
+        'get_flow_execution',
+        'get_flow_error_log',
+    ],
+    buildPrompt(args) {
+        const scope = args?.scope ?? 'all';
+        const focus = args?.focus ?? 'all';
+        const scopeLabel = scope === 'all'
+            ? 'Instance-wide (all scopes)'
+            : `Application scope: \`${scope}\``;
+        const focusLabel = {
+            all: 'Full audit — errors, performance, security, best practices',
+            errors: 'Error handling and failure paths',
+            performance: 'Performance bottlenecks and resource consumption',
+            security: 'Security, role checks, and data exposure',
+        };
+        const focusDescription = focusLabel[focus] ?? `Custom focus: ${focus}`;
+        // ─── Section 1: Inventory ────────────────────────────────────────────────
+        const inventorySection = [
+            '## 1. Flow Inventory',
+            '',
+            'Use `list_flows`, `list_subflows`, and `query_records` to build a complete inventory:',
+            '',
+            '### Flows (sys_hub_flow)',
+            '- Count by status: active, inactive, draft',
+            '- Count by trigger type: record-based, schedule-based, application-based, inbound email, REST',
+            scope !== 'all'
+                ? `- Filter to scope \`${scope}\` — also note any global flows that affect tables in this scope`
+                : '- Group by application scope',
+            '- Identify flows with no trigger (manually invoked only)',
+            '- Identify flows created but never executed',
+            '',
+            '### Subflows (sys_hub_sub_flow)',
+            '- Count of subflows, grouped by scope',
+            '- Subflows that are never referenced by any parent flow (orphaned)',
+            '- Subflows used by 5+ parent flows (shared utilities — verify they are robust)',
+            '',
+            '### Legacy Workflows (wf_workflow)',
+            '- Count of active legacy workflows — flag for migration to Flow Designer',
+            '- Workflows with Run Script activities (security review needed)',
+            '',
+            '**Output:** Inventory table',
+            '| Name | Type | Scope | Trigger | Status | Last Executed | Execution Count |',
+            '|------|------|-------|---------|--------|---------------|-----------------|',
+        ];
+        // ─── Section 2: Error Handling ───────────────────────────────────────────
+        const errorSection = [
+            '## 2. Error Handling Audit',
+            '',
+            'Use `get_flow`, `get_subflow`, and `get_flow_error_log` to inspect each flow:',
+            '',
+            '### Missing Error Handlers',
+            '- Flows with **no Try/Catch blocks** — any action failure crashes the entire flow',
+            '- Flows where Try blocks exist but Catch blocks are empty (swallowed errors)',
+            '- Flows with error handling that only logs but takes no corrective action',
+            '- Subflows without error outputs — parent flow cannot detect failure',
+            '',
+            '### Missing Rollback Logic',
+            '- Flows that create/update multiple records but have no rollback on partial failure',
+            '- Example: Flow creates a record in table A, then tries to create in table B. If B fails,',
+            '  the record in A is orphaned. The Catch block should clean up A.',
+            '- Flows that call external APIs without handling non-2xx responses',
+            '',
+            '### Unhandled Error Paths',
+            '- If/Else branches where only the "If" path has actions (missing Else handling)',
+            '- Decision tables with no default/fallback branch',
+            '- Flows that call subflows without checking the subflow\'s return status',
+            '',
+            '### Error Notification Gaps',
+            '- Flows that fail silently — no email notification, no event, no log entry',
+            '- Flows that should alert admins on failure but have no notification action in Catch',
+            '',
+            '**Output per finding:**',
+            '| Flow Name | Issue Type | Severity | Details | Recommendation |',
+            '|-----------|------------|----------|---------|----------------|',
+        ];
+        // ─── Section 3: Performance ──────────────────────────────────────────────
+        const performanceSection = [
+            '## 3. Performance Analysis',
+            '',
+            'Use `get_flow`, `list_flow_executions`, `get_flow_execution`, and `query_records` to analyze:',
+            '',
+            '### Action Count Bloat',
+            '- Flows with more than **20 actions** — Flow Designer has a practical limit of ~100 actions',
+            '  but performance degrades well before that. Recommend breaking into subflows.',
+            '- Subflows with more than **15 actions** — should be further decomposed',
+            '- Flows with deeply nested subflow calls (depth > 3 levels, max platform limit is 500)',
+            '',
+            '### Loop Performance',
+            '- **For Each loops** iterating over unbounded record sets — must have `setLimit()` or a',
+            '  reasonable filter to prevent processing millions of records',
+            '- Nested loops (loop inside a loop) — O(n^2) complexity, major performance risk',
+            '- Loops containing GlideRecord queries — each iteration fires a separate query (N+1 pattern)',
+            '- Loops with Update Record actions — each iteration is a separate database write',
+            '',
+            '### Query Performance',
+            '- Flows using **Look Up Records** without filters or with very broad filters',
+            '- Flows querying large tables (task, sys_audit, syslog) without date or scope filters',
+            '- Multiple sequential Look Up Records actions that could be combined into one query',
+            '- Flows using dot-walked fields extensively — each dot-walk is an additional query',
+            '',
+            '### Execution Duration',
+            '- Flows with average execution time > 30 seconds (should be async)',
+            '- Flows with average execution time > 5 minutes (investigate bottleneck)',
+            '- Flows with high variance in execution time (sometimes fast, sometimes slow)',
+            '',
+            '### Resource Consumption',
+            '- Flows triggered on high-frequency tables (sys_audit, syslog) — can overwhelm the system',
+            '- Flows with record-based triggers that fire on every update (no condition filter)',
+            '- Multiple flows triggered on the same table+operation — cumulative impact',
+            '',
+            '**Output per finding:**',
+            '| Flow Name | Metric | Value | Threshold | Severity | Recommendation |',
+            '|-----------|--------|-------|-----------|----------|----------------|',
+        ];
+        // ─── Section 4: Dead Paths ───────────────────────────────────────────────
+        const deadPathSection = [
+            '## 4. Dead Path Detection',
+            '',
+            'Analyze flow logic for unreachable or redundant paths:',
+            '',
+            '### Unreachable Conditions',
+            '- If/Else branches where the condition is always true or always false',
+            '  (e.g., checking `current.state == "resolved"` in a flow triggered only on insert)',
+            '- Decision tables where a row\'s condition is a subset of a previous row\'s condition',
+            '  (the later row is never reached due to first-match semantics)',
+            '- Conditions that reference fields not present on the trigger table',
+            '',
+            '### Redundant Actions',
+            '- Actions that set a field value, followed by another action that overwrites the same field',
+            '- Look Up Records actions whose results are never used by subsequent actions',
+            '- Log actions left from debugging that serve no production purpose',
+            '',
+            '### Orphaned Branches',
+            '- If/Else structures where one branch has no actions (empty branch)',
+            '- Parallel branches where one branch always completes instantly (no-op)',
+            '- Flow stages with no actions between them',
+            '',
+            '### Inactive Elements',
+            '- Actions within a flow that are individually disabled/inactive',
+            '- Subflow calls where the target subflow is inactive',
+            '- Trigger conditions that can never match (contradictory filters)',
+            '',
+            '**Output per finding:**',
+            '| Flow Name | Dead Path Type | Location | Evidence | Recommendation |',
+            '|-----------|---------------|----------|----------|----------------|',
+        ];
+        // ─── Section 5: Async Issues ─────────────────────────────────────────────
+        const asyncSection = [
+            '## 5. Async Issues',
+            '',
+            'Analyze synchronous vs. asynchronous execution patterns:',
+            '',
+            '### Should Be Async But Is Not',
+            '- Flows with **REST/SOAP callouts** running synchronously — external API latency blocks the user',
+            '- Flows with **email/notification** actions running synchronously — SMTP delays affect response time',
+            '- Flows with **heavy GlideRecord operations** (updating 100+ records) running synchronously',
+            '- Flows triggered by user actions (form submit) that take > 5 seconds to complete',
+            '',
+            '### Should Be Sync But Is Async',
+            '- Flows that set field values on the triggering record but run asynchronously — the values',
+            '  will not be available when the record is saved (race condition)',
+            '- Flows that validate data and should abort the transaction but run async (validation is skipped)',
+            '- Flows that must complete before downstream processes depend on their output',
+            '',
+            '### Async Ordering Issues',
+            '- Multiple async flows on the same table — execution order is not guaranteed',
+            '- Async flows that depend on each other\'s output but have no sequencing mechanism',
+            '- Async flows competing for the same record (concurrent update conflicts)',
+            '',
+            '### Wait/Timer Misuse',
+            '- Flows using Wait For Condition with no timeout — can wait indefinitely',
+            '- Timer triggers with intervals < 1 minute (excessive system load)',
+            '- Flows combining timers with record queries in a polling pattern (use events instead)',
+            '',
+            '**Output per finding:**',
+            '| Flow Name | Async Issue | Current Mode | Recommended Mode | Impact | Recommendation |',
+            '|-----------|-------------|--------------|------------------|--------|----------------|',
+        ];
+        // ─── Section 6: Security ─────────────────────────────────────────────────
+        const securitySection = [
+            '## 6. Security Review',
+            '',
+            'Analyze flows for security risks:',
+            '',
+            '### Missing Role Checks',
+            '- Flows triggered by record changes on sensitive tables (sys_user, sys_user_has_role,',
+            '  sys_security_acl) without verifying the actor\'s role',
+            '- Flows that modify security-related tables (ACLs, roles, users) without admin checks',
+            '- Flows invocable via REST trigger without authentication requirements',
+            '',
+            '### Data Exposure',
+            '- Notification actions in flows that include sensitive fields in email body (password,',
+            '  SSN, salary, credit card, API keys)',
+            '- Flows that log sensitive data via Log actions (visible in flow execution history)',
+            '- Flows that pass sensitive data to external systems without encryption',
+            '',
+            '### Privilege Escalation',
+            '- Flows running as "System" that could be exploited to perform admin-level operations',
+            '  triggered by non-admin users',
+            '- Subflows with elevated privileges called from flows with lower privilege requirements',
+            '- Flows that create or modify user roles, group memberships, or ACLs',
+            '',
+            '### Script Actions in Flows',
+            '- Inline Script steps with `eval()`, `GlideEvaluator`, or `Packages.java.*`',
+            '- Script steps with hardcoded credentials or sys_ids',
+            '- Script steps using `setWorkflow(false)` to bypass other business rules',
+            '',
+            '**Output per finding:**',
+            '| Flow Name | Security Issue | Severity | Evidence | Risk | Recommendation |',
+            '|-----------|---------------|----------|----------|------|----------------|',
+        ];
+        // ─── Section 7: Best Practices ───────────────────────────────────────────
+        const bestPracticesSection = [
+            '## 7. Best Practices Audit',
+            '',
+            '### Naming Conventions',
+            '- Flows without a clear naming pattern — recommend: `[Scope] - [Table] - [Trigger] - [Purpose]`',
+            '  (e.g., `ITSM - Incident - Before Save - Set Priority`)',
+            '- Subflows without the "Subflow" or "SF" prefix/suffix for easy identification',
+            '- Actions with generic names like "Script Step 1", "Do Something"',
+            '',
+            '### Documentation',
+            '- Flows without descriptions — the description field should explain the business purpose',
+            '- Flows with undocumented inline scripts (no comments explaining logic)',
+            '- Complex decision logic without comments on what each branch handles',
+            '',
+            '### Version Control',
+            '- Flows not captured in an update set or source control',
+            '- Flows with many versions but no clear changelog',
+            '- Flows modified directly in production without a change record',
+            '',
+            '### Subflow Reuse',
+            '- Repeated action sequences (3+ identical actions) that should be extracted into subflows',
+            '- Flows duplicating logic that already exists in a subflow',
+            '- Subflows that are too specific — contain hardcoded values instead of accepting inputs',
+            '',
+            '### Trigger Hygiene',
+            '- Flows with overly broad triggers (e.g., "on update" with no condition — fires on EVERY update)',
+            '- Flows with conditions that should use "Run Trigger Once" to prevent re-firing',
+            '- Multiple flows with the same trigger and condition (candidates for merging)',
+            '',
+            '**Output per finding:**',
+            '| Flow Name | Best Practice Violation | Category | Recommendation |',
+            '|-----------|------------------------|----------|----------------|',
+        ];
+        // ─── Section 8: Execution History ────────────────────────────────────────
+        const executionSection = [
+            '## 8. Execution History Analysis',
+            '',
+            'Use `list_flow_executions`, `get_flow_execution`, and `get_flow_error_log` to analyze:',
+            '',
+            '### Failure Rates',
+            '- Flows with failure rate > 5% over the last 30 days — investigate root cause',
+            '- Flows with failure rate > 25% — likely broken, should be disabled pending fix',
+            '- Flows that started failing recently (new failures in last 7 days)',
+            '- Subflows that are a common failure point across multiple parent flows',
+            '',
+            '### Duration Analysis',
+            '- Average, median, and P95 execution time per flow',
+            '- Flows where execution time has increased > 50% over the last 30 days (degrading)',
+            '- Flows that frequently hit the platform timeout (300 seconds for sync, 900 for async)',
+            '',
+            '### Resource Consumption',
+            '- Flows with the highest execution counts (top 10 most-executed)',
+            '- Total flow execution volume per day — are we approaching platform limits?',
+            '- Flows consuming the most total execution time (count * average duration)',
+            '',
+            '### Error Patterns',
+            '- Most common error messages across all flows',
+            '- Errors correlated with time of day (batch processing conflicts)',
+            '- Errors correlated with specific users or integrations',
+            '',
+            '**Output:**',
+            '| Flow Name | Executions (30d) | Failures (30d) | Failure Rate | Avg Duration | P95 Duration | Trend |',
+            '|-----------|------------------|----------------|--------------|--------------|--------------|-------|',
+        ];
+        // ─── Build sections based on focus ───────────────────────────────────────
+        let sections;
+        switch (focus) {
+            case 'errors':
+                sections = [inventorySection, errorSection, deadPathSection, executionSection];
+                break;
+            case 'performance':
+                sections = [inventorySection, performanceSection, asyncSection, executionSection];
+                break;
+            case 'security':
+                sections = [inventorySection, securitySection];
+                break;
+            default:
+                sections = [
+                    inventorySection,
+                    errorSection,
+                    performanceSection,
+                    deadPathSection,
+                    asyncSection,
+                    securitySection,
+                    bestPracticesSection,
+                    executionSection,
+                ];
+        }
+        // ─── Report Format ───────────────────────────────────────────────────────
+        const reportFormat = [
+            '## Flow Audit Report Format',
+            '',
+            'Compile ALL findings into this structure:',
+            '',
+            '```',
+            'FLOW DESIGNER AUDIT REPORT',
+            '==========================',
+            `Scope: ${scopeLabel}`,
+            `Focus: ${focusDescription}`,
+            'Date: [current date]',
+            '',
+            'EXECUTIVE SUMMARY',
+            '- Total flows audited: X',
+            '- Total subflows audited: X',
+            '- Critical findings: X',
+            '- High findings: X',
+            '- Medium findings: X',
+            '- Low findings: X',
+            '- Overall health: [Healthy / Needs Attention / Critical]',
+            '',
+            'DETAILED FINDINGS',
+            '-----------------',
+            'Each finding MUST include:',
+            '  Finding ID:      FLOW-XXXX',
+            '  Severity:        Critical / High / Medium / Low',
+            '  Category:        Error Handling / Performance / Dead Path / Async / Security / Best Practice',
+            '  Flow:            [name] (sys_id)',
+            '  Details:         [specific issue found]',
+            '  Evidence:        [action name, execution log, or configuration detail]',
+            '  Impact:          [what happens if ignored]',
+            '  Recommendation:  [specific fix]',
+            '',
+            'SEVERITY DEFINITIONS',
+            '  CRITICAL — Flow failure causes data loss or business process outage',
+            '  HIGH     — Flow has errors/performance issues affecting users',
+            '  MEDIUM   — Flow works but violates best practices or has hidden risks',
+            '  LOW      — Cosmetic or hygiene issue; address during next maintenance',
+            '```',
+        ];
+        return [
+            {
+                role: 'assistant',
+                content: {
+                    type: 'text',
+                    text: [
+                        '# Capability: Flow Designer Audit',
+                        '',
+                        `**Scope:** ${scopeLabel}`,
+                        `**Focus:** ${focusDescription}`,
+                        '',
+                        'This capability performs a comprehensive audit of Flow Designer flows and subflows.',
+                        'I analyze flow structure, error handling, performance characteristics, execution history,',
+                        'and adherence to best practices. The audit covers both Flow Designer (sys_hub_flow) and',
+                        'legacy Workflow Editor (wf_workflow) artifacts.',
+                        '',
+                        '**Platform Knowledge:**',
+                        '- Flow Designer execution limit: ~100 actions per flow, 500 subflow call depth',
+                        '- Flows execute AFTER business rules in the save pipeline',
+                        '- Synchronous flows block the user transaction; async flows run in the background',
+                        '- Flow Designer replaced Workflow Editor starting in Madrid; legacy workflows should be migrated',
+                        '- Subflows can be reused across flows but add execution overhead per invocation',
+                        '- Flow execution history is stored in `sys_flow_context` and `sys_hub_action_execution`',
+                        '',
+                        ...sections.flatMap(s => [...s, '']),
+                        ...reportFormat,
+                        '',
+                        '---',
+                        '',
+                        'Beginning flow audit. Every finding must include its Finding ID, severity,',
+                        'category, concrete evidence, and a specific recommendation.',
+                    ].join('\n'),
+                },
+            },
+            {
+                role: 'user',
+                content: {
+                    type: 'text',
+                    text: scope === 'all'
+                        ? `Run a comprehensive Flow Designer audit across the entire instance. Focus: ${focus}. Analyze every flow and subflow and give me a structured report with severity ratings.`
+                        : `Run a Flow Designer audit for scope \`${scope}\`. Focus: ${focus}. Analyze every flow and subflow in this scope and give me a structured report with severity ratings.`,
+                },
+            },
+        ];
+    },
+};
+export default capability;
+//# sourceMappingURL=review-flows.js.map

package/dist/prompts/capabilities/review-flows.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"review-flows.js","sourceRoot":"","sources":["../../../src/prompts/capabilities/review-flows.ts"],"names":[],"mappings":"AAEA,MAAM,UAAU,GAAyB;IACvC,IAAI,EAAE,cAAc;IACpB,KAAK,EAAE,qBAAqB;IAC5B,WAAW,EACT,wGAAwG;IAC1G,QAAQ,EAAE,QAAQ;IAClB,SAAS,EAAE;QACT;YACE,IAAI,EAAE,OAAO;YACb,WAAW,EACT,uFAAuF;YACzF,QAAQ,EAAE,KAAK;SAChB;QACD;YACE,IAAI,EAAE,OAAO;YACb,WAAW,EACT,2EAA2E;YAC7E,QAAQ,EAAE,KAAK;SAChB;KACF;IACD,gBAAgB,EAAE;QAChB,eAAe;QACf,YAAY;QACZ,UAAU;QACV,eAAe;QACf,aAAa;QACb,sBAAsB;QACtB,oBAAoB;QACpB,oBAAoB;KACrB;IAED,WAAW,CAAC,IAAI;QACd,MAAM,KAAK,GAAG,IAAI,EAAE,KAAK,IAAI,KAAK,CAAC;QACnC,MAAM,KAAK,GAAG,IAAI,EAAE,KAAK,IAAI,KAAK,CAAC;QAEnC,MAAM,UAAU,GACd,KAAK,KAAK,KAAK;YACb,CAAC,CAAC,4BAA4B;YAC9B,CAAC,CAAC,wBAAwB,KAAK,IAAI,CAAC;QAExC,MAAM,UAAU,GAA2B;YACzC,GAAG,EAAE,4DAA4D;YACjE,MAAM,EAAE,kCAAkC;YAC1C,WAAW,EAAE,kDAAkD;YAC/D,QAAQ,EAAE,0CAA0C;SACrD,CAAC;QAEF,MAAM,gBAAgB,GAAG,UAAU,CAAC,KAAK,CAAC,IAAI,iBAAiB,KAAK,EAAE,CAAC;QAEvE,4EAA4E;QAE5E,MAAM,gBAAgB,GAAG;YACvB,sBAAsB;YACtB,EAAE;YACF,uFAAuF;YACvF,EAAE;YACF,0BAA0B;YAC1B,4CAA4C;YAC5C,+FAA+F;YAC/F,KAAK,KAAK,KAAK;gBACb,CAAC,CAAC,uBAAuB,KAAK,kEAAkE;gBAChG,CAAC,CAAC,8BAA8B;YAClC,0DAA0D;YAC1D,6CAA6C;YAC7C,EAAE;YACF,iCAAiC;YACjC,uCAAuC;YACvC,oEAAoE;YACpE,gFAAgF;YAChF,EAAE;YACF,oCAAoC;YACpC,0EAA0E;YAC1E,iEAAiE;YACjE,EAAE;YACF,6BAA6B;YAC7B,8EAA8E;YAC9E,8EAA8E;SAC/E,CAAC;QAEF,4EAA4E;QAE5E,MAAM,YAAY,GAAG;YACnB,4BAA4B;YAC5B,EAAE;YACF,+EAA+E;YAC/E,EAAE;YACF,4BAA4B;YAC5B,mFAAmF;YACnF,8EAA8E;YAC9E,2EAA2E;YAC3E,sEAAsE;YACtE,EAAE;YACF,4BAA4B;YAC5B,qFAAqF;YACrF,2FAA2F;YAC3F,mEAAmE;YACnE,oEAAoE;YACpE,EAAE;YACF,2BAA2B;YAC3B,iFAAiF;YACjF,mDAAmD;YACnD,0EAA0E;YAC1E,EAAE;YACF,6BAA6B;YAC7B,4EAA4E;YAC5E,sFAAsF;YACtF,EAAE;YACF,yBAAyB;YACzB,kEAAkE;YAClE,kEAAkE;SACnE,CAAC;QAEF,4EAA4E;QAE5E,MAAM,kBAAkB,GAAG;YACzB,4BAA4B;YAC5B,EAAE;YACF,+FAA+F;YAC/F,EAAE;YACF,wBAAwB;YACxB,6FAA6F;YAC7F,gFAAgF;YAChF,yEAAyE;YACzE,wFAAwF;YACxF,EAAE;YACF,sBAAsB;YACtB,yFAAyF;YACzF,+DAA+D;YAC/D,iFAAiF;YACjF,8FAA8F;YAC9F,kFAAkF;YAClF,EAAE;YACF,uBAAuB;YACvB,8EAA8E;YAC9E,uFAAuF;YACvF,qFAAqF;YACrF,oFAAoF;YACpF,EAAE;YACF,wBAAwB;YACxB,oEAAoE;YACpE,0EAA0E;YAC1E,+EAA+E;YAC/E,EAAE;YACF,0BAA0B;YAC1B,2FAA2F;YAC3F,oFAAoF;YACpF,4EAA4E;YAC5E,EAAE;YACF,yBAAyB;YACzB,wEAAwE;YACxE,wEAAwE;SACzE,CAAC;QAEF,4EAA4E;QAE5E,MAAM,eAAe,GAAG;YACtB,2BAA2B;YAC3B,EAAE;YACF,wDAAwD;YACxD,EAAE;YACF,4BAA4B;YAC5B,uEAAuE;YACvE,qFAAqF;YACrF,uFAAuF;YACvF,iEAAiE;YACjE,qEAAqE;YACrE,EAAE;YACF,uBAAuB;YACvB,6FAA6F;YAC7F,8EAA8E;YAC9E,oEAAoE;YACpE,EAAE;YACF,uBAAuB;YACvB,qEAAqE;YACrE,yEAAyE;YACzE,4CAA4C;YAC5C,EAAE;YACF,uBAAuB;YACvB,iEAAiE;YACjE,sDAAsD;YACtD,mEAAmE;YACnE,EAAE;YACF,yBAAyB;YACzB,uEAAuE;YACvE,sEAAsE;SACvE,CAAC;QAEF,4EAA4E;QAE5E,MAAM,YAAY,GAAG;YACnB,oBAAoB;YACpB,EAAE;YACF,0DAA0D;YAC1D,EAAE;YACF,gCAAgC;YAChC,kGAAkG;YAClG,sGAAsG;YACtG,6FAA6F;YAC7F,mFAAmF;YACnF,EAAE;YACF,iCAAiC;YACjC,4FAA4F;YAC5F,mEAAmE;YACnE,mGAAmG;YACnG,+EAA+E;YAC/E,EAAE;YACF,2BAA2B;YAC3B,8EAA8E;YAC9E,oFAAoF;YACpF,2EAA2E;YAC3E,EAAE;YACF,uBAAuB;YACvB,0EAA0E;YAC1E,oEAAoE;YACpE,wFAAwF;YACxF,EAAE;YACF,yBAAyB;YACzB,yFAAyF;YACzF,yFAAyF;SAC1F,CAAC;QAEF,4EAA4E;QAE5E,MAAM,eAAe,GAAG;YACtB,uBAAuB;YACvB,EAAE;YACF,mCAAmC;YACnC,EAAE;YACF,yBAAyB;YACzB,uFAAuF;YACvF,yDAAyD;YACzD,uFAAuF;YACvF,wEAAwE;YACxE,EAAE;YACF,mBAAmB;YACnB,wFAAwF;YACxF,uCAAuC;YACvC,qFAAqF;YACrF,yEAAyE;YACzE,EAAE;YACF,0BAA0B;YAC1B,uFAAuF;YACvF,gCAAgC;YAChC,yFAAyF;YACzF,sEAAsE;YACtE,EAAE;YACF,6BAA6B;YAC7B,6EAA6E;YAC7E,sDAAsD;YACtD,0EAA0E;YAC1E,EAAE;YACF,yBAAyB;YACzB,8EAA8E;YAC9E,6EAA6E;SAC9E,CAAC;QAEF,4EAA4E;QAE5E,MAAM,oBAAoB,GAAG;YAC3B,4BAA4B;YAC5B,EAAE;YACF,wBAAwB;YACxB,iGAAiG;YACjG,0DAA0D;YAC1D,gFAAgF;YAChF,mEAAmE;YACnE,EAAE;YACF,mBAAmB;YACnB,0FAA0F;YAC1F,yEAAyE;YACzE,uEAAuE;YACvE,EAAE;YACF,qBAAqB;YACrB,yDAAyD;YACzD,mDAAmD;YACnD,iEAAiE;YACjE,EAAE;YACF,mBAAmB;YACnB,2FAA2F;YAC3F,4DAA4D;YAC5D,yFAAyF;YACzF,EAAE;YACF,qBAAqB;YACrB,kGAAkG;YAClG,iFAAiF;YACjF,+EAA+E;YAC/E,EAAE;YACF,yBAAyB;YACzB,qEAAqE;YACrE,oEAAoE;SACrE,CAAC;QAEF,4EAA4E;QAE5E,MAAM,gBAAgB,GAAG;YACvB,kCAAkC;YAClC,EAAE;YACF,wFAAwF;YACxF,EAAE;YACF,mBAAmB;YACnB,+EAA+E;YAC/E,iFAAiF;YACjF,qEAAqE;YACrE,yEAAyE;YACzE,EAAE;YACF,uBAAuB;YACvB,oDAAoD;YACpD,oFAAoF;YACpF,wFAAwF;YACxF,EAAE;YACF,0BAA0B;YAC1B,kEAAkE;YAClE,6EAA6E;YAC7E,4EAA4E;YAC5E,EAAE;YACF,oBAAoB;YACpB,+CAA+C;YAC/C,mEAAmE;YACnE,yDAAyD;YACzD,EAAE;YACF,aAAa;YACb,wGAAwG;YACxG,wGAAwG;SACzG,CAAC;QAEF,4EAA4E;QAE5E,IAAI,QAAoB,CAAC;QACzB,QAAQ,KAAK,EAAE,CAAC;YACd,KAAK,QAAQ;gBACX,QAAQ,GAAG,CAAC,gBAAgB,EAAE,YAAY,EAAE,eAAe,EAAE,gBAAgB,CAAC,CAAC;gBAC/E,MAAM;YACR,KAAK,aAAa;gBAChB,QAAQ,GAAG,CAAC,gBAAgB,EAAE,kBAAkB,EAAE,YAAY,EAAE,gBAAgB,CAAC,CAAC;gBAClF,MAAM;YACR,KAAK,UAAU;gBACb,QAAQ,GAAG,CAAC,gBAAgB,EAAE,eAAe,CAAC,CAAC;gBAC/C,MAAM;YACR;gBACE,QAAQ,GAAG;oBACT,gBAAgB;oBAChB,YAAY;oBACZ,kBAAkB;oBAClB,eAAe;oBACf,YAAY;oBACZ,eAAe;oBACf,oBAAoB;oBACpB,gBAAgB;iBACjB,CAAC;QACN,CAAC;QAED,4EAA4E;QAE5E,MAAM,YAAY,GAAG;YACnB,6BAA6B;YAC7B,EAAE;YACF,2CAA2C;YAC3C,EAAE;YACF,KAAK;YACL,4BAA4B;YAC5B,4BAA4B;YAC5B,UAAU,UAAU,EAAE;YACtB,UAAU,gBAAgB,EAAE;YAC5B,sBAAsB;YACtB,EAAE;YACF,mBAAmB;YACnB,0BAA0B;YAC1B,6BAA6B;YAC7B,wBAAwB;YACxB,oBAAoB;YACpB,sBAAsB;YACtB,mBAAmB;YACnB,0DAA0D;YAC1D,EAAE;YACF,mBAAmB;YACnB,mBAAmB;YACnB,4BAA4B;YAC5B,8BAA8B;YAC9B,mDAAmD;YACnD,gGAAgG;YAChG,oCAAoC;YACpC,2CAA2C;YAC3C,0EAA0E;YAC1E,8CAA8C;YAC9C,mCAAmC;YACnC,EAAE;YACF,sBAAsB;YACtB,uEAAuE;YACvE,iEAAiE;YACjE,yEAAyE;YACzE,yEAAyE;YACzE,KAAK;SACN,CAAC;QAEF,OAAO;YACL;gBACE,IAAI,EAAE,WAAoB;gBAC1B,OAAO,EAAE;oBACP,IAAI,EAAE,MAAe;oBACrB,IAAI,EAAE;wBACJ,mCAAmC;wBACnC,EAAE;wBACF,cAAc,UAAU,EAAE;wBAC1B,cAAc,gBAAgB,EAAE;wBAChC,EAAE;wBACF,qFAAqF;wBACrF,2FAA2F;wBAC3F,yFAAyF;wBACzF,iDAAiD;wBACjD,EAAE;wBACF,yBAAyB;wBACzB,gFAAgF;wBAChF,2DAA2D;wBAC3D,mFAAmF;wBACnF,kGAAkG;wBAClG,iFAAiF;wBACjF,yFAAyF;wBACzF,EAAE;wBACF,GAAG,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC,CAAC;wBACpC,GAAG,YAAY;wBACf,EAAE;wBACF,KAAK;wBACL,EAAE;wBACF,4EAA4E;wBAC5E,6DAA6D;qBAC9D,CAAC,IAAI,CAAC,IAAI,CAAC;iBACb;aACF;YACD;gBACE,IAAI,EAAE,MAAe;gBACrB,OAAO,EAAE;oBACP,IAAI,EAAE,MAAe;oBACrB,IAAI,EACF,KAAK,KAAK,KAAK;wBACb,CAAC,CAAC,8EAA8E,KAAK,yFAAyF;wBAC9K,CAAC,CAAC,yCAAyC,KAAK,cAAc,KAAK,uGAAuG;iBAC/K;aACF;SACF,CAAC;IACJ,CAAC;CACF,CAAC;AAEF,eAAe,UAAU,CAAC"}

package/dist/prompts/capabilities/review-scripts.d.ts

@@ -0,0 +1,4 @@
+import type { CapabilityDefinition } from '../types.js';
+declare const capability: CapabilityDefinition;
+export default capability;
+//# sourceMappingURL=review-scripts.d.ts.map

package/dist/prompts/capabilities/review-scripts.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"review-scripts.d.ts","sourceRoot":"","sources":["../../../src/prompts/capabilities/review-scripts.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AAExD,QAAA,MAAM,UAAU,EAAE,oBAkKjB,CAAC;AAEF,eAAe,UAAU,CAAC"}