Skip to content

docs(skills): fix broken board commands, exit propagation, worktree policy, and skill contradictions#1851

Merged
steilerDev merged 1 commit into
betafrom
fix/1819-skill-defects
Jul 7, 2026
Merged

docs(skills): fix broken board commands, exit propagation, worktree policy, and skill contradictions#1851
steilerDev merged 1 commit into
betafrom
fix/1819-skill-defects

Conversation

@steilerDev

Copy link
Copy Markdown
Owner

Summary

  • Fix the broken gh project item-list --query board-status command (no such flag) in develop, epic-start, and release — replaced with the proven idempotent gh project item-add + item-edit pattern
  • Fix /exit propagating into batch-develop/release loops invoking /develop — the first item's /exit was terminating the whole batch/release session; excluded from mid-loop invocations, deferred to a single cleanup at the true end of each flow
  • Align worktree cleanup in develop/release/batch-develop with CLAUDE.md's flipped Session Isolation policy (PR docs: flip worktree policy — clean up worktrees when work is complete #1825): git worktree remove + git branch -D (force, since squash-merges fail -d's ancestry check) instead of the removed policy's "do not remove" stance or the undefined /exit shortcut
  • Fix fix-e2e's unsatisfiable branch-naming convention (no issue number ever exists for this skill) and its missing --base beta on PR creation
  • Fix epic-start's step 5→6 approval gap (posted the plan but never waited for user approval before proceeding); added a matching autonomy carve-out in epic-run
  • Fix dependabot's step 5c/5d contradiction on who commits/pushes, and stop dev-team-lead [MODE: commit] from creating a duplicate PR for an already-existing Dependabot PR
  • Fix review-pr's verdict-vocabulary mismatch (dev-team-lead [MODE: review] was instructed to post a gh pr review it has no access to post) and its required-checks list (was listing non-required jobs, omitting E2E Gates)
  • Fix release step 6's bare git push directly to beta (now routed through a proper branch+PR+CI+squash-merge cycle) and its circular/undefined epic-enriched PR body reference in step 2b (now defines the actual template)
  • Fix epic-close's stale step-count claim (13→8) and dead auto-fix.yml lint check (repointed to npm run lint directly, since no CI workflow runs lint)
  • Add the 5 undocumented skills (batch-develop, dependabot, fix-e2e, mini-epic, review-pr) to CLAUDE.md's Orchestration Skills table
  • Add the missing QA-test-file trailer rule to CLAUDE.md and develop's duplicate copy (co-located *.test.ts/*.test.tsx commits now require a qa-integration-tester trailer instead of incorrectly demanding backend-developer/frontend-developer)
  • Rename batch-develop's work-queue file to /tmp/batch-queue.md to stop colliding with /tmp/notes.md's release-feedback channel
  • Replace stale nameless Co-Authored-By: Claude Opus 4.6 trailers with the established 🤖 Generated with Claude Code footer for orchestrator-authored PR bodies (no canonical trailer exists for the orchestrator itself)

Fixes #1819

Test plan

  • All 26 spec items verified against the diff — exact match
  • 14/14 verification greps pass (board command, /exit, stale policy text, trailer duplication, step counts, dead workflow refs, etc.)
  • npx prettier --check clean on all touched files
  • Quality Gates pass in CI

Co-Authored-By: Claude dev-team-lead (Sonnet 4.6) noreply@anthropic.com

…olicy, and skill contradictions

Fixes #1819

Co-Authored-By: Claude dev-team-lead (Sonnet 4.6) <noreply@anthropic.com>
@steilerDev

Copy link
Copy Markdown
Owner Author

[security-engineer] Config-only review of PR #1851 (.claude/skills/*.md + CLAUDE.md, no server/, client/, or shared/ changes).

Scope confirmed: git diff origin/beta..HEAD touches only CLAUDE.md and 9 .claude/skills/*.md files (plus dev-team-lead memory notes) — no application code, no auth/session/crypto logic, no dependency changes.

1. Worktree cleanup bash sequences — safe

The new sequence (develop step 11, release steps 4e/7, batch-develop step 5):

git status --porcelain   # must be empty before proceeding
CURRENT_BRANCH=$(git branch --show-current)
WORKTREE_PATH=$(pwd)
BASE_REPO=$(git worktree list --porcelain | awk '/^worktree/{print $2; exit}')
cd "$BASE_REPO"
git worktree remove "$WORKTREE_PATH"
git branch -D "$CURRENT_BRANCH"
  • No rm -rf, no glob expansion, all variables quoted.
  • git worktree remove (without --force) has a built-in safety net: Git itself refuses to remove a worktree with modified tracked files or untracked files, independent of whether the agent actually honors the git status --porcelain comment-guard. Defense in depth even if the "must be empty" check is only a natural-language instruction rather than an executable if.
  • -D (force branch delete) is scoped correctly: only reached in develop/release after the PR has already merged, and batch-develop's variant explicitly gates on "skip if any items failed or worktree has uncommitted changes." CLAUDE.md's own Session Isolation section (already-merged, not part of this diff) carries the same "verify PR is merged first" and "never remove with uncommitted changes / active use" guardrails, so this PR's skill files are consistent with the governing policy, not diverging from it.
  • No remote branch deletion, no git push --force, no privileged git operations.

Minor (informational, non-blocking): the git status --porcelain guard is a comment, not an enforced conditional. Given git worktree remove's own refusal behavior backstops it, this is not a real gap — just noting for completeness.

2. Release step 6 — improvement, no bare push to beta

Confirmed: the old step 6 (bare git push on the lessons-learned commit directly to beta) is replaced with branch → commit → PR → CI gate poll → squash merge. This closes a path that bypassed branch protection / required status checks on beta. Good change.

3. No instructions bypass reviews/protections

Scanned the full diff for --no-verify, --force/-f push, gh pr merge --admin, disabled-check patterns, or any other protection-bypass language — none found. The review-pr verdict-logic fix is actually a protection strengthening: previously dev-team-lead [MODE: review] was instructed to post its own gh pr review, which it has no GitHub write access to do — meaning its verdict likely wasn't being counted toward the block/approve decision. The fix has it return VERDICT: APPROVED/VERDICT: CHANGES_REQUIRED as text, which the orchestrator now explicitly maps into the aggregate block/approve logic (request-changes blocks regardless of source). This closes a silent-bypass gap rather than opening one.

The new trailer rule (*.test.ts/*.test.tsxqa-integration-tester trailer, both in CLAUDE.md's Delegation Enforcement section and develop's copy) also strengthens attribution enforcement, consistent with the existing trailer-verification mechanism.

4. Command snippets — no untrusted-input interpolation

Checked all new/changed bash blocks (gh project item-add ... --url .../issues/<issue-number>, git branch -m fix/e2e-<run-id>-<short-description>, the worktree cleanup sequences, the dependabot push-ownership clarification). All placeholders (<issue-number>, <run-id>, <short-description>) are agent-filled from trusted internal sources (GitHub issue numbers, CI run IDs) at documentation-authoring time, not raw string interpolation of externally-supplied/untrusted data at execution time. No injection vector introduced.

Verdict

No security-relevant regressions. Changes are net-positive for process integrity (removes a beta bare-push path, fixes a review-verdict aggregation gap, tightens trailer enforcement).

APPROVED

@steilerDev steilerDev merged commit 7122fe1 into beta Jul 7, 2026
12 checks passed
@steilerDev steilerDev deleted the fix/1819-skill-defects branch July 7, 2026 23:53
@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

🎉 This PR is included in version 2.13.0-beta.20 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant