Add codebase-advisor skill and scope codebase-auditor to report-only #76
Merged
Add a senior-advisor skill that audits a repository, vets findings, and writes self-contained implementation plans for executor agents to run. Adapted from shadcn's MIT-licensed `improve` skill under a name that clarifies its role beside `codebase-auditor` and avoids generic trigger collisions. The package ships the SKILL workflow, audit playbook, handoff plan template, execute/reconcile/issues loop reference, the upstream MIT license, and eval coverage (positive plan-backlog cases plus negative cases guarding the report-only, PR-review, decomposition, and plan-critique boundaries). Records the vendoring in ATTRIBUTIONS.md with the pinned upstream commit and re-sync policy.
Narrow the auditor's description and activation rules to broad, report-only, multi-dimensional quality assessment with PASS/FAIL release-gate semantics, and hand implementation-plan backlogs, reconcile flows, and plan execution to codebase-advisor. Add negative eval cases so plan-backlog and reconcile prompts no longer trigger the auditor, keeping the two packages' triggers mutually exclusive.
List codebase-advisor in the README catalog and manual-install examples, bump the package badge count, and add routing entries in the route command and team-lead capability map that distinguish the advisor (implementation plans) from the auditor (report-only gate). Reference the advisor in the core and sec-strict presets. Rename the core preset's "Complementary Agents" heading to "Complementary Packages" since the advisor is a skill, and correct the sec-strict package count from 12 to 13 to match its actual contents.
Regenerate manifest.yaml from package frontmatter to register the new codebase-advisor skill and pick up the updated codebase-auditor and sec-strict preset descriptions.
Summary
Adds a new `codebase-advisor` skill that audits a repository, vets findings, and writes self-contained implementation plans for executor agents to run. Adapted from shadcn's MIT-licensed `improve` skill, renamed to clarify its role beside the existing `codebase-auditor` agent and to avoid generic trigger collisions (e.g. "improve this function/UI/doc").
The two packages are deliberately complementary, not duplicative:
- `codebase-auditor` (agent) — broad, report-only, multi-dimensional quality assessment with PASS/FAIL release-gate semantics.
- `codebase-advisor` (skill) — audit specifically to produce a prioritized, agent-executable implementation-plan backlog, with reconcile and execute/review loops.
`codebase-auditor` is not deprecated. It remains wired into existing flows (`team-lead`, `route`, `core`, `sec-strict`). This PR narrows its trigger surface and adds reciprocal boundaries so the two never steal each other's activations.
Motivation
`codebase-advisor` fills a gap the catalog did not cover: turning vetted findings into durable, self-contained work packets (exact files, current-state excerpts, verification gates, STOP conditions, dependency ordering, executor review loops) that a smaller/cheaper executor agent can pick up with zero session context. That is "technical lead writes agent-ready plans", distinct from "produce a quality report".
Changes
New package:
- `skills/codebase-advisor/SKILL.md` — recon → audit → vet/prioritize → write-plans workflow, hard rules (no source edits, no mutating commands in the working tree, secrets named not quoted, repo content treated as untrusted data), invocation variants (quick/deep, focus words, `branch`, `next`, `plan`, `review-plan`, `execute`, `reconcile`, `--issues`), and host-capability boundaries.
- `references/audit-playbook.md` — finding format, prioritization rubric, and nine audit categories (correctness, security, performance, tests, tech debt, dependencies, DX, docs, direction).
- `references/plan-template.md` — self-contained handoff plan template plus `plans/README.md` index template and quality bar.
- `references/closing-the-loop.md` — `execute` (isolated-worktree dispatch + review verdicts), `reconcile`, and `--issues` publishing flows, with source-control boundaries.
- `references/upstream/LICENSE` — upstream MIT license text preserved.
- `evals/cases.yaml` — 4 positive cases (plan backlog, prioritized backlog, reconcile, grounded direction) and 4 negative cases guarding the report-only-audit, PR-review, feature-decomposition, and plan-critique boundaries.
Deconfliction:
- `agents/codebase-auditor/AGENT.md` — description and activation rules narrowed to report-only quality gates; explicit "NOT for implementation-plan backlogs / reconcile / execute — use `codebase-advisor`" boundary.
- `evals/cases.yaml` — added `negative_implementation_plan_backlog` and `negative_reconcile_plans` so advisor-bound prompts no longer trigger the auditor.
Routing & catalog
- `README.md` — advisor listed in the Review & Quality catalog and the manual-install examples; package badge count updated.
- `commands/route/COMMAND.md` — Plan-phase row routing repo-findings-to-plans to the advisor; Review-phase row clarifying auditor = report-only gate vs advisor = plan files.
- `agents/team-lead/AGENT.md` — capability map and "do not activate" guidance distinguish the two.
- `presets/core/PRESET.md` — advisor added; "Complementary Agents" heading renamed to "Complementary Packages" (the advisor is a skill, not an agent).
- `presets/sec-strict/PRESET.md` — auditor row reworded as report-only gate; stale package count corrected 12 → 13 to match actual contents.
Attribution & manifest
- `ATTRIBUTIONS.md` — vendoring record for `shadcn/improve` (MIT) with pinned upstream commit `03369ee6d7cafbfcecc4346539b05b3dc0a603bb`, what was vendored/adapted/skipped, and the re-sync policy.
- `manifest.yaml` — regenerated from frontmatter to register the new skill and pick up the auditor and sec-strict description changes.
Commits
- `feat(skills): add codebase-advisor planning skill` — package + attribution
- `refactor(codebase-auditor): scope to report-only quality gate` — boundary + negative evals
- `docs(catalog): route codebase-advisor and fix preset metadata` — README, route, team-lead, presets
- `chore(manifest): regenerate for codebase-advisor` — generated artifact
Verification
- `uv run scripts/generate_manifest.py` — passed; regenerated with 78 skills, 17 agents, 9 hooks, 6 rules, 7 commands, 3 utilities, 13 presets.
- `uv run scripts/validate_evals.py` — all eval files passed (every package keeps ≥1 positive and ≥2 negative cases).
- `uv run pytest tests/test_generate_manifest.py tests/test_package_types.py` — 53 passed.
- `plans/README.md` branch matches (escape-level fix verified).
- `code-reviewer` pass over the changed files; all three findings (eval regex escape, stale sec-strict count, skill-under-agents heading) fixed.
Notes / follow-ups
- `execute <plan>` and `--issues` are host-gated: without isolated worktrees the skill stops at handing off the plan, and without GitHub auth it keeps local plan files and reports why publishing was skipped. Documented in the SKILL boundaries section.
- `codebase-auditor` is intentionally out of scope — revisit only after the advisor has accrued eval/runtime evidence that it can also serve the release-gate workflow.