v0.4.1

Highlights

This patch release folds back lessons from three live QA reviews (NRS-4455, SRVGL-242, NRS-4188) where the skill's own guidance was contradictory or silently broken. The most impactful fix is qa-gather.sh discovery: the script searched for utility/qa-gather.py, but jira-integration 3.13 and later ship utility/jira-qa-gather.py, so one-call discovery always failed on current installs and silently fell back to multi-call mode at roughly four extra tool calls per review. The release also closes a notation contradiction — comment-template.md's own examples still used the (-) token that severity.md warns renders as a red forbidden icon in Jira — and codifies how to write findings the reviewer fixes during the review, so a fixed-in-QA issue neither hides behind a bare pass icon nor skews the verdict as an open should-fix.

Fixed

• (off) instead of (-) for n/a findings in the comment-template examples, consistent with the existing severity.md warning (#11)
• qa-gather.sh resolves jira-qa-gather.py (jira-integration >= 3.13) via deterministic find -type f -print -quit per candidate name — no | head pipeline, no SIGPIPE risk under set -o pipefail (#11)

Added

• Paired-icon notation for findings the reviewer reports and fixes during the review: (!) finding — (/) fixed <how> during QA (#12)
• Sparse praise icons and an optional 1-5 star rating for verdicts (#12)
• Display-text shorthand for pipeline and job links (#12)
• Sanity-scan items 7-9: escape literal block-markup tags in prose (\{code\}), link attachments with [^filename], and link every MR/commit/repo named in a finding (#11, #12)

Changed

• F1.5 (description currency) now names the concrete drift artifacts to look for: unticked task checkboxes, outdated status tables, superseded version strings (#13)

Full Changelog: v0.4.0...v0.4.1

v0.4.0

What's Changed

• feat: add G pillar (Guardrails) to Stage 2 of Round-1 QA by @CybotTM in #5
• docs(peer-qa-review): apply F4a link-audit symmetry to the reviewer's own comment by @CybotTM in #6
• docs(peer-qa-review): address #6 follow-up — terminology + verbosity by @CybotTM in #7
• docs(peer-qa-review): exempt parent Epic from F4a link-audit (Jira-native field) by @CybotTM in #8
• feat: add .pre-commit-config.yaml mirroring CI checks by @CybotTM in #9
• chore(release): v0.4.0 by @CybotTM in #10

Full Changelog: v0.3.0...v0.4.0

v0.3.0

Highlights

npm distribution — peer-qa-review-skill now ships as an npm package via @netresearch/agent-skill-coordinator, joining Composer and the Claude Code marketplace as a first-class install path (#3). Teams that standardize on Node tooling can now pin the skill from package.json.

Release pipeline

First release cut against the standardized skill-repo-skill reusable release workflow. The new .github/workflows/release.yml caller wires up:

• signed-tag-only release trigger (the previous version was tagged from a side path),
• cosign-keyless SHA256SUMS.txt signing,
• SLSA build-provenance attestations on every archive,
• GitHub native attestation API verification via gh attestation verify.

Verification

gh attestation verify peer-qa-review-skill-v0.3.0.zip --repo netresearch/peer-qa-review-skill

cosign verify-blob \
  --bundle SHA256SUMS.txt.bundle \
  --certificate-identity-regexp '^https://github\.com/netresearch/skill-repo-skill/\.github/workflows/release\.yml@' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  SHA256SUMS.txt
sha256sum --check SHA256SUMS.txt

Install

/plugin install peer-qa-review@netresearch
composer require netresearch/peer-qa-review-skill
npm i -D @netresearch/agent-skill-coordinator github:netresearch/peer-qa-review-skill

Full changelog: v0.2.0...v0.3.0

v0.2.0 — first matured release

First matured release after the initial dogfood loop on NRS-4365. The 0.1.x series was a rapid-iteration cycle (each round caught a different class of bug); 0.2.0 consolidates the stable result.

Highlights since 0.1.0

• Stronger severity vocabulary — explicit anti-patterns including "do not use (x) for reviewer-side limitations" and "internal inconsistency between findings list and verdict" (severity.md).
• Sanity-scan step before posting — re-read your own QA comment for severity inconsistencies, F7 violations, transition-name vs verdict mismatches, and Pillar P attestations contradicted by the comment itself.
• Jira-specific rendering rules — (-) renders as 🚫 forbidden, not "n/a"; severity tokens in prose render as icons mid-sentence; both called out in severity.md.
• Pillar F refinements — F4 split into F4a (structured issue links via the issue-link feature, verified against the API not description prose) and F4b (external work artefacts); F6 worklog upgraded (i) → (!) (audit/billing/capacity is not a courtesy); new F1.5 description currency.
• Two-comment pattern for long reviews — structured comment is the audit trail; optional TL;DR with [~username] mention + numbered action items keeps actionability visible without burying the audit-trail header.
• List format for pillar findings — bulleted lists for proper wrap-indent of long findings.
• GitHub / GitLab shorthand — owner/repo#123 (GitHub), group/project!456 (GitLab MR), group/project@sha (commits). In Jira, wrap as [shorthand|url] for clickability with shorthand-as-display-text. On GitHub/GitLab the bare shorthand auto-links natively.
• Methodology — every iteration round caught a different class of bug. Source-only review consistently misses what's only visible in the rendered output. When possible, fetch the rendered HTML before declaring done.

What's next

Listed in marketplace: netresearch-claude-code-marketplace#40 (open). Companion utility for single-call discovery: jira-skill#80 (open).