66 changes: 63 additions & 3 deletions pr-review/action.yml
Expand Up @@ -8,6 +8,10 @@ inputs:
app_private_key:
description: 'GitHub App private key for generating a short-lived token (required for App-identity comments)'
required: false
spike_diagnostics:
description: 'Spike #261: enable empirical diagnostics for overlay reachability. Production callers MUST leave unset.'
required: false
default: 'false'
authorized_users:
description: 'Comma-separated list of GitHub usernames that bypass the association check. When set, any actor in this list is authorized regardless of org membership visibility. Takes precedence over the API-fallback collaborator check. See #253.'
required: false
Expand Down Expand Up @@ -243,8 +247,22 @@ runs:
shell: bash
run: echo "REVIEW_START_TIME=$(date -u +%Y-%m-%dT%H:%M:%SZ)" >> "$GITHUB_ENV"

- name: 'Spike #261: pre-cp diagnostics'
if: inputs.spike_diagnostics == 'true'
shell: bash
run: |
echo "===SPIKE-261 PRE-CP==="
echo "--- \$HOME/.claude/ state before cp ---"
ls -laR "$HOME/.claude/" 2>&1 | head -200 || echo "(directory does not exist)"
echo "--- /opt/claude/.claude dir tree (maxdepth 3) ---"
find /opt/claude/.claude -maxdepth 3 -type d 2>&1 | head -50 || echo "(not found)"
echo "===SPIKE-261 PRE-CP END==="

- name: Install overlay tree for claude-code-action CLI
shell: bash
# shellcheck disable=SC2016
env:
SPIKE_DIAG: ${{ inputs.spike_diagnostics }}
run: |
# GitHub Actions overrides HOME=/github/home in container jobs, discarding
# the image's baked HOME=/opt/claude. The CLI discovers $HOME/.claude/ which
Expand All @@ -255,15 +273,33 @@ runs:
# Tracking: https://github.com/glitchwerks/github-actions/issues/259
if [ -d /opt/claude/.claude ]; then
mkdir -p "$HOME/.claude"
cp -r /opt/claude/.claude/. "$HOME/.claude/"
if [ "$SPIKE_DIAG" = "true" ]; then
echo "===SPIKE-261 CP==="
echo "Running: cp -a /opt/claude/.claude/. \$HOME/.claude/"
fi
cp -a /opt/claude/.claude/. "$HOME/.claude/"
agent_count=$(find "$HOME/.claude/agents" -name '*.md' 2>/dev/null | wc -l || echo 0)
skill_count=$(find "$HOME/.claude/skills" -type f 2>/dev/null | wc -l || echo 0)
plugin_count=$(find "$HOME/.claude/plugins" -type d -mindepth 1 -maxdepth 1 2>/dev/null | wc -l || echo 0)
echo "Overlay installed: agents=${agent_count} skills=${skill_count} plugins=${plugin_count}"
if [ "$SPIKE_DIAG" = "true" ]; then
echo "===SPIKE-261 CP END==="
fi
else
echo "::warning::No baked overlay at /opt/claude/.claude — running without overlay tree"
fi

- name: 'Spike #261: post-cp diagnostics'
if: inputs.spike_diagnostics == 'true'
shell: bash
run: |
echo "===SPIKE-261 POST-CP==="
echo "--- \$HOME/.claude/ state after cp ---"
ls -laR "$HOME/.claude/" 2>&1 | head -200 || echo "(directory does not exist)"
echo "--- agents/ and skills/ dir counts ---"
find "$HOME/.claude/agents" "$HOME/.claude/skills" -maxdepth 2 -type d 2>/dev/null | wc -l || echo "0"
echo "===SPIKE-261 POST-CP END==="

- name: Generate App token
id: app-token
if: inputs.app_id != '' && inputs.app_private_key != ''
Expand All @@ -287,6 +323,19 @@ runs:
exit 1
fi

- name: 'Spike #261: build prompt suffix'
if: inputs.spike_diagnostics == 'true'
shell: bash
run: |
# Write the spike prompt suffix to GITHUB_ENV so it is available
# to the claude-code-action prompt: block below.
{
printf 'SPIKE_261_PROMPT_SUFFIX<<EOF\n'
printf '\n<!-- SPIKE-261 -->\n'
printf 'After your primary review, attempt to dispatch the `inquisitor` agent via the `Task` tool to deliver an adversarial second pass on this PR. Report the inquisitor'"'"'s findings in a separate section titled "## Inquisitor Second Pass". If the `Task` tool is unavailable or not recognized, state that explicitly (e.g. "Task tool not available") so we can confirm whether claude-code-action@v1 recognizes Task/Skill as allowedTools tokens.\n'
printf 'EOF\n'
} >> "$GITHUB_ENV"

- uses: anthropics/claude-code-action@v1
id: claude-review
if: steps.authz.outputs.skip != 'true' && steps.size-check.outputs.skip != 'true'
Expand All @@ -295,7 +344,7 @@ runs:
github_token: ${{ steps.token.outputs.value }}
use_sticky_comment: true
track_progress: true
claude_args: --max-turns ${{ env.EFFECTIVE_MAX_TURNS }} --model ${{ inputs.model }} --allowedTools "Bash(gh pr diff:*),Bash(gh pr review:*),Bash(gh pr view:*),Task,Skill"
claude_args: --max-turns ${{ env.EFFECTIVE_MAX_TURNS }} --model ${{ inputs.model }} --allowedTools "Bash(gh pr diff:*),Bash(gh pr review:*),Bash(gh pr view:*),Task,Skill,Read,Grep,Glob"
prompt: |
Review the pull request in repository ${{ github.repository }} (#${{ github.event.pull_request.number }}).

Expand All @@ -309,7 +358,18 @@ runs:
4. **Test coverage** — are new code paths tested? are edge cases and error paths covered?
5. **Documentation** — are public APIs, functions, and non-obvious logic commented or documented?

Post a summary comment on the PR. Where a specific line is problematic, post an inline review comment on that line using `gh pr review`. Be constructive and specific — cite the line and explain the concern and a suggested fix.
Post a summary comment on the PR. Where a specific line is problematic, post an inline review comment on that line using `gh pr review`. Be constructive and specific — cite the line and explain the concern and a suggested fix.${{ env.SPIKE_261_PROMPT_SUFFIX }}

- name: 'Spike #261: post-action diagnostics'
if: always() && inputs.spike_diagnostics == 'true'
shell: bash
run: |
echo "===SPIKE-261 POST-ACTION==="
echo "--- \$HOME/.claude/ state after claude-code-action ---"
ls -laR "$HOME/.claude/" 2>&1 | head -200 || echo "(directory does not exist)"
echo "--- Files added/changed since post-cp (checking mtime within last 10 min) ---"
find "$HOME/.claude" -newer /tmp -type f 2>/dev/null | head -50 || echo "(none or /tmp not available as reference)"
echo "===SPIKE-261 POST-ACTION END==="

- name: Record review checkpoint
if: github.event.action == 'synchronize' && steps.claude-review.outcome == 'success'
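Review bot: The `claude_args` line in the `anthropics/claude-code-action@v1` step adds `Read,Grep,Glob` to `--allowedTools` unconditionally, so the wider tool set reaches every caller rather than only runs with `spike_diagnostics` set, although the input description says production callers must leave the spike off. The agent reviews pull-request content it does not control, and the three tokens are listed without a path scope, so a review run can presumably read any file the job user can read while `gh pr review` remains available to post text. Gate the addition on the input, for example by ending the list with `Task,Skill${{ inputs.spike_diagnostics == 'true' && ',Read,Grep,Glob' || '' }}"`, or drop the three tools before this leaves draft. The `cp -r` to `cp -a` switch in the overlay-install step is likewise not gated on the input.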