claude-dev-env 1.38.1 → 1.40.0

package/skills/pr-converge/scripts/test_check_bugbot_ci.py

@@ -0,0 +1,312 @@
+"""Tests for check_bugbot_ci silent-pass detection.
+
+Covers:
+- is_bugbot_run_clean returns True for completed success / completed neutral
+- is_bugbot_run_clean returns False for completed failure, in_progress, missing
+- is_bugbot_run_clean returns None when the gh CLI fails
+- main(--check-clean) returns 0 on clean, 1 on not-clean, and
+  EXIT_CODE_GH_ERROR on gh CLI failure (with stderr diagnostics)
+"""
+
+from __future__ import annotations
+
+import importlib.util
+import json
+import subprocess
+import sys
+from collections.abc import Iterator
+from pathlib import Path
+from types import ModuleType
+from unittest.mock import MagicMock, patch
+
+import pytest
+
+_SCRIPTS_DIRECTORY = Path(__file__).resolve().parent
+
+
+@pytest.fixture(scope="session")
+def check_bugbot_ci_module() -> Iterator[ModuleType]:
+    """Load check_bugbot_ci with full sys.path and sys.modules isolation.
+
+    Snapshots sys.path and sys.modules at session start; restores both
+    unconditionally at session teardown so sibling tests inherit a clean
+    loading environment. The production script performs its own
+    membership-guarded sys.path.insert during exec_module so its config
+    dependency resolves; that insert and any config.* modules it loads
+    are reverted on teardown.
+    """
+    module_path = _SCRIPTS_DIRECTORY / "check_bugbot_ci.py"
+    spec = importlib.util.spec_from_file_location("check_bugbot_ci", module_path)
+    assert spec is not None
+    assert spec.loader is not None
+    module = importlib.util.module_from_spec(spec)
+    sys_path_snapshot = list(sys.path)
+    sys_modules_snapshot = dict(sys.modules)
+    evicted_config_modules = {
+        each_module_name: sys.modules.pop(each_module_name)
+        for each_module_name in list(sys.modules)
+        if each_module_name == "config" or each_module_name.startswith("config.")
+    }
+    sys_modules_snapshot.update(evicted_config_modules)
+    spec.loader.exec_module(module)
+    try:
+        yield module
+    finally:
+        sys.path[:] = sys_path_snapshot
+        for each_new_module_name in list(sys.modules):
+            if each_new_module_name not in sys_modules_snapshot:
+                del sys.modules[each_new_module_name]
+        for each_module_name, each_module_value in sys_modules_snapshot.items():
+            sys.modules[each_module_name] = each_module_value
+
+
+def _make_completed_process(
+    stdout: str, returncode: int = 0
+) -> subprocess.CompletedProcess[str]:
+    process = MagicMock(spec=subprocess.CompletedProcess)
+    process.stdout = stdout
+    process.stderr = ""
+    process.returncode = returncode
+    return process
+
+
+def _build_stdout(*all_check_entries: dict[str, object]) -> str:
+    return "\n".join(json.dumps(each_entry) for each_entry in all_check_entries) + "\n"
+
+
+def test_should_return_true_when_bugbot_completed_with_success_conclusion(
+    check_bugbot_ci_module: ModuleType,
+) -> None:
+    stdout = _build_stdout(
+        {"name": "Cursor Bugbot", "status": "completed", "conclusion": "success"}
+    )
+    with patch.object(
+        check_bugbot_ci_module,
+        "_run_check_runs_api",
+        return_value=_make_completed_process(stdout),
+    ):
+        is_clean = check_bugbot_ci_module.is_bugbot_run_clean(
+            owner="acme", repo="repo", sha="abc"
+        )
+    assert is_clean is True
+
+
+def test_should_return_true_when_bugbot_completed_with_neutral_conclusion(
+    check_bugbot_ci_module: ModuleType,
+) -> None:
+    stdout = _build_stdout(
+        {"name": "bugbot", "status": "completed", "conclusion": "neutral"}
+    )
+    with patch.object(
+        check_bugbot_ci_module,
+        "_run_check_runs_api",
+        return_value=_make_completed_process(stdout),
+    ):
+        is_clean = check_bugbot_ci_module.is_bugbot_run_clean(
+            owner="acme", repo="repo", sha="abc"
+        )
+    assert is_clean is True
+
+
+def test_should_return_false_when_bugbot_completed_with_failure_conclusion(
+    check_bugbot_ci_module: ModuleType,
+) -> None:
+    stdout = _build_stdout(
+        {"name": "Cursor Bugbot", "status": "completed", "conclusion": "failure"}
+    )
+    with patch.object(
+        check_bugbot_ci_module,
+        "_run_check_runs_api",
+        return_value=_make_completed_process(stdout),
+    ):
+        is_clean = check_bugbot_ci_module.is_bugbot_run_clean(
+            owner="acme", repo="repo", sha="abc"
+        )
+    assert is_clean is False
+
+
+def test_should_return_false_when_bugbot_still_in_progress(
+    check_bugbot_ci_module: ModuleType,
+) -> None:
+    stdout = _build_stdout(
+        {"name": "Cursor Bugbot", "status": "in_progress", "conclusion": None}
+    )
+    with patch.object(
+        check_bugbot_ci_module,
+        "_run_check_runs_api",
+        return_value=_make_completed_process(stdout),
+    ):
+        is_clean = check_bugbot_ci_module.is_bugbot_run_clean(
+            owner="acme", repo="repo", sha="abc"
+        )
+    assert is_clean is False
+
+
+def test_should_return_false_when_no_bugbot_check_run_present(
+    check_bugbot_ci_module: ModuleType,
+) -> None:
+    stdout = _build_stdout(
+        {"name": "ci-other", "status": "completed", "conclusion": "success"}
+    )
+    with patch.object(
+        check_bugbot_ci_module,
+        "_run_check_runs_api",
+        return_value=_make_completed_process(stdout),
+    ):
+        is_clean = check_bugbot_ci_module.is_bugbot_run_clean(
+            owner="acme", repo="repo", sha="abc"
+        )
+    assert is_clean is False
+
+
+def test_should_return_false_when_first_bugbot_run_is_in_progress_even_if_later_one_clean(
+    check_bugbot_ci_module: ModuleType,
+) -> None:
+    stdout = _build_stdout(
+        {"name": "Cursor Bugbot", "status": "in_progress", "conclusion": None},
+        {"name": "Cursor Bugbot", "status": "completed", "conclusion": "success"},
+    )
+    with patch.object(
+        check_bugbot_ci_module,
+        "_run_check_runs_api",
+        return_value=_make_completed_process(stdout),
+    ):
+        is_clean = check_bugbot_ci_module.is_bugbot_run_clean(
+            owner="acme", repo="repo", sha="abc"
+        )
+    assert is_clean is False
+
+
+def test_should_return_false_when_first_bugbot_run_failed_even_if_later_one_clean(
+    check_bugbot_ci_module: ModuleType,
+) -> None:
+    stdout = _build_stdout(
+        {"name": "Cursor Bugbot", "status": "completed", "conclusion": "failure"},
+        {"name": "Cursor Bugbot", "status": "completed", "conclusion": "success"},
+    )
+    with patch.object(
+        check_bugbot_ci_module,
+        "_run_check_runs_api",
+        return_value=_make_completed_process(stdout),
+    ):
+        is_clean = check_bugbot_ci_module.is_bugbot_run_clean(
+            owner="acme", repo="repo", sha="abc"
+        )
+    assert is_clean is False
+
+
+def test_should_return_none_when_gh_cli_fails(
+    check_bugbot_ci_module: ModuleType,
+) -> None:
+    failing_process = MagicMock(spec=subprocess.CompletedProcess)
+    failing_process.stdout = ""
+    failing_process.stderr = "boom"
+    failing_process.returncode = 1
+    with patch.object(
+        check_bugbot_ci_module,
+        "_run_check_runs_api",
+        return_value=failing_process,
+    ):
+        is_clean = check_bugbot_ci_module.is_bugbot_run_clean(
+            owner="acme", repo="repo", sha="abc"
+        )
+    assert is_clean is None
+
+
+def test_main_check_clean_should_return_gh_error_code_when_gh_cli_fails(
+    check_bugbot_ci_module: ModuleType,
+    capsys: pytest.CaptureFixture[str],
+) -> None:
+    failing_process = MagicMock(spec=subprocess.CompletedProcess)
+    failing_process.stdout = ""
+    failing_process.stderr = "boom"
+    failing_process.returncode = 1
+    with patch.object(
+        check_bugbot_ci_module,
+        "_run_check_runs_api",
+        return_value=failing_process,
+    ):
+        exit_code = check_bugbot_ci_module.main(
+            ["--check-clean", "--owner", "acme", "--repo", "repo", "--sha", "abc"]
+        )
+    assert exit_code == check_bugbot_ci_module.EXIT_CODE_GH_ERROR
+    captured = capsys.readouterr()
+    assert "gh api error: boom" in captured.err
+
+
+def test_main_check_clean_should_return_zero_when_bugbot_clean(
+    check_bugbot_ci_module: ModuleType,
+    capsys: pytest.CaptureFixture[str],
+) -> None:
+    stdout = _build_stdout(
+        {"name": "Cursor Bugbot", "status": "completed", "conclusion": "success"}
+    )
+    with patch.object(
+        check_bugbot_ci_module,
+        "_run_check_runs_api",
+        return_value=_make_completed_process(stdout),
+    ):
+        exit_code = check_bugbot_ci_module.main(
+            ["--check-clean", "--owner", "acme", "--repo", "repo", "--sha", "abc"]
+        )
+    assert exit_code == 0
+    captured = capsys.readouterr()
+    assert "not clean" not in captured.out
+
+
+def test_main_check_clean_should_return_one_when_bugbot_not_clean(
+    check_bugbot_ci_module: ModuleType,
+    capsys: pytest.CaptureFixture[str],
+) -> None:
+    stdout = _build_stdout(
+        {"name": "Cursor Bugbot", "status": "completed", "conclusion": "failure"}
+    )
+    with patch.object(
+        check_bugbot_ci_module,
+        "_run_check_runs_api",
+        return_value=_make_completed_process(stdout),
+    ):
+        exit_code = check_bugbot_ci_module.main(
+            ["--check-clean", "--owner", "acme", "--repo", "repo", "--sha", "abc"]
+        )
+    assert exit_code == 1
+    captured = capsys.readouterr()
+    assert "not clean" in captured.out
+
+
+def test_main_check_active_should_return_zero_when_bugbot_in_progress(
+    check_bugbot_ci_module: ModuleType,
+) -> None:
+    stdout = _build_stdout(
+        {"name": "Cursor Bugbot", "status": "in_progress", "conclusion": None}
+    )
+    with patch.object(
+        check_bugbot_ci_module,
+        "_run_check_runs_api",
+        return_value=_make_completed_process(stdout),
+    ):
+        exit_code = check_bugbot_ci_module.main(
+            ["--check-active", "--owner", "acme", "--repo", "repo", "--sha", "abc"]
+        )
+    assert exit_code == 0
+
+
+def test_main_should_reject_check_clean_and_check_active_together(
+    check_bugbot_ci_module: ModuleType,
+    capsys: pytest.CaptureFixture[str],
+) -> None:
+    with pytest.raises(SystemExit):
+        check_bugbot_ci_module.main(
+            [
+                "--check-clean",
+                "--check-active",
+                "--owner",
+                "acme",
+                "--repo",
+                "repo",
+                "--sha",
+                "abc",
+            ]
+        )
+    captured = capsys.readouterr()
+    assert "not allowed with" in captured.err or "mutually exclusive" in captured.err

package/skills/pr-converge/workflows/schedule-wakeup-loop.md

@@ -4,21 +4,14 @@ Load this document for converge **loop pacing**. The pre-flight in `SKILL.md`
 guarantees `ScheduleWakeup` is available before any tick runs. Shared bugbot
 / bugteam / Fix protocol steps stay in the main `SKILL.md`.
 
-## Session behavior
-
-Call `ScheduleWakeup` from this same session so the next tick fires back into **this** transcript with the prior tick's state line and PR context still addressable.
-
 ## Calling ScheduleWakeup
 
-At end of tick (unless convergence or another stop condition already
-omitted pacing), call `ScheduleWakeup` with:
+At end of every tick — across all phases (BUGBOT, BUGTEAM, COPILOT_WAIT)
+without distinction — call `ScheduleWakeup` unless convergence or another
+stop condition already omitted pacing:
 
-- `delaySeconds: 270` whenever bugbot was just re-triggered (by the
-  bugbot re-trigger in `../reference/per-tick.md`, by Fix protocol's
-  mandatory re-trigger, or by BUGTEAM's same-tick re-trigger). Bugbot
-  finishes a review in 1–4 minutes, so 270s stays under the 5-minute
-  prompt-cache TTL with margin past bugbot's typical upper bound. The
-  exception is the BUGBOT inline-lag branch (see below).
+- `delaySeconds: 360` — default wakeup interval. Keeps the loop advancing
+  through all phases. Exception: BUGBOT inline-lag branch (see below).
 - `reason`: one short sentence on what is being awaited, including the
   current `phase` and `bugbot_clean_at` SHA when set.
 - `prompt: "/pr-converge"` — re-enters this skill on the next firing.

package/skills/qbug/SKILL.md

@@ -23,7 +23,7 @@ Shared artifacts with /bugteam are referenced below by path, using the `${CLAUDE
 - Code-rules gate script: `${CLAUDE_SKILL_DIR}/../../_shared/pr-loop/scripts/code_rules_gate.py`
 - Bug category rubric A–J: [`bugteam/PROMPTS.md`](../bugteam/PROMPTS.md#audit-spawn-prompt-xml-bugfind-teammate)
 - **Audit contract** (finding schema, proof-of-absence, adversarial pass, Haiku secondary, post-fix self-audit, diagnostics JSON): [`bugteam/reference/audit-contract.md`](../bugteam/reference/audit-contract.md)
-- PR comment lifecycle shape: [`bugteam/SKILL.md`](../bugteam/SKILL.md#step-25-pr-comments-one-review-per-loop)
+- PR comment lifecycle shape: [`bugteam/SKILL.md`](../bugteam/SKILL.md#audit-posting)
 
 ## When this skill applies
 
@@ -31,6 +31,12 @@ Shared artifacts with /bugteam are referenced below by path, using the `${CLAUDE
 
 Refusals — first match wins; respond with the quoted line exactly and stop:
 
+- **Disabled via environment.** When `CLAUDE_REVIEWS_DISABLED` contains the
+  token `bugteam` (comma-separated, case-insensitive, whitespace-tolerant):
+  `/qbug is disabled via CLAUDE_REVIEWS_DISABLED.` `/qbug` is the bugteam
+  baseline review and shares the `bugteam` token with `/bugteam`; the shared
+  pre-flight script also exits 7 in this case so any caller invoking it
+  directly halts on the same signal.
 - **No PR or upstream diff.** `No PR or upstream diff. /qbug needs a target.`
 - **Dirty tree.** `Uncommitted changes detected. Stash, commit, or revert before /qbug.`
 - **Missing subagent.** Before Step 2, confirm `clean-coder` exists. Else: `Required subagent type clean-coder not installed. /qbug needs clean-coder available.`
@@ -198,17 +204,97 @@ The subagent receives this prompt and loops internally — the lead does not re-
        <qbug_temp_dir>/loop-<loop_count>-audit.json per the contract's
        persistence schema.
 
-       Post ONE review per loop. Use the payload shape from
-       <categories_file>'s sibling SKILL.md § "PR comments" — pass
-       the review body as a direct string parameter (not jq/piped files) to
-       `pull_request_review_write(method="create", event="COMMENT", body=<body>, owner=<owner>, repo=<repo>, pullNumber=<pr_number>, commitID=<head_sha>)`.
-       Review body first line: `## /qbug loop <N> audit: <P0>P0 / <P1>P1 / <P2>P2`.
-       If the review POST fails, fall back to one issue comment on
-       `add_issue_comment(owner=<owner>, repo=<repo>, issueNumber=<pr_number>, body=<body>)` carrying the full body; mark every
-       finding `used_fallback=true`.
-
-       Harvest `html_url` for the parent review and each child comment
-       into loop_comment_index[finding_id].
+       Post ONE review per loop via `post_audit_thread.py`. Before
+       serializing, partition the merged findings into anchored (line
+       appears in the captured diff) and unanchored (line is not in the
+       diff) buckets. Only anchored findings are written to
+       `<qbug_temp_dir>/loop-<loop_count>-findings.json` — the GitHub
+       reviews API rejects the entire POST if any inline comment in
+       `comments[]` targets a line not in the diff at `--commit`, so a
+       single unanchored entry breaks the whole review. Unanchored
+       findings surface in the loop's user-facing summary rather than
+       as inline anchored comments. The JSON root is a list of objects
+       shaped `{path, line, side, severity, description, fix_summary}`.
+       For each anchored finding, map `file` → `path`; split the
+       finding's `failure_mode` at the literal `Fix:` heading so the
+       failure narrative becomes `description` and the suffix beginning
+       at `Fix:` (including the trailing `Validation:` clause) becomes
+       `fix_summary` (the `failure_mode` field carries the full
+       audit-to-fix handoff per
+       [`agents/code-quality-agent.md`](../../agents/code-quality-agent.md)).
+       When a finding's `failure_mode` omits the `Fix:` heading, write
+       the full text to BOTH `description` and `fix_summary`. Set
+       `side="RIGHT"` for every entry. Zero anchored findings → write
+       `[]` and pass `--state CLEAN`; one or more anchored findings →
+       pass `--state DIRTY` with the full list.
+
+       **Self-PR auto-toggle.** GitHub rejects both `APPROVE` and
+       `REQUEST_CHANGES` reviews with HTTP 422 when the authenticated
+       identity matches the PR author ("Cannot approve/request changes
+       on your own pull request"). `post_audit_thread.py` detects this
+       case via `gh api user` + `gh api repos/<o>/<r>/pulls/<n>` and
+       auto-resolves an alternate gh account's token for the reviews
+       POST — the active `gh auth` account is not mutated; only the
+       bearer token sent on the request changes. After the POST the
+       active account is still whoever it was before, so no "swap back"
+       step is needed.
+
+       Configuration:
+
+       - `GH_TOKEN` / `GITHUB_TOKEN` env vars take precedence over the
+         toggle. Set them when you need to pin a specific reviewer
+         identity by token rather than by account login.
+       - `BUGTEAM_REVIEWER_ACCOUNT` env var names which authenticated
+         alternate to prefer when a toggle is needed (for example,
+         `BUGTEAM_REVIEWER_ACCOUNT=jl-cmd`). The env var name is shared
+         across every skill that invokes `post_audit_thread.py`. When
+         unset, the script falls back to the first alternate account
+         `gh auth status` reports.
+       - The named alternate must be logged in (`gh auth login -h
+         github.com -u <login>`) before the audit skill runs. The
+         script exits 1 with a pointing-at-`gh auth login` message
+         when self-PR is detected and no usable alternate is
+         authenticated.
+
+       ```
+       python "${CLAUDE_SKILL_DIR}/../../_shared/pr-loop/scripts/post_audit_thread.py" \
+         --skill qbug \
+         --owner <owner> \
+         --repo <repo> \
+         --pr-number <pr_number> \
+         --commit <head_sha> \
+         --state <CLEAN|DIRTY> \
+         --findings-json <qbug_temp_dir>/loop-<loop_count>-findings.json
+       ```
+
+       The script POSTs a single review with `event=APPROVE` on CLEAN
+       (the request event; GitHub stores it as `state=APPROVED`; empty
+       `comments[]`, body documents "no findings") or
+       `event=REQUEST_CHANGES` on DIRTY (one inline anchored comment per
+       finding; each becomes its own resolvable thread on the PR). It
+       handles retries internally (1s / 4s / 16s backoff across four
+       attempts). Exit 0 emits the new review's `html_url` to stdout;
+       extract the numeric review id from the URL's
+       `#pullrequestreview-<id>` suffix (the trailing URL fragment of
+       `html_url`, the part after `#`). Then harvest child-comment URLs **and PR review
+       thread node ids** via
+       `pull_request_read(method="get_review_comments",
+       owner=<owner>, repo=<repo>, pullNumber=<pr_number>)` filtered to
+       that review id. The same response carries each
+       comment's PR review thread node id (e.g. `PRRT_kwDOxxx`) — match
+       children to findings in the order they appear in the findings
+       JSON. Each `loop_comment_index[finding_id]` entry must carry
+       `finding_comment_id` (numeric, used by
+       `add_reply_to_pull_request_comment`), `finding_comment_url`, and
+       `thread_node_id` (`PRRT_kwDOxxx`, used by `resolve_thread`) so
+       the FIX step can reply against the comment and resolve the
+       thread.
+
+       Exit 2 means retry exhaustion — exit
+       `error: post_audit_thread retry exhausted` without retrying and
+       without falling back to a flat issue comment. A hard blocker on
+       the audit-posting path is a halt condition, not a fallback
+       opportunity.
 
        Update state: last_action="audited", last_findings=counts.
        Append `<N> audit: <P0>P0 / <P1>P1 / <P2>P2` to audit_log.
@@ -245,12 +331,54 @@ The subagent receives this prompt and loops internally — the lead does not re-
        Write <qbug_temp_dir>/loop-<loop_count>-diagnostics.json per the
        contract's diagnostics schema (all eight keys required).
 
-       Reply to each finding at loop_comment_index[finding_id].finding_comment_id
-       using `add_reply_to_pull_request_comment(commentId=<id>, body=<body>, owner=<owner>, repo=<repo>, pullNumber=<pr_number>)`.
-       Reply body is one of:
-         - `Fixed in <short_sha>`
-         - `Could not address this loop: <one-line reason>`
-         - `Hook blocked the fix commit: <one-line summary>`
+       For each finding, atomically (a) post the fix reply and
+       (b) call `resolve_thread`. The two calls form one logical action
+       per thread — do not yield to the lead between them, and do not
+       batch all replies before any resolves.
+
+       (a) Reply via
+       `add_reply_to_pull_request_comment(commentId=<loop_comment_index[finding_id].finding_comment_id>,
+       body=<reply_body>, owner=<owner>, repo=<repo>,
+       pullNumber=<pr_number>)`. The reply body uses the unified template
+       at [`../../_shared/pr-loop/audit-reply-template.md`](../../_shared/pr-loop/audit-reply-template.md).
+       Skeleton (identical across all paths):
+
+       ```
+       **Claude finished @<reviewer>'s task** —— <status_line>
+
+       ---
+       ### <action_heading> ✅
+
+       <1–2 paragraph plain-language explanation>
+
+       **`<file>:<line>`:**
+       - <bullet describing change or rationale>
+       - <bullet describing change or rationale>
+
+       <closing paragraph>
+       ```
+
+       Per-path `<status_line>` / `<action_heading>`:
+       - `status=fixed`: `Fixed in <short_sha>` (first 7 chars) /
+         finding-specific action verb (e.g.,
+         `Replaced Any with concrete type`).
+       - `status=could_not_address`: `Could not address this loop` /
+         one-line reason text.
+       - `status=hook_blocked`: `Hook blocked the fix commit` /
+         one-line hook summary.
+
+       Body text is passed directly as string parameters — no temp
+       files, no jq, no shell pipes.
+
+       (b) Immediately call
+       `pull_request_review_write(method="resolve_thread",
+       threadId=<loop_comment_index[finding_id].thread_node_id>,
+       owner=<owner>, repo=<repo>, pullNumber=<pr_number>)` for the
+       same thread (this is the PR review thread node ID —
+       `PRRT_kwDOxxx` — distinct from the numeric comment ID; the
+       AUDIT step captures it at audit time when calling
+       `get_review_comments` and stores it on each
+       `loop_comment_index` entry alongside `finding_comment_id`).
 
        Update state: last_action="fixed". Append
        `<N> fix: <short_sha> — <fixed>/<could_not_address>/<hook_blocked>`
@@ -260,14 +388,16 @@ The subagent receives this prompt and loops internally — the lead does not re-
 </cycle>
 
 <example_finding_body>
-**[P1] race condition on shared cache write**
-Category: I (concurrency hazards)
-Two writers can both pass the existence check at line 88 before either
-commits the write at line 91 — whichever writes second overwrites the
-first under contention. Either hold the cache lock across the check
-and the write, or use a compare-and-swap primitive.
-
-_From /qbug audit loop 2._
+Populate these two fields on each finding entry of the JSON payload
+consumed by `post_audit_thread.py` (the script renders the inline
+comment body via `INLINE_COMMENT_BODY_TEMPLATE`):
+
+```json
+{
+  "description": "Two writers can both pass the existence check at line 88 before either commits the write at line 91 — whichever writes second overwrites the first under contention.",
+  "fix_summary": "Hold the cache lock across the check and the write, or use a compare-and-swap primitive. Validation: pytest -k cache_concurrent with the threaded-writer fixture."
+}
+```
 </example_finding_body>
 
 <constraints>
@@ -315,7 +445,7 @@ Delete the resolved `<qbug_temp_dir>` tree and any `.qbug-*.md` temp files in th
 - **Code rules gate before every AUDIT.** Same `validate_content` logic as /bugteam.
 - **One commit per FIX action.** Linear branch, fast-forward push only.
 - **Categories A–J.** Same rubric as [`bugteam/PROMPTS.md`](../bugteam/PROMPTS.md).
-- **One review per loop.** Anchored findings as `comments[]`; unanchored listed under "Findings without a diff anchor" in the review body.
+- **One review per loop.** Anchored findings as `comments[]`; unanchored findings surface in the calling skill's user-facing output (chat reply to the user) rather than in the PR review body.
 - **PR description rewrite on every exit**, same as /bugteam Step 4.5.
 - **Temp file cleanup on every exit path.**
 - **No per-loop clean-room.** The single subagent's context accumulates across loops — that is the explicit trade vs /bugteam. For convergence-critical audits where bias isolation matters, use /bugteam.