prizmkit 1.1.35 → 1.1.37

package/bundled/skills/prizmkit-code-review/SKILL.md

@@ -1,11 +1,17 @@
 ---
 name: "prizmkit-code-review"
-description: "Code review against spec and plan. Diagnoses issues across multiple dimensions, produces findings with fix instructions. Use after /prizmkit-implement as quality gate. Trigger on: 'review', 'check code', 'code review', 'is it ready to commit'. (project)"
+description: "Iterative review-fix loop against spec and plan. Spawns a read-only Reviewer agent, filters findings, then a Dev agent applies fixes. Loops until PASS (max 3 rounds). Use after /prizmkit-implement as quality gate. Trigger on: 'review', 'check code', 'code review', 'is it ready to commit'. (project)"
 ---
 
 # PrizmKit Code Review
 
-Review code changes against the spec, plan, and project conventions. Produces a diagnostic report with findings and actionable fix instructions. The review itself is read-only — no source code is modified.
+An iterative review-fix loop that reviews code changes against the spec and plan, then automatically fixes issues. Uses three separated roles:
+
+- **Reviewer Agent** (read-only): analyzes git diff against spec goals and plan decisions, produces structured findings
+- **Main Agent** (orchestrator): filters Reviewer findings for reasonableness, coordinates the loop
+- **Dev Agent** (read-write): applies fixes for accepted findings
+
+The loop repeats until the Reviewer finds no issues or the max round limit is reached.
 
 ### When to Use
 - After `/prizmkit-implement` to verify code quality before commit
@@ -22,68 +28,193 @@ Review code changes against the spec, plan, and project conventions. Produces a
 |-----------|----------|-------------|
 | `artifact_dir` | No | Directory containing spec.md + plan.md. If omitted, scan `.prizmkit/` subdirectories for the most recently modified directory with a `plan.md` whose tasks are all completed. |
 
-## Context Loading
+## Phase 0: Context Loading
 
-1. **Task context**: Read `spec.md`, `plan.md`, and any companion documents (e.g., `refactor-analysis.md`) from the artifact directory.
-2. **Architecture context**: Read `.prizm-docs/root.prizm` (L0) and relevant L1/L2 docs for affected modules — check RULES, PATTERNS, TRAPS, DECISIONS.
+1. **Read spec.md** from the artifact directory — extract goals and acceptance criteria.
+2. **Read plan.md** from the artifact directory — extract architecture decisions and completed tasks.
+3. **Capture workspace diff**: run `git diff` (unstaged) + `git diff --cached` (staged) + `git status` to understand the full scope of changes. For new files in git status, note their paths for the Reviewer to read.
+   - If no changes are detected, output PASS and stop.
 
-## Phase 1: Diagnostic Review
+## Phase 1: Review-Fix Loop
 
-1. **Identify changed files**: Extract file paths from completed tasks in plan.md, or use `git diff` against the branch base.
-2. **Read changed files**: Scan all code files identified above.
-3. **Review across dimensions**: Load `${SKILL_DIR}/rules/dimensions.md` and evaluate each applicable dimension. Dimensions are conditionally triggered based on what sections exist in spec.md — see the dimensions file for trigger conditions.
-4. **Generate findings**: For each issue found, describe the problem, its location, which dimension it falls under, and why it matters.
-5. If unsure whether something is a bug or intentional design, flag it with a note asking the developer to confirm.
+```
+┌─── Loop (max 3 rounds) ──────────────────────────────┐
+│                                                        │
+│  Step 1: Spawn Reviewer Agent (read-only)              │
+│    → Input: git diff + spec goals + plan decisions     │
+│    → Output: structured findings or PASS               │
+│                                                        │
+│  Step 2: Check result                                  │
+│    → If PASS (no findings): exit loop                  │
+│                                                        │
+│  Step 3: Main Agent filters findings                   │
+│    → For each finding: accept (reasonable) or reject   │
+│    → If all rejected: exit loop                        │
+│                                                        │
+│  Step 4: Spawn Dev Agent (read-write)                  │
+│    → Input: accepted findings + spec/plan context      │
+│    → Output: fix report                                │
+│                                                        │
+│  Step 5: Back to Step 1                                │
+│                                                        │
+│  Hard limit: exit after 3 rounds regardless            │
+│  → On max-round exhaustion: output a summary of all    │
+│    unresolved findings to the conversation, then write  │
+│    review-report.md with NEEDS_FIXES verdict.           │
+└────────────────────────────────────────────────────────┘
+```
 
-## Phase 2: Fix Strategy
+### Step 1: Spawn Reviewer Agent
 
-For each finding, load `${SKILL_DIR}/rules/fix-strategy.md` and produce structured Fix Instructions: Root Cause, Impact, Fix Strategy, Code Guidance, Verification Criteria.
+Spawn a **read-only** agent (subagent_type: `Explore`) with the following prompt:
 
-## Reviewer Agent Mode
+```
+You are a code reviewer. Review workspace changes against the spec goals and plan decisions.
 
-When interactive session is available, offer the option to spawn an independent reviewer subagent:
+## Spec Goals
+{goals and acceptance criteria from spec.md}
 
-1. Spawn a reviewer subagent with **read-only** permissions (Read, Glob, Grep, Bash for test commands only)
-2. The subagent independently reviews changed files against spec/plan/dimensions and produces findings
-3. The main agent receives findings and applies fixes
-4. Re-spawn the subagent to verify fixes
-5. Repeat until the subagent reports no more findings or the caller's maximum iteration limit is reached
+## Plan Decisions
+{architecture decisions and task list from plan.md}
 
-In non-interactive mode, perform the review directly (no subagent).
+## Review Round
+Round {N}. {round_context}
 
-## Output
+## What to Review
+Run these commands to see the current workspace changes:
+- `git diff` (unstaged changes)
+- `git diff --cached` (staged changes)
+- `git status` (new/deleted files)
 
-Write `review-report.md` to the artifact directory:
+For new files shown in git status, read their full content.
+For modified files, read enough surrounding context to understand the change.
 
-```markdown
-# Review Report
+## Review Dimensions
+Evaluate the changes across these dimensions (focus on what's relevant):
+
+1. **Goal alignment**: Do the changes accomplish all goals from spec.md? Anything missing or off-target?
+2. **Defects**: Logic bugs, missing error handling, boundary condition issues, incorrect behavior.
+3. **Completeness**: Files that should have been changed but weren't? Missing tests, types, imports, exports?
+4. **Consistency**: Do changes follow the project's existing patterns, naming conventions, and code style?
+5. **Security**: Hardcoded secrets, injection vulnerabilities, unsafe operations.
+
+## Output Format
+Respond with EXACTLY this format:
+
+### Result: PASS | NEEDS_FIXES
+
+### Findings
+(If PASS, write "No issues found.")
+
+#### Finding N
+- **Severity**: high | medium | low
+- **Dimension**: goal-alignment | defect | completeness | consistency | security
+- **Location**: filepath:line (or "project-level")
+- **Problem**: What is wrong and why it matters
+- **Suggestion**: Recommended fix approach
+- **Verification**: How to confirm the fix is correct
+
+### Summary
+One to two sentences about the overall state of the changes.
+```
 
-## Verdict: PASS | NEEDS_FIXES
+**Round context** varies by round:
+- Round 1: "This is the first review. Examine all changes comprehensively."
+- Round 2+: "Previous round found issues that were fixed. Focus on: (1) whether previous fixes are correct, (2) whether fixes introduced new problems, (3) any remaining issues. Do not re-report issues that have already been fixed."
 
-## Summary: X findings
+### Step 2: Check Result
 
-## Findings
+Parse the Reviewer Agent's output:
+- If `Result: PASS` → exit loop, proceed to Phase 2.
+- If `Result: NEEDS_FIXES` → extract findings and continue to Step 3.
 
-### Finding 1: Title
-- Location: file:line
-- Dimension: category
-- Problem: what is wrong and why it matters
-- Root Cause: explanation
-- Impact: affected callers/dependents
-- Fix Strategy: step-by-step
-- Code Guidance: before/after snippet
-- Verification: commands/checks to confirm
-- Related: Finding N (if grouped)
+### Step 3: Main Agent Filters Findings
+
+Review each finding and decide whether it's reasonable. This prevents unnecessary or harmful changes.
+
+**For each finding, evaluate:**
+- Is this relevant to the current changes? (Reject findings about unmodified, unrelated code.)
+- Is this a real problem or a subjective style preference? (Reject pure style preferences unless they violate clear project conventions.)
+- Would fixing this improve the code without introducing risk? (Reject fixes that require large refactors outside scope.)
+
+**Output per finding:**
+- **Accepted**: The finding is reasonable — include it in the Dev Agent's task.
+- **Rejected** (with reason): Brief explanation (e.g., "Out of scope", "Style preference, not a defect").
+
+If all findings are rejected → exit loop, proceed to Phase 2.
+
+### Step 4: Spawn Dev Agent
+
+Spawn a **general-purpose** agent (read-write) with the following prompt:
+
+```
+You are a developer fixing code review findings. Apply each fix carefully without breaking existing functionality.
+
+## Spec Context
+{goals from spec.md for reference}
+
+## Findings to Fix
+{accepted findings list — each with Severity, Location, Problem, Suggestion, Verification}
+
+## Instructions
+1. Read each finding carefully.
+2. For each finding:
+   a. Read the relevant code and understand the context.
+   b. Implement the fix based on the suggestion.
+   c. If a suggestion is not feasible (would break other functionality, technically impossible), explain why.
+3. After all fixes, report what you did.
+
+## Output Format
+For each finding, report:
+- **Finding N**: [fixed | unable-to-fix]
+- **What was done**: Brief description
+- **Files modified**: List of changed files
+(If unable-to-fix, explain why)
 ```
 
-- `PASS`: 0 findings
-- `NEEDS_FIXES`: 1+ findings with fix instructions
+After the Dev Agent returns, record results and return to Step 1 for the next round.
 
-Also output findings summary to conversation.
+## Phase 2: Output
+
+Write `review-report.md` to the artifact directory:
+
+```markdown
+# Review Report
+
+## Verdict: PASS
+## Rounds: 2
+## Total findings: 3 → Fixed: 2, Rejected: 1
+
+## Round 1
+Findings: 3 | Accepted: 2, Rejected: 1
+
+### Finding 1: Missing null check in parseConfig
+- Severity: high
+- Dimension: defect
+- Location: src/config.ts:42
+- Problem: parseConfig crashes when input is undefined
+- Status: fixed (round 1)
+
+### Finding 2: Export missing from index.ts
+- Severity: medium
+- Dimension: completeness
+- Location: src/index.ts
+- Problem: New parseConfig function not exported
+- Status: fixed (round 1)
+
+### Finding 3: Consider renaming variable
+- Severity: low
+- Dimension: consistency
+- Location: src/config.ts:15
+- Problem: Variable `d` should be more descriptive
+- Status: rejected — Style preference; existing code uses short names in this module
+
+## Round 2: PASS — no new findings
+```
 
-**HANDOFF:** `/prizmkit-retrospective` (if no findings) or apply fixes and re-review (if findings exist)
+- `PASS`: Reviewer returned no findings (or all remaining findings were rejected as unreasonable)
+- `NEEDS_FIXES`: 3 rounds completed but unresolved findings remain
 
-## References
+Also output a completion summary to conversation.
 
-- Review dimensions: `${SKILL_DIR}/rules/dimensions.md`
-- Fix strategy formulation: `${SKILL_DIR}/rules/fix-strategy.md`
+**HANDOFF:** `/prizmkit-retrospective` (if PASS) or inform the caller of remaining issues (if NEEDS_FIXES after max rounds)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "prizmkit",
-  "version": "1.1.35",
+  "version": "1.1.37",
   "description": "Create a new PrizmKit-powered project with clean initialization — no framework dev files, just what you need.",
   "type": "module",
   "bin": {

package/src/index.js

@@ -68,6 +68,7 @@ export async function runScaffold(directory, options) {
       team: options.team !== false,
       pipeline: options.pipeline !== false,
       playwrightCli: options.playwrightCli !== false,
+      openCli: options.openCli !== false,
       rules: options.rules || 'recommended',
       aiCli: options.aiCli || '',
       externalSkills: options.externalSkills ? options.externalSkills.split(',').map(s => s.trim()).filter(Boolean) : [],
@@ -191,6 +192,12 @@ export async function runScaffold(directory, options) {
       default: true,
     });
 
+    // 4.6. OpenCLI (browser interaction with Chrome login session reuse)
+    const openCli = await confirm({
+      message: '安装浏览器交互工具 (opencli)? 复用 Chrome 登录态，支持 OAuth/第三方集成验证',
+      default: true,
+    });
+
     // 5. Rules 预设
     const rulesPreset = await select({
       message: '安装 AI 行为规则 (rules):',
@@ -215,7 +222,8 @@ export async function runScaffold(directory, options) {
     console.log(`    技能:       ${chalk.cyan(suiteLabel)}`);
     console.log(`    团队模式:   ${team ? chalk.green('启用') : chalk.gray('禁用')}`);
     console.log(`    流水线:     ${pipeline ? chalk.green('启用') : chalk.gray('禁用')}`);
-    console.log(`    浏览器工具: ${playwrightCli ? chalk.green('启用') : chalk.gray('禁用')}`);
+    const browserToolsLabel = [playwrightCli && 'playwright-cli', openCli && 'opencli'].filter(Boolean);
+    console.log(`    浏览器工具: ${browserToolsLabel.length ? chalk.green(browserToolsLabel.join(' + ')) : chalk.gray('禁用')}`);
     console.log(`    规则:       ${chalk.cyan(rulesPreset)}`);
     if (aiCli) console.log(`    AI CLI:     ${chalk.cyan(aiCli)}`);
     if (selectedExternalSkills.length > 0) console.log(`    外部技能:   ${chalk.cyan(selectedExternalSkills.join(', '))}`);
@@ -239,6 +247,7 @@ export async function runScaffold(directory, options) {
       team,
       pipeline,
       playwrightCli,
+      openCli,
       rules: rulesPreset,
       aiCli: aiCli || '',
       externalSkills: selectedExternalSkills,

package/src/scaffold.js

@@ -774,6 +774,43 @@ export async function installPlaywrightCli(projectRoot, dryRun) {
   }
 }
 
+// ============================================================
+// OpenCLI 安装
+// ============================================================
+
+/**
+ * 安装 opencli（全局 npm 包）
+ * 用于浏览器交互验证，复用 Chrome 已登录会话（OAuth/SSO/第三方集成）
+ */
+export async function installOpenCli(projectRoot, dryRun) {
+  if (dryRun) {
+    console.log(chalk.gray('      [dry-run] @jackwener/opencli (global install)'));
+    return;
+  }
+
+  // Check if already installed
+  try {
+    execSync('opencli --version', { stdio: 'pipe' });
+    console.log(chalk.green('      ✓ opencli (already installed)'));
+  } catch {
+    // Not installed, install it
+    try {
+      console.log(chalk.blue('      ⏳ Installing @jackwener/opencli globally...'));
+      execSync('npm install -g @jackwener/opencli@latest', { stdio: 'pipe', timeout: 120000 });
+      console.log(chalk.green('      ✓ @jackwener/opencli installed globally'));
+    } catch (e) {
+      console.log(chalk.yellow(`      ⚠ @jackwener/opencli install failed: ${e.message}`));
+      console.log(chalk.yellow('      ⚠ Run manually: npm install -g @jackwener/opencli@latest'));
+      return;
+    }
+  }
+
+  // Note: opencli requires Chrome + Browser Bridge extension for browser-backed commands.
+  // The extension must be installed manually — see: https://github.com/jackwener/opencli
+  console.log(chalk.gray('      ℹ OpenCLI requires Chrome + Browser Bridge extension for browser commands'));
+  console.log(chalk.gray('      ℹ Run "opencli doctor" to verify connectivity'));
+}
+
 // ============================================================
 // Extras 注册表
 // ============================================================
@@ -784,9 +821,13 @@ export async function installPlaywrightCli(projectRoot, dryRun) {
  */
 export const EXTRAS_REGISTRY = {
   'playwright-cli': {
-    label: '浏览器交互工具',
+    label: '浏览器交互工具 (playwright-cli)',
     install: installPlaywrightCli,
   },
+  'opencli': {
+    label: '浏览器交互工具 (opencli — 复用 Chrome 登录态)',
+    install: installOpenCli,
+  },
 };
 
 // ============================================================
@@ -804,11 +845,12 @@ export const EXTRAS_REGISTRY = {
  * @param {string} [config.aiCli] - AI CLI 可执行命令（写入 .prizmkit/config.json）
  * @param {string[]} [config.externalSkills] - 要安装的外部 skill 名称列表
  * @param {boolean} [config.playwrightCli] - 是否安装 playwright-cli
+ * @param {boolean} [config.openCli] - 是否安装 opencli
  * @param {string} config.projectRoot - 目标项目根目录
  * @param {boolean} config.dryRun - 是否为预览模式
  */
 export async function scaffold(config) {
-  const { platform, skills, team, pipeline, rules, aiCli, externalSkills, playwrightCli, projectRoot, dryRun } = config;
+  const { platform, skills, team, pipeline, rules, aiCli, externalSkills, playwrightCli, openCli, projectRoot, dryRun } = config;
   const platforms = platform === 'both' ? ['codebuddy', 'claude'] : [platform];
 
   if (dryRun) {
@@ -910,6 +952,12 @@ export async function scaffold(config) {
     await installPlaywrightCli(projectRoot, dryRun);
     console.log('');
   }
+  if (openCli) {
+    activeExtras.push('opencli');
+    console.log(chalk.blue(`    ${EXTRAS_REGISTRY['opencli'].label}:`));
+    await installOpenCli(projectRoot, dryRun);
+    console.log('');
+  }
 
   // 11. Clean up stray .codebuddy/ directory left by third-party tools (e.g. npx skills)
   // when installing for Claude Code only. CodeBuddy files should never appear in a
@@ -998,7 +1046,8 @@ export async function scaffold(config) {
     console.log(chalk.gray(`    平台: ${platforms.map(p => p === 'codebuddy' ? 'CodeBuddy' : 'Claude Code').join(' + ')}`));
     console.log(chalk.gray(`    团队: ${team ? '已启用' : '未启用'}`));
     console.log(chalk.gray(`    流水线: ${pipeline ? '已安装' : '未安装'}`));
-    console.log(chalk.gray(`    浏览器工具: ${playwrightCli ? '已安装 (playwright-cli)' : '未安装'}`));
+    const browserTools = [playwrightCli && 'playwright-cli', openCli && 'opencli'].filter(Boolean);
+    console.log(chalk.gray(`    浏览器工具: ${browserTools.length ? '已安装 (' + browserTools.join(' + ') + ')' : '未安装'}`));
     console.log(chalk.gray(`    规则: ${rules || 'recommended'}`));
     if (aiCli) console.log(chalk.gray(`    AI CLI: ${aiCli}`));
     console.log('');

package/bundled/skills/prizmkit-code-review/rules/dimensions.md

@@ -1,85 +0,0 @@
-# Review Dimensions
-
-Evaluate code changes across the following dimensions. Each dimension is either **always active** or **conditionally triggered** based on spec.md content.
-
----
-
-## §1 Goal Compliance (always active)
-
-Does code implement all goals and acceptance criteria from spec.md?
-
-- Check every goal (G-N) in spec.md has a corresponding implementation
-- Verify acceptance criteria are met
-- Verify edge cases mentioned in spec are handled
-- Confirm scope boundaries are respected (no over-implementation, no under-implementation)
-
-## §2 Plan Adherence (always active)
-
-Does implementation follow architectural decisions in plan.md?
-
-- Check component structure matches plan's change approach
-- Verify data model matches plan's schema design (if applicable)
-- Confirm API contracts (endpoints, request/response) match plan (if applicable)
-- Deviations may be improvements — flag for confirmation, not automatic rejection
-
-## §3 Behavior Preservation (conditional: spec.md has `## Behavior Preservation`)
-
-Observable behavior for existing functionality must remain unchanged.
-
-- All existing tests still pass without modification
-- Public API signatures are unchanged (parameter types, return types, error types)
-- Side effects (logging, metrics, events) are preserved unless explicitly scoped for removal
-- Edge case handling is preserved — changes often silently drop edge case branches
-
-## §4 Code Quality (always active)
-
-Naming, structure, complexity, DRY. Focus on maintainability.
-
-- Function/variable names are descriptive and consistent with project conventions
-- No unnecessary complexity (deep nesting, oversized functions)
-- No copy-paste duplication that should be abstracted
-- Error messages are informative for debugging
-
-## §5 Security (always active)
-
-Injection, auth/authz gaps, sensitive data exposure, insecure defaults.
-
-- User input is validated and sanitized before use in queries, HTML, or commands
-- Authentication and authorization checks are present on protected routes
-- Sensitive data (passwords, tokens, PII) is not logged or exposed in responses
-- Cryptographic operations use established libraries, not custom implementations
-
-## §6 Consistency (always active)
-
-Follows project patterns from `.prizm-docs/` PATTERNS and RULES sections.
-
-- Code style matches existing codebase conventions
-- Error handling follows established patterns
-- File organization follows project structure conventions
-- Naming conventions align with `.prizm-docs/` RULES
-
-## §7 Test Coverage (always active)
-
-Are critical paths tested?
-
-- Happy path tests exist for each goal
-- Error/edge case tests for critical paths
-- Tests are deterministic (no flaky timing dependencies)
-- Test names clearly describe what they verify
-
-## §8 Fix Correctness (conditional: spec.md has `## Root Cause`)
-
-The fix addresses the actual root cause, not just symptoms.
-
-- The root cause identified in spec.md is addressed
-- A regression test exists that would catch this issue if reintroduced
-- The fix does not change behavior for non-affected inputs
-- Related code paths are not inadvertently affected
-
-## §9 Change Scope (conditional: spec.md `## Scope` emphasizes minimal change)
-
-Only files directly related to the task are modified.
-
-- No "while I'm here" changes mixed with the primary task
-- If scope creep is detected, flag it — those changes belong in a separate commit
-- Structural improvement (refactoring) is measured against stated goals, not unbounded

package/bundled/skills/prizmkit-code-review/rules/fix-strategy.md

@@ -1,61 +0,0 @@
-# Fix Strategy Formulation
-
-For each finding from the Diagnostic Review, produce actionable Fix Instructions.
-
-## Per-Finding Analysis
-
-### 1. Root Cause Analysis
-Identify WHY the problem exists, not just WHAT is wrong. Trace the issue to its origin (wrong assumption? missing context? copy-paste error?).
-
-### 2. Impact Analysis
-Search the codebase for all callers/dependents of the affected code. List concrete `file:line` locations that will be affected by the fix.
-
-### 3. Fix Strategy
-Concrete step-by-step modification plan:
-- What to change, where, and in what order
-- Which project conventions to follow (reference `.prizm-docs/` RULES)
-- Dependencies between fixes (Finding 1 must be done before Finding 3)
-
-### 4. Code Guidance
-Show before/after code snippets for the key change. Keep minimal — enough to unambiguate the approach, not a full implementation.
-
-### 5. Verification Criteria
-How to confirm the fix works:
-- Specific commands to run (grep patterns, test commands)
-- What the output should look like
-- Edge cases to verify
-
-## Finding Grouping
-
-Group related findings that should be fixed together. If Finding 1 and Finding 3 share the same root cause or affect the same code path, mark them as a group with a shared fix strategy. This prevents fixing symptoms individually only to have the underlying cause persist.
-
-## Fix Ordering
-
-Order Fix Instructions by:
-1. **Dependencies first** — if Finding 2 depends on Finding 1, Finding 1 comes first
-2. **Grouped fixes together** — related findings are adjacent
-
-## Finding Format
-
-```
-### Finding N: Title
-- Location: file:line
-- Dimension: category
-- Problem: what is wrong and why it matters
-- Root Cause: explanation
-- Impact: affected callers/dependents with file:line locations
-- Fix Strategy:
-  1. step one
-  2. step two
-  Note: reference project conventions from .prizm-docs/ RULES
-- Code Guidance:
-  ```language
-  // before → after
-  ```
-- Verification:
-  - command to run
-  - expected output
-- Related: Finding X (if grouped)
-- Depends On: Finding Y (if dependency)
-- Blocks: Finding Z (if blocking)
-```