Skip to content

refactor(security-issue-sync): extract 4 subdocs to slim SKILL.md 3425 → 658 lines#410

Merged
potiuk merged 2 commits into
apache:mainfrom
potiuk:feat-security-issue-sync-extract-subdocs
May 31, 2026
Merged

refactor(security-issue-sync): extract 4 subdocs to slim SKILL.md 3425 → 658 lines#410
potiuk merged 2 commits into
apache:mainfrom
potiuk:feat-security-issue-sync-extract-subdocs

Conversation

@potiuk

@potiuk potiuk commented May 31, 2026

Copy link
Copy Markdown
Member

Summary

Profiling a 12-tracker bulk sync showed every subagent loading the full 3425-line SKILL.md (~30K tokens) regardless of which step it was running. Extract the four heaviest sections into focused subdocs so subagents can load just the slice they need.

Structure

.claude/skills/security-issue-sync/
├── SKILL.md                  658 lines  (overview + dispatcher + Step 0/2a/2c/3/6 inline)
├── bulk-mode.md              247 lines  (orchestration contract)
├── gather.md                 775 lines  (Step 1 sub-steps 1a-1h)
├── signals-to-actions.md   1088 lines  (Step 2b lookup table)
└── apply-and-push.md         768 lines  (Step 4 + Step 5/5a/5b/5c)

Subagent loading savings

Subagent role Before After Reduction
Gather-only (Step 1) 3425 lines 1412 lines 59%
Bulk orchestrator 3425 lines 884 lines 74%
Apply orchestrator 3425 lines 1405 lines 59%
Step 2b proposal builder 3425 lines 1725 lines 50%

Notes for reviewers

  • No behavior change — pure file restructure. Same pattern `setup-steward` already uses (`adopt.md` / `upgrade.md` / `verify.md` alongside `SKILL.md`).
  • Cross-references rewritten to point at the new subdoc files; same-file anchors preserved.
  • Injection-guard callout (Pattern 4) intentionally duplicated in `SKILL.md` + `gather.md` so subagents that only load gather.md still see the guard.
  • `skill-and-tool-validator` passes after the extraction.

Test plan

  • `skill-and-tool-validator` clean run
  • `markdownlint` clean run
  • Next bulk sync run on `airflow-s/airflow-s` confirms subagents load the smaller slice

🤖 Generated with Claude Code

potiuk added 2 commits May 31, 2026 12:31
…5 → 658 lines

Profiling a 12-tracker bulk sync showed every subagent loading the
full 3425-line SKILL.md (~30K tokens) regardless of which step it was
running. Extract the four heaviest sections into focused subdocs so
subagents can load just the slice they need.

Subdocs created (all alongside SKILL.md in the same skill dir):

- bulk-mode.md (247 lines) — orchestration contract for many-issue
  parallel runs: bucketing, subagent fan-out, merged-proposal review
  shape, hard rules, when bulk mode does NOT apply.

- gather.md (775 lines) — Step 1 sub-steps 1a-1h: read the GitHub
  issue, find referenced PRs, locate the real reporter, mine comments
  + mail for actionable signals, check Gmail for CVE-reviewer
  comments, determine the process step, check cve.org publication on
  recently-closed trackers, detect active release-vote threads.

- signals-to-actions.md (1088 lines) — Step 2b lookup table: every
  signal class from Step 1d translated to its proposal item.

- apply-and-push.md (768 lines) — Step 4 apply loop, Step 5/5a CVE
  JSON regen mechanics, Step 5b OAuth push including the six pre-push
  hygiene gates, Step 5c RM hand-off comment reconciliation.

SKILL.md (658 lines) now carries: overview, golden rules, inputs,
prerequisites, Step 0 pre-flight, Step 1/2/4 thin pointers to the
subdocs, Step 2a observed-state + Step 2c next-step (small enough to
stay inline), Step 3 confirm, Step 6 recap, guardrails, process
reference, canned responses. The Pattern-4 injection-guard callout
was added to SKILL.md (it lived inside the now-extracted Step 1d
section) and intentionally repeats inside gather.md so subagents that
only load gather.md still see the guard.

Subagent loading savings (per step):
- Gather-only subagent: 3425 → 1412 lines (59% reduction)
- Bulk orchestrator only: 3425 → 884 lines (74% reduction)
- Apply orchestrator: 3425 → 1405 lines (59% reduction)
- Step 2b proposal builder: 3425 → 1725 lines (50% reduction)

Cross-references that pointed at extracted sections rewritten to
point at the new subdoc files. Same pattern as setup-steward already
uses (adopt.md / upgrade.md / verify.md alongside SKILL.md).

No behavior change — pure file restructure. Skill-and-tool-validator
passes.
…d-push.md

PR apache#410 moved the Step 5b decision-flow block from SKILL.md into the
new apply-and-push.md subdoc. The scanner-products template still
referenced the old location, breaking the lychee fragment check.
Point the link at the new home.
@potiuk potiuk merged commit 5e68f26 into apache:main May 31, 2026
16 checks passed
potiuk added a commit that referenced this pull request May 31, 2026
…submitting (#411)

* docs(agents): require lychee local-run on every PR — added to Before submitting

Caught a Fragment-not-found regression in PR #410 only when CI
flagged it. The check is cheap to run locally (offline file + fragment
lookups; only the external-URL subset hits the network) and catching
it before the push avoids a round-trip.

Add to the Before-submitting checklist:

- the canonical invocation (lychee --config .lychee.toml .)
- guidance on the most common breakage class (Fragment not found)
  which is what bites on doc refactors that move sections between
  files or rename headings
- a one-liner for v0.24+ local lychee installations (since .lychee.toml
  pins the v0.23 schema)

The rule is enforce-via-CI either way (the lychee workflow blocks the
merge on any failure); this is just a documentation reminder so
agents add it to their pre-push routine and avoid the round-trip.

* fix(AGENTS.md): link to link-check.yml, not the made-up doc-validation.yml

The "Before submitting" lychee guidance pointed at
`.github/workflows/doc-validation.yml`, which does not exist —
this repo's link-check workflow is `link-check.yml`. Caught by
running lychee on the same file the PR added (which is what the
new rule itself prescribes).
potiuk added a commit to potiuk/magpie that referenced this pull request Jun 1, 2026
…ity-suite refactor patterns

Adds `optimize-skill` (capability:setup) — the refactoring sibling of
`write-skill`. It takes an existing framework skill (or sweeps a set)
and applies the five restructuring patterns proven on the security
suite, as behavior-preserving proposals gated by the validator
(green-before / green-after):

- split — slim an oversized SKILL.md into linked siblings (the apache#410
  pattern; addresses the PRINCIPLES.md P14 cap)
- config-lift — move concrete values into <project-config> (apache#386/apache#387/apache#388)
- out-of-context — read/PATCH one field without loading the body
  (apache#412 github-body-field, apache#424 github-rollup)
- fetch-upfront — batch per-item round-trips (apache#347)
- preflight-classifier — skip obvious no-ops before LLM passes (apache#414/apache#416)

SKILL.md is 297 lines; the pass catalogue (smell / exemplar PR /
mechanics / behavior-preservation guarantee / validation) lives in
the patterns.md sibling. Reads only framework-internal files, so no
injection-guard / Privacy-LLM callouts.

Ships a step-diagnose eval (5 auto-comparable cases incl. an
injection-resistance case) so the skill is not released without an
eval (P8). Wires the skill into the capability->skill map and the
eval index.

Generated-by: Claude Code (Opus 4.8)
potiuk added a commit to potiuk/magpie that referenced this pull request Jun 1, 2026
…ity-suite refactor patterns

Adds `optimize-skill` (capability:setup) — the refactoring sibling of
`write-skill`. It takes an existing framework skill (or sweeps a set)
and applies the five restructuring patterns proven on the security
suite, as behavior-preserving proposals gated by the validator
(green-before / green-after):

- split — slim an oversized SKILL.md into linked siblings (the apache#410
  pattern; addresses the PRINCIPLES.md P14 cap)
- config-lift — move concrete values into <project-config> (apache#386/apache#387/apache#388)
- out-of-context — read/PATCH one field without loading the body
  (apache#412 github-body-field, apache#424 github-rollup)
- fetch-upfront — batch per-item round-trips (apache#347)
- preflight-classifier — skip obvious no-ops before LLM passes (apache#414/apache#416)

SKILL.md is 297 lines; the pass catalogue (smell / exemplar PR /
mechanics / behavior-preservation guarantee / validation) lives in
the patterns.md sibling. Reads only framework-internal files, so no
injection-guard / Privacy-LLM callouts.

Ships a step-diagnose eval (5 auto-comparable cases incl. an
injection-resistance case) so the skill is not released without an
eval (P8). Wires the skill into the capability->skill map and the
eval index.

Generated-by: Claude Code (Opus 4.8)
potiuk added a commit that referenced this pull request Jun 1, 2026
…ity-suite refactor patterns (#427)

Adds `optimize-skill` (capability:setup) — the refactoring sibling of
`write-skill`. It takes an existing framework skill (or sweeps a set)
and applies the five restructuring patterns proven on the security
suite, as behavior-preserving proposals gated by the validator
(green-before / green-after):

- split — slim an oversized SKILL.md into linked siblings (the #410
  pattern; addresses the PRINCIPLES.md P14 cap)
- config-lift — move concrete values into <project-config> (#386/#387/#388)
- out-of-context — read/PATCH one field without loading the body
  (#412 github-body-field, #424 github-rollup)
- fetch-upfront — batch per-item round-trips (#347)
- preflight-classifier — skip obvious no-ops before LLM passes (#414/#416)

SKILL.md is 297 lines; the pass catalogue (smell / exemplar PR /
mechanics / behavior-preservation guarantee / validation) lives in
the patterns.md sibling. Reads only framework-internal files, so no
injection-guard / Privacy-LLM callouts.

Ships a step-diagnose eval (5 auto-comparable cases incl. an
injection-resistance case) so the skill is not released without an
eval (P8). Wires the skill into the capability->skill map and the
eval index.

Generated-by: Claude Code (Opus 4.8)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant