clud-bug 0.5.7 → 0.5.9

package/lib/skills.js

@@ -348,4 +348,56 @@ function sanitizeSlug(name) {
   return name.toLowerCase().replace(/[^a-z0-9-]+/g, '-').replace(/^-+|-+$/g, '');
 }
 
+// Extract the `review_mode` field from a SKILL.md's frontmatter.
+//
+// Contract (from the v0.6 plan, option D-unified):
+//   - `shared`    → the skill loads alongside other shared skills in ONE
+//                   Claude call. Bug-finding baselines + most skills.sh
+//                   contributions live here; they benefit from cross-
+//                   correlation (an evidence-based finding flagged for
+//                   critical-issues-only also gets the convention check).
+//   - `dedicated` → the skill gets its OWN focused Claude call. Reserved
+//                   for domain-specific skills (brand voice, compliance,
+//                   API-contract) where attention dilution at high skill
+//                   counts is the real failure mode.
+//   - Missing field → default to `shared`. Conservative: the skill loads,
+//                   no surprise per-skill API cost. Users opt skills INTO
+//                   `dedicated` by authoring the field.
+//
+// The CLI runtime (v0.5.9) honors this via prompt restructuring inside a
+// single claude-code-action call. The v0.6 GitHub App will use the same
+// field to route to literal parallel API calls. Single source of truth.
+export function readReviewMode(skillContent) {
+  if (typeof skillContent !== 'string') return 'shared';
+  // Scope to the YAML frontmatter block (between the first two `---` lines).
+  // A `review_mode:` line in the body is documentation, not configuration.
+  const fm = skillContent.match(/^---\n([\s\S]*?)\n---/);
+  if (!fm) return 'shared';
+  const m = fm[1].match(/^review_mode:\s*(\S+)\s*$/m);
+  if (!m) return 'shared';
+  // Strip optional YAML string-quotes — `review_mode: "dedicated"` and
+  // `review_mode: 'dedicated'` are both valid YAML, but the (\S+) capture
+  // grabs the quotes too. Without this, quoted forms silently fell back
+  // to `shared` even though the author clearly meant dedicated.
+  const value = m[1].toLowerCase().replace(/^["']|["']$/g, '');
+  return value === 'dedicated' ? 'dedicated' : 'shared';
+}
+
+// Partition a set of loaded skills into {shared, dedicated} buckets per
+// each skill's review_mode frontmatter. Expects skills with a `content`
+// field (SKILL.md text). Skills without content default to `shared`.
+//
+// Shape: input is the same skill objects produced by loadBaseline /
+// writeSkills / listInstalled. Output is two arrays of the same shape;
+// caller decides what to do with each bucket.
+export function partitionByReviewMode(skills) {
+  const shared = [];
+  const dedicated = [];
+  for (const skill of skills) {
+    const mode = readReviewMode(skill?.content);
+    (mode === 'dedicated' ? dedicated : shared).push(skill);
+  }
+  return { shared, dedicated };
+}
+
 export const _internal = { normalizeList, sanitizeSlug, entryKey, MAX_SKILLS, API_BASE, MANIFEST_FILE };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "clud-bug",
-  "version": "0.5.7",
+  "version": "0.5.9",
   "description": "Claude PR review with project-aware skills. CLI installs a working GitHub Actions workflow and curates skills from skills.sh.",
   "homepage": "https://cludbug.dev",
   "bugs": "https://github.com/thrillmot/clud-bug/issues",

package/templates/skills/baseline/clud-bug-collaboration.md

@@ -1,6 +1,7 @@
 ---
 name: clud-bug-collaboration
 description: How Claude Code agents working in a clud-bug-installed repo should interact with the bot's review threads, strict-mode gate, and skill set. Use this skill whenever you're about to push a commit, address a clud-bug PR review comment, edit anything under .claude/skills/, modify .github/workflows/clud-bug-*.yml, or wonder why a PR check is red. Also use when planning work in a repo that has a `clud-bug-review` workflow installed — even if the user didn't mention clud-bug by name.
+review_mode: shared
 ---
 
 # Working in a clud-bug-installed repo

package/templates/skills/baseline/critical-issues-only.md

@@ -1,6 +1,7 @@
 ---
 name: critical-issues-only
 description: PR review discipline - flag only correctness, security, and performance issues. Skip nits.
+review_mode: shared
 ---
 
 # Critical issues only

package/templates/skills/baseline/evidence-based-review.md

@@ -1,6 +1,7 @@
 ---
 name: evidence-based-review
 description: Every PR review claim must quote the specific code being criticized. No hand-waving.
+review_mode: shared
 ---
 
 # Evidence-based review

package/templates/skills/baseline/respect-existing-conventions.md

@@ -1,6 +1,7 @@
 ---
 name: respect-existing-conventions
 description: Don't suggest changes that fight the codebase's established patterns. Match what's already there.
+review_mode: shared
 ---
 
 # Respect existing conventions

package/templates/workflow-py.yml.tmpl

@@ -1,4 +1,4 @@
-# clud-bug-template-version: v1
+# clud-bug-template-version: v3
 name: Clud Bug 🐛 Crawls Your Code
 
 on:
@@ -56,7 +56,7 @@ jobs:
           anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
           track_progress: true
           claude_args: |
-            --allowedTools "mcp__github_inline_comment__create_inline_comment,Bash(gh pr comment:*),Bash(gh pr diff:*),Bash(gh pr view:*),Bash(gh api graphql:*),Bash(gh api repos/:*),Bash(git show:*),Bash(cat .claude/skills/.clud-bug.json)"
+            --allowedTools "mcp__github_inline_comment__create_inline_comment,Bash(gh pr comment:*),Bash(gh pr diff:*),Bash(gh pr view:*),Bash(gh api graphql:*),Bash(gh api repos/:*),Bash(git show:*),Bash(cat .claude/skills/.clud-bug.json),Bash(cat .claude/skills/*/SKILL.md)"
           prompt: |
             {{PROJECT_DESCRIPTION}}
 
@@ -80,6 +80,23 @@ jobs:
             based-review]: this claim isn't anchored to a line"). Generic
             advice that contradicts a project skill is wrong by definition.
 
+            Skill routing — shared vs dedicated:
+            Each loaded skill carries a `review_mode:` field in its YAML
+            frontmatter at .claude/skills/<name>/SKILL.md. Two values:
+
+              - `review_mode: shared` — bug-finding / convention / evidence
+                skills. Their findings bundle into the standard "Critical
+                findings" / "Minor findings" sections.
+              - `review_mode: dedicated` — domain-specific skills (brand
+                voice, compliance, API-contract, test-discipline). Each
+                gets its own focused H3 section in the review.
+              - Missing field → treat as `shared`.
+
+            Before writing the review, scan each loaded skill's frontmatter
+            (the first `---`-delimited block of its SKILL.md) to identify
+            its review_mode. You can read them with:
+              cat .claude/skills/*/SKILL.md
+
             At the end of every review, append a single-line footer:
               Skills referenced: [skill-name-1, skill-name-2, ...]
             If you genuinely cited none, list "[none]" and explain why no
@@ -147,6 +164,38 @@ jobs:
             open" are both 0. On follow-up reviews after a fix-push,
             "resolved from prior" should typically be positive.
 
+            Per-skill scan block (required, immediately under the status line):
+            After the **This round:** counters, emit a "### Per-skill scan"
+            section with ONE line per loaded skill — even silent ones. This
+            is the anti-dilution layer: every loaded skill must be
+            acknowledged so authors can see their skill ran, even when it
+            produced no findings.
+
+              ### Per-skill scan
+              - [<skill-name>]: <one-sentence outcome>
+
+            Examples (mix of shared + dedicated, with and without findings):
+              - [critical-issues-only]: scanned all paths. 2 critical findings below.
+              - [evidence-based-review]: applied to all findings. ✓ all anchored.
+              - [respect-existing-conventions]: scanned for pattern fights. 0 findings.
+              - [brand-voice-review]: scanned 3 microcopy changes. 1 finding (below).
+              - [pii-and-compliance]: scanned logging + analytics. 0 findings.
+
+            Per-skill findings sections (dedicated-mode skills only):
+            For each dedicated-mode skill that produced one or more
+            findings, emit a dedicated H3 section before the standard
+            critical/minor buckets:
+
+              ### Brand voice [brand-voice-review]
+              - Finding: button label "Click here!" violates verb-noun rule
+                (lib/ui/Button.tsx:42). Suggested: "Open settings."
+
+            Shared-mode skill findings stay in the existing combined
+            "Critical findings" / "Minor findings" buckets — they
+            cross-correlate (a logging-PII issue belongs in both the
+            critical-issues-only and pii-and-compliance lens at once), so
+            bundling preserves that signal.
+
             Post it via:
               gh pr comment "$PR_NUMBER" --body "<your review>"
 
@@ -168,23 +217,9 @@ jobs:
             with confirmed: true.
             If there are no critical issues, post a one-line comment saying so.
 
-      # Strict-mode gate — see workflow.yml.tmpl for full design notes.
+      # Strict-mode gate — composite action; see workflow.yml.tmpl for design notes.
       - name: Strict mode — fail check on critical findings
         if: success()
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          PR_NUMBER: ${{ github.event.pull_request.number }}
-        run: |
-          BASE_MANIFEST=$(git show "origin/${{ github.base_ref }}:.claude/skills/.clud-bug.json" 2>&1) || {
-            echo "::warning::Base manifest not found on ${{ github.base_ref }} — strict mode disabled for this run."
-            exit 0
-          }
-          STRICT=$(echo "$BASE_MANIFEST" | node -e "let s='';process.stdin.on('data',c=>s+=c);process.stdin.on('end',()=>{try{console.log(JSON.parse(s).strictMode===true)}catch(e){console.log('false')}})")
-          [ "$STRICT" = "true" ] || exit 0
-          LATEST=$(gh api "repos/${{ github.repository }}/issues/${PR_NUMBER}/comments?sort=created&direction=desc&per_page=100" \
-            --jq '[.[] | select(.user.login == "claude[bot]" and (.body | startswith("## 🐛 Clud Bug review")))][0].body // ""')
-          if echo "$LATEST" | head -n1 | grep -q "Clud Bug review — critical findings"; then
-            echo "::error title=Clud Bug 🐛::Critical issues found and strictMode is enabled — failing this check."
-            echo "::error::See the latest Clud Bug review comment for details. Push a fix and the gate will clear on the next run."
-            exit 1
-          fi
+        uses: thrillmot/clud-bug/.github/actions/strict-mode-gate@v0.5.8
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}

package/templates/workflow-ts.yml.tmpl

@@ -1,4 +1,4 @@
-# clud-bug-template-version: v1
+# clud-bug-template-version: v3
 name: Clud Bug 🐛 Crawls Your Code
 
 on:
@@ -56,7 +56,7 @@ jobs:
           anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
           track_progress: true
           claude_args: |
-            --allowedTools "mcp__github_inline_comment__create_inline_comment,Bash(gh pr comment:*),Bash(gh pr diff:*),Bash(gh pr view:*),Bash(gh api graphql:*),Bash(gh api repos/:*),Bash(git show:*),Bash(cat .claude/skills/.clud-bug.json)"
+            --allowedTools "mcp__github_inline_comment__create_inline_comment,Bash(gh pr comment:*),Bash(gh pr diff:*),Bash(gh pr view:*),Bash(gh api graphql:*),Bash(gh api repos/:*),Bash(git show:*),Bash(cat .claude/skills/.clud-bug.json),Bash(cat .claude/skills/*/SKILL.md)"
           prompt: |
             {{PROJECT_DESCRIPTION}}
 
@@ -81,6 +81,23 @@ jobs:
             based-review]: this claim isn't anchored to a line"). Generic
             advice that contradicts a project skill is wrong by definition.
 
+            Skill routing — shared vs dedicated:
+            Each loaded skill carries a `review_mode:` field in its YAML
+            frontmatter at .claude/skills/<name>/SKILL.md. Two values:
+
+              - `review_mode: shared` — bug-finding / convention / evidence
+                skills. Their findings bundle into the standard "Critical
+                findings" / "Minor findings" sections.
+              - `review_mode: dedicated` — domain-specific skills (brand
+                voice, compliance, API-contract, test-discipline). Each
+                gets its own focused H3 section in the review.
+              - Missing field → treat as `shared`.
+
+            Before writing the review, scan each loaded skill's frontmatter
+            (the first `---`-delimited block of its SKILL.md) to identify
+            its review_mode. You can read them with:
+              cat .claude/skills/*/SKILL.md
+
             At the end of every review, append a single-line footer:
               Skills referenced: [skill-name-1, skill-name-2, ...]
             If you genuinely cited none, list "[none]" and explain why no
@@ -148,6 +165,38 @@ jobs:
             open" are both 0. On follow-up reviews after a fix-push,
             "resolved from prior" should typically be positive.
 
+            Per-skill scan block (required, immediately under the status line):
+            After the **This round:** counters, emit a "### Per-skill scan"
+            section with ONE line per loaded skill — even silent ones. This
+            is the anti-dilution layer: every loaded skill must be
+            acknowledged so authors can see their skill ran, even when it
+            produced no findings.
+
+              ### Per-skill scan
+              - [<skill-name>]: <one-sentence outcome>
+
+            Examples (mix of shared + dedicated, with and without findings):
+              - [critical-issues-only]: scanned all paths. 2 critical findings below.
+              - [evidence-based-review]: applied to all findings. ✓ all anchored.
+              - [respect-existing-conventions]: scanned for pattern fights. 0 findings.
+              - [brand-voice-review]: scanned 3 microcopy changes. 1 finding (below).
+              - [pii-and-compliance]: scanned logging + analytics. 0 findings.
+
+            Per-skill findings sections (dedicated-mode skills only):
+            For each dedicated-mode skill that produced one or more
+            findings, emit a dedicated H3 section before the standard
+            critical/minor buckets:
+
+              ### Brand voice [brand-voice-review]
+              - Finding: button label "Click here!" violates verb-noun rule
+                (lib/ui/Button.tsx:42). Suggested: "Open settings."
+
+            Shared-mode skill findings stay in the existing combined
+            "Critical findings" / "Minor findings" buckets — they
+            cross-correlate (a logging-PII issue belongs in both the
+            critical-issues-only and pii-and-compliance lens at once), so
+            bundling preserves that signal.
+
             Post it via:
               gh pr comment "$PR_NUMBER" --body "<your review>"
 
@@ -169,23 +218,9 @@ jobs:
             with confirmed: true.
             If there are no critical issues, post a one-line comment saying so.
 
-      # Strict-mode gate — see workflow.yml.tmpl for full design notes.
+      # Strict-mode gate — composite action; see workflow.yml.tmpl for design notes.
       - name: Strict mode — fail check on critical findings
         if: success()
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          PR_NUMBER: ${{ github.event.pull_request.number }}
-        run: |
-          BASE_MANIFEST=$(git show "origin/${{ github.base_ref }}:.claude/skills/.clud-bug.json" 2>&1) || {
-            echo "::warning::Base manifest not found on ${{ github.base_ref }} — strict mode disabled for this run."
-            exit 0
-          }
-          STRICT=$(echo "$BASE_MANIFEST" | node -e "let s='';process.stdin.on('data',c=>s+=c);process.stdin.on('end',()=>{try{console.log(JSON.parse(s).strictMode===true)}catch(e){console.log('false')}})")
-          [ "$STRICT" = "true" ] || exit 0
-          LATEST=$(gh api "repos/${{ github.repository }}/issues/${PR_NUMBER}/comments?sort=created&direction=desc&per_page=100" \
-            --jq '[.[] | select(.user.login == "claude[bot]" and (.body | startswith("## 🐛 Clud Bug review")))][0].body // ""')
-          if echo "$LATEST" | head -n1 | grep -q "Clud Bug review — critical findings"; then
-            echo "::error title=Clud Bug 🐛::Critical issues found and strictMode is enabled — failing this check."
-            echo "::error::See the latest Clud Bug review comment for details. Push a fix and the gate will clear on the next run."
-            exit 1
-          fi
+        uses: thrillmot/clud-bug/.github/actions/strict-mode-gate@v0.5.8
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}

package/templates/workflow.yml.tmpl

@@ -1,4 +1,4 @@
-# clud-bug-template-version: v1
+# clud-bug-template-version: v3
 name: Clud Bug 🐛 Crawls Your Code
 
 on:
@@ -80,7 +80,7 @@ jobs:
           anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
           track_progress: true
           claude_args: |
-            --allowedTools "mcp__github_inline_comment__create_inline_comment,Bash(gh pr comment:*),Bash(gh pr diff:*),Bash(gh pr view:*),Bash(gh api graphql:*),Bash(gh api repos/:*),Bash(git show:*),Bash(cat .claude/skills/.clud-bug.json)"
+            --allowedTools "mcp__github_inline_comment__create_inline_comment,Bash(gh pr comment:*),Bash(gh pr diff:*),Bash(gh pr view:*),Bash(gh api graphql:*),Bash(gh api repos/:*),Bash(git show:*),Bash(cat .claude/skills/.clud-bug.json),Bash(cat .claude/skills/*/SKILL.md)"
           prompt: |
             {{PROJECT_DESCRIPTION}}
 
@@ -101,6 +101,23 @@ jobs:
             based-review]: this claim isn't anchored to a line"). Generic
             advice that contradicts a project skill is wrong by definition.
 
+            Skill routing — shared vs dedicated:
+            Each loaded skill carries a `review_mode:` field in its YAML
+            frontmatter at .claude/skills/<name>/SKILL.md. Two values:
+
+              - `review_mode: shared` — bug-finding / convention / evidence
+                skills. Their findings bundle into the standard "Critical
+                findings" / "Minor findings" sections.
+              - `review_mode: dedicated` — domain-specific skills (brand
+                voice, compliance, API-contract, test-discipline). Each
+                gets its own focused H3 section in the review.
+              - Missing field → treat as `shared`.
+
+            Before writing the review, scan each loaded skill's frontmatter
+            (the first `---`-delimited block of its SKILL.md) to identify
+            its review_mode. You can read them with:
+              cat .claude/skills/*/SKILL.md
+
             At the end of every review, append a single-line footer:
               Skills referenced: [skill-name-1, skill-name-2, ...]
             If you genuinely cited none, list "[none]" and explain why no
@@ -168,6 +185,38 @@ jobs:
             open" are both 0. On follow-up reviews after a fix-push,
             "resolved from prior" should typically be positive.
 
+            Per-skill scan block (required, immediately under the status line):
+            After the **This round:** counters, emit a "### Per-skill scan"
+            section with ONE line per loaded skill — even silent ones. This
+            is the anti-dilution layer: every loaded skill must be
+            acknowledged so authors can see their skill ran, even when it
+            produced no findings.
+
+              ### Per-skill scan
+              - [<skill-name>]: <one-sentence outcome>
+
+            Examples (mix of shared + dedicated, with and without findings):
+              - [critical-issues-only]: scanned all paths. 2 critical findings below.
+              - [evidence-based-review]: applied to all findings. ✓ all anchored.
+              - [respect-existing-conventions]: scanned for pattern fights. 0 findings.
+              - [brand-voice-review]: scanned 3 microcopy changes. 1 finding (below).
+              - [pii-and-compliance]: scanned logging + analytics. 0 findings.
+
+            Per-skill findings sections (dedicated-mode skills only):
+            For each dedicated-mode skill that produced one or more
+            findings, emit a dedicated H3 section before the standard
+            critical/minor buckets:
+
+              ### Brand voice [brand-voice-review]
+              - Finding: button label "Click here!" violates verb-noun rule
+                (lib/ui/Button.tsx:42). Suggested: "Open settings."
+
+            Shared-mode skill findings stay in the existing combined
+            "Critical findings" / "Minor findings" buckets — they
+            cross-correlate (a logging-PII issue belongs in both the
+            critical-issues-only and pii-and-compliance lens at once), so
+            bundling preserves that signal.
+
             Post it via:
               gh pr comment "$PR_NUMBER" --body "<your review>"
 
@@ -189,12 +238,14 @@ jobs:
             with confirmed: true.
             If there are no critical issues, post a one-line comment saying so.
 
-      # Strict-mode gate. Fails the check when both
-      #   (a) the BASE ref's .claude/skills/.clud-bug.json has
-      #       { "strictMode": true } — read from base so a PR can't opt
-      #       itself out of strict mode by editing its own manifest, AND
-      #   (b) the LATEST clud-bug review comment on this PR has a body
-      #       whose FIRST LINE is "## 🐛 Clud Bug review — critical findings".
+      # Strict-mode gate. Fails the check when the BASE ref's manifest
+      # has { "strictMode": true } AND the latest clud-bug review's first
+      # line starts with "## 🐛 Clud Bug review — critical findings".
+      #
+      # Logic lives in the composite action so it's revised once across
+      # all 3 templates + the App runtime. Pinned to the same clud-bug
+      # tag the user installed (rendered by `clud-bug init`), so the
+      # action's contract is stable for the lifetime of that install.
       #
       # if: success() — only run when claude-code-action succeeded. If the
       # action errored, no new comment was posted for this run; falling back
@@ -202,30 +253,6 @@ jobs:
       # Letting the action's own failure fail the check is louder and right.
       - name: Strict mode — fail check on critical findings
         if: success()
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          PR_NUMBER: ${{ github.event.pull_request.number }}
-        run: |
-          # Loud failure if the base manifest can't be read — silently falling
-          # back to advisory would silently disable strict mode for every
-          # opted-in repo. (Requires fetch-depth: 0 on the checkout above.)
-          BASE_MANIFEST=$(git show "origin/${{ github.base_ref }}:.claude/skills/.clud-bug.json" 2>&1) || {
-            echo "::warning::Base manifest not found on ${{ github.base_ref }} — strict mode disabled for this run."
-            exit 0
-          }
-          STRICT=$(echo "$BASE_MANIFEST" | node -e "let s='';process.stdin.on('data',c=>s+=c);process.stdin.on('end',()=>{try{console.log(JSON.parse(s).strictMode===true)}catch(e){console.log('false')}})")
-          [ "$STRICT" = "true" ] || exit 0
-
-          # Use startswith (not regex contains) so comments that *quote* the
-          # sentinel header (other reviews, @claude responses, meta-PRs about
-          # strict mode itself) don't get picked up as "the latest review."
-          LATEST=$(gh api "repos/${{ github.repository }}/issues/${PR_NUMBER}/comments?sort=created&direction=desc&per_page=100" \
-            --jq '[.[] | select(.user.login == "claude[bot]" and (.body | startswith("## 🐛 Clud Bug review")))][0].body // ""')
-
-          # Scope the critical-findings match to the FIRST LINE so quoted
-          # sentinels deeper in the review can't trip the gate.
-          if echo "$LATEST" | head -n1 | grep -q "Clud Bug review — critical findings"; then
-            echo "::error title=Clud Bug 🐛::Critical issues found and strictMode is enabled — failing this check."
-            echo "::error::See the latest Clud Bug review comment for details. Push a fix and the gate will clear on the next run."
-            exit 1
-          fi
+        uses: thrillmot/clud-bug/.github/actions/strict-mode-gate@v0.5.8
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}