fix: address 28 PR review items from docs-consistency, CodeRabbit, Copilot

Aureliolo · Aureliolo · commit c4cb4538139e · 2026-04-06T16:45:44.000+02:00
- Hookify: fix regex patterns for pytest (bare pytest) and cd (whitespace bypass)
- OpenCode: remove non-existent .claude/rules/common/ from instructions
- Memory plugin: fix hardcoded path (derive from cwd), add path traversal protection
- Hooks plugin: fix JSON parsing for check_push_rebased, fix error logging
- Shell scripts: fix exit code alignment (check_git_c_cwd exits 2 on deny)
- Block redirects to files (more comprehensive check_bash_no_write)
- Skill: add auto-detection for CodeRabbit processing status
- Agent docs: fix MD022 (blank lines around headings)
diff --git a/.claude/hookify.enforce-parallel-tests.md b/.claude/hookify.enforce-parallel-tests.md
@@ -5,7 +5,7 @@ event: bash
 conditions:
   - field: command
     operator: regex_match
-    pattern: (?:run\s+pytest|python\s+-m\s+pytest)\b
+    pattern: (?:^|\s)(?:pytest|run\s+pytest|python\s+-m\s+pytest)\b
   - field: command
     operator: not_contains
     pattern: "-n 8"
diff --git a/.claude/hookify.no-cd-prefix.md b/.claude/hookify.no-cd-prefix.md
@@ -2,7 +2,7 @@
 name: no-cd-prefix
 enabled: true
 event: bash
-pattern: ^cd\s+
+pattern: ^\s*cd\s+
 action: block
 ---
 
diff --git a/.claude/skills/aurelio-review-pr/SKILL.md b/.claude/skills/aurelio-review-pr/SKILL.md
@@ -152,31 +152,35 @@ git diff main --name-only
 
 Based on changed files, launch applicable review agents **in parallel** using the Task tool. **Do NOT use `run_in_background`** -- launch them as regular parallel Task calls so results arrive together and the user sees all agents complete before triage begins. Background agents cause confusing late-arriving `task-notification` messages that make it look like you presented triage before agents finished.
 
+> **IMPORTANT - OpenCode Agent Mapping**: When running in OpenCode (not Claude Code), you MUST use these working subagent types. NEVER use the Claude Code plugin names directly -- they will fail with "Unknown agent type".
+
 | Agent | When to launch | subagent_type |
 |---|---|---|
-| **docs-consistency** | **ALWAYS** -- runs on every PR regardless of change type | `pr-review-toolkit:code-reviewer` (custom prompt below) |
-| **code-reviewer** | Any `src_py` or `test_py` | `pr-review-toolkit:code-reviewer` |
-| **python-reviewer** | Any `src_py` or `test_py` | `everything-claude-code:python-reviewer` |
-| **pr-test-analyzer** | `test_py` changed, OR `src_py` changed with no corresponding test changes | `pr-review-toolkit:pr-test-analyzer` |
-| **silent-failure-hunter** | Diff contains `try`, `except`, `raise`, error handling patterns | `pr-review-toolkit:silent-failure-hunter` |
-| **comment-analyzer** | Diff contains docstring changes (`"""`) or significant comment changes | `pr-review-toolkit:comment-analyzer` |
-| **type-design-analyzer** | Diff contains `class ` definitions, `BaseModel`, `TypedDict`, type aliases | `pr-review-toolkit:type-design-analyzer` |
-| **logging-audit** | Any `src_py` changed | `pr-review-toolkit:code-reviewer` (custom prompt below) |
-| **resilience-audit** | Any `src_py` changed | `pr-review-toolkit:code-reviewer` (custom prompt below) |
-| **conventions-enforcer** | Any `src_py` or `test_py` | `pr-review-toolkit:code-reviewer` (custom prompt below) |
-| **security-reviewer** | Files in `src/synthorg/api/`, `src/synthorg/security/`, `src/synthorg/tools/`, `src/synthorg/config/`, `src/synthorg/persistence/`, `src/synthorg/engine/` changed, OR any `web_src` changed, OR diff contains `subprocess`, `eval`, `exec`, `pickle`, `yaml.load`, `sql`, auth/credential patterns | `everything-claude-code:security-reviewer` |
-| **frontend-reviewer** | Any `web_src` or `web_test` | `pr-review-toolkit:code-reviewer` (custom prompt below) |
-| **design-token-audit** | Any `web_src` | `.claude/agents/design-token-audit.md` prompt (scans for density, animation, spacing token violations) |
-| **api-contract-drift** | Any file in `src/synthorg/api/` OR `web/src/api/` OR `src/synthorg/core/enums.py` | `pr-review-toolkit:code-reviewer` (custom prompt below) |
-| **infra-reviewer** | Any `docker`, `ci`, or `infra_config` file | `pr-review-toolkit:code-reviewer` (custom prompt below) |
-| **persistence-reviewer** | Any file in `src/synthorg/persistence/` | `everything-claude-code:database-reviewer` |
-| **test-quality-reviewer** | Any `test_py` or `web_test` | `pr-review-toolkit:pr-test-analyzer` (custom prompt below) |
-| **async-concurrency-reviewer** | Diff contains `async def`, `await`, `asyncio`, `TaskGroup`, `create_task`, `aiosqlite` in `src_py` files | `pr-review-toolkit:code-reviewer` (custom prompt below) |
-| **go-reviewer** | Any `cli_go` | `everything-claude-code:go-reviewer` |
-| **go-security-reviewer** | Any `cli_go` -- diff contains `exec.Command`, `os/exec`, `http`, `os.Remove`, `os.WriteFile`, `filepath`, user-supplied paths | `everything-claude-code:security-reviewer` |
-| **go-conventions-enforcer** | Any `cli_go` | `pr-review-toolkit:code-reviewer` (go-conventions-enforcer custom prompt -- same as in pre-pr-review skill) |
-| **issue-resolution-verifier** | Issue is linked (pre-existing or auto-linked in Phase 2) | `pr-review-toolkit:code-reviewer` (custom prompt below) |
-| **tool-parity-checker** | Any `.claude/` or `.opencode/` or `opencode.json` or `AGENTS.md` or `CLAUDE.md` file changed | `.claude/agents/tool-parity-checker.md` prompt (verifies Claude Code <-> OpenCode config parity) |
+| **docs-consistency** | **ALWAYS** -- runs on every PR regardless of change type | `explore` (use custom prompt below) |
+| **tool-parity-checker** | Any `.claude/` or `.opencode/` or `opencode.json` or `AGENTS.md` or `CLAUDE.md` file changed | `explore` (use custom prompt below) |
+| **code-reviewer** | Any `src_py` or `test_py` | `explore` |
+| **python-reviewer** | Any `src_py` or `test_py` | `explore` |
+| **pr-test-analyzer** | `test_py` changed, OR `src_py` changed with no corresponding test changes | `explore` |
+| **silent-failure-hunter** | Diff contains `try`, `except`, `raise`, error handling patterns | `explore` |
+| **comment-analyzer** | Diff contains docstring changes (`"""`) or significant comment changes | `explore` |
+| **type-design-analyzer** | Diff contains `class ` definitions, `BaseModel`, `TypedDict`, type aliases | `explore` |
+| **logging-audit** | Any `src_py` changed | `explore` (use custom prompt below) |
+| **resilience-audit** | Any `src_py` changed | `explore` (use custom prompt below) |
+| **conventions-enforcer** | Any `src_py` or `test_py` | `explore` (use custom prompt below) |
+| **security-reviewer** | Files in sensitive paths OR any `web_src` changed OR diff contains dangerous patterns | `explore` |
+| **frontend-reviewer** | Any `web_src` or `web_test` | `explore` (use custom prompt below) |
+| **design-token-audit** | Any `web_src` | `explore` |
+| **api-contract-drift** | Any file in `src/synthorg/api/` OR `web/src/api/` OR `src/synthorg/core/enums.py` | `explore` (use custom prompt below) |
+| **infra-reviewer** | Any `docker`, `ci`, or `infra_config` file | `explore` (use custom prompt below) |
+| **persistence-reviewer** | Any file in `src/synthorg/persistence/` | `explore` |
+| **test-quality-reviewer** | Any `test_py` or `web_test` | `explore` (use custom prompt below) |
+| **async-concurrency-reviewer** | Diff contains `async def`, `await`, `asyncio`, `TaskGroup`, `create_task`, `aiosqlite` in `src_py` files | `explore` (use custom prompt below) |
+| **go-reviewer** | Any `cli_go` | `explore` |
+| **go-security-reviewer** | Any `cli_go` with dangerous patterns | `explore` |
+| **go-conventions-enforcer** | Any `cli_go` | `explore` |
+| **issue-resolution-verifier** | Issue is linked (pre-existing or auto-linked in Phase 2) | `explore` (use custom prompt below) |
+
+**If the Task tool fails** (e.g., "Unknown agent type"), fall back to running the check manually using Read/Grep tools on the changed files.
 
 The **issue-resolution-verifier** agent checks whether the PR fully resolves the linked issue. It only runs when an issue is linked -- either from a pre-existing `closes #N` in the PR body, or auto-linked/user-selected during Phase 2's search.
 
@@ -547,10 +551,14 @@ Collect all findings with their severity/confidence scores.
 
 **CRITICAL: Fetch ALL reviewers -- do NOT filter by known bot names.** The set of external reviewers varies per repo and can include any combination of bots (CodeRabbit, Gemini, Copilot, Greptile, etc.) and human reviewers. Always fetch unfiltered results and categorize by author from the response.
 
-**CRITICAL: Wait for all bots to finish processing.** Before triaging, check if any bot reviewer is still processing (e.g. CodeRabbit's "Currently processing" placeholder, or a review with an empty body). If a bot appears to still be processing:
-1. Poll every 30 seconds for up to 3 minutes (6 checks)
-2. If still not ready after 3 minutes, proceed without it and mark its coverage as "pending" in the triage table
-3. After implementing fixes and pushing, re-check for the bot's feedback in Phase 9
+**CRITICAL: Wait for all bots to finish processing.** Before triaging, check if any bot reviewer is still processing:
+1. First check the ISSUE comments (not PR reviews) for bot status - CodeRabbit posts "Currently processing" placeholder there
+2. If found, poll every 30 seconds for up to 3 minutes (6 checks)
+3. After each poll, re-fetch the issue comments to check if processing is complete
+4. If still not ready after 3 minutes, proceed and mark its coverage as "pending" in the triage table
+5. After implementing fixes and pushing, re-check for the bot's feedback in Phase 9
+
+**ALWAYS check both issue comments AND review submissions for bots** -- some bots (CodeRabbit) use issue comments to signal processing status, while others (Gemini, Copilot) use PR review submissions.
 
 Fetch from three GitHub API sources **in parallel** using `gh api` -- **always unfiltered** (no `select(.user.login == ...)` filtering):
 
diff --git a/.opencode/agents/comment-analyzer.md b/.opencode/agents/comment-analyzer.md
@@ -15,32 +15,37 @@ You analyze comments and docstrings for accuracy, completeness, and adherence to
 ## What to Check
 
 ### 1. Docstring Completeness (MEDIUM)
+
 - Public classes missing class-level docstring
 - Public functions missing docstring
 - Missing `Args:` section for functions with parameters
 - Missing `Returns:` section for functions with non-None return
 - Missing `Raises:` section for functions that raise exceptions
 
 ### 2. Docstring Accuracy (HIGH)
+
 - Docstring describes behavior the function no longer implements
 - Parameter names in docstring don't match function signature
 - Return type description doesn't match actual return type
 - Documented exceptions not actually raised (or vice versa)
 - Copy-pasted docstrings from similar functions not updated
 
 ### 3. Google Style Compliance (MEDIUM)
+
 - Wrong docstring format (must be Google style, not NumPy or reST)
 - Missing one-line summary as first line
 - Args/Returns/Raises sections with wrong formatting
 - Multi-line descriptions not properly indented
 
 ### 4. Comment Quality (MEDIUM)
+
 - Comments that just restate the code (`# increment counter` before `counter += 1`)
 - Outdated TODO/FIXME/HACK comments referencing resolved issues
 - Commented-out code blocks (should be removed)
 - Comments explaining "what" instead of "why"
 
 ### 5. Comment Maintenance Risks (LOW)
+
 - Comments referencing specific line numbers (will drift)
 - Comments referencing removed functions or classes
 - Links to external resources that may be dead
@@ -61,7 +66,8 @@ You analyze comments and docstrings for accuracy, completeness, and adherence to
 ## Report Format
 
 For each finding:
-```
+
+```text
 [SEVERITY] file:line -- Category
   Problem: What's wrong with the comment/docstring
   Fix: Corrected version or action needed
diff --git a/.opencode/plugins/memory.ts b/.opencode/plugins/memory.ts
@@ -3,7 +3,7 @@
  *
  * Provides read/write access to the shared MEMORY.md system used by
  * both Claude Code and OpenCode. Memory files live in:
- *   ~/.claude/projects/C--Users-Aurelio-synthorg/memory/
+ *   ~/.claude/projects/<mangled-cwd>/memory/
  *
  * Format (same as Claude Code):
  *   - MEMORY.md: index file with one-line pointers
@@ -13,16 +13,16 @@
 
 import type { Plugin } from "@opencode-ai/plugin";
 import { existsSync, mkdirSync, readFileSync, writeFileSync, unlinkSync } from "fs";
-import { join, basename } from "path";
+import { join, resolve, dirname } from "path";
 import { homedir } from "os";
 
-const MEMORY_DIR = join(
-  homedir(),
-  ".claude",
-  "projects",
-  "C--Users-Aurelio-synthorg",
-  "memory",
-);
+function getMemoryDir(): string {
+  const cwd = process.cwd();
+  const mangled = cwd.replace(/[:/\\]/g, "_").replace(/^_/, "").replace(/_$/, "");
+  return join(homedir(), ".claude", "projects", mangled, "memory");
+}
+
+const MEMORY_DIR = getMemoryDir();
 const MEMORY_INDEX = join(MEMORY_DIR, "MEMORY.md");
 
 interface MemoryEntry {
@@ -112,10 +112,19 @@ export const MemoryPlugin: Plugin = async ({ client, $, app }) => {
             if (!filename) {
               throw new Error("delete_memory requires: filename");
             }
-            const filepath = join(MEMORY_DIR, filename);
+            // Validate: only allow simple filenames, no path traversal
+            const safeName = filename.replace(/[^a-zA-Z0-9_.-]/g, "");
+            if (safeName !== filename || filename.includes("..")) {
+              throw new Error("delete_memory: invalid filename (no path traversal allowed)");
+            }
+            const filepath = resolve(MEMORY_DIR, safeName);
+            // Ensure resolved path is within MEMORY_DIR
+            if (!filepath.startsWith(MEMORY_DIR)) {
+              throw new Error("delete_memory: path traversal detected");
+            }
             if (existsSync(filepath)) {
               unlinkSync(filepath);
-              updateIndex("remove", filename, "", "");
+              updateIndex("remove", safeName, "", "");
             }
             return;
           }
diff --git a/.opencode/plugins/synthorg-hooks.ts b/.opencode/plugins/synthorg-hooks.ts
@@ -4,17 +4,17 @@
  * Mirrors the Claude Code hooks defined in .claude/settings.json and
  * .claude/settings.local.json by calling the same shell scripts.
  *
- * Claude Code hooks:
+ * Committed Claude Code hooks (from .claude/settings.json):
  *   PreToolUse (Bash): scripts/check_push_rebased.sh
- *   PreToolUse (Bash): scripts/check_bash_no_write.sh
- *   PreToolUse (Bash): scripts/check_git_c_cwd.sh
- *   PostToolUse (Edit|Write): scripts/check_web_design_system.py
  *
- * Hookify rules (from .claude/hookify.*.md):
+ * Hookify rules enforced via this plugin (from .claude/hookify.*.md):
  *   block-pr-create: blocks direct `gh pr create`
  *   enforce-parallel-tests: enforces `-n 8` with pytest
  *   no-cd-prefix: blocks `cd` prefix in Bash commands
  *   no-local-coverage: blocks `--cov` flags locally
+ *   check_bash_no_write.sh: blocks file writes via Bash
+ *   check_git_c_cwd.sh: blocks unnecessary git -C to cwd
+ *   check_web_design_system.py: validates design tokens on web file edits
  */
 
 import type { Plugin } from "@opencode-ai/plugin";
@@ -69,8 +69,8 @@ export const SynthOrgHooks: Plugin = async ({ client, $, app }) => {
               );
             }
 
-            // no-cd-prefix: block cd prefix in Bash commands
-            if (/^cd\s+/i.test(command)) {
+            // no-cd-prefix: block cd prefix in Bash commands (with optional leading whitespace)
+            if (/^\s*cd\s+/i.test(command)) {
               throw new Error(
                 "BLOCKED: Do not use `cd` in Bash commands -- it poisons the cwd for all subsequent calls. The working directory is ALREADY set to the project root. Run commands directly. For Go commands: use `go -C cli <command>`. For subdir tools without a `-C`/`--prefix` equivalent: use `bash -c \"cd <dir> && <cmd>\"`.",
               );
@@ -93,8 +93,18 @@ export const SynthOrgHooks: Plugin = async ({ client, $, app }) => {
                 { command },
                 15000,
               );
-              if (result && result.includes("block")) {
-                throw new Error(result);
+              if (result) {
+                try {
+                  const parsed = JSON.parse(result);
+                  if (parsed.hookSpecificOutput?.permissionDecision === "deny") {
+                    throw new Error(parsed.hookSpecificOutput?.permissionDecisionReason || "Push blocked");
+                  }
+                } catch {
+                  // Not JSON or parse error - check for legacy "block" pattern
+                  if (result.includes("block")) {
+                    throw new Error(result);
+                  }
+                }
               }
             }
 
@@ -133,9 +143,10 @@ export const SynthOrgHooks: Plugin = async ({ client, $, app }) => {
                 `python scripts/check_web_design_system.py`,
                 { timeout: 10000, encoding: "utf-8" },
               );
-            } catch {
+            } catch (error: unknown) {
+              const err = error as { message?: string; stderr?: string };
               // Log but don't block -- PostToolUse is advisory
-              console.error("Design system check failed for:", output.args.file_path);
+              console.error("Design system check failed for:", output.args.file_path, "-", err.message || err.stderr || "Unknown error");
             }
           }
         },
diff --git a/opencode.json b/opencode.json
@@ -54,11 +54,7 @@
   "model": "ollama-cloud/minimax-m2.5:cloud",
   "instructions": [
     "CLAUDE.md",
-    ".claude/rules/common/agents.md",
-    ".claude/rules/common/bash.md",
-    ".claude/rules/common/hooks.md",
-    ".claude/rules/common/patterns.md",
-    ".claude/rules/common/performance.md",
+    "AGENTS.md",
     ".claude/hookify.block-pr-create.md",
     ".claude/hookify.enforce-parallel-tests.md",
     ".claude/hookify.function-length.md",
diff --git a/scripts/check_bash_no_write.sh b/scripts/check_bash_no_write.sh
@@ -30,10 +30,16 @@ if printf '%s\n' "$COMMAND" | grep -qE "<<-?\s*'?[A-Za-z_]"; then
     deny "Do not use heredocs (<< EOF) to write files. Use the Write tool to create new files or the Edit tool to modify existing files. Never use Bash for file creation or modification."
 fi
 
-# Output redirection to a file: > file, >> file, > /path, > "./path"
-# Skip >/dev/null, >&2, etc.
-if printf '%s\n' "$COMMAND" | grep -qE '>\s*"?(/[^d>]|\.\.?/|[a-zA-Z]:\\)'; then
-    deny "Do not use shell redirects (> or >>) to write files. Use the Write tool to create new files or the Edit tool to modify existing files. Never use Bash for file creation or modification."
+# Output redirection: > file, >> file, > /path, > "./path", > file.txt
+# Block ALL redirects to files (only allow fd redirects like >&2, 2>&1)
+# This catches: echo > file.txt, cat > foo, > output, etc.
+if printf '%s\n' "$COMMAND" | grep -qE '(^|[|&;])\s*>>?\s*"?[^-]'; then
+    # Extract redirect target to check if it's a file descriptor
+    REDIR=$(printf '%s\n' "$COMMAND" | grep -oE '>>?\s*"?[^|&;<>]+' | head -1 | sed 's/^>>\?["'"'"']*//')
+    # Only allow if it's a file descriptor (>&N or <&N format)
+    if [[ ! "$REDIR" =~ ^&[0-9]+$ ]]; then
+        deny "Do not use shell redirects (> or >>) to write files. Use the Write tool to create new files or the Edit tool to modify existing files. Never use Bash for file creation or modification."
+    fi
 fi
 
 # echo/printf > filename.ext (catches echo "text" > file.txt)
diff --git a/scripts/check_git_c_cwd.sh b/scripts/check_git_c_cwd.sh
@@ -32,5 +32,14 @@ NORM_ARG=$(normalize "$GIT_C_PATH")
 NORM_PWD=$(normalize "$PWD")
 
 if [[ "$NORM_ARG" == "$NORM_PWD" ]]; then
-    echo '{"decision":"block","reason":"BLOCKED: git -C points to the current working directory. Just use git directly -- the Bash tool already runs in the project root."}'
+    cat <<ENDJSON
+{
+  "hookSpecificOutput": {
+    "hookEventName": "PreToolUse",
+    "permissionDecision": "deny",
+    "permissionDecisionReason": "BLOCKED: git -C points to the current working directory. Just use git directly -- the Bash tool already runs in the project root."
+  }
+}
+ENDJSON
+    exit 2
 fi
