Desloppify Files

This release adds the progression log — an append-only lifecycle event timeline that gives AI agents persistent memory across cycles — along with a batch of bug fixes from the community covering cross-platform issues, regex safety, serialization crashes, and triage quality.

62 files changed | 18 commits | 5,495 tests passing

Progression Log

The biggest addition in this release is .desloppify/progression.jsonl — an append-only event log that records lifecycle boundary events as they happen. Each line is a self-contained JSON object with a discriminated event_type, timestamps, scores, and a structured payload.

The problem this solves: desloppify's lifecycle is a loop (execute → scan → review → triage → execute), and until now there was no persistent record of what happened at each boundary. The scan history had the last 20 scans, the execution log had plan actions, and query.json was ephemeral. A CEO agent guiding triage had no way to answer "what improved since last cycle?" without reconstructing it from scattered sources.

The progression log records 7 boundary events:

• scan_preflight — gate decision (allowed/blocked/bypassed) with queue state
• scan_complete — scores, dimension deltas, scan diff, execution summary with resolved/skipped IDs, suppression metrics
• postflight_scan_completed — scan marker flip for the current cycle
• subjective_review_completed — reviewer observations: which dimensions were covered, evidence summaries, new review issue IDs and summaries, import provenance
• triage_complete — strategy summary, cluster names and theses, verdict counts, organized/total counts
• entered_planning_mode — phase transition into any planning phase, with trigger
• execution_drain — queue drained via resolve or workflow resolve, with scores at drain

Key design decisions:

• Timestamps as join keys — events carry enough summary for quick reads, but timestamps let a reader query state.json and the plan's execution_log for full detail. The progression log is a timeline index, not a data copy.
• Idempotent marker triggers — events fire on mark_postflight_scan_completed() and mark_subjective_review_completed() returning True. These are idempotent per scan_count, so no double-fire.
• Best-effort, never break parent — all hooks are wrapped in try/except. Advisory file locking with 2s timeout. On lock failure, appends without the lock and logs a warning.
• Corruption-resilient reads — corrupt JSONL lines are skipped with a warning; the file is never erased. Periodic trim keeps it under 2000 lines.

Triage: Stop Obsessing Over Test Coverage

Multiple users reported the tool pushes test writing over actual code cleanup. The root cause: triage LLMs promote test_coverage clusters because they appear first (sorted by issue count) with no guidance to deprioritize.

Changes:

• Triage prompt now explicitly says: clean up code quality BEFORE test coverage — writing tests for sloppy code locks in the slop
• Added defer action type for auto-clusters (keeps in backlog for later cycles)
• Scan coaching and catalog guidance reworded to "review coverage gaps" instead of "add tests"

Bug Fixes

• Phantom cluster membership — action_step refs are traceability metadata, not membership. Merging them into issue_ids caused bare shorthand IDs from triage runners to become phantom cluster members that reappear after every reconcile cycle.
• Update-skill duplicate detection — raises CommandError when skill content is already present but begin/end markers are missing, preventing silent duplicate appends.
• Generic fixer crash — four autofix pipeline sites assumed FixResult entries always have a removed key. Generic fixers (e.g., eslint-warning) return {file, line} or {file, fixed} without it. Cherry-picked from PR [#484] by @AugusteBalas.
• JSON serialization crash — EcosystemFrameworkDetection dataclass instances leaked into review_cache via shared dict references, causing TypeError on state serialization. Adds a dataclass handler to json_default. Bug identified by @0-CYBERDYNE-SYSTEMS-0 in PR [#486].
• Synthetic ID deferred skip loop — synthetic queue IDs (workflow::*, triage::*) in the skipped dict caused phantom deferred-disposition items. Cherry-picked from PR [#485] by @ryexLLC.
• Dart regex catastrophic backtracking — the annotation sub-pattern had overlapping whitespace consumption between a character class and trailing \s*, wrapped in ()*, causing exponential backtracking. Possessive quantifiers prevent it. Cherry-picked from PR [#477] by @AvoMandjian.
• Framework cache state bloat — framework detection wrote dataclass objects into review_cache, which shares a dict reference with persisted state. New runtime_cache field separates ephemeral scan-scoped data from persisted review state. Cherry-picked from PR [#483] by @maciej-trebacz.
• Zone reclassification stale issues — when zone rules change (e.g., adding JS test patterns), existing open issues for reclassified files now auto-resolve instead of persisting forever. Bug identified by @claytona500 in PR [#478].
• macOS SSL for update-skill — uses certifi CA bundle instead of the system cert store, which on Homebrew Python often has no CA certificates. Closes [#468], reported by @Vuk97.
• Windows font fallbacks — scorecard image generator now has Consolas, Georgia, Segoe UI, and Arial as Windows fallbacks instead of falling through to Pillow's bitmap font.
• Windows .exe process execution — _resolve_executable() no longer wraps .exe binaries in cmd /c, which caused \" escaping errors when prompts contain spaces. Closes [#487], reported by @Dteyn.
• Snyk false positive — renamed session_token placeholder to session_hmac in review JSON examples to avoid Snyk W007 credential-detection heuristic. Closes [#473], reported by @mark-major.

R Code Smell Detectors

Contributed by @sims1253 (PR [#450]). Ten R-specific smell checks detecting common anti-patterns: setwd(), <<- global assignment, attach(), rm(list=ls()), debug leftovers, T/F ambiguity, 1:n() off-by-one risk, deprecated stringsAsFactors, and library() inside functions. The library_in_function check uses tree-sitter when available with a regex fallback.

Also extends the generic language framework with custom_phases support — any generic plugin can now inject language-specific detector phases without converting to a full plugin. 22 tests covering detection, false positive suppression, and edge cases.

Documentation

• Work queue README — explains how items flow from scan to execution queue, why test_coverage dominates pre-triage ordering, that tier is display-only metadata, and the full sort order with filter chain
• Main README process overview — new "How it works" section explaining the scan → score → review → triage → execute loop
• Docs reorganization — internal documentation (DEVELOPMENT_PHILOSOPHY, QUEUE_LIFECYCLE, ci_plan) and release infrastructure moved from docs/ to dev/. Website separated as its own repo.

Community

Cherry-picks and bug reports from @AugusteBalas (generic fixer crash), @AvoMandjian (Dart regex DoS), @maciej-trebacz (framework cache bloat), @ryexLLC (synthetic ID loop), @0-CYBERDYNE-SYSTEMS-0 (dataclass serialization), @claytona500 (zone reclassification), @Vuk97 (macOS SSL), @Dteyn (Windows .exe execution), and @mark-major (Snyk false positive).

@sims1253 continues to drive R language support forward — this is the fifth R-focused PR across the last few releases, and the custom_phases framework extension benefits every language plugin.

Thank you all — every report and PR made this release better.