ctrlrelay 0.4.0__tar.gz → 0.5.0__tar.gz

{ctrlrelay-0.4.0 → ctrlrelay-0.5.0}/CHANGELOG.md

@@ -7,6 +7,104 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.5.0] - 2026-05-11
+
+Minor release. Three changes on the secops path; together they take the
+secops sweep from "silently drops operator decisions" to "respects per-repo
+policy and reaches the operator on every blocked decision".
+
+### Fixed
+
+- **Secops BLOCKED questions now reach the operator via Telegram.**
+  Three discrete bugs were stacking to drop every blocked secops session
+  silently (#131):
+  1. `run_secops_all` never called `transport.ask()` after a blocked
+     pipeline result. The DB row was marked `status='blocked'` and a
+     `pending_resumes` entry was inserted, but the question went nowhere.
+     Now mirrors the dev/task pipelines: post the question, await an
+     answer, resume — up to `DEFAULT_MAX_BLOCKED_ROUNDS=5` rounds. On
+     transport failure preserves `blocked=True` so the existing
+     persistence-on-blocked branch fires.
+  2. `ctrlrelay run secops` (manual CLI) was passing `transport=None`,
+     so even with the dispatch loop in place, the `is not None` gate
+     short-circuited and questions still went to pending_resumes
+     instead of Telegram. Now builds a `SocketTransport` when the
+     bridge socket is up, mirroring the scheduled-cron path.
+  3. `SocketTransport._receive_loop` resolved the per-request future on
+     the FIRST message matching `request_id`. The bridge sends two
+     messages for an ASK: an intermediate `ACK(status="pending")` then
+     a terminal `ANSWER`. Receiving the ACK fulfilled the future early
+     and `ask()` raised `TransportError("Unexpected response: BridgeOp.ACK")`.
+     Now skips `ACK(status="pending")` and waits for `ANSWER`/`ERROR`.
+
+  Real-world impact: an 86-repo secops sweep with 21 sessions hitting
+  BLOCKED produced zero Telegram messages pre-fix. Post-fix, every
+  blocked session reaches the operator with a structured question.
+
+### Added
+
+- **Auto-merge operator-authored `.github/dependabot.yml`-only PRs.**
+  The secops agent's policy treated all operator-authored PRs as needing
+  explicit approval, even ones that ONLY add an ecosystem entry to
+  `.github/dependabot.yml`. These are the prerequisite PRs the operator
+  files when bulk-enabling Dependabot across repos with branch protection,
+  and they sat indefinitely (#132). The carve-out is narrow and
+  multi-gated:
+  1. **Author check**: `author.login == $OPERATOR` (derived from
+     `gh api user --jq .login`) — collaborators, GitHub apps, or
+     external contributors are NOT eligible even for dependabot.yml-only.
+  2. **Diff check**: `gh pr diff` must be PURELY ADDITIVE — any line
+     beginning with `-` (other than `---` file headers) signals a
+     deletion or modification of existing config -> BLOCKED.
+  3. **CI check**: `gh pr checks` must all pass — a PR adding invalid
+     YAML can pass author+diff and still break Dependabot for the repo
+     if merged without this gate.
+
+  All three must pass before merge. Any one failing -> BLOCKED.
+
+- **Per-repo `automation:` policy now drives the secops agent.**
+  `orchestrator.yaml`'s per-repo `automation` block (defining
+  `dependabot_patch`, `dependabot_minor`, `dependabot_major` as
+  auto/ask/never) was decorative — the secops prompt had hardcoded
+  prose that ignored it (#133). Now `_build_prompt` accepts an
+  `AutomationConfig` and renders per-tier directives like
+  "patch updates: AUTO-MERGE", "minor updates: ASK", "major updates: NEVER"
+  per repo. `run_secops_all` puts `repo_config.automation` in
+  `ctx.extra`; `resume_secops_from_pending` accepts an `automation`
+  kwarg; the pending-resume sweeper in `cli.py` looks up the per-repo
+  policy and threads it on resume.
+
+  Operators can now set a sensitive repo to `dependabot_minor: never`
+  and the agent will actually respect it.
+
+## [0.4.1] - 2026-05-08
+
+Patch release. Two follow-ups against the v0.4.0 setup flow surfaced
+during the dogfood validation:
+
+### Fixed
+
+- **`setup` no longer lists the personalization repo under
+  `repos:`.** When the operator's personalization repo lives under
+  one of the configured owners (e.g. `alice/dotclaude` while `alice`
+  is also an enumerated owner), it was being added to the dev
+  pipeline's monitored set — the poller would have polled it for
+  issues and worktree-cloned it. The repo is the cross-machine sync
+  target, not a project; setup now drops it from the enumerated list
+  before generating the YAML.
+
+### Added
+
+- **Auto-wire detected skills on `setup`.** When the personalization
+  repo already contains `global/skills/<name>/` directories (e.g.
+  from a prior `personalization push` on another machine), setup now
+  pre-clones the repo, scans for skill subdirectories, and adds one
+  `paths:` entry per skill to the generated `personalization.paths`
+  block. Operators don't have to hand-edit the config to wire each
+  skill back on a new machine. Pass `--no-wire-skills` to opt out.
+  Hidden directories and stray top-level files are ignored — only
+  real skill packages count.
+
 ## [0.4.0] - 2026-05-08
 
 Minor release. One new feature plus one schema simplification:

{ctrlrelay-0.4.0 → ctrlrelay-0.5.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: ctrlrelay
-Version: 0.4.0
+Version: 0.5.0
 Summary: Local-first orchestrator for headless coding agents across multiple GitHub repos
 Project-URL: Homepage, https://github.com/AInvirion/ctrlrelay
 Project-URL: Documentation, https://ainvirion.github.io/ctrlrelay/

{ctrlrelay-0.4.0 → ctrlrelay-0.5.0}/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "ctrlrelay"
-version = "0.4.0"
+version = "0.5.0"
 description = "Local-first orchestrator for headless coding agents across multiple GitHub repos"
 readme = "README.md"
 requires-python = ">=3.12"

{ctrlrelay-0.4.0 → ctrlrelay-0.5.0}/src/ctrlrelay/cli.py

@@ -593,6 +593,29 @@ def run_secops(
     console.print(f"Running secops on {len(repos)} repo(s)...")
 
     async def _run():
+        # Build a transport so secops blocked questions reach Telegram.
+        # Without this, agents that end BLOCKED_NEEDS_INPUT silently land
+        # in the DB+pending_resumes and the operator never sees the
+        # question (mirror of the wiring in the scheduled path).
+        transport = None
+        if (
+            config.transport.type.value == "telegram"
+            and config.transport.telegram
+        ):
+            from ctrlrelay.transports import SocketTransport
+            sock = config.transport.telegram.socket_path.expanduser().resolve()
+            if sock.exists():
+                try:
+                    candidate = SocketTransport(sock)
+                    await candidate.connect()
+                    transport = candidate
+                except Exception as e:
+                    console.print(
+                        f"[yellow]Bridge transport connect failed ({e}) — "
+                        f"running without notifications. Blocked sessions "
+                        f"will land in pending_resumes for later resume.[/yellow]"
+                    )
+
         return await run_secops_all(
             repos=repos,
             dispatcher=dispatcher,
@@ -600,7 +623,7 @@ def run_secops(
             worktree=worktree,
             dashboard=dashboard,
             state_db=db,
-            transport=None,
+            transport=transport,
             contexts_dir=config.paths.contexts,
         )
 
@@ -1591,6 +1614,7 @@ def poller_start(
 
                     try:
                         if pipeline_name == "secops":
+                            sweep_repo_cfg = repo_cfg_by_name.get(repo)
                             result = await resume_secops_from_pending(
                                 session_id=session_id,
                                 repo=repo,
@@ -1602,6 +1626,11 @@ def poller_start(
                                 state_db=state_db,
                                 transport=sweeper_transport,
                                 contexts_dir=config.paths.contexts,
+                                automation=(
+                                    sweep_repo_cfg.automation
+                                    if sweep_repo_cfg is not None
+                                    else None
+                                ),
                             )
                         elif pipeline_name == "dev":
                             # Dev resume needs the repo's branch template
@@ -2252,6 +2281,15 @@ def setup(
         "--no-personalization",
         help="Skip the personalization prompt entirely (non-interactive mode).",
     ),
+    wire_skills: bool = typer.Option(
+        True,
+        "--wire-skills/--no-wire-skills",
+        help=(
+            "When the personalization repo already contains "
+            "global/skills/<name>/ directories, add a paths: entry per "
+            "skill so they sync to ~/.claude/skills/<name>/. Default: on."
+        ),
+    ),
     install_daemons: bool = typer.Option(
         False,
         "--install-daemons",
@@ -2412,6 +2450,7 @@ def setup(
         telegram_chat_id=telegram_chat_id,
         telegram_token=token,
         personalization_repo=chosen_personalization,
+        wire_skills=wire_skills,
         install_daemons=chosen_install_daemons,
         skip_archived=skip_archived,
         skip_forks=skip_forks,

{ctrlrelay-0.4.0 → ctrlrelay-0.5.0}/src/ctrlrelay/pipelines/secops.py

@@ -21,6 +21,8 @@ from ctrlrelay.transports.base import Transport
 
 _logger = get_logger("pipeline.secops")
 
+DEFAULT_MAX_BLOCKED_ROUNDS = 5
+
 
 def _question_for_persist(session_id: str, result: PipelineResult) -> str:
     """Return a non-empty question string for pending_resumes storage.
@@ -58,6 +60,7 @@ class SecopsPipeline:
             ctx.repo,
             session_id=ctx.session_id,
             state_file=ctx.state_file,
+            automation=ctx.extra.get("automation"),
         )
 
         result = await self._spawn(ctx, prompt, resume=False)
@@ -123,21 +126,118 @@ class SecopsPipeline:
         repo: str,
         session_id: str = "",
         state_file: Path | None = None,
+        automation: Any = None,
     ) -> str:
-        """Build the secops prompt."""
+        """Build the secops prompt.
+
+        ``automation`` is an optional ``AutomationConfig`` carrying the
+        per-repo Dependabot policy (auto/ask/never per severity tier).
+        When provided, the prompt explicitly tells the agent which tiers
+        auto-merge vs ask vs never-merge. When ``None``, falls back to
+        the default policy (patch=auto, minor=ask, never-major) so
+        existing callers and the schema defaults stay coherent."""
         state_file_path = str(state_file) if state_file else "/tmp/state.json"
 
+        # Translate per-repo policy into prompt directives. Use defaults
+        # from AutomationConfig if no policy was passed.
+        patch_pol = (
+            automation.dependabot_patch.value
+            if automation is not None and hasattr(automation, "dependabot_patch")
+            else "auto"
+        )
+        minor_pol = (
+            automation.dependabot_minor.value
+            if automation is not None and hasattr(automation, "dependabot_minor")
+            else "ask"
+        )
+        major_pol = (
+            automation.dependabot_major.value
+            if automation is not None and hasattr(automation, "dependabot_major")
+            else "never"
+        )
+
+        def _policy_directive(tier: str, policy: str) -> str:
+            if policy == "auto":
+                return (
+                    f"     - {tier}: AUTO-MERGE with passing CI. Squash + "
+                    "delete branch."
+                )
+            if policy == "ask":
+                return (
+                    f"     - {tier}: ASK — signal BLOCKED with a one-line "
+                    f"summary so the operator decides."
+                )
+            return (
+                f"     - {tier}: NEVER — do not merge. Leave the PR open "
+                "for manual review."
+            )
+
+        dependabot_policy_block = "\n".join(
+            [
+                _policy_directive("patch updates", patch_pol),
+                _policy_directive("minor updates", minor_pol),
+                _policy_directive("major updates", major_pol),
+            ]
+        )
+
         return f"""Execute security operations for repository {repo}.
 
 1. Check Dependabot alerts:
    `gh api repos/{repo}/dependabot/alerts --jq '.[] | select(.state=="open")'`
-2. Check security PRs:
+2. Check Dependabot-authored security PRs:
    `gh pr list --repo {repo} --author "app/dependabot" --json number,title`
-3. For each alert or PR:
-   - Review the severity and impact
-   - If patch/minor update with passing CI, merge the PR
-   - If major or unclear, signal BLOCKED to ask for guidance
-4. Summarize actions taken
+3. Determine the trusted operator's GitHub login (the identity the
+   agent itself runs as). The auto-merge carve-out below applies ONLY
+   to PRs authored by this exact login — never to other contributors,
+   apps, or bots even if their PR looks safe:
+   `OPERATOR=$(gh api user --jq '.login')`
+4. Check open PRs authored by the trusted operator that enable
+   Dependabot itself. These are prerequisites for future Dependabot
+   work and block the security pipeline if left open:
+   `gh pr list --repo {repo} --state open --author "$OPERATOR" --json number,title,files`
+   For each, inspect files: `gh pr view <NUM> --repo {repo} --json files`
+5. For each alert or PR:
+   - **Dependabot PRs**: classify the update as patch/minor/major and
+     apply the per-repo policy below. If the severity is unclear, signal
+     BLOCKED to ask for guidance.
+
+{dependabot_policy_block}
+   - **PR authored by `$OPERATOR` touching ONLY `.github/dependabot.yml`**
+     (additive ecosystem entries, no other files changed): MAYBE
+     auto-merge — but only after diff validation. These are the
+     "enable Dependabot" prerequisites the operator opened.
+
+     Required validation BEFORE merging:
+     a. **Author check**: confirm `author.login` exactly equals
+        `$OPERATOR`. Collaborators, GitHub apps, or external
+        contributors can craft a `dependabot.yml`-only PR to slip
+        past review — those go to BLOCKED, not auto-merge.
+     b. **Diff check**: pull the diff and confirm it is PURELY
+        ADDITIVE — no `-` lines (deletions or modifications of
+        existing stanzas), only `+` lines that introduce new
+        `package-ecosystem` blocks. Run:
+        `gh pr diff <NUM> --repo {repo}`
+        If any line in the diff begins with `-` (other than `---`
+        file headers), the PR modifies or removes existing config:
+        signal BLOCKED with a one-line summary like "operator
+        dependabot.yml PR #N modifies existing config — needs
+        review". Do NOT auto-merge.
+     c. **CI check**: confirm all status checks pass (matches the
+        Dependabot PR rule above). Run:
+        `gh pr checks <NUM> --repo {repo}`
+        Any failing or pending check -> BLOCKED. A PR that adds
+        invalid dependabot YAML can pass author+diff but fail
+        repo validation; without this gate the agent could merge
+        broken config and break Dependabot for the repo.
+
+     If (a), (b), AND (c) all pass: merge with squash, delete the
+     branch. If any one fails: BLOCKED.
+   - **Any other PR from `$OPERATOR`** (touches code, tests, configs
+     other than dependabot.yml): signal BLOCKED for operator approval.
+     Never auto-merge code changes, even from the trusted operator.
+   - **PRs from anyone else** (collaborators, contributors, other bots):
+     signal BLOCKED. Never on this path.
+6. Summarize actions taken
 
 ## Signaling Completion
 
@@ -214,6 +314,7 @@ async def run_secops_all(
     state_db: StateDB,
     transport: Transport | None,
     contexts_dir: Path,
+    max_blocked_rounds: int = DEFAULT_MAX_BLOCKED_ROUNDS,
 ) -> list[PipelineResult]:
     """Run secops pipeline on all configured repos."""
     results = []
@@ -260,6 +361,7 @@ async def run_secops_all(
                 worktree_path=worktree_path,
                 context_path=context_path,
                 state_file=state_file,
+                extra={"automation": getattr(repo_config, "automation", None)},
             )
 
             state_db.execute(
@@ -271,6 +373,51 @@ async def run_secops_all(
             session_row_inserted = True
 
             result = await pipeline.run(ctx)
+
+            # BLOCKED loop: when the agent ends BLOCKED_NEEDS_INPUT, push
+            # the question to the operator via the configured transport
+            # (Telegram), wait for an answer, and resume. Mirrors the
+            # dev/task pipelines — without this, secops blocked sessions
+            # silently land as "blocked" in the DB without ever reaching
+            # the operator. transport.ask() failure preserves blocked=True
+            # so the persistence-on-blocked branch below still fires and
+            # writes a pending_resumes row that a later out-of-band reply
+            # could resume via the sweeper.
+            rounds = 0
+            while (
+                result.blocked
+                and transport is not None
+                and rounds < max_blocked_rounds
+            ):
+                question = _question_for_persist(session_id, result)
+                try:
+                    answer = await transport.ask(
+                        question,
+                        session_id=session_id,
+                        repo=repo,
+                    )
+                except Exception as e:
+                    log_event(
+                        _logger,
+                        "secops.transport.ask_failed",
+                        session_id=session_id,
+                        repo=repo,
+                        error_type=type(e).__name__,
+                        error=str(e)[:200],
+                    )
+                    result = PipelineResult(
+                        success=False,
+                        blocked=True,
+                        session_id=session_id,
+                        summary=f"Blocked session deferred (transport): {e}",
+                        error=str(e),
+                        question=question,
+                        outputs=result.outputs,
+                    )
+                    break
+                rounds += 1
+                result = await pipeline.resume(ctx, answer)
+
             results.append(result)
 
             status = "done" if result.success else ("blocked" if result.blocked else "failed")
@@ -452,6 +599,7 @@ async def resume_secops_from_pending(
     state_db: StateDB,
     transport: Transport | None,
     contexts_dir: Path,
+    automation: Any = None,
 ) -> PipelineResult:
     """Resume a BLOCKED secops session using an answer that arrived via
     Telegram after the original session had already torn down.
@@ -497,6 +645,7 @@ async def resume_secops_from_pending(
             worktree_path=worktree_path,
             context_path=context_path,
             state_file=state_file,
+            extra={"automation": automation},
         )
 
         # Flip the session back to running so an observer sees progress,

{ctrlrelay-0.4.0 → ctrlrelay-0.5.0}/src/ctrlrelay/setup.py

@@ -23,11 +23,14 @@ from ctrlrelay.core.config import Config, load_config
 __all__ = [
     "SetupOptions",
     "SetupResult",
+    "PersonalizationPath",
     "GhAuthError",
     "VALID_TRANSPORTS",
     "DEFAULT_CONFIG_OUT",
+    "DEFAULT_PERSONALIZATION_CHECKOUT",
     "detect_owners",
     "list_repos",
+    "detect_personalization_skills",
     "build_orchestrator_yaml",
     "clone_repos",
     "run_setup",
@@ -45,6 +48,11 @@ VALID_TRANSPORTS = ("file_mock", "telegram")
 # orphan them, so setup refuses that combo (see ``run_setup``).
 DEFAULT_CONFIG_OUT = Path("~/.config/ctrlrelay/orchestrator.yaml").expanduser()
 
+# Mirrors ``Personalization.checkout_path``'s default. Setup pre-clones
+# into this path before generating the YAML so we can scan for skill
+# directories and wire them in the same setup run (see #129 follow-up).
+DEFAULT_PERSONALIZATION_CHECKOUT = Path("~/.ctrlrelay/personalization").expanduser()
+
 
 class GhAuthError(RuntimeError):
     """Raised when ``gh auth status`` fails — setup needs an authenticated gh CLI."""
@@ -72,11 +80,32 @@ class SetupOptions:
     telegram_chat_id: int | None = None
     telegram_token: str | None = None  # only used when transport == "telegram"
     personalization_repo: str | None = None  # e.g. "alice/dotclaude"
+    # When True (the default) and ``personalization_repo`` is set,
+    # setup pre-clones the personalization repo and scans
+    # ``global/skills/<name>/`` for existing skill directories,
+    # wiring each as its own ``paths:`` entry. Skills already laid
+    # down by the operator on a prior machine then auto-sync to this
+    # one without a hand-edit.
+    wire_skills: bool = True
     install_daemons: bool = False
     force: bool = False
     skip_clone: bool = False  # for tests / dry-run scenarios
 
 
+@dataclass
+class PersonalizationPath:
+    """One source/target pair for the personalization block.
+
+    Setup uses this to assemble the ``personalization.paths`` list:
+    the always-on ``global/CLAUDE.md`` entry plus any auto-detected
+    skills. Kept as a flat dataclass so tests can construct lists
+    without touching the YAML output format.
+    """
+
+    source: str
+    target: str
+
+
 @dataclass
 class SetupResult:
     """End-state summary returned by :func:`run_setup`."""
@@ -168,15 +197,118 @@ def list_repos(
     return sorted(result, key=lambda r: r["nameWithOwner"].lower())
 
 
+# ---------------------------------------------------------------------------
+# personalization helpers
+
+
+def _ensure_personalization_clone(
+    repo: str, checkout: Path
+) -> bool:
+    """Make sure ``checkout`` is a clone of ``github.com:<repo>.git``.
+
+    Returns True if the clone is present and matches ``repo`` (existing
+    or freshly created), False if the remote refused (auth error, repo
+    doesn't exist) OR the existing checkout points at a different repo.
+    Errors are swallowed so setup proceeds with the default
+    CLAUDE.md-only personalization paths — a missing or unrelated
+    remote shouldn't abort the whole onboarding flow, but we also must
+    not scan an unrelated working tree's skills and bake them into the
+    new config (codex review pass 2).
+    """
+    if (checkout / ".git").is_dir():
+        return _checkout_matches_repo(checkout, repo)
+    checkout.parent.mkdir(parents=True, exist_ok=True)
+    # Use HTTPS to match ``PersonalizationManager.repo_url`` so the
+    # pre-scan works for operators authenticated to GitHub via gh
+    # tokens / HTTPS without an SSH key on the machine. Codex review
+    # pass 3 caught the SSH/HTTPS mismatch — pre-scan would silently
+    # fail, the manager's own init() would later succeed via HTTPS,
+    # and the auto-wire feature would be bypassed in a common setup.
+    proc = subprocess.run(
+        ["git", "clone", "--quiet", f"https://github.com/{repo}.git", str(checkout)],
+        capture_output=True,
+        text=True,
+    )
+    return proc.returncode == 0
+
+
+def _checkout_matches_repo(checkout: Path, repo: str) -> bool:
+    """Return True iff the existing ``checkout``'s origin remote points
+    at ``github.com:<repo>``.
+
+    Accepts the three URL forms git emits for github.com remotes:
+    ``https://github.com/owner/repo(.git)``,
+    ``git@github.com:owner/repo(.git)``, and
+    ``ssh://git@github.com/owner/repo(.git)``. Comparison is
+    case-insensitive — GitHub repo names are. Any other host or any
+    error reading the remote returns False (treated as "not ours").
+    """
+    proc = subprocess.run(
+        ["git", "-C", str(checkout), "remote", "get-url", "origin"],
+        capture_output=True,
+        text=True,
+    )
+    if proc.returncode != 0:
+        return False
+    url = proc.stdout.strip()
+    expected = repo.lower()
+    # Strip the optional ``.git`` suffix and reduce each accepted URL
+    # form to ``owner/repo`` for the comparison.
+    if url.endswith(".git"):
+        url = url[: -len(".git")]
+    for prefix in (
+        "https://github.com/",
+        "ssh://git@github.com/",
+        "git@github.com:",
+    ):
+        if url.startswith(prefix):
+            return url[len(prefix):].lower() == expected
+    return False
+
+
+def detect_personalization_skills(checkout: Path) -> list[PersonalizationPath]:
+    """Return a sorted list of per-skill ``paths:`` entries derived from
+    ``<checkout>/global/skills/``.
+
+    Each direct subdirectory becomes one entry mapping
+    ``global/skills/<name>/`` -> ``~/.claude/skills/<name>/``. Hidden
+    dirs (``.foo``) and files at the top level are skipped — only
+    actual skill packages count. Returns an empty list when the
+    directory is missing.
+    """
+    skills_dir = checkout / "global" / "skills"
+    if not skills_dir.is_dir():
+        return []
+    paths: list[PersonalizationPath] = []
+    for entry in sorted(skills_dir.iterdir(), key=lambda p: p.name.lower()):
+        if not entry.is_dir() or entry.name.startswith("."):
+            continue
+        paths.append(
+            PersonalizationPath(
+                source=f"global/skills/{entry.name}/",
+                target=f"~/.claude/skills/{entry.name}/",
+            )
+        )
+    return paths
+
+
 # ---------------------------------------------------------------------------
 # config generation
 
 
 def build_orchestrator_yaml(
-    options: SetupOptions, repos_by_owner: dict[str, list[dict]]
+    options: SetupOptions,
+    repos_by_owner: dict[str, list[dict]],
+    personalization_paths: list[PersonalizationPath] | None = None,
 ) -> str:
     """Render the orchestrator.yaml as a string (no pyyaml — we want full
     control over comments and key order).
+
+    ``personalization_paths`` is the full list of ``paths:`` entries to
+    emit under the personalization block. When ``None`` and a
+    personalization repo is configured, defaults to the always-on
+    ``global/CLAUDE.md`` mapping. Pass an explicit list to add detected
+    skills (see :func:`detect_personalization_skills`).
     """
     lines: list[str] = []
     a = lines.append
@@ -222,11 +354,19 @@ def build_orchestrator_yaml(
     a('  secops_cron: "0 6 * * *"')
     a("")
     if options.personalization_repo:
+        if personalization_paths is None:
+            personalization_paths = [
+                PersonalizationPath(
+                    source="global/CLAUDE.md",
+                    target="~/.claude/CLAUDE.md",
+                )
+            ]
         a("personalization:")
         a(f'  repo: "{options.personalization_repo}"')
         a("  paths:")
-        a('    - source: "global/CLAUDE.md"')
-        a('      target: "~/.claude/CLAUDE.md"')
+        for entry in personalization_paths:
+            a(f'    - source: "{_yaml_escape(entry.source)}"')
+            a(f'      target: "{_yaml_escape(entry.target)}"')
         a("")
     a("# Repos discovered via `gh repo list`. Filters applied:")
     a(
@@ -345,11 +485,51 @@ def run_setup(options: SetupOptions) -> SetupResult:
 
     repos_by_owner: dict[str, list[dict]] = {}
     for owner in options.owners:
-        repos_by_owner[owner] = list_repos(
+        repos = list_repos(
             owner, skip_archived=options.skip_archived, skip_forks=options.skip_forks
         )
+        # Drop the personalization repo if it surfaced under one of the
+        # configured owners. It's the cross-machine sync target, not a
+        # project the dev pipeline should monitor for issues — listing
+        # it under ``repos:`` alongside the per-machine personalization
+        # checkout would have ctrlrelay polling and worktree-cloning
+        # the operator's own dotfiles. Comparison is case-insensitive
+        # because GitHub repo names are case-insensitive: ``alice/foo``
+        # and ``Alice/Foo`` resolve to the same repo, so an operator
+        # passing one casing while ``gh repo list`` returned the other
+        # would otherwise dodge the filter (codex review pass 1).
+        if options.personalization_repo:
+            personalization_norm = options.personalization_repo.lower()
+            repos = [
+                r for r in repos
+                if r["nameWithOwner"].lower() != personalization_norm
+            ]
+        repos_by_owner[owner] = repos
+
+    # Build the personalization paths list BEFORE writing the YAML so
+    # auto-detected skills end up baked into the file the operator
+    # eventually edits. Pre-clone the personalization repo if needed
+    # (it might already exist from a prior setup run on this machine).
+    personalization_paths: list[PersonalizationPath] | None = None
+    if options.personalization_repo:
+        personalization_paths = [
+            PersonalizationPath(
+                source="global/CLAUDE.md",
+                target="~/.claude/CLAUDE.md",
+            )
+        ]
+        if options.wire_skills:
+            cloned_for_scan = _ensure_personalization_clone(
+                options.personalization_repo, DEFAULT_PERSONALIZATION_CHECKOUT
+            )
+            if cloned_for_scan:
+                personalization_paths.extend(
+                    detect_personalization_skills(DEFAULT_PERSONALIZATION_CHECKOUT)
+                )
 
-    yaml_text = build_orchestrator_yaml(options, repos_by_owner)
+    yaml_text = build_orchestrator_yaml(
+        options, repos_by_owner, personalization_paths=personalization_paths
+    )
     options.config_out.parent.mkdir(parents=True, exist_ok=True)
     options.config_out.write_text(yaml_text)