Tech Debt Backlog

[dean0x]

Tech Debt Backlog

Auto-maintained by /review. Items are added when pre-existing issues are found during code reviews.

How This Works

• Issues found in code you didn't change are logged here
• Each item links to the review that found it
• Items are automatically removed when fixed
• Check items off manually as you address them

---

Items

Architecture

• [architecture] src/cli/commands/init.ts:32-39 - Tight coupling to Claude CLI with no timeout, can hang indefinitely
  -> Review: 2026-01-03

• [architecture] src/cli/commands/init.ts:213-216 - Missing dependency injection for readline, makes prompt testing impossible
  -> Review: 2026-01-03

• [architecture] commands/implement.md:100-132 - Parallel agent execution without dependency graph or failure handling
  -> Review: 2026-01-03

• [architecture] agents/synthesize.md:4 - Hardcoded model haiku prevents flexibility for complex scenarios
  -> Review: 2026-01-03

• [architecture] agents/skimmer.md:4 - Hardcoded model haiku prevents user override
  -> Review: 2026-01-03

• [architecture] src/cli/commands/init.ts:337-370 - Mutable state in loop during skill cleanup, potential race conditions
  -> Review: 2026-01-03

• [architecture] src/cli/commands/init.ts:340-345 - Silent error swallowing in skill removal without verbose logging
  -> Review: 2026-01-03

• [architecture] src/cli/commands/init.ts - God object pattern, handles too many responsibilities (767 lines)
  -> Review: 2026-01-03

• [architecture] src/templates/settings.json - Magic numbers: 126 patterns with no categorization or comments
  -> Review: 2026-01-03

• [architecture] src/cli/commands/init.ts:66-94 - Hardcoded command/skill registry duplicates data from filesystem
  -> Review: 2025-12-01

• [architecture] src/cli/commands/init.ts - Scattered verbose checks (15+ if (verbose) occurrences), consider logger abstraction
  -> Review: 2025-12-03

• [architecture] src/cli/commands/init.ts - Missing Result type pattern - uses process.exit(1) instead of error returns (6 occurrences)
  -> Review: 2025-12-03

• [architecture] src/cli/utils/paths.ts:14,31,57,87 - Functions throw errors instead of returning Result types, violates project engineering principles
  -> Review: 2025-12-03

• [architecture] CLAUDE.md - Missing docs-helpers.sh script referenced in documentation but not implemented
  -> Review: 2025-12-03

• [architecture] src/cli/utils/paths.ts - Inconsistent async pattern - mixed sync/async functions in same module
  -> Review: 2025-12-03

• [architecture] src/cli/commands/init.ts, uninstall.ts - Magic string constants scattered (URLs, skill names) instead of centralized constants
  -> Review: 2025-12-03

Security

• [security] src/claude/agents/devflow/release.md:528,556,649 - Command injection risk via eval for build/test/publish commands
  -> Review: 2025-12-03

• [security] src/cli/utils/paths.ts:26-40,52-66 - Path traversal prevention could be stronger (no symlink or .. validation)
  -> Review: 2025-12-03

• [security] src/cli/cli.ts:14-16 - JSON parsing without schema validation for package.json
  -> Review: 2025-12-03

Complexity

• [complexity] src/cli/commands/init.ts:169-750 - initCommand.action spans 580 lines, exceeds 50-line recommendation
  -> Review: 2026-01-03

• [complexity] src/cli/commands/init.ts:490-678 - Embedded 190-line .claudeignore template inflates function length
  -> Review: 2026-01-03

• [complexity] src/cli/commands/init.ts:309,398 - Duplicated rootDir computation with identical logic
  -> Review: 2026-01-03

• [complexity] src/cli/commands/uninstall.ts:150-172 - Hardcoded skill list duplicates init.ts array, risk of drift
  -> Review: 2026-01-03

• [complexity] scripts/statusline.sh:48-76 - Context usage calculation has 3 levels of nesting
  -> Review: 2026-01-03

• [complexity] src/cli/commands/init.ts - Inconsistent error handling (process.exit vs try/catch vs verbose-only)
  -> Review: 2026-01-03

• [complexity] src/cli/commands/init.ts:726-739 - copyDirectory recursion without depth limit (potential stack overflow on deep trees)
  -> Review: 2025-12-01

• [complexity] src/cli/commands/init.ts:32,223 - Multiple readline.createInterface patterns exist, consider consolidating
  -> Review: 2025-12-03

• [complexity] src/cli/commands/init.ts:455-642 - Embedded 187-line .claudeignore template string should be externalized
  -> Review: 2025-12-03

• [complexity] src/cli/commands/init.ts:399-416,424-442 - Duplicated atomic file write with fallback pattern for settings.json and CLAUDE.md
  -> Review: 2025-12-03

• [complexity] src/cli/commands/init.ts:332-366 - Nesting depth of 4 levels in skill cleanup loop
  -> Review: 2025-12-03

Performance

• [performance] src/cli/commands/init.ts:752-766 - copyDirectory uses sequential file ops instead of parallel Promise.all
  -> Review: 2026-01-03

• [performance] scripts/statusline.sh:12-22 - Multiple jq invocations on same input (4 process spawns instead of 1)
  -> Review: 2026-01-03

• [performance] scripts/statusline.sh:34 - git status --porcelain can be slow in large repos
  -> Review: 2026-01-03

• [performance] src/cli/commands/init.ts:337-369 - Sequential directory removal in cleanup, could use Promise.all
  -> Review: 2026-01-03

• [performance] src/cli/commands/init.ts:33-38 - Synchronous execSync for version check blocks event loop
  -> Review: 2026-01-03

• [performance] src/cli/commands/init.ts:44-52 - Synchronous execSync for plugin install blocks event loop
  -> Review: 2026-01-03

• [performance] src/cli/commands/init.ts:264 - Repeated gitRoot computation (getGitRoot called after getInstallationPaths already computes it)
  -> Review: 2025-12-03

• [performance] src/cli/utils/git.ts:18 - Uses child_process.exec which spawns shell; could use execFile for slightly better performance
  -> Review: 2025-12-03

• [performance] src/cli/commands/init.ts:370-373 - Sequential file operations in loop could use Promise.all for parallelism
  -> Review: 2025-12-03

• [performance] src/cli/commands/init.ts:377-380 - Sequential script chmod operations could be batched
  -> Review: 2025-12-03

• [performance] src/cli/commands/init.ts:726-739 - copyDirectory processes entries sequentially instead of parallel
  -> Review: 2025-12-03

TypeScript

• [typescript] src/cli/commands/uninstall.ts:50 - options parameter implicitly typed, missing UninstallOptions interface
  -> Review: 2026-01-03

• [typescript] src/cli/commands/init.ts:379 - Non-null assertion operator (!) bypasses null checks
  -> Review: 2026-01-03

• [typescript] src/cli/commands/uninstall.ts:59 - Type assertion without runtime validation trusts Commander.js regex
  -> Review: 2026-01-03

• [typescript] src/cli/commands/uninstall.ts:23 - Untyped options parameter in action handler (implicit any)
  -> Review: 2025-12-03

• [typescript] src/cli/commands/uninstall.ts:30 - Unsafe type assertion for scope without runtime validation
  -> Review: 2025-12-03

• [typescript] src/cli/commands/init.ts, uninstall.ts - Inconsistent catch block typing (some use : unknown, others do not)
  -> Review: 2025-12-03

• [typescript] src/cli/commands/init.ts:376 - Non-null assertion operator usage without defensive coding
  -> Review: 2025-12-03

• [typescript] src/cli/cli.ts:14-16, init.ts:181 - JSON.parse without type validation returns any
  -> Review: 2025-12-03

• [typescript] src/cli/utils/paths.ts:77 - String literal union 'user' | 'local' duplicated, should be shared type
  -> Review: 2025-12-03

Documentation

• [documentation] README.md:489-501 - Project structure documents old src/claude/ layout, doesn't match actual agents/commands/skills at root
  -> Review: 2026-01-03

• [documentation] README.md:175-187 - Missing ConsistencyReview and RegressionReview agents from Review Agents table
  -> Review: 2026-01-03

• [documentation] README.md:189-202 - Missing Synthesize agent from Utility Agents table (or mark as internal)
  -> Review: 2026-01-03

• [documentation] CLAUDE.md:102-114 - Inconsistent review agent counts (9 vs 11 vs 12 in different sections)
  -> Review: 2026-01-03

• [documentation] CLAUDE.md:31-51 - Missing Swarm/reviews directory relationship in .docs structure
  -> Review: 2026-01-03

• [documentation] CLAUDE.md:78 - References non-existent .devflow/scripts/docs-helpers.sh script
  -> Review: 2026-01-03

• [documentation] README.md:153-154 - /implement vs /run relationship unclear to users
  -> Review: 2026-01-03

• [documentation] README.md - Missing /get-issue command in Slash Commands table
  -> Review: 2025-12-03

• [documentation] README.md - Missing get-issue sub-agent in Sub-Agents table
  -> Review: 2025-12-03

• [documentation] src/cli/commands/init.ts:726-739 - copyDirectory utility function lacks JSDoc documentation
  -> Review: 2025-12-03

• [documentation] src/cli/commands/init.ts:116 - Hardcoded docs URL appears in multiple places, could be a constant
  -> Review: 2025-12-01

• [documentation] CHANGELOG.md - Missing version link for v0.6.1 at bottom of file
  -> Review: 2025-12-03

• [documentation] CLAUDE.md and .claude/CLAUDE.md - Duplicate content between files, consider consolidating
  -> Review: 2025-12-03

Dependencies

• [dependencies] package.json - commander@12.1.0 is 2 major versions behind, @types/node has patch updates available
  -> Review: 2026-01-03

• [dependencies] package.json - Caret version ranges may cause inconsistencies between environments
  -> Review: 2026-01-03

• [dependencies] package-lock.json - Name/version mismatch (shows "devflow" and "1.0.0" instead of "devflow-kit" and "0.8.1")
  -> Review: 2025-12-03

• [dependencies] dist/ - Sourcemaps (.js.map, .d.ts.map) included in published package unnecessarily
  -> Review: 2025-12-03

Tests

• [tests] src/cli/commands/init.ts, uninstall.ts - No test coverage for 766+ lines of installation/uninstallation logic
  -> Review: 2026-01-03

• [tests] src/cli/utils/paths.ts, git.ts - Pure utility functions untested, security validation in getGitRoot not verified
  -> Review: 2026-01-03

• [tests] package.json:15 - Test script is placeholder that always succeeds, breaks CI/CD test gates
  -> Review: 2026-01-03

• [tests] Project-wide - Architecture has tight coupling (no DI) making unit tests difficult without mocking Node.js internals
  -> Review: 2026-01-03

• [tests] package.json - No testing framework configured (test script just exits 0)
  -> Review: 2025-12-03

• [tests] Project-wide - No test coverage configuration (thresholds, CI/CD integration, pre-commit hooks)
  -> Review: 2025-12-01

• [tests] src/cli/utils/ - Utility modules (paths.ts, git.ts) lack tests
  -> Review: 2025-12-01

• [tests] src/cli/commands/uninstall.ts - Uninstall command lacks tests
  -> Review: 2025-12-01

• [tests] Architecture - Tight coupling to console/fs/process.exit makes testing difficult (no DI)
  -> Review: 2025-12-03

Consistency

• [consistency] agents/review-summary.md:2 - Agent named Summary, but sibling agents follow {Domain}Review pattern
  -> Review: 2026-01-03

• [consistency] commands/review.md:113-128 - Table header still says "Audits" when codebase renamed to "Reviews"
  -> Review: 2026-01-03

• [consistency] commands/review.md:145 - Task placeholder uses old "AuditType" terminology instead of ReviewType
  -> Review: 2026-01-03

---

Last updated: 2026-01-03

Summary:

• Total items: 85
• Items removed this update: 1 (promptUser dead code)
• Items added this update: 42 (new findings from feat/agent-orchestration-v2 review)