opencode-swarm 7.57.0 → 7.58.1

package/.opencode/skills/codebase-review-swarm/assets/jsonl-schemas.md

@@ -0,0 +1,239 @@
+# JSONL and Structured Block Schemas
+
+Use these exact fields unless a field is not applicable, in which case write `N/A` or an explicit reason. Prefer one block per record in markdown ledgers and JSON object per line in `.jsonl` artifacts.
+
+## Coverage unit
+
+```json
+{"unit_id":"COV-001","track":"security","unit_type":"trust_boundary","path_or_id":"BOUNDARY-001","status":"UNREVIEWED","depth_tier":"focused|multi_track|complete_integrated|custom","passes_required":["candidate","deterministic_tool","caller_callee_trace","test_or_guard_check","reviewer_validation","critic_if_required"],"passes_completed":[],"evidence_refs":[],"deterministic_checks":[],"runtime_checks_or_reason":"","validation_refs":[],"remaining_uncertainty":"","reason":"","updated_at":"<iso8601>"}
+```
+
+Terminal `status` values: `REVIEWED`, `NOT_APPLICABLE`, `SKIPPED_WITH_REASON`, `BLOCKED`. Final report is forbidden for selected tracks while any unit remains `UNASSIGNED` or `UNREVIEWED`. `REVIEWED` is valid only when `passes_completed` satisfies the selected track's `TRACK_DEPTH_PLAN`.
+
+## Track depth plan
+
+Write one block per selected track to `ledgers/review-depth-plan.md` after track selection and before Phase 1.
+
+```text
+TRACK_DEPTH_PLAN
+  track: <A|B|C|D|E|F|G|1X>
+  mode: focused | multi_track | complete_integrated | custom
+  coverage_unit_basis: <public_surface | trust_boundary | test_cluster | ui_component_family | hot_path | dependency_family | ai_surface | domain_component | cross_boundary_pair>
+  expected_units: <count or unknown_until_inventory>
+  granularity_rule: <how complex units are split>
+  required_passes: <inventory excerpts, candidate pass, deterministic tool pass, caller/callee trace, tests/claims check, validation, critic>
+  deterministic_tools_to_attempt: <commands/tools or N/A with reason>
+  runtime_validation_policy: <when to run, when to mark UNVERIFIED>
+  reviewer_batch_rule: <local reasoning unit definition>
+  critic_rule: <inline/final/enhancement/systemic>
+  non_dilution_check: <why this track is not shallower because of selected breadth>
+END
+```
+
+## Candidate finding
+
+```text
+CANDIDATE_FINDING
+  id: <track>-<scope>-<sequence>
+  track: functionality | security | supply_chain | testing | ui_ux | performance | observability | ai_slop | docs_claims | cross_platform | cross_boundary
+  group: <short category>
+  provisional_severity: CRITICAL | HIGH | MEDIUM | LOW | INFO
+  confidence: HIGH | MEDIUM
+  grounding_assessment: HIGH | MEDIUM
+  file: <relative path>
+  line: <line or range>
+  exact_quote: <verbatim evidence>
+  title: <specific one-line title>
+  problem: <factual description>
+  impact: <why it matters>
+  likely_fix: <concrete likely remediation>
+  evidence_checked: <files, callers, configs, tests, docs, manifests, runtime paths checked>
+  alternative_interpretation: <what could make this wrong>
+  disproof_attempt: <required for CRITICAL/HIGH; recommended for all>
+  linked_claims: <claim ids or N/A>
+  linked_surfaces: <surface ids or N/A>
+  linked_boundaries: <boundary ids or N/A>
+  ai_pattern: <optional or N/A>
+  needs_runtime_validation: yes | no
+  size: S | M | L
+END
+```
+
+## Enhancement candidate
+
+```text
+ENHANCEMENT_CANDIDATE
+  id: ENH-<track>-<sequence>
+  track: enhancement | architecture | code_quality | testing | ui_ux | performance | observability | resilience | developer_experience
+  domain: <specific subsystem or component family>
+  category: architecture | code_quality | simplification | developer_experience | performance | resilience | observability | ui_hierarchy | ui_interaction | ui_accessibility | ui_typography | ui_performance | ui_consistency | testing
+  value_level: high | medium | low
+  confidence: HIGH | MEDIUM
+  grounding_assessment: HIGH | MEDIUM
+  file: <relative path>
+  line: <line or range>
+  exact_quote: <verbatim current-state evidence>
+  title: <specific one-line title>
+  current_state: <what exists now, without calling it broken>
+  confirms_current_code_is_working: yes | no
+  enhancement: <specific implementable improvement>
+  expected_impact: <what improves>
+  effort: S | M | L
+  dependencies: <other enhancement ids or N/A>
+  alternative_interpretation: <why current design might be intentional>
+  disproof_attempt: <required for high-value; recommended for all>
+  rejection_risk: <what would make this a bad suggestion>
+END
+```
+
+## Validated finding
+
+```text
+VALIDATED_FINDING
+  candidate_id:
+  status: CONFIRMED | DISPROVED | UNVERIFIED | PRE_EXISTING
+  final_severity: CRITICAL | HIGH | MEDIUM | LOW | INFO
+  confidence: HIGH | MEDIUM
+  grounding_assessment: HIGH | MEDIUM | LOW
+  file:
+  line:
+  exact_quote:
+  title:
+  problem:
+  impact:
+  fix:
+  validation_evidence:
+  disproof_reason: <required if DISPROVED>
+  verification_mode: STATIC | STATIC_PLUS_RUNTIME
+  runtime_validation: <command or N/A>
+  linked_claims:
+  linked_surfaces:
+  linked_boundaries:
+  ai_pattern: <same value from candidate or N/A>
+  inline_routing: CRITIC_REQUIRED | REVIEWER_FINALIZED | REVIEWER_DOWNGRADED
+  finalization_status: FINALIZED | DOWNGRADED | N/A
+  size: S | M | L
+END
+```
+
+## Validated enhancement
+
+```text
+VALIDATED_ENHANCEMENT
+  candidate_id:
+  status: CONFIRMED_HIGH_VALUE | CONFIRMED_MEDIUM_VALUE | REJECTED | UNVERIFIED
+  track:
+  domain:
+  category:
+  confidence: HIGH | MEDIUM
+  grounding_assessment: HIGH | MEDIUM | LOW
+  file:
+  line:
+  exact_quote:
+  title:
+  current_state:
+  confirms_current_code_is_working: yes | no
+  enhancement:
+  expected_impact:
+  effort: S | M | L
+  validation_evidence:
+  dependency_map:
+  rejection_reason: <required if REJECTED>
+END
+```
+
+## Critic result
+
+```text
+CRITIC_RESULT
+  finding_id:
+  verdict: UPHELD | REFINED | DOWNGRADED | OVERTURNED
+  original_severity: CRITICAL | HIGH
+  final_severity:
+  grounding_assessment: HIGH | MEDIUM | LOW
+  file:
+  line:
+  exact_quote:
+  title:
+  final_problem:
+  final_fix:
+  ai_pattern: <same value from validated finding or N/A>
+  verdict_reason:
+  coverage_gap:
+END
+```
+
+## Enhancement critic result
+
+```text
+ENHANCEMENT_CRITIC_RESULT
+  enhancement_id:
+  verdict: UPHELD_HIGH_VALUE | UPHELD_MEDIUM_VALUE | REFINED | MERGED | DOWNGRADED | REJECTED
+  final_category:
+  final_title:
+  grounding_assessment: HIGH | MEDIUM | LOW
+  file:
+  line:
+  exact_quote:
+  final_enhancement:
+  expected_impact:
+  effort: S | M | L
+  dependencies:
+  verdict_reason:
+END
+```
+
+## Test drift review
+
+```text
+TEST_DRIFT_REVIEW
+  related_findings:
+  commands_run:
+  behavior_assertions_verified:
+  stale_tests_found:
+  weak_assertions_found:
+  property_based_opportunities:
+  mutation_resilience_gaps:
+  remaining_uncertainty:
+END
+```
+
+## Final critic check
+
+```text
+FINAL_CRITIC_CHECK
+  verdict: PASS | REVISE
+  required_revisions:
+  severity_adjustments:
+  findings_to_drop:
+  findings_to_reclassify_as_enhancements:
+  enhancements_to_reclassify_as_defects:
+  unsupported_report_claims:
+  missing_or_empty_ledgers:
+  unsupported_strengths:
+  coverage_note_fixes:
+  count_mismatches:
+  coverage_closure_failures:
+  depth_plan_failures:
+  selected_track_dilution_detected: yes | no
+END
+```
+
+## Source-of-truth packet outline
+
+```markdown
+# Source of Truth Packet
+
+## Repo Identity
+## Tech Stack
+## Commands
+## Public Surfaces
+## Trust Boundaries
+## MCP and Agent Surfaces
+## Claims Needing Verification
+## Test and Quality Gates
+## UI Applicability
+## AI/Agent Applicability
+## Review Track Recommendation
+## Prohibited Assumptions
+```

package/.opencode/skills/codebase-review-swarm/assets/review-report-template.md

@@ -0,0 +1,244 @@
+# Codebase Review Report
+
+Generated: [timestamp]
+Repository: [name/path]
+Git HEAD: [SHA]
+Selected Review Tracks: [tracks]
+Skipped Tracks: [tracks and why]
+Review Mode: [complete integrated | defect-focused | focused | enhancement-only | custom]
+
+## Executive Summary
+
+[2-5 sentences. Strongest confirmed themes only. No unvalidated or unquoted claims.]
+
+## Review Scope and Method
+
+- Phase 0 inventory completed: yes
+- User-selected tracks:
+- Explorer candidates generated:
+- Reviewer validation completed:
+- Inline critic used for CRITICAL/HIGH:
+- Reviewer finalization used for MEDIUM/LOW:
+- Enhancement critic used:
+- Final whole-report critic verdict:
+- Coverage closure verified: yes (N units reviewed, 0 unreviewed)
+- Runtime validation commands run:
+
+## Findings Count
+
+```text
+Defect Findings by Track:
+  functionality_correctness: C / H / M / L / I
+  security_privacy:         C / H / M / L / I
+  llm_ai_security:          C / H / M / L / I
+  supply_chain:             C / H / M / L / I
+  testing_quality:          C / H / M / L / I
+  ui_ux_accessibility:      C / H / M / L / I
+  performance:              C / H / M / L / I
+  observability:            C / H / M / L / I
+  ai_slop_provenance:       C / H / M / L / I
+  docs_claims_drift:        C / H / M / L / I
+  cross_platform:           C / H / M / L / I
+  cross_boundary:           C / H / M / L / I
+  total:                    C / H / M / L / I
+
+Validation Outcomes:
+  candidates_generated:
+  confirmed:
+  pre_existing:
+  disproved:
+  unverified:
+  reviewer_downgraded:
+  critic_upheld:
+  critic_refined:
+  critic_downgraded:
+  critic_overturned:
+
+Enhancement Outcomes:
+  candidates_generated:
+  upheld_high_value:
+  upheld_medium_value:
+  refined:
+  merged:
+  downgraded:
+  rejected:
+  unverified:
+
+Claim Ledger:
+  supported:
+  partially_supported:
+  unsupported:
+  contradicted:
+  stealth_change:
+  unverified:
+
+Coverage Closure:
+  total_coverage_units:
+  reviewed:
+  not_applicable:
+  skipped_with_reason:
+  blocked:
+  unreviewed: 0
+```
+
+## Critical and High Confirmed Defect Findings
+
+[Full details. Do not include PRE_EXISTING here.]
+
+## High-Severity Pre-Existing Findings
+
+[Required if any CRITICAL/HIGH PRE_EXISTING findings exist.]
+
+## Medium Defect Findings
+
+[Full details or grouped details.]
+
+## Low and Info Defect Findings
+
+[Condensed but evidence-grounded.]
+
+## Security, Privacy, LLM/MCP, and Supply Chain Notes
+
+[Include only if selected or relevant.]
+
+## Unsupported, Contradicted, or Partially Supported Claims
+
+[Claim ledger outcomes.]
+
+## AI Slop and Code Provenance Patterns
+
+[Evidence-based patterns only. Never vibe-based.]
+
+## Testing and Test Drift Findings
+
+[Test-quality and drift results.]
+
+## UI/UX and Accessibility Findings
+
+[Include only if selected and UI exists.]
+
+## Performance and Observability Findings
+
+[Include only if selected.]
+
+## Systemic Themes
+
+[Themes synthesized from validated findings only.]
+
+## Enhancement Opportunities
+
+[Include only if selected.]
+
+### Top 10 Highest-Impact Enhancements
+
+[Top validated high-value opportunities, ranked by impact.]
+
+### Full Enhancement Catalog
+
+#### Architecture Enhancements (ARCH-*)
+#### Code Quality Enhancements (QUAL-*)
+#### Performance Enhancements (PERF-*)
+#### Resilience and Observability Enhancements (RES-*)
+#### Testing Enhancements (TEST-*)
+#### UI/UX — Visual Hierarchy and Layout (UI-HIER-*)
+#### UI/UX — Interaction Design and Feedback (UI-INT-*)
+#### UI/UX — Accessibility and Inclusivity (UI-A11Y-*)
+#### UI/UX — Typography and Visual Polish (UI-VIS-*)
+#### UI/UX — Performance and Perceived Performance (UI-PERF-*)
+#### UI/UX — Consistency and Design System Alignment (UI-CON-*)
+
+### Implementation Roadmap
+
+#### Phase 1 — Quick Wins
+
+Low effort, high clarity. List by ID with one-line description.
+
+#### Phase 2 — Meaningful Improvements
+
+Medium effort, clear payoff. List by ID with dependencies noted.
+
+#### Phase 3 — Architectural Investments
+
+High effort, transformational impact. List by ID.
+
+### Codebase Strengths
+
+[Specific patterns worth preserving. Each strength must cite file and line range and include exact quote evidence.]
+
+## Recommended Remediation Order
+
+1. Security, supply-chain, data-loss, and broken shipped functionality.
+2. Unsupported public claims and stealth behavior changes.
+3. Trust-boundary and authorization defects.
+4. Test gaps that allow confirmed defects to recur.
+5. Performance and observability gaps affecting production diagnosis.
+6. AI slop and provenance cleanup by repeated pattern.
+7. Validated enhancement opportunities by dependency order.
+
+## Coverage and Depth Notes
+
+- Tracks not run:
+- Areas inventoried but not deeply reviewed:
+- Runtime validations not run and why:
+- UNVERIFIED findings worth future attention:
+- Files or generated artifacts intentionally excluded:
+
+## Validation Notes
+
+- candidates generated:
+- reviewer confirmed:
+- reviewer disproved:
+- reviewer unverified:
+- critic upheld/refined/downgraded/overturned:
+- enhancements upheld/rejected:
+- final critic verdict:
+- coverage units: total / reviewed / not_applicable / skipped / blocked / unreviewed
+- depth plan failures: none or list
+- selected-track dilution detected: yes/no
+
+## Per-Finding Format
+
+### [SEVERITY] [Title]
+
+Location: `path:line`
+Track: [track]
+Status: CONFIRMED | PRE_EXISTING
+Confidence: HIGH | MEDIUM
+Grounding: HIGH | MEDIUM
+
+Evidence:
+> [exact quote]
+
+Problem:
+[factual issue]
+
+Impact:
+[specific impact]
+
+Validation:
+[what reviewer checked, runtime command if any, critic outcome if high severity]
+
+Recommended Fix:
+[actionable remediation]
+
+## Per-Enhancement Format
+
+### [ENHANCEMENT-ID] [Title]
+
+Location: `path:line`
+Category: [category]
+Value: High | Medium
+Effort: S | M | L
+Grounding: HIGH | MEDIUM
+
+Current State:
+> [exact quote]
+
+Opportunity:
+[specific improvement]
+
+Expected Impact:
+[what improves]
+
+Validation:
+[critic result and dependencies]

package/.opencode/skills/codebase-review-swarm/references/compatibility-and-research-notes.md

@@ -0,0 +1,25 @@
+# Compatibility and Research Notes
+
+This package targets the shared Agent Skills shape: a directory containing `SKILL.md`, plus optional `references/`, `assets/`, `scripts/`, and Codex-specific `agents/openai.yaml` metadata.
+
+## Compatibility decisions
+
+- Canonical opencode-swarm repo install path: `.opencode/skills/codebase-review-swarm/`.
+- Claude Code repo adapter path: `.claude/skills/codebase-review-swarm/`.
+- Codex repo adapter path: `.agents/skills/codebase-review-swarm/`.
+- Portable OpenCode install paths for other repositories: `.opencode/skills/codebase-review-swarm/`, `.claude/skills/codebase-review-swarm/`, or `.agents/skills/codebase-review-swarm/`.
+- Frontmatter is intentionally minimal and portable: `name`, `description`, `license`, `compatibility`, and `metadata`.
+- Long operational content is progressively disclosed via `references/` and `assets/` rather than packed only into `SKILL.md`.
+- The full v7 source is retained verbatim in `references/full-v7-source-prompt.md` for long checklists and provenance.
+
+## Standards updates in v8.2
+
+- OWASP ASVS: use 5.0.0 as the stable baseline. The source v7 prompt referenced 4.0.3 with v5.0 draft; this package supersedes that for current reviews.
+- OWASP Top 10 for LLM Applications: use 2025 categories, including system prompt leakage and vector/embedding weaknesses.
+- SLSA: use v1.2 terminology for provenance, build levels/tracks, and attestation expectations.
+- UI accessibility: use WCAG 2.2 AA unless repository policy requires stricter.
+- Observability: use OpenTelemetry traces, metrics, logs, and context propagation as the default model.
+
+## Invocation policy
+
+This review is heavy and can run many read-only commands. Codex-specific `agents/openai.yaml` sets `allow_implicit_invocation: false` to prefer explicit `$codebase-review-swarm` usage. Other hosts may still suggest it based on the `description`.