Release v3.4.3

.changelogs/v3.4.3.md

@@ -0,0 +1,11 @@
+# Release v3.4.3
+
+Released: 2026-06-01
+
+## Bug Fixes
+
+- **Local-agent review loop: documented that `agy`/`claude` reviewers take the prompt as an argument, never via stdin.** Added an explicit guardrail to `lib/local-agent-review-loop.md` so the orchestrator passes `"$LOCAL_PROMPT"` as the positional argument to `-p` and never pipes it (`echo … | agy -p`, `agy -p < file`). Piping makes `agy` exit with `agy --print takes the prompt as an argument, not stdin`, which previously forced a wasted second invocation. The `> "$LOG_FILE"` redirect captures the reviewer's output and is unrelated to how the prompt goes in.
+
+## Full Changelog
+
+**Full Diff**: https://github.com/atomantic/slashdo/compare/v3.4.2...v3.4.3

lib/local-agent-review-loop.md

@@ -98,6 +98,8 @@ Pick the invocation based on `{REVIEW_AGENT}` and `{REVIEWER_APPLIES}`:
 
 For `claude` and `agy`, the same `$LOCAL_PROMPT` drives both modes — it already encodes the mode via the suffix override that branches on `$REVIEWER_APPLIES` above. The CLI's behavior changes because do:review's body sees a different override. For `codex`, the invocation itself swaps because `codex review` (review-only) and `codex exec` (apply-fixes) are different subcommands with incompatible flag sets.
 
+> **Pass the prompt as a positional argument — never via stdin.** Both `claude -p` and `agy -p` (`--print`) take the prompt as the argument directly after the flag: `agy --dangerously-skip-permissions -p "$LOCAL_PROMPT"`. They do **not** read the prompt from stdin. Do NOT write `echo "$LOCAL_PROMPT" | agy --dangerously-skip-permissions -p`, `agy -p < prompt.txt`, or `printf … | agy -p` — agy ignores piped stdin and exits with `agy --print takes the prompt as an argument, not stdin`, forcing a wasted second invocation. The `> "$LOG_FILE" 2>&1` redirect in Step 2 captures the reviewer's *output*; it is unrelated to how the prompt goes in. Keep `"$LOCAL_PROMPT"` as the quoted argument to `-p` exactly as shown in the invocation table.
+
 Notes on each invocation:
 - **claude / agy** call slashdo's installed review command (`/do:review` under claude, `/do-review` under agy — `$REVIEW_CMD` resolved in pre-flight).<!-- if:teams --> Under Claude Code the `claude` reviewer is a sub-agent that invokes the `do:review` skill in-process (the prompt content is identical to `$LOCAL_PROMPT`), rather than a `claude -p` subprocess.<!-- /if:teams --> In `REVIEWER_APPLIES=true` mode, the suffix overrides two of do:review's defaults: switch the commit message to `address review (<agent>): <summary>` where `<agent>` is the reviewing CLI's slug — `claude` or `agy` here (instead of `do:review`'s current default `address review (self): <summary>`) and skip the auto-push (the orchestrating agent will verify and push). The parenthesized agent name records which reviewer surfaced the finding, which is useful when scanning the log of a release that ran multiple reviewers. In `REVIEWER_APPLIES=false` mode, the suffix instead instructs do:review to skip its Fix/Convention/PR-Comment phases and emit findings to stdout in a structured format the orchestrator can parse — the orchestrator then commits the fixes using the same `address review (<agent>): <summary>` form to preserve attribution.
 - **codex (review-only)** uses the built-in `codex review` subcommand with the **base-branch review target**, which reviews the full diff from `$BASE_BRANCH` to `HEAD`. The three review targets — `--uncommitted`, `--commit <SHA>`, and `--base <BRANCH>` — are mutually exclusive (per `codex review --help` and confirmed by `error: the argument '--commit <SHA>' cannot be used with: --base <BRANCH>`). The positional `[PROMPT]` is *also* mutually exclusive with `--base` (`error: the argument '--base <BRANCH>' cannot be used with: [PROMPT]`), so per-invocation overrides cannot be passed this way — the orchestrating agent applies the fixes itself per step 3. The top-level `--sandbox danger-full-access` flag (before the `review` subcommand) is required so codex can read the working tree and run git: under codex's default sandbox those operations are blocked and `codex review` produces no usable findings. Like `-a`, `--sandbox` is a top-level option and MUST precede `review`.
@@ -108,7 +110,7 @@ Flag rationale (reckless / unattended mode):
 - `codex review` — already non-interactive by design (per `codex review --help`: "Run a code review non-interactively"). Do NOT pass `-a` / `--approval`; the `codex review` subcommand does not accept it and will reject the flag. Also do NOT combine `--commit <SHA>` with `--base <BRANCH>` or with a positional `[PROMPT]` — codex enforces mutual exclusion across review targets and prompt mode, and the loop would exit with code 2 before any review work runs.
 - `codex --sandbox danger-full-access -a never exec` — `-a never` is a top-level Codex flag (never ask for approval; auto-approves all proposed actions). It MUST precede the `exec` subcommand; the `exec` subcommand's own parser does not accept `-a` and `codex exec -a never ...` exits 2 (`error: unexpected argument '-a' found`). Used in the reviewer-applies path alongside the top-level `--sandbox danger-full-access` flag (see below); `codex review` rejects `-a` entirely.
 - `codex --sandbox danger-full-access` — top-level sandbox-policy flag, used on BOTH codex invocations (it precedes the `review` / `exec` subcommand). Codex's default sandbox (`workspace-write`) blocks network and restricts command execution, so without this flag `codex review` can't reliably read the tree / run git and the apply path can't run build, tests, or network ops. PortOS-style hosts run on a trusted single-user machine, so full access is the intended posture (mirrors `claude --dangerously-skip-permissions` / `agy --dangerously-skip-permissions`). `--sandbox` and `-a` are independent top-level flags and may be combined (`codex --sandbox danger-full-access -a never exec …`).
-- `agy --dangerously-skip-permissions` — auto-approves all tool permission requests so the Antigravity CLI runs unattended (the headless equivalent of confirming every prompt). This is the agy successor to the Gemini CLI's `gemini --yolo` + `env GEMINI_SANDBOX=false`: agy folds both "auto-approve tools" and "no sandbox gate" into the single `--dangerously-skip-permissions` flag, and runs the prompt non-interactively via `-p`. Unlike the old gemini invocation, no `env VAR=…` prefix is needed, so it composes cleanly with the `timeout 1800 {INVOCATION}` wrapper at step 2 of the loop.
+- `agy --dangerously-skip-permissions` — auto-approves all tool permission requests so the Antigravity CLI runs unattended (the headless equivalent of confirming every prompt). This is the agy successor to the Gemini CLI's `gemini --yolo` + `env GEMINI_SANDBOX=false`: agy folds both "auto-approve tools" and "no sandbox gate" into the single `--dangerously-skip-permissions` flag, and runs the prompt non-interactively via `-p` — which takes the prompt as its positional argument (`agy … -p "$LOCAL_PROMPT"`), **not** from stdin. Piping into `agy -p` (e.g. `echo … | agy -p`) fails with `agy --print takes the prompt as an argument, not stdin` and wastes an invocation; always pass the quoted prompt as the argument. Unlike the old gemini invocation, no `env VAR=…` prefix is needed, so it composes cleanly with the `timeout 1800 {INVOCATION}` wrapper at step 2 of the loop.
 
 Because these flags grant the headless CLI full unattended write access to the working tree — and the Claude-Code sub-agent likewise shares this working tree — the verify step in this loop (build + tests + diff inspection by the main thread) is mandatory and non-skippable — it is the only line of defense between the reviewing agent's output and the remote branch. This applies in *both* editing modes: in review-only mode the orchestrator's own fixes are still verified before push, because the orchestrator may misread the CLI's findings or introduce its own regressions.
 

package.json

@@ -1,6 +1,6 @@
 {
   "name": "slash-do",
-  "version": "3.4.2",
+  "version": "3.4.3",
   "description": "Curated slash commands for AI coding assistants — Claude Code, OpenCode, Antigravity CLI, and Codex",
   "author": "Adam Eivy <adam@eivy.com>",
   "license": "MIT",