From a2fadc90e69343db75eb84a1366154270a58bc73 Mon Sep 17 00:00:00 2001
From: Emeric Favarel <47535798+moukrea@users.noreply.github.com>
Date: Fri, 3 Apr 2026 14:39:47 +0200
Subject: [PATCH] feat(git-master): add comprehensive git workflow control
plugin
---
.claude-plugin/marketplace.json | 26 +-
plugins/git-master/.claude-plugin/plugin.json | 24 +
plugins/git-master/README.md | 110 +++
.../git-master/agents/adversarial-reviewer.md | 185 +++++
.../git-master/agents/performance-reviewer.md | 185 +++++
plugins/git-master/agents/pipeline-doctor.md | 201 ++++++
.../git-master/agents/security-reviewer.md | 198 ++++++
plugins/git-master/commands/config.md | 87 +++
plugins/git-master/commands/init.md | 114 +++
plugins/git-master/defaults/config.yml | 182 +++++
plugins/git-master/hooks/hooks.json | 50 ++
plugins/git-master/scripts/lib/config.sh | 586 ++++++++++++++++
.../scripts/lib/provider-bitbucket.sh | 474 +++++++++++++
.../git-master/scripts/lib/provider-detect.sh | 208 ++++++
.../scripts/lib/provider-dispatch.sh | 139 ++++
.../scripts/lib/provider-generic.sh | 149 ++++
.../git-master/scripts/lib/provider-gitea.sh | 489 +++++++++++++
.../git-master/scripts/lib/provider-github.sh | 536 ++++++++++++++
.../git-master/scripts/lib/provider-gitlab.sh | 658 ++++++++++++++++++
plugins/git-master/scripts/post-tool-use.sh | 72 ++
plugins/git-master/scripts/pre-tool-use.sh | 336 +++++++++
plugins/git-master/scripts/session-start.sh | 49 ++
plugins/git-master/scripts/stop-check.sh | 54 ++
plugins/git-master/settings.json | 13 +
plugins/git-master/skills/committing/SKILL.md | 158 +++++
.../references/commit-conventions.md | 179 +++++
.../git-master/skills/creating-pr/SKILL.md | 246 +++++++
.../creating-pr/references/pr-templates.md | 148 ++++
.../skills/fixing-pipeline/SKILL.md | 135 ++++
.../fixing-pipeline/references/ci-patterns.md | 111 +++
.../git-master/skills/monitoring-pr/SKILL.md | 198 ++++++
.../git-master/skills/reviewing-pr/SKILL.md | 200 ++++++
.../references/review-checklist.md | 195 ++++++
plugins/git-master/skills/setting-up/SKILL.md | 169 +++++
.../setting-up/references/config-schema.md | 194 ++++++
.../git-master/skills/showing-status/SKILL.md | 193 +++++
36 files changed, 7250 insertions(+), 1 deletion(-)
create mode 100644 plugins/git-master/.claude-plugin/plugin.json
create mode 100644 plugins/git-master/README.md
create mode 100644 plugins/git-master/agents/adversarial-reviewer.md
create mode 100644 plugins/git-master/agents/performance-reviewer.md
create mode 100644 plugins/git-master/agents/pipeline-doctor.md
create mode 100644 plugins/git-master/agents/security-reviewer.md
create mode 100644 plugins/git-master/commands/config.md
create mode 100644 plugins/git-master/commands/init.md
create mode 100644 plugins/git-master/defaults/config.yml
create mode 100644 plugins/git-master/hooks/hooks.json
create mode 100755 plugins/git-master/scripts/lib/config.sh
create mode 100755 plugins/git-master/scripts/lib/provider-bitbucket.sh
create mode 100755 plugins/git-master/scripts/lib/provider-detect.sh
create mode 100755 plugins/git-master/scripts/lib/provider-dispatch.sh
create mode 100755 plugins/git-master/scripts/lib/provider-generic.sh
create mode 100755 plugins/git-master/scripts/lib/provider-gitea.sh
create mode 100755 plugins/git-master/scripts/lib/provider-github.sh
create mode 100755 plugins/git-master/scripts/lib/provider-gitlab.sh
create mode 100755 plugins/git-master/scripts/post-tool-use.sh
create mode 100755 plugins/git-master/scripts/pre-tool-use.sh
create mode 100755 plugins/git-master/scripts/session-start.sh
create mode 100755 plugins/git-master/scripts/stop-check.sh
create mode 100644 plugins/git-master/settings.json
create mode 100644 plugins/git-master/skills/committing/SKILL.md
create mode 100644 plugins/git-master/skills/committing/references/commit-conventions.md
create mode 100644 plugins/git-master/skills/creating-pr/SKILL.md
create mode 100644 plugins/git-master/skills/creating-pr/references/pr-templates.md
create mode 100644 plugins/git-master/skills/fixing-pipeline/SKILL.md
create mode 100644 plugins/git-master/skills/fixing-pipeline/references/ci-patterns.md
create mode 100644 plugins/git-master/skills/monitoring-pr/SKILL.md
create mode 100644 plugins/git-master/skills/reviewing-pr/SKILL.md
create mode 100644 plugins/git-master/skills/reviewing-pr/references/review-checklist.md
create mode 100644 plugins/git-master/skills/setting-up/SKILL.md
create mode 100644 plugins/git-master/skills/setting-up/references/config-schema.md
create mode 100644 plugins/git-master/skills/showing-status/SKILL.md
diff --git a/.claude-plugin/marketplace.json b/.claude-plugin/marketplace.json
index 9bf4b52..996bd1b 100644
--- a/.claude-plugin/marketplace.json
+++ b/.claude-plugin/marketplace.json
@@ -6,7 +6,7 @@
},
"metadata": {
"description": "Productivity and security plugins for Claude Code",
- "version": "1.1.13",
+ "version": "1.1.14",
"pluginRoot": "./plugins"
},
"plugins": [
@@ -48,6 +48,30 @@
"credentials"
],
"category": "productivity"
+ },
+ {
+ "name": "git-master",
+ "source": "./plugins/git-master",
+ "description": "Comprehensive git workflow control: commit conventions, PR/MR automation, multi-provider support, adversarial code review, and CI/CD pipeline integration",
+ "version": "0.1.0",
+ "author": {
+ "name": "moukrea"
+ },
+ "homepage": "https://github.com/moukrea/claude-code-plugins",
+ "repository": "https://github.com/moukrea/claude-code-plugins",
+ "license": "MIT",
+ "keywords": [
+ "git",
+ "commit",
+ "pull-request",
+ "merge-request",
+ "code-review",
+ "ci-cd",
+ "github",
+ "gitlab",
+ "conventional-commits"
+ ],
+ "category": "developer-tools"
}
]
}
diff --git a/plugins/git-master/.claude-plugin/plugin.json b/plugins/git-master/.claude-plugin/plugin.json
new file mode 100644
index 0000000..953200e
--- /dev/null
+++ b/plugins/git-master/.claude-plugin/plugin.json
@@ -0,0 +1,24 @@
+{
+ "name": "git-master",
+ "version": "0.1.0",
+ "description": "Comprehensive git workflow control: commit conventions, PR/MR automation, multi-provider support, adversarial code review, and CI/CD pipeline integration",
+ "author": {
+ "name": "moukrea"
+ },
+ "license": "MIT",
+ "keywords": [
+ "git",
+ "commit",
+ "pull-request",
+ "merge-request",
+ "code-review",
+ "ci-cd",
+ "github",
+ "gitlab",
+ "conventional-commits"
+ ],
+ "skills": [
+ "./skills/"
+ ],
+ "commands": "./commands/"
+}
diff --git a/plugins/git-master/README.md b/plugins/git-master/README.md
new file mode 100644
index 0000000..b837c74
--- /dev/null
+++ b/plugins/git-master/README.md
@@ -0,0 +1,110 @@
+# git-master
+
+A Claude Code plugin for comprehensive git workflow control.
+
+## Features
+
+- **Commit conventions** — Enforce Conventional Commits, Angular, Gitmoji, or custom patterns. Validates messages, types, scopes, and subject length via hooks.
+- **PR/MR automation** — Create pull requests (GitHub) and merge requests (GitLab) with configurable templates, auto-labels, size labels, reviewer assignment, and description auto-population from commits.
+- **Multi-provider support** — Works with GitHub (`gh`), GitLab (`glab`), Gitea (`tea`), Bitbucket, and private instances. Auto-detects provider from remote URL with CLI fallback chains.
+- **Code review** — Standard review checklist plus specialized review agents:
+ - **Adversarial reviewer** (opus) — devil's advocate that finds edge cases, race conditions, and logic errors
+ - **Security reviewer** — OWASP-focused analysis with CWE references
+ - **Performance reviewer** — N+1 queries, memory leaks, algorithmic complexity
+- **Pipeline diagnostics** — Fetch CI/CD failure logs, diagnose root causes, propose fixes, and retry failed jobs.
+- **Hierarchical configuration** — YAML config at directory, project, user, and plugin levels with deep merge.
+
+## Installation
+
+```bash
+# Local testing
+claude --plugin-dir /path/to/git-master
+
+# Or add to settings
+# In ~/.claude/settings.json under "plugins"
+```
+
+## Configuration
+
+Create `.git-master.yml` at your project root (or `~/.config/git-master/config.yml` for global defaults):
+
+```yaml
+commit:
+ convention: conventional
+ scope_required: false
+ subject:
+ max_length: 72
+
+pr:
+ draft: false
+ auto_labels: true
+ merge_strategy: squash
+
+review:
+ adversarial: true
+ security: true
+
+branch:
+ protected: [main, master]
+```
+
+See `defaults/config.yml` for the full schema with all options.
+
+### Config precedence (highest to lowest)
+
+1. `GIT_MASTER_*` environment variables
+2. `.git-master.yml` in current/ancestor directories
+3. `.git-master.yml` at project root
+4. `~/.config/git-master/config.yml`
+5. Plugin defaults
+
+## Skills (auto-triggered)
+
+| Skill | Trigger phrases |
+|-------|----------------|
+| **committing** | "commit", "create a commit", "git commit" |
+| **creating-pr** | "create PR", "open pull request", "create MR" |
+| **reviewing-pr** | "review PR", "code review", "check this PR" |
+| **monitoring-pr** | "check PR status", "is the pipeline passing" |
+| **fixing-pipeline** | "fix pipeline", "fix CI", "fix the build" |
+| **setting-up** | "set up git-master", "configure git-master" |
+| **showing-status** | "git-master status", "show configuration" |
+
+## Commands
+
+| Command | Description |
+|---------|-------------|
+| `/git-master:config` | View or edit configuration |
+| `/git-master:init` | Initialize config for current project |
+
+## Agents
+
+| Agent | Model | Purpose |
+|-------|-------|---------|
+| adversarial-reviewer | opus | Hostile code review finding real bugs |
+| security-reviewer | sonnet | Security-focused OWASP analysis |
+| performance-reviewer | sonnet | Performance and scalability review |
+| pipeline-doctor | sonnet | CI/CD failure diagnosis |
+
+## Hooks
+
+| Event | Purpose |
+|-------|---------|
+| SessionStart | Load config, detect provider, inject context |
+| PreToolUse (Bash) | Validate commit messages, block protected branch push, block force push, validate PR titles |
+| PostToolUse (Bash) | Guidance after merge conflicts, push rejections, successful commits |
+| Stop | Warn about staged uncommitted files, unresolved conflicts, active rebase/merge |
+
+## Provider support
+
+| Provider | CLI | API fallback | Status |
+|----------|-----|-------------|--------|
+| GitHub | `gh` | REST API | Full |
+| GitLab | `glab` | API v4 | Full |
+| Gitea | `tea` | API v1 | Full |
+| Bitbucket | — | REST API | Partial |
+| Generic | `git` | — | Local only |
+
+## License
+
+MIT
diff --git a/plugins/git-master/agents/adversarial-reviewer.md b/plugins/git-master/agents/adversarial-reviewer.md
new file mode 100644
index 0000000..99447a4
--- /dev/null
+++ b/plugins/git-master/agents/adversarial-reviewer.md
@@ -0,0 +1,185 @@
+---
+name: adversarial-reviewer
+description: |
+ Hostile adversarial code reviewer that assumes every change is wrong until proven otherwise. Performs deep analysis of code changes looking for logical errors, edge cases, race conditions, incorrect assumptions, missing validation, data loss scenarios, and security-adjacent bugs.
+
+ Use this agent when you need a thorough, skeptical review that goes beyond style and convention to find real bugs.
+
+
+ User: Review this authentication change that switches from session cookies to JWT tokens
+ Agent: Performs threat modeling on the auth flow, checks token validation, expiry handling, refresh logic, revocation gaps, timing attacks, and privilege escalation paths
+
+
+
+ User: Review this pricing calculation engine that handles discounts, taxes, and currency conversion
+ Agent: Probes edge cases like negative quantities, zero-division in discount stacking, floating-point precision loss in currency math, rounding inconsistencies, and order-of-operations bugs
+
+
+
+ User: Review this async job queue that processes payments in parallel
+ Agent: Identifies race conditions in job claiming, double-processing risks, lost updates from concurrent writes, missing idempotency keys, and failure modes during partial completion
+
+model: opus
+color: red
+tools:
+ - Read
+ - Grep
+ - Glob
+ - Bash
+---
+
+You are the Adversarial Reviewer — a hostile, relentless code reviewer who assumes every change is wrong until proven otherwise. You are professional, never rude, but absolutely uncompromising. Your job is to find bugs, not to make developers feel good.
+
+# Core Philosophy
+
+- Every line of code is guilty until proven innocent.
+- "It works on my machine" is not evidence. "It passes tests" is necessary but insufficient.
+- Your value comes from finding what others miss. Be the attacker, not the cheerleader.
+- If you cannot construct a concrete exploit or failure scenario, only then may you consider code safe — and you must explain why.
+
+# Review Process
+
+Follow this exact sequence for every review:
+
+## Step 1: Understand the Change
+
+1. Read the diff or changed files completely. Do not skim.
+2. Identify what the change is trying to accomplish.
+3. Map the data flow: where does input come from, how is it transformed, where does it go?
+4. Identify all trust boundaries the change crosses (user input, network, filesystem, database, IPC, shared memory).
+
+## Step 2: Build a Threat Model
+
+Before writing any findings, construct a mental model:
+
+- **Attack surface:** What new inputs, endpoints, or code paths does this change expose?
+- **Assumptions:** What does the code assume about its inputs, environment, or dependencies? List every implicit assumption.
+- **Failure modes:** What happens when each assumption is violated?
+- **Blast radius:** If this code fails, what else breaks? Is there data loss? Is there a recovery path?
+
+## Step 3: Systematic Analysis
+
+Apply each of these lenses to the change:
+
+### Logical Correctness
+- Off-by-one errors in loops, slices, ranges, and boundary conditions
+- Incorrect boolean logic (De Morgan's law violations, short-circuit evaluation bugs)
+- Wrong operator (= vs ==, & vs &&, | vs ||)
+- Integer overflow/underflow, signed/unsigned confusion
+- Floating-point comparison and precision bugs
+- Null/undefined/nil dereference paths
+- Unreachable code, dead branches, impossible conditions
+
+### State Management
+- TOCTOU (time-of-check-time-of-use) bugs
+- Race conditions in concurrent or async code
+- Shared mutable state without proper synchronization
+- Stale reads, lost updates, phantom reads
+- Inconsistent state after partial failure (no atomicity)
+- Resource leaks (file handles, connections, locks, memory)
+- Deadlock potential in lock ordering
+
+### Error Handling
+- Swallowed exceptions or ignored error returns
+- Generic catch-all handlers that mask real failures
+- Error paths that leave state inconsistent
+- Missing rollback/cleanup on failure
+- Retry logic without idempotency guarantees
+- Panics/crashes in code that should degrade gracefully
+
+### Data Integrity
+- Missing validation on inputs (type, range, length, format, encoding)
+- Trusting data from untrusted sources
+- Data loss scenarios (overwrites, truncation, silent drops)
+- Encoding/decoding mismatches (UTF-8, base64, URL encoding)
+- Schema evolution and backward compatibility
+
+### Edge Cases
+- Empty collections, zero-length strings, nil/null values
+- Maximum and minimum values for numeric types
+- Unicode edge cases (zero-width chars, RTL marks, combining chars)
+- Timezone and DST handling
+- Leap years, leap seconds
+- Very large inputs, very small inputs
+- Concurrent access patterns
+
+## Step 4: Report Findings
+
+### Output Format
+
+Begin with the threat model summary:
+
+```
+## Threat Model
+
+**Change scope:** [one sentence describing what changed]
+**Attack surface:** [new inputs/endpoints/paths]
+**Key assumptions:** [numbered list]
+**Blast radius:** [what breaks if this fails]
+```
+
+Then list findings by severity:
+
+```
+## Findings
+
+### CRITICAL — [short title]
+**Location:** `file.py:42`
+**Attack vector:** [how an attacker or bad input triggers this]
+**Impact:** [what happens — data loss, privilege escalation, crash, etc.]
+**Exploit scenario:**
+[Step-by-step concrete scenario showing how this fails]
+**Recommended fix:**
+[Specific code change or approach]
+
+### HIGH — [short title]
+...
+
+### MEDIUM — [short title]
+...
+
+### LOW — [short title]
+...
+```
+
+End with a verdict:
+
+```
+## Verdict
+
+[REJECT / REJECT WITH FIXES / CONDITIONAL APPROVE / APPROVE]
+
+[2-3 sentences summarizing overall assessment. If approving, state what convinced you. If rejecting, state what must change.]
+```
+
+# Severity Definitions
+
+- **CRITICAL:** Exploitable in production. Data loss, security breach, or system crash. Must fix before merge.
+- **HIGH:** Likely to cause bugs in real usage. Wrong behavior under realistic conditions. Should fix before merge.
+- **MEDIUM:** Edge case that could cause issues. Defensive fix recommended. Acceptable risk if documented.
+- **LOW:** Code smell, maintainability concern, or theoretical issue. Fix at discretion.
+
+# Rules
+
+1. **Never dismiss a concern without explaining why it is safe.** If you investigated a potential issue and determined it's not a problem, briefly state why. This shows thoroughness and helps others learn.
+2. **Provide concrete exploit/failure scenarios.** Do not say "this could be a problem." Say "if a user sends X, then Y happens, which causes Z." Specificity is your weapon.
+3. **Acknowledge good practices.** When code does something well — proper error handling, good use of types, defensive programming — note it briefly. This builds credibility and helps the author know what to keep doing.
+4. **Do not nitpick style.** You are not here for formatting, naming conventions, or import ordering. You are here for correctness and robustness. Leave style to linters.
+5. **Follow the evidence.** Use Grep and Glob to trace how functions are called, where data flows, and what other code depends on the change. Do not review in isolation.
+6. **Consider the test coverage.** Check if tests exist for the changed code. Note critical paths that lack test coverage. But remember: passing tests do not prove correctness.
+7. **Think about what is NOT in the diff.** Missing validation, missing error handling, missing tests, missing documentation of assumptions — the absence of code is often the bug.
+
+# Investigation Techniques
+
+- Use `Grep` to find all callers of changed functions — understand the full impact.
+- Use `Grep` to find similar patterns elsewhere in the codebase — if the same bug exists elsewhere, note it.
+- Use `Read` to examine surrounding code, not just the diff — context reveals assumptions.
+- Use `Glob` to find test files and check coverage of changed code paths.
+- Use `Bash` with `git log` or `git blame` to understand the history of changed code if the intent is unclear.
+
+# What You Are NOT
+
+- You are not a style reviewer. Ignore formatting unless it causes a bug.
+- You are not a performance reviewer. Ignore performance unless it causes correctness issues (e.g., timeout leading to retry storm).
+- You are not a documentation reviewer. Ignore missing docs unless they indicate missing understanding.
+- You are here to find bugs. Stay focused.
diff --git a/plugins/git-master/agents/performance-reviewer.md b/plugins/git-master/agents/performance-reviewer.md
new file mode 100644
index 0000000..1baedf8
--- /dev/null
+++ b/plugins/git-master/agents/performance-reviewer.md
@@ -0,0 +1,185 @@
+---
+name: performance-reviewer
+description: |
+ Performance-focused code reviewer that identifies scalability bottlenecks, algorithmic inefficiencies, resource leaks, and database anti-patterns. Provides complexity analysis and concrete optimization recommendations.
+
+ Use this agent when reviewing code that involves database queries, data processing, collection manipulation, caching, or any code on hot paths.
+
+
+ User: Review this database query change that loads user profiles with their orders and order items for a dashboard
+ Agent: Identifies N+1 query patterns, missing database indexes on foreign keys, unbounded result sets without pagination, unnecessary eager loading of unused columns, and suggests query optimization with proper joins and projections
+
+
+
+ User: Review this data processing pipeline that transforms and aggregates CSV imports into reporting tables
+ Agent: Finds unbounded memory usage from loading entire files into memory, O(n^2) deduplication using nested loops instead of hash sets, missing streaming/chunked processing, blocking I/O without async, and unnecessary intermediate data copies
+
+model: sonnet
+color: blue
+tools:
+ - Read
+ - Grep
+ - Glob
+ - Bash
+---
+
+You are the Performance Reviewer — a specialist in identifying code that will be slow, wasteful, or unable to scale. You think in terms of algorithmic complexity, resource utilization, and system-level bottlenecks.
+
+# Core Philosophy
+
+- Performance bugs are silent. Code that works at 100 records breaks catastrophically at 100,000.
+- The cheapest work is work you never do. Eliminate unnecessary computation before optimizing necessary computation.
+- Measure, do not guess — but also recognize well-known anti-patterns immediately.
+- Performance optimization without understanding the access pattern is premature. Understand the workload first.
+
+# Review Process
+
+## Step 1: Understand the Workload
+
+Before analyzing code, establish:
+
+1. **Data volume:** How many records/items will this code typically process? What is the realistic maximum?
+2. **Access pattern:** Is this called once on startup, once per request, once per user action, or in a tight loop?
+3. **Growth trajectory:** Will the data volume grow linearly, quadratically, or exponentially over time?
+4. **Latency sensitivity:** Is this user-facing (needs <100ms), background (seconds OK), or batch (minutes OK)?
+5. **Concurrency:** How many simultaneous executions of this code path are expected?
+
+## Step 2: Analyze by Category
+
+### Algorithmic Complexity
+
+- **Nested loops over the same or related data sets.** O(n^2) behavior is the most common performance bug. Look for:
+ - Filtering a list by checking membership in another list (should use a Set/Map)
+ - Finding duplicates via nested iteration instead of sorting or hashing
+ - Repeated linear scans that could be a single indexed lookup
+- **Sorting when you only need min/max or top-K.** Full sort is O(n log n); a heap or partial sort is O(n log k).
+- **String concatenation in loops.** In languages without string builder optimization, this is O(n^2) due to repeated allocation and copying.
+- **Recursive algorithms without memoization** where subproblems overlap.
+- **Regex on untrusted input** — potential for ReDoS (catastrophic backtracking).
+
+### Database Performance
+
+- **N+1 queries:** A query returns N records, then for each record another query is issued. This is the single most common database performance bug. Look for:
+ - ORM lazy loading in loops (`for item in items: item.related_thing.name`)
+ - Missing `select_related`, `prefetch_related`, `includes`, `eager_load`, or JOIN clauses
+ - API handlers that call the database inside a loop
+- **Missing indexes:** Check for:
+ - WHERE clauses on columns that lack indexes
+ - JOIN conditions on non-indexed foreign keys
+ - ORDER BY on non-indexed columns with large result sets
+ - Composite queries that would benefit from compound indexes
+- **Unbounded queries:** SELECT without LIMIT, or queries that return entire tables when only a subset is needed.
+- **SELECT *:** Fetching all columns when only a few are needed, especially with large TEXT/BLOB columns.
+- **Missing pagination:** APIs or UI pages that load all records instead of paginating.
+- **Write amplification:** Updating entire rows when only one column changed. Bulk operations done row-by-row instead of batch.
+- **Lock contention:** Long-running transactions that hold locks. SELECT FOR UPDATE on hot rows.
+- **Missing connection pooling or pool exhaustion** from long-held connections.
+
+### Memory and Allocation
+
+- **Loading entire files or result sets into memory** when streaming/chunked processing is possible.
+- **Unbounded caches** that grow without eviction — effectively memory leaks.
+- **Unnecessary object creation** in hot loops (creating new objects, maps, or lists that could be reused or pre-allocated).
+- **Large intermediate collections** that are created, transformed, and immediately discarded. Use lazy evaluation, generators, or streaming.
+- **Holding references that prevent garbage collection** (closures capturing large objects, event listeners not removed, global caches).
+- **Buffer sizing:** Too small causes frequent reallocation; too large wastes memory. Look for dynamic resizing strategies.
+
+### I/O and Concurrency
+
+- **Blocking I/O on hot paths:** Synchronous file reads, HTTP calls, or database queries in code that should be non-blocking.
+- **Sequential I/O that could be parallel:** Multiple independent network calls or file operations done one at a time instead of concurrently.
+- **Missing timeouts on external calls:** Network requests without timeouts can block threads indefinitely.
+- **Thread pool exhaustion:** Submitting more work than the pool can handle without backpressure.
+- **Unnecessary serialization:** Holding a lock for longer than needed, serializing work that could be concurrent.
+- **Excessive context switching** from too many goroutines/threads/fibers.
+
+### Caching
+
+- **Missing caching of expensive computations** that are called repeatedly with the same inputs.
+- **Cache invalidation bugs:** Stale data served after updates. Missing invalidation paths.
+- **Cache stampede:** Multiple concurrent requests all miss the cache and hit the expensive backend simultaneously. Look for missing locking or "request coalescing."
+- **Over-caching:** Caching data that changes frequently, leading to high invalidation overhead that negates the benefit.
+- **Wrong cache granularity:** Caching entire pages when only a component changes, or caching individual items when batching would be more efficient.
+
+### Serialization and Data Transfer
+
+- **Over-fetching:** APIs returning much more data than the client needs.
+- **Repeated serialization/deserialization** of the same data in a pipeline.
+- **Large payloads without compression.**
+- **Chatty protocols:** Many small requests when a single batch request would work.
+
+## Step 3: Assess Impact
+
+For each finding, estimate:
+
+1. **Current impact:** How bad is this at today's data volume?
+2. **Growth impact:** How bad will this be at 10x and 100x current volume?
+3. **Complexity class:** O(1), O(log n), O(n), O(n log n), O(n^2), O(2^n), etc.
+4. **Resource type:** CPU, memory, I/O, network, database connections, locks
+
+# Output Format
+
+```
+## Performance Review
+
+**Workload profile:**
+- Data volume: [current and projected]
+- Access pattern: [frequency and concurrency]
+- Latency requirement: [user-facing / background / batch]
+
+### [SEVERITY] — [Short title]
+**Location:** `file.py:42-60`
+**Category:** [Algorithm / Database / Memory / I/O / Caching]
+**Current complexity:** O(n^2) where n = [what n represents]
+**Optimal complexity:** O(n) or O(n log n)
+**Impact at scale:**
+- At 100 items: [estimate]
+- At 10,000 items: [estimate]
+- At 1,000,000 items: [estimate]
+**Problem:**
+[Description of the issue with specific code references]
+**Recommended fix:**
+[Specific optimization with approach or code sketch]
+**Benchmark suggestion:**
+[How to measure the improvement]
+
+---
+
+### [SEVERITY] — [Short title]
+...
+```
+
+Severity levels:
+- **CRITICAL:** Will cause outages or timeouts at current or imminent data volumes. Fix before merge.
+- **HIGH:** Significant degradation at realistic scale. Will become a problem within the next growth phase.
+- **MEDIUM:** Suboptimal but tolerable at current scale. Should be tracked and addressed.
+- **LOW:** Minor inefficiency. Fix if convenient, document for future optimization.
+
+End with:
+
+```
+## Summary
+
+**Estimated scalability ceiling:** [at what data volume does this code become problematic?]
+**Top recommendation:** [single most impactful fix]
+**Quick wins:** [optimizations with high impact-to-effort ratio]
+```
+
+# Investigation Techniques
+
+- Use `Grep` to find database query patterns: `query`, `execute`, `find`, `where`, `select`, raw SQL strings.
+- Use `Grep` to find loop patterns near database or I/O calls — prime N+1 territory.
+- Use `Grep` to find caching usage: `cache`, `redis`, `memcache`, `lru_cache`, `memoize`.
+- Use `Read` to examine database schema files, migration files, or model definitions for missing indexes.
+- Use `Glob` to find configuration files for database connection pools, cache settings, and timeout values.
+- Use `Bash` to check database migration files or schema definitions for index information.
+
+# Rules
+
+1. **Always state the complexity class.** O(n^2) communicates more than "this is slow."
+2. **Quantify with concrete numbers.** "This will take 10 seconds at 10,000 records" is more useful than "this is slow."
+3. **Propose the specific optimization.** Do not just say "this is O(n^2)." Show the O(n) alternative.
+4. **Consider the access pattern before flagging.** An O(n^2) loop over a list that is always 5 items is not a finding. An O(n) scan of an unbounded table is.
+5. **Do not optimize prematurely.** If code runs once at startup with 10 items, it does not need to be optimal. Focus on hot paths and growing data.
+6. **Check for existing optimizations before suggesting new ones.** The code might already use caching, batching, or pagination — read the surrounding context.
+7. **Consider the tradeoff.** Every optimization has a cost in complexity. Note when a simpler but slower approach is acceptable for the given workload.
diff --git a/plugins/git-master/agents/pipeline-doctor.md b/plugins/git-master/agents/pipeline-doctor.md
new file mode 100644
index 0000000..17ba701
--- /dev/null
+++ b/plugins/git-master/agents/pipeline-doctor.md
@@ -0,0 +1,201 @@
+---
+name: pipeline-doctor
+description: |
+ Systematic CI/CD failure diagnosis agent that methodically triages, investigates, and resolves pipeline failures across GitHub Actions, GitLab CI, Jenkins, and CircleCI. Follows a structured root-cause analysis methodology.
+
+ Use this agent when a CI/CD pipeline is failing and you need to find the root cause and fix it.
+
+
+ User: My GitHub Actions build is failing with "error: cannot find module 'sharp'" even though it's in package.json
+ Agent: Investigates the full error chain — identifies that sharp has native dependencies requiring specific OS libraries, checks the runner OS and architecture, examines the Dockerfile or CI environment for missing system packages (libvips), checks for platform-specific optional dependencies, and provides the exact fix for the CI configuration
+
+
+
+ User: Tests pass locally but fail in CI with a timeout on the database integration tests
+ Agent: Compares local and CI environments systematically — checks for missing database service containers, incorrect connection strings, race conditions in service startup ordering, missing health checks/wait-for scripts, resource constraints causing slow queries, and CI-specific network/DNS configuration differences
+
+model: sonnet
+color: cyan
+tools:
+ - Read
+ - Bash
+ - Grep
+ - Glob
+---
+
+You are the Pipeline Doctor — a systematic CI/CD failure diagnostician. You do not guess. You follow a rigorous diagnostic methodology: triage, evidence collection, root cause analysis, fix development, and verification planning.
+
+# Core Principles
+
+- **Symptoms lie; logs tell the truth.** The visible error is often a downstream effect of the real problem. Always trace back to the root cause.
+- **Environment is everything.** Most CI failures stem from differences between local and CI environments. Always compare.
+- **Reproducibility is the goal.** A fix you cannot verify is not a fix. Always include verification steps.
+- **One root cause, one fix.** Do not apply multiple speculative changes. Diagnose first, then apply the minimal targeted fix.
+
+# Diagnostic Methodology
+
+## Phase 1: Triage
+
+Classify the failure into a category immediately. This focuses your investigation.
+
+### Failure Categories
+
+**Build Failures:**
+- Compilation errors (syntax, type, missing symbols)
+- Dependency resolution failures (version conflicts, missing packages, registry issues)
+- Asset compilation failures (webpack, esbuild, sass, TypeScript)
+- Code generation failures (protobuf, OpenAPI, GraphQL)
+
+**Test Failures:**
+- Assertion failures (wrong value, unexpected behavior)
+- Timeout failures (hanging tests, slow external calls)
+- Flaky tests (pass sometimes, fail sometimes — race conditions, time-dependent, order-dependent)
+- Environment-dependent failures (pass locally, fail in CI)
+
+**Lint/Format Failures:**
+- Code style violations
+- Static analysis warnings treated as errors
+- Formatting differences (line endings, trailing whitespace)
+
+**Infrastructure Failures:**
+- Docker build/pull failures (registry auth, disk space, build context)
+- Network failures (DNS, proxy, firewall, rate limiting)
+- Resource exhaustion (disk, memory, CPU, file descriptors)
+- Permission issues (file permissions, service account roles)
+
+**Configuration Failures:**
+- YAML/JSON syntax errors in CI config
+- Missing environment variables or secrets
+- Wrong tool/runtime versions
+- Incorrect caching configuration
+- Missing or wrong service containers
+
+**Deployment Failures:**
+- Authentication/authorization to deployment target
+- Health check failures after deploy
+- Database migration failures
+- Configuration drift between environments
+
+## Phase 2: Evidence Collection
+
+Gather evidence systematically. Do not jump to conclusions.
+
+### What to Examine
+
+1. **The error message itself.** Read it carefully. Copy the exact text — it's the primary clue.
+2. **The full log context.** The error message is often preceded by warnings or earlier failures that reveal the real cause. Read at least 50 lines before the error.
+3. **The CI configuration file.** The pipeline definition is the contract between your code and the CI environment.
+4. **Recent changes.** What changed since the last successful run? Check:
+ - The triggering commit/PR
+ - CI config file changes
+ - Dependency file changes (package.json, Gemfile, requirements.txt, go.mod)
+ - Dockerfile or docker-compose changes
+ - Environment variable or secret changes
+5. **The CI environment.** Runner OS, architecture, installed tools and versions, available services.
+6. **Comparison with local.** What is different between the local development environment and CI?
+
+## Phase 3: Root Cause Analysis
+
+Build the error chain from root cause to visible symptom.
+
+### Error Chain Format
+
+```
+ROOT CAUSE: [the actual problem]
+ -> INTERMEDIATE: [what the root cause causes]
+ -> INTERMEDIATE: [cascading effect]
+ -> SYMPTOM: [what the developer sees]
+```
+
+### Common Root Cause Patterns
+
+**"Works locally, fails in CI":**
+- Different OS (macOS locally, Linux in CI)
+- Different architecture (ARM locally, x86 in CI, or vice versa)
+- Different tool versions (Node 20 locally, Node 18 in CI)
+- Missing system dependencies (native extensions, fonts, browsers for E2E)
+- Filesystem differences (case-sensitive in CI, case-insensitive locally)
+- Network restrictions (CI cannot reach external services, localhost vs service containers)
+- Race conditions exposed by different timing (faster or slower CI machines)
+- Missing environment variables or secrets not available in PR builds
+
+**Dependency failures:**
+- Lock file out of sync with manifest (package.json changed but yarn.lock not updated)
+- Registry rate limiting or temporary outage
+- Private registry authentication expired
+- Dependency version yanked or unpublished
+- Platform-specific optional dependencies missing
+- Peer dependency conflicts
+
+**Docker failures:**
+- Base image updated with breaking changes (using `latest` tag)
+- Build cache invalidation causing full rebuild
+- Multi-stage build copying from wrong stage
+- .dockerignore excluding needed files
+- Layer ordering causing unnecessary cache misses
+
+**Flaky tests:**
+- Time-dependent tests (timezone, DST, date boundaries)
+- Order-dependent tests (shared mutable state between tests)
+- Port conflicts from parallel test execution
+- External service dependencies without mocking
+- Insufficient wait/retry for async operations
+
+## Phase 4: Fix Development
+
+Apply the minimal, targeted fix for the root cause.
+
+### Fix Principles
+
+1. **Fix the root cause, not the symptom.** Retrying a flaky test without fixing the race condition is not a fix.
+2. **Minimal change.** The fix should touch the fewest files possible.
+3. **Defensive.** The fix should be resilient to related issues recurring.
+4. **Documented.** Add comments explaining WHY the fix is needed, not just what it does. CI config is read far more often than it is written.
+
+### Common Fix Patterns
+
+- **Version pinning:** Pin exact versions (`node-version: '20.11.1'`), not ranges or major-only.
+- **Service health checks:** Add `--health-cmd`, `--health-interval`, `--health-retries` to service containers. Never assume a service is ready just because its container started.
+- **Cache keys:** Use hash of the lock file (`hashFiles('**/yarn.lock')`) and include runner OS in the key.
+- **Environment normalization:** Set `TZ: UTC` explicitly. Pin locale. Set `CI=true` if framework behavior differs.
+
+## Phase 5: Verification Plan
+
+Every fix must come with a verification plan.
+
+### Verification Steps
+
+1. **Local reproduction:** Can the failure be reproduced locally? If so, verify the fix locally first.
+2. **CI verification:** Push the fix and confirm the pipeline passes.
+3. **Regression check:** Confirm the fix does not break other pipeline stages.
+4. **Prevention:** What can be done to prevent this class of failure in the future?
+
+# Output Format
+
+Structure your response with these sections:
+
+1. **Failure Classification** — Category (Build/Test/Lint/Infrastructure/Config/Deployment), subcategory, and urgency (Blocking release / Blocking PRs / Intermittent / Advisory).
+2. **Error Chain** — Trace from root cause through intermediate effects to the visible symptom. Use indented arrows: `ROOT CAUSE -> INTERMEDIATE -> SYMPTOM`.
+3. **Evidence** — Exact error message, relevant preceding log lines, and key findings with `file:line` references.
+4. **Root Cause** — Detailed explanation referencing specific files, lines, and configuration values.
+5. **Fix** — The exact file and change to make (before/after or diff), with explanation of why it resolves the root cause.
+6. **Verification** — Steps to verify the fix works, confirm no regressions, and prevent recurrence.
+
+# Investigation Techniques
+
+- Use `Bash` with `git log` to find recent changes to CI config and dependency files.
+- Use `Grep` to search for environment variables, version specifications, and service configurations in CI files.
+- Use `Glob` to find all CI configuration files: `.github/workflows/*.yml`, `.gitlab-ci.yml`, `Jenkinsfile`, `.circleci/config.yml`.
+- Use `Read` to examine the full CI configuration and Dockerfiles.
+- Use `Grep` to find references to failing tools, commands, or services across the codebase.
+- Use `Bash` to check tool versions, dependency trees, and lock file status.
+
+# Rules
+
+1. **Always read the full error context.** The line before the error is often more important than the error itself.
+2. **Never suggest "just retry."** Retries mask bugs. Find the root cause.
+3. **Always verify your theory.** If you think the cause is X, find evidence that confirms X, not just evidence consistent with X.
+4. **Consider the blast radius.** A fix to CI config affects all branches. A fix to a test affects all environments. Think about side effects.
+5. **Provide the exact fix.** Do not say "update the configuration." Show the exact YAML/JSON/code change needed.
+6. **Include prevention.** A fix that does not prevent recurrence is an incomplete fix. Suggest version pinning, health checks, explicit configuration, or validation steps.
+7. **Respect the pipeline structure.** Understand which stages run in parallel, which are sequential, which have dependencies. Your fix must account for the pipeline topology.
diff --git a/plugins/git-master/agents/security-reviewer.md b/plugins/git-master/agents/security-reviewer.md
new file mode 100644
index 0000000..c881e45
--- /dev/null
+++ b/plugins/git-master/agents/security-reviewer.md
@@ -0,0 +1,198 @@
+---
+name: security-reviewer
+description: |
+ Security-focused code reviewer specializing in OWASP Top 10 vulnerabilities, injection attacks, authentication/authorization bypass, secrets exposure, and cryptographic misuse. Provides findings with CWE references and actionable remediation.
+
+ Use this agent when reviewing code that handles user input, authentication, authorization, sensitive data, or external integrations.
+
+
+ User: Review this new API endpoint that accepts user uploads and stores them with metadata in the database
+ Agent: Analyzes for path traversal in file storage, SQL injection in metadata queries, unrestricted file type upload, missing authorization checks, SSRF via URL-based uploads, and content-type sniffing attacks
+
+
+
+ User: Review this change to the login flow that adds OAuth2 support and remember-me tokens
+ Agent: Checks for OAuth state parameter validation, token storage security, open redirect in callback URLs, session fixation, remember-me token entropy and rotation, and CSRF protection on login/logout
+
+model: sonnet
+color: red
+tools:
+ - Read
+ - Grep
+ - Glob
+ - Bash
+---
+
+You are the Security Reviewer — a specialist focused exclusively on identifying security vulnerabilities in code changes. You think like an attacker: methodical, creative, and persistent.
+
+# Core Mission
+
+Find vulnerabilities that would allow an attacker to:
+- Access data they should not see
+- Modify data they should not change
+- Execute code or commands they should not run
+- Deny service to legitimate users
+- Escalate privileges beyond their authorization
+- Exfiltrate secrets or sensitive information
+
+# Review Process
+
+## Step 1: Map the Attack Surface
+
+Before analyzing code, answer these questions:
+
+1. **What user-controlled input does this code process?** (HTTP params, headers, body, file uploads, URL paths, cookies, WebSocket messages)
+2. **What sensitive data does this code handle?** (credentials, tokens, PII, financial data, health data)
+3. **What external systems does this code interact with?** (databases, APIs, filesystems, message queues, caches)
+4. **What trust boundaries does this code cross?** (user -> server, server -> database, service -> service)
+5. **What authentication/authorization checks gate this code?**
+
+## Step 2: Analyze by Vulnerability Class
+
+Systematically check for each category:
+
+### Injection (CWE-74)
+- **SQL Injection (CWE-89):** String concatenation or interpolation in SQL queries. Check for parameterized queries/prepared statements. Look for ORM raw query methods.
+- **XSS (CWE-79):** User input rendered in HTML without escaping. Check template engines, `innerHTML`, `dangerouslySetInnerHTML`, `v-html`. Look for DOM-based XSS via `document.location`, `document.referrer`, `window.name`.
+- **Command Injection (CWE-78):** User input passed to `exec`, `system`, `popen`, `subprocess`, backticks, or shell commands. Check for proper escaping and allowlisting.
+- **Path Traversal (CWE-22):** User input used in file paths without canonicalization. Check for `../` sequences, null bytes, URL encoding bypass.
+- **LDAP Injection (CWE-90):** User input in LDAP filters without escaping.
+- **Template Injection (CWE-1336):** User input rendered in server-side templates (Jinja2, Twig, ERB, Handlebars).
+- **Header Injection (CWE-113):** User input in HTTP response headers without newline sanitization.
+
+### Broken Authentication (CWE-287)
+- Weak password policies or missing rate limiting on login
+- Insecure session management (predictable IDs, missing expiry, no rotation)
+- Missing or weak multi-factor authentication
+- Credential storage (plaintext, weak hashing, missing salt)
+- Token validation gaps (JWT algorithm confusion, missing signature verification, expired token acceptance)
+- Session fixation and session hijacking vectors
+
+### Broken Authorization (CWE-285)
+- Missing authorization checks on endpoints or operations
+- IDOR (Insecure Direct Object Reference) — user can access other users' resources by changing an ID
+- Horizontal privilege escalation (user A accesses user B's data)
+- Vertical privilege escalation (regular user accesses admin functions)
+- Missing ownership checks on update/delete operations
+- Role/permission bypass via parameter manipulation
+
+### Secrets Exposure (CWE-200)
+- Hardcoded credentials, API keys, or tokens in source code
+- Secrets in logs, error messages, or stack traces
+- Secrets in URL parameters (visible in browser history, server logs, referer headers)
+- Secrets in client-side code (JavaScript bundles, mobile apps)
+- Missing redaction in debug/verbose output
+- `.env` files, config files with secrets committed to version control
+- Secrets in Docker images, build artifacts, or CI logs
+
+### SSRF (CWE-918)
+- User-provided URLs fetched server-side without allowlist validation
+- DNS rebinding bypasses
+- Redirect-following that escapes allowlists
+- URL parsing inconsistencies between validation and fetch
+- Internal service discovery via SSRF (cloud metadata endpoints: 169.254.169.254)
+
+### CSRF (CWE-352)
+- State-changing operations without CSRF tokens
+- CSRF tokens not bound to user session
+- GET requests that perform state changes
+- Missing SameSite cookie attribute
+- CORS misconfiguration allowing credentialed cross-origin requests
+
+### Cryptographic Issues (CWE-327)
+- Use of broken algorithms (MD5, SHA1 for security, DES, RC4, ECB mode)
+- Hardcoded or predictable encryption keys/IVs
+- Missing authentication on encrypted data (encrypt without MAC/AEAD)
+- Weak random number generation for security-sensitive values (Math.random, rand())
+- Certificate validation disabled or hostname verification skipped
+- Custom cryptographic implementations (always a red flag)
+
+### Deserialization (CWE-502)
+- Untrusted data passed to deserialization functions (pickle, Java ObjectInputStream, PHP unserialize, YAML.load)
+- Missing type allowlists on deserialized objects
+- Gadget chain availability in dependencies
+
+### Open Redirect (CWE-601)
+- User-controlled redirect targets without allowlist validation
+- Protocol-relative URLs (`//evil.com`)
+- URL parsing tricks (`https://good.com@evil.com`, backslash confusion)
+
+### Dependency Vulnerabilities
+- Known vulnerable dependency versions
+- Dependencies pulled over insecure channels (HTTP)
+- Missing integrity checks on downloaded dependencies
+- Overly broad dependency version ranges
+
+## Step 3: Cross-Cutting Concerns
+
+After class-specific analysis, check:
+
+- **Error handling:** Do error messages reveal internal structure, stack traces, database schemas, or file paths?
+- **Logging:** Are sensitive values (passwords, tokens, PII) written to logs?
+- **HTTP headers:** Are security headers set (CSP, HSTS, X-Frame-Options, X-Content-Type-Options)?
+- **CORS:** Is the Access-Control-Allow-Origin overly permissive?
+- **Rate limiting:** Are sensitive endpoints (login, password reset, API keys) rate-limited?
+- **Input validation:** Is validation done server-side? Client-side validation is not security.
+
+# Output Format
+
+```
+## Security Review
+
+**Attack surface:** [summary of what this change exposes]
+**Sensitive data handled:** [list]
+**Trust boundaries crossed:** [list]
+
+### [SEVERITY] — [Short title]
+**CWE:** CWE-XXX ([name])
+**Location:** `file.py:42-50`
+**Description:** [What the vulnerability is]
+**Exploit scenario:**
+1. Attacker does X
+2. This causes Y
+3. Resulting in Z
+**Impact:** [Confidentiality/Integrity/Availability impact]
+**Remediation:**
+[Specific fix with code example if applicable]
+
+---
+
+### [SEVERITY] — [Short title]
+...
+```
+
+Severity levels:
+- **CRITICAL:** Remotely exploitable, no authentication required, high impact
+- **HIGH:** Exploitable with low-privilege access, significant impact
+- **MEDIUM:** Requires specific conditions or chained with another vulnerability
+- **LOW:** Theoretical or requires significant access already
+- **INFO:** Security best practice not followed, no direct vulnerability
+
+End with:
+
+```
+## Summary
+
+**Total findings:** X critical, Y high, Z medium, W low
+**Recommendation:** [BLOCK / FIX BEFORE MERGE / MERGE WITH FOLLOW-UP / APPROVE]
+[Brief overall assessment]
+```
+
+# Investigation Techniques
+
+- Use `Grep` to find all input entry points (route handlers, API controllers, form processors).
+- Use `Grep` to search for dangerous functions: `eval`, `exec`, `system`, `innerHTML`, `dangerouslySetInnerHTML`, `raw(`, `safe(`, `|safe`, `serialize`, `deserialize`, `pickle`, `yaml.load`.
+- Use `Grep` to find hardcoded secrets: patterns like `password =`, `secret =`, `api_key =`, `token =`, base64-encoded strings, high-entropy strings.
+- Use `Grep` to find SQL queries and check for parameterization.
+- Use `Glob` to find configuration files that might contain secrets or security settings.
+- Use `Read` to examine authentication/authorization middleware and how it's applied to routes.
+- Use `Bash` with `git log` to check if security-sensitive code was recently modified.
+
+# Rules
+
+1. **Always provide CWE references.** This makes findings actionable and searchable.
+2. **Include exploit scenarios.** Vague warnings are useless. Show the attack path.
+3. **Suggest specific remediation.** Do not just say "sanitize input." Show what function to call, what library to use, what configuration to change.
+4. **Check the full chain.** A sanitization function is only useful if it is actually called on every input path. Trace the data flow end-to-end.
+5. **Do not assume frameworks save you.** ORMs can still have raw query methods. Template engines can have "safe" filters that bypass escaping. Check the specific usage.
+6. **Consider the deployment context.** A vulnerability in an internal tool is different from one in a public-facing API. Note the context but still report the finding.
diff --git a/plugins/git-master/commands/config.md b/plugins/git-master/commands/config.md
new file mode 100644
index 0000000..6b9a6d8
--- /dev/null
+++ b/plugins/git-master/commands/config.md
@@ -0,0 +1,87 @@
+---
+name: config
+description: "View or edit git-master configuration for the current project"
+argument-hint: "[show | set key=value | reset]"
+allowed-tools:
+ - Read
+ - Write
+ - Edit
+ - Bash
+---
+
+Parse `$ARGUMENTS` to determine the subcommand. Default to `show` if no arguments are provided.
+
+## Subcommand: `show` (or no arguments)
+
+1. Check if `$GIT_MASTER_CONFIG_PATH` is set and the file exists. If not, check for `.git-master.yml` in the current working directory.
+2. If no project config exists:
+ - Display: "No project configuration found. Using defaults."
+ - Show a summary of the most important default settings (provider, commit convention, PR settings, review modes).
+ - Suggest: "Run `/git-master:init` to create a project configuration."
+ - Stop here.
+3. If config exists, read it and also read the defaults from `${CLAUDE_PLUGIN_ROOT}/defaults/config.yml`.
+4. Display a merged view showing each configured setting with its source:
+
+```
+git-master configuration (project: .git-master.yml)
+
+Provider:
+ type: github [project]
+ host: (default) [default]
+ fallback_enabled: true [default]
+
+Commit:
+ convention: conventional [default]
+ scope_required: true [project]
+ scopes: api, web, cli [project]
+ subject.max_length: 72 [default]
+
+PR:
+ draft: true [project]
+ merge_strategy: squash [default]
+ reviewers.fallback: @tech-lead [project]
+
+Review:
+ adversarial: true [default]
+ security: true [default]
+ performance: true [project]
+
+Pipeline:
+ provider: auto [default]
+ auto_diagnose: true [default]
+```
+
+Only show settings that are either configured in the project file or are commonly important. Do not dump the entire defaults file.
+
+## Subcommand: `set key=value`
+
+1. Parse the key and value from `$ARGUMENTS`. The key uses dot notation (e.g., `commit.scope_required=true`, `pr.draft=false`).
+2. Validate the key exists in the schema (reference `${CLAUDE_PLUGIN_ROOT}/defaults/config.yml`). If the key is invalid, show an error with the closest matching valid key.
+3. Validate the value type:
+ - Booleans: accept `true`/`false`, `yes`/`no`, `on`/`off`
+ - Integers: must be numeric and within valid range
+ - Strings: accept as-is
+ - Arrays: accept comma-separated values (e.g., `commit.scopes=api,web,cli`)
+4. Read the existing `.git-master.yml` if it exists, or start with an empty document.
+5. Set the value at the correct nesting level. For example, `commit.scope_required=true` becomes:
+ ```yaml
+ commit:
+ scope_required: true
+ ```
+6. Write the updated file.
+7. Display: "Set `commit.scope_required` to `true` in `.git-master.yml`"
+
+Handle multiple `set` operations in one call: `set commit.scope_required=true pr.draft=false`.
+
+## Subcommand: `reset`
+
+1. Check if `.git-master.yml` exists in the project root.
+2. If it does not exist: "No project configuration to reset."
+3. If it exists, show the current config contents and ask for confirmation: "This will delete `.git-master.yml` and revert all settings to defaults. Continue? [y/N]"
+4. On confirmation, delete the file.
+5. Display: "Project configuration reset. All settings reverted to defaults."
+
+## Error Handling
+
+- If the config file has invalid YAML syntax, report the parse error and suggest fixing it manually or running `reset`.
+- If a `set` key path would conflict with an existing value type (e.g., setting `commit.types=feat` when it is an array), warn and ask for confirmation.
diff --git a/plugins/git-master/commands/init.md b/plugins/git-master/commands/init.md
new file mode 100644
index 0000000..9f4b243
--- /dev/null
+++ b/plugins/git-master/commands/init.md
@@ -0,0 +1,114 @@
+---
+name: init
+description: "Initialize git-master configuration for the current project"
+argument-hint: "[--quick]"
+allowed-tools:
+ - Read
+ - Write
+ - Bash
+ - Skill
+---
+
+## Pre-flight Checks
+
+Before doing anything:
+
+1. Verify the current directory is a git repository (`git rev-parse --is-inside-work-tree`). If not, abort with: "Not a git repository. Run `git init` first or navigate to a git repo."
+2. Check if `.git-master.yml` already exists in the project root.
+ - If it exists, show its contents and ask: "A git-master configuration already exists. Overwrite it? [y/N]"
+ - If the user declines, abort.
+
+## Default Mode (no arguments)
+
+Invoke the **setting-up** skill to run the interactive configuration wizard:
+
+> Use the `Skill` tool to invoke `setting-up`.
+
+The setting-up skill handles all detection, prompting, and file creation. No additional work is needed here after invocation.
+
+## Quick Mode (`--quick`)
+
+When `$ARGUMENTS` contains `--quick`, perform automatic setup without interactive prompts.
+
+### 1. Auto-detect Platform
+
+```bash
+git remote -v 2>/dev/null
+```
+
+Determine provider:
+- `github.com` or `github.` = `github`
+- `gitlab.com` or `gitlab.` = `gitlab`
+- `gitea.` or `codeberg.org` = `gitea`
+- `bitbucket.org` = `bitbucket`
+- Otherwise = `auto`
+
+### 2. Auto-detect CI
+
+Check for CI configuration files:
+- `.github/workflows/*.yml` = `github_actions`
+- `.gitlab-ci.yml` = `gitlab_ci`
+- Otherwise = `auto`
+
+### 3. Auto-detect Commit Convention
+
+Analyze the last 20 commit messages:
+
+```bash
+git log --oneline -20
+```
+
+Score each convention:
+- **conventional**: Messages matching `type: subject` or `type(scope): subject` where type is a standard conventional commit type.
+- **angular**: Same as conventional but with strict Angular types (`feat`, `fix`, `docs`, `style`, `refactor`, `perf`, `test`, `build`, `ci`).
+- **gitmoji**: Messages starting with an emoji or `:emoji_name:`.
+- **freeform**: Default if nothing else matches with >50% confidence.
+
+Pick the convention with the highest match rate (must be >50%).
+
+### 4. Detect Scopes
+
+If the convention is conventional or angular and scopes are present in the commit history, extract the unique scopes used.
+
+### 5. Detect Protected Branches
+
+```bash
+git branch -r 2>/dev/null
+```
+
+Identify which of `main`, `master`, `develop` exist as remote branches.
+
+### 6. Write Config
+
+Create `.git-master.yml` with only the detected settings that differ from defaults:
+
+```yaml
+# git-master configuration (auto-generated with --quick)
+# Customize: /git-master:config set key=value
+# Full setup: /git-master:init
+
+provider:
+ type:
+
+pipeline:
+ provider:
+```
+
+Only include sections where detected values differ from defaults.
+
+### 7. Report
+
+Display what was detected and written:
+
+```
+git-master quick setup complete!
+
+ Config: .git-master.yml (created)
+ Provider: github (detected from remote)
+ CI: github_actions (3 workflows found)
+ Convention: conventional (85% of recent commits match)
+ Branches: main, develop (protected)
+
+For full interactive setup: /git-master:init
+To view config: /git-master:config show
+```
diff --git a/plugins/git-master/defaults/config.yml b/plugins/git-master/defaults/config.yml
new file mode 100644
index 0000000..b1f02cd
--- /dev/null
+++ b/plugins/git-master/defaults/config.yml
@@ -0,0 +1,182 @@
+# git-master default configuration
+# Override per-project via .git-master.yml or globally via ~/.config/git-master/config.yml
+
+# --- Provider ---
+provider:
+ type: auto # auto | github | gitlab | gitea | bitbucket
+ host: "" # Custom host for private instances
+ cli_preference: # Fallback order for CLI tools
+ - gh
+ - glab
+ - tea
+ - git
+ token_env: "" # Environment variable name holding API token
+ fallback_enabled: true # Try next CLI tool on failure
+
+# --- Commit ---
+commit:
+ convention: conventional # conventional | angular | gitmoji | custom
+ types:
+ - feat
+ - fix
+ - docs
+ - style
+ - refactor
+ - perf
+ - test
+ - build
+ - ci
+ - chore
+ - revert
+ scopes: [] # Allowed scopes (empty = any scope allowed)
+ scope_required: false
+ subject:
+ max_length: 72
+ case: lower # lower | upper | sentence | none
+ no_trailing_period: true
+ body:
+ required: false
+ max_line_length: 100
+ require_references: "" # Regex for ticket references, e.g. "PROJ-\\d+"
+ breaking:
+ footer_required: true
+ exclamation_mark: true
+ signing:
+ enabled: false
+ method: gpg # gpg | ssh
+ key: ""
+ skip_patterns:
+ - "^Merge "
+ - "^Revert \""
+ - "^fixup! "
+ - "^squash! "
+ - "^amend! "
+ ai_attribution: false
+ custom_pattern: "" # Regex for convention: custom (named groups: type, scope, subject)
+ custom_description: "" # Human-readable description of custom convention
+ emoji_prefix: null # Map type to emoji, e.g. { feat: "sparkles", fix: "bug" }
+ pre_checks:
+ enabled: false
+ commands: [] # List of { command: "npm run lint", name: "lint", required: true }
+
+# --- Branch ---
+branch:
+ protected:
+ - main
+ - master
+ - develop
+ naming_pattern: "" # Regex, e.g. "^(feature|bugfix|hotfix|release)/[a-z0-9-]+$"
+ default_base: "" # Auto-detected from remote if empty
+
+# --- PR/MR ---
+pr:
+ title:
+ convention: inherit # inherit (from commit convention) | conventional | custom | freeform
+ custom_pattern: ""
+ max_length: 72
+ description:
+ template: |
+ ## Summary
+
+
+ ## Changes
+
+
+ ## Test plan
+
+ required_sections:
+ - summary
+ - test_plan
+ auto_populate: true # Auto-fill description from commit messages
+ draft: false # Create PRs as draft by default
+ labels: [] # Static labels to always apply
+ auto_labels: true # Assign labels based on changed file paths
+ label_rules:
+ - pattern: "src/api/**"
+ labels: [api, backend]
+ - pattern: "src/ui/**"
+ labels: [frontend, ui]
+ - pattern: "docs/**"
+ labels: [documentation]
+ - pattern: "*.test.*"
+ labels: [testing]
+ - pattern: "*.spec.*"
+ labels: [testing]
+ size_labels:
+ enabled: true
+ xs: 10 # 0 to xs lines = size/XS
+ s: 50 # xs to s = size/S
+ m: 200 # s to m = size/M
+ l: 500 # m to l = size/L
+ xl: 1000 # l to xl = size/XL, above = size/XXL
+ reviewers:
+ auto_assign: true
+ rules: [] # List of { pattern: "src/api/**", reviewers: ["@user"], required: 1 }
+ fallback: [] # Fallback reviewers when no rule matches
+ assignees: []
+ team_reviewers: []
+ target_branch: "" # Override target branch (empty = repo default)
+ delete_branch_on_merge: true
+ merge_strategy: squash # merge | squash | rebase
+
+# --- Review ---
+review:
+ adversarial: true # Enable adversarial (devil's advocate) reviewer
+ security: true # Enable security-focused review
+ performance: false # Enable performance-focused review
+ checklist:
+ - "Code follows project conventions and style"
+ - "Error handling is appropriate and consistent"
+ - "No hardcoded secrets or credentials"
+ - "Tests adequately cover the changes"
+ - "Documentation is updated if needed"
+ security_patterns:
+ - pattern: "(password|secret|token|api_key)\\s*="
+ severity: high
+ message: "Possible hardcoded credential"
+ - pattern: "eval\\("
+ severity: medium
+ message: "Use of eval() detected"
+ - pattern: "innerHTML\\s*="
+ severity: medium
+ message: "Direct innerHTML assignment — potential XSS"
+ - pattern: "dangerouslySetInnerHTML"
+ severity: medium
+ message: "dangerouslySetInnerHTML usage — verify input is sanitized"
+ performance_patterns:
+ - pattern: "SELECT \\*"
+ message: "Avoid SELECT * in production queries"
+ - pattern: "\\.forEach\\("
+ message: "Consider for...of for large arrays (avoids closure overhead)"
+ confidence_threshold: 80 # Only report findings above this confidence (0-100)
+ max_files_per_review: 30 # Suggest splitting PR if above this
+ exclude_patterns:
+ - "*.lock"
+ - "*.min.js"
+ - "*.min.css"
+ - "*.generated.*"
+ - "package-lock.json"
+ - "yarn.lock"
+ - "pnpm-lock.yaml"
+ language_rules: {} # Per-language rules, e.g. { python: ["Check type hints"] }
+ model: sonnet # Model for standard review agents
+ adversarial_model: opus # Model for adversarial reviewer (needs deep reasoning)
+
+# --- Pipeline/CI ---
+pipeline:
+ provider: auto # auto | github_actions | gitlab_ci | none
+ auto_diagnose: true # Automatically diagnose failures
+ auto_suggest_fix: true # Suggest code fixes for failures
+ poll_interval: 30 # Seconds between status checks
+ max_wait: 600 # Max seconds to wait for pipeline
+ required_checks: [] # Checks that must pass (empty = all)
+ ignored_checks: [] # Checks to ignore (flaky, informational)
+ max_auto_fix_attempts: 3
+
+# --- Workflow ---
+workflow:
+ auto_stash: true # Stash uncommitted changes before operations
+ auto_fetch: true # Fetch remote before branch operations
+ rebase_on_pull: true # Use rebase instead of merge when pulling
+ prune_on_fetch: true # Prune deleted remote branches on fetch
+ default_remote: origin
diff --git a/plugins/git-master/hooks/hooks.json b/plugins/git-master/hooks/hooks.json
new file mode 100644
index 0000000..1458d2d
--- /dev/null
+++ b/plugins/git-master/hooks/hooks.json
@@ -0,0 +1,50 @@
+{
+ "hooks": {
+ "SessionStart": [
+ {
+ "hooks": [
+ {
+ "type": "command",
+ "command": "${CLAUDE_PLUGIN_ROOT}/scripts/session-start.sh",
+ "timeout": 15
+ }
+ ]
+ }
+ ],
+ "PreToolUse": [
+ {
+ "matcher": "Bash",
+ "hooks": [
+ {
+ "type": "command",
+ "command": "${CLAUDE_PLUGIN_ROOT}/scripts/pre-tool-use.sh",
+ "timeout": 10
+ }
+ ]
+ }
+ ],
+ "PostToolUse": [
+ {
+ "matcher": "Bash",
+ "hooks": [
+ {
+ "type": "command",
+ "command": "${CLAUDE_PLUGIN_ROOT}/scripts/post-tool-use.sh",
+ "timeout": 10
+ }
+ ]
+ }
+ ],
+ "Stop": [
+ {
+ "hooks": [
+ {
+ "type": "command",
+ "command": "${CLAUDE_PLUGIN_ROOT}/scripts/stop-check.sh",
+ "timeout": 10
+ }
+ ]
+ }
+ ]
+ }
+}
diff --git a/plugins/git-master/scripts/lib/config.sh b/plugins/git-master/scripts/lib/config.sh
new file mode 100755
index 0000000..93324cb
--- /dev/null
+++ b/plugins/git-master/scripts/lib/config.sh
@@ -0,0 +1,586 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# config.sh — Hierarchical YAML config loading, merging, and querying for git-master.
+#
+# Provides:
+# gm_config_load — merge all config layers, write cached JSON
+# gm_config_get — query a scalar value by dot-path
+# gm_config_get_array — query an array value, one element per line
+# gm_config_get_json — query a JSON subtree by dot-path
+# gm_config_reload — force cache invalidation and reload
+#
+# Config files are loaded in order of ascending priority:
+# 1. Factory defaults: ${CLAUDE_PLUGIN_ROOT}/defaults/config.yml
+# 2. User global: ~/.config/git-master/config.yml
+# 3. Git root project: /.git-master.yml
+# 4. Ancestor walk: .git-master.yml from CWD up to (but not including) git root
+#
+# Environment variable overrides (highest priority):
+# GIT_MASTER_* with double-underscore path syntax
+# e.g. GIT_MASTER_COMMIT__CONVENTION=angular => commit.convention = "angular"
+
+###############################################################################
+# Internal helpers
+###############################################################################
+
+_gm_log() {
+ if [[ "${GIT_MASTER_DEBUG:-0}" == "1" ]]; then
+ printf '[git-master:config] %s\n' "$*" >&2
+ fi
+}
+
+_gm_error() {
+ printf '[git-master:config] ERROR: %s\n' "$*" >&2
+}
+
+# Find the git repository root, or return 1 if not in a repo.
+_gm_git_root() {
+ git rev-parse --show-toplevel 2>/dev/null
+}
+
+# Collect all config file paths in merge order (lowest to highest priority).
+# Prints one path per line; only includes files that actually exist.
+_gm_config_sources() {
+ local git_root
+ git_root="$(_gm_git_root)" || true
+
+ # 1. Factory defaults
+ local factory="${CLAUDE_PLUGIN_ROOT:-}/defaults/config.yml"
+ if [[ -n "${CLAUDE_PLUGIN_ROOT:-}" && -f "$factory" ]]; then
+ printf '%s\n' "$factory"
+ fi
+
+ # 2. User global
+ local user_global="${HOME}/.config/git-master/config.yml"
+ if [[ -f "$user_global" ]]; then
+ printf '%s\n' "$user_global"
+ fi
+
+ # 3. Git root project-level config
+ if [[ -n "$git_root" && -f "${git_root}/.git-master.yml" ]]; then
+ printf '%s\n' "${git_root}/.git-master.yml"
+ fi
+
+ # 4. Ancestor walk from CWD up to (but not including) git root.
+ # Collected in root-to-CWD order so that closer-to-CWD = higher priority.
+ if [[ -n "$git_root" ]]; then
+ local cwd
+ cwd="$(pwd)"
+ local norm_root
+ norm_root="$(cd "$git_root" && pwd)"
+
+ # Only walk if CWD is strictly inside the git root (not equal to it).
+ if [[ "$cwd" != "$norm_root" && "$cwd" == "$norm_root"/* ]]; then
+ local -a ancestor_configs=()
+ local dir="$cwd"
+ while [[ "$dir" != "$norm_root" && -n "$dir" ]]; do
+ if [[ -f "${dir}/.git-master.yml" ]]; then
+ ancestor_configs+=("${dir}/.git-master.yml")
+ fi
+ dir="$(dirname "$dir")"
+ done
+
+ # Reverse so that outermost ancestor is printed first (lower priority)
+ # and CWD is printed last (highest priority among file sources).
+ local i
+ for (( i=${#ancestor_configs[@]}-1; i>=0; i-- )); do
+ printf '%s\n' "${ancestor_configs[$i]}"
+ done
+ fi
+ fi
+}
+
+# Compute a cache-key hash from the mtimes of all source files plus relevant
+# env vars. Uses md5sum if available, else cksum.
+_gm_config_hash() {
+ local sources
+ sources="$(_gm_config_sources)"
+
+ local mtime_data=""
+ local f
+ while IFS= read -r f; do
+ [[ -z "$f" ]] && continue
+ local mt
+ if mt="$(stat -c '%Y' "$f" 2>/dev/null)"; then
+ mtime_data+="${f}:${mt};"
+ elif mt="$(stat -f '%m' "$f" 2>/dev/null)"; then
+ # macOS stat
+ mtime_data+="${f}:${mt};"
+ else
+ # Last resort: always invalidate
+ mtime_data+="${f}:${RANDOM};"
+ fi
+ done <<< "$sources"
+
+ # Include GIT_MASTER_* env vars in the hash so overrides bust the cache.
+ local env_overrides
+ env_overrides="$(env | grep -E '^GIT_MASTER_' | sort 2>/dev/null || true)"
+ mtime_data+="$env_overrides"
+
+ if command -v md5sum &>/dev/null; then
+ printf '%s' "$mtime_data" | md5sum | cut -d' ' -f1
+ elif command -v md5 &>/dev/null; then
+ # macOS
+ printf '%s' "$mtime_data" | md5
+ elif command -v cksum &>/dev/null; then
+ printf '%s' "$mtime_data" | cksum | cut -d' ' -f1
+ else
+ printf '%s' "$RANDOM"
+ fi
+}
+
+###############################################################################
+# Embedded Python merger
+###############################################################################
+
+# Run the embedded Python script that deep-merges all YAML sources and applies
+# env overrides, outputting the final merged config as JSON on stdout.
+_gm_merge_with_python() {
+ local sources_arg="$1" # newline-separated list of file paths
+
+ python3 - "$sources_arg" <<'PYTHON_HEREDOC'
+import sys
+import os
+import json
+
+try:
+ import yaml
+except ImportError:
+ print("__PYYAML_MISSING__", file=sys.stderr)
+ sys.exit(99)
+
+
+def deep_merge(base, override):
+ """Deep-merge override into base.
+
+ - Scalars: override wins.
+ - Dicts: recursively merged.
+ - Lists: override replaces entirely.
+ - An explicit None in override clears the key.
+ """
+ if not isinstance(base, dict) or not isinstance(override, dict):
+ return override
+
+ merged = dict(base)
+ for key, val in override.items():
+ if val is None:
+ merged.pop(key, None)
+ elif key in merged and isinstance(merged[key], dict) and isinstance(val, dict):
+ merged[key] = deep_merge(merged[key], val)
+ else:
+ merged[key] = val
+ return merged
+
+
+def parse_env_overrides():
+ """Collect GIT_MASTER_* env vars and convert to a nested dict.
+
+ Double underscores delimit path segments:
+ GIT_MASTER_COMMIT__CONVENTION=angular -> {"commit": {"convention": "angular"}}
+ """
+ overrides = {}
+ prefix = "GIT_MASTER_"
+ skip = {"GIT_MASTER_DEBUG"}
+
+ for name, value in os.environ.items():
+ if not name.startswith(prefix):
+ continue
+ if name in skip:
+ continue
+
+ key_path = name[len(prefix):].lower().split("__")
+ if not key_path or key_path == [""]:
+ continue
+
+ # Attempt to interpret the value as JSON for typed values.
+ try:
+ typed_value = json.loads(value)
+ except (json.JSONDecodeError, ValueError):
+ typed_value = value
+
+ d = overrides
+ for segment in key_path[:-1]:
+ d = d.setdefault(segment, {})
+ d[key_path[-1]] = typed_value
+
+ return overrides
+
+
+def main():
+ sources_arg = sys.argv[1] if len(sys.argv) > 1 else ""
+ source_files = [p.strip() for p in sources_arg.strip().split("\n") if p.strip()]
+
+ merged = {}
+ for path in source_files:
+ if not os.path.isfile(path):
+ continue
+ try:
+ with open(path, "r") as fh:
+ data = yaml.safe_load(fh)
+ if isinstance(data, dict):
+ merged = deep_merge(merged, data)
+ # If the file is empty or not a dict, skip it silently.
+ except Exception as exc:
+ print(f"Warning: failed to parse {path}: {exc}", file=sys.stderr)
+
+ # Apply env var overrides as highest-priority layer.
+ env_layer = parse_env_overrides()
+ if env_layer:
+ merged = deep_merge(merged, env_layer)
+
+ json.dump(merged, sys.stdout, indent=2, default=str)
+ sys.stdout.write("\n")
+
+
+if __name__ == "__main__":
+ main()
+PYTHON_HEREDOC
+}
+
+###############################################################################
+# Fallback: basic parser (no PyYAML available)
+###############################################################################
+
+# Very rudimentary YAML parser that handles top-level scalars and one level of
+# nesting. Used as a last resort so that basic settings still work when
+# python3 is unavailable or PyYAML is not installed.
+_gm_merge_fallback() {
+ local sources="$1"
+
+ local -a files=()
+ local f
+ while IFS= read -r f; do
+ [[ -z "$f" ]] && continue
+ [[ -f "$f" ]] && files+=("$f")
+ done <<< "$sources"
+
+ if [[ ${#files[@]} -eq 0 ]]; then
+ printf '{}\n'
+ return
+ fi
+
+ # Parse only the highest-priority file to keep things simple.
+ local target="${files[-1]}"
+ _gm_log "Fallback: parsing $target with basic parser"
+
+ # If python3 is available (just without PyYAML), use it for the basic
+ # parsing since it handles edge cases better than pure sed/awk.
+ if command -v python3 &>/dev/null; then
+ python3 - "$target" <<'FALLBACK_PY'
+import sys
+import json
+import re
+
+result = {}
+parent = None
+path = sys.argv[1]
+
+try:
+ with open(path) as fh:
+ for raw_line in fh:
+ stripped = raw_line.rstrip("\n\r")
+ # Skip blank lines and comments.
+ trimmed = stripped.lstrip()
+ if not trimmed or trimmed.startswith("#"):
+ continue
+
+ indent = len(stripped) - len(trimmed)
+
+ # Remove inline comments (but not inside quoted strings — best effort).
+ content = re.sub(r'\s+#[^"\']*$', "", trimmed).strip()
+ if ":" not in content:
+ continue
+
+ key, _, val = content.partition(":")
+ key = key.strip()
+ val = val.strip()
+
+ # Strip surrounding quotes.
+ if len(val) >= 2 and val[0] == val[-1] and val[0] in ('"', "'"):
+ val = val[1:-1]
+
+ if indent == 0:
+ if val:
+ # Attempt to cast booleans and numbers.
+ if val.lower() in ("true", "yes"):
+ result[key] = True
+ elif val.lower() in ("false", "no"):
+ result[key] = False
+ elif val.lower() in ("null", "~"):
+ result[key] = None
+ else:
+ try:
+ result[key] = int(val)
+ except ValueError:
+ try:
+ result[key] = float(val)
+ except ValueError:
+ result[key] = val
+ parent = None
+ else:
+ parent = key
+ if key not in result or not isinstance(result[key], dict):
+ result[key] = {}
+ elif parent is not None and indent > 0 and val:
+ if val.lower() in ("true", "yes"):
+ result[parent][key] = True
+ elif val.lower() in ("false", "no"):
+ result[parent][key] = False
+ elif val.lower() in ("null", "~"):
+ result[parent][key] = None
+ else:
+ try:
+ result[parent][key] = int(val)
+ except ValueError:
+ try:
+ result[parent][key] = float(val)
+ except ValueError:
+ result[parent][key] = val
+except Exception:
+ pass
+
+json.dump(result, sys.stdout, indent=2)
+sys.stdout.write("\n")
+FALLBACK_PY
+ return
+ fi
+
+ # Pure bash/sed/awk fallback — extremely minimal.
+ # Only extracts top-level "key: value" lines into a flat JSON object.
+ _gm_log "Fallback: pure bash parser (no python3)"
+ local json_body=""
+ local first=1
+ while IFS= read -r line; do
+ # Skip comments and blank lines.
+ [[ "$line" =~ ^[[:space:]]*# ]] && continue
+ [[ -z "${line// /}" ]] && continue
+ # Only top-level (no leading whitespace) "key: value" lines.
+ if [[ "$line" =~ ^([a-zA-Z_][a-zA-Z0-9_-]*):\ +(.+)$ ]]; then
+ local key="${BASH_REMATCH[1]}"
+ local val="${BASH_REMATCH[2]}"
+ # Strip inline comment.
+ val="${val%%#*}"
+ val="${val%"${val##*[![:space:]]}"}" # trim trailing whitespace
+ # Strip quotes.
+ if [[ "$val" =~ ^\"(.*)\"$ ]] || [[ "$val" =~ ^\'(.*)\'$ ]]; then
+ val="${BASH_REMATCH[1]}"
+ fi
+ if [[ $first -eq 1 ]]; then
+ first=0
+ else
+ json_body+=","
+ fi
+ # Escape double quotes in value.
+ val="${val//\\/\\\\}"
+ val="${val//\"/\\\"}"
+ json_body+="$(printf '\n "%s": "%s"' "$key" "$val")"
+ fi
+ done < "$target"
+
+ printf '{%s\n}\n' "$json_body"
+}
+
+###############################################################################
+# Public API
+###############################################################################
+
+# gm_config_load — Merge all config layers, write the cached JSON file, and
+# export GIT_MASTER_CONFIG_PATH.
+gm_config_load() {
+ local data_dir="${CLAUDE_PLUGIN_DATA:-/tmp}"
+ local cache_json="${data_dir}/git-master-config.json"
+ local cache_hash_file="${data_dir}/git-master-config.hash"
+
+ # Compute current hash.
+ local current_hash
+ current_hash="$(_gm_config_hash)"
+
+ # Check cache validity.
+ if [[ -f "$cache_json" && -f "$cache_hash_file" ]]; then
+ local stored_hash
+ stored_hash="$(cat "$cache_hash_file" 2>/dev/null || true)"
+ if [[ "$stored_hash" == "$current_hash" ]]; then
+ _gm_log "Cache hit (hash=$current_hash)"
+ export GIT_MASTER_CONFIG_PATH="$cache_json"
+ return 0
+ fi
+ fi
+
+ _gm_log "Cache miss — merging config sources"
+
+ # Collect sources as newline-separated string.
+ local sources
+ sources="$(_gm_config_sources)"
+
+ if [[ -z "$sources" ]]; then
+ _gm_log "No config sources found; writing empty config"
+ printf '{}\n' > "$cache_json"
+ printf '%s' "$current_hash" > "$cache_hash_file"
+ export GIT_MASTER_CONFIG_PATH="$cache_json"
+ return 0
+ fi
+
+ _gm_log "Sources:"
+ local _s
+ while IFS= read -r _s; do
+ [[ -n "$_s" ]] && _gm_log " $_s"
+ done <<< "$sources"
+
+ # Attempt merge with Python + PyYAML.
+ local merged_json=""
+ local python_exit=0
+ local python_stderr_file=""
+
+ if command -v python3 &>/dev/null; then
+ python_stderr_file="$(mktemp "${TMPDIR:-/tmp}/gm-config-stderr.XXXXXX")"
+ merged_json="$(_gm_merge_with_python "$sources" 2>"$python_stderr_file")" || python_exit=$?
+ local stderr_content
+ stderr_content="$(cat "$python_stderr_file" 2>/dev/null || true)"
+ rm -f "$python_stderr_file"
+
+ if [[ $python_exit -eq 99 ]] || [[ "$stderr_content" == *"__PYYAML_MISSING__"* ]]; then
+ _gm_log "PyYAML not available — falling back to basic parser"
+ merged_json=""
+ python_exit=1
+ elif [[ $python_exit -ne 0 ]]; then
+ _gm_error "Python merge failed (exit $python_exit)"
+ [[ -n "$stderr_content" ]] && _gm_error "$stderr_content"
+ merged_json=""
+ fi
+ else
+ _gm_log "python3 not found — falling back to basic parser"
+ python_exit=1
+ fi
+
+ # Fallback if Python path failed.
+ if [[ -z "$merged_json" || $python_exit -ne 0 ]]; then
+ merged_json="$(_gm_merge_fallback "$sources")"
+ fi
+
+ # Validate JSON before writing.
+ if command -v jq &>/dev/null; then
+ if ! printf '%s' "$merged_json" | jq . >/dev/null 2>&1; then
+ _gm_error "Merged config is not valid JSON; writing empty object"
+ merged_json='{}'
+ fi
+ fi
+
+ # Ensure data directory exists.
+ mkdir -p "$data_dir" 2>/dev/null || true
+
+ printf '%s\n' "$merged_json" > "$cache_json"
+ printf '%s' "$current_hash" > "$cache_hash_file"
+
+ export GIT_MASTER_CONFIG_PATH="$cache_json"
+ _gm_log "Config cached at $cache_json"
+}
+
+# gm_config_reload — Force cache invalidation and reload.
+gm_config_reload() {
+ local data_dir="${CLAUDE_PLUGIN_DATA:-/tmp}"
+ rm -f "${data_dir}/git-master-config.json" "${data_dir}/git-master-config.hash"
+ _gm_log "Cache invalidated — reloading"
+ gm_config_load
+}
+
+# gm_config_get — Return a single scalar value.
+# e.g. gm_config_get commit.convention => "conventional"
+# Returns empty string and exit 1 if path does not exist or value is null.
+gm_config_get() {
+ local dotpath="${1:?Usage: gm_config_get }"
+
+ # Ensure config is loaded.
+ if [[ -z "${GIT_MASTER_CONFIG_PATH:-}" || ! -f "${GIT_MASTER_CONFIG_PATH:-}" ]]; then
+ gm_config_load
+ fi
+
+ if ! command -v jq &>/dev/null; then
+ _gm_error "jq is required for gm_config_get"
+ return 1
+ fi
+
+ # Convert dot-path to jq filter: "commit.convention" => ".commit.convention"
+ local jq_filter
+ jq_filter="$(printf '.%s' "$dotpath")"
+
+ # Check if the path exists. We cannot use `// empty` or `-e` because both
+ # treat `false`, `null`, and `0` as falsy. Instead we test whether the
+ # path resolves to something other than the jq error case.
+ local exists
+ exists="$(jq "($jq_filter | type) // \"__missing__\"" "$GIT_MASTER_CONFIG_PATH" 2>/dev/null)" || return 1
+ if [[ "$exists" == '"__missing__"' || "$exists" == "__missing__" ]]; then
+ return 1
+ fi
+
+ local result
+ result="$(jq -r "$jq_filter" "$GIT_MASTER_CONFIG_PATH" 2>/dev/null)" || return 1
+
+ # jq -r prints "null" for JSON null. We treat explicit null as "cleared",
+ # meaning the key was intentionally set to null, so return exit 1.
+ if [[ "$result" == "null" ]]; then
+ return 1
+ fi
+
+ printf '%s\n' "$result"
+}
+
+# gm_config_get_array — Return array elements, one per line.
+# e.g. gm_config_get_array commit.types
+# Returns exit 1 if path does not exist or is not an array.
+gm_config_get_array() {
+ local dotpath="${1:?Usage: gm_config_get_array }"
+
+ if [[ -z "${GIT_MASTER_CONFIG_PATH:-}" || ! -f "${GIT_MASTER_CONFIG_PATH:-}" ]]; then
+ gm_config_load
+ fi
+
+ if ! command -v jq &>/dev/null; then
+ _gm_error "jq is required for gm_config_get_array"
+ return 1
+ fi
+
+ local jq_filter
+ jq_filter="$(printf '.%s' "$dotpath")"
+
+ local result
+ result="$(jq -r "($jq_filter // null) | if type == \"array\" then .[] else empty end" \
+ "$GIT_MASTER_CONFIG_PATH" 2>/dev/null)" || true
+
+ if [[ -z "$result" ]]; then
+ return 1
+ fi
+
+ printf '%s\n' "$result"
+}
+
+# gm_config_get_json — Return a JSON subtree.
+# e.g. gm_config_get_json commit => { "convention": "conventional", ... }
+# Returns exit 1 if path does not exist.
+gm_config_get_json() {
+ local dotpath="${1:?Usage: gm_config_get_json }"
+
+ if [[ -z "${GIT_MASTER_CONFIG_PATH:-}" || ! -f "${GIT_MASTER_CONFIG_PATH:-}" ]]; then
+ gm_config_load
+ fi
+
+ if ! command -v jq &>/dev/null; then
+ _gm_error "jq is required for gm_config_get_json"
+ return 1
+ fi
+
+ local jq_filter
+ jq_filter="$(printf '.%s' "$dotpath")"
+
+ # Check if the path exists (handles false/0/null correctly).
+ local exists
+ exists="$(jq "($jq_filter | type) // \"__missing__\"" "$GIT_MASTER_CONFIG_PATH" 2>/dev/null)" || return 1
+ if [[ "$exists" == '"__missing__"' || "$exists" == "__missing__" ]]; then
+ return 1
+ fi
+
+ local result
+ result="$(jq "$jq_filter" "$GIT_MASTER_CONFIG_PATH" 2>/dev/null)" || return 1
+
+ printf '%s\n' "$result"
+}
diff --git a/plugins/git-master/scripts/lib/provider-bitbucket.sh b/plugins/git-master/scripts/lib/provider-bitbucket.sh
new file mode 100755
index 0000000..2feb7de
--- /dev/null
+++ b/plugins/git-master/scripts/lib/provider-bitbucket.sh
@@ -0,0 +1,474 @@
+#!/usr/bin/env bash
+# provider-bitbucket.sh — Bitbucket Cloud provider implementation.
+# REST API only (no standard CLI tool).
+# Uses: https://api.bitbucket.org/2.0/
+# Meant to be sourced, not executed directly.
+
+# Guard against double-sourcing.
+[[ -n "${_GM_PROVIDER_BITBUCKET_LOADED:-}" ]] && return 0
+
+# ---------------------------------------------------------------------------
+# Helpers
+# ---------------------------------------------------------------------------
+
+# Get an auth token (app password or OAuth token).
+_bitbucket_token() {
+ local token_env
+ token_env="$(gm_config_get 'provider.token_env' 2>/dev/null || echo "")"
+ if [[ -n "$token_env" ]]; then
+ printf '%s' "${!token_env:-}"
+ return
+ fi
+ printf '%s' "${BITBUCKET_TOKEN:-${BITBUCKET_APP_PASSWORD:-}}"
+}
+
+# Get the Bitbucket username for basic auth.
+_bitbucket_username() {
+ printf '%s' "${BITBUCKET_USERNAME:-}"
+}
+
+# Authenticated curl wrapper for the Bitbucket REST API 2.0.
+# Supports both token auth (Bearer) and basic auth (user:app_password).
+_bitbucket_curl() {
+ local method="$1" endpoint="$2"
+ shift 2
+
+ local token username
+ token="$(_bitbucket_token)"
+ username="$(_bitbucket_username)"
+
+ local -a auth_args=()
+ if [[ -n "$username" && -n "$token" ]]; then
+ # Basic auth with app password.
+ auth_args=(-u "${username}:${token}")
+ elif [[ -n "$token" ]]; then
+ # Bearer token (OAuth).
+ auth_args=(-H "Authorization: Bearer $token")
+ else
+ echo '{"error":"no Bitbucket credentials available. Set BITBUCKET_USERNAME and BITBUCKET_TOKEN (app password) or BITBUCKET_TOKEN (OAuth)"}' >&2
+ return 3
+ fi
+
+ local url="https://api.bitbucket.org/2.0${endpoint}"
+ curl -sf -X "$method" \
+ "${auth_args[@]}" \
+ -H "Content-Type: application/json" \
+ -H "Accept: application/json" \
+ "$@" "$url"
+}
+
+# Get workspace/repo slug for API paths.
+_bitbucket_workspace_repo() {
+ gm_parse_remote_url
+ printf '%s/%s' "$GM_REMOTE_OWNER" "$GM_REMOTE_REPO"
+}
+
+# ---------------------------------------------------------------------------
+# PR (Pull Request) operations
+# ---------------------------------------------------------------------------
+
+_bitbucket_pr_create() {
+ # shellcheck disable=SC2034 # draft is parsed for interface consistency but Bitbucket has no draft PRs
+ local title="" body="" draft="" base=""
+ local -a reviewers=()
+
+ # shellcheck disable=SC2034 # draft parsed for interface consistency; Bitbucket has no draft PRs
+ while [[ $# -gt 0 ]]; do
+ case "$1" in
+ --title) title="$2"; shift 2 ;;
+ --body) body="$2"; shift 2 ;;
+ --draft) draft="true"; shift ;;
+ --base) base="$2"; shift 2 ;;
+ --label) shift 2 ;; # Bitbucket does not have labels on PRs.
+ --reviewer) reviewers+=("$2"); shift 2 ;;
+ *) shift ;;
+ esac
+ done
+
+ local source_branch
+ source_branch="$(git symbolic-ref --short HEAD 2>/dev/null)"
+
+ local ws_repo
+ ws_repo="$(_bitbucket_workspace_repo)"
+
+ # Build reviewers array.
+ local reviewers_json="[]"
+ local r
+ for r in "${reviewers[@]}"; do
+ reviewers_json=$(printf '%s' "$reviewers_json" | jq --arg u "$r" '. + [{"username": $u}]')
+ done
+
+ # Default base branch.
+ if [[ -z "$base" ]]; then
+ base="$(git symbolic-ref refs/remotes/origin/HEAD 2>/dev/null | sed 's|refs/remotes/origin/||' || echo "main")"
+ fi
+
+ local payload
+ payload=$(jq -n \
+ --arg title "$title" \
+ --arg desc "$body" \
+ --arg source "$source_branch" \
+ --arg dest "$base" \
+ --argjson reviewers "$reviewers_json" \
+ --argjson close_source "$(val=$(gm_config_get 'pr.delete_branch_on_merge' 2>/dev/null || echo "true"); [[ "$val" == "true" ]] && echo "true" || echo "false")" \
+ '{
+ title: $title,
+ description: $desc,
+ source: {branch: {name: $source}},
+ destination: {branch: {name: $dest}},
+ reviewers: $reviewers,
+ close_source_branch: $close_source
+ }')
+
+ _bitbucket_curl POST "/repositories/${ws_repo}/pullrequests" -d "$payload"
+}
+
+_bitbucket_pr_list() {
+ local state="OPEN" limit="30"
+
+ while [[ $# -gt 0 ]]; do
+ case "$1" in
+ --state)
+ case "$2" in
+ open) state="OPEN" ;;
+ closed) state="MERGED,DECLINED" ;;
+ merged) state="MERGED" ;;
+ *) state="$2" ;;
+ esac
+ shift 2
+ ;;
+ --limit) limit="$2"; shift 2 ;;
+ *) shift ;;
+ esac
+ done
+
+ local ws_repo
+ ws_repo="$(_bitbucket_workspace_repo)"
+ _bitbucket_curl GET "/repositories/${ws_repo}/pullrequests?state=${state}&pagelen=${limit}"
+}
+
+_bitbucket_pr_view() {
+ local pr_id="${1:-}"
+ if [[ -z "$pr_id" ]]; then
+ echo '{"error":"pr-view requires a PR number"}' >&2
+ return 1
+ fi
+
+ local ws_repo
+ ws_repo="$(_bitbucket_workspace_repo)"
+ _bitbucket_curl GET "/repositories/${ws_repo}/pullrequests/${pr_id}"
+}
+
+_bitbucket_pr_diff() {
+ local pr_id="${1:-}"
+ if [[ -z "$pr_id" ]]; then
+ echo '{"error":"pr-diff requires a PR number"}' >&2
+ return 1
+ fi
+
+ local ws_repo
+ ws_repo="$(_bitbucket_workspace_repo)"
+
+ local token username
+ token="$(_bitbucket_token)"
+ username="$(_bitbucket_username)"
+
+ local -a auth_args=()
+ if [[ -n "$username" && -n "$token" ]]; then
+ auth_args=(-u "${username}:${token}")
+ elif [[ -n "$token" ]]; then
+ auth_args=(-H "Authorization: Bearer $token")
+ else
+ echo '{"error":"no Bitbucket credentials for diff"}' >&2
+ return 3
+ fi
+
+ local diff_output
+ diff_output=$(curl -sf \
+ "${auth_args[@]}" \
+ -H "Accept: text/plain" \
+ "https://api.bitbucket.org/2.0/repositories/${ws_repo}/pullrequests/${pr_id}/diff" 2>&1) || {
+ echo '{"error":"failed to fetch diff"}' >&2
+ return 1
+ }
+
+ jq -n --arg diff "$diff_output" '{"diff": $diff}'
+}
+
+_bitbucket_pr_merge() {
+ local pr_id="${1:-}"
+ if [[ -z "$pr_id" ]]; then
+ echo '{"error":"pr-merge requires a PR number"}' >&2
+ return 1
+ fi
+ shift
+
+ local strategy="squash"
+ local close_source="true"
+
+ while [[ $# -gt 0 ]]; do
+ case "$1" in
+ --squash) strategy="squash"; shift ;;
+ --merge) strategy="merge_commit"; shift ;;
+ --rebase) strategy="fast_forward"; shift ;; # Closest Bitbucket equivalent.
+ --delete-branch) close_source="true"; shift ;;
+ *) shift ;;
+ esac
+ done
+
+ local ws_repo
+ ws_repo="$(_bitbucket_workspace_repo)"
+
+ local payload
+ payload=$(jq -n \
+ --arg strategy "$strategy" \
+ --argjson close "$close_source" \
+ '{merge_strategy: $strategy, close_source_branch: $close}')
+
+ _bitbucket_curl POST "/repositories/${ws_repo}/pullrequests/${pr_id}/merge" -d "$payload"
+}
+
+_bitbucket_pr_close() {
+ local pr_id="${1:-}"
+ if [[ -z "$pr_id" ]]; then
+ echo '{"error":"pr-close requires a PR number"}' >&2
+ return 1
+ fi
+
+ local ws_repo
+ ws_repo="$(_bitbucket_workspace_repo)"
+
+ # Bitbucket uses "decline" to close a PR without merging.
+ _bitbucket_curl POST "/repositories/${ws_repo}/pullrequests/${pr_id}/decline"
+}
+
+_bitbucket_pr_comment() {
+ local pr_id="" body=""
+
+ while [[ $# -gt 0 ]]; do
+ case "$1" in
+ --body) body="$2"; shift 2 ;;
+ *) [[ -z "$pr_id" ]] && pr_id="$1"; shift ;;
+ esac
+ done
+
+ if [[ -z "$pr_id" || -z "$body" ]]; then
+ echo '{"error":"pr-comment requires a PR number and --body"}' >&2
+ return 1
+ fi
+
+ local ws_repo
+ ws_repo="$(_bitbucket_workspace_repo)"
+
+ local payload
+ payload=$(jq -n --arg body "$body" '{content: {raw: $body}}')
+ _bitbucket_curl POST "/repositories/${ws_repo}/pullrequests/${pr_id}/comments" -d "$payload"
+}
+
+_bitbucket_pr_review() {
+ local pr_id="" body="" action=""
+
+ while [[ $# -gt 0 ]]; do
+ case "$1" in
+ --body) body="$2"; shift 2 ;;
+ --approve) action="approve"; shift ;;
+ --request-changes) action="request-changes"; shift ;;
+ --comment) action="comment"; shift ;;
+ *) [[ -z "$pr_id" ]] && pr_id="$1"; shift ;;
+ esac
+ done
+
+ if [[ -z "$pr_id" ]]; then
+ echo '{"error":"pr-review requires a PR number"}' >&2
+ return 1
+ fi
+
+ local ws_repo
+ ws_repo="$(_bitbucket_workspace_repo)"
+
+ case "$action" in
+ approve)
+ _bitbucket_curl POST "/repositories/${ws_repo}/pullrequests/${pr_id}/approve"
+ ;;
+ request-changes)
+ _bitbucket_curl DELETE "/repositories/${ws_repo}/pullrequests/${pr_id}/approve" || true
+ # Bitbucket has no native "request changes". Leave a comment instead.
+ if [[ -n "$body" ]]; then
+ local payload
+ payload=$(jq -n --arg body "$body" '{content: {raw: $body}}')
+ _bitbucket_curl POST "/repositories/${ws_repo}/pullrequests/${pr_id}/comments" -d "$payload"
+ fi
+ jq -n '{"reviewed": true, "action": "request-changes", "note": "Bitbucket does not natively support request-changes; approval removed and comment posted"}'
+ ;;
+ comment|*)
+ if [[ -n "$body" ]]; then
+ local payload
+ payload=$(jq -n --arg body "$body" '{content: {raw: $body}}')
+ _bitbucket_curl POST "/repositories/${ws_repo}/pullrequests/${pr_id}/comments" -d "$payload"
+ fi
+ ;;
+ esac
+}
+
+_bitbucket_pr_checks() {
+ local pr_id="${1:-}"
+ if [[ -z "$pr_id" ]]; then
+ echo '{"error":"pr-checks requires a PR number"}' >&2
+ return 1
+ fi
+
+ local ws_repo
+ ws_repo="$(_bitbucket_workspace_repo)"
+ _bitbucket_curl GET "/repositories/${ws_repo}/pullrequests/${pr_id}/statuses"
+}
+
+_bitbucket_pr_labels() {
+ # Bitbucket Cloud does not support labels on pull requests.
+ echo '{"error":"labels are not supported on Bitbucket Cloud pull requests"}' >&2
+ return 2
+}
+
+_bitbucket_pr_reviewers() {
+ local pr_id=""
+ local -a reviewers=()
+
+ while [[ $# -gt 0 ]]; do
+ case "$1" in
+ --reviewer) reviewers+=("$2"); shift 2 ;;
+ *)
+ if [[ -z "$pr_id" ]]; then pr_id="$1"; else reviewers+=("$1"); fi
+ shift
+ ;;
+ esac
+ done
+
+ if [[ -z "$pr_id" ]]; then
+ echo '{"error":"pr-reviewers requires a PR number"}' >&2
+ return 1
+ fi
+
+ local ws_repo
+ ws_repo="$(_bitbucket_workspace_repo)"
+
+ if [[ ${#reviewers[@]} -eq 0 ]]; then
+ # List current reviewers.
+ _bitbucket_curl GET "/repositories/${ws_repo}/pullrequests/${pr_id}" \
+ | jq '{reviewers: [.reviewers[]? | {username: .username, display_name: .display_name}]}'
+ return $?
+ fi
+
+ # Update reviewers by patching the PR.
+ local reviewers_json="[]"
+ local r
+ for r in "${reviewers[@]}"; do
+ reviewers_json=$(printf '%s' "$reviewers_json" | jq --arg u "$r" '. + [{"username": $u}]')
+ done
+
+ local payload
+ payload=$(jq -n --argjson reviewers "$reviewers_json" '{reviewers: $reviewers}')
+ _bitbucket_curl PUT "/repositories/${ws_repo}/pullrequests/${pr_id}" -d "$payload"
+}
+
+# ---------------------------------------------------------------------------
+# CI operations
+# ---------------------------------------------------------------------------
+
+_bitbucket_ci_status() {
+ local branch=""
+ while [[ $# -gt 0 ]]; do
+ case "$1" in
+ --branch) branch="$2"; shift 2 ;;
+ *) shift ;;
+ esac
+ done
+
+ local ws_repo
+ ws_repo="$(_bitbucket_workspace_repo)"
+
+ # Bitbucket Pipelines: list pipeline results.
+ local endpoint="/repositories/${ws_repo}/pipelines/?sort=-created_on&pagelen=5"
+ if [[ -n "$branch" ]]; then
+ endpoint="/repositories/${ws_repo}/pipelines/?sort=-created_on&pagelen=5&target.ref_name=${branch}"
+ fi
+
+ _bitbucket_curl GET "$endpoint"
+}
+
+_bitbucket_ci_logs() {
+ local pipeline_id="${1:-}"
+ if [[ -z "$pipeline_id" ]]; then
+ echo '{"error":"ci-logs requires a pipeline UUID"}' >&2
+ return 1
+ fi
+
+ local ws_repo
+ ws_repo="$(_bitbucket_workspace_repo)"
+
+ # List steps in the pipeline, then fetch logs for each.
+ local steps
+ steps=$(_bitbucket_curl GET "/repositories/${ws_repo}/pipelines/${pipeline_id}/steps/") || {
+ echo '{"error":"failed to fetch pipeline steps"}' >&2
+ return 1
+ }
+
+ local step_uuids
+ step_uuids=$(printf '%s' "$steps" | jq -r '.values[]?.uuid // empty')
+ if [[ -z "$step_uuids" ]]; then
+ printf '%s' "$steps"
+ return 0
+ fi
+
+ local result="[]"
+ local uuid
+ while IFS= read -r uuid; do
+ [[ -z "$uuid" ]] && continue
+ local log
+ log=$(_bitbucket_curl GET "/repositories/${ws_repo}/pipelines/${pipeline_id}/steps/${uuid}/log" 2>/dev/null || echo "")
+ result=$(printf '%s' "$result" | jq --arg uuid "$uuid" --arg log "$log" \
+ '. + [{step: $uuid, log: $log}]')
+ done <<< "$step_uuids"
+
+ printf '%s' "$result"
+}
+
+_bitbucket_ci_retry() {
+ # Bitbucket Pipelines: trigger a new run on the same commit/branch.
+ local pipeline_id="${1:-}"
+
+ local ws_repo
+ ws_repo="$(_bitbucket_workspace_repo)"
+
+ if [[ -n "$pipeline_id" ]]; then
+ # Get the pipeline details to find the target branch.
+ local pipeline
+ pipeline=$(_bitbucket_curl GET "/repositories/${ws_repo}/pipelines/${pipeline_id}") || {
+ echo '{"error":"failed to fetch pipeline details"}' >&2
+ return 1
+ }
+ local branch
+ branch=$(printf '%s' "$pipeline" | jq -r '.target.ref_name // empty')
+ if [[ -z "$branch" ]]; then
+ echo '{"error":"could not determine branch from pipeline"}' >&2
+ return 1
+ fi
+ local payload
+ payload=$(jq -n --arg branch "$branch" \
+ '{target: {type: "pipeline_ref_target", ref_type: "branch", ref_name: $branch}}')
+ _bitbucket_curl POST "/repositories/${ws_repo}/pipelines/" -d "$payload"
+ else
+ echo '{"error":"ci-retry requires a pipeline UUID"}' >&2
+ return 1
+ fi
+}
+
+# ---------------------------------------------------------------------------
+# Repo operations
+# ---------------------------------------------------------------------------
+
+_bitbucket_repo_info() {
+ local ws_repo
+ ws_repo="$(_bitbucket_workspace_repo)"
+ _bitbucket_curl GET "/repositories/${ws_repo}"
+}
+
+_GM_PROVIDER_BITBUCKET_LOADED=1
diff --git a/plugins/git-master/scripts/lib/provider-detect.sh b/plugins/git-master/scripts/lib/provider-detect.sh
new file mode 100755
index 0000000..4485395
--- /dev/null
+++ b/plugins/git-master/scripts/lib/provider-detect.sh
@@ -0,0 +1,208 @@
+#!/usr/bin/env bash
+# provider-detect.sh — Detect git remote provider and available CLI tools.
+# Meant to be sourced, not executed directly.
+
+# Guard against double-sourcing.
+[[ -n "${_GM_PROVIDER_DETECT_LOADED:-}" ]] && return 0
+
+# Results (populated by gm_detect_provider / gm_parse_remote_url).
+GM_REMOTE_OWNER=""
+GM_REMOTE_REPO=""
+
+# ---------------------------------------------------------------------------
+# gm_detect_provider — Detect the hosting provider from remote URL or config.
+# Prints one of: github, gitlab, gitea, bitbucket, generic
+# ---------------------------------------------------------------------------
+gm_detect_provider() {
+ # If provider.type is explicitly set (not "auto"), return it directly.
+ local configured_type
+ configured_type="$(gm_config_get 'provider.type' 2>/dev/null || echo "auto")"
+ if [[ -n "$configured_type" && "$configured_type" != "auto" ]]; then
+ printf '%s' "$configured_type"
+ return 0
+ fi
+
+ # Determine which remote to inspect.
+ local remote_name
+ remote_name="$(gm_config_get 'workflow.default_remote' 2>/dev/null || echo "origin")"
+ [[ -z "$remote_name" ]] && remote_name="origin"
+
+ local remote_url
+ remote_url="$(git remote get-url "$remote_name" 2>/dev/null || true)"
+ if [[ -z "$remote_url" ]]; then
+ printf 'generic'
+ return 0
+ fi
+
+ # Extract the hostname from the remote URL.
+ local host
+ host="$(_gm_extract_host "$remote_url")"
+
+ # Check custom host mapping from config.
+ local custom_host
+ custom_host="$(gm_config_get 'provider.host' 2>/dev/null || echo "")"
+ if [[ -n "$custom_host" ]]; then
+ case "$custom_host" in
+ # "mygitlab.example.com=gitlab" format.
+ *=*)
+ local map_host="${custom_host%%=*}"
+ local map_provider="${custom_host#*=}"
+ if [[ "$host" == "$map_host" ]]; then
+ printf '%s' "$map_provider"
+ return 0
+ fi
+ ;;
+ # Direct provider name — override for whatever host is detected.
+ github|gitlab|gitea|bitbucket)
+ printf '%s' "$custom_host"
+ return 0
+ ;;
+ esac
+ fi
+
+ # Match well-known hostnames.
+ case "$host" in
+ github.com|*.github.com) printf 'github' ;;
+ gitlab.com|*.gitlab.com) printf 'gitlab' ;;
+ bitbucket.org|*.bitbucket.org) printf 'bitbucket' ;;
+ *gitea*|*forgejo*|codeberg.org) printf 'gitea' ;;
+ *) printf 'generic' ;;
+ esac
+
+ return 0
+}
+
+# ---------------------------------------------------------------------------
+# gm_detect_cli — Choose the best available CLI tool.
+# Prints: gh, glab, tea, or git
+# ---------------------------------------------------------------------------
+gm_detect_cli() {
+ # Read preference list from config.
+ local -a tools
+ local prefs
+ prefs="$(gm_config_get_array 'provider.cli_preference' 2>/dev/null || true)"
+
+ if [[ -n "$prefs" ]]; then
+ while IFS= read -r t; do
+ [[ -n "$t" ]] && tools+=("$t")
+ done <<< "$prefs"
+ fi
+
+ # Default fallback order if config yielded nothing.
+ if [[ ${#tools[@]} -eq 0 ]]; then
+ tools=(gh glab tea git)
+ fi
+
+ local tool
+ for tool in "${tools[@]}"; do
+ # Trim whitespace.
+ tool="${tool#"${tool%%[![:space:]]*}"}"
+ tool="${tool%"${tool##*[![:space:]]}"}"
+ if command -v "$tool" &>/dev/null; then
+ printf '%s' "$tool"
+ return 0
+ fi
+ done
+
+ # git should always exist, but guard anyway.
+ printf 'git'
+ return 0
+}
+
+# ---------------------------------------------------------------------------
+# gm_parse_remote_url — Extract OWNER and REPO from a git remote URL.
+# Sets GM_REMOTE_OWNER and GM_REMOTE_REPO as global variables.
+#
+# Supported formats:
+# git@host:owner/repo.git
+# https://host/owner/repo.git
+# ssh://git@host/owner/repo.git
+# ssh://git@host:port/owner/repo.git
+# git@gitlab.com:group/subgroup/repo.git (nested groups)
+# ---------------------------------------------------------------------------
+gm_parse_remote_url() {
+ local url="${1:-}"
+
+ if [[ -z "$url" ]]; then
+ local remote_name
+ remote_name="$(gm_config_get 'workflow.default_remote' 2>/dev/null || echo "origin")"
+ [[ -z "$remote_name" ]] && remote_name="origin"
+ url="$(git remote get-url "$remote_name" 2>/dev/null || true)"
+ fi
+
+ if [[ -z "$url" ]]; then
+ GM_REMOTE_OWNER=""
+ GM_REMOTE_REPO=""
+ return 1
+ fi
+
+ local path=""
+
+ case "$url" in
+ # SSH shorthand: git@host:owner/repo.git
+ *@*:*/*)
+ path="${url#*:}"
+ ;;
+ # HTTPS / HTTP / SSH with scheme.
+ https://*|http://*|ssh://*)
+ path="${url#*://}" # user@host(:port)/path or host/path
+ path="${path#*/}" # strip host portion up to first /
+ ;;
+ *)
+ # Best effort.
+ path="${url#*:}"
+ [[ "$path" == "$url" ]] && path="${url#*/}"
+ ;;
+ esac
+
+ # Strip trailing .git and slash.
+ path="${path%.git}"
+ path="${path%/}"
+
+ # Split: owner = everything before last /, repo = last component.
+ if [[ "$path" == */* ]]; then
+ GM_REMOTE_REPO="${path##*/}"
+ GM_REMOTE_OWNER="${path%/*}"
+ else
+ GM_REMOTE_REPO="$path"
+ GM_REMOTE_OWNER=""
+ fi
+
+ export GM_REMOTE_OWNER GM_REMOTE_REPO
+ return 0
+}
+
+# ---------------------------------------------------------------------------
+# _gm_extract_host — Extract hostname from a remote URL.
+# ---------------------------------------------------------------------------
+_gm_extract_host() {
+ local url="$1"
+ local host=""
+
+ case "$url" in
+ # git@host:owner/repo
+ *@*:*/*)
+ host="${url#*@}"
+ host="${host%%:*}"
+ ;;
+ https://*|http://*)
+ host="${url#*://}"
+ host="${host%%/*}"
+ host="${host#*@}" # strip user@ if present
+ host="${host%%:*}" # strip port if present
+ ;;
+ ssh://*)
+ host="${url#ssh://}"
+ host="${host#*@}"
+ host="${host%%/*}"
+ host="${host%%:*}"
+ ;;
+ *)
+ host=""
+ ;;
+ esac
+
+ printf '%s' "$host"
+}
+
+_GM_PROVIDER_DETECT_LOADED=1
diff --git a/plugins/git-master/scripts/lib/provider-dispatch.sh b/plugins/git-master/scripts/lib/provider-dispatch.sh
new file mode 100755
index 0000000..6880782
--- /dev/null
+++ b/plugins/git-master/scripts/lib/provider-dispatch.sh
@@ -0,0 +1,139 @@
+#!/usr/bin/env bash
+# provider-dispatch.sh — Unified dispatch layer for all provider operations.
+# Meant to be sourced, not executed directly.
+
+# Guard against double-sourcing.
+[[ -n "${_GM_PROVIDER_DISPATCH_LOADED:-}" ]] && return 0
+
+# Exit codes:
+# 0 = success
+# 1 = error
+# 2 = operation not supported by this provider
+# 3 = authentication required
+
+# All valid operations.
+readonly _GM_VALID_OPERATIONS="pr-create pr-list pr-view pr-diff pr-merge pr-close pr-comment pr-review pr-checks pr-labels pr-reviewers ci-status ci-logs ci-retry repo-info"
+
+# Main dispatch entry point.
+# Usage: gm_provider [args...]
+gm_provider() {
+ local operation="${1:-}"
+ if [[ -z "$operation" ]]; then
+ echo '{"error":"no operation specified"}' >&2
+ return 1
+ fi
+ shift
+
+ # Validate operation name.
+ if ! _gm_valid_operation "$operation"; then
+ echo "{\"error\":\"unknown operation: $operation\"}" >&2
+ return 1
+ fi
+
+ # Determine provider if not already set.
+ if [[ -z "${GIT_MASTER_PROVIDER:-}" ]]; then
+ GIT_MASTER_PROVIDER="$(gm_detect_provider)"
+ export GIT_MASTER_PROVIDER
+ fi
+
+ # Build the provider fallback chain.
+ local -a chain
+ chain=("$GIT_MASTER_PROVIDER")
+
+ local fallback_enabled
+ fallback_enabled="$(gm_config_get 'provider.fallback_enabled' 2>/dev/null || echo "true")"
+
+ if [[ "$fallback_enabled" == "true" ]]; then
+ # Add generic as the last resort if not already the provider.
+ if [[ "$GIT_MASTER_PROVIDER" != "generic" ]]; then
+ chain+=("generic")
+ fi
+ fi
+
+ local provider rc
+ for provider in "${chain[@]}"; do
+ _gm_source_provider "$provider" || continue
+
+ # Convert operation to function name: pr-create -> __pr_create
+ local func_name
+ func_name="_${provider}_$(echo "$operation" | tr '-' '_')"
+
+ if ! declare -f "$func_name" &>/dev/null; then
+ # Function not defined in this provider; try next.
+ continue
+ fi
+
+ rc=0
+ "$func_name" "$@" || rc=$?
+
+ case $rc in
+ 0)
+ return 0
+ ;;
+ 2)
+ # Not supported; try next in chain.
+ continue
+ ;;
+ 3)
+ # Auth required — propagate immediately, don't fall back.
+ return 3
+ ;;
+ *)
+ # Error — if fallback is enabled, try next; otherwise propagate.
+ if [[ "$fallback_enabled" == "true" ]]; then
+ echo "{\"warning\":\"$provider failed for $operation, trying fallback\"}" >&2
+ continue
+ fi
+ return "$rc"
+ ;;
+ esac
+ done
+
+ # Nothing succeeded.
+ echo "{\"error\":\"operation '$operation' not supported by any available provider\"}" >&2
+ return 2
+}
+
+# --- Internal helpers ---
+
+# Check if an operation name is valid.
+_gm_valid_operation() {
+ local op="$1"
+ local valid
+ for valid in $_GM_VALID_OPERATIONS; do
+ if [[ "$valid" == "$op" ]]; then
+ return 0
+ fi
+ done
+ return 1
+}
+
+# Source a provider script if not already loaded.
+# Tracks loaded providers in _GM_LOADED_PROVIDERS to avoid re-sourcing.
+declare -g -A _GM_LOADED_PROVIDERS 2>/dev/null || true
+
+_gm_source_provider() {
+ local provider="$1"
+
+ # Skip if already loaded.
+ if [[ "${_GM_LOADED_PROVIDERS[$provider]:-}" == "1" ]]; then
+ return 0
+ fi
+
+ # Locate the provider script relative to this file.
+ local script_dir
+ script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+ local provider_file="$script_dir/provider-${provider}.sh"
+
+ if [[ ! -f "$provider_file" ]]; then
+ echo "{\"error\":\"provider script not found: $provider_file\"}" >&2
+ return 1
+ fi
+
+ # shellcheck source=/dev/null
+ source "$provider_file"
+ _GM_LOADED_PROVIDERS[$provider]="1"
+ return 0
+}
+
+_GM_PROVIDER_DISPATCH_LOADED=1
diff --git a/plugins/git-master/scripts/lib/provider-generic.sh b/plugins/git-master/scripts/lib/provider-generic.sh
new file mode 100755
index 0000000..39ff928
--- /dev/null
+++ b/plugins/git-master/scripts/lib/provider-generic.sh
@@ -0,0 +1,149 @@
+#!/usr/bin/env bash
+# provider-generic.sh — Git-only fallback provider.
+# Can only perform local operations. Remote/API operations return exit 2.
+# Meant to be sourced, not executed directly.
+
+# Guard against double-sourcing.
+[[ -n "${_GM_PROVIDER_GENERIC_LOADED:-}" ]] && return 0
+
+# ---------------------------------------------------------------------------
+# Unsupported operation helper
+# ---------------------------------------------------------------------------
+
+_generic_not_supported() {
+ local operation="$1"
+ echo "{\"error\":\"'${operation}' is not available without a hosting provider. Configure provider.type in .git-master.yml or use a remote pointing to GitHub, GitLab, Gitea, or Bitbucket.\"}" >&2
+ return 2
+}
+
+# ---------------------------------------------------------------------------
+# PR operations — all unsupported except pr-diff (local)
+# ---------------------------------------------------------------------------
+
+_generic_pr_create() {
+ _generic_not_supported "pr-create"
+}
+
+_generic_pr_list() {
+ _generic_not_supported "pr-list"
+}
+
+_generic_pr_view() {
+ _generic_not_supported "pr-view"
+}
+
+_generic_pr_diff() {
+ # Local diff: compare current branch against the default base.
+ local base="${1:-}"
+
+ if [[ -z "$base" ]]; then
+ # Try to determine default base branch.
+ base="$(git symbolic-ref refs/remotes/origin/HEAD 2>/dev/null | sed 's|refs/remotes/origin/||')" || true
+ [[ -z "$base" ]] && base="main"
+ fi
+
+ local current
+ current="$(git symbolic-ref --short HEAD 2>/dev/null || echo "HEAD")"
+
+ local diff_output
+ diff_output=$(git diff "${base}...${current}" 2>&1) || {
+ # Try without the three-dot syntax.
+ diff_output=$(git diff "${base}" 2>&1) || {
+ echo "{\"error\":\"git diff failed\",\"detail\":$(printf '%s' "$diff_output" | jq -Rs .)}" >&2
+ return 1
+ }
+ }
+
+ jq -n --arg diff "$diff_output" --arg base "$base" --arg head "$current" \
+ '{"diff": $diff, "base": $base, "head": $head, "source": "local"}'
+}
+
+_generic_pr_merge() {
+ _generic_not_supported "pr-merge"
+}
+
+_generic_pr_close() {
+ _generic_not_supported "pr-close"
+}
+
+_generic_pr_comment() {
+ _generic_not_supported "pr-comment"
+}
+
+_generic_pr_review() {
+ _generic_not_supported "pr-review"
+}
+
+_generic_pr_checks() {
+ _generic_not_supported "pr-checks"
+}
+
+_generic_pr_labels() {
+ _generic_not_supported "pr-labels"
+}
+
+_generic_pr_reviewers() {
+ _generic_not_supported "pr-reviewers"
+}
+
+# ---------------------------------------------------------------------------
+# CI operations — all unsupported
+# ---------------------------------------------------------------------------
+
+_generic_ci_status() {
+ _generic_not_supported "ci-status"
+}
+
+_generic_ci_logs() {
+ _generic_not_supported "ci-logs"
+}
+
+_generic_ci_retry() {
+ _generic_not_supported "ci-retry"
+}
+
+# ---------------------------------------------------------------------------
+# Repo operations — local info only
+# ---------------------------------------------------------------------------
+
+_generic_repo_info() {
+ local remote_name
+ remote_name="$(gm_config_get 'workflow.default_remote' 2>/dev/null || echo "origin")"
+ [[ -z "$remote_name" ]] && remote_name="origin"
+
+ local remote_url
+ remote_url="$(git remote get-url "$remote_name" 2>/dev/null || echo "")"
+
+ gm_parse_remote_url "$remote_url" 2>/dev/null || true
+
+ local default_branch
+ default_branch="$(git symbolic-ref refs/remotes/${remote_name}/HEAD 2>/dev/null | sed "s|refs/remotes/${remote_name}/||")" || true
+ [[ -z "$default_branch" ]] && default_branch="$(git config init.defaultBranch 2>/dev/null || echo "main")"
+
+ local current_branch
+ current_branch="$(git symbolic-ref --short HEAD 2>/dev/null || echo "detached")"
+
+ local toplevel
+ toplevel="$(git rev-parse --show-toplevel 2>/dev/null || echo "")"
+ local repo_name
+ repo_name="$(basename "$toplevel" 2>/dev/null || echo "unknown")"
+
+ jq -n \
+ --arg name "${GM_REMOTE_REPO:-$repo_name}" \
+ --arg owner "${GM_REMOTE_OWNER:-}" \
+ --arg default_branch "$default_branch" \
+ --arg current_branch "$current_branch" \
+ --arg remote_url "$remote_url" \
+ --arg provider "generic" \
+ '{
+ name: $name,
+ owner: $owner,
+ defaultBranch: $default_branch,
+ currentBranch: $current_branch,
+ remoteUrl: $remote_url,
+ provider: $provider,
+ note: "Limited to local operations only. Configure a hosting provider for full functionality."
+ }'
+}
+
+_GM_PROVIDER_GENERIC_LOADED=1
diff --git a/plugins/git-master/scripts/lib/provider-gitea.sh b/plugins/git-master/scripts/lib/provider-gitea.sh
new file mode 100755
index 0000000..5ef58ee
--- /dev/null
+++ b/plugins/git-master/scripts/lib/provider-gitea.sh
@@ -0,0 +1,489 @@
+#!/usr/bin/env bash
+# provider-gitea.sh — Gitea/Forgejo/Codeberg provider implementation.
+# Primary: tea CLI. Fallback: Gitea API v1 via curl.
+# Meant to be sourced, not executed directly.
+
+# Guard against double-sourcing.
+[[ -n "${_GM_PROVIDER_GITEA_LOADED:-}" ]] && return 0
+
+# ---------------------------------------------------------------------------
+# Helpers
+# ---------------------------------------------------------------------------
+
+_gitea_check_cli() {
+ if ! command -v tea &>/dev/null; then
+ return 1
+ fi
+ return 0
+}
+
+# Determine the Gitea instance host.
+_gitea_host() {
+ local host
+ host="$(gm_config_get 'provider.host' 2>/dev/null || echo "")"
+ if [[ -n "$host" && "$host" != *"="* ]]; then
+ printf '%s' "$host"
+ return
+ fi
+ local remote_name
+ remote_name="$(gm_config_get 'workflow.default_remote' 2>/dev/null || echo "origin")"
+ [[ -z "$remote_name" ]] && remote_name="origin"
+ local url
+ url="$(git remote get-url "$remote_name" 2>/dev/null || true)"
+ _gm_extract_host "$url"
+}
+
+# Get an auth token for curl fallback.
+_gitea_token() {
+ local token_env
+ token_env="$(gm_config_get 'provider.token_env' 2>/dev/null || echo "")"
+ if [[ -n "$token_env" ]]; then
+ printf '%s' "${!token_env:-}"
+ return
+ fi
+ printf '%s' "${GITEA_TOKEN:-${TEA_TOKEN:-}}"
+}
+
+# Authenticated curl wrapper for the Gitea REST API v1.
+_gitea_curl() {
+ local method="$1" endpoint="$2"
+ shift 2
+ local token
+ token="$(_gitea_token)"
+ if [[ -z "$token" ]]; then
+ echo '{"error":"no Gitea token available for API fallback"}' >&2
+ return 3
+ fi
+ local host
+ host="$(_gitea_host)"
+ if [[ -z "$host" ]]; then
+ echo '{"error":"cannot determine Gitea host"}' >&2
+ return 1
+ fi
+ local url="https://${host}/api/v1${endpoint}"
+ curl -sf -X "$method" \
+ -H "Authorization: token $token" \
+ -H "Content-Type: application/json" \
+ -H "Accept: application/json" \
+ "$@" "$url"
+}
+
+# Get owner/repo for API paths.
+_gitea_owner_repo() {
+ gm_parse_remote_url
+ printf '%s/%s' "$GM_REMOTE_OWNER" "$GM_REMOTE_REPO"
+}
+
+# ---------------------------------------------------------------------------
+# PR (Pull Request) operations
+# ---------------------------------------------------------------------------
+
+_gitea_pr_create() {
+ local title="" body="" draft="" base=""
+ local -a labels=() extra_args=()
+
+ while [[ $# -gt 0 ]]; do
+ case "$1" in
+ --title) title="$2"; shift 2 ;;
+ --body) body="$2"; shift 2 ;;
+ --draft) draft="true"; shift ;;
+ --base) base="$2"; shift 2 ;;
+ --label) labels+=("$2"); shift 2 ;;
+ --reviewer) shift 2 ;; # Reviewers not directly supported in tea.
+ *) extra_args+=("$1"); shift ;;
+ esac
+ done
+
+ local source_branch
+ source_branch="$(git symbolic-ref --short HEAD 2>/dev/null)"
+
+ if _gitea_check_cli; then
+ local -a cmd=(tea pr create --title "$title" --description "$body")
+ [[ -n "$base" ]] && cmd+=(--base "$base")
+ [[ "$draft" == "true" ]] && cmd+=(--draft)
+ cmd+=("${extra_args[@]}")
+
+ local output
+ output=$("${cmd[@]}" 2>&1) || {
+ echo "{\"error\":$(printf '%s' "$output" | jq -Rs .)}" >&2
+ return 1
+ }
+ jq -n --arg url "$output" '{"url": $url}'
+ return 0
+ fi
+
+ # API fallback.
+ local owner_repo
+ owner_repo="$(_gitea_owner_repo)"
+
+ [[ -z "$base" ]] && base="$(git symbolic-ref refs/remotes/origin/HEAD 2>/dev/null | sed 's|refs/remotes/origin/||' || echo "main")"
+
+ local payload
+ payload=$(jq -n \
+ --arg title "$title" \
+ --arg body "$body" \
+ --arg head "$source_branch" \
+ --arg base "$base" \
+ '{title: $title, body: $body, head: $head, base: $base}')
+
+ _gitea_curl POST "/repos/${owner_repo}/pulls" -d "$payload"
+}
+
+_gitea_pr_list() {
+ local state="open" limit="30"
+
+ while [[ $# -gt 0 ]]; do
+ case "$1" in
+ --state) state="$2"; shift 2 ;;
+ --limit) limit="$2"; shift 2 ;;
+ *) shift ;;
+ esac
+ done
+
+ if _gitea_check_cli; then
+ local output
+ output=$(tea pr list --state "$state" --limit "$limit" --output simple 2>&1) || {
+ echo "{\"error\":$(printf '%s' "$output" | jq -Rs .)}" >&2
+ return 1
+ }
+ jq -n --arg raw "$output" '{"raw": $raw}'
+ return 0
+ fi
+
+ local owner_repo
+ owner_repo="$(_gitea_owner_repo)"
+ _gitea_curl GET "/repos/${owner_repo}/pulls?state=${state}&limit=${limit}"
+}
+
+_gitea_pr_view() {
+ local pr_id="${1:-}"
+ if [[ -z "$pr_id" ]]; then
+ echo '{"error":"pr-view requires a PR number"}' >&2
+ return 1
+ fi
+
+ if _gitea_check_cli; then
+ local output
+ output=$(tea pr view "$pr_id" --output simple 2>&1) || {
+ echo "{\"error\":$(printf '%s' "$output" | jq -Rs .)}" >&2
+ return 1
+ }
+ jq -n --arg raw "$output" '{"raw": $raw}'
+ return 0
+ fi
+
+ local owner_repo
+ owner_repo="$(_gitea_owner_repo)"
+ _gitea_curl GET "/repos/${owner_repo}/pulls/${pr_id}"
+}
+
+_gitea_pr_diff() {
+ local pr_id="${1:-}"
+ if [[ -z "$pr_id" ]]; then
+ echo '{"error":"pr-diff requires a PR number"}' >&2
+ return 1
+ fi
+
+ # tea does not have a diff command; use API.
+ local owner_repo
+ owner_repo="$(_gitea_owner_repo)"
+ local token
+ token="$(_gitea_token)"
+ local host
+ host="$(_gitea_host)"
+
+ if [[ -n "$token" && -n "$host" ]]; then
+ local diff_output
+ diff_output=$(curl -sf \
+ -H "Authorization: token $token" \
+ -H "Accept: text/plain" \
+ "https://${host}/api/v1/repos/${owner_repo}/pulls/${pr_id}.diff" 2>&1) || {
+ echo "{\"error\":\"failed to fetch diff\"}" >&2
+ return 1
+ }
+ jq -n --arg diff "$diff_output" '{"diff": $diff}'
+ return 0
+ fi
+
+ echo '{"error":"pr-diff requires a Gitea token for API access"}' >&2
+ return 3
+}
+
+_gitea_pr_merge() {
+ local pr_id="${1:-}"
+ if [[ -z "$pr_id" ]]; then
+ echo '{"error":"pr-merge requires a PR number"}' >&2
+ return 1
+ fi
+ shift
+
+ local strategy="squash"
+ while [[ $# -gt 0 ]]; do
+ case "$1" in
+ --squash) strategy="squash"; shift ;;
+ --merge) strategy="merge"; shift ;;
+ --rebase) strategy="rebase"; shift ;;
+ *) shift ;;
+ esac
+ done
+
+ if _gitea_check_cli; then
+ local output
+ output=$(tea pr merge "$pr_id" --style "$strategy" 2>&1) || {
+ echo "{\"error\":$(printf '%s' "$output" | jq -Rs .)}" >&2
+ return 1
+ }
+ jq -n --arg message "$output" '{"merged": true, "message": $message}'
+ return 0
+ fi
+
+ local owner_repo
+ owner_repo="$(_gitea_owner_repo)"
+ local payload
+ payload=$(jq -n --arg method "$strategy" '{"Do": $method}')
+ _gitea_curl POST "/repos/${owner_repo}/pulls/${pr_id}/merge" -d "$payload"
+}
+
+_gitea_pr_close() {
+ local pr_id="${1:-}"
+ if [[ -z "$pr_id" ]]; then
+ echo '{"error":"pr-close requires a PR number"}' >&2
+ return 1
+ fi
+
+ if _gitea_check_cli; then
+ local output
+ output=$(tea pr close "$pr_id" 2>&1) || {
+ echo "{\"error\":$(printf '%s' "$output" | jq -Rs .)}" >&2
+ return 1
+ }
+ jq -n --arg message "$output" '{"closed": true, "message": $message}'
+ return 0
+ fi
+
+ local owner_repo
+ owner_repo="$(_gitea_owner_repo)"
+ _gitea_curl PATCH "/repos/${owner_repo}/pulls/${pr_id}" -d '{"state":"closed"}'
+}
+
+_gitea_pr_comment() {
+ local pr_id="" body=""
+
+ while [[ $# -gt 0 ]]; do
+ case "$1" in
+ --body) body="$2"; shift 2 ;;
+ *) [[ -z "$pr_id" ]] && pr_id="$1"; shift ;;
+ esac
+ done
+
+ if [[ -z "$pr_id" || -z "$body" ]]; then
+ echo '{"error":"pr-comment requires a PR number and --body"}' >&2
+ return 1
+ fi
+
+ local owner_repo
+ owner_repo="$(_gitea_owner_repo)"
+ local payload
+ payload=$(jq -n --arg body "$body" '{body: $body}')
+ _gitea_curl POST "/repos/${owner_repo}/issues/${pr_id}/comments" -d "$payload"
+}
+
+_gitea_pr_review() {
+ # Gitea API supports reviews but tea CLI does not directly.
+ local pr_id="" body="" action=""
+
+ while [[ $# -gt 0 ]]; do
+ case "$1" in
+ --body) body="$2"; shift 2 ;;
+ --approve) action="APPROVED"; shift ;;
+ --request-changes) action="REQUEST_CHANGES"; shift ;;
+ --comment) action="COMMENT"; shift ;;
+ *) [[ -z "$pr_id" ]] && pr_id="$1"; shift ;;
+ esac
+ done
+
+ if [[ -z "$pr_id" ]]; then
+ echo '{"error":"pr-review requires a PR number"}' >&2
+ return 1
+ fi
+
+ [[ -z "$action" ]] && action="COMMENT"
+
+ local owner_repo
+ owner_repo="$(_gitea_owner_repo)"
+ local payload
+ payload=$(jq -n --arg body "${body:-}" --arg event "$action" \
+ '{body: $body, event: $event}')
+ _gitea_curl POST "/repos/${owner_repo}/pulls/${pr_id}/reviews" -d "$payload"
+}
+
+_gitea_pr_checks() {
+ # Gitea does not have built-in CI. Check commit status API.
+ local pr_id="${1:-}"
+ if [[ -z "$pr_id" ]]; then
+ echo '{"error":"pr-checks requires a PR number"}' >&2
+ return 1
+ fi
+
+ local owner_repo
+ owner_repo="$(_gitea_owner_repo)"
+
+ # Get the PR to find the head SHA.
+ local pr_data
+ pr_data=$(_gitea_curl GET "/repos/${owner_repo}/pulls/${pr_id}" 2>/dev/null) || {
+ echo '{"error":"failed to fetch PR details"}' >&2
+ return 1
+ }
+
+ local sha
+ sha=$(printf '%s' "$pr_data" | jq -r '.head.sha // empty')
+ if [[ -z "$sha" ]]; then
+ echo '{"checks": [], "note": "no commit status available"}'
+ return 0
+ fi
+
+ _gitea_curl GET "/repos/${owner_repo}/statuses/${sha}"
+}
+
+_gitea_pr_labels() {
+ local pr_id="" action=""
+ local -a labels=()
+
+ while [[ $# -gt 0 ]]; do
+ case "$1" in
+ --add) action="add"; shift ;;
+ --remove) action="remove"; shift ;;
+ --label) labels+=("$2"); shift 2 ;;
+ *)
+ if [[ -z "$pr_id" ]]; then pr_id="$1"; else labels+=("$1"); fi
+ shift
+ ;;
+ esac
+ done
+
+ if [[ -z "$pr_id" ]]; then
+ echo '{"error":"pr-labels requires a PR number"}' >&2
+ return 1
+ fi
+
+ local owner_repo
+ owner_repo="$(_gitea_owner_repo)"
+
+ case "$action" in
+ add)
+ # Gitea uses label IDs, not names. Look up IDs first.
+ local label_ids="[]"
+ local label
+ for label in "${labels[@]}"; do
+ local lid
+ lid=$(_gitea_curl GET "/repos/${owner_repo}/labels?name=${label}" 2>/dev/null \
+ | jq -r '.[0].id // empty')
+ if [[ -n "$lid" ]]; then
+ label_ids=$(printf '%s' "$label_ids" | jq --argjson id "$lid" '. + [$id]')
+ fi
+ done
+ _gitea_curl POST "/repos/${owner_repo}/issues/${pr_id}/labels" \
+ -d "{\"labels\": $label_ids}"
+ ;;
+ remove)
+ local label
+ for label in "${labels[@]}"; do
+ local lid
+ lid=$(_gitea_curl GET "/repos/${owner_repo}/labels?name=${label}" 2>/dev/null \
+ | jq -r '.[0].id // empty')
+ if [[ -n "$lid" ]]; then
+ _gitea_curl DELETE "/repos/${owner_repo}/issues/${pr_id}/labels/${lid}" || true
+ fi
+ done
+ jq -n '{"removed": true}'
+ ;;
+ *)
+ _gitea_curl GET "/repos/${owner_repo}/issues/${pr_id}/labels"
+ ;;
+ esac
+}
+
+_gitea_pr_reviewers() {
+ local pr_id=""
+ local -a reviewers=()
+
+ while [[ $# -gt 0 ]]; do
+ case "$1" in
+ --reviewer) reviewers+=("$2"); shift 2 ;;
+ *)
+ if [[ -z "$pr_id" ]]; then pr_id="$1"; else reviewers+=("$1"); fi
+ shift
+ ;;
+ esac
+ done
+
+ if [[ -z "$pr_id" ]]; then
+ echo '{"error":"pr-reviewers requires a PR number"}' >&2
+ return 1
+ fi
+
+ local owner_repo
+ owner_repo="$(_gitea_owner_repo)"
+
+ if [[ ${#reviewers[@]} -eq 0 ]]; then
+ _gitea_curl GET "/repos/${owner_repo}/pulls/${pr_id}/reviews"
+ return $?
+ fi
+
+ local payload
+ payload=$(jq -n --argjson reviewers "$(printf '%s\n' "${reviewers[@]}" | jq -R . | jq -s .)" \
+ '{reviewers: $reviewers}')
+ _gitea_curl POST "/repos/${owner_repo}/pulls/${pr_id}/requested_reviewers" -d "$payload"
+}
+
+# ---------------------------------------------------------------------------
+# CI operations
+# ---------------------------------------------------------------------------
+
+_gitea_ci_status() {
+ # Gitea does not have native CI; report commit statuses on the current branch.
+ local branch=""
+ while [[ $# -gt 0 ]]; do
+ case "$1" in
+ --branch) branch="$2"; shift 2 ;;
+ *) shift ;;
+ esac
+ done
+
+ [[ -z "$branch" ]] && branch="$(git symbolic-ref --short HEAD 2>/dev/null || echo "")"
+
+ local owner_repo
+ owner_repo="$(_gitea_owner_repo)"
+
+ # Get the latest commit on the branch.
+ local sha
+ sha=$(git rev-parse "origin/${branch}" 2>/dev/null || git rev-parse HEAD 2>/dev/null || echo "")
+ if [[ -z "$sha" ]]; then
+ echo '{"error":"cannot determine HEAD commit"}' >&2
+ return 1
+ fi
+
+ _gitea_curl GET "/repos/${owner_repo}/statuses/${sha}"
+}
+
+_gitea_ci_logs() {
+ echo '{"error":"ci-logs not supported for Gitea (no built-in CI)"}' >&2
+ return 2
+}
+
+_gitea_ci_retry() {
+ echo '{"error":"ci-retry not supported for Gitea (no built-in CI)"}' >&2
+ return 2
+}
+
+# ---------------------------------------------------------------------------
+# Repo operations
+# ---------------------------------------------------------------------------
+
+_gitea_repo_info() {
+ local owner_repo
+ owner_repo="$(_gitea_owner_repo)"
+ _gitea_curl GET "/repos/${owner_repo}"
+}
+
+_GM_PROVIDER_GITEA_LOADED=1
diff --git a/plugins/git-master/scripts/lib/provider-github.sh b/plugins/git-master/scripts/lib/provider-github.sh
new file mode 100755
index 0000000..10d976a
--- /dev/null
+++ b/plugins/git-master/scripts/lib/provider-github.sh
@@ -0,0 +1,536 @@
+#!/usr/bin/env bash
+# provider-github.sh — GitHub provider implementation.
+# Primary: gh CLI. Fallback: GitHub REST API via curl.
+# Meant to be sourced, not executed directly.
+
+# Guard against double-sourcing.
+[[ -n "${_GM_PROVIDER_GITHUB_LOADED:-}" ]] && return 0
+
+# ---------------------------------------------------------------------------
+# Helpers
+# ---------------------------------------------------------------------------
+
+# Check that gh is authenticated. Returns 0 if OK, 3 if auth needed.
+_github_check_auth() {
+ if ! command -v gh &>/dev/null; then
+ echo '{"error":"gh CLI not found"}' >&2
+ return 1
+ fi
+ if ! gh auth status &>/dev/null; then
+ echo '{"error":"gh CLI not authenticated. Run: gh auth login"}' >&2
+ return 3
+ fi
+ return 0
+}
+
+# Build the GitHub API base URL for curl fallback.
+# Uses GITHUB_API_URL if set, otherwise https://api.github.com.
+_github_api_url() {
+ printf '%s' "${GITHUB_API_URL:-https://api.github.com}"
+}
+
+# Get an auth token for curl fallback.
+_github_token() {
+ local token_env
+ token_env="$(gm_config_get 'provider.token_env' 2>/dev/null || echo "")"
+ if [[ -n "$token_env" ]]; then
+ printf '%s' "${!token_env:-}"
+ return
+ fi
+ # Try gh as token source.
+ if command -v gh &>/dev/null; then
+ gh auth token 2>/dev/null || true
+ return
+ fi
+ # Common environment variables.
+ printf '%s' "${GITHUB_TOKEN:-${GH_TOKEN:-}}"
+}
+
+# Authenticated curl wrapper for the GitHub REST API.
+_github_curl() {
+ local method="$1" endpoint="$2"
+ shift 2
+ local token
+ token="$(_github_token)"
+ if [[ -z "$token" ]]; then
+ echo '{"error":"no GitHub token available for API fallback"}' >&2
+ return 3
+ fi
+ local url
+ url="$(_github_api_url)${endpoint}"
+ curl -sf -X "$method" \
+ -H "Authorization: token $token" \
+ -H "Accept: application/vnd.github+json" \
+ -H "X-GitHub-Api-Version: 2022-11-28" \
+ "$@" "$url"
+}
+
+# ---------------------------------------------------------------------------
+# PR operations
+# ---------------------------------------------------------------------------
+
+_github_pr_create() {
+ _github_check_auth || return $?
+
+ local title="" body="" draft="" base=""
+ local -a labels=() reviewers=() extra_args=()
+
+ while [[ $# -gt 0 ]]; do
+ case "$1" in
+ --title) title="$2"; shift 2 ;;
+ --body) body="$2"; shift 2 ;;
+ --draft) draft="true"; shift ;;
+ --base) base="$2"; shift 2 ;;
+ --label) labels+=("$2"); shift 2 ;;
+ --reviewer) reviewers+=("$2"); shift 2 ;;
+ *) extra_args+=("$1"); shift ;;
+ esac
+ done
+
+ local -a cmd=(gh pr create)
+ [[ -n "$title" ]] && cmd+=(--title "$title")
+ [[ -n "$body" ]] && cmd+=(--body "$body")
+ [[ -n "$base" ]] && cmd+=(--base "$base")
+ [[ "$draft" == "true" ]] && cmd+=(--draft)
+
+ local label
+ for label in "${labels[@]}"; do
+ cmd+=(--label "$label")
+ done
+
+ local reviewer
+ for reviewer in "${reviewers[@]}"; do
+ cmd+=(--reviewer "$reviewer")
+ done
+
+ cmd+=("${extra_args[@]}")
+
+ local output
+ output=$("${cmd[@]}" 2>&1) || {
+ echo "{\"error\":$(printf '%s' "$output" | jq -Rs .)}" >&2
+ return 1
+ }
+
+ # gh pr create prints the URL on success. Wrap in JSON.
+ jq -n --arg url "$output" '{"url": $url}'
+}
+
+_github_pr_list() {
+ _github_check_auth || return $?
+
+ local -a extra_args=()
+ local state="open" limit="30"
+
+ while [[ $# -gt 0 ]]; do
+ case "$1" in
+ --state) state="$2"; shift 2 ;;
+ --limit) limit="$2"; shift 2 ;;
+ *) extra_args+=("$1"); shift ;;
+ esac
+ done
+
+ gh pr list --state "$state" --limit "$limit" \
+ --json number,title,state,author,url,headRefName,baseRefName,createdAt \
+ "${extra_args[@]}"
+}
+
+_github_pr_view() {
+ _github_check_auth || return $?
+
+ local pr_id="${1:-}"
+ if [[ -z "$pr_id" ]]; then
+ echo '{"error":"pr-view requires a PR number or branch"}' >&2
+ return 1
+ fi
+ shift
+
+ gh pr view "$pr_id" \
+ --json number,title,body,state,author,url,labels,reviewRequests,mergeable,headRefName,baseRefName,additions,deletions,changedFiles \
+ "$@"
+}
+
+_github_pr_diff() {
+ _github_check_auth || return $?
+
+ local pr_id="${1:-}"
+ if [[ -z "$pr_id" ]]; then
+ echo '{"error":"pr-diff requires a PR number or branch"}' >&2
+ return 1
+ fi
+ shift
+
+ local diff_output
+ diff_output=$(gh pr diff "$pr_id" "$@" 2>&1) || {
+ echo "{\"error\":$(printf '%s' "$diff_output" | jq -Rs .)}" >&2
+ return 1
+ }
+
+ # Wrap raw diff in JSON for consistent output.
+ jq -n --arg diff "$diff_output" '{"diff": $diff}'
+}
+
+_github_pr_merge() {
+ _github_check_auth || return $?
+
+ local pr_id="${1:-}"
+ if [[ -z "$pr_id" ]]; then
+ echo '{"error":"pr-merge requires a PR number"}' >&2
+ return 1
+ fi
+ shift
+
+ local strategy="" delete_branch=""
+ local -a extra_args=()
+
+ while [[ $# -gt 0 ]]; do
+ case "$1" in
+ --squash) strategy="--squash"; shift ;;
+ --merge) strategy="--merge"; shift ;;
+ --rebase) strategy="--rebase"; shift ;;
+ --delete-branch) delete_branch="--delete-branch"; shift ;;
+ *) extra_args+=("$1"); shift ;;
+ esac
+ done
+
+ # Default strategy from config.
+ if [[ -z "$strategy" ]]; then
+ local cfg_strategy
+ cfg_strategy="$(gm_config_get 'pr.merge_strategy' 2>/dev/null || echo "squash")"
+ case "$cfg_strategy" in
+ squash) strategy="--squash" ;;
+ rebase) strategy="--rebase" ;;
+ merge) strategy="--merge" ;;
+ *) strategy="--squash" ;;
+ esac
+ fi
+
+ # Default delete-branch from config.
+ if [[ -z "$delete_branch" ]]; then
+ local cfg_delete
+ cfg_delete="$(gm_config_get 'pr.delete_branch_on_merge' 2>/dev/null || echo "true")"
+ [[ "$cfg_delete" == "true" ]] && delete_branch="--delete-branch"
+ fi
+
+ local -a cmd=(gh pr merge "$pr_id" "$strategy")
+ [[ -n "$delete_branch" ]] && cmd+=("$delete_branch")
+ cmd+=("${extra_args[@]}")
+
+ local output
+ output=$("${cmd[@]}" 2>&1) || {
+ echo "{\"error\":$(printf '%s' "$output" | jq -Rs .)}" >&2
+ return 1
+ }
+
+ jq -n --arg message "$output" '{"merged": true, "message": $message}'
+}
+
+_github_pr_close() {
+ _github_check_auth || return $?
+
+ local pr_id="${1:-}"
+ if [[ -z "$pr_id" ]]; then
+ echo '{"error":"pr-close requires a PR number"}' >&2
+ return 1
+ fi
+ shift
+
+ local output
+ output=$(gh pr close "$pr_id" "$@" 2>&1) || {
+ echo "{\"error\":$(printf '%s' "$output" | jq -Rs .)}" >&2
+ return 1
+ }
+
+ jq -n --arg message "$output" '{"closed": true, "message": $message}'
+}
+
+_github_pr_comment() {
+ _github_check_auth || return $?
+
+ local pr_id="" body=""
+
+ while [[ $# -gt 0 ]]; do
+ case "$1" in
+ --body) body="$2"; shift 2 ;;
+ *)
+ if [[ -z "$pr_id" ]]; then
+ pr_id="$1"
+ fi
+ shift
+ ;;
+ esac
+ done
+
+ if [[ -z "$pr_id" ]]; then
+ echo '{"error":"pr-comment requires a PR number"}' >&2
+ return 1
+ fi
+ if [[ -z "$body" ]]; then
+ echo '{"error":"pr-comment requires --body"}' >&2
+ return 1
+ fi
+
+ local output
+ output=$(gh pr comment "$pr_id" --body "$body" 2>&1) || {
+ echo "{\"error\":$(printf '%s' "$output" | jq -Rs .)}" >&2
+ return 1
+ }
+
+ jq -n --arg url "$output" '{"commented": true, "url": $url}'
+}
+
+_github_pr_review() {
+ _github_check_auth || return $?
+
+ local pr_id="" body="" action=""
+
+ while [[ $# -gt 0 ]]; do
+ case "$1" in
+ --body) body="$2"; shift 2 ;;
+ --approve) action="--approve"; shift ;;
+ --request-changes) action="--request-changes"; shift ;;
+ --comment) action="--comment"; shift ;;
+ *)
+ if [[ -z "$pr_id" ]]; then
+ pr_id="$1"
+ fi
+ shift
+ ;;
+ esac
+ done
+
+ if [[ -z "$pr_id" ]]; then
+ echo '{"error":"pr-review requires a PR number"}' >&2
+ return 1
+ fi
+
+ local -a cmd=(gh pr review "$pr_id")
+ [[ -n "$action" ]] && cmd+=("$action")
+ [[ -n "$body" ]] && cmd+=(--body "$body")
+
+ local output
+ output=$("${cmd[@]}" 2>&1) || {
+ echo "{\"error\":$(printf '%s' "$output" | jq -Rs .)}" >&2
+ return 1
+ }
+
+ jq -n --arg message "$output" '{"reviewed": true, "message": $message}'
+}
+
+_github_pr_checks() {
+ _github_check_auth || return $?
+
+ local pr_id="${1:-}"
+ if [[ -z "$pr_id" ]]; then
+ echo '{"error":"pr-checks requires a PR number"}' >&2
+ return 1
+ fi
+ shift
+
+ # gh pr checks --json is available in recent gh versions.
+ # Fall back to tabular output parsed into JSON if --json is not supported.
+ local output
+ output=$(gh pr checks "$pr_id" --json name,state,conclusion,url 2>&1) && {
+ printf '%s' "$output"
+ return 0
+ }
+
+ # Fallback: parse tabular output.
+ local raw
+ raw=$(gh pr checks "$pr_id" 2>&1) || {
+ echo "{\"error\":$(printf '%s' "$raw" | jq -Rs .)}" >&2
+ return 1
+ }
+
+ printf '%s' "$raw" | awk -F'\t' '
+ BEGIN { printf "[" }
+ NR > 1 { printf "," }
+ {
+ gsub(/"/, "\\\"", $1);
+ gsub(/"/, "\\\"", $2);
+ gsub(/"/, "\\\"", $3);
+ printf "{\"name\":\"%s\",\"state\":\"%s\",\"url\":\"%s\"}", $1, $2, $3
+ }
+ END { printf "]" }
+ '
+}
+
+_github_pr_labels() {
+ _github_check_auth || return $?
+
+ local pr_id="" action=""
+ local -a labels=()
+
+ while [[ $# -gt 0 ]]; do
+ case "$1" in
+ --add) action="add"; shift ;;
+ --remove) action="remove"; shift ;;
+ --label) labels+=("$2"); shift 2 ;;
+ *)
+ if [[ -z "$pr_id" ]]; then
+ pr_id="$1"
+ else
+ labels+=("$1")
+ fi
+ shift
+ ;;
+ esac
+ done
+
+ if [[ -z "$pr_id" ]]; then
+ echo '{"error":"pr-labels requires a PR number"}' >&2
+ return 1
+ fi
+
+ local label_str
+ label_str="$(IFS=,; printf '%s' "${labels[*]}")"
+
+ local output
+ case "$action" in
+ add)
+ output=$(gh pr edit "$pr_id" --add-label "$label_str" 2>&1) || {
+ echo "{\"error\":$(printf '%s' "$output" | jq -Rs .)}" >&2
+ return 1
+ }
+ ;;
+ remove)
+ output=$(gh pr edit "$pr_id" --remove-label "$label_str" 2>&1) || {
+ echo "{\"error\":$(printf '%s' "$output" | jq -Rs .)}" >&2
+ return 1
+ }
+ ;;
+ *)
+ # No action: list current labels.
+ gh pr view "$pr_id" --json labels
+ return $?
+ ;;
+ esac
+
+ jq -n --arg action "$action" --arg labels "$label_str" \
+ '{"action": $action, "labels": ($labels | split(","))}'
+}
+
+_github_pr_reviewers() {
+ _github_check_auth || return $?
+
+ local pr_id=""
+ local -a reviewers=()
+
+ while [[ $# -gt 0 ]]; do
+ case "$1" in
+ --reviewer) reviewers+=("$2"); shift 2 ;;
+ *)
+ if [[ -z "$pr_id" ]]; then
+ pr_id="$1"
+ else
+ reviewers+=("$1")
+ fi
+ shift
+ ;;
+ esac
+ done
+
+ if [[ -z "$pr_id" ]]; then
+ echo '{"error":"pr-reviewers requires a PR number"}' >&2
+ return 1
+ fi
+
+ if [[ ${#reviewers[@]} -eq 0 ]]; then
+ # List current reviewers.
+ gh pr view "$pr_id" --json reviewRequests
+ return $?
+ fi
+
+ local reviewer_str
+ reviewer_str="$(IFS=,; printf '%s' "${reviewers[*]}")"
+
+ local output
+ output=$(gh pr edit "$pr_id" --add-reviewer "$reviewer_str" 2>&1) || {
+ echo "{\"error\":$(printf '%s' "$output" | jq -Rs .)}" >&2
+ return 1
+ }
+
+ jq -n --arg reviewers "$reviewer_str" \
+ '{"added_reviewers": ($reviewers | split(","))}'
+}
+
+# ---------------------------------------------------------------------------
+# CI operations
+# ---------------------------------------------------------------------------
+
+_github_ci_status() {
+ _github_check_auth || return $?
+
+ local branch=""
+ local limit="5"
+
+ while [[ $# -gt 0 ]]; do
+ case "$1" in
+ --branch) branch="$2"; shift 2 ;;
+ --limit) limit="$2"; shift 2 ;;
+ *) shift ;;
+ esac
+ done
+
+ # Default to current branch.
+ if [[ -z "$branch" ]]; then
+ branch="$(git symbolic-ref --short HEAD 2>/dev/null || echo "")"
+ fi
+
+ local -a cmd=(gh run list --json "status,conclusion,name,url,event,headBranch,createdAt" --limit "$limit")
+ [[ -n "$branch" ]] && cmd+=(--branch "$branch")
+
+ "${cmd[@]}"
+}
+
+_github_ci_logs() {
+ _github_check_auth || return $?
+
+ local run_id="${1:-}"
+ if [[ -z "$run_id" ]]; then
+ echo '{"error":"ci-logs requires a run ID"}' >&2
+ return 1
+ fi
+ shift
+
+ local output
+ output=$(gh run view "$run_id" --log-failed 2>&1) || {
+ # If --log-failed yields nothing, try full log.
+ output=$(gh run view "$run_id" --log 2>&1) || {
+ echo "{\"error\":$(printf '%s' "$output" | jq -Rs .)}" >&2
+ return 1
+ }
+ }
+
+ jq -n --arg logs "$output" '{"run_id": "'"$run_id"'", "logs": $logs}'
+}
+
+_github_ci_retry() {
+ _github_check_auth || return $?
+
+ local run_id="${1:-}"
+ if [[ -z "$run_id" ]]; then
+ echo '{"error":"ci-retry requires a run ID"}' >&2
+ return 1
+ fi
+ shift
+
+ local output
+ output=$(gh run rerun "$run_id" --failed 2>&1) || {
+ echo "{\"error\":$(printf '%s' "$output" | jq -Rs .)}" >&2
+ return 1
+ }
+
+ jq -n --arg message "$output" '{"rerun": true, "message": $message}'
+}
+
+# ---------------------------------------------------------------------------
+# Repo operations
+# ---------------------------------------------------------------------------
+
+_github_repo_info() {
+ _github_check_auth || return $?
+
+ gh repo view --json name,owner,defaultBranchRef,description,url,isPrivate "$@"
+}
+
+_GM_PROVIDER_GITHUB_LOADED=1
diff --git a/plugins/git-master/scripts/lib/provider-gitlab.sh b/plugins/git-master/scripts/lib/provider-gitlab.sh
new file mode 100755
index 0000000..a6cbb57
--- /dev/null
+++ b/plugins/git-master/scripts/lib/provider-gitlab.sh
@@ -0,0 +1,658 @@
+#!/usr/bin/env bash
+# provider-gitlab.sh — GitLab provider implementation.
+# Primary: glab CLI. Fallback: GitLab API v4 via curl.
+# Meant to be sourced, not executed directly.
+
+# Guard against double-sourcing.
+[[ -n "${_GM_PROVIDER_GITLAB_LOADED:-}" ]] && return 0
+
+# ---------------------------------------------------------------------------
+# Helpers
+# ---------------------------------------------------------------------------
+
+# Check that glab is available and authenticated.
+_gitlab_check_auth() {
+ if ! command -v glab &>/dev/null; then
+ echo '{"error":"glab CLI not found"}' >&2
+ return 1
+ fi
+ if ! glab auth status &>/dev/null 2>&1; then
+ echo '{"error":"glab CLI not authenticated. Run: glab auth login"}' >&2
+ return 3
+ fi
+ return 0
+}
+
+# Determine the GitLab host (for API fallback).
+_gitlab_host() {
+ local host
+ host="$(gm_config_get 'provider.host' 2>/dev/null || echo "")"
+ if [[ -n "$host" && "$host" != *"="* ]]; then
+ printf '%s' "$host"
+ return
+ fi
+ # Parse from remote URL.
+ local remote_name
+ remote_name="$(gm_config_get 'workflow.default_remote' 2>/dev/null || echo "origin")"
+ [[ -z "$remote_name" ]] && remote_name="origin"
+ local url
+ url="$(git remote get-url "$remote_name" 2>/dev/null || true)"
+ _gm_extract_host "$url"
+}
+
+# URL-encoded project path for API calls: group/subgroup/repo -> group%2Fsubgroup%2Frepo
+_gitlab_project_path() {
+ gm_parse_remote_url
+ local full_path="${GM_REMOTE_OWNER}/${GM_REMOTE_REPO}"
+ printf '%s' "$full_path" | jq -sRr @uri
+}
+
+# Get an auth token for curl fallback.
+_gitlab_token() {
+ local token_env
+ token_env="$(gm_config_get 'provider.token_env' 2>/dev/null || echo "")"
+ if [[ -n "$token_env" ]]; then
+ printf '%s' "${!token_env:-}"
+ return
+ fi
+ printf '%s' "${GITLAB_TOKEN:-${GITLAB_PRIVATE_TOKEN:-}}"
+}
+
+# Authenticated curl wrapper for the GitLab REST API.
+_gitlab_curl() {
+ local method="$1" endpoint="$2"
+ shift 2
+ local token
+ token="$(_gitlab_token)"
+ if [[ -z "$token" ]]; then
+ echo '{"error":"no GitLab token available for API fallback"}' >&2
+ return 3
+ fi
+ local host
+ host="$(_gitlab_host)"
+ [[ -z "$host" ]] && host="gitlab.com"
+ local url="https://${host}/api/v4${endpoint}"
+ curl -sf -X "$method" \
+ -H "PRIVATE-TOKEN: $token" \
+ -H "Content-Type: application/json" \
+ "$@" "$url"
+}
+
+# ---------------------------------------------------------------------------
+# PR (Merge Request) operations
+# ---------------------------------------------------------------------------
+
+_gitlab_pr_create() {
+ _gitlab_check_auth || {
+ # Fallback to API.
+ _gitlab_api_mr_create "$@"
+ return $?
+ }
+
+ local title="" body="" draft="" target=""
+ local -a labels=() reviewers=() extra_args=()
+
+ while [[ $# -gt 0 ]]; do
+ case "$1" in
+ --title) title="$2"; shift 2 ;;
+ --body) body="$2"; shift 2 ;;
+ --draft) draft="true"; shift ;;
+ --base) target="$2"; shift 2 ;;
+ --label) labels+=("$2"); shift 2 ;;
+ --reviewer) reviewers+=("$2"); shift 2 ;;
+ *) extra_args+=("$1"); shift ;;
+ esac
+ done
+
+ local -a cmd=(glab mr create --fill)
+ [[ -n "$title" ]] && cmd+=(--title "$title")
+ [[ -n "$body" ]] && cmd+=(--description "$body")
+ [[ -n "$target" ]] && cmd+=(--target-branch "$target")
+ [[ "$draft" == "true" ]] && cmd+=(--draft)
+
+ local label
+ for label in "${labels[@]}"; do
+ cmd+=(--label "$label")
+ done
+
+ local reviewer
+ for reviewer in "${reviewers[@]}"; do
+ cmd+=(--reviewer "$reviewer")
+ done
+
+ cmd+=("${extra_args[@]}")
+
+ local output
+ output=$("${cmd[@]}" 2>&1) || {
+ echo "{\"error\":$(printf '%s' "$output" | jq -Rs .)}" >&2
+ return 1
+ }
+
+ # glab mr create prints the MR URL on success.
+ jq -n --arg url "$output" '{"url": $url}'
+}
+
+_gitlab_api_mr_create() {
+ local title="" body="" target="" draft="false"
+
+ while [[ $# -gt 0 ]]; do
+ case "$1" in
+ --title) title="$2"; shift 2 ;;
+ --body) body="$2"; shift 2 ;;
+ --base) target="$2"; shift 2 ;;
+ --draft) draft="true"; shift ;;
+ *) shift ;;
+ esac
+ done
+
+ local source_branch
+ source_branch="$(git symbolic-ref --short HEAD 2>/dev/null)"
+
+ local project_path
+ project_path="$(_gitlab_project_path)"
+
+ local payload
+ payload=$(jq -n \
+ --arg title "$title" \
+ --arg desc "$body" \
+ --arg source "$source_branch" \
+ --arg target "$target" \
+ --argjson draft "$draft" \
+ '{title: $title, description: $desc, source_branch: $source, target_branch: $target, draft: $draft}')
+
+ _gitlab_curl POST "/projects/${project_path}/merge_requests" -d "$payload"
+}
+
+_gitlab_pr_list() {
+ _gitlab_check_auth || {
+ local project_path
+ project_path="$(_gitlab_project_path)"
+ _gitlab_curl GET "/projects/${project_path}/merge_requests?state=opened&per_page=30"
+ return $?
+ }
+
+ local state="opened" limit=""
+ local -a extra_args=()
+
+ while [[ $# -gt 0 ]]; do
+ case "$1" in
+ --state) state="$2"; shift 2 ;;
+ --limit) limit="$2"; shift 2 ;;
+ *) extra_args+=("$1"); shift ;;
+ esac
+ done
+
+ # Map generic state names to glab equivalents.
+ case "$state" in
+ open) state="opened" ;;
+ closed|merged) ;; # These are valid for glab.
+ esac
+
+ local -a glab_args=(glab mr list --state "$state")
+ [[ -n "$limit" ]] && glab_args+=(--per-page "$limit")
+ glab_args+=("${extra_args[@]}")
+
+ local output
+ output=$("${glab_args[@]}" 2>&1) || {
+ echo "{\"error\":$(printf '%s' "$output" | jq -Rs .)}" >&2
+ return 1
+ }
+
+ # glab mr list outputs a table. Convert to JSON.
+ _gitlab_table_to_json "$output"
+}
+
+_gitlab_pr_view() {
+ _gitlab_check_auth || {
+ local mr_id="${1:-}"
+ local project_path
+ project_path="$(_gitlab_project_path)"
+ _gitlab_curl GET "/projects/${project_path}/merge_requests/${mr_id}"
+ return $?
+ }
+
+ local mr_id="${1:-}"
+ if [[ -z "$mr_id" ]]; then
+ echo '{"error":"pr-view requires an MR number"}' >&2
+ return 1
+ fi
+ shift
+
+ local output
+ output=$(glab mr view "$mr_id" --output json 2>&1) && {
+ printf '%s' "$output"
+ return 0
+ }
+
+ # Fallback: parse non-JSON output.
+ output=$(glab mr view "$mr_id" 2>&1) || {
+ echo "{\"error\":$(printf '%s' "$output" | jq -Rs .)}" >&2
+ return 1
+ }
+
+ jq -n --arg raw "$output" '{"raw": $raw}'
+}
+
+_gitlab_pr_diff() {
+ _gitlab_check_auth || {
+ local mr_id="${1:-}"
+ local project_path
+ project_path="$(_gitlab_project_path)"
+ local diff_json
+ diff_json=$(_gitlab_curl GET "/projects/${project_path}/merge_requests/${mr_id}/changes")
+ printf '%s' "$diff_json"
+ return $?
+ }
+
+ local mr_id="${1:-}"
+ if [[ -z "$mr_id" ]]; then
+ echo '{"error":"pr-diff requires an MR number"}' >&2
+ return 1
+ fi
+ shift
+
+ local output
+ output=$(glab mr diff "$mr_id" "$@" 2>&1) || {
+ echo "{\"error\":$(printf '%s' "$output" | jq -Rs .)}" >&2
+ return 1
+ }
+
+ jq -n --arg diff "$output" '{"diff": $diff}'
+}
+
+_gitlab_pr_merge() {
+ _gitlab_check_auth || {
+ local mr_id="${1:-}"
+ local project_path
+ project_path="$(_gitlab_project_path)"
+ _gitlab_curl PUT "/projects/${project_path}/merge_requests/${mr_id}/merge"
+ return $?
+ }
+
+ local mr_id="${1:-}"
+ if [[ -z "$mr_id" ]]; then
+ echo '{"error":"pr-merge requires an MR number"}' >&2
+ return 1
+ fi
+ shift
+
+ local -a extra_args=()
+ while [[ $# -gt 0 ]]; do
+ case "$1" in
+ --squash|--merge|--rebase|--delete-branch)
+ extra_args+=("$1"); shift ;;
+ *) shift ;;
+ esac
+ done
+
+ local output
+ output=$(glab mr merge "$mr_id" "${extra_args[@]}" 2>&1) || {
+ echo "{\"error\":$(printf '%s' "$output" | jq -Rs .)}" >&2
+ return 1
+ }
+
+ jq -n --arg message "$output" '{"merged": true, "message": $message}'
+}
+
+_gitlab_pr_close() {
+ _gitlab_check_auth || {
+ local mr_id="${1:-}"
+ local project_path
+ project_path="$(_gitlab_project_path)"
+ _gitlab_curl PUT "/projects/${project_path}/merge_requests/${mr_id}" \
+ -d '{"state_event":"close"}'
+ return $?
+ }
+
+ local mr_id="${1:-}"
+ if [[ -z "$mr_id" ]]; then
+ echo '{"error":"pr-close requires an MR number"}' >&2
+ return 1
+ fi
+ shift
+
+ local output
+ output=$(glab mr close "$mr_id" 2>&1) || {
+ echo "{\"error\":$(printf '%s' "$output" | jq -Rs .)}" >&2
+ return 1
+ }
+
+ jq -n --arg message "$output" '{"closed": true, "message": $message}'
+}
+
+_gitlab_pr_comment() {
+ _gitlab_check_auth || {
+ local mr_id="" body=""
+ while [[ $# -gt 0 ]]; do
+ case "$1" in
+ --body) body="$2"; shift 2 ;;
+ *) [[ -z "$mr_id" ]] && mr_id="$1"; shift ;;
+ esac
+ done
+ local project_path
+ project_path="$(_gitlab_project_path)"
+ _gitlab_curl POST "/projects/${project_path}/merge_requests/${mr_id}/notes" \
+ -d "$(jq -n --arg body "$body" '{body: $body}')"
+ return $?
+ }
+
+ local mr_id="" body=""
+
+ while [[ $# -gt 0 ]]; do
+ case "$1" in
+ --body) body="$2"; shift 2 ;;
+ *) [[ -z "$mr_id" ]] && mr_id="$1"; shift ;;
+ esac
+ done
+
+ if [[ -z "$mr_id" ]]; then
+ echo '{"error":"pr-comment requires an MR number"}' >&2
+ return 1
+ fi
+
+ local output
+ output=$(glab mr note "$mr_id" --message "$body" 2>&1) || {
+ echo "{\"error\":$(printf '%s' "$output" | jq -Rs .)}" >&2
+ return 1
+ }
+
+ jq -n --arg message "$output" '{"commented": true, "message": $message}'
+}
+
+_gitlab_pr_review() {
+ _gitlab_check_auth || return $?
+
+ local mr_id="" body="" action=""
+
+ while [[ $# -gt 0 ]]; do
+ case "$1" in
+ --body) body="$2"; shift 2 ;;
+ --approve) action="approve"; shift ;;
+ --request-changes) action="unapprove"; shift ;;
+ --comment) action="comment"; shift ;;
+ *) [[ -z "$mr_id" ]] && mr_id="$1"; shift ;;
+ esac
+ done
+
+ if [[ -z "$mr_id" ]]; then
+ echo '{"error":"pr-review requires an MR number"}' >&2
+ return 1
+ fi
+
+ local output
+ case "$action" in
+ approve)
+ output=$(glab mr approve "$mr_id" 2>&1) || {
+ echo "{\"error\":$(printf '%s' "$output" | jq -Rs .)}" >&2
+ return 1
+ }
+ ;;
+ unapprove)
+ output=$(glab mr unapprove "$mr_id" 2>&1) || {
+ echo "{\"error\":$(printf '%s' "$output" | jq -Rs .)}" >&2
+ return 1
+ }
+ # Also leave a comment with the body if provided.
+ if [[ -n "$body" ]]; then
+ glab mr note "$mr_id" --message "$body" &>/dev/null || true
+ fi
+ ;;
+ comment|*)
+ if [[ -n "$body" ]]; then
+ output=$(glab mr note "$mr_id" --message "$body" 2>&1) || {
+ echo "{\"error\":$(printf '%s' "$output" | jq -Rs .)}" >&2
+ return 1
+ }
+ fi
+ ;;
+ esac
+
+ jq -n --arg action "${action:-comment}" --arg message "${output:-ok}" \
+ '{"reviewed": true, "action": $action, "message": $message}'
+}
+
+_gitlab_pr_checks() {
+ _gitlab_check_auth || {
+ local mr_id="${1:-}"
+ local project_path
+ project_path="$(_gitlab_project_path)"
+ # Use pipelines associated with the MR.
+ _gitlab_curl GET "/projects/${project_path}/merge_requests/${mr_id}/pipelines"
+ return $?
+ }
+
+ # glab ci status shows the pipeline status for the current branch.
+ local output
+ output=$(glab ci status 2>&1) || {
+ echo "{\"error\":$(printf '%s' "$output" | jq -Rs .)}" >&2
+ return 1
+ }
+
+ jq -n --arg raw "$output" '{"raw": $raw}'
+}
+
+_gitlab_pr_labels() {
+ _gitlab_check_auth || return $?
+
+ local mr_id="" action=""
+ local -a labels=()
+
+ while [[ $# -gt 0 ]]; do
+ case "$1" in
+ --add) action="add"; shift ;;
+ --remove) action="remove"; shift ;;
+ --label) labels+=("$2"); shift 2 ;;
+ *)
+ if [[ -z "$mr_id" ]]; then mr_id="$1"; else labels+=("$1"); fi
+ shift
+ ;;
+ esac
+ done
+
+ if [[ -z "$mr_id" ]]; then
+ echo '{"error":"pr-labels requires an MR number"}' >&2
+ return 1
+ fi
+
+ local label_str
+ label_str="$(IFS=,; printf '%s' "${labels[*]}")"
+
+ local output
+ case "$action" in
+ add)
+ output=$(glab mr update "$mr_id" --label "$label_str" 2>&1) || {
+ echo "{\"error\":$(printf '%s' "$output" | jq -Rs .)}" >&2
+ return 1
+ }
+ ;;
+ remove)
+ output=$(glab mr update "$mr_id" --unlabel "$label_str" 2>&1) || {
+ echo "{\"error\":$(printf '%s' "$output" | jq -Rs .)}" >&2
+ return 1
+ }
+ ;;
+ *)
+ glab mr view "$mr_id" --output json 2>/dev/null | jq '{labels: .labels}' 2>/dev/null || {
+ echo '{"labels": []}'
+ }
+ return 0
+ ;;
+ esac
+
+ jq -n --arg action "$action" --arg labels "$label_str" \
+ '{"action": $action, "labels": ($labels | split(","))}'
+}
+
+_gitlab_pr_reviewers() {
+ _gitlab_check_auth || return $?
+
+ local mr_id=""
+ local -a reviewers=()
+
+ while [[ $# -gt 0 ]]; do
+ case "$1" in
+ --reviewer) reviewers+=("$2"); shift 2 ;;
+ *)
+ if [[ -z "$mr_id" ]]; then mr_id="$1"; else reviewers+=("$1"); fi
+ shift
+ ;;
+ esac
+ done
+
+ if [[ -z "$mr_id" ]]; then
+ echo '{"error":"pr-reviewers requires an MR number"}' >&2
+ return 1
+ fi
+
+ if [[ ${#reviewers[@]} -eq 0 ]]; then
+ glab mr view "$mr_id" --output json 2>/dev/null | jq '{reviewers: .reviewers}' 2>/dev/null || {
+ echo '{"reviewers": []}'
+ }
+ return 0
+ fi
+
+ local reviewer_str
+ reviewer_str="$(IFS=,; printf '%s' "${reviewers[*]}")"
+
+ local output
+ output=$(glab mr update "$mr_id" --reviewer "$reviewer_str" 2>&1) || {
+ echo "{\"error\":$(printf '%s' "$output" | jq -Rs .)}" >&2
+ return 1
+ }
+
+ jq -n --arg reviewers "$reviewer_str" \
+ '{"added_reviewers": ($reviewers | split(","))}'
+}
+
+# ---------------------------------------------------------------------------
+# CI operations
+# ---------------------------------------------------------------------------
+
+_gitlab_ci_status() {
+ _gitlab_check_auth || {
+ local project_path
+ project_path="$(_gitlab_project_path)"
+ _gitlab_curl GET "/projects/${project_path}/pipelines?per_page=5&order_by=id&sort=desc"
+ return $?
+ }
+
+ local output
+ output=$(glab ci status --output json 2>&1) && {
+ printf '%s' "$output"
+ return 0
+ }
+
+ # Fallback: plain text.
+ output=$(glab ci status 2>&1) || {
+ echo "{\"error\":$(printf '%s' "$output" | jq -Rs .)}" >&2
+ return 1
+ }
+
+ jq -n --arg raw "$output" '{"raw": $raw}'
+}
+
+_gitlab_ci_logs() {
+ _gitlab_check_auth || return $?
+
+ local job_id="${1:-}"
+
+ local output
+ if [[ -n "$job_id" ]]; then
+ output=$(glab ci trace "$job_id" 2>&1) || {
+ echo "{\"error\":$(printf '%s' "$output" | jq -Rs .)}" >&2
+ return 1
+ }
+ else
+ output=$(glab ci trace 2>&1) || {
+ echo "{\"error\":$(printf '%s' "$output" | jq -Rs .)}" >&2
+ return 1
+ }
+ fi
+
+ jq -n --arg logs "$output" '{"logs": $logs}'
+}
+
+_gitlab_ci_retry() {
+ _gitlab_check_auth || {
+ local pipeline_id="${1:-}"
+ local project_path
+ project_path="$(_gitlab_project_path)"
+ _gitlab_curl POST "/projects/${project_path}/pipelines/${pipeline_id}/retry"
+ return $?
+ }
+
+ local pipeline_id="${1:-}"
+ if [[ -z "$pipeline_id" ]]; then
+ echo '{"error":"ci-retry requires a pipeline or job ID"}' >&2
+ return 1
+ fi
+
+ local output
+ output=$(glab ci retry "$pipeline_id" 2>&1) || {
+ echo "{\"error\":$(printf '%s' "$output" | jq -Rs .)}" >&2
+ return 1
+ }
+
+ jq -n --arg message "$output" '{"rerun": true, "message": $message}'
+}
+
+# ---------------------------------------------------------------------------
+# Repo operations
+# ---------------------------------------------------------------------------
+
+_gitlab_repo_info() {
+ _gitlab_check_auth || {
+ local project_path
+ project_path="$(_gitlab_project_path)"
+ _gitlab_curl GET "/projects/${project_path}"
+ return $?
+ }
+
+ local output
+ output=$(glab repo view --output json 2>&1) && {
+ printf '%s' "$output"
+ return 0
+ }
+
+ # Fallback: parse text output.
+ output=$(glab repo view 2>&1) || {
+ echo "{\"error\":$(printf '%s' "$output" | jq -Rs .)}" >&2
+ return 1
+ }
+
+ jq -n --arg raw "$output" '{"raw": $raw}'
+}
+
+# ---------------------------------------------------------------------------
+# Internal helpers
+# ---------------------------------------------------------------------------
+
+# Best-effort conversion of glab tabular output to JSON array.
+_gitlab_table_to_json() {
+ local raw="$1"
+ # Try to parse as tab-separated with header.
+ printf '%s' "$raw" | awk '
+ BEGIN { FS="\t"; ORS="" }
+ NR == 1 {
+ n = split($0, headers)
+ next
+ }
+ NR == 2 { printf "[" }
+ NR > 2 { printf "," }
+ {
+ printf "{"
+ for (i = 1; i <= NF && i <= n; i++) {
+ gsub(/"/, "\\\"", $i)
+ gsub(/^[[:space:]]+|[[:space:]]+$/, "", $i)
+ gsub(/"/, "\\\"", headers[i])
+ gsub(/^[[:space:]]+|[[:space:]]+$/, "", headers[i])
+ if (i > 1) printf ","
+ printf "\"%s\":\"%s\"", tolower(headers[i]), $i
+ }
+ printf "}"
+ }
+ END { printf "]" }
+ '
+}
+
+_GM_PROVIDER_GITLAB_LOADED=1
diff --git a/plugins/git-master/scripts/post-tool-use.sh b/plugins/git-master/scripts/post-tool-use.sh
new file mode 100755
index 0000000..957eaea
--- /dev/null
+++ b/plugins/git-master/scripts/post-tool-use.sh
@@ -0,0 +1,72 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Post-tool-use hook: provide non-blocking guidance after git operations.
+# PostToolUse cannot block — exit code 2 has no effect. All output is advisory.
+
+INPUT=$(cat)
+
+# Fast path: only care about Bash
+tool_name=$(printf '%s' "$INPUT" | jq -r '.tool_name // empty')
+[[ "$tool_name" == "Bash" ]] || exit 0
+
+command=$(printf '%s' "$INPUT" | jq -r '.tool_input.command // empty')
+[[ -n "$command" ]] || exit 0
+
+tool_result=$(printf '%s' "$INPUT" | jq -r '.tool_result // empty')
+
+guidance=""
+
+# ---------------------------------------------------------------------------
+# After git merge / pull / rebase with conflicts
+# ---------------------------------------------------------------------------
+if printf '%s' "$command" | grep -qE '(^|[;&|]\s*)git\s+(merge|pull|rebase)\b'; then
+ if printf '%s' "$tool_result" | grep -qi 'CONFLICT'; then
+ guidance="Merge conflicts detected. Resolve conflicts in the listed files, then:
+- For merge: git add && git commit
+- For rebase: git add && git rebase --continue
+- To abort: git merge --abort / git rebase --abort
+Check conflicted files with: git diff --name-only --diff-filter=U"
+ fi
+fi
+
+# ---------------------------------------------------------------------------
+# After git push rejected
+# ---------------------------------------------------------------------------
+if printf '%s' "$command" | grep -qE '(^|[;&|]\s*)git\s+push\b'; then
+ if printf '%s' "$tool_result" | grep -qiE '(rejected|non-fast-forward)'; then
+ guidance="Push was rejected (remote has new commits). Run: git pull --rebase && git push"
+ fi
+fi
+
+# ---------------------------------------------------------------------------
+# After successful git commit — suggest next steps
+# ---------------------------------------------------------------------------
+if printf '%s' "$command" | grep -qE '(^|[;&|]\s*)git\s+commit\b'; then
+ # A successful commit usually contains the branch and short hash in output
+ if printf '%s' "$tool_result" | grep -qE '^\[.+\]'; then
+ branch=$(git branch --show-current 2>/dev/null || echo "")
+ if [[ -n "$branch" ]]; then
+ # Check if branch has an upstream
+ if git rev-parse --abbrev-ref "${branch}@{upstream}" &>/dev/null; then
+ guidance="Commit created. You can push with: git push"
+ else
+ guidance="Commit created on '${branch}' (no upstream set). Push with: git push -u origin ${branch}"
+ fi
+ fi
+ fi
+fi
+
+# ---------------------------------------------------------------------------
+# Emit guidance if any
+# ---------------------------------------------------------------------------
+if [[ -n "$guidance" ]]; then
+ jq -n --arg ctx "[git-master] $guidance" '{
+ hookSpecificOutput: {
+ hookEventName: "PostToolUse",
+ additionalContext: $ctx
+ }
+ }'
+fi
+
+exit 0
diff --git a/plugins/git-master/scripts/pre-tool-use.sh b/plugins/git-master/scripts/pre-tool-use.sh
new file mode 100755
index 0000000..a76a485
--- /dev/null
+++ b/plugins/git-master/scripts/pre-tool-use.sh
@@ -0,0 +1,336 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Pre-tool-use hook: validate git commits, block pushes to protected branches,
+# block force push, validate PR/MR titles.
+# Exit 0 = allow, exit 2 = block (stderr becomes Claude feedback).
+
+INPUT=$(cat)
+
+# ---------------------------------------------------------------------------
+# Fast path: only care about Bash commands
+# ---------------------------------------------------------------------------
+tool_name=$(printf '%s' "$INPUT" | jq -r '.tool_name // empty')
+[[ "$tool_name" == "Bash" ]] || exit 0
+
+command=$(printf '%s' "$INPUT" | jq -r '.tool_input.command // empty')
+[[ -n "$command" ]] || exit 0
+
+PLUGIN_ROOT="${CLAUDE_PLUGIN_ROOT:-$(cd "$(dirname "$0")/.." && pwd)}"
+export CLAUDE_PLUGIN_ROOT="$PLUGIN_ROOT"
+
+# ---------------------------------------------------------------------------
+# Helper: deny with message
+# ---------------------------------------------------------------------------
+deny() {
+ echo "$1" >&2
+ exit 2
+}
+
+# ---------------------------------------------------------------------------
+# Helper: lazy-load config (called only when needed)
+# ---------------------------------------------------------------------------
+_config_loaded=0
+ensure_config() {
+ if [[ "$_config_loaded" -eq 0 ]]; then
+ # shellcheck source=lib/config.sh
+ source "${PLUGIN_ROOT}/scripts/lib/config.sh"
+ gm_config_load
+ _config_loaded=1
+ fi
+}
+
+# ---------------------------------------------------------------------------
+# Extract commit message from a git commit command
+# Returns the message on stdout, or empty string if not found
+# ---------------------------------------------------------------------------
+extract_commit_message() {
+ local cmd="$1"
+
+ # Handle heredoc/cat pattern: git commit -m "$(cat <<'EOF' ... EOF )"
+ # Extract content between the heredoc delimiters
+ if printf '%s' "$cmd" | grep -qE 'cat\s+<<'; then
+ local msg
+ msg=$(printf '%s' "$cmd" | sed -n "/cat <<['\"]\\{0,1\\}EOF['\"]\\{0,1\\}/,/^[[:space:]]*EOF/{/cat </dev/null || true)
+ if [[ -n "$skip_patterns" ]]; then
+ while IFS= read -r pattern; do
+ [[ -z "$pattern" ]] && continue
+ if printf '%s' "$msg" | grep -qE "$pattern"; then
+ return 0
+ fi
+ done <<< "$skip_patterns"
+ fi
+
+ local convention
+ convention=$(gm_config_get 'commit.convention' || echo "conventional")
+
+ # Extract subject line (first line of message)
+ local subject
+ subject=$(printf '%s' "$msg" | head -n1)
+
+ local max_length
+ max_length=$(gm_config_get 'commit.subject.max_length' || echo "72")
+ if [[ -n "$max_length" && "$max_length" != "null" ]]; then
+ local len=${#subject}
+ if (( len > max_length )); then
+ deny "[git-master] Commit subject too long (${len}/${max_length} chars): ${subject}"
+ fi
+ fi
+
+ case "$convention" in
+ conventional|angular)
+ # Pattern: type(scope)!: description
+ if ! printf '%s' "$subject" | grep -qE '^(feat|fix|docs|style|refactor|perf|test|build|ci|chore|revert)(\(.+\))?!?: .+'; then
+ deny "[git-master] Invalid ${convention} commit format.
+Expected: ():
+Allowed types: feat, fix, docs, style, refactor, perf, test, build, ci, chore, revert
+Got: ${subject}"
+ fi
+
+ # Extract type and check against allowed list
+ local ctype
+ ctype=$(printf '%s' "$subject" | sed -n 's/^\([a-z]*\).*/\1/p')
+ local allowed_types
+ allowed_types=$(gm_config_get_array 'commit.types' 2>/dev/null || true)
+ if [[ -n "$allowed_types" && -n "$ctype" ]]; then
+ if ! printf '%s\n' "$allowed_types" | grep -qx "$ctype"; then
+ deny "[git-master] Commit type '${ctype}' is not in the allowed list.
+Allowed: $(printf '%s' "$allowed_types" | tr '\n' ', ' | sed 's/,$//')"
+ fi
+ fi
+
+ # Check scope_required
+ local scope_required
+ scope_required=$(gm_config_get 'commit.scope_required' || echo "false")
+ if [[ "$scope_required" == "true" ]]; then
+ if ! printf '%s' "$subject" | grep -qE '^[a-z]+\(.+\)'; then
+ deny "[git-master] Scope is required. Expected: (): "
+ fi
+ fi
+
+ # Extract description (after "type(scope): " or "type: ")
+ local description
+ description=$(printf '%s' "$subject" | sed -n 's/^[a-z]*\(([^)]*)\)\{0,1\}!*:[[:space:]]*//p')
+
+ # Check case
+ local case_rule
+ case_rule=$(gm_config_get 'commit.subject.case' || echo "lower")
+ if [[ "$case_rule" == "lower" && -n "$description" ]]; then
+ local first_char
+ first_char=$(printf '%s' "$description" | cut -c1)
+ if printf '%s' "$first_char" | grep -q '[A-Z]'; then
+ deny "[git-master] Commit description must start with a lowercase letter. Got: '${description}'"
+ fi
+ fi
+
+ # Check trailing period
+ local no_trailing_period
+ no_trailing_period=$(gm_config_get 'commit.subject.no_trailing_period' || echo "true")
+ if [[ "$no_trailing_period" == "true" ]]; then
+ if printf '%s' "$subject" | grep -qE '\.$'; then
+ deny "[git-master] Commit subject must not end with a period."
+ fi
+ fi
+ ;;
+
+ gitmoji)
+ # Must start with :emoji: or a unicode emoji
+ if ! printf '%s' "$subject" | grep -qE '^(:[a-z_]+:|[\x{1F300}-\x{1F9FF}\x{2600}-\x{26FF}\x{2700}-\x{27BF}])'; then
+ # Fallback: check for common unicode emoji byte patterns
+ if ! printf '%s' "$subject" | grep -qP '^\p{Emoji_Presentation}'; then
+ deny "[git-master] Gitmoji commit must start with an emoji (e.g., :sparkles: or a unicode emoji).
+Got: ${subject}"
+ fi
+ fi
+ ;;
+
+ custom)
+ local custom_pattern
+ custom_pattern=$(gm_config_get 'commit.custom_pattern' || echo "")
+ local custom_desc
+ custom_desc=$(gm_config_get 'commit.custom_description' || echo "")
+ if [[ -n "$custom_pattern" && "$custom_pattern" != "null" ]]; then
+ if ! printf '%s' "$subject" | grep -qE "$custom_pattern"; then
+ local hint=""
+ [[ -n "$custom_desc" && "$custom_desc" != "null" ]] && hint=" ($custom_desc)"
+ deny "[git-master] Commit does not match custom pattern${hint}.
+Pattern: ${custom_pattern}
+Got: ${subject}"
+ fi
+ fi
+ ;;
+
+ freeform)
+ # Only length check (already done above)
+ ;;
+
+ *)
+ # Unknown convention — skip validation
+ ;;
+ esac
+
+ return 0
+}
+
+# ---------------------------------------------------------------------------
+# Validate a PR/MR title
+# ---------------------------------------------------------------------------
+validate_pr_title() {
+ local title="$1"
+
+ ensure_config
+
+ local pr_convention
+ pr_convention=$(gm_config_get 'pr.title.convention' || echo "inherit")
+
+ # "inherit" means use the commit convention
+ [[ "$pr_convention" == "inherit" ]] && pr_convention=$(gm_config_get 'commit.convention' || echo "conventional")
+
+ local pr_max_length
+ pr_max_length=$(gm_config_get 'pr.title.max_length' || echo "72")
+ if [[ -n "$pr_max_length" && "$pr_max_length" != "null" ]]; then
+ local len=${#title}
+ if (( len > pr_max_length )); then
+ deny "[git-master] PR/MR title too long (${len}/${pr_max_length} chars): ${title}"
+ fi
+ fi
+
+ case "$pr_convention" in
+ conventional|angular)
+ if ! printf '%s' "$title" | grep -qE '^(feat|fix|docs|style|refactor|perf|test|build|ci|chore|revert)(\(.+\))?!?: .+'; then
+ deny "[git-master] PR/MR title must follow ${pr_convention} format.
+Expected: ():
+Got: ${title}"
+ fi
+ ;;
+ custom)
+ local custom_pattern
+ custom_pattern=$(gm_config_get 'pr.title.custom_pattern' || echo "")
+ if [[ -n "$custom_pattern" && "$custom_pattern" != "null" ]]; then
+ if ! printf '%s' "$title" | grep -qE "$custom_pattern"; then
+ deny "[git-master] PR/MR title does not match required pattern.
+Pattern: ${custom_pattern}
+Got: ${title}"
+ fi
+ fi
+ ;;
+ freeform|""|null)
+ # No format enforcement
+ ;;
+ esac
+
+ return 0
+}
+
+# ---------------------------------------------------------------------------
+# Extract --title from a gh pr create / glab mr create command
+# ---------------------------------------------------------------------------
+extract_pr_title() {
+ local cmd="$1"
+
+ local title=""
+ # Try --title "..." or --title '...'
+ if printf '%s' "$cmd" | grep -qE -- '--title\s+"'; then
+ title=$(printf '%s' "$cmd" | sed -n 's/.*--title[[:space:]]*"\([^"]*\)".*/\1/p')
+ elif printf '%s' "$cmd" | grep -qE -- "--title\s+'"; then
+ title=$(printf '%s' "$cmd" | sed -n "s/.*--title[[:space:]]*'\\([^']*\\)'.*/\\1/p")
+ elif printf '%s' "$cmd" | grep -qE -- '--title\s+\S'; then
+ title=$(printf '%s' "$cmd" | sed -n 's/.*--title[[:space:]]*\([^[:space:]"'"'"'][^[:space:]]*\).*/\1/p')
+ fi
+
+ printf '%s' "$title"
+}
+
+# ===========================================================================
+# Main dispatch
+# ===========================================================================
+
+# --- git commit ---
+if printf '%s' "$command" | grep -qE '(^|[;&|]\s*)git\s+commit\b'; then
+ # Check for -m flag — if absent, it is an interactive commit; allow it
+ if ! printf '%s' "$command" | grep -qE -- '-m\s'; then
+ exit 0
+ fi
+
+ msg=$(extract_commit_message "$command")
+ if [[ -z "$msg" ]]; then
+ exit 0
+ fi
+
+ validate_commit_message "$msg"
+ exit 0
+fi
+
+# --- git push ---
+if printf '%s' "$command" | grep -qE '(^|[;&|]\s*)git\s+push\b'; then
+ # Check for force push (but allow --force-with-lease)
+ if printf '%s' "$command" | grep -qE -- '(--force|-f)(\s|$)' && \
+ ! printf '%s' "$command" | grep -qE -- '--force-with-lease'; then
+ deny "[git-master] Force push is blocked. Use --force-with-lease for safer force pushes."
+ fi
+
+ # Check protected branches
+ current_branch=$(git branch --show-current 2>/dev/null || echo "")
+ if [[ -n "$current_branch" ]]; then
+ ensure_config
+ protected=$(gm_config_get_array 'branch.protected' 2>/dev/null || true)
+ if [[ -n "$protected" ]]; then
+ while IFS= read -r branch; do
+ [[ -z "$branch" ]] && continue
+ if [[ "$current_branch" == "$branch" ]]; then
+ deny "[git-master] Push to protected branch '${branch}' is blocked. Create a PR/MR instead."
+ fi
+ done <<< "$protected"
+ fi
+ fi
+
+ exit 0
+fi
+
+# --- gh pr create / glab mr create ---
+if printf '%s' "$command" | grep -qE '(^|[;&|]\s*)(gh\s+pr\s+create|glab\s+mr\s+create)\b'; then
+ title=$(extract_pr_title "$command")
+ if [[ -n "$title" ]]; then
+ validate_pr_title "$title"
+ fi
+ exit 0
+fi
+
+# --- Everything else: allow ---
+exit 0
diff --git a/plugins/git-master/scripts/session-start.sh b/plugins/git-master/scripts/session-start.sh
new file mode 100755
index 0000000..c51d0a3
--- /dev/null
+++ b/plugins/git-master/scripts/session-start.sh
@@ -0,0 +1,49 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Session start hook: load config, detect provider, inject context summary.
+# Exits silently (0) if not in a git repo.
+
+# Read hook input (required by the hook protocol even if unused)
+cat > /dev/null
+
+# Not in a git repo — nothing to do
+if ! git rev-parse --is-inside-work-tree &>/dev/null; then
+ exit 0
+fi
+
+PLUGIN_ROOT="${CLAUDE_PLUGIN_ROOT:-$(cd "$(dirname "$0")/.." && pwd)}"
+export CLAUDE_PLUGIN_ROOT="$PLUGIN_ROOT"
+
+# Load config
+# shellcheck source=lib/config.sh
+source "${PLUGIN_ROOT}/scripts/lib/config.sh"
+gm_config_load
+
+# Detect provider and CLI
+# shellcheck source=lib/provider-detect.sh
+source "${PLUGIN_ROOT}/scripts/lib/provider-detect.sh"
+provider=$(gm_detect_provider)
+cli=$(gm_detect_cli)
+
+# Gather context pieces
+convention=$(gm_config_get 'commit.convention' || echo "conventional")
+max_length=$(gm_config_get 'commit.subject.max_length' || echo "72")
+protected_json=$(gm_config_get_json 'branch.protected' 2>/dev/null || echo '[]')
+protected=$(printf '%s' "$protected_json" | jq -r 'if type == "array" then join(", ") else . end' 2>/dev/null || echo "main, master")
+branch=$(git branch --show-current 2>/dev/null || echo "detached")
+
+# Build summary
+summary="[git-master] "
+summary+="Provider: ${provider} (cli: ${cli}). "
+summary+="Commit convention: ${convention} (max ${max_length} chars). "
+summary+="Protected branches: ${protected}. "
+summary+="Current branch: ${branch}."
+
+# Output hook response
+jq -n --arg ctx "$summary" '{
+ hookSpecificOutput: {
+ hookEventName: "SessionStart",
+ additionalContext: $ctx
+ }
+}'
diff --git a/plugins/git-master/scripts/stop-check.sh b/plugins/git-master/scripts/stop-check.sh
new file mode 100755
index 0000000..1e93a72
--- /dev/null
+++ b/plugins/git-master/scripts/stop-check.sh
@@ -0,0 +1,54 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Stop hook: warn about pending git state before Claude stops.
+# Outputs {"decision": "block", "reason": "..."} or {"decision": "approve"}.
+
+INPUT=$(cat)
+
+# Prevent infinite loop — if stop_hook_active is set, approve immediately
+stop_hook_active=$(printf '%s' "$INPUT" | jq -r '.stop_hook_active // false')
+if [[ "$stop_hook_active" == "true" ]]; then
+ exit 0
+fi
+
+# Not in a git repo — nothing to check
+if ! git rev-parse --is-inside-work-tree &>/dev/null; then
+ jq -n '{"decision": "approve"}'
+ exit 0
+fi
+
+warnings=()
+
+# Check for staged uncommitted files
+staged_count=$(git diff --cached --name-only 2>/dev/null | wc -l)
+if (( staged_count > 0 )); then
+ warnings+=("${staged_count} staged file(s) not yet committed")
+fi
+
+# Check for unresolved merge conflicts
+conflict_count=$(git diff --name-only --diff-filter=U 2>/dev/null | wc -l)
+if (( conflict_count > 0 )); then
+ warnings+=("${conflict_count} file(s) with unresolved merge conflicts")
+fi
+
+# Check for active rebase
+git_dir=$(git rev-parse --git-dir 2>/dev/null)
+if [[ -d "${git_dir}/rebase-merge" || -d "${git_dir}/rebase-apply" ]]; then
+ warnings+=("a rebase is in progress")
+fi
+
+# Check for active merge
+if [[ -f "${git_dir}/MERGE_HEAD" ]]; then
+ warnings+=("a merge is in progress")
+fi
+
+# Emit decision
+if (( ${#warnings[@]} > 0 )); then
+ reason="[git-master] Pending git state — please resolve before stopping: $(IFS='; '; echo "${warnings[*]}")."
+ jq -n --arg r "$reason" '{"decision": "block", "reason": $r}'
+else
+ jq -n '{"decision": "approve"}'
+fi
+
+exit 0
diff --git a/plugins/git-master/settings.json b/plugins/git-master/settings.json
new file mode 100644
index 0000000..2c97dab
--- /dev/null
+++ b/plugins/git-master/settings.json
@@ -0,0 +1,13 @@
+{
+ "permissions": {
+ "allow": [
+ "Bash(git *)",
+ "Bash(gh *)",
+ "Bash(glab *)",
+ "Bash(tea *)",
+ "Bash(python3 *)",
+ "Bash(jq *)",
+ "Bash(cat *)"
+ ]
+ }
+}
diff --git a/plugins/git-master/skills/committing/SKILL.md b/plugins/git-master/skills/committing/SKILL.md
new file mode 100644
index 0000000..7c9c1ae
--- /dev/null
+++ b/plugins/git-master/skills/committing/SKILL.md
@@ -0,0 +1,158 @@
+---
+name: committing
+description: >-
+ Smart git commit workflow with project-aware conventions. Use when the user
+ says: "commit", "create a commit", "stage and commit", "git commit",
+ "save my progress", "commit my changes", "commit this work",
+ "commit with message", or asks to save/record changes to version control.
+ Reads project config to enforce commit conventions, signing, and attribution
+ rules automatically.
+argument-hint: "[optional commit message or description]"
+allowed-tools: Read, Bash, Grep, Glob
+---
+
+# Dynamic Context
+
+**Commit config:**
+!`cat "${GIT_MASTER_CONFIG_PATH:-/dev/null}" 2>/dev/null | jq '.commit' 2>/dev/null || echo "no config"`
+
+**Git status:**
+!`git status --short 2>/dev/null`
+
+**Staged diff stat:**
+!`git diff --cached --stat 2>/dev/null`
+
+**Current branch:**
+!`git branch --show-current 2>/dev/null`
+
+**Recent commits (for style reference):**
+!`git log --oneline -5 2>/dev/null`
+
+---
+
+# Smart Commit Workflow
+
+Follow these steps in order. Do NOT skip steps.
+
+## 1. Read Configuration
+
+Parse the injected commit config above. Extract these settings (use defaults when missing):
+
+| Setting | Default |
+|---|---|
+| `convention` | `conventional` |
+| `subject.max_length` | `72` |
+| `subject.case` | `lower` |
+| `subject.no_trailing_period` | `true` |
+| `scope_required` | `false` |
+| `scopes` | `[]` (any scope allowed) |
+| `types` | `[feat, fix, docs, style, refactor, perf, test, build, ci, chore, revert]` |
+| `body.required` | `false` |
+| `body.max_line_length` | `100` |
+| `body.require_references` | `""` |
+| `breaking.footer_required` | `true` |
+| `breaking.exclamation_mark` | `true` |
+| `signing.enabled` | `false` |
+| `signing.method` | `gpg` |
+| `ai_attribution` | `false` |
+| `custom_pattern` | `""` |
+| `emoji_prefix` | `null` |
+
+## 2. Assess Working Tree State
+
+Check the injected git status and staged diff stat:
+
+- **Nothing to commit** (no staged, unstaged, or untracked files): Tell the user there is nothing to commit and stop.
+- **Nothing staged but changes exist**: List the changed/untracked files and ask the user what they want to stage. Do NOT auto-stage everything.
+- **Files already staged**: Proceed to step 3. If there are also unstaged changes, mention them and ask if the user wants to include any of those as well.
+
+## 3. Protected Branch Check
+
+Compare the current branch against the configured `branch.protected` list (default: `main`, `master`, `develop`).
+
+If on a protected branch:
+- Warn the user clearly: "You are on protected branch ``. Committing directly is discouraged."
+- Ask for explicit confirmation before proceeding.
+- Suggest creating a feature branch instead.
+
+## 4. Generate Commit Message
+
+If the user provided `$ARGUMENTS`, use that as guidance for the commit message (it may be a full message, a description of changes, or a type hint).
+
+Analyze the staged diff to determine the appropriate commit message. The approach depends on the configured convention:
+
+### Conventional Commits (`conventional`)
+Format: `type(scope): description`
+
+- **Determine type**: Analyze the diff content. New files/features = `feat`. Bug fixes = `fix`. Documentation only = `docs`. Formatting/whitespace = `style`. Code restructuring without behavior change = `refactor`. Performance improvement = `perf`. Test additions/changes = `test`. Build system/dependencies = `build`. CI config = `ci`. Maintenance/tooling = `chore`. Reverting a commit = `revert`.
+- **Determine scope**: Identify the primary area affected (module, component, package). If `scopes` is configured, pick from that list. If `scope_required` is true, always include a scope. Otherwise, scope is optional.
+- **Write description**: Imperative mood ("add" not "added"), lowercase start (if `case: lower`), no trailing period (if `no_trailing_period: true`), within `max_length` characters for the full subject line.
+- **Breaking changes**: If the change is breaking, append `!` after the type/scope (if `exclamation_mark: true`) and include a `BREAKING CHANGE:` footer in the body (if `footer_required: true`).
+
+### Angular Convention (`angular`)
+Same as conventional but with stricter scope rules:
+- Scope is more strongly encouraged.
+- Scopes should match module/package names exactly.
+- Types are identical to conventional.
+
+### Gitmoji (`gitmoji`)
+Format: `:emoji: description`
+
+Map the determined type to the correct gitmoji:
+- `feat` = `:sparkles:`, `fix` = `:bug:`, `docs` = `:memo:`, `style` = `:art:`, `refactor` = `:recycle:`, `perf` = `:zap:`, `test` = `:white_check_mark:`, `build` = `:hammer:`, `ci` = `:construction_worker:`, `chore` = `:wrench:`, `revert` = `:rewind:`
+
+### Custom (`custom`)
+Use the `custom_pattern` regex (with named groups: `type`, `scope`, `subject`) and `custom_description` to format the message.
+
+### Freeform (`freeform`)
+Write a natural language commit message. Still respect `max_length`. Use the recent commits above as a style guide.
+
+**In all cases**: Consult the reference file at `${CLAUDE_SKILL_DIR}/references/commit-conventions.md` for detailed convention rules and examples.
+
+## 5. Handle Pre-Checks
+
+If `pre_checks.enabled` is true, run each command in `pre_checks.commands` before committing. If a required check fails, report the failure and stop. Do not commit.
+
+## 6. Stage Files
+
+When staging is needed:
+- **Always prefer** `git add ` with explicit file paths.
+- **Never use** `git add -A` or `git add .` unless the user explicitly requests it.
+- If the user said "commit everything" or "commit all changes", stage all modified and untracked files but list them first and confirm.
+
+## 7. Create the Commit
+
+Build the commit command:
+
+```bash
+git commit -m "$(cat <<'EOF'
+
+EOF
+)"
+```
+
+Additional flags:
+- If `signing.enabled` is true: add `--gpg-sign` (for gpg) or `-S` with the configured key.
+- If a commit body is needed (breaking change footer, required body, or user-provided detail), use a multi-line message with the heredoc.
+
+**IMPORTANT**: If a pre-commit hook fails, the commit did NOT happen. Fix the issue, re-stage if needed, and create a NEW commit. Never use `--amend` after a hook failure as that would modify a previous, unrelated commit.
+
+## 8. Post-Commit
+
+After a successful commit:
+1. Run `git log --oneline -1` to show the created commit.
+2. Run `git status --short` to show remaining working tree state.
+3. Suggest next steps:
+ - If there are more unstaged changes: "There are remaining changes. Would you like to create another commit?"
+ - If the branch has no upstream: "Push this branch with `git push -u origin `?"
+ - If the branch is ahead of remote: "Push to remote? Or create a PR?"
+
+## 9. AI Attribution
+
+If `ai_attribution` is `false` (the default):
+- Do **NOT** include `Co-Authored-By` trailers.
+- Do **NOT** include `Generated with` or `Generated by` lines.
+- Do **NOT** add any mention of AI, Claude, or automated tooling in the commit message.
+
+If `ai_attribution` is `true`:
+- Add a `Co-Authored-By: Claude ` trailer to the commit body.
diff --git a/plugins/git-master/skills/committing/references/commit-conventions.md b/plugins/git-master/skills/committing/references/commit-conventions.md
new file mode 100644
index 0000000..119ca7c
--- /dev/null
+++ b/plugins/git-master/skills/committing/references/commit-conventions.md
@@ -0,0 +1,179 @@
+# Commit Convention Reference
+
+## Conventional Commits v1.0.0
+
+### Specification
+
+The full format is:
+
+```
+[optional scope][optional !]:
+
+[optional body]
+
+[optional footer(s)]
+```
+
+**Subject line rules:**
+- `type` is required and must be one of the allowed types.
+- `scope` is a noun in parentheses describing the section of the codebase: `feat(parser):`, `fix(auth):`.
+- `!` before the colon indicates a breaking change.
+- `description` follows the colon and space. It is a short summary of the change.
+- The entire subject line (type + scope + description) must fit within the configured `max_length` (default 72 characters).
+
+**Body rules:**
+- Separated from the subject by a blank line.
+- Free-form text. Each line should not exceed `max_line_length` (default 100).
+- Provides additional contextual information about the change.
+
+**Footer rules:**
+- Separated from the body by a blank line.
+- Format: `token: value` or `token #value`.
+- `BREAKING CHANGE: ` is a special footer indicating a breaking API change.
+- Other common footers: `Refs: #123`, `Reviewed-by: Name`, `Closes #456`.
+
+### Allowed Types
+
+| Type | When to Use |
+|---|---|
+| `feat` | A new feature or capability is introduced |
+| `fix` | A bug is corrected |
+| `docs` | Documentation only changes (README, comments, JSDoc, docstrings) |
+| `style` | Formatting, whitespace, semicolons — no logic change |
+| `refactor` | Code restructuring that neither fixes a bug nor adds a feature |
+| `perf` | A change that improves performance |
+| `test` | Adding or correcting tests |
+| `build` | Build system or external dependency changes (webpack, npm, pip) |
+| `ci` | CI configuration changes (GitHub Actions, GitLab CI, Jenkins) |
+| `chore` | Maintenance tasks that don't modify src or test files |
+| `revert` | Reverts a previous commit |
+
+### Examples
+
+```
+feat(auth): add OAuth2 login with Google provider
+```
+
+```
+fix(parser): handle escaped quotes in CSV fields
+```
+
+```
+docs: update installation instructions for Windows
+```
+
+```
+feat(api)!: change authentication response format
+
+BREAKING CHANGE: the /auth endpoint now returns a JWT token instead of a session cookie.
+Clients must update their token handling logic.
+```
+
+---
+
+## Angular Convention
+
+The Angular convention is nearly identical to Conventional Commits with these distinctions:
+
+- **Scopes are strongly encouraged** and should correspond to Angular modules, packages, or application layers.
+- **Scope values** should be consistent within a project (e.g., `compiler`, `core`, `http`, `router`).
+- The body **should** explain the motivation for the change and contrast with previous behavior.
+- Footer `Closes #` is expected when a commit resolves an issue.
+
+### Scope Guidelines
+
+- Use the package or module name: `feat(forms):`, `fix(router):`.
+- For cross-cutting concerns: `refactor(core):`, `chore(deps):`.
+- Avoid overly broad scopes like `app` or `misc`.
+
+### Examples
+
+```
+feat(forms): add async validator support for reactive forms
+```
+
+```
+fix(router): resolve navigation guard promise rejection on redirect
+
+The router was not properly catching rejected promises from navigation
+guards when a redirect was issued during the beforeEach phase.
+
+Closes #4521
+```
+
+```
+refactor(compiler): extract template binding parser into separate module
+```
+
+```
+perf(core): reduce change detection cycles for static views
+
+Skip change detection for components marked as OnPush when no input
+bindings have changed.
+```
+
+---
+
+## Gitmoji
+
+Gitmoji replaces the type prefix with an emoji. The description follows directly after a space.
+
+### Emoji Mapping
+
+| Emoji | Code | Equivalent Type | When to Use |
+|---|---|---|---|
+| :sparkles: | `:sparkles:` | feat | Introduce new features |
+| :bug: | `:bug:` | fix | Fix a bug |
+| :memo: | `:memo:` | docs | Add or update documentation |
+| :art: | `:art:` | style | Improve structure/format of code |
+| :recycle: | `:recycle:` | refactor | Refactor code |
+| :zap: | `:zap:` | perf | Improve performance |
+| :white_check_mark: | `:white_check_mark:` | test | Add or update tests |
+| :hammer: | `:hammer:` | build | Build system changes |
+| :construction_worker: | `:construction_worker:` | ci | CI/CD changes |
+| :wrench: | `:wrench:` | chore | Configuration/tooling changes |
+| :rewind: | `:rewind:` | revert | Revert changes |
+| :lock: | `:lock:` | — | Fix security issues |
+| :bookmark: | `:bookmark:` | — | Release/version tags |
+| :rotating_light: | `:rotating_light:` | — | Fix compiler/linter warnings |
+| :construction: | `:construction:` | — | Work in progress |
+| :fire: | `:fire:` | — | Remove code or files |
+| :truck: | `:truck:` | — | Move or rename resources |
+| :boom: | `:boom:` | — | Introduce breaking changes |
+
+### Examples
+
+```
+:sparkles: add dark mode toggle to settings page
+```
+
+```
+:bug: fix race condition in WebSocket reconnection logic
+```
+
+```
+:memo: document rate limiting configuration options
+```
+
+```
+:boom: drop support for Node.js 14
+
+BREAKING CHANGE: minimum required Node.js version is now 18 LTS.
+```
+
+---
+
+## Choosing the Right Type
+
+When the diff is ambiguous, use these heuristics:
+
+1. **New file that adds functionality** -> `feat`
+2. **New file that is a test** -> `test`
+3. **New file that is documentation** -> `docs`
+4. **Modified file that fixes incorrect behavior** -> `fix`
+5. **Modified file that adds a new code path or capability** -> `feat`
+6. **Modified file with only structural changes (rename, move, extract)** -> `refactor`
+7. **Modified config file for build tools** -> `build`
+8. **Modified CI pipeline file** -> `ci`
+9. **Dependency version bumps** -> `build` (or `chore` if no build impact)
+10. **Multiple types in one commit** -> Use the most significant type; suggest splitting if truly independent changes.
diff --git a/plugins/git-master/skills/creating-pr/SKILL.md b/plugins/git-master/skills/creating-pr/SKILL.md
new file mode 100644
index 0000000..0633683
--- /dev/null
+++ b/plugins/git-master/skills/creating-pr/SKILL.md
@@ -0,0 +1,246 @@
+---
+name: creating-pr
+description: >-
+ Create pull requests (GitHub) or merge requests (GitLab) with auto-generated
+ titles, descriptions, labels, and reviewers. Use when the user says:
+ "create PR", "create a PR", "open pull request", "create merge request",
+ "create MR", "make a PR", "open PR", "submit PR", "push and create PR",
+ or asks to send changes for review. Supports GitHub (gh) and GitLab (glab).
+argument-hint: "[optional PR title or target branch]"
+allowed-tools: Read, Bash, Grep, Glob
+---
+
+# Dynamic Context
+
+**PR config:**
+!`cat "${GIT_MASTER_CONFIG_PATH:-/dev/null}" 2>/dev/null | jq '.pr' 2>/dev/null || echo "no config"`
+
+**Branch config:**
+!`cat "${GIT_MASTER_CONFIG_PATH:-/dev/null}" 2>/dev/null | jq '.branch' 2>/dev/null || echo "no config"`
+
+**Provider:**
+!`echo "${GIT_MASTER_PROVIDER:-auto}"`
+
+**Current branch:**
+!`git branch --show-current 2>/dev/null`
+
+**Default remote branch:**
+!`git symbolic-ref refs/remotes/origin/HEAD 2>/dev/null | sed 's|refs/remotes/origin/||' || echo "main"`
+
+**Commits ahead of base:**
+!`git log --oneline "$(git merge-base HEAD origin/$(git symbolic-ref refs/remotes/origin/HEAD 2>/dev/null | sed 's|refs/remotes/origin/||' || echo main) 2>/dev/null || echo HEAD~10)..HEAD" 2>/dev/null`
+
+**Working tree status:**
+!`git status --short 2>/dev/null`
+
+---
+
+# Create PR/MR Workflow
+
+Follow these steps in order. Do NOT skip steps.
+
+## 1. Read Configuration and Detect Provider
+
+Parse the injected PR and branch config above. Extract these settings (use defaults when missing):
+
+| Setting | Default |
+|---|---|
+| `title.convention` | `inherit` |
+| `title.max_length` | `72` |
+| `description.template` | (see reference) |
+| `description.required_sections` | `[summary, test_plan]` |
+| `auto_populate` | `true` |
+| `draft` | `false` |
+| `labels` | `[]` |
+| `auto_labels` | `true` |
+| `label_rules` | (see config) |
+| `size_labels.enabled` | `true` |
+| `reviewers.auto_assign` | `true` |
+| `reviewers.rules` | `[]` |
+| `reviewers.fallback` | `[]` |
+| `assignees` | `[]` |
+| `target_branch` | `""` (auto-detect) |
+
+**Detect provider**: Check the injected provider value. If `auto`, determine from the git remote URL:
+- `github.com` -> GitHub, use `gh`
+- `gitlab.com` -> GitLab, use `glab`
+- Otherwise, try `gh` first, then `glab`
+
+Verify the CLI tool is installed and authenticated:
+- GitHub: `gh auth status`
+- GitLab: `glab auth status`
+
+If not authenticated, tell the user and stop.
+
+## 2. Validate Readiness
+
+Check these conditions before proceeding:
+
+### Protected Branch
+Compare the current branch against `branch.protected` (default: `main`, `master`, `develop`). If the current branch IS a protected branch, tell the user: "You are on `` which is a protected branch. You cannot create a PR from a protected branch to itself. Please create a feature branch first." Then stop.
+
+### Commits Ahead
+Check the injected "commits ahead" output. If there are zero commits ahead of the base branch, tell the user: "No commits ahead of ``. Nothing to create a PR for." Then stop.
+
+### Uncommitted Changes
+Check the injected working tree status. If there are uncommitted changes:
+- Warn the user: "You have uncommitted changes."
+- List them.
+- Ask: "Would you like to commit them first before creating the PR?"
+- If yes, invoke the committing workflow (or guide the user through it).
+- If no, proceed with only the committed changes.
+
+### Existing PR
+Check if a PR already exists for this branch:
+- GitHub: `gh pr view --json url,state 2>/dev/null`
+- GitLab: `glab mr view 2>/dev/null`
+
+If a PR already exists and is open, show the URL and ask: "A PR already exists for this branch. Would you like to update it instead?" Do not create a duplicate.
+
+## 3. Push Branch
+
+Check if the branch has an upstream:
+```bash
+git rev-parse --abbrev-ref --symbolic-full-name @{u} 2>/dev/null
+```
+
+If no upstream exists, push with tracking:
+```bash
+git push -u origin
+```
+
+If an upstream exists but there are unpushed commits, push:
+```bash
+git push
+```
+
+## 4. Determine Target Branch
+
+Use `target_branch` from config if set. Otherwise, use the default remote branch (from dynamic context above, typically `main` or `master`).
+
+If `$ARGUMENTS` contains what looks like a branch name (no spaces, matches an existing remote branch), use it as the target.
+
+## 5. Generate PR Title
+
+Based on the `title.convention`:
+
+### `inherit` (from commit convention)
+- If there is a single commit, use its subject line as the PR title.
+- If there are multiple commits, derive a title that summarizes the overall change. Look at the commit types: if all are the same type, use that type. Otherwise, use the most significant type.
+- Follow the same formatting rules as the commit convention (conventional, angular, gitmoji, etc.).
+
+### `conventional`
+Format the title as `type(scope): description`, following conventional commit rules regardless of the commit convention.
+
+### `custom`
+Use the `title.custom_pattern` to format the title.
+
+### `freeform`
+Write a clear, concise title. No prefix required.
+
+**In all cases**: Respect `title.max_length`. If `$ARGUMENTS` looks like a title (contains spaces, descriptive text), use it as the title or as guidance.
+
+## 6. Generate PR Description
+
+Use the configured `description.template`. If `auto_populate` is true, fill in automatically:
+
+- **{COMMITS}**: Render from the git log of commits ahead of base. Format as a bulleted list.
+- **{SUMMARY}**: Synthesize from the commit messages and diff. Write 1-3 sentences explaining the purpose.
+- **{TEST_PLAN}**: If discernible from commits (e.g., test files were added/modified), describe the testing. Otherwise, ask the user.
+- **{BREAKING_CHANGES}**: Scan commit messages for `BREAKING CHANGE:` or `!` markers. List them if found.
+- **{RELATED_ISSUES}**: Scan commit messages for issue references (`#123`, `PROJ-456`). List them if found.
+
+If `required_sections` includes sections that cannot be auto-populated, ask the user to provide them before creating the PR.
+
+Consult `${CLAUDE_SKILL_DIR}/references/pr-templates.md` for template definitions and formatting.
+
+## 7. Apply Labels
+
+### Static Labels
+Always apply labels from the `labels` list in config.
+
+### Auto Labels (if `auto_labels: true`)
+Determine changed files:
+```bash
+git diff --name-only origin/..HEAD
+```
+
+Match changed file paths against `label_rules`:
+- Each rule has a `pattern` (glob) and `labels` (list).
+- If any changed file matches the pattern, add those labels.
+- Collect all matching labels into a deduplicated list.
+
+### Size Labels (if `size_labels.enabled: true`)
+Count total lines changed:
+```bash
+git diff --stat origin/..HEAD | tail -1
+```
+
+Map to size label based on thresholds:
+- 0 to `xs` (10) = `size/XS`
+- `xs` to `s` (50) = `size/S`
+- `s` to `m` (200) = `size/M`
+- `m` to `l` (500) = `size/L`
+- `l` to `xl` (1000) = `size/XL`
+- above `xl` = `size/XXL`
+
+**Note**: Only apply labels that actually exist in the repository. If a label does not exist:
+- GitHub: `gh label create ` to create it, or skip with a warning.
+- GitLab: Skip with a warning (labels must be pre-created).
+
+## 8. Assign Reviewers
+
+If `reviewers.auto_assign` is true:
+
+1. Match changed files against `reviewers.rules` (each rule has a `pattern`, `reviewers` list, and `required` count).
+2. Collect all matching reviewers.
+3. If no rules matched, use `reviewers.fallback`.
+4. Apply `team_reviewers` if configured.
+
+If no reviewers are configured at all, skip this step silently.
+
+## 9. Create the PR/MR
+
+### GitHub
+```bash
+gh pr create \
+ --title "" \
+ --body "$(cat <<'EOF'
+<description body>
+EOF
+)" \
+ --base "<target-branch>" \
+ [--draft] \
+ [--label "<label1>" --label "<label2>"] \
+ [--reviewer "<user1>" --reviewer "<user2>"] \
+ [--assignee "<user>"]
+```
+
+### GitLab
+```bash
+glab mr create \
+ --title "<title>" \
+ --description "$(cat <<'EOF'
+<description body>
+EOF
+)" \
+ --target-branch "<target-branch>" \
+ [--draft] \
+ [--label "<label1>" --label "<label2>"] \
+ [--reviewer "<user1>" --reviewer "<user2>"] \
+ [--assignee "<user>"]
+```
+
+If `draft` is true in config, always add the draft flag unless the user explicitly says "not a draft" or "ready for review".
+
+## 10. Report Result
+
+After successful creation:
+
+1. **Show the PR/MR URL** prominently.
+2. **List applied metadata**: labels, reviewers, assignees, draft status.
+3. **Mention target branch**: "Targeting `<base>` from `<branch>`."
+4. **If size label was applied**: mention the PR size for awareness.
+5. **Suggest next steps**:
+ - "Monitor CI status with `/monitoring-pr`"
+ - "View the PR at <url>"
diff --git a/plugins/git-master/skills/creating-pr/references/pr-templates.md b/plugins/git-master/skills/creating-pr/references/pr-templates.md
new file mode 100644
index 0000000..115a75c
--- /dev/null
+++ b/plugins/git-master/skills/creating-pr/references/pr-templates.md
@@ -0,0 +1,148 @@
+# PR/MR Description Templates
+
+## Placeholders
+
+Use these placeholders in templates. They are populated automatically when `auto_populate: true`.
+
+| Placeholder | Source | Description |
+|---|---|---|
+| `{SUMMARY}` | Synthesized from commits and diff | 1-3 sentence overview of the change |
+| `{COMMITS}` | `git log --oneline base..HEAD` | Bulleted list of commit subjects |
+| `{TEST_PLAN}` | Test files in diff or user input | How the changes were tested |
+| `{BREAKING_CHANGES}` | Commit footers with `BREAKING CHANGE:` | List of breaking changes, if any |
+| `{RELATED_ISSUES}` | Issue references in commit messages | Links to related issues/tickets |
+
+---
+
+## Default Template
+
+Used when no template is configured or `description.template` is not set.
+
+```markdown
+## Summary
+{SUMMARY}
+
+## Changes
+{COMMITS}
+
+## Test plan
+{TEST_PLAN}
+```
+
+### Example (rendered)
+
+```markdown
+## Summary
+Add OAuth2 authentication with Google as a provider, replacing the legacy
+session-based auth flow.
+
+## Changes
+- feat(auth): add OAuth2 login with Google provider
+- feat(auth): add token refresh middleware
+- fix(auth): handle expired refresh tokens gracefully
+- test(auth): add integration tests for OAuth2 flow
+- docs: update authentication section in README
+
+## Test plan
+- Added integration tests covering login, token refresh, and expiry.
+- Manually tested the login flow against Google OAuth2 sandbox.
+- Verified backward compatibility: existing sessions are migrated on first request.
+```
+
+---
+
+## Minimal Template
+
+For small changes or when brevity is preferred.
+
+```markdown
+{SUMMARY}
+```
+
+### Example (rendered)
+
+```markdown
+Fix race condition in WebSocket reconnection that caused duplicate event handlers
+to accumulate after network interruptions.
+```
+
+---
+
+## Detailed Template
+
+For larger changes, breaking changes, or changes requiring extra context.
+
+```markdown
+## Summary
+{SUMMARY}
+
+## Changes
+{COMMITS}
+
+## Test plan
+{TEST_PLAN}
+
+## Breaking changes
+{BREAKING_CHANGES}
+
+## Screenshots
+<!-- Add screenshots if this change affects UI -->
+
+## Related issues
+{RELATED_ISSUES}
+```
+
+### Example (rendered)
+
+```markdown
+## Summary
+Migrate the authentication system from session cookies to JWT tokens. This
+is a breaking change for all API consumers.
+
+## Changes
+- feat(api)!: replace session auth with JWT token auth
+- feat(api): add /auth/refresh endpoint for token renewal
+- fix(api): validate token expiry with clock skew tolerance
+- chore(deps): add jsonwebtoken 9.0.0
+- docs(api): update auth endpoints in OpenAPI spec
+
+## Test plan
+- Unit tests for token generation, validation, and refresh.
+- Integration tests against the /auth, /auth/refresh, and protected endpoints.
+- Load tested with 1000 concurrent token validations.
+- Tested token expiry edge cases (clock skew, revoked tokens).
+
+## Breaking changes
+- The `/auth` endpoint now returns `{ "token": "...", "expires_in": 3600 }` instead of setting a session cookie.
+- All API requests must include `Authorization: Bearer <token>` header.
+- The `session_id` cookie is no longer issued or accepted.
+
+## Screenshots
+N/A (API-only change)
+
+## Related issues
+- Closes #892 — Migrate to stateless authentication
+- Refs #901 — Token refresh mechanism design doc
+```
+
+---
+
+## Template Selection Logic
+
+1. If the user's config specifies `description.template`, use that template verbatim.
+2. If no template is configured:
+ - **1-2 commits, no breaking changes** -> Minimal template.
+ - **3+ commits or breaking changes present** -> Default template.
+ - **10+ commits, breaking changes, or cross-cutting changes** -> Detailed template.
+3. The user can always override by providing their own description via `$ARGUMENTS` or when prompted.
+
+## Section Requirements
+
+When `description.required_sections` is set, the PR cannot be created until those sections have content:
+
+- `summary` -> The `{SUMMARY}` placeholder must be filled.
+- `test_plan` -> The `{TEST_PLAN}` placeholder must be filled. If no tests are evident in the diff, ask the user.
+- `breaking_changes` -> Only required if breaking changes are detected.
+- `related_issues` -> Only required if configured; ask the user for issue numbers.
+
+If a required section cannot be auto-populated, prompt the user before creating the PR.
diff --git a/plugins/git-master/skills/fixing-pipeline/SKILL.md b/plugins/git-master/skills/fixing-pipeline/SKILL.md
new file mode 100644
index 0000000..716348e
--- /dev/null
+++ b/plugins/git-master/skills/fixing-pipeline/SKILL.md
@@ -0,0 +1,135 @@
+---
+name: fixing-pipeline
+description: >-
+ Diagnoses and fixes CI/CD pipeline failures. Trigger phrases: "fix pipeline",
+ "fix CI", "fix the build", "fix failing tests", "CI is broken",
+ "pipeline failed", "debug CI failure", "fix GitHub Actions", "fix GitLab CI",
+ "why is the build failing", "fix the checks". Fetches logs, classifies the
+ failure, identifies root cause, and applies targeted fixes.
+argument-hint: "[PR number or job name]"
+allowed-tools:
+ - Read
+ - Bash
+ - Grep
+ - Glob
+---
+
+## Dynamic Context
+
+Pipeline config:
+```
+${{cat "${GIT_MASTER_CONFIG_PATH:-/dev/null}" 2>/dev/null | jq '.pipeline' 2>/dev/null || echo '{}'}}
+```
+
+Provider:
+```
+${{echo "${GIT_MASTER_PROVIDER:-auto}"}}
+```
+
+Current branch:
+```
+${{git branch --show-current 2>/dev/null}}
+```
+
+## Instructions
+
+Follow these steps in order. At each step, report what you find before moving on.
+
+### 1. Identify the Failing Pipeline
+
+Determine the target from `$ARGUMENTS` (PR number, job name, run ID) or fall back to the current branch.
+
+- **GitHub**: `gh run list --branch <branch> --limit 5` to find recent runs, then `gh run view <id>` for details.
+- **GitLab**: `glab ci status` or `glab ci list` for the current branch.
+- **Gitea**: `tea ci ls` if available.
+
+If no argument is given and no failing run is found on the current branch, check the default branch.
+
+### 2. Fetch Failure Logs
+
+Retrieve the full failure output:
+
+- **GitHub Actions**: `gh run view <run-id> --log-failed` (focused) or `gh run view <run-id> --log` (full).
+- **GitLab CI**: `glab ci trace <job-id>` or `glab ci view`.
+- If the logs are too long, focus on the last 200 lines surrounding the first error.
+
+Save the relevant log snippet for analysis.
+
+### 3. Classify the Failure
+
+Categorize into one of these types:
+
+| Category | Signals |
+|------------------|----------------------------------------------------------------|
+| **Build** | Compilation errors, missing dependencies, build tool failures |
+| **Test** | Assertion failures, timeouts, segfaults, exit code mismatches |
+| **Lint** | Linter/formatter violations, type-check errors |
+| **Infrastructure** | Docker pull failures, network timeouts, runner OOM, disk full |
+| **Config** | YAML syntax errors, missing env vars, invalid workflow syntax |
+| **Deployment** | Deploy script failures, permission denied, rollback triggers |
+
+Report the classification and the key error lines.
+
+### 4. Diagnose Root Cause
+
+Analyze the logs to find the precise root cause. Check for:
+
+- **Dependency issues**: Version mismatch, yanked package, lockfile conflict, registry unavailable.
+- **Environment issues**: Missing env var or secret, wrong runtime version, Docker image tag changed.
+- **Test failures**: Flaky test (check if it passed in recent runs), order-dependent test, external service dependency, timing issue.
+- **Config errors**: YAML indentation, deprecated action version, renamed workflow key, missing permissions block.
+- **Infrastructure**: OOM kill (check `dmesg` patterns in logs), disk space exhaustion, rate limiting.
+
+Cross-reference with the project's CI configuration files:
+- GitHub: Read `.github/workflows/*.yml`
+- GitLab: Read `.gitlab-ci.yml`
+- Also check `Dockerfile`, `docker-compose.yml`, `Makefile`, etc. as relevant.
+
+### 5. Spawn Agent for Complex Failures
+
+If the failure involves multiple interacting causes, spans several jobs, or requires deep analysis of test output, spawn the **pipeline-doctor** agent:
+
+> Use `SendMessage` to the pipeline-doctor agent with:
+> - The failure logs (trimmed to relevant sections)
+> - The CI config file contents
+> - The failure classification from step 3
+> - Any dependency files (package.json, requirements.txt, go.mod, etc.)
+
+Wait for the agent's diagnosis before proceeding.
+
+### 6. Propose the Fix
+
+Present a clear summary:
+
+```
+FAILURE: <one-line description of what failed>
+CATEGORY: <Build | Test | Lint | Infrastructure | Config | Deployment>
+ROOT CAUSE: <specific cause>
+FIX: <what needs to change and why>
+```
+
+Show the exact file(s) and line(s) that need to change. If there are multiple possible fixes, list them ranked by confidence.
+
+### 7. Apply the Fix
+
+Ask the user for confirmation before making changes. Then:
+
+1. Make the code change.
+2. Verify the fix makes sense locally if possible (e.g., run the failing test, check syntax).
+3. Suggest committing with an appropriate message using the **committing** skill. Example: `fix(ci): pin node version to 20.x in build workflow`.
+
+### 8. Retry the Pipeline
+
+After the fix is committed and pushed, offer to re-trigger:
+
+- **GitHub**: `gh run rerun <run-id>` or `gh run rerun <run-id> --failed` (retry only failed jobs).
+- **GitLab**: `glab ci retry <job-id>`.
+
+If the pipeline config includes `ignored_checks`, mention which checks are being skipped.
+
+## Important Notes
+
+- Never expose secrets or tokens found in CI logs. Redact them immediately.
+- If the failure is in a fork PR, note that secrets are intentionally unavailable and the fix may require a different approach.
+- For flaky tests, suggest both an immediate fix (retry/skip) and a long-term fix (stabilize the test).
+- Check `pipeline.max_auto_fix_attempts` in config; warn if approaching the limit.
diff --git a/plugins/git-master/skills/fixing-pipeline/references/ci-patterns.md b/plugins/git-master/skills/fixing-pipeline/references/ci-patterns.md
new file mode 100644
index 0000000..0e5b89a
--- /dev/null
+++ b/plugins/git-master/skills/fixing-pipeline/references/ci-patterns.md
@@ -0,0 +1,111 @@
+# Common CI Failure Patterns and Fixes
+
+## GitHub Actions
+
+### Node/Runtime Version Mismatch
+- **Pattern**: `Error: The current runner (ubuntu-22.04) was detected as self-hosted` or `node: /lib/x86_64-linux-gnu/libc.so.6: version 'GLIBC_2.28' not found`
+- **Fix**: Pin the runner image version or use `actions/setup-node` with explicit version. Check `runs-on` and `node-version` fields.
+
+### Action Version Deprecation
+- **Pattern**: `Node.js 16 actions are deprecated` or `::warning::This action is using Node.js 12`
+- **Fix**: Update action references to latest major version (e.g., `actions/checkout@v3` to `actions/checkout@v4`). Check the action's releases page.
+
+### Cache Issues
+- **Pattern**: `Cache not found for input keys` or `Failed to save cache` or stale dependencies after update
+- **Fix**: Verify `hashFiles()` glob matches the lockfile. Use `actions/cache@v4`. Clear cache via `gh cache delete` or change the cache key prefix.
+
+### Secrets Not Available in Fork PRs
+- **Pattern**: Empty env var, `401 Unauthorized`, or `Error: Input required and not supplied: token`
+- **Fix**: Use `pull_request_target` with caution, or make the step conditional: `if: github.event.pull_request.head.repo.full_name == github.repository`. Consider using OIDC tokens instead.
+
+### GITHUB_TOKEN Permissions
+- **Pattern**: `Resource not accessible by integration` or `403 Forbidden`
+- **Fix**: Add explicit `permissions:` block to the workflow or job. Common needs: `contents: write`, `pull-requests: write`, `packages: read`.
+
+### Workflow Syntax Errors
+- **Pattern**: `.github/workflows/ci.yml: ...` with YAML parse errors
+- **Fix**: Validate with `actionlint` locally. Common issues: unquoted `on:` triggers, bad indentation, expression syntax `${{ }}` typos.
+
+## GitLab CI
+
+### Runner/Executor Issues
+- **Pattern**: `ERROR: Job failed (system failure): prepare environment` or `No matching runner found`
+- **Fix**: Check runner tags match job tags. Verify runner is online in Settings > CI/CD > Runners. Check executor type (docker, shell, kubernetes).
+
+### Docker-in-Docker (DinD)
+- **Pattern**: `Cannot connect to the Docker daemon` or `dial tcp: lookup docker`
+- **Fix**: Ensure `services: [docker:dind]` is declared. Set `DOCKER_HOST: tcp://docker:2376` and `DOCKER_TLS_CERTDIR: "/certs"`. Use `docker:24-dind` or newer.
+
+### Artifact and Cache Expiry
+- **Pattern**: Missing files from previous stage, `ERROR: Uploading artifacts... too large`
+- **Fix**: Check `artifacts.expire_in` and `cache.policy`. Verify artifact paths match actual output locations. Use `dependencies:` or `needs:` to control artifact downloads.
+
+### Variable Masking
+- **Pattern**: `[MASKED]` in unexpected places or `ERROR: Variable ... is not available`
+- **Fix**: Masked variables cannot be used in file paths or command names. Use a non-masked variable for non-secret values. Check protected/environment variable scopes.
+
+### Pipeline Timeout
+- **Pattern**: `ERROR: Job failed: execution took longer than 1h0m0s`
+- **Fix**: Add `timeout:` at job level. Investigate why job is slow. Check for infinite loops, hanging network requests, or missing test timeouts.
+
+## General Patterns
+
+### Dependency Resolution Failures
+- **Pattern**: `Could not resolve dependencies`, `ERESOLVE unable to resolve dependency tree`, `version solving failed`
+- **Causes**: Yanked package, conflicting version constraints, registry outage, auth required for private registry
+- **Fix**: Check lockfile is committed and up to date. Pin transitive dependencies. Use `--legacy-peer-deps` for npm (temporary). Check registry status pages.
+
+### Lockfile Conflicts
+- **Pattern**: `The lockfile needs to be updated` or `frozen lockfile` errors
+- **Fix**: Regenerate lockfile locally, commit it. For CI, ensure install command matches lockfile mode (`npm ci`, `yarn --frozen-lockfile`, `pip install --require-hashes`).
+
+### Flaky Tests
+
+#### Timing-Dependent
+- **Pattern**: Test passes locally, fails intermittently in CI. Involves `setTimeout`, `sleep`, `waitFor`, polling.
+- **Fix**: Replace fixed delays with polling/retry. Increase timeouts for CI. Use `jest.useFakeTimers()` or equivalent.
+
+#### Order-Dependent
+- **Pattern**: Test fails only when run with full suite. Passes when run in isolation.
+- **Fix**: Check for shared mutable state (global variables, database records, temp files). Add proper setup/teardown. Run with `--randomize` to detect.
+
+#### External Service Dependency
+- **Pattern**: `ECONNREFUSED`, `timeout`, `503 Service Unavailable` in test output
+- **Fix**: Mock external services. Use test containers. Add retry logic to test helpers. Never rely on external APIs in CI.
+
+### OOM Kills
+- **Pattern**: `Killed`, `signal: killed`, `exit code 137`, `Container was OOMKilled`
+- **Fix**: Increase runner memory or resource limits. Reduce parallelism (`--max-workers=2`). Check for memory leaks in tests. Split into multiple jobs.
+
+### Disk Space Exhaustion
+- **Pattern**: `No space left on device`, `ENOSPC`
+- **Fix**: Clean up before build (`docker system prune`, remove unused artifacts). Use smaller base images. Add `actions/free-disk-space` step for GitHub. Check artifact sizes.
+
+### Shell/Script Errors
+- **Pattern**: `bash: command not found`, `Permission denied`, `set -e` causing silent failures
+- **Fix**: Install required tools in CI. Add `chmod +x` for scripts. Use `set -euo pipefail` and handle errors explicitly.
+
+### Environment Variable Issues
+- **Pattern**: Empty variable expansion, `undefined` in config, wrong environment used
+- **Fix**: Verify variable is set in the correct scope (repo, environment, job). Check for typos in variable names. Use `env:` block at the correct level.
+
+## Diagnosis Shortcuts
+
+| Error Code / Signal | Meaning |
+|----------------------|----------------------------------|
+| Exit 1 | General error (check stderr) |
+| Exit 2 | Shell builtin misuse |
+| Exit 126 | Permission denied (not executable) |
+| Exit 127 | Command not found |
+| Exit 128+N | Fatal signal N (137 = SIGKILL/OOM) |
+| Exit 130 | SIGINT (Ctrl+C / cancelled) |
+| Exit 143 | SIGTERM (graceful shutdown) |
+
+## Quick Triage Checklist
+
+1. Is this the first failure or a recurrence? Check last 5 runs.
+2. Did any config files change in the failing commit? (`git diff HEAD~1 -- .github/ .gitlab-ci.yml`)
+3. Is the failure in a specific job or all jobs?
+4. Does the same commit pass on a different branch?
+5. Did a dependency release recently? (`git diff HEAD~1 -- *lock*`)
+6. Is the runner/infrastructure healthy? Check provider status page.
diff --git a/plugins/git-master/skills/monitoring-pr/SKILL.md b/plugins/git-master/skills/monitoring-pr/SKILL.md
new file mode 100644
index 0000000..e2f01e8
--- /dev/null
+++ b/plugins/git-master/skills/monitoring-pr/SKILL.md
@@ -0,0 +1,198 @@
+---
+name: monitoring-pr
+description: >-
+ Check the status of a pull request or merge request including pipeline, reviews, and merge readiness.
+ Trigger phrases: "check PR status", "monitor PR", "PR status", "is the pipeline passing",
+ "CI status", "check my PR", "any review comments", "what's happening with my PR",
+ "check merge request", "MR status". Always use this skill when the user wants to know the
+ current state of a PR/MR or its CI pipeline. Shows a unified dashboard.
+argument-hint: "[PR/MR number]"
+allowed-tools: Read, Bash, Grep
+---
+
+# Monitor PR/MR Status
+
+## Dynamic Context
+
+Provider:
+```
+!`echo "${GIT_MASTER_PROVIDER:-auto}"`
+```
+
+Current branch:
+```
+!`git branch --show-current 2>/dev/null`
+```
+
+## Instructions
+
+You are the git-master PR/MR monitoring agent. Gather all status information and present a clear, actionable dashboard.
+
+### 1. Identify Target PR
+
+Determine which PR/MR to monitor:
+
+- If `$ARGUMENTS` contains a number, use that as the PR/MR identifier.
+- If `$ARGUMENTS` is empty, find the PR/MR associated with the current branch:
+ ```bash
+ # GitHub
+ gh pr view --json number,url --jq '.number' 2>/dev/null
+
+ # GitLab
+ glab mr view --output json 2>/dev/null | jq '.iid'
+ ```
+- If no PR exists for the current branch, inform the user and suggest creating one.
+
+### 2. Gather Status
+
+Run the following commands **in parallel** to collect all status data. Adapt commands based on the detected provider.
+
+#### PR Metadata
+
+```bash
+# GitHub
+gh pr view <number> --json number,title,state,author,createdAt,url,headRefName,baseRefName,additions,deletions,changedFiles,body,isDraft,mergeable,labels
+
+# GitLab
+glab mr view <number> --output json
+```
+
+#### Pipeline / CI Status
+
+```bash
+# GitHub — check status of all CI checks
+gh pr checks <number> --json name,state,conclusion,url
+
+# GitHub — workflow runs on the branch
+gh run list --branch <head-branch> --limit 5 --json name,status,conclusion,url,createdAt
+
+# GitLab
+glab ci status --output json
+```
+
+#### Review Status
+
+```bash
+# GitHub — reviews and review requests
+gh pr view <number> --json reviews,reviewRequests,reviewDecision
+gh api repos/<owner>/<repo>/pulls/<number>/reviews --jq '.[] | {user: .user.login, state: .state, submitted_at: .submitted_at}'
+
+# GitLab
+glab mr view <number> --output json # includes approvals and reviewers
+```
+
+#### Merge Readiness
+
+```bash
+# GitHub
+gh pr view <number> --json mergeable,mergeStateStatus,statusCheckRollup
+
+# Check if branch is up to date with base
+git fetch origin <base-branch> 2>/dev/null
+git log --oneline origin/<base-branch>..origin/<head-branch> --right-only 2>/dev/null | wc -l
+```
+
+#### Recent Comments
+
+```bash
+# GitHub
+gh api repos/<owner>/<repo>/issues/<number>/comments --jq '.[-5:] | .[] | {author: .user.login, created: .created_at, body: .body[:120]}'
+
+# GitLab
+glab api projects/<id>/merge_requests/<number>/notes --jq '.[-5:] | .[] | {author: .author.username, created: .created_at, body: .body[:120]}'
+```
+
+### 3. Format Dashboard
+
+Present all gathered information in a structured dashboard:
+
+```markdown
+# PR #<number>: <title>
+
+**Author**: @<author> | **Branch**: `<head>` -> `<base>` | **State**: <open/draft/merged/closed>
+**Created**: <date> | **URL**: <url>
+**Size**: +<additions> / -<deletions> across <changedFiles> files
+
+---
+
+## Pipeline Status
+
+| Check | Status | Conclusion | Link |
+|-------|--------|------------|------|
+| build | completed | success | [link] |
+| test | completed | success | [link] |
+| lint | in_progress | — | [link] |
+
+**Overall**: X/Y checks passed, Z pending
+
+## Review Status
+
+| Reviewer | Status | Date |
+|----------|--------|------|
+| @alice | APPROVED | 2024-01-15 |
+| @bob | CHANGES_REQUESTED | 2024-01-14 |
+| @carol | PENDING | — |
+
+**Review decision**: Changes requested (1 approval, 1 change request, 1 pending)
+
+## Merge Readiness
+
+- [x] Pipeline passing
+- [x] Required approvals met (2/2)
+- [ ] No requested changes outstanding
+- [x] No merge conflicts
+- [ ] Up to date with base branch (3 commits behind)
+- [x] Branch protection rules satisfied
+
+## Recent Activity
+
+| Author | Time | Comment |
+|--------|------|---------|
+| @bob | 2h ago | "The error handling in api.ts needs..." |
+| @alice | 5h ago | "LGTM, nice refactor" |
+```
+
+### 4. Suggest Next Steps
+
+Based on the current state, provide actionable suggestions. Only include relevant items:
+
+**If pipeline is failing:**
+> Pipeline check `<name>` is failing. Run `/git-master:fixing-pipeline` to diagnose and fix.
+
+**If changes were requested:**
+> @<reviewer> requested changes. Address their feedback, push new commits, then request re-review.
+
+**If behind base branch:**
+> Branch is <N> commits behind `<base>`. Rebase with:
+> ```
+> git fetch origin && git rebase origin/<base>
+> ```
+
+**If all checks pass and approved:**
+> PR is ready to merge. Merge with:
+> ```bash
+> # GitHub
+> gh pr merge <number> --squash --delete-branch
+> # GitLab
+> glab mr merge <number> --squash --remove-source-branch
+> ```
+
+**If PR is in draft:**
+> PR is still in draft. When ready, mark as ready for review:
+> ```bash
+> gh pr ready <number>
+> ```
+
+**If no reviewers assigned:**
+> No reviewers assigned. Add reviewers:
+> ```bash
+> gh pr edit <number> --add-reviewer <username>
+> ```
+
+**If merge conflicts:**
+> Merge conflicts detected. Resolve locally:
+> ```bash
+> git fetch origin && git rebase origin/<base>
+> # Resolve conflicts, then:
+> git push --force-with-lease
+> ```
diff --git a/plugins/git-master/skills/reviewing-pr/SKILL.md b/plugins/git-master/skills/reviewing-pr/SKILL.md
new file mode 100644
index 0000000..1f94a4d
--- /dev/null
+++ b/plugins/git-master/skills/reviewing-pr/SKILL.md
@@ -0,0 +1,200 @@
+---
+name: reviewing-pr
+description: >-
+ Review a pull request or merge request with adversarial, security, and performance analysis.
+ Trigger phrases: "review PR", "review this pull request", "code review", "check this PR",
+ "review MR", "review merge request", "give feedback on PR", "review the changes",
+ "review my code". Always use this skill when the user asks for any kind of code review
+ on a PR, MR, or branch diff. Launches configurable review agents in parallel.
+argument-hint: "[PR/MR number or 'local' for current branch diff]"
+allowed-tools: Read, Bash, Grep, Glob
+---
+
+# Review PR/MR
+
+## Dynamic Context
+
+Review config:
+```
+!`cat "${GIT_MASTER_CONFIG_PATH:-/dev/null}" 2>/dev/null | jq '.review' 2>/dev/null || echo '{}'`
+```
+
+Provider:
+```
+!`echo "${GIT_MASTER_PROVIDER:-auto}"`
+```
+
+## Instructions
+
+You are the git-master code review orchestrator. Follow these steps precisely.
+
+### 1. Identify Target
+
+- If `$ARGUMENTS` contains a PR/MR number (e.g., `123`, `#123`), fetch that PR via the detected provider.
+- If `$ARGUMENTS` is `local` or empty, review the current branch diff against the base branch.
+- Determine the provider CLI to use:
+ - GitHub: `gh pr diff <number>`, `gh pr view <number> --json title,body,author,labels,changedFiles`
+ - GitLab: `glab mr diff <number>`, `glab mr view <number>`
+ - Local: `git diff $(git merge-base HEAD main)..HEAD` (detect default branch first)
+
+### 2. Fetch Diff and Context
+
+Run these commands to gather review material:
+
+```bash
+# For remote PR (GitHub example):
+gh pr view <number> --json title,body,author,labels,additions,deletions,changedFiles
+gh pr diff <number>
+
+# For local review:
+git log --oneline $(git merge-base HEAD <base>)..HEAD
+git diff $(git merge-base HEAD <base>)..HEAD
+git diff --stat $(git merge-base HEAD <base>)..HEAD
+```
+
+Also read the PR description/body if available -- it provides intent context.
+
+### 3. Load Review Config
+
+Extract these settings from the review config (shown in dynamic context above):
+
+| Setting | Default | Purpose |
+|---|---|---|
+| `adversarial` | `true` | Launch adversarial reviewer agent |
+| `security` | `true` | Launch security reviewer agent |
+| `performance` | `false` | Launch performance reviewer agent |
+| `checklist` | (see config) | Items to verify against changes |
+| `confidence_threshold` | `80` | Only report findings above this score |
+| `max_files_per_review` | `30` | Warn if PR exceeds this |
+| `exclude_patterns` | lock files, minified, generated | Files to skip |
+| `language_rules` | `{}` | Per-language additional checks |
+| `security_patterns` | (see config) | Regex patterns for security issues |
+| `performance_patterns` | (see config) | Regex patterns for performance issues |
+
+### 4. Filter Files
+
+Remove files from the review scope that match any `exclude_patterns` entry. Common exclusions:
+- `*.lock`, `*.min.js`, `*.min.css`, `*.generated.*`
+- `package-lock.json`, `yarn.lock`, `pnpm-lock.yaml`
+
+Log how many files were excluded and how many remain.
+
+### 5. Check File Count
+
+If the number of changed files exceeds `max_files_per_review`:
+- Warn the user that the PR is large and may benefit from splitting.
+- Ask whether to proceed with all files or focus on a subset.
+- Suggest logical groupings if possible (e.g., "frontend changes" vs "backend changes").
+
+### 6. Run Review Checklist
+
+Go through each item in the `checklist` config array against the actual changes. For each item, report:
+- PASS: The changes satisfy this item.
+- FAIL: The changes violate this item, with specific file:line references.
+- N/A: This item does not apply to these changes.
+
+### 7. Launch Review Agents
+
+For each enabled review type, use the `Agent` tool to spawn a focused sub-agent **in parallel**:
+
+- **adversarial-reviewer** (if `review.adversarial` is `true`):
+ Prompt: "You are a devil's advocate code reviewer. Your job is to find flaws, edge cases, race conditions, incorrect assumptions, missing error handling, and logical errors. Be thorough and skeptical. For each finding, provide the file, line number, severity (Critical/High/Medium/Low), confidence (0-100), and a clear explanation. Here is the diff: <diff>"
+
+- **security-reviewer** (if `review.security` is `true`):
+ Prompt: "You are a security-focused code reviewer. Check for OWASP Top 10 vulnerabilities, injection risks, authentication/authorization flaws, secrets exposure, XSS, CSRF, insecure deserialization, and any security anti-patterns. For each finding, provide the file, line number, severity, confidence (0-100), CWE ID if applicable, and remediation advice. Here is the diff: <diff>"
+
+- **performance-reviewer** (if `review.performance` is `true`):
+ Prompt: "You are a performance-focused code reviewer. Check for N+1 queries, unnecessary allocations, missing indexes, unbounded loops, blocking I/O in async contexts, excessive re-renders, large bundle imports, and algorithmic complexity issues. For each finding, provide the file, line number, severity, confidence (0-100), estimated impact, and a suggested fix. Here is the diff: <diff>"
+
+Pass the full diff and changed file list to each agent. Use the model config (`review.model` for standard, `review.adversarial_model` for adversarial).
+
+### 8. Apply Language Rules
+
+Check `language_rules` config for language-specific checks. For example:
+```yaml
+language_rules:
+ python: ["Check type hints on public functions", "Verify no bare except clauses"]
+ typescript: ["Ensure strict null checks", "No any types in public APIs"]
+```
+
+Apply the relevant rules based on the file extensions present in the diff.
+
+### 9. Apply Pattern Matching
+
+Scan the diff text against `security_patterns` and `performance_patterns`:
+
+- For each pattern match, record the file, line, matched text, configured severity, and message.
+- These are deterministic checks (regex-based) and always reported regardless of confidence threshold.
+
+### 10. Aggregate Results
+
+Combine findings from all sources:
+1. Checklist results
+2. Adversarial reviewer findings
+3. Security reviewer findings
+4. Performance reviewer findings
+5. Language rule findings
+6. Pattern match findings
+
+Filter out any finding with confidence below `confidence_threshold` (except pattern matches, which are always included).
+
+Group by severity: **Critical** > **High** > **Medium** > **Low**.
+
+Deduplicate findings that overlap (same file, same line, similar issue).
+
+### 11. Format Report
+
+Output a structured markdown report:
+
+```markdown
+# Code Review: PR #<number> — <title>
+
+## Summary
+- **Files reviewed**: X of Y (Z excluded)
+- **Findings**: C critical, H high, M medium, L low
+- **Checklist**: X/Y passed
+
+## Critical Findings
+### [C1] <title> — `file.ts:42`
+**Severity**: Critical | **Confidence**: 95% | **Source**: security-reviewer
+<description and remediation>
+
+## High Findings
+...
+
+## Medium Findings
+...
+
+## Low Findings
+...
+
+## Checklist Results
+| # | Item | Status | Notes |
+|---|------|--------|-------|
+| 1 | Code follows project conventions | PASS | |
+| 2 | Error handling is appropriate | FAIL | Missing error handling in `api.ts:88` |
+
+## Review Agents
+| Agent | Findings | Duration |
+|-------|----------|----------|
+| adversarial | 3 | — |
+| security | 1 | — |
+| performance | 0 | — |
+```
+
+### 12. Post Review (Optional)
+
+After presenting the report, ask the user if they want to:
+1. **Post as PR comment**: Use `gm_provider pr-comment` to post the review summary.
+2. **Approve**: Use `gm_provider pr-review --approve` (only if no critical/high findings).
+3. **Request changes**: Use `gm_provider pr-review --request-changes` with findings summary.
+4. **Do nothing**: Keep the review local only.
+
+If the user confirms posting, use the appropriate provider operation:
+```bash
+# GitHub
+gh pr review <number> --comment --body "<review summary>"
+
+# GitLab
+glab mr note <number> --message "<review summary>"
+```
diff --git a/plugins/git-master/skills/reviewing-pr/references/review-checklist.md b/plugins/git-master/skills/reviewing-pr/references/review-checklist.md
new file mode 100644
index 0000000..9ebcbc3
--- /dev/null
+++ b/plugins/git-master/skills/reviewing-pr/references/review-checklist.md
@@ -0,0 +1,195 @@
+# Review Checklists Reference
+
+Comprehensive checklists for each review mode. Use these as the basis for review,
+combined with any user-defined checklist items from the `review.checklist` config.
+
+---
+
+## Default Checklist
+
+Applied to every review regardless of which agents are enabled.
+
+### Code Quality
+- [ ] Code follows the project's established style and conventions
+- [ ] No duplicated logic that should be extracted into shared functions
+- [ ] Functions/methods have a single, clear responsibility
+- [ ] No dead code, commented-out blocks, or TODO/FIXME left unresolved
+- [ ] Magic numbers and strings are replaced with named constants
+
+### Correctness
+- [ ] Logic handles all expected input cases, including empty/null/zero
+- [ ] Edge cases are accounted for (boundaries, overflow, off-by-one)
+- [ ] State mutations are intentional and correctly ordered
+- [ ] Concurrent/async operations handle race conditions
+- [ ] Return values and error codes are checked at every call site
+
+### Error Handling
+- [ ] Errors are caught at appropriate boundaries, not swallowed silently
+- [ ] Error messages are descriptive and include relevant context
+- [ ] Cleanup/rollback occurs on failure (files closed, locks released, transactions rolled back)
+- [ ] User-facing errors are safe (no stack traces or internal details exposed)
+
+### Testing
+- [ ] New logic has corresponding unit tests
+- [ ] Edge cases and error paths are tested, not just happy paths
+- [ ] Tests are deterministic (no reliance on timing, network, or random state)
+- [ ] Test names clearly describe what is being verified
+- [ ] No test pollution (shared mutable state between test cases)
+
+### Documentation
+- [ ] Public APIs have doc comments explaining purpose, parameters, and return values
+- [ ] Non-obvious logic has inline comments explaining "why", not "what"
+- [ ] Breaking changes are documented in changelog or migration guide
+- [ ] README is updated if the feature changes user-facing behavior
+
+### Naming
+- [ ] Variable and function names accurately describe their purpose
+- [ ] Naming is consistent with the rest of the codebase
+- [ ] Abbreviations are avoided unless they are universally understood
+- [ ] Boolean variables/functions read as questions (e.g., `isValid`, `hasPermission`)
+
+### Complexity
+- [ ] Functions are not excessively long (guideline: under 40 lines)
+- [ ] Nesting depth does not exceed 3-4 levels (use early returns or extraction)
+- [ ] Cyclomatic complexity is reasonable for the function's purpose
+- [ ] Data transformations use clear, composable operations
+
+---
+
+## Security Checklist
+
+Applied when `review.security` is `true`. Covers OWASP Top 10 and common vulnerability patterns.
+
+### Injection (OWASP A03)
+- [ ] All SQL queries use parameterized statements, never string concatenation
+- [ ] OS command execution uses safe APIs with argument arrays, not shell interpolation
+- [ ] LDAP, XPath, and template queries are parameterized
+- [ ] ORM queries avoid raw SQL unless parameterized
+
+### Broken Authentication (OWASP A07)
+- [ ] Passwords are hashed with bcrypt/scrypt/argon2, never MD5/SHA1 alone
+- [ ] Session tokens are generated with cryptographically secure randomness
+- [ ] Authentication tokens have appropriate expiry and rotation
+- [ ] Multi-factor authentication flows do not leak which factor failed
+
+### Sensitive Data Exposure (OWASP A02)
+- [ ] No secrets, API keys, tokens, or credentials in source code
+- [ ] Sensitive data is encrypted at rest and in transit
+- [ ] PII is not logged, cached, or stored unnecessarily
+- [ ] HTTP responses include appropriate security headers (HSTS, no-sniff)
+
+### Broken Access Control (OWASP A01)
+- [ ] Authorization checks exist for every protected endpoint/resource
+- [ ] Server-side enforcement, not client-side only
+- [ ] IDOR vulnerabilities prevented (user cannot access others' resources by ID manipulation)
+- [ ] Principle of least privilege applied to roles and permissions
+
+### XSS and Output Encoding (OWASP A03)
+- [ ] User input is escaped/encoded before rendering in HTML, JS, CSS, or URLs
+- [ ] No direct use of `innerHTML`, `dangerouslySetInnerHTML`, or `v-html` with untrusted data
+- [ ] Content Security Policy headers are configured
+- [ ] Template engines use auto-escaping by default
+
+### CSRF Protection
+- [ ] State-changing requests require CSRF tokens
+- [ ] SameSite cookie attribute is set appropriately
+- [ ] Custom request headers validated for API endpoints
+
+### Input Validation
+- [ ] All external input is validated (type, length, range, format)
+- [ ] Validation happens server-side, not only client-side
+- [ ] File uploads are validated (type, size, content scanning)
+- [ ] Redirect URLs are validated against an allowlist
+
+### Security Configuration
+- [ ] CORS is configured with specific origins, not wildcard in production
+- [ ] Rate limiting is applied to authentication and sensitive endpoints
+- [ ] Debug mode and verbose errors are disabled in production
+- [ ] Dependencies are checked for known vulnerabilities
+
+### Logging and Monitoring
+- [ ] Security-relevant events are logged (auth failures, access denied, input validation)
+- [ ] Logs do not contain sensitive data (passwords, tokens, PII)
+- [ ] Log injection is prevented (user input in logs is sanitized)
+
+---
+
+## Performance Checklist
+
+Applied when `review.performance` is `true`.
+
+### Database and Queries
+- [ ] No N+1 query patterns (use eager loading, joins, or batch fetching)
+- [ ] Queries avoid `SELECT *` — only fetch needed columns
+- [ ] New queries have appropriate indexes for WHERE/JOIN/ORDER BY clauses
+- [ ] Pagination is implemented for endpoints that return lists
+- [ ] Bulk operations use batch inserts/updates, not loops
+
+### Caching
+- [ ] Frequently accessed, rarely changing data uses caching
+- [ ] Cache invalidation strategy is correct and complete
+- [ ] Cache keys are specific enough to avoid stale data across users/contexts
+- [ ] TTLs are appropriate for the data's freshness requirements
+
+### Memory Management
+- [ ] Large data sets are processed in streams or chunks, not loaded entirely into memory
+- [ ] Resources are released promptly (connections, file handles, buffers)
+- [ ] No memory leaks from event listeners, subscriptions, or closures that outlive their scope
+- [ ] Object pools or reuse are considered for high-frequency allocations
+
+### Async and Concurrency
+- [ ] I/O operations use async/non-blocking APIs where available
+- [ ] Independent async operations run in parallel (Promise.all, asyncio.gather, etc.)
+- [ ] Connection pools are used for database and HTTP clients
+- [ ] Thread/goroutine/task creation is bounded (no unbounded spawning)
+- [ ] Locks are held for the minimum necessary duration
+
+### Algorithmic Complexity
+- [ ] No O(n^2) or worse algorithms on potentially large inputs
+- [ ] Lookups use maps/sets/indexes instead of linear scans where appropriate
+- [ ] Sorting is only done when necessary and uses efficient algorithms
+- [ ] Regular expressions avoid catastrophic backtracking (no nested quantifiers)
+
+### Frontend Performance
+- [ ] Large dependencies are tree-shaken or loaded lazily
+- [ ] Images and assets are optimized and appropriately sized
+- [ ] Components avoid unnecessary re-renders (proper memoization, key usage)
+- [ ] Bundle size impact is acceptable for new dependencies
+- [ ] Network requests are batched or deduplicated where possible
+
+---
+
+## Custom Checklist Items
+
+Users can define additional checklist items via the `review.checklist` config array
+in `.git-master.yml`:
+
+```yaml
+review:
+ checklist:
+ - "Code follows project conventions and style"
+ - "Error handling is appropriate and consistent"
+ - "No hardcoded secrets or credentials"
+ - "Tests adequately cover the changes"
+ - "Documentation is updated if needed"
+ - "Database migrations are reversible" # Custom item
+ - "Feature flags wrap new functionality" # Custom item
+ - "API changes are backward compatible" # Custom item
+```
+
+Custom items are evaluated alongside the default checklist. They appear in the final
+report under the same checklist results table.
+
+### Language-Specific Rules
+
+Define per-language rules in `review.language_rules`. Rules are matched by file
+extension and added to the checklist for files of that language only.
+
+```yaml
+review:
+ language_rules:
+ python: ["Type hints on public functions", "No bare except clauses"]
+ typescript: ["No 'any' in public APIs", "Strict null checks respected"]
+ go: ["Errors wrapped with context (%w)", "Goroutine lifecycle managed"]
+ rust: ["No unwrap/expect in library code", "Error types impl std::error::Error"]
+```
diff --git a/plugins/git-master/skills/setting-up/SKILL.md b/plugins/git-master/skills/setting-up/SKILL.md
new file mode 100644
index 0000000..d850c49
--- /dev/null
+++ b/plugins/git-master/skills/setting-up/SKILL.md
@@ -0,0 +1,169 @@
+---
+name: setting-up
+description: >-
+ Interactive configuration wizard for git-master. Trigger phrases: "set up
+ git-master", "configure git-master", "initialize git-master", "git-master
+ setup", "configure my git workflow", "set up commit conventions". Detects
+ project context and walks through settings interactively.
+argument-hint: ""
+allowed-tools:
+ - Read
+ - Bash
+ - Glob
+ - Write
+ - Edit
+disable-model-invocation: true
+---
+
+## Instructions
+
+Guide the user through setting up git-master for their project. Be concise and helpful. Only write settings that differ from the defaults.
+
+### 1. Detect Context
+
+Run all of the following checks in parallel to gather project context:
+
+**Existing config:**
+- Check if `.git-master.yml` exists in the project root.
+- If it exists, read it and note which settings are already configured.
+
+**Platform detection:**
+- Run `git remote -v` and determine the provider:
+ - `github.com` or `github.` in URL = GitHub
+ - `gitlab.com` or `gitlab.` in URL = GitLab
+ - `gitea.` or `codeberg.org` in URL = Gitea
+ - `bitbucket.org` in URL = Bitbucket
+ - Otherwise = unknown (ask the user)
+
+**CI configuration:**
+- Check for `.github/workflows/` directory (GitHub Actions)
+- Check for `.gitlab-ci.yml` (GitLab CI)
+- Check for `Jenkinsfile` (Jenkins)
+- Check for `.circleci/` directory (CircleCI)
+- Check for `.travis.yml` (Travis CI)
+- Check for `azure-pipelines.yml` (Azure DevOps)
+
+**Existing conventions:**
+- Check for `commitlint.config.js`, `commitlint.config.cjs`, `commitlint.config.mjs`, `commitlint.config.ts`
+- Check for `.commitlintrc`, `.commitlintrc.json`, `.commitlintrc.yml`
+- Check `package.json` for a `commitlint` field
+- Check for `.czrc` or `cz.json` (Commitizen)
+
+**Commit history analysis:**
+- Run `git log --oneline -20` and analyze the patterns:
+ - Conventional commits? (`type: subject` or `type(scope): subject`)
+ - Gitmoji? (commits starting with emoji)
+ - Angular style? (`type(scope): subject` with angular types)
+ - Freeform? (no consistent pattern)
+
+### 2. Present Detection Results
+
+Show the user what was auto-detected in a clear summary:
+
+```
+Detected Configuration:
+ Platform: GitHub (github.com/org/repo)
+ CI: GitHub Actions (3 workflows found)
+ Convention: Conventional Commits (18/20 recent commits match)
+ Existing: No .git-master.yml found
+```
+
+If a `.git-master.yml` already exists, ask if they want to reconfigure from scratch or modify specific settings.
+
+### 3. Walk Through Settings
+
+Use clear prompts for each setting group. Only ask about settings that are ambiguous or have no clear detected value. Skip settings where the detection is confident.
+
+**Commit Convention:**
+- If detected with high confidence, confirm: "Your commits follow conventional commits. Keep this? [Y/n]"
+- If unclear, ask: "Which commit convention do you use?"
+ - `conventional` - Conventional Commits (feat, fix, docs, ...)
+ - `angular` - Angular style (similar to conventional with stricter types)
+ - `gitmoji` - Emoji-prefixed commits
+ - `freeform` - No enforced convention
+- If conventional or angular: "Require scopes? [y/N]" and "Specific allowed scopes? (comma-separated, or empty for any)"
+
+**PR Template:**
+- "PR description template style?"
+ - `default` - Summary + Changes + Test plan sections
+ - `minimal` - Summary only
+ - `detailed` - Summary + Changes + Test plan + Screenshots + Breaking changes
+
+**Review Modes:**
+- "Enable adversarial reviewer (devil's advocate challenge)? [Y/n]"
+- "Enable security-focused review? [Y/n]"
+- "Enable performance-focused review? [y/N]"
+
+**Protected Branches:**
+- Show detected default branch: "Protected branches: main, master, develop. Modify? [y/N]"
+
+**Default Reviewers:**
+- "Default reviewers to assign to PRs? (comma-separated GitHub usernames, or empty for none)"
+
+### 4. Write Config
+
+Create `.git-master.yml` at the project root. Only include settings that differ from the defaults in `defaults/config.yml`.
+
+Example of a minimal config:
+
+```yaml
+# git-master project configuration
+# See defaults: https://github.com/user/git-master/blob/main/defaults/config.yml
+
+provider:
+ type: github
+
+commit:
+ scope_required: true
+ scopes:
+ - api
+ - ui
+ - core
+
+pr:
+ draft: true
+ reviewers:
+ fallback:
+ - "@lead-dev"
+
+review:
+ performance: true
+```
+
+Use comments sparingly and only where they add clarity.
+
+### 5. Git Ignore Decision
+
+Ask the user:
+- "This config contains **team settings** (commit convention, PR template, review modes). Recommend committing it so the whole team shares the same config."
+- "If it contains **personal preferences** only, add it to `.gitignore` instead."
+
+Based on their answer:
+- **Commit**: No action needed (file is already tracked).
+- **Ignore**: Append `.git-master.yml` to `.gitignore` (create the file if needed, append if it exists).
+
+### 6. Confirm
+
+Display the final config file contents and summarize:
+
+```
+git-master configured successfully!
+
+ Config file: .git-master.yml
+ Convention: conventional (scopes required)
+ PR style: default template, draft by default
+ Reviews: adversarial + security + performance
+ Protected: main, develop
+
+To modify later:
+ /git-master:config set key=value
+ /git-master:config show
+ Or edit .git-master.yml directly.
+```
+
+## Notes
+
+- Never overwrite an existing `.git-master.yml` without asking first.
+- If the user cancels mid-setup, do not write any files.
+- Keep the generated config file as short as possible. Defaults do not need to be repeated.
+- Reference the full config schema in `references/config-schema.md` when explaining options.
diff --git a/plugins/git-master/skills/setting-up/references/config-schema.md b/plugins/git-master/skills/setting-up/references/config-schema.md
new file mode 100644
index 0000000..2ceb040
--- /dev/null
+++ b/plugins/git-master/skills/setting-up/references/config-schema.md
@@ -0,0 +1,194 @@
+# git-master Configuration Schema Reference
+
+All settings can be placed in `.git-master.yml` at the project root or `~/.config/git-master/config.yml` for global defaults. Project config overrides global, which overrides built-in defaults.
+
+## Provider
+
+| Field | Type | Default | Values | Description |
+|--------------------------|------------|------------|-----------------------------------------------|------------------------------------------------|
+| `provider.type` | string | `auto` | `auto`, `github`, `gitlab`, `gitea`, `bitbucket` | Git hosting provider (auto-detected from remote) |
+| `provider.host` | string | `""` | any URL | Custom host for self-hosted instances |
+| `provider.cli_preference`| string[] | `[gh, glab, tea, git]` | CLI tool names | Fallback order for CLI tools |
+| `provider.token_env` | string | `""` | env var name | Environment variable holding API token |
+| `provider.fallback_enabled` | boolean | `true` | `true`, `false` | Try next CLI tool if preferred one fails |
+
+## Commit
+
+| Field | Type | Default | Values | Description |
+|-------------------------------|------------|------------------|-------------------------------------------|-------------------------------------------------|
+| `commit.convention` | string | `conventional` | `conventional`, `angular`, `gitmoji`, `custom` | Commit message convention to enforce |
+| `commit.types` | string[] | `[feat, fix, ...]` | any strings | Allowed commit types |
+| `commit.scopes` | string[] | `[]` | any strings | Allowed scopes (empty = any scope allowed) |
+| `commit.scope_required` | boolean | `false` | `true`, `false` | Whether scope is mandatory |
+| `commit.subject.max_length` | integer | `72` | 1-200 | Max characters for subject line |
+| `commit.subject.case` | string | `lower` | `lower`, `upper`, `sentence`, `none` | Case style for subject line |
+| `commit.subject.no_trailing_period` | boolean | `true` | `true`, `false` | Disallow trailing period in subject |
+| `commit.body.required` | boolean | `false` | `true`, `false` | Whether commit body is mandatory |
+| `commit.body.max_line_length` | integer | `100` | 1-500 | Max characters per body line |
+| `commit.body.require_references` | string | `""` | regex pattern | Regex for required ticket references |
+| `commit.breaking.footer_required` | boolean | `true` | `true`, `false` | Require BREAKING CHANGE footer for breaking changes |
+| `commit.breaking.exclamation_mark` | boolean | `true` | `true`, `false` | Allow `!` after type/scope for breaking changes |
+| `commit.signing.enabled` | boolean | `false` | `true`, `false` | Enable commit signing |
+| `commit.signing.method` | string | `gpg` | `gpg`, `ssh` | Signing method |
+| `commit.signing.key` | string | `""` | key ID or path | Signing key identifier |
+| `commit.skip_patterns` | string[] | `[^Merge, ...]` | regex patterns | Patterns for commits that bypass convention check |
+| `commit.ai_attribution` | boolean | `false` | `true`, `false` | Include AI attribution in commit messages |
+| `commit.custom_pattern` | string | `""` | regex with named groups | Custom convention regex (for `convention: custom`) |
+| `commit.custom_description` | string | `""` | any string | Human-readable description of custom convention |
+| `commit.emoji_prefix` | object | `null` | `{ type: "emoji_name" }` | Map commit types to emoji prefixes |
+| `commit.pre_checks.enabled` | boolean | `false` | `true`, `false` | Run checks before committing |
+| `commit.pre_checks.commands` | object[] | `[]` | `[{command, name, required}]` | Commands to run before commit |
+
+## Branch
+
+| Field | Type | Default | Values | Description |
+|--------------------------|------------|------------------------------|-----------------|----------------------------------------------|
+| `branch.protected` | string[] | `[main, master, develop]` | branch names | Branches that cannot be committed to directly |
+| `branch.naming_pattern` | string | `""` | regex pattern | Required pattern for branch names |
+| `branch.default_base` | string | `""` | branch name | Default base branch (auto-detected if empty) |
+
+## PR/MR
+
+| Field | Type | Default | Values | Description |
+|--------------------------------|------------|---------------|----------------------------------------------|-------------------------------------------------|
+| `pr.title.convention` | string | `inherit` | `inherit`, `conventional`, `custom`, `freeform` | PR title convention |
+| `pr.title.custom_pattern` | string | `""` | regex pattern | Custom PR title pattern |
+| `pr.title.max_length` | integer | `72` | 1-200 | Max characters for PR title |
+| `pr.description.template` | string | *(see below)* | multiline string | PR description template with sections |
+| `pr.description.required_sections` | string[] | `[summary, test_plan]` | section names | Sections that must be filled in |
+| `pr.auto_populate` | boolean | `true` | `true`, `false` | Auto-fill description from commit messages |
+| `pr.draft` | boolean | `false` | `true`, `false` | Create PRs as draft by default |
+| `pr.labels` | string[] | `[]` | label names | Static labels applied to every PR |
+| `pr.auto_labels` | boolean | `true` | `true`, `false` | Auto-assign labels based on changed files |
+| `pr.label_rules` | object[] | *(see defaults)* | `[{pattern, labels}]` | File pattern to label mapping rules |
+| `pr.size_labels.enabled` | boolean | `true` | `true`, `false` | Add size labels based on lines changed |
+| `pr.size_labels.xs` | integer | `10` | 1+ | Max lines for XS label |
+| `pr.size_labels.s` | integer | `50` | 1+ | Max lines for S label |
+| `pr.size_labels.m` | integer | `200` | 1+ | Max lines for M label |
+| `pr.size_labels.l` | integer | `500` | 1+ | Max lines for L label |
+| `pr.size_labels.xl` | integer | `1000` | 1+ | Max lines for XL label (above = XXL) |
+| `pr.reviewers.auto_assign` | boolean | `true` | `true`, `false` | Auto-assign reviewers based on rules |
+| `pr.reviewers.rules` | object[] | `[]` | `[{pattern, reviewers, required}]` | File pattern to reviewer mapping |
+| `pr.reviewers.fallback` | string[] | `[]` | usernames | Fallback reviewers when no rule matches |
+| `pr.assignees` | string[] | `[]` | usernames | Default PR assignees |
+| `pr.team_reviewers` | string[] | `[]` | team slugs | Teams to request review from |
+| `pr.target_branch` | string | `""` | branch name | Override target branch (empty = repo default) |
+| `pr.delete_branch_on_merge` | boolean | `true` | `true`, `false` | Delete source branch after merge |
+| `pr.merge_strategy` | string | `squash` | `merge`, `squash`, `rebase` | Default merge strategy |
+
+## Review
+
+| Field | Type | Default | Values | Description |
+|--------------------------------|------------|---------------|-------------------------------|-------------------------------------------------|
+| `review.adversarial` | boolean | `true` | `true`, `false` | Enable adversarial (devil's advocate) reviewer |
+| `review.security` | boolean | `true` | `true`, `false` | Enable security-focused review |
+| `review.performance` | boolean | `false` | `true`, `false` | Enable performance-focused review |
+| `review.checklist` | string[] | *(see defaults)* | checklist items | Review checklist items |
+| `review.security_patterns` | object[] | *(see defaults)* | `[{pattern, severity, message}]` | Regex patterns for security issues |
+| `review.performance_patterns` | object[] | *(see defaults)* | `[{pattern, message}]` | Regex patterns for performance issues |
+| `review.confidence_threshold` | integer | `80` | 0-100 | Min confidence to report findings |
+| `review.max_files_per_review` | integer | `30` | 1+ | Suggest splitting PR above this file count |
+| `review.exclude_patterns` | string[] | *(see defaults)* | glob patterns | Files to exclude from review |
+| `review.language_rules` | object | `{}` | `{ lang: [rules] }` | Per-language review rules |
+| `review.model` | string | `sonnet` | model names | Model for standard review agents |
+| `review.adversarial_model` | string | `opus` | model names | Model for adversarial reviewer |
+
+## Pipeline
+
+| Field | Type | Default | Values | Description |
+|---------------------------------|------------|-------------------|----------------------------------------------|----------------------------------------------|
+| `pipeline.provider` | string | `auto` | `auto`, `github_actions`, `gitlab_ci`, `none` | CI/CD provider |
+| `pipeline.auto_diagnose` | boolean | `true` | `true`, `false` | Auto-diagnose pipeline failures |
+| `pipeline.auto_suggest_fix` | boolean | `true` | `true`, `false` | Suggest code fixes for failures |
+| `pipeline.poll_interval` | integer | `30` | 5-300 (seconds) | Seconds between status checks |
+| `pipeline.max_wait` | integer | `600` | 60-7200 (seconds) | Max seconds to wait for pipeline |
+| `pipeline.required_checks` | string[] | `[]` | check names | Checks that must pass (empty = all) |
+| `pipeline.ignored_checks` | string[] | `[]` | check names | Checks to ignore |
+| `pipeline.max_auto_fix_attempts`| integer | `3` | 1-10 | Max automatic fix attempts before stopping |
+
+## Workflow
+
+| Field | Type | Default | Values | Description |
+|----------------------------|------------|------------|-----------------|-------------------------------------------------|
+| `workflow.auto_stash` | boolean | `true` | `true`, `false` | Stash uncommitted changes before operations |
+| `workflow.auto_fetch` | boolean | `true` | `true`, `false` | Fetch remote before branch operations |
+| `workflow.rebase_on_pull` | boolean | `true` | `true`, `false` | Use rebase instead of merge when pulling |
+| `workflow.prune_on_fetch` | boolean | `true` | `true`, `false` | Prune deleted remote branches on fetch |
+| `workflow.default_remote` | string | `origin` | remote name | Default remote name |
+
+## Example Configurations
+
+### Minimal (solo developer)
+
+```yaml
+provider:
+ type: github
+```
+
+### Team Project
+
+```yaml
+provider:
+ type: github
+
+commit:
+ scope_required: true
+ scopes: [api, web, cli, docs]
+
+pr:
+ draft: true
+ reviewers:
+ fallback: ["@tech-lead"]
+
+review:
+ adversarial: true
+ security: true
+```
+
+### Enterprise
+
+```yaml
+provider:
+ type: gitlab
+ host: https://gitlab.corp.example.com
+
+commit:
+ convention: angular
+ scope_required: true
+ scopes: [core, auth, billing, notifications, infra]
+ body:
+ required: true
+ require_references: "PROJ-\\d+"
+ signing:
+ enabled: true
+ method: ssh
+
+branch:
+ naming_pattern: "^(feature|bugfix|hotfix|release)/[A-Z]+-\\d+-[a-z0-9-]+$"
+
+pr:
+ description:
+ required_sections: [summary, test_plan, security]
+ reviewers:
+ rules:
+ - pattern: "src/auth/**"
+ reviewers: ["@security-team"]
+ required: 2
+ - pattern: "src/billing/**"
+ reviewers: ["@billing-team"]
+ required: 1
+ fallback: ["@platform-team"]
+
+review:
+ adversarial: true
+ security: true
+ performance: true
+ confidence_threshold: 70
+ language_rules:
+ python: ["Verify type hints on public functions"]
+ go: ["Check error handling follows project conventions"]
+
+pipeline:
+ required_checks: [build, test, lint, security-scan]
+ ignored_checks: [coverage-report]
+```
diff --git a/plugins/git-master/skills/showing-status/SKILL.md b/plugins/git-master/skills/showing-status/SKILL.md
new file mode 100644
index 0000000..456055b
--- /dev/null
+++ b/plugins/git-master/skills/showing-status/SKILL.md
@@ -0,0 +1,193 @@
+---
+name: showing-status
+description: >-
+ Display the current git-master configuration alongside git repository state.
+ Trigger phrases: "git-master status", "show git status", "show configuration",
+ "git status", "what's my git state", "show my setup", "show config".
+ Always use this skill when the user wants to see their git-master setup, current
+ git state, or an overview of their repository configuration.
+allowed-tools: Read, Bash, Grep, Glob
+---
+
+# Show git-master Status
+
+## Dynamic Context
+
+Full config:
+```
+!`cat "${GIT_MASTER_CONFIG_PATH:-/dev/null}" 2>/dev/null | jq '.' 2>/dev/null || echo "not configured"`
+```
+
+Git status:
+```
+!`git status --short 2>/dev/null`
+```
+
+Current branch:
+```
+!`git branch --show-current 2>/dev/null`
+```
+
+Remote:
+```
+!`git remote -v 2>/dev/null | head -2`
+```
+
+Recent commits:
+```
+!`git log --oneline -5 2>/dev/null`
+```
+
+Provider:
+```
+!`echo "${GIT_MASTER_PROVIDER:-not detected}"`
+```
+
+## Instructions
+
+You are the git-master status reporter. Present a clear, comprehensive overview of the user's git-master configuration and current git state.
+
+### 1. Configuration Summary
+
+Read the full config from the dynamic context above and present the key settings in a table:
+
+```markdown
+## git-master Configuration
+
+| Setting | Value |
+|---------|-------|
+| **Provider** | github (cli: gh) |
+| **Commit convention** | conventional (max 72 chars) |
+| **Protected branches** | main, master, develop |
+| **PR title convention** | inherit (from commit) |
+| **PR default draft** | false |
+| **PR merge strategy** | squash |
+| **Review: adversarial** | enabled |
+| **Review: security** | enabled |
+| **Review: performance** | disabled |
+| **Review confidence** | 80% |
+| **CI provider** | auto (github_actions) |
+| **CI auto-diagnose** | enabled |
+| **Branch naming** | (no pattern enforced) |
+| **Signing** | disabled |
+```
+
+Adapt the table to only show settings that differ from defaults or are particularly noteworthy. If a section is entirely default, summarize it briefly (e.g., "PR settings: all defaults").
+
+### 2. Git State
+
+Present the current repository state using information from the dynamic context:
+
+```markdown
+## Git State
+
+| Property | Value |
+|----------|-------|
+| **Branch** | feature/add-auth |
+| **Tracking** | origin/feature/add-auth (up to date) |
+| **Staged** | 2 files |
+| **Unstaged** | 3 files modified |
+| **Untracked** | 1 file |
+
+### Recent Commits
+| Hash | Message |
+|------|---------|
+| `a1b2c3d` | feat(auth): add JWT token validation |
+| `e4f5g6h` | refactor(api): extract middleware helpers |
+| `i7j8k9l` | fix(db): correct connection pool sizing |
+| `m0n1o2p` | docs: update API authentication guide |
+| `q3r4s5t` | test(auth): add token expiry edge cases |
+```
+
+Parse `git status --short` output to count staged, unstaged, and untracked files:
+- Staged: lines where column 1 is not `?` and not space
+- Unstaged: lines where column 2 is not space (and not `?`)
+- Untracked: lines starting with `??`
+
+Check tracking status:
+```bash
+git rev-parse --abbrev-ref @{upstream} 2>/dev/null
+git rev-list --left-right --count @{upstream}...HEAD 2>/dev/null
+```
+
+### 3. Open PRs
+
+If a provider is available (not "generic" or "not detected"), list the user's open PRs:
+
+```bash
+# GitHub
+gh pr list --author @me --state open --json number,title,url,headRefName,createdAt,reviewDecision
+
+# GitLab
+glab mr list --author @me --state opened
+```
+
+Present as:
+
+```markdown
+## Open PRs/MRs
+
+| # | Title | Branch | Status | Created |
+|---|-------|--------|--------|---------|
+| 42 | feat(auth): add OAuth2 support | feature/oauth2 | Review pending | 2d ago |
+| 38 | fix(api): rate limit headers | fix/rate-limits | Approved | 5d ago |
+```
+
+If no provider is detected or the command fails, skip this section silently.
+
+### 4. Suggested Actions
+
+Based on the current state, suggest relevant next steps. Only include items that are actually applicable:
+
+```markdown
+## Suggested Actions
+```
+
+**If there are staged files:**
+> You have staged changes ready to commit. Run `git commit` or use `/git-master:committing`.
+
+**If there are unstaged modifications:**
+> You have modified files. Stage them with `git add` or review with `git diff`.
+
+**If the branch has unpushed commits:**
+> Your branch has N unpushed commit(s). Push with `git push`.
+
+**If the branch has no upstream:**
+> Branch `<name>` has no upstream. Push with `git push -u origin <name>`.
+
+**If the branch is behind the remote:**
+> Your branch is N commit(s) behind the remote. Pull with `git pull --rebase`.
+
+**If the branch is behind the base branch:**
+> Your branch is behind `main`. Consider rebasing: `git rebase origin/main`.
+
+**If there are no open PRs for the current branch and it is not a protected branch:**
+> No PR/MR exists for this branch. Create one with `/git-master:creating-pr`.
+
+**If everything is clean and up to date:**
+> Repository is clean and up to date. No actions needed.
+
+### 5. Config Source
+
+If the dynamic context shows "not configured" for the full config:
+
+```markdown
+## Configuration
+
+No git-master configuration found. git-master is using factory defaults.
+
+To customize, create a config file:
+- **Project-level**: `.git-master.yml` in your repository root
+- **User-global**: `~/.config/git-master/config.yml`
+
+Or run `/git-master:setting-up` for guided configuration.
+```
+
+If config is loaded, note the source(s):
+```bash
+# Check which config files exist
+ls -la .git-master.yml 2>/dev/null
+ls -la ~/.config/git-master/config.yml 2>/dev/null
+```
+
+Report the active config sources (e.g., "Configuration loaded from: factory defaults + project `.git-master.yml`").