Merge remote-tracking branch 'origin/main' into worktree-20260321-161319

# Conflicts:
#	.tickets/.index.json

Author: JoeOakhartNava

.tickets/.index.json

@@ -0,0 +1,85 @@
+---
+id: dso-5ooy
+status: open
+deps: [w21-ykic, w21-ovpn]
+links: []
+created: 2026-03-21T23:27:40Z
+type: epic
+priority: 2
+assignee: Joe Oakhart
+---
+# Conditional Security & Performance Review Overlays
+
+
+## Notes
+
+<!-- note-id: k3xxzh2r -->
+<!-- timestamp: 2026-03-21T23:28:18Z -->
+<!-- origin: agent -->
+<!-- sync: unsynced -->
+
+
+## Context
+
+Security and performance concerns cut across all review dimensions but don't belong as permanent sub-criteria in every review — they waste tokens on changes with no security/performance surface. This epic adds conditional review overlays that trigger only when the classifier detects relevant signals, orthogonal to the tier system (any tier can trigger an overlay).
+
+## Brainstorm Research (to be resumed)
+
+### Architecture Decision
+- Security and performance reviews are **conditional overlays**, not permanent dimensions
+- Triggered by classifier signals alongside tier routing: classifier emits trigger flags (security_review: true, performance_review: true)
+- Any tier level can trigger an overlay — a Light tier change touching auth still gets security review
+- Each overlay has its own dedicated reviewer agent, checklist, and findings that merge into reviewer-findings.json
+
+### Security Review Triggers (proposed)
+- Code that touches external integrations
+- Code that touches data layer
+- Authentication or authorization code
+- Encryption-related code
+
+### Security Review Criteria (from research)
+Source: Anthropic claude-code-security-review (OWASP-aligned)
+- Injection attacks: SQL, command, LDAP, XPath, NoSQL, XXE
+- Authentication & authorization: broken auth, privilege escalation, insecure direct object references, auth bypass, session flaws
+- Data exposure: hardcoded secrets, sensitive data logging, information disclosure, PII handling violations
+- Cryptographic issues: weak algorithms, improper key management, insecure RNG
+- Input validation: missing validation, improper sanitization, buffer overflows
+- Business logic flaws: race conditions, TOCTOU (time-of-check-time-of-use)
+- Configuration security: insecure defaults, missing security headers, permissive CORS
+- Supply chain: vulnerable dependencies, typosquatting
+- Code execution: RCE via deserialization, pickle injection, eval injection
+- XSS: reflected, stored, DOM-based
+- Error message information leakage (OWASP): errors that reveal internal state
+
+### Performance Review Triggers (proposed)
+- Any operation more expensive than O(n)
+- Code that touches infrastructure
+- Code that touches data layer
+- Future enhancement: trigger on spike in test runtime or application latency in E2E testing (needs friction-free way to surface this data)
+
+### Performance Review Criteria (from research)
+- N+1 query problems
+- Nested loops over large datasets
+- Inefficient algorithms or database queries
+- Memory usage patterns and potential leaks
+- Bundle size and optimization opportunities
+- Sequential I/O where parallel is possible (AI-specific)
+- Image optimization
+
+### Integration Architecture (to be designed)
+Pipeline becomes: classifier → tier + overlay triggers → dispatch tier reviewer(s) + overlay reviewer(s) → merged findings → resolution loop
+- Overlay reviewers need own agent definitions and checklists
+- Findings merge into same reviewer-findings.json and scoring
+- Classifier/dispatch changes needed to trigger overlays
+- Performance runtime trigger (pytest --durations baseline comparison) deferred as future enhancement to avoid friction
+
+### Open Questions
+- Exact classifier signal thresholds for triggering overlays
+- Whether overlays should have their own severity scale or use the existing critical/important/minor
+- How overlay findings interact with the autonomous resolution loop
+- Whether the security overlay replaces or supplements the existing dso-0wi2 sensitive-info security review
+
+## Dependencies
+- w21-ykic (Tiered Review Architecture): requires classifier infrastructure to add overlay trigger signals
+- w21-ovpn (Review Intelligence & Precision): requires enriched checklist architecture (reviewer-delta files, confidence scoring, false-positive filters)
+

.tickets/dso-5ooy.md

@@ -0,0 +1,51 @@
+---
+id: dso-6x8o
+status: open
+deps: []
+links: []
+created: 2026-03-22T00:00:28Z
+type: bug
+priority: 1
+assignee: Joe Oakhart
+---
+# Bug: record-test-status.sh allows re-recording with stale test results — hash updated without re-running tests
+
+
+## Notes
+
+<!-- note-id: mw0cb2ez -->
+<!-- timestamp: 2026-03-22T00:00:47Z -->
+<!-- origin: agent -->
+<!-- sync: unsynced -->
+
+
+## Observed Behavior
+
+During the commit workflow, the orchestrator:
+1. Ran tests and recorded test-gate-status (hash A)
+2. Made code changes during the review resolution loop (code changed, hash now B)
+3. Called record-test-status.sh again — it computed the new hash B and wrote 'passed' WITHOUT re-running the tests
+4. The commit proceeded with hash B in test-gate-status, but the tests were only validated against hash A
+
+This means record-test-status.sh trusts whatever the current diff hash is and stamps it as 'passed' based on a single test run, even if the code has changed since that run. The test gate checks that the hash matches, but it doesn't verify that the tests were actually run against the current hash.
+
+## Root Cause
+
+record-test-status.sh computes the current diff hash and writes it to test-gate-status with 'passed', but it does not compare the new hash against the hash from the actual test execution. If called after code changes (e.g., review fixes), it re-stamps without re-running.
+
+## Expected Behavior
+
+record-test-status.sh should either:
+(a) Always re-run the associated tests before writing 'passed' (current behavior runs tests, but if called a second time after code changes, it should detect the hash mismatch and re-run), OR
+(b) Track the hash at the time tests were run and refuse to write a new hash unless tests are re-executed
+
+## Impact
+
+The test gate can be satisfied without tests covering the actual committed code. This undermines the two-layer defense-in-depth: the gate checks hash consistency, but the recording step doesn't enforce test-to-hash correspondence on re-invocation.
+
+## Reproduction
+
+1. Stage files, run record-test-status.sh (records hash A)
+2. Edit a staged file (hash changes to B)
+3. Run record-test-status.sh again (records hash B with 'passed' — no tests re-run if the associated test files haven't changed)
+

.tickets/dso-6x8o.md

@@ -0,0 +1,37 @@
+---
+id: dso-b538
+status: open
+deps: [dso-bxng]
+links: []
+created: 2026-03-21T23:20:14Z
+type: story
+priority: 2
+assignee: Joe Oakhart
+parent: w21-ovpn
+---
+# As a DSO practitioner, the Deep Sonnet C reviewer applies deep hygiene, design, and maintainability checks
+
+
+## Notes
+
+<!-- note-id: qbufm2gh -->
+<!-- timestamp: 2026-03-21T23:21:29Z -->
+<!-- origin: agent -->
+<!-- sync: unsynced -->
+
+
+## Description
+
+**What**: Create the reviewer-delta-deep-hygiene-design-maint.md checklist for the Deep tier Sonnet C (hygiene + design + maintainability specialist) reviewer.
+
+**Why**: Deep tier reviews high-complexity changes. Sonnet C owns three structural dimensions — the qualities that prevent long-term codebase decay. No ticket context needed because structural quality is ticket-independent.
+
+## Acceptance Criteria
+
+- When this story is complete, reviewer-delta-deep-hygiene-design-maint.md includes all Standard hygiene/design/maintainability criteria plus:
+  - Flag functions where branching depth suggests extraction opportunities
+  - Evaluate whether new abstractions follow single responsibility
+  - Flag in-place mutation of shared data structures when immutable patterns are established in surrounding code
+- When this story is complete, the checklist includes no ticket context instructions (structural quality is ticket-independent)
+- When this story is complete, build-review-agents.sh regenerates the deep hygiene/design/maintainability reviewer agent successfully
+

.tickets/dso-b538.md

@@ -0,0 +1,40 @@
+---
+id: dso-b7nb
+status: open
+deps: [dso-bxng]
+links: []
+created: 2026-03-21T23:20:11Z
+type: story
+priority: 2
+assignee: Joe Oakhart
+parent: w21-ovpn
+---
+# As a DSO practitioner, the Deep Sonnet A reviewer applies deep correctness checks with acceptance criteria validation
+
+
+## Notes
+
+<!-- note-id: 6sefb1v1 -->
+<!-- timestamp: 2026-03-21T23:21:18Z -->
+<!-- origin: agent -->
+<!-- sync: unsynced -->
+
+
+## Description
+
+**What**: Create the reviewer-delta-deep-correctness.md checklist for the Deep tier Sonnet A (correctness specialist) reviewer.
+
+**Why**: Deep tier reviews high-complexity changes (classifier score 7+). Sonnet A owns correctness with full ticket context, enabling acceptance criteria validation that other reviewers can't perform.
+
+## Acceptance Criteria
+
+- When this story is complete, reviewer-delta-deep-correctness.md includes all Standard correctness criteria plus:
+  - Acceptance criteria validation against ticket (when ticket context available)
+  - Deeper edge-case analysis with explicit escape hatch: if code handles edge cases adequately, state so — do not manufacture findings
+  - Inaccurate naming elevated from minor to important severity (name implies different behavior than implementation)
+- When this story is complete, the checklist includes ticket context instructions: use full ticket (minus verbose status update notes) when available; do not block on missing ticket context
+- When this story is complete, build-review-agents.sh regenerates the deep correctness reviewer agent successfully
+
+## Constraints
+- Must reference Standard checklist criteria by inclusion, not duplication — the build process composes base + standard + deep-correctness
+

.tickets/dso-b7nb.md

@@ -0,0 +1,46 @@
+---
+id: dso-boct
+status: open
+deps: []
+links: []
+created: 2026-03-21T23:20:00Z
+type: story
+priority: 2
+assignee: Joe Oakhart
+parent: w21-ovpn
+---
+# As a DSO practitioner, the Light tier haiku reviewer applies a focused 6-item checklist to low-complexity changes
+
+
+## Notes
+
+<!-- note-id: t9c2dk6q -->
+<!-- timestamp: 2026-03-21T23:20:49Z -->
+<!-- origin: agent -->
+<!-- sync: unsynced -->
+
+
+## Description
+
+**What**: Create the reviewer-delta-light.md checklist for the Light tier haiku reviewer with exactly 6 high-signal items.
+
+**Why**: Light tier reviews low-complexity changes (classifier score 0-2). Haiku has limited context budget — the checklist must focus on what delivers value for small changes without codebase research.
+
+## Acceptance Criteria
+
+- When this story is complete, reviewer-delta-light.md contains exactly 6 checklist items:
+  1. Silent failures: swallowed exceptions, empty catch blocks
+  2. Tolerance/assertion weakening: changes that relax existing validation
+  3. Test-code correspondence: production change without test change in same diff (binary check)
+  4. Type system escape hatches: Any/any/interface{} without justifying comment
+  5. Dead code introduced in the diff: unused imports, unreachable branches
+  6. Non-descriptive names in the diff: single letters, generic words (data, temp, result, process, handle)
+- When this story is complete, the checklist includes no codebase research instructions (no Grep/Read)
+- When this story is complete, the checklist includes no similarity pipeline or ticket context references
+- When this story is complete, the checklist includes escape hatch language: if no issues found, state so explicitly rather than manufacturing findings
+- When this story is complete, build-review-agents.sh regenerates the light reviewer agent successfully
+
+## Constraints
+- No codebase research tools — haiku doesn't have the context budget
+- Items must be evaluable from the diff alone
+

.tickets/dso-boct.md

@@ -0,0 +1,44 @@
+---
+id: dso-bxng
+status: open
+deps: []
+links: []
+created: 2026-03-21T23:20:06Z
+type: story
+priority: 2
+assignee: Joe Oakhart
+parent: w21-ovpn
+---
+# As a DSO practitioner, the Standard tier sonnet reviewer applies full 5-dimension checklists with researched sub-criteria
+
+
+## Notes
+
+<!-- note-id: 2k8hj2b0 -->
+<!-- timestamp: 2026-03-21T23:21:05Z -->
+<!-- origin: agent -->
+<!-- sync: unsynced -->
+
+
+## Description
+
+**What**: Create the reviewer-delta-standard.md checklist for the Standard tier sonnet reviewer with full 5-dimension coverage and researched sub-criteria.
+
+**Why**: Standard tier handles ~30-40% of reviews. This is the most common reviewer and needs comprehensive criteria across all dimensions. Condensed ticket context reduces false positives without exhausting context budget.
+
+## Acceptance Criteria
+
+- When this story is complete, reviewer-delta-standard.md contains sub-criteria for all 5 dimensions:
+  - Correctness: edge cases/failure states with escape hatch, race conditions in async operations, silent failures, tolerance/assertion weakening, over-engineering/YAGNI
+  - Verification: behavior-driven not implementation-driven tests, test-code correspondence in same changeset, assertion quality (meaningful vs trivial), arrange-act-assert structure, test smells (naming, fixture bloat)
+  - Hygiene: type system escape hatches without justification, nesting depth >2 levels (suggest early returns/extraction), dead code, suppression scrutiny (noqa/type:ignore with justifying comments), explicit exclusion of linter-catchable issues
+  - Design: SOLID adherence, architectural pattern adherence, correct file/folder placement, Rule of Three duplication via similarity pipeline, coupling/dependency direction, reuse of existing utilities
+  - Maintainability: codebase consistency (local patterns — error handling style, return type patterns, abstraction level — not linter rules), clear and accurate naming (non-descriptive AND inaccurate), comments explain why not what, doc correspondence for public interface changes (minor severity — only when specific existing doc artifact is stale)
+- When this story is complete, the checklist includes anti-shortcut distribution: noqa/type:ignore -> hygiene, skipped tests -> verification, tolerances/assertions -> correctness
+- When this story is complete, consolidation findings are severity=minor with orchestrator ticket creation
+- When this story is complete, the checklist includes ticket context instructions: use condensed summary (title + acceptance criteria) when available; do not block on missing ticket context
+- When this story is complete, build-review-agents.sh regenerates the standard reviewer agent successfully
+
+## Research Sources
+Google engineering practices, OWASP, test smell literature, 5 Claude Code review plugins (Anthropic official, Claude Command Suite, claude-code-skills, claude-code-showcase, wshobson commands)
+

.tickets/dso-bxng.md

@@ -0,0 +1,41 @@
+---
+id: dso-gfry
+status: open
+deps: [dso-bxng]
+links: []
+created: 2026-03-21T23:20:12Z
+type: story
+priority: 2
+assignee: Joe Oakhart
+parent: w21-ovpn
+---
+# As a DSO practitioner, the Deep Sonnet B reviewer applies deep verification checks evaluating test quality and coverage
+
+
+## Notes
+
+<!-- note-id: 5t4zz04f -->
+<!-- timestamp: 2026-03-21T23:21:24Z -->
+<!-- origin: agent -->
+<!-- sync: unsynced -->
+
+
+## Description
+
+**What**: Create the reviewer-delta-deep-verification.md checklist for the Deep tier Sonnet B (verification specialist) reviewer.
+
+**Why**: Deep tier reviews high-complexity changes. Sonnet B owns verification — evaluating whether the test suite is trustworthy and covers the right behaviors. It does not identify edge cases itself; it evaluates test coverage of edge cases present in the code.
+
+## Acceptance Criteria
+
+- When this story is complete, reviewer-delta-deep-verification.md includes all Standard verification criteria plus:
+  - Test as documentation: can someone read the test and understand the intended behavior?
+  - Test isolation evaluation: are tests independent or do they depend on shared state/execution order?
+- When this story is complete, the checklist explicitly states: does not identify edge cases — evaluates whether test suite covers edge cases present in the code
+- When this story is complete, the checklist includes no ticket context instructions (verification is code-observable)
+- When this story is complete, build-review-agents.sh regenerates the deep verification reviewer agent successfully
+
+## Scope Boundary
+- This story owns checklist criteria for how the reviewer evaluates test quality in the diff
+- dso-ppwp owns pre-commit test gate enforcement that blocks commits when tests haven't been run
+

.tickets/dso-gfry.md

@@ -0,0 +1,47 @@
+---
+id: dso-jf62
+status: open
+deps: [dso-b7nb, dso-gfry, dso-b538]
+links: []
+created: 2026-03-21T23:20:18Z
+type: story
+priority: 2
+assignee: Joe Oakhart
+parent: w21-ovpn
+---
+# As a DSO practitioner, the Deep Opus architectural reviewer applies cross-cutting synthesis checks across all specialist findings
+
+
+## Notes
+
+<!-- note-id: 62cayy1f -->
+<!-- timestamp: 2026-03-21T23:21:40Z -->
+<!-- origin: agent -->
+<!-- sync: unsynced -->
+
+
+## Description
+
+**What**: Create the reviewer-delta-deep-architectural.md checklist for the Deep tier Opus (architectural synthesis) reviewer.
+
+**Why**: The opus reviewer is the only agent that sees all 3 specialists' findings plus the full diff plus full ticket context. Its job is cross-cutting synthesis — identifying patterns and risks that no single specialist can see.
+
+## Acceptance Criteria
+
+- When this story is complete, reviewer-delta-deep-architectural.md includes these cross-cutting checks:
+  - Cross-cutting coherence: resolve contradictions between specialist findings
+  - Untested edge cases: cross-reference Sonnet A edge cases against Sonnet B test coverage findings
+  - Architectural boundary shifts: logic/validation/data moving between layers
+  - Pattern divergence: new approach to something the codebase already has a pattern for
+  - Acceptance criteria completeness: does the change fulfill what the ticket asked for?
+  - Unrelated scope: flag changes that include modifications unrelated to the stated ticket objective
+  - Regression awareness: repeated patches to same area suggesting deeper issue (via targeted git blame)
+  - Root cause vs. symptom: does the fix address the underlying cause or just the visible symptom?
+- When this story is complete, the checklist includes instructions for self-directed git history investigation (opus runs targeted git blame/log based on findings — no orchestrator pre-gathering)
+- When this story is complete, the checklist includes ticket context instructions: use full ticket (minus verbose status update notes) when available; do not block on missing ticket context
+- When this story is complete, build-review-agents.sh regenerates the deep architectural reviewer agent successfully
+
+## Constraints
+- This reviewer does not duplicate specialist checks — it synthesizes across them
+- Git history investigation is self-directed and targeted, not exhaustive
+