feat(#256): /process skill — extract process from code, BPMN 2.0 output#259
Merged
Conversation
- New skill at .claude/skills/process/SKILL.md that maps a named business process by scanning across seven discovery axes (explicit workflow defs, queue/job chains, cron triggers, state-column transitions, API choreography, existing BPMN/Mermaid, documented steps), interviews only on gaps, then emits a lint-clean BPMN 2.0 file the operator can open in Camunda Modeler. - Anchor-scoped discovery (operator supplies process slug + entry point — endpoint / state machine / queue job / directory) with reachability bounding from the anchor. No exhaustive scans. - Cross-repo traversal via apexyard.projects.yaml — when a handoff target matches a registered project, the skill recurses into that repo (offers to clone workspace/<name>/ if missing, default-yes). Unregistered targets render as external participant pools. - generate-bpmn.sh emits valid BPMN 2.0 XML with bpmn:laneSet, bpmn:messageFlow for cross-pool handoffs, source citations via bpmn:documentation on every element. Pipes through `npx bpmn-auto-layout` for <bpmndi> coords; falls back to bare BPMN with warning when Node is missing. - lint.sh wraps `bpmnlint` (recommended ruleset + label-required + no-disconnected + no-implicit-split) as the merge gate; overridable via per-project .bpmnlintrc. - AgDR-0024 captures the seven sub-decisions: BPMN 2.0 over alternatives (DMN/CMMN/Mermaid sequence/raw flowchart), bpmn-auto-layout over manual coords, bpmnlint as the gate, read-first-then-ask over operator-only authoring, swimlanes-default vs pools-opt-in, registry-lookup vs heuristic URL matching, on-demand cloning offer vs black-box fallback. - Three test scripts cover discovery (smoke.sh — 18 checks across all seven axes on a synthetic Express+Prisma+BullMQ+XState fixture), cross-repo registry lookup (test_cross_repo.sh — 6 checks), and BPMN emission edge cases (test_bpmn_emit.sh — 21 checks: special-char XML escaping, message flows, --pools mode, flow refs, xmllint validity). - CLAUDE.md skill registry bumped to 44; docs/multi-project.md "How skills behave" table updated. Closes #256 Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
atlas-apex
commented
May 16, 2026
atlas-apex
left a comment
Collaborator
Author
There was a problem hiding this comment.
Code Review: PR #259
Commit: 2a5b08558f244da8aab58659d04ce0f8e5fe52cc
Solid implementation across all six focus areas: (1) the seven grep signatures are realistic and well-bounded — vendored-dir pruning is consistent, the state-write pattern \.(status|state|phase|step|stage)\s*=\s*['\"][a-zA-Z_-]+['\"] is narrow enough to avoid common false positives, and head -N caps prevent runaway output; (2) anchor-required scoping is enforced at discover.sh:809-812 with a clear stderr error and exit 2; (3) cross-repo.sh cleanly handles cloned / missing / external / no-registry with all four paths covered in test_cross_repo.sh, and the default-yes clone offer mirrors /handover's pattern correctly; (4) BPMN emission is well-formed — xml_escape covers all five entities, <bpmn:incoming>/<bpmn:outgoing> refs are populated for every node, source-evidence <bpmn:documentation> is consistently attached, and xmllint --noout is asserted in the smoke test; (5) lint.sh degrades gracefully with a specific exit-3 + actionable message when npx is missing, and generate-bpmn.sh falls back to bare BPMN on Node absence with a warning rather than crashing; 45 assertions across three test files all pass. Two non-blocking items to address in a follow-up: (a) AgDR frontmatter ID mismatch — file is AgDR-0025-process-skill-bpmn-and-discovery.md but the YAML frontmatter says id: AgDR-0024 (line 2 of the AgDR), which collides with PR #260's AgDR-0024; please fix the frontmatter id: to AgDR-0025 and update the PR description (still claims "AgDR-0024 captures..." inside the AgDR's prose at the bottom of the Decision section). (b) Cross-PR consolidation with #260 — PR #260 ships .claude/hooks/_lib-multi-repo-trace.sh (324 LOC: mrt_resolve_target, mrt_is_third_party, mrt_workspace_for, mrt_offer_clone) explicitly intended for /process to consume, and its PR body states "the consumer that lands later should consolidate to a single file (Rex will flag the duplication)." Whichever PR merges second should refactor cross-repo.sh to delegate to _lib-multi-repo-trace.sh — the current cross-repo.sh reimplements roughly the same registry lookup, yq/awk fallback, and workspace-resolution logic. Approving (logged as comment because PR author = reviewer); please file the consolidation follow-up as a chore ticket against whichever PR lands second.
Verdict
APPROVED (filed as comment — cannot self-approve)
🤖 Reviewed by Rex (Code Reviewer Agent)
📌 Reviewed commit: `2a5b08558f244da8aab58659d04ce0f8e5fe52cc`
atlas-apex
commented
May 16, 2026
atlas-apex
left a comment
Collaborator
Author
There was a problem hiding this comment.
LGTM — re-approving at c1e081e: verified the 1-line frontmatter fix (id: AgDR-0024 → AgDR-0025) addresses the prior non-blocking drift; no other changes in this commit.
atlas-apex
added a commit
that referenced
this pull request
May 16, 2026
…ies + classifications (#260) * feat(#257): /dfd skill — extract Data Flow Diagram with trust boundaries + classifications Introduces /dfd as the canonical Data Flow Diagram producer. The DFD becomes the source of truth for /threat-model and /compliance-check — both refactored in this commit to consume from projects/<name>/architecture/dfd.md instead of regenerating their own data-flow views. Six-axis discovery (external actors, processes, data stores, data flows, trust boundaries, data classifications). Classifications detect via three additive pathways: code annotations (@pii, @sensitive, CLASSIFIED:), env-var heuristics (*_SECRET, *_TOKEN, EMAIL_*), and schema-column heuristics (email, phone, card_number). An optional explicit registry at docs/data-classification.{md,yaml} overrides heuristic labels. Two output formats: Mermaid markdown (default, renders inline on GitHub, zero new toolchain) and OWASP Threat Dragon v2 JSON (on --format=dragon, for visual editing in Threat Dragon). The Dragon serialiser is a pure function over the in-memory model so #255 (/threat-model --format=dragon) can share or import it. Multi-repo discovery via a new shared helper _lib-multi-repo-trace.sh (intended to also be consumed by /process #256). Three resolvers: mrt_resolve_target (hostname/URL/topic → registered project), mrt_is_third_party (known SaaS vendor detection), mrt_workspace_for (workspace clone path resolution). The refactors of /threat-model and /compliance-check are surgical — Step 1 of /threat-model now reads dfd.md and offers /dfd first if it doesn't exist; Step 4 of /compliance-check reads the classifications + external-services list from dfd.md for cross-border-transfer and DPA detection. Output formats and audit-history persistence contracts in both consumers are unchanged. AgDR-0024 captures the design rationale: Mermaid as primary, Threat Dragon as secondary; classifications as a first-class concept; the single-source-of-truth refactor; the shared multi-repo trace helper. Cross-PR coordination: - #255 (/threat-model --format=dragon) — shares the Threat Dragon serialiser; if #255 lands first with the serialiser inside /threat-model, this skill imports from there - #256 (/process) — shares the _lib-multi-repo-trace.sh helper; if /process extracted its own version first, the consumer that lands later should consolidate Tests (.claude/skills/dfd/tests/smoke.sh, 52 assertions) cover all three fixtures from the AC: single-service six-axis discovery, cross-service trust-boundary detection, three-pathway classification detection. Plus Mermaid generator output shape, Threat Dragon JSON schema validation, and verification that /threat-model and /compliance-check actually reference dfd.md. Closes #257 * fix(#257): renumber AgDR to 0026 — #258 + #259 took 0024 + 0025 during parallel landing * fix(#257): address Rex blockers — shellcheck SC2221/2222, MD032, lychee 404, AgDR refs - _lib-multi-repo-trace.sh: drop redundant subset patterns in third-party detector (e.g. *api.amplitude.com* covered by broader *amplitude.com*) — clears SC2221/2222. - dfd/SKILL.md: blank lines around Discovery + Classifications lists — clears MD032. - dfd/SKILL.md: Threat Dragon schema link now points to the repo root (sub-path 404'd). - AgDR cross-refs across 5 files renumbered 0024 → 0026 (renumber missed downstream). --------- Co-authored-by: me2resh <ahmed.abdelaliem@gmail.com>
32 tasks
me2resh
added a commit
that referenced
this pull request
Jun 5, 2026
…ut (#259) * feat(#256): /process skill — extract process from code, BPMN 2.0 output - New skill at .claude/skills/process/SKILL.md that maps a named business process by scanning across seven discovery axes (explicit workflow defs, queue/job chains, cron triggers, state-column transitions, API choreography, existing BPMN/Mermaid, documented steps), interviews only on gaps, then emits a lint-clean BPMN 2.0 file the operator can open in Camunda Modeler. - Anchor-scoped discovery (operator supplies process slug + entry point — endpoint / state machine / queue job / directory) with reachability bounding from the anchor. No exhaustive scans. - Cross-repo traversal via apexyard.projects.yaml — when a handoff target matches a registered project, the skill recurses into that repo (offers to clone workspace/<name>/ if missing, default-yes). Unregistered targets render as external participant pools. - generate-bpmn.sh emits valid BPMN 2.0 XML with bpmn:laneSet, bpmn:messageFlow for cross-pool handoffs, source citations via bpmn:documentation on every element. Pipes through `npx bpmn-auto-layout` for <bpmndi> coords; falls back to bare BPMN with warning when Node is missing. - lint.sh wraps `bpmnlint` (recommended ruleset + label-required + no-disconnected + no-implicit-split) as the merge gate; overridable via per-project .bpmnlintrc. - AgDR-0024 captures the seven sub-decisions: BPMN 2.0 over alternatives (DMN/CMMN/Mermaid sequence/raw flowchart), bpmn-auto-layout over manual coords, bpmnlint as the gate, read-first-then-ask over operator-only authoring, swimlanes-default vs pools-opt-in, registry-lookup vs heuristic URL matching, on-demand cloning offer vs black-box fallback. - Three test scripts cover discovery (smoke.sh — 18 checks across all seven axes on a synthetic Express+Prisma+BullMQ+XState fixture), cross-repo registry lookup (test_cross_repo.sh — 6 checks), and BPMN emission edge cases (test_bpmn_emit.sh — 21 checks: special-char XML escaping, message flows, --pools mode, flow refs, xmllint validity). - CLAUDE.md skill registry bumped to 44; docs/multi-project.md "How skills behave" table updated. Closes #256 Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(#256): renumber AgDR to 0025 — #258 took 0024 during parallel landing * fix(#256): align AgDR-0025 frontmatter id (renumber missed YAML field) --------- Co-authored-by: me2resh <ahmed.abdelaliem@gmail.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
me2resh
added a commit
that referenced
this pull request
Jun 5, 2026
…ies + classifications (#260) * feat(#257): /dfd skill — extract Data Flow Diagram with trust boundaries + classifications Introduces /dfd as the canonical Data Flow Diagram producer. The DFD becomes the source of truth for /threat-model and /compliance-check — both refactored in this commit to consume from projects/<name>/architecture/dfd.md instead of regenerating their own data-flow views. Six-axis discovery (external actors, processes, data stores, data flows, trust boundaries, data classifications). Classifications detect via three additive pathways: code annotations (@pii, @sensitive, CLASSIFIED:), env-var heuristics (*_SECRET, *_TOKEN, EMAIL_*), and schema-column heuristics (email, phone, card_number). An optional explicit registry at docs/data-classification.{md,yaml} overrides heuristic labels. Two output formats: Mermaid markdown (default, renders inline on GitHub, zero new toolchain) and OWASP Threat Dragon v2 JSON (on --format=dragon, for visual editing in Threat Dragon). The Dragon serialiser is a pure function over the in-memory model so #255 (/threat-model --format=dragon) can share or import it. Multi-repo discovery via a new shared helper _lib-multi-repo-trace.sh (intended to also be consumed by /process #256). Three resolvers: mrt_resolve_target (hostname/URL/topic → registered project), mrt_is_third_party (known SaaS vendor detection), mrt_workspace_for (workspace clone path resolution). The refactors of /threat-model and /compliance-check are surgical — Step 1 of /threat-model now reads dfd.md and offers /dfd first if it doesn't exist; Step 4 of /compliance-check reads the classifications + external-services list from dfd.md for cross-border-transfer and DPA detection. Output formats and audit-history persistence contracts in both consumers are unchanged. AgDR-0024 captures the design rationale: Mermaid as primary, Threat Dragon as secondary; classifications as a first-class concept; the single-source-of-truth refactor; the shared multi-repo trace helper. Cross-PR coordination: - #255 (/threat-model --format=dragon) — shares the Threat Dragon serialiser; if #255 lands first with the serialiser inside /threat-model, this skill imports from there - #256 (/process) — shares the _lib-multi-repo-trace.sh helper; if /process extracted its own version first, the consumer that lands later should consolidate Tests (.claude/skills/dfd/tests/smoke.sh, 52 assertions) cover all three fixtures from the AC: single-service six-axis discovery, cross-service trust-boundary detection, three-pathway classification detection. Plus Mermaid generator output shape, Threat Dragon JSON schema validation, and verification that /threat-model and /compliance-check actually reference dfd.md. Closes #257 * fix(#257): renumber AgDR to 0026 — #258 + #259 took 0024 + 0025 during parallel landing * fix(#257): address Rex blockers — shellcheck SC2221/2222, MD032, lychee 404, AgDR refs - _lib-multi-repo-trace.sh: drop redundant subset patterns in third-party detector (e.g. *api.amplitude.com* covered by broader *amplitude.com*) — clears SC2221/2222. - dfd/SKILL.md: blank lines around Discovery + Classifications lists — clears MD032. - dfd/SKILL.md: Threat Dragon schema link now points to the repo root (sub-path 404'd). - AgDR cross-refs across 5 files renumbered 0024 → 0026 (renumber missed downstream). --------- Co-authored-by: me2resh <ahmed.abdelaliem@gmail.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
/processskill at.claude/skills/process/SKILL.md— maps a named business process by reading code first (state machines, queue chains, cron, state-column transitions, API choreography, existing BPMN, documented steps), interviews only on the gaps, then emits a lint-clean BPMN 2.0 file that opens cleanly in Camunda Modeler.--from-endpoint,--from-machine,--from-job,--scope); the scan never runs exhaustively across a repo.apexyard.projects.yamlregistry — handoffs to registered repos recurse into them (offers default-yes to cloneworkspace/<name>/when missing); unregistered targets render as external participant pools.projects/<project>/processes/<slug>.bpmn+ a.process-source.mdsibling for replay + a per-projectREADME.mdindex./c4(system topology) and/extract-features(feature inventory) — same read-first-then-ask family.bpmn-auto-layoutvs manual coords,bpmnlintas the gate, read-first-then-ask, swimlanes-default vs pools-opt-in, registry-lookup vs heuristic matching, on-demand cloning offer).Testing
&<>'", message flows,--poolsmode, incoming/outgoing flow refs on every node, exporter metadata, 21 assertions):$TMPDIRand cleans up on exit.Runtime requirements
bash>= 4git,xmllint,jq(orpython3)yqnode+npxbpmn-auto-layout+bpmnlint--skip-lintbypasses the gateDisclosed up-front in
SKILL.md§ Runtime requirements — same shape as the LSP-plugin disclosure pattern.Out of scope (v1, per the ticket)
.bpmnback into the interview stateGlossary
bpmnlintbpmn-auto-layout<bpmndi>coordinates so the file opens with a readable diagram in Camunda Modeler.apexyard.projects.yamlparticipate in the cross-repo trace; everything else renders as external.Closes #256