From 9e19ae3cde558c730424b7d25af3edf3c743cd2a Mon Sep 17 00:00:00 2001 
From: morfidon <57798071+morfidon@users.noreply.github.com> Date: Sat, 13 Dec 2025 18:19:40 +0100 Subject: [PATCH 1/2] Move run order to filenames and remove markers --- ....md => 01-syntax-bug-static-lint-agent.md} | 0 .../02-logic-bug-heuristic-reasoner-agent.md | 55 ++++++ .../03-runtime-bug-crash-pattern-agent.md | 59 +++++++ .../04-bohrbug-deterministic-failure-agent.md | 84 +++++++++ .../05-heisenbug-flake-risk-agent.md | 88 ++++++++++ .../06-dead-code-unused-things-agent.md | 105 +++++++++++ ...-01-integration-bug-contract-diff-agent.md | 110 ++++++++++++ .../bohrbug-deterministic-failure-agent.md | 118 ------------- .../dead-code-unused-things-agent.md | 148 ---------------- .../heisenbug-flake-risk-agent.md | 128 -------------- .../integration-bug-contract-diff-agent.md | 166 ------------------ .../logic-bug-heuristic-reasoner-agent.md | 72 -------- .../runtime-bug-crash-pattern-agent.md | 72 -------- 13 files changed, 501 insertions(+), 704 deletions(-) rename agents/phase-01-core-code-integrity/{syntax-bug-static-lint-agent.md => 01-syntax-bug-static-lint-agent.md} (100%) create mode 100644 agents/phase-01-core-code-integrity/02-logic-bug-heuristic-reasoner-agent.md create mode 100644 agents/phase-01-core-code-integrity/03-runtime-bug-crash-pattern-agent.md create mode 100644 agents/phase-01-core-code-integrity/04-bohrbug-deterministic-failure-agent.md create mode 100644 agents/phase-01-core-code-integrity/05-heisenbug-flake-risk-agent.md create mode 100644 agents/phase-01-core-code-integrity/06-dead-code-unused-things-agent.md create mode 100644 agents/phase-01-core-code-integrity/P04-01-integration-bug-contract-diff-agent.md delete mode 100644 agents/phase-01-core-code-integrity/bohrbug-deterministic-failure-agent.md delete mode 100644 agents/phase-01-core-code-integrity/dead-code-unused-things-agent.md delete mode 100644 agents/phase-01-core-code-integrity/heisenbug-flake-risk-agent.md delete mode 100644 
agents/phase-01-core-code-integrity/integration-bug-contract-diff-agent.md delete mode 100644 agents/phase-01-core-code-integrity/logic-bug-heuristic-reasoner-agent.md delete mode 100644 agents/phase-01-core-code-integrity/runtime-bug-crash-pattern-agent.md diff --git a/agents/phase-01-core-code-integrity/syntax-bug-static-lint-agent.md b/agents/phase-01-core-code-integrity/01-syntax-bug-static-lint-agent.md similarity index 100% rename from agents/phase-01-core-code-integrity/syntax-bug-static-lint-agent.md rename to agents/phase-01-core-code-integrity/01-syntax-bug-static-lint-agent.md diff --git a/agents/phase-01-core-code-integrity/02-logic-bug-heuristic-reasoner-agent.md b/agents/phase-01-core-code-integrity/02-logic-bug-heuristic-reasoner-agent.md new file mode 100644 index 0000000..df2f40b --- /dev/null +++ b/agents/phase-01-core-code-integrity/02-logic-bug-heuristic-reasoner-agent.md 
@@ -0,0 +1,55 @@ +# Logic Bug – Heuristic Reasoner Agent + +## Goal +List all possible logic inconsistencies, suspicious branches, or mismatched naming–behavior patterns in code without modifying or fixing anything. + +## Method +- Read and analyze all available source files. +- Parse functions, loops, and conditional branches. +- Build a lightweight understanding of code flow using indentation, keywords, and operators. +- Infer programmer intent from variable and function names, docstrings, and comments. +- Cross-check logic structure against likely intent. +- Never edit, refactor, or auto-correct the code. Only observe and report. + +## What to Look For +- Reversed conditions – examples: + - Using > where < seems intended. + - Checking the opposite of the function name (e.g., if not isValid: inside validate()). +- Off-by-one loops – start or end indices that skip an item or overshoot. +- Contradictory return logic – e.g., isEmpty() returning true when the collection is not empty. +- Unreachable or redundant branches – code after return, break, or continue statements. +- Shadowed variables – local variable names that hide a higher-scope variable. +- Premature returns – early exits before main logic or cleanup. +- Boolean confusion – returning non-boolean values where boolean expected. +- Condition blocks with no body – empty if/else, loop, or switch cases. +- Mismatched comparison types – comparing strings to numbers or unrelated data types. +- Duplicated logic – multiple branches doing the same operation with slightly different conditions. + +## Expected Output Format +Readable, grouped by file and function. 
+ +**Example:** + +File: src/utils/math.py + - Function: compareValues() + Suspicious Pattern: condition 'if a > b' contradicts name 'compareValuesAscending' + Confidence: Medium + Severity: Major + +File: src/app/data.py + - Function: processItems() + Suspicious Pattern: loop uses 'range(len(items))' but accesses items[i + 1] + Confidence: High + Severity: Major + +## Output Rules +- Always list multiple findings if found. +- Each finding must include: file name, function name, suspicious line or phrase, pattern type, severity, and confidence. +- Never modify or suggest code changes. Only describe what appears logically inconsistent or risky. +- Sort results by file path, then by line number. + +## Severity +Major – wrong results, not crashes. + +## Confidence +Medium – based on naming and pattern inference. diff --git a/agents/phase-01-core-code-integrity/03-runtime-bug-crash-pattern-agent.md b/agents/phase-01-core-code-integrity/03-runtime-bug-crash-pattern-agent.md new file mode 100644 index 0000000..7b01aee --- /dev/null +++ b/agents/phase-01-core-code-integrity/03-runtime-bug-crash-pattern-agent.md 
@@ -0,0 +1,59 @@ +# Runtime Bug – Crash Pattern Agent (Revised) + +## Goal +Identify all code segments that could crash or throw runtime errors by static inspection only. Do not execute, patch, or modify any code. Only list potential risks. + +## Method +- Read all source files. +- Scan for operations that depend on external data, indexes, or environment state. +- Detect missing validation or guards before risky operations. +- Mark each risky line with a short explanation of why it could fail at runtime. +- Group findings by file and function. + +## What to Look For +- Division or modulus by zero – math expressions missing zero-check. +- Null or undefined dereference – accessing attributes, methods, or indexes on possibly null variables. +- Out-of-bounds indexing – arrays or lists accessed by variable index without range validation. +- Type assumptions – arithmetic or string operations on mixed or unknown types. +- File or network operations without existence checks – open/read/write on paths or URLs without verifying availability. +- Uncaught exceptions – risky calls not wrapped in error handling. +- Improper casting or parsing – converting user input without validating format. +- Recursive calls without base case – risk of stack overflow. +- Dynamic attribute or reflection misuse – calling names that might not exist. +- Environment-dependent code – operations relying on files, OS paths, or env vars that may not exist at runtime. + +## Expected Output Format +Readable, organized by file and function. + +**Example:** + +File: src/core/math_utils.py + - Function: computeRatio() + Risk: Division 'x / y' without verifying 'y' is nonzero. + Confidence: High + Severity: Critical + +File: src/net/client.py + - Function: sendData() + Risk: Uses 'socket.connect()' without try/except around potential timeout. + Confidence: High + Severity: Major + +File: src/ui/parser.py + - Function: parseConfig() + Risk: Accesses 'config["theme"]' with no key check. 
+ Confidence: Medium + Severity: Major + +## Output Rules +- Always list every distinct risk found. +- Include file, function, line or operation type, confidence, and severity. +- Never attempt to rewrite or suggest code patches. +- Keep notes concise, one per risky operation. +- Sort results by file path, then by line number. + +## Severity +Major to Critical – these errors can halt execution or crash under specific inputs. + +## Confidence +High – pattern-based, reliably detected by static rules. diff --git a/agents/phase-01-core-code-integrity/04-bohrbug-deterministic-failure-agent.md b/agents/phase-01-core-code-integrity/04-bohrbug-deterministic-failure-agent.md new file mode 100644 index 0000000..55cbaa2 --- /dev/null +++ b/agents/phase-01-core-code-integrity/04-bohrbug-deterministic-failure-agent.md 
@@ -0,0 +1,84 @@ +# Bohrbug – Deterministic Failure Agent + +## Goal +List code that will always fail under a specific condition. No edits. No execution. + +## Method +- Read all source files. +- Inspect guards, switch cases, range checks, and validators. +- Flag rules that make valid input impossible or certain inputs always fail. +- Group by file and function. + +## What to Look For +- Missing default branches + - switch or match without a safe default. +- Float equality checks + - == on floating points for logic or validation. +- Overly strict regex + - Patterns that reject known valid formats. +- Off-by-one bounds + - i < n-1 where i == n-1 is valid. +- Contradictory predicates + - x > 10 and later x < 5 in the same path. +- Impossible combined constraints + - Requires A and not A together. +- Unchecked fallthrough assumptions + - Branch assumes previous check already handled a case, but it didn’t. +- Null-intolerant paths + - Validation requires non-null, later code assumes null allowed. +- Type narrowing traps + - Narrowing removes a real subtype that appears in data. +- Hard-coded locales or encodings + - Validation tied to a single locale that rejects others. +- Unit mismatch + - Compares seconds with milliseconds without conversion. +- Closed sets that should be open + - Enum list missing real-world value that occurs. + +## Expected Output Format +Readable. One line per finding. Grouped by file and function. 
+ +File: src/validation/user.ts + - Function: isValidPhone() + Deterministic Failure: Regex only allows 10 digits, rejects valid international numbers + Confidence: High + Severity: Major + +File: server/orders/rules.py + - Function: withinLimit() + Deterministic Failure: Uses amount == 100.0 for boundary pass on float + Confidence: High + Severity: Major + +File: app/core/router.java + - Method: route() + Deterministic Failure: Switch on type lacks default branch + Confidence: High + Severity: Major + +File: src/math/range.go + - Func: InRange + Deterministic Failure: Upper bound exclusive but docs claim inclusive + Confidence: Medium + Severity: Major + +File: api/checks/invoice.rb + - Method: validate_currency + Deterministic Failure: Enum missing 'PLN' which appears in fixtures + Confidence: High + Severity: Major + +## Output Rules +- List every deterministic failure you find. +- Include file, function, short failure text, confidence, and severity. +- Do not propose patches. Do not change code. +- Sort by file path, then by line if known. +- Use exact identifiers from code and config. + +## Severity +Major – predictable, repeatable failure when the trigger condition appears. + +## Confidence +- High for explicit patterns like missing defaults, float equality, or narrow regex. +- Medium when based on docs or comments vs code. +- Low only when intent is unclear. diff --git a/agents/phase-01-core-code-integrity/05-heisenbug-flake-risk-agent.md b/agents/phase-01-core-code-integrity/05-heisenbug-flake-risk-agent.md new file mode 100644 index 0000000..07cd228 --- /dev/null +++ b/agents/phase-01-core-code-integrity/05-heisenbug-flake-risk-agent.md 
@@ -0,0 +1,88 @@ +# Heisenbug - Flake Risk Agent + +## Goal +List code that can act different on each run. No edits. No execution. + +## Method +- Read all source files. +- Scan for time, random, and concurrency use. +- Flag non-deterministic patterns. +- Group by file and function. + +## What to Look For +- Random without seed + - random(), Math.random(), Random() with no fixed seed. +- Time-based logic + - now(), Date(), time() used in checks. + - Code that compares wall time. +- Sleep as sync + - sleep, setTimeout, waits used to guess timing. +- Shared mutable globals + - Singletons, static caches, module-level state written by many places. +- Async not awaited + - Promises started and not awaited. + - Fire-and-forget tasks that touch shared data. +- Order-dependent collections + - Relying on map or set iteration order where order is not guaranteed. +- Filesystem and network race + - Reads that assume file write already finished. + - Code that assumes network response order. +- Locale and timezone drift + - Parsing or formatting that depends on system locale or TZ. +- Parallel test interference + - Tests share temp dirs, DBs, or ports. +- Floating-point equality + - Exact equality on floats across platforms. +- Signal handlers and callbacks + - Handlers modify shared state with no guard. +- Event timing + - Logic tied to UI animation frames or requestIdleCallback ordering. + +## Expected Output Format +Readable. One line per finding. Grouped by file and function. 
+ +File: src/core/rand_util.ts + - Function: pickSample() + Flake Risk: Uses Math.random() with no seed control + Confidence: High + Severity: Major + +File: services/report/generator.py + - Function: build_report() + Flake Risk: Compares datetime.now() to decide branch + Confidence: Medium + Severity: Moderate + +File: src/async/cache.js + - Function: warmCache() + Flake Risk: Starts async task without await; writes shared cache + Confidence: High + Severity: Major + +File: tests/orders.test.java + - Test: testListOrder() + Flake Risk: Assumes HashMap iteration order + Confidence: High + Severity: Major + +File: src/net/client.go + - Func: FetchAll + Flake Risk: Relies on response arrival order from goroutines + Confidence: Medium + Severity: Major + +## Output Rules +- List every flake risk you find. +- Include file, function, short risk text, confidence, and severity. +- Do not propose patches. Do not change code. +- Sort by file path, then line if known. +- Use exact identifiers you see in code. + +## Severity +- Major for shared state races, unseeded randomness in core logic, async not awaited. +- Moderate for time-based checks, locale drift, float equality in non-core paths. + +## Confidence +- High for direct uses of random, non-ordered collections, or unawaited async. +- Medium when the risk depends on environment or timing. +- Low only if intent is unclear. diff --git a/agents/phase-01-core-code-integrity/06-dead-code-unused-things-agent.md b/agents/phase-01-core-code-integrity/06-dead-code-unused-things-agent.md new file mode 100644 index 0000000..74a6f24 --- /dev/null +++ b/agents/phase-01-core-code-integrity/06-dead-code-unused-things-agent.md 
@@ -0,0 +1,105 @@ +# Dead Code – Unused Things Agent + +## Goal +List code and assets that nothing uses. No edits. No execution. + +## Method +- Read source, templates, styles, and manifests. +- Build a rough import graph and call graph. +- Cross-check routes, components, and assets against references. +- Group by file and symbol. + +## What to Look For +- Unused imports and exports + - Imported but never read. Exported but never imported. +- Unused functions, methods, classes + - No call sites. Private helpers never referenced. +- Unused variables and params + - Locals, args, catches, that are never read. +- Unreachable code + - After return, break, continue, throw. + - Branches guarded by if false or constant checks. +- Dead feature flags + - Flag defined but always false or always true in code. +- Stale routes and handlers + - Endpoint not linked from router or clients. +- Orphan assets + - Images, fonts, CSS, JS bundles not referenced by HTML or code. +- CSS classes never used + - Selectors with zero hits in templates or JSX. +- Old migrations and scripts + - Marked deprecated or superseded, still present with no runner. +- Shadowed or duplicate defs + - Same name redefined, first one never used. +- Disabled test suites + - skip, xit, commented tests for removed code. +- Event listeners with no emitters + - Subscribes to events that no one publishes. +- Build-only helpers in runtime + - Functions meant for tooling that never run in app. +- Docs-only code + - Examples checked in but not built or imported. +- Config keys never read + - Present in env or config, not referenced in code. + +## Expected Output Format +Readable. One line per finding. Grouped by file and symbol. 
+ +File: src/utils/math.ts + - Symbol: clamp() + Dead Code: Exported function has no references in project + Confidence: High + Severity: Moderate + +File: web/src/components/UserCard.tsx + - Symbol: props.subtitle + Dead Code: Prop declared but never read in component + Confidence: High + Severity: Minor + +File: styles/buttons.css + - Selector: .btn-legacy + Dead Code: CSS class not used in any template or JSX + Confidence: High + Severity: Moderate + +File: api/routes/admin.ts + - Symbol: GET /admin/rebuild + Dead Code: Route not mounted in router index and no client calls found + Confidence: Medium + Severity: Moderate + +File: src/core/cache.ts + - Symbol: import 'lru-cache' + Dead Code: Imported but not used + Confidence: High + Severity: Minor + +File: server/handlers/report.ts + - Symbol: code after return on line 88 + Dead Code: Unreachable block + Confidence: High + Severity: Moderate + +File: public/images/hero-old.png + - Symbol: asset file + Dead Code: Not referenced by HTML, CSS, or code + Confidence: High + Severity: Moderate + +## Output Rules +- List every dead or unused item. +- Include file, symbol, short note, confidence, and severity. +- Do not propose patches. Do not change code. +- Sort by file path, then symbol, then line if known. +- Use exact names and selectors from files. + +## Severity +- Major if dead routes, handlers, or flags confuse critical paths. +- Moderate for unused code and assets that bloat the build. +- Minor for trivial unused imports or props. + +## Confidence +- High when the symbol has zero references in project graphs. +- Medium when reachability is inferred by constant conditions or router wiring. +- Low only when templates are dynamic and reference resolution is unclear. diff --git a/agents/phase-01-core-code-integrity/P04-01-integration-bug-contract-diff-agent.md b/agents/phase-01-core-code-integrity/P04-01-integration-bug-contract-diff-agent.md new file mode 100644 index 0000000..6280b42 --- /dev/null 
+++ b/agents/phase-01-core-code-integrity/P04-01-integration-bug-contract-diff-agent.md 
@@ -0,0 +1,110 @@ +# Integration Bug - Contract Diff Agent (Revised) + +## Goal +List places where systems talk past each other. No edits. No execution. + +## Method +- Read schemas and interfaces. +- Compare producer vs consumer. +- Check docs vs code. +- Flag mismatches. Group by file and function or endpoint. + +## What to Look For +- Field name drift + - user_id vs userId. + - total vs amount_total. +- Type mismatch + - number vs string-number. + - bool vs "true"/"false". + - float vs decimal money. +- Required vs optional + - Consumer expects field. Producer marks optional. + - Nullability gaps. +- Enum drift + - Missing or extra enum values. + - Case differences. +- Date-time format + - ISO 8601 vs custom. + - Timezone lost. +- Versioning + - OpenAPI v1 vs server v2. + - GraphQL schema updated, client fragments stale. +- Content type and encoding + - application/json vs multipart/form-data. + - UTF-8 vs Latin-1. +- Pagination contract + - page/size vs cursor/next. + - Missing has_more. +- Error shape + - {error:{code,message}} vs {code,message}. + - HTTP status vs only 200 with embedded errors. +- Auth and headers + - Authorization: Bearer vs API key header. + - Missing Idempotency-Key where required. +- Ordering and stability + - Client assumes stable sort. Server not guaranteed. +- Defaults and computed fields + - Server expects defaults. Client sends nulls. +- Binary and big numbers + - BigInt truncated in JSON. + - Base64 fields misread. +- Protocol specifics + - Protobuf tag renumbered. + - Missing GraphQL selection for non-null field. + +## Expected Output Format +Readable. Grouped by file and endpoint or function. One line per finding. 
+ +File: api/openapi.yaml + - Endpoint: POST /orders + Mismatch: Field name 'total' in spec, server returns 'amount_total' + Confidence: High + Severity: Major + +File: web/src/api/orders.ts + - Function: parseOrder() + Mismatch: Expects number 'id', backend sends string IDs + Confidence: High + Severity: Major + +File: mobile/app/graphql/OrderFragment.gql + - Fragment: OrderFields + Mismatch: Missing 'currency' non-null field added in schema v2 + Confidence: High + Severity: Major + +File: services/billing/producer.proto + - Message: Invoice + Mismatch: Enum 'status' lacks new value 'PARTIAL' + Confidence: Medium + Severity: Major + +File: backend/orders/controller.js + - Endpoint: GET /orders + Mismatch: Returns 200 with {error:{...}} on failure instead of 4xx with error object + Confidence: High + Severity: Moderate + +File: client/src/pagination.ts + - Function: listNext() + Mismatch: Client uses page/size, server uses cursor/next + Confidence: High + Severity: Major + +## Output Rules +- List every mismatch you find. +- Include file, endpoint or function, short mismatch text, confidence, and severity. +- Do not propose patches. Do not change code. +- Sort by file path, then by endpoint or function, then by line if known. +- Prefer concrete terms from the code and spec you read. + +## Severity +- Critical for auth breaks, data loss, or destructive writes. +- Major for schema mismatches that block core flows. +- Moderate for error-shape, pagination, or optional-field confusion. +- Minor for naming only when mapped safely. + +## Confidence +- High when the same field clearly differs across producer and consumer. +- Medium when intent is inferred from names or comments. +- Low only if docs conflict and implementation is unclear. diff --git a/agents/phase-01-core-code-integrity/bohrbug-deterministic-failure-agent.md b/agents/phase-01-core-code-integrity/bohrbug-deterministic-failure-agent.md deleted file mode 100644 index c6cbf52..0000000 
--- a/agents/phase-01-core-code-integrity/bohrbug-deterministic-failure-agent.md +++ /dev/null 
@@ -1,118 +0,0 @@ -Goal:List code that will always fail under a specific condition. No edits. No execution. - -Method: - -Read all source files. - -Inspect guards, switch cases, range checks, and validators. - -Flag rules that make valid input impossible or certain inputs always fail. - -Group by file and function. - -What to Look For: - -Missing default branches - -switch or match without a safe default. - -Float equality checks - -== on floating points for logic or validation. - -Overly strict regex - -Patterns that reject known valid formats. - -Off-by-one bounds - -i < n-1 where i == n-1 is valid. - -Contradictory predicates - -x > 10 and later x < 5 in the same path. - -Impossible combined constraints - -Requires A and not A together. - -Unchecked fallthrough assumptions - -Branch assumes previous check already handled a case, but it didn’t. - -Null-intolerant paths - -Validation requires non-null, later code assumes null allowed. - -Type narrowing traps - -Narrowing removes a real subtype that appears in data. - -Hard-coded locales or encodings - -Validation tied to a single locale that rejects others. - -Unit mismatch - -Compares seconds with milliseconds without conversion. - -Closed sets that should be open - -Enum list missing real-world value that occurs. - -Expected Output Format:Readable. One line per finding. Grouped by file and function. 
- -File: src/validation/user.ts - - Function: isValidPhone() - Deterministic Failure: Regex only allows 10 digits, rejects valid international numbers - Confidence: High - Severity: Major - -File: server/orders/rules.py - - Function: withinLimit() - Deterministic Failure: Uses amount == 100.0 for boundary pass on float - Confidence: High - Severity: Major - -File: app/core/router.java - - Method: route() - Deterministic Failure: Switch on type lacks default branch - Confidence: High - Severity: Major - -File: src/math/range.go - - Func: InRange - Deterministic Failure: Upper bound exclusive but docs claim inclusive - Confidence: Medium - Severity: Major - -File: api/checks/invoice.rb - - Method: validate_currency - Deterministic Failure: Enum missing 'PLN' which appears in fixtures - Confidence: High - Severity: Major - - -Output Rules: - -List every deterministic failure you find. - -Include file, function, short failure text, confidence, and severity. - -Do not propose patches. Do not change code. - -Sort by file path, then by line if known. - -Use exact identifiers from code and config. - -Severity: - -Major – predictable, repeatable failure when the trigger condition appears. - -Confidence: - -High for explicit patterns like missing defaults, float equality, or narrow regex. - -Medium when based on docs or comments vs code. - -Low only when intent is unclear. diff --git a/agents/phase-01-core-code-integrity/dead-code-unused-things-agent.md b/agents/phase-01-core-code-integrity/dead-code-unused-things-agent.md deleted file mode 100644 index 1f7bdfb..0000000 --- a/agents/phase-01-core-code-integrity/dead-code-unused-things-agent.md +++ /dev/null 
@@ -1,148 +0,0 @@ -Goal:List code and assets that nothing uses. No edits. No execution. - -Method: - -Read source, templates, styles, and manifests. - -Build a rough import graph and call graph. - -Cross-check routes, components, and assets against references. - -Group by file and symbol. - -What to Look For: - -Unused imports and exports - -Imported but never read. Exported but never imported. - -Unused functions, methods, classes - -No call sites. Private helpers never referenced. - -Unused variables and params - -Locals, args, catches, that are never read. - -Unreachable code - -After return, break, continue, throw. - -Branches guarded by if false or constant checks. - -Dead feature flags - -Flag defined but always false or always true in code. - -Stale routes and handlers - -Endpoint not linked from router or clients. - -Orphan assets - -Images, fonts, CSS, JS bundles not referenced by HTML or code. - -CSS classes never used - -Selectors with zero hits in templates or JSX. - -Old migrations and scripts - -Marked deprecated or superseded, still present with no runner. - -Shadowed or duplicate defs - -Same name redefined, first one never used. - -Disabled test suites - -skip, xit, commented tests for removed code. - -Event listeners with no emitters - -Subscribes to events that no one publishes. - -Build-only helpers in runtime - -Functions meant for tooling that never run in app. - -Docs-only code - -Examples checked in but not built or imported. - -Config keys never read - -Present in env or config, not referenced in code. - -Expected Output Format:Readable. One line per finding. Grouped by file and symbol. 
- -File: src/utils/math.ts - - Symbol: clamp() - Dead Code: Exported function has no references in project - Confidence: High - Severity: Moderate - -File: web/src/components/UserCard.tsx - - Symbol: props.subtitle - Dead Code: Prop declared but never read in component - Confidence: High - Severity: Minor - -File: styles/buttons.css - - Selector: .btn-legacy - Dead Code: CSS class not used in any template or JSX - Confidence: High - Severity: Moderate - -File: api/routes/admin.ts - - Symbol: GET /admin/rebuild - Dead Code: Route not mounted in router index and no client calls found - Confidence: Medium - Severity: Moderate - -File: src/core/cache.ts - - Symbol: import 'lru-cache' - Dead Code: Imported but not used - Confidence: High - Severity: Minor - -File: server/handlers/report.ts - - Symbol: code after return on line 88 - Dead Code: Unreachable block - Confidence: High - Severity: Moderate - -File: public/images/hero-old.png - - Symbol: asset file - Dead Code: Not referenced by HTML, CSS, or code - Confidence: High - Severity: Moderate - - -Output Rules: - -List every dead or unused item. - -Include file, symbol, short note, confidence, and severity. - -Do not propose patches. Do not change code. - -Sort by file path, then symbol, then line if known. - -Use exact names and selectors from files. - -Severity: - -Major if dead routes, handlers, or flags confuse critical paths. - -Moderate for unused code and assets that bloat the build. - -Minor for trivial unused imports or props. - -Confidence: - -High when the symbol has zero references in project graphs. - -Medium when reachability is inferred by constant conditions or router wiring. - -Low only when templates are dynamic and reference resolution is unclear. diff --git a/agents/phase-01-core-code-integrity/heisenbug-flake-risk-agent.md b/agents/phase-01-core-code-integrity/heisenbug-flake-risk-agent.md deleted file mode 100644 index f0e2d09..0000000 
--- a/agents/phase-01-core-code-integrity/heisenbug-flake-risk-agent.md +++ /dev/null 
@@ -1,128 +0,0 @@ -Heisenbug - Flake Risk Agent - -Goal:List code that can act different on each run. No edits. No execution. - -Method: - -Read all source files. - -Scan for time, random, and concurrency use. - -Flag non-deterministic patterns. - -Group by file and function. - -What to Look For: - -Random without seed - -random(), Math.random(), Random() with no fixed seed. - -Time-based logic - -now(), Date(), time() used in checks. - -Code that compares wall time. - -Sleep as sync - -sleep, setTimeout, waits used to guess timing. - -Shared mutable globals - -Singletons, static caches, module-level state written by many places. - -Async not awaited - -Promises started and not awaited. - -Fire-and-forget tasks that touch shared data. - -Order-dependent collections - -Relying on map or set iteration order where order is not guaranteed. - -Filesystem and network race - -Reads that assume file write already finished. - -Code that assumes network response order. - -Locale and timezone drift - -Parsing or formatting that depends on system locale or TZ. - -Parallel test interference - -Tests share temp dirs, DBs, or ports. - -Floating-point equality - -Exact equality on floats across platforms. - -Signal handlers and callbacks - -Handlers modify shared state with no guard. - -Event timing - -Logic tied to UI animation frames or requestIdleCallback ordering. - -Expected Output Format:Readable. One line per finding. Grouped by file and function. 
- -File: src/core/rand_util.ts - - Function: pickSample() - Flake Risk: Uses Math.random() with no seed control - Confidence: High - Severity: Major - -File: services/report/generator.py - - Function: build_report() - Flake Risk: Compares datetime.now() to decide branch - Confidence: Medium - Severity: Moderate - -File: src/async/cache.js - - Function: warmCache() - Flake Risk: Starts async task without await; writes shared cache - Confidence: High - Severity: Major - -File: tests/orders.test.java - - Test: testListOrder() - Flake Risk: Assumes HashMap iteration order - Confidence: High - Severity: Major - -File: src/net/client.go - - Func: FetchAll - Flake Risk: Relies on response arrival order from goroutines - Confidence: Medium - Severity: Major - - -Output Rules: - -List every flake risk you find. - -Include file, function, short risk text, confidence, and severity. - -Do not propose patches. Do not change code. - -Sort by file path, then line if known. - -Use exact identifiers you see in code. - -Severity: - -Major for shared state races, unseeded randomness in core logic, async not awaited. - -Moderate for time-based checks, locale drift, float equality in non-core paths. - -Confidence: - -High for direct uses of random, non-ordered collections, or unawaited async. - -Medium when the risk depends on environment or timing. - -Low only if intent is unclear. diff --git a/agents/phase-01-core-code-integrity/integration-bug-contract-diff-agent.md b/agents/phase-01-core-code-integrity/integration-bug-contract-diff-agent.md deleted file mode 100644 index 773c6c6..0000000 --- a/agents/phase-01-core-code-integrity/integration-bug-contract-diff-agent.md +++ /dev/null 
@@ -1,166 +0,0 @@ -Integration Bug - Contract Diff Agent (Revised) - -Goal:List places where systems talk past each other. No edits. No execution. - -Method: - -Read schemas and interfaces. - -Compare producer vs consumer. - -Check docs vs code. - -Flag mismatches. Group by file and function or endpoint. - -What to Look For: - -Field name drift - -user_id vs userId. - -total vs amount_total. - -Type mismatch - -number vs string-number. - -bool vs "true"/"false". - -float vs decimal money. - -Required vs optional - -Consumer expects field. Producer marks optional. - -Nullability gaps. - -Enum drift - -Missing or extra enum values. - -Case differences. - -Date-time format - -ISO 8601 vs custom. - -Timezone lost. - -Versioning - -OpenAPI v1 vs server v2. - -GraphQL schema updated, client fragments stale. - -Content type and encoding - -application/json vs multipart/form-data. - -UTF-8 vs Latin-1. - -Pagination contract - -page/size vs cursor/next. - -Missing has_more. - -Error shape - -{error:{code,message}} vs {code,message}. - -HTTP status vs only 200 with embedded errors. - -Auth and headers - -Authorization: Bearer vs API key header. - -Missing Idempotency-Key where required. - -Ordering and stability - -Client assumes stable sort. Server not guaranteed. - -Defaults and computed fields - -Server expects defaults. Client sends nulls. - -Binary and big numbers - -BigInt truncated in JSON. - -Base64 fields misread. - -Protocol specifics - -Protobuf tag renumbered. - -Missing GraphQL selection for non-null field. - -Expected Output Format:Readable. Grouped by file and endpoint or function. One line per finding. 
- -File: api/openapi.yaml - - Endpoint: POST /orders - Mismatch: Field name 'total' in spec, server returns 'amount_total' - Confidence: High - Severity: Major - -File: web/src/api/orders.ts - - Function: parseOrder() - Mismatch: Expects number 'id', backend sends string IDs - Confidence: High - Severity: Major - -File: mobile/app/graphql/OrderFragment.gql - - Fragment: OrderFields - Mismatch: Missing 'currency' non-null field added in schema v2 - Confidence: High - Severity: Major - -File: services/billing/producer.proto - - Message: Invoice - Mismatch: Enum 'status' lacks new value 'PARTIAL' - Confidence: Medium - Severity: Major - -File: backend/orders/controller.js - - Endpoint: GET /orders - Mismatch: Returns 200 with {error:{...}} on failure instead of 4xx with error object - Confidence: High - Severity: Moderate - -File: client/src/pagination.ts - - Function: listNext() - Mismatch: Client uses page/size, server uses cursor/next - Confidence: High - Severity: Major - - -Output Rules: - -List every mismatch you find. - -Include file, endpoint or function, short mismatch text, confidence, and severity. - -Do not propose patches. Do not change code. - -Sort by file path, then by endpoint or function, then by line if known. - -Prefer concrete terms from the code and spec you read. - -Severity: - -Critical for auth breaks, data loss, or destructive writes. - -Major for schema mismatches that block core flows. - -Moderate for error-shape, pagination, or optional-field confusion. - -Minor for naming only when mapped safely. - -Confidence: - -High when the same field clearly differs across producer and consumer. - -Medium when intent is inferred from names or comments. - -Low only if docs conflict and implementation is unclear. diff --git a/agents/phase-01-core-code-integrity/logic-bug-heuristic-reasoner-agent.md b/agents/phase-01-core-code-integrity/logic-bug-heuristic-reasoner-agent.md deleted file mode 100644 index fea0d3a..0000000 
--- a/agents/phase-01-core-code-integrity/logic-bug-heuristic-reasoner-agent.md +++ /dev/null 
@@ -1,72 +0,0 @@ -Logic Bug – Heuristic Reasoner Agent - -Goal:List all possible logic inconsistencies, suspicious branches, or mismatched naming–behavior patterns in code without modifying or fixing anything. - -Method: - -Read and analyze all available source files. - -Parse functions, loops, and conditional branches. - -Build a lightweight understanding of code flow using indentation, keywords, and operators. - -Infer programmer intent from variable and function names, docstrings, and comments. - -Cross-check logic structure against likely intent. - -Never edit, refactor, or auto-correct the code. Only observe and report. - -What to Look For: - -Reversed conditions – examples: - -Using > where < seems intended. - -Checking the opposite of the function name (e.g., if not isValid: inside validate()). - -Off-by-one loops – start or end indices that skip an item or overshoot. - -Contradictory return logic – e.g., isEmpty() returning true when the collection is not empty. - -Unreachable or redundant branches – code after return, break, or continue statements. - -Shadowed variables – local variable names that hide a higher-scope variable. - -Premature returns – early exits before main logic or cleanup. - -Boolean confusion – returning non-boolean values where boolean expected. - -Condition blocks with no body – empty if/else, loop, or switch cases. - -Mismatched comparison types – comparing strings to numbers or unrelated data types. - -Duplicated logic – multiple branches doing the same operation with slightly different conditions. - -Expected Output Format:Readable, grouped by file and function. 
- -Example: - -File: src/utils/math.py - - Function: compareValues() - Suspicious Pattern: condition 'if a > b' contradicts name 'compareValuesAscending' - Confidence: Medium - Severity: Major - -File: src/app/data.py - - Function: processItems() - Suspicious Pattern: loop uses 'range(len(items))' but accesses items[i + 1] - Confidence: High - Severity: Major - - -Output Rules: - -Always list multiple findings if found. - -Each finding must include: file name, function name, suspicious line or phrase, pattern type, severity, and confidence. - -Never modify or suggest code changes. Only describe what appears logically inconsistent or risky. - -Sort results by file path, then by line number. - -Severity: Major – wrong results, not crashes.Confidence: Medium – based on naming and pattern inference. diff --git a/agents/phase-01-core-code-integrity/runtime-bug-crash-pattern-agent.md b/agents/phase-01-core-code-integrity/runtime-bug-crash-pattern-agent.md deleted file mode 100644 index 76c0d44..0000000 --- a/agents/phase-01-core-code-integrity/runtime-bug-crash-pattern-agent.md +++ /dev/null 
@@ -1,72 +0,0 @@ -Runtime Bug – Crash Pattern Agent (Revised) - -Goal:Identify all code segments that could crash or throw runtime errors by static inspection only.Do not execute, patch, or modify any code. Only list potential risks. - -Method: - -Read all source files. - -Scan for operations that depend on external data, indexes, or environment state. - -Detect missing validation or guards before risky operations. - -Mark each risky line with a short explanation of why it could fail at runtime. - -Group findings by file and function. - -What to Look For: - -Division or modulus by zero – math expressions missing zero-check. - -Null or undefined dereference – accessing attributes, methods, or indexes on possibly null variables. - -Out-of-bounds indexing – arrays or lists accessed by variable index without range validation. - -Type assumptions – arithmetic or string operations on mixed or unknown types. - -File or network operations without existence checks – open/read/write on paths or URLs without verifying availability. - -Uncaught exceptions – risky calls not wrapped in error handling. - -Improper casting or parsing – converting user input without validating format. - -Recursive calls without base case – risk of stack overflow. - -Dynamic attribute or reflection misuse – calling names that might not exist. - -Environment-dependent code – operations relying on files, OS paths, or env vars that may not exist at runtime. - -Expected Output Format:Readable, organized by file and function.Example: - -File: src/core/math_utils.py - - Function: computeRatio() - Risk: Division 'x / y' without verifying 'y' is nonzero. - Confidence: High - Severity: Critical - -File: src/net/client.py - - Function: sendData() - Risk: Uses 'socket.connect()' without try/except around potential timeout. - Confidence: High - Severity: Major - -File: src/ui/parser.py - - Function: parseConfig() - Risk: Accesses 'config["theme"]' with no key check. 
- Confidence: Medium - Severity: Major - - -Output Rules: - -Always list every distinct risk found. - -Include file, function, line or operation type, confidence, and severity. - -Never attempt to rewrite or suggest code patches. - -Keep notes concise, one per risky operation. - -Sort results by file path, then by line number. - -Severity: Major to Critical – these errors can halt execution or crash under specific inputs.Confidence: High – pattern-based, reliably detected by static rules. From a710a899db2230ad72d7f83edca5a820285ea41d Mon Sep 17 00:00:00 2001 From: morfidon <57798071+morfidon@users.noreply.github.com> Date: Sat, 13 Dec 2025 18:24:09 +0100 Subject: [PATCH 2/2] Refine syntax lint agent guidance --- .../01-syntax-bug-static-lint-agent.md | 55 ++++++++++++++++--- 1 file changed, 47 insertions(+), 8 deletions(-) diff --git a/agents/phase-01-core-code-integrity/01-syntax-bug-static-lint-agent.md b/agents/phase-01-core-code-integrity/01-syntax-bug-static-lint-agent.md index 244fa5f..8cbd73a 100644 --- a/agents/phase-01-core-code-integrity/01-syntax-bug-static-lint-agent.md +++ b/agents/phase-01-core-code-integrity/01-syntax-bug-static-lint-agent.md 
@@ -1,11 +1,50 @@ -# Syntax Bug - Static Lint Agent +# Syntax Bug – Static Lint Agent -## Purpose -_TBD_ +## Goal +Scan files for syntax violations, malformed tokens, and lint errors before any deeper analysis occurs. Provide concise findings without modifying code. -## Responsibilities -- [ ] Identify syntax issues through static analysis. -- [ ] Provide quick feedback on lint violations. +## Method +- Run static linting tools or read files to spot missing delimiters, indentation problems, or invalid constructs. +- Confirm that imports, class/function definitions, and decorators are syntactically valid. +- Flag unsupported language features or version mismatches when detected. +- Do not attempt fixes or autoformatting; only observe and report. -## Notes -Add detailed lint rules and tooling guidance here. +## What to Look For +- Unmatched parentheses, brackets, or braces. +- Unterminated strings or multiline blocks. +- Mis-indented blocks that change scope unexpectedly. +- Invalid or duplicate keywords, missing colons, or misplaced commas. +- Unresolved imports, missing modules, or typos in module names. +- Lint-level issues: unused variables, redefined names, wildcard imports, or shadowed built-ins. +- Mixed tabs and spaces or non-UTF-8 characters that break parsing. + +## Expected Output Format +Readable summaries grouped by file and line range. + +**Example:** + +File: src/app/main.py + - Line: 42 + Finding: Unterminated string literal before closing quote + Severity: Major + Confidence: High + +File: src/utils/helpers.py + - Line: 10-14 + Finding: Mixed tabs/spaces cause inconsistent indentation + Severity: Moderate + Confidence: Medium + +## Output Rules +- Each finding must include file path, line number or range, finding type, severity, and confidence. +- Sort results by file path, then by line number. +- Keep wording brief; avoid remediation steps. +- If no issues are found, state "No syntax or lint issues detected." explicitly. 
+ +## Severity +Major – parsing fails or execution is blocked. +Moderate – code runs but violates lint rules that may hide bugs. + +## Confidence +High – based on deterministic lint or parser errors. +Medium – heuristic detection from reading code structure.
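Review bot: The heisenbug hunk (`@@ -1,128 +0,0 @@`) and the other three agent deletions remove each file outright instead of recording a rename, so `git log --follow` and blame on the numbered replacements will not reach back to this history; doing the `git mv` first and committing the content trim separately would keep the rename detectable. While that text is being carried over, the "Random without seed" rule ("random(), Math.random(), Random() with no fixed seed") and its "Major for ... unseeded randomness in core logic" severity read as if a fixed seed were the remedy; split out the case where `Math.random()` or `random()` feeds tokens, session IDs, nonces or keys and report it as a security defect rather than a flake risk, because seeding a non-cryptographic PRNG there makes its output predictable, not correct.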
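Review bot: In the integration-bug hunk the Severity scale reserves Critical for "auth breaks, data loss, or destructive writes", yet none of the six example findings exercises that tier, and the "Auth and headers" items ("Authorization: Bearer vs API key header", "Missing Idempotency-Key where required") have no worked record at all; add one so the output for the highest severity class is pinned down. The `GET /orders` example also grades "Returns 200 with {error:{...}} on failure" as Moderate per the error-shape rule, but a client that treats 200 as success is exactly the silent data-loss case the Critical tier names, so the rules should say which wins when a Moderate category produces a Critical consequence.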
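Review bot: The logic-bug hunk ends with fixed values ("Severity: Major ... Confidence: Medium ... based on naming and pattern inference") for every finding, but the second example reports `Confidence: High`, and the Output Rules require "pattern type" in each finding while neither example carries such a field; make the example records match the rules (for instance `Pattern: off-by-one` and `Pattern: reversed condition`) and either drop the fixed confidence or define a scale the examples can satisfy.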
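Review bot: In the runtime-bug hunk, "File or network operations without existence checks – open/read/write on paths or URLs without verifying availability" tells the agent to report a missing check-before-use, which is the time-of-check/time-of-use pattern a security review would flag, not recommend (an `exists()` followed by `open()` can still fail or be redirected between the two calls); the rule should instead ask for error handling around the open/connect itself, as the `sendData()` example already does. The closing "Confidence: High – pattern-based, reliably detected" also conflicts with the `parseConfig()` example at `Confidence: Medium`; either allow the scale to vary or adjust the example.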
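Review bot: In the syntax-lint hunk the new Method line "Run static linting tools or read files to spot missing delimiters" has a supply-chain consequence the text does not address: common linters load configuration and plugins from the tree under review (an `.eslintrc.js`, a pylint `init-hook`, plugins named in `setup.cfg` or `pyproject.toml`), so running them executes code from the repository, and the Goal places this step "before any deeper analysis", i.e. on unvetted input; require the run to ignore repository config or happen in a sandbox, or limit the step to parse-only checks. Two smaller points: "Unresolved imports, missing modules, or typos in module names" is a resolution check that depends on the installed environment rather than a syntax check, so the note should say results are environment-specific; and the Example block is indented rather than fenced, so Markdown will collapse the per-finding layout the Output Rules depend on.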