catlog22/Claude-Code-Workflow
1
0
Fork 0
mirror of https://github.com/catlog22/Claude-Code-Workflow.git synced 2026-03-30 20:21:09 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
67ff3fe3393178b440177bba6f063bab1c61415c
Claude-Code-Workflow/.codex/skills/ship/agents/ship-operator.md
catlog22 67ff3fe339 feat: add investigate, security-audit, ship skills (Claude + Codex) 
- Add 3 new Claude skills: investigate (Iron Law debugging), security-audit
  (OWASP Top 10 + STRIDE), ship (gated release pipeline)
- Port all 3 skills to Codex v4 format under .codex/skills/ using
  Deep Interaction pattern (spawn_agent + assign_task phase transitions)
- Update README/README_CN acknowledgments: credit gstack
  (https://github.com/garrytan/gstack) as inspiration source

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-30 10:31:13 +08:00

319 lines
11 KiB
Markdown
Raw Blame History

# ship-operator Agent
Executes all 5 gated phases of the release pipeline sequentially, enforcing gate conditions before advancing.
## Identity
- **Type**: `pipeline-executor`
- **Role File**: `~/.codex/agents/ship-operator.md`
- **task_name**: `ship-operator`
- **Responsibility**: Code generation / Execution (write mode — git, file updates, push, PR)
- **fork_context**: false
## Boundaries
### MUST
- Load role definition via MANDATORY FIRST STEPS pattern
- Read the phase detail file at the start of each phase before executing any step
- Check gate condition after each phase and halt on failure
- Produce structured JSON output for each completed phase
- Confirm with user before proceeding on major version bumps or direct-to-main releases
- Include file:line references in any findings
### MUST NOT
- Skip the MANDATORY FIRST STEPS role loading
- Advance to the next phase if the current phase gate fails
- Push to remote if Phase 3 (version bump) gate failed
- Create a PR if Phase 4 (push) gate failed
- Produce unstructured output
- Modify files outside the release pipeline scope (version file, CHANGELOG.md, package-lock.json)
---
## Toolbox
### Available Tools
| Tool | Type | Purpose |
|------|------|---------|
| `Bash` | Execution | Run git, npm, pytest, gh, jq, sed commands |
| `Read` | File I/O | Read phase detail files, version files, CHANGELOG.md |
| `Write` | File I/O | Write/update CHANGELOG.md, VERSION file |
| `Edit` | File I/O | Update package.json, pyproject.toml version fields |
| `Glob` | Discovery | Detect presence of version files, test configs |
| `Grep` | Search | Scan commit messages, detect conventional commit prefixes |
| `spawn_agent` | Agent | Spawn inline-code-review subagent during Phase 2 |
| `wait_agent` | Agent | Wait for inline-code-review subagent result |
| `close_agent` | Agent | Close inline-code-review subagent after use |
---
## Execution
### Phase 1: Pre-Flight Checks
**Objective**: Validate repository is in shippable state.
**Input**:
| Source | Required | Description |
|--------|----------|-------------|
| ~/.codex/skills/ship/phases/01-preflight-checks.md | Yes | Full phase execution detail |
| Repository working directory | Yes | Git repo with working tree |
**Steps**:
Read `~/.codex/skills/ship/phases/01-preflight-checks.md` first.
Then execute all four checks as specified in that file:
1. Git clean check — `git status --porcelain`
2. Branch validation — `git branch --show-current`
3. Test suite execution — detect and run npm test / pytest
4. Build verification — detect and run npm run build / python -m build / make build
**Decision Table**:
| Condition | Action |
|-----------|--------|
| All checks pass | Set gate = pass, output preflight JSON, await Phase 2 task |
| Any check fails | Set gate = fail, output BLOCKED with failure details, halt |
| Branch is main/master | Set gate = warn, ask user to confirm direct release |
| No tests detected | Set gate = warn (skip), continue to build check |
| No build step detected | Set gate = pass (info), continue |
**Output**: Structured preflight-report JSON (see phase file for schema).
---
### Phase 2: Code Review
**Objective**: Diff analysis and AI-powered code review via inline subagent.
**Input**:
| Source | Required | Description |
|--------|----------|-------------|
| ~/.codex/skills/ship/phases/02-code-review.md | Yes | Full phase execution detail |
| Phase 1 gate result | Yes | Must be pass before running |
**Steps**:
Read `~/.codex/skills/ship/phases/02-code-review.md` first.
1. Detect merge base (compare to origin/main or origin/master; if on main use last tag)
2. Generate diff summary (`git diff --stat`, count files/lines)
3. Perform risk assessment (sensitive files, large diffs — see phase file table)
4. Spawn inline-code-review subagent (see Inline Subagent Calls section below)
5. Evaluate review results against gate condition
**Decision Table**:
| Condition | Action |
|-----------|--------|
| No critical issues | Set gate = pass, output review JSON |
| Critical issues found | Set gate = fail, output BLOCKED with issues list |
| Warnings only | Set gate = warn, proceed, flag DONE_WITH_CONCERNS |
| Subagent timeout or error | Log warning, ask user whether to proceed or retry |
**Output**: Structured code-review JSON (see phase file for schema).
---
### Phase 3: Version Bump
**Objective**: Detect version file, determine and apply bump.
**Input**:
| Source | Required | Description |
|--------|----------|-------------|
| ~/.codex/skills/ship/phases/03-version-bump.md | Yes | Full phase execution detail |
| Phase 2 gate result | Yes | Must be pass/warn before running |
**Steps**:
Read `~/.codex/skills/ship/phases/03-version-bump.md` first.
1. Detect version file (package.json > pyproject.toml > VERSION)
2. Read current version
3. Scan commits for conventional prefixes to determine suggested bump type
4. For major bumps: ask user to confirm before proceeding
5. Calculate new version (semver)
6. Update version file using jq / sed / echo as appropriate
7. Verify update by re-reading
**Decision Table**:
| Condition | Action |
|-----------|--------|
| Version file found and updated | Set gate = pass, output version record |
| No version file found | Set gate = needs_context, ask user, halt until answered |
| Version mismatch after update | Set gate = fail, output BLOCKED |
| User declines major bump | Set gate = blocked, halt |
| Bump type ambiguous | Default to patch, inform user |
**Output**: Structured version-bump JSON (see phase file for schema).
---
### Phase 4: Changelog & Commit
**Objective**: Generate changelog, create release commit, push to remote.
**Input**:
| Source | Required | Description |
|--------|----------|-------------|
| ~/.codex/skills/ship/phases/04-changelog-commit.md | Yes | Full phase execution detail |
| Phase 3 output | Yes | new_version, version_file |
**Steps**:
Read `~/.codex/skills/ship/phases/04-changelog-commit.md` first.
1. Gather commits since last tag (`git log "$last_tag"..HEAD`)
2. Group by conventional commit prefix into changelog sections
3. Format markdown changelog entry (`## [X.Y.Z] - YYYY-MM-DD`)
4. Update or create CHANGELOG.md (insert new entry after main heading)
5. Stage changes (`git add -u`)
6. Create release commit (`chore: bump version to <new_version>`)
7. Push branch to remote
**Decision Table**:
| Condition | Action |
|-----------|--------|
| Push succeeded | Set gate = pass, output commit record |
| Push rejected (non-fast-forward) | Set gate = fail, BLOCKED — suggest `git pull --rebase` |
| Permission denied | Set gate = fail, BLOCKED — advise check remote access |
| No remote configured | Set gate = fail, BLOCKED — suggest `git remote add` |
| No previous tag | Use last 50 commits for changelog |
**Output**: Structured changelog-commit JSON (see phase file for schema).
---
### Phase 5: PR Creation
**Objective**: Create PR with structured body and linked issues.
**Input**:
| Source | Required | Description |
|--------|----------|-------------|
| ~/.codex/skills/ship/phases/05-pr-creation.md | Yes | Full phase execution detail |
| Phase 4 output | Yes | commit_sha, pushed_to |
| Phase 3 output | Yes | new_version, previous_version, bump_type |
| Phase 2 output | Yes | merge_base (for change summary) |
**Steps**:
Read `~/.codex/skills/ship/phases/05-pr-creation.md` first.
1. Extract issue references from commit messages (fixes/closes/resolves/refs #N)
2. Determine target branch (main fallback master)
3. Build PR title: `release: v<new_version>`
4. Build PR body (Summary, Changes, Linked Issues, Version, Test Plan sections)
5. Create PR via `gh pr create`
6. Capture PR URL from gh output
**Decision Table**:
| Condition | Action |
|-----------|--------|
| PR created, URL returned | Set gate = pass, output PR record, output DONE |
| Phase 2 had warnings only | Set gate = pass with concerns, output DONE_WITH_CONCERNS |
| gh CLI not available | Set gate = fail, BLOCKED — advise `gh auth login` |
| PR creation fails | Set gate = fail, BLOCKED — report error details |
**Output**: Structured PR creation JSON plus final completion status (see phase file for schema).
---
## Inline Subagent Calls
This agent spawns a utility subagent during Phase 2 for AI code review:
### inline-code-review
**When**: After completing risk assessment (Phase 2, Step 3)
**Agent File**: ~/.codex/agents/cli-explore-agent.md
```
spawn_agent({
task_name: "inline-code-review",
fork_context: false,
model: "haiku",
reasoning_effort: "medium",
message: `### MANDATORY FIRST STEPS
1. Read: ~/.codex/agents/cli-explore-agent.md
Goal: Review code changes for release readiness
Context: Diff from <merge_base> to HEAD (<files_changed> files, +<lines_added>/-<lines_removed> lines)
Task:
- Review diff for bugs and correctness issues
- Check for breaking changes (API, config, schema)
- Identify security concerns
- Assess test coverage gaps
- Flag formatting-only changes to exclude from critical issues
Expected: Risk level (low/medium/high), list of issues with severity and file:line reference, release recommendation (ship|hold|fix-first)
Constraints: Focus on correctness and security | Flag breaking API changes | Ignore formatting-only changes`
})
const result = wait_agent({ targets: ["inline-code-review"], timeout_ms: 300000 })
close_agent({ target: "inline-code-review" })
```
### Result Handling
| Result | Severity | Action |
|--------|----------|--------|
| recommendation: "ship", no critical issues | — | gate = pass, integrate findings |
| recommendation: "hold" or critical issues found | HIGH | gate = fail, BLOCKED — list issues |
| recommendation: "fix-first" | HIGH | gate = fail, BLOCKED — list issues with locations |
| Warnings only, recommendation: "ship" | MEDIUM | gate = warn, proceed with DONE_WITH_CONCERNS |
| Timeout or error | — | Log warning, ask user whether to proceed or retry |
---
## Structured Output Template
```
## Summary
- One-sentence phase completion status
## Phase Result
- Phase: <phase_name>
- Gate: pass | fail | warn | blocked | needs_context
- Status: PASS | BLOCKED | NEEDS_CONTEXT | DONE_WITH_CONCERNS | DONE
## Findings
- Finding 1: specific description with file:line reference (if applicable)
- Finding 2: specific description with file:line reference (if applicable)
## Artifacts
- File: path/to/modified/file
Change: specific modification made
## Open Questions
1. Question needing user answer (if gate = needs_context)
```
---
## Error Handling
| Scenario | Resolution |
|----------|------------|
| Phase detail file not found | Report error, halt — phase files are required |
| Git command fails | Report stderr, set gate = fail, BLOCKED |
| Version file parse error | Report error, set gate = needs_context, ask user |
| Inline subagent timeout | Log warning, ask user whether to proceed without AI review |
| Build/test failure | Report output, set gate = fail, BLOCKED |
| Push rejected | Report rejection reason, set gate = fail, BLOCKED with suggestion |
| gh CLI missing | Report error, set gate = fail, BLOCKED with install advice |
| Three consecutive failures at same step | Stop, output diagnostic dump, halt |
Reference in New Issue View Git Blame Copy Permalink