Improve skill workflows: advisory reviews, version coverage, pattern consolidation

.claude/commands/bump-version.md

@@ -24,6 +24,7 @@ Files that need updating:
 | `pyproject.toml` | `version = "X.Y.Z"` | ~7 |
 | `rust/Cargo.toml` | `version = "X.Y.Z"` | ~3 |
 | `CHANGELOG.md` | Section header + comparison link | Top + bottom |
+| `docs/llms-full.txt` | `- Version: X.Y.Z` | ~5 |
 
 ## Instructions
 
@@ -79,6 +80,9 @@ Files that need updating:
      Replace `version = "OLD_VERSION"` (the first version line under [package]) with `version = "NEW_VERSION"`
      Note: Rust version may differ from Python version; always sync to the new version
 
+   - `docs/llms-full.txt`:
+     Replace `- Version: OLD_VERSION` with `- Version: NEW_VERSION`
+
 6. **Update CHANGELOG comparison links**:
    - Run `git remote get-url origin` to determine the repository's GitHub URL
      (strip `.git` suffix, convert SSH format to HTTPS if needed)
@@ -97,6 +101,7 @@ Files that need updating:
    - diff_diff/__init__.py: __version__ = "NEW_VERSION"
    - pyproject.toml: version = "NEW_VERSION"
    - rust/Cargo.toml: version = "NEW_VERSION"
+   - docs/llms-full.txt: Version: NEW_VERSION
    - CHANGELOG.md: Added/verified [NEW_VERSION] entry
 
    Next steps:

.claude/commands/pre-merge-check.md

@@ -29,6 +29,8 @@ Categorize files into:
 
 #### 2.1 Inference & Parameter Pattern Checks (for methodology files)
 
+> **Canonical definitions** — This section is referenced by `/submit-pr` and `/push-pr-update`. Keep it as the single source of truth for methodology pattern checks.
+
 If any methodology files changed, run these pattern checks on the **changed methodology files only**:
 
 **Check A — Inline inference computation**:
@@ -121,6 +123,22 @@ by TODO.md."
 
 This is a WARNING, not a blocker — not every methodology change involves a deviation.
 
+#### 2.6 Secret Scanning Patterns (Canonical Definitions)
+
+> These patterns are referenced by `/submit-pr` and `/push-pr-update`.
+
+**Content pattern** (use with `-G` flag, `--name-only` to avoid leaking secrets):
+```bash
+-G "(AKIA[A-Z0-9]{16}|ghp_[a-zA-Z0-9]{36}|sk-[a-zA-Z0-9]{48}|gho_[a-zA-Z0-9]{36}|[Aa][Pp][Ii][_-]?[Kk][Ee][Yy][[:space:]]*[=:]|[Ss][Ee][Cc][Rr][Ee][Tt][_-]?[Kk][Ee][Yy][[:space:]]*[=:]|[Pp][Aa][Ss][Ss][Ww][Oo][Rr][Dd][[:space:]]*[=:]|[Pp][Rr][Ii][Vv][Aa][Tt][Ee][_-]?[Kk][Ee][Yy]|[Bb][Ee][Aa][Rr][Ee][Rr][[:space:]]+[a-zA-Z0-9_-]+|[Tt][Oo][Kk][Ee][Nn][[:space:]]*[=:])"
+```
+
+**Sensitive filename pattern**:
+```bash
+grep -iE "(\.env|credentials|secret|\.pem|\.key|\.p12|\.pfx|id_rsa|id_ed25519)$"
+```
+
+**Usage**: Apply content pattern to `--cached` for staged changes, or `<ref>..HEAD` for already-committed changes. Always use `--name-only` and `|| true`.
+
 ### 3. Display Context-Specific Checklist
 
 Based on what changed, display the appropriate checklist items:

.claude/commands/push-pr-update.md

@@ -69,7 +69,7 @@ Parse `$ARGUMENTS` to extract:
        - If ahead count > 0:
          - **Scan for secrets in commits to push** (see Section 3a below)
          - Compute `<files-changed-count>`: `git diff --name-only <comparison-ref>..HEAD | wc -l`
-         - Skip to Section 4 (Push to Remote) — will push with `-u` to set upstream
+         - Proceed to Section 3a (secret scan), then 3b (methodology checks), then Section 4 (Push to Remote) — will push with `-u` to set upstream
        - If ahead count = 0: Abort (new branch with nothing to push):
          ```
          No changes detected. Working directory is clean and branch has no commits ahead of <default-branch>.
@@ -80,7 +80,7 @@ Parse `$ARGUMENTS` to extract:
        - If ahead count > 0:
          - **Scan for secrets in commits to push** (see Section 3a below)
          - Compute `<files-changed-count>`: `git diff --name-only @{u}..HEAD | wc -l`
-         - Skip to Section 4 (Push to Remote) — there are committed changes to push
+         - Proceed to Section 3a (secret scan), then 3b (methodology checks), then Section 4 (Push to Remote) — there are committed changes to push
        - If ahead count = 0: Abort:
          ```
          No changes detected. Working directory is clean and branch is up to date.
@@ -93,17 +93,14 @@ When the working tree is clean but commits are ahead, scan for secrets in the co
 
 1. **Get diff range**: Use `<comparison-ref>..HEAD` (from Section 2.4 — either `@{u}`, `<default-branch>`, or `origin/<default-branch>`)
 
-2. **Run pattern check** (file names only, no content leaked):
+2. **Run pattern check** using the canonical patterns from `/pre-merge-check` Section 2.6:
    ```bash
-   secret_files=$(git diff <comparison-ref>..HEAD -G "(AKIA[A-Z0-9]{16}|ghp_[a-zA-Z0-9]{36}|sk-[a-zA-Z0-9]{48}|gho_[a-zA-Z0-9]{36}|[Aa][Pp][Ii][_-]?[Kk][Ee][Yy][[:space:]]*[=:]|[Ss][Ee][Cc][Rr][Ee][Tt][_-]?[Kk][Ee][Yy][[:space:]]*[=:]|[Pp][Aa][Ss][Ss][Ww][Oo][Rr][Dd][[:space:]]*[=:]|[Pp][Rr][Ii][Vv][Aa][Tt][Ee][_-]?[Kk][Ee][Yy]|[Bb][Ee][Aa][Rr][Ee][Rr][[:space:]]+[a-zA-Z0-9_-]+|[Tt][Oo][Kk][Ee][Nn][[:space:]]*[=:])" --name-only 2>/dev/null || true)
+   secret_files=$(git diff <comparison-ref>..HEAD -G "<content pattern from Section 2.6>" --name-only 2>/dev/null || true)
+   sensitive_files=$(git diff --name-only <comparison-ref>..HEAD | grep -iE "<filename pattern from Section 2.6>" || true)
    ```
+   Read the actual regex values from `/pre-merge-check` Section 2.6 at execution time. Uses `-G` to search diff content but `--name-only` to output only file names.
 
-3. **Check for sensitive file names**:
-   ```bash
-   sensitive_files=$(git diff --name-only <comparison-ref>..HEAD | grep -iE "(\.env|credentials|secret|\.pem|\.key|\.p12|\.pfx|id_rsa|id_ed25519)$" || true)
-   ```
-
-4. **If patterns detected**, warn with AskUserQuestion:
+3. **If patterns detected** (i.e., `secret_files` or `sensitive_files` is non-empty), warn with AskUserQuestion:
    ```
    Warning: Potential secrets detected in committed changes:
    - <list of files/patterns>
@@ -114,6 +111,34 @@ When the working tree is clean but commits are ahead, scan for secrets in the co
    ```
    Note: Unlike Section 3, we cannot simply unstage these changes since they are already committed.
 
+### 3b. Methodology Checks for Already-Committed Changes (when skipping Section 3)
+
+When the working tree is clean but commits are ahead, check for methodology issues before pushing:
+
+1. **Detect methodology files in committed changes**:
+   ```bash
+   git diff --name-only <comparison-ref>..HEAD | grep "^diff_diff/.*\.py$" | grep -v "__init__"
+   ```
+
+2. If methodology files are present:
+   1. Read `/pre-merge-check` Section 2.1 for pattern check definitions.
+   2. Run **all four pattern checks (A through D)** on those methodology files.
+      **Check C override**: The canonical Check C uses `git diff HEAD` which is empty on a clean working tree. For already-committed changes, substitute `git diff <comparison-ref>..HEAD -- <changed-methodology-files>` to extract new `self.X` assignments from the committed diff range.
+   3. For any matches, display the file:line and flag message from that section.
+
+   If warnings are found, display them as warnings (non-blocking) since changes are already committed.
+
+3. **REGISTRY.md check**: Check whether `docs/methodology/REGISTRY.md` is also in the committed changes (`git diff --name-only <comparison-ref>..HEAD`).
+   If methodology files changed but REGISTRY.md was NOT modified, warn:
+   "Methodology files changed but `docs/methodology/REGISTRY.md` was not updated.
+   If your changes deviate from reference implementations, document them using a
+   reviewer-recognized label (`**Note:**`, `**Deviation from R:**`, or
+   `**Note (deviation from R):**`) — undocumented deviations are flagged as P1
+   by the AI reviewer."
+   This is a WARNING, not a blocker.
+
+Note: Section 3b checks are informational warnings only — no AskUserQuestion prompt, since changes are already committed and cannot be unstaged. This differs from the staged-changes path (Section 3) which offers a "fix vs continue" choice.
+
 ### 3. Stage and Commit Changes
 
 1. **Stage all changes**:
@@ -126,9 +151,10 @@ When the working tree is clean but commits are ahead, scan for secrets in the co
    git diff --cached --name-only | grep "^diff_diff/.*\.py$" | grep -v "__init__"
    ```
 
-   If methodology files are present, run Checks A and B from `/pre-merge-check` Section 2.1 on those files:
-   - **Check A**: `grep -n "t_stat[[:space:]]*=[[:space:]]*[^#]*/ *se" <methodology-files> | grep -v "safe_inference"`
-   - **Check B**: `grep -En "if.*(se|SE).*>.*0.*else[[:space:]]+(0\.0|0)" <methodology-files>`
+   If methodology files are present:
+   1. Read `/pre-merge-check` Section 2.1 for pattern check definitions.
+   2. Run **all four pattern checks (A through D)** on the staged methodology files.
+   3. For any matches, display the file:line and flag message from that section.
 
    If warnings are found:
    ```
@@ -141,22 +167,29 @@ When the working tree is clean but commits are ahead, scan for secrets in the co
    ```
    Use AskUserQuestion. If user chooses to fix, abort the commit flow.
 
+   **REGISTRY.md check** (if methodology files are staged):
+   Check whether `docs/methodology/REGISTRY.md` is also in the staged file set.
+   If methodology files changed but REGISTRY.md was NOT staged, warn:
+   "Methodology files changed but `docs/methodology/REGISTRY.md` was not updated.
+   If your changes deviate from reference implementations, document them using a
+   reviewer-recognized label (`**Note:**`, `**Deviation from R:**`, or
+   `**Note (deviation from R):**`) — undocumented deviations are flagged as P1
+   by the AI reviewer."
+   This is a WARNING, not a blocker.
+
 3. **Capture file count for reporting**:
    ```bash
    git diff --cached --name-only | wc -l
    ```
    Store as `<files-changed-count>` for use in final report.
 
 4. **Secret scanning check** (same as submit-pr):
-   - **Run deterministic pattern check** (file names only, no content leaked):
-     ```bash
-     secret_files=$(git diff --cached -G "(AKIA[A-Z0-9]{16}|ghp_[a-zA-Z0-9]{36}|sk-[a-zA-Z0-9]{48}|gho_[a-zA-Z0-9]{36}|[Aa][Pp][Ii][_-]?[Kk][Ee][Yy][[:space:]]*[=:]|[Ss][Ee][Cc][Rr][Ee][Tt][_-]?[Kk][Ee][Yy][[:space:]]*[=:]|[Pp][Aa][Ss][Ss][Ww][Oo][Rr][Dd][[:space:]]*[=:]|[Pp][Rr][Ii][Vv][Aa][Tt][Ee][_-]?[Kk][Ee][Yy]|[Bb][Ee][Aa][Rr][Ee][Rr][[:space:]]+[a-zA-Z0-9_-]+|[Tt][Oo][Kk][Ee][Nn][[:space:]]*[=:])" --name-only 2>/dev/null || true)
-     ```
-     Note: Uses `-G` to search diff content but `--name-only` to output only file names, preventing secret values from appearing in logs. The `|| true` prevents exit status 1 when patterns match from aborting strict runners.
-   - **Check for sensitive file names**:
+   - **Run deterministic pattern check** using the canonical patterns from `/pre-merge-check` Section 2.6:
      ```bash
-     sensitive_files=$(git diff --cached --name-only | grep -iE "(\.env|credentials|secret|\.pem|\.key|\.p12|\.pfx|id_rsa|id_ed25519)$" || true)
+     secret_files=$(git diff --cached -G "<content pattern from Section 2.6>" --name-only 2>/dev/null || true)
+     sensitive_files=$(git diff --cached --name-only | grep -iE "<filename pattern from Section 2.6>" || true)
      ```
+     Read the actual regex values from `/pre-merge-check` Section 2.6 at execution time. Uses `-G` to search diff content but `--name-only` to output only file names.
    - **If patterns detected** (i.e., `secret_files` or `sensitive_files` is non-empty), **unstage and warn**:
      ```bash
      git reset HEAD

.claude/commands/review-plan.md

@@ -297,8 +297,8 @@ Only evaluate this dimension when `--pr` was provided and a non-empty comment wa
 
 Use judgment, not just substring matching — the plan may use different words to describe the same fix.
 
-**Verdict impact:**
-- Unaddressed P0/P1/Critical items -> automatic "Needs revision"
+**Assessment impact:**
+- Unaddressed P0/P1/Critical items -> results in "Significant issues found"
 - Unaddressed P2/Medium items count as Medium issues
 - Unaddressed P3/Low items count as Low issues
 
@@ -325,7 +325,7 @@ Present the review in the following format. Number each issue sequentially withi
 ```
 ## Overall Assessment
 
-[2-3 sentences: what the plan does, whether it's ready for implementation, and the biggest concern if any]
+[2-3 sentences: what the plan does, the reviewer's key observations, and the biggest concern if any]
 
 ---
 
@@ -426,11 +426,11 @@ The `--pr` URL must be the same across the initial review and the `--updated` re
 | PR feedback gaps | [count of Not Addressed + Partially Addressed] (only if `--pr`) |
 | Questions | [count] |
 
-**Verdict**: [Ready / Ready with minor fixes / Needs revision]
+**Assessment**: [No critical issues found / Minor issues to address / Significant issues found]
 
-- **Ready**: No critical issues, few or no medium issues
-- **Ready with minor fixes**: No critical issues, some medium issues that are straightforward to address
-- **Needs revision**: Has critical issues or many medium issues that require rethinking the approach
+- **No critical issues found**: No critical issues, few or no medium issues
+- **Minor issues to address**: No critical issues, some medium issues that are straightforward to address
+- **Significant issues found**: Has critical issues or many medium issues that require rethinking the approach
 ```
 
 ### Step 6: Save Review to File
@@ -455,7 +455,7 @@ After displaying the review in the conversation (Step 5), persist it to a file a
    ---
    plan: ~/.claude/plans/foo.md
    reviewed_at: "2026-02-15T14:30:00Z"
-   verdict: "Needs revision"
+   assessment: "Significant issues found"
    critical_count: 2
    medium_count: 3
    low_count: 1

.claude/commands/revise-plan.md

@@ -86,7 +86,7 @@ If "Skip review" is chosen:
     ---
     plan: <plan-file-path>
     reviewed_at: <ISO 8601 timestamp>
-    verdict: "Skipped"
+    assessment: "Skipped"
     critical_count: 0
     medium_count: 0
     low_count: 0
@@ -140,12 +140,12 @@ Extract from the review content:
 - Issues by severity: CRITICAL #N, MEDIUM #N, LOW #N
 - Checklist gaps
 - Questions for Author
-- Verdict
+- Assessment
 
 Display a summary:
 ```
 Found: N CRITICAL, N MEDIUM, N LOW issues, N checklist gaps, N questions
-Verdict: <verdict>
+Assessment: <assessment>
 ```
 
 ### Step 6: Collect User Input

.claude/commands/submit-pr.md

@@ -138,9 +138,10 @@ Determine if this is a fork-based workflow:
    git diff --cached --name-only | grep "^diff_diff/.*\.py$" | grep -v "__init__"
    ```
 
-   If methodology files are present, run Checks A and B from `/pre-merge-check` Section 2.1 on those files:
-   - **Check A**: `grep -n "t_stat[[:space:]]*=[[:space:]]*[^#]*/ *se" <methodology-files> | grep -v "safe_inference"`
-   - **Check B**: `grep -En "if.*(se|SE).*>.*0.*else[[:space:]]+(0\.0|0)" <methodology-files>`
+   If methodology files are present:
+   1. Read `/pre-merge-check` Section 2.1 for pattern check definitions.
+   2. Run **all four pattern checks (A through D)** on the staged methodology files.
+   3. For any matches, display the file:line and flag message from that section.
 
    If warnings are found:
    ```
@@ -153,18 +154,25 @@ Determine if this is a fork-based workflow:
    ```
    Use AskUserQuestion. If user chooses to fix, abort the commit flow and let them address the issues.
 
+3. **REGISTRY.md check** (if methodology files are staged):
+   Check whether `docs/methodology/REGISTRY.md` is also in the staged file set (`git diff --cached --name-only`).
+   If methodology files changed but REGISTRY.md was NOT staged, warn:
+   "Methodology files changed but `docs/methodology/REGISTRY.md` was not updated.
+   If your changes deviate from reference implementations, document them using a
+   reviewer-recognized label (`**Note:**`, `**Deviation from R:**`, or
+   `**Note (deviation from R):**`) — undocumented deviations are flagged as P1
+   by the AI reviewer."
+   This is a WARNING, not a blocker.
+
 ### 6. Commit Changes
 
 1. **Secret scanning check** (files already staged from 5b):
-   - **Run deterministic pattern check** (file names only, no content leaked):
-     ```bash
-     secret_files=$(git diff --cached -G "(AKIA[A-Z0-9]{16}|ghp_[a-zA-Z0-9]{36}|sk-[a-zA-Z0-9]{48}|gho_[a-zA-Z0-9]{36}|[Aa][Pp][Ii][_-]?[Kk][Ee][Yy][[:space:]]*[=:]|[Ss][Ee][Cc][Rr][Ee][Tt][_-]?[Kk][Ee][Yy][[:space:]]*[=:]|[Pp][Aa][Ss][Ss][Ww][Oo][Rr][Dd][[:space:]]*[=:]|[Pp][Rr][Ii][Vv][Aa][Tt][Ee][_-]?[Kk][Ee][Yy]|[Bb][Ee][Aa][Rr][Ee][Rr][[:space:]]+[a-zA-Z0-9_-]+|[Tt][Oo][Kk][Ee][Nn][[:space:]]*[=:])" --name-only 2>/dev/null || true)
-     ```
-     Note: Uses `-G` to search diff content but `--name-only` to output only file names, preventing secret values from appearing in logs. The `|| true` prevents exit status 1 when patterns match from aborting strict runners.
-   - **Check for sensitive file names** (case-insensitive):
+   - **Run deterministic pattern check** using the canonical patterns from `/pre-merge-check` Section 2.6:
      ```bash
-     git diff --cached --name-only | grep -iE "(\.env|credentials|secret|\.pem|\.key|\.p12|\.pfx|id_rsa|id_ed25519)$" || true
+     secret_files=$(git diff --cached -G "<content pattern from Section 2.6>" --name-only 2>/dev/null || true)
+     sensitive_files=$(git diff --cached --name-only | grep -iE "<filename pattern from Section 2.6>" || true)
      ```
+     Read the actual regex values from `/pre-merge-check` Section 2.6 at execution time. Uses `-G` to search diff content but `--name-only` to output only file names, preventing secret values from appearing in logs.
    - **Optional**: For more thorough scanning, use dedicated tools if available:
      ```bash
      # gitleaks detect --staged --no-git  # If gitleaks installed
@@ -174,7 +182,7 @@ Determine if this is a fork-based workflow:
      ```bash
      git diff --cached --name-only --diff-filter=A
      ```
-   - **If patterns detected** (i.e., `secret_files` or sensitive file names non-empty), **unstage and warn**:
+   - **If patterns detected** (i.e., `secret_files` or `sensitive_files` is non-empty), **unstage and warn**:
      ```bash
      git reset HEAD  # Unstage all files
      ```

.claude/hooks/test-check-plan-review.sh

@@ -44,7 +44,7 @@ create_review() {
 ---
 plan: $plan_path
 reviewed_at: 2026-01-01T00:00:00Z
-verdict: "Approved"
+assessment: "No critical issues found"
 critical_count: 0
 medium_count: 0
 low_count: 0
@@ -167,7 +167,7 @@ touch -t 202601010001 "$PLAN"
 cat > "$REVIEW" <<EOF
 ---
 reviewed_at: 2026-01-01T00:00:00Z
-verdict: "Approved"
+assessment: "No critical issues found"
 ---
 Review without plan field.
 EOF

CLAUDE.md

@@ -163,15 +163,15 @@ Before calling `ExitPlanMode`, offer the user an independent plan review via `As
 **If review requested**: Spawn review agent (Task tool, `subagent_type: "general-purpose"`)
 to read `.claude/commands/review-plan.md` and follow Steps 2-5. Display output in conversation.
 Save to `~/.claude/plans/<plan-basename>.review.md` with YAML frontmatter (plan path,
-timestamp, verdict, issue counts). Update sentinel. Collect feedback and revise if needed.
+timestamp, assessment, issue counts). Update sentinel. Collect feedback and revise if needed.
 Touch review file after revision to avoid staleness check failure.
 
 **If skipped**: Write a minimal review marker to `~/.claude/plans/<plan-basename>.review.md`:
 ```yaml
 ---
 plan: <plan-file-path>
 reviewed_at: <ISO 8601 timestamp>
-verdict: "Skipped"
+assessment: "Skipped"
 critical_count: 0
 medium_count: 0
 low_count: 0