Skip to content

docs: add CLAUDE.md and require skills to be checked on every stack change#596

Merged
coderdan merged 2 commits into
mainfrom
docs/claude-md-skills-sync
Jul 9, 2026
Merged

docs: add CLAUDE.md and require skills to be checked on every stack change#596
coderdan merged 2 commits into
mainfrom
docs/claude-md-skills-sync

Conversation

@coderdan

@coderdan coderdan commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Why

Two gaps, one fix.

1. Claude Code has been reading no project instructions in this repo

Claude Code loads CLAUDE.md, not AGENTS.md (docs). This repo only has AGENTS.md, so every Claude Code session here has started with zero project context — no build commands, no gotchas, no bundler warning, no changeset rule.

This PR adds a CLAUDE.md that imports @AGENTS.md. One source of truth, read by both Claude Code and Codex. The @ import is the documented pattern and is preferred over a symlink, which requires Developer Mode on Windows.

2. Skills drift silently, and the damage lands in customer repos

skills/*/SKILL.md are published artifacts:

  • packages/cli/tsup.config.ts copies skills/ into dist/skills/, so they ship inside the stash npm tarball.
  • installSkills() copies the per-integration set into the user's .claude/skills/ or .codex/skills/ at handoff time.
  • readBundledSkill() inlines a skill's body into the user's AGENTS.md for Cursor / Windsurf / Cline.

Nothing type-checks them and nothing in CI compares them to the code. A stale sentence becomes wrong guidance in someone else's codebase. This isn't hypothetical: stash-cli had fallen a whole command surface behind (the dbeql move, four undocumented commands, six wrong API signatures, and three citations of a closed issue) before anyone noticed.

What's in it

CLAUDE.md — imports @AGENTS.md, then repeats the two rules that fail silently (check the skills; add a changeset) and points at packages/cli/AGENTS.md for the two-Vitest-config gotcha.

AGENTS.md → new ## Agent Skills — these ship to customers section:

  • How a skill actually reaches a user, so the stakes are concrete.

  • Why each SKILL.md must stay self-sufficient — only SKILL.md is inlined for the agents-md target, so content split into sibling reference files is silently dropped for Cursor/Windsurf/Cline users.

  • A package→skill map, so "which skill do I check?" has an answer.

  • A mechanical check for CLI changes, since the command registry is the source of truth:

    pnpm --filter stash build
    node packages/cli/dist/bin/stash.js manifest --json

    Every command and flag named in skills/stash-cli/SKILL.md must resolve against that manifest. This turns "did anyone proofread the skill?" into a diff.

  • A reminder that skills are public: no Linear issue IDs.

AGENTS.md → new checklist item 8 in "Adding Features Safely", so the rule is enforced at PR time and not only by whoever happens to read the section.

AGENTS.md → changeset item now notes that a skills-only change is not internal. It ships in the stash tarball, so it needs a stash patch.

Verification

  • Every path referenced in the new section exists (tsup.config.ts, install-skills.ts, AGENTS-doctrine.md, packages/cli/AGENTS.md).
  • Every skill named in the package→skill table exists under skills/.
  • The "Adding Features Safely" list renumbers cleanly (1–9, no duplicates).
  • CLAUDE.md is not gitignored.

Notes

…hange

Two gaps, one fix.

**Claude Code was reading no project instructions in this repo.** It loads
`CLAUDE.md`, not `AGENTS.md` (https://code.claude.com/docs/en/memory#agentsmd),
and this repo only had the latter. Add a `CLAUDE.md` that imports `@AGENTS.md`
so both Claude Code and Codex read one source of truth, rather than
duplicating the rules or relying on a symlink (which needs Developer Mode on
Windows).

**Skills drift silently.** `skills/*/SKILL.md` ship inside the `stash` tarball
(`packages/cli/tsup.config.ts` copies them into `dist/skills/`), get copied into
the user's `.claude/skills/` or `.codex/skills/` by `installSkills()`, and are
inlined into their `AGENTS.md` by `readBundledSkill()`. Nothing type-checks
them, so a stale sentence lands in a customer's repo. The stash-cli skill had
drifted a whole command surface behind before anyone noticed.

- New `## Agent Skills — these ship to customers` section in `AGENTS.md`: how
  skills reach users, why each `SKILL.md` must stay self-sufficient (only
  `SKILL.md` is inlined for the agents-md target), a package-to-skill map, and
  the mechanical check for CLI changes -- diff the skill against
  `stash manifest --json` rather than proofreading it.
- New checklist item 8 in "Adding Features Safely", so the rule is hit at PR
  time and not only by whoever reads the section.
- Note in the changeset item that a skills-only change is not internal: it
  ships, so it needs a `stash` patch.
@coderdan coderdan requested a review from a team as a code owner July 9, 2026 06:24
@changeset-bot

changeset-bot Bot commented Jul 9, 2026

Copy link
Copy Markdown

⚠️ No Changeset found

Latest commit: a36add6

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@coderabbitai

coderabbitai Bot commented Jul 9, 2026

Copy link
Copy Markdown

Warning

Review limit reached

@coderdan, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 2 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: a2eb1ac6-5c89-48af-a5e3-f567f15b88a7

📥 Commits

Reviewing files that changed from the base of the PR and between c67169f and a36add6.

📒 Files selected for processing (2)
  • AGENTS.md
  • CLAUDE.md
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch docs/claude-md-skills-sync

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR improves agent/developer guidance in the cipherstash/stack repo by adding Claude Code–specific instructions and strengthening the repo-wide policy that shipped skills (skills/*/SKILL.md) must be reviewed alongside product/CLI changes to prevent customer-facing drift.

Changes:

  • Add CLAUDE.md that imports @AGENTS.md and reiterates the two most commonly-missed rules (skills checks + changesets).
  • Expand AGENTS.md with a new “Agent Skills — these ship to customers” section explaining how skills are packaged/installed/inlined and providing a package→skill checklist.
  • Update the “Adding Features Safely” checklist to require checking relevant skills, and clarify that skills-only changes require a changeset.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File Description
CLAUDE.md Adds Claude Code entrypoint instructions and re-emphasizes skills + changeset rules.
AGENTS.md Documents skills as shipped artifacts, adds a package→skill map, and updates the safety checklist accordingly.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread CLAUDE.md Outdated
Addresses review on #596. `src/messages.ts` is ambiguous from the repo root --
there is no root `src/` -- so spell it `packages/cli/src/messages.ts`, matching
the fully-qualified path next to it. Same for "the command registry", now named
as `packages/cli/src/cli/registry.ts`.

Swept every backticked path in CLAUDE.md and in the new AGENTS.md section; all
resolve.
@coderdan

coderdan commented Jul 9, 2026

Copy link
Copy Markdown
Contributor Author

Low impact change, AI review.

@coderdan coderdan merged commit f435ce5 into main Jul 9, 2026
9 checks passed
@coderdan coderdan deleted the docs/claude-md-skills-sync branch July 9, 2026 07:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants