diff --git a/docs/CREATE-PLAN.md b/docs/CREATE-PLAN.md index 820ca70..74326ae 100644 --- a/docs/CREATE-PLAN.md +++ b/docs/CREATE-PLAN.md @@ -169,7 +169,7 @@ ts= level= state= -s read-only` | Yes (`codex exec resume `) | `-s read-only` | -| `claude` | `claude -p --model --allowedTools Read` | No (fresh call each round) | `--allowedTools Read` | +| `claude` | `claude -p --model --strict-mcp-config --setting-sources user` | No (fresh call each round) | `--strict-mcp-config --setting-sources user` | | `cursor` | `cursor-agent -p --mode=ask --model --trust --output-format json` | Yes (`--resume `) | `--mode=ask` | For all three CLIs, the preferred execution path is: diff --git a/docs/IMPLEMENT-PLAN.md b/docs/IMPLEMENT-PLAN.md index 1ed7f12..bc406f6 100644 --- a/docs/IMPLEMENT-PLAN.md +++ b/docs/IMPLEMENT-PLAN.md @@ -181,7 +181,7 @@ ts= level= state= -s read-only` | Yes (`codex exec resume `) | `-s read-only` | -| `claude` | `claude -p --model --allowedTools Read` | No (fresh call each round) | `--allowedTools Read` | +| `claude` | `claude -p --model --strict-mcp-config --setting-sources user` | No (fresh call each round) | `--strict-mcp-config --setting-sources user` | | `cursor` | `cursor-agent -p --mode=ask --model --trust --output-format json` | Yes (`--resume `) | `--mode=ask` | For all three CLIs, the preferred execution path is: diff --git a/skills/create-plan/claude-code/SKILL.md b/skills/create-plan/claude-code/SKILL.md index ed9c905..dc6ebe5 100644 --- a/skills/create-plan/claude-code/SKILL.md +++ b/skills/create-plan/claude-code/SKILL.md @@ -123,7 +123,10 @@ Do not try to capture the Codex session ID yet. When using the helper, extract i ```bash claude -p \ - "Read the file /tmp/plan-${REVIEW_ID}.md and review the implementation plan. Focus on: + "Review the implementation plan below. Focus on: + +$(cat /tmp/plan-${REVIEW_ID}.md) + 1. Correctness — Will this plan achieve the stated goals? 2. Risks — What could go wrong? Edge cases? Data loss? 3. Missing steps — Is anything forgotten? @@ -133,7 +136,8 @@ claude -p \ Be specific and actionable. If the plan is solid, end with exactly: VERDICT: APPROVED If changes are needed, end with exactly: VERDICT: REVISE" \ --model ${REVIEWER_MODEL} \ - --allowedTools Read + --strict-mcp-config \ + --setting-sources user ``` **If `REVIEWER_CLI` is `cursor`:** @@ -249,7 +253,9 @@ claude -p \ Previous feedback summary: [key points from last review] -I've revised the plan. Updated version is in /tmp/plan-${REVIEW_ID}.md. +I've revised the plan. Updated version is below. + +$(cat /tmp/plan-${REVIEW_ID}.md) Changes made: [List specific changes] @@ -257,7 +263,8 @@ Changes made: Re-review the full plan. If solid, end with: VERDICT: APPROVED If more changes needed, end with: VERDICT: REVISE" \ --model ${REVIEWER_MODEL} \ - --allowedTools Read + --strict-mcp-config \ + --setting-sources user ``` **If `REVIEWER_CLI` is `cursor`:** diff --git a/skills/create-plan/codex/SKILL.md b/skills/create-plan/codex/SKILL.md index 231f700..d3f9e03 100644 --- a/skills/create-plan/codex/SKILL.md +++ b/skills/create-plan/codex/SKILL.md @@ -146,7 +146,10 @@ Do not try to capture the Codex session ID yet. When using the helper, extract i ```bash claude -p \ - "Read the file /tmp/plan-${REVIEW_ID}.md and review the implementation plan. Focus on: + "Review the implementation plan below. Focus on: + +$(cat /tmp/plan-${REVIEW_ID}.md) + 1. Correctness — Will this plan achieve the stated goals? 2. Risks — What could go wrong? Edge cases? Data loss? 3. Missing steps — Is anything forgotten? @@ -156,7 +159,8 @@ claude -p \ Be specific and actionable. If the plan is solid, end with exactly: VERDICT: APPROVED If changes are needed, end with exactly: VERDICT: REVISE" \ --model ${REVIEWER_MODEL} \ - --allowedTools Read + --strict-mcp-config \ + --setting-sources user ``` **If `REVIEWER_CLI` is `cursor`:** @@ -274,7 +278,9 @@ claude -p \ Previous feedback summary: [key points from last review] -I've revised the plan. Updated version is in /tmp/plan-${REVIEW_ID}.md. +I've revised the plan. Updated version is below. + +$(cat /tmp/plan-${REVIEW_ID}.md) Changes made: [List specific changes] @@ -282,7 +288,8 @@ Changes made: Re-review the full plan. If solid, end with: VERDICT: APPROVED If more changes needed, end with: VERDICT: REVISE" \ --model ${REVIEWER_MODEL} \ - --allowedTools Read + --strict-mcp-config \ + --setting-sources user ``` **If `REVIEWER_CLI` is `cursor`:** diff --git a/skills/create-plan/cursor/SKILL.md b/skills/create-plan/cursor/SKILL.md index d5f43ba..dc7e9b7 100644 --- a/skills/create-plan/cursor/SKILL.md +++ b/skills/create-plan/cursor/SKILL.md @@ -152,7 +152,10 @@ Do not try to capture the Codex session ID yet. When using the helper, extract i ```bash claude -p \ - "Read the file /tmp/plan-${REVIEW_ID}.md and review the implementation plan. Focus on: + "Review the implementation plan below. Focus on: + +$(cat /tmp/plan-${REVIEW_ID}.md) + 1. Correctness — Will this plan achieve the stated goals? 2. Risks — What could go wrong? Edge cases? Data loss? 3. Missing steps — Is anything forgotten? @@ -162,7 +165,8 @@ claude -p \ Be specific and actionable. If the plan is solid, end with exactly: VERDICT: APPROVED If changes are needed, end with exactly: VERDICT: REVISE" \ --model ${REVIEWER_MODEL} \ - --allowedTools Read + --strict-mcp-config \ + --setting-sources user ``` **If `REVIEWER_CLI` is `cursor`:** @@ -284,7 +288,9 @@ claude -p \ Previous feedback summary: [key points from last review] -I've revised the plan. Updated version is in /tmp/plan-${REVIEW_ID}.md. +I've revised the plan. Updated version is below. + +$(cat /tmp/plan-${REVIEW_ID}.md) Changes made: [List specific changes] @@ -292,7 +298,8 @@ Changes made: Re-review the full plan. If solid, end with: VERDICT: APPROVED If more changes needed, end with: VERDICT: REVISE" \ --model ${REVIEWER_MODEL} \ - --allowedTools Read + --strict-mcp-config \ + --setting-sources user ``` **If `REVIEWER_CLI` is `cursor`:** diff --git a/skills/create-plan/opencode/SKILL.md b/skills/create-plan/opencode/SKILL.md index 0dcf8f6..28ee623 100644 --- a/skills/create-plan/opencode/SKILL.md +++ b/skills/create-plan/opencode/SKILL.md @@ -140,7 +140,10 @@ Do not try to capture the Codex session ID yet. When using the helper, extract i ```bash claude -p \ - "Read the file /tmp/plan-${REVIEW_ID}.md and review the implementation plan. Focus on: + "Review the implementation plan below. Focus on: + +$(cat /tmp/plan-${REVIEW_ID}.md) + 1. Correctness — Will this plan achieve the stated goals? 2. Risks — What could go wrong? Edge cases? Data loss? 3. Missing steps — Is anything forgotten? @@ -150,7 +153,8 @@ claude -p \ Be specific and actionable. If the plan is solid, end with exactly: VERDICT: APPROVED If changes are needed, end with exactly: VERDICT: REVISE" \ --model ${REVIEWER_MODEL} \ - --allowedTools Read + --strict-mcp-config \ + --setting-sources user ``` **If `REVIEWER_CLI` is `cursor`:** @@ -266,7 +270,9 @@ claude -p \ Previous feedback summary: [key points from last review] -I've revised the plan. Updated version is in /tmp/plan-${REVIEW_ID}.md. +I've revised the plan. Updated version is below. + +$(cat /tmp/plan-${REVIEW_ID}.md) Changes made: [List specific changes] @@ -274,7 +280,8 @@ Changes made: Re-review the full plan. If solid, end with: VERDICT: APPROVED If more changes needed, end with: VERDICT: REVISE" \ --model ${REVIEWER_MODEL} \ - --allowedTools Read + --strict-mcp-config \ + --setting-sources user ``` **If `REVIEWER_CLI` is `cursor`:** diff --git a/skills/implement-plan/claude-code/SKILL.md b/skills/implement-plan/claude-code/SKILL.md index 1f702b1..e157f22 100644 --- a/skills/implement-plan/claude-code/SKILL.md +++ b/skills/implement-plan/claude-code/SKILL.md @@ -211,7 +211,9 @@ Do not try to capture the Codex session ID yet. When using the helper, extract i ```bash claude -p \ - "Read the file /tmp/milestone-${REVIEW_ID}.md and review this milestone implementation. + "Review this milestone implementation using the following spec, acceptance criteria, git diff, and verification output: + +$(cat /tmp/milestone-${REVIEW_ID}.md) Evaluate: 1. Correctness — Does the implementation match the milestone spec? @@ -223,7 +225,8 @@ Evaluate: Be specific and actionable. If solid, end with exactly: VERDICT: APPROVED If changes are needed, end with exactly: VERDICT: REVISE" \ --model ${REVIEWER_MODEL} \ - --allowedTools Read + --strict-mcp-config \ + --setting-sources user ``` **If `REVIEWER_CLI` is `cursor`:** @@ -347,7 +350,9 @@ claude -p \ Previous feedback summary: [key points from last review] -I've addressed your feedback. Updated diff and verification output are in /tmp/milestone-${REVIEW_ID}.md. +I've addressed your feedback. Updated diff and verification output are below. + +$(cat /tmp/milestone-${REVIEW_ID}.md) Changes made: [List specific changes] @@ -355,7 +360,8 @@ Changes made: Re-review. If solid, end with: VERDICT: APPROVED If more changes needed, end with: VERDICT: REVISE" \ --model ${REVIEWER_MODEL} \ - --allowedTools Read \ + --strict-mcp-config \ + --setting-sources user \ > /tmp/milestone-review-${REVIEW_ID}.md ``` diff --git a/skills/implement-plan/codex/SKILL.md b/skills/implement-plan/codex/SKILL.md index f748376..d7605cc 100644 --- a/skills/implement-plan/codex/SKILL.md +++ b/skills/implement-plan/codex/SKILL.md @@ -244,7 +244,9 @@ Do not try to capture the Codex session ID yet. When using the helper, extract i ```bash claude -p \ - "Read the file /tmp/milestone-${REVIEW_ID}.md and review this milestone implementation. + "Review this milestone implementation using the following spec, acceptance criteria, git diff, and verification output: + +$(cat /tmp/milestone-${REVIEW_ID}.md) Evaluate: 1. Correctness — Does the implementation match the milestone spec? @@ -256,7 +258,8 @@ Evaluate: Be specific and actionable. If solid, end with exactly: VERDICT: APPROVED If changes are needed, end with exactly: VERDICT: REVISE" \ --model ${REVIEWER_MODEL} \ - --allowedTools Read + --strict-mcp-config \ + --setting-sources user ``` **If `REVIEWER_CLI` is `cursor`:** @@ -380,7 +383,9 @@ claude -p \ Previous feedback summary: [key points from last review] -I've addressed your feedback. Updated diff and verification output are in /tmp/milestone-${REVIEW_ID}.md. +I've addressed your feedback. Updated diff and verification output are below. + +$(cat /tmp/milestone-${REVIEW_ID}.md) Changes made: [List specific changes] @@ -388,7 +393,8 @@ Changes made: Re-review. If solid, end with: VERDICT: APPROVED If more changes needed, end with: VERDICT: REVISE" \ --model ${REVIEWER_MODEL} \ - --allowedTools Read \ + --strict-mcp-config \ + --setting-sources user \ > /tmp/milestone-review-${REVIEW_ID}.md ``` diff --git a/skills/implement-plan/cursor/SKILL.md b/skills/implement-plan/cursor/SKILL.md index 17f4846..822346d 100644 --- a/skills/implement-plan/cursor/SKILL.md +++ b/skills/implement-plan/cursor/SKILL.md @@ -248,7 +248,9 @@ Do not try to capture the Codex session ID yet. When using the helper, extract i ```bash claude -p \ - "Read the file /tmp/milestone-${REVIEW_ID}.md and review this milestone implementation. + "Review this milestone implementation using the following spec, acceptance criteria, git diff, and verification output: + +$(cat /tmp/milestone-${REVIEW_ID}.md) Evaluate: 1. Correctness — Does the implementation match the milestone spec? @@ -260,7 +262,8 @@ Evaluate: Be specific and actionable. If solid, end with exactly: VERDICT: APPROVED If changes are needed, end with exactly: VERDICT: REVISE" \ --model ${REVIEWER_MODEL} \ - --allowedTools Read + --strict-mcp-config \ + --setting-sources user ``` **If `REVIEWER_CLI` is `cursor`:** @@ -390,7 +393,9 @@ claude -p \ Previous feedback summary: [key points from last review] -I've addressed your feedback. Updated diff and verification output are in /tmp/milestone-${REVIEW_ID}.md. +I've addressed your feedback. Updated diff and verification output are below. + +$(cat /tmp/milestone-${REVIEW_ID}.md) Changes made: [List specific changes] @@ -398,7 +403,8 @@ Changes made: Re-review. If solid, end with: VERDICT: APPROVED If more changes needed, end with: VERDICT: REVISE" \ --model ${REVIEWER_MODEL} \ - --allowedTools Read \ + --strict-mcp-config \ + --setting-sources user \ > /tmp/milestone-review-${REVIEW_ID}.md ``` diff --git a/skills/implement-plan/opencode/SKILL.md b/skills/implement-plan/opencode/SKILL.md index 8efb202..b310a81 100644 --- a/skills/implement-plan/opencode/SKILL.md +++ b/skills/implement-plan/opencode/SKILL.md @@ -229,7 +229,9 @@ Do not try to capture the Codex session ID yet. When using the helper, extract i ```bash claude -p \ - "Read the file /tmp/milestone-${REVIEW_ID}.md and review this milestone implementation. + "Review this milestone implementation using the following spec, acceptance criteria, git diff, and verification output: + +$(cat /tmp/milestone-${REVIEW_ID}.md) Evaluate: 1. Correctness — Does the implementation match the milestone spec? @@ -241,7 +243,8 @@ Evaluate: Be specific and actionable. If solid, end with exactly: VERDICT: APPROVED If changes are needed, end with exactly: VERDICT: REVISE" \ --model ${REVIEWER_MODEL} \ - --allowedTools Read + --strict-mcp-config \ + --setting-sources user ``` **If `REVIEWER_CLI` is `cursor`:** @@ -365,7 +368,9 @@ claude -p \ Previous feedback summary: [key points from last review] -I've addressed your feedback. Updated diff and verification output are in /tmp/milestone-${REVIEW_ID}.md. +I've addressed your feedback. Updated diff and verification output are below. + +$(cat /tmp/milestone-${REVIEW_ID}.md) Changes made: [List specific changes] @@ -373,7 +378,8 @@ Changes made: Re-review. If solid, end with: VERDICT: APPROVED If more changes needed, end with: VERDICT: REVISE" \ --model ${REVIEWER_MODEL} \ - --allowedTools Read \ + --strict-mcp-config \ + --setting-sources user \ > /tmp/milestone-review-${REVIEW_ID}.md ``` diff --git a/skills/reviewer-runtime/tests/claude-review-template-guard.sh b/skills/reviewer-runtime/tests/claude-review-template-guard.sh new file mode 100755 index 0000000..2000c86 --- /dev/null +++ b/skills/reviewer-runtime/tests/claude-review-template-guard.sh @@ -0,0 +1,49 @@ +#!/usr/bin/env bash +set -euo pipefail + +SCRIPT_DIR=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd) +REPO_ROOT=$(cd "$SCRIPT_DIR/../../.." && pwd) + +fail() { + echo "FAIL: $*" >&2 + exit 1 +} + +assert_contains() { + local file=$1 + local pattern=$2 + + if ! grep -qF -- "$pattern" "$file"; then + fail "expected '$pattern' in $file" + fi +} + +assert_not_contains() { + local file=$1 + local pattern=$2 + + if grep -qF -- "$pattern" "$file"; then + fail "did not expect '$pattern' in $file" + fi +} + +check_skill_file() { + local file=$1 + + assert_contains "$file" "claude -p \\" + assert_contains "$file" '$(cat /tmp/' + assert_contains "$file" "--strict-mcp-config" + assert_contains "$file" "--setting-sources user" + assert_not_contains "$file" "--allowedTools Read" +} + +check_skill_file "$REPO_ROOT/skills/implement-plan/claude-code/SKILL.md" +check_skill_file "$REPO_ROOT/skills/implement-plan/codex/SKILL.md" +check_skill_file "$REPO_ROOT/skills/implement-plan/cursor/SKILL.md" +check_skill_file "$REPO_ROOT/skills/implement-plan/opencode/SKILL.md" +check_skill_file "$REPO_ROOT/skills/create-plan/claude-code/SKILL.md" +check_skill_file "$REPO_ROOT/skills/create-plan/codex/SKILL.md" +check_skill_file "$REPO_ROOT/skills/create-plan/cursor/SKILL.md" +check_skill_file "$REPO_ROOT/skills/create-plan/opencode/SKILL.md" + +echo "PASS: Claude reviewer templates use isolated settings and avoid Read-tool review prompts"