feat: implement all 30 open issues across 5 waves

.agents/skills/README.md

@@ -46,6 +46,7 @@ Validate symlinks are intact:
 | [`architecture-diagram/`](architecture-diagram/) | Generate or update a project architecture SVG diagram by scanning the live project structure. Use this skill whenever the user asks to regenerate, refresh, or update the architecture diagram, or when skills, agents, or commands have been added/removed and the diagram is stale. Triggers on phrases like "update the diagram", "regenerate the architecture SVG", "sync the diagram", or "diagram is out of date". |
 | [`atomic-commit/`](atomic-commit/) | Atomic git workflow - validates, commits, pushes, creates PR, and verifies CI with zero-warnings policy. Orchestrates complete code submission as state machine with rollback on failure. |
 | [`cicd-pipeline/`](cicd-pipeline/) | Design and implement CI/CD pipelines with GitHub Actions, GitLab CI, and Forgejo Actions. Use for automated testing, deployment strategies (blue-green, canary), security scanning, and multi-environment workflows. Includes pipeline optimization, secrets management, and failure handling patterns. |
+| [`codacy/`](codacy/) | Use Codacy static analysis CLIs to query PR analysis, triage issues, suppress false positives, and run local analysis. Use when Codacy blocks a PR, when asked to fix Codacy issues, suppress false positives, query PR quality data, or integrate Codacy into CI/CD workflows. Also use when the user mentions "Codacy", "static analysis check", "code quality gate", or "Codacy is failing". |
 | [`cloudflare-worker-api/`](cloudflare-worker-api/) | Structure Worker API routes and handlers. Activate for route definition, response helpers, and typed handler patterns. Auth belongs to secure-invite-and-access. |
 | [`code-quality/`](code-quality/) | Review and improve code quality across any programming language. Use when conducting code reviews, refactoring for best practices, identifying code smells, or improving maintainability. |
 | [`code-review-assistant/`](code-review-assistant/) | Automated code review with PR analysis, change summaries, and quality checks. Use for reviewing pull requests, generating review comments, checking against best practices, and identifying potential issues. Includes style guide compliance, security issue detection, and review automation. |

.agents/skills/codacy/SKILL.md

@@ -0,0 +1,185 @@
+---
+name: codacy
+description: Use Codacy static analysis CLIs to query PR analysis, triage issues, suppress false positives, and run local analysis. Trigger when Codacy blocks a PR, CI quality gate fails, asked to fix/suppress Codacy issues, query PR quality data, or integrate Codacy into agent workflows. Also trigger on "Codacy is failing", "static analysis check", "code quality gate", "Codacy check blocked", "Codacy findings", "Codacy issues", "suppress Codacy", "Codacy reanalysis", "fix Codacy", "Codacy PR", "code review quality gate".
+version: 1.0.0
+template_version: 0.1.0
+license: MIT
+compatibility: Node.js 18+, npm global install. Requires Codacy project access for Cloud CLI. Python 3.x recommended for JSON parsing but not required.
+metadata:
+  author: d-oit
+---
+
+# Codacy
+
+Two CLIs for interacting with Codacy static analysis — local analysis and remote Cloud API.
+
+## Quick Reference
+
+- `codacy-analysis` — Local static analysis (bundled/on-PATH tools only)
+- `codacy` — Cloud API (query PRs, suppress issues, reanalyze)
+- Both share credentials at `~/.codacy/credentials`
+
+## Setup
+
+```bash
+npm i -g @codacy/analysis-cli
+npm i -g @codacy/codacy-cloud-cli
+
+# Authenticate (once, covers both CLIs)
+codacy login --token <your-api-token>
+# Token: Codacy > My Account > Access Management > Account API Tokens
+```
+
+## When to Use Each CLI
+
+| Situation | CLI | Command |
+|-----------|-----|---------|
+| PR is blocked by Codacy | Cloud | `codacy pull-request ... --output json` |
+| Need to suppress false positives | Cloud | `codacy pull-request ... --ignore-issue` |
+| Need to run analysis before push | Analysis | `codacy-analysis analyze --pr` |
+| Need coverage/quality gate data | Cloud | `codacy pull-request ... --output json` |
+| Trigger reanalysis | Cloud | `codacy pull-request ... --reanalyze` |
+
+## Workflow: Triage a Codacy-Blocked PR
+
+### Step 1: Get PR Analysis
+
+```bash
+codacy pull-request gh <org> <repo> <prNumber> --output json > /tmp/codacy-pr.json
+```
+
+Parse the results:
+
+```bash
+python3 -c "
+import json
+from collections import Counter
+with open('/tmp/codacy-pr.json') as f:
+    data = json.load(f)
+issues = data.get('newIssues', [])
+print(f'New issues: {len(issues)}')
+print(f'Quality gate: {\"PASS\" if data[\"pullRequest\"].get(\"isUpToStandards\") else \"FAIL\"}')
+by_tool = Counter(i['commitIssue']['toolInfo']['name'] for i in issues)
+for t, c in by_tool.most_common():
+    print(f'  {t}: {c}')
+print()
+by_file = Counter(i['commitIssue']['filePath'] for i in issues)
+for f, c in by_file.most_common():
+    print(f'  {c:3d}x {f}')
+"
+```
+
+### Step 2: Categorize Issues
+
+Classify each issue from the JSON as:
+
+**False positives** — suppress via Cloud CLI:
+- SQLite-specific syntax (VIRTUAL, PRAGMA) flagged by SQLint
+- `dangerouslySetInnerHTML` with sanitizeHtml() applied before rendering
+- CLI `fs` access patterns (expected for CLI tooling)
+- Test fixtures with HTML in mocks
+- localStorage key names flagged as "hardcoded passwords"
+
+**Real issues** — fix in code, categorized by automation level:
+- Quick fixes: missing `type="button"`, `<div role="button">` → `<button>`, unused imports
+- Medium fixes: non-null assertions with proper guards, arrow function shorthands, unnecessary optionals
+- Deep fixes: Generic Object Injection Sink, non-serializable expressions, unsafe computed property deletes
+
+### Step 3: Suppress False Positives
+
+Issue IDs are the numeric `resultDataId` field in the JSON output, NOT the hash IDs:
+
+```bash
+codacy pull-request gh <org> <repo> <prNumber> \
+  --ignore-issue <resultDataId> \
+  --ignore-reason FalsePositive
+
+# Or suppress all auto-detected false positives at once:
+codacy pull-request gh <org> <repo> <prNumber> --ignore-all-false-positives
+```
+
+Extract issue IDs from JSON (requires `jq` or use Python):
+
+```bash
+# With jq
+jq '.newIssues[] | {id: .commitIssue.resultDataId, tool: .commitIssue.toolInfo.name, file: .commitIssue.filePath, message: .commitIssue.message}' /tmp/codacy-pr.json
+
+# With Python (no jq required)
+python3 -c "
+import json
+with open('/tmp/codacy-pr.json') as f:
+    data = json.load(f)
+for issue in data.get('newIssues', []):
+    ci = issue['commitIssue']
+    print(f\"{ci['resultDataId']} | {ci['toolInfo']['name']:10s} | {ci['filePath']}:{ci['lineNumber']} | {ci['message'][:80]}\")
+"
+```
+
+### Step 4: Fix Real Issues in Code
+
+Batch fixes by pattern across all affected files. For each fix, verify with `pnpm run lint && pnpm run typecheck && pnpm run test` (adjust for the project's toolchain).
+
+## Workflow: Local Analysis
+
+```bash
+# Initialize config with Codacy defaults
+codacy-analysis init --default
+
+# Check which tools are available locally
+codacy-analysis analyze --inspect --output-format json
+
+# Run full analysis
+codacy-analysis analyze --install-dependencies --output-format json
+
+# Run on PR changes only (compares against target branch)
+codacy-analysis analyze --pr --install-dependencies --output-format json
+
+# Run on a specific file
+codacy-analysis analyze ./src/main.ts --output-format json
+
+# Run specific tools
+codacy-analysis analyze --tool ESLint9 --tool Stylelint --output-format json
+```
+
+## Known Limitations
+
+### Analysis CLI (Local)
+
+| Tool | Status | Reason |
+|------|--------|--------|
+| ESLint9, ESLint8, Stylelint, ShellCheck, Trivy, markdownlint, Agentlinter, Jackson Linter | ✅ Works | Bundled or on PATH |
+| Bandit, Pylint, Prospector, Lizard | ❌ Fails | Python binary not found (venv creation fails) |
+| Semgrep | ❌ Fails | opengrep binary not found |
+| SQLint | ❌ Fails | Ruby runtime missing (gem install fails) |
+| PMD | ❌ Fails | Java runtime not available |
+
+The Analysis CLI may show "0 issues" even when the Cloud CLI reports many — always cross-reference.
+
+### Cloud CLI
+
+- `--ignore-issue` requires numeric `resultDataId`, NOT the hash-style issue ID
+- Suppressions take effect immediately; reanalysis may take a few minutes
+- Organization-level coding standards override repo-level tool/pattern settings
+
+## Common Gotchas
+
+| Problem | Cause | Fix |
+|---------|-------|-----|
+| `Error: --ignore-issue must be a number` | Used hash ID instead of numeric resultDataId | Use `resultDataId` from JSON output |
+| `Issue #NNNNN not found in this pull request` | Wrong PR or stale analysis | Run `--reanalyze` first or check PR number |
+| Local analysis = 0 issues, Cloud = many | Cloud runs tools not available locally | Always use Cloud CLI for actual PR data |
+| Analysis CLI install fails | Missing Python/Ruby/Java runtime | Use only JS/TS tools locally; skip auto-install |
+
+## Best Practices
+
+### DO:
+- Use Cloud CLI as primary tool for PR analysis
+- Batch false positive suppressions before fixing code
+- Verify fixes with lint + typecheck + test after each batch
+- Save issue JSON to file for repeatable triage
+
+### DON'T:
+- Rely on local Analysis CLI for full results (it's limited)
+- Use hash-style issue IDs for suppression (use numeric resultDataId)
+- Suppress issues without verifying they're actually false positives
+- Forget to `init --default` before first local analysis

.agents/skills/codacy/evals/evals.json

@@ -0,0 +1,101 @@
+{
+  "skill_name": "codacy",
+  "evals": [
+    {
+      "id": 1,
+      "prompt": "Codacy is blocking PR #209 on d-oit/do-knowledge-studio. How do I find out what issues exist?",
+      "files": [],
+      "assertions": [
+        "The output mentions `codacy pull-request` to query PR analysis",
+        "The output explains how to parse the newIssues JSON array",
+        "The output checks the quality gate status"
+      ]
+    },
+    {
+      "id": 2,
+      "prompt": "I have a false positive from SQLint about VIRTUAL in my SQL migration. How do I suppress it?",
+      "files": [],
+      "assertions": [
+        "The output uses the numeric resultDataId, not the hash ID",
+        "The output uses `--ignore-issue` with `--ignore-reason FalsePositive`",
+        "The output suggests verifying suppression by re-running the command"
+      ]
+    },
+    {
+      "id": 3,
+      "prompt": "I ran `codacy-analysis analyze` locally but it shows 0 issues. Codacy Cloud shows 86. What's wrong?",
+      "files": [],
+      "assertions": [
+        "The output explains that the Analysis CLI runs a limited subset of tools",
+        "The output mentions Python/Ruby/Java tools fail locally",
+        "The output recommends using the Cloud CLI for actual PR data"
+      ]
+    },
+    {
+      "id": 4,
+      "prompt": "I need to suppress all false positive issues in my PR at once. How?",
+      "files": [],
+      "assertions": [
+        "The output suggests `--ignore-all-false-positives`",
+        "The output explains this auto-suppresses Codacy-identified false positives"
+      ]
+    },
+    {
+      "id": 5,
+      "prompt": "The Codacy check says ACTION_REQUIRED on my PR but I've fixed all the issues. What now?",
+      "files": [],
+      "assertions": [
+        "The output suggests triggering reanalysis via `--reanalyze`",
+        "The output mentions suppressions may need human verification on the Codacy dashboard"
+      ]
+    },
+    {
+      "id": 6,
+      "prompt": "PR #42 is being blocked by Codacy's quality gate. Can you check what new issues were introduced and suppress any false positives?",
+      "files": [],
+      "assertions": [
+        "The output fetches PR analysis using `codacy pull-request`",
+        "The output categorizes issues into real vs false positives",
+        "The output explains how to suppress false positives"
+      ]
+    },
+    {
+      "id": 7,
+      "prompt": "I'm getting an error '--ignore-issue must be a number' when trying to suppress a Codacy issue. What am I doing wrong?",
+      "files": [],
+      "assertions": [
+        "The output identifies the cause as using a hash ID instead of numeric resultDataId",
+        "The output explains how to find the correct numeric ID from JSON output"
+      ]
+    },
+    {
+      "id": 8,
+      "prompt": "How do I install and authenticate the Codacy CLIs for the first time?",
+      "files": [],
+      "assertions": [
+        "The output mentions both `@codacy/analysis-cli` and `@codacy/codacy-cloud-cli`",
+        "The output shows the `codacy login --token` authentication command",
+        "The output mentions shared credentials at ~/.codacy/credentials"
+      ]
+    },
+    {
+      "id": 9,
+      "prompt": "Run local Codacy analysis on my TypeScript project before pushing to CI.",
+      "files": ["src/main.ts", "src/utils.ts"],
+      "assertions": [
+        "The output uses `codacy-analysis init --default` first",
+        "The output uses `codacy-analysis analyze --install-dependencies --output-format json`",
+        "The output mentions the limitations of local analysis"
+      ]
+    },
+    {
+      "id": 10,
+      "prompt": "What static analysis tools are available locally for Codacy on this project?",
+      "files": [],
+      "assertions": [
+        "The output uses `codacy-analysis analyze --inspect --output-format json`",
+        "The output lists available tools from the capability report"
+      ]
+    }
+  ]
+}

.agents/skills/codacy/references/output-format.md

@@ -0,0 +1,93 @@
+# Codacy PR Analysis JSON Output Format
+
+## Top-level Structure
+
+```json
+{
+  "pullRequest": {
+    "pullRequest": {
+      "repository": "repo-name",
+      "number": 123,
+      "title": "PR title",
+      "status": "Open",
+      "owner": { "name": "org-name" },
+      "originBranch": "feat/branch",
+      "targetBranch": "main",
+      "headCommitSha": "abc123..."
+    },
+    "isAnalysing": false,
+    "isUpToStandards": false,
+    "newIssues": 86,
+    "fixedIssues": 45,
+    "coverage": { ... },
+    "quality": {
+      "newIssues": 86,
+      "fixedIssues": 45,
+      "deltaComplexity": 241,
+      "deltaClonesCount": 15,
+      "isUpToStandards": false,
+      "resultReasons": [
+        {
+          "gate": "issueThreshold",
+          "expectedThreshold": { "threshold": 0 },
+          "isUpToStandards": false,
+          "expected": 0
+        }
+      ]
+    },
+    "deltaClonesCount": 15
+  },
+  "newIssues": [ ... ],
+  "fixedIssues": [ ... ]
+}
+```
+
+## Issue Object
+
+```json
+{
+  "commitIssue": {
+    "issueId": "f760d1633a4c7045bcc62e5777fbdacc",
+    "resultDataId": 131496760806,
+    "filePath": "src/main.ts",
+    "fileId": 123456789,
+    "patternInfo": {
+      "id": "ESLint8_no-unused-vars",
+      "category": "ErrorProne",
+      "level": "High",
+      "severityLevel": "High"
+    },
+    "toolInfo": {
+      "uuid": "25b6766b-06c6-4625-9df1-561d28386b5f",
+      "name": "ESLint"
+    },
+    "lineNumber": 42,
+    "message": "Description of the issue",
+    "language": "TypeScript",
+    "lineText": "const x = 1;",
+    "falsePositiveThreshold": 80,
+    "commitInfo": {
+      "sha": "abc...",
+      "commiter": "user@example.com",
+      "commiterName": "username",
+      "timestamp": "2026-05-26T19:08:58Z"
+    }
+  },
+  "deltaType": "Added"
+}
+```
+
+## Key Fields
+
+| Field | Type | Purpose |
+|-------|------|---------|
+| `resultDataId` | number | **Numeric ID for suppression** — use with `--ignore-issue` |
+| `issueId` | string | Hash ID — NOT used for suppression |
+| `filePath` | string | Relative path from repo root |
+| `patternInfo.id` | string | Codacy pattern ID (tool_rule-name) |
+| `patternInfo.severityLevel` | string | Critical, High, Medium, Minor, Warning |
+| `patternInfo.category` | string | ErrorProne, Security, CodeStyle, Compatibility, BestPractice, etc. |
+| `toolInfo.name` | string | Tool name (ESLint, Biome, Opengrep, SQLint, etc.) |
+| `lineNumber` | number | Line where issue was found |
+| `message` | string | Human-readable issue description |
+| `deltaType` | string | "Added" (new in this PR) or "Fixed" |

.claude/skills/codacy

@@ -0,0 +1 @@
+../../.agents/skills/codacy

.codacy/.gitignore

@@ -0,0 +1 @@
+generated/