tribunal-kit 3.0.0 → 3.1.0

package/.agent/workflows/tribunal-database.md

@@ -1,115 +1,94 @@
----
-description: Database-specific Tribunal. Runs Logic + Security + SQL reviewers. Use for Prisma queries, raw SQL, schema migrations, ORM operations, and database transaction code.
----
-
-# /tribunal-database — Database Code Audit
-
-$ARGUMENTS
-
----
-
-## When to Use /tribunal-database
-
-| Use `/tribunal-database` when... | Use something else when... |
-|:---|:---|
-| Prisma queries and schema | Frontend queries → `/tribunal-frontend` |
-| Raw SQL with pg/mysql2/better-sqlite3 | API routes calling DB → `/tribunal-backend` |
-| Database migrations | Full audit → `/tribunal-full` |
-| ORM schema changes | |
-| Transaction boundaries | |
-
----
-
-## 3 Active Reviewers (All Run Simultaneously)
-
-### logic-reviewer
-- Prisma methods that don't exist (`findOne` was removed — use `findUnique`)
-- Transaction that should be `$transaction` but isn't
-- Pagination query missing total count (returns wrong metadata)
-- `.findMany()` with no `take` limit (unbounded query)
-
-### security-auditor
-- SQL injection via `$queryRaw` with template literals and user input
-- Row-level security bypass (no WHERE clause on user-scoped query)
-- Mass assignment via `prisma.user.update({ data: req.body })` (unrestricted)
-- Prisma `$executeRaw` with string interpolation
-
-### sql-reviewer
-- N+1 pattern (loop with prisma query inside)
-- Foreign key columns without `@@index`
-- No index on ORDER BY column for large tables
-- Unscoped UPDATE/DELETE without WHERE clause
-- Missing rollback in raw SQL catch block
-- Expand vs contract migration not followed
-
----
-
-## Verdict System
-
-```
-If ANY reviewer → ❌ REJECTED: fix before Human Gate
-If any reviewer → ⚠️ WARNING:  proceed with flagged items
-If all reviewers → ✅ APPROVED: Human Gate
-```
-
----
-
-## Output Format
-
-```
-━━━ Tribunal Database ━━━━━━━━━━━━━━━━━━━━
-
-logic-reviewer:   ✅ APPROVED
-security-auditor: ❌ REJECTED
-sql-reviewer:     ⚠️ WARNING
-
-━━━ VERDICT: ❌ REJECTED ━━━━━━━━━━━━━━━━━
-
-Blockers:
-- security-auditor: [CRITICAL] SQL injection via $queryRaw at src/lib/db.ts:34
-  Code: await prisma.$queryRaw`SELECT * WHERE email = '${email}'`
-  Fix:  await prisma.$queryRaw`SELECT * WHERE email = ${email}` (Prisma auto-parameterizes)
-
-Warnings:
-- sql-reviewer: [MEDIUM] N+1 detected — posts fetched inside user loop at src/lib/feed.ts:56
-  Fix: Use include: { posts: true } in findMany() instead of for-loop fetches
-```
-
----
-
-## Database-Specific Hallucination Traps (Common LLM Mistakes)
-
-```typescript
-// ❌ Prisma: findOne was REMOVED — doesn't exist in any version
-const user = await prisma.user.findOne({ where: { id } });
-// ✅ Correct
-const user = await prisma.user.findUnique({ where: { id } });
-
-// ❌ Prisma: upsertMany doesn't exist
-await prisma.product.upsertMany({ data: products });         // Doesn't exist
-// ✅ Use createMany or transaction with multiple upserts
-await prisma.$transaction(products.map(p => prisma.product.upsert({ ... })));
-
-// ❌ Migration fails silently: adding NOT NULL column to populated table
-ALTER TABLE users ADD COLUMN phone VARCHAR(20) NOT NULL; // Error on existing rows
-// ✅ Always add nullable first, backfill, then add constraint
-
-// ❌ Missing rollback in raw SQL
-try {
-  await db.query('BEGIN');
-  await db.query('UPDATE ...');
-} catch (e) {
-  // Missing: await db.query('ROLLBACK');
-}
-```
-
----
-
-## Usage Examples
-
-```
-/tribunal-database the createOrder function with Stripe idempotency
-/tribunal-database the user registration with email uniqueness check
-/tribunal-database the migration file adding phoneNumber to users
-/tribunal-database the paginated product query with category filter
-```
+---
+description: Database-specific Tribunal. Runs Logic + Security + SQL reviewers. Use for Prisma queries, raw SQL, schema migrations, ORM operations, and database transaction code.
+---
+
+# /tribunal-database — Database Code Audit
+
+$ARGUMENTS
+
+---
+
+## When to Use /tribunal-database
+
+|Use `/tribunal-database` when...|Use something else when...|
+|:---|:---|
+|Prisma queries and schema|Frontend queries → `/tribunal-frontend`|
+|Raw SQL with pg/mysql2/better-sqlite3|API routes calling DB → `/tribunal-backend`|
+|Database migrations|Full audit → `/tribunal-full`|
+|ORM schema changes||
+|Transaction boundaries||
+
+---
+
+## 3 Active Reviewers (All Run Simultaneously)
+
+### logic-reviewer
+- Prisma methods that don't exist (`findOne` was removed — use `findUnique`)
+- Transaction that should be `$transaction` but isn't
+- Pagination query missing total count (returns wrong metadata)
+- `.findMany()` with no `take` limit (unbounded query)
+
+### security-auditor
+- SQL injection via `$queryRaw` with template literals and user input
+- Row-level security bypass (no WHERE clause on user-scoped query)
+- Mass assignment via `prisma.user.update({ data: req.body })` (unrestricted)
+- Prisma `$executeRaw` with string interpolation
+
+### sql-reviewer
+- N+1 pattern (loop with prisma query inside)
+- Foreign key columns without `@@index`
+- No index on ORDER BY column for large tables
+- Unscoped UPDATE/DELETE without WHERE clause
+- Missing rollback in raw SQL catch block
+- Expand vs contract migration not followed
+
+---
+
+## Verdict System
+
+```
+If ANY reviewer → ❌ REJECTED: fix before Human Gate
+If any reviewer → ⚠️ WARNING:  proceed with flagged items
+If all reviewers → ✅ APPROVED: Human Gate
+```
+
+---
+
+---
+
+## Database-Specific Hallucination Traps (Common LLM Mistakes)
+
+```typescript
+// ❌ Prisma: findOne was REMOVED — doesn't exist in any version
+const user = await prisma.user.findOne({ where: { id } });
+// ✅ Correct
+const user = await prisma.user.findUnique({ where: { id } });
+
+// ❌ Prisma: upsertMany doesn't exist
+await prisma.product.upsertMany({ data: products });         // Doesn't exist
+// ✅ Use createMany or transaction with multiple upserts
+await prisma.$transaction(products.map(p => prisma.product.upsert({ ... })));
+
+// ❌ Migration fails silently: adding NOT NULL column to populated table
+ALTER TABLE users ADD COLUMN phone VARCHAR(20) NOT NULL; // Error on existing rows
+// ✅ Always add nullable first, backfill, then add constraint
+
+// ❌ Missing rollback in raw SQL
+try {
+  await db.query('BEGIN');
+  await db.query('UPDATE ...');
+} catch (e) {
+  // Missing: await db.query('ROLLBACK');
+}
+```
+
+---
+
+## Usage Examples
+
+```
+/tribunal-database the createOrder function with Stripe idempotency
+/tribunal-database the user registration with email uniqueness check
+/tribunal-database the migration file adding phoneNumber to users
+/tribunal-database the paginated product query with category filter
+```

package/.agent/workflows/tribunal-frontend.md

@@ -1,118 +1,95 @@
----
-description: Frontend and React specific Tribunal. Runs Logic + Security + Frontend + Type Safety reviewers. Use for React components, hooks, UI code, Next.js pages, Server Components, and Client Components.
----
-
-# /tribunal-frontend — Frontend Code Audit
-
-$ARGUMENTS
-
----
-
-## When to Use /tribunal-frontend
-
-| Use `/tribunal-frontend` when... | Use something else when... |
-|:---|:---|
-| React components (Server or Client) | Backend routes → `/tribunal-backend` |
-| Custom hooks | Database queries → `/tribunal-database` |
-| Next.js pages and layouts | Mobile (React Native) → `/tribunal-mobile` |
-| UI state management | Maximum coverage → `/tribunal-full` |
-| Form handling with Server Actions | |
-
----
-
-## 4 Active Reviewers (All Run Simultaneously)
-
-### logic-reviewer
-- Hallucinated React 19 hooks (non-existent hook names)
-- useFormState called instead of useActionState (React 19 rename)
-- useEffect missing dependencies (stale closure)
-- Multiple setStates that should be batched (React 19 auto-batches in most cases)
-
-### security-auditor
-- `dangerouslySetInnerHTML` with user-controlled content (XSS)
-- eval/Function() calls in component code
-- Exposing sensitive data in client-rendered output
-
-### frontend-reviewer
-- useState/useReducer in Server Components (no client runtime!)
-- 'use client' directive missing on components using hooks
-- Missing 'use server' on Server Actions
-- cookies()/headers()/params not awaited in Next.js 15
-- useEffect not cleaned up (subscription leaks)
-- Keys not unique in list rendering (using index as key)
-- Direct DOM mutations (document.querySelector inside React)
-
-### type-safety-reviewer  
-- Props typed as `any`
-- Event handlers typed as `any` (use `React.MouseEvent<HTMLButtonElement>`)
-- Server Component async props typed without Promise<> (Next.js 15 params)
-- No explicit return type on custom hooks
-
----
-
-## Verdict System
-
-```
-If ANY reviewer → ❌ REJECTED: fix before Human Gate
-If any reviewer → ⚠️ WARNING:  proceed with flagged items
-If all reviewers → ✅ APPROVED: Human Gate
-```
-
----
-
-## Output Format
-
-```
-━━━ Tribunal Frontend ━━━━━━━━━━━━━━━━━━━━━
-
-logic-reviewer:      ✅ APPROVED
-security-auditor:    ✅ APPROVED
-frontend-reviewer:   ❌ REJECTED
-type-safety-reviewer: ⚠️ WARNING
-
-━━━ VERDICT: ❌ REJECTED ━━━━━━━━━━━━━━━━━
-
-Blockers:
-- frontend-reviewer: [HIGH] useState() in Server Component at src/app/dashboard/page.tsx:12
-  Fix: Move state to a Client Component ('use client')
-- frontend-reviewer: [HIGH] cookies() not awaited at src/app/api/auth/route.ts:8
-  Fix: const cookieStore = await cookies();
-
-Warnings:
-- type-safety-reviewer: [MEDIUM] onClick handler typed as 'any' at line 34
-  Fix: onClick: (e: React.MouseEvent<HTMLButtonElement>) => void
-```
-
----
-
-## Frontend-Specific Hallucination Traps (Common LLM Mistakes)
-
-```typescript
-// ❌ React 19: useFormState renamed to useActionState
-import { useFormState } from 'react';      // useFormState no longer exists in React 19
-import { useActionState } from 'react';    // Correct React 19 name
-
-// ❌ Next.js 15: params and searchParams must be awaited
-const { id } = params;                    // WRONG — params is a Promise in Next.js 15
-const { id } = await params;             // CORRECT
-
-// ❌ Hook not valid in Server Component
-export default async function Page() {
-  const [count, setCount] = useState(0); // Server Components cannot use hooks
-}
-
-// ❌ Server Action missing 'use server'
-async function saveData(formData: FormData) {  // Without 'use server' — not a Server Action
-  'use server';                                // Must be FIRST line
-```
-
----
-
-## Usage Examples
-
-```
-/tribunal-frontend the ProductCard component with server-fetched data
-/tribunal-frontend the useAuth custom hook implementation
-/tribunal-frontend the checkout page with Server Action form
-/tribunal-frontend the DashboardLayout with Suspense and loading states
-```
+---
+description: Frontend and React specific Tribunal. Runs Logic + Security + Frontend + Type Safety reviewers. Use for React components, hooks, UI code, Next.js pages, Server Components, and Client Components.
+---
+
+# /tribunal-frontend — Frontend Code Audit
+
+$ARGUMENTS
+
+---
+
+## When to Use /tribunal-frontend
+
+|Use `/tribunal-frontend` when...|Use something else when...|
+|:---|:---|
+|React components (Server or Client)|Backend routes → `/tribunal-backend`|
+|Custom hooks|Database queries → `/tribunal-database`|
+|Next.js pages and layouts|Mobile (React Native) → `/tribunal-mobile`|
+|UI state management|Maximum coverage → `/tribunal-full`|
+|Form handling with Server Actions||
+
+---
+
+## 4 Active Reviewers (All Run Simultaneously)
+
+### logic-reviewer
+- Hallucinated React 19 hooks (non-existent hook names)
+- useFormState called instead of useActionState (React 19 rename)
+- useEffect missing dependencies (stale closure)
+- Multiple setStates that should be batched (React 19 auto-batches in most cases)
+
+### security-auditor
+- `dangerouslySetInnerHTML` with user-controlled content (XSS)
+- eval/Function() calls in component code
+- Exposing sensitive data in client-rendered output
+
+### frontend-reviewer
+- useState/useReducer in Server Components (no client runtime!)
+- 'use client' directive missing on components using hooks
+- Missing 'use server' on Server Actions
+- cookies()/headers()/params not awaited in Next.js 15
+- useEffect not cleaned up (subscription leaks)
+- Keys not unique in list rendering (using index as key)
+- Direct DOM mutations (document.querySelector inside React)
+
+### type-safety-reviewer  
+- Props typed as `any`
+- Event handlers typed as `any` (use `React.MouseEvent<HTMLButtonElement>`)
+- Server Component async props typed without Promise<> (Next.js 15 params)
+- No explicit return type on custom hooks
+
+---
+
+## Verdict System
+
+```
+If ANY reviewer → ❌ REJECTED: fix before Human Gate
+If any reviewer → ⚠️ WARNING:  proceed with flagged items
+If all reviewers → ✅ APPROVED: Human Gate
+```
+
+---
+
+---
+
+## Frontend-Specific Hallucination Traps (Common LLM Mistakes)
+
+```typescript
+// ❌ React 19: useFormState renamed to useActionState
+import { useFormState } from 'react';      // useFormState no longer exists in React 19
+import { useActionState } from 'react';    // Correct React 19 name
+
+// ❌ Next.js 15: params and searchParams must be awaited
+const { id } = params;                    // WRONG — params is a Promise in Next.js 15
+const { id } = await params;             // CORRECT
+
+// ❌ Hook not valid in Server Component
+export default async function Page() {
+  const [count, setCount] = useState(0); // Server Components cannot use hooks
+}
+
+// ❌ Server Action missing 'use server'
+async function saveData(formData: FormData) {  // Without 'use server' — not a Server Action
+  'use server';                                // Must be FIRST line
+```
+
+---
+
+## Usage Examples
+
+```
+/tribunal-frontend the ProductCard component with server-fetched data
+/tribunal-frontend the useAuth custom hook implementation
+/tribunal-frontend the checkout page with Server Action form
+/tribunal-frontend the DashboardLayout with Suspense and loading states
+```

package/.agent/workflows/tribunal-full.md

@@ -1,133 +1,92 @@
----
-description: Run ALL 11 Tribunal reviewer agents simultaneously. Maximum hallucination coverage. Use before merging any AI-generated code, before production deployments, or when maximum confidence is required.
----
-
-# /tribunal-full — Complete 11-Reviewer Audit
-
-$ARGUMENTS
-
----
-
-## When to Use /tribunal-full
-
-| Use `/tribunal-full` when... | Use targeted tribunal when... |
-|:---|:---|
-| Before merging any AI-generated code | Backend only → `/tribunal-backend` |
-| Before production deployment | Frontend only → `/tribunal-frontend` |
-| Security-critical feature review | DB only → `/tribunal-database` |
-| Code affects auth, payments, or PII | |
-| Maximum confidence required | |
-
----
-
-## 11 Reviewers — All Active Simultaneously
-
-```
-Tier 1: Always active (universal concerns)
-├── logic-reviewer         → Hallucinated methods, impossible logic, undefined refs
-└── security-auditor       → OWASP 2025, injection, JWT, SSRF, IDOR
-
-Tier 2: Code quality
-├── dependency-reviewer    → Fabricated packages, supply chain, version compatibility
-├── type-safety-reviewer   → 'any' epidemic, Zod parse vs cast, unguarded access
-└── sql-reviewer           → Injection, N+1, missing indexes, unscoped mutations
-
-Tier 3: Domain-specific
-├── frontend-reviewer      → React 19 APIs, RSC violations, hook rules, hydration
-├── performance-reviewer   → 2026 CWV targets, re-render cascades, memory leaks
-├── mobile-reviewer        → Reanimated thread safety, FlashList, safe area insets
-├── ai-code-reviewer       → Model name hallucinations, prompt injection, cost explosion
-├── test-coverage-reviewer → Happy path only, brittle selectors, missing edge cases
-└── accessibility-reviewer → WCAG 2.2 AA, ARIA misuse, focus management, live regions
-```
-
----
-
-## Active Reviewers by Code Type
-
-Not all 11 reviewers produce meaningful findings on all code types. Active reviewers detect their first finding immediately — inactive reviewers auto-pass with "N/A for this code type."
-
-| Code Under Review | Critical Reviewers |
-|:---|:---|
-| REST API route | logic, security, dependency, type-safety, sql |
-| React component | logic, frontend, accessibility, type-safety |
-| Database query | logic, security, sql |
-| AI LLM integration | logic, security, ai-code, dependency |
-| Test file | test-coverage, logic |
-| React Native / Expo | mobile, logic, security, performance |
-| Next.js page | logic, frontend, performance, accessibility |
-| Auth/JWT code | security, logic, type-safety |
-
----
-
-## Verdict Aggregation
-
-```
-All 11 verdicts are collected. Aggregated result:
-
-If ANY reviewer = ❌ REJECTED → Global verdict: ❌ REJECTED (must fix before Human Gate)
-If any reviewer = ⚠️ WARNING  → Global verdict: ⚠️ WARNINGS (proceed with attention)
-If all reviewers = ✅ APPROVED → Global verdict: ✅ APPROVED (proceed to Human Gate)
-```
-
----
-
-## Output Format
-
-```
-━━━ Tribunal Full — All 11 Reviewers ━━━━━━━━━━━━━━
-
-logic-reviewer:         ✅ APPROVED
-security-auditor:       ❌ REJECTED (1 critical)
-dependency-reviewer:    ⚠️ WARNING (1 medium)
-type-safety-reviewer:   ✅ APPROVED
-sql-reviewer:           ✅ APPROVED
-frontend-reviewer:      ✅ APPROVED
-performance-reviewer:   ⚠️ WARNING (1 low)
-mobile-reviewer:        N/A — no mobile code
-ai-code-reviewer:       N/A — no AI API calls
-test-coverage-reviewer: ❌ REJECTED (missing error path)
-accessibility-reviewer: ⚠️ WARNING (1 medium)
-
-━━━ GLOBAL VERDICT: ❌ REJECTED ━━━━━━━━━━━━━━━━━━━
-
-Blockers (must fix before Human Gate):
-1. security-auditor: JWT verify missing { algorithms } option in src/lib/auth.ts:45
-2. test-coverage-reviewer: POST /api/orders missing error path test
-
-Warnings (flagged but not blocking):
-- dependency-reviewer: 'zod' version mismatch — package uses 3.22.4, imports from 3.23.0-beta
-- performance-reviewer: LCP image missing priority={true}
-- accessibility-reviewer: icon button at line 67 missing aria-label
-
-━━━ Human Gate ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
-Approve after blockers resolved?  Y = proceed | N = discard | R = revise
-```
-
----
-
-## Retry Protocol
-
-When code is rejected:
-
-```
-Attempt 1: Maker revises with reviewer feedback
-Attempt 2: Maker revises with stricter constraints + full reviewer context
-Attempt 3: Maker revises with maximum constraints + full context dump
-
-After 3 failed attempts:
-  → HALT
-  → Report to human with full failure history
-  → DO NOT retry silently
-```
-
----
-
-## Cross-Workflow Navigation
-
-| Full Tribunal finds... | Go to |
-|:---|:---|
-| Backend security issues | Also run `/review` for deep pattern analysis |
-| Tests incomplete | `/test` to write missing cases |
-| Performance warnings | `/tribunal-performance` for full analysis |
-| After all blockers resolved | Re-run `/tribunal-full` before Human Gate |
+---
+description: Run ALL 11 Tribunal reviewer agents simultaneously. Maximum hallucination coverage. Use before merging any AI-generated code, before production deployments, or when maximum confidence is required.
+---
+
+# /tribunal-full — Complete 11-Reviewer Audit
+
+$ARGUMENTS
+
+---
+
+## When to Use /tribunal-full
+
+|Use `/tribunal-full` when...|Use targeted tribunal when...|
+|:---|:---|
+|Before merging any AI-generated code|Backend only → `/tribunal-backend`|
+|Before production deployment|Frontend only → `/tribunal-frontend`|
+|Security-critical feature review|DB only → `/tribunal-database`|
+|Code affects auth, payments, or PII||
+|Maximum confidence required||
+
+---
+
+## 11 Reviewers — All Active Simultaneously
+
+```
+Tier 1: Always active (universal concerns)
+├── logic-reviewer         → Hallucinated methods, impossible logic, undefined refs
+└── security-auditor       → OWASP 2025, injection, JWT, SSRF, IDOR
+
+Tier 2: Code quality
+├── dependency-reviewer    → Fabricated packages, supply chain, version compatibility
+├── type-safety-reviewer   → 'any' epidemic, Zod parse vs cast, unguarded access
+└── sql-reviewer           → Injection, N+1, missing indexes, unscoped mutations
+
+Tier 3: Domain-specific
+├── frontend-reviewer      → React 19 APIs, RSC violations, hook rules, hydration
+├── performance-reviewer   → 2026 CWV targets, re-render cascades, memory leaks
+├── mobile-reviewer        → Reanimated thread safety, FlashList, safe area insets
+├── ai-code-reviewer       → Model name hallucinations, prompt injection, cost explosion
+├── test-coverage-reviewer → Happy path only, brittle selectors, missing edge cases
+└── accessibility-reviewer → WCAG 2.2 AA, ARIA misuse, focus management, live regions
+```
+
+---
+
+## Active Reviewers by Code Type
+
+Not all 11 reviewers produce meaningful findings on all code types. Active reviewers detect their first finding immediately — inactive reviewers auto-pass with "N/A for this code type."
+
+|Code Under Review|Critical Reviewers|
+|:---|:---|
+|REST API route|logic, security, dependency, type-safety, sql|
+|React component|logic, frontend, accessibility, type-safety|
+|Database query|logic, security, sql|
+|AI LLM integration|logic, security, ai-code, dependency|
+|Test file|test-coverage, logic|
+|React Native / Expo|mobile, logic, security, performance|
+|Next.js page|logic, frontend, performance, accessibility|
+|Auth/JWT code|security, logic, type-safety|
+
+---
+
+## Verdict Aggregation
+
+```
+All 11 verdicts are collected. Aggregated result:
+
+If ANY reviewer = ❌ REJECTED → Global verdict: ❌ REJECTED (must fix before Human Gate)
+If any reviewer = ⚠️ WARNING  → Global verdict: ⚠️ WARNINGS (proceed with attention)
+If all reviewers = ✅ APPROVED → Global verdict: ✅ APPROVED (proceed to Human Gate)
+```
+
+---
+
+---
+
+## Retry Protocol
+
+When code is rejected:
+
+```
+Attempt 1: Maker revises with reviewer feedback
+Attempt 2: Maker revises with stricter constraints + full reviewer context
+Attempt 3: Maker revises with maximum constraints + full context dump
+
+After 3 failed attempts:
+  → HALT
+  → Report to human with full failure history
+  → DO NOT retry silently
+```
+
+---