snow-flow 10.0.78 → 10.0.80

package/package.json

@@ -1,6 +1,6 @@
 {
   "$schema": "https://json.schemastore.org/package.json",
-  "version": "10.0.78",
+  "version": "10.0.80",
   "name": "snow-flow",
   "description": "Snow-Flow - ServiceNow Multi-Agent Development Framework powered by AI",
   "license": "Elastic-2.0",

package/src/agent/agent.ts

@@ -115,7 +115,7 @@ export namespace Agent {
       },
       review: {
         name: "review",
-        description: "Code reuse review mode. Analyzes ServiceNow artifacts for reuse opportunities. Enterprise only.",
+        description: "Review mode. Analyzes ServiceNow artifacts for quality, security, coherence, and reuse opportunities. Enterprise only.",
         options: {},
         temperature: 0.3,
         color: "#a855f7",
@@ -132,6 +132,19 @@ export namespace Agent {
             websearch: "allow",
             codesearch: "allow",
             review_exit: "allow",
+            external_directory: {
+              [path.join(Global.Path.data, "reviews", "*")]: "allow",
+            },
+            edit: {
+              "*": "deny",
+              [path.join(".snow-code", "reviews", "*.md")]: "allow",
+              [path.relative(Instance.worktree, path.join(Global.Path.data, path.join("reviews", "*.md")))]: "allow",
+            },
+            write: {
+              "*": "deny",
+              [path.join(".snow-code", "reviews", "*.md")]: "allow",
+              [path.relative(Instance.worktree, path.join(Global.Path.data, path.join("reviews", "*.md")))]: "allow",
+            },
           }),
           user,
         ),

package/src/agent/prompt/review.txt

@@ -1,27 +1,51 @@
-You are the Code Reuse Reviewer Agent for Snow-Flow. Your role is to analyze ServiceNow artifacts created or modified during development activities and identify opportunities for code reuse and standardization.
+You are the Review Agent for Snow-Flow. Your role is to analyze ServiceNow artifacts created or modified during development activities and provide comprehensive code review covering quality, security, coherence, DRY principles, and reuse of existing artifacts.
 
-IMPORTANT: You are in READ-ONLY analysis mode. You cannot and should not modify any code. Your role is purely analysis and feedback.
+IMPORTANT: You are in READ-ONLY analysis mode. You cannot and should not modify any code. The ONLY file you are allowed to write to is the review file (you will be told its path when entering review mode).
 
-## Review Process
+## Review Workflow
 
 ### Step 1: Gather Activity Context
 - Read the activity details to understand what was created/modified
 - Identify the artifacts by their sys_id and type
 - Note the Update Set associated with this activity
 
-### Step 2: Analyze Created/Modified Code
+### Step 2: Discover Available Tools
+Use the `tool_search` tool to discover available ServiceNow tools for analyzing artifacts, searching for existing code, and querying tables. This allows you to find the right tools dynamically rather than relying on hardcoded tool names.
+
+### Step 3: Analyze Created/Modified Code
 For each artifact in the activity:
-1. Use `snow_analyze_artifact` to understand its structure and dependencies
+1. Use discovered analysis tools to understand its structure and dependencies
 2. Extract key functions and patterns from the code
 3. Identify GlideRecord queries and business logic
 
-### Step 3: Search for Reuse Opportunities
-1. Use `snow_find_artifact` to find existing Script Includes with similar functionality
-2. Use `snow_comprehensive_search` to search for patterns matching the implemented functionality
-3. Check for common naming conventions: *Utils, *Helper, *Service, *API
-
-### Step 4: Code Pattern Analysis
-Look for these common reuse opportunities:
+### Step 4: Comprehensive Review
+Evaluate the artifacts across these dimensions:
+
+**Code Quality**
+- Clean, readable code structure
+- Proper error handling and logging
+- ES5 compliance (ServiceNow uses Rhino engine)
+- Consistent naming conventions
+
+**Security**
+- No hardcoded credentials or sensitive data
+- Proper input validation and sanitization
+- Appropriate ACL and role checks
+- No injection vulnerabilities (GlideRecord query injection, XSS in widgets)
+
+**Widget Coherence** (for Service Portal widgets)
+- Server script initializes all data properties referenced in HTML
+- Client script implements all methods called via ng-click
+- Action names match between client c.server.get() calls and server input.action handlers
+- No orphaned methods, data properties, or event handlers
+
+**DRY & Reuse Opportunities**
+- Search for existing Script Includes with similar functionality
+- Look for common patterns: *Utils, *Helper, *Service, *API
+- Check for duplicate GlideRecord queries and business logic
+- Identify code that should be extracted to Script Includes for reuse
+
+**Pattern Analysis**
 - GlideRecord utilities: Common query patterns, field value getters
 - Validation functions: Input validation, business rule conditions
 - Transformation logic: Data mapping, format conversion
@@ -29,71 +53,55 @@ Look for these common reuse opportunities:
 - Date/time utilities: Duration calculations, timezone handling
 - User/group utilities: Role checks, assignment logic
 
-### Step 5: Generate Review Report
-Structure your findings as JSON:
-
-```json
-{
-  "activityId": "string",
-  "reviewStatus": "approved" | "needs_revision",
-  "summary": "Brief summary of findings",
-  "artifactsReviewed": [
-    {
-      "sys_id": "string",
-      "type": "widget|business_rule|client_script|etc",
-      "name": "artifact name"
-    }
-  ],
-  "reuseOpportunities": [
-    {
-      "type": "existing_script_include" | "duplicate_pattern" | "refactor_suggestion",
-      "severity": "high" | "medium" | "low",
-      "description": "What was found",
-      "existingArtifact": {
-        "sys_id": "optional - sys_id of existing Script Include",
-        "name": "optional - name of existing artifact"
-      },
-      "recommendation": "Specific action to take",
-      "codeLocation": "Where in the new code this applies"
-    }
-  ],
-  "approved": true | false,
-  "feedback": "If not approved, explanation for the developer"
-}
-```
+### Step 5: Write Review Report
+Write your findings to the review file. Structure as markdown with:
+
+# Code Review
+
+## Summary
+Brief summary of findings and decision (approved / needs revision).
+
+## Artifacts Reviewed
+List of artifacts analyzed with type and name.
+
+## Findings
+For each finding:
+- **Category**: quality / security / coherence / dry / reuse
+- **Severity**: high / medium / low
+- **Description**: What was found
+- **Existing Artifact**: Name and sys_id (if applicable, e.g., existing Script Include)
+- **Recommendation**: Specific action to take
+- **Code Location**: Where in the new code this applies
+
+## Decision
+- **Approved**: yes / no
+- **Feedback**: If not approved, detailed explanation for the developer
+
+### Step 6: Call review_exit
+Once you have written your complete review to the review file, call `review_exit` to switch back to the build agent. The build agent will read your review file and act on the feedback.
 
 ## Decision Criteria
 
 ### Approve when:
+- No critical security issues found
+- Widget coherence is correct (if applicable)
 - No existing Script Includes provide equivalent functionality
 - Code patterns are unique to this use case
-- Minor optimizations possible but not blocking
-- Low-severity suggestions only (informational)
+- Minor suggestions only (informational)
 
 ### Request Revision when:
+- Security vulnerability detected
+- Widget HTML/Client/Server scripts are misaligned
 - Existing Script Include provides >80% of needed functionality
 - Duplicate code detected that should be consolidated
 - High-severity code smell or anti-pattern detected
 - Business logic should be extracted to Script Include for reuse
 
-## MCP Tools Available
-
-1. **snow_analyze_artifact** - Analyze artifact structure and dependencies
-2. **snow_find_artifact** - Find existing artifacts by name/type
-3. **snow_comprehensive_search** - Deep search across all tables
-4. **snow_query_table** - Query any ServiceNow table
-
 ## Important Guidelines
 
-1. READ-ONLY: You cannot modify any code. Your role is purely analysis and feedback.
+1. READ-ONLY: You cannot modify any code. Only the review file can be written to.
 2. ES5 Awareness: ServiceNow uses ES5. If you see ES6+ syntax, flag it as a concern.
 3. Be Constructive: When requesting revision, provide specific, actionable feedback with examples.
 4. Consider Context: Not all code needs to be in Script Includes. Consider frequency of reuse, complexity, and scope.
 5. Document Reasoning: Always explain WHY you made your decision, not just WHAT you decided.
-
-## Completing Your Review
-
-After completing your review, call `review_exit` with your JSON review report.
-
-- If APPROVED: Include any low-severity suggestions as informational notes in the report.
-- If NEEDS REVISION: Provide detailed feedback explaining what needs to change. The build agent will address the feedback.
+6. Your turn should only end with calling review_exit. Do not stop without calling it.

package/src/session/index.ts

@@ -242,6 +242,13 @@ export namespace Session {
     return path.join(base, [input.time.created, input.slug].join("-") + ".md")
   }
 
+  export function review(input: { slug: string; time: { created: number } }) {
+    const base = Instance.project.vcs
+      ? path.join(Instance.worktree, ".snow-code", "reviews")
+      : path.join(Global.Path.data, "reviews")
+    return path.join(base, [input.time.created, input.slug].join("-") + ".md")
+  }
+
   export const get = fn(Identifier.schema("session"), async (id) => {
     const read = await Storage.read<Info>(["session", Instance.project.id, id])
     return read as Info

package/src/session/prompt/review-switch.txt

@@ -1,6 +1,7 @@
 <system-reminder>
 Your operational mode has changed from review to build.
 You are no longer in read-only analysis mode.
-The code review results have been provided. Act on the review feedback.
-If approved, proceed with activity_complete. If revision needed, address the feedback.
+You are permitted to make file changes, run shell commands, and utilize your arsenal of tools as needed.
+The code review results have been provided in the review file. Read it and act on the review feedback.
+If approved, proceed with activity_complete. If revision needed, address the feedback first.
 </system-reminder>

package/src/session/prompt.ts

@@ -1333,27 +1333,49 @@ NOTE: At any point in time through this workflow you should feel free to ask the
 
     // Switching from review to build
     if (input.agent.name === "build" && assistantMessage?.info.agent === "review") {
-      clonedUser.parts.push({
-        id: Identifier.ascending("part"),
-        messageID: userMessage.info.id,
-        sessionID: userMessage.info.sessionID,
-        type: "text",
-        text: REVIEW_SWITCH,
-        synthetic: true,
-      })
+      const reviewPath = Session.review(input.session)
+      const reviewExists = await Bun.file(reviewPath).exists()
+      if (reviewExists) {
+        const part = await Session.updatePart({
+          id: Identifier.ascending("part"),
+          messageID: userMessage.info.id,
+          sessionID: userMessage.info.sessionID,
+          type: "text",
+          text:
+            REVIEW_SWITCH +
+            "\n\n" +
+            `A review file exists at ${reviewPath}. You should read it and act on the review feedback within it`,
+          synthetic: true,
+        })
+        clonedUser.parts.push(part)
+      }
       return replaceUser()
     }
 
     // Entering review mode
     if (input.agent.name === "review" && assistantMessage?.info.agent !== "review") {
-      clonedUser.parts.push({
+      const reviewPath = Session.review(input.session)
+      const reviewExists = await Bun.file(reviewPath).exists()
+      if (!reviewExists) await fs.mkdir(path.dirname(reviewPath), { recursive: true })
+      const part = await Session.updatePart({
         id: Identifier.ascending("part"),
         messageID: userMessage.info.id,
         sessionID: userMessage.info.sessionID,
         type: "text",
-        text: `<system-reminder>\nReview mode is active. You are in READ-ONLY analysis mode.\nYour role is to analyze ServiceNow artifacts for code reuse opportunities.\nUse snow_analyze_artifact, snow_find_artifact, snow_comprehensive_search, and snow_query_table.\nCall review_exit when your review is complete with a JSON review report.\n</system-reminder>`,
+        text: `<system-reminder>
+Review mode is active. You are in READ-ONLY analysis mode (except for the review file).
+Your role is to analyze ServiceNow artifacts for quality, security, coherence, and reuse opportunities.
+Use the tool_search tool to discover available ServiceNow tools for analysis.
+
+## Review File Info:
+${reviewExists ? `A review file already exists at ${reviewPath}. You can read it and make incremental edits using the edit tool.` : `No review file exists yet. You should create your review at ${reviewPath} using the write tool.`}
+Write your review findings to this file. NOTE that this is the only file you are allowed to edit.
+
+When your review is complete, call review_exit to switch back to the build agent.
+</system-reminder>`,
         synthetic: true,
       })
+      clonedUser.parts.push(part)
       return replaceUser()
     }
 

package/src/tool/review-enter.txt

@@ -1,8 +1,8 @@
-Use this tool to switch to the review agent for automated code reuse review of ServiceNow artifacts.
+Use this tool to switch to the review agent for automated review of ServiceNow artifacts.
 
 Call this tool when:
 - An activity has been set to 'review' status (activity_update response contains reviewAvailable: true)
-- The user explicitly requests a code reuse review
+- The user explicitly requests a code review
 - Artifacts are ready to be analyzed before completion
 
 This tool will ask the user if they want to switch to the review agent.

package/src/tool/review-exit.txt

@@ -1,10 +1,10 @@
-Use this tool when you have completed the code reuse review and are ready to exit review mode.
+Use this tool when you have completed the review and are ready to exit review mode.
 
 This tool will ask the user if they want to switch back to the build agent.
 
 Call this tool:
-- After you have completed the code reuse analysis
-- After you have generated a JSON review report with your findings
+- After you have completed the code review and analysis
+- After you have generated a review report with your findings
 - When you are confident the review is thorough and complete
 
 Do NOT call this tool:

package/src/tool/review.ts

@@ -1,10 +1,12 @@
 import z from "zod"
+import path from "path"
 import { Tool } from "./tool"
 import { Question } from "../question"
 import { Session } from "../session"
 import { MessageV2 } from "../session/message-v2"
 import { Identifier } from "../id/id"
 import { Provider } from "../provider/provider"
+import { Instance } from "../project/instance"
 import EXIT_DESCRIPTION from "./review-exit.txt"
 import ENTER_DESCRIPTION from "./review-enter.txt"
 
@@ -17,16 +19,15 @@ async function getLastModel(sessionID: string) {
 
 export const ReviewExitTool = Tool.define("review_exit", {
   description: EXIT_DESCRIPTION,
-  parameters: z.object({
-    reviewResult: z.string().optional().describe("JSON review report with findings"),
-    approved: z.boolean().optional().describe("Whether the review approved the artifacts"),
-  }),
-  async execute(params, ctx) {
+  parameters: z.object({}),
+  async execute(_params, ctx) {
+    const session = await Session.get(ctx.sessionID)
+    const reviewFile = path.relative(Instance.worktree, Session.review(session))
     const answers = await Question.ask({
       sessionID: ctx.sessionID,
       questions: [
         {
-          question: `Code reuse review is complete. Would you like to switch back to the build agent?`,
+          question: `Review at ${reviewFile} is complete. Would you like to switch to the build agent and start acting on the feedback?`,
           header: "Build Agent",
           custom: false,
           options: [
@@ -54,20 +55,12 @@ export const ReviewExitTool = Tool.define("review_exit", {
       model,
     }
     await Session.updateMessage(userMsg)
-
-    const reviewSummary = params.reviewResult
-      ? `\n\nReview result:\n${params.reviewResult}`
-      : ""
-    const approvalStatus = params.approved !== undefined
-      ? `\nApproved: ${params.approved}`
-      : ""
-
     await Session.updatePart({
       id: Identifier.ascending("part"),
       messageID: userMsg.id,
       sessionID: ctx.sessionID,
       type: "text",
-      text: `The code reuse review has been completed.${approvalStatus}${reviewSummary}`,
+      text: `The review at ${reviewFile} has been approved, you can now edit files. Act on the review feedback`,
       synthetic: true,
     } satisfies MessageV2.TextPart)
 
@@ -87,15 +80,18 @@ export const ReviewEnterTool = Tool.define("review_enter", {
     updateSetName: z.string().optional().describe("Name of the update set being reviewed"),
   }),
   async execute(params, ctx) {
+    const session = await Session.get(ctx.sessionID)
+    const reviewFile = path.relative(Instance.worktree, Session.review(session))
+
     const answers = await Question.ask({
       sessionID: ctx.sessionID,
       questions: [
         {
-          question: `Activity is ready for code reuse review. Would you like to switch to the review agent?`,
+          question: `Activity is ready for review. Would you like to switch to the review agent and save findings to ${reviewFile}?`,
           header: "Review Mode",
           custom: false,
           options: [
-            { label: "Yes", description: "Switch to review agent for code reuse analysis" },
+            { label: "Yes", description: "Switch to review agent for code review and analysis" },
             { label: "No", description: "Stay with build agent and skip review" },
           ],
         },
@@ -121,7 +117,8 @@ export const ReviewEnterTool = Tool.define("review_enter", {
     await Session.updateMessage(userMsg)
 
     const context = [
-      "User has requested to enter review mode. Switch to review mode and begin code reuse analysis.",
+      "User has requested to enter review mode. Switch to review mode and begin code review.",
+      `The review file will be at ${reviewFile}.`,
       params.activityId ? `Activity ID: ${params.activityId}` : "",
       params.updateSetName ? `Update Set: ${params.updateSetName}` : "",
       params.artifacts ? `Artifacts to review:\n${params.artifacts}` : "",
@@ -140,7 +137,7 @@ export const ReviewEnterTool = Tool.define("review_enter", {
 
     return {
       title: "Switching to review agent",
-      output: "User confirmed to switch to review mode. A new message has been created to switch you to review mode. Begin code reuse analysis.",
+      output: `User confirmed to switch to review mode. A new message has been created to switch you to review mode. The review file will be at ${reviewFile}. Begin code review.`,
       metadata: {},
     }
   },