feat: earl agent skills suite (setup-earl, create-template, migrate-to-earl, troubleshoot-earl, secure-agent)

[jrandolf]

Summary

• Renames getting-started-with-earl → setup-earl and moves shared reference files to skills/references/
• Rewrites setup-earl with a 5-phase bootstrap flow: Install → Demo → Connect → Route → Lock Down
• Adds 4 new skills: create-template, migrate-to-earl, troubleshoot-earl, secure-agent
• Adds skills/migrate-to-earl/references/cli-to-earl-mapping.md mapping 25 pre-built providers to grep patterns

Skills

Skill	Purpose
setup-earl	End-to-end bootstrap: install, MCP config, CLAUDE.md, route to next skill
create-template	Author a new HCL template with human review gate before any earl call
migrate-to-earl	Scan codebase for raw API/CLI calls, replace with Earl templates one provider at a time
troubleshoot-earl	6-step cold-start diagnostic for installation, template, auth, and MCP issues
secure-agent	Configure deniedTools + [[network.allow]] egress rules to make Earl enforceable

Test Plan

• All 16 Rust tests pass
• No stale getting-started-with-earl references remain
• All SKILL.md frontmatter name: fields are correct
• All 8 shared reference files present in skills/references/
• All Earl CLI commands used in skills verified (earl call, earl doctor, earl mcp, etc.)

🤖 Generated with Claude Code

[jrandolf]

@claude
Review this

[claude]

Claude finished @jrandolf's task in 3m 28s —— View job

---

PR Review

• Gathering context
• Reading changed files
• Reviewing skills content
• Final assessment

---

Overall

Well-structured suite. The 5-phase setup-earl flow is clear, the scope constraints in migrate-to-earl are thoughtful (particularly the one-provider-per-run and commit-checkpoint rules), and the cross-skill routing (invoke troubleshoot-earl, invoke create-template, etc.) is consistent throughout. The rename + reference consolidation is clean.

A few concrete issues below — two are real bugs that could confuse users.

---

Issues

cargo install earl missing Node.js + pnpm requirement — Medium

setup-earl/SKILL.md:37-38 and troubleshoot-earl/SKILL.md:39 describe cargo install earl as requiring only "the Rust toolchain." But quick-start.mdx:54 explicitly states it also requires Node.js + pnpm because Earl embeds web playground assets at compile time. An agent (or user) following the skill without Node.js will get a cryptic build failure.

Fix this →

---

migrate-to-earl scope constraint cap inconsistency — Medium

migrate-to-earl/SKILL.md:17:

Cap at 10 call sites. If more than 10 are found, ask which 5 to prioritize.

The cap is 10 but then asks the user to pick 5. Should be "ask which 10 to prioritize" (or adjust the cap to 5 throughout).

Fix this →

---

secure-agent Step 4 verification is circular for Claude Code — Minor

secure-agent/SKILL.md:100-106:

curl https://example.com

After applying deniedTools: ["Bash(curl *)"], Claude Code blocks the agent from running curl. So the agent will always see "command denied" — it can't distinguish "denylist works" from "command failed for another reason." Additionally, an agent that just applied the restriction is the same agent being asked to bypass it, which is confusing.

Suggest either (a) instructing the user to test manually, or (b) noting that the tool-denied error returned by Claude Code is itself evidence of success.

Fix this →

---

migrate-to-earl reference file URL not provided — Minor

migrate-to-earl/SKILL.md:27 says:

Read references/cli-to-earl-mapping.md for the full list of patterns and files to scan.

This works on a local checkout, but if the skill is invoked via URL fetch (the recommended entry point), the agent doesn't know the full URL for this nested reference file. The setup-earl quick-start prompt only tells agents to prefetch files under skills/references/, not skills/migrate-to-earl/references/. Consider either (a) moving the mapping file to skills/references/, or (b) annotating the path with the full raw URL.

---

jq dependency not mentioned — Nit

setup-earl/SKILL.md:91: earl templates list --json | jq length requires jq, which isn't flagged as a prerequisite. Most dev machines will have it, but a parenthetical would help (requires jq).

---

Cursor instructions incomplete in secure-agent — Nit

secure-agent/SKILL.md:29 says "Verify against Cursor docs" with no further instruction. Even a pointer to the likely config location (.cursor/mcp.json is mentioned in setup-earl) would be better than a dead end.

---

What's Good

• The two-session model explanation in setup-earl (Phase 3) is important and well-placed — prevents a common confusing pattern where agents try to use MCP tools before restarting.
• Human-action vs agent-action separation is clear in troubleshoot-earl — the "What Requires Human Action" section up front is excellent.
• The SSRF warning block in create-template is well-positioned (Phase 2, before any template is written).
• --yes flag ordering note in setup-earl (Phase 3) will prevent a real pain point.
• The commit checkpoint in migrate-to-earl (Phase 3) before rewriting call sites is a good safety guard.

[jrandolf]

@claude
Review this

[claude]

Claude finished @jrandolf's task in 2m 43s —— View job

---

PR Review

• Gathering context
• Reading changed files
• Reviewing skills content
• Final assessment

---

Overall

The previous Claude review feedback has all been addressed in de22f5e. The Node.js + pnpm note, cap inconsistency, circular verification, reference URL, jq annotation, and Cursor docs note are all resolved. The suite is well-structured.

A few new issues below — one is a real usability gap.

---

Issues

create-template reference files have no URL fallback — Minor

create-template/SKILL.md:53-57 gives relative paths for all 5 protocol reference files:

| ... | `http` | `../references/http-templates.md` |
| ... | `graphql` | `../references/graphql-templates.md` |

migrate-to-earl (now fixed) adds a full raw URL alongside its reference path. create-template doesn't. An agent that invokes create-template directly — without having pre-fetched skills/references/ via the quick-start prompt — will try to read a relative path that doesn't resolve. The fix is to add the raw GitHub URL as a fallback for each row, matching the pattern in migrate-to-earl:27.

Fix this →

---

Supabase grep pattern misses .com domain — Nit

migrate-to-earl/references/cli-to-earl-mapping.md:34:

curl.*supabase\.co

Supabase project URLs commonly use *.supabase.com (e.g. <project-ref>.supabase.com). The .co pattern only matches the legacy TLD. Change to curl.*supabase\.(co|com) to catch both.

Fix this →

---

secure-agent egress rules go to global config only — Nit

secure-agent/SKILL.md:132: [[network.allow]] rules are written to ~/.config/earl/config.toml (global). For project-level setups it may be desirable to scope egress rules to just the current project. If Earl supports a local config (e.g. ./earl.toml or .earl/config.toml), this section should mention it. If not, a note that egress rules are global-only would help users understand the scope.

---

All Previous Issues: Resolved ✓

Issue	Status
cargo install earl missing Node.js + pnpm	✓ Fixed in setup-earl:38, troubleshoot-earl:38
Cap inconsistency (10 vs 5) in migrate-to-earl	✓ Fixed — now consistently "10"
Circular curl verification in secure-agent Step 4	✓ Fixed — denial error is now correctly explained as the success signal
migrate-to-earl reference file missing URL	✓ Fixed — full raw URL added at line 27
jq dependency not noted	✓ Fixed — # requires jq added to setup-earl:91
Cursor instructions incomplete in secure-agent	✓ Partially addressed — platform table clarified

---

What's Good

• The two-session model explanation in setup-earl Phase 3 is well-placed and clearly worded.
• migrate-to-earl scope constraints (one provider, cap at 10, commit checkpoint, flag complex pipelines) are thoughtful — exactly the kind of guardrails that prevent agent messes.
• secure-agent Step 4 verification is now correctly framed: the denial IS the success signal, and the fallback for other platforms (ask user to test manually) is the right approach.
• The "What Requires Human Action" section in troubleshoot-earl is excellent — sets correct expectations up front.
• SSRF warning in create-template Phase 2 is well-positioned and specific about private IP ranges.
• The cli-to-earl-mapping.md reference is clean and actionable — grep patterns are specific enough to avoid false positives.

[jrandolf]

@claude
Review this

[claude]

Claude finished @jrandolf's task in 3m 46s —— View job

---

PR Review

• Gathering context
• Reading changed files
• Reviewing skills content
• Final assessment

---

Overall

All previous round-1 and round-2 feedback is addressed. Three new findings below — one is a real correctness bug confirmed against the actual HCL template file.

---

Issues

Jira grep pattern misses the actual Jira API URL format — Medium

migrate-to-earl/references/cli-to-earl-mapping.md:18:

curl.*api\.atlassian\.com.*jira

The jira.hcl template itself uses https://{{ args.domain }}.atlassian.net/rest/api/2/... — the tenant-specific atlassian.net subdomain, not api.atlassian.com. A codebase with curl https://mycompany.atlassian.net/rest/api/... calls will not match this pattern, so those call sites will be silently missed during the scan phase. The pattern should be curl.*atlassian\.net (or combined: curl.*atlassian\.(com|net)) to match both the platform API and the tenant-specific REST API.

Fix this →

---

troubleshoot-earl Step 5 only covers Claude Code and Claude Desktop — Minor

troubleshoot-earl/SKILL.md:104-119: Step 5 shows MCP config paths for Claude Code and Claude Desktop only. But setup-earl also configures Cursor (.cursor/mcp.json) and Windsurf (.windsurf/mcp.json). An agent troubleshooting an MCP-not-visible issue in Cursor will hit a dead end here — there's no config path to check.

Suggest adding:

**Cursor:** `.cursor/mcp.json`
**Windsurf:** `.windsurf/mcp.json`

Fix this →

---

--yes flag order not in troubleshoot-earl error table — Nit

troubleshoot-earl/SKILL.md:136-145: The Step 6 error table covers HCL errors, auth failures, SSRF blocks, etc. It doesn't include the --yes flag order issue, even though setup-earl explicitly warns this is a common mistake that causes Earl to hang interactively. Adding a row like:

| earl call hangs waiting for input | --yes flag in wrong position | Reorder: earl call --yes --json provider.command ... |

would let an agent diagnose this without needing to re-read setup-earl.

Fix this →

---

All Previous Issues: Resolved ✓

Issue	Round	Status
cargo install earl missing Node.js + pnpm	1	✓ Fixed
Cap inconsistency (10 vs 5) in migrate-to-earl	1	✓ Fixed
Circular curl verification in secure-agent Step 4	1	✓ Fixed
migrate-to-earl reference file missing URL	1	✓ Fixed
jq dependency not noted	1	✓ Fixed
Cursor instructions incomplete in secure-agent	1	✓ Fixed
create-template reference files no URL fallback	2	✓ Fixed — raw URLs present for all 5 protocols
Supabase grep pattern missing .com TLD	2	✓ Fixed — now supabase\.(co|com)
secure-agent egress rules global scope not noted	2	✓ Fixed — note added at Step 5

---

What's Good

• examples/bash/system.hcl URL in setup-earl Phase 2 is correct — confirmed against the actual repo structure (system.hcl is in examples/bash/, not the root examples/).
• The 25 pre-built provider import URLs are all flat at examples/<provider>.hcl — consistent with the mapping file.
• Shopify grep pattern (curl.*shopify\.com/admin) correctly catches myshopify.com/admin since it's a substring match — not a bug.
• The "What Requires Human Action" section in troubleshoot-earl continues to be the strongest UX pattern in the suite.
• secure-agent Step 4 verification framing (denial error = success signal) is now correct and clearly explained.

[jrandolf]

@claude
Review this

[claude]

Claude finished @jrandolf's task in 4m 12s —— View job

---

PR Review

• Gathering context
• Reading changed files
• Reviewing skills content
• Final assessment

---

Overall

All previous round-3 feedback is addressed in bfec7ee. The Jira grep pattern fix, Cursor/Windsurf in troubleshoot-earl Step 5, and --yes flag row in the error table are all confirmed. One new medium issue below, and two small ones.

---

Issues

secure-agent verification assumes system.list_files is imported — Medium

secure-agent/SKILL.md:121-124:

earl call --yes --json system.list_files --path .
Expected: succeeds (Earl is not in the denylist).

system.list_files only exists if examples/bash/system.hcl was imported (which happens in setup-earl Phase 2). secure-agent's description says "Use after Earl is working and templates are created" — which implies standalone invocation is expected. A user who set up Earl manually without setup-earl won't have the system template, so the verification fails with no such command, indistinguishable from Earl being broken by the denylist.

Fix: replace with earl templates list or earl doctor, neither of which depends on any specific template being imported.

Fix this →

---

cli-to-earl-mapping.md scan list omits Dockerfile and docker-compose — Minor

cli-to-earl-mapping.md:47-54 lists file patterns to scan, but Dockerfile, docker-compose*.yml, and compose*.yaml are missing. These are common homes for RUN curl ... and RUN wget ... calls (fetching binaries, install scripts, signing keys) and are frequently the densest source of raw curl usage in a repo.

Fix this →

---

SSRF warning in create-template doesn't mention 0.0.0.0 — Nit

create-template/SKILL.md:63: The warning lists localhost, 127.0.0.1, and private IP ranges but omits 0.0.0.0. On some platforms 0.0.0.0 is used as a wildcard that resolves to localhost and will similarly be blocked.

---

All Previous Issues: Resolved ✓

Issue	Round	Status
cargo install earl missing Node.js + pnpm	1	✓ Fixed
Cap inconsistency (10 vs 5) in migrate-to-earl	1	✓ Fixed
Circular curl verification in secure-agent Step 4	1	✓ Fixed
migrate-to-earl reference file missing URL	1	✓ Fixed
jq dependency not noted	1	✓ Fixed
Cursor instructions incomplete in secure-agent	1	✓ Fixed
create-template reference files no URL fallback	2	✓ Fixed
Supabase grep pattern missing .com TLD	2	✓ Fixed
secure-agent egress rules global scope not noted	2	✓ Fixed
Jira grep pattern misses atlassian.net	3	✓ Fixed — now atlassian\.(com|net)
troubleshoot-earl Step 5 missing Cursor/Windsurf	3	✓ Fixed
--yes flag order not in troubleshoot-earl error table	3	✓ Fixed

---

What's Good

• system.hcl confirmed to define both disk_usage and list_files — the Phase 2 demo in setup-earl imports both commands correctly.
• The 25-provider list in create-template Phase 1 matches cli-to-earl-mapping.md exactly — no drift.
• Cross-skill routing is consistent throughout: every skill's "Next Steps" section correctly names the other skills by their canonical name: values.
• The commit checkpoint in migrate-to-earl Phase 6 and the human-review gate in create-template Phase 5 are the right guardrails at the right places.

[jrandolf]

@claude
Review this

[claude]

Claude finished @jrandolf's task in 2m 34s —— View job

---

PR Review

• Gathering context
• Reading changed files
• Reviewing skills content
• Final assessment

---

Overall

All round-4 feedback is addressed in fb978e7. The earl templates list verification fix, Dockerfile scan addition, and 0.0.0.0 SSRF warning are all confirmed. Two new findings below — one is a real usability gap.

---

Issues

create-template pre-built import path skips secrets and verification — Medium

create-template/SKILL.md:31-43: When a pre-built template is imported in Phase 1, the skill says "Only proceed to custom template authoring if no pre-built template matches the need." This exits the skill before Phase 7 (secrets) and Phase 8 (verify).

A user who imports github.hcl still needs to set GITHUB_TOKEN and run a test call before the template is usable. Right now, create-template only prompts for secrets and verify on the custom authoring path. Note that migrate-to-earl correctly handles this: its Phase 2 (import) continues to Phase 4 (secrets) and Phase 5 (verify). create-template has no equivalent continuation for the pre-built case.

Fix: after a pre-built import in Phase 1, explicitly continue to Phase 7 and Phase 8 (skipping the custom authoring phases 2–6).

Fix this →

---

cli-to-earl-mapping.md provider patterns don't include wget — Minor

cli-to-earl-mapping.md:8-34: All 25 provider grep patterns are curl.* only. A codebase using wget https://api.github.com/... or wget https://api.stripe.com/... would be silently missed during the scan phase — the agent would report "no call sites found" even though they exist.

secure-agent/SKILL.md:55 already lists Bash(wget *) as a tool to deny for HTTP API templates, so the lockdown skill knows wget is a bypass vector, but the scan phase won't surface it. Suggest adding a wget variant column or note to the mapping table, or prefixing provider patterns with (curl|wget) where appropriate.

Fix this →

---

All Previous Issues: Resolved ✓

Issue	Round	Status
cargo install earl missing Node.js + pnpm	1	✓ Fixed
Cap inconsistency (10 vs 5) in migrate-to-earl	1	✓ Fixed
Circular curl verification in secure-agent Step 4	1	✓ Fixed
migrate-to-earl reference file missing URL	1	✓ Fixed
jq dependency not noted	1	✓ Fixed
Cursor instructions incomplete in secure-agent	1	✓ Fixed
create-template reference files no URL fallback	2	✓ Fixed
Supabase grep pattern missing .com TLD	2	✓ Fixed
secure-agent egress rules global scope not noted	2	✓ Fixed
Jira grep pattern misses atlassian.net	3	✓ Fixed
troubleshoot-earl Step 5 missing Cursor/Windsurf	3	✓ Fixed
--yes flag order not in troubleshoot-earl error table	3	✓ Fixed
secure-agent verify assumes system.list_files imported	4	✓ Fixed — now uses earl templates list
cli-to-earl-mapping.md missing Dockerfile/docker-compose	4	✓ Fixed
SSRF warning missing 0.0.0.0	4	✓ Fixed

---

What's Good

• Cross-skill routing is consistent throughout — every skill's "Next Steps" correctly uses invoke <name> with canonical name: values.
• earl call flag order (--yes --json before the command name) is consistent in all 5 skills.
• troubleshoot-earl error table is now comprehensive: covers HCL, Jinja, auth, SSRF, install, command name, MCP, flag order, keychain, and OAuth. Hard to think of a common failure path that isn't represented.
• The two-session model note in setup-earl Phase 3 continues to be well-placed.
• migrate-to-earl correctly handles post-import continuity (secrets + verify after Phase 2 import), which makes the create-template gap more noticeable by contrast.

[jrandolf]

@claude
Review this

[claude]

Claude finished @jrandolf's task in 3m 10s —— View job

---

PR Review

• Gathering context
• Reading changed files
• Reviewing skills content
• Final assessment

---

Overall

All round-5 feedback is addressed in d15783d. The pre-built import path in create-template now correctly routes to Phase 7+8, and cli-to-earl-mapping.md has the wget note at the top. Two small new findings below.

---

Issues

create-template Phase 1 doesn't check if provider is already imported — Minor

create-template/SKILL.md:36-44 jumps straight to earl templates import without first checking earl templates list. By contrast, migrate-to-earl/SKILL.md:53 explicitly says: "Check earl templates list first — if the provider is already imported, skip this step."

The consequence: if a user has a customized version of github.hcl (extra commands added), invoking create-template for GitHub would silently re-import and overwrite it with the upstream template. The fix is to add the same guard used in migrate-to-earl.

Fix this →

---

migrate-to-earl Phase 4 re-prompts for secrets already handled by create-template — Nit

migrate-to-earl/SKILL.md:86-107: Phase 4 prints a secrets checklist for all imported/created templates. When Phase 2 takes the "no pre-built" path and invokes create-template, that skill already runs through its own Phase 7 (secrets checklist + earl secrets list verification) before returning. migrate-to-earl Phase 4 then re-prompts the user for the same secrets.

The verification (earl secrets list) would pass immediately since secrets are already set, so it's harmless — but the user sees a redundant "set these secrets" prompt right after create-template just confirmed they're done. A note like "(skip if create-template was invoked in Phase 2 — it already handled secrets)" would prevent the confusion.

Fix this →

---

All Previous Issues: Resolved ✓

Issue	Round	Status
cargo install earl missing Node.js + pnpm	1	✓ Fixed
Cap inconsistency (10 vs 5) in migrate-to-earl	1	✓ Fixed
Circular curl verification in secure-agent Step 4	1	✓ Fixed
migrate-to-earl reference file missing URL	1	✓ Fixed
jq dependency not noted	1	✓ Fixed
Cursor instructions incomplete in secure-agent	1	✓ Fixed
create-template reference files no URL fallback	2	✓ Fixed
Supabase grep pattern missing .com TLD	2	✓ Fixed
secure-agent egress rules global scope not noted	2	✓ Fixed
Jira grep pattern misses atlassian.net	3	✓ Fixed
troubleshoot-earl Step 5 missing Cursor/Windsurf	3	✓ Fixed
--yes flag order not in troubleshoot-earl error table	3	✓ Fixed
secure-agent verify assumes system.list_files imported	4	✓ Fixed
cli-to-earl-mapping.md missing Dockerfile/docker-compose	4	✓ Fixed
SSRF warning missing 0.0.0.0	4	✓ Fixed
create-template pre-built path skips secrets + verify	5	✓ Fixed — now routes to Phase 7+8
Provider patterns don't cover wget	5	✓ Fixed — note added at top of mapping table

---

What's Good

• create-template now correctly routes pre-built imports through Phase 7+8 — the fix matches the behavior migrate-to-earl always had.
• The wget note approach (one note at the top vs duplicating every pattern) is cleaner than adding a second column and is clear enough for agents to act on.
• secure-agent Step 4 verification is now the cleanest in the suite — "denial IS the success signal" is the correct framing and hard to misread.
• troubleshoot-earl Step 6 error table is now comprehensive across all known failure modes.
• setup-earl Phase 3 two-session model note continues to be the right place for that clarification.

[jrandolf]

@claude
Review this

[claude]

Claude finished @jrandolf's task in 3m 44s —— View job

---

PR Review

• Gathering context
• Reading changed files
• Reviewing skills content
• Final assessment

---

Overall

All round-6 feedback is addressed in 0142a08. The earl templates list guard in create-template Phase 1 and the Phase 4 skip note in migrate-to-earl are both confirmed in the current files. Two new real issues below, plus a minor one.

---

Issues

create-template Phase 1 command-level check is too coarse — Medium

create-template/SKILL.md:40-41:

If the provider is already present (e.g. github.get_repo appears in the list), skip the import and go directly to Phase 7 to set any missing secrets.

The check is provider-level, not command-level. If a user invokes create-template to add a new github.search_code command that doesn't exist in the pre-built template, the agent will see github.get_repo in the list, conclude the provider is present, and skip directly to Phase 7 — bypassing the custom authoring flow entirely (Phases 2–6). The specific command the user asked for never gets created.

The guard should check whether the specific requested command already exists, not just whether any command for that provider is present. If the provider exists but the specific command doesn't, the agent should proceed to custom authoring and add the new command block to the existing file (Phase 4 already handles this: "If the file already exists: Read it first. Add the new command block to the existing file rather than overwriting it.").

Fix this →

---

troubleshoot-earl Step 5 missing Windows path for Claude Desktop — Medium

troubleshoot-earl/SKILL.md:117:

**Claude Desktop:** `~/Library/Application Support/Claude/claude_desktop_config.json` (macOS)

Only the macOS path is listed. setup-earl/SKILL.md:83 shows both:

~/Library/Application Support/Claude/claude_desktop_config.json (macOS) or %APPDATA%\Claude\claude_desktop_config.json (Windows)

An agent troubleshooting a Windows user's Claude Desktop MCP config would look for a path that doesn't exist on their system. The Windows path should be added to match setup-earl.

Fix this →

---

create-template Phase 7 "After validation" phrasing is misleading for pre-built path — Minor

create-template/SKILL.md:200: Phase 7 opens with "After validation, check annotations.secrets for required secret keys." But for pre-built imports (Phase 1 → Phase 7, skipping Phases 2–6), there is no validation step. An agent following the pre-built path hasn't run earl templates validate, so "After validation" has no referent and can cause confusion about whether validation is a prerequisite.

Since the pre-built path skips validation, Phase 7 should either drop the "After validation" phrasing or clarify that it applies only to the custom authoring path. (The agent can still find the required secrets by reading ~/.config/earl/templates/<provider>.hcl after import.)

Fix this →

---

secure-agent Step 4 references docs with no link — Nit

secure-agent/SKILL.md:112: "Check the format against current Claude Code documentation — the exact pattern syntax may vary by version." No URL is provided. An agent that hits a pattern mismatch has no specific doc to check. A pointer to the Claude Code deniedTools docs or at minimum a search term would reduce dead-end troubleshooting time.

---

All Previous Issues: Resolved ✓

Issue	Round	Status
cargo install earl missing Node.js + pnpm	1	✓ Fixed
Cap inconsistency (10 vs 5) in migrate-to-earl	1	✓ Fixed
Circular curl verification in secure-agent Step 4	1	✓ Fixed
migrate-to-earl reference file missing URL	1	✓ Fixed
jq dependency not noted	1	✓ Fixed
Cursor instructions incomplete in secure-agent	1	✓ Fixed
create-template reference files no URL fallback	2	✓ Fixed
Supabase grep pattern missing .com TLD	2	✓ Fixed
secure-agent egress rules global scope not noted	2	✓ Fixed
Jira grep pattern misses atlassian.net	3	✓ Fixed
troubleshoot-earl Step 5 missing Cursor/Windsurf	3	✓ Fixed
--yes flag order not in troubleshoot-earl error table	3	✓ Fixed
secure-agent verify assumes system.list_files imported	4	✓ Fixed
cli-to-earl-mapping.md missing Dockerfile/docker-compose	4	✓ Fixed
SSRF warning missing 0.0.0.0	4	✓ Fixed
create-template pre-built path skips secrets + verify	5	✓ Fixed
Provider patterns don't cover wget	5	✓ Fixed
create-template Phase 1 doesn't check if provider already imported	6	✓ Fixed — earl templates list guard added
migrate-to-earl Phase 4 re-prompts after create-template	6	✓ Fixed — skip note added

---

What's Good

• The earl templates list guard in create-template Phase 1 prevents clobbering user-customized templates — the right place for this check.
• migrate-to-earl Phase 4 skip logic is clearly worded and correctly scoped to the Phase 2 invocation case.
• The wget note at the top of cli-to-earl-mapping.md is the right approach — single note beats duplicating every row.
• secure-agent Step 4 framing ("denial IS the success signal") is unambiguous and hard to misread.
• Cross-skill invoke routing uses canonical name: values consistently across all 5 skills.

[jrandolf]

@claude
Review this

[claude]

Claude finished @jrandolf's task in 3m 45s —— View job

---

PR Review

• Gathering context
• Reading changed files
• Reviewing skills content
• Final assessment

---

Overall

ac74093 addressed three of the four round-7 issues: Windows Claude Desktop path in troubleshoot-earl, Phase 7 phrasing in create-template, and deniedTools docs link in secure-agent. The one Medium issue from round 7 was not addressed. Two new Minor issues and one Nit below.

---

Issues

create-template Phase 1 command-level check still coarse — Medium (carried from round 7, not fixed in ac74093)

create-template/SKILL.md:40-41:

If the provider is already present (e.g. `github.get_repo` appears in the list), skip the
import and go directly to Phase 7 to set any missing secrets.

This is still a provider-level check. If a user asks to add github.search_code but github.get_repo already exists, the agent sees "provider present" and skips to Phase 7, bypassing custom authoring (Phases 2–6) entirely. The specific requested command never gets created. Phase 4 already has the right handling for this case: "If the file already exists: Read it first. Add the new command block to the existing file rather than overwriting it." The Phase 1 guard just needs to check whether the specific command exists, not whether any command for that provider exists.

Fix this →

---

create-template template is live before user review — Minor

create-template/SKILL.md:101-114 (Phase 4) instructs the agent to write the HCL file to disk. Phase 5 (line 166) then shows the file to the user for approval and says "Do not proceed until the user explicitly approves." But writing in Phase 4 makes the template immediately callable before the review happens — the note at line 177 confirms: "Agent-created templates are immediately callable — there is no staging step."

The skill should clarify that Phase 4 composes the template content (in memory or as a draft shown to the user), and the file is only written to disk after Phase 5 approval. As written, an agent will write the file in Phase 4 and the template is already live when the Phase 5 review dialog appears.

Fix this →

---

migrate-to-earl Phase 4 skip note is too narrow — Minor

migrate-to-earl/SKILL.md:88-89:

"Skip this phase if Phase 2 invoked create-template — that skill already ran secrets setup"

Phase 3 (line 82) can also invoke create-template: "For calls that don't map to any existing command, invoke create-template to add it." If create-template is invoked in Phase 3 (not Phase 2), Phase 4's skip check won't trigger and the user gets a redundant secrets prompt again. The note should cover both Phase 2 and Phase 3 invocations.

Fix this →

---

setup-earl Phase 2 demo has no re-import guard — Nit

setup-earl/SKILL.md:62-63:

earl templates import https://raw.githubusercontent.com/brwse/earl/main/examples/bash/system.hcl
earl call --yes --json system.list_files --path .

Unlike create-template Phase 1 (which now checks earl templates list before importing), the Phase 2 demo import runs unconditionally. On a re-run of setup-earl (e.g., to reconfigure MCP), this overwrites any user customizations to system.hcl. The same guard from migrate-to-earl:53 — "Check earl templates list first — if the provider is already imported, skip this step" — should apply here.

---

All Previous Issues: Resolved ✓

Issue	Round	Status
cargo install earl missing Node.js + pnpm	1	✓ Fixed
Cap inconsistency (10 vs 5) in migrate-to-earl	1	✓ Fixed
Circular curl verification in secure-agent Step 4	1	✓ Fixed
migrate-to-earl reference file missing URL	1	✓ Fixed
jq dependency not noted	1	✓ Fixed
Cursor instructions incomplete in secure-agent	1	✓ Fixed
create-template reference files no URL fallback	2	✓ Fixed
Supabase grep pattern missing .com TLD	2	✓ Fixed
secure-agent egress rules global scope not noted	2	✓ Fixed
Jira grep pattern misses atlassian.net	3	✓ Fixed
troubleshoot-earl Step 5 missing Cursor/Windsurf	3	✓ Fixed
--yes flag order not in troubleshoot-earl error table	3	✓ Fixed
secure-agent verify assumes system.list_files imported	4	✓ Fixed
cli-to-earl-mapping.md missing Dockerfile/docker-compose	4	✓ Fixed
SSRF warning missing 0.0.0.0	4	✓ Fixed
create-template pre-built path skips secrets + verify	5	✓ Fixed
Provider patterns don't cover wget	5	✓ Fixed
create-template Phase 1 doesn't check if provider already imported	6	✓ Fixed
migrate-to-earl Phase 4 re-prompts after create-template	6	✓ Fixed
troubleshoot-earl Step 5 missing Windows Claude Desktop path	7	✓ Fixed in ac74093
create-template Phase 7 "After validation" phrasing misleading	7	✓ Fixed in ac74093
secure-agent Step 4 references docs with no link	7	✓ Fixed in ac74093

---

What's Good

• The scope of ac74093 was precise: exactly the three flagged items were fixed without collateral changes.
• troubleshoot-earl Step 6 error table is now the most comprehensive in the suite — every known failure mode is represented.
• migrate-to-earl Phase 4 skip note is correctly scoped for the Phase 2 case — the Phase 3 gap above is genuinely narrow.
• secure-agent Step 4 verification framing is clean: "denial IS the success signal" with a docs link for pattern troubleshooting.
• Cross-skill invoke routing continues to be consistent throughout all 5 skills.

[jrandolf]

@claude
Review this

[claude]

Claude finished @jrandolf's task in 3m 28s —— View job

---

PR Review

• Gathering context
• Reading changed files
• Reviewing skills content
• Final assessment

---

Overall

3de3653 addressed the three round-8 issues (draft-before-write in create-template, widened Phase 4 skip to Phase 2+3 in migrate-to-earl, and re-import guard in setup-earl Phase 2). The one Medium issue from rounds 7 and 8 remains unaddressed. One new minor finding below.

---

Issues

create-template Phase 1 command-level check still coarse — Medium (carried from rounds 7 and 8, not fixed)

create-template/SKILL.md:40-41:

If the provider is already present (e.g. `github.get_repo` appears in the list), skip the
import and go directly to Phase 7 to set any missing secrets.

This is still provider-level. If the user invokes create-template to add github.search_code and github.get_repo already exists, the agent sees "provider present" and jumps to Phase 7 — the requested command never gets created. Phase 4 already handles the existing-file case correctly ("If the file already exists: Read it first. Add the new command block to the existing file rather than overwriting it"), so only the Phase 1 gate needs updating: check whether the specific requested command exists, not just whether any command for that provider exists. If the provider exists but the specific command doesn't, skip the import but continue to custom authoring (Phases 2–6).

Fix this →

---

cli-to-earl-mapping.md HubSpot pattern misses api.hubspot.com — Minor

cli-to-earl-mapping.md:30:

curl.*api\.hubapi\.com

HubSpot's CRM v3 and most newer APIs use api.hubspot.com, not api.hubapi.com (the older v1/v2 domain). A codebase with curl https://api.hubspot.com/crm/v3/... calls will be silently skipped during the scan phase. Change the pattern to curl.*api\.hub(api|spot)\.com to catch both domains.

Fix this →

---

create-template Phase 8 and migrate-to-earl Phase 5 have no write-mode side-effect warning — Nit

create-template/SKILL.md:233-237 and migrate-to-earl/SKILL.md:120:

Both verification phases instruct the agent to run a test earl call with --yes and representative parameters. For write-mode templates (annotations.mode = "write"), this executes the operation for real — creating a GitHub issue, posting a Slack message, creating a Stripe customer, etc. There's no caution about this. A brief note like "For write-mode commands, use a test or sandbox environment if available, or use read-only parameters that have no side effects" would prevent agents from accidentally creating real records as part of verification.

---

All Previous Issues: Resolved ✓

Issue	Round	Status
cargo install earl missing Node.js + pnpm	1	✓ Fixed
Cap inconsistency (10 vs 5) in migrate-to-earl	1	✓ Fixed
Circular curl verification in secure-agent Step 4	1	✓ Fixed
migrate-to-earl reference file missing URL	1	✓ Fixed
jq dependency not noted	1	✓ Fixed
Cursor instructions incomplete in secure-agent	1	✓ Fixed
create-template reference files no URL fallback	2	✓ Fixed
Supabase grep pattern missing .com TLD	2	✓ Fixed
secure-agent egress rules global scope not noted	2	✓ Fixed
Jira grep pattern misses atlassian.net	3	✓ Fixed
troubleshoot-earl Step 5 missing Cursor/Windsurf	3	✓ Fixed
--yes flag order not in troubleshoot-earl error table	3	✓ Fixed
secure-agent verify assumes system.list_files imported	4	✓ Fixed
cli-to-earl-mapping.md missing Dockerfile/docker-compose	4	✓ Fixed
SSRF warning missing 0.0.0.0	4	✓ Fixed
create-template pre-built path skips secrets + verify	5	✓ Fixed
Provider patterns don't cover wget	5	✓ Fixed
create-template Phase 1 doesn't check if provider already imported	6	✓ Fixed
migrate-to-earl Phase 4 re-prompts after create-template	6	✓ Fixed
troubleshoot-earl Step 5 missing Windows Claude Desktop path	7	✓ Fixed
create-template Phase 7 "After validation" phrasing misleading	7	✓ Fixed
secure-agent Step 4 references docs with no link	7	✓ Fixed
create-template template live before user review	8	✓ Fixed in 3de3653
migrate-to-earl Phase 4 skip note too narrow (Phase 2 only)	8	✓ Fixed in 3de3653
setup-earl Phase 2 demo has no re-import guard	8	✓ Fixed in 3de3653

---

What's Good

• 3de3653 is precise: only the three flagged items were touched.
• create-template Phase 4 draft-then-write separation is now clearly worded — "Do NOT write the file to disk yet" is unambiguous and Phase 5 explicitly says writing happens only after approval.
• migrate-to-earl Phase 4 skip note now covers both Phase 2 and Phase 3 invocations of create-template.
• setup-earl Phase 2 re-import guard uses the correct idiom (grep system || import) — short-circuits cleanly and doesn't block the subsequent earl call.
• The suite as a whole is in good shape. The only real open issue is the command-level check in create-template Phase 1 that has persisted through three rounds.

[jrandolf]

@claude Review this

[claude]

Claude finished @jrandolf's task in 3m 43s —— View job

---

PR Review

• Gathering context
• Reading changed files
• Reviewing skills content
• Final assessment

---

Overall

e79b4ff addresses all three round-9 issues. The command-level check in create-template Phase 1 — which carried through rounds 7, 8, and 9 — is now correctly written with three distinct branches: specific command exists → Phase 7, provider exists but command doesn't → custom authoring (phases 2–6), provider not imported → offer import. Write-mode side-effect warnings are present in both create-template Phase 8 and migrate-to-earl Phase 5. One new minor finding below.

---

Issues

troubleshoot-earl Step 5 example config doesn't cover discovery mode — Minor

troubleshoot-earl/SKILL.md:106-115: The MCP config example for Claude Code shows:

{
  "mcpServers": {
    "earl": {
      "command": "earl",
      "args": ["mcp", "stdio"]
    }
  }
}

But setup-earl Phase 3 installs discovery mode (["mcp", "stdio", "--mode", "discovery"]) when the template count is ≥ 30. An agent troubleshooting on a repo with 30+ templates would compare the user's config against this example, see "--mode", "discovery" in the args, and might "fix" it by removing that flag — silently downgrading the user from discovery mode to full mode. Full mode with 30+ templates exposes all templates as MCP tools, which was the reason for discovery mode in the first place.

The example should show a note that ["mcp", "stdio", "--mode", "discovery"] is also a valid variant.

Fix this →

---

secure-agent denylist may block non-API curl uses — Nit

secure-agent/SKILL.md:55: The mapping lists Bash(curl *) and Bash(wget *) as tools to deny for "any HTTP API template." But curl is also commonly used for non-API purposes: downloading binaries in CI scripts, health probes (curl http://localhost:8080/health), checking connectivity, fetching install scripts. Once Bash(curl *) is in the denylist, the agent can no longer do any of these.

The current "Important Limitation" section covers alternative interpreters as a bypass vector, but doesn't flag this as a practical day-to-day annoyance: the agent loses the ability to do basic curl-based operations that have nothing to do with the provider APIs Earl is covering.

A note in Step 1 ("Be aware that denying Bash(curl *) also blocks non-API curl uses like downloads and health probes — add narrow exceptions to deniedTools for those commands if needed, or use earl call instead") would set the right expectation.

---

All Previous Issues: Resolved ✓

Issue	Round	Status
cargo install earl missing Node.js + pnpm	1	✓ Fixed
Cap inconsistency (10 vs 5) in migrate-to-earl	1	✓ Fixed
Circular curl verification in secure-agent Step 4	1	✓ Fixed
migrate-to-earl reference file missing URL	1	✓ Fixed
jq dependency not noted	1	✓ Fixed
Cursor instructions incomplete in secure-agent	1	✓ Fixed
create-template reference files no URL fallback	2	✓ Fixed
Supabase grep pattern missing .com TLD	2	✓ Fixed
secure-agent egress rules global scope not noted	2	✓ Fixed
Jira grep pattern misses atlassian.net	3	✓ Fixed
troubleshoot-earl Step 5 missing Cursor/Windsurf	3	✓ Fixed
--yes flag order not in troubleshoot-earl error table	3	✓ Fixed
secure-agent verify assumes system.list_files imported	4	✓ Fixed
cli-to-earl-mapping.md missing Dockerfile/docker-compose	4	✓ Fixed
SSRF warning missing 0.0.0.0	4	✓ Fixed
create-template pre-built path skips secrets + verify	5	✓ Fixed
Provider patterns don't cover wget	5	✓ Fixed
create-template Phase 1 doesn't check if provider already imported	6	✓ Fixed
migrate-to-earl Phase 4 re-prompts after create-template	6	✓ Fixed
troubleshoot-earl Step 5 missing Windows Claude Desktop path	7	✓ Fixed
create-template Phase 7 "After validation" phrasing misleading	7	✓ Fixed
secure-agent Step 4 references docs with no link	7	✓ Fixed
create-template template live before user review	8	✓ Fixed
migrate-to-earl Phase 4 skip note too narrow (Phase 2 only)	8	✓ Fixed
setup-earl Phase 2 demo has no re-import guard	8	✓ Fixed
create-template Phase 1 command-level check too coarse	7/8/9	✓ Fixed in e79b4ff — three-branch logic is correct
cli-to-earl-mapping.md HubSpot missing api.hubspot.com	9	✓ Fixed — hub(api|spot) covers both domains
Write-mode side-effect warning missing from verify phases	9	✓ Fixed in both create-template:238 and migrate-to-earl:122

---

What's Good

• The three-branch routing in create-template Phase 1 is now exactly right: command exists → Phase 7, provider exists without command → custom authoring without re-import, provider not imported → import then Phase 7. Phase 4's "If the file already exists: Read it first" dovetails cleanly with branch 2.
• Write-mode warnings in both create-template Phase 8 and migrate-to-earl Phase 5 are worded identically — consistent, and specific enough to be actionable ("use a test or sandbox account, or choose a read-only command for initial verification").
• migrate-to-earl Phase 4 skip note now covers Phase 2 and Phase 3 invocations of create-template — the full set of cases where secrets would already be configured.
• The wget note at the top of cli-to-earl-mapping.md is the right approach over duplicating every row.
• secure-agent Step 4 verification framing ("denial IS the success signal") is unambiguous.

[jrandolf]

@claude Review this

[claude]

Claude finished @jrandolf's task in 3m 57s —— View job

---

PR Review

• Gathering context
• Reading changed files
• Reviewing skills content
• Final assessment

---

Overall

75d6b50 addresses both round-10 issues. The discovery mode note in troubleshoot-earl Step 5 is correctly placed with an explicit "do not remove" warning. The non-API curl caveat in secure-agent Step 1 is well-worded and actionable. Two new findings below — one is a real cross-platform scan reliability issue.

---

Issues

cli-to-earl-mapping.md alternation patterns silently fail on macOS — Minor

cli-to-earl-mapping.md:21,30,37 use GNU grep BRE alternation syntax (\|):

curl.*atlassian\.(com\|net)
curl.*api\.hub(api\|spot)\.com
curl.*supabase\.(co\|com)

On macOS, the system grep is BSD grep, which does not support \| as alternation in BRE mode. The pattern runs without error but matches nothing — an agent on macOS would silently get zero results for Jira, HubSpot, and Supabase, and report those providers as absent even if call sites exist. The fix is either (a) add a note to use grep -E and remove the backslashes from alternation groups (ERE works on both Linux and macOS), or (b) rewrite those three rows as duplicate entries with one pattern per TLD.

Fix this →

---

secure-agent Bash(gh *) denial blocks non-API GitHub uses — Nit

secure-agent/SKILL.md:50: The Step 1 table lists Bash(gh *) for denial when a github Earl template is present. Round 10 added a note about Bash(curl *) blocking non-API curl uses (downloads, health probes, etc.). The same logic applies to gh: it is also used for PR creation, branch management, release uploads, and other repository operations that aren't GitHub REST API calls. An agent that has github.hcl templates for API calls but also needs to run gh pr create would be silently blocked.

A brief note analogous to the curl one — "Denying Bash(gh *) also blocks all gh CLI uses, not just API calls. If the agent needs gh for PR/branch operations that lack Earl templates, add narrow exceptions or create templates for those commands first" — would complete the pattern.

---

All Previous Issues: Resolved ✓

Issue	Round	Status
cargo install earl missing Node.js + pnpm	1	✓ Fixed
Cap inconsistency (10 vs 5) in migrate-to-earl	1	✓ Fixed
Circular curl verification in secure-agent Step 4	1	✓ Fixed
migrate-to-earl reference file missing URL	1	✓ Fixed
jq dependency not noted	1	✓ Fixed
Cursor instructions incomplete in secure-agent	1	✓ Fixed
create-template reference files no URL fallback	2	✓ Fixed
Supabase grep pattern missing .com TLD	2	✓ Fixed
secure-agent egress rules global scope not noted	2	✓ Fixed
Jira grep pattern misses atlassian.net	3	✓ Fixed
troubleshoot-earl Step 5 missing Cursor/Windsurf	3	✓ Fixed
--yes flag order not in troubleshoot-earl error table	3	✓ Fixed
secure-agent verify assumes system.list_files imported	4	✓ Fixed
cli-to-earl-mapping.md missing Dockerfile/docker-compose	4	✓ Fixed
SSRF warning missing 0.0.0.0	4	✓ Fixed
create-template pre-built path skips secrets + verify	5	✓ Fixed
Provider patterns don't cover wget	5	✓ Fixed
create-template Phase 1 doesn't check if provider already imported	6	✓ Fixed
migrate-to-earl Phase 4 re-prompts after create-template	6	✓ Fixed
troubleshoot-earl Step 5 missing Windows Claude Desktop path	7	✓ Fixed
create-template Phase 7 "After validation" phrasing misleading	7	✓ Fixed
secure-agent Step 4 references docs with no link	7	✓ Fixed
create-template template live before user review	8	✓ Fixed
migrate-to-earl Phase 4 skip note too narrow (Phase 2 only)	8	✓ Fixed
setup-earl Phase 2 demo has no re-import guard	8	✓ Fixed
create-template Phase 1 command-level check too coarse	7/8/9	✓ Fixed
cli-to-earl-mapping.md HubSpot missing api.hubspot.com	9	✓ Fixed
Write-mode side-effect warning missing from verify phases	9	✓ Fixed
troubleshoot-earl Step 5 missing discovery mode note	10	✓ Fixed in 75d6b50
secure-agent denylist may block non-API curl uses	10	✓ Fixed in 75d6b50

---

What's Good

• The discovery mode caveat in troubleshoot-earl Step 5 is precisely worded: "Do not remove the --mode discovery flag from a config that already has it; that would silently downgrade to full mode." The explicit downgrade warning is better than just showing it as an alternate valid config.
• The non-API curl note in secure-agent Step 1 is actionable: it names specific examples (downloads, health probes, install scripts) and gives a concrete alternative (allowedTools override or earl call).
• create-template Phase 1 three-branch routing is clean and covers all cases correctly.
• The wget note at the top of cli-to-earl-mapping.md and the write-mode warnings in both verify phases are consistent between create-template and migrate-to-earl.
• The suite is in substantially good shape after 10 rounds of iteration. The remaining open items are both minor.

[jrandolf]

@claude Review this

[claude]

Claude finished @jrandolf's task in 3m 39s —— View job

---

PR Review

• Gathering context
• Reading changed files
• Reviewing skills content
• Final assessment

---

Overall

3583c0e addresses both round-11 issues. The BRE/ERE note is correctly placed and the three alternation patterns (atlassian, hubspot, supabase) are now in ERE (a|b) format without backslashes. The Bash(gh *) note is well-worded and consistent with the curl note added in round 10. Two new findings below.

---

Issues

setup-earl CLAUDE.md breadcrumb --yes scoped only to write-mode — Minor

setup-earl/SKILL.md:165:

- Always use `--yes` for write-mode commands (without it, Earl prompts interactively and hangs)

Every earl call example in all five skills uses --yes regardless of mode — including the CLI fallback line directly above this one (earl call --yes --json provider.command). The breadcrumb implies --yes is only needed for write-mode commands. An agent following this literally would omit --yes from read-mode calls, which may cause interactive prompts and hangs in automated contexts.

Suggest changing to: "Always use --yes for all automated earl call invocations (without it, Earl may prompt interactively and hang)."

Fix this →

---

migrate-to-earl Phase 7 rewrite examples are bash-only — Minor

migrate-to-earl/SKILL.md:149-162: The Phase 7 rewrite examples show only direct shell substitution:

# Before:
curl -H "Authorization: Bearer $GITHUB_TOKEN" https://api.github.com/repos/owner/repo
# After:
earl call --yes --json github.get_repo --owner owner --repo repo

But the scan phase targets source files (*.py, *.js, *.ts, *.rb, *.go, *.rs). In those files, curl typically appears in subprocess invocations like subprocess.run(['curl', ...]) or os.system('curl ...'). The replacement is language-dependent and the phase 7 example doesn't cover it. An agent rewriting a Python file with no guidance may produce incorrect syntax or be unsure how to proceed.

A brief note acknowledging the language context — e.g., "For source files (Python, JS, etc.), wrap the Earl command in the appropriate subprocess call for that language (e.g. subprocess.run(['earl', 'call', '--yes', '--json', ...]))" — would cover this.

Fix this →

---

grep -E note requires per-row evaluation — Nit

cli-to-earl-mapping.md:11-13: The note says "Use grep -E for patterns that contain alternation groups (a|b)." This requires an agent to scan each row to determine whether grep -E is needed. Since grep -E is a strict superset of grep for all these patterns (it has no behavior difference for non-alternation patterns), recommending grep -E for all patterns unconditionally would be simpler and eliminate the conditional.

---

All Previous Issues: Resolved ✓

Issue	Round	Status
cargo install earl missing Node.js + pnpm	1	✓ Fixed
Cap inconsistency (10 vs 5) in migrate-to-earl	1	✓ Fixed
Circular curl verification in secure-agent Step 4	1	✓ Fixed
migrate-to-earl reference file missing URL	1	✓ Fixed
jq dependency not noted	1	✓ Fixed
Cursor instructions incomplete in secure-agent	1	✓ Fixed
create-template reference files no URL fallback	2	✓ Fixed
Supabase grep pattern missing .com TLD	2	✓ Fixed
secure-agent egress rules global scope not noted	2	✓ Fixed
Jira grep pattern misses atlassian.net	3	✓ Fixed
troubleshoot-earl Step 5 missing Cursor/Windsurf	3	✓ Fixed
--yes flag order not in troubleshoot-earl error table	3	✓ Fixed
secure-agent verify assumes system.list_files imported	4	✓ Fixed
cli-to-earl-mapping.md missing Dockerfile/docker-compose	4	✓ Fixed
SSRF warning missing 0.0.0.0	4	✓ Fixed
create-template pre-built path skips secrets + verify	5	✓ Fixed
Provider patterns don't cover wget	5	✓ Fixed
create-template Phase 1 doesn't check if provider already imported	6	✓ Fixed
migrate-to-earl Phase 4 re-prompts after create-template	6	✓ Fixed
troubleshoot-earl Step 5 missing Windows Claude Desktop path	7	✓ Fixed
create-template Phase 7 "After validation" phrasing misleading	7	✓ Fixed
secure-agent Step 4 references docs with no link	7	✓ Fixed
create-template template live before user review	8	✓ Fixed
migrate-to-earl Phase 4 skip note too narrow (Phase 2 only)	8	✓ Fixed
setup-earl Phase 2 demo has no re-import guard	8	✓ Fixed
create-template Phase 1 command-level check too coarse	7/8/9	✓ Fixed
cli-to-earl-mapping.md HubSpot missing api.hubspot.com	9	✓ Fixed
Write-mode side-effect warning missing from verify phases	9	✓ Fixed
troubleshoot-earl Step 5 missing discovery mode note	10	✓ Fixed
secure-agent denylist may block non-API curl uses	10	✓ Fixed
cli-to-earl-mapping.md BRE alternation fails on macOS	11	✓ Fixed in 3583c0e — ERE note + patterns updated
secure-agent Bash(gh *) blocks non-API gh uses	11	✓ Fixed in 3583c0e

---

What's Good

• The three-branch routing in create-template Phase 1 (specific command present → Phase 7, provider exists without command → custom authoring, provider absent → import) is clean and correct — the most complex logic in the suite and it's right.
• troubleshoot-earl Step 6 error table is comprehensive: HCL, Jinja, auth, SSRF, install, command name, MCP, flag order, keychain, OAuth — hard to think of a missing failure mode.
• The discovery mode caveat in troubleshoot-earl Step 5 with the explicit "do not remove" warning is the right framing.
• Write-mode side-effect warnings in both create-template Phase 8 and migrate-to-earl Phase 5 are identically worded — consistent.
• Cross-skill invoke routing uses canonical name: values throughout.

[jrandolf]

@claude Review this

[claude]

Claude finished @jrandolf's task in 3m 30s —— View job

---

PR Review

• Gathering context
• Reading changed files
• Reviewing skills content
• Final assessment

---

Overall

d9d5dab addressed two of the three round-12 issues. The grep -E note is correctly updated to "Always use grep -E for all patterns in this table", and Phase 7 now includes Python and Node.js subprocess examples. The one Medium issue from round 12 was not addressed. One new minor finding below.

---

Issues

setup-earl CLAUDE.md breadcrumb --yes still scoped to write-mode — Medium (carried from round 12, not fixed in d9d5dab)

setup-earl/SKILL.md:165:

- Always use `--yes` for write-mode commands (without it, Earl prompts interactively and hangs)

This is still "write-mode commands." Every earl call example in all five skills uses --yes regardless of mode — including the CLI fallback on the line immediately above (earl call --yes --json provider.command --param value). An agent reading this breadcrumb would omit --yes from read-mode calls, which causes interactive prompts and hangs in automated contexts.

The fix from round 12 still stands: change to "Always use --yes for all automated earl call invocations (without it, Earl may prompt interactively and hang)."

Fix this →

---

cli-to-earl-mapping.md scan note doesn't cover httpie — Minor

cli-to-earl-mapping.md:8-9:

**Note:** All `curl.*` patterns should also be run with `wget` substituted for `curl` — ...

The note covers wget but not httpie (the http command). secure-agent/SKILL.md:55 already lists Bash(http *) and Bash(httpie *) as tools to deny for HTTP API templates, meaning the lockdown skill recognises httpie as a bypass vector — but an agent running the scan phase won't surface existing http GET https://api.github.com/... calls. This is the same asymmetry that motivated the wget note in round 5.

Fix: extend the existing note to also mention http (httpie):

"All curl.* patterns should also be run with wget and http (httpie) substituted for curl."

Fix this →

---

migrate-to-earl Phase 7 bash "After" example uses literal strings — Nit

migrate-to-earl/SKILL.md:152-156:

# Before:
curl -H "Authorization: Bearer $GITHUB_TOKEN" https://api.github.com/repos/owner/repo

# After:
earl call --yes --json github.get_repo --owner owner --repo repo

The "Before" example correctly uses $GITHUB_TOKEN as a shell variable. The "After" example passes owner and repo as bare literal strings, not shell variables. An agent rewriting a script that dynamically constructs the URL from $OWNER and $REPO might follow this example and hardcode literal strings instead of substituting variables. The "After" should show variable syntax: --owner $OWNER --repo $REPO (or use the values from the original curl's URL).

---

All Previous Issues: Resolved ✓

Issue	Round	Status
cargo install earl missing Node.js + pnpm	1	✓ Fixed
Cap inconsistency (10 vs 5) in migrate-to-earl	1	✓ Fixed
Circular curl verification in secure-agent Step 4	1	✓ Fixed
migrate-to-earl reference file missing URL	1	✓ Fixed
jq dependency not noted	1	✓ Fixed
Cursor instructions incomplete in secure-agent	1	✓ Fixed
create-template reference files no URL fallback	2	✓ Fixed
Supabase grep pattern missing .com TLD	2	✓ Fixed
secure-agent egress rules global scope not noted	2	✓ Fixed
Jira grep pattern misses atlassian.net	3	✓ Fixed
troubleshoot-earl Step 5 missing Cursor/Windsurf	3	✓ Fixed
--yes flag order not in troubleshoot-earl error table	3	✓ Fixed
secure-agent verify assumes system.list_files imported	4	✓ Fixed
cli-to-earl-mapping.md missing Dockerfile/docker-compose	4	✓ Fixed
SSRF warning missing 0.0.0.0	4	✓ Fixed
create-template pre-built path skips secrets + verify	5	✓ Fixed
Provider patterns don't cover wget	5	✓ Fixed
create-template Phase 1 doesn't check if provider already imported	6	✓ Fixed
migrate-to-earl Phase 4 re-prompts after create-template	6	✓ Fixed
troubleshoot-earl Step 5 missing Windows Claude Desktop path	7	✓ Fixed
create-template Phase 7 "After validation" phrasing misleading	7	✓ Fixed
secure-agent Step 4 references docs with no link	7	✓ Fixed
create-template template live before user review	8	✓ Fixed
migrate-to-earl Phase 4 skip note too narrow (Phase 2 only)	8	✓ Fixed
setup-earl Phase 2 demo has no re-import guard	8	✓ Fixed
create-template Phase 1 command-level check too coarse	7/8/9	✓ Fixed
cli-to-earl-mapping.md HubSpot missing api.hubspot.com	9	✓ Fixed
Write-mode side-effect warning missing from verify phases	9	✓ Fixed
troubleshoot-earl Step 5 missing discovery mode note	10	✓ Fixed
secure-agent denylist may block non-API curl uses	10	✓ Fixed
cli-to-earl-mapping.md BRE alternation fails on macOS	11	✓ Fixed
secure-agent Bash(gh *) blocks non-API gh uses	11	✓ Fixed
migrate-to-earl Phase 7 rewrite examples bash-only	12	✓ Fixed in d9d5dab — Python + Node examples added
grep -E note required per-row evaluation	12	✓ Fixed in d9d5dab — now "Always use grep -E for all patterns"

---

What's Good

• The Python and Node.js subprocess examples in Phase 7 are correctly structured: list form for Python (subprocess.run(["earl", ...])) and template literal for Node (execSync(\earl call ...`)`). These are the idiomatic patterns for each language.
• Three-branch routing in create-template Phase 1 (specific command present → Phase 7, provider exists without command → custom authoring, provider absent → import) remains correct.
• troubleshoot-earl Step 6 error table covers all known failure modes and continues to be the most comprehensive part of the suite.
• Cross-skill invoke routing uses canonical name: values consistently throughout all 5 skills.
• The suite is within one medium carry-forward and two small issues of being ready to merge.

[jrandolf]

@claude Review this

[claude]

Claude finished @jrandolf's task in 3m 4s —— View job

---

PR Review

• Gathering context
• Reading changed files
• Reviewing skills content
• Final assessment

---

Overall

31e4527 addressed two of the three round-12 issues. The httpie note in cli-to-earl-mapping.md is confirmed present, and migrate-to-earl Phase 7 now uses shell variable syntax ($OWNER, $REPO) in the "After" example. The one Medium issue from round 12 is still unaddressed. One new minor finding below.

---

Issues

setup-earl CLAUDE.md breadcrumb --yes still scoped to write-mode — Medium (carried from rounds 12 and 13, not fixed in 31e4527)

setup-earl/SKILL.md:165:

- Always use `--yes` for write-mode commands (without it, Earl prompts interactively and hangs)

Still "write-mode commands." Every earl call example across all five skills uses --yes regardless of mode — including the CLI fallback on the line directly above this one. An agent following this breadcrumb will omit --yes on read-mode calls and hit interactive hangs.

Change to: Always use --yesfor all automatedearl call invocations (without it, Earl may prompt interactively and hang)

Fix this →

---

Linux Claude Desktop config path missing from both setup-earl and troubleshoot-earl — Minor

setup-earl/SKILL.md:84 and troubleshoot-earl/SKILL.md:121 both show:

~/Library/Application Support/Claude/claude_desktop_config.json (macOS)
%APPDATA%\Claude\claude_desktop_config.json (Windows)

Claude Desktop also runs on Linux, where the config follows the XDG Base Directory Specification: ~/.config/Claude/claude_desktop_config.json. An agent troubleshooting Claude Desktop MCP on Linux will check both listed paths, find neither, and incorrectly conclude the config doesn't exist. Both skills should add the Linux path.

Fix this →

---

cli-to-earl-mapping.md httpie substitution can produce high false positives — Nit

cli-to-earl-mapping.md:8-9:

All curl.* patterns should also be run with wget and http (httpie) substituted for curl

Substituting http for curl in patterns like curl.*api\.github\.com gives http.*api\.github\.com. This would match any line containing http followed by api.github.com — including comments, string literals, import statements, and HTML content. Unlike curl and wget which are unambiguous command names, http is a common substring. The note should add a qualifier like: "Note: http substitution produces more false positives than curl or wget — scan results should be checked manually before acting on them."

---

All Previous Issues: Resolved ✓

Issue	Round	Status
cargo install earl missing Node.js + pnpm	1	✓ Fixed
Cap inconsistency (10 vs 5) in migrate-to-earl	1	✓ Fixed
Circular curl verification in secure-agent Step 4	1	✓ Fixed
migrate-to-earl reference file missing URL	1	✓ Fixed
jq dependency not noted	1	✓ Fixed
Cursor instructions incomplete in secure-agent	1	✓ Fixed
create-template reference files no URL fallback	2	✓ Fixed
Supabase grep pattern missing .com TLD	2	✓ Fixed
secure-agent egress rules global scope not noted	2	✓ Fixed
Jira grep pattern misses atlassian.net	3	✓ Fixed
troubleshoot-earl Step 5 missing Cursor/Windsurf	3	✓ Fixed
--yes flag order not in troubleshoot-earl error table	3	✓ Fixed
secure-agent verify assumes system.list_files imported	4	✓ Fixed
cli-to-earl-mapping.md missing Dockerfile/docker-compose	4	✓ Fixed
SSRF warning missing 0.0.0.0	4	✓ Fixed
create-template pre-built path skips secrets + verify	5	✓ Fixed
Provider patterns don't cover wget	5	✓ Fixed
create-template Phase 1 doesn't check if provider already imported	6	✓ Fixed
migrate-to-earl Phase 4 re-prompts after create-template	6	✓ Fixed
troubleshoot-earl Step 5 missing Windows Claude Desktop path	7	✓ Fixed
create-template Phase 7 "After validation" phrasing misleading	7	✓ Fixed
secure-agent Step 4 references docs with no link	7	✓ Fixed
create-template template live before user review	8	✓ Fixed
migrate-to-earl Phase 4 skip note too narrow (Phase 2 only)	8	✓ Fixed
setup-earl Phase 2 demo has no re-import guard	8	✓ Fixed
create-template Phase 1 command-level check too coarse	7/8/9	✓ Fixed
cli-to-earl-mapping.md HubSpot missing api.hubspot.com	9	✓ Fixed
Write-mode side-effect warning missing from verify phases	9	✓ Fixed
troubleshoot-earl Step 5 missing discovery mode note	10	✓ Fixed
secure-agent denylist may block non-API curl uses	10	✓ Fixed
cli-to-earl-mapping.md BRE alternation fails on macOS	11	✓ Fixed
secure-agent Bash(gh *) blocks non-API gh uses	11	✓ Fixed
migrate-to-earl Phase 7 rewrite examples bash-only	12	✓ Fixed
grep -E note required per-row evaluation	12	✓ Fixed
cli-to-earl-mapping.md scan note doesn't cover httpie	13	✓ Fixed in 31e4527
migrate-to-earl Phase 7 "After" uses literal strings	13	✓ Fixed in 31e4527

---

What's Good

• The Python subprocess example in Phase 7 is correctly structured and idiomatic.
• The Node.js template literal example now correctly uses ${owner} and ${repo} to mirror the "Before" ${token}/${url} variable pattern — the fix is consistent.
• create-template Phase 1 three-branch routing is still correct: specific command → Phase 7, provider without command → custom authoring, provider absent → import.
• secure-agent Step 1 now lists Bash(http *), Bash(httpie *) for HTTP API templates, consistent with the scan note added to cli-to-earl-mapping.md.
• troubleshoot-earl Step 6 error table continues to be comprehensive — all known failure modes covered.

[jrandolf]

@claude Review this

[claude]

Claude finished @jrandolf's task in 3m 36s —— View job

---

PR Review

• Gathering context
• Reading changed files
• Reviewing skills content
• Final assessment

---

Overall

838017b addresses all three round-14 issues. The --yes breadcrumb is now correctly scoped to "all automated earl call invocations." The Linux Claude Desktop path is present in both setup-earl:84 and troubleshoot-earl:121-123. The httpie false-positive warning is in cli-to-earl-mapping.md:9-11. Two new findings below.

---

Issues

setup-earl Phase 3 platform detection is first-match only — Minor

setup-earl/SKILL.md:79-87: The detection table has no instruction for when multiple checks match. A developer working on a project with both .claude/ (Claude Code) and .cursor/ (Cursor) will have the skill configure Claude Code only — Cursor is never reached. The same applies to a project with both Claude Code and Windsurf. The user gets a partially configured setup with no indication that a second platform was skipped.

Either (a) add a note that the skill configures all matching platforms (and loop through the table), or (b) clarify that when multiple match, the skill should ask which platform to configure, or (c) document that re-running setup-earl can target a different platform.

Fix this →

---

troubleshoot-earl Step 3 template path is Unix-only — Nit

troubleshoot-earl/SKILL.md:73: "Check that the file is in ./templates/ or ~/.config/earl/templates/"

~/.config/earl/templates/ is a Unix-style path. On Windows, Earl's global template storage would follow a different convention (likely %APPDATA%\earl\templates\ or similar). An agent troubleshooting on Windows would look for ~/.config/earl/templates/ and not find it, potentially concluding the template doesn't exist. Both setup-earl and troubleshoot-earl already include the Windows path for Claude Desktop config — the same pattern should apply here.

---

All Previous Issues: Resolved ✓

Issue	Round	Status
cargo install earl missing Node.js + pnpm	1	✓ Fixed
Cap inconsistency (10 vs 5) in migrate-to-earl	1	✓ Fixed
Circular curl verification in secure-agent Step 4	1	✓ Fixed
migrate-to-earl reference file missing URL	1	✓ Fixed
jq dependency not noted	1	✓ Fixed
Cursor instructions incomplete in secure-agent	1	✓ Fixed
create-template reference files no URL fallback	2	✓ Fixed
Supabase grep pattern missing .com TLD	2	✓ Fixed
secure-agent egress rules global scope not noted	2	✓ Fixed
Jira grep pattern misses atlassian.net	3	✓ Fixed
troubleshoot-earl Step 5 missing Cursor/Windsurf	3	✓ Fixed
--yes flag order not in troubleshoot-earl error table	3	✓ Fixed
secure-agent verify assumes system.list_files imported	4	✓ Fixed
cli-to-earl-mapping.md missing Dockerfile/docker-compose	4	✓ Fixed
SSRF warning missing 0.0.0.0	4	✓ Fixed
create-template pre-built path skips secrets + verify	5	✓ Fixed
Provider patterns don't cover wget	5	✓ Fixed
create-template Phase 1 doesn't check if provider already imported	6	✓ Fixed
migrate-to-earl Phase 4 re-prompts after create-template	6	✓ Fixed
troubleshoot-earl Step 5 missing Windows Claude Desktop path	7	✓ Fixed
create-template Phase 7 "After validation" phrasing misleading	7	✓ Fixed
secure-agent Step 4 references docs with no link	7	✓ Fixed
create-template template live before user review	8	✓ Fixed
migrate-to-earl Phase 4 skip note too narrow (Phase 2 only)	8	✓ Fixed
setup-earl Phase 2 demo has no re-import guard	8	✓ Fixed
create-template Phase 1 command-level check too coarse	7/8/9	✓ Fixed
cli-to-earl-mapping.md HubSpot missing api.hubspot.com	9	✓ Fixed
Write-mode side-effect warning missing from verify phases	9	✓ Fixed
troubleshoot-earl Step 5 missing discovery mode note	10	✓ Fixed
secure-agent denylist may block non-API curl uses	10	✓ Fixed
cli-to-earl-mapping.md BRE alternation fails on macOS	11	✓ Fixed
secure-agent Bash(gh *) blocks non-API gh uses	11	✓ Fixed
migrate-to-earl Phase 7 rewrite examples bash-only	12	✓ Fixed
grep -E note required per-row evaluation	12	✓ Fixed
cli-to-earl-mapping.md scan note doesn't cover httpie	13	✓ Fixed
migrate-to-earl Phase 7 "After" uses literal strings	13	✓ Fixed
setup-earl CLAUDE.md breadcrumb --yes scoped to write-mode	12/13/14	✓ Fixed in 838017b
Linux Claude Desktop path missing	14	✓ Fixed in 838017b
httpie false-positive warning missing	14	✓ Fixed in 838017b

---

What's Good

• create-template Phase 1 three-branch routing (specific command present → Phase 7, provider exists without command → custom authoring, provider absent → import) is correct and handles all cases.
• The draft-before-write separation in create-template Phase 4/5 is clean — "Do NOT write the file to disk yet" is unambiguous.
• troubleshoot-earl Step 6 error table is comprehensive: HCL, Jinja, auth, SSRF, install, command name, MCP, flag order, keychain, OAuth — hard to think of a missing failure mode.
• secure-agent notes about Bash(curl *) and Bash(gh *) blocking non-API uses are well-placed and give actionable alternatives.
• The grep -E universal note at the top of cli-to-earl-mapping.md is cleaner than per-row conditionals.
• Cross-skill invoke routing uses canonical name: values consistently throughout all 5 skills.

[jrandolf]

@claude Review this

[claude]

Claude finished @jrandolf's task in 3m 3s —— View job

---

PR Review

• Gathering context
• Reading changed files
• Reviewing skills content
• Final assessment

---

Overall

d5d53fa adds named environments support across all 5 skills. The additions are well-placed: the environments block note in create-template Phase 4 is appropriately guarded ("Only add environments when the user explicitly needs them"), and the three new rows in troubleshoot-earl Step 6 cover the obvious failure modes. The security note in secure-agent Step 5 about allow_environment_protocol_switching is the right place for it. Three issues from round 21 remain unaddressed. One new issue below.

---

Issues

troubleshoot-earl Step 6 environment protocol switching fix contradicts secure-agent — Minor

troubleshoot-earl/SKILL.md:161:

| `environment protocol switching not allowed` | Protocol mismatch in environment override | Agent: add `allow_environment_protocol_switching = true` to `annotations` |

But secure-agent/SKILL.md:164-168 explicitly says:

"Prefer vars.* for environment differences (e.g. different base URLs) over full protocol switching where possible."

An agent diagnosing this error in troubleshoot-earl will apply the fix (add the flag) without any indication that it's a security risk or that there's a preferred alternative. The two skills are now in tension: secure-agent says "avoid this", troubleshoot-earl says "add this" with no qualification. The fix row should match secure-agent's guidance — e.g.: "Agent: prefer vars.* for environment differences; only add allow_environment_protocol_switching = true to annotations if a protocol change is genuinely required (note: this bypasses HTTP egress rules — see secure-agent)"

Fix this →

---

setup-earl Windsurf breadcrumb file not named — Minor (carried from rounds 20–21, not fixed)

setup-earl/SKILL.md:155:

"write the Earl instructions to the appropriate context file for the detected platform instead: .cursorrules for Cursor, or the equivalent for Windsurf"

Windsurf uses .windsurfrules. An agent on a Windsurf-only project has to guess the filename.

Fix this →

---

migrate-to-earl Phase 2 "skip this step" still ambiguous — Minor (carried from rounds 20–21, not fixed)

migrate-to-earl/SKILL.md:53:

"Check earl templates list first — if the provider is already imported, skip this step."

"Skip this step" can be read as skipping the entire pre-built block — including line 60: "Show the user which commands are available in the imported template." That show-commands instruction is the primary value of Phase 2 when the provider already exists. The skip should apply only to the import command.

Fix this →

---

migrate-to-earl Phase 4 doesn't say how to find required secret keys — Minor (carried from round 21, not fixed)

migrate-to-earl/SKILL.md:98:

"print the checklist of required secrets for the imported templates"

No instruction on how to determine which secrets are required. Unlike create-template/SKILL.md:216-218, which says "Check annotations.secrets in the template file for required secret keys. For pre-built imports, read the imported file at ~/.config/earl/templates/<provider>.hcl…", migrate-to-earl Phase 4 has no equivalent. An agent following Phase 4 may print generic placeholder text (earl secrets set <provider>.<key>) instead of actual key names.

Fix this →

---

--env examples hardcode staging as the environment name — Nit

setup-earl/SKILL.md:174:

- Environments: `earl call --yes --json --env staging provider.command --param value`

create-template/SKILL.md:253 and migrate-to-earl/SKILL.md:131 similarly say "use --env staging". The environment name is user-defined in the environments block — it could be production, dev, sandbox, or anything else. Using staging as the literal example in all cases could mislead agents into hardcoding --env staging rather than using the actual name from the template. Consider --env <environment> in the breadcrumb (which is showing syntax, not an example call), and "use --env <environment-name> matching the name defined in the template" in the Phase 8 verify note.

---

All Previous Issues: Resolved ✓

Issue	Round	Status
cargo install earl missing Node.js + pnpm	1	✓ Fixed
Cap inconsistency (10 vs 5) in migrate-to-earl	1	✓ Fixed
Circular curl verification in secure-agent Step 4	1	✓ Fixed
migrate-to-earl reference file missing URL	1	✓ Fixed
jq dependency not noted	1	✓ Fixed
Cursor instructions incomplete in secure-agent	1	✓ Fixed
create-template reference files no URL fallback	2	✓ Fixed
Supabase grep pattern missing .com TLD	2	✓ Fixed
secure-agent egress rules global scope not noted	2	✓ Fixed
Jira grep pattern misses atlassian.net	3	✓ Fixed
troubleshoot-earl Step 5 missing Cursor/Windsurf	3	✓ Fixed
--yes flag order not in troubleshoot-earl error table	3	✓ Fixed
secure-agent verify assumes system.list_files imported	4	✓ Fixed
cli-to-earl-mapping.md missing Dockerfile/docker-compose	4	✓ Fixed
SSRF warning missing 0.0.0.0	4	✓ Fixed
create-template pre-built path skips secrets + verify	5	✓ Fixed
Provider patterns don't cover wget	5	✓ Fixed
create-template Phase 1 doesn't check if provider already imported	6	✓ Fixed
migrate-to-earl Phase 4 re-prompts after create-template	6	✓ Fixed
troubleshoot-earl Step 5 missing Windows Claude Desktop path	7	✓ Fixed
create-template Phase 7 "After validation" phrasing misleading	7	✓ Fixed
secure-agent Step 4 references docs with no link	7	✓ Fixed
create-template template live before user review	8	✓ Fixed
migrate-to-earl Phase 4 skip note too narrow (Phase 2 only)	8	✓ Fixed
setup-earl Phase 2 demo has no re-import guard	8	✓ Fixed
create-template Phase 1 command-level check too coarse	7/8/9	✓ Fixed
cli-to-earl-mapping.md HubSpot missing api.hubspot.com	9	✓ Fixed
Write-mode side-effect warning missing from verify phases	9	✓ Fixed
troubleshoot-earl Step 5 missing discovery mode note	10	✓ Fixed
secure-agent denylist may block non-API curl uses	10	✓ Fixed
cli-to-earl-mapping.md BRE alternation fails on macOS	11	✓ Fixed
secure-agent Bash(gh *) blocks non-API gh uses	11	✓ Fixed
migrate-to-earl Phase 7 rewrite examples bash-only	12	✓ Fixed
grep -E note required per-row evaluation	12	✓ Fixed
cli-to-earl-mapping.md scan note doesn't cover httpie	13	✓ Fixed
migrate-to-earl Phase 7 "After" uses literal strings	13	✓ Fixed
setup-earl CLAUDE.md breadcrumb --yes scoped to write-mode	12/13/14	✓ Fixed
Linux Claude Desktop path missing	14	✓ Fixed
httpie false-positive warning missing	14	✓ Fixed
setup-earl Phase 3 platform detection first-match only	15	✓ Fixed
troubleshoot-earl Step 3 template path Unix-only	15	✓ Fixed
create-template global template path Unix-only	16	✓ Fixed
secure-agent Step 5 egress config path Unix-only	16	✓ Fixed
setup-earl "Apply MCP config" missing Windsurf	16	✓ Fixed
secure-agent platform table missing Windsurf	16	✓ Fixed
cli-to-earl-mapping.md Datadog missing regional endpoints	18	✓ Fixed
setup-earl Phase 2 re-import guard too broad (grep system)	19	✓ Fixed
cli-to-earl-mapping.md missing interpreter-based call scope note	19	✓ Fixed
migrate-to-earl Phase 4 skip condition too broad	18/19/20	✓ Fixed
setup-earl CLAUDE.md breadcrumb not platform-aware	20	✓ Fixed

---

What's Good

• The environments block guidance in create-template Phase 4 is well-guarded: "Only add environments when the user explicitly needs them — most templates don't." This prevents over-engineering.
• The three new troubleshoot-earl Step 6 rows (unknown environment, vars.* empty, protocol switching) cover the complete set of environment-related failure modes.
• The secure-agent Step 5 environments security note is the right place for the allow_environment_protocol_switching warning — it ties directly into the egress rules that would be bypassed.
• create-template Phase 4 link to template schema docs is a good addition for the environments block.
• migrate-to-earl Phase 4 skip condition (only skip when Phase 2 took the no-pre-built path) is correct and unambiguous.
• Cross-skill invoke routing uses canonical name: values consistently throughout all 5 skills.

[jrandolf]

@claude Review this

[claude]

Claude finished @jrandolf's task in 3m 26s —— View job

---

PR Review

• Gathering context
• Reading changed files
• Reviewing skills content
• Final assessment

---

Overall

afb43a8 addressed three of the five round-22 issues. The migrate-to-earl Phase 2 "skip this step" ambiguity is resolved (line 53-54 now reads "skip the import command below and go directly to showing available commands"), Phase 4 now correctly says to read annotations.secrets at the right path (lines 99-101), and the --env breadcrumb placeholder is now <environment> throughout. Two issues carried from rounds 20-22 remain unaddressed. One new finding below.

---

Issues

troubleshoot-earl Step 6 protocol switching fix contradicts secure-agent — Minor (carried from round 22, not fixed)

troubleshoot-earl/SKILL.md:161:

| `environment protocol switching not allowed` | Protocol mismatch in environment override | Agent: add `allow_environment_protocol_switching = true` to `annotations` |

secure-agent/SKILL.md:164-168 explicitly says:

"Prefer vars.* for environment differences (e.g. different base URLs) over full protocol switching where possible."

The troubleshoot row gives a direct one-step fix with no security caveat and no mention of the preferred alternative. An agent diagnosing this error will apply the flag immediately, bypassing the vars.* guidance in secure-agent. The fix row should match secure-agent's framing — e.g.: "Agent: prefer vars.* for different base URLs; only add allow_environment_protocol_switching = true to annotations if a protocol change is genuinely required (note: this can bypass HTTP egress rules — see secure-agent)"

Fix this →

---

setup-earl Windsurf breadcrumb file not named — Minor (carried from rounds 20–22, not fixed)

setup-earl/SKILL.md:155:

"write the Earl instructions to the appropriate context file for the detected platform instead: .cursorrules for Cursor, or the equivalent for Windsurf"

Cursor's context file is named explicitly (.cursorrules). Windsurf uses .windsurfrules — same pattern. An agent on a Windsurf-only project has to guess the filename. Change "the equivalent for Windsurf" to ".windsurfrules for Windsurf".

Fix this →

---

setup-earl de-duplication check not applied to .cursorrules/.windsurfrules — Minor

setup-earl/SKILL.md:159-161:

If Claude Code is one of the detected platforms: if `CLAUDE.md` or `.claude/CLAUDE.md`
exists, check for an existing `## Earl` section before appending — do not duplicate.

This de-duplication check is only stated for CLAUDE.md. For .cursorrules and .windsurfrules, there is no equivalent instruction. A second invocation of setup-earl on a Cursor-only project would append the Earl content again, creating duplicate entries. The same guard applied to .claude/CLAUDE.md should also cover the platform-specific context files: "If .cursorrules (or .windsurfrules) already exists, check for existing Earl content before appending — do not duplicate."

Fix this →

---

create-template/migrate-to-earl verify steps don't say where to find environment names — Nit

create-template/SKILL.md:253-255 and migrate-to-earl/SKILL.md:135-136 both say "use --env <name> to select a non-production environment for the test call" without stating where to find valid names. The troubleshoot-earl Step 6 error table now has a row for unknown environment (pointing to the environments block), but a forward reference here — "Check the environments block in the template file for valid names" — would prevent the error before it occurs rather than after.

---

All Previous Issues: Resolved ✓

Issue	Round	Status
cargo install earl missing Node.js + pnpm	1	✓ Fixed
Cap inconsistency (10 vs 5) in migrate-to-earl	1	✓ Fixed
Circular curl verification in secure-agent Step 4	1	✓ Fixed
migrate-to-earl reference file missing URL	1	✓ Fixed
jq dependency not noted	1	✓ Fixed
Cursor instructions incomplete in secure-agent	1	✓ Fixed
create-template reference files no URL fallback	2	✓ Fixed
Supabase grep pattern missing .com TLD	2	✓ Fixed
secure-agent egress rules global scope not noted	2	✓ Fixed
Jira grep pattern misses atlassian.net	3	✓ Fixed
troubleshoot-earl Step 5 missing Cursor/Windsurf	3	✓ Fixed
--yes flag order not in troubleshoot-earl error table	3	✓ Fixed
secure-agent verify assumes system.list_files imported	4	✓ Fixed
cli-to-earl-mapping.md missing Dockerfile/docker-compose	4	✓ Fixed
SSRF warning missing 0.0.0.0	4	✓ Fixed
create-template pre-built path skips secrets + verify	5	✓ Fixed
Provider patterns don't cover wget	5	✓ Fixed
create-template Phase 1 doesn't check if provider already imported	6	✓ Fixed
migrate-to-earl Phase 4 re-prompts after create-template	6	✓ Fixed
troubleshoot-earl Step 5 missing Windows Claude Desktop path	7	✓ Fixed
create-template Phase 7 "After validation" phrasing misleading	7	✓ Fixed
secure-agent Step 4 references docs with no link	7	✓ Fixed
create-template template live before user review	8	✓ Fixed
migrate-to-earl Phase 4 skip note too narrow (Phase 2 only)	8	✓ Fixed
setup-earl Phase 2 demo has no re-import guard	8	✓ Fixed
create-template Phase 1 command-level check too coarse	7/8/9	✓ Fixed
cli-to-earl-mapping.md HubSpot missing api.hubspot.com	9	✓ Fixed
Write-mode side-effect warning missing from verify phases	9	✓ Fixed
troubleshoot-earl Step 5 missing discovery mode note	10	✓ Fixed
secure-agent denylist may block non-API curl uses	10	✓ Fixed
cli-to-earl-mapping.md BRE alternation fails on macOS	11	✓ Fixed
secure-agent Bash(gh *) blocks non-API gh uses	11	✓ Fixed
migrate-to-earl Phase 7 rewrite examples bash-only	12	✓ Fixed
grep -E note required per-row evaluation	12	✓ Fixed
cli-to-earl-mapping.md scan note doesn't cover httpie	13	✓ Fixed
migrate-to-earl Phase 7 "After" uses literal strings	13	✓ Fixed
setup-earl CLAUDE.md breadcrumb --yes scoped to write-mode	12/13/14	✓ Fixed
Linux Claude Desktop path missing	14	✓ Fixed
httpie false-positive warning missing	14	✓ Fixed
setup-earl Phase 3 platform detection first-match only	15	✓ Fixed
troubleshoot-earl Step 3 template path Unix-only	15	✓ Fixed
create-template global template path Unix-only	16	✓ Fixed
secure-agent Step 5 egress config path Unix-only	16	✓ Fixed
setup-earl "Apply MCP config" missing Windsurf	16	✓ Fixed
secure-agent platform table missing Windsurf	16	✓ Fixed
cli-to-earl-mapping.md Datadog missing regional endpoints	18	✓ Fixed
setup-earl Phase 2 re-import guard too broad (grep system)	19	✓ Fixed
cli-to-earl-mapping.md missing interpreter-based call scope note	19	✓ Fixed
migrate-to-earl Phase 4 skip condition too broad	18/19/20	✓ Fixed
setup-earl CLAUDE.md breadcrumb not platform-aware	20	✓ Fixed
setup-earl Phase 3 platform detection first-match only	15	✓ Fixed
cli-to-earl-mapping.md HubSpot missing api.hubspot.com	9	✓ Fixed
troubleshoot-earl Step 5 missing Windows Claude Desktop path	7	✓ Fixed
secure-agent platform table missing Windsurf	17	✓ Fixed
setup-earl "Apply MCP config" missing Windsurf	17	✓ Fixed
create-template global template path Unix-only	16	✓ Fixed
migrate-to-earl Phase 4 skip condition missing Phase 3 case	18	✓ Fixed
create-template template live before user review	8	✓ Fixed
setup-earl Phase 2 re-import guard too broad	19	✓ Fixed
migrate-to-earl Phase 4 skip condition too broad (pre-built gap)	18/19/20	✓ Fixed
secure-agent Bash(gh *) blocks non-API gh uses	11	✓ Fixed
troubleshoot-earl Step 5 missing discovery mode note	10	✓ Fixed
cli-to-earl-mapping.md BRE alternation fails on macOS	11	✓ Fixed
migrate-to-earl Phase 7 rewrite examples bash-only	12	✓ Fixed
cli-to-earl-mapping.md Datadog missing regional endpoints	18	✓ Fixed
setup-earl Phase 3 multi-platform detection first-match only	15	✓ Fixed
migrate-to-earl Phase 4 doesn't say how to find secret keys	21	✓ Fixed in afb43a8 — annotations.secrets path added
migrate-to-earl Phase 2 "skip this step" ambiguous	20/21	✓ Fixed in afb43a8 — now "skip the import command ... go directly to showing available commands"
--env examples hardcode staging	22	✓ Fixed in afb43a8 — now <environment> placeholder

---

What's Good

• The three-branch routing in create-template Phase 1 (specific command present → Phase 7, provider without command → custom authoring, provider absent → import) is correct and covers all cases.
• migrate-to-earl Phase 4 skip condition is now precisely scoped — the "Do NOT skip" paragraph explicitly calls out the Phase 2 bare import + Phase 3 create-template combination.
• The environments-related rows in troubleshoot-earl Step 6 are well-placed. The unknown environment and vars.* empty rows cover the two most common config mistakes.
• setup-earl Phase 3 multi-platform detection ("Configure every matching platform") is correct and handles mixed setups cleanly.
• Cross-skill invoke routing uses canonical name: values consistently throughout all 5 skills.

[jrandolf]

@claude Review this

[claude]

Claude finished @jrandolf's task in 5m 3s —— View job

---

PR Review

• Gathering context
• Reading changed files
• Reviewing skills content
• Final assessment

---

Overall

f457693 addresses all four round-23 issues. The protocol switching row in troubleshoot-earl Step 6 now matches secure-agent's vars.* preference. .windsurfrules is named explicitly in setup-earl. The de-duplication check now covers all three context files. Both verify phases now tell the agent to check the environments block for valid names. Two new findings below.

---

Issues

setup-earl breadcrumb not written to all detected platform context files — Minor

setup-earl/SKILL.md:79-80 correctly says "Configure every matching platform" for MCP config, and the apply section at line 125 groups "Claude Code, Cursor, or Windsurf" together. But the breadcrumb section (lines 153–157) only covers two cases:

• Claude Code IS detected → write to .claude/CLAUDE.md
• Claude Code is NOT detected → write to .cursorrules (Cursor) or .windsurfrules (Windsurf)

The missing case: Claude Code AND Cursor (or Windsurf) are both detected. An agent on a project with both .claude/ and .cursor/ would configure MCP for both platforms (correctly), but only write the Earl breadcrumb to .claude/CLAUDE.md. The Cursor agent would have Earl MCP tools available but no .cursorrules instructions telling it to use them.

The breadcrumb section should match the MCP section: when multiple platforms are detected, write to all matching context files, not just the Claude Code one.

Fix this →

---

cli-to-earl-mapping.md "No Pre-built Template" table omits http (httpie) — Nit

cli-to-earl-mapping.md:57:

| Any other `curl` / `wget` URL | `http` |

The top note (lines 8–9) instructs agents to substitute wget and http (httpie) for curl when scanning. For matched providers, this works because all three substitutions are explicitly covered. But for unmatched calls that fall through to this table, http is absent from the "Any other URL" row. An unmatched http GET https://... call would not clearly map to the http protocol, inconsistent with the note. Adding http here: Any other curl/wget/http URL would close the gap.

---

All Previous Issues: Resolved ✓

Issue	Round	Status
cargo install earl missing Node.js + pnpm	1	✓ Fixed
Cap inconsistency (10 vs 5) in migrate-to-earl	1	✓ Fixed
Circular curl verification in secure-agent Step 4	1	✓ Fixed
migrate-to-earl reference file missing URL	1	✓ Fixed
jq dependency not noted	1	✓ Fixed
Cursor instructions incomplete in secure-agent	1	✓ Fixed
create-template reference files no URL fallback	2	✓ Fixed
Supabase grep pattern missing .com TLD	2	✓ Fixed
secure-agent egress rules global scope not noted	2	✓ Fixed
Jira grep pattern misses atlassian.net	3	✓ Fixed
troubleshoot-earl Step 5 missing Cursor/Windsurf	3	✓ Fixed
--yes flag order not in troubleshoot-earl error table	3	✓ Fixed
secure-agent verify assumes system.list_files imported	4	✓ Fixed
cli-to-earl-mapping.md missing Dockerfile/docker-compose	4	✓ Fixed
SSRF warning missing 0.0.0.0	4	✓ Fixed
create-template pre-built path skips secrets + verify	5	✓ Fixed
Provider patterns don't cover wget	5	✓ Fixed
create-template Phase 1 doesn't check if provider already imported	6	✓ Fixed
migrate-to-earl Phase 4 re-prompts after create-template	6	✓ Fixed
troubleshoot-earl Step 5 missing Windows Claude Desktop path	7	✓ Fixed
create-template Phase 7 "After validation" phrasing misleading	7	✓ Fixed
secure-agent Step 4 references docs with no link	7	✓ Fixed
create-template template live before user review	8	✓ Fixed
migrate-to-earl Phase 4 skip note too narrow (Phase 2 only)	8	✓ Fixed
setup-earl Phase 2 demo has no re-import guard	8	✓ Fixed
create-template Phase 1 command-level check too coarse	7/8/9	✓ Fixed
cli-to-earl-mapping.md HubSpot missing api.hubspot.com	9	✓ Fixed
Write-mode side-effect warning missing from verify phases	9	✓ Fixed
troubleshoot-earl Step 5 missing discovery mode note	10	✓ Fixed
secure-agent denylist may block non-API curl uses	10	✓ Fixed
cli-to-earl-mapping.md BRE alternation fails on macOS	11	✓ Fixed
secure-agent Bash(gh *) blocks non-API gh uses	11	✓ Fixed
migrate-to-earl Phase 7 rewrite examples bash-only	12	✓ Fixed
grep -E note required per-row evaluation	12	✓ Fixed
cli-to-earl-mapping.md scan note doesn't cover httpie	13	✓ Fixed
migrate-to-earl Phase 7 "After" uses literal strings	13	✓ Fixed
setup-earl CLAUDE.md breadcrumb --yes scoped to write-mode	12/13/14	✓ Fixed
Linux Claude Desktop path missing	14	✓ Fixed
httpie false-positive warning missing	14	✓ Fixed
setup-earl Phase 3 platform detection first-match only	15	✓ Fixed
troubleshoot-earl Step 3 template path Unix-only	15	✓ Fixed
create-template global template path Unix-only	16	✓ Fixed
secure-agent Step 5 egress config path Unix-only	16	✓ Fixed
setup-earl "Apply MCP config" missing Windsurf	16	✓ Fixed
secure-agent platform table missing Windsurf	16	✓ Fixed
cli-to-earl-mapping.md Datadog missing regional endpoints	18	✓ Fixed
setup-earl Phase 2 re-import guard too broad (grep system)	19	✓ Fixed
cli-to-earl-mapping.md missing interpreter-based call scope note	19	✓ Fixed
migrate-to-earl Phase 4 skip condition too broad	18/19/20	✓ Fixed
setup-earl CLAUDE.md breadcrumb not platform-aware	20	✓ Fixed
setup-earl Windsurf breadcrumb file not named	20/21/22	✓ Fixed in f457693 — .windsurfrules named
migrate-to-earl Phase 4 doesn't say how to find secret keys	21	✓ Fixed
migrate-to-earl Phase 2 "skip this step" ambiguous	20/21	✓ Fixed
--env examples hardcode staging	22	✓ Fixed
troubleshoot-earl Step 6 protocol switching contradicts secure-agent	22/23	✓ Fixed in f457693 — vars.* preference added
setup-earl de-duplication check not for .cursorrules/.windsurfrules	23	✓ Fixed in f457693 — all 3 context files covered
create-template/migrate-to-earl verify steps missing env name location	23	✓ Fixed in f457693 — "check environments block for valid names"

---

What's Good

• The de-duplication guard for context files (setup-earl:159-161) is now unified across all three platform files with a single clean sentence — better than the previous Claude Code-only check.
• troubleshoot-earl Step 6 error table now has consistent advice for the protocol switching row: the vars.* preference and the egress bypass caveat match secure-agent Step 5 exactly.
• migrate-to-earl Phase 4 skip condition (only when Phase 2 took the no-pre-built path) is now unambiguous.
• create-template Phase 1 three-branch routing (specific command present → Phase 7, provider without command → custom authoring, provider absent → offer import) remains correct and complete.
• The suite is in excellent shape after 23 rounds of iteration — the remaining findings are one minor and one nit.

[jrandolf]

@claude Review this

[claude]

Claude finished @jrandolf's task in 3m 13s —— View job

---

PR Review

• Gathering context
• Reading changed files
• Reviewing skills content
• Final assessment

---

Overall

f457693 addresses all four round-22 issues. .windsurfrules is now named explicitly at setup-earl:155. The de-duplication check now covers .cursorrules and .windsurfrules in addition to .claude/CLAUDE.md at lines 159–162. The protocol-switching error row in troubleshoot-earl:161 now matches secure-agent's vars.* preference. Both verify phases now direct agents to the environments block for valid names.

One new finding below — a text formatting artifact.

---

Issues

Verify phase text has awkward mid-sentence line breaks — Nit

create-template/SKILL.md:254-258:

use `--env <name>` to select a non-production environment for the test call. Otherwise, use
a test or sandbox account, a safe test value
(e.g. a dedicated test repo), or
choose a read-only command for the initial verification.

migrate-to-earl/SKILL.md:137-139:

Otherwise, use read-only commands for
verification where possible, or use a
test/sandbox account.

These were introduced by the patch reflowing text around the new environments clause. The line breaks mid-clause ("a safe test value\n(e.g. a dedicated test repo)") could cause an agent parsing the file to see two separate list items rather than one continuous sentence. Minor — markdown renderers will join the lines — but it reads awkwardly.

---

All Previous Issues: Resolved ✓

Issue	Round	Status
cargo install earl missing Node.js + pnpm	1	✓ Fixed
Cap inconsistency (10 vs 5) in migrate-to-earl	1	✓ Fixed
Circular curl verification in secure-agent Step 4	1	✓ Fixed
migrate-to-earl reference file missing URL	1	✓ Fixed
jq dependency not noted	1	✓ Fixed
Cursor instructions incomplete in secure-agent	1	✓ Fixed
create-template reference files no URL fallback	2	✓ Fixed
Supabase grep pattern missing .com TLD	2	✓ Fixed
secure-agent egress rules global scope not noted	2	✓ Fixed
Jira grep pattern misses atlassian.net	3	✓ Fixed
troubleshoot-earl Step 5 missing Cursor/Windsurf	3	✓ Fixed
--yes flag order not in troubleshoot-earl error table	3	✓ Fixed
secure-agent verify assumes system.list_files imported	4	✓ Fixed
cli-to-earl-mapping.md missing Dockerfile/docker-compose	4	✓ Fixed
SSRF warning missing 0.0.0.0	4	✓ Fixed
create-template pre-built path skips secrets + verify	5	✓ Fixed
Provider patterns don't cover wget	5	✓ Fixed
create-template Phase 1 doesn't check if provider already imported	6	✓ Fixed
migrate-to-earl Phase 4 re-prompts after create-template	6	✓ Fixed
troubleshoot-earl Step 5 missing Windows Claude Desktop path	7	✓ Fixed
create-template Phase 7 "After validation" phrasing misleading	7	✓ Fixed
secure-agent Step 4 references docs with no link	7	✓ Fixed
create-template template live before user review	8	✓ Fixed
migrate-to-earl Phase 4 skip note too narrow (Phase 2 only)	8	✓ Fixed
setup-earl Phase 2 demo has no re-import guard	8	✓ Fixed
create-template Phase 1 command-level check too coarse	7/8/9	✓ Fixed
cli-to-earl-mapping.md HubSpot missing api.hubspot.com	9	✓ Fixed
Write-mode side-effect warning missing from verify phases	9	✓ Fixed
troubleshoot-earl Step 5 missing discovery mode note	10	✓ Fixed
secure-agent denylist may block non-API curl uses	10	✓ Fixed
cli-to-earl-mapping.md BRE alternation fails on macOS	11	✓ Fixed
secure-agent Bash(gh *) blocks non-API gh uses	11	✓ Fixed
migrate-to-earl Phase 7 rewrite examples bash-only	12	✓ Fixed
grep -E note required per-row evaluation	12	✓ Fixed
cli-to-earl-mapping.md scan note doesn't cover httpie	13	✓ Fixed
migrate-to-earl Phase 7 "After" uses literal strings	13	✓ Fixed
setup-earl CLAUDE.md breadcrumb --yes scoped to write-mode	12/13/14	✓ Fixed
Linux Claude Desktop path missing	14	✓ Fixed
httpie false-positive warning missing	14	✓ Fixed
setup-earl Phase 3 platform detection first-match only	15	✓ Fixed
troubleshoot-earl Step 3 template path Unix-only	15	✓ Fixed
create-template global template path Unix-only	16	✓ Fixed
secure-agent Step 5 egress config path Unix-only	16	✓ Fixed
setup-earl "Apply MCP config" missing Windsurf	16	✓ Fixed
secure-agent platform table missing Windsurf	16	✓ Fixed
cli-to-earl-mapping.md Datadog missing regional endpoints	18	✓ Fixed
setup-earl Phase 2 re-import guard too broad (grep system)	19	✓ Fixed
cli-to-earl-mapping.md missing interpreter-based call scope note	19	✓ Fixed
migrate-to-earl Phase 4 skip condition too broad	18/19/20	✓ Fixed
setup-earl CLAUDE.md breadcrumb not platform-aware	20	✓ Fixed
migrate-to-earl Phase 4 doesn't say how to find secret keys	21	✓ Fixed
migrate-to-earl Phase 2 "skip this step" ambiguous	20/21	✓ Fixed
--env examples hardcode staging	22	✓ Fixed
troubleshoot-earl Step 6 protocol switching fix contradicts secure-agent	22	✓ Fixed in f457693 — now recommends vars.* first
setup-earl Windsurf breadcrumb file not named	20/21/22	✓ Fixed in f457693 — .windsurfrules named explicitly
setup-earl de-duplication check not applied to .cursorrules/.windsurfrules	22	✓ Fixed in f457693 — now covers all platform context files
create-template/migrate-to-earl verify steps don't name environment block	22	✓ Fixed in f457693 — "check the environments block for valid names"

---

What's Good

• The three-branch routing in create-template Phase 1 (specific command present → Phase 7, provider without command → custom authoring, provider absent → import) is complete and handles all cases correctly.
• migrate-to-earl Phase 4 skip condition is precisely scoped — the "Do NOT skip" paragraph explicitly names the Phase 2 bare import + Phase 3 create-template combination as a non-skip case.
• troubleshoot-earl Step 6 error table is now comprehensive — HCL, Jinja, auth, SSRF, install, command name, MCP, flag order, keychain, OAuth, environments (3 rows) — with the protocol switching row now correctly aligned with secure-agent's guidance.
• secure-agent Step 1 notes on Bash(curl *) and Bash(gh *) blocking non-API uses remain well-placed and actionable.
• setup-earl Phase 3 multi-platform detection ("Configure every matching platform") and the de-duplication logic now consistently apply to Claude Code, Cursor, and Windsurf context files.
• The grep -E universal note and ERE alternation patterns are correct and cross-platform.
• Cross-skill invoke routing uses canonical name: values consistently throughout all 5 skills.
• The suite is ready to merge after 23 rounds of iteration.

[jrandolf]

@claude Review this

[claude]

Claude finished @jrandolf's task in 2m 4s —— View job

---

PR Review

• Gathering context
• Reading changed files
• Reviewing skills content
• Final assessment

---

Overall

6d255e9 addresses the round-24 nit: both verify phases now reflow cleanly across the new environments clause. No awkward mid-sentence breaks remain. The two Minor issues from round 24 are still open.

---

Issues

setup-earl breadcrumb not written to all detected platform context files — Minor (carried from round 24, not fixed)

setup-earl/SKILL.md:153-157:

"If Claude Code was not one of the detected platforms...write the Earl instructions to the appropriate context file for the detected platform instead: .cursorrules for Cursor, or .windsurfrules for Windsurf."

This is still a binary: either Claude Code is detected (write to .claude/CLAUDE.md) or it isn't (write to .cursorrules/.windsurfrules). When both .claude/ and .cursor/ exist, the agent writes only to .claude/CLAUDE.md — the Cursor agent gets Earl MCP tools configured but no .cursorrules instruction telling it how to use them. The MCP config section at line 79-80 already correctly says "Configure every matching platform" — the breadcrumb section should match.

Fix this →

---

cli-to-earl-mapping.md "No Pre-built Template" table omits http (httpie) — Nit (carried from round 24, not fixed)

cli-to-earl-mapping.md:57:

| Any other `curl` / `wget` URL | `http` |

The top note (lines 8–9) instructs agents to scan with wget and http (httpie) substituted for curl. For matched providers this is covered. But the fallthrough row for unmatched calls lists only curl / wget — an unmatched http GET https://... call doesn't clearly map through this row. Adding http here: Any other \curl` / `wget` / `http` URL` closes the asymmetry.

Fix this →

---

All Previous Issues: Resolved ✓

Issue	Round	Status
cargo install earl missing Node.js + pnpm	1	✓ Fixed
Cap inconsistency (10 vs 5) in migrate-to-earl	1	✓ Fixed
Circular curl verification in secure-agent Step 4	1	✓ Fixed
migrate-to-earl reference file missing URL	1	✓ Fixed
jq dependency not noted	1	✓ Fixed
Cursor instructions incomplete in secure-agent	1	✓ Fixed
create-template reference files no URL fallback	2	✓ Fixed
Supabase grep pattern missing .com TLD	2	✓ Fixed
secure-agent egress rules global scope not noted	2	✓ Fixed
Jira grep pattern misses atlassian.net	3	✓ Fixed
troubleshoot-earl Step 5 missing Cursor/Windsurf	3	✓ Fixed
--yes flag order not in troubleshoot-earl error table	3	✓ Fixed
secure-agent verify assumes system.list_files imported	4	✓ Fixed
cli-to-earl-mapping.md missing Dockerfile/docker-compose	4	✓ Fixed
SSRF warning missing 0.0.0.0	4	✓ Fixed
create-template pre-built path skips secrets + verify	5	✓ Fixed
Provider patterns don't cover wget	5	✓ Fixed
create-template Phase 1 doesn't check if provider already imported	6	✓ Fixed
migrate-to-earl Phase 4 re-prompts after create-template	6	✓ Fixed
troubleshoot-earl Step 5 missing Windows Claude Desktop path	7	✓ Fixed
create-template Phase 7 "After validation" phrasing misleading	7	✓ Fixed
secure-agent Step 4 references docs with no link	7	✓ Fixed
create-template template live before user review	8	✓ Fixed
migrate-to-earl Phase 4 skip note too narrow (Phase 2 only)	8	✓ Fixed
setup-earl Phase 2 demo has no re-import guard	8	✓ Fixed
create-template Phase 1 command-level check too coarse	7/8/9	✓ Fixed
cli-to-earl-mapping.md HubSpot missing api.hubspot.com	9	✓ Fixed
Write-mode side-effect warning missing from verify phases	9	✓ Fixed
troubleshoot-earl Step 5 missing discovery mode note	10	✓ Fixed
secure-agent denylist may block non-API curl uses	10	✓ Fixed
cli-to-earl-mapping.md BRE alternation fails on macOS	11	✓ Fixed
secure-agent Bash(gh *) blocks non-API gh uses	11	✓ Fixed
migrate-to-earl Phase 7 rewrite examples bash-only	12	✓ Fixed
grep -E note required per-row evaluation	12	✓ Fixed
cli-to-earl-mapping.md scan note doesn't cover httpie	13	✓ Fixed
migrate-to-earl Phase 7 "After" uses literal strings	13	✓ Fixed
setup-earl CLAUDE.md breadcrumb --yes scoped to write-mode	12/13/14	✓ Fixed
Linux Claude Desktop path missing	14	✓ Fixed
httpie false-positive warning missing	14	✓ Fixed
setup-earl Phase 3 platform detection first-match only	15	✓ Fixed
troubleshoot-earl Step 3 template path Unix-only	15	✓ Fixed
create-template global template path Unix-only	16	✓ Fixed
secure-agent Step 5 egress config path Unix-only	16	✓ Fixed
setup-earl "Apply MCP config" missing Windsurf	16	✓ Fixed
secure-agent platform table missing Windsurf	16	✓ Fixed
cli-to-earl-mapping.md Datadog missing regional endpoints	18	✓ Fixed
setup-earl Phase 2 re-import guard too broad (grep system)	19	✓ Fixed
cli-to-earl-mapping.md missing interpreter-based call scope note	19	✓ Fixed
migrate-to-earl Phase 4 skip condition too broad	18/19/20	✓ Fixed
setup-earl CLAUDE.md breadcrumb not platform-aware	20	✓ Fixed
migrate-to-earl Phase 4 doesn't say how to find secret keys	21	✓ Fixed
migrate-to-earl Phase 2 "skip this step" ambiguous	20/21	✓ Fixed
--env examples hardcode staging	22	✓ Fixed
troubleshoot-earl Step 6 protocol switching contradicts secure-agent	22/23	✓ Fixed
setup-earl Windsurf breadcrumb file not named	20/21/22	✓ Fixed
setup-earl de-duplication check not for .cursorrules/.windsurfrules	23	✓ Fixed
create-template/migrate-to-earl verify steps missing env name location	23	✓ Fixed
Verify phase text has awkward mid-sentence line breaks	24	✓ Fixed in 6d255e9

---

What's Good

• The reflow in both verify phases is clean — the environments clause integrates naturally into the sentence.
• migrate-to-earl Phase 4 skip condition (only when Phase 2 took the no-pre-built path) is precisely scoped and unambiguous.
• create-template Phase 1 three-branch routing (specific command present → Phase 7, provider without command → custom authoring, provider absent → import) handles all cases correctly.
• troubleshoot-earl Step 6 error table is comprehensive — HCL, Jinja, auth, SSRF, install, command name, MCP, flag order, keychain, OAuth, and environments (3 rows).
• Cross-skill invoke routing uses canonical name: values consistently throughout all 5 skills.
• The suite is one minor and one nit from being complete.

[jrandolf]

@claude Review this

[claude]

Claude finished @jrandolf's task in 4m 6s —— View job

---

PR Review

• Gathering context
• Reading changed files
• Reviewing skills content
• Final assessment

---

Overall

3b09a27 addresses both round-25 issues. The breadcrumb section in setup-earl now explicitly writes to every detected platform's context file (Claude Code, Cursor, Windsurf). The cli-to-earl-mapping.md fallthrough row now lists all three tools (curl / wget / http). One nit below.

---

Issues

setup-earl breadcrumb section title still says "CLAUDE.md" — Nit

setup-earl/SKILL.md:151:

### Write CLAUDE.md breadcrumb

The section now writes to .claude/CLAUDE.md, .cursorrules, and .windsurfrules — not just CLAUDE.md. An agent that skims section headers to orient itself would read "Write CLAUDE.md breadcrumb" and may not look further for the Cursor/Windsurf cases, especially if it determines Claude Code is one of the detected platforms and stops at the first match. Renaming to ### Write Agent Breadcrumbs (or ### Write Context File Breadcrumbs) would make the scope clear from the heading.

Fix this →

---

All Previous Issues: Resolved ✓

Issue	Round	Status
cargo install earl missing Node.js + pnpm	1	✓ Fixed
Cap inconsistency (10 vs 5) in migrate-to-earl	1	✓ Fixed
Circular curl verification in secure-agent Step 4	1	✓ Fixed
migrate-to-earl reference file missing URL	1	✓ Fixed
jq dependency not noted	1	✓ Fixed
Cursor instructions incomplete in secure-agent	1	✓ Fixed
create-template reference files no URL fallback	2	✓ Fixed
Supabase grep pattern missing .com TLD	2	✓ Fixed
secure-agent egress rules global scope not noted	2	✓ Fixed
Jira grep pattern misses atlassian.net	3	✓ Fixed
troubleshoot-earl Step 5 missing Cursor/Windsurf	3	✓ Fixed
--yes flag order not in troubleshoot-earl error table	3	✓ Fixed
secure-agent verify assumes system.list_files imported	4	✓ Fixed
cli-to-earl-mapping.md missing Dockerfile/docker-compose	4	✓ Fixed
SSRF warning missing 0.0.0.0	4	✓ Fixed
create-template pre-built path skips secrets + verify	5	✓ Fixed
Provider patterns don't cover wget	5	✓ Fixed
create-template Phase 1 doesn't check if provider already imported	6	✓ Fixed
migrate-to-earl Phase 4 re-prompts after create-template	6	✓ Fixed
troubleshoot-earl Step 5 missing Windows Claude Desktop path	7	✓ Fixed
create-template Phase 7 "After validation" phrasing misleading	7	✓ Fixed
secure-agent Step 4 references docs with no link	7	✓ Fixed
create-template template live before user review	8	✓ Fixed
migrate-to-earl Phase 4 skip note too narrow (Phase 2 only)	8	✓ Fixed
setup-earl Phase 2 demo has no re-import guard	8	✓ Fixed
create-template Phase 1 command-level check too coarse	7/8/9	✓ Fixed
cli-to-earl-mapping.md HubSpot missing api.hubspot.com	9	✓ Fixed
Write-mode side-effect warning missing from verify phases	9	✓ Fixed
troubleshoot-earl Step 5 missing discovery mode note	10	✓ Fixed
secure-agent denylist may block non-API curl uses	10	✓ Fixed
cli-to-earl-mapping.md BRE alternation fails on macOS	11	✓ Fixed
secure-agent Bash(gh *) blocks non-API gh uses	11	✓ Fixed
migrate-to-earl Phase 7 rewrite examples bash-only	12	✓ Fixed
grep -E note required per-row evaluation	12	✓ Fixed
cli-to-earl-mapping.md scan note doesn't cover httpie	13	✓ Fixed
migrate-to-earl Phase 7 "After" uses literal strings	13	✓ Fixed
setup-earl CLAUDE.md breadcrumb --yes scoped to write-mode	12/13/14	✓ Fixed
Linux Claude Desktop path missing	14	✓ Fixed
httpie false-positive warning missing	14	✓ Fixed
setup-earl Phase 3 platform detection first-match only	15	✓ Fixed
troubleshoot-earl Step 3 template path Unix-only	15	✓ Fixed
create-template global template path Unix-only	16	✓ Fixed
secure-agent Step 5 egress config path Unix-only	16	✓ Fixed
setup-earl "Apply MCP config" missing Windsurf	16	✓ Fixed
secure-agent platform table missing Windsurf	16	✓ Fixed
cli-to-earl-mapping.md Datadog missing regional endpoints	18	✓ Fixed
setup-earl Phase 2 re-import guard too broad (grep system)	19	✓ Fixed
cli-to-earl-mapping.md missing interpreter-based call scope note	19	✓ Fixed
migrate-to-earl Phase 4 skip condition too broad	18/19/20	✓ Fixed
setup-earl CLAUDE.md breadcrumb not platform-aware	20	✓ Fixed
migrate-to-earl Phase 4 doesn't say how to find secret keys	21	✓ Fixed
migrate-to-earl Phase 2 "skip this step" ambiguous	20/21	✓ Fixed
--env examples hardcode staging	22	✓ Fixed
troubleshoot-earl Step 6 protocol switching contradicts secure-agent	22/23	✓ Fixed
setup-earl Windsurf breadcrumb file not named	20/21/22	✓ Fixed
setup-earl de-duplication check not for .cursorrules/.windsurfrules	23	✓ Fixed
create-template/migrate-to-earl verify steps missing env name location	23	✓ Fixed
Verify phase text has awkward mid-sentence line breaks	24	✓ Fixed
setup-earl breadcrumb not written to all detected platform context files	24/25	✓ Fixed in 3b09a27 — now writes to every matching platform's context file
cli-to-earl-mapping.md "No Pre-built Template" table omits http (httpie)	24/25	✓ Fixed in 3b09a27 — fallthrough row now lists curl / wget / http

---

What's Good

• 3b09a27 is precise and exactly scoped to the two outstanding items — no collateral changes.
• The breadcrumb rewrite is correctly framed as a list (one bullet per platform) with a unified de-duplication rule at the end — cleaner than the previous conditional prose.
• The three-tool note at the top of cli-to-earl-mapping.md and the fallthrough row are now fully consistent.
• create-template Phase 1 three-branch routing (specific command present → Phase 7, provider without command → custom authoring, provider absent → import) is complete and correct.
• troubleshoot-earl Step 6 error table covers every known failure mode — HCL, Jinja, auth, SSRF, install, command name, MCP, flag order, keychain, OAuth, environments (3 rows), with the protocol switching row correctly aligned to secure-agent's vars.* preference.
• Cross-skill invoke routing uses canonical name: values consistently throughout all 5 skills.
• The suite is one nit away from being complete after 25 rounds of iteration.

[jrandolf]

@claude Review this

[claude]

Claude finished @jrandolf's task in 2m 19s —— View job

---

PR Review

• Gathering context
• Reading changed files
• Reviewing skills content
• Final assessment

---

Overall

3b09a27 addresses both round-25 issues. setup-earl lines 153–162 now say "Write the breadcrumb to every detected platform's context file" and explicitly list Claude Code (.claude/CLAUDE.md), Cursor (.cursorrules), and Windsurf (.windsurfrules) — matching the MCP config section's "Configure every matching platform" instruction. The cli-to-earl-mapping.md fallthrough row at line 57 now reads "Any other curl / wget / http URL" — consistent with the three-tool scan note.

No new issues found. The suite reads well end-to-end.

---

All Previous Issues: Resolved ✓

Full resolution history (25 rounds, 52 issues)

Issue	Round	Status
cargo install earl missing Node.js + pnpm	1	✓
Cap inconsistency (10 vs 5) in migrate-to-earl	1	✓
Circular curl verification in secure-agent Step 4	1	✓
migrate-to-earl reference file missing URL	1	✓
jq dependency not noted	1	✓
Cursor instructions incomplete in secure-agent	1	✓
create-template reference files no URL fallback	2	✓
Supabase grep pattern missing .com TLD	2	✓
secure-agent egress rules global scope not noted	2	✓
Jira grep pattern misses atlassian.net	3	✓
troubleshoot-earl Step 5 missing Cursor/Windsurf	3	✓
--yes flag order not in troubleshoot-earl error table	3	✓
secure-agent verify assumes system.list_files imported	4	✓
cli-to-earl-mapping.md missing Dockerfile/docker-compose	4	✓
SSRF warning missing 0.0.0.0	4	✓
create-template pre-built path skips secrets + verify	5	✓
Provider patterns don't cover wget	5	✓
create-template Phase 1 doesn't check if provider already imported	6	✓
migrate-to-earl Phase 4 re-prompts after create-template	6	✓
troubleshoot-earl Step 5 missing Windows Claude Desktop path	7	✓
create-template Phase 7 "After validation" phrasing misleading	7	✓
secure-agent Step 4 references docs with no link	7	✓
create-template template live before user review	8	✓
migrate-to-earl Phase 4 skip note too narrow (Phase 2 only)	8	✓
setup-earl Phase 2 demo has no re-import guard	8	✓
create-template Phase 1 command-level check too coarse	7/8/9	✓
cli-to-earl-mapping.md HubSpot missing api.hubspot.com	9	✓
Write-mode side-effect warning missing from verify phases	9	✓
troubleshoot-earl Step 5 missing discovery mode note	10	✓
secure-agent denylist may block non-API curl uses	10	✓
cli-to-earl-mapping.md BRE alternation fails on macOS	11	✓
secure-agent Bash(gh *) blocks non-API gh uses	11	✓
migrate-to-earl Phase 7 rewrite examples bash-only	12	✓
grep -E note required per-row evaluation	12	✓
cli-to-earl-mapping.md scan note doesn't cover httpie	13	✓
migrate-to-earl Phase 7 "After" uses literal strings	13	✓
setup-earl CLAUDE.md breadcrumb --yes scoped to write-mode	12/13/14	✓
Linux Claude Desktop path missing	14	✓
httpie false-positive warning missing	14	✓
setup-earl Phase 3 platform detection first-match only	15	✓
troubleshoot-earl Step 3 template path Unix-only	15	✓
create-template global template path Unix-only	16	✓
secure-agent Step 5 egress config path Unix-only	16	✓
setup-earl "Apply MCP config" missing Windsurf	16	✓
secure-agent platform table missing Windsurf	16	✓
cli-to-earl-mapping.md Datadog missing regional endpoints	18	✓
setup-earl Phase 2 re-import guard too broad (grep system)	19	✓
cli-to-earl-mapping.md missing interpreter-based call scope note	19	✓
migrate-to-earl Phase 4 skip condition too broad	18/19/20	✓
setup-earl CLAUDE.md breadcrumb not platform-aware	20	✓
migrate-to-earl Phase 4 doesn't say how to find secret keys	21	✓
migrate-to-earl Phase 2 "skip this step" ambiguous	20/21	✓
--env examples hardcode staging	22	✓
troubleshoot-earl Step 6 protocol switching contradicts secure-agent	22/23	✓
setup-earl Windsurf breadcrumb file not named	20–22	✓
setup-earl de-duplication check not for .cursorrules/.windsurfrules	23	✓
create-template/migrate-to-earl verify steps missing env name location	23	✓
Verify phase text has awkward mid-sentence line breaks	24	✓
setup-earl breadcrumb not written to all detected platform context files	24/25	✓ Fixed in 3b09a27
cli-to-earl-mapping.md fallthrough table omits http (httpie)	24/25	✓ Fixed in 3b09a27

---

What's Good

• setup-earl breadcrumb section now correctly mirrors the MCP config section: "every matching platform" applies to both MCP config writing and context file writing. The dedup check ("if it already exists, check for an existing ## Earl section before appending") covers all three files in one sentence.
• cli-to-earl-mapping.md is now internally consistent: the three-tool scan note (curl/wget/http) matches the fallthrough row.
• create-template Phase 1 three-branch routing (specific command present → Phase 7, provider without command → custom authoring, provider absent → import) is complete and handles all cases correctly.
• migrate-to-earl Phase 4 skip condition is precisely scoped — the "Do NOT skip" paragraph explicitly names the Phase 2 bare import + Phase 3 create-template combination as a non-skip case.
• troubleshoot-earl Step 6 error table is comprehensive: HCL, Jinja, auth, SSRF, install, command name, MCP, flag order, keychain, OAuth, and all three environment error modes.
• Cross-skill invoke routing uses canonical name: values consistently throughout all 5 skills.

This PR is ready to merge.

---