Merge remote-tracking branch 'origin/main' into garrytan/elegance

# Conflicts:
#	package.json
#	scripts/gen-skill-docs.ts
Garry Tan
2026-03-23 22:17:12 -07:00
70 changed files with 1000 additions and 200 deletions


@@ -3,6 +3,7 @@ name: review
preamble-tier: 4
version: 1.0.0
description: |
MANUAL TRIGGER ONLY: invoke only when user types /review.
Pre-landing PR review. Analyzes diff against the base branch for SQL safety, LLM trust
boundary violations, conditional side effects, and other structural issues. Use when
asked to "review this PR", "code review", "pre-landing review", or "check my diff".
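Review bot: the `MANUAL TRIGGER ONLY: invoke only when user types /review.` line in `description` contradicts the sentence that closes the same field, which still lists natural-language triggers ("review this PR", "code review", "pre-landing review", "check my diff"). Anything that routes on this description is told both to fire only on the slash command and to fire on those phrases. Drop or reword the trailing `Use when asked to ...` sentence so the field states one policy.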
@@ -295,7 +296,7 @@ Before reviewing code quality, check: **did they build what was requested — no
Read commit messages (`git log origin/<base>..HEAD --oneline`).
**If no PR exists:** rely on commit messages and TODOS.md for stated intent — this is the common case since /review runs before /ship creates the PR.
2. Identify the **stated intent** — what was this branch supposed to accomplish?
3. Run `git diff origin/<base> --stat` and compare the files changed against the stated intent.
3. Run `git diff origin/<base>...HEAD --stat` and compare the files changed against the stated intent.
4. Evaluate with skepticism:
**SCOPE CREEP detection:**
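Review bot: in step 3, `git diff origin/<base>...HEAD --stat` compares the merge base with HEAD, so staged and unstaged changes in the working tree no longer appear in the stat, whereas `git diff origin/<base> --stat` included them. The context above says /review runs before /ship creates the PR, so either state in the step that the scope check covers committed work only, or add a `git status --short` check so files that are not yet committed do not fall silently outside the scope-creep comparison.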


@@ -45,7 +45,7 @@ Before reviewing code quality, check: **did they build what was requested — no
Read commit messages (`git log origin/<base>..HEAD --oneline`).
**If no PR exists:** rely on commit messages and TODOS.md for stated intent — this is the common case since /review runs before /ship creates the PR.
2. Identify the **stated intent** — what was this branch supposed to accomplish?
3. Run `git diff origin/<base> --stat` and compare the files changed against the stated intent.
3. Run `git diff origin/<base>...HEAD --stat` and compare the files changed against the stated intent.
4. Evaluate with skepticism:
**SCOPE CREEP detection:**
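Review bot: step 3 here is word for word the same edit as the hunk at -295,7 above, so the instruction now lives in two files that have to be changed together. If one of them is generated from the other (the merge message lists a conflict in `scripts/gen-skill-docs.ts`), regenerate it instead of hand-editing so the two copies cannot drift.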


@@ -125,6 +125,18 @@ To do this: use Grep to find all references to the sibling values (e.g., grep fo
- Small utility additions (<5KB gzipped)
- Server-side-only dependencies
#### Distribution & CI/CD Pipeline
- CI/CD workflow changes (`.github/workflows/`): verify build tool versions match project requirements, artifact names/paths are correct, secrets use `${{ secrets.X }}` not hardcoded values
- New artifact types (CLI binary, library, package): verify a publish/release workflow exists and targets correct platforms
- Cross-platform builds: verify CI matrix covers all target OS/arch combinations, or documents which are untested
- Version tag format consistency: `v1.2.3` vs `1.2.3` — must match across VERSION file, git tags, and publish scripts
- Publish step idempotency: re-running the publish workflow should not fail (e.g., `gh release delete` before `gh release create`)
**DO NOT flag:**
- Web services with existing auto-deploy pipelines (Docker build + K8s deploy)
- Internal tools not distributed outside the team
- Test-only CI changes (adding test steps, not publish steps)
---
## Severity Classification
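Review bot: the `Publish step idempotency` bullet gives `gh release delete` before `gh release create` as its example, which makes a re-run replace an already published release, so consumers who fetched artifacts for that tag can end up with different bytes under the same version. Suggest an example that leaves published releases alone, for instance checking with `gh release view` and skipping the create step when the release exists. Separately, the `DO NOT flag` entry for test-only CI changes overlaps with the first bullet: a test step added under `.github/workflows/` can still hardcode a secret, so the exemption should say the secrets check still applies.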
@@ -141,7 +153,8 @@ CRITICAL (highest severity): INFORMATIONAL (lower severity):
├─ Time Window Safety
├─ Type Coercion at Boundaries
├─ View/Frontend
─ Performance & Bundle Impact
─ Performance & Bundle Impact
└─ Distribution & CI/CD Pipeline
All findings are actioned via Fix-First Review. Severity determines
presentation order and classification of AUTO-FIX vs ASK — critical
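Review bot: `Distribution & CI/CD Pipeline` is appended to the list that ends with `Performance & Bundle Impact`; if that is the INFORMATIONAL column named in the hunk header, then a hardcoded secret in a workflow file, which the new checklist section asks the reviewer to catch, is ranked as lower severity. Consider splitting the category so the secrets check sits under CRITICAL while the packaging, matrix and version-tag checks stay INFORMATIONAL.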