wogiflow 1.0.47 → 1.0.48

package/.claude/commands/wogi-review-fix.md

@@ -0,0 +1,241 @@
+Comprehensive code review with **automatic fixing**. Runs the full `/wogi-review` process, then automatically fixes all identified issues and re-verifies.
+
+**Triggers**: `/wogi-review-fix`, "review and fix", "fix all issues"
+
+## Usage
+
+```bash
+/wogi-review-fix              # Review + auto-fix all issues
+/wogi-review-fix --dry-run    # Show what would be fixed (no changes)
+/wogi-review-fix --no-verify  # Skip re-verification after fixes
+/wogi-review-fix --commits 3  # Review last 3 commits + fix
+```
+
+## How It Works
+
+```
+┌─────────────────────────────────────────────────────────────┐
+│  /wogi-review-fix                                            │
+├─────────────────────────────────────────────────────────────┤
+│  PHASE 1: REVIEW (same as /wogi-review)                      │
+│     1. Identify changed files (git diff)                     │
+│     2. Run verification gates (lint, typecheck, tests)       │
+│     3. Run AI review (parallel or multi-pass)                │
+│     4. Consolidate findings                                  │
+│                                                              │
+│  PHASE 2: AUTO-FIX                                           │
+│     5. Categorize issues (auto-fixable vs manual)            │
+│     6. For each auto-fixable issue:                          │
+│        → Read file                                           │
+│        → Apply fix                                           │
+│        → Verify syntax (node --check)                        │
+│        → Track result                                        │
+│                                                              │
+│  PHASE 3: RE-VERIFY                                          │
+│     7. Run verification gates again                          │
+│     8. Report: Fixed N, Manual M, Verification PASS/FAIL     │
+└─────────────────────────────────────────────────────────────┘
+```
+
+## Auto-Fixable vs Manual Issues
+
+### Auto-Fixable (will be fixed automatically)
+
+| Issue Type | Fix Method |
+|------------|------------|
+| Unused imports | Remove the import line |
+| Console.log in production | Remove or convert to proper logger |
+| Missing try-catch (simple) | Wrap operation in try-catch |
+| Naming convention violation | Rename file/variable to match convention |
+| Missing null check (simple) | Add optional chaining `?.` or guard |
+| Dead code / unreachable | Remove the dead code |
+| Duplicate code (small) | Extract to shared function |
+
+### Manual (will be listed for user attention)
+
+| Issue Type | Why Manual |
+|------------|------------|
+| Logic bugs | Requires understanding intent |
+| Security vulnerabilities | Requires careful review |
+| Architecture issues | Requires design decisions |
+| Breaking API changes | Requires coordination |
+| Complex refactors | Requires validation |
+
+## Execution Steps
+
+### Step 1: Run Full Review
+
+Execute the standard `/wogi-review` process:
+
+```bash
+# Get changed files
+git diff --name-only HEAD
+
+# Run verification gates
+npm run lint 2>&1 | head -50
+npm run typecheck 2>&1 | head -50
+
+# Run AI review (parallel or multi-pass based on file count)
+# Collect all findings with file:line:issue:severity:suggestion
+```
+
+### Step 2: Categorize Findings
+
+After review completes, categorize each finding:
+
+```javascript
+// Example finding structure
+{
+  file: "src/utils.ts",
+  line: 45,
+  issue: "Unused import 'lodash'",
+  severity: "low",
+  category: "unused-import",  // Auto-fixable
+  suggestion: "Remove the unused import"
+}
+```
+
+**Categorization rules:**
+- `unused-import` → Auto-fix
+- `console-log` → Auto-fix
+- `missing-null-check` (single line) → Auto-fix
+- `naming-convention` → Auto-fix
+- `logic-error` → Manual
+- `security-*` → Manual
+- `architecture-*` → Manual
+
+### Step 3: Fix Loop
+
+For each auto-fixable issue, in order of file (to batch edits):
+
+```
+For each file with issues:
+  1. Read the file
+  2. For each issue in this file:
+     a. Apply the fix using Edit tool
+     b. Log: "Fixed: [issue] in [file:line]"
+  3. Verify file syntax: node --check [file] (for JS/TS)
+  4. If syntax fails:
+     - Rollback edit
+     - Move issue to "Manual" list
+     - Log: "Fix failed, moved to manual: [issue]"
+```
+
+### Step 4: Re-Verification
+
+After all fixes applied:
+
+```bash
+# Run verification gates again
+npm run lint 2>&1 | head -50
+npm run typecheck 2>&1 | head -50
+npm run test 2>&1 | head -50  # If tests exist
+
+# Syntax check all modified files
+node --check [modified files]
+```
+
+### Step 5: Summary Report
+
+```
+╔══════════════════════════════════════════════════════════╗
+║  Review + Fix Complete                                    ║
+╚══════════════════════════════════════════════════════════╝
+
+═══════════════════════════════════════════════════════════
+FIXES APPLIED (12 issues)
+═══════════════════════════════════════════════════════════
+✓ src/utils.ts:45 - Removed unused import 'lodash'
+✓ src/api.ts:23 - Removed console.log
+✓ src/api.ts:67 - Added null check
+✓ src/components/Button.tsx:12 - Removed unused import
+... (8 more)
+
+═══════════════════════════════════════════════════════════
+MANUAL ATTENTION NEEDED (3 issues)
+═══════════════════════════════════════════════════════════
+⚠ src/auth.ts:89 - Potential SQL injection (security)
+  → Review: User input not sanitized before query
+⚠ src/api.ts:134 - Race condition (logic)
+  → Review: Async operation may complete out of order
+⚠ src/utils.ts:200 - Breaking API change (architecture)
+  → Review: Function signature changed, check callers
+
+═══════════════════════════════════════════════════════════
+RE-VERIFICATION
+═══════════════════════════════════════════════════════════
+✓ Lint: passed
+✓ TypeCheck: passed
+✓ Syntax: all files valid
+
+═══════════════════════════════════════════════════════════
+SUMMARY
+═══════════════════════════════════════════════════════════
+Total issues found: 15
+Auto-fixed: 12
+Manual review needed: 3
+Verification: PASSED
+
+Files modified: 4
+  • src/utils.ts (3 fixes)
+  • src/api.ts (5 fixes)
+  • src/components/Button.tsx (2 fixes)
+  • src/auth.ts (2 fixes)
+```
+
+## Options
+
+| Flag | Description |
+|------|-------------|
+| `--dry-run` | Show what would be fixed without making changes |
+| `--no-verify` | Skip re-verification after fixes |
+| `--commits N` | Include last N commits in review scope |
+| `--staged` | Only review staged changes |
+| `--skip-manual` | Don't show manual issues in report |
+
+## Dry Run Mode
+
+With `--dry-run`, shows the fix plan without applying:
+
+```
+═══════════════════════════════════════════════════════════
+DRY RUN - WOULD FIX (12 issues)
+═══════════════════════════════════════════════════════════
+• src/utils.ts:45 - Would remove unused import 'lodash'
+• src/api.ts:23 - Would remove console.log
+• src/api.ts:67 - Would add null check: user?.profile
+...
+
+Run without --dry-run to apply these fixes.
+```
+
+## Comparison with /wogi-review
+
+| Aspect | `/wogi-review` | `/wogi-review-fix` |
+|--------|----------------|-------------------|
+| Reviews code | ✓ | ✓ |
+| Lists issues | ✓ | ✓ |
+| Fixes issues | ✗ | ✓ (auto-fixable) |
+| Re-verifies | ✗ | ✓ |
+| End state | Issues listed | Issues resolved |
+
+## When to Use
+
+**Use `/wogi-review`** when:
+- You want to see issues before deciding to fix
+- You're reviewing someone else's code
+- You want to understand the codebase state
+
+**Use `/wogi-review-fix`** when:
+- You want issues fixed immediately
+- You trust the auto-fix for common issues
+- You're cleaning up after a large change
+- You want a "fix everything" single command
+
+## Safety Guarantees
+
+1. **Syntax verification** - Every fix is syntax-checked before moving on
+2. **Rollback on failure** - If a fix breaks syntax, it's reverted
+3. **Manual escalation** - Complex issues are never auto-fixed
+4. **Security issues untouched** - Security findings always require manual review
+5. **Git-friendly** - All changes can be reviewed in `git diff` before commit

package/.workflow/bridges/codex-bridge.js

@@ -0,0 +1,441 @@
+#!/usr/bin/env node
+
+/**
+ * Wogi Flow - Codex CLI Bridge
+ *
+ * Generates AGENTS.md and .codex/config.toml from WogiFlow configuration.
+ * Provides soft parity with Claude Code/Gemini CLI - same rules, same memory,
+ * but enforcement is advisory (Codex lacks pre-operation hooks).
+ */
+
+const fs = require('fs');
+const path = require('path');
+const BaseBridge = require('./base-bridge');
+
+// Try to load Handlebars, fall back to inline templates if not available
+let Handlebars;
+try {
+  Handlebars = require('handlebars');
+} catch {
+  Handlebars = null;
+}
+
+// ============================================================
+// Codex Bridge Class
+// ============================================================
+
+class CodexBridge extends BaseBridge {
+  constructor(options = {}) {
+    super('codex', options);
+  }
+
+  // ==================== Abstract Method Implementations ====================
+
+  getCliFolder() {
+    return '.codex';
+  }
+
+  getRulesFileName() {
+    return 'AGENTS.md';
+  }
+
+  getSkillsPath() {
+    return path.join('.codex', 'skills');
+  }
+
+  getRulesPath() {
+    return path.join('.codex', 'rules');
+  }
+
+  /**
+   * Generate AGENTS.md content
+   */
+  generateRulesContent(config) {
+    const context = this.buildContext(config);
+
+    // Try to use Handlebars template with proper error handling
+    if (Handlebars) {
+      try {
+        const templatePath = path.join(this.projectDir, this.workflowDir, 'templates', 'agents-md.hbs');
+        if (fs.existsSync(templatePath)) {
+          const templateSource = fs.readFileSync(templatePath, 'utf-8');
+          const template = Handlebars.compile(templateSource);
+          return template(context);
+        }
+      } catch (err) {
+        // Template failed - fall through to inline generation
+        this.log(`Template generation failed, using fallback: ${err.message}`);
+      }
+    }
+
+    // Fallback to inline generation
+    return this.generateAgentsMdFallback(context);
+  }
+
+  /**
+   * Codex-specific setup: generate config.toml
+   */
+  async setupCliSpecific(config) {
+    // Generate config.toml
+    const configTomlPath = path.join(this.projectDir, this.getCliFolder(), 'config.toml');
+    const configTomlContent = this.generateConfigToml(config);
+    fs.writeFileSync(configTomlPath, configTomlContent);
+    this.log('Generated .codex/config.toml');
+
+    // Convert Claude skills to Codex format
+    this.convertAndSyncSkills();
+  }
+
+  // ==================== Codex-Specific Methods ====================
+
+  /**
+   * Build template context
+   */
+  buildContext(config) {
+    // Load decisions.md for coding rules
+    const decisionsPath = path.join(this.projectDir, this.workflowDir, 'state', 'decisions.md');
+    let decisions = '';
+    try {
+      decisions = fs.readFileSync(decisionsPath, 'utf-8');
+    } catch (err) {
+      // File may not exist or be unreadable - continue with empty decisions
+      if (err.code !== 'ENOENT') {
+        this.log(`Failed to read decisions.md: ${err.message}`);
+      }
+    }
+
+    // Get installed skills
+    const skills = config.skills?.installed || [];
+
+    return {
+      projectName: path.basename(this.projectDir),
+      projectRoot: this.projectDir,
+      timestamp: new Date().toISOString(),
+      config,
+      decisions,
+      skills,
+      enforcement: config.enforcement || {},
+      research: config.research || {},
+      qualityGates: config.qualityGates || {},
+      commits: config.commits || {}
+    };
+  }
+
+  /**
+   * Fallback AGENTS.md generation (no Handlebars)
+   */
+  generateAgentsMdFallback(context) {
+    const lines = [];
+
+    lines.push('# WogiFlow Project Instructions');
+    lines.push('');
+    lines.push(`> Generated by WogiFlow Codex Bridge - ${context.timestamp}`);
+    lines.push('');
+    lines.push('## Core Principles');
+    lines.push('');
+    lines.push('1. **State files are memory** - Read `.workflow/state/` first');
+    lines.push('2. **Config drives behavior** - Follow `.workflow/config.json` rules');
+    lines.push('3. **Log every change** - Append to `request-log.md`');
+    lines.push('4. **Reuse components** - Check `app-map.md` before creating');
+    lines.push('5. **Learn from feedback** - Update instructions when corrected');
+    lines.push('');
+
+    // Task Gating
+    if (context.enforcement?.strictMode) {
+      lines.push('## Task Gating (MANDATORY)');
+      lines.push('');
+      lines.push('**STOP. Before ANY implementation:**');
+      lines.push('1. Check `.workflow/state/ready.json` for existing tasks');
+      lines.push('2. If no task exists, create one with `/wogi-story`');
+      lines.push('3. Start with `/wogi-start TASK-XXX`');
+      lines.push('');
+    }
+
+    // Research Protocol
+    if (context.research?.enabled) {
+      lines.push('## Research Protocol');
+      lines.push('');
+      lines.push('For capability/feasibility/existence questions:');
+      lines.push('1. Search local files thoroughly (Glob, Grep)');
+      lines.push('2. Web search for current documentation');
+      lines.push('3. List assumptions and verify each');
+      lines.push('4. Cite sources for all claims');
+      lines.push('5. State confidence level (HIGH/MEDIUM/LOW)');
+      lines.push('');
+      lines.push('**FORBIDDEN:** Claiming "X doesn\'t exist" without exhaustive search.');
+      lines.push('');
+    }
+
+    // Essential Commands
+    lines.push('## Essential Commands');
+    lines.push('');
+    lines.push('| Command | Purpose |');
+    lines.push('|---------|---------|');
+    lines.push('| `/wogi-ready` | Show available tasks |');
+    lines.push('| `/wogi-start TASK-X` | Start task with context |');
+    lines.push('| `/wogi-story "title"` | Create story with AC |');
+    lines.push('| `/wogi-status` | Project overview |');
+    lines.push('| `/wogi-research "q"` | Research before answering |');
+    lines.push('');
+
+    // Request Logging
+    lines.push('## Request Logging');
+    lines.push('');
+    lines.push('After EVERY request that changes files:');
+    lines.push('```markdown');
+    lines.push('### R-[XXX] | [YYYY-MM-DD HH:MM]');
+    lines.push('**Type**: new | fix | change | refactor');
+    lines.push('**Tags**: #screen:[name] #component:[name]');
+    lines.push('**Request**: "[what user asked]"');
+    lines.push('**Result**: [what was done]');
+    lines.push('**Files**: [files changed]');
+    lines.push('```');
+    lines.push('');
+
+    // Component Reuse
+    lines.push('## Component Reuse');
+    lines.push('');
+    lines.push('**Before creating ANY component:**');
+    lines.push('1. Check `app-map.md`');
+    lines.push('2. Search codebase for existing');
+    lines.push('3. Priority: Use existing → Add variant → Extend → Create new');
+    lines.push('');
+
+    // File Locations
+    lines.push('## File Locations');
+    lines.push('');
+    lines.push('| What | Where |');
+    lines.push('|------|-------|');
+    lines.push('| Config | `.workflow/config.json` |');
+    lines.push('| Tasks | `.workflow/state/ready.json` |');
+    lines.push('| Logs | `.workflow/state/request-log.md` |');
+    lines.push('| Components | `.workflow/state/app-map.md` |');
+    lines.push('| Rules | `.workflow/state/decisions.md` |');
+    lines.push('');
+
+    lines.push('---');
+    lines.push('');
+    lines.push('*Note: Enforcement is advisory. Codex lacks pre-operation hooks.*');
+
+    return lines.join('\n');
+  }
+
+  /**
+   * Generate .codex/config.toml content
+   */
+  generateConfigToml(config) {
+    const context = this.buildContext(config);
+
+    // Try to use Handlebars template with proper error handling
+    if (Handlebars) {
+      try {
+        const templatePath = path.join(this.projectDir, this.workflowDir, 'templates', 'codex-config.hbs');
+        if (fs.existsSync(templatePath)) {
+          const templateSource = fs.readFileSync(templatePath, 'utf-8');
+          const template = Handlebars.compile(templateSource);
+          return template(context);
+        }
+      } catch (err) {
+        // Template failed - fall through to inline generation
+        this.log(`Config template failed, using fallback: ${err.message}`);
+      }
+    }
+
+    // Fallback to inline generation
+    return this.generateConfigTomlFallback(context);
+  }
+
+  /**
+   * Fallback config.toml generation
+   */
+  generateConfigTomlFallback(context) {
+    const lines = [];
+
+    lines.push('# WogiFlow Codex Configuration');
+    lines.push(`# Generated: ${context.timestamp}`);
+    lines.push('');
+
+    // Approvals - safer default
+    lines.push('[approvals]');
+    lines.push('mode = "on-request"');
+    lines.push('');
+
+    // MCP Servers
+    lines.push('[mcp_servers.wogiflow_memory]');
+    lines.push('command = "node"');
+    lines.push(`args = ["mcp-memory-server/index.js"]`);
+    lines.push(`cwd = "${context.projectRoot}"`);
+    lines.push('');
+
+    // Features
+    lines.push('[features]');
+    lines.push('child_agents_md = true');
+    lines.push('');
+
+    // Fallback filenames
+    lines.push('project_doc_fallback_filenames = ["CLAUDE.md", "GEMINI.md"]');
+    lines.push('');
+
+    return lines.join('\n');
+  }
+
+  /**
+   * Convert Claude skills to Codex SKILL.md format
+   */
+  convertAndSyncSkills() {
+    const claudeSkillsDir = path.join(this.projectDir, '.claude', 'skills');
+    const codexSkillsDir = path.join(this.projectDir, this.getSkillsPath());
+
+    if (!fs.existsSync(claudeSkillsDir)) {
+      this.log('No Claude skills to convert');
+      return;
+    }
+
+    // Ensure Codex skills directory exists with explicit permissions
+    if (!fs.existsSync(codexSkillsDir)) {
+      fs.mkdirSync(codexSkillsDir, { recursive: true, mode: 0o755 });
+    }
+
+    let skillDirs;
+    try {
+      skillDirs = fs.readdirSync(claudeSkillsDir, { withFileTypes: true })
+        .filter(d => d.isDirectory())
+        .map(d => d.name);
+    } catch (err) {
+      this.log(`Failed to read skills directory: ${err.message}`);
+      return;
+    }
+
+    let converted = 0;
+    let skipped = 0;
+
+    for (const skillName of skillDirs) {
+      try {
+        // SECURITY: Validate skillName to prevent path traversal
+        // path.basename() removes any directory components (../, etc.)
+        const safeSkillName = path.basename(skillName);
+        if (safeSkillName !== skillName) {
+          this.log(`Skipping suspicious skill name: ${skillName}`);
+          skipped++;
+          continue;
+        }
+
+        // Additional validation: only alphanumeric, dash, underscore
+        if (!/^[a-zA-Z0-9_-]+$/.test(safeSkillName)) {
+          this.log(`Skipping skill with invalid characters: ${skillName}`);
+          skipped++;
+          continue;
+        }
+
+        const claudeSkillMd = path.join(claudeSkillsDir, safeSkillName, 'skill.md');
+
+        if (fs.existsSync(claudeSkillMd)) {
+          const content = fs.readFileSync(claudeSkillMd, 'utf-8');
+          const codexContent = this.convertSkillToCodex(safeSkillName, content);
+
+          // Create Codex skill directory with explicit permissions
+          const codexSkillDir = path.join(codexSkillsDir, safeSkillName);
+          if (!fs.existsSync(codexSkillDir)) {
+            fs.mkdirSync(codexSkillDir, { recursive: true, mode: 0o755 });
+          }
+
+          // Write SKILL.md (Codex format)
+          fs.writeFileSync(path.join(codexSkillDir, 'SKILL.md'), codexContent);
+          this.log(`Converted skill: ${safeSkillName}`);
+          converted++;
+        }
+      } catch (err) {
+        // Log error but continue with other skills
+        this.log(`Failed to convert skill ${skillName}: ${err.message}`);
+        skipped++;
+      }
+    }
+
+    if (converted > 0 || skipped > 0) {
+      this.log(`Skill sync complete: ${converted} converted, ${skipped} skipped`);
+    }
+  }
+
+  /**
+   * Convert a Claude skill.md to Codex SKILL.md format
+   */
+  convertSkillToCodex(skillName, claudeContent) {
+    const lines = [];
+
+    // Parse Claude frontmatter if present
+    let description = `WogiFlow ${skillName} skill`;
+    let body = claudeContent;
+
+    const frontmatterMatch = claudeContent.match(/^---\n([\s\S]*?)\n---\n([\s\S]*)$/);
+    if (frontmatterMatch) {
+      const frontmatter = frontmatterMatch[1];
+      body = frontmatterMatch[2].trim();
+
+      const descMatch = frontmatter.match(/description:\s*["']?([^"'\n]+)["']?/);
+      if (descMatch) {
+        description = descMatch[1];
+      }
+    }
+
+    // Generate Codex SKILL.md format
+    lines.push('---');
+    lines.push(`name: ${skillName}`);
+    lines.push(`description: ${description}`);
+    lines.push('metadata:');
+    lines.push(`  short-description: ${description.slice(0, 50)}`);
+    lines.push(`  source: wogi-flow`);
+    lines.push('---');
+    lines.push('');
+    lines.push(body);
+
+    return lines.join('\n');
+  }
+}
+
+// ============================================================
+// Module Exports
+// ============================================================
+
+module.exports = CodexBridge;
+
+// CLI interface if run directly
+if (require.main === module) {
+  const args = process.argv.slice(2);
+  const command = args[0];
+
+  const bridge = new CodexBridge({ verbose: true });
+
+  switch (command) {
+    case 'sync':
+      bridge.sync().then(results => {
+        console.log('');
+        console.log('Codex Bridge Sync Results:');
+        console.log(`  Success: ${results.success}`);
+        console.log(`  Duration: ${results.duration}ms`);
+        console.log(`  Synced: ${results.synced.join(', ')}`);
+        if (results.errors.length > 0) {
+          console.log(`  Errors: ${results.errors.map(e => e.error).join(', ')}`);
+        }
+      });
+      break;
+
+    case 'status':
+      const agentsMdExists = fs.existsSync(path.join(process.cwd(), 'AGENTS.md'));
+      const configTomlExists = fs.existsSync(path.join(process.cwd(), '.codex', 'config.toml'));
+
+      console.log('Codex Bridge Status:');
+      console.log(`  AGENTS.md: ${agentsMdExists ? '✓ exists' : '✗ missing'}`);
+      console.log(`  .codex/config.toml: ${configTomlExists ? '✓ exists' : '✗ missing'}`);
+      break;
+
+    default:
+      console.log('WogiFlow Codex Bridge');
+      console.log('');
+      console.log('Commands:');
+      console.log('  sync     Sync WogiFlow config to Codex format');
+      console.log('  status   Check current Codex configuration');
+      console.log('');
+      console.log('Usage:');
+      console.log('  node .workflow/bridges/codex-bridge.js sync');
+  }
+}