diff --git a/.claude/skills/security-issue-sync/bulk-mode.md b/.claude/skills/security-issue-sync/bulk-mode.md index d8992a42..e3104a40 100644 --- a/.claude/skills/security-issue-sync/bulk-mode.md +++ b/.claude/skills/security-issue-sync/bulk-mode.md @@ -71,7 +71,9 @@ concurrently, which is exactly what the sync needs. **One query, one round-trip.** Build an aliased multi-field GraphQL query that fetches state for every resolved issue at - once: + once. The `body` field on `comments(last: 1)` lets the classifier + distinguish skill-authored writes from human activity (see + *Skill-or-bot detection* below): ```bash gh api graphql --raw-field query="$(cat <<'GQL' @@ -80,7 +82,9 @@ concurrently, which is exactly what the sync needs. i: issue(number: ) { number state closedAt updatedAt labels(first: 30) { nodes { name } } - comments(last: 1) { nodes { author { login } createdAt } } + comments(last: 1) { + nodes { author { login } createdAt body } + } } i: issue(number: ) { ... } # repeat one aliased block per resolved issue 
@@ -92,8 +96,40 @@ concurrently, which is exactly what the sync needs. The aliased-field form (`i: issue(number: ) { ... }`) works for any number of issues in a single query. For a 30-issue - bulk sweep the request is ~3 KB and the response is ~6 KB — - cheaper than a single subagent transcript. + bulk sweep the request is ~3 KB and the response is ~50-130 KB + depending on how long the latest comments are — still cheaper + than even one subagent transcript, and the body field is what + enables the skill-marker detection that drives ~30% of the + real-world skip rate. + + **Skill-or-bot detection — required for the rules below.** On a + private single-operator tracker, the sync skill itself writes + rollup updates and RM hand-off comments as the operator's + GitHub user — *not* as a `*[bot]` account. A naive + *"last comment author is a bot"* check is structurally + unreachable on those trackers and the classifier degenerates + to ~5% skip rate. The fix: recognise skill-authored comments + by their **marker comment**, which every status-rollup / + hand-off / wrap-up comment begins with: + + ```text + + ``` + + Concretely, treat the last-comment author as *bot-equivalent* if + **any** of these is true: + + - `login in {github-actions[bot], dependabot[bot]}` or + `login` ends with `[bot]` (real GitHub App accounts). + - The body starts with `
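Review bot: in the `@@ -80,7 +82,9` hunk, `nodes { author { login } createdAt body }` brings the complete text of each issue's latest comment into the classifier's input, while the detection described later in the patch only looks at how the body starts. Comment text is free-form input from whoever commented last, so the doc should state that `body` is used for the prefix test only and is never otherwise interpreted or acted on by the skill. It would also help to say that each body is trimmed to its opening line right after the fetch, which addresses the response growth to ~50-130 KB that the next hunk acknowledges.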
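Review bot: in the `@@ -92,8 +96,40` hunk, the bot-equivalence list is joined by "**any** of these is true", so as far as the visible lines go the body-prefix condition stands on its own and is not tied to who wrote the comment. Any account that can comment on the tracker could open a comment with the marker and have its activity classified as skill-authored, which on a security tracker means a human update gets skipped. Suggest requiring the marker together with `author.login` equal to the operator's login (or a short allowlist), and saying so in this bullet. Two smaller points in the same hunk: `login in {github-actions[bot], dependabot[bot]}` is already covered by "ends with `[bot]`", so one of the two can go, and the "~30%" and "~5%" skip-rate figures need a note on where they were measured.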