npm - wogiflow - Versions diffs - 1.0.0 - Mend

wogiflow 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (221) hide show

package/.workflow/agents/reviewer.md +81 -0
package/.workflow/agents/security.md +94 -0
package/.workflow/agents/story-writer.md +58 -0
package/.workflow/bridges/base-bridge.js +395 -0
package/.workflow/bridges/claude-bridge.js +434 -0
package/.workflow/bridges/index.js +130 -0
package/.workflow/lib/assumption-detector.js +481 -0
package/.workflow/lib/config-substitution.js +371 -0
package/.workflow/lib/failure-categories.js +478 -0
package/.workflow/state/app-map.md.template +15 -0
package/.workflow/state/architecture.md.template +24 -0
package/.workflow/state/component-index.json.template +5 -0
package/.workflow/state/decisions.md.template +15 -0
package/.workflow/state/feedback-patterns.md.template +9 -0
package/.workflow/state/knowledge-sync.json.template +6 -0
package/.workflow/state/progress.md.template +14 -0
package/.workflow/state/ready.json.template +7 -0
package/.workflow/state/request-log.md.template +14 -0
package/.workflow/state/session-state.json.template +11 -0
package/.workflow/state/stack.md.template +33 -0
package/.workflow/state/testing.md.template +36 -0
package/.workflow/templates/claude-md.hbs +257 -0
package/.workflow/templates/correction-report.md +67 -0
package/.workflow/templates/gemini-md.hbs +52 -0
package/README.md +1802 -0
package/bin/flow +205 -0
package/lib/index.js +33 -0
package/lib/installer.js +467 -0
package/lib/release-channel.js +269 -0
package/lib/skill-registry.js +526 -0
package/lib/upgrader.js +401 -0
package/lib/utils.js +305 -0
package/package.json +64 -0
package/scripts/flow +985 -0
package/scripts/flow-adaptive-learning.js +1259 -0
package/scripts/flow-aggregate.js +488 -0
package/scripts/flow-archive +133 -0
package/scripts/flow-auto-context.js +1015 -0
package/scripts/flow-auto-learn.js +615 -0
package/scripts/flow-bridge.js +223 -0
package/scripts/flow-browser-suggest.js +316 -0
package/scripts/flow-bug.js +247 -0
package/scripts/flow-cascade.js +711 -0
package/scripts/flow-changelog +85 -0
package/scripts/flow-checkpoint.js +483 -0
package/scripts/flow-cli.js +403 -0
package/scripts/flow-code-intelligence.js +760 -0
package/scripts/flow-complexity.js +502 -0
package/scripts/flow-config-set.js +152 -0
package/scripts/flow-constants.js +157 -0
package/scripts/flow-context +152 -0
package/scripts/flow-context-init.js +482 -0
package/scripts/flow-context-monitor.js +384 -0
package/scripts/flow-context-scoring.js +886 -0
package/scripts/flow-correct.js +458 -0
package/scripts/flow-damage-control.js +985 -0
package/scripts/flow-deps +101 -0
package/scripts/flow-diff.js +700 -0
package/scripts/flow-done +151 -0
package/scripts/flow-done.js +489 -0
package/scripts/flow-durable-session.js +1541 -0
package/scripts/flow-entropy-monitor.js +345 -0
package/scripts/flow-export-profile +349 -0
package/scripts/flow-export-scanner.js +1046 -0
package/scripts/flow-figma-confirm.js +400 -0
package/scripts/flow-figma-extract.js +496 -0
package/scripts/flow-figma-generate.js +683 -0
package/scripts/flow-figma-index.js +909 -0
package/scripts/flow-figma-match.js +617 -0
package/scripts/flow-figma-mcp-server.js +518 -0
package/scripts/flow-figma-pipeline.js +414 -0
package/scripts/flow-file-ops.js +301 -0
package/scripts/flow-gate-confidence.js +825 -0
package/scripts/flow-guided-edit.js +659 -0
package/scripts/flow-health +185 -0
package/scripts/flow-health.js +413 -0
package/scripts/flow-hooks.js +556 -0
package/scripts/flow-http-client.js +249 -0
package/scripts/flow-hybrid-detect.js +167 -0
package/scripts/flow-hybrid-interactive.js +591 -0
package/scripts/flow-hybrid-test.js +152 -0
package/scripts/flow-import-profile +439 -0
package/scripts/flow-init +253 -0
package/scripts/flow-instruction-richness.js +827 -0
package/scripts/flow-jira-integration.js +579 -0
package/scripts/flow-knowledge-router.js +522 -0
package/scripts/flow-knowledge-sync.js +589 -0
package/scripts/flow-linear-integration.js +631 -0
package/scripts/flow-links.js +774 -0
package/scripts/flow-log-manager.js +559 -0
package/scripts/flow-loop-enforcer.js +1246 -0
package/scripts/flow-loop-retry-learning.js +630 -0
package/scripts/flow-lsp.js +923 -0
package/scripts/flow-map-index +348 -0
package/scripts/flow-map-sync +201 -0
package/scripts/flow-memory-blocks.js +668 -0
package/scripts/flow-memory-compactor.js +350 -0
package/scripts/flow-memory-db.js +1110 -0
package/scripts/flow-memory-sync.js +484 -0
package/scripts/flow-metrics.js +353 -0
package/scripts/flow-migrate-ids.js +370 -0
package/scripts/flow-model-adapter.js +802 -0
package/scripts/flow-model-router.js +884 -0
package/scripts/flow-models.js +1231 -0
package/scripts/flow-morning.js +517 -0
package/scripts/flow-multi-approach.js +660 -0
package/scripts/flow-new-feature +86 -0
package/scripts/flow-onboard +1042 -0
package/scripts/flow-orchestrate-llm.js +459 -0
package/scripts/flow-orchestrate.js +3592 -0
package/scripts/flow-output.js +123 -0
package/scripts/flow-parallel-detector.js +399 -0
package/scripts/flow-parallel-dispatch.js +987 -0
package/scripts/flow-parallel.js +428 -0
package/scripts/flow-pattern-enforcer.js +600 -0
package/scripts/flow-prd-manager.js +282 -0
package/scripts/flow-progress.js +323 -0
package/scripts/flow-project-analyzer.js +975 -0
package/scripts/flow-prompt-composer.js +487 -0
package/scripts/flow-providers.js +1381 -0
package/scripts/flow-queue.js +308 -0
package/scripts/flow-ready +82 -0
package/scripts/flow-ready.js +189 -0
package/scripts/flow-regression.js +396 -0
package/scripts/flow-response-parser.js +450 -0
package/scripts/flow-resume.js +284 -0
package/scripts/flow-rules-sync.js +439 -0
package/scripts/flow-run-trace.js +718 -0
package/scripts/flow-safety.js +587 -0
package/scripts/flow-search +104 -0
package/scripts/flow-security.js +481 -0
package/scripts/flow-session-end +106 -0
package/scripts/flow-session-end.js +437 -0
package/scripts/flow-session-state.js +671 -0
package/scripts/flow-setup-hooks +216 -0
package/scripts/flow-setup-hooks.js +377 -0
package/scripts/flow-skill-create.js +329 -0
package/scripts/flow-skill-creator.js +572 -0
package/scripts/flow-skill-generator.js +1046 -0
package/scripts/flow-skill-learn.js +880 -0
package/scripts/flow-skill-matcher.js +578 -0
package/scripts/flow-spec-generator.js +820 -0
package/scripts/flow-stack-wizard.js +895 -0
package/scripts/flow-standup +162 -0
package/scripts/flow-start +74 -0
package/scripts/flow-start.js +235 -0
package/scripts/flow-status +110 -0
package/scripts/flow-status.js +301 -0
package/scripts/flow-step-browser.js +83 -0
package/scripts/flow-step-changelog.js +217 -0
package/scripts/flow-step-comments.js +306 -0
package/scripts/flow-step-complexity.js +234 -0
package/scripts/flow-step-coverage.js +218 -0
package/scripts/flow-step-knowledge.js +193 -0
package/scripts/flow-step-pr-tests.js +364 -0
package/scripts/flow-step-regression.js +89 -0
package/scripts/flow-step-review.js +516 -0
package/scripts/flow-step-security.js +162 -0
package/scripts/flow-step-silent-failures.js +290 -0
package/scripts/flow-step-simplifier.js +346 -0
package/scripts/flow-story +105 -0
package/scripts/flow-story.js +500 -0
package/scripts/flow-suspend.js +252 -0
package/scripts/flow-sync-daemon.js +654 -0
package/scripts/flow-task-analyzer.js +606 -0
package/scripts/flow-team-dashboard.js +748 -0
package/scripts/flow-team-sync.js +752 -0
package/scripts/flow-team.js +977 -0
package/scripts/flow-tech-options.js +528 -0
package/scripts/flow-templates.js +812 -0
package/scripts/flow-tiered-learning.js +728 -0
package/scripts/flow-trace +204 -0
package/scripts/flow-transcript-chunking.js +1106 -0
package/scripts/flow-transcript-digest.js +7918 -0
package/scripts/flow-transcript-language.js +465 -0
package/scripts/flow-transcript-parsing.js +1085 -0
package/scripts/flow-transcript-stories.js +2194 -0
package/scripts/flow-update-map +224 -0
package/scripts/flow-utils.js +2242 -0
package/scripts/flow-verification.js +644 -0
package/scripts/flow-verify.js +1177 -0
package/scripts/flow-voice-input.js +638 -0
package/scripts/flow-watch +168 -0
package/scripts/flow-workflow-steps.js +521 -0
package/scripts/flow-workflow.js +1029 -0
package/scripts/flow-worktree.js +489 -0
package/scripts/hooks/adapters/base-adapter.js +102 -0
package/scripts/hooks/adapters/claude-code.js +359 -0
package/scripts/hooks/adapters/index.js +79 -0
package/scripts/hooks/core/component-check.js +341 -0
package/scripts/hooks/core/index.js +35 -0
package/scripts/hooks/core/loop-check.js +241 -0
package/scripts/hooks/core/session-context.js +294 -0
package/scripts/hooks/core/task-gate.js +177 -0
package/scripts/hooks/core/validation.js +230 -0
package/scripts/hooks/entry/claude-code/post-tool-use.js +65 -0
package/scripts/hooks/entry/claude-code/pre-tool-use.js +89 -0
package/scripts/hooks/entry/claude-code/session-end.js +87 -0
package/scripts/hooks/entry/claude-code/session-start.js +46 -0
package/scripts/hooks/entry/claude-code/stop.js +43 -0
package/scripts/postinstall.js +139 -0
package/templates/browser-test-flow.json +56 -0
package/templates/bug-report.md +43 -0
package/templates/component-detail.md +42 -0
package/templates/component.stories.tsx +49 -0
package/templates/context/constraints.md +83 -0
package/templates/context/conventions.md +177 -0
package/templates/context/stack.md +60 -0
package/templates/correction-report.md +90 -0
package/templates/feature-proposal.md +35 -0
package/templates/hybrid/_base.md +254 -0
package/templates/hybrid/_patterns.md +45 -0
package/templates/hybrid/create-component.md +127 -0
package/templates/hybrid/create-file.md +56 -0
package/templates/hybrid/create-hook.md +145 -0
package/templates/hybrid/create-service.md +70 -0
package/templates/hybrid/fix-bug.md +33 -0
package/templates/hybrid/modify-file.md +55 -0
package/templates/story.md +68 -0
package/templates/task.json +56 -0
package/templates/trace.md +69 -0

package/scripts/flow-step-review.js ADDED Viewed

@@ -0,0 +1,516 @@
+#!/usr/bin/env node
+/**
+ * Wogi Flow - Code Review Step
+ *
+ * Hybrid code review: multi-agent for big/high-risk tasks, simple for small/low-risk.
+ * Uses confidence scoring (0-100) and only reports issues with confidence >= threshold.
+ *
+ * Multi-agent review runs 3 parallel perspectives:
+ * 1. Architecture/Design review
+ * 2. Implementation/Logic review
+ * 3. Security/Edge cases review
+ */
+const fs = require('fs');
+const path = require('path');
+const { getProjectRoot, colors } = require('./flow-utils');
+const PROJECT_ROOT = getProjectRoot();
+// High-risk patterns that trigger multi-agent review
+const HIGH_RISK_PATTERNS = [
+  'auth', 'authentication', 'authorization',
+  'payment', 'billing', 'checkout',
+  'security', 'crypto', 'encrypt', 'decrypt',
+  'password', 'credential', 'secret', 'token',
+  'admin', 'permission', 'role',
+  'database', 'migration', 'schema',
+];
+/**
+ * Run code review as a workflow step
+ *
+ * @param {object} options
+ * @param {string[]} options.files - Files modified
+ * @param {object} options.stepConfig - Step configuration
+ * @param {string} options.mode - Step mode (block/warn/prompt/auto)
+ * @param {string} options.taskType - Type of task (feature/bugfix/refactor)
+ * @returns {object} - { passed: boolean, message: string, details?: object[] }
+ */
+async function run(options = {}) {
+  const { files = [], stepConfig = {}, taskType } = options;
+  const multiAgentThreshold = stepConfig.multiAgentThreshold || 5;
+  const confidenceThreshold = stepConfig.confidenceThreshold || 80;
+  const highRiskPatterns = stepConfig.highRiskPatterns || HIGH_RISK_PATTERNS;
+  // Filter to reviewable files
+  const reviewableExtensions = ['.js', '.ts', '.jsx', '.tsx', '.py', '.go', '.rs'];
+  const reviewableFiles = files.filter(f =>
+    reviewableExtensions.some(ext => f.endsWith(ext)) &&
+    !f.includes('.test.') &&
+    !f.includes('.spec.') &&
+    !f.includes('.d.ts')
+  );
+  if (reviewableFiles.length === 0) {
+    return { passed: true, message: 'No reviewable files modified' };
+  }
+  // Determine if high-risk
+  const isHighRisk = taskType === 'refactor' ||
+    reviewableFiles.some(f => highRiskPatterns.some(p => f.toLowerCase().includes(p)));
+  // Choose review mode
+  const useMultiAgent = reviewableFiles.length > multiAgentThreshold || isHighRisk;
+  let issues;
+  if (useMultiAgent) {
+    console.log(colors.cyan + '  Running multi-agent code review...' + colors.reset);
+    issues = await runMultiAgentReview(reviewableFiles, stepConfig);
+  } else {
+    console.log(colors.cyan + '  Running simple code review...' + colors.reset);
+    issues = await runSimpleReview(reviewableFiles, stepConfig);
+  }
+  // Filter by confidence threshold
+  const reportableIssues = issues.filter(i => i.confidence >= confidenceThreshold);
+  if (reportableIssues.length === 0) {
+    return {
+      passed: true,
+      message: useMultiAgent
+        ? `Multi-agent review passed (${reviewableFiles.length} files)`
+        : `Simple review passed (${reviewableFiles.length} files)`,
+    };
+  }
+  // Report issues
+  console.log(colors.yellow + '\n  Code Review Issues:' + colors.reset);
+  const criticalIssues = reportableIssues.filter(i => i.severity === 'critical');
+  const importantIssues = reportableIssues.filter(i => i.severity === 'important');
+  if (criticalIssues.length > 0) {
+    console.log(colors.red + '  Critical:' + colors.reset);
+    for (const issue of criticalIssues) {
+      printIssue(issue);
+    }
+  }
+  if (importantIssues.length > 0) {
+    console.log(colors.yellow + '  Important:' + colors.reset);
+    for (const issue of importantIssues) {
+      printIssue(issue);
+    }
+  }
+  // Critical issues block, important issues warn
+  const hasCritical = criticalIssues.length > 0;
+  // Auto-capture learnings from issues found
+  if (reportableIssues.length > 0) {
+    try {
+      const { captureFromSessionReview } = require('./flow-auto-learn');
+      captureFromSessionReview(reportableIssues);
+    } catch (err) {
+      // Auto-learn not available or failed - continue silently
+    }
+  }
+  return {
+    passed: !hasCritical,
+    message: `${reportableIssues.length} issue(s) found (${criticalIssues.length} critical, ${importantIssues.length} important)`,
+    details: reportableIssues,
+  };
+}
+/**
+ * Print a single issue
+ */
+function printIssue(issue) {
+  const confidenceColor = issue.confidence >= 90 ? colors.red : colors.yellow;
+  console.log(`    ${issue.file}:${issue.line}`);
+  console.log(`      ${issue.description}`);
+  console.log(`      ${confidenceColor}Confidence: ${issue.confidence}%${colors.reset}`);
+  if (issue.fix) {
+    console.log(colors.dim + `      Fix: ${issue.fix}` + colors.reset);
+  }
+}
+/**
+ * Run multi-agent review (3 perspectives)
+ */
+async function runMultiAgentReview(files, config) {
+  const allIssues = [];
+  for (const file of files) {
+    const filePath = path.join(PROJECT_ROOT, file);
+    if (!fs.existsSync(filePath)) continue;
+    try {
+      const content = fs.readFileSync(filePath, 'utf8');
+      // Run all 3 perspectives
+      const architectureIssues = reviewArchitecture(content, file);
+      const implementationIssues = reviewImplementation(content, file);
+      const securityIssues = reviewSecurity(content, file);
+      // Merge and dedupe issues
+      const fileIssues = mergeIssues([
+        ...architectureIssues,
+        ...implementationIssues,
+        ...securityIssues,
+      ]);
+      allIssues.push(...fileIssues);
+    } catch (err) {
+      // Skip unreadable files
+    }
+  }
+  return allIssues;
+}
+/**
+ * Run simple review (single pass)
+ */
+async function runSimpleReview(files, config) {
+  const allIssues = [];
+  for (const file of files) {
+    const filePath = path.join(PROJECT_ROOT, file);
+    if (!fs.existsSync(filePath)) continue;
+    try {
+      const content = fs.readFileSync(filePath, 'utf8');
+      const fileIssues = runBasicChecks(content, file);
+      allIssues.push(...fileIssues);
+    } catch (err) {
+      // Skip unreadable files
+    }
+  }
+  return allIssues;
+}
+/**
+ * Architecture/Design review perspective
+ */
+function reviewArchitecture(content, fileName) {
+  const issues = [];
+  const lines = content.split('\n');
+  // Check for god objects (too many methods/properties)
+  const methodCount = (content.match(/(?:function\s+\w+|(?:const|let|var)\s+\w+\s*=\s*(?:async\s*)?\()/g) || []).length;
+  if (methodCount > 15) {
+    issues.push({
+      file: fileName,
+      line: 1,
+      perspective: 'architecture',
+      severity: methodCount > 25 ? 'critical' : 'important',
+      confidence: Math.min(95, 70 + methodCount),
+      description: `File has ${methodCount} functions - consider splitting into modules`,
+      fix: 'Extract related functions into separate modules with clear responsibilities',
+    });
+  }
+  // Check for circular dependency hints
+  const imports = content.match(/(?:require|import).*['"](\.\.?\/[^'"]+)['"]/g) || [];
+  const uniqueImports = new Set(imports);
+  if (uniqueImports.size > 10) {
+    issues.push({
+      file: fileName,
+      line: 1,
+      perspective: 'architecture',
+      severity: 'important',
+      confidence: 75,
+      description: `High import count (${uniqueImports.size}) may indicate tight coupling`,
+      fix: 'Review dependencies and consider introducing facades or reorganizing modules',
+    });
+  }
+  // Check for mixed concerns
+  const hasDOM = /querySelector|getElementById|document\./i.test(content);
+  const hasAPI = /fetch|axios|http/i.test(content);
+  const hasDB = /query|findOne|insertOne|mongoose|prisma/i.test(content);
+  const concerns = [hasDOM, hasAPI, hasDB].filter(Boolean).length;
+  if (concerns >= 2) {
+    issues.push({
+      file: fileName,
+      line: 1,
+      perspective: 'architecture',
+      severity: 'important',
+      confidence: 80,
+      description: 'File mixes multiple concerns (UI/API/DB)',
+      fix: 'Separate into distinct layers: presentation, business logic, data access',
+    });
+  }
+  return issues;
+}
+/**
+ * Implementation/Logic review perspective
+ */
+function reviewImplementation(content, fileName) {
+  const issues = [];
+  const lines = content.split('\n');
+  // Check for magic numbers
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+    // Skip comments, imports, and obvious cases
+    if (line.trim().startsWith('//') || line.includes('import') || line.includes('require')) continue;
+    const magicMatch = line.match(/[^a-zA-Z0-9_](\d{2,})[^a-zA-Z0-9_]/);
+    if (magicMatch) {
+      const num = parseInt(magicMatch[1]);
+      // Skip common values like 100, 1000, ports, etc.
+      if (![100, 1000, 10000, 3000, 8080, 8000, 443, 80].includes(num)) {
+        issues.push({
+          file: fileName,
+          line: i + 1,
+          perspective: 'implementation',
+          severity: 'important',
+          confidence: 70,
+          description: `Magic number ${num} - consider using a named constant`,
+          fix: `Extract to a descriptively named constant: const MEANINGFUL_NAME = ${num}`,
+        });
+      }
+    }
+  }
+  // Check for deeply nested logic
+  let maxIndent = 0;
+  for (let i = 0; i < lines.length; i++) {
+    const indent = (lines[i].match(/^(\s*)/)?.[1] || '').replace(/\t/g, '  ').length;
+    if (indent > maxIndent) maxIndent = indent;
+    if (indent >= 16) { // 8+ levels
+      issues.push({
+        file: fileName,
+        line: i + 1,
+        perspective: 'implementation',
+        severity: 'critical',
+        confidence: 95,
+        description: 'Deeply nested code (8+ levels)',
+        fix: 'Use early returns, extract functions, or restructure logic',
+      });
+      break; // Only report once per file
+    }
+  }
+  // Check for duplicate string literals
+  const stringLiterals = content.match(/['"][^'"]{10,}['"]/g) || [];
+  const literalCounts = {};
+  for (const lit of stringLiterals) {
+    literalCounts[lit] = (literalCounts[lit] || 0) + 1;
+  }
+  for (const [lit, count] of Object.entries(literalCounts)) {
+    if (count >= 3) {
+      issues.push({
+        file: fileName,
+        line: 1,
+        perspective: 'implementation',
+        severity: 'important',
+        confidence: 85,
+        description: `String literal appears ${count} times - extract to constant`,
+        fix: `Create a constant: const MESSAGE = ${lit}`,
+      });
+    }
+  }
+  return issues;
+}
+/**
+ * Security/Edge cases review perspective
+ */
+function reviewSecurity(content, fileName) {
+  const issues = [];
+  const lines = content.split('\n');
+  // Check for unsafe operations
+  const unsafePatterns = [
+    { pattern: /eval\s*\(/i, desc: 'eval() is dangerous - allows code injection', severity: 'critical', confidence: 100 },
+    { pattern: /innerHTML\s*=/i, desc: 'innerHTML can cause XSS - use textContent or sanitize', severity: 'critical', confidence: 95 },
+    { pattern: /dangerouslySetInnerHTML/i, desc: 'dangerouslySetInnerHTML requires careful sanitization', severity: 'important', confidence: 85 },
+    { pattern: /new Function\s*\(/i, desc: 'new Function() is similar to eval - avoid if possible', severity: 'critical', confidence: 95 },
+    { pattern: /document\.write/i, desc: 'document.write can be exploited - use DOM methods', severity: 'important', confidence: 90 },
+    { pattern: /exec\s*\(\s*[^)]*\+/i, desc: 'String concatenation in exec() may allow command injection', severity: 'critical', confidence: 90 },
+    { pattern: /execSync\s*\(\s*[^)]*\+/i, desc: 'String concatenation in execSync() may allow command injection', severity: 'critical', confidence: 90 },
+  ];
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+    for (const { pattern, desc, severity, confidence } of unsafePatterns) {
+      if (pattern.test(line)) {
+        issues.push({
+          file: fileName,
+          line: i + 1,
+          perspective: 'security',
+          severity,
+          confidence,
+          description: desc,
+          fix: 'Review and use safer alternatives',
+        });
+      }
+    }
+  }
+  // Check for missing error handling in async
+  const asyncFunctions = content.match(/async\s+(?:function\s+)?(\w+)/g) || [];
+  for (const asyncFunc of asyncFunctions) {
+    // Simple heuristic: check if there's a try-catch nearby
+    const funcName = asyncFunc.replace(/async\s+(?:function\s+)?/, '');
+    const funcIndex = content.indexOf(asyncFunc);
+    const funcContext = content.substring(funcIndex, funcIndex + 500);
+    if (!funcContext.includes('try') && !funcContext.includes('catch')) {
+      issues.push({
+        file: fileName,
+        line: content.substring(0, funcIndex).split('\n').length,
+        perspective: 'security',
+        severity: 'important',
+        confidence: 70,
+        description: `Async function "${funcName}" may lack error handling`,
+        fix: 'Add try-catch or ensure errors are handled by the caller',
+      });
+    }
+  }
+  // Check for hardcoded credentials
+  const credPatterns = [
+    /(?:password|passwd|pwd)\s*[:=]\s*['"][^'"]+['"]/i,
+    /(?:api[_-]?key|apikey)\s*[:=]\s*['"][^'"]+['"]/i,
+    /(?:secret|token)\s*[:=]\s*['"][A-Za-z0-9+/=]{20,}['"]/i,
+  ];
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+    // Skip comments and env references
+    if (line.trim().startsWith('//') || line.includes('process.env') || line.includes('.env')) continue;
+    for (const pattern of credPatterns) {
+      if (pattern.test(line)) {
+        issues.push({
+          file: fileName,
+          line: i + 1,
+          perspective: 'security',
+          severity: 'critical',
+          confidence: 90,
+          description: 'Potential hardcoded credential detected',
+          fix: 'Use environment variables or a secrets manager',
+        });
+        break;
+      }
+    }
+  }
+  return issues;
+}
+/**
+ * Run basic checks (for simple review mode)
+ */
+function runBasicChecks(content, fileName) {
+  const issues = [];
+  const lines = content.split('\n');
+  // Check for console.log left in code
+  for (let i = 0; i < lines.length; i++) {
+    if (/console\.(log|debug|info)\s*\(/.test(lines[i]) && !lines[i].trim().startsWith('//')) {
+      issues.push({
+        file: fileName,
+        line: i + 1,
+        perspective: 'basic',
+        severity: 'important',
+        confidence: 80,
+        description: 'console.log left in code',
+        fix: 'Remove or replace with proper logging',
+      });
+    }
+  }
+  // Check for TODO/FIXME comments
+  for (let i = 0; i < lines.length; i++) {
+    if (/\b(TODO|FIXME|XXX|HACK)\b/i.test(lines[i])) {
+      issues.push({
+        file: fileName,
+        line: i + 1,
+        perspective: 'basic',
+        severity: 'important',
+        confidence: 75,
+        description: 'Unresolved TODO/FIXME comment',
+        fix: 'Address the TODO or create a task to track it',
+      });
+    }
+  }
+  // Check for empty catch blocks
+  const emptyCatch = content.match(/catch\s*\([^)]*\)\s*\{\s*\}/g);
+  if (emptyCatch) {
+    issues.push({
+      file: fileName,
+      line: 1,
+      perspective: 'basic',
+      severity: 'critical',
+      confidence: 95,
+      description: 'Empty catch block swallows errors silently',
+      fix: 'Log the error or rethrow it',
+    });
+  }
+  // Check for debugger statements
+  for (let i = 0; i < lines.length; i++) {
+    if (/\bdebugger\b/.test(lines[i])) {
+      issues.push({
+        file: fileName,
+        line: i + 1,
+        perspective: 'basic',
+        severity: 'critical',
+        confidence: 100,
+        description: 'debugger statement left in code',
+        fix: 'Remove the debugger statement',
+      });
+    }
+  }
+  return issues;
+}
+/**
+ * Merge and dedupe issues from multiple perspectives
+ */
+function mergeIssues(issues) {
+  // Group by file:line
+  const grouped = {};
+  for (const issue of issues) {
+    const key = `${issue.file}:${issue.line}`;
+    if (!grouped[key]) {
+      grouped[key] = [];
+    }
+    grouped[key].push(issue);
+  }
+  // For each group, keep highest confidence version
+  const merged = [];
+  for (const group of Object.values(grouped)) {
+    // Sort by confidence descending
+    group.sort((a, b) => b.confidence - a.confidence);
+    // If multiple perspectives found same issue, boost confidence
+    if (group.length > 1) {
+      const best = group[0];
+      best.confidence = Math.min(100, best.confidence + (group.length - 1) * 5);
+      best.perspectives = group.map(i => i.perspective);
+      merged.push(best);
+    } else {
+      merged.push(group[0]);
+    }
+  }
+  return merged;
+}
+module.exports = { run, runMultiAgentReview, runSimpleReview };

package/scripts/flow-step-security.js ADDED Viewed

@@ -0,0 +1,162 @@
+#!/usr/bin/env node
+/**
+ * Wogi Flow - Security Scan Step
+ *
+ * Workflow step for security scanning.
+ * Runs npm audit and checks for common vulnerabilities.
+ */
+const { execSync } = require('child_process');
+const fs = require('fs');
+const path = require('path');
+const { getProjectRoot } = require('./flow-utils');
+const PROJECT_ROOT = getProjectRoot();
+/**
+ * Run security scan as a workflow step
+ *
+ * @param {object} options
+ * @param {string[]} options.files - Files modified
+ * @param {object} options.stepConfig - Step configuration
+ * @param {string} options.mode - Step mode (block/warn/prompt/auto)
+ * @returns {object} - { passed: boolean, message: string, details?: object }
+ */
+async function run(options = {}) {
+  const { files = [], stepConfig = {}, mode } = options;
+  const severity = stepConfig.severity || 'high';
+  const issues = [];
+  // 1. Check for secrets in modified files
+  const secretPatterns = [
+    /(?:api[_-]?key|apikey)\s*[:=]\s*['"][^'"]+['"]/gi,
+    /(?:secret|password|passwd|pwd)\s*[:=]\s*['"][^'"]+['"]/gi,
+    /(?:access[_-]?token|auth[_-]?token)\s*[:=]\s*['"][^'"]+['"]/gi,
+    /-----BEGIN\s+(?:RSA\s+)?PRIVATE\s+KEY-----/i,
+    /(?:aws[_-]?access[_-]?key[_-]?id)\s*[:=]\s*['"][A-Z0-9]+['"]/gi,
+  ];
+  for (const file of files) {
+    const filePath = path.join(PROJECT_ROOT, file);
+    if (!fs.existsSync(filePath)) continue;
+    // Skip test files and config examples
+    if (file.includes('.test.') || file.includes('.spec.') || file.includes('.example')) {
+      continue;
+    }
+    try {
+      const content = fs.readFileSync(filePath, 'utf8');
+      for (const pattern of secretPatterns) {
+        if (pattern.test(content)) {
+          issues.push({
+            type: 'secret',
+            severity: 'high',
+            file,
+            message: 'Potential secret or credential detected',
+          });
+          break; // One issue per file is enough
+        }
+      }
+    } catch (err) {
+      // Skip unreadable files
+    }
+  }
+  // 2. Run npm audit if package.json was modified
+  const packageModified = files.some(f => f.endsWith('package.json') || f.endsWith('package-lock.json'));
+  if (packageModified || stepConfig.alwaysAudit) {
+    try {
+      const auditResult = execSync('npm audit --json 2>/dev/null', {
+        cwd: PROJECT_ROOT,
+        encoding: 'utf8',
+        stdio: ['pipe', 'pipe', 'pipe'],
+      });
+      const audit = JSON.parse(auditResult);
+      if (audit.metadata && audit.metadata.vulnerabilities) {
+        const vulns = audit.metadata.vulnerabilities;
+        if (severity === 'critical' && vulns.critical > 0) {
+          issues.push({
+            type: 'npm_audit',
+            severity: 'critical',
+            message: `${vulns.critical} critical vulnerabilities found`,
+            count: vulns.critical,
+          });
+        } else if (severity === 'high' && (vulns.critical > 0 || vulns.high > 0)) {
+          const count = vulns.critical + vulns.high;
+          issues.push({
+            type: 'npm_audit',
+            severity: 'high',
+            message: `${count} high/critical vulnerabilities found`,
+            count,
+          });
+        } else if (severity === 'moderate') {
+          const count = vulns.critical + vulns.high + vulns.moderate;
+          if (count > 0) {
+            issues.push({
+              type: 'npm_audit',
+              severity: 'moderate',
+              message: `${count} moderate+ vulnerabilities found`,
+              count,
+            });
+          }
+        }
+      }
+    } catch (err) {
+      // npm audit failed or returned non-zero
+      if (e.stdout) {
+        try {
+          const audit = JSON.parse(e.stdout);
+          if (audit.metadata && audit.metadata.vulnerabilities) {
+            const vulns = audit.metadata.vulnerabilities;
+            const count = vulns.critical + vulns.high;
+            if (count > 0 && (severity === 'high' || severity === 'critical')) {
+              issues.push({
+                type: 'npm_audit',
+                severity: 'high',
+                message: `${count} high/critical vulnerabilities`,
+                count,
+              });
+            }
+          }
+        } catch (parseError) {
+          // Ignore parse errors
+        }
+      }
+    }
+  }
+  // 3. Evaluate results
+  if (issues.length === 0) {
+    return { passed: true, message: 'Security scan passed' };
+  }
+  // Filter by severity for blocking
+  const blockingIssues = issues.filter(i => {
+    if (severity === 'critical') return i.severity === 'critical';
+    if (severity === 'high') return i.severity === 'high' || i.severity === 'critical';
+    return true;
+  });
+  if (blockingIssues.length > 0) {
+    return {
+      passed: false,
+      message: `${blockingIssues.length} security issue(s) found`,
+      details: blockingIssues,
+    };
+  }
+  // Non-blocking issues
+  return {
+    passed: true,
+    message: `${issues.length} low-severity issue(s) found`,
+    details: issues,
+  };
+}
+module.exports = { run };