opencodekit 0.16.14 → 0.16.17

package/dist/template/.opencode/command/review-codebase.md

@@ -2,236 +2,88 @@
 description: Review code for quality, security, and compliance
 argument-hint: "[path|bead-id|pr-number|'all'] [--quick|--thorough]"
 agent: review
-subtask: true
 ---
 
 # Review: $ARGUMENTS
 
-## Load Beads Skill
+## Load Skills
 
 ```typescript
 skill({ name: "beads" });
-skill({ name: "memory-system" });
-```
-
-## Check Memory for Context
-
-Search for existing patterns and gotchas before review:
-
-```typescript
-// Find related past reviews and findings
-memory_search({ query: "[path/module] review security", limit: 3 });
-
-// Find known gotchas for this area
-memory_search({ query: "[module keywords] gotchas patterns", limit: 3 });
-```
-
-Apply past learnings to the review - don't repeat known issues.
-
-## Phase 1: Determine Scope
-
-Parse `$ARGUMENTS` to determine what to review:
-
-| Input                    | Scope                  | How to Get Code                             |
-| ------------------------ | ---------------------- | ------------------------------------------- |
-| File/directory path      | That path only         | `read` or `glob` + `read`                   |
-| Bead ID (e.g., `br-123`) | Implementation vs spec | `br show` then `git diff` from spec         |
-| PR number (e.g., `#45`)  | PR changes             | `gh pr diff 45`                             |
-| `all` or empty           | Recent changes         | `git diff main...HEAD` or `git diff HEAD~5` |
-
-If bead exists, load spec from `.beads/artifacts/$ID/spec.md` and review against constraints.
-
-## Phase 2: Automated Analysis
-
-Run these checks first (batch for speed):
-
-```typescript
-// Type/lint errors
-lsp_lsp_diagnostics(); // for each changed file
-```
-
-!`npm run type-check || tsc --noEmit`
-!`npm run lint || true`
-
-```typescript
-// Anti-pattern detection with grep
-grep({ pattern: "console\\.log" }); // Debug statements
-grep({ pattern: "any" }); // TypeScript any
-grep({ pattern: "TODO|FIXME|HACK|XXX" });
-grep({ pattern: "password\\s*=" }); // Hardcoded secrets
-```
-
-!`npm test || pytest || cargo test`
-
-Collect all automated findings before manual review.
-
-## Phase 3: Manual Review Categories
-
-```typescript
 skill({ name: "requesting-code-review" });
 ```
 
-Review each category with specific focus:
-
-### Security
-
-- Authentication/authorization checks on all endpoints
-- Input validation and sanitization
-- No secrets in code (API keys, passwords, tokens)
-- SQL/command injection prevention
-- XSS prevention (output encoding)
-
-### Performance
-
-- N+1 query patterns
-- Unbounded loops or recursion
-- Missing pagination on large datasets
-- Expensive operations in hot paths
-- Missing caching where appropriate
-
-### Maintainability
-
-- Cyclomatic complexity (functions > 10 branches)
-- DRY violations (duplicated logic)
-- Dead code or unreachable branches
-- Naming clarity (can you understand without comments?)
-- Single Responsibility violations
-
-### Error Handling
-
-- All async operations have error handling
-- Errors are logged with context
-- User-facing errors are sanitized (no stack traces)
-- Graceful degradation where appropriate
-
-### Testing
-
-- Test coverage on new/changed code
-- Tests verify behavior, not implementation
-- Edge cases covered (empty, null, boundary)
-- No excessive mocking (tests actually test something)
-
-### Type Safety (TypeScript/typed languages)
-
-- No `any` types without justification
-- Proper null/undefined handling
-- Generic types used appropriately
-- Return types explicit on public APIs
-
-## Phase 4: Create Tracking Issues
-
-For each Critical or Important finding:
-
-```bash
-br create "[Review] <brief issue description>" --type bug --priority 1
-```
-
-Skip creating beads for Minor issues (just report them).
-
-## Phase 5: Output Format
-
-### Summary
-
-| Metric             | Value   |
-| ------------------ | ------- |
-| Files reviewed     | X       |
-| Lines changed      | +X / -Y |
-| Critical issues    | X       |
-| Important issues   | X       |
-| Minor issues       | X       |
-| Automated findings | X       |
-
-### Automated Findings
-
-```
-[LSP] src/auth.ts:45 - Type 'string' is not assignable to type 'User'
-[AST] src/utils.ts:12 - console.log detected
-[GREP] src/config.ts:8 - TODO: implement rate limiting
-```
-
-### Manual Findings
-
-#### Critical (Must Fix Before Merge)
-
-| File:Line        | Issue                                | Category | Fix                            |
-| ---------------- | ------------------------------------ | -------- | ------------------------------ |
-| `src/auth.ts:45` | Missing auth check on admin endpoint | Security | Add `requireAuth()` middleware |
-
-#### Important (Should Fix)
-
-| File:Line      | Issue                  | Category    | Fix                          |
-| -------------- | ---------------------- | ----------- | ---------------------------- |
-| `src/db.ts:89` | N+1 query in user list | Performance | Use `include` or batch query |
-
-#### Minor (Nice to Have)
-
-| File:Line         | Issue                    | Category        | Fix                         |
-| ----------------- | ------------------------ | --------------- | --------------------------- |
-| `src/utils.ts:12` | Console.log left in code | Maintainability | Remove or use proper logger |
-
-### Strengths
+## Phase 1: Determine Scope
 
-- [What's done well - be specific with file:line]
+| Input                    | Scope                 | How to Get Code           |
+| ------------------------ | --------------------- | ------------------------- |
+| File/directory path      | That path only        | `read` or `glob` + `read` |
+| Bead ID (e.g., `br-123`) | Implementation vs PRD | `br show` then `git diff` |
+| PR number (e.g., `#45`)  | PR changes            | `gh pr diff 45`           |
+| `all` or empty           | Recent changes        | `git diff main...HEAD`    |
 
-### Recommendations
+If bead provided, read `.beads/artifacts/$ID/prd.md` to review against spec.
 
-- [Improvements beyond immediate fixes]
+## Phase 2: Automated Checks
 
-### Verdict
+Detect project type and run the appropriate checks in parallel:
 
-**Ready to merge:** Yes | No | With Fixes
+| Project Type    | Detect Via                    | Build            | Test            | Lint                          | Typecheck                             |
+| --------------- | ----------------------------- | ---------------- | --------------- | ----------------------------- | ------------------------------------- |
+| Node/TypeScript | `package.json`                | `npm run build`  | `npm test`      | `npm run lint`                | `npm run typecheck` or `tsc --noEmit` |
+| Rust            | `Cargo.toml`                  | `cargo build`    | `cargo test`    | `cargo clippy -- -D warnings` | (included in build)                   |
+| Python          | `pyproject.toml` / `setup.py` | —                | `pytest`        | `ruff check .`                | `mypy .`                              |
+| Go              | `go.mod`                      | `go build ./...` | `go test ./...` | `golangci-lint run`           | (included in build)                   |
 
-**Reasoning:** [1-2 sentences explaining the decision]
+Check `package.json` scripts, `Makefile`, or `justfile` for project-specific commands first — prefer those over generic defaults.
 
-**Beads created:** [List bead IDs for Critical/Important findings, or "None"]
+Also scan for common issues appropriate to the detected language:
 
----
+- Debug statements (`console.log`, `print()`, `println!`, `fmt.Println`)
+- Loose typing (`any` in TypeScript, `type: ignore` in Python)
+- `TODO|FIXME|HACK` markers
+- Hardcoded secrets patterns
 
-## Depth Levels
+## Phase 3: Manual Review
 
-**--quick** (~5-10 min): Automated checks + skim changed files, focus on Critical only
-**--thorough** (default, ~15-30 min): Full automated + manual review of all categories
-**--security**: Focus only on security category with deeper analysis
+Review each category:
 
-## Examples
+| Category            | Focus                                                                   |
+| ------------------- | ----------------------------------------------------------------------- |
+| **Security**        | Auth checks, input validation, no secrets in code, injection prevention |
+| **Performance**     | N+1 queries, unbounded loops, missing pagination, hot path ops          |
+| **Maintainability** | Complexity, DRY violations, dead code, naming clarity                   |
+| **Error Handling**  | Async error handling, error context, sanitized user errors              |
+| **Testing**         | Coverage on changed code, behavior tests, edge cases                    |
+| **Type Safety**     | No unjustified `any`, null handling, explicit return types              |
 
-```bash
-# Review a specific file
-/review-codebase src/auth/login.ts
+**Depth levels:**
 
-# Review against a bead spec
-/review-codebase br-feature-auth
+- `--quick`: Automated checks + skim, critical issues only
+- Default: Full automated + manual review
+- `--thorough`: Deep analysis of all categories
 
-# Review a PR
-/review-codebase #45
+## Phase 4: Report
 
-# Quick review of recent changes
-/review-codebase all --quick
+Group findings by severity:
 
-# Security-focused review
-/review-codebase src/api/ --security
-```
+- **Critical** (must fix before merge): with file:line, issue, fix
+- **Important** (should fix): with file:line, issue, fix
+- **Minor** (nice to have): with file:line, suggestion
 
-## Anti-Patterns (Don't Do This)
+Include:
 
-- "LGTM" without actually reviewing
-- Marking style issues as Critical
-- Reviewing code you didn't read
-- Vague feedback ("improve error handling" - WHERE? HOW?)
-- Skipping automated checks "to save time"
-- Not creating beads for real issues (they get forgotten)
+1. Summary metrics (files reviewed, issues by severity)
+2. Strengths (what's done well, with file:line)
+3. Verdict: Ready to merge / With fixes / No
+4. Reasoning (1-2 sentences)
 
-## Record Significant Findings
+Record significant findings with `observation()`.
 
-For important findings worth remembering:
+## Related Commands
 
-```typescript
-observation({
-  type: "warning", // or "pattern", "bugfix"
-  title: "[Module] [Issue type] pattern detected",
-  narrative: "Found [issue] in [location], which can cause...",
-  facts: "[key facts about the issue]",
-  concepts: "[module], security, [issue keywords]",
-  confidence: "high",
-});
-```
+| Need                | Command        |
+| ------------------- | -------------- |
+| Ship after review   | `/ship <id>`   |
+| Verify completeness | `/verify <id>` |
+| Check status        | `/status`      |

package/dist/template/.opencode/command/ship.md

@@ -1,161 +1,120 @@
 ---
-description: Ship a bead - implement, verify, review, close
-argument-hint: "<bead-id> [--parallel] [--swarm]"
+description: Ship a bead - implement PRD tasks, verify, review, close
+argument-hint: "<bead-id>"
 agent: build
 ---
 
 # Ship: $ARGUMENTS
 
-This command combines implementation and finish gates. It implements, verifies, runs review, then closes.
+Execute PRD tasks, verify each passes, run review, close the bead.
+
+> **Workflow:** `/create` → `/start <id>` → **`/ship <id>`**
+>
+> ⛔ Bead MUST be `in_progress` with `prd.md`. Run `/start` first if not.
 
 ## Load Skills
 
 ```typescript
 skill({ name: "beads" });
-skill({ name: "test-driven-development" });
 skill({ name: "verification-before-completion" });
-skill({ name: "finishing-a-development-branch" });
-skill({ name: "receiving-code-review" });
-skill({ name: "swarm-coordination" });
-skill({ name: "beads-bridge" });
-skill({ name: "memory-system" });
-```
-
-## Check Memory for Context
-
-Search for related patterns and gotchas before shipping:
-
-```typescript
-// Find related patterns and decisions
-memory_search({ query: "$ARGUMENTS [feature keywords]", limit: 3 });
-
-// Find gotchas for affected modules
-memory_search({ query: "[affected modules] gotchas", limit: 3 });
 ```
 
-Apply past learnings to avoid known issues.
-
-## Skill Routing
-
-- Use **systematic-debugging** when a gate fails and root cause is unclear.
-- Use **receiving-code-review** to triage review feedback after the review agent runs.
-
-## Verify Task & Claim
+## Phase 1: Guards
 
 ```bash
 br show $ARGUMENTS
-br update $ARGUMENTS --status in_progress
 ```
 
-## Pre-Flight Verification
+Verify:
 
-Run `/verify $ARGUMENTS --quick` to check:
+- Bead status is `in_progress` (if not, tell user to run `/start $ARGUMENTS`)
+- `.beads/artifacts/$ARGUMENTS/prd.md` exists (if not, tell user to run `/create` first)
 
-- All spec requirements addressed
-- All gates passing
-- No obvious contradictions
+Check what artifacts exist:
 
-If verification fails, fix issues before proceeding.
-
-## Implement (Keep It Focused)
+```bash
+ls .beads/artifacts/$ARGUMENTS/
+```
 
-- Read before edit
-- Delegate research if unclear (Task → explore/scout)
-- Keep scope ≤ 3 files or create subtasks
+## Phase 2: Route to Execution
 
-If the task is large (3+ independent subtasks), use swarm mode.
+| Artifact exists | Action                                                   |
+| --------------- | -------------------------------------------------------- |
+| `plan.md`       | Load `executing-plans` skill, follow its batch process   |
+| `prd.json`      | Proceed to PRD task loop below                           |
+| Only `prd.md`   | Load `prd-task` skill to create `prd.json`, then proceed |
 
-## Run Verification Gates
+## Phase 3: PRD Task Loop
 
-Detect project type:
+For each task in `prd.json` (respecting `depends_on` ordering):
 
-```bash
-ls package.json Cargo.toml pyproject.toml go.mod Makefile 2>/dev/null
-```
-
-**Node/TypeScript:**
-
-```bash
-npm run build 2>/dev/null || true
-npm test
-npm run lint 2>/dev/null || true
-npm run typecheck 2>/dev/null || true
-```
+1. **Read** the task description, verification steps, and affected files
+2. **Read** the affected files before editing
+3. **Implement** the changes — stay within the task's `files` list
+4. **Verify** — run each verification step from the task
+5. **If verification fails**, fix and retry (max 2 attempts per task)
+6. **Mark** `passes: true` in `prd.json`
+7. **Append** progress to `.beads/artifacts/$ARGUMENTS/progress.txt`
 
-**Rust:**
+### Stop Conditions
 
-```bash
-cargo build
-cargo test
-cargo clippy -- -D warnings
-```
+- Verification fails 2x on same task → stop, report blocker
+- Blocked by unfinished dependency → stop, report which one
+- Modifying files outside task scope → stop, ask user
 
-**Python:**
+## Phase 4: Verification Gates
 
-```bash
-pytest
-ruff check .
-mypy . 2>/dev/null || true
-```
+After all PRD tasks pass, detect project type and run the appropriate verification gates:
 
-**Go:**
+| Project Type    | Detect Via                    | Build            | Test            | Lint                          | Typecheck                             |
+| --------------- | ----------------------------- | ---------------- | --------------- | ----------------------------- | ------------------------------------- |
+| Node/TypeScript | `package.json`                | `npm run build`  | `npm test`      | `npm run lint`                | `npm run typecheck` or `tsc --noEmit` |
+| Rust            | `Cargo.toml`                  | `cargo build`    | `cargo test`    | `cargo clippy -- -D warnings` | (included in build)                   |
+| Python          | `pyproject.toml` / `setup.py` | —                | `pytest`        | `ruff check .`                | `mypy .`                              |
+| Go              | `go.mod`                      | `go build ./...` | `go test ./...` | `golangci-lint run`           | (included in build)                   |
 
-```bash
-go build ./...
-go test ./...
-golangci-lint run
-```
+Check `package.json` scripts, `Makefile`, or `justfile` for project-specific commands first — prefer those over generic defaults.
 
-If ANY gate fails, stop and fix before proceeding.
+Also read the PRD's success criteria and run each `Verify:` command.
 
-## Stage Changes For Review
+If any gate fails, fix before proceeding.
 
-```bash
-git add -A
-git status
-git diff --cached --stat
-```
+## Phase 5: Review
 
-## Spawn Review Agent (After Tests)
+Spawn review agent to check changes against the PRD:
 
 ```typescript
 Task({
   subagent_type: "review",
   description: "Review changes for $ARGUMENTS",
-  prompt: `Review the staged changes for bead $ARGUMENTS.
+  prompt: `Review changes for bead $ARGUMENTS.
 
-Context:
-- Use git status and git diff --cached to see changes
-- Focus on correctness, edge cases, and risks
-- Report issues with file:line references
+Read PRD: .beads/artifacts/$ARGUMENTS/prd.md
+Review: git diff HEAD
 
-Return:
-- Summary of findings
-- Critical/High/Medium issues (if any)
-`,
+Check:
+1. Changes satisfy PRD success criteria
+2. Correctness, edge cases, security
+3. No scope creep beyond PRD files
+
+Return: findings by severity, whether success criteria are met.`,
 });
 ```
 
-If review finds issues, fix them, re-run verification gates, then re-run review.
+If review finds critical issues → fix → re-run Phase 4 → re-review.
 
-## Verify Success Criteria
+## Phase 6: Close
 
-```bash
-cat .beads/artifacts/$ARGUMENTS/prd.md
-```
-
-Ensure all criteria are met before closing.
-
-## Close Bead (Ask First)
+Ask user before closing:
 
 ```typescript
 question({
   questions: [
     {
       header: "Close",
-      question: "Ship complete. Close bead $ARGUMENTS?",
+      question: "All tasks pass, gates green, review clean. Close bead $ARGUMENTS?",
       options: [
-        { label: "Yes, close it (Recommended)", description: "All gates passed" },
+        { label: "Yes, close it (Recommended)", description: "All checks passed" },
         { label: "No, keep open", description: "Need more work" },
       ],
     },
@@ -166,34 +125,26 @@ question({
 If confirmed:
 
 ```bash
-br close $ARGUMENTS --reason "Shipped: verification + review passed"
+br close $ARGUMENTS --reason "Shipped: all PRD tasks pass, verification + review passed"
 br sync --flush-only
 ```
 
-## Record Learnings (On Completion)
+Record significant learnings with `observation()`.
 
-Before ending, capture what was learned:
+## Output
 
-```typescript
-// Record significant decisions or patterns discovered
-observation({
-  type: "feature", // or "decision", "pattern"
-  title: "$ARGUMENTS: [brief description]",
-  narrative: "Implemented [feature]. Key approach: [summary]...",
-  facts: "[key implementation details]",
-  concepts: "[domain keywords], [tech stack]",
-  bead_id: "$ARGUMENTS",
-  files_modified: "[key files changed]",
-  confidence: "high",
-});
+Report:
 
-// If encountered gotchas worth remembering
-observation({
-  type: "warning",
-  title: "[Gotcha discovered during $ARGUMENTS]",
-  narrative: "While implementing, discovered that...",
-  concepts: "[relevant keywords]",
-  bead_id: "$ARGUMENTS",
-  confidence: "high",
-});
-```
+1. PRD task results (completed/total, each task status)
+2. Verification gate results (typecheck, build, test, lint)
+3. Success criteria results
+4. Review summary
+5. Next steps: commit changes or create PR
+
+## Related Commands
+
+| Need        | Command       |
+| ----------- | ------------- |
+| Create spec | `/create`     |
+| Claim task  | `/start <id>` |
+| Create PR   | `/pr`         |