feat(forge): add /forge slash command for validation orchestration

Implement the /forge command with subcommands:
- /forge (or /forge run) - Run all validation agents
- /forge status - Show current validation status
- /forge config - Show configuration
- /forge agents - List available agents
- /forge check <agent> - Run specific agent only

Includes alias 'validate', category 'Development', comprehensive help text,
and 9 unit tests covering all subcommands.

Author: echobt

src/cortex-agents/src/forge/agents/aggregator.rs

@@ -106,22 +106,34 @@ impl ForgeResponse {
 
     /// Get critical findings count.
     pub fn critical_count(&self) -> usize {
-        self.finding_counts.get(&Severity::Critical).copied().unwrap_or(0)
+        self.finding_counts
+            .get(&Severity::Critical)
+            .copied()
+            .unwrap_or(0)
     }
 
     /// Get error findings count.
     pub fn error_count(&self) -> usize {
-        self.finding_counts.get(&Severity::Error).copied().unwrap_or(0)
+        self.finding_counts
+            .get(&Severity::Error)
+            .copied()
+            .unwrap_or(0)
     }
 
     /// Get warning findings count.
     pub fn warning_count(&self) -> usize {
-        self.finding_counts.get(&Severity::Warning).copied().unwrap_or(0)
+        self.finding_counts
+            .get(&Severity::Warning)
+            .copied()
+            .unwrap_or(0)
     }
 
     /// Get info findings count.
     pub fn info_count(&self) -> usize {
-        self.finding_counts.get(&Severity::Info).copied().unwrap_or(0)
+        self.finding_counts
+            .get(&Severity::Info)
+            .copied()
+            .unwrap_or(0)
     }
 }
 
@@ -299,8 +311,8 @@ impl ValidationAgent for AggregatorAgent {
         result.summary = forge_response.summary.clone();
 
         // Add a meta-finding with the ForgeResponse as JSON
-        let response_json = serde_json::to_string_pretty(&forge_response)
-            .map_err(AgentError::Serialization)?;
+        let response_json =
+            serde_json::to_string_pretty(&forge_response).map_err(AgentError::Serialization)?;
 
         // Store the full response in the summary for downstream consumers
         result.summary = format!(
@@ -408,10 +420,20 @@ fn generate_detailed_report(response: &ForgeResponse, all_findings: &[Finding])
     // Finding counts table
     report.push_str("\n### Findings by Severity\n\n");
     report.push_str("| Severity | Count |\n|----------|-------|\n");
-    for severity in [Severity::Critical, Severity::Error, Severity::Warning, Severity::Info] {
+    for severity in [
+        Severity::Critical,
+        Severity::Error,
+        Severity::Warning,
+        Severity::Info,
+    ] {
         let count = response.finding_counts.get(&severity).copied().unwrap_or(0);
         if count > 0 {
-            report.push_str(&format!("| {} {} | {} |\n", severity.icon(), severity.name(), count));
+            report.push_str(&format!(
+                "| {} {} | {} |\n",
+                severity.icon(),
+                severity.name(),
+                count
+            ));
         }
     }
 
@@ -428,15 +450,27 @@ fn generate_detailed_report(response: &ForgeResponse, all_findings: &[Finding])
     if !all_findings.is_empty() {
         report.push_str("### Detailed Findings\n\n");
 
-        for severity in [Severity::Critical, Severity::Error, Severity::Warning, Severity::Info] {
+        for severity in [
+            Severity::Critical,
+            Severity::Error,
+            Severity::Warning,
+            Severity::Info,
+        ] {
             if let Some(findings) = response.findings_by_severity.get(&severity) {
                 if !findings.is_empty() {
-                    report.push_str(&format!("#### {} {} Findings\n\n", severity.icon(), severity.name()));
+                    report.push_str(&format!(
+                        "#### {} {} Findings\n\n",
+                        severity.icon(),
+                        severity.name()
+                    ));
 
                     // Limit output to first 10 findings per severity
                     let display_count = findings.len().min(10);
                     for finding in findings.iter().take(display_count) {
-                        report.push_str(&format!("- **[{}]** {}\n", finding.rule_id, finding.message));
+                        report.push_str(&format!(
+                            "- **[{}]** {}\n",
+                            finding.rule_id, finding.message
+                        ));
                         if let Some(ref file) = finding.file {
                             report.push_str(&format!("  - File: `{}`", file.display()));
                             if let Some(line) = finding.line {
@@ -497,7 +531,10 @@ mod tests {
             ValidationStatus::Failed
         );
         assert_eq!(
-            combine_status(ValidationStatus::PassedWithWarnings, ValidationStatus::Passed),
+            combine_status(
+                ValidationStatus::PassedWithWarnings,
+                ValidationStatus::Passed
+            ),
             ValidationStatus::PassedWithWarnings
         );
     }

src/cortex-agents/src/forge/agents/mod.rs

@@ -145,7 +145,11 @@ pub struct RuleInfo {
 
 impl RuleInfo {
     /// Create a new rule info.
-    pub fn new(id: impl Into<String>, name: impl Into<String>, description: impl Into<String>) -> Self {
+    pub fn new(
+        id: impl Into<String>,
+        name: impl Into<String>,
+        description: impl Into<String>,
+    ) -> Self {
         Self {
             id: id.into(),
             name: name.into(),
@@ -236,7 +240,12 @@ impl Finding {
 
     /// Format finding as a human-readable string.
     pub fn format(&self) -> String {
-        let mut result = format!("{} [{}] {}", self.severity.icon(), self.rule_id, self.message);
+        let mut result = format!(
+            "{} [{}] {}",
+            self.severity.icon(),
+            self.rule_id,
+            self.message
+        );
 
         if let Some(ref file) = self.file {
             result.push_str(&format!("\n  at {}", file.display()));
@@ -332,17 +341,26 @@ impl ValidationResult {
 
     /// Check if validation passed (no errors or criticals).
     pub fn is_passed(&self) -> bool {
-        matches!(self.status, ValidationStatus::Passed | ValidationStatus::PassedWithWarnings)
+        matches!(
+            self.status,
+            ValidationStatus::Passed | ValidationStatus::PassedWithWarnings
+        )
     }
 
     /// Get all critical findings.
     pub fn critical_findings(&self) -> Vec<&Finding> {
-        self.findings.iter().filter(|f| f.severity == Severity::Critical).collect()
+        self.findings
+            .iter()
+            .filter(|f| f.severity == Severity::Critical)
+            .collect()
     }
 
     /// Get all error findings.
     pub fn error_findings(&self) -> Vec<&Finding> {
-        self.findings.iter().filter(|f| f.severity == Severity::Error).collect()
+        self.findings
+            .iter()
+            .filter(|f| f.severity == Severity::Error)
+            .collect()
     }
 }
 
@@ -482,7 +500,8 @@ impl ValidationContext {
 
     /// Add a previous result (for dependent agents).
     pub fn with_previous_result(mut self, result: ValidationResult) -> Self {
-        self.previous_results.insert(result.agent_id.clone(), result);
+        self.previous_results
+            .insert(result.agent_id.clone(), result);
         self
     }
 

src/cortex-agents/src/forge/agents/quality.rs

@@ -14,8 +14,7 @@ use tokio::fs;
 use tokio::io::AsyncBufReadExt;
 
 use super::{
-    AgentError, Finding, RuleInfo, Severity, ValidationAgent, ValidationContext,
-    ValidationResult,
+    AgentError, Finding, RuleInfo, Severity, ValidationAgent, ValidationContext, ValidationResult,
 };
 
 // ============================================================================
@@ -294,17 +293,17 @@ impl QualityAgent {
             // Check for bare .unwrap() calls (not followed by expect-like context)
             if line.contains(".unwrap()") {
                 // Check if it's in a test (heuristic: file or function name contains test)
-                let is_test_file = file_path
-                    .to_string_lossy()
-                    .contains("test")
+                let is_test_file = file_path.to_string_lossy().contains("test")
                     || file_path
                         .file_stem()
                         .map_or(false, |s| s.to_string_lossy().ends_with("_test"));
 
                 if !is_test_file {
                     // Check if the next line or same line has a comment explaining it
                     let has_context = line.contains("// ")
-                        && (line.contains("safe") || line.contains("always") || line.contains("guaranteed"));
+                        && (line.contains("safe")
+                            || line.contains("always")
+                            || line.contains("guaranteed"));
 
                     if !has_context {
                         findings.push(
@@ -342,7 +341,9 @@ impl QualityAgent {
                         .at_file(file_path)
                         .at_line(line_num)
                         .with_snippet(truncate_line(&line, 80))
-                        .with_suggestion("Handle the Result explicitly or use `_ = expr;` if intentional"),
+                        .with_suggestion(
+                            "Handle the Result explicitly or use `_ = expr;` if intentional",
+                        ),
                     );
                 }
             }
@@ -434,7 +435,9 @@ impl QualityAgent {
                         .at_file(file_path)
                         .at_line(line_num)
                         .with_snippet(truncate_line(trimmed, 80))
-                        .with_suggestion("Remove unused code or document why suppression is needed"),
+                        .with_suggestion(
+                            "Remove unused code or document why suppression is needed",
+                        ),
                 );
             }
         }

src/cortex-agents/src/forge/agents/security.rs

@@ -13,8 +13,7 @@ use tokio::fs;
 use tokio::io::AsyncBufReadExt;
 
 use super::{
-    AgentError, Finding, RuleInfo, Severity, ValidationAgent, ValidationContext,
-    ValidationResult,
+    AgentError, Finding, RuleInfo, Severity, ValidationAgent, ValidationContext, ValidationResult,
 };
 
 // ============================================================================
@@ -49,11 +48,7 @@ const SECRET_PATTERNS: &[(&str, &str)] = &[
 /// Patterns for base64-encoded or hex-encoded potential secrets.
 const ENCODED_SECRET_PATTERNS: &[&str] = &[
     // Common API key prefixes
-    "sk_live_",
-    "sk_test_",
-    "pk_live_",
-    "pk_test_",
-    "xox", // Slack tokens
+    "sk_live_", "sk_test_", "pk_live_", "pk_test_", "xox",  // Slack tokens
     "ghp_", // GitHub personal access token
     "gho_", // GitHub OAuth token
     "ghu_", // GitHub user-to-server token
@@ -64,7 +59,11 @@ const ENCODED_SECRET_PATTERNS: &[&str] = &[
 /// Known vulnerable crate patterns (simplified - in production would use advisory database).
 const VULNERABLE_CRATES: &[(&str, &str, &str)] = &[
     ("chrono", "<0.4.20", "RUSTSEC-2020-0159: Potential segfault"),
-    ("smallvec", "<0.6.14", "RUSTSEC-2019-0009: Double-free vulnerability"),
+    (
+        "smallvec",
+        "<0.6.14",
+        "RUSTSEC-2019-0009: Double-free vulnerability",
+    ),
     ("regex", "<1.5.5", "RUSTSEC-2022-0013: Denial of service"),
 ];
 
@@ -145,7 +144,8 @@ impl SecurityAgent {
 
             // Skip comments that are likely documentation
             let trimmed = line.trim();
-            if trimmed.starts_with("//") || trimmed.starts_with("///") || trimmed.starts_with("//!") {
+            if trimmed.starts_with("//") || trimmed.starts_with("///") || trimmed.starts_with("//!")
+            {
                 // Still check for actual secret values in comments
                 if !contains_suspicious_value(&line) {
                     continue;
@@ -226,10 +226,7 @@ impl SecurityAgent {
                         Finding::new(
                             rule_id,
                             severity,
-                            format!(
-                                "Vulnerable dependency: {} {} ({})",
-                                name, version, advisory
-                            ),
+                            format!("Vulnerable dependency: {} {} ({})", name, version, advisory),
                         )
                         .at_file(&cargo_lock)
                         .with_suggestion(format!("Update {} to a patched version", name)),
@@ -392,11 +389,15 @@ impl SecurityAgent {
                 && line.contains("format!")
             {
                 findings.push(
-                    Finding::new(rule_id, Severity::Error, "Potential SQL injection vulnerability")
-                        .at_file(file_path)
-                        .at_line(line_num)
-                        .with_snippet(truncate_line(&line, 80))
-                        .with_suggestion("Use parameterized queries instead of string formatting"),
+                    Finding::new(
+                        rule_id,
+                        Severity::Error,
+                        "Potential SQL injection vulnerability",
+                    )
+                    .at_file(file_path)
+                    .at_line(line_num)
+                    .with_snippet(truncate_line(&line, 80))
+                    .with_suggestion("Use parameterized queries instead of string formatting"),
                 );
             }
         }
@@ -571,7 +572,10 @@ fn looks_like_hardcoded_secret(line: &str) -> bool {
         if let Some(end_quote) = line[start_quote + 1..].find('"') {
             let value = &line[start_quote + 1..start_quote + 1 + end_quote];
             // Long alphanumeric strings are suspicious
-            if value.len() > 20 && value.chars().all(|c| c.is_alphanumeric() || c == '_' || c == '-')
+            if value.len() > 20
+                && value
+                    .chars()
+                    .all(|c| c.is_alphanumeric() || c == '_' || c == '-')
             {
                 return true;
             }
@@ -649,9 +653,13 @@ mod tests {
 
     #[test]
     fn test_looks_like_hardcoded_secret() {
-        assert!(!looks_like_hardcoded_secret("let api_key = env!(\"API_KEY\");"));
+        assert!(!looks_like_hardcoded_secret(
+            "let api_key = env!(\"API_KEY\");"
+        ));
         assert!(!looks_like_hardcoded_secret("api_key: \"${API_KEY}\""));
-        assert!(!looks_like_hardcoded_secret("password: \"your_password_here\""));
+        assert!(!looks_like_hardcoded_secret(
+            "password: \"your_password_here\""
+        ));
     }
 
     #[test]

src/cortex-agents/src/forge/config.rs

@@ -583,12 +583,13 @@ impl ConfigLoader {
             return Ok(None);
         }
 
-        let content = tokio::fs::read_to_string(&config_file)
-            .await
-            .map_err(|e| ConfigError::ReadError {
-                path: config_file.clone(),
-                source: e,
-            })?;
+        let content =
+            tokio::fs::read_to_string(&config_file)
+                .await
+                .map_err(|e| ConfigError::ReadError {
+                    path: config_file.clone(),
+                    source: e,
+                })?;
 
         let config = toml::from_str(&content).map_err(|e| ConfigError::ParseError {
             path: config_file,
@@ -630,12 +631,12 @@ impl ConfigLoader {
                     continue;
                 }
 
-                let content = tokio::fs::read_to_string(&rules_file)
-                    .await
-                    .map_err(|e| ConfigError::ReadError {
+                let content = tokio::fs::read_to_string(&rules_file).await.map_err(|e| {
+                    ConfigError::ReadError {
                         path: rules_file.clone(),
                         source: e,
-                    })?;
+                    }
+                })?;
 
                 let rules: AgentRulesFile =
                     toml::from_str(&content).map_err(|e| ConfigError::ParseError {
@@ -752,7 +753,9 @@ priority = 5
         assert!(config.global.fail_fast);
         assert_eq!(config.defaults.timeout_seconds, 180);
 
-        let security = config.get_agent("security").expect("should have security agent");
+        let security = config
+            .get_agent("security")
+            .expect("should have security agent");
         assert_eq!(security.name, "Security Scanner");
         assert_eq!(security.priority, 10);
         assert_eq!(security.depends_on, vec!["lint"]);