From 69fb28b57ca884a6205ad93c4b30c1718fdded69 Mon Sep 17 00:00:00 2001 From: "[._.]/ Adam Eivy" Date: Mon, 1 Jun 2026 13:07:39 -0700 Subject: [PATCH 1/2] fix: warn against piping prompts into agy/claude -p in local review loop agy -p (--print) reads the prompt from its positional argument, not stdin. The loop docs already used the argument form, but nothing forbade stdin, so the orchestrator sometimes ran 'echo $PROMPT | agy -p' (or 'agy -p < file'), hit 'agy --print takes the prompt as an argument, not stdin', and burned a second invocation re-running it correctly. Add an explicit guardrail in the invocation table note and the agy flag rationale. --- .changelogs/NEXT.md | 11 +++++++++++ lib/local-agent-review-loop.md | 4 +++- 2 files changed, 14 insertions(+), 1 deletion(-) create mode 100644 .changelogs/NEXT.md diff --git a/.changelogs/NEXT.md b/.changelogs/NEXT.md new file mode 100644 index 0000000..4f1db03 --- /dev/null +++ b/.changelogs/NEXT.md @@ -0,0 +1,11 @@ +# Unreleased Changes + +## Added + +## Changed + +## Fixed + +- **Local-agent review loop: documented that `agy`/`claude` reviewers take the prompt as an argument, never via stdin.** Added an explicit guardrail to `lib/local-agent-review-loop.md` so the orchestrator passes `"$LOCAL_PROMPT"` as the positional argument to `-p` and never pipes it (`echo … | agy -p`, `agy -p < file`). Piping makes `agy` exit with `agy --print takes the prompt as an argument, not stdin`, which previously forced a wasted second invocation. The `> "$LOG_FILE"` redirect captures the reviewer's output and is unrelated to how the prompt goes in. + +## Removed diff --git a/lib/local-agent-review-loop.md b/lib/local-agent-review-loop.md index fd8b619..52cee6b 100644 --- a/lib/local-agent-review-loop.md +++ b/lib/local-agent-review-loop.md @@ -98,6 +98,8 @@ Pick the invocation based on `{REVIEW_AGENT}` and `{REVIEWER_APPLIES}`: For `claude` and `agy`, the same `$LOCAL_PROMPT` drives both modes — it already encodes the mode via the suffix override that branches on `$REVIEWER_APPLIES` above. The CLI's behavior changes because do:review's body sees a different override. For `codex`, the invocation itself swaps because `codex review` (review-only) and `codex exec` (apply-fixes) are different subcommands with incompatible flag sets. +> **Pass the prompt as a positional argument — never via stdin.** Both `claude -p` and `agy -p` (`--print`) take the prompt as the argument directly after the flag: `agy --dangerously-skip-permissions -p "$LOCAL_PROMPT"`. They do **not** read the prompt from stdin. Do NOT write `echo "$LOCAL_PROMPT" | agy --dangerously-skip-permissions -p`, `agy -p < prompt.txt`, or `printf … | agy -p` — agy ignores piped stdin and exits with `agy --print takes the prompt as an argument, not stdin`, forcing a wasted second invocation. The `> "$LOG_FILE" 2>&1` redirect in Step 2 captures the reviewer's *output*; it is unrelated to how the prompt goes in. Keep `"$LOCAL_PROMPT"` as the quoted argument to `-p` exactly as shown in the invocation table. + Notes on each invocation: - **claude / agy** call slashdo's installed review command (`/do:review` under claude, `/do-review` under agy — `$REVIEW_CMD` resolved in pre-flight). Under Claude Code the `claude` reviewer is a sub-agent that invokes the `do:review` skill in-process (the prompt content is identical to `$LOCAL_PROMPT`), rather than a `claude -p` subprocess. In `REVIEWER_APPLIES=true` mode, the suffix overrides two of do:review's defaults: switch the commit message to `address review (): ` where `` is the reviewing CLI's slug — `claude` or `agy` here (instead of `do:review`'s current default `address review (self): `) and skip the auto-push (the orchestrating agent will verify and push). The parenthesized agent name records which reviewer surfaced the finding, which is useful when scanning the log of a release that ran multiple reviewers. In `REVIEWER_APPLIES=false` mode, the suffix instead instructs do:review to skip its Fix/Convention/PR-Comment phases and emit findings to stdout in a structured format the orchestrator can parse — the orchestrator then commits the fixes using the same `address review (): ` form to preserve attribution. - **codex (review-only)** uses the built-in `codex review` subcommand with the **base-branch review target**, which reviews the full diff from `$BASE_BRANCH` to `HEAD`. The three review targets — `--uncommitted`, `--commit `, and `--base ` — are mutually exclusive (per `codex review --help` and confirmed by `error: the argument '--commit ' cannot be used with: --base `). The positional `[PROMPT]` is *also* mutually exclusive with `--base` (`error: the argument '--base ' cannot be used with: [PROMPT]`), so per-invocation overrides cannot be passed this way — the orchestrating agent applies the fixes itself per step 3. The top-level `--sandbox danger-full-access` flag (before the `review` subcommand) is required so codex can read the working tree and run git: under codex's default sandbox those operations are blocked and `codex review` produces no usable findings. Like `-a`, `--sandbox` is a top-level option and MUST precede `review`. @@ -108,7 +110,7 @@ Flag rationale (reckless / unattended mode): - `codex review` — already non-interactive by design (per `codex review --help`: "Run a code review non-interactively"). Do NOT pass `-a` / `--approval`; the `codex review` subcommand does not accept it and will reject the flag. Also do NOT combine `--commit ` with `--base ` or with a positional `[PROMPT]` — codex enforces mutual exclusion across review targets and prompt mode, and the loop would exit with code 2 before any review work runs. - `codex --sandbox danger-full-access -a never exec` — `-a never` is a top-level Codex flag (never ask for approval; auto-approves all proposed actions). It MUST precede the `exec` subcommand; the `exec` subcommand's own parser does not accept `-a` and `codex exec -a never ...` exits 2 (`error: unexpected argument '-a' found`). Used in the reviewer-applies path alongside the top-level `--sandbox danger-full-access` flag (see below); `codex review` rejects `-a` entirely. - `codex --sandbox danger-full-access` — top-level sandbox-policy flag, used on BOTH codex invocations (it precedes the `review` / `exec` subcommand). Codex's default sandbox (`workspace-write`) blocks network and restricts command execution, so without this flag `codex review` can't reliably read the tree / run git and the apply path can't run build, tests, or network ops. PortOS-style hosts run on a trusted single-user machine, so full access is the intended posture (mirrors `claude --dangerously-skip-permissions` / `agy --dangerously-skip-permissions`). `--sandbox` and `-a` are independent top-level flags and may be combined (`codex --sandbox danger-full-access -a never exec …`). -- `agy --dangerously-skip-permissions` — auto-approves all tool permission requests so the Antigravity CLI runs unattended (the headless equivalent of confirming every prompt). This is the agy successor to the Gemini CLI's `gemini --yolo` + `env GEMINI_SANDBOX=false`: agy folds both "auto-approve tools" and "no sandbox gate" into the single `--dangerously-skip-permissions` flag, and runs the prompt non-interactively via `-p`. Unlike the old gemini invocation, no `env VAR=…` prefix is needed, so it composes cleanly with the `timeout 1800 {INVOCATION}` wrapper at step 2 of the loop. +- `agy --dangerously-skip-permissions` — auto-approves all tool permission requests so the Antigravity CLI runs unattended (the headless equivalent of confirming every prompt). This is the agy successor to the Gemini CLI's `gemini --yolo` + `env GEMINI_SANDBOX=false`: agy folds both "auto-approve tools" and "no sandbox gate" into the single `--dangerously-skip-permissions` flag, and runs the prompt non-interactively via `-p` — which takes the prompt as its positional argument (`agy … -p "$LOCAL_PROMPT"`), **not** from stdin. Piping into `agy -p` (e.g. `echo … | agy -p`) fails with `agy --print takes the prompt as an argument, not stdin` and wastes an invocation; always pass the quoted prompt as the argument. Unlike the old gemini invocation, no `env VAR=…` prefix is needed, so it composes cleanly with the `timeout 1800 {INVOCATION}` wrapper at step 2 of the loop. Because these flags grant the headless CLI full unattended write access to the working tree — and the Claude-Code sub-agent likewise shares this working tree — the verify step in this loop (build + tests + diff inspection by the main thread) is mandatory and non-skippable — it is the only line of defense between the reviewing agent's output and the remote branch. This applies in *both* editing modes: in review-only mode the orchestrator's own fixes are still verified before push, because the orchestrator may misread the CLI's findings or introduce its own regressions. From 16ff39f2273958c3ae749ae815eaf2c35d173900 Mon Sep 17 00:00:00 2001 From: "[._.]/ Adam Eivy" Date: Mon, 1 Jun 2026 13:09:55 -0700 Subject: [PATCH 2/2] chore: release v3.4.3 --- .changelogs/{NEXT.md => v3.4.3.md} | 12 ++++++------ package.json | 2 +- 2 files changed, 7 insertions(+), 7 deletions(-) rename .changelogs/{NEXT.md => v3.4.3.md} (79%) diff --git a/.changelogs/NEXT.md b/.changelogs/v3.4.3.md similarity index 79% rename from .changelogs/NEXT.md rename to .changelogs/v3.4.3.md index 4f1db03..7172243 100644 --- a/.changelogs/NEXT.md +++ b/.changelogs/v3.4.3.md @@ -1,11 +1,11 @@ -# Unreleased Changes +# Release v3.4.3 -## Added +Released: 2026-06-01 -## Changed - -## Fixed +## Bug Fixes - **Local-agent review loop: documented that `agy`/`claude` reviewers take the prompt as an argument, never via stdin.** Added an explicit guardrail to `lib/local-agent-review-loop.md` so the orchestrator passes `"$LOCAL_PROMPT"` as the positional argument to `-p` and never pipes it (`echo … | agy -p`, `agy -p < file`). Piping makes `agy` exit with `agy --print takes the prompt as an argument, not stdin`, which previously forced a wasted second invocation. The `> "$LOG_FILE"` redirect captures the reviewer's output and is unrelated to how the prompt goes in. -## Removed +## Full Changelog + +**Full Diff**: https://github.com/atomantic/slashdo/compare/v3.4.2...v3.4.3 diff --git a/package.json b/package.json index 76066c3..b015b47 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "slash-do", - "version": "3.4.2", + "version": "3.4.3", "description": "Curated slash commands for AI coding assistants — Claude Code, OpenCode, Antigravity CLI, and Codex", "author": "Adam Eivy ", "license": "MIT",