fix

Author: zbeyens

.claude/.skiller.json

@@ -399,8 +399,24 @@
         "pluginId": "compound-engineering@every-marketplace",
         "pluginVersion": "2.40.0",
         "sourceKind": "skill",
-        "sourceRelPath": "skills/generate_command",
-        "destRelPath": "generate_command"
+        "sourceRelPath": "skills/git-clean-gone-branches",
+        "destRelPath": "git-clean-gone-branches"
+      },
+      {
+        "sourceType": "plugin",
+        "pluginId": "compound-engineering@every-marketplace",
+        "pluginVersion": "2.40.0",
+        "sourceKind": "skill",
+        "sourceRelPath": "skills/git-commit-push-pr",
+        "destRelPath": "git-commit-push-pr"
+      },
+      {
+        "sourceType": "plugin",
+        "pluginId": "compound-engineering@every-marketplace",
+        "pluginVersion": "2.40.0",
+        "sourceKind": "skill",
+        "sourceRelPath": "skills/git-commit",
+        "destRelPath": "git-commit"
       },
       {
         "sourceType": "plugin",
@@ -498,6 +514,14 @@
         "sourceRelPath": "agents/review/maintainability-reviewer.md",
         "destRelPath": "maintainability-reviewer"
       },
+      {
+        "sourceType": "plugin",
+        "pluginId": "compound-engineering@every-marketplace",
+        "pluginVersion": "2.40.0",
+        "sourceKind": "skill",
+        "sourceRelPath": "skills/onboarding",
+        "destRelPath": "onboarding"
+      },
       {
         "sourceType": "plugin",
         "pluginId": "compound-engineering@every-marketplace",
@@ -615,8 +639,8 @@
         "pluginId": "compound-engineering@every-marketplace",
         "pluginVersion": "2.40.0",
         "sourceKind": "skill",
-        "sourceRelPath": "skills/resolve-pr-parallel",
-        "destRelPath": "resolve-pr-parallel"
+        "sourceRelPath": "skills/resolve-pr-feedback",
+        "destRelPath": "resolve-pr-feedback"
       },
       {
         "sourceType": "plugin",

.codex/skills/ce-compound/SKILL.md

@@ -427,7 +427,6 @@ Based on problem type, these agents can enhance documentation:
 ### When to Invoke
 - **Auto-triggered** (optional): Agents can run post-documentation for enhancement
 - **Manual trigger**: User can invoke agents after /ce:compound completes for deeper review
-- **Customize agents**: Edit `compound-engineering.local.md` or invoke the `setup` skill to configure which review agents are used across all workflows
 
 ## Related Commands
 

.codex/skills/ce-review/SKILL.md

@@ -73,7 +73,7 @@ Routing rules:
 
 ## Reviewers
 
-8 personas in two tiers, plus CE-specific agents. See [persona-catalog.md](./references/persona-catalog.md) for the full catalog.
+13 reviewer personas in layered conditionals, plus CE-specific agents. See [persona-catalog.md](./references/persona-catalog.md) for the full catalog.
 
 **Always-on (every review):**
 
@@ -85,7 +85,7 @@ Routing rules:
 | `compound-engineering:review:agent-native-reviewer` | Verify new features are agent-accessible |
 | `compound-engineering:research:learnings-researcher` | Search docs/solutions/ for past issues related to this PR |
 
-**Conditional (selected per diff):**
+**Cross-cutting conditional (selected per diff):**
 
 | Agent | Select when diff touches... |
 |-------|---------------------------|
@@ -95,6 +95,16 @@ Routing rules:
 | `compound-engineering:review:data-migrations-reviewer` | Migrations, schema changes, backfills |
 | `compound-engineering:review:reliability-reviewer` | Error handling, retries, timeouts, background jobs |
 
+**Stack-specific conditional (selected per diff):**
+
+| Agent | Select when diff touches... |
+|-------|---------------------------|
+| `compound-engineering:review:dhh-rails-reviewer` | Rails architecture, service objects, session/auth choices, or Hotwire-vs-SPA boundaries |
+| `compound-engineering:review:kieran-rails-reviewer` | Rails application code where conventions, naming, and maintainability are in play |
+| `compound-engineering:review:kieran-python-reviewer` | Python modules, endpoints, scripts, or services |
+| `compound-engineering:review:kieran-typescript-reviewer` | TypeScript components, services, hooks, utilities, or shared types |
+| `compound-engineering:review:julik-frontend-races-reviewer` | Stimulus/Turbo controllers, DOM events, timers, animations, or async UI flows |
+
 **CE conditional (migration-specific):**
 
 | Agent | Select when diff includes migration files |
@@ -104,7 +114,7 @@ Routing rules:
 
 ## Review Scope
 
-Every review spawns all 3 always-on personas plus the 2 CE always-on agents, then adds applicable conditionals. The tier model naturally right-sizes: a small config change triggers 0 conditionals = 5 reviewers. A large auth feature triggers security + maybe reliability = 7 reviewers.
+Every review spawns all 3 always-on personas plus the 2 CE always-on agents, then adds whichever cross-cutting and stack-specific conditionals fit the diff. The model naturally right-sizes: a small config change triggers 0 conditionals = 5 reviewers. A Rails auth feature might trigger security + reliability + kieran-rails + dhh-rails = 9 reviewers.
 
 ## Protected Artifacts
 
@@ -314,7 +324,9 @@ Pass this to every reviewer in their spawn prompt. Intent shapes *how hard each
 
 ### Stage 3: Select reviewers
 
-Read the diff and file list from Stage 1. The 3 always-on personas and 2 CE always-on agents are automatic. For each conditional persona in [persona-catalog.md](./references/persona-catalog.md), decide whether the diff warrants it. This is agent judgment, not keyword matching.
+Read the diff and file list from Stage 1. The 3 always-on personas and 2 CE always-on agents are automatic. For each cross-cutting and stack-specific conditional persona in [persona-catalog.md](./references/persona-catalog.md), decide whether the diff warrants it. This is agent judgment, not keyword matching.
+
+Stack-specific personas are additive. A Rails UI change may warrant `kieran-rails` plus `julik-frontend-races`; a TypeScript API diff may warrant `kieran-typescript` plus `api-contract` and `reliability`.
 
 For CE conditional agents, check if the diff includes files matching `db/migrate/*.rb`, `db/schema.rb`, or data backfill scripts.
 
@@ -328,6 +340,8 @@ Review team:
 - agent-native-reviewer (always)
 - learnings-researcher (always)
 - security -- new endpoint in routes.rb accepts user-provided redirect URL
+- kieran-rails -- controller and Turbo flow changed in app/controllers and app/views
+- dhh-rails -- diff adds service objects around ordinary Rails CRUD
 - data-migrations -- adds migration 20260303_add_index_to_orders
 - schema-drift-detector -- migration files present
 ```
@@ -408,9 +422,11 @@ Before delivering the review, verify:
 5. **Protected artifacts are respected.** Discard any findings that recommend deleting or gitignoring files in `docs/brainstorms/`, `docs/plans/`, or `docs/solutions/`.
 6. **Findings don't duplicate linter output.** Don't flag things the project's linter/formatter would catch (missing semicolons, wrong indentation). Focus on semantic issues.
 
-## Language-Agnostic
+## Language-Aware Conditionals
+
+This skill uses stack-specific reviewer agents when the diff clearly warrants them. Keep those agents opinionated. They are not generic language checkers; they add a distinct review lens on top of the always-on and cross-cutting personas.
 
-This skill does NOT use language-specific reviewer agents. Persona reviewers adapt their criteria to the language/framework based on project context (loaded automatically). This keeps the skill simple and avoids maintaining parallel reviewers per language.
+Do not spawn them mechanically from file extensions alone. The trigger is meaningful changed behavior, architecture, or UI state in that stack.
 
 ## After Review
 

.codex/skills/ce-review/references/persona-catalog.md

@@ -1,6 +1,6 @@
 # Persona Catalog
 
-8 reviewer personas organized in two tiers, plus CE-specific agents. The orchestrator uses this catalog to select which reviewers to spawn for each review.
+13 reviewer personas organized into always-on, cross-cutting conditional, and stack-specific conditional layers, plus CE-specific agents. The orchestrator uses this catalog to select which reviewers to spawn for each review.
 
 ## Always-on (3 personas + 2 CE agents)
 
@@ -33,6 +33,18 @@ Spawned when the orchestrator identifies relevant patterns in the diff. The orch
 | `data-migrations` | `compound-engineering:review:data-migrations-reviewer` | Migration files, schema changes, backfill scripts, data transformations |
 | `reliability` | `compound-engineering:review:reliability-reviewer` | Error handling, retry logic, circuit breakers, timeouts, background jobs, async handlers, health checks |
 
+## Stack-Specific Conditional (5 personas)
+
+These reviewers keep their original opinionated lens. They are additive with the cross-cutting personas above, not replacements for them.
+
+| Persona | Agent | Select when diff touches... |
+|---------|-------|---------------------------|
+| `dhh-rails` | `compound-engineering:review:dhh-rails-reviewer` | Rails architecture, service objects, authentication/session choices, Hotwire-vs-SPA boundaries, or abstractions that may fight Rails conventions |
+| `kieran-rails` | `compound-engineering:review:kieran-rails-reviewer` | Rails controllers, models, views, jobs, components, routes, or other application-layer Ruby code where clarity and conventions matter |
+| `kieran-python` | `compound-engineering:review:kieran-python-reviewer` | Python modules, endpoints, services, scripts, or typed domain code |
+| `kieran-typescript` | `compound-engineering:review:kieran-typescript-reviewer` | TypeScript components, services, hooks, utilities, or shared types |
+| `julik-frontend-races` | `compound-engineering:review:julik-frontend-races-reviewer` | Stimulus/Turbo controllers, DOM event wiring, timers, async UI flows, animations, or frontend state transitions with race potential |
+
 ## CE Conditional Agents (migration-specific)
 
 These CE-native agents provide specialized analysis beyond what the persona agents cover. Spawn them when the diff includes database migrations, schema.rb, or data backfills.
@@ -45,6 +57,7 @@ These CE-native agents provide specialized analysis beyond what the persona agen
 ## Selection rules
 
 1. **Always spawn all 3 always-on personas** plus the 2 CE always-on agents.
-2. **For each conditional persona**, the orchestrator reads the diff and decides whether the persona's domain is relevant. This is a judgment call, not a keyword match.
-3. **For CE conditional agents**, spawn when the diff includes migration files (`db/migrate/*.rb`, `db/schema.rb`) or data backfill scripts.
-4. **Announce the team** before spawning with a one-line justification per conditional reviewer selected.
+2. **For each cross-cutting conditional persona**, the orchestrator reads the diff and decides whether the persona's domain is relevant. This is a judgment call, not a keyword match.
+3. **For each stack-specific conditional persona**, use file types and changed patterns as a starting point, then decide whether the diff actually introduces meaningful work for that reviewer. Do not spawn language-specific reviewers just because one config or generated file happens to match the extension.
+4. **For CE conditional agents**, spawn when the diff includes migration files (`db/migrate/*.rb`, `db/schema.rb`) or data backfill scripts.
+5. **Announce the team** before spawning with a one-line justification per conditional reviewer selected.

.codex/skills/ce-work-beta/SKILL.md

@@ -244,11 +244,9 @@ This command takes a work document (plan, specification, or todo file) and execu
    # Use linting-agent before pushing to origin
    ```
 
-2. **Consider Reviewer Agents** (Optional)
+2. **Consider Code Review** (Optional)
 
-   Use for complex, risky, or large changes. Read agents from `compound-engineering.local.md` frontmatter (`review_agents`). If no settings file, invoke the `setup` skill to create one.
-
-   Run configured agents in parallel with Task tool. Present findings and address critical issues.
+   Use for complex, risky, or large changes. Load the `ce:review` skill with `mode:autofix` to fix safe issues and flag the rest before shipping.
 
 3. **Final Validation**
    - All tasks marked completed
@@ -470,7 +468,7 @@ When external delegation is active, follow this workflow for each tagged task. D
 
    Verify the delegate CLI is installed. If not found, print "Delegate CLI not installed - continuing with standard mode." and proceed normally.
 
-2. **Build prompt** — For each task, assemble a prompt from the plan's implementation unit (Goal, Files, Approach, Conventions from `compound-engineering.local.md`). Include rules: no git commits, no PRs, run `git status` and `git diff --stat` when done. Never embed credentials or tokens in the prompt - pass auth through environment variables.
+2. **Build prompt** — For each task, assemble a prompt from the plan's implementation unit (Goal, Files, Approach, Conventions from project CLAUDE.md/AGENTS.md). Include rules: no git commits, no PRs, run `git status` and `git diff --stat` when done. Never embed credentials or tokens in the prompt - pass auth through environment variables.
 
 3. **Write prompt to file** — Save the assembled prompt to a unique temporary file to avoid shell quoting issues and cross-task races. Use a unique filename per task.
 

.codex/skills/ce-work/SKILL.md

@@ -235,11 +235,9 @@ This command takes a work document (plan, specification, or todo file) and execu
    # Use linting-agent before pushing to origin
    ```
 
-2. **Consider Reviewer Agents** (Optional)
+2. **Consider Code Review** (Optional)
 
-   Use for complex, risky, or large changes. Read agents from `compound-engineering.local.md` frontmatter (`review_agents`). If no settings file, invoke the `setup` skill to create one.
-
-   Run configured agents in parallel with Task tool. Present findings and address critical issues.
+   Use for complex, risky, or large changes. Load the `ce:review` skill with `mode:autofix` to fix safe issues and flag the rest before shipping.
 
 3. **Final Validation**
    - All tasks marked completed

.codex/skills/claude-permissions-optimizer/scripts/extract-commands.mjs

@@ -15,6 +15,7 @@
 import { readdir, readFile, stat } from "node:fs/promises";
 import { join } from "node:path";
 import { homedir } from "node:os";
+import { isRiskFlag, normalize } from "./normalize.mjs";
 
 const args = process.argv.slice(2);
 
@@ -299,127 +300,7 @@ function classify(command) {
   return { tier: "unknown" };
 }
 
-// ── Normalization ──────────────────────────────────────────────────────────
-
-// Risk-modifying flags that must NOT be collapsed into wildcards.
-// Global flags are always preserved; context-specific flags only matter
-// for certain base commands.
-const GLOBAL_RISK_FLAGS = new Set([
-  "--force", "--hard", "-rf", "--privileged", "--no-verify",
-  "--system", "--force-with-lease", "-D", "--force-if-includes",
-  "--volumes", "--rmi", "--rewrite", "--delete",
-]);
-
-// Flags that are only risky for specific base commands.
-// -f means force-push in git, force-remove in docker, but pattern-file in grep.
-// -v means remove-volumes in docker-compose, but verbose everywhere else.
-const CONTEXTUAL_RISK_FLAGS = {
-  "-f": new Set(["git", "docker", "rm"]),
-  "-v": new Set(["docker", "docker-compose"]),
-};
-
-function isRiskFlag(token, base) {
-  if (GLOBAL_RISK_FLAGS.has(token)) return true;
-  // Check context-specific flags
-  const contexts = CONTEXTUAL_RISK_FLAGS[token];
-  if (contexts && base && contexts.has(base)) return true;
-  // Combined short flags containing risk chars: -rf, -fr, -fR, etc.
-  if (/^-[a-zA-Z]*[rf][a-zA-Z]*$/.test(token) && token.length <= 4) return true;
-  return false;
-}
-
-function normalize(command) {
-  // Don't normalize shell injection patterns
-  if (/\|\s*(sh|bash|zsh)\b/.test(command)) return command;
-  // Don't normalize sudo -- keep as-is
-  if (/^sudo\s/.test(command)) return "sudo *";
-
-  // Handle pnpm --filter <pkg> <subcommand> specially
-  const pnpmFilter = command.match(/^pnpm\s+--filter\s+\S+\s+(\S+)/);
-  if (pnpmFilter) return "pnpm --filter * " + pnpmFilter[1] + " *";
-
-  // Handle sed specially -- preserve the mode flag to keep safe patterns narrow.
-  // sed -i (in-place) is destructive; sed -n, sed -e, bare sed are read-only.
-  if (/^sed\s/.test(command)) {
-    if (/\s-i\b/.test(command)) return "sed -i *";
-    const sedFlag = command.match(/^sed\s+(-[a-zA-Z])\s/);
-    return sedFlag ? "sed " + sedFlag[1] + " *" : "sed *";
-  }
-
-  // Handle ast-grep specially -- preserve --rewrite flag.
-  if (/^(ast-grep|sg)\s/.test(command)) {
-    const base = command.startsWith("sg") ? "sg" : "ast-grep";
-    return /\s--rewrite\b/.test(command) ? base + " --rewrite *" : base + " *";
-  }
-
-  // Handle find specially -- preserve key action flags.
-  // find -delete and find -exec rm are destructive; find -name/-type are safe.
-  if (/^find\s/.test(command)) {
-    if (/\s-delete\b/.test(command)) return "find -delete *";
-    if (/\s-exec\s/.test(command)) return "find -exec *";
-    // Extract the first predicate flag for a narrower safe pattern
-    const findFlag = command.match(/\s(-(?:name|type|path|iname))\s/);
-    return findFlag ? "find " + findFlag[1] + " *" : "find *";
-  }
-
-  // Handle git -C <dir> <subcommand> -- strip the -C <dir> and normalize the git subcommand
-  const gitC = command.match(/^git\s+-C\s+\S+\s+(.+)$/);
-  if (gitC) return normalize("git " + gitC[1]);
-
-  // Split on compound operators -- normalize the first command only
-  const compoundMatch = command.match(/^(.+?)\s*(&&|\|\||;)\s*(.+)$/);
-  if (compoundMatch) {
-    return normalize(compoundMatch[1].trim());
-  }
-
-  // Strip trailing pipe chains for normalization (e.g., `cmd | tail -5`)
-  // but preserve pipe-to-shell (already handled by shell injection check above)
-  const pipeMatch = command.match(/^(.+?)\s*\|\s*(.+)$/);
-  if (pipeMatch) {
-    return normalize(pipeMatch[1].trim());
-  }
-
-  // Strip trailing redirections (2>&1, > file, >> file)
-  const cleaned = command.replace(/\s*[12]?>>?\s*\S+\s*$/, "").replace(/\s*2>&1\s*$/, "").trim();
-
-  const parts = cleaned.split(/\s+/);
-  if (parts.length === 0) return command;
-
-  const base = parts[0];
-
-  // For git/docker/gh/npm etc, include the subcommand
-  const multiWordBases = ["git", "docker", "docker-compose", "gh", "npm", "bun",
-    "pnpm", "yarn", "cargo", "pip", "pip3", "bundle", "systemctl", "kubectl"];
-
-  let prefix = base;
-  let argStart = 1;
-
-  if (multiWordBases.includes(base) && parts.length > 1) {
-    prefix = base + " " + parts[1];
-    argStart = 2;
-  }
-
-  // Preserve risk-modifying flags in the remaining args
-  const preservedFlags = [];
-  for (let i = argStart; i < parts.length; i++) {
-    if (isRiskFlag(parts[i], base)) {
-      preservedFlags.push(parts[i]);
-    }
-  }
-
-  // Build the normalized pattern
-  if (parts.length <= argStart && preservedFlags.length === 0) {
-    return prefix; // no args, no flags: e.g., "git status"
-  }
-
-  const flagStr = preservedFlags.length > 0 ? " " + preservedFlags.join(" ") : "";
-  const hasVaryingArgs = parts.length > argStart + preservedFlags.length;
-
-  if (hasVaryingArgs) {
-    return prefix + flagStr + " *";
-  }
-  return prefix + flagStr;
-}
+// ── Normalization (see ./normalize.mjs) ────────────────────────────────────
 
 // ── Session file scanning ──────────────────────────────────────────────────