wogiflow 1.0.47 → 1.0.49

package/.claude/commands/wogi-research.md

@@ -0,0 +1,223 @@
+# /wogi-research - Zero-Trust Research Protocol
+
+Execute rigorous research before answering questions about capabilities, feasibility, or existence.
+
+## Usage
+
+```
+/wogi-research "Does X support Y?"          # Standard depth
+/wogi-research --quick "Simple question"    # Quick check (5K tokens)
+/wogi-research --deep "Architecture query"  # Deep audit (50K tokens)
+/wogi-research --exhaustive "Critical decision" # Full audit (100K tokens)
+```
+
+## When This is Required
+
+This command is **automatically triggered** (when strict mode is enabled) for:
+
+1. **Capability Questions**: "Does X support Y?", "Can X do Y?"
+2. **Feasibility Questions**: "Is it possible to...", "Can we..."
+3. **Existence Questions**: "Is there a...", "Does X exist?"
+4. **Architecture Questions**: "How does X work?", "How is X structured?"
+5. **Integration Questions**: "How to integrate X with Y?"
+
+## Research Protocol Phases
+
+### Phase 1: Scope Mapping
+- Identify all potentially relevant local files
+- Identify external tools/libraries mentioned
+- Generate search keywords
+- Create `research-scope.json`
+
+### Phase 2: Local Evidence Gathering
+- Read ALL files identified in scope (not just the first match)
+- Extract relevant code snippets and documentation
+- Log findings to research notes
+- **DO NOT SKIP FILES** - partial reading leads to false conclusions
+
+### Phase 3: External Verification
+- For each external tool/library:
+  - Web search: "[tool] documentation [feature] [current year]"
+  - Read official docs (top 3 results minimum)
+  - Extract quotes with URLs
+- **ASSUME training data is 2+ years stale**
+
+### Phase 4: Assumption Check
+- List ALL assumptions made during research
+- Tag each assumption:
+  - `[VERIFIED]` with HIGH confidence + source
+  - `[UNVERIFIED]` with LOW confidence - **MUST be verified before proceeding**
+- Loop back to Phase 2/3 for any unverified assumptions
+
+### Phase 5: Synthesis
+- Generate research report with:
+  - Answer to original question
+  - Evidence chain (every claim → source)
+  - Confidence level (HIGH/MEDIUM/LOW)
+  - Caveats and uncertainties
+  - List of searches performed
+
+## Critical Rules
+
+### The Negative Evidence Rule
+
+**FORBIDDEN conclusions:**
+- "X is not supported"
+- "There is no Y"
+- "It doesn't exist"
+- "X cannot do Y"
+
+**REQUIRED format for negative claims:**
+```
+I searched the following sources and found no evidence of X:
+1. [source 1] - searched for [terms]
+2. [source 2] - searched for [terms]
+3. [official docs URL] - no mention found
+
+However, my search may be incomplete. Before concluding X doesn't exist:
+- Check if there's a different name for this feature
+- Verify with the latest official documentation
+- Consider that the feature may be in development
+```
+
+### The Version Paranoia Rule
+
+For ANY external tool (npm packages, CLIs, APIs, frameworks):
+```
+ASSUME: Training data is 2+ years old
+ACTION: ALWAYS web search "[tool] latest documentation [current year]"
+        BEFORE making capability claims
+```
+
+### The Assumption Stack
+
+Before answering, explicitly list:
+```markdown
+## My Assumptions
+1. [VERIFY] Gemini CLI version supports hooks → Confidence: LOW (training data)
+2. [OK] Project uses JavaScript → Confidence: HIGH (read package.json)
+3. [VERIFY] settings.json format → Confidence: LOW (haven't read docs)
+```
+
+Any assumption marked `[VERIFY]` with `LOW` confidence **MUST** be verified.
+
+## Evidence Chain Format
+
+Every claim needs a traceable source:
+
+```markdown
+| Claim | Source Type | Source Location | Confidence |
+|-------|-------------|-----------------|------------|
+| "Hooks are supported" | Live Docs | github.com/x/docs/hooks | HIGH |
+| "Settings format is X" | File Read | .gemini/settings.json | HIGH |
+| "Feature Y exists" | Training Data | None | LOW - VERIFY |
+```
+
+## Depth Tiers
+
+| Depth | Token Budget | Actions | Use For |
+|-------|--------------|---------|---------|
+| `--quick` | 5K | 1-2 files, no web search | Simple factual lookups |
+| (default) | 20K | All relevant files, 1 web search | Most questions |
+| `--deep` | 50K | Full file audit, multiple web searches | Architecture/feasibility |
+| `--exhaustive` | 100K+ | Everything + user confirmation gates | Production decisions |
+
+## Output
+
+The command generates:
+
+1. **research-report.md** - Full research findings with citations
+2. **Console summary** - Key findings and confidence level
+3. **Cached verifications** - Stored in `.workflow/state/research-cache.json`
+
+## Configuration
+
+In `.workflow/config.json`:
+
+```json
+{
+  "research": {
+    "enabled": true,
+    "defaultDepth": "standard",
+    "strictMode": true,
+    "autoTrigger": true,
+    "maxTokensPerDepth": {
+      "quick": 5000,
+      "standard": 20000,
+      "deep": 50000,
+      "exhaustive": 100000
+    },
+    "requireCitations": true,
+    "cacheVerifications": true,
+    "cacheExpiryHours": 24,
+    "budgetMode": "soft",
+    "negativeEvidenceRule": true,
+    "assumptionTracking": true
+  }
+}
+```
+
+## Examples
+
+### Example 1: Capability Question
+
+```
+User: Does Gemini CLI support hooks?
+
+/wogi-research "Does Gemini CLI support hooks?"
+```
+
+Research output:
+```
+## Research Report
+
+**Question:** Does Gemini CLI support hooks?
+**Depth:** standard
+**Confidence:** HIGH
+
+### Conclusion
+Yes, Gemini CLI supports hooks since version X.
+
+### Evidence Chain
+| Claim | Source | Confidence |
+|-------|--------|------------|
+| Hooks supported | https://github.com/gemini-cli/docs/hooks | HIGH |
+| Configuration in .gemini/settings.json | File read | HIGH |
+
+### Searches Performed
+1. Web: "Gemini CLI hooks documentation 2026"
+2. Local: .gemini/settings.json
+3. Local: .gemini/**/*.md
+```
+
+### Example 2: Architecture Question
+
+```
+User: How does the authentication flow work in this codebase?
+
+/wogi-research --deep "How does the authentication flow work?"
+```
+
+This will:
+1. Search for auth-related files
+2. Read all matches (not just first)
+3. Trace the flow through the codebase
+4. Generate a comprehensive report
+
+## Integration with Hooks
+
+When `research.strictMode` is enabled and `research.autoTrigger` is true:
+- Capability/feasibility questions automatically trigger research
+- Claims without citations are flagged
+- Negative claims require exhaustive search evidence
+
+## CLI Compatibility
+
+This command works across all supported CLIs:
+- Claude Code
+- Gemini CLI
+- Codex (OpenAI)
+- OpenCode
+- Cline/Cursor
+
+State is stored in `.workflow/` for cross-CLI persistence.

package/.claude/commands/wogi-review-fix.md

@@ -0,0 +1,241 @@
+Comprehensive code review with **automatic fixing**. Runs the full `/wogi-review` process, then automatically fixes all identified issues and re-verifies.
+
+**Triggers**: `/wogi-review-fix`, "review and fix", "fix all issues"
+
+## Usage
+
+```bash
+/wogi-review-fix              # Review + auto-fix all issues
+/wogi-review-fix --dry-run    # Show what would be fixed (no changes)
+/wogi-review-fix --no-verify  # Skip re-verification after fixes
+/wogi-review-fix --commits 3  # Review last 3 commits + fix
+```
+
+## How It Works
+
+```
+┌─────────────────────────────────────────────────────────────┐
+│  /wogi-review-fix                                            │
+├─────────────────────────────────────────────────────────────┤
+│  PHASE 1: REVIEW (same as /wogi-review)                      │
+│     1. Identify changed files (git diff)                     │
+│     2. Run verification gates (lint, typecheck, tests)       │
+│     3. Run AI review (parallel or multi-pass)                │
+│     4. Consolidate findings                                  │
+│                                                              │
+│  PHASE 2: AUTO-FIX                                           │
+│     5. Categorize issues (auto-fixable vs manual)            │
+│     6. For each auto-fixable issue:                          │
+│        → Read file                                           │
+│        → Apply fix                                           │
+│        → Verify syntax (node --check)                        │
+│        → Track result                                        │
+│                                                              │
+│  PHASE 3: RE-VERIFY                                          │
+│     7. Run verification gates again                          │
+│     8. Report: Fixed N, Manual M, Verification PASS/FAIL     │
+└─────────────────────────────────────────────────────────────┘
+```
+
+## Auto-Fixable vs Manual Issues
+
+### Auto-Fixable (will be fixed automatically)
+
+| Issue Type | Fix Method |
+|------------|------------|
+| Unused imports | Remove the import line |
+| Console.log in production | Remove or convert to proper logger |
+| Missing try-catch (simple) | Wrap operation in try-catch |
+| Naming convention violation | Rename file/variable to match convention |
+| Missing null check (simple) | Add optional chaining `?.` or guard |
+| Dead code / unreachable | Remove the dead code |
+| Duplicate code (small) | Extract to shared function |
+
+### Manual (will be listed for user attention)
+
+| Issue Type | Why Manual |
+|------------|------------|
+| Logic bugs | Requires understanding intent |
+| Security vulnerabilities | Requires careful review |
+| Architecture issues | Requires design decisions |
+| Breaking API changes | Requires coordination |
+| Complex refactors | Requires validation |
+
+## Execution Steps
+
+### Step 1: Run Full Review
+
+Execute the standard `/wogi-review` process:
+
+```bash
+# Get changed files
+git diff --name-only HEAD
+
+# Run verification gates
+npm run lint 2>&1 | head -50
+npm run typecheck 2>&1 | head -50
+
+# Run AI review (parallel or multi-pass based on file count)
+# Collect all findings with file:line:issue:severity:suggestion
+```
+
+### Step 2: Categorize Findings
+
+After review completes, categorize each finding:
+
+```javascript
+// Example finding structure
+{
+  file: "src/utils.ts",
+  line: 45,
+  issue: "Unused import 'lodash'",
+  severity: "low",
+  category: "unused-import",  // Auto-fixable
+  suggestion: "Remove the unused import"
+}
+```
+
+**Categorization rules:**
+- `unused-import` → Auto-fix
+- `console-log` → Auto-fix
+- `missing-null-check` (single line) → Auto-fix
+- `naming-convention` → Auto-fix
+- `logic-error` → Manual
+- `security-*` → Manual
+- `architecture-*` → Manual
+
+### Step 3: Fix Loop
+
+For each auto-fixable issue, in order of file (to batch edits):
+
+```
+For each file with issues:
+  1. Read the file
+  2. For each issue in this file:
+     a. Apply the fix using Edit tool
+     b. Log: "Fixed: [issue] in [file:line]"
+  3. Verify file syntax: node --check [file] (for JS/TS)
+  4. If syntax fails:
+     - Rollback edit
+     - Move issue to "Manual" list
+     - Log: "Fix failed, moved to manual: [issue]"
+```
+
+### Step 4: Re-Verification
+
+After all fixes applied:
+
+```bash
+# Run verification gates again
+npm run lint 2>&1 | head -50
+npm run typecheck 2>&1 | head -50
+npm run test 2>&1 | head -50  # If tests exist
+
+# Syntax check all modified files
+node --check [modified files]
+```
+
+### Step 5: Summary Report
+
+```
+╔══════════════════════════════════════════════════════════╗
+║  Review + Fix Complete                                    ║
+╚══════════════════════════════════════════════════════════╝
+
+═══════════════════════════════════════════════════════════
+FIXES APPLIED (12 issues)
+═══════════════════════════════════════════════════════════
+✓ src/utils.ts:45 - Removed unused import 'lodash'
+✓ src/api.ts:23 - Removed console.log
+✓ src/api.ts:67 - Added null check
+✓ src/components/Button.tsx:12 - Removed unused import
+... (8 more)
+
+═══════════════════════════════════════════════════════════
+MANUAL ATTENTION NEEDED (3 issues)
+═══════════════════════════════════════════════════════════
+⚠ src/auth.ts:89 - Potential SQL injection (security)
+  → Review: User input not sanitized before query
+⚠ src/api.ts:134 - Race condition (logic)
+  → Review: Async operation may complete out of order
+⚠ src/utils.ts:200 - Breaking API change (architecture)
+  → Review: Function signature changed, check callers
+
+═══════════════════════════════════════════════════════════
+RE-VERIFICATION
+═══════════════════════════════════════════════════════════
+✓ Lint: passed
+✓ TypeCheck: passed
+✓ Syntax: all files valid
+
+═══════════════════════════════════════════════════════════
+SUMMARY
+═══════════════════════════════════════════════════════════
+Total issues found: 15
+Auto-fixed: 12
+Manual review needed: 3
+Verification: PASSED
+
+Files modified: 4
+  • src/utils.ts (3 fixes)
+  • src/api.ts (5 fixes)
+  • src/components/Button.tsx (2 fixes)
+  • src/auth.ts (2 fixes)
+```
+
+## Options
+
+| Flag | Description |
+|------|-------------|
+| `--dry-run` | Show what would be fixed without making changes |
+| `--no-verify` | Skip re-verification after fixes |
+| `--commits N` | Include last N commits in review scope |
+| `--staged` | Only review staged changes |
+| `--skip-manual` | Don't show manual issues in report |
+
+## Dry Run Mode
+
+With `--dry-run`, shows the fix plan without applying:
+
+```
+═══════════════════════════════════════════════════════════
+DRY RUN - WOULD FIX (12 issues)
+═══════════════════════════════════════════════════════════
+• src/utils.ts:45 - Would remove unused import 'lodash'
+• src/api.ts:23 - Would remove console.log
+• src/api.ts:67 - Would add null check: user?.profile
+...
+
+Run without --dry-run to apply these fixes.
+```
+
+## Comparison with /wogi-review
+
+| Aspect | `/wogi-review` | `/wogi-review-fix` |
+|--------|----------------|-------------------|
+| Reviews code | ✓ | ✓ |
+| Lists issues | ✓ | ✓ |
+| Fixes issues | ✗ | ✓ (auto-fixable) |
+| Re-verifies | ✗ | ✓ |
+| End state | Issues listed | Issues resolved |
+
+## When to Use
+
+**Use `/wogi-review`** when:
+- You want to see issues before deciding to fix
+- You're reviewing someone else's code
+- You want to understand the codebase state
+
+**Use `/wogi-review-fix`** when:
+- You want issues fixed immediately
+- You trust the auto-fix for common issues
+- You're cleaning up after a large change
+- You want a "fix everything" single command
+
+## Safety Guarantees
+
+1. **Syntax verification** - Every fix is syntax-checked before moving on
+2. **Rollback on failure** - If a fix breaks syntax, it's reverted
+3. **Manual escalation** - Complex issues are never auto-fixed
+4. **Security issues untouched** - Security findings always require manual review
+5. **Git-friendly** - All changes can be reviewed in `git diff` before commit

package/.claude/docs/commands.md

@@ -141,6 +141,15 @@ When user types these commands, execute the corresponding action immediately.
 |---------|--------|
 | `/wogi-guided-edit` | Guide through multi-file changes step by step. Shows each edit for approval. |
 
+### Research Protocol (Zero-Trust)
+
+| Command | Action |
+|---------|--------|
+| `/wogi-research [question]` | Execute rigorous research before answering capability/feasibility questions. Phases: scope mapping, evidence gathering, external verification, assumption check, synthesis. |
+| `/wogi-research --quick [q]` | Quick research (5K tokens) - 1-2 files, no web search. |
+| `/wogi-research --deep [q]` | Deep research (50K tokens) - full file audit, multiple web searches. |
+| `/wogi-research --exhaustive [q]` | Exhaustive research (100K+ tokens) - everything + user confirmation gates. |
+
 ### Planning & Documentation
 
 | Command | Action |
@@ -312,6 +321,14 @@ npx flow onboard                  # Analyze existing project & set up context
 ./scripts/flow figma confirm <f>  # Interactive confirmation
 ./scripts/flow figma generate     # Generate code from decisions
 ./scripts/flow figma server       # Start MCP server
+
+# Research Protocol
+./scripts/flow research "q"       # Execute research protocol
+./scripts/flow research --quick   # Quick research (5K tokens)
+./scripts/flow research --deep    # Deep research (50K tokens)
+./scripts/flow research --exhaustive # Full audit (100K+ tokens)
+./scripts/flow research cache     # Show cached verifications
+./scripts/flow research cache clear # Clear verification cache
 ```
 
 ## Command Execution

package/.workflow/bridges/base-bridge.js

@@ -109,26 +109,64 @@ class BaseBridge {
 
   /**
    * Safe JSON parse that checks for prototype pollution (fallback when flow-utils unavailable)
+   *
+   * NOTE: This is a fallback implementation. When flow-utils is available,
+   * safeJsonParse from flow-utils is used instead (it performs recursive
+   * validation of the parsed object). This fallback only does pre-parse
+   * string checking which is less comprehensive but better than nothing.
+   *
    * @param {string} content - JSON string to parse
    * @returns {Object|null} Parsed object or null if invalid
    */
   safeJsonParseContent(content) {
-    // Check for prototype pollution attempts (case-insensitive)
-    const contentLower = content.toLowerCase();
-    if (contentLower.includes('__proto__') ||
-        contentLower.includes('constructor') ||
-        contentLower.includes('prototype')) {
-      this.log('Warning: Potential prototype pollution detected in JSON');
+    if (!content || typeof content !== 'string') {
       return null;
     }
 
+    // Check for prototype pollution attempts
+    // These patterns look for dangerous keys that could be used for prototype pollution
+    const dangerousPatterns = [
+      /__proto__/i,
+      /"constructor"\s*:/,
+      /"prototype"\s*:/
+    ];
+
+    for (const pattern of dangerousPatterns) {
+      if (pattern.test(content)) {
+        this.log('Warning: Potential prototype pollution detected in JSON');
+        return null;
+      }
+    }
+
     try {
       const parsed = JSON.parse(content);
       if (parsed === null || typeof parsed !== 'object') {
         return null;
       }
+
+      // Additional check: verify no __proto__ keys in parsed result
+      // (JSON.parse could still create them in some edge cases)
+      const hasProtoKey = (obj) => {
+        if (!obj || typeof obj !== 'object') return false;
+        if (Object.prototype.hasOwnProperty.call(obj, '__proto__')) return true;
+        for (const value of Object.values(obj)) {
+          if (typeof value === 'object' && value !== null && hasProtoKey(value)) {
+            return true;
+          }
+        }
+        return false;
+      };
+
+      if (hasProtoKey(parsed)) {
+        this.log('Warning: __proto__ key detected in parsed JSON');
+        return null;
+      }
+
       return parsed;
-    } catch {
+    } catch (err) {
+      if (process.env.DEBUG) {
+        this.log(`JSON parse error: ${err.message}`);
+      }
       return null;
     }
   }
@@ -164,7 +202,8 @@ class BaseBridge {
   ensureCliFolder() {
     const cliFolder = path.join(this.projectDir, this.getCliFolder());
     if (!fs.existsSync(cliFolder)) {
-      fs.mkdirSync(cliFolder, { recursive: true });
+      // Use explicit permissions (0o755 = rwxr-xr-x) to avoid relying on umask
+      fs.mkdirSync(cliFolder, { recursive: true, mode: 0o755 });
       this.log(`Created ${this.getCliFolder()}/`);
     }
   }
@@ -181,9 +220,9 @@ class BaseBridge {
       return;
     }
 
-    // Ensure target directory exists
+    // Ensure target directory exists with explicit permissions
     if (!fs.existsSync(targetSkillsDir)) {
-      fs.mkdirSync(targetSkillsDir, { recursive: true });
+      fs.mkdirSync(targetSkillsDir, { recursive: true, mode: 0o755 });
     }
 
     // Copy skills
@@ -214,9 +253,9 @@ class BaseBridge {
   syncRules() {
     const rulesDir = path.join(this.projectDir, this.getRulesPath());
 
-    // Ensure rules directory exists
+    // Ensure rules directory exists with explicit permissions
     if (!fs.existsSync(rulesDir)) {
-      fs.mkdirSync(rulesDir, { recursive: true });
+      fs.mkdirSync(rulesDir, { recursive: true, mode: 0o755 });
     }
 
     // Copy any existing rules from .workflow/rules/ if present
@@ -244,9 +283,9 @@ class BaseBridge {
     // Knowledge files to sync
     const knowledgeFiles = ['stack.md', 'architecture.md', 'testing.md'];
 
-    // Ensure CLI docs directory exists
+    // Ensure CLI docs directory exists with explicit permissions
     if (!fs.existsSync(cliDocsDir)) {
-      fs.mkdirSync(cliDocsDir, { recursive: true });
+      fs.mkdirSync(cliDocsDir, { recursive: true, mode: 0o755 });
     }
 
     let syncedCount = 0;
@@ -359,6 +398,76 @@ class BaseBridge {
     return results;
   }
 
+  // ==================== Template Utility Methods ====================
+
+  /**
+   * Load a partial template from .workflow/templates/partials/
+   * @param {string} partialName - Name of the partial (without .hbs extension)
+   * @returns {string} Partial content or empty string if not found
+   */
+  loadPartial(partialName) {
+    const partialPath = path.join(
+      this.projectDir,
+      this.workflowDir,
+      'templates',
+      'partials',
+      `${partialName}.hbs`
+    );
+
+    try {
+      if (fs.existsSync(partialPath)) {
+        return fs.readFileSync(partialPath, 'utf-8');
+      }
+    } catch (err) {
+      this.log(`Warning: Could not load partial ${partialName}: ${err.message}`);
+    }
+    return '';
+  }
+
+  /**
+   * Process partial includes in template content
+   * Replaces {{> partial-name}} with the partial content
+   * @param {string} content - Template content
+   * @returns {string} Content with partials included
+   */
+  processPartials(content) {
+    // Match {{> partial-name}} pattern
+    const partialRegex = /\{\{>\s*([a-zA-Z0-9_-]+)\s*\}\}/g;
+
+    return content.replace(partialRegex, (match, partialName) => {
+      const partialContent = this.loadPartial(partialName);
+      if (!partialContent) {
+        this.log(`Warning: Partial not found: ${partialName}`);
+        return `<!-- Partial not found: ${partialName} -->`;
+      }
+      return partialContent;
+    });
+  }
+
+  /**
+   * Get nested value from config object using dot notation
+   * @param {Object} obj - The object to search
+   * @param {string} path - Dot-separated path (e.g., 'hooks.rules.taskGating')
+   * @returns {*} The value or undefined
+   */
+  getNestedValue(obj, path) {
+    if (!path || typeof path !== 'string') return undefined;
+
+    const parts = path.split('.');
+    let current = obj;
+
+    for (const part of parts) {
+      if (current === null || current === undefined) return undefined;
+      // Security: skip dangerous property names
+      if (part === '__proto__' || part === 'constructor' || part === 'prototype') {
+        return undefined;
+      }
+      current = current[part];
+    }
+
+    return current;
+  }
+
   // ==================== Utility Methods ====================
 
   /**
@@ -366,7 +475,7 @@ class BaseBridge {
    */
   copyDirRecursive(source, target) {
     if (!fs.existsSync(target)) {
-      fs.mkdirSync(target, { recursive: true });
+      fs.mkdirSync(target, { recursive: true, mode: 0o755 });
     }
 
     const items = fs.readdirSync(source);