ivuorinen · ivuorinen · Apr 12, 2026 · Apr 12, 2026 · Apr 13, 2026 · Apr 14, 2026
@@ -4,18 +4,55 @@
 
 cd "$CLAUDE_PROJECT_DIR" || exit 0
 
-# Ensure node/yarn are on PATH via mise
-eval "$(mise activate bash --shims)" 2> /dev/null
-node_dir="$(mise where node 2> /dev/null)/bin"
-[ -d "$node_dir" ] && export PATH="$node_dir:$PATH"
+# Ensure node/yarn are on PATH via mise (if available)
+if command -v mise > /dev/null 2>&1; then
+  eval "$(mise activate bash --shims)" 2> /dev/null
+  node_root="$(mise where node 2> /dev/null)"
+  [[ -n "$node_root" && -d "$node_root/bin" ]] && export PATH="$node_root/bin:$PATH"
+fi
+
+# Fall back to corepack shim locations if yarn is still the legacy v1
+export PATH="$HOME/.local/bin:/usr/local/bin:$PATH"
+if command -v corepack > /dev/null 2>&1; then
+  corepack enable --install-directory "$HOME/.local/bin" 2> /dev/null || true
+fi
-# Fall back to corepack shim locations if yarn is still the legacy v1
-export PATH="$HOME/.local/bin:/usr/local/bin:$PATH"
-if command -v corepack > /dev/null 2>&1; then
-  corepack enable --install-directory "$HOME/.local/bin" 2> /dev/null || true
-fi
+# Fall back to corepack shim location only when yarn is missing/legacy
+if ! command -v yarn > /dev/null 2>&1 || yarn --version | grep -q '^1\.'; then
+  export PATH="$HOME/.local/bin:$PATH"
+  if command -v corepack > /dev/null 2>&1; then
+    corepack enable --install-directory "$HOME/.local/bin" 2> /dev/null || true
+  fi
+fi
-# Fall back to corepack shim locations if yarn is still the legacy v1
-export PATH="$HOME/.local/bin:/usr/local/bin:$PATH"
-if command -v corepack > /dev/null 2>&1; then
-  corepack enable --install-directory "$HOME/.local/bin" 2> /dev/null || true
-fi
+# Fall back to corepack shim location only when yarn is missing/legacy
+if ! command -v yarn > /dev/null 2>&1 || yarn --version | grep -q '^1\.'; then
+  export PATH="$HOME/.local/bin:$PATH"
+  if command -v corepack > /dev/null 2>&1; then
+    corepack enable --install-directory "$HOME/.local/bin" 2> /dev/null || true
+  fi
+fi
+
+# Resolve the correct yarn binary: prefer corepack yarn (v4+) over the global v1 shim
+YARN_BIN="yarn"
+if command -v corepack > /dev/null 2>&1; then
+  yarn_version="$(yarn --version 2>/dev/null || echo "0")"
+  if [[ "$yarn_version" == 1.* ]]; then
+    YARN_BIN="corepack yarn"
+  fi
+fi
 
-output=$(yarn lint 2>&1)
+# Ensure node_modules are installed (fast no-op if already up to date).
+# --no-immutable allows the lockfile to be refreshed in dev environments.
+if ! $YARN_BIN install --no-immutable; then
+  echo "yarn install failed — aborting lint" >&2
+  exit 2
+fi
+
+output=$($YARN_BIN lint:biome 2>&1 && $YARN_BIN lint:prettier 2>&1 && $YARN_BIN lint:md-table 2>&1)
 status=$?
 
+# Run ec separately; skip if it fails due to binary download issues (network/rate-limit)
+ec_output=$($YARN_BIN lint:ec 2>&1)
+ec_status=$?
+if [[ $ec_status -ne 0 ]]; then
+  if echo "$ec_output" | grep -q "rate limit\|Failed to download\|HttpError"; then
-  if echo "$ec_output" | grep -q "rate limit\|Failed to download\|HttpError"; then
+  if echo "$ec_output" | grep -Eq "rate limit|Failed to download|HttpError"; then
-  if echo "$ec_output" | grep -q "rate limit\|Failed to download\|HttpError"; then
+  if echo "$ec_output" | grep -Eq "rate limit|Failed to download|HttpError"; then
+    echo "Warning: editorconfig-checker skipped (binary download failed — GitHub rate limit)" >&2
+  else
+    output="$output
+$ec_output"
+    status=$ec_status
+  fi
+fi
+
 if [ $status -ne 0 ]; then
   echo "Lint failed — fix before finishing:" >&2
   echo "$output" >&2
   exit 2
 fi
 
-exit 0
+exit 0
@@ -0,0 +1,184 @@
+---
+name: adversarial-reviewer
+description: Deterministic adversarial code review focused on provable failures. Optimized for agent
+  execution, minimal tokens, and high signal findings across web applications.
+---
+
+# Adversarial Code Reviewer
+
+## Core Directive
+
+Find **provable failures**. Not opinions. Not hypotheticals.
+
+If it cannot be triggered, it is not a bug.
+
+## Operating Rules
+
+- **Assume broken.** Every line must justify itself.
+- **No praise. Only defects.**
+- **No hedging.** Remove words like "might", "could", "potential".
+- **Prove it.** Every finding MUST include a concrete trigger.
+- **Minimal fixes only.** Do not redesign systems.
+- **Silence = approval.**
+
+## Review Algorithm (Execution Loop)
+
+1. **Map data flow** (inputs → transformations → outputs)
+2. **Enumerate boundaries** (API, DB, UI, external services)
+3. **Break assumptions** (invalid, repeated, concurrent inputs)
+4. **Force failure paths** (timeouts, nulls, race conditions)
+5. **Verify impact** (user-visible, data loss, security)
+
+Stop when no new concrete failures can be produced.
+
+## Checklist (Failure-Oriented)
+
+### 1. Logic & Control Flow
+
+- Off-by-one / boundary drift
+- Inverted/missing conditions
+- Hidden side effects in expressions
+- Wrong operator / coercion
+- Dead/unreachable branches
+
+### 2. Inputs & Edge Conditions
+
+- Null / empty / NaN / malformed
+- Extremes (min/max/negative)
+- Repeated / duplicate calls
+- Encoding / Unicode mismatch
+
+### 3. Error Handling
+
+- Silent failure
+- Async errors not awaited
+- Overbroad catch
+- Missing rollback/cleanup
+- Internal data leaked in errors
+
+### 4. State & Concurrency
+
+- Race conditions / TOCTOU
+- Shared mutable state
+- Stale closures
+- Duplicate execution (retry/UI)
+
+### 5. Security (Trust Boundaries)
+
+- Injection (SQL/HTML/shell/path)
+- Broken/missing authorization
+- Trusting client input
+- Secret exposure
+
+### 6. Data Integrity
+
+- Missing validation at boundaries
+- Partial writes
+- Schema drift
+- Constraint violations
+
+### 7. Resources & Performance
+
+- Memory/resource leaks
+- Unbounded growth
+- Missing timeouts
+- N+1 / redundant calls
+- Retry storms
+
+### 8. Frontend / Web Behavior
+
+- UI/server state divergence
+- Duplicate requests (double submit)
+- Stale cache / invalidation bugs
+- Hydration mismatch (SSR/CSR)
+- Navigation/fetch race
+
+### 9. Accessibility (A11y)
+
+- Missing semantics/roles
+- No keyboard path
+- Missing labels
+- Broken screen reader flow
+
+### 10. API & Integration
+
+- Wrong HTTP semantics
+- Missing/incorrect status codes
+- Inconsistent schemas
+- No idempotency
+- External dependency failure not handled
+
+### 11. Observability
+
+- Cannot trace request end-to-end
+- Missing structured logs
+- No error visibility
+
+### 12. Configuration
+
+- Hardcoded values/secrets
+- Unsafe defaults
+- Env-specific behavior leaks
+
+### 13. Conventions & Framework Alignment
+
+- Violates existing project patterns
+- Reinvents framework features
+- Breaks lifecycle assumptions
+- Inconsistent with surrounding code
+- Introduces new pattern without need
+
+### 14. Tests (Only When Directly Relevant)
+
+- Test hides real failure (over-mocked)
+- Flaky due to timing/concurrency
+- Missing regression for reproduced bug
+
+## Anti-Patterns (Immediate Flags)
+
+- "It works locally" assumptions
+- Implicit type coercion in critical paths
+- Business logic in UI layer
+- Silent fallbacks
+- Catch + ignore
+
+## Output Format (Strict)
+
+```text
+**BUG: [short title]**
+File: path/to/file:line
+Category: [Checklist category]
+Severity: CRITICAL | HIGH | MEDIUM | LOW
+
+[Failure description — 1-2 sentences]
+
+Trigger: [exact input/sequence]
+
+Fix: [minimal change]
+```
+
+## Severity Model
+
+- **CRITICAL**: Security issue, data loss, crash
+- **HIGH**: Common user-facing incorrect behavior
+- **MEDIUM**: Edge-case failure, performance degradation
+- **LOW**: Latent issue that can become a bug
+
+## Rejection Rules (Do NOT Output)
+
+- No style comments
+- No "this could be improved"
+- No architectural opinions
+- No unproven speculation
+
+If unsure → omit.
+
+## Termination Condition
+
+If no **provable** failures remain:
+
+```text
+No bugs found
+```
+
+Stop immediately.
@@ -1,4 +1,4 @@
 [tools]
 node = "24.14.1"
-python = "3.14.4"
+python = "3.14"
 go = "1.26.2"
@@ -169,14 +169,14 @@ SC2174 (mkdir -p -m), SC2016 (single-quote expressions).
 ## Claude Code Configuration
 
 - **Hooks** (`.claude/settings.json`):
-  - *PreToolUse*: Blocks edits to `fzf-tmux`, `yarn.lock`,
+  - _PreToolUse_: Blocks edits to `fzf-tmux`, `yarn.lock`,
     `.yarn/`, submodule paths, and real secrets.d files
-  - *PostToolUse*: Auto-formats files by extension
+  - _PostToolUse_: Auto-formats files by extension
     (shfmt, fish_indent, stylua, biome, prettier)
-  - *PostToolUse*: Validates Dotbot `install.conf.yaml`
+  - _PostToolUse_: Validates Dotbot `install.conf.yaml`
     after edits
-  - *PostToolUse*: Warns on formatter/linter config changes
-  - *Stop*: Runs `yarn lint` gate before finishing
+  - _PostToolUse_: Warns on formatter/linter config changes
+  - _Stop_: Runs `yarn lint` gate before finishing
 - **Skills** (`.claude/skills/`):
   - `shell-validate`: Auto-validates shell scripts
     (syntax + shellcheck)
@@ -280,4 +280,4 @@ You do NOT need to manually instruct subagents about context-mode.
 |---------------|---------------------------------------------------------------------------------------|
 | `ctx stats`   | Call the `ctx_stats` MCP tool and display the full output verbatim                    |
 | `ctx doctor`  | Call the `ctx_doctor` MCP tool, run the returned shell command, display as checklist  |
-| `ctx upgrade` | Call the `ctx_upgrade` MCP tool, run the returned shell command, display as checklist |
+| `ctx upgrade` | Call the `ctx_upgrade` MCP tool, run the returned shell command, display as checklist |
@@ -1,5 +1,5 @@
 {
-  "$schema": "https://biomejs.dev/schemas/2.4.7/schema.json",
+  "$schema": "https://biomejs.dev/schemas/2.4.12/schema.json",
   "vcs": {
     "enabled": true,
     "clientKind": "git",
@@ -101,4 +101,4 @@
       }
     }
   ]
-}
+}
@@ -514,6 +514,14 @@ export SQLITE_HISTORY="${XDG_CACHE_HOME}/sqlite_history"
 # sonarqube-cli
 [ -d "$HOME/.local/share/sonarqube-cli/bin" ] && export PATH="$HOME/.local/share/sonarqube-cli/bin:$PATH"
 
+# Set precompiled Python arch+OS so mise downloads the right binary
+if command -v mise-python-arch > /dev/null 2>&1; then
+  if _mise_python_arch_env="$(mise-python-arch 2>/dev/null)" && [ -n "$_mise_python_arch_env" ]; then
+    eval "$_mise_python_arch_env"
+  fi
+  unset _mise_python_arch_env
+fi
+
 # mise — unified tool version manager
 # https://mise.jdx.dev
 if command -v mise &> /dev/null; then

@@ -106,6 +106,19 @@ set -q OP_CACHE; or set -x OP_CACHE "$XDG_STATE_HOME/1password"
 # Python configuration
 set -q WORKON_HOME; or set -x WORKON_HOME "$XDG_DATA_HOME/virtualenvs"
 
+# Set precompiled Python arch+OS so mise downloads the right binary
+# Each output line from mise-python-arch has the format: export KEY="value"
+if command -v mise-python-arch >/dev/null 2>&1
+    mise-python-arch 2>/dev/null | while read -l _line
+        set -l _kv (string replace -r '^export ' '' -- $_line)
+        set -l _key (string split -m1 '=' $_kv)[1]
+        set -l _val (string replace -r '^[^=]+="|"$' '' -- $_kv | string replace -ra '"' '')
+        if test -n "$_key"
+            set -gx $_key $_val
+        end
+    end
+end
+
 # Poetry configuration
 set -q POETRY_HOME; or set -x POETRY_HOME "$XDG_DATA_HOME/poetry"
 fish_add_path "$POETRY_HOME/bin"

@@ -25,7 +25,7 @@ experimental = true
 [tools]
 # Language runtimes
 node = "lts"
-python = "3.14.4"
+python = "3.14"
 go = "1.26.2"
 rust = "stable"
 
@@ -36,7 +36,7 @@ eza = "latest"
 bottom = "latest"
 zoxide = "latest"
 tree-sitter = "latest"
-neovim = "0.11.6" # Neovim editor binary
+neovim = "0.12.0"
 delta = "latest"
 difftastic = "latest"