prizmkit 1.1.35 → 1.1.36

package/bundled/dev-pipeline/templates/refactor-bootstrap-prompt.md

@@ -162,15 +162,14 @@ Resolve any `[NEEDS CLARIFICATION]` markers using the refactor description — d
   Prompt: "Read {{REVIEWER_SUBAGENT_PATH}}. For refactor {{REFACTOR_ID}}:
   1. Read `.prizmkit/refactor/{{REFACTOR_ID}}/spec.md` for goals and behavior preservation contracts
   2. Read `.prizmkit/refactor/{{REFACTOR_ID}}/plan.md` for architecture decisions and completed tasks
-  3. Run `/prizmkit-code-review` with artifact_dir=.prizmkit/refactor/{{REFACTOR_ID}}/ scoped to CHANGED FILES ONLY (both phases: diagnostic + fix strategy)
+  3. Run `/prizmkit-code-review` with artifact_dir=.prizmkit/refactor/{{REFACTOR_ID}}/. The skill runs an internal review-fix loop (Reviewer → filter → Dev fix, max 3 rounds) and writes review-report.md.
   4. Run full test suite and verify ALL tests pass
-  5. Write integration tests covering all goals from spec.md
-  6. review-report.md will be written to .prizmkit/refactor/{{REFACTOR_ID}}/ by prizmkit-code-review
-  7. Report: number of findings found, or 'no findings' if clean
+  5. review-report.md will be written to .prizmkit/refactor/{{REFACTOR_ID}}/ by prizmkit-code-review
+  6. Report: verdict (PASS/NEEDS_FIXES), number of rounds, findings fixed/rejected
   "
 - **Wait for Reviewer to return**
-- **Verdict decision** (L4 responsibility): If findings exist → return to Phase 2 for refinement (max 2 review rounds). If no findings → proceed.
-- **CP-RF-3**: Code review passes, all tests green, behavior preserved
+- Read `review-report.md` — if PASS proceed, if NEEDS_FIXES log remaining findings and proceed.
+- **CP-RF-3**: Code review complete, tests pass, behavior preserved
 - **Checkpoint update**: set step `prizmkit-code-review` to `"completed"` in `{{CHECKPOINT_PATH}}`
 
 ---

package/bundled/dev-pipeline/templates/sections/phase-browser-verification-auto.md

@@ -0,0 +1,153 @@
+### Browser Verification — MANDATORY
+
+You MUST execute this phase. Do NOT skip it. Do NOT mark it as completed without actually running browser verification.
+
+**Step 0 — Tool Selection (BLOCKING — decide before any browser action)**:
+
+0a. Check which browser tools are available:
+```bash
+echo "=== playwright-cli ==="
+which playwright-cli 2>/dev/null && playwright-cli --version 2>/dev/null || echo "NOT_INSTALLED"
+echo "=== opencli ==="
+which opencli 2>/dev/null && opencli --version 2>/dev/null || echo "NOT_INSTALLED"
+```
+
+0b. If opencli is installed, verify Browser Bridge connectivity:
+```bash
+opencli doctor 2>/dev/null || echo "OPENCLI_BRIDGE_FAILED"
+```
+
+0c. **Choose your tool** based on availability and scenario:
+
+| Condition | Use this tool |
+|-----------|--------------|
+| Only playwright-cli installed | `playwright-cli` |
+| Only opencli installed (and doctor passes) | `opencli` |
+| Both installed — verifying local dev server, forms, components | `playwright-cli` (isolated, deterministic) |
+| Both installed — feature needs real login state (OAuth/SSO) | `opencli` (reuses Chrome sessions) |
+| Both installed — verifying third-party integration pages | `opencli` (has logged-in cookies) |
+| Both installed — headless CI environment | `playwright-cli` (no Chrome dependency) |
+| Neither installed | Skip — log `## Browser Verification: SKIPPED — no browser tool available` |
+
+If neither tool is available, install playwright-cli as the default:
+```bash
+npm install -g @playwright/cli@latest
+playwright-cli --version
+```
+
+Record your choice:
+```bash
+BROWSER_TOOL="playwright-cli"   # or "opencli"
+echo "Selected browser tool: $BROWSER_TOOL"
+```
+
+---
+
+**If you chose `playwright-cli`**, follow this workflow:
+
+0d. Check if playwright-cli skill is installed for the current AI platform:
+```bash
+CURRENT_PLATFORM=""
+if which claude >/dev/null 2>&1; then
+  CURRENT_PLATFORM="claude"; SKILL_DIR="$HOME/.claude/skills"
+elif which cbc >/dev/null 2>&1; then
+  CURRENT_PLATFORM="codebuddy"; SKILL_DIR="$HOME/.cbc/skills"
+else
+  CURRENT_PLATFORM="unknown"
+fi
+if [ -d "$SKILL_DIR/playwright-cli" ] || ls "$SKILL_DIR"/playwright* 2>/dev/null | grep -q .; then
+  echo "SKILL_EXISTS"
+else
+  echo "SKILL_MISSING"
+fi
+```
+If `SKILL_MISSING`: run `playwright-cli install --skills`. If current platform is NOT claude, copy installed skill from `$HOME/.claude/skills/playwright-cli` to `$SKILL_DIR/playwright-cli`.
+
+0e. Read the installed playwright-cli skill (SKILL.md) for workflow guidance. Learn usage: `playwright-cli --help`.
+
+**Step 1 — Start Dev Server + Open (playwright-cli)**:
+1. Identify and start the dev server (see port detection below)
+2. Open: `playwright-cli open http://localhost:$DEV_PORT`
+3. If auth needed, use playwright-cli to register a test user and log in
+
+**Step 2 — Verification (playwright-cli)**:
+Use `playwright-cli snapshot` to discover element refs, then verify these goals:
+   {{BROWSER_VERIFY_STEPS}}
+
+Construct your verification workflow based on: (1) the playwright-cli skill documentation, (2) the `--help` output, (3) the current task's acceptance criteria. Take a final screenshot: `playwright-cli screenshot`.
+
+**Step 3 — Cleanup (playwright-cli)**:
+1. `playwright-cli close`
+2. `kill $DEV_SERVER_PID 2>/dev/null || true`
+3. `lsof -ti:$DEV_PORT | xargs kill -9 2>/dev/null || true`
+
+---
+
+**If you chose `opencli`**, follow this workflow:
+
+0d. Learn usage: `opencli browser --help 2>/dev/null || opencli --help`
+
+**Step 1 — Start Dev Server + Open (opencli)**:
+1. Identify and start the dev server (see port detection below)
+2. Open and inspect: `opencli browser open http://localhost:$DEV_PORT && opencli browser state`
+3. If auth needed, opencli reuses Chrome cookies — SSO/OAuth may already be active
+
+**Step 2 — Verification (opencli)**:
+Use `opencli browser state` to discover elements with `[N]` indices, then verify these goals:
+   {{BROWSER_VERIFY_STEPS}}
+
+Key commands: `state`, `click <N>`, `type <N> "text"`, `get text <N>`, `get value <N>`, `wait text "..."`, `wait selector "..."`, `scroll down`, `eval "(function(){ ... })()"`.
+
+**Chain commands with `&&`**: `opencli browser type 3 "hello" && opencli browser click 7`
+
+Always run `state` after page-changing actions to get fresh indices.
+
+**Step 3 — Cleanup (opencli)**:
+1. `opencli browser close`
+2. `kill $DEV_SERVER_PID 2>/dev/null || true`
+3. `lsof -ti:$DEV_PORT | xargs kill -9 2>/dev/null || true`
+
+---
+
+**Shared: Dev Server Port Detection** (used by both tools):
+
+```bash
+DEV_PORT={{DEV_PORT}}
+if [ "$DEV_PORT" = "{{DEV_PORT}}" ]; then
+  DEV_PORT=$(node -e "const s=require('./package.json').scripts.dev; const m=s.match(/-p\s+(\d+)/); console.log(m?m[1]:'')")
+  if [ -z "$DEV_PORT" ]; then
+    DEV_PORT=$(echo "$NEXT_PUBLIC_SITE_URL" | sed -nE 's|.*:([0-9]+).*|\1|p')
+  fi
+  DEV_PORT=${DEV_PORT:-3000}
+fi
+echo "Detected DEV_PORT=$DEV_PORT"
+```
+
+Verify port available: `lsof -ti:$DEV_PORT 2>/dev/null && echo "PORT_IN_USE" || echo "PORT_FREE"`
+
+Start dev server: `<start-command> & DEV_SERVER_PID=$!`
+
+Wait for ready: poll `http://localhost:$DEV_PORT` with `curl -s -o /dev/null -w "%{http_code}"` until 200/302 (max 30s, 2s interval).
+
+---
+
+**Step 4 — Reporting** (both tools):
+
+Append results to `context-snapshot.md`:
+   ```
+   ## Browser Verification
+   Tool: <playwright-cli or opencli>
+   URL: http://localhost:$DEV_PORT
+   Dev Server Command: <actual command used>
+   Tool version: <version>
+   Steps executed: [list of commands used]
+   Screenshot: [path if taken]
+   Result: PASS / FAIL (reason)
+   Server cleanup: confirmed
+   Browser cleanup: confirmed
+   ```
+
+If verification fails, log the failure details but continue to commit. Failures do NOT block the commit, but you MUST attempt verification and MUST clean up the dev server.
+
+
+**Checkpoint update**: Update `workflow-checkpoint.json` — set step `browser-verification` to `"completed"`.

package/bundled/dev-pipeline/templates/sections/phase-browser-verification-opencli.md

@@ -0,0 +1,124 @@
+### Browser Verification (opencli) — MANDATORY
+
+You MUST execute this phase. Do NOT skip it. Do NOT mark it as completed without actually running opencli.
+
+**CRITICAL CONSTRAINT — opencli browser ONLY, NO Playwright**:
+- You MUST use `opencli browser` (the CLI tool) for ALL browser interactions in this phase
+- **NEVER** use playwright-cli, Playwright MCP server, or any MCP-based browser automation
+- All browser actions go through `opencli browser <command>` in the Bash tool, not through any MCP tool call
+- OpenCLI reuses Chrome's logged-in sessions — your existing authentication is available automatically
+
+**Step 0 — OpenCLI Readiness Check (BLOCKING — must pass before any browser action)**:
+
+0a. Check if `opencli` is installed:
+```bash
+which opencli 2>/dev/null && opencli --version 2>/dev/null || echo "NOT_INSTALLED"
+```
+If output is `NOT_INSTALLED`, install it:
+```bash
+npm install -g @jackwener/opencli@latest
+```
+Then verify installation succeeded: `opencli --version`. If installation fails, log `## Browser Verification: SKIPPED — opencli installation failed` in context-snapshot.md and proceed to the next phase.
+
+0b. Verify Browser Bridge connectivity:
+```bash
+opencli doctor
+```
+If `opencli doctor` fails (Chrome not running or extension not installed), log `## Browser Verification: SKIPPED — opencli doctor failed (Chrome/extension not ready)` in context-snapshot.md and proceed to the next phase.
+
+0c. Learn opencli browser usage (run once per session):
+```bash
+opencli browser --help 2>/dev/null || opencli --help
+```
+
+**Step 1 — Start Dev Server**:
+
+You know this project's tech stack. Detect and start the dev server yourself:
+
+1. Identify the dev server start command from project config (`package.json` scripts, `Makefile`, `docker-compose.yml`, etc.)
+2. **Detect the dev server port** — use the pre-detected port from pipeline if available, otherwise extract from project config. Do NOT hardcode or guess the port:
+   ```bash
+   DEV_PORT={{DEV_PORT}}
+   if [ "$DEV_PORT" = "{{DEV_PORT}}" ]; then
+     DEV_PORT=$(node -e "const s=require('./package.json').scripts.dev; const m=s.match(/-p\s+(\d+)/); console.log(m?m[1]:'')")
+     if [ -z "$DEV_PORT" ]; then
+       DEV_PORT=$(echo "$NEXT_PUBLIC_SITE_URL" | sed -nE 's|.*:([0-9]+).*|\1|p')
+     fi
+     DEV_PORT=${DEV_PORT:-3000}
+   fi
+   echo "Detected DEV_PORT=$DEV_PORT"
+   ```
+3. Verify the port is available:
+   ```bash
+   lsof -ti:$DEV_PORT 2>/dev/null && echo "PORT_IN_USE" || echo "PORT_FREE"
+   ```
+4. Start the dev server in background, capture PID:
+   ```bash
+   <start-command> &
+   DEV_SERVER_PID=$!
+   ```
+5. Wait for server to be ready: poll `http://localhost:$DEV_PORT` with `curl -s -o /dev/null -w "%{http_code}"` until it returns 200 or 302 (max 30 seconds, 2s interval)
+6. Open the app in opencli and inspect page state:
+   ```bash
+   opencli browser open http://localhost:$DEV_PORT && opencli browser state
+   ```
+7. If the page requires authentication, use opencli browser to interact with login forms (opencli reuses Chrome cookies, so SSO/OAuth may already be active)
+
+**Step 2 — Verification**:
+
+Use `opencli browser state` on the running app to discover elements with `[N]` indices, then verify these goals:
+   {{BROWSER_VERIFY_STEPS}}
+
+Key opencli browser commands for verification:
+- `opencli browser state` — structured DOM with `[N]` element indices (FREE, always use this)
+- `opencli browser click <N>` — click element by index
+- `opencli browser type <N> "text"` — type into input
+- `opencli browser get text <N>` — read element text
+- `opencli browser get value <N>` — read input value
+- `opencli browser wait text "Success"` — wait for text to appear
+- `opencli browser wait selector ".loaded"` — wait for element
+- `opencli browser scroll down` — scroll page
+- `opencli browser eval "(function(){ ... })()"` — read-only JS evaluation for data extraction
+
+**Chain commands aggressively with `&&`** to minimize tool calls:
+```bash
+# GOOD: open + inspect in one call
+opencli browser open http://localhost:$DEV_PORT && opencli browser state
+
+# GOOD: fill form in one call
+opencli browser type 3 "hello" && opencli browser type 4 "world" && opencli browser click 7
+
+# GOOD: click + wait + re-inspect
+opencli browser click 12 && opencli browser wait time 1 && opencli browser state
+```
+
+**IMPORTANT**: Always run `opencli browser state` after page-changing actions (open, click on links, scroll) to get fresh element indices. Never guess indices.
+
+Construct your verification workflow based on: (1) the `opencli browser --help` output, (2) the current task's acceptance criteria. Decide the concrete actions yourself. Take a final screenshot if needed: `opencli browser screenshot`.
+
+**Step 3 — Cleanup (REQUIRED — you started it, you stop it)**:
+
+1. Close the opencli browser session: `opencli browser close`
+2. Kill the dev server process: `kill $DEV_SERVER_PID 2>/dev/null || true`
+3. Verify port is released: `lsof -ti:$DEV_PORT | xargs kill -9 2>/dev/null || true`
+
+**Step 4 — Reporting**:
+
+Append results to `context-snapshot.md`:
+   ```
+   ## Browser Verification
+   Tool: opencli
+   URL: http://localhost:$DEV_PORT
+   Dev Server Command: <actual command used>
+   opencli version: <version>
+   Steps executed: [list of opencli browser commands used]
+   Screenshot: [path if taken]
+   Result: PASS / FAIL (reason)
+   Server cleanup: confirmed
+   Browser cleanup: confirmed
+   ```
+
+If verification fails, log the failure details but continue to commit. Failures do NOT block the commit, but you MUST attempt verification and MUST clean up the dev server.
+
+
+**Checkpoint update**: Update `workflow-checkpoint.json` — set step `browser-verification` to `"completed"`.

package/bundled/dev-pipeline/templates/sections/phase-review-agent.md

@@ -1,28 +1,21 @@
-### Review + Test — Reviewer Subagent
+### Review + Test — Code Review
 
-**Spawn Agent**:
-| Parameter | Value |
-|-----------|-------|
-| subagent_type | prizm-dev-team-reviewer |
-| run_in_background | false |
+Run `/prizmkit-code-review` with `artifact_dir=.prizmkit/specs/{{FEATURE_SLUG}}/`.
 
-**Prompt**:
-> {{AGENT_PROMPT_REVIEWER_REVIEW}}
-
-Wait for Reviewer to return.
+The skill runs an internal review-fix loop (Reviewer Agent → filter → Dev Agent fix, max 3 rounds) and writes `review-report.md` to the artifact directory.
 
 **Gate Check — Review Report**:
-After Reviewer agent returns, verify the review report was written:
+After `/prizmkit-code-review` returns, verify the review report:
 ```bash
-grep -q "## Findings" .prizmkit/specs/{{FEATURE_SLUG}}/review-report.md && echo "GATE:PASS" || echo "GATE:MISSING"
+grep -q "## Verdict" .prizmkit/specs/{{FEATURE_SLUG}}/review-report.md && echo "GATE:PASS" || echo "GATE:MISSING"
 ```
-If GATE:MISSING — send message to Reviewer (re-spawn if needed): "Write review-report.md to .prizmkit/specs/{{FEATURE_SLUG}}/ with findings."
-
-**Verdict decision** (L4 responsibility): Read review-report.md findings count. If findings exist → NEEDS_FIXES. If no findings → PASS.
+If GATE:MISSING — re-run `/prizmkit-code-review`.
 
-- If NEEDS_FIXES: spawn Dev to fix (Dev reads Fix Instructions in review-report.md), re-run Review (max 3 rounds)
+Read `review-report.md` and check the Verdict:
+- `PASS` → proceed to next phase
+- `NEEDS_FIXES` → the skill exhausted its max rounds; log the remaining findings and proceed (do not retry externally)
 
-**CP-3**: Tests pass, no unresolved findings.
+**CP-3**: Review complete, report written.
 
 
 **Checkpoint update**: Update `workflow-checkpoint.json` — set step `prizmkit-code-review` to `"completed"`.

package/bundled/dev-pipeline/templates/sections/phase-review-full.md

@@ -1,30 +1,23 @@
-### Review + Test — Reviewer Agent
+### Review + Test — Code Review
 
-**Spawn Agent**:
-| Parameter | Value |
-|-----------|-------|
-| subagent_type | prizm-dev-team-reviewer |
-| run_in_background | false |
+Run `/prizmkit-code-review` with `artifact_dir=.prizmkit/specs/{{FEATURE_SLUG}}/`.
 
-**Prompt**:
-> {{AGENT_PROMPT_REVIEWER_REVIEW}}
-
-Wait for Reviewer to return.
+The skill runs an internal review-fix loop (Reviewer Agent → filter → Dev Agent fix, max 3 rounds) and writes `review-report.md` to the artifact directory.
 
 **Gate Check — Review Report**:
-After Reviewer agent returns, verify the review report was written:
+After `/prizmkit-code-review` returns, verify the review report:
 ```bash
-grep -q "## Findings" .prizmkit/specs/{{FEATURE_SLUG}}/review-report.md && echo "GATE:PASS" || echo "GATE:MISSING"
+grep -q "## Verdict" .prizmkit/specs/{{FEATURE_SLUG}}/review-report.md && echo "GATE:PASS" || echo "GATE:MISSING"
 ```
-If GATE:MISSING — send message to Reviewer (re-spawn if needed): "Write review-report.md to .prizmkit/specs/{{FEATURE_SLUG}}/ with findings."
+If GATE:MISSING — re-run `/prizmkit-code-review`.
 
-**Verdict decision** (L4 responsibility): Read review-report.md findings count. If findings exist → NEEDS_FIXES. If no findings → PASS.
+Read `review-report.md` and check the Verdict:
+- `PASS` → proceed to next phase
+- `NEEDS_FIXES` → the skill exhausted its max rounds; log the remaining findings and proceed (do not retry externally)
 
-- If NEEDS_FIXES: spawn Dev to fix with this prompt:
-  > {{AGENT_PROMPT_DEV_FIX}}
-  Then re-run Review (max 3 rounds).
+Run the full test suite: `({{TEST_CMD}}) 2>&1 | tee /tmp/review-test-out.txt | tail -20`
 
-**CP-3**: Integration tests pass, no unresolved findings.
+**CP-3**: Review complete, tests pass, report written.
 
 
 **Checkpoint update**: Update `workflow-checkpoint.json` — set step `prizmkit-code-review` to `"completed"`.

package/bundled/skills/_metadata.json

@@ -1,5 +1,5 @@
 {
-  "version": "1.1.35",
+  "version": "1.1.36",
   "skills": {
     "prizm-kit": {
       "description": "Full-lifecycle dev toolkit. Covers spec-driven development, Prizm context docs, code quality, debugging, deployment, and knowledge management.",

package/bundled/skills/feature-planner/SKILL.md

@@ -284,9 +284,10 @@ A feature is **exempt** when ANY true:
 
 ### Default Behavior (Phase 4.2)
 
-1. **Auto-generate** `browser_interaction` for ALL qualifying features. Read `${SKILL_DIR}/references/browser-interaction.md` for the object format and field rules.
-2. **Present a summary** to the user showing which features received `browser_interaction`.
-3. **User can opt-OUT** specific features.
+1. **Auto-generate** `browser_interaction` for ALL qualifying features. Read `${SKILL_DIR}/references/browser-interaction.md` for the object format, field rules, and `tool` selection guide.
+2. **Tool selection**: Default `tool` to `"auto"`. Override to `"opencli"` when the feature involves OAuth/SSO callbacks, third-party dashboard verification, or requires real login state. Override to `"playwright-cli"` when the feature is purely local UI (forms, components, routing).
+3. **Present a summary** to the user showing which features received `browser_interaction` (including the `tool` value).
+4. **User can opt-OUT** specific features or override the `tool` choice.
 
 ## Output Rules
 
@@ -300,7 +301,7 @@ Key requirements:
 - new items default `status: "pending"`
 - English feature titles for stable slug generation
 - `critic` / `critic_count` defaults per Testing Defaults section
-- `browser_interaction` auto-generated for qualifying frontend features
+- `browser_interaction` auto-generated for qualifying frontend features (with `tool` selection: `auto`/`playwright-cli`/`opencli`)
 - descriptions: minimum 15 words (error), recommended minimum 30/50/80/100+ for low/medium/high/critical (warning). No upper limit — more detail prevents AI guessing
 - `estimated_complexity` determines pipeline execution tier:
   - `low` / `medium` → **lite** (single agent, no subagents)
@@ -322,7 +323,7 @@ Set default testing-related fields for each feature. The user can opt out.
 | medium | `true` | `1` | Single critic review |
 | low | `false` | (omitted) | Skip critic |
 
-For frontend features with `browser_interaction`, Playwright verification is enabled by default.
+For frontend features with `browser_interaction`, browser verification is enabled by default. The `tool` field determines which browser tool is used (default: `auto` — AI chooses at runtime between `playwright-cli` and `opencli`).
 
 Present a consolidated testing summary table at Phase 8, then ask for confirmation.
 

package/bundled/skills/feature-planner/references/browser-interaction.md

@@ -22,7 +22,20 @@ For each qualifying feature, generate the `browser_interaction` object:
 
 ## Field Rules
 
-- `verify_steps` are **verification goals**, not specific playwright-cli commands. Describe WHAT to verify, not HOW to verify it. The pipeline AI will:
+- `tool` selects the browser verification tool. Values: `"playwright-cli"`, `"opencli"`, `"auto"` (default).
+  - **`"auto"`** (default): AI chooses at runtime based on available tools and scenario. Recommended for most cases.
+  - **`"playwright-cli"`**: Isolated browser instance, no login state. Best for local dev server verification, form testing, component rendering checks.
+  - **`"opencli"`**: Reuses Chrome's logged-in sessions via Browser Bridge. Best for verifying third-party integrations (OAuth callbacks, API dashboards), features requiring real authentication state, or pages behind SSO.
+
+  | Scenario | Recommended `tool` |
+  |----------|-------------------|
+  | Local dev server, pure frontend components | `playwright-cli` |
+  | Needs real login state (e.g., OAuth redirect page) | `opencli` |
+  | Third-party API integration dashboard verification | `opencli` |
+  | Headless CI environment | `playwright-cli` |
+  | Unsure / mixed scenarios | `auto` |
+
+- `verify_steps` are **verification goals**, not specific tool commands. Describe WHAT to verify, not HOW to verify it. The pipeline AI will:
   1. Auto-detect the dev server start command from project config (`package.json`, `Makefile`, etc.)
   2. Start the server and discover the URL/port at runtime
   3. Use `playwright-cli snapshot` to discover real element refs