agentsystem-core

Read-only subagent that takes an artifact/entity name (Task, Project, Workspace, User, etc.) and returns every place a user creates, edits, configures, imports, or duplicates that artifact in the app — create dialog, edit dialog, settings page, bulk import, CSV upload, API client, admin override, duplicate-from-template, etc. Returns a structured surface list with file:line refs the parent uses to ensure a new field/behavior ships to every CRUD touchpoint, not just the most visible one. Used by add-feature Phase 1 (CRUD/input surfaces) and modify-feature when adding a field or behavior to an artifact. Never edits files.

Per-thread subagent that resolves a single GitHub PR review thread end-to-end — read code at the comment anchor, classify (change request / question / nit), apply the fix when needed (one commit per addressed comment), reply via the GitHub API (in_reply_to for inline comments), and resolve the thread (or leave unresolved if declined). The parent (address-pr-comments) fans out one subagent per unresolved thread for context isolation; the agent isolates the file-read + git + gh work that would otherwise pollute the parent's window. Returns a structured result the parent uses to verify and report. Used only by address-pr-comments — not user-invocable directly.

Read-only changed-files-only accessibility audit. Faster sibling to audit-a11y (which is whole-app); this auditor runs as a post-step on diffs without producing whole-app noise. Catches icon buttons missing accessible names, dialogs missing focus trap or initial focus, custom clickable divs where a button belongs, form errors not associated with their fields (aria-describedby missing), broken keyboard paths (no :focus-visible on custom interactives), labels not bound to inputs, and images missing alt. Returns severity-ranked findings with file:line refs and auto-fixable flags for mechanical issues; never edits files. Use when add-feature or modify-feature runs after UI mutation (new components, pages, routes, interactive primitives, forms).

Read-only audit of authorization on every server-side entry point — TanStack Start server functions in src/fn/, HTTP route handlers, tRPC procedures, GraphQL resolvers, webhook handlers, queue workers, IPC handlers — for missing or wrong access checks. Detects handlers with no auth check at all (anonymous access), handlers that check identity but not ownership (IDOR), handlers that grant by role-presence without resource scoping, admin gates depending on client-supplied flags, public endpoints reading user-scoped data via session, and webhook handlers without signature verification. Returns severity-ranked findings (critical/high/medium/low) with the specific check that's missing and a concrete fix snippet using the project's existing auth helpers; never edits files. Sibling concern to reviewer-security-regression (broader app security) — keep scopes separate. Use when add-feature, modify-feature, or fix-bug runs after a change to a server entry point or auth flow.

Read-only audit of client-bundle correctness and weight regressions. Catches server-only modules imported into client routes/components (drizzle, prisma, fs, child_process, postmark, stripe-node), non-public env vars in client files, heavy dependencies (lodash, moment, draft-js, monaco, recharts) added to first-load bundles, lodash full-imports that should be tree-shakable, and unoptimized images/videos shipped without responsive variants. Detects framework conventions (TanStack Start / Next App / Next Pages / Vite SPA) so client/server boundaries are correctly identified. Returns severity-ranked findings with file:line refs; never edits files. Use when add-feature, modify-feature, code-enforce-layers, or audit runs after client-side code changes, a new dependency was added, or an asset was added to public/.

Add a Playwright end-to-end test for a user-facing flow — sign-in, form submit, multi-step wizard, payment, navigation, etc. Detects existing Playwright setup and inherits its config (baseURL, projects, fixtures, auth state); installs Playwright via the official `npm init playwright@latest` flow only with explicit user approval. Wires one smoke test that hits the real running dev server before generating the full flow. Prefers role-based selectors (`getByRole`, `getByLabel`) over CSS/test-ids; uses `expect`-with-auto-retry assertions; adds an auth-state fixture for tests that need a logged-in user. Trigger phrases — "add an e2e test", "playwright test", "browser test for X", "test the signup flow", "/add-e2e-test", "end-to-end test". Skip for — pure unit-testable logic (use write-tests), API-only flows (use write-tests with supertest/fetch), and projects where the user explicitly does not want a browser harness.

Sibling to add-skeleton-loaders. After data fetching is wired in a route or component, verify and auto-fix the two non-loading states most often forgotten — empty (the request succeeded but returned zero items / null) and error (the request failed). Empty states get a clear message + primary call-to-action. Error states get a human-readable message + retry affordance + (in dev) a way to surface the actual error. Uses the project's existing UI primitives — shadcn `<EmptyState />` if present, project conventions otherwise. Does NOT cover loading skeletons. Trigger phrases — "add empty state", "what if this list is empty", "add error state", "handle the error case", "/add-empty-error-states", "error UI", "no results UI", any time a route was just wired with `useQuery` / `useSuspenseQuery` / loader. Skip for — pure static pages, mutations (useMutation has different patterns), modals/dialogs whose empty state is the parent's responsibility.

End-to-end workflow for planning and shipping a new feature in an existing codebase. Phases — clarify → explore → design → mandatory plan-approval gate → implement (subagent fan-out where useful) → verify → gated reviews (code + duplication always; security/performance/contracts/concurrency/observability/data integrity when gates trigger) → automated tests. Also enforces UI-convention parity: any new instance of a recurring UI surface (modal, dialog, drawer, form) must match sibling conventions for hotkeys, kbd hints, focus, and loading states. Accepts `mode=fast|balanced|production` to control depth (default: production); also accepts `include=<phases>` / `skip=<phases>` overrides. Use when the user asks to add, build, ship, or implement a new feature: "add a feature", "build this", "implement X", "new feature", "plan and build", "ship this". Skip for bug fixes (use fix-bug), pure refactors, enum/state renames (use realign), or one-line tweaks.

Generate and review a Drizzle (or Prisma / Knex / raw SQL) migration safely — classifies the change as additive, mutating, or destructive; for mutating/destructive changes, splits into a multi-phase plan (deploy code that tolerates both shapes → migrate → deploy code that requires the new shape). Catches the landmines: NOT NULL on a populated column without backfill, dropping a column still referenced by old code, adding a unique constraint with existing duplicates, large-table index without `CONCURRENTLY`, type changes that rewrite the table, default values evaluated at migration time vs. row time. Trigger phrases — "add a migration", "schema change", "add column to X", "drop column X", "rename column", "add index", "/add-migration", "drizzle migration", "alter table". Skip for — pure code changes with no schema impact, seed-data-only changes (use add-seed-data), and infra-level changes (DB version upgrades, replication setup).

Internal handoff target invoked by add-feature and modify-feature when wiring integration boundaries (HTTP/webhook dispatch, IPC, Claude Code hooks, queues, file writes, env-var injection, MCP tool calls, spawned processes) so that when a side effect later goes silent, fix-bug reads literal evidence instead of guessing. Instruments boundaries with leveled, structured logs and typed error reporting. Detects the project's existing logger and conforms; if none exists, proposes a minimal leveled logger or a zero-dep `console`-based fallback. Replaces silent-failure patterns (`|| true`, empty `catch {}`, `>/dev/null 2>&1`) with logged catches that preserve behavior. Trigger phrases for routing: "instrument this", "add logging to X", "this integration has no logs", "make this debuggable", "proactive logging", "structured logs for this feature", "wire up observability", "I want a trail for this". Skip for pure unit-test code, internal utility functions with no I/O, generated code, third-party vendor files, and reactive debugging of a specific failure (use fix-bug instead).