name: Claude Code Review on: pull_request: types: [opened, synchronize, ready_for_review, reopened] jobs: claude-review: if: | github.event.pull_request.draft == false && github.actor != 'dependabot[bot]' && github.event.pull_request.user.login != 'dependabot[bot]' && github.event.pull_request.head.repo.full_name == github.repository runs-on: ubuntu-latest permissions: contents: read pull-requests: write issues: read id-token: write steps: - name: Checkout repository uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: fetch-depth: 1 persist-credentials: false - name: Run Claude Code Review id: claude-review uses: anthropics/claude-code-action@4481e6d3c7bbb88db2a928ca3444c536f589c7c1 # v1 with: claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} track_progress: true prompt: | REPO: ${{ github.repository }} PR NUMBER: ${{ github.event.pull_request.number }} You are reviewing a PR for claude-agents — a multi-harness agentic plugin marketplace (Claude Code, Codex CLI, Cursor, OpenCode, Gemini CLI) with 82+ plugins, 191+ agents, 155+ skills, and 102+ commands. The source of truth is Markdown under `plugins/`; per-harness artifacts under `.codex/`, `.cursor-plugin/`, `.cursor/rules/`, `.opencode/`, and the top-level `skills/`/`agents/`/`commands/` directories are generated by `make generate HARNESS=` and are gitignored. Read `AGENTS.md` at the repo root (canonical context) before starting. Consult `docs/authoring.md` for plugin / agent / skill frontmatter shapes, `docs/harnesses.md` for per-harness capability deltas, and `docs/plugins.md` for the catalog. ## Review checklist 1. **Source-of-truth invariant** — Only `plugins/`, `.claude-plugin/marketplace.json`, `docs/`, `tools/`, and top-level Markdown (`AGENTS.md`, `CLAUDE.md`, `GEMINI.md`, `README.md`, `ARCHITECTURE.md`, `CONTRIBUTING.md`) should be hand-edited. Flag any change under `.codex/`, `.cursor-plugin/`, `.cursor/rules/`, `.opencode/`, or top-level `skills/`/`agents/`/`commands/` at the extension root — those are generated artifacts and must not be committed by hand. 2. **Plugin / agent / skill frontmatter** — Every agent under `plugins/*/agents/*.md` needs `name:`, `description:`, and a `model:` tier. Every skill under `plugins/*/skills/*/SKILL.md` needs `name:` and `description:`. Plugin directory names must be lowercase, hyphen-separated, and must NOT contain `__` (that is the adapter namespace separator — see `docs/authoring.md`). 3. **Cross-harness portability** — Content should work across all five harnesses unless explicitly marked Claude-Code- only in `CLAUDE.md`. Watch for hard dependencies on Claude-Code-only primitives (`TodoWrite`, the `Task` / `Agent` spawn tool, per-agent `tools:` frontmatter) without a documented fallback. Locked agents (`tools: []`) get special-cased by the OpenCode adapter — preserve that contract. 4. **Codex 8 KB skill body cap** — Skill bodies in `plugins/*/skills/*/SKILL.md` should fit under ~8 KB after adapter transpilation; overflow belongs in `references/details.md`. `make garden` flags oversize skills; if a new or edited skill is borderline, suggest splitting before merge. 5. **Canonical context sync** — `AGENTS.md` is the single source of truth; `CLAUDE.md` imports it via `@AGENTS.md` and `GEMINI.md` mirrors it. If any of the three diverge in this PR, call it out. Per OpenAI's harness-engineering practice, `AGENTS.md` must stay under ~150 lines — detail belongs in `docs/`. 6. **Quality gates** — Will this break `make validate STRICT=1`, `make garden`, `make test`, or `make smoke-test`? Reference the relevant gate by name in your finding so the author knows what to run. 7. **Catalog drift** — New, removed, or renamed plugins, agents, skills, or commands should be reflected in `docs/plugins.md`, `docs/agents.md`, and `docs/agent-skills.md` counts and lists. The plugin total in `AGENTS.md` and `README.md` should also stay in sync. 8. **Python tooling correctness** — Code under `tools/` uses uv + ruff + ty (NOT pip / mypy / black). Flag any reintroduction of `pip`, `requirements.txt`, `mypy`, or `black`. Watch for unhandled errors in adapter code, broken JSON in `plugin.json` or `marketplace.json`, and missing tests under `tools/tests/`. 9. **Security** — No secrets in code or workflow files; no destructive git in scripts (`push --force`, `reset --hard`, `branch -D`); no shell injection in `Bash(...)` allowlists or hook scripts; pinned action SHAs and `persist-credentials: false` on any new GitHub workflow (match the style in `.github/workflows/validate.yml`). ## Output rules - Use inline comments (`mcp__github_inline_comment__create_inline_comment`) for specific issues tied to a line of code. - Use `gh pr comment` for a short summary (≤ 10 lines) at the end. - If no critical issues are found, post a single one-line ✅ summary via `gh pr comment` and stop — do NOT attempt to submit a formal review approval (no review-submission tool is exposed). - Do NOT comment on formatting, import order, or naming style — `ruff` and `ty` handle that. - Do NOT suggest documentation or comment additions unless a public-facing doc count or catalog entry is wrong. - Do NOT re-raise issues already flagged by `coderabbitai` or `chatgpt-codex-connector` in this PR's existing comments — read them first via `gh api repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/comments`. - Be concise: one sentence per finding is enough. Prefer actionable suggestions (diff blocks) over prose. claude_args: | --model claude-opus-4-7 --allowedTools "mcp__github_inline_comment__create_inline_comment,Bash(gh pr comment:*),Bash(gh pr diff:*),Bash(gh pr view:*),Bash(gh api repos/*/pulls/*/comments:*)"