From 80e7730be84ebddfc5439e32e19bb757a09bf40d Mon Sep 17 00:00:00 2001 From: AnExiledDev Date: Tue, 24 Feb 2026 23:59:14 +0000 Subject: [PATCH 1/2] Add git-workflow plugin with /ship and /pr:review commands Standalone git workflow commands that work independently of the EARS ticket lifecycle. /ship reviews changes, commits, pushes, and optionally creates a PR with user confirmation. /pr:review conducts aggressive analysis on any PR by number/URL or auto-detect and posts findings as a comment (never approves or merges). Both commands are optionally ticket-aware when context exists. --- .devcontainer/CHANGELOG.md | 4 + .devcontainer/CLAUDE.md | 1 + .devcontainer/config/defaults/settings.json | 3 +- .../.claude-plugin/marketplace.json | 8 + .../git-workflow/.claude-plugin/plugin.json | 7 + .../plugins/git-workflow/README.md | 125 +++++++ .../git-workflow/skills/pr-review/SKILL.md | 325 ++++++++++++++++++ .../plugins/git-workflow/skills/ship/SKILL.md | 314 +++++++++++++++++ docs/src/content/docs/reference/commands.md | 28 +- 9 files changed, 813 insertions(+), 2 deletions(-) create mode 100644 .devcontainer/plugins/devs-marketplace/plugins/git-workflow/.claude-plugin/plugin.json create mode 100644 .devcontainer/plugins/devs-marketplace/plugins/git-workflow/README.md create mode 100644 .devcontainer/plugins/devs-marketplace/plugins/git-workflow/skills/pr-review/SKILL.md create mode 100644 .devcontainer/plugins/devs-marketplace/plugins/git-workflow/skills/ship/SKILL.md diff --git a/.devcontainer/CHANGELOG.md b/.devcontainer/CHANGELOG.md index eb5e73f..032f14d 100644 --- a/.devcontainer/CHANGELOG.md +++ b/.devcontainer/CHANGELOG.md @@ -13,6 +13,10 @@ #### Claude Code Installation - **Post-start onboarding hook** (`99-claude-onboarding.sh`) — ensures `hasCompletedOnboarding: true` in `.claude.json` when token auth is configured; catches overwrites from Claude Code CLI/extension that race with `postStartCommand` +#### Git Workflow Plugin +- **`/ship`** — Combined commit/push/PR command with full code review, commit message approval, and AskUserQuestion confirmation before PR creation; optionally links to tickets if context exists +- **`/pr:review`** — Review any PR by number/URL or auto-detect from current branch; posts findings as PR comment with severity ratings; never approves or merges + ### Changed #### Claude Code Installation diff --git a/.devcontainer/CLAUDE.md b/.devcontainer/CLAUDE.md index c81e924..796109c 100644 --- a/.devcontainer/CLAUDE.md +++ b/.devcontainer/CLAUDE.md @@ -89,6 +89,7 @@ Declared in `settings.json` under `enabledPlugins`, auto-activated on start: - **protected-files-guard** — Blocks edits to secrets/lock files - **codeforge-lsp** — LSP for Python + TypeScript/JavaScript - **ticket-workflow** — EARS ticket workflow + auto-linking +- **git-workflow** — Standalone ship (commit/push/PR) + PR review - **notify-hook** — Desktop notifications on completion - **frontend-design** (Anthropic official) — UI/frontend design skill - **prompt-snippets** — Quick behavioral mode switches via /ps command diff --git a/.devcontainer/config/defaults/settings.json b/.devcontainer/config/defaults/settings.json index 8dbe63f..49d1ad3 100644 --- a/.devcontainer/config/defaults/settings.json +++ b/.devcontainer/config/defaults/settings.json @@ -65,7 +65,8 @@ "session-context@devs-marketplace": true, "auto-code-quality@devs-marketplace": true, "workspace-scope-guard@devs-marketplace": true, - "prompt-snippets@devs-marketplace": true + "prompt-snippets@devs-marketplace": true, + "git-workflow@devs-marketplace": true }, "autoUpdatesChannel": "latest" } diff --git a/.devcontainer/plugins/devs-marketplace/.claude-plugin/marketplace.json b/.devcontainer/plugins/devs-marketplace/.claude-plugin/marketplace.json index 415a22d..091018c 100644 --- a/.devcontainer/plugins/devs-marketplace/.claude-plugin/marketplace.json +++ b/.devcontainer/plugins/devs-marketplace/.claude-plugin/marketplace.json @@ -105,6 +105,14 @@ "source": "./plugins/prompt-snippets", "category": "productivity", "keywords": ["snippets", "prompts", "modes", "shortcuts"] + }, + { + "name": "git-workflow", + "description": "Standalone git workflow: ship (commit/push/PR) and PR review", + "version": "1.0.0", + "source": "./plugins/git-workflow", + "category": "workflow", + "keywords": ["git", "commit", "push", "pr", "review", "ship"] } ] } diff --git a/.devcontainer/plugins/devs-marketplace/plugins/git-workflow/.claude-plugin/plugin.json b/.devcontainer/plugins/devs-marketplace/plugins/git-workflow/.claude-plugin/plugin.json new file mode 100644 index 0000000..d71b563 --- /dev/null +++ b/.devcontainer/plugins/devs-marketplace/plugins/git-workflow/.claude-plugin/plugin.json @@ -0,0 +1,7 @@ +{ + "name": "git-workflow", + "description": "Standalone git workflow: review, commit, push, PR creation, and PR review", + "author": { + "name": "AnExiledDev" + } +} diff --git a/.devcontainer/plugins/devs-marketplace/plugins/git-workflow/README.md b/.devcontainer/plugins/devs-marketplace/plugins/git-workflow/README.md new file mode 100644 index 0000000..ae355ff --- /dev/null +++ b/.devcontainer/plugins/devs-marketplace/plugins/git-workflow/README.md @@ -0,0 +1,125 @@ +# git-workflow + +Claude Code plugin that provides standalone git workflow commands. Not tied to the EARS ticket lifecycle — works independently, but optionally links to tickets when context exists. + +## What It Does + +Provides two slash commands for shipping code and reviewing pull requests. + +### Slash Commands + +| Command | Description | +|---------|-------------| +| `/ship` | Review all changes, commit with a detailed message, push, and optionally create a PR | +| `/pr:review` | Review an existing PR by number/URL or auto-detect from current branch (never merges) | + +## How It Works + +### `/ship` Workflow + +``` +/ship [optional commit message hint] + │ + └─→ Gather context (git status, diff, branch, project rules) + │ + └─→ Full review (security, rules, quality, architecture, tests) + │ + └─→ Present findings → User decisions (fix/issue/ignore) + │ + └─→ Draft commit message → User approval + │ + └─→ Commit + Push + │ + └─→ AskUserQuestion: "Create a PR?" + │ + ├─→ Yes: Create PR (+ link ticket if context exists) + └─→ No: Done +``` + +### `/pr:review` Workflow + +``` +/pr:review [PR number, URL, or omit for auto-detect] + │ + └─→ Identify target PR (argument, auto-detect, or ask) + │ + └─→ Fetch PR details + diff + changed files + │ + └─→ Aggressive analysis (attack surface, threats, deps, rules, architecture, quality, tests, breaking changes) + │ + └─→ Present findings → User decisions (note/issue/ignore) + │ + └─→ Post review comment (NEVER approve/merge) +``` + +### Ticket Awareness + +Both commands are **optionally ticket-aware**: +- If a ticket number exists in the session context (from a prior `/ticket:work` call), it is linked in commit messages, PRs, and issue comments +- If reviewing a PR that references a ticket in its body (`Closes #N`, `Refs #N`), requirements are verified against the diff +- Neither command prompts for a ticket — they work fully standalone + +### Review Depth + +| Command | Review Depth | Purpose | +|---------|-------------|---------| +| `/ship` | Full (same as `/ticket:review-commit`) | Pre-commit gate — catches issues before they enter history | +| `/pr:review` | Aggressive (same as `/ticket:create-pr`) | Final gate — deep security, threat modeling, and architecture review | + +### Finding Severity Levels + +| Level | Meaning | +|-------|---------| +| Critical | Active vulnerability, data exposure, auth bypass, breaking production | +| High | Security weakness, significant bug, major pattern violation | +| Medium | Code smell, minor vulnerability, missing validation | +| Low | Style, optimization, minor improvements | +| Info | Observations, questions, future considerations | + +## Installation + +### CodeForge DevContainer + +Pre-installed and activated automatically — no setup needed. + +### From GitHub + +Use this plugin in any Claude Code setup: + +1. Clone the [CodeForge](https://github.com/AnExiledDev/CodeForge) repository: + + ```bash + git clone https://github.com/AnExiledDev/CodeForge.git + ``` + +2. Enable the plugin in your `.claude/settings.json`: + + ```json + { + "enabledPlugins": { + "git-workflow@/.devcontainer/plugins/devs-marketplace": true + } + } + ``` + + Replace `` with the absolute path to your CodeForge clone. + +## Plugin Structure + +``` +git-workflow/ +├── .claude-plugin/ +│ └── plugin.json # Plugin metadata +├── skills/ +│ ├── ship/ +│ │ └── SKILL.md # /ship command definition +│ └── pr-review/ +│ └── SKILL.md # /pr:review command definition +└── README.md # This file +``` + +## Requirements + +- Claude Code with plugin command support +- [GitHub CLI](https://cli.github.com/) (`gh`) installed and authenticated +- A GitHub repository as the working context diff --git a/.devcontainer/plugins/devs-marketplace/plugins/git-workflow/skills/pr-review/SKILL.md b/.devcontainer/plugins/devs-marketplace/plugins/git-workflow/skills/pr-review/SKILL.md new file mode 100644 index 0000000..fb47ed6 --- /dev/null +++ b/.devcontainer/plugins/devs-marketplace/plugins/git-workflow/skills/pr-review/SKILL.md @@ -0,0 +1,325 @@ +--- +description: Review an existing pull request without merging — post findings as PR comment +argument-hint: [PR number, URL, or omit for current branch] +disable-model-invocation: true +allowed-tools: Bash(gh:*), Bash(git:*), Read, Grep, Glob, AskUserQuestion +--- + +# /pr:review - Review Existing PR + +Review an existing pull request and post findings as a PR comment. NEVER approve or merge. + +## Input + +`$ARGUMENTS` - PR number (e.g., `42`), URL (e.g., `https://github.com/owner/repo/pull/42`), or empty to auto-detect from current branch. + +## Process + +### Phase 1: Identify Target PR + +**With argument:** +```bash +gh pr view $1 --json number,title,body,baseRefName,headRefName,additions,deletions,commits,files +``` + +**Without argument (auto-detect):** +```bash +gh pr view --json number,title,body,baseRefName,headRefName,additions,deletions,commits,files +``` + +**If both fail:** Use AskUserQuestion to prompt for PR number. + +Capture PR number for subsequent operations. + +Fetch the full diff: +```bash +gh pr diff $PR +``` + +### Phase 2: Gather Additional Context + +- Read changed files in full (not just diff) for deeper understanding of surrounding code +- Discover project rules: + ```bash + ls -la CLAUDE.md .claude/CLAUDE.md CLAUDE.local.md 2>/dev/null + ls -la .claude/rules/*.md 2>/dev/null + ``` +- Check if PR body references a ticket (parse for `#N`, `Closes #N`, `Refs #N`, `Fixes #N`) +- If ticket found, fetch it for requirements verification: + ```bash + gh issue view $TICKET --json number,title,body + ``` + +### Phase 3: Aggressive Analysis + +This review is DEEPER than a commit review — it is the final gate before merge. + +#### Attack Surface Analysis + +| Check | Look For | +|-------|----------| +| New Endpoints | Every new route/handler exposed | +| New Inputs | Every new user input vector | +| Permission Changes | Any auth/authz modifications | +| Data Flow | How data moves through new code | +| External Integrations | New API calls, webhooks, services | + +#### Threat Modeling (per feature) + +For each significant feature in the PR: +- What could an attacker exploit? +- What data could be exfiltrated? +- What operations could be abused? +- What rate limiting is needed? +- What audit logging is needed? + +#### Dependency Security + +```bash +# Check for new dependencies (adapt patterns to project) +gh pr diff $PR | grep -E '^\+.*"(dependencies|devDependencies)"' -A 50 +gh pr diff $PR | grep -E '^\+' -- "**/requirements*.txt" "**/package*.json" "**/Cargo.toml" "**/go.mod" "**/Gemfile" 2>/dev/null +``` + +| Check | Look For | +|-------|----------| +| New Dependencies | List all new packages + versions | +| Known CVEs | Check against vulnerability databases | +| Supply Chain | Typosquatting, maintainer reputation | +| License Compliance | License compatibility issues | + +#### Project Rules Adherence + +Check compliance with project-specific rules (deeper than commit review): + +1. **Discover rules**: + - Read `CLAUDE.md` or `.claude/CLAUDE.md` if present + - Read all files in `.claude/rules/*.md` + - Check `CLAUDE.local.md` for user-specific rules + +2. **Full diff review for compliance**: + - Check EVERY change against stated rules + - Note architectural patterns that should be followed + - Flag ALL deviations from documented conventions + +| Rule Source | Compliance | Notes | +|-------------|------------|-------| +| CLAUDE.md | OK / VIOLATION | [specifics] | +| rules/[name].md | OK / VIOLATION | [specifics] | + +#### Architecture Deep Dive + +| Check | Look For | +|-------|----------| +| Pattern Compliance | Full diff against established patterns | +| Coupling Analysis | New dependencies between modules | +| Scalability | O(n) analysis, potential bottlenecks | +| Error Propagation | How errors flow through new code | +| Recovery Strategies | Graceful degradation, retry logic | +| State Management | Race conditions, consistency issues | + +#### Code Quality Review + +| Check | Look For | +|-------|----------| +| Complexity | Nesting depth > 3, high cyclomatic complexity | +| Duplication | Copy-paste code, extractable shared logic | +| Naming | Unclear names, inconsistent conventions | +| Error Handling | Missing boundaries, generic catches, no recovery | +| SOLID Violations | God classes, tight coupling, leaky abstractions | +| Dead Code | Unreachable code, unused imports/variables | + +#### Test Analysis + +Evaluate against testing standards: + +| Check | Assess | +|-------|--------| +| Behavior Coverage | Are key behaviors tested? (not line count) | +| Test Quality | Do tests verify outcomes, not implementation? | +| Brittleness | Any tests that will break on refactor? | +| Over-testing | Trivial code with unnecessary tests? | +| Under-testing | Critical paths without tests? | +| Manual Test Plan | What cannot be automated | + +**AI testing pitfalls to flag**: +- Tests for trivial getters/setters +- Excessive edge cases (>5 per function) +- Tests asserting on implementation details +- Over-mocked tests that verify nothing + +#### Breaking Changes + +| Check | Look For | +|-------|----------| +| API Contracts | Changed request/response schemas | +| Database Schema | Migration requirements | +| Configuration | New env vars, changed defaults | +| Dependencies | Version bumps affecting consumers | + +#### Requirements Verification (if ticket found) + +Cross-reference each requirement from the linked ticket: + +| Requirement | Status | Evidence | +|-------------|--------|----------| +| [REQ text] | SATISFIED / PARTIAL / NOT MET | [file:line or explanation] | + +All acceptance criteria must be verified. + +### Phase 4: Present Findings + +Organize by severity: + +```markdown +## PR Review Findings + +### Critical (Must Fix Before Merge) +- [Finding]: [file:line] - [Impact] + +### High (Should Fix Before Merge) +- [Finding]: [file:line] - [Impact] + +### Medium (Fix Soon) +- [Finding]: [file:line] - [Impact] + +### Low (Nice to Have) +- [Finding]: [file:line] - [Impact] + +### Info (Observations) +- [Observation] + +### Project Rules Compliance +| Rule Source | Status | Details | +|-------------|--------|---------| +| ... | ... | ... | + +### Requirements Status (if ticket linked) +| Requirement | Status | Evidence | +|-------------|--------|----------| +| ... | ... | ... | + +### Threat Model Summary +| Feature | Primary Risks | Mitigations Present | +|---------|---------------|---------------------| +| ... | ... | ... | +``` + +If no findings in a severity level, omit that section. + +### Phase 5: User Decisions + +Use AskUserQuestion: + +``` +For each finding, select handling: +- NOTE: Include in PR review comment +- ISSUE: Create separate GitHub issue +- IGNORE: Don't include in review +``` + +### Phase 6: Create Issues (if selected) + +Group by category, include: +- PR number +- Branch name +- Link to original ticket (if found) + +```bash +gh issue create --title "[Category] findings from PR #[PR]" --body "$(cat <<'EOF' +## [Category] Findings from PR #[PR] + +**PR**: #[PR_NUMBER] +**Branch**: [branch] +[**Related Ticket**: #[TICKET] — only if ticket found] + +### Findings + +- [ ] [Finding 1] - `file:line` +- [ ] [Finding 2] - `file:line` + +### Context + +[Brief context about the PR's purpose] +EOF +)" +``` + +### Phase 7: Post Review Comment (NEVER APPROVE) + +```bash +gh pr review $PR --comment --body "$(cat <<'EOF' +## Automated Review + +**Status**: Requires human approval + +### Summary + +[Overall assessment - 2-3 sentences] + +### Critical Issues (Must Address) +- [Issue with file:line] + +### Required Changes +- [Specific change needed] + +### Suggestions +- [Nice-to-have improvements] + +### Project Rules Compliance +- [Summary of rules adherence] + +### Security Considerations +- [Key security points for human reviewer] + +### Test Coverage +- [Coverage assessment] +- [Manual test recommendations if applicable] + +### Requirements Status (if ticket linked) +| Requirement | Status | +|-------------|--------| +| ... | ... | + +### Related Issues Created +- #[N]: [Description] + +--- +*Automated review by Claude. Human approval required before merge.* +EOF +)" +``` + +### Phase 8: Report + +Output summary: + +```markdown +## Review Summary + +- **PR**: #[N] — [title] +- **Findings**: [Critical: N, High: N, Medium: N, Low: N, Info: N] +- **Review**: Posted as comment +- **Issues Created**: #[N]: [category] — or "None" +- **Ticket**: #[TICKET] requirements verified — or "No linked ticket" +``` + +## Rules + +- **NEVER approve or merge** — post review as comment only +- **Deeper than commit review** — this is the final gate before merge +- **Active threat modeling** required for each significant feature +- **All findings** categorized by severity with `file:line` references +- **User decides** what goes in the review comment +- **Check project rules** (CLAUDE.md, .claude/rules/*.md) thoroughly +- **Auto-detect ticket** from PR body if possible — never prompt for one +- **Read full files** for changed code, not just the diff +- Batch all GitHub operations + +## Severity Guide + +**Critical**: Active vulnerability, data exposure, auth bypass, breaking production +**High**: Security weakness, significant bug, major pattern violation +**Medium**: Code smell, minor vulnerability, missing validation +**Low**: Style, optimization, minor improvements +**Info**: Observations, questions, future considerations diff --git a/.devcontainer/plugins/devs-marketplace/plugins/git-workflow/skills/ship/SKILL.md b/.devcontainer/plugins/devs-marketplace/plugins/git-workflow/skills/ship/SKILL.md new file mode 100644 index 0000000..4017676 --- /dev/null +++ b/.devcontainer/plugins/devs-marketplace/plugins/git-workflow/skills/ship/SKILL.md @@ -0,0 +1,314 @@ +--- +description: Review changes, commit with detailed message, push, and optionally create pull request +argument-hint: [commit message hint] +disable-model-invocation: true +allowed-tools: Bash(gh:*), Bash(git:*), Read, Grep, Glob, AskUserQuestion +--- + +# /ship - Review, Commit, Push & Optional PR + +Review all changes, commit with a detailed message, push, and optionally create a pull request. Optionally links to tickets if context exists from `/ticket:work`. + +## Input + +`$ARGUMENTS` - Optional commit message hint or summary of changes. May be empty. + +## Process + +### Phase 1: Gather Context + +```bash +# Working tree state +git status +git diff HEAD +git diff --staged + +# Branch info +git branch --show-current +git log main..HEAD --oneline +git diff main...HEAD --stat + +# Discover project rules +ls -la CLAUDE.md .claude/CLAUDE.md CLAUDE.local.md 2>/dev/null +ls -la .claude/rules/*.md 2>/dev/null +``` + +Check for ticket context in the current session. If a ticket number is available from a prior `/ticket:work` call, note it for linking in later phases. Do NOT prompt for a ticket — this command works standalone. + +### Phase 2: Full Review + +Review ALL changes (staged + unstaged) with `file:line` references. + +#### Security Review + +| Check | Look For | +|-------|----------| +| Secrets | API keys, passwords, tokens, connection strings in code | +| Injection | SQL injection, command injection, XSS, CSRF | +| Auth/Authz | Missing auth checks, privilege escalation paths | +| Data Exposure | PII in logs, sensitive data in error messages | +| Dependencies | New dependencies with known vulnerabilities | +| Input Validation | Unvalidated user input, missing sanitization | + +#### Project Rules Adherence + +Check compliance with project-specific rules: + +1. **Discover rules**: + - Read `CLAUDE.md` or `.claude/CLAUDE.md` if present + - Read all files in `.claude/rules/*.md` + - Check `CLAUDE.local.md` for user-specific rules + +2. **Review for compliance**: + - Check if changes violate any stated rules + - Note architectural patterns that should be followed + - Flag deviations from documented conventions + +| Rule Source | Compliance | Notes | +|-------------|------------|-------| +| CLAUDE.md | OK / VIOLATION | [specifics] | +| rules/[name].md | OK / VIOLATION | [specifics] | + +#### Code Quality Review + +| Check | Look For | +|-------|----------| +| Complexity | Nesting depth > 3, high cyclomatic complexity | +| Duplication | Copy-paste code, extractable shared logic | +| Naming | Unclear names, inconsistent conventions | +| Error Handling | Missing boundaries, generic catches, no recovery | +| SOLID Violations | God classes, tight coupling, leaky abstractions | +| Dead Code | Unreachable code, unused imports/variables | + +#### Architecture Review + +| Check | Look For | +|-------|----------| +| Pattern Compliance | Deviations from established patterns | +| Coupling | Inappropriate dependencies, circular imports | +| API Contracts | Breaking changes, missing versioning | +| Cohesion | Mixed responsibilities, scattered logic | + +#### Test Review + +**Note**: If user indicates tests are not applicable or opts out, skip this section entirely and note "Tests: Skipped per user preference." + +| Check | Assess | +|-------|--------| +| Behavior Coverage | Are key behaviors tested? (not line count) | +| Test Quality | Do tests verify outcomes, not implementation? | +| Brittleness | Any tests that will break on refactor? | +| Over-testing | Trivial code with unnecessary tests? | +| Under-testing | Critical paths without tests? | + +### Phase 3: Present Findings + +Organize ALL findings by severity: + +```markdown +## Review Findings + +### Critical (Must Fix Before Commit) +- [Finding]: [file:line] - [Impact] + +### High (Should Fix Before Commit) +- [Finding]: [file:line] - [Impact] + +### Medium (Fix Soon) +- [Finding]: [file:line] - [Impact] + +### Low (Nice to Have) +- [Finding]: [file:line] - [Impact] + +### Info (Observations) +- [Observation] + +### Project Rules Compliance +| Rule Source | Status | Details | +|-------------|--------|---------| +| ... | ... | ... | +``` + +If no findings in a severity level, omit that section. + +### Phase 4: User Decisions on Findings + +Use AskUserQuestion to batch decisions: + +``` +For each category of findings, select handling: +- FIX: Address before commit +- ISSUE: Create GitHub issue for later +- IGNORE: Acknowledge and proceed +``` + +Allow multi-select within categories. + +### Phase 5: Fix Selected Items + +Address all items marked FIX. Re-run relevant checks after fixes. + +### Phase 6: Create Issues (if selected) + +For findings marked ISSUE, group by category: + +```bash +gh issue create --title "[Category] findings from [branch]" --body "$(cat <<'EOF' +## [Category] Findings + +**Source**: Branch `[branch]`, commit `[hash]` +[**Related Ticket**: #[TICKET] — only if ticket context exists] + +### Findings + +- [ ] [Finding 1] - `file:line` +- [ ] [Finding 2] - `file:line` + +### Context + +[Brief context about what was being implemented] +EOF +)" +``` + +Link to ticket if context exists. + +### Phase 7: Draft Commit Message + +```markdown +(): + + +- [Change description] +- [User-facing impact] + + +- [File/component changed] +- [Pattern used] + + +- Addressed: [list] +- Deferred to #[issue]: [list] +- Acknowledged: [list] + +Closes #[TICKET] (if completing all requirements — only if ticket context) +Refs #[TICKET] (if partial — only if ticket context) +``` + +Types: `feat`, `fix`, `refactor`, `test`, `docs`, `chore` + +If `$ARGUMENTS` provided a commit message hint, use it to inform the summary line. + +### Phase 8: User Sign-Off on Commit Message + +Present commit message for approval via AskUserQuestion. Allow edits. Do not proceed without explicit approval. + +### Phase 9: Commit & Push + +```bash +git add [specific files — never git add -A] +git commit -m "$(cat <<'EOF' +[approved message] +EOF +)" +git push -u origin $(git branch --show-current) +``` + +Stage specific files by name. Never use `git add .` or `git add -A`. + +### Phase 10: Ask About PR + +Use AskUserQuestion: + +``` +Changes committed and pushed to [branch]. + +Would you like to create a pull request? +- Yes: Create PR targeting main +- No: Done — just commit and push +``` + +If **No** → skip to Phase 12. + +### Phase 11: Create PR (conditional) + +```bash +gh pr create --title "(): " --body "$(cat <<'EOF' +## Summary + +- [1-3 bullet points of what this PR accomplishes] + +## Related Issue + +[Closes #TICKET / Refs #TICKET — only if ticket context exists] + +## Changes + +- [Component]: [What changed] + +## Testing + +- [ ] [How to test each change] + +--- +*PR created by Claude. Awaiting human review.* +EOF +)" +``` + +Capture PR number. + +If ticket context exists, post comment to the original issue: + +```bash +gh issue comment $TICKET --body "$(cat <<'EOF' +## Pull Request Created + +**PR**: #[PR_NUMBER] +**Branch**: [branch] + +### Status +- [x] PR created +- [ ] Human review pending +- [ ] Approved and merged + +--- +*PR created by Claude.* +EOF +)" +``` + +### Phase 12: Report + +Output summary: + +```markdown +## Ship Summary + +- **Commit**: [hash] on `[branch]` +- **Push**: [branch] → origin/[branch] +- **PR**: #[N] ([URL]) — or "Not created" +- **Issues Created**: #[N]: [category] — or "None" +- **Ticket**: #[TICKET] linked — or "Standalone (no ticket context)" +``` + +## Rules + +- **Full review is mandatory** — no skipping phases 2-3 +- **User MUST approve** commit message before committing +- **AskUserQuestion MUST confirm** before PR creation — never auto-create +- **NEVER auto-approve** PRs +- **Stage specific files** — never `git add .` or `git add -A` +- **Optionally ticket-aware** — link to ticket if context exists, never prompt for one +- **Batch** all GitHub operations +- **Check project rules** (CLAUDE.md, .claude/rules/*.md) thoroughly +- Present findings FIRST, then get decisions +- Fix selected items BEFORE drafting commit + +## Finding Severity Guide + +**Critical**: Security vulnerability, data loss risk, breaking production +**High**: Significant bug, major pattern violation, auth issue +**Medium**: Code smell, minor bug, missing validation +**Low**: Style issue, minor optimization, documentation gap +**Info**: Observations, questions, future considerations diff --git a/docs/src/content/docs/reference/commands.md b/docs/src/content/docs/reference/commands.md index 43e49ab..4355b16 100644 --- a/docs/src/content/docs/reference/commands.md +++ b/docs/src/content/docs/reference/commands.md @@ -144,6 +144,32 @@ Slash commands for issue and ticket management within Claude Code sessions. | `/ticket:create-pr` | Generate a PR from ticket context with security review | | `/ticket:review-commit` | Review commits against ticket requirements | +## Git Workflow Slash Commands + +Standalone slash commands for git operations within Claude Code sessions. These work independently of the ticket workflow but optionally link to tickets when context exists. + +| Command | Purpose | Example | +|---------|---------|---------| +| `/ship` | Review changes, commit, push, and optionally create a PR | `/ship` | +| `/pr:review` | Review an existing PR and post findings (never merges) | `/pr:review 42` | + +### `/ship` Workflow + +1. Gathers git context (status, diff, branch, project rules) +2. Conducts full review (security, rules, quality, architecture, tests) +3. Presents findings by severity — user decides what to fix, defer to issues, or ignore +4. Drafts commit message — user must approve before committing +5. Commits and pushes +6. Asks whether to create a PR — only creates if user confirms + +### `/pr:review` Workflow + +1. Identifies target PR (by number, URL, or auto-detects from current branch) +2. Fetches PR details, diff, and reads changed files in full +3. Conducts aggressive analysis (attack surface, threat modeling, dependencies, rules, architecture, quality, tests, breaking changes) +4. Presents findings — user selects what to include in review, create as issues, or ignore +5. Posts review comment to PR (never approves or merges) + ## GitHub CLI The GitHub CLI (`gh`) is pre-installed for repository operations. @@ -179,7 +205,7 @@ Commands come from different sources in the CodeForge setup: | Shell aliases | `cc`, `claude`, `ccw`, `ccraw`, `check-setup` | `setup-aliases.sh` writes to `.bashrc`/`.zshrc` | | Shell functions | `cc-tools` | `setup-aliases.sh` writes to `.bashrc`/`.zshrc` | | DevContainer features | `ccms`, `ccusage`, `ccburn`, `ruff`, `biome`, `sg`, etc. | `install.sh` in each feature directory | -| Slash commands | `/spec-new`, `/ticket:new`, etc. | Skill SKILL.md files in plugin directories | +| Slash commands | `/spec-new`, `/ticket:new`, `/ship`, `/pr:review`, etc. | Skill SKILL.md files in plugin directories | | External features | `gh`, `docker`, `node`, `bun`, `cargo` | Installed via `devcontainer.json` features | :::tip[Listing All Tools] From 0a7becc80bfa4a3bfe6a85c1b7f184a44ef609fa Mon Sep 17 00:00:00 2001 From: AnExiledDev Date: Wed, 25 Feb 2026 05:20:14 +0000 Subject: [PATCH 2/2] Fix 3 CodeRabbit issues from PR review - ship/SKILL.md: Add Edit, Write to allowed-tools so Phase 5 "Fix Selected Items" can actually modify files - pr-review/SKILL.md: Fix broken grep invocation where glob patterns after -- were treated as filenames instead of filtering stdin - README.md: Add `text` language tag to 3 unlabelled fenced code blocks (markdownlint MD040) --- .../plugins/devs-marketplace/plugins/git-workflow/README.md | 6 +++--- .../plugins/git-workflow/skills/pr-review/SKILL.md | 2 +- .../plugins/git-workflow/skills/ship/SKILL.md | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.devcontainer/plugins/devs-marketplace/plugins/git-workflow/README.md b/.devcontainer/plugins/devs-marketplace/plugins/git-workflow/README.md index ae355ff..cac9f55 100644 --- a/.devcontainer/plugins/devs-marketplace/plugins/git-workflow/README.md +++ b/.devcontainer/plugins/devs-marketplace/plugins/git-workflow/README.md @@ -17,7 +17,7 @@ Provides two slash commands for shipping code and reviewing pull requests. ### `/ship` Workflow -``` +```text /ship [optional commit message hint] │ └─→ Gather context (git status, diff, branch, project rules) @@ -38,7 +38,7 @@ Provides two slash commands for shipping code and reviewing pull requests. ### `/pr:review` Workflow -``` +```text /pr:review [PR number, URL, or omit for auto-detect] │ └─→ Identify target PR (argument, auto-detect, or ask) @@ -106,7 +106,7 @@ Use this plugin in any Claude Code setup: ## Plugin Structure -``` +```text git-workflow/ ├── .claude-plugin/ │ └── plugin.json # Plugin metadata diff --git a/.devcontainer/plugins/devs-marketplace/plugins/git-workflow/skills/pr-review/SKILL.md b/.devcontainer/plugins/devs-marketplace/plugins/git-workflow/skills/pr-review/SKILL.md index fb47ed6..a5ee7d5 100644 --- a/.devcontainer/plugins/devs-marketplace/plugins/git-workflow/skills/pr-review/SKILL.md +++ b/.devcontainer/plugins/devs-marketplace/plugins/git-workflow/skills/pr-review/SKILL.md @@ -78,7 +78,7 @@ For each significant feature in the PR: ```bash # Check for new dependencies (adapt patterns to project) gh pr diff $PR | grep -E '^\+.*"(dependencies|devDependencies)"' -A 50 -gh pr diff $PR | grep -E '^\+' -- "**/requirements*.txt" "**/package*.json" "**/Cargo.toml" "**/go.mod" "**/Gemfile" 2>/dev/null +gh pr diff $PR | grep -E '^\+' | grep -E 'requirements.*\.txt|package.*\.json|Cargo\.toml|go\.mod|Gemfile' ``` | Check | Look For | diff --git a/.devcontainer/plugins/devs-marketplace/plugins/git-workflow/skills/ship/SKILL.md b/.devcontainer/plugins/devs-marketplace/plugins/git-workflow/skills/ship/SKILL.md index 4017676..8a9ddeb 100644 --- a/.devcontainer/plugins/devs-marketplace/plugins/git-workflow/skills/ship/SKILL.md +++ b/.devcontainer/plugins/devs-marketplace/plugins/git-workflow/skills/ship/SKILL.md @@ -2,7 +2,7 @@ description: Review changes, commit with detailed message, push, and optionally create pull request argument-hint: [commit message hint] disable-model-invocation: true -allowed-tools: Bash(gh:*), Bash(git:*), Read, Grep, Glob, AskUserQuestion +allowed-tools: Bash(gh:*), Bash(git:*), Read, Grep, Glob, Edit, Write, AskUserQuestion --- # /ship - Review, Commit, Push & Optional PR