charles/claude-hooks
1
0
Fork 0
Code Issues 10 Pull requests Projects Releases Packages 1 Wiki Activity Actions

Skills: breakdown — generate issues from specs/*.md with routing labels #54

New issue
Closed
opened 2026-04-18 15:02:00 +00:00 by claude-desktop · 0 comments
claude-desktop commented 2026-04-18 15:02:00 +00:00
Collaborator
Copy link

User story

As a maintainer, I want to drop a spec.md in a repo's specs/ folder and, via a /breakdown slash-command comment on a tracking issue, have boss read the spec, generate a user-story-format issue per section (with labels like area:*, type:user-story, and security where warranted), so that routing (A3) can then send security-labeled PRs to a senior reviewer instance automatically.

Context

No skill currently drives this — the CLAUDE.md convention for well-structured user stories is applied manually by the interactive operator via the MCP. Automating it enables spec → issues → typed-review loops without human authoring of each ticket.

Trigger choice: slash-command on an issue comment. Explicit, no ambiguity, scoped. Alternatives (push-webhook on specs/** changes, issue labels) defer for now.

Acceptance criteria

New skill

  • skills/breakdown.md — instructs boss to:
    1. List specs/*.md in the repo (via forgejo-mcp get_file_content against the repo root + directory listing).
    2. Read each spec file.
    3. For each logical section, create one Forgejo issue with: user-story statement (As a <role>, I want <capability>, so that <outcome>), acceptance criteria grouped by sub-section, out-of-scope list, references list, dependencies footer.
    4. Apply labels:
      • type:user-story always.
      • area:<slug> per existing repo convention (read the label list first; don't invent new area:* labels — log a warning and skip if the spec implies one that doesn't exist).
      • security when the spec section mentions authentication, authorization, crypto / key material, secrets, session tokens, SSRF / injection / XSS patterns. Mechanical keyword-match; over-tag is fine, under-tag is the failure mode.
    5. Assign each issue to the appropriate agent type (dev for typical implementation, boss for architecture-heavy work the spec explicitly flags as senior).
    6. Post a summary comment on the triggering tracking issue: "Created #A, #B, #C from specs/<file>.md. Security-labeled: #B."
  • The skill file lives in git like every other skill; no runtime-editable part.

Dispatch path

  • Webhook handles issue_comment events (new event handler in src/webhook-handlers.ts). When the comment body starts with /breakdown and the commenter is a configured trusted user (owner + any agent — NOT arbitrary Forgejo users), dispatch a breakdown task to the boss pool.
  • buildTaskRequest (existing helper) extended for the breakdown flow: the skill is breakdown, the prompt interpolates {{repo}}, {{tracking_issue_number}}, and {{trigger_comment_body}}.
  • Non-/breakdown comments are ignored (no dispatch, webhook returns 200).

Security label as A3 fodder

  • Document in the skill: emitting security on an issue means any PR that closes that issue inherits the label (via Forgejo's Closes #N resolution), and A3's reviewer routing picks the reviewer-security instance on that PR. So the skill authoring quality directly affects review-model cost.

Tests

  • Webhook test for issue_comment: /breakdown from trusted user dispatches; /breakdown from random user → 200 + skip log; non-slash comment → 200 + skip log.
  • Skill prompt renders — snapshot test on the interpolated output.
  • No integration test against live Forgejo — manual verification only.

Manual verification

  • On a test repo with a small specs/hello.md (2–3 sections, one mentioning "authentication"), comment /breakdown on a tracking issue. Confirm:
    • Boss opens N issues matching the spec sections.
    • The auth-related issue has the security label.
    • If a reviewer-security instance exists with match_labels: ["security"], a PR that closes the security issue gets routed to that reviewer instance per A3's log line.

Out of scope

  • Cross-repo breakdowns.
  • Scheduling (cron-triggered breakdowns).
  • Re-running on updated spec content (no diffing — v1 is idempotent against a spec that hasn't already been broken down, via "skip if tracking issue already has a summary comment from a prior breakdown").
  • Advanced classification beyond keyword matching for the security label.
  • Editing / approving generated issues before posting (ship-them-as-is; operator closes the bad ones).

References

  • Tracking issue: #47.
  • CLAUDE.md issue-authoring conventions (user-story + AC + out-of-scope + references).
  • A3's label-aware routing is what makes the emitted labels load-bearing.

Dependencies

  • Blocked by: A3 (labels matter only once routing consumes them).
  • Branch off: main (after A3 lands).
  • Milestone stretch goal. Nice-to-have for closing the milestone; not gating.
## User story As a **maintainer**, I want to drop a `spec.md` in a repo's `specs/` folder and, via a `/breakdown` slash-command comment on a tracking issue, have boss read the spec, generate a user-story-format issue per section (with labels like `area:*`, `type:user-story`, and `security` where warranted), so that routing (A3) can then send `security`-labeled PRs to a senior reviewer instance automatically. ## Context No skill currently drives this — the CLAUDE.md convention for well-structured user stories is applied manually by the interactive operator via the MCP. Automating it enables spec → issues → typed-review loops without human authoring of each ticket. Trigger choice: **slash-command on an issue comment**. Explicit, no ambiguity, scoped. Alternatives (push-webhook on `specs/**` changes, issue labels) defer for now. ## Acceptance criteria ### New skill - [ ] `skills/breakdown.md` — instructs boss to: 1. List `specs/*.md` in the repo (via forgejo-mcp `get_file_content` against the repo root + directory listing). 2. Read each spec file. 3. For each logical section, create one Forgejo issue with: user-story statement (`As a <role>, I want <capability>, so that <outcome>`), acceptance criteria grouped by sub-section, out-of-scope list, references list, dependencies footer. 4. Apply labels: - `type:user-story` always. - `area:<slug>` per existing repo convention (read the label list first; don't invent new `area:*` labels — log a warning and skip if the spec implies one that doesn't exist). - `security` when the spec section mentions authentication, authorization, crypto / key material, secrets, session tokens, SSRF / injection / XSS patterns. Mechanical keyword-match; over-tag is fine, under-tag is the failure mode. 5. Assign each issue to the appropriate agent type (`dev` for typical implementation, `boss` for architecture-heavy work the spec explicitly flags as senior). 6. Post a summary comment on the triggering tracking issue: "Created #A, #B, #C from `specs/<file>.md`. Security-labeled: #B." - [ ] The skill file lives in git like every other skill; no runtime-editable part. ### Dispatch path - [ ] Webhook handles `issue_comment` events (new event handler in `src/webhook-handlers.ts`). When the comment body starts with `/breakdown` and the commenter is a configured trusted user (owner + any agent — NOT arbitrary Forgejo users), dispatch a `breakdown` task to the `boss` pool. - [ ] `buildTaskRequest` (existing helper) extended for the breakdown flow: the skill is `breakdown`, the prompt interpolates `{{repo}}`, `{{tracking_issue_number}}`, and `{{trigger_comment_body}}`. - [ ] Non-`/breakdown` comments are ignored (no dispatch, webhook returns 200). ### Security label as A3 fodder - [ ] Document in the skill: emitting `security` on an issue means any PR that closes that issue inherits the label (via Forgejo's `Closes #N` resolution), and A3's reviewer routing picks the `reviewer-security` instance on that PR. So the skill authoring quality directly affects review-model cost. ### Tests - [ ] Webhook test for `issue_comment`: `/breakdown` from trusted user dispatches; `/breakdown` from random user → 200 + skip log; non-slash comment → 200 + skip log. - [ ] Skill prompt renders — snapshot test on the interpolated output. - [ ] No integration test against live Forgejo — manual verification only. ### Manual verification - [ ] On a test repo with a small `specs/hello.md` (2–3 sections, one mentioning "authentication"), comment `/breakdown` on a tracking issue. Confirm: - Boss opens N issues matching the spec sections. - The auth-related issue has the `security` label. - If a `reviewer-security` instance exists with `match_labels: ["security"]`, a PR that closes the security issue gets routed to that reviewer instance per A3's log line. ## Out of scope - Cross-repo breakdowns. - Scheduling (cron-triggered breakdowns). - Re-running on updated spec content (no diffing — v1 is idempotent against a spec that hasn't already been broken down, via "skip if tracking issue already has a summary comment from a prior breakdown"). - Advanced classification beyond keyword matching for the `security` label. - Editing / approving generated issues before posting (ship-them-as-is; operator closes the bad ones). ## References - Tracking issue: #47. - CLAUDE.md issue-authoring conventions (user-story + AC + out-of-scope + references). - A3's label-aware routing is what makes the emitted labels load-bearing. ## Dependencies - **Blocked by:** A3 (labels matter only once routing consumes them). - **Branch off:** `main` (after A3 lands). - **Milestone stretch goal.** Nice-to-have for closing the milestone; not gating.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
chore/sync-pre-push-from-forge-base
fix/flows-yaml-dispatch-identity
feat/board-tap-to-assign
dev/1107
code-lead/1106
code-lead/1108
dev/1104
code-lead/1103
code-lead/1080
dev/1087
feat/flows-yaml-ci-events
chore/board-drop-stalled-and-density-controls
fix/flows-yaml-routes-always-register
flows-yaml/api-defaults
dev/1023
fix/event-log-history-bleed
fix/janitor-fix-ci-logs-and-cap
dev/1022
fix/board-card-provider
code-lead/1036
dev/1025
code-lead/1020
dev/1017
code-lead/1026
feat/web-shortcut-registry-1018
dev/1015
code-lead/1009
code-lead/1008
dev/975
dev/969
dev/973
dev/967
code-lead/968
code-lead/953
dev/970
dev/976
code-lead/966
code-lead/956
code-lead/951
dev/962
dev/963
dev/977
dev/955
dev/983
dev/961
dev/974
code-lead/950
code-lead/939
dev/941
dev/940
dev/937
dev/938
dev/936
dev/935
feat/web-i18n-fr-locale
feat/spec-editor-ui-polish
chore/drop-legacy-compat
fix/skills-drop-preview-pane
fix/882-skills-safety-rail
dev/911
dev/909
dev/923
dev/917
dev/915
feat/879-sr11-m2-drop-legacy-skill
code-lead/873
dev/881
code-lead/869
dev/867
code-lead/845
code-lead/843
code-lead/844
dev/837
dev/861
dev/849
code-lead/837
code-lead/842
fix/dedup-rebase-inflight
dev/838
code-lead/847
dev/833
code-lead/848
pr/838
code-lead/841
feat/settings-save-bar/836
code-lead/840
dev/846
code-lead/839
dev/832
fix/board-sse-stale-cache
dev/834
dev/835
feat/settings-breadcrumbs
feat/forge-oauth-credentials
refactor/service-config-consolidation
feat/agent-tokens-to-secrets
feat/gitlab-oauth-to-db
feat/authelia-rip-and-voice-fixes
fix/rebase-storm-and-dead-letter
code-lead/797
code-lead/796
dev/811
code-lead/798
dev/810
code-lead/795
dev/808
code-lead/794
dev/805
dev/802
dev/803
feat/avatar-menu-settings-entry
feat/per-agent-token-tracking
dev/793
dev/747
dev/752
code-lead/790
code-lead/759
dev/756
dev/760
dev/741
dev/767
dev/740
dev/709
dev/644
dev/637
boss/614
dev/600
dev/611
dev/585
fix/login-bonus-fixes
boss/544
dev/542
refactor/api-prefix-and-session-gate
dev/489
boss/531
boss/518
dev/499
boss/516
dev/530
dev/517
dev/519
dev/515
dev/522
dev/503
dev/471
boss/329
dev/417
dev/418
dev/402
boss/327
dev/334
dev/332
boss/326
boss/325
dev/331
boss/324
boss/323
boss/322
dev/294
test/s11-task-analytics
dev/262
boss/270
dev/268
foreman/ui-consolidation-spec
dev/234
boss/196
boss/176
boss/164
fix/124-session-persist-bind
boss/52
dev/87
boss/73
dev/77
dev/81
dev/82
boss/79
dev/42
dev/35
boss/7
No results found.
Labels
Clear labels   
area:agents
Agent types, pool scheduling, per-instance config

  
area:dashboard
Dashboard UI and observability surfaces

  
area:database
DB layer — schema, migrations, ORM, raw SQL

  
area:design
UI/UX mockup work — routes to designer agent

  
area:design-review
Design review dispatch — routes to design-reviewer agent

  
area:flows
Flow runner — YAML loader, executor, op registry, expression eval

  
area:infra
Deployment, isolation, containers, systemd units

  
area:meta
Tracking, scaffolding, project setup

  
area:security
Security — routes to reviewer-security (opus)

  
area:sessions
Session-id store, Claude SDK resume logic

  
area:webhook
Forgejo webhook routing and handlers

  
area:workdir
Clone cache, worktrees, git identity

  
security
Security-sensitive issue

  
type:bug
Bug

  
type:chore
Chore

  
type:meta
Tracking or decisions, not implementation work

  
type:user-story
User story

No labels
area:agents
area:dashboard
area:database
area:design
area:design-review
area:flows
area:infra
area:meta
area:security
area:sessions
area:webhook
area:workdir
security
type:bug
type:chore
type:meta
type:user-story
Milestone
Clear milestone
No items
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
dev
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
charles/claude-hooks#54
No description provided.