xtrm-tools 0.5.47 → 0.6.0

package/skills/test-planning/SKILL.md

@@ -206,3 +206,260 @@ Agent closes a feature issue that was done ad-hoc. No test issue found. Agent:
 2. Picks strategy
 3. Creates test issue as child of same parent
 4. Documents what to assert based on the actual code
+
+## Anti-Pattern Checklist
+
+Run this checklist at both trigger points (planning and closure review). Flag any anti-patterns in the test issue description before closing.
+
+### 1. Assertion-free tests
+**Detect**: Test body calls functions/methods but has no `assert`, `expect`, or equivalent statement.
+**Fix**: Add at least one meaningful assertion. If the goal is "doesn't throw", assert that explicitly — `with pytest.raises(...)` or `expect(() => fn()).not.toThrow()`.
+
+### 2. Tautological assertions
+**Detect**: The assertion can only fail if the test framework itself is broken. E.g. `assert result == result`, `expect(true).toBe(true)`, asserting a value against the same expression used to produce it.
+**Fix**: Assert against a concrete expected value derived independently from the production code. If you can't state what the expected value is without running the code, the test has no falsifiable claim.
+
+### 3. Context leakage / shared mutable state
+**Detect**: Tests share module-level variables, database rows, file state, or global config without reset between runs. Symptoms: tests pass individually but fail in suite order.
+**Fix**: Use fixtures with setup/teardown (`beforeEach`/`afterEach`, pytest fixtures with function scope). Every test starts from a clean slate.
+
+### 4. Over-mocking internal collaborators
+**Detect**: Mocks are patching classes or functions that live in the same module under test — not external services. The test validates that internal wiring was called, not that the observable outcome is correct.
+**Fix**: Only mock at system boundaries (HTTP clients, file I/O, external services). Test internal collaborators by letting them run. If they're hard to instantiate, extract the pure logic and test that directly.
+
+### 5. Tests that cannot fail under realistic regressions
+**Detect**: Remove the core logic being tested and re-read the test — would it still pass? If yes, the test provides no protection. Common form: only testing the happy path of a function whose bug would only appear in error paths.
+**Fix**: Add at least one negative-path or edge-case assertion that would catch the most likely regression. Consult the implementation for obvious failure modes.
+
+## Priority Heuristics
+
+Test issues inherit priority from their implementation issues with bounded adjustment. The table below gives the deterministic mapping.
+
+| Implementation risk | Test issue priority | Examples |
+|---|---|---|
+| Security / auth / protocol compat | P0 (equal) | Auth token validation, schema migration safety, API contract |
+| Regression-critical boundary path | P0–P1 (equal) | Client URL routing, CLI exit codes used by external tooling |
+| High-business-impact core logic | P1 (equal or +0) | Pricing computations, session state transitions |
+| Standard domain logic | P2 (+0 or +1) | Config merge, output formatters, parsers |
+| Low-risk internals / non-critical adapters | P3 (+1) | Helper utilities, optional UI formatting |
+| Polish / test debt cleanup | P4 | Improving existing test coverage, test naming |
+
+**Inheritance rule**: start from the implementation issue's priority. Apply +1 if the test is covering a well-understood path with low regression risk. Never go lower than P2 for boundary or shell layer tests — integration tests are load-bearing.
+
+**Equal priority examples**:
+- Impl is P1 (auth endpoint) → test issue is P1 (auth contract test must ship with the feature)
+- Impl is P0 (critical fix) → test issue is P0 (regression test must land in same PR)
+
+**+1 priority examples**:
+- Impl is P2 (output formatter) → test issue is P3 (unit tests are useful but not blocking)
+- Impl is P3 (optional config key) → test issue is P4 (test debt, tackle in cleanup)
+
+## Definition of Done Templates
+
+Use these templates verbatim in test issue descriptions. Replace `<...>` placeholders.
+
+### Core layer DoD
+
+```
+Layer: core
+Strategy: <unit | property-based | example-based>
+Covers: <impl issue IDs>
+
+Assertions required:
+- [ ] Positive path: <expected output for valid input>
+- [ ] Negative path: <expected error/output for invalid input>
+- [ ] Edge cases explicitly enumerated: <list: empty input, zero, max boundary, ...>
+- [ ] Invariants/properties included: <e.g. "result is always sorted", "output length == input length">
+
+Fixture policy:
+- [ ] No shared mutable state between tests
+- [ ] Deterministic fixtures (no random, no time.now() without injection)
+- [ ] Each test constructs its own input independently
+
+Done when: all assertions above are implemented and passing in CI.
+```
+
+### Boundary layer DoD
+
+```
+Layer: boundary
+Strategy: <live-contract | recorded-fixture | mock (last resort)>
+Covers: <impl issue IDs>
+
+Assertions required:
+- [ ] Schema/contract assertions: <field presence, types, required vs optional>
+- [ ] Error codes and retry/fallback: <e.g. 404→empty list, 500→raises ServiceError>
+- [ ] Drift-safe: assertions check field presence and types, not brittle internal structure
+- [ ] Live-first policy documented: <live | recorded-fixture | mock — reason for choice>
+
+Done when: contract assertions pass against live service (or recorded fixture if live unavailable).
+Fallback documented in issue if live is not accessible.
+```
+
+### Shell layer DoD
+
+```
+Layer: shell
+Strategy: integration (subprocess or function-level wiring test)
+Covers: <impl issue IDs>
+
+Assertions required:
+- [ ] End-to-end observable outcomes: <what the user sees — output format, exit code>
+- [ ] Failure-mode UX: <error messages, non-zero exit codes, stderr vs stdout>
+- [ ] Cross-component wiring: <core + boundary are called and integrated correctly>
+- [ ] At least one real-data scenario (not mocked) if service is accessible
+
+Done when: integration tests run against real components (not mocked internals) and cover
+both success and at least one failure path.
+```
+
+## Critical-Path Coverage
+
+Do not frame test issues around coverage percentages. Frame them around critical paths and risk rationale.
+
+Every test issue description must include a **critical path map**:
+
+```
+Critical paths covered:
+- <path 1 and risk rationale>
+- <path 2 and risk rationale>
+
+Known deferred paths (with follow-up refs):
+- <path not covered yet> → follow-up: <bd issue ID or "to be created">
+```
+
+**Why**: a 90% line-coverage number says nothing about whether the one path that processes payments is tested. A critical path map forces explicit reasoning about what matters and what was skipped.
+
+**What counts as a critical path**:
+- Any path that involves auth, money, data loss, or external contract compliance
+- Any path exercised by the user-facing CLI commands described in the issue
+- Any path explicitly mentioned in the implementation issue's acceptance criteria
+
+**What to do with deferred paths**:
+- Document them — don't silently skip
+- Create a follow-up test issue if the deferred path is P2 or higher risk
+- Reference the follow-up issue ID in the current test issue's description
+
+## Advisory vs Enforcement Boundary
+
+This skill is advisory. It recommends test strategy, creates test issues, and flags anti-patterns. It does not block code execution or enforce pass/fail decisions — that is the job of hooks and quality gates.
+
+| Concern | Who owns it | How enforced |
+|---|---|---|
+| Test strategy selection (TDD vs contract vs unit) | This skill | Recommendation only |
+| Anti-pattern detection in test issues | This skill | Checklist in issue description |
+| Priority assignment | This skill | Heuristics table above |
+| DoD template in issue description | This skill | Template pasted into bd issue |
+| CI test pass/fail | quality-gates hook | PostToolUse hook blocks on test failures |
+| Test file lint/type correctness | quality-gates hook | ESLint + mypy on every edit |
+| Branch not mergeable without tests | Not enforced | Human review — no automated gate today |
+| Claiming work without test issue existing | Not enforced | Human judgment — skill creates test issue at closure if missing |
+
+**Example — advisory boundary in practice**:
+
+You are planning tests for `.14` (async HTTP client). This skill:
+- Classifies as boundary layer ✓
+- Recommends live-contract tests ✓
+- Creates a test issue with DoD template ✓
+- Flags if you try to describe tests that only mock the HTTP layer ✓ (anti-pattern 4)
+
+It does NOT:
+- Block `.14` from closing if the test issue isn't done
+- Fail the build if the test issue is open
+- Require approval before the implementation is merged
+
+The test issue is a tracked commitment, not a gate. Gating is opt-in via `bd dep` dependencies you set up during planning.
+
+## v1.1 Format Examples
+
+### Example A — Planning phase, boundary + shell epic
+
+Epic: "Implement gitnexus MCP sync in xtrm install"
+
+Children: `.1` (MCP config writer), `.2` (sync-on-install integration), `.3` (CLI `xtrm mcp` command)
+
+Classification:
+- `.1` → boundary (writes to `.mcp.json`, file I/O)
+- `.2` → shell (orchestrates install flow)
+- `.3` → shell (CLI command)
+
+Test issues created:
+
+```
+bd create "Test: MCP config writer — contract tests for .mcp.json output" \
+  -t task -p 2 --parent <epic> \
+  -d "Layer: boundary
+Strategy: example-based (file I/O, no external service)
+Covers: .1
+
+Assertions required:
+- [ ] Positive path: valid servers config produces correct .mcp.json structure
+- [ ] Negative path: invalid server entry raises validation error
+- [ ] Edge cases: empty servers list, duplicate server names, existing .mcp.json is merged not overwritten
+- [ ] Drift-safe: assert on field presence (name, command, args), not internal object identity
+
+Critical paths covered:
+- gitnexus server entry written with correct stdio transport — risk: wrong transport breaks MCP
+- existing user entries preserved during merge — risk: data loss
+
+Known deferred paths:
+- test with malformed existing .mcp.json → follow-up: to be created (P3)
+
+Done when: all assertions pass, no shared state between tests."
+```
+
+```
+bd create "Test: xtrm install MCP sync + xtrm mcp CLI — integration tests" \
+  -t task -p 2 --parent <epic> \
+  -d "Layer: shell
+Strategy: integration (subprocess)
+Covers: .2, .3
+
+Assertions required:
+- [ ] End-to-end: xtrm install writes correct .mcp.json in temp project dir
+- [ ] CLI: xtrm mcp list outputs expected server names
+- [ ] Failure-mode: xtrm mcp add with duplicate name exits non-zero with clear error
+- [ ] Cross-component: install flow calls MCP writer with correct config
+
+Critical paths covered:
+- full install → .mcp.json present and readable by Claude Code — risk: MCP servers not available
+- CLI add + list roundtrip — risk: user cannot inspect installed servers
+
+Known deferred paths:
+- test with no write permission on project dir → follow-up: to be created (P4)
+
+Done when: integration tests run against real file system in temp dir, no mocked internals."
+```
+
+---
+
+### Example B — Closure gate, core layer, implementation diverged
+
+Closing `.22` (config merge logic). Existing test issue `.31` was written before implementation.
+
+What `.22` actually built:
+- Added precedence chain: env > file > defaults (original plan had only file > defaults)
+- Added type coercion for boolean env vars ("true"/"false" → bool)
+- Removed support for `.xtrm.yaml` (only `.xtrm/config.json` now)
+
+Updated test issue `.31`:
+
+```
+bd update xtrm-31 --notes "Scope updated after .22 completed:
++ Add test: env var takes precedence over file config (new precedence chain)
++ Add test: 'true'/'false' env vars coerced to bool correctly
++ Add test: 'TRUE', '1', '0' edge cases for bool coercion
++ Remove test: .xtrm.yaml loading (format removed in .22)
+
+Anti-pattern check:
+- [ ] tautological: none detected
+- [ ] over-mocking: env injection via monkeypatch only, no internal mocking
+- [ ] shared state: each test resets env via fixture
+
+Critical paths covered:
+- env > file > defaults chain — risk: wrong precedence silently overrides user config
+- bool coercion — risk: 'false' string treated as truthy in Python
+
+Known deferred paths:
+- test with missing HOME dir (pathlib resolution edge case) → follow-up: xtrm-4x (P4)"
+```

package/skills/xt-end/SKILL.md

@@ -19,6 +19,7 @@ Default to **autonomous execution**:
 - do not ask the user routine clarification questions
 - prefer deterministic fallbacks over conversational review
 - only stop when a real blocker prevents safe progress
+- **always invoke `xt end --yes`** — never call `xt end` without this flag; the bare command prompts interactively for worktree removal which blocks autonomous execution
 
 ## Success States
 

package/skills/xt-merge/SKILL.md

@@ -40,6 +40,46 @@ you're rebasing more than necessary and risk conflicts that wouldn't have existe
 
 ---
 
+## Stage 0 — Pre-flight checks
+
+Run these before touching any branch.
+
+**1. Verify you are in a git repository:**
+```bash
+git rev-parse --git-dir
+```
+Stop immediately if this fails.
+
+**2. Verify gh auth:**
+```bash
+gh auth status
+```
+If this fails, stop immediately. Without auth, `gh pr merge` will silently fail or
+produce confusing errors mid-run.
+
+**3. Fetch all remotes:**
+```bash
+git fetch --all --prune
+```
+This ensures local remote-tracking refs reflect current upstream state before any
+rebase or CI check. Without this, CI status checks and rebase targets may be stale.
+
+**4. Check for uncommitted local changes:**
+```bash
+git status --porcelain
+```
+If the output is non-empty, **warn the user and stop**. The rebase cascade will
+check out other branches (`git checkout xt/<branch>`), which will either fail or
+silently carry dirty changes into the wrong branch. Resolve before continuing:
+- `git stash push -m "xt-merge cascade stash"` — stash and pop after cascade finishes
+- Or commit the work first
+- Or abort if the changes belong to a live worktree session
+
+If the user stashes, record the stash ref (`git stash list | head -1`) so you can
+pop it when done in Stage 6.
+
+---
+
 ## Stage 1 — Build the queue
 
 List all open PRs from xt worktree branches:
@@ -54,6 +94,9 @@ This sorts by creation time. The top row is the **head of the queue** — merge
 
 If there are draft PRs in the list, skip them. Drafts are not ready to merge.
 
+If `gh pr list` returns an error (network, auth, wrong repo), stop and report the
+error. Do not continue with stale or incomplete data.
+
 Present the sorted queue to the user before proceeding:
 ```
 Queue (oldest → newest):
@@ -70,6 +113,14 @@ Queue (oldest → newest):
 gh pr checks <number>
 ```
 
+**Stale CI warning:** After a rebase cascade the PR's HEAD SHA changes. Always verify
+the SHA that CI ran against matches the current branch tip before trusting a green result:
+```bash
+gh pr view <number> --json headRefOid --jq '.headRefOid'
+# compare against the commit SHA shown in gh pr checks output
+```
+If they differ, the green result is from before the rebase — wait for the new run.
+
 Wait for all checks to pass. If CI is still running, tell the user and pause — don't
 merge a PR with pending or failing checks.
 
@@ -90,12 +141,18 @@ gh pr merge <number> --rebase --delete-branch
 Use `--rebase` (not `--squash` or `--merge`) to keep linear history and preserve
 individual commits from the session. Use `--delete-branch` to clean up the remote branch.
 
-After merge, confirm main advanced:
+If `gh pr merge` fails with "No commits between main and xt/<branch>", the branch's
+commits were already absorbed into main (e.g. from a previous push). Close the PR
+and continue to the next.
+
+After merge, fetch and confirm main advanced:
 ```bash
 git fetch origin
 git log origin/main --oneline -3
 ```
 
+Record the new HEAD SHA of main — you will verify the cascade rebases onto it.
+
 ---
 
 ## Stage 4 — Rebase cascade (all remaining PRs)
@@ -106,10 +163,24 @@ For every remaining PR in the queue, rebase its branch onto the new main:
 git fetch origin main
 git checkout xt/<branch>
 git rebase origin/main
-git push origin xt/<branch> --force-with-lease
+git push origin xt/<branch> --force-with-lease --force-if-includes
+```
+
+`--force-with-lease` rejects the push if the remote has commits your local ref
+doesn't know about. `--force-if-includes` additionally verifies that whatever
+you're overwriting was reachable from your local history — together they prevent
+accidentally overwriting a collaborator's push that arrived after your last fetch.
+(Requires Git 2.30+. If not available, `--force-with-lease` alone is acceptable.)
+
+**After each push, verify it landed:**
+```bash
+git rev-parse HEAD
+git rev-parse origin/xt/<branch>
 ```
+Both SHAs must match. If the push was rejected (lease violation or other error),
+stop and report — do not silently continue to the next branch.
 
-Repeat for each remaining branch. Do them in queue order (oldest next).
+Repeat for each remaining branch in queue order (oldest next).
 
 After pushing, GitHub will re-trigger CI on each rebased PR. You don't need to wait
 for CI here — the rebase just gets the branches current. CI will run in parallel.
@@ -123,27 +194,43 @@ git add <resolved-files>
 git rebase --continue
 ```
 
+If you cannot safely resolve a conflict, **abort the rebase immediately**:
+```bash
+git rebase --abort
+```
+The branch is left unchanged. Report the branch name and conflicted files to the
+user. Continue the cascade for remaining branches; the user can resolve and push
+this one manually before you loop back to merge it.
+
 Conflicts mean two sessions touched the same file. Resolve carefully:
 - Keep both changes if they're in different parts of the file
 - If they overlap, understand what each session was doing and merge the intent
-- When unsure, call the user in to review before continuing
+- When unsure, abort and escalate to the user
 
-After resolving, push with `--force-with-lease` and move to the next branch.
+After resolving, push with `--force-with-lease --force-if-includes` and verify the
+push landed (SHA check above) before moving to the next branch.
 
 ---
 
 ## Stage 5 — Repeat
 
-Go back to Stage 2 with the new head of the queue. Check CI, merge, rebase cascade,
+Go back to Stage 2 with the new head of the queue. Check CI on the **new SHA**
+produced by the rebase cascade push — not a pre-rebase result. Merge, cascade,
 repeat until the queue is empty.
 
 The full loop:
 ```
 while queue not empty:
-  wait for CI green on head PR
+  check CI on head PR
+    → verify: gh pr view <n> headRefOid == SHA in gh pr checks output
+    → wait for green; stop if failing
   merge head PR (--rebase --delete-branch)
-  rebase all remaining PRs onto new main
-  push each (--force-with-lease)
+  git fetch origin → confirm main advanced
+  for each remaining branch in queue order:
+    git checkout xt/<branch>
+    git rebase origin/main
+    git push --force-with-lease --force-if-includes
+    verify: git rev-parse HEAD == git rev-parse origin/xt/<branch>
 ```
 
 ---
@@ -151,7 +238,11 @@ while queue not empty:
 ## Stage 6 — Done
 
 When the queue is empty:
+
 ```bash
+# If you stashed changes in Stage 0, pop now:
+git stash pop   # report any conflicts — do not discard silently
+
 gh pr list --state open
 git log origin/main --oneline -5
 ```
@@ -164,7 +255,10 @@ Confirm no open xt/ PRs remain and show the user the final state of main.
 
 **PR was already merged**: `gh pr merge` will error. Skip it and continue.
 
-**Branch was deleted** (worktree cleaned up by `xt end --keep`): The remote branch
+**No commits between main and xt/branch**: branch was already absorbed into main.
+Close the PR and continue.
+
+**Branch was deleted** (worktree cleaned up by `xt end`): The remote branch
 still exists (pushed by `xt end`). The local branch may not. Check out from remote:
 ```bash
 git fetch origin
@@ -178,13 +272,42 @@ git commit --allow-empty -m "trigger CI"
 git push origin xt/<branch>
 ```
 
+**Stale CI result after rebase**: Always confirm the SHA in `gh pr checks` matches
+`git rev-parse origin/xt/<branch>` before treating a green result as valid. If they
+differ, wait for the new run.
+
+**Push rejected (lease violation)**: Do not retry blindly. Fetch and inspect:
+```bash
+git fetch origin xt/<branch>
+git log origin/xt/<branch> --oneline -5
+```
+Decide whether the remote commits should be incorporated or overwritten, then act
+deliberately.
+
+**`gh auth` expired mid-run**: Stop the cascade immediately. Report which branches
+were successfully rebased/pushed and which were not, so the user can resume from the
+right point after re-authenticating.
+
+**Uncommitted changes on current branch**: Stash before the cascade, pop after:
+```bash
+git stash push -m "xt-merge cascade stash"
+# ... run cascade ...
+git stash pop
+```
+If `git stash pop` produces conflicts, report them — do not silently discard work.
+
 **Dependent sessions** (B was intentionally built on A's work): If session B was
 started from inside session A's worktree rather than from main, B's branch already
-contains A's commits. In this case B will rebase cleanly onto main after A merges —
-its commits are a superset. No special handling needed; the rebase just eliminates
-the duplicate commits.
-
-**Multiple conflicts across many PRs**: If the cascade produces conflicts in several
-branches, tackle them one at a time in queue order. Don't try to resolve all of them
-before pushing any — push each one as you resolve it so CI starts running in parallel
-while you work on the next.
+contains A's commits. B will rebase cleanly onto main after A merges — the rebase
+eliminates the duplicate commits. No special handling needed.
+
+**Multiple conflicts across many PRs**: Abort each failing rebase (`git rebase --abort`)
+and tackle them one at a time in queue order after the user resolves. Push each
+resolved branch immediately so CI starts running in parallel.
+
+**Rollback / abort mid-cascade**: If anything goes wrong and you need to stop cleanly:
+1. `git rebase --abort` if a rebase is in progress
+2. `git checkout <original-branch>` to return to where you started
+3. `git stash pop` if you stashed in Stage 0
+4. Report exactly which PRs were merged, which were rebased-and-pushed, and which
+   were untouched — so the user can resume or restart from the correct point.