Co-Authored-By: Sungmin Hong <hsungmin@amazon.com>
📝 Walkthrough
Adds comprehensive documentation and configuration for the Everything Claude Code (ECC) agentic engineering framework. Includes a root README, 20+ agent specifications with configuration and guidance documents, 13+ development skill guides, steering files for project context, 10+ IDE/CLI hook definitions, installation scripts, and example configurations—establishing a complete framework for AI-assisted software development workflows without modifying runtime code.
Estimated code review effort: 🎯 3 (Moderate) | ⏱️ ~20 minutes
🚥 Pre-merge checks | ✅ Passed checks (3 passed)
Greptile Summary
This PR adds full Kiro IDE/CLI support to the Everything Claude Code repository by introducing a new
Key issues found:
Confidence Score: 2/5
Flowchart
```mermaid
%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[User runs install.sh /target] --> B{Resolve SCRIPT_DIR}
    B --> C["SCRIPT_DIR = /path/to/repo/.kiro"]
    C --> D["SOURCE_KIRO = SCRIPT_DIR + /.kiro\n❌ Points to .kiro/.kiro/ — does not exist"]
    D --> E{nullglob active}
    E --> F["Globs expand to empty list\nAll copy loops = 0 iterations"]
    F --> G["Summary shows: 0 agents, 0 skills, 0 steering..."]
    G --> H["✗ Silent failure — nothing installed"]
    C --> I["Fix: SOURCE_KIRO = SCRIPT_DIR\n✅ Points to .kiro/ — exists"]
    I --> J{SUBDIRS loop}
    J --> K["agents / skills / steering / hooks / scripts / settings\n❌ Missing: docs"]
    K --> L["Copy files non-destructively"]
    L --> M["✓ Most components installed\n✗ docs/*.md not installed"]
    style D fill:#ffcccc,stroke:#cc0000
    style H fill:#ffcccc,stroke:#cc0000
    style I fill:#ccffcc,stroke:#009900
    style K fill:#fff3cc,stroke:#cc8800
    style M fill:#fff3cc,stroke:#cc8800
```
Last reviewed commit: 278964c
| SOURCE_KIRO="$SCRIPT_DIR/.kiro" | ||
|
|
Incorrect `SOURCE_KIRO` path — all copy operations silently fail
The script lives at `.kiro/install.sh`, so `SCRIPT_DIR` resolves to the `.kiro/` directory itself. Setting `SOURCE_KIRO="$SCRIPT_DIR/.kiro"` makes it point to `.kiro/.kiro/`, a path that doesn't exist. Because `shopt -s nullglob` is set, every glob (`"$SOURCE_KIRO/agents"/*.json`, etc.) expands to an empty list, all loops have zero iterations, and the counters stay at 0. The installation appears to succeed but copies nothing.
The comment on line 19 says "the repo root", which is also wrong — `SCRIPT_DIR` is the `.kiro/` directory, not the repo root.
Fix: drop the `.kiro` suffix since `SCRIPT_DIR` already IS the `.kiro/` directory:
| SOURCE_KIRO="$SCRIPT_DIR/.kiro" | |
| SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)" | |
| SOURCE_KIRO="$SCRIPT_DIR" |
|
|
||
| # Create all required .kiro/ subdirectories | ||
| for dir in $SUBDIRS; do | ||
| mkdir -p "$TARGET/.kiro/$dir" |
docs directory missing from SUBDIRS
The docs subdirectory (containing longform-guide.md, security-guide.md, shortform-guide.md) is listed in the README as an installed component, but it is not in the SUBDIRS string and has no corresponding copy loop. These files are never installed.
| mkdir -p "$TARGET/.kiro/$dir" | |
| SUBDIRS="agents skills steering hooks scripts settings docs" |
A corresponding copy block should also be added after the settings block:
```bash
# Copy docs
if [ -d "$SOURCE_KIRO/docs" ]; then
  mkdir -p "$TARGET/.kiro/docs"
  for f in "$SOURCE_KIRO/docs"/*.md; do
    local_name=$(basename "$f")
    if [ ! -f "$TARGET/.kiro/docs/$local_name" ]; then
      cp "$f" "$TARGET/.kiro/docs/" 2>/dev/null || true
    fi
  done
fi
```
| # ───────────────────────────────────────────────────────────── | ||
| # Format — auto-format a file using detected formatter | ||
| # Detects: biome or prettier | ||
| # Used by: .kiro/hooks/auto-format.json (fileEdited) |
Stale comment references wrong filename
The comment says auto-format.json but the actual hook file is auto-format.kiro.hook. The same issue exists in .kiro/scripts/quality-gate.sh line 5, where the comment references quality-gate.json instead of quality-gate.kiro.hook.
| # Used by: .kiro/hooks/auto-format.json (fileEdited) | |
| # Used by: .kiro/hooks/auto-format.kiro.hook (fileEdited) |
| # ───────────────────────────────────────────────────────────── | ||
| # Quality Gate — full project quality check | ||
| # Runs: build, type check, lint, tests | ||
| # Used by: .kiro/hooks/quality-gate.json (userTriggered) |
| "enabled": true, | ||
| "description": "Generate a brief summary of what was accomplished after agent execution completes", | ||
| "when": { | ||
| "type": "agentStop" |
Double `agentStop` trigger may cause noisy post-session prompts
Both session-summary.kiro.hook and extract-patterns.kiro.hook use "type": "agentStop" as their trigger. When both hooks are enabled, the agent will receive two separate follow-up prompts after every single session — one asking for a summary and one asking for patterns to extract. This doubles the post-session overhead and could be confusing or annoying for users.
Consider either:
- Consolidating both prompts into one hook, or
- Defaulting one (e.g., `extract-patterns`) to `"enabled": false` so users opt in deliberately.
| ] | ||
| } | ||
| } | ||
| } No newline at end of file |
Missing newline at end of file
The file ends without a trailing newline (the diff shows \ No newline at end of file). Many tools and editors expect text files to end with a newline.
| } | |
| } | |
| } |
(add a trailing newline after the closing brace)
Hi @affaan-m 👋 Thanks for maintaining this great project! We'd love to continue contributing Kiro support and keep it in sync with future ECC releases. Would you be open to granting write access to @ihimanss as a collaborator? This would make it easier to push branches directly and iterate on updates (README, CONTRIBUTING, cross-tool parity table, etc.) without the fork overhead. Happy to discuss further — thanks for considering!
40 issues found across 85 files
Note: This PR contains a large number of files. cubic only reviews up to 75 files per PR, so some files may not have been reviewed.
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name=".kiro/install.sh">
<violation number="1" location=".kiro/install.sh:19">
P1: Installer source path is miscomputed as `.kiro/.kiro`, causing copy steps to be skipped.</violation>
<violation number="2" location=".kiro/install.sh:56">
P2: Copy/chmod failures are ignored but the script still increments the installed counters, so the summary can report success when files were not actually installed.</violation>
</file>
<file name=".kiro/agents/go-reviewer.md">
<violation number="1" location=".kiro/agents/go-reviewer.md:12">
P1: Changed-file detection uses working-tree diff (`git diff -- '*.go'`), which can miss committed PR changes on a clean branch.</violation>
<violation number="2" location=".kiro/agents/go-reviewer.md:15">
P2: Agent workflow violates team pre-review policy by starting review immediately without checking CI status and merge conflicts.</violation>
</file>
<file name=".kiro/agents/code-reviewer.json">
<violation number="1" location=".kiro/agents/code-reviewer.json:9">
P1: Reviewer agent is over-privileged with `shell`, creating avoidable prompt-injection command-execution risk and violating repo security guidance.</violation>
</file>
<file name=".kiro/agents/architect.json">
<violation number="1" location=".kiro/agents/architect.json:10">
P1: `architect` is granted auto-approved `shell` access, which over-privileges a primarily advisory agent and conflicts with least-privilege/security guidance.</violation>
</file>
<file name=".kiro/agents/build-error-resolver.md">
<violation number="1" location=".kiro/agents/build-error-resolver.md:92">
P1: The new build-error resolver hard-codes npm/package-lock recovery steps, which conflicts with the repo’s multi-package-manager design and can produce incorrect dependency state in pnpm/yarn/bun projects.</violation>
</file>
<file name=".kiro/docs/security-guide.md">
<violation number="1" location=".kiro/docs/security-guide.md:381">
P1: The security guide recommends a fragile `.env` loading command (`export $(cat .env | xargs)`) that mangles valid secret values containing spaces/quotes.</violation>
</file>
<file name=".kiro/skills/security-review/SKILL.md">
<violation number="1" location=".kiro/skills/security-review/SKILL.md:88">
P1: Security guidance for file uploads is incomplete: it treats MIME type + extension checks as sufficient without requiring content/signature validation, which can allow spoofed malicious files.</violation>
</file>
<file name=".kiro/scripts/format.sh">
<violation number="1" location=".kiro/scripts/format.sh:46">
P1: Auto-format hook executes `npx` without disabling installs, allowing implicit package fetch/exec when formatter isn’t locally installed.</violation>
</file>
<file name=".kiro/hooks/typecheck-on-edit.kiro.hook">
<violation number="1" location=".kiro/hooks/typecheck-on-edit.kiro.hook:5">
P2: The hook claims to run TypeScript type checking, but it only asks an agent to review the edited file, creating misleading assurance and missing compiler-backed checks.</violation>
</file>
<file name=".kiro/agents/e2e-runner.md">
<violation number="1" location=".kiro/agents/e2e-runner.md:76">
P2: Playwright guidance is incorrect: `page.click(selector)` also auto-waits, so this line teaches a false API behavior.</violation>
<violation number="2" location=".kiro/agents/e2e-runner.md:93">
P2: Recommending `networkidle` as a generic stabilization step can cause tests to hang/time out on apps with background requests; Playwright discourages using it for readiness. Prefer waiting for specific UI conditions or assertions instead.</violation>
</file>
<file name=".kiro/settings/mcp.json.example">
<violation number="1" location=".kiro/settings/mcp.json.example:6">
P2: Example MCP config executes external packages with floating/unpinned versions (`@latest` or no version), creating reproducibility and supply-chain risk for users who copy this file.</violation>
</file>
<file name=".kiro/skills/python-patterns/SKILL.md">
<violation number="1" location=".kiro/skills/python-patterns/SKILL.md:183">
P2: Singleton class-decorator example replaces the class with a function, breaking expected class/type semantics (`isinstance`, subclassing, type usage).</violation>
<violation number="2" location=".kiro/skills/python-patterns/SKILL.md:223">
P2: The async context manager example uses `async with` and `await` at module scope, which is invalid Python syntax. Wrap this in an `async def` and run it via the event loop to provide a valid example.</violation>
</file>
<file name=".kiro/hooks/extract-patterns.kiro.hook">
<violation number="1" location=".kiro/hooks/extract-patterns.kiro.hook:7">
P2: Enabled `agentStop` + `askAgent` hook unconditionally adds a second agent pass after every completion, increasing baseline latency/token cost.</violation>
</file>
<file name=".kiro/skills/postgres-patterns/SKILL.md">
<violation number="1" location=".kiro/skills/postgres-patterns/SKILL.md:84">
P2: Cursor pagination example uses non-PostgreSQL placeholder syntax (`$last_id`), making the documented SQL invalid as written.</violation>
<violation number="2" location=".kiro/skills/postgres-patterns/SKILL.md:108">
P2: The FK-index diagnostic checks per-column index membership, which can miss improperly indexed composite foreign keys and report false safety.</violation>
</file>
<file name=".kiro/agents/database-reviewer.md">
<violation number="1" location=".kiro/agents/database-reviewer.md:25">
P2: Interactive `psql` invocation in diagnostic commands can block autonomous shell execution; use a non-interactive `-c` command instead.</violation>
</file>
<file name=".kiro/skills/verification-loop/SKILL.md">
<violation number="1" location=".kiro/skills/verification-loop/SKILL.md:26">
P2: Piping verification commands through tail/head masks non-zero exit codes unless pipefail is enabled, so failed builds/tests can still appear successful.</violation>
<violation number="2" location=".kiro/skills/verification-loop/SKILL.md:81">
P2: Diff review commands only inspect working tree or the latest commit, so they can miss files changed earlier in a multi-commit PR.</violation>
</file>
<file name=".kiro/skills/golang-patterns/SKILL.md">
<violation number="1" location=".kiro/skills/golang-patterns/SKILL.md:212">
P2: Test helper teaches unsafe SQLite in-memory usage: `:memory:` is per connection, but `*sql.DB` is pooled, which can cause flaky/missing-table tests.</violation>
</file>
<file name=".kiro/skills/frontend-patterns/SKILL.md">
<violation number="1" location=".kiro/skills/frontend-patterns/SKILL.md:179">
P2: `useQuery` example is vulnerable to async race conditions: older requests can resolve later and overwrite newer state because results are committed without cancellation or stale-response guards.</violation>
<violation number="2" location=".kiro/skills/frontend-patterns/SKILL.md:189">
P2: The `useQuery` example passes inline `fetcher`/`options` while `refetch` is memoized on the full `options` object, so `useEffect` can re-run every render and continuously refetch.</violation>
<violation number="3" location=".kiro/skills/frontend-patterns/SKILL.md:580">
P2: Dropdown keyboard example does not guard empty options, allowing invalid index and `onSelect(undefined)` on Enter.</violation>
</file>
<file name=".kiro/agents/build-error-resolver.json">
<violation number="1" location=".kiro/agents/build-error-resolver.json:2">
P2: Agent success criteria require tests to be passing, but the workflow never runs tests and defers test failures elsewhere, allowing false "done" states versus required green checks.</violation>
<violation number="2" location=".kiro/agents/build-error-resolver.json:16">
P2: The new reusable build agent hardcodes npm-specific commands and lockfile handling, which is inconsistent with multi-package-manager project usage and can fail or create unintended `package-lock.json` changes in non-npm repos.</violation>
</file>
<file name=".kiro/skills/docker-patterns/SKILL.md">
<violation number="1" location=".kiro/skills/docker-patterns/SKILL.md:47">
P2: `redis` is only gated by `service_started`, which does not guarantee readiness and can cause app startup races when connecting to Redis.</violation>
<violation number="2" location=".kiro/skills/docker-patterns/SKILL.md:195">
P2: The comment incorrectly claims loopback port binding makes the service unreachable from the Docker network, which can mislead readers about actual container-to-container exposure.</violation>
</file>
<file name=".kiro/skills/python-testing/SKILL.md">
<violation number="1" location=".kiro/skills/python-testing/SKILL.md:49">
P2: Async fixture example uses `@pytest.fixture` on `async def`, which is incompatible with pytest-asyncio strict mode and can mislead users into broken setup.</violation>
<violation number="2" location=".kiro/skills/python-testing/SKILL.md:257">
P2: Coverage config example incorrectly claims a TOML-only section works in `pytest.ini`.</violation>
</file>
<file name=".kiro/skills/golang-testing/SKILL.md">
<violation number="1" location=".kiro/skills/golang-testing/SKILL.md:48">
P2: Table-driven subtest example closes over loop variable `tt` without per-iteration rebinding, which is unsafe for pre-Go-1.22 (especially with parallel subtests).</violation>
<violation number="2" location=".kiro/skills/golang-testing/SKILL.md:170">
P2: Benchmark example ignores the function result, which can let compiler optimizations invalidate the measurement.</violation>
</file>
<file name=".kiro/scripts/quality-gate.sh">
<violation number="1" location=".kiro/scripts/quality-gate.sh:85">
P2: ESLint config detection omits valid filenames (e.g., .eslintrc.cjs/.eslintrc.yaml and eslint.config.cjs/ts), so linting can be skipped even when ESLint is configured.</violation>
</file>
<file name=".kiro/skills/database-migrations/SKILL.md">
<violation number="1" location=".kiro/skills/database-migrations/SKILL.md:87">
P2: The zero-downtime rename example drops the old column immediately after a dual-write deploy, skipping the required read-from-new-only/soak phase. This is inconsistent with the later strategy section and can mislead teams into an unsafe rename sequence.</violation>
</file>
<file name=".kiro/skills/e2e-testing/SKILL.md">
<violation number="1" location=".kiro/skills/e2e-testing/SKILL.md:208">
P2: The trace example uses Chromium-only `browser.startTracing` and outputs `trace.json`, which is not the Playwright Trace Viewer format and doesn’t match the cross-browser trace workflow used elsewhere. This will mislead users and produce artifacts that can’t be opened as Playwright traces.</violation>
</file>
<file name=".kiro/steering/git-workflow.md">
<violation number="1" location=".kiro/steering/git-workflow.md:17">
P2: Kiro steering references Claude’s settings file (`~/.claude/settings.json`), which is misleading in a `.kiro` workflow doc and can send users to the wrong configuration source.</violation>
</file>
<file name=".kiro/agents/tdd-guide.md">
<violation number="1" location=".kiro/agents/tdd-guide.md:27">
P2: Generic TDD agent text is coupled to npm/Playwright commands, which can misguide or fail in projects with different tooling.</violation>
</file>
<file name=".kiro/skills/coding-standards/SKILL.md">
<violation number="1" location=".kiro/skills/coding-standards/SKILL.md:402">
P2: The “GOOD” memoization example mutates the source array with `sort()`, which teaches a React props/state mutation pattern and contradicts the doc’s immutability rule. Use a copy before sorting to avoid side effects.</violation>
</file>
|
|
||
| # Resolve the directory where this script lives (the repo root) | ||
| SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)" | ||
| SOURCE_KIRO="$SCRIPT_DIR/.kiro" |
P1: Installer source path is miscomputed as .kiro/.kiro, causing copy steps to be skipped.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .kiro/install.sh, line 19:
<comment>Installer source path is miscomputed as `.kiro/.kiro`, causing copy steps to be skipped.</comment>
<file context>
@@ -0,0 +1,139 @@
+
+# Resolve the directory where this script lives (the repo root)
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+SOURCE_KIRO="$SCRIPT_DIR/.kiro"
+
+# Target directory: argument or current working directory
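Review bot: nothing in the lines after `SOURCE_KIRO="$SCRIPT_DIR/.kiro"` verifies that the directory exists, so a wrong value here is never reported. Add a guard directly after the assignment, such as `[ -d "$SOURCE_KIRO" ] || { echo "source not found: $SOURCE_KIRO" >&2; exit 1; }`, and since the script is at .kiro/install.sh, reword the "(the repo root)" comment on the `SCRIPT_DIR` line to name the directory the script actually lives in.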
</file context>
| SOURCE_KIRO="$SCRIPT_DIR/.kiro" | |
| SOURCE_KIRO="$SCRIPT_DIR" |
| You are a senior Go code reviewer ensuring high standards of idiomatic Go and best practices. | ||
|
|
||
| When invoked: | ||
| 1. Run `git diff -- '*.go'` to see recent Go file changes |
P1: Changed-file detection uses working-tree diff (git diff -- '*.go'), which can miss committed PR changes on a clean branch.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .kiro/agents/go-reviewer.md, line 12:
<comment>Changed-file detection uses working-tree diff (`git diff -- '*.go'`), which can miss committed PR changes on a clean branch.</comment>
<file context>
@@ -0,0 +1,77 @@
+You are a senior Go code reviewer ensuring high standards of idiomatic Go and best practices.
+
+When invoked:
+1. Run `git diff -- '*.go'` to see recent Go file changes
+2. Run `go vet ./...` and `staticcheck ./...` if available
+3. Focus on modified `.go` files
</file context>
| "@builtin" | ||
| ], | ||
| "allowedTools": [ | ||
| "fs_read", |
P1: Reviewer agent is over-privileged with shell, creating avoidable prompt-injection command-execution risk and violating repo security guidance.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .kiro/agents/code-reviewer.json, line 9:
<comment>Reviewer agent is over-privileged with `shell`, creating avoidable prompt-injection command-execution risk and violating repo security guidance.</comment>
<file context>
@@ -0,0 +1,16 @@
+ "@builtin"
+ ],
+ "allowedTools": [
+ "fs_read",
+ "shell"
+ ],
</file context>
| ], | ||
| "allowedTools": [ | ||
| "fs_read", | ||
| "shell" |
P1: architect is granted auto-approved shell access, which over-privileges a primarily advisory agent and conflicts with least-privilege/security guidance.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .kiro/agents/architect.json, line 10:
<comment>`architect` is granted auto-approved `shell` access, which over-privileges a primarily advisory agent and conflicts with least-privilege/security guidance.</comment>
<file context>
@@ -0,0 +1,16 @@
+ ],
+ "allowedTools": [
+ "fs_read",
+ "shell"
+ ],
+ "resources": [],
</file context>
| rm -rf .next node_modules/.cache && npm run build | ||
|
|
||
| # Reinstall dependencies | ||
| rm -rf node_modules package-lock.json && npm install |
P1: The new build-error resolver hard-codes npm/package-lock recovery steps, which conflicts with the repo’s multi-package-manager design and can produce incorrect dependency state in pnpm/yarn/bun projects.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .kiro/agents/build-error-resolver.md, line 92:
<comment>The new build-error resolver hard-codes npm/package-lock recovery steps, which conflicts with the repo’s multi-package-manager design and can produce incorrect dependency state in pnpm/yarn/bun projects.</comment>
<file context>
@@ -0,0 +1,116 @@
+rm -rf .next node_modules/.cache && npm run build
+
+# Reinstall dependencies
+rm -rf node_modules package-lock.json && npm install
+
+# Fix ESLint auto-fixable
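Review bot: `rm -rf node_modules package-lock.json && npm install` under "# Reinstall dependencies" deletes the lockfile, so the reinstall re-resolves every dependency to whatever currently satisfies the ranges in package.json and discards the pinned versions and integrity hashes the lockfile recorded. Keep the lockfile and reinstall from it instead, for example `rm -rf node_modules && npm ci`, and treat regenerating the lockfile as a separate step whose diff gets reviewed.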
</file context>
|
|
||
| Types: feat, fix, refactor, docs, test, chore, perf, ci | ||
|
|
||
| Note: Attribution disabled globally via ~/.claude/settings.json. |
P2: Kiro steering references Claude’s settings file (~/.claude/settings.json), which is misleading in a .kiro workflow doc and can send users to the wrong configuration source.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .kiro/steering/git-workflow.md, line 17:
<comment>Kiro steering references Claude’s settings file (`~/.claude/settings.json`), which is misleading in a `.kiro` workflow doc and can send users to the wrong configuration source.</comment>
<file context>
@@ -0,0 +1,29 @@
+
+Types: feat, fix, refactor, docs, test, chore, perf, ci
+
+Note: Attribution disabled globally via ~/.claude/settings.json.
+
+## Pull Request Workflow
</file context>
| [ -f "$f" ] || continue | ||
| local_name=$(basename "$f") | ||
| if [ ! -f "$TARGET/.kiro/agents/$local_name" ]; then | ||
| cp "$f" "$TARGET/.kiro/agents/" 2>/dev/null || true |
P2: Copy/chmod failures are ignored but the script still increments the installed counters, so the summary can report success when files were not actually installed.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .kiro/install.sh, line 56:
<comment>Copy/chmod failures are ignored but the script still increments the installed counters, so the summary can report success when files were not actually installed.</comment>
<file context>
@@ -0,0 +1,139 @@
+ [ -f "$f" ] || continue
+ local_name=$(basename "$f")
+ if [ ! -f "$TARGET/.kiro/agents/$local_name" ]; then
+ cp "$f" "$TARGET/.kiro/agents/" 2>/dev/null || true
+ agents=$((agents + 1))
+ fi
</file context>
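The two `install.sh` findings in this thread (the `.kiro/.kiro` source path that leaves every copy loop with nothing to do, and counters incremented after a failed `cp`) both come from missing checks in the copy step. The following is an added example, not code from the PR or the project: a POSIX sh copy step that fails when the source directory is missing and counts only copies that succeeded. The names `copy_new` and `demo` and the temporary file layout are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not the PR's install.sh. copy_new and demo are hypothetical names.

# copy_new SRC_DIR DST_DIR PATTERN
#   Copies files matching PATTERN from SRC_DIR into DST_DIR without overwriting.
#   Sets COPIED, SKIPPED and FAILED.
#   Returns 2 if SRC_DIR is missing or DST_DIR cannot be created,
#   1 if any copy failed, 0 otherwise.
copy_new() {
    src=$1
    dst=$2
    pattern=$3
    COPIED=0
    SKIPPED=0
    FAILED=0

    # Fail fast: a mis-resolved source path must be an error,
    # not a loop that runs zero times and reports success.
    if [ ! -d "$src" ]; then
        echo "error: source directory not found: $src" >&2
        return 2
    fi
    mkdir -p "$dst" || return 2

    for f in "$src"/$pattern; do
        # Without nullglob an unmatched pattern stays literal; skip it.
        [ -f "$f" ] || continue
        name=${f##*/}
        if [ -e "$dst/$name" ]; then
            SKIPPED=$((SKIPPED + 1))   # non-destructive: keep the user's file
        elif cp "$f" "$dst/$name"; then
            COPIED=$((COPIED + 1))     # count only after cp has succeeded
        else
            echo "warning: could not copy $f" >&2
            FAILED=$((FAILED + 1))
        fi
    done
    [ "$FAILED" -eq 0 ]
}

# demo: constructed layout mirroring the PR, with the installer inside .kiro/.
demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/repo/.kiro/agents" "$root/target"
    echo '{}' > "$root/repo/.kiro/agents/architect.json"
    echo '{}' > "$root/repo/.kiro/agents/code-reviewer.json"
    script_dir="$root/repo/.kiro"

    # Path as computed in the PR: SCRIPT_DIR/.kiro, i.e. .kiro/.kiro
    rc=0
    copy_new "$script_dir/.kiro/agents" "$root/target/.kiro/agents" '*.json' || rc=$?
    echo "wrong source path: exit $rc"

    # Corrected path: SCRIPT_DIR itself
    rc=0
    copy_new "$script_dir/agents" "$root/target/.kiro/agents" '*.json' || rc=$?
    echo "corrected path: exit $rc, copied $COPIED, skipped $SKIPPED, failed $FAILED"

    # Re-running must not overwrite what is already installed
    rc=0
    copy_new "$script_dir/agents" "$root/target/.kiro/agents" '*.json' || rc=$?
    echo "re-run: exit $rc, copied $COPIED, skipped $SKIPPED, failed $FAILED"

    rm -rf "$root"
}

demo
```

An installer built on this would exit non-zero when any call returns 2 and print `FAILED` in its summary next to the installed counts.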
|
|
||
| ### 2. Run Test -- Verify it FAILS | ||
| ```bash | ||
| npm test |
P2: Generic TDD agent text is coupled to npm/Playwright commands, which can misguide or fail in projects with different tooling.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .kiro/agents/tdd-guide.md, line 27:
<comment>Generic TDD agent text is coupled to npm/Playwright commands, which can misguide or fail in projects with different tooling.</comment>
<file context>
@@ -0,0 +1,93 @@
+
+### 2. Run Test -- Verify it FAILS
+```bash
+npm test
+```
+
</file context>
| ### Phase 1: Build Verification | ||
| ```bash | ||
| # Check if project builds | ||
| npm run build 2>&1 | tail -20 |
P2: Piping verification commands through tail/head masks non-zero exit codes unless pipefail is enabled, so failed builds/tests can still appear successful.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .kiro/skills/verification-loop/SKILL.md, line 26:
<comment>Piping verification commands through tail/head masks non-zero exit codes unless pipefail is enabled, so failed builds/tests can still appear successful.</comment>
<file context>
@@ -0,0 +1,128 @@
+### Phase 1: Build Verification
+```bash
+# Check if project builds
+npm run build 2>&1 | tail -20
+# OR
+pnpm build 2>&1 | tail -20
</file context>
|
|
||
| // ✅ GOOD: Memoize expensive computations | ||
| const sortedMarkets = useMemo(() => { | ||
| return markets.sort((a, b) => b.volume - a.volume) |
P2: The “GOOD” memoization example mutates the source array with sort(), which teaches a React props/state mutation pattern and contradicts the doc’s immutability rule. Use a copy before sorting to avoid side effects.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .kiro/skills/coding-standards/SKILL.md, line 402:
<comment>The “GOOD” memoization example mutates the source array with `sort()`, which teaches a React props/state mutation pattern and contradicts the doc’s immutability rule. Use a copy before sorting to avoid side effects.</comment>
<file context>
@@ -0,0 +1,532 @@
+
+// ✅ GOOD: Memoize expensive computations
+const sortedMarkets = useMemo(() => {
+ return markets.sort((a, b) => b.volume - a.volume)
+}, [markets])
+
</file context>
Actionable comments posted: 3
Note
Due to the large number of review comments, Critical severity comments were prioritized as inline comments.
🟠 Major comments (21)
.kiro/agents/refactor-cleaner.md-1-8 (1)
1-8: ⚠️ Potential issue | 🟠 Major
Frontmatter is missing required agent metadata fields.
Lines 1-8 define `name`/`description`/`allowedTools` but omit `tools` and `model`, which can break tooling that parses agent specs in this repo.
Suggested fix
--- name: refactor-cleaner description: Dead code cleanup and consolidation specialist. Use PROACTIVELY for removing unused code, duplicates, and refactoring. Runs analysis tools (knip, depcheck, ts-prune) to identify dead code and safely removes it. +tools: + - read + - write + - shell +model: sonnet-4.6 allowedTools: - read - write - shell ---Based on learnings: "Applies to agents/**/*.md : Agents should be formatted as Markdown with YAML frontmatter containing name, description, tools, and model fields."
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.kiro/agents/refactor-cleaner.md around lines 1 - 8, The YAML frontmatter for the agent (fields name, description, allowedTools) is missing required fields `tools` and `model`; update the frontmatter in the refactor-cleaner agent (the top YAML block) to include a `tools` list mirroring or mapping allowedTools and a `model` string (e.g., the repo-standard model name), ensuring the frontmatter contains name, description, tools, allowedTools, and model so it conforms to the agents/**/*.md schema used by tooling.
.kiro/skills/coding-standards/SKILL.md-316-337 (1)
316-337: 🛠️ Refactor suggestion | 🟠 Major
Add file size standards to File Organization section.
The File Organization section should include file size guidelines that are emphasized across the codebase. Based on learnings, files should be kept focused and maintainable: typically 200-400 lines, with a maximum of 800 lines per file.
📏 Proposed addition for file size standards
Add this subsection after line 337:
### File Size Guidelines
```typescript
// ✅ GOOD: Focused, single-responsibility files
// File: components/MarketCard.tsx (250 lines)
// File: hooks/useMarketData.ts (180 lines)

// ❌ BAD: Large, multi-responsibility files
// File: utils/helpers.ts (1200 lines) - split into specific utilities
// File: components/Dashboard.tsx (900 lines) - extract sub-components
```
Guidelines:
- Target: 200-400 lines per file
- Maximum: 800 lines per file
- Prefer many small, focused files over few large files
- Organize by functionality/domain rather than by type
- Extract sub-components when files grow too large
Based on learnings, files should be kept focused and specialized (less than 800 lines per file, ideally 200-400 lines).
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.kiro/skills/coding-standards/SKILL.md around lines 316 - 337, Add a new
subsection titled "### File Size Guidelines" to the File Organization section
(immediately after the Project Structure block / the existing File Organization
text) that states the target file size (200-400 lines) and maximum (800 lines),
includes the proposed example filenames (components/MarketCard.tsx,
hooks/useMarketData.ts, utils/helpers.ts, components/Dashboard.tsx) and the
short bullet guidelines (prefer small focused files, organize by
functionality/domain, extract sub-components), and include the proposed
fenced-code example block and brief Guidelines list exactly as shown in the
proposal so the standard is enforced across the docs.
.kiro/settings/mcp.json.example-11-16 (1)
`11-16`: _⚠️ Potential issue_ | _🟠 Major_
**Use least-privilege defaults for an example config.**
Default-enabled servers plus populated `autoApprove` lists are too permissive for a starter template. Prefer opt-in defaults (`disabled: true`) and empty/omitted `autoApprove` so tool calls require interactive user approval by default.
Proposed change ```diff - "disabled": false, - "autoApprove": [ - "search_agentcore_docs", - "fetch_agentcore_doc", - "manage_agentcore_memory" - ] + "disabled": true, + "autoApprove": [] @@ - "disabled": false, - "autoApprove": [ - "search_docs", - "fetch_doc" - ] + "disabled": true, + "autoApprove": []
Also applies to: 26-30
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.kiro/settings/mcp.json.example around lines 11 - 16, Change the example MCP config to use least-privilege defaults: set the "disabled" property to true and remove or empty the "autoApprove" array so no tools are pre-approved; update the JSON entries shown (the "disabled" key and the "autoApprove" list in .kiro/settings/mcp.json.example) and apply the same change to the other instance referenced (lines 26-30) so tool calls require interactive approval by default.
.kiro/skills/frontend-patterns/SKILL.md-165-198 (1)
165-198: ⚠️ Potential issue | 🟠 Major
Fix dependency issues to prevent infinite re-renders.
The `useQuery` hook has several dependency-related issues that can cause infinite re-renders:
- Lines 189, 195: `fetcher` and `options` in dependency arrays will recreate `refetch` on every render if the caller doesn't memoize them.
- Line 195: Using `options?.enabled` means any change to the `options` object (not just `enabled`) triggers a refetch.
- Missing cleanup: No abort controller for the async operation, which can cause state updates on unmounted components.
♻️ Proposed fix to stabilize dependencies and add cleanup
export function useQuery<T>( key: string, fetcher: () => Promise<T>, options?: UseQueryOptions<T> ) { const [data, setData] = useState<T | null>(null) const [error, setError] = useState<Error | null>(null) const [loading, setLoading] = useState(false) + + // Stabilize options to avoid recreating refetch + const enabledRef = useRef(options?.enabled) + useEffect(() => { + enabledRef.current = options?.enabled + }) + + const onSuccessRef = useRef(options?.onSuccess) + const onErrorRef = useRef(options?.onError) + useEffect(() => { + onSuccessRef.current = options?.onSuccess + onErrorRef.current = options?.onError + }) const refetch = useCallback(async () => { + let cancelled = false setLoading(true) setError(null) try { const result = await fetcher() + if (cancelled) return setData(result) - options?.onSuccess?.(result) + onSuccessRef.current?.(result) } catch (err) { + if (cancelled) return const error = err as Error setError(error) - options?.onError?.(error) + onErrorRef.current?.(error) } finally { + if (!cancelled) { setLoading(false) + } } - }, [fetcher, options]) + + return () => { + cancelled = true + } + }, [fetcher]) useEffect(() => { - if (options?.enabled !== false) { - refetch() + if (enabledRef.current !== false) { + const cleanup = refetch() + return cleanup } - }, [key, refetch, options?.enabled]) + }, [key, refetch]) return { data, error, loading, refetch } }Based on learnings, custom React hooks should implement proper useEffect cleanup for side effects.
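Review bot: the cancellation added to `refetch` never takes effect. `refetch` is declared `async`, so `const cleanup = refetch()` in the effect receives a Promise rather than the `() => { cancelled = true }` function, and React does not accept a Promise as an effect cleanup; nothing can set `cancelled` before the `if (cancelled) return` checks run. Suggest creating the flag (or an `AbortController`) inside the `useEffect` and returning the cleanup synchronously from there. `fetcher` also stays in the `useCallback` dependency list, so an unmemoized `fetcher` still recreates `refetch` on every render, which is the first problem the comment set out to fix.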
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.kiro/skills/frontend-patterns/SKILL.md around lines 165 - 198, The useQuery hook recreates refetch on every render and triggers extra refetches because it depends on unstable objects; to fix, extract and memoize individual option fields and the fetcher: in useQuery, replace direct dependencies on fetcher and options with stable refs/values (e.g., const fetcherRef = useRef(fetcher) and update it in an effect, and destructure options into enabled, onSuccess, onError) and update useCallback(refetch) to depend only on those stable refs/primitive values; also add abort/cleanup logic inside refetch and the effect (create an AbortController or mounted flag, pass its signal to the async work, and ensure you don't call setState if aborted/unmounted) so refetch and the useEffect that triggers it (useEffect watching key and enabled only) no longer cause infinite re-renders.
.kiro/skills/deployment-patterns/SKILL.md-15-22 (1)
15-22: 🛠️ Refactor suggestion | 🟠 Major
Consolidate duplicate sections and align with skill format.
The skill has two "when to use" sections at lines 15-22 ("When to Activate") and lines 433-440 ("When to Use This Skill") with identical content. Additionally, per learnings, skills should follow a clear structure with "When to Use", "How It Works", and "Examples" sections, but this skill embeds content in topical sections instead.
Suggested structure:
- Keep one "When to Use" section
- Add "How It Works" section explaining deployment workflow concepts
- Add "Examples" section with all the code samples
Based on learnings: Skills should be formatted as Markdown with clear sections for When to Use, How It Works, and Examples.
📋 Proposed structural reorganization
-## When to Activate +## When to Use - Setting up CI/CD pipelines - Dockerizing an application - Planning deployment strategy (blue-green, canary, rolling) - Implementing health checks and readiness probes - Preparing for a production release - Configuring environment-specific settings +## How It Works + +This skill covers production deployment workflows through several key areas: + +1. **Deployment Strategies**: Rolling, blue-green, and canary patterns for zero-downtime releases +2. **Containerization**: Multi-stage Docker builds optimized for production +3. **CI/CD Pipelines**: Automated testing, building, and deployment workflows +4. **Health Checks**: Application readiness and liveness probes +5. **Configuration Management**: Environment-based config following 12-factor principles +6. **Rollback Procedures**: Safe recovery mechanisms for failed deployments +7. **Production Readiness**: Comprehensive checklists across application, infrastructure, monitoring, security, and operations + +## Examples ## Deployment Strategies (keep all existing content from Deployment Strategies through Production Readiness Checklist) -## When to Use This Skill - -- Setting up CI/CD pipelines -- Dockerizing applications -- Planning deployment strategies -- Implementing health checks -- Preparing for production releases -- Troubleshooting deployment issuesAlso applies to: 433-440
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.kiro/skills/deployment-patterns/SKILL.md around lines 15 - 22, Consolidate the duplicate "When to Activate" and "When to Use This Skill" sections into a single "When to Use" section (replace the header "When to Activate" with "When to Use" and remove the other duplicate), then add a new "How It Works" section that explains high-level deployment workflow concepts (blue-green, canary, rolling, health/readiness, CI/CD and env config) and a separate "Examples" section that collects all code samples now scattered in topical sections; ensure headings are exactly "When to Use", "How It Works", and "Examples" and move/remove the duplicated content so the file follows the required skill format.
.kiro/skills/deployment-patterns/SKILL.md-142-142 (1)
142-142: ⚠️ Potential issue | 🟠 Major
Add `wget` to Alpine base image dependencies.
The HEALTHCHECK command on line 142 uses `wget`, but it is not installed in the Alpine 3.19 image. The minimal Alpine image does not include `wget` by default; only BusyBox provides a limited applet. This will cause the health check to fail at runtime.
Fix
-RUN apk --no-cache add ca-certificates +RUN apk --no-cache add ca-certificates wget🤖 Prompt for AI Agents
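Review bot: the `wget` package added on the `+RUN apk --no-cache add ca-certificates wget` line may not be needed. The comment itself notes that BusyBox ships a wget applet, and the health check only calls `wget -qO-` against a plain `http://localhost:8080/health` URL, which that applet supports; confirm that the HEALTHCHECK actually fails in the built image before adding a package to the runtime stage.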
Verify each finding against the current code and only fix it if needed. In @.kiro/skills/deployment-patterns/SKILL.md at line 142, The HEALTHCHECK uses wget but the Alpine 3.19 base image doesn't include it; update the image's package installation to add wget (e.g., add apk add --no-cache wget in the Dockerfile or the base-image setup referenced by this SKILL) so the HEALTHCHECK line (HEALTHCHECK --interval=30s --timeout=3s CMD wget -qO- http://localhost:8080/health || exit 1) can run successfully; ensure the change is applied to the stage that produces the runtime image so wget is present when the container starts.
.kiro/skills/golang-patterns/SKILL.md-89-102 (1)
89-102: ⚠️ Potential issue | 🟠 Major
Worker-pool example can block indefinitely.
This pattern can deadlock if `results` is not drained while workers are sending.
🔧 Safer pattern
-func workerPool(jobs <-chan Job, results chan<- Result, workers int) { +func workerPool(jobs <-chan Job, workers int) <-chan Result { + results := make(chan Result, workers) var wg sync.WaitGroup for i := 0; i < workers; i++ { wg.Add(1) go func() { defer wg.Done() for job := range jobs { results <- processJob(job) } }() } - wg.Wait() - close(results) + go func() { + wg.Wait() + close(results) + }() + return results }🤖 Prompt for AI Agents
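Review bot: returning the channel changes the function's contract, and the hunk does not state what callers must now do. Moving `wg.Wait()` and `close(results)` into their own goroutine stops `workerPool` itself from blocking, but workers still block on `results <- processJob(job)` once the `workers`-sized buffer is full, so a caller that stops reading early leaves those goroutines parked permanently. Document that the returned channel must be drained until it is closed, or take a `context.Context` and select on `ctx.Done()` around the send.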
Verify each finding against the current code and only fix it if needed. In @.kiro/skills/golang-patterns/SKILL.md around lines 89 - 102, The workerPool can deadlock because goroutines send to the results channel while no receiver may be draining it; update workerPool (and its use of jobs, results, workers, processJob, wg) to ensure sends never block by either creating/using a buffered results channel (e.g., capacity >= workers or number of jobs) or by spawning an internal goroutine that consumes worker outputs and forwards them to the provided results channel; keep the existing wg.Done/close(results) logic so results is closed only after all workers finish.
.kiro/skills/docker-patterns/SKILL.md-141-146 (1)
141-146: ⚠️ Potential issue | 🟠 Major
Use `cpus` and `mem_limit` instead of `deploy.resources.limits` for Docker Compose non-Swarm mode.
The `deploy.resources.limits` section is ignored by `docker compose up` (non-Swarm) and will not enforce the specified CPU or memory limits. Use service-level fields instead: `cpus` for CPU constraints and `mem_limit` for hard memory limits (optionally `mem_reservation` for soft limits).
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.kiro/skills/docker-patterns/SKILL.md around lines 141 - 146, The current Docker Compose snippet uses deploy.resources.limits (deploy.resources.limits -> cpus: "1.0", memory: 512M) which is ignored by non‑Swarm docker compose; update the service definition to use service‑level fields instead (replace deploy.resources.limits with cpus and mem_limit, and optionally mem_reservation) so that docker compose up will enforce CPU and memory limits (e.g., set cpus: "1.0" and mem_limit: 512M on the service config).
.kiro/docs/shortform-guide.md-286-290 (1)
286-290: ⚠️ Potential issue | 🟠 Major
Remove reference to missing documentation file or create it.
The guide references `docs/migration-from-ecc.md` (line 288), but this file does not exist in the repository. Either create the missing file or remove the reference from the documentation.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.kiro/docs/shortform-guide.md around lines 286 - 290, The docs reference to `docs/migration-from-ecc.md` in the shortform guide must be resolved: either add the missing migration document with the expected content or remove/update the bullet referencing `docs/migration-from-ecc.md` in `.kiro/docs/shortform-guide.md` so it no longer points to a non-existent file; ensure the change keeps the surrounding bullets (`Longform Guide`, `Security Guide`, `GitHub Issues`, `Kiro Documentation`) consistent and the link text/format remains valid if you replace it with an alternative resource.
.kiro/scripts/format.sh-30-33 (1)
30-33: ⚠️ Potential issue | 🟠 Major
Formatter detection and execution paths are inconsistent.
`detect_formatter` accepts globally installed formatters (lines 30–33), but the execution logic (lines 44–61) hard-requires `npx`. If `npx` is unavailable while a global formatter exists, the script exits with an error despite having a valid formatter to use.
For example, a user with `biome` installed globally but no `npx` will see the script detect `biome` but then fail with "Error: npx not found (required for Biome)".
Suggested fix
biome) - if command -v npx &>/dev/null; then + if command -v npx &>/dev/null; then echo "Formatting $FILE with Biome..." - npx biome format --write "$FILE" + npx biome format --write -- "$FILE" + exit $? + elif command -v biome &>/dev/null; then + echo "Formatting $FILE with Biome (global)..." + biome format --write -- "$FILE" exit $? else - echo "Error: npx not found (required for Biome)" + echo "Error: Neither npx nor biome executable found" exit 1 fi ;; @@ prettier) if command -v npx &>/dev/null; then echo "Formatting $FILE with Prettier..." - npx prettier --write "$FILE" + npx prettier --write -- "$FILE" + exit $? + elif command -v prettier &>/dev/null; then + echo "Formatting $FILE with Prettier (global)..." + prettier --write -- "$FILE" exit $? else - echo "Error: npx not found (required for Prettier)" + echo "Error: Neither npx nor prettier executable found" exit 1 fi ;;🤖 Prompt for AI Agents
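Review bot: the branch order in both arms should be reversed so that an installed binary wins over `npx`. As written, `npx biome` and `npx prettier` are still tried first, and when the package is not present in the project npx can fetch it from the registry and run it, which means executing code the project has not pinned; test `command -v biome` and `command -v prettier` first and fall back to npx only when they are missing. The first changed pair in the `biome)` arm (`if command -v npx &>/dev/null; then`) reads the same on both sides and can be dropped from the patch.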
Verify each finding against the current code and only fix it if needed. In @.kiro/scripts/format.sh around lines 30 - 33, The formatter detection (detect_formatter) allows globally installed tools like "biome" or "prettier" but the execution block later assumes npx is mandatory; update the execution logic to first check whether the detected formatter binary (e.g., "biome" or "prettier") exists in PATH and, if so, invoke that global command directly, only falling back to requiring npx when the binary is not present; ensure references to the detected value from detect_formatter are used and that the error message about "npx not found" is only shown when npx is actually required for the chosen formatter.
.kiro/skills/database-migrations/SKILL.md-110-129 (1)
110-129: ⚠️ Potential issue | 🟠 Major
Add execution-context warnings to migration examples.
The `DO $$ ... $$` block at line 127 contains `COMMIT` inside the block, which only works when invoked at the database's "top level"—not inside a transaction. Similarly, the golang-migrate example at lines 293–295 uses `CREATE INDEX CONCURRENTLY`, which cannot run inside a transaction block. golang-migrate's Postgres driver disables multi-statement mode by default, meaning all statements in a migration file execute within a single transaction, causing `CREATE INDEX CONCURRENTLY` to fail.
While a warning about `CONCURRENTLY` exists at lines 69–70, it's in the PostgreSQL section and not visible to users following the golang-migrate section. Add explicit guidance to both examples:
- Line 110–129: Document that the `DO` block requires non-transaction execution context and may need to be run separately in golang-migrate or other transaction-bound runners.
- Lines 293–295: Repeat or reference the CONCURRENTLY warning and explain how to handle it in golang-migrate (e.g., separate the CREATE INDEX into its own migration or enable x-multi-statement with transaction handling).
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.kiro/skills/database-migrations/SKILL.md around lines 110 - 129, The DO $$ ... $$ block that contains COMMIT (the anonymous PL/pgSQL block) must be documented as requiring top-level/non-transaction execution (cannot be run inside a transaction block), so update the SKILL.md example around the DO $$ block to warn readers to run that block as a standalone migration or outside transaction-bound runners (or split into separate statements) when using tools like golang-migrate; likewise, for the CREATE INDEX CONCURRENTLY example referenced earlier, add or repeat a clear note explaining that CREATE INDEX CONCURRENTLY cannot run inside a transaction and advise concrete remedies for golang-migrate users (e.g., place the CONCURRENTLY statement in its own single-statement migration or enable multi-statement handling with correct transaction control).
.kiro/install.sh-56-57 (1)
56-57: ⚠️ Potential issue | 🟠 Major
Don’t suppress copy failures while counting them as successful installs.
On these lines, `cp ... || true` hides failures, but counters are still incremented, so the summary can be incorrect.
💡 Suggested pattern
- cp "$f" "$TARGET/.kiro/agents/" 2>/dev/null || true - agents=$((agents + 1)) + if cp "$f" "$TARGET/.kiro/agents/"; then + agents=$((agents + 1)) + else + echo "Warning: failed to copy $f" >&2 + fiAlso applies to: 69-70, 80-81, 92-94, 103-106, 116-117
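Review bot: the replacement reports a failed copy, but nothing in it makes the script fail. The `else` branch only writes a warning to stderr, so an automated caller cannot tell a partial install from a complete one; count failures in that branch and exit non-zero after the summary when the count is above zero. The same change is needed at each of the other listed line ranges, so a small helper function would keep all six sites consistent.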
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.kiro/install.sh around lines 56 - 57, The copy commands currently swallow failures with "|| true" but still increment counters (e.g., the cp "$f" "$TARGET/.kiro/agents/" 2>/dev/null || true followed by agents=$((agents + 1))), producing incorrect install summaries; change the flow to run cp without unconditionally ignoring errors, capture its exit status, increment the corresponding counter (agents and the other counters referenced in the comment) only when cp succeeds, and log or surface failures (preserve stderr) instead of discarding them so the summary accurately reflects successful installs.
.kiro/skills/api-design/SKILL.md-308-308 (1)
308-308: ⚠️ Potential issue | 🟠 Major
Replace the secret-like API key example to avoid scanner hits.
Line 308 uses a token pattern (`sk_live_abc123`) that can trip secret scanners and CI checks.
💡 Proposed fix
-X-API-Key: sk_live_abc123 +X-API-Key: <YOUR_API_KEY>🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.kiro/skills/api-design/SKILL.md at line 308, Replace the secret-like API key example "X-API-Key: sk_live_abc123" with a non-sensitive placeholder to avoid scanner/CI hits; update the example to use a clearly synthetic token such as "X-API-Key: sk_test_XXXX" or "X-API-Key: <API_KEY_PLACEHOLDER>" so the string no longer matches live-token patterns while preserving the example intent.
.kiro/agents/chief-of-staff.json-16-16 (1)
16-16: ⚠️ Potential issue | 🟠 Major
Avoid unconditional `git commit & push` in the default workflow.
Line 16 hardcodes commit/push as mandatory after each send; this can cause unintended remote writes. Gate `push` behind explicit user confirmation.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.kiro/agents/chief-of-staff.json at line 16, The PostToolUse hook currently enforces unconditional "Git commit & push" in the post-send checklist (the checklist item "Git commit & push"); change it so the hook still performs a local git commit (or stages changes) but does not perform a remote push without explicit user confirmation. Update the PostToolUse logic to: 1) replace mandatory push with a gated action (e.g., require a "confirm_push" boolean or an interactive confirmation prompt), 2) ensure commits are created/recorded by the hook (so changes are saved locally) using the same hook name PostToolUse, and 3) surface the push decision in the UI/briefing output as an explicit [Push] button or confirmation message before executing git push.
.kiro/agents/chief-of-staff.md-1-8 (1)
1-8: ⚠️ Potential issue | 🟠 Major
Add missing frontmatter fields required for agent definitions.
This frontmatter omits `tools` and `model`, which can break consistency with existing agent metadata conventions.
💡 Example frontmatter shape
--- name: chief-of-staff description: Personal communication chief of staff that triages email, Slack, LINE, and Messenger. Classifies messages into 4 tiers (skip/info_only/meeting_info/action_required), generates draft replies, and enforces post-send follow-through via hooks. Use when managing multi-channel communication workflows. +tools: + - read + - write + - shell +model: sonnet allowedTools: - read - write - shell ---Based on learnings: Applies to agents/**/*.md : Agents should be formatted as Markdown with YAML frontmatter containing name, description, tools, and model fields.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.kiro/agents/chief-of-staff.md around lines 1 - 8, The YAML frontmatter for the agent "chief-of-staff" is missing the required tools and model fields; update the frontmatter block in .kiro/agents/chief-of-staff.md to include a tools list (matching allowedTools like read/write/shell) and a model entry (e.g., a model name or version used by your agents), ensuring the frontmatter contains name, description, tools, and model keys so the agent metadata aligns with other agents' definitions.
.kiro/agents/chief-of-staff.json-14-16 (1)
14-16: ⚠️ Potential issue | 🟠 Major
Configure the `PostToolUse` hook in the `hooks` object to match the prompt's design intent.
The hooks object (line 14) is empty, but the prompt (line 16+) describes a `PostToolUse` hook that enforces the post-send checklist. Move the hook definition from the prompt documentation into the `hooks` configuration so the enforcement is actually active.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.kiro/agents/chief-of-staff.json around lines 14 - 16, The hooks object is empty but the prompt describes a PostToolUse hook that must enforce the post-send checklist; add a PostToolUse entry into the "hooks" object that references the enforcement logic (e.g., a hook named "PostToolUse" that invokes the checklist handler), ensure its configuration keys match the prompt's behavior (block completion until checklist steps complete, intercept gmail send and conversations_add_message), and wire it to the existing checklist handler/module referenced by the agent (PostToolUse hook name and checklist enforcement handler) so the documented enforcement is actually active.
.kiro/hooks/extract-patterns.kiro.hook-7-11 (1)
7-11: ⚠️ Potential issue | 🟠 Major
Replace `agentStop` → `askAgent` with a guarded pattern to prevent recursive hook triggers.
The `agentStop` event fires when an agent turn completes. When triggered by a hook, `askAgent` starts a new agent loop that will itself emit `agentStop` on completion, re-triggering the hook unless guarded. Use `runCommand` with a lock/sentinel instead:
Recommended guard pattern
{ "when": { "type": "agentStop" }, "then": { "type": "runCommand", "command": "bash -lc '\nLOCK=.kiro/.hook-lock/after-stop.lock\nmkdir -p .kiro/.hook-lock\nif [ -f \"$LOCK\" ]; then exit 0; fi\ntrap \"rm -f $LOCK\" EXIT\ntouch \"$LOCK\"\n# Trigger follow-up agent work here\n'" } }🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.kiro/hooks/extract-patterns.kiro.hook around lines 7 - 11, The hook currently triggers on "agentStop" and directly uses "askAgent", which can re-enter the agent loop and retrigger "agentStop"; replace the "then": {"type":"askAgent", ...} block with a guarded "runCommand" pattern that creates and checks a sentinel lock (e.g., .kiro/.hook-lock/after-stop.lock), exits immediately if the lock exists, sets a trap to remove the lock on exit, touches/creates the lock, and then invokes the follow-up agent action; reference the "agentStop" trigger, remove or replace "askAgent", and implement "runCommand" with the lock sentinel to prevent recursive hook execution.
.kiro/agents/tdd-guide.json-16-16 (1)
16-16: ⚠️ Potential issue | 🟠 Major
Prompt hardcodes npm commands, which breaks cross-language applicability.
Line 16 instructs `npm test` and `npm run test:coverage` directly. For Go/Python/Java repos this produces incorrect execution guidance. Please replace with project-native command placeholders and short examples by ecosystem.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.kiro/agents/tdd-guide.json at line 16, The prompt string under the "prompt" key hardcodes npm commands (`npm test`, `npm run test:coverage`) which are not portable; update the "prompt" value to use a configurable placeholder (e.g., {run_tests_command}, {coverage_command}) and include a short example list of ecosystem-specific commands (Node: npm/yarn, Python: pytest/coverage, Go: go test, Java/Maven: mvn test) so the guidance shows how to map the placeholders to project-native commands; ensure references to the test and coverage steps (the "Write Test First (RED)" and "Verify Coverage" sections) use the placeholders rather than literal npm commands.
.kiro/hooks/doc-file-warning.kiro.hook-5-13 (1)
5-13: ⚠️ Potential issue | 🟠 Major
Hook must implement path-based filtering inside the command logic.
The hook fires for all `write` operations regardless of target file, creating noise for non-documentation edits. Kiro's `preToolUse` matchers cannot filter by file path at the manifest level—filtering must be implemented inside the hook command by inspecting `tool_input.operations[].path`. Check if each write operation targets documentation patterns (README, CHANGELOG, docs/, etc.) and only prompt when appropriate.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.kiro/hooks/doc-file-warning.kiro.hook around lines 5 - 13, The hook currently prompts on every write because path filtering is missing; update the hook's command logic (the code executed for the "then" action in .kiro/hooks/doc-file-warning.kiro.hook) to inspect tool_input.operations[].path and only trigger the askAgent prompt when at least one operation path matches documentation patterns (e.g., /^README/i, /^CHANGELOG/i, /^docs[\/\\]/, /^docs\//, files under /docs/, or other project-specific doc filenames). If no operations match those patterns, skip the askAgent prompt and allow the write to proceed unprompted; if some match, run the existing prompt logic but restrict the message/context to only the matched operation(s).
.kiro/hooks/tdd-reminder.kiro.hook-8-8 (1)
8-8: ⚠️ Potential issue | 🟠 Major
Use recursive globs for nested TypeScript files.
Kiro pattern matching is path-based where `*` matches only within a single path segment (doesn't cross `/`). The patterns `"*.ts"` and `"*.tsx"` match only root-level files like `foo.ts`, not nested files like `src/app/foo.ts`. This hook won't trigger for most TypeScript files in the project.
Proposed matcher update
- "patterns": ["*.ts", "*.tsx"] + "patterns": ["**/*.ts", "**/*.tsx"]🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.kiro/hooks/tdd-reminder.kiro.hook at line 8, The hook's file-matching patterns ("*.ts", "*.tsx") only match single-segment paths and miss nested files; update the patterns in .kiro/hooks/tdd-reminder.kiro.hook to use recursive globs (e.g., "**/*.ts" and "**/*.tsx") so the matcher includes nested TypeScript files like src/app/foo.ts and src/components/foo.tsx; locate the "patterns" array and replace the single-segment globs with the double-star recursive variants.
.kiro/skills/tdd-workflow/SKILL.md-184-234 (1)
184-234: 🛠️ Refactor suggestion | 🟠 Major
Replace `waitForTimeout` with explicit waits for reliable tests.
Line 199 uses `page.waitForTimeout(600)`, which Playwright explicitly discourages and marks for debugging-only use. Fixed sleeps don't wait for actual application state—they're inherently racy and fail when the app is slower than expected. The `expect(results).toHaveCount(5, { timeout: 5000 })` on line 204 already provides an explicit retry-based wait, making the `waitForTimeout` both redundant and an anti-pattern.
♻️ Recommended fix
// Search for markets await page.fill('input[placeholder="Search markets"]', 'election') - // Wait for debounce and results - await page.waitForTimeout(600) - // Verify search results displayed const results = page.locator('[data-testid="market-card"]') await expect(results).toHaveCount(5, { timeout: 5000 })The
`expect(...).toHaveCount(...)` with its timeout automatically polls the element count until the condition is met or timeout expires. If you need to explicitly wait for a network request, use `page.waitForResponse()` instead.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.kiro/skills/tdd-workflow/SKILL.md around lines 184 - 234, In the "user can search and filter markets" test remove the hard sleep call page.waitForTimeout(600) and rely on the existing retryable assertion expect(results).toHaveCount(5, { timeout: 5000 }) (results is the locator defined as page.locator('[data-testid="market-card"]')); if you actually need to wait for a specific network response before asserting, replace the sleep with an explicit wait like page.waitForResponse(...) targeting the backend endpoint that returns market results or use page.waitForSelector(...) for a known element, then keep the expect(results).toHaveCount assertion.
🟡 Minor comments (16)
.kiro/agents/harness-optimizer.json-1-15 (1)
1-15: ⚠️ Potential issue | 🟡 Minor
Inconsistent `allowedTools` value between JSON and MD formats.
The JSON file specifies `"fs_read"` in `allowedTools` (line 9), while the companion `.kiro/agents/harness-optimizer.md` specifies `read` in its frontmatter (line 5). These dual-format files should be consistent to avoid confusion when the agent is invoked via CLI vs IDE.
Proposed fix (align with JSON naming)
In
.kiro/agents/harness-optimizer.md, update the frontmatter:allowedTools: - - read + - fs_readOr, if
readis the correct Kiro IDE convention, update the JSON:"allowedTools": [ - "fs_read" + "read" ],🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.kiro/agents/harness-optimizer.json around lines 1 - 15, The allowedTools entry is inconsistent between the harness-optimizer JSON ("allowedTools": ["fs_read"]) and the harness-optimizer MD frontmatter (`read`); pick one canonical tool name and make both files match—preferably update the .kiro/agents/harness-optimizer.md frontmatter to use fs_read to mirror the JSON (or if you decide `read` is canonical, update the JSON allowedTools to "read"); ensure the keys named allowedTools and the literal tool token ("fs_read" vs "read") are identical across both files and run the agent/CI to validate no tooling errors.
.kiro/skills/coding-standards/SKILL.md-1-21 (1)
1-21: ⚠️ Potential issue | 🟡 Minor
Add missing "How it works" and "Examples" sections to match skill documentation standards.
The file currently uses "When to Activate" followed by topical sections with embedded examples. Per skill formatting guidelines, add dedicated "How it works" and "Examples" sections. You can structure it as: frontmatter → "When to Activate" → "How it works" (explaining the approach) → "Examples" → topical sections.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.kiro/skills/coding-standards/SKILL.md around lines 1 - 21, The document is missing dedicated "How it works" and "Examples" sections per skill formatting; after the frontmatter and the existing "When to Activate" heading, add a "How it works" section that succinctly explains the approach and rationale for the coding standards (e.g., scope, enforcement, examples of patterns to follow) and then an "Examples" section that provides concrete, short examples/snippets or usage scenarios illustrating the standards; keep the existing topical sections (like the list items under "When to Activate") after the new "Examples" section so the file follows the required order: frontmatter → When to Activate → How it works → Examples → topical sections.
.kiro/skills/frontend-patterns/SKILL.md-111-125 (1)
111-125: ⚠️ Potential issue | 🟡 Minor
Add cleanup to prevent state updates on unmounted component.
The `useEffect` hook fetches data but doesn't clean up if the component unmounts during the fetch. This can cause React warnings about setting state on an unmounted component and potential memory leaks.
🛡️ Proposed fix using AbortController
export function DataLoader<T>({ url, children }: DataLoaderProps<T>) { const [data, setData] = useState<T | null>(null) const [loading, setLoading] = useState(true) const [error, setError] = useState<Error | null>(null) useEffect(() => { + const controller = new AbortController() + - fetch(url) + fetch(url, { signal: controller.signal }) .then(res => res.json()) .then(setData) - .catch(setError) + .catch(err => { + if (err.name !== 'AbortError') { + setError(err) + } + }) .finally(() => setLoading(false)) + + return () => controller.abort() }, [url]) return <>{children(data, loading, error)}</> }Based on learnings, custom React hooks should implement proper useEffect cleanup for side effects.
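Review bot: the unchanged `.finally(() => setLoading(false))` line still runs after an abort. On unmount that is exactly the state update this fix is meant to prevent, and when `url` changes the aborted request's `finally` sets `loading` to false while the new request is still in flight; guard it with `if (!controller.signal.aborted) setLoading(false)`. The effect also never sets `loading` back to true or clears `error` when `url` changes, so the render prop sees stale flags for the second request.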
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.kiro/skills/frontend-patterns/SKILL.md around lines 111 - 125, The DataLoader component's useEffect can set state after unmount; modify the effect in DataLoader to create an AbortController and pass controller.signal to fetch, and in the cleanup call controller.abort(); also guard state setters (setData, setError, setLoading) so they only run when the fetch wasn't aborted (check error.name !== 'AbortError' or track a mounted flag), and ensure finally still sets loading to false only if not aborted—update the useEffect that references url, fetch, setData, setError, setLoading to implement this cleanup and abort handling.
.kiro/steering/golang-patterns.md-9-9 (1)
9-9: ⚠️ Potential issue | 🟡 Minor
Use a hyphenated adjective on Line 9.
“Go-specific” is the correct form here.
Suggested patch
-> This file extends the common patterns with Go specific content. +> This file extends the common patterns with Go-specific content.🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.kiro/steering/golang-patterns.md at line 9, Replace the unhyphenated adjective in the sentence "This file extends the common patterns with Go specific content." by changing "Go specific" to the hyphenated form "Go-specific" so the line reads "This file extends the common patterns with Go-specific content."; locate that exact sentence in the document and update the wording accordingly.
.kiro/steering/typescript-patterns.md-3-4 (1)
3-4: ⚠️ Potential issue | 🟡 Minor
Align the frontmatter scope with the stated TypeScript/JavaScript intent.
Line 3 currently excludes JavaScript files even though Lines 4 and 9 describe TS/JS coverage.
Suggested patch
-fileMatchPattern: "*.ts,*.tsx" +fileMatchPattern: "*.ts,*.tsx,*.js,*.jsx"Based on learnings: Applies to **/*.{ts,tsx,js,jsx} : Use the ApiResponse interface pattern with generic type parameter.
Also applies to: 9-9
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.kiro/steering/typescript-patterns.md around lines 3 - 4, Update the frontmatter fileMatchPattern to include JavaScript extensions so the scope matches the stated TS/JS intent: locate the frontmatter key fileMatchPattern and change its value from "*.ts,*.tsx" to a glob that includes js and jsx (e.g., "*.{ts,tsx,js,jsx}"), and similarly update the other occurrence that restricts patterns (the second fileMatchPattern-like entry referenced in the comment) to the same combined glob so examples like the ApiResponse generic pattern apply to .ts/.tsx/.js/.jsx files.
.kiro/steering/typescript-patterns.md-9-9 (1)
9-9: ⚠️ Potential issue | 🟡 Minor
Minor doc polish on Line 9: hyphenate the compound adjective.
Use “TypeScript/JavaScript-specific”.
Suggested patch
-> This file extends the common patterns rule with TypeScript/JavaScript specific content. +> This file extends the common patterns rule with TypeScript/JavaScript-specific content.🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.kiro/steering/typescript-patterns.md at line 9, Update the sentence "This file extends the common patterns rule with TypeScript/JavaScript specific content." to hyphenate the compound adjective as "TypeScript/JavaScript-specific" so it reads "This file extends the common patterns rule with TypeScript/JavaScript-specific content."; locate and edit that exact line in the document to apply the change.
.kiro/hooks/console-log-check.kiro.hook-8-8 (1)
8-8: ⚠️ Potential issue | 🟡 Minor
Add `.jsx` to the monitored patterns on Line 8.
Without it, React JSX files are excluded from the console-log check.
Suggested patch
- "patterns": ["*.js", "*.ts", "*.tsx"] + "patterns": ["*.js", "*.ts", "*.tsx", "*.jsx"]Based on learnings: Applies to **/*.{ts,tsx,js,jsx} : Warn about
`console.log` statements in edited files.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.kiro/hooks/console-log-check.kiro.hook at line 8, The "patterns" array in the hook configuration currently monitors "*.js", "*.ts", and "*.tsx" but omits React .jsx files; update the patterns array used by the console-log check (the "patterns" entry) to include "*.jsx" so files matching .jsx are also scanned (i.e., apply the same glob set used elsewhere such as /*.{ts,tsx,js,jsx}).
.kiro/hooks/auto-format.kiro.hook-8-8 (1)
8-8: ⚠️ Potential issue | 🟡 Minor
Include `.jsx` in the file patterns on Line 8.
Right now JSX files won’t trigger this formatter hook.
Suggested patch
- "patterns": ["*.ts", "*.tsx", "*.js"] + "patterns": ["*.ts", "*.tsx", "*.js", "*.jsx"]Based on learnings: Applies to **/*.{ts,tsx,js,jsx} : Auto-format JavaScript/TypeScript files using Prettier after edit.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.kiro/hooks/auto-format.kiro.hook at line 8, Update the hook's file patterns so JSX files are included: modify the "patterns" array in .kiro/hooks/auto-format.kiro.hook (the entry currently ["*.ts", "*.tsx", "*.js"]) to also match .jsx files (e.g., add "*.jsx" or replace with a single glob like "*.{ts,tsx,js,jsx}") so the Auto-format JavaScript/TypeScript Prettier hook triggers for .jsx files as well.
.kiro/steering/git-workflow.md-17-17 (1)
17-17: ⚠️ Potential issue | 🟡 Minor
Avoid tool-specific settings path in Kiro steering.
The note points to `~/.claude/settings.json`, which is likely confusing in this Kiro-specific workflow doc.
🔧 Proposed wording
- Note: Attribution disabled globally via ~/.claude/settings.json. + Note: Attribution behavior is controlled by the active client's global settings.🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.kiro/steering/git-workflow.md at line 17, Replace the tool-specific path "~/.claude/settings.json" with a generic, Kiro-appropriate note: remove the explicit ~/.claude path and reword the sentence to say something like "Attribution is disabled via the user's assistant tool settings" or "Attribution disabled via local assistant settings" so the Kiro steering doc avoids referencing a third-party tool; update the line containing "~/.claude/settings.json" accordingly.
.kiro/skills/verification-loop/SKILL.md-82-83 (1)
82-83: ⚠️ Potential issue | 🟡 Minor
Use a branch-aware diff instead of `HEAD~1`.
`git diff HEAD~1 --name-only` only compares the last commit and can miss current staged/unstaged scope.
🔧 Proposed update
- git diff HEAD~1 --name-only + git diff --name-only + # For PR scope: + git diff [base-branch]...HEAD --name-only🤖 Prompt for AI Agents
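Review bot: the replacement `git diff --name-only` compares the working tree against the index, so files that are already staged drop out of the list, which is part of the scope the comment says `HEAD~1` misses. `git diff HEAD --name-only` reports staged and unstaged changes together. The `[base-branch]` token in the added PR-scope line is a placeholder that fails if pasted as written; either name the branch the skill should assume or state that it must be substituted.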
Verify each finding against the current code and only fix it if needed.
In @.kiro/skills/verification-loop/SKILL.md around lines 82 - 83, Replace the brittle `git diff HEAD~1 --name-only` with a branch-aware comparison using the merge-base (e.g. `git diff --name-only $(git merge-base origin/main HEAD)..HEAD`) and include staged changes as needed (use `--cached` for staged) so the command in SKILL.md compares your current branch against the target branch instead of only the last commit; update the example/command text to show both the working-tree and cached variants if you want to capture unstaged and staged changes respectively.
.kiro/docs/shortform-guide.md-5-15 (1)
5-15: ⚠️ Potential issue | 🟡 Minor
Installation instructions contain incorrect URLs and script paths.
Line 7 uses placeholder `yourusername` instead of the actual repository owner. Lines 11 and 14 reference `./install.sh`, but the install script is located at `.kiro/install.sh`.
Suggested fix
# Clone the repository -git clone https://github.com/yourusername/ecc-kiro-public-repo.git +git clone https://github.com/affaan-m/everything-claude-code.git cd ecc-kiro-public-repo # Install to current project -./install.sh +.kiro/install.sh # Install globally to ~/.kiro/ -./install.sh ~ +.kiro/install.sh ~🤖 Prompt for AI Agents
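Review bot: the clone URL changes to `everything-claude-code.git`, but the unchanged context line `cd ecc-kiro-public-repo` still follows it, so the `cd` fails and the `.kiro/install.sh` calls below it run from the wrong directory. Change that line to `cd everything-claude-code` in the same patch.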
Verify each finding against the current code and only fix it if needed.
In @.kiro/docs/shortform-guide.md around lines 5 - 15, Replace the placeholder repo URL and incorrect script paths in the shortform guide: update the git clone URL (currently "https://github.com/yourusername/ecc-kiro-public-repo.git") to use the real repository owner/org or a canonical repo URL, and change all references to "./install.sh" to the correct ".kiro/install.sh" script path so the three example install commands point to the actual install script; update text surrounding the commands if necessary to keep phrasing consistent with the new URL and path.
.kiro/README.md-598-598 (1)
598-598: ⚠️ Potential issue | 🟡 Minor
Fix spelling: "Contributers" → "Contributors"
Static analysis flagged this typo.
📝 Proposed fix
-## Contributers +## Contributors🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.kiro/README.md at line 598, Replace the misspelled header "## Contributers" in the README entry with the correct spelling "## Contributors"; update the header line in .kiro/README.md where the symbol "## Contributers" appears so it reads "## Contributors".
.kiro/skills/backend-patterns/SKILL.md-188-206 (1)
188-206: ⚠️ Potential issue | 🟡 Minor
SQL dollar-quoting syntax is incomplete.
The PL/pgSQL function uses `$` as the delimiter, but PostgreSQL requires `$$` (double dollar signs) for dollar-quoting. This will cause a syntax error if copied directly.
🐛 Proposed fix
// SQL function in Supabase CREATE OR REPLACE FUNCTION create_market_with_position( market_data jsonb, position_data jsonb ) RETURNS jsonb LANGUAGE plpgsql -AS $ +AS $$ BEGIN -- Start transaction automatically INSERT INTO markets VALUES (market_data); INSERT INTO positions VALUES (position_data); RETURN jsonb_build_object('success', true); EXCEPTION WHEN OTHERS THEN -- Rollback happens automatically RETURN jsonb_build_object('success', false, 'error', SQLERRM); END; -$; +$$;🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.kiro/skills/backend-patterns/SKILL.md around lines 188 - 206, The function create_market_with_position uses a single-dollar delimiter which is invalid; change the PL/pgSQL dollar-quoting to use double dollar signs so the block is wrapped with AS $$ ... $$; and ensure the closing delimiter is $$ followed by the terminating semicolon. Locate the CREATE FUNCTION create_market_with_position declaration and replace the single $ delimiters surrounding the body with $$ for both the opening (AS $$) and closing ($$;) delimiters.
.kiro/steering/typescript-security.md-9-9 (1)
9-9: ⚠️ Potential issue | 🟡 Minor
Hyphenate the compound modifier for clarity.
Line 9 should use `TypeScript/JavaScript-specific` instead of `TypeScript/JavaScript specific`.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.kiro/steering/typescript-security.md at line 9, Replace the phrase "TypeScript/JavaScript specific" with the hyphenated compound "TypeScript/JavaScript-specific" in the document comment that reads "This file extends the common security rule with TypeScript/JavaScript specific content." to ensure correct compound-modifier punctuation.
.kiro/scripts/quality-gate.sh-5-5 (1)
5-5: ⚠️ Potential issue | 🟡 Minor
Update the hook filename in the header comment.
Line 5 references `.kiro/hooks/quality-gate.json`, but this PR adds `.kiro/hooks/quality-gate.kiro.hook`.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.kiro/scripts/quality-gate.sh at line 5, Update the header comment in the .kiro/scripts/quality-gate.sh file so the referenced hook filename matches the new file added in this PR: replace the old `.kiro/hooks/quality-gate.json` reference with `.kiro/hooks/quality-gate.kiro.hook` in the comment at the top of the script (the line currently saying "Used by: .kiro/hooks/quality-gate.json").
.kiro/agents/e2e-runner.md-74-79 (1)
74-79: ⚠️ Potential issue | 🟡 Minor
Incorrect auto-wait statement for `page.click()`.
Line 76 states that `page.locator().click()` auto-waits while `page.click()` doesn't. This is inaccurate for modern Playwright—`page.click(selector)` also auto-waits for the element. The key difference is that `page.locator()` returns a reusable locator object with better assertion support.
📝 Suggested fix
-- **Auto-wait built in**: `page.locator().click()` auto-waits; raw `page.click()` doesn't +- **Prefer locators**: `page.locator().click()` is preferred over `page.click(selector)` for reusability and better assertions🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.kiro/agents/e2e-runner.md around lines 74 - 79, The statement claiming `page.locator().click()` auto-waits while `page.click()` doesn't is incorrect; update the line to say that both `page.click(selector)` and `locator.click()` perform Playwright's built-in auto-waiting, and highlight that `page.locator()` (the `Locator` object) is reusable and provides richer assertion methods (e.g., `locator.waitFor()`, `expect(locator).toHaveText()`) and chaining benefits compared to the one-off `page.click(selector)` call; replace the inaccurate wording on the `page.click()` vs `page.locator()` difference accordingly.
ℹ️ Review info
📒 Files selected for processing (85)
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
SOURCE_KIRO="$SCRIPT_DIR/.kiro"
Fix source path resolution; it currently points to a non-existent directory.
Line 19 sets SOURCE_KIRO="$SCRIPT_DIR/.kiro", but this script already lives in .kiro, so it resolves to .../.kiro/.kiro.
💡 Proposed fix
-# Resolve the directory where this script lives (the repo root)
+# Resolve the directory where this script lives (.kiro)
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
-SOURCE_KIRO="$SCRIPT_DIR/.kiro"
+SOURCE_KIRO="$SCRIPT_DIR"🤖 Prompt for AI Agents
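Review bot: nothing after the new `SOURCE_KIRO="$SCRIPT_DIR"` assignment checks that the source tree is actually there, and the old value pointed at a directory that does not exist without the script stopping. Add a guard right after the assignment, such as `[ -d "$SOURCE_KIRO/agents" ] || { echo "source not found: $SOURCE_KIRO" >&2; exit 1; }`, so a future path regression fails loudly instead of installing nothing.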
Verify each finding against the current code and only fix it if needed.
In @.kiro/install.sh around lines 18 - 20, The SOURCE_KIRO variable is
incorrectly set to "$SCRIPT_DIR/.kiro" causing a duplicated .kiro path; update
SOURCE_KIRO in .kiro/install.sh to point to the script directory itself (i.e.,
set SOURCE_KIRO to "$SCRIPT_DIR" or to the resolved parent as appropriate) so
references use the actual .kiro directory, and verify any subsequent uses of
SOURCE_KIRO still work with the new value (look for usages of SOURCE_KIRO
elsewhere in the script to confirm no other path joins are required).
│ Define what functionality is needed │
│ Identify language/framework constraints │
├─────────────────────────────────────────────┤
│ 2. PARALLEL SEARCH (researcher agent) │
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Description: Check for researcher agent in .kiro/agents/
# Search for researcher agent files
fd -e md -e json 'researcher' .kiro/agents/
# Also search for any references to researcher in agent files
rg -l 'researcher' .kiro/agents/
Repository: affaan-m/everything-claude-code
Length of output: 57
🏁 Script executed:
# Check if .kiro/agents/ exists and what's in it
ls -la .kiro/agents/ 2>&1 || echo "Directory may not exist"
# List all agent-related files
fd . .kiro/agents/ 2>&1 | head -20
# Check the full SKILL.md file to see context around line 32
cat -n .kiro/skills/search-first/SKILL.md | head -90
# Search for any references to "agent" in the codebase
rg 'agent' .kiro/ -i --count | head -20
Repository: affaan-m/everything-claude-code
Length of output: 7441
Add missing researcher agent or update documentation.
The workflow diagram (line 32) and Full Mode instructions (lines 77-87) reference a "researcher agent" subagent that does not exist in .kiro/agents/. Either implement this agent or clarify in the documentation that this feature is aspirational or requires manual research steps.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.kiro/skills/search-first/SKILL.md at line 32, The doc references a
non-existent "researcher agent" in the PARALLEL SEARCH workflow and Full Mode
instructions; either implement that subagent with the same agent interface used
by other subagents in .kiro/agents/ (name it researcher-agent or
researcherAgent, accept the same init/config and message/execute handlers as
other agents, and wire it into the PARALLEL SEARCH orchestration), or update
.kiro/skills/search-first/SKILL.md to remove/annotate the researcher agent
references and change Full Mode steps (lines referencing "researcher agent") to
explain the manual research steps or that the feature is aspirational. Ensure
the chosen fix keeps naming consistent with other agents (use the exact symbol
"researcher agent" in docs or "researcher-agent"/"researcherAgent" in code) so
cross-references resolve.
import { verify } from '@solana/web3.js'

async function verifyWalletOwnership(
  publicKey: string,
  signature: string,
  message: string
) {
  try {
    const isValid = verify(
      Buffer.from(message),
      Buffer.from(signature, 'base64'),
      Buffer.from(publicKey, 'base64')
    )
    return isValid
  } catch (error) {
    return false
  }
}
🧩 Analysis chain
🌐 Web query:
How to verify wallet signature in @solana/web3.js latest version
💡 Result:
Verify a signed message (wallet signature) — current Solana JS SDKs
Option A (recommended if you’re on @solana/web3.js v2 / “CryptoKey” APIs): verifySignature
@solana/web3.js v2 exposes verifySignature(publicKeyCryptoKey, signatureBytes, messageBytes) and returns a boolean. (tessl.io)
import { verifySignature } from "@solana/web3.js";
const messageBytes = new TextEncoder().encode(message); // EXACT bytes that were signed
const signatureBytes = signature; // Uint8Array (64 bytes)
const publicKeyCryptoKey = publicKey; // CryptoKey (Ed25519 public key)
const ok = await verifySignature(publicKeyCryptoKey, signatureBytes, messageBytes);
If your wallet library gives you a base58 signature string, decode it to bytes first (e.g., with a base58 decoder), then verify. (The Solana Cookbook’s current examples show this flow, though using `@solana/kit`.) (solana.com)
Option B (if you’re on legacy @solana/web3.js v1 / PublicKey class): use Ed25519 verify (tweetnacl)
In v1, wallet public keys are PublicKey, and signatures are verified via Ed25519 detached verification (commonly tweetnacl.sign.detached.verify) using:
- messageBytes
- signatureBytes (Uint8Array)
- publicKey.toBytes() (32-byte Uint8Array)
(This is the standard approach when you have PublicKey + signature bytes, but verifySignature(CryptoKey, ...) isn’t available.)
Verify a transaction’s signatures
If you’re verifying a serialized transaction (not a signMessage signature), deserialize and call:
import { Transaction } from "@solana/web3.js";
const tx = Transaction.from(rawTxBytes);
const ok = tx.verifySignatures(); // boolean
Transaction.verifySignatures(requireAllSignatures?: boolean) is documented in @solana/web3.js. (solana-foundation.github.io)
Citations:
- 1: https://tessl.io/registry/tessl/npm-solana--web3-js/2.0.0/files/docs/cryptography.md
- 2: https://solana.com/developers/cookbook/wallets/sign-message
- 3: https://solana-foundation.github.io/solana-web3.js/classes/Transaction.html
🏁 Script executed:
#!/bin/bash
# Check if there's a package.json or npm registry info we can examine
# Let's search for `@solana/web3.js` imports in the codebase to understand which version is being used
rg "@solana/web3.js" -A 2 -B 2 | head -50
Repository: affaan-m/everything-claude-code
Length of output: 2008
🌐 Web query:
@solana/web3.js verify function export documentation
💡 Result:
There isn’t a top-level verify() export in @solana/web3.js (legacy). Signature verification is exposed as:
- Legacy transactions: `Transaction.prototype.verifySignatures(requireAllSignatures?: boolean): boolean` (a method on `Transaction`, not a standalone export). [1]
import { Transaction } from "@solana/web3.js";
const tx = Transaction.from(rawTxBytes);
const ok = tx.verifySignatures(); // requireAllSignatures defaults to true
- web3.js v2-style “signing/authentication” helpers (standalone exports):
verifyTransactionSignatures(transaction): Promise<{ valid: boolean; invalidSignatures: Address[] }>
verifyMessageSignature(message, signature, publicKey): Promise<boolean> [2]
import { verifyMessageSignature, verifyTransactionSignatures } from "@solana/web3.js";
Docs: Transaction verifySignatures API page [1]; v2 signing/authentication doc showing the verification exports [2].
References:
[1] (solana-foundation.github.io)
[2] (tessl.io)
Citations:
- 1: https://solana-foundation.github.io/solana-web3.js/classes/Transaction.html
- 2: https://tessl.io/registry/tessl/npm-solana--web3-js/2.0.0/files/docs/signing-authentication.md
🌐 Web query:
@solana/web3.js verifySignature v2 latest documentation
💡 Result:
- API (web3.js v2): `verifySignature(key: CryptoKey, signature: SignatureBytes, data: ReadonlyUint8Array): Promise<boolean>` and it’s used with Web Crypto `CryptoKey` public keys (Ed25519). [1][3]
- Example (v2): [1][3]
import { generateKeyPair, signBytes, verifySignature } from "@solana/web3.js";
const { privateKey, publicKey } = await generateKeyPair();
const message = new TextEncoder().encode("Hello, Solana!");
const sig = await signBytes(privateKey, message);
const ok = await verifySignature(publicKey, sig, message);
- Modular package doc (same function): `verifySignature` is also documented as `import { verifySignature } from "@solana/keys";` with the same behavior/signature. [2]
Sources: [1] @solana/web3.js “Technology Preview” (npm docs) • [2] @solana/keys verifySignature API doc • [3] web3.js v2 cryptography docs (verifySignature signature + example)
Use correct signature verification API from @solana/web3.js.
The verify function does not exist in @solana/web3.js. Use verifySignature (v2) instead:
import { verifySignature } from "@solana/web3.js";
const ok = await verifySignature(
  publicKeyCryptoKey, // CryptoKey (Ed25519 public key)
  signatureBytes, // Uint8Array (64 bytes)
  messageBytes // Uint8Array (exact bytes that were signed)
);
The current code imports a non-existent function and uses incorrect parameter formats (base64 instead of CryptoKey/Uint8Array), causing a runtime error.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.kiro/skills/security-review/SKILL.md around lines 344 - 361, The
verifyWalletOwnership function is using a non-existent verify API and wrong
parameter formats; replace the import with verifySignature from `@solana/web3.js`,
convert the public key bytes into an Ed25519 CryptoKey (or obtain a CryptoKey
via WebCrypto importKey) and convert signature and message into Uint8Array
(signature 64 bytes, message exact bytes), then call await
verifySignature(publicKeyCryptoKey, signatureBytes, messageBytes) and return its
boolean result inside verifyWalletOwnership while preserving the current
try/catch error handling.
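An added example, not code from the PR or from the review comment above: the same `verifyWalletOwnership` check written against Node's built-in Ed25519 support instead of `@solana/web3.js`, so it runs offline and shows the byte handling the comment asks for. It assumes the wallet address and signature arrive base58-encoded; the helper names, the throwaway keypair and the challenge string are constructed for illustration.

```javascript
// Added example: Ed25519 wallet-ownership check using node:crypto only.
// Assumption: address and signature are base58 strings (32 and 64 bytes decoded).
const crypto = require('node:crypto');

const B58 = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz';

// Decode base58 to bytes; throws on any character outside the alphabet.
function base58Decode(text) {
  if (typeof text !== 'string' || text.length === 0) throw new Error('empty input');
  let n = 0n;
  for (const ch of text) {
    const digit = B58.indexOf(ch);
    if (digit < 0) throw new Error('invalid base58 character');
    n = n * 58n + BigInt(digit);
  }
  const bytes = [];
  while (n > 0n) { bytes.unshift(Number(n & 0xffn)); n >>= 8n; }
  for (const ch of text) { if (ch !== '1') break; bytes.unshift(0); } // leading zero bytes
  return Uint8Array.from(bytes);
}

// Encode bytes as base58 (used here only to build the constructed sample input).
function base58Encode(bytes) {
  let n = 0n;
  for (const b of bytes) n = (n << 8n) | BigInt(b);
  let out = '';
  while (n > 0n) { out = B58[Number(n % 58n)] + out; n /= 58n; }
  for (const b of bytes) { if (b !== 0) break; out = '1' + out; }
  return out;
}

// DER header that wraps a raw 32-byte Ed25519 public key as an SPKI structure.
const SPKI_ED25519_PREFIX = Buffer.from('302a300506032b6570032100', 'hex');

function verifyWalletOwnership(publicKeyB58, signatureB58, message) {
  try {
    const rawKey = base58Decode(publicKeyB58);
    const sig = base58Decode(signatureB58);
    // Reject wrong sizes before touching the crypto API.
    if (rawKey.length !== 32 || sig.length !== 64) return false;
    const key = crypto.createPublicKey({
      key: Buffer.concat([SPKI_ED25519_PREFIX, rawKey]),
      format: 'der',
      type: 'spki',
    });
    // Verify over the exact UTF-8 bytes of the message that was signed.
    return crypto.verify(null, Buffer.from(message, 'utf8'), key, sig);
  } catch {
    return false; // malformed encoding or key material counts as "not verified"
  }
}

// Constructed sample: a throwaway keypair stands in for the wallet.
function demo() {
  const wallet = crypto.generateKeyPairSync('ed25519');
  const other = crypto.generateKeyPairSync('ed25519');
  const rawPub = (k) => k.export({ format: 'der', type: 'spki' }).subarray(-32);
  const address = base58Encode(rawPub(wallet.publicKey));
  const message = 'Sign in to example.test, challenge 7f3a91 (constructed)';
  const sigBytes = crypto.sign(null, Buffer.from(message, 'utf8'), wallet.privateKey);
  const signature = base58Encode(sigBytes);
  return {
    valid: verifyWalletOwnership(address, signature, message),
    alteredMessage: verifyWalletOwnership(address, signature, message + ' '),
    otherWallet: verifyWalletOwnership(base58Encode(rawPub(other.publicKey)), signature, message),
    base64Signature: verifyWalletOwnership(address, sigBytes.toString('base64'), message),
    truncatedSignature: verifyWalletOwnership(address, base58Encode(sigBytes.subarray(0, 63)), message),
  };
}

console.log(demo());
```

Only the first result is `true`; every malformed or mismatched input resolves to `false` rather than an exception reaching the caller.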
Summary
`.kiro/` directory
This is a contribution from the kiro-everything-claude-code project, adapting ECC workflows for Kiro's native format.
What's included
- .kiro/agents/
- .kiro/skills/*/SKILL.md
- .kiro/steering/*.md
- .kiro/hooks/*.kiro.hook
- .kiro/scripts/
- .kiro/settings/mcp.json.example
- .kiro/docs/
- .kiro/install.sh
- .kiro/README.md
Note for maintainers
Only the `.kiro/` folder is included in this PR. Other files (README.md, CONTRIBUTING.md, cross-tool parity table, FAQ, etc.) will need updating to reference Kiro support — happy to help with those changes or leave it to you.
Contributors
Test plan
- `.kiro/` files validated against Kiro's expected format
- `/` menu
- `.kiro.hook` extension with correct trigger types
🤖 Generated with Claude Code
Summary by cubic
Adds native Kiro IDE and CLI support via a self-contained `.kiro/` bundle and installer. Enables ECC workflows in Kiro with agents, skills, hooks, steering, scripts, and docs without touching app code.
New Features
- `.md`, CLI `.json`) for planning, reviews, security, TDD, build fixes, E2E, and Go/Python reviews.
- `.kiro/`.
- `install.sh` (non-destructive), `scripts/quality-gate.sh`, `scripts/format.sh`.
- `.kiro/settings/mcp.json.example` plus short/longform and security guides.
Migration
- `./.kiro/install.sh [path|~]`; safe copy with no overwrites.
- `bash .kiro/scripts/quality-gate.sh` on demand.
- `.kiro/`.
Written for commit 278964c. Summary will update on new commits.
Summary by CodeRabbit
Documentation
Chores