Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="docs/release-checklist.md">

<violation number="1" location="docs/release-checklist.md:27">
P3: Duplicate checklist entry: `pnpm test:tarball-install-smoke` is listed twice — once as a bare command and again later with detailed verification criteria. Remove the earlier bare entry to avoid running the same step twice during a release.</violation>
</file>

<file name="test/wrapper-session-continuity.test.ts">

<violation number="1" location="test/wrapper-session-continuity.test.ts:30">
P2: Add `vi.restoreAllMocks()` to `afterEach` to prevent spy leaks when a test fails before reaching its manual `mockRestore()` call. The two `vi.spyOn` usages (lines 478 and 543) rely on control reaching `mockRestore()`, which is skipped if the preceding `expect(…).rejects.toThrow(…)` assertion fails.</violation>
</file>

<file name="README.en.md">

<violation number="1" location="README.en.md:8">
P2: Missing `|` separator between the "English" and "日本語" language links. The other README translations (README.ja.md, README.md) correctly include `|` after "English" since it is no longer the last item. The fix requires adding ` |` to the end of the unchanged `English</a>` line above.</violation>
</file>

<file name=".github/workflows/release.yml">

<violation number="1" location=".github/workflows/release.yml:43">
P2: `npm pack` triggers the `prepack` lifecycle hook (`pnpm build`), which silently rebuilds the project *after* `verify:release` already built and tested it. The tarball therefore ships artifacts that were never the ones the test suite validated.

Use `--ignore-scripts` to pack the already-verified build output instead of rebuilding.</violation>
</file>

<file name="README.md">

<violation number="1" location="README.md:8">
P2: Missing ` |` separator between the English and Japanese navigation links. The English link line needs a trailing ` |` to match the pattern used by the other links (and the correct version in `README.ja.md`).</violation>
</file>

<file name="src/lib/runtime/runtime-context.ts">

<violation number="1" location="src/lib/runtime/runtime-context.ts:48">
P2: The first `buildRuntimeContext` call constructs a full runtime (config loading, SyncService, SessionContinuityStore, filesystem layout) only to extract `project.projectRoot`. Use `detectProjectContext(cwd)` directly to avoid the redundant initialization and I/O.</violation>
</file>

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@README.en.md`:
- Around line 6-8: The language selector in README.en.md is missing a pipe
separator between the "English" and "日本語" links; update the HTML fragment
containing the anchor tags for "English" and "日本語" so there is a " | " separator
inserted between the <a href="./README.en.md">English</a> and <a
href="./README.ja.md">日本語</a> links to match the other separators and restore
visual consistency.

In `@src/lib/commands/session-presenters.ts`:
- Around line 291-310: The persisted JSON currently only sets "action" inside
the conditional for refresh+rolloutSelection, so responses like "save" or
"refresh" without a selection drop the action; always include an "action"
top-level property using the action variable, and keep the existing conditional
to add writeMode: "replace" and rolloutSelection when action === "refresh" &&
rolloutSelection; update the object built in session-presenters.ts (the block
referencing action, rolloutSelection, persisted and SessionContinuityWriteMode)
so that action: action appears unconditionally while preserving the conditional
addition of writeMode and rolloutSelection.

In `@src/lib/commands/session.ts`:
- Around line 175-177: The JSON path currently ignores the --print-startup flag
because buildSessionLoadJson always includes startup; update
buildSessionLoadJson (in src/lib/commands/session-presenters.ts) to accept a
boolean (e.g., includeStartup) or read the flag you pass from the caller and
only include the startup field when that boolean is true, then change the call
site in session.ts (the branch where action === "load" and options.json) to pass
the options.printStartup value into buildSessionLoadJson so session load --json
and session load --json --print-startup produce different payload shapes.

In `@src/lib/domain/session-continuity-persistence.ts`:
- Around line 170-188: The code reads only recentAuditPreviewReadLimit entries
into recentContinuityAuditPreviewEntries then slices to recentAuditLimit, so if
recentAuditLimit > recentAuditPreviewReadLimit callers get fewer items than
requested; fix by computing a fetchLimit = Math.max(recentAuditPreviewReadLimit,
recentAuditLimit) (or similar) and pass that to
options.runtime.sessionContinuityStore.readRecentAuditEntries, then use
recentContinuityAuditPreviewEntries.slice(0, recentAuditLimit) to return the
requested number; update references to
recentAuditPreviewReadLimit/recentAuditLimit and the call to
readRecentAuditEntries accordingly.

In `@test/dist-cli-smoke.test.ts`:
- Around line 147-186: The test assumes the dist entrypoint successfully
launches the mock codex and then reads captured-args.json, but when the dist
build/CLI fails the file is missing; update the test around runCli/capturedArgs
to defensively check the CLI result before reading captured-args.json: after
calling runCli(repoDir, ["exec", "continue"], { entrypoint: "dist" }) inspect
result.exitCode and any stderr/stdout (result.exitCode !== 0) and fail the test
with a clear diagnostic (e.g., include result.stdout/result.stderr) instead of
immediately reading capturedArgsPath, and only read/parse captured-args.json if
result.exitCode === 0; reference runCli, capturedArgsPath, and the expect checks
for exec/continue.
- Around line 30-41: The dist smoke test (test/dist-cli-smoke.test.ts) runs
before build in CI and fails because dist/cli.js is missing; fix by removing it
from the default test run and running it only after build: add a dedicated
script for unit tests (e.g., "test:unit") that runs vitest with a pattern or
folder excluding dist-cli-smoke.test.ts and create a separate "test:dist" (or
include it in verify:release) that runs after "build"; update package.json
scripts so "test" calls "test:unit" (keeping verify:release to run build then
"test:dist"), and/or add a CI change to run the new "test:dist" step after pnpm
build. Reference test/dist-cli-smoke.test.ts, the "test" script and
verify:release script to locate where to modify.

In `@test/helpers/session-test-support.ts`:
- Around line 45-104: writeWrapperMockCodex and writeMockCodexBinary create
POSIX-only executable scripts which fail on Windows; detect process.platform ===
"win32" and alongside the generated mock-codex script write a .cmd wrapper that
invokes node with the script path (forwarding all args) and return the .cmd path
to callers on Windows (or alternatively, when creating the mock binary for
Windows, return process.execPath + " " + scriptPath so callers use node
directly). Update both functions (writeWrapperMockCodex and
writeMockCodexBinary) to create the .cmd file on Windows, ensure it forwards
arguments and points to the generated script, and have the function return the
platform-appropriate executable path so spawn() works cross-platform.

In `@test/session-command.test.ts`:
- Around line 47-57: The writeNoopCodexBinary helper is POSIX-only (writes a
shebang script and chmods), causing Windows spawns to fail; make it
platform-aware by detecting process.platform === "win32" and on Windows either
emit a .cmd wrapper alongside the script (or write a .bat/.cmd that calls node
%~dp0\mock-codex) or return a path that will be launched via process.execPath
(i.e., write a .js file and invoke it with process.execPath in tests), and avoid
relying solely on chmod; update any tests that spawn the returned path (or their
spawn options) to use shell:true or to use process.execPath when on Windows so
the noop codex executes reliably across platforms (refer to function name
writeNoopCodexBinary and any tests that call it).
- Around line 36-39: Ensure any spy on
SessionContinuityStore.prototype.appendAuditLog is restored in the test suite
teardown: in the afterEach hook, call mockRestore() (or vi.restoreAllMocks())
for the spy used in tests so the mocked appendAuditLog cannot leak between
tests; locate the afterEach block and add restoration of the spy or a global
restore to guarantee cleanup even if a test fails before its explicit
mockRestore.

In `@test/tarball-install-smoke.test.ts`:
- Around line 50-83: The tests can hang because runCommandCapture (which calls
spawnSync in src/lib/util/process.ts) doesn't set a timeout; update the
spawnSync call inside runCommandCapture (and any helpers in that module) to pass
a reasonable timeout option (e.g. configurable DEFAULT_SUBPROCESS_TIMEOUT) so
synchronous child processes like npm pack/install are killed if they exceed the
limit, expose/configure that timeout constant so tests can override it if
needed, and ensure the runCommandCapture return object still reports
exitCode/stdout/stderr when a timeout occurs.

In `@test/wrapper-session-continuity.test.ts`:
- Around line 30-33: Add a global mock restore to the test teardown: modify the
afterEach block that currently resets process.env and calls
cleanupTempDirs(tempDirs) to also call vi.restoreAllMocks() so any spies/mocks
created with vi.spyOn(...).mockRejectedValueOnce(...) are cleared even if
individual tests fail before calling mockRestore(); update the afterEach
containing process.env.CAM_CODEX_SESSIONS_DIR = originalSessionsDir and await
cleanupTempDirs(tempDirs) to include vi.restoreAllMocks() as the first or last
cleanup step.

---

Nitpick comments:
In `@src/lib/cli/register-commands.ts`:
- Around line 50-70: The nested calls to
addSessionScopeOption(addSessionRolloutOption(addJsonOption(...))) reduce
readability; refactor by creating a local command variable for each subcommand
(e.g., start with sessionCommand.command("save")/command("refresh") and assign
to a variable like cmd), then apply the option helpers in sequence (cmd =
addJsonOption(cmd); cmd = addSessionRolloutOption(cmd); cmd =
addSessionScopeOption(cmd)), and finally attach .action(withStdout(async
(options) => runSession("save" or "refresh", options))); this preserves behavior
(functions: addJsonOption, addSessionRolloutOption, addSessionScopeOption,
sessionCommand, runSession, withStdout) but makes the flow easier to read.

In `@src/lib/commands/session-presenters.ts`:
- Around line 142-166: The formatLayerSection function is incomplete as it only
formats part of the SessionContinuityState, causing code duplication and
divergence in formatSessionLoadText. To fix this, extend formatLayerSection to
cover all fields of SessionContinuityState completely and consistently, and
refactor formatSessionLoadText to reuse formatLayerSection for all local and
shared/merged blocks. This will ensure single-point updates and consistency
across rendering logic.

In `@test/helpers/cli-runner.ts`:
- Around line 7-11: The path.resolve calls for sourceCliPath, distCliPath, and
tsxBinaryPath are relative to process.cwd() and can break when tests run from
other directories; update them to compute paths from the repository file
location using import.meta.url (convert to a filesystem path with fileURLToPath
and path.dirname) and then join to "src/cli.ts", "dist/cli.js", and the
node_modules/.bin/tsx[.cmd] locations so the resolved paths are stable
regardless of the current working directory.

In `@test/wrapper-session-continuity.test.ts`:
- Around line 275-303: The test mocks use POSIX shebangs (creating mockCodexPath
and calling fs.chmod(..., 0o755)) which fail on Windows; update the helper
(writeWrapperMockCodex) and its call sites to be platform-aware: detect
process.platform === "win32" and either emit a .cmd shim that runs "node
<script>.js" or write a .js file and ensure tests spawn it with the Node
executable (instead of relying on shebang+chmod); replace direct fs.chmod(...,
0o755) usage and adjust places that call spawn() to use the shim or explicit
"node" invocation so mock binaries run cross-platform (refer to symbols
mockCodexPath, writeWrapperMockCodex, fs.chmod, and any
spawn/child_process.spawn usages).

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@test/dist-cli-smoke.test.ts`:
- Around line 48-59: The test fails because it relies on compiled artifacts
(entrypoint "dist") that may not exist; update the test to ensure the cli is
built before invoking runCli or switch to the source entrypoint: either (A) run
the build step (e.g., invoke the repo's build command or call the build helper)
and await completion before calling runCli with entrypoint "dist", or (B) change
the test to call runCli(repoDir, ["--version"], { entrypoint: "src" }) so it
uses the uncompiled entrypoint; update the three locations referencing
runCli(..., { entrypoint: "dist" }) (in test/dist-cli-smoke.test.ts and the
duplicates) accordingly.

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@CONTRIBUTING.md`:
- Line 70: The CONTRIBUTING.md note forbids hard-merging rollout selection rules
for "cam session refresh" and "wrapper auto-save" but lacks rationale; add a
brief explanation in docs/architecture.md (or create docs/session-continuity.md)
that explains why these two features must keep independent provenance selection
despite sharing persistence semantics — describe the distinct concerns (e.g.,
session continuity/provenance vs. UX autosave behavior), give a short example of
a problematic hard-merge scenario, and state the intended invariant to preserve
so future maintainers understand the constraint; reference the terms "cam
session refresh" and "wrapper auto-save" in that document so it’s discoverable
from CONTRIBUTING.md.
- Around line 66-70: The CONTRIBUTING.md lines that specify persistence
semantics for `cam session save` (merge), `cam session refresh` (replace), and
wrapper auto-save (merge), and the note about not hard-merging rollout selection
rules, should be moved into a design/architecture doc (e.g.,
docs/architecture.md or docs/session-continuity.md); update CONTRIBUTING.md to
reference that architecture doc for implementation contracts and keep only
high-level contribution workflow guidance, while copying the full details and
rationale for `cam session save`, `cam session refresh`, wrapper auto-save, and
the rollout selection rules into the chosen architecture document so they remain
discoverable and contextually documented.
- Around line 62-65: Rewrite the four consecutive lines that begin with "Keep"
to reduce repetition while preserving meaning: change the first line to start
with "Register new commands through src/lib/cli/register-commands.ts instead of
expanding src/cli.ts," change the second to "Perform runtime composition in
src/lib/runtime/runtime-context.ts so command files reuse that runtime surface,"
change the third to "Limit src/lib/commands/session.ts to provenance selection
and action dispatch, and move reviewer-facing presentation to
src/lib/commands/session-presenters.ts," and change the fourth to "Centralize
shared continuity persistence in
src/lib/domain/session-continuity-persistence.ts so session commands and
auto-save use the same persistence path." Ensure the phrasing is parallel but
varied (avoid starting three or more consecutive sentences with the same word).