@clipboard-health/ai-rules 2.14.24 → 2.14.26

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@clipboard-health/ai-rules",
-  "version": "2.14.24",
+  "version": "2.14.26",
   "description": "Pre-built AI agent rules for consistent coding standards.",
   "keywords": [
     "ai",

package/skills/babysit-pr/SKILL.md

@@ -0,0 +1,290 @@
+---
+name: babysit-pr
+description: "Watch a PR through CI and review feedback: commit/push, wait for CI, auto-fix high-confidence failures, reply to active review threads, and summarize parsed CodeRabbit nitpicks with sentinel-tagged comments. Runs once by default; pass a short interval like `30s` or `2m` for best-effort same-turn polling; longer cadences should use an external loop wrapper. Use when the user says 'babysit my PR', 'watch my PR', 'keep my PR moving', 'respond to comments', or 'loop on CI'."
+argument-hint: "[interval]"
+---
+
+# Babysit PR
+
+Watch one PR through CI, auto-fix high-confidence failures, and leave a paper-trail reply on every active review thread and CodeRabbit nitpick. Threads stay open for human resolution — this skill only posts replies, it never resolves.
+
+This skill is self-contained: it does not invoke other skills. It works in Claude Code and Codex — no subagents, no `Skill` tool calls, no `!` command interpolation, no `$CLAUDE_PLUGIN_ROOT`.
+
+## Inputs
+
+Parse an optional interval from the invocation arguments if the host exposes them; otherwise read the user's request text.
+
+Recognize intervals with this regex (case-insensitive):
+
+```regex
+\b(\d+)\s*(s|sec|secs|second|seconds|m|min|mins|minute|minutes|h|hr|hrs|hour|hours)\b
+```
+
+Rules:
+
+- If multiple matches appear in the user's text, take the **first** match.
+- Accept a bare number as seconds **only** when the bare number is the entire argument (not embedded in prose).
+- Normalize to seconds: `s*=1`, `m*=60`, `h*=3600`.
+- Empty → one iteration, then exit with a summary.
+- Normalized `<= 240` → best-effort same-turn loop: `sleep <seconds>` between iterations.
+- Normalized `> 240` → run one pass, then report that longer cadences need an external loop wrapper (the Claude Code `/loop` skill or a shell `while` loop outside the agent). Do not sleep inside the agent turn — blocking `sleep` past ~5 minutes will exceed prompt-cache TTLs and may hit tool-call timeouts.
+
+## Sentinel
+
+The skill tags every reply it posts with:
+
+```html
+<!-- babysit-pr:addressed v1 -->
+```
+
+on its own line at the end of the body. This is how the skill knows, on re-runs, which threads and nitpicks it already handled.
+
+**Sentinel recency rules.** The script emits a per-thread `activityState` with three values:
+
+- **`active`** — no sentinel yet, OR at least one human commented after the last sentinel. Always handle this thread.
+- **`uncertain`** — a sentinel exists AND one or more bot comments appeared after it. The thread carries a `postSentinelBotComments` array listing EVERY such comment. You MUST read every entry in that array (not just the most recent — a later ack must not hide an earlier actionable finding), then decide:
+  - **Every** post-sentinel bot comment is a non-actionable acknowledgement (`"Thanks, resolved"`, `"LGTM"`, `"Learnings added"`, etc.) → mark the thread **Skip-reply**; do not post a new reply. (See step 6 — Skip-reply is a distinct classification from the `addressed` activityState value.)
+  - **Any** post-sentinel bot comment carries new actionable content (new nit, new finding, corrected diagnosis) → treat as **active**; reply again AND mention in the final summary that you reactivated an "uncertain" thread and why.
+  - If you cannot confidently classify every entry → default to **active** and flag it. Silence is the failure mode we are trying to avoid.
+- **`addressed`** — the sentinel is the newest relevant activity on the thread. Skip it.
+
+**Bot detection** uses two signals (union): GraphQL `author.__typename == "Bot"` (primary — catches every GitHub-tagged bot, including ones not on our allowlist), plus a name allowlist (for bots that post via a User-type service account). An unknown bot never falls through to human classification, so a new review bot won't cause an infinite re-reply loop.
+
+The bot detection exists ONLY to downgrade the default for post-sentinel bot activity from `"active"` to `"uncertain"`. It NEVER suppresses bot comments or marks a thread `"addressed"` on its own — CodeRabbit's review content would be lost if it did.
+
+For nitpicks, the script emits a stable `fingerprint` per nitpick (sha256 of file + line + title + body, no timestamp). Before posting a nitpick summary, search existing PR issue-comments for a prior babysit-pr sentinel comment that already contains those fingerprints; if every current fingerprint is already present in a prior sentinel comment, skip posting.
+
+## One iteration
+
+Each iteration is a procedure you execute as ordinary tool calls in the same agent turn. No subagents, no `Skill` tool, no `!` prefix.
+
+### 1. Preflight
+
+Script paths in this procedure are written as `scripts/...`, relative to this SKILL.md. Each host (Claude Code, Codex, …) resolves them from wherever it has the skill installed — do not try to derive an absolute path yourself; it will be wrong under at least one host.
+
+```bash
+git status --short
+```
+
+If non-empty, stop and report the dirty files. The skill refuses to start with uncommitted changes so it never sweeps up unrelated work.
+
+```bash
+gh auth status
+```
+
+If this fails, stop and tell the user to run `gh auth login`.
+
+### 2. Locate the PR
+
+```bash
+gh pr view --json number,url,headRefName,statusCheckRollup 2>/dev/null
+```
+
+If no PR exists for the current branch:
+
+- Verify there are commits ahead of the base branch: `git log --oneline @{u}..HEAD 2>/dev/null || git log --oneline origin/HEAD..HEAD`. If nothing is ahead, stop and report "no commits to push".
+- Push the branch and open a PR:
+
+  ```bash
+  git push -u origin HEAD
+  gh pr create --fill
+  ```
+
+- Re-fetch `gh pr view --json number,url,statusCheckRollup`.
+
+### 3. Wait for CI
+
+Wrap the watch call with a timeout so a hung check doesn't wedge the turn:
+
+```bash
+rc=0
+if command -v gtimeout >/dev/null 2>&1; then
+  gtimeout 600 gh pr checks --watch || rc=$?
+elif command -v timeout >/dev/null 2>&1; then
+  timeout 600 gh pr checks --watch || rc=$?
+else
+  gh pr checks --watch || rc=$?
+fi
+case $rc in 0|1|8|124) ;; *) exit $rc;; esac
+```
+
+Exit codes 0 (pass), 1 (fail), 8 (pending), and 124 (timeout) are expected and handled next. Other codes (auth errors, etc.) re-raise.
+
+### 4. Fetch review data
+
+```bash
+bash scripts/unresolvedPrComments.sh
+```
+
+The output JSON has:
+
+- `threads`: every unresolved review thread, with `threadId`, `replyToCommentDatabaseId`, `comments[]`, `lastBabysitSentinelAt`, `lastHumanCommentAt`, `lastBotCommentAt`, `postSentinelBotComments[]`, `postSentinelHumanComments[]`, and `activityState` (`"active"` / `"uncertain"` / `"addressed"`).
+- `activeThreads`: threads where `activityState != "addressed"` — these need attention this iteration (active AND uncertain).
+- `uncertainThreads`: just the uncertain subset. For each, read EVERY entry in `postSentinelBotComments` before deciding.
+- `nitpickComments`: parsed CodeRabbit nitpicks, each with a stable `fingerprint`.
+- `totalActiveThreads`, `totalUncertainThreads`, `totalNitpicks`, `totalUnresolvedComments` for quick checks.
+
+### 5. Handle CI failures (conservative)
+
+Run `bash scripts/fetchFailedLogs.sh` to stream failed output for every failing check on the PR. The first line is either:
+
+- `# babysit-pr: no failing checks` → skip to step 6.
+- `# babysit-pr: failing checks` → followed by one delimited block per failing job or external check:
+  - `# --- run=<id> job=<id> ---` blocks carry the job's `--log-failed` output (GitHub Actions).
+  - `# --- external check: <name> (<url>) ---` blocks carry no logs — the check isn't a GitHub Actions run (CircleCI, Nx Cloud, semgrep, CodeRabbit, Devin, etc.). Treat these like "External checks with no inspectable logs" in the diagnosis-only list below: stop and report, don't guess a fix.
+
+Read the logs and diagnose: **build/type errors first** (they cause cascading test failures), then lint/format, then tests.
+
+**Apply a fix directly** only when the cause is high-confidence and inside the PR's changed surface:
+
+- Compile/type errors in files the PR touched.
+- Deterministic lint/format violations (auto-fixable).
+- Tests that the PR broke by renaming/removing symbols they reference.
+- Missing test updates for intentional behavior changes.
+
+**Stop and report a diagnosis** (do not guess a fix) for:
+
+- Flaky / intermittent failures.
+- Infrastructure or provider outages.
+- Permission / auth / missing-secret failures.
+- Unrelated failures (touching code this PR didn't modify).
+- Ambiguous test intent.
+- External checks with no inspectable logs.
+
+Scope check: `gh pr diff --name-only`. This is PR-authoritative — works even if the local base ref is missing or stale (e.g., in fresh clones or CI sandboxes). A fix outside these files is out of scope — report it, don't apply it.
+
+### 6. Assess active review threads
+
+For every thread in `activeThreads` (this includes both `"active"` and `"uncertain"`):
+
+- Group comments by file; read each file once (not per comment).
+- If the referenced file no longer exists, record "comment may be outdated" and classify as **Already fixed**.
+- If `activityState == "uncertain"`, read EVERY entry in `postSentinelBotComments` (not just the newest):
+  - If EVERY entry is a non-actionable acknowledgement → mark the thread **Skip-reply** (the existing sentinel already covers the thread; posting again would be noise). Do not classify it Agree/Disagree/Already-fixed. Record this in the final summary so the skip is visible.
+  - If ANY entry carries new actionable content → treat the thread as new feedback and proceed below. Note in the final summary that an uncertain thread was reactivated, citing the specific comment.
+- For each remaining thread (i.e., NOT marked Skip-reply), pick one verdict — each of these will get a reply posted in step 9:
+  - **Agree** — the comment identifies a real issue. Apply the fix. Record the thread ID and a one-line what-changed.
+  - **Disagree** — the current code is acceptable. Record a short reasoning.
+  - **Already fixed** — a prior commit addresses the concern. Record a pointer (commit SHA, file:line).
+
+### 7. Assess nitpicks
+
+For every nitpick in `nitpickComments`:
+
+- Check whether its `fingerprint` already appears in a prior babysit-pr sentinel comment on the PR. If yes, skip.
+- Otherwise classify (Agree / Disagree / Already fixed) the same way as threads. If Agree, apply the fix.
+
+If no nitpicks remain after filtering, skip ONLY the top-level nitpick-summary comment in step 9. Still post thread replies for every non-Skip-reply thread from step 6.
+
+### 8. Commit and push (if any edits)
+
+If steps 5, 6, or 7 modified any files, decide:
+
+- **Which files are yours this iteration.** The worktree may contain unrelated in-progress work. Only stage files this iteration touched — if in doubt, run `git diff --name-only` and pick from that list deliberately.
+- **A focused commit message.** Prefer something like `babysit-pr: <one-line what-changed>`; the project's commitlint expects conventional-commit form, so a `fix(core): ...` or `docs(core): ...` prefix is usually right.
+
+Then run:
+
+```bash
+bash scripts/commitAndPush.sh "<message>" <file1> [<file2> ...]
+```
+
+The script enforces explicit staging (never `git add -A`), never skips hooks, and prints:
+
+```text
+sha=<commit-sha>
+url=https://github.com/<owner>/<repo>/commit/<sha>
+```
+
+Capture the `url=` line for the reply templates in step 9.
+
+### 9. Post replies
+
+For every thread assessed in step 6 that was NOT marked **Skip-reply** (i.e., one of Agree / Disagree / Already fixed):
+
+```bash
+bash scripts/postSentinelReply.sh "$THREAD_ID" "$BODY"
+```
+
+Skip-reply threads (uncertain threads where every post-sentinel bot comment was a non-actionable ack) are left alone — the existing sentinel already covers them.
+
+Body templates (the script appends the sentinel if missing):
+
+- **Agree**: `Addressed in <commit-url>. <one-line what-changed>.`
+- **Disagree**: `Leaving current behavior. <reasoning>.`
+- **Already fixed**: `Already handled by <commit-url-or-file:line>. <brief pointer>.`
+
+The script uses the `addPullRequestReviewThreadReply` GraphQL mutation. It does NOT resolve the thread.
+
+If any nitpicks were assessed in step 7, post ONE top-level PR comment summarizing all of them:
+
+```bash
+bash scripts/postSentinelPrComment.sh "$PR_NUMBER" "$BODY"
+```
+
+The nitpick summary body should:
+
+- Group verdicts under **Agree / Disagree / Already fixed** headings.
+- Include the commit URL for fixes.
+- Include every current nitpick's `fingerprint` in a fenced block at the end (one per line, before the sentinel) so future runs can dedupe.
+
+### 10. Summarize
+
+Report:
+
+- Commits made (with URLs).
+- CI checks fixed / still failing / skipped-with-diagnosis.
+- Review threads replied to, grouped by verdict.
+- Nitpicks summarized (or skipped because already covered).
+- Threads left active because of bot-acknowledgement uncertainty (flag by thread URL).
+- The stop condition triggered for this iteration (clean / stuck / continue / long-interval / sanity-cap).
+
+## Loop control
+
+After an iteration, pick exactly one outcome:
+
+- **Exit clean** — all CI checks passed AND every thread in `activeThreads` was either marked Skip-reply during step 6's inspection or has already received a fresh sentinel reply in this iteration, AND every current nitpick fingerprint is covered by an existing sentinel comment. Do not use raw `totalActiveThreads` from the script output — it is pre-inspection and will stay non-zero for Skip-reply cases. Report success and stop.
+- **Exit stuck** — iteration made no commits, posted no new replies, and no CI check changed state from the previous iteration. Report state and stop; tell the user to investigate.
+- **Continue** — interval set, normalized `<= 240`, not clean, not stuck:
+
+  ```bash
+  sleep <interval-seconds>
+  ```
+
+  Then go back to step 1.
+
+- **Long interval** — interval set, normalized `> 240`. Do not sleep. Run one pass, report state, and tell the user to wrap the call in an external loop (Claude Code `/loop <interval> /babysit-pr` or a shell `while true; do ...; sleep ...; done`).
+- **Sanity cap** — hard-stop at 20 iterations regardless, with a clear "sanity cap hit" message. The cap only applies to internal looping.
+
+## Portability notes
+
+- No `Task` subagent spawning — run everything inline.
+- No `Skill` tool calls — this skill never invokes `core:commit-push-pr`, `core:fix-ci`, or `core:unresolved-pr-comments`.
+- No `!` slash-command prefix in code fences — the agent runs these as ordinary bash.
+- No `$CLAUDE_PLUGIN_ROOT` and no host-specific path discovery. Script paths are relative bundled-resource paths like `scripts/unresolvedPrComments.sh`, resolved relative to this SKILL.md.
+- `argument-hint` is the only intentional nonstandard frontmatter key (included for Claude Code UX). If a strict Codex validator rejects it, move the key into a host-specific wrapper and keep this file's frontmatter to `name` + `description` only.
+
+## Examples
+
+### Example 1: single pass, exits stuck awaiting CI
+
+User: `babysit my PR`
+
+- No interval → one iteration.
+- Preflight OK, PR #482 found.
+- `gh pr checks --watch` times out at 600s — two checks still pending.
+- `unresolvedPrComments.sh` returns 0 active threads, 0 nitpicks.
+- No commits, no replies posted, CI state unchanged vs. start.
+- Outcome: **stuck**. Report: "CI still running after 10 min; no comments to address. Re-run `/babysit-pr 2m` once CI settles, or wait and invoke again."
+
+### Example 2: `babysit-pr 2m` loop, exits clean on iteration 3
+
+User: `babysit-pr 2m`
+
+- Iteration 1: CI green, 3 active threads (1 Agree, 1 Disagree, 1 Already-fixed), 2 nitpicks (both Agree). Apply fixes, commit `a1b2c3d`, post 3 thread replies + 1 nitpick summary. Not clean (CI needs to re-run), not stuck. `sleep 120`.
+- Iteration 2: CI fails (lint on the nitpick fix). Log shows unused import. High-confidence + in scope → remove import, commit `d4e5f6a`, push. Threads are all addressed. `sleep 120`.
+- Iteration 3: CI green, 0 active threads, 0 new nitpick fingerprints. **Exit clean.** Report final commit SHAs and reply URLs.
+
+## Input
+
+Interval: $ARGUMENTS

package/skills/babysit-pr/scripts/commitAndPush.sh

@@ -0,0 +1,72 @@
+#!/usr/bin/env bash
+# commitAndPush.sh — stage explicit files, commit, push, emit commit URL.
+#
+# Usage: bash commitAndPush.sh "<message>" <file1> [<file2> ...]
+#
+# Output on success (stdout):
+#   sha=<commit-sha>
+#   url=https://github.com/<owner>/<repo>/commit/<sha>
+#
+# Does NOT use `git add -A` — the caller MUST name every file to stage, so the
+# skill never sweeps up unrelated uncommitted work. Does NOT skip hooks
+# (no --no-verify); a hook failure surfaces as a non-zero exit.
+#
+# Exit 0 on success. Exit 1 on runtime errors. Exit 2 on usage errors.
+#
+# Requires: git, gh, jq.
+
+set -euo pipefail
+
+if [ $# -lt 2 ]; then
+  printf '{"error":"Usage: commitAndPush.sh <message> <file1> [file2 ...]"}\n' >&2
+  exit 2
+fi
+
+MSG="$1"; shift
+
+if [ -z "$MSG" ]; then
+  printf '{"error":"commit message cannot be empty"}\n' >&2
+  exit 2
+fi
+
+for cmd in git gh jq; do
+  if ! command -v "$cmd" >/dev/null 2>&1; then
+    printf '{"error":"%s not found"}\n' "$cmd" >&2
+    exit 1
+  fi
+done
+
+# Verify each path either exists on disk or is tracked (handles deletions).
+for path in "$@"; do
+  if [ ! -e "$path" ] && ! git ls-files --error-unmatch -- "$path" >/dev/null 2>&1; then
+    printf '{"error":"path not found and not tracked: %s"}\n' "$path" >&2
+    exit 1
+  fi
+done
+
+git add -- "$@"
+
+if git diff --cached --quiet; then
+  printf '{"error":"nothing staged after git add — check the listed files actually have changes"}\n' >&2
+  exit 1
+fi
+
+git commit -m "$MSG"
+git push
+
+SHA="$(git rev-parse HEAD)"
+
+REPO_JSON="$(gh repo view --json owner,name 2>/dev/null)" || {
+  printf '{"error":"could not determine repository"}\n' >&2
+  exit 1
+}
+OWNER="$(printf '%s' "$REPO_JSON" | jq -r '.owner.login')"
+REPO="$(printf '%s' "$REPO_JSON" | jq -r '.name')"
+
+if [ -z "$OWNER" ] || [ "$OWNER" = "null" ] || [ -z "$REPO" ] || [ "$REPO" = "null" ]; then
+  printf '{"error":"failed to parse owner/repo from gh output"}\n' >&2
+  exit 1
+fi
+
+printf 'sha=%s\n' "$SHA"
+printf 'url=https://github.com/%s/%s/commit/%s\n' "$OWNER" "$REPO" "$SHA"

package/skills/babysit-pr/scripts/fetchFailedLogs.sh

@@ -0,0 +1,117 @@
+#!/usr/bin/env bash
+# fetchFailedLogs.sh — stream failed-step logs for every failing check on a PR.
+#
+# Usage: bash fetchFailedLogs.sh [pr-number]
+#   pr-number: optional; defaults to the PR on the current branch.
+#
+# Output (plain text on stdout). First line is either:
+#   # babysit-pr: no failing checks
+# or:
+#   # babysit-pr: failing checks
+# followed by one delimited block per failing job:
+#   # --- run=<id> job=<id> ---
+#   <log body>
+#
+# Exit 0 on normal completion (with or without failures — caller checks the
+# first line). Exit 1 on infrastructure errors (gh missing, not authed, no PR).
+# Exit 2 on usage errors.
+#
+# Filter uses `bucket == "fail"` (gh CLI's normalized lowercase field) instead
+# of `.conclusion` because the two gh APIs disagree on case —
+# `gh pr view --json statusCheckRollup` returns UPPER (GraphQL enum),
+# `gh run view --json jobs` returns lower (REST). `bucket` sidesteps it.
+#
+# Requires: gh, jq.
+
+set -euo pipefail
+
+if ! command -v gh >/dev/null 2>&1; then
+  printf '{"error":"gh CLI not found"}\n' >&2
+  exit 1
+fi
+if ! command -v jq >/dev/null 2>&1; then
+  printf '{"error":"jq not found"}\n' >&2
+  exit 1
+fi
+if ! gh api user --jq '.login' >/dev/null 2>&1; then
+  printf '{"error":"not authenticated with GitHub — run: gh auth login"}\n' >&2
+  exit 1
+fi
+
+PR_ARG="${1:-}"
+
+if [ -n "$PR_ARG" ]; then
+  if ! printf '%s' "$PR_ARG" | grep -qE '^[0-9]+$'; then
+    printf '{"error":"invalid PR number: %s"}\n' "$PR_ARG" >&2
+    exit 2
+  fi
+  ROLLUP="$(gh pr view "$PR_ARG" --json statusCheckRollup --jq '.statusCheckRollup' 2>/dev/null)" \
+    || { printf '{"error":"could not fetch PR %s"}\n' "$PR_ARG" >&2; exit 1; }
+else
+  ROLLUP="$(gh pr view --json statusCheckRollup --jq '.statusCheckRollup' 2>/dev/null)" \
+    || { printf '{"error":"no PR for current branch"}\n' >&2; exit 1; }
+fi
+
+# Check-failure detection combines THREE signals because gh's rollup is a mix of
+# CheckRun (has .conclusion, GraphQL enum UPPER like "FAILURE") and StatusContext
+# (has .state, GraphQL enum UPPER like "FAILURE" or "ERROR"). .bucket is gh CLI's
+# normalized lowercase ("fail" / "pass" / ...) but isn't always populated on
+# every rollup entry — older gh versions, custom app integrations, and certain
+# status contexts have been observed with .bucket == null. Relying only on
+# .bucket silently drops those entries.
+FAILING_RAW="$(printf '%s' "$ROLLUP" \
+  | jq -r '
+      def normalized_bucket:
+        (.bucket // "") as $b
+        | (.conclusion // "" | ascii_downcase) as $c
+        | (.state // "" | ascii_downcase) as $s
+        | if $b == "fail" or $c == "failure" or $s == "failure" or $s == "error"
+          then "fail" else "" end;
+      .[]
+      | select(normalized_bucket == "fail")
+      | [.name // "unknown", .detailsUrl // ""]
+      | @tsv
+    ')"
+
+if [ -z "$FAILING_RAW" ]; then
+  echo "# babysit-pr: no failing checks"
+  exit 0
+fi
+
+# Partition into GitHub-Actions runs (we can fetch --log-failed) vs external
+# checks (CircleCI, Nx Cloud, semgrep, CodeRabbit, Devin, etc. — no inline logs).
+RUN_IDS=""
+EXTERNAL_BLOCK=""
+while IFS=$'\t' read -r NAME URL; do
+  [ -z "$NAME" ] && continue
+  # Match GitHub Actions run URLs specifically. A loose `.*/runs/([0-9]+)` would
+  # misclassify Nx Cloud (`cloud.nx.app/runs/<numeric>`) and other hosts that
+  # reuse the `/runs/` path as GitHub Actions runs.
+  RUN_ID="$(printf '%s' "$URL" | sed -nE 's#^https://github\.com/[^/]+/[^/]+/actions/runs/([0-9]+).*#\1#p')"
+  if [ -n "$RUN_ID" ]; then
+    RUN_IDS="$RUN_IDS $RUN_ID"
+  else
+    EXTERNAL_BLOCK="${EXTERNAL_BLOCK}"$'\n'"# --- external check: ${NAME} (${URL:-no URL}) ---"
+  fi
+done <<EOF
+$FAILING_RAW
+EOF
+RUN_IDS="$(printf '%s\n' $RUN_IDS | sort -u | tr '\n' ' ')"
+
+echo "# babysit-pr: failing checks"
+
+for RUN_ID in $RUN_IDS; do
+  for JOB_ID in $(gh run view "$RUN_ID" --json jobs \
+      --jq '.jobs[] | select(.conclusion == "failure") | .databaseId'); do
+    echo ""
+    echo "# --- run=$RUN_ID job=$JOB_ID ---"
+    gh run view --job "$JOB_ID" --log-failed
+  done
+done
+
+if [ -n "$EXTERNAL_BLOCK" ]; then
+  printf '%s\n' "$EXTERNAL_BLOCK"
+  echo ""
+  echo "# (no inline logs available for external checks — investigate via the URLs above;"
+  echo "#  treat these like \"External checks with no inspectable logs\" in step 5's guidance)"
+fi

package/skills/babysit-pr/scripts/parseNitpicks.sh

@@ -0,0 +1,132 @@
+#!/usr/bin/env bash
+# parseNitpicks.sh — Parse CodeRabbit nitpick comments from PR review bodies.
+# Copied from plugins/core/skills/unresolved-pr-comments/scripts/parseNitpicks.sh
+# with one addition: each emitted nitpick includes a stable `fingerprint` field
+# (sha256 of file + normalized line range + title + body), so reposted reviews
+# dedupe to the same fingerprint. Source review timestamps are kept as
+# `createdAt` metadata but NOT included in the fingerprint.
+#
+# Sourced by unresolvedPrComments.sh. Requires: jq, perl with Digest::SHA + Encode.
+
+extract_nitpick_comments() {
+  local reviews_json="$1"
+
+  printf '%s' "$reviews_json" | perl -e '
+use strict;
+use warnings;
+use JSON::PP;
+use Digest::SHA qw(sha256_hex);
+use Encode qw(encode_utf8);
+
+local $/;
+my $reviews_json = <STDIN>;
+my $reviews = decode_json($reviews_json);
+
+my $latest_review;
+my $latest_time = "";
+for my $review (@$reviews) {
+  my $author = $review->{author}{login} // "";
+  my $body = $review->{body} // "";
+  next unless $author eq "coderabbitai" && $body =~ /Nitpick comments/;
+  my $created = $review->{createdAt} // "";
+  if ($created gt $latest_time) {
+    $latest_time = $created;
+    $latest_review = $review;
+  }
+}
+
+unless ($latest_review) {
+  print "[]";
+  exit 0;
+}
+
+my $body = $latest_review->{body};
+my $author = $latest_review->{author}{login} // "deleted-user";
+my $created_at = $latest_review->{createdAt} // "";
+
+my $nitpick_content = extract_nitpick_section($body);
+unless (defined $nitpick_content) {
+  print "[]";
+  exit 0;
+}
+
+my @comments;
+while ($nitpick_content =~ /<details>\s*<summary>([^<]+?)\s+\(\d+\)<\/summary>\s*<blockquote>([\s\S]*?)<\/blockquote>\s*<\/details>/g) {
+  my $file_name = trim($1);
+  my $file_content = $2;
+
+  while ($file_content =~ /`(\d+(?:-\d+)?)`:\s*\*\*([^*]+)\*\*\s*([\s\S]*?)(?=---|\n`\d|<\/blockquote>|$)/g) {
+    my $line_range = $1;
+    my $title = trim($2);
+    my $clean_body = clean_comment_body(trim($3));
+
+    # Fingerprint: file + normalized line + title + body (NO timestamp,
+    # NO author — reposted reviews must dedupe to the same fingerprint).
+    my $fingerprint_input = join("\n", $file_name, $line_range, $title, $clean_body);
+    my $fingerprint = substr(sha256_hex(encode_utf8($fingerprint_input)), 0, 16);
+
+    push @comments, {
+      author      => $author,
+      body        => "$title\n\n$clean_body",
+      createdAt   => $created_at,
+      file        => $file_name,
+      fingerprint => $fingerprint,
+      line        => $line_range,
+      title       => $title,
+    };
+  }
+}
+
+print encode_json(\@comments);
+
+sub extract_nitpick_section {
+  my ($text) = @_;
+  if ($text =~ /<summary>\x{1f9f9} Nitpick comments \(\d+\)<\/summary>\s*<blockquote>/i) {
+    my $content_start = $+[0];
+    my $after = substr($text, $content_start);
+
+    my $depth = 1;
+    my @tags;
+    while ($after =~ /(<blockquote>|<\/blockquote>)/gi) {
+      my $tag = $1;
+      my $pos = $-[0];
+      my $is_open = ($tag =~ /^<blockquote>/i) ? 1 : 0;
+      push @tags, [$pos, $is_open];
+    }
+    for my $tag (@tags) {
+      $depth += $tag->[1] ? 1 : -1;
+      if ($depth == 0) {
+        return substr($after, 0, $tag->[0]);
+      }
+    }
+  }
+  return undef;
+}
+
+sub clean_comment_body {
+  my ($text) = @_;
+  my $prev = "";
+  while ($text ne $prev) {
+    $prev = $text;
+    $text =~ s/<details>(?:(?!<details>)[\s\S])*?<\/details>//g;
+  }
+  # Do NOT HTML-escape angle brackets: the nitpick body is posted back to GitHub
+  # as Markdown via `gh api`, where `&lt;`/`&gt;` would render literally and
+  # corrupt generic-type expressions or HTML snippets from the original review.
+  return trim($text);
+}
+
+sub trim {
+  my ($s) = @_;
+  $s =~ s/^\s+//;
+  $s =~ s/\s+$//;
+  return $s;
+}
+'
+}
+
+# Extract code scanning alert number from comment body.
+extract_code_scanning_alert_number() {
+  local body="$1"
+  printf '%s' "$body" | perl -ne 'print $1 if m{/code-scanning/(\d+)}'
+}

package/skills/babysit-pr/scripts/postSentinelPrComment.sh

@@ -0,0 +1,64 @@
+#!/usr/bin/env bash
+# postSentinelPrComment.sh — Post a top-level PR comment (used for nitpick summaries).
+# Appends the babysit-pr sentinel if missing.
+#
+# Usage: bash postSentinelPrComment.sh <pr-number> <body>
+#
+# Requires: gh, jq. Prints comment URL on stdout, or a JSON {"error": "..."} on failure.
+
+set -euo pipefail
+
+SENTINEL='<!-- babysit-pr:addressed v1 -->'
+
+if [ $# -lt 2 ]; then
+  printf '{"error":"Usage: postSentinelPrComment.sh <pr-number> <body>"}\n' >&2
+  exit 2
+fi
+
+PR_NUMBER="$1"
+BODY="$2"
+
+if ! printf '%s' "$PR_NUMBER" | grep -qE '^[0-9]+$'; then
+  printf '{"error":"Invalid PR number: %s"}\n' "$PR_NUMBER" >&2
+  exit 2
+fi
+if [ -z "$BODY" ]; then
+  printf '{"error":"body is required"}\n' >&2
+  exit 2
+fi
+
+case "$BODY" in
+  *"$SENTINEL") ;;
+  *)
+    BODY="${BODY}
+
+${SENTINEL}"
+    ;;
+esac
+
+repo_json="$(gh repo view --json owner,name 2>/dev/null)" || {
+  printf '{"error":"Could not determine repository."}\n' >&2
+  exit 1
+}
+owner="$(printf '%s' "$repo_json" | jq -r '.owner.login')"
+repo="$(printf '%s' "$repo_json" | jq -r '.name')"
+
+if [ -z "$owner" ] || [ "$owner" = "null" ] || [ -z "$repo" ] || [ "$repo" = "null" ]; then
+  printf '{"error":"Failed to parse repository info from gh output."}\n' >&2
+  exit 1
+fi
+
+result="$(gh api "repos/${owner}/${repo}/issues/${PR_NUMBER}/comments" \
+  --method POST \
+  -f "body=${BODY}" 2>&1)" || {
+  printf '{"error":%s}\n' "$(printf '%s' "$result" | jq -Rsc .)" >&2
+  exit 1
+}
+
+url="$(printf '%s' "$result" | jq -r '.html_url // empty')"
+if [ -z "$url" ]; then
+  printf '{"error":"comment posted but no URL returned","raw":%s}\n' "$(printf '%s' "$result" | jq -c .)" >&2
+  exit 1
+fi
+
+printf '%s\n' "$url"

package/skills/babysit-pr/scripts/postSentinelReply.sh

@@ -0,0 +1,68 @@
+#!/usr/bin/env bash
+# postSentinelReply.sh — Post a threaded reply to a PR review thread.
+# The body MUST end with the babysit-pr sentinel; this script enforces that.
+# Does NOT resolve the thread — that stays with the human.
+#
+# Usage: bash postSentinelReply.sh <thread-id> <body>
+#   <thread-id>: GraphQL PullRequestReviewThread.id (from unresolvedPrComments.sh .threads[].threadId)
+#   <body>: reply markdown. The sentinel will be appended if not already present.
+#
+# Requires: gh, jq. Prints reply URL on stdout, or a JSON {"error": "..."} on failure.
+
+set -euo pipefail
+
+SENTINEL='<!-- babysit-pr:addressed v1 -->'
+
+if [ $# -lt 2 ]; then
+  printf '{"error":"Usage: postSentinelReply.sh <thread-id> <body>"}\n' >&2
+  exit 2
+fi
+
+THREAD_ID="$1"
+BODY="$2"
+
+if [ -z "$THREAD_ID" ]; then
+  printf '{"error":"thread-id is required"}\n' >&2
+  exit 2
+fi
+if [ -z "$BODY" ]; then
+  printf '{"error":"body is required"}\n' >&2
+  exit 2
+fi
+
+# Ensure sentinel is present at the end.
+case "$BODY" in
+  *"$SENTINEL") ;;
+  *)
+    BODY="${BODY}
+
+${SENTINEL}"
+    ;;
+esac
+
+MUTATION='
+mutation($threadId: ID!, $body: String!) {
+  addPullRequestReviewThreadReply(input: { pullRequestReviewThreadId: $threadId, body: $body }) {
+    comment {
+      id
+      databaseId
+      url
+    }
+  }
+}'
+
+result="$(gh api graphql \
+  -f "query=${MUTATION}" \
+  -f "threadId=${THREAD_ID}" \
+  -f "body=${BODY}" 2>&1)" || {
+  printf '{"error":%s}\n' "$(printf '%s' "$result" | jq -Rsc .)" >&2
+  exit 1
+}
+
+url="$(printf '%s' "$result" | jq -r '.data.addPullRequestReviewThreadReply.comment.url // empty')"
+if [ -z "$url" ]; then
+  printf '{"error":"reply posted but no URL returned","raw":%s}\n' "$(printf '%s' "$result" | jq -c .)" >&2
+  exit 1
+fi
+
+printf '%s\n' "$url"

package/skills/babysit-pr/scripts/unresolvedPrComments.sh

@@ -0,0 +1,390 @@
+#!/usr/bin/env bash
+# unresolvedPrComments.sh — Fetch review threads + nitpicks for babysit-pr.
+# Extended from plugins/core/skills/unresolved-pr-comments/scripts/unresolvedPrComments.sh.
+# Adds: thread IDs, per-thread sentinel recency state, stable nitpick fingerprints.
+#
+# Usage: bash unresolvedPrComments.sh [pr-number]
+# Compatible with macOS bash 3.2. Requires: gh, jq (>= 1.5), perl with Digest::SHA.
+
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+# shellcheck source=parseNitpicks.sh
+source "${SCRIPT_DIR}/parseNitpicks.sh"
+
+SENTINEL='<!-- babysit-pr:addressed v1 -->'
+
+exec 3>&1
+
+output_error() {
+  printf '%s' "$1" | jq -Rsc '{ error: . }' >&3
+  exit 1
+}
+
+validate_prerequisites() {
+  if ! command -v jq >/dev/null 2>&1; then
+    printf '{"error":"jq not found. Install from https://stedolan.github.io/jq"}\n' >&3
+    exit 1
+  fi
+  if ! command -v gh >/dev/null 2>&1; then
+    output_error "gh CLI not found. Install from https://cli.github.com"
+  fi
+  if ! command -v perl >/dev/null 2>&1; then
+    output_error "perl not found."
+  fi
+  if ! perl -MDigest::SHA -e1 >/dev/null 2>&1; then
+    output_error "Perl Digest::SHA module not found (should be in core Perl since 5.9.3)."
+  fi
+  if ! gh api user --jq '.login' >/dev/null 2>&1; then
+    output_error "Not authenticated with GitHub. Run: gh auth login"
+  fi
+}
+
+get_pr_number() {
+  local arg="${1:-}"
+  if [ -n "$arg" ]; then
+    if ! printf '%s' "$arg" | grep -qE '^[0-9]+$'; then
+      output_error "Invalid PR number: ${arg}"
+    fi
+    printf '%s' "$arg"
+    return
+  fi
+
+  local pr_json
+  if ! pr_json="$(gh pr view --json number 2>/dev/null)"; then
+    output_error "No PR found for current branch. Provide PR number as argument."
+  fi
+
+  local pr_num
+  pr_num="$(printf '%s' "$pr_json" | jq -r '.number // empty')"
+  if [ -z "$pr_num" ]; then
+    output_error "No PR found for current branch. Provide PR number as argument."
+  fi
+  printf '%s' "$pr_num"
+}
+
+get_repo_info() {
+  local repo_json
+  if ! repo_json="$(gh repo view --json owner,name 2>/dev/null)"; then
+    output_error "Could not determine repository. Are you in a git repo with a GitHub remote?"
+  fi
+
+  REPO_OWNER="$(printf '%s' "$repo_json" | jq -r '.owner.login // empty')"
+  REPO_NAME="$(printf '%s' "$repo_json" | jq -r '.name // empty')"
+
+  if [ -z "$REPO_OWNER" ] || [ -z "$REPO_NAME" ]; then
+    output_error "Failed to parse repository info from gh CLI output."
+  fi
+}
+
+# Pagination limits: 100 review threads, 20 comments per thread, 100 reviews.
+GRAPHQL_QUERY='
+query($owner: String!, $repo: String!, $pr: Int!) {
+  repository(owner: $owner, name: $repo) {
+    pullRequest(number: $pr) {
+      title
+      url
+      reviewThreads(first: 100) {
+        nodes {
+          id
+          isResolved
+          comments(first: 20) {
+            nodes {
+              id
+              databaseId
+              body
+              path
+              line
+              originalLine
+              createdAt
+              author {
+                login
+                __typename
+              }
+            }
+          }
+        }
+      }
+      reviews(first: 100) {
+        nodes {
+          body
+          author { login }
+          createdAt
+        }
+      }
+    }
+  }
+}'
+
+execute_graphql_query() {
+  local owner="$1" repo="$2" pr_number="$3"
+  local result
+  if ! result="$(gh api graphql \
+    -f "query=${GRAPHQL_QUERY}" \
+    -f "owner=${owner}" \
+    -f "repo=${repo}" \
+    -F "pr=${pr_number}" 2>&1)"; then
+    output_error "GraphQL query failed: ${result}"
+  fi
+  printf '%s' "$result"
+}
+
+is_code_scanning_alert_fixed() {
+  local owner="$1" repo="$2" alert_number="$3"
+  local result
+  if ! result="$(gh api "repos/${owner}/${repo}/code-scanning/alerts/${alert_number}" 2>/dev/null)"; then
+    return 1
+  fi
+
+  local state
+  state="$(printf '%s' "$result" | jq -r '.most_recent_instance.state // empty')"
+  [ "$state" = "fixed" ]
+}
+
+main() {
+  validate_prerequisites
+
+  local pr_number
+  pr_number="$(get_pr_number "${1:-}")"
+
+  get_repo_info
+  local owner="$REPO_OWNER"
+  local repo="$REPO_NAME"
+
+  local response
+  response="$(execute_graphql_query "$owner" "$repo" "$pr_number")"
+
+  if [ "$(printf '%s' "$response" | jq -r '.data.repository // empty')" = "" ]; then
+    output_error "Repository ${owner}/${repo} not found or not accessible."
+  fi
+  if [ "$(printf '%s' "$response" | jq -r '.data.repository.pullRequest // empty')" = "" ]; then
+    output_error "PR #${pr_number} not found or not accessible."
+  fi
+
+  local title url
+  title="$(printf '%s' "$response" | jq -r '.data.repository.pullRequest.title')"
+  url="$(printf '%s' "$response" | jq -r '.data.repository.pullRequest.url')"
+
+  # Build threads with sentinel recency state.
+  #
+  # Bot detection combines TWO signals (union, not intersection):
+  #   1. GraphQL `author.__typename == "Bot"` — catches every bot GitHub marks as such,
+  #      including bots not on our allowlist. This is the primary signal.
+  #   2. Login allowlist — catches GitHub Apps/Actions that post via a User-type service
+  #      account rather than a Bot account.
+  # An unknown bot whose login we don't recognize but which is type=Bot still gets
+  # classified correctly; we never fall back to treating it as a human.
+  #
+  # Per-thread emitted fields:
+  #   - threadId, replyToCommentDatabaseId, comments[], isResolved, file, line
+  #   - lastBabysitSentinelAt:     max createdAt of OUR sentinel replies (null if none)
+  #   - lastHumanCommentAt:        max createdAt of non-sentinel, non-bot comments
+  #   - lastBotCommentAt:          max createdAt of non-sentinel bot comments
+  #   - postSentinelBotComments:   ARRAY of every bot comment after lastBabysitSentinelAt
+  #                                (the agent inspects ALL of them; a later ack must not hide
+  #                                an earlier actionable bot comment)
+  #   - postSentinelHumanComments: ARRAY of every human comment after lastBabysitSentinelAt
+  #   - activityState: tri-state, one of:
+  #       "active"     — needs a reply (no sentinel yet, OR a human commented after our sentinel)
+  #       "uncertain"  — sentinel exists, but a bot posted after it; agent MUST inspect every
+  #                      entry in postSentinelBotComments and treat as active unless EVERY one
+  #                      is confidently a non-actionable acknowledgement
+  #       "addressed"  — our sentinel is the newest relevant activity on this thread
+  local bots_json='["coderabbitai","coderabbitai[bot]","dependabot","dependabot[bot]","github-actions","github-actions[bot]","github-advanced-security","github-advanced-security[bot]","renovate","renovate[bot]","renovate-bot","pre-commit-ci","pre-commit-ci[bot]","codecov","codecov[bot]","sonarcloud","sonarcloud[bot]"]'
+  local threads_json
+  threads_json="$(printf '%s' "$response" | jq --arg sentinel "$SENTINEL" --argjson bots "$bots_json" '
+    # Exact login equality via IN($bots[]) — do NOT use `inside($bots)`, which
+    # does substring matching for strings and would classify login "code" as a
+    # bot because it appears inside "codecov".
+    def is_bot: ((.author.__typename // "") == "Bot") or ((.author.login // "") | IN($bots[]));
+    def is_sentinel: ((.body // "") | contains($sentinel));
+    [
+      .data.repository.pullRequest.reviewThreads.nodes[]
+      | select(.isResolved == false)
+      | . as $t
+      | ($t.comments.nodes) as $comments
+      | {
+          threadId: $t.id,
+          isResolved: $t.isResolved,
+          replyToCommentDatabaseId: ($comments[0].databaseId // null),
+          file: ($comments[0].path // null),
+          line: ($comments[0].line // $comments[0].originalLine // null),
+          comments: [
+            $comments[] | {
+              id,
+              databaseId,
+              author: (.author.login // "deleted-user"),
+              authorType: (.author.__typename // null),
+              body,
+              createdAt,
+              file: .path,
+              line: (.line // .originalLine),
+              isBabysitSentinel: is_sentinel,
+              isKnownBot: is_bot
+            }
+          ],
+          lastBabysitSentinelAt: (
+            [$comments[] | select(is_sentinel) | .createdAt] | sort | last
+          ),
+          lastHumanCommentAt: (
+            [$comments[] | select(is_sentinel | not) | select(is_bot | not) | .createdAt]
+            | sort | last
+          ),
+          lastBotCommentAt: (
+            [$comments[] | select(is_sentinel | not) | select(is_bot) | .createdAt]
+            | sort | last
+          )
+        }
+      | . as $thread
+      | .postSentinelBotComments = (
+          if $thread.lastBabysitSentinelAt == null then []
+          else [
+            $comments[]
+            | select(is_bot)
+            | select(is_sentinel | not)
+            | select(.createdAt > $thread.lastBabysitSentinelAt)
+            | {
+                id,
+                createdAt,
+                author: (.author.login // "deleted-user"),
+                authorType: (.author.__typename // null),
+                body
+              }
+          ]
+          end
+        )
+      | .postSentinelHumanComments = (
+          if $thread.lastBabysitSentinelAt == null then []
+          else [
+            $comments[]
+            | select(is_bot | not)
+            | select(is_sentinel | not)
+            | select(.createdAt > $thread.lastBabysitSentinelAt)
+            | {
+                id,
+                createdAt,
+                author: (.author.login // "deleted-user"),
+                body
+              }
+          ]
+          end
+        )
+      | .activityState = (
+          if .lastBabysitSentinelAt == null then
+            "active"
+          elif (.postSentinelHumanComments | length) > 0 then
+            "active"
+          elif (.postSentinelBotComments | length) > 0 then
+            "uncertain"
+          else
+            "addressed"
+          end
+        )
+    ]
+  ')"
+
+  # Flattened unresolved_comments (retained for backward compat with the prose summary).
+  # Includes comments from "active" AND "uncertain" threads so the agent never misses new feedback.
+  local all_unresolved
+  all_unresolved="$(printf '%s' "$threads_json" | jq '[
+    .[]
+    | select(.activityState != "addressed")
+    | .comments[]
+    | select(.isBabysitSentinel | not)
+    | {
+        author,
+        body,
+        createdAt,
+        file,
+        line
+      }
+  ]')"
+
+  # Filter out fixed code-scanning alerts from github-advanced-security
+  local unresolved_comments="[]"
+  local count
+  count="$(printf '%s' "$all_unresolved" | jq 'length')"
+
+  local i=0
+  while [ "$i" -lt "$count" ]; do
+    local comment
+    comment="$(printf '%s' "$all_unresolved" | jq ".[$i]")"
+    local comment_author
+    comment_author="$(printf '%s' "$comment" | jq -r '.author')"
+
+    local keep=true
+    # GitHub Advanced Security's bot posts under either login depending on account
+    # type (app installation vs. direct). Match both forms.
+    case "$comment_author" in
+      "github-advanced-security"|"github-advanced-security[bot]")
+        local comment_body alert_number
+        comment_body="$(printf '%s' "$comment" | jq -r '.body')"
+        alert_number="$(extract_code_scanning_alert_number "$comment_body")"
+        if [ -n "$alert_number" ]; then
+          if is_code_scanning_alert_fixed "$owner" "$repo" "$alert_number"; then
+            keep=false
+          fi
+        fi
+        ;;
+    esac
+
+    if [ "$keep" = true ]; then
+      unresolved_comments="$(printf '%s' "$unresolved_comments" | jq --argjson c "$comment" '. + [$c]')"
+    fi
+
+    i=$((i + 1))
+  done
+
+  # Nitpicks from coderabbit review bodies
+  local reviews_json
+  reviews_json="$(printf '%s' "$response" | jq '[.data.repository.pullRequest.reviews.nodes[]]')"
+  local nitpick_comments
+  nitpick_comments="$(extract_nitpick_comments "$reviews_json")"
+
+  # Active threads: anything NOT yet addressed. Includes "uncertain" — agent must inspect.
+  local active_threads total_active_threads uncertain_threads total_uncertain_threads
+  active_threads="$(printf '%s' "$threads_json" | jq '[.[] | select(.activityState != "addressed")]')"
+  total_active_threads="$(printf '%s' "$active_threads" | jq 'length')"
+  uncertain_threads="$(printf '%s' "$threads_json" | jq '[.[] | select(.activityState == "uncertain")]')"
+  total_uncertain_threads="$(printf '%s' "$uncertain_threads" | jq 'length')"
+
+  local total_unresolved total_nitpicks
+  total_unresolved="$(printf '%s' "$unresolved_comments" | jq 'length')"
+  total_nitpicks="$(printf '%s' "$nitpick_comments" | jq 'length')"
+
+  jq -n \
+    --argjson activeThreads "$active_threads" \
+    --argjson nitpickComments "$nitpick_comments" \
+    --arg owner "$owner" \
+    --argjson prNumber "$pr_number" \
+    --arg repo "$repo" \
+    --arg sentinel "$SENTINEL" \
+    --arg title "$title" \
+    --argjson threads "$threads_json" \
+    --argjson totalActiveThreads "$total_active_threads" \
+    --argjson totalNitpicks "$total_nitpicks" \
+    --argjson totalUncertainThreads "$total_uncertain_threads" \
+    --argjson totalUnresolvedComments "$total_unresolved" \
+    --argjson uncertainThreads "$uncertain_threads" \
+    --argjson unresolvedComments "$unresolved_comments" \
+    --arg url "$url" \
+    '{
+      activeThreads: $activeThreads,
+      nitpickComments: $nitpickComments,
+      owner: $owner,
+      prNumber: $prNumber,
+      repo: $repo,
+      sentinel: $sentinel,
+      threads: $threads,
+      title: $title,
+      totalActiveThreads: $totalActiveThreads,
+      totalNitpicks: $totalNitpicks,
+      totalUncertainThreads: $totalUncertainThreads,
+      totalUnresolvedComments: $totalUnresolvedComments,
+      uncertainThreads: $uncertainThreads,
+      unresolvedComments: $unresolvedComments,
+      url: $url
+    }'
+}
+
+main "$@"

package/skills/simplify/SKILL.md

@@ -32,6 +32,8 @@ Review the same changes for hacky patterns:
 4. **Leaky abstractions**: exposing internal details that should be encapsulated, or breaking existing abstraction boundaries
 5. **Stringly-typed code**: using raw strings where constants, enums (string unions), or branded types already exist in the codebase
 6. **Unnecessary JSX nesting**: wrapper Boxes/elements that add no layout value — check if inner component props (flexShrink, alignItems, etc.) already provide the needed behavior
+7. **Nested conditionals**: ternary chains (`a ? x : b ? y : ...`), nested if/else, or nested switch 3+ levels deep — flatten with early returns, guard clauses, a lookup table, or an if/else-if cascade
+8. **Unnecessary comments**: comments explaining WHAT the code does (well-named identifiers already do that), narrating the change, or referencing the task/caller — delete; keep only non-obvious WHY (hidden constraints, subtle invariants, workarounds)
 
 ### Agent 3: Efficiency Review