
feat(skills): /unblock — operator decisions queue, sensitivity-leak-safe #34

Merged
samtuckerdavis merged 1 commit into main from operator-cmd/unblock
Apr 25, 2026

Conversation

@OriginalGary
Contributor

Summary

Adds /unblock — third and last of the operator-level slash commands. Surfaces every pending decision only the operator can make, with copy-paste-ready next actions. Three sections: credentials, decisions, sensitivity escalations.

Also adds the documenting "Operator commands" section to .claude/rules/tooling-reference.md (surgical edit — does not re-sync the rest of the rule file).

Stack-independent — branched fresh from main, doesn't depend on PRs #32 (/run) or #33 (/merge) being merged.

Why

Pipeline produces work that humans-only can resolve: rotate this credential, settle this decision, choose a sensitivity tier for this issue. Without /unblock these items pile up invisibly inside /run's human-gate section, mixed with "needs persona-qa" and other passive waits. /unblock is the active list — every row has a button to push.

Specific actions, not generic instructions

The whole value of this command is replacing "fix the GCP creds" (operator goes off to find which dashboard) with "Fix at: https://console.cloud.google.com/iam-admin/iam?project=". If a row can't carry a concrete URL or gh command, the row doesn't belong in /unblock — it belongs in /run's human-gate section.

Sensitivity-section confidentiality

The sensitivity section is the most dangerous part of this command. STAGE 13 confidentiality leak rule (per context-repo.md) applies: the report must NEVER contain the private content itself. Repo+number + non-sensitive summary only.

If a sensitivity row can't be summarized without quoting the issue body, the row reads "operator: read issue body, no summary safe in this report" and links to the URL. The whole point of the section is that the operator sees WHICH items need a call without seeing WHAT's in them — the report can be screen-shared, the underlying issues cannot.

Hard rules

  • Never applies override labels (human-only per pipeline-nevers.md)
  • Never closes PRs or issues (surfaces gh close commands for the operator)
  • Never merges (that's /merge's queue)
  • Never invokes subagents (reads existing pipeline state only)
  • Sensitivity section never leaks content — checked at format time

Tooling-reference update

Adds an "Operator commands" section to .claude/rules/tooling-reference.md with two-line descriptions of /run, /merge, /unblock. This is the discoverability hook so future Claude sessions know the commands exist. Surgical diff — does not touch the rest of the file.

Test plan

  • Confirm SKILL.md frontmatter parses (verified locally)
  • Smoke-test the consumption path against the fixture log file (verified locally: 2 credentials, 1 decision, 0 sensitivity items extracted correctly from the run report shape)
  • After /run lands and produces a real run, invoke /unblock and verify all three sections render
  • Verify --section credentials correctly filters to one section
  • Critical: verify that on a sensitivity:private issue, the report row contains NO content from the issue body — only the repo/number + non-sensitive summary
  • Verify the --fix-mode reference in the credentials section works as a hand-off to /run

…tor section

Surfaces every pending decision only the operator can make. Three sections —
credentials, decisions, sensitivity. Reads the latest /run report (<30min
old) or derives via gh.

Every item has a specific actionable next step. Credentials carry the actual
URL or gh command (not generic "fix the secret"); decisions offer three
concrete resolutions (update decision, close, override label); sensitivity
escalations offer approve/recategorize/reject.

If an item lacks a specific action, it does NOT belong in /unblock — it
belongs in /run's stopped-at-human-gate section.

Critical hard rule: sensitivity section NEVER leaks private content.
Repo+number + non-sensitive summary only. STAGE 13 confidentiality leak
rule per context-repo.md applies. If a row can't be summarized without
quoting the issue body, write "operator: read issue body, no summary safe"
and link to the URL — never paraphrase private content.

Other hard rules (per pipeline-nevers.md):
- Never applies override labels itself (human-only)
- Never closes PRs/issues itself (surfaces gh close commands)
- Never merges (that's /merge's read-only queue)
- Never invokes subagents (reads existing pipeline state only)

Args: --section limits to one section, --repo scopes to one repo.
Model: sonnet (mostly structured retrieval; opus is overkill).
disable-model-invocation: true — operator-only.

Plus: adds an "Operator commands" section to .claude/rules/tooling-reference.md
documenting all three commands (/run, /merge, /unblock) with two-line
description per command. Surgical diff against the canonical rule set —
does not re-sync the rest of the file.
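
One way the format-time check on sensitivity rows could work, as an added example (not code from this PR or the project). The row layout, the three-word overlap threshold, the identifier heuristic and all sample data are assumptions; only the fallback wording comes from the PR description.

```python
import re

# Fallback wording quoted from the PR description.
FALLBACK = "operator: read issue body, no summary safe in this report"
SHINGLE = 3  # assumed threshold: 3 consecutive body words count as a quote


def _words(text):
    """Lowercased alphanumeric tokens; punctuation and markup are dropped."""
    return re.findall(r"[a-z0-9]+", text.lower())


def _shingles(words, n):
    """All runs of n consecutive words."""
    return {tuple(words[i:i + n]) for i in range(len(words) - n + 1)}


def leaks_body(summary, body):
    """True if the summary reuses wording or identifiers from the private body."""
    s, b = _words(summary), _words(body)
    if not s:
        return False
    n = min(SHINGLE, len(s))  # short summaries are compared whole (fails closed)
    if _shingles(s, n) & _shingles(b, n):
        return True
    # A single copied identifier (account ref, key id) never forms a shingle,
    # so identifier-like tokens are checked on their own.
    ids = {w for w in s if len(w) >= 6 and any(c.isdigit() for c in w)}
    return bool(ids & set(b))


def sensitivity_row(repo, number, url, summary, body):
    """Format one report row; the body is compared against, never emitted."""
    unsafe = not summary.strip() or leaks_body(summary, body)
    return f"{repo}#{number}: {FALLBACK if unsafe else summary} ({url})"


# Constructed sample data, not taken from any real issue.
BODY = ("Customer Acme Corp reported that invoice export exposes tax ids "
        "to other tenants. Account ref ab12cd34ef.")
URL = "https://github.example/example-org/private-repo/issues/7"

if __name__ == "__main__":
    for summary in ("needs sensitivity tier decision",
                    "invoice export exposes tax ids",
                    "see account ab12cd34ef"):
        print(sensitivity_row("example-org/private-repo", 7, URL, summary, BODY))
```

A check like this catches copied wording and copied identifiers; it cannot catch a paraphrase, which is why the rule above also forbids paraphrasing private content.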
@coderabbitai

coderabbitai Bot commented Apr 25, 2026

Warning

Rate limit exceeded

@OpenGaryBot has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 4 minutes and 55 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 4 minutes and 55 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 1108120d-eabd-4e55-ba9c-a46fd956bfd5

📥 Commits

Reviewing files that changed from the base of the PR and between 0157ede and acc070b.

📒 Files selected for processing (2)
  • .claude/rules/tooling-reference.md
  • claude-code/.claude/skills/unblock/SKILL.md

@samtuckerdavis samtuckerdavis merged commit 660e225 into main Apr 25, 2026
6 checks passed
@samtuckerdavis samtuckerdavis deleted the operator-cmd/unblock branch April 25, 2026 12:11